1. General function and functionality of the malware

Similar documents
TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

Inside a killer IMBot. Wei Ming Khoo University of Cambridge 19 Nov 2010

Software Fingerprinting for Automated Malicious Code Analysis

Buffer Overflows. Security 2011

Abysssec Research. 1) Advisory information. 2) Vulnerable version

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

Violating Database - Enforced Security Mechanisms

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Software Vulnerabilities

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Fighting malware on your own

64-Bit NASM Notes. Invoking 64-Bit NASM

Systems Design & Programming Data Movement Instructions. Intel Assembly

REpsych. : psycholigical warfare in reverse engineering. def con 2015 // domas

Removing Sentinel SuperPro dongle from Applications and details on dongle way of cracking Shub-Nigurrath of ARTeam Version 1.

Title: Bugger The Debugger - Pre Interaction Debugger Code Execution

Bypassing Anti- Virus Scanners

A Tiny Guide to Programming in 32-bit x86 Assembly Language

Remote Zugang, sicher und einfach

Return-oriented programming without returns

Instruction Set Architecture

Packers Models. simple. malware. advanced. allocation. decryption. decompression. engine loading. integrity check. DRM Management

Bypassing Windows Hardware-enforced Data Execution Prevention

Packers. (5th April 2010) Ange Albertini Creative Commons Attribution 3.0

Mission 1: The Bot Hunter

Attacking x86 Windows Binaries by Jump Oriented Programming

Introduction to Reverse Engineering

Hotpatching and the Rise of Third-Party Patches

A Museum of API Obfuscation on Win32

Off-by-One exploitation tutorial

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Analysis of Win32.Scream

Disassembly of False Positives for Microsoft Word under SCRAP

CS61: Systems Programing and Machine Organization

Computer Organization and Architecture

INTRODUCTION TO MALWARE & MALWARE ANALYSIS

For a 64-bit system. I - Presentation Of The Shellcode

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

Lecture 27 C and Assembly

From Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?

Self Protection Techniques in Malware

esrever gnireenigne tfosorcim seiranib

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Sage 50 Payroll 2012 Authentication Bypass

Identification and Removal of

How Compilers Work. by Walter Bright. Digital Mars

Harnessing Intelligence from Malware Repositories

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

Reverse Engineering Malware Part 1

Assembly Language: Function Calls" Jennifer Rexford!

Introduction. What is an Operating System?

Practical taint analysis for protecting buggy binaries

EC 362 Problem Set #2

MACHINE ARCHITECTURE & LANGUAGE

l C-Programming l A real computer language l Data Representation l Everything goes down to bits and bytes l Machine representation Language

8. MACROS, Modules, and Mouse

WLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (

Operation Liberpy : Keyloggers and information theft in Latin America

Reversing C++ Paul Vincent Sabanal. Mark Vincent Yason

A-level COMPUTER SCIENCE

OPERATING SYSTEM SERVICES

:: RESEARCH PAPER :: ACCESS THROUGH ACCESS

windows maurizio pizzonia roma tre university

Where s the FEEB? The Effectiveness of Instruction Set Randomization

Glossary of Technical Terms Related to IPv6

Computer Organization and Assembly Language

Faculty of Engineering Student Number:

Stack Overflows. Mitchell Adair

Windows Administration Terminal Services, AD and the Windows Registry. INLS 576 Spring 2011 Tuesday, February 24, 2011

Using fuzzing to detect security vulnerabilities

Character Translation Methods

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov.

Introduction to Operating Systems. Perspective of the Computer. System Software. Indiana University Chen Yu

White paper: August Marcin Icewall Noga

Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES

Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques

StarWind iscsi SAN Software: Using StarWind with MS Cluster on Windows Server 2003

Unpacked BCD Arithmetic. BCD (ASCII) Arithmetic. Where and Why is BCD used? From the SQL Server Manual. Packed BCD, ASCII, Unpacked BCD

March 2012 White Paper: Police trojan study. Marcin Icewall Noga Sergio de los Santos

PART B QUESTIONS AND ANSWERS UNIT I

Embedded Programming in C/C++: Lesson-1: Programming Elements and Programming in C

McAfee Labs Threat Advisory W32/Autorun.worm.aaeb-h

Bypassing Sanboxes for fun!!

Polycom RealPresence Resource Manager System Getting Started Guide

Hide and seek - how targeted attacks hide behind clean applications Szappanos Gábor

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

Avalanche Site Edition

X86-64 Architecture Guide

SMTP-32 Library. Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows. Version 5.2

CSC 2405: Computer Systems II

LogMeIn Network Console Version 8 Getting Started Guide

Attacking Obfuscated Code with IDA Pro. Chris Eagle

Test Driven Development in Assembler a little story about growing software from nothing

Fast Byte-Granularity Software Fault Isolation

x64 Cheat Sheet Fall 2015

Reverse Engineering and Computer Security

Transcription:

1. General function and functionality of the malware The malware executes in a command shell, it begins by checking to see if the executing file contains the MZP file extension, and then continues to access the Windows Registry checking to see if a few local registry values exists. The malware will then try to search and display information regarding the executing host (such as a server) including but not limited to the password, port number, ICQ number, and E-mail address. 2. Behavioral patterns of malware The main portion of the malware gets the host information and then displays back on the command shell next to a predefined text describing the information. This pattern repeats four times until the last piece of server information, E-Mail Address, is displayed. For example: 004041DE CALL malware_.0040400c ; Function retrieving server information 004041E3 MOV EAX, DOWQRD PRT SS:[EBP-14] 004041E6 PUSH EAX 004041E7 MOV EAX,DWORD PRT DS:[4050E0] 004041EC MOV EDX,malware_.0040432C ; Password for server : 004041F1 CALL malware_.00403100 ; Check to see if string is empty 004041F6 POP EDX 004041F7 CALL malware_.00403100 ; Check to see if the popped value is empty 004041FC CALL malware_.00403c53 ; Display text on Cmd prompt 0040420B CALL malware_.0040400c ; Retrieve the next server information 00404219 MOV EDX,malware_.00404350 ; Portnumber to server : 0040421W CALL malware_.00403100 ; Check to see if string is empty 00404223 POP EDX 00404224 CALL malware_.00403100 ; Check to see if the popped value is empty 00404229 CALL malware_.00403c53 ; Display text on Cmd prompt 3. Local system interaction The malware uses functions from Windows imported link libraries: kernel32.dll, user32.dll, advapi32.dll, oleaut32.dll. The malware uses critical section objects for mutual exclusion synchronization in the thread of a single process. 0040181E CALL <JMP.&kernel32.InitializeCriticalSection> ; Allocate the memory used by a critical section 00401823 CMP BYTE PTR DS:[406031],0 0040182A JE SHORT malware_.00401836 0040182C PUSH malware_.00406420

00401831 CALL <JMP.&kernel32.EnterCriticalSection> ; Waits for ownership of the specified critical section object. While taking ownership of the specified critical section, the malware allocates a specific number of bytes from the local heap. 00401854 PUSH 0FF8 00401859 PUSH 0 0040185B CALL <JMP.&kernel32.LocalAlloc> from the heap. ; Allocates the specified number of bytes The malware looks for server values in an internal Kernel, but the malware goes into an error routine when the kernel returns nothing. 00404178 CALL malware_.00402560 0040417D CALL malware_.0040266c ; Calls an internal Kernel and then returns value 00404182 TEST EAX,EAX ; EAX returns 00000000 00404184 JLE malware_.0040429d ; Jumps to this error routine returning the word <ERROR> 0040266C PUSH EBP 00402686 LEA EDX,DWORD PTR SS:[EBP-4] ; Stack points to an internal kernel function call ntdll.kifastsystemcallret 4. Files and registry keys created, modified and accessed The malware will look for a registry key under the HKEY_CURRENT_USER name SOFTWARE\Borland\Delphi\RTL, and then in a later routine the malware looks for the Software\Borland\Locales registry key. If that registry key does not exist, then the malware will look for another key name Software\Borland\Delphi\Locales. After both of these registry keys were not found, the malware tries to loads itself as data file with an.enu, and then an.en extension file. ; Accessing the SOFTWARE\Borland\Delphi\RTL Registry Key. 00402774 PUSH malware_.004027f4 ; SOFTWARE\Borland\Delphi\RTL 00402779 PUSH 80000002 0040277E CALL <JMP.&advapi32.RegOpenKeyExA> ; Calling the RegOpenKey 00402783 TEST EAX,EAX 00402785 JNZ SHORT malware_.004027d4 ; Jump to the Open Reg Key function 00402787 XOR EAX,EAX 00402789 PUSH EBP 0040278A PUSH malware_.004027cd 0040278F PUSH DWORD PTR FS:[EAX] 00402792 MOV DWORD PTR FS:[EAX],ESP 00402795 MOV DWORD PTR SS:[EBP-C],4 0040279C LEA EAX,DWORD PTR SS:[EBP-C]

0040279F PUSH EAX ; Data 004027A0 PUSH 0 004027A6 PUSH 0 004027A8 PUSH malware_.00402810 ; FPUMaskValue 004027AD MOV EAX,DWORD PTR SS:[EBP-4] 004027B0 PUSH EAX ; hkey 004027B1 CALL <JMP.&advapi32.RegQueryValueExA> ; Query the registry value 004027B6 XOR EAX,EAX 004027B8 POP EDX 004027B9 POP ECX 004027BA POP ECX 004027BB MOV DWORD PTR FS:[EAX],EDX 004027BE PUSH malware_.004027d4 004027C3 MOV EAX,DWORD PTR SS:[EBP-4] 004027C6 PUSH EAX ; hkey 004027C7 CALL <JMP.&advapi32.RegCloseKey> ; Close the registry key 004027CC RETN ; Accessing the Software\Borland\Locales, and the Software\Borland\Delphi\Locales key. 00403398 PUSH malware_.00403524 ; Software\Borland\Locales 0040339D PUSH 80000001 004033A2 CALL <JMP.&advapi32.RegOpenKeyExA> ; Calling the RegOpenKey 004033A7 TEST EAX,EAX 004033A9 JE SHORT malware_.004033c9 ; If key not found, continue to look for a sub key 004033AB LEA EAX,DWORD PTR SS:[EBP-8] 004033AE PUSH EAX 004033AF PUSH 0F003F 004033B4 PUSH 0 004033B6 PUSH malware_.00403540 ; Software\Borland\Delphi\Locales 004033BB PUSH 80000001 004033C0 CALL <JMP.&advapi32.RegOpenKeyExA> ; Calling the RegOpenKey 004033C5 TEST EAX,EAX 004033C7 JNZ SHORT malware_.0040343b ; If key not found, jump to the 0040343B function. See 0040343B function in answer 6 because part of the function accesses local system information. I think the malware tries to replicate itself using file handling functions from kernel32.dll, but it goes into an error routine before a file writing function is called. 00403743 CALL <JMP.&kernel32.CreateFileA> 00403748 CMP EAX,-1 ; Compare to 0FFFFFFFFh 0040374B JE malware_.00403803 ; If compare result equals to zero, jump to an error routine, then exit malware 5. Network behavior (including hosts, domains and IP addresses accessed)

No Network behavior was found in the malware. 6. Time and local system dependant features No Time dependant features in malware, but it does get local language information with the call GetLocaleInfoA instruction at 004033A9. 0040343B MOV EAX,DWORD PTR SS:[EBP-4] 0040343E PUSH EAX 0040343F LEA EAX,DWORD PTR SS:[EBP-11D] 00403445 PUSH EAX 00403446 CALL <JMP.&kernel32.lstrcpy> ; Call the string copy function 0040344B PUSH 5 0040344D LEA EAX,DWORD PTR SS:[EBP-D] 00403450 PUSH EAX ; String data 00403453 CALL <JMP.&kernel32.GetThreadLocale> ; Calling the local thread from kernel32.dll 00403458 PUSH EAX 00403459 CALL <JMP.&kernel32.GetLocaleInfoA> ; Function call to lookup and return local system language information. 0040345E XOR ESI,ESI 00403460 CMP BYTE PTR SS:[EBP-11D],0 ; Stack contained value 43 = C 00403467 JE malware_.0040351c ; Value not equal, therefore function not jumped 7. Method and means of communication The malware display its results on the command prompt. Every time after a server information is found/or not found, the malware always go into a display text function. These following instructions are always executed when displaying server information. 004041F1 CALL malware_.00403100 004041F6 POP EDX 004041F7 CALL malware_.00403100 004041FC CALL malware_.00403c53 ; Check to see if string is empty ; Check to see if string is empty ; Display text on Cmd prompt 8. Original infection vector and propagation methodology This malware could be distributed under different names via Internet newsgroups and e-mails. This malware must be executed in order to infect user s machines. 9. Use of encryption for storage communication No use of encryption for storage communication in the malware. 10. Use of self modifying or encrypted code

According to PEiD program, the malware used UPX 0.89.6 1.02 / 1.05 1.24 -> Markus & Laszlo. The first instruction at 0040D280 is the PUSHAD instruction. PUSHAD decrements the stack pointer (ESP) by 32 to hold the eight double word values. The ECX value is 0012FFB0, and the ESP value is 0012FFA4. After highlighting all 4 bytes of the ECX address in the dump view panel (content of ESP), and went to the hardware breakpoint on access. The program went to a POPAD instruction, followed by JMP malware.00404128 at 0040D3CF. Advance execution by single stepping brought the program to 00404128 with a PUSH EBP instruction. 11. Any information concerning development of malware (compiler type, country of origin, author names/handles, etc.) The malware was created but Sub7, which was identified by the following decoded string, SUB7 Server Information Stealer v1.0 PoLYMoRPHiX. An Internet search found Sub7 as the name of a popular backdoor program. The malware was compiled in Borland C, which was also identified based on the decode string, Portions Copyright 1983,99 Borland. This malware could be one of the Sub7 distributed backdoor program gathering server information by execution.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information