Component Object Model technology (COM)

Microsoft Windows provides an interface for inter-process communication that allows developers to control the objects of other applications. This technology, called COM, can be used to control Internet Explorer. It is very useful for malware developers because it lets them manipulate the browser that is already being used by a legitimate user. From the attacker's point of view, the advantages are as follows:

The HTTP communication is performed by the user’s iexplore.exe process (not by the malware itself).

If the targeted infrastructure uses a proxy (with authentication), the malware can reuse the proxy token stored in the user session. (The malware developers don’t have to worry about the proxy configuration on the infected machine.)

Analysis by reverse engineering is more complicated – there’s no obvious evidence of malicious network behaviour or socket usage etc.

The user does not usually notice the additional communication being carried out by the browser – the session is hidden.

Listing 1 shows an example of harmless COM usage to get the content of a web page.

    #include <windows.h>
    #include <exdisp.h>   // IWebBrowser2, CLSID_InternetExplorer, IID_IWebBrowser2

    if (SUCCEEDED(OleInitialize(NULL))) {
        IWebBrowser2* pBrowser2 = NULL;
        IDispatch* pHtmlDoc = NULL;
        HRESULT hr;
        // Start an Internet Explorer server process and request its IWebBrowser2 interface
        CoCreateInstance(CLSID_InternetExplorer, NULL, CLSCTX_LOCAL_SERVER,
                         IID_IWebBrowser2, (void**)&pBrowser2);
        if (pBrowser2) {
            VARIANT vEmpty;
            VariantInit(&vEmpty);
            BSTR bstrURL = SysAllocString(L"http://www.gdata.de");
            // The HTTP request is issued by iexplore.exe, not by the calling process
            hr = pBrowser2->Navigate(bstrURL, &vEmpty, &vEmpty, &vEmpty, &vEmpty);
            if (SUCCEEDED(hr)) {
                // Navigate() is asynchronous; a real client waits for the document
                // to reach READYSTATE_COMPLETE before reading it
                hr = pBrowser2->get_Document(&pHtmlDoc);
                if (pHtmlDoc) pHtmlDoc->Release();
            } else {
                pBrowser2->Quit();
            }
            SysFreeString(bstrURL);
            pBrowser2->Release();
        }
        OleUninitialize();
    }

Listing 1: Harmless COM usage.

If we go back to our sample and look at it from an analyst’s point of view, the malware uses two specific and interesting functions: CoInitialize() (which is called by OleInitialize() in the example shown in Listing 1) and CoCreateInstance(). The first is used to initialize the COM library on the current thread. The second function is used to create an object of the class associated with a specified CLSID. As can be seen in Listing 1, the CLSID is the first argument and represents the object to manipulate (in our case Internet Explorer). Figure 1 shows an IDA screenshot of this function in our sample.

Figure 1. Use of CoCreateInstance().

Figure 2 shows the first argument (the CLSID).

Figure 2. CLSID value.

The value is: 0002DF01-0000-0000-C000-000000000046. We can find what is behind this ID in the Windows registry, under HKEY_CLASSES_ROOT\CLSID\{0002DF01-0000-0000-C000-000000000046} (see Figure 3).
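The CLSID in Figure 2 is read off a binary's data section, where a GUID is stored field by field (Data1 as a little-endian 32-bit value, Data2 and Data3 as little-endian 16-bit values, Data4 as eight bytes in order), so the bytes an analyst sees in IDA must be byte-swapped before they match the string form used under HKEY_CLASSES_ROOT\CLSID. The following Python is an added example, not code from the article or from the sample; it decodes the raw layout, rebuilds the registry path from Figure 3, and scans a dumped image for known CLSIDs. The known-CLSID table holds only the value the article names, the sample blob is constructed, and the live registry lookup is an optional extra that only works on Windows.

```python
"""Decode CLSIDs as they are laid out in a PE image and map them to names.

Added example for analysts; not code from the article. The only CLSID in the
table is the one the article identifies as Internet Explorer.
"""
import struct
import uuid
from typing import List, Optional, Tuple

# CLSIDs worth recognising in a sample. Extend this with your own entries.
KNOWN_CLSIDS = {
    "0002DF01-0000-0000-C000-000000000046": "Internet Explorer (CLSID_InternetExplorer)",
}


def guid_from_bytes(raw: bytes) -> str:
    """Convert the 16-byte in-memory GUID layout to its canonical uppercase string."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    data1, data2, data3 = struct.unpack("<IHH", raw[:8])   # the three swapped fields
    data4 = raw[8:]                                          # stored as-is
    return (f"{data1:08X}-{data2:04X}-{data3:04X}-"
            f"{data4[:2].hex().upper()}-{data4[2:].hex().upper()}")


def guid_to_bytes(clsid: str) -> bytes:
    """Inverse of guid_from_bytes(): the byte pattern a binary stores for this CLSID."""
    return uuid.UUID(clsid).bytes_le


def registry_key_for(clsid: str) -> str:
    """Registry path an analyst would open to see what the CLSID resolves to."""
    return r"HKEY_CLASSES_ROOT\CLSID\{" + clsid.upper() + "}"


def resolve_clsid(clsid: str) -> Optional[str]:
    """Name for a CLSID: the local table first, then the live registry (Windows only)."""
    name = KNOWN_CLSIDS.get(clsid.upper())
    if name is not None:
        return name
    try:
        import winreg  # only present on Windows
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"CLSID\{" + clsid + "}") as key:
            return winreg.QueryValue(key, None) or None
    except (ImportError, OSError):
        return None


def find_known_clsids(image: bytes) -> List[Tuple[int, str, str]]:
    """Scan a raw section or dumped image for the byte patterns of known CLSIDs.

    Returns (offset, clsid, name) per hit so the analyst can follow the data
    reference to the CoCreateInstance() call that uses it, as in Figure 1.
    """
    hits = []
    for clsid, name in KNOWN_CLSIDS.items():
        pattern = guid_to_bytes(clsid)
        start = 0
        while (pos := image.find(pattern, start)) != -1:
            hits.append((pos, clsid, name))
            start = pos + 1
    return sorted(hits)


if __name__ == "__main__":
    # Constructed stand-in for a .rdata section: padding, the IE CLSID, padding.
    blob = b"\x00" * 8 + guid_to_bytes("0002DF01-0000-0000-C000-000000000046") + b"\x90" * 4
    for offset, clsid, name in find_known_clsids(blob):
        print(f"+0x{offset:x}: {clsid} -> {name}  ({registry_key_for(clsid)})")
```

Running the scanner over an unpacked sample gives the offset of the CLSID data, and cross-referencing that offset in the disassembler leads directly to the CoCreateInstance() call, which is the evidence the rest of the analysis rests on.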

Figure 3. CLSID correspondence.

The registry value confirms that our sample creates an instance of Internet Explorer. Thanks to this information, we know that the malware manipulates Internet Explorer.