One wrong click… Techniques to analyze malicious code Tyler Hudak.

What we will cover
- Techniques to “externally” analyze malware
- General do’s and don’ts of analysis
- An analysis of an actual malware in the wild

What we will NOT cover
- How to debug / disassemble malware
- Every possible tool available
- Every possible malware infection vector
- Malware obfuscation or anti-forensics techniques

WARNING!!! The examples used within are real-world examples. If you go to these sites with an unprotected machine you WILL get infected. You have been warned.

Why learn malware analysis?
- Eventually you will find unknown malware in your systems
- You can either wait for the AV companies to analyze it or do it yourself
- It’s fun!!!

Our lab
- You should ALWAYS analyze malware on a “throw away” system
- NEVER use a machine on a production network
- VMWare is an excellent tool for this:
  - Can easily restore to a previous point in time
  - Can control network access of the virtual OS
  - Images allow re-use
  - Almost limitless OS’ available (Windows, Linux, Solaris, Netware, *BSD, MS-DOS, …)

Our lab
- Host OS: Mandriva Linux LE 2005
- Guest OS: Win XP SP1 (installed from disk – no patches)
- NAT networking (diagram of host OS and guest OS omitted)

Our situation
- User complains about a slow PC or the IDS picks up unusual activity
- Investigating shows unknown processes running on the PC
- Looking through web logs/Internet cache shows access to a suspicious site
- Let’s begin!

Copying malware off
In the initial stages you would normally copy the unknown process/files off and analyze them before anything else. For the sake of the presentation, let’s pretend you can’t do that.

Checking out the site
- We need to check out the site the user went to
- Never go to the site in a web browser
- Download the source page using a tool (wget, curl, etc)

love.htm
- love.htm opens up three 0 by 0 iframes to download three more web pages
- This is a technique commonly used by spyware to load malicious code
- Use wget to download the other three to analyze

ip.htm
- Runs JavaScript from union1.50bang.com
- Sends information about your computer (browser, screen resolution, color depth) to
- Sets a cookie with a unique ID
- 50bang.com is in China – the same as joyiex.com

zx.htm
- Contains obfuscated JavaScript that gets executed
- Cannot tell what the JavaScript does from reading it
- However, modifying the code and loading it into a browser reveals what it does

zx.htm modified
The code is modified to display the decoded JavaScript in a popup instead of writing it into the page and executing it.

zx.htm decoded
- zx.htm’s JavaScript uses a known vulnerability (MS04-013) to trick IE into executing a CHM file in the local zone context
- This allows malicious code – zx.htm within zx.chm in this case – to be downloaded and executed on the local machine
- More information on MS at
- Use wget to download zx.chm to examine

zx.chm
- We’d like to look at zx.chm to see what it does, but it will most likely execute malicious code upon opening
- Use KeyTools Utilities from KeyWorks Software to decompile the CHM file
- Do NOT use the ‘Examine CHM File’ option as it may launch the malicious code
- Use the ‘Decompile’ option

zx.chm decompiled
Decompiling finds 3 files:
- zx.exe (18,540 bytes) – we’ll see this later
- zx.htm – HTML file which runs zx.exe
- zx.hhp – MS Help Project file (created by KeyTools)

sp2/sp3.htm
- Calls a variant of a Windows XP SP2 remote execution technique (patched by MS05-001)
- Uses multiple vulnerabilities to execute bbs gif (encoded VBScript)
- Not sure what bbs00302.gif does, but can wager a guess it executes bbs00302.css – but what does that do?

File analysis
- Lots of tools that should be used to analyze a file
- Run ‘file’ against it to see what it is
- Should hash the file as well using your favorite cryptographic hash
- Can google for the hash and hope for results

String Analysis
- Look for any readable strings in the executable using ‘strings’ or ‘bintext’ from Foundstone
- Not many readable strings in bbs css, but it looks to be packed with FSG

Packed executables
- Programs are available which “pack” executables, making them smaller and harder to analyze: upx, aspack, fsg, etc
- You have to download an unpacker, or else dump the unpacked image from memory
- bbs css is packed with FSG (look for FSG! in the file)
- Use unfsg2.0 to unpack and run it through bintext again

Unpacked bbs css
- Lots of references to registry entries within the unpacked file
- Appears to overwrite registry entries with an unknown value
- Also looks like it will start up on boot
- References osrss.exe and coniem.exe

What do we know so far?
- Go to the website and three web pages open
- One of the pages sends information about your computer to China
- The two others launch exploits and execute code on your local machine
- So – let’s go to the site and see what happens!

Before Infection
Need to do a couple of steps before we infect our VMWare image:
1. Create a snapshot of our image
2. Set up a sniffer
3. Set up the tools on our VMWare image

Sniffer
- Want to record any network traffic from our malware
- Use whatever sniffer you prefer (tcpdump, Ethereal, Snort, etc)
- Capture the entire packet for reconstruction later

Regshot
- Takes and compares snapshots of the registry entries and files on a computer
- We’ll take a snapshot before and after infection
- From this any new/modified/deleted files will be found

Regmon / Filemon / TDIMon
- Monitor registry access, file access and network access on a computer
- We can use these to find out what process is doing what
- All are available from

Let’s get infected!
Once our tools are set up and running, we can go to the website and get infected. After a minute or two we stop the tools and begin analysis.

Post Infection Steps
- Run the second regshot and compare
- Run post-infection tools
- Save data off of the VMWare image
- Pause VMWare
- Analyze

Regshot Compare
The regshot compare showed a number of interesting things. New files:
- C:\WINDOWS\system32\he1p.exe
- C:\WINDOWS\system32\she11.dll
- C:\WINDOWS\OSRSS.exe
- C:\arcldrer.exe

Regshot Compare
New / changed registry entries:
- HKU\ \Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe: "C:\WINDOWS\OSRSS.exe"
- HKU\ \Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: "1"
- HKU\ \Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage: "1"
- HKLM\SOFTWARE\Classes\txtfile\shell\open\command\: "C:\WINDOWS\System32\he1p.exe "%1""
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: "0"
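As an added example that is not part of the presentation, the snapshot compare can be scripted. The Python below constructs before/after snapshots that mirror the entries above (Regshot's real export format is not used, and HKCU stands in for the user hive shown as HKU\ \), diffs them, and flags the persistence, lockdown and file-association changes an analyst wants surfaced, tying each flagged value back to a newly dropped file it launches.

```python
# Constructed before/after snapshots (not Regshot's actual output format):
# registry value path -> data, plus the set of file paths present on disk.
BEFORE = {
    "registry": {
        r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command\(Default)":
            r"%SystemRoot%\system32\NOTEPAD.EXE %1",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        r"\Folder\Hidden\SHOWALL\CheckedValue": "1",
    },
    "files": {r"C:\WINDOWS\system32\notepad.exe"},
}
AFTER = {
    "registry": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe":
            r"C:\WINDOWS\OSRSS.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr": "1",
        r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage": "1",
        r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command\(Default)":
            r'C:\WINDOWS\System32\he1p.exe "%1"',
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        r"\Folder\Hidden\SHOWALL\CheckedValue": "0",
    },
    "files": {r"C:\WINDOWS\system32\notepad.exe", r"C:\WINDOWS\system32\he1p.exe",
              r"C:\WINDOWS\system32\she11.dll", r"C:\WINDOWS\OSRSS.exe",
              r"C:\arcldrer.exe"},
}

def diff_snapshots(before, after):
    """Regshot-style compare: new/removed files, new/removed/changed values."""
    b, a = before["registry"], after["registry"]
    return {
        "files_added": sorted(after["files"] - before["files"]),
        "files_removed": sorted(before["files"] - after["files"]),
        "reg_added": {k: a[k] for k in a.keys() - b.keys()},
        "reg_removed": {k: b[k] for k in b.keys() - a.keys()},
        "reg_changed": {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
    }

# (lower-cased substring of the value path, what it means to the analyst)
RULES = [
    ("\\currentversion\\run\\", "autostart entry: persistence"),
    ("\\policies\\system\\disabletaskmgr", "Task Manager disabled: lockdown"),
    ("\\internet explorer\\control panel\\homepage", "IE home page locked: lockdown"),
    ("\\shell\\open\\command", "file-type handler redirected: re-infection hook"),
    ("\\showall\\checkedvalue", "hidden-file display changed: concealment"),
]

def flag_suspicious(diff):
    """Match new/changed values against RULES and note when a flagged value
    points at a file that the same compare shows as newly dropped."""
    dropped = {p.lower() for p in diff["files_added"]}
    entries = list(diff["reg_added"].items())
    entries += [(k, new) for k, (_old, new) in diff["reg_changed"].items()]
    findings = []
    for path, value in entries:
        low = path.lower()
        reasons = [why for needle, why in RULES if needle in low]
        if not reasons:
            continue
        launches = sorted(f for f in dropped if f in value.lower())
        findings.append({"path": path, "value": value,
                         "reasons": reasons, "launches_dropped": launches})
    return findings
```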

Post infection tools: pslist
- Dumps the current process list
- Shows OSRSS running
- Does not see any of the other added files running

Post infection tools: Fport
- Shows what programs are listening on what ports
- Does not see any unusual process listening on a port

What we know so far
- The infection caused 4 files to appear
- Only 1 file is currently running
- Nothing is listening on the network
- OSRSS.exe is set to start on boot
- he1p.exe will run whenever a .txt file is opened
- A number of Windows items were locked down to prevent us from fixing things easily

Copying
- Next we copy all of our data off of the image
- Make sure you grab any new files as well
- Use VMWare’s Shared Folders, SSH or FTP
- Once finished, pause the VMWare image

File analysis
- 4 files were created by the infection
- It might be useful to look at them before we proceed
- Notice that the file sizes of three of the files are the same, and are the same as zx.exe. This is very unusual – they could be the same file.

File analysis
- Next, ‘file’ is run against them
- The three files are Windows executables
- she11.dll is a text file containing “

File analysis
- Finally, check the md5sum of each file
- The same hash on the exe’s means they are the same file
- A quick look with bintext shows these are packed with FSG as well

File analysis
- One of the files is unpacked with unfsg2.0 and put through bintext
- It has many of the same strings as seen with bbs css
- However, the references to coniem.exe are replaced with he1p.exe
- Perhaps different versions of the malware?

Timeline
- Since we still don’t know much about what the programs did, we can look at the other logs
- Useful to create a timeline from the tdimon, filemon, regmon and ethereal logs
- Load filemon and regmon into a spreadsheet and sort by time – they have more accuracy
- Use this to start your timeline and add in the other logs as you progress

Timeline
- Keep a running log of interesting events for each process
- Expect to have LOTS of entries to go through
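An added Python example (not from the presentation) of building that timeline: it merges constructed Filemon/Regmon/TDIMon-style records (a simplified pipe-separated layout, not the tools' real export formats, with TDIMon at whole-second precision like the coarser logs the slides mention), sorts them by time, and produces the per-process running log and the list of failed operations.

```python
from collections import defaultdict

# Constructed monitor exports in a simplified layout (not the real formats):
# time | process | operation | path | result. Filemon/Regmon rows carry
# milliseconds; the TDIMon row only whole seconds. Host name is a placeholder.
FILEMON = r"""
13:03:58.402 | IEXPLORE.EXE | CREATE | C:\WINDOWS\Downloaded Program Files\zx.exe | SUCCESS
13:04:02.118 | zx.exe | CREATE | C:\WINDOWS\osrss.exe | SUCCESS
13:04:02.301 | zx.exe | CREATE | C:\WINDOWS\system32\he1p.exe | SUCCESS
13:04:04.977 | osrss.exe | CREATE | C:\WINDOWS\osrss.exe | SHARING VIOLATION
"""
REGMON = r"""
13:04:03.004 | zx.exe | SetValue | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe | SUCCESS
13:04:05.120 | osrss.exe | SetValue | HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr | SUCCESS
"""
TDIMON = r"""
13:04:05 | osrss.exe | UDP send (DNS) | lookup.example.invalid | SUCCESS
"""

def time_key(stamp: str) -> float:
    """'HH:MM:SS' or 'HH:MM:SS.mmm' -> seconds since midnight."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_log(source: str, text: str):
    """Turn one tool's export into event dicts; malformed rows are skipped."""
    events = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            continue
        stamp, process, op, path, result = fields
        events.append({"t": time_key(stamp), "stamp": stamp, "source": source,
                       "process": process, "op": op, "path": path, "result": result})
    return events

def build_timeline(*logs):
    """Merge parsed logs into one list ordered by time. On an exact tie the
    millisecond-precision rows go first, so coarse TDIMon rows slot in after."""
    merged = [e for log in logs for e in log]
    merged.sort(key=lambda e: (e["t"], "." not in e["stamp"]))
    return merged

def by_process(timeline):
    """The per-process running log the slides recommend keeping."""
    out = defaultdict(list)
    for e in timeline:
        out[e["process"]].append(f'{e["stamp"]} {e["op"]} {e["path"]} -> {e["result"]}')
    return dict(out)

def failures(timeline):
    """Operations that did not succeed (sharing violations, access denied, ...)."""
    return [e for e in timeline if e["result"] != "SUCCESS"]
```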

zx.htm timeline
- 13:03: – IE downloads
- 13:03: – IE downloads
- 13:03: – IE drops zx.exe into temporary Internet files
- 13:04: – IE copies zx.exe into c:\windows\downloaded program files
- 13:04: – IE executes zx.exe

zx.htm timeline
- 13:04: – zx.exe creates c:\windows\osrss.exe – file size 18,540
- 13:04: – zx.exe creates c:\windows\system32\he1p.exe – file size 18,540
- 13:04: – zx.exe sets the following registry keys:
  - HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1
  - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1
  - HKCR\txtfile\shell\open\command\(Default) to C:\WINDOWS\System32\he1p.exe "%1"
  - HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0

zx.htm timeline
- 13:04: – zx.exe executes c:\windows\osrss.exe
- 13:04: – osrss.exe tries to create itself but fails (sharing violation)
- 13:04: – osrss.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)
- 13:04: – osrss.exe sets the following registry keys:
  - HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1
  - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1
  - HKCR\txtfile\shell\open\command\(Default) to C:\WINDOWS\System32\he1p.exe "%1"
  - HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0

zx.htm timeline
- 13:04: – osrss.exe makes a DNS query for
- 13:04: – osrss.exe shuts down
- 13:04: – IE deletes c:\windows\downloaded program files\zx.exe

sp3.htm timeline
- 13:03: – IE downloads
- 13:03: – IE downloads
- 13:03: – IE downloads
- 13:04: – IE executes bbs gif
- 13:04: – IE creates c:\ntdetect.hta – length 1,620

sp3.htm timeline
- 13:04: – mshta.exe reads c:\ntdetect.hta and executes it
- 13:04: – mshta.exe searches for bbs css and finds it
- 13:04: – mshta.exe creates c:\arcldrer.exe – length 18,540
- 13:04: – c:\arcldrer.exe is executed by mshta.exe
- 13:04: – mshta.exe closes c:\ntdetect.hta

sp3.htm timeline
- 13:04: – arcldrer.exe recreates c:\windows\osrss.exe
- 13:04: – arcldrer.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)
- 13:04: – arcldrer.exe sets the following registry keys:
  - HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run\ctfnom.exe to c:\windows\osrss.exe
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr to 1
  - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage to 1
  - HKCR\txtfile\shell\open\command\(Default) to C:\WINDOWS\System32\he1p.exe "%1"
  - HKLM\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\CheckedValue to 0

sp3.htm timeline
- 13:04: – arcldrer.exe executes c:\windows\osrss.exe
- 13:04: – osrss.exe tries to create itself but fails (sharing violation)
- 13:04: – osrss.exe tries to create c:\windows\system32\he1p.exe but fails (access denied)
- 13:04: – osrss.exe downloads
- 13:04: – osrss.exe sets registry keys again

sp3.htm timeline
- 13:04: – osrss.exe sets the following registry keys:
  - HKCU\Software\Microsoft\Internet Explorer\Main\Start Page to
  - HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1 to
  - HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url2 to
  - HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url3 to
  - HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL to
  - HKCU\Software\Microsoft\Internet Explorer\Main\Local Page to
  - HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar to
  - HKCU\Software\Microsoft\Internet Explorer\Main\Search Page to
  - HKCU\Software\Microsoft\Internet Explorer\Main\First Home Page to
  - HKCU\Software\Microsoft\Internet Explorer\Main\default_page_url to
  - HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL to

sp3.htm timeline
- 13:04: – osrss.exe creates c:\windows\system32\she11.dll
- 13:04: – mshta.exe creates c:\cmd.bat – length 79
- 13:04: – mshta.exe executes cmd.exe to run cmd.bat
- 13:04: – osrss.exe sets initial registry keys again
- 13:04: – osrss.exe deletes cache file for ie1.txt

sp3.htm timeline
- 13:04: – cmd.bat deletes c:\ntdetect.hta
- 13:04: – osrss.exe sets registry keys again
- 13:04: – osrss.exe sets registry keys again
- 13:04: – cmd.bat deletes itself
- 13:04: – cmd.exe/cmd.bat stop running
- 13:04: – osrss.exe sets registry keys again

What do we know now?
- The site uses multiple exploits in IE to install multiple copies of the same malware and execute it (he1p.exe, osrss.exe, arcldrer.exe)
- A number of settings in IE are set to point to
- osrss.exe will run on boot up
- he1p.exe will be executed whenever a .txt file is double-clicked on
- The local computer is locked down to prevent settings from being changed or task manager from running
- All of this happens in about 17 seconds

What do we NOT know?
- What happens when we double-click on a txt file?
- What happens on boot up?
- Will the malware do anything else?
- Let’s find out!

he1p.exe and txt files
- HKCR\txtfile\shell\open\command\(Default) is modified to point to he1p.exe instead of notepad.exe
- This registry key defines what application is run when a .txt file is opened
- To find out what happens:
  1. Unpause the VMWare image
  2. Start a new sniffer
  3. Take a regshot 1st scan
  4. Start regmon, tdimon and filemon
  5. Double-click on a .txt file
  6. Wait a couple of seconds and then perform analysis

he1p.exe timeline
- 9:16: readme.txt file double-clicked in explorer.exe
- 9:16: explorer.exe opens the HKCR\txtfile\shell\open\command\(Default) reg key and sees to use he1p.exe
- 9:16: explorer.exe executes he1p.exe
- 9:16: he1p.exe begins setting registry keys
- 9:16: he1p.exe executes notepad.exe
- 9:16: notepad.exe opens readme.txt

he1p.exe timeline
- 9:16: he1p.exe tries to overwrite itself but fails (sharing violation)
- 9:16: he1p.exe tries to overwrite c:\windows\osrss.exe but fails (sharing violation)
- 9:16: he1p.exe executes a new copy of osrss.exe
- 9:16: currently running copy of osrss.exe shuts down
- 9:16: he1p.exe shuts down

he1p.exe results
- No network traffic while clicking on the txt file
- Monitoring tools don’t show any new activity
- Regshot shows no new registry entries or files
- he1p.exe doesn’t do anything to the text file – it never even opens it!
- osrss.exe will shut down if another copy starts up
- Appears that he1p.exe is just put in the txt registry key to re-infect the system

On boot
- It can be difficult to start all utilities on boot up (not all support it)
- Regshot results would generate A LOT to go through after a reboot
- We can do the next best thing – kill the process and restart it
- This doesn’t cover all possible situations, but should be close enough

On boot
- The malware prevents task manager from running, so we have to use pslist and pskill to kill the process
- Once the process is confirmed stopped, we set up the monitoring tools again and run the malware

On boot timeline
- 9:21: c:\windows\osrss.exe executed
- 9:21: osrss.exe tries to create itself but fails (sharing violation)
- 9:21: osrss.exe recreates he1p.exe
- 9:21: osrss.exe sets initial registry keys
- 9:21: osrss.exe checks for c:\windows\system32\she11.dll
- 9:21: osrss.exe opens and reads c:\windows\system32\she11.dll
- 9:21: osrss.exe sets IE registry keys (homepage, etc)
- 9:21: osrss.exe sets initial registry keys again and does so every 2 seconds

On boot results
- No network traffic shows up
- Only a modified he1p.exe shows up in regshot
- osrss.exe behaves as we have seen it behave thus far

Analysis results
From our analysis of the malware we can conclude the following:
1. Going to with an unpatched IE infected the client with the same malware multiple times.
2. The malware will copy itself to c:\windows\osrss.exe and c:\windows\system32\he1p.exe.

Analysis results
3. Osrss.exe will be set to start on boot.
4. He1p.exe will be run whenever a txt file is opened.
5. The current user will be prevented from running the task manager.
6. The current user will be prevented from changing IE’s homepage.
7. The malware will download and place the results in c:\windows\system32\she11.dll.

Analysis results
8. The malware will set a number of IE settings (homepage, etc) to the contents of she11.dll.
9. When running, the malware will reset the registry keys every 2-5 seconds.
10. The malware will only allow 1 instance of itself to run at any given time.
11. The malware has a predictable flow of events.

Malware flow (flowchart, shown here as steps)
1. Malware starts
2. Startup and lockdown registry keys set
3. Create osrss.exe
4. Create he1p.exe
5. If she11.dll does not exist, download contents from
6. Set IE registry keys with contents from she11.dll
7. Set startup and lockdown registry keys again
8. Am I osrss.exe?
   - Yes: keep running
   - No: start osrss.exe and kill my process

Virustotal.com results
- osrss.exe: variant of IM Lewor worm
- bbs css: TR/Dldr.Delf.CQ or variant of IM Lewor worm
- bbs gif: Trojan.Phel
- More than half of the anti-virus programs didn’t find anything.

More information
- Lenny Zeltser’s Reverse Engineering Malware paper
- Tom Liston’s Follow the Bouncing Malware series at incidents.org
- Honeynet Project’s Reverse Challenge
- Hacker Disassembling Uncovered by Kris Kaspersky
- Malware: Fighting Malicious Code by Ed Skoudis
- The Art of Computer Virus Research and Defense by Peter Szor
- Google for: “reverse engineering” or “malware analysis”

Questions?