MMX instructions used in a Malware
Thursday, January 23, 2014 | Author: Deep Flash
Today I saw MMX instructions used in the decryption routine of self-modifying code, as shown below:

MOV EDI,DWORD PTR SS:[ESP]
MOV ESI,6581DBCA
MOV EAX,704
MOV ECX,DDDDFDDD        ; set ECX to a large value
IMUL EBX,EBX,21
XOR EDX,EDX
TEST EBX,EBX
ADD EBX,3
SUB EBX,1
MOV EBX,1                ; junk instructions
LOOPDNE SHORT 0014DB72    ; loop used to introduce delay in execution
SUB EAX,4
MOVD MM0,DWORD PTR DS:[EDI]    ; usage of MMX registers
MOVD MM1,ESI
PXOR MM0,MM1                ; MMX XOR instruction used
MOVD DWORD PTR DS:[EDI],MM0
ADD EDI,4
TEST EAX,EAX
JNZ SHORT 0014DB86
RETN

The reason for using the MMX XOR instruction instead of the general-purpose x86 XOR might be to bypass code emulation. It is a known method to use undocumented or uncommon instructions in the code to defeat code emulators. I am not sure if the MMX instructions are implemented in the code emulators.
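As an added example (not the blog's code), here is a Python replica of the decryption loop above that an analyst can use to decode the routine's target offline. The key and length are taken from the listing; the sample plaintext and the prologue dword used for key recovery are constructed.

```python
import struct

# Constants taken from the listing above.
KEY = 0x6581DBCA      # MOV ESI,6581DBCA ; MOVD MM1,ESI
LENGTH = 0x704        # MOV EAX,704 ; SUB EAX,4 per dword until zero


def pxor_decrypt(buf: bytes, key: int = KEY, length: int = LENGTH) -> bytes:
    """Replicate the loop: MOVD MM0,[EDI] ; PXOR MM0,MM1 ; MOVD [EDI],MM0 ; ADD EDI,4.

    MOVD zero-extends a 32-bit value into the 64-bit MMX register, so PXOR on
    MM0/MM1 here is just a 32-bit XOR of each little-endian dword with the key.
    EDI is loaded from [ESP], the return address, so the routine appears to
    decrypt the bytes that follow the CALL into it.
    """
    if length % 4 or length > len(buf):
        raise ValueError("length must be a multiple of 4 and fit in the buffer")
    out = bytearray(buf)
    for off in range(0, length, 4):
        (dword,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, dword ^ key)
    return bytes(out)


def recover_key(cipher_dword: int, known_plain_dword: int) -> int:
    """Single-dword XOR is its own inverse: a known plaintext dword (e.g. a
    standard function prologue) gives back the key without stepping the loop."""
    return (cipher_dword ^ known_plain_dword) & 0xFFFFFFFF


# Constructed sample: a typical 16-byte x86 prologue standing in for the
# decrypted code; the real sample's plaintext is not on the page.
SAMPLE_PLAIN = bytes.fromhex("558bec83ec105356578b7d0833c05f5e")
# XOR is symmetric, so "decrypting" the plaintext yields the encrypted form.
SAMPLE_ENCRYPTED = pxor_decrypt(SAMPLE_PLAIN, length=len(SAMPLE_PLAIN))


def demo() -> dict:
    decrypted = pxor_decrypt(SAMPLE_ENCRYPTED, length=len(SAMPLE_ENCRYPTED))
    first_cipher = struct.unpack_from("<I", SAMPLE_ENCRYPTED, 0)[0]
    return {
        "round_trip_ok": decrypted == SAMPLE_PLAIN,
        "first_cipher_dword": first_cipher,
        # 0x83EC8B55 is the little-endian dword of "push ebp; mov ebp,esp; sub esp,..."
        "recovered_key": recover_key(first_cipher, 0x83EC8B55),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real dump, pass the dword-aligned bytes at the address the routine returns to and keep the default length of 0x704 bytes (449 dwords).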

In the self-modified code, it uses common anti-debugging tricks by checking the BeingDebugged and NtGlobalFlag fields in the PEB.

After this, it executes the CPUID instruction with EAX set to 1 (CPUID_GETFEATURES) and checks the CPUID_FEAT_EDX_MMX bit. This check is done to see whether the CPU supports MMX instructions.

Below is another code section where it uses MMX registers in a delay execution routine:

MOV ECX,0D55ABBF    ; set ECX to a large value
NOP
XOR EAX,EAX
XOR EDX,EDX
RDTSC
NOP
MOVD MM1,EAX
MOVD MM0,EDX
LOOPD SHORT 0014D4ED
CMP ECX,0
JNZ 0014DB53
EMMS
JMP 0014D9BA

It is good to see the usage of MMX instructions in malware. We will most likely see more FPU/MMX instructions used in malware.

Since most security vendors these days run malware in a sandbox, such instructions can be used to defeat the emulators.

c0d3inj3cT
EFF Targeted Attack - VMWare Aware Malware
Monday, January 20, 2014 | Author: Deep Flash
A few hours ago, EFF posted a blog on their official site about a targeted attack on them. They received conference invitation emails with a malicious attachment (an *.hta file, i.e. an HTML Application).

A preliminary analysis has already been posted on their site here:

https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal

I was checking the executable dropped by it in the %temp% directory. It enumerates the processes on the system and checks for the presence of the following processes:

DF5Serv.exe - DeepFreeze
VBoxService.exe - VirtualBox

It also checks for the presence of Virtual Machines by checking the value of the registry key:

HKLM\System\ControlSet001\Services\Disk\Enum

It checks for the following strings in the value of the above key:

VBOX
VMWARE
VIRTUAL

StrStrIW() is used to perform a case-insensitive search. This is a common technique.

It is becoming increasingly common for malware to detect the presence of Virtual Machines.

c0d3inj3cT
1und1 PHP Script and Compromised Wordpress Sites Spreading Malware
Monday, January 20, 2014 | Author: Deep Flash
Today, I came across a malware which is hosted on several compromised WordPress sites. The PHP script 1und1.php, which triggers the download of the archived malware, was found on several WordPress sites.

The name of the archive file is:

Rechnung_Monat_Januar_2014.zip

This archive has the following malicious file:

pdf_Online_Rechnung_Id_9287474290248_fur_den_Monat_Januar_2014_1und1_Telecom_GmbH.exe

It has the icon of a PDF file even though it is an executable.

I performed some quick analysis of this malware to see what activities it performs. Below is a summary:

1. Makes a copy of itself in the following directory:

C:\Documents and Settings\Administrator\Application Data\KB00119649.exe

The file name mimics the naming of Microsoft patches (KB*).

2. Creates a startup registry entry which points to the above file.

HKU\\Software\Microsoft\Windows\CurrentVersion\Run\KB00119649.exe

3. Creates a batch file in the %temp% folder which deletes the original copy of the malware once it has been copied to the %AppData% directory.

4. It creates another process to start its replicated copy from the %appdata% directory.

5. Injects code into explorer.exe process. The method used for code injection is very basic.

OpenProcess(), VirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread()

6. It hooks the following APIs (using inline hooks) after injecting the code in explorer.exe process:

LdrLoadDll()
ZwResumeThread()
InitializeSecurityContextA()
SealMessage()
UnsealMessage()
DeleteSecurityContext()

7. Sends an HTTP POST request to bestofthewest.ru, as shown in the network capture screenshot below.

POST request to: http://bestofthewest.ru/hmW/t/v9kmJCAAAAA/OpVkYDAAAA/

The traffic is encrypted.

8. Creates the registry entry:

HKU\\Software\Microsoft\Windows NT\S%08X\

9. Mutexes created:

XMM00000E38
XMI00000E38
XMR9241752F

10. Directory created:

C:\Documents and Settings\Administrator\Application Data\4CECCBC0

DNS queries were observed to:

onlyproxies.ru
bestofthewest.ru

Below is the list of WordPress sites on which the 1und1.php script is hosted.


Here is the malicious 1und1.php script obtained from one of the compromised servers:

Directory listing from one of the compromised WordPress sites:

MD5 hash of the virus: d28899d9ec1d3141ec31604bda6b63ae

c0d3inj3cT