Spammed downloader

Getting spam with malware attached is nothing new. Usually I just dispose of the junk mail, but every now and then I see a spam message that looks interesting enough to dig into further. Today's example is a spam mail that claimed to be a reply to a message I had allegedly sent. The body of the message looked like this:

Hello, toni.koivunen.

Friday, March 21, 2008, 09:54:5 AM, you wrote
> Hi.
> I love you with all my heart and soul.
> I miss you so much.
> I send you my photo. Please do not show it to your family and friends.
> Many kisses, Your Love.
HI
Super nice foto  :)
Call me: 7052667

--
Best regards,
barnyard54          mailto: ba rn ya rd 54 @cyber-cards.com

I broke the e-mail address on purpose. Anyway, attached to the mail was a file called images09.gif.zip with a size of about 2k, which is quite small compared to other spam zips. Inside the zip file was a file called images09.gif.exe, a whopping 1,989 bytes in size. Even accounting for the packing, that is very small. It is packed with FSG 2, although the headers have been obfuscated to hide this.

After the FSG layer is unpacked, another layer of code can be seen:

004017EE 92 XCHG EAX,EDX ; ntdll.7C97C0D8
004017EF 92 XCHG EAX,EDX
004017F0 90 NOP
004017F1 87F2 XCHG EDX,ESI
004017F3 87F2 XCHG EDX,ESI
004017F5 90 NOP
004017F6 90 NOP
004017F7 47 INC EDI
004017F8 93 XCHG EAX,EBX
004017F9 93 XCHG EAX,EBX
004017FA 90 NOP
004017FB 90 NOP
004017FC 90 NOP
004017FD 8077 FF AC XOR BYTE PTR DS:[EDI-1],0AC
00401801 50 PUSH EAX
00401802 50 PUSH EAX
00401803 58 POP EAX
00401804 90 NOP
00401805 58 POP EAX
00401806 90 NOP
00401807 87C9 XCHG ECX,ECX
00401809 F657 FF NOT BYTE PTR DS:[EDI-1]
0040180C 52 PUSH EDX
0040180D 90 NOP
0040180E 52 PUSH EDX
0040180F 5A POP EDX
00401810 5A POP EDX
00401811 87C9 XCHG ECX,ECX
00401813 52 PUSH EDX
00401814 90 NOP
00401815 5A POP EDX
00401816 39F7 CMP EDI,ESI
00401818 ^75 D4 JNZ SHORT images09.004017EE

As you most likely noticed, it contains a lot of junk instructions that do nothing: the paired XCHGs, the PUSH/POP pairs and the NOPs all cancel out, so only five instructions actually do any work. This could be there to evade code scanners, or it could be produced by some kind of polymorphic stub, since the junk instructions can easily be varied from sample to sample, causing hash-based signatures to fail. The functionality reduces to these few instructions:

_loop:                              ; 004017EE
inc edi
xor byte ptr ds:[edi-1], 0ACh
not byte ptr ds:[edi-1]
cmp edi, esi
jnz short _loop

So in short, it's a small decryption stub using XOR and NOT: every byte from the initial EDI up to (but not including) ESI is XORed with 0ACh and then inverted. Since NOT x is the same as x XOR 0FFh, the two operations together are just a single-byte XOR with 0ACh XOR 0FFh = 53h; the extra NOT only serves to make the constant visible in the code differ from the effective key.
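To make that arithmetic concrete, here is an added example (my own Python, not code from the original post or from the sample itself) that emulates the reduced loop using the same register roles as the stub, and checks that it is equivalent to a single-byte XOR with 53h. The encrypted sample buffer is constructed for illustration and is not data taken from images09.gif.exe.

```python
# Added example (not code from the original post): a Python re-implementation
# of the xor+not decryption loop shown in the disassembly, plus a check that
# it collapses to a single-byte XOR. SAMPLE_ENCRYPTED below is constructed
# for illustration; it is not data from the images09.gif.exe sample.

XOR_IMM = 0xAC                  # immediate from "xor byte ptr [edi-1], 0ACh"
EFFECTIVE_KEY = XOR_IMM ^ 0xFF  # NOT x == x ^ 0xFF, so xor+not == xor 0x53


def decrypt_range(image: bytearray, edi: int, esi: int) -> bytearray:
    """Emulate the loop in place, with the stub's register roles.

    EDI is the running pointer and ESI the end address. The stub is a
    do-while (the body runs before the compare), so it transforms
    image[edi:esi] and always runs at least once; for an empty range we
    simply return instead of mirroring the 32-bit wraparound.
    """
    if edi == esi:
        return image
    while True:
        edi += 1                                   # inc edi
        image[edi - 1] ^= XOR_IMM                  # xor byte ptr [edi-1], 0ACh
        image[edi - 1] = (~image[edi - 1]) & 0xFF  # not byte ptr [edi-1]
        if edi == esi:                             # cmp edi, esi / jnz
            break
    return image


def decrypt(buf: bytes) -> bytes:
    """Convenience wrapper: run the loop over a whole buffer."""
    return bytes(decrypt_range(bytearray(buf), 0, len(buf)))


def decrypt_single_xor(buf: bytes, key: int = EFFECTIVE_KEY) -> bytes:
    """The same transform expressed as the equivalent one-key XOR."""
    return bytes(b ^ key for b in buf)


# Constructed ciphertext: the first four bytes of a DOS header ("MZ\x90\x00")
# run through the transform. The transform is its own inverse, so applying
# it a second time recovers the plaintext.
SAMPLE_ENCRYPTED = bytes([0x1E, 0x09, 0xC3, 0x53])

if __name__ == "__main__":
    plain = decrypt(SAMPLE_ENCRYPTED)
    print(plain)                                   # b'MZ\x90\x00'
    print(hex(EFFECTIVE_KEY))                      # 0x53
    print(decrypt(plain) == SAMPLE_ENCRYPTED)      # True: involution
```

Because the whole loop is a fixed one-byte XOR, the decryption can be undone by anyone who spots the two constants, and a detection that keys on the effective transform (53h) rather than on the byte pattern of the stub survives the junk-instruction shuffling described above.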

After unpacking it opens up a browser and points it to h t t p://www. superlaugh.com/1/catnip.htm (URL broken on purpose as well).

Some of you might remember this as the same file that the Storm gang used. Also, in the background it downloads two trojans from www. eden21 .net. The trojans themselves seem to be banker trojans and not connected to Storm, but due to lack of time they weren't fully analyzed.

If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.