
Saint virus day

(notes of an amateur antivirus analyst)
When a congratulatory e-mail with a link arrives on the eve of Valentine's Day, you really want to know what is behind that link. Everyone says in one voice that such suspicious links must never be opened, but we know that if you are careful, you can. For example, download the page as a plain file rather than rendering it in a browser, and then look at it carefully in your favourite text editor.

In my case it contained something like this:
    <meta http-equiv="refresh" content="1; url='valentine.exe'">
    ...
    <a href="valentine.exe">blah-blah</a>

An unsolicited invitation to become a new user of the virus. You can just as gently download valentine.exe as well (renaming it to .txt so that it cannot be launched by accident) and pick it apart from the inside.
Kaspersky's online file scanner identifies this file as infected with Email-Worm.Win32.Zhelatin.vg.
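The manual inspection above (save the page, read the source, spot the meta refresh and the link that both point at an .exe) can be automated. The following is an added example, not code from the article: a small Python scanner that parses a saved page with the standard-library HTML parser, collects every outbound reference (meta refresh, links, frames, scripts), resolves it against the page URL and flags those that lead straight to an executable. The page content and the base URL below are constructed to mirror the snippet in the article; the host name is an assumption.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File extensions that Windows will execute directly when "opened".
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".msi"}


def parse_refresh_content(content: str):
    """Extract the URL from a meta-refresh content attribute such as
    "1; url='valentine.exe'"; returns None when there is no url part."""
    for part in content.split(";")[1:]:
        key, _, value = part.partition("=")
        if key.strip().lower() == "url":
            return value.strip().strip("'\"").strip()
    return None


class RedirectFinder(HTMLParser):
    """Collect every place a page can send the browser: meta refresh, links, frames, scripts."""
    SRC_TAGS = {"iframe", "frame", "script", "embed", "object"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.findings = []          # (kind, absolute url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lower-cases names already
        url = None
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            url = parse_refresh_content(a.get("content", ""))
        elif tag == "a":
            url = a.get("href")
        elif tag in self.SRC_TAGS:
            url = a.get("src") or a.get("data")
        if url and url.strip():
            self.findings.append((tag, urljoin(self.base_url, url.strip())))


def analyze_page(html: str, base_url: str):
    """Return (kind, url, is_executable) for every outbound reference in the page."""
    finder = RedirectFinder(base_url)
    finder.feed(html)
    finder.close()
    out = []
    for kind, url in finder.findings:
        ext = posixpath.splitext(urlparse(url).path.lower())[1]
        out.append((kind, url, ext in EXEC_EXTENSIONS))
    return out


def executable_targets(html: str, base_url: str):
    """Just the references that lead straight to an executable."""
    return [(kind, url) for kind, url, is_exe in analyze_page(html, base_url) if is_exe]


# Constructed sample page modelled on the one in the article (host name is an assumption).
BASE_URL = "http://greeting.example/card/index.html"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="1; url=' valentine.exe '">
</head><body>
<a href=" valentine.exe ">blah-blah</a>
<a href="/about.html">about</a>
<iframe src="http://greeting.example/stats/count.php?x=1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url in executable_targets(SAMPLE_HTML, BASE_URL):
        print(f"{kind:5} -> {url}")
```

The refresh parser deliberately tolerates the sloppy form seen on the page (spaces around `=`, quotes around the URL); a strict parser would miss exactly the pages written by people who do not care about standards.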

To say that the amount of information published about viruses does not satisfy me is to say nothing: there is simply too little of it. First, it does not say what exactly one should not do. Second, it drills users with "keep your antivirus databases updated". Updated databases are of course a good thing, and I am all for them. Only they will not save you from the first wave of an epidemic, because they cannot yet contain signatures for viruses that have not been released.

So, to dispel, at least for myself, the atmosphere of darkness and horror surrounding the internal structure of the virus, I rolled up my sleeves and found out the following.



The general scheme of the virus is:
1. The original valentine.exe extracts a piece of code from its own body, which is first decrypted and then unpacked with the RtlDecompressBuffer function (the article's original text calls it RtlUncompressBuffer). This code is written to the file %SYSTEMROOT%\system32\diperto$p-$t.sys, where $p and $t are the process and thread identifiers (in hexadecimal) of the valentine.exe instance that writes the file. A file %SYSTEMROOT%\system32\diperto.ini is also created:
    [config]
    [local]
    uport=1211
    [peers]

The port varies randomly. The magic word "peers" suggests that the infected computer will join a botnet.

2. valentine.exe loads the driver (diperto$p-$t.sys, which I will simply call diperto.sys below) through the Windows API and then terminates.

3. diperto.sys creates a device named DRV_MODULE_MYDR and an event named "Ir <fk ^ 7k". All of this can be seen with WinObj.exe.

4. After initialization the driver starts a new kernel-mode thread, which in turn extracts a piece of encrypted code from the driver's body. The code is "encrypted" with a plain exclusive-or and is a Windows executable (PE) file.

5. It then finds the process named services.exe (the Windows service control manager), attaches to it, allocates a new block of memory in that process's address space and writes the decrypted code there.

6. To transfer control to the malicious code, the driver uses an APC (asynchronous procedure call). With KeInsertQueueApc it queues an asynchronous call that will be "delivered" after the victim process's next system call. After that the driver's work is done.

7. In short, the whole thing looks like this:
valentine.exe -> decrypts a piece of itself -> diperto.sys -> decrypts a piece of itself -> services.exe.
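Step 4 is the part an analyst most often has to repeat by hand: a PE image hidden in a larger binary under a single-byte XOR. Because "MZ" and "PE\0\0" are known plaintext, the key can simply be brute-forced. The following is an added example, not the author's tooling: it tries all 255 keys, looks for a DOS header whose e_lfanew lands on a PE signature, and carves the file out using the section table (the largest PointerToRawData + SizeOfRawData). The "driver body" it runs on is constructed here from a minimal hand-built PE, so the key 0x5A, the filler bytes and the payload are all assumptions for the demonstration and not values from the real sample.

```python
import struct


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the "encryption" the driver uses for its payload."""
    return bytes(b ^ key for b in data)


def looks_like_pe(buf: bytes, off: int) -> bool:
    """True if buf[off:] starts with a DOS header whose e_lfanew points at "PE\\0\\0"."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\x00\x00"


def pe_raw_size(image: bytes) -> int:
    """On-disk size implied by the section table: max(PointerToRawData + SizeOfRawData),
    or the end of the section table when there are no sections."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    nsec = struct.unpack_from("<H", image, pe + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    sections = pe + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    end = sections + 40 * nsec
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", image, sections + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_xor_pe(blob: bytes):
    """Try every single-byte key (1..255; key 0 would be an unencoded file) and return
    (key, offset, carved_pe) for the first embedded PE that decodes cleanly, else None."""
    for key in range(1, 256):
        dec = xor_bytes(blob, key)
        for off in (i for i in range(len(dec) - 1) if dec[i] == 0x4D and dec[i + 1] == 0x5A):
            if not looks_like_pe(dec, off):
                continue
            try:
                size = pe_raw_size(dec[off:])
            except struct.error:          # header claims more than the blob holds
                continue
            if size <= len(dec) - off:
                return key, off, dec[off:off + size]
    return None


def build_min_pe(section_data: bytes = b"\x90" * 0x20) -> bytes:
    """Constructed stand-in for the payload: a minimal, structurally valid 32-bit PE
    with one .text section of NOPs. This is not the real injected code."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)         # i386, one section
    opt = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)                   # PE32 magic, rest zeroed
    raw_ptr, raw_size = 0x200, len(section_data)
    sect = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\x00\x00" + coff + opt + sect
    return hdr + b"\x00" * (raw_ptr - len(hdr)) + section_data


# Constructed "driver body": filler, the XOR-encoded payload, more filler (key is an assumption).
PAYLOAD = build_min_pe()
KEY = 0x5A
FILLER = bytes(range(256))
DRIVER_BLOB = FILLER[:100] + xor_bytes(PAYLOAD, KEY) + FILLER

if __name__ == "__main__":
    key, off, pe = find_xor_pe(DRIVER_BLOB)
    print(f"key=0x{key:02x} offset={off} carved={len(pe)} bytes")
```

Carving by the section table rather than "everything after MZ" matters in practice: the real driver keeps other data after the payload, and a wrong length produces a file that disassemblers happily misparse. Multi-byte or rolling XOR keys need the same known-plaintext idea applied to the "PE\0\0" and "This program cannot be run" strings rather than a 255-key loop.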

At this point two questions arise: a) why all these manipulations? b) how do we protect ourselves against this beast?

The answer to the second question is, on the whole, obvious. It is enough to deny write access to %SYSTEMROOT%\system32, after which the very first step fails and the virus goes home through the woods. But imagine for a moment that it mutates and can write its file anywhere else. Then the only thing that can save us is to take away the right to register and load drivers (which in essence amounts to the right to write to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services, together with the SeLoadDriverPrivilege that the driver-loading call checks).

By default only the Administrators group has these rights.
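Denying the rights is the prevention; the matching detection is to audit what is already registered under HKLM\System\CurrentControlSet\Services. The following is an added example, not code from the article: a pure function that takes service records (name, Type, Start, ImagePath, as they would be read from that key or from a `reg export` of it) and flags kernel drivers whose image does not live in system32\drivers or whose file name matches the diperto$p-$t.sys pattern described above. It also shows how the dropper's file name is derived from the writer's PID and TID. The records are constructed; the service name of the real dropped driver is not stated in the article, and the Windows directory is an assumption.

```python
import re

DIPERTO_RE = re.compile(r"^diperto[0-9a-f]+-[0-9a-f]+\.sys$", re.I)
KERNEL_DRIVER_TYPES = {1, 2}        # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
SYSTEMROOT = r"C:\Windows"          # assumption used to normalise relative ImagePath values


def diperto_name(pid: int, tid: int) -> str:
    """File name the dropper writes: diperto<pid>-<tid>.sys with hexadecimal ids."""
    return f"diperto{pid:x}-{tid:x}.sys"


def normalize_image_path(image_path: str) -> str:
    """Turn the many ImagePath spellings (\\??\\C:..., \\SystemRoot\\..., %SystemRoot%\\...,
    bare system32\\...) into one lower-cased absolute path for comparison."""
    p = image_path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    for prefix in ("\\SystemRoot", "%SystemRoot%"):
        if p.lower().startswith(prefix.lower()):
            p = SYSTEMROOT + p[len(prefix):]
    if not re.match(r"^[a-z]:\\", p, re.I):            # relative to the Windows directory
        p = SYSTEMROOT + "\\" + p.lstrip("\\")
    return p.lower()


def audit_driver_services(records):
    """Return (service_name, reason) for kernel drivers that look out of place.
    Triage heuristic: a legitimate driver normally lives in system32\\drivers."""
    expected_dir = (SYSTEMROOT + r"\system32\drivers").lower()
    findings = []
    for rec in records:
        if rec.get("Type") not in KERNEL_DRIVER_TYPES:
            continue                                    # Win32 services are out of scope here
        path = normalize_image_path(rec["ImagePath"])
        directory, _, filename = path.rpartition("\\")
        if DIPERTO_RE.match(filename):
            findings.append((rec["name"], f"diperto-style file name: {filename}"))
        elif directory != expected_dir:
            findings.append((rec["name"], f"driver image outside system32\\drivers: {path}"))
    return findings


# Constructed records standing in for HKLM\System\CurrentControlSet\Services\<name> values.
SAMPLE_SERVICES = [
    {"name": "Tcpip", "Type": 1, "Start": 1, "ImagePath": r"system32\DRIVERS\tcpip.sys"},
    {"name": "Ntfs", "Type": 2, "Start": 0, "ImagePath": r"\SystemRoot\system32\drivers\ntfs.sys"},
    {"name": "Spooler", "Type": 16, "Start": 2, "ImagePath": r"%SystemRoot%\system32\spoolsv.exe"},
    # service name below is invented; the article does not say what the dropper registers
    {"name": "example_dropped", "Type": 1, "Start": 3,
     "ImagePath": "\\??\\C:\\WINDOWS\\system32\\" + diperto_name(0x4A8, 0x4AC)},
    {"name": "example_tempdir", "Type": 1, "Start": 3,
     "ImagePath": r"C:\Documents and Settings\user\Local Settings\Temp\helper.sys"},
]

if __name__ == "__main__":
    for name, reason in audit_driver_services(SAMPLE_SERVICES):
        print(f"{name}: {reason}")
```

The directory check is a heuristic, not a verdict: a few legitimate third-party drivers do ship into system32 itself, so the output is a triage list to review together with the file's signature and timestamps, not a block list.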

Now for the most interesting question: why so many gestures? Usually the operation of injecting code and launching it is performed with the OpenProcess - VirtualAllocEx - WriteProcessMemory - CreateRemoteThread bundle, which antiviruses watch closely. In our case the chain looks like this: KeAttachProcess - ZwAllocateVirtualMemory - rep movsd - KeInsertQueueApc. "rep movsd" means that the malicious code is copied directly into the victim's address space without calling any function at all. At the time of writing, antiviruses are not able to detect this kind of intrusion.
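To make the evasion concrete, here is what a user-mode API monitor actually sees. The following is an added example, not something from the article: a detector that replays a trace of API calls and reports a (caller, target) pair once the classic four-call chain has appeared in order for that pair, mapping the native Nt* equivalents onto the Win32 names so that calling ntdll directly does not slip past it. Run it over a constructed trace and the point of the driver route is obvious: the process that loads the driver shows only NtLoadDriver, and the copy into services.exe never produces a user-mode event at all. The trace lines and their format are constructed for this example.

```python
import re
from collections import defaultdict

CLASSIC_CHAIN = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]

# Native entry points that do the same job as the Win32 calls above.
ALIASES = {
    "NtOpenProcess": "OpenProcess",
    "NtAllocateVirtualMemory": "VirtualAllocEx",
    "NtWriteVirtualMemory": "WriteProcessMemory",
    "NtCreateThreadEx": "CreateRemoteThread",
    "RtlCreateUserThread": "CreateRemoteThread",
}

# Constructed trace format: "pid=<caller> api=<name> [target=<pid>]".
LINE_RE = re.compile(r"^pid=(\d+)\s+api=(\w+)(?:\s+target=(\d+))?\s*$")


def parse_trace(lines):
    """Yield (caller_pid, canonical_api, target_pid_or_None) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # ignore noise and blank lines
        api = ALIASES.get(m.group(2), m.group(2))
        target = int(m.group(3)) if m.group(3) else None
        yield int(m.group(1)), api, target


def find_injection_chains(lines, chain=CLASSIC_CHAIN):
    """Return (caller, target) pairs whose calls contain `chain` as an ordered subsequence."""
    progress = defaultdict(int)                        # (caller, target) -> next expected step
    hits = []
    for caller, api, target in parse_trace(lines):
        if target is None:
            continue                                   # no cross-process target, cannot be injection
        key = (caller, target)
        if api == chain[progress[key]]:
            progress[key] += 1
            if progress[key] == len(chain):
                hits.append(key)
                progress[key] = 0
    return hits


# Constructed sample: pid 1000 does textbook injection into 660 (services.exe),
# pid 2000 only reads memory, pid 3000 loads a driver and hands the rest to the kernel.
SAMPLE_TRACE = """
pid=1000 api=CreateFileW
pid=1000 api=OpenProcess target=660
pid=1000 api=VirtualAllocEx target=660
pid=1000 api=WriteProcessMemory target=660
pid=1000 api=CreateRemoteThread target=660
pid=2000 api=OpenProcess target=660
pid=2000 api=ReadProcessMemory target=660
pid=3000 api=NtLoadDriver
""".strip().splitlines()

if __name__ == "__main__":
    print("injection chains:", find_injection_chains(SAMPLE_TRACE))
```

The limitation is structural rather than a matter of better rules: once the work moves into a driver, the only user-mode artefact is the driver load itself, which is why the previous section argues for controlling driver registration and loading rather than hoping to catch the injection afterwards.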

Some statistics:
- size of the original file: 117,248 bytes.
- size of the driver file: 129,920 bytes.
- the original file was compiled with MinGW GCC, which, by the way, turns your brain inside out when you try to track function calls in an unfamiliar style (GCC reserves the outgoing argument area once and stores the arguments with mov instead of pushing them):
    mov [esp], a
    mov [esp+4], b
    mov [esp+8], c
    call F          ; calls F(a, b, c)

- the original file is stuffed with dummy calls such as CreateWaitableTimer(0, 0, 0), IsBadHugeReadPtr(0, 0) or DeleteAtom(0). It is not entirely clear who they are meant to confuse, the antivirus or the human.

In the second part we will look at how the code injected into the services.exe process works.

Source: https://habr.com/ru/post/20770/

