Vladimir Putin embedded in uTorrent binary

Threat Intelligence Team, Nov 30, 2016 2:27:44 PM

Conspiracy theories about Vladimir Putin abound, but Avast Threat Labs has found another small mystery around the Russian president.

Is Vladimir Putin almighty? Some say that he’s behind everything that moves the world. We steer clear of any conspiracy theories, but what we can say for sure is that President Putin recently made it to the world of Torrent.

We dug deeper into a file, properly signed by BitTorrent Inc.


The claim is that it’s a uTorrent binary:


Everything looks OK so far… but then we detect the binary! What’s wrong here? To get an answer, we have to look at the end of the file.


When we take a closer look, a link catches our attention.


Kremlin.ru is the official website of the president of Russia, and the link leads to this picture:


According to the API functions contained in the small injected binary, it seems that the picture is downloaded under the name putin.exe and executed. But there’s another “but”.


Due to the highlighted formal errors in the code of the injected binary, nothing actually happens and the binary is benign. All of this looks like a kind of Easter egg for those who dig deeper into file content. The mystery remains - who embedded young Vladimir into the uTorrent binary?

And now the last question.

How did the author manage to fool the integrity check and pass the digital signature verification? It’s a trick described in detail by our colleague Igor Glücksmann here: https://recon.cx/2012/schedule/events/246.en.html.

File hash (SHA256): 09F189465AE23D29FC1D4CE5FE982787D0264DF70E74025DF8905F5EEA6B8B7B
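A defender can check a signed PE for this kind of trailing data. The Authenticode file hash does not cover the PE Certificate Table, so bytes placed there after the signature blob do not invalidate the signature. The sketch below is an added example, not Avast's tooling; it assumes the extra data sits inside a WIN_CERTIFICATE entry after the DER-encoded signature, which the post does not state explicitly, and `build_sample` creates a constructed header with a fake signature blob.

```python
import struct

def der_total_len(buf):
    """Length of the outer DER SEQUENCE (header + content), or None if malformed."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    if buf[1] < 0x80:                      # short-form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def cert_table_slack(pe):
    """Return [(file_offset, bytes)] of non-zero data found after each signature blob."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                          # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]   # PE32 / PE32+
    # Data directory index 4 = Certificate Table; its address is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    findings, pos, end = [], off, off + size
    while size and pos + 8 <= min(end, len(pe)):
        length, _rev, _typ = struct.unpack_from("<IHH", pe, pos)
        if length < 8:
            break
        blob = pe[pos + 8:pos + length]    # bCertificate: PKCS#7 SignedData in DER
        used = der_total_len(blob)
        if used is not None and blob[used:].strip(b"\0"):
            findings.append((pos + 8 + used, blob[used:].rstrip(b"\0")))
        pos += (length + 7) & ~7           # entries are 8-byte aligned
    return findings

def build_sample(extra=b""):
    """Constructed minimal PE32 header plus one WIN_CERTIFICATE entry (not a real signature)."""
    der = b"\x30\x82\x01\x00" + b"\xAA" * 256            # fake DER SEQUENCE, 260 bytes
    entry = struct.pack("<IHH", 8 + len(der) + len(extra), 0x0200, 0x0002) + der + extra
    hdr = bytearray(64 + 24 + 96 + 16 * 8)                # DOS + NT + optional + directories
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                 # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<H", hdr, 88, 0x10B)                # PE32 magic
    struct.pack_into("<II", hdr, 88 + 96 + 32, len(hdr), len(entry))
    return bytes(hdr) + entry
```

A non-empty result is a reason to inspect the reported bytes, not a verdict on the file; zero padding after the blob is ignored.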
