A forum for reverse engineering, OS internals and malware analysis 

 #22453  by rinn
 Fri Mar 14, 2014 4:22 pm
Hello.

Final pack of Turla files: decrypted payload DLLs extracted earlier from the resource container. They share the same encryption as the driver and the other DLLs in the main dropper.

AVs play spy games better than they do their actual work.

https://www.virustotal.com/en/file/099a ... 394813556/
https://www.virustotal.com/en/file/a15c ... 394813576/
https://www.virustotal.com/en/file/564e ... 394813590/
https://www.virustotal.com/en/file/152c ... 394813624/
https://www.virustotal.com/en/file/9611 ... 394813641/
https://www.virustotal.com/en/file/4c8b ... 394813661/

Best Regards,
-rin
Attachment (369.8 KiB), pass: infected
 #22457  by R136a1
 Sat Mar 15, 2014 3:33 pm
Yet again a small comment from my side:

While clearing out my malware archive I found a small analysis of Turla I made in 2012, based on the 2009/2010 samples provided by Xylitol:
http://www.kernelmode.info/forum/viewto ... 6a1#p13574 :)

But my analysis doesn't contain any information that hasn't already been published in great detail, so I just want to add some domains which are not present in the BAE report:
Domains with the same IP address (62.65.252.15):
  • amazon-market.net
  • today-news.ath.cx
  • hotnews.ath.cx
  • allnews.ath.cx
  • today-news.sytes.net
Whois 62.65.252.15
IP Location: Estonia, Tallinn, Starman AS
ASN: AS13272 STARMAN Starman AS (registered May 18, 2000)
Resolve Host: 62.65.252.15.cable.starman.ee
Whois Server: whois.ripe.net
Reverse IP: 1 website uses this address (example: amazon-market.net)

inetnum: 62.65.252.0 - 62.65.252.63
netname: EE-STARMAN-CLIENTS
descr: Starman Internet AS
descr: Server housing
country: EE
admin-c: SI185-RIPE
tech-c: SI185-RIPE
status: ASSIGNED PA
mnt-by: AS13272-MNT
source: RIPE # Filtered

role: Starman Internet
address: Starman AS
address: Akadeemia tee 28
address: 12618 Tallinn
address: Estonia
phone: +372 677 9933
fax-no: +372 677 9921
abuse-mailbox:
remarks: ------------------------------------------------------------------
remarks: all abuse notifications sent to ripe_@_starman.ee WILL BE IGNORED
remarks: ------------------------------------------------------------------
admin-c: MV88-RIPE
tech-c: MV88-RIPE
tech-c: MS19621-RIPE
nic-hdl: SI185-RIPE
mnt-by: AS13272-MNT
source: RIPE # Filtered

route: 62.65.192.0/18
descr: Starman AS
origin: AS13272
mnt-by: AS13272-MNT
source: RIPE # Filtered
 #22458  by EP_X0FF
 Sat Mar 15, 2014 5:19 pm
Well, I can add that the old version of what is now known as Turla wasn't named "Snake" or whatever; it clearly identifies itself as "CARBON SYSTEM", even with a version number, 3.61 in our case (with the malware dating back to October 2009). I have no idea how everybody missed this.

Starting likely from 2009 (the release year of Windows 7, which replaced the totally failed Vista), Turla was equipped with full Windows x64 support, including an x64 rootkit and x64 payload modules, which shifts TDL4 (discovered in July 2010) from first place to second place in the rootkits' "conquer x64" championship.

Modern Turla differs from the older variant not only in the core components' code but also in its new configuration store, a container database. Earlier, all params were stored in something like a cfg file; see the example.
[NAME]
object_id=


[TIME]
user_winmin =  600000
user_winmax = 1200000
sys_winmin = 3600000
sys_winmax = 3700000
task_min = 20000
task_max = 30000
checkmin = 60000
checkmax = 70000
logmin =  600000
logmax = 1200000
lastconnect=
timestop=
active_con = 900000
time2task=3600000


[CW_LOCAL]
quantity = 0

[CW_INET]
quantity = 0


[TRANSPORT]
user_pipe = \\.\pipe\userpipe
system_pipe = \\.\pipe\iehelper


[DHCP]
server = 135


[LOG]
lastsend =
logperiod = 7200

[WORKDATA]
run_task=
run_task_system=
Authors' information:
$Id: t_utils.c 5503 2007-02-26 13:14:30Z vlad $ 
$Id: t_status.c 5666 2007-03-19 16:18:00Z vlad $        
$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $      
$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $       
$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $ 
$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $ 
$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $    
$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $  
$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $   
$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $        
$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $   
$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $   
$Id: thread.c 4593 2006-10-12 11:43:29Z urik $  
$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $ 
$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $   
$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $ 
$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $
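An added example, not code from the post and not from the malware: a small Python parser for the cfg-style configuration quoted above, turning it into the values a responder wants (delay windows in seconds, the named pipes, and the keys left empty). The sample text is the quoted config with blank lines removed; treating each min/max pair as a millisecond delay window, and reading the empty keys as runtime state, are assumptions from the key names, not something the post states.

```python
"""Added example (not from the post): parse the cfg-style configuration
quoted above into the values a responder cares about. The sample text
below is constructed from the quoted config; the meaning of each window
(a delay between min and max milliseconds) is assumed from the key names."""
import configparser

SAMPLE_CFG = r"""[NAME]
object_id=
[TIME]
user_winmin =  600000
user_winmax = 1200000
sys_winmin = 3600000
sys_winmax = 3700000
task_min = 20000
task_max = 30000
checkmin = 60000
checkmax = 70000
logmin =  600000
logmax = 1200000
lastconnect=
timestop=
active_con = 900000
time2task=3600000
[CW_LOCAL]
quantity = 0
[CW_INET]
quantity = 0
[TRANSPORT]
user_pipe = \\.\pipe\userpipe
system_pipe = \\.\pipe\iehelper
[DHCP]
server = 135
[LOG]
lastsend =
logperiod = 7200
[WORKDATA]
run_task=
run_task_system=
"""

# Key pairs in [TIME] that read as millisecond (min, max) windows (assumption).
WINDOW_PAIRS = {
    "user_window": ("user_winmin", "user_winmax"),
    "sys_window": ("sys_winmin", "sys_winmax"),
    "task_window": ("task_min", "task_max"),
    "check_window": ("checkmin", "checkmax"),
    "log_window": ("logmin", "logmax"),
}


def parse_config(text: str) -> dict:
    """Return the windows in seconds, the named pipes, the log period, and the
    keys that are empty in this copy. Empty keys (last connect time, pending
    task) look like runtime state rather than static settings: assumption."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    windows = {}
    for name, (lo_key, hi_key) in WINDOW_PAIRS.items():
        lo, hi = int(cp["TIME"][lo_key]) / 1000, int(cp["TIME"][hi_key]) / 1000
        if lo > hi:  # min above max means a mis-parsed or tampered config
            raise ValueError(f"{name}: min {lo}s exceeds max {hi}s")
        windows[name] = (lo, hi)
    unset = sorted(f"{s}.{k}" for s in cp.sections()
                   for k, v in cp[s].items() if v == "")
    return {
        "windows_s": windows,
        "pipes": dict(cp["TRANSPORT"]),
        "log_period_s": int(cp["LOG"]["logperiod"]),
        "unset": unset,
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CFG)
    for name, (lo, hi) in cfg["windows_s"].items():
        print(f"{name:<13} {lo:>7.0f}s .. {hi:>7.0f}s")
    print("pipes:", cfg["pipes"])
    print("empty keys:", ", ".join(cfg["unset"]))
```

The two pipe names are the cheapest host indicator here, and the user/sys windows (10 to 20 minutes, and about an hour) are the beaconing cadence a detection engineer would look for; the parser refuses a window whose min exceeds its max rather than silently emitting nonsense.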
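An added example, not from the post: the "$Id: ... $" lines above are Subversion keyword expansions, and pulling them out of a binary gives a per-author commit timeline for free. The blob below is constructed from four of the quoted strings plus junk bytes and one truncated keyword; it is not a real sample, and nothing here is taken from a Turla binary beyond the quoted strings.

```python
"""Added example (not from the post): extract SVN $Id keyword strings, like
the ones quoted above, from a binary and summarize them per author. The
blob below is constructed from four of the quoted strings plus junk."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# SVN expands the keyword as: $Id: <file> <rev> <YYYY-MM-DD> <HH:MM:SS>Z <author> $
ID_RE = re.compile(
    rb"\$Id: (?P<file>[\w.\-]+) (?P<rev>\d+) (?P<date>\d{4}-\d{2}-\d{2}) "
    rb"(?P<time>\d{2}:\d{2}:\d{2})Z (?P<author>\w+) \$"
)


@dataclass(frozen=True)
class SvnId:
    file: str
    rev: int
    when: datetime
    author: str


def extract_svn_ids(blob: bytes) -> list:
    """Every well-formed $Id keyword in the blob, ordered by revision number.
    Truncated or edited keywords fail the regex and are skipped."""
    ids = []
    for m in ID_RE.finditer(blob):
        when = datetime.strptime((m["date"] + b" " + m["time"]).decode(),
                                 "%Y-%m-%d %H:%M:%S")
        ids.append(SvnId(m["file"].decode(), int(m["rev"]), when,
                         m["author"].decode()))
    return sorted(ids, key=lambda i: i.rev)


def summarize(ids: list) -> dict:
    """Files touched per author plus the oldest and newest commit seen; the
    date span bounds when the code base was being worked on."""
    if not ids:
        return {"authors": {}, "first": None, "last": None}
    return {
        "authors": dict(Counter(i.author for i in ids)),
        "first": min(ids, key=lambda i: i.when),
        "last": max(ids, key=lambda i: i.when),
    }


# Constructed blob: four quoted keywords, junk bytes and one truncated keyword.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    b"$Id: t_utils.c 5503 2007-02-26 13:14:30Z vlad $\x00"
    b"\xde\xad\xbe\xef"
    b"$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $\x00"
    b"$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $\x00"
    b"$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $\x00"
    b"\x00$Id: t_byte1.c 5324 $\x00"
)

if __name__ == "__main__":
    ids = extract_svn_ids(SAMPLE_BLOB)
    for i in ids:
        print(f"r{i.rev:<6} {i.when:%Y-%m-%d} {i.author:<5} {i.file}")
    s = summarize(ids)
    print(s["authors"], s["first"].when.date(), "->", s["last"].when.date())
```

Run over a whole sample set rather than one file, the revision numbers also let you order builds and spot which modules were touched last before a release; the keywords survive only because the build left them in, so absence proves nothing.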
 #22469  by R136a1
 Tue Mar 18, 2014 2:16 pm
Domain update

After further analyzing the domains of my last post I think that some don't belong to Turla, but instead to the Agent.btz/SillyFDC/Voronezh.1600 worm:

2008 Pentagon attack (offline):
  • worldnews.ath.cx
  • biznews.podzone.org
More (offline):
  • biznews.ath.cx
  • intellicast.ath.cx
New (online):
  • today-news.ath.cx
  • hotnews.ath.cx
  • allnews.ath.cx
 #22577  by natalliad
 Thu Mar 27, 2014 1:38 am
Hi R136a1, thank you for the samples and analysis. Maybe you can help. Where do I find a reference to the used C&C domains? I looked in the DLL injected into a browser but couldn't locate anything. Are they dynamically generated or encrypted? Thanks!
 #22598  by R136a1
 Mon Mar 31, 2014 3:58 pm
natalliad wrote: Hi R136a1, thank you for the samples and analysis. Maybe you can help. Where do I find a reference to the used C&C domains? I looked in the DLL injected into a browser but couldn't locate anything. Are they dynamically generated or encrypted? Thanks!
Good question! All the domains I have posted are from public resources like Virustotal, Threatexpert, Google, ...

As you said, we don't see any hardcoded domain names in the decrypted DLL provided by rinn (decrypted_inj_snake_...). Therefore they are encrypted and will probably be decrypted in memory on the fly. A good starting point for finding the decryption routine is to look for APIs that need the plaintext server name, such as gethostbyname() or InternetConnect(), and trace the appropriate parameter back to code that has the usual suspects like xor, add, ror, ... or CryptoAPI functions like CryptAcquireContext, ...
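An added example, not R136a1's code: a static check that complements the trace-back approach he describes, brute-forcing every single-byte XOR key over a blob and reporting regions that decode to a hostname. The blob is constructed from two domains quoted earlier in this thread; the key 0x5A and the layout are arbitrary and not taken from any Turla sample.

```python
"""Added example (not from the post): a static complement to tracing back
from gethostbyname()/InternetConnect(). Tries every single-byte XOR key
over a blob and reports regions that decode to a hostname. The blob is
constructed; the key 0x5A and layout are arbitrary."""
import re
from dataclasses import dataclass

# Lowercase hostname: dotted labels of [a-z0-9-] ending in a 2..6 letter TLD.
HOST_RE = re.compile(rb"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,6}")
MIN_LEN = 8  # drop short accidental matches such as "ab.cd"


@dataclass(frozen=True)
class Hit:
    key: int     # XOR key that produced the plaintext (0 = already plaintext)
    offset: int  # offset of the encoded copy in the original blob
    host: str


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_hostnames(blob: bytes, keys=range(256), min_len: int = MIN_LEN) -> list:
    """Decode the whole blob under each candidate key and collect hostname-like
    matches. Key 0 hits are plaintext (import names, format strings) and serve
    as a control; the interesting finds are the non-zero keys."""
    hits = []
    for key in keys:
        plain = xor_bytes(blob, key)
        for m in HOST_RE.finditer(plain):
            if m.end() - m.start() >= min_len:
                hits.append(Hit(key, m.start(), m.group().decode()))
    return sorted(hits, key=lambda h: (h.offset, h.key))


# Constructed blob: a plaintext import name, then two thread domains XORed with 0x5A.
SAMPLE_BLOB = (
    b"\x00\x01\x02kernel32.dll\x00"
    + xor_bytes(b"today-news.ath.cx", 0x5A) + b"\x00"
    + b"\xff\xfe\x00\x00"
    + xor_bytes(b"amazon-market.net", 0x5A) + b"\x00"
)

if __name__ == "__main__":
    for h in find_xor_hostnames(SAMPLE_BLOB):
        print(f"key=0x{h.key:02x} offset=0x{h.offset:04x} {h.host}")
```

The key-0 hit on kernel32.dll shows why the output needs reading rather than trusting: plaintext strings always match. A routine that uses a rolling or multi-byte key, or CryptoAPI, produces nothing here, which is exactly the case where the trace-back from the network API is the right tool.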