Removing Debugging Information from Visual C++/C# Projects

It’s often surprising how many malware programmers forget to do the simplest things. Mostly because many are so concerned with functionality, stealthiness and other production concerns, that details slip easily of their minds – a clear advantage to forensics. One of these details is the Program DataBase (PDB) information added by Visual Studio, which most malware authors used for Windows development. While it may seem innocuous, this string reveals a lot about the operating system used by the author, its user name and most notably, symbols that can be used by IDA and ease understanding of the disassembly.

Share

Introduction

It’s often surprising how many malware programmers forget to do the simplest things. Mostly because many are so concerned with functionality, stealthiness and other production concerns, that details slip easily of their minds – a clear advantage to forensics. One of these details is the Program DataBase (PDB) information added by Visual Studio, which most malware authors used for Windows development. While it may seem innocuous, this string reveals a lot about the operating system used by the author, its user name and most notably, symbols that can be used by IDA and ease understanding of the disassembly. This information allows to link multiple pieces of malware together, by using the username for example. Of course, this also allows for the creation of signatures. Thus, removing this information will add a hurdle to the analysts.

Contents

The Program Database File

The Program Database (PDB) is a binary file used to store debugging information about DLL and EXE files. The PDB file is created when you build your project and stores a list of symbols  their addresses along with the name of the file and the line number on which the symbol was declared. PDB files is also used for services collecting crash data to send it to developers for resolution.

Debugging Information

In Visual Studio, you can select to build your project in Debug or Release mode. In Debug mode, VS will include debugging information with your executable. In Release mode, no debug information is included by default, but in some cases is enabled so that if the program crashes, information can be retrieved and sent to the author for fixing. However for some reasons, some developers don’t really bother to use the Release mode, and simply use the executable generated by the Debug mode. Generally, you don’t want that if you are making malware (or any program really!). If left within the executable, a path to the PDB file will be included and can be extracted:

Path to the PDB file
Path to the Program Database (PDB) file used by Visual Studio for debugging purposes, extracted using the “strings” program.

Within the strings, you can determine that:

  1. The program was developed on Windows 7+ (because of C:\Users folder),
  2. The username of the developer is SUPPORT_23e45RT
  3. The source, or part of it, can be found on Github
  4. The original name of the program is CaitSithTest

These indicators can be useful to link this specific program with others and provide a common link between multiple malware. Additionally, the username could potentially be used to conduct open source research and find linked accounts or forum posts. But wait, there’s more…

If you leave the debugging information, you may be able to restore all the original names of variables and functions of the source code using IDA. IDA will first detect debugging information and ask the analyst if he wants to retrieve it, either via Microsoft – http://msdl.microsoft.com/download/symbols (not browseable)- or by looking locally.

IDA detected that debugging information is available and ask if the user wishes to retrieve it.
IDA detected that debugging information is available and ask if the user wishes to retrieve it.

If for some reason, the user is able to retrieve the information, he will have access to the names of the original symbols, which will make reverse engineering much more easier.

Since symbol information is available, the original names of the variables are displayed.
Since symbol information is available, the original names of the variables are displayed.

Compare the information from the figure above to the figure below, in which debugging information has been stripped at build time:

IDA could not find any debugging information and thus used its own labelling system to identify variables.
IDA could not find any debugging information and thus used its own labelling system to identify variables.

You can see that the variables defined in the first figure, such as ClipboardData, isProcessElevated and isDebugged have been preserved. By keeping information about the symbols, reverse engineering is much more easier compared to figure 2, in which information about the code is lost.

Disabling Debugging Information

To prevent VC from including this information in your executable, right click on your project, go to Project Properties > Linker > Debugging configuration menu. Select No in the Generate Debug Info option.

Removing debugging information in Visual Studio.
Removing debugging information in Visual Studio.

After doing this, rebuild your project and rerun the string extraction program against your binary, the path to the PDB file should not be present in the executable anymore.

no_debug_info
The path to the PDB file is not included in the executable once debugging information has been omitted.

Doing so makes it a bit more difficult to fingerprint the malware and hides information about the author’s system.

Conclusion

This is a simple tactic that is often omitted not only by malware author, but penetration testers, which are often Google programmers, i.e. copy-pasting code snippets from Stack Overflow or googling functions ūüėČ If you attempt to hide your malware into the System32 folder, looking for this information in the EXE or DLL files will quickly tell you which files are bad, since legitimate files will rarely have this info, or have legitimate looking one. As such, if you want to make sure, create a legitimate-Microsoft-looking user (Bill.Gates) on your machine and put your code into a Microsoft-looking project and path (C:\users\Bill Gates\Documents\HTA\Release\).

Gears of (Cyber)War – C++ Code to Detect Version of Windows

A common structure in malware, and also in many legitimate software is to recognize what is the underlying operating system (OS). Depending on the version of it, the virus may want to take different route to execute its activities. This functionality can be reused across different programs and is therefore useful to create and optimize. In this post, we design a function to detect the version of the Windows OS on which the program is currently running.

Share

Introduction

A common structure in malware, and also in many legitimate software is to recognize what is the underlying operating system (OS). Depending on the version of it, the virus may want to take different route to execute its activities. This functionality can be reused across different programs and is therefore useful to create and optimize. In this post, we coded a function to detect the version of the Windows OS on which the program is currently running.

Windows Versions

The Windows OS is known to have a confusing version system, which is often the result of marketing pressure. As such, while all software usually follow a version number specifying the major version, the minor version and the revision (and sometimes the build), Windows swings between years of release (ex. Windows 2000), fancy names (Windows Vista) or some designated number (Windows 7). However, in the underlying machinery of Windows are defined standard version numbers, ex. 5.1. Below is the correspondance between Windows operating systems and standard versions.

When programming in C/C++, the version number of Windows can be obtained via the OSVERSIONINFO structure (or OSVERSIONINFOEX) and the GetVersionEx Windows API function:

The version information described in the table above is stored in the dwVersionMajor and dwVersionMinor of the OSVERSIONINFO structure. All version of Windows in the table above will store the value VER_PLATFORM_WIN32_NT (0x2) in the variable dwPlatformId of the structure.

Branching C++ Code Based on Version

Based on the description above, we can create a reusable function to detect the version of the Windows OS:

Note that in many cases, we won’t know if the OS is the workstation version of Windows or the server version of it. Also, there is no details for other versions of Windows, i.e. Windows CE, Windows 95 (…should it still be used somewhere..). That’s where OSVERSIONINFOEX is useful. The wProductType variable will be set to¬†VER_NT_WORKSTATION if the current OS is the workstation version. Furthermore, you can retrieve service packs numbers and edition information with¬†wServicePackMajor,¬†wServicePackMinor and¬†wSuiteMask. So if you need more details about the Windows OS, you can include these as well:

For a full version of the procedure, visit this GitHub page, you’ll find the C/C++ code.

Conclusion

Practically any malware at some point will need to check the version of the operating system being infected in order to enable specific functions or exploit certain vulnerability. Rarely will this check go as far as getting the suite, but Remote Access Tool (RAT) and bots will report the operating system, the version and the service pack. If you are a malware analyst, expeect this function to be present in whatever piece of code you’re analyzing.

The Palestine-Israeli Conflict on the Web

Share

As any conflict that happened in the 21st century, there is usually a parallel conflict raging online as well. Either commanded by individuals or groups, which can be helped or not by either government agencies or other interest groups, acts of cyberwarfare are getting more and more common. The conflict in the Gaza strip offers a new opportunity to explore this kind of activity. This time, reports of websites defacement are numerous and ongoing, some reporting that malware is spreaded from hacked websites and even an Israeli botnet is starting to grow in order to attack Hamas supporters servers.

Reports are now growing over hundreds of websites defacements of Western websites by Palestinians supporters1. Various Palestinian groups and supporters have been vandalizing Israeli and other western nation commercial websites by putting propaganda and redirecting to jihadist forums and/or uploading malware on the hacked web servers. Hackers mentioned in the article are Team Evil, DNS Team, Tw!$3r, KaSPeRs HaCKeR CreW, PaLiSeNiaN HaCK, MoRoCcAn HaCkErZ.

Palestinian Propaghanda insert into Defaced Websites
Palestinian Propaganda insert into Defaced Websites

Recently, sites from the U.S Army and NATO have also been targeted by the vandals2. Archived versions of the hacked NATO webpage can be found here and here for the hacked version of the U.S Army website. For now, only defacements have been reported and no real attack has occured. Web defacement is a very easy attack to do on web servers with weak passwords. Most of the time, the attackers are script kiddies using software such as AccessDiver with a list of proxies and wordlists to conduct dictionaries attacks on servers. Using AccessDiver is fairly simple and many tutorials can be found on YouTube. Other ways include of course exploits and SQL injections attacks. Surprisingly, no DDoS attacks have been reported yet, but a group of Israeli students launch the “Help Israel Win” initiative3. At the time of writing, the website was online available through Google’s cache. Anoher website (http://help-israel-win.tk/) has been suspended. The goal was to develop a voluntary botnet dubbed “Patriot” to attack Hamas-related websites:

We have launched a new project that unites the computer capabilities of many computers around the world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state of Israel4.

The website offered a small executable to download. This bot would receive commands as a normal criminal bot would. Hamas-friendly sites like qudsnews.net and palestine-info.info were targeted by the IRC botnet. Still according to the article, the botnet has come under attack by unknown assaillants5. No definitive number is given as to how many machines the botnet is controlling, it might range from anything from 1000 to 8000 machines6. Very few detail is given on how the bot actually works.

There was a very similar attempt to create a “conscript” botnet known as the e-Jihad botnet that failed to realized its objective last year, as the tool was unsophisticated and rather crude7. The e-Jihad tool had the same objective as the Patriot botnet, which was to launch DDoS attacks against various targets.

e-Jihad 3.0 Screen
e-Jihad 3.0 Screen

Nevertheless, this kind of parallel attack is due to become a popular civilian option to attack servers. The only thing needed is to create a solid botnet, by using some of the most sophisticated criminal botnets and transform them into voluntary “cyber-armies”. There is one problem thought…how can we make sure it’s legitimate ? Making such programs open source ? But then you reveal your command and control servers and information that could make the enemy hijack our own botnet. It then all comes down to a question of trust…and of course, a clear and easy way to remove the bot anytime.

See also :

“Army Mil and NATO Paliarment hacked by Turks”, Roberto Preatoni,¬† Zone-H, http://www.zone-h.org/content/view/15003/30/ (accessed on January 10, 2009)



1“Battle for Gaza Fought on the Web, Too”, Jart Armin, Internet Evolution, January 5, 2009, http://www.internetevolution.com/author.asp?section_id=717&doc_id=169872& (accessed on January 10, 2009)

2“Pro-Palestine vandals deface Army, NATO sites”, Dan Goodin, The Register, January 10, 2009, http://www.theregister.co.uk/2009/01/10/army_nato_sites_defaced/ (accessed on January 10, 2009)

3“Wage Cyberwar Against Hamas, Surrender Your PC”, Noah Shachtman, Danger Room, Wired, January 8, 2009, http://blog.wired.com/defense/2009/01/israel-dns-hack.html, (accessed on January 10, 2009)

4Copied from Google’s cache of help-israel-win.org

5Ibid.

6Hacktivist tool targets Hamas”, John Leyden, The Register, January 9, 2008, http://www.theregister.co.uk/2009/01/09/gaza_conflict_patriot_cyberwars/ (accessed on January 10, 2009)

7“E-Jihad vs. Storm”, Peter Coogan, Symantec, September 11, 2007, https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/170#M170 (accessed on January 10, 2009)

Malware Authors Loves Obama Too

Share

The Register reports that malware creators are already using Mr. Obama’s popularity to distribute the Papras Trojan using spam, social engineering and Google Ads[1].

Users usually receive an email from what seems a legitimate news sources such as CNN and BBC, inviting users to see the speech of Barack Obama on their website. The content of the email is the following[2]:

Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.

And senders are usually:

  • news@cnn.com
    news@usatoday.com
    news@online.com
    news@c18-ss-1-lb.cnet.com
    news@president.com
    news@unitedstates.com
    news@bbc.com

The email contains a link to a fake website, which prompts the users to update their Flash player in order to see the speech. Of course, the update is actually a Trojan.

Screen shots of the email and fake website, from F-Secure[3]:

 

Papras is an information stealing Trojan, trying to get a hold of logins and passwords among others. This Trojan is detected by only 14 of the 36 major anti-virus programs.


[1] “Obama-themed malware mauls world+dog”, Dan Goodin, The Register, November 5, 2008, http://www.theregister.co.uk/2008/11/05/obama_malware_attacks/ (accessed November 6, 2008)

[2] “Computer Virus masquerades as Obama Acceptance Speech Video”, Gary Warner, CyberCrime & Doing Time, November 5, 2008, http://garwarner.blogspot.com/2008/11/computer-virus-masquerades-as-obama.html (accessed on November 6, 2008)

[3] “US Presidential Malware”, F-Secure, November 5, 2008, http://www.f-secure.com/weblog/archives/00001530.html (accessed on November 6, 2008)

Fake Anti-Virus Brings in 158 000$ a Week

Share

Russian criminals who are selling a fake anti-virus, “Antivirus XP 2008/2009” among others, have made more than 150¬†000$ in a week, according to the Sydney Morning Herald[1]. If you ever seen those annoying popups warning you that you might be infected with one or more viruses, then you probably came across this scam.

Fake Spyware Detection Alert
Fake Spyware Detection Alert

“For most people they might just be browsing the web and suddenly they don’t know why this thing will pop up in their face, telling them they’ve got 309 infections on their computer, it will change their desktop wallpaper, change their screen saver to fake ‘blue screens of death’,” said Joe Stewart, from SecureWorks said.

The software is sold for 49.95 $US and will “detect” various viruses and Trojans on the computer. Stewart shows that Antivirus XP still has some basic anti-malware functionality, but as he explains, it’s mostly in case the authors are brought to court “they might try to claim the program is not truly fraudulent – after all, it can clean computers of at least a few malicious programs[2]“. Only 17 minor threats can be removed, far from the 102,563 viruses the anti-virus claims to clean. And don’t expect a refund for the software.

The entity behind this fraudware is called Bakasoftware, a Russian company that pays affiliates to sell its anti-virus to users. Affiliates can earn between 58% and 90% of the sale price. Criminals are therefore using everyway to trick users into installing the software, including scaring the user into believing that he is infected, even using botnets to push the program into the users’ computers.

Since it is not hacking people’s computers and only runs the affiliate program, Bakasoftware does not have to worry about being shut down by police“, Stewart said[3].

Affiliate ID

Affiliate Username

Account Balance (USD)

4928 nenastniy $158,568.86
56 krab $105,955.76
2 rstwm $95,021.16
4748 newforis $93,260.64
5016 slyers $85,220.22
3684 ultra $82,174.54
3750 cosma2k $78,824.88
5050 dp322 $75,631.26
3886 iamthevip $61,552.63
4048 dp32 $58,160.20
Table 1.0 – Top earners in the Bakasoftware Affiliate Program[4]
 

Screenshots took from the administrative panel of bakasoftware.com which was hacked by NeoN:

Bakasoftware Registred Domains
Bakasoftware Registred Domains

Bakasoftware All Socks Controls
Bakasoftware All Socks Controls

(Screenshots are from “Rogue Antivirus Dissected – Part 2”, Joe Steward, SecureWorks, October 22, 2008, http://www.secureworks.com/research/threats/rogue-antivirus-part-2/?threat=rogue-antivirus-part-2)

By the time of this writing, http://www.bakasoftware.com/ was not accessible. Another interesting fact, if the Russian language is installed on your computer, there’s a good chance you won’t be considered as a target because of Russian legislation. Apparently the creators have been sued anyway[5].

Many other fraudware are available, always proposing anti-malware software. Their ads are oven seen on torrents, warez and cracks/serials sites. What’s particularly dangerous is that they can come with other legitimate software or by drive-by downloads. Once they are installed in your computer, they get annoying very fast and can trick you into buying fraudware. Popups can appear that you are infected. Other types of fraudware are those “boost your computer” software.

P.S “baka” means “stupid” in Japanese. A totally appropriate title for the operators of this company.
See also:

“Fake software nets hacker $158,000 in a week”, Stewart Meagher, The Inquirer, November 5, 2008, http://www.theinquirer.net/gb/inquirer/news/2008/11/05/fake-antivirus-nets-hacker-150 (accessed on November 5, 2008)

“Antiviral ‘Scareware’ Just One More Intruder”, John Markoff, The New York Times, October 29, 2008, http://www.nytimes.com/2008/10/30/technology/internet/30virus.html (accessed on November 5, 2008)

“Crooks can make $5M a year shilling fake security software”, Gregg Keizer, ComputerWorld, October 31, 2008, http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security_hardware_and_software&articleId=9118778&taxonomyId=145&intsrc=kc_top (accessed on November 5, 2008)


[1] “Russian scammers cash in on pop-up menace”, Asher Moses, The Sydney Herald, November 4, 2008, p.1, http://www.smh.com.au/news/technology/security/russian-scammers-cash-in-on-popup-menace/2008/11/04/1225560814202.html (accessed on November 5, 2008)

 

[2] “Rogue Antivirus Dissected – Part 1”, Joe Stewart, SecureWorks, October 21, 2008, http://www.secureworks.com/research/threats/rogue-antivirus-part-1/?threat=rogue-antivirus-part-1 (accessed on November 5, 2008)

[3] “Russian scammers cash in on pop-up menace”, Asher Moses, The Sydney Herald, November 4, 2008, p.2, http://www.smh.com.au/news/technology/security/russian-scammers-cash-in-on-popup-menace/2008/11/04/1225560814202.html (accessed on November 5, 2008)

[4] “Rogue Antivirus Dissected – Part 2”, Joe Steward, SecureWorks, October 22, 2008, http://www.secureworks.com/research/threats/rogue-antivirus-part-2/?threat=rogue-antivirus-part-2 (accessed on November 5, 2008)

[5] “Infamous vendor of “AntiVirus XP” badware sued”, Adam O’Donnell, ZDNet, September 30th, 2008, http://blogs.zdnet.com/security/?p=1980 (accessed on November 5, 2008


Microsoft: Malware Up 38% in United States in 2008

Share

According to the latest Security Intelligence Report from Microsoft, malicious software installations on computers increased 38% in the U.S for 2008.[1] Also, the number of “High Severity” vulnerabilities detected increased by 13% in the second half of 2007, putting the total of “High Severity” vulnerabilities to 48%.

Downloaders and droppers, accounting for 30% of all malicious software, with around 7 millions computers infected in the United States alone.

And of course, no good Microsoft document would be complete by stating that Vista in more awesome than XP, and therefore the report states that if you own Windows XP SP3, you’re likely to be infected 9 times on 1000 infections, while this number drops to 4 times on 1000 infections for Vista.

“For browser-based attacks on Windows XP-based machines, Microsoft vulnerabilities accounted for 42 percent of the total. On Windows Vista-based machines, however, the proportion of vulnerabilities attacked in Microsoft software was much smaller, accounting for just 6 percent of the total[2].”

Taken from the report:

Country/Region

2007

2008

% Chg.

Afghanistan

58.8

76.4

29.9

Bahrain

28.2

29.2

3.4

Morocco

31.3

27.8

-11.4

Albania

30.7

25.4

-17.4

Mongolia

29.9

24.7

-17.6

Brazil

13.2

23.9

81.8

Iraq

23.8

23.6

-1.1

Dominican Republic

24.5

23.2

-5.2

Egypt

24.3

22.5

-7.5

Saudi Arabia

22.2

22.3

0.4

Tunisia

15.9

21.9

37.3

Turkey

25.9

21.9

-15.4

Jordan

20.4

21.6

5.5

Former Yugoslav Republic of Macedonia

16.3

21.1

29.8

Lebanon

20.6

20.2

-1.8

Yemen

17.7

20.1

13.7

Portugal

14.9

19.6

31.7

Algeria

22.2

19.5

-12.2

Libya

17.3

19.5

13.1

Mexico

14.8

17.3

17

United Arab Emirates

18.2

17.3

-4.8

Monaco

13.7

17.0

23.7

Serbia

11.8

16.6

41.4

Bosnia and Herzegovina

12.8

16.3

27.5

Jamaica

15.0

16.3

8.9

Table 1.0 – Countries with the Highest Infection Rates[3]

See also:

“Microsoft Security Intelligence Report”, Microsoft, January-June 2008, http://www.microsoft.com/downloads/details.aspx?FamilyId=B2984562-47A2-48FF-890C-EDBEB8A0764C&displaylang=en (accessed on November 4, 2008)

“Les menaces en augmentation de 43%, dit Microsoft”, Marie-√ąve Morasse, Cyberpresse, November 3, 2008, http://technaute.cyberpresse.ca/nouvelles/internet/200811/03/01-35773-les-menaces-en-augmentation-de-43-dit-microsoft.php (in French) (accessed on November 4, 2008)


[1] “Microsoft Security Intelligence Report”, Microsoft, January-June 2008, p. 122

[2] Ibid. p. 5

[3] Ibid. p.49