One wrong click…
Techniques to analyze malicious code
Tyler Hudak
What we will cover
Techniques to “externally” analyze malware
General do’s and don’ts of analysis
An analysis of an actual malware in the wild
What we will NOT cover
How to debug / disassemble malware
Every possible tool available
Every possible malware infection vector
Malware obfuscation or anti-forensics techniques
WARNING!!!
The examples used within are real-world examples.
If you go to these sites with an unprotected machine you WILL get infected.
You have been warned.
Why learn malware analysis?
Eventually you will find unknown malware in your systems
You can either wait for the AV companies to analyze it or do it yourself
It’s fun!!!
Our lab
You should ALWAYS analyze malware on a “throw away” system
NEVER use a machine on a production network
VMWare is an excellent tool for this:
• Can easily restore to a previous point in time
• Can control network access of virtual OS
• Images allow re-use
• Almost limitless OSes available (Windows, Linux, Solaris, Netware, *BSD, MS-DOS, …)
Our lab
Host OS: Mandriva Linux LE 2005
Guest OS: Win XP SP1 (installed from disk – no patches)
NAT networking
[Network diagram labels: Host OS, Guest OS, 192.168.1.1, 192.168.1.2]
Our situation
User complains about slow PC or IDS picks up unusual activity
Investigating shows unknown processes running on PC
Looking through web logs/Internet cache shows access to suspicious site
http://play.joyiex.com/love.htm
Let’s begin!
Copying malware off
In initial stages, you would normally copy the unknown process/files off and do analysis on them before anything else.
For the sake of the presentation, let’s pretend you can’t do that.
Checking out the site
We need to check out the site the user went to
Never go to the site in a web browser
Download the source page using a tool (wget, curl, etc)
love.htm
love.htm opens up three 0 by 0 iframes to download three more web pages
This is a commonly used technique by spyware to load malicious code
Use wget to download the other three to analyze
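Once the page source has been saved with wget or curl, the invisible iframes can be listed without ever rendering the page. The following is an added example, not part of the original presentation; the sample HTML is constructed and the host suspicious.example is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed stand-in for a page saved with wget/curl (not the real love.htm).
SAMPLE_HTML = """<html><body>Welcome
<iframe src="ip.htm" width="0" height="0"></iframe>
<IFRAME SRC='zx.htm' WIDTH=0 HEIGHT=0></IFRAME>
<iframe src="sp2/sp3.htm" style="display: none"></iframe>
<iframe src="banner.htm" width="468" height="60"></iframe>
</body></html>"""
BASE_URL = "http://suspicious.example/love.htm"  # placeholder host

ZERO = re.compile(r"0+(\.0+)?(px|%)?$")
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*:\s*0(px)?\s*(;|$)",
    re.I,
)

class IframeCollector(HTMLParser):
    """Collects every iframe with its resolved URL and whether it is invisible."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # the parser lower-cases tag and attribute names
            return
        a = {name: (value or "").strip() for name, value in attrs}
        zero_size = any(ZERO.match(a.get(dim, "")) for dim in ("width", "height"))
        hidden = zero_size or bool(HIDDEN_CSS.search(a.get("style", "")))
        url = urljoin(self.base_url, a.get("src", ""))
        self.frames.append({"url": url, "hidden": hidden})

def find_iframes(html, base_url):
    parser = IframeCollector(base_url)
    parser.feed(html)
    parser.close()
    return parser.frames

def next_urls(html, base_url):
    """URLs to fetch next with wget/curl: the frames a visitor would never see."""
    return [f["url"] for f in find_iframes(html, base_url) if f["hidden"]]

if __name__ == "__main__":
    for url in next_urls(SAMPLE_HTML, BASE_URL):
        print(url)
```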
ip.htm
Runs JavaScript from union1.50bang.com
Sends information about your computer (browser, screen resolution, color depth) to www.50bang.com
Sets a cookie with a unique ID
50bang.com is in China – the same as joyiex.com
zx.htm
Contains obfuscated JavaScript that gets executed
Cannot tell what the JavaScript does
However, modifying the code and loading it into a browser reveals what it does
zx.htm modified
Code is modified to display a popup instead of writing the decoded JavaScript
zx.htm decoded
zx.htm JavaScript uses a known vulnerability (MS04-013) to trick IE into executing a CHM file in the local zone context
This allows malicious code – zx.htm within zx.chm in this case – to be downloaded and executed on the local machine.
More information on MS04-013 at http://www.securityfocus.com/bid/9658/info.
Use wget to download zx.chm to examine
zx.chm
We’d like to look at zx.chm to see what it does but it will most likely execute malicious code upon opening
Use KeyTools Utilities from KeyWorks Software to decompile CHM file
Do NOT use the ‘Examine CHM File’ option as it may launch the malicious code
Use the ‘Decompile’ Option
zx.chm decompiled
Decompiling finds 3 files
zx.exe (18,540 bytes) – we’ll see this later
zx.htm – HTML file which runs zx.exe
zx.hhp – MS Help Project file (created by KeyTools)
sp2/sp3.htm
Calls a variant of a Windows XP SP2 remote execution technique (patched by MS05-001)
Uses multiple vulnerabilities to execute bbs003302.gif (encoded vbscript)
Not sure what bbs003302.gif does, but can wager a guess that it executes bbs003302.css. But what does that do?
File analysis
Lots of tools that should be used to analyze a file
Run ‘file’ against it to see what it is
Should hash the file as well using your favorite cryptographic hash
Can google for the hash and hope for results
String Analysis
Look for any readable strings in the executable using ‘strings’ or ‘bintext’ from Foundstone
Not many readable strings in bbs003302.css, but it looks to be packed with FSG
Packed executables
Programs are available which “pack” executables, making them smaller and harder to analyze
• upx, aspack, fsg, etc
Have to download an unpacker or else dump it from memory
bbs003302.css is packed with FSG (look for FSG! in file)
Use unfsg2.0 to unpack and run through bintext again
Unpacked bbs003302.css
Lots of references to registry entries within the unpacked file
Appears to overwrite registry entries to an unknown value
Also looks like it will start up on boot
References osrss.exe and coniem.exe
What do we know so far?
Go to website and three web pages open
One of the pages sends information about
your computer to China
Two others launch exploits and execute code
on your local machine
So – let’s go to the site and see what happens!
Before Infection
Need to do a couple of steps before we infect our VMWare image
1. Create a snapshot of our image
2. Set up a sniffer
3. Set up the tools on our VMWare image
Sniffer
Want to record any network traffic from our malware
Use whatever sniffer you prefer (tcpdump, Ethereal, Snort, etc)
Capture entire packet for reconstruction later
Regshot
Takes and compares snapshots of the registry entries and files on a computer
We’ll take a snapshot before and after infection
From this any new/modified/deleted files will be found
Regmon / Filemon / TDIMon
Monitors registry, file access and network access on a computer
We can use this to find out what process is doing what
All are available from www.sysinternals.com
Let’s get infected!
Once our tools are set up and running we can go to the website and get infected.
After a minute or two we stop the tools and begin analysis.
Post Infection Steps
Run second regshot and compare
Run post-infection tools
Save data off of VMWare image
Pause VMWare
Analyze
Regshot Compare
The regshot compare showed a number of interesting things
New files:
C:\WINDOWS\system32\he1p.exe
C:\WINDOWS\system32\she11.dll
C:\WINDOWS\OSRSS.exe
C:\arcldrer.exe
Regshot Compare
New / changed registry entries
HKU\<USER>\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe: "C:\WINDOWS\OSRSS.exe"
HKU\<USER>\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: "1"
HKU\<USER>\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage: "1"
HKLM\SOFTWARE\Classes\txtfile\shell\open\command\: "C:\WINDOWS\System32\he1p.exe "%1""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: "0"
Post infection tools
pslist
Dumps current process list
Shows OSRSS running
Does not show any of the other added files running
Post infection tools
F-port
Shows what programs are listening on what ports
Does not see any unusual processes listening on a port
What we know so far
The infection caused 4 files to appear
Only 1 file is currently running
Nothing is listening on the network
OSRSS.exe is set to start on boot
he1p.exe will run whenever a .txt file is
opened
A number of Windows items were locked
down to prevent us from fixing things easily
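The reading of the Regshot compare summarized above can be reproduced mechanically: label each registry change by what it does and note which dropped file it points at. This is an added example, not part of the original presentation; the category labels and rule patterns are its own assumptions, and the input is the slide's Regshot entries retyped as constructed sample data.

```python
import re

# Constructed input: the Regshot results from this analysis, one entry per line.
NEW_FILES = [r"C:\WINDOWS\system32\he1p.exe", r"C:\WINDOWS\system32\she11.dll",
             r"C:\WINDOWS\OSRSS.exe", r"C:\arcldrer.exe"]
REG_CHANGES = [
    r'HKU\<USER>\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe: "C:\WINDOWS\OSRSS.exe"',
    r'HKU\<USER>\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: "1"',
    r'HKU\<USER>\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage: "1"',
    r'HKLM\SOFTWARE\Classes\txtfile\shell\open\command\: "C:\WINDOWS\System32\he1p.exe "%1""',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: "0"',
]

# (category, key-path pattern) pairs; the categories are this example's own labels.
RULES = [
    ("autostart", r"\\CurrentVersion\\Run(Once)?\\"),
    ("file-association hijack", r"\\shell\\open\\command\\"),
    ("lockdown", r"\\Policies\\system\\DisableTaskMgr$"),
    ("lockdown", r"\\Internet Explorer\\Control Panel\\HomePage$"),
    ("hide files", r"\\Hidden\\SHOWALL\\CheckedValue$"),
]

def classify(reg_changes, new_files):
    """Label each registry change and note which dropped file its data points at."""
    findings = []
    for line in reg_changes:
        key, _, data = line.partition(": ")
        category = next((c for c, pat in RULES if re.search(pat, key, re.I)), "other")
        target = next((f for f in new_files if f.lower() in data.lower()), None)
        findings.append({"category": category, "key": key, "data": data, "target": target})
    return findings

def unreferenced(findings, new_files):
    """Dropped files that no registry change points at."""
    used = {f["target"] for f in findings if f["target"]}
    return [f for f in new_files if f not in used]

if __name__ == "__main__":
    results = classify(REG_CHANGES, NEW_FILES)
    for r in results:
        print(f'{r["category"]:<24} {r["target"] or "-":<32} {r["key"]}')
    print("not referenced:", unreferenced(results, NEW_FILES))
```

Files that come back as unreferenced are not started by any of the changed keys, so their role has to come from the process and file monitoring logs instead.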
Copying
Next we copy all of our data off of the image
Make sure you grab any new files as well
Use VMWare’s Shared Folders, SSH or FTP
Once finished, pause VMWare image
File analysis
4 files were created from the infection
It might be useful to look at them before we proceed
Notice that the file sizes on three of the files are the same, and are the same as zx.exe.
This is very unusual – they could be the same file.
File analysis
• Next, ‘file’ is run against them.
• The three files are Windows executables.
• she11.dll is a text file containing
“http://www.joyiex.com”
File analysis
• Finally, check the md5sum of each file.
• The same hash on the exe’s means they are the same file
• A quick look with bintext shows these are packed with
FSG as well.
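The file-analysis steps from both File analysis passages (identify the type, hash, pull strings, look for the FSG! marker, compare hashes across files) fit in one triage pass. This is an added example, not part of the original presentation; the files it examines are constructed stand-ins written to a temporary directory, not the real samples.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

def triage(path):
    """What `file`, a hash tool and `strings` would tell us, in one record."""
    data = Path(path).read_bytes()
    if data[:2] == b"MZ":
        kind = "Windows executable (MZ header)"
    elif data and all(b in b"\t\r\n" or 32 <= b < 127 for b in data):
        kind = "ASCII text"
    else:
        kind = "data"
    return {
        "name": Path(path).name,
        "size": len(data),
        "type": kind,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "fsg_marker": b"FSG!" in data,  # the marker the slides say to look for
        "strings": [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{6,}", data)],
    }

def identical_groups(reports):
    """Names of files that share a SHA-256, i.e. are byte-for-byte the same."""
    by_hash = defaultdict(list)
    for r in reports:
        by_hash[r["sha256"]].append(r["name"])
    return [sorted(names) for names in by_hash.values() if len(names) > 1]

def run_demo():
    # Constructed stand-ins: an 18,540-byte blob with an MZ header and an FSG!
    # marker written under three names, plus a one-line text file.
    blob = b"MZ" + b"\x00" * 58 + b"FSG!" + b"\x90" * (18540 - 64)
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("he1p.exe", "osrss.exe", "arcldrer.exe"):
            Path(tmp, name).write_bytes(blob)
        Path(tmp, "she11.dll").write_bytes(b"http://www.joyiex.com")
        reports = [triage(p) for p in sorted(Path(tmp).iterdir())]
    return reports, identical_groups(reports)

if __name__ == "__main__":
    reports, groups = run_demo()
    for r in reports:
        marker = "FSG!" if r["fsg_marker"] else "-"
        print(r["name"], r["size"], r["type"], r["md5"], marker, r["strings"])
    print("identical:", groups)
```

An executable that yields almost no strings but carries a packer marker is the cue to unpack it before running the string search again.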
File analysis
• One of the files is unpacked with unfsg2.0 and put through bintext
• Has many of the same strings as seen with bbs003302.css
• However, references to coniem.exe replaced with he1p.exe
• Perhaps different versions of malware?
Timeline
Since we still don’t know much about what the programs did we can look at other logs.
Useful to create a timeline from tdimon, filemon, regmon and ethereal logs.
Load filemon and regmon into spreadsheet and sort by time - they have more accuracy.
You can use this to start your timeline and add in the other logs as you progress.
Timeline
Keep a running log of interesting events for
each process.
Expect to have LOTS of entries to go
through.
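The same merge can be scripted instead of done in a spreadsheet. This is an added example, not part of the original presentation; the pipe-separated four-column input is a constructed simplification of the tools' exports, and the operation names in it are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, simplified exports: time|process|operation|target. Real Filemon,
# Regmon and sniffer output has more columns; reduce it to these four first.
FILEMON = r"""13:04:00.524|zx.exe|CREATE|c:\windows\osrss.exe
13:04:00.539|zx.exe|CREATE|c:\windows\system32\he1p.exe
13:04:01.055|osrss.exe|CREATE|c:\windows\osrss.exe (SHARING VIOLATION)"""
REGMON = r"""13:04:00.477|zx.exe|SetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe
13:04:01.008|osrss.exe|SetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe"""
NETWORK = r"""13:04:02.318|osrss.exe|DNS QUERY|www.cd321.com"""

def parse(source, text):
    """Turn one tool's export into (time, source, process, operation, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, process, operation, target = line.split("|", 3)
        when = datetime.strptime(stamp, "%H:%M:%S.%f").time()
        events.append((when, source, process.lower(), operation, target))
    return events

def build_timeline(**logs):
    """Merge all sources and sort by time; ties keep the order the sources were given in."""
    merged = [event for source, text in logs.items() for event in parse(source, text)]
    return sorted(merged, key=lambda event: event[0])

def per_process(timeline):
    """A running log of events for each process, in time order."""
    log = defaultdict(list)
    for when, source, process, operation, target in timeline:
        stamp = when.isoformat(timespec="milliseconds")
        log[process].append(f"{stamp} [{source}] {operation} {target}")
    return dict(log)

if __name__ == "__main__":
    timeline = build_timeline(filemon=FILEMON, regmon=REGMON, network=NETWORK)
    for process, entries in per_process(timeline).items():
        print(process)
        for entry in entries:
            print("   ", entry)
```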
zx.htm timeline
13:03:49.211 – IE downloads http://play.joyiex.com/love.htm
13:03:49.852 – IE downloads http://play.joyiex.com/zx.htm
13:03:54.568 – IE drops zx.exe into temporary Internet files
13:04:00.247 – IE copies zx.exe into c:\windows\downloaded program files
13:04:00.305 – IE executes zx.exe
zx.htm timeline
13:04:00.477 – 00.524 – zx.exe sets the following registry keys:
• HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1
• HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1
• HKCR\txtfile\shell\open\command\(Default) to "C:\WINDOWS\System32\he1p.exe "%1""
• HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0
13:04:00.524 – zx.exe creates c:\windows\osrss.exe – file size 18,540
13:04:00.539 – zx.exe creates c:\windows\system32\he1p.exe – file size 18,540
zx.htm timeline
13:04:00.789 – zx.exe executes c:\windows\osrss.exe
13:04:01.008 – osrss.exe sets the following registry keys:
• HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1
• HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1
• HKCR\txtfile\shell\open\command\(Default) to "C:\WINDOWS\System32\he1p.exe "%1""
• HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0
13:04:01.055 – osrss.exe tries to create itself but fails (sharing violation)
13:04:01.055 – osrss.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)
zx.htm timeline
13:04:02.318 – osrss.exe makes a DNS query for www.cd321.com
13:04:03.305 – osrss.exe shuts down
13:04:03.524 – IE deletes c:\windows\downloaded program files\zx.exe
sp3.htm timeline
13:03:49.914 – IE downloads http://play.joyiex.com/sp2/sp3.htm
13:03:51.055 - IE downloads http://play.joyiex.com/sp2/bbs003302.gif
13:03:55.414 - IE downloads http://play.joyiex.com/sp2/bbs003302.css
13:04:01.336 - IE executes bbs003302.gif
13:04:01.555 - IE creates c:\ntdetect.hta - length 1,620
sp3.htm timeline
13:04:02.586 - mshta.exe reads c:\ntdetect.hta and executes it
13:04:03.086 - mshta.exe searches for bbs003302.css and finds it
13:04:03.086 - mshta.exe creates c:\arcldrer.exe - length 18,540
13:04:03.149 - c:\arcldrer.exe is executed by mshta.exe
13:04:03.149 - mshta.exe closes c:\ntdetect.hta
sp3.htm timeline
13:04:01.008 – arcldrer.exe sets the following registry keys:
• HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1
• HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1
• HKCR\txtfile\shell\open\command\(Default) to "C:\WINDOWS\System32\he1p.exe "%1""
• HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0
13:04:03.305 - arcldrer.exe recreates c:\windows\osrss.exe
13:04:03.305 - arcldrer.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)
sp3.htm timeline
13:04:03.352 - arcldrer.exe executes c:\windows\osrss.exe
13:04:03.680 - osrss.exe sets registry keys again
13:04:03.493 - osrss.exe tries to create itself but fails (sharing violation)
13:04:03.493 - osrss.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)
13:04:05.273 - osrss.exe downloads http://www.cd321.com/ie1.txt
sp3.htm timeline
13:04:01.008 – osrss.exe sets the following registry keys:
• HKCU\Software\Microsoft\Internet Explorer\Main\Start Page to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1 to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url2 to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url3 to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\Main\Local Page to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\Main\Search Page to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\Main\First Home Page to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\Main\default_page_url to http://www.joyiex.com
• HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL to http://www.joyiex.com
sp3.htm timeline
13:04:05.633 - osrss.exe creates c:\windows\system32\she11.dll
13:04:05.633 - osrss.exe deletes cache file for ie1.txt
13:04:05.993 - osrss.exe sets initial registry keys again
13:04:06.164 - mshta.exe creates c:\cmd.bat - length 79
13:04:06.243 - mshta.exe executes cmd.exe to run cmd.bat
sp3.htm timeline
13:04:06.352 - cmd.bat deletes c:\ntdetect.hta
13:04:06.352 - cmd.bat deletes itself
13:04:06.352 - cmd.exe/cmd.bat stop running
13:04:08.508 - osrss.exe sets registry keys again
13:04:13.539 - osrss.exe sets registry keys again
13:04:18.555 - osrss.exe sets registry keys again
What do we know now?
The site uses multiple exploits in IE to install multiple copies of the same malware and execute it (he1p.exe, osrss.exe, arcldrer.exe)
A number of settings in IE are set to point to www.joyiex.com
osrss.exe will run on boot up
he1p.exe will be executed whenever a .txt file is double-clicked on
The local computer is locked down to prevent settings from being changed or task manager from running
All of this happens in about 17 seconds.
What do we NOT know?
What happens when we double-click on a txt file?
What happens on boot up?
Will the malware do anything else?
Let’s find out!
he1p.exe and txt files
HKCR\txtfile\shell\open\command\(Default) is modified to point to he1p.exe instead of notepad.exe
This registry key defines what application is run when a .txt file is opened
To find out what happens:
Unpause the VMWare image
Start a new sniffer
Take a regshot 1st scan
Start regmon, tdimon and filemon
Double-click on a .txt file
Wait a couple of seconds and then perform analysis
he1p.exe timeline
9:16:32.371 - readme.txt file double-clicked in explorer.exe
9:16:32.403 - explorer.exe opens HKCR\txtfile\shell\open\command\(Default) reg key and sees that it should use he1p.exe
9:16:32.481 - explorer.exe executes he1p.exe
9:16:33.262 - he1p.exe begins setting registry keys
9:16:33.387 - he1p.exe executes notepad.exe
9:16:33.715 - notepad.exe opens readme.txt
he1p.exe timeline
9:16:33.996 - he1p.exe tries to overwrite c:\windows\osrss.exe but fails (sharing violation)
9:16:34.012 - he1p.exe tries to overwrite itself but fails (sharing violation)
9:16:34.012 - currently running copy of osrss.exe shuts down
9:16:34.028 - he1p.exe executes a new copy of osrss.exe
9:16:34.199 - he1p.exe shuts down
he1p.exe results
No network traffic while clicking on the txt file
Monitoring tools don’t show any new activity
Regshot shows no new registry entries or files
he1p.exe doesn’t do anything to the text file – it never even opens it!
osrss.exe will shut down if another copy starts up
Appears that he1p.exe is just put in the txt registry key to re-infect the system
On boot
It can be difficult to start all utilities on boot up (not all support it)
Regshot results would generate A LOT to go through after reboot
We can do the next best thing – kill the process and restart it
This doesn’t cover all possible situations, but should be close enough
On boot
Malware prevents task manager from running, so we have to use pslist and pskill to kill the process
Once the process is confirmed stopped, we set up the monitoring tools again and run the malware
On boot timeline
9:21:01.981 c:\windows\osrss.exe executed
9:21:01.996 osrss.exe checks for c:\windows\system32\she11.dll
9:21:02.028 osrss.exe sets initial registry keys
9:21:02.043 osrss.exe tries to create itself but fails (sharing violation)
9:21:02.043 osrss.exe recreates he1p.exe
9:21:02.043 osrss.exe opens and reads c:\windows\system32\she11.dll
9:21:02.043 osrss.exe sets IE registry keys (homepage, etc)
9:21:04.543 osrss.exe sets initial registry keys again and does so every 2 seconds
On boot results
No networking traffic shows up
Only a modified he1p.exe shows up in regshot
osrss.exe behaves as we have seen it behave thus far
Analysis results
From our analysis of the malware we can conclude the following:
1. Going to http://play.joyiex.com/love.htm with an unpatched IE infected the client with the same malware multiple times.
2. The malware will copy itself to c:\windows\osrss.exe and c:\windows\system32\he1p.exe.
Analysis results
3. Osrss.exe will be set to start on boot.
4. He1p.exe will be run whenever a txt file is opened.
5. The current user will be prevented from running the task manager.
6. The current user will be prevented from changing IE’s homepage.
7. The malware will download http://www.cd321.com/tm/ie1.txt and place the results in c:\windows\system32\she11.dll.
Analysis results
8. The malware will set a number of IE settings (homepage, etc) to the contents of she11.dll.
9. When running, the malware will reset the registry keys every 2-5 seconds.
10. The malware will only allow 1 instance of itself to run at any given time.
11. The malware has a predictable flow of events.
Malware flow
[Flowchart. Box labels: Malware Starts; Startup and Lockdown registry keys set; Am I osrss.exe? (Yes / No); Create osrss.exe; Start osrss.exe and kill my process; Create he1p.exe; If she11.dll does not exist, download contents from www.cd321.com; Set IE registry keys with contents from she11.dll; Set Startup and Lockdown registry keys again]
Virustotal.com results
osrss.exe: variant of IM Lewor worm
bbs003302.css: TR/Dldr.Delf.CQ or variant of IM Lewor worm
bbs003302.gif: Trojan.Phel
More than half of the anti-virus programs didn’t find anything.
More information
Lenny Zeltser’s Reverse Engineering Malware paper
Tom Liston’s Follow the Bouncing Malware series at incidents.org
Honeynet Project’s Reverse Challenge
Hacker Disassembling Uncovered by Kris Kaspersky
Malware: Fighting Malicious Code by Ed Skoudis
The Art of Computer Virus Research and Defense by Peter Szor
Google for: “reverse engineering” or “malware analysis”
Presentation
http://www.hudakville.com/infosec
Questions?