Rather than let this entry stagnate on the hard drive, I've elected to share it while it may still be of potential research interest.
This is a brief (and incomplete) analysis of a semi-targeted malware attack attempt from June 23, 2010. The attack failed, but not before enough artifacts were obtained to take a peek at the motives at play. I call this semi-targeted because the mail message was apparently not received by a large number of people and the hosted binaries vanished very quickly. These factors may not be enough for this to truly be a semi-targeted attack, but in the absence of other information this designation will have to do.
Detection statistics reflect the date and time of the initial analysis (late June 2010), not the time this entry was written (August 2010, slacker).
On June 23, 2010, an email was received:
The fake careerbuilder.com link actually pointed to http://www.zewiundbebe-jou.ch/resume.pdf, which was a PE file that VirusTotal had not specifically encountered before, although it did trigger various generic signatures.
File size: 83968 bytes
MD5: 1717b7fff97d37a1e1a0029d83492de1
SHA1: c79a326f8411e9488bdc3779753e1e3489aaedea
Static antivirus via VirusTotal indicated detection by 20/41 (48.78%):
http://www.virustotal.com/analisis/ec44c6ab3090bb91ec04e37a5fe31c313c92e8455c9f6d579cdc7ce296d723be-1277318724
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 5.0.0.30 | 2010.06.23 | Win32.SuspectCrc!IK |
| AntiVir | 8.2.4.2 | 2010.06.23 | TR/Dldr.Delphi.Gen |
| Authentium | 5.2.0.5 | 2010.06.23 | W32/Delfloader.B.gen!Eldorado |
| BitDefender | 7.2 | 2010.06.23 | Gen:Trojan.FirewallBypass.fKW@aqsq81n |
| Comodo | 5195 | 2010.06.23 | Heur.Packed.Unknown |
| F-Prot | 4.6.1.107 | 2010.06.23 | W32/Delfloader.B.gen!Eldorado |
| F-Secure | 9.0.15370.0 | 2010.06.23 | Gen:Trojan.FirewallBypass.fKW@aqsq81n |
| GData | 21 | 2010.06.23 | Gen:Trojan.FirewallBypass.fKW@aqsq81n |
| Ikarus | T3.1.1.84.0 | 2010.06.23 | Win32.SuspectCrc |
| Kaspersky | 7.0.0.125 | 2010.06.23 | Heur.Trojan.Generic |
| McAfee | 5.400.0.1158 | 2010.06.23 | Suspect-06!1717B7FFF97D |
| McAfee-GW-Edition | 2010.1 | 2010.06.23 | Heuristic.BehavesLike.Win32.Keylogger.J |
| Microsoft | 1.5902 | 2010.06.23 | TrojanDownloader:Win32/Small.gen!AO |
| NOD32 | 5223 | 2010.06.23 | probably a variant of Win32/TrojanDownloader.Banload.BJY |
| Norman | 6.05.10 | 2010.06.23 | W32/Downloader |
| nProtect | 2010-06-23.02 | 2010.06.23 | Gen:Trojan.FirewallBypass.fKW@aqsq81n |
| Panda | 10.0.2.7 | 2010.06.23 | Trj/CI.A |
| Rising | 22.53.02.04 | 2010.06.23 | Trojan.DL.Win32.Downloader.GEN |
| Sophos | 4.54.0 | 2010.06.23 | Sus/Delf-J |
| VBA32 | 3.12.12.5 | 2010.06.23 | suspected of Win32.Trojan.Downloader (http://...) |
ThreatExpert is a huge time-saver, except when it cannot analyze something because the sample has been built to bypass ThreatExpert specifically or sandboxes generically (TDSS comes to mind, along with some VM-packer based binaries that I've tried to run through the sandbox).
The interesting portions of the ThreatExpert report from the successful scan of the first binary (http://www.threatexpert.com/report.aspx?md5=1717b7fff97d37a1e1a0029d83492de1) are as follows:
Alias:
New Malware.ai [McAfee]
TrojanDownloader:Win32/Small.gen!AO [Microsoft]
Running the binary in ThreatExpert results in the following (real or faked?) Adobe message, the one shown when trying to open content created in a newer version of Reader. I'm not certain which version of Adobe Reader is installed inside ThreatExpert, but various HTTP transactions to Adobe took place around the same time as the display of this message, which makes me think that it's a legitimate message and not a fake.
Files created:
C:\resume.pdf 31,268 bytes MD5: 0xAB48D6582C0DE8936EBD891D246AD359
%Windir%\inf\alg.exe 660,992 bytes MD5: 0x100C62729E997E6FCC1997E7BDDED0D7
Alg.exe is configured to run as a service named "WSALG2" with display name "Application Layer Gateway Service2". Initially the service is stopped. The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSALG2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSALG2\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2\Security
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSALG2\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00
02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00
01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01
00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSALG2]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%Windir%\inf\alg.exe"
DisplayName = "Application Layer Gateway Service2"
ObjectName = "LocalSystem"
Description = "Provides support for 3rd party protocol plug-ins for
Internet Connection Sharing and the Windows Firewall."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00
02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00
01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01
00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%Windir%\inf\alg.exe"
DisplayName = "Application Layer Gateway Service2"
ObjectName = "LocalSystem"
Description = "Provides support for 3rd party protocol plug-ins for
Internet Connection Sharing and the Windows Firewall."
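As an added example (not code from the original post), the following Python parses a listing in the format above, decodes the Type and Start values, and flags the indicators that separate this WSALG2 entry from the genuine ALG service; the contrasting ALG entry in the sample is constructed to approximate a stock Windows XP configuration.

```python
# Windows service constants (winnt.h / winsvc.h) used to decode the listing.
SERVICE_WIN32_OWN_PROCESS = 0x010
SERVICE_INTERACTIVE_PROCESS = 0x100
SERVICE_AUTO_START = 0x2
LEGIT_ALG_DISPLAY = "Application Layer Gateway Service"

# Constructed sample: the WSALG2 values reported above, followed by an entry
# approximating a stock Windows XP ALG service for contrast (constructed).
SAMPLE_LISTING = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%Windir%\inf\alg.exe"
DisplayName = "Application Layer Gateway Service2"
ObjectName = "LocalSystem"
Description = "Provides support for 3rd party protocol plug-ins for
Internet Connection Sharing and the Windows Firewall."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
Type = 0x00000010
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "%SystemRoot%\System32\alg.exe"
DisplayName = "Application Layer Gateway Service"
ObjectName = "NT AUTHORITY\LocalService"
"""

def parse_listing(text):
    """Parse "[key]" / "Name = value" blocks; a bare line continues the previous value."""
    entries, key, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key, last = line[1:-1], None
            entries[key] = {}
        elif " = " in line and key is not None:
            name, value = line.split(" = ", 1)
            entries[key][name], last = value, name
        elif key is not None and last is not None:
            entries[key][last] += " " + line   # wrapped continuation line
    for vals in entries.values():
        for name, value in vals.items():
            vals[name] = value.strip('"')      # drop the surrounding quotes
    return entries

def assess_service(key, values):
    """Return the masquerade/persistence indicators present in one service key."""
    name = key.rsplit("\\", 1)[-1]
    display = values.get("DisplayName", "")
    image = values.get("ImagePath", "").lower()
    start = int(values.get("Start", "0"), 16)
    stype = int(values.get("Type", "0"), 16)
    findings = []
    if display.startswith(LEGIT_ALG_DISPLAY) and name.upper() != "ALG":
        findings.append("display name mimics the real ALG service")
    if image.endswith("alg.exe") and "system32" not in image:
        findings.append("alg.exe loaded from outside System32")
    if "\\inf\\" in image:
        findings.append("image staged in the \\inf folder")
    if start == SERVICE_AUTO_START:
        findings.append("auto-start: runs at next boot even though it is stopped now")
    if stype & SERVICE_INTERACTIVE_PROCESS:
        findings.append(f"Type 0x{stype:x} has SERVICE_INTERACTIVE_PROCESS set")
    if values.get("ObjectName", "").lower() == "localsystem":
        findings.append("runs as LocalSystem")
    return findings

def scan_listing(text):
    """Assess every service key (those carrying an ImagePath) in a listing."""
    return {k: assess_service(k, v) for k, v in parse_listing(text).items()
            if "ImagePath" in v}

if __name__ == "__main__":
    for key, findings in scan_listing(SAMPLE_LISTING).items():
        print(key, findings or ["no indicators"])
```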
ThreatExpert says the file may come from Belize. The binary was built with Delphi.
A variety of outbound HTTP connections were made to 194.150.249.52 (resolves as ns84.tophost.ch, but was queried as zewiundbebe-jou.ch in this case) and 208.50.81.170 (no DNS name, hosted by Global Crossing, likely a load-balanced Adobe update site).
The data identified by the following URLs was then requested from the remote web server:
http://www.zewiundbebe-jou.ch/resume.jpg <- we care about this one
http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/DataScript.js
http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/CodeScript.js
http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/UIScript.js
http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/ResourceScript.js
http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/MasterScript.js
Similar malware incidents are documented in the next two links:
http://threatexpert.com/report.aspx?md5=eb3140416c06fa8cb7851076dd100dfb
The common elements are that the malware drops c:\resume.pdf, uses the \inf folder, creates a service named WSALG2 with display name "Application Layer Gateway Service2", creates identical registry entries for the service, and appears to be from Belize.
http://www.threatexpert.com/report.aspx?md5=8033dffa899dcd16769f389073f9f053
Another description of an incident, http://greatis.com/blog/how-to-remove-malware/svchost-exe-csrss-exe.htm, shows similar characteristics, with references to the Win32.Genome malware family and to Banload.
resume.jpg is clearly a file of interest in this case. It's another Delphi binary.
File size: 660992 bytes
MD5: 100c62729e997e6fcc1997e7bdded0d7
As this is the secondary payload and likely to be considered of higher value to the attacker, I suspect it was engineered to evade more antivirus tools. VirusTotal detection is lower, 8/41, about 20%.
http://www.virustotal.com/analisis/7ece2a68bf14afe658edbbb83c6f8f3a8b1bd989cc55f5daf844411bf9545018-1277328611
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AntiVir | 8.2.2.6 | 2010.06.21 | TR/ATRAPS.Gen |
| Authentium | 5.2.0.5 | 2010.06.22 | W32/SysVenFak.A.gen!Eldorado |
| BitDefender | 7.2 | 2010.06.22 | Gen:Trojan.Heur.OK0@trs3QZoiC |
| Comodo | 5180 | 2010.06.22 | TrojWare.Win32.Spy.Banker.Gen |
| F-Prot | 4.6.1.107 | 2010.06.21 | W32/SysVenFak.A.gen!Eldorado |
| F-Secure | 9.0.15370.0 | 2010.06.22 | Gen:Trojan.Heur.OK0@trs3QZoiC |
| GData | 21 | 2010.06.22 | Gen:Trojan.Heur.OK0@trs3QZoiC |
| Prevx | 3.0 | 2010.06.23 | Medium Risk Malware |
This time, ThreatExpert generates almost no output with resume.jpg except to tell us that it’s probably from Belize. Not too useful.
Anubis is able to deliver a partial analysis of the file: http://anubis.iseclab.org/?action=result&task_id=14746a621c57c8164e100e15a56aadc5c&format=html
Interesting items from the Anubis analysis:
- Registry Values Read:
| Key | Name | Value | Times |
|---|---|---|---|
| HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ | CUAS | 0 | 1 |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes | MS Shell Dlg 2 | Tahoma | 4 |
| HKLM\SYSTEM\CurrentControlSet\Control\Session Manager | CriticalSectionTimeout | 2592000 | 1 |
| HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | TransparentEnabled | 1 | 1 |
| HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | ComputerName | PC | 3 |
| HKLM\System\CurrentControlSet\Control\ServiceCurrent | 8 | 1 | |
| HKLM\System\CurrentControlSet\Control\Terminal Server | TSUserEnabled | 0 | 1 |
| HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle | Language Hotkey | 1 | 2 |
| HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle | Layout Hotkey | 2 | 2 |
"Cicero Unaware Application Support (CUAS). CUAS is a feature of the Microsoft Windows XP operating system that provides support for Advanced Text Services. Examples of these services include handwriting recognition, speech recognition, and East Asian keyboard input services." (http://support.microsoft.com/kb/822656)
Hmm, East Asian keyboard input services. Anyone who has studied any sort of malware knows that this could be significant: it suggests the malware either does, or deliberately does not, want to target a particular population.
The query of \Safer\CodeIdentifiers\TransparentEnabled checks whether Windows Software Restriction Policies are enabled. In this case, they are (value of 1).
TSUserEnabled checks whether terminal server users have slightly higher permissions due to their placement in the TERMINAL SERVER USER group.
Language Hotkey is perhaps being queried to determine the language in use on the infected system.
Next, the EventLog RPC service named pipe PIPE\Eventlog is read and modified, and a control code is involved in three interactions. The control code is 0x0011C017, which is FSCTL_PIPE_TRANSCEIVE, involved in the sending and receiving of data from an open pipe. There are two elements, a request and a response. If data is in the buffer when the request is called, it's written to the pipe as a binary blob. The response gives a status message on how the blob was handled. I'm not sure this is relevant for the analysis, but Anubis doesn't go into enough detail to determine. (http://msdn.microsoft.com/en-us/library/dd240221%28v=PROT.13%29.aspx)
Some interaction with Ksecdd.sys takes place, but I am unable to determine relevance.
Several mutexes are created:
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500
MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500
The relevance of these is unknown and is either left as an exercise to the reader or is something I might look into at a later time.
A Structured Exception Handling (SEH) exception takes place one time:
Exception 0x406d1388 at 0x7c812aeb
Apparently calling RaiseException with this code gets the attention of a debugger and may be used to name threads (http://www.highprogrammer.com/alan/windev/visualstudio.html). This URL refers to Visual Studio; however, this binary is written in Delphi. RaiseException may not care.
In this case, I suspect (but have not verified) that it may be used to interfere with execution in a debugging/emulated environment. It was mentioned that 0x406d1388 messes up WINE in the following message: http://www.winehq.org/pipermail/wine-devel/2001-April/000540.html
Analyzing strings from the binary in IDA points us to other conclusions not possible in the sandboxed environments.
The binary spoofs a typical browser user-agent (labeled “Browser_Spoof” here)
.text:00484DC0 Browser_Spoof db 'Mozilla/4.0 (compatible; MSIE 6.1; Windows XP; .NET CLR 1.1.4322;'
.text:00484DC0 ; DATA XREF: sub_484C00+55o
.text:00484DC0 db ' .NET CLR 2.0.50727)',0
The binary contains a variety of obvious commands to an HTTP-based command and control server, such as the checkupdate command (labeled "CheckUpdate" here). Such command structures make for useful IDS signatures.
.text:00484E20 CheckUpdate db '?action=checkupdate&v=',0 ; DATA XREF: sub_484C00+6Fo
An update command:
.text:00484E84 Update db '?action=update&v=',0 ; DATA XREF: sub_484C00+EFo
A chkcmd command:
.text:00484F2D push offset a?actionChkcmdV ; "?action=chkcmd&v="
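The three request strings above translate directly into a network detection. As an added example (not code from the original post), the following Python scans proxy log lines for the `?action=...&v=` patterns and the exact spoofed User-Agent; the log format (client, method, URL, quoted User-Agent), the `SAMPLE_LOG` lines and the c2.example.invalid host are all constructed for this example, since the real C2 host is unknown.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 query-string actions recovered from the IDA strings on this page.
C2_ACTIONS = {"checkupdate", "update", "chkcmd"}

# Exact spoofed User-Agent from the binary. Two anomalies worth a signature:
# no Internet Explorer "6.1" ever shipped, and genuine IE on XP reports
# "Windows NT 5.1", never the literal "Windows XP".
SPOOFED_UA = ("Mozilla/4.0 (compatible; MSIE 6.1; Windows XP; "
              ".NET CLR 1.1.4322; .NET CLR 2.0.50727)")

# Assumed log format (constructed for this example): client method url "user-agent"
LOG_LINE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample traffic; c2.example.invalid is a placeholder host.
SAMPLE_LOG = [
    f'10.0.0.5 GET http://www.zewiundbebe-jou.ch/resume.jpg "{SPOOFED_UA}"',
    f'10.0.0.5 GET http://c2.example.invalid/gate.php?action=checkupdate&v=1.0 "{SPOOFED_UA}"',
    '10.0.0.7 GET http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/MasterScript.js '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.9 GET http://intranet.example.invalid/app?action=update&v=2 '
    '"Mozilla/5.0 (Windows NT 5.1; rv:1.9.2) Gecko/20100115 Firefox/3.6"',
]

def classify(line):
    """Return the reasons one log line resembles this downloader's C2 traffic."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return []
    reasons = []
    # keep_blank_values so a bare "v=" (as in the binary's strings) still counts
    qs = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
    action = qs.get("action", [""])[0]
    if action in C2_ACTIONS and "v" in qs:
        reasons.append(f"c2-action:{action}")
    if m.group("ua") == SPOOFED_UA:
        reasons.append("spoofed-ua")
    return reasons

def scan(lines):
    """Collect reasons per client. A client hitting on both the URI pattern and
    the User-Agent is a far stronger match than a generic ?action=update alone,
    which legitimate web applications also use."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            client = LOG_LINE.match(line.strip()).group("client")
            hits.setdefault(client, set()).update(reasons)
    return hits

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, sorted(reasons))
```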
Offers some type of WebDAV functionality (TRACE, OPTIONS, DELETE).
Contains cookie handling code (Comment URL, DISCARD, Port).
Is proxy aware (or maybe runs its own proxy?):
.text:0047F398 aProxyAuthoriza db 'Proxy-Authorization',0 ; DATA XREF: sub_47F2C8+3Ao
.text:0047F398 ; sub_47F2C8+98o
.text:0047F3AC dd 0FFFFFFFFh, 8
.text:0047F3B4 aUsername_0 db 'Username',0 ; DATA XREF: sub_47F2C8+62o
.text:0047F3BD align 10h
.text:0047F3C0 dd 0FFFFFFFFh, 8
.text:0047F3C8 aPassword_0 db 'Password',0 ; DATA XREF: sub_47F2C8+72o
Options to install, uninstall, and silent:
.text:0045DB64 mov eax, offset aInstall ; "INSTALL"
.text:0045DDA0 aSilent db 'SILENT',0 ; DATA XREF: sub_45DB38+3Ao
.text:0045DDB0 aUninstall db 'UNINSTALL',0 ; DATA XREF: sub_45DB38:loc_45DB8Do
A reference to an Eastern European character set:
.data:00487D74 dd offset aEasteurope_cha ; "EASTEUROPE_CHARSET"
Other malware has looked for a certain character set and then taken actions based on that. For instance, Russian users could be excluded from an attack.
The binaries stashed on the attack website were removed from the site in less than 24 hours. Can't imagine that anyone would need them at this stage, but if you do drop me a line or tweet.
I've just learned that the same MD5 for the second binary is still floating about, according to a ThreatExpert report from August 9, 2010:
http://www.threatexpert.com/report.aspx?md5=100c62729e997e6fcc1997e7bdded0d7
TE is able to identify keylogger and trojan downloader capabilities, but nothing further.
If any researcher has any additional info about this malware, the HTTP command structure or other info I would appreciate any feedback or commentary.
As time allows I may try to analyze this further but at this rate it will be a while. Until then, may your shields be strong.