Didier Stevens

Tuesday 24 July 2007

RSR

Filed under: Malware,Reverse Engineering — Didier Stevens @ 6:53

This is an example of Really Simple Reversing of a piece of malware. It’s written in the AutoIt scripting language and compiled to an EXE.

It’s not intentional, I’m sure about this, but this AutoIt tool offers some interesting features for (inexperienced) malware authors. You can compile your script to a stand-alone executable that is automatically packed with UPX. And even after unpacking it, the strings are still obfuscated.

Decompiling the script is really easy, because the AutoIt authors include a decompilation utility with the AutoIt installation package (Exe2Aut). You can find a video of the decompilation here hosted on YouTube, and you can find a hires version (XviD) here. The icon of the bin.exe file you see in the video is the default AutoIt icon.

autoit.png

See how easy it becomes understanding what this malware does once you have the source code:

  • the URLs are defined in variables at the beginning
  • you can see from where the malware downloads updates and where they get installed
  • how it disables tools that can help you clean the infected machine, like Task Manager
  • that it tries to spread via IM applications

And did you notice the folder under F:\Documents and Settings at the beginning of the script? Oops!

When I submitted this malware to VirusTotal, only 4 AV engines detected it (July 18th 2007).

I played with the AutoIt compiler and decompiler and found some interesting things, I’ll probably blog about this later. Here is a hint: when you password-protect a compiled AutoIt script, you have to provide the password to decompile it, but not to execute it. Can you guess what this means? 😉 Post your answer in the comment section!

Blog at WordPress.com.