Thursday, January 19, 2012

Ramnit, Zeus and the BAT! Part 3


After parts 1 and 2 we can safely say the machine is infected. This next part will go through building the Mandiant IOC using IOC Editor, in order to identify other infected hosts.

One issue I am keeping an eye on is trying to identify indicators that would hopefully be present in numerous samples. Malware writers are incorporating new ways to subvert AV identification techniques (and have been known to brag online that the malware is not detected).

Driver Inspection

I’m going to start with the driver (imjvxcsr.sys) associated with the misspelled service: Micorsoft Windows Service.
Looking at the driver's name it looks randomly generated, but after infecting the same host a few times the driver name is consistent on that host.

The directory where the driver is located always seems to be C:\Documents and Settings\User\Local Settings\Temp, as seen in the SSDT Hooks tab in Audit Viewer and Redline.

Using Redline to review Drivers and Devices, we can see that there is also a device associated with the driver.

By selecting the driver and reviewing its information we can review any strings associated with it.

Upon reviewing the strings we can see a number of possible IOCs:
  • \systemsroot\temp\%x
  • \Device\631D2408D44C4f47AC647AB96987D4D5
  • \DosDevices\631D2408D44C4f47AC647AB96987D4D5
  • c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
Chae Jong Bin @2gg also tweeted that the demetra project path was located in a sample.
Using the OpenIOC framework we can start with the following:
  • Driver StringList is c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb
  • Driver StringList is \Device\631D2408D44C4f47AC647AB96987D4D5
  • Driver StringList is \DosDevices\631D2408D44C4f47AC647AB96987D4D5

Hook Inspection

If we then review the Hooks section using Redline or Audit Viewer, we can use what it shows to further enhance the indicator.

From the evidence above we can use the Hooking Module, Hooked Module and Hook Description. In OpenIOC terms the following items enhance the IOC:
  • Hook HookDescription is SystemCall
  • Hook Hooking Module contains \Local~1\Temp\
  • Hook Hooked Module is ntoskrnl.exe

Process Inspection

Using the default indicator from Redline and Audit Viewer we can build an IOC for svchost.exe with unexpected arguments (this can be expanded on if your environment has additional valid svchost arguments):
  • Process name is svchost.exe
  • Process arguments is not C:\WINDOWS\System32\svchost.exe -k netsvcs
  • Process arguments is not C:\WINDOWS\system32\svchost -k rpcss
  • Process arguments is not C:\WINDOWS\System32\svchost.exe -k LocalService
  • Process arguments is not C:\WINDOWS\System32\svchost.exe -k NetworkService
  • Process arguments is not C:\WINDOWS\system32\svchost -k DcomLaunch
  • Process arguments is not C:\WINDOWS\system32\svchost.exe -k imgsvc
Next, pick one of the suspicious svchost.exe processes and review its Process Handles, Mutexes and Strings in Redline and Audit Viewer. From that analysis we can use the following as possible indicators (note that Ramnit is quite verbose and offers a lot of string values to review; the items below can easily be expanded on or removed if they produce false positives).

There are other string values that look to be passwords, email addresses and DNS hostnames.

By reviewing the String List below we can also assume that Ramnit has integrated some of the components seen in Zeus; the same references can be found in the leaked Zeus source code available online:
  • Process Handle contains \Start Menu\Programs\Startup\
  • Process Handle contains CTF.Compart.MutexDefaultS-1-5-21
  • Process Handle contains CTF.Layouts.MutexDefaultS-1-5-21
  • Process Handle contains CTF.TMD.MutexDefaultS-1-5-21
  • Process Handle contains CTF.TimListCache.FMPDefaultS-1-5-21
  • Process Handle contains CTF.Asm.MutexDefaultS-1-5-21
  • Process Handle contains CTF.LBES.MutexDefaultS-1-5-21
  • Process String contains LOCALS~1\Temp\~TM4.tmp
  • Process String is Hide Browser v1.1
  • Process String is 220 220 RMNetwork FTP
  • Process String is Ftp Grabber v1.0
  • Process String is Virus Module v1.0 (exe, dll only)
  • Process String is VNC Module v1.0 (Zeus Model)
  • Process String is Byob Ernie Gild Lotto 2002-2006
  • Process String is Reich.exe
  • Process String is \Start Menu\Programs\Startup\
Reviewing a number of the other processes, we also find the following Process Strings and Handle, which appear in multiple processes:
  • Process String is <%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT POST
  • Process Handle Name is !IETld!Mutex
  • Process StringList is \\.\631D2408D44C4f47AC647AB96987D4D5
Next is the additional executable that was dropped during one of the infections; this already gives us an insight into the functionality available to Ramnit, i.e. the ability to drop and execute additional files.

By reviewing the NETWORK ACTIVITY section for Install.exe (PID 3424) we can assume this is our spamming engine. Reviewing the Process Strings confirms this functionality.

Further review shows references to Delphi and, in particular, what looks to be a backup location for the source code. A number of strings also mention a few email clients and providers (Outlook, The Bat, POPPeeper).
Using OpenIOC, one possible IOC is the following:
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas
  • Process StringList is X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas
  • Process StringList is TModule_POPPeeper
  • Process StringList is TModule_Eudora
  • Process StringList is TModule_Gmail
  • Process StringList is TModule_IncrediMail
  • Process StringList is TModule_GroupMailFree
  • Process StringList is TModule_VypressAuvis
  • Process StringList is TModule_The_Bat
  • Process StringList is TModule_Outlook0
  • Process StringList is TOutlookIdentItem

Published IOC

All we need to do now is put it together and introduce the logic that produces the hits. The complete IOC is below; it has been tested against multiple audit files and did not produce any false positives.
OR:
  • DriverItem/StringList/string is ' c:\project\demetra\loader~1\drivers\ssdt\driver~1\objfre_win7_x86\i386\SdtRestore.pdb'
  • DriverItem/StringList/string is ' \Device\631D2408D44C4f47AC647AB96987D4D5'
  • DriverItem/StringList/string is ' 631D2408D44C4f47AC647AB96987D4D5'
  • ProcessItem/HandleList/Handle/Name is ' !IETld!Mutex'
  • ProcessItem/StringList/string is ' \\.\631D2408D44C4f47AC647AB96987D4D5'
  • ProcessItem/StringList/string contains ' <%IDBOT%><%REMOTE={*}%><#{*} {*}#>ECHOADDSUBSETDATECONTENT POST'
  • AND:
    • HookItem/HookDescription is ' SystemCall'
    • HookItem/HookedModule is ' ntoskrnl.exe'
    • HookItem/HookingModule contains ' \LOCALS~1\Temp\'
  • AND:
    • ProcessItem/StringList/string contains ' Micorsoft Windows Service'
    • ProcessItem/StringList/string contains ' TANGrabber'
    • ProcessItem/name is ' services.exe'
  • AND:
    • ProcessItem/arguments isnot ' C:\WINDOWS\System32\svchost.exe -k netsvcs'
    • ProcessItem/arguments isnot ' C:\WINDOWS\system32\svchost -k rpcss'
    • ProcessItem/arguments isnot ' C:\WINDOWS\System32\svchost.exe -k LocalService'
    • ProcessItem/arguments isnot ' C:\WINDOWS\System32\svchost.exe -k NetworkService'
    • ProcessItem/arguments isnot ' C:\WINDOWS\system32\svchost -k DcomLaunch'
    • ProcessItem/arguments isnot ' C:\WINDOWS\system32\svchost.exe -k imgsvc'
    • ProcessItem/name is ' svchost.exe'
  • AND:
    • ProcessItem/name is ' svchost.exe'
    • OR:
      • ProcessItem/HandleList/Handle/Name contains ' CTF.Compart.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.Layouts.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.TMD.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.TimListCache.FMPDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.Asm.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' CTF.LBES.MutexDefaultS-1-5-21'
      • ProcessItem/HandleList/Handle/Name contains ' \Start Menu\Programs\Startup\'
      • ProcessItem/StringList/string contains ' LOCALS~1\Temp\~TM4.tmp'
      • ProcessItem/StringList/string is ' Hide Browser v1.1'
      • ProcessItem/StringList/string is ' 220 220 RMNetwork FTP'
      • ProcessItem/StringList/string is ' Ftp Grabber v1.0'
      • ProcessItem/StringList/string is ' Virus Module v1.0 (exe, dll only)'
      • ProcessItem/StringList/string is ' VNC Module v1.0 (Zeus Model)'
      • ProcessItem/StringList/string is ' Byob Ernie Gild Lotto 2002-2006'
      • ProcessItem/StringList/string is ' Reich.exe'
  • AND:
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clMailMessage.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clSocket.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clCertificate.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clSspiTls.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clTlsSocket.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clSocks.pas'
    • ProcessItem/StringList/string is ' X:\old_backup\Delphi\Mailer4\cl\Sources\clTcpClient.pas'
    • ProcessItem/StringList/string is ' TModule_POPPeeper'
    • ProcessItem/StringList/string is ' TModule_Eudora'
    • ProcessItem/StringList/string is ' TModule_Gmail'
    • ProcessItem/StringList/string is ' TModule_IncrediMail'
    • ProcessItem/StringList/string is ' TModule_GroupMailFree'
    • ProcessItem/StringList/string is ' TModule_VypressAuvis'
    • ProcessItem/StringList/string is ' TModule_The_Bat'
    • ProcessItem/StringList/string is ' TModule_Outlook0'
    • ProcessItem/StringList/string is ' TOutlookIdentItem'
A published IOC can be located on the Mandiant Forums as well as on the http://ioc.forensicartifacts.com/ website.
Happy hunting! Please leave feedback if the IOC produces false positives and needs amending or improving.
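The AND/OR tree above is easiest to sanity-check by evaluating it against a few records. The following Python is an added example, not code from the post, IOC Editor or Redline: it implements the is/isnot/contains conditions and nested AND/OR groups, loads a subset of the published IOC (the driver device name, the hook block and the svchost arguments block from the Process Inspection section), and runs it over constructed records for a legitimate svchost.exe, one with the bare arguments Redline flagged, and two SSDT hook entries. The Term/Group/Record names and all four records are assumptions.

```python
"""Evaluate the Part 3 OpenIOC logic tree against audit records (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Union

# One audit record: OpenIOC search path -> observed value(s) for a single item
# (a process, driver or hook). StringList-style paths may carry several values.
Record = Dict[str, Union[str, List[str]]]


@dataclass(frozen=True)
class Term:
    """A single IndicatorItem: search path, condition ('is', 'isnot', 'contains') and value."""
    search: str
    condition: str
    value: str

    def matches(self, record: Record) -> bool:
        observed = record.get(self.search, [])
        values = [observed] if isinstance(observed, str) else list(observed)
        if self.condition == "is":
            return any(v == self.value for v in values)
        if self.condition == "contains":
            return any(self.value in v for v in values)
        if self.condition == "isnot":
            # True when no observed value equals the reference. This is what makes a
            # svchost.exe with no '-k' group fall through every expected-argument term.
            return all(v != self.value for v in values)
        raise ValueError(f"unsupported condition: {self.condition}")


@dataclass(frozen=True)
class Group:
    """An Indicator node: 'AND' or 'OR' over Terms and nested Groups."""
    operator: str
    children: tuple

    def matches(self, record: Record) -> bool:
        results = [child.matches(record) for child in self.children]
        return all(results) if self.operator == "AND" else any(results)


# Expected svchost.exe command lines, copied from the IOC above.
EXPECTED_SVCHOST_ARGS = (
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\system32\svchost -k rpcss",
    r"C:\WINDOWS\System32\svchost.exe -k LocalService",
    r"C:\WINDOWS\System32\svchost.exe -k NetworkService",
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"C:\WINDOWS\system32\svchost.exe -k imgsvc",
)

# A subset of the published IOC: driver device name, mutex, hook block and svchost block.
RAMNIT_IOC = Group("OR", (
    Term("DriverItem/StringList/string", "is", "\\Device\\631D2408D44C4f47AC647AB96987D4D5"),
    Term("ProcessItem/HandleList/Handle/Name", "is", "!IETld!Mutex"),
    Group("AND", (
        Term("HookItem/HookDescription", "is", "SystemCall"),
        Term("HookItem/HookedModule", "is", "ntoskrnl.exe"),
        Term("HookItem/HookingModule", "contains", "\\LOCALS~1\\Temp\\"),
    )),
    Group("AND", (
        Term("ProcessItem/name", "is", "svchost.exe"),
        *(Term("ProcessItem/arguments", "isnot", args) for args in EXPECTED_SVCHOST_ARGS),
    )),
))

# Constructed records, modelled on what Redline shows for this memory image.
CLEAN_SVCHOST: Record = {
    "ProcessItem/name": "svchost.exe",
    "ProcessItem/arguments": r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
}
BARE_SVCHOST: Record = {  # PID 2000/2640 style: path only, no -k group
    "ProcessItem/name": "svchost.exe",
    "ProcessItem/arguments": r"C:\WINDOWS\system32\svchost.exe",
}
RAMNIT_HOOK: Record = {
    "HookItem/HookDescription": "SystemCall",
    "HookItem/HookedModule": "ntoskrnl.exe",
    "HookItem/HookingModule": r"C:\DOCUME~1\User\LOCALS~1\Temp\imjvxcsr.sys",
}
AV_HOOK: Record = {  # constructed: an SSDT hook from a driver under system32, not Temp
    "HookItem/HookDescription": "SystemCall",
    "HookItem/HookedModule": "ntoskrnl.exe",
    "HookItem/HookingModule": r"C:\WINDOWS\system32\drivers\example_av.sys",
}


def hits(ioc: Group, records: Dict[str, Record]) -> List[str]:
    """Return the labels of the records the IOC matches."""
    return [label for label, record in records.items() if ioc.matches(record)]


if __name__ == "__main__":
    sample = {"clean svchost": CLEAN_SVCHOST, "bare svchost": BARE_SVCHOST,
              "ramnit hook": RAMNIT_HOOK, "av hook": AV_HOOK}
    print("IOC hits:", hits(RAMNIT_IOC, sample))  # ['bare svchost', 'ramnit hook']
```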

Ramnit, Zeus and the BAT! Part 2

Memory Analysis

Please note that the memory sample reviewed in this section does not correlate with the logs reviewed previously (i.e. the PIDs are different, and one other artifact occurred during the memory dump; all will be revealed).

After the VM was snapshotted and paused, analysis could be conducted on the .vmem file.

A number of tools were used to conduct the analysis including the following:

  • Mandiant’s Redline (and also AuditViewer with Memoryze)
  • Volatility

Several tools were used because each has its own advantages and disadvantages.

Process List and Process Tree

The output below was generated from Volatility using the pslist command. As can be seen below, Sample1.exe is the parent (PPID) of two svchost.exe processes (the snapshot was taken before Sample1.exe terminated; see Ramnit, Zeus and the BAT! Part 1).

During one of the infections an additional process, install.exe (PID 3424), was started by one of the svchost.exe processes (PID 2000). We will analyse that file later.

Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c8830 System                    4      0     67    510 1970-01-01 00:00:00      
0x82193da0 smss.exe                556      4      3     19 2012-01-11 22:13:40      
0x81fff978 csrss.exe               624    556     12    732 2012-01-11 22:13:43      
0x81f67978 winlogon.exe            648    556     21    519 2012-01-11 22:13:43      
0x81ef7880 services.exe            692    648     20    298 2012-01-11 22:13:43      
0x81f91418 lsass.exe               704    648     27    424 2012-01-11 22:13:43      
0x82209198 vmacthlp.exe            860    692      5     40 2012-01-11 22:13:44      
0x81e654f0 svchost.exe             872    692     25    223 2012-01-11 22:13:44      
0x81ea7360 svchost.exe             956    692     15    284 2012-01-11 22:13:45      
0x81f42c10 svchost.exe            1068    692     93   1600 2012-01-11 22:13:45      
0x81e9c528 svchost.exe            1200    692     10     93 2012-01-11 22:13:46      
0x822adbf0 svchost.exe            1300    692     18    177 2012-01-11 22:13:46      
0x822bc840 spoolsv.exe            1428    692     18    133 2012-01-11 22:13:46      
0x81e1e6a0 svchost.exe            1532    692      9    116 2012-01-11 22:13:55      
0x81e28da0 EngineServer.ex        1604    692      8     53 2012-01-11 22:13:55      
0x81e755e8 FrameworkServic        1628    692     14    238 2012-01-11 22:13:55      
0x820353e8 VsTskMgr.exe           1692    692     28    273 2012-01-11 22:13:58      
0x82194a58 mfevtps.exe            1716    692     10    157 2012-01-11 22:13:59      
0x822537a8 naPrdMgr.exe           1724    872      9     98 2012-01-11 22:13:59      
0x81ee8760 VMwareService.e        1928    692      7    157 2012-01-11 22:13:59      
0x81e4dda0 Mcshield.exe           2012    692     17    131 2012-01-11 22:14:00      
0x81de7968 mfeann.exe              204   2012     13    127 2012-01-11 22:14:05      
0x81eff6a0 explorer.exe            708    492     23    616 2012-01-11 22:14:08      
0x81fb0a20 alg.exe                 524    692     10    117 2012-01-11 22:14:32      
0x8223bda0 VMwareTray.exe         1048    708      5     50 2012-01-11 22:14:33      
0x81ecb588 wscntfy.exe             416   1068      5     51 2012-01-11 22:14:33      
0x821ec918 VMwareUser.exe         1464    708     10    212 2012-01-11 22:14:34      
0x8225f6a8 UdaterUI.exe           1612    708     10    121 2012-01-11 22:14:35      
0x81f22a20 shstat.exe              900    708      0 ------ 2012-01-11 22:14:35      
0x81e81550 AdobeARM.exe           2092    708     12    197 2012-01-11 22:14:38      
0x81d1fda0 ctfmon.exe             2216    708      5     89 2012-01-11 22:14:39      
0x81f047c8 McTray.exe             2296   1612      5     46 2012-01-11 22:14:39      
0x81f8d7b0 mcconsol.exe           3796    900      9    176 2012-01-11 22:15:12      
0x81cf3a20 cmd.exe                2108    708      5     53 2012-01-11 22:15:47      
0x81f1c5c8 CaptureBAT.exe         2992   2108      0 ------ 2012-01-11 22:16:13      
0x81fc8ab0 CaptureBAT.exe         3788   2108     10     56 2012-01-11 22:16:57      
0x8213f458 Sample1.exe            4000    708      0 ------ 2012-01-11 22:17:04      
0x821e1bf0 svchost.exe            2640   4000     13    125 2012-01-11 22:17:05      
0x82070200 svchost.exe            2000   4000     10    119 2012-01-11 22:17:05      
0x820b9ad0 install.exe            3424   2000     12    159 2012-01-11 22:17:42      
0x82049b60 iexplore.exe           2200    708      0 ------ 2012-01-13 19:36:33      
0x81a629b8 iexplore.exe            516    708     26    367 2012-01-13 19:37:49      
0x81a535a0 iexplore.exe           2480    516     27    550 2012-01-13 19:37:51
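As an added example (not code from the post or from Volatility), the following Python parses pslist output in the format above and automates the check just described: it flags svchost.exe processes whose parent is not services.exe and lists whatever those processes went on to spawn, which here yields the two svchost.exe children of Sample1.exe and install.exe under PID 2000. The expected-parent baseline and the parse_pslist/unexpected_parents/descendants names are assumptions; the embedded rows are a subset of the pslist output above.

```python
"""Flag svchost.exe processes with an unexpected parent in Volatility pslist output (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subset of the pslist output above: services.exe, a normal svchost.exe, explorer.exe,
# Sample1.exe with its two svchost.exe children, and install.exe spawned by PID 2000.
PSLIST_OUTPUT = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x81ef7880 services.exe            692    648     20    298 2012-01-11 22:13:43
0x81e654f0 svchost.exe             872    692     25    223 2012-01-11 22:13:44
0x81eff6a0 explorer.exe            708    492     23    616 2012-01-11 22:14:08
0x8213f458 Sample1.exe            4000    708      0 ------ 2012-01-11 22:17:04
0x821e1bf0 svchost.exe            2640   4000     13    125 2012-01-11 22:17:05
0x82070200 svchost.exe            2000   4000     10    119 2012-01-11 22:17:05
0x820b9ad0 install.exe            3424   2000     12    159 2012-01-11 22:17:42
"""

# Baseline of expected parents for this XP image (an assumption; extend per environment).
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

PSLIST_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+|-+)\s+(?P<hnds>\d+|-+)\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


@dataclass(frozen=True)
class Process:
    offset: int
    name: str
    pid: int
    ppid: int
    threads: Optional[int]   # None where pslist printed '------' (e.g. the process has exited)
    handles: Optional[int]
    created: str


def _count(field: str) -> Optional[int]:
    return None if field.startswith("-") else int(field)


def parse_pslist(text: str) -> Dict[int, Process]:
    """Parse pslist rows into a PID-keyed map; header, separator and blank lines are skipped."""
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line.strip())
        if not m:
            continue
        proc = Process(int(m["offset"], 16), m["name"], int(m["pid"]), int(m["ppid"]),
                       _count(m["thds"]), _count(m["hnds"]), m["time"])
        procs[proc.pid] = proc
    return procs


def unexpected_parents(procs: Dict[int, Process]) -> List[Tuple[Process, str]]:
    """Return (process, parent name) for every process whose parent deviates from the baseline."""
    flagged = []
    for proc in sorted(procs.values(), key=lambda p: p.pid):
        expected = EXPECTED_PARENT.get(proc.name.lower())
        if expected is None:
            continue
        parent = procs.get(proc.ppid)
        parent_name = parent.name if parent else "<not in pslist>"
        if parent_name.lower() != expected:
            flagged.append((proc, parent_name))
    return flagged


def descendants(procs: Dict[int, Process], pid: int) -> List[Process]:
    """All processes spawned (directly or indirectly) by the given PID, breadth first."""
    found: List[Process] = []
    queue = [pid]
    while queue:
        current = queue.pop(0)
        children = sorted((p for p in procs.values() if p.ppid == current), key=lambda p: p.pid)
        found.extend(children)
        queue.extend(c.pid for c in children)
    return found


if __name__ == "__main__":
    table = parse_pslist(PSLIST_OUTPUT)
    for proc, parent_name in unexpected_parents(table):
        print(f"{proc.name} PID {proc.pid} has unexpected parent {parent_name} (PPID {proc.ppid})")
        for child in descendants(table, proc.pid):
            print(f"    spawned {child.name} PID {child.pid} at {child.created}")
```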

Upon analysing the memory dump using Redline the following processes are flagged straight away and highlighted red.

svchost.exe PID 2000

svchost.exe PID 2640

Redline reports that the processes were flagged because both have unexpected arguments; in fact they have no arguments at all:

 “C:\WINDOWS\system32\svchost.exe”

We get a different visual representation of the memory dump using Mandiant’s Memoryze and Audit Viewer.

The additional flags are due to Audit Viewer having identified the injected memory sections.

Redline also displays the Injected Memory Sections, and on initial analysis it can be seen that they nearly all start at the same Region address: 0x20010000.

Network Activity

Offset(V)  Local Address             Remote Address            Pid  
---------- ------------------------- ------------------------- ------
0x820c0008 192.168.0.18:1806         173.194.41.95:80            2480
0x81e307a8 192.168.0.18:1810         173.194.67.104:80           2480
0x81ab0008 192.168.0.18:1807         209.85.147.94:80            2480
0x82066a58 192.168.0.18:1802         204.212.40.2:25             3424
0x81f65a50 192.168.0.18:1052         209.85.147.105:80           2000
0x81a994f0 192.168.0.18:1809         209.85.147.94:80            2480
0x81a994f0 192.168.0.18:1805         209.85.147.94:80            2480
0x81f29720 192.168.0.18:1033         209.85.147.105:80           2000
0x82055008 192.168.0.18:1500         209.85.229.99:80            2000
0x8206c370 192.168.0.18:1803         74.125.43.27:25             3424
0x81a9db28 192.168.0.18:1799         202.136.110.213:25          3424
0x81a9db28 192.168.0.18:1715         202.136.110.213:25          3424

Straight away the connections that stand out are those to port 25 (SMTP); this will be expanded on later. The IP addresses are located in Australia and the United States.

Services

Using Volatility (svcscan) we can review the services that were running at the time the snapshot was taken; on first analysis nothing really seems to be amiss apart from the misspelled Micorsoft Windows Service:

Offset(P)  #Ptr #Hnd Start        Size Service key          Name
0x01f26f38    3    0 0xb2746000 333952 'Srv'                'Srv'        '\\FileSystem\\Srv'
0x01fe0190    3    0 0xf8b72000  15488 'mssmbios'           'mssmbios'   '\\Driver\\mssmbios'
0x01fe0838    3    0 0xf80f5000 384768 'Update'             'Update'     '\\Driver\\Update'
0x01fe3950    2    0 0xb2102000  68512 'mfeapfk'            'mfeapfk'    '\\Driver\\mfeapfk'
0x01fffa08    5    0 0xf8ab6000  11008 'vmscsi'             'vmscsi'     '\\Driver\\vmscsi'
0x02042a18    5    0 0xb1e81000 264832 'HTTP'               'HTTP'       '\\Driver\\HTTP'
0x0204bf38    5    0 0xf88ba000  56576 'mfetdik'            'mfetdik'    '\\Driver\\mfetdik'
0x0204cb10    4    0 0xb2cc0000 113152 'vmhgfs'             'vmhgfs'     '\\FileSystem\\vmhgfs'
0x0204f300    3    0 0xf883a000  41472 'RasPppoe'           'RasPppoe'   '\\Driver\\RasPppoe'
0x02060df0   19    0 0xf8376000 333376 'mfehidk'            'mfehidk'    '\\Driver\\mfehidk'
0x02061860    5    0 0xf83c8000 105344 'Mup'                'Mup'        '\\FileSystem\\Mup'
0x02061ce8   17    0 0xf83e2000 182656 'NDIS'               'NDIS'       '\\Driver\\NDIS'
0x02064bb8    3    0 0xf882a000  51328 'Rasl2tp'            'Rasl2tp'    '\\Driver\\Rasl2tp'
0x02071168    6    0 0xf853b000 125056 'Ftdisk'             'Ftdisk'     '\\Driver\\Ftdisk'
0x0207b240    3    0 0xf8a82000  21760 'TDTCP'              'TDTCP'      '\\Driver\\TDTCP'
0x0207d178    2    0 0xb21db000  11648 'CaptureFileMonitor' 'CaptureFileMonitor' '\\FileSystem\\CaptureFileMonitor'
0x02091790    3    0 0xf88ca000  34688 'NetBIOS'            'NetBIOS'    '\\FileSystem\\NetBIOS'
0x02092f38    5    0 0xb2cfe000 162816 'NetBT'              'NetBT'      '\\Driver\\NetBT'
0x02095838    5    0 0xf8153000 196224 'rdpdr'              'rdpdr'      '\\Driver\\rdpdr'
0x02096030    4    0 0xf8263000  12160 'mouhid'             'mouhid'     '\\Driver\\mouhid'
0x02098030    7    0 0xf8bb0000   7936 'Fs_Rec'             'Fs_Rec'     '\\FileSystem\\Fs_Rec'
0x0209cf38    6    0 0xf8972000  23040 'Mouclass'           'Mouclass'   '\\Driver\\Mouclass'
0x020ab1b0    6    0 0xf84fd000  96512 'atapi'              'atapi'      '\\Driver\\atapi'
0x020ab2a8    5    0 0xf86ba000  52352 'VolSnap'            'VolSnap'    '\\Driver\\VolSnap'
0x020ab3a0    4    0 0xf8922000  19712 'PartMgr'            'PartMgr'    '\\Driver\\PartMgr'
0x020b2030    4    0 0xf87fa000  40704 'es1371'             'es1371'     '\\Driver\\es1371'
0x020bcf38    3    0 0xf89c2000  19072 'Msfs'               'Msfs'       '\\FileSystem\\Msfs'
0x020bd030    3    0 0xf8b52000  13952 'CmBatt'             'CmBatt'     '\\Driver\\CmBatt'
0x020bd560    3    0 0xf89ca000  30848 'Npfs'               'Npfs'       '\\FileSystem\\Npfs'
0x020c2548    3    0 0xf86ea000  42368 'agp440'             'agp440'     '\\Driver\\agp440'
0x020e8be0    3    0 0xf8c26000   7296 'CaptureRegistryMonitor' 'CaptureRegistryMonitor' '\\Driver\\CaptureRegistryMonitor'
0x020fd788    4    0 0xb2c25000 455296 'MRxSmb'             'MRxSmb'     '\\FileSystem\\MRxSmb'
0x02101790    3    0 0xb2cdc000 138496 'AFD'                'AFD'        '\\Driver\\AFD'
0x02101be0    7    0 0xb2d74000 361600 'Tcpip'              'Tcpip'      '\\Driver\\Tcpip'
0x02103678    6    0 0xf88aa000  59520 'usbhub'             'usbhub'     '\\Driver\\usbhub'
0x02106bd8    3    0 0xf8bb6000   4224 'RDPCDD'             'RDPCDD'     '\\Driver\\RDPCDD'
0x02126928    3    0 0xb27e8000 180608 'MRxDAV'             'MRxDAV'     '\\FileSystem\\MRxDAV'
0x02128970    4    0 0xb1c2d000 143744 'Fastfat'            'Fastfat'    '\\FileSystem\\Fastfat'
0x02130730    3    0 0xf89a2000  16512 'Raspti'             'Raspti'     '\\Driver\\Raspti'
0x02134360    2    0 0xb20ed000  84352 'mfeavfk'            'mfeavfk'    '\\Driver\\mfeavfk'
0x02134880    3    0 0xb25a6000  60800 'sysaudio'           'sysaudio'   '\\Driver\\sysaudio'
0x02161160    4    0 0xf8b9e000   5504 'IntelIde'           'IntelIde'   '\\Driver\\IntelIde'
0x02164cc0    3    0 0xf8d3a000   2944 'Null'               'Null'       '\\Driver\\Null'
0x0216f030    7    0 0xf8cd2000   3072 'audstub'            'audstub'    '\\Driver\\audstub'
0x02170110    5    0 0xf89d2000  32128 'usbccgp'            'usbccgp'    '\\Driver\\usbccgp'
0x0218f6e0    3    0 0xf885a000  35072 'Gpc'                'Gpc'        '\\Driver\\Gpc'
0x0218fbb8    5    0 0xf8183000  69120 'PSched'             'PSched'     '\\Driver\\PSched'
0x021905f0   13    0 0x00000000      0 '\\Driver\\Win32k'   'Win32k'     '\\Driver\\Win32k'
0x021a1030    4    0 0xf896a000  24576 'Kbdclass'           'Kbdclass'   '\\Driver\\Kbdclass'
0x021ada30    6    0 0xf8515000 153344 'dmio'               'dmio'       '\\Driver\\dmio'
0x021adc48    3    0 0xf8ba0000   5888 'dmload'             'dmload'     '\\Driver\\dmload'
0x021f09f8    5    0 0xf887a000  40704 'TermDD'             'TermDD'     '\\Driver\\TermDD'
0x021fdec8    3    0 0xf8325000  12032 'WS2IFSL'            'WS2IFSL'    '\\Driver\\WS2IFSL'
0x02209030    3    0 0xf881a000  36352 'intelppm'           'intelppm'   '\\Driver\\intelppm'
0x0220bda0    3    0 0xf87da000  48256 'vmci'               'vmci'       '\\Driver\\vmci'
0x02222460    3    0 0xf8bb4000   4224 'mnmdd'              'mnmdd'      '\\Driver\\mnmdd'
0x02230270    5    0 0xb2411000  83072 'wdmaud'             'wdmaud'     '\\Driver\\wdmaud'
0x02232f38    3    0 0xb2c95000 175744 'Rdbss'              'Rdbss'      '\\FileSystem\\Rdbss'
0x02236408    3    0 0xf8335000   8832 'RasAcd'             'RasAcd'     '\\Driver\\RasAcd'
0x02236ca8    3    0 0xf89ba000  20992 'VgaSave'            'VgaSave'    '\\Driver\\VgaSave'
0x0223bcc0    3    0 0xf8bb2000   4224 'Beep'               'Beep'       '\\Driver\\Beep'
0x022f11e8    3    0 0xf8952000  32768 'Micorsoft Windows Service' 'Micorsoft Windows Service' '\\Driver\\Micorsoft Windows Service'
0x02349500    3    0 0xb17f2000 172416 'kmixer'             'kmixer'     '\\Driver\\kmixer'
0x02389bb8    9    0 0xf8bac000   4352 'swenum'             'swenum'     '\\Driver\\swenum'
0x0238ef38    6    0 0xf826b000  10368 'hidusb'             'hidusb'     '\\Driver\\hidusb'
0x0239b7f0    6    0 0xf899a000  17792 'Ptilink'            'Ptilink'    '\\Driver\\Ptilink'
0x0239c5d8    3    0 0xf88ea000  36864 'vmdebug'            'vmdebug'    '\\Driver\\vmdebug'
0x023a04b8    4    0 0xf87ca000  57600 'redbook'            'redbook'    '\\Driver\\redbook'
0x023a6418    3    0 0xf8b96000  10624 'gameenum'           'gameenum'   '\\Driver\\gameenum'
0x023e9030    3    0 0xf873a000  63744 'Cdfs'               'Cdfs'       '\\FileSystem\\Cdfs'
0x023ea5d0    3    0 0xf8c1e000   6272 'CaptureProcessMonitor' 'CaptureProcessMonitor' '\\Driver\\CaptureProcessMonitor'
0x023fcf38    2    0 0xb21bb000  36288 'mfebopk'            'mfebopk'    '\\Driver\\mfebopk'
0x02405740    3    0 0xb2dcd000  75264 'IPSec'              'IPSec'      '\\Driver\\IPSec'
0x024178d0    5    0 0xf878a000  52480 'i8042prt'           'i8042prt'   '\\Driver\\i8042prt'
0x02437da0    3    0 0xb1eea000 139520 'RDPWD'              'RDPWD'      '\\Driver\\RDPWD'
0x02439030    3    0 0xf8be2000   6784 'ParVdm'             'ParVdm'     '\\Driver\\ParVdm'
0x02439430    3    0 0xb2a59000  14592 'Ndisuio'            'Ndisuio'    '\\Driver\\Ndisuio'
0x02439da0    3    0 0xf8be4000   7680 'VMMEMCTL'           'VMMEMCTL'   '\\Driver\\VMMEMCTL'
0x02450f38    3    0 0xf88fa000  44544 'Fips'               'Fips'       '\\Driver\\Fips'
0x02458a50    3    0 0xb2d4e000 152832 'IpNat'              'IpNat'      '\\Driver\\IpNat'
0x0245d030    3    0 0xf87aa000  42112 'Imapi'              'Imapi'      '\\Driver\\Imapi'
0x0245d610    3    0 0xf87ba000  62976 'Cdrom'              'Cdrom'      '\\Driver\\Cdrom'
0x024682a0    4    0 0xf8234000  91520 'NdisWan'            'NdisWan'    '\\Driver\\NdisWan'
0x02468d78    6    0 0xf8b56000  10112 'NdisTapi'           'NdisTapi'   '\\Driver\\NdisTapi'
0x02472640    4    0 0xf8309000  80128 'Parport'            'Parport'    '\\Driver\\Parport'
0x024ad8a8    3    0 0xf898a000  29696 'vmxnet'             'vmxnet'     '\\Driver\\vmxnet'
0x024b3b70   16    0 0xf84c5000 129792 'FltMgr'             'FltMgr'     '\\FileSystem\\FltMgr'
0x024c00b0    7    0 0xf86aa000  42368 'MountMgr'           'MountMgr'   '\\Driver\\MountMgr'
0x024edca8    3    0 0xf890a000  34560 'Wanarp'             'Wanarp'     '\\Driver\\Wanarp'
0x024ef838    3    0 0xf884a000  48384 'PptpMiniport'       'PptpMiniport' '\\Driver\\PptpMiniport'
0x024efb30    3    0 0xf89aa000  20480 'Flpydisk'           'Flpydisk'   '\\Driver\\Flpydisk'
0x024f9150    3    0 0xf8ba8000   4736 'vmmouse'            'vmmouse'    '\\Driver\\vmmouse'
0x0250d290    4    0 0xf897a000  27392 'Fdc'                'Fdc'        '\\Driver\\Fdc'
0x0250e278    4    0 0xf8982000  20608 'usbuhci'            'usbuhci'    '\\Driver\\usbuhci'
0x0250f200    4    0 0xf8b4a000  15744 'serenum'            'serenum'    '\\Driver\\serenum'
0x0250f378    3    0 0xf87ea000  57216 'vmx_svga'           'vmx_svga'   '\\Driver\\vmx_svga'
0x0250f9f8    4    0 0xf879a000  64512 'Serial'             'Serial'     '\\Driver\\Serial'
0x02517c78    3    0 0xf888a000  40576 'NDProxy'            'NDProxy'    '\\Driver\\NDProxy'
0x02519778    4    0 0xf840f000 574976 'Ntfs'               'Ntfs'       '\\FileSystem\\Ntfs'
0x02519988    3    0 0xf849c000  92288 'KSecDD'             'KSecDD'     '\\Driver\\KSecDD'
0x02519b98    7    0 0xf84b3000  73472 'sr'                 'sr'         '\\FileSystem\\sr'
0x0251ccc8    4    0 0xf86ca000  36352 'Disk'               'Disk'       '\\Driver\\Disk'
0x0253e218    4    0 0xf8aae000  10240 'Compbatt'           'Compbatt'   '\\Driver\\Compbatt'
0x025ab560    5    0 0x00000000      0                      'RAW'        '\\FileSystem\\RAW'
0x025acf38   81    0 0xf855a000  68224 'PCI'                'PCI'        '\\Driver\\PCI'
0x025af2d8    4    0 0x00000000      0 '\\Driver\\ACPI_HAL' 'ACPI_HAL'   '\\Driver\\ACPI_HAL'
0x025c5308    4    0 0xf869a000  37248 'isapnp'             'isapnp'     '\\Driver\\isapnp'
0x025e2980   64    0 0xf856b000 187776 'ACPI'               'ACPI'       '\\Driver\\ACPI'
0x025e6ce8    4    0 0x00000000      0 '\\Driver\\WMIxWDM'  'WMIxWDM'    '\\Driver\\WMIxWDM'
0x025eb290   65    0 0x00000000      0 '\\Driver\\PnpManager' 'PnpManager' '\\Driver\\PnpManager'

Using the driverirp Volatility command we can output a driver's IRP (major function) table; here we can see a driver (imjvxcsr.sys) associated with the misspelled Micorsoft Windows Service:

0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE                        0xf89541b8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE_NAMED_PIPE             0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CLOSE                         0xf89541b8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_READ                          0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_WRITE                         0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_INFORMATION             0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_INFORMATION               0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_EA                      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_EA                        0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_FLUSH_BUFFERS                 0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_VOLUME_INFORMATION      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_VOLUME_INFORMATION        0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_DIRECTORY_CONTROL             0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_FILE_SYSTEM_CONTROL           0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_DEVICE_CONTROL                0xf89541d8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_INTERNAL_DEVICE_CONTROL       0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SHUTDOWN                      0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_LOCK_CONTROL                  0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CLEANUP                       0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_CREATE_MAILSLOT               0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_SECURITY                0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_SECURITY                  0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_POWER                         0xf89541b8   imjvxcsr.sys     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SYSTEM_CONTROL                0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_DEVICE_CHANGE                 0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_QUERY_QUOTA                   0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_SET_QUOTA                     0x804f355a   ntoskrnl.exe     -            -
0xf8952000   'Micorsoft Windows Service' IRP_MJ_PNP                           0x804f355a   ntoskrnl.exe     -            -

Hooks

If we review the Hooks tab in Audit Viewer or the Hooks section in Redline, and in particular the System Service Descriptor Table hooks, we see the driver (imjvxcsr.sys) identified in the previous section.


This can also be verified using the Volatility ssdt command or the threads -F HookedSSDT command.

ssdt command
Entry 0x0029: 0xf89546ac (NtCreateKey) owned by imjvxcsr.sys
Entry 0x0077: 0xf8954562 (NtOpenKey) owned by imjvxcsr.sys

threads -F HookedSSDT command

ETHREAD: 0x81f1cbc8 Pid: 692 Tid: 3980
Tags: HookedSSDT
Created: 2012-01-11 22:18:34
Exited: -
Owning Process: 0x81ef7880 'services.exe'
Attached Process: 0x81ef7880 'services.exe'
State: Waiting:WrQueue
BasePriority: 0x9
Priority: 0x9
TEB: 0x7ffd9000
StartAddress: 0x7c8106f9
ServiceTable: 0x80553020
  [0] 0x80501b9c
      [0x29] NtCreateKey 0xf89546ac imjvxcsr.sys
      [0x77] NtOpenKey 0xf8954562 imjvxcsr.sys
  [1] -
  [2] -
  [3] -
Win32Thread: 0x00000000
CrossThreadFlags:
Eip: 0x7c90e514
  eax=0x77e76c7d ebx=0xffffffff ecx=0x00090640 edx=0x0072fb78 esi=0x000ac2e8 edi=0x00000000
  eip=0x7c90e514 esp=0x006efeac ebp=0x006efed8 err=0x00000000
  cs=0x1b ss=0x23 ds=0x23 es=0x23 gs=0x00 efl=0x00000246
  dr0=0x00000000 dr1=0x00000000 dr2=0x00000000 dr3=0x00000000 dr6=0x00000000 dr7=0x00000000
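As an added example, not part of the original post, a small Python parser over the ssdt output above: it reports any entry owned by a module other than the ones assumed to legitimately own SSDT entries on this XP host (ntoskrnl.exe and win32k.sys). The clean entry in the embedded sample is constructed.

```python
import re

# One line of Volatility's ssdt output, in the shape quoted above.
SSDT_LINE = re.compile(
    r"Entry\s+0x(?P<index>[0-9a-fA-F]+):\s+0x(?P<addr>[0-9a-fA-F]+)\s+"
    r"\((?P<func>\w+)\)\s+owned by\s+(?P<owner>\S+)"
)

# Assumed legitimate owners: the kernel (native table) and win32k.sys
# (shadow table). Anything else owning an entry is worth a look.
EXPECTED_OWNERS = {"ntoskrnl.exe", "win32k.sys"}


def parse_ssdt(output):
    """Parse ssdt plugin output into a list of entry dicts."""
    entries = []
    for line in output.splitlines():
        m = SSDT_LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["index"] = int(rec["index"], 16)
            entries.append(rec)
    return entries


def hooked_entries(output):
    """Entries whose owning module is not an expected kernel module."""
    return [e for e in parse_ssdt(output) if e["owner"].lower() not in EXPECTED_OWNERS]


def hooking_modules(output):
    """Map each unexpected owner to the syscalls it now services."""
    result = {}
    for e in hooked_entries(output):
        result.setdefault(e["owner"], []).append(e["func"])
    return result


# Constructed sample: the two hooked entries from the post plus one clean,
# kernel-owned entry (address made up) to show it is not flagged.
SAMPLE = """\
Entry 0x0000: 0x80594d26 (NtAcceptConnectPort) owned by ntoskrnl.exe
Entry 0x0029: 0xf89546ac (NtCreateKey) owned by imjvxcsr.sys
Entry 0x0077: 0xf8954562 (NtOpenKey) owned by imjvxcsr.sys
"""

if __name__ == "__main__":
    for mod, funcs in hooking_modules(SAMPLE).items():
        print(f"{mod} hooks: {', '.join(funcs)}")
```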

Part 3 Building an IOC to follow.

Wednesday, January 18, 2012

Ramnit, Zeus and the BAT! Part 1

Please note the samples analysed were provided by Andre M. DiMino @sempersecurus (http://sempersecurus.org).

Sample No   MD5                                 Executable name
Sample1     2f5d28f9792c7d114bed7fdcec00f550    Sample1.exe
Sample2     76991eefea6cb01e1d7435ae973858e6    Sample2.exe

Initial File Analysis

Initial analysis of the files shows that both files are packed using UPX and import 3 libraries:

  • Kernel32.dll: 6 functions (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess)
  • Comctl32.dll: 1 function (InitCommonControls)
  • SHLWAPI.dll: 1 function (StrCharA)

Dynamic Analysis

Both samples were analysed dynamically using monitoring tools (CaptureBat.exe and Preservation; see Malware Analysis Cookbook, Chapter 9).

The process below was used to set up the environment:

  • Start monitoring tools (see Preservation and CaptureBat section below)
  • Execute samples
  • Snapshot Virtual Machine

After the final stage was completed the VM was rolled back to a previous state and the same process was used for the next sample.

Monitoring Tools

The analysis was conducted by first executing preservation.exe with its ln argument; this logs everything to the c:\preservation\ directory.

CaptureBat was executed next and configured to capture file, process and registry access as well as network activity, using the following arguments:

capturebat.exe -cn -l c:\preservation\Capture.txt

Initial Log Review

Preservation Output

Please note: various sections of the log below have been removed.

Upon initial execution of Sample1.exe we can see it starts an instance of the svchost.exe process (PID 4048).

[PROCESS START] explorer.exe (PID:2140) started Sample1.exe (PID 2496)
[THREAD START] explorer.exe (PID:2140) started thread (TID 2520)
[IMAGE LOAD] Sample1.exe (PID:2496) loaded \Device\HarddiskVolume1\Documents and Settings\nosuchuser\Desktop\ramnit\Sample1.exe


First SVCHOST Instance

[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 4048)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 1244)
[IMAGE LOAD] svchost.exe (PID:4048) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

Second SVCHOST Instance

The malware sample then starts another instance of svchost.exe (PID 2384).

[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 2384)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 3020)
[IMAGE LOAD] svchost.exe (PID:2384) loaded \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

Sample1 Third Process Initiated

Sample 1 then goes on to create another pseudo-randomly named executable in the \Temp directory. The pseudo-random nature was observed by restoring the VM to a previous state and re-infecting the machine with the same sample: each time the file has the same name apart from the last 2 characters. My assumption at this point is that the file name is created using some information from the host machine.

On the infected host the following remained static across a number of infections: sggjahylqiethd<XX>.exe

After the randomly named executable is started, the original executable Sample1.exe is terminated.

Reviewing the log below also shows that services.exe starts a new service; during each infection the service name was identical, the misspelled:

Micorsoft Windows Service

After the service starts we then see System (PID:4) load a suspicious driver, imjvxcsr.sys, from the Temp directory.

[PROCESS START] Sample1.exe (PID:2496) started sggjahylqiethdj (PID 3900)
[THREAD START] Sample1.exe (PID:2496) started thread (TID 2972)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \Device\HarddiskVolume1\DOCUME~1\nosuchuser\LOCALS~1\Temp\sggjahylqiethdjp.exe
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \SystemRoot\System32\ntdll.dll
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\kernel32.dll
[PROCESS TERMINATE] Sample1.exe (PID:2496) terminating Sample1.exe (PID 2496)
[THREAD START] System (PID:4) started thread (TID 1416)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\comctl32.dll
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \WINDOWS\system32\advapi32.dll
[THREAD START] System (PID:4) started thread (TID 2900)
[THREAD START] services.exe (PID:760) started thread (TID 3968)
[DRIVER LOAD] services.exe (PID:760) loading driver \Registry\Machine\System\CurrentControlSet\Services\Micorsoft Windows Service
----Removed Multiple Thread Starts and Image Loads ----

[IMAGE LOAD] System (PID:4) loaded \??\C:\DOCUME~1\nosuchuser\LOCALS~1\Temp\imjvxcsr.sys
[FILE DELETE] System (PID:4) deleting file \systemroot\temp\3ab95fd5
[THREAD START] System (PID:4) started thread (TID 4020)
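As an added example, not from the original post, a Python routine that reconstructs the process lineage and image/driver loads from the Preservation records above, then picks out the drop-then-load pattern (an image or driver loaded from a Temp directory). The embedded excerpt is constructed from the lines quoted, and the record regexes are an assumption about the general log format.

```python
import re

# Record shapes as quoted above (assumed to hold for Preservation output generally).
START = re.compile(r"\[PROCESS START\] (?P<parent>\S+) \(PID:(?P<ppid>\d+)\) "
                   r"started (?P<child>\S+) \(PID (?P<pid>\d+)\)")
TERM = re.compile(r"\[PROCESS TERMINATE\] \S+ \(PID:\d+\) terminating \S+ \(PID (?P<pid>\d+)\)")
LOAD = re.compile(r"\[(?:IMAGE|DRIVER) LOAD\] \S+ \(PID:(?P<pid>\d+)\) "
                  r"load(?:ed|ing)(?: driver)? (?P<path>.+)$")


def build_tree(log_text):
    """Return (children, terminated, loads): parent PID -> [(child PID, name)],
    the set of PIDs that exited, and PID -> [paths it loaded]."""
    children, terminated, loads = {}, set(), {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := START.match(line):
            children.setdefault(int(m["ppid"]), []).append((int(m["pid"]), m["child"]))
        elif m := TERM.match(line):
            terminated.add(int(m["pid"]))
        elif m := LOAD.match(line):
            loads.setdefault(int(m["pid"]), []).append(m["path"])
    return children, terminated, loads


def suspicious_loads(loads):
    """Images or drivers loaded from a Temp directory, in log order."""
    return [p for paths in loads.values() for p in paths if "\\temp\\" in p.lower()]


# Constructed excerpt of the Preservation records quoted above.
PRESERVATION_LOG = r"""
[PROCESS START] explorer.exe (PID:2140) started Sample1.exe (PID 2496)
[IMAGE LOAD] Sample1.exe (PID:2496) loaded \Device\HarddiskVolume1\Documents and Settings\nosuchuser\Desktop\ramnit\Sample1.exe
[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 4048)
[PROCESS START] Sample1.exe (PID:2496) started svchost.exe (PID 2384)
[PROCESS START] Sample1.exe (PID:2496) started sggjahylqiethdj (PID 3900)
[IMAGE LOAD] sggjahylqiethdj (PID:3900) loaded \Device\HarddiskVolume1\DOCUME~1\nosuchuser\LOCALS~1\Temp\sggjahylqiethdjp.exe
[PROCESS TERMINATE] Sample1.exe (PID:2496) terminating Sample1.exe (PID 2496)
[DRIVER LOAD] services.exe (PID:760) loading driver \Registry\Machine\System\CurrentControlSet\Services\Micorsoft Windows Service
[IMAGE LOAD] System (PID:4) loaded \??\C:\DOCUME~1\nosuchuser\LOCALS~1\Temp\imjvxcsr.sys
"""

if __name__ == "__main__":
    kids, gone, loaded = build_tree(PRESERVATION_LOG)
    for parent, entries in kids.items():
        for pid, name in entries:
            print(f"{parent} -> {pid} {name}{' (terminated)' if pid in gone else ''}")
    for path in suspicious_loads(loaded):
        print("loaded from Temp:", path)
```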

CaptureBat Output

The CaptureBat log has all the artifacts identified above with the addition of registry entries, file creation and network activity.

A number of other observations can be made from the log below:

  • An additional executable (bbioufwf.exe) is created on the file system
  • The file is added to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key
  • The file is also added to the user's Startup folder for persistence (note that when reviewing the file system this file does not appear, due to the rootkit)
  • A number of logs are written to by svchost on the local system (log names again appear to be pseudo-randomly generated)
  • A number of temporary files, ~TM<N>.tmp, are created in the Temp folder. These contain some references to IE cookies but also appear to contain encrypted data
  • svchost also infects a number of files located in the Program Files directory

"16/1/2012 13:16:30.23","file","Write","System","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\bbioufwf.exe"
"16/1/2012 13:16:30.616","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BbiOufwf"
"16/1/2012 13:16:27.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Start Menu\Programs\Startup\bbioufwf.exe"
"16/1/2012 13:16:27.429","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\cclgvecb.log"
"16/1/2012 13:16:27.491","file","Delete","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\px3.tmp"
"16/1/2012 13:16:34.601","file","Write","C:\Documents and Settings\nosuchuser\Local Settings\Temp\sggjahylqiethdjp.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\imjvxcsr.sys"
"16/1/2012 13:17:30.929","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\hlgbbwvv.log"
"16/1/2012 13:17:31.804","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\dsstrbjb.log"
"16/1/2012 13:17:37.7","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\~TM4.tmp"
"16/1/2012 13:20:34.335","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Acrobat_com\Acrobat_com.exe"
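As an added example, not from the original post, a small Python triage pass over CaptureBat records like the ones above: it reads the CSV fields (timestamp, type, operation, process, target) and labels the Run key and Startup folder persistence, the driver dropped into Temp, and the svchost write into Program Files listed earlier. The finding labels and path rules are my own, and the embedded excerpt is constructed from the lines quoted.

```python
import csv
import io


def classify(kind, op, process, target):
    """Label one CaptureBat record; '' when no rule applies.
    Paths are compared case-insensitively (rules are assumptions, not CaptureBat's)."""
    t, p = target.lower(), process.lower()
    if kind == "registry" and op == "SetValueKey" and "\\currentversion\\run\\" in t:
        return "run_key_persistence"
    if kind == "file" and op == "Write":
        if "\\start menu\\programs\\startup\\" in t:
            return "startup_folder_persistence"
        if t.endswith(".sys") and "\\temp\\" in t:
            return "driver_dropped_in_temp"
        if t.endswith(".exe") and t.startswith("c:\\program files\\") and p.endswith("\\svchost.exe"):
            return "program_files_exe_modified"   # file-infector behaviour
        if t.endswith(".exe") and ("\\temp\\" in t or "\\application data\\" in t):
            return "exe_written_to_user_profile"
    return ""


def triage(log_text):
    """Parse CaptureBat CSV lines and return the records that match a rule."""
    findings = []
    for row in csv.reader(io.StringIO(log_text.strip())):
        if len(row) != 5:
            continue  # blank or truncated line
        ts, kind, op, process, target = row
        label = classify(kind, op, process, target)
        if label:
            findings.append({"time": ts, "process": process, "target": target, "finding": label})
    return findings


# Constructed excerpt of the CaptureBat log quoted above.
CAPTURE_LOG = r"""
"16/1/2012 13:16:30.23","file","Write","System","C:\Documents and Settings\nosuchuser\Local Settings\Application Data\sutykcno\bbioufwf.exe"
"16/1/2012 13:16:30.616","registry","SetValueKey","C:\WINDOWS\system32\svchost.exe","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BbiOufwf"
"16/1/2012 13:16:27.398","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Documents and Settings\nosuchuser\Start Menu\Programs\Startup\bbioufwf.exe"
"16/1/2012 13:16:34.601","file","Write","C:\Documents and Settings\nosuchuser\Local Settings\Temp\sggjahylqiethdjp.exe","C:\Documents and Settings\nosuchuser\Local Settings\Temp\imjvxcsr.sys"
"16/1/2012 13:20:34.335","file","Write","C:\WINDOWS\system32\svchost.exe","C:\Program Files\Adobe\Acrobat_com\Acrobat_com.exe"
"""

if __name__ == "__main__":
    for f in triage(CAPTURE_LOG):
        print(f"{f['time']}  {f['finding']:28} {f['target']}")
```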

Part 2 Memory Analysis to follow.