So, I decided to change blogs to the feature-rich WordPress. My new blog can be found at http://kynox.wordpress.com/

So, as per usual in Mimic's "offence" on Warden, they achieved quite the spectacle. The resulting hilarity was the hooking of VirtualQueryEx. Sure, nothing wrong with that, right? Wrong: they're also hooking VirtualQuery for good measure. Let's take a look at what VirtualQuery actually does...

76126201 >  8BFF            mov edi,edi
76126203    55              push ebp
76126204    8BEC            mov ebp,esp
76126206    FF75 10         push dword ptr ss:[ebp+10]
76126209    FF75 0C         push dword ptr ss:[ebp+C]
7612620C    FF75 08         push dword ptr ss:[ebp+8]
7612620F    6A FF           push -1
76126211    E8 BAFFFFFF     call kernel32.VirtualQueryEx
76126216    5D              pop ebp
76126217    C2 0C00         retn 0C

So in summary, they're hooking redundant API: as the listing shows, VirtualQuery does nothing but forward its three arguments plus -1 (the GetCurrentProcess() pseudo-handle) to VirtualQueryEx, so a hook on VirtualQueryEx already sees every VirtualQuery call, and the second hook only adds another detour for Warden to trip over. They also hook the window-finding API (which, might I add, is pointless).
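As an added example (not from the original post, and not Mimic's or Warden's code), here is the kind of prologue check that makes a detour like this trivial to spot: take the clean VirtualQuery prologue from the listing above, plant the two common hook shapes on it (a 5-byte `jmp rel32` and the hot-patch `jmp short -7` that replaces `mov edi,edi`), and classify the result. The kernel32 image range is a hypothetical value used only to decide whether a jump target leaves the module; the function address is the one from the listing.

```python
import struct
from typing import Optional

# Constructed from the disassembly above: the untouched prologue of
# kernel32!VirtualQuery (mov edi,edi / push ebp / mov ebp,esp / push [ebp+10] /
# push [ebp+C] / push [ebp+8] / push -1 / call VirtualQueryEx).
VIRTUALQUERY_ADDR = 0x76126201
VIRTUALQUERY_CLEAN = bytes.fromhex("8BFF558BECFF7510FF750CFF75086AFFE8BAFFFFFF")

# Hypothetical image range for kernel32 in that process (assumption, not from
# the page); only used to decide whether a jmp target leaves the module.
KERNEL32_RANGE = (0x76100000, 0x761E0000)

HOTPATCH_PROLOGUE = b"\x8b\xff\x55\x8b\xec"   # mov edi,edi; push ebp; mov ebp,esp


def hook_type(code: bytes, addr: int, module_range=KERNEL32_RANGE) -> Optional[str]:
    """Classify the first bytes of an exported function.

    Returns None for the untouched hot-patchable prologue, otherwise a short
    description of the detour that replaced it.
    """
    lo, hi = module_range
    if code.startswith(HOTPATCH_PROLOGUE):
        return None
    if code.startswith(b"\xeb\xf9"):
        # jmp short -7 lands in the 5-byte padding in front of the function,
        # where a hot-patch style hook plants its long jmp
        return "hotpatch short jmp"
    if code[0] == 0xE9 and len(code) >= 5:
        rel = struct.unpack_from("<i", code, 1)[0]          # signed rel32
        target = (addr + 5 + rel) & 0xFFFFFFFF             # relative to end of jmp
        where = "inside" if lo <= target < hi else "outside"
        return f"jmp rel32 to {target:#010x} ({where} module)"
    if code.startswith(b"\xff\x25") and len(code) >= 6:
        slot = struct.unpack_from("<I", code, 2)[0]
        return f"jmp [{slot:#010x}] (absolute indirect)"
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:
        target = struct.unpack_from("<I", code, 1)[0]
        return f"push/ret to {target:#010x}"
    return "unexpected prologue"


def plant_jmp_rel32(code: bytes, addr: int, hook_addr: int) -> bytes:
    """What a classic 5-byte detour does to the prologue: overwrite the first
    five bytes with jmp rel32 (E9 + displacement from the end of the jmp)."""
    rel = (hook_addr - (addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel) + code[5:]


def plant_hotpatch(code: bytes) -> bytes:
    """Hot-patch style hook: only mov edi,edi is replaced, by jmp short -7."""
    return b"\xeb\xf9" + code[2:]


if __name__ == "__main__":
    # 0x00401000 stands in for a hook living inside an injected DLL (constructed)
    hooked = plant_jmp_rel32(VIRTUALQUERY_CLEAN, VIRTUALQUERY_ADDR, 0x00401000)
    for name, buf in (("clean", VIRTUALQUERY_CLEAN),
                      ("detour", hooked),
                      ("hotpatch", plant_hotpatch(VIRTUALQUERY_CLEAN))):
        print(f"{name:9}: {hook_type(buf, VIRTUALQUERY_ADDR) or 'no hook'}")
```

The same comparison can be run against the on-disk copy of the DLL instead of a hard-coded prologue, which is essentially what Hookshark does; the point is that every extra hook is one more prologue that no longer matches.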

Attached are Hookshark images showing how easily detectable Mimic is. (Yes, you can see my WardenLogger; woopty doo!)

Image #1
Image #2

RCE Analysis

So here's that follow-up post I promised you guys. The main reason for posting an analysis of this key stealer is that, at the time of writing, it is not detected by any virus scanner; see VirusTotal.

The executable itself weighs in at 44,544 bytes (43.5 KB). Not unexpected for an executable whose sole purpose is to steal all your passwords; we'll get into that later.


The key stealer implements a simple string obfuscation scheme. Every API name it needs is stored encrypted in a global variable and is XOR-decrypted in place at runtime, right before the name is used. Before the call:

.data:004060F8 aVirtualallocex db 'ŒÍ÷Š�«ÆöÍ‚Š',0FFh,'€ú',0 ; DATA XREF: DecryptString+2o
After the call:
.data:004060F8 aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: DecryptString+2o

IDC Script:

// IDA IDC script: decrypt one obfuscated API name in place.
// The key array lives at 0x4060A4 (36 bytes) and the encrypted
// "VirtualAllocEx" at 0x4060F8 (14 bytes). The key index is never
// wrapped, mirroring the sample's own routine.
static main()
{
    auto dwString, dwSize, dwKey, i;   // IDC needs every local declared with auto
    dwKey = 0x4060A4;
    dwString = 0x4060F8;
    dwSize = 0xE;
    for( i = 0; i < dwSize; i++ )
        PatchByte( dwString+i, ( Byte(dwString + i) ^ Byte(dwKey + i) ) );
}

The decryption routine simply uses a 36-byte key, XORing each byte of the string with the key byte at the same index. The key index is never wrapped, so the routine would fall apart on any string longer than 36 bytes. Once the API names are recovered, the stealer grabs its payload from its resource section. Below is an 010 Editor script to decrypt the payload; it reads its key from the first 0xED8 bytes of the file itself.
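As an added example (my own re-implementation, not the stealer's code or the IDC script above), here is the same API-name decryption in Python, generalised to walk a run of back-to-back NUL-terminated strings and to refuse anything longer than the key, which is exactly the case the stealer's routine cannot handle. The key bytes, the layout of the `.data` image and all names other than VirtualAllocEx are constructed for the example; the real key is not reproduced on this page.

```python
KEY_LEN = 36  # the stealer's XOR key array is 36 bytes long


def xor_with_key(buf: bytes, key: bytes) -> bytes:
    """XOR buf against key byte-for-byte with no wrap-around, exactly what the
    IDC loop above does. The stealer's routine never wraps its key index
    either, so anything longer than the key cannot be handled."""
    if len(buf) > len(key):
        raise ValueError(f"{len(buf)}-byte string exceeds the {len(key)}-byte key; "
                         "the stealer's routine would run off the end of the key")
    return bytes(b ^ k for b, k in zip(buf, key))


def decrypt_cstring(data: bytes, string_off: int, key_off: int,
                    key_len: int = KEY_LEN) -> str:
    """Decrypt one NUL-terminated string inside a .data image.

    The terminator is stored in the clear (the 'before' dump above ends in a
    plain 0), so the length is just the distance to the first NUL.
    """
    end = data.index(0, string_off)
    key = data[key_off:key_off + key_len]
    return xor_with_key(data[string_off:end], key).decode("ascii")


def decrypt_all(data: bytes, first_off: int, key_off: int,
                key_len: int = KEY_LEN) -> list:
    """Decrypt every consecutive NUL-terminated string starting at first_off.
    Stops at the first empty string (two NULs in a row)."""
    out, off = [], first_off
    while off < len(data):
        end = data.index(0, off)
        if end == off:
            break
        out.append(decrypt_cstring(data, off, key_off, key_len))
        off = end + 1
    return out


# --- constructed sample .data image (the real key is not known) ---------------
# Every key byte has the high bit set, so XORing an ASCII name can never yield
# a NUL and the ciphertext stays NUL-terminated, as in the sample.
SAMPLE_KEY = bytes(0x80 | ((0x4D + 13 * i) & 0x7F) for i in range(KEY_LEN))
KEY_OFF = 0x00
STRINGS_OFF = 0x54   # same distance as 0x4060F8 - 0x4060A4 in the sample

# Only VirtualAllocEx is from the page; the other two names are illustrative.
SAMPLE_NAMES = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]


def _build_data(names):
    body = bytearray(SAMPLE_KEY) + b"\x00" * (STRINGS_OFF - KEY_LEN)
    for name in names:
        body += xor_with_key(name.encode("ascii"), SAMPLE_KEY) + b"\x00"
    return bytes(body) + b"\x00"   # trailing NUL ends the table


SAMPLE_DATA = _build_data(SAMPLE_NAMES)


if __name__ == "__main__":
    print(decrypt_cstring(SAMPLE_DATA, STRINGS_OFF, KEY_OFF))
    print(decrypt_all(SAMPLE_DATA, STRINGS_OFF, KEY_OFF))
    try:
        xor_with_key(b"A" * (KEY_LEN + 1), SAMPLE_KEY)
    except ValueError as e:
        print("refused:", e)
```

Against the real binary you would replace `SAMPLE_DATA` with the bytes of the `.data` section and the offsets with 0x4060A4 and 0x4060F8; the length check is the part worth keeping, because a name that is longer than the key would be XORed against whatever happens to follow the key in memory.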

// 010 Editor script: decrypt the payload stored inside the stealer's own file.
// The key is the first 0xED8 bytes of the file; the ciphertext starts at 0xEE8
// and is 0x4600 bytes long. Each byte is decrypted by subtracting
// (x + key[y]) % 1000, where x grows by 9 per byte and y cycles through the key.
int Offset = 0xEE8;      // start of the encrypted payload
int i = 0, y = 0, x = 0; // y: key index (wraps at 0xED8), x: running counter
int Modified;            // int, so the subtraction may go negative before the mod-256 fix-up
for( i = 0; i < 0x4600; i++ )
{
    if ( y >= 0xED8 )
        y = 0;

    // ReadByte() returns a signed byte in 010; kept as in the original script
    Modified = ReadByte( Offset + i );
    Modified -= (x + ReadByte( y )) % 0x3E8;

    // Reduce a negative result modulo 256 (adds the next multiple of 256 above -Modified)
    if ( Modified < 0 )
        Modified += ( 255 - Modified ) >> 8 << 8;

    WriteByte( Offset + i, Modified & 0xFF );
    x += 9;
    y++;
}

Presuming decryption succeeds, it creates a suspended process from its own image and hijacks the CRT start-up code so that execution is redirected into the decrypted payload. The payload reads its resource to obtain the FTP host, user and password and to pick its password-dumping routines. Likewise, here is an 010 Editor script to decrypt those strings.

// 010 Editor script: decode the FTP host, user and password strings.
// Each byte is XORed with a 1..5 counter (i % 5 + 1), restarting at 1 for
// every string. The strings are NUL-terminated in the file, so ReadString()
// fetches the right length. Arrays are passed by reference in 010 scripts,
// so the buffer is decoded in place and nothing needs to be returned.
void ApplyXoring( char Buf[], int Len )
{
    int i = 0;
    for( i = 0; i < Len; i++ )
        Buf[i] ^= i % 5 + 1;
}

char strHost[] = ReadString( 0x7063 );
ApplyXoring( strHost, Strlen( strHost ) );
Printf( "Host: %s\n", strHost );

char strUser[] = ReadString( 0x7095 );
ApplyXoring( strUser, Strlen( strUser ) );
Printf( "User: %s\n", strUser );

char strPwd[] = ReadString( 0x70B5 );
ApplyXoring( strPwd, Strlen( strPwd ) );
Printf( "Pwd:  %s\n", strPwd );
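As an added example covering both the payload decryption and the config-string decoding above (my own re-implementation, not the stealer's code or the two 010 scripts), here is the whole chain in Python: build a sample image with a constructed key and payload, decrypt it, and pull the FTP host, user and password out of the result. It reproduces the arithmetic of the first script as written: key bytes are read as signed (as 010's `ReadByte()` does) and the `%` is assumed to be C-style truncating remainder; an encryptor is included so the decryption can be checked by round trip instead of by eye. The sample key, the config values and their offsets inside the payload are constructed for the example.

```python
# Layout constants taken from the two 010 scripts above.
KEY_LEN = 0xED8        # the key is the first 0xED8 bytes of the stealer itself
PAYLOAD_OFF = 0xEE8    # encrypted payload starts here ...
PAYLOAD_LEN = 0x4600   # ... and is this long


def c_rem(a: int, m: int) -> int:
    """C-style remainder (truncating, keeps the sign of a), assumed to be what
    the 010 script's '%' does; Python's own '%' would floor instead."""
    r = abs(a) % m
    return -r if a < 0 else r


def _keystream(key: bytes, n: int):
    """Yield the per-byte value (x + key[y]) % 1000 with x += 9 and y cycling
    through the key. Key bytes are read as signed, mirroring ReadByte()."""
    x, y = 0, 0
    for _ in range(n):
        if y >= len(key):
            y = 0
        k = key[y] - 256 if key[y] >= 0x80 else key[y]
        yield c_rem(x + k, 0x3E8)
        x += 9
        y += 1


def decrypt_payload(image: bytes, off: int = PAYLOAD_OFF, n: int = PAYLOAD_LEN,
                    key_len: int = KEY_LEN) -> bytes:
    """Subtract the keystream byte-wise, modulo 256 (the script's fix-up)."""
    key = image[:key_len]
    ct = image[off:off + n]
    return bytes((c - s) & 0xFF for c, s in zip(ct, _keystream(key, n)))


def encrypt_payload(key: bytes, pt: bytes) -> bytes:
    """Inverse of decrypt_payload; used to build a test image for a round trip."""
    return bytes((p + s) & 0xFF for p, s in zip(pt, _keystream(key, len(pt))))


def decode_cfg_string(buf: bytes, off: int) -> str:
    """FTP host/user/password strings: NUL-terminated, each byte XORed with
    i % 5 + 1, the counter restarting at 1 for every string."""
    end = buf.index(0, off)
    return bytes(b ^ (i % 5 + 1) for i, b in enumerate(buf[off:end])).decode("ascii")


def encode_cfg_string(s: str) -> bytes:
    # XOR is its own inverse; keys 1..5 on printable ASCII never produce a NUL,
    # so the terminator stays unambiguous
    return bytes(b ^ (i % 5 + 1) for i, b in enumerate(s.encode("ascii"))) + b"\x00"


# --- constructed sample (the real stealer binary is not reproduced here) ------
SAMPLE_KEY = bytes((i * 73 + 19) & 0xFF for i in range(KEY_LEN))   # includes bytes >= 0x80
SAMPLE_CFG = {"host": "ftp.example.invalid", "user": "dropzone", "pwd": "hunter2"}

# plaintext payload: a repeating byte ramp with the encoded config strings at 0x100
_pt = bytearray(bytes(range(256)) * (PAYLOAD_LEN // 256))
CFG_OFFSETS = {}
_pos = 0x100
for _name, _val in SAMPLE_CFG.items():
    _enc = encode_cfg_string(_val)
    _pt[_pos:_pos + len(_enc)] = _enc
    CFG_OFFSETS[_name] = _pos
    _pos += len(_enc)
SAMPLE_PLAINTEXT = bytes(_pt)
SAMPLE_IMAGE = (SAMPLE_KEY + b"\x00" * (PAYLOAD_OFF - KEY_LEN)
                + encrypt_payload(SAMPLE_KEY, SAMPLE_PLAINTEXT))


def recovered_config(image: bytes = SAMPLE_IMAGE) -> dict:
    """Decrypt the payload and decode the three config strings from it."""
    payload = decrypt_payload(image)
    return {name: decode_cfg_string(payload, off) for name, off in CFG_OFFSETS.items()}


if __name__ == "__main__":
    assert decrypt_payload(SAMPLE_IMAGE) == SAMPLE_PLAINTEXT
    for k, v in recovered_config().items():
        print(f"{k}: {v}")
```

On the real sample you would pass the bytes of the executable as `image` and the string offsets from the 010 script instead of `CFG_OFFSETS`; the round trip is there so that a mistake in the signed-byte or remainder handling shows up as a failed assertion rather than as a dump full of garbage.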

In terms of which applications it steals from, it covers at the very least MSN Messenger, Steam, Firefox stored passwords, Internet Explorer passwords and many more. Anyone who runs this application (and whose firewall doesn't block it) has their credentials uploaded to an FTP server of the author's choosing.

All in all, this key stealer is fairly sophisticated, but towards the end it seems the author got lazy, especially with the string XORing.

A note to those infected:
It does not appear to create any start-up entries; it is purely a run-once affair. Pardon my French, but you're fucked.

Introduction

Well. Apparently the new craze is to blog about crap no one really cares about, but which they will instinctively read anyway.

Following this post, either today or tomorrow I will be posting my reversing of a virus which was posted on MMOwned earlier today. The mods did their job well and got rid of it quickly; however, about 10 users managed to fall for it.

See you on the flip side o_O