Reversing malware, a little story.

I’ve always been a fan of reverse engineering, not because of cracking, I don’t really care about cracking… Well, let’s be honest I crack software from time to time, especially when I need it but I don’t have the money to buy it but this is out of the scope of this blog. I like reverse engineering because it allows you a deep inspection of how things work and in some cases you can make the program suit your needs by adding extra features etc. From times to times, I like to reverse malwares, just to see how they work. I generally find malware developers talented, plus I like to see what’s going on under the hood.

Some days ago a guy who works in a local computer repair shop mailed me an image of a “computer with a strange behaviour” opening IE and entering a certain page but then blocking the user from everything, even after restarting it would boot normally and then again the same thing, which didn’t happen in safe boot. I asked a copy of the client’s HDD but I received a negative since it was the client’s and it may had whatever inside. I asked for more information about the client’s computer. 32-bit Windows XP, possibly illegal copy of the OS, no firewall running, not updated. 106 gb of illegally downloaded movies, and software, user said the last visited page was a porn site.  And then another user came up with the same malware, Windows 7 this time, watching porn too. I kept contact with these guys for the next five days. After these five days, they had 10 computers with the same problem, 2 were windows 7, one didn’t watch porn but downloaded illegal software from torrents. I quickly set up a honeypot, installed windows XP, installed a couple debuggers I use a lot, Wireshark, didn’t allow it to update, killed the firewall, didn’t install any antivirus and I started visiting porn sites, I visited A LOT, randomly clicked videos, advertisements… Ok, pause… Do you want to know how I made my penis 30 inches long? I cut it in half dipshit advertisers. After one day I finally was infected after being asked to download and execute an executable. After every restart the malware would start IE with that page asking for money to disinfect. Cool story bro but I am not willing to pay for disinfecting my honeypot. It wouldn’t start though in safe mode.

I went in safe mode and took a copy of the wireshark logs file AND a copy of the registry. I was pretty sure that the malware executed some cmd argument that made IE load that page and somehow made it open full screen, like games do. First thing I noticed in registry was that there was an entry that executed a batch on system boot. Grabbed a copy of the batch and cleaned the registry entry, which was two entries actually in

	
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Both of these entries have the problem of not starting under safe mode, which allowed me to go further. Started normally, everything worked like a charm BUT the virus was still there. The batch was simply a command line argument which executed a .exe file. Grabbed the .exe and loaded it into IDA Pro.

The first thing I noticed was that it didn’t have any antireversing protection. No isDebuggerPresent(), no packer, no obfuscation, not even a checksum. That made my life reaaally easy.  Time to see the internals. The executable had a lot of hardcoded strings, such as the registry values, and some other, possibly debugging strings since they were mostly “Failed to do that”.

The internals… The program was executed the first time by the user, it would call a function, I called it in IDA Pro “IsRegistryCreated” which checked if the registry key was set. If not, it would return 0.  It had a conditional JMP that would set the value of the registry for the batch file(another function call, no parameters). Then it would call another function checking if the batch file existed. Again a Boolean function, it would return 0 if it didn’t, in my case it returned 1. If it was 0, another conditional JMP was taken which called another function which had only one parameter, the path to the batch file, which was again hardcoded and looked like %SYSTEM%/blah/blah/blah . If everything was set the malware called system() and pass it the parameter to the IE and the page, making it fullscreen, “disabling” keys and mouse using two simple things. The mouse couldn’t overpass the borders of the screen (thus not allowing the user to press the X button and terminate the program),  functions inside <windows.h> I think. In order to kill the keys it used the _getch() like someone would do using a keylogger but it checked the input and if it found a match of Ctrl+Alt+Del then it would do nothing(actually block it entirely), if the user used anything other such as [a-z/A-Z,0-9/~-+] it was allowed so that the user could insert the paysafe card credentials and pay for the disinfection. If the user inserted the credentials, the malware would contact a remote host from a .php file and the file would return 1 if the amount and the credentials were right and 0 if not. Then the malware would just delete the batch and the registry entry and prompt the user for a restart.

Summing up, it turned out that about 5000 users had been infected, my sources tell me that the developer was busted. Btw, the host carrying the infection was located somewhere in Romania. Anyway, although it didn’t have any difficulties reversing this, it highlighted again that you don’t need 0day exploits to own someone, you need to find someone fool enough and make him trust you.

End of message 😛

Leave a Reply

Your email address will not be published. Required fields are marked *