Artifact-Malware and its Primary and Secondary Effects

A few days ago we saw an article in Facebook stream about trolling airline passengers. When they descend to an airport, they read a different city name written in large letters on the roof of some house.

An idea came to us to model this behavior for memory dump analysis: when we analyze crash dumps we usually rely on the output of some commands that redirect or reformat the contents of memory. For example, lmv WinDbg command shows module resource information such as its product name, copyright information, etc. What if that information were deliberately crafted to deceive and disturb software diagnostics and debugging process, and ultimately to explore possible vulnerabilities there? Popular debuggers have their own vulnerabilities1 which may be used not only for anti-debugging purposes. When we say “deliberately crafted” we don’t mean Fake Module2 malware analysis pattern that is about a module that tries to present itself as another legitimate, well-known module. Also, we are not concerned with false positive decoy artifacts3. In our case Artifact-Malware, as we call it (or Arti-Malware for short, not to confuse with anti-malware), intentionally leaves malicious legitimate artifacts in software execution artifacts (such as memory dumps, traces, and logs) deliberately structured to alter execution of static analysis tools such as debuggers, disassemblers, reversing tools, etc. Such artifacts in artifacts may suggest exploring them further as possible culprits of abnormal software behavior thus triggering certain software and human vulnerabilities, and even social engineering attacks (when they suggest calling a phone number).

To model this, we quickly created a small Visual C++ project called TrollingApp and inserted version info resource. Normally WinDbg lmv command would show something like this:

0:000> lmv m TrollingModule
start             end                 module name
00000001`3ff50000 00000001`3ff58000   TrollingModule C 
(private pdb symbols)
    Loaded symbol image file: TrollingModule.exe
    Image path: ...\TrollingApp\x64\Release\TrollingModule.exe
    Image name: TrollingModule.exe
    Timestamp:        Sat Jun 27 10:28:47 2015 (558E6CCF)
    CheckSum:         00000000
    ImageSize:        00008000
    File version:     1.0.0.1
    Product version:  1.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     1809.04b0
    CompanyName:      TODO: 
    ProductName:      TODO: 
    InternalName:     TrollingModule.exe
    OriginalFilename: TrollingModule.exe
    ProductVersion:   1.0.0.1
    FileVersion:      1.0.0.1
    FileDescription:  TODO: 
    LegalCopyright:   Copyright © 2015 
        by Software Diagnostics Institute

Since LegalCopyright is the last field shown in the formatted output, we changed it to contain the long string of “\r\n” characters intended to scroll away module information. The string was long as it was allowed by the resource compiler.

VS_VERSION_INFO VERSIONINFO
 FILEVERSION 1,0,0,1
 PRODUCTVERSION 1,0,0,1
 FILEFLAGSMASK 0x3fL
 FILEFLAGS 0x0L
 FILEOS 0x40004L
 FILETYPE 0x1L
 FILESUBTYPE 0x0L
BEGIN
    BLOCK "StringFileInfo"
    BEGIN
        BLOCK "180904b0"
        BEGIN
            VALUE "CompanyName", "TODO: "
            VALUE "FileDescription", "TODO: "
            VALUE "FileVersion", "1.0.0.1"
            VALUE "InternalName", "TrollingModule.exe"
            VALUE "LegalCopyright", "\r\n\r\n\r\n ... "
            VALUE "OriginalFilename", "TrollingModule.exe"
            VALUE "ProductName", "TODO: "
            VALUE "ProductVersion", "1.0.0.1"
        END
    END
    BLOCK "VarFileInfo"
    BEGIN
        VALUE "Translation", 0x1809, 1200
    END
END

The program itself is very simple triggering a NULL pointer exception to generate a crash dump (we configured LocalDumps registry key on Windows 7).

int _tmain(int argc, _TCHAR* argv[])
{
	int *p = 0;

	*p = 0;
	return 0;
}

So we opened a crash dump and checked the stack trace which suggested checking information about TrollingModule (as Exception Module4 memory analysis pattern):

Loading Dump File [C:\MemoryDumps\TrollingModule.exe.2076.dmp]
User Mini Dump File with Full Memory: Only application data is available

Windows 7 Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS Personal
Machine Name:
Debug session time: Sat Jun 27 10:28:58.000 2015 (UTC + 1:00)
System Uptime: 3 days 21:28:51.750
Process Uptime: 0 days 0:00:01.000
.....
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(81c.1604): Access violation - code c0000005 (first/second chance not available)
ntdll!NtWaitForMultipleObjects+0xa:
00000000`7769186a c3 ret

0:000> .symfix c:\mss

0:000> .reload
.....

0:000> kL
Child-SP RetAddr Call Site
00000000`001fe6d8 000007fe`fd741430 ntdll!NtWaitForMultipleObjects+0xa
00000000`001fe6e0 00000000`77541723 KERNELBASE!WaitForMultipleObjectsEx+0xe8
00000000`001fe7e0 00000000`775bb5e5 kernel32!WaitForMultipleObjectsExImplementation+0xb3
00000000`001fe870 00000000`775bb767 kernel32!WerpReportFaultInternal+0x215
00000000`001fe910 00000000`775bb7bf kernel32!WerpReportFault+0x77
00000000`001fe940 00000000`775bb9dc kernel32!BasepReportFault+0x1f
00000000`001fe970 00000000`776d3398 kernel32!UnhandledExceptionFilter+0x1fc
00000000`001fea50 00000000`776585c8 ntdll! ?? ::FNODOBFM::`string'+0x2365
00000000`001fea80 00000000`77669d2d ntdll!_C_specific_handler+0x8c
00000000`001feaf0 00000000`776591cf ntdll!RtlpExecuteHandlerForException+0xd
00000000`001feb20 00000000`77691248 ntdll!RtlDispatchException+0x45a
00000000`001ff200 00000001`3ff51002 ntdll!KiUserExceptionDispatch+0x2e
00000000`001ff908 00000001`3ff51283 TrollingModule!wmain+0x2
00000000`001ff910 00000000`775359ed TrollingModule!__tmainCRTStartup+0x10f
00000000`001ff940 00000000`7766c541 kernel32!BaseThreadInitThunk+0xd
00000000`001ff970 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

But when we executed lmv command we saw the blank screen with some UNICODE symbols at the end:

Not only we triggered the scroll but the artifact buffer somehow caused additional unintended consequences.
We were also surprised by the second order effects. We were curious about what that Unicode string was meant and copied it to Google translate page in IE. It was hanging afterward spiking CPU when we were switching to that tab. We tried to save a crash dump using Task Manager, but it failed with a message about an error in ReadProcessMemory API and, although, the crash dump was saved, it was corrupt. The tab was recovered, and we were not able to reproduce it again. Perhaps, the browser was already in an abnormal state because on the second attempt it behaved better:

Simple Google search shows that such output also appeared in different problems such as related to PDF printing:

In conclusion, we say that the primary effect of arti-malware is abnormal software behavior in static analysis tools. We have the secondary effect when information produced by a static analysis tool triggers abnormal software behavior in another analysis tool.

1 M. Sikorski, A. Honig, Practical Malware Analysis, Debugger Vulnerabilities, page 363
2 D. Vostokov, Memory Dump Analysis Anthology, Volume 7, page 240
3 A. Walters, N. Petroni, Jr., Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process
4 D. Vostokov, Memory Dump Analysis Anthology, Volume 8a, page 80