Skip to main content

Bitcoin Facebook Virus Complete Analysis

As discussed in previous post now we will employ traditional malware analysis technique in order to dissect this new virus. Figure 2 show LOL zip virus message. Initially we have following information about this malware:
·         This message is sent from victim’s computer without his knowledge to all his Facebook friends and
·         Victims also reported sluggish performance of system after the infection.

Fig. 2. Facebook Message containing Malware

We will safely download this file on our virtual controlled environment to carry the further analysis. After unzipping it we found a JAR (Java Archived File) in it.

Fig. 3. JAR file inside Zipped folder

 Using online available java decompiler we have converted the byte code (JAR file) to source code file.

Fig. 4. Decompiled Jar File
 Decompilation and comprehension of JAR File
Source of JAR file is obfuscated so it is needed to decompile such a file. We will use simple print instruction to find out the meaning of all the functions. After analyzing each function we have following information. These operations are performed by JAR file in order to download and install the actual malware.

·         Jar file creates a directory in C drive if not present, namely C:\\TEMP\\
·         Jar file created file name YQJHBJX.PWY as hidden alternate stream of TEMP folder.
·         Jar file then opened the http connection to location +string1="f6pb6ya5e5vc0q5/d.dat?dl=1@@@21urb4zg9n2on4s/d.dat?dl=1@@@8h46y6oodr4dxxf/d.dat?dl=1@@@8opd2hw50b974mx/d.dat?dl=1@@@tix3692duv4yts9/d.dat?dl=1"
·         "@@@" is splitter that means fg6oxlrzau4egd5/d.dat?dl=1 constitutes one link. Jar will be downloading something from one of these links. Jar file will try all the links in order to download the malicious DLL.
·         Jar file then downloads a file named d.dat. Then the jar file copies the content of d.dat (Main malicious file) to 081C854F.dat
·         final step is to run d.dat or  081C854F.dat. Lastly the Jar file installs the malicious file as a system level service using following command:
 regsvr32 /s C:\\temp: 081C854F.dat (/s stands for silent install.)
 Static Analysis
Next we will use strings  utility to dump out all the ASCII and UNICODE present in d.dat (DLL file) which we downloaded from the URL found above.

Fig. 5. Strings.exe Output

We found temp directory using strings utility inside the malicious DLL d.dat. This temp directory contains the Alternate Data Stream which is denoted by :rnd. So the Temp directory confirms the previous deduction.

If we go to TEMP and do "dir /r" then we can see the hidden alternate data stream. We the used tools like alternate data stream viewer to find out the contents of these alternate data streams.
Alternate data stream of TEMP folder contains 5 files as shown in figure 6

d.dat (DLL file)
Rnd.dat/List file

Fig. 6. NTFS Alternate Streams

If rnd.dat/list file is opened after extracting alternate data stream of TEMP folder then we will find profile id of all your Facebook friends separated by comma inside it:


These Facebook profile IDs are used by the virus to further replicate to other users via Facebook. This virus replicates itself from victim account to the accounts of people in victim’s profile.

If SRV file is opened then a link to a file containing a message from the creator of this virus is found inside it:
The message says virus aim is CPU mining.

In order to confirm that the virus actually performs CPU mining we will dig further.
DLL (d.dat) will runs from a hidden alternate data stream. So the malicious DLL is hidden on TEMP folder alternate data stream.

Fig. 7. Strings.exe Output
By carefully going through the strings we can conclude
·         Virus injects minerd mining utility in explorer.exe memory.
·         Virus is registered as a service in system using a DLL file stored in alternate data stream of C:/TEMP folder.
·         Attacker have used curl module to automate LOL zip message to Facebook friends of the victim.

Fig. 8. Minerd.exe Operation List

 Dynamic Analysis
We will now run the malware sample to confirm the deductions made above. Now will look at InetSim data to confirm the hypothesis made after doing static analysis:
InetSim log shows and confirms the web address that we find as ASCII string in Malicious DLL Figure 7 below show the site( and confirm that explorer.exe is injected with minerd utility code.

Fig. 9. Wafflepool Website 
Thus we can conclude form Figures 9 and 5 that explorer.exe has been injected with malicious code. Explorer does not take any command normally. Therefore the commands given to explorer in Figure 5 were able to run because of the injected minerd utility. The injection was done by LOL file in the main memory.

We concluded the following operations which are being performed by this malware sample.
·         Virus injects minerd mining utility in explorer.exe memory. This executable is used for mining of bitcoins. These BitCoins can directly be redeemed for money in digital world. BitCoins is a peer to peer internet payment system in with the bitcoins serve as internet money.
·         Virus is registered as a service in system using a DLL file stored in alternate data stream of C:/TEMP folder. This will ensure that the malware gets system privilege and runs automatically every time victim logs on in facebook.
·         Attacker have used curl module to automate LOL zip message to Facebook friends of the victim. This ensures that as soon as a victim opens the LOL jar file, all the Facebook friends of the victim receive a copy of LOL zip file as well.

This confirms that aim of attacker is to earn BITCOINS by CPU mining which also fits with our initial information i.e. degraded CPU performance in victim’s machine.
Both the static and dynamic analysis techniques were able to uncover the details of the malware sample. Both the methods were used in conjugation with each other to confirm the findings.


Popular posts from this blog

Hacking Windows 10 UWP App: DLL Injection & common Vulnerabilities

I recently started working on  widows 10 Apps( Apps not Applications) security. Before diving deep in hacking terms lets try to understand what's new in Windows 10 UWP( Universal Platform) as compared to old Apps. Lets begin with how apps actually work on windows 10(desktop/tablet). Now windows 10 comes with a container only for running apps inside the isolated environment. By default, /APPCONTAINER(Linker Flag) is off. This option modifies an executable to indicate whether the app must be run in the appcontainer process-isolation environment. Specify /APPCONTAINER for an app that must run in the appcontainer environment—for example, a Windows Store app. (The option is set automatically in Visual Studio when you create a Windows Store app from a template.) For a desktop app, specify /APPCONTAINER:NO or just omit the option. The /APPCONTAINER option was introduced in Windows 8. Now there is no registry entry concept for these app in the System HIVE rather they install they own hiv

Installing vmware-11.0 on Ubuntu 15.04 Using kernel Patch

curl -o /tmp/vmnet-3.19.patch cd /usr/lib/vmware/modules/source tar -xf vmnet.tar patch -p0 -i /tmp/vmnet-3.19.patch tar -cf vmnet.tar vmnet-only rm -r *-only vmware-modconfig --console --install-all References:

SSI Injection Attack

SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields. It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:  Code: < ! # = / . " - > and [a-zA-Z0-9] Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that th