Saturday, August 13, 2011

Interesting Malware Trick

Sometimes it's hard to keep from admiring the tricks the various malware purveyors come up with. A couple of days ago, my friend Luby (Luby Warning) sent me a malware sample he'd received as an email attachment. The filename was "Changelog_08_08_201atdoc" and its icon gave it the appearance of being a Microsoft Word document:

It would be easy to see that icon and not notice that the "doc" part of the filename had no dot between it and the rest of the name to make a proper filename extension. Fortunately, Luby knows better than to open such an attachment, and he started looking into it further, hashing it with FTK Imager. He noticed that when viewing the spreadsheet produced by FTK Imager, the filename appeared as "Changelog_08_08_201at[U+202E]cod.exe", while when copying and pasting the file using Windows Explorer, the filename looked like "Changelog_08_08_201atexe.doc".

He did some research and found that the characters within the brackets represent a Unicode Right-to-Left Override (U+202E), a bidirectional control character that forces everything after it to be displayed right to left, i.e. reversed, until the end of the string or a Pop Directional Formatting character. The control character itself is invisible, so Windows Explorer draws "cod.exe" as "exe.doc" and the name appears to end in ".doc". The actual filename still ends in ".exe", and that real extension, not the displayed one, is what the system uses to decide how to open the file, so double-clicking it executes it. You can read about similar uses of Unicode in this Microsoft Malware Protection Center blog post that came out the same day I received the file from Luby.
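To make the trick concrete, here is a small added example (my own code, not from the original post or from Luby) that takes an attachment name, lists any Unicode bidirectional control characters it contains, approximates how a naive renderer would display it, and compares the displayed extension with the real one. The sample filename is constructed from the one described above; the display simulation assumes plain ASCII text after the override (which is what the real sample has), since the full Unicode bidi algorithm is more involved than a simple reversal.

```python
import unicodedata

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING, terminates an override/embedding

# Explicit bidi controls: embeddings, overrides, isolates and their terminators.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}

# Constructed sample: the real name ends in ".exe", the displayed one in ".doc".
SAMPLE = "Changelog_08_08_201at" + RLO + "cod.exe"


def find_bidi_controls(name):
    """Return (index, 'U+XXXX', unicode name) for every bidi control in name."""
    return [
        (i, "U+%04X" % ord(ch), unicodedata.name(ch))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]


def strip_controls(name):
    """The filename as the operating system actually uses it, minus the controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name):
    """Extension the OS will act on: text after the last dot of the real name."""
    real = strip_controls(name)
    return real.rsplit(".", 1)[1].lower() if "." in real else ""


def displayed_name(name):
    """Approximate what a user sees: text after an RLO is drawn reversed until
    a PDF or the end of the string (assumption: ASCII-only runs, so reversal
    is an accurate stand-in for right-to-left rendering)."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1               # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def displayed_extension(name):
    shown = displayed_name(name)
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def is_suspicious(name):
    """Flag names containing bidi controls whose displayed extension differs
    from the one the OS will use, which is exactly the RLO attachment trick."""
    return bool(find_bidi_controls(name)) and displayed_extension(name) != true_extension(name)


if __name__ == "__main__":
    for n in (SAMPLE, "report.doc"):
        print(repr(n), find_bidi_controls(n), displayed_name(n),
              true_extension(n), is_suspicious(n))
```

A mail gateway or attachment scanner can apply `is_suspicious` to every attachment name; in practice there is rarely a legitimate reason for a bidi control character to appear in a filename at all, so simply rejecting or renaming names that contain one is a reasonable policy.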

I'm sure this is nothing new to many people, but I must admit I'd never heard of such a thing. Like I said above, it's almost hard to keep from admiring cool tricks, but then I remember the reason for the trick and it's not so cool.

I found the executable file was packed with the UPX packer. I uploaded it to Virustotal and found 32 of the virus checkers there recognized the file as malicious:
Notice that almost everything listed under the file name (Submission date, Current status, etc.) is backwards. The Unicode override in the file name even affected the VirusTotal display.
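For anyone who wants to check the packing for themselves, here is an added example (my own code, not from the original post, and not using any third-party PE library) that parses the section table of a PE file, reports the section names, flags the usual UPX indicators, and computes the MD5 that you would submit to an AV vendor. Since the actual sample is not reproduced here, the block builds two constructed PE headers inline: one with the UPX0/UPX1/.rsrc layout UPX produces and one with ordinary .text/.data sections.

```python
import hashlib
import struct


def build_pe(section_specs):
    """Construct a minimal PE32 header with the given sections (test fixture only).
    section_specs: (name, virtual_size, virtual_address, raw_size, raw_pointer)."""
    dos = bytearray(b"MZ" + b"\0" * 62)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_specs), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)   # PE32 optional header, zeroed
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr,
                    0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize, rawptr in section_specs
    )
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


# Constructed fixtures: UPX0 has no raw data (it is the unpacking destination),
# UPX1 holds the compressed image; the second file looks like a normal compile.
UPX_SAMPLE = build_pe([
    (b"UPX0", 0x1A000, 0x1000, 0, 0x400),
    (b"UPX1", 0xB000, 0x1B000, 0xA200, 0x400),
    (b".rsrc", 0x1000, 0x26000, 0x600, 0xA600),
])
NORMAL_SAMPLE = build_pe([
    (b".text", 0xF00, 0x1000, 0x1000, 0x400),
    (b".data", 0x200, 0x2000, 0x200, 0x1400),
])


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size           # 24 = signature + COFF header
    result = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        result.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": rawsize,
        })
    return result


def packer_indicators(data):
    """Heuristics for UPX: its default section names, and a section that occupies
    memory but has no data on disk (the stub decompresses into it at run time)."""
    secs = pe_sections(data)
    hints = []
    if any(s["name"].startswith("UPX") for s in secs):
        hints.append("UPX section names")
    empty = [s["name"] for s in secs if s["raw_size"] == 0 and s["virtual_size"] > 0]
    if empty:
        hints.append("zero-raw-size sections: " + ",".join(empty))
    return hints


def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()


if __name__ == "__main__":
    for label, blob in (("upx", UPX_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(label, [s["name"] for s in pe_sections(blob)], packer_indicators(blob), md5_hex(blob))
```

Section names are only a hint: UPX lets the author rename them and other packers leave similar zero-raw-size sections, so treat a positive result as a reason to unpack (for UPX, `upx -d`) or to dump the process from memory as described below, not as proof on its own.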

Not satisfied with what I'd found so far, I executed the malware file in a Windows XP virtual machine and obtained an image of RAM using the new free tool from Moonsols called DumpIt. I'd been wanting a good opportunity to try out DumpIt, and this seemed as good an opportunity as any.

I saved the RAM image and moved to my analysis machine where I proceeded to examine it with the awesome Volatility Framework. I decided to obtain a copy of the unpacked executable from RAM and Volatility is perfect for that, using the procexedump plugin. After obtaining the unpacked executable, I uploaded it to VirusTotal and found this:

Only 10 out of 43 antivirus products on VirusTotal recognized the unpacked malware. I thought that was kind of interesting. My AV of choice was one of those that didn't recognize it in either the packed or unpacked versions, so I submitted both samples to them so signatures could be created (signatures for both now exist for Vipre Antivirus).

I searched online for some of the names given to this malware by the various AV vendors and only found a little information. I submitted the packed version of the malware to ThreatExpert and got a good report. Instead of me retyping it, you can have a look here: ThreatExpert Report.

By the way, I checked the headers from the original email sent to Luby and found it came from Austria. I'm planning to spend a little more time looking at this file soon, but have a couple other projects to take care of first. If I find anything new and interesting, I'll be sure to post about it.

Addendum: I wanted to give the MD5 of the packed exe for those who create their own signatures: FE84E712F52AF7B0F0F3FC58296FEE00.