Crimepack 3.1.3 – checking vital signs

Today I am going to analyze the so called CrimePack 3.1.3, thanks to Mila. I will focus on the interesting parts, such as: a recent Java vulnerability (CVE-2010-0840) and a malicious PDF-generator on demand.

Let’s start!

Part 1: Java Exploit

As stated above, I focus on a malware that exploits a recent JRE vulnerability: CVE-2010-0840 to execute malicious files on a victim system. This malware comes inside a jar file, which contains the following two classes: Crimepack.class and KAVS.class.

Part 1.1: Crimepack.class

This class is the engine of the malware, it is obfuscated, but you can quickly strip off the obfuscation (my python beta tool is great…), once you get rid of the obfuscation you can see the following code:


As always, we have an Applet that access to the data parameter, generates a random name for the exe payload that will be dropped in the system temp directory and then executed. So at this point as you can see we have nothing new, the above is a common Java downloader… but let’s scroll down:


Above, we can see that the malware is creating a new instance of the KAVS class (description follows), in order to trigger the JRE vulnerability by using a call to the getValue() method (..snipped above..).

Part 1.2: KAVS.class

Here is the hand-crafted class, I say hand-crafted because such class cannot be compiled by using a standard compiler, so you have to edit the compiled class by editing the bytecode:


By using this strategy we are extending KAVS in a way, which allows the KAVS class to inherit the getValue() method from the Expression class instead of the Applet class, which is not-privileged. So the malware will exploit this method in order to execute the malicious payload on the victim system. More details about this Java vulnerability can be found on Sami Koivu blog here.

Part 2: PDF-generator on demand

The kit contains a nice php script that drops custom pdf on-demand, which means that you can have several mutations of the same piece of malware, by simply connecting to a malicious link.

Let’s take a look at the PHP code.

Here we have a function that will generate a string by using a sort of dictionary:

Follow a function, which is used to encrypt the javascript used for the exploits, this function takes the input javascript and a key that will be used to encrypt the code:

At the end of the PHP page, we have the real PDF generator, this function takes two parameters OS and browser:

and it will return a full malicious pdf file, ready to infect a new user:

It’s all.
I hope you have enjoyed the reading.

posted in java, javascript, malware, PDF, reversing by Donato Ferrante ( ratsoul )

2 Comments to "Crimepack 3.1.3 – checking vital signs"

  1. yoeddy wrote:

    Nice job! We’ve just had an infected client with a slight variation of the source code, but the exploit still seems to work sometimes

  2. why wrote:

    where i can get your python beta tool?

 
Copyright (c) 2010-2011 InREVERSE - All Right Reserved
Büyükçekmece Evden Eve Nakliyat Esenler Evden Eve Nakliyat Gaziosmanpasa Evden Eve Nakliyat Güngören Evden Eve Nakliyat Kadiköy Evden Eve Nakliyat Kartal Evden Eve Nakliyat Küçükçekmece Evden Eve Nakliyat Maltepe EvdenEve Nakliyat Sisli Evden Eve Nakliyat Tuzla Evden Eve Nakliyat Ümraniye Evden Eve Nakliyat Üsküdar Evden Eve Nakliyat Içerenköy Evden Eve Nakliyat Erenköy Nakliyat Etiler Evden Eve Nakliyat