Feb 22 2010

Zeus may be old, but he isn’t afraid of change

Category: Malware, Password Stealing, Practical, TrojanParker @ 7:47 pm

I should lay my cards on the table at the start of this item: I do not know that this is Zeus. It is currently a working assumption, based on a number of similarities between this new virus and other Zeus samples I have seen.

So first off, what is the same?

  • It changes the registry item HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, inserting a dynamically named executable into the value data to ensure its presence at each boot of the system. In my most recent infection instance, it changed the value data to C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msicjg32.exe
  • It loads the executable and hides it from view, using rootkit techniques.
  • It conducts HTML injection attacks
  • It is capable of MitB / MitM attacks
  • It targets banking credentials and more than likely other login details, such as PayPal and Facebook.

What is new?

  • The virus no longer uses the static executable name sdra64.exe. Instead it chooses a pseudo-random name at install. I have seen msrwez32.exe, msjrtr32.exe and msicjg32.exe, so the naming format appears to be msXXXX32.exe.
  • There is no creation of a c:\windows\system32\lowsec folder, so stolen data and configuration detail are stored somewhere other than usual. The configuration would appear to come from a jpg that can be seen arriving if you use packet capture; the file is normally at the C&C domain within a location of /images/arrowred.jpg. I have not been able to obtain this file, or indeed find anything that could even attempt to decrypt it, but I am informed that config details are held within it.
  • As with all viruses, these processes grab config detail from Command & Control servers. To the best of my ability I believe these sites to be http;//216.119.129.14 and http;//209.172.59.132. With luck these will be offline soon. I have now seen that these files carry a list of possible C&Cs and move around as quickly as they are taken offline. Those who need to know of them do, and I do not propose to begin retaining a list here.
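
Since the Userinit value is the one indicator shared by the old sdra64.exe form and this renamed variant, here is an added Python example (not code from this post) that checks a Userinit value string the way the steps in this post do by hand: it splits the comma-separated value data, treats only the expected userinit.exe entry as legitimate, and reports every other entry, noting whether the file name fits the sdra64.exe or msXXXX32.exe naming seen in the samples. The expected path and the name patterns come from the post; reading msXXXX32 as four letters between "ms" and "32" is an assumption drawn from the three names listed, and the sample values in the script are constructed.

```python
import re

# Legitimate entry for the Userinit value (path quoted in the post); the trailing
# comma Windows keeps after it is harmless and is dropped by the split below.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# File-name patterns from the post: the old static sdra64.exe and the newer
# msXXXX32.exe family (samples seen: msrwez32, msjrtr32, msicjg32).
# Assumption: four lower-case letters between "ms" and "32", as those samples suggest.
KNOWN_PATTERN = re.compile(r"^(sdra64|ms[a-z]{4}32)\.exe$", re.IGNORECASE)


def analyse_userinit(value_data: str) -> dict:
    """Classify the entries of a Winlogon\\Userinit value.

    Returns a dict with:
      clean            - True when only the expected userinit.exe entry is present
      expected_present - True when the legitimate entry is still there
      unexpected       - one record per extra entry, with its file name and whether
                         that name matches a naming pattern seen in the samples
    """
    entries = [e.strip() for e in value_data.split(",") if e.strip()]
    expected_present = any(e.lower() == EXPECTED_USERINIT.lower() for e in entries)
    unexpected = []
    for entry in entries:
        if entry.lower() == EXPECTED_USERINIT.lower():
            continue
        # Take the file name regardless of which slash the value happens to use.
        name = entry.replace("/", "\\").rsplit("\\", 1)[-1]
        unexpected.append({
            "path": entry,
            "name": name,
            "matches_known_pattern": bool(KNOWN_PATTERN.match(name)),
        })
    return {
        "clean": not unexpected,
        "expected_present": expected_present,
        "unexpected": unexpected,
    }


def describe(value_data: str) -> str:
    """One-line verdict suitable for a triage note."""
    result = analyse_userinit(value_data)
    if result["clean"]:
        return "Userinit is clean"
    names = ", ".join(
        u["name"] + (" (known naming pattern)" if u["matches_known_pattern"] else "")
        for u in result["unexpected"]
    )
    warning = "" if result["expected_present"] else "; legitimate userinit.exe entry is MISSING"
    return f"Userinit has unexpected entries: {names}{warning}"


if __name__ == "__main__":
    # Constructed sample values: the clean default, the value quoted in this post,
    # the older sdra64.exe form, and an unrelated extra entry.
    for sample in (
        r"C:\WINDOWS\system32\userinit.exe,",
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msicjg32.exe",
        r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe",
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\helper.exe",
    ):
        print(describe(sample))
```

Run it against the value copied out of regedit. A value whose only entry is the malware, with userinit.exe gone, is reported as missing the legitimate entry; that is worth knowing before a reboot, because Windows needs userinit.exe in that value to complete a logon.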

Antivirus detection results, as follows (a dash means no detection):

Product – Version – Update – Virus Alias
a-squared 4.5.0.50 2010.02.22 Worm.Win32.Pushbot!IK
AhnLab-V3 5.0.0.2 2010.02.22 -
AntiVir 8.2.1.172 2010.02.22 TR/Spy.ZBot.afdw
Antiy-AVL 2.0.3.7 2010.02.22 -
Authentium 5.2.0.5 2010.02.22 -
Avast 4.8.1351.0 2010.02.22 Win32:EggDrop-CG
AVG 9.0.0.730 2010.02.22 -
BitDefender 7.2 2010.02.22 Trojan.Generic.3193268
CAT-QuickHeal 10.00 2010.02.22 -
ClamAV 0.96.0.0-git 2010.02.22 Trojan.EggDrop-121
Comodo 4026 2010.02.22 TrojWare.Win32.Spy.Zbot.afdw
DrWeb 5.0.1.12222 2010.02.22 Trojan.DownLoad.35735
eSafe 7.0.17.0 2010.02.22 Win32.EggDrop
eTrust-Vet 35.2.7318 2010.02.22 -
F-Prot 4.5.1.85 2010.02.22 -
F-Secure 9.0.15370.0 2010.02.22 Trojan.Generic.3193268
Fortinet 4.0.14.0 2010.02.21 -
GData 19 2010.02.22 Trojan.Generic.3193268
Ikarus T3.1.1.80.0 2010.02.22 Worm.Win32.Pushbot
Jiangmin 13.0.900 2010.02.22 -
K7AntiVirus 7.10.980 2010.02.22 -
Kaspersky 7.0.0.125 2010.02.22 Trojan-Spy.Win32.Zbot.afdw
McAfee 5900 2010.02.22 -
McAfee+Artemis 5900 2010.02.22 Artemis!1B0138229529
McAfee-GW-Edition 6.8.5 2010.02.22 Heuristic.LooksLike.Trojan.Agent.B
Microsoft 1.5406 2010.02.22 -
NOD32 4888 2010.02.22 probably a variant of Win32/Injector.AXM
Norman 6.04.08 2010.02.22 -
nProtect 2009.1.8.0 2010.02.22 -
Panda 10.0.2.2 2010.02.22 Trj/CI.A
PCTools 7.0.3.5 2010.02.22 -
Prevx 3.0 2010.02.22 High Risk Cloaked Malware
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.22 Mal/Resdro-A
Sunbelt 5692 2010.02.22 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.02.22 Suspicious.Insight
TheHacker 6.5.1.6.205 2010.02.22 -
TrendMicro 9.120.0.1004 2010.02.22 -
VBA32 3.12.12.2 2010.02.22 -
ViRobot 2010.2.22.2196 2010.02.22 -

Removal

I am not yet confident in the exact way in which this malware functions, so I am not confident that the below is an absolute removal process. It does however appear to resolve the issue, so is better than nothing. As soon as I learn more, I will be sure to update.

  • Open regedit (normally via Start > Run), drill down into the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit string and note its value data.
  • You will need to kill a thread, loaded into memory, which retains the malicious presence within the Winlogon key; simply deleting the malicious value data is not enough.
  • Download and run the ProcessExplorer application from the TechNet website.
  • Access View and ensure that Lower Pane View is enabled.
  • On the top menu bar, select Find Handle or DLL. In the search box, type and search for the executable found within the Userinit value data (msXXXX32.exe).
  • This should find and select the executable within your Lower Pane. In the top pane, locate and double click on Winlogon.
  • From the new Window select the threads tab (this will sometimes produce an error, which can just be clicked past).
  • Once the threads have displayed, sort by CSwitch Data. There will be one thread which shows as constantly active (retains a numeric value).
  • Once this thread is identified, highlight it and select Kill from the bottom right.
  • Exit ProcessExplorer, reopen regedit and drill down to the Winlogon\Userinit key. Delete the malicious value from the Userinit key data.
  • Restart the PC.
  • This should have stopped the virus loading at boot, allowing you to locate the executable within C:\windows\system32\. This should be purged from the system.



Feb 12 2010

Attempts to infect a machine fall flat

Category: Malware, Practical, TrojanParker @ 7:09 pm

Who would have thought that infecting a machine with a virus would be this difficult? I have done all I can think of, but have had only muted success getting a bloody malicious DLL to start messing with my data streams.

Will have a few more goes before I either give up or blame a poor implementation.



Jan 04 2010

Yaludle

Category: Malware, Practical, Programs, TrojanParker @ 9:27 pm

Well, another virus is on the radar, this time one carrying the alias Yaludle.
There is no real info on the installer or exploit type, but suffice to say this one is bad news: by replacing a number of key drivers within your registry, it ensures that it loads every time your PC does.

As a very quick synopsis of the risks, this virus is capable of Man In The Browser / Man In The Middle attacks, which will typically go after your banking credentials; but as with many banking trojans, it is not averse to going after your other sensitive info with keylogging.

Anyway, to get rid of it, you need to do as follows:

  1. Close all instances of Internet Explorer.
  2. Open ProcessExplorer and Regedit.
  3. Get the DLL name from the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 and write it down somewhere. It should be in the format of 8 hex digits + 1.
  4. Use ProcessExplorer to search for that hex value, then locate and close all found handles that carry it (some may be mutex objects). In ProcessExplorer: View => Lower Pane View => Handles (or Ctrl+H), then Find => Find Handle or DLL and search for the first 4 digits of the file name. You get a list of handles that relate to the malware; close them with ProcessExplorer or handle.exe.

Delete these registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2
  • HKCU\Software\Macromedia\
  • HKCU\Software\AppDataLow\Software\Macromedia\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WAB

Delete these files:

  • %Appdata%\Macromedia\Common\
      (8-digit-hex).exe
  • %TMP%
      (8-digit-hex).tmp

I also recommend clearing the Temp folders on that machine.

  • %Temp%
  • %Systemroot%\Temp

Having done all of that, a restart of the machine should load without any malicious Yaludle items present. For peace of mind, you can repeat step 4 of the above to ensure that no handles or other loaded objects still carry that hex value.


Dec 18 2009

Recent Viral Investigations

Category: Malware, Programs, Theory, TrojanParker @ 11:00 am

Below is a list of details that I have gathered recently whilst investigating numerous malware incidents.

If you are that way inclined, there are a number of samples of most of these on my domain, but clearly only head to these if you know what you are doing (you will be intentionally infecting your PC with a virus). Furthermore, be aware that the command & control or script-issuing sites will be offline, largely limiting the virus's capacity to do evil, so that others infected in the traditional sense do not suffer harm.

Zeus

Known capacities

  • Html injection
  • Communication with C&C
  • Man In The Middle / Man In The Browser
  • Capacity to engineer two-factor-defeating scenarios
  • Receipt of customised JavaScript pages, to allow engineering of page-specific attacks and exploits.

Known file locations / tell tale signs

  • Modified registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Value data – C:\Windows\system32\sdra64.exe (should be C:\Windows\system32\userinit.exe,). Malicious executable – C:\Windows\system32\sdra64.exe
  • Config files – located within C:\Windows\system32\lowsec. There will typically be a user.ds and a local.ds file, although sometimes there will be others. These can all be assumed malicious, because the lowsec folder would never exist under normal circumstances.
  • The virus also carries with it the capacity to shut down or at least disable some antivirus and firewall programs. Therefore the unexplained ‘switch off’ of your AV may be indicative of an infection.

Removal

I have recorded and made a screen capture video of the removal available below. I learnt by following someone’s video guide, so I would suggest doing the same. I have however also recorded additional steps, for further ease.

  • Open regedit (normally via Start > Run), drill down into the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit string and note its value data.
  • Assuming that sdra64.exe was present in the above key, you are infected and will need to kill a thread, loaded into memory, which retains the malicious presence within the Winlogon key.
  • Download and run the ProcessExplorer application from the TechNet website.
  • Access View and ensure that Lower Pane view is enabled.
  • On the top menu bar, select Find Handle or DLL. In the search box, type and search for sdra64.exe.
  • This should find and select sdra64.exe within your Lower Pane. In the top pane, locate and double click on Winlogon.
  • From the new Window select the threads tab (this will sometimes produce an error which can just be clicked past).
  • Once the threads have displayed, sort by CSwitch Data. There will be one thread which shows as constantly active (retains a numeric value).
  • Once this thread is identified, highlight it and select Kill from the bottom right.
  • Exit ProcessExplorer, reopen regedit and drill down to the Winlogon\Userinit key. Delete the sdra64 location data (typically this is c:\windows\system32\sdra64.exe).
  • Restart the PC.
  • This should have stopped the virus loading at boot, allowing you to locate C:\windows\system32\sdra64.exe and the ..\lowsec files (user.ds and local.ds). All of these should be purged from the system.

Zeus Jabber

As the name suggests, this virus is an extension of the Zeus family trojan, so much of its technical ability and its file locations mirror those of the above. Removal of this virus is achieved in the same manner as removing the Zeus virus above.

Known capacities

  • Html injection
  • Communication with C&C / admin via messenger service
  • There is some talk of MitB capacity, but I have yet to see this implemented successfully in the wild (far from proof that it does not retain this ability however).

Known file locations / tell tale signs

  • Modified registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Value data – C:\Windows\system32\sdra64.exe (should be C:\Windows\system32\userinit.exe,). Malicious executable – C:\Windows\system32\sdra64.exe
  • Config files – located within C:\Windows\system32\lowsec. There will typically be a user.ds and a local.ds file, although sometimes there will be others. These can all be assumed malicious, because the lowsec folder would never exist under normal circumstances.
  • Drops php files into %system%/temp, typically containing credentials obtained in clear text (so a good way to see what data of yours has been stolen). These files should record the malicious server's IP address, so tracking down and shutting down the related malicious or hosting servers is made somewhat easier.
  • Packet capture will show a lot of chatter; watch and record this to fathom how and with whom it is speaking.
  • Config files cannot currently be decrypted by the ZeusDecoder @ ThreatExpert. Expect updates.
  • The virus also carries with it the capacity to shut down or at least disable some antivirus and firewall programs. Therefore the unexplained ‘switch off’ of your AV may be indicative of an infection.

Removal

See above Zeus removal steps and video.

Silon v2

Known capacities

  • Key logging
  • HTML Injection
  • Man In The Middle / Man In The Browser
  • C&C communication
  • Capacity to engineer malicious two factor scenarios, allowing for Bank or other secure site security exploitation

Known file locations / tell tale signs

  • HKCR\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32\Default
  • The value data should read c:\windows\system32\msimtf.dll. If however a Silon infection has occurred, the malicious key data item will instead show a malicious msls50.dll.
  • The virus will install its config details and C&C information within a newly created registry key. This registry key is created using system-specific values, arranged in a set format. In this instance it obtains your C drive's serial ID and then applies its format to the 8-digit hex value (excluding the hyphen). To find your drive's serial ID, open a command prompt and type "vol". This will provide you with the number in the format xxxx-xxxx.
  • Open your registry editor and search for a key containing those 8 digits (without the hyphen). You should find a key with these 8 digits and other permutations of those 8 digits. This will contain a ProcServer32 element which itself contains subkeys named 0, 1, 3 & 4. These all contain encrypted data and will look like nonsense, but actually contain the targeted website list and Command & Control server locations.
  • The virus will also create two files which it uses to store stolen credentials. To find these, navigate to your c:\windows\temp folder, where you will find two files named using the drive ID in differing formats.
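
The Yaludle and Silon indicators above are all registry values that a checker can look for in a regedit export, so here is an added Python example (not code from these posts) that parses a .reg file and applies them: Drivers32 entries whose DLL is a hex-digit name rather than a real driver, the {50D5107A-...}\InProcServer32 default pointing somewhere other than msimtf.dll, and key paths that embed the 8 hex digits taken from the output of vol. The key paths, expected values and hex naming come from the posts; the sample export, the hex name 1A2B3C4D1, the serial 6C2F-91B0 and the GUID built from it are constructed, and reading "8 hex digits + 1" as eight hex digits plus one optional trailing character is an assumption.

```python
import re

# Constructed regedit export (Windows Registry Editor 5.00 text format). The entries
# imitate the indicators described for Yaludle (hex-named Drivers32 DLLs, the Run\WAB
# value) and Silon (hijacked msimtf.dll CLSID, a key named from the C: volume serial).
# The hex name 1A2B3C4D1, the serial 6C2F-91B0 and the GUID built from it are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"midi2"="1A2B3C4D1.dll"
"wave"="wdmaud.drv"
"wave1"="1A2B3C4D1.dll"

[HKEY_CLASSES_ROOT\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32]
@="c:\\windows\\system32\\msls50.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{6C2F91B0-91B0-6C2F-0000-0000006C2F91}\ProcServer32\0]
@=hex:3a,9f,00,12

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WAB"="\"C:\\Documents and Settings\\user\\Application Data\\Macromedia\\Common\\1A2B3C4D1.exe\""
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
# Assumption: "8 hex digits + 1" means eight hex digits plus one optional character.
HEX_DLL = re.compile(r"^[0-9a-f]{8}[0-9a-z]?\.dll$", re.IGNORECASE)
SILON_INPROC = r"HKEY_CLASSES_ROOT\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32"
EXPECTED_MSIMTF = r"c:\windows\system32\msimtf.dll"


def _unescape(s):
    # .reg string data escapes quotes as \" and backslashes as \\ .
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    '@' is the default value. String data is unquoted and unescaped; other types
    (dword:, hex:) are kept as raw text. Multi-line hex continuations are not
    joined, which is enough for the string values these checks look at.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def check_drivers32(keys):
    """Drivers32 entries whose DLL name is a hex blob rather than a driver name."""
    return [(name, data) for name, data in keys.get(DRIVERS32, {}).items()
            if HEX_DLL.match(data.rsplit("\\", 1)[-1])]


def check_silon_inprocserver(keys):
    """Return the InProcServer32 default if it is not the expected msimtf.dll, else None."""
    data = keys.get(SILON_INPROC, {}).get("@")
    if data is None or data.lower() == EXPECTED_MSIMTF:
        return None
    return data


def serial_from_vol_output(vol_text):
    """Extract the 8 hex digits (hyphen removed) from the output of the vol command."""
    m = re.search(r"Volume Serial Number is ([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})", vol_text)
    return (m.group(1) + m.group(2)).upper() if m else None


def find_keys_with_serial(keys, serial):
    """Key paths that embed the volume serial, as the post says Silon's config key does."""
    return [k for k in keys if serial and serial.lower() in k.lower()]


def scan(reg_text, vol_text=""):
    keys = parse_reg_export(reg_text)
    serial = serial_from_vol_output(vol_text)
    return {
        "hex_drivers": check_drivers32(keys),
        "silon_inprocserver": check_silon_inprocserver(keys),
        "serial": serial,
        "serial_keys": find_keys_with_serial(keys, serial),
    }


if __name__ == "__main__":
    # Constructed vol output matching the sample export above.
    VOL = " Volume in drive C has no label.\n Volume Serial Number is 6C2F-91B0\n"
    for item, value in scan(SAMPLE_REG, VOL).items():
        print(f"{item}: {value}")
```

Export the relevant hives with regedit (File > Export) and pass the text to scan() together with the output of vol. The hex-name check only says that a name looks machine-generated, so confirm any hit against the DLL on disk before deleting keys.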

Removal

Despite the virus's obvious technical ability, the removal is incredibly simple. I am working on a quick video to show this graphically, but the below should certainly suffice in the meantime.

  • Open regedit and drill down into the HKCR\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32 key.
  • Open the default value and overtype the value data with the correct DLL location, namely c:\windows\system32\msimtf.dll.
  • Restart the PC.
  • Locate and delete the malicious DLL from the c:\windows\system32 folder. (Sometimes the DLL is hidden, so you need to ensure hidden files are visible: Tools > Folder Options > View > Show Hidden Files and Folders.)
  • Delete the registry key named with your C:\ serial.
  • Delete the located dump files from your hard drive, retained within C:\Windows\temp.

The dropper / installer is not yet understood, so re-infection if it is executed again is highly possible.



Oct 19 2008

First attempt – Binary ‘analysis’.

Category: Malware, Practical, Programs, TrojanParker @ 9:11 pm

Trojan-Downloader.WMA.Wimad.o

Well, having tried for a few days to find a good source of viruses to play with and having come up with little except spyware, I visited my parents for Sunday Roast (Lamb, it was good). Whilst fixing their second PC, which is used by my sisters to download music via Limewire, I find that Nod32 has detected and quarantined 20 viruses so far, including Trojans. Finally giving me something to play with…

So roll up the first file, "Sam Sparo Black n Gold Sexy girl has shaking orgasm.mp3" – 450KB

OK, so initially I learned two things here.

  1. DO NOT take a regshot before you open Windows Media Player for the first time, the amount of registry changes it will make will make locating malware related additions a nightmare.
  2. IDA is completely above my head. I will have to learn what all those codes mean.

Beyond that I was able to see a few things changing and some data packets that indicated linked oddities.

Firstly the Trojan connects to a site at http:// 208.91.207.92 and issues a number of GET requests to load images; see the examples below (can you guess what kind of site it is?):

GET /r/100x100/w/r/Trouble702-19.jpg HTTP/1.1
GET /r/100x100/w/r/boredxxx-18.jpg HTTP/1.1
GET /r/100x100/w/r/caliCockluvr-30.jpg HTTP/1.1
GET /r/100x100/w/r/35608-S-3.jpg HTTP/1.1
GET /r/100x100/w/r/Trisha_69-20.jpg HTTP/1.1
GET /r/100x100/w/r/Savana-20.jpg HTTP/1.1
GET /r/100x100/w/r/sexyhannah-30.jpg HTTP/1.1
GET /r/100x100/w/r/fuckmyass-22.jpg HTTP/1.1
GET /user-images/12940/12940122-S-0.jpg HTTP/1.1
GET /user-images/9473/9473802-S-3.jpg HTTP/1.1

Having done all of that and loaded a new IE7 window full of naughty pics, some odd network traffic picks up. From my potentially flawed viewpoint it looks like an attempt to first find out whether I'm behind a router and then attempt a remote connection.

192.168.0.13 192.168.0.1 ICMP Echo (ping) request
192.168.0.1 192.168.0.13 ICMP Echo (ping) reply
64.13.192.114 192.168.0.13 TCP http > remote-as [FIN, ACK] Seq=869 Ack=202 Win=6432 Len=0
192.168.0.13 64.13.192.114 TCP remote-as > http [ACK] Seq=202 Ack=870 Win=16812 Len=0
Z-Com_97:c9:39 Broadcast ARP Who has 192.168.0.1?  Tell 192.168.0.13
Netgear_bf:c2:8c Z-Com_97:c9:39 ARP 192.168.0.1 is at 00:0f:b5:bf:c2:8c
192.168.0.13 192.168.0.1 ICMP Echo (ping) request
192.168.0.1 192.168.0.13 ICMP Echo (ping) reply
192.168.0.13 85.92.200.253 TCP brvread > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
87.248.211.192 192.168.0.13 TCP [TCP Retransmission] [TCP segment of a reassembled PDU]
192.168.0.13 87.248.211.192 TCP td-postman > http [ACK] Seq=486 Ack=1361 Win=17680 Len=0 SLE=1416 SRE=1417
87.248.211.192 192.168.0.13 HTTP [TCP Retransmission] HTTP/1.1 200 OK  (PNG)
192.168.0.13 87.248.211.192 TCP td-postman > http [ACK] Seq=486 Ack=1417 Win=17625 Len=0
192.168.0.13 64.13.192.114 TCP remote-as > http [RST, ACK] Seq=202 Ack=870 Win=0 Len=0
192.168.0.13 87.248.211.192 TCP td-postman > http [FIN, ACK] Seq=486 Ack=1417 Win=17625 Len=0
87.248.211.192 192.168.0.13 TCP http > td-postman [ACK] Seq=1417 Ack=487 Win=65534 Len=0
192.168.0.13 208.67.222.222 DNS Standard query A playmoviesx.com
208.67.222.222 192.168.0.13 DNS Standard query response A 64.20.49.14
192.168.0.13 64.20.49.14 TCP kiosk > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
64.20.49.14 192.168.0.13 TCP http > kiosk [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1360
192.168.0.13 64.20.49.14 TCP kiosk > http [ACK] Seq=1 Ack=1 Win=17680 Len=0
192.168.0.13 64.20.49.14 HTTP GET /go/?a=vidwmv&t=search&cmp=wmv_audio&embedded=false HTTP/1.1
64.20.49.14 192.168.0.13 TCP http > kiosk [ACK] Seq=1 Ack=388 Win=6432 Len=0
64.20.49.14 192.168.0.13 HTTP HTTP/1.1 301 Moved Permanently  (text/html)
192.168.0.13 208.67.222.222 DNS Standard query A www.playmoviesx.com
192.168.0.13 64.20.49.14 TCP kiosk > http [ACK] Seq=388 Ack=764 Win=16917 Len=0
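
To make a capture like the one above easier to read, here is an added Python example (not from the original post) that summarises packet-list lines in this layout: it records the DNS names queried and what they resolved to, tallies the public addresses the local host talked to and with which protocols, lists outbound TCP SYNs and HTTP request paths, and labels each external address with the name that resolved to it. It also copes with a query whose name wrapped onto the next line, as happens in the listing above. The sample lines are a constructed excerpt modelled on the capture in this post; the column layout (source, destination, protocol, info) is the only assumption about the format.

```python
import ipaddress
import re

# Constructed excerpt in the layout of the packet-list lines quoted in the post
# (source, destination, protocol, info). The last query is split across two lines
# on purpose, as it appears in the listing, so the parser has to cope with it.
SAMPLE_CAPTURE = """\
192.168.0.13 192.168.0.1 ICMP Echo (ping) request
192.168.0.1 192.168.0.13 ICMP Echo (ping) reply
Z-Com_97:c9:39 Broadcast ARP Who has 192.168.0.1?  Tell 192.168.0.13
192.168.0.13 85.92.200.253 TCP brvread > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
192.168.0.13 208.67.222.222 DNS Standard query A playmoviesx.com
208.67.222.222 192.168.0.13 DNS Standard query response A 64.20.49.14
192.168.0.13 64.20.49.14 TCP kiosk > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
192.168.0.13 64.20.49.14 HTTP GET /go/?a=vidwmv&t=search&cmp=wmv_audio&embedded=false HTTP/1.1
64.20.49.14 192.168.0.13 HTTP HTTP/1.1 301 Moved Permanently  (text/html)
192.168.0.13 208.67.222.222 DNS Standard query A
www.playmoviesx.com
"""

PACKET_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(.*)$")


def parse_packet(line):
    """Split one packet-list line into its four fields, or return None."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    src, dst, proto, info = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "info": info.strip()}


def is_public(addr):
    """True for a routable IP address; False for private ranges and non-IP fields
    such as MAC addresses or 'Broadcast'."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def summarise(capture_text):
    dns = {}               # queried name -> answer (None until a response is seen)
    awaiting_name = False  # previous line was a DNS query whose name wrapped
    last_query = None
    external = {}          # public destination -> set of protocols used towards it
    syn_targets = []       # destinations the local host opened TCP connections to
    http_requests = []     # (destination, request path)
    for raw in capture_text.splitlines():
        pkt = parse_packet(raw)
        if pkt is None:
            # A bare line after a truncated query is the wrapped query name.
            if awaiting_name and raw.strip():
                last_query = raw.strip()
                dns.setdefault(last_query, None)
                awaiting_name = False
            continue
        awaiting_name = False
        if is_public(pkt["dst"]) and not is_public(pkt["src"]):
            external.setdefault(pkt["dst"], set()).add(pkt["proto"])
        if pkt["proto"] == "DNS":
            q = re.match(r"Standard query A\s*(\S*)$", pkt["info"])
            if q:
                if q.group(1):
                    last_query = q.group(1)
                    dns.setdefault(last_query, None)
                else:
                    awaiting_name = True
                continue
            r = re.match(r"Standard query response A (\S+)$", pkt["info"])
            if r and last_query:
                dns[last_query] = r.group(1)
        elif pkt["proto"] == "TCP" and "[SYN]" in pkt["info"]:
            syn_targets.append(pkt["dst"])
        elif pkt["proto"] == "HTTP" and pkt["info"].split(" ")[0] in ("GET", "POST"):
            http_requests.append((pkt["dst"], pkt["info"].split(" ")[1]))
    # Label external addresses with the name that resolved to them, where one did.
    ip_to_name = {ip: name for name, ip in dns.items() if ip}
    hosts = {ip: {"protocols": sorted(protos), "name": ip_to_name.get(ip)}
             for ip, protos in external.items()}
    return {"dns": dns, "external_hosts": hosts,
            "syn_targets": syn_targets, "http_requests": http_requests}


if __name__ == "__main__":
    for section, value in summarise(SAMPLE_CAPTURE).items():
        print(f"{section}: {value}")
```

Paste the packet-list columns from the analyser into a text file and feed it to summarise(); the external_hosts map is the short list to take to WHOIS, and the dns map shows which of those addresses the sample asked for by name rather than contacting directly.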

I'm guessing that the below GET request may be an attempt to utilise a script that can be dynamically updated and used to download further malware onto my PC, but am not 100% certain.

"GET /enter.php?prg=1&t=search&id=inxioltd2&cmp=wmv_audio HTTP/1.1"

When checking the DNS results for the main IPs you get one each for the UK, US and Netherlands, so no need to blame the Eastern Bloc or Chinese for this one.

Finally there seems to have been some kind of tracking taking place with an IP, 66.165.186.99, which is registered in the US. This IP conducts a TCP GET action against an imgcount.cgi string. There is also mention of instl_bootc, which is a request to Install Bootstrap Protocol Client, which I understand to be a prelude to the DHCP system and likely to offer any sites / attackers further IP / MAC address info for my machine and network.

So nothing mental going on that I could see: no obvious sign of new running processes or of opened listening ports, but given that this was my first bit of analysis, I have probably missed lots.

Packet Traffic Info File
Registry Info File