Where to start in Reverse Engineering?

•January 20, 2011 • 3 Comments

Well given the recent take down of reverse-engineering.net for unknown reasons I’ve decided to mirror some content here. I’ve formatted out some of the bits like user posts identities and cleaned up some formatting. Other than that I have NOT link checked so not sure what are good/bad links here. Hope you find it useful and woodmann.com will probably mirror the entire archive before to long.

****START PASTIE******

What do I learn first?

—>>path 1:

1 ) visit http://video.reverse-engineering.net/ to view some reversing videos that train you in the RCE basis.
2 ) check http://www.crackmes.de to find some visual solution submitted for crackmes.
3 ) Try to repeat the shown steps, and reproduce them with other crackmes. This will bring you quickly to practice.
4 ) Learn ‘on-demand’ what you need to know over the time by using linked resources about languages, apis, forum etc. you can find in this section.

—>> path 2:

1 ) read http://www.cplusplus.com/doc/tutorial/ up to “Compound Data Types:” included
2 ) read http://www.winprog.org/tutorial/ up to “Graphics Device Interface” included (use the Win32 help file -below- to understand Win32 functions better)
3 ) Now you know the Win32 basis, select an Assembler Ebook/tutorial and start learning a bit of assembler -the more, the better.
4 ) Take Olly -below-, go to http://www.crackmes.de and select some crackme level 1
5 ) read the solution of 2-4 solved crackmes of level 1!!
6 ) select a solved crackme lvl1 and try to solve it. If you have problems, read the solution and TRY TO DO the steps of the solver.
7 ) goto 6 until you solve lvl1 crackmes very easily
8 ) Increase level difficulty by 1, goto 5!

1. Full Newbie Tutorials
2. Challenges and Tutorials at *any* level
3. Tutorials, Papers, Documentation, Books (all Free)
4. Learning Programming Languages (ASM etc.)
5. Debuggers/Disassemblers
6. Tools of Our Trade
7. Linux Related
8. Suggested Books (not free)
9. Advanced Reversing Papers/Material
10. Hacking over the Net…
————————

1. Full Tutorials
————————

Course for Newbies
http://www.freewebs.com/fdemunck/newbieproject1.rar
Very Assembler Basis, SICE Usage, Basic Techniques. A very good set of tutorials from LoRd HrUn. Also explains what is the ‘stuff’ you see when you open a debugger for the first time… (link is missing for now, to be restored)

Lessons for Newbies
http://evilteach.8k.com/ : a collection of 4 lessons with material that explain you what mean the things you see when you start reversing a program.

2. Challenges and Tutorials at *any* level:
————————

Challenges for Crackers, at any Level
http://crackmes.de/ ; you can find many legal crackmes(=stuff you can legally crack) here to test your skills 🙂
Being sorted by difficult grade -most of them offers one or more TUTORIAL for their solution-, it is also the biggest tutorial collection available today.

3. Tutorials, Papers, Documentation, Books (Free)
————————

(note: material for learning languages is in the appropriate section!)

Win32 API Help File
http://www.borland.com/devsupport/borlandcpp/patches/BC52HLP1.ZIP ; here you can download the Win32 help file for the external link with Olly.
Do not even THINK to do without this. API reference is essential, so take it if you haven’t it yet.

Win32 Basis
http://www.winprog.org/tutorial/index.html ; here you learn the true basis of Win32 API programming, in C. Just read it ALL. The more you know about Windows, the better you understand what’s happen when reversing code.

Introduction to Cryptography (full free ebook)
http://www.cacr.math.uwaterloo.ca/hac/ The “Handbook of Applied Cryptography”, a cool free e-book on cryptography. Excellent as a quick reference.

Introduction to Cryptography (full course)
http://www.cs.washington.edu/education/courses/csep590/06wi/ ; a whole course that introduces to cryptography and ciphers, with all the materials and assignments online!! A very good starting point for cryptos.

Introduction to Cryptography (Tutorials)
http://www.antilles.k12.vi.us/math/cryptotut/home.htm ; a set of easy tutorials on ciphers. Highly recommended.

Cryptography Tutorials (ECC)
http://www.certicom.com/index.php?actio … cc_tut_1_0 ; a very nice link on Elliptic Curve -worth to read about.

Inject code, General Reversing Introduction Tutorial/Document
http://www.codeproject.com/useritems/inject2exe.asp ; this article contains clean references to the basic tools (ResHacker, Debuggers, Disassemblers) and exaplian also how to inject code into an executable.

SEH Paper/Tutorial/Document
http://www.jorgon.freeserve.co.uk/Except/Except.htm ; a paper that tells you what you need to know on SEH and Trap Flag tricks

PE Format, AntiDebug, AntiDump, Iczelion Assembler Tutorials/Papers/Documents
http://www.migeel.sk/anticrack/showpage.php?page=downloads ;This page contains few zipped papers that can be useful.

Art of Disassembly E-BOOK
http://aod.reverse-engineering.net/

Article on PE Header at Code-Breakers Journal (CBJ)
http://www.secure-software-engineering.com/index.php?option=com_content&task=view&id=60 ; contains a very detailed and easy explanation of all the PE sections (IAT -Import Address Table, EAT -Export Address Table, Sections, Directories, Resources etc.) how alter them and what they are. From beginners to experts.

PE Header Reference
this text contains a description of the PE Header which is good to keep as a quick reference. For learning the PE header structure and fields, I suggest the above CBJ article.
http://webster.cs.ucr.edu/Page_TechDocs/pe.txt

Quick Assembler Reference
a quick reference to pentium ASM instructions. Just click the initial letter, and select the ASM mnemonic. Very handy (especially if you download the whole site into your HD 😉 )
http://faydoc.tripod.com/cpu/index_v.htm

Quick Guide to Network Programming
a quick tutorial for learning the basis of network programming, without spending too much time.
http://beej.us/guide/bgnet/output/htmlsingle/bgnet.html

Adding Sections to PE, RVAs and Import table, loaders/patcher code
http://www.sunshine2k.de/Articles.htm ; this site contains some small, very basic articles on PE, Import table, Basic DLL Injection and loader’s coding.

4. Learning Languages (ASM etc.):
————————

Learning Assembler Language E-BOOK (A)
hxxp://webster.cs.ucr.edu/ ; the HLA Assembler home page. An excellent, free EBOOK for learning Assembler, “The Art of Assembly Language”, with HLA compiler and many tools. The site has a Linux section.

Learning Assembler Language E-BOOK (B)
http://www.drpaulcarter.com/pcasm/ ; this site contains an *excellent* free EBOOK that teaches Assembler language from scratch. Translated in various languages. Pretty good. If you are not interested in HLA, this is a valid alternative.

Learning Assembler Language E-BOOK (C)
http://savannah.nongnu.org/projects/pgubook/ ; a good free ebook that teaches Assembler from scratch, explaining even what a “word” is. “Small” drawback: AT&T Assembler syntax 😯 .

Learning C++ Language
http://www.cplusplus.com/doc/tutorial/ ; this tutorial gives you the basis of C++ language, for starting coding your keygen’s, and helping you reversing C++ stuff.

Rapid Application Development with MASM/HLA
hxxp://www.radasm.com/ ; a R.A.D. IDE for the MASM/HLA assembler (and the links to masm32 Compiler and related stuff). Note: the Masm32 compiler contains the famous Iczelion’s tutorials on Assembler language in the “X:\masm32\icztutes” folder.

Freeware C++/Pascal
http://www.bloodshed.net/ ; If you need a free compiler for writing your keygens, you can find there a C++ or a Pascal one. The C++ core is the GNUCPP.

Freeware Borland C++ 5.5
hxxp://www.winprog.org/tutorial/bcpp.html ; this page gives all the needed links to download BC++5, with a bit of explanation.

12 lessons on Assembler and RosASM
http://rosasm.org ; RosASM Assembler contains 12 lessons on basic assembly, written with a “generic syntax” so that the beginner could, later, switch, with as few problems as possible, to the Assembler he will finally choose.

5. Debuggers/Disassemblers:
————————
(note: Ring0 means you can use it for debugging Kernel Drivers, and generally it is tougher to use than Ring3 debuggers)

OLLY
http://ollydbg.de/ ; the home of the most used Ring-3 Debugger, OllyDebug. A must have.
(ps: you can find a link to the Win32 help file below)

SYSER
http://www.sysersoft.com/ ; Syser is an excellent, visual Ring0 (and Ring3) debugger. It is not yet very stable but, if it works for you, it’s very cool.

WinDBG
http://www.Micro$oft.com/whdc/devtools/debugging/default.mspx
Home of WinDBG debugger (Ring0 too). Seen the site, I don’t think I need to add much more…

IDA
http://www.datarescue.com/ ; IDA home. IDA is an Interactive DeAssember, used to perform a static analisys of the assembler code.
(IDA 4.3 free: http://www.downloadjunction.com/product/software/69070/)

PVDASM
http://pvdasm.reverse-engineering.net/ ; PVDasm is a very interesting Disassembler project, made by Ben and supported in this Board. It also allows you to export code directly MASM syntax format.

OLLY Plugins
http://woodmann.net/ollystuph/index.php ; The “Stuph” page contains many useful OllyDebug Plugins.

Shadow’s OLLY
hxxp://navig8.to/Shadow/ ; a modded Olly… a charged bazooka 😈 …usage: when needed.

6. Tools of Our Trade:
————————

FILEMON, REGMON
hxxp://www.sysinternals.com/FileAndDiskUtilities.html This is the home of the Marc guru and of our first, must-have TOTs. A very interesting site to visit, from time to time. And a source of useful tools.

LordPE
hxxp://www.softpedia.com/get/Programming/File-Editors/LordPE.shtml This tool enables you to explore and alter PE Header. You can modify/add sections, directories, IAT, and more. It is also a Dumper Server, in case you need.

7. Linux Related:
————————
Well, the HLA home site listed above, for Assembly on Linux.

ASSEMBLER E-BOOK
http://savannah.nongnu.org/projects/pgubook/ ; a good free ebook that teaches Assembler from scratch, explaining even what a “word” is. “Small” drawback: AT&T Assembler syntax 😯 .

NASM Assembler
hxxp://nasm.sourceforge.net/ ; a free assembler for Linux. On SourceForge, so you can work TO it, if you wish.

GNU Debugger
hxxp://www.gnu.org/software/gdb/gdb.html/ ; the GNU project debugger. It can run on both Linux&Windows, and support remote debugging.

8. Suggested Books (not free)
————————

Reversing: Secrets of Reverse Engineering
http://www.amazon.com/gp/product/0764574817/sr=1-1/qid=1138097867/ref=pd_bbs_1/002-6173215-8598445?%5Fencoding=UTF8 ; a good book for learning the basis of reversing engineering. Probably one of the best to start with. Worth its money.

Rootkits : Subverting the Windows Kernel
http://www.amazon.com/gp/offer-listing/0321294319/ref=dp_olp_2/002-6173215-8598445?%5Fencoding=UTF8 ; an ADVANCED book, not a reading for a newbie -at all. Consider it when you wish to go a true ‘step ahead’ in reversing. Many techniques you otherwise learn ‘the hard way’ (sigh!) are clearly explained and shown there, a must-have. Worth its money.

9. Advanced Reversing Papers/Material
————————

Reversing an Application -Analysis Example
http://www.honeynet.org/scans/scan33/nico/ ; an excellent discussion on reversing and anti-reversing techniques, from PE header to anti-debugging and virtual machines.

Disassembler and other tools
hxxp://www.cybertech.net/~sh0ksh0k/projects/ ; a set of utilities that covers DLL injection on live/suspended, tracer, c parser (why not using yacc?) port redirector etc.

PE Import Table structure and Redirection
hxxp://www.codeproject.com/useritems/inject2it.asp ; this article contains images and explanation of what the Import Table is, and how it can be redirected.

10. Hacking over the Net…
————————

Introduction to Hacking
hxxp://www.pulltheplug.org/wargames/vortex/ ; a wargame made for newbies to teach (anti-)hacking and C programming. Will teach you how manage basic exploitation techniques (and yes, tells you what an exploit is).

————————
Also, I suggest to google for the “programmers tools”, the org one 🙂
Last edited by Maximus on 07-26-2007 08:29 AM, edited 65 times in total.

Import Table Rebuilding
————————
hxxp://www.yates2k.net/rebuild.txt
hxxp://sandsprite.com/CodeStuff/Underst … ports.html

Code Injection
—————-
hxxp://biw.rult.at/tuts/dlladdfunc.htm
hxxp://www.woodmann.com/fravia/lazcalc.htm

http://www.freewebs.com/fdemunck/newbieproject1.rar

Online x86 Disassembler
———————————-
PVPHP – Online Disassembler – PVPHP Is the First ever seen x86 Online
Disassembler, which is capable of disassembling a PE based executable files.

I think the official vendor manual can be a good source of information too. Especially the volumes on system programming.
IA-32 Intel® Architecture Software Developer’s Manuals
AMD64 Architecture Tech Docs

ARM Documentation
AVR Documentation
SH4/5 SuperH Documentation

Article on PE Header at Code-Breakers Journal (CBJ)
contains a very detailed and easy explanation of all the PE sections (IAT -Import Address Table, EAT -Export Address Table, Sections, Directories, Resources etc.) how alter them and what they are. From beginners to experts.
http://www.codebreakers-journal.com/viewarticle.php?id=74&layout=abstract ;

Network Programming using win32asm
http://www.madwizard.org/programming/tutorials/netasm/

This is a basic website for hacking, starting with the basic
http://www.hackthissite.org/

http://www.scientific-hacking.com

*Use google here to find file repositories. If you can’t figure that out find a new hobby/profession.

ReWrit’s AIO Cracking CD.part1 ******* (48,8 mb)
ReWrit’s AIO Cracking CD.part2 ******* (48,8 mb)
ReWrit’s AIO Cracking CD.part3 ******* (5 mb)

Tool List:

few crackmes (from http://www.crackmes.de)
BVReFormer
Net Reflector
CrypTool
OllyDbg 1.10 & Plugins
W32Dasm 8.93 – Patched
PEiD 0.93 + Plugins
RDG Packer Detector v0.5.6 Beta – English
ImpRec 1.6 – Fixed by MaRKuS_TH-DJM/SnD
Revirgin 1.5 – Fixed
LordPE De Luxe B
FSG 2.0
MEW 11 1.2 SE
UPX 1.25 & GUI
SLVc0deProtector 0.61
ARM Protector v0.3
WinUpack v0.31 Beta
dUP 2
CodeFusion 3.0
Universal Patcher Pro v2.0
Universal Patcher v1.7
Universal Loader Creator v1.2
aPatch v1.07
PMaker v1.2.0.0
Tola’s Patch Engine v2.03b
ABEL Loader v2.31
Yoda’s Process Patcher
Registry Patch Creator
ScAEvoLa’s PatchEngine v1.33
Dogbert’s Genuine Patching Engine v1.41
Graphical-PatchMaker v1.4
The aPE v0.0.7 BETA
Liquid2
PELG v0.3
PrincessSandy v1.0
Biew v5.6.2
Hiew v7.10
WinHex v12.5
DeDe 3.50.04
VB ’Decompiler’ Lite v0.4
Flasm
ACProtect – ACStripper
ASPack – ASPackDie
ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2
DBPE > UnDBPE
FSG 1.33 > Pumqara’s Dumper
FSG 2.00 > UnFSG
MEW > UnMEW
PeCompact 1.x > UnPecomp
PEncrypt > UnPEncrypt
PeSpin 0.3 > DeSpinner 0.3
tELock 0.98-1.0 > UntELock
EXEStealth > UnStealth
Xtreme-Protector / Themida > XprotStripper v1.1
Morphine Killer 1.1 by SuperCracker/SND
ASPR Dumper v0.1
Armadillo Process Detach v1.1
Armadillo Dumper v1.0
Armadillo Nanomite Fixer
Armadillo Distance Decryptor aka Jump Table Fixer
ArmTools (Translated!)
ArmInline v0.1
Quick Unpack v1.0b3
Procdump v1.6.2
TMG Ripper Studio 0.02
FileMon v7 (Patched)
RegMon v7 (Patched)
RSATool 2
DAMN HashCalc
EVACleaner 2.7
Process Explorer
Resource Hacker
PUPE 2002
PointH Locator
ASPR CRC Locator 1.2
PE Tools 1.5 RC5
API Address Finder
Jump to Hex Convertor
PE GeNeRaToR 1.2.1
Quick File Viewer v1.0.1
PE Insight 0.3b
Crypto Searcher
PE Editor v1.7
bkslash’s Inline Patcher
Stud_PE v2.1
Injecta v0.2
PE Rebuilder v0.96b
PE Optimizer v1.4
ToPo v1.2
NFO Builder 2000 v1.02
NFO File Maker v1.6
TMG NFOmakeR v1.0
hCalc

http://www.woodmann.com/collaborative/tools/index.php/OllyDbg_(Shadow_Modification)

http://www.orkspace.net/secdocs/ and spend some time there.

Tedroo Spambot Analysis

•January 10, 2011 • 2 Comments

 

This is a tutorial analyzing the Tedroo spam bot. The MD5 for the binary is 37d0738dec3c65e416aec49e36db81b4. I’ve taken the binaries off the blog but send me an email ( brad _at_ reverseco (d0t) de ) if you’d like the binaries and want to dive in yourself. Thanks Greg Newman for providing this piece of malware. I’m going to try to keep this brief as possible and hit on only the high points of what this program does. It’s a spam worm that has been picked up/identified by some of the popular AV engines via VirusTotal.  This is the total from the packed exe.

Crazy enough the VirusTotal for the dumped binary has LESS of a detection prominence in the Anti-Virus community.  Not sure why that is?!?

As you can see this thing goes by a few different names. Well we can fire up IDA and load up the dump that was garnered from the original executable here.  The packer isn’t identified with PEid but it was easy enough to find the OEP and use Ollydump to make a valid file.

After some static/dynamic analysis the dropper does a few things. The dropper specifies the download server to connect out to as well as a decryption routine to decrypt the api’s that are included in the binary. The algorithm for the encrypted api’s is pretty easy to reverse and it’s pseudocode is [encrypted_address+counter] XOR [0x54 + counter]. Here is a sample of one of the routines. Later on it hides the calling conventions to these API’s to make static analysis more difficult.

.text:00403728
.text:00403728 decrypt_api_ntohs:
; CODE XREF: start+224j
.text:00403728 mov dl, al
.text:0040372A add dl,
54h
.text:0040372D xor byte_405590[eax], dl
.text:00403733 inc eax
.text:00403734 cmp eax,
6
.text:00403737 jb short decrypt_api_ntohs
.text:00403739 xor eax, eax

This routine will decrypt the strings for the API’s that it wishes to load. It utilizes these later by pushing the decrypted api string onto the stack then calling GetProcAddress to let the program know where it’s located in memory for future reference.

.text:00403945 push offset byte_40555C ; lpProcName
.text:0040394A push dword_4059A0 ; hModule
.text:00403950 mov dword_405988, eax
.text:00403955 call esi ;
GetProcAddress

After decrypting and loading libraries that will be utilized the dropper tries to throw us off the trail by calling the Sleep API for 10 minutes.  Feel free to modify this to 0 or go grab a cup of coffee!

.text:00403A85 push 927C0h ; dwMilliseconds
.text:00403A8A call esi ; Sleep ; wait 10 minutes

Next up drop file routine is called and it copies itself to userini.exe in the system32 directory. This is an exact copy of the dump file that is included in the archive above.  Two threads are then created that do the spam list requesting and other things that we’ll explore now.

.text:00403A91 push edi
.text:00403A92 push edi
.text:00403A93 push edi
.text:00403A94 push offset
Thread1
.text:00403A99 push edi
.text:00403A9A push edi
.text:00403A9B call
CreateThread ; createthread
.text:00403AA1 push edi
.text:00403AA2 push edi
.text:00403AA3 push edi
.text:00403AA4 push offset
Thread2
.text:00403AA9 push edi
.text:00403AAA push edi
.text:00403AAB mov dword_405964, eax
; result from CreateThread
.text:00403AB0 call CreateThread
.text:00403AB6 mov dword_4059DC, eax ; Result from CreateThread

One thread is relegated to making sure our registry keys are made to startup and the other thread gets some encrypted xml from the spam server.  Most notable registry locations that have been plucked from the subroutine @ 401CB4 are….

Software\Microsoft\Windows\CurrentVersion\run
Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Explorer

There are additional registry strings that are in the file but are not currently used. The others attempt to modify firewall settings to make sure the malware has an open line to the internet. The next step is to report to the spam server and do it’s bidding. The second thread in the program forms a http GET request that has a similar structure to this url http://%5BSPAM_SERVER_IP%5D/source/zxhttr.php?id=%5BWINDOWS_REGID%5D&tick=%5BUPTIME_DATA%5D&ver=%5BWSOCKVER%5D&smtp=ok&task=3″.  Once the response is read into the buffer this is our encrypted xml string that contains who to spam, what to spam them with. This information can change and it looks like the program has a capability to update itself if the botmasters decide to serve up something else. Here is the routine where the string is formatted before it hits the wire.

.text:0040321B
.text:0040321B
Format_String_Wire: ; “202”
.text:0040321B push offset a202
.text:00403220 call
atoi
.text:00403225 pop ecx
.text:00403226 push dword_405A0C
.text:0040322C push offset aOk ; “ok”
.text:00403231 push eax
.text:00403232 call dword_405694
.text:00403238 mov ebx, ds:
sprintf
.text:0040323E push eax
.text:0040323F push offset Dest
.text:00403244 push offset aSourceZxhttr_p ; “/source/zxhttr.php”
.text:00403249 lea eax, [ebp+
Dest]
.text:0040324F push offset aS?idSTickDVerD ; “%s?id=%s&tick=%d&ver=%d&smtp=%s&task=%d”…
.text:00403254 push eax
; Dest
.text:00403255 call ebx ; sprintf

Now if you notice there’s a few variables that get passed back to the spam server. ID is our unique windows id from the regkey “id” @ HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer. Tick is derived from GetTickCount API which reports back how long it’s been since we’ve booted up so this returns uptime data to the spammers. Version is hardcoded in the program but appears to request version 2.02 of windows sockets. Task is an internal notation to the spam server to flag “3” as sending out spam activity.

*If you also notice this particular server is running Server: nginx/0.6.32.  This was fished out of the http response.  Notice there are numerous exploits for this server and how it was probably compromised into a spam press!  Use the following search string to track some down (nginx + “security advisory” + “0.6.32”).  Of course you can modify this to find POC’s or whatnot .

Next we’re going to dive into the decryption routine for the http response as well as utilize some code to do this for us.

.text:00401874
.text:00401874 Decrypt_HTTP_Stream:
; CODE XREF: sub_40184E+5Fj
.text:00401874 push [ebp+var_8]
.text:00401877 lea eax, [ebp+
var_1]
.text:0040187A call sub_401223
.text:0040187F mov al, byte ptr Dest[edi]
.text:00401885 add al,
20h
.text:00401887 xor al, [ebp+var_1]
.text:0040188A inc edi
.text:0040188B mov [esi+ebx], al
.text:0040188E mov eax, offset Dest
.text:00401893 lea ecx, [eax+
1]

I’m going to use python here btw.  Python to construct the http responses as it’s very quick/easy to utilize urllib2 to construct this data and save it.  Here is the source. The decryption algorithm works like this. The original stream thats taken take the 2 bytes and produce a hex representation of them. “68” would be 0x68. Take this and XOR this with the ID from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\id + 0x20. So if the first character from your id is “4” it’d be 0x34 + 0x20 = 0x54. 0x54 XOR 0x68 gives us 0x3C which is “<” or the first character of an xml formatted tag.  Here is an example of a decrypted portion from the server.

<config>
</config>
<info>
taskid=3
realip=MY_IP_HERE
hostname=MY_HOSTNAME_HERE
style=0
</info>
<emails>
email123@spamme.com
email12390@email.com
</emails>
</info>

This is how the response looks after decryption and directs the program flow throughout the bot. The python script should clear up any questions you may have. This could change as the botmasters could serve up a different program. The flags to look for those routines are run and update. I’m thinking about coding up a php emulator to do just this for analysis or if anyone wants to volunteer that for additional study it’d be great 🙂

After our stream is processed in the program begins formatting email messages to send out over the wire. Processing occurs like this.

.text:00401E1C
.text:00401E1C push ebp
.text:00401E1D mov ebp, esp
.text:00401E1F sub esp,
258h
.text:00401E25 push ebx
.text:00401E26 push esi
.text:00401E27 push edi
.text:00401E28 mov esi, offset aHostname ; “hostname=”
.text:00401E2D lea edi, [ebp+
var_48]
.text:00401E30 movsd
.text:00401E31 movsd
.text:00401E32 movsw
.text:00401E34 mov esi, offset aStyle ; “style=”
.text:00401E39 lea edi, [ebp+
var_30]
.text:00401E3C movsd
.text:00401E3D movsw
.text:00401E3F movsb
.text:00401E40 mov eax, ds:dword_4042C8
.text:00401E45 mov esi, offset aEmails ; “<emails>”
.text:00401E4A lea edi, [ebp+
var_3C]
.text:00401E4D movsd
.text:00401E4E movsd
.text:00401E4F movsb
.text:00401E50 mov esi, offset aInfo ; “<info>”
.text:00401E55 lea edi, [ebp+
SubStr]
.text:00401E58 movsd
.text:00401E59 movsw
.text:00401E5B movsb
.text:00401E5C mov esi, offset aText ; “<text>”
.text:00401E61 lea edi, [ebp+
var_1C]
.text:00401E64 mov [ebp+
var_28], eax
.text:00401E67 mov eax, ds:dword_4042CC

Most notably these functions calls are around 402bd4 and it Create’s a seperate thread for each email message being sent. The email send routine is @ 4022BE. This basically queries the DNS of the spamee’s domain to see what mail server it resolves too.

<span style="color:#c0c0c0">.text:004022BE ; —————————————————————————
.text:004022BE
.text:004022BE Email_Send: ; CODE XREF: sub_402263+4Fj
.text:004022BE push esi ; Size
.text:004022BF push ebx ; Val
.text:004022C0 push ebp ; Dst
.text:004022C1 call memset
.text:004022C6 add esp, 0Ch
.text:004022C9 push ebx
.text:004022CA lea eax, [esp+
1Ch+var_4]
.text:004022CE push eax
.text:004022CF push ebx
.text:004022D0 push ebx
.text:004022D1 push
0Fh
.text:004022D3 push [esp+2Ch+Email_Domain]
.text:004022D7 call
dnsapi_DnsQueryA
.text:004022DD test eax, eax
.text:004022DF jnz loc_402681
.text:004022E5 mov ecx, [esp+
18h+var_4]
.text:004022E9 call
Get_MailServer
.text:004022EE mov edi, eax ; return mailserver of said domain
.text:004022F0 cmp edi, ebx
.text:004022F2 jz loc_40265C
.text:004022F8 push edi
.text:004022F9 push offset aConnectingS___ ; "Connecting %s …\r\n"
.text:004022FE push ebp
; Dest
.text:004022FF call ds:sprintf

Then it builds the packet to send and sends out the mail request using to/from as the same person and it sends out some viagra spam to that mail domain. Here is the following html that it sends out.

..

Click here!

..

Please don’t follow the links as it could be later modified to have some form of drive by downloading

Most namely are update/run.  So it looks like this server could switch over and begin hosting more malicious binaries that may install a rootkit or a more advanced spambot!  I hope you enjoyed this tear-down and feel free to leave feedback in the comments section.

*PS Large cash donation and firstborn children can be sent to my email as I’m a hobbyist!

Hello world!

•January 10, 2011 • Leave a Comment

#include <iostream.h>

 

main()

{

printf(“Hello world?!?”);

return 0;

}