Someone Doesn’t Like Kaspersky

Note: This entry has been restored from old archives.

Seeing more and more of these spammed attempts to get people to self-infect. Most recently I passed over one that looked much like one described by the AVERT blog a short while ago. A very simple email with the line:

Dude I know thats you, someone emailed me a link to the video. see for yourself… http://www.youtube.com/watch?v=iVyfrel8jIt

The bit that seems to be a YouTube link is actually wrapped in an anchor tag linking to an IP address (not reproduced above). Not YouTube! Duh! (It’s rather disappointing that the YouTube URL actually doesn’t show some amusing video.)

If you hit the site you get a nice HTML page that tells you your video will be ready in 15 seconds. Meanwhile it tries to break your web browser, as recently described on the Kaspersky blog. In fact I think the author of this malware might read the KAV blog too, from the script code:

function kaspersky(suck,dick){}; function kaspersky2(suck_dick,again){};

Ouch! Getting personal in malware code!

As an added bonus the page includes:

If your download does not start in approximately 15 seconds, you can click here to launch the download and then press Run.

Sure, “press Run”? But how many people will this sucker? Too many I’m afraid.

ClamAV tells me that the HTML page is “JS.XorCrypt” (some sort of generic signature I assume) and that the video.exe file linked to is “Trojan.Small-3273”. McAfee and Kaspersky both catch both files too, “Nuwar” and “Zhelatin” respectively for video.exe… no surprises there. I guess the author is right to be annoyed at Kaspersky, it catches their malware! Ha! (On VirusTotal.com 46.88% of 32 scanners detect the HTML file and 78.13% detect the executable – detected malware names vary greatly.)

Examining the code in these things is often fun. In this example the HTML page contains the (reformatted) code:

function xor_str(plain_str, xor_key)
{   var xored_str = "";
    for (var i = 0 ; i < plain_str.length; ++i)
    xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); 
    return xored_str;
} 
function kaspersky(suck,dick){}; 
function kaspersky2(suck_dick,again){};
var plain_str = <<OBFUSCATED_STRING_HERE>>
var xored_str = xor_str(plain_str, 20);
eval(xored_str);

Given a couple of minutes I can translate this to:

#!/usr/bin/perl -w
use strict;
sub xor_str
{
    my ($plain_str, $xor_key) = @_;
    my $xored_str = "";
    for my $chr (split //, $plain_str)
    {
        $xored_str .= chr($xor_key ^ ord($chr));
    }
    return $xored_str;
}
my $plain_str = <<OBFUSCATED_STRING_HERE>>
my $xored_str = xor_str($plain_str, 20);
print $xored_str;

I don’t really have time to dig deeper (it’s 03:31 right now!), but here’s the list of functions grepped out of the decoded exploit code.

h() {mm=mm; setTimeout("h()", 2000);}
getb(b, bSize)
cf()
startWinZip(object)
startWVF()
elea(){
yah()
startOverflow(num)
GetRandString(len)
CreateObject(CLSID, name) {
XMLHttpDownload(xml, url) {
ADOBDStreamSave(o, name, data) {
ShellExecute(exec, name, type) {
MDAC() {
start() {

A final note. The virustotal.com result for the decoded payload gives a 46.88% (15/32) detection rate. What is interesting is that the detections are by a very different set of AV products and identified by a very different set of names! Only 7 engines detected both the encoded and decoded forms. Of these seven only one gave them the same name, but this was the rather uninspiring “Downloader” from Symantec. I kind of expected that at least one product would be able to perform the decode and identify the payload (although if you can detect prior to doing this you save CPU time, so doing the decode isn’t necessarily desirable).

All in all I think it is rather sad that malware this lame will probably do it’s intended job and net a few more netizens for the botnet empire.

Fun’n’games.