A Case Study of Information Stealers: Part I
Introduction:
A stealer is a type of malware that looks for passwords stored on the machine and sends them remotely (e.g. mail, HTTP) to an attacker. Most stealers use a web interface to facilitate browsing the data, especially if the targeted number of victims is important. Pony's web interface, for example, offers statistics about the stolen data and what applications from which the information originated.
Become a certified reverse engineer!
Statistics from Pony's web interface
The majority of credentials that Pony malware targets are FTP accounts and Bitcoin wallets. It can also steal Firefox, Chrome, and Internet Explorer data. The Pony builder leaves the choice for the attacker to determine which applications (called plugins) are of most interest. Here's how the builder's interface looks:
Pony Stealer builder
As we will see later in the analysis, each plugin is nothing but a function specialized in stealing information and storing it in the virtual address space.
A first look at the malware sample:
The sample we will work on during this analysis was hosted in the domain "heritageibn.com" that was up a few days ago, but is unfortunately down at the moment. The Pony panel (web interface) was hosted on the same website, and required a login/pass combination to enter. Since the web interface is out of the scope of this article, we'll keep our eyes focused on the sample that I renamed to: Pony.exe.
You can download the sample from the link provided in the References section at the end of this article.
The best practices of malware analysis dictate that we analyze the malware in a secured environment. In other words, we will be using a Windows 7 32-bit virtual machine to execute and analyze the Pony stealer's sample.
Malwares generally come packed, and as you might have noticed in the Pony builder's figure above, an option includes UPX packing of the executable. As you might know already know, UPX compressed files are the easiest files to dump. In fact, the UPX packer offers a service to unpack any executable packed with UPX unless modifications were made to the packer's source code or the executable itself. Let's open the executable in a Hex editor and see if we can recognize any familiar strings indicating that the sample was packed with UPX (i.e. the packing option was chosen):
It's clear now that UPX was used to pack the file. Therefore, we can get to unpacking the sample. There are two ways to do it.
The first method would be to download the UPX packer from the internet and then use the -d (decompress) option to unpack the file.
The problem with this method is that the attacker could just modify one letter from one of the UPX strings, and as a result the -d command would fail to decompress the file. It is because the tool would get confused while parsing the target file.
The second method is to unpack the file while debugging it. When the UPX stub unpacks the file completely in memory, it will jump to the OEP (Original Entry Point) and then start executing the Pony stealer's code. Dumping the executable is easy in such case, especially when dealing with UPX, which doesn't implement any anti-dumping tricks.
We won't go through such details since unpacking is out of the scope of this article. Instead, we'll work on the unpacked executable of the sample.
Now that we have the unpacked executable, let's start first by dumping its strings. Here are some strings that can be easily dumped using OllyDbg, IDA Pro or any strings dumping tool.
There's actually a great amount of strings and I couldn't encapsulate them all in one picture, so I tried to show the most interesting ones. You can clearly notice that Firefox registry keys are being accessed either to read from or write to! You can also notice that Pony targets Bitcoin wallets, which is really dangerous if you own bitcoins and perform transactions. According to the bitcoin.it a wallet.dat file contains the following details:
- keypairs for each of the owner's addresses
- transactions done from/to the owner's addresses
- user preferences
- default key
- reserve keys
- accounts
- a version number
- Key pool
Unfortunately, we won't be able to go through every application that the Pony stealer targets because there are so many of them and it is time/effort consuming to go through them one by one. We will be interested instead on how the malware behaves, how it encrypts the data, how it does send it to the C&C.
The entry point:
The unpacked sample's entry point is at 00410EBF.
We start by noticing a kind of prologue before executing the instruction at 00410ED2. This prologue is actually found in the majority of Pony's functions and it is really easy to understand.
XOR EDX,EDX ; zero out EDX
XOR EAX,EAX
XOR EDX,EDX
push 00410ED2 ; push the actual routine's address to call
NOP
CLC ; CF = 0
NOP
JB SHORT 00410ED1
NOP
RETN ; pop the address and the execution goes to 00410ED2
After the execution returns from 00410E45 ExitProcess is called, so let's get into 00410E45 and see what it does.
Constructing a custom import table:
In addition to the default IAT (Import address table), the sample constructs a second import table that it will use in many routines through its execution. This table has a custom format and its function are called using this method: CALL DWORD PTR DS:[ Address ]. The functions are imported from the following DLLs:
- ole32.dll
- crypt32.dll
- advapi32.dll
- shell32.dll
- netapi32.dll
- kernel32.dll
- msi.dll
- pstorec.dll
- userenv.dll
The loop that actually fills the table with functions is called for each library. The same function is also responsible for calling LoadLibrary to get a handle to the loaded module before calling GetProcAddress on it.
The table that is filled starts at a static address and is located at: 004153C5.
Adjusting the process token:
During this step, Pony tries to adjust the process privileges so it will be able to perform its tasks. The privileges that the malware tries to add are the following:
- SeImpersonatePrivilege
- SeTcbPrivilege
- SeChangeNotifyPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeIncreaseQuotaPrivilege
- SeAssignPrimaryTokenPrivilege
These privileges are added one by one to the token by:
- Calling LookupPrivilegeValueA to look up the LUID of the privilege.
- Calling OpenProcessToken with TOKEN_ADJUST_PRIVILEGES for the current process.
- Calling AdjustTokenPrivileges finally to add the privilege to the process token.
The stealer also appears to call GetUsernameA function, to get the username associated with the current thread and then store the string pointer at a static address: 00418681.
Accessing the registry:
In this part, Pony starts using OLE stream objects and will continue using them throughout its other tasks. A stream object is created using the function: CreateStreamOnHGlobal. This function returns a pointer to a structure that can be used to store data of any type.
Access to the stream's structure directly isn't a good practice so OLE32 offers a function to get a pointer to the actual stored data: GetHGlobalFromStream.
Therefore, the malware creates two stream objects each one for some kind of data that we'll know about later in this section. It then goes on to open the registry key:
"HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall"
Under Windows, if you want to uninstall a program for example you would access the Add/Remove programs utility from the Control Panel. What's interesting about the registry key above is that the Add/Remove programs utility actually uses it to get all the details about the applications being displayed to the user.
What Pony does is iterate through all the subkeys in the above key using RegEnumKeyExA and then check if that subkey contains the two values: "UninstallString" and "DisplayName". The former value is the path to the executable responsible for uninstalling the software and the latter is the software's name to be displayed. If these values actually exist, it reads their content and stores each one in an OLE stream. Now it is clear that the two streams are used to store two different kinds of data, one stream is used to store "UninstallString" values and the other one is used for "DisplayName" values. After iterating through all the subkeys, each one of the streams is copied to an independent memory location (dynamically allocated), then the pointers are stored in 0041506E (UninstallString strings) and in 00415072 for "DisplayName" strings. Finally, the streams are freed.
Since we aren't going to delve deeply on how Pony steals data from each type of software, since each one is unique. I am going to show you a tiny example in which the sample puts "UninstallString" to use ("DisplayName" is also used for other software targeted by the stealer).
In this example, Pony targets CuteFTP software. It iterates through all the uninstall strings looking for the CUTEFTP substring since it's known that this program has actually as CUTEFTP substring in its UninstallString. If the substring wasn't found in any of the strings, it simply means that the software isn't installed on the machine.
Decrypting the encryption key:
The encryption key that is used to encrypt the data that is communicated to the C&C server is encrypted using a very simple algorithm.
00410522 MOV EAX,DWORD PTR SS:[EBP+8]
00410525 AND EAX,EAX
00410527 JZ SHORT 00410535
00410529 JMP SHORT 00410530
0041052B DEC BYTE PTR DS:[EAX]
0041052D DEC BYTE PTR DS:[EAX]
0041052F INC EAX
00410530 CMP BYTE PTR DS:[EAX],0
00410533 JNE SHORT 0041052B
00410535 LEAVE
00410536 RETN 4
The encrypted string "dcdclc{B3456" becomes "babajay@1234". Which will be used, as we'll see later, in the encryption.
Decrypting a wordlist:
An encrypted wordlist is decrypted in run-time that will be used later by the stealer. The encryption is also very weak.
00402E5F PUSH EBP
00402E60 MOV EBP,ESP
00402E62 PUSH EDI
00402E63 MOV EDI,DWORD PTR SS:[EBP+8]
00402E66 JMP SHORT 00402E74
00402E68 JMP SHORT 00402E6E
00402E6A XOR BYTE PTR DS:[EDI],01 ; decrypting
00402E6D INC EDI
00402E6E CMP BYTE PTR DS:[EDI],0
00402E71 JNE SHORT 00402E6A
00402E73 INC EDI
00402E74 CMP BYTE PTR DS:[EDI],0
00402E77 JNE SHORT 00402E68
00402E79 POP EDI
00402E7A LEAVE
00402E7B RETN 4
The wordlist is stored at 00417F27, after it is decrypted it contains some of these words: samantha, michelle, david, eminem, scooter, asdfasdf, etc.
Conclusion:
In this first part, we took a look at what Pony does before starting to steal the data. What registry keys does it read and why! We've also seen that it decrypts a string, which is apparently a key, and a wordlist that will be used in some kind of bruteforce. The image is still not complete, that's why in the second part we will answer these questions:
Become a certified reverse engineer!
Resources:
Link to the sample: https://goo.gl/dC62wM