Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Back: Lab 12-4 Solutions
Next: Lab 13-2 Solutions


) are not found. Therefore, we can assume that these strings might be encoded by the malware.


contains a small loop that appears to increment a counter (var_4) and modify the contents of a buffer (arg_0) by XOR’ing the original contents with 0x3B. The other argument (arg_4) is the length of the buffer that should be XOR’ed. The simple function sub_401190, which we’ll rename xorEncode, implements a single-byte XOR encoding with the static byte 0x3B, taking the buffer and length as arguments.

shows the FindResourceA function at .

shows the result.

shows the original version of the data, and the bottom portion shows the effect of applying XOR with 0x3B to each byte. The figure clearly shows that the resource stores the string www.practicalmalwareanalysis.com in encoded form.

Of the two strings that we suspected might be encoded, we’ve found the domain, but not the GET request string (aG9zdG5hbWUtZm9v in our example). To find the GET string, we’ll use PEiD’s KANAL plug-in, which identifies a Base64 table at 0x004050E8. shows the output of the KANAL plug-in.

shows one of the code blocks in this function.

This supports the conclusion that base64index is related to Base64 encoding, because = is the padding character in Base64 encoding.

The function that calls base64index is the real base64_encode function located at 0x004010B1. Its purpose is to divide the source string into 3-byte blocks and to pass each block to base64index, which encodes the 3 bytes as 4 output characters. Some of the clues that make this apparent are the use of strlen at the beginning of the function to find the length of the source string, the comparison with the number 3 (cmp [ebp+var_14], 3) at the start of the outer loop (code block loc_401100), and the comparison with the number 4 (cmp [ebp+var_14], 4) at the start of the inner write loop that runs after base64index has returned its results. We conclude that base64_encode is the main Base64-encoding function; it takes a source string and a destination buffer as arguments and performs the Base64 translation.

Using IDA Pro, we find that there is only one cross-reference to base64_encode (0x004000B1), which is in a function at 0x004011C9 that we will refer to as beacon. The call to base64_encode is shown in at .

The first character of the returned data is compared with the letter o. If the first character is o, then beacon returns 1; otherwise, it returns 0. The main function is composed of a single loop with calls to Sleep and beacon. When beacon (0x004011C9) returns true (by getting a web response starting with o), the loop exits and the program ends.

To summarize, this malware is a beacon to let the attacker know that it is running. The malware sends out a regular beacon with an encoded (and possibly truncated) hostname identifier, and when it receives a specific response, it terminates.
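The following Python script is an added example (not code from the book or the lab binary) that reproduces the three pieces of the analysis above for an analyst: the single-byte XOR used by xorEncode, a Base64 encoder that works in the same 3-byte-in, 4-character-out fashion as base64_encode, and the beacon's response check. The encoded resource bytes are constructed here by XOR'ing the domain with 0x3B as the lab describes; they are not dumped from the real sample.

```python
import base64

XOR_KEY = 0x3B  # static key used by xorEncode (sub_401190)
B64_TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample: the domain string XOR'd with 0x3B, as the lab describes
# the resource being stored (not bytes dumped from the actual Lab13-01 binary).
ENCODED_RESOURCE = b"LLL\x15KIZXORXZWVZWLZI^ZUZWBHRH\x15XTV"


def xor_encode(buf: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR over the whole buffer, mirroring xorEncode(buf, len).
    XOR with a constant is its own inverse, so the same call also decodes."""
    return bytes(b ^ key for b in buf)


def base64_encode(src: bytes) -> str:
    """Base64 the way base64_encode at 0x004010B1 works: walk the source in
    3-byte blocks, emit 4 output characters per block, pad with '='."""
    out = []
    for i in range(0, len(src), 3):
        block = src[i:i + 3]
        n = len(block)
        v = int.from_bytes(block.ljust(3, b"\0"), "big")  # 24-bit value
        chars = [B64_TABLE[(v >> (18 - 6 * k)) & 0x3F] for k in range(4)]
        for k in range(n + 1, 4):  # 1 byte -> "xx==", 2 bytes -> "xxx="
            chars[k] = "="
        out.append("".join(chars))
    return "".join(out)


def decode_resource(resource: bytes) -> str:
    """Recover the C2 domain from the XOR-encoded resource."""
    return xor_encode(resource).decode("ascii")


def decode_beacon_id(token: str) -> str:
    """Recover the hostname identifier carried in the beacon's GET request."""
    return base64.b64decode(token).decode("ascii")


def beacon_returns_true(response: bytes) -> bool:
    """beacon() returns 1 (and main's loop exits) when the reply starts with 'o'."""
    return response[:1] == b"o"


if __name__ == "__main__":
    print(decode_resource(ENCODED_RESOURCE))     # www.practicalmalwareanalysis.com
    print(decode_beacon_id("aG9zdG5hbWUtZm9v"))  # hostname-foo
    print(base64_encode(b"hostname-foo"))        # aG9zdG5hbWUtZm9v
```

Running the script against the constructed resource recovers the domain, and encoding a hostname reproduces the kind of GET string seen in the lab, which is useful when writing a decoder for captured beacon traffic.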
