Thursday, December 27, 2012

Disclosure of another 0day malware - Update and Additional Information

First I will give an overview of the current AV detection rates, almost 2 weeks after publishing the MD5 hashes of this malware. I will also release the samples, so you can analyze them yourself if you are interested. Then I show the statuses of the (known) Servers involved in this threat, together with their directory listings. Next, I try to shed some light on the origin of this malware. Finally I provide a brief analysis of an older version of this malicious software (thanks Artem for providing the sample!). This older version is mentioned in the following reports:

https://www.symantec.com/security_response/writeup.jsp?docid=2011-090714-2907-99&tabid=2
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FSukwidon.A
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=622012


Detection rates

Now that all malware samples have been uploaded to VirusTotal, here are the current detection rates:

Initial Dropper
Sample: sample.dll
MD5: D4E99548832B6999F00E8D223C6FABBD
https://www.virustotal.com/file/d5debe5d88e76a409b9bc3f69a02a7497d333934d66f6aaa30eb22e45b81a9ab/analysis/1356639455/
Detection ratio: 28/46

Downloader
Sample: netids.dll
MD5: CCAB60D3B6AA5FA0C23A5AE59EABCF54
https://www.virustotal.com/file/4a9efdfa479c8092fefee182eb7d285de23340e29e6966f1a7302a76503799a2/analysis/1356639377/
Detection ratio: 29/46

2nd Dropper
Sample: msmvs.exe
MD5: 66F368CAB3D5E64475A91F636C87AF15
https://www.virustotal.com/file/e8ac9acc6fa3283276bbb77cff2b54d963066659b65e48cd8803a2007839af25/analysis/1356639177/
Detection ratio: 22/46

3rd Dropper
Sample: conhost.dll
MD5: F1704AAF08CD66A2AC6CF8810C9E07C2
https://www.virustotal.com/file/74bdd9c250b0f4f27c0ecfeca967f53b35265c785d67406cc5e981a807d741bd/analysis/1356638799/
Detection ratio: 19/46

Final Payload
Sample: netui.dll
MD5: AA3E6AF90C144112A1AD0C19BDF873FF
https://www.virustotal.com/file/4536650c9c5e5e1bb57d9bedf7f9a543d6f09addf857f0d802fb64e437b6844a/analysis/1356639260/
Detection ratio: 14/46

You can find the (decrypted) samples on Kernelmode.info: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2308


Server statuses

The older malware variant contacts a Server (70.85.221.10) which is still online and responding. Together with the first 2 Servers of my analysis (Parts 1-3), we have 3 Servers in total, with the following statuses (and bruteforced directory listings):

200.106.145.122:
This was the Server from which the final Payload of my analysis (staged in 2 Droppers) was downloaded.

Status: Down

200.74.244.118:
This is the Server to which the final Payload of my analysis uploads the (encrypted) information it has gathered.

Status: Online and responding
Directory listing:
/~dr/
/~mk/
/~rpc/
/~aaxx/
/~agvn/
/~aman/
/~bint/
/~ckhp/
/~fact/
/~gale/
/~loox/
/~maxx/
/~mkrp/
/~pick/
/~qane/
/~qmbv/
/~rbtk/
/~rimm/
/~root/
/~sbts/
/~song/
/~take/
/~tamy/
/~tset/
/~wong/
/~ytak/
/~zwxc/
/~mailnull/
/~operator/
/cgi-bin/
/error/
/error/include/
/icons/

70.85.221.10:
This is the Server of the older version of this malware (see below).

Status: Online and responding
Directory listing:
/~baq/
/~alex/
/~aspn/
/~avmk/
/~bard/
/~blxk/
/~book/
/~crpc/
/~ford/
/~loxx/
/~maxx/
/~mntp/
/~pisk/
/~root/
/~svtq/
/~tomy/
/~xpcs/
/~yopo/
/~zomo/
/~mailnull/
/~operator/
/cgi-bin/
/error/
/error/include/
/icons/

We know that the directory a given malware sample contacts is hardcoded into that sample (e.g. "/~bint/" -> see Part 3). We also see that the directory names used consist of 2 to 4 characters following the "~" character. I think the directories "/~mailnull/" and "/~operator/" are used by the attacker for other purposes. So we have in total 27 (200.74.244.118) + 19 (70.85.221.10) = 46 malware samples from these 2 (known!) Servers. Considering the purpose (information gathering, keylogging, ...) and the Exploits used by the older sample (see https://www.symantec.com/security_response/writeup.jsp?docid=2011-090714-2907-99&tabid=2 -> CVE-2009-3129, CVE-2010-3333), I would claim this malware was and still is used for targeted attacks. Unfortunately I am unable to do any further analysis (who are the victims?), since I am not working for an AV company.
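The naming pattern above (a 2 to 4 character user directory, hardcoded per sample) combines with the decrypted URL format string of the older downloader, "http://%s/~%s/cgi-bin/%s.cgi?%s", into a usable proxy-log detection. The following is an added example written for this post, not code from the original article: it classifies requests whose path fits that template, treating the three Server addresses from the post as known C2 hosts and any other host with the same URL shape as worth a look. The log line format, the client addresses, the cgi script names and the query strings are constructed for the example; only the host addresses and the "aspn"/"sptr" strings come from the post.

```python
import re
from urllib.parse import urlsplit

# C2 servers named in the post (values from the page).
KNOWN_C2_HOSTS = {"200.106.145.122", "200.74.244.118", "70.85.221.10"}

# Decrypted format string of the older downloader: http://%s/~%s/cgi-bin/%s.cgi?%s
# The per-sample user directory is 2 to 4 characters long (see the listings above);
# the cgi script name and the query format are left open, since the post does not fix them.
C2_PATH_RE = re.compile(r"^/~([A-Za-z0-9]{2,4})/cgi-bin/([A-Za-z0-9_]+)\.cgi$")


def classify_url(url):
    """Return (verdict, detail) where verdict is 'c2', 'suspicious' or 'benign'.

    'c2' means the URL shape matches and the host is one of the known servers;
    'suspicious' means the shape matches on an unknown host (a new server or a
    new sample); 'benign' means the path does not fit the template at all.
    """
    parts = urlsplit(url)
    match = C2_PATH_RE.match(parts.path)
    if not match:
        return "benign", None
    user_dir, script = match.groups()
    detail = {"host": parts.hostname, "user_dir": user_dir,
              "script": script, "query": parts.query}
    if parts.hostname in KNOWN_C2_HOSTS:
        return "c2", detail
    return "suspicious", detail


def scan_proxy_log(lines):
    """Scan constructed proxy log lines of the form
    '<epoch> <client-ip> <method> <url> <status>' and collect non-benign requests."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip it
        ts, client, _method, url, _status = fields[:5]
        verdict, detail = classify_url(url)
        if verdict != "benign":
            hits.append({"ts": ts, "client": client, "verdict": verdict, **detail})
    return hits


# Constructed sample log (not real traffic); the first URL reuses the user
# directory "aspn" and the string "sptr" from the decrypted string list of the
# older sample, the pairing of the two is an assumption for the example.
SAMPLE_LOG = [
    "1356639455 10.0.0.7 GET http://70.85.221.10/~aspn/cgi-bin/sptr.cgi?dll:00000000 200",
    "1356639460 10.0.0.7 GET http://www.example.com/index.html 200",
    "1356639470 10.0.0.9 GET http://203.0.113.5/~bint/cgi-bin/brvc.cgi?U 200",
    "1356639480 10.0.0.9 GET http://www.example.com/~longusername/cgi-bin/x.cgi?y 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The fourth sample line shows why the length restriction matters: a normal "/~username/cgi-bin/" URL on a shared web host does not fire, while the same shape with a 2 to 4 character directory on an unknown host is reported as suspicious so that a new Server or a new sample can be picked up without knowing its address in advance.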


Malware origin

From the older sample's Server address I gathered some information via whois requests and Google searches. It looks like the malware's author speaks Russian, and the personal data he used suggests he is from Georgia. Of course this is just speculation, since hard facts are not available. But we should keep in mind that most quality malware comes from the Russian Federation and its ex-Soviet allies, that's a fact! :-)

The author registered a couple of domains (some are still up), always with the same personal data:

"...
Registrant Name:Sofy T Gavashelishvili
Registrant Organization:
Registrant Street1:prospekt Revolucii, d.14
Registrant Street2:
Registrant Street3:
Registrant City:selo Elizavetovka
Registrant State/Province:AL
Registrant Postal Code:396446
Registrant Country:RU
Registrant Phone:+7.9645646929
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:sofy.gavashelishvili@gmail.com
..."

This person owns or owned the following domains:

Still up:
hothookup.net
junlper.net
Helpmicrosoft.net

Down:
windous.kz
sunmicrosystem.info
sweetcherry.org
Wind0ws.kz
sex-toy-shop.org

Since the whois information of his newer domains (200.74.244.118 and 200.74.244.118 -> see Part 1+2 in Appendix) left no public traces, I consider these domains as something from his past.


Older Malware Variant

Since this older variant uses various techniques already seen in the newer one, I will only show some notable parts.

Downloader
Sample: sample.dll
Size: 12.288 Bytes
Timestamp: 01.12.2010 07:16:04
MD5: 9e4817f7bf36a61b363e0911cc0f08b9
https://www.virustotal.com/file/9E4817F7BF36A61B363E0911CC0F08B9/analysis/

Decrypted strings:

n%D,3
GetProcAddress
LoadLibraryA
Sleep
KERNEL32.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
__CxxFrameHandler
_EH_prolog
MSVCRT.dll
free
_initterm
malloc
_adjust_fdiv
dll.dll
Init1
Started
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
%.2x%.2x%.2x%.2x%_%s
brvc
sptr
http://%s/~%s/cgi-bin/%s.cgi?%s
msmvs.exe
dll:%.8x
ins:%.8x
netui.dll
aspn
70.85.221.10
kernel32.dll
GetProcessHeap
WaitForSingleObject
SetErrorMode
HeapFree
HeapAlloc
lstrlenA
CloseHandle
WriteFile
GetTempPathA
CreateFileA
GetLastError
DeleteFileA
Sleep
CreateThread
MultiByteToWideChar
WideCharToMultiByte
SetCurrentDirectoryA
CreateProcessA
GetVolumeInformationA
msvcrt.dll
memset
memcpy
strchr
sprintf
strstr
wcsstr
user32.dll
SetForegroundWindow
GetForegroundWindow
ole32.dll
CoInitialize
CoUninitialize
CoCreateInstance
oleaut32.dll
SysAllocString
SysFreeString
SafeArrayCreateVector
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayDestroy

First of all we can see that there are 10 "NOP" instructions between some code blocks. The purpose of these NOPs is unknown to me; maybe it has something to do with the Exploits used (see above). Another idea is that they are meant to fool AV signatures and prevent detection (maybe in other variants these NOPs are replaced by garbage code).

Figure 1: NOP instructions between a couple of code blocks

This variant from 2010 also uses the Anti (AV) Emulation technique as described in my previous articles:

mov     [ebp+var_24], 54AF97E1h
movd    mm0, [ebp+var_24]
pslld   mm0, 2
movd    [ebp+var_24], mm0

The only system information it collects is the Volume Serial Number, which it uses to build the following string that is later sent to the Server:

<VolumeSerialNumber>_U

The most interesting part is the network communication with the Server. The malware uses a technique which was unknown to me, but it turned out to be a very old method: it uses COM (Component Object Model) to create an invisible instance of Internet Explorer (iexplore.exe).

Figure 2: "Invisible" Internet Explorer process

This way it doesn't have to use suspicious API functions (Socket, WinInet or URLMon API functions), but can reach the same goal by calling the IWebBrowser2 interface functions instead. Additionally, on most workstations Internet Explorer is a trusted process in desktop firewall rules. The drawback of this method is, for example, that when Internet Explorer is not the default browser a window pops up asking to make it the default. There are also other situations where a window can pop up and thus reveal the malware's presence. The technique of using Internet Explorer via COM is described in Nick Harbour's excellent article:

https://www.mandiant.com/blog/reversing-malware-command-control-sockets/ -> Controlling Internet Explorer with COM
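From the defender's side, the COM-launched Internet Explorer described above leaves a different process-creation footprint than a browser the user opened. The following is an added example written for this post, not code from the original article or from the referenced Mandiant post: it walks over Sysmon-style process-creation and network-connection events, flags iexplore.exe instances that look COM-activated, and escalates the alert when that process connects to one of the Server addresses from the post. The heuristic for "COM-activated" (parent is a svchost.exe instance acting as DCOM launcher, or "-Embedding" on the command line) is an assumption of the example and not something the post states, and all events, paths and process ids are constructed.

```python
# Known C2 servers from the post (values from the page).
KNOWN_C2_HOSTS = {"200.106.145.122", "200.74.244.118", "70.85.221.10"}


def is_com_activated_ie(event):
    """Heuristic (assumption, not from the post): an out-of-process COM server such as
    InternetExplorer.Application is started by the DCOM launcher (a svchost.exe
    instance) with '-Embedding' on its command line, whereas a browser started by
    the user has explorer.exe as parent and no such switch."""
    if event["type"] != "ProcessCreate":
        return False
    if not event["Image"].lower().endswith("\\iexplore.exe"):
        return False
    parent = event["ParentImage"].lower()
    return ("-embedding" in event["CommandLine"].lower()
            or parent.endswith("\\svchost.exe"))


def correlate(events):
    """One alert per COM-activated iexplore.exe, escalated to 'high' when the same
    process later connects to a known C2 server. Otherwise it stays 'medium',
    because legitimate automation (scripts, office add-ins) also drives IE via COM."""
    alerts = {}
    for ev in events:
        if is_com_activated_ie(ev):
            alerts[ev["ProcessId"]] = {"pid": ev["ProcessId"], "severity": "medium",
                                       "reason": "iexplore.exe activated via COM",
                                       "c2": None}
        elif ev["type"] == "NetworkConnect" and ev["ProcessId"] in alerts:
            if ev["DestinationIp"] in KNOWN_C2_HOSTS:
                alert = alerts[ev["ProcessId"]]
                alert["severity"] = "high"
                alert["c2"] = ev["DestinationIp"]
    return sorted(alerts.values(), key=lambda a: a["pid"])


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed Sysmon-style events (not real telemetry). PID 1200 is a browser the
# user opened, 1344 is COM-activated and talks to a known Server, 1500 is
# COM-activated but only reaches an unrelated address.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "ProcessId": 1200, "Image": IE,
     "CommandLine": f'"{IE}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "ProcessId": 1344, "Image": IE,
     "CommandLine": f'"{IE}" -Embedding',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"type": "NetworkConnect", "ProcessId": 1200,
     "DestinationIp": "198.51.100.20", "DestinationPort": 80},
    {"type": "NetworkConnect", "ProcessId": 1344,
     "DestinationIp": "70.85.221.10", "DestinationPort": 80},
    {"type": "ProcessCreate", "ProcessId": 1500, "Image": IE,
     "CommandLine": f'"{IE}" -Embedding',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"type": "NetworkConnect", "ProcessId": 1500,
     "DestinationIp": "198.51.100.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Because the malware deliberately hides behind a trusted browser process, a firewall rule alone will not catch it; tying the launch context of iexplore.exe to its later connections is what separates the invisible instance from the user's own browsing, and the known Server addresses are only the escalation step, not the base rule.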

The purpose of this older variant is to download the file "msmvs.exe" from the Server and execute it. So it is similar to the newer variant, except that it isn't encapsulated in a Dropper.

The End (finally!!)

3 comments:

  1. I think I might have asked before - Don't suppose you saved a copy of those files on the open server and would be willing to share with other security researchers?

    Nice write-up :)

  2. You can find all the samples here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2308&hilit=0day
