Monday, October 10, 2011

[Hack Tool] "WPE PRO" a Windows Packet/Socket Sniffer & Injector (Japanese Version)

==========================
Introduction :
==========================

The sample was found at a URL attached to emails and posted on some online forums in Japan, where it was described as suspicious software. There is doubt about whether it is goodware or malware, since some antivirus products detect this software as a hacktool. Upon request I analyzed the sample; the report below explains why so many antivirus products detect it as malware.

Sample Details
Sample was detected at the following URL: hxxp://kujira.digi2.jp/WPE.zip
with the following details:
Filename: WPE.zip
FileType: ZIP
File size : 389251 bytes
MD5 : 02fa76696a526a7bbc49c412f95278f1
SHA1 : bc161764e101b6537a70390d348e0be2af3ad5d0
SHA256: e0b7cc3ac23649e1f52aa9305ccdc03049586fdeb3ff2f547eb566a629861d86
Icon:

The zip archive itself is clean: I found no malicious object in it, and it has the following headers:
MIMEType: application/zip
ZipBitFlag: 0
ZipCRC: 0x54dcc470
ZipCompressedSize: 365103
ZipCompression: Deflated
ZipFileName: WPE/WPE PRO.exe
ZipModifyDate: 2008:01:16 17:07:21
ZipRequiredVersion: 20
ZipUncompressedSize: 831488

Inside the zip I found 3 (three) files:
-rwx------ 1 831488 Jan 15 2008 WPE PRO.exe*
-rwx------ 1 184320 Jan 15 2008 WpeSpy.dll*
-rwx------ 1 265 Sep 10 10:38 ピグライフ隠れアクション集.spt*
The icons look like this:


What are these files?
These are Winsock Packet Editor (WPE Pro 0.9a), a packet sniffing/editing tool which is generally used to hack multiplayer games. The maker's homepage is http://www.wpepro.net. This software is not a new issue, but it is still a subject of information exchange among some game players, so we still find it on the internet today. It was originally developed in an English Windows environment, but the sample I saw has a Japanese language mod too. It looks like the antivirus scanning function in some honeypot detection has been triggering alerts.

WPE Pro can be used for bad purposes, to hack software on a Windows PC by sniffing the packet information that goes to Winsock or by injecting information through it, or it can be used for good purposes, as a penetration testing tool and for other security work. The maker states on the product homepage that the program is free of any malicious code, but admits that many antivirus products detect it as malware and block its operation.

There are references to both good usage and bad usage of this software on some sites as well.

The detected sample (the WPE PRO zip) package contains 2 binary files, one exe (WPE PRO.exe) and a runtime library file (WpeSpy.dll); "WPE PRO.exe" cannot be executed without WpeSpy.dll, and the other file, the .spt, is a configuration/setup file. WPE PRO.exe without WpeSpy.dll (or vice versa) is useless.

To make it clear: WPE PRO is software to sniff and/or inject the packets/data/information of another program on Windows; in short, it is a hack tool. Depending on how it is used, it can serve malicious acts, as demonstrated in the YouTube video below, or research purposes (the good ones).

If we scan the WPE PRO component files we get malware detections (for reference I used VirusTotal), as below:
1. WPE PRO.exe
2. WpeSpy.dll
3. ピグライフ隠れアクション集.spt
4. Wpe.zip


==========================
Proof of concept:
==========================


Why is WPE PRO judged as "not a virus"? Why do some antivirus products block this software?
Is WPE really malware? These are the questions found on the internet now. Since references on this software are so few, I would like to analyze it in a malware-analysis-like way and explain the software itself as below:

Behaviour Analysis:

The program itself runs nicely: it starts and ends under the user's control and does not create any backdoors (unless we define it to). If you run it, it shows a GUI like the one below (in a Japanese environment):


In order to use this software you must select one of the processes on your PC to hack; I tested it in my VMware and took the screenshots below:



You can save the packet data too:


*) For a demo of malicious usage of this software, see the "References" section below.

Code Analysis:

Below are some analysis dumps of WPESPY.DLL and WPE PRO.EXE which, from a security point of view, show some malicious-looking acts such as disabling DEP, accessing and intercepting other processes, etc. (sorry, I am not going into the details about it). Yes, a person can use this software to hack, and in my view this software was developed for this purpose.
Please see the dump data below, then see the YouTube demo in the References section.

1. WPESPY.DLL

Compile Time: 2004-03-23 16:41:19
Binary Type: Valid PE file (Identified packer :Microsoft Visual C++ 6.0 DLL)
File Size : 184 KB
Claimed CRC and Actual CRC are different: Claimed: 0 & Actual: 229432
Image Base : 0x10000000
Address Of Entry Point: 0x4040
Loaded DLL: (KERNEL32.dll, USER32.dll, WSOCK32.dll)
Anti Debugging traces:
0x10008070 GetCurrentProcess
0x10008078 GetProcAddress
0x1000807c LoadLibraryA
DEP Setting Change traces:
0x10008068 VirtualProtect
0x100080dc HeapCreate
0x100080e8 VirtualAlloc
TLS aware Traces:
0x10008014 TlsSetValue
0x10008018 TlsAlloc
0x1000801c TlsFree
0x100080a0 TlsGetValue

2. WPE PRO.EXE

Compile Time: 2004-03-23 16:41:37
Binary Type: Valid PE file (Identified packer :Microsoft Visual C++ v6.0)
File Size : 831 KB
Claimed CRC and Actual CRC are different: Claimed: 0 & Actual: 873185
Image Base : 0x400000
Address Of Entry Point: 0x4e076
Loaded DLL:
WS2_32.dll
WpeSpy.dll
KERNEL32.dll
USER32.dll
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
oledlg.dll
ole32.dll
Anti Debugging traces:
0x48f248 GetProcAddress
0x48f250 CloseHandle
0x48f2f0 LoadLibraryA
0x48f358 GetCurrentThread
0x48f3c0 GetCurrentProcess
0x48f42c GetTickCount
File System Activity Traces:
0x48f2c8 CopyFileA
0x48f2f4 WriteProcessMemory
0x48f354 GetFileAttributesA
0x48f39c MoveFileA
0x48f3bc CreateFileA
System Hook Calls:
0x48f240 VirtualProtectEx
0x48f2fc VirtualAllocEx
0x48f558 CallNextHookEx
Keyboard Hook Calls:
0x48f474 GetAsyncKeyState
0x48f62c GetKeyState
DEP Setting Change traces:
0x48f268 VirtualAlloc
0x48f270 HeapCreate
TLS aware Traces:
0x48f31c TlsGetValue
0x48f324 TlsSetValue
0x48f330 TlsFree
0x48f338 TlsAlloc
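As an added example (not from the post and not code of the WPE authors), a small Python triage over the API names in the two dumps above: a capability is reported only when the required imports occur together, and the names the Visual C++ 6 runtime links into almost every build are set aside as noise, which is why the "anti-debugging" and "TLS" labels above say little while VirtualAllocEx plus WriteProcessMemory say a lot. The rule sets and the noise list are my assumptions, and the input is the scanner's flagged subset as listed in the post, not the full import tables.

```python
# Import-based capability triage over the API names in this post's two dumps
# (constructed input: the scanner's flagged subset, not the full import tables).
# A rule fires only when every API in its set is imported together, so a lone
# GetProcAddress or VirtualAlloc never produces a finding by itself.
CAPABILITY_RULES = {
    "remote memory write (injection primitive)": {"VirtualAllocEx", "WriteProcessMemory"},
    "remote page-protection change": {"VirtualProtectEx"},
    "in-process page-protection change (code patching)": {"VirtualProtect"},
    "Windows hook chain participation": {"CallNextHookEx"},
    "keyboard state polling": {"GetAsyncKeyState"},
}
# Names the scanner filed under anti-debugging / DEP / TLS that the Visual C++ 6
# runtime (or MFC) links into almost every build (assumption); no signal alone.
RUNTIME_NOISE = {"GetProcAddress", "LoadLibraryA", "GetCurrentProcess", "GetCurrentThread",
                 "GetTickCount", "CloseHandle", "VirtualAlloc", "HeapCreate",
                 "TlsAlloc", "TlsFree", "TlsGetValue", "TlsSetValue"}
WPESPY_DLL = ["GetCurrentProcess", "GetProcAddress", "LoadLibraryA", "VirtualProtect",
              "HeapCreate", "VirtualAlloc", "TlsSetValue", "TlsAlloc", "TlsFree", "TlsGetValue"]
WPE_PRO_EXE = ["GetProcAddress", "CloseHandle", "LoadLibraryA", "GetCurrentThread",
               "GetCurrentProcess", "GetTickCount", "CopyFileA", "WriteProcessMemory",
               "GetFileAttributesA", "MoveFileA", "CreateFileA", "VirtualProtectEx",
               "VirtualAllocEx", "CallNextHookEx", "GetAsyncKeyState", "GetKeyState",
               "VirtualAlloc", "HeapCreate", "TlsGetValue", "TlsSetValue", "TlsFree", "TlsAlloc"]

def triage(imports):
    """Split an import list into fired capability rules, runtime noise, and
    names that are ordinary on their own (file I/O, GetKeyState, ...)."""
    present = set(imports)
    capabilities = [name for name, needed in CAPABILITY_RULES.items() if needed <= present]
    rule_apis = set().union(*CAPABILITY_RULES.values())
    return {"capabilities": capabilities,
            "noise": sorted(present & RUNTIME_NOISE),
            "ordinary": sorted(present - RUNTIME_NOISE - rule_apis)}

def verdict(imports):
    """Why a 'hacktool' signature fires: cross-process write outranks local patching."""
    caps = triage(imports)["capabilities"]
    if "remote memory write (injection primitive)" in caps:
        return "injects into other processes"
    if "in-process page-protection change (code patching)" in caps:
        return "patches code inside its host process"
    return "no injection capability among listed imports"

if __name__ == "__main__":
    for label, imports in (("WpeSpy.dll", WPESPY_DLL), ("WPE PRO.exe", WPE_PRO_EXE)):
        result = triage(imports)
        print(f"{label}: {verdict(imports)}")
        print("  capabilities:", result["capabilities"])
        print("  runtime noise ignored:", result["noise"])
```

Note that the file I/O imports (CopyFileA, MoveFileA, CreateFileA) land in the "ordinary" bucket: on their own they describe a program that saves capture files, which matches the behaviour section above.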


References:
There are a lot of opinions on the internet about this software. Please see the references below and judge for yourself.
http://www.wpepro.net
http://www.filecart.com/winsock-packet-editor-wpe-pro.html
http://bots-and-programs.onlinegamehacker.com/f154/wpe-pro-0-9a-22251/
http://www.threatexpert.com
http://www.malwareblacklist.com
A hack in action using this software can be found on YouTube; in this case DLL injection is used to change a value in an online game:

----
Zero Day Japan (ゼロデイ・ジャパン)
http://0day.jp
Malware Research Lab
Adrian Hendrik
Sponsored by: KLJ Tech Co., Ltd. (株式会社ケイエルジェイテック)

3 comments:

  1. In France, WPE Pro is mainly used by cheaters on World of Warcraft private servers.

  2. Thanks for the comment, Steven. Looks like some gamers in Japan are starting to use it too..

  3. Can you help me with how to run WPE on VMware or Sandboxie?
