flat assembler
Message board for the users of flat assembler.

Viruses pretending to be written using fasm and MASM

revolution
Here is a virustotal scan of one of the current batch of viruses going around. It has a section named '.fasm' and another section named '.masm'. Now, I know that section names are arbitrary and can be any text whatsoever, but it seems likely to me that the writer would have used fasm to assemble the .fasm section and MASM to assemble the .masm section.

Do you think the writer is an active member on this board? I have some suspicions about some posters here but, of course, I can't confirm them.

BTW: The entry address is in the .fasm section. I'm tempted to disassemble it, but my concern at accidentally unleashing the virus is currently holding me back from opening it in Olly.


Last edited by revolution on 28 May 2008, 09:05; edited 1 time in total
Post 27 May 2008, 16:57
gunblade
I don't see why they would mix the two assemblers... seems pointless. (Unless it is re-using other people's code, and they can't/won't change it to the other syntax.)

As for disassembling it, there are plenty of disassemblers that will disassemble with no risk of running the code itself (can't think of any off the top of my head, I don't use Windows much). If you do want to "run" it in OllyDbg, you could set up a Virtual PC (kind of like VMware, but free), and run it inside there (although you might want to make a "snapshot" of the virtual Windows install to be able to revert to it after the virus hits).
Post 27 May 2008, 19:13
mattst88
Attach it and I'll disassemble it from Linux and post the assembly output.
Post 27 May 2008, 19:58
edfed
Just a poor noob question:

Is an antivirus program recognized as a virus?
Because if I understand well, they will simply seek some schemes in the binary flow, and compare them with some values, then tell it is a virus.

Then, a binary file can be a virus for this kind of program, but it will just have data that seems to be malicious code, but is just data.

Hem... yes, my idea is hard to follow. Sad
Post 27 May 2008, 20:28
Tomasz Grysztar
The assemblers leave a kind of "footprint" in the code that could be used to check if it was really assembled with fasm or not.

For example: fasm assembles "add ebx,ebx" as 01-DB, while MASM assembles it as 03-DB.

I would try to view the sections with some kind of tool like HIEW, instead of using debugger.
Post 27 May 2008, 21:48
bitRAKE
Although IDA has a debugger now - it's still primarily a disassembler at heart, and wouldn't run any code unless you explicitly told it to. That silly tool labels all my programs as virii - at least 5/32! Laughing

Post 28 May 2008, 03:21
revolution
mattst88 wrote:
Attach it and I'll disassemble it from Linux and post the assembly output.
No way. I'm not going to post a virus here (or anywhere).
gunblade wrote:
I dont see why they would mix the two assemblers.. seems pointless. (Unless it is re-using other people's code, and they cant/wont change it to the other syntax).
These viruses are sensitive to timing. Once an exploit is known they have a small time frame to release it before the hole is closed, or the AV programs are updated. So I would imagine that the writers would quickly piece together any bits of code they have and not bother with making it pretty or doing conversions, etc.
edfed wrote:
is an antivirus program recognized as a virus?
They used to be, but nowadays the engines all have special code to detect the other AV progs and allow them to pass.
Post 28 May 2008, 03:44
revolution
Here is a partial disassembly of the startup code. It is from the entry point up to the last byte of the decrypter. I have not run the code to decrypt the rest of the section so I can't say if the following code is of the same style.
Code:
0041A09A >  55              PUSH    EBP
0041A09B    8BEC            MOV     EBP,ESP
0041A09D    83C4 F0         ADD     ESP,-10
0041A0A0    68 17230600     PUSH    62317
0041A0A5    81C8 4F2A4000   OR      EAX,402A4F
0041A0AB    5A              POP     EDX
0041A0AC    6A 80           PUSH    -80
0041A0AE    81E3 922B4000   AND     EBX,402B92
0041A0B4    76 05           JBE     SHORT e-CertUC.0041A0BB
0041A0B6    39DE            CMP     ESI,EBX
0041A0B8    48              DEC     EAX
0041A0B9    01C2            ADD     EDX,EAX
0041A0BB    5E              POP     ESI
0041A0BC    B8 00000000     MOV     EAX,0
0041A0C1    6A 26           PUSH    26
0041A0C3    39DA            CMP     EDX,EBX
0041A0C5    5B              POP     EBX
0041A0C6    68 42A14100     PUSH    e-CertUC.0041A142
0041A0CB    59              POP     ECX
0041A0CC    6A EE           PUSH    -12
0041A0CE    F7C7 01274000   TEST    EDI,402701
0041A0D4    73 02           JNB     SHORT e-CertUC.0041A0D8
0041A0D6    29DB            SUB     EBX,EBX
0041A0D8    5A              POP     EDX
0041A0D9    6A C2           PUSH    -3E
0041A0DB    5E              POP     ESI
0041A0DC    81F7 D0214000   XOR     EDI,4021D0
0041A0E2    66:8B39         MOV     DI,[ECX]
0041A0E5    66:83C7 9C      ADD     DI,0FF9C
0041A0E9    66:8939         MOV     [ECX],DI
0041A0EC    BB 33000000     MOV     EBX,33
0041A0F1    66:0119         ADD     [ECX],BX
0041A0F4    66:8301 33      ADD     [WORD ECX],33
0041A0F8    81FE 61244000   CMP     ESI,e-CertUC.00402461
0041A0FE    74 0E           JE      SHORT e-CertUC.0041A10E
0041A100    81CF 321C4000   OR      EDI,401C32
0041A106    81E7 40254000   AND     EDI,402540
0041A10C    39D3            CMP     EBX,EDX
0041A10E    41              INC     ECX
0041A10F    81C3 DD1A4000   ADD     EBX,e-CertUC.00401ADD
0041A115    76 06           JBE     SHORT e-CertUC.0041A11D
0041A117    F7C2 07134000   TEST    EDX,401307
0041A11D    83C1 01         ADD     ECX,1
0041A120    68 84A34100     PUSH    e-CertUC.0041A384
0041A125    5E              POP     ESI
0041A126    39CE            CMP     ESI,ECX
0041A128  ^ 75 AF           JNZ     SHORT e-CertUC.0041A0D9
0041A12A    83C0 01         ADD     EAX,1
0041A12D    89F7            MOV     EDI,ESI
0041A12F    68 70A20200     PUSH    2A270
0041A134    8B3424          MOV     ESI,[ESP]
0041A137    5B              POP     EBX
0041A138    39F0            CMP     EAX,ESI
0041A13A  ^ 75 8A           JNZ     SHORT e-CertUC.0041A0C6
0041A13C    81FE 05254000   CMP     ESI,e-CertUC.00402505    
You will probably notice lots of redundant and pointless instructions inserted. I guess that is typical virus style.

So do the binary codes match the fasm footprint? Answer: No. Notice that "OR EAX,402A4F" uses the longer encoding "81C8", fasm will use the shorter "0D".
Post 28 May 2008, 04:25
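Added example, not part of the thread and not fasm's or any poster's code: a Python check of the encoding "footprint" Tomasz described, run over the bytes of the listing above (transcribed from it, base address its entry point 0041A09A). It decodes only the opcode forms that occur in that listing and flags three things fasm encodes differently: the direction bit on reg,reg forms (Tomasz's "add ebx,ebx" 03-DB vs 01-DB, extended here to the other ALU opcodes and to mov, which is an assumption about fasm's choice for those opcodes), the 81 /r form with an eax operand where the one-byte 05/0D/25/... opcode is shorter (the "OR EAX,402A4F" case revolution points out), and 81 or F7 /0 forms where fasm's 83 ib or A9 encoding is shorter (again an assumption about fasm's size optimisations). Any opcode outside the listing's set stops the sweep with an error rather than guessing.

```python
"""Flag x86-32 encodings that fasm would not have emitted (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALU = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]

# Bytes transcribed from the OllyDbg listing above; ENTRY is its first address.
ENTRY = 0x41A09A
LISTING = bytes.fromhex(
    "55 8BEC 83C4F0 6817230600 81C84F2A4000 5A 6A80 81E3922B4000 7605 39DE 48"
    "01C2 5E B800000000 6A26 39DA 5B 6842A14100 59 6AEE F7C701274000 7302 29DB"
    "5A 6AC2 5E 81F7D0214000 668B39 6683C79C 668939 BB33000000 660119 66830133"
    "81FE61244000 740E 81CF321C4000 81E740254000 39D3 41 81C3DD1A4000 7606"
    "F7C207134000 83C101 6884A34100 5E 39CE 75AF 83C001 89F7 6870A20200 8B3424"
    "5B 39F0 758A 81FE05254000"
)


@dataclass
class Insn:
    addr: int
    op: int                 # primary opcode (after any 0x66 prefix)
    modrm: Optional[int]
    imm: Optional[int]      # sign-extended immediate, if the form has one
    size: int


def modrm_len(code: bytes, i: int) -> int:
    """Bytes used by the ModRM at code[i] plus its SIB and displacement."""
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        return 1
    n = 1
    if rm == 4:                                  # SIB byte follows
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:  # no base: disp32
            n += 4
    elif mod == 0 and rm == 5:                   # [disp32]
        n += 4
    return n + (1 if mod == 1 else 4 if mod == 2 else 0)


def decode(code: bytes, i: int, base: int) -> Insn:
    """Decode the forms that appear in the listing; raise on anything else."""
    j, op16 = i, False
    while code[j] == 0x66:                       # operand-size prefix
        op16, j = True, j + 1
    op, immsz = code[j], 2 if op16 else 4
    modrm = imm = None
    if 0x40 <= op <= 0x5F:                       # inc/dec/push/pop r32
        end = j + 1
    elif 0x70 <= op <= 0x7F or op == 0x6A:       # jcc rel8, push imm8
        imm, end = int.from_bytes(code[j + 1:j + 2], "little", signed=True), j + 2
    elif op == 0x68 or 0xB8 <= op <= 0xBF:       # push imm32, mov r32,imm32
        end = j + 1 + immsz
        imm = int.from_bytes(code[j + 1:end], "little", signed=True)
    elif op < 0x40 and (op & 7) == 5:            # ALU eax,imm (short form)
        end = j + 1 + immsz
        imm = int.from_bytes(code[j + 1:end], "little", signed=True)
    elif (op < 0x40 and (op & 7) < 4) or 0x88 <= op <= 0x8B:   # ALU/mov r/m,r
        modrm, end = code[j + 1], j + 1 + modrm_len(code, j + 1)
    elif op in (0x81, 0x83, 0xF7):               # group 1 imm32/imm8, group 3
        modrm, end = code[j + 1], j + 1 + modrm_len(code, j + 1)
        n = 1 if op == 0x83 else immsz
        if op != 0xF7 or ((modrm >> 3) & 7) < 2:  # only F7 /0,/1 (test) take imm
            imm, end = int.from_bytes(code[end:end + n], "little", signed=True), end + n
    else:
        raise ValueError(f"unhandled opcode {op:#04x} at {base + i:#x}")
    return Insn(base + i, op, modrm, imm, end - i)


def fingerprint(ins: Insn) -> Optional[str]:
    """Name the encoding fasm would have chosen, if it differs from ins."""
    if ins.modrm is None:
        return None
    mod, reg, rm = ins.modrm >> 6, (ins.modrm >> 3) & 7, ins.modrm & 7
    if ins.op == 0x81 and -128 <= ins.imm <= 127:
        return f"{ALU[reg]} with imm32 that fits imm8: fasm emits 83 /{reg} ib"
    if ins.op == 0x81 and mod == 3 and rm == 0:
        return f"{ALU[reg]} eax,imm32 as 81 {ins.modrm:02X}: fasm emits opcode {reg * 8 + 5:02X}"
    if ins.op == 0xF7 and reg == 0 and mod == 3 and rm == 0:
        return "test eax,imm32 as F7 C0: fasm emits A9"
    # reg,reg with the "r, r/m" direction bit (03 DB): fasm uses "r/m, r" (01 DB)
    if mod == 3 and (ins.op == 0x8B or (ins.op < 0x40 and ins.op & 7 == 3)):
        return (f"reg,reg via {ins.op:02X} {ins.modrm:02X}: "
                f"fasm emits {ins.op ^ 2:02X} {0xC0 | rm << 3 | reg:02X}")
    return None


def scan(code: bytes, base: int) -> List[Tuple[int, str]]:
    """Linear sweep; returns (address, note) for every non-fasm encoding."""
    out, i = [], 0
    while i < len(code):
        ins = decode(code, i, base)
        note = fingerprint(ins)
        if note:
            out.append((ins.addr, note))
        i += ins.size
    return out


if __name__ == "__main__":
    for addr, note in scan(LISTING, ENTRY):
        print(f"{addr:08X}  {note}")
```

On the listing this reports two instructions: the prologue "MOV EBP,ESP" at 0041A09B (8B EC, where fasm would emit 89 E5) and the "OR EAX,402A4F" at 0041A0A5 (81 C8, where fasm would emit 0D). Every other reg,reg form in the listing (01 C2, 29 DB, 39 xx, 89 F7) already uses the direction fasm prefers, so the mix is itself a hint that the bytes were not all produced by one assembler in one pass. Two caveats: a linear sweep desynchronises if data is interleaved with code (not the case in this straight-line stretch), and a non-fasm encoding only shows that fasm did not emit those bytes as-is; a hand-coded or generator-produced blob, as bitRAKE suggests, can use any valid encoding.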
MHajduk
revolution wrote:
You will probably notice lots of redundant and pointless instructions inserted. I guess that is typical virus style.
Shall we reckon every program protected by obfuscators ("pointless" sequences of instructions, inserted junk code, self-modification) among viruses? I think not. Smile
Post 28 May 2008, 07:59
revolution
MHajduk wrote:
Shall we reckon every program protected by obfuscators ("pointless" sequences of instructions, inserted junk code, self-modification) among viruses? I think not. Smile
Of course not, there are also many commercial programs out there that use similar techniques to obfuscate themselves.

But just in case anyone is in doubt, I am not labelling this particular program a virus based upon the obfuscation. I already knew it was some type of malware before I downloaded it, based upon where it came from.

I downloaded it from a link in an email that pretended to come from "a large respected bank" (of which I am not even a customer). I was curious what was the technique they were using to fool people, so I followed the link (with JS disabled of course).

It was a new twist I had not seen before. They claimed that "the large respected bank" needed to install a new security program on my desktop to support their "new 128-bit encryption" process. The story goes much like this: the bank was going to make it mandatory for all customers to use this new security program by the next working day, so I had to hurry up and download and install it to avoid being locked out.

Well, I did download it but I will never install it, no way am I going to let their virus downloader/whatever do bad things to my computer.
Post 28 May 2008, 08:23
bitRAKE
revolution wrote:
You will probably notice lots of redundant and pointless instructions inserted. I guess that is typical virus style.
Most likely the code is generated by something else - not a common assembler - opcode usage seems restricted to me. Misdirection is a real time waster for the shallow mind.

I wrote a boot sector virus in 1993 (was to prevent infection by unknown virii). Makes me wonder where those floppies are. That computer went to Texas with a friend. Doubtful that it even exists as it was coded in 68000 designed to hook the floppy read/write vector of Atari ST TOS.

Post 28 May 2008, 10:04
AlexP
That code you posted, it is a later generation... Good luck! ( Does the header have 'GENOTYPE' by any chance?!)
Post 29 May 2008, 14:36
revolution
AlexP wrote:
That code you posted, it is a later generation... Good luck! ( Does the header have 'GENOTYPE' by any chance?!)
I'm not sure what you mean here. How do you come to know if it is a later generation? And a later generation of what?

There is no text "GENOTYPE" in the encoded file anywhere. But I have not decoded it (and I won't, so don't ask) so I can't say if the decoded binary has "GENOTYPE" in there.
Post 29 May 2008, 14:50
AlexP
Quote:
I'm not sure what you mean here. How do you come to know if it a later generation? And a later generation of what?
Never mind that, it is obviously a later generation though... (maybe even second, there's no way to know without the engine).

Okay, it was just a wild guess as to a virus from Vecna; he used a sort of pointer table to instructions that weren't junk, but that virus has a pretty... not well constructed for its purpose... engine.

The blatant use of large numbers and obvious garbage means it's probably just something cheap.
Post 30 May 2008, 14:28
Copyright © 1999-2020, Tomasz Grysztar.