
Viral steganography

A couple of introductory remarks first. First: because of my darned right hand, typing is awkward for me, so there may be typos. Second: for some readers nothing written below will be new, but what can you do! For the rest, I hope, it will be interesting. Let's go!

Many users regard firewalls and traffic filters as reliable protection against viruses. In general these tools can be configured to make life considerably harder for malware, but doing so is a rather difficult task. I want to tell you about a couple of things I have run into. Under the cut, as always: a lot of technical detail, code and occasionally disjointed thoughts.

Under examination: Trojan.DownLoad.921, in our DrWeb naming.

The file is 20992 bytes in size and packed with UPX. It is a DLL with two exported functions: ClearAV and DoWork. According to PEiD, it was written in VC version 6.

Fingerprint
An interesting feature of the Trojan is the code located at the beginning of some functions:
.text:10004490
.text:10004490 ; BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
.text:10004490 _DllMain@12:                            ; CODE XREF: DllEntryPoint+4Bp
.text:10004490                 push    ebp
.text:10004491                 mov     ebp, esp
.text:10004493                 sub     esp, 108h
.text:10004499                 push    esi
.text:1000449A                 push    edi
.text:1000449B                 nop
.text:1000449C                 nop
.text:1000449D                 clc
.text:1000449E                 jnb     short near ptr loc_100044A0+1
.text:100044A0
.text:100044A0 loc_100044A0:                           ; CODE XREF: .text:1000449Ej
.text:100044A0                 call    near ptr loc_1000468C+1
.text:100044A5                 add     cl, ch
.text:100044A7                 pop     edx


Or in a more understandable way:
.text:10004490
.text:10004490 ; BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
.text:10004490 _DllMain@12:                            ; CODE XREF: DllEntryPoint+4Bp
.text:10004490                 push    ebp
.text:10004491                 mov     ebp, esp
.text:10004493                 sub     esp, 108h
.text:10004499                 push    esi
.text:1000449A                 push    edi
.text:1000449B                 nop
.text:1000449C                 nop
.text:1000449D                 clc
.text:1000449E                 jnb     short loc_100044A1
.text:1000449E ; ---------------------------------------------------------------------------
.text:100044A0                 db 0E8h
.text:100044A1 ; ---------------------------------------------------------------------------
.text:100044A1 loc_100044A1:                           ; CODE XREF: .text:1000449Ej
.text:100044A1                 call    loc_100044A7
.text:100044A1 ; ---------------------------------------------------------------------------
.text:100044A6                 db 0E9h
.text:100044A7 ; ---------------------------------------------------------------------------
.text:100044A7 loc_100044A7:                           ; CODE XREF: .text:loc_100044A1j
.text:100044A7                 pop     edx


The conditional jump (here the one at address 1000449E) is always taken, because the preceding clc clears the carry flag and jnb jumps when it is clear; so instead of a plain call we get jnb + call, with a junk byte hidden between them that a linear disassembler swallows as the start of a bogus instruction. Quite a characteristic "fingerprint", which, I think, is there to complicate analysis. IDA, however, handles such code easily.
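To turn that fingerprint into something a defender can search for, here is an added Python example (mine, not from the article): it scans a byte buffer for the clc / jnb short +1 / junk byte / call sequence shown in the listing, reports the addresses involved, and can overwrite the never-executed bytes with NOPs so that a linear disassembler decodes the function the way IDA's corrected listing does. The sample bytes are reconstructed from the listing above; the function and variable names are my own.

```python
# Detector for the "clc; jnb short +1; <junk>; call ..." opaque-predicate pattern.
# Constructed sample: the DllMain prologue bytes reconstructed from the listing.
#   1000449D  F8              clc
#   1000449E  73 01           jnb short +1   (always taken: CF was just cleared)
#   100044A0  E8              junk byte that a linear disassembler decodes as a call
#   100044A1  E8 01 00 00 00  call $+6       (skips one more junk byte)
#   100044A6  E9              junk byte
#   100044A7  5A              pop edx
SAMPLE = bytes.fromhex(
    "55 8B EC 81 EC 08 01 00 00 56 57 90 90"   # push ebp; mov ebp,esp; sub esp,108h; push esi; push edi; nop; nop
    "F8 73 01 E8 E8 01 00 00 00 E9 5A"         # the fingerprint itself
)
SAMPLE_BASE = 0x10004490  # load address of the listing


def find_fingerprints(data: bytes, base: int = 0) -> list:
    """Return one record per clc/jnb+1/junk/call sequence found in data.

    Each record gives the address of the jnb, of the real call that follows
    the junk byte, and the call's resolved target (base + rel32, as the CPU does).
    """
    hits = []
    i = 0
    while i + 9 <= len(data):           # need clc, jnb rel8, junk, E8 rel32
        if (data[i] == 0xF8 and data[i + 1] == 0x73 and
                data[i + 2] == 0x01 and data[i + 4] == 0xE8):
            call_at = i + 4
            rel = int.from_bytes(data[call_at + 1:call_at + 5], "little", signed=True)
            hits.append({
                "jnb": base + i + 1,
                "call": base + call_at,
                "target": base + call_at + 5 + rel,
            })
            i = call_at + 5
        else:
            i += 1
    return hits


def normalize(data: bytes, base: int = 0) -> bytes:
    """Replace the never-executed bytes with NOPs so linear disassembly recovers.

    The clc, the jnb and the junk byte become four NOPs; when the call lands
    exactly one byte past its own end, that skipped byte is a junk byte too.
    The call itself is kept, since its pushed return address may be used
    (the listing pops it into edx right afterwards).
    """
    out = bytearray(data)
    for hit in find_fingerprints(data, base):
        clc_off = hit["jnb"] - base - 1
        out[clc_off:clc_off + 4] = b"\x90" * 4
        call_off = hit["call"] - base
        if hit["target"] == hit["call"] + 6:
            out[call_off + 5] = 0x90
    return bytes(out)


if __name__ == "__main__":
    for hit in find_fingerprints(SAMPLE, SAMPLE_BASE):
        print("jnb at %08X, real call at %08X -> %08X" % (hit["jnb"], hit["call"], hit["target"]))
    print(normalize(SAMPLE, SAMPLE_BASE).hex(" "))
```

The scanner deliberately matches only the exact clc/jnb pairing; a looser rule (any jnb immediately after clc, or jb after stc) catches more variants but also more legitimate compiler output, so widen it only together with the call check.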

The victims
After the startup code runs, the Trojan checks which process has loaded it. Only processes named flashget.exe, Thunder.exe, QQMusic.exe, QQLive.exe, QQDownload.exe, svchost.exe or explorer.exe satisfy it. From the program names it is clear that the Trojan is aimed primarily at Chinese users. If the application that loaded the DLL is on the list, a new thread containing the payload is created, and everything that follows happens in that thread.

Payload
The Trojan's active work begins with decrypting a URL (I did not work out the decryption algorithm) and downloading the file at server.com/logo1.gif into a file named package.tmp in the current user's temporary directory. The downloaded file really is a GIF image, but open it in Hiew and you can see an EXE file inside! This is steganography: concealing the fact that something extra is being transferred. Each download attempt (this applies to all the files fetched) is retried 5 times with a 20-second pause. The last 4 bytes of the downloaded file hold the offset, from the start of the file, of the "Trojan" information block, which includes the length of the EXE file. The embedded file is extracted to the current user's temporary directory. After a successful extraction DeleteUrlCacheEntry is called, I think to hide the fact that the file was downloaded at all. The files server.com/logo2.gif, server.com/logo3.gif and server.com/logo4.gif are downloaded the same way. The total volume is about 860 KB!
Once the files are downloaded, a rather puzzling operation is performed: the MAC address of the network card is obtained and compared with 2 hard-coded addresses. The whole address is compared, not just the vendor part, and the hard-coded addresses are not VMware ones. The only logical explanation is that the authors are protecting themselves from their own creation. The MAC address is obtained crudely: by running ipconfig /all and parsing its output! Either way, even if the MAC addresses match, the Trojan does not stop working; it simply skips a piece of code.
If the MAC addresses do not match, a window search is performed. Apparently it looks for the QQ2006 window, QQ being the Chinese counterpart of ICQ. The search, however, uses the full title (build number included), which is probably a mistake on the authors' part. If the window is found, control passes to the same code as when the MAC addresses match. Otherwise it downloads and saves the file server2.cn/logo.gif (the process is the same as described above).
After that, an attempt is made to launch the fragments extracted from the GIF files; the file extracted from server2.cn/logo.gif is not launched. The success of the launch is not checked, but if it fails there will be quite a few more attempts.

Virus upgrade
Next the file server.com/xin/version.gif is downloaded; it is an INI file. It contains a version number, which is read and compared with the version hard-coded in the Trojan's body. If the INI file loads successfully and its version is higher than the Trojan's, the file server.com/xin/update.gif is downloaded (and this one is an ordinary EXE file).
At the end of the work, a call is made to the MAYASYS device. Presumably the file downloaded by the update procedure is directly related to this device.

Other functions
ClearAV apparently hides certain processes, talking to the MAYASYS device while doing so (which, of course, I did not have in my system). Which processes should be hidden is unclear, because the Trojan was not run under the conditions it was designed for.
The function's further actions are clear from its name: it kills running antiviruses: Casper, Rising Personal FireWall, Symantec (it seems) and one more antivirus I could not identify at all (and maybe it is a virus :-).
The DoWork function calls ClearAV and then injects into the explorer.exe process.

Confronting firewalls
The most obvious way to protect against Trojans is to forbid network access to every application except those explicitly allowed. But here it does not work: the Trojan is a DLL, and it is designed to be loaded by svchost and explorer. And if banning network activity for explorer is still conceivable, banning it for svchost is a bad idea. So it is the turn of filtering by port: the Trojan wants port 80, and svchost can usually do without it. But there is still QQ, which can also load the Trojan into memory. I do not know the details of how that software uses the network, but I would boldly guess that it uses port 80. And there you go: with the port banned, the application no longer works. And if you look at the requested files, everything is quite harmless: GIF pictures. You need content filtering, and even that is not simple. A simple filter is bypassed in the way described here. More serious ways of circumventing filters are described in one of the articles by Kris Kaspersky. I strongly recommend, by the way, reading all the articles by that author ;-)
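Both the GIF-with-an-EXE-inside format from the "Payload" section and the content-filtering point above come down to the same check, so here is one added Python example (mine, not code from the article or from the Trojan) that a content filter or an analyst could run over a downloaded "picture": it walks the GIF block structure to find where the real image ends, reports any bytes after the trailer, and tries to pull out the embedded file using the trailer-offset scheme the article describes. The article only says that the last 4 bytes give the offset of an information block that includes the EXE length; the exact block layout (a 4-byte little-endian length immediately followed by the EXE) is my assumption, as are the sample GIF and the fake payload, which is constructed and is not an executable.

```python
# Detector / extractor for executables appended to a GIF behind its 0x3B trailer.
# Assumed carrier layout (the article gives only the outline):
#   [valid GIF][info block: u32le exe_length][exe bytes ...][u32le offset of info block]

def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a chain of GIF data sub-blocks (length byte + data) up to the 0 terminator."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_end_offset(data: bytes) -> int:
    """Parse the GIF block structure and return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global color table present
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                  # trailer: the image really ends here
            return pos + 1
        if block == 0x2C:                  # image descriptor
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:             # local color table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                       # LZW minimum code size
            pos = _skip_subblocks(data, pos)
        elif block == 0x21:                # extension: introducer, label, sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        else:
            raise ValueError("unexpected block 0x%02x at %d" % (block, pos))
    raise ValueError("GIF trailer not found")


def extract_payload(data: bytes):
    """Follow the trailing u32 offset to the info block and return the EXE, or None."""
    if len(data) < 8:
        return None
    info = int.from_bytes(data[-4:], "little")
    if info + 4 > len(data) - 4:
        return None                        # offset points outside the file: not this scheme
    length = int.from_bytes(data[info:info + 4], "little")
    exe = data[info + 4:info + 4 + length]
    if len(exe) != length or not exe.startswith(b"MZ"):
        return None
    return exe


def inspect(data: bytes) -> dict:
    """Summarise what sits behind the image: extra bytes, an MZ header, an extractable payload."""
    end = gif_end_offset(data)
    tail = data[end:]
    return {
        "gif_end": end,
        "trailing_bytes": len(tail),
        "embedded_mz": b"MZ" in tail,
        "payload": extract_payload(data) if tail else None,
    }


# Constructed sample: a minimal 1x1 GIF89a with a 2-colour global table ...
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"     # header + logical screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                     # global colour table (2 entries)
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor
    + b"\x02" + b"\x02\x44\x01\x00"                   # LZW min code size + one data sub-block
    + b"\x3b"                                         # trailer
)
# ... and a fake payload that merely starts with "MZ" (constructed, not a real executable).
FAKE_EXE = b"MZ" + b"<constructed fake payload, not an executable>"


def build_sample() -> bytes:
    """Build a carrier file in the assumed layout for demonstration and tests."""
    info_offset = len(CLEAN_GIF)
    return (CLEAN_GIF + len(FAKE_EXE).to_bytes(4, "little") + FAKE_EXE
            + info_offset.to_bytes(4, "little"))


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("carrier", build_sample())):
        r = inspect(blob)
        print(name, "ends at", r["gif_end"], "trailing", r["trailing_bytes"],
              "MZ" if r["embedded_mz"] else "no MZ", "payload" if r["payload"] else "no payload")
```

For filtering purposes the decisive signal is trailing_bytes: a GIF that carries anything at all after its trailer deserves a closer look, whether or not the specific offset scheme matches, because the next variant can change the layout but still has to end the real image somewhere.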

Conclusion
What landed on the analysis table is a Trojan that is part of a larger malware package. In my opinion it must include at least the MAYASYS device driver and a dropper that writes the analysed DLL to disk and registers it in the system. Later, the driver and the dropper were indeed found. In a rather simple and unsophisticated way, the Trojan bypasses firewalls, which are thus far from protecting against every infection.
Open questions: is the ClearAV function really a rootkit? Why are the MAC addresses checked? Which window is the Trojan looking for? Why download files that are never run?

Source: https://habr.com/ru/post/28304/
