All malware researchers love strings. They allow us to gain valuable insights into the possible behavior of the sample being investigated. Even IT professionals, who do not research malware professionally, can make good use of these clues.
Here’s a quick example of strings in a malware disassembly listing:
00403100 Security Troubleshooting.url00403120 ot.ico00403128 %s/soft/?c=%1.1d%d%1.1d00403140 Online Security Guide.url0040315C ts.ico00403164 %s/test/?c=%1.1d%d%1.1d0040317C Online Security Test.url00403198 *.securemanaging.com004031B0 *.safetyincludes.com004031C8 *.securewebinfo.com004031DC 126.96.36.199004031EC 188.8.131.5200403300 195.95.*.*0040330C 194.187.*.*00403318 turbocodec.com00403328 flyvideonetwork.com0040333C websoft-c.com0040375C plus-codec.com0040376C freerealitympegs.com00403784 inc-codec.com00403794 user_pref("browser.search.selectedEngine", "Search");004037D0 user_pref("browser.search.selectedEngine"00403840 \profiles.ini00403850 Mozilla\Firefox00403908 Software\Microsoft\Internet Explorer\New Windows\Allow00403940 %sVersion\Internet Settings\ZoneMap\EscDomains\%s004039A8 Domains\%s
Right off the bat, one might guess that there is probably something fishy going on with these domains in relation to Firefox and Internet Explorer settings. A quick google search on some of these domains yields many results which are seemingly related to malware. If the search result is some what ambiguous, a researcher can always plug a string into ThreatExpert to find related malware behavior.
Searching for “securewebinfo.com” on ThreatExpert yields plenty of results. Most of the strings found in this particular sample match up very nicely to the results found, so it is reasonably safe to assume that this sample is probably a variant. However, if the search results were inconclusive, one of the next steps a malware researcher can take is to disassemble the file in the IDA Pro.
What is this malware actually doing with those strings? We are glad you asked!
Below is the image of the strings in the disassembler. The following items are shown moving from left to right: the address in memory where the strings reside, the automatic name IDA gave this location, the string data itself, and last but not least, the cross reference (XREFs).
Navigating to one of the cross references changes the view to an array of string pointers as seen in the image below. This array also contains a cross reference, but to a function this time.
The function seen below was labeled “modify_IEXPLORE_SecurityZones” as it was found to call sub-functions which modify the registry associated with Internet Explorer’s Security Zones.
The last loop in this function, “AddAllowPopup_loop”, executes once for each item in the domain_name_array. Each item in the array will be added to the AllowPopup registry key. The next time Internet Explorer is run, those domains will be allowed to display pop-up windows at will. This code confirms our suspicions of malicious behavior.