A forum for reverse engineering, OS internals and malware analysis 

MIDI vulnerability + malware

Forum for analysis and discussion about malware.

MIDI vulnerability + malware

 #11347  by R136a1
 Mon Jan 30, 2012 3:05 pm
Hey there,

if you read the subsequent blogpost you will learn about the current MIDI exploit used by some chinese malware writers:

Malware Leveraging MIDI Remote Code Execution Vulnerability Found:
http://blog.trendmicro.com/malware-leve ... ity-found/

Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability:
http://www.securityfocus.com/bid/51292/info

Site with MIDI exploit (be careful!):
hxxp://images.c2bshop.com/mp.html

Loads the following file if exploit successful:
hxxp://images.c2bshop.com/tdc.exe

This in turn loads two other components:
hxxp://file.tellmegirl.com/20120113.exe -> rootkit component
hxxp://file.tellmegirl.com/20120113.jpg -> configuration file
Attachments
MIDI file + downloader + components
pw: infected
(170.71 KiB) Downloaded 47 times

Re: MIDI vulnerability + malware

 #11351  by EP_X0FF
 Mon Jan 30, 2012 3:47 pm
Hello,

links to malware sites must be obfuscated without exception, your post has been edited.
hxxp://file.tellmegirl.com/20120113.exe -> rootkit component
What it exactly doing?
Can you attach both drivers mentioned in article?

for all who interested decryption xor key for dropper is 0xa2 (ignoring nulls of course)

Thanks.

Re: MIDI vulnerability + malware

 #11353  by kmd
 Mon Jan 30, 2012 5:39 pm
how did it survives reboot? system infected for sure after dropper start for example rku gives alert about remote thread
i cant find any traces in registry, no hooks found

Re: MIDI vulnerability + malware

 #11354  by EP_X0FF
 Mon Jan 30, 2012 5:44 pm
kmd wrote:how did it survives reboot? system infected for sure after dropper start for example rku gives alert about remote thread
i cant find any traces in registry, no hooks found
It patches imm32.dll entry point to load malicious code copy saved on disk as d3dx9_09.dll (25 Mb to avoid uploading to online scanners)

Re: MIDI vulnerability + malware

 #11355  by R136a1
 Mon Jan 30, 2012 5:47 pm
I did a mistake:
20120113.exe doesn't contain any rootkit capabilities as you probably already noticed. This is the credentials stealer "related to certain Korean online game sites."

The dropper (tdc.exe) contains the rootkit. Unfortunately I am not able to decrypt this file. As you already mentioned the XOR key is "0xA2", but the file does contain another state of obfuscation (to many 0-bytes, so it seems to be crippled).

Anyway the decrypted dropper can be found here:
https://www.virustotal.com/file/cab7cd4 ... /analysis/

And com32.sys driver here:
https://www.virustotal.com/file/90142be ... /analysis/

Maybe someone has access to virustotal files.

Re: MIDI vulnerability + malware

 #11356  by EP_X0FF
 Mon Jan 30, 2012 6:06 pm
Seems this piece of crap is not really impressive
Probably this rootkit part is simple driver agent.

hxxp://hummingbird.tistory.com/3544
 Return to “Malware”