A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #3400  by driverobject
 Wed Nov 10, 2010 11:45 am
All,

Would it be ok to send here an email about an issue that I have with IdaPro not completely reversing successfully a piece of malware (unpacked outside IdaPro)?

Thanks
 #3401  by EP_X0FF
 Wed Nov 10, 2010 11:52 am
Hello,

You can upload the malware/unpacked sample here in a password protected archive. I'm sure someone will take a look.

What is your IDA version?

Regards.
 #3403  by driverobject
 Wed Nov 10, 2010 12:20 pm
Thank you very much.

The IDA version is 4.9, the free version, but I also tried with the latest demo as well. File is attached with password
Code:
infected
The problem I have with IdaPro is that it only disassembles 4-5 funcs, locations. But the binary imports 140 functions from other libraries and is 100 KB in size. And I also know that it is detected as Zbot.

After its disassembly IDA shows dd <address>, <address>... and repeats this for the rest of the .text section.

Could I be missing an option in IDA to fully disassemble this malware?
Attachments
PWS!Zbot (99.03 KiB)
 #3404  by EP_X0FF
 Wed Nov 10, 2010 12:40 pm
You removed UPX and moved the file to IDA?

If so, you just removed the 1st layer of malware protection. IDA is displaying the encrypted code/data blocks as "dd".

The second layer actually is a cryptor (whatever) used to fool AV/hide malware data.

Take a look at 0x00380000 (trace to it from start, it's allocated at runtime) in a debugger and trace it down (hint: somewhere in 0x003801XX it will be unpacked).

Even without full binary unpacking I've found this data inside the bot:
e x p l o r e r . e x e r d p c l i p . e x e c t f m o n . e x e w s c n t f y . e x e t a s k e n g . e x e t a s k h o s t . e x e d w m . e x e
GetProcAddress LoadLibraryA n t d l l . d l l NtCreateThread NtCreateUserProcess NtQueryInformationProcess RtlUserThreadStart LdrLoadDll LdrGetDllHandle X-Tag/%08X S O F T W A R E \ M i c r o s o f t . d a t 0xE35E00DF # S e T c b P r i v i l e g e . e x e n s p r 4 . d l l PR_OpenTCPSocket PR_Close PR_Read PR_Write - HTTP/1.1 POST GET M Y . t x t PR_GetNameForIdentity PR_SetError PR_GetError PR_NewTCPSocket PR_Connect PR_Poll Host Referer Content-Type Content-Length http:// NSS layer https://
HTTP/1. Transfer-Encoding chunked Connection close Proxy-Connection
:// / Host: X-ZCID: %s Connection: Connection: close %x
/favicon.ico identity Accept-Encoding TE If-Modified-Since ђ! @mozilla.org/cookieService;1 PR_Malloc x p c o m . d l l NS_GetServiceManager . t m p http://www.google.com/webhp b c socks G l o b a l \ % 0 8 X % 0 8 X % 0 8 X ?xml=1 n u l l B o t I D : % s
D a t a : % s
k e r n e l 3 2 . d l l IsWow64Process " % s " " % s " % s userenv.dll CreateEnvironmentBlock DestroyEnvironmentBlock Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) Connection: close
urlmon.dll ObtainUserAgentString 0 : 0 S : ( M L ; ; N R N W N X ; ; ; L W ) S e S e c u r i t y P r i v i l e g e S : ( M L ; C I O I ; N R N W N X ; ; ; L W ) ?O ?I ?T c a b cabinet.dll FCICreate FCIAddFile FCIFlushCabinet FCIDestroy u n k n o w n I n s t a l l D a t e S O F T W A R E \ M i c r o s o f t \ W i n d o w s N T \ C u r r e n t V e r s i o n D i g i t a l P r o d u c t I d % s _ % 0 8 X % 0 8 X f a t a l _ e r r o r bcdfghklmnpqrstvwxz aeiouy G l o b a l \ L o c a l \ :d
del "%s"
if exist "%s" goto d b a t @echo off
%s
del /F "%s"
/ c " % s " C o m S p e c
Self-deletion bat file, x64 OS check, create-process routines for Windows Vista/7, workaround with the Mozilla API, etc.
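As an added illustration (not code from the thread or from either poster), a sliding-window entropy scan over a buffer of the kind described above: real code that IDA can disassemble scores low, while the cryptor-protected second layer that IDA can only show as dd scores close to 8 bits/byte. The window size, the 7.0 threshold and the sample bytes are assumptions constructed for this example.

```python
# Added example: flag the high-entropy runs in an unpacked .text section that
# IDA leaves as "dd" because they are still encrypted by a second-layer cryptor.
import hashlib
import math
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for 256 equally frequent values."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def find_high_entropy_regions(data: bytes, window: int = 256, threshold: float = 7.0):
    """Return [(start, end, max_entropy)] for runs of adjacent windows >= threshold.

    Assumed heuristic: x86 code typically scores ~5.5-6.5 bits/byte, packed or
    encrypted blobs approach 8.0, so 7.0 separates them on ordinary samples.
    """
    regions, current = [], None
    for off in range(0, len(data) - window + 1, window):  # skip a short tail
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            if current is None:
                current = [off, off + window, h]
            else:
                current[1], current[2] = off + window, max(current[2], h)
        elif current is not None:
            regions.append(tuple(current))
            current = None
    if current is not None:
        regions.append(tuple(current))
    return regions


def constructed_sample() -> bytes:
    """Constructed stand-in for a UPX-stripped .text: 1 KiB of repetitive
    code-like bytes (push ebp / mov ebp,esp / ... / ret, int3 padding) followed
    by 2 KiB of deterministic pseudo-random bytes standing in for the encrypted
    second layer. Not bytes from any real sample."""
    stub = bytes.fromhex("558bec83ec10") + b"\x90" * 10 + bytes.fromhex("8be55dc3") + b"\xcc" * 12
    code = (stub * (1024 // len(stub)))[:1024]
    blob, seed = b"", b"constructed-second-layer"
    while len(blob) < 2048:  # SHA-256 chain: deterministic but near-uniform bytes
        seed = hashlib.sha256(seed).digest()
        blob += seed
    return code + blob[:2048]


if __name__ == "__main__":
    for start, end, h in find_high_entropy_regions(constructed_sample()):
        print(f"likely encrypted block: 0x{start:X}-0x{end:X} (max entropy {h:.2f})")
```

Run the same scan over the bytes IDA marks as dd and over a region it disassembles cleanly; the encrypted block stands out, and after the cryptor has run it should drop back toward code-level entropy in a memory dump.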
 #3407  by driverobject
 Wed Nov 10, 2010 1:35 pm
Thanks Ring0.

If I were to execute this on an isolated machine and then get a full dump of it, would this dump have code that is completely decrypted?

Does this or similar malware completely decrypt on its target when it starts executing, or does it decrypt on the fly or something? I hope I'm asking the question clearly :oops:
 #3408  by EP_X0FF
 Wed Nov 10, 2010 1:44 pm
If you dump it you will just have a binary with cryptor-related parts, broken imports, etc. You need to read some articles about manual unpacking.
Does this or similar malware completely decrypt on its target when it starts executing, or does it decrypt on the fly or something?
Most malware decrypts itself at runtime and only in memory.