I’ve read Bluetouff article here. From that point, I decided to take a rapid look at how is that possible?

Be careful, this must be considered as a MALWARE!

For starters, the installer is packed with UPX but it doesn’t need any serial for the installation to take place. The serial is only there to activate the software.

After installing the software, you get a bunch of executables :

  • cdtsvc.exe : service of download control
  • cdtsvc64.exe : same as cdtsvc.exe but for 64 bits
  • cdtupd.exe : probably the executable for checking updates

It seems that none of the executables are packed or whatsoever.

Just analyzing cdtsvc.exe, I got quite a bunch of informations on the executable itself. Looking at C string Resources and unicode strings, you get to have those informations :

1
2
3
4
5
6
7
8

Path :
C:\\Documents and Settings\\jbroutin\\Mes documents\\Visual Studio 2008\\Projects\\ddp-hadopi\\hadopi-client-gui\\trunk\\Release\\cdtsvc.pdb

RSA Key :
BgIAAACkAABSU0ExAAQAAAEAAQCzLXpRE/3Y3n9F1lf2wlRsQGzgs4gfBRNj/PmPArxOtJ1Z1ra8bTktvDCyLsImEc12d6DvVeYsAIgjMZNxQqczzhEla7ZAXQXOOBo38ZUZot961pXx76GCRMAfAYz2S3O79bBGCtJ5wh3UcmvAUcEmdqLzFebBw7Ef+qxyfgamyw==

URL :
http://update-cdt.nordnet.fr/hadopi-server-technical-ws-1

The author of the software is named jbroutin, chances are that his last name is Broutin. It clearly show HADOPI projects and using Visual Studio 2008.

Looking at the code, we can confirm that he’s using C++ or some other kind of oriented object langage (there are lots of get() and set()).

Nordnet contacted Bluetouff so the URL makes sense. It might be the URL for the Java Applet Bluetouff was talking about. I just can’t imagine the damage it could be done injecting code in it.

For the RSA Key, I don’t know what it’s for for now. The RSA Key shown here is encoded using Base64 for those who were asking themselves.

Looking more, we see stuffs like these :

1

hadopi

Ok we now know that we really are dealing with some HADOPI crap.

going further :

1
2
3
4
5

HTTP/1.0

[...]

Content-Type: application/x-www-form-urlencoded

No wonder that Bluetouff get to have a lot of informations using Wireshark …

We haven’t even looked at the code yet that we have quite some infos …

Cross-referencing the string with “HTTP/1.0” we land in a subroutine at address 0x405574.

This routine seems to construct some kind of URLs and make a request with it.

Looking at where it’s called from, you get a bunch of function but at the top is 0x4027EB. This seems to be the main routine which set up the service and stuffs.

I look at one of the functions that called directly 0x405574 and there was 0x406991 : this function seems to check for some kind of updates and licence check too but I dunno, what would be cdtupd.exe then?

From 0x406991 I got this sequence of numbers :

1
2
3
4
5
6
7

0.2.1.1.3
0.2.1.3.2

33.1.1.1
33.2.1.3
33.2.2.1
33.2.1.2

I don’t know about the first two (they might be OID, reverse DNS, or something else). For the second groups, they look like IPs.

I tried to have a DNS query with all of thoses, but I only get an answer for 33.1.1.1 :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

m_101@m_101:~$ nslookup 33.1.1.1
Server:  192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
*** Can't find 1.1.1.33.in-addr.arpa.: No answer

Authoritative answers can be found from:
33.in-addr.arpa
 origin = CON1R.NIPR.MIL
 mail addr = DANIEL\.KNOPPS.DISA.MIL
 serial = 2010061101
 refresh = 10800
 retry = 900
 expire = 1209600
 minimum = 10800

I also found some strange stuffs by cross referencing an API called CreateToolhelp32Snapshot() . I landed in routine 0x40C225, why the hell is the software going around all the processes? I didnt dig further but it seems strange to me.

That’s all I got for today, it took me around 20 minutes to get all that … what about the people who spent hours on this? They might already have a clone or something else entirely.

m_101

Resources