RDTSCP – a recooked AntiRe trick

RDTSC is an instruction that reads the processor’s time stamp counter. Reading it twice allows one to calculate the delta between the two counter values; if the obtained delta is significantly large, it can be used as a detection of a debugger, emulator, or virtual environment.

   rdtsc
   mov  ebx,eax
   rdtsc
   sub  eax,ebx
   cmp  eax,DELTA
   jb   ok
   ...
   suspicious environment detected
   ...
ok:

It’s a really old anti-reversing trick (and it has many variants) which can be recognized/instrumented/bypassed by making RDTSC a privileged instruction (e.g. using the PhantOm plugin for OllyDbg), or simply by patching the code.

Newer processors support a newer instruction called RDTSCP that does exactly the same thing as RDTSC, except that it does it in a serializing way: it waits until all preceding instructions have executed before reading the counter, so the re-ordering of instruction execution that can skew a plain RDTSC reading won’t happen. It can be used to calculate the time stamp counter delta the same way as RDTSC and as a result detect that the program is being debugged, emulated, or run inside a virtual environment.

This is nothing groundbreaking (read: it’s kinda lame), but since it could be used as ‘yet another anti-‘ trick it is still worth documenting.

   rdtscp
   mov  ebx,eax
   rdtscp
   sub  eax,ebx
   cmp  eax,DELTA
   jb   ok
   ...
   suspicious environment detected
   ...
ok:

The opcode for RDTSCP is 0F 01 F9, so you can embed it inline if your assembler doesn’t support it.

OllyDbg 1.x recognizes RDTSCP as:

  • 0F01F9 INVLPG  CL

OllyDbg 2.x recognizes it correctly as:

  • 0F01F9 rdtscp

RDTSCP is not recognized by Virtual PC 2007 or by older hardware. One can use CPUID to determine support for this instruction, or simply attempt to run it and catch the STATUS_ILLEGAL_INSTRUCTION exception if the instruction is invalid.

One thing to note: the RDTSC(P) delta trick doesn’t detect virtual environments very well. Running samples ‘live’ inside VMWare easily fools malware into believing it runs on a ‘real’ computer (unless it uses other VM detection tricks, or the DELTA threshold is really small, which is a kinda silly idea since it would prevent the malware from running on slower systems). As mentioned above, when used in a debugging/tracing context RDTSC(P) can be quite successful. It would be interesting to find out how it performs under various emulators, but I don’t use them so I could not test it.
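An added example (my own code, not the post’s test program) that does the same measurement in C with compiler intrinsics, so an analyst can characterize a sandbox the way the tables below do: it checks CPUID.80000001H:EDX[27] before touching RDTSCP, so it never raises the illegal-instruction exception mentioned above, then takes pairs of RDTSCP/RDTSC deltas. The DELTA threshold of 200 and the seven-sample loop are assumptions; on a non-x86 build every probe returns 0.

```c
/* Added example: RDTSC / RDTSCP delta measurement with a CPUID guard.
 * Builds with gcc or clang on x86; on other architectures every probe returns 0. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* CPUID.80000001H:EDX bit 27 advertises RDTSCP. Returns 1 if present, else 0
 * (also 0 when the extended leaf itself is missing, as on old hardware). */
int cpu_has_rdtscp(void) {
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(0x80000001u, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((edx >> 27) & 1u);
#else
    return 0;
#endif
}

/* Two back-to-back RDTSC reads; returns the cycle delta (0 on non-x86). */
uint64_t rdtsc_delta(void) {
#if HAVE_X86
    uint64_t first = __rdtsc();
    uint64_t second = __rdtsc();
    return second - first;
#else
    return 0;
#endif
}

/* Same with RDTSCP; guarded so it is never executed on a CPU that lacks it.
 * 'aux' receives IA32_TSC_AUX (usually the CPU number) and is ignored here. */
uint64_t rdtscp_delta(void) {
#if HAVE_X86
    unsigned int aux;
    if (!cpu_has_rdtscp())
        return 0;
    uint64_t first = __rdtscp(&aux);
    uint64_t second = __rdtscp(&aux);
    return second - first;
#else
    return 0;
#endif
}

/* The post's comparison (cmp eax,DELTA / jb ok): a delta at or above the
 * threshold is what the trick treats as a debugger/emulator/VM. */
int delta_is_suspicious(uint64_t delta, uint64_t threshold) {
    return delta >= threshold;
}

/* Smallest delta in a run. The post's tables are easier to compare by their
 * floor (27 on the host, ~236 in the XP guest) than by single noisy readings. */
uint64_t min_sample(const uint64_t *v, size_t n) {
    uint64_t m = v[0];
    for (size_t i = 1; i < n; i++)
        if (v[i] < m) m = v[i];
    return m;
}

int main(void) {
    enum { SAMPLES = 7 };                    /* assumption: seven pairs, like the tables */
    const uint64_t DELTA = 200;              /* assumption: placeholder threshold */
    uint64_t tsc[SAMPLES], tscp[SAMPLES];
    printf("rdtscp supported: %d\n", cpu_has_rdtscp());
    for (int i = 0; i < SAMPLES; i++) {
        tscp[i] = rdtscp_delta();
        tsc[i]  = rdtsc_delta();
        printf("rdtscp delta=%llu, rdtsc delta=%llu\n",
               (unsigned long long)tscp[i], (unsigned long long)tsc[i]);
    }
    uint64_t floor_tsc = min_sample(tsc, SAMPLES);
    printf("min rdtsc delta %llu -> %s\n", (unsigned long long)floor_tsc,
           delta_is_suspicious(floor_tsc, DELTA) ? "suspicious" : "ok");
    return 0;
}
```

Compile with `gcc -O0 rdtscp.c -o rdtscp` and run it once on the host and once in each guest; the floor of the RDTSC column is the number to compare against the host before deciding whether a sandbox would trip a given DELTA.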

Results of running the test program on the host and under VMs are below:

  • Host (Windows 7 SP1 x64):
    • rdtscp delta=27, rdtsc delta=21
    • rdtscp delta=56, rdtsc delta=18
    • rdtscp delta=27, rdtsc delta=140
    • rdtscp delta=56, rdtsc delta=18
    • rdtscp delta=76, rdtsc delta=60
    • rdtscp delta=27, rdtsc delta=29
    • rdtscp delta=38, rdtsc delta=21
  • VMWare Workstation 10.0.2, guest OS: Windows XP SP3 32:
    • rdtscp delta=241, rdtsc delta=325
    • rdtscp delta=241, rdtsc delta=399
    • rdtscp delta=236, rdtsc delta=331
    • rdtscp delta=236, rdtsc delta=405
    • rdtscp delta=265, rdtsc delta=304
    • rdtscp delta=265, rdtsc delta=349
    • rdtscp delta=265, rdtsc delta=340
  • VMWare Workstation 10.0.2, guest OS: Windows 7 SP1 32:
    • rdtscp delta=56, rdtsc delta=18
    • rdtscp delta=27, rdtsc delta=21
    • rdtscp delta=56, rdtsc delta=18
    • rdtscp delta=27, rdtsc delta=21
    • rdtscp delta=56, rdtsc delta=18
    • rdtscp delta=27, rdtsc delta=18
    • rdtscp delta=56, rdtsc delta=21
  • VMWare Workstation 10.0.2, guest OS: Windows 7 SP1 64:
    • rdtscp delta=27, rdtsc delta=21
    • rdtscp delta=56, rdtsc delta=18
    • rdtscp delta=27, rdtsc delta=47
    • rdtscp delta=27, rdtsc delta=18
    • rdtscp delta=56, rdtsc delta=18
    • rdtscp delta=56, rdtsc delta=18
    • rdtscp delta=27, rdtsc delta=21
  • Virtual Box 4.3.10, guest OS: Windows XP SP3 32:
    • rdtscp delta=64, rdtsc delta=64
    • rdtscp delta=27, rdtsc delta=47
    • rdtscp delta=27, rdtsc delta=18
    • rdtscp delta=27, rdtsc delta=18
    • rdtscp delta=56, rdtsc delta=21
    • rdtscp delta=27, rdtsc delta=21
    • rdtscp delta=27, rdtsc delta=50
    • rdtscp delta=27, rdtsc delta=47

You can download the test program here.

Upatre’s gadgetry

During the last week I have seen news reports talking about a spam campaign delivering malware that is using a .gadget file extension. Since one of my spambait accounts got it as well, I decided to run a quick test and write down what I found about it.

And just in case you are wondering: despite Gadgets being retired, they still work.

The malicious attachment is called internal_use_only.gadget; Gadget files are zip files, so one can enumerate their content e.g. with 7-Zip:

Path = internal_use_only.gadget
Type = zip
Physical Size = 6878

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2014-05-16 12:45:26 ....A          335          220  gadget.html
2014-05-16 12:44:14 ....A        10240         6151  main.exe
2014-05-15 22:08:40 ....A          326          199  gadget.xml
------------------- ----- ------------ ------------  ------------------------
                                 10901         6570  3 files, 0 folders
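Since a gadget is just a zip, the listing above can be automated: the added example below (my own code, not anything from the post or from 7-Zip) walks the central directory of a .gadget image held in memory and flags any member Windows would execute directly, which is the check a mail gateway or an analyst wants before anyone double-clicks the file. The archive it scans is constructed in memory with the same three member names as the attachment; it is not the real internal_use_only.gadget, and the extension list is an assumption.

```c
/* Added example: list .gadget (ZIP) members and flag executable ones. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define LFH_SIG  0x04034b50u   /* local file header */
#define CDFH_SIG 0x02014b50u   /* central directory file header */
#define EOCD_SIG 0x06054b50u   /* end of central directory record */

/* ZIP fields are little-endian whatever the host is. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(unsigned char *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Extensions the Windows shell runs directly (assumed list); a gadget needs none. */
int is_executable_name(const char *name) {
    static const char *exts[] = { ".exe", ".dll", ".scr", ".com", ".pif", ".cpl" };
    size_t n = strlen(name);
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++) {
        size_t e = strlen(exts[i]);
        if (n >= e && strcasecmp(name + n - e, exts[i]) == 0) return 1;
    }
    return 0;
}

/* Walk the central directory. Returns the member count, or -1 if the buffer is
 * not a well-formed ZIP. *executables receives how many members were flagged. */
int scan_gadget_zip(const unsigned char *buf, size_t len, int *executables) {
    if (len < 22) return -1;
    /* EOCD sits at the end, possibly followed by a comment of up to 65535 bytes. */
    size_t i = len - 22, limit = len > 22 + 65535 ? len - 22 - 65535 : 0;
    while (rd32(buf + i) != EOCD_SIG) { if (i == limit) return -1; i--; }
    unsigned entries = rd16(buf + i + 10);
    size_t pos = rd32(buf + i + 16), end = i;
    int execs = 0;
    for (unsigned k = 0; k < entries; k++) {
        if (pos + 46 > end || rd32(buf + pos) != CDFH_SIG) return -1;
        uint32_t usize = rd32(buf + pos + 24);
        uint16_t nlen = rd16(buf + pos + 28), xlen = rd16(buf + pos + 30), clen = rd16(buf + pos + 32);
        if (pos + 46 + nlen + xlen + clen > end) return -1;
        char name[256];                      /* longer names are truncated for display only */
        size_t copy = nlen < sizeof name - 1 ? nlen : sizeof name - 1;
        memcpy(name, buf + pos + 46, copy);
        name[copy] = '\0';
        int flag = is_executable_name(name);
        execs += flag;
        printf("%10u  %s%s\n", (unsigned)usize, name, flag ? "   <-- executable member" : "");
        pos += 46 + nlen + xlen + clen;
    }
    if (executables) *executables = execs;
    return (int)entries;
}

/* Build a minimal stored (method 0) ZIP with up to 16 members. CRCs stay zero
 * because the scanner above never inflates or verifies member data. */
size_t build_zip(unsigned char *out, const char **names, const char **bodies, unsigned n) {
    size_t pos = 0, lfh_off[16];
    for (unsigned k = 0; k < n; k++) {
        size_t nl = strlen(names[k]), bl = strlen(bodies[k]);
        lfh_off[k] = pos;
        memset(out + pos, 0, 30);
        wr32(out + pos, LFH_SIG);
        wr32(out + pos + 18, (uint32_t)bl);      /* compressed size */
        wr32(out + pos + 22, (uint32_t)bl);      /* uncompressed size */
        wr16(out + pos + 26, (uint16_t)nl);      /* name length */
        memcpy(out + pos + 30, names[k], nl);
        memcpy(out + pos + 30 + nl, bodies[k], bl);
        pos += 30 + nl + bl;
    }
    size_t cd_start = pos;
    for (unsigned k = 0; k < n; k++) {
        size_t nl = strlen(names[k]), bl = strlen(bodies[k]);
        memset(out + pos, 0, 46);
        wr32(out + pos, CDFH_SIG);
        wr32(out + pos + 20, (uint32_t)bl);
        wr32(out + pos + 24, (uint32_t)bl);
        wr16(out + pos + 28, (uint16_t)nl);
        wr32(out + pos + 42, (uint32_t)lfh_off[k]);  /* local header offset */
        memcpy(out + pos + 46, names[k], nl);
        pos += 46 + nl;
    }
    memset(out + pos, 0, 22);
    wr32(out + pos, EOCD_SIG);
    wr16(out + pos + 8, (uint16_t)n);
    wr16(out + pos + 10, (uint16_t)n);
    wr32(out + pos + 12, (uint32_t)(pos - cd_start));
    wr32(out + pos + 16, (uint32_t)cd_start);
    return pos + 22;
}

/* Constructed sample with the attachment's member names; returns the flagged count. */
int scan_sample_gadget(void) {
    static const char *names[]  = { "gadget.html", "main.exe", "gadget.xml" };
    static const char *bodies[] = { "<html></html>", "MZ-constructed-stub", "<gadget/>" };
    unsigned char img[1024];
    size_t len = build_zip(img, names, bodies, 3);
    int execs = 0;
    int n = scan_gadget_zip(img, len, &execs);
    printf("%d members, %d executable\n", n, execs);
    return execs;
}
```

Only the central directory is read, so nothing is inflated and a malformed archive simply yields -1; for a real attachment, read the file into a buffer and hand it to scan_gadget_zip, and treat any non-zero executable count as grounds to quarantine the .gadget.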

If dropped in a folder, we can see the icon of a Gadget:

[image: gadget]

The content of the gadget.xml:

[image: gadget_xml2]

The content of the gadget.html:

[image: gadget_html]

The third file is a small executable called main.exe.

Quick analysis confirmed it’s Upatre, a well-known Zeus downloader.

When main.exe is executed it drops a copy of itself as %TEMP%\ycare.exe and appends the original path of main.exe to that copy, so that ycare.exe can delete the original once it runs. The executed ycare.exe attempts to connect to just* [ . ]com/wp-content/uploads/2014/02/1605UKmw.enc or to grab the very same file from dot*[ . ]com/fonts/1605UKmw.enc.

If the user is silly enough to open this gadget on the computer, the warning popup will show up:

[image: gadget2]

If the user is silly^2 enough, the ‘gadget’ will be ‘added’ to the Sidebar:

[image: gadget3]

– and the malware thingie will run.

The Gadgets leave Gadgetish remnants on the system, and they can potentially be used to determine the original attack vector:

  • %USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Gadgets\internal_use_only.gadget\gadget.html
  • %USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Gadgets\internal_use_only.gadget\gadget.xml

and also

  • %USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

– the latter will contain the description of Gadget(s) added to the system:

[image: gadget_settings]

Other artifacts are less reliable, e.g.:

  • HKCU\Software\Classes\Local Settings\MuiCache

may contain references to Sidebar binaries and

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

may contain the entry starting Sidebar via

  • C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

– it’s less reliable because users may have other Gadgets installed, and a Sidebar installation is nothing unusual in their environment.

Nothing extraordinary – just yet another creative way to deliver the badness.