This post is part two of two.

In our previous post, we came across a couple of files that used popular games as part of their social engineering technique. One of the files, named "diablo3-crack.exe" (after the Diablo video game series), is currently detected as Backdoor:Win32/Fynloski.A. It piqued our interest because we're avid gamers, and when we took a closer look we found, much to our surprise, that the obfuscation technique it uses was interesting as well.

An initial look at the file (SHA-1: a3ca4151c31181a3b948b7cd6a1ef97754fcce22) revealed an intriguing thing about the way it decodes its strings, shown in Figure 1 below:

Fig. 1 - Backdoor:Win32/Fynloski.A code

We can see from Figure 1 that this code will copy the file into a temporary folder, but we can't see the name that is being used for the copy yet. We'll need to decrypt it first.

We've seen this type of encryption used in various other threats, such as Worm:Win32/Ainslot.A, Worm:Win32/Skopvel and Worm:Win32/Rebhip.A, so we decided to dig deeper. In order to decrypt the strings and see what the code does, we translated the routine into its C# equivalent (shown in Figure 2):

Fig. 2 - Decryptor for Backdoor:Win32/Fynloski.A converted to C#

By feeding the two strings (the encoded string and the key) into our decoding routine, we can learn more about what the malware does. For example, in Figure 2, after decryption we can see that the malware uses svchost.exe as the name for the dropped file.

Now that we've decrypted the code, let's have a look in Figure 3 at the start of the injection routine:

Fig. 3 - Start of the injection routine for Backdoor:Win32/Fynloski.A (note that this is an incomplete code snippet)

The routine is obfuscated, but once we decode the strings and resolve the data structures, we get a human-readable version, shown in Figure 4, of what's going on:

Fig. 4 - C#-like translation of the code snippet shown in Figure 3

From here on, the code is straightforward. The backdoor routine is retrieved and injected into various legitimate processes via the WriteProcessMemory API. A detailed description of what the malware does can be found in its encyclopedia description.

As always, run an antivirus solution to protect your computer against these kinds of threats.

--

Andrei && Francis