Reversing : The Hacker's Guide to Reverse Engineering


characters long. While I was first stepping through this sequence, all of these
four strings were empty. This made the code proceed to the code sequence that
follows instead of calling into a longish function at 00403016 that would
have been called if there was a match on one of the usernames. Let’s look at
what the function does next (when the usernames don’t match).


00402F29 PUSH ZoneLock.004050BE ; <%s> = “tounge”
00402F2E PUSH ZoneLock.00405110 ; <%s> = “morris”
00402F33 PUSH ZoneLock.004054A1 ; format = “%s %s”
00402F38 LEA EAX,DWORD PTR SS:[EBP-260]
00402F3E PUSH EAX ; s
00402F3F CALL <JMP.&CRTDLL.sprintf>
00402F44 LEA EAX,DWORD PTR SS:[EBP-260]
00402F4A PUSH EAX ; s2
00402F4B PUSH ESI ; s1
00402F4C CALL <JMP.&CRTDLL.strcmp>

This is an interesting sequence. The first part uses sprintf to produce the string morris tounge, which is then checked against the current message being processed. If there is a mismatch, the function performs one more check on the current command string (even though it’s been confirmed to be PRIVMSG), and returns. If the current command is “!morris tounge”, the program stores the originating username in the currently available slot on that string array from 004051C5. That is, upon receiving this Morris message, the program is storing the name of the user it’s currently talking to in an array. This is the array that starts at 004051C5; the same array that was scanned for the attacker’s name earlier. What does this tell you? It looks like the string !morris tounge is the secret password for the Backdoor program. It will only start processing commands from a user that has transmitted this particular message!
One unusual thing about the preceding code snippet that generates and checks whether this is the correct password is that the sprintf call seems to be redundant. Why not just call strcmp with a pointer to the full morris tounge string? Why construct it in runtime if it’s a predefined, hard-coded string? A quick search for other references to this address shows that it is static; there doesn’t seem to be any other place in the code that modifies this sequence in any way. Therefore, the only reason I can think of is that the author of this program didn’t want the string “morris tounge” to actually appear in the program in one piece. If you look at the code snippet, you’ll see that each of the words come from a different area in the program’s data section. This is essentially a primitive antireversing scheme that’s supposed to make it a bit more difficult to find the password string when searching through the program binary.
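As an added illustration (not code from the book or from the ZoneLock program itself), the following C program reproduces the split-string check the listing shows and then runs the kind of flat byte search that the trick is meant to defeat. The data layout and the filler strings are constructed for the example, the fragment offsets only mimic the separated placement the text describes (the addresses 004050BE and 00405110 are the book's), and the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the program's data section. The two halves of
 * the password sit in different places, separated by unrelated strings,
 * mimicking the separated placement the text describes at 004050BE and
 * 00405110. The filler strings and offsets are made up for this example. */
static const char data_section[] =
    "PRIVMSG\0"   /* offset  0: unrelated string */
    "tounge\0"    /* offset  8: first password fragment */
    "PING :\0"    /* offset 15: unrelated string */
    "morris\0"    /* offset 22: second password fragment */
    "%s %s\0";    /* offset 29: the sprintf format string */

static const char *frag_tounge = data_section + 8;
static const char *frag_morris = data_section + 22;
static const char *fmt_string  = data_section + 29;

/* Mirrors the check at 00402F29..00402F4C: the password is assembled at
 * runtime as sprintf(buf, "%s %s", "morris", "tounge") and only then
 * compared with strcmp against the incoming message. Returns 1 on match. */
int is_activation_message(const char *msg)
{
    char assembled[64];
    snprintf(assembled, sizeof assembled, fmt_string, frag_morris, frag_tounge);
    return strcmp(msg, assembled) == 0;
}

/* A flat search for a contiguous needle inside a byte region, which is what
 * a strings-style scan or a hex-editor search over the binary amounts to.
 * Returns 1 if the needle occurs contiguously anywhere in the region. */
int region_contains(const char *region, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(region + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* The assembled password is never present in the static data, but each
     * fragment is; only the runtime comparison sees the full value. */
    printf("full password in data section : %d\n",
           region_contains(data_section, sizeof data_section, "morris tounge"));
    printf("fragment \"morris\" in data      : %d\n",
           region_contains(data_section, sizeof data_section, "morris"));
    printf("fragment \"tounge\" in data      : %d\n",
           region_contains(data_section, sizeof data_section, "tounge"));
    printf("message \"morris tounge\" matches: %d\n",
           is_activation_message("morris tounge"));
    return 0;
}
```

For an analyst the lesson is the one the text draws: a search over the file finds morris and tounge separately but never morris tounge, whereas following the cross-references into the sprintf call site, or breaking on strcmp at runtime and reading its arguments, recovers the full value immediately.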


Reversing Malware 301