OpenRCE_RolfRolles
February 14th, 2008, 23:26
From time to time I notice an obvious spam account in the "Active in Last 5 Minutes" box or on the 'Users' page. This one in particular ("http://www.openrce.org/profile/view/financialaidsfortarrantcountycommunitycollege") caught my attention. You can see several pages of links to useless things (such as "poster of vin diesel in shower"), with all of those links pointing to .cn domains. I figured I'd be infected by malware if I visited one of the sites, so I opened up the link inside of a VM.
It was not at all surprising when the page ran a fake spyware scan and then urged me to install its anti-spyware product to get rid of all of the dangerous rootkits infecting my system. The webpage serves you a small downloader which is packed with something I've never seen before. All in all the packer is trivial, but it uses an anti-debug trick that I hadn't seen before:
Code:
.text:004042F7 push 0
.text:004042F9 call dword ptr [eax] ; <- msvcrt!_CIacos
.text:004042FB mov edx, eax ; <- eax = 0x00321EA8
.text:004042FD imul edx, 10000h ; <- edx = 0x1EA80000
...
.text:004042D8 push 0E1A8A200h
.text:004042DD pop esi
.text:004042DE add esi, edx ; <- esi = 0x0050A200, read-only memory
.text:004042E0 mov edi, esi
.text:004042E2
.text:004042E2 loc_4042E2:
.text:004042E2 lodsd
.text:004042E3 xor eax, 0C2EA41h
.text:004042E8 stosd ; <- access violation writing to read-only memory
.text:004042E9 loop loc_4042E2
[EDIT 02/14: apparently the up arrow in the ; CODE XREF was causing problems with WoodMann's blog imports]
If, on line 004042DE, you modify the register esi to instead contain 0x0040A200 (e.g. subtract 0x00100000), unpacking proceeds as usual. Therefore I surmised that msvcrt!_CIacos(0) returns 0x00321E98 if a debugger is not present, 0x00321EA8 otherwise. I wrote a small test application that confirms this behavior. Comments on this point would be appreciated.
The downloader installs itself as an autorun in the registry, downloads a file off of some Californian webserver, runs it, and then writes out a hard-coded file called c:\Program Files\SpyShredder\SpyShredder.lic. There are only three non-library functions inside of the downloader, so it makes for pretty quick work, although it's MSVC on high optimization settings so the instruction scheduling and inlined string operations are a bit hard to read.
At this point all of the "SpyShredder" references caught my attention, so I googled it and submitted the samples to VirusTotal. I stopped analyzing when I saw that F-Secure ("http://www.f-secure.com/sw-desc/renos.shtml") has a pretty good write-up on it -- it's one of those trojans that pops up many official-looking nag windows warning you about the sky falling, and promises that the windows will go away if you pay up. There's a technical term for that behavior. The United States' Federal Trade Committee calls it "extortion" ("http://edition.cnn.com/2003/TECH/internet/11/07/microsoft.popup.reut/index.html").
The moral of the story? Spamming malware onto a site for professional reverse engineers is plain stupid.
https://www.openrce.org/blog/view/1043/SpyShredder_Malware_Spammed_on_OpenRCE
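Added example, not code from the post or from the malware: the register arithmetic at 004042FB..004042DE and the decode loop at loc_4042E2 re-implemented in C, so the two eax values the post reports (0x00321E98 without a debugger, 0x00321EA8 with one) can be checked offline without running the sample. The constants 0xE1A8A200, 0xC2EA41 and the writable target 0x0040A200 come from the listing; the packed sample buffer is constructed here and is not the downloader's real image, and nothing below reproduces the _CIacos behaviour itself, only what the stub does with whatever that call leaves in eax.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constants lifted from the disassembly in the post. */
#define PACKER_BASE    0xE1A8A200u  /* push 0E1A8A200h / pop esi             */
#define PACKER_XOR_KEY 0x00C2EA41u  /* xor eax, 0C2EA41h                     */
#define UNPACK_TARGET  0x0040A200u  /* esi value at which unpacking proceeds */

/* Emulates .text:004042FB..004042DE on a 32-bit register file:
 *   edx = eax * 0x10000     (imul keeps only the low 32 bits)
 *   esi = 0xE1A8A200 + edx  (add wraps modulo 2^32)
 * eax is whatever msvcrt!_CIacos(0) left there. */
uint32_t unpack_target(uint32_t eax_after_ciacos)
{
    uint32_t edx = eax_after_ciacos * 0x10000u;
    return PACKER_BASE + edx;
}

/* 1 when the computed esi is the address the post identifies as the working
 * target, 0 when it lands elsewhere (the debugger case: 0x00100000 higher,
 * in memory the stub cannot write). */
int unpack_would_succeed(uint32_t eax_after_ciacos)
{
    return unpack_target(eax_after_ciacos) == UNPACK_TARGET;
}

/* The loop at loc_4042E2 (lodsd / xor eax, 0C2EA41h / stosd / loop) with
 * esi == edi, i.e. an in-place dword XOR over ecx dwords.  Returns the number
 * of dwords touched. */
size_t decode_in_place(uint32_t *buf, size_t ndwords)
{
    for (size_t i = 0; i < ndwords; i++)
        buf[i] ^= PACKER_XOR_KEY;
    return ndwords;
}

/* Constructed sample (not taken from the malware): the first dwords of a
 * plausible PE image, XOR-"packed" with the same key and then run through
 * the decode loop.  Returns 1 if every dword is restored and the first two
 * bytes read back as the "MZ" signature. */
int decode_roundtrip_ok(void)
{
    const uint32_t plain[4] = { 0x00905A4Du, 0x00000003u, 0x00000004u, 0x0000FFFFu };
    uint32_t packed[4];
    size_t i;

    for (i = 0; i < 4; i++)
        packed[i] = plain[i] ^ PACKER_XOR_KEY;   /* what a packer would store */

    decode_in_place(packed, 4);                  /* the stub's decode loop */

    for (i = 0; i < 4; i++)
        if (packed[i] != plain[i])
            return 0;
    return (packed[0] & 0xFFFFu) == 0x5A4Du;     /* 'M','Z' little-endian */
}

int main(void)
{
    /* The two eax values the post reports: without and with a debugger. */
    const uint32_t eax_values[2] = { 0x00321E98u, 0x00321EA8u };
    int i;

    for (i = 0; i < 2; i++) {
        uint32_t esi = unpack_target(eax_values[i]);
        printf("eax = 0x%08X -> esi = 0x%08X  %s\n", eax_values[i], esi,
               unpack_would_succeed(eax_values[i])
                   ? "(target reached, unpacking proceeds)"
                   : "(0x100000 past the target, stosd would fault)");
    }
    printf("decode loop round-trip: %s\n", decode_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The point the emulation makes explicit is that the stub never branches on a debugger check: it folds the eax value into the destination pointer, so a 0x10 difference in the return value becomes a 0x00100000 shift after the imul and the write simply faults. That is why patching esi at 004042DE (or fixing eax after the call) is enough to get the unpacking to run.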