Posted on Leave a comment

Encryption related to Duqu font expoit (CVE-2011-3402)

You remember the Duqu font related exploit and shell code in the dropper? Yes, that’s the exploit that was recently used in many exploit kits.
First of all, this is a kernel level exploit, it should be kept in mind while checking code.

The original dropper had a decryptor for the stage1 of shell code:

void __fastcall sub_1500(int a1, int a2)
int v2; // eax@2
int v3; // ecx@2
int v4; // eax@5
int i; // eax@5

if ( !dword_14FC )
v2 = 0;
dword_14FC = 1;
v3 = (unsigned __int8)dword_14F8;
while ( v2 != dword_14F8 )
LOBYTE(a2) = v2 ^ *((_BYTE *)sub_17C + v2) ^ v3;
*((_BYTE *)sub_17C + v2) = a2;
a2 = (unsigned __int8)a2;
v3 ^= a2;
v4 = sub_158C(v2, a2, v3);
sub_17C(v4 - (_DWORD)sub_17C);
for ( i = 0; i != dword_14F8; ++i )
*((_BYTE *)sub_17C + i) = 0;

It’s not a complicated obfustation/crypto, the interesting thing is that it is not like the ones for Flame. The most similar thing is Stuxnet’s modules’s crypto, maybe later discussed.

The next level is still obfuscated. ntoskrnl.exe function calls are stored in a table by hash of the function call name, just like calls are obfuscated in other parts of Duqu. This is not unusal, but shows specific care on the module.

The hash-function relation table is costructed like under:

seg000:00001043 mov [esi+10h], eax
seg000:00001046 jz loc_11B2
seg000:0000104C push ecx
seg000:0000104D push ecx
seg000:0000104E push 0BF5CA508h ; ExAllocatePool, hash:bf5ca508
seg000:00001053 push edi
seg000:00001054 call sub_7FD
seg000:00001059 add esp, 10h
seg000:0000105C test eax, eax
seg000:0000105E mov [esi+14h], eax
seg000:00001061 jz loc_11B2
seg000:00001067 push edx
seg000:00001068 push edx
seg000:00001069 push 2973E9CCh ; export name: ExFreePool, hash:2973e9cc
seg000:0000106E push edi
seg000:0000106F call sub_7FD
seg000:00001074 add esp, 10h
seg000:00001077 test eax, eax
seg000:00001079 mov [esi+18h], eax

Note the constants 2973ECCh and similar. These are identifiers of ntoskrnl.exe exports (specific functions).

The hash calculation is done like this:
for ( i = 0; ; i += 7 * i * i + 12 * v8 + 17 * v8 * v8 )
v8 = (_BYTE *)v3;
if ( !
(_BYTE *)v3 )

It’s not like encryption/obfuscation code for FLame. Maybe the exploit creators also provided this stage to the customers.

Based on this code function calls in the exploit can be recovered. And still, this is just one step among others to fully understand how original Duqu dropper worked…

A few sample values for hashes based on the function described above:

export name: AlpcInitializeMessageAttribute, hash:f8ab4ead
export name: CcCanIWrite, hash:c833f901
export name: CcCoherencyFlushAndPurgeCache, hash:41ab559d
export name: CcCopyRead, hash:99b1f488
export name: CcCopyWrite, hash:96bc06d5
export name: CcCopyWriteWontFlush, hash:210fdfb4
export name: CcDeferWrite, hash:038897a1
export name: CcFastCopyRead, hash:1e3c8f5c
export name: CcFastCopyWrite, hash:c1874039
export name: CcFastMdlReadWait, hash:2eea7438
export name: CcFlushCache, hash:0a30abdd
export name: CcGetDirtyPages, hash:cc24ab45
export name: CcGetFileObjectFromBcb, hash:8244f064
export name: CcGetFileObjectFromSectionPtrs, hash:9406fe99

… possibly TBC…

Posted on Leave a comment

Stuxnet-Flame relation

Some time ago, we rechecked some Stuxnet code. Guess what have we learned: Kasperksy already published Flame-Stuxnet relationship, but on the encryption level, there is another similarity. In fact, this was found by Norman back in June , but they compared with soapr32’s encryption which is slightly more different than 4069.dll’s encryption E2.

Stuxnet PLC dll encryption code:
unsigned int __cdecl encryption_routine_sub_10010B26(int a1)
int v1; // eax@1

v1 = (a1 + 11) * (a1 + 17);
return (a1 + 11) * (a1 + 17) ^ (((a1 + 11) * (a1 + 17) & 0xFFFFFF00 ^
((((unsigned int)((a1 + 11) * (a1 + 17)) >> 8) ^ v1
& 0xFF0000) >> 8)) >> 8);

Flame 4069.dll:
unsigned int __cdecl encryptor_sub_4025C0(int a1)
return (a1 + 11) * (a1 + 17) ^ (((unsigned __int16)((a1 + 11) * (a1 + 17) & 0xFF00)
^ ((((unsigned int)((a1 + 11) * (a1 + 17)) >> 8) ^ (a1 + 11) * (a1 + 17) &
0xFF0000) >> 8)) >> 8);

But for what reason was this encryption (obfuscation) used in 4069?

Flame 4069 contains some strings like this:

5F 5F 73 73 5F 73 5F 5F 00 31 32 25 77 69 6E 64 ss_s.12%wind
69 72 25 5C 73 79 73 74 65 6D 33 32 5C 72 64 63 ir%\system32\rdc
76 6C 74 33 32 2E 65 78 65 00 5F 5F 73 73 5F 65 vlt32.exe.__ss_e

Basically ss_s is some kind of magic string where “ss” stands for string. then “00” is a placeholder for a length variable,
“12” is a magic string, and finally the encrypted string is put in the file. Oh, no. Wait a minute. This seems to be human readable?! Yes, basically 4069 is prepared to accept encrypted strings “if needed”, but the marker for doing that is the length field. If it is 00 (as above), then the string is unencrypted, and can be direcrtly read, otherwise it uses E2 to decrypt the string. Magic “12” is not part of the “real” string, this info is a fix for our Flame/Skywiper tech report.
All-in-all, the connection is not jut strange, but in 4069 this encryption routine is not even really used. Most likely, authors have made a postprocessor for the binary finding s_s strings, 12 magics and then encrypting strings and writing back length field into the file, but for some reason in the samples we saw, they did not use the post-processing tool.

.text:004025F1 mov ebx, [esp+4+length_arg_4]
.text:004025F5 push esi
.text:004025F6 xor esi, esi
.text:004025F8 test ebx, ebx
.text:004025FA jbe short loc_402618

If length is not set, then jump out of the decryption loop.