Thursday, December 27, 2012

Disclosure of another 0day malware - Update and Additional Information

At first I will provide an overview of the current AV detection rates, almost 2 weeks after publishing the MD5 hashes of this malware. I will also release the samples, so you can analyze them yourself if you are interested. Thereafter I show the statuses of the (known) servers involved in this threat and give the directory listings. Next, I try to shed some light on the origin of this malware. Finally, I will provide a brief analysis of an older version of this malicious software (thanks Artem for providing the sample!). This older version is mentioned in the following reports:


Sunday, December 16, 2012

Disclosure of another 0day malware - Analysis of the final Payload (Part 3)

In the last Part of this series I partly analyzed the final Payload. I haven't finished the analysis of the malware due to lack of time (and interest), but I will provide as much information as I have discovered. It looks like this malware is a classic spying tool (information gathering), but it would be interesting to know who the attacker is and who the victims are. Unfortunately I have no way to reveal the identity of either, and speculation is not possible either, given the lack of any hints.
The final Payload also wasn't uploaded to VirusTotal, so the detection rates are presumably very low.

Final Payload
Sample: netui.dll
Size: 37.376 Bytes
Timestamp: 09.06.2012 12:27:19
MD5: AA3E6AF90C144112A1AD0C19BDF873FF

We start by examining the Export functions of this .dll.


Saturday, December 15, 2012

Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2)

In the second Part of this series we analyze the downloaded file (2nd Dropper) and the dropped file (3rd Dropper). At the time of this analysis the files had not been uploaded to VirusTotal, so I guess the detection rates are very low, if any.

2nd Dropper
Sample: msmvs.exe
Size: 80.388 Bytes
Timestamp: 25.07.2012 06:51:13
MD5: 66F368CAB3D5E64475A91F636C87AF15

3rd Dropper
Sample: conhost.dll
Size: 62.976 Bytes
Timestamp: 25.09.2012 08:23:13
MD5: F1704AAF08CD66A2AC6CF8810C9E07C2


Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1)

In this series I have analyzed an interesting malware that combines various techniques I haven't seen before. Part 1 of this series deals with the initial Dropper and the Downloader which both come in the form of a Dynamic Link Library (.dll). The initial Dropper drops and executes the Downloader (netids.dll). Part 2 deals with the downloaded file, which is just another Dropper (msmvs.exe). This Dropper drops a .dll (conhost.dll) which in turn drops the final Payload (also .dll). Part 3 deals with the final Payload (netui.dll). Note: Due to lack of time (and interest), I haven't completely analyzed the final Payload.

Figure 1: Overview of the malware components

I don't know how the initial Dropper will be delivered to the victim, because a .dll somehow has to be loaded (Export function call, rundll32.exe, ...). Some reports on ThreatExpert indicate that the Dropper is executed with the help of an exploit (Adobe Acrobat, Microsoft Word): (Note: Sometimes ThreatExpert doesn't work)

Maybe the malware is used for a targeted attack in a spear-phishing campaign. I have also found a Symantec report from 2011 mentioning some behaviours of the .dll, but it seems the one I have analyzed is a newer version of the malware family:

What makes this malware interesting:
- It makes use of an unknown (AV) Anti-Emulation technique
- Contains Anti-Debugging and Anti-Reversing techniques
- Suspicious strings and the payloads are encrypted
- Suspicious Windows API functions are dynamically resolved
- Downloader and final Payload are (also) implemented as a Windows Service
- Uses multiple encryption techniques (e.g. RC5/6)
- Uses the "Common Gateway Interface" (cgi) for data transfers
- Supports Unicode encoding


Tuesday, September 11, 2012

Disclosure of an interesting Botnet - The Server (Part 2)

So let's try to shed light onto the C&C server.

At first I want again to thank Chae Jong Bin! With his brief network analysis of this botnet, he gave me a solid background.

The first thing you notice when visiting the server is that directory listing is enabled. This gives us the chance to explore files and folders.
There are a lot of PHP scripts, 3 .dat files and 3 subfolders.

Figure 1: Directory Listing of ".com/.info" unit

Monday, September 10, 2012

Disclosure of an interesting Botnet - The Executable (Part 1)

While searching for another interesting malware sample I came across a brief description from Chae Jong Bin of a yet unknown botnet. So thanks to him!
I took a quick look into the executable and decided to do further analysis, because the Bot is implemented as a Windows Service and I haven't analyzed such an executable before.

The first part of this analysis is about the "Static and Dynamic Analysis" of the executable. Tools used are HxD Hexeditor, MiTeC EXE Explorer, OllyDbg, IDA Pro, Process Explorer and Wireshark. The second part deals with the C&C server(s) and their contents.
What's remarkable is the Bot's very small size of just 12 KByte. A few months ago the CSIS Security Group A/S discovered the "World's smallest trojan-banker" and it had a size of 20 KByte, so... :-)

Sample: telnet.exe
Size: 12.288 Bytes
MD5: 44AD16455EFC3051FD00FE73E3BB7E40


Monday, August 20, 2012

The case of the gethostbyname() exception

While analyzing a malicious bot in OllyDbg (1.10) on my Windows XP SP3 Virtual Machine, I came across an odd exception (0x000006B0) which always occurred when trying to step over the Windows API function "gethostbyname()". Every time, OllyDbg ended up in kernel32.dll after calling RtlRaiseException() (ntdll.dll). Because a search on Google didn't give me any answers, I decided to find the cause on my own and hopefully solve the problem.

Figure 1: gethostbyname() exception

Saturday, August 11, 2012

Dropper of kernel-mode stealer

While searching for some interesting, unknown malware samples I came across a report that caught my attention (
The malware has a user-mode and a kernel-mode component and looks like a legitimate program at first (.sys + .inf files). By typing one of the created registry entries (NdisrdMP.ndi) into the search mask I discovered several reports of earlier (and also widely detected) versions of this family. Looking at the dates, the first uploaded sample is from 2009, so this malware family has been in use at least since then.
Unfortunately I had no access to the ThreatExpert database, so I contacted rkhunter from to ask if he could provide me a copy. So thanks go to him!

This paper is about the Static Analysis of the Dropper of this malware. You can find the rest of the analysis (Kernel-mode Payload + Additional Components) on rkhunter's blog at

Whitepaper download: