Thursday, March 29, 2012

XLS CVE-2009-3129 and countering cryptanalysis technique

We've recently come across a new technique for evading cryptographic analysis of malware documents: the XOR key is kept from leaking by leaving the zero-filled blocks of the malware payload unencrypted.

The method requires more complicated shellcode and can be tricky to get right. We had previously only seen it used with one-byte XOR keys; in this case an 8-byte XOR key is used to encrypt both an executable and a clean dropped .doc file.

Sample: MAP forecast template_2012.xls / f2e17c8954569ca2b20428f4c3112a30




Looking at the original XLS file, we can see that the embedded malware's zero space is not encrypted, so the actual XOR key does not appear anywhere in the file:




In the image above, we can see that fragments of the inverted XOR key are left behind where a block of FF bytes was encrypted with the 8-byte key: the pattern b181826c015bd079 repeats. Since FF in binary is 11111111, XORing a block of FF bytes leaks the bitwise NOT of the key (whereas XORing a block of 00 bytes would leak the key itself, which is exactly what this technique avoids). Taking the bitwise NOT of the repeating pattern gives the actual key 4E7E7D93FEA42F86, and decrypting with it shows the FF space as suspected:



And the malware in encrypted form:




And decrypted, we can see the MZ header:



We've added the above as a feature to our Cryptam document malware analysis system; this is the report for this XLS trojan:



And we've added a new "zero space not replaced" field to the cryptanalysis section. We'll add proper decoding for this to our public tools soon.
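As an added illustration of the recovery described above (example code written for this page, not part of Cryptam or of the malware's own decoder), the following Python script builds a constructed PE-shaped payload, embeds it in a fake document at an assumed offset, encrypts it with the post's 8-byte key while passing 0x00 bytes through untouched, and then recovers the key from the repeating pattern that the 0xFF runs leave behind, i.e. the NOT-of-the-key observation made above. The document prefix, the embed offset 0x1234 and the payload bytes are all constructed for the example.

```python
from collections import Counter

KEY = bytes.fromhex("4E7E7D93FEA42F86")   # the 8-byte key recovered in the post
EMBED_OFFSET = 0x1234                      # assumption: where our constructed payload sits in the fake document


def xor_skip_zero(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR that leaves 0x00 bytes untouched; encrypt and decrypt
    are the same operation. Caveat: a plaintext byte equal to its key byte
    encrypts to 0x00 and is then indistinguishable from a real zero, so an
    encoder using this trick has to avoid (or tolerate) such collisions."""
    n = len(key)
    return bytes(b if b == 0 else b ^ key[i % n] for i, b in enumerate(data))


def periodic_runs(ct: bytes, period: int, min_run: int):
    """(start, length) of nonzero stretches in which ct[i] == ct[i + period].
    Under a repeating key that is the signature of a constant plaintext byte."""
    runs, start = [], None
    for i in range(len(ct) - period):
        periodic = ct[i] != 0 and ct[i] == ct[i + period]
        if periodic and start is None:
            start = i
        elif not periodic and start is not None:
            if i + period - start >= min_run:
                runs.append((start, i + period - start))
            start = None
    if start is not None and len(ct) - start >= min_run:
        runs.append((start, len(ct) - start))
    return runs


def recover_key(ct: bytes, key_len: int, filler: int = 0xFF, min_run: int = 64):
    """Treat every long periodic run as `filler` plaintext (0xFF padding here)
    and vote per key phase (offset mod key_len). The key comes back in the
    phase of ct[0], so it is rotated if the payload is not 8-aligned."""
    votes = [Counter() for _ in range(key_len)]
    for start, length in periodic_runs(ct, key_len, min_run):
        for i in range(start, start + length):
            votes[i % key_len][ct[i] ^ filler] += 1
    if any(not v for v in votes):
        return None
    return bytes(v.most_common(1)[0][0] for v in votes)


def find_pe(data: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew points at 'PE\\0\\0', else -1."""
    mz = data.find(b"MZ")
    while mz != -1:
        if mz + 0x40 <= len(data):
            e_lfanew = int.from_bytes(data[mz + 0x3C:mz + 0x40], "little")
            if data[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0":
                return mz
        mz = data.find(b"MZ", mz + 1)
    return -1


def build_fake_payload() -> bytes:
    """Constructed PE-shaped blob (not a runnable executable): DOS header,
    PE signature, a few code bytes, and the 0x00 / 0xFF padding runs that real
    executables carry in abundance. The nonzero bytes deliberately avoid the
    key bytes so the round trip is exact (see the xor_skip_zero caveat)."""
    dos = b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little")  # e_lfanew = 0x80
    dos += b"\x00" * (0x80 - len(dos))
    code = b"\x55\x8b\xec\x83\xc4\xf0\x33\xc0"  # push ebp; mov ebp,esp; add esp,-16; xor eax,eax
    return (dos + b"PE\0\0" + b"\x00" * 20 + code
            + b"This program cannot be run in DOS mode." + b"\x00" * 40
            + b"\xff" * 256 + b"\x00" * 64 + b"\xff" * 128 + code)


def demo() -> dict:
    payload = build_fake_payload()
    doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * (EMBED_OFFSET - 8)
    doc += xor_skip_zero(payload, KEY)             # key phase starts at the payload, not the document

    recovered = recover_key(doc, len(KEY))          # comes back rotated by EMBED_OFFSET % 8
    decrypted = xor_skip_zero(doc, recovered) if recovered else b""
    mz = find_pe(decrypted)
    # A plain repeating XOR (zeros not skipped) turns every zero into a key byte,
    # which wrecks e_lfanew and the headers, so find_pe fails on it.
    plain = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(doc[EMBED_OFFSET:]))
    return {
        "recovered_key": recovered.hex() if recovered else None,
        "mz_offset": mz,
        "payload_intact": mz != -1 and decrypted[mz:mz + len(payload)] == payload,
        "plain_xor_finds_pe": find_pe(plain) != -1,
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noting when using this against a real file: the recovered key is in the phase of document offset 0, so it equals the malware's key rotated by the payload offset modulo the key length, and decrypting the whole document with it is still correct; and the decode is lossy wherever a plaintext byte happened to equal its key byte, which is one reason the "zero space not replaced" approach needs more careful shellcode than a plain XOR loop.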


Other new features in the latest release of Cryptam:
  • Enhanced detection of Mac OS X malware embedded in documents.
  • Retina resolution images in all reports.
  • More accurate CVE-2010-3333 RTF exploit signature.
  • Open XML document format scanning - docx, pptx, xlsx.

Monday, March 19, 2012

Cryptam Multi tool - automatic extraction of encrypted exe's and dropped files

We've added a bunch of new features and special case handling to the Cryptam malware document analysis system. Here are a few highlights:

- MS Office Open XML .docx handling
- RTF Datastore embedded file detection
- bitwise NOT ciphers
- Automatic extraction of encrypted embedded executables, dropped clean PDFs and documents

Executable and dropped clean document extraction:
While we won't be serving up malware exe files for download after processing on Cryptam, we are releasing this free script so you can extract embedded executables yourself from a document or PDF file. We've seen an increase in malicious MS Office documents targeting Tibetan groups, using subjects related to self-immolation.

The Cryptam Multi tool - standalone malware extractor from documents:

Extract executables using a known XOR key, ROL, ROR, transposition (of the full file or of the 512-byte EXE header) and bitwise NOT ciphers. Submit a malware document to Cryptam via our API to get the XOR key and any other ciphers needed for decoding, or query the Cryptam API for the decoding parameters of previously submitted documents. All from a single script.

https://www.malwaretracker.com/tools/cryptam_multi_php.txt


Support for Windows and Mac embedded executables.

Example usage:

$ ls Action\ Plan\ for\ March\ 10th.doc
Action Plan for March 10th.doc


Submit a document from the command line (-submit):
$ php cryptam_multi.php Action\ Plan\ for\ March\ 10th.doc -submit
Submitting Action Plan for March 10th.doc to remote server
using XOR key …
wrote 51880 bytes at 60688 as type exe abb7d6371e8b389184802667fbc9a1ac
wrote 76120 bytes at 112568 as type exe aa88ea7d5a2ebdba4755e2e22a98778e

$ ls Action\ Plan\ for\ March\ 10th.doc*
Action Plan for March 10th.doc
Action Plan for March 10th.doc-112568.exe
Action Plan for March 10th.doc-60688.exe
Action Plan for March 10th.doc.out


$ php cryptam_multi.php Iran\'s\ Oil\ and\ Nuclear\ Situation.doc -api
Accessing remote API for decoding params for e92a4fc283eb2802ad6d0e24c7fcc857
using ROR 2
wrote 49160 bytes at 57444 as type exe 0bd8671cc6b6f7ae94bb5c04c12699d3

$ php cryptam_multi.php CVE-2012-0744-xls.xls -api
Accessing remote API for decoding params for 198de4a1ebf05f7f44faf76f167b0233
using XOR key 9a
using ROR 1
wrote 33888 bytes at 66124 as type exe 0decc2ec261bb2cb56456a8173355079
wrote 141224 bytes at 100012 as type exe 68c62ae7a28c2ccca3892b1926ed958f


Extract executables and documents embedded in plaintext (no cipher needed):
$ php cryptam_multi.php macmalware.doc
wrote 42556 bytes at 26162 as type macho XXX8786a4887a763d8f3e5243724XXXX
wrote 37376 bytes at 68718 as type doc XXXf81de9f7d53c7e584bc15b1fdXXXX

Extract executables by downloading decode params from the api (-api):
$ php cryptam_multi.php 0353449f52f30d46aa425895f39acd39.virus -api
Accessing remote API for decoding params for 0353449f52f30d46aa425895f39acd39
using XOR key c9
using ROR 7
wrote 33800 bytes at 57420 as type exe 3cd745d8245aeec4c98a9317a7863f70


Extract executables from the command line using a known XOR key and rol/ror/not:
$ php cryptam_multi.php 0353449f52f30d46aa425895f39acd39.virus -xor c9 -ror 7
using XOR key c9
using ROR 7
wrote 33800 bytes at 57420 as type exe 3cd745d8245aeec4c98a9317a7863f70

Automatically untranspose MZ headers if needed:
$ php cryptam_multi.php TWA\ mourns\ the\ self\ immolation\ deaths\ of\ two\ female\ protesters.doc -api
Accessing remote API for decoding params for 4c689a4dbff1cf735fa44322800ebfe8
using XOR key 9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c
wrote 86016 bytes at 37230 as type exe d1690cb9c36fff1b8f27c20d0784a686
wrote 27648 bytes at 123246 as type doc e4e6dce8b7a59663b5f4888848e4fb0f



Usage:
$ php cryptam_multi.php
Cryptam Multi Tool - Decode and extract embedded executables from documents
php cryptam_unxor.php virus.doc -xor fe85aa -rol 3 -not -out file.out
php cryptam_unxor.php virus.doc -api [gets decoding params from malwaretracker.com]
php cryptam_unxor.php virus.doc -submit [upload file to malwaretracker.com, download params]
Params:
-xor XOR key to decode document with
-rol bitwise left shift places
-ror bitwise right shift places
-not use a bitwise not filter
-tp transposition cipher filter on file
-tph transposition cipher filter on EXE 512 byte header
-submit upload file to malwaretracker.com Cryptam analyzer, captures decoding params
and extracts EXE/docs/pdfs from file
-api queries malwaretracker.com Cryptam api with MD5 hash only, captures decoding params
and extracts EXE/docs/pdfs from file
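The single-byte ciphers the usage text lists (a 1-byte XOR key, ROL/ROR and bitwise NOT) are cheap enough to brute force locally, with no API call. The script below is an added example written for this page, not the cryptam_multi.php tool itself: it compiles each candidate cipher into a 256-byte translation table, decodes the whole file in one C-speed pass with bytes.translate(), and accepts the first candidate that exposes the DOS stub text found in nearly every PE. The order in which the XOR and the rotation are undone is an assumption (the post does not state the tool's order), the transposition filters are not covered, and the sample document it runs on is constructed.

```python
KNOWN_PLAINTEXT = b"This program cannot be run in DOS mode"   # DOS stub text in nearly every PE


def ror8(b: int, n: int) -> int:
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    return ror8(b, (8 - n) % 8)


def decode_table(xor: int = 0, ror: int = 0, bitnot: bool = False, xor_first: bool = True) -> bytes:
    """256-byte map from ciphertext byte to plaintext byte for one cipher combination.
    The operation order is an assumption, since the post does not state it: with
    xor_first the XOR is undone first and the rotation second, otherwise the
    reverse; NOT is applied last. ROL n equals ROR 8-n, so one rotation parameter
    covers both (pass the tool's -rol value as ror=(8 - rol) % 8)."""
    table = bytearray(256)
    for c in range(256):
        p = ror8(c ^ xor, ror) if xor_first else ror8(c, ror) ^ xor
        table[c] = p ^ 0xFF if bitnot else p
    return bytes(table)


def decode(data: bytes, **params) -> bytes:
    return data.translate(decode_table(**params))   # one pass over the file per candidate


def brute_force(data: bytes, marker: bytes = KNOWN_PLAINTEXT):
    """Try every 1-byte XOR key and rotation (2048 tables). NOT is just XOR 0xFF,
    and the XOR/rotate order only changes which key is reported, because
    ror(c ^ k) == ror(c) ^ ror(k); so neither needs its own loop. The first decode
    that exposes `marker` wins. Returns (params, mz_offset), taking the MZ header
    as the last 'MZ' before the stub text (in a real PE it sits within the first
    0x80 bytes of the file)."""
    for ror in range(8):
        for xor in range(256):
            params = dict(xor=xor, ror=ror)
            out = decode(data, **params)
            hit = out.find(marker)
            if hit != -1:
                return params, out.rfind(b"MZ", 0, hit)
    return None, -1


def build_fake_pe() -> bytes:
    """Constructed PE-shaped blob (not a runnable executable): MZ header with
    e_lfanew = 0x80, the usual DOS stub code and text, then 'PE\\0\\0'."""
    hdr = b"MZ" + b"\x90\x00" * 0x1D + (0x80).to_bytes(4, "little")   # 0x40 bytes
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + KNOWN_PLAINTEXT + b".\r\r\n$")
    blob = hdr + stub
    return blob + b"\x00" * (0x80 - len(blob)) + b"PE\0\0" + b"\x00" * 16


def demo():
    payload = build_fake_pe()
    # Constructed sample document: 1 KiB of cover bytes, then the payload encoded
    # as ROL 1 followed by XOR 0x9a, i.e. decoded by undoing the XOR and then ROR 1.
    doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 0x3F8
    doc += bytes(rol8(p, 1) ^ 0x9A for p in payload)
    params, mz = brute_force(doc)
    carved = decode(doc, **params)[mz:mz + len(payload)] if params else b""
    return params, mz, carved == payload


if __name__ == "__main__":
    print(demo())
```

Because NOT and the operation order both fold into the XOR key, a brute force can report a different but equivalent parameter set from the one another tool prints for the same sample (for instance XOR 65 with no NOT instead of XOR 9a plus NOT); the decoded bytes are identical. Multi-byte keys such as the 256-byte one in the last example above are out of reach of this search and need the frequency or known-plaintext approach instead.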

Monday, March 5, 2012

Flash in Doc CVE-2012-0754 detection added to Cryptam

We've added support to our Cryptam document analysis system for detecting the embedded-Flash-in-Office-document exploit CVE-2012-0754, which was recently patched by a Flash Player update yet has been increasingly used in attacks since at least Feb 27.

Cryptam will detect compressed Flash (CWS) files, decompress them and search for signatures of CVE-2012-0754. It also conducts a cryptographic analysis to detect XOR-encrypted executables and ROL encoding, so that new, emerging or unknown threats in document format files can be detected without a signature.

We've noted a small number of samples of CVE-2012-0754 with 2 separate URLs for the remote mp4 file. The embedded executables have been encoded with a 1-byte XOR plus ROL, or with ROL 2 alone.
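To make the CWS handling concrete, here is an added Python example (not Cryptam's implementation) that locates every zlib-compressed Flash header in a document, inflates it only if the stream expands to exactly the size the SWF header claims, rewrites it as an uncompressed FWS file, and pulls any remote .mp4 URLs out of the result, matching the two-URL observation above. The sample document, the SWF body bytes and the example.com/example.net URLs are constructed for the example; no CVE-2012-0754 signature logic is included, since the post does not describe it.

```python
import re
import struct
import zlib

MP4_URL = re.compile(rb"https?://[^\s\x00\"'<>]+\.mp4", re.IGNORECASE)


def carve_cws(doc: bytes, max_uncompressed: int = 64 << 20):
    """Return [(offset, fws_bytes)] for every CWS header in `doc` whose zlib stream
    inflates to exactly the length the SWF header claims.
    SWF header: 3-byte signature, 1-byte version, 4-byte little-endian uncompressed
    length of the whole file (header included); for CWS everything after these
    8 bytes is a single zlib stream."""
    found = []
    off = doc.find(b"CWS")
    while off != -1:
        hdr = doc[off:off + 8]
        if len(hdr) == 8:
            total_len = struct.unpack_from("<I", hdr, 4)[0]
            if 8 < total_len <= max_uncompressed:
                d = zlib.decompressobj()
                try:
                    # max_length is one byte more than the claimed size: a stream that
                    # inflates to more than claimed is rejected, and one that inflates
                    # to exactly the claimed size still reaches end-of-stream (d.eof).
                    body = d.decompress(doc[off + 8:], total_len - 7)
                    # document bytes after the stream land in d.unused_data and are ignored
                    if len(body) == total_len - 8 and d.eof:
                        found.append((off, b"FWS" + hdr[3:] + body))
                except zlib.error:
                    pass          # 'CWS' that was not followed by a zlib stream
        off = doc.find(b"CWS", off + 1)
    return found


def mp4_urls(swf: bytes):
    """Remote .mp4 references in a decompressed SWF, de-duplicated and sorted."""
    return sorted({m.decode("ascii", "replace") for m in MP4_URL.findall(swf)})


def build_constructed_doc():
    """Constructed sample: a fake document with a tiny 'SWF' (arbitrary body bytes
    plus two .mp4 URLs, not a valid movie) stored as CWS at offset 512."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"   # constructed header-like bytes
    body += b"\x00" * 16 + b"http://example.com/a.mp4\x00http://example.net/b.mp4\x00"
    total = 8 + len(body)
    cws = b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    return b"\xd0\xcf\x11\xe0" + b"\x00" * 508 + cws + b"\x00" * 32


def demo():
    doc = build_constructed_doc()
    return [(off, len(swf), mp4_urls(swf)) for off, swf in carve_cws(doc)]


if __name__ == "__main__":
    print(demo())
```

Checking the inflated size against the header's own length field is what keeps this from inflating every stray "CWS" in a large document, and the max_uncompressed cap bounds the damage from a decompression bomb; both checks are worth keeping in any scanner that feeds the inflated Flash into a signature engine.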

View the Cryptam Document Analysis System report for sample e92a4fc283eb2802ad6d0e24c7fcc857, reported on Contagiodump.