Brazilian Malwares using .CPL extension

June 15, 2010 Leave a comment

Brazilian bad guys are using a new type of attack to infect machines: the Control Panel files.

These files are loaded by control panel when you launch it, they are the mouse, keyboard, sound extension from the control panel.

The .CPL files are like DLLs, but with one significant difference, are lauched by windows with a double-click, then it means that is so easy to bring the user to the machine infection.

When you run a CPL file, it automatically launches the rundll32 with this command line:

“rundll32.exe” shell32.dll,Control_RunDLL “C:\Documents and Settings\Administrador\Desktop\wininnet.cpl”,

Explaining this command line, the OS calls the Control_RunDLL with the cpl file path as parameter, so, the code contained in cpl file is executed.

I have found a lot of malwares using this method, that is very simple and… it works!

Remote Debugging with IDA Pro

May 20, 2010 Leave a comment

When you’re working on Malware Analysis, for some reasons, you need to debug an infected file in a secure environment, so, I will try to explain how it is a simple task using IDA Pro.

First, we need to configure the virtual machine network, in this case I will use NAT configuration as shown below.

VmWare Network Settings

After, we need check network status and IP address, my VM address is 192.168.182.129, it will be used in debugger configuration.

Now, copy the remote server that is located in Program Files\IDA to the virtual machine, in this case, win32_remote.exe ( there are win64 versions too ).

Start the server, it will start accepting connections, as image below.

Server accepting connections

Note: Disable windows firewall, to prevent blocking the connection.

Let’s go act! Open the IDA Pro, and open a file to disasm. I will use google talk app.

I always change the file extension to prevent some problems, as double click unintentionally.

Now, go to the menu Debugger > Process options… and set your data.

IDA Debugger configuration

Press F9 to run.

Note: I like to set a breakpoint at the EntryPoint to prevent from a non intentional run.

IDA will prompt you if you want to copy the file to the remote machine, so hit yes!

And you’re ready to debug remotely.

IDA Pro Remote Debugging

Process running in VM

Malicious Page Obfuscation

April 22, 2010 Leave a comment

I have found a lot of bank fraudulent pages that are using an analysis protection, that try to hide the real content of the page. It’s a very simple technique, that checks if the page is being loaded from local machine, then redirect to about:blank page.

The first part of code is a call to unescape() function, that decodes a crypted function.

<script language=”JavaScript”><!–
document.write(unescape(“%3C%53%43%52%49%50%54%20%4C%41%4E% 47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22% 3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B% 66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%31%28%73%29%7B %69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%76% 61%72%20%6F%3D%22%22%2C%61%72%3D%6E%65%77%20%41%72%72%61% 79%28%29%2C%6F%73%3D%22%22%2C%69%63%3D%30%3B%66%6F%72%28%69 %3D%30%3B%69%3C%73%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63 %3D%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28% 63%3C%31%32%38%29%63%3D%63%5E%32%3B%6F%73%2B%3D%53%74%72%69%6E %67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28 %6F%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%61%72%5B%69%63%2B%2B %5D%3D%6F%73%3B%6F%73%3D%22%22%7D%7D%6F%3D%61%72%2E%6A%6F%69%6E %28%22%22%29%2B%6F%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74% 65%28%6F%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E”));//–>
</script>
This code will generate this:
<script language=”JavaScript”><!–
hp_ok=true;
function hp_d01(s)
{
if(!hp_ok) return;
var o=””,ar=new Array(),os=””,ic=0;
for(i=0;i<s.length;i++)
{
c=s.charCodeAt(i);
if(c<128)c=c^2;
os+=String.fromCharCode(c);
if(os.length>80)
{
ar[ic++]=os;
os=””
}
}
o=ar.join(“”)+os;
document.write(o);
}//–>
</script>
Now, the page has the function hp_d01() , that will be used to decode the real content of malicious page, as shown below.
<script language=”JavaScript”><!–
hp_d01(“>QAPKRV\x22NCLEWCEG? HctcQapkrv \x3C>#//kd*fmawoglv,WPN,qw`qvpkle*2.6+?? dkng +yjr]mi?dcnqg9uklfmu,nmacvkml? c`mwv8`ncli \x7F–//\x3C>-QAPKRV\x3C”);//–>
</script>
And will generate…
<script language=”JavaScript”><!–
if(document.URL.substring(0,4)==”file”)
{
hp_ok=false;
window.location=”about:blank”
}//–>
This is the part that redirects to about:blank, if loaded from disk.
Now, the bank specific data…
<script language=”JavaScript”><!–
hp_d01(“>jgcf\x3C>OGVC\x22JVVR/GSWKT? Rpceoc \x22AMLVGLV? Lm/Acajg \x3C>OGVC\x22JVVR/GSWKT? Acajg/Amlvpmn \x22AMLVGLV? Lm/Acajg.Owqv/Pgtcnkfcvg.Lm/Qvmpg \x3C>OGVC\x22LCOG? Pm`mvq \x22AMLVGLV? LmKlfgz \x3C>OGVC\x22JVVR/GSWKT? Gzrkpgq \x22AMLVGLV? 2 \x3C>vkvng\x3CY“,amo,`p/\x22@clam\x22fm\x22@pcqkn_>-vkvng\x3C>qv{ng\x22v{rg? vgzv-aqq \x3Cvf\x22koe\x22yfkqrnc{8\x22`nmai9\x7F`mf{\x22y ocpekl/ngdv8\x222rz9 ocpekl/vmr8\x222rz9\x7F,qv{ng4\x22y dmlv/dcokn{8\x22Eglgtc.\x22Cpkcn.\x22Jgntgvkac.\x22qclq/qgpkd9 dmlv/qkxg8\x2233rz9\x7Fc8nkli\x22y vgzv/fgampcvkml8\x22lmlg9\x7Fc8tkqkvgf\x22y vgzv/fgampcvkml8\x22lmlg9\x7Fc8jmtgp\x22y vgzv/fgampcvkml8\x22wlfgpnklg9\x7Fc8cavktg\x22y vgzv/fgampcvkml8\x22lmlg9\x7F,qv{ng33\x22y amnmp8\x22!2222DD9 dmlv/qkxg8\x2232rz9\x7F,qv{ng31\x22y amnmp8\x22!2061:79 dmlv/qkxg8\x2232rz9\x7F>-qv{ng\x3C>-jgcf\x3C”);//–>
</script>
<head><META HTTP-EQUIV=”Pragma” CONTENT=”No-Cache”><META HTTP-EQUIV=”Cache-Control” CONTENT=”No-Cache,Must-Revalidate,No-Store”><META NAME=”Robots” CONTENT=”NoIndex”><META HTTP-EQUIV=”Expires” CONTENT=”0″>
<title>[bank name]</title>
<style type=”text/css”>
td img {display: block;}body {
margin-left: 0px;
margin-top: 0px;
}
.style6 {
font-family: Geneva, Arial, Helvetica, sans-serif;
font-size: 11px;
}
a:link {
text-decoration: none;
}
a:visited {
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
a:active {
text-decoration: none;
}
.style11 {
color: #0000FF;
font-size: 10px;
}
.style13 {
color: #024385;
font-size: 10px;
}
</style></head>

Configuring layer7 + iptables 1.4.3.2 on Slackware 12 Kernel 2.6.21

May 24, 2009 7 comments

After some problems with this, i’ll post a how-to configuration tested and running.ūüėÄ

First, we need to download these packages:

– iptables-1.4.3.2: http://netfilter.org/projects/iptables/files/iptables-1.4.3.2.tar.bz2

– layer7 patch: http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.21.tar.gz

– layer7 protocols: http://ufpr.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-10.tar.gz

Now, extract the packages to an especific folder ( I’m using /usr/src )

tar jxvf iptables-1.4.3.2.tar.bz2 -C /usr/src/
tar zxvf netfilter-layer7-v2.21.tar.gz -C /usr/src
tar zxvf l7-protocols-2009-05-10.tar.gz -C /usr/src

#tar jxvf iptables-1.4.3.2.tar.bz2 -C /usr/src/

#tar zxvf netfilter-layer7-v2.21.tar.gz -C /usr/src

#tar zxvf l7-protocols-2009-05-10.tar.gz -C /usr/src

Remove the old iptables installation

#removepkg iptables

Applying the layer7 patch

#cd /usr/src/linux

#patch -p1 < ../netfilter-layer7-v2.21/for_older_kernels/kernel-2.6.20-2.6.21-layer7-2.16.1.patch

Now, we need to compile the kernel to activate layer7 and string match modules

#cd /usr/src/linux

#make oldconfig ( if you be asked about layer7 modules, hit enter )

#make menuconfig

Check this options

Networking–>

Networking options –>

Network Packet Filtering framework (Netfilter) –>

Core Netfilter Configuration –>

(M) layer7 match suport   <- check this

[ ] ¬† ¬† layer7 debugging output <- don’t check this

(M) string match support <- check this

#make

#make modules

#make modules_install

# cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage

# cp /usr/src/linux/System.map /boot/

# cd /boot

# rm -rf vmlinuz

# ln -s bzImage vmlinuz

We’ll install ne new iptables version, in this version it’s needed to do some modifications on the patch, so, I published this modified files in this link:¬†http://www.easy-share.com/1905337902/libxt_layer7.rar

Extract this files to this: /usr/src/iptables-1.4.3.2/extensions/, then compile it

# ./configure –with-ksource=/usr/src/linux-2.6.21.5/

# make SBIN_DIR=/sbin LIBDIR=/lib

# make SBIN_DIR=/sbin LIBDIR=/lib install

Install the layer7 prococols

#cd /usr/src/l7-protocols-2009-05-10/

#make install

To finish… make sure that it’s working.

# iptables -A FORWARD -m layer7 –l7proto msnmessenger -j DROP

#iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP ¬† ¬† ¬† all ¬†— ¬†0.0.0.0/0 ¬† ¬† ¬† ¬† ¬† ¬†0.0.0.0/0 ¬† ¬† ¬† ¬† ¬† LAYER7 l7proto msnmessenger

If you get this with no error, means that you have a iptables with layer7 working. If you get some error, post here that I’ll try to help you.

More information about supported protocols can be found at this address: http://l7-filter.sourceforge.net/protocols

Explaining Brazilian “Ransomware”

May 12, 2009 Leave a comment

Based on post http://www.linhadefensiva.org/2009/05/antivirus-fraudulento-brasileiro-sequestra-sistema by Fabio Assolini I will show how it works ( coding view ).

– FotoTorpedo7812.com

This is a simple downloader that call UrlDownloadToFile API to get the file http://www.byteclark.com.br/imgsite3.bmp to c:\comps.exe that’s the file that really locks your system.

downloader

After the file download, it runs the file ccomps.exe, calling WinExec to start system infection.

– ccomps.exe

This program was developed on Delphi and it doesn’t use any packer or code protector,  making to simple the disassembly.

peid

When it runs at first time, the path is added to Run registry key, to make sure that the program will be running after a system reboot,  it’s so common in those type of malwares.

Run

This program has a timer1 component that enumerates all windows, get your text and store it to compare with strings specified in the code.

Timer1

List of strings that this malware look for:

-Word

-Excel

-Bloco de notas

-Visualizador de imagens e fax

-Galeria de Fotos

-Documentos

-Editor do Registro

-PowerPoint

-Minhas imagens

-Calculadora

-Configuratpo do sistema

-Gerenciador de tarefas

-Paint

-Minhas musicas

-Media Player

-Adobe Reader

Then, it has a second timer, that compare the returned list of windows title with the strings shown above.

If the comparison returns true, then it has two actions:

If it’s a MSOffice program, then exec taskkill to kill the process running.

Ex. taskkill /f /im winword.exe

timer2-word

If it’s another program, the program calls the FindWindow API to get the window handle, then send a WM_CLOSE message.

timer2-another

After that, the malware set your own form as visible, showing a window that redirects the user to http://www.byteclark.com.br, where is hosted the “solution” to this problem.

The solution costs R$ 20,00, and I really want to know if someone bought it.

Now this address if down, being impossible to get these files.

Raio-X: Phishing

April 26, 2009 Leave a comment

Hoje em dia e comum recebermos mensagens de serviços como MSN, Orkut, mesmo sem ter nenhum contato anterior com nenhum destes serviços, os chamados SPAMS que lotam nossos emails, incomodando uma saudável leitura matinal.

Por√©m muitos deles, possuem softwares maliciosos utilizados para a captura de dados pessoais de acesso a sistemas online, como bancos, sites de relacionamento, mensagens instant√Ęneas , conhecidos como phishings.

mail

Ao clicar no link t√£o bem especificado pela mensagem , somos redirecionados para a url hxxp://www.urlsplit.com/0Sfkv0bN, que baixa um arquivo que de acordo com as instru√ß√Ķes devemos execut√°-lo.

O arquivo baixado (Windows Live.com ), trata-se de um Downloader que ao ser executado baixa mais três arquivos e os executa em sua máquina. Analisando mais a fundo o executável podemos capturar as urls de onde ele baixa os arquivos.

Estes Downloaders costumam ser pequenos, normalmente menores que 1 mb, pois possuem um código muito simples. Apenas utilizam uma API para baixar os arquivos desejados roda estes arquivos no PC da vítima e adiciona nas chaves de auto execução no registro do sistema.

strings

Neste caso, estes arquivos s√£o baixados para a pasta System32 de onde ser√£o executados.

Os arquivos baixados foram:

· Imglog.exe

· Ppsemail.exe

· Process.exe

process

– Process.exe

Este arquivo é utilizado para remoção de ferramentas utilizadas pelos bancos brasileiros, pois com esta ferramenta em execução o trojan provavelmente não conseguirá fazer o seu trabalho corretamente, fazendo-se necessário a remoção.

– Ppsemail.exe

Este e responsável pela propagação do trojan, pois o envia para os contatos localizados na máquina, inclusive MSN.

findwindow

– Imglog.exe

Este arquivo √© encarregado do roubo das informa√ß√Ķes, pois detecta que o usu√°rio esta navegando em um site espec√≠fico ( banco, relacionamento, etc. ), finaliza o processo do browser real e abre um browser falso , para efetuar a captura dos dados da v√≠tima.

Neste caso, podemos verificar j√° na abertura do fake browser, que a bara de progresso e bem diferente da utilizada pelo Internet Explorer

barra

Outro fator importante e que ao descer a barra de rolagem identificamos uma imagem sobreposta por uma janela, isto n√£o aconteceria se fosse realmente o site do banco. Utilizando uma ferramenta para focalizar as janelas podemos ver que realmente possui uma janela em frente ao browser.

janela

A √ļltima verifica√ß√£o, seria digitar uma ag√™ncia e conta incorreta, pois no site do banco nunca iria aceitar dados incorretos, ao contr√°rio do trojan que n√£o possui uma forma de verificar estes dados, aceitando ent√£o qualquer informa√ß√£o.

lastwindow


Follow

Get every new post delivered to your Inbox.