Category: Exploit Kits


Content In Brief

The KaiXin Exploit Kit was discovered roughly 4 months ago by the malware analyst community, and I posted a fairly detailed report on it back in August. Since then, KaiXin has had another go, introducing Version 1.1, which Eric Romang blogged about today.

I immediately set out to compare file sizes and detection counts on VirusTotal. What I found was rather shocking. Check out the results for 2 different variants, both shellcode exploits [Note: the file names are randomly generated, but the file sizes are so similar that it is safe to assume they are variants of the same file]:

KaiXin Version 1.0 (cLpl7.html)
[NEW] KaiXin Version 1.1 (JSZlR.html)

KaiXin Version 1.0 (gADSr.html)
[NEW] KaiXin Version 1.1 (WysBRr.html)

The detection rate is lower than before. Why is that?

Keep searching,
~!Donovan

Yesterday, Polonus addressed the issue on the avast! forums. Let’s check out the inform.htm.

First, review the VirusTotal results.

The malicious code is as follows:

inform.htm

As you can see, no obfuscation. They aren’t trying to hide anything. Maybe they are trying to reduce general AV detection. And the script looks simple enough, with a redirect to this podarunoki(dot)ru site…

Now we will look at two urlQuery references: here and here.

Both of these sites, including the one given in the picture above, lead to .ru domains with :8080.

You can check for new malicious inform.htm sites on CleanMX,
~!Donovan

A user on the avast! forums reported another site infected with the Blackhole Exploit Kit. I confirmed it with urlQuery and Sucuri; researching the Blackhole site itself, Google says it has infected over 23 sites, while Sucuri says it has been used for redirection.

So, just how many scanners will detect this (besides urlQuery and Sucuri, of course)?

Interesting,
~!Donovan

Today I was searching on Google and guess what I found? A post related to the KaiXin Exploit Kit article, on Twitter. Visiting it directly gives a 404 error, which means Twitter deleted it. This is where Google's cache saves us. :)

The Tweet

Guess what? The Mediafire link still works. :)

However, scanning it on VirusTotal, I get various Trojan Dropper alerts. Check out the results.

KaiXin Exploit Kit.zip Contents

So it's the real deal, and KaiXin was finished around 8-4-12. Interesting.
~!Donovan

Exploring recent exploit trends, I found the KaiXin Exploit Kit. It was originally found by Kahu Security, and the attacked site was also reported on CleanMX. Further research shows that the attack site has been logged on Wepawet and JSunpack. Let's download all the Base Zero (raw) files and send them to VirusTotal.

KaiXin VirusTotal Results

Now let's set up our files. Keep them organized. :)

Setting Up

Let's start with the 'Not Detected' side. swfObject.js is legitimate.

swfObject.js

deployJava.js, a.k.a. jpg.js, is a little trickier. However, I found a similar file on Google Code.

deployJava.js aka jpg.js

The third party appears to track the user by placing a hidden iframe in the HTML. Valid but ugly (and not standard, as iframes are deprecated in HTML5).

51Yes Tracking

Now let's look at the malicious stuff! >:)

index.html Original

The index.html contains a hidden iframe pointing to ad.html. Let's have a look.

ad.html Original

Not that readable, so let's beautify it!

ad.html JavaScript Beautified

Hmm... at first sight, just unescape. Looks easy enough.

ad.html JavaScript Unescape Deobfuscated

Well, looky here! We have 2 long strings, a 'document', and a 'write'. We can safely guess that there will be a document.write later in the script.

ad.html JavaScript Deobfuscated document.write

So it's going to write Dz to the document. That makes our day easy: all we have to do is replicate the situation, replacing document.write with alert. :)

ad.html JavaScript Deobfuscated Script

So it stores the user agent in a cookie, then checks that the user agent is valid, not a bot/spider, etc. It also checks whether its own cookie has already been set, which ensures that the user is exploited only once and cannot replay it. It then checks for specific Java versions (using deployJava) and serves different class files for 0.exe based on the results. Comodo analysis of 0.exe Variant 1. AntiVirus Lab analysis of 0.exe Variant 2.

ad.html JavaScript Deobfuscated Java Exploit

It then uses swfObject to get the Flash version and checks the Internet Explorer version. 2 different iframes are written, depending on the Internet Explorer version.

ad.html JavaScript Deobfuscated Flash Exploit

Anyway, before we go any further, let's send the deobfuscated results to VirusTotal. 1/42...

So let's analyze the Flash HTML files.

cLpl7.html Original

Again we’ll beautify it.

cLpl7.html Beautified

Looks like this exploit kit uses the same algorithm. This time we have two Dzs, each in its own script tag. Again we'll alert the Dz returns. For safety, remember to disable the object tag; you can do so by wrapping it in comment tags. The return was so big that I couldn't read it in the alert window and had to copy-paste it before getting a glimpse of the code. Have a look at the core of cLpl7:

cLpl7.html Deobfuscated First

And the second one:

cLpl7.html Deobfuscated Second

So we have some shellcode and a buffer overflow to make it run. Now let's look at the final file, gADSr.html:

gADSr.html Original

You know the drill ;)

gADSr.html Beautified

Dz returns this:

gADSr.html JavaScript Deobfuscated

Later in the script it loads an obfuscated .swf file.

Conclusion:

The phrase ‘document.write() can be a form of eval’ is no joke.

Despite the kit being 5 days old in the wild, only ClamAV detects the deobfuscated return of the main ad.html file.

Stay safe,
~!Donovan