Analyzing PDF Malware - Part 3D
This is part 3D, the final point in the Analyzing PDF Malware constellation. If you haven't read any of the preceding posts you can find them arranged here-> Part1, Part2, Part3A, Part3B, and Part3C. That's a lot of posts, but we will be building off our analysis from those posts for this finale and referencing back to them from time-to-time.
...
In Part3A we were able to successfully disassemble our second stage shellcode - check off our first goal. In Part3B and Part3C we analyzed the shellcode thoroughly - check off goal number two. For Part3D we will investigate the binary that the malware downloaded from a remote system to achieve our final goal.
Our Part3 Goals:
1. Disassemble the second stage shellcode
2. Analyze the disassembly to determine its full capabilities
3. Track down and determine the ultimate goal of the malware
Full circle…
Having just wrapped up the shellcode analysis, we now find ourselves in a somewhat familiar situation. We know that the malicious PDF attempts to exploit a vulnerability, execute its shellcode, and download and run an unknown binary. So, just as in Part1 of this series, we have within our sights a suspicious file that we need to investigate.
If you were paying close attention, the URL being used by the malware has popped up a handful of times throughout our previous analyses. We can find it stored at the very end of the shellcode starting at the offset 0x137 in our IDA database file.
Fig1. – URL data located at the end of the shellcode (site is no longer live)
We could have recovered the binary during our dynamic analysis stage (Part3C) by allowing our virtual machine to connect to the Internet, but a better and safer way would be to manually download the file. If you are extra paranoid, you may want to download the file using an OS that is not targeted by this attack (*nix, OSX). *note* The host does not resolve and is no longer live.
If we remember back to the inaugural write-up of this series, one of the very first things we should do is to take a hash of the file (MD5/SHA1/etc) to create a unique identifier and then use that to search the Interwebs. It is possible that someone out there has already encountered this particular piece of malware and has shared some analysis on it. Even though any such analysis should be taken with a grain of salt and independently verified, it is almost certainly better than the blank slate we would be starting off with otherwise. The last time around we just ran a simple MD5 checksum against our PDF. This time the one thing we already know about our sample is that it is actually an executable. Keeping that in mind, let's run a tool that will give us a report on the PE's structural characteristics in addition to a handful of unique hashes. The Python script 'pescanner.py' written by Michael Ligh will produce the following report for our downloaded sample.
Meta-data================================================================================File: d[1].phpSize: 311808 bytesType: PE32 executable (GUI) Intel 80386, for MS WindowsMD5: e1f7fc1853fdda8c5da21f84a10629afSHA1: 3ba4cb33621539b740289db3ee008ad8b1aeda6cssdeep: 6144:Zw4TvcsVIeAGKSVGkt11OBClz1uPmTR+aewqMBVBa:ZBUsVfAUGktDOolzQYR+aLFaDate: 0x4DF041C7 [Thu Jun 9 03:45:11 2011 UTC]EP: 0x404b0f .text 0/5CRC: Claimed: 0x0, Actual: 0x5532c [SUSPICIOUS]Signature scans================================================================================Clamav: d[1].php: OKResource entries================================================================================Name RVA Size Lang Sublang Type--------------------------------------------------------------------------------RT_ICON 0x101f0 0x468 LANG_ENGLISH SUBLANG_ENGLISH_US GLS_BINARY_LSB_FIRSTRT_ICON 0x10658 0x10a8 LANG_ENGLISH SUBLANG_ENGLISH_US dataRT_ICON 0x11700 0x25a8 LANG_ENGLISH SUBLANG_ENGLISH_US dataRT_ICON 0x13ca8 0x4228 LANG_ENGLISH SUBLANG_ENGLISH_US dataRT_ICON 0x17ed0 0x10828 LANG_ENGLISH SUBLANG_ENGLISH_US dataRT_GROUP_ICON 0x286f8 0x4c LANG_ENGLISH SUBLANG_ENGLISH_US MS Windows icon resource - 5 icons, 16x16, 256-colorsRT_VERSION 0x28744 0x21c LANG_ENGLISH SUBLANG_ENGLISH_US dataRT_HTML 0x28960 0x22c5a LANG_ENGLISH SUBLANG_ENGLISH_US PC bitmap, Windows 3.x format, 142372 x 1 x 32Sections================================================================================Name VirtAddr VirtSize RawSize Entropy --------------------------------------------------------------------------------.text 0x1000 0x97ca 0xa000 6.471374 .rdata 0xb000 0x1b6a 0x2000 5.006934 .data 0xd000 0x21a4 0x1000 3.972730 .rsrc 0x10000 0x3b5bc 0x3c000 7.107627 [SUSPICIOUS].reloc 0x4c000 0x119e 0x2000 3.145897 Version info================================================================================LegalCopyright: InternalName: OneFileVersion: 1,0,0,0ProductName: OneProductVersion: 1.0.0.0FileDescription: OneOriginalFilename: One.exeTranslation: 0x0409 0x04b0
Rep1. – PEscanner.py Report
The report gives us quite a bit of information in addition to the MD5 checksum. One point of interest that jumps out is that the .rsrc section as been labeled as "[SUSPICIOUS]" due to its unusually high entropy. It is possible that there is an encrypted file or data embedded here. Handy information to be aware of, and definitely something you should keep in mind while progressing with the analysis.
A quick Google of the MD5 "e1f7fc1853fdda8c5da21f84a10629af" nets us 52 results at the time of this writing. Yahtzee! We are in luck! There are several results including a ThreatExpert sandbox report and a VirusTotal submission among others. VirusTotal returns a detection rate of 8 / 42 antivirus vendors that flag our file as malicious on the date of its initial submission.
Fig2. – VirusTotal Web results for the binary downloaded by the shellcode.
Protip: You can save yourself a step here by getting a VirusTotal API key and integrating a script that they provide into the pescanner.py script we just used. This will effectively perform a very quick search of the VirusTotal database using the MD5 checksum of the sample and return results via the command line.
VirusTotal Search================================================================================{u'permalink': u'http://www.virustotal.com/file/12c3f477dc4d82319035789f42ea081edbd89fb1740f154a1fcca63b8702d9bf/analysis/', u'report': [u'2011-10-22 00:49:24', {u'AVG': u'Patched_c.KVZ', u'AhnLab-V3': u'Win-Trojan/Zbot.311808.D', u'AntiVir': u'TR/Dropper.Gen', u'Antiy-AVL': u'Trojan/Win32.Agent.gen', u'Avast': u'Win32:Kryptik-DBD [Trj]', u'BitDefender': u'Trojan.Generic.KDV.246814', u'ByteHero': u'', u'CAT-QuickHeal': u'Trojan.Ircbrute.A', u'ClamAV': u'', u'Commtouch': u'', u'Comodo': u'Heur.Suspicious', u'DrWeb': u'Trojan.Packed.21754', u'Emsisoft': u'Trojan.SuspectCRC!IK', u'F-Prot': u'', u'F-Secure': u'Trojan.Generic.KDV.246814', u'Fortinet': u'W32/Zbot.CC!tr.pws', u'GData': u'Trojan.Generic.KDV.246814', u'Ikarus': u'Trojan.SuspectCRC', u'Jiangmin': u'Trojan/Agent.eyrc', u'K7AntiVirus': u'Riskware', u'Kaspersky': u'Trojan.Win32.Agent.hutl', u'McAfee': u'W32/Kolab.gen.g', u'McAfee-GW-Edition': u'W32/Kolab.gen.g', u'Microsoft': u'PWS:Win32/Zbot', u'NOD32': u'a variant of Win32/Injector.GXD', u'Norman': u'W32/Injector.AOF', u'PCTools': u'Trojan-PSW.Generic', u'Panda': u'Generic Trojan', u'Prevx': u'', u'Rising': u'', u'SUPERAntiSpyware': u'Trojan.Agent/Gen-Injector', u'Sophos': u'Troj/Zbot-ASH', u'Symantec': u'Infostealer', u'TheHacker': u'Trojan/Injector.gxd', u'TrendMicro': u'WORM_KOLAB.SMQX', u'TrendMicro-HouseCall': u'WORM_KOLAB.SMQX', u'VBA32': u'Trojan.Agent.hutl', u'VIPRE': u'Trojan.Win32.Generic!BT', u'ViRobot': u'Worm.Win32.Autorun.126976.N', u'VirusBuster': u'Trojan.Agent!bzJbt4LQzTQ', u'eSafe': u'Win32.PWS.Zbot.Cc', u'eTrust-Vet': u'Win32/SillyAutorun.FLW', u'nProtect': u'Trojan/W32.Agent.311808.BG'}], u'result': 1}--------------------------------------------------------------------------------
Rep2. – VirusTotal.py Report
The ThreatExpert results reveal that the file is a part of the infamous Zeus (Zbot) trojan malware family which often focuses on stealing online banking credentials. Our VirusTotal report also mentions the Zbot Trojan a number of times. Additionally, but not directly related to our sample, many similar types of malicious files were at one time being served up from the same host that our URL once resolved to. The file downloaded and executed by the shellcode attempts to infect the victim's system with the Zbot backdoor and join the recently estimated more than 13 million others members of the Zeus botnet. This should safely satisfy our final question regarding the malware's ultimate purpose. For a further detailed dive into the analysis of the Zeus crimeware, be sure to check out the excellent Spiderlab's blog series "Catch Me If You Can" </shameless plug>.
And knowing is half the battle…
Double click a random PDF and money starts fraudulently leaving your bank account. Scary thought, but we've just walked through the malware sample that is capable of that very scenario. Had the victim opened 'sample1.pdf' they most definitely would have had a very bad day, followed by countless hours on the phone trying to repair the damage done by the crimeware.
The average user has no idea that a PDF is capable of even running JavaScript, let alone that it can be leveraged to compromise their system. What can be done to help them? Well, you may want to start by disabling JavaScript in your PDF reader preferences, but the obvious and age-old mantras still ring true of ensuring that your operating system, anti-virus, applications, and especially your PDF clients are all kept up to date on all security patches. This is especially effective against older and known attacks. But sometimes there can be lag between initial identification of a threat to when updates are available. To combat the lag and wrap on additional layers of protection, sandboxing and virtualization tools, such as Sandboxie, can be used to open programs like Web browsers and PDF readers in a standalone manner, and can help contain attacks from infecting your system. Microsoft also has released a tool called Enhanced Mitigation Experience Toolkit (EMET) that adds various anti-exploitation techniques such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to applications and older operating systems that do not have built-in, native protections.
Ultimately, there is no substitute for common sense. Beware of strangers bearing PDFs. If you don't know the sender of an email that contains an attachment or a link to a file, or even if you receive an unexpected or out of character email from someone you do know, proceed with caution. Tell your friends and families, and happy Reversing!
--@Rnast
Tools Used:
- IDA - Multi-processor disassembler and debugger
- Pescanner.py - Python PE scanning script written by Michael Ligh
- VirusTotal.py - Python script to query VirusTotal via commandline.
Resources:
- IDA "xord.idb" - Commented IDA database of our exctracted shellcode.
- Sandboxie- Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.
- EMET v3.0 - A toolkit for deploying and configuring security mitigation technologies
Special Thanks:
- @jgrunzweig - for his CSS 3D wizardry.