Friday, December 12, 2008

Internal Laughs

Most malware that I look at these days is packed, sometimes double-packed, in order to hide what's inside. When they aren't packed, many times the strings inside the binary are encoded or encrypted so a strings program can't see what is going on.

Sometimes, however, if you wish REALLY hard and REALLY believe, you come across a gem like the one I looked at last night. I was notified of a piece of malware sitting on a server by one of my many sources. After downloading it, one of the first things I did was run the Sysinternals strings* utility against it. I found some interesting things:

C:\Documents and Settings\James\Desktop\MSN Pass Stealer\Stub\Project1.vbp

Hello AV Companies, Please Call Me

Hello AV Companies, Please Call Me Win32.MSNPassSteal.VB Thank You!

It's so nice to see things like this at times. While I'm pretty sure James didn't write this particular piece of malware, he probably did modify the source (MSN password stealer source code is easy to find) and compile it.

James - if you are reading this, let me give you some advice. First, learn how to use your compiler and how to turn off the debugging features that are turned on by default. Second, AV companies are not going to name your malware something you want. None of them did.

And finally, if you are going to use a user ID to post the results under, don't make it unique. Our intrepid fellow put the website the stolen credentials would post to, as well as the user ID to use, right in the binary. While I'm not 100% sure it's James' ID (which is why I didn't show it), it is very unique and can be traced back to a single user.

Then again, James, don't follow my advice. It'll be easier to catch you that way. :)


* Even though I do 99% of my static analysis on Linux, I prefer the Sysinternals strings program because it can grab unicode strings and to my knowledge the Linux strings cannot. It works just great under Wine. If anyone knows of a Linux strings program that can grab unicode strings, let me know.
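For analysts who want the same thing on Linux without Wine, here is a small Python script (added here as an example; it is not part of the original post and not a Sysinternals tool) that pulls both printable-ASCII runs and UTF-16LE runs out of a binary, the way the post describes the Sysinternals strings utility doing, and then flags strings that look like leftover build paths (a `.vbp` or `.pdb` path with a user name in it, as in the sample above). The `SAMPLE` blob is constructed inline from the strings quoted in the post so the script runs offline; the regular expressions, the minimum length of 4 and the function names are my choices, not anything from the original binary.

```python
import re
import sys
from typing import List, Tuple

MIN_LEN = 4  # assumed minimum length, the same default as most strings tools


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for runs of at least min_len UTF-16LE characters.

    Windows binaries store wide strings as one printable byte followed by 0x00,
    which is exactly what a plain ASCII strings pass skips over.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def all_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Both encodings merged and sorted by file offset."""
    found = ascii_strings(data, min_len) + utf16le_strings(data, min_len)
    found.sort(key=lambda item: item[0])
    return found


# A drive-letter path ending in a VB project or PDB file is a build artefact the
# author left in; it usually carries the developer's user name (hypothetical filter).
BUILD_PATH_RE = re.compile(r"^[A-Za-z]:\\.*\.(?:vbp|pdb)$", re.IGNORECASE)


def build_paths(strings: List[Tuple[int, str]]) -> List[str]:
    """Pick out strings that look like leftover source/debug paths."""
    return [text for _, text in strings if BUILD_PATH_RE.match(text)]


# Constructed sample blob: a fake header, an ASCII build path, some binary noise,
# a UTF-16LE message and a too-short ASCII fragment. Not a real executable.
PATH = "C:\\Documents and Settings\\James\\Desktop\\Stub\\Project1.vbp"
MESSAGE = "Hello AV Companies, Please Call Me"
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + PATH.encode("ascii") + b"\x00"
    + b"\x01\x02\x03"
    + MESSAGE.encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"ab\x00"
)


def main(argv: List[str]) -> None:
    # With a file argument, scan that file; otherwise scan the constructed sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    found = all_strings(data)
    for offset, text in found:
        print(f"0x{offset:08x}  {text}")
    for path in build_paths(found):
        print(f"build path left in binary: {path}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 strings16.py sample.exe` to scan a file, or with no argument to see it pick both strings (and flag the `.vbp` path) out of the constructed blob. The UTF-16 pattern only recognises the Latin range, which is what matters for paths, URLs and English messages; a full wide-character extractor would decode arbitrary code points.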