Conspiracy theories about Vladimir Putin abound, but Avast Threat Labs team finds another small mystery around the Russian president.
Is Vladimir Putin almighty? Some say that he’s behind everything that moves the world. We steer clear of any conspiracy theories, but what we can say for sure is that President Putin recently made it to the world of Torrent.
We dug deeper into a file, properly signed by BitTorrent Inc.
The claim is that it’s an uTorrent binary:
Everything looks okay so far … but then we detect the binary! What’s wrong here? To get an answer, we have to look at the end of the file.
When we take a closer look, a link catches our attention.
Kremlin.ru is the official website of the president of Russia, and the link leads to this picture:
According to the API functions contained in the small injected binary, it seems that the picture is downloaded under putin.exe name and executed. But, there’s another “but.”
Due to the highlighted formal errors in the code of the injected binary, nothing actually happens and the binary is benign. All of this looks like a kind of Easter egg for those who dig deeper into file content. The mystery remains: who embedded young Vladimir into the uTorrent binary?
And now the last question.
How did the author manage to fool the integrity check to pass the digital signature verification? It’s a trick described in detail by our colleague Igor Glücksmann, here: https://recon.cx/2012/schedule/events/246.en.html).
File hash (SHA256): 09F189465AE23D29FC1D4CE5FE982787D0264DF70E74025DF8905F5EEA6B8B7B