0x10 Candles


0x10 Candles: A Birthday Story of Teenage Angst and Malicious Code

by Ed Skoudis

 "It's like totally my birthday, but my family completely forgot!" Molly Ringworm typed frantically into her diary on her Windows-based laptop.  "I thought turning 0x10 would be, like, sooo major," she lamented.  As with many kids heavily steeped in contemporary teenage computer culture, Molly referred to numbers almost exclusively in hexadecimal, citing her 16th birthday as the "Big 0x10".  Indeed, Molly was a computer aficionado to her core, getting the nickname "Ringworm" based on her compelling analysis of the Ring Zero worm a few years back.  Despite her family's forgetting her Sweet 0x10, Molly Ringworm held out hope that this evening's dance would be far better, possibly giving her a chance finally to speak with Jake Ryan, the object of her biggest crush ever.

Unfortunately, at the dance, she was just too shy to even approach Jake.  Compounding the problem, the biggest nerd of all, known simply as "The Geek", wouldn't stop bothering her.  She thought she'd escape him by moving to a secluded cubicle in a corner of the high school computer lab to update her diary.  The Geek still stalked her even there.  Lonely and heartbroken, Molly decided to confide to The Geek, "This is the single worst day of my entire life… Jake doesn't know I exist and everyone has forgotten my birthday!"  The Geek, however, was interested in much more than discussing Molly's hormonally induced pathos.  He cut right to the chase, "Would it be totally off the wall if I asked if I could have an account on your box?"  Molly chuckled at the complete absurdity of such a request, and responded, "As if!  Like, totally gag me!"

The Geek, having anticipated such a reaction, decided to move to Plan B.  "I'm getting input here that I'm reading as relatively hostile...  But I made a bet with my buds that I could score an account on your system.  I can't go back empty handed, but there's a way we could work this, even without you giving me an account.  Can I borrow your motherboard for ten minutes?"

Right after The Geek left, Molly's laptop started behaving erratically, with the mouse cursor moving around on the screen by itself!  Completely shocked, she quickly fired up her favorite sniffer and noticed packets leaving her machine going to a web server on TCP port 443.  She then ran Active Ports, a tool that lists programs that are utilizing TCP and UDP ports.  She saw that a program named iexplore.exe was trying to connect to a remote system on TCP port 443, even though she couldn't see a browser window on her screen.  Sighing, Molly exclaimed, "Like, what a total bummer… hacked on my birthday!"

Despite her near overdose of self-pity, Molly needed to act.  Given that the attack had likely just occurred, she conducted a search of her hard drive using the dir and find commands, looking for executable files created today.  She found one!  A new executable called note.exe created this morning at 9:04 AM.

Molly then ran the dir command again, this time with the /B flag, to determine the location of that strange file.  It turns out that note.exe was located right in her c:\ directory.

To get a quick feel for what the malicious code might be doing, she ran the SysInternals strings command by Mark Russinovich against note.exe.  The results of all of Molly's commands are shown in the screen capture below.
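As an added example (not code from the story, and not the Sysinternals strings tool itself), the following Python triage script does what Molly's strings run does: it pulls printable ASCII and UTF-16LE runs out of a binary, and then greps those runs for the kinds of indicators a responder looks for first (URLs, IPv4 addresses, Windows paths). The SAMPLE bytes are a constructed stand-in for note.exe; the real file is not on this page.

```python
import re

# Constructed sample blob standing in for note.exe: junk bytes, an ASCII
# import name, a UTF-16LE URL (Windows binaries store text both ways),
# an ASCII path, and a 2-char run that is too short to report.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"GetProcAddress\x00"
    + b"\x01\x02\x03"
    + "http://example.invalid/cmd".encode("utf-16-le")
    + b"\x00\x00"
    + b"C:\\temp\\x.dll\x00"
    + b"ab\x00"
)

def extract_strings(data: bytes, min_len: int = 4):
    """Return (encoding, text) pairs for every printable ASCII or UTF-16LE run
    of at least min_len characters, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    found.sort()
    return [(enc, text) for _, enc, text in found]

def strings_of_file(path: str, min_len: int = 4):
    """Run extract_strings over a file on disk, e.g. strings_of_file(r"c:\note.exe")."""
    with open(path, "rb") as fh:
        return extract_strings(fh.read(), min_len)

# Indicator patterns worth a second look during triage (assumed, not from the page).
INDICATOR_RES = {
    "url": re.compile(r"https?://", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "win_path": re.compile(r"^[a-zA-Z]:\\"),
}

def find_indicators(strings):
    """Tag each extracted string that matches an indicator pattern."""
    hits = []
    for enc, text in strings:
        for kind, rx in INDICATOR_RES.items():
            if rx.search(text):
                hits.append((kind, enc, text))
    return hits
```

A tool that scans only for ASCII would miss the UTF-16LE URL here, which is why both passes matter on Windows binaries.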

Now, here is where you, dear reader, get involved…  please answer the following questions to help Molly determine the nature of this malware so she can get back to chasing Jake:

1) Based on the output of the strings command, what capabilities might be built into the malicious code?

2) What simple and popular method could the attacker have used to thwart strings analysis (as well as making binary disassembly more difficult) on note.exe?  What tools could the attacker use to accomplish this goal?

3) How could a malicious code researcher overcome the strings-obscuring and anti-disassembly technique(s) you described in your answer to question 2?  What tools could a researcher use to accomplish this goal?

4) What should Molly do next to eradicate the malware and win Jake's heart?

The winners and answers for this challenge are here.