00401500 push ebp
00401501 mov ebp, esp
00401503 sub esp, 198h
00401509 mov [ebp+wVersionRequested], 202h
00401512 lea eax, [ebp+WSAData]
00401518 push eax ; lpWSAData
00401519 mov cx, [ebp+wVersionRequested]
00401520 push ecx ; wVersionRequested
00401521 ❶call WSAStartup
00401526 mov [ebp+var_4], eax
00401529 push 100h ; namelen
0040152E ❸push offset name ; name
00401533 ❷call gethostname
00401538 push 0 ; int
0040153A push offset FileName ; "C:\\*"
0040153F ❹call sub_401000
00401544 add esp, 8
00401547 xor eax, eax
00401549 mov esp, ebp
0040154B pop ebp
0040154C retn 10h
is executed.
Example C-213. A virtual function call
0040132F mov ecx, [ebp+var_148]
00401335 mov edx, [ebp+var_4]
00401338 mov [ecx+4], edx
0040133B mov eax, [ebp+var_148]
00401341 mov edx, [eax]
00401343 mov ecx, [ebp+var_148]
00401349 call dword ptr [edx]
This code references the object stored in var_148, and then calls the first pointer in the virtual function pointer table. This code is the same whether a .pdf or .doc object is created, but the function called differs for different types of objects.
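The idiom just described (load the vtable pointer from the object, then call through a slot of that table, with the object pointer in ecx for thiscall) can be checked mechanically. The following is an added helper, not code from the book or from the malware, that scans IDA-style listing text for that pattern; the listing it runs on is Example C-213 as shown above, embedded as constructed input, and the field names it reports are hypothetical.

```python
import re
from typing import List, Tuple

# Constructed input: the instructions of Example C-213, one per line.
LISTING = """\
0040132F mov ecx, [ebp+var_148]
00401335 mov edx, [ebp+var_4]
00401338 mov [ecx+4], edx
0040133B mov eax, [ebp+var_148]
00401341 mov edx, [eax]
00401343 mov ecx, [ebp+var_148]
00401349 call dword ptr [edx]
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+(\w+)\s*(.*)$")
# call dword ptr [reg] or [reg+off]: an indirect call through a table entry
CALL_RE = re.compile(r"^dword ptr \[(e[abcd]x|e[sd]i|ebp|esp)(?:\+(\w+))?\]$")
# mov reg, [objreg]: the vtable pointer sits at offset 0 of the object
MOV_RE = re.compile(r"^(e[abcd]x|e[sd]i)\s*,\s*\[(e[abcd]x|e[sd]i)\]$")

def parse(listing: str) -> List[Tuple[int, str, str]]:
    """Split 'ADDR MNEMONIC OPERANDS' lines into (address, mnemonic, operands)."""
    out = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return out

def find_virtual_calls(listing: str, window: int = 6) -> List[dict]:
    """Report each indirect call whose table register was loaded from [object]
    within `window` instructions: the vptr load followed by a slot call."""
    insns = parse(listing)
    hits = []
    for i, (addr, mnem, ops) in enumerate(insns):
        cm = CALL_RE.match(ops) if mnem == "call" else None
        if not cm:
            continue
        vreg, off = cm.group(1), cm.group(2)
        slot = int(off.rstrip("hH"), 16) // 4 if off else 0  # IDA hex like 0Ch
        for j in range(i - 1, max(-1, i - window - 1), -1):  # look back for vptr load
            mm = MOV_RE.match(insns[j][2]) if insns[j][1] == "mov" else None
            if mm and mm.group(1) == vreg:
                # thiscall: ecx set between the vptr load and the call
                this_in_ecx = any(m2 == "mov" and o2.startswith("ecx")
                                  for _, m2, o2 in insns[j + 1:i])
                hits.append({"addr": addr, "vptr_reg": vreg, "obj_reg": mm.group(2),
                             "slot": slot, "this_in_ecx": this_in_ecx})
                break
    return hits
```

Slot 0 at 0x401349 is exactly the call the text walks through; a non-zero slot index points at the second, third, and later entries of the same table, so the helper generalizes to any virtual method, not only the first.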
We saw earlier that the code could create one of three different objects:
An object for .pdf files, which we’ll call pdfObject. The first function for this object in the virtual function table is at 0x4060D8.
An object for .doc files, which we’ll call docObject. The first function in the virtual function table for this object is at 0x4060DC.
An object for all other files, which we’ll call otherObject. The first function in the virtual function table for this object is at 0x4060E0.
We’ll first check the function to be called for a pdf object. We navigate to the virtual function table at 0x4060D8 and find that the function being called starts at 0x401380. We see that it calls InternetOpen to initialize an Internet connection, and then calls InternetConnect to establish an FTP connection to ftp.practicalmalwareanalysis.com. Then we see it changes the current directory to pdfs and uploads the current file to the remote server. We can now rename the function pdfObject_UploadFile. We also look at the function for docObject and see that it executes nearly the same steps, except that it changes the directory to the docs directory.
Finally, we look at the virtual function table for the otherObject to find the upload function for otherObject at 0x401370. This function does very little, and we can conclude that only .doc and .pdf files are uploaded by this malware.
The malware author implemented virtual functions to allow this code to be easily modified or extended in order to add support for different file types simply by implementing a new object and changing the part of the code where the object is created.
To test this code, we can add directories named docs and pdfs to our FTP server, and allow anonymous write access to them. When we rerun our malicious code, we see that it uploads every .pdf and .doc file from the victim’s computer to these directories, naming each file with the victim’s hostname and an ID number.