Wednesday, May 6, 2009

trying to analyze mebroot (torpig) - part 0

This post is an attempt to analyze mebroot (related to the torpig botnet), so some of the information here may be incorrect or not fully explained.

Let's start from malwaredomainlist.com, where the following malicious URL is listed as one of the mebroot spreading sites:

In malzilla the result is an obfuscated JavaScript that is not too hard to read:

After some code analysis, the following code was noted:

To avoid the boring deobfuscation task, the following line of code was used and pasted into an HTML page:

Opening the HTML page gives this result:

Some info (thanks to robtex.com) about the URL called by the obfuscated script:

Calling the URL gdq4hevif.com/ld/ment/ executes the exploiter (contained in the file j.js). The following screenshot shows the related URL:

This spreading stage seems to be user driven, so automated analysis tools suck.

The exploiter (j.js) contains checks for a good number of potentially vulnerable objects, such as web browser plugins, the Microsoft Office and PDF reader versions installed on the probed system, and other stuff.
The collected info is sent via HTTP POST to javascript-analytics.com.
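From a defender's side, the behaviour just described (a page that collects plugin, Office and PDF reader versions and POSTs them to javascript-analytics.com) is something a proxy or web log can be screened for. The following is an added example, not code from this post or from the malware: it scans constructed proxy-style log lines and flags POST requests that either go to the collector domain named above or carry several software-version fields. The log lines, the log format and the field names (pdf, office, plugins, java, flash) are assumptions made for this demonstration; only the domain and the kind of data collected come from the post.

```python
"""
Flag HTTP POST requests that look like browser/plugin fingerprint exfiltration.

Added example, not part of the original post. Log lines and field names are
constructed for this demonstration; only the collector domain
javascript-analytics.com and the kind of data (plugin, Office and PDF reader
versions) come from the post.
"""
from urllib.parse import parse_qs

# Constructed sample of proxy-style log lines: METHOD HOST PATH BODY
# ("-" marks an empty body).
SAMPLE_LOG = [
    "GET www.example.com /index.html -",
    "POST javascript-analytics.com /collect "
    "pdf=8.1.2&office=11.0&plugins=flash%209.0%2Cjava%201.6&ua=MSIE%207.0",
    "POST www.example.com /login user=alice&pass=REDACTED",
    "POST javascript-analytics.com /collect ua=Firefox%203.0",
]

# Form field names that suggest software-version fingerprinting (assumed names).
FINGERPRINT_KEYS = {"pdf", "office", "plugins", "java", "flash"}

# Hosts already known as collectors; the one name comes from the post.
SUSPECT_HOSTS = {"javascript-analytics.com"}

# Two or more version-style fields in one POST body is treated as fingerprinting.
MIN_FINGERPRINT_FIELDS = 2


def parse_line(line):
    """Split one log line into method, host, path and the decoded POST body."""
    method, host, path, body = line.split(" ", 3)
    return {
        "method": method,
        "host": host,
        "path": path,
        "body": parse_qs(body) if body != "-" else {},
    }


def classify(rec):
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons = []
    if rec["method"] != "POST":
        return reasons
    if rec["host"] in SUSPECT_HOSTS:
        reasons.append("known-collector-host")
    if len(set(rec["body"]) & FINGERPRINT_KEYS) >= MIN_FINGERPRINT_FIELDS:
        reasons.append("fingerprint-fields")
    return reasons


def scan(lines):
    """Scan log lines and return one alert record per suspicious POST."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({
                "host": rec["host"],
                "path": rec["path"],
                "reasons": reasons,
                "fields": sorted(set(rec["body"]) & FINGERPRINT_KEYS),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The two rules are deliberately independent: the host list catches traffic to a collector you already know about, while the field-count rule catches the same kind of fingerprint POST sent to a domain you have not seen yet. Adapt `parse_line` to your own proxy's log format before using it on real data.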

The following dump is the HTTP traffic logged with the HTTPHeader Firefox plug-in:

Some decoded info passed to javascript-analytics.com:

That's all for now. I think that obtaining the malware binary requires a user-driven web browser session. It may be that the info grabbed by the exploiter is used by the malware site to generate ad hoc web pages, so that the user's web browser is exploited with the correct issues.

Passing the starting URL to wepawet gives some more info (but not much more): http://wepawet.cs.ucsb.edu/view.php?hash=80f9d23ca8855e09a91fbd2ac13dc207&t=1241617911&type=js
