Seems like people are trying to find a way to suck music out of Spotify

… by the bad guys unfortunately

When investigating one of the files that was being downloaded by the initial dropper from the Kirisun hack I found something very interesting. I do not know if this is a known technique, but it is new to me. The file I was looking at was the “24.exe” and the reason for choosing that one were:

1. Easy Self-extracting RAR, no encryption and no sandbox detection.
2. It was one of the largest files == lot’s of goodies?

After running the self-extracting RAR in the sandbox I ended up with the following files in c:\windows\system32\:

Inside the “drivers” folder a copy of npf.sys was dropped. This file belongs to the WinPcap project and so does some of the other files that were extracted.

The file that was supposed to auto start after decompression was “3.vbs” whose only job was to silently run “run.bat” which contained the following two lines:

Ok, then what do our little friend Vml.exe do with these parameters I thought? After asking my friend Google I got the answer that I thought I would get, it was performing ARP poisoning on the local network (well, just the two subnets specified in the .bat) and inserting iframes into all websites being viewed. Previously discovered by CISRT earlier in November.

Genious! One point to the bad guys!

http://blog.didierstevens.com/2007/02/12/reverse-engineering-mentoring/

For those of us that is not yet fluent in assembler (but some programming experience in C is preferred if you ask me) this is a great place to start.

Doesn’t seem to have been updated lately, but I think it’s great beginners info anyway.