Random Stats from 1.2M samples – PE Section Names

update3

There is a newer version of this list here

update2

updated section list/fixed bugs – thanks to Nicolas Brulez and Tomislav Pericin (ap0x)

update

added one more list – List of popular section names

old post

I continue to batch analyze my malware collection and the latest list I generated contains:

  • The most popular PE file section names
  • The packer/protector section names/keywords – I tried to build a separate list of known section names/keywords that belong to known packers/protectors

You can find the lists below – please let me know if you find any mistakes (especially in packer sections’ names/attribution); Thanks!

The most popular PE file section names (top 100)

 658574 .rsrc   
 590338 .text   
 545976 .data   
 442607 .rdata  
 298316 .reloc  
 194273         
 178386 .idata  
 111369 .tls    
 109676 CODE    
 105309 DATA    
 100668 BSS     
  40293 UPX0    
  37838 UPX1    
  35164 .adata  
  35020 .bss    
  31336 .edata  
  28137 .ndata  
  15890 .itext  
  15451 .aspack
  12818 INIT    
   9665 UPX2    
   9376 .Upack  
   7727 PS      
   6786 .CRT    
   6628 .vmp0   
   6602 .nsp1   
   6590 .nsp0   
   6560 .code   
   6542 .sdata  
   6423 .nsp2   
   6270 .pdata  
   5710 tldksods
   5462 .       
   5395 Themida
   4313 .vmp1   
   4054 .MaskPE
   3926 PAGE    
   3721 .text-co
   3721 .data-co
   3314 rdata   
   3249 BitArts
   3035 .didata
   2886 idata   
   2881 .packed
   2803   @   @
   2707 .textbss
   2299 .text1  
   2257 .data1  
   2150 .petite
   2079 .texc   
   1926 Shared  
   1793 pebundle
   1714   u     
   1557 MEW F   
   1536 .UPX0   
   1513     t   
   1450 .data2  
   1434 text    
   1346 .RLPack
   1331 .vmp2   
   1300 .ex_cod
   1286 sdt     
   1280 mdata   
   1267 cdata   
   1263 sdata   
   1240 .pklstb
   1238 .MPRESS1
   1235 .MPRESS2
   1204 .UPX1   
   1201 .rdata p
   1191 .brdata
   1183 .udata  
   1131 .crt    
   1114 .sxdata
   1091 htomaota
   1083 .perplex
   1076 PAGEWMI
   1057 edata   
   1044 .delete
   1038 .relo2  
   1031 pec1    
   1015 .mackt  
   1009 PAGEDRV
    981 .svkp   
    980 .avp    
    969 .ByDwing
    967 .DATA   
    963 .debug  
    943 0 ext   
    899 .xdata  
    876 .ccg    
    865 .data ri
    857 .wqvwbj
    857 .kewyo  
    857 .axlgt  
    852 .spack  
    849     ta  
    839 .exc    
    824 .avc    
    807 PAGESYS

The packer/protector section names/keywords

  • .aspack – Aspack packer
  • .adata – Aspack packer/Armadillo packer
  • ASPack – Aspack packer
  • .ASPack – ASPack Protector
  • .ccg – CCG Packer (Chinese Packer)
  • BitArts – Crunch 2.0 Packer
  • DAStub – DAStub Dragon Armor protector
  • !EPack – Epack packer
  • FSG! – FSG packer (not a section name, but a good identifier)
  • kkrunchy – kkrunchy Packer
  • .mackt – ImpRec-created section
  • .MaskPE – MaskPE Packer
  • MEW – MEW packer
  • .MPRESS1 – Mpress Packer
  • .MPRESS2 – Mpress Packer
  • .neolite – Neolite Packer
  • .neolit – Neolite Packer
  • .nsp1 – NsPack packer
  • .nsp0 – NsPack packer
  • .nsp2 – NsPack packer
  • nsp1 – NsPack packer
  • nsp0 – NsPack packer
  • nsp2 – NsPack packer
  • .packed – RLPack Packer (first section)
  • pebundle – PEBundle Packer
  • PEBundle – PEBundle Packer
  • PEC2TO – PECompact packer
  • PECompact2 – PECompact packer (not a section name, but a good identifier)
  • PEC2 – PECompact packer
  • pec1 – PECompact packer
  • pec2 – PECompact packer
  • PEC2MO – PECompact packer
  • PELOCKnt – PELock Protector
  • .perplex – Perplex PE-Protector
  • PESHiELD – PEShield Packer
  • .petite – Petite Packer
  • ProCrypt – ProCrypt Packer
  • .RLPack – RLPack Packer (second section)
  • RCryptor – RPCrypt Packer
  • .RPCrypt – RPCrypt Packer
  • .sforce3 – StarForce Protection
  • .spack – Simple Pack (by bagie)
  • .svkp – SVKP packer
  • Themida – Themida Packer
  • .Themida – Themida Packer
  • .packed – Unknown Packer
  • .Upack – Upack packer
  • .ByDwing – Upack Packer
  • UPX0 – UPX packer
  • UPX1 – UPX packer
  • UPX2 – UPX packer
  • UPX! – UPX packer
  • .UPX0 – UPX Packer
  • .UPX1 – UPX Packer
  • .UPX2 – UPX Packer
  • .vmp0 – VMProtect packer
  • .vmp1 – VMProtect packer
  • .vmp2 – VMProtect packer
  • VProtect – Vprotect Packer
  • WinLicen – WinLicense (Themida) Protector
  • .WWPACK – WWPACK Packer
  • .yP – Y0da Protector
  • .y0da – Y0da Protector
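
As an added example (not the post's own batch tooling), the Python below does the two things the lists on this page depend on: it walks a PE section table with plain struct unpacking, tallies section names over a batch of samples the way the top-100 list above was produced, and attributes packers from a subset of the packer/protector section names listed above. Section names are kept as raw bytes because the stats include empty names and names made of non-printable junk, which a text decode would hide or merge. The three sample images are constructed minimal PE headers (no real code), and the PACKER_SECTIONS subset is my own selection from the list.

```python
import struct
from collections import Counter

# Subset of the packer/protector attribution list on this page, keyed by exact section name.
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX", ".UPX0": "UPX", ".UPX1": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack/Armadillo",
    ".nsp0": "NsPack", ".nsp1": "NsPack", ".nsp2": "NsPack",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
    ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS", ".petite": "Petite",
    ".Upack": "Upack", ".ByDwing": "Upack", "Themida": "Themida",
    ".packed": "RLPack", ".RLPack": "RLPack", ".MaskPE": "MaskPE",
}

IMAGE_FILE_MACHINE_I386 = 0x014C
SECTION_HEADER_SIZE = 40


def section_names(pe: bytes) -> list:
    """Return the raw section names (8-byte field, trailing NULs stripped) of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size              # section table follows the optional header
    names = []
    for i in range(nsec):
        off = table + SECTION_HEADER_SIZE * i
        raw = pe[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table runs past end of file")
        names.append(raw.rstrip(b"\0"))
    return names


def printable(name: bytes) -> str:
    """Render a section name for a report, escaping non-printable bytes (junk names happen)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in name)


def tally(samples) -> Counter:
    """Count section names over a batch of PE images; this is how a 'top N' list is built."""
    counts = Counter()
    for pe in samples:
        counts.update(section_names(pe))
    return counts


def attribute_packer(pe: bytes) -> list:
    """Packers/protectors suggested by section names alone. Heuristic only: a section
    name is eight freely editable bytes, so treat a hit as a hint, not as proof."""
    hits = {PACKER_SECTIONS[printable(n)] for n in section_names(pe)
            if printable(n) in PACKER_SECTIONS}
    return sorted(hits)


def build_pe(names, opt_size=0xE0) -> bytes:
    """Construct a minimal PE header with the given section names (test input only;
    every other section field is left zero)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(names), 0, 0, 0, opt_size, 0x0102)
    opt = b"\0" * opt_size
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples standing in for a malware batch (assumption: not real files).
SAMPLES = {
    "upx_like.exe": build_pe([b"UPX0", b"UPX1", b".rsrc"]),
    "msvc_like.exe": build_pe([b".text", b".rdata", b".data", b".rsrc", b".reloc"]),
    "junk_names.exe": build_pe([b"", b"\x01\x02@ @", b".rsrc"]),
}

if __name__ == "__main__":
    for fname, pe in SAMPLES.items():
        print(fname, [printable(n) for n in section_names(pe)], attribute_packer(pe) or "-")
    for name, count in tally(SAMPLES.values()).most_common():
        print("%7d %s" % (count, printable(name)))
```

Matching is exact and case-sensitive on purpose: `.UPX0` and `UPX0` are separate entries in the list above, and folding case would merge rows in the stats. The empty-name and junk-name samples are there because the top-100 list contains exactly those (the 194273 blank entry and rows such as `@   @`), and a tool that decodes names as text before counting will silently drop or mangle them.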

List of popular section names

  • .arch – Alpha-architecture section
  • .bss – Uninitialized Data Section
  • .BSS – Uninitialized Data Section
  • .code – Code Section
  • .cormeta – CLR Metadata Section
  • .CRT – Initialized Data Section  (C RunTime)
  • .data – Data Section
  • .DATA – Data Section
  • .data1 – Data Section
  • .debug – Debug info Section
  • .debug$F – Debug info Section
  • .debug$P – Debug info Section
  • .debug$S – Debug info Section
  • .debug$T – Debug info Section
  • .didata – Delay Import Section
  • .edata – Export Data Section
  • .fasm – FASM flat Section
  • .flat – FASM flat Section
  • .idata – Import Data Section (import tables)  (Borland)
  • .idlsym – IDL Attributes
  • .itext – Code Section  (Borland)
  • .ndata – Nullsoft Installer section
  • .pdata – Exception Handling Functions Section (PDATA records)
  • .rdata – Read-only Data Section  (Borland)
  • .reloc – Relocations Section
  • .rodata – Read-only Data Section
  • .rsrc – Resource section
  • .sbss – GP-relative Uninitialized Data Section
  • .sdata – GP-relative Initialized Data Section
  • .srdata – GP-relative Read-only Data Section
  • .sxdata – Registered Exception Handlers Section
  • .text – Code Section
  • .text1 – Code Section
  • .textbss – Section used by incremental linking
  • .tls – Thread Local Storage Section
  • .tls$ – Thread Local Storage Section
  • .udata – Uninitialized Data Section
  • .vsdata – GP-relative Initialized Data
  • .xdata – Exception Information Section
  • BSS – Uninitialized Data Section  (Borland)
  • CODE – Code Section (Borland)
  • DATA – Data Section (Borland)
  • edata – Export Data Section
  • idata – Import Data Section  (C RunTime)
  • INIT – INIT section (drivers; initialization code discarded after DriverEntry)
  • PAGE – PAGE section (drivers; pageable code/data)
  • rdata – Read-only Data Section
  • sdata – Initialized Data Section

Skype worm – strings & some metadata

Update
A few guys asked what the hashes associated with the samples are; here they are:

c483bffc879233d99ba52f05fd100872    skype_02102012_images.exe
393b4c117e15fbcfe56f560a8e6a3f0c    skype_04102012_image.exe
98f74b530d4ebf6850c4bc193c558a98    skype_05102012_image.exe
e8e2ba08f9aff27eed45daa8dbde6159    skype_06102012_image.exe
e3af8159d2f1af293bb43cd41d4171db    skype_08102012_image.exe

I just had a very quick look at the code today and, interestingly, there are some ‘funny’ snippets, e.g.

  • directly reading the value at 7FFE002Ch (_KUSER_SHARED_DATA.ImageNumberLow) and, if it is not equal to IMAGE_FILE_MACHINE_I386, launching Internet Explorer; its PID is later used by some extra thread which I have not explored yet
  • dead code attempting to wipe out PhysicalDrive0
  • checking whether the host’s drive is USB via DeviceIoControl (… IOCTL_STORAGE_QUERY_PROPERTY …)
  • code removing the :Zone.Identifier ADS
  • it seems to be also hooking a few APIs, but I need to check that as well
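
The first bullet is a known WOW64 check: KUSER_SHARED_DATA is mapped at 7FFE0000h in every user-mode process, and ImageNumberLow at offset 2Ch holds the native machine type (IMAGE_FILE_MACHINE_I386, 14Ch, on x86 Windows; IMAGE_FILE_MACHINE_AMD64, 8664h, on x64 Windows even for a 32-bit process), so a 32-bit binary that reads anything other than 14Ch knows it is on a 64-bit host without calling IsWow64Process. As an added example that is not the worm's code, the Python below performs that check on constructed copies of the page and locates the instruction encodings that read the field directly in a constructed code blob, which is how I would hunt for the pattern in an unpacked dump. The constructed buffers and code bytes are mine; the live read via ctypes only works on Windows.

```python
import struct
import sys

KUSER_SHARED_DATA = 0x7FFE0000          # fixed user-mode mapping on 32- and 64-bit Windows
IMAGE_NUMBER_LOW_OFFSET = 0x2C          # _KUSER_SHARED_DATA.ImageNumberLow (USHORT)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def read_image_number_low(kuser: bytes) -> int:
    """Read ImageNumberLow from a (copy of the) KUSER_SHARED_DATA page."""
    return struct.unpack_from("<H", kuser, IMAGE_NUMBER_LOW_OFFSET)[0]


def host_is_not_native_x86(kuser: bytes) -> bool:
    """The check from the first bullet: a value other than I386 seen by a 32-bit
    process means it is running under WOW64 on a 64-bit host."""
    return read_image_number_low(kuser) != IMAGE_FILE_MACHINE_I386


# x86 encodings that read the field by absolute address (disp32 = 7FFE002Ch, little-endian).
READ_PATTERNS = {
    b"\x66\xa1\x2c\x00\xfe\x7f": "mov ax, word ptr ds:[7FFE002Ch]",
    b"\xa1\x2c\x00\xfe\x7f": "mov eax, dword ptr ds:[7FFE002Ch]",
    b"\x0f\xb7\x05\x2c\x00\xfe\x7f": "movzx eax, word ptr ds:[7FFE002Ch]",
}


def find_image_number_reads(code: bytes) -> list:
    """Offsets of direct ImageNumberLow reads in a code blob. Longer encodings are
    matched first so that 'A1 2C 00 FE 7F' inside '66 A1 2C 00 FE 7F' is not reported twice."""
    taken = set()
    hits = []
    for pat, mnem in sorted(READ_PATTERNS.items(), key=lambda kv: -len(kv[0])):
        i = code.find(pat)
        while i != -1:
            span = range(i, i + len(pat))
            if not taken.intersection(span):
                hits.append((i, mnem))
                taken.update(span)
            i = code.find(pat, i + 1)
    return sorted(hits)


def live_kuser_shared_data() -> bytes:
    """Copy the first 0x30 bytes of the real page; Windows only."""
    if sys.platform != "win32":
        raise OSError("KUSER_SHARED_DATA only exists on Windows")
    import ctypes
    return ctypes.string_at(KUSER_SHARED_DATA, 0x30)


# Constructed stand-ins (assumption: only ImageNumberLow/High are filled in) for the
# page as a 32-bit process sees it on x86 Windows and on x64 Windows.
FAKE_KUSER_X86 = b"\0" * 0x2C + struct.pack("<HH", IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_I386)
FAKE_KUSER_X64 = b"\0" * 0x2C + struct.pack("<HH", IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_AMD64)

# Constructed code blob: push ebp / mov ebp,esp / mov ax,[7FFE002Ch] / cmp ax,14Ch / jz +10h
SAMPLE_CODE = (b"\x55\x8b\xec"
               + b"\x66\xa1\x2c\x00\xfe\x7f"
               + b"\x66\x3d\x4c\x01"
               + b"\x74\x10")

if __name__ == "__main__":
    for label, page in (("x86 host", FAKE_KUSER_X86), ("x64 host", FAKE_KUSER_X64)):
        print(label, hex(read_image_number_low(page)), "wow64:", host_is_not_native_x86(page))
    for off, mnem in find_image_number_reads(SAMPLE_CODE):
        print("+%04x  %s" % (off, mnem))
    if sys.platform == "win32":
        print("this host:", hex(read_image_number_low(live_kuser_shared_data())))
```

The three byte patterns are a reasonable first hunt over a decoded/unpacked dump, not a complete signature: a register-relative read (`mov eax, 7FFE0000h; mov ax, [eax+2Ch]`) or an `fs:`-relative walk will not match them, so treat a miss as inconclusive.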

Older post

Info on the Skype worm is doing the rounds, so I had a quick look and dumped the strings from the process inject; some are quite interesting and indicative of the functionality described in various blogs. I don’t have time to look at the code today, but it does look interesting enough to come back to it.

Interestingly, while the PE timestamps of the samples indicate compilation in October 2012:

2012-10-02 19:36:26     .\skype_02102012_images.exe
2012-10-04 15:03:38     .\skype_04102012_image.exe
2012-10-06 06:24:55     .\skype_05102012_image.exe
2012-10-07 01:15:19     .\skype_06102012_image.exe
2012-10-08 12:09:07     .\skype_08102012_image.exe

The compilation time of one of the injects is 2011-05-16 21:46:39, so the code itself seems to be quite old.

%s.%s
pdef
%s.%S
brk
dll
exe
DBWIN
\\.\pipe
%s.Protect “%s” against file removal done!!
%s.Protect “%S” against removal of our pc!!
block
bdns
kernel32.dll
CreateFileW
0123456789ABCDEF
i.root-servers.org
%s.Stopped “%s” against removal of file!
%s.Stopped “%S” against moving the file!
%s.MSN-> Done, MSG is sent
%s.MSN-> Succesfully sent to %s!
%s.MSN-> Message Pwned :)!
msnmsg
msnint
baddr
X-MMS-IM-Format:
CAL %d %256s
msnu
Done frst
ssssssssssssss: %d
ssssssssss: %d
NtFreeVirtualMemory
NtAllocateVirtualMemory
NtQuerySystemInformation
LdrEnumerateLoadedModules
NtQueryInformationProcess
LdrGetProcedureAddress
NtQueryVirtualMemory
LdrLoadDll
NtQueryInformationThread
LdrGetDllHandle
RtlAnsiStringToUnicodeString
ntdll.dll
\\.\pipe\%s
kernel32.dll
GetNativeSystemInfo
%s_%d
%s_0
%s-Mutex
SeDebugPrivilege
ntdll.dll
NtGetNextProcess
%s-pid
%s-comm
NtResumeThread
Internet Explorer\iexplore.exe
PONG
JOIN #
PRIVMSG #
%s.Stopped “%S” against makin “%S”
%s.Stopped “%S” against makin “%S” – “%s” file deleted successfully!
.exe
autorun.inf
%s.Identified Proc- “%S” sending a suspicious message to %s:%d.
%s.Identified Proc- “%S” as malicious upon checking port %s:%d {Nigger: %s}.
PRIVMSG %255s
JOIN %255s
PRIVMSG
JOIN
cnc
%s:%d
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
NtSetInformationProcess
%s.%s%s
%S%s%s
HKCU\
HKLM\
%s.%S%S
%S%S%S
HKCU\
HKLM\
msn
%s_
aaaaa_%s
off
%s.%s (p=’%S’)
pop3://%s:%s@%s:%d
popgrab
%s:%s@%s:%d
anonymous
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
asdadasdsss
asds
sss
ssssss
ssss
%s-%s-%s
dasdsd
asdsds
Microsoft Unified Security Protocol Provider
%s.ewfewewrtwertwerterfegergwregwergwergretretwerfrr ‘%s’
scr
pif
com
%s.eufhquwefh9wef89qwey8fhqwehf89hqwe89fh8w9ehf89h8e ‘%S’
dddddsds
asdasdsds
234534543324534545445
23423415644556
894848
89234543464554544
345487544
8944451
843456544
298548344565454458449
8344584458495
345234545
8344584544
2854844
81254848484450
sdfdfcs
asdsdsasffsds
ssdasccxzxccefrg
erffssd
eeefiyu
etwegfg
erttergh
ertrtgb
ertgfd
erttrf
rrrr
dfhtrstgthgh
rthfg
ertrtfdgfg
cvbhrthgfgh
dfbbghth
thtrhhgf
dfgdgggbvf
dfgerhrthth
rthhth
dfgrthrtggfgv
rthrtgtrhthrt
dgrthgfhhhg
ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
login[password]
login[username]
*members*.iknowthatgirl*/members*
IKnowThatGirl
*youporn.*/login*
YouPorn
*members.brazzers.com*
Brazzers
clave
numeroTarjeta
*clave=*
*bcointernacional*login*
Bcointernacional
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
Dotster
loginid
*enom.com/login*
Enom
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
1and1
token
*moniker.com/*Login*
Moniker
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
Namecheap
loginname
*godaddy.com/login*
Godaddy
Password
EmailName
*Password=*
*alertpay.com/login*
Alertpay
*netflix.com/*ogin*
Netflix
*thepiratebay.org/login*
Thepiratebay
*torrentleech.org/*login*
Torrentleech
*vip-file.com/*/signin-do*
Vip-file
pas
log
*pas=*
*sms4file.com/*/signin-do*
Sms4file
*letitbit.net*
Letitbit
*what.cd/login*
Whatcd
*oron.com/login*
Oron
*filesonic.com/*login*
Filesonic
*speedyshare.com/login*
Speedyshare
*pw=*
*uploaded.to/*login*
Uploaded
*uploading.com/*login*
Uploading
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
Fileserve
*hotfile.com/login*
Hotfile
*4shared.com/login*
4shared
txtpass
txtuser
*txtpass=*
*netload.in/index*
Netload
*freakshare.com/login*
Freakshare
login_pass
*login_pass=*
*mediafire.com/*login*
Mediafire
*sendspace.com/login*
Sendspace
*megaupload.*/*login*
Megaupload
*depositfiles.*/*/login*
Depositfiles
userid
*signin.ebay*SignIn
eBay
rut
*officebanking.cl/*login.asp*
OfficeBanking
*secure.logmein.*/*logincheck*
LogMeIn
session[password]
session[username_or_email]
*password]=*
*twitter.com/sessions
Twitter
txtPassword
txtEmail
*&txtPassword=*
*.moneybookers.*/*login.pl
Moneybookers
*runescape*/*weblogin*
Runescape
*dyndns*/account*
DynDNS
*&password=*
*no-ip*/login*
NoIP
*steampowered*/login*
Steam
quick_password
quick_username
username
*hackforums.*/member.php
Hackforums
email
*facebook.*/login.php*
Facebook
*login.yahoo.*/*login*
Yahoo
passwd
login
*passwd=*
*login.live.*/*post.srf*
Live
TextfieldPassword
TextfieldEmail
*TextfieldPassword=*
*gmx.*/*FormLogin*
GMX
*Passwd=*
Gmail
FLN-Password
FLN-UserName
*FLN-Password=*
*fastmail.*/mail/*
Fastmail
pass
user
*pass=*
*bigstring.*/*index.php*
BigString
screenname
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
AOL
Passwd
Email
*service=youtube*
*google.*/*ServiceLoginAuth*
YouTube
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
PayPal
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Keep-Alive: 300
Connection: keep-alive
Content-Length: 42
GET
POST
Mozilla/4.0
Connection: Close
X-a: b
\\.\PHYSICALDRIVE0
00100
%d.
SeShutdownPrivilege
NtShutdownSystem
uwifhuewgfhkjhsduyrhdhd
eiueriufjeidj
weiouriweojrioejeicn
eriuioiuerhoiohwefhjidj
ewoueiuroyihehdkjjfbcn
System Issue
shell32.dll
“%s” %S
msg
http
int
httpi
usbi
dnsapi.dll
DnsFlushResolverCache
POST
http://%s/%s
http://%s/
HTTP
Host:
POST /%1023s
.exe
lol
lol.exe
{%s|%s%s}%s
n%s{%s|%s%s}%s
<br>
ERR
2K8
VIS
2K3
admin
isadmin
127.0.0.1
%s|%s|%s
DnS Redir3cted!!!! “%s” to “%s”
disabled
enabled
%s|%s
[Logins]: Cleared %d logins
#user
#admin
#new
removing
exiting
reconnecting
332
433
001
376
MOTD
bsod
disable
POP3 ->
FTP ->
[d=”%s” s=”%d bytes”] Problem Found!: Check ur MD5 (%s != %s)
dlds
http://
R3b00tinG
[Login]: %s
[DNS]: Blocked %d domain(s) – Redirected %d domain(s)
asdasdweifuhwuiefggweihwuerhiiuhwerhueb
Software\Microsoft\Windows\CurrentVersion\Run
%s:Zone.Identifier
lolsup
running
IPC_Check
wininet.dll
secur32.dll
ws2_32.dll
shell\open\command=
shell\explore\command=
icon=shell32.dll,7
useautoplay=1
action=Open folder to view files
shellexecute=
[autorun]
.lnk
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %%cd%%%s
/c “start %%cd%%RECYCLER\%s
RECYCLER
.inf
%s%s
\\.\%c:
%S%S\Desktop.ini
%s\%s
%sautorun.tmp
%sautorun.inf
%c:\
gdkWindowToplevelClass
%0x.exe
comment-text
*bebo.*/c/home/ajax_post_lifestream_comment
bebo Lifestream
*bebo.*/c/profile/comment_post.json
bebo Comment
Message
*bebo.*/mail/MailCompose.jsp*
bebo Message
*friendster.*/sendmessage.php*
Friendster Message
comment
Friendster Comment
shoutout
*friendster.*/rpc.php
Friendster Shoutout
*vkontakte.ru/mail.php
vkontakte Message
*vkontakte.ru/wall.php
vkontakte Wall
message
*vkontakte.ru/api.php
vkontakte Chat
text
*twitter.*/*direct_messages/new*
Twitter Message
*twitter.*/*status*/update*
Twitter Tweet
status
*facebook.*/ajax/*MessageComposerEndpoint.php*
Facebook Message
msg_text
*facebook.*/ajax/chat/send.php*
Facebook IM
-_.!~*'()
Content-Length:
%s.%s hijacked!
%s=
MSG %d %s %d
MSG %d %1s
SDG %d %d
Reliability:
From:
Content-Length: %d
X-MMS-IM-Format:
SDG %d
bmsn
%s_0x%08X
winlogon.exe
explorer.exe
RegCreateKeyExW
RegCreateKeyExA
advapi32.dll
URLDownloadToFileW
URLDownloadToFileA
urlmon.dll
PR_Write
nspr4.dll
DnsQuery_W
DnsQuery_A
dnsapi.dll
InternetWriteFile
HttpSendRequestW
HttpSendRequestA
GetAddrInfoW
send
CreateFileA
MoveFileW
MoveFileA
DeleteFileW
DeleteFileA
kernel23.dll
CopyFileW
CopyFileA
NtQueryDirectoryFile
NtEnumerateValueKey
%s\%s.exe
%08x
OPEN
lsass.exe
Ft7
DnsFree
DnsQuery_A
DNSAPI.dll
FreeContextBuffer
InitializeSecurityContextW
FreeCredentialsHandle
DeleteSecurityContext
QueryContextAttributesW
AcquireCredentialsHandleW
EncryptMessage
DecryptMessage
InitializeSecurityContextA
ApplyControlToken
Secur32.dll
SHGetSpecialFolderPathW
SHGetFileInfoA
ShellExecuteA
SHELL32.dll
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
HttpQueryInfoW
InternetQueryOptionW
WININET.dll
PathAppendW
StrStrIA
PathAppendA
PathFindExtensionA
SHLWAPI.dll
WS2_32.dll
memset
wcsstr
strstr
wcsrchr
??3@YAXPAX@Z
atoi
sscanf
_strcmpi
printf
_snprintf
sprintf
strncpy
_memicmp
_wcsnicmp
_vsnprintf
_stricmp
strtok
strchr
_snwprintf
??2@YAPAXI@Z
_strnicmp
isxdigit
memmove
strncmp
toupper
strrchr
vsprintf
isalnum
strncat
MSVCRT.dll
lstrcpyA
MoveFileExA
lstrcmpA
WideCharToMultiByte
MoveFileExW
lstrcmpW
ExitThread
MultiByteToWideChar
GetFileAttributesA
SetFileAttributesW
GetFileAttributesW
LoadLibraryW
CloseHandle
SetFileTime
CreateFileW
GetFileTime
GetSystemTimeAsFileTime
WriteFile
GetModuleHandleW
GetLastError
ReadFile
GetTickCount
HeapAlloc
GetProcessHeap
HeapFree
lstrlenA
Sleep
WriteProcessMemory
ReadProcessMemory
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
SetEvent
ConnectNamedPipe
CreateNamedPipeA
CreateEventA
DisconnectNamedPipe
GetOverlappedResult
WaitForMultipleObjects
CreateFileA
VirtualFreeEx
VirtualAllocEx
IsWow64Process
CreateRemoteThread
OpenProcess
WaitForSingleObject
ReleaseMutex
MapViewOfFile
OpenFileMappingA
CreateFileMappingA
InterlockedIncrement
UnmapViewOfFile
CreateMutexA
GetVersionExA
GetModuleFileNameW
InterlockedCompareExchange
CreateThread
GetWindowsDirectoryW
DeleteFileW
GetTempFileNameW
lstrcatW
lstrcpynW
DeleteFileA
SetFileAttributesA
lstrcpyW
LocalFree
LocalAlloc
lstrcpynA
SetFilePointer
DeviceIoControl
VirtualAlloc
CreateProcessW
ExitProcess
lstrcatA
GetVolumeInformationW
GetLocaleInfoA
FlushFileBuffers
CopyFileW
FindClose
FindNextFileA
FindFirstFileA
SetCurrentDirectoryA
LockFile
GetFileSize
CreateDirectoryA
GetLogicalDriveStringsA
OpenMutexA
GetModuleFileNameA
GetWindowsDirectoryA
KERNEL32.dll
MessageBoxA
wvsprintfA
wsprintfW
DefWindowProcA
DispatchMessageA
TranslateMessage
GetMessageA
RegisterDeviceNotificationA
CreateWindowExA
RegisterClassExA
USER32.dll
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegNotifyChangeKeyValue
RegSetValueExA
RegOpenKeyExA
ADVAPI32.dll
CoCreateInstance
CoInitialize
ole32.dll
w,a
jp5

IOCTL_STORAGE_QUERY_PROPERTY