The malicious file (er, PDF), shown below, employs the Right-to-Left Override (RLO) technique to mask the actual file type on a victim host susceptible to RLO. In the case of this file, analysis was conducted from within a Windows XP virtual machine, and since Windows XP doesn't interpret the RLO character, the file immediately appeared in its true state when viewing file extensions (see diagram 1).
Conversely, on a Windows 7 platform the RLO technique is understood, so the malicious file would appear to be a regular PDF file to the unsuspecting user (see diagram 2).
Be that as it may, if the user (on whichever platform) were to notice the item type “Screen saver” when using the Explorer “tiles” view (see diagram 3), an alarm bell should immediately sound, since an SCR file is an executable binary.
The RLO technique has been used quite a bit in recent years to obfuscate the name of a malicious file. It works by inserting the Unicode character U+202E (RIGHT-TO-LEFT OVERRIDE) at a desired point, after which everything that follows is displayed in reverse (right-to-left) order. For example, the character was placed in front of the letter “f” in fdp.scr (hence the “square” in diagram 1), making it read as “rcs.pdf” (in diagram 2).
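The following is an added example (not part of the original write-up) showing how a defender can check file names for the trick just described: it simulates what a bidi-aware shell would display, recovers the extension the OS will actually honour, and flags names that combine a bidi control character with an executable extension. The sample name, prefix and the list of executable extensions are constructed assumptions.

```python
import unicodedata

# Bidi override/embedding/isolate classes as reported by unicodedata.bidirectional().
# U+202E ("RLO") is the RIGHT-TO-LEFT OVERRIDE used by the sample in the write-up.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}

# Constructed list of extensions Windows will execute directly.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "lnk"}


def is_bidi_control(ch):
    return unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES


def strip_bidi(name):
    """Name with all bidi control characters removed (what the file system really stores as text)."""
    return "".join(ch for ch in name if not is_bidi_control(ch))


def rendered_name(name):
    """Approximate what a bidi-aware Explorer shows: text after U+202E is drawn reversed.
    Only RLO is simulated; other bidi controls are simply dropped from the display."""
    head, rlo, tail = name.partition("\u202e")
    return strip_bidi(head) + (strip_bidi(tail)[::-1] if rlo else "")


def true_extension(name):
    """Extension the OS uses: the last '.' of the raw name, ignoring control characters."""
    clean = strip_bidi(name)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def inspect_name(name):
    """Summarise a file name from the user's and the OS's point of view."""
    return {
        "has_bidi_control": any(is_bidi_control(ch) for ch in name),
        "displayed_as": rendered_name(name),
        "true_extension": true_extension(name),
    }


def is_disguised_executable(name):
    info = inspect_name(name)
    return info["has_bidi_control"] and info["true_extension"] in EXECUTABLE_EXTS


# Constructed sample modelled on the write-up: RLO sits before the "f" of "fdp.scr",
# so a bidi-aware shell displays the tail as "rcs.pdf" while the OS sees a .scr file.
SAMPLE = "Invoice\u202efdp.scr"

if __name__ == "__main__":
    print(inspect_name(SAMPLE))  # displayed_as 'Invoicercs.pdf', true_extension 'scr'
```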
Closer examination of the SCR file, however, revealed it was actually a WinRAR self-extracting (SFX) compressed archive containing three objects, which are extracted according to the SFX script displayed in diagram 4.
Upon execution of the “PDF”, the contents are automatically extracted to the user’s %temp% directory (see diagram 5). Notice the lack of an icon for “Explorer.exe”.
Immediately thereafter, the malicious “Explorer.exe” is launched along with the benign PDF, but all the victim would see during this is the opening of the benign PDF, a portion of which is displayed in diagram 6.
In addition, the malware injects itself into a “svchost.exe” process which invokes a keylogger straight away that writes unencrypted keylog data to “%temp%\dclogs.sys” (see appendix for an example of the keylog data).
Since this analysis was conducted from within an enclosed environment, no follow-on communication between the victim host and the command and control server was observed.
To maintain persistence on the victim host, the following registry key is created:
C:\Documents and Settings\<user>\Start Menu\Programs\Startup
Interestingly, the Startup folder contains a link file "(Empty).lnk" which points to "C:\Documents and Settings\<user>\Local Settings\Temp\Explorer.exe" (see diagram 9).
Below is a chronological summary of activity as it occurs on a victim host (note that the malicious dropper was renamed “asfdp.scr” for ease of interpretation):
And lastly, here's a sample of the keylogged data: