• Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg
  • Delicious

Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.

Blog Archive

  • ►  2015 (5)
    • ►  October (1)
    • ►  August (2)
    • ►  May (1)
    • ►  March (1)
  • ►  2014 (8)
    • ►  October (1)
    • ►  July (1)
    • ►  June (1)
    • ►  May (4)
    • ►  April (1)
  • ▼  2013 (12)
    • ▼  December (3)
      • A Hesperbot Core Analysis
      • PDF CVE-2013-5065 - Dropped BAD Malware
      • New PDF Exploit uses 2 new vuln's + JJencode
    • ►  November (5)
    • ►  August (2)
    • ►  March (2)
  • ►  2012 (35)
    • ►  April (4)
    • ►  March (12)
    • ►  February (17)
    • ►  January (2)

Categories

adobe (1) android (10) android february (1) baksmali (1) Black Hole (2) crimepack (1) disassembler (1) exploit (3) Exploits (4) Fakeav Winrar sfx (1) Fishbowl (1) flash (1) gift certificates (1) Google Authenticator (1) google play (1) hcp (1) java (1) Malware (5) mdac (1) Mobile (24) NSA Mobility Program (1) obfuscated script (1) pdf (1) Reversing (2) rhino (1) skype (1) smali (1) spam (1) test (1) Unpacking (1) vouchers (1) vulnerability (3)

Popular Posts

  • Bank of America spam: An Analysis
    An email claiming to be from Bank of America lures users to open an attachment that shows how to open secure emails from the bank. The mess...
  • [BE CAUTIOUS] Dragon Ball Z: Resurrection of F MALWARE and SCAM
    Be wary of downloading movies in torrent sites.  Executables can also be executed with a file size as huge as a gigabyte...
  • Unpacking MFC Compiled CryptoWall Malware
    Unpacking MFC Compiled CryptoWall Malware Introduction First and foremost, this article does not intend to analyze what CryptoWall malw...

Visitors to this blog

Thursday, December 26, 2013

A Hesperbot Core Analysis

Posted on Thursday, December 26, 2013 by Unknown | No comments


A Hesperbot Core Analysis

Like most malware families, Hesperbot may originate in a spam email. Once executed, it will attempt to download its malicious modules through command-and-control (C&C) servers and monitor the activities of the infected computer. These “monitoring activities” may range from logging of keystrokes, recording of the screen, web browser hijacking and many more.

As I reverse engineer this trojan, I decided to divide it into three layers for easy understanding. These three layers are The Packer, The Injector and The Core.

Three Layers of Hesperbot:



The Packer

The packer makes use of the Thread Information Block (TIB) to retrieve NTDLL.DLL base address. The base address in turn is used in getting the virtual address of the APIs it needs by feeding it to its own hashing algorithm.

This Trojan uses the following hashes of APIs to operate:

For NTDLL.DLL:

  • 0x952A9E4: ZwAllocateVirtualMemory
  • 0xCFF13015: LdrProcessRelocationBlock

It uses ZwAllocateVirtualMemory in order to allot memory space to decrypt 24176hex of data starting from 0x00404438 virtual address where it transfers execution to decrypted data in memory.



Again it traverses TIB, but this time to get the base address of KERNEL32.DLL.

It then checks for the following hashes and saves them for later use.

For KERNEL32.DLL:

  • 0x3A35705F: VirtualFree
  • 0x697A6AFE: VirtualAlloc
  • 0xA9DE6F5A: VirtualProtect
  • 0xC8AC8026: LoadLibraryA
  • 0x1FC0EAEE: GetProcAddress



It allocates another memory space using kernel32.VirtualAlloc and decrypts part of its data (the dropper module). As you can see in the figure below, the encrypted data is on the left and the decrypted data consists of MZ-PE header on the right.



This data is then overwritten to the memory space of the original process in conjunction with the usage of kernel32.VirtualProtect to avoid access violation errors in the committed pages of the original process.



All the necessary APIs are then gathered and stored in its Import Address Table (IAT) using kernel32.LoadLibraryA and kernel32.GetProcAddress.

Code execution is then transferred subsequently to the injector module at 0x0044744F.

The Injector

The Trojan hashes and stores various system information which can be used to identify the infected computer once it connects to a C&C server.

  • computer name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
  • system version (like service pack number)
  • processor architecture (x86, AMD64, IA64)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
It creates multiple randomly generated mutex and semaphore strings with the following format
<randommutex>.mutex
<randomsemaphore>.semaphore

A system infected with Hesperbot Trojan can be easily distinguished because of this.



It then creates two folders (Sun and a randomly generated directory) in which it store an encrypted copy of itself as <random>.bkp and <random>.dat. The folder location varies from operating systems:

For WinXP:

  • %ALLUSERSPROFILE%\Application Data\Sun\<random>.bkp
  • %ALLUSERSPROFILE%\Application Data\<RandomDirName>\<random>.dat

For Win7 and above:

  • %ALLUSERSPROFILE%\Sun\<random>.bkp
  • %ALLUSERSPROFILE%\ RandomDirName>\<random>.dat



It will then generate a platform-specific loader code, by checking the OS architechture by using GetNativeSystemInfo.



Hesperbot has three ways to inject its core module to explorer.exe and these all depends whether cmdguard.sys or klif.sys exists in the system. Three scenarios are listed below


  • SCENERIO 1: %systemroot%\system32\drivers\cmdguard.sys exists (Comodo Firewall Guard driver)
    • copy procedure to high memory and transfer execution
    • spawn suspended process of explorer.exe using kernel32.CreateProcessW
    • craft bytes in stack that will jump to malware code in memory
    • modify explorer.exe entry-point and insert the crafted bytes from stack using kernel32.VirtualProtectEx and kernel32.WriteProcessMemory
    • resume suspended process using ntdll.ZwResumeThread



  • SCENARIO 2: %systemroot%\system32\drivers\klif.sys exists (Kaspersky Antivirus system driver)
    • copy core procedure to memory
    • spawn suspended process of attrib.exe using kernel32.CreateProcessW
    • craft bytes in stack that will jump to malware code in memory
    • modify attrib.exe entry-point and insert the crafted bytes from stack using kernel32.VirtualProtectEx and kernel32.WriteProcessMemory
    • resume process of attrib.exe using ntdll.ZwResumeThread
    • injected code in attrib.exe uses kernel32.CreateRemoteThread in order to create a new thread that will inject the core module to explorer.exe




  • SCENARIO 3: cmdguard.sys and klif.sys do not exist
    • copy core procedure to memory
    • spawn suspended process of attrib.exe using kernel32.CreateProcessW
    • craft bytes in stack that will jump to malware code in memory
    • modify attrib.exe entry-point and insert the crafted bytes from stack using kernel32.VirtualProtectEx and kernel32.WriteProcessMemory
    • resume process of attrib.exe using ntdll.ZwResumeThread
    • injected code in attrib.exe that spawns explorer.exe in suspended state
    • making use of windows messaging vulnerability to trigger shellcode execution into explorer.exe address space. (This is commonly known as PowerLoader injection http://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html)
    • the shellcode uses CreateThread and VirtualAlloc to pass execution the core module





For debugging purposes, these are the steps on how I got to trace the shell code:

1.       First of all, know which shell code will be executed. For this sample of Hesperbot, the start of its shell code is at 0x0044A77C – E8 29 00 00 00

2. Replace the first byte 0xE8 to 0xCC (int 3). Save this modified copy.
3. In Ollydbg, goto Options->Just-in-time-debugging and click “Make OllyDbg just-in-time debugger” then exit Ollydbg.

4. Now execute your modified copy of the malware and it should crash windows explorer.

5. Hit the “Debug” button and Ollydbg should pop up, just replace back the modified byte from 0xCC to 0xE8 and start tracing that shell code!

These are the hashes of APIs that are used by Hesperbot Trojan in order to protect itself from easy detection by AV vendors.

  • 0xB02814b6 = kernel32.ExpandEnvironmentStringsW
  • 0x002CFE2B = kernel32.CreateFileW
  • 0xB376CE13 = kernel32.lstrlenW
  • 0xA24F346A = kernel32.CreateProcessW
  • 0x107B9483 = kernel32.WriteProcessMemory
  • 0x1A471325 = kernel32.VirtualProtectEx
  • 0xFDEB2A69 = kernel32.IsProcessorFeaturePresent
  • 0x8D70B719 = kernel32.IsWow64Process
  • 0x4B892318 = kernel32.CreateRemoteThread
  • 0x26662FCC = kernel32.CreateThread
  • 0xDF894B12 = kernel32.VirtualAlloc

  • 0x3708EE6B = ntdll.ZwCreateSection
  • 0xC477C525 = ntdll.ZwMapViewofSection
  • 0x2015436B = ntdll.ZwResumeThread
  • 0xB85C56EA = ntdll.ZwTerminateProcess
  • 0x3F66C5FF = ntdll.ZwGetContextThread
  • 0xD1E48C8B = ntdll.ZwSetContextThread
  • 0x4C7D8945 = ntdll.ZwDelayExecution
  • 0x7B005F26 = ntdll._allmul
  • 0x0BD5C7BD = ntdll.ZwQueryInformationProcess
  • 0x87CE75D8 = ntdll.ZwClose
  • 0xE3086B33 = ntdll.ZwOpenProcess
  • 0x35013E23 = ntdll.ZwTerminateThread
  • 0xA2E76D4C= ntdll.ZwOpenThread
  • 0x6DD66096 = ntdll.ZwQueryInformationThread
  • 0x8EAE85FE = ntdll.ZwReadVirtualMemory
  • 0xAAD44E29 = ntdll.ZwOpenSection
  • 0xB7EF35F4 = ntdll.RtlCreateUserThread

  • 0x9CD6615A = user32.FindWindowA
  • 0x4A4627DC = user32.GetWindowThreadProcessId
  • 0x3CC18006 = user32.SendMessageW
  • 0x8252D56B = user32.SetWindowLongW
  • 0x1FFBFCD8 = user32.GetClassName
  • 0x52BD91BC = user32.SystemParametersInfoW
  • 0xD563318F = user32.RegisterClassExW
  • 0x835DB020 = user32.CreateWindowExW
  • 0x8252D56B = user32.GetMessageW
  • 0x8252D56B = user32.TranslateMessage
  • 0x2776DB53 = user32.DispatchMessageW

The Hesperbot Core

Execution is then passed to the core module after injecting it to explorer.exe. Like always, it must gather first all the necessary APIs it needs by using kernel32.LoadLibrary and kernel32.GetProcAdress method.

It will then set its priority level to THREAD_PRIORITY_ABOVE_NORMAL to give more priority to itself than most active threads in explorer.exe.

It will also attempt to set explorer.exe’s integrity level to LOWINTEGRITYLEVEL_FULLACCESS, so that new processes (like other downloaded malicious modules) with higher integrity than explorer.exe can have read/write access to it.




Integrity levels are a new kernel security feature introduced in Windows Vista. You can read more about it in https://en.wikipedia.org/wiki/Mandatory_Integrity_Control.

The core then creates a mutex for itself with the format Global\inst_<randomstring> and Global\<randomstring>.

It then verifies which running process it is injected to. It does this by hashing its current process filename using its own hashing algorithm and comparing to a table of hashes found in its body. So far, these are the hashes of processes which I recovered from its table through trial and error. Understand that recovering these process names is near impossible because of how the hashing algorithm was designed by the malware author.

  • 0x11955DB8: explorer.exe
  • 0XAAF840B5: csrss.exe
  • 0X1FC97071: svchost.exe
  • 0x537B492F: iexplore.exe
  • 0x76379A9A: firefoxe.exe
  • 0XCA846265: chrome.exe
  • 0X6FB8169E: opera.exe
  • 0X9544710B: browser.exe
  • 0X78AB2C5C: webkit2webprocess.exe
  • 0X2771AA06: maxthon.exe
  • 0XB64FEEED: sleipnir.exe
  • 0XE80C41EC: deepnet.exe
  • 0X30B15DB3: seamonkey.exe
  • 0X532A495F: k-meleon.exe



As you can see, most of these hashes are process names of known web browsers. This gives us a hint that it will try to monitor web activity at some point.

The core module is the one responsible for creating a copy of the trojan in %windir%\<randomFolder>\<randomFileName>.exe. This executable is also referenced by a REGRUN entry at HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Run “randomValueName” to ensure auto execution on windows startup.

It will check for a valid internet connection by querying websites like:

  • http://wikipedia.org
  • http://facebook.com
  • http://google.com
  • http://microsoft.com



It then attempts to connect to its control server using https service and port 443. Its control server can be any of the following:

  • whoischeck.biz
  • 192.31.186.116
  • 188.241.112.29
  • 5.63.152.44
  • 96.43.141.186
  • 94.126.178.29






If the default control server (which is whoischeck.biz) did not respond to the request, it continues to check for other control servers listed above using Domain Generator Algorithm (DGA) in which a random domain name is used in order to evade general antivirus detections.



It will then send the following information after a successful connection handshake is established:

  • Computername that will serve as the ID of the infected machine e.g. "WINXP-6F60CDCD2A3429D85B855BF7"
  • Bot name “tr-botnet”
  • Network adapter information like adapter name, ip address, gateway, dhcp server, etc.
  • Installed smart cards by using SCardEstablishContext, SCardListReadersW and SCardConnectW

This Trojan supposedly downloads other malicious modules from its control server like keylogger, screen recorder, Virtual Network Computing (VNC), network traffic interceptor, etc. However; as of this writing, its control servers seems to be taken down already and are not responding.

Conclusion

Reverse engineering hesperbot core is quite fascinating. It demonstrates numerous tricks up its sleeves to elude easy detection by most antivirus vendors like hashing of process names and needed APIs; encrypting and decrypting part of its codes in memory; and generating random domain names when connecting to its command-and-control server.

It also demonstrates three techniques to process injection. These are via (1)CreateProcess-ResumeThread, (2) CreateRemoteThread, (3) and by exploiting window messaging vulnerability using FindWindow-“shell_traywnd” – SetWindowLong trick.

Christopher D. Del Fierro
Read More

Friday, December 6, 2013

PDF CVE-2013-5065 - Dropped BAD Malware

Posted on Friday, December 06, 2013 by Unknown | No comments

This malware is definitely created by a professional as it has an advance method of installing itself. And the malware author knows that what he/she created is BAD.

0x0BAD - Signature of ShellCode for data stealing.

Installation

This malware was dropped by a PDF file that takes advantage of a known vulnerability which results to Privilege Escalation. To maintain its privilege to run as admin, it creates the following autostart key:

Software\Microsoft\Windows NT\Currentversion\Winlogon
Shell="explorer.exe, <malware_path_and_filename>"

This malware inject its code to windows taskbar by searching for Shell_TrayWnd window handle. And also, It uses ZwQuerySystemInformation to get all the running processes in the system wherein it will calculate the hash of the names of running processes. The hashes will then be compared to the hardcoded list of hashes of executable files that will be targeted for code injection. Here are targeted executables and their corresponding hashes:

69CD16BA - iexplore.exe
7B6061F9 - firefox.exe
880F19D2 - chrome.exe
DD87014F - opera.exe
74667F89 - explorer.exe

This malware uses hashes instead of directly providing the API name that it needs. It uses the TIB (FS[0x18]) to get all the loaded dll modules. Below are the list of APIs and their corresponding hashes:

1F8B758A - ntdll.dll
B05FD69A - LdrGetDllHandle
CCE8D5E4 - LdrLoadDll
FBAF20FE - ZwSetInformationThread
F84E6809 - ZwResumeThread
251E0CC9 - ZwDelayExecution
17CF5544 - RtlGetProcessHeaps
9B2E0E85 - RtlAllocateHeap
41324137 - ZwQuerySystemInformation
086A61AC - RtlReAllocateHeap
E4A0A8C0 - RtlFreeHeap
CD74BF79 - ZwOpenProcess
309A4C54 - ZwClose
73ED9B27 - ZwCreateSection
5D859023 - ZwMapViewOfSection
B62E0ECD - _snprintf
6828791B - ZwTerminateThread
0301DA7D - RtlDecompressBuffer
CE8286AD - ZwAllocateVirtualMemory

4F515588 - kernel32.dll
1A08B014 - CreateRemoteThread
C3B42C10 - GetModuleFileNameW
98D29F2E - GetModuleFileNameA
63A4DEA5 - GetShortPathNameW
412E83B3 - GetShortPathNameA
EB771CAF - CreateEventA
F6F15646 - ExpandEnvironmentStringsA
438EED48 - CloseHandle
A01B4F40 - GetFileAttributesA
69FB2CCE - GetFileAttributesW
5568AE6B - CreateFileA
DC0BC10F - WriteFile
534D310F - ExitProcess
2415842C - DeleteFileW
7DC71262 - DeleteFileA
293DF8B5 - GetProcessVersion

5B117232 - advapi32.dll
E4A8B4E0 - OpenProcessToken
3B97B437 - GetTokenInformation
5B1D4476 - EqualSid
1A726DBB - DuplicateTokenEx
F5E6C455 - RegCreateKeyExA
A63ACEB9 - RegSetValueExA
8F2D0F57 - RegCloseKey

5A4B3EDE - user32.dll
8FAFF46C - FindWindowA
D69D869A - PostMessageA
71669709 - SetWindowLongA

69DE0153 - shell32.dll
F955B5FA - ShellExecuteA

69304E4B - ole32.dll
5142539F - CoCreateGuid


Information Stealing

This malware has the following capabilities:

Delete files
Download and execute files
Send stolen data to server
Stop its own process

But the above routines will not get executed if the following network monitoring tools are running:

tcpdump.exe
windump.exe
ethereal.exe  
wireshark.exe
ettercap.exe  
snoop.exe
dsniff.exe

It steals the following information from a compromised machine:

Uptime of the machine
Temp folder
File listing on certain directory
Drive Types
Network Resources
TCP and UDP connection table
List of running processes
List of names of open windows
Machine Information (Manufacturer and Model)
Operating System version
Processor Information
Computer Name
Local Group
Local Users
Language
Timezone
Country
Installed Windows Updates

And then collates and encrypts the above mentioned data before sending them to the following sites via HTTP POST request:

http://{REMOVED}play.com/wp-includes/sitemap/?rank=78964
http://{REMOVED}ree.ir/wp-content/plugins/online-chat/?rank=87758



Read More

Thursday, December 5, 2013

New PDF Exploit uses 2 new vuln's + JJencode

Posted on Thursday, December 05, 2013 by Unknown | No comments
Last week, a new zero-day exploit has been found in the wild. The exploit is a vulnerability that allows attackers to escalate privilege and execute code in kernel or ring0 mode. More details of the CVE-2013-5065 vulnerability can be found in this Microsoft website. After we got a sample of the supposed PDF that was used in the targeted attack,we immediately went to work and here's what we found.


Close inspection of the raw file reveals that it contains a strange looking script at the end of its body. No clue can be obtained as to what this script is doing at initial glance. However, one of our colleague indicated that this obfuscation technique is already widely used by malicious scripts and has been out for some time now. The obfuscation itself is not malicious but since it provides the stealth and complexity that most malicious scripts require, it is favored by more malware authors. This obfuscation is called jjencode. More details about this technique can be found on this blog. De-obfuscating it was a trivial matter, and it can be easily seen that the script contains shellcode that is intended to be executed using an exploit technique ROP (return objected programming).


De-obfuscated script

The thing is, the supposed exploit code that escalates privileges using DeviceIoControl cannot be read on the said script, which probably is contained in the shellcode. And in order to make the shellcode work, it would require another exploit in the PDF. So in theory, this PDF malware needs two exploits in order for it to successfully attack the system. Knowing this, we went ahead and analyzed the PDF, made breakpoints on strategic places to catch its shellcode in action.

ROP in action

The picture above shows the script was able to put its shellcode in memory. It shows that the script has already gained control of the call stack. It will use a technique called ROP (return oriented programming), since normal buffer overflows would not work in this part of memory where security protections are implemented.

 Allocates memory using CreateFileMapping with FFFFFFFF handle

 Copies 0x400 bytes of shellcode in newly allocated memory

It uses a specific DLL where it would implement its API calls, allocates a separate memory region where it would resume the bulk of its shellcode action using CreateFileMapping. Once it successfully copies its shellcode in the new memory, it gets the APIs that it needs using hashes.

Comparison of hashes for needed API


  • ExitProcess
  • VirtualAlloc
  • DeviceIoControl
  • CreateFileA
  • GetCurrentProcessId
  • LoadLibraryA
  • WinExec
  • WriteFile
  • CloseHandle
  • GetTempPathA
  • GetTempFileNameA
  • GetFileSize
  • ReadFile
  • SetFilePointer
The picture below shows the shellcode attempts to invoke CreateFile with the given argument. This buffer should point to a string "\\\\.\\NDProxy", where it should give a handle and calling DeviceIoControl should perform the exploit EoP (Escalation of Privilege). In turn, this would allow the code to execute a dropped executable with a TMP extension in the %TEMP% folder. However, as you may have noticed, the initial code only copied 0x400 bytes of its code in the new memory. And the pointer to the buffer in CreateFileA indicates the string is located at offset 0x40e...

CreateFileA where buffer should point to "\\\\.\\NDProxy"


DeviceIoControl with the right arguments should perform EoP


It will then re-create an executable by decrypting it from the body of the malicious PDF.

Decrypting

Drops a TMP file in TEMP folder


If everything went right, executes a file in kernel mode









Read More
Newer Posts Older Posts Home
Subscribe to: Posts (Atom)
volute-glacial
volute-glacial
volute-glacial
volute-glacial
Copyright © Anti-Malware Laboratory | Powered by Blogger
Design by Fabthemes | Blogger Template by NewBloggerThemes.com