Finding 0-day Malware with my Morning Coffee

I haven’t been looking through exploit kits for a couple of weeks, as I’ve been learning NodeJS and Angular.  I will use a web app I wrote last week to finish the analysis here.  So, this morning I grabbed some coffee and fired up the VM.  Malware domain list had a recent URL for Blackhole, and so I curled down the content.  And as expected, it is obfuscated javascript (the page and extracted unicode are placed on github, password: infected):

eyonObfuscated

This is easy to deal with using js beautifier and NodeJS.

Opening Node, we place the variable ‘a’ into the engine.

 $ node
> var a = "112;100;112;100;61;123;118;101;114;115;105;111;110;58;34;48;46;55;46;5(;34;44;110;9(;109;101;58;34;112;100;112;100;34;44;104;9(;110;100;108;101;114;58;102;11(;110;99;116;105;111;110;40;99;44;98;44;9(;41;123;114;101;116;11(;114;110;32;102;11(;110;99;116;105;111;110;40;41;123;99;40;98;44;9(;41;125;125;44;111;112;101;110;84;9(;103;58;34;60;34;44;105;115;68;101;102;105;110;101;100;58;102;11(;110;99;116;105;111;110;40;98;41;123;114;101;116;11(;114;110;32;116;121;112;101;111;102;32;98;33;61;34;11(;110;100;101;102;105;110;101;100;34;125;44;105;115;65;114;114;9(;121;58;102;11(;110;99;116;105;111;110;40;98;41;123;114;

Using beautifier, I can pick and choose the commands to enter.  I change ‘e = eval’ to ‘e = console.log’.  This will print to the screen instead of evaluating the content of a string.

I then ignore the catch/try combinations that check to see if document exists.  Malicous JavaScript that checks against the ‘document’ is done to defend against automated analysis. Ignoring the obfuscation allows me to perform the proper regex replace command to get the hex array out of the variable ‘a’.

> var e = console.log;
undefined
> var rr = "replace";
undefined
> var sp = "split";
undefined
> a=a[rr](new RegExp("\\(","ig"),7)[sp](";");
[ '112',
  '100',
  '112',
  '100',
  '61',
  '123',

I can now go back to the initial function c, which contained the String.fromCharCode that changes the hex into characters.  It was original obfuscated (if(window.document)s+=String["f"+"ro"+"mCh"+"arC"+ff](a[i]);).

> function c() {
... for (i=0, s=""; i < a.length; i++) {
..... s += String.fromCharCode(a[i]);
..... }
… }
undefined

Now we can run the function and then output, using console.log, the page.

> c();
undefined
> e(s)
pdpd={version:"0.7.9",name:"pdpd",handler:function(c,b,a){return function(){c(b,a)}},openTag:"<",isDefined:function(b){return typeof b!="undefined"},isArray:function(b){return(/array/i).test(Object.prototype.toString.call(b))},isFunc:function(b){return typeof b=="function"},isString:function(b){return typeof b=="string"},isNum:function(b){return typeof b=="number"},isStrNum:function(b){return(typeof b=="string"&&(/\d/).test(b))},getNumRegx:/[\d][\d\.\_,-]*/,splitNumRegx:/[\.\_,-]/g,getNum:function(b,c){var d=this,a=d.isStrNum(b)?(d.isDefined(c)?new RegExp(c):d.getNumRegx).exec(b):null;return a?a[0]:null},compareNums:function(h,f,d))….

From here, we have all we need to grab links and evaluate the kit.

eyonGetShellCode

But I just finished creating a web app to examine shellcode and want to try it out.  So scanning the output I find a function properly named getShellCode.

eyonGettingShell

Running it we get the unicode version.  This is posted on the samples github site.  This is what we want.  Now I can use my new tool. Placing the unicode into the playingwithothers.herokuapp.com tool, I hit “Analyze”.  I can see that it found the http token.

eyonTerms

Then I check the printables and copy the http address.

eyonPayload

I can curl the address and get the binary.

eyonCurl

Then I can see Virus Totals opinion,

eyonVT

I can also get the xor’ed hex and run it through ndisasm to see if there is anything interesting in the code.

eyonHex

This you can just cut and paste into hex fiend and then save the binary.  Once saved as a binary, you can use nidisam:

$ ndisasm -u eyon 
00000000 6969694EABCCD4 imul ebp,[ecx+0x69],dword 0xd4ccab4e
00000007 D4C3 aam 0xc3
00000009 387019 cmp [eax+0x19],dh
0000000C E14E loope 0x5c
0000000E A9C1D3D5A8 test eax,0xa8d5d3c1
00000013 1800 sbb [eax],al
00000015 68CAD2C32D push dword 0x2dc3d2ca
0000001A C0C3D7 rol bl,0xd7
0000001D D7 xlatb
0000001E D7 xlatb
0000001F 85E4 test esp,esp
00000021 7534 jnz 0x57
00000023 E95F33C064 jmp 0x64c03387
00000028 8B4030 mov eax,[eax+0x30]
0000002B 8B400C mov eax,[eax+0xc]
0000002E 8B701C mov esi,[eax+0x1c]
00000031 56 push esi
00000032 8B7608 mov esi,[esi+0x8]
00000035 33DB xor ebx,ebx
00000037 668B5E3C mov bx,[esi+0x3c]
0000003B 0374332C add esi,[ebx+esi+0x2c]

Update Note: When I originally posted this article, I stopped at this point feeling that many readers would already have a good sense of how to reverse the binary shellcode. And so the posting ends fairly abruptly, without conclusion as a reader pointed out to me.

I have been coding in the last couple of weeks, writing a x86 disassembler in Javascript. The idea is to allow an instruction output of the binaries from the playingwithothers.herikuapp.com tool without cutting and pasting into a hex editor and then running through ndisasm on the users system. I also did not want to have the situation of sending the binary back to the server for privacy reasons.  The idea of writing a JS version of a disassembler is somewhat crazy.

Hopefully, I can pull myself away from this task to work on a post about shellcode and add some conclusion to this analysis. Cheers.

Comments

  1. Very helpful! One thing that was useful to me was to write out a beautified, deobfuscated version of the original malicious payload:
    > var fs = require(‘fs’);
    > fs.writeFile(‘deobfuscated.js’,require(‘node-beautify’).beautifyJs(s));

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 224 other followers

%d bloggers like this: