Eilam E. Reversing: Secrets of Reverse Engineering. 2005 (.pdf)

Reversing Malware 301

characters long. While I was first stepping through this sequence, all of these four strings were empty. This made the code proceed to the code sequence that follows instead of calling into a longish function at 00403016 that would have been called if there was a match on one of the usernames. Let’s look at what the function does next (when the usernames don’t match).

    00402F29  PUSH ZoneLock.004050BE            ; <%s> = "tounge"
    00402F2E  PUSH ZoneLock.00405110            ; <%s> = "morris"
    00402F33  PUSH ZoneLock.004054A1            ; format = "%s %s"
    00402F38  LEA EAX,DWORD PTR SS:[EBP-260]
    00402F3E  PUSH EAX                          ; s
    00402F3F  CALL <JMP.&CRTDLL.sprintf>
    00402F44  LEA EAX,DWORD PTR SS:[EBP-260]
    00402F4A  PUSH EAX                          ; s2
    00402F4B  PUSH ESI                          ; s1
    00402F4C  CALL <JMP.&CRTDLL.strcmp>

This is an interesting sequence. The first part uses sprintf to produce the string morris tounge, which is then checked against the current message being processed. If there is a mismatch, the function performs one more check on the current command string (even though it's been confirmed to be PRIVMSG), and returns. If the current command is !morris tounge, the program stores the originating username in the first available slot of the string array at 004051C5. That is, upon receiving this Morris message, the program stores the name of the user it is currently talking to in the array; this is the same array that was scanned for the attacker's name earlier. What does this tell you? It looks like the string !morris tounge is the secret password for the backdoor program: it only starts processing commands from a user that has transmitted this particular message.

One unusual thing about the preceding code snippet, which generates and checks the password, is that the sprintf call seems to be redundant. Why not just call strcmp with a pointer to the full morris tounge string? Why construct it at run time if it's a predefined, hard-coded string? A quick search for other references to the two string addresses shows that they are static; there doesn't seem to be any other place in the code that modifies either fragment. Therefore, the only reason I can think of is that the author of this program didn't want the string "morris tounge" to appear in the program in one piece. If you look at the code snippet, you'll see that each of the two words comes from a different area in the program's data section. This is essentially a primitive antireversing scheme that is supposed to make it a bit more difficult to find the password when searching the program binary for strings. It does nothing against a debugger: the assembled password sits in the stack buffer at [EBP-260] as soon as the sprintf call returns.


Now that we have the password, we can type it into our IRC program and try to establish a real communications channel with the backdoor. Obtaining a basic list of supported commands is going to be quite easy. I've already mentioned a routine at 00403016 that appears to process the supported commands. Disassembling this function to figure out the supported commands is an almost trivial task; one merely has to look for calls to string-comparison functions and examine the strings being compared. The function that does this is far too long to be included here, but let's take a look at a typical sequence that checks the incoming message.

    0040308B  PUSH ZoneLock.0040511B            ; s2 = "?dontuseme"
    00403090  LEA EAX,DWORD PTR SS:[EBP-200]
    00403096  PUSH EAX                          ; s1
    00403097  CALL <JMP.&CRTDLL.strcmp>
    0040309C  ADD ESP,8
    0040309F  OR EAX,EAX
    004030A1  JNZ SHORT ZoneLock.004030B2
    004030A3  CALL ZoneLock.00401AA0
    004030A8  MOV EAX,3
    004030AD  JMP ZoneLock.00403640
    004030B2  PUSH ZoneLock.00405126            ; s2 = "?quit"
    004030B7  LEA EAX,DWORD PTR SS:[EBP-200]
    004030BD  PUSH EAX                          ; s1
    004030BE  CALL <JMP.&CRTDLL.strcmp>
    004030C3  ADD ESP,8
    004030C6  OR EAX,EAX
    004030C8  JNZ SHORT ZoneLock.004030D4
    004030CA  MOV EAX,3
    004030CF  JMP ZoneLock.00403640
    004030D4  PUSH ZoneLock.00405138            ; s2 = "threads"
    004030D9  LEA EAX,DWORD PTR SS:[EBP-200]
    004030DF  PUSH EAX                          ; s1
    004030E0  CALL <JMP.&CRTDLL.strcmp>

See my point? All three strings are compared against the string at [EBP-200]; that's the command string (not including the exclamation mark). There are quite a few string comparisons, and I won't go over the code that responds to each and every one of them. Instead, how about we try out a few of the more obvious ones and just see what happens? For instance, let's start with the !info command.

    /JOIN ##g##
    <attacker> !morris tounge
    <attacker> !info
    -iyljuhn- Windows 2000 [Service Pack 4]. uptime: 0d 18h 11m. cpu 1648MHz. online: 0d 0h 0m. Current user: eldade. IP:192.168.11.128 Hostname:eldad-vm-2ksrv. Processor x86 Family 6 Model 9 Stepping 8, GenuineIntel.


You start out by joining the ##g## channel and saying the password. You then send the "!info" command, to which the program responds with some general information regarding the infected host. This includes the exact version of the running operating system (in my case, this was the version of the guest operating system running under VMware, on which I installed the Trojan/backdoor), and other details such as estimated CPU speed and model number, IP address and system name, and so on.
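The following Python is an added reconstruction of the logic recovered above (my code, not Eilam's and not the bot's own): the password assembled at run time from two fragments with a "%s %s" format, the four-slot array of authorized nicks at 004051C5 that gates the command dispatcher, and the strcmp chain in the function at 00403016 for the commands examined so far. The raw IRC line layout, the four slots being the capacity, what happens when every slot is taken, and the reply texts are assumptions; the !execute, !delete and !webfind64 handlers are deliberately left out. DATA_SECTION is a constructed stand-in for the binary's data section, included to show what a strings-style search sees.

```python
import getpass
import platform
import re
import socket

# The two halves of the password live apart in the data section, mirroring the
# addresses 004050BE and 00405110 pushed before the sprintf call, together with
# the "%s %s" format string at 004054A1.
_FRAGMENT_A = "morris"
_FRAGMENT_B = "tounge"
_FORMAT = "%s %s"

# Constructed stand-in for the binary's data section: both fragments and the
# format string are present, the assembled password is not.
DATA_SECTION = (b"PRIVMSG\x00" + _FRAGMENT_B.encode() + b"\x00?dontuseme\x00?quit\x00"
                + _FRAGMENT_A.encode() + b"\x00threads\x00" + _FORMAT.encode() + b"\x00")


def build_password():
    """Assemble the password at run time, as the sprintf call at 00402F3F does."""
    return _FORMAT % (_FRAGMENT_A, _FRAGMENT_B)


def password_visible_in(blob):
    """A strings-style search: True only if the assembled password appears
    verbatim in blob, which it does not when only the fragments are stored."""
    return build_password().encode() in blob


# The raw IRC line layout is assumed; the book shows only the client's view.
_PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)(?:!\S*)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")


class Backdoor:
    SLOTS = 4   # the four username strings scanned at the top of the handler
    EXIT = 3    # the value left in EAX before JMP 00403640 for ?dontuseme and ?quit

    def __init__(self):
        self.authorized = [""] * self.SLOTS   # the array at 004051C5
        self.socks4_ports = []
        self.uninstalled = False

    def handle_line(self, line):
        """Process one raw IRC line. Returns a reply string, EXIT, a
        ("disconnect", minutes) tuple, or None when nothing happens."""
        m = _PRIVMSG.match(line)
        if m is None:
            return None                                   # only PRIVMSG matters
        nick, text = m.group("nick"), m.group("text")
        if nick in self.authorized:
            return self.dispatch(text)                    # the function at 00403016
        # Unknown sender: the only thing accepted is the password, which claims
        # a free slot. What happens when all slots are taken is not shown in the
        # book; here the message is dropped (assumption).
        if text.startswith("!") and text[1:] == build_password():
            for i, slot in enumerate(self.authorized):
                if slot == "":
                    self.authorized[i] = nick
                    break
        return None

    def dispatch(self, text):
        """The strcmp chain over the command string without its leading '!'."""
        if not text.startswith("!"):
            return None
        command, _, argument = text[1:].partition(" ")
        if command == "?dontuseme":
            self.uninstalled = True                       # stands in for CALL 00401AA0
            return self.EXIT
        if command == "?quit":
            return self.EXIT
        if command == "threads":
            return "threads: " + ", ".join("socks4/%d" % p for p in self.socks4_ports)
        if command == "socks4" and argument.isdigit():
            self.socks4_ports.append(int(argument))       # the real bot spawns a listener thread
            return "socks4 thread started on port %s" % argument
        if command == "?disconnect" and argument.isdigit():
            return ("disconnect", int(argument))          # caller sleeps, then reconnects
        if command == "info":
            try:
                user = getpass.getuser()
            except Exception:                             # no login name available
                user = "unknown"
            return "%s. Current user: %s. Hostname: %s." % (
                platform.platform(), user, socket.gethostname())
        return None                                       # unknown command: no reply
```

Feeding the session above through handle_line shows the gate in action: "!info" from an unknown nick produces nothing, "!morris tounge" fills a slot, and only then does "!info" get a reply. The password_visible_in check is the practical consequence of the split storage: grepping the data section for the full password fails even though both halves are there in clear text.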

There are plenty of other, far more interesting commands. For example, take a look at the "!webfind64" and "!execute" commands. "!execute" launches an executable from the infected host's local drives. "!webfind64" downloads a file from any remote server into a local directory and launches it if needed. Together, these two commands give an attacker full-blown control of the infected system, and can be used to take advantage of it in countless ways.

Running SOCKS4 Servers

There is one other significant command in the backdoor program that I haven’t discussed yet: “!socks4”. This command establishes a thread that waits for connections that use the SOCKS4 protocol. SOCKS4 is a well-known proxy communications protocol that can be used for indirectly accessing a network. Using SOCKS4, it is possible to route all traffic (for example, outgoing Internet traffic) through a single server.

The backdoor supports multiple SOCKS4 threads that listen for traffic on attacker-supplied port numbers. What does this all mean? It means that if the infected system has any ports reachable from the Internet, it is possible to install a SOCKS4 server on one of those ports and use that system to connect to the Internet indirectly. For attackers this can be heaven, because it allows them to connect to servers on the Internet anonymously (actually, it's not anonymous: it uses the legitimate system owner's identity, so it is essentially a type of identity theft). Such connections can be used for any purpose: Web browsing, e-mail, and so on. The ability to connect to other servers without exposing one's true identity creates endless criminal opportunities; it is going to be extremely difficult to trace the traffic back to the system from which it actually originates. This is especially true if each individual proxy is only used for a brief period of time and if each proxy is cleaned up properly once it is decommissioned.
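As an added example (my code, not from the book or the bot), here is the SOCKS4 exchange the "!socks4" thread speaks, written out from the SOCKS4 and SOCKS4a protocol descriptions rather than from this binary: the client's CONNECT request, the server's 8-byte reply, and a classifier that recognizes a SOCKS4 CONNECT from the first bytes of a connection. The point for a defender is the last part: because the listening port is whatever the attacker typed after "!socks4", you cannot find these proxies by port number, only by what the traffic looks like. SAMPLE_FLOWS is constructed data.

```python
import socket
import struct

SOCKS4_VERSION = 0x04
CMD_CONNECT, CMD_BIND = 0x01, 0x02
REPLY_GRANTED, REPLY_REJECTED = 0x5A, 0x5B      # 90 and 91 in the SOCKS4 protocol


def build_connect_request(dst_host, dst_port, userid=b""):
    """Client side: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL. When dst_host is a
    name the SOCKS4a form is produced: DSTIP 0.0.0.1 and the name appended
    after the USERID terminator, again NUL-terminated."""
    try:
        dst_ip, hostname_tail = socket.inet_aton(dst_host), b""
    except OSError:
        dst_ip, hostname_tail = b"\x00\x00\x00\x01", dst_host.encode("ascii") + b"\x00"
    return (struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, dst_port, dst_ip)
            + userid + b"\x00" + hostname_tail)


def parse_request(buf):
    """Server or inspector side: decode a SOCKS4/SOCKS4a request from the first
    bytes of a TCP stream. Returns a dict, or None if buf is not one."""
    if len(buf) < 9 or buf[0] != SOCKS4_VERSION or buf[1] not in (CMD_CONNECT, CMD_BIND):
        return None
    dst_port = struct.unpack("!H", buf[2:4])[0]
    dst_ip = buf[4:8]
    nul = buf.find(b"\x00", 8)
    if nul < 0:
        return None                                 # USERID must be NUL-terminated
    userid = buf[8:nul].decode("ascii", "replace")
    host = socket.inet_ntoa(dst_ip)
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:   # SOCKS4a marker
        nul2 = buf.find(b"\x00", nul + 1)
        if nul2 < 0:
            return None
        host = buf[nul + 1:nul2].decode("ascii", "replace")
    return {"command": "CONNECT" if buf[1] == CMD_CONNECT else "BIND",
            "host": host, "port": dst_port, "userid": userid}


def build_reply(granted, port=0, ip="0.0.0.0"):
    """Server side: VN=0, CD=90 (granted) or 91 (rejected), DSTPORT, DSTIP."""
    return struct.pack("!BBH4s", 0, REPLY_GRANTED if granted else REPLY_REJECTED,
                       port, socket.inet_aton(ip))


def parse_reply(buf):
    """Client side: the 8-byte reply; None if buf is not a SOCKS4 reply."""
    if len(buf) < 8 or buf[0] != 0:
        return None
    code, port = struct.unpack("!BH", buf[1:4])
    return {"granted": code == REPLY_GRANTED, "code": code,
            "port": port, "ip": socket.inet_ntoa(buf[4:8])}


# Constructed sample: (listener port, first payload bytes) for three inbound
# connections to the infected host. The listener port is attacker-chosen, so
# classification has to rest on the payload, not on port 1080.
SAMPLE_FLOWS = [
    (4431, build_connect_request("203.0.113.10", 25, b"anon")),
    (4431, b"GET / HTTP/1.0\r\nHost: example\r\n\r\n"),
    (52222, build_connect_request("mail.example.net", 587)),
]


def socks4_connects(flows):
    """Return (listener_port, destination host, destination port) for every
    flow whose first bytes parse as a SOCKS4/4a CONNECT request."""
    hits = []
    for listener_port, payload in flows:
        req = parse_request(payload)
        if req is not None and req["command"] == "CONNECT":
            hits.append((listener_port, req["host"], req["port"]))
    return hits
```

The destination port in the request is what matters when you are asked what the proxy was used for: an inbound SOCKS4 CONNECT to port 25 on a host that is not a mail server is a spam relay in the making, whatever port the bot happened to listen on.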

Clearing the Crime Scene

Speaking of cleaning up, this program supports a self-destruct command called "!?dontuseme", which uninstalls the program from the registry and deletes the executable. You can probably guess that this is not an entirely trivial task: an executable program file cannot be deleted while the program is running. To work around this problem, the program generates a "self-destruct" batch file, which deletes the program's executable after the main program exits. This is done in a little function at 00401AA0, which generates the following batch file, called "rm.bat". The program runs this batch file and quits. Let's take a quick look at this batch file.

    @echo off
    :start
    if not exist "C:\WINNT\SYSTEM32\ZoneLockup.exe" goto done
    del "C:\WINNT\SYSTEM32\ZoneLockup.exe"
    goto start
    :done
    del rm.bat

This batch file spins in a loop that keeps trying to delete the main program executable; the loop only ends once the executable is actually gone. That's because the batch file starts running while ZoneLockup.exe is still running, so the first del attempts fail and the batch file must keep retrying until ZoneLockup.exe has exited. Note the last line: once the target is gone, the batch file deletes itself as well, so neither file is left behind on the cleaned-up host.
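For a responder who finds a stray .bat in a system directory, the shape above is a recognizable artifact. The following Python is an added example (mine, not the book's) that picks the two tell-tale parts out of a batch file: a backward goto loop that keeps deleting one file until it no longer exists, and a del of the batch file itself. SAMPLE_RM_BAT is a constructed copy of the rm.bat listing with straight quotes; the %0 and %~f0 self-references go beyond the book's sample, since the same stub is often written that way.

```python
import re

# Line shapes the stub is built from (matched case-insensitively, as cmd.exe does).
_LABEL = re.compile(r"^\s*:(\w+)\s*$")
_GOTO = re.compile(r"^\s*goto\s+:?(\w+)\s*$", re.I)
_IF_NOT_EXIST = re.compile(r'^\s*if\s+not\s+exist\s+"?(.+?)"?\s+goto\s+:?(\w+)\s*$', re.I)
_DEL = re.compile(r'^\s*(?:del|erase)\s+(?:/\S+\s+)*"?(.+?)"?\s*$', re.I)

# Constructed copy of the rm.bat shown above.
SAMPLE_RM_BAT = (
    "@echo off\r\n"
    ":start\r\n"
    'if not exist "C:\\WINNT\\SYSTEM32\\ZoneLockup.exe" goto done\r\n'
    'del "C:\\WINNT\\SYSTEM32\\ZoneLockup.exe"\r\n'
    "goto start\r\n"
    ":done\r\n"
    "del rm.bat\r\n"
)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_batch(text, batch_name):
    """Report the files a batch file deletes, which of them it deletes inside a
    retry-until-gone loop, and whether it deletes itself (by name, or through
    %0 / %~0 / %~f0, which cmd.exe expands to the running script)."""
    lines = [ln.strip() for ln in text.splitlines()]
    labels, dels, guards = {}, [], []
    for i, ln in enumerate(lines):
        if m := _LABEL.match(ln):
            labels[m.group(1).lower()] = i
        elif m := _DEL.match(ln):
            dels.append((i, m.group(1)))
        elif m := _IF_NOT_EXIST.match(ln):
            guards.append((i, m.group(1)))
    self_refs = {batch_name.lower(), "%0", "%~0", "%~f0"}
    deletes_self = any(_basename(p) in self_refs for _, p in dels)
    loop_targets = []
    for i, ln in enumerate(lines):
        m = _GOTO.match(ln)
        if not m or labels.get(m.group(1).lower(), i) >= i:
            continue                                   # forward jump or unknown label
        start = labels[m.group(1).lower()]
        # A del inside the loop body whose target is also the loop's exit test.
        for di, path in dels:
            if start < di < i and any(start < gi < i and _basename(gp) == _basename(path)
                                       for gi, gp in guards):
                loop_targets.append(path)
    return {"loop_targets": loop_targets, "deletes_self": deletes_self,
            "delete_targets": [p for _, p in dels]}


def is_self_delete_stub(text, batch_name):
    """True when both halves of the pattern are present."""
    r = analyze_batch(text, batch_name)
    return bool(r["loop_targets"]) and r["deletes_self"]
```

On the rm.bat above, analyze_batch returns ZoneLockup.exe as the looped target and flags the self-deletion; the loop target is the path a responder should go looking for in prefetch, shimcache or the registry Run key, since the file itself will usually be gone by the time the batch file is found.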

The Backdoor.Hacarmy.D: A Command Reference

Having gathered all of this information, I realized that it would be a waste to not properly summarize it. This is an interesting program that reveals much about how modern-day malware works. The following table provides a listing of the supported commands I was able to find in the program along with their descriptions.

Table 8.1 List of Supported Commands in the Trojan/Backdoor.Hacarmy.D Program.

    COMMAND          DESCRIPTION                                            ARGUMENTS

    !?dontuseme      Instructs the program to self-destruct by removing
                     its Autorun registry entry and deleting its
                     executable.

    !socks4          Initializes a SOCKS4 server thread on the specified   Port number to open.
                     port. This essentially turns the infected system
                     into a proxy server.

    !threads         Lists the currently active server threads.

    !info            Displays some generic information regarding the
                     infected host, including its name, IP address,
                     CPU model and speed, currently logged on
                     username, and so on.

    !?quit           Closes the backdoor process without uninstalling
                     the program. It will be started again the next
                     time the system boots.

    !?disconnect     Causes the program to disconnect from the IRC         Number of minutes to wait
                     server and wait for the specified number of          before attempting
                     minutes before attempting to reconnect.              reconnection.

    !execute         Executes a local binary. The program is launched     Full path to executable
                     in a hidden mode to keep the end user out of the     file.
                     loop.

    !delete          Deletes a file from the infected host. The program   Full path to file being
                     responds with a message notifying the attacker       deleted.
                     whether or not the operation was successful.

    !webfind64       Instructs the infected host to download a file       URL of file being
                     from a remote server (using a specified protocol     downloaded and local file
                     such as http://, ftp://, and so on).                 name that will receive the
                                                                          downloaded file.

    !killprocess     The strings for these two commands appear in the
    !listprocesses   executable, and there is a function (at 0040239A)
                     that appears to implement both commands, but it
                     is unreachable. A future feature perhaps?


Conclusion

Malicious programs can be treacherous and complicated. They will do their best to be invisible and seem as innocent as possible. Educating end users on how these programs work and what to watch out for is critical, but it’s not enough. Developers of applications and operating systems must constantly improve the way these programs handle untrusted code and convincingly convey to the users the fact that they simply shouldn’t let an unknown program run on their system unless there’s an excellent reason to do so.

In this chapter, you have learned a bit about malicious programs, how they work, and how they hide themselves from antivirus scanners. You also dissected a very typical real-world malicious program and analyzed its behavior, to gain a general idea of how these programs operate and what type of damage they inflict on infected systems.

Granted, most people wouldn’t ever need to actually reverse engineer a malicious program. The developers of antivirus and other security software do an excellent job, and all that is necessary is to install the right security products and properly configure systems and networks for maximum security. Still, reversing malware can be seen as an excellent exercise in reverse engineering and as a solid introduction to malicious software.

PART III

Cracking

CHAPTER 9

Piracy and Copy Protection

The magnitude of piracy committed on all kinds of digital content such as music, software, and movies has become monstrous. This problem has huge economic repercussions and has been causing a certain creative stagnation— why create if you can’t be rewarded for your efforts?

This subject is closely related to reversing because cracking, which is the process of attacking a copy protection technology, is essentially one and the same as reversing. In this chapter, I will be presenting general protection concepts and their vulnerabilities. I will also be discussing some general approaches to cracking.

Copyrights in the New World

At this point there is simply no question about it: The digital revolution is going to change beyond recognition our understanding of the concept of copyrighted materials. It is difficult to believe that merely a few years ago a movie, music recording, or book was exclusively sold as a physical object containing an analog representation of the copyrighted material. Nowadays, software, movies, books, and music recordings are all exposed to the same problem— they can all be stored in digital form on personal computers.

This new reality has completely changed the name of the game for copyright owners of traditional copyrighted materials such as music and movies, and has put them in the same (highly uncomfortable) position that software vendors have been in for years: They have absolutely no control over what happens to their precious assets.

The Social Aspect

It is interesting to observe the social reactions to this new reality with regard to copyrights and intellectual property. I’ve met dozens of otherwise law-abiding citizens who weren’t even aware of the fact that burning a copy of a commercial music recording or a software product is illegal. I’ve also seen people in strong debate on whether it’s right to charge money for intellectual property such as music, software, or books.

I find that very interesting. To my mind, this question has only surfaced because technological advances have made it so easy to duplicate most forms of intellectual property. Undoubtedly, if groceries were as easy to steal as intellectual property, people would start justifying that as well.

The truth of the matter is that technological approaches are unlikely to ever offer perfect solutions to these problems. Also, some technological solutions create significant disadvantages for end users, because they empower copyright owners and leave legitimate end users completely powerless. It is possible that the problem could be (at least partially) solved at the social level. This could be done by educating the public on the value and importance of creativity, and convincing the public that artists and other copyright owners deserve to be rewarded for their work. You really have to wonder: what's to become of the music and film industry in 20 years if piracy just keeps growing and spreading unchecked? Whose problem would that be, the copyright owner's, or everyone's?

Software Piracy

In a study on global software piracy conducted by the highly reputable market research firm IDC in July 2004, it was estimated that over $30 billion worth of software was illegally installed worldwide during the year 2003 (see the BSA and IDC Global Software Piracy Study by the Business Software Alliance and IDC [BSA1]). This means that 36 percent of the total software products installed during that period were obtained illegally. In another study, IDC estimated that "lowering piracy by 10 percentage points over four years would add more than 1 million new jobs and $400 billion in economic growth worldwide."

Keep in mind that this information comes from studies commissioned by the Business Software Alliance (BSA)—a nonprofit organization whose aim is to combat software piracy. BSA is funded partially by the U.S. government, but primarily by the world’s software giants including Adobe, Apple, IBM,