Skip to main content

Posts

Showing posts from March, 2012

XLS CVE-2009-3129 and countering cryptanalysis technique

We've recently come across a new technique to evade cryptographic analysis of malware documents by avoiding XOR key leakage by not encrypting any zero-blocks of the malware payload.

The method does take more complicated shellcode and can be tricky, we've previously only seen this technique used with one byte XOR keys, in this case we have a 8 byte XOR key used to encrypt an executable and clean dropped .doc file.

Sample: MAP forecast template_2012.xls / f2e17c8954569ca2b20428f4c3112a30




Looking at the original XLS file, we can see that the embedded malware's zero space is not encrypted, the actual XOR key does not appear anywhere in the file:




In the image above, we can see that fragments of the inverse XOR key are left when a block of FF characters is encrypted with the 8 byte key. We can see the pattern b181826c015bd079 appears to repeat, since FF in binary is 11111111, XORing FF will leak the bitwise NOT of the key (compared to the full key when XORing 00000000). Using the …

Cryptam Multi tool - automatic extraction of encrypted exe's and dropped files

We've added a bunch of new features and special case handling to the Cryptam malware document analysis system. Here's a few highlights:

- MS Office Open XML .docx handling
- RTF Datastore embedded file detection
- bitwise not ciphers
- Automatic extraction of encrypted embedded executables, dropped clean PDFs and documents

Executable and dropped clean document extraction:
While we won't be serving up malware exe files for download after processing on Cryptam, we are releasing this free script to extract embedded executables yourself from a document or PDF file. We've seen a increase in malware MS Office documents targeting Tibetan groups using subjects related to self-immolation.

The Cryptam Multi tool - standalone malware extractor from documents:

Extract executables using a known xor key, rol, ror, transposition full/512 byte headers and bitwise not ciphers. Submit a malware document to Cryptam via our API to get the XOR and any ciphers needed for decoding, or query the Cryp…

Flash in Doc CVE-2012-0754 detection added to Cryptam

We've added to support to our Cryptam document analysis system detect the embedded flash in Office document exploit CVE-2012-0754, which is a recently patched with a new Flash Player update, yet increasingly used in attacks since at least Feb 27.

Cryptam will detect compressed Flash (CWS) files, decompress them and search for signatures of CVE-2012-0754 as well as conduct a cryptographic analysis to detect XOR encrypted executables as well as ROL encoding to detect new emerging or unknown threats in document format files.

We've noted a small number of samples of CVE-2012-0754 with 2 separate URLs for the remote mp4 file. The embedded executables have used a 1 byte XOR+ROL or just ROL 2 encoded.

View Cryptam Document Analysis System reporting of sample e92a4fc283eb2802ad6d0e24c7fcc857reported on Contagiodump.