Win64/Expiro - cross-platform file infector

File viruses have been known and studied for a long time, but in the vast majority of cases such infectors are aimed at modifying 32-bit files. One such family, Expiro (Xpiro), was discovered long ago and can hardly surprise anyone today. Recently, however, our anti-virus laboratory discovered a new modification of Expiro that is capable of infecting 64-bit files. Moreover, the body of this modification is universal and fully cross-platform: it can infect both 32-bit and 64-bit files, and vice versa, that is, infected 32-bit files can in turn infect 64-bit files. In our naming system the virus is called Win64/Expiro.A (aka W64.Xpiro or W64/Expiro-A). Infected 32-bit files are detected as Win32/Expiro.NBF.

The infector is geared to maximizing profit for its operators and infects executable files on both local and network drives. The payload of this malware includes installing extensions for the Google Chrome and Mozilla Firefox browsers. The malicious code steals digital certificates stored on the computer and passwords from Internet Explorer, Microsoft Outlook and the FileZilla FTP client. The extensions serve to redirect the user to malicious URLs and to steal various confidential information. The virus disables a number of services on the compromised computer, including Windows Defender and the Windows Security Center, and can also terminate a number of processes.

Infector

In a 64-bit infected file, the virus body itself is a new .vmp0 section of 512,000 bytes appended to the end of the executable file (on disk). To transfer control to the main body, the virus writes 1269 bytes of malicious startup code at the entry point; the original entry point bytes are moved to the beginning of the .vmp0 section. This startup code is an unpacker for the main code, which resides in the virus section. The screenshot below shows the startup code template that is written over the entry point of a 64-bit file during infection.



When this code is generated for an infection, some of its instructions are overwritten, which makes the data in the .vmp0 section unique for each infection. The instructions subject to change are those such as add, mov or lea that contain immediate offsets. At the end of the code, a jump to the unpacked code in the .vmp0 section is added.



A similar startup code for 32-bit files is also located in the .vmp0 section and has the following form.



In the 32-bit version it looks like this:



The size of this startup code is 1269 bytes in the 64-bit version and 711 bytes in the 32-bit version.

The virus infects executable files by recursively walking the directories of each logical drive. A file is infected via a temporary .vir file in which the malicious code assembles the new file contents and then writes them to the target file in 64K blocks. If the virus cannot open a file for reading/writing, it tries to change the file's security descriptor and owner information.

Signed executables are no exception. After infection such a file is no longer signed, because the virus writes its body after the last section, which in the original file is where the overlay containing the digital signature is located. In addition, the virus adjusts the Security Directory entry in the Data Directory by setting its RVA and Size fields to 0. Accordingly, such a file can still be executed afterwards, because it no longer carries any digital signature information. Below are the differences between the original and the infected 64-bit file, which is digitally signed. On the left, in the modified version, you can see that the .vmp0 section and the original entry point bytes begin where the overlay was.
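As an added defensive example (this is not code from the original article or from the anti-virus laboratory), here is a Python triage script that parses PE headers with only the standard library and reports the on-disk indicators described above: a trailing .vmp0 section (512,000 bytes in the 64-bit case), a zeroed Security Directory entry, and leftover .vir working files from the infection routine. The function names inspect_pe, scan_tree, build_sample_pe and demo_scan are my own, and the images it checks are constructed header-only fixtures rather than real binaries.

```python
import os
import struct
import tempfile

# Indicators from the write-up: a new section named .vmp0 appended after the
# last section (512,000 bytes in a 64-bit file) and a Security Directory
# entry whose RVA and Size were both set to 0.
VMP0_NAME = b".vmp0"
VMP0_SIZE_X64 = 512000
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def inspect_pe(data: bytes) -> dict:
    """Parse PE headers (no section bodies) and report Expiro-style indicators."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 60)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32PLUS_MAGIC:
        dd_off = opt_off + 112  # DataDirectory starts at +112 in PE32+
    elif magic == PE32_MAGIC:
        dd_off = opt_off + 96   # and at +96 in PE32
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_rva, sec_size = struct.unpack_from("<II", data, dd_off + SECURITY_DIR_INDEX * 8)

    sections = []  # (name, SizeOfRawData, PointerToRawData)
    table_off = opt_off + opt_size
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table_off + i * 40)
        sections.append((name.rstrip(b"\0"), raw_size, raw_ptr))

    vmp0 = [s for s in sections if s[0] == VMP0_NAME]
    arch = {IMAGE_FILE_MACHINE_AMD64: "x64", IMAGE_FILE_MACHINE_I386: "x86"}.get(machine, "other")
    report = {
        "arch": arch,
        "has_vmp0": bool(vmp0),
        "vmp0_is_last": bool(sections) and sections[-1][0] == VMP0_NAME,
        "vmp0_raw_size": vmp0[0][1] if vmp0 else 0,
        # A zeroed entry alone only means "unsigned"; it matters together with .vmp0.
        "signature_dir_present": not (sec_rva == 0 and sec_size == 0),
    }
    report["suspicious"] = report["has_vmp0"] and report["vmp0_is_last"]
    return report


def scan_tree(root: str) -> dict:
    """Walk a directory tree; return {path: report} for suspicious PEs and stray .vir files."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(".vir"):
                hits[path] = {"leftover_vir_file": True}
                continue
            try:
                with open(path, "rb") as fh:
                    report = inspect_pe(fh.read())
            except (OSError, ValueError, struct.error):
                continue  # not a PE file or unreadable: skip
            if report["suspicious"]:
                hits[path] = report
    return hits


def build_sample_pe(section_specs, security=(0, 0), pe32plus=True) -> bytes:
    """Constructed test fixture: a header-only PE image (section bodies are not materialised)."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386,
                       len(section_specs), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_off - 4, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + SECURITY_DIR_INDEX * 8, *security)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    raw_ptr = len(headers) + 40 * len(section_specs)
    table = b""
    for name, raw_size in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name, raw_size, raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += raw_size
    return headers + table


# Constructed samples: a signed-looking clean x64 image and an "infected" one with .vmp0 appended.
CLEAN_SIGNED_X64 = build_sample_pe([(b".text", 0x1000), (b".rdata", 0x400)], security=(0x2000, 0x1800))
INFECTED_X64 = build_sample_pe([(b".text", 0x1000), (b".rdata", 0x400), (VMP0_NAME, VMP0_SIZE_X64)])


def demo_scan() -> int:
    """Write the samples plus a stray .vir file into a temp dir, scan it, return the hit count."""
    root = tempfile.mkdtemp()
    for name, blob in (("clean.exe", CLEAN_SIGNED_X64), ("infected.exe", INFECTED_X64), ("work.vir", b"x")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return len(scan_tree(root))
```

Run scan_tree against a mounted image or a quarantine share; a positive is a PE whose last section is named .vmp0, which is worth a closer look together with the mutex and I/O symptoms mentioned later in the article.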



In terms of terminating security processes, Expiro is not original: it retrieves the process list with the CreateToolhelp32Snapshot API and then terminates processes with OpenProcess/TerminateProcess. Expiro terminates the following processes on the system: "MSASCui.exe", "msseces.exe" and "Tcpview.exe".



To maintain its presence on the system, Expiro creates two mutexes named gazavat.

In addition, the infection process itself can be recognized on the system by a large number of I/O operations and bytes read/written. Since the virus has to scan every file on the system, the infection process can take a long time, which is also a symptom of suspicious code being present.



The body of the virus uses obfuscation when calling various APIs and passing them values, string offsets and so on. For example, in the following code, when passing the argument SERVICE_CONTROL_STOP (0x1) to the advapi32!ControlService API, which is used to disable services, the value is computed by arithmetic on reserved constants.



With this code the virus tries to disable the following services: wscsvc (Windows Security Center), windefend (Windows Defender Service), MsMpSvc (Microsoft Antimalware Service) and NisSrv (part of Microsoft Antimalware).

Payload

As its payload, the virus attempts to install extensions for the Google Chrome and Mozilla Firefox browsers. The manifest file of the Chrome extension it installs is as follows:



In the extensions directory, this plugin's directory is named dlddmedljhmbgdhapibnagaanenmajcm. The extension uses the background.js and content.js scripts. After deobfuscation, the background.js template looks like this.



The HID variable stores the system identifier together with the Windows version and Product ID. The SLST variable contains a list of domains used to redirect the user to malicious resources; part of that list is shown below.



The extension manifest for Mozilla Firefox is as follows.



Below is the part of the content.js script responsible for parsing form elements.



From the bot's point of view, Expiro can do the following:
• change the list of command-and-control server URLs;
• execute commands in the cmd.exe interpreter;
• download and execute plugins;
• download files from the network and save them as %commonappdata%\%variable%.exe;
• carry out a TCP flood DoS attack;
• list files matching the \b*.dll mask in the %commonappdata% directory and execute code from them;
• start a proxy server (SOCKS, HTTP).

The malicious code steals FileZilla credentials from the file %appdata%\FileZilla\sitemanager.xml. To steal passwords stored in Internet Explorer, a special COM object is used. If the downloaded code detects a credit card entry form on a web page, it tries to copy the data from it. At the same time, it checks the entered card number against the "VISA"/"MasterCard" format and displays a window with the message:

"Unable to authorize.\n%s processing center is unable to authorize your card %s.\nMake corrections and try again."

Conclusion

Infecting executable files is a very effective vector for spreading malicious code. The described modification of Expiro poses a serious threat to both home users and company employees. Since the virus infects files on local drives, removable devices and over the network, an outbreak can take on quite serious proportions. In the case of Expiro, the situation is aggravated by the fact that if even one infected file that will later be executed remains on the system, the process of infecting the whole disk starts again. From the point of view of payload delivery, a file infector is also a highly attractive option precisely because of how actively its body spreads.
