Anti-Malware Laboratory

Yet Another Malware Blog

Thursday, May 1, 2014

Native Vobfus Malware

Posted on Thursday, May 01, 2014 by Unknown

ANALYSIS

VOBFUS, short for VB Obfuscated, is Visual Basic compiled malware (either p-code or native code) that relies on obfuscation techniques to elude signature-based detection by most antivirus software.

The sample analyzed here (a5e979799c725b45c39cfe87257107d2) is compiled to native code. We skip the obfuscation layers and focus on what the Vobfus payload actually does.

At some point after the malware has de-obfuscated itself in memory, it calls the MSVBVM60.rtcStrConvVar2 API and the actual Vobfus strings (in Unicode) are revealed. From the revealed strings alone we can already form a rough idea of what it does or is about to do.

The malware uses MSVBVM60.DllFunctionCall to invoke Windows API functions (CreateToolhelp32Snapshot, GetDiskFreeSpaceExW, GetUserNameW and so on).

The figure below shows how a call to kernel32.Sleep is routed through MSVBVM60.DllFunctionCall.

On execution it first gathers system information: the username, logical drives, drive types and free disk space. It also creates a mutex named “A”.

Vobfus creates a copy of itself as %USERPROFILE%\<RandomFileName>.exe with the READONLY, HIDDEN and SYSTEM file attributes set, and then executes that copy.

Using the CreateToolhelp32Snapshot, Process32First and Process32Next APIs, it walks the running processes and watches for names containing “task” (Task Manager) or “proc” (Process Explorer). When it finds one, it stops the user from closing the malware manually by patching the TerminateProcess and TerminateThread APIs loaded in that process so that calls to them do nothing: using WriteProcessMemory, it overwrites the first byte of each function with 0xC3 (RETN).
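A defender-side check for the kind of patch described above, added here as an example and not taken from the original post: it compares the first bytes of each API export as seen in a running process against the same export as read from the DLL on disk, and classifies anything that differs. The snapshot and reference byte strings are constructed stand-ins (a real check would read them with ReadProcessMemory and from the DLL file respectively), and the prologue bytes are illustrative rather than copied from a real kernel32 build. The classifier goes a little beyond the post's single RETN patch and also names the common jump-based inline hook openers.

```python
"""Spot inline patches at Windows API entry points by comparing live process
memory against the on-disk copy of the export. Added example; the byte
strings below are constructed, not taken from a real DLL or infected host."""


def classify_entry(entry: bytes) -> str:
    """Classify the first bytes of a function by how they would redirect control.
    The Vobfus case is "ret-patch": a single RETN so the call returns at once."""
    if not entry:
        return "empty"
    if entry[0] == 0xC3:
        return "ret-patch"          # RETN: TerminateProcess/TerminateThread become no-ops
    if entry[0] == 0xE9:
        return "jmp-rel32"          # JMP rel32: classic detour to a hook stub
    if entry[0] == 0xEB:
        return "jmp-short"          # JMP rel8
    if entry[:2] == b"\xff\x25":
        return "jmp-indirect"       # JMP [addr]
    if len(entry) >= 6 and entry[0] == 0x68 and entry[5] == 0xC3:
        return "push-ret"           # PUSH imm32 / RET: a jump in disguise
    return "clean"


def find_patched_entries(snapshot: dict, reference: dict) -> list:
    """Compare per-API entry bytes read from a live process (snapshot) with the
    bytes of the same exports taken from the DLL on disk (reference).
    Returns (api, classification, live_hex, clean_hex) for every mismatch."""
    findings = []
    for api, clean in reference.items():
        live = snapshot.get(api)
        if live is None:
            continue                # export not present in the snapshot
        n = min(len(live), len(clean))
        if live[:n] != clean[:n]:
            findings.append((api, classify_entry(live), live.hex(), clean.hex()))
    return findings


# Constructed reference: a hot-patchable x86 prologue (mov edi,edi / push ebp /
# mov ebp,esp) standing in for the bytes read from kernel32.dll on disk.
REFERENCE = {
    "kernel32!TerminateProcess": bytes.fromhex("8bff558bec"),
    "kernel32!TerminateThread": bytes.fromhex("8bff558bec"),
    "kernel32!Sleep": bytes.fromhex("8bff558bec"),
}

# Constructed snapshot of the same exports inside a process that Vobfus has
# tampered with: the first byte of both Terminate* functions is now 0xC3.
SNAPSHOT = {
    "kernel32!TerminateProcess": bytes.fromhex("c3ff558bec"),
    "kernel32!TerminateThread": bytes.fromhex("c3ff558bec"),
    "kernel32!Sleep": bytes.fromhex("8bff558bec"),
}

if __name__ == "__main__":
    for api, kind, live, clean in find_patched_entries(SNAPSHOT, REFERENCE):
        print(f"{api}: {kind} (live {live}, expected {clean})")
```

Comparing against the on-disk export rather than against a fixed prologue matters: entry bytes vary between Windows builds, so a hard-coded "clean" pattern would produce both false alarms and misses, whereas a mismatch with the file the process loaded is always worth a look.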

It then creates a Run registry entry so that it is launched at every system startup:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe.

It disables Windows Update by adding the registry entry [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU] “NoAutoUpdate” = dword:00000001.

It also changes the Explorer folder settings to hide protected operating system files (files with the SYSTEM attribute) so that the dropped copy is concealed from casual inspection. It does this by modifying the registry value [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ShowSuperHidden” = dword:00000000 (from dword:00000001).
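The three registry changes above are easy to triage from a regedit export, and the same check doubles as verification after the registry steps of the manual remediation further down. The following is an added example, not code from the original post: a small parser for the .reg export format plus a check for the Run entry pattern (value name equal to an executable sitting directly in the profile root), NoAutoUpdate=1 and ShowSuperHidden=0. The export text, the value name xkqzu and the user name victim are constructed.

```python
"""Parse a regedit .reg export and flag the Vobfus registry indicators.
Added example; SAMPLE_REG_EXPORT is constructed, not from a real host."""
import re

# Key paths from the post, lowercased because registry paths are case-insensitive.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
AU_KEY = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au"
ADV_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"

# <RandomFileName> = %USERPROFILE%\<RandomFileName>.exe: an .exe directly in the
# profile root, written either literally or already expanded to C:\Users\<user>\.
PROFILE_ROOT_EXE = re.compile(
    r"^(?:%userprofile%|[a-z]:\\(?:users|documents and settings)\\[^\\]+)\\([^\\]+)\.exe$",
    re.IGNORECASE,
)

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\ and \" are the only escapes used there)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {(key_lower, name_lower): value} for a .reg export given as text.
    String and dword values are decoded; other types are kept as raw text.
    Real exports are UTF-16LE with a BOM, so open them with encoding="utf-16"."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = _VALUE_LINE.match(line)
        if key is None or not m:
            continue                      # header line, default value (@=) or unsupported syntax
        name = _unescape(m.group(1)).lower()
        data = m.group(2)
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        else:
            value = data
        values[(key, name)] = value
    return values


def vobfus_registry_findings(values: dict) -> list:
    """Return (indicator, value_name, data) tuples for each matching indicator."""
    findings = []
    for (key, name), data in values.items():
        if key == RUN_KEY and isinstance(data, str):
            m = PROFILE_ROOT_EXE.match(data.strip())
            if m and m.group(1).lower() == name:
                findings.append(("run-entry-profile-root", name, data))
    if values.get((AU_KEY, "noautoupdate")) == 1:
        findings.append(("windows-update-disabled", "NoAutoUpdate", 1))
    if values.get((ADV_KEY, "showsuperhidden")) == 0:
        findings.append(("superhidden-files-hidden", "ShowSuperHidden", 0))
    return findings


# Constructed export: one Vobfus-style Run entry next to a benign one.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"xkqzu"="C:\\Users\\victim\\xkqzu.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000001
"""

if __name__ == "__main__":
    for finding in vobfus_registry_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

The Run-entry rule keys on the shape of the persistence (name and file name identical, file in the profile root) rather than on any particular random name, which is what you need when the dropped file name differs on every infection.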

It then attempts to connect to the following sites (sending the information gathered earlier) and may attempt to download an updated copy of itself:
  • ns1.player1352.com
  • ns1.player1352.net
  • ns1.player1352.org

It also tries to copy itself onto removable drives (floppy, USB and so on) under filenames such as Passwords.exe, Porn.exe, Secret.exe and Sexy.exe. An autorun.inf file is created on the removable drive pointing to the dropped copy, so that it is executed automatically when the drive is mounted. A zero-byte file named x.mpeg may also be created.

It also modifies the ICON resource section of the dropped files Passwords.exe, Porn.exe, Secret.exe and Sexy.exe so that each copy has a different checksum, an attempt to evade the CRC-based signature detection used by some antivirus software.

MANUAL REMEDIATION

To restore the system, the first problem is how to kill the running Vobfus process. Remember that Vobfus watches for processes whose names contain “task” or “proc” and, when it finds one, patches TerminateProcess and TerminateThread, which stops Task Manager or Process Explorer from terminating processes. The malware can be tricked by renaming Process Explorer’s executable to any name that contains neither “task” nor “proc”.

To put it in steps:
1. Rename procexp.exe to 1.exe.
2. Run 1.exe (copy of procexp.exe).
3. Terminate vobfus malware in memory.
4. Delete the following registry entries using regedit:
a. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe
b. [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU] “NoAutoUpdate” = dword:00000001
5. Modify the following registry entry using regedit:
a. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ShowSuperHidden”: set it back from dword:00000000 to dword:00000001 so that hidden system files are shown in Explorer.
6. Manually delete copies of malware found in %USERPROFILE%\<RandomFileName>.exe and removable drives including the created autorun.inf, x.mpeg, Passwords.exe, Porn.exe, Secret.exe and Sexy.exe.
7. As a recommendation, run a full system scan using Vipre to completely remove possible remnants of the malware.
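Step 6 and the removable-drive behaviour described in the analysis (autorun.inf pointing at one of the dropped names, the zero-byte x.mpeg) can be checked with a small scanner run against the root of each drive before and after cleanup. The following is an added example and not code from the original post: it builds a constructed directory tree standing in for an infected USB root, parses the autorun.inf launch keys, and reports which of the indicators are present. The file contents written by build_sample_drive are placeholders, not real executables.

```python
"""Scan the root of a removable drive for the Vobfus propagation artifacts.
Added example; build_sample_drive() creates constructed test data in a temp dir."""
import tempfile
from pathlib import Path

# Filenames the post reports Vobfus dropping on removable drives.
DROP_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe"}
# autorun.inf keys that name the program Windows would launch.
AUTORUN_LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}


def parse_autorun_inf(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section with keys lowercased.
    Hand-rolled rather than configparser so odd or duplicated lines do not abort."""
    values = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def scan_removable_root(root: str) -> dict:
    """Report dropped copies, autorun launch targets and the zero-byte x.mpeg."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    findings = {
        "dropped_copies": sorted(n for n in files if n in DROP_NAMES),
        "autorun_targets": [],
        "autorun_points_at_drop": False,
        "zero_byte_media": sorted(n for n, p in files.items()
                                  if n == "x.mpeg" and p.stat().st_size == 0),
    }
    if "autorun.inf" in files:
        entries = parse_autorun_inf(files["autorun.inf"].read_text(errors="replace"))
        targets = [v for k, v in entries.items() if k in AUTORUN_LAUNCH_KEYS and v]
        # Keep only the program name: drop arguments and any leading path.
        findings["autorun_targets"] = sorted(
            {t.split()[0].split("\\")[-1].lower() for t in targets})
        findings["autorun_points_at_drop"] = any(
            t in DROP_NAMES for t in findings["autorun_targets"])
    return findings


def build_sample_drive() -> str:
    """Create a constructed directory tree mimicking an infected USB root."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=Porn.exe\nshellexecute=Porn.exe\nicon=Porn.exe\n"
        "action=Open folder to view files\n")
    (root / "Porn.exe").write_bytes(b"MZ" + b"\x00" * 62)    # placeholder, not a PE
    (root / "Secret.exe").write_bytes(b"MZ" + b"\x00" * 62)  # placeholder, not a PE
    (root / "x.mpeg").write_bytes(b"")                       # the zero-byte decoy
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff")      # benign user file
    return str(root)


if __name__ == "__main__":
    print(scan_removable_root(build_sample_drive()))
```

Run it against every removable and mapped drive listed by the infected host, and again after step 6: an empty dropped_copies list and autorun_points_at_drop being False is what a clean drive looks like.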

SUMMARY

Platforms:  WINXP, WIN7, WIN8 x64
File-type: Win32 PE
Malware-type: WORM
Vtest first seen date: 12/31/2013 02:58
Vipre detection name: Trojan.Win32.Generic!BT
Installation
Dropped files
  • %USERPROFILE%\<RandomFileName>.exe (copy of malware)
  • Adds copy of itself to removable drives (including floppy A:\) and may have filenames such as Passwords.exe, Porn.exe, Secret.exe, Sexy.exe
  • Creates autorun.inf file in removable drives and points to malware copy
  • May create x.mpeg file in removable drives with 0 bytes

Registry
Added registry
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe - to execute vobfus at system startup
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU] “NoAutoUpdate” = dword:00000001 – to prevent windows update on system

Modified registry
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ShowSuperHidden” = dword:00000000 (from dword:00000001) – to hide vobfus dropped copy from users

Memory Residency
Invoked processes: %USERPROFILE%\<RandomFileName>.exe (malware dropped copy)
Backdoor/Bot/Stealer
Communicates to/from
  • Attempts to connect to ns1.player1352.com
  • Attempts to connect to ns1.player1352.net
  • Attempts to connect to ns1.player1352.org

Propagates
Method of spreading: copies itself into removable and mapped network drives.
General Malware
Summary of payload
  • drops malware copies to removable and mapped network drives
  • modifies TerminateProcess and TerminateThread APIs loaded in task manager or process explorer to prevent them from terminating vobfus malware
  • may attempt to connect to outside address in order to download updated copy of itself

Pertinent APIs used
advapi32
CloseHandle
connect
CreateToolhelp32Snapshot
GetDiskFreeSpaceExW
GetDriveTypeW
GetFileAttributesW
GetLocaleInfoW
GetLogicalDrives
GetLogicalDriveStringsW
CreateMutexW
GetModuleHandleW
GetUserNameW
ExitProcess
htons
InternetCloseHandle
InternetOpenUrlW
InternetOpenW
InternetReadFile
kernel32
OpenProcess
Process32First
recv
shell32
ShellExecuteW
SHGetSpecialFolderPathW
Sleep
socket
TerminateProcess
user32
wininet
WriteProcessMemory
WSAAsyncSelect
WSAStartup
ws2_32
RegCreateKeyExW
RegSetValueExW
RegCloseKey
What makes it unique: Visual Basic compiled and obfuscation techniques
