It seems Chinese skids are just as hilarious as Western skids when it comes to shitty malware. I've just reversed a Chinese bot:
- Download+exec is broken (URL, not dl path, passed to WinExec)
- Various pacotes functions that seem copypasted from elsewhere, one leaks ~64kb memory per thread.
- Totally broken functionality to add a privileged user thanks to misunderstanding of MultiByteToWideChar
- Requires admin privs, no UAC bypass.
At least it's very well detected by antivirus engines. https://www.virustotal.com/#/file/dd44b2ab72f74e4452c1cd0589950efb88253dfaa26e8862b330754ce84f810d/detection
@slipstream Cool. Where'd you pick this specimen up from? And what tools do you use for decompiling etc?
@digitalLove I found this one by looking for chinese HFS servers on Shodan (which, btw, is something I don't normally do; maybe I should do that more, haha. Perhaps I could also massscan chinese IP ranges on some odd ports looking for HFS servers too...).
I use IDA+Hex-Rays mainly.
@slipstream Hah, sweet. Definitely worth a look. I have used IDA in the past. Looking for good open source tools atm. But I don't do much reverse engineering tbh. Keep up the good work (: Following
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!