The function at 0x401000 is the check Internet connection method, 0x401040 is the parse HTML method, 0x4012B5 is
printf, and 0x401150 is theswitchstatement.A
forloop has been added to themainmethod.The function at 0x401040 now takes a parameter and calls
sprintfwith the format stringInternet Explorer 7.50/pma%d. It builds a User-Agent for use during HTTP communication using the argument passed in.This program will run for 1440 minutes (24 hours).
Yes, a new User-Agent is used. It takes the form
Internet Explorer 7.50/pma%d, where%dis the number of minutes the program has been running.First, the program checks for an active Internet connection. If none is found, the program terminates. Otherwise, the program will use a unique User-Agent to attempt to download a web page containing a counter that tracks the number of minutes the program has been running. The web page downloaded contains an embedded HTML comment starting with
<!--. The next character is parsed from this comment and used in aswitchstatement to determine the action to take on the local system. These are hard-coded actions, including deleting a file, creating a directory, setting a registry run key, copying a file, and sleeping for 100 seconds. This program will run for 24 hours before terminating.
We begin by performing basic static analysis on the binary. We see one new string of interest that was not in Lab 6-3 Solutions, as follows:
Internet Explorer 7.50/pma%d
It looks like this program may use a dynamically generated User-Agent. Looking at the imports,
we don’t see any Windows API functions that were not in Lab 6-3 Solutions.
When performing dynamic analysis, we also notice this User-Agent change when we see Internet Explorer 7.50/pma0.
Next, we perform more in-depth analysis with disassembly. We load the executable into IDA Pro
and look at the main method, which is clearly structurally
different from main in Lab 6-3 Solutions,
although many of the same functions are called. We see the functions 0x401000 (check Internet connection method), 0x401040
(parse HTML method), 0x4012B5 as printf, and 0x401150 (the switch statement). You should rename these functions as such in IDA Pro to make them
easier to analyze.
Looking at the main method in IDA Pro’s graphical
view mode, we see an upward-facing arrow, which signifies looping. Example C-9
shows the loop structure.
Example C-9. The loop structure
00401248 loc_401248 00401248 mov [ebp+var_C], 0 ❶ 0040124F jmp short loc_40125A 00401251 loc_401251: 00401251 mov eax, [ebp+var_C] 00401254 add eax, 1 ❷ 00401257 mov [ebp+var_C], eax 0040125A loc_40125A: 0040125A cmp [ebp+var_C], 5A0h ❸ 00401261 jge short loc_4012AF 00401263 mov ecx, [ebp+var_C] ❺ 00401266 push ecx 00401267 call sub_401040 ... 004012A2 push 60000 004012A7 call ds:Sleep 004012AD jmp short loc_401251 ❹
The variable var_C is the local variable used for the loop
counter. The counter is initialized to 0 at ❶, jumps
past the incrementing at ❷, performs a check at
❸, and loops back to the incrementor when it gets to
❹. The presence of these four code sections tells us
that we are looking at a for loop code construct. If the var_C (counter) is greater than or equal to 0x5A0 (1440), the loop will end. Otherwise, the code starting at ❺ is executed. The code pushes var_C on the stack before calling 0x401040, and then
sleeps for 1 minute before looping up at ❹ and
incrementing the counter by one. Therefore, this process will repeat for 1440 minutes, which is
equal to 24 hours.
In previous labs, 0x401040 did not take a parameter, so we
need to investigate this further. Example C-10 shows the start of 0x401040.
Example C-10. The function at 0x401040
00401049 mov eax, [ebp+arg_0] 0040104C push eax ❶ 0040104D push offset aInt ; "Internet Explorer 7.50/pma%d" 00401052 lea ecx, [ebp+szAgent] 00401055 push ecx ; char * 00401056 call _sprintf 0040105B add esp, 0Ch 0040105E push 0 ; dwFlags 00401060 push 0 ; lpszProxyBypass 00401062 push 0 ; lpszProxy 00401064 push 0 ; dwAccessType 00401066 lea edx, [ebp+szAgent] ❷ 00401069 push edx ; lpszAgent 0040106A call ds:InternetOpenA
Here, arg_0 is the only parameter, and main is the only method calling 0x401040, so we conclude that arg_0 is always the
counter (var_C) from the main
method. Arg_0 is pushed on the stack at ❶, along with a format string and a destination. We also see that
sprintf is called, which creates the string and stores it in the
destination buffer, the local variable labeled szAgent. And
szAgent is passed to InternetOpenA at ❷, which
means that every time the counter increases, the User-Agent will change. This mechanism can be used
by an attacker managing and monitoring a web server to track how long the malware has been
running.
To summarize, the program checks for an active Internet connection using the if construct. If
no connection is found, the program terminates. Otherwise, the program uses a unique User-Agent to
attempt to download a web page containing a counter from a for
loop construct. This counter contains the number of minutes the program has been running. The web
page contains an embedded HTML comment and is read into an array construct of characters and
compared to <!--. The next character is parsed from this
comment and used in a switch construct to determine what action to take on the local system. These
are hard-coded actions, including deleting a file, creating a directory, setting a registry run key,
copying a file, and sleeping for 100 seconds. This program will run for 1440 minutes (24 hours)
before terminating.