Deobfuscating the CK Exploit Kit

The CK Exploit Kit has been around since 2012 and has its roots in the NetBoom Exploiter kit according to security blog site CySecTa. You can read about its history and other information here.

Output from the NB Exploiter doesn’t resemble the scripts found in today’s CK Exploit Kit so we’re probably talking about a completely new tool. However, when you take a closer look, you will find variable names like “nbcode”, “nbChar”, and “nbencode” so there may be some code reuse after all.

[Screenshot 2013-09-02_01]

Finding a live instance of the CK Exploit Kit these days is somewhat of a challenge. The drive-by download appears for less than a day, then the files are removed from the server. This exploit kit tends to show up on Chinese and Korean sites.

The CK Exploit Kit is definitely out of date but since it’s still being used today, I thought I would document it here for my reference. I won’t spend too much time digging into the kit since there’s already several good write-ups including this one from KISA – Korean Internet & Security Agency.

The landing page looks like this (you will notice the text “ck” referenced in variable names in several places). The “top.js” file is a plug-in detector and mainly checks for IE and Java versions.

[Screenshot 2013-09-02_02]

The Javascript is compressed using a variant of Dean Edwards’ packer. You can barely make out the variables p, a, c, k, e, d in between the comment tags:

[Screenshot 2013-09-02_03]

The variable "p" holds the deobfuscated value, so you just need to replace "return p" with "document.write('<textarea>'+p)":

[Screenshot 2013-09-02_04]

Since this script checks your cookie to make sure you only run it once, you can remove that part or just clear your browser cookies if you need to visit the page a second time. You should see a textbox containing the uncompressed script.

[Screenshot 2013-09-02_05]

All I did here was add the "script" tags, copy the function "ckl" from the landing page back to this page, and then separate the blocks of script so I could make better sense of it. If you go through the script, you'll find that you can deobfuscate it by modifying the function in the red block, which is basically "window[document][write](t)".

[Screenshot 2013-09-02_06]

Change the red block text to this: "window[X3cQCMIIF][ErTiUlaxlkP]('<textarea>'+t)" and execute the script. You will again see a small textbox with your deobfuscated script in it. Here's the final script with an interesting class name. Apparently someone didn't have a good day.

[Screenshot 2013-09-02_07]

Inside one of those applets, the hilarity continues with another funny string:

[Screenshot 2013-09-02_08]

Near the bottom of the landing page, the script will open one of two HTML files depending on the version of IE used to visit the page.

if(ck_wm.indexOf("msie 6")>-1){
    document.write("<iframe src=zip.html width=60 height=1></iframe>");
}else if(ck_wm.indexOf("msie 7")>-1||ck_wm.indexOf("msie 8")>-1){
    document.write("<iframe src=win.html width=60 height=1></iframe>");
}

This zip.html page uses the same obfuscation method as the landing page:

[Screenshot 2013-09-02_09]

When you deobfuscate the script, it should look something like this. This hosts the CVE-2012-1889 exploit.

[Screenshot 2013-09-02_10]

The second page, win.html, calls up a Flash file which is protected with DoSWF.

[Screenshot 2013-09-02_11]

By the way, it contains an interesting string “King Lich V” which may be related to PlugX based on this write-up from Jaime Blasco.

[Screenshot 2013-09-02_12]

The script references a file "Moview1.html" which I wasn't able to pull down in time. Presumably this is exploiting CVE-2013-0634. The shellcode is XOR'd using the value 0xE2, which is the same as Jaime's sample from 2012.

[Screenshot 2013-09-02_13]

The payload file was downloaded from p.wangwangwangwangwang.com (174.139.88.102):

[Screenshot 2013-09-02_14]

The payload was a Trojan that checked in at qwe.xzczxcasrafdsfzxcvzv.com:3306 (98.126.71.38).

File: logo.swf (dropper)
MD5: ad760c37c4198449b81b4992a3f2d561
VT: 6 / 45

File: ckwm.jar (CVE-2011-3544)
MD5: 4a562094a9d2771507e50faf08a6ca79
VT: 8 / 46

File: wmck.jar (CVE-2012-4681)
MD5: 5b47778d02048bb081b122cb11367217
VT: 22 / 45

File: p.exe
MD5: b8c0bec6b361c971a09d2b6a93692291
VT: 25 / 46
