This discussion will be split into two pieces, and it will be clear why as we reverse the code.
Programs we will be using are:
- IDA Pro 5 (http://www.datarescue.com)
- UPX (http://upx.sourceforge.net)
The first thing we need to do is determine whether this piece of malcode is packed. I like to jump right into things from the start and take a look around, so I opened the malcode in IDA Pro. While IDA is loading it, I receive a warning that the import segment is probably corrupted. That warning is a classic sign of a packer: the real import table is rebuilt in memory by the unpacking stub at run time, so what sits on disk looks broken to a static loader.

Finally getting a look at the code, it's obvious that it's UPX packed (a stock UPX build leaves its UPX0/UPX1 section names and the "UPX!" marker in the file). Excellent - that makes things easy. We unpack it with UPX ("upx -d") and we're ready to start.
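Before reaching for IDA, the "is it packed?" question can be answered with a few lines of triage. The following is an added example (not code from the original post or from Websense) that walks the PE section table and checks for the section names and marker a stock UPX build leaves behind. The two sample blobs at the bottom are constructed skeletons, not real executables, and the section-name heuristic only catches unmodified UPX output; a repacked sample with renamed sections still needs the IDA "corrupted imports" hint or a generic unpacker.

```python
import struct
from typing import Dict, List

# Section names and the marker that a stock UPX build leaves behind.  A
# repacked or hand-edited sample can rename these, so treat a miss as
# "not stock UPX", not "not packed".
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"


def pe_section_names(data: bytes) -> List[str]:
    """Return the section names of a PE image given its raw file bytes.

    Minimal walk: DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header ->
    section table (40-byte entries, 8-byte name first).  Raises ValueError
    for anything that is not a well-formed PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> Dict[str, object]:
    """Cheap triage for the 'is it packed?' question the analysis starts with."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n in UPX_SECTION_NAMES]
    has_magic = UPX_MAGIC in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_magic": has_magic,
        "packed": bool(upx_sections) or has_magic,
    }


def build_fake_pe(section_names: List[bytes], trailer: bytes = b"") -> bytes:
    """Constructed test input (not a real executable): an MZ/PE skeleton with
    a COFF header, no optional header, and the requested section names."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections + trailer


# Two constructed samples: one shaped like stock UPX output, one unpacked.
PACKED_SAMPLE = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=UPX_MAGIC)
CLEAN_SAMPLE = build_fake_pe([b".text", b".rdata", b".data"])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, looks_upx_packed(blob))
```

Point the script at a real sample with `looks_upx_packed(open(path, "rb").read())`; if it reports `packed`, `upx -d sample.exe -o sample_unpacked.exe` restores the original image for IDA.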

Back to IDA Pro, we now open the unpacked file and take a good look around. It's always a good idea to go through the strings and imports and see what we may have going on here. Interesting things here are "WriteFile," "CreateFileMapping," and "SHFileOperationA": writing a file, mapping a file into memory, and shell file operations such as copy and delete.
Next we want to step through the malcode and start looking for interesting behavior. Stepping through, we see that it loads kernel32.dll, and that it references a resource named "Bynary" (sic). We'll find out more about this later.

Continuing on, it looks like it checks for "kernel32.dll" and reads that file's date/time stamps. Perhaps it wants to create a new file with this date - not sure yet, but we'll see how it all unfolds.
Moving on, we see that it now does several odd things. First, it tries to delete a file called "Upperhost.dllh" in the Windows system directory. On a typical system this file does not exist, so the delete fails, but the malcode ignores the return value and continues on to the next instruction.

Finally, the malcode creates the file "UpperHost.dll", writes the contents of the "Bynary" resource into it, and marks it as a hidden file. Sneaky...but not sneaky enough!

Next we see that the code sets the date/time of this new file to the same date/time as kernel32.dll, so that the dropped DLL blends in with the legitimate system files when a directory listing is sorted by date, and then loads UpperHost.dll into memory.
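The timestamp cloning is also the dropper's weak spot from a forensics angle: a file whose modification time exactly matches kernel32.dll is worth a second look, and a hidden one even more so. The following is an added example (not from the original post or from Websense) that builds a constructed directory with a stand-in kernel32.dll, an unrelated DLL, and a timestomped "UpperHost.dll", then hunts for files that share the reference file's timestamp. The reference time and file names are assumptions for the demo; the hidden-attribute check uses the Windows attribute when running on Windows and falls back to the dot-file convention elsewhere.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List

# Hypothetical reference time for the stand-in kernel32.dll (any fixed epoch works).
REF_TIME = 1_092_000_000


def is_hidden(path: str) -> bool:
    """Hidden attribute on Windows (st_file_attributes); dot-prefix elsewhere."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def hunt_timestamp_clones(directory: str, reference: str) -> List[Dict[str, object]]:
    """Flag regular files in `directory` whose modification time equals that of
    `reference` (second granularity), excluding the reference file itself."""
    ref_mtime = int(os.stat(reference).st_mtime)
    ref_real = os.path.realpath(reference)
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or os.path.realpath(path) == ref_real:
            continue
        if int(os.stat(path).st_mtime) == ref_mtime:
            hits.append({"name": name, "hidden": is_hidden(path), "mtime": ref_mtime})
    return hits


def build_demo_dir() -> str:
    """Constructed scene: a stand-in kernel32.dll, an unrelated DLL, and a
    dropped UpperHost.dll whose timestamps were cloned from kernel32.dll."""
    d = tempfile.mkdtemp(prefix="upperhost_demo_")

    def drop(name: str, t: int, hidden: bool = False) -> str:
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"MZ placeholder, not a real PE")
        os.utime(p, (t, t))  # atime, mtime: the same trick the dropper uses
        if hidden and os.name == "nt":
            import ctypes  # FILE_ATTRIBUTE_HIDDEN = 0x2
            ctypes.windll.kernel32.SetFileAttributesW(p, 0x2)
        return p

    drop("kernel32.dll", REF_TIME)
    drop("benign.dll", REF_TIME - 30 * 86400)  # different day: must not match
    drop("UpperHost.dll", REF_TIME, hidden=True)  # timestomped clone
    return d


def demo() -> List[str]:
    """Run the hunt against the constructed directory and return the hit names."""
    d = build_demo_dir()
    try:
        ref = os.path.join(d, "kernel32.dll")
        return [h["name"] for h in hunt_timestamp_clones(d, ref)]
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Against a real System32 (`hunt_timestamp_clones(r"C:\Windows\System32", r"C:\Windows\System32\kernel32.dll")`) expect noise: files laid down by the same OS install or service pack legitimately share timestamps, so filter the hits on the hidden flag, on a missing or invalid Authenticode signature, or on absence from a known-good hash set before treating one as a dropped payload.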

"UpperHost.dll" turns out to be a keylogger that captures data entered into web forms. This is the keylogger recently covered in our "VML Candid Camera" blog entry.
Researcher: Vic Baddour, Websense Security Labs