Analyzing PDF Malware - Part 3D


This is part 3D, the final point in the Analyzing PDF Malware constellation. If you haven't read any of the preceding posts you can find them arranged here-> Part1, Part2, Part3A, Part3B, and Part3C. That's a lot of posts, but we will be building off our analysis from those posts for this finale and referencing back to them from time-to-time.

...

In Part3A we were able to successfully disassemble our second stage shellcode - check off our first goal. In Part3B and Part3C we analyzed the shellcode thoroughly - check off goal number two. For Part3D we will investigate the binary that the malware downloaded from a remote system to achieve our final goal.

Our Part3 Goals:

1. Disassemble the second stage shellcode
2. Analyze the disassembly to determine its full capabilities
3. Track down and determine the ultimate goal of the malware

Full circle…

Having just wrapped up the shellcode analysis, we now find ourselves in a somewhat familiar situation. We know that the malicious PDF attempts to exploit a vulnerability, execute its shellcode, and download and run an unknown binary. So, just as in Part1 of this series, we have within our sights a suspicious file that we need to investigate.

If you were paying close attention, the URL being used by the malware has popped up a handful of times throughout our previous analyses. We can find it stored at the very end of the shellcode starting at the offset 0x137 in our IDA database file.

IDA-URL
Fig1. – URL data located at the end of the shellcode (site is no longer live)

We could have recovered the binary during our dynamic analysis stage (Part3C) by allowing our virtual machine to connect to the Internet, but a better and safer way would be to manually download the file. If you are extra paranoid, you may want to download the file using an OS that is not targeted by this attack (*nix, OSX). *note* The host does not resolve and is no longer live.

If we remember back to the inaugural write-up of this series, one of the very first things we should do is to take a hash of the file (MD5/SHA1/etc) to create a unique identifier and then use that to search the Interwebs. It is possible that someone out there has already encountered this particular piece of malware and has shared some analysis on it. Even though any such analysis should be taken with a grain of salt and independently verified, it is almost certainly better than the blank slate we would be starting off with otherwise. The last time around we just ran a simple MD5 checksum against our PDF. This time the one thing we already know about our sample is that it is actually an executable. Keeping that in mind, let's run a tool that will give us a report on the PE's structural characteristics in addition to a handful of unique hashes. The Python script 'pescanner.py' written by Michael Ligh will produce the following report for our downloaded sample.

Meta-data
================================================================================
File:    d[1].php
Size:    311808 bytes
Type:    PE32 executable (GUI) Intel 80386, for MS Windows
MD5:     e1f7fc1853fdda8c5da21f84a10629af
SHA1:    3ba4cb33621539b740289db3ee008ad8b1aeda6c
ssdeep:  6144:Zw4TvcsVIeAGKSVGkt11OBClz1uPmTR+aewqMBVBa:ZBUsVfAUGktDOolzQYR+aLFa
Date:    0x4DF041C7 [Thu Jun  9 03:45:11 2011 UTC]
EP:      0x404b0f .text 0/5
CRC:     Claimed: 0x0, Actual: 0x5532c [SUSPICIOUS]

Signature scans
================================================================================
Clamav: d[1].php: OK

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_ICON            0x101f0  0x468    LANG_ENGLISH SUBLANG_ENGLISH_US       GLS_BINARY_LSB_FIRST
RT_ICON            0x10658  0x10a8   LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0x11700  0x25a8   LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0x13ca8  0x4228   LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0x17ed0  0x10828  LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_GROUP_ICON      0x286f8  0x4c     LANG_ENGLISH SUBLANG_ENGLISH_US       MS Windows icon resource - 5 icons, 16x16, 256-colors
RT_VERSION         0x28744  0x21c    LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_HTML            0x28960  0x22c5a  LANG_ENGLISH SUBLANG_ENGLISH_US       PC bitmap, Windows 3.x format, 142372 x 1 x 32

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x97ca       0xa000       6.471374
.rdata     0xb000       0x1b6a       0x2000       5.006934
.data      0xd000       0x21a4       0x1000       3.972730
.rsrc      0x10000      0x3b5bc      0x3c000      7.107627    [SUSPICIOUS]
.reloc     0x4c000      0x119e       0x2000       3.145897

Version info
================================================================================
LegalCopyright:
InternalName: One
FileVersion: 1,0,0,0
ProductName: One
ProductVersion: 1.0.0.0
FileDescription: One
OriginalFilename: One.exe
Translation: 0x0409 0x04b0

Rep1. – PEscanner.py Report

The report gives us quite a bit of information in addition to the MD5 checksum. One point of interest that jumps out is that the .rsrc section has been labeled "[SUSPICIOUS]" because of its unusually high entropy (7.1 bits per byte, where ordinary code and data sections sit noticeably lower, as the other four sections here do). It is possible that an encrypted or compressed file is embedded there, and the resource table points at the likely spot: a 0x22c5a-byte RT_HTML entry that the file-type check misidentifies as a bitmap, far larger than the HTML dialog resources that type normally holds. The CRC line is flagged as well, but a CheckSum of 0 is the norm for user-mode executables that were never linked with the checksum option, so on its own that is a weak signal. Handy information to be aware of, and definitely something to keep in mind while progressing with the analysis.
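To make concrete what pescanner.py is doing under the hood, here is an added example (my own code, not from the post and not pescanner.py itself) that re-implements its core checks with nothing but the Python standard library: file hashes, build timestamp, the section containing the entry point, per-section Shannon entropy with the same [SUSPICIOUS] rule, and the image checksum claimed in the optional header compared against one computed from the file. The PE it scans is constructed inline by build_sample_pe() and is only a header skeleton with a fake .text and a random-looking .rsrc; it is not the sample from the post. The entropy thresholds are my recollection of the script's rule and should be treated as an assumption.

```python
"""Added example, not code from the post: a stdlib-only version of the checks
pescanner.py reports (hashes, build time, entry-point section, section entropy,
header checksum vs computed checksum) run over a PE32 built in build_sample_pe()."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_is_suspicious(raw_size: int, entropy: float) -> bool:
    """pescanner.py's rule as I recall it (assumption): no raw data, near-constant
    bytes, or entropy above 7, which is typical of packed or encrypted content."""
    return raw_size == 0 or 0 < entropy < 1 or entropy > 7


def pe_checksum(data: bytes, checksum_field_offset: int) -> int:
    """Image checksum as CheckSumMappedFile computes it: 32-bit end-around-carry sum
    over the file with the CheckSum dword skipped, folded to 16 bits, plus the length."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off != checksum_field_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def scan(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table,
    plus hashes of the whole file; returns a dict of pescanner-style facts."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ moves and widens ImageBase)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + i * 40)
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": ent, "suspicious": section_is_suspicious(rawsize, ent)})
    ep = next((i for i, s in enumerate(sections)
               if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    claimed, actual = struct.unpack_from("<I", data, opt + 64)[0], pe_checksum(data, opt + 64)
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
            "entry_va": image_base + entry_rva, "entry_section": ep,
            "checksum_offset": opt + 64, "claimed_checksum": claimed,
            "actual_checksum": actual, "checksum_mismatch": claimed != actual,
            "sections": sections}


def with_checksum_fixed(data: bytes) -> bytes:
    """Write the computed checksum into the header; a rescan then reports no mismatch,
    which works only because pe_checksum() skips the very field it is written to."""
    info = scan(data)
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, info["checksum_offset"], info["actual_checksum"])
    return bytes(fixed)


def build_sample_pe() -> bytes:
    """Constructed input (not the post's sample): minimal PE32 headers, a .text of
    repeated prologue/epilogue bytes, a .rsrc of SHA-256 output standing in for an
    encrypted blob, and CheckSum left at 0 as in the post's report."""
    text = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x33\xc0\x5f\x5e\x5b\xc9\xc3" * 32
    rsrc = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4DF041C7, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                          # entry point inside .text
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc), 0x400, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return headers + b"\0" * (0x200 - len(headers)) + text + rsrc
```

Calling scan(build_sample_pe()) flags the .rsrc section (entropy close to 8) and leaves .text alone (about 3.9 bits per byte), reports the entry point as 0x401010 in section 0, and shows the same claimed-0 checksum mismatch the report above does; scan(with_checksum_fixed(...)) clears the mismatch. Against a real sample, pass the file's bytes to scan() and compare the entropy column with the one pescanner.py prints.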

A quick Google of the MD5 "e1f7fc1853fdda8c5da21f84a10629af" nets us 52 results at the time of this writing. Yahtzee! We are in luck! There are several results including a ThreatExpert sandbox report and a VirusTotal submission among others. VirusTotal returns a detection rate of 8 / 42 antivirus vendors that flag our file as malicious on the date of its initial submission.

VirusTotal
Fig2. – VirusTotal Web results for the binary downloaded by the shellcode.

Protip: You can save yourself a step here by getting a VirusTotal API key and integrating a script that they provide into the pescanner.py script we just used. This will effectively perform a very quick search of the VirusTotal database using the MD5 checksum of the sample and return results via the command line.

VirusTotal Search
================================================================================
{u'permalink': u'http://www.virustotal.com/file/12c3f477dc4d82319035789f42ea081edbd89fb1740f154a1fcca63b8702d9bf/analysis/',
 u'report': [u'2011-10-22 00:49:24',
             {u'AVG': u'Patched_c.KVZ',
              u'AhnLab-V3': u'Win-Trojan/Zbot.311808.D',
              u'AntiVir': u'TR/Dropper.Gen',
              u'Antiy-AVL': u'Trojan/Win32.Agent.gen',
              u'Avast': u'Win32:Kryptik-DBD [Trj]',
              u'BitDefender': u'Trojan.Generic.KDV.246814',
              u'ByteHero': u'',
              u'CAT-QuickHeal': u'Trojan.Ircbrute.A',
              u'ClamAV': u'',
              u'Commtouch': u'',
              u'Comodo': u'Heur.Suspicious',
              u'DrWeb': u'Trojan.Packed.21754',
              u'Emsisoft': u'Trojan.SuspectCRC!IK',
              u'F-Prot': u'',
              u'F-Secure': u'Trojan.Generic.KDV.246814',
              u'Fortinet': u'W32/Zbot.CC!tr.pws',
              u'GData': u'Trojan.Generic.KDV.246814',
              u'Ikarus': u'Trojan.SuspectCRC',
              u'Jiangmin': u'Trojan/Agent.eyrc',
              u'K7AntiVirus': u'Riskware',
              u'Kaspersky': u'Trojan.Win32.Agent.hutl',
              u'McAfee': u'W32/Kolab.gen.g',
              u'McAfee-GW-Edition': u'W32/Kolab.gen.g',
              u'Microsoft': u'PWS:Win32/Zbot',
              u'NOD32': u'a variant of Win32/Injector.GXD',
              u'Norman': u'W32/Injector.AOF',
              u'PCTools': u'Trojan-PSW.Generic',
              u'Panda': u'Generic Trojan',
              u'Prevx': u'',
              u'Rising': u'',
              u'SUPERAntiSpyware': u'Trojan.Agent/Gen-Injector',
              u'Sophos': u'Troj/Zbot-ASH',
              u'Symantec': u'Infostealer',
              u'TheHacker': u'Trojan/Injector.gxd',
              u'TrendMicro': u'WORM_KOLAB.SMQX',
              u'TrendMicro-HouseCall': u'WORM_KOLAB.SMQX',
              u'VBA32': u'Trojan.Agent.hutl',
              u'VIPRE': u'Trojan.Win32.Generic!BT',
              u'ViRobot': u'Worm.Win32.Autorun.126976.N',
              u'VirusBuster': u'Trojan.Agent!bzJbt4LQzTQ',
              u'eSafe': u'Win32.PWS.Zbot.Cc',
              u'eTrust-Vet': u'Win32/SillyAutorun.FLW',
              u'nProtect': u'Trojan/W32.Agent.311808.BG'}],
 u'result': 1}
--------------------------------------------------------------------------------

Rep2. – VirusTotal.py Report

The ThreatExpert results reveal that the file is part of the infamous Zeus (Zbot) trojan family, which focuses on stealing online banking credentials. Our VirusTotal report also names Zbot a number of times (AhnLab, Fortinet, Microsoft, Sophos and eSafe all use it), and by the 2011-10-22 rescan shown in Rep2 the detection count had climbed from the 8 / 42 at first submission to 37 of 43 engines, the usual pattern as signatures catch up with a sample. Additionally, and not directly related to our sample, many similar types of malicious files were at one time being served from the same host that our URL once resolved to. The file downloaded and executed by the shellcode attempts to infect the victim's system with the Zbot backdoor and join the recently estimated more than 13 million other members of the Zeus botnet. This should safely satisfy our final question regarding the malware's ultimate purpose. For a further detailed dive into the analysis of the Zeus crimeware, be sure to check out the excellent SpiderLabs blog series "Catch Me If You Can" </shameless plug>.
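Reading the consensus out of a VirusTotal report by eye gets old quickly. The added example below (my own code, not part of the post and not the virustotal.py script it mentions) consumes a report in the {vendor: label} shape printed in Rep2, computes the detection ratio, and tallies family names across vendors after stripping platform and class words such as "Trojan", "Win32" and "Agent", which is how "Zbot" surfaces as the consensus. The embedded data is a hand-copied subset of the vendor results shown above; the network query is not reproduced, and the stop-list of generic tokens is my own heuristic.

```python
"""Added example, not code from the post: turn a VirusTotal report of the shape
printed in Rep2 into a detection ratio and a consensus family name. VT_REPORT is a
hand-copied subset of the vendor results shown on this page; the network query that
virustotal.py performs is not reproduced here."""
import re
from collections import Counter

# Subset of Rep2, in the same {vendor: label} shape; '' means the engine had no detection.
VT_REPORT = {
    "permalink": "http://www.virustotal.com/file/12c3f477dc4d82319035789f42ea081edbd89fb1740f154a1fcca63b8702d9bf/analysis/",
    "report": ["2011-10-22 00:49:24", {
        "AVG": "Patched_c.KVZ",
        "AhnLab-V3": "Win-Trojan/Zbot.311808.D",
        "Antiy-AVL": "Trojan/Win32.Agent.gen",
        "BitDefender": "Trojan.Generic.KDV.246814",
        "ByteHero": "",
        "ClamAV": "",
        "Fortinet": "W32/Zbot.CC!tr.pws",
        "Kaspersky": "Trojan.Win32.Agent.hutl",
        "McAfee": "W32/Kolab.gen.g",
        "Microsoft": "PWS:Win32/Zbot",
        "NOD32": "a variant of Win32/Injector.GXD",
        "Prevx": "",
        "Sophos": "Troj/Zbot-ASH",
        "TrendMicro": "WORM_KOLAB.SMQX",
        "eSafe": "Win32.PWS.Zbot.Cc",
    }],
    "result": 1,
}

# Tokens that name a class or platform rather than a family. This stop-list is my own
# heuristic (assumption); extend it as you meet new vendors' naming schemes.
GENERIC = {"trojan", "troj", "win32", "w32", "win", "generic", "gen", "variant",
           "heur", "suspicious", "agent", "worm", "pws", "riskware", "packed"}


def family_tokens(label: str) -> set:
    """Split a vendor label on punctuation and keep tokens that could name a family:
    at least four characters, not purely numeric, not in the generic stop-list."""
    toks = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", label)}
    return {t for t in toks if len(t) >= 4 and not t.isdigit() and t not in GENERIC}


def tally(report: dict) -> dict:
    """Detection ratio plus a per-family vote count, one vote per vendor per family."""
    scan_date, results = report["report"]
    flagged = {vendor: label for vendor, label in results.items() if label}
    families = Counter()
    for label in flagged.values():
        families.update(family_tokens(label))
    return {"scan_date": scan_date, "detections": len(flagged), "engines": len(results),
            "ratio": f"{len(flagged)}/{len(results)}", "families": families,
            "consensus": families.most_common(1)[0][0] if families else None}
```

On this subset tally(VT_REPORT) reports 12/15 detections and "zbot" as the consensus with five votes, with "kolab" second; variant suffixes like "hutl" or "smqx" each appear once and fall to the bottom of the count, which is the behaviour you want when you only need the family to search on.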

And knowing is half the battle…

Double click a random PDF and money starts fraudulently leaving your bank account. Scary thought, but we've just walked through the malware sample that is capable of that very scenario. Had the victim opened 'sample1.pdf' they most definitely would have had a very bad day, followed by countless hours on the phone trying to repair the damage done by the crimeware.

The average user has no idea that a PDF is capable of even running JavaScript, let alone that it can be leveraged to compromise their system. What can be done to help them? You may want to start by disabling JavaScript in your PDF reader preferences, which removes the vehicle this sample used to deliver its exploit. Beyond that, the obvious and age-old mantras still ring true: keep your operating system, anti-virus, applications, and especially your PDF clients current on all security patches. This is especially effective against older and known attacks, but there can be a lag between the initial identification of a threat and the availability of an update. To cover that lag and wrap on additional layers of protection, sandboxing and virtualization tools such as Sandboxie can run Web browsers and PDF readers in an isolated space and help contain an attack before it reaches the rest of the system. Microsoft also released the Enhanced Mitigation Experience Toolkit (EMET), which adds anti-exploitation techniques such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to applications and older operating systems without native protections. (EMET has since reached end of life; on current Windows the same mitigations are built in and configured through Exploit Protection.)

Ultimately, there is no substitute for common sense. Beware of strangers bearing PDFs. If you don't know the sender of an email that contains an attachment or a link to a file, or even if you receive an unexpected or out of character email from someone you do know, proceed with caution. Tell your friends and families, and happy Reversing!

--@Rnast

Tools Used:

  • IDA - Multi-processor disassembler and debugger
  • Pescanner.py - Python PE scanning script written by Michael Ligh
  • VirusTotal.py - Python script to query VirusTotal from the command line.

Resources:

  • IDA "xord.idb" - Commented IDA database of our extracted shellcode.
  • Sandboxie- Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.
  • EMET v3.0 - A toolkit for deploying and configuring security mitigation technologies

Special Thanks:
