The following is part 1 of a series of 3 blog posts in which we go through an information-stealing malware sample. We will discuss the type of information it is interested in, as well as the way it stores this information and sends it to the attacker's FTP server. Furthermore, we will give an overview of a few anti-reversing tricks that we located during the analysis of this malware.

Introduction

Recently, we identified a malware sample whose sole purpose was to steal information, including login credentials and other host-related information. This is, of course, nothing new. What we found interesting about this particular sample was that the malware does not attempt to achieve persistence on the ‘infected’ host.

In fact, the host never actually gets ‘infected’ in the typical sense of the word. The malware is designed to run once, steal specific information and then ‘die’. We also identified several anti-reversing techniques in the code, yet interestingly these functions are never called by the program during execution.

This technical article will focus on what happens upon execution, starting from the initial decryption/loading process, before dealing with the information-stealing process and the way the malware attempts to compress, encrypt and exfiltrate the data from the ‘infected’ target host. An overview of the anti-reversing techniques will also be presented. Although they are not called by the malware in this particular case, they are nonetheless interesting to analyse and discuss.

Initial Loading Stage

The malicious code is hidden under two layers of protection against antivirus scanners. The first layer is just the UPX packer, which is very commonly used for compressing malware due to its simplicity and its code compression capabilities.

The next layer is a highly obfuscated decryption stub (see the ‘Breaking Static Detections‘ article), which decrypts the virus body with a custom encryption algorithm. The same algorithm is used to achieve polymorphism of the viral code (the encrypted body changes with the key), while the junk-code obfuscation applied over the decryption algorithm allows quick future changes to the decryption stub, achieving some degree of metamorphism over that layer of code.

In other words, by interleaving a lot of junk instructions that have no real effect on execution with the effective instructions of the decryption stub, the author can keep the decryption algorithm unchanged and modify only the junk instructions. That is enough to break any static detection that relies on those code blocks, since a byte signature over the stub no longer matches.

Once the decryption stub has finished decrypting the code section, execution continues at the original entry point of the originally compiled executable. Next, another function is called that decrypts non-executable data through a custom XOR-based algorithm. This data includes the Windows DLL and API names for the dynamic importing that follows, as well as other data strings used later by the rest of the malware's functions (Appendix A, A.1). The routine is a repeating-key XOR with a 16-byte key: ESI points to the encrypted data, EDI to the output buffer, EBX to the key, EDX holds the key index and ECX the number of bytes to process.

key: 57 78 C9 F8 90 C7 40 A1 12 64 F3 E4 46 D1 9A 2C

00401F44    83FA 10         CMP     EDX, 10                     ←  reached the last byte of the 16-byte key?
00401F47    0F85 02000000   JNZ     00401F4F                    ←  no: keep the current key index
00401F4D    33D2            XOR     EDX, EDX                    ←  yes: zero the key index and continue with the next byte
00401F4F    AC              LODS    BYTE PTR DS:[ESI]           ←  AL = next encrypted byte
00401F50    32041A          XOR     AL, BYTE PTR DS:[EDX+EBX]   ←  XOR with the current key byte, key[EDX]
00401F53    AA              STOS    BYTE PTR ES:[EDI]           ←  store the decrypted byte
00401F54    42              INC     EDX                         ←  advance the key index
00401F55    83E9 01         SUB     ECX, 1                      ←  decrement the byte counter
00401F58    0F85 E6FFFFFF   JNZ     00401F44                    ←  loop until ECX reaches zero

The same routine is called once more with a different key (A4 B8 06 E0 A3 A4 1C 4E 07 EE 1F E3 D8 26 C8 6E) to decrypt another chunk of non-executable data embedded as a resource (Appendix A, A.2). As a next step, the malware dynamically imports all the Windows APIs it needs using the LoadLibrary and GetProcAddress APIs, as illustrated in Figures 1 to 3.
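The following Python re-implementation of the loop above is an added example for this write-up; it is not code from the original post or from the malware. It mirrors the register roles of the stub, works with either of the two keys quoted in the text, splits the output into the NUL-separated strings seen in Appendix A.1, and recovers the key from 16 bytes of known plaintext, which is how an analyst would extract the key without stepping through the stub. The sample ciphertext is constructed here by encrypting a handful of the API names from A.1 with the first key; it is not data taken from the sample.

```python
"""Repeating-key XOR as implemented by the stub at 00401F44 (added example)."""
from typing import List

# Keys quoted in the article (A.1 data and A.2 resource respectively).
KEY_A1 = bytes.fromhex("5778C9F890C740A11264F3E446D19A2C")
KEY_A2 = bytes.fromhex("A4B806E0A3A41C4E07EE1FE3D826C86E")


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Mirror of the loop: ESI=data, EDI=output, EBX=key, EDX=key index, ECX=count."""
    if len(key) != 16:
        raise ValueError("the stub compares EDX against 0x10, so the key is 16 bytes")
    out = bytearray()
    edx = 0
    for b in data:                 # LODS ... SUB ECX,1 / JNZ 00401F44
        if edx == 0x10:            # CMP EDX,10 / JNZ / XOR EDX,EDX
            edx = 0
        out.append(b ^ key[edx])   # XOR AL,[EDX+EBX] / STOS
        edx += 1                   # INC EDX
    return bytes(out)


xor_encrypt = xor_decrypt  # XOR with the same key stream is its own inverse


def split_strings(blob: bytes) -> List[str]:
    """Split a decrypted block into its NUL-separated strings (the '.' in A.1)."""
    return [s.decode("latin-1") for s in blob.split(b"\x00") if s]


def recover_key(cipher: bytes, known_plain: bytes, offset: int = 0) -> bytes:
    """Known-plaintext attack on the scheme.

    Predictable strings (DLL and API names) give the key stream as
    cipher XOR plain; 16 consecutive known bytes yield the whole key,
    rotated by the key index in use at `offset`.
    """
    if len(known_plain) < 16:
        raise ValueError("need at least 16 bytes of known plaintext")
    stream = bytes(c ^ p for c, p in zip(cipher[offset:offset + 16], known_plain[:16]))
    shift = offset % 16
    return stream[-shift:] + stream[:-shift] if shift else stream


# Constructed sample (not from the malware): a few A.1 names, NUL separated.
SAMPLE_PLAIN = (b"psapi.dll\x00EnumProcesses\x00wininet.dll\x00"
                b"FtpPutFileA\x00UFR_Stealer_2600\x00")
SAMPLE_CIPHER = xor_encrypt(SAMPLE_PLAIN, KEY_A1)

if __name__ == "__main__":
    decrypted = xor_decrypt(SAMPLE_CIPHER, KEY_A1)
    assert decrypted == SAMPLE_PLAIN
    for name in split_strings(decrypted):
        print(name)
    # An analyst who guesses that the blob starts with "psapi.dll\0EnumPr"
    # gets the key back without touching the decryption stub.
    print(recover_key(SAMPLE_CIPHER, SAMPLE_PLAIN[:16]).hex().upper())
```

Because the key repeats every 16 bytes, any 16 consecutive known plaintext bytes suffice, wherever they sit in the blob; `recover_key` takes the offset so the recovered bytes can be rotated back into the order the stub indexes them.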

Figure 1. Networking APIs

Figure 2. Info Retrieval & Crypto APIs

Figure 3. Data Compression APIs

Finally, before the information-stealing stage starts, the malware creates a named mutex object called "UFR_Stealer_2600" (Figure 4). This doubles as a check that a mutex of the same name does not already exist, which would imply that another instance of the malware is already running (the usual pattern is a CreateMutex call followed by a GetLastError check for ERROR_ALREADY_EXISTS). If the mutex already exists, the malware terminates itself immediately so as not to interfere with the running instance. A fixed mutex name like this is also a cheap host-based indicator for the sample.

Figure 4. MutexName

Conclusion

This part of the article focused on the steps undertaken during the initial stage of execution of the malware. In the next part a discussion on some networking activity performed by the malware will be presented. The information stealing stage will also be examined in order to evaluate the importance of the data targeted by the malware.

Written by: Kyriakos Economou of Portcullis.


Appendix A

A.1 Decrypted Data

00411000  .psapi.dll.EnumProcesses.GetModuleFileNameExA.shell32.dll.ShellE
00411040  xecuteA.SHGetSpecialFolderPathA.netapi32.dll.NetUserEnum.NetApiB
00411080  ufferFree.wininet.dll.FtpSetCurrentDirectoryA.InternetOpenA.FtpP
004110C0  utFileA.FtpOpenFileA.InternetConnectA.InternetCloseHandle.FtpCre
00411100  ateDirectoryA.InternetOpenUrlA.InternetReadFile.ws2_32.dll.htons
00411140  .inet_addr.gethostname.gethostbyname.connect.closesocket.WSAStar
00411180  tup.socket.send.inet_ntoa.recv.advapi32.dll.GetUserNameA.RegClos
004111C0  eKey.RegEnumKeyExA.RegEnumValueA.RegOpenKeyExA.RegQueryValueExA.
00411200  CredEnumerateA.CredFree.CryptAcquireContextA.CryptCreateHash.Cry
00411240  ptDestroyHash.CryptGetHashParam.CryptHashData.CryptReleaseContex
00411280  t.CryptDestroyKey.CryptEncrypt.CryptExportKey.CryptGenKey.OpenPr
004112C0  ocessToken.GetUserNameW.CryptImportKey.CryptDecrypt.shlwapi.dll.
00411300  PathMatchSpecA.PathFindFileNameA.PathFindExtensionA.StrToIntExA.
00411340  crypt32.dll.CryptUnprotectData.ole32.dll.CoUninitialize.CoInitia
00411380  lize.CoCreateInstance.CoTaskMemFree.ntdll.dll.RtlGetCompressionW
004113C0  orkSpaceSize.RtlCompressBuffer.urlmon.dll.URLDownloadToFileA.X:\
00411400  .SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.HARDWARE\DE
00411440  SCRIPTION\System\CentralProcessor\0.ProcessorNameString.Identifi
00411480  er.SOFTWARE\Microsoft\Windows NT\CurrentVersion.ProductId.Digita
004114C0  lProductId.BCDFGHJKMPQRTVWXY2346789.DisplayName.Trololo.http://w
00411500  hatismyip.akamai.com.http://whatismyip.everdot.org/ip.http://wha
00411540  tismyip.org.open.\. ......_._. -> .  .-....%02hu-%02hu-%hu_%02hu
00411580  -%02hu-%02hu.FTP.*.File-Paths.txt.Files-Are-Copied.txt.APPDATA.U
004115C0  FR_Stealer_2600.%lu......HARDWARE\DESCRIPTION\System.SystemBiosV
00411600  ersion.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234
00411640  56789+/ABCDABCDABCD.--...Content-Disposition: form-data; name="m
00411680  yfile"; filename="."..Content-Type: application/octet-stream....
004116C0  .POST . HTTP/1.1..Host: ...Connection: close..Content-Type: mult
00411700  ipart/form-data; boundary=...Content-Length: .The Wireshark Netw
00411740  ork Analyzer.gdkWindowToplevel.PROCEXPL.PROCMON_WINDOW_CLASS.Fil
00411780  eMon.exe.RegMon.exe.SbieDll.dll..exe.%s%s%s%s%s.%s%s%s%s%s%s%s%s
004117C0  %s%s%s.ComSpec./c del "." >> NUL.EHLO server...AUTH LOGIN...MAIL
00411800  FROM:<.RCPT TO:<.>...DATA...Subject: .......QUIT...Content-Type
00411840  : application/octet-stream; name="%s"..Content-Disposition: atta
00411880  chment; filename="%s"..Content-Transfer-Encoding: base64...UFR S
004118C0  tealer Report [ %s ].Windows Registry Editor Version 5.00.....Re
00411900  gistry-Grabbing.reg.00,.%02X,.[%s\%s]..."%s"=hex(%x):.HKEY_CLASS
00411940  ES_ROOT.HKEY_CURRENT_USER.HKEY_LOCAL_MACHINE.HKEY_USERS.report_.
00411980  .bin.NO_PWDS_.\Google\Chrome\User Data\Default\.Login Data.Web D
004119C0  ata......Software\Far\Plugins\FTP\Hosts.Software\Far18\Plugins\F
00411A00  TP\Hosts.Software\Far2\Plugins\FTP\Hosts.HostName.Password.User.
00411A40  APPDATA.FileZilla\recentservers.xml.FileZilla\sitemanager.xml.<S
00411A80  erver>.</Server>.<Host>.</Host>.<User>.</User>.<Pass>.</Pass>.So
00411AC0  ftware\Mozilla\Mozilla Firefox.CurrentVersion.Install Directory.
00411B00  \Mozilla\Firefox\Profiles\.%s\%s\Main.%s%s\signons.sqlite.SELECT
00411B40  hostname, encryptedUsername, encryptedPassword FROM moz_logins.
00411B80  nss3.dll.sqlite3.dll.mozsqlite3.dll.NSS_Init.PK11_GetInternalKey
00411BC0  Slot.PK11_Authenticate.PK11SDR_Decrypt.NSS_Shutdown.PK11_FreeSlo
00411C00  t.NSSBase64_DecodeBuffer.sqlite3_open16.sqlite3_exec.sqlite3_clo
00411C40  se.SOFTWARE\Mozilla\Mozilla Thunderbird.\Thunderbird\Profiles\.0
00411C80  x.SOFTWARE\FlashFXP.InstallerDataPath.InstallerDathPath.quick.da
00411CC0  t.Sites.dat.IP.user.pass.created.yA36zA48dEhfrvghGRg57h5UlDv3..S
00411D00  oftware\Google\Google Talk\Accounts.pw....i.b....5}O.}H.........
00411D40  ...............S.t.o.r.e.d.P.a.s.s.w.o.r.d...APPDATA.ICQ\.%s%s\O
00411D80  wner.qdb.%s%s\Owner.mdb.pstorec.dll.PStoreCreateInstance.interne
00411DC0  t explorer.Software\Microsoft\Internet Explorer\IntelliForms\Sto
00411E00  rage2.@J7<.....}...iF.............O.®8?.%02X.WindowsLive:name=*.
00411E40  \Miranda\.%s%s\%s.dat.%d.AM_BaseProtoLoginNamLoginPassworAPPDATA
00411E80  .Mra\Update\ver.txt.Software\Mail.Ru\Agent\magent_logins3.####pa
00411EC0  ssword.Passport.Net\*...........................................
00411F00  ................................Opera\Opera\wand.dat.profile\wan
00411F40  d.dat.Software\Opera Software.Last Directory3.Last Install Path.
00411F80  APPDATA..purple\accounts.xml.<account>.</account>.<protocol>.</p
00411FC0  rotocol>.<name>.</name>.<password>.</password>.%s%s\%s.qip......
00412000  .\QIP\Profiles\.Software\Microsoft\Windows\CurrentVersion\Uninst
00412040  all\QIP Infium.InstallLocation.Profiles\*.Software\Microsoft\Win
00412080  dows\CurrentVersion\Uninstall\QIP 2005.InstallLocation.Users\*.%
004120C0  s%s\Config.ini.Main.Custom2.SmartFTP\Client 2.0\Favorites\Quick
00412100  Connect\.<Name>.</Name>.<Host>.</Host>.<User>.</User>.<Password>
00412140  .</Password>.%s%s.\The Bat!\.%s%s\Account.cfn.%s%s\Account.cfg.S
00412180  oftware\Ghisler\Total Commander.FtpIniName.InstallDir.host.usern
004121C0  ame.password.%

A.2 Decrypted Resource Data (second key)

0044E198   00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00  ................
0044E1A8   00 00 63 73 2D 70 72 6F 6D 6F 74 69 6F 6E 2E 75  ..cs-[deleted].u
0044E1B8   63 6F 7A 2E 72 75 00 0E 00 00 00 30 63 73 2D 70  coz.ru.....0cs-[
0044E1C8   72 6F 6D 6F 74 69 6F 6E 00 09 00 00 00 6C 6F 6C  deleted].....lol
0044E1D8   6C 6F 6C 36 33 00 01 00 00 00 00 01 00 00 00 00  lol63...........
0044E1E8   00 0A 00 00 00 75 66 72 5F 66 69 6C 65 73 00 00  .....ufr_files..
0044E1F8   00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 55  ...............U
0044E208   46 52 5F 53 74 65 61 6C 65 72 00 00 00 00 00 00  FR_Stealer......
0044E218   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0044E228   00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00  ................

Note: Part of the malicious URL was replaced with [deleted] for safety reasons. You can use the hex bytes to reconstruct it.
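In the dump above each string is immediately preceded by a little-endian DWORD holding its length including the terminating NUL (0x15 before the 20-character hostname, 0x0A before "ufr_files", 0x0C before "UFR_Stealer"), with fields of unknown meaning in between. The Python carver below is an added example, not code from the original post, that pulls such strings out of a blob of this shape by scanning every offset rather than assuming a fixed record layout. The sample blob is constructed here with placeholder values (ftp.example.invalid, ftpuser, hunter2); only the framing and the two runs of unknown bytes follow the dump.

```python
"""Carve DWORD-length-prefixed strings from a config blob (added example)."""
import struct
from typing import List, Tuple


def carve_prefixed_strings(blob: bytes, min_len: int = 2,
                           max_len: int = 256) -> List[Tuple[int, str]]:
    """Return (offset_of_length_field, string) for every candidate.

    A candidate is a little-endian DWORD n (min_len <= n <= max_len) that
    is followed by n bytes of printable ASCII ending in NUL. Scanning every
    offset copes with the unknown fields between strings; once a string is
    accepted the scan resumes after it so its own bytes are not re-matched.
    """
    found: List[Tuple[int, str]] = []
    i = 0
    while i + 4 <= len(blob):
        n = struct.unpack_from("<I", blob, i)[0]
        if min_len <= n <= max_len and i + 4 + n <= len(blob):
            body = blob[i + 4:i + 4 + n]
            if body[-1] == 0 and all(0x20 <= c < 0x7F for c in body[:-1]):
                found.append((i, body[:-1].decode("ascii")))
                i += 4 + n
                continue
        i += 1
    return found


def build_sample() -> bytes:
    """Constructed stand-in for A.2: same framing, placeholder values."""
    def rec(s: str) -> bytes:
        raw = s.encode("ascii") + b"\x00"
        return struct.pack("<I", len(raw)) + raw

    return (b"\x00" * 14                                   # leading zero bytes
            + rec("ftp.example.invalid")                   # hostname (placeholder)
            + rec("ftpuser")                               # username (placeholder)
            + rec("hunter2")                               # password (placeholder)
            + b"\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"  # unknown fields, as in the dump
            + rec("ufr_files")                             # remote directory name
            + b"\x00" * 11                                 # unknown fields, as in the dump
            + rec("UFR_Stealer")
            + b"\x00" * 8)


if __name__ == "__main__":
    for off, s in carve_prefixed_strings(build_sample()):
        print(f"{off:#06x}: {s}")
```

The byte-by-byte scan is deliberately tolerant: a DWORD of 1 or 0 in the unknown fields never qualifies, and a large value that happens to look like a length is rejected either because it runs past the end of the blob or because the bytes it covers are not printable.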
