
Virus in Odnoklassniki

Thank you, Habr people, for the small boost in karma. Now I can finally write up yesterday's events on Odnoklassniki with technical details.


On 2 June 2008 a mass spam mailing aimed at Odnoklassniki users went out. The messages contained a link to a site. Unfortunately, by the time I got to work and started on the problem the link was already dead. But users had managed to follow it, and eventually they sent us several executable files. Most likely the link led to one of the exploits that download a file to the victim's computer and run it without the user's knowledge. I did not analyze the first file that ran on the victim's computer; what I got hold of were some of the later stages of its malicious life cycle.

So, WinNt32.dll.
An ordinary-looking DLL, except that it has no exports and it is immediately obvious that the file is encrypted or compressed. First of all, it computes the address of KiFastSystemCall from two obfuscated constants and calls that function. At that moment EAX holds 0x09, which seems to correspond to NtEnumerateBootEntries (system call numbers differ between Windows versions, so the number is only meaningful for the build the sample targets):
.text:004011A6 mov edx, 67C7AE8Eh
.text:004011AB mov ebx, [edx+18365472h]
.text:004011B1 dec ebx
.text:004011B2 call ebx
The two constants sum to 7FFE0300h, which is the SystemCall field of KUSER_SHARED_DATA, the page Windows maps into every process and where ntdll keeps its pointer to KiFastSystemCall. The pointer is read from there and decremented before the call, so the target is one byte before the published entry point, and whether that does what the author intended depends on the byte that happens to precede KiFastSystemCall in the victim's ntdll. This is a peculiar binding to a specific OS build and a form of anti-debugging: the file did not work in one of our virtual machines. In the .rsrc section the file carries a large array of encrypted data, whose address is then passed to VirtualProtect. After that the decryption routine is called, and the result is a complete executable file in memory. The rest is simple: VirtualAlloc, several memcpy calls, and an image of that file sits in freshly allocated memory ready to execute. Note that the decrypted file is never written to disk!
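To show what those two constants hide, here is an added Python example (my code, not from the post or the sample) that scans a code buffer for the `mov edx, imm32` / `mov ebx, [edx+disp32]` pair, adds the halves with 32-bit wraparound and reports when the result lands inside KUSER_SHARED_DATA. The byte string it scans is constructed from the listing above; the field table is a partial one I chose, using the public XP/2003 layout offsets.

```python
import re
import struct

# KUSER_SHARED_DATA is mapped read-only into every process at this fixed
# user-mode address on 32-bit Windows. The sample never stores the address
# as one immediate; it splits it across two constants added at run time.
KUSER_SHARED_DATA = 0x7FFE0000
PAGE_SIZE = 0x1000

# Partial field table (public KUSER_SHARED_DATA layout, XP / Server 2003).
# Assumption: only the fields a malware triager usually cares about are listed.
KUSER_FIELDS = {
    0x26C: "NtMajorVersion",
    0x270: "NtMinorVersion",
    0x2D4: "KdDebuggerEnabled",   # classic anti-debug check
    0x300: "SystemCall",          # pointer to ntdll!KiFastSystemCall
    0x304: "SystemCallReturn",
}

# Encoding of the pair from the listing:
#   BA imm32          mov edx, imm32
#   8B 9A disp32      mov ebx, [edx + disp32]   (ModRM 9A = mod 10, reg ebx, r/m edx)
SPLIT_POINTER = re.compile(rb"\xBA(.{4})\x8B\x9A(.{4})", re.DOTALL)

def resolve_split_pointers(code, base_va=0):
    """Find imm32/disp32 pairs whose sum points into KUSER_SHARED_DATA.

    Returns one dict per hit: VA of the first instruction, both constants,
    the recovered effective address and the field it names (if known).
    """
    hits = []
    for m in SPLIT_POINTER.finditer(code):
        imm = struct.unpack("<I", m.group(1))[0]
        disp = struct.unpack("<I", m.group(2))[0]
        ea = (imm + disp) & 0xFFFFFFFF          # wrap like a 32-bit add
        if KUSER_SHARED_DATA <= ea < KUSER_SHARED_DATA + PAGE_SIZE:
            off = ea - KUSER_SHARED_DATA
            hits.append({"va": base_va + m.start(), "imm": imm, "disp": disp, "ea": ea,
                         "field": KUSER_FIELDS.get(off, f"offset 0x{off:X}")})
    return hits

# Constructed sample: the bytes behind the four listed instructions, padded
# with NOPs so the scanner has to locate them. The base is chosen so the
# pair sits at 004011A6 as in the listing.
SAMPLE_TEXT = (b"\x90" * 6
               + b"\xBA\x8E\xAE\xC7\x67"       # mov edx, 67C7AE8Eh
               + b"\x8B\x9A\x72\x54\x36\x18"   # mov ebx, [edx+18365472h]
               + b"\x4B"                       # dec ebx
               + b"\xFF\xD3"                   # call ebx
               + b"\x90" * 4)
SAMPLE_BASE = 0x4011A0

if __name__ == "__main__":
    for h in resolve_split_pointers(SAMPLE_TEXT, SAMPLE_BASE):
        print(f"{h['va']:08X}: {h['imm']:08X} + {h['disp']:08X} = {h['ea']:08X}"
              f" -> KUSER_SHARED_DATA.{h['field']}")
```

The same approach works on a whole .text section dumped from the unpacked DLL: the pattern is tied to the register choice in this sample, so a different compiler or obfuscator would need its own encoding added, but the idea of adding the halves and checking the page is general.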
The file decrypted and loaded in the first stage carries the whole payload. It creates two values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32: ID and Unique (filled with a random string); the Winlogon\Notify key is where Winlogon notification packages are registered, a well-known persistence location on pre-Vista Windows. After that it builds a GET request by an algorithm I could not pin down (most likely random). The next step is to download encrypted data from the network, not via InternetReadFile or URLDownloadToFile but with the basic Windows Sockets calls: connect, send, recv. The requested URL is different every time, and so is the data received, which suggests that the response depends on the URL requested. After decoding, the received data turns out to be two PE files in memory. The first of them is saved to disk and started; the fate of the second is a bit more interesting. The Trojan launches an svchost process, injects the second file into it with WriteProcessMemory, and transfers control to its code.
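As an added example (my code, not the author's sample or anything from the post), here is Python for two steps the post describes: carving the two PE files out of the decoded download, and laying a carved file out in memory the way the first stage does with VirtualAlloc and several memcpy calls. The PEs it works on are constructed test input built by build_pe and stand in for the real payloads; the mapping step stops at copying headers and sections and does not process relocations or imports.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
FILE_HDR_SIZE = 20          # IMAGE_FILE_HEADER
SECTION_HDR_SIZE = 40       # IMAGE_SECTION_HEADER
PE32_MAGIC = 0x10B          # the post's samples are 32-bit

def parse_pe(buf, off):
    """Parse a PE32 at buf[off:]. Returns a dict, or None if it is not one."""
    if buf[off:off + 2] != IMAGE_DOS_SIGNATURE or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    if e_lfanew > 0x1000 or nt + 88 > len(buf) or buf[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    nsec, size_opt = struct.unpack_from("<H12xH", buf, nt + 6)
    opt = nt + 4 + FILE_HDR_SIZE
    if struct.unpack_from("<H", buf, opt)[0] != PE32_MAGIC:
        return None
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    sections, sh = [], opt + size_opt
    for _ in range(nsec):
        if sh + SECTION_HDR_SIZE > len(buf):
            return None
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, sh)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
        sh += SECTION_HDR_SIZE
    # On-disk size: the end of the farthest section's raw data (or just the headers).
    file_size = max([size_of_headers] + [s["rawptr"] + s["rawsize"] for s in sections])
    return {"offset": off, "file_size": file_size, "entry": entry, "image_base": image_base,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}

def carve_pes(blob):
    """Return every complete PE found in blob, each with its raw bytes attached."""
    found, pos = [], 0
    while (pos := blob.find(IMAGE_DOS_SIGNATURE, pos)) >= 0:
        pe = parse_pe(blob, pos)
        if pe and pos + pe["file_size"] <= len(blob):
            pe["raw"] = bytes(blob[pos:pos + pe["file_size"]])
            found.append(pe)
            pos += pe["file_size"]      # do not re-scan inside the carved file
        else:
            pos += 1                    # a stray "MZ" that is not a PE header
    return found

def map_image(pe):
    """Lay a carved PE out as it sits in memory: the VirtualAlloc + memcpy step.

    Headers go to RVA 0 and each section from PointerToRawData to its
    VirtualAddress; the gaps stay zero. Relocations and imports are not
    handled here; a manual loader fixes those afterwards.
    """
    raw, image = pe["raw"], bytearray(pe["size_of_image"])
    image[0:pe["size_of_headers"]] = raw[:pe["size_of_headers"]]
    for s in pe["sections"]:
        n = s["rawsize"] if s["vsize"] == 0 else min(s["rawsize"], s["vsize"])
        if s["va"] + n > len(image):
            raise ValueError(f"section {s['name']} exceeds SizeOfImage")
        image[s["va"]:s["va"] + n] = raw[s["rawptr"]:s["rawptr"] + n]
    return bytes(image)

def build_pe(text, data, file_align=0x200, sect_align=0x1000):
    """Build a minimal well-formed PE32 with .text and .data (constructed test input)."""
    align = lambda v, a: (v + a - 1) // a * a
    size_opt = 0xE0                                       # standard PE32 optional header
    size_of_headers = align(0x40 + 4 + FILE_HDR_SIZE + size_opt + 2 * SECTION_HDR_SIZE, file_align)
    text_raw, data_raw = align(len(text), file_align), align(len(data), file_align)
    text_va = sect_align
    data_va = text_va + align(len(text), sect_align)
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, text_va)              # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)
    struct.pack_into("<II", opt, 56, data_va + align(len(data), sect_align), size_of_headers)
    sect = lambda n, vs, va, rs, rp, fl: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
    secs = (sect(b".text", len(text), text_va, text_raw, size_of_headers, 0x60000020)
            + sect(b".data", len(data), data_va, data_raw, size_of_headers + text_raw, 0xC0000040))
    headers = (bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + secs).ljust(size_of_headers, b"\0")
    return headers + text.ljust(text_raw, b"\0") + data.ljust(data_raw, b"\0")

# Constructed stand-in for the decoded download: two PEs with junk around them
# and a stray "MZ" that is not a real header.
PE_A = build_pe(b"\xCC" * 0x20, b"first payload, dropped to disk\0")
PE_B = build_pe(b"\x90" * 0x40, b"second payload, injected into svchost\0")
DECODED_BLOB = b"\x17" * 37 + PE_A + b"MZ\0junk" + PE_B + b"\xA5" * 11

if __name__ == "__main__":
    for pe in carve_pes(DECODED_BLOB):
        print(f"PE at blob offset {pe['offset']}: {pe['file_size']} bytes on disk, "
              f"{pe['size_of_image']:#x} mapped, sections {[s['name'] for s in pe['sections']]}")
```

A real decoded buffer from the sample is handed to carve_pes the same way. The stray MZ in the constructed blob is there to show why the signature alone is not enough: the e_lfanew and PE\0\0 checks are what separate a header from two bytes that happen to read MZ.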

In total: the spam carried a link to a page that apparently contained malicious code which downloaded and launched a file on the victim's computer. As a result of that file's work, WinNt32.dll appeared on the victim's disk; it received two encrypted files over the network, one of which was saved and launched, and the other injected into svchost.

I am now analyzing the functionality of the downloaded files. Stay tuned!

Source: https://habr.com/ru/post/26714/

