Showing posts from 2012

APT and Incident Response

State sponsored cyber espionage attacks are both the least understood and the most difficult issues to deal with in an enterprise. We've dealt with several situations where internal IT, or even externally contracted security companies, failed to mitigate an APT compromise. Fighting an APT actor is an ongoing intelligence game; simply playing whack-a-mole by removing compromised systems from a network treats the symptoms of the problem, not the root cause: persistence.

Phases of state sponsored intrusions:

- Stage 0 - Initial attacks - email attachments or links - PDF/MS Office, disguised executables (password protected archives, right to left shift etc), SQLI, web apps, seeded websites/ads
- Stage 1 - Basic implants - initial recon and assessment
- Stage 2 - Better implants - exfiltration, multiple backdoors, remote shell, RDP, domain controllers/password hashes exfiltrated
- Stage 3 - Network persistence - legitimate access as admin, passive backdoors usually not resolving…

CVE-2012-0754 exploitability in PDF

Just a short blog post in follow up to the 9bplus and Xecure Lab posts on targeted attacks using the CVE-2012-0754 Flash calling malformed MP4 exploit in PDF. Adobe reports that the Reader 10+ sandbox mitigates this threat, and that Acrobat Reader 9.5.1 now uses the separate Flash Player, which was patched in February.

We've received samples of CVE-2012-0754 as early as April 20, 2012, used in attacks prior to that date. Adobe's Acrobat Reader 9.5.1 was released April 10, 2012. Prior to April 10, Acrobat Reader 9.5 and earlier used a built-in Flash player which was vulnerable to the CVE-2012-0754 exploit, publicly known since February 15, 2012, when it was patched in the Flash Player. Attacks using the PDF version of CVE-2012-0754 may have been occurring prior to April 10 (we have no confirmation of this) and could have been successful against Acrobat Reader 9.5 at that time; we suggest that Adobe should have patched Reader for CVE-2012-0754 in February at the same time as F…

CCITTFaxDecode support added to PDFExaminer

With the recent Sophos report of a CCITTFaxDecode filter being used to obfuscate malware, we decided it was time to add CCITT support for Group 3 1D to PDFExaminer.

We've been aware of one malware PDF using CCITTFaxDecode previously; however, the JavaScript in it was not obfuscated, just the content, so we still flagged the file as suspicious. After implementing the Group 3 1D protocol [pdf] in PDFExaminer and testing our previously known sample, it appears we found the same file as Sophos, but dated 2010-11-07 (MD5: 863f99103941a33fbbe722f0deb3afa5), so there are not a lot of these going around, and they do not appear to be current.

View the full PDFExaminer report here and the 6 / report from 2010-10-09.

XLS CVE-2009-3129 and countering cryptanalysis technique

We've recently come across a new technique to evade cryptographic analysis of malware documents: the zero-filled blocks of the malware payload are left unencrypted, which avoids leaking the XOR key.

The method does require more complicated shellcode and can be tricky. We've previously only seen this technique used with one byte XOR keys; in this case we have an 8 byte XOR key used to encrypt an executable and a clean dropped .doc file.

Sample: MAP forecast template_2012.xls / f2e17c8954569ca2b20428f4c3112a30

Looking at the original XLS file, we can see that the embedded malware's zero space is not encrypted, so the actual XOR key does not appear anywhere in the file:

In the image above, we can see that fragments of the inverse XOR key are left when a block of FF characters is encrypted with the 8 byte key. The pattern b181826c015bd079 appears to repeat: since FF in binary is 11111111, XORing FF leaks the bitwise NOT of the key (compared to the full key when XORing 00000000). Using the …
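To make the key leakage concrete, here is an added Python example (not code from the original post or from Cryptam). It uses the 8 byte key quoted above on a constructed stand-in payload, encrypts it both the naive way and with zero blocks skipped, and shows that a run of 00 leaks the key directly while a run of FF still leaks its bitwise NOT, which is recovered by complementing the repeating pattern. The function names and the payload are this example's own assumptions.

```python
from typing import Optional, Set

# 8-byte key from the write-up above; everything else below is constructed for this example.
KEY = bytes.fromhex("b181826c015bd079")
NOT_KEY = bytes(b ^ 0xFF for b in KEY)


def xor_with_key(data: bytes, key: bytes, skip_zero_blocks: bool = False) -> bytes:
    """XOR data with a repeating key, phased to the absolute offset.

    With skip_zero_blocks=True, key-aligned blocks that are entirely 0x00 are copied
    through untouched (the evasion described above). XOR is symmetric, so the same
    call with the same flag also decrypts such output."""
    n = len(key)
    out = bytearray()
    for off in range(0, len(data), n):
        block = data[off:off + n]
        if skip_zero_blocks and not any(block):
            out += block
        else:
            out += bytes(b ^ key[(off + j) % n] for j, b in enumerate(block))
    return bytes(out)


def repeating_patterns(data: bytes, keylen: int, min_repeats: int = 4) -> Set[bytes]:
    """Every keylen-byte string that occurs back-to-back at least min_repeats times.

    A run of 0x00 plaintext leaves the key itself (and every rotation of it) here;
    a run of 0xFF plaintext leaves the bitwise NOT of the key instead."""
    found = set()
    for i in range(len(data) - keylen * min_repeats + 1):
        pat = data[i:i + keylen]
        if all(data[i + k * keylen:i + (k + 1) * keylen] == pat for k in range(1, min_repeats)):
            found.add(pat)
    return found


def key_candidates(data: bytes, keylen: int) -> Set[bytes]:
    """Repeating patterns plus their complements, so an 0xFF-run leak is turned back into a key."""
    pats = repeating_patterns(data, keylen)
    return pats | {bytes(b ^ 0xFF for b in p) for p in pats}


def recover_key(data: bytes, keylen: int) -> Optional[bytes]:
    """Pick the candidate (the set already contains every rotation) whose decryption starts with 'MZ'."""
    for cand in sorted(key_candidates(data, keylen)):
        if xor_with_key(data[:2], cand) == b"MZ":
            return cand
    return None


# Constructed stand-in for an embedded executable: a 64-byte header, a zero-filled block,
# an 0xFF-filled block (e.g. a mask table), then the familiar DOS-stub string.
PAYLOAD = (b"MZ" + bytes(range(2, 64))
           + b"\x00" * 64
           + b"\xff" * 64
           + b"This program cannot be run in DOS mode.")

if __name__ == "__main__":
    naive = xor_with_key(PAYLOAD, KEY)
    evasive = xor_with_key(PAYLOAD, KEY, skip_zero_blocks=True)
    print("naive   : key visible =", KEY in repeating_patterns(naive, 8))
    print("evasive : key visible =", KEY in repeating_patterns(evasive, 8),
          "| NOT(key) visible =", NOT_KEY in repeating_patterns(evasive, 8))
    print("recovered from evasive sample:", recover_key(evasive, 8).hex())
```

The point for an analyst is that the evasion only removes one of the two leaks: any long run of a constant byte, not just 0x00, leaves the key XOR that byte behind, so the candidate search has to consider complements (and, in general, the pattern XOR any frequent constant) rather than only looking for the raw key.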

Cryptam Multi tool - automatic extraction of encrypted exe's and dropped files

We've added a bunch of new features and special case handling to the Cryptam malware document analysis system. Here's a few highlights:

- MS Office Open XML .docx handling
- RTF Datastore embedded file detection
- bitwise not ciphers
- Automatic extraction of encrypted embedded executables, dropped clean PDFs and documents

Executable and dropped clean document extraction:
While we won't be serving up malware exe files for download after processing on Cryptam, we are releasing this free script so you can extract embedded executables yourself from a document or PDF file. We've seen an increase in malware MS Office documents targeting Tibetan groups using subjects related to self-immolation.

The Cryptam Multi tool - standalone malware extractor from documents:

Extract executables using a known xor key, rol, ror, transposition full/512 byte headers and bitwise not ciphers. Submit a malware document to Cryptam via our API to get the XOR and any ciphers needed for decoding, or query the Cryp…

Flash in Doc CVE-2012-0754 detection added to Cryptam

We've added support to our Cryptam document analysis system to detect the embedded Flash in Office document exploit CVE-2012-0754, which was recently patched with a new Flash Player update, yet has been increasingly used in attacks since at least Feb 27.

Cryptam will detect compressed Flash (CWS) files, decompress them and search for signatures of CVE-2012-0754 as well as conduct a cryptographic analysis to detect XOR encrypted executables as well as ROL encoding to detect new emerging or unknown threats in document format files.
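The decompression step described above, as an added Python example (not Cryptam's own code): it locates SWF headers inside an arbitrary byte buffer, inflates the zlib body of compressed (CWS) files so that any signature matching runs against the real tag stream, and can re-wrap the result as an uncompressed FWS file for tools that only read that form. The sample document and tag stream are constructed for this example; the SWF header layout (3-byte magic, version byte, little-endian uncompressed length including the 8-byte header) is the real format.

```python
import struct
import zlib
from typing import List, Tuple


def find_embedded_swf(data: bytes) -> List[Tuple[int, str, int, bytes]]:
    """Return (offset, kind, version, body) for every plausible SWF header in data.

    'FWS' bodies are sliced out directly; 'CWS' bodies are inflated with a decompressobj so
    that trailing document bytes after the zlib stream do not cause an error."""
    results = []
    for magic in (b"FWS", b"CWS"):
        start = 0
        while True:
            i = data.find(magic, start)
            if i == -1:
                break
            start = i + 1
            if i + 8 > len(data):
                continue
            version = data[i + 3]
            total_len = struct.unpack_from("<I", data, i + 4)[0]  # uncompressed length incl. header
            if not (1 <= version <= 40) or total_len < 8:          # plausibility check against chance hits
                continue
            body_len = total_len - 8
            if magic == b"FWS":
                body = data[i + 8:i + 8 + body_len]
            else:
                try:
                    body = zlib.decompressobj().decompress(data[i + 8:], body_len)
                except zlib.error:
                    continue
            if len(body) != body_len:                             # declared length must match what we got
                continue
            results.append((i, magic.decode("ascii"), version, body))
    return sorted(results)


def to_fws(version: int, body: bytes) -> bytes:
    """Re-wrap an inflated body as an uncompressed FWS file."""
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


# Constructed sample: a deterministic fake tag stream, wrapped as CWS, dropped into filler
# behind an OLE2 magic. Not a real Flash file.
SWF_BODY = bytes(range(64)) * 4 + b"\x00\x00"
CWS_FILE = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(SWF_BODY)) + zlib.compress(SWF_BODY)
SAMPLE_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 128 + CWS_FILE + b"\xff" * 64

if __name__ == "__main__":
    for off, kind, ver, body in find_embedded_swf(SAMPLE_DOC):
        print(f"{kind} v{ver} at offset {off}, {len(body)} bytes inflated")
```

Signature matching for a specific exploit belongs after this step, on the inflated body; the example deliberately stops at producing that body.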

We've noted a small number of samples of CVE-2012-0754 with 2 separate URLs for the remote mp4 file. The embedded executables have used a 1 byte XOR+ROL or just ROL 2 encoded.

View Cryptam Document Analysis System reporting of sample e92a4fc283eb2802ad6d0e24c7fcc857 reported on Contagiodump.

Decrypting embedded encrypted executables

In addition to the detection of embedded executables in documents, you will probably want to run the malware in your dynamic analysis sandbox or do a static analysis in IDA. To decrypt the executable, or the embedded clean documents and other files that are obfuscated/encrypted, we have the following simple script. First you'll need the XOR key and ROL decode shift from a Cryptam report:

Download our cryptam_unxor.php script.

Sample usage:
dev:cryptam_test dev$ strings 34eba128caa21df52b7cec6ea1c80a91.virus|egrep This.program
dev:cryptam_test dev$ php cryptam_unxor.php 34eba128caa21df52b7cec6ea1c80a91.virus -xor 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5…
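As an added Python example (not the cryptam_unxor.php script itself), here is the decode step it performs, written so it can be run offline: a decoder for a repeating XOR key combined with a per-byte ROL shift, a brute-force search over all 256 one-byte keys and 8 shifts that uses the DOS-stub string as its plaintext oracle, and a carve step that walks back to the MZ header and checks e_lfanew. The example assumes the encoder applied XOR first and ROL second (so decoding is ROR then XOR); the fake executable and document are constructed.

```python
import struct
from typing import Optional, Tuple

MARKER = b"This program cannot be run in DOS mode"


def rol8(b: int, s: int) -> int:
    s %= 8
    return ((b << s) | (b >> (8 - s))) & 0xFF


def ror8(b: int, s: int) -> int:
    s %= 8
    return ((b >> s) | (b << (8 - s))) & 0xFF


def decode_xor_rol(data: bytes, key: bytes, rol_shift: int) -> bytes:
    """Undo 'XOR with a repeating key (phased to file offset), then ROL every byte'.
    The XOR-then-ROL order is an assumption made for this example."""
    n = len(key)
    return bytes(ror8(c, rol_shift) ^ key[i % n] for i, c in enumerate(data))


def encode_xor_rol(data: bytes, key: bytes, rol_shift: int) -> bytes:
    """Inverse of decode_xor_rol; used here only to build the sample."""
    n = len(key)
    return bytes(rol8(p ^ key[i % n], rol_shift) for i, p in enumerate(data))


def brute_force_single_byte(data: bytes) -> Optional[Tuple[int, int, int]]:
    """Try every one-byte key x shift; return (key, rol_shift, marker_offset) for the first
    combination that reveals the DOS stub string. A 256-entry table per combination makes
    each trial a single bytes.translate() over the whole file."""
    for shift in range(8):
        for key in range(256):
            table = bytes(ror8(c, shift) ^ key for c in range(256))
            idx = data.translate(table).find(MARKER)
            if idx != -1:
                return key, shift, idx
    return None


def carve_pe(decoded: bytes, marker_offset: int) -> Optional[int]:
    """Walk back from the stub string to the nearest 'MZ' and confirm e_lfanew points at 'PE\\0\\0'.
    Returns the start offset of the executable inside the decoded buffer."""
    mz = decoded.rfind(b"MZ", 0, marker_offset)
    if mz == -1 or mz + 0x40 > len(decoded):
        return None
    e_lfanew = struct.unpack_from("<I", decoded, mz + 0x3C)[0]
    if decoded[mz + e_lfanew:mz + e_lfanew + 4] != b"PE\x00\x00":
        return None
    return mz


def build_fake_pe() -> bytes:
    """A constructed MZ/PE skeleton with just enough header to be carved; not a runnable program."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x80)          # e_lfanew -> NT headers right after the stub
    hdr[0x4E:0x4E + len(MARKER)] = MARKER
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 58


FAKE_PE = build_fake_pe()
# Constructed document: OLE2 magic, filler, the executable encoded with key 0x3f and ROL 2, filler.
DOC = b"\xd0\xcf\x11\xe0" + b"A" * 300 + encode_xor_rol(FAKE_PE, bytes([0x3F]), 2) + b"B" * 100

if __name__ == "__main__":
    hit = brute_force_single_byte(DOC)
    if hit:
        key, shift, marker_at = hit
        decoded = decode_xor_rol(DOC, bytes([key]), shift)
        print(f"key=0x{key:02x} rol={shift} marker@{marker_at} pe@{carve_pe(decoded, marker_at)}")
```

For multi-byte keys the brute force is replaced by the key reported by the analysis system (or recovered from zero-run leakage), but the decode and carve steps are identical.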

Obfuscation and detection of embedded executables

We're going to talk a little bit more about how our new Cryptam system detects malware documents based on identification of the encrypted executables. A document exploit needs to install an executable, those executables are usually either obfuscated and embedded in the document, or downloaded from a remote site.

APT type targeted email attacks, or "spear phishing" attacks, in our experience most commonly embed the executable trojan within the document exploit. Everything from plaintext to obfuscation using 1-1024 byte XOR keys, counters, and ROL/ROR bit shifting is commonly seen.

Common AV typically fails at detecting malware documents, as the exploit shellcode is usually heavily packed and the XOR encryption creates a huge number of variants of potential signatures, so AV detection usually ends up being hash based and lags behind the attacks, with new attacks getting only 10-20% detection on VirusTotal.

Our Cryptam system uses the entropy of the file content to ignore legiti…

New malware document scanner tool released

We've recently released our malware document scanner tool called Cryptam (which stands for cryptanalysis of malware). This system scans document files such as MS Office (.doc/.ppt/.xls), PDF and other document formats for embedded executables, whether encrypted or not. As most embedded malware executables use varying lengths of XOR and ROL/ROR obfuscation to evade traditional A/V detection, we focus on the detection of the embedded executable rather than the exploit itself.

A typical Cryptam report visually shows three critical pieces of the cryptanalysis done. The first graph shows the count for each ASCII character in the file; obvious single byte XOR keys can be seen here. The second graph is the entropy of the file: most documents other than PDFs have very low entropy on legitimate content, with only images or the embedded executables showing as red high entropy sections. The third and final graphic is the XOR dispersion over 1024 bytes with the calculated key overlaid. We de…
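The first two report graphics described here, and the entropy-based filtering mentioned in the "Obfuscation and detection of embedded executables" post above, come down to two measurements. The following added Python example (not Cryptam's own code) computes both on a constructed document: a byte histogram whose tallest bar is the single byte XOR key candidate (an executable's zero padding all becomes the key byte), and a windowed Shannon entropy profile that marks the high entropy region where the obfuscated executable sits. The sample document, key and thresholds are this example's own assumptions.

```python
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 when all 256 values are equally frequent."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, window: int = 256) -> List[Tuple[int, float]]:
    """(offset, entropy) for each consecutive window; this is the data behind the entropy graph."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 256, threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Merge adjacent windows at or above threshold into (start, end) byte ranges."""
    spans: List[Tuple[int, int]] = []
    for off, h in entropy_profile(data, window):
        if h < threshold:
            continue
        if spans and spans[-1][1] == off:
            spans[-1] = (spans[-1][0], off + window)
        else:
            spans.append((off, off + window))
    return spans


def guess_single_byte_xor_key(data: bytes) -> int:
    """A PE carries kilobytes of 0x00 padding; under a one-byte XOR key every one of those bytes
    becomes the key, so the tallest bar of the byte histogram is the key candidate."""
    value, _ = Counter(data).most_common(1)[0]
    return value


# Constructed document: 2 KiB of repetitive text, then an "executable" (four 256-byte
# permutations standing in for code, plus 1 KiB of zero padding) XORed with 0x5a, then a trailer.
KEY = 0x5A
TEXT = (b"Quarterly forecast, all regions, draft. " * 64)[:2048]
EXE_PLAIN = bytes(range(256)) * 4 + b"\x00" * 1024
TRAILER = (b"Appendix A. " * 32)[:256]
DOC = TEXT + bytes(b ^ KEY for b in EXE_PLAIN) + TRAILER

if __name__ == "__main__":
    for off, h in entropy_profile(DOC):
        print(f"{off:5d} {h:4.2f} {'#' * int(h * 4)}")
    print("high entropy regions:", high_entropy_regions(DOC))
    print("key candidate: 0x%02x" % guess_single_byte_xor_key(DOC))
```

Two caveats a practitioner would keep in mind: the zero padding that makes the histogram spike is itself a low entropy region, so the entropy graph alone under-reports the executable's extent, and a document with large JPEGs will show high entropy windows that are not executables, which is why the page's system confirms a hit by actually finding decrypted PE structure rather than stopping at entropy.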