Tuesday, 2 July 2013

Zero Access [HTTP Callbacks]

Source: 
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1713&sid=cd3cc5cbadd7a7c0f917c0929b8df486

Hashes: 
2EFE003B8969FA946F194333152F334C (Original Binary)
9645CD309A01211C8DB323EBFCC44C6B (Unpacked Binary)

VirusTotal: 
https://www.virustotal.com/en/file/8be9b39f78064d454e90b7fead8d51e8e4749e880f1e00b0fd843227b7677bd1/analysis/


Start by looking at the strings
Notice the two HTTP GET strings. They are likely callback URLs used for communication with a command-and-control server of some sort.


Picking one of them for a closer look.


Now, isolating the functions that reference this string: there is only one function to prototype.


Let's look at the function in IDA: note that it takes in one INT argument. The parameter maps to a query string variable called "s".


The formulation of the HTTP GET request happens here.


Debugging the callback.


A closer look at the query string parameters on the stack (illustrated using Notepad).


And the query is pushed to the stack after it is formulated.


A cleaner representation of the callback query.


The domain "livecounter.co" is still active (as of 2013-07-03 00:57 hrs).



Analysis of the second HTTP GET string surfaced the following callback query.


The domain "fling.com" is also still active.
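To turn the two callback destinations and the "s" query parameter described above into a simple network-side check, here is an added example (not code from the original post) that scans proxy log lines for HTTP GET requests to the named hosts and pulls out the "s" value, flagging whether it is the integer the post describes. The log format and the sample lines are constructed; the real query paths are only visible in the post's screenshots, so they are placeholders here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts named in the post as the two HTTP callback destinations.
CALLBACK_HOSTS = {"livecounter.co", "fling.com"}

# Constructed proxy log lines (not real captures):
# "<timestamp> <source_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2013-07-03T00:57:01Z 10.0.0.5 GET http://livecounter.co/stat.php?s=123456 200
2013-07-03T00:57:02Z 10.0.0.5 GET http://www.example.org/index.html 200
2013-07-03T00:57:05Z 10.0.0.7 GET http://fling.com/?s=987 200
2013-07-03T00:57:09Z 10.0.0.9 POST http://livecounter.co/upload 403
2013-07-03T00:57:11Z 10.0.0.5 GET http://livecounter.co/stat.php?s=notanumber 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def matches_callback_host(host):
    """True for an exact host match or a subdomain of a listed host."""
    return any(host == h or host.endswith("." + h) for h in CALLBACK_HOSTS)


def find_callbacks(log_text):
    """Return (src_ip, host, s_value, s_is_int) for each GET to a listed host
    that carries an 's' query parameter; s_is_int records whether the value
    is the integer the post says the callback function builds it from."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # Only GET requests match the callback described in the post.
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if not matches_callback_host(host):
            continue
        for s in parse_qs(parts.query).get("s", []):
            hits.append((m["src"], host, s, s.isdigit()))
    return hits


if __name__ == "__main__":
    for src, host, s, is_int in find_callbacks(SAMPLE_LOG):
        print(f"{src} -> {host} s={s} ({'int' if is_int else 'NOT an int'})")
```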
