RCE Analysis

So here's that follow-up post I promised you guys. The main reason for posting an analysis of this key stealer is that it is undetected by any virus scanner; see: VirusTotal.

The executable itself weighs in at 44,544 bytes (43.5KB). Not too unexpected for an executable whose sole purpose is to steal all your passwords, though we'll get into that later.


The key stealer implements a simple string obfuscation scheme. When it needs to call an API, it references a global variable holding the encrypted API name, which is un-XORed in place at runtime.

Before call:

.data:004060F8 aVirtualallocex db 'ŒÍ÷Š�«ÆöÍ‚Š',0FFh,'€ú',0 ; DATA XREF: DecryptString+2o

After call:

.data:004060F8 aVirtualallocex db 'VirtualAllocEx',0 ; DATA XREF: DecryptString+2o

IDC Script:

static main()
{
    auto i, dwString, dwSize, dwKey;   // IDC requires every local, including the loop counter, to be declared with 'auto'
    dwKey    = 0x4060A4;   // address of the 36-byte XOR key in .data
    dwString = 0x4060F8;   // address of the encrypted string (aVirtualallocex)
    dwSize   = 0xE;        // length of the string: 14 bytes for "VirtualAllocEx"
    for( i = 0; i < dwSize; i++ )
        // decrypt in place: byte i of the string XOR byte i of the key
        PatchByte( dwString+i, ( Byte(dwString + i) ^ Byte(dwKey + i) ) );
}

The decryption routine simply uses a 36-byte key, XORing each byte of the string with the corresponding entry in the key array; the key is never wrapped, so the routine would fail on any string longer than 36 bytes. Once that is done, the stealer grabs its payload from its resource section. Below is an 010 Editor script to decrypt the payload.

int Offset = 0xEE8;      // file offset of the encrypted resource
int i = 0, y = 0, x = 0; // y indexes the key bytes at the start of the file, x is a running counter
byte Modified;           // 010's 'byte' is signed, hence the negative check below
for( i = 0; i < 0x4600; i++ )
{
    if ( y >= 0xED8 )    // the key region is 0xED8 bytes long; wrap around
        y = 0;

    // subtract (counter + key byte) mod 1000 from the ciphertext byte
    Modified = ReadByte( Offset + i );
    Modified -= (x + ReadByte( y )) % 0x3E8;

    if ( Modified < 0 )
        Modified += ( 255 - Modified ) >> 8 << 8;

    WriteByte( Offset + i, Modified );
    x += 9;
    y++;
}
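A Python port of the decryption loop above, added here as an illustration; it is not code from the original post. It follows the 010 script's arithmetic literally: key and ciphertext bytes are read as 010's signed byte, the remainder uses C's truncating rule (which differs from Python's %), and the script's negative-value fix-up adds 256, which a byte cannot hold, so it reduces to a wrap at 256. The offsets and sizes are the ones in the post; the image used in the test is constructed. The MZ check at the end is my assumption that the decrypted resource is a PE image, which the post does not state.

```python
# Added example: Python port of the 010 Editor resource-decryption script.
# Offsets/sizes come from the post; the test image is constructed, not the real sample.

RESOURCE_OFFSET = 0xEE8   # file offset of the encrypted resource (from the post)
RESOURCE_SIZE   = 0x4600  # number of bytes decrypted (from the post)
KEY_REGION      = 0xED8   # key bytes are file offsets 0..0xED7, reused cyclically
STEP            = 9       # the running counter x advances by 9 per byte
MODULUS         = 0x3E8   # (x + key byte) is reduced mod 1000 before subtraction


def _signed(b: int) -> int:
    """Interpret a raw byte the way 010's signed 'byte' type does."""
    return b - 256 if b > 127 else b


def _c_mod(a: int, n: int) -> int:
    """C-style remainder (sign follows the dividend), unlike Python's '%'."""
    r = abs(a) % n
    return -r if a < 0 else r


def keystream_value(i: int, image: bytes, key_len: int = KEY_REGION) -> int:
    """Amount subtracted from ciphertext byte i: (9*i + signed key byte) C-mod 1000."""
    x = STEP * i                       # x starts at 0 and grows by STEP each iteration
    k = _signed(image[i % key_len])    # y wraps at key_len, so y == i % key_len
    return _c_mod(x + k, MODULUS)


def decrypt_resource(image: bytes, offset: int = RESOURCE_OFFSET,
                     size: int = RESOURCE_SIZE, key_len: int = KEY_REGION) -> bytes:
    """Decrypt 'size' bytes at 'offset', keyed by the image's own first key_len bytes."""
    out = bytearray()
    for i in range(size):
        c = _signed(image[offset + i])
        # the script's '+= 256' branch is a no-op on a byte, so a plain wrap is exact
        out.append((c - keystream_value(i, image, key_len)) & 0xFF)
    return bytes(out)


def encrypt_resource(plain: bytes, key_material: bytes) -> bytes:
    """Inverse of decrypt_resource, used only to build a constructed test image
    (key material first, ciphertext immediately after)."""
    return bytes((p + keystream_value(i, key_material, len(key_material))) & 0xFF
                 for i, p in enumerate(plain))


def looks_like_pe(blob: bytes) -> bool:
    """Analyst sanity check on the output. Assumption: the payload is a PE image."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    dec = decrypt_resource(data)
    print("MZ header present:", looks_like_pe(dec))
    with open(sys.argv[1] + ".dec", "wb") as f:
        f.write(dec)
```

Run it as `python decrypt_resource.py sample.bin` to write `sample.bin.dec`; the MZ check tells you immediately whether the offsets were right for the file you fed it, which is the first thing to verify before loading the result in a disassembler.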

Presuming decryption is successful, it creates a suspended process from itself and hijacks the CRT loader to redirect control flow into the payload. The payload uses its resource to determine the FTP host, user and password, as well as the various password-dumping routines. Likewise, here is an 010 Editor script to decrypt those strings.

// XOR each byte with (its index mod 5) + 1; the operation is its own inverse
char[] ApplyXoring( char Buf[], int Len )
{
    int i = 0;
    for( i = 0; i < Len; i++ )
        Buf[i] ^= i % 5 + 1;
    return Buf;
}

// offsets of the NUL-terminated FTP credentials inside the decrypted payload
char strHost[] = ReadString( 0x7063 );
ApplyXoring( strHost, Strlen( strHost ) );
Printf( "%s\n", strHost );

char strUser[] = ReadString( 0x7095 );
ApplyXoring( strUser, Strlen( strUser ) );
Printf( "%s\n", strUser );

char strPwd[] = ReadString( 0x70B5 );
ApplyXoring( strPwd, Strlen( strPwd ) );
Printf( "%s\n", strPwd );
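Both string schemes in one place, as an added example that is not code from the original post: the loader's fixed 36-byte key table (with the length limit noted earlier, and the known-plaintext trick an analyst uses to pull the key back out of a string like VirtualAllocEx), and the payload's position-dependent XOR. The last function goes slightly beyond the 010 script above: instead of three hard-coded offsets it walks every NUL-terminated run in a blob and keeps whatever decodes to printable ASCII. All key bytes and strings in the test are constructed.

```python
# Added example: the key stealer's two string-obfuscation schemes in Python.
# Key bytes and sample strings are constructed, not taken from the sample.

KEY_LEN = 36  # the loader's API-name key is 36 bytes and is never wrapped


def decrypt_api_name(enc: bytes, key: bytes) -> bytes:
    """Scheme 1 (loader): byte i of the string XOR byte i of the fixed key table.
    Mirrors the original's limitation: a string longer than the key cannot be decrypted."""
    if len(enc) > len(key):
        raise ValueError(f"string of {len(enc)} bytes exceeds the {len(key)}-byte key")
    return bytes(c ^ k for c, k in zip(enc, key))


def recover_key_prefix(enc: bytes, known_plain: bytes) -> bytes:
    """Known-plaintext recovery: XOR is its own inverse, so ciphertext XOR plaintext
    yields the key bytes used at those positions (14 of them for 'VirtualAllocEx')."""
    if len(enc) != len(known_plain):
        raise ValueError("ciphertext and known plaintext must be the same length")
    return bytes(c ^ p for c, p in zip(enc, known_plain))


def xor_payload_string(buf: bytes) -> bytes:
    """Scheme 2 (payload): byte i XOR (i % 5 + 1). Self-inverse, so it encrypts and decrypts."""
    return bytes(b ^ (i % 5 + 1) for i, b in enumerate(buf))


def _printable(s: bytes) -> bool:
    return len(s) > 0 and all(0x20 <= b < 0x7F for b in s)


def find_config_strings(blob: bytes, min_len: int = 4) -> list:
    """Generalisation of the three fixed offsets in the 010 script: apply scheme 2 to
    every NUL-terminated run (indexing from the run's start, as the stealer does) and
    return (offset, text) for the runs that decode to printable ASCII."""
    results = []
    pos = 0
    for run in blob.split(b"\x00"):
        if len(run) >= min_len:
            dec = xor_payload_string(run)
            if _printable(dec):
                results.append((pos, dec.decode("ascii")))
        pos += len(run) + 1   # account for the NUL that split() consumed
    return results
```

The printable filter is why the scan works without knowing the offsets: a run XORed with 1..5 from the wrong starting index, or binary data, almost never lands entirely in 0x20..0x7E, while the real host, user and password do.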

In terms of which applications it steals information from, at the very least it covers MSN Messenger, Steam, Firefox stored passwords, IExplorer passwords and many more. Anyone who runs this application (and whose firewall doesn't block it) has their information published to an FTP server of the author's choosing.
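Since the whole scheme ends with a plain FTP upload, an egress check is the cheapest place to catch it. The following is an added example, not code from the original post: it reads connection-log lines in a made-up CSV layout (timestamp, process image, direction, destination, port, protocol; not any product's real format) and flags outbound FTP control connections from anything that is not a known FTP client. The process names, addresses and the allow-list are constructed.

```python
# Added example: flag outbound FTP from unexpected processes in a constructed
# connection log. Log format, process names and addresses are all made up.
import csv
import io

FTP_PORTS = {21}   # control channel only; passive data ports are negotiated and vary

# Constructed sample log: ts, process image, direction, dst ip, dst port, protocol
SAMPLE_LOG = """\
2009-06-01T10:00:01,C:\\Program Files\\FileZilla\\filezilla.exe,out,198.51.100.7,21,tcp
2009-06-01T10:00:05,C:\\Users\\bob\\Downloads\\stealer_sample.exe,out,203.0.113.9,21,tcp
2009-06-01T10:00:06,C:\\Users\\bob\\Downloads\\stealer_sample.exe,out,203.0.113.9,54321,tcp
2009-06-01T10:00:09,C:\\Windows\\explorer.exe,out,192.0.2.4,443,tcp
2009-06-01T10:00:12,C:\\Users\\bob\\Downloads\\stealer_sample.exe,in,203.0.113.9,21,tcp
"""

ALLOWED_FTP_CLIENTS = {"filezilla.exe"}   # constructed allow-list of legitimate FTP clients


def parse_log(text: str) -> list:
    """Parse the constructed CSV layout into dicts, skipping blank/malformed lines."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 6:
            continue
        ts, image, direction, dst, port, proto = rec
        rows.append({"ts": ts, "image": image, "dir": direction, "dst": dst,
                     "port": int(port), "proto": proto})
    return rows


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of both path separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_ftp_exfil(rows: list, allowed=ALLOWED_FTP_CLIENTS) -> list:
    """Outbound TCP to an FTP control port from a process not on the allow-list."""
    alerts = []
    for r in rows:
        if (r["dir"] == "out" and r["proto"] == "tcp"
                and r["port"] in FTP_PORTS
                and basename(r["image"]) not in allowed):
            alerts.append((r["ts"], basename(r["image"]), r["dst"]))
    return alerts


def block_list(alerts: list) -> set:
    """Destinations to add to an egress deny rule once an alert is confirmed."""
    return {dst for _, _, dst in alerts}


if __name__ == "__main__":
    for alert in find_ftp_exfil(parse_log(SAMPLE_LOG)):
        print("FTP egress from unexpected process:", alert)
```

The point of the allow-list is that port 21 alone is not a signal on a machine where someone legitimately uses an FTP client; the process that opened the socket is what separates the two cases, which is exactly the distinction a host firewall with per-application rules enforces.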

All in all, this key stealer was quite sophisticated, but towards the end it seems the author got lazy, especially with the string XORing.

A note to those infected:
It does not seem to create any startup entries; it runs only when launched rather than persisting. Pardon my French, but you're fucked.

2 Comments:

  1. Cypher said...
    Bitches don't know 'bout my leeb string xoring.
  2. nothinglol said...
    Have mah babies.
