Sunday, July 11, 2010

Just some Acrobat exploits

In this second post I will explain the functions in the javascript code carved out used to exploit the Acrobat vulnerability.

First of all we take a look at the function that acts as a version-check of Acrobat with which the victim opened to read the pdf infected.

This is the function:



the function name is GDUvmppC (). Inside, yVXd variable is declared, and through app.viewerVersion.toString () function is initialized with the respective version number of Acrobat. At last, through Iterations will start the respective exploit depending on the detected version.

If the version is less than 8, then performs the waDmT () function.
If the version is greater than 8, then performs the FdAY () function.
If the version is less than 9.1, then performs the mLU() function.
If the version is less than version 9.2, then performs the breakfast() function.

As you can see there are 4 functions.

The waDmT() function exploits the collectEmailInfo vulnerability
-> collectEmailInfo({ subj:"",msg:mmk })



The FdAY() function exploits the util.printf vulnerability
-> util.printf("%45000f",uzpymeSR)



The mLU() function exploits the getIcon vulnerability
-> app.doc.Collab.getIcon(gGsYFcss)



The breakfast() function exploits the util.printd vulnerability
-> util.printd(GDagaCuyNfRSFzaSZLO, new Date())



All functions contain shellcode, and in particular we find them some interesting links:

- http://*/yogetheadshot.php?ids=UdPDF
- http://*/yogetheadshot.php


From these two links are downloaded same malware. Malware are identical because they are only called from two different links depending on the version of Acrobat ;)

In the next post I'll try to explain what makes the malware downloaded through the PDF.

Bye, see you in the next post. =)

Analysis of a malformed and exploited PDF

Hi
today I'm going to analyze an infected PDF which allows Acrobat exploitation :)

The file target is called soreheadprattler.pdf
md5: AF485196F31F66B07D87E63DFCA41239
At moment when I'm writing, referring to Virustotal, PDF is detected by 29.27% of AV ( 12/41 ), to be honest, very low rate to the potential of the exploit in question. This PDF, using the Sophos nomenclatur, is identified as Troj/PDFJs-LJ

Let's go to analyze the PDF.

First of all I take this opportunity to thank my friend Daniel for giving me the opportunity to act as tester, being still under development. Thx =)
The tool in question is PDF Insider, for more info visit ntcore.com.

Opening the PDF file in PDF Insider we immediately notice a malformation.



We warned of an unresolved xref. The xref keyword ( Cross-reference ) in PDF format are used to search the objects, in fact for this problem we have no object apparently, but this is not a problem because PDF Insider provides us special functions for finding objects to solve these mishaps ;).
In fact clicking on Detect Object we get 4 objects: 1.0, 2.0, 3.0 and 4.0.
Here a screenshot:



Each object may contain the JS code and / or compressed Stream. Of course in our case being merely 4 would not be a problem to go through each object and check for interesting content, but if it was a pdf with many object was a real suicide, unless you are masochistic :P.

PDF Insider intervenes again to our aid, showing what object or stream contains JavaScript code.



We can see that the 4.0 object contains both Stream ( compressed ) and Javascript code, as well as being the only one!
But let's go to see what's interesting inside it:



We note immediately between the Info, interesting Filters:

- LZWDecode: This indicats that data are compressed, as I said before. LZW ( Lempel-Ziv-Welsh ) is more used as a data compression algorithm in PDF;
- ASCII85Decode: Other encryption algorithm, also known as Base85 encoding used for communication protocols;
- ASCIIHexDecode: Decodes data encoded in an ASCII hexadecimal
representation, reproducing the original binary data;
- RLE: The RLE ( Run Length Decode ) decompresses data encoded using a byte-oriented run-length encoding algorithm, reproducing the original text or binary data.

Now that we have this info we can also do proper analysis of 4.0 Object. PDF Insider supports LZW algorithm and thus is able to decompress it easily to show the contents of the Stream:



What is immediately evident is the declaration of a variable, specifically named B0b. Skip to the eye because it contains a very long string. But scrolldown to see how this variable is used!

As I thought! It is used in a function that operates a character replacement. It's easy to see that there are many "@" and indeed this character will be replaced by another. Better explain the whole, below the rest of the code:



First are declared some variables. At z variable is assigned the value app.doc which is then chained to complete the function with syncAnnotScan().
Immediatly below B0b varaible is worked. BOb.replace (/ @ / g, String.fromCharCode (32-1 +6) makes a global research (-> /g) throughout the data block to find "@" char and then replace it by the function String.fromCharCode () with the symbol related to hex code 37 (32-1 +6 == 37) that corresponds to the symbol "%". Well, we obtein a new data block:



Before I mentioned app.doc and syncAnnotScan so now I report the explanation from Adobe documentation:

- app: The app object is a static object that represents the Acrobat application itself. It offers a
number of Acrobat-specific functions in addition to a variety of utility routines and
convenience functions.

- doc: The doc object is the primary interface to the PDF document, and it can be used to access
and manipulate its content. The doc object provides the interfaces between a PDF
document open in the viewer and the JavaScript interpreter.

- syncAnnotScan: The syncAnnotScan method guarantees that all annotations in the documents are scanned.

Once we've done all, we find the classic eval () function and inside the unescape() function.
First of all through the unescape function data block which we talked about before is decoded getting the horrible javascript code and then run through eval () function, so oN ().

In the next post I will explain how functions in the javascript code, which we got after these simple steps, are used to exploit vulnerabilities in various versions of Adobe.

Bye, see you in the next post. =)

Friday, June 25, 2010

Qt Creator 2.0 is Out!

Then OllyDbg 2.0 news, another one good; Qt Creator 2.0 is out. This last version integrates more nice features, improvements and it's makes to develop more fast and easy with mobile development kit. Qt Libraries 4.6.3 is also out. More info:



Nokia today released Qt Creator 2.0, an updated version of its cross-platform integrated development environment (IDE) for use with the Qt framework. Qt Creator 2.0 brings a range of new features specifically designed to make mobile development for Symbian, MeeGo and other platforms faster and easier.


Qt Creator 2.0 is available as part of the Nokia Qt SDK 1.0 – also released today – as part of an updated build of the Qt SDK, or as a standalone binary or source download. All Qt releases are available for download from http://qt.nokia.com/downloads.


Qt Creator 2.0 part of Nokia Qt SDK 1.0

Released today, the Nokia Qt SDK provides developers with a single package containing all tools they need – including Qt Creator and the Qt framework – to code, simulate, debug and build cross-platform applications for Symbian, Maemo, and in the future, MeeGo devices. For more information, and to download, visit http://www.forum.nokia.com/Develop/Qt/Tools/.


For a detailed list of changes introduced in Qt Creator 2.0, consult the changes file found in the packages or browse the information in the Qt Developer Zone at http://qt.nokia.com/developer/changes/changes-qtcreator-2.0.


New Qt APIs for Mobile Development Updates

Also released today is an update to the New Qt APIs for mobile development – Mobility 1.0.1. The patch release provides new Symbian backends, finalizes the Qt Multimedia API and includes bug fixes. For more information, visit the New Qt APIs for mobile development catalog.


To download SDK: Qt

Bye. =)

Sunday, June 13, 2010

OllyDbg 2.0 ini File Configuration

Here the OllyDbg 2.0's ini file which I have changed to improve the appearance and other general settings of our favorite debugger :D

UPDATED 29/05/2013
To Download: ini file

N.B. : Some options about code highlighting I've taken from an old ini file for 1.10 Olly version, made by one my friend.

If you have some changes to hint me, I'll be happy to add them!

Bye, see you in the next post. =)

Saturday, June 5, 2010

Olly 2.0 Final Release is Out!

Finally, after a couple of years of development and beta release, final version is out! :D One very good news


Here some info from Olly's Home Page:




You haven't heard much about OllyDbg 2.0 for a long time. Unfortunately, I am permanently busy and have not much free time.

But there is a progress. I have made many changes and bugfixes, among them:

- prn bombed me with many, many ideas and found bugs. For example, he reported massive problems with UNICODE filenames that use extended charset. And no, Windows doesn't convert them automatically to ASCII. As OllyDbg is still an ASCII application, now I convert such names to old 8.3 DOS format. Active breakpoint were not marked in the corresponding breakpoint windows; memory breaks were falsely hinted, and so on, and so forth... Thank you, and please don't stop!
- William reported bugs with PUSH AH etc. Yes, there are no such commands, but OllyDbg v2.0 happily assembled them.
- Keyboard shortcuts did not work in Edit/Search dialog. Reported by mailnew2ster.
- Ange gave me the complete list of 80x86 commands as a compiled executable file. He found many assembly/disassembly errors. With his list, we were able to remove them. He also criticided my "English" help file for grammatical errors, silly old me!
- Eric, deepzero and karmany reported problems with highlighting and comments.
- John found out that Always on top may hide error messages.
- Aaron and many other reported crash on structure decoding, namely on those where some elements were unnamed, like elements of array.
- I thought that exe/dll with 5 MB code section is really large, until Ivar sent me an executable which code section was 83,079,168 bytes (SEVENTY NINE MEGABYTES) long! Analysis attempted to allocate more than 1,5 GB of memory - still not a problem, but due to fragmentation, my memory manager was unable to execute the request. It was necessary to redesign it.
- Rinze pointed at problem with memory breakpoints on stack. OllyDbg did not check memory addressed indirectly by ESP.
- NCR asked for the search for process name in Attach window by typing its name.
- numax suggested list of user comments.
- Hopefully OllyDbg will support Chinese and Japanese fonts in dialog boxes (Edit/Search data), main issue that we tried to debug together with locklose. It should work, but I can give you no warranty. Please check.
- And, a couple of days ago, edemko discovered that conditional jums on LOOPZ/LOOPNZ are falsely predicted. This was the last bug corrected in the version 2.00.

The list is far from complete, altogether I received more than 100 reports and suggestions. So for all contributors: Without your help, OllyDbg 2.0 would not exist. Thank you very much!

And now about my plans for the future. Probably I will convert OllyDbg to UNICODE. There are too many places where ASCII is not fully supported by Windows, like file names with extended charset or controls that don't receive WM_WCHAR. This will mean end for Win95 and WinME users. Those who use WinNT, 2000, XP and Win7 will notice nothing. Of course, plugins will be forced to UNICODE, too.

I plan to introduce experimental plugin support in the version 2.01. The interface is not yet defined. If you have written plugins for v1.10, please send me your ideas and suggestions now!

Version 2.01 will finally work under 64-bit Windows. Probably I will start developing 64-bit OllyDbg, but this depends on my free time.



This last news more interesting!!! OllyDbg is Uber

To download it: http://www.ollydbg.de/version2.html

Bye. =)

Sunday, May 30, 2010

Just another MSN’s fake address

Hi all

another fake address I have discovered these days. It's of the same family of my first previous post regard this field.

The address today is: NikiaPortisienrh@hotmail.com

The behaviour is the same of the previous contacts analyzed other times. Let's go to see a chat form:



As you can see after a couple of messages, the contact invites the victim to go to an address to see the pseudo-girlfriend in cam, after that the victim has accepted one invite. The link sended by the fake account is: http://shortlinks.co.uk/1mc3
This link redirects the victim at a main URL where the fraud acts: http://www.webcamcrush.com/StephiesAss20. This URL is presents also in Personal Message form.

As you can understand the page is the same of the other fake accounts of the previous analysis, as it had announced. Here a screenshot:


To the right there is a form to chat with the girl. So, typing " Hi! ", you recive immediately an error which says: Error: You must complete age verification process to communicate with this member. Click here to verify your age!



The link "Click here to verify your age!" acts as a fake age verify, because it serves to accept the invite


infact clicking it we'll redirect to this page:


Scroll down and you can see a classic registation form, which asks you Name, Surname, E-Mail, etc...


Here the screenshot regards the credit fraud:



So friends, this is all! Block and delete this address and similar!

See you in the next post. Bye. =)

Saturday, May 22, 2010

A brief analysis about Trojan.Banker.Delf.ZLR

Hi to all!

Today I will speak very briefly about a new threat that affects banks. Specifically the Brazilian bank Bradesco [hxxp://www.bradesco.com.br/].

Some info about the Bradesco Bank:


Type: Public (BM&F Bovespa:BBDC3 / BBDC4 NYSE: BBD BMAD: XXBDC)

Industry: Finance and Insurance

Founded: 1943

Headquarters: Osasco, Brazil

Key people: Luiz Carlos Trabuco Cappi (CEO) Lázaro de Mello Brandão (Chairman of the Board of Directors) Antônio Bornia (Vice-Chairman of the Board of Directors)

Products: Banking

Revenue: ▲US$ 36.1 Billion (2009)

Net income: ▲US$ 4.5 Billion (2009)

Total assets: ▲US$ 299.0 Billion (2010)

Employees: 85,577



The Trojan banker in question is called, in according to the nomenclature of the antivirus houses; Trojan.Banker.Delf.ZLR.

Before I start talking about what makes the virus, I give you some general information about the target, such as: the geometry of the PE format, any packer/compressed/Cryptor, etc...

The threat, at the time of this writing, is recognized by 15/41 AV as suggested by VirusTotal.

Hash MD5: fc3f089f7d64eb4dcc7113c5add3bda7

Hash SHA-1: ae521a311bde3667d7bcb74460b4a6e92a8cd2c8

Imports:

advapi32.dll

comctl32.dll

gdi32.dll

kernel32.dll

oleaut32.dll

user32.dll

version.dll




Sections:

UPX0

UPX1

.rsrc


There is also the presence of TLS Directory, so if anyone wants to analyze this virus more in depth must keep in mind to ensure that, going to make a dynamic analysis through a debugger like OllyDbg need to configure the debugger so that it stops before the TLS Callback to prevent any action that the virus anticipates before it goes to the OEP.

It's easy to understand that the file is packed with the very common free compressor UPX. Since it is so let's go to decompress it. I did through the splendid suite of Ntoskrnl Explorer Suite which also includes a UPX utility for this purpose.

Immediately after decompressed the file, analyzing it with a PE Scanner, such as PEiD or RDG Packer Detector, and we note that is written in Delphi. Another info which is very helpfull in most cases but not in this specific sample. In Malware Analysis more info we can get from target study and much easier is to analyze our target.

As I already said, this virus is one of those classics that tries to steal the credentials of the bank accounts of the poor unfortunate. That's why they are called Trojans Banker ;). Trojan.Banker.Delf.ZLR essentially does nothing special. Basically is a fake program was created specifically to belive you need to perform banking transactions directly from your PC.

It consists of a classical form which contains 3 special edit for entering your bank account and a way to "simulate" the installation of this false account management program. But let's go to see how it is made:




When the victim had entered the bank account details, click on "Instalar" notice that will be simulated to download a dll. I say simulated because it actually does not download any dll, as you can check by running Wireshark while performing these steps, which shows no GET request from any site, but also going to search for the name ib2k1.dll find anything on the system. All this is done only to make the installation process look better.



Simulated the download of this dll, we get the form to enter your account credentials, such as the account holder, password and secret word. This is then sent to the site who created the fake program to steal these credentials.
Between the strings contained by the file I found very interesting two particular things: a URL and a sentence, respectively,

http://firefoxxx.t35.com/Dario.envio.desco.php

Bradesco by D4RiO

What we understand is that he who created the software is called Dario and the URL that contact is: http://firefoxxx.t35.com/Dario.envio.desco.php

Here a screenshot about:



Then we come to form of the credit card owner. In this form must be included the last three digits of its Credit Card Number and press Confirm to send everything that was stored by the program to the URL mentioned above.



For this time it's all guys. See you at the next post. =)

Friday, April 9, 2010

Monday, March 22, 2010

ARM Opcode

Strong ARM (SA1110) Opcodes


Command Hex Example
--------------------------------------------------------------------------------------------------------
B xxxxxxEA branch
BEQ xxxxxx0A b if zero (Z)
BNE xxxxxx1A b if not equal (-Z)
BGE xxxxxxAA b if greater or equal (N*V/-N*-V)
BHI xxxxxx8A b if higher (-C*-Z)
BLT xxxxxxBA b if less than (N*-V/-N*V)
BCC xxxxxx3A b if carry clear
BCS xxxxxx2A b if carry set
BVC .
BVS .
BPL xxxxxx5A
BMI xxxxxx4A b if negative, set N
BHS .
BLO .
BLS xxxxxx9A b if lower or same (C/Z)
BGT xxxxxxCA b if greater than (N*V*-Z/-N*-V*-Z)
BLE xxxxxxDA b if less or equal (Z/N*-V/-N*V)


00022714 B loc_22734 06 00 00 EA
000226B8 BLE loc_226E4 09 00 00 DA

--------------------------------------------------------------------------------------------------------

BL xxxx00EB
BLEQ xxxx000B

--------------------------------------------------------------------------------------------------------

MOV (reg,value) xxxxA0E3 Mov R1,#0 0010A0E3
Mov R0,#1 0100A0E3
MOVEQ (reg,value) xxxxA003 Moveq R5, #0 0050A003
MOVNE (reg,value) xxxxA013
MOVGE (reg,value) xxxxA0A3
MOVHI (reg,value) xxxxA083


7F 0C A0 E3 MOV R0, #0x7F00
27 3B A0 E3 MOV R3, #0x9C00

value = erste 2 bytes * mX (x = Byte 4)

m1 := $40000000;
m2 := $10000000;
m3 := $4000000;
m4 := $1000000;
m5 := $400000;
m6 := $100000;
m7 := $40000;
m8 := $10000;
m9 := $4000;
mA := $1000;
mB := $400;
mC := $100;
mD := $40;
mE := $10;
mF := $4;

--------------------------------------------------------------------------------------------------------

MOV (reg,reg) xxxxA0E1 Mov R4,R0 0040A0E1
Mov R7,R1 0170A0E1
MOVEQ (reg,reg) xxxxA001
MOVNE (reg,reg) xxxxA011


00 38 A0 E1 MOV R3, R0,LSL#16
23 38 A0 E1 MOV R3, R3,LSR#16

--------------------------------------------------------------------------------------------------------

MOVS R10, R11,ASR#31 CB AF B0 E1
MOVS R11, R1,ASR#31 C1 BF B0 E1

--------------------------------------------------------------------------------------------------------

CMP (reg,val) 00 00 53 E3
CMP R0,#0 00 00 50 E3
CMP R5,#0 00 00 55 E3
CMPEQ R3,#1 01 00 53 03

--------------------------------------------------------------------------------------------------------

CMP (reg,reg) xx xx 5X E1
CMP R0,R3 03 00 50 E1

--------------------------------------------------------------------------------------------------------

LDR R0,[R1,#0x38] 38 00 91 E5
LDR R0,[R5] 00 00 95 E5
LDR R2, [R3] 00 20 93 E5
LDR R1, [R6] 00 10 96 E5

LDRB R2,[R0,#2] 02 20 D0 E5

LDRSH R1, [R6,#0x54] F4 15 D6 E1
LDRSH R1, [R6,#0x56] F6 15 D6 E1

LDRSB R3, [SP,#2] D2 30 DD E1

--------------------------------------------------------------------------------------------------------

STR R0,[R7] 00 00 87 E5

STRB R1,[R0,R3] 03 10 C0 E7
STRB R11,[LR] 00 B0 CE E5
STRB R11,[LR,#1] 01 B0 CE E5

STRH R3, [R4,#0xC] BC 30 C4 E1
STRH R3, [R4,#0xE] BE 30 C4 E1
STRH R3, [R1] B0 30 C1 E1

--------------------------------------------------------------------------------------------------------

ORR R3,R3,#0xC 0C 30 83 E3
ORR R3,R3,#0x3C 3C 30 83 E3
ORRS R1, R1, #0x80 80 10 91 E3
ORRS R3, R2, R3,LSL#8 03 34 92 E1
ORRS R5, R2, R3,LSL#8 03 54 92 E1

--------------------------------------------------------------------------------------------------------

ADD R3, R2, R3 03 30 82 E0
ADD R2, R2, #1 01 20 82 E2
ADD R1, R1, #4 04 10 81 E2
ADD SP, SP, #4 04 D0 8D E2

--------------------------------------------------------------------------------------------------------

SUB SP, SP, #0x38 38 D0 4D E2
SUB R3, R11, R0 00 30 4B E0

--------------------------------------------------------------------------------------------------------

ANDS R3, R10, #0xFF FF 30 1A E2
ANDS R3, R0, #0xFF FF 30 10 E2

AND R10, R9, R10 0A A0 09 E0
AND R10, R4, R10 0A A0 04 E0
AND R11, R11, #0xF8 F8 B0 0B E2

--------------------------------------------------------------------------------------------------------

MUL R11, R2, R4 92 04 0B E0
MUL R9, R11, R3 9B 03 09 E0
MUL R0, R2, R0 92 00 00 E0

--------------------------------------------------------------------------------------------------------

RSBMI R10, R1, #0 00 A0 61 42
RSBGT R6, R1, R4 04 60 61 C0
RSBMI R4, R2, #0 00 40 62 42

--------------------------------------------------------------------------------------------------------

RET 0EF0A0E1

--------------------------------------------------------------------------------------------------------
Virtual NOP MOV R0, R0 00 00 A0 E1


LDREQ R3, [R7,#0x10] = 10 30 97 05
LDREQ R0, [R3,#0x8] = 08 00 93 05

From Fravia's site.

Saturday, March 20, 2010

A fake MSN's address

Hi all,
today, while I'm chatting through MSN with my friends, I received a invite to add in my contact list one contact. The contact is: rosaliareeves38@hotmail.com

Being curious, I accepted the invitation to try to understand if it were a real contact or a classic fake account.

So I'm starting a conversation with it saying: " Hi ", and I received a very very fast reply which said: " I know a way we can chat and have a better time.. do you cam? ". Is simple to understand that the answer to the question is the second ;).

I also noticed that as a personal message has a web address; http://shortlinks.co.uk/wuz

Going to this address we are redirected to another; http://www.mywebcamcrush.com/JessiesHotCam10

We can see that the site is about web chat which it calls to register to see through cam one girl named Jessica. There is also a false interactive chat with girl to the right.
Well, there is not to say anything but only stay away from this contact and this site which is obviously a classic scam site. =)

Bye, see you in the next post.