Traversing or reversing a DLL is always a challenge (for beginners and intermediates). When a DLL ships with an EXE, it is the EXE's job to load the DLL into memory. But what if you get just the DLL alone to reverse? It's cool, right ;-)
Here I am going to traverse a financial crimeware Trojan that comes in the form of a DLL.
Let's look at the strings to guess how the DLL behaves.
Hmm.. no readable strings? Then it should be a packed file. The next step is to identify the packer.
To identify the packer I use PEiD.
So the packer is ASPack 2.12. Interesting, and not so tough to unpack.
The unpacking steps for ASPack are similar to UPX. You can see the PUSHAD instruction at the entry point when the file is loaded in Olly. I'll unpack this DLL in OllyDbg by following the address held in the ESP register in the dump and setting a breakpoint on it (the so-called ESP trick).
As shown in the above screenshot, execute the first instruction, PUSHAD (1), which pushes all the general-purpose registers onto the stack. Now follow the address in the ESP register (2) in the dump (3) and set a "Hardware, on access" breakpoint on it, as shown in (4). But why? The breakpoint fires the next time that stack slot is touched, which happens when the unpacking stub executes POPAD to restore the registers just before jumping to the original entry point. That entry point is the start of what we call the unpacked file.
Let's see what happens when I press F9 after setting the above breakpoint.
Bad.. it has detected the debugger. What's next?
I found the API responsible for detecting the debugger: "IsDebuggerPresent". Let's see what the function does according to MSDN,
"Determines whether the calling process is being debugged by a user-mode debugger"
From the above reference it is clear that the function checks whether the current process is being debugged by a ring-3 (user-mode) debugger. All it does is read the BeingDebugged byte in the process's PEB, which the OS sets when a debugger attaches, so under Olly the call returns a nonzero value, saying 'Yes'. To unpack the file we have to get past this protection. We can either use a plugin (which hides the debugger by clearing that very byte) or modify values ourselves to escape the check. Let's do it manually ;-) For that I set a breakpoint on the API from the Olly command line (bp IsDebuggerPresent).
We land in the kernel32 module, which contains the IsDebuggerPresent function. Press Alt+F9 (execute till user code) to return to the caller in the Trojan's code.
The next instruction is TEST AL,AL. The return value of a Win32 API is left in the EAX register, and since IsDebuggerPresent returns a BOOL the caller only tests its low byte, AL, for zero. Because IsDebuggerPresent succeeds here, the return value is 1, so TEST AL,AL clears the zero flag and the conditional jump that follows (taken only when AL is 0) is not taken. As you can see in the above screenshot, when the jump is not taken the code calls the function that pops up the Debugger Detected dialog box.
To evade this warning we can either use an external plug-in or modify some value so that the jump skips the debugger-detected function. Let's modify the value instead of using a plug-in.
There are three ways to get past the detection check,
- By changing the return value in the EAX register from 1 to 0.
- Or by setting the zero flag (Z) to 1.
- Or by NOPing the instructions that call the detection routine.
To change the return value stored in EAX, double-click on the register value and change it from 00000001 to 00000000. When TEST AL,AL is then executed, the return value is 0, meaning the current process is not being debugged: the zero flag is set and the jump is taken, which keeps us away from the Debugger Detected dialog box.
Alternatively, after TEST AL,AL has executed, double-click the Z flag to change it from 0 to 1; the jump is taken again and we skip the error message.
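The three edits above are done live in Olly because the packed code only exists in memory. Once the sample has been unpacked and dumped, the same three evasions can be applied as permanent byte patches. The script below is an added example, not code from the original post: it assumes the usual compiler idiom around the check (an indirect call through the import table, TEST AL,AL, a short JE over the handler call, then a CALL rel32 to the routine that shows the dialog), operates on a constructed stand-in for those bytes (the IAT address and call target are made up, not values from the sample), and includes a tiny interpreter for just those opcodes so each patch can be checked to keep the handler from running even when IsDebuggerPresent returns 1.

```python
"""Static patches for the IsDebuggerPresent check described above.

Added example; this is not code from the original post. It assumes the
usual compiler idiom around the check:

    call dword ptr [IAT slot]   ; IsDebuggerPresent
    test al, al
    je   skip                   ; AL == 0 -> no debugger, skip the handler
    call debugger_detected
skip:

The three runtime edits done in Olly (EAX := 0, ZF := 1, NOP) map onto
three permanent byte patches, and a tiny interpreter confirms each one
keeps the handler from running even when IsDebuggerPresent returns 1.
"""
import struct

# Constructed stand-in for the unpacked code around the check. These are
# NOT bytes from the sample in the post; the IAT address and the call
# target are arbitrary.
#   FF 15 10 20 40 00   call dword ptr [0x402010]  ; IsDebuggerPresent
#   84 C0               test al, al
#   74 05               je   +5                    ; jumps over the call
#   E8 F5 FF FF FF      call debugger_detected     ; rel32 target is irrelevant
#   C3                  ret
STUB = bytes.fromhex("FF151020400084C07405E8F5FFFFFFC3")

TEST_AL_AL = b"\x84\xC0"
XOR_AL_AL = b"\x30\xC0"   # same length as test al,al: AL = 0 and ZF = 1
JE_REL8, JMP_REL8, CALL_REL32, NOP, RET = 0x74, 0xEB, 0xE8, 0x90, 0xC3


def find_check(code: bytes) -> int:
    """Return the offset of 'test al,al ; je rel8' that directly follows an
    indirect call through the import table (FF 15 imm32), or -1."""
    i = 0
    while True:
        i = code.find(TEST_AL_AL + bytes([JE_REL8]), i)
        if i < 0:
            return -1
        if i >= 6 and code[i - 6:i - 4] == b"\xFF\x15":
            return i
        i += 1


def patch(code: bytes, method: str) -> bytes:
    """Apply one of the three evasions as a byte patch on the unpacked image."""
    off = find_check(code)
    if off < 0:
        raise ValueError("IsDebuggerPresent check pattern not found")
    buf = bytearray(code)
    if method == "zero-eax":        # like editing EAX to 0 in Olly
        buf[off:off + 2] = XOR_AL_AL
    elif method == "force-jump":    # like setting the Z flag: always jump
        buf[off + 2] = JMP_REL8
    elif method == "nop-call":      # NOP the call to the detection routine
        call_off = off + 4
        if buf[call_off] != CALL_REL32:
            raise ValueError("expected call rel32 after the conditional jump")
        buf[call_off:call_off + 5] = bytes([NOP]) * 5
    else:
        raise ValueError(f"unknown method {method!r}")
    return bytes(buf)


def handler_called(code: bytes, is_debugger_present: int) -> bool:
    """Interpret just the opcodes used above and report whether the
    debugger_detected call is reached. `is_debugger_present` is the value
    the stubbed API call leaves in AL."""
    ip, al, zf = 0, 0, False
    while ip < len(code):
        op = code[ip]
        if op == 0xFF and code[ip + 1] == 0x15:      # call [imm32] -> API stub
            al, ip = is_debugger_present & 0xFF, ip + 6
        elif code[ip:ip + 2] == TEST_AL_AL:
            zf, ip = al == 0, ip + 2
        elif code[ip:ip + 2] == XOR_AL_AL:
            al, zf, ip = 0, True, ip + 2
        elif op in (JE_REL8, JMP_REL8):
            rel = struct.unpack("<b", code[ip + 1:ip + 2])[0]
            ip += 2 + (rel if (op == JMP_REL8 or zf) else 0)
        elif op == CALL_REL32:                        # the handler itself
            return True
        elif op == NOP:
            ip += 1
        elif op == RET:
            return False
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {ip}")
    return False


if __name__ == "__main__":
    print("unpatched, debugger present:", handler_called(STUB, 1))
    for m in ("zero-eax", "force-jump", "nop-call"):
        print(f"{m:>10}:", handler_called(patch(STUB, m), 1))
```

Note that none of this helps while you are still stepping through the packed file: those bytes are only decrypted at run time, so the edit has to be made live in Olly as described above. The pattern search is also deliberately strict (it wants the TEST/JE pair right after an FF 15 call), so on a real dump you would first confirm that the IAT slot really is IsDebuggerPresent before patching.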
Pressing F9, the hardware breakpoint fires after POPAD and the code stops at the JMP EAX that takes us to the Original Entry Point (OEP).
Now I should see readable strings in Olly, since the file is unpacked.
I can still see some encrypted strings even after unpacking the file. These strings are decrypted at run time, so to find out which banks this Trojan targets I have to let it run.
Let me call the exported function 'update' with rundll32, which loads the DLL into rundll32.exe. To get into the DLL, attach Olly to rundll32.exe and open the Modules window to view the DLL.
The very interesting part is that it captures the window title of Internet Explorer and Firefox and compares it against the strings this Trojan targets. But what strings?
To find that out I played a small trick. I opened a random website in Internet Explorer. The Trojan reads the window title to compare it with its list, and before doing so it decrypts the encrypted strings into a buffer in memory. That let me pull the readable strings out of the buffer and find the targets.
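The two halves of that trick, recovering the decrypted list from a memory buffer and matching it against a browser window title, can be reproduced offline. The script below is an added example, not the author's code: the dump bytes are constructed for the demo and the target names are placeholders, not the banks this sample goes after, and the matching rule (case-insensitive substring) is an assumption about how such a comparison is typically done, not something recovered from the sample.

```python
"""Recovering the decrypted target list from a memory dump and matching it
against browser window titles.

Added example, not the author's code. The dump below is constructed for the
demo and the target names are placeholders, not the banks the sample
targets; a real dump would be the buffer the Trojan fills just before it
compares window titles.
"""
import re
from typing import List, Optional


def extract_strings(buf: bytes, min_len: int = 6) -> List[str]:
    """Pull printable runs out of a buffer, both plain ASCII and UTF-16LE
    (the encoding Windows uses for window titles), like `strings` does."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf):
        found.append(m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, buf):
        found.append(m.group().decode("utf-16-le"))
    return found


def match_title(title: str, targets: List[str]) -> Optional[str]:
    """Case-insensitive substring match (an assumed rule): the simplest
    check that explains why merely opening a target bank's page in the
    browser is enough to trigger the overlay."""
    folded = title.casefold()
    for name in targets:
        if name.casefold() in folded:
            return name
    return None


# Constructed dump: some junk, one ASCII target, one UTF-16LE target.
DUMP = (
    b"\x00\x8f\x13\x01"
    + b"Exemplo Banco A\x00"
    + b"\x7f\x01"
    + "Banco Exemplo B".encode("utf-16-le") + b"\x00\x00"
    + b"\xc3\x9a"
)

TARGETS = extract_strings(DUMP)

if __name__ == "__main__":
    print(TARGETS)
    for t in ("Exemplo Banco A - Windows Internet Explorer",
              "banco exemplo b - Mozilla Firefox",
              "Some other site - Windows Internet Explorer"):
        print(repr(t), "->", match_title(t, TARGETS))
```

Scanning for UTF-16LE as well as ASCII matters here: GetWindowTextW-style titles and any list meant to be compared against them are often stored as wide strings, which an ASCII-only pass would miss entirely.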
This Trojan targets a few financial institutions in Brazil, which are listed below,
But what does this Trojan do with these banks?
When a user visits any of the bank websites listed above, this Trojan overlays fake content that matches the original website on top of it. In the screenshot below, when I visited the 4th link in the above list and clicked on Usuario to enter a username, the Internet Explorer window became inactive and went to the background, which confirms that the marked part asking for the user's information is fake content overlaid on top of the original website.
When I entered information in the above fields and clicked CONFIRMAR, it kept asking for more information (below screenshot), but the URL in the address bar did not change. This shows that I was still on the login page of the original bank website, while the overlaid page went on asking for further details.
After collecting all the information from the user, the Trojan DLL displays an error message. When we click OK, it closes the fake content and puts the user back on the home page, which makes the user re-enter their information on the original website.
In the background, the Trojan connects to the command and control server to get the drop site, i.e. where to post the stolen data. The C&C server replies with a website where the information has to be sent, and the Trojan sends the data to that remote server via HTTP POST.
The Trojan stores the user information in the format below, which is later transferred to the remote server.
This post shows how to work on a DLL file, and the impact on the user's system when such Trojans are installed.