Archive for the ‘Undetected malware’ Category

Urlzone/Bebloh Unpacking Stub AntiVM/Anti-Emulation

Wednesday, October 14th, 2009

ThreatFire-protected systems have been preventing Urlzone (also known as Bebloh) for most of the year, while the family has been flying under the radar of most AV vendors. The family has long been in the wild and is a pernicious one, so why the lack of recognition? Let’s take a quick look at some complexities related to the unpacking stub and the file’s delivery.

Multiple variants of the family implement an unpacking stub that burns through anti-emulation time-lock loops intermixed with additive decoding loops, and then transfers control to the underlying layers of the unpacking code by making a service-pack-dependent calculation of the address to which control must be transferred.

All of these calculations are surrounded by garbage code, so let’s strip down the trick to its bare bones: calculations are made, edx is pushed on the stack and control is transferred to that location with a return instruction.

The correct value of edx is arrived at by subtracting a predictable data value copied from a location near the kernel32 module entry point. Kernel32 changes across service packs, so uploading these samples to automation tools may produce varying results, depending on whether the HTTP request the researcher used to download the sample from the distribution web server indicated the same service pack as the one running on the automation system.

So what data may change across service packs and protected OSes? The data preceding and at the entry point of kernel32. The unpacking routine depends on finding, in the PEB (Process Environment Block), the “InLoadOrderModuleList”, which points to the list of modules (DLLs) loaded in the process. This technique is often used in exploit-delivered shellcode (see section 3.2.1 of skape’s paper on using the PEB to find kernel32). The unpacking stub then walks the list to find the pointer to the entry point of kernel32.

A predictable sequence of bytes exists prior to and at kernel32’s entry point per service pack. The calculation in this post is meant for XP SP3; any earlier SP causes the malware to calculate an incorrect location and exit. That predictable sequence also changes if the entry point of kernel32 is hooked: any jmp instruction placed there breaks the control transfer.
Hence the 0x8b909090 value (the three nop bytes prior to kernel32.EP and the push ebp), for use in a sub from their hardcoded value to calculate the final jmp destination.

Following the sub from edx, ebx is discarded. Edx is pushed to the stack for a ret and the malicious execution continues from there…
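The following is an added example, not code from the original post or from the malware: it models the control-transfer calculation just described (hardcoded edx minus the dword read from three bytes before kernel32.EP, then push edx; ret) on constructed entry-point bytes, so an analyst can see why an unexpected service pack or an inline hook sends the stub to the wrong address. The hardcoded constant, the intended target 0x00401000, the prologue bytes and the stub fragment are all constructed for the example; the fs:[30h] and push edx; ret patterns are standard x86 encodings used here only for a naive scan.

```python
import struct

# Dword the post says the stub expects at kernel32.EP - 3 on XP SP3 (90 90 90 8B).
EXPECTED_FINGERPRINT = 0x8B909090
# Hypothetical hardcoded constant (edx), chosen so the intended target is 0x00401000.
HARDCODED_EDX = 0x8BD0A090

def stub_fingerprint(prologue: bytes, ep_offset: int) -> int:
    """The dword the stub reads: four bytes starting three bytes before the entry point."""
    return struct.unpack_from("<I", prologue, ep_offset - 3)[0]

def transfer_target(prologue: bytes, ep_offset: int, hardcoded: int = HARDCODED_EDX) -> int:
    """Model of 'sub edx, ebx; push edx; ret': the ret lands on hardcoded - fingerprint."""
    return (hardcoded - stub_fingerprint(prologue, ep_offset)) & 0xFFFFFFFF

def stub_would_run(prologue: bytes, ep_offset: int) -> bool:
    """True only when the bytes match what the stub was built for (expected SP, no hook)."""
    return stub_fingerprint(prologue, ep_offset) == EXPECTED_FINGERPRINT

# Constructed kernel32 entry prologues (not dumped from a real system).
SP3_LIKE = b"\x90" * 5 + b"\x8B\xFF\x55\x8B\xEC"  # nop padding; mov edi,edi; push ebp; mov ebp,esp
HOOKED = b"\x90" * 5 + b"\xE9\x00\x10\x00\x00"    # same padding, entry point overwritten with a jmp
EP_OFFSET = 5  # the entry point sits after the five padding nops

# Patterns a sandbox or scanner can flag in the stub: PEB reads via fs:[30h] and the
# 'push edx; ret' transfer. The garbage code between them is why each pattern is
# searched for independently rather than as one contiguous sequence.
PEB_READS = {
    b"\x64\xA1\x30\x00\x00\x00": "mov eax, fs:[30h]",
    b"\x64\x8B\x15\x30\x00\x00\x00": "mov edx, fs:[30h]",
    b"\x64\x8B\x1D\x30\x00\x00\x00": "mov ebx, fs:[30h]",
}
PUSH_EDX_RET = b"\x52\xC3"

def scan_stub(code: bytes) -> dict:
    """Offsets of PEB access and 'push edx; ret' in a code blob (byte match, no disassembly,
    so 'push edx; ret' alone is a weak indicator and is only meaningful next to a PEB read)."""
    found = {}
    for pattern, name in PEB_READS.items():
        off = code.find(pattern)
        if off != -1:
            found[name] = off
    off = code.find(PUSH_EDX_RET)
    if off != -1:
        found["push edx; ret"] = off
    return found

# Constructed stub fragment: garbage, PEB read, garbage, sub edx,ebx, push edx, ret.
STUB_FRAGMENT = b"\x90\x40\x48" + b"\x64\xA1\x30\x00\x00\x00" + b"\x87\xDB" + b"\x2B\xD3" + PUSH_EDX_RET
```

On the SP3-like bytes the modelled ret lands on the intended 0x00401000; on the hooked prologue the fingerprint becomes 0xE9909090 and the target wraps to an unrelated address, which is the behaviour the post attributes to hooks and older service packs.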

Headline Malware Downloaders

Wednesday, September 2nd, 2009

The relentless group pushing malicious downloaders, which are most often crafted to appear as video codecs and are also packaged with cracks, underground key generators, and blackhat SEO schemes, this week moved its warez from 95.211.8.21 to 64.20.55.163. The server now hosts files with names similar to “flash-plugin_update.45031.exe” (the number in the name changes per download).

A number of domains resolve to that IP address, 64.20.55.163.

ThreatFire is preventing the malicious downloaders in high volumes and currently is the most reliable solution for detecting this family. Scanning the files as they are downloaded and run by users shows dismal detection rates, as the downloaders evade detection with frequent repacking and obfuscation. Be sure to add a behavioral solution that can definitively recognize entire families of malware like this one reliably, and do your best to ensure that the software that you are downloading and installing is coming from a trustworthy source.

Your Computer is Infected!, Probably Because of that Bredolab Attachment

Tuesday, September 1st, 2009

Last week’s Bredolab post generally described the ongoing downloader’s email blasts and the malicious injector/downloader’s static and dynamic characteristics. Here are a few more screenshots of the moneymaker payload. This payload currently is the rogueware/scareware “PC AntiSpyware 2010”, which also has been distributed in a number of other ways over the past few months.

First off, users are prompted with the all-too-familiar, inaccurate and scary taskbar balloon “Your Computer is Infected! Windows has detected spyware infection!”.

The software then pops an attractive dialog, appearing to scan the drive and find infections. So far in this screenshot it incorrectly reported 34 infections on our clean lab machine:

Even on our clean lab system, the user is also prompted with a series of phony malware detections. This one appears to be “Email-Worm.JS.Gigger”, which they claim can “reformat the user’s hard disk after reboot”:

A registration page will eventually pop up, which redirects the user to a page to register the software for a “Lifetime Software License – 89.95 USD One Time Charge”.

The home page for the site includes a set of supposed “Testimanials” and a list of award logos that they have never achieved:

This site’s installer, “installer2.exe”, is served up from a site hosted in London:
uliondarvasoka.com
216.86.144.130

As warned in the previous post, always be suspicious of attachments that arrive via email, software being delivered from web sites that don’t seem to be trustworthy, and add a behavioral layer of protection to your system.