Here we'll demonstrate the analysis of a PDF malware sample that uses two Acrobat Reader vulnerabilities. The sample I got from Mila (thanks Mila), but I don't remember the link and can't find it again.
Required things
• Python scripts: zlibd.py (zlib decompress) and shellcode2bin.py (shellcode to binary)
• HT Editor
• Hex editor
First of all we open the malware sample in Notepad++ and look for JavaScript streams.
We see that FlateDecode is used here, so the stream can be decompressed with zlib. To do this we copy the stream into a separate text file, save it, and then run a Python script (zlibd.py) to decompress it.
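The stream extraction and inflation described above, as an added example that is not part of the original post or its scripts: a Python 3 script that walks every stream object in a PDF, inflates the FlateDecode ones with zlib, and flags streams whose dictionary or decoded content looks like JavaScript. The sample PDF bytes embedded in it are constructed for the demo (they mimic the 'XX' for '%u' substitution the write-up describes) and are not the analysed sample; `find_javascript_streams`, `iter_streams` and the `SUSPICIOUS` keyword list are names chosen here.

```python
import re
import sys
import zlib

# Constructed sample (not the analysed file): a tiny PDF whose OpenAction runs
# a JavaScript string kept in a FlateDecode-compressed stream. The script text
# imitates the 'XX' -> '%u' substitution trick described in the write-up.
SAMPLE_JS = b"var sc = 'XX9090XX9090XX9090'.replace(/XX/g, '%u'); var buf = unescape(sc);"
COMPRESSED_JS = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
    + b"3 0 obj\n<< /Length " + str(len(COMPRESSED_JS)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + COMPRESSED_JS + b"\nendstream\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Stream body: everything between the 'stream' keyword's line break and 'endstream'.
# DOTALL because the body is binary and may contain newlines.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Idioms that shellcode-building JavaScript tends to use.
SUSPICIOUS = (b"eval(", b"unescape(", b".replace(", b"%u", b"String.fromCharCode")


def iter_streams(pdf):
    """Yield (dictionary, raw_data) for every stream object in the file.

    Splitting on 'endobj' keeps the dictionary limited to the object that owns
    the stream. A binary stream body that itself contains 'endobj' would break
    this; that is acceptable for triage.
    """
    for obj in pdf.split(b"endobj"):
        m = STREAM_RE.search(obj)
        if m:
            yield obj[:m.start()], m.group(1)


def inflate(data):
    """Inflate FlateDecode data. decompressobj hands back whatever it could
    decode from a truncated or garbage-trailed stream instead of raising."""
    return zlib.decompressobj().decompress(data)


def find_javascript_streams(pdf):
    """Return [(dictionary, decoded_data)] for streams that carry JavaScript:
    either the owning dictionary says so (/JS, /JavaScript) or the decoded
    content uses the usual string-building idioms listed in SUSPICIOUS."""
    hits = []
    for dictionary, raw in iter_streams(pdf):
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = inflate(raw)
            except zlib.error:
                continue  # not zlib data at all (or another filter applied first)
        if (b"/JS" in dictionary or b"/JavaScript" in dictionary
                or any(tok in data for tok in SUSPICIOUS)):
            hits.append((dictionary, data))
    return hits


if __name__ == "__main__":
    # Usage: script.py [sample.pdf]; without an argument it runs on SAMPLE_PDF.
    pdf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for n, (dictionary, data) in enumerate(find_javascript_streams(pdf), 1):
        print("[%d] %s" % (n, dictionary.strip().decode("latin-1")))
        print(data.decode("latin-1", "replace"))
```

Running it without arguments prints the one FlateDecode stream of the constructed sample together with its inflated JavaScript; pointing it at a real file does the same for every stream object, which saves copying streams into a text editor by hand.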
Now we analyze the malicious JavaScript in a text editor.
The JavaScript shellcode is obfuscated with the replace function: every '%u' has been replaced by 'XX'.
So now we copy the shellcode into another file and replace 'XX' with '%u' again. Then we convert the shellcode to a binary file so we can analyze its disassembly.
We use another Python script (shellcode2bin.py) to convert the shellcode to binary for disassembly.
Now we can analyze it in HT Editor:
We can see that the file contains a malicious EXE XOR'ed with the key 0x0F. When we XOR the file again we get the EXE headers at offset 0x4374. The size of the EXE is 229475 bytes. At the end of this malicious EXE a genuine PDF starts, which is opened once the exploit has completed. The genuine PDF is XOR-encoded with the key 0xFF and starts at offset 0x3c3d7.
We select this PDF from 0x3c3d7, where we can see %PDF through %%EOF in the hex editor, paste it into a new file and save it as 'dropped.pdf'. This is the original file that is dropped after the exploit completes.
To extract the EXE we select from 0x4374 to 0x3c3d6 and XOR it with 0x0F.
In this way we extracted both the malicious EXE and the genuine PDF embedded in the exploit without ever opening the file.
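The XOR carving from the last steps, generalized, as an added example (not the authors' code): rather than reading the key and offsets off the disassembly and hex editor, it tries all 256 single-byte keys, accepts an 'MZ' only when its e_lfanew really points at 'PE\0\0' under the same key, requires '%PDF' and a following '%%EOF' under one key for the dropped document, and then decodes both regions. The blob it runs on is constructed inline (zero padding, a PE-shaped header XOR 0x0F, a minimal PDF XOR 0xFF) to mirror the layout described above and is not the sample; `find_xored_marker`, `carve_pe`, `carve_pdf` and `carve_all` are names chosen here.

```python
import struct
import sys


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_marker(blob, marker):
    """Return (key, offset) pairs for every single-byte key under which marker
    occurs in blob. XOR is byte-wise, so searching blob for the key-encoded
    marker equals decoding blob and searching it, without 256 decode passes."""
    hits = []
    for key in range(256):
        enc = xor_bytes(marker, key)
        off = blob.find(enc)
        while off != -1:
            hits.append((key, off))
            off = blob.find(enc, off + 1)
    return hits


def carve_pe(blob):
    """Locate a single-byte-XORed PE image. A bare 'MZ' gives many false hits,
    so require that e_lfanew (DOS header offset 0x3C) points at 'PE\\0\\0'
    under the same key. Returns (key, offset) or None."""
    for key, off in find_xored_marker(blob, b"MZ"):
        hdr = xor_bytes(blob[off:off + 0x40], key)
        if len(hdr) < 0x40:
            continue
        e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
        sig = off + e_lfanew
        if xor_bytes(blob[sig:sig + 4], key) == b"PE\0\0":
            return key, off
    return None


def carve_pdf(blob, start=0):
    """Locate a single-byte-XORed PDF at or after start: '%PDF' followed by
    '%%EOF' under the same key. Returns (key, begin, end), end just past
    %%EOF, or None."""
    for key, begin in find_xored_marker(blob[start:], b"%PDF"):
        begin += start
        enc_eof = xor_bytes(b"%%EOF", key)
        eof = blob.find(enc_eof, begin)
        if eof != -1:
            return key, begin, eof + len(enc_eof)
    return None


def carve_all(blob):
    """Decode the embedded EXE (from its MZ up to where the PDF starts) and the
    dropped PDF, mirroring the manual hex-editor selection in the write-up."""
    pe = carve_pe(blob)
    if pe is None:
        raise ValueError("no XORed PE header found")
    pe_key, pe_off = pe
    pdf = carve_pdf(blob, pe_off)
    if pdf is None:
        raise ValueError("no XORed PDF found after the PE header")
    pdf_key, pdf_off, pdf_end = pdf
    return {
        "exe_key": pe_key, "exe_offset": pe_off,
        "exe": xor_bytes(blob[pe_off:pdf_off], pe_key),
        "pdf_key": pdf_key, "pdf_offset": pdf_off,
        "pdf": xor_bytes(blob[pdf_off:pdf_end], pdf_key),
    }


# --- constructed sample blob (not the analysed file) -------------------------
def fake_pe():
    # DOS header with 'MZ' and e_lfanew = 0x80, then the PE signature and a
    # zeroed COFF header: PE-shaped for the carver, not a runnable executable.
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + bytes(20)


FAKE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF")
PADDING = bytes(64)                       # stands in for the shellcode before the EXE
PE_OFFSET = len(PADDING)                  # 0x40 here; 0x4374 in the analysed sample
PDF_OFFSET = PE_OFFSET + len(fake_pe())   # 0xd8 here; 0x3c3d7 in the analysed sample
SAMPLE_BLOB = PADDING + xor_bytes(fake_pe(), 0x0F) + xor_bytes(FAKE_PDF, 0xFF)

if __name__ == "__main__":
    # Usage: script.py [shellcode.bin]; without an argument it runs on SAMPLE_BLOB.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    r = carve_all(blob)
    print("EXE: key 0x%02x at 0x%x, %d bytes" % (r["exe_key"], r["exe_offset"], len(r["exe"])))
    print("PDF: key 0x%02x at 0x%x, %d bytes" % (r["pdf_key"], r["pdf_offset"], len(r["pdf"])))
    open("carved.exe", "wb").write(r["exe"])
    open("dropped.pdf", "wb").write(r["pdf"])
```

On the sample blob this reports key 0x0F at 0x40 for the EXE and key 0xFF at 0xd8 for the PDF; on a real shellcode binary it writes the two carved files without any manual offset hunting. The e_lfanew check matters: two-byte markers such as 'MZ' match some key in almost any buffer of a few kilobytes, and only the PE signature tells a real header from noise.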
If you want to download the sample file, JavaScript, shellcode etc. for analysis, download it from here:
http://rapidshare.com/files/412983633/analysis.rar
http://www.megaupload.com/?d=IDC87YJT
The rar password is:: infected
References::
http://contagiodump.blogspot.com/
http://www.honeynor.no/
Download HT Editor from:: http://hte.sourceforge.net/downloads.html
Author:: Abhishek Lyall and Abhishek Sahni
Email:: asl.itsec@gmail.com , info@aslitsecurity.com
Web:: http://aslitsecurity.com
Blog:: http://aslitsecurity.blogspot.com
zlibd.py
import sys
import zlib

# Usage: zlibd.py <compressed_stream_file> <output_file>
# Inflates a FlateDecode stream that was copied out of the PDF into its own file.
infile = sys.argv[1]
f = open(infile, mode='rb')
buff = f.read()
f.close()
evilbuff = bytearray(zlib.decompress(buff))
outfile = sys.argv[2]
f = open(outfile, mode='wb')
f.write(evilbuff)
f.close()
print("[+] Done")
Shellcode2bin.py
#!/usr/bin/env python3
# Converts escaped shellcode text (%uXXXX, \xXX or plain hex) read from a
# file or stdin into raw bytes on stdout. Ported to Python 3 here; the logic
# is unchanged from the original Python 2 script.
from binascii import unhexlify
import sys


def writeToStdout(content):
    # Write raw bytes, not text, so the binary is not re-encoded on output.
    sys.stdout.buffer.write(content)


def HexToBin(hex):
    # Plain hex string "41424344" -> b"ABCD", two characters per byte.
    res = b''
    length = len(hex)
    idx = 0
    while idx < length:
        res += unhexlify(hex[idx:idx + 2])
        idx += 2
    return res


def cArrayToBin(carray):
    # C-style "\x41\x42" -> b"AB"
    bytes = carray.split('\\x')
    res = b''
    for b in bytes:
        res += HexToBin(b)
    return res


def unicodeToBin(unicode):
    # JavaScript "%u4142%u4344" -> b"BADC": each %u group is a little-endian
    # 16-bit value, so the two bytes of every group are swapped.
    bytes = unicode.split('%u')
    binary = b''
    for uni in bytes:
        binary += swapHexToBin(uni)
    return binary


def swapHexToBin(bytes):
    if len(bytes) == 0:
        return ''.encode()
    if len(bytes) != 4:
        # Report on stderr so the error text never ends up in the binary output.
        print("Error swapping bytes! (%s)" % bytes, file=sys.stderr)
        sys.exit(1)
    a = bytes[2:4]
    b = bytes[0:2]
    return unhexlify(a) + unhexlify(b)


#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -#
if __name__ == '__main__':
    if len(sys.argv) < 2:
        f = sys.stdin
    else:
        filename = sys.argv[1]
        f = open(filename, 'r')
    content = f.read()
    # strip newlines, whitespace, quotes and the JavaScript '+' concatenation
    for junk in ('\n', ';', '\r', '\t', ' ', '+', '"', "'"):
        content = content.replace(junk, '')
    if content[0:2] == '%u':
        res = unicodeToBin(content)
        writeToStdout(res)
    elif content[0:2] == '\\x':
        res = cArrayToBin(content)
        writeToStdout(res)
    else:
        res = HexToBin(content)
        writeToStdout(res)
I have downloaded the attachment but it requires a password. Please add it.
The rar pass is :: infected