Windows Reverse Engineering
By: O'Reilly Media
    2004-07-27

    Table of Contents:
  • Windows Reverse Engineering
  • History of RCE, Reversing Tools
  • Basic IDA Configuration and Manipulation Steps
  • Debuggers
  • System Monitors
  • Unpackers
  • Personal Firewalls and Install Managers
  • Reverse Engineering Examples
  • Example 2: Reversing Malicious Code

    Windows Reverse Engineering - Example 2: Reversing Malicious Code


    (Page 9 of 9)

    One of the most important uses of RCE is the analysis of malicious code such as viruses and Trojans. In this example, we will reverse the notorious SubSeven Trojan by MobMan. By reverse engineering a Trojan, you can find its unique hex byte signature, its registry entries and so on, for use in antivirus signatures or for manual removal. In this case, however, we will reverse SubSeven in order to expose a hidden secret: as we will see, these days you can't even trust an honest Trojan writer.

    At the time of this writing, you can obtain the Trojan from http://www.subseven.ws or, when that site goes down (which it undoubtedly will), by a simple web search. Credit for this discovery goes to the Defiler, and portions are reprinted with permission from +Tsehp. For this exercise, you need SoftICE installed and running.

    You may choose from several versions of SubSeven, each of which will give you slightly different results. After installing the software, you configure the server portion using the accompanying EditServer program (Figure 2-17). In this exercise, we will use the localhost address for the server and configure it with port 666 and password “Peikari.”

    [Figure 2-17: configuring the server with EditServer]

    Make sure to use an uninstall manager when installing any malware so that you will be able to remove it manually later, and do this on an isolated test machine rather than on a system you care about. For this exercise, you must turn off your virus scanners, or you will be unable to work with the malware. Once the server is configured, launch the client. The disclaimer that appears (Figure 2-18) is quite ironic, as we will soon see.

    We point the client to localhost (127.0.0.1), as shown in Figure 2-19, and change the port from the default of 27374 to 666, the port we configured on the server.

    Next, use SoftICE's symbol loader to import the Winsock exports (wsock32.dll, or whichever Winsock DLL your operating system uses). Then load the SubSeven server itself in the symbol loader, and the Trojan will run. Once you click "connect" to reach localhost, the password dialog pops up. Enter a dummy password that is different from the real password (Peikari) we chose earlier.

    [Figure 2-18: the SubSeven client's disclaimer]

    [Figure 2-19: pointing the client at localhost]

    The server uses the WSOCK32!recv function to retrieve data sent from a socket:

    int recv(
        SOCKET s,
        char FAR* buf,
        int len,
        int flags
    );

    The second parameter (char FAR* buf) is the important one, as the received data will be stored in it. Before you continue to enter the password, hit Ctrl-D to break into SoftICE. Now set a breakpoint on the recv function, as follows:

    bpx recv do "d esp->8"

    At the breakpoint the return address is at esp, the socket handle at esp+4 and buf at esp+8, so esp->8 (SoftICE's notation for the dword stored at esp+8) is the buffer pointer, and the attached d command dumps that buffer each time the breakpoint hits.

    Enter Ctrl-D again, then click OK to send the password to the server. SoftICE will break on the bpx. Press F11 to return to recv's caller, by which point the buffer has been filled, and you will see your dummy password in SoftICE's data window along with its address in memory.

    Now set a bpr (a range breakpoint) on the password's address (e.g., bpr 405000 405010 RW, substituting the address the data window showed you). Run the program again, and this time SoftICE will break at location 004040dd. You will see the following code:

    0167:004040dd 8b0e      mov ecx,[esi]     ; 4 bytes of our password
    0167:004040df 8b1f      mov ebx,[edi]     ; 4 bytes of the string it is checked against
    0167:004040e1 39d9      cmp ecx,ebx       ; compare the two dwords
    0167:004040e3 7558      jnz 0040413d      ; mismatch: leave the loop
    0167:004040e5 4a        dec edx           ; one fewer dword left to compare
    0167:004040e6 7415      jz 004040fd       ; all dwords matched
    0167:004040e8 8b4e04    mov ecx,[esi+04]  ; next 4 bytes of our password
    0167:004040eb 8b5f04    mov ebx,[edi+04]  ; next 4 bytes of the other string
    0167:004040ee 39d9      cmp ecx,ebx       ; compare again

    The program breaks at 004040dd after we set the bpr on our dummy password, so the password must sit in the buffer that esi points to. The loop compares four bytes at a time: a dword of our password is loaded into ecx, a dword of some other string is loaded from the buffer at edi into ebx, and the two are compared; on a match edx is decremented and the next dword of each string is loaded.

    We have now found the cmp that compares our dummy password with the real one, right? Wrong! We have stumbled on to the fact that the author of SubSeven has put a backdoor in his backdoor! Type d edi to see the data contents of the edi register in SoftICE, and you will see the following:

    016F:012A3DD4 31 34 34 33 38 31 33 36-37 38 32 37 31 35 31 30 1443813678271510
    016F:012A3DE4 31 39 38 30 00 69 6F 00-28 00 00 00 22 00 00 00 1980.io.(..."...
    016F:012A3DF4 01 00 00 00 13 00 00 00-53 75 62 73 65 76 65 6E ........Subseven
    016F:012A3E04 5F 5F 5F 3C 20 70 69 63-6B 20 3E 00 10 3E 2A 01 ___< pick >..>*.
    016F:012A3E14 10 3E 2A 01 38 00 00 00-53 75 62 73 65 76 65 6E .>*.8...Subseven

    This number (14438136782715101980) is not the password we set. (As an aside, the eight bytes just before "Subseven___< pick >" in the dump, 01 00 00 00 13 00 00 00, read as a reference count of 1 followed by a length of 0x13 = 19, exactly the length of that string; that is the header layout Delphi uses for its long strings, and it tells you how the program's other strings will be laid out in memory.) We now disable all of the breakpoints (bd *) and run the program, this time entering the password 14438136782715101980. SubSeven responds with "connected."

    This exercise reveals that SubSeven’s author has secretly included a hardcoded master password for all of his Trojans! The Trojan itself has been Trojaned. You just can’t trust anyone these days.
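    As an added example (not code from the book, and not SubSeven's own code), the C program below models what the disassembly and the memory dump together show: a password compare that walks both strings four bytes at a time the way the loop at 004040dd does, a server-side check that accepts either the operator's configured password or the hardcoded master password, and a scan for the master password's byte string, which is the kind of signature the opening paragraph says reversing yields. The function names, the constructed sample image, the order of the two checks, the up-front length check and the handling of the last len % 4 bytes are all assumptions; only the dword loop itself comes from the listing above.

```c
/*
 * Added example, not code from the book or from SubSeven itself.
 * Models the dword-at-a-time compare loop at 004040dd, the accept-either-
 * password behaviour the exercise uncovered, and a signature scan for the
 * master password. Function names, the sample image, the check order, the
 * length check and the tail handling are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Recovered with "d edi" in the exercise above. */
#define MASTER_PASSWORD "14438136782715101980"

/* Mirrors the loop at 004040dd: esi -> candidate bytes, edi -> reference
 * bytes, edx = number of 4-byte groups left. cmp/jnz leaves on the first
 * differing dword; dec edx/jz leaves once every group has matched.
 * Returns 1 if the first 4*ndwords bytes are equal, else 0. */
static int dword_compare(const char *esi, const char *edi, size_t ndwords)
{
    while (ndwords != 0) {
        uint32_t ecx, ebx;
        memcpy(&ecx, esi, 4);          /* mov ecx,[esi] */
        memcpy(&ebx, edi, 4);          /* mov ebx,[edi] */
        if (ecx != ebx)                /* cmp ecx,ebx ; jnz -> mismatch */
            return 0;
        if (--ndwords == 0)            /* dec edx ; jz -> all matched */
            return 1;
        esi += 4;                      /* mov ecx,[esi+04] on the next pass */
        edi += 4;
    }
    return 1;                          /* nothing to compare: treat as equal */
}

/* Whole-string equality built on the loop. The listing shows only the
 * dword loop; the length check and the comparison of the last len % 4
 * bytes are assumptions about code outside the excerpt. */
static int passwords_equal(const char *candidate, const char *reference)
{
    size_t len = strlen(reference);
    size_t head = len & ~(size_t)3;    /* bytes covered by whole dwords */

    if (strlen(candidate) != len)
        return 0;
    if (!dword_compare(candidate, reference, len / 4))
        return 0;
    return memcmp(candidate + head, reference + head, len - head) == 0;
}

/* What the exercise found: the configured password is honoured, and so is
 * a password the operator never set. The order of the two checks is an
 * assumption. Returns 1 for "connected", 0 for a rejected password. */
static int server_accepts(const char *configured, const char *received)
{
    return passwords_equal(received, MASTER_PASSWORD) ||
           passwords_equal(received, configured);
}

/* Detection side: locate the master password's bytes in a file or memory
 * image. Returns the offset of the first hit, or -1 if absent. */
static long find_signature(const unsigned char *image, size_t image_len,
                           const char *sig)
{
    size_t sig_len = strlen(sig);
    for (size_t i = 0; i + sig_len <= image_len; i++)
        if (memcmp(image + i, sig, sig_len) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample image: bytes taken from the "d edi" dump, with eight
 * filler bytes in front so the hit is not at offset 0. */
static long master_offset_in_sample(void)
{
    static const unsigned char image[] =
        "\x10\x3e\x2a\x01\x38\x00\x00\x00"        /* 8 filler bytes       */
        "14438136782715101980\x00io\x00"         /* master password      */
        "\x28\x00\x00\x00\x22\x00\x00\x00"
        "\x01\x00\x00\x00\x13\x00\x00\x00"        /* refcount 1, len 0x13 */
        "Subseven___< pick >\x00";
    return find_signature(image, sizeof image - 1, MASTER_PASSWORD);
}

int main(void)
{
    printf("dummy password 'password' accepted: %d\n",
           server_accepts("Peikari", "password"));
    printf("configured password accepted:       %d\n",
           server_accepts("Peikari", "Peikari"));
    printf("master password accepted:           %d\n",
           server_accepts("Peikari", MASTER_PASSWORD));
    printf("master password found at offset:    %ld\n",
           master_offset_in_sample());
    return 0;
}
```

    Compile with any C99 compiler (e.g. cc -std=c99 -Wall backdoor.c). The dummy password is rejected, both "Peikari" and the master password are accepted, and the scan reports the master password at offset 8 in the sample image; the same find_signature call run over a dumped process image or the server executable is how you would turn the recovered string into a detection signature.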

    References

    The example crackmes from this chapter are at http://www.securitywarrior.com. Due to their controversial nature, some of the references in this book have volatile URLs. Whenever possible, we list the updated links at http://www.securitywarrior.com.

    • Windows Internet Security: Protecting Your Critical Data, by Seth Fogie and Cyrus Peikari. Prentice Hall, 2001.

    • “.NET Server Security: Architecture and Policy Vulnerabilities.” Paper presented at Defcon 10, August 2002.

    • “PE header Format.” Iczelion’s Win32 Assembly Homepage. (http://win32asm.cjb.net)

    • “Mankind comes into the Ice Age.” Mammon_’s Tales to his Grandson.

    • “An IDA Primer.” Mammon_’s Tales to Fravia’s Grandson.

    • SoftICE breakpoints. (http://www.anticrack.de)

    • “WoRKiNG WiTH UCF’s ProcDump32,” by Hades.

    • Win32 Assembly Tutorial. Copyright 2000 by Exagone. (http://exagone.cjb.net)

    • SubSeven official site. (http://www.subseven.ws)

    • “Reversing a Trojan: Part I,” by the Defiler. Published by +Tsehp.

    • Muad’dib’s Crackme, published by +Tsehp.

     
