Archive for the ‘Unpack’ Category

Keeping strings real – Part I

Tuesday, May 20th, 2008

All malware researchers love strings. They allow us to gain valuable insights into the possible behavior of the sample being investigated. Even IT professionals, who do not research malware professionally, can make good use of these clues.

Here’s a quick example of strings in a malware disassembly listing:

00403100 Security Troubleshooting.url00403120 ot.ico00403128 %s/soft/?c=%1.1d%d%1.1d00403140 Online Security Guide.url0040315C ts.ico00403164 %s/test/?c=%1.1d%d%1.1d0040317C Online Security Test.url00403198 *.securemanaging.com004031B0 *.safetyincludes.com004031C8 *.securewebinfo.com004031DC 85.255.117.158004031EC 88.255.74.19700403300 195.95.*.*0040330C 194.187.*.*00403318 turbocodec.com00403328 flyvideonetwork.com0040333C websoft-c.com0040375C plus-codec.com0040376C freerealitympegs.com00403784 inc-codec.com00403794 user_pref("browser.search.selectedEngine", "Search");004037D0 user_pref("browser.search.selectedEngine"00403840 \profiles.ini00403850 Mozilla\Firefox00403908 Software\Microsoft\Internet Explorer\New Windows\Allow00403940 %sVersion\Internet Settings\ZoneMap\EscDomains\%s004039A8 Domains\%s

Right off the bat, one might guess that there is probably something fishy going on with these domains in relation to Firefox and Internet Explorer settings. A quick google search on some of these domains yields many results which are seemingly related to malware. If the search result is some what ambiguous, a researcher can always plug a string into ThreatExpert to find related malware behavior.

Searching for “securewebinfo.com” on ThreatExpert yields plenty of results. Most of the strings found in this particular sample match up very nicely to the results found, so it is reasonably safe to assume that this sample is probably a variant. However, if the search results were inconclusive, one of the next steps a malware researcher can take is to disassemble the file in the IDA Pro.

What is this malware actually doing with those strings? We are glad you asked!

Below is the image of the strings in the disassembler. The following items are shown moving from left to right: the address in memory where the strings reside, the automatic name IDA gave this location, the string data itself, and last but not least, the cross reference (XREFs).

Navigating to one of the cross references changes the view to an array of string pointers as seen in the image below. This array also contains a cross reference, but to a function this time.

The function seen below was labeled “modify_IEXPLORE_SecurityZones” as it was found to call sub-functions which modify the registry associated with Internet Explorer’s Security Zones.

The last loop in this function, “AddAllowPopup_loop”, executes once for each item in the domain_name_array. Each item in the array will be added to the AllowPopup registry key. The next time Internet Explorer is run, those domains will be allowed to display pop-up windows at will. This code confirms our suspicions of malicious behavior.

AMTSO and CARO Workshop

Tuesday, May 6th, 2008

The AV industry was busy this past week amongst the blooming tulips in Hoofddorp, the Netherlands. Both an AMTSO conference and a CARO workshop was held the last three days of the week.

A large group of attendees arrived for the Wednesday all-day testing standards meeting, with more journalists in attendance than before. It was encouraging to see, because one of the AMTSO’s formative goals has been to invite and include representatives from all parts of the computer security industry. Progress is being made toward a set of testing standards for anti-malware products for everyone involved.

The CARO workshop followed on Thursday and Friday, with presentations focusing on malware obfuscation from the AV industry’s perspective (googling “datasecurity event caro” provides a link to the home page). The opening talk by Paul Ducklin from Sophos set the tone for most of the event — legitimate compressors/packers are acceptable and good (according to a number of individuals in the AV scanner business), while software protection solutions like Themida and SVKP are unacceptable and evil (to a number of individuals in the AV scanner business).
It was interesting that while AV vendors and Ilfak Guilfanov of IDA Pro/Hex Rays spoke and gave presentations over the two days, none of the developers or vendors from Themida or ASProtect (a couple of software protection systems that were referred to in the presentations) were invited or presented their thoughts.

Even at the workshop, it seems that there remains disagreement on how the industry should handle software obfuscation, and there remains a sense that software obfuscation is a major source of problems for the AV industry. Whether it’s due to difficulties in emulation, performance issues when unpacking, the complexities of the virtualization packers (where Sophos’ Boris Lau showed that a single NOP instruction can be easily and inexpensively be translated into over 50 virtual instructions) or simply disagreement over how to identify what is behind software protection, it continues to be a weakness for traditional AV scanners.
Just to give an idea of the volume of difficulties and tricks that researchers have to develop methods to deal with, Peter Ferrie’s paper was presented by Mady Marinescu of Microsoft, and in it he enumerated over 50 anti-unpacking tricks commonly seen in packers and often seen in malware.
Presenters also included evaluations of the proportions of malware seen packed by specific packers and various approaches to dealing with them, including blacklisting. It seems that it is easier to include this approach in a scanner than to have to actually implement an unpacker in a scanner for all the different varieties of packers. Blacklisting is cheap and easy, but is more prone to causing fp’s, and often decisions to blacklist may be debatable.
We will see what this turn away from extremely low false positive rates will do to the major advantage that the scanners had over behavioral based solutions.

From the perspective of an individual pushing a behavioral solution that solves for the difficulties that scanners have with obfuscation, it is somewhat easy to be critical of AV scanner products’ inability to continue performing with such a low level of false positives and exacting matches in the face of ongoing obfuscation and “server-side polymorphism”/”rapid release” techniques currently used by malware distributors to evade the AV solutions. The complexity and difficulties are high for the guys trying to develop elegant and effective AV solutions to these problems.
We’ll see more of this obfuscation topic, but from the “hackers” perspective, when defcon’s “Race To Zero” contest is held this fall.

Reversing a suspicious dll continued

Monday, December 31st, 2007

In a post earlier this month, I presented steps for unpacking and restoring the IT/IAT of a suspicious BHO for analysis purposes. In that case, it was packed with a tool called “Upack”, otherwise known as the “Ultimate PE Packer” by its author Dwing. Upack often is used on executable files around 40kb in size. It compresses the file’s contents with the LZMA algorithm and adds an unpacking stub to the target file for self-decompressing at runtime.
In other words, to make a file smaller for download and delivery without requiring a decompression utility like WinZip or WinRar to already be installed on another system at runtime, an author can compress their executable creation with this tool.
This posting will work with the PE file that was recreated from that previous work.

Here are some of the steps we used to work on this file, leaving off at the last step to identify some behaviors of this malicious file:
Change PE file to .exe in PE header, rename dll to exe extension
Load into Ollydbg
Find OEP (original entry point) — pretty easy with Upack
Break at oep and dump file from memory to disk
Fixup IAT with ImpRec and write to dumped file
Rename fixed file and modify PE header back to dll
Load into IDA Pro 5.1 with the IDA Python plugin installed…

When we load this file into IDA Pro, the disassembler now can provide a listing that can be used to reverse engineer the component’s functionality. Without properly unpacking the file and fixing up the imports, the disassembler cannot analyze the code.
However, the listing doesn’t seem to immediately reveal much about the component’s activity. But knowing that this component is a BHO helps identify key areas for reversing progress. We do see fundamental Win32 API calls like “AtlInternalQueryInterface” and “AtlComPtrAssign”, leaving clues about COM programming within the component. The location of these calls can lead us further down the control flow to locations where COM calls can be further analyzed and easily understood. Joe Stewart published information about reversing OLE, but this code is more complex than a common SubmitHook trojan.
Frank Boldewin’s Python scripts come in handy for walking through these COM calls — the listing now reveals a section where the code obtains the “document” interface within the web browser and enumerates its connection points. We can set memory breakpoints on these sections for further analysis, and when we visit various banking web sites, we can see that the BHO is building an event sink:

Once the event sink is set, GetKeyState is then called on “KEY_DOWN” events. The component can check on each individual keystroke as they are hit. And it appears that the only keystrokes being checked are the ones emanating from the userid and pass input fields.

So, we’ve got a dll that identifies Urls of banks and other financial institutions and, after parsing and identifying an “interesting” Url, then constructs an event sink attached to very specific fields within the browser’s web page — namely, userid and password input fields. This ActiveX component will log these keystrokes and send them off the system. The component calls “HttpSendRequestA” to send off the banking usernames and passwords it just collected from these fields. I think that we’ve found an interesting piece of malware, quite possibly a password stealer for banking websites. We’ll add more technical detail to this post as time permits.
It helps to be able to dump this file and modify it for static analysis.