Scene virus

By Silkut

Intro

On the 2nd of February 2008, Scamp^vacuum (untergrund.net) posted the news on the famous Pouet.net BBS. The news was quite freaky: Pouet was infected with a malicious script on its index page that downloads a Trojan horse.

Several other demoscene-related websites were infected too, which is a reason to read on carefully. Besides untergrund.net (four scener-dedicated websites), scene.org (hosting Pouet and PAiN amongst others) and demoparty.net were also affected.

History

The malware problem is not unknown to the demoscene, first of all because one of the coding techniques to reduce binary size is to use packers. Packers are used to compress binary sections as much as possible to gain some precious bytes. They usually create a self-extracting routine in an added section, plus a modified application entry point.

Some packers are well known because viruses used to come packed with them, aiming to hide their code from AV software (which then detects the packer signature and creates what we call false positives).

Second, because as in every community, some skiddies submit viruses as productions, but that is only a tiny minority.

And last but not least, because the demoscene's past, which started with cracking groups, still gives it a bad reputation: people cracking video games and software.

Is it a plausible explanation for the kind of recommendations we used to hear: "Don't download games or cracked software because they contain malware"?

But that's another story, another debate.

Facts

To come back to our story, from what Ryg^fr collected from some admins, it seems that the script was put online using genuine user logins/passwords, making admins think that those users were also infected with some kind of malware (such as a keylogger).

From the log files, it seems that the logins were obtained during the first week of January. Some days later, they (after being verified as functional) were used to put a file online, which was immediately deleted.

The script itself was actually introduced on the 1st of February, but luckily, with joined forces, the menace was stopped the day after, the 2nd of February. Unfortunately for us, a part of the script disappeared.

Theory

This script family is not really a virus in itself: it is not dangerous as is. Its job is usually to download the malicious payload, which is then fed to a piece of software (browser, media player, plugins) suffering from exploitable vulnerabilities.

The payload is usually shellcode contained in an innocent-looking file. It is the real backdoor, letting the author bring in more aggressive and stealthier tools.

(For further information, read my previous article here: http://navilinux.free.fr/blog/index.php?2008/03/11/3-analyse-du-virus-trojan-downloaderjspsymec (fr))

Code

What remains of the code is fairly obfuscated, using a scrambled layout and some encryption techniques.

see .[0x01]
After partially indenting the code, things become clearer.

see .[0x02]
While quickly reading the code, we can recognize some keywords that could point us to the cipher used. (Using a kind of frequency analysis related to the JavaScript language keywords.)

see .[0x03]
The ROT13 algorithm (a Caesar cipher variant) seems to be the choice of the author. Rotating the letters of the alphabet by 13 positions in some parts of the code, here is what we obtain.

see .[0x04]
At this stage of the analysis, it appears that some parts are still heavily encrypted. The missing part of the code is critical to understanding it. The decrypted routines are used to decrypt the other part using some kind of substitution.

see .[0x05]
The result is a redirection to a fake Google Analytics website (googleanalytics.net, google-analytlcs...) while trying to steal some critical PHP session information.

It is very likely that the rest of the code used to be the Trojan downloading part, probably Mebroot (malware modified from an eEye Security PoC, says Symantec Corp.)
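
Added example (not part of the original article or its bonus pack): a static triage helper in Python that applies the keyword-spotting and ROT13 steps described above without executing the script. It generalizes to any Caesar rotation and to decoding each string literal separately; the keyword list, the sample script and all function names are assumptions made for illustration.

```python
import re
import string

# Identifiers an analyst expects in browser-side JavaScript (assumed list).
JS_KEYWORDS = {"function", "var", "return", "document", "window", "eval",
               "unescape", "fromCharCode", "location", "cookie"}
# Quoted string literal, honouring backslash escapes; group 2 is the content.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")

# Constructed sample, not the script from the incident: one literal is ROT13.
SAMPLE = ('var k = "shapgvba qrpbqr(f){erghea harfpncr(f)}";\n'
          'var label = "page counter";\n'
          'run(rot(k));')


def rotate(text, shift):
    """Caesar-rotate ASCII letters by `shift`; everything else is untouched."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lo + up, lo[shift:] + lo[:shift] + up[shift:] + up[:shift])
    return text.translate(table)


def keyword_hits(text):
    """Count whole identifiers in `text` that are known JavaScript keywords."""
    return sum(w in JS_KEYWORDS for w in re.findall(r"[A-Za-z_$][\w$]*", text))


def best_shift(text):
    """Return (shift, hits) for the rotation that exposes the most keywords."""
    hits, shift = max(((keyword_hits(rotate(text, s)), s) for s in range(26)),
                      key=lambda pair: (pair[0], -pair[1]))
    return shift, hits


def decode_rotated_literals(script, min_hits=2):
    """List (shift, decoded) for literals that read as JavaScript only once rotated."""
    findings = []
    for match in STRING_LITERAL.finditer(script):
        shift, hits = best_shift(match.group(2))
        # shift 0 means the literal is already plain; one hit can be chance.
        if shift != 0 and hits >= min_hits:
            findings.append((shift, rotate(match.group(2), shift)))
    return findings


if __name__ == "__main__":
    for shift, decoded in decode_rotated_literals(SAMPLE):
        print(f"rotation {shift}: {decoded}")
```

The min_hits threshold matters because short strings can match a keyword by accident under some rotation.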

Mafia

From the log files, the two IP addresses used belong to an ISP that is presumably owned as a cover by a powerful Russian cybercrime syndicate: Russian Business Network. A quick search on Wikipedia will inform you of the reputation of this group, which is unfortunately not the object of any legal procedures, because of a big autonomous laundering system - quite a classic for a crime syndicate - that makes their actions "legal".

The primary goal of this kind of big attack is to capture as many computers as possible to build zombie networks. Those botnets (a famous RBN activity) are used to run DDoS attacks on some organisation networks, or on some neighbour countries (as happened in Eastern Europe last year).

Protection

How to protect yourself from this kind of malware? The question was asked and answered several times, but it will always be important.

* Turn off JavaScript as much as you can while you're surfing.

* Choose a browser that supports security plugins like NoScript.

* Keep your software up to date: Operating System, Browser, media player (WMP, QuickTime, Winamp) and their plugins, your AV database.

* Do not surf without protection.

* Do not trust or entirely rely on the website you're surfing, even if admins are quick to counter the menace and act effectively to avoid inconveniences.

Links

ROT13 - http://en.wikipedia.org/wiki/ROT13
RBN - http://en.wikipedia.org/wiki/Russian_Business_Network
Mebroot - http://rbnexploit.blogspot.com/2008/01/rbn-out-with-new-and-in-with-old.html

Thanks to

+ DiamonDie^Hugi
+ sakuya and ebola for reporting typos
+ girafe and kaneel for their support

This article and attached code (bonus pack) are for analysis purposes only. The code file is a harmless PLAINTEXT file, so you can view it in your favourite text viewer. I advise you not to activate the automatic line return in your text viewer for convenient reading.

Silkut