Malware

A week after this 0-day vulnerability was reported, a number of posts have been published over the last few days detailing the disassembled malicious Flash (swf) file and exposing the invalid byte that triggers the vulnerability. The vulnerability is triggered when Adobe's ActionScript Virtual Machine 2 (AVM2) handles a "newfunction" instruction. The vulnerable code exists in both Adobe Reader and Adobe Flash, so either product can be attacked. In this post I'm focusing on the actual malware that gets dropped when a malicious pdf file is opened.

When the pdf file is opened, the first thing it does is process the malformed Flash file embedded in the pdf. This triggers the vulnerability and drops an executable in the root of the C: drive:

C:\-.exe

This file is embedded in the pdf file, making the attack portable without depending on any external site to download and execute the malware. Once the dropped executable is run, a further three files are dropped onto the system:

C:\WINDOWS\EventSystem.dll
C:\WINDOWS\system32\es.ini
C:\WINDOWS\system32\dllcache\qmgr.dll

The original qmgr.dll in C:\WINDOWS\system32\ is renamed to kernel64.dll and the malicious qmgr.dll takes its place. The original qmgr.dll in C:\WINDOWS\ServicePackFiles\i386\ is also replaced with the malicious qmgr.dll. The file EventSystem.dll is a copy of the malicious qmgr.dll, and es.ini is a plain ASCII file containing the text below, which qmgr.dll reads:

[qmgrConfig]
ServerAddress=hxxp://210.211.31.214/ddradmin/ddrh.ashx
SleepTime=1000     
Guid=00000000-0000-0000-0000-000000000000

The final change to the system, making sure the malware starts every time, is to the configuration of a legitimate Windows service called "Background Intelligent Transfer Service" (BITS). By default its status is not started and its startup type is set to manual; after infection the status is started and the startup type is automatic. Thereafter, whenever the system starts, the BITS service starts and loads its service dll, the malicious qmgr.dll, into memory.

Note that the file timestamps have also been modified, making the files harder to trace when searching by date.
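The indicators above (the dropper in the root, EventSystem.dll as a copy of the replaced qmgr.dll, the renamed original kernel64.dll, and the es.ini beacon configuration) are easy to check for in a script. The following is an added example, not code from the original post: it parses an es.ini in the format quoted above and runs the file checks over a constructed listing of an infected host. The path-to-hash listing and the placeholder hashes are made up for the example; the es.ini text is a copy of the one in the post, kept defanged.

```python
import configparser
import re

# Constructed copy of the es.ini contents quoted in the post (URL kept defanged as hxxp).
SAMPLE_ES_INI = """[qmgrConfig]
ServerAddress=hxxp://210.211.31.214/ddradmin/ddrh.ashx
SleepTime=1000
Guid=00000000-0000-0000-0000-000000000000
"""

# Constructed file listing standing in for a walk of an infected XP host:
# lower-cased path (NTFS is case-insensitive) -> SHA-256 of the file contents.
# The hash strings are placeholders; only equality between entries matters.
INFECTED_LISTING = {
    r"c:\-.exe": "aaaa" * 16,
    r"c:\windows\eventsystem.dll": "bbbb" * 16,          # copy of the malicious qmgr.dll
    r"c:\windows\system32\qmgr.dll": "bbbb" * 16,        # malicious replacement
    r"c:\windows\system32\kernel64.dll": "cccc" * 16,    # the renamed original qmgr.dll
    r"c:\windows\system32\dllcache\qmgr.dll": "bbbb" * 16,
    r"c:\windows\servicepackfiles\i386\qmgr.dll": "bbbb" * 16,
    r"c:\windows\system32\es.ini": "dddd" * 16,
}

# Constructed listing of a clean host: one qmgr.dll, identical in all three locations.
CLEAN_LISTING = {
    r"c:\windows\system32\qmgr.dll": "cccc" * 16,
    r"c:\windows\system32\dllcache\qmgr.dll": "cccc" * 16,
    r"c:\windows\servicepackfiles\i386\qmgr.dll": "cccc" * 16,
}


def parse_es_ini(text):
    """Return ServerAddress, SleepTime and Guid from a [qmgrConfig] section, or None."""
    cp = configparser.ConfigParser(interpolation=None)  # no '%' interpolation on raw values
    cp.read_string(text)
    if not cp.has_section("qmgrConfig"):
        return None
    return {
        "server": cp.get("qmgrConfig", "ServerAddress", fallback=""),
        "sleep_ms": cp.getint("qmgrConfig", "SleepTime", fallback=0),
        "guid": cp.get("qmgrConfig", "Guid", fallback=""),
    }


def c2_host(server_address):
    """Extract the host from a (possibly hxxp-defanged) URL for a proxy/firewall block list."""
    m = re.match(r"h(?:xx|tt)ps?://([^/:]+)", server_address, re.IGNORECASE)
    return m.group(1) if m else None


def triage(listing, es_ini_text=None):
    """Check a host listing for the indicators described in the post; returns a list of findings."""
    findings = []
    sys32 = r"c:\windows\system32"
    if r"c:\-.exe" in listing:
        findings.append("dropper present at C:\\-.exe")
    if r"c:\windows\eventsystem.dll" in listing:
        findings.append("EventSystem.dll present in C:\\WINDOWS")
    if sys32 + r"\kernel64.dll" in listing:
        findings.append("kernel64.dll present in system32 (renamed original qmgr.dll)")
    qmgr_hash = listing.get(sys32 + r"\qmgr.dll")
    if qmgr_hash and listing.get(r"c:\windows\eventsystem.dll") == qmgr_hash:
        findings.append("system32\\qmgr.dll is byte-identical to EventSystem.dll")
    if es_ini_text is not None:
        cfg = parse_es_ini(es_ini_text)
        if cfg:
            findings.append(
                f"es.ini beacon config: host={c2_host(cfg['server'])} sleep={cfg['sleep_ms']}ms"
            )
    return findings


if __name__ == "__main__":
    for line in triage(INFECTED_LISTING, SAMPLE_ES_INI):
        print(line)
```

Comparing hashes rather than names matters here because the malware also overwrote the dllcache and ServicePackFiles copies, so Windows File Protection will not restore the original; a known-good qmgr.dll hash from an uninfected machine of the same service pack is the reliable reference. The BITS change is visible with `sc qc BITS` (START_TYPE changes from DEMAND_START to AUTO_START).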

Adobe has now released an update for Adobe Flash, version 10.1.53.64, fixing the vulnerability. This resolves the issue when a swf file is opened via the web. For pdf files, an Adobe Reader update has not yet been released. One way to mitigate for now is to rename the following files:
 
C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll
C:\Program Files\Adobe\Reader 9.0\Reader\rt3d.dll

This analysis was done using Adobe Reader version 9.3.2 and a pdf file with an MD5 hash of 721601bdbec57cb103a9717eeef0bfca.

References:

http://secunia.com/advisories/40026/
http://www.kb.cert.org/vuls/id/486225/
http://www.adobe.com/support/security/bulletins/apsb10-14.html
http://www.adobe.com/support/security/advisories/apsa10-01.html
http://www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader
http://community.websense.com/blogs/securitylabs/archive/2010/06/09/having-fun-with-adobe-0-day-exploits.aspx

This fake antivirus software, calling itself "Security Tool", intercepts binary files at the point of execution and terminates them. Whether the extension is bat, com or exe, the fake av terminates them on execution. This can be very frustrating when trying to remove the malware on a standalone machine. Fortunately not all processes get terminated: Internet Explorer (iexplore.exe) and Windows Explorer (explorer.exe) do load, so we can use these to our advantage. Our main goal is to locate and remove the fake av software. Running explorer.exe from Start..Run will bring up the Explorer window, and from there we can browse to the well-known locations where fake av software usually gets dropped:

C:\WINDOWS\
C:\WINDOWS\system32\
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\{username}\Application Data\
C:\Documents and Settings\{username}\Local Settings\Application Data\

Look for unusual files or folders in these locations and, if found, rename them and reboot. If your pc boots up normally, go to the folder containing the file you renamed earlier and delete the malware. In this case the fake av software was called 29225727.exe and was located in

C:\Documents and Settings\{username}\Application Data\

Make sure "Show hidden files and folders" is selected in your folder options before browsing, as the file might have the hidden attribute set.

Another way to locate the malware is to search for the file through Windows Explorer. You can search for files modified on a certain date, for exe files only, and so on. To get an idea of what the executable might be called, browse to the C:\WINDOWS\Prefetch\ folder, look at the last few files written there and search for those executables.

Finally, another way is to right-click the shortcut in the Start..Programs..Security Tool menu (if it exists), take note of the path, go to that path, rename the file and reboot.

Another fake antivirus, calling itself "XP Guardian 2010", is doing the rounds, displaying bogus pop-ups and fake scans to entice you to buy its product. What is interesting about this malware is that it changes the machine's exe file association in the Windows registry. Whenever an executable with an exe extension is run, manually or automatically, the malware is loaded first and then calls the original executable.

When an executable is run, Windows checks various entries in the registry before loading the program. Once a machine has been infected by this malware, the call is hijacked so that the fake antivirus set in the registry is loaded first:

"C:\Documents and Settings\{username}\Local Settings\Application Data\av.exe" /START "%1" %*

Here the malware av.exe runs first, followed by the actual executable; the malware has been written to call the real program after its own program has loaded.

Another interesting registry entry made by the malware concerns a further location Windows checks when an executable is called. On a clean machine this entry does not exist in HKEY_CURRENT_USER, and even if it did, its value would be exefile rather than secfile. So Windows now checks the .exe key and sees the secfile value, which points to the secfile key, where it sees the Application value, which finally points to the exefile key in HKEY_LOCAL_MACHINE.

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

points to . . .

[HKEY_CURRENT_USER\Software\Classes\secfile]
@="Application"

which points to . . .

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
@="Application"

So in future, if you think your exe association has been hijacked, the first place to check is the .exe key in the registry, and go from there. On a Windows XP machine, by default HKEY_CURRENT_USER has no .exe key, and the HKEY_LOCAL_MACHINE .exe key holds only the values below.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

If you want to test exe hijacking yourself, save the lines below in a .reg file and import it. From then on any executable you run will bring up Windows Calculator. Once testing is finished you can simply delete the .exe key in HKEY_CURRENT_USER. The same applies to HKEY_LOCAL_MACHINE, but there you cannot delete the .exe key, so if you want to test using HKEY_LOCAL_MACHINE I recommend backing up the .exe key first.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="anything"
[HKEY_CURRENT_USER\Software\Classes\.exe\shell]
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open]
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\windows\\system32\\calc.exe\""
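The .exe-to-secfile-to-command chain described above can be followed mechanically over a Regedit 5.00 export (`reg export HKCU\Software\Classes` plus the HKLM equivalent), which is handy when checking a machine offline. The following is an added example, not code from the original post or from any tool it references. It parses the .reg format, resolves the .exe association with HKEY_CURRENT_USER taking precedence over HKEY_LOCAL_MACHINE, and reports when HKCU carries a .exe key at all or the resolved command is anything other than the stock `"%1" %*`. The exports are constructed: the calculator one reproduces the test .reg above, the clean one reproduces the default HKLM keys shown above (the exefile open command `"%1" %*` is the stock XP value), and the secfile one models the XP Guardian indirection with the av.exe command placed under secfile\shell\open\command, which is an assumption, as the post does not name the key holding that command. The resolution order used (ProgID from the extension's default value, falling back to the extension key's own shell\open\command when the ProgID does not exist, which is what makes the calc test above work) is a simplified model of the shell's lookup.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
HIVES = (
    ("HKCU", r"hkey_current_user\software\classes"),
    ("HKLM", r"hkey_local_machine\software\classes"),
)
DEFAULT_EXE_COMMAND = '"%1" %*'

# Constructed export of the default HKLM keys shown in the post (exefile command is stock XP).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
@="Application"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

# The post's calculator test, layered over the clean HKLM export.
CALC_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="anything"
[HKEY_CURRENT_USER\Software\Classes\.exe\shell]
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open]
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\windows\\system32\\calc.exe\""
''' + CLEAN_EXPORT

# Constructed model of the secfile indirection; the command's key location is an assumption.
SECFILE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile]
@="Application"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
''' + CLEAN_EXPORT


def unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a Regedit 5.00 export into {lower-cased key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(2))  # "" is the (Default) value
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])  # string value; dword:/hex: data is left raw
            keys[current][name] = data
    return keys


def lookup(keys, subpath):
    """Return (hive, values) for Classes\\subpath, HKCU first since it shadows HKLM."""
    for hive, root in HIVES:
        values = keys.get(root + "\\" + subpath.lower())
        if values is not None:
            return hive, values
    return None, None


def resolve_open_command(keys, ext=".exe"):
    """Follow ext -> ProgID -> shell\\open\\command (simplified model); returns (command, trail)."""
    trail = []
    hive, ext_values = lookup(keys, ext)
    if ext_values is None:
        return None, trail
    trail.append(f"{hive}\\Classes\\{ext}")
    progid = ext_values.get("", "")
    phive, progid_values = lookup(keys, progid) if progid else (None, None)
    if progid_values is not None:
        trail.append(f"{phive}\\Classes\\{progid}")
        chive, cmd_values = lookup(keys, progid + r"\shell\open\command")
    else:  # ProgID missing: the extension key's own shell verbs apply (the calc test case)
        chive, cmd_values = lookup(keys, ext + r"\shell\open\command")
    if cmd_values is None or "" not in cmd_values:
        return None, trail
    trail.append(f"{chive}\\...\\shell\\open\\command")
    return cmd_values[""], trail


def audit_exe_association(keys):
    """Findings for the two signs the post describes: an HKCU .exe key and a non-default command."""
    findings = []
    if r"hkey_current_user\software\classes\.exe" in keys:
        findings.append("HKCU\\Software\\Classes\\.exe exists (absent on a default XP install)")
    command, trail = resolve_open_command(keys)
    if command != DEFAULT_EXE_COMMAND:
        findings.append(f"exe open command is {command!r}, resolved via {' -> '.join(trail)}")
    return findings


if __name__ == "__main__":
    for name, export in (("clean", CLEAN_EXPORT), ("calc", CALC_EXPORT), ("secfile", SECFILE_EXPORT)):
        print(name, audit_exe_association(parse_reg(export)) or ["ok"])
```

The trail in each finding tells you which hive and key to repair: for the HKCU cases deleting the .exe (and secfile) key is enough, as the post notes, while an HKLM change means restoring the exefile command from a backup of the key.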

Reference:

http://www.threatexpert.com/report.aspx?md5=6472e446c64a34edf7fe4ae8270e6faf