Tuesday, 2 July 2013

Zero Access [HTTP Callbacks]


2EFE003B8969FA946F194333152F334C (Original Binary)
9645CD309A01211C8DB323EBFCC44C6B (Unpacked Binary)


Start by looking at the strings.
Notice the two HTTP GET strings. They are likely to be callback URLs used for communication with a command and control server of sorts.

Picking one of them for a closer look.

Now, isolating the functions that work with this string: only one function to prototype.

Let's look at the function in IDA: note that it takes in one INT argument. The parameter maps to a query string variable called "s".

The formulation of the HTTP GET request happens here.

Debugging the callback.

A closer look at the query string params on the stack (illustrated using notepad).

And the query is pushed to the stack after it is formulated.

A cleaner representation of the callback query.

The domain "livecounter.co" is still active (as of 2013-07-03 00:57 hrs).

Analysis of the second HTTP GET string surfaced the following callback query.

The domain "fling.com" is also still active.
