Hacking The Malware
“It's getting harder to trust your IM buddies: A new worm in the wild purports to
be a warning from one of your buddies about a computer virus.”
– darkreading.com
RAHUL MOHANDAS
http://rahulmohandas.blogspot.com/
Section 2: Methodology
2.1 Controlled Environment
2.2 Static and Dynamic Analysis
2.3 Preparation and Verification
Section 6: References
Section 1: Introduction
1.1 Overview:
This paper documents how attackers make use of software vulnerabilities to install malicious software on a vulnerable machine. It includes a comprehensive reverse-engineering analysis of the malicious software (Win32.Qucan.a) and discusses the protection offered against the worm by various security products.
I also describe an approach to setting up a flexible laboratory environment using virtual workstation software such as VMware, and demonstrate the process of reverse engineering a worm using a range of system monitoring tools in conjunction with a disassembler.
I hope this document will help malware researchers, intrusion analysts and other security professionals to conduct more viable and comprehensive research.
Section 2: Methodology
There are many ways to study a program's behavior. With static analysis, we study a program without actually executing it. The tools of the trade are disassemblers, decompilers, source code analyzers, and even basic utilities such as strings. Static analysis has the advantage that it can reveal how a program would behave under unusual conditions, because we can examine parts of a program that normally do not execute. In real life, static analysis gives an approximate picture at best: it is impossible to fully predict the behavior of all but the smallest programs. I will illustrate static analysis with a real-life example later on.
With dynamic analysis, we study a program as it executes. Here the tools of the trade are debuggers, function call tracers, registry monitors, file system monitors, and network sniffers. The advantage of dynamic analysis is that it can be fast and accurate. Its limitation is coverage: it is not possible to predict the behavior of a non-trivial program, and it is also not possible to make a non-trivial program traverse all paths through its code, so we only observe the paths that actually run.
2.3 Preparation and Verification
Type of analysis: Static analysis (virus scan)
Process: VirusTotal is a free file analysis service that scans a file with several antivirus engines.
Purpose of action: Verify whether the worm is detected by any of the AV scanners.
References: http://www.virustotal.com/

Type of analysis: Static analysis (strings research)
Process: Verify the installation of the strings command.
Purpose of action: To display contiguous sets of ASCII characters included in a file. I used the free, open-source version of Windows strings.
References: Strings tool available at www.sysinternals.com

Type of analysis: Dynamic analysis (file integrity checking)
Process: Run a file integrity checker and reconcile any changes. Winalysis helps to make a compressed snapshot of the computer configuration.
Purpose of action: To verify that the system is in a known trusted state before the malware makes any changes.
References: http://www.winalysis.com

Type of analysis: Dynamic analysis (file monitoring)
Process: Verify the installation of the Filemon program.
Purpose of action: This indicates which processes are opening, reading, and writing files.
References: www.sysinternals.com

Type of analysis: Dynamic analysis (network monitoring)
Process: Check which ports are listening locally, using Fport or TCPView.
Purpose of action: To see which TCP and UDP ports are listening on the trusted system, to act as a comparison point after the malware is installed.
References: www.foundstone.com and www.sysinternals.com

Type of analysis: Dynamic analysis (network monitoring)
Process: Conduct a port scan from across the LAN, using Nmap or Foundstone Inc's SuperScan.
Purpose of action: To verify the results of the local port check by comparing them to a remote port scan.
References: www.insecure.org, http://www.foundstone.com/

Type of analysis: Dynamic analysis (network monitoring)
Process: Conduct a vulnerability scan from across the LAN, using Nessus.
Purpose of action: To look for backdoor listeners recognized by Nessus.
References: www.nessus.org

Type of analysis: Dynamic analysis (network monitoring)
Process: Verify the installation of a sniffer on a separate system on the LAN.
Purpose of action: To gather all traffic going to and from the target system, using a sniffer loaded on a system other than the victim machine. If the malware tries to send something across the network, I want to gather all packets to see what is happening.
References: www.ethereal.com/download.html, www.tcpdump.org, and www.snort.org

Type of analysis: Dynamic analysis (network monitoring)
Process: Verify the installation of the TDImon tool (Windows).
Purpose of action: To record all TCP and UDP activity on a Windows machine.
References: www.sysinternals.com

Type of analysis: Dynamic analysis (network monitoring)
Process: Verify the installation of a promiscuous mode checker, Promiscdetect.exe (Windows).
Purpose of action: To determine if the network interface is running in promiscuous mode, gathering packets destined for all systems on the LAN.
References: www.ntsecurity.nu/toolbox/promiscdetect/

Type of analysis: Dynamic analysis (registry monitoring)
Process: Verify the installation of Regmon.
Purpose of action: To display a real-time indication of all registry activity, including creating, reading, and writing registry keys.
References: www.sysinternals.com
Section 3: Method of Infection
Anti-virus vendors call this type of infection vector a 'Downloader': downloaders are designed to grab files from a remote website and execute the files they have downloaded. The IM-Worm.Win32.Qucan.a executable files are downloaded from remote websites by exploiting a publicly announced vulnerability in Internet Explorer, the Microsoft Data Access Components (MDAC) function vulnerability.
“A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that
is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC.
An attacker who successfully exploited this vulnerability could take complete control of
an affected system.”
Using the MS06-014 exploit, two files, host.exe and host2.exe, are downloaded from the remote website to the system. A more detailed analysis of the exploit and the payload is given in later sections.
3.2 Exploit Unleashed – ms06-014 exploit
The exploit is written in VBScript and is used to download the worm files, host.exe and host2.exe, from the remote site. Variants of this worm have also been reported by different anti-virus vendors.
Something unusual I noticed about this page is a suspicious URL-encoded JavaScript block which un-mangles itself and finally evaluates the resulting piece of code. Here the encrypted parameter seems to be
JavaScript offers functions that take a string and evaluate it as a piece of code. This process is often repeated several times (so the "decrypted" string may itself contain another string to be decrypted). The best we can do at this point is to place hooks on these commonly used functions and redirect their input to a log window instead of executing it, where the data can be conveniently interpreted.
It is clear that the first line (document.write()) must define the function somefunc(), which is most probably the decryptor. Our goal is to hook document.write so that, instead of being executed, its output is redirected to a log window where we can analyze the result. (A quick alternative is to replace document.write with alert and observe the output, or to direct the output to a debug window and observe it there.)
This completed my initial analysis of the exploit and the vulnerability used to deliver the payload. With the recent increase in the number of Internet Explorer based vulnerabilities, it is highly probable that in future we will see more refined and powerful exploits used to deliver malicious files to users' computers.
Section 4: Worm Architecture
I went ahead and downloaded the UPX utility to unpack the executable. The file can be uncompressed with the command
upx -d filename.exe
I then repeated the string analysis on the unpacked host2.exe; now I was getting some meaning out of the executable file. I loaded the unpacked file into the IDA Pro disassembler.
I could make out that the executable is programmed to kill anti-virus processes and firewalls such as ZoneAlarm. It uses the Windows command 'taskkill' to kill the processes. But 'taskkill' is a command that was introduced with Windows XP (the Windows 2000 Support Tools has a kill command utility which performs the same function), so customers running XP and 2003 would be more affected than people running Windows 2000. Here is a complete list of all the processes that will be terminated by this piece of software.
bkav2006.exe, Anti-Trojan.exe, ANTS.exe, apvxdwin.exe, ATCON.exe,
ATUPDATER.exe, ATWATCH.exe, AUPDATE.exe, AUTODOWN.exe,
AUTOTRACE.exe, AUTOUPDATE.exe, Avconsol.exe, AVP.exe, AVP32.exe,
avpcc.exe, avpm.exe, AVPUPD.exe, Avsynmgr.exe, AVWUPD32.exe,
AVXQUAR.exe, bdmcon.exe, bdoesrv.exe, bdss.exe, CMGrdian.exe,
drwebupw.exe, GUARD.exe, iamapp.exe, iamserv.exe, ICLOAD95.exe,
ICLOADNT.exe, ICMON.exe, ICSSUPPNT.exe, ICSUPP95.exe,
ICSUPPNT.exe, LUCOMSERVER.exe, MCAGENT.exe, mcupdate.exe,
MINILOG.exe, MOOLIVE.exe, NAVAPW32.exe, NMAIN.exe,
NPROTECT.exe, NSCHED32.exe, NUPGRADE.exe, regedit.exe,
regedt32.exe, RuLaunch.exe, Vshwin32.exe, VsStat.exe, zatutor.exe,
zonealarm.exe
Moving deeper, I noticed it making registry modifications, such as disabling Task Manager and the Registry Editor and changing the default page in Internet Explorer.
Here is the entire list of modifications made by the program in the registry.
The malware also deletes values from the registry, such as auto-startup applications:
Deleted value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware Tools
4.2.2 Analysis of host.exe
As with the previous executable, I started with a strings analysis using 'Strings' from Sysinternals. The initial strings analysis showed the presence of the UPX packer. Again I uncompressed the file using the UPX utility and repeated the strings analysis. Now the characters in the executable made sense. I then loaded the executable into the IDA Pro disassembler. A deeper analysis of the strings revealed that this executable uses various GUI and registry related functions, such as altering and creating new values in the registry. I could make out that this program was coded in some scripting language which can interact with the Windows API. The following lines from the strings utility confirmed my suspicion.
Now I could confirm that the executable was programmed in AutoIt. So what exactly is AutoIt and what are the capabilities of this scripting language?
Since the strings analysis did not provide a detailed insight into how the worm works, my next step was to try and decompile the worm. AutoIt comes with a decompiler called EXE2AUT, which converts executables back to .au3 script files. But to convert you have to provide a passphrase, without which EXE2AUT will not allow decompilation, and my next hurdle was that the executable was protected with a passphrase. The password is not stored directly in the executable; it is stored as a 10-byte password hash. With some help from the CW2K tutorials I was able to crack open the executable and reveal the entire source code. From the source code headers I could make out that the worm was written on 20th September.
4.3 The Program code – Exposed
In this section I will explain the source code and what exactly the script is programmed to do.
1.
Initially the worm tries to download host.exe and host2.exe, copies them to the Windows directory and renames them svhost32.exe and svhost.exe.
3.
The above code checks for the specified text in the Internet Explorer title bar. If it is present, it automatically performs a left mouse-click at the specified location, which my best guess is some ad link.
4.
This malware is also designed to disable various Task Manager and registry functions. It also modifies the Yahoo Messenger LaunchCast and Y! BUZZ URLs and links them to the malicious website. There is a good chance that these malicious websites, when opened in the Yahoo Messenger plugin window, may result in the loss of sensitive cookie or credential information.
The worm then creates auto-startup entries in the registry for svhost32.exe and svhost.exe.
5.
Now let us see which applications are targeted and what the impact is.
Initially it checks for
So whenever any of these windows is active it can take actions like sending keystrokes:
ClipPut($website)
BlockInput(1)
The ClipPut() function copies the link to the clipboard, and BlockInput(1) blocks keyboard input by the user.
6. Yahoo Messenger
Next it targets Yahoo Messenger.
From the list of malicious websites it sends one link to the user with any of the messages
Here is the Yahoo Messenger propagation code.
The above code adds a custom status message which points to one of the 13 malicious links, then selects all the users and sends the link to everyone in the messenger list.
8. Windows Live Messenger (Code Trimmed)
[Screenshot: Registry Monitor]
[Screenshot: Process Explorer]
[Screenshot: Yahoo Messenger]
A message window (like the one below) automatically appears at frequent intervals containing the download link.
4.5 The Evolution
I am seeing stealthier and more sophisticated variants of this worm in the wild. These variants are capable of downloading worm update files from the internet and executing them. This is done by downloading an additional payload at the time of infection, which downloads MSINET.OCX from the malicious site and registers it using
regsvr32 MSINET.OCX
“The Internet Transfer ActiveX Control (MSINET.OCX) provides you with access to the
Internet and the World Wide Web using the two most common protocols: Hypertext
Transfer Protocol (HTTP) and File Transfer Protocol (FTP). When you use the internet
transfer control with HTTP, you can retrieve HTML documents from the Internet or an
intranet. Using the internet transfer control with FTP, you can log on to FTP servers and
download or upload files; the control supports many of the most common FTP commands
such as GET, DIR, DELETE and CD.”
The worm is programmed to check a remote update.txt file; if an update exists, it downloads the latest worm executable.
Section 5: Defensive Measures
[VirusTotal screenshot: HOST.EXE, packed with UPX]
Since both files are packed with the UPX packer, I unpacked them using the UPX utility and scanned both files.
[VirusTotal screenshot: HOST_UNPACKED.EXE]
[VirusTotal screenshot: HOST2_UNPACKED.EXE]
The screenshots clearly display the detection rate.
1. Only 20% of the engines were able to detect the worm when I scanned host_unpacked.exe.
2. Only 42.3% of the engines were able to detect the worm when I scanned host2.exe.
Antivir, BitDefender, Fortinet, Kaspersky and UNA were able to detect all 4 cases. UNA, The Hacker and CAT-QuickHeal detect all AutoIt scripts as Trojans.
On 10th October there were around 1,800,000 page views, of which 62,000 were unique visitors.
On 11th October there were around 1,500,000 page views, of which 110,000 were unique visitors.
A closer analysis of the unique users per day shows the alarming rate at which new systems are getting infected.
Section 6: References
Kelly Jackson Higgins, Senior Editor. Instant Message, Instant Infection. darkreading.com, October 4, 2006. URL: http://www.darkreading.com/document.asp?doc_id=105252
McAfee. W32/YahLover.worm. URL: http://vil.nai.com/vil/content/v_140628.htm
Martin Roesch. Snort – The Open Source Network Intrusion Detection System. URL: http://www.snort.org/
VirusTotal Service. URL: http://www.virustotal.com/