A Cryptogram a Day Keeps the Malware Away

by Andrew Brandt



As a child, one of my favorite daily pastimes was solving the cryptogram puzzle published in the LA Times (after my mom finished the crossword puzzle, of course). I used to plow through paperback word puzzle books obsessively, finishing them in days. Appropriately, a Trojan that popped onto my radar last week had me flexing my cryptogram muscles yet again.

The Trojan is a fairly common game password stealer, and it wouldn’t have merited a second look except that it also runs through a few routines to disable various antivirus products sold exclusively in Korea. Most game phishing Trojans we see originate in China and target gamers (and antivirus products sold) in China.

The application is designed to drop a copy of itself into the Windows directory, rename that copy canima.exe, then insert the appropriate registry keys to install itself as a service (with the implausible name “Nationaldddeew Instruments Domain Service” — hasn’t anyone told these game-snarfing saps about the uncanny valley?). It then sits around and waits for someone to enter credentials to log into any of at least seventeen online games popular in Korea, including Maple Story, Aion, WoW, and FIFA Online. The Trojan finally submits the stolen passwords to a Web site, but it doesn’t make that connection until it has something to upload. If you don’t have any games installed (as I don’t on my default testbed), the malware simply waits patiently until you install some.

So, I dumped the running file out of memory and took a look at whatever plain text strings were present. Sometimes you find domain names or other clues that reveal the origin of the attack (or the destination of any exfiltrated data). Several lines of text caught my eye, but they weren’t words, or even legible data. What was most apparent about these strings was that a large group of them began with the same seven-character repetition pattern, 1223455 (the second and third characters identical, and the sixth and seventh identical); the actual string in the file that caught my eye was s{{8HSS. If that pattern looks familiar, it should: the http:// prefix follows that same pattern.

Now, assuming those lines of garbled-up text were URLs, I figured I’d try my hand at manually decoding them. But I only had the letters h, t, p, and the colon and forward slash punctuation marks to go on. As it so happens, the lines of text also ended with a common pattern, “R |8” — and if one assumes that 8=p, then it was also possible that this was the suffix of an Active Server Page, an .asp file on the destination server.

So armed with the additional assumption that R=., an empty space is the letter “a,” and the pipe symbol represents “s,” the decoding process began to come together. It was looking good until I realized I had no idea how I’d guess the rest of the letters in the URL, because unlike a conventional cryptogram, which only uses (case-insensitive) letters, this one seemed to incorporate numbers and punctuation marks, as well.

So, digging through the strings some more, I came upon a couple of lines I had skipped over in my first scan of the file. They looked like this:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890`-=[];,./~!@#$%^&*()_+|{}:<>? "'
 "lmqrs'ABC34D8G+|{9V%XYZ=[M];120ab*(N)_}:<W>?cdijtuvwz`-nop,./~IOPQRSJL!@#$efgh56^&EFHxykTUK7

Technically, they looked exactly like this: [screenshot of the raw strings, not reproduced here]

It didn’t take long for me to realize that the tools who wrote this cryptogrammatically-enhanced malware embedded the secret decoder ring right into the file, alongside their “obfuscated” data.

After converting a single line, character by character, I was able to extract a full URL. (Cryptogram fans who also read this blog, I look forward to your letters.)
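The two steps above, spotting candidate URLs by their repetition pattern and then rebuilding the decoder ring from the embedded alphabets, as an added example that is not the Trojan's code or the author's. It uses the two alphabet lines exactly as they appear in this post; they contain the same 94 characters in different orders, but pairing them position by position does not reproduce the http:// crib until the cipher line is shifted right by one, so one character was lost from the front of that line on its way onto the page. The example assumes the lost character is a space (the post reads a space as “a”, and HTML collapses runs of whitespace), flags the duplicate that assumption creates, and runs over a constructed strings dump (the two fragments quoted in the post plus decoy Windows API names); nothing else about the binary is assumed.

```python
"""Rebuild the substitution table the Trojan shipped next to its obfuscated
strings and use it to decode them. Added example, not the malware's own code."""

# Line 1 as reproduced in the post: the plaintext alphabet (94 printable ASCII
# characters; backslash is absent).
PLAIN = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
         "`-=[];,./~!@#$%^&*()_+|{}:<>? \"'")
# Line 2 as reproduced in the post, including its single leading space.
CIPHER_AS_PRINTED = (" \"lmqrs'ABC34D8G+|{9V%XYZ=[M];120ab*(N)_}:<W>?cdijtuvwz"
                     "`-nop,./~IOPQRSJL!@#$efgh56^&EFHxykTUK7")
# Known plaintext/ciphertext pair from the post: every URL starts with http://
CRIB_PLAIN, CRIB_CIPHER = "http://", "s{{8HSS"
UNKNOWN = "\ufffd"  # marks cipher characters the recovered table does not cover

# Constructed sample of a strings dump: two fragments quoted in the post plus
# decoy API/service names, so the pattern search has something to reject.
DUMPED = ["kernel32.dll", "CreateServiceA", "s{{8HSS", "R |8",
          "Nationaldddeew Instruments"]


def signature(s):
    """Repetition pattern of a string: http:// -> (0,1,1,2,3,4,4), the post's 1223455."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in s)


def find_prefix_isomorphs(strings, crib):
    """Dumped strings whose first len(crib) characters repeat in the crib's pattern."""
    n, sig = len(crib), signature(crib)
    return [s for s in strings if len(s) >= n and signature(s[:n]) == sig]


def find_shift(plain, cipher, crib_pt, crib_ct, max_shift=3):
    """Offset d such that plain[i] pairs with cipher[i + d] and the crib decodes,
    or None. A non-zero d means one line lost or gained characters in reproduction."""
    for d in range(-max_shift, max_shift + 1):
        pairs = {p: cipher[i + d] for i, p in enumerate(plain)
                 if 0 <= i + d < len(cipher)}
        if all(pairs.get(p) == c for p, c in zip(crib_pt, crib_ct)):
            return d
    return None


def restore_cipher_line(cipher, shift, filler=" "):
    """Put back the characters the printed cipher line lost at the front (shift < 0)
    or drop extras (shift > 0). Assumption: the lost character is a space."""
    return filler * (-shift) + cipher if shift < 0 else cipher[shift:]


def build_decoder(plain, cipher):
    """cipher char -> plaintext char. First occurrence wins; duplicated cipher
    characters are returned so the analyst knows which decoded characters to distrust."""
    decode_map, dupes = {}, set()
    for p, c in zip(plain, cipher):
        if c in decode_map:
            dupes.add(c)
        else:
            decode_map[c] = p
    return decode_map, dupes


def decode(text, table):
    """Apply the substitution; characters outside the table become UNKNOWN."""
    return "".join(table.get(ch, UNKNOWN) for ch in text)


if __name__ == "__main__":
    print("URL-like strings:", find_prefix_isomorphs(DUMPED, CRIB_PLAIN))
    d = find_shift(PLAIN, CIPHER_AS_PRINTED, CRIB_PLAIN, CRIB_CIPHER)
    print("alignment shift:", d)
    table, dupes = build_decoder(PLAIN, restore_cipher_line(CIPHER_AS_PRINTED, d))
    print("ambiguous cipher characters:", dupes)
    for s in (CRIB_CIPHER, "R |8"):
        print(repr(s), "->", repr(decode(s, table)))
```

With the one-character shift restored, s{{8HSS decodes to http:// and the common suffix R |8 decodes to .asp, matching the hand decoding above. The space is the one cipher character the recovered table cannot pin down (it pairs with both “a” and “b” under the assumption), and the trailing 7 of the cipher line has no partner at all, which is why the decoder reports duplicates instead of silently picking one.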

And, yes, the greedy malware distributors running the operation, overconfident in the security of their cryptogram, didn’t bother to put the data collection tools behind even a blank index.html page. The open directories were full of (you guessed it) .asp pages.

Imagine my shock to discover .mdb database files, arranged in folders named after each targeted game, which held thousands of usernames and passwords. Shocked at the brazen stupidity of it all.

I’ve attempted to contact each of the game publishers whose games were apparently targeted, and provided those publishers who responded their respective databases containing the compromised user accounts. (If you are a game publisher who caters to the South Korea market reading about this for the first time today, please contact me. Seriously.)

I wouldn’t call the haul massive by any means. After all, it’s not like I recovered millions upon millions of credentials. Here’s a screenshot of the index from the largest of the databases [screenshot not reproduced here]. To be honest, the index started with the number 104, so this database alone contains 80,181 accounts, but that was by far the largest. There were a total of 85 such database files on the malware distributor’s server, and most only had a few hundred accounts.

One of the more supportive publishers reached out to the Web host where the files were stored; thanks to their efforts, the Web sites are now shut down, so the Trojans no longer have a useful dead drop where they can upload stolen passwords. The Trojan itself is detected in a new definition we published last week named Trojan-Phisher-dddeew.

Just another cautionary tale for online gamers (or even people on holiday, far from home, staying in touch): You never can be completely sure if a public computer you’re using, whether it’s in a hotel lobby or a cybercafe, has been compromised. Change your passwords often and, if you’re traveling, as soon as you get home.


Trackbacks

  1. [...] This post was mentioned on Twitter by Webroot and WB, OciRicO. OciRicO said: A Cryptogram a Day Keeps the Malware Away: By Andrew Brandt As a child, one of my favorite daily pastimes was so… http://bit.ly/eNIuyA [...]