The Layers of Trojan.Ransompage
Trojan.Ransompage is interesting because it is the first ransom threat that is designed to target three different browser platforms. Not only has the malware author chosen to target the two most popular browsers, Firefox and Internet Explorer, but Opera is also a target. This shows that the malware author wanted to target more than one browser in order to maximize the chances of success in case an infected user decided to change browsers rather than pay the ransom.
Curiously, the malware author decided to use a scripting language instead of a regular executable. Most of the time, we see payloads being delivered by an executable file. However, in this case, the payload came in the form of a .wsf file. According to Microsoft:
A Windows script (*.wsf) file is a text document containing Extensible Markup Language (XML) code. It incorporates several features that offer you increased scripting flexibility. Because Windows script files are not engine-specific, they can contain script from any Windows Script compatible scripting engine. They act as a container.
Layer 2: Understanding the main payload
Layer 3: Figure out what is happening to Internet Explorer, Firefox, and Opera
As you can see, some work has to be done in order to find out what the Trojan is trying to do. After stripping out the unnecessary elements (the XML wrapper) and simply formatting the code, the script becomes a bit more readable:
While this may seem confusing, taking a closer look at the code actually reveals that the malware author threw in several dummy loops and randomly named variables to deter further analysis. These instances are shown inside the red boxes. For example, the first condition in the top red box shows a statement of “IF ( 0 > 1 ) …” This will never be true; therefore, anything inside that grouping will never run. The same goes for the following “while” loop. In fact, the only instructions that are actually successfully run in that portion of the script are the instructions building the aiSUfXq6Rpq2e8m string, shown with the green arrows.
After removing the dummy loops and renaming the variables to something more understandable we arrive at the following code:
As can be seen from the formatted code above, there is a layer of encryption to go through. The important line from the decryption routine above is:
decrypting[i] = String[strFromCharCod]('0x'+encrypted_payload[strSubstr](i*2, 2)^key[strCharCodeAt](j));
This shows that the payload is xor’d with the key. Of course, for the threat to run it must be able to decrypt itself, so we will just wait until the payload has been decrypted and then output the decrypted code to the screen. We can do this by calling alert(decrypted_payload); on line 25 above.
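The routine behind that line, rewritten as an added example (this is not the malware's code and not from the original post): the payload is stored as hex, two characters per byte, and each byte is XOR'd with a key character. The function names, the assumption that the key index j cycles over the key, and the sample key and plaintext are all constructed here; the Layer 3 routine described later uses the same construction and decodes the same way.

```javascript
// Added example: cleaned-up form of the hex-then-XOR scheme from the
// decryption line above. Key, plaintext and ciphertext below are
// constructed for illustration, not taken from the real sample.

// Decode a hex string (two characters per byte) and XOR each byte with
// the key character at the same position, cycling through the key.
// Assumption: the original's key index j wraps around at key.length.
// Unlike the original's ('0x' + hex) ^ key, which silently treats bad
// hex as 0, malformed input is rejected here.
function xorHexDecrypt(encryptedHex, key) {
  if (encryptedHex.length % 2 !== 0) {
    throw new Error("hex payload must have an even number of characters");
  }
  const out = [];
  for (let i = 0, j = 0; i * 2 < encryptedHex.length; i++) {
    const pair = encryptedHex.substr(i * 2, 2);
    if (!/^[0-9a-fA-F]{2}$/.test(pair)) {
      throw new Error("non-hex characters at offset " + i * 2);
    }
    out.push(String.fromCharCode(parseInt(pair, 16) ^ key.charCodeAt(j)));
    j = (j + 1) % key.length;
  }
  return out.join("");
}

// XOR is its own inverse, so the same loop run the other way produces a
// test ciphertext from known plaintext. The scheme is byte-oriented, so
// only characters below 256 (the ASCII script bodies seen here) fit.
function xorHexEncrypt(plaintext, key) {
  let hex = "";
  for (let i = 0; i < plaintext.length; i++) {
    const code = plaintext.charCodeAt(i);
    if (code > 0xff) {
      throw new Error("character at index " + i + " does not fit in one byte");
    }
    hex += (code ^ key.charCodeAt(i % key.length)).toString(16).padStart(2, "0");
  }
  return hex;
}

// Constructed sample: a benign stand-in for the decrypted second-stage
// script. In analysis the result is displayed (the alert() trick above)
// rather than handed to the script engine.
const SAMPLE_KEY = "k3y";
const SAMPLE_PLAINTEXT = "function install_ie(){}";
const SAMPLE_CIPHERTEXT = xorHexEncrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY);
```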
Inspecting the decrypted payload shows another script. This second script reveals more of the purpose of this malware:
We can see that the script will call three functions (highlighted in the red box above): install_ie(), install_op(), and install_ff().
The Opera script is encoded with hex characters. A hex editor can be used to convert the code above to readable ASCII characters. Once this conversion has taken place, the code below will be revealed and can be analyzed further:
Again, the malware author has taken efforts to hide what is being attempted with this code. This will be investigated in Layer 3. The components for Firefox and Internet Explorer were encoded in a similar way and can be decoded in the same manner.
You may recall that in the beginning, the malware used dummy loops and randomly named variables. In this case, a text editor that supports code coloring shows that the script is using comment lines to hide the payload (the comments are shown in green in the previous screenshot). Nothing a little regular expression magic can’t fix. After removing the comments, formatting the code, and renaming the random variables, the code is again more readable.
The decryption routine is much like the first decryption routine that was used back in Layer 1, so we can decrypt it using the same technique as described before. The resulting decrypted code shows the true intentions of the code:
The malware author uses a mix of CSS, the <div> tag, as well as an iframe injection to display the malicious banner on the browser. This is the origin of the Russian banner we saw in the beginning. The same tricks are used to infect Firefox. For Internet Explorer, the malware author drops a DLL file called msmedia.dll, which is installed as a BHO. This malicious BHO is then used by Internet Explorer to display the banner.