Wednesday, December 31, 2014

SteamStealer - A look into the source code

I've been wanting to take a look at the recent SteamStealer malware that has been going around throughout November and December. There are a few different types, the main one being .scr executables that, once executed, connect to a designated domain and drop more stuff. The other, more recent type uses a custom crypter with a library containing a RunPE function to ultimately load SteamStealer into the process. In any case, I won't be doing any "on the surface" analysis or removal tips, as that's been nicely done by blogs such as this. I'll instead be taking a look at the source code for a few of these .scr files, and talking a bit about them as well.

So first off, the big thing regarding a lot of these recent .scr files is that they are obfuscated with Confuser, or its successor, ConfuserEx. Confuser is a pretty popular free obfuscator, mainly because it isn't completely easy to reverse. It's still reversible, just not as easily as many other free obfuscators out there. You can do it with WinDbg, which is absolutely gruesome and not really recommended for .NET deobfuscation, as anything much past methods is difficult and time consuming. Alternatively, you can use the wonderful internet world we have to get any of a slew of tools for decrypting methods, killing delegates, dumping, and decrypting strings.

Let's first take a look at what the thumbnails for the samples look like:


As we can see, the thumbnails appear as a Steam inventory with various items.

Back to obfuscation: if we try to take one of our .scr samples obfuscated with Confuser into IDA, here's what we get:


After deobfuscation however, we can successfully take a somewhat broken look at the source code. Near the top of the code you can generally find the following (and hilarious) format:

   newobj  instance void SteamWorker::.ctor()
   stloc.0  
   ldloc.0  
   ldstr  "7656119816xxxxxxx" // Steam ID  
   ldstr  "203496355"  
   ldstr  "N71Ll_bP"  

All of the Steam IDs extracted from various source code samples are 8 or 9 (mostly 9) digit IDs, implying they're new and not old accounts by any means. With this said, these accounts were of course created for the sole purpose of spamming trades with this malware, and most likely selling valuable items for real money. I wouldn't be surprised if they were purchased or stolen IDs.

   callvirt instance void SteamWorker::getSessionID()  
   ldloc.0  
   ldstr  "csgolounge"  
   ldstr  "how much is this karambit knife? hxxp://screen4say.com/image.png"  
   callvirt instance void SteamWorker::SpamGroup(string, string)  
   ldloc.0  
   ldstr  "dota2lounge"  
   ldstr  "how much is this unusual courier? hxxp://screen4say.com/image.png"  
   callvirt instance void SteamWorker::AddGroupAndMess(string, string)  
   ldloc.0  
   callvirt instance void SteamWorker::getFriends()  
   ldloc.0  
   ldstr  "He give me this knife hxxp://screen4say.com/image.png ty for you :)"  
   callvirt instance void SteamWorker::sendMessWall(string)  
   ldloc.0  
   callvirt instance void SteamWorker::DeleteAll()  

Above is an example of one of the many domains used in the malware (purged). You can see it would join the Steam group "csgolounge" and then message users "how much is this karambit knife?" with a link to the malware. This is how it mainly propagated: by joining various Steam trade groups and spamming anyone with public inventories. The groups were mainly "csgolounge" and "dota2lounge", as those were the main games used for the malware.

Domains used from what I've seen are: prntsrc-online, screen4free, hostingscreen, screenshotyou, etc.

If we do a lookup on any one of those:

 Domain name: prntsrc-online.com  
 Domain idn name: prntsrc-online.com  
 Status: clientTransferProhibited  
 Registry Domain ID:  
 Registrar WHOIS Server: whois.reg.ru  
 Registrar URL: https://www.reg.com/  
 Registrar URL: https://www.reg.ru/  
 Registrar URL: https://www.reg.ua/  
 Updated Date: 2014-12-15  
 Creation Date: 2014-12-15T19:18:01Z  
 Registrar Registration Expiration Date: 2015-12-15  
 Registrar: Domain names registrar REG.RU LLC  
 Registrar IANA ID: 1606  
 Registrar Abuse Contact Email: Email Masking Image@reg.ru  
 Registrar Abuse Contact Phone: +7.4955801111  
 Registry Registrant ID:  
 Registrant Name: Ivan Ivanov  
 Registrant Organization: Yandex LTD  
 Registrant Street: ul.Koshkina 15 kv 4  
 Registrant City: Moscow  
 Registrant State/Province: MOSCOW STATE  
 Registrant Postal Code: 132170  
 Registrant Country: RU  
 Registrant Phone: +79871975615  
 Registrant Phone Ext:  
 Registrant Fax:  
 Registrant Fax Ext:  
 Registrant Email: spamspam228@mail.ru
 Registry Admin ID:  
 Admin Name: Ivan Ivanov  
 Admin Organization: Yandex LTD  
 Admin Street: ul.Koshkina 15 kv 4  
 Admin City: Moscow  
 Admin State/Province: MOSCOW STATE  
 Admin Postal Code: 132170  
 Admin Country: RU  
 Admin Phone: +79871975615  
 Admin Phone Ext:  
 Admin Fax:  
 Admin Fax Ext:  
 Admin Email: spamspam228@mail.ru  
 Registry Tech ID:  
 Tech Name: Ivan Ivanov  
 Tech Organization: Yandex LTD  
 Tech Street: ul.Koshkina 15 kv 4  
 Tech City: Moscow  
 Tech State/Province: MOSCOW STATE  
 Tech Postal Code: 132170  
 Tech Country: RU  
 Tech Phone: +79871975615  
 Tech Phone Ext:  
 Tech Fax:  
 Tech Fax Ext:  
 Tech Email: spamspam228@mail.ru  
 Name Server: ns1.hostinger.ru  
 Name Server: ns2.hostinger.ru  
 Name Server: ns3.hostinger.ru  
 Name Server: ns4.hostinger.ru  
 DNSSEC: Unsigned  

Regarding this search, we can see it's a Russian-based domain that was created and is administered by spamspam228(at)mail.ru. There's no doubt spamspam228 is a legitimate email, right? My favorite part isn't the email, but that the registrant's name is Ivan Ivanov from the organization Yandex LTD. This is absolutely hilarious considering Yandex is a Russian search engine (and ISP I believe?). I don't think Mr. Ivan Ivanov from Yandex is behind this.

If we now go ahead and look up this email, we can see:

 The email spamspam228@mail.ru is related to these domains :  
 1. printsrceen.com  
 2. prntsrc-online.com  

There's another interesting one:

 Domain Name: PICTURES-SCREEN.NET  
 Registry Domain ID:  
 Registrar WHOIS Server: whois.publicdomainregistry.com  
 Registrar URL: www.publicdomainregistry.com  
 Updated Date: 2014-12-23T16:15:07Z  
 Creation Date: 2014-12-23T16:15:05Z  
 Registrar Registration Expiration Date: 2015-12-23T16:15:05Z  
 Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com  
 Registrar IANA ID: 303  
 Registrar Abuse Contact Email: 
 Registrar Abuse Contact Phone: +1-2013775952  
 Domain Status: clientTransferProhibited  
 Registry Registrant ID:  
 Registrant Name: Xuila Pitrov Vasielvis  
 Registrant Organization: ScreenPictures  
 Registrant Street: Puschcicha,4,15   
 Registrant City: Moscow  
 Registrant State/Province: Moscow  
 Registrant Postal Code: 148821  
 Registrant Country: RU  
 Registrant Phone: +7.9652422078  
 Registrant Phone Ext:  
 Registrant Fax:  
 Registrant Fax Ext:  
 Registrant Email: jesus7298@mail.ru  
 Registry Admin ID:  
 Admin Name: Xuila Pitrov Vasielvis  
 Admin Organization: ScreenPictures  
 Admin Street: Puschcicha,4,15   
 Admin City: Moscow  
 Admin State/Province: Moscow  
 Admin Postal Code: 148821  
 Admin Country: RU  
 Admin Phone: +7.9652422078  
 Admin Phone Ext:  
 Admin Fax:  
 Admin Fax Ext:  
 Admin Email: jesus7298@mail.ru  
 Registry Tech ID:  
 Tech Name: Xuila Pitrov Vasielvis  
 Tech Organization: ScreenPictures  
 Tech Street: Puschcicha,4,15   
 Tech City: Moscow  
 Tech State/Province: Moscow  
 Tech Postal Code: 148821  
 Tech Country: RU  
 Tech Phone: +7.9652422078  
 Tech Phone Ext:  
 Tech Fax:  
 Tech Fax Ext:  
 Tech Email: jesus7298@mail.ru  
 Name Server: ns1.webhost1.ru  
 Name Server: ns2.webhost1.ru  
 DNSSEC:Unsigned  

Administered by a Xuila Pitrov Vasielvis, from Russia once again, from the organization "ScreenPictures". It's the domain name backwards, hilarious. It's registered/administered by/to the email jesus7298(at)mail.ru. Once again, an interesting choice for an email.

If we now go ahead and look up this email, we can see:

 The email jesus7298@mail.ru is related to these domains :  
 1. pictures-screen.net  
 2. picturesscreen.net  
 3. screenshotcapture.net  

See the pattern? Lots of malicious domains hosted and administered by Russians.
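The registrant e-mail pivot used above, as an added Python example that is not part of the original post: it reads WHOIS text and reverse-lookup listings in the two formats quoted here and groups domains by registrant e-mail. The sample input is constructed from the records shown above, trimmed to the fields the pivot uses, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: records quoted in this post, trimmed to the pivot fields.
WHOIS = """\
Domain name: prntsrc-online.com
Registrant Email: spamspam228@mail.ru

Domain Name: PICTURES-SCREEN.NET
Registrant Email: jesus7298@mail.ru
"""
REVERSE = """\
The email spamspam228@mail.ru is related to these domains :
1. printsrceen.com
2. prntsrc-online.com
The email jesus7298@mail.ru is related to these domains :
1. pictures-screen.net
2. picturesscreen.net
3. screenshotcapture.net
"""

def whois_pairs(text):
    """Yield (registrant e-mail, domain) per blank-line-separated WHOIS record."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():              # skip empty fields
                fields.setdefault(key.strip().lower(), value.strip().lower())
        if {"registrant email", "domain name"} <= fields.keys():
            yield fields["registrant email"], fields["domain name"]

def reverse_pairs(text):
    """Yield (e-mail, domain) from 'The email X is related to ...' listings."""
    email = None
    for line in text.splitlines():
        head = re.match(r"\s*The email (\S+@\S+) is related", line)
        item = re.match(r"\s*\d+\.\s+(\S+)", line)
        if head:
            email = head.group(1).lower()
        elif item and email:
            yield email, item.group(1).lower()

def cluster(*sources):
    """Merge (e-mail, domain) pairs into {e-mail: sorted domain list}."""
    groups = defaultdict(set)
    for email, domain in (pair for src in sources for pair in src):
        groups[email].add(domain)
    return {email: sorted(domains) for email, domains in groups.items()}
```

Field names are lower-cased before comparison because the two registrars label the same field differently ("Domain name" vs "Domain Name").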

So right away after deobfuscation you can find the Steam ID of the account the items are ultimately being sent to for collection, and information regarding the domain housing the malware. Of course after we find a Steam ID, we can look that up and find the profile on Steam Community. I won't be posting the Steam IDs publicly even though these accounts were used for malicious purposes, because I'm just here to analyze and that's it. You can probably dig up the profiles if you care enough to report them.


Right, so we can see that this account is level 1 (new), the only game it has played is Dota 2, and it has joined the Dota 2 group so it can spam the malware. We can see this person was nice enough to leave their Skype, name (possibly fake in some cases), etc. I have blanked it out as I noted I will. Let's take a look at another account:


This account is a bit more active, with 5.9 hours of Dota 2 played in the last two weeks. It's also level 2, as opposed to the previous account, which was only level 1. This account is also in two of the usual spam groups rather than one. With all of the above said, this account was likely spamming more actively and successfully than the first. Either that, or it was just being used for spamming with the malware in general rather than being prepared for use in spamming.

You can see the "view more info" button, behind which the user hilariously left most if not all of their online credentials and places to find them. One of the links was to a Russian hack forum, where they hosted a thread offering various "services".

We can see some of the items the malware looked to steal:

   ldstr  "440,570,730,753"  
   ldstr  "753:gift;570:rare,legendary,Dc,mythical,arcana,normal,unusual,ancient,tool,key;440:unusual,hat,tool,key;730:tool,knife,pistol,smg,shotgun,rifle,sniper rifle,machinegun,sticker,key"  
   callvirt instance void SteamWorker::addItemsToSteal(string, [opt] string)  

The first few are Dota 2 tiers for the rarity/quality of an item, and then we branch off to keys, unusual hats, hats in general, etc., eventually ending up with Counter-Strike items. Considering, for example, that unusual hats can go upwards of several hundred dollars depending on the type, effect, etc., this is a pretty annoying malware for people that aren't aware of it.

Overall, however, it's not a very impressive piece of malware by any means; it just looks like script stuff. However, I don't think it was meant to be. It has obviously satisfied its original and intended goal, which was to steal items. A lot of people have had their items stolen, simply because a lot of people aren't aware, as I noted above. Although I said I wouldn't go into removal, to avoid this malware, other than just understanding how it works, just make your trades private.
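An added example (not code from the original post or from the malware): a triage script that pairs each `ldstr` literal in a deobfuscated IL listing with the call that consumes it, then pulls out the spam groups, the defanged lure hosts and the per-game item filter discussed in both IL excerpts above. The listing is constructed from lines quoted in this post, and treating every pending string as an argument of the next call is a simplifying assumption.

```python
import re

# Constructed sample: IL lines copied from the deobfuscated listings in this post.
IL = r'''
ldstr  "csgolounge"
ldstr  "how much is this karambit knife? hxxp://screen4say.com/image.png"
callvirt instance void SteamWorker::SpamGroup(string, string)
ldloc.0
ldstr  "dota2lounge"
ldstr  "how much is this unusual courier? hxxp://screen4say.com/image.png"
callvirt instance void SteamWorker::AddGroupAndMess(string, string)
callvirt instance void SteamWorker::getFriends()
ldstr  "440,570,730,753"
ldstr  "753:gift;570:rare,legendary,Dc,mythical,arcana,normal,unusual,ancient,tool,key;440:unusual,hat,tool,key;730:tool,knife,pistol,smg,shotgun,rifle,sniper rifle,machinegun,sticker,key"
callvirt instance void SteamWorker::addItemsToSteal(string, [opt] string)
'''

LDSTR = re.compile(r'^\s*ldstr\s+"(.*)"\s*$')
CALL = re.compile(r'^\s*call(?:virt)?\s+.*?(\w+)::(\w+)\(')
URL_HOST = re.compile(r'h(?:xx|tt)ps?://([^/\s"]+)', re.I)  # defanged or live scheme

def calls_with_strings(il_text):
    """Pair each call with the string literals loaded since the previous call."""
    pending, calls = [], []
    for line in il_text.splitlines():
        literal, call = LDSTR.match(line), CALL.match(line)
        if literal:
            pending.append(literal.group(1))
        elif call:
            calls.append((call.group(2), pending))
            pending = []
    return calls

def summarize(il_text):
    """Reduce a listing to triage facts: spam groups, lure hosts, item filter."""
    groups, hosts, items = set(), set(), {}
    for method, args in calls_with_strings(il_text):
        for arg in args:
            hosts.update(h.lower() for h in URL_HOST.findall(arg))
        if method in ("SpamGroup", "AddGroupAndMess") and args:
            groups.add(args[0])                      # first argument is the group name
        if method == "addItemsToSteal" and len(args) == 2:
            # "appid:type,...;appid:..." (440 TF2, 570 Dota 2, 730 CS:GO, 753 Steam)
            for entry in filter(None, args[1].split(";")):
                app_id, _, kinds = entry.partition(":")
                if app_id.strip().isdigit():
                    items[int(app_id)] = [k.strip() for k in kinds.split(",") if k.strip()]
    return {"groups": sorted(groups), "lure_hosts": sorted(hosts), "items": items}
```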

Friday, December 19, 2014

Regin, the top-tier PASSIVE_LEVEL malware!

Over the past few weeks it seems left and right there's Regin this, Regin that. I am not going to do a detailed analysis and discuss its stages and what have you, as there are various informative, in-depth whitepapers, etc.

To name a few:

Symantec, Symantec.
Kaspersky, Kaspersky.
F-Secure.

In my opinion, Regin is your typical malware that expands outside of the reverse engineer/security community due to its original goal. Journalists or researchers with little kernel-level knowledge/background get a hold of it and before you know it, it's the next biggest sophisticated piece of malware and all that matters is PR. At this point, writing accurate and detailed articles doesn't matter anymore. What am I referring to, and what will I instead talk about with Regin?

Secret Malware in European Union Attack Linked to U.S. and British Intelligence.

Let's quickly talk about a few things the whitepapers haven't mentioned (as far as I am aware), and the above article. Respectfully, I have absolutely no idea who reviewed the above article before it was pushed. You have to wonder if The Intercept rushed like hell to publish this article because Symantec released their whitepaper and didn't care about what half of it even said. Note the dates:



There's a lot of strange and irrelevant information in that article you can pick at, but the absolute best is:

"This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible and to prevent possible IRQL confusion. This technique is another example of the level of precaution the developers took while designing this malware framework."

Since its publication date this has yet to be changed, so I guess they don't care after all about its inaccuracies. Anyway, if it's not a surprise, calling KeGetCurrentIrql over and over again throughout the code is just the PAGED_CODE macro. It has absolutely nothing to do with stealth, and PASSIVE_LEVEL doesn't automatically imply obfuscation or stealth. For example, here's an excerpt from db405ad775ac887a337b02ea8b07fddc (kernel driver - stage 1).

 call  KeGetCurrentIrql  
 test  al, al  
 jnz   short loc_FDEFAA3D  
 push  dword ptr [esi] ; Handle  
 call  ZwClose  
 test  eax, eax  
 jnz   short loc_FDEFAA3D  
 push  18h  
 push  ebx  
 push  esi  
 call  sub_FDEFA2EC  
 add   esp, 0Ch  
 mov   bl, 1  


Again taking a look at db405ad775ac887a337b02ea8b07fddc, there's another interesting tidbit throughout the code:

 push  43726150h 
 push  20h  
 push  edi  
 call  ds:ExAllocatePoolWithTag  

The above is the kernel-mode driver's pool tag, the number of bytes to allocate for the memory request, the pool type, and finally its call to ExAllocatePoolWithTag to allocate pool memory. Okay, so what's the big deal? If we convert the pool tag operand to a character constant, we get the following result:

 push  'CraP'  
 push  20h  
 push  edi  
 call  ds:ExAllocatePoolWithTag  

The pooltag is CraP : ) This is probably how many of us feel about this malware being so hyped by the media. There are of course others throughout the code, for example:

 push  'CraP'  
 push  eax  
 push  1  
 call  ds:ExAllocatePoolWithTag  
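An added example, not from the original post or any vendor tooling: it recovers the arguments at each `ExAllocatePoolWithTag` call site from the preceding pushes and decodes the tag both as IDA's character constant and in little-endian memory order, which is the order tag-based pool tools such as poolmon display. The listing is constructed from the two excerpts above (with the tag as its hex immediate), and the function names are this example's own.

```python
import re
import struct

# Constructed sample: the two allocation sites quoted above, with the tag
# written as the raw hex immediate rather than IDA's character constant.
LISTING = """\
push  43726150h
push  20h
push  edi
call  ds:ExAllocatePoolWithTag
push  43726150h
push  eax
push  1
call  ds:ExAllocatePoolWithTag
"""

PUSH = re.compile(r"^\s*push\s+(\S+)")
CALL = re.compile(r"^\s*call\s+(?:ds:)?ExAllocatePoolWithTag\b")

def parse_imm(op):
    """Value of an IDA-style immediate (43726150h, 0Ch, 1); None for a register."""
    m = re.fullmatch(r"(\d[0-9A-Fa-f]*)h|(\d+)", op)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))

def decode_tag(value):
    """Return (IDA character constant, bytes as stored in memory) for a 32-bit tag."""
    return (struct.pack(">I", value).decode("ascii", "replace"),
            struct.pack("<I", value).decode("ascii", "replace"))

def pool_allocations(listing):
    """Recover Tag, NumberOfBytes and PoolType at each call site; stdcall pushes
    arguments right to left, so the tag is the first of the three pushes."""
    pushes, found = [], []
    for line in listing.splitlines():
        m = PUSH.match(line)
        if m:
            pushes.append(m.group(1))
        elif line.lstrip().startswith("call"):
            if CALL.match(line) and len(pushes) >= 3:
                tag, size, pool_type = (parse_imm(op) for op in pushes[-3:])
                found.append({"tag": decode_tag(tag) if tag is not None else None,
                              "size": size, "pool_type": pool_type})
            pushes = []                  # pushed arguments are consumed by the call
    return found
```

For both call sites the tag decodes to `'CraP'` as a character constant and `ParC` in memory order, so a search by pool tag on a live system should use the latter. Arguments passed in a register (`edi`, `eax`) come back as `None`.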

Overall, I guess the moral is to take time to get as much accurate information as you can for your articles. I cannot speak for anyone but myself, but as someone with a love for reverse engineering, malware, and debugging, I appreciate in-depth whitepapers and articles that provide thorough analysis. If all you're worried about is competition for views and hyping malware, chances are you're not going to appeal to the people who really care about the written content.

PS: Thanks to KernelMode as always for the hilarious discussion.