Encryption for the Bagle Minded

As a new wave of Bagle Trojans came in, we once again started
monitoring the links downloaded by the new Bagle, now detected as
TROJ_BAGLE.AH.


One of the many links in its body gave me a z.php file which, when
opened, was actually a base64 file… ahh, it seems that this is it.
If only it were that easy.




I extracted the base64 file using WinZip and came up with a file
which I thought was damaged (no MZ/PE header). Was this a dead end?
I wasn't yet sure. It looked like the Bagle authors weren't
exactly going to permit me to analyze it that easily.


As I said, the file I extracted did not have an MZ/PE header, but it
did look like a chunk from a file. There wasn't really much to
go on, so I decided it was really just a garbage file… a mistake, I
admit. :p


Out of boredom I looked again at TROJ_BAGLE.AH and tested it in an
environment with internet access. As expected, it downloaded a file (the
one I thought was damaged), but to my surprise the downloaded file
executed on my test machine… and curiosity took over. =)


How did that happen?!


So I looked at the downloaded file which ran (now detected as
TROJ_BAGLE.AJ) and compared it with the one I thought was
damaged.


The discussion below proves the evolving technology of the Bagle-minded
people. The Trojan downloaded a file that looked like garbage, fused
it with an MZ and PE header, and then decrypted the file to form what
is now TROJ_BAGLE.AJ.


This is a hex view of the downloaded file which ran
(TROJ_BAGLE.AJ):




The highlighted portion in the first picture is the MZ header that
is fused to the beginning of the downloaded file (the one extracted
from z.php). So now it is a legitimate PE file.


And a hex view of the file I thought was damaged:




The file is then decrypted to form what is now TROJ_BAGLE.AJ. The
encryption, although not that hard, can be misleading; I simply
thought the file was packed. I think this is better explained with
pictures. :p


This is again a hex view of TROJ_BAGLE.AJ:




See the similarities? Below are a few bytes from the highlighted
portion of TROJ_BAGLE.AJ:


00 03 E0 00 00 28 00


And below is the highlighted portion of the file extracted from the
base64 file z.php:


00 3E 00 00 02 80 00


The first half of each byte (its high nibble) was transferred to the
byte to its left; in other words, the whole byte stream is shifted
left by four bits.


00 3E 00 is now 03 E0 00


This is done up to the end of the file.
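As an added example (not code from the original post), here is a small Python decoder for the nibble shift described above. The PE-like sample buffer and the `nibble_shift_right` helper used to build it are constructed and assumed here; the bytes quoted from the post are also used to check the decoder.

```python
# Added example, not from the original post: decoder for the 4-bit (nibble)
# shift described above, plus a check showing why a byte-oriented signature
# misses the shifted form. Sample buffers below are constructed.
DOS_STUB_SIG = b"This program cannot be run in DOS mode"  # real PE stub text


def nibble_shift_left(data: bytes) -> bytes:
    """Undo the obfuscation: move the high nibble of every byte into the low
    nibble of the byte before it (00 3E 00 -> 03 E0 00). Same length as the
    input; the final low nibble is filled with zero."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else 0
        out[i] = ((b << 4) & 0xF0) | (nxt >> 4)
    return bytes(out)


def nibble_shift_right(data: bytes) -> bytes:
    """Inverse of nibble_shift_left (assumed here only to build test input):
    every high nibble moves into the low nibble of the next byte."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        prev = data[i - 1] if i > 0 else 0
        out[i] = ((prev << 4) & 0xF0) | (b >> 4)
    return bytes(out)


def has_signature(data: bytes, sig: bytes = DOS_STUB_SIG) -> bool:
    """Byte-exact substring match, the kind of check a download scanner makes."""
    return sig in data


# Constructed stand-in for a PE payload: MZ signature, padding, DOS stub text.
SAMPLE_PLAIN = b"MZ\x90\x00" + b"\x00" * 12 + DOS_STUB_SIG + b"\x00" * 8
# One pad byte absorbs the nibble pushed out at the end of the stream.
SAMPLE_OBFUSCATED = nibble_shift_right(SAMPLE_PLAIN + b"\x00")

# Bytes quoted in the post: z.php chunk on the left, TROJ_BAGLE.AJ on the right.
PAGE_OBFUSCATED = bytes.fromhex("00 3E 00 00 02 80 00")
PAGE_DECODED_PREFIX = bytes.fromhex("03 E0 00 00 28 00")

if __name__ == "__main__":
    assert nibble_shift_left(PAGE_OBFUSCATED).startswith(PAGE_DECODED_PREFIX)
    print("signature visible before decode:", has_signature(SAMPLE_OBFUSCATED))
    print("signature visible after decode: ",
          has_signature(nibble_shift_left(SAMPLE_OBFUSCATED)))
```

The decoded sample carries the MZ signature and the DOS stub text, while the shifted form matches neither, which is the point about download scanners made at the end of the post.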


For a clearer picture, here are two other hex views of TROJ_BAGLE.AJ
before and after encryption.


Before encryption the file looked like this:




and after the encryption was performed…




This again shows how Bagle is continually growing and thinking of
new ways to make our lives a bit harder :p… The encryption may
have been designed to do just that: to make analysis harder and
mislead analysts into drawing the wrong conclusion, not to mention
avoiding the scanners that look at files as they are being
downloaded.