Monday, 10 May 2010

Infostealer.Banker.G ripped Part 2

Welcome back to part two of the malware analysis.

When installed, this malware drops a DLL in the system folder (C:\windows\system32\msls52.dll). The DLL is packed with the same packer, and its entry point looks similar to the dropper's.
A very interesting thing about this malware is that it infects the Windows Uxtheme.dll (system folder) and renames the clean copy as Uxtheme(random char).tmp. The infected Uxtheme.dll locks the file msls52.dll; when you try to delete it you get an "access denied" message. Use the Kaspersky free removal tool to get rid of the DLL on reboot.
Since you've deleted the file msls52.dll, the infected Uxtheme.dll tries to load it at startup, gives the message "Unable to load msls52.dll" and makes your machine virtually unusable.
To make it work again, restart your machine in Windows Safe Mode with Command Prompt (press F8 on startup for the Safe Mode menu). Once you are in Safe Mode, delete/rename Uxtheme.dll and rename the Uxtheme(random char).tmp file to Uxtheme.dll. This should make your machine usable after reboot :-). Btw, the infected Uxtheme.dll is detected as W32/Patched by some vendors.

Continuing the analysis from the previous part, if you follow the calls and jumps there are a couple of interesting instructions.

00409FA2 B9 BE 80 FF 1F    mov     ecx, 1FFF80BEh
00409FA7 EB 41             jmp     short loc_409FEA
...

00409FF6 C1 E1 02          shl     ecx, 2          ; ECX is now 7FFE02F8
00409FF9 EB 67             jmp     short loc_40A062

0040A062 0F B6 09          movzx   ecx, byte ptr [ecx]

Hmmm.. ECX is now 7FFE02F8, and the code is moving the byte at the address in ECX back into the ECX register.
So what is this 7FFE02F8 anyway? 7FFE0000 is KUSER_SHARED_DATA; this address is a region of memory mapped into every process and is called SharedUserData. 7FFE0000 + 2F8 refers to TestRetInstruction. In this malware I think it's mainly used for anti-debugging or anti-emulation purposes.
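As an added example (not from the original post), here is a small Python constant-propagation pass that walks an IDA-style listing like the one above and flags any plain [reg] memory read that resolves into the SharedUserData page, naming the KUSER_SHARED_DATA field it hits; the listing it parses is constructed here, and the field offsets other than 0x2F8 are the well-known 32-bit XP-era layout.

```python
import re

# SharedUserData base and the KUSER_SHARED_DATA fields (32-bit, XP-era layout) worth
# flagging: 0x2F8 is the one the listing above resolves to, 0x2D4 the debugger flag.
SHARED_USER_DATA = 0x7FFE0000
KUSER_FIELDS = {0x2D4: "KdDebuggerEnabled", 0x2F8: "TestRetInstruction",
                0x300: "SystemCall"}
MASK32 = 0xFFFFFFFF
ALU = {"shl": lambda a, b: a << b, "add": lambda a, b: a + b, "xor": lambda a, b: a ^ b}
# IDA-style line: optional leading dot, address, opcode bytes, mnemonic, operands
LINE_RE = re.compile(r"^\.?([0-9A-Fa-f]{8})\s+(?:[0-9A-Fa-f]{2}\s+)+(\w+)\s*(.*)$")

# Constructed sample in the same shape as the post's listing.
LISTING = """00409FA2 B9 BE 80 FF 1F  mov     ecx, 1FFF80BEh
00409FA7 EB 41           jmp     short loc_409FEA
00409FF6 C1 E1 02        shl     ecx, 2
00409FF9 EB 67           jmp     short loc_40A062
0040A062 0F B6 09        movzx   ecx, byte ptr [ecx]"""

def operand_value(tok, regs):
    """Known register contents or an IDA immediate (1FFF80BEh, 0C3h, 2); None if unknown."""
    tok = tok.strip()
    if tok in regs:
        return regs[tok]
    if re.fullmatch(r"[0-9][0-9A-Fa-f]*h", tok, re.I):  # IDA hex literals start with a digit
        return int(tok[:-1], 16)
    return int(tok) if tok.isdigit() else None

def resolve_shared_data_reads(listing):
    """Propagate constants via mov/shl/add/xor; return (addr, mnemonic, pointer, field) hits."""
    regs, hits = {}, []
    for m in filter(None, map(LINE_RE.match, listing.splitlines())):
        addr, mnem, ops = m.group(1), m.group(2).lower(), m.group(3)
        parts = [p.strip() for p in ops.split(",")]
        deref = re.search(r"\[(\w+)\]", ops)
        if deref:
            ptr = regs.get(deref.group(1))
            if ptr is not None and (ptr & 0xFFFF0000) == SHARED_USER_DATA:
                off = ptr - SHARED_USER_DATA
                hits.append((addr, mnem, ptr, KUSER_FIELDS.get(off, f"offset 0x{off:X}")))
            regs.pop(parts[0], None)   # destination now holds memory contents
        elif len(parts) == 2 and (mnem == "mov" or mnem in ALU):
            val = operand_value(parts[1], regs)
            if val is None or (mnem in ALU and parts[0] not in regs):
                regs.pop(parts[0], None)   # lost track of this register
            elif mnem == "mov":
                regs[parts[0]] = val
            else:
                regs[parts[0]] = ALU[mnem](regs[parts[0]], val) & MASK32
    return hits
```

Running it over LISTING reports the movzx at 0040A062 as a read of TestRetInstruction, which is the obfuscated 1FFF80BEh shifted left by two.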
If you continue analyzing the sample in OllyDbg, Olly gets stuck at one point, unable to debug any further. You need to smartly change the control flow at this point and analyze further.
I didn't have much time to unpack this malware; as the packer in the malware uses the VirtualProtect API, I'm sure you should be able to find the unpacking routine around this area.
Hope this analysis helps you fight the bad forces.

Sunday, 9 May 2010

Infostealer.Banker.G ripped Part 1

I'll reverse engineer what Symantec calls Infostealer.Banker.G (SHA: 4b7f41e7b02ed3b100b6afd756c3e551f52da82f).

Let's see the physical structure of the file first and see what the PE tool says about the file.

Hmm, bad guys are crooked; they have packed the malware with a custom packer. The entry point is in the first section. Let's open the file with a disassembler and see what the entry point looks like.

.cdata:00409380            sub     esp, 4
.cdata:00409383            pusha                   ; push all registers
.cdata:00409384            push    ebp
.cdata:00409385            mov     ebp, esp
.cdata:00409387            mov     edx, 103h
.cdata:0040938C            xor     eax, eax
.cdata:0040938E            inc     eax             ; junk to evade antivirus detection
.cdata:0040938F            inc     eax             ; junk
.cdata:00409390            inc     eax             ; junk
.cdata:00409391            inc     eax             ; junk
.cdata:00409392            inc     eax             ; junk
.cdata:00409393            inc     eax             ; junk
.cdata:00409394            inc     eax             ; junk
.cdata:00409395            inc     eax             ; junk
.cdata:00409396            call    sub_40949E
.cdata:0040939B            jmp     near ptr 0C3035769h


If you look at the entry point, it clearly looks like it's packed with a polymorphic packer. All the 'inc eax' instructions are junk, either to stop antivirus detection or to make emulation more confusing. If you follow the jmp at the last line, it leads to a series of spaghetti jumps (uneven jmp or call instructions).

I'll continue the analysis in the next part, see you then.

Saturday, 1 May 2010

Microsoft SharePoint XSS Vulnerability

Microsoft has acknowledged the existence of an XSS vulnerability in SharePoint Services and SharePoint Server. Successful exploitation of the vulnerability could allow an attacker to run custom code, leading to elevated privileges within the SharePoint site.

According to this TechNet blog, the likely attack scenario is that an attacker sends a malicious link and the user clicks it after logging into the vulnerable SharePoint server; this results in the malicious script running in the user's context. In simple words, if you are a user (assume an admin user) logged in to a vulnerable SharePoint server and you click a malicious link carrying an embedded script, it could run with admin privileges.