Thursday, May 27, 2010

A Trip Down Memory Lane with Torpig, part 1


A Trip Down Memory Lane with Mebroot/Torpig


Perpetual Horizon Security Research

These notes describe a basic analysis of a Mebroot/Torpig infection through a memory dump and live observation. This particular Mebroot/Torpig infection took place in February 2010, and the box also contained some type of adware that may pollute the results a bit. I am very interested in any comments or suggestions about this process, and hope that the results of this analysis may be useful in some way to increase detection or prevention, or at least raise some awareness. Plus, I think memory analysis is very interesting.

I want to dig much deeper into the memory dump analysis but have been unable to spend the time required. In the meantime, the blog sat dormant. Therefore, this entry shall be part I; I intend part II to cover the memory analysis in more depth.

As far as I am aware, a Torpig infection starts with the vulnerable system being 0wned via a drive-by from the Neosploit exploit kit. Neosploit pushes Mebroot, which then reboots the system, infects the boot sector and activates Torpig. Apparently Mebroot can be extended to use something other than Torpig, but I've not heard of that happening. Perhaps people who work with anti-malware organizations full time would have more insight. Much detailed info has been published elsewhere; see the references section if needed.

A Torpig infection creates temporary files (with the system and hidden attributes) that can be enumerated in a variety of ways, the easiest of which is to use the DOS ATTRIB command in the Windows\Temp directory on the infected box. The files in this case are as follows:

C:\Windows\Temp\$$$dq3e
C:\Windows\Temp\$67we.$

From the variety of published public research on Torpig, I determined that one file apparently holds the config (the targeted bank and institution websites whose traffic is to be sniffed and whose information is to be stolen) and the other file contains the data stolen from the box. These two files, plus a third file, $$yt7$$, have been discussed on various public forums as being related to Torpig. Other files may show up. Some time back, the Torpig victim (stolen data) file was in clear text and could be easily read, but now it is encrypted or encoded in some manner. I believe this topic has been discussed elsewhere.

Using Process Monitor, I saw that services.exe had handles to these two temporary files, so I created a memory dump with windd and analyzed it with Mandiant's Memoryze tool. I enumerated the strings and other data from the services.exe process to obtain more insight into Torpig. Memoryze and Volatility seem to be the prime freeware memory analysis tools, although one can also use WinDbg with a Microsoft crash dump file (or a raw memory dump converted by Volatility into an MS crash dump file). I haven't yet standardized on the toolkit I wish to use. I like the open source nature of Volatility, the community around it, and the various plugins available. While Volatility is nice, some wanting to explore this area may enjoy the use of Mandiant's Memoryze and their Audit Viewer GUI instead.

The temp file that contains the Torpig configuration can be decoded, but one can also analyze memory strings, which clearly show the Torpig targets, generally the URLs the malware cares about in order to steal credentials. These can be a bit jumbled up, but shouldn't be too hard to pick out.

Any data pulled from memory will be in BOLD. A sample of the torpig config pulled from memory is as follows:

policecredit.com.au/easyaccess
tradingdirect.com
ine.com *acces
businesscreditcardsonline.co.uk
marfinegnatiabank.gr
*berkshire
millenniumbank.gr
lonline.com *b
centralbank.gov.cy
r.org *ccbank
bankofcyprus.com
ankonline.com *
universalbank.com.cy
keystoneonl
citibankonline.ca
om *fnbaonline
capitalonebank.com
cbusa.com *ce
nationalcity.com
onalcm.com *cnb

Including some targets that I didn't expect:

/controlpanel r57shell.php c99shell

Whoever is behind this particular Torpig install cares about people logging into r57 and c99 PHP shells. I suppose if the intention is to infect as much as possible, or to find drop space, I can see why they might want this info. If anyone is aware of the specifics of what they do with these shells, I'd be curious to know.

Other strings indicate potentially useful information:

IP address 72.51.34.52

A Google search for this IP turns up a variety of Torpig-related hits, including some discussion on the Emerging Threats signatures discussion forum. According to some records, there are 31 websites hosted on that IP, as follows (some of these are clearly stale records):

http://creativeeyemediagroup.com/
http://discdevils.com/
http://farringtonelectricinc.com/
http://gavod.com/
http://key-east.com/
http://lawnbarbernj.com/
http://monmouthbeachnj.com/
http://ns1.key-east.net/
http://ns2.key-east.net/
http://pornojim.com/
http://rs-trim.com/
http://sk8town.net/
http://surfrider-nj.org/
http://surfriderjsc.org/
http://thecmrc.org/
http://volunteerpilots.org/
http://wmediagroup.com/

I'm sure many others have looked up the site information for this IP, but here it is again:
Peer 1 Network Inc. PEER1-BLK-08 (NET-72-51-0-0-1)
                                  72.51.0.0 - 72.51.63.255
ServerBeach PEER1-SERVERBEACH-06A (NET-72-51-32-0-1)
                                  72.51.32.0 - 72.51.47.255

In the Emerging Threats mailing list entry at

http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-January/005885.html

the IPs listed after the rule below were reported as triggering Torpig alerts on this Emerging Threats rule, written by Darren Spruel (thanks and greetings to Darren):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ET TROJAN Torpig Infection Reporting"; \
    flow:established,to_server; \
    content:"POST "; depth:5; \
    content:!"|0d 0a|User-Agent\: "; \
    content:"|0d 0a|Content-Length\: 0|0d 0a|"; \
    content:"|0d 0a|Connection\: close|0d 0a|"; \
    pcre:"/^\/[0-9A-F]{16}\/[0-9A-Za-z\+\/]{100,}$/U"; \
    classtype:trojan-activity; \
    reference:url,www2.gmer.net/mbr/; \
    reference:url,www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf; \
    reference:url,doc.emergingthreats.net/2008660; \
    reference:url,offensivecomputing.net/?q=node/909; \
    reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; \
    sid:2008660; rev:6; \
)

2010-01-23 - present
     58 72.51.34.52
     60 66.135.61.80
     61 72.51.43.97

Back to memory strings. I am not sure what these are, but they looked specific; I assume they are encoded in some way:

gcroaefildi.t/E2Lgnbre=0\sye.akrudclr#fb3.syedslynn
Z*pbn.e/nieakn-p/oi.s ls=aoal[>+ tl=iiiiyhde>1

I would like to try to decode this but haven't gotten around to it yet. I would appreciate any pointers.

One thing I did before I took the memdump was to ensure that the Torpig infection came to life by browsing some financial websites from the infected box. I saw IP 66.135.61.80 being POSTed to when I sniffed the active Torpig infection. This is/was apparently a Torpig drop site.

Adjacent memory strings to the known drop site IP:

ikorki.com
kolpinik.com
pibidu.com

These .com domains were all known bad actors and were listed on various blacklists and malware lists in the last few years. I guess sewage has a way of recycling itself.

A visit to a site where my fake login info was dropped is reflected in memory - this is perhaps the Torpig log file being created, or info being prepared to be POSTed upstream. In this case, the IP address has been removed from the dump, but it was probably 66.135.61.80 if my memory serves.

The string [avorp1_251] shows up all over the services.exe memory space.

IP xxx.xx.xx.xx:
[avorp1_251]
Process: e:\program files\internet explorer\iexplore.exe
REQUEST:
HEADERS:
POST /US/JSO/signon/ProcessUsernameSignon.do HTTP/1.1
Host: online.citibank.com
Referer: https://online.citibank.com/US/JPS/portal/Index.do
POST_FORM:
SYNC_TOKEN=c4ea7aaade205da90239926136d0dcf3

AVORP1 is a string that has been associated with Torpig/Mebroot activity for months. It has been seen in site URLs such as the following:

http://safeweb.norton.com/report/show?name=tfgoyqotdve.com

The Norton SafeWeb alert "HTTP Neosploit Activity 2" is associated with the following URLs containing the string avorp1:

http://tfgoyqotdve.com/nte/avorp1.py/jU230d9c2eH5402e0a3V0100f060006R0ed7a373102T1f83e1df204L656e2d75730000000000K6e17283b

http://tfgoyqotdve.com/nte/AVORP1.py/jU230d9c2eH2468142cV0100f060006Rc670238e102T6fe91623204L656e2d75730000000000Kfd03ebcb

http://tfgoyqotdve.com/nte/avorp1%20.asp/jU230d9c2eH2305d035V0100f060006R31eee316102T6884d218204L656e2d75730000000000Kb3ce7f8b

And in the following Wepawet report:

http://wepawet.cs.ucsb.edu/view.php?type=js&hash=4ec2544c02437e9d3d25e96f419bdc06&t=1256321460

URL http://hioprxmetn.com/ld/avorp1/

MD5 4ec2544c02437e9d3d25e96f419bdc06
Analysis Started 2009-10-23 11:11:00

And more recently in the faked google.com.analytics.*.com sites.


Neosploit attacks in January 2010, as described by Julia Wolf of FireEye at http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html, show that another popular string is AVORP1TREST11.

google.com.analytics.eicyxtaecun.com/nte/AVORP1TREST11.exe
google.com.analytics.eicyxtaecun.com/nte/AVORP1TREST11.php
google.com.analytics.eicyxtaecun.com/nte/AVORP1TREST11.py

Another interesting memory string is the following:


|7E2265255714757C|00.2|avorp1|7E2265255714757C|

Not sure what the byte sequence starting with 7E is, or the 00.2 string. I would appreciate any pointers. I had contemplated that the 7E numbers were perhaps four pointers to other memory locations but that didn't appear to be the case.

A full example of what appears to be a Torpig log entry is displayed below. The IP address of the host shows up just prior to [avorp1_251], which I interpret to mean that the IP is either the end or the start of the structure. kdata may be the last field. userid and pass are two of the values that I know came from user input, as I typed the username USER and the password PASSWORD into those fields.

[avorp1_251]
https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&ru=http%3A%2F%2Fwww.ebay.com%2F
https://signin.ebay.com/ws/eBayISAPI.dll?co_partnerId=2&siteid=0&UsingSSL=1
MfcISAPICommand(hidden): SignInWelcome
bhid(hidden): a1%3D5~a2%3D7~a3%3D22145~a4%3DMozilla~a5%3DMicrosoft%20Internet%20Explorer~a6%3D4.0%20(compatible%3B%20MSIE%206.0%3B%20Windows%20NT%205.1%3B%20SV1%3B%20FunWebProducts%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.0.4506.2152%3B%20.NET%20CLR%203.5.30729)~a7%3D%3BSP3%3B~a8%3Den-us~a9%3Dtrue~a10%3Dx86~a11%3Dtrue~a12%3DWin32~a13%3Den-us~a14%3DMozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20Windows%20NT%205.1%3B%20SV1%3B%20FunWebProducts%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.0.4506.2152%3B%20.NET%20CLR%203.5.30729)~a15%3Dtrue~a16%3Den-us~a17%3Dwindows-1252~a18%3Dsignin.ebay.com~a19%3D96~a20%3D96~a21%3Dtrue~a22%3D0~a23%3D1024~a24%3D768~a25%3D32~a26%3D738~a27%3D1024~a28%3DThu%20Mar%2011%2011%3A16%3A37%20CST%202010~a29%3D-6~a30%3Dabk%3D6%2C0%2C2900%2C5512%7Cwnt%3D6%2C0%2C2900%2C5512%7Cdht%3D5%2C5000%2C3130%2C0%7Cdhj%3D6%2C0%2C1%2C223%7Cdan%3D6%2C0%2C3%2C531%7Cdsh%3D9%2C0%2C0%2C4503%7Cie5%3D6%2C0%2C2900%2C5512%7Cicw%3D5%2C0%2C2918%2C1900%7Cieh%3D6%2C0%2C2600%2C0%7Ciee%3D4%2C74%2C9273%2C0%7Cwmp%3D9%2C0%2C0%2C4503%7Cobp%3D6%2C0%2C2900%2C5512%7Coex%3D6%2C0%2C2900%2C5512%7Cnet%3D4%2C4%2C0%2C3400%7Ctks%3D4%2C71%2C1968%2C1%7Cmvm%3D5%2C0%2C5000%2C0%7C~a31%3Dyes~a32%3Dx86~a33%3Dyes~a34%3Dno~a35%3Dno~a36%3Dno~a37%3Dno~a38%3Donline~a39%3Dno~a40%3DWin32~a41%3Dno~a42%3Dno~a43%3DT%3D0|o%3D187|r%3D78|p%3D110|i%3D93|g%3D63|-%3D140|F%3D235|U%3D109|C%3D110|K%3D78|Y%3D172|O%3D109|U%3D94|
UsingSSL(hidden): 1
inputversion(hidden): 2
lse(hidden): true
lsv(hidden): WIN 9,0,124,0
mid(hidden): AQAAASccLAJFAAUxMjc0ZTNhM2I1Yy5hMDZjMjEzLjJjZmYyLmZmZTRkZTgy+wVizZSnEDRRLAVVSKpmhNQL6Yk*
kgver(hidden): 1
kgupg(hidden): 1
kgstate(hidden): w
siteid(hidden): 0
co_partnerId(hidden): 2
ru(hidden): http://www.ebay.com/
i1(hidden): -1
pageType(hidden): -1
rtmData(hidden): PS=T.0
userid(text): USER
pass(password): PASSWORD
keepMeSignInOption(checkbox): 1
kdata(hidden): %1E%1F%10%1E1268327798856%1E1%1FT%1E1268327798981%1E1%1F%10%1E1268327799027%1E0%1FT%1E1268327799121%1E0%1FO%1E1268327799168%1E1%1FO%1E1268327799246%1E0%1FR%1E1268327799246%1E1%1FP%1E1268327799356%1E1%1FR%1E1268327799371%1E0%1FI%1E1268327799449%1E1%1FP%1E1268327799465%1E0%1FG%1E1268327799512%1E1%1FI%1E1268327799527%1E0%1FG%1E1268327799621%1E0%1F%BD%1E1268327799652%1E1%1F%BD%1E1268327799746%1E0%1F%10%1E1268327799809%1E1%1FF%1E1268327799887%1E1%1FU%1E1268327799981%1E1%1FF%1E1268327800012%1E0%1FU%1E1268327800059%1E0%1FC%1E1268327800106%1E1%1FK%1E1268327800184%1E1%1FC%1E1268327800231%1E0%1FK%1E1268327800277%1E0%1FY%1E1268327800356%1E1%1FY%1E1268327800465%1E0%1FO%1E1268327800465%1E1%1FU%1E1268327800559%1E1%1FO%1E1268327800590%1E0%1F%10%1E1268327800637%1E0%1FU%1E1268327800652%1E0%1F%09%1E1268327800762%1E1%1F%09%1E1268327800856%1E0%1F%10%1E1268327801043%1E1%1FF%1E1268327801121%1E1%1FF%1E1268327801231%1E0%1FU%1E1268327801231%1E1%1FU%1E1268327801293%1E0%1FC%1E1268327801356%1E1%1FK%1E1268327801418%1E1%1FC%1E1268327801449%1E0%1FK%1E1268327801527%1E0%1FY%1E1268327801637%1E1%1FY%1E1268327801731%1E0%1FO%1E1268327801731%1E1%1FU%1E1268327801824%1E1%1FO%1E1268327801856%1E0%1FU%1E1268327801918%1E0%1F%10%1E1268327802277%1E0%1F
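Once a dump has been run through strings, pulling these records apart is a natural next step. The following is an added example, not code from the post: it splits a text dump on the [avorp1_251] marker, extracts the process path, request line, headers, form body and the name(type): value fields from each record, and flags the password and text inputs as leaked credentials. The sample input is constructed from the two records shown above, using a documentation IP (192.0.2.10) and the placeholder values USER and PASSWORD; fields the post does not explain (kdata, for instance) are carried through uninterpreted.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample text modelled on the two [avorp1_251] records above. Hosts,
# paths and field names are the ones shown in the post; 192.0.2.10 is an RFC 5737
# documentation address and USER/PASSWORD are the placeholder values typed in.
TORPIG_LOG_SAMPLE = (
    "IP 192.0.2.10:\n"
    "[avorp1_251]\n"
    "Process: e:\\program files\\internet explorer\\iexplore.exe\n"
    "REQUEST:\n"
    "HEADERS:\n"
    "POST /US/JSO/signon/ProcessUsernameSignon.do HTTP/1.1\n"
    "Host: online.citibank.com\n"
    "Referer: https://online.citibank.com/US/JPS/portal/Index.do\n"
    "POST_FORM:\n"
    "SYNC_TOKEN=c4ea7aaade205da90239926136d0dcf3\n"
    "[avorp1_251]\n"
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&ru=http%3A%2F%2Fwww.ebay.com%2F\n"
    "MfcISAPICommand(hidden): SignInWelcome\n"
    "UsingSSL(hidden): 1\n"
    "userid(text): USER\n"
    "pass(password): PASSWORD\n"
    "keepMeSignInOption(checkbox): 1\n"
    "kdata(hidden): %1E%1F%10%1E1268327798856%1E1%1F\n"
)

MARKER = "[avorp1_251]"
FIELD_RE = re.compile(r"^(?P<name>[\w.-]+)\((?P<type>\w+)\):\s?(?P<value>.*)$")  # name(type): value
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z-]+):\s(?P<value>.*)$")                 # Host: value
FORM_RE = re.compile(r"^(?P<name>[\w.-]+)=(?P<value>.*)$")                         # key=value body
REQUEST_RE = re.compile(r"^(GET|POST) \S+ HTTP/1\.[01]$")
SECTION_LABELS = {"REQUEST:", "HEADERS:", "POST_FORM:"}


def parse_record(chunk: str) -> Dict:
    """Classify each line following one marker into the structures the record
    shows: process path, URLs, request line, headers, form body, typed fields."""
    rec: Dict = {"process": None, "urls": [], "request_line": None,
                 "headers": {}, "form": {}, "fields": [], "other": []}
    for raw in chunk.splitlines():
        line = raw.strip()
        if not line or line in SECTION_LABELS:
            continue
        if line.startswith("Process: "):
            rec["process"] = line[len("Process: "):]
        elif line.startswith(("http://", "https://")):
            rec["urls"].append(line)
        elif REQUEST_RE.match(line):
            rec["request_line"] = line
        elif (m := FIELD_RE.match(line)):
            rec["fields"].append((m["name"], m["type"], m["value"]))
        elif (m := HEADER_RE.match(line)):
            rec["headers"][m["name"]] = m["value"]
        elif (m := FORM_RE.match(line)):
            rec["form"][m["name"]] = m["value"]
        else:
            rec["other"].append(line)   # keep anything unrecognised for manual review
    return rec


def split_records(text: str) -> List[Dict]:
    """Split a strings-style dump on the marker. Whatever precedes the first
    marker (the 'IP x.x.x.x:' line the post notes sits just before it) is kept
    as the first record's preamble."""
    parts = text.split(MARKER)
    records = [parse_record(chunk) for chunk in parts[1:]]
    if records:
        records[0]["preamble"] = parts[0].strip()
    return records


def target_host(rec: Dict) -> Optional[str]:
    """Site the victim was logging into: the Host header if present, otherwise
    the hostname of the first captured URL."""
    if "Host" in rec["headers"]:
        return rec["headers"]["Host"]
    for url in rec["urls"]:
        return urlsplit(url).hostname
    return None


def credential_fields(rec: Dict) -> List[Tuple[str, str]]:
    """Fields a responder would treat as leaked credentials: password-typed
    inputs plus text inputs (where the username was typed)."""
    return [(name, value) for name, ftype, value in rec["fields"]
            if ftype in ("password", "text")]


def summarize(text: str) -> List[Dict]:
    """One row per record: target site, originating process, leaked fields."""
    return [{"host": target_host(r), "process": r["process"],
             "credentials": credential_fields(r)} for r in split_records(text)]


if __name__ == "__main__":
    for row in summarize(TORPIG_LOG_SAMPLE):
        print(row)
```

The summary is what you would hand to the account owners and the bank's fraud desk: which site, which process on the host, and which fields left the box. Anything the classifier does not recognise lands in "other" rather than being dropped, so an unfamiliar record layout is visible rather than silently lost.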

Other interesting strings interspersed between Torpig/Mebroot structures:

DRIVERS\RDPCDD.sys
INDOWS\System32\DRIVERS\rdpdr.sys
INDOWS\system32\sessmgr.exe

While it may be unrelated, these remote desktop drivers make me wonder about a remote desktop (RDP) connection associated with Mebroot/Torpig. I have noticed that a Torpig infection seems to copy the infected user's profile over to the HelpAssistant user. It would be an interesting experiment to see who might log in via RDP to such a system using this account in order to steal data. I did not reverse engineer the process enough to determine what the password on the HelpAssistant account might be, but I suspect that it is static or built in some other manner that would be easy for the attackers to utilize.

Memory string matching the HTTP POST with no User-Agent seen during sniffing of Torpig/Mebroot activity:

www.google.com
Date:
Content-Type: text/plain
Content-Type: application/x-www-form-urlencoded
Content-Type: application/octet-stream
POST %s HTTP/1.0
Host: %s
Content-Length: %d
Connection: close

An interesting tidbit here is that there is no User-Agent string present, which makes for an IDS signature. I think there may even be an Emerging Threats signature that looks for this.
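The Emerging Threats rule quoted earlier (sid:2008660) keys on exactly this absence, together with the empty body and the report carried in the URI. Below is its matching logic rewritten in Python as an added example, not part of the post and not Snort code, so that each rule option can be checked against captured requests one at a time. The sample requests are constructed: the first follows the User-Agent-less POST template found in memory above, the second is an ordinary browser POST with a User-Agent header, and the third is a bare "POST / HTTP/1.0" of the kind also seen in memory, which the pcre rejects because the URI carries no payload.

```python
import re
from typing import List

# Reimplementation of Emerging Threats rule sid:2008660 rev:6 (quoted earlier in
# the post) as plain Python checks on captured HTTP requests. Added example,
# not Snort and not the rule's own code.

# The rule's pcre; its /U modifier means it runs over the normalised URI only.
TORPIG_URI_RE = re.compile(r"^/[0-9A-F]{16}/[0-9A-Za-z+/]{100,}$")


def request_uri(raw: bytes) -> str:
    """Second token of the request line ('POST <uri> HTTP/1.0'), or '' if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    return parts[1].decode("latin-1") if len(parts) == 3 else ""


def matches_torpig_report(raw: bytes) -> bool:
    """True when a client-to-server request satisfies every option in the rule.
    Each line mirrors one option; matching is case sensitive, as in the rule
    (no nocase modifier)."""
    head = raw.split(b"\r\n\r\n", 1)[0] + b"\r\n"   # header block, CRLF-terminated
    return (
        raw.startswith(b"POST ")                               # content:"POST "; depth:5
        and b"\r\nUser-Agent: " not in head                    # content:!"|0d 0a|User-Agent\: "
        and b"\r\nContent-Length: 0\r\n" in head               # content:"|0d 0a|Content-Length\: 0|0d 0a|"
        and b"\r\nConnection: close\r\n" in head               # content:"|0d 0a|Connection\: close|0d 0a|"
        and TORPIG_URI_RE.match(request_uri(raw)) is not None  # pcre:"/^\/[0-9A-F]{16}\/.../U"
    )


def scan_requests(requests: List[bytes]) -> List[int]:
    """Indices of the requests that would raise the alert."""
    return [i for i, req in enumerate(requests) if matches_torpig_report(req)]


# Constructed sample traffic. The beacon follows the template found in
# services.exe memory (POST %s HTTP/1.0 / Host / Content-Length / Connection:
# close); the 16 hex characters and the 120-character tail stand in for the
# identifier and encoded report that ride in the URI.
_REPORT_PATH = "/0123456789ABCDEF/" + "Zm9vYmFy" * 15
TORPIG_BEACON = (
    f"POST {_REPORT_PATH} HTTP/1.0\r\n"
    "Host: www.google.com\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n\r\n"
).encode()

# An ordinary browser login POST: same headers, but a User-Agent is present.
BROWSER_POST = (
    "POST /US/JSO/signon/ProcessUsernameSignon.do HTTP/1.1\r\n"
    "Host: online.citibank.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n\r\n"
).encode()

# The bare POST / seen in memory: no User-Agent, but nothing in the URI either.
EMPTY_PATH_POST = (
    "POST / HTTP/1.0\r\n"
    "Host: www.google.com\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n\r\n"
).encode()


if __name__ == "__main__":
    for name, req in (("beacon", TORPIG_BEACON), ("browser", BROWSER_POST),
                      ("empty path", EMPTY_PATH_POST)):
        print(f"{name:>10}: {'ALERT' if matches_torpig_report(req) else 'ok'}")
```

Seen this way, the absence of User-Agent alone is not the discriminator; the bare POST / in memory has none either and still passes clean. It is the combination with Content-Length: 0, Connection: close and a 16-hex-character path followed by a long encoded tail that makes the signature specific.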

Another POST in memory - funky looking domain name, uxggjtcf.biz:

uxggjtcf.biz
0.0.0.0
POST / HTTP/1.0
Host: www.google.com
Content-Length: 0
Connection: close

I did not check this domain name against any of the Torpig domain name generators to see if it matched but I suspect that it would.

POST / HTTP/1.0
Host: vehdsice.com
Content-Length: 17077
Connection: close
Content-Type: application/octet-stream
xbvvgkjv.com
xbvvgkjv.com

E:\WINDOWS\system32\..\temp\xsw2

The file xsw2 has been associated with Torpig/Sinowal downloads:

http://www.threatexpert.com/report.aspx?md5=2dc3e6c8aa7dde1d5b105ff71e566b63

E:\WINDOWS\system32\..\temp\$$$dq3e


Extracting Drivers from Memory for Scanning/Analysis

Memoryze comes with a driverdd function that allows drivers to be extracted from a memory dump. Nice tool, as I gather that it will pull out in-memory trojans this way. In my case, Avira's AntiVir (being tested at the time) detected a variety of malware in several of the extracted drivers:

driverdd -input C:\Analysis\Torpig\memdump.dmp

Submitting these dumped files to VirusTotal is almost an academic exercise, as far as I can determine. Since the box is under the control of Mebroot, an antivirus scanner is never going to notice these files in the first place on a live running system, AFAIK. While there are other ways to determine infection, such as dumping the 512K mebrooted bootsector with dd and uploading that to VirusTotal, or checking for the presence of the Torpig temp files, it may also be a worthwhile exercise to develop some YARA signature rules to use with the Volatility memory analysis framework. A future exercise, but if the string [avorp1_251] is consistent, it should be easy to find with YARA. A question came up: if win32dd can dump suspicious elements from memory, why isn't there a way for an anti-malware app to do something similar? (I have spent no time checking the run-time versions of these AV tools to determine whether any catch the presence of Mebroot/Torpig in memory.)

These are some potential YARA fingerprints I whipped up - untested at this time.

rule Mebroot_Torpig
{
    strings:
        $a = "[avorp1_251]" fullword                         // log record marker seen throughout services.exe
        $b = "Temp\\$$$dq3e" fullword                         // Torpig temp file (config)
        $c = "Temp\\$67we.$" fullword                         // Torpig temp file (stolen data)
        $d = "Temp\\xsw2" fullword                            // file associated with Torpig/Sinowal downloads
        $e = "controlpanel r57shell.php c99shell" fullword   // unexpected config targets
        $f = "66.135.61.80" fullword                         // observed drop site
        $g = "72.51.34.52" fullword                          // IP found in memory strings

    condition:
        any of them
}
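To try the same indicators against a raw image without a YARA install, and to recover the adjacent strings this post pivots on (the domains next to the drop-site IP, the IP line in front of the log marker), here is an added Python scanner. It is not part of the post and not the rule above; the indicator strings are the ones the rule uses. The memory image it runs on is constructed, with the post's strings placed at known offsets and a documentation IP (192.0.2.10). The search is case-insensitive because the temp-file path shows up in the dump as lowercase temp\ while the rule text matches Temp\; in YARA the nocase modifier has the same effect.

```python
import re
from typing import Dict, List, Tuple

# Indicator strings taken from the post: the log marker, the Torpig temp files,
# the xsw2 download temp file, the unexpected config targets and the two IPs
# discussed above. Byte patterns, so the scan runs over a raw memory image.
INDICATORS: Dict[str, bytes] = {
    "avorp1_marker": b"[avorp1_251]",
    "temp_config":   b"Temp\\$$$dq3e",
    "temp_victim":   b"Temp\\$67we.$",
    "temp_xsw2":     b"Temp\\xsw2",
    "shell_probe":   b"controlpanel r57shell.php c99shell",
    "drop_site_ip":  b"66.135.61.80",
    "reported_ip":   b"72.51.34.52",
}
# Case-insensitive: the dump shows 'temp\' while the rule text has 'Temp\'.
_PATTERNS = {name: re.compile(re.escape(p), re.IGNORECASE) for name, p in INDICATORS.items()}
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # same idea as strings -n 4


def find_indicators(image: bytes) -> List[Tuple[str, int]]:
    """Every (indicator name, byte offset) hit, sorted by offset."""
    hits = [(name, m.start()) for name, rx in _PATTERNS.items() for m in rx.finditer(image)]
    return sorted(hits, key=lambda h: h[1])


def nearby_strings(image: bytes, offset: int, window: int = 64) -> List[str]:
    """Printable runs within `window` bytes either side of a hit, minus the run
    holding the hit itself. This is the 'adjacent memory strings' step the post
    uses, e.g. the domains sitting next to the drop-site IP."""
    lo, hi = max(0, offset - window), offset + window
    out = []
    for m in _PRINTABLE.finditer(image[lo:hi]):
        start, end = lo + m.start(), lo + m.end()
        if start <= offset < end:
            continue
        out.append(m.group().decode("ascii"))
    return out


def triage(image: bytes) -> Dict[str, object]:
    """'any of them' verdict plus per-hit context, the way a responder wants it."""
    hits = find_indicators(image)
    return {
        "infected": bool(hits),
        "hits": hits,
        "context": {f"{name}@{off:#x}": nearby_strings(image, off) for name, off in hits},
    }


# Constructed memory image fragment: NUL padding with the strings the post
# reports embedded at known offsets (the drop-site IP followed by the three
# domains, a lowercase temp-file path, and a log marker preceded by an IP line;
# 192.0.2.10 is an RFC 5737 documentation address).
SAMPLE_IMAGE = (
    b"\x00" * 32 + b"MZ\x90\x00" + b"\x00" * 28
    + b"66.135.61.80\x00ikorki.com\x00kolpinik.com\x00pibidu.com\x00"
    + b"\x00" * 40
    + b"E:\\WINDOWS\\system32\\..\\temp\\$$$dq3e\x00"
    + b"\x00" * 40
    + b"IP 192.0.2.10:\x00[avorp1_251]\x00Process: iexplore.exe\x00"
    + b"\x00" * 64
)


if __name__ == "__main__":
    result = triage(SAMPLE_IMAGE)
    print("infected:", result["infected"])
    for key, ctx in result["context"].items():
        print(key, "->", ctx)
```

Run against a real dump, read the file in binary and pass the bytes to triage; for a multi-gigabyte image, read it in chunks with an overlap of at least the longest indicator so a string straddling a chunk boundary is not missed. The context window is what turns a yes/no hit into a lead: the strings around the drop-site IP in this sample come back as the three domains the post lists next to it.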


Anti-malware detections from the dumped drivers
(analysis performed around the end of March, 2010)

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\Analysis\Torpig\Audits\CW-SECANALYSIS\20100327045903\%5cSystemRoot%5cSystem32%5cDrivers%5cRDPWD.SYS.

VirusTotal: 7 out of 42 detected.
http://www.virustotal.com/analisis/c509d9f073d55179b78f2ebfc1d891478bbae75183d39d6dca0f1b0340beff36-1269917250

AntiVir 7.10.5.248 2010.03.29 TR/Rootkit.Gen
AVG 9.0.0.787 2010.03.29 Generic17.AHIQ
K7AntiVirus 7.10.1004 2010.03.22 Trojan-Downloader.Win32.Bagle
McAfee-GW-Edition 6.8.5 2010.03.29 Trojan.Rootkit.Gen
PCTools 7.0.3.5 2010.03.30 HeurEngine.Packed-Verne
Symantec 20091.2.0.41 2010.03.30 Packed.Generic.99

In this and many of the other samples, generic signatures fired, the exception being K7AntiVirus, which identifies this as a Win32.Bagle downloader.

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\Analysis\Torpig\Audits\CW-SECANALYSIS\20100327045903\%5cSystemRoot%5cSystem32%5cDRIVERS%5cflpydisk.sys.

http://www.virustotal.com/analisis/ceca1b0668bef28ec09a9afe4c3d66a25bd29cda2fad56444a689b89269bdeab-1269917678

Result: 7/42 (16.67%)

AntiVir 7.10.5.248 2010.03.29 TR/Rootkit.Gen
AVG 9.0.0.787 2010.03.29 Generic17.AHIQ
K7AntiVirus 7.10.1004 2010.03.22 Trojan-Downloader.Win32.Bagle
McAfee-GW-Edition 6.8.5 2010.03.29 Trojan.Rootkit.Gen
PCTools 7.0.3.5 2010.03.30 HeurEngine.Packed-Verne
Symantec 20091.2.0.41 2010.03.30 Packed.Generic.99

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\Analysis\Torpig\Audits\CW-SECANALYSIS\20100327045903\%5cSystemRoot%5cSystem32%5cDRIVERS%5cipnat.sys.

http://www.virustotal.com/analisis/3fa363b83419ed29e052a5de6b561bcd0185afaa401c8d81d9f699a62e597c59-1269917883

ipnat.sys is detected by fewer AV vendors; however, Sophos alerts this time.

Result: 6/39 (15.39%)

AntiVir 7.10.5.248 2010.03.29 TR/Rootkit.Gen
AVG 9.0.0.787 2010.03.29 Generic17.AHIQ
K7AntiVirus 7.10.1004 2010.03.22 Trojan-Downloader.Win32.Bagle
PCTools 7.0.3.5 2010.03.30 HeurEngine.Packed-Verne
Sophos 4.52.0 2010.03.30 Sus/Behav-192
Symantec 20091.2.0.41 2010.03.30 Packed.Generic.99


Virus or unwanted program 'TR/Rootkit.Gen [trojan]'
detected in file 'C:\Analysis\Torpig\Audits\CW-SECANALYSIS\20100327045903\%5cSystemRoot%5cSystem32%5cDRIVERS%5cmouclass.sys.

http://www.virustotal.com/analisis/6b43904b919fb26594b944125bf83926027102c64300c7d79717dccd8d36cf63-1269918061

Result: 7/42 (16.67%)

AntiVir 7.10.5.248 2010.03.29 TR/Rootkit.Gen
AVG 9.0.0.787 2010.03.29 Generic17.AHIQ
K7AntiVirus 7.10.1004 2010.03.22 Trojan-Downloader.Win32.Bagle
McAfee-GW-Edition 6.8.5 2010.03.29 Trojan.Rootkit.Gen
PCTools 7.0.3.5 2010.03.30 HeurEngine.Packed-Verne
Symantec 20091.2.0.41 2010.03.30 Packed.Generic.99


The file 'C:\Analysis\Torpig\Audits\CW-SECANALYSIS\20100327045903\%5cWINDOWS%5csystem32%5cntoskrnl.exe'
contained a virus or unwanted program 'TR/Patched.Gen' [trojan]

http://www.virustotal.com/analisis/94ecbbe8e664ba7f665079c5ea5e6258bf914815107d69f41da728b5c03f43e8-1269918286

Result: 5/42 (11.91%)

AntiVir 7.10.5.248 2010.03.29 TR/Patched.Gen
Authentium 5.2.0.5 2010.03.30 W32/Heuristic-CO3!Eldorado
F-Prot 4.5.1.85 2010.03.29 W32/Heuristic-CO3!Eldorado
McAfee-GW-Edition 6.8.5 2010.03.29 Trojan.Patched.Gen
Symantec 20091.2.0.41 2010.03.30 Suspicious.Insight


The file 'C:\Analysis\Torpig\Audits\CW-SECANALYSIS\20100327045903\ACPI.sys'
contained a virus or unwanted program 'TR/Rootkit.Gen' [trojan]

http://www.virustotal.com/analisis/c33a00799d1fb3069289a213c70b2fa832cdb3752ef8de49ba2b91d114f7f3c7-1269918439

Result: 7/42 (16.67%)

AntiVir 7.10.5.248 2010.03.29 TR/Rootkit.Gen
AVG 9.0.0.787 2010.03.29 Generic17.AHIQ
K7AntiVirus 7.10.1004 2010.03.22 Trojan-Downloader.Win32.Bagle
McAfee-GW-Edition 6.8.5 2010.03.29 Trojan.Rootkit.Gen
PCTools 7.0.3.5 2010.03.30 HeurEngine.Packed-Verne
Symantec 20091.2.0.41 2010.03.30 Packed.Generic.99


The file 'C:\Analysis\Torpig\Audits\CW-SECANALYSIS\20100327045903\MountMgr.sys'
contained a virus or unwanted program 'TR/Rootkit.Gen' [trojan]

http://www.virustotal.com/analisis/b04ba44b2d8eee62ea6d31051a8bd7b2fb8e7b3f1595353dbebe120c0e434029-1269919047

Result: 6/39 (15.39%)

AntiVir 7.10.5.248 2010.03.29 TR/Rootkit.Gen
AVG 9.0.0.787 2010.03.29 Generic17.AHIQ
K7AntiVirus 7.10.1004 2010.03.22 Trojan-Downloader.Win32.Bagle
PCTools 7.0.3.5 2010.03.30 HeurEngine.Packed-Verne
Symantec 20091.2.0.41 2010.03.30 Packed.Generic.99


Extracting the secondary loader from disk

Using dd, the last section of the infected disk was dumped to a file. The disk offset could have been determined, but in this case it was a guess, and a PE header was found therein. Foremost was used to extract the PE file as follows:

Foremost version 1.5.4 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Fri Mar 12 22:24:29 2010
Invocation: foremost -t exe -i diskdump-skip.dd -v
Output directory: /media/sdc1/Torpig/output
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: diskdump-skip.dd
Start: Fri Mar 12 22:24:29 2010
Length: 122 MB (128000000 bytes)

Num Name (bs=512)       Size File Offset Comment

0: 00232150.exe     271 KB  118860800 08/23/2005 13:10:35
Finish: Fri Mar 12 22:24:29 2010

1 FILES EXTRACTED

exe:= 1
------------------------------------------------------------------

Foremost finished at Fri Mar 12 22:24:29 2010
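The carving step foremost performed here can be reproduced in a few dozen lines, which is useful when you want to see exactly what a carver keyed on. The following is an added example, not foremost's code and not part of the post: it walks a raw image for MZ headers whose e_lfanew offset leads to a PE\0\0 signature and sizes each file from its section table. The disk-tail image it runs on is constructed: filler, a stray MZ with nothing behind it, and a synthetic one-section PE built by build_toy_pe (headers only, not something that runs).

```python
import hashlib
import struct
from typing import List, Optional, Tuple

# Added example: a minimal MZ/PE carver in the spirit of `foremost -t exe`.
# Not foremost's code. A PE is accepted when the DOS header's e_lfanew points
# at 'PE\0\0'; its length is the furthest byte covered by any section's raw data.

COFF_HDR = 24          # 'PE\0\0' signature plus IMAGE_FILE_HEADER
SECTION_HDR = 40       # one IMAGE_SECTION_HEADER
MAX_SECTIONS = 96      # PE format limit


def pe_extent(image: bytes, mz_off: int) -> Optional[int]:
    """Length of the PE file that starts at mz_off, or None if the headers do
    not form a plausible PE. Overlay data appended after the last section is
    not counted, so a carved file can be shorter than the original."""
    if image[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(image):
        return None
    (e_lfanew,) = struct.unpack_from("<I", image, mz_off + 0x3C)
    pe = mz_off + e_lfanew
    if e_lfanew > 0x1000 or pe + COFF_HDR > len(image) or image[pe:pe + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", image, pe + 6)[0]       # NumberOfSections
    size_opt = struct.unpack_from("<H", image, pe + 20)[0]       # SizeOfOptionalHeader
    if nsections == 0 or nsections > MAX_SECTIONS:
        return None
    sect = pe + COFF_HDR + size_opt                                # first section header
    end = sect + nsections * SECTION_HDR - mz_off                  # at least the headers
    for i in range(nsections):
        hdr = sect + i * SECTION_HDR
        if hdr + SECTION_HDR > len(image):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end if mz_off + end <= len(image) else None


def carve_pe_files(image: bytes) -> List[Tuple[int, bytes]]:
    """(offset, bytes) for every PE found; candidates inside a carved file are skipped."""
    found, pos = [], 0
    while (idx := image.find(b"MZ", pos)) != -1:
        length = pe_extent(image, idx)
        if length is None:
            pos = idx + 1
            continue
        found.append((idx, image[idx:idx + length]))
        pos = idx + length
    return found


def sha256_of(data: bytes) -> str:
    """Hash to look a carved file up by; VirusTotal keys its reports by hash."""
    return hashlib.sha256(data).hexdigest()


def build_toy_pe(payload: bytes) -> bytes:
    """Constructed test data: a one-section PE32 layout with valid headers but no
    entry point or imports, so the carver has something realistic to find."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    size_opt = 0xE0                                                      # PE32 optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)              # PE32 magic, rest zero
    raw_ptr = 0x200                                                      # first 512-byte boundary past the headers
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                            len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + section
    if len(headers) > raw_ptr:
        raise ValueError("headers overrun the section data offset")
    return headers + b"\0" * (raw_ptr - len(headers)) + payload


TOY_PE = build_toy_pe(b"constructed section contents, not real code")
# Constructed 'tail of disk' image: filler, a stray MZ with no PE behind it,
# the toy PE, more filler.
SAMPLE_DISK_TAIL = b"\xff" * 300 + b"MZ" + b"\x00" * 100 + TOY_PE + b"\xff" * 64


if __name__ == "__main__":
    for off, data in carve_pe_files(SAMPLE_DISK_TAIL):
        print(f"PE at offset {off}: {len(data)} bytes, sha256 {sha256_of(data)}")
```

Sizing from the section table is what lets a carver stop at the right place instead of running to the end of the dump, and it is also the reason a carved copy can differ in hash from the file the malware wrote if that file carried an overlay. Comparing the carved length with what foremost reported is a quick way to notice that.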


VirusTotal recognized this file: Result: 13/42 (30.95%)

http://www.virustotal.com/analisis/bfb6902739b9e451c4a24aa0d634477a428eac869ba3ebd911161c691702c039-1268509923

a-squared 4.5.0.50 2010.03.13 Backdoor.Win32.Sinowal!IK
AntiVir 8.2.1.180 2010.03.12 TR/Crypt.ZPACK.Gen
AVG 9.0.0.787 2010.03.13 BackDoor.Generic12.ARAL
BitDefender 7.2 2010.03.13 Gen:Heur.Krypt.3
F-Secure 9.0.15370.0 2010.03.13 Gen:Heur.Krypt.3
GData 19 2010.03.13 Gen:Heur.Krypt.3
Ikarus T3.1.1.80.0 2010.03.13 Backdoor.Win32.Sinowal
Kaspersky 7.0.0.125 2010.03.13 Backdoor.Win32.Sinowal.fox
McAfee+Artemis 5919 2010.03.13 Artemis!17DF8A87A7ED
McAfee-GW-Edition 6.8.5 2010.03.13 Trojan.Crypt.ZPACK.Gen
NOD32 4942 2010.03.13 a variant of Win32/Mebroot.CK
Panda 10.0.2.2 2010.03.13 Trj/CI.A
Symantec 20091.2.0.41 2010.03.13 Suspicious.Insight

Since this file lives outside the area accessible to the Windows OS, file detection seems a moot point. However, if there are memory remnants of it, that might lead to better detection. I did not attempt to run this file or to perform any further analysis. Apparently this driver file is encrypted, and it has surely been looked at by others (although I don't recall reading much about it).


References and further reading:

http://www.trustdefender.com/blog/2009/07/09/the-nastiest-ebanking-trojan-mebroot-just-got-nastier/

http://www.threatexpert.com/report.aspx?md5=2dc3e6c8aa7dde1d5b105ff71e566b63

http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%E2%80%93-better-than-ever/

http://web17.webbpro.de/index.php/analysis-of-sinowal

http://web17.webbpro.de/index.php?page=advanced-analysis-of-sinowal

http://openpdf.com/ebook/torpig-pdf.html points to a bunch of documents about Torpig, some of which have received a lot of press in the security/malware research world. Some of those docs that I found very good:

http://www.csnc.ch/misc/files/publications/2009_scsII_andreas_greulich_ReverseCodeEngineering.pdf

http://www.mnin.org/write/2006_torpigsigs.pdf

The above is a 2006 document from the always informative and skilled Michael Hale Ligh.

http://www.cs.ucsb.edu/~vigna/courses/cs279/Slides/BotnetTorpig.pdf

http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf

The above is the excellent "Your Botnet is my Botnet: Analysis of a Botnet Takeover" paper describing a Torpig takeover, great work guys.

http://www.terena.org/activities/tf-csirt/meeting26/gayet-prg-vs-torpig.pdf

http://fserror.com/pdf/Torpig.pdf

The above document, by Ken Dunham from 2007, shows the plaintext files from a previous generation of Torpig development.

http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-ligh-sinclair.pdf