Reversing a PHP Script Dynamically and Statically

A reader sent me two PHP scripts because the PHP Converter program I wrote wasn’t able to handle it. They are both similar so I’ll just work on one of them in this post. Here’s what it looks like:

2014-07-11_01

And this is what happens when you try to use PHP Converter:

2014-07-11_02

Let’s reverse this script dynamically and then statically.

First, I’ll just change the ‘eval’ keyword to ‘echo’.

2014-07-11_03

And take a peek at what’s going on.

2014-07-11_04

Yikes, this is messed up! I thought the PHP file got corrupted somehow but then I looked closely and noticed several PHP keywords. This is actually a pretty clever technique. Basically the script is converting the strange characters to text but it’s surrounded by long, seemingly random strings that are variable names.

So I figure I would just write it out to a file and then change the ‘eval’ I noticed at the end to ‘echo’.

2014-07-11_05

Here’s the resulting file:

2014-07-11_06

I’ll just make that quick change and run it again.

2014-07-11_07

Cool, now we know what this script does!

Now let’s reverse this script statically.

Here’s a new, fixed version of PHP Converter. I added a filter to present the results of the deobfuscation without stopping if it encounters any strange characters. The characters outside the alphanumeric range will be represented by a neutral character.

2014-07-11_08

I also added the ability to output the result to Base64 format and/or to a file. With both options checked, you will get a text file of the result encoded in Base64 so the binary values will be preserved.

2014-07-11_09

Now I can convert this base64-encoded string to text using Converter.

2014-07-11_10

After cleaning this up, we can see that the section below is XOR’ing the blob using the decimal value of ’30′ which is assigned to the first variable.

2014-07-11_11

I’m going to convert the base64-encoded string to hex this time.

2014-07-11_12

Then send the data to Converter’s Key Search/Convert feature and set the values accordingly:

2014-07-11_13

And I get this result. The junk at the top and bottom is the result of XOR’ing the original text so I can ignore that.

2014-07-11_14

There are other ways to get to the final result but I think these two methods are straightforward and quick/easy to do.

The updated version of PHP Converter can be downloaded here.

Posted in Malscript, Tools | Tagged , , | Comments Off

Deobfuscating PHP Scripts

Occasionally people send me PHP scripts to help them analyze it. Most of the time, it’s simply unescaping the script and finding the right variable to echo. I got two tricky ones within the past couple of months and finally got around to writing a program to quickly deobfuscate them. These scripts represent obfuscation methods that make it difficult to read them but they don’t employ character rotation, XOR, base64, etc. I’m not sure if there’s an easier way to do this; if there is, I’d like to hear about it.

I already wrote a tool to handle an older variety of this method and I decided to add functionality to handle the newer ones. I also added a pretty basic (crappy) beautifier and making this available as a separate download (I think I’ll add this to Converter later).

Method 1 – Array Search/Replace
This script uses an array of base64-encoded strings. The second part of the script references specific values from the array. The obfuscated script looks like this:

2014-06-01_01

The idea is to first base64-decode the strings and load them into an array. Loop through the array and replace the calling variables with the actual values.

You should concatenate the strings first. I use Converter but even Notepad will do.

2014-06-01_02

Then you need to base64-decode the strings. Again I’m using Converter.

2014-06-01_03

Using the PHP Script Decoder tool, I paste the result from above to the “Lookup Array” box. I paste the obfuscated script to the input box. When you choose the Array method you have to enter a delimiter (in this case the comma is used) and the search string. The search string is the variable you wish to replace with the value. In this case I enter “_449578015(#)”. The pound sign is a placeholder which the tool needs.

Here’s what it looks like. Now the deobfuscated script is much easier to figure out.

2014-06-01_04

If you want to beautify the script, click on the “Copy Output to Input” button then click on the “Beautify” button.

2014-06-01_05

The result is a simple and rough cleanup of the script.

Method 2 – Random Variables
This script uses randomize variable names and assigns a value to it. The later portion references the value. Here’s what this looks like:

2014-06-01_06

The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value.

I just paste the entire script in the input box and choose the “random vars” option. The delimiter for this script is a semi-colon and for the search string I enter ${“GLOBALS”}["#"]=”*”; The pound sign is a placeholder for the variable name and the asterisk is the placeholder for the value.

Here’s the result:

2014-06-01_07

Method 3 – Key Lookup
This script uses a lookup array to build the values for its variables. Each character in this string is loaded into an array:

“,`TD[r)Ej|4*^QXOK\t: @.tl#2%\\L\r_R-~b=Z7zaV{]S+’Gio>gd058up6C!HkwxmvN?nJI(\”FMWc3hYs\$&;\nBA

The script concatenates each character of the value and assigns it to a variable. The tool again does a search and replace of each character. You can optionally concatenate the result. For this particular script, you then need to use the second method and replace the variable name with the value.

2014-06-01_08

Here we go…the first step I do is paste the entire script in the input box and choose the key lookup option. The delimiter is irrelevant. I use $f9[#] as the search string. In the lookup key box I need to paste the key with the starting and ending quotes. The tool will unescape the value so you don’t have to do it yourself.

2014-06-01_09

You can see that the strings should be concatenated so I check the box and click on Convert again.

2014-06-01_10

Now I click on the “Copy Output to Input” button and choose the random vars option. I leave the delimiter to semi-colon and use $GLOBALS['#'] = ‘*’; as my search string.

2014-06-01_11

Ah, much more readable! By the way, you may have seen this on several compromised sites as the output looks something like this:

Linux10+cfcd208495d565ef66e7dff9f98764da
-or-
WINNT20+cfcd208495d565ef66e7dff9f98764da

This script is essentially an emailer.

You can find this program here.

Posted in Malscript, Tools | Tagged , | Comments Off

Reversing RIG EK’s Flash File

VirusTotal is showing 0 out of 51 for RIG EK’s SWFIE exploit (MD5: 65AFF3A3774298B3ED5BA2C43F8A1979). Here’s a really quick overview on how to reverse this exploit file so we can determine which vulnerability it’s using. This method can also be used on Infinity EK’s flash file and probably others.

First, you need to use your favorite method to decompile the SWF file. I always try to give ActionScriptExtractor the first shot. If it doesn’t work, you might have to use a commercial tool like I did. Looking over the decompiled code, there’s an interesting function called “onus”.

2014-05-23_01

Variable _local5 is assigned a value of “4939333″. This value is used to XOR each value from the large array. The _local2 array consists of Qwords in decimal and hex formats.

I wrote a program that will convert the Qwords to decimals then XOR the values with an XOR key. It will then write it out in little Endian format just like the ActionScript indicates.

2014-05-23_02

After converting the decimal values to hex and writing it out to a binary file, I get another SWF file (MD5: 04FC52BE437FF46465F42994F0DC5AAE). VirusTotal detects this with 3 out of 53 AV with one saying it’s CVE-2013-0634.

2014-05-23_03

The decompiled version looks like this:

2014-05-23_04

Here we see the exploit code:

2014-05-23_05

This part here writes out the shellcode after base64-decoding it.

2014-05-23_06

The Javascript from the landing page contains the base64-encoded shellcode which is read in by the ActionScript.

2014-05-23_07

The code does look similar to CVE-2013-0634 but my understanding of the Flash exploit tells me this is really CVE-2014-0322.

Anyway, the point of this article was really to make available the tool to convert Qword, Dword, and Word values to decimal. I’ll continue using it and work out any kinks before adding it to Converter. You can download this tool here if you want to give it a try.

Posted in Exploit Packs, Malscript, Tools | Tagged , , | Comments Off

RIG Exploit Pack

A new exploit pack has been marketed in the underground since last month and appears to be picking up some steam. The new pack is called RIG and touts the following exploits:

Java – CVE-2012-0507, CVE-2013-2465
IE 7/8/9 – CVE-2013-2551
IE 10 – CVE-2013-0322
Flash – CVE-2013-0634
Silverlight – CVE-2013-0074

2014-05-12_01

The pack is said to have an average rate of 8-12% and costs $60 per day or $300 per week.

Here’s what a typical infection chain looks like. Look closely and you can see why this is being pegged as Infinity EK. There are similarities but they are different packs.

2014-05-12_02

On a compromised website, the iframe tag leads to the TDS rotator:

2014-05-12_03

If everything checks out then you get another iframe (the bottom part of the page appears to be a tracker):

2014-05-12_04

On the counter.php page, there’s yet another iframe. This time you get to the landing page of the exploit pack:

2014-05-12_05

The landing page is a large file and consists of five scripts. The top section, through some misdirection and obfuscation, assigns a value of “body” to the “vx” variable which is used by the following four scripts.

2014-05-12_06

Each of the four scripts looks something similar to this. All it’s doing is building up decimal values that are on each line preceding with “pop” to the variable “bui” which is then converted to ASCII and appended to the body element.

2014-05-12_07

This is the result after deobfuscating one of the scripts. This sets up the Java exploit.

2014-05-12_08

Here’s one for Silverlight. You can see the URL to the exploit followed by the shellcode in Base64.

2014-05-12_09

The D&E shellcodes which are passed as a parameter to the exploit code are XOR-encoded each with it’s own unique five-value hex key.

2014-05-12_10

Since the landing page contains all of these scripts, you get hit with several exploits at once leading to multiple payloads asking to bypass UAC. It’s very noisy and inefficient.

2014-05-12_11

If the exploit is successful, the payload is downloaded and executed and then requests are made to the following sites to download crimeware:

zemmes-gimbl .com/b/shoe/1928
chanse-leaf .com/com_phocaguestbook/jquery/

Files called “UpdateFlashPlayer_[random].exe” are downloaded to the temp folder with the hidden attribute set which prompts the user incessantly.

File: applet.jar
MD5: 9c6317f0c22b0782fac5858d0c4c4886
VT: 4/52

File: flash1.swf
MD5: 65aff3a3774298b3ed5ba2c43f8a1979
VT: 0/52

File: flash2.swf
MD5: 40fd69626f5248012b6d5bd2e4d2fc9b
VT: 0/52

File: 264078.exe
MD5: e4f53ece665e71955bf8f9170e3324a1
VT: 9/52

File: ewuwxeu.exe
MD5: ea8dbf470fb0dc41e10d2dcf69f53153
VT: 14/52

File: UpdateFlashPlayer_5386a177.exe
MD5: 60b1cbb5d9af6125d011bd7306afec64
VT: 2/51

File: UpdateFlashPlayer_9609e705.exe
MD5: 8caf8b2f7198bc757541a93267447460
VT: 10/52

Posted in Exploit Packs | Tagged , | Comments Off

8×8 Script Leads to Infinity Drive-By

The “8×8″ script I’m referring to includes a link that looks like this:
hxxp://www.example .com/JB3xd6iX.php?id=87342871

And can be detected using a regular expression that looks something like this:
/^.*\/[a-z0-9A-Z]{8}\.php\?id=\d{8}$

One set of links redirect users to social engineering scams (e.g. fake Adobe Flash Player update) that I wrote about earlier. Another set redirects users to Infinity EK (aka “RedKit”, “GoonEK”).

First, let’s see how this drive-by looks like from the users’ perspective.

The user visits a website that’s been compromised. On one of the webpages, there’s a script with the filename containing eight random characters followed by an ID value which has eight digits (i.e. the “8×8″ script).

2014-04-06_01

The user is then redirected to another legitimate website that’s been previously compromised. This site serves up a script that leads to another site.

2014-04-06_02

This site is also legitimate and compromised. It houses the Infinity Exploit Pack script which tries to exploit the user’s browser.

2014-04-06_03

This is what the deobfuscated version of the landing page looks like. If the exploit is successful, there’s a request for the malicious payload file back to the same site.

2014-04-06_04

Infinity has an arsenal that includes two Java, two MSIE, Flash, and Silverlight exploits. The author(s) have been adding updates to their arsenal as well as modifying the links and infrastructure since the last time I analyzed it as RedKit v2.0.

Now let’s look at what’s happening behind the scenes. A webmaster provided me with suspicious files from his compromised website after I informed him his site was redirecting users to a drive-by. (I promised I would not reveal his site name so I redacted and/or modified the following screens.)

Turns out his site was compromised two different times. The first time, the attacker modified at least one HTML page and inserted the following script tags:

2014-04-06_05

Sometime later, the/another attacker modified the index.php file and inserted a PHP script that would download content from another website.

2014-04-06_06

Running this script, makes a request to a backend server and produces a seemingly endless number of new links:

2014-04-06_07

I was very fortunate that the compromised website had both the infected index.php file and the 8×8 script on his server. The link above leads to a PHP script on another site but I’m pretty certain it’s the same as the one below (which is also the same as the one I wrote about earlier).

2014-04-06_08

Deobfuscating the script is no longer a chore so I can extract the contents of the encrypted config string.

2014-04-06_09

Running it produces the TDS IP, key, and other information:

2014-04-06_10

So this is what’s going on…

2014-04-06_11

Here’s a series of packets showing this:

2014-04-06_12

The scripts are all the same and therefore appears to be the work of the same gang behind RedKit v2, Box Fraud, Goon EK, and Infinity.

Posted in Exploit Packs, Malscript | Tagged , , , , | Comments Off