MOTW: zCodec Delivers (09/08/2006)
Note: We do not link to any malicious code directly, but it should not be too difficult to locate the sites discussed in this article. Please exercise extreme caution should you decide to visit these sites on your own.
This is amazing! This codec will give me 40% better quality on Pulp Fiction, Sin City, and my Korn albums -- no wonder everyone has been going crazy over this thing. I can't wait to check it out, but... maybe I should glance over the Terms of Use first.
YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND COND... blah, blah, blah...Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and...blah, blah, blah...may offer additional components through our version checking/update system. These components include: Toolbar, Popup advertising solution, Commercial homepage manager, Commercial messenger.
Whatever. Looks good to me. Time to download it.
Right away we notice that the binary is a Nullsoft (NSIS) installer. Good. That makes the first part of our job easier: the full import table is intact and we don't have any packers or protectors to deal with yet. The first thing we want to do is peel off the installation wrapper to get at the binaries it actually installs and determine what actions (if any) the installer itself performs.
I open up the file in everyone's favorite debugger and set breakpoints on all of the calls we might care about (in this situation, the ones that end up mattering are: CreateFile, WriteFile, and CreateProcessA). Carefully stepping through the process, you will soon reach a point where the file "C:\Program Files\HQ Codec\register.exe" is created and launched with CreateProcess. I save off a copy of this binary and disable the CreateProcess call: I'll deal with it when I'm done with the installer.
The installer continues along, creating a few harmless registry entries and displaying some convincing dialog boxes:
It doesn't actually do anything else after it drops register.exe. The dialogs and registry entries are just social engineering to convince us that we executed a legitimate installer. Let's take a few steps backward and look at the file we saved off earlier; maybe it has something more interesting in it...
Ooh, packed! I love it when my malcode plays hard-to-get. Right at the start of the file we notice a loop (0040A13C) writing values to an empty section of memory. Immediately following this loop there's a jump to the same previously empty section of memory (00408E20). Uhh... we're at the OEP already? Okay, so perhaps it wasn't playing hard-to-get after all. Set a breakpoint after the loop but before the jump. Continue execution and watch those bytes decode!
Now, we should probably keep unpacking this file but I want to take a peek at that juicy data we just decoded. Dump that section of memory to disk and run it through a strings utility. Here are a few snippets:
Incredible! This codec just keeps getting better. Not only does it improve my video quality by 40%, it also has undocumented bonus features that could let it modify my DNS, download additional files, and access pornography sites! I love surprises.
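Here is an added, stand-alone Python example (not code from the original post or from Websense) of the "strings" pass described above: it pulls printable ASCII and UTF-16LE runs out of a dumped memory region, records where each one sits, and triages them for the indicators an analyst looks for first (URLs, IP addresses, DLL names, registry paths, user-agent strings). The dump bytes are constructed inline as a stand-in for the decoded section; only the user agent "MS Internet Explorer" comes from the post, and the URL, addresses and registry path are placeholders, not data recovered from the sample.

```python
import re


def build_sample_dump():
    """Constructed stand-in for the decoded section (not bytes from the real sample)."""
    filler = b"\x55\x8b\xec\x83\xec\x10" * 4  # push ebp / mov ebp,esp / sub esp,10h
    parts = [
        filler,
        b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00",
        b"wininet.dll\x00InternetOpenA\x00",
        "MS Internet Explorer".encode("utf-16le") + b"\x00\x00",  # the one real string
        b"http://example.invalid/update.php\x00",                 # placeholder URL
        b"SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\x00",
        b"NameServer\x00203.0.113.10,203.0.113.11\x00",           # placeholder resolvers
        filler,
    ]
    return b"\x00".join(parts)


def extract_strings(blob, min_len=6):
    """Return (offset, encoding, text) for printable runs, like `strings -a -e l`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


# What to look at first in a fresh dump; extend to taste.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "dll": re.compile(r"\b\w+\.dll\b", re.I),
    "registry": re.compile(r"CurrentControlSet|HKEY_|HKLM", re.I),
    "user_agent": re.compile(r"Internet Explorer|Mozilla/", re.I),
}


def triage(strings):
    """Bucket extracted strings by the kind of indicator they look like."""
    hits = {name: [] for name in INDICATOR_PATTERNS}
    for _offset, _enc, text in strings:
        for name, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(text):
                hits[name].append(text)
    return hits


if __name__ == "__main__":
    found = extract_strings(build_sample_dump())
    for offset, enc, text in found:
        print(f"{offset:08x} {enc:8s} {text}")
    for kind, values in triage(found).items():
        if values:
            print(f"[{kind}] {values}")
```

The UTF-16 pass matters on Windows samples: a user agent or registry path stored as a wide string is invisible to a plain ASCII `strings` run, which is exactly the kind of thing an analyst "spots in the strings" later on.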
Back in our debugger, step through until you get to the jump we mentioned above. Step into it and you'll find yourself at address 00408E20, which happens to be the OEP of our unpacked sections. If you are interested in creating an unpacked version of this binary, you'll want to dump the memory right now and repair your IAT. However, we don't need that at the moment so we're going to keep our analysis going for now.
A quick look over this function makes it obvious what is going on here: We're in a loop that calls LoadLibraryA followed by GetProcAddress and saves off the return value. The packer is creating an IAT for itself. Set a breakpoint just outside the loop (00408F05). Continue execution and when you hit the breakpoint you'll have a list of all functions imported by the binary. This gives us just a little bit more information about what it is up to.
The unpacked strings and the resolved imports are helpful, but we're done conjuring up hypotheses. It's time to find out what our little buddy is actually up to. From this point in the code it is straightforward to step through the program and see exactly what is going on. Everything is out in the clear now, so take your time and look around. Here's a summary:
- Hijacks DNS settings. The Trojan sets your DNS servers to a pair of IP addresses in Russia. The Trojan's operators now see every hostname the machine resolves and can redirect its traffic wherever they please. It's a good thing the egress policy on your firewall only permits DNS traffic to trusted servers (right!?).
- Mini-Rootkit. The Trojan deletes its tracks and then uses some rootkit-ish techniques to hide itself from the operating system. It would be rather difficult to detect if you weren't looking for it.
- Downloads additional files. The program sends a web request to a URL, which returns an encrypted block of data. This data is then decrypted into a list of additional URLs to download and execute. This allows the author to dynamically modify which files are downloaded by the Trojan. This article hasn't touched on any of the additional functionality provided by these downloaded files.
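As an added example (not from the original post), here is a Python check for the DNS hijack described in the first bullet. Windows keeps a statically configured resolver list in the NameServer value under each interface key below Tcpip\Parameters\Interfaces, and a non-empty NameServer overrides whatever DHCP handed out. The script parses a registry export of those keys and flags any static server that is not an approved resolver, sits outside RFC 1918 space, or overrides DHCP-assigned settings. The export text, interface GUIDs, approved-resolver list and the 203.0.113.x addresses are all constructed; the post does not name the actual Russian IPs.

```python
import ipaddress
import re

# Resolvers the egress policy should allow (constructed for the example).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed export of the per-interface TCP/IP keys. On a live box you would
# produce it with:
#   reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces tcpip.reg
# The GUIDs and the 203.0.113.x servers are placeholders, not the sample's real values.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="10.0.0.53 10.0.1.53"
"NameServer"="203.0.113.10,203.0.113.11"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="10.0.0.53"
"NameServer"=""
"""


def parse_reg_export(text):
    """Map interface GUID -> {value name: raw value} from a .reg export."""
    interfaces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"\[(.+)\]$", line)
        if key:
            current = key.group(1).rsplit("\\", 1)[-1]  # last path component is the GUID
            interfaces[current] = {}
            continue
        value = re.match(r'"([^"]+)"=(.*)$', line)
        if value and current is not None:
            name, raw = value.groups()
            interfaces[current][name] = raw.strip('"')  # dword:... values stay as-is
    return interfaces


def find_dns_hijack(interfaces, approved=APPROVED_RESOLVERS):
    """Return (guid, server, reasons) for static NameServer entries that look hijacked."""
    findings = []
    for guid, values in interfaces.items():
        # NameServer may be comma- or space-separated; empty means "use DHCP".
        static = [s for s in re.split(r"[ ,]+", values.get("NameServer", "")) if s]
        for server in static:
            reasons = []
            if server not in approved:
                reasons.append("not an approved resolver")
            try:
                addr = ipaddress.ip_address(server)
                if not any(addr in net for net in RFC1918):
                    reasons.append("outside RFC 1918 space")
            except ValueError:
                reasons.append("not an IP address")
            if values.get("EnableDHCP") == "dword:00000001":
                reasons.append("static override on a DHCP-configured interface")
            if reasons:
                findings.append((guid, server, reasons))
    return findings


if __name__ == "__main__":
    for guid, server, reasons in find_dns_hijack(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{guid}: {server} -> {', '.join(reasons)}")
```

The "static override on a DHCP interface" reason is the one worth alerting on by itself: a laptop that gets its resolvers from DHCP has no business carrying a hand-set NameServer, and that is precisely the footprint this Trojan leaves behind.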
This Trojan is capable of a few more surprises but the Trojan's main intention here is clearly to capture web traffic and serve as a downloader. I'll leave you with one final interesting tidbit:
If you try to visit any of the URLs accessed by this Trojan, you'll be greeted with a misleading 404:
On closer inspection, you'll notice that all requests from the Trojan have a custom user agent of "MS Internet Explorer" (spot it in the strings above?). Try your request again, but this time set your user agent to match the one used by the Trojan. Gotcha!
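The cloaking in that final tidbit, as an added example that is not part of the original post: a tiny HTTP server that answers 404 unless the User-Agent header is exactly "MS Internet Explorer", and a client that fetches the same URL both ways so you can see the "gotcha" end to end. The server itself, the path /update.php and the plaintext body it returns are assumptions for the demo; the real server returned an encrypted block, and only the user-agent string comes from the post.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TROJAN_UA = "MS Internet Explorer"          # the custom user agent seen in the strings
PAYLOAD = b"http://example.invalid/a.exe\nhttp://example.invalid/b.exe\n"  # constructed stand-in


class CloakingHandler(BaseHTTPRequestHandler):
    """Serve the real content only to the Trojan's user agent; everyone else sees a 404."""

    def do_GET(self):
        if self.headers.get("User-Agent") == TROJAN_UA:
            status, body = 200, PAYLOAD
        else:
            status, body = 404, b"404 Not Found"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, user_agent, path="/update.php"):
    """GET the URL with an explicit User-Agent; return (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"User-Agent": user_agent})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def demo():
    """Fetch once as an analyst's browser and once as the Trojan; return both results."""
    srv = start_server()
    try:
        port = srv.server_address[1]
        return fetch(port, "Mozilla/5.0 (analyst browser)"), fetch(port, TROJAN_UA)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    miss, hit = demo()
    print("browser UA :", miss[0], miss[1])
    print("trojan UA  :", hit[0], hit[1].decode())
```

When you replay a sample's requests for real, copy every header the malware sends, not just the user agent; a server that keys on one header can just as easily key on another, or on the order they arrive in.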
Researcher: Alex Rice, Websense Security Labs