
Reverse Engineering Team Blog

03.18.05

The Bi-Weekly Monthly Annual not Regularly Published Virus Report

Posted in General Posts at 10:58 am by sna

I was asked yesterday to have a look at a computer (yes, I need to get this t-shirt, but only right after I get this mug) that was behaving oddly. In the process of “brooming and trimming” I ran across a number of adware/spyware samples and decided to take some of them with me for later analysis. The one specimen that fascinated me the most was a file just 2821 bytes in size. It is recognized as Trojan-Downloader.Win32.IstBar.gen by Kaspersky Lab, but there’s no description available for it.

The reason it caught my attention in the first place is its size. Over the last couple of years, viruses discovered in the wild have drifted towards VBS scripts written by 14-year-olds. So finding this file (YES THIS IS A VIRUS DO NOT BLINDLY RENAME AND EXECUTE IT) sure felt like a fresh breeze.

Upon closer examination it turns out that the header is far from standard, as it has been modified to span the smallest area possible. You could remove some of the data directory slots to make it even smaller, but I suspect older versions of Windows wouldn’t approve. The overall structure of the file is a complete mess, and there’s both code and data inside the header. If you look at the section headers you’ll see that the space reserved for a section name, 8 bytes, has been used to stuff functions into!

Moving on, the entry point is located near the end of the file, a mere 10 bytes from the end actually. Near the end of the file is also the import table. They share the space there, and the entry point points inside the first and only import descriptor. It points at the time/date stamp field, which holds a jump to code located inside the header (yes, again the header). This is all pretty neat considering what it does for the file size, but code in the header is a big no-no, as a virus scanner would generally pick up on it immediately. Another major abnormality related to the import table is the fact that there’s no terminating empty import descriptor. I expect a number of common tools to choke on this, because the PE specification states that “The Import Directory Table consists of an array of Import Directory Entries, one entry for each DLL the image references. The last directory entry is empty (filled with null values), which indicates the end of the directory table”. Microsoft’s dumpbin handles it reasonably well: at least it doesn’t crash or display random data.

As a side-note I can mention that earlier versions of HIEW fail to correctly disassemble the jump at the entry point. Without having investigated it I can only guess that this is because those versions of HIEW assume only sections are relevant jump targets. Luckily, it’s been corrected somewhere between version 6.85 and version 7.10.

The first section doesn’t exist on disk, but is expanded by the PE loader when the virus is mapped into memory. This way the virus doesn’t need to bother with memory allocation, which in turn shaves another couple of bytes off the total size. Code found in the header unpacks the real virus into the first section, then loads dependencies and resolves symbols. And all in less than 200 bytes… can you say efficiency?
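As an added illustration (not the blog author's code), the following Python parses the PE structures the post walks through and flags the same anomalies: an entry point inside the header or the import directory, a section with no bytes on disk, non-printable bytes in a section name, and an import descriptor array with no null terminator. It runs over a constructed PE32 image that mimics this layout, not the real specimen.

```python
import struct
# Added example, not the post's code: heuristics for the header tricks described above, PE32 layout assumed.

def parse_pe(data):
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                           # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    hdr_size = struct.unpack_from("<I", data, opt + 60)[0]  # SizeOfHeaders
    imports = struct.unpack_from("<II", data, opt + 104)    # data directory entry 1 (RVA, size)
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    return entry, hdr_size, imports, secs                   # sec = (name, vsize, va, rawsize, rawptr)

def rva_to_offset(rva, hdr_size, secs):
    for _, vsize, va, rawsize, rawptr in [(b"hdr", hdr_size, 0, hdr_size, 0)] + secs:  # headers map 1:1
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + rva - va if rva - va < rawsize else None
    return None

def anomalies(data):
    entry, hdr_size, (imp_rva, imp_size), secs = parse_pe(data)
    found = []
    if entry < hdr_size:
        found.append("entry point inside the PE header")
    if imp_rva <= entry < imp_rva + imp_size:
        found.append("entry point inside the import directory")
    for name, vsize, _, rawsize, _ in secs:
        if rawsize == 0 and vsize:
            found.append("section %r has no bytes on disk (loader-expanded)" % name)
        if any(b and not 0x20 <= b < 0x7F for b in name):
            found.append("non-printable bytes in section name %r" % name)
    off = rva_to_offset(imp_rva, hdr_size, secs)            # the array must end in an all-zero descriptor
    while off is not None and off + 20 <= len(data) and data[off:off + 20] != bytes(20):
        off += 20
    if off is None or off + 20 > len(data):
        found.append("import descriptor array not null-terminated")
    return found

def build_sample():  # constructed PE32, not the real specimen: two sections, one descriptor at file end
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", 0x20F0) + bytes(40)   # entry = TimeDateStamp
           + struct.pack("<I", 0x200) + bytes(40) + struct.pack("<II", 0x20EC, 20) + bytes(112))
    sec1 = struct.pack("<8sIIII", b"\x8b\xff\x55\x8b\xec\xc3\0\0", 0x1000, 0x1000, 0, 0) + bytes(16)
    sec2 = struct.pack("<8sIIII", b".idata", 0x100, 0x2000, 0x100, 0x200) + bytes(16)
    desc = struct.pack("<IIIII", 0x2000, 0x12345678, 0, 0x2010, 0x2020)
    return (dos + coff + opt + sec1 + sec2).ljust(0x200, b"\0") + bytes(0xEC) + desc
```

Calling `anomalies(build_sample())` reports four findings; appending a 20-byte null descriptor to the sample clears the termination finding only.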

Something tells me there were two or more people working on putting this file together. While the envelope is a sight for sore eyes, what follows it isn’t nearly as exciting. Standard CRT startup code can be observed interfacing with the dynamically loaded runtime library. Then, when it’s time for the good stuff, what do we find but a bunch of calls into MFC code. Basically, all the virus does is download a file and execute it. Knowing this, I’m not as impressed with its size as I was when I started writing this article. But the envelope almost made it worth the time…

4 Comments »

  1. Devine9 said,

    February 3, 2007 at 11:02 am

    During the first 24 hours in which the new Panda ActiveScan was operating, 84 percent of malware detected was spyware and the first 74 most detected malicious code were all spy programs. In fact, this type of application has even overtaken the Downloader.GK Trojan, which had topped the ranking for the last eight months.

    The data then shows that users’ PCs now contain more spyware than viruses.

    First place in the ranking is now held by ISTBar, present in almost 16 percent of the computers scanned. After this come other spy programs such as Dyfuca, Cydoor, New.Net, AltNet, BetterInet, or the veteran BargainBuddy, which are all intensely active around the globe.

  2. junior said,

    February 3, 2007 at 11:08 am

    Size-wise this virus is kind of impressive, but really, my “toy” generic scanner would pick this up. Executable header, entry point in a non-code section, residing at the end of file.
    No wonder there’s no description of it, it might be they don’t even know it’s in the wild, since I’m sure it gets picked up by even VERY old and outdated scanners :)

  3. sna said,

    February 3, 2007 at 11:08 am

    Junior, I agree with what you’re saying about all the tell-tale signs of a virus, but surprisingly enough, some antivirus scanners don’t flag the file as suspicious.

    In part, I think it’s fair to blame it on all the bazillion exe-packers out there. You need to set the bar somewhere and if you place it too high up it’ll result in too many false positives. Of course, what you need to do is keep signatures of exe-packers and unpack the file in a virtual machine to get at the real application. But I’m not sure they even considered the option back then.

    The scanner I used is “F-Prot Antivirus for Windows” version 3.11. It’s a couple of years old now (using Oct/2004 signatures) but the file came up as clean. The current version of F-Prot Antivirus no doubt contains immense improvements over the version I used and I’m not in any way trying to bring F-Prot or its creator FRISK down. However, I can see how someone not used to computers might buy an antivirus solution seeing it as a one time investment. That someone is going to be very very sorry one of these days.

  4. junior said,

    February 3, 2007 at 11:09 am

    Symantec antivirus screams when the entry point is in the last section, and decides it’s Bloodhound :)
    Most AV companies actually keep signatures of quite a lot of packers, and of a bunch of copy protections including SecuROM and Safedisc.
    Of course, since at this company we’re clever, we found a way around this without having to hassle the companies about adding us to their list ;)
