More phishing

I got an email purporting to be from PayPal, asking me to download a security tool that will help protect my computer. Well guess what, it doesn’t (well duh!). It turns out to be changing the NameServer entries for all the interfaces in the registry keys under SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces to something else, i.e. it points your DNS lookups at a server of its choosing. Firing up a disassembler, we find out that the value it’s trying to set is:

aRstpuucpuucpur	db 90h			; DATA XREF: start+Ao start+101o ...
db  98h	;
db  92h	;
db  8Fh	;
db  93h	;
db  93h	;
db  96h	;
db  8Fh	;
db  93h	;
db  93h	;
db  96h	;
db  8Fh	;
db  93h	;
db  90h	;
db  99h	;
db    0	;

Not surprisingly, this is not a kosher string; it’s been encoded. One of the first things the code does is decode it in place, using the following bit of code:

sub_0_40107E	proc near		; CODE XREF: start+Fp
arg_0		= dword	ptr  4
		mov	eax, [esp+arg_0]	; eax = pointer to the encoded string
		mov	ecx, eax		; ecx = write cursor (decodes in place)
		mov	dl, [eax]		; dl = first byte
loc_0_401086:				; CODE XREF: sub_0_40107E+15j
		test	dl, dl			; reached the terminating 0 byte?
		jz	short locret_0_401095	; yes: done
		xor	dl, 0A1h		; decode one byte with the key 0A1h
		mov	[ecx], dl		; write it back over the encoded byte
		mov	dl, [ecx+1]		; fetch the next byte
		inc	ecx			; advance the cursor
		jmp	short loc_0_401086	; loop
locret_0_401095:			; target of the jz above (IDA's locret_ prefix marks a return)
		retn
sub_0_40107E	endp

<sarcasm>Terribly complicated</sarcasm>. The code XORs each byte of the string with 0A1h until it hits the terminating zero. We could step through it byte by byte, or you can trust me that it decodes to 193.227.227.218. A traceroute suggests it’s probably somewhere in Romania (.ro top-level domain):

Tracing route to 193.227.227.218 over a maximum of 30 hops
1     1 ms    <1 ms    <1 ms  10.0.0.71
2    57 ms    21 ms    23 ms  b-ras1.lmk.limerick.eircom.net [159.134.155.24]
3    21 ms    22 ms    20 ms  ge15-2.corea.lmk.limerick.eircom.net [83.71.114.97]
4    36 ms    36 ms    35 ms  83.71.112.94
5    36 ms    40 ms    39 ms  london1-br2-fe0-0.rdsnet.ro [195.66.226.46]
6    54 ms    53 ms    52 ms  fra2-cr1-ge5-0.539.rdsnet.ro [62.231.127.89]
7     *        *        *     Request timed out.
8    89 ms    90 ms    87 ms  constanta1-cr1-vlan25.rdsct.ro [212.93.137.51]
9    94 ms    88 ms    96 ms  constanta1-fo-vlan10.rdsct.ro [212.93.137.10]
10    89 ms   101 ms    90 ms  81.196.163.89
11    95 ms    95 ms   101 ms  cr1.micos.ro [193.227.226.254]
12    91 ms    96 ms    97 ms  193.227.227.218

The short answer is 1. never run code that you’re uncertain of the origin of, and 2. never run code that you’re uncertain of the origin of.

Quick XOR tutorial. Exclusive OR: the result is 1 if either A or B is 1, but not both. So 0 xor 0 = 0, 0 xor 1 = 1, 1 xor 0 = 1, 1 xor 1 = 0. Each hex digit is a run of 4 binary digits: 0 = 0000, 9 = 1001, A = 1010, F = 1111. Taking the first byte of the table:
90h xor 0A1h = 1001 0000 xor 1010 0001 = 0011 0001 = 31h
Conveniently, 30h = ‘0’ through 39h = ‘9’ are the ASCII digits and 2Eh = ‘.’, so the decoded bytes translate straight into a dotted IP address. XOR is also its own inverse: applying the same key again gives the encoded byte back.
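As an added example (not code from the original post), here is the decode loop above and the XOR tutorial worked in Python. It goes a little beyond the post: besides decoding with the known key 0A1h, it recovers the key without the disassembly by trying all 256 single-byte keys and keeping the one that yields a dotted-quad address, and it includes a defender-side check over a constructed snapshot of the per-interface NameServer values. The byte table is taken from the listing above; the registry sample and the interface names are constructed.

```python
import re

# Constructed from the db table in the disassembly above: the encoded
# NameServer value, NUL-terminated, exactly as the binary stores it.
ENCODED = bytes([0x90, 0x98, 0x92, 0x8F, 0x93, 0x93, 0x96, 0x8F,
                 0x93, 0x93, 0x96, 0x8F, 0x93, 0x90, 0x99, 0x00])

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"^{OCTET}(?:\.{OCTET}){{3}}$")


def xor_decode(data: bytes, key: int) -> str:
    """Mirror sub_0_40107E: XOR each byte with key, stopping at the 0 byte."""
    out = bytearray()
    for b in data:
        if b == 0:           # test dl, dl / jz locret
            break
        out.append(b ^ key)  # xor dl, key
    return out.decode("latin-1")


def recover_keys(data: bytes) -> list[tuple[int, str]]:
    """Brute-force every single-byte key; keep those whose plaintext is an IPv4 address."""
    hits = []
    for key in range(256):
        text = xor_decode(data, key)
        if IPV4_RE.match(text):
            hits.append((key, text))
    return hits


def rogue_nameservers(interfaces: dict[str, str], allowed: set[str]) -> dict[str, str]:
    """Flag interfaces whose NameServer value names a server outside the allowlist.

    interfaces maps a Tcpip\\Parameters\\Interfaces subkey name to its NameServer
    string (Windows separates multiple servers with commas or spaces)."""
    bad = {}
    for subkey, value in interfaces.items():
        servers = {s for s in re.split(r"[ ,]+", value) if s}
        if servers - allowed:
            bad[subkey] = value
    return bad


if __name__ == "__main__":
    print(xor_decode(ENCODED, 0xA1))   # 193.227.227.218
    print(recover_keys(ENCODED))       # [(161, '193.227.227.218')]
    # Constructed sample: one interface already rewritten by the dropper.
    sample = {"{IF-1}": "10.0.0.1", "{IF-2}": "193.227.227.218"}
    print(rogue_nameservers(sample, {"10.0.0.1"}))
```

The key search works because only one key turns the three 8Fh bytes into ‘.’ while leaving everything else as digits; with a real registry the same check would read the NameServer values out of each interface subkey.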