The Number of the Beast

Yesterday, we sent out a warning regarding the PDF zero-day we found being exploited in the wild. Adobe has released a security advisory with mitigations. Here are more details about the attack.

The JavaScript embedded in the crafted PDF is highly obfuscated using string manipulation techniques. Most of the variables in the JavaScript are in Italian. The JavaScript has version checks for various versions of Adobe Reader as shown below and it creates the appropriate shellcode based on the version found.

    10.0.1.434
    10.1.0.534
    10.1.2.45
    10.1.3.23
    10.1.4.38
    10.1.5.33
    11.0.0.379
    11.0.1.36
    9.5.0.270

The Shellcode

We are working with Adobe and have jointly decided not to share more technical information on the vulnerabilities at this time. Instead, let's start with the shellcode. To bypass ASLR and DEP, the "shellcode" is not conventional machine code but a ROP chain that calls existing functions in msvcr100.dll and kernel32.dll. It writes a new DLL to disk and then executes it by calling LoadLibraryA(). The chain calls, in order:

    msvcr100!fsopen()
    msvcr100!write()
    msvcr100!fclose()
    kernel32!LoadLibraryA()
    kernel32!Sleep()

Once LoadLibraryA() has mapped the dropped library, which carries on the attack on its own, the final gadget calls Sleep() with a long timeout. The exploited thread has nowhere safe to return: its entire stack was overwritten to build the ROP chain, so parking the thread in Sleep() keeps Reader from crashing while the payload runs.
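The sequence above is the classic "drop and load" pattern, which a sandbox or API monitor can flag without knowing anything about the underlying vulnerability. The Python below is an added example, not code from the original post or from FireEye: it parses constructed API-trace lines, ties the handle returned by the open call to the later write and close, and reports a finding only when the same path is then passed to LoadLibrary; a long Sleep() immediately after the load is recorded as the parked-thread tell. The trace lines, paths, handles and return values are invented for the example; the function names follow the post's list, and the underscore-prefixed CRT spellings (_fsopen, _write) are accepted as well.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Call-name families, compared after lowercasing and dropping a leading underscore,
# so "msvcr100!_fsopen" and "fsopen" both count as an open.
OPEN_FNS = {"fsopen", "fopen", "wfopen", "createfilea", "createfilew"}
WRITE_FNS = {"write", "fwrite", "writefile"}
CLOSE_FNS = {"fclose", "close", "closehandle"}
LOAD_FNS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

# module!function(args) -> return
LINE_RE = re.compile(r"^(?:\w+!)?(?P<fn>\w+)\((?P<args>.*)\)\s*->\s*(?P<ret>\S+)$")

# Constructed API-monitor output: paths, handles and return values are invented,
# only the call order is the one the post attributes to the ROP chain.
SAMPLE_TRACE = r"""
msvcr100!fsopen("C:\Users\victim\AppData\Local\Temp\L2P.T", "wb") -> 0x00A3F2C8
msvcr100!write(0x00A3F2C8, 0x0012F000, 0x1E00) -> 0x1E00
msvcr100!fclose(0x00A3F2C8) -> 0
kernel32!LoadLibraryA("C:\Users\victim\AppData\Local\Temp\L2P.T") -> 0x10000000
kernel32!Sleep(0xFFFFFFFF) -> 0
"""

# Constructed benign sequence (save a document, load a system DLL) that must not trigger.
BENIGN_TRACE = r"""
msvcr100!fopen("C:\Users\victim\Documents\notes.txt", "wb") -> 0x00A3F3A0
msvcr100!fwrite(0x0012F000, 1, 0x40, 0x00A3F3A0) -> 0x40
msvcr100!fclose(0x00A3F3A0) -> 0
kernel32!LoadLibraryA("C:\Windows\System32\comctl32.dll") -> 0x73D00000
kernel32!Sleep(0x64) -> 0
"""


@dataclass
class DropAndLoad:
    path: str
    bytes_written: int
    load_line: int
    module_base: str
    sleep_ms: Optional[int] = None  # set when a long Sleep() directly follows the load


def split_args(s: str) -> list:
    """Split an argument list on commas that are not inside double quotes."""
    out, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return out + [tail] if tail else out


def to_int(tok: str) -> int:
    """Parse a decimal or 0x-prefixed token; anything else counts as 0."""
    try:
        return int(tok, 0)
    except ValueError:
        return 0


def find_drop_and_load(trace: str, min_sleep_ms: int = 60_000) -> list:
    """Flag a file that is written, closed and then loaded as a library, and note whether
    the thread parks itself in a Sleep() of at least min_sleep_ms right afterwards."""
    open_files = {}   # handle -> [path, bytes written so far]
    closed = {}       # lowercased path -> (path, bytes written)
    findings, pending = [], None
    for lineno, raw in enumerate(trace.strip().splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fn, args, ret = m["fn"].lower().lstrip("_"), split_args(m["args"]), m["ret"]
        quoted = [a[1:-1] for a in args if len(a) >= 2 and a[0] == a[-1] == '"']
        if fn in OPEN_FNS and quoted:
            open_files[ret] = [quoted[0], 0]
        elif fn in WRITE_FNS:
            # Return value taken as the byte count (exact for write/fwrite with size 1).
            for a in args:
                if a in open_files:
                    open_files[a][1] += to_int(ret)
        elif fn in CLOSE_FNS:
            for a in args:
                if a in open_files:
                    path, n = open_files.pop(a)
                    closed[path.lower()] = (path, n)
        elif fn in LOAD_FNS and quoted and quoted[0].lower() in closed:
            path, n = closed[quoted[0].lower()]
            pending = DropAndLoad(path, n, lineno, ret)
            findings.append(pending)
        elif fn == "sleep" and pending is not None:
            ms = to_int(args[0]) if args else 0
            if ms >= min_sleep_ms:
                pending.sleep_ms = ms
            pending = None
    return findings
```

Run `find_drop_and_load(SAMPLE_TRACE)` to get one finding naming the dropped path, its size and the Sleep(0xFFFFFFFF) that parks the thread; `BENIGN_TRACE` yields none because the loaded DLL is not the file that was just written.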

The Payload

Eventually the malicious library loads the payload. The payload involved in this exploit ultimately installs what appears to be a first-stage downloader: a DLL posing as a "language bar add-in", which persists across reboots through the registry key "HKCU\Software\Microsoft\CTF\LangBarAddIn". It further supports this disguise through its file properties.

[Image: Properties]

As a precaution, it checks the name of the process it has been loaded into against a list of processes that would normally load a language bar add-in, and refrains from certain behaviors if there is no match, most likely to disrupt analysis.

[Image: Proclist]

It employs other anti-analysis tricks as well. It uses a TLS callback to start a thread before the entry point is reached, and it fills its export table with over 200 fake entries named after Windows Property System functions that point to invalid memory locations. The latter is particularly effective at muddying sandbox reports that enumerate a DLL's exports and attempt to call each of them: every such call lands in unmapped memory and faults.

[Image: Exports]
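Exports that point into invalid memory are cheap to catch before a sandbox calls them: every export RVA has to land inside a mapped section, and inside an executable one at that. The Python below is an added example, not code from the original post or from the malware's authors. It is a minimal PE parser built on the standard library alone: it reads the section table, the TLS directory (a non-zero AddressOfCallBacks is the TLS-callback tell) and the export directory, then lists exports whose target lies outside the image or in a non-executable section. Its input is a PE32 DLL assembled in memory for the example, with one genuine export, two fakes named after Windows Property System functions, a TLS callback pointer, and an ImageBase of 0x666C0000; the post gives the base only as "666C", so the full 32-bit value is an assumption, as are all the other bytes of the sample.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def section_for(sections, rva):
    """Section whose virtual range contains rva, or None if nothing is mapped there."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def parse_pe(data: bytes) -> dict:
    """Read headers, section table, TLS directory and named exports of a PE32/PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = pe + 4, pe + 24
    nsections, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, coff + 2)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte ImageBase at +28, NumberOfRvaAndSizes at +92, dirs at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs, dirs, cb_fmt, cb_off = struct.unpack_from("<I", data, opt + 92)[0], opt + 96, "<I", 12
    elif magic == 0x20B:  # PE32+: 8-byte ImageBase at +24, NumberOfRvaAndSizes at +108, dirs at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs, dirs, cb_fmt, cb_off = struct.unpack_from("<I", data, opt + 108)[0], opt + 112, "<Q", 24
    else:
        raise ValueError("unknown optional header magic")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsections, 40):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize or rawsize, "raw": rawptr, "chars": struct.unpack_from("<I", data, off + 36)[0]})

    def directory(i):
        return struct.unpack_from("<II", data, dirs + 8 * i) if i < ndirs else (0, 0)

    def rva_to_off(rva):
        s = section_for(sections, rva)
        return None if s is None else s["raw"] + (rva - s["va"])

    # TLS directory: a non-zero AddressOfCallBacks means code runs before the entry point.
    tls_rva, _ = directory(9)
    tls_off = rva_to_off(tls_rva) if tls_rva else None
    tls_callbacks = tls_off is not None and struct.unpack_from(cb_fmt, data, tls_off + cb_off)[0] != 0
    exports, (exp_rva, exp_size) = [], directory(0)
    exp_off = rva_to_off(exp_rva) if exp_rva else None
    if exp_off is not None:
        nnames, fn_rva, names_rva, ords_rva = struct.unpack_from("<IIII", data, exp_off + 24)
        fn_off, names_off, ords_off = (rva_to_off(r) for r in (fn_rva, names_rva, ords_rva))
        for i in range(nnames):
            name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            ordinal = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
            target = struct.unpack_from("<I", data, fn_off + 4 * ordinal)[0]
            noff = rva_to_off(name_rva)
            name = data[noff:data.index(b"\0", noff)].decode("ascii", "replace")
            # A target inside the export directory itself is a forwarder string, not code.
            exports.append({"name": name, "rva": target, "forwarder": exp_rva <= target < exp_rva + exp_size})
    return {"image_base": image_base, "size_of_image": size_of_image, "sections": sections,
            "tls_callbacks": tls_callbacks, "exports": exports}


def suspicious_exports(pe: dict) -> list:
    """Exports a sandbox must not call blindly: target outside the image or in a non-code section."""
    bad = []
    for ex in pe["exports"]:
        if ex["forwarder"]:
            continue
        sec = section_for(pe["sections"], ex["rva"])
        if ex["rva"] == 0 or ex["rva"] >= pe["size_of_image"] or sec is None:
            bad.append((ex["name"], "RVA outside the mapped image"))
        elif not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            bad.append((ex["name"], "RVA in non-executable section " + sec["name"]))
    return bad


def build_sample_dll(image_base=0x666C0000) -> bytes:
    """Constructed PE32 DLL: .text at RVA 0x1000 (executable), .rdata at RVA 0x2000 holding the export
    and TLS directories. Names, layout and the 0x666C0000 base are assumptions for this example."""
    text_va, rdata_va = 0x1000, 0x2000
    exports = [("DllGetClassObject", text_va + 0x20),       # genuine: inside executable .text
               ("PSGetPropertyDescription", 0x00900000),    # fake: far beyond SizeOfImage
               ("PSFormatForDisplay", rdata_va + 0x100)]    # fake: inside read-only .rdata
    n = len(exports)
    funcs_rva, names_rva, ords_rva = rdata_va + 40, rdata_va + 40 + 4 * n, rdata_va + 40 + 8 * n
    strings, name_rvas = bytearray(b"sample.dll\0"), []
    for name, _ in exports:
        name_rvas.append(ords_rva + 2 * n + len(strings))
        strings += name.encode() + b"\0"
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, ords_rva + 2 * n, 1, n, n, funcs_rva, names_rva, ords_rva)
    exp += b"".join(struct.pack("<I", rva) for _, rva in exports) + b"".join(struct.pack("<I", r) for r in name_rvas)
    exp += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    tls = struct.pack("<IIIIII", 0, 0, image_base + rdata_va + 0x1F0, image_base + text_va + 0x40, 0, 0)  # callbacks -> .text
    rdata = (exp.ljust(0x180, b"\0") + tls).ljust(0x200, b"\0")
    dirs = [(0, 0)] * 16
    dirs[0], dirs[9] = (rdata_va, len(exp)), (rdata_va + 0x180, len(tls))  # export and TLS data directories
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0x200, 0x200, 0, text_va, text_va, rdata_va, image_base, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)

    def sect(name, va, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, raw, 0, 0, 0, 0, chars)

    headers = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x2102) + opt
               + sect(b".text", text_va, 0x200, 0x60000020) + sect(b".rdata", rdata_va, 0x400, 0x40000040))
    return headers.ljust(0x200, b"\0") + b"\xC3" * 0x200 + rdata  # .text is a ret sled at file 0x200
```

On a real sample, `suspicious_exports(parse_pe(open(path, "rb").read()))` gives the list a sandbox should skip rather than call; on the constructed DLL it names the two Property System look-alikes and leaves DllGetClassObject alone, while `parse_pe(...)["tls_callbacks"]` and `["image_base"]` surface the TLS callback and the 0x666C0000 base.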

We have identified a set of registry values under "HKCU\Software\Microsoft\Multimedia\Other" that control certain functionality in the malware. One value, "UI", is a boolean; when set to 1 it triggers the malware to uninstall itself. Another, "SD", holds a date formatted as "YYYYMMDD" that drives a long-term sleep feature.
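Both registry locations above, the LangBarAddIn persistence key and the Multimedia\Other control values, can be audited offline from a `reg export` of the user hive. The Python below is an added example, not code from the original post or from FireEye: it parses the .reg text format (REG_SZ and REG_DWORD values), flags LangBarAddIn entries whose DLL lives outside the Windows directory, and reports the "UI" and "SD" values, decoding SD as a YYYYMMDD date and checking whether that date is still in the future. The sample export, its GUIDs and paths, and the FilePath/Enable layout of an add-in subkey are assumptions constructed for the example; only the two key names and the UI/SD value names come from the post.

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional

LANGBAR_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBarAddIn"
MM_OTHER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Other"
# Heuristic: a legitimate language-bar add-in normally lives under the Windows directory.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\")

# Constructed `reg export` output. GUIDs, paths and values are invented for this example and
# the FilePath/Enable layout of an add-in subkey is an assumption; only the key names and the
# UI/SD value names come from the post.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBarAddIn\{0A1B2C3D-0000-4000-8000-000000000001}]
"FilePath"="C:\\Windows\\System32\\example_addin.dll"
"Enable"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBarAddIn\{0A1B2C3D-0000-4000-8000-000000000002}]
"FilePath"="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\langbar32.dll"
"Enable"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Multimedia\Other]
"UI"=dword:00000000
"SD"="20130301"
"""

# "name"=value or @=value
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass
class Finding:
    kind: str
    key: str
    detail: dict = field(default_factory=dict)


def _decode_value(raw: str):
    """Decode REG_SZ (quoted, backslash-escaped) and REG_DWORD (dword:hex); other types stay raw."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text: str) -> dict:
    """Map each [key path] in a .reg export to a {value name: decoded value} dict."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current]["@" if m.group(2) else m.group(1)] = _decode_value(m.group(3))
    return keys


def parse_sleep_date(value) -> Optional[date]:
    """SD is a YYYYMMDD date per the post; anything that does not parse yields None."""
    try:
        return datetime.strptime(str(value), "%Y%m%d").date()
    except ValueError:
        return None


def audit(reg: dict, today: date) -> list:
    """Report add-ins loaded from outside the Windows directory and the UI/SD control values."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.startswith(LANGBAR_KEY.lower() + "\\"):
            path = values.get("FilePath")
            if isinstance(path, str) and not path.lower().startswith(TRUSTED_DLL_PREFIXES):
                findings.append(Finding("langbar_addin_outside_windows_dir", key,
                                        {"path": path, "enabled": values.get("Enable")}))
        elif k == MM_OTHER_KEY.lower():
            if "UI" in values:
                findings.append(Finding("uninstall_switch_present", key, {"UI": values["UI"]}))
            if "SD" in values:
                until = parse_sleep_date(values["SD"])
                findings.append(Finding("sleep_date_present", key, {
                    "SD": values["SD"], "sleep_until": until,
                    "still_sleeping": until is not None and until > today}))
    return findings


def audit_sample(today_yyyymmdd: str = "20130213") -> list:
    """Run the audit over the constructed export as of the given day."""
    return audit(parse_reg(SAMPLE_REG), parse_sleep_date(today_yyyymmdd))
```

Feed `parse_reg` the text of `reg export HKCU\Software\Microsoft\CTF\LangBarAddIn` and `reg export HKCU\Software\Microsoft\Multimedia\Other` (decoded from the UTF-16 the tool writes) and `audit` will report the add-in outside the Windows directory, the presence of the uninstall switch, and whether the SD date is still ahead of the day you run it.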

The compile times for the various payloads dropped are very recent as seen in Table 1.

Filename        Origin       Compile time
D.T             dropped      01/24/2013 14:13:52
L2P.T           dropped      02/04/2013 14:36:29
langbar32.dll   dropped      02/04/2013 14:36:06
lbarext32.dll   downloaded   02/04/2013 16:02:01
lbarhlp32.dll   downloaded   02/04/2013 16:02:22

Table 1

Network Activity

After the initial beacon with the GET request we shared yesterday, it also makes various POST requests. In response to the POSTs we observed additional payloads being downloaded. The two of note are lbarext32.dll and lbarhlp32.dll (see Table 1), which it downloads and loads. It also creates a data file called "kmt32.pod"; so far it is unclear what this file contains.

[Images: Post1, Post2]

A Peculiar Image Base Address

The author chose "666C" as the preferred image base, most likely a nod to the verse in the Book of Revelation from which the heavy metal band Iron Maiden drew inspiration for their album and song "The Number of the Beast." Hence the name of this blog post. We also named this malware "Trojan.666" based on this discovery.

[Image: Imagebase]

We will continue our analysis and will provide updates as we discover more.

Read More

For a continuation of this blog with more technical details about this malware, please see our follow-up post, "It's a Kind of Magic."

This blog is written by FireEye researchers James Bennett, Yichong Lin, and Thoufique Haq.