Thursday, November 29, 2012

Analysis on TOR_Browser malware


The sample was already circulating a few weeks ago, but there is still little information about this malware on the internet. Thus, I decided to do a quick analysis.

Basic File Information
Received filename : Tor_Browser.exe
Original Filename : suf70_launch.exe
Executable vendor : Indigo Rose Corp.
File size : 707,793 bytes
MD5 hash received from report:
    694DD57886B32AD850224A783198D9FE (Installer file 707,793 bytes)
    10D52767B537B2F9F564481665B029E6 (Malicious PE file 9,080 bytes)
    761EA80A1C0019D6CB606BB646EBE57F (Malicious PE file 74,240 bytes)
MD5 hash from official website:
The official installer file is about 22 MB in size, while the sample is only 700 KB.


The sample we received is a PE installer file that uses the Tor Project file icon. In the installation wizard, the user will notice that no EULA appears on the screen:

The installer file is a malware dropper. When installation finishes, the malware does not execute automatically; it needs the user to reboot the PC or run it manually from the Start Menu.

If the user runs it from the Start Menu, it runs from C:\Program Files\Tor Browser\Tor_Browser.exe. This PE file then starts another process from the following location:
C:\Users\<user profile>\AppData\Local\Temp\explorer.exe
It then runs the %RANDOMNAME%.bat dropped in the Windows temporary folder, which deletes the previous file Tor_Browser.exe after its process has terminated.

The running fake explorer.exe process performs several malicious activities, including keylogging, saving keystrokes in encrypted form, and resolving an IP address from the malware author's DNS.

The explorer.exe process remains in memory.

Process Activity

Upon execution, the sample creates the following mutex:

This ensures that only a single instance of it is running.

File & folder

Upon installation, the following files are created:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tor Browser\
    卸载 Tor Browser.lnk

C:\Users\<user profile>\AppData\Roaming\Help\
    CREATELINK.EXE (Legitimate file used to create a shortcut link)
    IconCacheBt.DAT (Encrypted fake explorer.exe file)
    IconConfig.DAT (Encrypted keylogger configuration)

C:\Program Files\Tor Browser\Tor_Browser.exe
C:\Windows\Tor Browser\uninstall.exe -- Non-malicious file
C:\Users\<user profile>\AppData\Local\Temp\explorer.exe

This malware sample also creates a startup shortcut in the following folder:
C:\Users\<user profile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The shortcut file links to the following file location:

Windows Registry

The malware creates the following registry key:

NOTE: This registry key is used to mark the current machine as already infected.
The malware also reads the following registry key:
and tries to read the value "~MHz", which stores the current CPU speed.

Keylogger Activity

Keystrokes from user input are saved to the following file:
C:\Users\<user profile>\AppData\Local\Temp\win_32.sys

All captured keystrokes are saved in encrypted form (using a compression library).


The malware tries to connect to the following IP:
A domain name was found in the malware. It tries to resolve the IP from the following DNS:


The malware sample (iexplore.exe) also contains an embedded digital certificate, while the fake explorer.exe does not have any digital certificate.

The digital certificate may be stolen and has been revoked.
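
The indicators above can be turned into a host sweep. The following Python is an added example, not code from the original post: it checks a file inventory and a process list against the MD5 hashes and artifact paths listed here, and flags any explorer.exe image running outside the Windows directory. The inventory format, function names and sample records are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# MD5 values as listed in this post, lower-cased for comparison.
BAD_MD5 = {
    "694dd57886b32ad850224a783198d9fe": "installer",
    "10d52767b537b2f9f564481665b029e6": "malicious-pe-9080",
    "761ea80a1c0019d6cb606bb646ebe57f": "malicious-pe-74240",
}
# Artifact paths as listed in this post.
ARTIFACTS = [
    r"C:\Users\<user profile>\AppData\Roaming\Help\IconCacheBt.DAT",
    r"C:\Users\<user profile>\AppData\Roaming\Help\IconConfig.DAT",
    r"C:\Users\<user profile>\AppData\Local\Temp\explorer.exe",
    r"C:\Users\<user profile>\AppData\Local\Temp\win_32.sys",
]
# Assumption: default Windows directory; SysWOW64 holds the 32-bit copy on x64.
REAL_EXPLORER = {PureWindowsPath(r"C:\Windows\explorer.exe"),
                 PureWindowsPath(r"C:\Windows\SysWOW64\explorer.exe")}

def _compile(template):
    # The profile placeholder matches exactly one path segment, in any case.
    parts = [re.escape(p) for p in template.split("<user profile>")]
    return re.compile(r"[^\\]+".join(parts) + r"\Z", re.IGNORECASE)

ARTIFACT_RES = [_compile(t) for t in ARTIFACTS]

def is_artifact(path):
    return any(rx.match(path) for rx in ARTIFACT_RES)

def is_fake_explorer(image_path):
    # PureWindowsPath compares case-insensitively, like the file system does.
    p = PureWindowsPath(image_path)
    return p.name.lower() == "explorer.exe" and p not in REAL_EXPLORER

def triage(files, processes):
    """files: (path, md5_hex) pairs; processes: image paths. Returns findings."""
    findings = set()
    for path, md5 in files:
        if md5.lower() in BAD_MD5:
            findings.add(("md5:" + BAD_MD5[md5.lower()], path))
        if is_artifact(path):
            findings.add(("artifact-path", path))
    findings.update(("explorer-outside-windir", p)
                    for p in processes if is_fake_explorer(p))
    return sorted(findings)

# Constructed sample inventory (not real telemetry); "0" * 32 is a dummy hash.
SAMPLE_FILES = [(r"C:\Users\alice\AppData\Roaming\Help\IconCacheBt.DAT", "0" * 32),
                (r"c:\users\bob\appdata\local\temp\WIN_32.SYS", "0" * 32),
                (r"C:\Users\alice\Downloads\setup.exe", "694DD57886B32AD850224A783198D9FE")]
SAMPLE_PROCS = [r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Temp\explorer.exe"]
```

A path or process hit is a lead to investigate rather than a verdict; a hash match is the stronger signal.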

Monday, November 26, 2012

Twitter Spam Bot 'Seducing' You

Well, not directly seduce you. It will mention your name on Twitter first. It has been almost a week since I received several tweets that suddenly mentioned my nickname on my Twitter account. It looks suspicious when these people are not even following me. The text of the messages also has nothing to do with my interests.

At the time I wrote this blog post, those spammers were still actively tweeting and randomly mentioning people's names, sending around 20 tweets per day on average.

As I post this screenshot, it is not only that name that keeps randomly mentioning people; there are several other spammers using different names but almost the same message produced by their spam 'bot'. The Virus Bulletin guys also sent some screenshots regarding this Twitter spam activity.

Most of the spam 'bot' names start with the prefix 'Caprigalxxx' ('x' could be a random letter or number), but other names could be used as well. Those 'random' account names really exist, and they always use a seductive picture to attract more people to follow them.

Here is another example screenshot. Most of those spammer accounts look like this.