Wednesday, August 25, 2010

A Shot in the Dark - Analysis of a Failed Malware Attack

Rather than let this entry stagnate on the hard drive, I've elected to share it while it may still be of potential research interest. 
This is a brief (and incomplete) analysis of a semi-targeted malware attack attempt from June 23, 2010. The attack failed, but not before enough artifacts were obtained to take a peek at the motives at play. I call this semi-targeted because the mail message was apparently not received by a large number of people and the hosted binaries vanished very quickly. These factors may not be enough for this to truly be a semi-targeted attack, but in the absence of other information this designation will have to do.

Detection statistics reflect the date and time of initial analysis (late June 2010), not the time this entry was created (August 2010, slacker).

On June 23, 2010 an email was received:

The fake careerbuilder.com link actually pointed to http://www.zewiundbebe-jou.ch/resume.pdf, which was a PE file that VirusTotal had not yet specifically encountered, although it did trigger various generic signatures.

File size: 83968 bytes
MD5   : 1717b7fff97d37a1e1a0029d83492de1
SHA1  : c79a326f8411e9488bdc3779753e1e3489aaedea

Static antivirus via VirusTotal indicated detection by 20/41 (48.78%).

http://www.virustotal.com/analisis/ec44c6ab3090bb91ec04e37a5fe31c313c92e8455c9f6d579cdc7ce296d723be-1277318724


Antivirus | Version | Last Update | Result
a-squared | 5.0.0.30 | 2010.06.23 | Win32.SuspectCrc!IK
AhnLab-V3 | 2010.06.23.01 | 2010.06.23 | -
AntiVir | 8.2.4.2 | 2010.06.23 | TR/Dldr.Delphi.Gen
Antiy-AVL | 2.0.3.7 | 2010.06.23 | -
Authentium | 5.2.0.5 | 2010.06.23 | W32/Delfloader.B.gen!Eldorado
Avast | 4.8.1351.0 | 2010.06.23 | -
Avast5 | 5.0.332.0 | 2010.06.23 | -
AVG | 9.0.0.836 | 2010.06.23 | -
BitDefender | 7.2 | 2010.06.23 | Gen:Trojan.FirewallBypass.fKW@aqsq81n
CAT-QuickHeal | 10.00 | 2010.06.23 | -
ClamAV | 0.96.0.3-git | 2010.06.23 | -
Comodo | 5195 | 2010.06.23 | Heur.Packed.Unknown
DrWeb | 5.0.2.03300 | 2010.06.23 | -
eSafe | 7.0.17.0 | 2010.06.23 | -
eTrust-Vet | 36.1.7661 | 2010.06.23 | -
F-Prot | 4.6.1.107 | 2010.06.23 | W32/Delfloader.B.gen!Eldorado
F-Secure | 9.0.15370.0 | 2010.06.23 | Gen:Trojan.FirewallBypass.fKW@aqsq81n
Fortinet | 4.1.133.0 | 2010.06.23 | -
GData | 21 | 2010.06.23 | Gen:Trojan.FirewallBypass.fKW@aqsq81n
Ikarus | T3.1.1.84.0 | 2010.06.23 | Win32.SuspectCrc
Jiangmin | 13.0.900 | 2010.06.15 | -
Kaspersky | 7.0.0.125 | 2010.06.23 | Heur.Trojan.Generic
McAfee | 5.400.0.1158 | 2010.06.23 | Suspect-06!1717B7FFF97D
McAfee-GW-Edition | 2010.1 | 2010.06.23 | Heuristic.BehavesLike.Win32.Keylogger.J
Microsoft | 1.5902 | 2010.06.23 | TrojanDownloader:Win32/Small.gen!AO
NOD32 | 5223 | 2010.06.23 | probably a variant of Win32/TrojanDownloader.Banload.BJY
Norman | 6.05.10 | 2010.06.23 | W32/Downloader
nProtect | 2010-06-23.02 | 2010.06.23 | Gen:Trojan.FirewallBypass.fKW@aqsq81n
Panda | 10.0.2.7 | 2010.06.23 | Trj/CI.A
PCTools | 7.0.3.5 | 2010.06.23 | -
Prevx | 3.0 | 2010.06.23 | -
Rising | 22.53.02.04 | 2010.06.23 | Trojan.DL.Win32.Downloader.GEN
Sophos | 4.54.0 | 2010.06.23 | Sus/Delf-J
Sunbelt | 6494 | 2010.06.23 | -
Symantec | 20101.1.0.89 | 2010.06.23 | -
TheHacker | 6.5.2.0.303 | 2010.06.23 | -
TrendMicro | 9.120.0.1004 | 2010.06.23 | -
TrendMicro-HouseCall | 9.120.0.1004 | 2010.06.23 | -
VBA32 | 3.12.12.5 | 2010.06.23 | suspected of Win32.Trojan.Downloader (http://...)
ViRobot | 2010.6.21.3896 | 2010.06.23 | -
VirusBuster | 5.0.27.0 | 2010.06.23 | -


ThreatExpert is a huge time-saver, except when it cannot analyze something because the sample was built to bypass ThreatExpert specifically or sandboxes generically (TDSS comes to mind, along with some VM-packer based binaries that I've tried to run through the sandbox).

The interesting portions of the ThreatExpert report from the successful scan of the first binary
(http://www.threatexpert.com/report.aspx?md5=1717b7fff97d37a1e1a0029d83492de1) are as follows:

Alias:
New Malware.ai  [McAfee]
TrojanDownloader:Win32/Small.gen!AO  [Microsoft]

Running the binary in ThreatExpert results in the following (real or faked?) Adobe message one sees when trying to open content made in a newer version. I'm not certain which version of Adobe Reader is installed inside ThreatExpert, but various HTTP transactions to Adobe took place around the same time as the display of this message which makes me think that it's a legitimate message and not a fake.

Files created:

C:\resume.pdf     31,268 bytes  MD5: 0xAB48D6582C0DE8936EBD891D246AD359
%Windir%\inf\alg.exe   660,992 bytes MD5: 0x100C62729E997E6FCC1997E7BDDED0D7

Alg.exe is configured to run as a service named “WSALG2” with display name “Application Layer
Gateway Service2”. Initially the service is stopped. The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSALG2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSALG2\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2\Security

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSALG2\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00
02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00
01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01
00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSALG2]
  Type = 0x00000110
  Start = 0x00000002
  ErrorControl = 0x00000001
  ImagePath = "%Windir%\inf\alg.exe"
  DisplayName = "Application Layer Gateway Service2"
  ObjectName = "LocalSystem"
  Description = "Provides support for 3rd party protocol plug-ins for
Internet Connection Sharing and the Windows Firewall."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00
02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00
01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01
00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2]
  Type = 0x00000110
  Start = 0x00000002
  ErrorControl = 0x00000001
  ImagePath = "%Windir%\inf\alg.exe"
  DisplayName = "Application Layer Gateway Service2"
  ObjectName = "LocalSystem"
  Description = "Provides support for 3rd party protocol plug-ins for
Internet Connection Sharing and the Windows Firewall."
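Those service values are exactly what a host-based check should key on: a binary named after a Windows component (alg.exe) living outside System32, the legitimate display name with a digit appended, and auto-start as LocalSystem. The following is an added example, not code from the original post or from the sandbox reports: it parses a listing in the format shown above (a constructed sample carrying the WSALG2 values plus an approximation of the real ALG entry, written here only for comparison) and flags the masquerade.

```python
# Constructed sample: the WSALG2 values from the ThreatExpert report on this page,
# plus an approximation of the legitimate XP ALG service written for comparison.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
  Start = 0x00000003
  ImagePath = "%SystemRoot%\System32\alg.exe"
  DisplayName = "Application Layer Gateway Service"
  ObjectName = "NT AUTHORITY\LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSALG2]
  Start = 0x00000002
  ImagePath = "%Windir%\inf\alg.exe"
  DisplayName = "Application Layer Gateway Service2"
  ObjectName = "LocalSystem"
"""

# Legitimate display names a fake may imitate; binaries that belong only in System32.
KNOWN_DISPLAY_NAMES = ("application layer gateway service",)
SYSTEM32_ONLY = {"alg.exe"}


def parse_reg_listing(text):
    """Parse '[key]' headers followed by 'Name = value' lines into a dict."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and " = " in line:
            name, value = line.split(" = ", 1)
            keys[current][name.strip()] = value.strip().strip('"')
    return keys


def suspicious_services(keys):
    """Return {service key: [reasons]} for entries that look like masquerades."""
    findings = {}
    for key, vals in keys.items():
        reasons = []
        path = vals.get("ImagePath", "").lower()
        exe = path.rsplit("\\", 1)[-1]
        if exe in SYSTEM32_ONLY and "\\system32\\" not in path:
            reasons.append("%s outside System32: %s" % (exe, vals["ImagePath"]))
        disp = vals.get("DisplayName", "").lower()
        for known in KNOWN_DISPLAY_NAMES:
            if disp != known and disp.startswith(known):
                reasons.append("display name mimics '%s'" % known)
        if reasons and vals.get("Start") == "0x00000002":
            reasons.append("auto-start as " + vals.get("ObjectName", "?"))
        if reasons:
            findings[key] = reasons
    return findings
```

Feed it `suspicious_services(parse_reg_listing(SAMPLE_REG))` and only the WSALG2 key comes back, with all three reasons; the genuine ALG entry is silent.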

ThreatExpert says the file may come from Belize. The binary was built with Delphi.

A variety of outbound HTTP connections were made to 194.150.249.52 (resolves as
ns84.tophost.ch but was queried as zewiundbebe-jou.ch in this case) and 208.50.81.170 (no
DNS name, hosted by Global Crossing, likely a load-balanced Adobe update site).

The data identified by the following URLs was then requested from the remote web
server:

  http://www.zewiundbebe-jou.ch/resume.jpg  <- we care about this one
  http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/DataScript.js
  http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/CodeScript.js
  http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/UIScript.js
  http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/ResourceScript.js
  http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/MasterScript.js

Similar malware incidents are documented in the next two links:

http://threatexpert.com/report.aspx?md5=eb3140416c06fa8cb7851076dd100dfb

http://www.threatexpert.com/report.aspx?md5=8033dffa899dcd16769f389073f9f053

The common elements are that the malware drops c:\resume.pdf, uses the \inf folder, creates a service
named WSALG2 with display name “Application Layer Gateway Service2”, creates identical registry
entries for the service, and appears to be from Belize.

Another description of an incident -

http://greatis.com/blog/how-to-remove-malware/svchost-exe-csrss-exe.htm

shows similar characteristics, with references to the Win32.Genome malware family and to
Banload.

resume.jpg is clearly a file of interest in this case. It’s another Delphi binary file.

File size: 660992 bytes
MD5   : 100c62729e997e6fcc1997e7bdded0d7

As this is the secondary payload and likely to be considered of higher value to the attacker, I suspect it was engineered to evade more antivirus tools. VirusTotal detection is lower, 8/41, about 20%.

http://www.virustotal.com/analisis/7ece2a68bf14afe658edbbb83c6f8f3a8b1bd989cc55f5daf844411bf9545018-1277328611

Antivirus | Version | Last Update | Result
a-squared | 5.0.0.30 | 2010.06.22 | -
AhnLab-V3 | 2010.06.22.00 | 2010.06.22 | -
AntiVir | 8.2.2.6 | 2010.06.21 | TR/ATRAPS.Gen
Antiy-AVL | 2.0.3.7 | 2010.06.22 | -
Authentium | 5.2.0.5 | 2010.06.22 | W32/SysVenFak.A.gen!Eldorado
Avast | 4.8.1351.0 | 2010.06.21 | -
Avast5 | 5.0.332.0 | 2010.06.21 | -
AVG | 9.0.0.787 | 2010.06.21 | -
BitDefender | 7.2 | 2010.06.22 | Gen:Trojan.Heur.OK0@trs3QZoiC
CAT-QuickHeal | 10.00 | 2010.06.22 | -
ClamAV | 0.96.0.3-git | 2010.06.22 | -
Comodo | 5180 | 2010.06.22 | TrojWare.Win32.Spy.Banker.Gen
DrWeb | 5.0.2.03300 | 2010.06.22 | -
eSafe | 7.0.17.0 | 2010.06.20 | -
eTrust-Vet | 36.1.7657 | 2010.06.22 | -
F-Prot | 4.6.1.107 | 2010.06.21 | W32/SysVenFak.A.gen!Eldorado
F-Secure | 9.0.15370.0 | 2010.06.22 | Gen:Trojan.Heur.OK0@trs3QZoiC
Fortinet | 4.1.133.0 | 2010.06.21 | -
GData | 21 | 2010.06.22 | Gen:Trojan.Heur.OK0@trs3QZoiC
Ikarus | T3.1.1.84.0 | 2010.06.22 | -
Jiangmin | 13.0.900 | 2010.06.15 | -
Kaspersky | 7.0.0.125 | 2010.06.22 | -
McAfee | 5.400.0.1158 | 2010.06.22 | -
McAfee-GW-Edition | 2010.1 | 2010.06.22 | -
Microsoft | 1.5902 | 2010.06.22 | -
NOD32 | 5216 | 2010.06.21 | -
Norman | 6.05.06 | 2010.06.21 | -
nProtect | 2010-06-21.01 | 2010.06.21 | -
Panda | 10.0.2.7 | 2010.06.21 | -
PCTools | 7.0.3.5 | 2010.06.22 | -
Prevx | 3.0 | 2010.06.23 | Medium Risk Malware
Rising | 22.53.01.04 | 2010.06.22 | -
Sophos | 4.54.0 | 2010.06.22 | -
Sunbelt | 6483 | 2010.06.21 | -
Symantec | 20101.1.0.89 | 2010.06.22 | -
TheHacker | 6.5.2.0.302 | 2010.06.22 | -
TrendMicro | 9.120.0.1004 | 2010.06.22 | -
TrendMicro-HouseCall | 9.120.0.1004 | 2010.06.22 | -
VBA32 | 3.12.12.5 | 2010.06.22 | -
ViRobot | 2010.6.21.3896 | 2010.06.22 | -
VirusBuster | 5.0.27.0 | 2010.06.21 | -

This time, ThreatExpert generates almost no output with resume.jpg except to tell us that it’s probably from Belize. Not too useful.

Anubis is able to deliver a partial analysis of the file -

http://anubis.iseclab.org/?action=result&task_id=14746a621c57c8164e100e15a56aadc5c&format=html 

Interesting items from the Anubis analysis:

- Registry Values Read:

Key | Name | Value
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ | CUAS |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes | MS Shell Dlg 2 | Tahoma
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager | CriticalSectionTimeout | 2592000
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | TransparentEnabled |
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | ComputerName | PC
HKLM\System\CurrentControlSet\Control\ServiceCurrent | |
HKLM\System\CurrentControlSet\Control\Terminal Server | TSUserEnabled |
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle | Language Hotkey |
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle | Layout Hotkey |


“Cicero Unaware Application Support (CUAS). CUAS is a feature of the Microsoft Windows XP operating
system that provides support for Advanced Text Services. Examples of these services include
handwriting recognition, speech recognition, and East Asian keyboard input services.”
http://support.microsoft.com/kb/822656 

Hmm, East Asian keyboard input services. Anyone who has studied any sort of malware knows that this could be significant: it suggests the malware is checking whether or not a particular population is its intended target.

The query of \Safer\CodeIdentifiers\TransparentEnabled checks whether Windows Software Restriction Policies
are enabled. In this case, they are (value of 1).

TSUserEnabled checks to see if terminal server users have slightly higher permissions due to their
placement in the TERMINAL SERVER USER group.

Language Hotkey is perhaps being queried to determine the language in use on the infected system.

Next, the EventLog RPC service named pipe PIPE\Eventlog is read and modified, and a control code is
involved in three interactions. The control code is 0x0011C017, which is FSCTL_PIPE_TRANSCEIVE,
used to send and receive data on an open pipe. There are two elements, a request
and a response. If data is in the buffer when the request is made, it is written to the pipe as a binary
blob; the response gives a status message on how the blob was handled. I'm not sure this is relevant for
the analysis, but Anubis doesn't go into enough detail to determine.

http://msdn.microsoft.com/en-us/library/dd240221%28v=PROT.13%29.aspx 

Some interaction with Ksecdd.sys takes place, but I am unable to determine relevance.

Several mutexes are created:

CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500
MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

The relevance of these is unknown and is either left as an exercise to the reader or is something I might look into at a later time.

A Structured Exception Handling (SEH) exception takes place one time:

Exception 0x406d1388 at 0x7c812aeb

Apparently calling RaiseException with this code gets the attention of a debugger and may be used to
name threads (http://www.highprogrammer.com/alan/windev/visualstudio.html). That URL refers to
Visual Studio; however, this binary is written in Delphi, and RaiseException may not care.

In this case, I suspect (but have not verified) that it may be used to interfere with execution in a
debugging/emulated environment.  It was mentioned that 0x406d1388 messes up WINE in the following
message: http://www.winehq.org/pipermail/wine-devel/2001-April/000540.html


Analyzing strings from the binary in IDA points us to other conclusions not possible in the sandboxed
environments.

The binary spoofs a typical browser user-agent (labeled “Browser_Spoof” here):

.text:00484DC0 Browser_Spoof   db 'Mozilla/4.0 (compatible; MSIE 6.1; Windows XP; .NET CLR 1.1.4322;' 
.text:00484DC0                 ; DATA XREF: sub_484C00+55o 
.text:00484DC0                 db ' .NET CLR 2.0.50727)',0 

The binary contains a variety of obvious commands for an HTTP-based command and control server, such as the
checkupdate command (labeled “CheckUpdate” here). Such command structures make for useful IDS signatures.

.text:00484E20 CheckUpdate     db '?action=checkupdate&v=',0 ; DATA XREF: sub_484C00+6Fo 

An update command:

.text:00484E84 Update          db '?action=update&v=',0 ; DATA XREF: sub_484C00+EFo 

A chkcmd command:

.text:00484F2D                 push    offset a?actionChkcmdV ; "?action=chkcmd&v=" 
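To make the IDS point concrete, here is an added example (my own, not from the original post): a small Python detector that runs the binary's three query-string commands and the spoofed user-agent above over constructed proxy log lines. The C2 host name (c2.example.invalid) and the log line format are assumptions; the Adobe update URL is one of those seen in the sandbox run.

```python
import re

# Strings recovered from the binary on this page: the spoofed User-Agent and the
# query-string verbs it uses toward its HTTP command and control server.
SPOOFED_UA = ("Mozilla/4.0 (compatible; MSIE 6.1; Windows XP; .NET CLR 1.1.4322;"
              " .NET CLR 2.0.50727)")
C2_QUERY = re.compile(r"[?&]action=(checkupdate|update|chkcmd)&v=")

# Two tells in that UA: no "MSIE 6.1" ever shipped, and a genuine IE UA carries
# the platform token "Windows NT 5.1", never the marketing name "Windows XP".
BOGUS_UA_TOKENS = re.compile(r"MSIE 6\.1;|; Windows XP;")

# Constructed proxy log: 'METHOD URL "User-Agent"'. Line 1 is the legitimate
# Adobe update fetch seen in the sandbox; lines 2-3 are hypothetical check-ins
# built from the binary's query strings (the real C2 host is not known).
SAMPLE_LOG = [
    'GET http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/MasterScript.js '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'GET http://c2.example.invalid/gate.php?action=checkupdate&v=1 "%s"' % SPOOFED_UA,
    'GET http://c2.example.invalid/gate.php?action=chkcmd&v=1 '
    '"Mozilla/5.0 (Windows NT 5.1; rv:1.9.2) Gecko/20100101 Firefox/3.6"',
]
LOG_LINE = re.compile(r'(\S+) (\S+) "([^"]*)"$')


def classify_request(url, user_agent):
    """Return the reasons a request matches this sample's C2 traffic pattern."""
    reasons = []
    m = C2_QUERY.search(url)
    if m:
        reasons.append("c2 action=" + m.group(1))
    if BOGUS_UA_TOKENS.search(user_agent):
        reasons.append("spoofed user-agent")
    return reasons


def scan_proxy_log(lines):
    """Return [(url, reasons)] for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        _method, url, ua = m.groups()
        reasons = classify_request(url, ua)
        if reasons:
            hits.append((url, reasons))
    return hits
```

Run `scan_proxy_log(SAMPLE_LOG)` and the Adobe fetch passes while both check-ins are flagged, the first on two counts: the query verb and the user-agent that claims an IE version that never existed.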


Offers some type of WebDAV functionality (TRACE, OPTIONS, DELETE)

Contains cookie handling code (Comment URL, DISCARD, Port)

Is proxy aware (or maybe runs its own proxy?):

.text:0047F398 aProxyAuthoriza db 'Proxy-Authorization',0 ; DATA XREF: sub_47F2C8+3Ao
.text:0047F398                                         ; sub_47F2C8+98o
.text:0047F3AC                 dd 0FFFFFFFFh, 8
.text:0047F3B4 aUsername_0     db 'Username',0         ; DATA XREF: sub_47F2C8+62o
.text:0047F3BD                 align 10h
.text:0047F3C0                 dd 0FFFFFFFFh, 8
.text:0047F3C8 aPassword_0     db 'Password',0         ; DATA XREF: sub_47F2C8+72o

Options to install, uninstall, and silent:

.text:0045DB64                 mov     eax, offset aInstall ; "INSTALL"
.text:0045DDA0 aSilent         db 'SILENT',0           ; DATA XREF: sub_45DB38+3Ao
.text:0045DDB0 aUninstall      db 'UNINSTALL',0        ; DATA XREF: sub_45DB38:loc_45DB8Do

A reference to an Eastern European character set:

.data:00487D74                 dd offset aEasteurope_cha ; "EASTEUROPE_CHARSET"

Other malware has looked for a certain character set and then taken actions based on that. For instance,
Russian users could be excluded from an attack.

The binaries stashed on the attack website were removed from the site in less than 24 hours. Can't imagine that anyone would need them at this stage, but if you do drop me a line or tweet.

I've just learned that the same MD5 for the second binary is still floating about, according to a ThreatExpert report from August 9, 2010:

http://www.threatexpert.com/report.aspx?md5=100c62729e997e6fcc1997e7bdded0d7

TE is able to identify keylogger and trojan downloader capabilities, but nothing further.

If any researcher has any additional info about this malware, the HTTP command structure or other info I would appreciate any feedback or commentary.

As time allows I may try to analyze this further but at this rate it will be a while. Until then, may your shields be strong.