Malware: When <!-- comments --> become commands
I started to look at the malware and got it unpacked in my faithful debugger when I saw some strings that always pique my interest... those that give you a command shell. I always like those. There was also a URL in the strings, so I fired the malware up in my VM and saw that it indeed wanted to go to that URL. I looked at the source code for the actual URL and found nothing really unique about it. There were two .htm files in that website's directory structure. One we'll call "file.htm" and the other "file2.htm". A regular user gets "file.htm" when they visit the site, but the malware wanted "file2.htm". The only difference between the two files was 8 little characters commented out at the top using HTML comments "<!--" and "-->", which seemed interesting.
Well, if it wants a website... give it a website (isn't VM great). I set up a website for my malware using copies of the htm files from the actual site and sent it on its happy way. A packet capture showed the malware going to the website, establishing a connection, getting the file it wanted, sending an ACK for it and then a RST ending the connection. My curiosity was piqued, but what exactly was the purpose of it going to that specific site? So when I encounter something new and cool and really need an expert on the code... what do I normally do... find my fellow handler Tom Liston and see if he has time to play!
Tom (many thanks to you Tom!) and I spent a lot of time looking at this and the mystery is not yet solved as to how it is working in its entirety. But it's scary as it currently exists. Not the delivery of it, but the malware itself. The malware gets installed by a user clicking on a link in the email to download a file and then opening that file, or by opening the attachment and running it. The .exe installs itself and runs as a service. The malware contacts the site and does a GET; the site passes the page back, and it looks just like normal web traffic to the casual observer. The malware, however, parses the first 64 bytes of the page it gets, which means it grabs those unique little characters at the top and a little more. Then it uses a delimiter of <!-- for the left side and --> for the right side and pulls the characters out of the middle. It runs them through several commands, but it doesn't appear that the string on the page is the one it's looking for right now. Nothing is happening with it at this point. We have theories as to what the malware is doing and we are working to confirm them.
However, it doesn't take much to realize that it is a unique approach and many nasty things could be done. It's really just another sad indicator as to the direction that malware is going and the more difficult our battle is to keep our networks secure.
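For anyone triaging captured web responses, the parsing rule described above (first 64 bytes, text between <!-- and -->) can be applied from the defender's side. The following Python is an added example, not code from the malware or from this diary; the sample pages, the token `a1B2c3D4` and the `MAX_TOKEN` threshold are constructed assumptions.

```python
import re

WINDOW = 64      # per the write-up: only the first 64 bytes of the page are parsed
MAX_TOKEN = 16   # assumption: cut-off for a "short" token; the sample used 8 characters
COMMENT = re.compile(rb"<!--(.*?)-->", re.DOTALL)


def leading_comment(body, window=WINDOW):
    """Return the bytes between the first <!-- and --> when both delimiters
    fall inside the first `window` bytes of the body, otherwise None."""
    match = COMMENT.search(body[:window])
    return match.group(1) if match else None


def looks_like_token(comment):
    """Heuristic (assumption): a short comment with no whitespace reads more
    like a machine token than a note a person left in the page."""
    return (comment is not None
            and 0 < len(comment) <= MAX_TOKEN
            and not re.search(rb"\s", comment)
            and not comment.startswith(b"[if"))   # skip IE conditional comments


def flag_pages(pages):
    """pages maps a name to its response body; return {name: token} for
    every page whose leading comment looks like a token."""
    flagged = {}
    for name, body in pages.items():
        comment = leading_comment(body)
        if looks_like_token(comment):
            flagged[name] = comment
    return flagged


# Constructed sample bodies, not taken from the real site.
PAGE = b"<html>\r\n<head><title>Welcome</title></head><body>Hi</body></html>"
SAMPLES = {
    "file.htm": PAGE,                                    # what a regular visitor gets
    "file2.htm": b"<!--a1B2c3D4-->\r\n" + PAGE,          # 8 characters in a comment
    "saved.htm": b"<!-- saved from url=(0014)about:internet -->\r\n" + PAGE,
    "late.htm": b"x" * 58 + b"<!--a1B2c3D4-->" + PAGE,   # comment crosses byte 64
}

if __name__ == "__main__":
    for name, token in flag_pages(SAMPLES).items():
        print(name, token.decode("ascii", "replace"))
```

A comment that starts inside the 64-byte window but closes after it is ignored, matching the parsing described in the diary, so `late.htm` is not flagged.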