Quantcast
Channel: MalwareTech
Viewing all 95 articles
Browse latest View live

NeXuS AKA Chronic IRC Bot

August 4, 2012, 8:31 am
$
0
0

Introduction

"NeXuS" is a new bot being sold on Hack Forums. The thread originally drew a lot of attention after the seller refused to reveal who coded it or prove that the code was not ripped. He even tried to convince people who had managed to swipe a copy of the executable that they had a fake one and the real one was in fact 4KB (impossible). We still aren't sure who the actual coder is, but what we are sure of is the seller is a complete blithering idiot. Here is a picture of the thread:


The analysis

After extracting the binary from the encrypted package which may or may not be part of the project we are met with this.

The program works through a variety of check to detect antivirus and research environment. The actual checks aren't worth showing as they're your typical checks a non creative coder would find from googling "anti sandbox". What is interesting here is that all the checks are made from the same function and called one after the other, a single JMP instruction is all that is needed to bypass all of them.


Once past the research environment checks the program loads all the required libraries, it does this by a call to LoadLibrary for every library needed. This method is not very optimized and could be easily replaced by a simple loop, of course loops are far too mainstream for this guy. After the libraries are loaded the program then proceeds to the installs phase. 


During the install phase a function is called to decrypt most of the strings the program will need. Because loops are too mainstream for this coder, we have about 50 different calls to the same decryption function (one for each string). The above code is only a small snippet of the function which carries on like that for an entire page. 

After decryption of strings, the program attempts to open a handle to the mutex "oieg029egkdjgkwdg3oi" via OpenMutexA, if the call fails signifying the mutex already exists the program waits for the mutex to close and then exits. If the mutex does not exist, the program continues installing. If the program has not been run from its install location (appdata) it will copy itself there, and run again. In addition to dropping to appdata it will create 2 keys at SOFTWARE\Microsoft\Windows\CurrentVersion\Run one under HKCU and another under HKLM.



The program then injects itself into explorer using functions like NtAllocateVirtualMemory, NtWriteVirtualMemory and CreateRemoteThread (age old injection method detected by nearly all anti-viruses). After the injection into explorer the current process will create the same thread that was injected into explorer, then the main thread will sleep until the newly created thread terminates. 

How real hackers handle threading

Rather than creating a new thread and having the old one wait for it to finish, the coder could have just done what he wanted on the current thread, why they didn't is beyond me.

Once inside explorer the program injects into every running process and then creates a few threads in explorer, I'm going to run trough this last bit quickly as I'm short on time.


here is a list of threads created in explorer and what they do:
USB Thread - Listens for USB devices and infects them with an shortcut based spreading mechanism.
Registry Persistence Thread - Creates an event to listen for key changes on the programs start up key.
Inter Process Communication Thread - Allows the program to send messages to instances of itself that are injected into other processes.
IRC Thread - For Command and Control via IRC.

The "Rootkit"

This isn't an actual rootkit but a pseudo one that uses a bunch of documented functions in abusive and sometimes silly ways. The actual file for the program isn't hidden any deeper than calling SetFileAttributes with the hidden flag (Setting windows to show hidden files will evade this). Both the File and the registry key are protected by using documented windows functions as opposed to hooking low level and undocumented ones.


The File protection is done by the injected code inside every process creating a thread that calls LockFile on a 1 second loop (me thinks the coder didn't read the documentation properly).

This code will cause the registry key to be rewritten every time it is changed. It is a very simplistic method but will stop most basic computer users from removing or overwriting the key. 

The End

As I am running out of time that will be all for now, I will do an analysis of the bot killer, IRC function and form grabber at a later date. The seller is likely going to try and claim that since I wrote this analysis, the bot has change hugely and gone from being a piece of beginner work to a TDL4 successor, but we all know the truth. I do not usually do much documented reversing and this is my first analysis, that will be all until next time. 
Search

Andromeda v2.4

November 25, 2012, 10:15 am
$
0
0

  1. Installation
    1. Original Process
    2. Remote Process
  2. Hooking
  3. Communication & Commands
    1. Communication
    2. Download
    3. Add Plugin
    4. The other ones
  4. Anti-Emulation/Anti-Debugging 
    1. RDTSC
    2. Harddrive names
    3. Blacklist Process 
  5. Miscellaneous 
    1.  
    2. Where are all my strings?
    3. Domain Name

 1. Installation
1.1 Original Process
In the original process the Environment Variable "src" is set to the filename.
Depending on the Bittype a different process is created - in suspend mode.
On x86 it starts "%WINDIR%\system32\wuauclt.exe" while on x64 it starts "%WINDIR%\syswow64\svchost.exe".

The injection isn't exactly private - w4fku gave a POC for something similar.
Here is it anyway:
    NtCreateSectuon(&SectionHandle, 0xF001f, 0, &SizeOfImage, 0x40, 0, 0)
    NtMapViewOfSection(SectionHandle, -1, &Ptr0xfdd8, 0, 0, 0, &SizeOfImage, 1, 0, 4);
    BtUnmapViewOfSection(-1, 0xA70000)
    CreateProcess(0, StringMemory, ... CREATE_SUPENDED, ...) // StringMemory = "C:\Windows\system32\wuauclt.exe"
    DWPRD Time = 0xfff08dc0
    DelayExecution(0, &Time)
    NtMapViewOfSection(SectionHandle, PI->ProcessHandle, &RemoteImageBase, 0, 0, 0, &SizeOfImage, 1, 0, 0x40)
    RemoteImageBase += RemoteMainThread
    QueueUserAPC(RemoteImageBase, PI->ThreadHandle, 0)
    ResumeThread(PI->ThreadHandle)
    NtClose(SectionHandle)
    VirtualFree(StringMemory)

1.2 Remote Process
If the User is a admin (CheckTokenMemberShip()) it installes into "%ALLUSERPROFILE%" and autostarts using an uncommon Registry Path ("software\microsoft\windows\currentversion\Policies\Explorer\Run") - with a random Keyname.
If not it only installs into "%USERPROFILE%".

Andromeda installs into to a partly random filename. The first characters are "ms" the rest are random. The extension is also random ("exe", "com", "scr", "pif", "cmd", "bat", "com", "exe")
The File Creation & Access time are set to those of the injected process.

To protect the registry key it RegSetKeySecurity() to "D:(A;;KA;;;WD)".
   
2. Hooking
Nothing particular interesting - Normal jumps

3. Communication & Commands
1. Communication
Communication is encrypted. The unencrypted  login string is "id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu".
bv is the Internet Explorer Version.

For responses the format is "id:%lu|tid:%lu|result:%lu".

The HTTP Headers are "POST /%s HTTP/1.1\r\nHost: %s\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\nConnection: close\r\n" and "GET /%s HTTP/1.0\r\nHost: %s\r\n\r\nUser-Agent: Mozilla/4.0\r\nConnection: close\r\n". 

2. Download
The commandbyte is 1.
The file is downloaded to "%TEMP%", with a random name derived from GetTickCount
It is then executed using CreateProcess.

3. Add Plugin
The command ID is 4.
The plugins are saved in "software\microsoft". The plugins aren't saved in plaintext - take a look at 1FB2 & 2210 in the new process (I actually didn't).
The plugin gets the handle to the main file in DllMain (as the lpReserved parameter).

4. The other ones
Command id 5: Delte Plugin
Command id 6: Restart bot
Command id 9: Delete bot

 4. Ant-Emulation/Anti-Debuggin
 1. RDTSC
Andromeda uses this old, well-known trick. The timing difference is 200.
 2. Harddrive names
"system\currentcontrolset\services\disk\enum" gets enumerated, lowercase'd and then compared (Not using strcmp() or similar but as DWORD; Also not from the beginning to skip the "IDE\.." bullshit) to
  •  "awmw" (That seems a little misspelled..)
  •  "xobv" which will detect VirtualBox
  •  "uemq" which will detect QEMU
     It does not detect VirtualPC.
 3. Blacklist Process
I have no idea which those actually are - I tested a few obvious candidates and they didn't match
  0x4ce5fd07 0x9191326c 0x31e23af 0x91d47df6 0xe8cffc54 0x8c6d8c 9xa8d9ba9e 9x5cd7ba5e

5. Miscellaneous
Because Andrmeda does all of its work in a remote process with only shellcode injected debugging gets
a lot more time consuming.

2. Where are all my strings?
In the original binary there are only a handful of strings. All APIs are loaded by hash, the blacklist    processes are stored hashed, ...
If there is absolutely no way around actually using a string Andro often pushes the string (not a pointer but the actual string) onto the stack, and pushes the stack pointer. 

3. Domain Name
Does not use DNS_Query but DnsWriteQuestionToBuffer_W  and sendto for its important Domains.
It uses the google servers 8.8.8.8 or 8.8.4.4

WebCrab

November 25, 2012, 10:22 am
$
0
0
I just quickly dump some details.

The injection and process enumeration is fairly standard and works on all OS. It checks whether a process has already been infected by creating a mutex with the name derived from the Process ID.
Defiantly not off-the-shelf is the general architecture: WebCrab features a Matryoshka doll principle. The important code (Injection, Hooking, Grabbing, Sending) is only executed on the heap and protected by some Anti-Debugging checks (PEB->BeingDebugged).

Now for the Criticism:
WebCrab CURRENTLY does not grab Basic Authentication - that is absolutely needed e.g. to get cpanels.
I have spoken to pr0t0typ3 and he will include that shortly.
The injection uses
      OpenProcess
      VirtualAllocEx
      WriteProcessMemory
      CreateRemoteThread
Enumeration with the normal Process32First and Next.
After each iteration over the currently running processes it sleeps for 0x7D0

The hooking (@1000 in the second layer) is also fairly standart - LDE (@ 2670 in the second layer), padding with NOP, ...
Bot ID is generated using Computer & User name.

Data is sent via POST

BetaBot and the endless stream of misinformation

June 1, 2013, 2:56 pm
$
0
0

Introduction

well I've been planning to write a technical analysis of betabot for a while and I'm just about getting round to it. However as my part of this blog is supposed to be a comedy blog that mocks hopeless people in the cybercrime world, this bot does not really fit with the general theme. However the journalism around betabot does, so today we will discuss the journalism and possibly follow up this post with an analysis of betabot later on. 

What is betabot?

In order for you to see how badly wrong the "Chinese whispers" surrounding betabot went, first you need to know what betabot is. Here is a link to the Sales Thread and a Pastebin of the the thread text. As we can see from this information betabot is HTTP bot with: Ring 3 rootkit, Formgrabber, Botkiller, Proactive defense and various antivirus killers / bypasses. We will go into more details a bit later in the post. 

Banking Bot vs Trojan

Meet the Formgrabber

A formgrabber is a piece of software that is injected into the web browser, upon injection the software patches code within the web browser in order to capture post data. This feature is only useful for catching username + password logins for sites such as facebook. Fromgrabbers are easily foiled by two-factor authentication and one time passwords, making them no good for getting credentials to secure sites, such as web based banking sites.

Meet the Webinjects

When it comes to bank accounts, there is far more security. I'm not going to sit here and list all the security i know of, so I will give one example: Most people will notice when they use a bank account to pay for something, they are required to provide additional information that they did not have to supply in order to login to the banking site. In short, the formgrabber could grab the username + password for the bank account, but would need further details to actually use the account. Because the extra information is never requested by the banking site, the only way to get it is to ask the user. Asking the user politely to reveal their full bank details is unlikely to succeed, criminals have come up with a solution: Webinjects. Webinjects are an extension to a formgrabber that allow the malware to modify webpages, as well as log form data from them. Now that the malware can modify the webpage, they can add an extra field to request the needed data that usually isn't requested.

Betabot

Reading the betabot sales thread, we can see that betabot has only a formgrabber and no webinjects. This would make it practically useless for snuffing bank details and only successful at harvesting logins for sites like facebook and twatter. Most people would agree that by nature a HTTP bot with a formgrabber does not constitute a banking trojan, but merely an advanced trojan.

 I was also able to contact the main developer using the information provided in the sales thread and ask him a few questions.

Me: Is betabot purposed as a banking trojan or has it ever been? 
Developer: no it has never been and never will, very little of it is even of any use for that stuff.
Me: Your bot mentions it has a formgrabber, is this formgrabber preconfigured to grab data from any sites, if so, which ones?
Developer: there is no preconfiguration. the user is responsible for adding those at their discretion.

Now that we have a bit of an idea about what betabot is or isn't, let's look at what other researchers/journalists had to say. 

What security researchers think betabot is

RSA

RSA Appears to be one of the first major blogs to post about betabot. The article for the most part is correct, except for a few opinions / misconceptions. "Beta Bot actually started out as an HTTP bot and not a banking Trojan, but it has since evolved, donned a trigger list, and was repurposed for financial fraud that includes targets such as banks, ecommerce and even Bitcoin wallets." From all the information in the sales and development thread, it does not appear that betabot was ever purposed as a banking trojan, it also appears that not only does betabot not target banks (nor have the capability to), it is not configured to target anything and any formgrabber configurations are entirely up to the user. 

SC Magazine

This is probably one of my favorites, despite being entirely based on RSA's blog post, the editor seem to have a hard time quoting correctly and even manages to misinterpret just about everything said in the blog post. 

RSA: "It logs stolen data in a MySQL database and it seems to target a mixed bag of entities including large financial institutions ,payment platforms, social networking sites, online retailers, gaming platforms, webmail providers, FTP and file-sharing user credentials, as well as domain registrars for the common malware use of registering new resources."

SC: "The trojan ended up on the radar of RSA researchers when they detected that about 20 victims, primarily in the United States, had been infected, including banks, payment platforms, social networking sites, webmail providers, domain registrars, online retailers and gaming platforms."

Here RSA is talking about what sites their sample of betabot has been configured to steal data from (i can't find any evidence of it targeting "large financial institutions" but that's not the problem with these quotes). If we look at how our SC Magazine write interpreted the quote we can see that they seem to think betabot, despite apparently being sold to many criminals, has only been detected on 20 victims "when they detected that about 20 victims, primarily in the United States, had been infected.but, it doesn't stop there! The editor goes on to claim betabot has infected such targets as "banks, payment platforms, social networking sites, webmail providers, domain registrars, online retailers and gaming platforms.". As you will notice, they have taken the list from RSA's post and changed to context from "steals data from" to "infected". As most gaming platforms run custom operating systems and social networking sites, webmail providers, domain registrars and online retailers tend to run linux, I imagine this is a very unlikely scenario, however if you do find windows malware running on your xbox 360, please don't hesitate to contact us!

SC Magazine goes on to "quote" a security researcher who in this post goes by the name of "Limor Kessem", "Kessem" and even "Kassem". "Before releasing the trojan, the developer spent 18 months repurposing a simple piece of malware so that it could be used for financial fraud, Kassem said. "(As we can see from the sales thread and what's left of the development thread, betabot was written in the given time period and not re-purposed from existing code "Beta Bot is the product of nearly a year and a half of hard work, long nights, and uncanny dedication."). It is not really know if Mr Kessem actually said these things or if the quotes were a product of this SC Magazine editor's poor quoting skills and overactive imagination.

Since writing this SC Magazine has updated their post and the original can be seen here.

ThreatPost

ThreatPost appears to have taken SC Magazine's idea and bastardized it even further, as well as the same misconceptions posted in the SC Magazine post we have this "The Trojan goes on to log stolen data in a MySQL database, download malicious files, remotely control the infected PC and trick users into making fake banking transactions." The part that states the bot can "trick users into making fake banking transaction", doesn't seem to make sense in any context. What would be the point of tricking users into making fake transactions? Betabot also doesn't have the ability to trick users into making real transactions. 

NBC Magazine

This post seems to also be based on SC Magazine's interpretation of RSA's interpretation of betabot, however takes the quotes even more out of context. "Unless you run a bank or a large financial site, you're unlikely to encounter the Beta Bot.In addition to what I've already said about betabot infecting bank systems and game platforms, it is important to note betabot, like most trojans, is targeted at the end-user and not the bank systems, so it is incredibly likely that average PC users will encounter betabot.

Conclusion

Unlike most of these blogs stated, betabot is not sold on "underground crime forums" and as of now the main sales thread is posted on US hosted security forum hackforums.net, which also happens to be the first search result on google for "hacking forum" (underground forum hiding in plain site?). As well as the sales thread this forum includes a lot of information about the trojan, from the developer himself. The site requires no special skills to  get an account on (unless you class providing a username, email and password as a special skill). It makes me question how much of the security news i read is actually at all factual, when journalists and security researchers would rather quote eachother and post their interpretations of other journalists interpretations instead of going out and do the research themselves. It is also interesting that there is currently no real technical analysis of betabot, only a description of what a user would see when running the bot. 

Rise of the dual architecture usermode rootkit

June 3, 2013, 5:09 pm
$
0
0

A bit about past rootkits

In the past it has been very common to see usermode rootkits that only attack one architecture, which has usually been 32-bit. A standard rootkit injects code into specific/all running processes in order to modify code inside them, this then allows it to hide itself by manipulating results returned by the program. The problem arose when 64-bit systems were introduced. As 64-bit operating systems run under 64-bit (duh) this means 64-bit kernel, addresses and registers. In order for 32-bit applications to run on a 64-bit system a subsystem was introduced which we know as WoW64 (Windows on Windows 64-Bit). WoW64, in short, is responsible for emulating the 32-bit code and translating 32-bit calls to 64-bit in order for the system to call kernel functions. This layer makes it near impossible to interact with 64-bit processes from a 32-bit process (Running under WoW64), in the way a rootkit would need to (Writing process memory, Creating Threads). Because of this issue most rootkit developers have opted to only support 32-bit systems, as they are more widespread, while others have opted to write 2 separate rootkits (one for each architecture) and pack them into a 32-bit dropper. 

WoW64, in short, is responsible for emulating the 32-bit code and translating 32-bit calls to 64-bit in order for the system to call kernel functions. 

32-bit System Calls

On 32-bit systems, a call to a kernel function is made by setting up a few registers and then executing an instruction to enter into kernel mode, here is an example of NtOpenFile in ntdll on Windows XP 32-bit.

Example of a typical ntdll function on 32-bit Windows XP
All this is doing is setting EAX to the ordinal of NtOpenFile withing the SSDT (System Service Dispatch Table) then calling the address pointed to by 0x7FFE0300, so let's see what it points to.

> dd 0x7FFE0300 L1
7ffe0300  77ab64f0

> u 0x77AB64F0 L3
ntdll!KiFastSystemCall:
77ab64f0 8bd4         mov    edx,esp
77ab64f2 0f34          sysenter
77ab64f4 c3             ret

As we can see it is a simple stub that stores the current stack pointer into EDX, then uses SYSENTER to transfer execution to the kernel. 

64-bit System Calls from WoW64

On 64-bit systems when a process running under WoW64 needs to make a call to the kernel, things are slightly more complicated. The 32-bit process has 2 versions of ntdll loaded, a 32-bit one which is exposed to the process and a 64-bit one which sits behind the WoW64 layer.  Let's take a look at a NtOpenFile in the 32-bit ntdll. 

Example of a typical ntdll function on 64-bit Windows XP (Wow64)
This is similar to the 32-bit version: load SSDT ordinal into EAX, however in this call we also see that it loads the address of the first argument into EDX, ready to be translated. Let's see what FS:0x0C points to (to avoid confusion i will add the the FS segment points to the WoW64 TEB (Thread Environment Block) which on my OS is at address 0x7EFDD000). 

> dd 0x7EFDD000+0xC0 L1
7efdd0c0  749b2320

> u 0x749b2320 L1

wow64cpu!X86SwitchTo64BitMode:
749b2320 ea1e279b743300 jmp 0033:wow64cpu!CpupReturnFromSimulatedCode: (749b271e)

What we find here is a far jump to an address with the segment selects 0x33, now let's take a look what's at the address of the JMP.

> u 0x749B271E L1
wow64cpu!CpupReturnFromSimulatedCode:
749b271e 67448b0424            mov     r8d,[esp]
749b2723 458985bc000000     mov     [r13+0xbc],r8d
749b272a 4189a5c8000000     mov     [r13+0xc8],esp
749b2731 498ba42480140000 mov     rsp,[r12+0x1480]

Would you look at that, It's 64-bit code! If we continue to disassemble this function we can see that it sets up the stack and converts the arguments, before ending up at the same place our 32-bit counterpart ended up at.

> u 0x749B2DD0 L3
wow64cpu!CpupSyscallStub:
749b2dd0 4189adb8000000    mov     [r13+0xb8],ebp
749b2dd7 0f05                       syscall
749b2dd9 c3                          ret
Home sweet home! You will notice this code is slightly different from the previous, this is because we are in 64-bit mode, it is important to note here we have SYSCALL instead of SYSENTER, i believe this is to do with CPU make and current mode, however they both essentially do the same thing: transfer execution to kernel mode.

What does it all mean

Well performing a far jump (or possibly a far call) using the segment selector 0x33 (64-bit code segment) as seen with "jmp 0033:wow64cpu!CpupReturnFromSimulatedCode" results in you breaking out of WoW64 and into the magical land of 64-bit code. Because you can choose where the jump lands after it breaks out of WoW64 it is actually possible to "jmp 0033:LocationWithinMyProgram", which will result in you switching your WoW64 process into a 64-bit process until you switch back by performing a jump with the segment selector 0x23 (32-bit code segment).

A full tutorial for this method was posted on VxHeavens about 7 years ago, giving it the name Heavens Gate,  however only recently it has started to be abused by rootkit developers. Because this method allows a 32-bit (WoW64) process to execute 64-bit code, it is now being used by rootkit developers to inject both 64-bit and 32-bit processes from a single 32-bit process on WoW64 compatible systems. However the method isn't without it's downsides: Once in 64-bit mode it is very difficult to load any 64-bit dlls, leaving developers with only ntdll functions to play with, then there's the issue of how you go about storing 32-bit and 64-bit instructions in the same application whilst still having it work on 32-bit systems. 

 Conclusion

Already this year I have witnessed the release of 3 rootkits abusing this method, I am currently trying to get a sample in order to perform a further analysis, but it has been tricky due to these rootkits not attracting much interest. I guess we will have to wait and see if these rootkits become a game changer or just another flop using a method that should have stayed dead and buried. 

Carberp source code, days away from full leak

June 22, 2013, 7:08 am
$
0
0

Brief history

Carberp was a banking bot that first came up on researchers' radars in the last part of 2010. By the end of 2011 the bot had been spotted in the wild, testing with bootkit functionality. Come the end of 2012 the full kit, including the bootkit, were put on sale for a price of $40,000 on various crime forums. 
Carberp uses the bootkit component W32/Rovnix, which has quite a history. Around 2011 the source code for Win32/Rovnix.B was sold on various forums for as little as $5,000. Rovnix was also seen being utilized by ZeroKit (according to ESET) another bot being sold on underground sites. 

The Sale

From what i can gather the source code has been sold in the past to a small number of groups, but this was before the inclusion of the bootkit and the source sale was very controlled. Towards the end of may, there was a lot of talk about the carberp source being sold, people claiming to have it, and large number of random people selling full bins for ridiculously low prices. At this point i was planning to write an article about the possible leak, but was unable to find enough proof before trusteer (and others) beat me to it. According to group-ib, according to random news sources, according to me: The carberp sale was due to a disagreement among the team after a member, batman, sold the source against the group's will (I can't confirm this is true, but it appears the source was stolen from an SVN). 
The source first went on sale for around $50,000, which is a low price compared to the fact the full bot sold for $40,000. As more and more people got a hold of the source, it began to turn into a race for who could make the most sales before the code was leaked, before long there were people selling the full source code for as low as $2,000. Currently the leak is in what I like to think is the final stage: Many people have the source, people are passing the code around for free, screenshots are being posted on public boards, and people are teasing others with links to passworded rar files. The next thing to happen is of course a full scale leak like we saw with Zeus, Grum and countless other bots (this is likely to happen in the next few days).

The Archive

The bootkit is of course the signature component of carberp. From the source we can confirm two main things: The bootkit was a 3rd part component (the coding style does not match that of the bot/plugins), and the source code is in fact that of W32/Rovnix. I don't really have a lot to write about the source as this is a security blog, not a cybercrime How-To, but some things stood out to me: The bootloader appears to have been updated to work on windows 8, which according to just about everyone, it didn't before. We can also see a component that appears not to have been talked about in any carberp analysis: A kernel mode socket layer that implements the TCP/IP and HTTP protocols, using NDIS hooks, in order to bypass firewalls.
As well as carberp based sources there are a few other interesting things in the archive. Firstly there is a lot of 3rd party sources: Zeus, Stoned bootkit and reverse-engineered Mebroot (Sinowal) by Peter Klissenger, RDP xTerm and hVNC. Also there appears to be a fair amount of sensitive information such as: conversation logs (one of them contracting a freelance coder), jabbers, screenshots, pc names, login details, and even a phone number. 

Conclusion

Nothing good comes from leaks like this. AV companies get a massive surge of infected users and spin-off bots are usually created (Citadel, one of the most popular banking Trojans, was forged from the leaked Zeus source code). I guess we can only hope that major antivirus vendors are able to upgrade their software in order to deal with this threat, before more damage is done. Also, the first 5 people to ask me where to get the source will receive a virtual slap in the face (all expenses paid) and my everlasting disapproval. ;)

Related Resources

Carberp / Rovnix Analysis

Arrests

(yes i am ESET fanboy)

Carberp source code now leaked

June 24, 2013, 1:12 pm
$
0
0

The Bootpocalypse

While security blogs are still flooding the internet with the old news of the carberp source going on sale for $50k, I'd like to take some time to give you some slightly more recent news and a recap. 

  • Towards the end of last month it became apparent to me that the carberp source had gone on sale. There was a sudden influx of people selling carberp binaries using a non cracked builder, hinting towards having the source, as well as a few screenshots and videos flying around. Around this time I was eager to blog about the sale, however couldn't find enough solid evidence to make a post. 
  • On the 8th of June it was confirmed (to me) that the carberp source on sale was legitimate, but I was still waiting for a sales thread screenshot before posting my article. 
  • By the 18th of June i still hadn't got a screenshot, Trusteer had beaten me to blogging about the sale, and i gave up writing my article. 
  • About a day later i was in the right place at the right time and managed to get the full carberp source, totally free.
  • Up until the 22nd I had withheld my new and improved post due the the fact that although the source was fairly easy to come across, it was still widely believe to be only in the hands of people with $50k to spare.
  • By that same evening the rar file i had been given (apparently from a private board) had been posted on exploitin, a fairly easy to access Russian community, however the password was not posted. 
  • Some time between the exploitin thread being posted and this morning, the rar password was revealed, on the same forum, but the post required members to have 150 posts in order to view.
  • About an hour ago a slightly incorrect version of the password is posted on dk, an invite only English community, by someone from exploitin. 
  • Less than 5 minutes after the dk post, the password is posted twice on a public board known as tf, both times the thread is removed withing a few seconds.
  • [Added 22:20 UTC]: Corrected rar was allegedly password has been posted on dk.
  • [Added 22:39 UTC]: Password was just posted on public forum along with link to rar. 
As of now it appears a much larger amount of public forum members have access to the source. Although the leak still seems fairly under control, the correct password has not yet been posted on any public boards, it looks as if we can expect a public leak in the next few hours. Password + rar has been posted in public for the first time. My predictions for the week ahead are strong winds, with a chance of bootkits and apocalyptic firestorms.

. As this will probably be my last post about the carberp leak (unless anything interesting happens), i will take the opportunity to post a few screenshots of interest.




First proof of carberp source posted on a public board

A close, but incorrect, version of the rar password posted on dk (pic from )

Top of install.c (commonly posted screenshot)

The folders of bootkit project

Kernel mode TCP/IP using NDIS hook

Carberp using gapz code injection technique
Carberp gets leaked on public board



PowerLoader Injection - Something truly amazing

August 13, 2013, 6:16 am
$
0
0

I'm not dead

It has been a while since i wrote an article (I've been pretty busy in real life), so I decided to get writing. This article will probably only make sense to people from a malware research / programming background, but to compensate i will be posting a fairly non technical article in the near future. 

I will be talking about the infamous injection method from PowerLoader 2.0, which has been seen in many different malware families such as: Carberp, Redyms and Gapz. Recently, after looking at the difference between 0vercl0ck's proof of concept and the real deal, a friend asked me "Why does PowerLoader go to all the trouble of using ROP chains instead of just executing the shellcode like 0vercl0ck does.", I already had a perfect idea of why, but decided to do some digging and answer the question "How?", this digging resulted in me finding something that truly impressed me, (I try not to admire the work of criminals as i don't want to seem like a psychopath ;) ). I would have written this article sooner, but i was totally unaware that no blogs had really gone into depth on this method, i like to be unique!

The Purpose

Most antiviruses don't treat all processes the same, a known "trusted" process is usually far less likely to flag up any warnings from the antivirus. In this case, the goal of malware is to inject code into one of these "trusted" processes in order to run with less risk of detection. Of course antiviruses will attempt to catch injection too, so the challenge is for malware to find a way into the trusted process without being detected.

In order to give a better idea of the stealthiness of PowerLoader I have listed below some common telltale signs of a malicious process attempting to inject. 

(The following only apply to a process trying to perform any of these actions on another process)
  • Allocating heap space
  • Creating threads
  • Overwriting process/module memory
  • Manipulating thread context 
  • Queuing asynchronous procedure calls (APCs)
Proactive antiviruses will check for processes trying to perform these actions and could likely result in the user being alerted to a malicious process. The aim of PowerLoader is to subvert this, (which seems to be a success as it is not picked up by antiviruses, and does not cross off anything on the list). 

Writing the code to explorer

In the case of PowerLoader, the trusted process targeted is explorer. I won't be putting any images/reversed code for this part as it has already been well documented by ESET.

PowerLoader gets the malicious code into the process by opening an existing, shared section already mapped into explorer, removing the need to allocate heap space or overwrite process memory. PowerLoader then proceeds to map the shellcode onto the end of the chosen section. Below is a list of targeted shared sections.
  • \BaseNamedObjects\ShimSharedMemory
  • \BaseNamedObjects\windows_shell_global_counters
  • \BaseNamedObjects\MSCTF.Shared.SFM.MIH
  • \BaseNamedObjects\MSCTF.Shared.SFM.AMF
  • \BaseNamedObjects\UrlZonesSM_Administrator
  • \BaseNamedObjects\UrlZonesSM_SYSTEM

Executing the code

In order to execute the remote code without creating a thread, PowerLoader uses a little trick with the explorer tray window procedure. By opening "Shell_TrayWnd" and calling SetWindowLong, PowerLoader is able to set a variable used by the window procedure to point to a specific address in its shellcode. Here PowerLoader sets the address to a pointer to a pointer to KiUserApcDispatcher, whereas 0vercl0ck's code will just set it to a pointer to a pointer to the payload (which resides in a shared section).

When SendNotifyMessage is called by the malware, the window procedure inside explorer is triggered and this is what happens.
Figure 1: A snippet from the Window Procedure
Now this code is simple, it will perform a double indirection that will result in the address pointed to by the pointer that was set using SetWindowLong, being executed.

This is where PowerLoader differs from 0vercl0ck's version. The instruction "call dword ptr eax" will read the value pointed to by EAX and then call it. The read part won't trigger DEP (Data Execution Prevention), if the section is not executable (in later versions of windows it is execute-protected), however if EAX points to an address inside the section, DEP will be triggered. Because the sections protection is only set to Read/Write in later versions of windows, 0vercl0ck's code will likely trigger DEP and crash explorer, however, because PowerLoader's pointer points to KiUserApcDispatcher (resides in ntdll), DEP is not triggered. 

Well how does one get from KiUserApcDispatcher to code execution, without executing the non-executable shellcode, I hear you ask?

ROP Chains, Unicorns, and Rainbows

This part greatly interested me, partly because I have never seen a ROP chain in the wild before but mainly because it is the most advanced injection method I have ever come across. In order to understand how PowerLoader gets from KiUserApcDispatcher, to shellcode execution, we need to do some disassembling. 

In Figure 1, we see the Window Procedure pushing ESI onto the stack, then calling KiUserApcDispatcher. It is important to remember ESI contains the address (held in the shellcode) of the pointer to the KiUserApcDispatcher pointer.

So let's see dissasemble KiUserApcDispatcher.

Figure 2: KiUserApcDispatcher

Pay attention to the first 3 instructions. "lea edi, [esp+10h]" is loading the last parameter into the EDI register. If you remember in Figure 1, the last parameter pushed to the stack was ESI, which contains an address within the shellcode. Next it pops the return address into the EAX and then calls it, this results in execution being transferred back to the Window Procedure.

So really nothing has happened here, We've just set the EDI to an address inside the shellcode and then gone back to where we came from. So in order to see what happens next, we are going to have to dig deeper. Here is some more of the Window Procedure. 
Figure 3: More of the Window Procedure shown in Figure 1
Now in this disassembly we need to pay attention to the instructions underlined in red and orange, the blue box is the code we already discussed (executes KiUserApcDispatcher and sets EDI to ESI), the rest of the code can be ignored. As you can see, the function makes 2 more calls (EAX+8, followed by EAX+4), if you remember earlier, EAX is an address in the shellcode, so the next call is to the address 8 Bytes below. 

Let's take a look at the shellcode shall we?

Figure 4: A small snippet from the shellcode
When SetWindowLong was called by PowerLoader it set the ESI (Blue Box Figure 3) to 00100E0C (Which holds the address 00100E20), The code then performs and indirection and EAX ends up pointing to KiUserApcDispatchPtr (00100E20). Using some very basic maths, EAX+8 points to 00100E28 and EAX+4 to 00100E24.

What are 00100E28 & 00100E24? When the shellcode was made during runtime, PowerLoader searched for some byte sequences in explorer using ReadProcessMemory, then stored the addresses of those sequences in the shellcode. The sequences are instruction within the executable regions of explorer's memory, their purpose is to perform certain operations as PowerLoader can't execute any of its own code yet, due to the section being execute-protected.

00100E28 points to some code in explorer that executes the instruction "STD" followed by "RET", As a result the instruction underlined in red will result in the direction flag being set and execution being returned to the Window Procedure.

Until now, nothing makes any sense at all. We've set the ESI to an address in the shellcode (Figure 1), we've set the EDI to an address on the stack (Figure2), and we've set the direction flag. What happens next makes sense of it all. EAX+4 is called from the window procedure, as we established EAX+4 is a pointer in our shellcode, but what does it point to? Again, we need to do some disassembling.

Figure 4: A random function in shell32.dll
Remember i said PowerLoader scanned some byte sequences in explorer? Well these bytes were found, in this case inside some random shell32 function (it doesn't matter). Now the pointer doesn't point to the start of the function, it points somewhere in the middle, as a result, only the bytes in the red box are executed. It should become apparent what is happening. The instruction "REP MOVSD" will move ECX (0x94) bytes from the address in ESI to the address in EDI. Earlier the code managed to use code within explorer to set the ESI to the shellcode address, the EDI to an address on the stack, then Set the direction flag to 1. Because of this, the shellcode starting at address 00100E0C will  be copied to the stack backwards (The copying will start at the address in ESI, copy a DWORD, then subtract the address by 4 and repeat. 
(Remember: because all addresses points to executable code within explorer address space, and they are called using a pointer, no code in the shellcode is actually executed, thus resulting in no nasty DEP errors.)

This is where things start to heat up, PowerLoader has just used code located within explorer to overwrite some of the stack with some shellcode, which means although still incapable of directly executing its own code, PowerLoader has control over return addresses and stack based parameters.

Let's have a look at the code that was copied.

Figure 5: The ROP Shellcode that is written to the stack

Once the code copying the ROP Shellcode to the stack is done, it hits the ret instruction, but because the stack has been overwritten, it instead ends up executing code pointed to by the ROP Shellcode, Each bit of code has a ret instruction which causes the next ROP gadget to be executed. I stepped through in a debugger, below i have made a list of the ROP Gadgets in order of execution, each line is a different gadget. 

  1. Direction Flag Clear
  2. Pop 0x70 into EAX
  3. Call _alloca_probe
  4. WriteProcessMemory
  5. Pop the address of ntdll!atan into EAX
  6. Jmp to EAX
Some things to note:
  • The _alloca_probe function is undocumented but I believe it takes the value in EAX and check that the stack can hold that many items, if not it triggers the guard page to allocate more stack space (0x70 is in EAX)
  • The parameters for WriteProcessMemory are at address 00090DA0, these parameters cause WriteProcessMemory to read the shellcode from the shared section, then write it over ntdll!atan which we can assume isn't used by explorer. 
  • Finally the last instruction jumps to ntdll!atan and the code begins execution.

TLDR / Recap

PowerLoader bypasses the execution protection on the shared sections, by using code found inside explorer to copy a ROP Chain to the stack, then uses the ROP Chain to manipulate the call stack into causing Explorer to call WriteProcessMemory and overwrite an unused function in ntdll with some shellcode to complete the injection. 

Conclusion

So there we have it, from non-executable section to shellcode execution by using explorer's own code against itself. I'll try and get a new article up soon, sorry for the inactivity <3


Search

Cybercrime - A Tale of Two Economies

August 20, 2013, 8:06 am
$
0
0

Something Different

Currently I'm waiting for something before I put up my next malware article, so while I'm waiting I decided I'd write something a little different. Everywhere there are articles about fraud and advanced malware sold on underground forum, but I'm going to go into depth on something else, a cybercrime economy that exists entirely in the open (most of the forums can be found on the first page of a google search for "hacking forum"). Brian Krebs has some good articles about this, I'm going to try and condense everything i have gathered into one post.

Underground Economy Overview

A brief example of how the underground economy works is shown in the below image, this image took me many hours to make using some expensive graphics software.


In this example the money enters the economy by fraudsters buying cards, then using the cards to transfer money and buy more cards. The majority of the major players, who are moving large amounts of money, make use of money mules transfer/launder money. 

For the most part, the underground economy is driven by fraud, however there are other drivers, such as extortion (winlockers & ddos).

Open Economy

The open economy is very different from what goes on in the underground, the majority of the money comes from buyers having real world jobs, thus there is a lot less money being moved around. Products on the open market tend to cost between $1 and $500, whereas their underground counterparts tend to have prices anywhere in the thousands to tens of thousands. A very interesting thing about the open economy is the lack of protection: very few people use any form of IP masking (such as a VPN or Proxy), most people do not try to conceal their location or refrain from posting personal information, the main payment processor used is PayPal, and very little money laundering is done. 

Products

Nearly all of the products sold on the open market are similar to those sold on underground marketplaces, despite the much lower price tag and some modification for "legallity" sake. Below I will contrast and compare some of the different products.

Booter
A booter is a user friendly distributed denial of service (DDoS) tool. Usually web based, the booter allows a user to login, enter an IP, then click a button and flood the given IP. Unlike most underground DDoS services, booters tend not to use infected computers to flood then given ip, instead they uses a collection of servers BOUGHT by the service owner. 

The main purpose of these tools are for cheating in online Xbox games. When playing a multiplayer game such a call of duty or halo, it is possible for any player in the game to obtain another player's IP Address. If a player is then DDoS for around a minute, the system will drop them from the game, giving the opposition an advantage. Due to the fact that only a small amount of time is needed for them to be dropped from the game, most services have a 90 - 200 second limit on the attack, making the tool unusable for website attacks. 

Stresser
The "stresser" or "stress tester" tool is a spin off from the booter, the name is designed to make the service seem legitimate and legal (used for stress-testing your own servers). This service will also come accompanied with a Terms of Service (ToS), which makes the user promise not to use the service for naughty things illegal activities. Despite the fluffy name and even fluffier ToS, the service is still illegal and the majority of the the servers attacked are not owned by the attacker, most of these servers are gameserver or websites, including KrebsOnSecurity

This tool is again fairly similar to the DDoS services offered on the underground, however the use differs. Underground DDoS services tend to be used for extorting large web based companies, whereas the stress-testers seems to have the primary purpose of  causing problems for people the customers don't like. Brian Krebs has a good article here.

Winlockers
When you're a teenager writing malware which you justify to yourself and friends by claiming it is legal, extorting unfortunate victims out hundred of dollars seems a little hardcore. The solution? Surveys! The open market "developers" have opted to replace MoneyPak based payment extortion, with forcing the user to complete surveys in order to regain access to their computer. How these people see a combination of extortion and slave labor as less illegal than just extortion is anyone's guess. 

Installs Service
Installs for installs is a service where one user offers to give another user X amount of infected computers, in return for that user returning the favor, thus both users end up with X more infected computers on their botnet (for free). As a result of the rampant uses of services like this, it is likely that any mass sink-holing of these botnets would reveal that: nearly all botnets on these open forums share the same infected computers (for most people being a member of 1 botnet is bad enough, now imagine being a member of 40). 


Note: There are also services selling access to infected hosts (installs).

Botnets
Malware used to make a botnet is very similar to that on the underground, except usually coded by much less experienced coders and doesn't include high profile features. While malware is most commonly geared towards fraud on the underground, this malware is more geared towards DDoS and theft of login information for personal use (steam accounts, facebook pages, netflix logins). 

It is important to note that in order to steal basic site logins, software called a "formgrabber" or "formstealer" is needed. This software is capable of stealing logins from POST data, however theft of bank logins and credit card information requires extra software known as webinject, which allows page manipulation. Bots with formstealers are not regarded as banking malware, due to their inability to steal banking information, however they can be mistaken for such. They usually otherwise would not end up in the news. 

Java Driveby (JDB)
A Java Driveby, despite the name, is not a drive-by exploit. Java has a feature that allows sites to execute java code if the user clicks "Run", the code will be executed on the system, and will then download and execute malware. These are similar to exploit packs such as BlackHole, except instead of using exploits, the application will simply ask the user nicely to execute the code. 



What is being done

Now, when you hear that junior cybercriminals are running around without VPNs or Proxies, using PayPal to accept payments, and giving out personal information, you wonder how they can survive. It would appear that nothing is being done about the amateur cybercrime network. The FBI are too busy going after serious criminals and PayPal just doesn't seem to care, allowing a entire section of the cybercrime economy to exist out in the open. 

Occasionally these junior criminals end up in the wrong place at the wrong time, get into fights with multibillionionare companies, or attract the attention of local police, in which case they sometimes end up being charged or exposed. There are admittedly some humorous sides to it.

The End

I know this article is very different from what I usual post, I appreciate that some people may not like it, therefore I will have a new analysis up fairly soon. ;)

Personal Security - What Can Be Done?

August 25, 2013, 10:10 am
$
0
0

Introduction

It's no secret that keeping your computer free from malware has become much harder. I remember about 12 years ago my friend showing me a CD and announcing that it was an antivirus, which would keep his computer free of all viruses. Back then having an antivirus would pretty much make your computer untouchable, antiviruses were unicorns and rainbows to anyone who had the money to spend, But sadly times have changed. 

The Problem With Antiviruses

To the average end-user, antiviruses are a false sense of security. This isn't the fault of the antivirus company, their job is to play catch up with the professional malware developers. Generally when a new piece of advanced malware is created: The antivirus company must first acquire a sample, reverse engineer and research how to deal with it, followed by finally writing or updating some software to combat it. With certain threats such as bootkits ,which do not store files within the file-system, it is not a case of just updating the signature database and saying goodbye to the infection, it is usually required that special tools are constructed to remove the threat (TDSSKiller is a good example of one of these special tools). 

Of-course antiviruses do employ methods to combat future malware as-well. proactive protection is a good example of this, however it has its' limits. A common goal of professional malware developers is to make the malware seem as legitimate as possible, this makes it hard for antiviruses to distinguish between advanced malware and legitimate software, The antivirus could just alert the user to any possible sign of a threat then let them decide what to do, however for the average end user-this is likely to cause many issues. 

Antivirus companies need to appeal to the masses, which means making the software as user friendly as possible. Sadly the average user doesn't know what they're doing when it comes to security, so the result is the antivirus only being able to offer some protection. Even the more advanced computer users are still not aware that keeping your antivirus up to date, not opening risky email attachments, and not downloading software from non-trusted publishers just won't cut it.

Drive-by Exploits

Drive-by Exploits are the root of all evil when it comes to security, who'd have thought you could get infected by visiting your favorite site or clicking a link that appears to have been sent by a friend. For the few of you who don't know, a Drive-by Exploit is the use of  web-browser or web-browser plugin based exploits to execute malicious code. The exploit can be in the form of any page or document a web-browser might view, triggered by your visiting a page, and the end result being attacker specified code getting executed on your computer, all with no signs that anything is wrong. 

There's already a large attack surface if you think about all the sites that could be hacked and loaded with malicious code, however, it doesn't stop there. Many sites host 3rd party adverts to generate revenue, these 3rd party ad-distributed can be hacked, but even simpler, an attacker can sign up with the company, then pay them to distribute an advert that they may or may not know contains malicious code. There's also people spreading links on hacked social network or email accounts.

Staying Safe (Anti-Malware Edition)

Here are some of the methods I use to minimize risk of infection and malware related loss. Some will appeal to the more technical PC users, while others are aimed at the average user. 

Adblock
Adblock is a pretty self explanatory plugin that blocks nearly all adverts on a webpage, this reduces the attack surface for drive-by exploits. Obviously there are some ethical issues with adblock: you are causing multi-billion dollar companies, that care greatly about your well being, losses in the 10s of dollars. Ok that was a joke, but some small companies and individuals also use adverts to generate revenue, ads can sometimes be their only source of income and helps keep their services free. It is however possible to customize adblock and only block ad-distributors which are known not to put any security measures in place.

Browser Plugins
Let's face it, you don't need that plugin to tell you what the weather is currently like outside. It is beneficial, from a security standpoint, to disable ALL plugins you don't desperately need. Web-browsers such as chrome allow you to set the browser to ask you before it uses a plugin, this allows you to set the plugins you do need (flash player, PDF Reader, etc), to only be run when you want them to be (Eg. Only on trusted sites). I also recommend you consider moving to detroit and leaving your front door open all night, before you consider installing java into your browser.

Javascript
Personally I have my browser set to only run javascript on white-listed sites. Going through and having to white-list every site you trust or that requires javascript is a pain, but it does add a nice layer of protection. I'm sure there are some nice plugins that make it easier to stop unwanted javascript being executed, but I have opted to keep with the old-school method. 

Virtual Machines
In my opinion, this method of security beats all the rest put together. A virtual machine (VM) is software that is used to provide a savable, contained, and virtual instance of a computer. You can install windows and it will behave exactly like a real computer, except for one difference: You can save, rollback, roll forward and suspend the virtual computer. This is not like windows restore, it is literally as if someone replaced the content of you hard drive and RAM with the content that existed during the save. Because of such functionality it is possible to get infected, then rollback the VM to a snapshot you saved before you were infected, it will be like nothing ever happened. 

A screenshot of a VM, in-case my terrible explanation didn't quite cut it.
I recommend creating 2 virtual machines, they do not need any more than 512mb of ram and 20gb of disk space. 1 VM will be for running software you don't trust, you always assume this system is infected and only use it to run non-trusted software, you never use it to login to any accounts you wouldn't want stolen. The other VM will be for logging into valuable accounts (no, not facebook), ideally this VM will only be used for bank accounts or any highly sensitive information. For this VM I recommend installing a clean copy of windows, setting up the internet connection, downloading your favorite browser, then immediately creating a snapshot of the current state. This state is your non-infected state, you will login to your account, do what you need to do, then revert the VM to the non-infected state. Reverting the VM after each use is a safety measure, if somehow you managed to visit a site and get infected, the malware will be lost in the revert, preventing it from stealing any details from your next use. 

Other PC Users
Just because someone is using a limited or guest user account, it doesn't mean any malware they introduce to the system isn't capable of elevating privilege and infecting your account. It is important to educate everyone who regularly uses your computer and keep an eye on those who don't, family members and friends make for great malware infection-vectors. 

USB
Although the days of autorun.inf exploits are long gone, some USB infection methods still exist. The most common USB infection method at the moment requires the user to be tricked into running a malicious file. Look out for any files, shortcuts, or folders you don't remember putting there. Remember that it's not just exe files you have to be weary of, it is possible for malware to create or redirect shortcuts in order to run an executable. I would probably go as far as not having any shortcuts on my USB drive.

Common Sense
This is mans' best defense against just about anything. Here is a list of common sense tips.
  • If an email seems to good to be true, it is. 
  • Just because a file or link was sent from a friends account, it doesn't mean they sent it.
  • Any popup telling you to download or run a file is fake.
  • Only use flash player, if a site insists you need to download their video player, they can go F themselves.
  • Any files that are downloaded automatically when you visit a page should be deleted and not run. 
  • Watch out for fake buttons. Some download sites have fake "download" buttons that lead to malware, if the file doesn't look like the file you expected, it probably isn't. 
  • Don't download software from sites that aren't trusted.
  • Don't go clicking links without thinking, if someone sends you a link and doesn't specify what it is, it's probably something you don't want to visit. 

File Extensions
Don't trust a file just because it doesn't end in exe: html, pdf, bat, com, scr and lnk are just a few of the possibly malicious files. It is also a good idea to disable "hide known file extensions", it makes it easier for an attacker to disguise files. A jpg file icon and an name of image.jpg.exe is all it takes. 

Page Modification
It is possible for malware to modify webpages, if you notice the page is asking you for information that it didn't before, check the page on another computer, if it's not the same, there is a good chance your computer is infected. 

Conclusion

These are just a couple of my tips from preventing malware damage or infection, I will likely update the list as i remember more. It is important to have a good antivirus and firewall, however you should still act as if you have no software to protect you. 

Paranoia is a naive persons' word for cautious. 
 

Win64/Vabushky - The Great Code Heist

September 2, 2013, 7:09 pm
$
0
0

Introduction

This analysis is of a new winlocker dropper that was first seen in the wild last month, the binary is 64 bit, packed with MPRESS, and contains 3 local privilege escalation exploits (CVE-2013-3660, CVE-2012-1864, and CVE-2012-0217), as well as the PowerLoader injection method. 2 of the exploits and the powerloader injection were stolen from carberp leak. I, as well as a few others, thought the dropper may be PowerLoader, however I now have my doubts, I will explain why at the end.

Data Gathering

The first thing the loader does is query some system information, then post it to the command and control server (C&C).

The function I have named "PostArch" simply posts the string "x64" to the C&C, the rest of the functions query the version information of the following file: win32k.sys, ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe, and ntkrpamp.exe, then post it to the command and control.
The first header is for the "PostArch" function, the second is for the rest. Any data is url encoded so the file version data is "f=win32k.sys&v=6.1.7600.16617&", this format is used for every file and the last "&" doesn't do anything but the coder appends it anyway.

Exploitation

The loader will inject into explorer using an x64 version of the infamous Shell_TrayWnd Injection (Explained Here). Once inside explorer the first exploit is executed, if it fail: the next one is executed, and so on. 

The code flow of the elevation attempt
The exploits are as follows:
  • EPATHOBJ::pprFlattenRec (CVE-2013-3660)
  • String Atom Class Name (CVE-2012-1864)
  • (Intel / x64) SYSRET (CVE-2012-0217)                                  
Each exploit will try to elevate the process privileges, if successful, a dll will be written to the temporary directory, under the name "dll.dll", then executed (The dll is also packed with MPRESS).

Let's take take a look at the dll after unpacking. 
The real entry point of the packed dll
All that is happening here is the dll makes sure the "fdwReason" parameter of the entry point is "DLL_PROCESS_ATTACH" (The dll is being loaded). Next it gets the full path to the process that the dll is currently loaded in, then signals an event to notify the main process that the load was successful. After this, the filename is extracted from the file path and stored in the RSI register.

Let's take a look at what is does with this value.

First check (Are we in logonui process)
Second check (Are we in utilman process)
The jump destination if we are inside utilman or logonui
Here the dll checks if the operating system version is 6 and platform id is "VER_PLATFORM_WIN32_NT", which makes sure the OS is Vista+, then attempts to get the process id of its parent, followed by suspending all threads inside the parent process. If any of the following operations fail, it just skips ahead to the next stage.


This is the last stage, here the dll extracts and drops a second dll to "C:\Windows\System32\vBszKyhVp.dll". The loader then looks for an svchost process running as "NETWORK SERVICE", opens a handle to the process, allocates some memory inside, writes the dll path to the allocated memory, and calls "RtlCreateUserThread". The thread start address is set to the address of "LoadLibrary" and the parameter set to address of the allocated memory, as a result the thread in svchost will call loadlibrary with the dll path set to the path of the dropped dll, which will cause the process to load the dll.

The 2nd dll is responsible for downloading some images and installing a winlocker, it is also packed with MPRESS, I'll probably reverse it and write about it in a part 2.

Why I'm not sure this is PowerLoader

Basically the code seems too closely related, the first dropper creates an event that is then signaled by the 1st dll that is dropped, the dll also checks what process it is in, which could change based on which exploit was successful. The way that the dll interacts with the dropper makes me think that they were both coded by the same person. As well as this, the dropper sets a registry key with the screen resolution, which is used by the locker to get the correct size screen-lock image, this rules out the 1st dll being part of the PowerLoader dropper.

Originally, what made me think it was PowerLoader was the string that said "powerloader".

After a while reversing this sample, I realized that the string is probably just referring to the elevation method used, seeming as this code indicates which method was successful (atom exploit, sysret exploit, epathobj exploit, powerloader injection). To me, it seems more likely that this is all part of the same project and most of the primary dropper code was stolen from carberp.

Possibly more exploits to come

I did notice a few bits of unused code in the dropper that seemed to imply more exploits were on the way.

Checking if the process is sysprep then exiting

Exports for UAC Injection

These 2 images make me think the coders are in the process of implementing a user account control bypass, there is a public bypass that exploit auto-elevating processes on windows 7 (sysprep being one of them). Also, earlier in the article i showed 2 checks (one for logonui.exe and one for utilman.exe). The atom exploit (CVE-2012-1864) will result in the dll getting loaded into logonui process, however, none of the exploits seem to load the dll into utilman, which leads me to think they were testing another exploit.

Conclusion

The Shell_TrayWnd Injection and CVE-2012-1864 + CVE-2012-0217 were both taken from the carberp leak (this is probably the biggest theft of code from the leak that i have seen so far). Because the winlocker component seems interesting, I will likely write a part 2 and reverse it.

Thanks to R136a1 for the sample and collaboration on reversing. :)







Fighting Hooks With Hooks - Sandbox Escape

September 17, 2013, 2:58 am
$
0
0

Introduction

I was pretty bored today and couldn't think of an article to write, decided I'd come up with an example of escaping a sandbox. Most sandboxes use hooks placed within user-mode dlls in order to monitor process activity. If someone was able to remove or bypass these hooks, they would be able to escape the sandbox.

A common method used by advanced malware is to write a custom implementation of "LoadLibrary" / "LdrLoadDll". Using this code they can manually map a new, clean, copy of a dll and use it to evade hooks. Because of the nature of PE files, it is generally quite complex to do this and required a good understanding of PE files and the PE loader. As it happens, there is currently no working, easy to find, code to do this on Google, so such methods are not seen is script-kiddie malware and I'd like to keep it that way. Instead I will be showing a nice little hack that works in a similar way, however will be fairly easy for sandbox developers to deal with. 

How It Works

When i was thinking of which way to attack the sandbox, I thought it would be amusing (at least for me) to use hooks to facilitate the escape, I managed to do it using a single hook: "RtlEqualUnicodeString".

First, if we look at the call path for "LoadLibrary" we will see it eventually ends up at "LdrLoadDll" which internally calls "LdrpLoadDll". Inside "LdrpLoadDll" is a call to LdrpCheckForLoadedDll, this function is responsible for iterating through the list of currently loaded dlls ("PEB_LDR_DATA->InMemoryOrderModuleList") and checking that the target dll isn't already loaded.

A snippet from LdrpCheckForLoadedDll

By hooking "RtlEqualUnicodeString" or "RtlCompareUnicodeString", which is called internally by "RtlEqualUnicodeString", we can trick LdrpLoadDll into loading an already loaded dll. Because of the way "GetModuleHandle" works, any subsequent calls will return a handle to the original dll and not our new one. 

Now that we can trick the loader into loading new dlls, we can load a new copy of ntdll which will not be hooked. Using the address returned by "LdrLoadDll", we can call "GetProcAddress" to get a pointer to "RtlCreateUserProcess" within the new dll. Now we can create a new process whilst bypassing any hooks to catch new process creation.

Prevention

This method can easily be prevented by using a hook within LdrLoadDll. Each time LdrLoadDll is called, check if the name is that of a module we need to hook, if it is, call the original LdrLoadDll, then pass the address returned to the hooking function. Remember, we cannot use GetModuleHandle or equivalent.

An Example


Process with 2 copies of ntdll loaded



Ring3 / Ring0 Rootkit Hook Detection 1/2

September 23, 2013, 7:25 pm
$
0
0

Introduction

The cybercrime underworld hasn't given me any exciting malware to reverse and I'm running out of ideas for new posts, so I'm going to do a 2 part article about the techniques used by rootkits to intercept function calls, and how to detect them. The first part will explain some hooking methods, the second part will explain how to detect them. As I haven't done any kernel mode stuff on this blog, I will be looking at both user mode and kernel mode hooks on a x86 windows system. 

Execution Flow

In order to get a better understanding of the attack surface, I've made a simplified flow chart of a call to the WriteFile function in kernel32.dll. This is just an example to highlight key points, I chose the WriteFile function as it makes for a nice example, and disk I/O is commonly intercepted by malware, however most of the stuff on this graph will apply to lots of functions. 

If you haven't realized you can click the image to make it bigger, this article probably isn't for you.
(1)
  • WriteFile is just a simple wrapper for NtWriteFile. 
  • Can be hooked with inline, IAT or EAT hooks. 
  • Hooking this function will intercept all calls to WriteFile in whichever process the hooks are placed.
  • All paths used inside kernel32 are generally Dos Paths (C:\file.txt).

 

(2)
  • NtWriteFile is a small stub that sets the EAX register to a 32bit value (I'll explain this value later), then calls KiFastSystemCall. 
  • Can be hooked with inline, IAT, or EAT hooks. 
  • Hooking this function will intercept all calls to CreateFile, NtWriteFile or ZwWriteFile in whichever process the hooks are placed.
  • All paths used by ntdll file functions are generally NT Paths (\??\C:\file.txt).
(2.1)
  • In order to call KiFastSystemCall NtWriteFile moves the address 0x7FFE0300 (KiFastSystemCall / KiFastSystemCall Pointer) into the EDX register, then it does "call edx" or "call dword ptr [edx]"
  • The rootkit could replace the address 0x7FFE0300 within the NtWriteFile function body in order to hook it.
  • Hooking this function will intercept all calls to CreateFile, NtWriteFile or ZwWriteFile in whichever process the hooks are placed.
  • All paths used by ntdll file functions are generally NT Paths (\??\C:\file.txt).

 

(3)
  • KiFastSystemCall is a small stub that moves the stack pointer into the EDX register then executes the sysenter.
  • The stub is only 5 bytes in size and the last instruction (RETN) is pointed to by KiFastSystemCallRet, this only leaves 4 writable bytes (not enough space for a near call/jmp). Furthermore, the address is hard-coded which makes IAT or EAT hooks impossible. 
  • Sometimes the KiFastSystemCall stub resides in KUSER_SHARED_DATA, in which case it is not writable from usermode. 
  • By hooking this function, the rootkit gains the ability to intercept all user mode calls to kernel functions.

 

(4)
  • The SYSENTER instruction is what transfers execution from user mode to kernel mode, in order to execute an kernel function. when the instruction is executed, the CPU sets the code segment to the content  of the SYSENTER_CS register, the stack pointer to the content of the SYSENTER_ESP register, and the EIP to the content of the SYSENTER_EIP register. The SYSENTER_EIP register points to the KiFastCallEntry function ntoskrnl, as a result of this, the cpu will begin executing KiFastCallEntry.
  • These registers are known as MSRs (Model Specific Register), they are only readable by using the cpu instruction RDMSR (Read MSR) and writable using the WRMSR (Write MSR) instruction. These instructions are both privileged (can only be executed from ring 0) therefore, in order to hook, a kernel driver must be loaded.
  • By modifying the SYSENTER_EIP, the rootkit gains the ability to intercept all user mode calls to kernel functions, but we cannot intercept any kernel mode calls, because only user mode call use SYENTER.

 

(5)
  • KiFastCallEntry is responsible for taking the 32bit value from the EAX register (this is the value we mentioned in 2). The first 11 bits are the ordinal of the SSDT function to use (SSDT_Address+(Ordinal*4)), the 12th and 13th byte determine which SSDT to use, the rest of the bits are ignored. Once the function has worked out which SSDT to use, it calls the address at the given ordinal in the table.
  • Can be hooked with an inline hooks.
  • By hooking this function, the rootkit can intercept all user mode calls to kernel functions, as well as all kernel mode calls to functions starting with Zw, but not those starting with Nt.
(5.1)
  • Because the SSDT is a table of function pointers, it is also possible to hook calls by replacing the pointer within the SSDT. For every kernel function in ntdll, there is an equivalent pointer within the SSDT, therefore we can hook any function at will just by replacing the pointer. We are also able to hook all kernel mode calls to functions starting with Zw using this method, however, we cannot hook kernel mode calls to functions starting with Nt.

 

(6)
  • NtWriteFile...Again. We saw a call to NtWriteFile in 2, however that was just an ntdll.dll stub to enter into kernel mode, this is the actual NtWriteFile call pointed to by the address at the given SSDT ordinal.
  • NtWriteFile builds an IRP (I/O Request packet) and supplies it to IopSynchronousServiceTail, it also passes a device object associated with the file being written.
  • Can be hooked with an inline hook.
  • By hooking this function, the rootkit can intercept user mode and kernel mode calls to NtWriteFile and ZwWriteFile.

 

(7)
  • IopSynchronousServiceTail may only be used on certain versions of windows, it is just a simple wrapper for IofCallDriver, so I'll skip this.

 

(8)
  • IofCallDriver takes a device object pointer (PDEVICE_OBJECT) and IRP pointer (PIRP) (both supplied by NtWriteFile). The device object contains a pointer to the driver object of the driver associated with that device (PDRIVER_OBJECT). The driver object contains a member called "MajorFunction", this is an array of 28 driver defined function pointers (a bit like an EAT or the SSDT), Here is a full list of IRP major function names. IofCallDriver will call one of the IRP major functions, based on which one is specified by the "MajorFunction" member in the IO_STACK_LOCATION for the supplied IRP.

    In the case of file operations, the device object given by NtWriteFile will nearly always be \filesystem\ntfs (aka ntfs.sys) or a filter device attached to \FileSystem\Ntfs, because filter drivers pass on the call to the device below below them until it gets to \FileSystem\Ntfs, we can assume the call will always end up at \filesystem\ntfs unless one of the filter drivers cancels it.
  • By hooking IofCallDriver, the rootkit can intercept practically any call to any driver. In order to only intercept calls to a certain driver, the rootkit can check the "DriverName" member pointed to by the driver object which is pointed to by the device object. Alternatively to intercept calls to a certain device, the rootkit could call ObQueryNameString on the device object (It is important to note that not all devices have names). The rootkit can also filter only specific IRP major function calls, this is done by calling "IoGetCurrentIrpStackLocation" on the IRP pointer, then checking the "MajorFunction" member of the returned IO_STACK_LOCATION. 

 

(9)
  • The IRP_MJ_WRITE function is responsible for writing files within the filesystem. 
  • By attaching a filter device to the device stack of \FileSystem\Ntfs or by replacing an IRP major function pointer with one of its own, the rootkit can intercept any call to \FileSystem\Ntfs. In order to intercept NtWriteFile calls, the rootkit would need to inspect IRP_MJ_WRITE calls in the filter device, or replace the IRP_MJ_WRITE pointer in the driver object.

 

(10)
  • This refers to the volume and partition drivers that are used by \FileSystem\Ntfs, these are not normally targeted by rootkits, therefore i have left them out. 
  • These drivers can be hooked in the same way as 9.

 

(11)
  • The NTFS filesystem uses the IRP_MJ_WRITE major function of the class driver "\Driver\Disk" aka disk.sys, in order to write a disk. Because \Driver\Disk is much lower level than the NTFS filesystem driver, there are no file name, instead it is only possible to work with LBAs (Logical Block Addresses). Logical Block Addressing in a linear method of addressing the disk by sectors, each sector is usually 512, 1024, 2048, or 4096 bytes. The sector number starts at 0 (Master Boot Record) and goes up to whatever, depending on the size of the disk.  
  • Hooking of drivers lower than ntfs.sys is usually only seen in kernel mode payload drivers used by bootkits. This is due to the fact that bootkits tend to only work with files outside of the NTFS filesystem, therefore not having to worry with translating file names to LBAs.  

 

(12)
  • The disk subsystem refers to any driver(s) below disk.sys, generally this a port/miniport driver, which is a hardware or protocol specific driver. In most cases this will be atapi.sys or scsiport.sys which are for ATA and SCSI complaint disk devices. 
  •  At this level a new IRP major function is used, IRP_MJ_SCSI, which is an alias for IRP_MJ_INTERNAL_DEVICE_CONTROL. Here, the rootkit will have to work with SCSI_REQUEST_BLOCK parameters, which further complicates things compared to a disk.sys hook. 
  • Any port/miniport hooks are usually only found in advanced kernel mode payload drivers used by bootkits. 

Clarification

  • The term "kernel function" refers to any function beginning with Nt or Zw. I call these kernel functions because the code resides in the kernel, for a user mode application to call one of these functions, it must enter the kernel via SYSENTER.
  • Only 1, 2, and 3 can be hooked from user mode, the rest require a kernel mode driver.
  • The reason hooks places at 5 and 5.1 cannot intercept kernel mode calls to functions starting with Nt is due to how these functions work. Any function beginning with Nt, when called from kernel mode refers to the actual function within ntoskrnl. However, when a function beginning with Zw is called from kernel mode, it sets the EAX register to the same number that was set in 2, then it calls KiSystemService. KiSystemService falls into KiFastCallEntry, I use the word fall, because it does not call or jmp, KiFastCallEntry is at an an offset into KiSystemService, thus KiFastCallEntry is actually a part of the KiSystemService Function. If you are still confused, the above graph should help.
  • In user mode both Nt and Zw calls follow exactly the same path. Again, refer to the above graph if you are confused.
  • By hooking at a certain point in the flow chart, the rootkit is able to accept all calls to that point and from above it. In other words, by hooking at 3 the rootkit can intercept all successful calls made to 3, 2, and 1.
  • If while reading the kernel mode parts of this article, you are anywhere on the confused scale between "I'm not sure i get this" and "OMFGWTFBBQ", you probably need to read up on some windows kernel basics (especially driver/device stacks, I/O request packets and IRP major functions).

Conclusion

This is part 1 of a 2 part article, the next part will be coming soon and will explain how to detect (and possibly remove) the hooks explained in this article. If you have any questions or I've explained something badly, leave a comment and I'll amend the article.

Part 2: http://touchmymalware.blogspot.ru/2013/10/ring3-ring0-rootkit-hook-detection-22.html

Ring3 / Ring0 Rootkit Hook Detection 2/2

October 8, 2013, 9:56 pm
$
0
0

Introduction

This article was actually planned to be posted the day after the first, however; I've not had much sleep the past few weeks, then I got sick, so it was very delayed. I'm pleased with how popular the previous article was, so in the future I plan to write more like this.  

In this part of the article i will be explaining some of the different ways to detect, bypass and remove hooks placed by malware.

Part 1

If you haven't read part 1 of this article, here it is: http://touchmymalware.blogspot.ru/2013/09/ring3-ring0-rootkit-hook-detection-12.html

IAT Hooks

Description
The Import Address Table (IAT) is a table of jumps "jmp dword ptr ds:[address]". Because functions in dlls change address, instead of calling a dll function directly, the application will make a call to the relevant jmp in its own jump table. When the application is executed the loader will place a pointer to each required dll function at the appropriate address in the IAT. 

I'm not sure this actually helps
if a rootkit were to inject itself inside the application and modify the addresses in the IAT, it would be able to receive control every time a target function is called. 

Bypass
Because the Export Address Table (EAT) of each dll remains intact, an application could easily bypass IAT hooks by just calling GetProcAddress to get the real address of each dll function. In order to prevent such a simple bypass, a rootkit would likely hook GetProcAddress/LdrGetProcedureAddress and use it to return fake addresses. These hooks can be bypassed by writing your own GetProcAddress implementation and using it to get the real function addresses.

Detection


Inline Hooks

Description
Inline hooking is a method of receiving control when a function is called, but before the function has done its job. The flow of execution is redirected by modifying the first few (usually 5) bytes of a target function. A standard way to do this is to overwrite the first 5 bytes of the function with a jump to malicious code, the malicious code can then read the function arguments and do whatever it needs. If the malicious code requires results from the original function (the one it hooked): it may call the function by executing the 5 bytes that were overwritten then jump 5 bytes into the original function, which will miss the malicious jump/call to avoid infinite recursion/redirection.

Example of an inline hook jumping to malicious code then executing the original function
Bypass / Detection (Ring 3)
In usermode inline hooks are usually place inside functions that are exported by a dll. The most accurate way to detect and bypass these hooks would be to compare each dll against the original code. First a program would need to get a list of each dll that is loaded, find the original file and read it, align and load the sections into memory then perform base relocation. Once the new copy of the dll is loaded into memory, the application can walk the export address table and compare each function vs that in the original dll. In order to bypass hooks, an application can then either replace the overwritten code using the code from the newly loaded dll, alternatively, it could resolve imports in the newly loaded dll and use it instead (be aware that some dlls will not work if more than 1 instance is loaded). 

This method of bypassing dll hooks practically involves writing your own implementation of LoadLibrary, it's really not for the beginners or faint-hearted. As much as I would like to post the code to do this, I won't, because it can (and will) be used by scriptkiddies to bypass usermode antivirus sandboxes or fight with other rootkits. 
(We can also use manual dll loading to detect / fix EAT hooks, I won't go into this in detail as EAT hooks are very uncommon). 

Bypass / Detection (Ring 0)
In kernel mode, inter-modular jumps are a lot more rare. Hooks in ntoskrnl can usually be detected by disassembling each instruction in each function, then looking for jumps or calls that point outside of ntoskrnl (into driver bodies, etc). It is also possible to use the same method explained for usermode hook detection: a driver could read each ntoskrnl module from disk, load it into memory and compare the instructions against the original. 

For inline hooks within drivers, scanning for jmp / call instructions that point outside of the driver body is much more likely to result in false positives, however, non-standard drivers that are the target of jumps / calls inside standard kernel drivers should raise a red flag. It is also possible to read drivers from disk. As drivers generally do not export many functions and IRP major function pointers are only initialized at runtime, it would probably be required that you compare the entire code section of the original and new driver. It is important to note that relative calls / jumps are susceptible to changes during relocation, this means that there will naturally be some differences between the original and new driver, however both relative calls / jumps should point to the same place. 


SSDT Hooks

Description
The System Serivce Dispatch Table (SSDT) is a table of pointers for various Zw/Nt functions, that are callable from usermode.  A malicious application can replace pointers in the SSDT with pointers to its own code.
Example call paths for Nt/Zw functions


Detection (Ring 0)
All pointers in the SSDT should point to code within ntoskrnl, if any pointer is pointing outside of ntsokrnl it is likely hooked. It's possible a rootkit could modify ntoskrnl.exe (or one of the related modules) in memory and slip some code into an empty space, in which case the pointer would still point to within ntoskrnl. As far as I'm aware, functions starting with "Zw" are intercepted by SSDT hooks, but those beginning with "Nt" are not, therefore an application should be able to detect SSDT hooks by comparing Nt* function addresses with the equivalent pointer in the SSDT.

Bypass
A simple way to bypass SSDT hooks would be by calling only Nt* functions instead of the Zw* equivalent. It is also possible to find the original SSDT by loading ntoskrnl.exe (this can be done easily with LoadLibraryEx in usermode) then finding the export "KeServiceDescriptorTable" and using it to calculate the offset of KiServiceTable within the disk image (Usermode applications can use NtQuerySystemInformation to get the kernel base address) , a kernel driver is required to replace the SSDT.

SYSENTER_EIP Hook

Description
SYSENTER_EIP points to the code to be executed when the SYSENTER instruction is used. Usermode applications use SYSENTER to transition into kernel mode and call a kernel function (Those beginning with Nt/Zw), usually it would point to KiFastCallEntry, but can be replaced in order to hook all usermode calls to kernel functions.

Detection / Bypass
SYSENTER_EIP hooking does not effect kernel mode drivers, and cannot be bypassed from usermode. In order to allow usermode applications to bypass this hook, a kernel driver must set SYSENTER_EIP to its original value (KiFastCallEntry), this can be done using the WRMSR instruction, however because KiFastCallEntry is not exported by ntoskrnl, getting the address could be tricky.

IRP Major Function Hook

Description
The driver object of each driver contains a table of 28 function pointer, these pointer are to be called by other drivers via IoCallDriver or alternative means, the pointers correspond to operations such as read/write (IRP_MJ_READ/IRP_MJ_WRITE). These pointers can easily be replace by another driver.

Detection
Generally all IRP major function pointers for a driver should point to code within the driver's address space, this is not always the case, but is a good start to identifying malicious drivers which have redirected the IRP major functions of legitimate drivers to their own code.

Bypass
Due to IRP major function pointers being initialized from withing the driver entry point (during runtime), it's not really possible to get the original values by reading the original driver from disk, there are also issues with loading a new copy of the driver due to collisions. The only way I can think of for bypassing these sorts of hooks would be calling the lower driver (Drivers are generally stacked and the top driver passes the data to the driver below and so on, if the lowest driver isn't hooked, an application could just send the request directly to the lowest driver).

Conclusion

I can't think of what to write for a conclusion, so here's a picture of a man being chased by a seal.

Seal of disapproval


KINS Source Code Leaked

October 8, 2013, 11:42 pm
$
0
0

Much Ado About Nothing

Today the KINS source code was posted publicly after being sold to just about everyone and their dog. As expected it's just a Zeus modification containing code taken from various places (there is also evidence of the bootkit).


As you can see in this image, there is evidence of a bootkit present in the solution, however the files have been deleted by either the seller or someone who had the source before me. The files that have been deleted have the same names as those in the rovnix bootkit (from leaked carberp), I can say with 100% certainty that the bootkit being used by KINS is the one from the carberp leak.



This is some basic code to allow execution of 64-bit instructions from inside a 32-bit (wow64) process, I explained how this sort of thing is done in a previous blog post. The code was taken from rewolf's blog.



The above code makes use of the code taken from rewolf, it allows the bot to escape from the wow64 emulation layer. This code is useful because the wow64 layer prevents 32-bit processes from injecting into 64-bit processes on a 64-bit system, KINS makes use of this code to inject 64-bit processes from inside a 32-bit (wow64) process.


After a quick look, I wasn't able to find any evidence of a rootkit, however i did find this. The code keeps attempting to read the malware's file until it is successful, then keep rewriting the file and registry key every 2 seconds. You'll noticed the local variable "hFile" isn't actually used, so the check is useless.

That's all

I just highlighted the interesting stuff i found in the source, the rest of the code is taken from Zeus, however there is a lot of evidence in the solution that point to the presence of a bootkit and some exploits: ms10-073, ms10-092, and a spooler elevation (possibly MS10-061). You can also read xylitol's post about it here.

Search

End of The Line for Solar Bot (Win32/Napolar)?

October 18, 2013, 8:31 am
$
0
0

Solar Bot

Solar Bot is a new type of usermode rootkit that created much hype by being "the first of it's kind". The rootkit is able to inject and hook both 32-bit and 64-bit processes, making it effective on 64-bit systems, which is uncommon for usermode rootkits. Solar bot makes uses of an inter-segment instructions to jump between 32 and 64-bit shellcode distributed with the bot (This is done by using jump/call instructions with the segment selector 0x33 to escape the wow64 emulation layer, I have posted a full explanation here). Although the method of executing 64-bit code within a 32-Bit(wow64) process is not new, it hasn't been seen being abused by malware before.

History

In the last half of 2012 a bot named RDDK (Remote Data Disclosure Kit) was being advertised on opensc.ws, this bot was nearly identical to the bot now know as Solar. The kit was much discussed, yet never actually got sold. A powerpoint released by the seller can be found here

A pre-sales discussion thread for RDDK

In early 2013 after the disappearance of opensc.ws, a new bot "Vector Bot" was introduced onto trojanforge.com, where most of the old opensc members took refuge. Due to the features being very similar (even down to the programming language), this bot was believe to be the completed version of RDDK. After many questions about the origin of Vector Bot, the seller claimed he purchased the RDDK project from a coder on opensc. About a month or so after Vector began being sold, the coder disappeared, leaving behind all the old customers with no support or updates. 

Around August/June, yet another bot with the same features appeared for sale on trojanforge. Despite much speculation that it was the return of the Vector Bot seller, after having ditched all his old customers, the bot made many sales and was much talked about. 

Source Sale

Shortly after trojanforge went offline, a sales thread for the source code was posted on exploit.in, a Russian forum, for an ambitious price of 100 bitcoins ($15,000 USD).


Sale of the source code usually signifies the end for a piece of malware. It is unlikely that the seller will continue sales, however, we might not see the source code leaked like with previous bots. Leaks usually occur with sources that are mass sold. Not only is the price incredibly high for malware of this kinds, but it is being sold in English on a Russian board, which usually results in significantly less sales. 

Botnet Takedowns - fun and good publicity, nothing more

November 14, 2013, 7:21 pm
$
0
0

Takedowns

For the past year or so the Khelios botnet has been in the news after constant attempts to take it down. recently the ZeroAccess botnet has also been subject to similar publicity, but what do these efforts actually achieve? Not much.

Damage

ZeroAccess and Khelios are what i like to refer to as "non-aggressive botnets".  To me this simply means that the botnet takes a less aggressive stance toward generating income: usually by opting to mine bitcoins, perform click-fraud, or send spam, whilst renaming undetected to the user. These sorts of botnets tend to try and inconvenience the user as little as possible, so that they can hold onto the computer for as long as possible. If you compare this to the botnets that are encrypting users files and forcing them to buy them back, or stealing bank details and selling them to fraudsters, it suddenly looks a whole less damaging in the grand scheme of things.  

Resilience

Now I'm not sure i remember the last time i heard a bot master say: "oh no, the security experts have ransacked my botnet, I must pack up shop and apply for a job at McDonald." but I imagine it wasn't recently. The fact is, taking down these large botnets run by career cyber-criminals only causes minor financial setbacks and does little justice for the victims. As we saw with Khelios, the developer's response was to come back each time with a new version of the bot which was more resistant to takedowns. Targeting the same botnets over and over is only likely to result in some new super-malware that is near impossible to sinkhole. Peer-to-peer botnets are usually very complex and a lot of work goes into them, why? To be sinkhole proof. When criminal groups are willing to put so much effort into avoiding sinkholing, it's likely that at most they will change tactics, but never walk away. 

Conclusion

The main motivator in taking down these high profile botnets appears to be publicity. I salute the security researchers that are doing this, but I think when anti-virus companies are pouring time and money into taking down botnets that are not causing extensive harm to the user, the efforts are misguided. I'd like to see more efforts go into dealing with the ransomware operations that seem to be growing in popularity, dealing with the botnets that are supplying cardshops with fresh credit cards, or just taking antivirus software to the next level. 




MtGox Nearly Breaks Bitcoin...Again

November 19, 2013, 10:02 pm
$
0
0

Previous Incident 

In April 2013 large trading volume caused the MtGox trading engine to begin lagging. As soon as the trading engine lag started to build, traders panic sold due to the increasing risk of loss from trading blind. Of course the panic selling just added to the trading volume, thus adding to the lag (which reached 2h on peak). At the end of it all, when the lag died down, we were left with scenes of destruction and broke dreams.

What does the Gox say? Probably nothing with this much lag.


Today

At about 4:25 UCT an extremely large market sell order of about 4,000 bitcoin was placed, this caused the price to drop nearly $100 USD in under 2 minutes. The MtGox trading engine began to lag as the 4,000 bitcoin order hit all the corresponding buy orders as the price fell. According to MtGox, protection had been put in since the April 2013 crash, this protection canceled and rolled back all of the trades during the lag period, however, this somehow caused the engine to go into a loop where the sell order would be executed then rolled back then executed again, until stopped by MtGox.

"<@MagicalTux> very large sell order matching too many buy orders, causing the security system to stop the trade and rollback anything that was caused by it"

The initial sell order beginning


A view of the loop as plotted on the chart after the lag was gone

Current State

Although the MtGox lag did initially drag down the price on all other exchanges, it has since settled, although the market appears to still be in a downward trends. It's unsure if the gigantic sell order was neglectful or a deliberate attempt to cause panic, it's also not sure what happened to that order in the end, if it was ever processed or remains rolled back. 
Some facts are still unclear and i will update if any more information comes out. 

Portable Executable Injection For Beginners

November 21, 2013, 5:46 am
$
0
0

Process Injection

Process injection is an age old technique used by malware for 3 main reasons: Running without a process, placing user-mode hooks for a rootkit or formgrabber, and  bypassing antivirus / firewalls by injecting whitelisted processes. The most common method of process injection is DLL Injection, which is popular due to how easy it is. A program can simply drop a DLL to the disk and then use "CreateRemoteThread" to call "LoadLibrary" in the target process, the loader will then take care of the rest. PE Injection is generally favored over DLL Injection by malware, because it does not require dropping any files to the disk.

Portable Executable Basics

When running in memory most, but not all, portable executables make use of 2 structures we need to know about: IAT (Import Address Table), and Reloc (Base Relocation Table). I will briefly explain their purpose, without going into unnecessary detail. 

Import Address Table
When a DLL is loaded into memory it is not guaranteed to be loaded at the same address every time, to deal with this: the application makes use of an Import Address Table. The IAT simply allows for the addresses of DLL functions to be set by the PE loader, without having to modify the code of the application. It does this by having all calls to dll functions point to a jump in the processes's own jump table, the IAT then allows the address the jumps targets to easily be found and changed by the PE loader. 

Base Relocation Table
As with DLLs, it is also possible that the application itself is not loaded at the same address every time. For the most part this isn't a problem because the application uses relative addressing, however because absolute addresses will need to be changed if the process base address changes, whenever an absolute address is used, it must be easily located. The Base Relocation Table is a table of pointers to every absolute address used in the code. During process initialization, if the process is not being loaded at its base address, the PE loader will modify all the absolute addresses to work with the new base address.  

Portable Executable Injection

The Import Address Table and Reloc Table remain in memory once the process initialization is finished, this makes for a very easy way to inject a process. With the ability to be loaded at any base address and use DLLs at any address, the process can simply get its current base address and image size from the PE header, and copy itself to any region of memory in almost any process. Here is the entire procedure broken down.
  1. Get the current images base address and size (usually from the PE header).
  2. Allocate enough memory for the image inside the processes own address space (VirtualAlloc).
  3. Have the process copy its own image into the locally allocated memory (memcpy).
  4. Allocate memory large enough to fit the image in the target process (VirtualAllocEx).
  5. Calculate the offset of the reloc table for the image that was copied into the local memory.
  6. Iterate the reloc table of the local image and modify all absolute addresses to work at the address returned by VirtualAllocEx.
  7. Copy the local image into the memory region allocated in the target process (WriteProcessMemory).
  8. Calculate the remote address of the function to be executed in the remote process by subtracting the address of the function in the current process by the base address of the current process, then adding it to the address of the allocated memory in the target process.
  9. Create a new thread with the start address set to the remote address of the function (CreateRemoteThread).
  10. In some cases once the image is executed in the remote process, it may have to fix its own IAT so that it can call functions imported from DLLs, however; DLLs are usually at the same address in all processes, so this wouldn't be necessary. 

Identifying Injection

It is usually fairly easy to identify an executable that is attempting to inject into another. There are a few telltale signs to look for. The below tips are just guidelines and can lead to false positives, they also cannot be relied on to identify 100% of all injecting malware. 
  • A processes allocating memory inside another process (NtAllocateVirtualMemory, VirtualAllocEx, NtMapViewOfSection), especially if the memory is allocated with the PAGE_EXECUTE flag.
  • A process setting the PAGE_EXECUTE flag of a memory region in another process (NtProtectVirtualMemory, VirtualProtectEx).
  • A process creating a thread in another process (NtCreateThread(Ex), RtlCreateUserThread, CreateRemoteThread), especially if the thread points to code within a memory region, which was also allocated by the same process.
  • A process appending code to shared sections.


Extra

I will likely extend this article at a later date, possibly even add it to a series of articles about all the different injection methods. I'll also read over the article when I'm less tired and correct any stupid mistakes.

Selfish Mining - How to make Yourself Broke

November 23, 2013, 7:25 am
$
0
0

Selfish Mining

Selfish Mining in short is theoretical concept in which a malicious pool of miners could gain a better income by deliberately forking the blockchain. If a mining pool were to not immediately broadcast blocks, but instead add them to their own private chain, when the private chain becomes longer than the current chain; the malicious pool can publish their longer chain directly after a legitimate pool finds a block, causing the network to orphan the legitimate pool's block and give the reward to the malicious pool. By operating in such a way: every time the malicious pool orphans blocks mined by legitimate pools, the effort of the legitimate miners is wasted and they get no reward. In theory this could cause legitimate miners to jump ship into the malicious pool, giving the malicious pool more power, thus giving them a better ability to orphan other pools blocks. Eventually the malicious pool will be able to combine orphaning other pool's blocks + hashing power, in order to execute the 51% attack with less than 51% of the bitcoin network's hashing power. Full explanation here.

The Problem

As most people know, bitcoin has no intrinsic value and is entirely based on supply an demand. Traders make up the majority of bitcoin holder and as seen in the April 2013 crash, they are willing to liquidate their coins at the first sight of bad news. As soon as the selfish mining attack was noticed (easily noticed by the same pool repeatedly orphaning other pool's blocks), traders would begin to liquidate their coins, causing the value to drop. For the same reason the selfish mining attack could work (greed) other traders would see the value drop and also dash  to cash out. Before long there's a gigantic snowball of people liquidating their coins to the point where bitcoin is nearly worthless.

Most miners are also bitcoin investors. Due to the ever rising price per a coin, miners prefer to keep their coins as they increase in value with age. In the long run it is far more profitable to mine normally and keep hold of coins, than to mine maliciously and risk diminishing their value. Although this does not prevent the selfish mining attack, it makes it far less likely for non malicious miners to join a malicious pool, thus it would likely require the selfish pool to have a much larger number of malicious miners, before they could cause enough losses to bring in legitimate miners. It's also likely the malicious pool would be identified and miners warned not to join it, I would also guess it would lead to distributed denial of service attacks against the malicious pool. 

Conclusion

I don't doubt that a pool could selfishly mine, however, I do doubt it would ever grow large enough to cause noticeable problems for other miners. I'm also sure the pool would never get big enough to preform any of the attacks outlined in the 51% attack explanation. These are some of my theoretical problems with this theoretical attack, though i do think the attack is an incredibly cool concept, I don't believe it could be as damaging as stated. 
Viewing all 95 articles
Browse latest View live
Search