Thursday, April 19, 2012

CVE-2012-0158 - South China Sea, Insider Information and other samples and analysis

Update April 20, 2012 - I added 8 more samples (now there are 12 posted). I have not looked at all of them yet, but you may find them useful for developing signatures, etc.

The TrendMicro report "CVE-2012-0158 – Now Being Used in More Tibetan-Themed Targeted Attack Campaigns" appeared in the news a few days ago, highlighting the beginning of a new wave of exploits using RTF as a carrier.

Researchers based in Asia noticed these malicious documents in Japan and Taiwan before they started showing up at and targeting US companies. Three documents donated a few days ago by someone from Asia were crafted to run only on the Taiwanese version of Windows. The document I found today was uploaded to an online analysis service and is for English Windows; it was named "inside information.doc" and drops a decoy document called 英文, which means English. I could not get the "Taiwanese" binaries to run on an English OS, but this one executed successfully.

The vulnerability is due to an error in an ActiveX control, in this case embedded in an RTF document. All documents I looked at are very similar, so most likely there is a generator involved in making them. I have not seen any documents that would run without crashing Word, so you need to carve out at least the first stage binary manually.
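As an added triage helper (not code from the original post or any of the posted samples), the following decodes the \objdata hex streams of an RTF and flags an OLE compound-file header and any unencoded PE image inside them, which is the manual carving step described above. The RTF handling is simplified (a stream ends at the first closing brace) and the test document is constructed, not a real sample.

```python
import re
import struct

# Compound-file (OLE2) header that an embedded ActiveX object stream starts with
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OBJDATA_RE = re.compile(rb"\\objdata(.*?)\}", re.DOTALL)   # simplified: ends at first '}'
# Control words/symbols that may be scattered inside the hex run
CONTROL_RE = re.compile(rb"\\[a-zA-Z]+-?\d*|\\[^a-zA-Z]")

def decode_objdata_streams(rtf: bytes) -> list:
    """Decode every \\objdata hex stream in an RTF document into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        body = CONTROL_RE.sub(b"", m.group(1))           # drop embedded control words
        hexchars = re.sub(rb"[^0-9a-fA-F]", b"", body)   # keep only hex digits
        if len(hexchars) % 2:                            # tolerate a truncated stream
            hexchars = hexchars[:-1]
        blobs.append(bytes.fromhex(hexchars.decode("ascii")))
    return blobs

def find_pe_images(blob: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew points at a valid PE signature."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def triage_rtf(rtf: bytes) -> list:
    """One record per \\objdata stream: size, OLE header offset (-1 if none), PE offsets."""
    return [{"size": len(b), "ole_header_at": b.find(OLE_MAGIC), "pe_offsets": find_pe_images(b)}
            for b in decode_objdata_streams(rtf)]

def build_sample_rtf() -> bytes:
    """Constructed test document (not a real sample): OLE header plus a stub PE in \\objdata."""
    stub_pe = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub_pe, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    stub_pe += b"PE\x00\x00" + b"\x00" * 20
    payload = OLE_MAGIC + b"\x00" * 24 + bytes(stub_pe)
    hexdata = payload.hex().encode("ascii")
    half = len(hexdata) // 2
    # a stray control word and line break inside the hex run exercise the stripping logic
    return (b"{\\rtf1{\\object\\objemb{\\*\\objdata " + hexdata[:half]
            + b"\\par\r\n" + hexdata[half:] + b"}}}")
```

A first stage that is shellcode or an encoded PE will not be caught by the PE check, so a large \objdata stream with no PE hit still deserves a manual look.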

Many thanks to Brandon Dixon and Binjo for technical advice and inspiration :)

Wednesday, April 18, 2012

DarkMegi rootkit - sample (distributed via Blackhole)

Update April 20, 2012 - Kimberly wrote an excellent analysis of this sample; please go to Stopmalvertising to read it.

This is a "DarkMegi" rootkit sample, kindly donated by Hendrik Adrian. As described in the McAfee article "Darkmegi: This is Not the Rootkit You’re Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover them all in a quick post.
Indeed, it drops the rootkit components into drivers, padded to an incredible 25MB, and generates a lot of traffic. Unfortunately, I have not yet had time to sort out the mess and the purpose of all the files this malware creates, so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share; I will link to it.

Monday, April 16, 2012

Java OSX CVE-2012-0507, CVE-2011-3544 and Flashback.35/J sample

Dr. Web published a BackDoor.Flashback.39 (Flashback.K, the 11th variant) epidemic chronology to augment their discovery of the Mac botnet ("Doctor Web exposes 550 000 strong Mac botnet"). In general, the Flashback OSX epidemic started on or before August 2011 (F-Secure), with variants distributed as a fake Adobe Flash player. In January 2012, Intego reported Flashback.35/J (the 10th variant), which was also distributed as a fake Flash download.

I am posting here 3 Java exploits used to distribute Flashback trojans:

SAMPLE 1 is Java CVE-2012-0507, dated April 4, and appears to be distributing Flashback.35/J, as seen from the payload.
SAMPLE 2 is a java_signed_applet social engineering exploit (see Michael Schierl's comment below).
SAMPLE 3 is Java CVE-2011-3544. Samples 2 and 3 are dated February 2012.

I don't know which domains distributed these exploits (let me know if you do), but perhaps we are seeing the malware distribution scheme common to Windows-targeting exploit packs.

Thursday, April 12, 2012

OSX/Flashback.K sample + Mac OS malware study set (30+ older samples)

Update April 12, 2012 - Added another binary, sv.4, with its plist file (edited to remove the userid).

OSX Flashback malware has been in the news a lot after Kaspersky's announcement of a 600,000-machine botnet: "Kaspersky Lab Confirms Flashfake / Flashback Botnet Infected more than 600,000 Mac OS X Computers, Describes Ramifications and Remedies".

I got a sample tonight thanks to Tim Strazzere; I have not analyzed it yet but I want to try. Meanwhile, I am posting this sample and 30+ other Mac OS malware samples accumulated by Contagio and also from the vxheavens collection (thank you all). They are dated by year and provide a good historical set for studying the evolution of Mac malware. I would start here: SANS Mac OS X Malware Analysis, or check out Reverse Engineering Mac Defender (OS X) malware analysis for beginners.

Wednesday, April 11, 2012

OSX Flashback URLs, Domains, etc

Dr.Web image
I have been tracking infections too and will be posting the domains I come across. I don't have the DGA script or a list of domains to date, but even if I had, I think the best way to find them is via the User-Agent followed by the id. I am posting URLs and domains below and will add more soon.

Since it generates new domains every day, the full list would be much longer, but I will post those I run across below in case it helps anyone. The ones below appear to belong to variant v.39/K.

Tuesday, April 10, 2012

OSX/Flashback.O sample + some domains

1. A few hours after I posted the Flashback.K, someone anonymously uploaded a Flashback.O sample (thank you very much!), which I am posting below. As in the first case, it is a payload binary from a victim, not the downloader, which makes it impossible to install. If you succeed or have a binary that installs, please share. I personally have not tried to run them yet; I did not have a VM.
2. Matt Thompson from Unveillance emailed his comments about the Flashback.K sample; please see the quote below.
3. Update April 11 - I will put domains and URLs in a separate post because they relate to various versions of Flashback, not v.40/O.