Pages

Sunday, January 29, 2012

Caught and analyzed

In last september, I was playing with Dionaea honeypot which is a great tool (see previous article). After have caught some malwares I would to analyse one of them.


Informations about the file

According to the VirusTotal report, the file I've choose to analyzed is an IRC bot. VT shows an interesting information : the malware seems to be packed with PolyCrypt. In fact the packer version is exactly PolyCrypt PE 2.1.5. During the analysis I have found these string relating to the packer software : "PolyCrypt PE (c) 2004-2005, JLabSoftware.".

After unpacking, we can take a look to the imported DLL and functions : details here

And now we can start the real work : the reverse of the malware !


Let's start the analysis


At startup, the malware creates a script file located at c:\a.bat. The script can be downloaded here.


The script creates file 1.reg in temp directory (c:\Documents and Settings\%user%\Local Settings\Temp), then run regedit with the created reg file before to delete 1.reg and himself.
The reg file disables DCOM, RemoteConnect, restricts anonymous access, disables admin shares (for example C$), changes a lot of TCP/IP parameters and increases the number of possible simultaneous connections to a single HTTP 1.0/1.1 server (50 and 50 instead of respectively 4 and 2). It's obvious that the aim of this last registry modification is to increase DOS effects.

After that registry tweaking, the malware copy himself in c:\windows\system32\host.exe (host.exe is the original filename during spreading). It sets the create, modify and access time of explorer.exe to host.exe. Then, it runs the malware copy which will delete the first malware file.

The malware will edit registry to be executed after reboot. So it adds an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{Run,RunServices} and in HKEY_CURRENT_USER\Software\Microsoft\OLE named "Windows Update" with "host.exe" as value. Then a thread checks running processes every 30 seconds, a list of around 600 process name is parsed. A second thread disables DCOM, restricts anonymous access and disables IPC$ share every 2 minutes. And the last created thread, checks every 120 milliseconds that the malware will be executing at OS startup. After the creation of these 3 threads, Internet status is checked every 30 seconds and if the victim host has Internet access, the payload is run.


Payload

Of course, as this malware is an IRC bot, it implements some IRC commands like USER, PASS, NICK, JOIN, PONG, NOTICE, PRIVMSG, QUIT... After each action, the bot will send to the IRC C&C server NOTICE or PRIVMSG message to report the success or not of the action.

This payload has many features :
- keylogger
- Ping, TCP, UDP, HTTP flood
- DNS cache flush
- ARP table flush
- send email (spam)
- search files and directories
- move files
- get informations about the system : CPU number, CPU frequency, memory usage, disk space, disk type (network, cdrom ...), username, OS version (95, 98, ME, NT, 2000, 2003, XP or Unkown), user domain ...
- get informations about the network : IP, hostname, connection type
- get serial of 42 games (Counter-Strike, FIFA 2003... whole list here), Windows product key and the customer number
- get clipboard data
- list running AV/FW and other "security products" (ollydbg ...). The list contains around 600 processes.
- list registered services and their status (unknown, paused, pausing, continuing, starting, stoping, stoped, running, stopped)
- manage services
- restore the system in a healthy state (delete the registry key and the malware file)
- download and run binary files
- send files
- kill processes
- reverse shell (after authentication on the bot)
- update mecanism
- network sniffing
- TCP ports scan
- basic FTP server
- basic HTTP server used to download files and to send back file and directory search report
- bruteforce SQL server using a built-in list of around 1700 passwords (list here). If logon success, it will download by FTP the malware and run it thanks to "EXEC master..xp_cmdshell".
- video recording using webcam
- screenshot capabilities
- add $C, $IPC, and $ADMIN network shares
- ...


Commands

A non-exhaustive list of IRC commands can be downloaded here.


C&C

Botnet owners use IRC to exchange informations with bots, send commands ... The domain name used to contact the C&C is blah.swXXXXXXXme.com and seems to be located in England (isp : ValueVPS Limited - Hosting network).  The IRC server used by this C&C server is UnrealIRCd 3.2.7 which is listening on port 7878. Channels listed are #GuardBot-Admin, #uk, #fuckoff and #b (joined by bots). A password (imallowed2020) is required to join #b channel.
Bots name are something similare to [GSA]-123456.

Port 7878 isn't the only open port :
  • 80/tcp    open     http         Apache httpd 2.2.14 ((Fedora))
  • 99/tcp    open     ssh          OpenSSH 5.1 (protocol 2.0)
  • 6001/tcp  open     irc          Unreal ircd (used to link to other irc servers)
  • 7878/tcp  open     irc          Unreal ircd (used by irc clients)
  • 10000/tcp open     http        MiniServ 1.530 (Webmin httpd)
  • 65146/tcp open     irc          Unreal ircd (used by irc clients)

Apache is hosting the default apache webpage and on port 10000 we can find Webmin interface to administrate the server.
OS seems to be a Fedora 12 with a 2.6 kernel.

This C&C server doesn't control a huge botnet. I have done several connections to this botnet, and the number of bots was between 467 and 1393. According IRC stats, the max number of IRC users (bots) was 4088.

STATS u
:pwned28.ircd.net 242 [GSA]-370921 :Server Up 0 days, 21:46:20
:pwned28.ircd.net 250 [GSA]-370921 :Highest connection count: 1393 (4088 clients)

In addition, this server suffer from reliability problems. During my analysis, it was sometimes unavailable (january 9th, 12th...).


How to delete it ?

As this malware isn't an advanced one, it's easy to remove it from an infected computer. First you have to kill "host.exe" process using task manager or an other tool. Then you must delete the file "host.exe" located in c:\windows\system32\. With default view options, the file is invisible. You need to uncheck "Hide protected operating system files" in Windows view options. Finally, in the registry you have to delete the key "Windows Update" stored in HKEY_CURRENT_USER\Software\Microsoft\OLE and in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{Run,RunServices}. It could be great to restore all other registry values modified by a.bat file at the beginning of the infection but you will need original values to do that ...


Comments

This malware isn't very stealth because we can found it quite easily in file system and it's even easier with task manager. According to Windows version that the malware can detect and the list of games, I can say that's an old malware with no advanced protections against RE.

Nowadays, some (a lot of ?) malware are developed by governments and cybercriminal groups. I think that's not the case of this trojan because of its "simplicity", the unreliable C&C server and some strings found in it, like "Goodbye happy r00ting.", "NzmxFtpd Owns j0" and "Nice try, idiot." doesn't look professionnal.

I have found on the Internet, a SNORT rules file which list IP address used by the C&C server. So if you have an IDS in your company, you can use this rules file which contains a list of known C&C servers, to generate alerts when an host is communicating with one of these servers.