A few days ago here at Avert Labs we received yet another interesting malicious file related to the now not-so-famous Tibetan situation. At first it looked like a simple Flash movie, at least judging from the icon. ;-)

Executing the file, called RaceForTibet.exe, shows a cartoon with a very skilled Chinese gymnast performing some amazingly convoluted exercise on a “vaulting box”, for which the jury immediately scores her a shocking 0! Whilst the gymnast’s performance is “re-wound,” a number of fairly stark photographs of real events, taking place throughout China and Tibet, are shown as a flashback.

As a malware researcher I just could not keep myself from looking further into the file to see if it was anything more than some political movie about events taking place in Tibet and China, especially after several recent posts [1] [2] discussing the Fribet Trojan.

Here are some screenshots of the cartoon that runs using “mini flash-player 2.6”:

[Screenshots: flash-tibet-1, flash-tibet-2, flash-tibet-3, flash-tibet-4, flash-tibet-5, flash-tibet-6]

For the next step I decided to use our “Rootkit Detective” to check for hidden processes and hooks, and it turns out a number of files were silently dropped on my PC!

So here comes the “Pro-Tibetan Movement rootkit”:

[Screenshot: rtk-hooker-tibet (Rootkit Detective output)]

As you can see, a number of files are now on my system and completely hidden from “user-land”. The original file (RaceForTibet.exe) initially drops a file called “dopydwi.sys” in the %windir%\system32\drivers folder.

Here is an interesting part of this hidden system driver shown in IDA:

[Screenshot: sys-driver-tibet (IDA view of the hidden driver)]

We can now start to see the bigger picture here! The rootkit is actually a keylogger posing as a political message; in fact you can see above the call to the function “GetKeyboardState”.

Also below we can see the file is creating a device called “ServiceDll”, which will be used to load the driver:

[Screenshot: create-dvc-tibet (device creation in IDA)]

And here we can see the patching of the SSDT, hooking a large number of Windows API functions by replacing their addresses in the table.

[Screenshot: sdt-ida-tibet (SSDT patching in IDA)]

The DLL file dropped on the system is going to be used to do the actual keylogging and it’s loaded through the device shown on the first IDA screenshot above.

To complete the picture, a hidden log file kept on the system (dopydwi.log) stores all the information gathered on the compromised machine.

Here is the output of a log file I captured:

[2008-04-10 07:14:53] Ethereal: Save file as [C:\Program Files\Ethereal\ethereal.exe] tibetan-capture
[2008-04-10 09:37:08] Save Image [C:\Program Files\GIMP-2.0\bin\gimp-2.2.exe] sdt-bigj
[2008-04-10 09:45:22] Mozilla Firefox Start Page - Mozilla Firefox [C:\Program Files\Mozilla Firefox\firefox.exe]
www.avertlabs.com
logtest.txt
[2008-04-10 09:46:24] Google - Windows Internet Explorer [C:\Program Files\Internet Explorer\iexplore.exe]
testing search engine
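As an added example (not code from the original post, and not part of the malware), a small Python triage helper that splits a log in the layout shown above into per-window entries and counts how many keystroke lines were harvested from each process. The header pattern, the Capture dataclass and the embedded sample log are my own assumptions modelled on the capture above.

```python
import re
from dataclasses import dataclass, field
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<title>.*?) \[(?P<proc>[^\]]+)\](?: (?P<text>.*))?$"
)
@dataclass
class Capture:
    timestamp: str
    title: str                                 # foreground window title
    process: str                               # process that owned the window
    typed: list = field(default_factory=list)  # keystroke lines attributed to it

def parse_keylog(text):
    """Split the dropped log into per-window captures; a line that is not a
    '[timestamp] title [path]' header is keystrokes for the most recent entry."""
    captures = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cap = Capture(m["ts"], m["title"], m["proc"])
            if m["text"]:
                cap.typed.append(m["text"])
            captures.append(cap)
        elif captures:
            captures[-1].typed.append(line)
        else:
            raise ValueError("keystrokes before any window header: " + line)
    return captures

def typed_by_process(captures):
    """Triage view: number of keystroke lines harvested from each process."""
    counts = {}
    for cap in captures:
        counts[cap.process] = counts.get(cap.process, 0) + len(cap.typed)
    return counts

# Constructed sample laid out like the captured log above (not a real capture)
SAMPLE_LOG = r"""
[2008-04-10 07:14:53] Ethereal: Save file as [C:\Program Files\Ethereal\ethereal.exe] tibetan-capture
[2008-04-10 09:45:22] Mozilla Firefox Start Page - Mozilla Firefox [C:\Program Files\Mozilla Firefox\firefox.exe]
www.avertlabs.com
logtest.txt
[2008-04-10 09:46:24] Google - Windows Internet Explorer [C:\Program Files\Internet Explorer\iexplore.exe]
testing search engine
"""
```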

The remote IP address this data is sent to is located in China (humorously enough).

So while real trouble is unfolding, we also continue to see an increase in attacks carried out by people taking advantage of the media hype and the interest raised across the globe by these dramatic circumstances.

Will you watch the Olympic Games? Best not if they arrive via e-mail as a Flash “movie” that is really an executable! ;-)