Basic-Malware Analysis Labs

January 10, 2017 | Author: Luis Eduardo Melendez Campis

Strategic Security, Inc. © http://www.strategicsec.com/

Malware Analysis Lab Manual

Lab 1: Describe your malware lab

The virtual machine that we will be using to analyze the malware will be a Windows XP SP3 machine. We will be performing some of these labs several times in several different ways; this is to show you that there is more than one way to skin a cat. You can download the virtual machine from here: http://www.hackettweb.com/r00kies-folder/Malware_Windows.vmwarevm.rar

The tools I will be using are:

- PE Explorer – http://www.heaventools.com/overview.htm
- Wireshark – www.wireshark.org
- VirusTotal – www.virustotal.com
- ThreatExpert – www.threatexpert.com
- PEiD – www.peid.info
- Netcat – http://netcat.sourceforge.net
- Regshot – http://sourceforge.net/projects/regshot
- IDA Pro Freeware – http://www.hex-rays.com/idapro/
- Stud_PE – http://www.cgsoftlabs.ro/studpe.html
- Ghex – Fedora repositories
- File Analyzer – http://www.softpedia.com/get/Programming/Other-ProgrammingFiles/File-Analyzer.shtml
- InstallRite – http://www.epsilonsquared.com/installrite.htm
- mIRCd – http://www.mirc.com/get.html
- inspIRCd – http://www.inspircd.org/

Lab 2: What information can you gather about the malware without executing it?

Let’s take our malware.zip file and extract the executable (it is located on the desktop). You will be greeted with a password prompt.

The password is “infected”. Now that we have our malware.exe file, let’s upload it to VirusTotal.com: select malware.exe from where you extracted it, scan it, and see what comes up.

It has been picked up by 40 of 42 different antivirus products. Now let’s unpack the executable using PE Explorer and examine the new file.

Save a copy of malware.exe onto the desktop and name it malware2.exe. Download Strings from Sysinternals (http://download.sysinternals.com/Files/Strings.zip) and extract strings.exe. Run strings.exe from the command prompt against malware2.exe and redirect the output to a file for easy inspection:

strings malware2.exe > malware.txt

Yet another way to view the file header contents is by using File Analyzer. Switch back to the Windows machine, open a command prompt, navigate to the File Analyzer folder and run:

fa “c:\Documents and Settings\Administrator\Desktop\malware2.exe”

As you can see, it provides us with the same information as the above labs. You can see ABC0, ABC1 and ABC2 in the “Objects table” of the header information.

Upon analyzing the strings information, what can you tell about the malware now?

- The malware is identified as “Crxbot Alias Realmbot – by Lindem”.
- The malware contains an IRC server hostname, channel name and associated commands, which means it uses IRC for command and control.
- There are numerous different network and security related registry keys that this malware is programmed to manipulate.
- There is a reference to an executable “Winsec32.exe” as well as a Windows service “Microsoft Svchost local services”, which may be how the malware survives between reboots.
- There is a list of common usernames and passwords included, in addition to references to several default Windows administrative shares.
- A list of keywords such as “Welcome to Gmail” and “PayPal” may mean that it watches for user activity and can capture credentials and/or account numbers.

Let’s also check the executable against www.threatexpert.com to see what it reports.

ThreatExpert reports this file as a Backdoor.IRCBot.

Lab 3: Is the malware packed? If so, how did you determine what it was?

Using PEiD we can run a “Deep Scan” to reveal that it is packed using UPX.

We can also use PE Explorer to figure out how this application is packed.

PE Explorer saw through the disguise fairly easily with no special configuration needed. “Stud_PE” is another application that can be leveraged to figure out how “malware.exe” was packed.

Once you’ve loaded “malware.exe” into Stud_PE, click on the “Signature” tab.

Currently nothing is detected, but if we change the scan mode from “Standard” to “Hard” and rescan the file, we get better results.

Lab 4: Describe the malware’s behavior. What files does it drop? What registry keys does it create and/or modify? What network connections does it create? How does it auto-start, etc.?

We are going to use RegShot to dump the registry before executing the malicious executable, then run RegShot again afterwards and compare the two registry dumps for changes. Open RegShot and set it to output the information to the desktop.

Go ahead and run “1st shot” and save it as “base.hiv”. Now run malware.exe. Afterwards run the “2nd shot” and save it as “after.hiv”.

Finally, we will use the “compare” button in RegShot to compare both registry hives. Once the comparison completes, Notepad should pop up with the results.

Another tool that can be used to provide the same information as above is InCtrl5. InCtrl5 works the same way as Regshot because it will analyze changes in the registry, files and folders, INI files and text files. This program is not installed and can’t be downloaded!

Choose malware.exe and click “GO!”

Once completed click “Install Complete” and it will scan the system again. You are then greeted with an Installation Report.

A third way this can be done is to use InstallRite. Just like the previous two examples, we need to go through the prompts and select the executable we want to install.

This is the home screen; we want to click “Install new software and create an InstallKit”. As you go through the prompts, leave everything at the defaults. InstallRite will take a snapshot of your registry. When you reach this screen, choose “malware.exe” as your installation program.

When you are ready, go ahead and hit Next and InstallRite will install malware.exe. Once it’s completed you’ll be brought back to the main screen. This time we want to “Review Installations”.

Here you are greeted with a nice GUI environment where you can look at each type of file or registry entry separately. It makes things a bit easier to read than the others. What are some of the more noticeable changes?

Drops a file:

- c:\WINDOWS\Winsec32.exe

Creates registry entries:

- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Svchost local services: “Winsec32.exe”
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Svchost local services: “Winsec32.exe”
- HKEY_CURRENT_USER\Software\Microsoft\OLE\Microsoft Svchost local services: “Winsec32.exe”
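
The RegShot “1st shot / 2nd shot / compare” workflow used above, reproduced in PowerShell as an added example (not part of the manual): it snapshots the autostart registry locations this lab watches plus every file under %WINDIR%, then diffs two snapshots. It assumes PowerShell 3 or later on the analysis VM; the snapshot file names are my own choice.

```powershell
# Added example, not from the lab manual: a Regshot-style snapshot/compare in PowerShell.
# Registry locations are the ones the lab's string and runtime analysis point at.
$RegistryTargets = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE',
    'HKLM:\SOFTWARE\Microsoft\OLE',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)

function Save-Snapshot {
    param([Parameter(Mandatory=$true)][string]$OutFile)
    $rows = @()
    foreach ($key in $RegistryTargets) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # One line per registry value: key\name = data
            $rows += "REG  $key\$name = $($item.GetValue($name))"
        }
    }
    # One line per file: path | size | last-write ticks, so overwritten files show up too
    $rows += Get-ChildItem -Path $env:WINDIR -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { "FILE $($_.FullName) | $($_.Length) | $($_.LastWriteTimeUtc.Ticks)" }
    $rows | Set-Content -Path $OutFile -Encoding UTF8
    Write-Host "Snapshot of $($rows.Count) entries written to $OutFile"
}

function Compare-Snapshots {
    param([Parameter(Mandatory=$true)][string]$Before,
          [Parameter(Mandatory=$true)][string]$After)
    # A modified value or file appears as one REMOVED line (old) and one ADDED line (new)
    Compare-Object -ReferenceObject (Get-Content $Before) -DifferenceObject (Get-Content $After) |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            "$tag $($_.InputObject)"
        }
}

# Usage, mirroring the RegShot steps (assumed file names on the desktop):
#   $desktop = [Environment]::GetFolderPath('Desktop')
#   Save-Snapshot -OutFile (Join-Path $desktop 'base.txt')      # 1st shot
#   ... run malware.exe ...
#   Save-Snapshot -OutFile (Join-Path $desktop 'after.txt')     # 2nd shot
#   Compare-Snapshots -Before (Join-Path $desktop 'base.txt') -After (Join-Path $desktop 'after.txt')
```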

Lab 5: What type of command and control server does the malware use? Describe the server and interface this malware uses as well as the domains and URLs accessed by the malware.

For this let’s crack open Wireshark and see if the malware tries to connect back or open a connection with anything.

Looks like it’s trying to connect back to an IRC server, testirc1.sh1xy2bg.NET. Based on the analysis that we have done so far and the packet capture, we can safely say that the malware is communicating via IRC. References were also found for the following URLs:

- http://www.w32-gen.us
- http://www.nivdav.net/Winsec32.exe

Below are a few additional references that show the usage of several other network services and attacks. The malware acts as a service or daemon based on specific commands issued over the IRC channel. These were found using the methods in the above labs, namely running strings against the unpacked binary.

IRC-based software at testirc1.sh1xy2bg.NET

- Testirc1.sh1xy2bg.NET
- NICK %s
- USER %s 0 0 :%s
- PASS %s
- MODE %s %s

IRC channel used

- #chalenge

Passwords

- gemp123
- happy12

Host auth pattern

- *@legalize.it

Registry modifications

- Software\Microsoft\Windows\CurrentVersion\Run
- Software\Microsoft\Windows\CurrentVersion\RunServices
- Software\Microsoft\OLE
- SYSTEM\CurrentControlSet\Control\Lsa

SQL/ODBC based functions

- SQLDisconnect
- SQLFreeHandle
- SQLAllocHandle
- SQLExecDirect
- SQLSetEnvAttr
- SQLDriverConnect
- odbc32.dll

Key logger

- e-gold
- PayPal
- StormPay
- WorldPay
- Fotolog.net
- Yahoo!
- Bienvenido a Gmail
- Welcome to Gmail
- My Account login
- MercadoLivre Brasil
- [ESC] [F1] [F2]

HTTP Server

- HTTP/1.0 200 OK
- Server: myBot
- Cache-Control: no-cache,no-store,max-age=0
- Content-Type: %s
- RealmBoT (httpd.p.l.g) . . Failed to start worker thread, error: .

FTP Server

- 221 Goodbye happy r00ting.
- 425 Can’t open data connection.
- [REALMBOT-FTP] %s, port:%d now executing %s on remote machine.
- 226 Transfer complete.
- 150 Opening BINARY mode data connection
- LIST
- 425 Passive not supported on this server
- 200 Type set to A.
- TYPE
- 257 “/” is current directory.
- 350 Restarting.
- REST
- 215 NzmxFtpd
- SYST
- 230 User logged in.
- PASS
- 331 Password required
- 220 TxmxFtpd 0wns j0

Remote Command

- Remote Command Prompt
- cmd.exe

DDoS Attack – Ping / SYN / UDP Floods

- RealmBoT (ddos.p.l.g) . . Done with flood (%iKB/sec).
- ddos.syn
- RealmBoT (ping.p.l.g) . . Finished sending pings to %s.
- RealmBoT (udp.p.l.g) . . Finished sending packets to %s.
- RealmBoT (udp.p.l.g) . [SUPERSYN]: Done with flood (%iKB/sec)
- RealmBoT (supersyn.p.l.g) . . Flooding: (%s:%s) for %s seconds.

Password Cracking

- mypass123
- pw123
- admin123
- mypc123
- secret
- asdf
- test123

VNC

- .asc vnc 100 0 0 –r –b
- RFB 003.008

Password list for bruteforce attacks

- Too large to list

Username list for bruteforce attacks

- Too large to list

Uptime

- Uptime

Driveinfo

- Driveinfo

Lab 6: What commands are present within the malware and what do they do? If possible, take control of the malware and run some of these commands, documenting how you did it.

In the previous labs we’ve seen that communication is handled via an IRC server. In this lab we will be setting up a fake DNS server with a dummy IRC server to trick the malware into communicating with us. First we need to edit the “hosts” file on our victim machine. We want to point testirc1.sh1xy2bg.net to localhost.

The “hosts” file is located in the %SYSTEMROOT%\system32\drivers\etc directory.

Next we need to install inspIRCd and configure our IRC server. You can find the download at http://www.inspircd.org/?p=download&version=1.2.7&os=win and you will also need the .NET Framework 3.5 from http://www.microsoft.com/download/en/details.aspx?id=21

Here I set everything up like this.

Now we need to “add an oper”.

I named the account “testuser” and left everything else at the defaults. Once you click Next you’ll be greeted with a screen asking which port to listen on. Since our malware connects back on 6667, that’s what we want to listen on. After everything is configured, connect to the server and join channel #chalenge. Next execute the malware and wait for it to join.

Here is the output if you try to join with the incorrect password:

/msg USA[XP]4221645 .login somepass
-USA[XP]4221645- Are you a Fucker?. (bothunter! [email protected]).
-USA[XP]4221645- No pass for you.

In order to log in you need to use the gemp123 password, but it will still throw an error:

/msg USA[XP]0166582 .login gemp123
-USA[XP]4221645- WTF!? no yet fucker!. (bothunter! [email protected]).
-USA[XP]4221645- Orders: No Talk with you.

What’s nice about InspIRCd is that the server allows operators to mask their hostnames. You will want to mask your hostname to “legalize.it”, which matches the *@legalize.it host auth pattern found in the strings. Now if you try to connect, this is what everything will look like:

/whois bothunter
bothunter is [email protected] * bothunter
bothunter is connecting from [email protected] 127.0.0.1
/msg USA[XP]4221645 .login gemp123
[REALMBOT] : Thank for trying.
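
As an added example (not part of the manual, and not inspIRCd), a minimal logging IRC sink in PowerShell that can take the place of the inspIRCd install once the hosts file points testirc1.sh1xy2bg.net at 127.0.0.1: it records everything the sample sends to port 6667 and answers only enough to keep the session open, without issuing any bot commands. The log file location is an assumption.

```powershell
# Added example, not from the lab manual: a logging IRC "sink" for sandbox analysis.
# The sample's NICK/USER/PASS/MODE/JOIN handshake (see the strings in Lab 5) is written to
# a log file (assumed path) and only bare protocol replies are returned.
$Port     = 6667
$LogPath  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'irc-sink.log'
$endpoint = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Loopback), $Port
$listener = New-Object System.Net.Sockets.TcpListener $endpoint
$listener.Start()
Write-Host "IRC sink listening on 127.0.0.1:$Port (Ctrl+C to stop)"
try {
    while ($true) {
        $client = $listener.AcceptTcpClient()
        $peer   = $client.Client.RemoteEndPoint
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader $stream
        $writer = New-Object System.IO.StreamWriter $stream
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        $nick = 'unknown'
        try {
            while (($line = $reader.ReadLine()) -ne $null) {
                $entry = "$(Get-Date -Format o) $peer <- $line"
                Write-Host $entry
                Add-Content -Path $LogPath -Value $entry
                $parts = $line -split ' '
                switch ($parts[0].ToUpper()) {
                    'NICK' { $nick = $parts[1] }
                    # A bare 001 numeric is enough for the client to treat registration as done
                    'USER' { $writer.WriteLine(":sink 001 $nick :Welcome") }
                    'PING' { $writer.WriteLine("PONG $($parts[1])") }
                    # Echo the JOIN so the bot believes it is sitting in #chalenge
                    'JOIN' { $writer.WriteLine(":$($nick)!bot@127.0.0.1 JOIN $($parts[1])") }
                }
            }
        } catch [System.IO.IOException] {
            Write-Host "$peer disconnected"
        } finally {
            $client.Close()
        }
    }
} finally {
    $listener.Stop()
}
```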

Lab 7: How would you classify this malware? Why?

Running it through VirusTotal and ThreatExpert along with the runtime behavior and strings analysis all show that this is a variant of Rbot. Rbot is a common IRC-controlled bot. You can look up an extensive analysis of the Rbot family at http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=39437

Lab 8: What do you think the purpose of this malware is?

The bot seems to be a multipurpose bot that allows an attacker to gain control over the host. Natively, it can be used to steal data such as authentication credentials and financial information. Since it has file transfer and process controls, it can also be used to further escalate the intrusion to include additional functionality as needed by the attacker.

Lab 9: Is it possible to find the malware’s source code? If so, how did you do it?

No. After doing a few Google searches it appears that the links to the source that existed previously have been taken down.

Lab 10: How would you write a custom detection and removal tool to determine if the malware is present on the system and remove it?

In order to write a custom detection and removal tool for this specific malware we need to look at a few things:

- Look at all the running processes to see if there are any called winsec32.exe. If this process is found, it needs to be stopped.
- Next, even if the detection tool doesn’t see the running process, look through the WINDOWS directory for a file named winsec32.exe.
- Following the previous step, the tool needs to look through the registry for 3 keys and, if they are found, remove them:
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Svchost local services
  - HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Svchost local
  - HKLM\Software\Microsoft\OLE\Microsoft Svchost local services
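
The detection and removal steps above, implemented in PowerShell as an added example (not the manual’s own tool). It assumes an elevated PowerShell 3 or later session, and checks the OLE value under both HKCU (where Lab 4 recorded it) and HKLM (where Lab 10 lists it), since the manual gives both locations.

```powershell
# Added example, not the manual's own tool: detect and remove the indicators documented in
# this manual (Winsec32.exe process, %WINDIR%\Winsec32.exe, and the
# "Microsoft Svchost local services" autostart values). Run from an elevated prompt.
$FileName  = 'Winsec32.exe'
$ValueName = 'Microsoft Svchost local services'
$RegKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\OLE',   # location given in Lab 10
    'HKCU:\Software\Microsoft\OLE'    # location recorded in Lab 4
)

function Invoke-Winsec32Cleanup {
    param([switch]$ReportOnly)   # when set, report findings but change nothing
    $findings = @()

    # 1. Running process: stop it first so it cannot recreate the file or registry values
    foreach ($p in (Get-Process | Where-Object { $_.ProcessName -ieq 'Winsec32' })) {
        $findings += "process $($p.ProcessName) (PID $($p.Id))"
        if (-not $ReportOnly) {
            Stop-Process -Id $p.Id -Force
            $p | Wait-Process -Timeout 10 -ErrorAction SilentlyContinue
        }
    }

    # 2. Dropped file in the Windows directory, checked even when no process is running
    $dropped = Join-Path $env:WINDIR $FileName
    if (Test-Path $dropped) {
        $findings += "file $dropped"
        if (-not $ReportOnly) { Remove-Item -Path $dropped -Force }
    }

    # 3. Autostart values: remove only the named value, never the whole Run/RunServices key
    foreach ($key in $RegKeys) {
        if ((Test-Path $key) -and ((Get-Item $key).GetValueNames() -contains $ValueName)) {
            $findings += "registry value $key\$ValueName"
            if (-not $ReportOnly) { Remove-ItemProperty -Path $key -Name $ValueName }
        }
    }

    if ($findings.Count -eq 0) { Write-Host 'No indicators of this sample were found.' }
    $action = if ($ReportOnly) { 'Found' } else { 'Removed' }
    $findings | ForEach-Object { Write-Host "$action $_" }
    return $findings
}

Invoke-Winsec32Cleanup -ReportOnly   # dry run: list what would be removed
Invoke-Winsec32Cleanup               # then actually stop, delete and clean up
```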
