SANS ISC: Malware Analysis: Tools are only so good

Well, today wasn't exactly a tough handler's shift, so I thought I would look in my spam folder for something interesting. There is always something interesting in there; subject-wise, most are things which aren't even mentionable in public. However, many of these emails contain links, and at the end of the link is the world of malware. So I feel compelled to follow them (in a nice, safe environment). Today's attempt was a complete success on the first piece of spam I opened. Sure enough, I found a nice executable at the other end just waiting to be downloaded. What a relaxing way to spend a Saturday, doing a little malware analysis.

I opened it in OllyDbg, got past the packer and took a look at the strings in the file. Sure enough, this file wasn't one filled with good intentions. If you take a look at the strings below, you can see what I'm talking about at first glance.
 
Address    Disassembly                               Text string
00401000   MOV EAX,1                                 (Initial CPU selection)
00401037   MOV DWORD PTR SS:[ESP+14],my_hots_.00410  ASCII "CbEvtSvc"
004010CB   PUSH my_hots_.00410C04                    UNICODE "-k"
004010DA   PUSH my_hots_.00410C0C                    UNICODE "netsvcs"
0040110C   PUSH my_hots_.00410C04                    UNICODE "-k"
004014A5   MOV ECX,my_hots_.00410D58                 ASCII " "
00401710   PUSH my_hots_.00410C3C                    ASCII "user"
00401731   PUSH my_hots_.00410C44                    ASCII "os=%d&ver=%s&idx=%s&user=%s"
004018B5   PUSH my_hots_.00410C60                    ASCII "%s&ioctl=%d&data=%s"
004018F4   PUSH my_hots_.00410C30                    ASCII "74.50.109.2"
004018FD   PUSH my_hots_.00410C78                    ASCII "ldr/client03/ldrctl.php"
00401902   PUSH my_hots_.00410C90                    ASCII "POST /%s HTTP/1.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: %s
Content-Length: %d

%s"
00401C37   PUSH my_hots_.00410C30                    ASCII "74.50.109.2"
00401C4A   PUSH my_hots_.00410C30                    ASCII "74.50.109.2"
0040340A   PUSH my_hots_.00410EA8                    ASCII "%s-%x"
00403561   PUSH my_hots_.00410EB0                    ASCII "%s\%d.exe"
0040361A   PUSH my_hots_.00410EC0                    ASCII "D7EB6085-E70A-4f5a-9921-E6BD244A8C17"
00403915   PUSH my_hots_.00410EE8                    ASCII "%d.%d.%d.%d"
00403B29   PUSH my_hots_.00410EF8                    ASCII "CbEvtSvc.exe"
00403BC5   PUSH my_hots_.00410F08                    ASCII "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
00403BD5   PUSH my_hots_.00410BF8                    ASCII "CbEvtSvc"
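The string listing above is what a triage script should be able to produce on its own: pull every printable run out of the unpacked image and flag the ones that look like infrastructure or persistence. The following is an added example (my own code, not the author's and not part of the original diary) that extracts ASCII and UTF-16LE strings from a byte blob and tags them with simple indicator rules. The rule names and the sample blob are my own constructions; the blob just embeds a handful of the strings printed above the way a compiler lays them out, it is not the real binary.

```python
import re

# Runs of 4+ printable characters, in the two encodings the OllyDbg listing
# labels "ASCII" and "UNICODE" (UTF-16LE).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Heuristic indicator rules; the tag names are my own choice for this example.
RULES = [
    ("ipv4",            re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")),
    ("guid",            re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
    ("http-template",   re.compile(r"^(?:GET|POST) \S+ HTTP/1\.[01]")),
    ("user-agent",      re.compile(r"^User-Agent:", re.I)),
    ("beacon-params",   re.compile(r"\w+=%[sdx](?:&|$)")),
    ("url-path",        re.compile(r"^[\w./-]+\.(?:php|asp|cgi)$", re.I)),
    ("service-hosting", re.compile(r"-k\s+netsvcs|\bnetsvcs\b|svchost", re.I)),
    ("system32-path",   re.compile(r"%SystemRoot%|\\System32\\", re.I)),
]


def extract_strings(blob):
    """Return (offset, encoding, text) for every ASCII / UTF-16LE run in blob."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(blob)]
    return sorted(found)


def tag_strings(blob):
    """Keep only the strings that trigger at least one rule, with the tags hit."""
    report = []
    for off, enc, text in extract_strings(blob):
        tags = [name for name, rx in RULES if rx.search(text)]
        if tags:
            report.append((off, enc, text, tags))
    return report


def summarize(report):
    """Group tagged strings by indicator type for a quick triage view."""
    by_tag = {}
    for _, _, text, tags in report:
        for t in tags:
            by_tag.setdefault(t, []).append(text)
    return by_tag


# Constructed sample: a few of the strings from the listing, NUL-terminated,
# with "-k" and "netsvcs" stored as UTF-16LE. Not the real file.
SAMPLE = (
    b"\x00\x00CbEvtSvc\x00"
    + "-k".encode("utf-16-le") + b"\x00\x00"
    + "netsvcs".encode("utf-16-le") + b"\x00\x00"
    + b"os=%d&ver=%s&idx=%s&user=%s\x00"
    + b"74.50.109.2\x00"
    + b"ldr/client03/ldrctl.php\x00"
    + b"POST /%s HTTP/1.1\nConnection: Close\n"
    + b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\nHost: %s\n\n%s\x00"
    + b"D7EB6085-E70A-4f5a-9921-E6BD244A8C17\x00"
    + b"%SystemRoot%\\System32\\CbEvtSvc.exe -k netsvcs\x00"
)

if __name__ == "__main__":
    for off, enc, text, tags in tag_strings(SAMPLE):
        print(f"{off:08x} {enc:5} {','.join(tags):30} {text}")
```

Note that "-k" is too short to survive the minimum length and shows up only as part of the longer ASCII command line, which is exactly why the service-hosting rule also matches the bare "netsvcs" argument: a string-level heuristic has to tolerate the pieces being split across encodings and format strings.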



I checked out the IP found in the strings above and grabbed its source code.  The only thing on the page was this:


"<html><body><h1>It works!</h1></body></html>"


So now I'm wondering if this malware has fangs yet or if it's being distributed in a trial mode. I launched the malware on one of my Windows VM images and found that it looked pretty benign. Here is where it started to get interesting. I used a tool called RegShot to get a "before" snapshot of my machine state. After launching the malware I used it to get an "after" snapshot of my machine state. There didn't seem to be any files dropped on my hard drive; however, there is a mention of a file above called "CbEvtSvc.exe". When I launched the malware, I also had some other tools running. I like to use other tools too when I'm doing behavioral analysis, like RegMon, FileMon, Process Explorer, TCPView, etc. Both RegMon and FileMon show that CbEvtSvc.exe was busy on my system. As a matter of fact, FileMon had this entry:

3:11:24 PM    my_hots_video.e:796    CREATE    C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Options: OverwriteIf Sequential  Access: 00130196   
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\WINNT\system32    SUCCESS    Change Notify   
3:11:24 PM    my_hots_video.e:796    SET INFORMATION     C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Length: 87040   
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\WINNT\system32    SUCCESS    Change Notify   
3:11:24 PM    my_hots_video.e:796    QUERY INFORMATION    C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe    SUCCESS    Length: 87040   
3:11:24 PM    my_hots_video.e:796    WRITE     C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Offset: 0 Length: 65536   
3:11:24 PM    my_hots_video.e:796    WRITE    C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Offset: 65536 Length: 21504   
3:11:24 PM    my_hots_video.e:796    SET INFORMATION     C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    FileBasicInformation   
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\WINNT\system32        Change Notify   
3:11:24 PM    my_hots_video.e:796    CLOSE    C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe    SUCCESS
3:11:24 PM    my_hots_video.e:796    CLOSE    C:\WINNT\system32\CbEvtSvc.exe    SUCCESS       
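The FileMon trace tells the whole dropper story in twelve lines: a CREATE of an .exe under system32, two WRITEs totalling 87040 bytes, and a QUERY INFORMATION showing the running sample itself is 87040 bytes. The next paragraph then shows the other half of the problem, a directory listing that does not contain the file the trace says was written. The following is an added example (my own code, not the author's or any tool's) that parses FileMon-style text lines, flags non-allowlisted processes that create executables under system32, checks whether the bytes written equal the process's own image size, and finally reconciles the result against an independent directory listing. The log lines are copied from the entry above; the allowlist, the listing excerpt and all function names are my own constructions.

```python
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "time process pid op path result details")

# Constructed allowlist of processes expected to touch system32; extend per baseline.
ALLOWLIST = {"WINLOGON.EXE", "SERVICES.EXE", "CSRSS.EXE", "SYSTEM"}

FIELD_SEP = re.compile(r"\t|\s{2,}")      # FileMon exports separate columns by tab or 2+ spaces
LENGTH_RE = re.compile(r"Length: (\d+)")


def parse_filemon_line(line):
    """Split one FileMon text line into an Event; None for blank or short lines.
    The result column is taken positionally, so a line with a blank result (see
    the third WINLOGON line) carries its details there; harmless for this check."""
    f = FIELD_SEP.split(line.strip())
    if len(f) < 4:
        return None
    name, sep, pid = f[1].rpartition(":")
    if not sep:
        name, pid = f[1], "-1"
    result = f[4] if len(f) > 4 else ""
    return Event(f[0], name, int(pid) if pid.isdigit() else -1,
                 f[2], f[3], result, " ".join(f[5:]))


def is_system32_exe(path):
    p = path.lower()
    return "\\system32\\" in p and p.endswith(".exe")


def own_image_size(events, proc):
    """Length FileMon reported for the process's own image: a QUERY INFORMATION on
    a file whose basename starts with the (15-char truncated) process name."""
    for e in events:
        if e.process == proc and e.op == "QUERY INFORMATION":
            base = e.path.rsplit("\\", 1)[-1].lower()
            m = LENGTH_RE.search(e.details)
            if base.startswith(proc.lower()) and m:
                return int(m.group(1))
    return 0


def find_dropped_executables(lines, allowlist=ALLOWLIST):
    """Alert on every (process, path) that CREATEd an .exe under system32."""
    events = [e for e in map(parse_filemon_line, lines) if e]
    created, written = set(), defaultdict(int)
    for e in events:
        if not is_system32_exe(e.path):
            continue
        key = (e.process, e.path)
        if e.op == "CREATE" and e.result == "SUCCESS":
            created.add(key)
        elif e.op == "WRITE":
            m = LENGTH_RE.search(e.details)
            written[key] += int(m.group(1)) if m else 0
    alerts = []
    for proc, path in sorted(created):
        if proc.upper() in allowlist:
            continue
        size = own_image_size(events, proc)
        alerts.append({"process": proc, "path": path,
                       "bytes_written": written[(proc, path)],
                       "self_copy": size > 0 and written[(proc, path)] == size})
    return alerts


def reconcile(alerts, listing):
    """Cross-view check: is each file FileMon saw created also present in an
    independently obtained directory listing (dir, Explorer, RegShot diff)?"""
    seen = {name.lower() for name in listing}
    return [{**a, "visible_in_listing": a["path"].rsplit("\\", 1)[-1].lower() in seen}
            for a in alerts]


# Constructed sample: the FileMon lines from the diary entry, one per line.
FILEMON_LOG = r"""
3:11:24 PM    my_hots_video.e:796    CREATE    C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Options: OverwriteIf Sequential  Access: 00130196
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\WINNT\system32    SUCCESS    Change Notify
3:11:24 PM    my_hots_video.e:796    SET INFORMATION     C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Length: 87040
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\WINNT\system32    SUCCESS    Change Notify
3:11:24 PM    my_hots_video.e:796    QUERY INFORMATION    C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe    SUCCESS    Length: 87040
3:11:24 PM    my_hots_video.e:796    WRITE     C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Offset: 0 Length: 65536
3:11:24 PM    my_hots_video.e:796    WRITE    C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    Offset: 65536 Length: 21504
3:11:24 PM    my_hots_video.e:796    SET INFORMATION     C:\WINNT\system32\CbEvtSvc.exe    SUCCESS    FileBasicInformation
3:11:24 PM    WINLOGON.EXE:160    DIRECTORY    C:\WINNT\system32        Change Notify
3:11:24 PM    my_hots_video.e:796    CLOSE    C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe    SUCCESS
3:11:24 PM    my_hots_video.e:796    CLOSE    C:\WINNT\system32\CbEvtSvc.exe    SUCCESS
""".strip().splitlines()

# Constructed excerpt of a system32 listing taken after the run; CbEvtSvc.exe is absent.
SYSTEM32_LISTING = ["ntoskrnl.exe", "svchost.exe", "winlogon.exe"]

if __name__ == "__main__":
    for a in reconcile(find_dropped_executables(FILEMON_LOG), SYSTEM32_LISTING):
        print(a)
```

The point of `reconcile` is the one the diary makes: when the trace says a file was created and the listing says it is not there, the disagreement itself is the finding. An alert with `self_copy` true and `visible_in_listing` false is a dropper that copied itself into system32 and then hid the copy from at least one enumeration path.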


So the file had been created, but where was it? I used Explorer to look for it and found nothing. I then used cmd.exe to look at the directory for the file, and nothing was there. I thought maybe it's hidden and I can reference it another way. From the command prompt, I tried to run the following command in the system32 directory: dir *cb* and guess what, my window closed on me. I tried this method again and could find any other variety of files this way, as long as the pattern wasn't the first letters of that filename. Now I'm thinking rootkit capabilities...cool! Since my antivirus did not have issues when I downloaded the file using wget, I thought I'd throw it at a few sites and see what they thought of my new toy. Norman Sandbox provided this analysis, which disturbed me:

my_hots_video : Not detected by Sandbox (Signature: NO_VIRUS)


 [ DetectionInfo ]
   * Sandbox name: NO_MALWARE
   * Signature name: NO_VIRUS
   * Compressed: NO
   * TLS hooks: NO
   * Executable type: Application
   * Executable file structure: OK

 [ General information ]
   * File length:        87040 bytes.
   * MD5 hash: 1f4d13b31116860e0a3b692052856941


VirusTotal provided results showing that 14/36 (38.89%) vendors had detection for this file. Not great coverage by any means, but at least some vendors know that it's bad and have a signature for it.


I'm not done with this file yet; it's rather interesting. What I really wanted to point out is that my tools did not provide me with accurate answers. Tools are simply that...just tools. As you work with malware, it's important to have many ways to confirm your results. It's just as important NOT to totally rely on your tools to provide you with the answers. You HAVE to understand the tools you're using. Don't become so dependent on one way of verifying something. I run many tools at the same time when I work with malware. Each has a different purpose as well as strengths and weaknesses. It's important to know them and not just rely on a single method. In essence, you want to look at malware from many different angles and never forget that your tools are only so good and may not provide you with the right answer. Nothing can replace your analysis skills and your ability to understand what you're seeing.

Lorna
ISC Handler