Binary File Converter

I wanted to copy over some of my tools into a remote host via VPN. The remote host was locked down so emailing files to myself or downloading files from a website or local drive was not possible. The only thing that was allowed was the clipboard so copying/pasting worked.

There have been previous articles and discussions about converting binary content into text to move files in and out of VPN and other similar technologies so I searched for and found some tools on Internet that I could use but they were kludgy, bloated, or cumbersome to use.

So here’s a quick, little tool I wrote with the least creative name I could come up with and the UI to match. 🙂 It converts a binary file into text, which shows up in the text box; you copy/paste that over to a receiving program, which converts the text back into a binary file.

To get the receiving program into the remote host, click on the “Create VBS File” button. The textbox will populate with a VBS script.

You just copy the text, switch over to the remote host, paste it into a text document, then save it as “file.vbs” and run it.

When the script runs, a “lite version” of the program will be written out.

In my example, I zipped up my tools on the local host:

Then I clicked on “Read Binary File”. The program converts the binary file into text. I just right-clicked and chose “Select All” then “Copy”.

I went over to the remote host and pasted the text into the textbox. When I clicked on “Write Binary File”, the zipped file appeared on the desktop.

I probably need to mention that companies should already know about this threat. Antivirus should protect against moving malware into the remote host and DLP should protect against data exfiltration. If the security gap is still too big then you can disable the clipboard via group policy.

Last thing. VB Classic was used to code this program. Textboxes in VB Classic are limited to 64K; however, a smart fellow came up with a way to break this barrier. Credit and thanks to Tom Moran. I think I’ll be using his code snippet in my projects since it works great and seems stable (albeit slowly when dealing with large files). This program is available as-is, without warranties.

Filename: Binary File Converter.zip
MD5: 1C9766C1A7A18DB7736CB709090C4C22
Download: http://www.mediafire.com/?zdb2pli66vw9gs7


Escalating Java Attacks

If you’re into malware analysis or incident response, I’m sure you’ve come across a number of malicious Java applets lately. And perhaps you’ve noticed some new tactics being employed which are quite clever and probably effective in getting past perimeter and desktop security.

Here are three related articles that caught my eye:
A unique ‘fileless’ bot attacks news site visitors
An interesting case of JRE sandbox breach
New Java Attack Rolled into Exploit Packs

As noted by Brian Krebs, the latest Java exploit, CVE-2012-0507, will be added to exploit packs soon. Some people believe that the Eleonore Exploit Kit is the first kit to use this exploit. An announcement at the end of 2011 revealed version 1.8.91 which included Java Rhino.

Eleonore Exploit Kit v1.8.91
Private sheaf exploit
Coder - Exmanoize

Are included new exploit:
java_rhino
pdf libtiff
pdf u3d new
flash pack
quicktime
iepeers
mdac

Average having punched on a sheaf: 15-25% Depends on the traffic.
On SEO traffic can be 25-35%
* Knock standard, even hardly above the standard:
> Zeus = 50-60%
> Loader = 80-90%

The price of last version 1.8.91 :
> Cost of the sheaf = 2200$
> Cleanings from antivirus = from 50$
> Domain change free of charge, change ip = 50$
> Updates = from 100$
* Sheaf with a binding to the domain or IP .

It’s very possible that Eleonore has been updated since then with this new Java Atomic exploit as Exmanoize has added 0days to his kit before.

Microsoft researchers have already dissected this but let’s have a quick look at this Java exploit anyway…

The exploit file has a hidden class in the applet (“arrayOfString”):

I used my Converter program to swap one character every one position to reveal the magic number for class files, “CAFEBABE”:

After writing that out to a binary file, we can see that it uses two alternating values to XOR an encrypted file:

Since the file is encrypted and looks like a bunch of random bytes, it’s very likely it would download just fine and land on the victim’s PC, where it’s decrypted and executed by the applet.

Here’s another tactic I found that’s similar. This was part of a malvertisement campaign on a Chinese news site discovered the other day. Instead of downloading a separate binary file that gets decrypted and executed, malware authors are using a self-contained applet which includes the encrypted payload.

The entry point reveals a call to an external Javascript file, some encodings, and a redirect:

Here’s the Javascript file doing the encoding:

You have to nail the referer and the parameters just right or you’d end up with this innocent JAR (I’m noticing that some new exploit kits require the same attention to details or you’ll get a goose-egg):

If you’re successful, you’ll get the malicious applet.

The pl.class describes rotating four values to XOR decrypt a resource file that’s actually included right in the JAR file itself. It’s the CMQSQVRW file seen on the left-hand side.

Here’s what the encrypted file looks like:

I wrote a quick and dirty program to XOR files using multiple values for added flexibility:

Sure enough, you end up with an executable, actually a DLL. You’ll notice that the first two bytes are not “MZ”. Those bytes are written out by the applet (see the above code) which my program didn’t do.
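The rotating-value XOR scheme the applet uses, as an added Python example (this is not the author’s Converter program or the applet’s own code): xor_rotate covers the single-, alternating- and four-value cases in one function, recover_key goes beyond the text with known-plaintext key recovery, swap_pairs assumes the Converter’s character swap exchanges adjacent characters, and the sample bytes and key are constructed, not taken from any real sample.

```python
def xor_rotate(data: bytes, key: bytes) -> bytes:
    """XOR byte i of data with key[i mod len(key)].

    The pl.class loop rotates four values; a two-value key gives the
    alternating scheme of the first applet, and a one-byte key (e.g. 0x28)
    is the single-value case. XOR is its own inverse, so this also encrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery (not on the page): if the first key_len bytes of
    the plaintext are known, XORing them against the ciphertext yields the key."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of both buffers")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def swap_pairs(text: str) -> str:
    """Undo a transposition of every adjacent character pair; assumed here to be
    what the Converter's "swap one character every one position" did."""
    chars = list(text)
    for i in range(0, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decoded buffer: MZ stub and "PE\\0\\0" at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed sample: a minimal fake PE header (e_lfanew = 0x40), not real malware.
SAMPLE_PLAIN = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"stub" * 8
SAMPLE_KEY = bytes([0x11, 0x22, 0x33, 0x44])
SAMPLE_CIPHER = xor_rotate(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_CIPHER, b"MZ\x00\x00", len(SAMPLE_KEY))
    decoded = xor_rotate(SAMPLE_CIPHER, key)
    # If the applet writes the first two bytes itself, patch them before the check:
    # decoded = b"MZ" + decoded[2:]
    print(key.hex(), looks_like_pe(decoded))
    print(swap_pairs("ACEFABEB"))
```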

When the applet runs, it decrypts the resource file, then writes it out to the temp folder as an innocent looking “htm” file:

The DLL file is then called up; it scans the registry for known AV products. When done, it makes an HTTP request for a “tracking.gif” file, which includes information in its user-agent string and cookie.

This behavior sounds similar to what the Kaspersky researcher found that preceded the Lurk infection.

Going back to the applet, I tried to look for clues that would tell me which Java exploit was used but there’s nothing there. I noticed a Corba import, which makes me wonder if this is using the vulnerability described here:

CVE-2012-0506 - “Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to CORBA.”

There is no further information or technical details about this vulnerability so I can’t confirm. Since Oracle indicated that they have fixed this vulnerability in Java SE 6u31, I installed this version and executed the applet. Nothing happened. The applet failed to decrypt and write out the DLL file to the temp folder.

DLL MD5: 52FA85A43AE7666DAAB7893385FA2F7F
VT: 0/42
Anubis results

JAR MD5: 08331A5C7564FD61A84EDEA7FBCF56FC
VT: 0/42


Converter v0.3 Released

Here’s another update based on some recent real-world analysis I’ve done as well as some of your requests and feedback.

The first thing you’ll notice is that I’ve increased the workspace as requested.


Custom Character Filter
Here’s one example but you can find numerous variants via Google:

It’s just a URL with garbage characters inserted between valid ones. This feature allows you to remove a set of individual characters from the text. Note: You can also use the “invert” option to keep only the characters that match instead.


Multi-Pass Search
You might have seen this script on recent website compromises; it uses a convoluted method of character replacement.

You can tackle this script in a couple of ways. One method is to manually search/replace each character, but that takes time, so I’ve added a way to do multiple searches/replacements in one go. Just make sure you use a unique character for your delimiter.

FIFO, “first in, first out”, means that it will find the first match for each position and ignore any other matches. LILO, “last in, last out”, means that the replacements are applied in sequence, so the last match is the one that ends up in the result. Here’s a very simple example:

Method: Single-Pass (FIFO)
String: “hello”
Search: e,x
Replace: x,z
Delimiter: , (comma)
Result: “hxllo”

Method: Multi-Pass (LILO)
String: “hello”
Search: e,x
Replace: x,z
Delimiter: , (comma)
Result: “hzllo”
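The Custom Character Filter and the two search/replace modes, as an added Python example that is not the Converter’s own code: filter_chars implements the filter with its “invert” option, replace_single_pass is the FIFO mode and replace_multi_pass the LILO mode from the hello/e,x/x,z example above; the padded URL is a constructed input.

```python
def filter_chars(text: str, chars: str, invert: bool = False) -> str:
    """Custom Character Filter: drop every character that appears in `chars`.
    With invert=True keep only those characters instead."""
    drop = set(chars)
    return "".join(c for c in text if (c in drop) == invert)


def split_terms(search: str, replace: str, delimiter: str) -> list[tuple[str, str]]:
    """Split the Search and Replace fields on the delimiter into (search, replace)
    pairs; the delimiter must not occur inside any term."""
    s_terms, r_terms = search.split(delimiter), replace.split(delimiter)
    if len(s_terms) != len(r_terms):
        raise ValueError("search and replace lists must have the same length")
    return list(zip(s_terms, r_terms))


def replace_single_pass(text: str, pairs: list[tuple[str, str]]) -> str:
    """Single-Pass (FIFO): scan the text once; at each position the first search
    term that matches wins, its replacement is emitted and never re-examined."""
    out, i = [], 0
    while i < len(text):
        for s, r in pairs:
            if s and text.startswith(s, i):
                out.append(r)
                i += len(s)
                break
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def replace_multi_pass(text: str, pairs: list[tuple[str, str]]) -> str:
    """Multi-Pass (LILO): apply each pair over the whole text in turn, so text
    produced by an earlier replacement can be rewritten by a later pair."""
    for s, r in pairs:
        if s:
            text = text.replace(s, r)
    return text


# Constructed inputs: a garbage-padded URL and the page's hello / e,x / x,z example.
PADDED_URL = "h@t@t@p@:@/@/@e@x@a@m@p@l@e@.@c@o@m@/"
HELLO_PAIRS = split_terms("e,x", "x,z", ",")

if __name__ == "__main__":
    print(filter_chars(PADDED_URL, "@"))              # http://example.com/
    print(replace_single_pass("hello", HELLO_PAIRS))  # hxllo
    print(replace_multi_pass("hello", HELLO_PAIRS))   # hzllo
```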


Under the File menu item…


Convert Binary File
You can read in a binary file and convert it to a hex file and vice versa. The output file will be written to the application’s current path.

Convert Shellcode to EXE
If you encounter shellcode, you can convert that to an EXE file (credit to David Zimmer of Sandsprite). The file “shellcode.exe_” will be written to the application’s current path.

Now you can decompile/debug it using IDA or Olly. You can see the XOR decryption loop here (remember this for later).


Under the Tools menu item…


Convert Unix Epoch Timestamp
You can convert date/time to Unix Epoch and vice versa:

XOR Encrypt/Decrypt
You can now encrypt or decrypt content using XOR (credits to Sebatian L. and to James Johnston of TechKnow Professional Services. This program also contains cryptography software by David Ireland of DI Management Services Pty Ltd).

If you paste shellcode in hex, you can decrypt it if you know the key. Remember the example above? It uses the value 0x28 to decrypt the shellcode, which is “(” in ASCII. You can use either value.

This program is packed with UPX so AV may falsely indicate this is malicious but it’s not. Also, this is being made available as-is without warranties. I hope you all continue to find this tool useful.

Download: http://www.mediafire.com/?p0zb8kexad1vewz
MD5: 9880C4D32103945D5244BD5286932602


Chinese Pack Using Dadong’s JSXX VIP Script

Another week, another pack. But this one is using Dadong’s JSXX 0.41 VIP obfuscation script, which makes the task of Javascript deobfuscation more difficult than with the others. We’ll get to that in a bit but let’s talk about the exploit pack itself first.

This exploit pack calls up three exploits across several files. There are numerous references to “gondad” in the script so we’ll call this “Gong Da Pack” (according to translation sites, “gong da” means “attack” in Chinese). Here’s the main page and the start of the exploitation process:

Near the top of the screenshot above, you can see that it iframes “ff.html”. This page calls up a Flash exploit (CVE-2011-2140).

The second page it iframes is “i.html”. It loads up a MIDI file which exploits Windows Multimedia Library (CVE-2012-0003).

Finally, in one of the obfuscated sections, it calls up a JAR file that exploits Rhino (CVE-2011-3544). You’ll see this at the end when we deobfuscate the script.

If the exploits are successful, “Gong Da Pack” drops two executables onto the client’s PC:

Filename: top.exe
MD5: DAA26AC034C368CE43B7EF1F952DAD01
VT: 31 / 43

Filename: topx.exe
MD5: 2FBC5B68C1D744610CD583FA366DFE6C
VT: 1 / 43

Now let’s talk a little about the script obfuscation. Prior to this pack’s discovery, I had never heard of the “Dadong’s JSXX 0.41 VIP” Javascript obfuscator. I tried searching for the obfuscation program, script, or service but I couldn’t find anything (if anyone can share, please email me).

Next I tried to get more information about the obfuscation technique and see what others had to say about it. I didn’t find much but apparently, this obfuscator has been used to hide exploits before. I also found two programs that try to deobfuscate the scripts but both fail on this particular version. Seems like another cat-and-mouse game is going on between the author(s) and researchers.

Here’s the main page again and you can see the reference to the obfuscator:

This is one clever piece of code which takes the blob of hex at the top and turns it into exploit code but does so in a way that any kind of tampering of the deobfuscation script below causes it to return gibberish instead.

What the author has done is made the deobfuscation script tamperproof (kind of like using the callee function) where an addition, deletion, or change of any character will cause the “decryption” key to be modified. How is it doing that? By using the value of each of the characters in the deobfuscation script. Nice!

Here’s what happens if you try to modify the script to deobfuscate it. The variable “vTeXx3” contains what we want to see so we try to view its value. We replace “IPUk4(vTeXx3)” with “alert(vTeXx3)” as seen here:

And this is the result:

Let’s try again but this time we intercept “IPUk4” (which is set to execScript — similar to eval) and route the variable to “alert”. However, we need to be mindful of what the code is doing so we will change “IPUk4” to “IPUl3” (increment “k” and decrement “4” which is a wash) and add the alert outside of the “VXWBks7” variable like so:

When we execute the script, the deobfuscated text appears:

And it’s here that we see the Java Rhino exploit.


Another Chinese Pack

This set of exploits was found on a Chinese website by @switchingtoguns (thanks!). It appears to be another Chinese exploit pack.

As mentioned in a previous post, Chinese “exploit packs” are straightforward and no-nonsense. This one doesn’t use PHP, has no database, and has no administration panel. It’s a collection of HTML files that contain exploit code and minimal Javascript obfuscation. Despite its simplicity, it appears to be quite effective, and that seems to be all that really matters to its creators.

The entry page contains iframes that call upon several exploit files in the single folder:

This pack, which we’ll call “Zhi Zhu Pack” (pronounced “jii-juu”), contains five exploits but interestingly there are no Java exploits. The first three exploits were also found in the previously announced pack we called “Yang Pack”.

* IEPeers (CVE-2010-0806)
* Flash 10.3.181.x (CVE-2011-2110)
* Flash 10.3.183.x (CVE-2011-2140)
* IE Time Element Memory Corruption (CVE-2011-1255)
* WMP MIDI (CVE-2012-0003)

Why are we calling it “zhī zhū”? There are numerous references to the word “spider” in several of its HTML files. “Zhī zhū” in Chinese means spider, so this is basically the Spider Exploit Pack.

The IE Time Element Memory Corruption exploit (CVE-2011-1255) has been seen in the wild since June of last year. It’s the first time I’m seeing this exploit in a “pack”.

The newest addition is the very recent Windows Media Player MIDI remote code execution vulnerability (CVE-2012-0003):

The payload appears to be a password stealer for an online game:
