File infectors are well known and have been studied for a long time, but in most cases they target 32-bit files. One such family, Expiro (Xpiro), was discovered quite a long time ago and is hardly surprising today. Recently, however, our anti-virus laboratory discovered a new modification of Expiro that is capable of infecting 64-bit files. Moreover, the body of this modification is universal and fully cross-platform: it can infect both 32-bit and 64-bit files in either direction, i.e., an infected 32-bit file can infect 64-bit files and vice versa. In our naming system the virus is called Win64/Expiro.A (aka W64.Xpiro or W64/Expiro-A); 32-bit files infected by it are detected as Win32/Expiro.NBF.
The infector aims to obtain the maximum profit from its destructive activity and infects executable files on both local and network drives. Its payload installs extensions for the Google Chrome and Mozilla Firefox browsers, and the malicious code steals digital certificates and the passwords stored on the computer by Internet Explorer, Microsoft Outlook and the FileZilla FTP client. The browser extensions are used to redirect users to malicious URLs and to steal various confidential information. The virus also disables a number of services on the compromised computer, including Windows Defender and the Windows Security Center, and can terminate a number of processes.
Infector
In a 64-bit infected file, the body of the virus is a new section, .vmp0, 512,000 bytes in size on disk, appended to the end of the executable. To transfer control to the main body, the virus writes a malicious startup stub of 1269 bytes over the entry point; the original entry-point bytes are moved to the beginning of the .vmp0 section. This startup code is an unpacker for the main code, which resides in the virus section. Below is a screenshot of the startup code template that is written over the entry point of a 64-bit file during infection.

When this code is generated for an infection, some of its instructions are overwritten, which makes the data written to each .vmp0 section unique. The instructions that change are add, mov and lea instructions that carry immediate operands. At the end of the code an instruction is added that jumps to the unpacked code in the .vmp0 section.

The corresponding startup code for 32-bit files is likewise stored in the .vmp0 section and looks like this:

The 32-bit version looks like this:

The size of this startup code is 1269 bytes in the 64-bit version and 711 bytes in the 32-bit version.
The virus infects executable files by recursively traversing the directories of the logical drives. The infection of an executable is staged through a temporary .vir file, in which the malicious code assembles the new contents of the file and then writes them back to the target file in 64 KB blocks. If the virus cannot open a file for read/write access, it tries to change the file's security descriptor and owner information.
Signed executable files are no exception. After infection such a file ceases to be signed, because the virus writes its body after the last section, which in the original file is where the overlay holding the digital signature is located. In addition, the virus modifies the Security Directory entry of the Data Directory, setting its RVA and Size fields to 0. As a result, the file can still be executed, since it no longer carries any digital signature information. The following shows the differences between the original and the infected 64-bit file, which was digitally signed. On the left, in the modified version, you can see that the .vmp0 section and the original entry-point bytes begin where the overlay used to be.
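The header-level traces described above (an appended .vmp0 section of the stated size and a zeroed Security Directory) can be checked without running the file. The script below is an added triage example, not code from the write-up or from ESET; it parses only the PE fields it needs, and the `build_sample_pe` helper constructs a header-only PE32/PE32+ stub (not a real binary) so the check can be exercised offline. The writable-and-executable heuristic is a general unpacker observation of my own, not something stated in the write-up.

```python
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
VIRUS_SECTION_NAME = b".vmp0"          # section name from the write-up
VIRUS_SECTION_RAW_SIZE_X64 = 512_000   # on-disk size of the 64-bit body (write-up)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"           # 40-byte IMAGE_SECTION_HEADER


def parse_pe(data: bytes) -> dict:
    """Parse just the parts of a PE file the check needs: optional-header magic,
    entry point RVA, the Security data directory and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dd_off = 92, 96        # NumberOfRvaAndSizes, first data directory
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    sec_rva = sec_size = 0
    if nrva > SECURITY_DIR_INDEX:
        sec_rva, sec_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * SECURITY_DIR_INDEX)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"is64": magic == PE32PLUS_MAGIC, "entry_rva": entry_rva,
            "security": (sec_rva, sec_size), "sections": sections}


def expiro_indicators(data: bytes) -> list:
    """Return human-readable findings matching the Expiro infection pattern
    from the write-up; an empty list means nothing matched."""
    pe = parse_pe(data)
    findings = []
    for s in pe["sections"]:
        if s["name"] != VIRUS_SECTION_NAME:
            continue
        findings.append("section .vmp0 present")
        if s is pe["sections"][-1]:
            findings.append(".vmp0 is the last section (appended after the original sections)")
        if pe["is64"] and s["rawsize"] == VIRUS_SECTION_RAW_SIZE_X64:
            findings.append(".vmp0 raw size equals the 512,000-byte 64-bit virus body")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            # General unpacker heuristic (my assumption, not from the write-up).
            findings.append(".vmp0 is both writable and executable")
        if pe["security"] == (0, 0):
            findings.append("Security directory is zero: no signature data remains")
    return findings


def build_sample_pe(infected: bool, is64: bool = True) -> bytes:
    """Constructed header-only PE stub (not a real program) for offline testing:
    one .text section, plus an appended .vmp0 when 'infected' is set."""
    magic = PE32PLUS_MAGIC if is64 else PE32_MAGIC
    opt_size = 240 if is64 else 224
    nsec = 2 if infected else 1
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if is64 else 0x14C, nsec, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    nrva_off, dd_off = (108, 112) if is64 else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)
    if not infected:   # the clean sample keeps a signature overlay reference
        struct.pack_into("<II", opt, dd_off + 8 * SECURITY_DIR_INDEX, 0x3000, 0x800)
    sections = struct.pack(SECTION_HDR, b".text", 0x500, 0x1000, 0x600, 0x400,
                           0, 0, 0, 0, 0x60000020)
    if infected:
        sections += struct.pack(SECTION_HDR, b".vmp0", VIRUS_SECTION_RAW_SIZE_X64, 0x2000,
                                VIRUS_SECTION_RAW_SIZE_X64, 0xA00, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(True)
    for line in expiro_indicators(data) or ["no Expiro indicators found"]:
        print(line)
```

Run it with a file path to triage a suspect executable; without arguments it scans the constructed infected sample. A section named .vmp0 alone is the strongest single signal here; the zeroed Security Directory only confirms that any signature the file once had is gone, since unsigned files have a zero directory too.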

In terms of terminating security processes, Expiro is not original: it retrieves the process list with the CreateToolhelp32Snapshot API and then terminates its targets with OpenProcess/TerminateProcess. Expiro terminates the following processes in the system: "MSASCui.exe", "msseces.exe" and "Tcpview.exe".

To maintain its presence in the system, Expiro creates two mutexes named gazavat.
In addition, the infector process itself can be recognized in the system by its large number of I/O operations and bytes read and written. Since the virus has to scan every file on the system, the infection process can take a long time, which is itself a sign that suspicious code is present.

The virus body obfuscates calls to various APIs, the values passed to them, offsets of strings, and so on. For example, in the following code the SERVICE_CONTROL_STOP (0x1) argument passed to advapi32!ControlService, which is used to disable services, is computed arithmetically from precomputed constants.

With this code, the virus tries to disable the following services: wscsvc (Windows Security Center), windefend (Windows Defender Service), MsMpSvc (Microsoft Antimalware Service) and NisSrv (part of Microsoft Antimalware).
Payload
As a payload, the virus tries to install extensions for the Google Chrome and Mozilla Firefox browsers. The manifest file of the Chrome extension being installed is as follows:

In the browser's extensions directory, this extension's directory is named dlddmedljhmbgdhapibnagaanenmajcm. The extension consists of two JavaScript files, background.js and content.js. After deobfuscation, the background.js template looks like this:
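Because the extension ID and its two script names are fixed, a host check can look for them directly. The script below is an added example, not code from the write-up or from ESET. It assumes the standard Chrome layout `<LOCALAPPDATA>\Google\Chrome\User Data\<Profile>\Extensions\<id>\<version>\`, and `build_sample_tree` constructs an imitation of that layout in a temporary directory (empty placeholder scripts, no malicious content) so the check runs offline.

```python
import json
import os
import tempfile

EXPIRO_CHROME_EXT_ID = "dlddmedljhmbgdhapibnagaanenmajcm"   # directory name from the write-up
EXPIRO_SCRIPTS = ("background.js", "content.js")            # script names from the write-up


def chrome_extension_roots(local_appdata: str) -> list:
    """Return every per-profile Extensions directory under a Chrome User Data tree
    (standard Chrome layout; assumed here, not taken from the write-up)."""
    user_data = os.path.join(local_appdata, "Google", "Chrome", "User Data")
    roots = []
    if os.path.isdir(user_data):
        for profile in sorted(os.listdir(user_data)):
            candidate = os.path.join(user_data, profile, "Extensions")
            if os.path.isdir(candidate):
                roots.append(candidate)
    return roots


def find_extension(extensions_root: str, ext_id: str = EXPIRO_CHROME_EXT_ID) -> list:
    """Report each installed version of ext_id below extensions_root, with the
    manifest's declared name and which of the known script files are present."""
    hits = []
    ext_dir = os.path.join(extensions_root, ext_id)
    if not os.path.isdir(ext_dir):
        return hits
    for version in sorted(os.listdir(ext_dir)):
        vdir = os.path.join(ext_dir, version)
        if not os.path.isdir(vdir):
            continue
        name = None
        manifest_path = os.path.join(vdir, "manifest.json")
        if os.path.isfile(manifest_path):
            try:
                with open(manifest_path, encoding="utf-8") as fh:
                    name = json.load(fh).get("name")
            except (OSError, ValueError):
                name = "<unreadable manifest>"
        present = [s for s in EXPIRO_SCRIPTS if os.path.isfile(os.path.join(vdir, s))]
        hits.append({"path": vdir, "version": version, "name": name, "scripts": present})
    return hits


def build_sample_tree() -> str:
    """Constructed stand-in for LOCALAPPDATA with one profile carrying the
    extension ID (placeholder files only, nothing from the real extension)."""
    root = tempfile.mkdtemp()
    vdir = os.path.join(root, "Google", "Chrome", "User Data", "Default",
                        "Extensions", EXPIRO_CHROME_EXT_ID, "1.0_0")
    os.makedirs(vdir)
    with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample-extension", "manifest_version": 2}, fh)
    for script in EXPIRO_SCRIPTS:
        open(os.path.join(vdir, script), "w").close()
    return root


if __name__ == "__main__":
    # On a Windows host LOCALAPPDATA points at the real profile; elsewhere the
    # constructed tree is used so the script still demonstrates the check.
    base = os.environ.get("LOCALAPPDATA") or build_sample_tree()
    for ext_root in chrome_extension_roots(base):
        for hit in find_extension(ext_root):
            print(hit)
```

Any hit is worth treating as an infected host rather than a browser-only problem: the extension is installed by the infector, so the executable files on the machine need the PE check as well.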

The HID variable stores the system identifier together with the OS version and Product ID. The SLST variable holds a list of domains used to redirect the user to malicious resources.

The manifest of the Mozilla Firefox extension is as follows:

A fragment of the content.js script responsible for parsing form elements:

As a bot, Expiro is able to perform the following actions:
- change the list of command-and-control server URLs;
- execute commands in the cmd.exe interpreter;
- load and execute plugins;
- download files from the network and save them as %commonappdata%\%variable%.exe;
- perform a TCP flood attack;
- enumerate files matching the b*.dll mask in the %commonappdata% directory and execute code from them;
- start a proxy server (SOCKS, HTTP).
The malicious code steals FileZilla credentials from the %appdata%\FileZilla\sitemanager.xml file. To steal passwords stored in Internet Explorer, a special COM object is used. If the downloaded code detects a credit card entry form on a web page, it tries to copy the data from it. The entered card data is checked against the "VISA"/"MasterCard" format, and a window is displayed with the message:
"Unable to authorize.\n%s processing center is unable to authorize your card %s.\nMake corrections and try again."
Conclusion
Infecting executable files is a very effective vector for distributing malicious code. The described modification of Expiro poses a serious threat to both home users and company employees. Since the virus infects files on local disks, removable devices and over the network, an outbreak can reach serious proportions. In the case of Expiro the problem is made worse by the fact that if even one infected file remains on the system and is executed, the process of infecting every disk starts again. From the standpoint of payload delivery, a file infector is also an attractive option precisely because of how actively its body spreads.