Malware oddball: key aspects of atypical malware

If you think that the only possible variant for such a malware is a classic school-based .bat file with ‘format c:’ string inside, then you’re mistaken. The opportunity to automate various routine operations within the system with the help of .bat scripts has long grown into a full-scale trend for malware coding, for which almost all the anti-virus companies have rendered a special segment in their malware specifications.

E.g. you can download a file from the Net with the help of ‘ftp’ instruction, save it somewhere on the disk and then run it, or add the file to startup group with something like this written inside:

As a result you get an elementary ‘Bat.Downloader’ that will accurately perform its functions.

Besides, ‘taskkill’ instruction can terminate any running processes which disturb malicious functionality of the programs:

At first malware usually checks the system for anti-viruses and then acts upon the results of such a check. You can do it with ‘tasklist’ instruction in a bat script:

As for malicious actions themselves, they provide a broad activity area: we can delete or move various system files, modify the contents of configuration files (including ‘hosts’ file), change register values and block, for example, the possibility to activate ‘taskmgr.exe’ or forbid register modifications.

This is how Trojan.BAT.Qhost.abq modifies the contents of hosts file

This is how Trojan.BAT.Qhost.abq modifies the contents of hosts file

Part of bat-winlocker’s BAT/LockScreen.B code (Task Manager lock-up, prompt lock-up and prohibition on register modification are highlighted)

Part of bat-winlocker’s BAT/LockScreen.B code (Task Manager lock-up, prompt lock-up and prohibition on register modification are highlighted)

Great number of bat malware generators may be found in the Net. Of course, one shouldn’t take everything that comes out from these generators seriously, but unexperienced users may find even explorer.exe termination an insolvable problem.

One of numerous bat malware generators (most anti-virus companies refer to such hacks as Riskware)

One of numerous bat malware generators (most anti-virus companies refer to such hacks as Riskware)

In order to put malware scripts into a more familiar form of executable file the makers of such scripts often use converters like bat2exe. It works, but we can’t name such an action a full-fledged compilation: the script itself is written into .exe file as a resource, then cmd.exe is activated and then executes the script.

Trojan.BAT.Qhost.abq script as .exe file in the resource section

Trojan.BAT.Qhost.abq script as .exe file in the resource section

Self-extractors

Self-extracting archives (SFX archives) or the possibility to put several files into one archive with one of them automatically starting after extraction have long become appealing for distributors of suspicious software and content. These archives often contain rather legal programs along with a configuration or executable bat file (or a VBS script) that allows to use such archives for not so benevolent intentions.

For example, ‘RemoteAdmin.Win32.RAdmin.20’ SFX archive contains a server-based mod of a widely known utility for ‘Radmin’ remote administration and a bat script for a stealthy launch of ’Radmin” server-based mod. ‘Radmin’ keeps its configuration in the register, so the script located in the archive writes required parameters into respective register thread before ‘Radmin’ is launched.

Configuration .bat file for RemoteAdmin.Win32.RAdmin.20

Configuration .bat file for ‘RemoteAdmin.Win32.RAdmin.20’

When various types of crypto-currency became ubiquitous, SFX archives became popular among many people willing to mine some digital currency with some other computation capacities. In most cases mining utilities consist of several files, so a self-extractor is the best way to hide all these files. Of course, a .bat file or a VBS script is put into the archive, so they launch the program with necessary parameters.

Win32.BitCoinMiner.nni SFX archive contents (executable VBS script is highlighted)

Win32.BitCoinMiner.nni SFX archive contents (executable VBS script is highlighted)

Some SFX archives of this kind also contain ‘Hidden Start’ utility providing stealthy launch of the main program from a malicious archive.

AutoIt

Initially ‘AutoIt’ was designed for automation and execution of highly repetitive operations (e.g. software installation for a large number of computers). In its later versions the language started to look like most popular general-purpose machine languages.

Now a great number of malware is written with ‘AutoIt’. The language allows to interact with the system on a low level and supports API function activation. E.g., in order to implement your code into some process, you need to write something like:

Besides the properties of the language, code obfuscation when being compiled is a great advantage for malware makers. You just need to write the following two strings in the beginning of the program:

Decompiled Backdoor.Win32.DarkKomet.djqs AutoIt code

Decompiled ‘Backdoor.Win32.DarkKomet.djqs’ AutoIt code

On the whole, if the volume of executable code compiled with ‘AutoIt’ is not taken into account, the language is quite efficient in dealing with tasks given by virus makers. From time to time we can see rather advanced samples using various code implementation and hide techniques, malware body encryption methods and other tricks.

Python, Lua and others

Although ‘Python’ is a real hacker machine language, you can rarely see a malware written with it. It’s mostly justified for OS X or Linux where Python is installed with the system.

Suspicious Python script for Linux under Backdoor.Python.RShell name

Suspicious Python script for Linux under ‘Backdoor.Python.RShell’ name

Backdoor.Python.Aharm.a Python script for Mac

‘Backdoor.Python.Aharm.a’ Python script for Mac

For Windows, malicious Python scripts are usually compiled into an executable file (in reality it’s not a full-fledged compilation either, as the .exe file contains the script itself and a Python interpreter).

As for ‘Lua’ machine language, the most malicious virus that has been written with it is Worm.Win32.Flame. The upper level logic in this worm was employed with ‘Lua’ for most of its components. Worm.Win32.Flame numbers 57 Lua components in total, each of them does some malicious function. E.g., ‘ATTACKOP _ JIMMY _ PRODS.lua’ script attacks another PC, ‘casafety.lua’ script serves to detect anti-virus software, ‘CRUISE _ CRED.lua’ is needed for login information theft, and ‘euphoria.lua’ exploits LNK file vulnerability.

These Lua scripts are partly from Worm.Win32.Flame

These Lua scripts are partly from ‘Worm.Win32.Flame’

Part of ATTACKOP _ JIMMY _ PRODS.lua script

Part of ‘ATTACKOP _ JIMMY _ PRODS.lua’ script

[efspanel style=”” type=””]
[efspanel-header]

INFO

[/efspanel-header]
[efspanel-content]
Windows is equipped (since Windows XP) with an ‘IExpress’ utility, which allows to create CAB archives including self-extractors.
[/efspanel-content]
[/efspanel]

Conclusion

As virus analysis practice shows us, a malicious code may be written with anything, and malware sample collections of many anti-virus companies sometimes have got very exotic samples written, for example with embedded language of “1C:Enterprise” system (‘Virus.1C.Bonny.a’, ‘Virus.1C.Bonny.b’ or ‘Virus.1C.Tanga.а’). We may call the hacks mentioned in the article odd and untypical, but they exist in reality and they do work. And as we all know, “1C:Enterprise” is installed on many computers of our country…

Virus.1C.Tanga.а under VirusTotal

Virus.1C.Tanga.а under VirusTotal

Part of Virus.1C.Tanga.а code

Part of Virus.1C.Tanga.а code


Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">