by Pete Schuyler

*1. Based on the output of the strings command, what capabilities might be built into the malicious code?*
We know that the program is meant to run under a 32-bit Windows operating system, based on the existence of the string "This program must be run under Win32".
It appears to have been written in Delphi, since the string "FTWARE\Borland\Delphi\RTL" would indicate inclusion of the Delphi run-time library.
The string "EliRT 1.00" would seem to indicate that the EliRT library is included in the executable. EliRT, which was written by Radim Picha, is used in the hacking community to facilitate DLL injection. The library has only 5 functions, and while they will work on most modern Windows platforms, 4 of them are designed for Windows 9x and NT 3.51/4.
Since I'm not a Windows programmer, I'm going to make an educated guess on the next two strings. Assuming that DLL injection has been used, the injection process first inserts shellcode, called a "hook", into a running process. I'm guessing that "Hook.Patch" references a file that contains that code. The hook would then modify the functionality of an API, such as the "GetProcAddress" function, so that it injects a DLL or creates a thread from which another process can be started.
It may be trying to use a modified version of the Stealth2 tool, based on the existence of the "Stealth2j" string. This would make some sense, as there are a few versions of the Stealth tool, written by DoC, that are classified as "RATs" or Remote Administration Tools. This would basically allow remote access to the Windows interface, much like Windows Terminal Services, PCAnywhere, or VNC does. Since Stealth2 also captures passwords and records keystrokes, it is possible that the backdoor is trying to forward account information to the remote web server via Internet Explorer over port 443. But since there was no second application mentioned that was generating traffic, it may be more likely that the RAT itself is being tunneled through IE.
The application also appears to be checking whether it is being run from within a VMware virtual machine, based on the existence of the string "\VMware Tools". Some malware checks for this in an attempt to determine whether it is being run in that environment, and hence possibly being reverse engineered. If that were the case, the application would simply exit to try to prevent that.
Since DLL injection can only affect running processes, the attacker would have to have a means to re-instantiate his malware at every boot. The very last string appears to be part of a registry setting. If that's the case, then I would expect to find an entry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to an executable installed around the "9:04 AM that morning" timeframe, possibly even note.exe.
I can't forget to mention the two strings of "Please remember to buy" and "The Malware book by Ed and Lenny", which I would put in the "Shameless plug" category. ;)
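As an added example (not part of the original write-up), here is a small Python script that does what the strings review above did by hand: it pulls printable runs out of a byte blob and tags the ones matching the indicators discussed (Delphi RTL, EliRT, Hook.Patch, VMware Tools, Stealth2, the Run key). It scans for both 8-bit and UTF-16LE strings, because the default `strings` run shows only the former while Win32 binaries carry both. The sample bytes are constructed for the example and the indicator labels are my own; it is not the real note.exe.

```python
import re

# Constructed sample: a byte blob standing in for the raw note.exe, with the kinds of
# strings discussed above embedded among filler bytes. It is not the real binary.
SAMPLE = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00This program must be run under Win32\r\n$7\x00",
    b"\x00\x01\x02SOFTWARE\\Borland\\Delphi\\RTL\x00\x00",
    b"EliRT 1.00\x00\x03Hook.Patch\x00\x00",
    "\\VMware Tools".encode("utf-16-le"),  # wide string: an ASCII-only scan misses it
    b"\x00\x00Stealth2j\x00\x00",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00",
])

# Indicator labels are my own; the patterns come from the strings discussed above.
INDICATORS = {
    "win32-executable": re.compile(r"run under Win32"),
    "delphi-rtl": re.compile(r"Borland\\Delphi\\RTL"),
    "elirt-dll-injection": re.compile(r"EliRT"),
    "hook-patch": re.compile(r"Hook\.Patch", re.I),
    "vmware-check": re.compile(r"VMware Tools", re.I),
    "stealth-rat": re.compile(r"Stealth2", re.I),
    "run-key-persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
}


def extract_strings(data, min_len=4):
    """Printable runs of at least min_len characters, as (encoding, text) pairs.
    Covers 8-bit ASCII (what `strings` shows by default) and UTF-16LE
    (what `strings -e l` shows), since Win32 binaries carry both."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf-16le", m.group().decode("utf-16-le")))
    return found


def classify(strings):
    """Map each indicator label to the extracted strings that matched it."""
    hits = {}
    for encoding, text in strings:
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(label, []).append((encoding, text))
    return hits


def triage(data):
    """Extract and classify in one step; returns the indicator hit dictionary."""
    return classify(extract_strings(data))


if __name__ == "__main__":
    for label, matches in triage(SAMPLE).items():
        for encoding, text in matches:
            print(f"{label:22s} [{encoding}] {text}")
```

In the constructed sample the VMware string is stored wide, so only the UTF-16 pass finds it; a reviewer who ran plain `strings` would never see that anti-analysis check, which is why both passes belong in any first-look script.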
*2. What simple and popular method could the attacker have used to thwart strings analysis (as well as making binary disassembly more difficult) on note.exe? What tools could the attacker use to accomplish this goal?*
The attacker could have used a packer to do this. There are many available such as FSG, Petite, and NeoLite, but one of the most used is UPX, which is freely available.
*3. How could a malicious code researcher overcome the strings-obscuring and anti-disassembly technique(s) you described in your answer to question 2? What tools could a researcher use to accomplish this goal?*
It depends on the packer being used. If UPX was used, you can download the UPX utility and unpack note.exe with the command "upx -d C:\note.exe". If another packer was used which does not support unpacking, you have three basic options.
A) You could use Google to search for an unpacker for that particular packer (which has mixed results, at best).
B) Use a process dumper, like LordPE or ProcDump32, and dump the running process from memory to a file.
C) You can use a program debugger, like OllyDbg, and dump the process with the OllyDump plug-in.
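As an added example covering questions 2 and 3 (not code from the original answer), here is a Python script a researcher could run before reaching for "upx -d": it walks the PE section table, reports each section's name, sizes and byte entropy, and gives a verdict. UPX leaves its UPX0/UPX1 section names behind, so that case is recognised by name; when the packer is something else, or the names were edited, the generic signs remain, namely a near-random section and a section that is empty on disk but large in memory. The PE images are constructed in the script purely to exercise the parser; `build_test_pe` is scaffolding of my own, not a real packer or a real binary.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty input; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Walk the PE section table and return (name, virtual_size, raw_size, entropy) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[roff:roff + rsize]
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), vsize, rsize, shannon_entropy(raw)))
    return sections


def packer_verdict(data):
    """'upx' when UPX left its section names, 'packed-unknown' on generic packer signs, else 'unpacked'."""
    sections = pe_sections(data)
    if any(name.startswith("UPX") for name, *_ in sections):
        return "upx"
    for name, vsize, rsize, entropy in sections:
        # A near-random section is compressed or encrypted code; a section that is empty on
        # disk but large in memory is where a packer unpacks to (.bss legitimately looks so).
        if entropy > 7.0 or (rsize == 0 and vsize > 0 and not name.startswith(".bss")):
            return "packed-unknown"
    return "unpacked"


def build_test_pe(sections):
    """Constructed, non-runnable PE32 image with the given (name, payload, virtual_size)
    sections: just enough header for pe_sections() to parse. Test scaffolding only."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)    # PE32 magic, rest zeroed
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (header_len + 0x1FF) & ~0x1FF        # 512-byte file alignment
    table, body = b"", b""
    for name, payload, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, 0x1000,
                             len(payload), raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += payload
    return (dos + b"PE\x00\x00" + coff + opt + table).ljust(raw_base, b"\x00") + body


HIGH_ENTROPY = bytes(range(256)) * 8     # every byte value equally often: 8.0 bits/byte
UPX_LIKE = build_test_pe([(b"UPX0", b"", 0x8000), (b"UPX1", HIGH_ENTROPY, 0x800), (b".rsrc", b"\x00" * 64, 64)])
RENAMED_PACKER = build_test_pe([(b".text", b"", 0x8000), (b".data", HIGH_ENTROPY, 0x800)])
PLAIN = build_test_pe([(b".text", b"\x55\x8b\xec" * 200, 600), (b".data", b"Hello, world\x00" * 10, 130)])

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_LIKE), ("renamed", RENAMED_PACKER), ("plain", PLAIN)):
        print(label, packer_verdict(image), [(n, v, r, round(e, 2)) for n, v, r, e in pe_sections(image)])
```

The point of the second, name-independent check is that "upx -d" refuses to touch an image whose headers were edited after packing, which is exactly the case where the process-dump route (options B and C above) becomes necessary; the entropy and empty-section signals tell you that you are in that situation before you spend time on it.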
*4. What should Molly do next to eradicate the malware and win Jake's heart?*
This depends on whether she wants to try and track down the individuals who hacked her system. If she just wants to move on with her life, she could simply nuke the machine from high orbit, and reinstall.
If she wanted to more fully investigate the matter, she should probably start by performing a bit-for-bit backup of her PC with something like Ghost or even WinHex. I would then go through and gather some system information using utilities run from either a CD or a USB thumb drive, such as HijackThis, PSTools, TCPView, and even CWShredder, since this appears to be an attack involving Internet Explorer. These utilities can be used with minimal disturbance to the file system, and can give a knowledgeable user a good picture of what is going on with their system, as well as the information needed to eradicate the malware. Ultimately, the system should be rebuilt in a secure manner.
She could also contact her local law enforcement, if she was inclined toward legal satisfaction.
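As an added example, not part of the original answer, here is a Python script for the persistence check raised in question 1: it triages an export of the HKLM Run key (taken with `reg export` from the live box, or read from the imaged disk) and reports each autorun entry's executable, flagging entries that point at note.exe or that run from a user-writable directory. The .reg text below is constructed for the example; the entry names and paths are invented and are not from Molly's machine.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a .reg export of the Run key, in the format `reg export` writes.
# The entries and paths are invented for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"note"="C:\\WINDOWS\\system32\\note.exe"
"Updater"="\"C:\\Documents and Settings\\Molly\\Local Settings\\Temp\\updater.exe\" -silent"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Directories an autorun entry has no business pointing into on a clean machine.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")


def unescape_reg(value):
    """Undo .reg string escaping (doubled backslashes and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_values(reg_text):
    """Return {value name: command line} for string values under the HKLM Run key."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and current.lower() == RUN_KEY.lower():
            m = VALUE_RE.match(line)
            if m:
                entries[m.group("name")] = unescape_reg(m.group("data"))
    return entries


def command_image(cmdline):
    """Executable path from a Run command line: the quoted part, or else up to the first .exe
    (a heuristic; Windows resolves unquoted paths containing spaces ambiguously)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    m = re.match(r"(.*?\.exe)\b", cmdline, re.I)
    return m.group(1) if m else cmdline.split(" ")[0]


def flag_entries(entries, known_bad=("note.exe",)):
    """List (value name, image path, reasons) for entries worth a closer look."""
    flagged = []
    for name, cmdline in entries.items():
        image = command_image(cmdline)
        reasons = []
        if PureWindowsPath(image).name.lower() in known_bad:
            reasons.append("image name matches known malware")
        if any(d in image.lower() for d in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if reasons:
            flagged.append((name, image, reasons))
    return flagged


if __name__ == "__main__":
    for name, image, reasons in flag_entries(parse_run_values(SAMPLE_REG)):
        print(f"{name}: {image}  <- {', '.join(reasons)}")
```

Run against the real export, the flagged image paths are the files whose timestamps should be compared with the "9:04 AM that morning" window, and removing those values (after the bit-for-bit backup, never before) is what breaks the reboot persistence the injected code depends on.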