Chat and paste

2013-06-03

Raul Alvarez

Fortinet, Canada
Editor: Helen Martin

Abstract

SKAgent, a simple, unencrypted, unsophisticated piece of malware, sends spam messages via Skype. Raul Alvarez describes the simple copy-and-paste technique it uses to do so.


In January 2013 I looked at Phopifas, the malware that uses Skype to send spam messages [1]. The messages display different language equivalents of ‘lol is this your new profile pic?’, with the language dependent on the location of the infected machine. The message also includes a link to a site that hosts Dorkbot.

Just a couple of months later, another piece of malware was discovered using Skype to send a malicious link to any open Skype chat window. This piece of malware is a component of the Shylock campaign. For the sake of brevity, we will refer to it as ‘SKAgent’.

Unlike Phopifas, SKAgent’s coding is not complicated. It does not have any stealth capabilities, and doesn’t even perform any decryption. The interesting part is that SKAgent doesn’t use any Skype modules to send the malicious URL. So, how is this simple, unencrypted, unsophisticated malware able to send spam messages through Skype?

Not such a big deal

Just a few bytes smaller than Tinba [2], SKAgent weighs in at only 17,408 bytes. The malware’s code is not encrypted and static analysis will suffice – but of course, we want to see it in action.

SKAgent doesn’t hash any of its APIs and makes no attempt to hide them. Even the malicious URL is visible to the naked eye. The malware’s single goal is to send the URL through Skype.

Simple as it is, we will describe how this malware can send a spam message without hooking the Skype application, without injecting its code into any processes, and without using any other plug ins.

SEH protection

SKAgent sets a lot of SEH (Structured Exception Handling) routines in order to avoid unforeseen errors that might occur in and outside of its code. This is to make sure that the malware continues its spamming activities even if it encounters an error. But not even the most sophisticated algorithm can prevent errors from occurring. If error events do occur, the malware will be able to catch the erring event and display an error message, as shown in Figure 1. The numbers shown in the message will be different when the actual error occurs. They will be generated by the malware.

The presence of an error message like the one shown is a strong indication that a system is compromised by SKAgent (or another malevolent application).

Error message.

Figure 1. Error message.

Gathering all resources

The resource section of the malware contains all the data it needs for spamming, including the unencrypted malicious URL string. Figure 2 shows the different resources found in the resource section.

Different resources found in the resource section.

Figure 2. Different resources found in the resource section.

SKAgent locates the resource named ‘SET’ of type RT_RCDATA by calling the FindResourceA API. RT_RCDATA is a type of resource that contains raw data defined by the malware. If the ‘SET’ resource is not found, it will look for a resource named ‘DLY’ using the same API.

If the malware is also unable to locate the ‘DLY’ resource, the whole application will terminate. If the ‘DLY’ resource is found but there is no ‘SET’ resource, the application will still terminate since some configurations are not performed. This is a bug in the malware: it does not expect to find the ‘DLY’ resource when the ‘SET’ resource is not available.

If the ‘SET’ resource is found, the call to the FindResourceA API will yield a resource handle, which is subsequently used by calling the LoadResource API. After the call to the LoadResource API, a new handle will be generated. This handle points to the location of the malicious URL, to be used later during the spamming event.

Then, using the SizeofResource API, the malware gets the size of the malicious URL. It locks the ‘SET’ resource using the LockResource API while the URL is being copied to the newly allocated virtual memory from a call to the VirtualAlloc API.

Once the URL is securely tucked away, it will free the ‘SET’ resource using the FreeResource API. Since the proper set up has been performed, the ‘DLY’ resource value will also be placed properly into the allocated virtual memory using the same procedure as for the ‘SET’ resource.

The ‘DLY’ resource contains the string ‘10000’. The ‘DLY’ string, ‘10000’, is then converted to its equivalent integer value 10000(0x2710). This value represents the number of seconds the malware will wait before it tries to send another spam message. (We will see it being used during the spamming phase later.)

Two other resources, namely ‘DVCLAL’ and ‘PACKAGEINFO’, can be seen in the resource section, but these are not used during the malware execution and spamming.

Copy-and-paste

Phopifas has a complicated means of spamming its malicious URL. It also determines the locale of a given system in order to send a valid-looking message with the URL. But for SKAgent, a simple copy-and-paste technique proves sufficient to send a spam message.

Regular chat users wanting to send a link or an exact copy of a certain message would normally use the copy and paste technique. Typically, this involves highlighting the relevant text, pressing Ctrl-C to copy, pressing Ctrl-V to paste, and finally, pressing the Enter key to send the message.

When you press Ctrl-C, the selected text is copied to the clipboard in the background. The contents of the clipboard will be replaced by the selected text and the text will be ready for pasting. When you press Ctrl-V, the content of the clipboard is copied to any editable window – e.g. a chat window, text editor window, spreadsheet window, and so on.

SKAgent’s copy-and-paste method will only work if the chat window is active (see Figure 3).

Copy-and-paste method.

Figure 3. Copy-and-paste method.

(Click here to view a larger version of Figure 3.)

Ctrl-C

To simulate Ctrl-C (the copying of the malicious URL to the clipboard):

  1. SKAgent gets the handle of the clipboard by calling the OpenClipboard API. This handle is used for succeeding calls to clipboard related APIs.

  2. The malware clears the clipboard by calling the EmptyClipboard API.

  3. The malicious URL is placed onto the clipboard as CF_TEXT by calling the SetClipboardData API.

  4. The handle is released by calling the CloseClipboard API.

Once the clipboard has been set with the malicious URL, the malware needs to monitor the active windows in order to paste the content of the clipboard. Without using code injection or rootkit capabilities, SKAgent can figure out whether the chat window is active by using a combination of two APIs.

SKAgent uses the GetGUIThreadInfo API to retrieve the information for an active window. This API is able to get the information for any active window, even if it is not owned by the malware. Once SKAgent is running in the background, it monitors each and every active window by calling the GetGUIThreadInfo API and saving the information as the GUITHREADINFO structure (see Figure 4).

The malware uses the GetClassNameA API to acquire the class name of an active window. It uses hWndFocus from the GUITHREADINFO structure as the handle parameter. The resulting class name from the call to the GetClassNameA API is checked against the string ‘TChatRichEdit’.

Information saved as the GUITHREADINFO structure.

Figure 4. Information saved as the GUITHREADINFO structure.

Ctrl-V

If the class name of an active window matches ‘TChatRichEdit’, SKAgent emulates the Ctrl-V key combination to paste the URL into that window.

Since the malicious link is already on the clipboard, the malware just needs to simulate the Ctrl-V key combination to paste the link.

To simulate Ctrl-V:

  1. It calls the keybd_event API with parameters (0x11,0,0,0) to simulate pressing and holding the Ctrl key.

  2. It makes another call to the keybd_event API with parameters (0x56,0,0,0) to simulate pressing the ‘V’ key.

  3. By calling the keybd_event API with parameters (0x56,0,[Flags]2,0) and setting the Flags parameter to 2 (KEYEVENTF_KEYUP), it simulates the release of the ‘V’ key.

  4. It makes another call to the keybd_event API with parameters (0x11,0, 2,0), which simulates the release of the Ctrl key.

At this point, the Ctrl-V key combination has been emulated. Calling the keybd_event API twice more with parameters (0x0D,0, 0,0) followed by (0x0D,0, 2,0), simulates the pressing and releasing of the Enter key.

As long as the chat window is active, any message that is typed or waiting in the ‘input’ area of the chat window will be sent, including the malicious URL. If the user is currently chatting with another person, he/she may notice that the message containing the URL has been sent without having pressed the Enter key.

SKAgent will sleep for 10,000ms (the value from the ‘DLY’ resource) before starting the process again, from copying the malicious URL to the clipboard, up to the pasting of the link into the active chat window.

The message containing the malicious URL has the following format:

‘LOL http://www.[removed]k.com/images.php?id=IMG0540250.JPG’. 

(At the time of writing this article, the link is no longer active, but for safety, I have removed part of the URL.)

Advantage over Phopifas

Phopifas uses one of the Skype modules in order to spam its malicious URL to users listed in the friends list. If a machine is running a different chat application, Phopifas won’t be able to infect it. In this case, it will take a different piece of malware altogether to implement the infection of a different chat program.

On the other hand, SKAgent doesn’t make use of any of the modules used by Skype. It uses a simple technique of copy and paste. If the malware is running as an active process and the user is chatting using Skype, SKAgent will paste the malicious URL into the chat window and simulate the pressing and releasing of the Enter key. Even if the user has not finished the message he or she is typing, the simulated Ctrl V and Enter sequence will send the unfinished message including the malicious URL.

Since it will appear to the person on the other side of the conversation that the message has been sent by the person that they are talking to, there is a significant chance that the malicious link will be clicked.

A simple tweak to the malware’s code would enable it to copy and paste the malicious link to any kind of chat application. All the user would need to do is to open the chat window and malware would take care of the rest.

Conclusion

Any sort of chat application, from standalone chat programs to the embedded chat messaging systems of social networking sites, is vulnerable to this type of attack. One way to avoid falling victim to such an attack is to avoid clicking on any links in any chat windows, even if they appear to have been sent by the person on the other side of the conversation.

Bibliography

[1] Alvarez, R. Talk To You Later. Virus Bulletin, January 2013. http://www.virusbtn.com/virusbulletin/archive/2013/01/vb201301-Talk.

[2] Alvarez, R. Tiny Modularity. Virus Bulletin, July 2012. http://www.virusbtn.com/virusbulletin/archive/2012/07/vb201207-tiny-modularity.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.