All this work and no gain

Many attacks these days involve several stages, with the malicious functionality split across different files that are often downloaded from compromised web pages.

A crucial piece in a multi-stage attack is the downloader: a small Trojan whose only job is to fetch and execute the additional components. Downloaders are usually small files with basic download-and-execute functionality, and historically they have been quite easy to detect proactively because that functionality is obvious in the code. Recently, however, we have observed an increasing number of downloaders whose functionality is obfuscated.

The other day I came across a downloader (Troj/DwnLdr-GVU) that uses several layers of simple encryption and some anti-emulation techniques to hide its functionality from anti-virus software:

1. 13 chunks of 30 bytes and one chunk of 15 bytes of encrypted data (405 bytes in total) are decrypted into a buffer using simple xor decryption, with a separate key for each chunk.

Figure: Troj/DwnLdr-GVU disassembly

2. Control is transferred to the decrypted buffer.

3. Floating point instructions are used to calculate a value and save it to the stack (this may stop code emulators that do not implement the FPU).

4. Self-modifying code is used to decrypt a small piece of data revealing the next decryption loop.

5. The rest of the body is decrypted with a simple add loop and a static key. This reveals the URL of the additional component to be downloaded. Notably, the decrypted URL is not terminated with a NULL byte, so at this point it is not yet a usable string. Again, this may prevent some anti-virus software from extracting the decrypted string and detecting on the extracted URL.

6. The next stage of decryption follows, again a simple xor decryption loop.

7. The de-obfuscation finishes with a single xor instruction that changes the byte at the end of the URL to NULL. Only now is the URL a fully formed C string, which is what the Win32 API function used for downloading requires.

8. The path for the downloaded file is built on the stack and the required APIs are imported dynamically.

9. The additional component is downloaded and launched.
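To make the layering concrete, here is an added Python example that is not code from the Troj/DwnLdr-GVU sample or from Sophos. It models steps 1, 5, 6 and 7 as data transformations over a 405-byte buffer and shows what a scanner pulling a C string at the URL's offset would see after each step. Everything in it is constructed: the per-chunk keys, the static add and xor keys, the URL http://example.invalid/payload.exe, its offset in the buffer and the placeholder tail data. The anti-emulation steps (control transfer, FPU instructions, self-modifying code) move no data and are left out.

```python
"""Emulate the layered decryption described in steps 1-7.

Added worked example, not code from the Troj/DwnLdr-GVU sample or from Sophos.
It models the data transformations only: xor per chunk (step 1), add with a
static key (step 5), xor with a static key (step 6) and the final single-byte
xor that NULL-terminates the URL (step 7). All keys, offsets, the URL and the
buffer layout are constructed for illustration.
"""

CHUNK_SIZES = [30] * 13 + [15]          # 13 chunks of 30 bytes plus one of 15 (405 bytes)
CHUNK_KEYS = [0x41, 0x7B, 0x13, 0xC8, 0x55, 0xE2, 0x09, 0x6F,
              0xA4, 0x3D, 0x91, 0x2C, 0xF7, 0x1E]   # hypothetical one-byte key per chunk
ADD_KEY = 0x2B                           # hypothetical static key for the add loop (step 5)
XOR_KEY = 0x9D                           # hypothetical static key for the xor loop (step 6)

# Constructed layout of the 405-byte plaintext buffer.
URL = b"http://example.invalid/payload.exe"        # hypothetical download URL
URL_OFF = 100                                      # hypothetical offset of the URL
TERM_OFF = URL_OFF + len(URL)                      # the byte right after the URL
TERM_BYTE = 0x23                                   # '#': printable junk that step 7 xors into NULL
TAIL = b"stage-6 data: API names and download path"  # constructed placeholder for later data
TAIL_OFF = TERM_OFF + 1
TOTAL = sum(CHUNK_SIZES)


def xor_chunks(buf, keys, sizes):
    """Step 1: xor each chunk with its own key (xor is its own inverse)."""
    out = bytearray(buf)
    pos = 0
    for key, size in zip(keys, sizes):
        for i in range(pos, pos + size):
            out[i] ^= key
        pos += size
    return bytes(out)


def add_region(buf, start, end, key):
    """Step 5: 'add' decryption of one region with a static key, modulo 256."""
    out = bytearray(buf)
    for i in range(start, end):
        out[i] = (out[i] + key) & 0xFF
    return bytes(out)


def xor_region(buf, start, end, key):
    """Step 6: xor decryption of one region with a static key."""
    out = bytearray(buf)
    for i in range(start, end):
        out[i] ^= key
    return bytes(out)


def c_string_at(buf, off):
    """What a scanner extracting a C string at `off` gets: bytes up to the first NULL."""
    end = buf.find(b"\x00", off)
    return buf[off:] if end < 0 else buf[off:end]


def build_sample():
    """Construct an encrypted blob by applying the inverse of each layer, innermost first."""
    plain = bytearray(TOTAL)                      # zero padding everywhere else
    plain[URL_OFF:TERM_OFF] = URL
    plain[TERM_OFF] = TERM_BYTE                   # step 7 turns this byte into NULL
    plain[TAIL_OFF:TAIL_OFF + len(TAIL)] = TAIL
    blob = add_region(plain, URL_OFF, TERM_OFF + 1, (-ADD_KEY) & 0xFF)   # inverse of step 5
    blob = xor_region(blob, TAIL_OFF, TAIL_OFF + len(TAIL), XOR_KEY)     # inverse of step 6
    return xor_chunks(blob, CHUNK_KEYS, CHUNK_SIZES)                     # inverse of step 1


def decrypt_layers(blob):
    """Run the layers in the downloader's order; return the C string seen at URL_OFF after each."""
    stage1 = xor_chunks(blob, CHUNK_KEYS, CHUNK_SIZES)                    # step 1
    stage5 = add_region(stage1, URL_OFF, TERM_OFF + 1, ADD_KEY)           # step 5: URL visible, no NULL
    stage6 = xor_region(stage5, TAIL_OFF, TAIL_OFF + len(TAIL), XOR_KEY)  # step 6
    final = bytearray(stage6)
    final[TERM_OFF] ^= TERM_BYTE                                          # step 7: single xor -> NULL
    return {
        "after_step5": c_string_at(stage5, URL_OFF),
        "after_step6": c_string_at(stage6, URL_OFF),
        "after_step7": c_string_at(bytes(final), URL_OFF),
    }


if __name__ == "__main__":
    for stage, seen in decrypt_layers(build_sample()).items():
        print(f"{stage}: {seen!r}")
```

The point of the intermediate views is the one made in step 5: after the add loop the URL bytes are in memory, but a string extractor that reads up to the next NULL runs straight past them into the junk terminator and whatever follows, so it never yields the clean URL. Only after the final single-byte xor of step 7 does the same extraction return exactly the URL the download API will receive. Detection that waits for a NULL-terminated string therefore fires very late; matching on the unterminated URL bytes, or emulating through the whole chain, is what catches it earlier.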

However, the downloader's very first action is to add itself to the list of Windows Firewall authorized applications. This behavior is immediately blocked by Sophos's recently released HIPS runtime behavior analysis.

Figure: HIPS runtime behavior analysis

Behavior-based protection provides an essential additional layer of proactive protection against previously unknown malware.