Malware oddball: key aspects of atypical malware

Date: 13/05/2014

If you think that the only possible variant of such malware is the classic schoolboy .bat file with a ‘format c:’ string inside, you are mistaken. The ability to automate routine operations in the system with .bat scripts has long since grown into a full-scale trend in malware writing, and almost all anti-virus companies have set aside a separate segment for it in their malware classifications.

For example, you can download a file from the Internet with the ‘ftp’ command, save it somewhere on the disk and then run it, or add the file to the startup group with something like this inside:

@reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Trojan /t REG_SZ /d C:\Trojan.bat /f

The result is an elementary ‘Bat.Downloader’ that performs its functions faithfully.

Besides, the ‘taskkill’ command can terminate any running processes that interfere with the malicious functionality of the program:

rem Killing explorer.exe
@taskkill /im explorer.exe /f > nul
rem Killing some aver.exe anti-virus. This operation is likely to fail ;)
@taskkill /im aver.exe /f > nul

Malware usually checks the system for anti-viruses first and then acts on the results of that check. In a bat script this is done with the ‘tasklist’ command:

rem Checking for the aver.exe process
@for /F "delims=" %%A in ('tasklist /FI "imagename eq aver.exe"') do @set sr=%%A
@if not "%sr:~0,8%"=="aver.exe" goto ff
rem ...
rem   The process is detected
rem   Performing appropriate actions
rem ...
@goto bb
:ff
rem ...
rem   The process is not detected
rem   Performing appropriate actions
rem ...
:bb
rem ...
rem   Continue running

As for the malicious actions themselves, they cover a broad area: deleting or moving various system files, modifying the contents of configuration files (including the ‘hosts’ file), changing registry values and, for example, blocking the launch of ‘taskmgr.exe’ or prohibiting registry modifications.
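The behaviours listed above (Run-key persistence, taskkill/tasklist against security products, hosts-file edits, Task Manager and registry-editor lockouts, ftp downloads) are exactly what an analyst greps a suspicious .bat for. The following static triage script is an added example, not part of the original article; the rule labels and the sample script are constructed for illustration.

```python
import re

# Indicator patterns for the batch-malware behaviours discussed in the article.
# Each entry: (finding label, case-insensitive regex; group 1 is an optional detail).
RULES = [
    ("run-key persistence",     re.compile(r"\breg\s+add\b.*CurrentVersion\\Run(Once)?\b", re.I)),
    ("process termination",     re.compile(r"\btaskkill\b.*?/im\s+(\S+)", re.I)),
    ("process-presence check",  re.compile(r"\btasklist\b.*imagename\s+eq\s+([^\s\"']+)", re.I)),
    ("hosts file access",       re.compile(r"drivers\\etc\\hosts\b", re.I)),
    ("Task Manager lockout",    re.compile(r"DisableTaskMgr", re.I)),
    ("registry editor lockout", re.compile(r"DisableRegistryTools", re.I)),
    ("ftp downloader",          re.compile(r"\bftp\b.*-s:", re.I)),
]


def triage_batch(script: str):
    """Return (line_no, label, detail) for every script line that matches a rule.

    detail is the captured process name where the rule has one, else "".
    A line may produce several findings if it matches several rules.
    """
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        for label, rx in RULES:
            m = rx.search(line)
            if m:
                detail = (m.group(1) or "") if label.startswith("process") else ""
                findings.append((no, label, detail))
    return findings


# Constructed sample mimicking the snippets in the article (not a real malware file).
SAMPLE = r"""@echo off
@reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d C:\Temp\upd.bat /f
@for /F "delims=" %%A in ('tasklist /FI "imagename eq aver.exe"') do @set sr=%%A
@taskkill /im explorer.exe /f > nul
echo 127.0.0.1 update.example.com >> %SystemRoot%\System32\drivers\etc\hosts
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
"""

if __name__ == "__main__":
    for no, label, detail in triage_batch(SAMPLE):
        print(f"line {no}: {label} {detail}".rstrip())
```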

This is how Trojan.BAT.Qhost.abq modifies the contents of hosts file

Part of bat-winlocker’s BAT/LockScreen.B code (Task Manager lock-up, prompt lock-up and prohibition on register modification are highlighted)

A great number of bat malware generators can be found on the Net. Of course, one shouldn’t take everything that comes out of these generators seriously, but inexperienced users may find even the termination of explorer.exe an unsolvable problem.

One of numerous bat malware generators (most anti-virus companies refer to such hacks as Riskware)

To put malware scripts into the more familiar form of an executable file, the makers of such scripts often use converters like bat2exe. It works, but this cannot be called full-fledged compilation: the script itself is written into the .exe file as a resource, then cmd.exe is started and executes the script.
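Because the script is stored verbatim, a bat2exe-style binary can be recognised without running it: locate the PE's sections and look for batch text in the resource data. The parser below is an added example, not code from the article or from bat2exe; it also checks the other sections and the overlay, since some wrappers append the script rather than store it as a resource, and the PE-shaped test input it builds is constructed, not a real sample.

```python
import struct

# Text fragments typical of a batch script stored as-is inside a PE (constructed list).
SCRIPT_MARKERS = (b"@echo off", b"reg add", b"taskkill", b"tasklist", b"cmd.exe /c")


def pe_regions(data: bytes):
    """Yield (region name, raw bytes) for each section and the overlay of a PE image.

    Assumes well-formed headers; input that is not MZ/PE yields nothing.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return
    coff = e_lfanew + 4                                   # COFF file header
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first section header
    end_of_sections = 0
    for i in range(n_sections):
        hdr = table + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
        yield name, data[raw_ptr:raw_ptr + raw_size]
    if end_of_sections < len(data):                       # bytes appended after the last section
        yield "overlay", data[end_of_sections:]


def find_embedded_script(data: bytes):
    """Return [(region, marker), ...] for every script marker found in a section or the overlay."""
    return [(region, m.decode()) for region, body in pe_regions(data)
            for m in SCRIPT_MARKERS if m in body]


def build_sample_pe(rsrc_payload: bytes, overlay: bytes = b"") -> bytes:
    """Constructed, non-runnable PE-shaped blob with a single .rsrc section (test input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # i386, one section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40
    sect = b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(rsrc_payload), 0x1000,
                                                  len(rsrc_payload), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sect + rsrc_payload + overlay


if __name__ == "__main__":
    print(find_embedded_script(build_sample_pe(b"@echo off\r\nreg add HKCU\\x\\Run /v a /d c:\\a.bat /f\r\n")))
```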

Trojan.BAT.Qhost.abq script as .exe file in the resource section

Self-extractors

Self-extracting archives (SFX archives), i.e. the possibility to pack several files into one archive with one of them starting automatically after extraction, have long been appealing to distributors of suspicious software and content. Such archives often contain quite legitimate programs along with a configuration or executable bat file (or a VBS script) that lets the archive be used for not so benevolent purposes.

For example, the ‘RemoteAdmin.Win32.RAdmin.20’ SFX archive contains the server part of the widely known ‘Radmin’ remote administration utility and a bat script for a stealthy launch of the ‘Radmin’ server. ‘Radmin’ keeps its configuration in the registry, so the script in the archive writes the required parameters into the respective registry key before ‘Radmin’ is launched.

Configuration .bat file for RemoteAdmin.Win32.RAdmin.20

When various types of crypto-currency became ubiquitous, SFX archives became popular among people wanting to mine digital currency on other people’s computing resources. In most cases mining utilities consist of several files, so a self-extractor is the best way to hide all of them. Naturally, a .bat file or a VBS script is put into the archive to launch the program with the necessary parameters.

Win32.BitCoinMiner.nni SFX archive contents (executable VBS script is highlighted)

Some SFX archives of this kind also contain the ‘Hidden Start’ utility, which provides a stealthy launch of the main program from the malicious archive.

AutoIt

Initially ‘AutoIt’ was designed for automating highly repetitive operations (e.g. installing software on a large number of computers). In its later versions the language came to resemble most popular general-purpose programming languages.

A great deal of malware is now written in ‘AutoIt’. The language allows low-level interaction with the system and supports calling Windows API functions. E.g., to inject code into another process, you need to write something like:

; Permissions for OpenProcess
Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020)
; ...
; ...
$hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $Process)
; ...
; ...
DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProcess, "ptr", $pMem, "ptr", $buffer, "uint", 260, "uint*", 0)
; ...
; ...
DllCall("kernel32.dll", "ptr", "CreateRemoteThread", "ptr", $hProcess, "ptr", 0, "uint", 0, "ptr", $pMem, "ptr", $pMem, "dword", 0, "ptr", 0)

Besides the properties of the language itself, code obfuscation at compile time is a great advantage for malware makers. You just need to write the following two lines at the beginning of the program:

; Run the obfuscator before compilation
#AutoIt3Wrapper_Run_Obfuscator=y
; Set obfuscation parameters
#Obfuscator_Parameters=/StripOnly /OM

Decompiled Backdoor.Win32.DarkKomet.djqs AutoIt code

On the whole, if the size of executables compiled with ‘AutoIt’ is disregarded, the language copes quite efficiently with the tasks virus writers set it. From time to time we see rather advanced samples that use various code injection and concealment techniques, malware body encryption and other tricks.

Python, Lua and others

Although ‘Python’ is a genuine hacker’s programming language, malware written in it is rarely seen. It mostly makes sense for OS X or Linux, where Python is installed with the system.

Suspicious Python script for Linux under Backdoor.Python.RShell name

Backdoor.Python.Aharm.a Python script for Mac

For Windows, malicious Python scripts are usually ‘compiled’ into an executable file (in reality this is not a full-fledged compilation either, as the .exe file contains the script itself and a Python interpreter).

As for the ‘Lua’ programming language, the most notorious malware written in it is Worm.Win32.Flame. The upper-level logic of most of this worm’s components was implemented in ‘Lua’. Worm.Win32.Flame contains 57 Lua components in total, each performing some malicious function. E.g., the ‘ATTACKOP_JIMMY_PRODS.lua’ script attacks another PC, ‘casafety.lua’ serves to detect anti-virus software, ‘CRUISE_CRED.lua’ is needed for stealing login credentials, and ‘euphoria.lua’ exploits an LNK file vulnerability.

These Lua scripts are partly from Worm.Win32.Flame

Part of ATTACKOP_JIMMY_PRODS.lua script

INFO

Windows has shipped (since Windows XP) with the ‘IExpress’ utility, which can create CAB archives, including self-extracting ones.

Conclusion

As virus analysis practice shows, malicious code can be written in anything, and the sample collections of many anti-virus companies sometimes contain very exotic samples written, for example, in the embedded language of the “1C:Enterprise” system (‘Virus.1C.Bonny.a’, ‘Virus.1C.Bonny.b’ or ‘Virus.1C.Tanga.а’). We may call the hacks mentioned in this article odd and atypical, but they exist in reality and they do work. And as we all know, “1C:Enterprise” is installed on a great many computers in our country…

Virus.1C.Tanga.а under VirusTotal

Part of Virus.1C.Tanga.а code