This program does not achieve persistence. It runs once and then exits.
The program displays an advertisement web page to the user.
The program finishes executing after displaying the advertisement.
We begin with some basic static analysis. While we don't see any interesting ASCII strings, we do see one interesting Unicode string: http://www.malwareanalysisbook.com/ad.html. We check the imports and exports of the program, and see only a few imports in addition to the standard imports, as follows:
SysFreeString SysAllocString VariantInit CoCreateInstance OleInitialize OleUninitialize
All of these functions are COM-related. The CoCreateInstance and OleInitialize functions in particular are required in order to use COM functionality.
Next, we try dynamic analysis. When we run this program, it opens Internet Explorer and displays an advertisement. There’s no evidence of the program modifying the system or installing itself to execute when the computer is restarted.
Now we can analyze the code in IDA Pro. We navigate to the _main method and see the code shown in the following listing.
00401003 push 0 ; pvReserved
00401005 call ❶ds:OleInitialize
0040100B test eax, eax
0040100D jl short loc_401085
0040100F lea eax, [esp+24h+ppv]
00401013 push eax ; ppv
00401014 push offset riid ; riid
00401019 push 4 ; dwClsContext
0040101B push 0 ; pUnkOuter
0040101D push offset rclsid ; rclsid
00401022 call ❷ds:CoCreateInstance
00401028 mov eax, [esp+24h+❸ppv]
The first thing the malware does is initialize COM and obtain a pointer to a COM object with OleInitialize at ❶ and CoCreateInstance at ❷. The COM object returned will be stored on the stack in a variable that IDA Pro has labeled ppv, as shown at ❸. In order to determine what COM functionality is being used, we need to examine the interface identifier (IID) and class identifier (CLSID).
Clicking rclsid and riid shows that they are 0002DF01-0000-0000-C000-000000000046 and D30C1661-CDAF-11D0-8A3E-00C04FC9E26E, respectively. To determine which program will be called, check the registry for the CLSID, or search for the IID on the Internet for any documentation. In this case, these values are the same identifiers we used in The Component Object Model. The IID is for IWebBrowser2, and the CLSID is for Internet Explorer.
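Reading a GUID out of the binary by hand is error-prone because the first three fields are stored little-endian while the last eight bytes are not. The following helper, added here as an illustration and not part of the lab solution, decodes the 16 raw bytes of rclsid and riid as they sit in .rdata into the registry string form and matches them against the two identifiers quoted above; the sample bytes are constructed to match those two GUIDs, and the registry paths in the fallback message are the standard HKCR\CLSID and HKCR\Interface locations.

```python
import struct

# The two identifiers quoted in the write-up above. Any GUID not in this table
# has to be resolved from the registry or from documentation.
KNOWN_GUIDS = {
    "0002DF01-0000-0000-C000-000000000046": "CLSID: Internet Explorer",
    "D30C1661-CDAF-11D0-8A3E-00C04FC9E26E": "IID: IWebBrowser2",
}

# Constructed sample input: the 16 bytes of rclsid and riid laid out as the
# GUID struct {DWORD Data1; WORD Data2; WORD Data3; BYTE Data4[8]} appears in
# memory. Data1..Data3 are little-endian; Data4 is stored as written.
RCLSID_BYTES = bytes.fromhex("01DF020000000000C000000000000046")
RIID_BYTES = bytes.fromhex("61160CD3AFCDD0118A3E00C04FC9E26E")


def guid_from_bytes(raw: bytes) -> str:
    """Decode a GUID from its in-memory layout into XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    data1, data2, data3 = struct.unpack_from("<IHH", raw, 0)
    data4 = raw[8:].hex().upper()
    return f"{data1:08X}-{data2:04X}-{data3:04X}-{data4[:4]}-{data4[4:]}"


def identify(raw: bytes) -> str:
    """Name the GUID if it is one we already know; otherwise say where to look it up."""
    guid = guid_from_bytes(raw)
    if guid in KNOWN_GUIDS:
        return KNOWN_GUIDS[guid]
    return (f"unknown GUID {guid}: check HKCR\\CLSID\\{{{guid}}} "
            f"or HKCR\\Interface\\{{{guid}}}")


if __name__ == "__main__":
    for label, raw in (("rclsid", RCLSID_BYTES), ("riid", RIID_BYTES)):
        print(f"{label}: {guid_from_bytes(raw)} -> {identify(raw)}")
```

If you instead take the GUID from IDA's already-formatted display, the byte-order step is not needed; the helper is for the case where you only have the raw bytes, for example from a memory dump or a hex view.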
As shown in the following listing, the COM object returned by CoCreateInstance is accessed a few instructions later at ❶.
0040105C ❶mov eax, [esp+28h+ppv]
00401060 push ecx
00401061 lea ecx, [esp+2Ch+pvarg]
00401065 ❷mov edx, [eax]
00401067 push ecx
00401068 lea ecx, [esp+30h+pvarg]
0040106C push ecx
0040106D lea ecx, [esp+34h+var_10]
00401071 push ecx
00401072 push esi
00401073 push eax
00401074 ❸call dword ptr [edx+2Ch]
Following this instruction, EAX points to the location of the COM object. At ❷, EAX is dereferenced and EDX points to the beginning of the COM object itself. At ❸, the function at an offset of +0x2C from the object is called. As discussed in the chapter, the offset 0x2C for the IWebBrowser2 interface is the Navigate function, and we can use the Structures window in IDA Pro to create a structure and label the offset. When Navigate is called, Internet Explorer navigates to the web address http://www.malwareanalysisbook.com/ad.html.
After the call to Navigate, there are a few cleanup functions and then the program ends. The program doesn't install itself persistently, and it doesn't modify the system. It simply displays a one-time advertisement.
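The offset 0x2C is not magic: it is the position of Navigate in the IWebBrowser2 vtable, which is built by stacking the methods of the interfaces it inherits (IUnknown, IDispatch, IWebBrowser, ...) in declaration order and multiplying the method index by the pointer size. The script below, added here as an illustration rather than as part of the lab solution, rebuilds that layout from the method order as declared in ExDisp.h (listed only as far as IWebBrowser's get_Busy; the IWebBrowserApp and IWebBrowser2 methods beyond that are omitted) and resolves a vtable call like the one at ❸ to a method name. The function names resolve_call, offset_of and method_at are my own, and the one disassembly line fed to it is taken from the listing above.

```python
import re

# Method order of the interfaces IWebBrowser2 inherits from, as declared in
# ExDisp.h. Only the prefix through IWebBrowser::get_Busy is listed here;
# IWebBrowserApp and IWebBrowser2's own methods follow it in the real vtable.
VTABLE_METHODS = [
    # IUnknown
    "QueryInterface", "AddRef", "Release",
    # IDispatch
    "GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke",
    # IWebBrowser
    "GoBack", "GoForward", "GoHome", "GoSearch", "Navigate",
    "Refresh", "Refresh2", "Stop", "get_Application", "get_Parent",
    "get_Container", "get_Document", "get_TopLevelContainer", "get_Type",
    "get_Left", "put_Left", "get_Top", "put_Top", "get_Width", "put_Width",
    "get_Height", "put_Height", "get_LocationName", "get_LocationURL",
    "get_Busy",
]


def vtable_layout(ptr_size: int = 4) -> dict:
    """Map vtable byte offset -> method name for the given pointer size (4 = x86, 8 = x64)."""
    return {index * ptr_size: name for index, name in enumerate(VTABLE_METHODS)}


def offset_of(method: str, ptr_size: int = 4) -> int:
    """Byte offset of a method slot; ValueError if the method is outside the listed prefix."""
    return VTABLE_METHODS.index(method) * ptr_size


def method_at(offset: int, ptr_size: int = 4) -> str:
    """Method name behind a vtable byte offset, or '<unlisted>' past the known prefix."""
    if offset % ptr_size:
        raise ValueError(f"offset {offset:#x} is not aligned to {ptr_size}-byte slots")
    return vtable_layout(ptr_size).get(offset, "<unlisted>")


# Matches IDA-style operands such as "call dword ptr [edx+2Ch]" and "[rdx+58h]".
_CALL_RE = re.compile(r"\[\s*\w+\s*\+\s*([0-9A-Fa-f]+)h\s*\]")


def resolve_call(disasm_line: str, ptr_size: int = 4) -> str:
    """Resolve an indirect 'call [reg+offset]' through the IWebBrowser2 vtable."""
    match = _CALL_RE.search(disasm_line)
    if not match:
        raise ValueError(f"no [reg+NNh] operand in: {disasm_line!r}")
    return method_at(int(match.group(1), 16), ptr_size)


if __name__ == "__main__":
    # The call from the listing above (x86, 4-byte slots).
    print(resolve_call("00401074 call dword ptr [edx+2Ch]"))  # Navigate
    for off, name in sorted(vtable_layout().items()):
        print(f"+{off:#04x}  {name}")
```

The same table is what you would type into IDA's Structures window to label the offset; keeping it in a script makes it reusable across samples and lets you switch to 8-byte slots for a 64-bit binary, where Navigate sits at +0x58.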
When you encounter a simple program like this one, you should consider it suspect. It may come packaged with additional malware, of which this is just one component.