Anti-Malware Laboratory

Yet Another Malware Blog

Friday, December 6, 2013

PDF CVE-2013-5065 - Dropped BAD Malware

Posted on Friday, December 06, 2013 by Unknown | No comments

This malware was clearly written by a professional, as it uses an advanced method of installing itself. And the malware author knows that what he/she created is BAD:

0x0BAD - signature of the data-stealing shellcode.

Installation

This malware was dropped by a PDF file that exploits a known vulnerability resulting in privilege escalation. To keep running with administrator privileges, it creates the following autostart entry:

Software\Microsoft\Windows NT\Currentversion\Winlogon
Shell="explorer.exe, <malware_path_and_filename>"

This malware injects its code into the Windows taskbar by searching for the Shell_TrayWnd window handle. It also uses ZwQuerySystemInformation to enumerate all running processes, computes a hash of each process name, and compares the result against a hardcoded list of hashes of the executables targeted for code injection. The targeted executables and their corresponding hashes are:

69CD16BA - iexplore.exe
7B6061F9 - firefox.exe
880F19D2 - chrome.exe
DD87014F - opera.exe
74667F89 - explorer.exe

Rather than referencing the APIs it needs by name, this malware resolves them by hash. It uses the TIB (FS:[0x18]) to walk the loaded DLL modules. Below is the list of APIs and their corresponding hashes:

1F8B758A - ntdll.dll
B05FD69A - LdrGetDllHandle
CCE8D5E4 - LdrLoadDll
FBAF20FE - ZwSetInformationThread
F84E6809 - ZwResumeThread
251E0CC9 - ZwDelayExecution
17CF5544 - RtlGetProcessHeaps
9B2E0E85 - RtlAllocateHeap
41324137 - ZwQuerySystemInformation
086A61AC - RtlReAllocateHeap
E4A0A8C0 - RtlFreeHeap
CD74BF79 - ZwOpenProcess
309A4C54 - ZwClose
73ED9B27 - ZwCreateSection
5D859023 - ZwMapViewOfSection
B62E0ECD - _snprintf
6828791B - ZwTerminateThread
0301DA7D - RtlDecompressBuffer
CE8286AD - ZwAllocateVirtualMemory

4F515588 - kernel32.dll
1A08B014 - CreateRemoteThread
C3B42C10 - GetModuleFileNameW
98D29F2E - GetModuleFileNameA
63A4DEA5 - GetShortPathNameW
412E83B3 - GetShortPathNameA
EB771CAF - CreateEventA
F6F15646 - ExpandEnvironmentStringsA
438EED48 - CloseHandle
A01B4F40 - GetFileAttributesA
69FB2CCE - GetFileAttributesW
5568AE6B - CreateFileA
DC0BC10F - WriteFile
534D310F - ExitProcess
2415842C - DeleteFileW
7DC71262 - DeleteFileA
293DF8B5 - GetProcessVersion

5B117232 - advapi32.dll
E4A8B4E0 - OpenProcessToken
3B97B437 - GetTokenInformation
5B1D4476 - EqualSid
1A726DBB - DuplicateTokenEx
F5E6C455 - RegCreateKeyExA
A63ACEB9 - RegSetValueExA
8F2D0F57 - RegCloseKey

5A4B3EDE - user32.dll
8FAFF46C - FindWindowA
D69D869A - PostMessageA
71669709 - SetWindowLongA

69DE0153 - shell32.dll
F955B5FA - ShellExecuteA

69304E4B - ole32.dll
5142539F - CoCreateGuid
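As an added example (not code from the original post or the sample), the following Python checks whether any of several common string-hashing routines reproduces the process-name table above; the candidate algorithms and the case/encoding variants are assumptions, and the sample's real routine may be none of them. The same loop can be pointed at the module and API tables above once a routine matches.

```python
import zlib
from itertools import product

# Hash -> name table copied from the post (process names targeted for injection).
PROCESS_HASHES = {
    0x69CD16BA: "iexplore.exe",
    0x7B6061F9: "firefox.exe",
    0x880F19D2: "chrome.exe",
    0xDD87014F: "opera.exe",
    0x74667F89: "explorer.exe",
}

def ror13(data: bytes) -> int:
    # Rotate-right-13 accumulator used by many position-independent loaders.
    h = 0
    for b in data:
        h = ((((h >> 13) | (h << 19)) & 0xFFFFFFFF) + b) & 0xFFFFFFFF
    return h
def djb2(data: bytes) -> int:
    h = 5381
    for b in data:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h
def fnv1a(data: bytes) -> int:
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h

# Candidate routines (assumption: the sample's real routine may be none of these).
HASHERS = {"crc32": lambda d: zlib.crc32(d) & 0xFFFFFFFF,
           "ror13": ror13, "djb2": djb2, "fnv1a": fnv1a}
CASES = {"asis": str, "lower": str.lower, "upper": str.upper}
ENCODINGS = ("ascii", "utf-16le")  # ANSI vs. the UTF-16 names kept in the PEB module list

def encode(name: str, case: str, enc: str, nul: bool) -> bytes:
    # The bytes a hashing loop would see: case-folded, encoded, with optional terminator.
    return (CASES[case](name) + ("\0" if nul else "")).encode(enc)

def identify_hash_algorithm(table: dict):
    """Return (algorithm, case, encoding, nul) reproducing EVERY entry, else None."""
    # Requiring all entries to agree rules out a chance 32-bit collision on one name.
    for algo, case, enc, nul in product(HASHERS, CASES, ENCODINGS, (False, True)):
        fn = HASHERS[algo]
        if all(fn(encode(name, case, enc, nul)) == h for h, name in table.items()):
            return algo, case, enc, nul
    return None

if __name__ == "__main__":
    # None means a custom routine: lift it from the disassembly and add it to HASHERS.
    print(identify_hash_algorithm(PROCESS_HASHES))
```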


Information Stealing

This malware has the following capabilities:

Delete files
Download and execute files
Send stolen data to server
Stop its own process

These routines are not executed, however, if any of the following network monitoring tools is running:

tcpdump.exe
windump.exe
ethereal.exe
wireshark.exe
ettercap.exe
snoop.exe
dsniff.exe

It steals the following information from a compromised machine:

Uptime of the machine
Temp folder
File listing on certain directory
Drive Types
Network Resources
TCP and UDP connection table
List of running processes
List of names of open windows
Machine Information (Manufacturer and Model)
Operating System version
Processor Information
Computer Name
Local Group
Local Users
Language
Timezone
Country
Installed Windows Updates

It then collates and encrypts the data listed above before sending it to the following sites via an HTTP POST request:

http://{REMOVED}play.com/wp-includes/sitemap/?rank=78964
http://{REMOVED}ree.ir/wp-content/plugins/online-chat/?rank=87758


