ANALYSIS
This version of VOBFUS malware is compiled to p-code or pseudo code (also known as packed code). Since it is p-code compiled, the malware file is technically smaller than a natively compiled version of the malware. And since this version needs a p-code interpreter at runtime in order to interpret the p-code instructions, debugging the malware in OllyDBG will prove quite demanding, especially for users not familiar with these types of instructions. You may also use a p-code debugger called WKTVBDebugger, which already interprets p-code instructions.
In order to debug this malware in OllyDBG, we need to set a breakpoint on MSVBVM60.DllFunctionCall to trap all Windows APIs that the malware uses.
Usage of the MSVBVM60.DllFunctionCall API is illustrated below.
Upon execution, it will create a mutex with the string “A”.
It will create a copy of itself as %USERPROFILE%\<RandomFileName>.exe with the file attributes READONLY, HIDDEN and SYSTEM. This copy will then be executed using USER32.ShellExecuteW.
Next, it will attempt to establish a connection to ns1.theimageparlour.net.
It also drops an autorun.inf in removable/shared drives that points to its dropped copy. This ensures automatic execution of the malware when the autorun feature is enabled for removable drives. Dropped files in removable/shared drives are also set with the attributes READONLY, HIDDEN and SYSTEM. It will also drop multiple shortcut links that point to the malware.
Using the CreateToolhelp32Snapshot, Process32First and Process32Next APIs, it traverses the running processes and prevents users from manually closing the malware by hooking the TerminateProcess and TerminateThread APIs and modifying them in memory, so that when these APIs are called they simply do nothing. It does this by using the WriteProcessMemory API to replace the first byte of TerminateProcess and TerminateThread with 0xC3 (RETN). The following processes are skipped and left unpatched:
- taskmgr.exe
- explorer.exe
- svchost.exe
- winlogon.exe
- services.exe
- lsass.exe
- alg.exe
- csrss.exe
- smss.exes (Yes! This is not a typo)
- spoolsv.exe
- firefox.exe
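One way to check for this tampering from the defender's side, as an added example that is not part of the original post: read the first bytes of TerminateProcess and TerminateThread from a live process and flag a leading 0xC3. The Windows reader uses ctypes and assumes a target of the same bitness as the scanner; the byte strings used for offline checks are constructed.

```python
from typing import Dict, Optional

RETN = 0xC3                                    # x86 "ret": VOBFUS writes it at offset 0
WATCHED = ("TerminateProcess", "TerminateThread")

def classify_prologue(name: str, live: bytes, clean: Optional[bytes] = None) -> str:
    """'patched-retn' is exactly the VOBFUS tampering (the call returns at once);
    'modified' is any other difference from `clean`, the same bytes taken from a
    trusted reference such as a process on the malware's skip list; else 'clean'."""
    if not live:
        raise ValueError(f"no bytes read for {name}")
    if live[0] == RETN:
        return "patched-retn"
    if clean is not None and live[:len(clean)] != clean[:len(live)]:
        return "modified"
    return "clean"

def read_api_prologues(pid: int, n: int = 8) -> Dict[str, bytes]:
    """Windows only: first n bytes of each watched API inside `pid`. kernel32 shares
    one base across processes of a boot session, so the address resolved in this
    process is valid in a target of the same bitness (32-bit Python for 32-bit targets)."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    h = k32.OpenProcess(0x0010 | 0x0400, False, pid)   # PROCESS_VM_READ | PROCESS_QUERY_INFORMATION
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    base, out = k32.GetModuleHandleW("kernel32.dll"), {}
    try:
        for api in WATCHED:
            buf, got = ctypes.create_string_buffer(n), ctypes.c_size_t()
            addr = k32.GetProcAddress(base, api.encode())
            if not k32.ReadProcessMemory(h, addr, buf, n, ctypes.byref(got)):
                raise ctypes.WinError(ctypes.get_last_error())
            out[api] = buf.raw[:got.value]
    finally:
        k32.CloseHandle(h)
    return out

def scan_process(pid: int, reference: Optional[Dict[str, bytes]] = None) -> Dict[str, str]:
    """Verdict per watched API for one live process (Windows only)."""
    live, ref = read_api_prologues(pid), reference or {}
    return {api: classify_prologue(api, live[api], ref.get(api)) for api in WATCHED}
```

On the suspect host, call scan_process(pid) for each process of interest; a process on the skip list above (for example explorer.exe) can supply the reference bytes, since the malware leaves those untouched.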
It then creates its REGRUN entry to ensure activation at every system startup.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe.
It will also set the folder settings to hide system files (files with the SYSTEM attribute set) in order to conceal the malware from easy inspection. It does this by modifying the registry value [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ShowSuperHidden” = dword:00000000 (from dword:00000001).
Of note, this malware changes the ProductName, FileVersion, ProductVersion, InternalName and OriginalFileName of every dropped copy of itself to avoid easy hash detection by AV vendors.
MANUAL REMEDIATION
In order to successfully restore the system, first and foremost we have to find a way to kill the vobfus malware running as a process. Remember that this version of vobfus has a list of processes to skip (as stated above) when modifying TerminateProcess and TerminateThread. Because of this, we can rename a copy of Process Explorer to explorer.exe in order to fool the malware.
To put it in steps:
1. Rename procexp.exe to explorer.exe.
2. Run explorer.exe (the copy of procexp.exe).
3. Terminate the vobfus malware in memory.
4. Delete the following registry entry using regedit:
   a. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe
5. Modify the following registry entry using regedit:
   a. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ShowSuperHidden” = dword:00000000 (set it back to dword:00000001 to see hidden system files in Explorer).
6. Manually delete the copies of the malware found at %USERPROFILE%\<RandomFileName>.exe and in removable/shared drives, including the created autorun.inf, ert.dll and the shortcuts that point to vobfus.
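Steps 4 and 5, plus locating the dropped copy for step 6, can be scripted once the process is dead (step 3). The following is an added example, not tooling from the post: it finds HKCU Run values whose target is a READONLY+HIDDEN+SYSTEM .exe directly under %USERPROFILE%, deletes those values and sets ShowSuperHidden back to 1. It assumes a Windows host with the standard winreg and ctypes modules; the attribute lookup is passed in so the matching logic can be checked offline with constructed data.

```python
import ntpath
from typing import Callable, Dict, List

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
ADV_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RHS = 0x1 | 0x2 | 0x4        # FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM, as VOBFUS sets them

def suspect_run_entries(run_values: Dict[str, str], user_profile: str,
                        attrs_of: Callable[[str], int]) -> Dict[str, str]:
    """{value_name: exe_path} for Run entries matching the VOBFUS pattern: an .exe
    directly under the user profile (given without trailing backslash) that carries
    READONLY+HIDDEN+SYSTEM. `attrs_of(path)` returns the attribute bits, -1 if missing."""
    hits = {}
    for name, value in run_values.items():
        target = value.strip().strip('"')
        if target.upper().startswith("%USERPROFILE%"):
            target = user_profile + target[len("%USERPROFILE%"):]
        in_profile = ntpath.normcase(ntpath.dirname(target)) == ntpath.normcase(user_profile)
        if in_profile and target.lower().endswith(".exe"):
            attrs = attrs_of(target)
            if attrs >= 0 and attrs & RHS == RHS:
                hits[name] = target
    return hits

def win_attrs_of(path: str) -> int:
    """Windows only: GetFileAttributesW; the default c_int return type maps
    INVALID_FILE_ATTRIBUTES (0xFFFFFFFF, file missing) to -1."""
    import ctypes
    return ctypes.WinDLL("kernel32").GetFileAttributesW(path)

def read_run_values() -> Dict[str, str]:
    """Windows only: dump the HKCU Run key as {name: command}."""
    import winreg
    out, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:                      # no more values
                return out
            out[name], i = str(data), i + 1

def clean_registry(names: List[str]) -> None:
    """Windows only, steps 4 and 5: delete the Run values, set ShowSuperHidden back to 1."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
        for name in names:
            winreg.DeleteValue(key, name)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADV_KEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "ShowSuperHidden", 0, winreg.REG_DWORD, 1)
```

On the infected host, run `found = suspect_run_entries(read_run_values(), os.environ["USERPROFILE"], win_attrs_of)`, review `found`, then `clean_registry(list(found))` and delete the listed files (step 6) along with the removable-drive droppings.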
As a recommendation, run a full system scan using Vipre to completely remove possible remnants of the malware.
SUMMARY
Platforms: WINXP, WIN7, WIN8 x64
File-type: Win32 PE
Malware-type: WORM
Vtest first seen date: 12/29/2013 22:02
Vipre detection name: Trojan.Win32.Generic!BT
Installation
Dropped files
- %USERPROFILE%\<RandomFileName>.exe (copy of malware)
- Adds a copy of itself to removable and shared drives (including floppy A:\) and may have filenames
- Adds shortcut links pointing to the malware in removable/shared drives such as:
Documents.lnk
Music.lnk
New Folder.lnk
Passwords.lnk
Pictures.lnk
Video.lnk
zAS.lnk
zbI.lnk
zdG.lnk
zKU.lnk
zTn.lnk
zug.lnk
zww.lnk
zYh.lnk
zYJ.lnk
- Creates autorun.inf file in removable/shared drives and points to malware copy
- May also drop another Trojan in removable/shared drives with filename ert.dll
Registry
Added registry
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] “<RandomFileName>” = %USERPROFILE%\<RandomFileName>.exe - to execute vobfus at system startup
Modified registry
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] “ShowSuperHidden” = dword:00000000 (from dword:00000001) – to hide vobfus dropped copy from users
Memory Residency
Invoked processes:
%USERPROFILE%\<RandomFileName>.exe (malware dropped copy)
Backdoor/Bot/Stealer
Communicates to/from
Attempts to connect to ns4.theimageparlour.net
Propagates
Method of spreading: copies itself into removable and mapped network drives.
General
Malware
Summary of payload
- drops malware copies to removable and mapped network drives
- modifies the TerminateProcess and TerminateThread APIs loaded in every process, except those on its skip list, to prevent them from terminating the vobfus malware
- may attempt to connect to an outside address in order to download an updated copy of itself
Pertinent APIs used
Libraries: advapi32, kernel32, shell32, user32, wininet, wsock32
APIs:
CloseHandle
connect
CreateToolhelp32Snapshot
GetDiskFreeSpaceExW
GetDriveTypeW
GetFileAttributesW
GetLocaleInfoW
GetLogicalDrives
GetLogicalDriveStringsW
CreateMutexW
GetModuleHandleW
GetUserNameW
ExitProcess
htons
InternetCloseHandle
InternetOpenUrlW
InternetOpenW
InternetReadFile
OpenProcess
Process32First
ShellExecuteW
SHGetSpecialFolderPathW
Sleep
socket
TerminateProcess
WriteProcessMemory
WSAAsyncSelect
WSAStartup
RegCreateKeyExW
RegSetValueExW
RegCloseKey
What makes it unique: Visual Basic compiled and obfuscation techniques