Posts tagged ‘Underground’

File Patcher W32/Tobin

While refining and improving our detection of the W32/Tobin file patcher malware we analysed its “infection” algorithm more closely. Upon execution, it drops a DLL (usually “nikitob.dll”) and modifies executable files on the system so that they load the dropped DLL once they get started. So far nothing new or unusual.

Fig. 1: The new import table

W32/Tobin adds a new section named “.lenna” at the end of the PE file. This section consists of an import table – such import tables are used by the Windows loader to dynamically load DLLs and provide the corresponding functions from them to the started program. The new import table references the dropped DLL “nikitob.dll”. At the same time, the import data directory entry in the PE header gets modified to point to the newly attached import table. If there is a bound import table in the executable, W32/Tobin “removes” the entry from the data directory by setting its RVA and size to 0.
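As an added example (not code from the original post or from Avira), here is a defensive check for the patching pattern just described: it parses the PE section table and data directories, walks the import descriptors, and flags a trailing “.lenna” section, an import table living in that last section, an import of nikitob.dll, and a zeroed bound-import directory entry. The `build_sample` helper constructs a minimal PE32 image in memory purely to exercise the check; it is not a real Tobin sample.

```python
import struct

def parse_pe(data):
    """Return (data directories, section headers) of a PE32/PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(ndirs)]  # (RVA, size)
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    return dirs, secs  # section: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)

def rva_to_off(rva, secs):  # RVA -> file offset via the section table, None if unmapped
    for _, vs, va, rs, rp in secs:
        if va <= rva < va + max(vs, rs):
            return rva - va + rp
    return None

def check_tobin(data):
    """Flag the pattern from the post: import table moved into a new last section, import of nikitob.dll, bound-import entry zeroed."""
    dirs, secs = parse_pe(data)
    imp_rva, dlls = dirs[1][0], []  # directory 1 = IMAGE_DIRECTORY_ENTRY_IMPORT
    off = rva_to_off(imp_rva, secs)
    while off is not None:
        desc = struct.unpack_from("<IIIII", data, off)  # IMAGE_IMPORT_DESCRIPTOR
        noff = rva_to_off(desc[3], secs)  # desc[3] = Name RVA of the imported DLL
        if not any(desc) or noff is None:  # all-zero descriptor terminates the table
            break
        dlls.append(data[noff:data.index(b"\0", noff)].decode("latin-1").lower())
        off += 20
    return {"lenna_section": secs[-1][0].rstrip(b"\0") == b".lenna",
            "imports_in_last_section": rva_to_off(imp_rva, secs[-1:]) is not None,
            "imports_nikitob": "nikitob.dll" in dlls,
            "bound_import_zeroed": len(dirs) > 11 and dirs[11] == (0, 0)}  # 11 = BOUND_IMPORT

def build_sample(infected):
    """Constructed PE32 image (not a real Tobin sample): one section holding an import table."""
    va, raw = 0x1000, 0x200
    body = struct.pack("<IIIII", 0, 0, 0, va + 40, 0) + b"\0" * 20  # one descriptor + terminator
    body += b"nikitob.dll\0" if infected else b"kernel32.dll\0"
    dirs = [(0, 0), (va, 40)] + [(0, 0)] * 14  # import directory -> our section
    if not infected:
        dirs[11] = (0x3000, 0x20)  # a clean file may legitimately carry a bound import table
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16) + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = struct.pack("<8sIIII", b".lenna" if infected else b".text", 0x200, va, 0x200, raw).ljust(40, b"\0")
    return (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + coff + opt + sec).ljust(raw, b"\0") + body.ljust(0x200, b"\0")
```

Run `check_tobin(open(path, "rb").read())` against a suspect file; all four flags together are a strong indicator, while a single one (a file with only one section, say) is not.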

Fig. 2: Original data directory address

Fig. 3: Patched data directory address

The dropped DLL “nikitob.dll” just exports one function, “NikitaTob”. Upon calling it, it shows a message box with the text “NikitaTob”. The actual virus code is executed automatically when the DLL is loaded.

Fig. 4: The malware DLL exports just one function

Among other things, the import address table is rebuilt to make the patched executable work. In our analysis we didn’t find further malicious routines in the malware.

Fig. 5: Upon calling the exported function, W32/Tobin just shows a message

In one of the W32/Tobin samples we found the reference to “C:\NIKITA\Soft\black_soft\29a\nikitob\Release\nikitob.pdb”. A short search in our archives turned up an old magazine of the VX group 29A. In the issue from January 2005 there is proof-of-concept code which infects files in exactly the W32/Tobin way. The new section there is called “.senna”, and a message box shows the text “PayLoad”. It looks like some malware writers used the proof-of-concept virus to learn new techniques.

Removing this kind of malware from an infected system isn’t as simple as it may look at first glance. Simply deleting the dropped DLL doesn’t work: the infected executables now depend on the DLL and won’t start anymore. Most likely the whole system wouldn’t start up anymore. Since W32/Tobin stores the address of the original import table at the end of the executable, it is possible to restore that value and disinfect the system gracefully.

Dirk Knop
Technical Editor

Cryptors for sale, full service included

The underground economy is a strange place. Sometimes you stumble over offers which sound really good – from the malware writer’s point of view. Recently we became aware of a German site selling a so-called cryptor which is supposed to make the malware of the interested buyer undetectable for antivirus products.

When will they start with "buy one, get one free"? The underground economy is becoming increasingly service-orientated.

Such a cryptor adds its own unscrambling routine to the binary of an attacker and encrypts the rest of it. This would fool heuristic detections that search for certain code snippets representing functions in executable files, for example for requesting a network socket, performing file read/write, and so on. Also, a signature detection can be circumvented with a new cryptor version which slightly changes the encryption; this means that the malware author has to spread a new binary though.

Feature-wise the cryptor sounds very sophisticated: the coders promise sandbox detection, as well as detection of virtual machines like VMware and VirtualPC – which is very simple, a programmer at his/her very beginning can code that within 5 minutes. They also correct the PE headers of a Windows executable after patching it, which otherwise is an easy way to detect the cryptor. Additionally, they even did some quality assurance with some common bots and backdoors and guarantee their cryptor to work with those. The programmers also emphasise the ease of use of their crime-supporting-ware. In the corresponding forums, plenty of such tools are offered – accompanied by discussions on how to bypass certain antivirus solutions.

The price for this cryptor is very low, only 40 Euros. If you consider that you get between 1 and 20 US-$ for the data of a credit card or a whole stolen identity, this is just peanuts. Also included in this price: a guarantee to get a new cryptor version, should yours be detected by some antivirus product. The underground is becoming increasingly service-orientated.

Since we are monitoring the scene, these cryptors pose no real threat though. Most of the time they are quite trivial to detect. So purchasing them is a pure waste of money. Also think about this: can you trust someone who offers you something criminal to help you with your crime? Your banking data or credit card numbers are of a certain value for the cryptor seller, too…

Dirk Knop
Technical Editor