said by Rocktagon:
I was wondering if you have any examples of malicious code embedded in an .exe file you could post. I know it would only be an example, but it may give those of us with limited programming knowledge an idea of the kinds of things to be looking for.
Sure, good idea!
There are a few types of text that I watch for when trying to understand an executable. First is the API names. You know the .exe has at least the _potential_ to do unwanted things if you see APIs like:
RegSetValueExA -- Writes to the Registry
RegCreateKeyExA -- Makes a Registry key
Reg[whatever] -- Registry worries: Set, Delete, Create
CreateFileA -- Makes a file; could be innocent
NetShareAdd -- Creates a share
NetShareEnum -- Checks out shares
WNetAddConnectionA -- Maps a drive or resource
WNet[whatever] -- Windows Networking stuff
Also you'll find .DLL names. One to really watch out for:
wsock32.dll - Windows Sockets, aka TCP/IP networking.
Usually you'll find error messages and user feedback in plain text. A couple to raise your hair from BO2K:
Could not start listen socket
Could not move/rename directory
Look for email headers and NNTP protocol commands, common in worms:
Type: multipart/mixed
Encoding: base64
HELO
RCPT TO:
Known nasties often have their own name inside, which you may recognize:
begin 644 Happy99.Exe -- Happy99
(This's CV, No Nimda.) -- Nimda
If you see this or something similar down in the middle of a file (it's normally at the very top):
This program must be run under Win32
... then there's another executable contained _inside_ this one. Very common with keyloggers, which are often dropped by trojans and run independently.
If the thing plays with the Registry, you'll usually find Registry key and path names. Some to watch out for:
currentversion -- that's where the startup keys live.
exefile -- some modify this key for startup.
There are tons of other things, you just have to use your head. Here's some text from a porn-dialer trojan:
Port Opened
Openning port...
Initializing modem...
rasdialProb
rasdialProbPB
Undefined RAS Dial Error (%ld).
It's not uncommon to find obvious indicators of malware, such as little gloats or greetz to the writer's buddies. Not surprisingly, they're frequently in ungrammatical, misspelled or h@x0r1zed text.
Even compressed .exe's often reveal telltale bits of text.
Compression/encryption isn't unusual. Look for UPX and other PE compressor names early in the file, they usually announce themselves. It's not a sure sign of malware, but certainly not a good sign either.
Often you can decompress them; just seek out a copy of the PE compressor utility, which is often available free or as a demo. It can be very revealing! The bad guys sometimes go really nuts in a proggy they're compressing, tossing in even more of the obvious telltales and taunts than usual.
Don't limit your curiosity to .exe's. Not all executables carry the .exe extension by a long shot; especially malware. Commonly used extensions on worms and other malware are .com, .scr, .pif, .shs, and other executable types; also .dll, .jpg, .txt. Anything is possible. An executable extension is not always necessary in order to make a program run. For instance, entries in the Registry startup keys (Run, RunServices, RunOnce, etc.) are executed regardless of extension.
pchelp
(edits in italics)
[text was edited by author 2002-02-03 15:19:52]
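As an added example, not part of pchelp's post: a small Python triage script that applies the telltales described above (API and DLL names, mail/NNTP strings, a packer name near the top of the file, and a second "run under Win32" stub message deep in the file) to a constructed byte blob standing in for an .exe. The indicator lists and the 1024-byte "early in the file" window are assumptions chosen for the demo.

```python
import re

# Indicator strings taken from the post, grouped by what they hint at.
INDICATORS = {
    "registry": [b"RegSetValueExA", b"RegCreateKeyExA", b"RegDeleteKeyA",
                 b"currentversion", b"exefile"],
    "network": [b"wsock32.dll", b"NetShareAdd", b"NetShareEnum",
                b"WNetAddConnectionA"],
    "mail-worm": [b"multipart/mixed", b"Encoding: base64", b"HELO", b"RCPT TO:"],
}
STUB_MSG = b"This program must be run under Win32"

def printable_strings(data, min_len=4):
    """Runs of printable ASCII, as the 'strings' utility would list them."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    """Report which of the post's telltales appear in a binary blob."""
    report = {"indicators": {}, "packer": None, "embedded_exe_offsets": []}
    lower = data.lower()
    for category, needles in INDICATORS.items():
        hits = sorted(n.decode() for n in needles if n.lower() in lower)
        if hits:
            report["indicators"][category] = hits
    # PE compressors announce themselves near the top (UPX names its sections UPX0/UPX1);
    # the 1024-byte window is an assumption for this demo.
    if b"UPX" in data[:1024]:
        report["packer"] = "UPX"
    # The DOS stub message belongs in the first few hundred bytes; any later copy
    # suggests another executable is embedded inside this one.
    offsets = [m.start() for m in re.finditer(re.escape(STUB_MSG), data)]
    report["embedded_exe_offsets"] = offsets[1:]
    return report

# Constructed sample: a fake PE-like blob for the demo, not a real binary.
SAMPLE = (b"MZ" + b"\x00" * 62 + STUB_MSG + b"\x00" * 200
          + b"UPX0\x00\x00\x00\x00" + b"\x00" * 3000
          + b"wsock32.dll\x00RegSetValueExA\x00Could not start listen socket\x00"
          + b"\x00" * 1000 + b"MZ" + b"\x00" * 62 + STUB_MSG + b"\x00" * 50
          + b"HELO\x00RCPT TO:\x00")

if __name__ == "__main__":
    for s in printable_strings(SAMPLE):
        print(s)
    print(triage(SAMPLE))
```

Run it against a real file by replacing SAMPLE with `open(path, "rb").read()`; a hit is a reason to look closer, not proof of malware, exactly as the post says of UPX.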