Saturday, August 13, 2011

Interesting Malware Trick

Sometimes it's hard to keep from admiring the tricks the various malware purveyors come up with. A couple days ago, my friend Luby (Luby Warning Luby Warning Luby Warning) sent me a malware sample he'd received as an email attachment. The filename was "Changelog_08_08_201atdoc" and its icon gave it the appearance of being a Microsoft Word document:


It would be easy to see that icon and not notice the "doc" part of the filename had no dot between it and the rest of the name to make a proper filename extension.   Fortunately, Luby knows better than to open such an attachment and he started looking into it further, hashing it with FTK Imager. He noticed that when viewing the spreadsheet produced by FTK Imager, that the filename appeared as "Changelog_08_08_201at[U+202E]cod.exe" while copying and pasting the file using Windows Explorer, the filename looked like "Changelog_08_08_201atexe.doc".

He did some research and found that the characters within the brackets represent a Unicode Right to Left Override, where anything after the inserted Unicode control character is reversed in the way it is displayed. Thus, the "cod.exe" is displayed as "exe.doc" but the system still knows what it is and executes it when you double click it. You can read about similar uses of Unicode in this Microsoft Malware Protection Center blog post that came out the same day I received the file from Luby.

I'm sure this is nothing new to many people, but I must admit I'd never heard of such a thing. Like I said above, it's almost hard to keep from admiring cool tricks, but then I remember the reason for the trick and it's not so cool.

I found the executable file was packed with the UPX packer. I uploaded it to Virustotal and found 32 of the virus checkers there recognized the file as malicious:
 
Notice most everything listed under the File name (Submission date, Current Status, etc) is backwards. The Unicode in the file name even affected the VirusTotal display.

Not satisfied with what I'd found so far, I executed the malware file in a Windows XP virtual machine and obtained an image of RAM using the new free tool from Moonsols called DumpIt. I'd been wanting a good opportunity to try out DumpIt and this seemed like as good as any.

I saved the RAM image and moved to my analysis machine where I proceeded to examine it with the awesome Volatility Framework. I decided to obtain a copy of the unpacked executable from RAM and Volatility is perfect for that, using the procexedump plugin. After obtaining the unpacked executable, I uploaded it to VirusTotal and found this:

   
Only 10 out of 43 antivirus products on VirusTotal recognized the unpacked malware. I thought that was kind of interesting. My AV of choice was one of those that didn't recognize it in either the packed or unpacked versions, so I submitted both samples to them so signatures could be created (signatures for both now exist for Vipre Antivirus).

I searched online for some of the names given for this malware by the various AV vendors and only found a little information. I submitted the packed version of the malware to ThreatExpert.com and got a good report. Instead of me retyping it, you can have a look here: ThreatExpert Report.

By the way, I checked the headers from the original email sent to Luby and found it came from Austria. I'm planning to spend a little more time looking at this file soon, but have a couple other projects to take care of first. If I find anything new and interesting, I'll be sure to post about it.

Addendum: I wanted to give the MD5 of the packed exe for those who create their own signatures: FE84E712F52AF7B0F0F3FC58296FEE00.

7 comments:

  1. I posted the issue on Google Plus. I then looked at the source code. All user entered words, after the .doc file name (which had been cut and pasted and therefore retained the unicode) was backwards!

    Note: Jared Myers analyzed the code and said that it resolves to the URL armaturan.ru.

    ReplyDelete
  2. Anything else interesting from Volatility? :-)

    ReplyDelete
  3. Looks like I need to do a part 2 covering more Volatility use. I'm not overly confident in my memory analysis abilities, but Volatility 2.0 sure makes it a lot easier. I just need to learn more about interpreting the data I get from RAM.
    KP

    ReplyDelete
  4. I guess it is the dropper. It performs no materials malicious functions, but only create a droppee.

    I have similar sample, Check here: http://www.threatexpert.com/report.aspx?md5=073e9de932d0094b18cde2a1eb383fbd

    After the code analysis, I found it first create a DLL, then inject the DLL into explorer.exe. It sends encrypted HTTP traffic to a C&C. After a while, (actually, it uploaded some basic information), it downloaded 3 more binaries to perform the actual malicious functions.

    ReplyDelete
  5. @ Ran2

    Very cool, thanks for the info! I still have very much to learn in the area of malware analysis, but am fascinated by the subject. I haven't had time the last couple days to work with this, but hoping on my days off to experiment some more. I appreciate the info!

    ReplyDelete
  6. @KP -- could you please contact me offline.

    abrandt (at) webroot (dot) com

    Cheers!

    -=A

    ReplyDelete
  7. This comment has been removed by a blog administrator.

    ReplyDelete