Friday 14 May 2010

Offline Malware Analysis

In this article I am going to write about analysing Malware statically/offline (without actually running or debugging it).
From looking at the strings in a piece of Malware it is quite often easy to work out what it is designed to do.

To find some live Malware samples, I am going to use some known drive-by download sites. This will dump a list of URLs to a file:

D3ADLiN3@box:~# links2 -dump http://www.malwareurl.com/search.php?domain=\&s=exploits\&match=0\&rp=100\&urls=on\&redirs=on\&ip=on\&reverse=on\&as=on | awk '{print $1}' | sed 's/|//' | egrep "[A-Za-z0-9\/]" | awk '{print "http://"$1}' >> MalURLS.txt

Now I use wget to fetch the pages safely. I spoof the User-Agent so I don't get blacklisted by the download kits, and by using an IE6 User-Agent hopefully I will trigger more attacks.

D3ADLiN3@box:~# wget -i MalURLS.txt -T 1 -t 3 --user-agent="Mozilla/4.0 (MSIE 6.0; Windows NT 5.1)"

Once wget has finished downloading, there are a variety of HTML pages and executables left over.

So I have picked a random downloaded executable, called 1009.exe.
Now let's take a look at the file:

D3ADLiN3@box:~# packer.py 1009.exe -> Nothing Found
D3ADLiN3@box:~# yara rules 1009.exe -> Delphi
D3ADLiN3@box:~# clamscan 1009.exe
1009.exe: Trojan.Killav-157 FOUND

OK, so AV has detected the file as an Anti-Virus killer, and it appears to be unpacked and written in Delphi.
Opening the file in a hex editor, I can confirm the file is not crypted or packed, because all the strings within the file are clearly visible and not obfuscated in any way.
So let's dump all the strings out of the file:

D3ADLiN3@box:~# strings 1009.exe > strings_1009.exe

Now a couple of things jump out straight away: Av Love Av Av Av Av Av, bluedragonfly, U_GuiHack360, KillAv, upmyself.
A quick Google on some of these comes up with some obvious results:
"U_GuiHack360" appears to be a method to kill Norton 360 AV/Firewall GUI.
"Av Love Av Av Av Av Av" links to a website about Malware.

There is a list of different AV executables, most probably for process killing.

There are references to Registry Keys:
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

These keys are related to display options for Hidden files in Windows Explorer.

We also find references to what appear to be the startup methods:
Software\Microsoft\Windows\CurrentVersion\policies
software\microsoft\windows\currentversion\run
software\microsoft\windows\currentversion\runonce
software\microsoft\windows\currentversion\runonceex
software\microsoft\windows\currentversion\runservices

The Malware author also seems to be using the "Image File Execution Options" Debugger method to kill AV (or possibly as a startup method?):

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

This lesser-known registry key is designed for debugging applications: Windows first launches the debugger named in the key, which in turn launches the application to be debugged.
So, for example, if you wanted to debug notepad.exe with OllyDbg you would make an entry like so:


This would launch OllyDbg, which would then load notepad.exe.

If the "debugger" you name is a program that does not go on to launch the original executable, only that program runs instead of the process. So, for example, if you changed OllyDbg to calc.exe instead, each time you tried to load notepad.exe it would launch calc.exe.

This can be used by Malware in 2 ways:
1) Hijacking an existing process which is set to start up (e.g. a default built-in Windows service such as Windows Update) and using this as a startup method.
2) Hijacking a legitimate process and setting it to load something useless instead. For example, the Malware could add each Anti-Virus process to the list and set something like svchost.exe to load instead. This would stop the AV process from loading; svchost.exe would be launched instead and would do nothing.
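As an added defender-side example (not code from the original post): an offline audit of IFEO entries that were exported with reg export, flagging every Debugger value that is not a recognised debugger and telling the two abuses described above apart. The .reg content, the image names and the list of known debuggers are constructed assumptions, not values from the sample.

```python
import re

# Constructed sample of a "reg export" of the IFEO key (not from the analysed sample): a genuine
# OllyDbg entry, an AV process pointed at svchost.exe, and Windows Update pointed at a dropped file.
# In .reg files backslashes inside string values are written doubled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\ollydbg\\ollydbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe]
"Debugger"="C:\\Windows\\Temp\\1009.exe"
'''

IFEO_PREFIX = '\\Image File Execution Options\\'
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # string values only; dword: lines are ignored
KNOWN_DEBUGGERS = {'ollydbg.exe', 'windbg.exe', 'cdb.exe', 'ntsd.exe', 'vsjitdebugger.exe'}
SYSTEM_SINKS = {'svchost.exe', 'rundll32.exe', 'cmd.exe'}   # "load something useless instead"

def parse_reg_export(text):
    """Return {image name: {value name: value}} for every IFEO subkey in a .reg export."""
    entries, current = {}, None
    for line in text.splitlines():
        key, val = KEY_RE.match(line.strip()), VAL_RE.match(line.strip())
        if key:
            idx = key.group(1).lower().find(IFEO_PREFIX.lower())
            # the first path component after the IFEO key is the hijacked image name
            current = key.group(1)[idx + len(IFEO_PREFIX):].split('\\')[0].lower() if idx != -1 else None
            if current:
                entries.setdefault(current, {})
        elif val and current:   # undo .reg escaping of backslashes and quotes
            entries[current][val.group(1)] = val.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return entries

def audit_ifeo(entries):
    """Flag every Debugger value that is not a known debugger and say what the hijack does."""
    findings = []
    for image, values in entries.items():
        dbg = values.get('Debugger')
        if not dbg:
            continue
        target = dbg.replace('"', '').split()[0].rsplit('\\', 1)[-1].lower()  # exe name, args dropped
        if target in KNOWN_DEBUGGERS:
            continue
        what = 'neutralised (runs %s instead)' % target if target in SYSTEM_SINKS else 'hijacked as startup (runs %s)' % dbg
        findings.append((image, dbg, what))
    return findings
```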

We also find a reference to "SeDebugPrivilege", which could be used to help kill AV processes or for process injection.

There are references to the following strings: FireWall, Virus, Anti, NOD32, Sniffer, DeBug.
I would suggest this is most probably used as a generic 'Anti-Anti', searching for and closing windows whose titles contain these strings.

We can also see what I believe are the Delphi Modules used in the file: bluedragonfly, U_GuiHack360, 3Messages, KWindows, UTypes, SysInit, System, KillAv, SysUtils, ImageHlp, SysConst, process, GetIp, ?WinInet, WinSock, HardwareInfo, 0Nb30, anti, upmyself, Jencrypt, @other, TlHelp32.
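An added example, not part of the original article: a small strings triage in Python that extracts printable strings the way the strings tool does and groups them into the categories walked through above (autostart keys, the Explorer hidden-file setting, IFEO, privilege names, anti-AV window-title terms), and also picks out URLs and check-in parameters. The byte blob it runs over is constructed to resemble the sample, not the real 1009.exe.

```python
import re

# Constructed byte blob standing in for the unpacked binary (not the real 1009.exe):
# a PE-like header, some junk bytes, and strings of the kinds discussed above.
SAMPLE = (b'MZ\x90\x00\x03\x00\x00\x00\x04\x00'
          + b'software\\microsoft\\windows\\currentversion\\runonceex\x00'
          + b'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\x00'
          + b'SeDebugPrivilege\x00NOD32\x00KillAv\x00\x01\x02ab\x03'
          + b'http://www.example.invalid/Count.asp?mac=\x00&ver=Test&os=Windows\x00')

# Each category is a behaviour hint; the terms come from what was found in the sample.
CATEGORIES = {
    'autostart key': re.compile(r'currentversion\\(run(once(ex)?|services)?|policies)\b', re.I),
    'explorer hidden-file setting': re.compile(r'explorer\\advanced', re.I),
    'IFEO debugger hijack': re.compile(r'image file execution options', re.I),
    'privilege name': re.compile(r'\bSe[A-Za-z]+Privilege\b'),
    'anti-AV window/process term': re.compile(r'\b(firewall|virus|anti|nod32|sniffer|debug|killav)\b', re.I),
    'URL / check-in parameter': re.compile(r'https?://\S+|[?&](mac|ver|os)=', re.I),
}

def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the Unix strings tool."""
    return [m.group().decode('ascii') for m in re.finditer(rb'[\x20-\x7e]{%d,}' % min_len, data)]

def triage(strings):
    """Group strings by the behaviour they hint at; categories with no hits are dropped."""
    hits = {name: [s for s in strings if rx.search(s)] for name, rx in CATEGORIES.items()}
    return {name: found for name, found in hits.items() if found}

if __name__ == '__main__':
    for name, found in triage(extract_strings(SAMPLE)).items():
        print('%-30s %s' % (name, found))
```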

There are also some URLs in the file:

http://www.xxx.cn/Count.asp
http://121.11.81.46:88/haozi.txt

Going back into the hex editor, I search for xxx.cn and find some other interesting strings next to it: "?mac=" and "&ver=Test&os=Windows". To me, this looks like some sort of tracking system, probably to count the number of infections.
Looking at the next URL in the file, I downloaded haozi.txt and opened it up:

http://121.11.81.46:88/1005.exe
105.exe
http://121.11.81.46:88/han.exe
han.exe
http://121.11.81.46:88/dog1.exe
dog1.exe
http://121.11.81.46:88/dog2.exe
dog2.exe
http://121.11.81.46:88/dogarp.exe

This appears to be a "Task List" for an Intelligent Downloader. What's the difference between an Intelligent Downloader and a Regular Downloader? A Regular Downloader normally has a URL hardcoded; an Intelligent Downloader will go to a URL to find a task list of things to download (in this case 5 other binaries). The benefit of using an Intelligent Downloader is that the Malware author can change the location of his Malware files, and his Downloader will keep functioning a lot longer than a Regular Downloader (assuming the Task List URL doesn't die).
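As an added example (not code from the post), a parser for this kind of task list: it pairs each URL with the save-name line that follows it, falls back to the URL's basename when that line is missing (as for dogarp.exe above), records the 1005.exe/105.exe mismatch, and turns the list into block/hunt indicators without fetching anything. The sample is the listing above, copied as shown.

```python
from urllib.parse import urlsplit

# The task list exactly as shown in the post: a URL line, usually followed by the
# filename the downloader should save it as. Note the mismatched name for 1005.exe
# and the missing name line for dogarp.exe.
TASK_LIST = """http://121.11.81.46:88/1005.exe
105.exe
http://121.11.81.46:88/han.exe
han.exe
http://121.11.81.46:88/dog1.exe
dog1.exe
http://121.11.81.46:88/dog2.exe
dog2.exe
http://121.11.81.46:88/dogarp.exe
"""

def is_url(line):
    return line.lower().startswith(('http://', 'https://'))

def parse_task_list(text):
    """Return one task per URL: where it is fetched from, what it is saved as,
    and whether the declared save-name disagrees with the URL's basename."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    tasks, i = [], 0
    while i < len(lines):
        if not is_url(lines[i]):      # stray name line without a URL before it: skip
            i += 1
            continue
        url = lines[i]
        basename = urlsplit(url).path.rsplit('/', 1)[-1]
        declared = None
        if i + 1 < len(lines) and not is_url(lines[i + 1]):
            declared = lines[i + 1]   # save-name line belongs to this URL
            i += 1
        tasks.append({'url': url, 'save_as': declared or basename,
                      'mismatch': declared is not None and declared != basename})
        i += 1
    return tasks

def indicators(tasks):
    """Hosts to block and filenames to hunt for on disk, derived from the list alone."""
    hosts = sorted({urlsplit(t['url']).netloc for t in tasks})
    names = {t['save_as'] for t in tasks} | {urlsplit(t['url']).path.rsplit('/', 1)[-1] for t in tasks}
    return {'hosts': hosts, 'filenames': sorted(names)}
```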

So let's download and scan the files:

D3ADLiN3@box:~# clamscan *.exe
1005.exe: OK
dog1.exe: OK
dog2.exe: Trojan.Downloader-13207 FOUND
dogarp.exe: Trojan.Agent-16390 FOUND
han.exe: OK

D3ADLiN3@box:~# packer.py 1005.exe -> Nothing Found
D3ADLiN3@box:~# packer.py dog1.exe -> ['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']
D3ADLiN3@box:~# packer.py dog2.exe -> ['TASM / MASM']
D3ADLiN3@box:~# packer.py dogarp.exe -> Nothing Found
D3ADLiN3@box:~# packer.py han.exe -> ['Microsoft Visual C++']

D3ADLiN3@box:~# yara rules 1005.exe -> Armadillo
D3ADLiN3@box:~# yara rules dog1.exe -> UPX
D3ADLiN3@box:~# yara rules dog2.exe -> Nothing Found
D3ADLiN3@box:~# yara rules dogarp.exe -> DecodedIframe
D3ADLiN3@box:~# yara rules han.exe -> Armadillo

We can see one of the files is packed with UPX; we can unpack this file and analyse the original:

D3ADLiN3@box:~# upx -d dog1.exe -o dog1_unpacked.exe

              Ultimate Packer for eXecutables
                 Copyright (C) 1996 - 2010
UPX 3.05        Markus Oberhumer, Laszlo Molnar & John Reiser   Apr 27th 2010

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     23552 ->     11264   47.83%    win32/pe     dog1_unpacked.exe

Unpacked 1 file.

D3ADLiN3@box:~# packer.py dog1_unpacked.exe -> Nothing Found
D3ADLiN3@box:~# yara rules dog1_unpacked.exe -> Nothing Found
D3ADLiN3@box:~# clamscan dog1_unpacked.exe
dog1_unpacked.exe: OK

(I'm not going to reverse these files today.)

So without even running or debugging the file, we can see a number of features of this Downloader, and of the further Malware it is configured to download.

What did the Malware author do wrong?
The Malware author made no attempt at crypting, packing or obfuscating the Downloader or its settings. To make things more difficult, the Malware author should have encrypted the registry keys, process names and URLs, obfuscated the module names, encrypted the config file, and crypted and/or packed the actual executable.