Norman sandbox report did not show any registry or network activity. This might be due to the use of virtual CPU or sandbox bypass techniques by the malware. Sunbelt sandbox was down at the time of the analysis.
Dynamic analysis indicated that the malware copies itself to the "application data" directory of the current logged-on user and achieves automatic startup by adding the following registry entry:
Code analysis of the malware resulted in the following findings:
The decryption function was found at offset 0x58be of the second code stage :
The decryption algorithm can be presented by the following formula:
D(buff[n])=buff[n] XOR (buff[n-1]*pow(2,(n-1 AND 3)) where n values range from 1 to data_size-1.
The decrypted buffer contents are not completely readable and contain some metadata inserted at various positions. This indicates that the buffer is also compressed using a byte level compression algorithm. Further debugging reveals a decompression function at offset 0x1118 and decompressed command content is shown in the figure below:
The command instructs the bot to change the startup home page of the victim's browser to "http://www.juniormind.com/" for a possible SEO campaign.
Our next scheduled training sessions have been planned for November. If you're interested in attending, the dates and locations are:
'Hacking By Numbers - Bootcamp Edition' is our 'introduction to hacking' course. It is strongly method-based and emphasizes structure, approach and thinking over tools and tricks. The course is popular with beginners, who gain their first view into the world of hacking, and experts, who appreciate the sound, structured approach.
2) HBN Extended (Cadet & Bootcamp) 9-12th November
The HBN 'Extended Edition' is simply an intensive extended version of the regular Bootcamp course. Whilst the content and structure are essentially the same as Bootcamp, the Extended Edition offers students a deeper understanding of the concepts being presented and affords them more time to practice the techniques being taught. Extended Edition is currently offered in Switzerland and South Africa only, or can be arranged on request.
3) HBN Developer Edition 15-17th November
'Hacking By Numbers - Developer Edition' is a course aimed at arming web application developers with knowledge of web application attack techniques currently being used in the 'wild' and how to combat them. Derived from our internationally acclaimed 'Hacking By Numbers' security training, this course focuses heavily on two questions: "What am I up against?" and "How can I protect my applications from attack?" During the course sample applications will be dissected to discover security related bugs hidden within the code. The class will then consider prevention, detection & cure.
More information is available on our website at www.sensepost.com/training
or contact us on firstname.lastname@example.org or call the office on 012-460 0880 to register.
At the invitation of the South African Department of Trade and Industry SensePost will form part of a South African delegation represented at GITEX 2010 from 17-21 October 2010: