Well, actually it isn’t the genuine WinDirStat but a trojanized version posing as WinDirStat and it’s masquerading under the disguise of the good Unicode version of
windirstat.exe which is contained in the installer. So it’s named that as well.
Now, the report I got from a WinDirStat user from Sweden (thanks again!) was that MalwareBytes had detected WDS once again. I assumed false positive and it turned out that it was at least for the particular file that the Swedish user had (SHA1: 26e14a532e1e050eb20755a0b7a5fea99dd80588)1 – which was the genuine file from the genuine version 1.1.2 installer. That is the installer with the following two cryptographic hashes2:
- MD5: 3abf1c149873e25d4e266225fbf37cbf
- SHA1: 6fa92dd2ca691c11dfbfc0a239e34369897a7fab
We’ve had this before, but this time it was a slightly different case.
I contacted Doug from MalwareBytes. We had been in touch some time before. So I got a contact for the malware research at MalwareBytes and was able to inquire about the file. It turned out that the file aforementioned Swedish user had inquired about wasn’t under detection, but another file with the MD5 hash a84aad50293bf5c49fc465797b5afdad. Now I didn’t have that file in my release archive so I asked for the file3 and was then able to look at the actual trojanized file. And what struck me was that all external traits shown by this file matched closely the Unicode build from the 1.1.2 installer. The size matched, the timestamp in the PE header matched, just some things like the sections and a whole lot of code or data had been changed in the middle of the file.
So I loaded the genuine file into IDA Pro and the entry point looked like this:
.text:004471B4 _wWinMain@16 proc near .text:004471B4 .text:004471B4 hInstance = dword ptr 4 .text:004471B4 hPrevInstance = dword ptr 8 .text:004471B4 lpCmdLine = dword ptr 0Ch .text:004471B4 nShowCmd = dword ptr 10h .text:004471B4 .text:004471B4 jmp _wWinMain@16_0 .text:004471B4 _wWinMain@16 endp
and when I did the same on the trojanized file it looked like this:
.text:004471B4 _wWinMain@16 proc far .text:004471B4 enter 0FFFFA5D1h, 7Fh .text:004471B8 xchg eax, ebp .text:004471B9 loc_4471B9: .text:004471B9 or al, 19h .text:004471BB inc ecx .text:004471BC retf 0BECAh .text:004471BC _wWinMain@16 endp ; sp-analysis failed
Holy moly, Batman! Someone actually trojanized WinDirStat and it looks like EPO4 just from a brief look.
Again, this file is named
windirstat.exe and to the naked eye it looks like the Unicode build from the 1.1.2 installer, but in actuality this is a trojanized version of the genuine file. Now I don’t have the time to investigate into what exactly this thing is doing, but it bears all the hallmarks of malware and therefore from my perspective that file isn’t a false positive.
If you download files. check that their hashes match what is expected. Future releases of WDS will be signed with an Authenticode certificate, so it will also make it harder to trojanize WinDirStat.
I checked last night and at least the downloads from SourceForge.net and DownloadBestSoft were genuine. No danger there. Still: you are encouraged to double or triple check! And keep in mind that MD5 is broken, so never ever rely on MD5 alone.
the clean files are:
- 3abf1c149873e25d4e266225fbf37cbf *windirstat1_1_2_setup.exe
- 3f3dd4476249ae664e3365e5bb651601 *release/windirstat.exe
- 24cd9a82fcfc658dd3ae7ba25c958ffb *urelease/windirstat.exe
- 6fa92dd2ca691c11dfbfc0a239e34369897a7fab *windirstat1_1_2_setup.exe
- 752e1687d58de3bef927d9ad24c0ed3da3754e17 *release/windirstat.exe
- 26e14a532e1e050eb20755a0b7a5fea99dd80588 *urelease/windirstat.exe
- that false positive has been fixed meanwhile. [↩]
- keep in mind that MD5 has been broken, so you should never rely on it alone anyway. It is possible to forge binaries that match the MD5 hash of another binary as recent government-sanctioned malware has shown. [↩]
- Usually you won’t get a file that is deemed malicious from any anti-malware company, but since I work in the AV industry as well and had contact with Doug before, I had the credentials. [↩]
- Entry Point Obfuscation [↩]
Pingback: No relief | Oliver's rants and musings