We wrote an article about the dropper used by Red October available here.
At the end of this article we got a file called svchost.exe and the file wsdktr.ltd . This file was first packed with a custom packer and secondly packed with UPX. Once we unpacked this file, we get a file with the md5: 5f38e180671fe1d86009d730687a0e3e.
This binary is used to decrypt the file wsdktr.ltd.
To decrypt the .dll file from xsdktr.ltd we must apply this algorithm:
Here the screenshot of the initialisation of the RC4 function KSA (function 0x403930):
For people who do not recognise RCA init, we can found 2 loops with 256 iterations… (comment for jvoisin)
Here the screenshot of the RC4 function PRGA (function 0x4039B0):
Here the usage of the zlib library (function 0x404500):
We can identify zlib with some specific strings available in the function.
We develop a script to get the .dll from the wsdktr.ltd file, for information we need to skip the first 4 bytes, these bytes contain the size of the final binary:
#!/bin/python import sys from Crypto.Cipher import ARC4 import hashlib import zlib key = "dfdedkwe3322oeitodkdjeio3e9ekdjwasddcncmvjdasalwpeoryg7534hvn5wewse" data = open(sys.argv).read() rc4 = ARC4.new(key) decrypted = rc4.encrypt(data) decompressed = zlib.decompress(decrypted[4:]) sys.stdout.write(decompressed)
email@example.com:~$ python get_dll.py wsdktr.ltp > final.dll firstname.lastname@example.org:~$ file final.dll final.dll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
The .dll md5 is 9b049bcb675377af1ca08fcf3ddad89c.
The unpack .dll md5 is b587fb33613bfbdd2a95e98fc00391d5.
We have (finally) the malware of Red October !!!