Home
Who am I?
Scenarios
Where & When
Misc
Olde Style Page
Math Puzzles
0x10 Second Place

by Pete Schuyler

*1. Based on the output of the strings command, what capabilities might
be built into the malicious code?*

We know that the program is meant to run under a 32-bit Windows
operating system, based on the existence of the string "This
program must be run under Win32".

It appears to have been written in Delphi, since the string
"FTWARE\Borland\Delphi\RTL" would indicate inclusion of the Delphi
run time library.

The string EliRT 1.00 would seem to indicate inclusion of this
library in the executable. EliRT, which was written by Radim
Picha, is used in the hacking community to facilitate DLL
injection. The library has only 5 functions, and while they will
work on most modern Windows platforms, 4 of them are designed for
Windows Win9x and NT 3.51/4.

Since I'm not a windows programmer, I'm going to make an educated
guess on the next two strings. Assuming that DLL injection has
been used, the injection process first inserts shell code, called
a "hook", into a running process. I'm guessing that the
"Hook.Patch" references a file that contains that code. The hook
would then basically modify the functionality of an API, such as
the "GetProcAddress" function, so that it injects a DLL or creates
a thread from which another process can be started.

It may be trying to use a modified version of the Stealth2 tool,
based on the existence of the "Stealth2j" string. This would make
some sense, as there are a few versions of the Stealth tool,
written by DoC, that are classified as "RATs" or Remote
Administration Tools. This would basically allow remote access to
the windows interface, much like Windows Terminal Services,
PCAnywhere, or VNC does. Since Stealth2 also captures Passwords
and records keystrokes, it is possible that the backdoor is trying
to forward account information to the remote web server via
Internet Explorer over port 443. But since there was no second
application mentioned that was generating traffic, it may be more
likely that the RAT itself is being tunneled through IE.

The application also appears to be checking if it is being run
from within a VMWare virtual machine, based on the existence of
the string "\VMware Tools". Some Malware will check for this in an
attempt to determine if it is being run in that environment, and
hence possibly being reverse engineered. If that would be the
case, the application would simply exit to try and prevent that.

Since the DLL injection can only effect running processes, the
attacker would have to have a means to re-instantiate his Malware
at every boot. The very last string appears to be part of a
registry setting. If that's the case, then I would expect to find
an entry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
pointing to an executable installed around the "9:04 AM that
morning" timeframe, possibly even note.exe.

I can't forget to mention the two strings of "Please remember to
buy" and "The Malware book by Ed and Lenny", which I would put in
the "Shameless plug" category. ;)

*2. What simple and popular method could the attacker have used to
thwart strings analysis (as well as making binary disassembly more
difficult) on note.exe? What tools could the attacker use to accomplish
this goal?*

The attacker could have used a packer to do this. There are many
available such as FSG, Petite, and NeoLite, but one of the most
used is UPX, which is freely available.

*3. How could a malicious code researcher overcome the strings-obscuring
and anti-disassembly technique(s) you described in your answer to
question 2? What tools could a researcher use to accomplish this goal?*

Depends on the packer being used. If UPX was used, you can
download the UPX utility and unpack the note.exe using the command
"upx -d C:\note.exe". If another packer was used which did not
support unpacking, you have three basic options.

A) You could use Google to search for an unpacker for that
particular Packer (which has mixed results, at best).
B) Use a process dumper, like LordPE or ProcDump32, and dump the
running process from memory to a file.
C) You can use a program debugger, like OllyDbg, and dump the
process with the OllyDump plug-in.

*4. What should Molly do next to eradicate the malware and win Jake's
heart?*

This depends on if she wants to try and track down the individuals
who hacked her system. If she just wants to move on with her life,
she could simply nuke the machine from high orbit, and reinstall.

If she wanted to more fully investigate the matter, she should
probably start by performing a bit-for-bit backup of her PC with
something like Ghost or even WinHex. I would then go through and
get some system information using some utilities, from either a CD
or a USB thumb drive, such as HijackThis, PSTools, TCPView, and
even CWShredder since this appears to be an attack involving
Internet Explorer. These utilities can be used with minimal
disturbance to the file system, and can give a knowledgeable user
a good picture of what is going on with their system, as well as
the information needed to eradicate the malware. Ultimately, the
system should be rebuilt in a secure manner.

She could also contact her local law enforcement, if she was
inclined toward legal satisfaction.
 

 

Send me some e-mail

©Copyright 2005, Ed Skoudis