2013-06-03
Abstract
SKAgent, a simple, unencrypted, unsophisticated piece of malware, sends spam messages via Skype. Raul Alvarez describes the simple copy-and-paste technique it uses to do so.
Copyright © 2013 Virus Bulletin
In January 2013 I looked at Phopifas, the malware that uses Skype to send spam messages [1]. The messages display different language equivalents of ‘lol is this your new profile pic?’, with the language dependent on the location of the infected machine. The message also includes a link to a site that hosts Dorkbot.
Just a couple of months later, another piece of malware was discovered using Skype to send a malicious link to any open Skype chat window. This piece of malware is a component of the Shylock campaign. For the sake of brevity, we will refer to it as ‘SKAgent’.
Unlike Phopifas, SKAgent’s coding is not complicated. It does not have any stealth capabilities, and doesn’t even perform any decryption. The interesting part is that SKAgent doesn’t use any Skype modules to send the malicious URL. So, how is this simple, unencrypted, unsophisticated malware able to send spam messages through Skype?
Just a few bytes smaller than Tinba [2], SKAgent weighs in at only 17,408 bytes. The malware’s code is not encrypted and static analysis will suffice – but of course, we want to see it in action.
SKAgent doesn’t hash any of its APIs and makes no attempt to hide them. Even the malicious URL is visible to the naked eye. The malware’s single goal is to send the URL through Skype.
Simple as it is, we will describe how this malware can send a spam message without hooking the Skype application, without injecting its code into any processes, and without using any other plug ins.
SKAgent sets a lot of SEH (Structured Exception Handling) routines in order to avoid unforeseen errors that might occur in and outside of its code. This is to make sure that the malware continues its spamming activities even if it encounters an error. But not even the most sophisticated algorithm can prevent errors from occurring. If error events do occur, the malware will be able to catch the erring event and display an error message, as shown in Figure 1. The numbers shown in the message will be different when the actual error occurs. They will be generated by the malware.
The presence of an error message like the one shown is a strong indication that a system is compromised by SKAgent (or another malevolent application).
The resource section of the malware contains all the data it needs for spamming, including the unencrypted malicious URL string. Figure 2 shows the different resources found in the resource section.
SKAgent locates the resource named ‘SET’ of type RT_RCDATA by calling the FindResourceA API. RT_RCDATA is a type of resource that contains raw data defined by the malware. If the ‘SET’ resource is not found, it will look for a resource named ‘DLY’ using the same API.
If the malware is also unable to locate the ‘DLY’ resource, the whole application will terminate. If the ‘DLY’ resource is found but there is no ‘SET’ resource, the application will still terminate since some configurations are not performed. This is a bug in the malware: it does not expect to find the ‘DLY’ resource when the ‘SET’ resource is not available.
If the ‘SET’ resource is found, the call to the FindResourceA API will yield a resource handle, which is subsequently used by calling the LoadResource API. After the call to the LoadResource API, a new handle will be generated. This handle points to the location of the malicious URL, to be used later during the spamming event.
Then, using the SizeofResource API, the malware gets the size of the malicious URL. It locks the ‘SET’ resource using the LockResource API while the URL is being copied to the newly allocated virtual memory from a call to the VirtualAlloc API.
Once the URL is securely tucked away, it will free the ‘SET’ resource using the FreeResource API. Since the proper set up has been performed, the ‘DLY’ resource value will also be placed properly into the allocated virtual memory using the same procedure as for the ‘SET’ resource.
The ‘DLY’ resource contains the string ‘10000’. The ‘DLY’ string, ‘10000’, is then converted to its equivalent integer value 10000(0x2710). This value represents the number of seconds the malware will wait before it tries to send another spam message. (We will see it being used during the spamming phase later.)
Two other resources, namely ‘DVCLAL’ and ‘PACKAGEINFO’, can be seen in the resource section, but these are not used during the malware execution and spamming.
Phopifas has a complicated means of spamming its malicious URL. It also determines the locale of a given system in order to send a valid-looking message with the URL. But for SKAgent, a simple copy-and-paste technique proves sufficient to send a spam message.
Regular chat users wanting to send a link or an exact copy of a certain message would normally use the copy and paste technique. Typically, this involves highlighting the relevant text, pressing Ctrl-C to copy, pressing Ctrl-V to paste, and finally, pressing the Enter key to send the message.
When you press Ctrl-C, the selected text is copied to the clipboard in the background. The contents of the clipboard will be replaced by the selected text and the text will be ready for pasting. When you press Ctrl-V, the content of the clipboard is copied to any editable window – e.g. a chat window, text editor window, spreadsheet window, and so on.
SKAgent’s copy-and-paste method will only work if the chat window is active (see Figure 3).
(Click here to view a larger version of Figure 3.)
To simulate Ctrl-C (the copying of the malicious URL to the clipboard):
SKAgent gets the handle of the clipboard by calling the OpenClipboard API. This handle is used for succeeding calls to clipboard related APIs.
The malware clears the clipboard by calling the EmptyClipboard API.
The malicious URL is placed onto the clipboard as CF_TEXT by calling the SetClipboardData API.
The handle is released by calling the CloseClipboard API.
Once the clipboard has been set with the malicious URL, the malware needs to monitor the active windows in order to paste the content of the clipboard. Without using code injection or rootkit capabilities, SKAgent can figure out whether the chat window is active by using a combination of two APIs.
SKAgent uses the GetGUIThreadInfo API to retrieve the information for an active window. This API is able to get the information for any active window, even if it is not owned by the malware. Once SKAgent is running in the background, it monitors each and every active window by calling the GetGUIThreadInfo API and saving the information as the GUITHREADINFO structure (see Figure 4).
The malware uses the GetClassNameA API to acquire the class name of an active window. It uses hWndFocus from the GUITHREADINFO structure as the handle parameter. The resulting class name from the call to the GetClassNameA API is checked against the string ‘TChatRichEdit’.
If the class name of an active window matches ‘TChatRichEdit’, SKAgent emulates the Ctrl-V key combination to paste the URL into that window.
Since the malicious link is already on the clipboard, the malware just needs to simulate the Ctrl-V key combination to paste the link.
To simulate Ctrl-V:
It calls the keybd_event API with parameters (0x11,0,0,0) to simulate pressing and holding the Ctrl key.
It makes another call to the keybd_event API with parameters (0x56,0,0,0) to simulate pressing the ‘V’ key.
By calling the keybd_event API with parameters (0x56,0,[Flags]2,0) and setting the Flags parameter to 2 (KEYEVENTF_KEYUP), it simulates the release of the ‘V’ key.
It makes another call to the keybd_event API with parameters (0x11,0, 2,0), which simulates the release of the Ctrl key.
At this point, the Ctrl-V key combination has been emulated. Calling the keybd_event API twice more with parameters (0x0D,0, 0,0) followed by (0x0D,0, 2,0), simulates the pressing and releasing of the Enter key.
As long as the chat window is active, any message that is typed or waiting in the ‘input’ area of the chat window will be sent, including the malicious URL. If the user is currently chatting with another person, he/she may notice that the message containing the URL has been sent without having pressed the Enter key.
SKAgent will sleep for 10,000ms (the value from the ‘DLY’ resource) before starting the process again, from copying the malicious URL to the clipboard, up to the pasting of the link into the active chat window.
The message containing the malicious URL has the following format:
‘LOL http://www.[removed]k.com/images.php?id=IMG0540250.JPG’.
(At the time of writing this article, the link is no longer active, but for safety, I have removed part of the URL.)
Phopifas uses one of the Skype modules in order to spam its malicious URL to users listed in the friends list. If a machine is running a different chat application, Phopifas won’t be able to infect it. In this case, it will take a different piece of malware altogether to implement the infection of a different chat program.
On the other hand, SKAgent doesn’t make use of any of the modules used by Skype. It uses a simple technique of copy and paste. If the malware is running as an active process and the user is chatting using Skype, SKAgent will paste the malicious URL into the chat window and simulate the pressing and releasing of the Enter key. Even if the user has not finished the message he or she is typing, the simulated Ctrl V and Enter sequence will send the unfinished message including the malicious URL.
Since it will appear to the person on the other side of the conversation that the message has been sent by the person that they are talking to, there is a significant chance that the malicious link will be clicked.
A simple tweak to the malware’s code would enable it to copy and paste the malicious link to any kind of chat application. All the user would need to do is to open the chat window and malware would take care of the rest.
Any sort of chat application, from standalone chat programs to the embedded chat messaging systems of social networking sites, is vulnerable to this type of attack. One way to avoid falling victim to such an attack is to avoid clicking on any links in any chat windows, even if they appear to have been sent by the person on the other side of the conversation.
[1] Alvarez, R. Talk To You Later. Virus Bulletin, January 2013. http://www.virusbtn.com/virusbulletin/archive/2013/01/vb201301-Talk.
[2] Alvarez, R. Tiny Modularity. Virus Bulletin, July 2012. http://www.virusbtn.com/virusbulletin/archive/2012/07/vb201207-tiny-modularity.