Saturday, April 13, 2013

Suspicious gif file contains signs similar to known shell-code decoder


GIF file containing suspicious CPU instructions

Background

Quttera's Online Website Malware Scanner detected suspicious image file. Heuristic layer of the scanner identified this .gif file as malicious because it contains sensible CPU instructions similar to known shell-code decoder. Malicious Content Detection System(PDF file), developed by Quttera, is the core technology that is used by all its products and services. And this layer is a part of the multi-layered investigation system.

Website Malware Scanner report summary

Website malware scan report: http://goo.gl/UL7wm
Size of URL response content scanned: 20MBs
Infected files count: 1

Online Website Malware Scanner report


Malicious GIF file





Heuristic exploit detection engine report




  1. flip-up_sv1.gif is suspicious.
  2. Detection offset: 0
  3. Payload disassembly:
  4. INC     EDI (0x00000000)
  5. DEC     ECX (0x00000000)
  6. INC     ESI (0x00000000)
  7. CMP     DS:[ECX]        (0xFFFFFFFF),BH (0x00)  ==random read instruction
  8. POPAD  
  9. POP     EAX (0x00000000)
  10. ADD     DL (0x00),DS:[ECX]      (0xFFFFFFFF)    ==random read instruction
  11. ADD     EDI (0x00000001),ESP (0x08F6C637)
  12. INC     DS:[EAX]        (0x00000000)
  13. PUSH    SS (0x0000)
  14. POP     SS (0x0000)
  15. ADC     AL (0x00),0x1B
  16. SBB     EBX (0x00000000),DS:[ESI]       (0x00000001)    ==random read instruction
  17. SBB     BL (0xB7),[EBX*0x1 + ECX]       (0xC6C7B9B6)    ==random read instruction
  18. AND     DS:[EDX]        (0x00000000),ESP (0x08F6C637)
  19. AND     DS:[EDX]        (0x00000000),ESP (0x08F6C637)
  20. AND     ESI (0x00000001),[0x221D2624]   (0x221D2624)    ==random read instruction
  21. SUB     EDX (0x00000000),DS:[EBX]       (0xC6C7B9B7)    ==random read instruction
  22. DAA    
  23. SUB     DS:[EAX]        (0x0000001B),EBP (0x00000000)   ==random write instruction
  24. DAS    
  25. SUB     EAX (0x00000015),0x31332F2D
  26. XOR     CH (0xFF),DS:[EDX]      (0x00000000)
  27. CMP     DS:[ECX]        (0xFFFFF8FF),DH (0x00)  ==random read instruction
  28. SUB     EDI (0x08F6C638),DS:[EAX]       (0xCECCD0E8)    ==random read instruction
  29. XOR     DS:[ECX]        (0xFFFFF8FF),EDI (0x08F6C638)   ==random write instruction
  30. XOR     EAX (0xCECCD0E8),0x36343335
  31. CMP     DH (0x00),DS:[EDX]      (0x00000000)
  32. SBB     AL (0xDD),0x37
  33. CMP     CL (0xFF),DS:[ECX + 0x38]       (0xFFFFF937)    ==random read instruction
  34. CMP     EDX (0x00000000),DS:[EDI + 0x43]        (0x08F6C67B)    ==random read instruction
  35. CMP     AL (0xA5),0x43
  36. INC     EBX (0xC6C7B9B7)
  37. CMP     EAX (0xF8F8E3A5),0x433E3F3D
  38. CMP     EAX (0xF8F8E3A5),0x403B3D40
  39. INC     EBX (0xC6C7B9B8)
  40. INC     ESI (0x00000000)
  41. AAA    
  42. INC     EAX (0xF8F8E3A5)
  43. INC     ECX (0xFFFFF8FF)
  44. CMP     DS:[ESI]        (0x00000001),BH (0xB9)  ==random read instruction
  45. INC     ESI (0x00000001)
  46. SUB     EAX (0xF8F8E3A6),0x44474947
  47. DEC     EDX (0x00000000)
  48. DEC     ESP (0x08F6C637)
  49. DEC     EAX (0xB4B19A5F)
  50. DEC     EDX (0xFFFFFFFF)
  51. INC     EDX (0xFFFFFFFE)
  52. INC     EBP (0x00000000)
  53. DEC     EDX (0xFFFFFFFF)
  54. PUSH    ESP (0x08F6C636)
  55. DEC     EBX (0xC6C7B9B9)
  56. DEC     EBP (0x00000001)
  57. CMP     EAX (0xB4B19A5E),0x52494B51
  58. DEC     EDX (0xFFFFFFFE)
  59. PUSH    ESP (0x08F6C632)
  60. DEC     ESI (0x00000002)
  61. DEC     ESP (0x08F6C62E)
  62. PUSH    EAX (0xB4B19A5E)
  63. POP     EBP (0x00000000)
  64. DEC     EDX (0xFFFFFFFD)
  65. INC     EAX (0xB4B19A5E)
  66. DEC     EAX (0xB4B19A5F)
  67. DEC     EBP (0xB4B19A5E)
  68. POPAD  
  69. DEC     ECX (0xFFFFF900)
  70. PUSH    ECX (0xFFFFF8FF)
  71. POP     EDX (0xFFFFFFFC)
  72. DEC     EDI (0xF6C63200)
  73. PUSH    ECX (0xFFFFF8FF)
  74. DEC     ESP (0x08F6C631)
  75. DEC     ESI (0xF6C63608)
  76. PUSH    EAX (0xB4B19A5E)
  77. POP     EBX (0xC6C7B9B8)
  78. DEC     EDX (0xFFFFF8FF)
  79. PUSH    EDX (0xFFFFF8FE)
  80. PUSH    EBX (0xB4B19A5E)
  81. DEC     ESP (0x08F6C628)
  82. PUSH    EBP (0xB4B19A5D)
  83. XOR     CL (0xFF),DS:[EAX + 0x5D]       (0xB4B19ABB)    ==random read instruction
  84. SUB     DS:[ESI + 0x56] (0xF6C6365D),EDX (0xFFFFF8FE)   ==random write instruction
  85. POP     EDI (0xF6C631FF)
  86. PUSH    ECX (0xFFFFF8FF)
  87. PUSH    EDI (0xB4B19A5D)
  88. PUSH    EAX (0xB4B19A5E)
  89. POP     EAX (0xB4B19A5E)
  90. POP     EDI (0xB4B19A5D)
  91. POP     EAX (0xB4B19A5E)
  92. PUSH    EDI (0xB4B19A5D)
  93. PUSH    EBX (0xB4B19A5E)
  94. DEC     EDI (0xB4B19A5D)
  95. POP     EDX (0xFFFFF8FE)
  96. POP     EBX (0xB4B19A5E)
  97. PUSH    EDI (0xB4B19A5C)
  98. POP     EBX (0xB4B19A5D)
  99. DEC     ECX (0xFFFFF8FF)
  100. OUTS    DX (0x9A5E),BYTE DS:[ESI]       (0xF6C63607)    ==random read instruction
  101. PUSH    EBX (0xB4B19A5C)
  102. PUSH    EBP (0xB4B19A5D)
  103. PUSH    EBP (0xB4B19A5D)
  104.  
  105. Investigation counters:
  106. REFERENCES_TO_PROCESS_INTERNALS 0
  107. REFERENCES_TO_PROCESS_IMPORTS   0
  108. REFERENCES_TO_PROCESS_EXPORTS   0
  109. CORRECTLY_PARSED_INSTRUCTIONS   100
  110. CORRECTLY_EXECUTED_INSTRUCTIONS 97
  111. UNRECOGNIZED_CALL_TARGETS       0
  112. UNDEFINED_DIRECT_CALLS  0
  113. UNRECOGNIZED_JUMP_TARGETS       0
  114. SYSTEM_CALLS_COUNT      0
  115. PROC_CALLS_INSIDE_INV_BUFFER    0
  116. JUMPS_INSIDE_INV_BUFFER 0
  117. JUMPS_TO_PROCESS_INTERNALS      0
  118. CALLS_TARGETED_IMPORTS_SECTION  0
  119. CALLS_TARGETED_EXPORTS_SECTION  0
  120. CORRECT_PROCEDURES_CALLS        0
  121. FAR_JUMPS_COUNT 0
  122. BUFFER_OUTSIDE_WRITES_COUNT     3
  123. BUFFER_INSIDE_WRITES_COUNT      0
  124. BUFFER_OUTSIDE_READS_COUNT      11
  125. BUFFER_INSIDE_READS_COUNT       0
  126. FULLY_INITIALIZED_INSTRUCTIONS  92
  127. CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS     25
  128. PROVIDED_ABSOLUTE_MEMORY_ADDRESSES      0
  129. INDIRECT_BUFFER_REFERENCES      19
  130. READS_FROM_PROCESS_STACK_MEMORY 12
  131. WRITES_TO_PROCESS_STACK_MEMORY  18
  132. EXECUTED_ARITHMETIC_INSTRUCTIONS        33
  133. EXECUTES_BITS_OPERATING_INSTRUCTIONS    0
  134. EIP_RETRIEVAL_INSTRUCTIONS      0
  135. IMMEDIATE_OPERANDS_INSTRUCTIONS 0
  136. MEMORY_MODIFYING_MATH_INSTRUCTIONS      0
  137. MAX_WRITTEN_MEMORY_BLOCK        0

Malware clean-up


Such malware is often targets specific software security vulnerability inside the attacked process or application. In order to make the final decision whether such detection is false-positive or part of a working vulnerability exploit in depth investigation of all website's files required. If you suspect your site has been compromised in this way sign up for Website Anti-malware Monitoring and receive malware remediation assessment for these and other kinds of malware.