Pushing the Envelope with Analyzers and Emulators

Via our spam traps, we see a malicious URL being spammed out that was flagged as suspicious by the MITRE honeyclient and then further analyzed with Wepawet. The page carries three exploits, leading to an EXE, a PDF, and a SWF file. This one is interesting because it's one of a handful that are pushing the boundaries of what our current honeyclient and emulated client-side tools can handle reliably. The URL chain is described below:

  • hxxp://bezotezi.wz.cz/both/function/memory69.html
    This is the URL being spammed out. Wepawet correctly calls it suspicious, but not malicious. Like a lot of web exploit toolkits it does some reasonable browser qualification (e.g. fetching it with wget wouldn't work).

    Incidentally, Wepawet was unable to identify the IE7 object reference bug it uses.

    • hxxp://kovsutap.cn/na/load.php?id=2

      MD5: 8f044c64a656326da65ab790379a064f
      SHA1: f09cbd1b622243d53f1fc106bfa3d07e328cfdc8
      File type: MS Windows PE
      File size: 20435 bytes

      Looking at this file we can see that VirusTotal has 0% detection... maybe this is a benign file. The Anubis report is inconclusive. This binary has some modest anti-auto-analysis techniques in it and requires a human to look at it to qualify it.

    • hxxp://kovsutap.cn/na/pdf.php
      Definitely an exploit document; it looks like it may be using a newer exploit. Via VirusTotal we can see that a bunch of AV tools flag it.

    • hxxp://kovsutap.cn/na/swf.php
      The Wepawet report shows how the file basically thwarts detection by common toolkits. More manual analysis is required if you want to see how this is malicious.

Looking at blacklisting of the IP and hostname, we can see that Google doesn't flag the IP. Maybe they will now. As far as other DNSBLs go, we can see that it's getting a green light from the ones I checked:

-- Fri Apr 10 16:55:27 2009 GMT
==> Checking bezotezi.wz.cz
multi.surbl.org OK
uri.ca2.sophosxl.com OK
dnsbl.mailshell.net OK
block.rhs.mailpolice.com OK
==> Checking bezotezi.wz.cz (
dnsbl.ahbl.org OK
bl.spamcop.net OK
dnsbl.njabl.org OK
zen.spamhaus.org Direct UBE sources, verified spam services and ROKSO spammers
dnsbl.sorbs.net OK
virbl.dnsbl.bit.nl OK
multi.uribl.com OK
dnsbl.dronebl.org OK
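For reference, here is what a check like the one above does under the hood, as an added example that is not part of the original post or of any of the tools it mentions: build the query name (reversed octets for IP lists, the hostname itself for RHS/URI lists), resolve it, and treat NXDOMAIN as "OK". It also applies the sanity check a practitioner wants: only an answer inside 127.0.0.0/8 counts as a listing, so a wildcarded or hijacked DNS reply is not mistaken for a hit. The sample answers (a TEST-NET address and a reserved example name) are constructed so the code runs offline; the grouping of zones into hostname and IP lists is my assumption.

```python
import ipaddress
import socket

# Zones from the check above: RHS/URI lists take a hostname label, IP lists the reversed quad.
HOST_ZONES = ["multi.surbl.org", "multi.uribl.com", "uri.ca2.sophosxl.com",
              "dnsbl.mailshell.net", "block.rhs.mailpolice.com"]
IP_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net",
            "dnsbl.njabl.org", "dnsbl.ahbl.org", "virbl.dnsbl.bit.nl", "dnsbl.dronebl.org"]
# Spamhaus ZEN return codes (the "Direct UBE sources ..." hit above is an SBL listing).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}


def query_name(target, zone):
    """Build the DNSBL query name for an IPv4 address or a hostname."""
    try:
        octets = ipaddress.IPv4Address(target).exploded.split(".")
        label = ".".join(reversed(octets))       # 192.0.2.1 -> 1.2.0.192
    except ipaddress.AddressValueError:
        label = target.lower().rstrip(".")       # hostname: use as-is
    return f"{label}.{zone}"


def check(target, zones, resolve=socket.gethostbyname):
    """Map each zone to 'OK', 'listed (<code>)' or 'unreliable answer <ip>'."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(query_name(target, zone))
        except socket.gaierror:  # NXDOMAIN: not listed
            results[zone] = "OK"
            continue
        # A genuine listing is always an address in 127.0.0.0/8; anything else
        # is a wildcarded or hijacked DNS answer and must not count as a hit.
        if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
            results[zone] = f"unreliable answer {answer}"
        elif zone == "zen.spamhaus.org":
            results[zone] = f"listed ({ZEN_CODES.get(answer, answer)})"
        else:
            results[zone] = f"listed ({answer})"
    return results


# Constructed offline answers so the check can be exercised without live lookups.
SAMPLE_ANSWERS = {"1.2.0.192.zen.spamhaus.org": "127.0.0.2", "1.2.0.192.dnsbl.sorbs.net": "10.0.0.1",
                  "listed.example.multi.surbl.org": "127.0.0.8"}


def sample_resolve(qname):
    if qname not in SAMPLE_ANSWERS:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_ANSWERS[qname]
```

Pass `resolve=socket.gethostbyname` (the default) to query the live lists instead of the constructed answers.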

We know that attackers will continue to evolve their techniques to evade automated analysis tools (which are simply a requirement in today’s flood of malicious code, even for triage purposes). So, we’ll have to continue to push our analysis tools to handle these changes.
