Category Archives: Malware Analysis

Enter Sandbox – part 10: Removable devices & clickbait file names

Posted on by

Infection of removable drives is an old trick and no point explaining what it is. What is interesting though is looking at creativity of guys who leverage this infection vector and not the ones that exploit the autorun.inf mechanism (yawns!), but the one that focuses on social engineering.

Assuming that a potential victim of ‘removable device infection’ is typically not a very computer savvy individual is actually quite easy. We all know that it’s the guys like these that are a typical pray for malware authors.

But are they the only ones?

There is so many things one can do to place clickbaitfiles on the removable drive that the victim will end up clicking. It is stronger than us. Whether a rookie or a pro. You have seen it, I have seen it – the guys clicking, clicking… until it works. I have done it too.

Infection via a removable device is still a perfect social engineering platform and I’d say it is not going away anytime soon.

Looking at some of the sandboxes samples I have analyzed I created a short list of tricks I have spotted so far (send me more if you know others, and care to share).

  • hide the folder, create an .exe with the same name and ensure the .exe is using a folder icon
  • use ‘current’ and ‘directory up’ file names i.e. ‘..exe’ and ‘…exe’
  • use important-looking file names, also in foreign languages

匆删(重要资料).exe

  • leverage desktop.ini to change the appearance of the folder (f.ex. bin folder)
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
  • use various file extensions: .exe, .scr, .pif, .lnk
  • double .exe (.exe.exe), triple .exe (.exe.exe.exe)
  • intriguing names (sex&pr0n in general, controversy&scandal)
  • use attractive looking icons – yup, it’s thats imple
  • Fake Recycler folders
  • obviously, a randomized autorun.inf is a norm now
[AutoRun]
;FLvfB ysQiGKArLcs 
sheLl\open\commAnD = ukxfqq.pif
;fWJoARTstov kivfsp 
SHeLL\oPEn\dEfault=1
;tCcl bcaolB WdIa BdqhbkeGrp
Shell\explorE\COmmand= ukxfqq.pif
;ngFiihrOUk 
open =AutoRun.exe
;KyGpw
shEll\AutOpLAY\COMMaND=ukxfqq.pif
shell\1=Open
shell\1\Command=AutoRun.exe
shell\2\=Browser
shell\2\Command=AutoRun.exe
shellexecute=AutoRun.exe
;YtGyagvMMf ceqdP ymhOtYeaQn

Look at the screenshot below.

Be honest.

What you would NOT click?

mind you – it is good ol’ Windows XP!

removable

and same – on Windows 7

removablew7

 

 

Update

What does the topic of this post have in common with sandboxing?

It would be cool for sandboxes to highlight these artifacts (if they don’t, yet)…

If any sample drops its copy on a removable drive or another well-known file associated with social engineering i.e. exhibits one of the behaviors described above (and more, subject to more analysis) the ‘maliciousness’ score can easily go up.

Everyone wins. I hope 🙂

The story of a failed research :)

Posted on by

Most of the stuff I publish here are stories of a successful research. Today, for a change, I will talk about a little failed project. Little, because I didn’t spend too much time on it, failed – because it did fail 🙂

I think it is important to talk about such projects as well, because not only we do fail many times in our research activities + who knows, maybe someone will  come up with a better, more clever idea than me and make it actually successful.

In the Beyond good ol’ Run key, Part 22  series. I talked about perl2exe and how the executables created using this tool can load some other arbitrary perl scripts. So, when I found out about it I thought how cool would it be to access the hidden script in a programmatic way and just dump it (assuming that I could use the fact I can load an arbitrary code as a backdoor & that I can somehow find ways to access the source code of the perl script).

Of course, if you ever dumped the hidden script from perl2exe you may wonder why would I even bother to try – knowing that the script can be easily dumped using typical reversing tricks. Well, it was simply an appealing idea to me to be able to do it in a neat way. In the end I couldn’t find a way to do it. The only consolation is that I was able to at least print the names of the routines used in the code, and enable various debugging messages.

In the aforementioned post I mentioned you can load an arbitrary perl code when the perl2exe-compiled script is loaded.

For example, we can create a (null)\sitecustomize.pl script that will be executed before the main script.

If it contains the code

print "foobar\n";

it will load like this (running the old wmi.exe perl2exed script here)

foobar1

Running the code before the script is one thing, it may be handy to run code at the end of the execution as well – at that stage we will be able to enumerate some properties that are not available until the main script actually executes.

We can add the END section to our backdoor:

print "foobar - start\n";
sub END
{
 print "foobar - end\n";
}

that will do the following:


 foobar2

To dump  the code of the perl script one needs to employ the B::Deparse module.

One can write something like this:

use B::Deparse;
my $deparser = B::Deparse->new;
print $deparser->coderef2text(\&foobar);
sub foobar
{
 print "Hello world\n";
}

and when executed it will print the source code of the foobar function :

foobar3

A more complex script:

use warnings;
use B::Deparse;

printit (\%main::, 0);

sub printit
{
  my $hash1 = shift;my %hash=%{$hash1};
  my $n     = shift;

  foreach my $k ( keys %hash )
  {
      #print "-" x $n;

      if (defined $h{$k})
         {
           print "(hash)";
           printit (%{$h{$k}}, $n+1);
         }
      if (defined &{$k})
      {
        my $deparser = B::Deparse->new;
        print "$k\n";
        print $deparser->coderef2text(\&{$k});
      }

   }
}

sub foobar
{
  print "Hello world\n";
}

will produce something like this:

foobar4

It is kinda getting close to a quine and what we need, but…

But unfortunately, B::Deparse is not available inside the compile perl2exe-compiled binary. It also doesn’t seem to be possible to include this module from a separate perl repository. One can change the content of the INC environment variable (responsible for inclusion of modules) with a push f.ex.:

push (@INC, "C:/Perl/site/lib");
push (@INC,"C:/Perl/lib" );

at the top of our backdoor, but for some reason the B::Deparse doesn’t load (the engine finds the files, but you can’t use its functionality . Perhaps the appropriate version of perl (same as in perl2exe used to compile the script) may work – this is one of the potential paths that I have not explored. Perhaps other ways to load a library may work as well.

At this stage I kinda gave up, but still played a bit with some environmental variables.

For example, adding these to the top of the backdoor (so they are executed before the main script executes):

$ENV{PERL_DL_DEBUG}=1;
$ENV{DEBUG_TIE_REGISTRY}=1;

will enable a lot of debugging messages.

foobar5

and also related to Registry:

foobar6

Finally, adding this bit to the END section:

 foreach my $k ( keys %main:: )
 {
   print "FUNCTION: $k\n" if (defined &{$k});
 }

so that the final script looks like

print "foobar - start\n";

#$ENV{PERL_DL_DEBUG}=1;
#$ENV{DEBUG_TIE_REGISTRY}=1;

sub END
{
  print "foobar - end\n";
 
 foreach my $k ( keys %main:: )
  {
    print "FUNCTION: $k\n" if (defined &{$k});
  }

}

will allow us to print all the routines defined in the main script:

foobar7

GetSoftwareInfoGetHardwareInfo are indeed functions defined inside the wmi.exe – these may be still handy pieces of information if you want to quickly narrow down where the source of the original script is in memory (if you do a memory dump).

At this stage it is not a very useful piece of research. One could potentially employ this in sandboxing to produce a very detailed log, but  dumping the actual source code would be a much better choice.

Was it a wasted time? Hmm probably.

If you know, or come up with an idea how to print more useful info, or maybe even a source code – please let me know.