Introduction to Malware Techniques and Logics Part 1 by Gunther

Post on 21-Apr-2015


INTRODUCTION TO MALWARE TECHNIQUES AND LOGICS PART 1

Author: Gunther Editor: Shub-Nigurrath

ARTeam

Introduction to Malware Techniques and Logics part 1

FOREWORDS

Following the great works by EvilCry, I have decided it is time to release some of my past and present work on malware analysis (more of it will be coming soon), in the hope of igniting some interest in malware analysis from a reverse engineer's mindset. This tutorial is written to provide a better understanding of where to find information and what the aim of most Trojans is. Their aim is simply to steal information or to act as a bot in a botnet. Please note that this article has been written for learning purposes and does not cover complex functionality. In the early days, there were many incidents where users received emails with malicious CHM (Microsoft Compiled HTML Help) and DOC (Microsoft Office Word Document) attachments containing Trojan Riler, which is also known as BackDoor-BCB. So I have decided to impart some of my knowledge on forensics in order to complete this tutorial, Introduction to Malware Techniques and Logics part 1. The tutorial will cover the following issues:

- How to decompile .CHM files
- How to detect and analyse the shellcode
- How to dump the backdoor components
- How to discover the communication protocol

I hope that this could begin a new chapter in the ongoing series of reverse engineering and forensics guides from ARTeam and spark new interest. Today's topic is Introduction to Malware Techniques and Logics part 1. This paper attempts to document how malware developers make use of macros and vulnerabilities to install malicious software on a vulnerable machine. We hope this document will help future reverse engineers and forensics guys/gals to conduct more viable and comprehensive research. This article does not claim to be complete or exclusive, and it is geared towards beginners.

[THIS TUTORIAL COMES WITH AN ARCHIVE MALWARE_SAMPLE_BEWARE.ZIP, WHICH CONTAINS THE MALWARE SAMPLES DISCUSSED HERE. BEWARE THAT THIS SHOULD BE EXPLORED IN A SAFE ENVIRONMENT ONLY. WE MUST NOT BE CONSIDERED RESPONSIBLE FOR DAMAGES OR DATA LOSS YOU MIGHT HAVE, THE OPERATION IS TOTALLY AT YOUR OWN RISK. PASSWORD: INFECTED AND THEN INTERNAL ZIP HAS PASSWORD PASSWORD ALL IN LOWERCASE AND WITHOUT QUOTES.]


1 TABLE OF CONTENTS

Forewords .......... 2
Disclaimer/License .......... 4
Verification .......... 4
1.1 Initial Analysis .......... 5
1.1.1 Focus on Analysis .......... 5
1.1.2 Verification of CHM file format .......... 6
1.1.3 Interesting Information Extracted from chm File Format .......... 7
1.2 Decompilation Process of .CHM file .......... 8
1.2.1 Extraction of Internal files within .CHM file .......... 8
1.2.2 Analysing the .htm file .......... 9
1.2.3 Analysing the Other Files .......... 10
1.2.4 Converting back to HHP, HHC, HHK format .......... 10
1.2.5 Dumping of Trojan Dropper .......... 12
1.3 Hiding within .Doc file .......... 13
1.3.1 Extraction of Streams from .Doc file .......... 14
1.3.2 VBA Macros .......... 14
1.3.3 Finding Shellcode .......... 14
1.3.4 Let's do some Shellcode Analysis .......... 16
1.3.5 Microsoft Word Macro Name Buffer Overflow Vulnerability .......... 17
1.4 Trojan Dropper Winsrv.exe .......... 18
1.4.1 Dumping of BackDoor Components .......... 19
1.4.2 Installation of BackDoor Components .......... 20
1.4.3 BackDoor Component Files .......... 20
1.4.4 Discovery of Communication Protocol .......... 21
1.4.5 Deciphering of Communication Protocol .......... 22
1.4.6 Handshake .......... 22
1.4.7 Command Loop .......... 22
1.4.8 Multiple Sessions Supported .......... 23
1.4.9 Information about the Controller .......... 23
1.5 Conclusions .......... 23
2 INITIAL ANALYSIS .......... 24
2.1 Preliminary Analysis on the malware .......... 24
2.2 Live Analysis on the malware .......... 25
2.3 HoneyPot Analysis on the malware .......... 26
2.4 Conclusions .......... 30
3 APPENDIX A: CONTENT OF THE .HTM FILE .......... 31
4 APPENDIX B: DISASSEMBLY OF SHELLCODE .......... 33

DISCLAIMER/LICENSE

All code included with this tutorial is free to use and modify; we only ask that you mention where you found it. This eZine is also free to distribute in its current unaltered form, with all the included supplements. We have potentially illegal stuff inside. All the commercial programs used within our tutorials have been used only for the purpose of demonstrating the theories and methods described. These documents are released under the license of not using the information inside them to attack systems or programs for piracy. If you do it will be against our rules. No distribution of patched applications has been done under any media or host. The applications used had most of the time already been patched by other fellows, and cracked versions had been available for a long time. ARTeam or the authors of the papers shouldn't be considered responsible for damages to the companies holding rights on those programs. The scope of this document, as well as any other ARTeam tutorial, is sharing knowledge and teaching how to patch applications, how to bypass protections and, generally speaking, how to improve the RCE art. We are not releasing any cracked application. We are not at all encouraging people to release cracked applications; damages, if there will be any, have to be claimed from persons badly using the information, not under our license. This disclaimer applies to all ARTeam releases and tutorials!

VERIFICATION

ARTeam.esfv can be opened in the ARTeamESFVChecker to verify that all files have been released by ARTeam and are unaltered. The ARTeamESFVChecker can be obtained in the release section of the ARTeam site: http://releases.accessroot.com


2 SAMPLE NUMBER ONE

2.1 INITIAL ANALYSIS

I will start off this malware analysis with an introduction to how the Trojan is pushed out to the public and to targeted people, and then move on to the actual dissection of the whole thing. There were incidents in which many users received emails with malicious CHM (Microsoft Compiled HTML Help) and DOC (Microsoft Office Word Document) attachments containing Trojan Riler (also known as BackDoor-BCB). Trojan Riler has two distinct groups of components playing different roles:

I. Trojan dropper WINSRV.EXE or WINHEINI.EXE (they are the same), which is dumped from the carrier files (CHM and DOC) when these carrier files are opened. When this dropper is executed, it drops and installs the backdoor components.

II. Backdoor components (WINSSI.EXE, SPORDER.DLL, WINMEDL.DLL and SYNUSB.DLL), which are dumped by the Trojan dropper. These backdoor components provide the functionality to connect to a remote host, allowing remote control of and remote access to the compromised machines.

During the analysis of the emails, I've learnt that the address of the sender had been spoofed. This analysis will describe the process applied to these two malicious attachments to extract information about the attackers and also to reverse-engineer the functionality of all the Trojan components...

2.1.1 FOCUS ON ANALYSIS

I have received 2 samples of this malware in the form of .chm and .doc files, and I found out that the Trojan was embedded in (or compiled into) the CHM file in compressed form (LZH). My analysis will focus on the following:

I. Verifying the declared file types of the carriers of the Trojan dropper. (This step is important, as it will aid us in choosing the correct tools so that we can dissect the files for further analysis.)

II. Clues that can be extracted from the carriers of the Trojan dropper.

III. Functions of the Trojan dropper WINSRV.EXE or WINHEINI.EXE.

IV. Functions of the backdoor components (WINSSI.EXE, SPORDER.DLL, SYNUSB.DLL and WINMEDL.DLL) that are dropped by the Trojan dropper, WINSRV.EXE.


2.1.2 VERIFICATION OF CHM FILE FORMAT

In order to verify whether the .chm file is really just another innocent .chm file, I have decided to use a hex editor to view its content. You can find more information on Microsoft's HTML Compiled Help (.CHM) format here: http://www.speakeasy.org/~russotto/chm/chmformat.html and http://bonedaddy.net/pabs3/chmspec/0.1.2/Formats.html.

Figure 1 Hex-Editor View of Sample.chm


2.1.3 INTERESTING INFORMATION EXTRACTED FROM CHM FILE FORMAT

There is some interesting information that we can extract from sample.chm, so we need to understand the .CHM file headers first.

File Offset   Type      Content at File Offset
0000          char[4]   ITSF
0004          DWORD     0x03 (Version number)
0008          DWORD     0x60 or 96 (Total header length)
000C          DWORD     0x01 (Unknown)
0010          DWORD     A timestamp. With reference to http://bonedaddy.net/pabs3/chmspec/0.1.2/ITSF.html, this is derived from the GetFileTime() function and is the value of the dwLowDateTime member of the last write time parameter.
0014          DWORD     0x0804 = Chinese Simplified [1] (Windows Language ID). With reference to http://bonedaddy.net/pabs3/chmspec/0.1.2/ITSF.html, this ID is the user language ID (from GetUserDefaultLCID) of the Operating System at the time of compilation.
0018          GUID      10 fd 01 7c aa 7b d0 11 9e 0c 00 a0 c9 22 e6 ec, i.e. GUID = 7C01FD10-7BAA-11D0-9E0C-00A0-C922-E6EC
0018          GUID      11 fd 01 7c aa 7b d0 11 9e 0c 00 a0 c9 22 e6 ec, i.e. GUID = 7C01FD11-7BAA-11D0-9E0C-00A0-C922-E6EC

Table 1 Main Header of .chm file format

File Offset   Type      Content at File Offset
0030          DWORD     $0409 = English (Windows Language ID). With reference to http://bonedaddy.net/pabs3/chmspec/0.1.2/ITSF.html, this came from the program that compiled the ITSF. On Win32, it comes from ITSS.DLL (a Microsoft HTML Help Author DLL).

Table 2 Portion of Directory Header of .chm file format

From the two tables above, we can deduce that the primary language of the Operating System used by the attacker who crafted the CHM was probably Chinese Simplified, according to the language ID recorded in the main header of the CHM (the language ID in the directory header, $0409, reflects the compiler rather than the user's locale).

[1] Language ID to language name translation information obtained from http://windowsitpro.com/article/articleid/15816/where-in-theregistry-is-the-language-setting-for-each-user-stored.html ("Where in the registry is the language setting for each user stored?").
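The header walk described in Tables 1 and 2 can be automated so that the locale clues are pulled out of a suspect .chm without opening it in the help viewer. The following Python is an added example written for this article, not code from the tutorial or from chmdeco: it parses the 0x60-byte ITSF main header exactly as laid out in Table 1, follows the header section table (at 0x38, per the chmspec pages linked above) to the ITSP directory header and reads the compiler language ID at its offset 0x30 (Table 2), and rejects anything whose signature is not ITSF. The function and field names are my own, the LCID table covers only the two IDs the tables mention, and build_sample_chm() produces a constructed byte string with just enough structure to exercise the parser, carrying the GUID bytes from Table 1; it is not a real or openable help file.

```python
import struct
import uuid

# Field offsets of the ITSF main header as listed in Table 1. The header section
# table offset (0x38) and the ITSP language offset (0x30) come from the chmspec
# pages the tutorial links to, not from the tables themselves.
ITSF_HEADER_LEN = 0x60
ITSP_HEADER_LEN = 0x54
SECTION_TABLE_OFFSET = 0x38
ITSP_LANGUAGE_OFFSET = 0x30

# Only the two Windows language IDs that appear in Tables 1 and 2.
LCID_NAMES = {
    0x0804: "Chinese Simplified",
    0x0409: "English",
}


def lcid_name(lcid):
    """Translate a Windows language ID to a name, or an explicit 'unknown' marker."""
    return LCID_NAMES.get(lcid, "unknown (0x%04x)" % lcid)


def parse_itsf_header(data):
    """Parse the ITSF main header (Table 1) into a dict.

    Raises ValueError when the data is too short or the signature is not ITSF,
    so a file that merely carries a .chm extension is rejected before any field
    is trusted.
    """
    if len(data) < ITSF_HEADER_LEN:
        raise ValueError("too short for an ITSF header (%d bytes)" % len(data))
    sig, version, header_len, unknown, timestamp, language_id = struct.unpack_from(
        "<4sIIIII", data, 0)
    if sig != b"ITSF":
        raise ValueError("bad signature %r, not a CHM main header" % sig)
    if header_len < 0x58 or len(data) < header_len:
        raise ValueError("implausible header length 0x%x" % header_len)
    # Both GUIDs use the Windows little-endian layout; the second one follows the
    # first 16 bytes later (0x28), which is how Table 1's raw bytes decode.
    guid1 = uuid.UUID(bytes_le=bytes(data[0x18:0x28]))
    guid2 = uuid.UUID(bytes_le=bytes(data[0x28:0x38]))
    # Header section table: two (offset, length) QWORD pairs; entry 1 is the directory.
    _sec0_off, _sec0_len, dir_off, dir_len = struct.unpack_from(
        "<QQQQ", data, SECTION_TABLE_OFFSET)
    return {
        "version": version,
        "header_len": header_len,
        "unknown": unknown,
        # Only the low DWORD of the compiler's last-write FILETIME survives here,
        # so it cannot be turned into an absolute date on its own.
        "timestamp_low": timestamp,
        "language_id": language_id,
        "guid1": str(guid1),
        "guid2": str(guid2),
        "dir_offset": dir_off,
        "dir_len": dir_len,
    }


def parse_directory_language(data, header):
    """Return the language ID at offset 0x30 of the ITSP directory header (Table 2)."""
    off = header["dir_offset"]
    if off + ITSP_HEADER_LEN > len(data) or data[off:off + 4] != b"ITSP":
        raise ValueError("directory header not found at 0x%x" % off)
    return struct.unpack_from("<I", data, off + ITSP_LANGUAGE_OFFSET)[0]


def language_summary(data):
    """The deduction made in the text: OS locale (main header) versus compiler locale (ITSP)."""
    header = parse_itsf_header(data)
    compiler_lcid = parse_directory_language(data, header)
    return {
        "os_language": lcid_name(header["language_id"]),
        "compiler_language": lcid_name(compiler_lcid),
    }


def build_sample_chm(os_lcid, compiler_lcid, timestamp_low=0):
    """Constructed sample: ITSF header, an empty 0x18-byte section 0, a bare ITSP header."""
    guid1 = bytes.fromhex("10fd017caa7bd0119e0c00a0c922e6ec")  # raw bytes from Table 1
    guid2 = bytes.fromhex("11fd017caa7bd0119e0c00a0c922e6ec")
    sec0_off, sec0_len = ITSF_HEADER_LEN, 0x18
    dir_off = sec0_off + sec0_len
    header = struct.pack("<4sIIIII", b"ITSF", 3, ITSF_HEADER_LEN, 1, timestamp_low, os_lcid)
    header += guid1 + guid2
    header += struct.pack("<QQQQ", sec0_off, sec0_len, dir_off, ITSP_HEADER_LEN)
    header += struct.pack("<Q", dir_off + ITSP_HEADER_LEN)  # offset of content section 0
    directory = bytearray(ITSP_HEADER_LEN)
    directory[0:4] = b"ITSP"
    struct.pack_into("<I", directory, ITSP_LANGUAGE_OFFSET, compiler_lcid)
    return header + bytes(sec0_len) + bytes(directory)


if __name__ == "__main__":
    sample = build_sample_chm(0x0804, 0x0409)
    print(parse_itsf_header(sample))
    print(language_summary(sample))
```

On a real file, read the whole .chm as bytes and pass it to language_summary(); the two GUIDs it reports should decode to the 7C01FD10 / 7C01FD11 values in Table 1 for any genuine CHM, so a mismatch there is itself worth noting during triage.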


2.2 DECOMPILATION PROCESS OF .CHM FILE

Now that we have identified that there is indeed an .exe file within the .chm carrier file, let's try to decompile it and extract the .exe file. We are going to use a CHM decompiler, chmdeco, from http://bonedaddy.net/pabs3/hhm/#chmdeco. It is a program that converts the internal files of CHM files back into the hhp, hhc, hhk etc. files that are used to compile the CHM documentation. Before we even begin to convert the .chm file back into hhp, hhc, hhk etc., the .exe file needs to be extracted.

2.2.1 EXTRACTION OF INTERNAL FILES WITHIN .CHM FILE

For the extraction process, I am going to use a utility, istorage.exe, that comes with the chmdeco package. It can extract files (streams) from Microsoft compound file objects (also known as Microsoft OLE2 files or Microsoft Structured Storage) and also extract files from CHM files. This is done through the OLE StgOpenStorage function, the IStorage interface (for Microsoft compound file objects) and the ITStorage interface (InfoTech Storag...
