Malware - Exploit Packs, Zeus and Ransomware

Show left menu  
Hide left menu  
Ransomware

19 July 2012

In the last blog post, we looked at the processes and steps involved in a successful malware campaign. The series covered the Trojan Carberp and the many aspects to its functionality that resulted in a complex and technically advanced piece of malware. In this post, we will look at a newer trend in malware that we are experiencing an increase in: Exploit Packs and Ransomware; with a particular focus on the Blackhole Exploit Kit and a post infection feature recently added Zeus that leads to users being held to ransom. In previous analysis that we have conducted, malware had the primary aim of stealth, evasion and data extraction. Context and the industry as a whole is now seeing an increase in drive-by download attacks that lead to infection from “Ransomware” malware that result in users being extorted for money [1]. The extortion usually stems from files being encrypted or system lockouts occurring. In the majority of cases, users will pay the fee to have the system unlocked or look to AV companies for remediation.

Interestingly, Context has recently observed a newly formed Zeus variant that employs this technique. The sample was first discovered a number of weeks ago by F-Secure (http://www.f-secure.com/weblog/archives/00002367.html), [2]. Since the original release of the Zeus source code, a large number of mutant variants have appeared in the wild that expand on Zeus’ capabilities. However, this particular feature does not appear to be well implemented and falls below par when compared with the advanced feature set of the original. This post will take a look at this new feature and also provide an overview on how such ransomware is currently being deployed to unsuspecting users through the Blackhole Exploit Kit.

It is clear that the malware authors responsible for financial fraud have now moved to a more widespread campaign for targeting victims and the services of the Blackhole Exploit kit have been employed, resulting in a dramatic increase in infections and overall geographic coverage. Statistics from AV companies clearly show that Blackhole has become a more mainstream threat and forms a large proportion of the latest infections [3]. A look at Malware Domain List for Blackhole, returns a large number of infected sites attributed to it [4].

Exploit Kits

With the general adoption of malware for financial gain in the form of crimeware over the past few years (Fireeye [5], Sophos) [6], malware authors have increasingly turned to drive-by attacks and exploits kits to infect victims. This increase has led to an explosion of various families of exploit kits. Exploit kits are essentially web applications that contain all the necessary elements for running a distributed malware infection campaign. The packs contain programs and a set of exploits that are mainly used to carry out automated ‘drive-by’ attacks in order to spread the malware. These drive-by attacks consist of a victim browsing or searching the internet, which in turn leads to an infected site that results in a redirect to a server containing the pack.

The exploit pack hosts a number of exploits in a single page that are used to compromise users through the exploitation of browser plugins that are installed as part of software products such as Java or Adobe Flash. The kits are developed in a web language such as PHP and then sold on the black market, where prices ranging from several hundred to over a thousand pounds are paid by criminals. The price includes access to a server or complete application pack installation on a compromised or bulletproof-hosted server.

Malware authors then use various methods such as blackhat search engine optimisation to poison search engines with malicious sites containing links back to the exploit pack server, which then increases the likelihood of unsuspecting users coming across the page. The net result of this is waves of victims becoming infected with a specific malware family.

Numerous exploit packs have appeared over the last few years, with the main players being MPack, Eleonore, Crimepack and more recently the Blackhole Exploit Kit. Context have analysed a number of exploit pack based attacks and the lifecycle of such an attack for Blackhole is outlined below.

Blackhole Exploit Kit

The Blackhole Exploit kit has seen a large number of high profile campaigns recently that resulted in numerous sites being injected with a JavaScript tag that redirects users to the main exploit pack infection page, such as the US Airways [8] or FileServe [9] cases. When the code snippet is inserted into the main page of a legitimate compromised site, users will first be redirected to the first stage of the exploit code. In later versions of Blackhole, this can consist of another JavaScript code snippet that performs an additional redirection step, however the end result is the same: The attacks will result in a piece of code that redirects users unknowingly to an interim site that contains a large portion of obfuscated code. The code is included in the site content through the use of an iFrame (a HTML component to embed an external document or page).

malware12

Figure 1 - Blackhole Obfuscated Script

The result of an infected iFrame is that a victim is redirected to a malicious site that contains more obfuscated JavaScript. In our analysis, Figure 1 illustrates the code that executes behind the scenes and makes use of Firebug. The obfuscation can protect the code in a number of ways and is intended to both confuse analysis and defend against AV scanners that monitor the browser against drive-by-attacks, as the heuristics-based scanning normally targets the functions that can be used to carry out malicious actions (i.e. eval, document.write).

As the code is highly obfuscated, we can make use of Firebug, Malzilla or something like Rhino Debugger in a controlled virtual environment to evaluate the code and extract the underlying JavaScript in its “plaintext” format, making it easier to read and understand. In Figure 1, the variables on the right are monitored (watches) whilst we debug the code through Firebug to reveal the usual “eval” statements that may be used to execute the next stage of code. This method lets us step through the code line by line as it is altered and deobfuscated. Using the variable names obtained from the obfuscated code, we can then view them until the moment just before the code executes to determine what values they contain. The JavaScript must perform this deobfuscation before it executes and thus allows for easy analysis. It is this final stage of the process that is responsible for the exploitation of some browser plugin such as Flash or Java.

Figure 2 below contains a snippet of the final deobfuscated code. It shows a function named “spl5” that used for Flash exploitation. The full exploit code for this Blackhole kit code contained exploits for Flash and Java which have become increasingly popular platforms for attack with the Blackhole Exploit packs (CVE-2012-0507, CVE-2011-0611). These types of exploits are leading the campaigns of mass infection and as a result, Ransomware malware is becoming very popular and increasingly evident in the wild (Link1 [10], Link2 [11]).

malware15

Figure 2 - Blackhole Script Deobfuscated

In this instance of Blackhole, whilst reviewing the compromised site, the code was seen to exploit the HPC URLHelp Center URL Validation Vulnerability CVE-2010-1885 for our browser. The final page that contains the exploit code contained approximately 10 separate vulnerabilities that targeted Flash, Java and Adobe Reader. As with any exploit pack, we can readily analyse the exploits and extract the shellcode for further analysis to determine the type of exploit.

The approach to shellcode extraction can be a manual process (Malzilla, JSUnpack etc) and is covered in our first post here. An automated approach can also be taken to determine the intent of the shellcode and services such as the excellent Wepawet may be used to scan potentially malicious sites. In this instance, the code could be emulated to view the function calls carried out post exploit as a result of the shellcode execution. In one example observed, the following sets of calls were executed to infect the host.

  • kernel32.VirtualProtect
  • kernel32.LoadLibraryA()
  • kernel32.GetTempPathA()
  • urlmon.URLDownloadToFileA()
  • kernel32.WinExec()
  • kernel32.TerminateThread()

As with all exploit packs, the stats for Blackhole that relate to infections, exploits, operating system and even geolocation are stored and presented in a central administration panel (shown below – source: Google). These panels are only available to the criminals that have purchased access to the exploit pack.

malware16

Figure 3 - Blackhole Admin Panel

The concept of exploit packs is simple and serves to infect large numbers of unsuspecting users whilst they browse the web. To compliment this improved and much more successful attack vector, we are now seeing malware that has gained additional capabilities to allow it to create a greater return on investment for its authors / purchasers. Traditional financial fraud malware such as Zeus are now being created with with ransomware capabilities to allow for the extraction of money from infected victims. Cybercriminals then employ the services of Blackhole exploit kit owners to deliver the infections. It is not known why this ransomware approach has now been taken, as the Man-in-the-Browser capabilities of Zeus have previously been extremely lucrative for criminals and the inclusion of such an invasive feature negates the need for the malware to be stealthy as users are immediately made aware of the presence of an infection. It may be that the protections put in place by banks are beginning to have an effect on the success rate of such infections. Could they be winning the war on financial malware?

With the delivery mechanism for this class of malware covered, we shall now take a look at the new functionality in Zeus that has been developed. The analysis is provided in the following section.

Zeus Ransom Tactics

Introduction

At the time of the release of the Zeus source code, speculation was rife that this would result in more attacks and versions of this malware. As expected, a large number of variants have been created that make use of its core codebase. The variants that Context have observed over the months since the release, such as IceIX reuse the code and attempt to improve the evasion or defensive capabilities through modification of the configuration file mechanism, improved encryption or P2P architecture. In the case of the Zeus malware branch known as Citadel12, the original Zeus was taken and modified to improve its functionality and includes a community development and support aspect. This latest ransomware addition appears to have stemmed from Citadel as an attempt at including a new approach to monetization (although not currently successful or in use) for criminals using it.

Ransomware has existed for a while and has not been used extensively; although the rise of exploit packs and financial incentives seem to be causing a rise in this type of malware. The majority of ransomware such as GPCode tend to use encryption to lock files on the system before extorting money. As we will see, this is much more technically advanced than the Zeus approach and may yet be seen in future versions. The next sections deal with the current approach taken by this particular Zeus sample.

Zeus Ransomware

The infection of the malware is consistent with previous variants of Zeus and the malware allocates various regions of memory before decrypting additional code into them. The main executable is written to memory and it is clear from the format that a simple method of encoding has been used. The presence of numerous F1 bytes and subsequent loop shows that a simple XOR was used to obfuscate the main binary. The code has a familiar appearance and is demonstrated in the Figure below.

malware17

Figure 4 - Zeus Xor Encrypted Binary

The bytes at 00AB0000 are encrypted MZ bytes and the F1 bytes are 00 XORed with F1. The code body is then XORed in a loop to reveal the malware executable which is dumped for further analysis. It is this code that contains the ransomware features and core Zeus functionality.

At this point, we can continue with analysis on the newly dumped code. The code then continues with multiple rounds of decryption and again, code sections, along with URLs are revealed in memory. The contained URL is used to obtain the configuration file (http://XXXXXX.to/cfg/config.php).

The code also creates a unique identifier from the system name combined with the InstallDate and DigitalProductID values obtained from the “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” registry key. At this point, files are dropped in randomly named folders located in “Application Data”. The persistence registry keys are created in under the key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”. The Zeus malware then uses CreateProcess to execute the newly dropped executable. With the files created and setup to start on system boot, it is now necessary to proceed with the both the system process injection and userland code hook creation. These code hooks are installed across all processes that are currently running. Zeus requires the majority of these for its data theft functionality.

Once these processes have been modified, a final injection using CreateRemoteThread is used to deliver the Ransomware code into the main Explorer process. The original malware terminates and control is passed to the code that has now hijacked the Explorer address space. Context captured the code flow using a debugger to understand how the extortion feature gets executed. The code below shows the initial check that corresponds to a registry query for a “syscheck” key in the HKCU registry hive. This is where the F-Secure remediation fix comes into effect (F-Secure).

malware18

Figure 5 - Ransomware Activation Check

The value is checked to determine if it is set to 1. If not then the main Ransomware code is executed and determines that it is currently running in Explorer. The malware then obtains the location of Internet Explorer and at this point the unique identified created earlier is now used to form the URL used for the extortion. Interestingly, the domain is down and whois records indicate that the domain has been around since 2010, with it only recently being updated. As it currently, stands any infections occurring now would result in users not being able to properly use their system as they could not access the malicious page as a HTTP 404 error is returned due to the file not being present.

Whilst the URL is not available, it is not fully possible to ascertain what demands would be made. However, from analysing the Zeus sample, this unsophisticated feature simply uses CreateProcess to run the IE browser in kiosk mode with the “-k” flag and prevents a user from accessing the desktop due to the IE process remaining in the foreground whilst the code continually executes the IE kiosk mode.

Whilst the system is in this mode, t is possible to access files and the underlying drive . Simply pressing F1 in the Internet Explorer kiosk instance provides access to the internet options panel. From here, we can browse for any folders/files, although the browser window will continually be pushed to the foreground. From this, it is reasonable to assume that this “lock” is used as the ransom feature.

malware19

Figure 6 - Extortion Code Launching IE

As we can see, the feature is not very advanced and is easily remediated. The functionality is primitive when compared to other code hooks and process injection that takes place during the infection process. It is hoped that such an attack would have limited reach, but an infection vector such as Blackhole could change this in the future, as would any improvement on the ransomware feature.

Conclusion

In this blog post we have looked at a number of subjects that are currently seeing a trend increase in the malware world. The Blackhole Exploit Pack is increasingly being used to deliver various malware types to users in drive-by download attacks with a high degree of success. The reverse engineering of the pack and subsequent exploits can provide a much better idea as to the types of exploit being used in the wild. At times, these packs may even reveal zero-day exploits. Like the exploit pack, ransomware is being seen more regularly in the wild and is somewhat at odds with the traditional stealth and evasion methods implemented by malware and rootkits.

This post has also provided an overview and analysis of one of the most recent proponents of this type of attack – Zeus. It has shown that simple methods are being employed in an attempt to monetize these types of Trojan further. Whilst the implementation is crude, Context believe that such an attack could prove successful if user awareness is not improved and as such this posting has given us the opportunity to inform internet users that these attacks are being seen in the wild. Context will continue to monitor this particular strain with a view to determining if the ransomware site used in the attack will come online.

With the release of the Zeus source code almost a year ago, criminals have been quick to capitalise on the availability of this Trojan and the movement towards this style of attack is a worrying trend. Especially when used in conjunction with a mass delivery system such as the Blackhole Exploit Kit. Currently, it is standard internet users are becoming infected with this type of malware and as such businesses are generally not at risk. However, with DDOS being used against business as a ransoming tactic, it would be reasonable to assume that in future we may see ransomware being used in targeted campaigns against companies. Some businesses could suffer a large financial impact in having their files and critical systems encrypted by cybercriminals. In a large number of cases, a financial payoff could be the more attractive option when it comes to removing the threat from systems, rather than a full removal for all infected systems. Let us hope that this does not happen and hopefully, this analysis will shed some light on these attacks and in turn create more awareness for users and clients.

References
[1] - http://blogs.avg.com/news-threats/blackhole-ransomware-graphic-mimics-fbi/
[2] - http://www.f-secure.com/weblog/archives/00002367.html
[3] - http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit-14/
[4] - http://www.malwaredomainlist.com/mdl.php?search=Blackhole&colsearch=All&quantity=50
[5] - http://www.fireeye.com/resources/pdfs/FireEye_Advanced_Threat_Report_1H2011.pdf
[6] - http://www.lsec.be/upload_directories/documents/2011/sophos-security-threat-report-2011-wpna.pdf
[7] - http://contagiodump.blogspot.co.uk/2010/06/overview-of-exploit-packs-update.html
[8] - http://threatpost.com/en_us/blogs/us-airways-spam-redirects-blackhole-zeus-infection-040312
[9] - http://stopmalvertising.com/malvertisements/fileserve-and-malware-spyeye-delivered-via-blackhole-exploit-kit.html
[10] - http://nakedsecurity.sophos.com/2012/07/04/ransomware-menaces/
[11] - http://blog.trendmicro.com/ransomware-attacks-continue-to-spread-across-europe/
[12] - http://krebsonsecurity.com/2012/01/citadel-trojan-touts-trouble-ticket-system/

Immunity Debugger - http://immunityinc.com/products-immdbg.shtml
Firebug - http://getfirebug.com/
Malzilla - http://malzilla.sourceforge.net/
Wepawet - http://wepawet.iseclab.org/
Back to Top