A few days ago I received an interesting email message:
Just your typical phishing email. Normally, I would just dump it into our signature automation processors and move on to the next piece of malicious code. This one was intriguing, though: within hours we received a handful of other samples similar to this, and having a couple extra hours in my day, I figured I’d stop and take a good look at it.
The malware arrived packed with UPX and once unpacked I discovered it had its own mechanisms in place to prevent emulation: 
I found this quite interesting. these days we don’t often see malware that’s particularly well-structured or beautifully written: the days of the early hacking outfits and groups have moved onto cybercriminals trying to pump out as much malware as they can as quickly as they can in order to maximize their potential to make money. The majority of today’s malware just doesn’t have that certain ‘classiness’ earlier malware did.
This malware deviated from today’s style of coding; it’s well-structured and well-written. Even the transfer calls are well crafted! Look at this example:
Notice the PUSH/RETN combination used instead of lazily using CALL[ADDRESS].
Also:
This malware seems to have dedicated most of its code on a singular goal: gathering details of an infected host’s FTP servers. This malware is obsessed with it!
It watches for many popular FTP programs, including: Far FTP
Ghisler’s Windows and Total Commander
WS_FTP
GlobalSCAPE CuteFTP
FlashFXP
How the malware acquires FTP details is very intricate. The malware queries the Windows registry for the path of either an .ini or .dat file. It can also query for the actual host, username and password related to the specific FTP client application via registry subkeys. Also, whenever possible it also checks the ShSpecialFolder for the presence of known FTP client directories and then manually searches for both the .ini and .dat files.
Here are a few examples:
For CuteFTP it queries the Windows registry: 
Aside from querying the registry it also parses special folders such as:
_%CurrentUser%\Application Data\
%All Users%\Application Data\
%CurrentUser%\Local Settings\Application Data\
%Program Files%_
By searching for CuteFTP’s .dat file (sm.dat – site manager data file), the malware can cover CuteFTP Pro, CuteFTP and CuteFTP Lite. It also covers CuteFTP’s QCToolbar versions 6, 7 and 8 for both Home and Professional editions by querying the QCHistory registry entries.
For Ghisler’s Total and Windows Commander:
The malware searches the registry carefully by querying for both ftpIniName and InstallDir for both versions which holds the wcx_ftp.ini file.
It also checks the registry for info for Far FTP, and retrieves the UserName, Password and Hostname subkeys: 
For WS_FTP it searches the following folders for .ini files:
%CurrentUser%\Application Data\Sites\
%All Users%\Application Data\Sites\
%CurrentUser%\Local Settings\Application Data\Sites\
When the malware searches the above directories, it then goes as far as checking whether the ShGetFolderPath API is incompatible with the victim’s hosts. If so, it extends the query to look in the related registry entires. The attention to detail is quite remarkable: 
For FlashFXP, it looks in the registry section HKCU\Software\FlashFXP and HKLM\Software\FlashFXP and then looks for path, InstallerDataPath, Install Path, and Data Folder, searching for the location of sites.dat, quick.dat, and history.dat: 
Just to be certain it finds everything, it also searches for the same files using ShSpecialFolders:
%CurrentUser%\Application Data\FlashFXP\3
%All Users%\Application Data\FlashFXP\3
%CurrentUser%\Local Settings\Application Data\FlashFXP\3
%CurrentUser%\Application Data\FlashFXP\4
%All Users%\Application Data\FlashFXP\4
%CurrentUser%\Local Settings\Application Data\FlashFXP\4
The author does a great job of covering a large number of common FTP client, email client, file browsers and file manager programs. It’s likely the infected host will be using at least one of these programs.
The programs it searches for are:
- FileZilla
- FTP Navigator FTP Commander
- BulletProof FTP
- SmartFTP
- TurboFTP
- Sota FFFTP
- Coffe Cup Software
- FTPWare COREFTP
- FTP Explorer
- Frigate3 Ftp
- VanDyke SecureFX
- UltraFXP
- FTPRush
- Cryer WebSitePublisher
- BitKinex
- ExpanDrive
- NCH Software ClassicFTP
- NCH Software Fling
- FTPClient SoftX.org
- GPSoftware Directory Opus
- CoffeCup Software SharedSettings
- LeapFTP
- Martin Prikryl WinSCP
- 32BitFtp
- NetDrive
- South River Technologies WebDrive
- FTPCON
- Opera Software Wand.dat
- AceBIT
- Rhino Soft FTPVoyager
- Mozilla FireFox Profiles
- Mozilla FireFox FireFtpSites
- Mozilla SeaMonkey
- Mozilla Flock Browser
- Mozilla Profiles
- LeechFTP
- SiteInfo.QFP
- WinFTP
- FTPSurfer
- FTPGetter
- Estsoft ALFTP
- Adobe Common SiteServers
- DeluxeFTP
- Google Chrome
- Chromium
- ChromePlus
- Bromium
- Nichrome
- Comodo
- RockMelt
- K-Meleon
- Epic
- Staff-FTP
- FTP Visicom Media
- GlobalDownloader
- FreshFTP
- BlazeFtp
- FTP++
- GoFTP
- 3D-FTP
- EasyFTP
- NetSarang
- RDP (Remote Desktop Protocol)
- FTPNow
- Robo-FTP 3.7
- LinasFTP
- Cyberduck
- Simon Tatham PuTTY
- NppFTP
- CoffeeCup FTP Profiles
- FTPShell
- MAS Soft FTPInfo
- NexusFile
- FastStone Browser
- MapleStudio ChromePlus
- Nico Mak Computing WinZip FTP
- Yandex
- My FTP
- Application with ID 74FF1730-B1F2-4D88-926B-1568FAE61DB7
- INSoftware NovaFTP
- Microsoft Windows Live Mail
- Microsoft Windows Mail
- RimArts Mail
- Poco Systems Mail
- IncrediMail
- RIT Bat Mail
- Microsoft Internet Account Manager
- Mozilla Thunder Bird
- FastTrack
Another interesting thing of note is how it calls the above listed FTP programs. The malware calls the addresses by using a table of predetermined addresses and then calling each by causing a fault, for example Call FEEEFEEE: 
.and then referring to the address to the SEH: 
Of course, the malware wouldn’t be complete without the ability to update itself and download new versions! Some of the URL’s it tries to contact to download updates are:
hxxp://bigfishllc.com:81/ponyb/gate.php
hxxp://3ecompany.com:8080/ponyb/gate.php
hxxp://24.coast2coastwoundcare.com/ponyb/gate.php
hxxp://24.coasttocoastwoundcare.com/ponyb/gate.php
hxxp://00002fl.rcomhost.com/ziM4.exe
hxxp://dtwassociates.com/HSj.exe
hxxp://208.112.50.5/h1bXVj.exe
hxxp://panipatexporters.com/zuxG8.exe
hxxp://www.hyperlogic.de/VE9N79S.exe
Most likely one of the above URL’s handles the transmission of the stolen credentials and information.
And of course we have the classic registry entries:
HKCU\Software\WinRARHKCU\Software\Microsoft\Windows\CurrentVersion\Run
{Some ID} \”\”%CurrentUser%\[RandomFolderName]\[RandomName].exe\”\”
This malware also applies a dictionary attack using the following long list of words. The malware uses the API LoadUserProfileA:
- 123456
- password
- phpbb
- qwerty
- 12345
- jesus
- 12345678
- abc123
- letmein
- password1
- hello
- monkey
- dragon
- trustno1
- 111111
- iloveyou
- 1234567
- shadow
- 123456789
- christ
- sunshine
- master
- computer
- princess
- tigger
- football
- angel
- jesus1
- 123123
- whatever
- freedom
- killer
- soccer
- superman
- michael
- cheese
- internet
- joshua
- fuckyou
- blessed
- baseball
- starwars
- 000000
- purple
- jordan
- faith
- summer
- ashley
- buster
- heaven
- pepper
- 7777777
- hunter
- lovely
- andrew
- thomas
- angels
- charlie
- daniel
- jennifer
- single
- hannah
- qazwsx
- happy
- matrix
- aaaaaa
- 654321
- amanda
- nothing
- ginger
- mother
- snoopy
- jessica
- welcome
- pokemon
- iloveyou1
- 11111
- mustang
- helpme
- justin
- jasmine
- orange
- testing
- apple
- michelle
- peace
- secret
- grace
- william
- iloveyou2
- nicole
- 666666
- muffin
- gateway
- fuckyou1
- asshole
- hahaha
- blessing
- blahblah
- myspace1
- matthew
- canada
- silver
- robert
- forever
- asdfgh
- rachel
- rainbow
- guitar
- peanut
- batman
- cookie
- bailey
- soccer1
- mickey
- biteme
- hello1
- eminem
- dakota
- samantha
- compaq
- diamond
- taylor
- forum
- john316
- richard
- blink182
- peaches
- flower
- scooter
- banana
- james
- asdfasdf
- victory
- london
- 123qwe
- 123321
- startrek
- george
- winner
- maggie
- trinity
- online
- 123abc
- chicken
- junior
- chris
- passw0rd
- austin
- sparky
- admin
- merlin
- friends
- shalom
- nintendo
- looking
- harley
- smokey
- joseph
- lucky
- digital
- thunder
- spirit
- bandit
- enter
- anthony
- corvette
- hockey
- power
- benjamin
- iloveyou!
- 1q2w3e
- viper
- genesis
- knight
- qwerty1
- creative
- foobar
- adidas
- rotimi
- slayer
- wisdom
- praise
- zxcvbnm
- samuel
- dallas
- green
- testtest
- maverick
- onelove
- david
- mylove
- church
- friend
- destiny
- microsoft
- 222222
- bubbles
- 11111111
- cocacola
- jordan23
- ilovegod
- football1
- loving
- nathan
- emmanuel
- scooby
- fuckoff
- sammy
- maxwell
- jason
- 1q2w3e4r
- red123
- blabla
- prince
- qwert
- chelsea
- 55555
- angel1
- hardcore
- dexter
- saved
- 112233
- hallo
- jasper
- danielle
- kitten
- cassie
- stella
- prayer
- hotdog
- windows
- mustdie
- gates
- billgates
- ghbdtn
- gfhjkm
- 1234567890
I have dedicated much of this write up on the ability of this malware to steal FTP info; I believe that this is what the malware was designed for.
Few authors take the time to make their malware code as clean as possible. This specific malware is well thought out and very carefully coded. In today’s culture of malware creation, few pay attention to quality and details, and for this malware I gladly and honorably provide him the distinction of W32/Kryptik.AX!tr.
-Zandro
Leave a reply
