https://www.symantec.com/security_response/writeup.jsp?docid=2011-090714-2907-99&tabid=2
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FSukwidon.A
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=622012
Detection rates
Now that all malware samples have been uploaded to VirusTotal, here are the current detection rates:
Initial Dropper
Sample: sample.dll
MD5: D4E99548832B6999F00E8D223C6FABBD
https://www.virustotal.com/file/d5debe5d88e76a409b9bc3f69a02a7497d333934d66f6aaa30eb22e45b81a9ab/analysis/1356639455/
Detection ratio: 28/46
Downloader
Sample: netids.dll
MD5: CCAB60D3B6AA5FA0C23A5AE59EABCF54
https://www.virustotal.com/file/4a9efdfa479c8092fefee182eb7d285de23340e29e6966f1a7302a76503799a2/analysis/1356639377/
Detection ratio: 29/46
2nd Dropper
Sample: msmvs.exe
MD5: 66F368CAB3D5E64475A91F636C87AF15
https://www.virustotal.com/file/e8ac9acc6fa3283276bbb77cff2b54d963066659b65e48cd8803a2007839af25/analysis/1356639177/
Detection ratio: 22/46
3rd Dropper
Sample: conhost.dll
MD5: F1704AAF08CD66A2AC6CF8810C9E07C2
https://www.virustotal.com/file/74bdd9c250b0f4f27c0ecfeca967f53b35265c785d67406cc5e981a807d741bd/analysis/1356638799/
Detection ratio: 19/46
Final Payload
Sample: netui.dll
MD5: AA3E6AF90C144112A1AD0C19BDF873FF
https://www.virustotal.com/file/4536650c9c5e5e1bb57d9bedf7f9a543d6f09addf857f0d802fb64e437b6844a/analysis/1356639260/
Detection ratio: 14/46
You can find the (decrypted) samples on Kernelmode.info: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2308
Server statuses
The older malware variant contacts a server (70.85.221.10) which is still online and responding. Together with the first 2 servers from my analysis (Parts 1-3), that makes 3 servers in total, with the following statuses (and brute-forced directory listings):
200.106.145.122:
This was the server from which the final payload of my analysis (staged through 2 droppers) was downloaded.
Status: Down
200.74.244.118:
This is the server to which the final payload of my analysis uploads the (encrypted) information it has gathered.
Status: Online and responding
Directory listing:
/~dr/
/~mk/
/~rpc/
/~aaxx/
/~agvn/
/~aman/
/~bint/
/~ckhp/
/~fact/
/~gale/
/~loox/
/~maxx/
/~mkrp/
/~pick/
/~qane/
/~qmbv/
/~rbtk/
/~rimm/
/~root/
/~sbts/
/~song/
/~take/
/~tamy/
/~tset/
/~wong/
/~ytak/
/~zwxc/
/~mailnull/
/~operator/
/cgi-bin/
/error/
/error/include/
/icons/
70.85.221.10:
This is the server of the older version of this malware (see below).
Status: Online and responding
Directory listing:
/~baq/
/~alex/
/~aspn/
/~avmk/
/~bard/
/~blxk/
/~book/
/~crpc/
/~ford/
/~loxx/
/~maxx/
/~mntp/
/~pisk/
/~root/
/~svtq/
/~tomy/
/~xpcs/
/~yopo/
/~zomo/
/~mailnull/
/~operator/
/cgi-bin/
/error/
/error/include/
/icons/
We know that the individual directory a malware sample contacts is hardcoded into it (e.g. "/~bint/" -> see Part 3). We also see that the directories used consist of 2 to 4 characters after the "~". I think the directories "/~mailnull/" and "/~operator/" are used by the attacker for other purposes. So we have in total 27 (200.74.244.118) + 19 (70.85.221.10) = 46 malware samples on these 2 (known!) servers. Considering the purpose (information gathering, keylogging, ...) and the exploits used by the older sample (see https://www.symantec.com/security_response/writeup.jsp?docid=2011-090714-2907-99&tabid=2 -> CVE-2009-3129, CVE-2010-3333), I would claim this malware was and still is used for targeted attacks. Unfortunately I am unable to do any further analysis (who are the victims?), since I am not working for an AV company.
Malware origin
From the older sample's server address I gathered some information via whois requests and Google searches. It looks like the malware's author speaks Russian, and the personal data he used suggests he is from Georgia. Of course this is just speculation, since hard facts are not available. But we should keep in mind that most quality malware comes from the Russian Federation and its ex-Soviet allies, that's a fact! :-)
The author registered a couple of domains (some are still up), always with the same personal data:
"...
Registrant Name:Sofy T Gavashelishvili
Registrant Organization:
Registrant Street1:prospekt Revolucii, d.14
Registrant Street2:
Registrant Street3:
Registrant City:selo Elizavetovka
Registrant State/Province:AL
Registrant Postal Code:396446
Registrant Country:RU
Registrant Phone:+7.9645646929
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:sofy.gavashelishvili@gmail.com
..."
This person owns or owned the following domains:
Still up:
hothookup.net
junlper.net
Helpmicrosoft.net
Down:
windous.kz
sunmicrosystem.info
sweetcherry.org
Wind0ws.kz
sex-toy-shop.org
Regarding the whois information for his newer domains (200.74.244.118 and 200.74.244.118 -> see Parts 1+2 in the Appendix), where no public traces were left, I consider these older domains something from his past.
Older Malware Variant
Since this older variant uses various techniques already seen in the newer one, I will only show some notable parts.
Downloader
Sample: sample.dll
Size: 12,288 bytes
Timestamp: 01.12.2010 07:16:04
MD5: 9e4817f7bf36a61b363e0911cc0f08b9
https://www.virustotal.com/file/9E4817F7BF36A61B363E0911CC0F08B9/analysis/
Decrypted strings:
n%D,3
GetProcAddress
LoadLibraryA
Sleep
KERNEL32.dll
??3@YAXPAX@Z
??2@YAPAXI@Z
__CxxFrameHandler
_EH_prolog
MSVCRT.dll
free
_initterm
malloc
_adjust_fdiv
dll.dll
Init1
Started
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
%.2x%.2x%.2x%.2x%_%s
brvc
sptr
http://%s/~%s/cgi-bin/%s.cgi?%s
msmvs.exe
dll:%.8x
ins:%.8x
netui.dll
aspn
70.85.221.10
kernel32.dll
GetProcessHeap
WaitForSingleObject
SetErrorMode
HeapFree
HeapAlloc
lstrlenA
CloseHandle
WriteFile
GetTempPathA
CreateFileA
GetLastError
DeleteFileA
Sleep
CreateThread
MultiByteToWideChar
WideCharToMultiByte
SetCurrentDirectoryA
CreateProcessA
GetVolumeInformationA
msvcrt.dll
memset
memcpy
strchr
sprintf
strstr
wcsstr
user32.dll
SetForegroundWindow
GetForegroundWindow
ole32.dll
CoInitialize
CoUninitialize
CoCreateInstance
oleaut32.dll
SysAllocString
SysFreeString
SafeArrayCreateVector
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayDestroy
First, we can see that there are 10 "NOP" instructions between some code blocks. The purpose of these NOPs is unknown to me; maybe it has something to do with the exploits used (see above). Another idea is that they are used to fool AV signatures and prevent detection (in other variants these NOPs may be garbage code instead).
Figure 1: NOP instructions between a couple of code blocks
This variant from 2010 also uses the anti-emulation (anti-AV) technique described in my previous articles:
mov   [ebp+var_24], 54AF97E1h   ; store a 32-bit constant in a local variable
movd  mm0, [ebp+var_24]         ; load it into MMX register mm0 (upper dword zeroed)
pslld mm0, 2                    ; packed shift-left of each doubleword by 2 bits
movd  [ebp+var_24], mm0         ; write the shifted value back (0x52BE5F84 when MMX is executed correctly)
As for information gathering, it only reads the volume serial number to build the following string, which is later sent to the server:
<VolumeSerialNumber>_U
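The directory listings above (user directories of 2 to 4 characters, one hardcoded per sample) and the request layout decrypted from the older sample's strings (http://%s/~%s/cgi-bin/%s.cgi?%s, with a <VolumeSerialNumber>_U query) together give a usable network signature. The following is an added example, not code from the article, that scans constructed proxy log lines for that layout and tags hits against the three server addresses named in this series; the log format, the client addresses and the 203.0.113.7 "unknown server" are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Request layout decrypted from the older sample's strings:
#     http://%s/~%s/cgi-bin/%s.cgi?%s
# Every user directory on both listed servers had 2 to 4 alphanumeric
# characters after the "~", which is the constraint this rule keys on.
C2_PATH_RE = re.compile(
    r"^/~(?P<userdir>[A-Za-z0-9]{2,4})/cgi-bin/(?P<script>[^/?]+)\.cgi$")

# Victim identifier as built by the older variant: "<VolumeSerialNumber>_U",
# i.e. 8 hex digits, an underscore and a short suffix.
VICTIM_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}_[A-Za-z0-9]+$")

# Servers named in the article, used to tag hits against known infrastructure.
KNOWN_SERVERS = frozenset({"70.85.221.10", "200.74.244.118", "200.106.145.122"})

# Constructed proxy log lines (not from the article):
#   timestamp client method url status
SAMPLE_LOG = """\
2012-12-27T10:00:01Z 10.0.0.5 GET http://70.85.221.10/~aspn/cgi-bin/brvc.cgi?d4e99548_U 200
2012-12-27T10:00:07Z 10.0.0.5 GET http://www.example.com/index.html 200
2012-12-27T10:01:15Z 10.0.0.9 GET http://203.0.113.7/~bint/cgi-bin/sptr.cgi?1234abcd_U 200
2012-12-27T10:02:00Z 10.0.0.7 GET http://intranet.example.com/~mailnull/cgi-bin/test.cgi?x=1 404
2012-12-27T10:03:00Z 10.0.0.7 GET http://intranet.example.com/~devteam/cgi-bin/build.cgi?job=7 200
"""


def parse_line(line):
    """Split one constructed log line into its five fields."""
    timestamp, client, method, url, status = line.split()
    return {"timestamp": timestamp, "client": client, "method": method,
            "url": url, "status": int(status)}


def match_c2_request(url):
    """Return the decomposed request if the URL follows the
    /~<dir>/cgi-bin/<script>.cgi layout, otherwise None."""
    parts = urlsplit(url)
    m = C2_PATH_RE.match(parts.path)
    if m is None:
        return None
    return {
        "host": parts.hostname,
        "userdir": m["userdir"],
        "script": m["script"],
        "query": parts.query,
        # a query shaped like the volume-serial victim id raises confidence
        "victim_id_shape": bool(VICTIM_ID_RE.match(parts.query)),
        "known_server": parts.hostname in KNOWN_SERVERS,
    }


def find_beacons(log_text):
    """Scan a proxy log and return every request matching the layout."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = match_c2_request(rec["url"])
        if m is not None:
            hits.append({**rec, **m})
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(h["client"], "->", h["host"], h["userdir"], h["script"], h["query"],
              "known-server" if h["known_server"] else "unknown-server",
              "victim-id-shape" if h["victim_id_shape"] else "")
```

The two intranet lines show why the length constraint matters: "/~mailnull/" and "/~devteam/" use the same ~user/cgi-bin layout that ordinary web servers expose, so the rule only fires on the short directory names seen on the malware servers, and the victim-id check on the query separates a real beacon from a coincidental path match.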
The most interesting part is the network communication with the server. The malware uses a technique that was unknown to me, but it turned out to be a very old method: it uses COM (the Component Object Model) to create an invisible instance of Internet Explorer (iexplore.exe).
Figure 2: "Invisible" Internet Explorer process
This way it doesn't have to use suspicious API functions (Socket, WinInet or URLMon API functions), but can reach the same goal by calling the IWebBrowser2 interface functions instead. Additionally, on most workstations Internet Explorer is a trusted process in desktop firewall rules. The drawback of this method is, for example, that when Internet Explorer is not the default browser a window pops up asking to make it the default. There are other situations where a window can pop up and thus reveal the malware's presence. The technique of driving Internet Explorer through COM is described in Nick Harbour's excellent article:
https://www.mandiant.com/blog/reversing-malware-command-control-sockets/ -> Controlling Internet Explorer with COM
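Because the traffic really comes from iexplore.exe, firewall rules and user-agent filtering do not help; the endpoint side is where this stands out. The following is an added example, not code from the article or from Nick Harbour's post, that hunts in constructed process-creation and network-connection events (Sysmon-like shape, ids 1 and 3) for Internet Explorer instances that were started by COM activation and then connected to a bare IP address. It assumes that a COM-activated local server is launched with the -Embedding switch and that its parent is the svchost.exe hosting the COM service control, not the infected process; both are stated as assumptions in the comments, and the event records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed endpoint telemetry in a Sysmon-like shape (not from the article):
# id 1 = process creation, id 3 = network connection, joined on pid.
# Assumption: COM activation starts iexplore.exe with "-Embedding" and the
# parent is svchost.exe (COM service control), so the parent never points at
# the process that called CoCreateInstance.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 3120, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding',
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "pid": 3120, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dest_host": "70.85.221.10", "dest_port": 80},
    {"id": 1, "pid": 4410, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 4410, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dest_host": "www.example.com", "dest_port": 80},
    {"id": 1, "pid": 5000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding',
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "pid": 5000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dest_host": "update.example.com", "dest_port": 443},
]


def is_com_activated_ie(event):
    """Process-creation event for iexplore.exe carrying the -Embedding switch
    (assumed marker of COM activation)."""
    return (event["id"] == 1
            and event["image"].lower().endswith("\\iexplore.exe")
            and "-embedding" in event["cmdline"].lower())


def is_raw_ip(host):
    """True when the destination was addressed by IP rather than by name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_ie_sessions(events):
    """Map pid -> destinations for COM-activated IE instances that reached a
    bare IP address. Interactive IE (pid 4410) is ignored; COM-activated IE
    that only talks to named hosts (pid 5000) is kept out of the result."""
    com_pids = {e["pid"] for e in events if is_com_activated_ie(e)}
    conns = defaultdict(list)
    for e in events:
        if e["id"] == 3 and e["pid"] in com_pids:
            conns[e["pid"]].append(e["dest_host"])
    return {pid: hosts for pid, hosts in conns.items()
            if any(is_raw_ip(h) for h in hosts)}


if __name__ == "__main__":
    for pid, hosts in find_suspicious_ie_sessions(SAMPLE_EVENTS).items():
        print(f"COM-activated iexplore.exe pid {pid} contacted {hosts}")
```

Legitimate software (Office, installers) also activates Internet Explorer through COM, so this is a hunting heuristic rather than an alert on its own; the session identified here is what you then join against the proxy signature for the /~<dir>/cgi-bin/ request layout.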
The purpose of this older variant is to download the file "msmvs.exe" from the server and execute it. So it is similar to the newer variant, except that it isn't encapsulated in a dropper.
The End (finally!!)
I think I might have asked before - Don't suppose you saved a copy of those files on the open server and would be willing to share with other security researchers?
Nice write-up :)
You can find all the samples here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2308&hilit=0day