A forum for reverse engineering, OS internals and malware analysis 

 #2675  by ssj100
 Tue Sep 07, 2010 7:25 pm
Site seems dead? Tried it in Windows XP, SP3, IE 6 (not patched for nearly 1 year) with basically no third party program installed. Nothing seems to happen.
 #2676  by CloneRanger
 Tue Sep 07, 2010 8:04 pm
It's still alive for me !

XP/SP2 few updates and in Admin ;)

Went there using IE6 with NO updates and scripting prompts.

Disallowed helpctr.exe which was called ? and then got 2 weird alerts followed by an ActiveX alert.

Heck of a lot of stuff in the source including several mentions of avast_the_best_ :P

http://www.malwaredomainlist.com = rezjure.co.cc/x/index.php = trojan SpyEye

As only 3 uploads are allowed :( I can't directly post the screenies I captured, plus the source, so it's all in the Zip. PW = infected

Be interested to hear what you make of it ?
 #2679  by ssj100
 Wed Sep 08, 2010 4:48 am
I think it's dead now. I did notice that something tried to run (it called up Java) when I initially tried it with a sandboxed IE on my REAL system - of course, pretty much nothing but iexplore.exe can run in that sandbox (it's the sandbox I use for banking etc) so the execution was stopped dead. My freshly installed Windows didn't have Java installed - perhaps that's why it didn't work?

Anyway, thanks for the help and information. I'm still looking for fancy live malware samples (preferably actual malware files) that I can easily reproduce an infection with (and test against various anti-malware applications).
 #2907  by ssj100
 Thu Sep 30, 2010 6:30 pm
More specifically, can anyone give me a sample file containing eg. a Microsoft Word/Excel document file which contains an executable (eg. .exe or .dll) embedded inside it? It doesn't necessarily need to be a malicious file. Thanks.
 #2908  by PX5
 Thu Sep 30, 2010 9:45 pm
Engine	Version	Last update	Result
AhnLab-V3	2010.09.29.01	2010.09.29	X97M/Dropper
AntiVir	7.10.12.62	2010.09.29	EXP/Excel.CVE-2009-3129
Antiy-AVL	2.0.3.7	2010.09.29	-
Authentium	5.2.0.5	2010.09.29	MSExcel/Dropper.B!Camelot
Avast	4.8.1351.0	2010.09.28	-
Avast5	5.0.594.0	2010.09.28	-
AVG	9.0.0.851	2010.09.28	-
BitDefender	7.2	2010.09.29	-
CAT-QuickHeal	11.00	2010.09.29	-
ClamAV	0.96.2.0-git	2010.09.29	BC.XLS.Exploit.CVE_2009_3129
Comodo	6233	2010.09.29	-
DrWeb	5.0.2.03300	2010.09.28	-
Emsisoft	None	None	None
eSafe	7.0.17.0	2010.09.28	-
eTrust-InoculateIT	None	None	None
eTrust-Vet	36.1.7881	2010.09.28	X97M/EXEDropper!exploit
Ewido	None	None	None
F-Prot	4.6.2.117	2010.09.28	-
F-Prot4	None	None	None
F-Secure	9.0.15370.0	2010.09.29	-
FileAdvisor	None	None	None
Fortinet	4.1.143.0	2010.09.29	-
GData	21	2010.09.29	-
Ikarus	T3.1.1.90.0	2010.09.29	-
Jiangmin	13.0.900	2010.09.29	Heur:Exploit.CVE-2009-3129
K7AntiVirus	9.63.2628	2010.09.28	-
Kaspersky	7.0.0.125	2010.09.29	Exploit.MSExcel.Agent.y
McAfee	5.400.0.1158	2010.09.29	Exploit-MSExcel.u
McAfee+Artemis	None	None	None
McAfee-GW-Edition	2010.1C	2010.09.29	Exploit-MSExcel.u
Microsoft	1.6201	2010.09.29	Exploit:Win32/CVE-2009-3129
NOD32	5487	2010.09.28	-
Norman	6.06.06	2010.09.28	-
nProtect	2010-09-29.01	2010.09.29	-
Panda	10.0.2.7	2010.09.28	-
PCTools	7.0.3.5	2010.09.28	Trojan.Mdropper
Prevx	3.0	2010.09.29	-
Rising	22.67.01.01	2010.09.29	-
SAVMail	None	None	None
Sophos	4.58.0	2010.09.29	Troj/DocDrop-S
Sunbelt	6943	2010.09.29	TrojanDropper.Win32.Agent.bc (v)
SUPERAntiSpyware	4.40.0.1006	2010.09.29	-
Symantec	20101.2.0.161	2010.09.29	Trojan.Mdropper
T3	None	None	None
TheHacker	6.7.0.1.039	2010.09.29	-
TrendMicro	9.120.0.1004	2010.09.29	-
TrendMicro-HouseCall	9.120.0.1004	2010.09.29	-
UNA	None	None	None
VBA32	3.12.14.1	2010.09.27	-
ViRobot	2010.8.31.4017	2010.09.29	-
VirusBuster	12.66.4.0	2010.09.28	-
 #2909  by ssj100
 Fri Oct 01, 2010 5:23 am
Can I just confirm with you that opening this Excel file drops "uxtheme.dll" into the C:\Windows directory? If so, simply running as a limited user would prevent this from working.

EDIT: I've just worked out with SRP advanced logging that opening the Excel file also drops "svchost.exe" into the user's temp folder. SRP of course blocks the execution of this easily. With this blocked, "uxtheme.dll" is unable to be created. That is, the malware is stopped dead in its tracks with SRP, even in an Administrator account.

To conclude, LUA + SRP acts as a double shield against this piece of malware. No surprise I guess haha.

Anyway, thanks for the sample! I will probably be testing this piece of malware against various anti-malware mechanisms.
 #2946  by CloneRanger
 Wed Oct 06, 2010 2:27 pm
@ EP_X0FF

Thanks for the apdlftcpaqkogt sample ;) I know someone who wants to test their defences with an embedded executable, and they don't have Excel so couldn't test the other sample.
 #2952  by ssj100
 Thu Oct 07, 2010 3:44 am
EP_X0FF wrote: You can also try this crafted PDF with Adobe Zeroday Reader.
Thanks, but could you please run through exactly what this exploit does? It doesn't seem to be as obvious as the Excel exploit I dissected and tested here:
http://ssj100.fullsubject.com/security- ... 6.htm#2096

I'll do more testing on this Adobe exploit, but one problem may be that I'm not using a version of Adobe that is vulnerable (using a 6 month old version - 9.3.0). Does the exploit end up dropping a payload? Thanks for any feedback/information.
 #2992  by ssj100
 Sun Oct 10, 2010 5:57 am
Seems this forum needs an expert malware analyst of some sort haha. Anyway, if anyone knows of more of these types of exploits, I'd really appreciate it if you could post links. In particular, I'd like to see some exploits that can bypass default-deny anti-execution mechanisms. The ones which spontaneously download and run a PE executable are boring - as you can see, the Excel exploit was blocked by everything I tested it against.

I recently read a claim that SRP can be bypassed if executable code is run from within the Excel/Adobe/etc file. This is because SRP white-lists the Excel/Adobe/etc program to run, and therefore allows any code to run from within this program area. I would really like to get my hands on a POC like this (I'm not sure if even Didier Stevens' POC works in a Limited User Account, since it attempts to modify a DLL file in the C:\Windows directory). EP_X0FF, perhaps you could create such a POC as described here by Didier Stevens:
http://blog.didierstevens.com/2008/06/2 ... trictions/

Apparently, AppLocker is able to block such exploits, since it operates at kernel level. Unfortunately, AppLocker is only available in the Ultimate version of Windows 7, and Microsoft are only supporting this version until 2015 (they are supporting the Home Premium and Professional versions until 2020).

Personally, even these exploits don't impact me, since I always open any newly introduced file sandboxed with Sandboxie, 32-bit. But it'd be amazing to get hold of a POC that can bypass SRP or other default-deny anti-execution software (eg. ProcessGuard, Faronics Anti-Executable, and even Classical HIPS). If someone could design such a POC so that it's easy to execute, I'd be very interested to test it, and it'd be a great break-through in publicly available exploits.