Saturday, August 14, 2010

Analyzing malicious PDF malware.

Here we'll demonstrate the analysis of a PDF malware sample that uses two vulnerabilities of Acrobat Reader. I got the sample from Mila (thanks Mila) but I don't remember the link and can't find it again.

Required things
• Python scripts (zlib decompress), (shellcode2bin)
• HT Editor
• Hex Editor

First of all we open the malware sample in Notepad++ and look for JavaScript streams.


So we see that FlateDecode is used here. We can decompress this with the help of zlib. For this we copy the stream into another file, save it, and then use a Python script (zlibd.py) to decompress it.




Now we analyze the malicious JavaScript in a text editor.



The JavaScript shellcode is obfuscated using the replace function (%u is replaced by XX).

So now we copy the shellcode into another file and replace 'XX' with '%u'. Then we convert the shellcode to binary to further analyze its disassembly.


We will use another Python script (shellcode2bin.py) to convert the shellcode to binary so that we can analyze it in a disassembler.




Now we can analyze it with HT Editor:



We can see that the file has a malicious exe XOR'ed with key 0x0f. When we XOR the file again we get the exe headers at offset 0x4374. The size of the exe is 229475 bytes. At the end of this malicious exe a genuine PDF starts, which is opened when the exploit completes. The genuine PDF file is XOR encoded with key 0xFF and starts from offset 0x3c3d7.




We select this PDF file from 0x3c3d7, where we can see %PDF till %%EOF in the hex editor, paste it into a new file and save it as 'dropped.pdf'. This is the original file which is dropped after the exploit completes.

And to extract the exe we select from 0x4374 till 0x3c3d6 and XOR it with 0x0F.

This way we have safely extracted the malicious exe from the PDF exploit, as well as the real PDF file embedded in it, without even opening the file.
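As an added example (not part of the original post), here is a Python 3 script that automates the carving described above: instead of locating the XOR'ed exe and PDF by hand in the hex editor, it searches for the magic bytes under every single-byte key, confirms an MZ hit by following e_lfanew to the PE signature, and decodes the selected range. It goes beyond the post's single case by trying all 256 keys; the filler, keys and the blob returned by build_sample() are constructed for the demonstration, and on a real file you would run it as `python3 carve_xor.py sample.pdf`.

```python
import struct
import sys

def xor_bytes(data, key):
    """XOR every byte with a single-byte key; applying it twice restores the data."""
    return bytes(b ^ key for b in data)

def find_xored(data, magic, key):
    """Offsets where `magic` occurs XOR-ed with `key`, found without decoding the file."""
    needle = xor_bytes(magic, key)
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def is_pe(decoded):
    """A 2-byte 'MZ' hit is weak evidence; confirm via e_lfanew -> 'PE\\0\\0'."""
    if len(decoded) < 0x40 or decoded[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
    return decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan(data, keys=range(256)):
    """Report (offset, key, kind) for every XOR-ed PE file or PDF under the given keys."""
    found = []
    for key in keys:
        for off in find_xored(data, b"MZ", key):
            if is_pe(xor_bytes(data[off:off + 0x1000], key)):
                found.append((off, key, "exe"))
        for off in find_xored(data, b"%PDF", key):
            found.append((off, key, "pdf"))
    return sorted(found)

def carve(data, start, end, key):
    """Decode data[start:end] with key, the step the post does by hand in the hex editor."""
    return xor_bytes(data[start:end], key)

def build_sample():
    """Constructed stand-in for the sample: 32 bytes of filler, a minimal PE stub
    XOR-ed with 0x0f, then a tiny PDF XOR-ed with 0xff, mirroring the layout above."""
    pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
    pdf = b"%PDF-1.4\n%%EOF\n"
    return bytes(range(32)) + xor_bytes(pe, 0x0F) + xor_bytes(pdf, 0xFF)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, key, kind in scan(blob):
        print("0x%06x  key=0x%02x  %s" % (off, key, kind))
```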

If you want to download the sample file, JavaScript, shellcode etc. for analysis, please download from here:

http://rapidshare.com/files/412983633/analysis.rar

http://www.megaupload.com/?d=IDC87YJT

The rar password is::  infected


References::
http://contagiodump.blogspot.com/
http://www.honeynor.no/

Download HT Editor from::: http://hte.sourceforge.net/downloads.html


Author:: Abhishek Lyall and Abhishek Sahni


Email:: asl.itsec@gmail.com , info@aslitsecurity.com  


Web:: http://aslitsecurity.com


Blog:: http://aslitsecurity.blogspot.com  





zlibd.py

import sys
import zlib

# usage: zlibd.py <compressed_stream_file> <output_file>
# the input must be the raw compressed bytes that sit between "stream" and "endstream"
infile = sys.argv[1]
with open(infile, mode='rb') as f:
    buff = f.read()

# FlateDecode is plain zlib compression, so zlib.decompress() yields the JavaScript
evilbuff = bytearray(zlib.decompress(buff))

outfile = sys.argv[2]
with open(outfile, mode='wb') as f:
    f.write(evilbuff)

print("[+] Done")




Shellcode2bin.py

#!/usr/bin/env python3

from binascii import unhexlify
import sys


def writeToStdout(content):
    # write the raw bytes, bypassing stdout's text encoding
    sys.stdout.buffer.write(content)


def HexToBin(hexstr):
    # plain hex string: '4142' -> b'AB'
    res = b''
    length = len(hexstr)
    idx = 0
    while idx < length:
        res += unhexlify(hexstr[idx:idx + 2])
        idx += 2
    return res


def cArrayToBin(carray):
    # C-style array: '\x41\x42' -> b'AB'
    chunks = carray.split('\\x')
    res = b''
    for b in chunks:
        res += HexToBin(b)
    return res


def unicodeToBin(unicode):
    # JavaScript unescape form: '%u4241%u4443' -> b'ABCD'
    chunks = unicode.split('%u')
    binary = b''
    for uni in chunks:
        binary += swapHexToBin(uni)
    return binary


def swapHexToBin(chunk):
    # each %uXXXX is a little-endian 16-bit value, so the two bytes are swapped
    if len(chunk) == 0:
        return b''
    if len(chunk) != 4:
        print("Error swapping bytes! (%s)" % chunk, file=sys.stderr)
        sys.exit(1)
    a = chunk[2:4]
    b = chunk[0:2]
    return unhexlify(a) + unhexlify(b)

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #

if len(sys.argv) < 2:
    f = sys.stdin
else:
    filename = sys.argv[1]
    f = open(filename, 'r')

content = f.read()

# strip newlines, whitespace, quotes and JavaScript string concatenation
for junk in ('\n', ';', '\r', '\t', ' ', '+', '"', "'"):
    content = content.replace(junk, '')

# pick the decoder from the first two characters of the cleaned input
if content[0:2] == '%u':
    res = unicodeToBin(content)
    writeToStdout(res)
elif content[0:2] == '\\x':
    res = cArrayToBin(content)
    writeToStdout(res)
else:
    res = HexToBin(content)
    writeToStdout(res)

2 comments:

  1. I have downloaded the attachment but it requires a password. Please add it.
