Abusing Magic for fun and profit

So called “Magic” numbers evolved from the UNIX operating system and now play a regular role in (amongst others) identifying particular file types. The doctoring of these magic numbers may render files unrecognisable by the operating system or applications expecting to work with them – and malware authors have long ago attempted to leverage this.

Malware authors are again rediscovering the usefulness of magic mangling and exploiting the fact that anti-virus engines also recognise files using magic – allowing them to hide certain content by preventing the correct parsing of tainted objects.

A recent example of this is the Troj/BadCab-A Trojan which to the casual observer might appear to be a legitimate Microsoft CAB file SFX’er – yet the CAB object appears to be missing from its regular location in the resource section…

badcab_cmpres.PNG

Upon closer inspection the reason for the missing CAB file becomes evident. Comparing resources of a real CABSfx with the sample at hand shows that the CAB magic is missing (or more importantly not what it should be – “MSCF” being MicroSoft CabinetFile)

Now this is strange since the sample runs and drops files so how does the CABSfx engine still recognise the embedded CAB file when it has an invalid magic? Diffing the executable part of the two samples we see some minor differences which exactly happen to match the magic numbers…

cabsfx_cmp.PNG

Using the offset of the difference we can cross-match with a disassembly and see exactly what bytes are being replaced and why. The patched bytes appear to be the immediate value being used to compare a local variable – this must obviously be part of the CABSfx engine which verifies the CAB magic in the resource object prior to extraction. Had this code not been patched the CABSfx’er would fail to extract the object – and no surprise, most AV engines would also fail to find the embedded CAB.

badcab_asm.PNG

A simple yet sneaky technique which can be difficult to discover unless one knows what one is looking for…