Resume
At this point we found or self in the last state of our analysis where we are going to understand what does the Malware once it is injected and it starts to do the real Malware actions to the victim machine.
We have seen before that in section .data that provides as some idea of what kind of actions it can takes:
- Anti-virus detection
- IRC commands: USER, NICK, JOIN, PART, PRIVMSG, QUIT, PONG, PING, PRIVMSG
- Browsers injection: i e x p l o r e . e x e f i r e f o x . e x e
Registers (persistent):
- S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ R u n
- S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ P o l i c i e s \ S y s t e m
- S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ R u n
Auto Update
Hijacking
DDOS: SYN flood, UDP flood.
Propagation:
- USB
- Malicious HTML injection
- FTP brute force
- DNS poisoning
- Network Shared folder
Credential stealing
Attach to iExplorer
To be able to keep debugging the new injected code. As we saw before it receives input parameters that we will not be capable of provided if we just execute the dump executable. So to stop just in the malicious startAddress what I did was:
- Stop just before “CreateRemoteThread” execution
- Attach to iExlorer and set a breakpoint in the malicious start address:
- Execute call “CreateRemoteThread” and switch to iExplorer debugger to keep debugging.
Note: we know the start address (startAddress != entry-point) because it was passed as argument to “CreateRemoteThread” 10BC374
- In iExplorer debug process to be able to debug just the malicious code in a comfortable way, I suggest to identify and suspend iExplore’s thread who is in charge of the thread management (it will the only which is active).
IExplorer Injected code analysis
An interesting thing that we can see is that the execution is not going to start from the PE Entry-point (0040B090) otherwise it will start from the address (0040C374) as we identified when the RemoteThread was launch. That indicates that it will inject piece of code depending of what actions it pretends to do in an irregular flow.
Scenario set up
The first actions it does once it is injected are the followed:
- Loads all the DLL’s function that it will need.
- Privilege escalation:
- In order to provide itself “SeDebugPrivilege” it does as follow:
- First of all it opens a process token which will be its own token because OpenProcessToken receive as handler parameter “FFFFFFFF” which is a Pseudo handler of “GetCurrentProcess”.
- It checks if it has been injected in a process with “SeDebugPrivilege”.
- If not it will modify the privileges.
- Hooking Ntdll API
Note: it will not affect the other processes but as it tries to inject everywhere …
- ZwResumeThread
- LdrLoadDll
Threads nightmare
At this point the code will be executed by pieces creating different threads to do specific tasks. At the beginning it will create two new threads which will point different code blocks that at the same time they will create more threads :S. Coming up next it will be schematized the different threads that I was able to identified and what functionalities are assigned to each one.
- Get system information, address: 010BB2F0 (0040B2F0)
- Inject itself in other process, address: 010BCE58 (0040CE58)
- Thread launcher, address: 010B8B20 (00408B20)
- Botnet communication, address: 010B91E0 (004091E0)
- Create Windows address: 010BAB60 (0040AB60)
- Orders deliverer: Creates Pipe and launch the orders switch thread. Address 010B8D00 (00408D00)
- Orders switch, address: 010B8DD0 (00408DD0)
Modules and Features
Now it is going to wait for orders from the bot master. As we have seen all the IRCs servers are down so we only can analyse the static code of each important functionality that we have mentioned before.
Note: As the code is fragmented and it is quite long the fastest way to find interesting function is to check the String and find where they are in used.
Rootkit
The Malware comes with rootkit component to hide its presence in the infected machine. The Malware injects code into all running processes in the machine and hooks different APIs such as:
- wininet.dll.InternetWriteFile
- wininet.dll.HttpSendRequestW
- wininet.dll.HttpSendRequestA
- ws2_32.dll.getaddrinfo
- ws2_32.dll.send
- nspr4.dll.PR_Write
- kernel32.dll.CopyFileW
- kernel32.dll.CopyFileA
- kernel32.dll.CreateFileW
- kernel32.dll.CreateFileA
- kernel32.dll.MoveFileW
- kernel32.dll.MoveFileA
With the hooks, the Malware has the power to intercept the browser activities of the victim, steal credentials, instruct the bot for further download of Malware by the remote attacker etc.
Ruskill
The Ruskill module will, if enabled for a download command, monitor the downloaded files as it executes. Ruskill will flag any files that it copies itself or creates to be deleted at the next system reboot by the module pdef and it will notify his master of each detection (file, DNS or registry modification).
Proactive defence
The PDef module is an advanced threat detection and removal system. It monitors a range of file and networking API’s to detect and neutralize other threats that are running on the system. Currently this module can detect, block and remove Malware that spreads via USB drives, browser exploit packs, and bots that use IRC to communicate.
DNS Modifier
This module can block domains from being accessed and redirect domains/IP addresses to others.
Slowloris
This module is for web servers running Apache HTTPd. It’s designed to use low bandwidth and to maintain connections as long as possible, thus consuming all available resources.
SYN Flood
This module is also design to target web servers running Apache HTTPd. It is a form of DDOS in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
The SYN flood module is good alternative for web servers that Slowloris fails to take down.
UDP Flood
The main intention of a UDP flood is to saturate the Internet pipe. Another impact of this attack is on the network and security elements on the way to the target server, and most typically the firewalls. Firewalls open a state for each UDP packet and will be overwhelmed by the flood connections very fast.
Browser Login Grabber
This module hooks nspr4.dll and analyses POST requests made by web browser to capture usernames and passwords on the fly.
FTP Login Grabber
This module hooks ws2_32!send to grab the FTP logins as they are used.
MSN Spreader
The module also hooks ws2_32!send to detect MSN messages being send. It will then monitor outgoing messages and wait until a determinate number messages are sent to replace one with a custom spread message (a link to download the Malware).
USB Spreader
It waits for USB devices to be plugged and then attempts to infect it using multiple .lnk methods and an obfuscated “autorun” file. Following we can see an example of an “autorun” file:
[autorun]
shell\open\command=
shell\explore\command=
con=shell32.dll,7
useautoplay=1
action=Open folder to view files
shellexecute=
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %%cd%%%s
/c "start %%cd%%RECYCLER\%s
Conclusion
Finally we have already finished of fantastic analysis of the “NrgBot”. The fist time I saw it I have to confess that I thought that it was just another regular bot but as we have seen it much more than that. So the moral is to never underestimate a new sample and let your curiosity flow freely :).
With this series of post I pretended to show how I usually proceed when I faced a new Malware analysis and I hope that it has been illustrative for all the reader.
Tools
* IDA pro
* Wireshark