One wrong click… Techniques to analyze malicious code Tyler Hudak

One wrong click…

Techniques to analyzemalicious code

Tyler Hudak

What we will cover

Techniques to “externally” analyze malware General do’s and don’ts of analysis An analysis of an actual malware in the wild

What we will NOT cover

How to debug / disassemble malware Every possible tool available Every possible malware infection vector Malware obfuscation or anti-forensics techniques

WARNING!!!

The examples used within are real-world examples.

If you go to these sites with an unprotected machine you WILL get infected.

You have been warned.

Why learn malware analysis?

Eventually you will find unknown malware in your systems

You can either wait for the AV companies to analyze it or do it yourself

It’s fun!!!

Our lab You should ALWAYS analyze malware on a “throw away” system NEVER use a machine on a production network VMWare is an excellent tool for this:

• Can easily restore to a previous point in time

• Can control network access of virtual OS

• Images allow re-use

• Almost limitless OS’ available (Windows, Linux, Solaris, Netware, *BSD, MS-DOS, …)

Our lab

Host OS: Mandriva Linux LE 2005

Guest OS: Win XP SP1 (installed from disk – no patches) NAT networking

Host OS

192.168.1.1

Guest OS

192.168.1.2

Our situation

User complains about slow PC or IDS picks up unusual activity Investigating shows unknown processes running on PC Looking through web logs/Internet cache shows access to suspicious site http://play.joyiex.com/love.htm

Let’s begin!

Copying malware off

In initial stages, you would normally copy the unknown process/files off and do analysis on them before anything else. For the sake of the presentation, let’s pretend you can’t do that.

Checking out the site

We need to check out the site the user went to

Never go to the site in a web browser

Download the source page using a tool (wget, curl, etc)

love.htm

love.htm opens up three 0 by 0 iframes to download three more web pages

This is a commonly used technique by spyware to load malicious code

Use wget to download the other three to analyze

ip.htm Runs JavaScript from union1.50bang.com

Sends information about your computer (browser, screen resolution, color depth) to www.50bang.com

Sets a cookie with a unique ID

50bang.com is in China – the same as joyiex.com

zx.htm

Contains obfuscated JavaScript that gets executed

Cannot tell what the JavaScript does

However, modifying the code and loading it into a browser reveals what it does

zx.htm modifiedCode is modified to display a popup instead of writing the decoded JavaScript

zx.htm decoded

zx.htm JavaScript uses a known vulnerability (MS04-013) to trick IE into executing a CHM file in the local zone context

This allows malicious code – zx.htm within zx.chm in this case – to be downloaded and executed on the local machine.

More information on MS04-013 at http://www.securityfocus.com/bid/9658/info.

Use wget to download zx.chm to examine

zx.chmWe’d like to look at zx.chm to see what it does but it will most likely execute malicious code upon opening

Use KeyTools Utilities from KeyWorks Software to decompile CHM file

Do NOT use the ‘Examine CHM File’ option as it may launch the malicious code

Use the ‘Decompile’ Option

zx.chm decompiled

Decompiling finds 3 files zx.exe (18,540 bytes) – we’ll see this later zx.htm – HTML file which runs zx.exe zx.hhp – MS Help Project file (created by

KeyTools)

sp2/sp3.htm Calls a variant of a Windows XP SP2 remote

execution technique (patched by MS05-001)

Uses multiple vulnerabilities to execute bbs003302.gif (encoded vbscript)

Not sure what bbs00302.gif does, but can wager a guess it executes bbs00302.css, but what does that do?

File analysis

Lots of tools that should be used to analyze a file

Run ‘file’ against it to see what it is

Should hash the file as well using your favorite cryptographic hash

Can google for the hash and hope for results

String Analysis

Look for any readable strings in the executable using ‘strings’ or ‘bintext’ from Foundstone

Not many readable strings in bbs003302.css, but it looks to be packed with FSG

Packed executables

Programs available which “pack” executables making them smaller and harder to analyze

• upx, aspack, fsg, etc

Have to download an unpacker else dump it from memory bbs003302.css is packed with FSG (look for FSG! in file)

Use unfsg2.0 to unpack and run through bintext again

Unpacked bbs003302.css

Lots of references to registry entries within the unpacked file

Appears to overwrite registry entries to an unknown value

Also looks like it will start up on boot

References osrss.exe and coniem.exe

What do we know so far?

Go to website and three web pages open One of the pages sends information about your computer to China Two others launch exploits and execute code on your local machine

So – let’s go to the site and see what happens!

Before Infection

Need to do a couple of steps before we infect our VMWare image

1. Create a snapshot of our image2. Set up a sniffer3. Set up the tools on our VMWare image

Sniffer

Want to record any network traffic from our malware

Use whatever sniffer you prefer (tcpdump, Ethereal, Snort, etc)

Capture entire packet for reconstruction later

Regshot

Takes and compares snapshots on a computer of the registry entries and files We’ll take a snapshot before and after infection From this any new/modified/deleted files will be found

Regmon / Filemon / TDIMon

Monitors registry, files access and network access on a computer

We can use this to find out what process is doing what

All are available from www.sysinternals.com

Let’s get infected!

Once our tools are set up and running we can go to the website and get infected.

After a minute or two we stop the tools and begin analysis.

Post Infection Steps

Run second regshot and compare Run post-infection tools Save data off of VMWare image Pause VMWare Analyze

Regshot Compare

The regshot compare showed a number of interesting things

New files: C:\WINDOWS\system32\he1p.exe C:\WINDOWS\system32\she11.dll C:\WINDOWS\OSRSS.exe C:\arcldrer.exe

Regshot Compare

New / changed registry entries HKU\<USER>\Software\Microsoft\Windows\

CurrentVersion\Run\ctfnom.exe: "C:\WINDOWS\OSRSS.exe“

HKU\<USER>\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: "1“

HKU\<USER>\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage: "1“

HKLM\SOFTWARE\Classes\txtfile\shell\open\command\: "C:\WINDOWS\System32\he1p.exe "%1""

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: "0"

Post infection tools

pslist Dumps

current process list

Shows OSRSS running

Does not see any other files added running

Post infection tools

F-port Shows what

programs are listening to what ports

Does not see any unusual processing listening to a port

What we know so far

The infection caused 4 files to appear Only 1 file is currently running Nothing is listening on the network OSRSS.exe is set to start on boot he1p.exe will run whenever a .txt file is opened A number of Windows items were locked down to prevent us from fixing things easily

Copying

Next we copy all of our data off of the image

Make sure you grab any new files as well

Use VMWare’s Shared Folders, SSH or FTP

Once finished, pause VMWare image

File analysis

4 files were created from the infection

It might be useful to look at them before we proceed

Notice that the file sizes on three of the files are the same, and are the same as zx.exe.

This is very unusual – they could be the same file.

File analysis

• Next, ‘file’ is run against them.

• The three files are Windows executables.

• she11.dll is a text file containing “http://www.joyiex.com”

File analysis

• Finally, check the md5sum of each file.

• The same hash on the exe’s means they are the same file

• A quick look with bintext shows these are packed with FSG as well.

File analysis

• One of the files is unpacked with unfsg2.0 and put through bintext

• Has many of the same strings as seen with bbs003302.css

• However, references to coniem.exe replaced with he1p.exe

• Perhaps different versions of malware?

Timeline

Since we still don’t know much about what the programs did we can look at other logs.

Useful to create a timeline from tdimon, filemon, regmon and ethereal logs.

Load filemon and regmon into spreadsheet and sort by time - they have more accuracy.

You can use this to start your timeline and add in the other logs as you progress.

Timeline

Keep a running log of interesting events for each process.

Expect to have LOTS of entries to go through.

13:03:49.211 – IE downloads http://play.joyiex.com/love.htm

13:04:00.247 – IE copies zx.exe into c:\windows\downloaded program files

13:04:00.305 – IE executes zx.exe

13:03:54.568 – IE drops zx.exe into temporary Internet files

zx.htm timeline

13:03:49.852 – IE downloads http://play.joyiex.com/zx.htm

13:04:00.524 – zx.exe creates c:\windows\osrss.exe – file size 18,540

13:04:00.539 – zx.exe creates c:\windows\system32\he1p.exe – file size 18,540

13:04:00.477 – 00.524 – zx.exe sets the following registry keys:

• HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1

• HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1

• HKCR\txtfile\shell\open\command\(Default) to C:\WINDOWS\System32\he1p.exe %1"“

• HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0

zx.htm timeline

13:04:01.055 – osrss.exe tries to create itself but fails (sharing violation)13:04:01.055 – osrss.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)

13:04:01.008 – osrss.exe sets the following registry keys:






zx.htm timeline

13:04:00.789 – zx.exe executes c:\windows\osrss.exe

13:04:02.318 – osrss.exe makes a DNS query for www.cd321.com

13:04:03.305 – osrss.exe shuts down

zx.htm timeline

13:04:03.524 – IE deletes c:\windows\downloaded program files\zx.exe

13:03:49.914 – IE downloads http://play.joyiex.com/sp2/sp3.htm

13:04:01.336 - IE executes bbs003302.gif

13:04:01.555 - IE creates c:\ntdetect.hta - length 1,620

13:03:55.414 - IE downloads http://play.joyiex.com/sp2/bbs003302.css

sp3.htm timeline

13:03:51.055 - IE downloads http://play.joyiex.com/sp2/bbs003302.gif

13:04:02.586 - mshta.exe reads c:\ntdetect.hta and executes it

13:04:03.149 - c:\arcldrer.exe is executed by mshta.exe

13:04:03.149 - mshta.exe closes c:\ntdetect.hta

13:04:03.086 - mshta.exe creates c:\arcldrer.exe - length 18,540

sp3.htm timeline

13:04:03.086 - mshta.exe searches for bbs003302.css and finds it

13:04:03.305 - arcldrer.exe recreates c:\windows\osrss.exe

13:04:03.305 - arcldrer.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)

sp3.htm timeline

13:04:01.008 – arcldrer.exe sets the following registry keys:






13:04:03.352 - arcldrer.exe executes c:\windows\osrss.exe

13:04:03.493 - osrss.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)

13:04:05.273 - osrss.exe downloads http://www.cd321.com/ie1.txt

13:04:03.493 - osrss.exe tries to create itself but fails (sharing violation)

sp3.htm timeline

13:04:03.680 - osrss.exe sets registry keys again

sp3.htm timeline

13:04:01.008 – osrss.exe sets the following registry keys:

• HKCU\Software\Microsoft\Internet Explorer\Main\Start Page to http://www.joyiex.com

• HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1 to http://www.joyiex.com



• HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL to http://www.joyiex.com

• HKCU\Software\Microsoft\Internet Explorer\Main\Local Page to http://www.joyiex.com

• HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar to http://www.joyiex.com

• HKCU\Software\Microsoft\Internet Explorer\Main\Search Page to http://www.joyiex.com

• HKCU\Software\Microsoft\Internet Explorer\Main\First Home Page to http://www.joyiex.com

• HKCU\Software\Microsoft\Internet Explorer\Main\default_page_url to http://www.joyiex.com

• HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL to http://www.joyiex.com

13:04:05.633 - osrss.exe creates c:\windows\system32\she11.dll

13:04:06.164 - mshta.exe creates c:\cmd.bat - length 79

13:04:06.243 - mshta.exe executes cmd.exe to run cmd.bat

13:04:05.993 - osrss.exe sets initial registry keys again

sp3.htm timeline

13:04:05.633 - osrss.exe deletes cache file for ie1.txt

13:04:06.352 - cmd.bat deletes c:\ntdetect.hta



13:04:06.352 - cmd.exe/cmd.bat stop running

sp3.htm timeline

13:04:06.352 - cmd.bat deletes itself


What do we know now?

The site uses multiple exploits in IE to install multiple copies of the same malware and execute it (he1p.exe, osrss.exe, arcldrer.exe)A number of settings in IE are set to point to www.joyiex.comosrss.exe will run on boot uphe1p.exe will be executed whenever a .txt file is double-clicked onThe local computer is locked down to prevent settings from being changed or task manager from running

All of this happens in about 17 seconds.

What do we NOT know?

What happens when we double-click on a txt file?

What happens on boot up?

Will the malware do anything else?

Let’s find out!

he1p.exe and txt files

HKCR\txtfile\shell\open\command\(Default) is modified to point to he1p.exe instead of notepad.exe

This registry key defines what application is run when a .txt file is opened

To find out what happens: Unpause the VMWare image Start a new sniffer Take a regshot 1st scan Start regmon, tdimon and filemon Double-click on a .txt file Wait a couple of seconds and then perform analysis

9:16:32.371 - readme.txt file double-clicked in explorer.exe

9:16:32.481 - explorer.exe executes he1p.exe

9:16:33.262 - he1p.exe begins settings registry keys

he1p.exe timeline

9:16:32.403 - explorer.exe opens HKCR\txtfile\shell\open\command\(Default) reg key and sees to use he1p.exe

9:16:33.387 - he1p.exe executes notepad.exe

9:16:33.715 - notepad.exe opens readme.txt

9:16:34.012 - he1p.exe tries to overwrite itself but fails (sharing violation)

9:16:34.012 - currently running copy of osrss.exe shuts down

he1p.exe timeline

9:16:33.996 - he1p.exe tries to overwrite c:\windows\osrss.exe but fails (sharing violation)

9:16:34.028 - he1p.exe executes a new copy of osrss.exe

9:16:34.199 - he1p.exe shuts down

he1p.exe results

No network traffic while clicking on the txt file Monitoring tools don’t show any new activity Regshot shows no new registry entries or files he1p.exe doesn’t do anything to the text file – it never even opens it! osrss.exe will shut down if another copy starts up

Appears that he1p.exe is just put in the txt registry key to re-infect the system

On boot

It can be difficult to start all utilities on boot up (not all support it)

Regshot results would generate A LOT to go though after reboot

We can do the next best thing – kill the process and restart it

This doesn’t cover all possible situations, but should be close enough

On boot

Malware prevents task manager from running, so we have to use pslist and pskill to kill the process

Once the process is confirmed stopped, we set up the monitoring tools again and run the malware

9:21:01.981 c:\windows\osrss.exe executed

9:21:02.043 osrss.exe tries to create itself but fails (sharing violation)9:21:02.043 osrss.exe recreates he1p.exe

9:21:02.028 osrss.exe sets initial registry keys

On boot timeline

9:21:01.996 osrss.exe checks for c:\windows\system32\she11.dll

9:21:04.543 osrss.exe sets initial registry keys again and does so every 2 seconds

9:21:02.043 osrss.exe sets IE registry keys (homepage, etc)

9:21:02.043 osrss.exe opens and reads c:\windows\system32\she11.dll

On boot results

No networking traffic shows upOnly a modified he1p.exe shows up in regshot

osrss.exe behaves as we have seen it behave thus far

Analysis results

From our analysis of the malware we can conclude the following:

1. Going to http://play.joyiex.com/love.htm with an unpatched IE infected the client with the same malware multiple times.

2. The malware will copy itself to c:\windows\osrss.exe and c:\windows\system32\he1p.exe.

Analysis results

3. Osrss.exe will be set to start on boot.

4. He1p.exe will be run whenever a txt file is opened.

5. The current user will be prevented from running the task manager.

6. The current user will be prevented from changing IE’s homepage.

7. The malware will download http://www.cd321.com/tm/ie1.txt and place the results in c:\windows\system32\she11.dll.

Analysis results

8. The malware will set a number of IE settings (homepage, etc) to the contents of she11.dll.

9. When running, the malware will reset the registry keys every 2-5 seconds.

10. The malware will only allow 1 instance of itself to run at any given time.

11. The malware has a predictable flow of events.

Malware flow

Malware

Starts

Startup and Lockdown

registry keys set

Create osrss.exe

Create he1p.exe

If she11.dll does not exist, download

contents from www.cd321.co

m

Set IE registry keys with

contents from she11.dll

Set Startup and Lockdown registry keys

again

Am I osrss.exe?Start osrss.exe

and kill my process

No

Yes

Virustotal.com results

osrss.exe: variant of IM Lewor worm

bbs003302.css: TR/Dldr.Delf.CQ or variant of IM Lewor worm

Bbs003302.gif: Trojan.Phel

More than half of the anti-virus programs didn’t find anything.

More information

Lenny Zeltser’s Reverse Engineering Malware paper Tom Liston’s Follow the Bouncing Malware series at incidents.orgHoneynet Project’s Reverse ChallengeHacker Disassembling Uncovered by Kris KasperskyMalware: Fighting Malicious Code by Ed SkoudisThe Art of Computer Virus Research and Defense by Peter SzorGoogle for: “reverse engineering” or “malware analysis”

Presentation

http://www.hudakville.com/infosec

Questions?

Documents

One wrong click… Techniques to analyze malicious code Tyler Hudak