Converter Update

Happy New Year! I finally finished developing and testing another version of Converter. It has been updated to version 0.5 which includes features written about in recent blog posts, plus a few extras.

Under the File menu, I’ve added three new features.

You can import binary files into Converter (but don’t try loading a 100MB file, since that’s not what Converter was meant for). The file contents will show up as hex data which you can send to the main form or back out to a text file.

You can also export binary files from hex data.

If your file is too big for Converter to handle, you can split files into smaller segments (and subsequently join them back together).

If you need to convert a large file, you can always use the Convert Binary File feature. I incorporated new options found in another program I wrote called File Converter. You can read about it here:

Under the Tools menu, I added the Secret Decoder Ring feature.

You can learn how to use this feature from this blog post:

The Convert Base feature now includes a new delimiter per request.

And finally, the Key Search/Convert feature has been enhanced as described in this post:

You can get Converter here. I hope you enjoy this update!

Posted in Tools

Wild Wild West – 12/2012

Added the following packs:
alphaPack
Vintage Pack
CritXPack
Serenity Exploit Pack
ProPack
ANRAM Exploit Pack

Posted in Exploit Packs

New Exploit Pack Spotted

Another new exploit pack has been found in the wild. This pack uses two interesting methods to obfuscate its contents. Neither method is brand new, but both are interesting nonetheless. Let’s have a closer look…

Here’s the infection chain:

tmkgm.lflinkup.com/main.php
alpkfbtgy.lflinkup.com/3227fyw/024776ygcgd.asp?1
alpkfbtgy.lflinkup.com/06592657829ja/qrsop326821?1
alpkfbtgy.lflinkup.com/06592657829ja/rke80886
alpkfbtgy.lflinkup.com/06592657829ja/lib1.pdf
alpkfbtgy.lflinkup.com/06592657829ja/39723568va1start
alpkfbtgy.lflinkup.com/06592657829ja/ncai8236581

The first two URLs are redirectors to the main landing page, which is “qrsop326821”. When I first looked at this HTML page, I thought the file got corrupted in Wireshark, but it’s actually not.

Here’s the JavaScript portion. The script basically loops through the code to re-sort itself back into its original form.

And this is what the deobfuscated code looks like:

Here’s what the transformation looks like since it’s rather difficult to describe.

In a recent update, this pack now separates the JavaScript from the HTML page by storing it in an external file.

As you can see from the landing page, there are two sets of exploits — Java and PDF. The PDF contains the LibTiff exploit and shellcode which does a download and execute of the final payload file. The Java applet appears to use two exploits and, if successful, downloads a JPEG file that doesn’t have the correct magic number.

Opening the file with a hex editor shows that every other byte is a garbage character and that this is really an executable.

I updated a program I wrote earlier to extract every other byte and dump it to a file.
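The de-interleaving step described above, written out as an added Python example (this is not the author’s program; the sample bytes are a constructed generic DOS header interleaved with filler, not the real payload). It tries both byte offsets and keeps the one that yields an MZ header, so a file that does not use a simple every-other-byte scheme is reported rather than silently mangled:

```python
"""Recover an executable whose bytes were interleaved with filler (every other byte is junk)."""
from typing import Optional, Tuple


def interleave(real: bytes, filler: bytes, real_first: bool = False) -> bytes:
    """Build a sample in the style the post describes: real and filler bytes alternate.
    Used here only to construct test data."""
    out = bytearray()
    for r, f in zip(real, filler):
        out += bytes([r, f]) if real_first else bytes([f, r])
    return bytes(out)


def deinterleave(data: bytes, offset: int) -> bytes:
    """Keep every second byte, starting at `offset` (0 or 1)."""
    return data[offset::2]


def recover_executable(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Try both offsets; return (offset, bytes) for the one that starts with the MZ header,
    or None if neither does (then the junk is probably not a simple every-other-byte scheme)."""
    for offset in (0, 1):
        candidate = deinterleave(data, offset)
        if candidate[:2] == b"MZ":
            return offset, candidate
    return None


# Constructed sample: first 16 bytes of a generic DOS header, not the real payload's bytes.
REAL_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000")
FILLER = bytes(range(0xA0, 0xA0 + len(REAL_HEADER)))  # arbitrary non-MZ junk
SAMPLE = interleave(REAL_HEADER, FILLER)

if __name__ == "__main__":
    import sys
    # Optional: python deinterleave.py <input.jpg> [<output.exe>]; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = recover_executable(blob)
    if result is None:
        print("no MZ header at either offset")
    else:
        offset, exe = result
        print(f"executable found at offset {offset}; first bytes: {exe[:4].hex()}")
        if len(sys.argv) > 2:
            open(sys.argv[2], "wb").write(exe)  # dump it to a file, as the post does
```

Checking for the MZ signature before writing anything out is what turns a guess ("every other byte") into a verified result; a filler stream that itself began with "MZ" would still fool the offset-0 check, so inspect the output in a hex editor as the post does.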

These are the results I got:

File: rke80886.jar (CVE-2012-4681, CVE-2012-1723)
MD5: E2B9C1892F7BA7D0DC69EBFC91098636
VT: 1 / 43

File: lib1.pdf (CVE-2010-0188)
MD5: B80B7119A6AC1596C7467C1942CD0CD1
VT: 4 / 44

File: EXE Payload
MD5: 7B89036D65CA53FD133FAC4F75DD4770
VT: 27 / 44

This pack hasn’t been identified yet so if anyone knows its name, please drop me a note.

Posted in Exploit Packs, Malscript

Exploit Packs and the Secret Decoder Ring

If you’ve ever analyzed an exploit pack, you will often see a string of strange characters as parameters to a Java applet. You might have even noticed a certain pattern suggesting that these aren’t random characters. Here’s what I’m talking about; have a look at the parameter values for Black Hole:

In a version of Black Hole early in the month, you could find this in the HTTP request generated by the Java applet itself:

These strings are the URLs of the payload obscured using a secret decoder, so to speak. Every two characters form a hex byte that represents a position in a key. If you look up each position in the key and concatenate the results, you’ll have the URL.

What’s the key? Each author or exploit pack version could have its own unique key but we can try to figure out what the key is; we just have to work in reverse. I wrote a program that might be of some help so let’s try this out on Black Hole version 2.

First we have to obtain this string of encoded characters and the URL of the payload. I’ve done a little Wiresharking that yielded the following:

I’ve pasted the values in the program and set it to “Position Lookup”, two-character formatting with a hex type:

If you press the “Analyze” button right now, it will tell you that the output field is empty (it needs to have a starting string to build off of) so the program will then insert a string of ` characters for you like so:

Now press the “Analyze” button once again. It will fill in the positions of the key based on what is known — the encoded values and the URL.

Let’s get another set of strings from another instance of Black Hole and put that into the program but this time we leave the output value alone because we want to add to our existing (partial) key.

Keep going, trying to find a good mix of characters based off of the payload URL. After a few more, you’ll probably end up with this:

dq&`pg``3twh_`v``kz````o8sa`0`y:`u-m```2b7`4f````/i`6ej1c=n`.?9`x`5lr``````

The leftover ` characters reveal missing values. By counting those up, we can guess that those are upper case characters and a couple more symbols. What we have are all the lower case characters, numbers, and significant symbols, which may be enough. Now let’s use the key, paste in just the encoded value, and this time click on the “Decode” button:

Cool! If you haven’t figured out how this position lookup works, the above graphic should make it more clear. The first two bytes of the encoded value (“text input” field) are “0b”. Just above the “Key/Substitution” field are a set of incrementing hex values. Go to position 0x0b and get the character directly underneath it, which is “h”. That’s the first character of the URL! The next two characters are “09” so go to the 0x09 position and get that character which is “t”. Got it?

Now we can use this secret key to find out what the payload URLs are for this variant of Black Hole v2…until the key is changed.

Interestingly, I analyzed a new exploit pack that Kafeine found called Cool Exploit Pack and noticed the same-looking string of encoded characters. I put that into the program using the Black Hole key and guess what…it worked! What are the odds of two exploit pack authors using the same secret decoder?

The program also helps you tackle another type of “encoding method” called character substitution. The program acts a little differently for this method. You will need to enter a “plain text” value. I’ve already included a common set of URL-related characters, but it probably won’t work for all cases, so you can adjust it as needed. In addition, the length of the “plain text” must match the length of the starting string (all those ` characters) since this is a substitution cipher after all.

Here we have the payload URL for yet another new exploit pack called CritXPack. We plug this into the fields and click on the “Analyze” button. In this particular substitution cipher, the first character of the encoded string is “d” which corresponds to “h”, “X” corresponds to “t”, and so on.

Again, you would find other instances of this exploit pack, collect enough encoded strings and URLs to build up the key until you have all of the useful characters. Then you can keep that key for decoding future CritXPack payload URLs.
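Both methods described in this post, the position lookup (hex byte pairs indexing a key) and the character substitution, as one added Python example. This is not the author’s program; it reimplements the same “work in reverse” idea: known (encoded, URL) pairs pin down key positions or substitution entries, and a contradiction between two samples means they were made with different keys. The Black Hole key is the partial key printed above; the sample URLs, the example.com hosts and the toy substitution alphabet are constructed (only d→h and X→t come from the CritXPack description):

```python
"""Rebuild a 'secret decoder ring' key from known (encoded, URL) pairs, then decode with it."""
from typing import Dict, Iterable, Tuple

PLACEHOLDER = "`"  # the post uses ` for key positions that are still unknown

# Partial Black Hole v2 key exactly as recovered in the post (75 positions).
BLACKHOLE_KEY = "dq&`pg``3twh_`v``kz````o8sa`0`y:`u-m```2b7`4f````/i`6ej1c=n`.?9`x`5lr``````"


def decode_position_lookup(encoded: str, key: str) -> str:
    """Every two hex characters are an index into the key; the looked-up characters form the URL."""
    if len(encoded) % 2:
        raise ValueError("encoded string must have an even number of hex digits")
    out = []
    for i in range(0, len(encoded), 2):
        pos = int(encoded[i:i + 2], 16)
        out.append(key[pos] if pos < len(key) else PLACEHOLDER)
    return "".join(out)


def encode_position_lookup(plain: str, key: str) -> str:
    """Inverse of the above; used here only to construct sample pairs."""
    return "".join(f"{key.index(c):02x}" for c in plain)


def build_position_key(pairs: Iterable[Tuple[str, str]], key_len: int = 256) -> str:
    """Work in reverse: each (encoded, known URL) pair pins down the key at the positions it uses.
    A position that two pairs disagree on means the samples come from different keys."""
    key = [PLACEHOLDER] * key_len
    for encoded, plain in pairs:
        if len(encoded) != 2 * len(plain):
            raise ValueError("encoded length must be twice the plaintext length")
        for i, ch in enumerate(plain):
            pos = int(encoded[2 * i:2 * i + 2], 16)
            if key[pos] not in (PLACEHOLDER, ch):
                raise ValueError(f"conflict at position {pos:#04x}: {key[pos]!r} vs {ch!r}")
            key[pos] = ch
    return "".join(key).rstrip(PLACEHOLDER)


def build_substitution(pairs: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Character substitution: the encoded string is the same length as the URL, so pair the
    characters up one for one, again flagging any contradiction between samples."""
    table: Dict[str, str] = {}
    for encoded, plain in pairs:
        if len(encoded) != len(plain):
            raise ValueError("a substitution cipher keeps the length unchanged")
        for e, p in zip(encoded, plain):
            if table.get(e, p) != p:
                raise ValueError(f"conflict: {e!r} maps to both {table[e]!r} and {p!r}")
            table[e] = p
    return table


def decode_substitution(encoded: str, table: Dict[str, str]) -> str:
    """Characters not yet learned come out as the placeholder."""
    return "".join(table.get(c, PLACEHOLDER) for c in encoded)


# Constructed sample URLs (hypothetical hosts, not the real payload URLs from the post).
SAMPLE_URLS = ["http://example.com/w.php?f=1", "http://example.com/all.php?x=1"]
POSITION_PAIRS = [(encode_position_lookup(u, BLACKHOLE_KEY), u) for u in SAMPLE_URLS]

# Constructed toy substitution alphabet. Only d->h and X->t are taken from the post's
# CritXPack description; the rest is invented so the sample runs offline.
_PLAIN = "htp:/exam.lcow?f=1"
_ENC = "dX7Z!qBAM.9LRWUf^2"
TOY_SUBST = dict(zip(_PLAIN, _ENC))  # plaintext -> encoded, used only to build samples
SUBST_PAIRS = [("".join(TOY_SUBST[c] for c in u), u) for u in SAMPLE_URLS]

if __name__ == "__main__":
    print(decode_position_lookup("0b0909", BLACKHOLE_KEY))  # "htt", as worked through in the post
    recovered = build_position_key(POSITION_PAIRS)
    print(recovered)  # partial key: only the positions the two sample URLs touched
    print(decode_substitution(SUBST_PAIRS[0][0], build_substitution(SUBST_PAIRS)))
```

The conflict check is the useful part when you are collecting samples across variants: the moment two (encoded, URL) pairs disagree on a position, you know the author rotated the key, which is also how you would notice that Cool Exploit Pack and Black Hole did not.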

This program is now available on the Tools page.

Posted in Exploit Packs, Tools

KaiXin Exploit and Tool Update

Just a quick follow-up of an in-depth article from Denis Laskov which you can read here. Denis kindly provided me with the pack and I noticed that this strange text file was getting downloaded:

This sort of looks like an EXE file structure, so I imported the file as hex and truncated it so I could do a quick XOR search for “MZ”. Found the key!

Now I can load up the entire file and XOR it with the key, 0xA2, but something doesn’t look right.

All the 0xA2 values should actually be 0x00s. The KaiXin author(s) only encoded non-0x00 values. Clever. So I check this box and convert it again.

Okay, that looks better. Now let’s write it out to a binary file and check it against VirusTotal. Here are the results:

MD5: a2528ea962ce621b3b0f190a1d1e904e
VT: 25 / 43

I updated this Data Converter tool to incorporate some new ideas like the one above. It can also enumerate all the keys to an external file because sometimes you don’t know what you are looking for.

I also included the ability to add or subtract a decimal value before and after performing the action. This suggestion came from Kafeine (thanks!) when trying to extract an encrypted class file from a JAR.
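The XOR key search, the zero-skipping decode and the add/subtract option from this post, as an added Python example (not the Data Converter tool itself). The sample is a constructed generic DOS header encoded the KaiXin way with 0xA2, not bytes from the real file:

```python
"""Single-byte XOR key search by signature, with the KaiXin zero-skipping quirk."""
from typing import Dict, List


def xor_decode(data: bytes, key: int, skip_zero: bool = False,
               add_before: int = 0, add_after: int = 0) -> bytes:
    """XOR every byte with `key`. With skip_zero, 0x00 bytes are passed through untouched,
    which is how the KaiXin file was produced (only non-zero bytes were encoded).
    add_before/add_after mirror the converter's add-or-subtract-a-decimal option (mod 256)."""
    out = bytearray()
    for b in data:
        if skip_zero and b == 0:
            out.append(0)
            continue
        v = (b + add_before) & 0xFF
        v ^= key
        out.append((v + add_after) & 0xFF)
    return bytes(out)


def find_xor_keys(data: bytes, signature: bytes = b"MZ", offset: int = 0) -> List[int]:
    """Enumerate all 256 keys and keep those that reproduce `signature` at `offset`.
    Truncating the input to the window, as the post does, is what makes this quick."""
    window = data[offset:offset + len(signature)]
    return [k for k in range(256) if xor_decode(window, k) == signature]


def enumerate_keys(data: bytes, preview: int = 16) -> Dict[int, str]:
    """When you don't know what you're looking for: decode a prefix under every key so the
    results can be dumped to a file and eyeballed."""
    return {k: xor_decode(data[:preview], k).hex() for k in range(256)}


# Constructed sample: the first 32 bytes of a generic DOS header, not the KaiXin file's bytes.
# It deliberately contains no 0xA2 byte: a plaintext byte equal to the key encodes to 0x00 and
# would be mistaken for an unencoded zero, so the zero-skipping scheme is not fully reversible.
FAKE_HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000")
SAMPLE_ENCODED = xor_decode(FAKE_HEADER, 0xA2, skip_zero=True)  # XOR is its own inverse

if __name__ == "__main__":
    keys = find_xor_keys(SAMPLE_ENCODED)
    print("candidate keys:", [hex(k) for k in keys])
    naive = xor_decode(SAMPLE_ENCODED, keys[0])
    print("naive decode has", naive.count(0xA2), "bytes of 0xA2 where zeros belong")
    fixed = xor_decode(SAMPLE_ENCODED, keys[0], skip_zero=True)
    print("zero-skipping decode matches the original:", fixed == FAKE_HEADER)
```

Searching for the signature over a two-byte window gives at most one key, so a candidate list longer than one means the window was wrong, not that several keys fit. The ambiguity noted in the comment is worth remembering: any original byte equal to the key is lost under this scheme, so a decoded binary may still carry a few stray 0x00 bytes where the author’s encoder collided with its own key.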

If there are no major bugs then I’ll be adding this to the Converter tool later. You can download this and other programs directly from this site now on the Tools page.

Posted in Exploit Packs, Tools