Hi,
A few days ago (2010/05/24) a set of websites compromised by the Eleonore Exploits pack v1.4.1 appeared in the various malware collectors; this is the evidence of the Eleonore infection:
* XXXXXXX.com/el2/
* XXXXXXX.com/el2/stat.php
* XXXXXXX.com/el2/load.php?spl=mdac&h=
Here stat.php belongs to the Control Panel and load.php delivers the SpyEye variant.
The dropped executable is named load.exe; let's observe its PE structure:
FileName: load.exe
MD5: E8268FB6853E8B5A5E0F213873651D28
SHA-1: DFFD9D8AB989F94EFA30575B37C4A078E50DC821
As you can see, among the sections we have .edata, the usual name of the section that holds the Export Directory, so let's observe this one:
The Import Directory presents two modules, kernel32.dll and user32.dll; among the classical imports we can see:
* CreateSemaphoreW
* FindResourceA
Especially the last one suggests that some of the resources stored in the executable will be extracted and processed (processing usually means one or more decryption routines).
RCData contains a block of data that appears to be encrypted; with good approximation this resource entry is the one that contains an embedded executable. PE inspection is now complete, so we can move to disassembly and debugging.
Here the EntryPoint.
Execution also passes through the two export functions, performing a layer of decryption, and finally lands here:
.text:0040101C start:
.text:0040101C push ebp
.text:0040101D mov ebp, esp
.text:0040101F sub esp, 64h
.text:00401022 mov [ebp-4], esi
.text:00401025 mov edi, [ebp-38h]
.text:00401028 mov [ebp-34h], edx
.text:0040102B mov [ebp-50h], ebx
.text:0040102E dec ebx
.text:0040102F inc ebx
.text:00401030 inc esi
Flow jumps to 408634, which is the routine previously decrypted:
.text:004011C9 mov ecx, 408634h
.text:004011CE push ecx
.text:004011CF xor edx, [ebp-10h]
.text:004011D2 retn
00408634 55 PUSH EBP
00408635 8BEC MOV EBP,ESP
00408637 83EC 3C SUB ESP,3C
0040863A 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0040863D 55 PUSH EBP
0040863E 50 PUSH EAX
0040863F C70424 00000000 MOV DWORD PTR SS:[ESP],0
00408646 E8 09000000 CALL 00408654 ;This call causes an exception
0040864B 8B6424 08 MOV ESP,DWORD PTR SS:[ESP+8] ;Here starts the exception handler
0040864F E9 1E000000 JMP 00408672
00408654 33C0 XOR EAX,EAX
00408656 64:FF30 PUSH DWORD PTR FS:[EAX]
00408659 64:8920 MOV DWORD PTR FS:[EAX],ESP ;Install the exception handler
0040865C EB 03 JMP SHORT 00408661
..
00408678 FF0424 INC DWORD PTR SS:[ESP]
0040867B 813C24 59050000 CMP DWORD PTR SS:[ESP],559
00408682 ^ 0F82 BEFFFFFF JB 00408646
In the last instructions an Exception Handler placed at 0040864B is installed. This piece of code works as a second layer of decryption, but this time it is performed in a slightly different way: we have a SEH handler that corresponds to the body of the decryption routine; immediately before this 'body' we have a call which causes an exception; the exception triggers the core decryption and then exits; at the end we have the conditional check of the cycle, and if it does not match, a new iteration starts that causes an exception again.
This decryption loop was precisely coded to visually fool the analyst, because if we do not place a breakpoint inside the handler, the execution flow appears to be a classical loop that jumps, after the call, over a block of instructions. In practice the 'body' is executed, but without a breakpoint inside it you can't fully trace the code.
Continuing the analysis, what emerges is the massive usage of layers of encryption: the previous SEH loop decoded another block, and inside it we have another decryption loop. Finally we land here:
Inside the call:
004087F7 E8 02000000 CALL 004087FE
0040881B 2B4D F8 SUB ECX,DWORD PTR SS:[EBP-8]
0040881E 81E8 68384000 SUB EAX,OFFSET load.00403868
00408824 81C0 0A344000 ADD EAX,OFFSET load.0040340A
0040882A 50 PUSH EAX
0040882B EB 14 JMP SHORT 00408841
00408841 C3 RETN ;Jump to 0040839E (the latest decoded block)
The essential scope of this decrypted piece of code is to extract another block from the resources and subsequently decode it into a newly allocated block of memory. It's important to say that the analysis is harder because the code presents a good level of junk code. Let's observe a block of decrypted data:
Carefully observe the ASCII strings in the red circles: there is clear evidence of the PE nature of this block, which presents a low level of encryption. After dumping it, the obfuscated executable is placed again in memory and deobfuscated, and emerges, as should be obvious, as a UPX-packed one. At this point load.exe obtains the EntryPoint of this new executable (trivially, Optional Header->AddressOfEntryPoint).
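As an added illustration (not part of the original post, and not SpyEye's code), the following Python script mimics what an analyst does with a dumped block like the one above: it brute-forces a single-byte XOR layer by looking for PE markers and the UPX0/UPX1 section names, then reads AddressOfEntryPoint from the decoded headers exactly as load.exe does. The sample blob, its key (0x5A) and the entry point value (0x1000) are constructed for the demo.

```python
import math
import struct
from collections import Counter

# Strings an analyst expects once an embedded PE is decoded (the "clear evidence of the PE
# nature" mentioned above); UPX0/UPX1 are the default section names of a UPX-packed file.
PE_MARKERS = (b"MZ", b"PE\x00\x00", b"This program cannot be run in DOS mode", b"UPX0", b"UPX1")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def markers_found(data: bytes) -> list:
    return [m for m in PE_MARKERS if m in data]

def recover_single_byte_xor(blob: bytes):
    """Try all 256 single-byte XOR keys; return (key, decoded, markers) for the key that
    exposes the most PE markers, or None when no key exposes any."""
    best = None
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        found = markers_found(decoded)
        if found and (best is None or len(found) > len(best[2])):
            best = (key, decoded, found)
    return best

def entry_point_rva(pe: bytes) -> int:
    """IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint, read the way load.exe does it:
    e_lfanew at 0x3C, optional header 24 bytes after the 'PE\\0\\0' signature, field at +16."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    return struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]

def build_sample_blob(key: int = 0x5A) -> bytes:
    """Constructed sample: skeleton of a UPX-packed PE image XORed with one byte.
    Only the header fields used by the functions above are filled in."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    stub = b"This program cannot be run in DOS mode"
    img[0x40:0x40 + len(stub)] = stub
    img[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<I", img, 0x80 + 24 + 16, 0x1000)  # AddressOfEntryPoint (made up)
    img[0x180:0x184] = b"UPX0"
    img[0x1A8:0x1AC] = b"UPX1"
    return bytes(b ^ key for b in img)

if __name__ == "__main__":
    blob = build_sample_blob()
    key, decoded, found = recover_single_byte_xor(blob)
    print(f"key=0x{key:02X} markers={found} entry=0x{entry_point_rva(decoded):X}")
    print(f"entropy before={entropy(blob):.3f} after={entropy(decoded):.3f}")
```

Note that a single-byte XOR does not change the entropy of the blob at all, so an entropy check alone cannot tell such a "low level of encryption" apart from the plaintext; the marker search is what exposes it.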
Execution now jumps to the new executable and, after decrypting a block of code, builds an Import Address Table by hand.
As usual, after decoding the data block, let's see what we meet:
0040221F 68 00000040 PUSH 40000000
00402224 68 00080000 PUSH 800 ;LOCALE_SYSTEM_INFO
00402229 68 5B1F4000 PUSH 401F5B ;Callback's Address
0040222E FF15 9C804000 CALL DWORD PTR DS:[40809C] ;EnumTimeFormatsA
00402234 6A 00 PUSH 0
00402236 FF15 AC804000 CALL DWORD PTR DS:[4080AC] ;ExitProcess
Here a truly interesting element emerges: the malicious usage of the EnumTimeFormats function. This is an original element among common malware, due to the fact that it is rarely, if ever, used. To understand how this API can be abused, let's see what it does:
Enumerates the time formats that are available for a locale specified by identifier.
BOOL EnumTimeFormats(
__in TIMEFMT_ENUMPROC lpTimeFmtEnumProc,
__in LCID Locale,
__in DWORD dwFlags
);
SpyEye exploits the fact that EnumTimeFormats executes a callback. The first effect of this method is merely visual, done to fool analysts, because if you execute this call normally, execution suddenly ends; checking the SEH chain, nothing seems to happen because no exception occurs. What we have to do is place a breakpoint on the callback address 00401F5B, then execute the call, and execution is immediately stopped by the BP.
We are now inside the callback, which presents an interesting structure that will be reversed in the second episode.
Regards,
Giuseppe 'Evilcry' Bonfa