As a child, one of my favorite daily pastimes was solving the cryptogram puzzle published in the LA Times (after my mom finished the crossword puzzle, of course). I used to plow through paperback word puzzle books obsessively, finishing them in days. Appropriately, a Trojan that popped onto my radar last week had me flexing my cryptogram muscles yet again.
The Trojan is a fairly common game password stealer, and it wouldn’t have merited a second look except that it also runs through a few routines to disable various antivirus products sold exclusively in Korea. Most game phishing Trojans we see originate in China and target gamers (and antivirus products sold) in China.
The application is designed to drop a copy of itself into the Windows directory, rename that copy canima.exe, then insert the appropriate registry keys to install itself as a service (with the implausible name “Nationaldddeew Instruments Domain Service” — hasn’t anyone told these game-snarfing saps about the uncanny valley?). It then sits around and waits for someone to enter credentials to log into any of at least seventeen online games popular in Korea, including Maple Story, Aion, WoW, and FIFA Online. The Trojan finally submits the stolen passwords to a Web site, but it doesn’t make that connection until it has something to upload. If you don’t have any games installed (as I don’t on my default testbed), the malware simply waits patiently until you install some.
So, I dumped the running file out of memory and took a look at whatever plain text strings were present. Sometimes you find domain names or other clues that reveal the origin of the attack (or the destination of any exfiltrated data). Several lines of text caught my eye, but they weren’t words, or even legible data. What was most apparent about these strings was that a large group of them began with a pattern that follows the paradigm 1223455 — the actual string in the file that caught my eye was s{{8HSS. If that pattern looks familiar, it should: The http:// prefix follows that same pattern.
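The cryptogram trick described above is easy to automate when you are sifting through a memory dump full of obfuscated strings: compute each string's letter-repetition signature, compare it against the signature of plaintext you expect to be there (cribs such as http://), and use every match to extend a partial substitution key. The script below is an added example written for this post, not the author's own tooling. The only ciphertext taken from the post is s{{8HSS; the other sample strings, the crib list and the `?` placeholder for undetermined characters are constructed for illustration.

```python
"""Cryptogram-style crib matching for obfuscated strings from a memory dump.

Added example, not code from the post. Only s{{8HSS comes from the post;
the other sample strings below are constructed for illustration.
"""

# Plaintext fragments we expect to find at the start of a URL-like string.
# The list itself is an assumption of this example.
CRIBS = ("http://", "https://", "ftp://", "www.")


def pattern(s):
    """Return the repetition signature of s as a tuple of ints, numbering each
    distinct character by first appearance. pattern("http://") gives
    (1, 2, 2, 3, 4, 5, 5), which the post writes as 1223455."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen) + 1) for ch in s)


def find_crib_prefixes(ciphertext, cribs=CRIBS):
    """Return every crib whose signature matches the start of ciphertext."""
    return [c for c in cribs
            if len(ciphertext) >= len(c)
            and pattern(ciphertext[:len(c)]) == pattern(c)]


def derive_key(ciphertext, plaintext, key=None):
    """Extend a cipher->plain mapping from an aligned ciphertext/plaintext pair.

    A monoalphabetic substitution must be one-to-one in both directions, so a
    pair that contradicts an existing mapping raises ValueError instead of
    silently corrupting the key."""
    key = dict(key or {})
    reverse = {p: c for c, p in key.items()}
    for c, p in zip(ciphertext, plaintext):
        if key.get(c, p) != p or reverse.get(p, c) != c:
            raise ValueError(f"inconsistent mapping {c!r} -> {p!r}")
        key[c] = p
        reverse[p] = c
    return key


def apply_key(ciphertext, key, unknown="?"):
    """Decode with a partial key; characters not yet recovered become `unknown`."""
    return "".join(key.get(c, unknown) for c in ciphertext)


def scan_dump(strings, cribs=CRIBS):
    """Run every dumped string against the cribs, merging all consistent matches
    into one key. Returns (key, hits) where each hit is
    (ciphertext, matched_crib, partial_decryption_with_final_key)."""
    key = {}
    hits = []
    for s in strings:
        for crib in find_crib_prefixes(s, cribs):
            try:
                key = derive_key(s[:len(crib)], crib, key)
            except ValueError:
                continue  # this crib contradicts what earlier strings taught us
            hits.append((s, crib))
    return key, [(s, crib, apply_key(s, key)) for s, crib in hits]


# Constructed sample: the post's s{{8HSS plus made-up neighbours, one with an
# unrecovered tail, one ordinary filename that matches nothing, and one that
# only fits the shorter "www." crib.
SAMPLE_STRINGS = ["s{{8HSS", "s{{8HSSabc", "canima.exe", "zzz!"]

if __name__ == "__main__":
    key, hits = scan_dump(SAMPLE_STRINGS)
    print("recovered key:", key)
    for cipher, crib, plain in hits:
        print(f"{cipher!r:14} matches {crib!r:10} -> {plain!r}")
```

Because the key is only ever extended by consistent matches, a false crib hit on one string cannot overwrite mappings learned from another; it is simply skipped. Real dumps will contain many strings with URL-shaped signatures that are not URLs at all, so the output is a list of candidates for a human to confirm, not a decoder.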