Support for detecting ROR and ROL ciphers in documents

We added support for detecting executables ciphered with bitwise shift ciphers - ROR (shift right) and ROL (shift left) which was first reported from a sample from Mila's blog (contagiodump). Bitwise shifts are similar to multiple or division by 2's. This sample used a shift left of one position (rol 1) along with a 256byte XOR key.

CVE-2010-1297 Flash exploit variants

We haven't seen too many variations of the Flash exploit CVE-2010-1297, so we decided to take a look to see if there were a lot of samples using the proof on concept ones. Our tests showed some variation - 6 different embedded Flash files used in attacks:

Malware with pad.swf - Flash variant a (26810 bytes, 49ddb9b210e773b987b9a25678f65577):

5e810b49f879007610f4156afb1a29c8

721601bdbec57cb103a9717eeef0bfca

306d7e608a52121aa4508e9901e4072e (AES 128b PDF Encryption)

Malware with kp.swf - Flash variant b (1297 bytes, ea24ea1063f49c594f160a57c268d034):

aba6f3c89f3cdcd6dc294e2b1c503d28

Malware with flate encoded Flash variant c (27181 bytes, 0ab61f2fe334e22b4defb18587ae019f; inflated Flash variant d 53345 bytes, ac69d954d9e334d089927a1bc875d13d):

fb2523d17b3fa3b19a914bf23a61827c

e3f5ef4fa17b4e08388ae4b0e2373728

2beab5cfd84c929938f396e927c62e1c

Flash variant e (53902 bytes, 8286cc6dc7e2193740f6413b6fc55c7e):

81f31e17d97342c8f3700fdd56019972

Flash variant f (26774 bytes, bd7eac5ae665ab27346e52278f367635):

6932d141916cd95e3acaa3952c7596e4

497bd7eb4be6ae9b68c624e3fb594502

Flash variant g (26774 bytes, 4666a447105b483533b2bbd0ab316480):

ee81327f15db183f83815754fbfad5dd

XOR Key normalizing and hashing

Comparing XOR keys can be a bit of a pain, typically one would expect attackers to use the same shellcode to extract embedded executable code, giving the XOR key another similarity to compare when looking at different attacks.

One of the things we came up with early on is a key sum, simply counting the ascii values:

for ($i = 0; $i < strlen($key) - 1; $i+=2) {
$sum += hexdec($key[$i].$key[$i+1]);
}

This can be helpful with shorter keys, however given a 256 byte key counting up from 00 or down from FF can have the same key sum = 32640. This is where another solution is needed - a key hash. Keys can be found anywhere in a document, so hashing a key needs an extra step - normalizing the key. We decided to go with finding the highest values as the starting point - so the key would start with FF if present, if two or more FF appear, the next value is compared to get the highest multi-byte value. Once we have the normalized key, we take a simply md5:

Given this key:

080706050403020100fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0dfdedddcdbdad9d8d7d6d5d4d3d2d1d0cfcecdcccbcac9c8c7c6c5c4c3c2c1c0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a09f9e9d9c9b9a999897969594939291908f8e8d8c8b8a898887868584838281807f7e7d7c7b7a797877767574737271706f6e6d6c6b6a696867666564636261605f5e5d5c5b5a595857565554535251504f4e4d4c4b4a494847464544434241403f3e3d3c3b3a393837363534333231302f2e2d2c2b2a292827262524232221201f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09

When normalized becomes:

fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0dfdedddcdbdad9d8d7d6d5d4d3d2d1d0cfcecdcccbcac9c8c7c6c5c4c3c2c1c0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a09f9e9d9c9b9a999897969594939291908f8e8d8c8b8a898887868584838281807f7e7d7c7b7a797877767574737271706f6e6d6c6b6a696867666564636261605f5e5d5c5b5a595857565554535251504f4e4d4c4b4a494847464544434241403f3e3d3c3b3a393837363534333231302f2e2d2c2b2a292827262524232221201f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100

And the hash of the above is c9b69399459095f1b991eb1997a4d066.

Given this key:

4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3

Will be normalized to:

ff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e034e5e6e7e8e9eaebecedeee

And hashed as 9b7e14df2ffe3c32566f3fff8481c6f2.

Normalize XOR key source code:

function normalizeKey($key) {
$values = hex2str($key).hex2str($key);
$size= strlen($values) / 2;
$high = chr(0x00);
$highest = '';
$highestLoc = 0;
for ($j = 0; $j < $size; $j++) {
for ($i = 0; $i < $size; $i++) {
if (strlen($highest) > 0) {
$check = substr($values,$i,strlen($highest));
//echo "Compare [".dechex(ord($highest))."] and [".dechex(ord($check))."]\n";
if ($highest == $check) {
//echo "Found partial [".dechex(ord($high))."]\n";
$pos = $i+strlen($highest);
if ($values[$pos] > $high) {
//echo strhex($highest)." ".strlen($highest)."\n";
$highestLoc = $i-1;
$high = $values[$pos];
//echo "found highest at $highestLoc [".strhex($highest).dechex(ord($high))."]\n";
}
}
} else {
if ($values[$i] > $high) {
$highestLoc = $i-1;
$high = $values[$i];
//echo "found highest at $highestLoc [".dechex(ord($high))."]\n";

}
}

}
$highest .= $high;
$high = chr(0x00);

$search = '';
for ($l = 0; $l < strlen($highest); $l++) {
$search .= "\x".dechex(ord($highest[$l]));
}

if (preg_match_all("/$search/s", $values, $matches, PREG_OFFSET_CAPTURE)) {
if (count($matches[0]) <= 2) {
break;

}
}

}

$new = '';
for($i = $highestLoc+1; $i < $highestLoc+$size+1; $i++) {
$new .= $values[$i];
}

return strhex($new);
}

Now you can search on ViCheck for similar attacks by searching either the XOR Key sum, or key hash by clicking the "more" link on the report page on ViCheck.ca.

Email report enhancements

Hello, we're made a few changes to the emailed report to make things clearer:

Sample malware Office document report (thanks to Mila contagio: Jul 15 CVE-2009-0556 PPT North Korean Nuclear Update from david.alton33@hotmail.com) :

Nuclear report.pps:
https://www.vicheck.ca/md5query.php?hash=71803d893ed7d052fdb58f10da200fe9
RESULT: Embedded executable detected.
Encryption level: 256 byte key.
Confidence ranking: 100 (18 hits).

External hash searches:
VIRUS SCAN VirusTotal: 11/42 (26%) detected malware
REPORT http://www.virustotal.com/analisis/3bb1d1d441ab7412ca429ec2db6dbcf48e2b19323bf589d37698e76dc305044f-1279726141
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New

and a sample with just potential javascript but no embedded malware:

e9b6bd98f6e38ac529ae33c18b3e7d2a.virus:
SCAN: Suspicious file - Javascript obfuscation syncAnnotScan to hide blocks
REPORT: https://www.vicheck.ca/md5query.php?hash=e9b6bd98f6e38ac529ae33c18b3e7d2a
Confidence ranking: 75 (2 hits).

External hash searches:
VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/analisis/e6e36efb4a26863dca5de7c92e32fb59327f78d12df650e217dfffbb0458c7ee-1279592040
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New

And lastly a sample executable file:

e3963db2ab325916fd84117e08252b9b.virus:
SCAN: skipped - see sandbox report - file format executable
REPORT: https://www.vicheck.ca/md5query.php?hash=e3963db2ab325916fd84117e08252b9b
Confidence ranking: 50 (1 hits).

External hash searches:
VIRUS SCAN VirusTotal: 11/41 (27%) detected malware
REPORT http://www.virustotal.com/analisis/3d43f262c19bba43cdd52c7eaa68a7c16759b52dcb03a77ad256281f6525399c-1279791222
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New

Report page enhancements

For recently processed documents such as PDF or MS Office (engine >=193) we are now highlighting more information about the embedded executable such as the encryption/cipher method and information about the key.

Example result:

Embedded Executable:

XOR encryption: Yes
Replacement cipher: No
Mathematical substitution cipher: No

Matching: full
Key Length: 256 bytes
Key Unique Sum: 32640 More
Key Location: @5888 bytes
Key Accuracy: 100.00%
Fuzzy Errors: 0
File XOR Offset: @0 bytes
XOR Key normalized hash: eb58ea3d9dfb335ddc5d064954bc0daf
XOR Key: 0x[d8d7d6d5d4d3d2d1d0cfcecdcccbcac9c8c7c6c5c4c3c2c1c0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a09f9e9d9c9b9a999897969594939291908f8e8d8c8b8a898887868584838281807f7e7d7c7b7a797877767574737271706f6e6d6c6b6a696867666564636261605f5e5d5c5b5a595857565554535251504f4e4d4c4b4a494847464544434241403f3e3d3c3b3a393837363534333231302f2e2d2c2b2a292827262524232221201f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0dfdedddcdbdad9]

Thanks

Thanks to Lenny Zeltser for including ViCheck on the Analyzing Malicious Documents Cheat Sheet.

It's probably a good time to introduce ourselves. ViCheck is a combination of cryptanalysis engine to detect encrypted executables embedded in documents, as well as multi-decoder for PDF to detect known exploits or Javascript obfuscation techniques. We also use a commercial sandbox to attempt to collect dynamic information from exploit documents, statically extracted and decrypted executables. We don't run our samples live on the internet, a honeynet captures requests for C2 domains internally.

Regarding our primary goal of detecting embedded executables in documents, we use an in house developed cryptanalysis engine to scan for and try leaked plaintext keys (a large amount of any executable file is zero-space which when encrypted with XOR algorithms leaks the key as plaintext), decrypt the executable and scan for imported libraries. We also detect mathematical substitutions and replacement ciphers, and combinations thereof.

Samples can be submitted via web form on ViCheck.ca from your local computer or a remote web url, or via email by forwarding suspicious emails to hereyougo at vicheck.ca

Rerunning samples

We'll be rerunning our entire sample database over the next few days to collect more information on embedded EXE's for a upcoming enhancement to the search page, there might be some extra long processing times for new samples (don't worry we'll still prioritize new samples to run before old ones), and some existing samples will show as queued/running temporarily.

Behind the scenes we've developed 6 different cryptanalysis techniques for detecting embedded executables, we'll be testing all the methods to determine the most effective and efficient one(s). You may have noticed some clean samples taking a while to run, we've been sequentially exhaustively searching with various techniques to locate embedded executables, a key indicator for a malicious document.

Worst Social Engineering Ever

From a recent submission via the email intake - hereyougo at vicheck.ca:

With a subject line of a invitation to a Tibetan event, invitation.rar (3026984137716828cf8f55b10bb0069) contained the aptly named "exploit.pdf" which certainly inspires confidence to open the attachment:

exploit.pdf:
EXECUTABLE SCAN: PDF Exploit Embedded Flash may be CVE-2010-1297 (genexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=ee81327f15db183f83815754fbfad5dd
Exploit method detected as genexploit - PDF Exploit Embedded Flash may be CVE-2010-1297.
Confidence ranking: 100 (11 hits).

Embedded EXE is encrypted with a 256 byte key as well as a simple replacement cipher.

Drops:

c:\a.exe 23876a91a7510e5c39e39670f5b9343d	72560 bytes
c:\a.pdf 36710aef65cf5b4ccae81b2842821dbd	1243 bytes
C:\[WINDOWS]\system32\srvlic.dll e94e4e5023c51a7a37a02a3db5802944	20480 bytes
C:\[WINDOWS]\fxsst.dll da0ce7a6c134d45e63c61c301ba13c25	40960 bytes

New hash search page

The hash search report has been streamlined and the beta version phased out, now some of the more verbose reporting is hidden and can be shown with a click beside it's heading. Shellcode dissassembly (which now includes some basic automatic unpacking) and hexdump images are hidden by default. More info on the embedded exe coming soon. A future version will probably be a static page to speed up the loading.

Submit web url, comments

Trying out a couple of newly written features - submit a document/pdf/zip from a web link (which is handy to see what's in those emailed links) try it here. Also added a comments box to each MD5 report page to perhaps drive some collaborative analysis. Migrated the forms throughout to HTML5 to take advantage of some of the new browser features.

APT Malware Trends

Some history on the most common Adobe PDF and MS Office exploits and the timeline of their detection on ViCheck.ca:


CVE-2006-2492 MS Word
July 2009 - Current

CVE-2009-0927 PDF Collab.getIcon
July 2009 - Current

CVE-2007-5659 PDF Collab.collectEmailInfo
September 2009 - Current

CVE-2009-3957 PDF Colors
September 2009 - February 2010

CVE-2008-2992 PDF util.printd
December 2009 - Current

CVE-2009-3954 PDF 3D
December 2009 - May 2010

CVE-2009-3953 CVE-2009-3959 PDF U3D
December 2009 - May 2010

CVE-2009-4324 PDF media.newPlayer
December 2009 - Current

CVE-2008-2992 PDF util.printd
December 2009 - Current

CVE-2010-0188 PDF TIFF
March 2010 - Current

CVE-2009-3129 MS Office
June 2010 - Current

CVE-2010-1297 PDF+Flash
June 2010 - Current

View detection hits as hexdump on ViCheck.ca

For recently analyzed reports, we've added a Beta Analysis Report linked to from the regular report page, you can view hex humps of the exploits or embedded executables:

Detect JavaScript exploits in PDF, or embedded executables in MS Office exploits in .doc, xls, ppt files on ViCheck.ca.

More fun with PDF Obfuscation

Another interesting way to hide a block of JavaScript inside a PDF, info.Trailer:

exmu='dmw';if(app.alert)exmu='';WmMw=this;zisc=WmMw.info;exmu=exmu+unescape('%')+exmu;y1vw=zisc.Trailer.replace(/([A-Z])/g,exmu);app.setTimeOut(unescape(y1vw),3)

Shellcode Detection Tool

New web tool - paste your hex right from a hex editor into the Decoder Tool and select Detect as shellcode to run a LibEmu detection scan. Also decode various JavaScript obfuscation methods such as charFromCode, unicode, regular hex escaping.

Executable extraction from documents

New feature in beta, extraction of the EXE files and embedded documents. Check the bottom of the report page for a list of embedded files. The MD5's may vary from actual dropped files as any whitespace at the end of the exe's won't be included.

PDF JavaScript Obfuscation

Here's a quick note on an emerging JavaScript obfuscation technique. The use of getAnnots and syncAnnotScan to iterate through FlateDecode blocks which contain raw encoded data. Inside the encoded data is usually packed obfuscated JavaScript with some recent exploit.

var z; var y; z = y = app.doc;
y = 0; z.syncAnnotScan ( ); y = z;var p = y.getAnnots( { nPage: 0 }) ;var s = p[0].subject; var l = s.replace(/z/g, 'a%b'.replace(/[ab]/g, ''));s = this['unes' + 'cape'] (l) ;var e = app['ev' + 'al']; e(s); s = ''; z = 1;

Our new blog

Welcome to the ViCheck blog, we're hoping to use this forum for updates on the malware analysis scene. Current trends are showing a rise in document format malware, viruses embedded in Adobe PDF or MS Office documents are difficult to detect. Our malware analysis engine at ViCheck.ca can detect current PDF exploits (media.newPlayer being the current favorite), as well as executables embedded in documents.

Yesterday's Google blog post has again highlighted the risks of PDF based malware against private corporations, government, and human rights groups. To reduce the risk from this type of malware, Javscript can be disabled in Acrobat Reader.

Recent ViCheck analysis reports of malware, including PDF viruses can be accessed from our website.