Thursday, 9 August 2012

Java Exploit Toolkits - Part 1: Finding The Initial Infection Vector

Before I start I'd like to thank Corey Harrell for the following fantastic posts on finding the initial attack vector, and in particular for highlighting some of the Java artifacts an analyst might expect to see from a Java exploit toolkit.

If you haven't seen them already, I highly recommend reviewing the following posts by Corey.

Finding the Initial Infection Vector
Malware Root Cause Analysis

This post will follow Corey's guide to finding the initial attack vector, in this case a Java exploit toolkit, and will lead into my next post, Java Exploit Toolkits - Part 2: Deobfuscating Java Exploit Toolkits.

Let's get started.

I was presented with an image of a workstation that had raised a single virus alert, which had detected the following file:

 Backdoor.Trojan - C:\Windows\Installer{a01f369f-9731-282d-71b6-e8855551185f}\n


I decided to start by reviewing the Windows event logs to see if there were any other virus detections and to confirm the information I'd been provided. As suspected, I found the original alert but also a few more, which I've listed below (note: the actual username has been replaced with 'username').

 Security Risk Found!Backdoor.Trojan in File: C:\Documents and Settings\username\Local Settings\Application Data\{a01f369f-9731-282d-71b6-e8855551185f}\n by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description: The file was deleted successfully.  
 Security Risk Found!Trojan.Maljava!gen23 in File: C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\U7DbO-18afaa21-3d6ae555.zip by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.  
 Security Risk Found!Trojan.Gen in File: C:\Documents and Settings\All Users\Application Data\6C82D11B21D185215B60FBE17B07D287\6C82D11B21D185215B60FBE17B07D287.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.   


On reviewing the events I also found that the Symantec Antivirus Tamper Protection control had reported, seven (7) days earlier, that two files had attempted to disable the antivirus protection:

 SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\Documents and Settings\username\Local Settings\Temp\3E8.tmp (PID 2936)   
 SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\Documents and Settings\All Users\Application Data\6C82D11B21D185215B60FBE17B07D287\6C82D11B21D185215B60FBE17B07D287.exe (PID 860)  

The next step was to create a directory listing of the image and review the events that occurred on disk around the time the tamper protection events had started.

 -A------- 2012-07-30 20:14:38.100 2012-07-30 20:14:37.850 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\U7DbO-18afaa21-3d6ae555.idx  
 -A------- 2012-07-30 20:14:38.69 2012-07-30 20:14:37.882 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\U7DbO-18afaa21-3d6ae555.zip  
 D-------- 2012-07-30 20:14:37.850 2012-07-11 19:06:34.285 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\..  
 D-------- 2012-07-30 20:14:37.850 2012-07-11 19:06:34.285 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\.  
 D-------- 2012-07-30 20:14:37.850 2012-07-11 19:06:34.285 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar  
 -A------- 2012-07-30 20:14:37.272 2012-07-11 19:06:34.473 c:\Documents and Settings\username\Application Data\Sun\Java\Deployment\log\plugin150_06.trace  
 -A------- 2012-07-30 20:14:34.741 2012-07-11 19:06:34.160 c:\Documents and Settings\username\Local Settings\Temp\java_install_reg.log  

Thanks to the posts by Corey that I highlighted earlier, I immediately focused on the Java artifacts he'd mentioned. I could see that the user in question was browsing with Internet Explorer (not shown above) at the time the events were generated, and also that the Java artifacts listed above were created around the time in question. Unfortunately, as we saw above, antivirus had already quarantined the zip file, so I would not be able to open it with JD-GUI.

Instead I decided to focus on the .idx file and at least attempt to identify the website that had dropped the malware. I opened the .idx file and viewed the following (note: I've removed the malicious URL and replaced it with 'x'):



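The .idx content from the case is not reproduced in this post. As an added example (my code, not from the original post), the following Python parses the section-2 record of a Java 6 deployment cache .idx file, which is where the download URL, codebase IP and HTTP response headers are stored. The 128-byte section-1 header and the 603-605 section-2 layout are assumed from the documented Java 6 cache index format; the sample record, its URL, IP and timestamps are all constructed for the demo and have nothing to do with the case.

```python
import struct
from datetime import datetime, timezone

def _read_utf(buf, off):
    # Java DataOutputStream.writeUTF: 2-byte big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def _write_utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _java_ms(ms):
    # Java timestamps are milliseconds since the Unix epoch
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def parse_idx(buf):
    """Return the download record from a Java 6 deployment cache .idx file
    (cache versions 603-605: 128-byte section 1, section 2 starts at offset 128)."""
    version = struct.unpack_from(">i", buf, 2)[0]
    if version not in (603, 604, 605):
        raise ValueError(f"unsupported .idx cache version {version}")
    content_len, last_mod, expires = struct.unpack_from(">iqq", buf, 7)
    rec = {"cache_version": version, "content_length": content_len,
           "last_modified": _java_ms(last_mod), "expires": _java_ms(expires)}
    off = 128
    for field in ("jar_version", "url", "namespace_id", "codebase_ip"):
        rec[field], off = _read_utf(buf, off)
    (count,) = struct.unpack_from(">i", buf, off)
    off += 4
    headers = {}
    for _ in range(count):
        key, off = _read_utf(buf, off)
        value, off = _read_utf(buf, off)
        headers[key] = value  # the "<null>" key carries the HTTP status line
    rec["http_headers"] = headers
    return rec

def build_sample_idx():
    """CONSTRUCTED sample: a version-605 record for a JAR fetched from a placeholder
    host. Every value here is made up for the demo, none comes from the case."""
    when = int(datetime(2012, 7, 30, 20, 14, 37, tzinfo=timezone.utc).timestamp() * 1000)
    sec2 = (_write_utf("1.0") + _write_utf("http://malicious.example/content/exp.jar")
            + _write_utf("") + _write_utf("192.0.2.10"))
    headers = [("<null>", "HTTP/1.1 200 OK"), ("content-type", "application/java-archive"),
               ("content-length", "4096")]
    sec2 += struct.pack(">i", len(headers)) + b"".join(_write_utf(k) + _write_utf(v) for k, v in headers)
    # busy, incomplete, version, shortcut flag, length, last-modified, expires, validated, signed
    sec1 = struct.pack(">bbiBiqqqB", 0, 0, 605, 0, 4096, when, when, when, 0)
    sec1 += struct.pack(">iiii", len(sec2), 0, 0, 0)  # section lengths 2..5
    return sec1.ljust(128, b"\0") + sec2

if __name__ == "__main__":
    print(parse_idx(build_sample_idx())["url"])
```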
So by now I realised that the user had been browsing the web and hit the malicious website recorded in the .idx file. The zip file highlighted above had been downloaded and then executed. My final objective was to review java_install_reg.log and confirm that Java had executed. I opened the file and found the following:

 -----------------------------------------  
 == Start JNICALL Java_com_sun_deploy_util_UpdateCheck_shouldPromptForAutoCheck ==  
 -----------------------------------------  
 Process start at 07/30/2012-20:14:34.  
 -----------------------------------------  
 == Start JNICALL Java_com_sun_deploy_panel_PlatformSpecificUtils_getPublicJres ==  
 -----------------------------------------  
 Process start at 07/30/2012-20:14:34.  
 -----------------------------------------  
 == Start JNICALL Java_com_sun_deploy_util_UpdateCheck_shouldPromptForAutoCheck ==  


As mentioned, all this was possible thanks to Corey's posts. This post doesn't add anything to the information Corey has already provided. My goal was to provide another example for anyone interested, and also to set up Part 2 of this guide, where I'll discuss a beginner's attempt at deobfuscating Java exploit toolkits.

1 comment:

  1. hiddenillusion, 11 August 2012 20:55

    Sequence of events/artifacts looks like it was associated with an Exploit Kit - Blackhole has been big and exploiting Java is commonly seen. The file path mentioned ending with {GUID}\n is commonly associated with ZeroAccess.
