Sunday, August 28, 2011

Can we believe our eyes?

Several days ago, one of our customers submitted a sample (SHA1: fbe71968d4c5399c2906b56d9feadf19a35beb97, detected as TrojanDropper:Win32/Vundo.L). This trojan hijacks  the hosts “vk.com” and “vkontakte.ru” (both social networking sites in Russia)and redirects them to 92.38.209.252, but achieves this in an unusual way.

A common  method used to hijack a website and redirect it to a site of the attacker’s choice is to add an entry in the Windows hosts file located in the %SystemRoot%\system32\drivers\etc directory. However, when we open this file on an affected computer, it doesn’t contain any entries related to “vk.com” and “vkontakte.ru”, as you can see in the following example:

3364.BID17_2D00_001.jpg

But when we show hidden files, we can see another “hosts” file. It is hidden, as in the following example:

5775.BID17_2D00_002.jpg

There are two files with exactly the same name, “hosts”, in the etc directory! How can this happen?

As we know, it is not possible for a directory to contain two files with the same name. When we copy the file names to notepad, save them as a Unicode text file and open them with a hex editor we see the following (the upper is for the first “hosts” file, the lower is for the second “hosts” file):

For Unicode (UTF-16), the 0x006F is the same as 0x6F in ASCII, which is the character “o”. But what’s the 0x043E in Unicode? We can find it in Unicode chart table (Range: 0400-04FF). The following is part of this table.

Read more: Microsoft Malware Protection Center
QR: can-we-believe-our-eyes.aspx

Posted via email from Jasper-Net