WormUP Houdini
Houdini is an autorun worm written in VBScript that spreads over USB devices by abusing the autorun functionality. The script is obfuscated, which makes the source code hard to read, but not impossible. Static analysis of the file did not yield much beyond the fact that 28 anti-virus engines on VirusTotal flag it as malicious.
That made me a little curious: I wanted to know precisely what the file's objectives are, and whether it could be deobfuscated so I could get at the source code.
Deobfuscating the code was not that hard. When I looked into the VBS source, I noticed that it calls the EXECUTE statement on a variable. So the variable had to hold the entire decoded payload, since that is what gets executed.
So I began deobfuscating the malware. First I commented out the EXECUTE line, so that the code held in the variable would not run in my lab. The variable is still built up by the rest of the script; it just never gets executed. What remained was to reveal the source code inside the variable, so I added four lines that write the variable out to a file and checked the output.
IT WORKED!
The new file contained another layer of obfuscated source code, which I deobfuscated the same way as the original file.
SOURCE CODE REVEALED!
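The trick described above (neutralize EXECUTE, dump the variable, repeat on the result) is mechanical enough to script. The following is an added example written for this page, not code from the sample or from the original analysis: a Python helper that takes the text of an obfuscated VBS, comments out its single `Execute <var>` statement and puts in its place the four VBScript lines that write the variable to a file. The dump path, the `cmd` variable and the sample script are made up for the demonstration. The patched script must still be run only in an isolated lab, because the decoder routine that builds the variable executes exactly as before; the patch only keeps the final payload from running.

```python
"""Neutralize the Execute <var> stage of an obfuscated VBScript dropper and
replace it with code that writes the decoded payload to disk.  Added example
for this write-up; variable names, paths and the sample script are made up."""
import re
from pathlib import Path

# A bare "Execute var" / "Execute(var)" / "ExecuteGlobal var" statement on a
# line of its own.  VBScript keywords are case-insensitive, hence IGNORECASE.
# [ \t] rather than \s so the match never spills across line breaks.
EXECUTE_RE = re.compile(
    r'^([ \t]*)execute(?:global)?[ \t]*\(?[ \t]*([A-Za-z_]\w*)[ \t]*\)?[ \t]*$',
    re.IGNORECASE | re.MULTILINE,
)

# The four VBScript lines that take the place of Execute: they dump the
# variable holding the decoded payload instead of running it.
DUMP_TEMPLATE = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set dump = fso.CreateTextFile("{out}", True)\n'
    'dump.Write {var}\n'
    'dump.Close\n'
)


def has_execute_layer(vbs_source: str) -> bool:
    """True if the script still ends in an Execute <var> stage, i.e. a dumped
    file is itself another obfuscation layer that needs the same patch."""
    return EXECUTE_RE.search(vbs_source) is not None


def patch_execute(vbs_source: str, dump_path: str) -> str:
    """Return vbs_source with its Execute <var> line commented out and followed
    by the dump lines writing <var> to dump_path.

    Exactly one matching statement is required: a sample that uses Execute in
    several places is refused rather than silently half-patched."""
    matches = list(EXECUTE_RE.finditer(vbs_source))
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one Execute <var> statement, found {len(matches)}")
    m = matches[0]
    indent, var = m.group(1), m.group(2)
    # VBScript string literals escape a double quote by doubling it.
    vb_path = dump_path.replace('"', '""')
    dump_lines = DUMP_TEMPLATE.format(out=vb_path, var=var).splitlines()
    patched_block = "\n".join(
        [f"{indent}' {m.group(0).strip()}   (disabled: payload must not run)"]
        + [indent + line for line in dump_lines]
    )
    return vbs_source[:m.start()] + patched_block + vbs_source[m.end():]


def patch_file(src: Path, dst: Path, dump_path: str) -> None:
    """Read an obfuscated .vbs and write the patched copy.  latin-1 round-trips
    every byte unchanged, so the decoder's string tables are not disturbed."""
    patched = patch_execute(src.read_text(encoding="latin-1"), dump_path)
    dst.write_text(patched, encoding="latin-1")


if __name__ == "__main__":
    # Constructed stand-in for the dropper: a harmless payload in a variable.
    SAMPLE = 'Dim cmd\ncmd = "MsgBox ""hello"""\nExecute cmd\n'
    print(patch_execute(SAMPLE, r"C:\lab\stage2.vbs"))
```

Running the patched script with cscript in the lab produces the dump; `has_execute_layer` on the dumped file tells you whether another Execute stage remains, in which case the same patch is applied to the dump, which is what the post does for the second layer.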
If you are interested in watching the deobfuscation process, there is a video that explains everything at the bottom of this page.
Here is the video of the deobfuscation:
https://www.youtube.com/watch?v=nvhdf6lUEP4
Technical Info
The MD5 of our file is FDFFE02EB769E82CA70D26A325B28009. Our infected file's name was "serial numbers". It was first seen on 22/11/2013. The main purpose of this malware is to steal all the serial numbers it can. It checks whether any removable devices are currently connected to the workstation; if so, it copies itself to the removable device and spreads that way. The next time that same device is connected to another workstation, it infects it in the same manner. After gathering as many serials as possible, it sends all the information to a C&C server. The malware can also download other files from the C&C. More information about the malware's modules can be found below.
Modules Summary
There are 23 modules in this VBS. We categorize them by risk level.
We also noticed that some methods appear twice: one version is called from the Main Code at the beginning of the VBS, the second version from the Main Code in the middle of the VBS. The breakdown of modules by risk level is 6 high, 13 medium and 4 low:
[chart: percentage of modules at each risk level]
Short Modules Summary
Main Code - malware execution - High
Install - installing the malware on the machine and on removable devices - High
Post - sending the collected information to the C&C server - High
Cmdshell - getting information from cmd - High
Sitedownloader - downloading a file over HTTP - High
Download - sending information over HTTP - High
Xins - creating persistence and creating shortcuts on the removable device - Medium
PID - getting the process ID - Medium
Upstart - adding persistence - Medium
Hwid + HWD - collecting the serial numbers of removable devices - Medium
Enumdriver - saving the path and type of the removable device - Medium
Enumfaf - saving the name, size and attributes of the files in a folder - Medium
Enumprocess - saving the name, PID and path of all running processes - Medium
Exitprocess - terminating a process - Medium
Ins - creating the registry key - Medium
Information + inf - saving the machine name, username, OS type, AV type and infection date - Medium
Instance - adding a value to the registry - Medium
Deletefaf - deleting folders and files from a path - Low
Security - checking whether an AV is installed and which one - Low
Uninstall + uns - removing the malware from the machine and from removable devices - Low