Almost a year after Operation SNOWGLOBE was publicly mentioned for the first time by the well-known French newspaper Le Monde, security experts have now laid hands on malware samples that match the descriptions made by the Communication Security Establishment Canada (CSEC). The following analysis is the first report about the espionage malware dubbed Babar, which the whole computer security community has been searching for. After the disclosure about EvilBunny [1], Babar is now the second component identified as related to Operation SNOWGLOBE, and it is believed to be coded by the same developers. Babar’s feature set includes keystroke logging, clipboard logging and, most interesting, the possibility to log audio conversations – the elephant has big ears!

Background
The revelation about the existence of yet another potentially nation-state driven spyware occurred in March 2014, when Le Monde reported about top secret slides originating from 2011 and published part of their content.
But the slides Le Monde published revealed only a small part of the picture: several slides were cut out and some information was redacted. Germany’s Der Spiegel re-published the slides with far fewer deletions in January 2015 and therefore gave a deeper insight into what CSEC actually says it has tracked down. The newly published documents reveal that the so-called Operation SNOWGLOBE was discovered in 2009 (slide 9) and consists of three different “implants”: two were dubbed snowballs and one “more sophisticated implant, discovered in mid-2010” is tagged as snowman (slide 7). According to slide 22, “CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO Cyber Network Operation effort, put forth by a French intelligence agency.” The information given dates back to 2011 and nothing else has been published since. Now that specific Babar samples have been identified and analyzed, there might be new information, also with regard to similarities and differences between the two Remote Administration Tools (RATs) EvilBunny and Babar. We’d like to express special thanks to Marion Marschalek, Joan Calvet and the CIRCL Luxemburg team for their contributions to this report! We recommend reading Marion’s report “”, a complementary piece of work regarding the Babar malware.
Antivirus detection
The first task for both EvilBunny and Babar is to list the installed antivirus software. They use exactly the same technique to fulfill this task: WMI, the Windows Management Instrumentation. WMI is an interface provided by Microsoft to get information about, and notifications from, the system; it can be used from VBScript, PowerShell or C. To detect the name of the antivirus solution installed and registered, the malware opens one of the following Windows Security Center WMI providers:

- ROOT\SecurityCenter (for operating systems before Windows Vista)
- ROOT\SecurityCenter2 (Windows Vista and newer)

The analyzed malware includes both providers and therefore handles both operating system generations (pre-Vista and Vista or later). Microsoft provides an SQL-like language to perform queries against WMI.
This language is called WMI Query Language (WQL for short). The malware performs the following query.

API obfuscation
Both cases:
The two malicious programs both use API obfuscation in order to make analysis more complicated. The purpose is to call a Microsoft Windows API function without naming it.
In our cases, the approach is the same in both malware families: when the malware needs to execute an external function (from a dynamic library), it uses a kind of “hash” instead of the function name. The “hash” is passed to an internal function that establishes the relation between the “hash” and the address of the function, and finally that address is called. The only difference between EvilBunny and Babar, when it comes to API obfuscation, is the internal function used to establish the relation. An example below (where the “hash” is 0x46318AD1).

Paul@gdata:/$ cat API.py
#!/usr/bin/python
import sys
import pefile

def rol32(num, count):
    # rotate a 32-bit value left by `count` bits
    num1 = (num << count) & 0xFFFFFFFF
    num2 = num >> (0x20 - count)
    return num1 | num2

pe = pefile.PE(sys.argv[1])
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
    if exp.name is None:        # exported by ordinal only, nothing to hash
        continue
    cpt = 0
    for i in exp.name:          # exp.name is bytes, so i is one byte value
        key = rol32(cpt, 7)     # "hash" = ROL32(previous, 7) XOR current byte
        cpt = i ^ key
    print('%s: 0x%08x' % (exp.name.decode(), cpt))

paul@gdata:/babar$ ./API.py kernel32.dll
ActivateActCtx: 0x5147f60f
AddAtomA: 0x1e1865e5
AddAtomW: 0x1e1865f3
AddConsoleAliasA: 0x06dc97e5
AddConsoleAliasW: 0x06dc97f3
AddLocalAlternateComputerNameA: 0xedbafee8
AddLocalAlternateComputerNameW: 0xedbafefe

Babar case:
The Babar malware does not compute a kind of “CRC” of the function name.
The algorithm is more complex. However, the philosophy is the same: for each exported function name, the malware applies an algorithm to verify whether the calculated “hash” matches the wanted “hash”. To create the correlation table in this case, our approach was to instrument the debugger using Python. In our samples, the instruction at 0x10040930 (CMP ECX, EAX) is particularly interesting because ECX contains the desired “hash”, EAX contains the calculated “hash” of the current exported function and EBX contains the current exported function name. So we can write a short Immunity Debugger Python script that records these values for each exported function name and builds the table.
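As an added illustration (not code from the G DATA report), the ROL-7/XOR “hash” of the API.py script above turned into a reusable resolver: it builds the correlation table from a list of export names and maps the hashes found in a sample back to names, reporting the ones the table cannot explain. The export list is a constructed partial subset of kernel32.dll; the values checked are the ones the script output above shows.

```python
# Added example: resolver for the ROL-7 / XOR API "hash" described in the report.
# Not part of the report; the export list below is a constructed partial subset.

def rol32(value, count):
    """Rotate a 32-bit value left by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def api_hash(name):
    """Report's algorithm: h = ROL32(h, 7) ^ byte, for every byte of the name."""
    if isinstance(name, str):
        name = name.encode("ascii")
    h = 0
    for b in name:
        h = rol32(h, 7) ^ b
    return h


def build_table(export_names):
    """Map hash -> export name, refusing silently overwritten collisions."""
    table = {}
    for name in export_names:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError("hash collision: %s / %s" % (table[h], name))
        table[h] = name
    return table


def resolve(hashes, table):
    """Resolve hashes a sample hands to its lookup routine; None if unknown."""
    return {h: table.get(h) for h in hashes}


# Constructed partial list of kernel32.dll export names (real names, not a full dump).
KERNEL32_EXPORTS = ["ActivateActCtx", "AddAtomA", "AddAtomW",
                    "AddConsoleAliasA", "AddConsoleAliasW"]

if __name__ == "__main__":
    table = build_table(KERNEL32_EXPORTS)
    # two hashes from the report's script output plus the report's example 0x46318AD1,
    # which this partial table cannot explain
    wanted = [0x1E1865E5, 0x1E1865F3, 0x46318AD1]
    for h, name in sorted(resolve(wanted, table).items()):
        print("0x%08x -> %s" % (h, name or "<unresolved>"))
```

Feeding the table the full export lists of the DLLs a sample loads turns an unresolved hash into a name, which is exactly the correlation table the report describes.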
The first line contains document viewer processes, the second line contains media document extensions and the third line contains instant messaging processes. The use of this information is described below in the chapter Babar’s espionage features. Finally, the last line contains the URLs of the command and control servers.

Babar’s espionage features
The RAT has common features such as code execution, code injection into running processes and file stealing (the extensions listed in the configuration file come into play at this point). However, Babar has additional features: it is a key logger that records keystrokes, and it can also steal the clipboard content (the clipboard frequently holds passwords when the user relies on a password manager such as KeePass).
The data is stored in the file %COMMONAPPDATA%\MSI\update.msi. Here are two screenshots of the key logger API. And finally, like every elephant, Babar has big ears: the malware is able to listen to conversations and log them by using the dsound and winmm libraries.
We assume that the process list of the instant messaging services, seen in the configuration, is used to identify when the malware should enable this feature. The following screenshot shows the use of the wave* API to record the audio stream. Looking at the feature list, we can identify that this malware is meant to be a pure espionage tool. Based on the current information, it does not harm the computer system itself but is an elaborate instrument for wiretapping and exfiltrating data from infected computers. This leads to the assumption that the number of infected machines is rather small and carefully chosen.
Conclusion
Having more information about the malware attributed to Operation SNOWGLOBE, taken from the re-published slides, the G DATA experts are confident that they have found samples which match the descriptions. EvilBunny and Babar might correspond to two of the three “implants” referred to as Snowballs and Snowman. The G DATA SecurityLabs are convinced that the number of similarities identified between EvilBunny and Babar shows that both malware families originate from the same developers. The evil cartoon malware families share part of their code. The analyses suggest that the samples identified are newer versions of the malware CSEC described in the slides, which may be one reason for the absence of certain indications CSEC has mentioned. Nevertheless, unfortunately, the experts cannot contribute further information with regard to the malware’s origin or the list of victims. The information CSEC provided was partly supported by indications found in the code, but no further clue has been identified. The assertion of a “French intelligence community” being responsible remains unchanged.
Attributing malware to any origin, especially when dealing with specialized and professional malware, has always been difficult. With a possible nation-state background, this espionage software would not be spread as mass malware but activated against specific, chosen targets only. The main functions of this malware are data exfiltration and wiretapping. Even if many questions still remain unanswered, the analyses presented mark an important step towards validating the leaked slides.