Category Archives: Reverse Engineering

Gong Da / Gondad Exploit Pack Adds Java CVE-2013-0422 Support

If you are working in computer security and still haven't heard about the latest Oracle Java 0day, aka CVE-2013-0422, then you should change your job! This latest Oracle Java 0day was discovered by @kafeine on the 10th of January, being massively exploited in exploit kits. Other exploit kits, like the Gong Da exploit kit, have quickly added support for this new vulnerability.

[Screenshot: Gong Da, CVE-2013-0422]

This new version was discovered on “hxxp://syspio.com/data/m.html”, a web site which is currently still online.

[Screenshot: Gong Da exploit kit, CVE-2013-0422]

“syspio.com” is hosted on 222.239.252.166, in KR, and this domain name seems to be associated with a legitimate, compromised web site.

The “m.html” file contains JavaScript code obfuscated by “JSXX VIP JS Obfuscator”, but the traditional traces of this obfuscator are no longer present.

After de-obfuscation of the “m.html” file, you can see that Gong Da Pack has evolved to the following diagram.

[Diagram: Gong Da EK 1.3]

Below is some information regarding the different files:

  • EnKi2.jpg (aka CVE-2011-3544): 8/46 on VirusTotal.com
  • cLxmGk3.jpg (aka CVE-2012-0507): 11/46 on VirusTotal.com
  • OLluRM4.jpg (aka CVE-2012-1723): 20/46 on VirusTotal.com
  • GPUrKz2.jpg (aka CVE-2012-4681): 29/45 on VirusTotal.com
  • PBLO5.jpg (aka CVE-2012-5076): 12/46 on VirusTotal.com
  • Nuwm7.jpg (aka CVE-2013-0422): 6/46 on VirusTotal.com

Isn't Linux/Chapro.A Only the Darkleech Apache Module?

The anti-virus vendor ESET published a blog post on the 18th of December regarding a “new” malicious Apache module which injects malicious content into web pages served up by compromised servers. The malware, named Linux/Chapro.A by ESET, uses XOR loop obfuscation and other techniques in order to evade detection by system administrators. ESET also reported that the malware was actively used by exploit kits, more precisely by Sweet Orange. Some screenshots were provided by ESET, but no samples.

I was interested in this new malware, because a few weeks ago another malicious web server module was found, this time targeting nginx in proxy mode, but with the same purpose.

Based on the little information provided by ESET, I began my investigation in order to find samples and get more details on the malware.

My first lead was the “C_ARRAY_BAN_USERAGENT” string present in the ESET screenshots. With a simple Google search I found a presentation made by Russian security researchers in October 2012, describing the usage of malicious Apache modules by exploit kits (page 19 of the presentation). The string “C_ARRAY_BAN_USERAGENT” was present in this presentation. The original discovery is attributed to Unmask Parasites in September 2012.

If you take a look at page 23 of the presentation and at the screenshot made by ESET, don't you see any similarities?

[ESET screenshot: Linux/Chapro.A behaviors]
[Russian presentation screenshot: Apache module behaviors]

I saw here too many similarities between the malicious Apache module discovered by Unmask Parasites and ESET's Linux/Chapro.A.

Fortunately, Unmask Parasites had provided more details (some strings) of the malicious Apache module in his blog post, which allowed me to continue my investigations. The malicious Apache module was linked to the Darkleech module by the author of this module on Russian underground forums.

Also fortunately, malware.lu had one sample of Linux/Chapro.A (e022de72cce8129bd5ac8a0675996318), and I had the possibility to compare the ESET sample with the strings provided by Unmask Parasites in his blog post. If you take a look at my strings comparison results between the two samples (Unmask Parasites strings, Linux/Chapro.A strings), and also compare the capabilities and behaviors of the two samples, there is no doubt that Linux/Chapro.A is not new: it is only Darkleech.
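The strings comparison described above can be reproduced with a small script. This is an added example, not the author's tooling: the two byte blobs are constructed stand-ins for the samples (only the “C_ARRAY_BAN_USERAGENT” string comes from the post), and the Jaccard score is just one way to summarise how much of the string sets overlap.

```python
import re
from typing import Dict, List, Set, Union

# Constructed stand-in "binaries": an ELF-like header followed by embedded strings.
# Only "C_ARRAY_BAN_USERAGENT" comes from the post; every other string is made up.
SAMPLE_UNMASK = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"C_ARRAY_BAN_USERAGENT\x00" + b"config_parser\x00"
    + b"\x90\x90" + b"set_cookie\x00" + b"\x01\x02\x03"
)
SAMPLE_CHAPRO = (
    b"\x7fELF\x02\x01\x01\x00" + b"\xff" * 4
    + b"C_ARRAY_BAN_USERAGENT\x00" + b"user_agent_list\x00"
    + b"set_cookie\x00" + b"\x04"
)


def extract_strings(blob: bytes, min_len: int = 4) -> Set[str]:
    """Return the printable-ASCII runs of at least min_len bytes (like `strings -n`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(blob)}


def compare_strings(a: bytes, b: bytes, min_len: int = 4) -> Dict[str, Union[List[str], float]]:
    """Report strings shared by both samples, strings unique to each, and a Jaccard overlap."""
    sa, sb = extract_strings(a, min_len), extract_strings(b, min_len)
    shared, union = sa & sb, sa | sb
    return {
        "shared": sorted(shared),
        "only_a": sorted(sa - sb),
        "only_b": sorted(sb - sa),
        # 1.0 means identical string sets, 0.0 means nothing in common.
        "jaccard": len(shared) / len(union) if union else 0.0,
    }


if __name__ == "__main__":
    report = compare_strings(SAMPLE_UNMASK, SAMPLE_CHAPRO)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On real samples, feed the two files' bytes to `compare_strings` and look at the shared list for family-specific names such as configuration array identifiers rather than at the score alone, since generic library strings inflate the overlap.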

Another interesting point is that Darkleech has had a new version since mid-November.

[Screenshot, 2012-12-19 23:17:30]

The translation is: “After a pause, resumed sales! Please knock old customers for updates, current version 2012.11.16!”.

KaiXin Exploit Kit Evolutions

At the beginning of August, Kahu Security discovered a new Chinese exploit kit named KaiXin EK. Like its blood brother Gong Da (Gondad) EK, this exploit kit was using the “Yszz vip” JavaScript obfuscation.

The August version of KaiXin supported:

The November version of KaiXin has evolved by removing support for the Oracle Java CVE-2012-0507 and CVE-2012-0754 vulnerabilities, and adding support for Oracle Java CVE-2012-1723 (fixed in the June 2012 CPU), Oracle Java CVE-2012-4681 (fixed in the end-of-August Oracle Security Alert) and Oracle Java CVE-2012-5076 (fixed in the October 2012 CPU).

Below is a VirusTotal analysis of all the involved files:

The following diagram describes the way the November version of KaiXin EK works.


Cool Exploit Kit Removes Support for Java CVE-2012-1723

At the beginning of November, @Kafeine discovered that Cool EK (Exploit Kit) had integrated an exploit for an Oracle Java vulnerability fixed in 7u9. The new exploit targeted the CVE-2012-5076 vulnerability through the “new.jar” file.

The November version of Cool EK supported:

The following diagram describes the way the November version of Cool EK was working.

Since a few days ago, Cool EK has evolved by removing support for the Oracle Java CVE-2012-1723 vulnerability and replacing the “new.jar” file with a streamed “java.php” file. The new “java.php” is only caught by 3/44 anti-viruses on VirusTotal. The November version, aka “new.jar”, was caught by 28/46 anti-viruses on VirusTotal.

In the November version, “file.jar” requested “myfile.dll” through a “/r/f.php?k=1&e=0&f=0” request and “new.jar” requested the same DLL file through a “/r/f.php?k=2&e=0&f=0” request. In the December version, all these requests have been replaced with a single request to “/r/f.php?k=1”.
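As an added example (not part of the original post), the payload request shapes quoted above turned into a simple proxy-log check that tells the November and December variants apart. The log layout (client, method, URL, status), the host name and the log lines themselves are constructed; only the paths and query strings come from the post.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# DLL-download request shapes quoted in the post, keyed by Cool EK version.
COOL_EK_REQUESTS: Dict[str, List[Tuple[str, Dict[str, str]]]] = {
    "november": [
        ("/r/f.php", {"k": "1", "e": "0", "f": "0"}),  # from file.jar
        ("/r/f.php", {"k": "2", "e": "0", "f": "0"}),  # from new.jar
    ],
    "december": [
        ("/r/f.php", {"k": "1"}),  # single request replacing both
    ],
}

# Constructed proxy log lines: "<client> <method> <url> <status>". Not real traffic.
LOG_LINES = [
    "10.0.0.5 GET http://example.invalid/r/f.php?k=1&e=0&f=0 200",
    "10.0.0.5 GET http://example.invalid/r/f.php?k=2&e=0&f=0 200",
    "10.0.0.7 GET http://example.invalid/r/f.php?k=1 200",
    "10.0.0.9 GET http://example.invalid/index.html 200",
    "10.0.0.9 GET http://example.invalid/r/f.php?k=1&e=1 200",
]


def classify_request(url: str) -> Optional[str]:
    """Return the Cool EK version whose request shape matches url exactly, else None."""
    parts = urlsplit(url)
    # Compare parsed parameters, so parameter order in the query does not matter.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    for version, shapes in COOL_EK_REQUESTS.items():
        for path, expected in shapes:
            if parts.path == path and params == expected:
                return version
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, url, version) for every line matching a known request shape."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip it
        version = classify_request(fields[2])
        if version is not None:
            hits.append((fields[0], fields[2], version))
    return hits


if __name__ == "__main__":
    for client, url, version in scan_log(LOG_LINES):
        print(f"{client} requested {url} (Cool EK {version} shape)")
```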

The following diagram describes the way the December version of Cool EK works.