Monday, September 9, 2013

#8 Back to the future - Analysis of an old Downloader

This article is an analysis of a Downloader first discovered ITW in 2006. It is widely detected by Anti-Virus vendors, also several reports are available:

http://www.threatexpert.com/report.aspx?md5=a595b08e16a0605e34c9bc310af89c2c
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=285381
https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Bckdr-QIB/detailed-analysis.aspx

It uses a couple of interesting techniques, although it later showed some were implemented in a sloppy way:

- Uses some sort of code obfuscation
- Sensitive strings are encrypted
- uses a kernelmode driver to hide its process

Virustotal statistics indicate this downloader is still in use, although the server of the sample I have analyzed isn't available anymore (more samples see Appendix).

Sample (UPX packed)
Target machine: x86
Size: 13.824 bytes
Compilation timestamp: 2006-11-25 19:29:09
SHA1: f18803def56bf6bfb067459ee6a9589d9f135c29
Virustotal: https://www.virustotal.com/de/file/2f771a5e0c9cda7bf8a6a771ba62585babb2df4eaa8be82accd9a3ca81d883a8/analysis/
Download (pw: infected): https://www.dropbox.com/s/8831saoza7nc1f7/downloader_f18803def56bf6bfb067459ee6a9589d9f135c29.zip
Appendix samples (pw: infected): https://www.dropbox.com/s/u4fei8nszhbwnn0/Appendix_samples.zip

Sunday, August 11, 2013

#7 Brief description of a signed Adware/PUP Downloader

To publish articles more frequently and thus making this Blog a bit more interesting, I decided to drop my intention to only write "in-depth" analyses about "special" malware. From today, I start to also release information about my "every day" discoveries, which in the past always ended up in the trash (and there was a lot of them :-)). Of course, these "every day" Blogposts can not be that technical and detailed as a complete malware analysis, but I hope it's interesting anyway.

To start with, this Blogpost is something like a warming phase to my upcoming article about a cross-platform (x86/x64) "Adware" family with some interesting techniques.

So let's go...

The downloader comes in two different sizes (376.9 KB, 381.5 KB) and with a lot of instances (see list of hashes at the end). Two samples of each size can be downloaded here:

Sample - 376.9 KB
VT Report: https://www.virustotal.com/en/file/12f5186551b9df98b7f994b69cebddc379141703204e313fe92497923bd1cca4/analysis/
Download (PW: infected): https://www.dropbox.com/s/djnja6c7fs5g9nu/Signed_AdwarePUP_Downloader_376-9.zip

Sample - 381.5 KB
VT Report: https://www.virustotal.com/en/file/0979c745740bf09e1ad53fd5e15b0753a6be6493cadbad9b94781e013b440155/analysis/
Download (PW: infected): https://www.dropbox.com/s/caul2lpb7y4apa2/Signed_AdwarePUP_Downloader_381-5.zip

Wednesday, June 19, 2013

#6 South Korea Incident - Analysis of a tiny Downloader

In this short Blogpost I am going to dissect a Downloader which is part of the ongoing "1Mission" campaign against targets in South Korea (thanks Chae Jong Bin for pointing me at). The Downloader comes in the form of a DLL and has the small size of 4 KB. What remains unknown is the way the DLL gets executed (through exploit/loader/...). Except its small size there isn't anything special about this malware. Unfortunately the file it wanted to download isn't available anymore, so there is no chance to dig deeper...

DLL sample
Size: 4.096 Bytes
Timestamp: 2013-05-30 03:54:37
MD5: 17e3e09c27d26c81c9f33882279d6319
SHA1: c467f59cddba2d029044f6f2b22b6b2123b341b6
Report: https://www.virustotal.com/en/file/5b011ebdf1a5a0fd93a933cb40b59fcb8c35667529e28cf0c9d63f92985c4d5d/analysis/
Download: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2690&p=19700#p19700

Wednesday, April 24, 2013

#5 South Korea Incident - New Malware samples

A few weeks ago, I started to reverse engineer a malicious x64 .dll (see Parts section below, No. 2) to begin to learn x64 (dis)assembly. From analysis it became apparent that the .dll was part of a bigger malware package. After a while searching on the Internet, I found some Droppers which contained similar files to the one I was analyzing. Luckily some of the files of these Droppers contained .pdb debug strings. At the same time there were the "South Korean Cyber Attacks" on banks and broadcasting organizations (see: http://www.symantec.com/connect/blogs/south-korean-banks-and-broadcasting-organizations-suffer-major-damage-cyber-attack and http://www.symantec.com/connect/blogs/are-2011-and-2013-south-korean-cyber-attacks-related). As it turned out, the Droppers I found are from the same attackers like described in the Symantec article. So I did another search on the Internet to find more malware samples which I will now present in this article. For me, it would take a long time to analyze all these samples, so I release them now that other people can also take a look at them.

To make it clear, this Blogpost is just an overview of the various malware samples and no analysis! Therefore all credit goes to the people who provided me the samples: Chae Jong Bin (MD5 hashes), Artem Baranov (samples), Xylitol (samples).

Sunday, January 20, 2013

#4 Analysis of an uncommon Downloader

This will be a quick analysis of a Downloader I recently came across (thanks to Artem for providing the sample!). What makes this malware special is the uncommon programming language which it uses to accomplish its tasks (actually a scripting language). The malware itself is very rudimentary, only the actual Downloader (spawns a shellcode) is a bit more advanced. Unfortunately the server isn't responding to the requests from the Downloader, so it is unclear what final purpose this malware has. I think the scripting languages and the shellcode were chosen to evade AV (heuristic) detections. The detection rates of the Dropper are still very low (6/46), even 2 years after its creation:

https://www.virustotal.com/file/5cc4dde981052073f4ddef5d67d0bf5d38a2777d7ed810f97b69b8e3c8e5b776/analysis/

I haven't uploaded the dropped files, but I guess detections rates are also very low if at all. This task is left to the reader. ;-)

What is interesting about this malware:
- Makes use of Gentee scripting language (actually uses CreateInstall, which was coded in Gentee)
- Makes use of AutoIt scripting language
- Spawns a shell to download additional component(s)

A dynamic analysis of this malware can be found at malwr.com:
http://malwr.com/analysis/dbabce375de619916e727d24679c6bd3

I try to give some additional information, so let's start with the Dropper.

Note: All files of this malware have the extension ".com", but they are all .exe files (just renamed to .com).

Thursday, December 27, 2012

#3 Disclosure of another 0day malware - Update and Additional Information

At first I will provide an overview of the current AV detection rates, almost 2 weeks after publishing the MD5 hashes of this malware. I will also release the samples, so you can analyze it by yourself, if you are interested. Thereafter I show the statuses of the (known) Servers involved in this threat and give the directory listings. Next, I try to shed some light into the origin of this malware. At last I will provide a brief analysis of an older version of this malicious software (thanks Artem for providing the sample!). This older version is mentioned in the following reports:

https://www.symantec.com/security_response/writeup.jsp?docid=2011-090714-2907-99&tabid=2
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FSukwidon.A
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=622012

Sunday, December 16, 2012

#3 Disclosure of another 0day malware - Analysis of the final Payload (Part 3)

In the last Part of this series I partly analyzed the final Payload. I haven't finished the analysis of the malware due to lack of time (and interest), but I will provide as much as information I have discovered. It looks like this malware is a classic spying tool (information gathering), but it would be interesting to know who is the attacker and who are the victims. Unfortunately I don't have a chance to reveal the identity of both and speculation is also not possible since the lack of any hints.
The final Payload also wasn't uploaded to Virustotal, so the detection rates supposedly are very low.

Final Payload
Sample: netui.dll
Size: 37.376 Bytes
Timestamp: 09.06.2012 12:27:19
MD5: AA3E6AF90C144112A1AD0C19BDF873FF

We start by examing the Export functions of this .dll.