We looked into a few samples of the malware, observing how the transfer of control to Polip code happens. As we read through the code, I started seeing some patterns.
In the cases we looked at, Polip always added a new section to the end of the infected executable. Then it chose some call within the original application and modified it to jump to the virus code, later on resuming execution in the original target of the call. In that way it kept the original functionality of the infected application, just with a small detour.
Needless to say, it would be very tedious to manually find the redirected call(s) within an infected executable, but really easy with some scripting. Using IDAPython and the knowledge of what the jumps to the malicious code look like, we can easily come up with something that will quickly list them for us.
Let's take a look at the structure of the executable. The code of the standard application will, in most cases, reside in a single segment named CODE, .text or something along those lines. The code of the virus will reside in a segment appended to the end of the file.

Hence, if we could make a simple script that checks every single code reference that crosses segment boundaries, we would be able to list the transfers of control to the virus. Some other references might come up depending on the executable, but with some additional filtering, we will get just a few, with Polip's entry point(s) among them.
The idea in pseudo-code could look something like the following:
    for each segment in the executable:
        for each function in the segment:
            for each instruction in the function:
                for each code reference from the instruction:
                    if the reference points to another segment
                    and both source and target segments are marked executable then
                        print 'Possible obfuscated entry point found'
And in IDAPython... well, not all that different:
    from idautils import *
    from idc import *

    # Walk every function in every segment and flag code references whose
    # source and target lie in different segments that are both executable
    # (bit 0x1 of SEGATTR_PERM is the execute permission).
    for segment in Segments():
        for func_start in Functions(segment, SegEnd(segment)):
            for head in Heads(func_start, FindFuncEnd(func_start)):
                # flow=0: only explicit jumps/calls, not fall-through
                for ref in list(CodeRefsFrom(head, 0)):
                    if SegName(ref) != SegName(func_start) \
                       and GetSegmentAttr(ref, SEGATTR_PERM) & 0x1 \
                       and GetSegmentAttr(func_start, SEGATTR_PERM) & 0x1:
                        print('%08x: intersegment reference to %08x' % (head, ref))
Polip also finds cavities within the "standard" text section and places chunks of itself there. For those cases this simple idea of looking for inter-segment code references won't yield anything. Fortunately, most of the code lies in the extra section, and by studying the references from that code it is almost trivial to find the chunks that Polip inserted in the cavities... it's just a few more lines of IDAPython left as an exercise for the reader... ;-)
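To show the same heuristic, and the cavity follow-up, running outside IDA, here is an added example (not the post's IDAPython, and not Polip's code) over a constructed model of an infected binary: the segment names, addresses, permissions and code references are all made up, and the "referenced only from the virus section" rule used to pick out cavity chunks is an assumption of this example rather than something stated above.

```python
from collections import namedtuple

# perm bit 0x1 = executable, mirroring IDA's SEGATTR_PERM convention
Segment = namedtuple("Segment", "name start end perm")
SEGPERM_EXEC = 0x1

# Constructed layout: host code in .text, data in .data, virus code in an
# appended executable section (called .polip here purely for illustration).
SEGMENTS = [
    Segment(".text",  0x401000, 0x405000, 0x5),   # read + exec
    Segment(".data",  0x405000, 0x406000, 0x6),   # read + write
    Segment(".polip", 0x406000, 0x407000, 0x7),   # appended, executable
]

# Constructed code references: (source instruction, target address).
CODE_REFS = [
    (0x401010, 0x401200),  # ordinary intra-.text call
    (0x401234, 0x406000),  # redirected call: .text -> .polip (the detour)
    (0x401500, 0x402000),  # ordinary call to the function Polip detoured
    (0x401300, 0x405010),  # pointer into .data: not executable, filtered out
    (0x406050, 0x402000),  # .polip resumes execution at the original target
    (0x406080, 0x403f00),  # .polip -> chunk it dropped into a .text cavity
]

def seg_of(addr, segments=SEGMENTS):
    """Return the segment containing addr, or None (like idc.SegName)."""
    for s in segments:
        if s.start <= addr < s.end:
            return s
    return None

def intersegment_code_refs(refs, segments=SEGMENTS):
    """References crossing segment boundaries with both ends executable."""
    hits = []
    for src, dst in refs:
        s, d = seg_of(src, segments), seg_of(dst, segments)
        if s and d and s is not d and s.perm & SEGPERM_EXEC and d.perm & SEGPERM_EXEC:
            hits.append((src, dst))
    return hits

def virus_entry_points(refs, virus_seg, segments=SEGMENTS):
    """Transfers of control INTO the appended section: the detours."""
    return [(s, d) for s, d in intersegment_code_refs(refs, segments)
            if seg_of(d, segments).name == virus_seg]

def cavity_chunks(refs, virus_seg, segments=SEGMENTS):
    """Addresses the appended section references in host segments that the
    host code itself never references: candidate chunks hidden in cavities."""
    host_targets = {d for s, d in refs if seg_of(s, segments).name != virus_seg}
    return sorted({d for s, d in intersegment_code_refs(refs, segments)
                   if seg_of(s, segments).name == virus_seg and d not in host_targets})
```

The resume jump back to the original call target shows up as a cross-segment reference too, which is the kind of extra hit the post mentions; the `host_targets` filter separates it from chunks that only the virus code knows about.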
Just want to remind anyone interested that BlackHat Vegas is coming in a few weeks and Pedram Amini and I will be teaching our training, "Reverse Engineering on Windows: Application in Malicious Code Analysis". If you want to learn how to build this kind of automation, among other things, we would love to have you in our class.