CCFC2011-ISFS-Frankie
Malware Forensics
ISFS, Frankie Li, April 12, 2011
1
Who am I
• Council Member of ISFS (www.isfs.org.hk)
• Part-time lecturer of HKU SPACE - PDITF
• Member of (ISC)2 - CISSP, PISA, ACFE (Associate)
• A Sunday researcher
• Malware hobbyist
2
Today's work
• To perform static (code) analysis and dynamic (behavioral) analysis of a malware sample (bot/Trojan horse)
• Slackbot (2000), Chinese version: a bot that can perform DDoS, using IRC as its command and control (C&C) centre
3
A short Malware history
• In the past
  – Mischief
  – One man show
  – Targeted on protocols
  – Targeted on the OS
• Now?
  – From curiosity to financial gain
  – A complete business model
  – Targeted at applications (such as browsers, PDF and Flash files) rather than the OS
  – By way of installing itself at:
    – Ring 3: API hooking / code injection
    – Ring 0: SSDT hooking / kernel-mode driver
  – Development becomes easier because of modularization
4
Investigation and Forensics Methodologies
• Locard's exchange principle: with contact between two items there will be an exchange (i.e. every contact leaves a trace)
• Malware is not an exception, but it can hide its traces (artifacts) or even itself after execution (anti-forensics; packing and obfuscation are the usual means)
• Purpose: to retain forensic soundness
• Forensic procedure: Identification, Preservation, Analysis, Documentation and Presentation of digital (or malware) evidence
5
What to Document
• Summary of the analysis
  – An abstract of the analysis results, such as key observations, recommendations, limitations, report date and authors (show PestControl_report.htm)
• Identification
  – The type of file, name, size, hash, known name, currently detected capabilities (show ThreatExpert.htm)
• Characteristics
  – The sample's capabilities for infecting files, self-preservation, spreading, leaking data, interacting with the attacker (remote attacker interactions), and so on
• Dependencies
  – Files and network resources related to the specimen's functionality, such as supported OS versions and required initialization files, custom DLLs, executables, URLs and scripts
• Dynamic and code analysis findings
  – Dynamic, code-dynamic analysis, static analysis and memory analysis observations
• Supporting figures and snapshots
  – Logs, screenshots, string excerpts, function listings, flowcharts and other exhibits that support the investigator's analysis
• Incident interpretation and recommendations
  – Indicators for detecting the sample on other systems and networks, and possible prevention steps
From: SANS Forensics 610
6
Our Lab
• Three VMs are used: REMnux*, WinXP, WinXP_2.0 (two NICs; the NAT NIC is off by default)
• All NICs are configured as Host-only, except the NAT NIC inside WinXP_2.0, which is for Internet access
• Drag and drop & copy and paste are enabled
• REMnux is configured as the default gateway
• WinXP is used to test Slackbot
• WinXP_2.0 is used to build Slackbot and as a second victim
• Some snapshots are created to keep the different stages of the in-depth analysis
*REMnux 2.0 is by Lenny Zeltser and can be downloaded from sourceforge.net. This lab version has Chinese character support and VMware Tools added. A second NIC is also added, but disabled.
7
The Lab
[Figure: lab network diagram]
8
Initialization of the VMs
• All VMs: check that the NIC is configured Host-only and "Connect at power on"
• REMnux: ID="remnux", PW="malware", startx, ifconfig -a (IP address = 192.168.80.130)
• WinXP: check the IP address under Network, TCP/IP, Properties (IP address = 192.168.80.110, default gateway = 192.168.80.130)
• Ping each other; if there is no response, check the firewall setting and allow ICMP echo replies
9
iauzzy.exe
• Official name: Slackbot v1.0 by slim
• The executable is distributed with a builder called sbconfig.exe (found on WinXP_2.0)
• Freely downloadable, without source code
• A Chinese version, downloaded from http://bbs.mmbest.com
• A tool that uses IRC as C&C
• Some hidden/undocumented functions
http://www.pestpatrol.com/zks/pestinfo/s/slackbot.asp
http://www.threatexpert.com/report.aspx?md5=635d7d7c9518c10b0e5138b945e4060f
10
First Lab
• Start REMnux: left-click for the user menu (xterm, firefox & wireshark); sudo PW="malware"
• Start WinXP
  – On the desktop you can find "iauzzy.exe"
  – The Slackbot folder contains different versions
  – Don't touch the Zeus folder (it is to be used in the next session)
• If you are in doubt, create a snapshot to avoid an unnecessary start over
11
Dynamic Analysis Procedures
• Check hash: md5sum
• Check strings: bintext, FileAlyzer, strings
• Create static snapshots: Autoruns, HijackThis, TCPView, RegShot (with Process Monitor paused)
• Create dynamic snapshots: Process Monitor, Process Explorer, What's Running, CaptureBAT
• Check network activities
• Configure REMnux to provide tailored responses to the malware
12
Check Hash
• Select the file, right-click, "Md5 Hash"
• Right-click "My Computer", right-click, "Cmd", then type: md5sum iauzzy.exe > md5sum.txt
• The MD5 hash: 635D7D7C9518C10B0E5138B945E4060F
13
Check Strings
• Drag & drop "iauzzy.exe" onto the bintext icon
• Right-click "My Computer", right-click, "cmd", then type: strings "iauzzy.exe" > "iauzzy_strings.txt"
• Select "iauzzy.exe", right-click, "Analyze file with FileAlyzer" (note: it may unpack the sample)
  – Select "Hex-dump", click on "List strings", then the "Hex/Strings (new)" tab & the other tabs
  – Check DLL calls, strange messages, URLs, filenames, registry locations (only some DLLs are imported)
  – Check additional information under: General, PE, DisAsm, Import/Export table
14
Static Snapshots
• Try to capture the snapshots in order
  – Autoruns
    • Make sure the scan is completed
    • Options checked: "Hide Microsoft and Windows Entries" and "Verify Code Signatures"
    • Check the autorun entries under "Everything" & pay attention to the "Publisher" column
  – HijackThis
    • Do a system scan only
    • Save the log to "Document"
15
Static Snapshots
  – TCPView
    • Click on "A" to disable address resolution
    • Sort by "Protocol"
    • Adjust the window to show "State"
  – RegShot
    • Start Process Monitor and Process Explorer
    • In Process Monitor, disable capturing and clear the log
    • Adjust Process Explorer to show the processes under "Explorer"
    • Create the 1st shot with "Shot and Save"
16
Dynamic Snapshots
• What's Running
  – Take snapshot, Save snapshot
• Process Monitor
  – Turn on auto-scroll capturing (VERY IMPORTANT)
• Process Explorer
  – Monitor the running processes (get ready to write down abnormal behaviour of processes)
• Execute the binary ("iauzzy.exe" was replaced by another process called "qqt.exe"; check the image path C:\windows\qqt.exe)
• Based on the name of the new process, set up a filter in Process Monitor. Don't forget to check the Strings (Image and Memory) in Process Explorer
• What's Running
  – Take another snapshot
  – Compare the snapshots
• Stop Process Monitor and save the capture (save the full log in PML & CSV)
17
Static Snapshots
• Capture the infected static snapshots
  – RegShot: 2nd shot and compare the snapshots (don't capture until Process Monitor is stopped, because your machine may hang)
  – TCPView
  – HijackThis
  – Autoruns
18
Compare snapshots
• Check for any changes (added/removed) after infection: registry entries, files, hashes (compare the hash value of the new file)
• Process Explorer:
  – iauzzy.exe changed to C:\WINDOWS\qqt.exe; the original image was not removed. MD5: 635D7D7C9518C10B0E5138B945E4060F (same, i.e. a byte-for-byte copy of the sample)
• Process Monitor:
  – Use "qqt.exe", "Explorer", "iauzzy.exe" to filter processes, and use "CreateFile", "Load Image", "Thread Create", "Process Create" or "*set*" to highlight file system changes
• Autoruns:
  – HKLM\SOFTWARE\...\Run\Update\qqt.exe
• HijackThis:
  – O4 HKLM\...\Run: C:\WINDOWS\qqt.exe
• TCPView: no change
19
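The file-system half of the "1st shot / 2nd shot / compare" step above, as an added example (this is not code from the workshop): a hash-based differential snapshot in Python. Besides added, removed and changed paths it reports "copies", new files whose hash already existed in the first shot, which is exactly the same-MD5 observation made on iauzzy.exe and qqt.exe. The directory tree, file names and contents in demo() are constructed dummies so that it runs offline; the registry side (RegShot/Autoruns) is not covered.

```python
"""Differential file-system snapshot (added example, standard library only).
The demo() scenario mirrors slide 19 with dummy bytes, not the real sample."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative, '/'-separated) to (MD5 hex, size), like the md5sum step."""
    shot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest().upper()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            shot[rel] = (digest, os.path.getsize(full))
    return shot


def compare(before, after):
    """Added / removed / changed paths plus 'copies': added files whose hash was already present.
    A new file with a known hash is an existing file copied (the sample installing itself),
    not new code, which is what identical MD5s on iauzzy.exe and qqt.exe told the analyst."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    changed = sorted(p for p in before if p in after and before[p][0] != after[p][0])
    hash_to_path = {}
    for path, (digest, _) in before.items():
        hash_to_path.setdefault(digest, path)
    copies = {p: hash_to_path[after[p][0]] for p in added if after[p][0] in hash_to_path}
    return {"added": added, "removed": removed, "changed": changed, "copies": copies}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: the sample copies itself to WINDOWS/qqt.exe, the hosts file is
    edited (as in the later network labs) and a scratch file disappears between the two shots."""
    sample = b"MZ" + b"\x90" * 64 + b"slackbot v1.0 stand-in"      # dummy bytes, not the real binary
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Documents and Settings/user/Desktop/iauzzy.exe", sample)
        _write(root, "WINDOWS/system32/drivers/etc/hosts", b"127.0.0.1 localhost\r\n")
        _write(root, "WINDOWS/Temp/~tmp1.tmp", b"scratch")
        before = snapshot(root)
        _write(root, "WINDOWS/qqt.exe", sample)                       # byte-identical self-copy
        _write(root, "WINDOWS/system32/drivers/etc/hosts",
               b"127.0.0.1 localhost\r\n192.168.80.130 slack.isfs.org.hk\r\n")
        os.remove(os.path.join(root, "WINDOWS", "Temp", "~tmp1.tmp"))
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-8s %s" % (key, value))
```

On a real victim VM, call snapshot() on the system drive before and after execution (from a snapshot that was reverted in between, as the workshop does) and keep both dictionaries with the capture logs; the MD5 matches the value recorded on the "Check Hash" slide, so the "copies" entry is directly comparable with the Process Explorer finding.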
More snapshots
• Take a new VM snapshot ("dynamic tested")
• Revert the WinXP snapshot back to "Start slackbot Analysis" and redo the checking
• CaptureBAT
  – Right-click "My Computer", select "C:\Program Files\Capture", then right-click "Cmd"
  – Type: CaptureBAT.exe -c -l [filename]
  – Terminate CaptureBAT by pressing Enter
• Back up the newly created zip file, then revert the snapshot back to "Start Analysis"
20
Check Network Activities
• On REMnux, start Wireshark (PW="malware")
• Ctrl+E to start the capture
• Follow TCP Stream
• Record the findings and save the logs
• Findings: it tried to resolve the domain names
  – slack.isfs.org.hk
  – testirc.8866.org
  – www.mmbest.com
• Kill qqt.exe
21
Modeling the REMnux
• Based on the Wireshark findings, we have to tailor our lab environment to fulfil all the network needs requested by the malware
• To analyze the network requests, we have to implement the services and monitor the requests and responses one at a time
• Document all the procedures you performed and write down (or create logs of) all requests/responses
22
Check Network Activities (1)
• WinXP:
  – Configure WinXP to resolve "slack.isfs.org.hk" to 192.168.80.130 by editing the "hosts" file under C:\WINDOWS\system32\drivers\etc [or use "fakedns"]
• REMnux:
  – Start the Wireshark capture again
• WinXP:
  – Execute the binary at C:\WINDOWS\qqt.exe for some time, then kill the process
• REMnux:
  – Check Wireshark using "Follow TCP Stream"
  – Found WinXP tries to connect to port 6667 on "slack.isfs.org.hk"
  – Save the capture
23
Check Network Activities (2)
• REMnux:
  – Provide it with an IRC connection: > ircd start [jumped 1 step]
  – Join the channel #zeus (/join #zeus)
  – Start the Wireshark capture again
• WinXP:
  – Execute the binary at C:\WINDOWS\qqt.exe for some time, then kill the process
• REMnux:
  – Check Wireshark using "Follow TCP Stream"
  – Found the bot, using user=[ldqzpme], joins the channel again
  – Save the capture
  – From the IRC client [Irssi] we found the same: [ldqzpme] joined #zeus
24
Check Network Activities (3)
• WinXP:
  – Configure WinXP to resolve "testirc.8866.org" to 192.168.80.130 by editing the "hosts" file under C:\WINDOWS\system32\drivers\etc
• REMnux:
  – Start the Wireshark capture again
• WinXP:
  – Execute the binary at C:\WINDOWS\qqt.exe for some time, then kill the process
• REMnux:
  – Check Wireshark using "Follow TCP Stream"
  – Found WinXP tries to connect to port 103 on "testirc.8866.org"
  – Set up nc -l -p 103 and Wireshark; found it is speaking IRC over port 103
  – The bot sends IRC-style commands to the server
  – Save the capture
25
Check Network Activities (4)
• REMnux:
  – Tried to reconfigure ircd to listen on port 103, but not successful [binding a port below 1024 requires root privileges, and the ircd does not run as root]
• WinXP:
  – Use fpipe to do the port redirection
  – > fpipe -l 103 -r 6667 192.168.80.130
  – Change the hosts file to point "testirc.8866.org" to localhost
• REMnux:
  – Check Wireshark using "Follow TCP Stream"
  – Found the bot, using user=[byrd], joined the channel #zeus, but using another user=[xneawrpn] joined another channel #... 790308? (hex = 09 09 09 20 37 39 30 33 30 38 3f, i.e. three tabs, a space and "790308?")
26
Check Network Activities (5)
• WinXP:
  – Configure WinXP to resolve "www.mmbest.com" to 192.168.80.130 by editing the "hosts" file under C:\WINDOWS\system32\drivers\etc
• REMnux:
  – Start the Wireshark capture again
• WinXP:
  – Execute the binary at C:\WINDOWS\qqt.exe for some time, then kill the process
• REMnux:
  – Check Wireshark using "Follow TCP Stream"
  – Found WinXP tries to connect to port 80 on www.mmbest.com
27
Check Network Activities (6)
• REMnux:
  – Use netcat to listen on port 80
• WinXP:
  – Execute the binary at C:\WINDOWS\qqt.exe for some time, then kill the process
• REMnux:
  – Check Wireshark using "Follow TCP Stream"
  – Found the bot tried to connect to a web server, providing the referrer http://testirc.8866.org18000/ads.cgi and presenting www.mmbest.com as the requested host
28
Static (Code) Analysis
• Keep all the hints found from the dynamic analysis
• Unpack, if required
• Strings: any interesting text, and check the API calls
• Disassemble: check the program structure and functions
• Debugging: running the malware under a debugger allows us to test its functionality "dynamically" and helps us find out more by analyzing the binary image
29
Summary of findings of the Dynamic Analysis
• Strings indicated that it is UPX packed
• The binary iauzzy.exe created another image of itself under C:\Windows\qqt.exe and created a process for this binary
• It created a registry value at HKLM\SOFTWARE\...\Run\Update\qqt.exe
• The new binary tried to contact three hosts:
  – slack.isfs.org.hk (TCP port 6667; tried to join the IRC channel #zeus)
  – testirc.8866.org (TCP port 103; tried to join the IRC channel #... 790308?)
  – www.mmbest.com (TCP port 80; tried to send an HTTP request with the referrer http://testirc.8866.org18000/ads.cgi)
30
Reverse Engineering 101
• Some basic knowledge of:
  – PE format, very important
  – Packing (a.k.a. compression & obfuscation)
  – C programming language
  – Memory
  – IA-32 processors and assembly language
  – How to use IDA Pro, disassembler
  – How to use OllyDbg (Immunity), debugger
31
PE (Portable Executable) Format (1)
• Read the ARTeam tutorial
• Native format for: Win32 executables, 32-bit DLLs, .NET executables and kernel-mode drivers
• Divided into sections (the names are conventions only; the loader ignores them and goes by the section characteristics, which is why packers can call theirs anything)
  – Executable code section, named .text
  – Data sections, named .data, .rdata or .bss
  – Resources section, named .rsrc
  – Export data section, named .edata
  – Import data section, named .idata
  – Debug section, named .debug
32
PE (Portable Executable) Format (2)
• Points of interest (PE file header, 20 bytes)
  – Machine: 0x014C = i386
  – NumberOfSections
  – TimeDateStamp
  – SizeOfOptionalHeader
• Points of interest (Optional header, 224 bytes for PE32)
  – AddressOfEntryPoint: RVA of the first instruction
  – ImageBase: preferred load address; every RVA is relative to it (for an EXE it is almost always 0x400000)
  – SizeOfImage
  – DataDirectory: an array of 16 members, including 0 - export symbols, 1 - import symbols, 12 - import address table (IAT). Here "symbols" means functions
• In OllyDbg: Alt+M, right-click the PE header and select "Dump in CPU". In the CPU window, right-click again, select "Special", then "PE header" to display it
33
C programming language
• main()
  – <return value type> main(<args>) { <function calls> }
• Function() or subroutine
  – <return value type> function_name(<function args>)
• C libraries
• for and while loops
• if/else
34
Memory
• Intel processors are little endian: the low-order byte of a multi-byte value is stored first (at the lowest address), so the DWORD 0x00401000 appears in a hex dump as 00 10 40 00
• Memory is addressed through segment registers; Win32 sets the segments up as one flat 4 GB address space
• Programs in memory
  – .text section (read only)
  – .data section (global initialized variables)
  – .bss section (global uninitialized variables)
  – Heap (dynamically allocated variables, including arrays; controlled by malloc() and free())
  – Stack (keeps track of function calls)
35
IA-32 Processors
• IA-32 CPU general registers
  – EAX: accumulator register; holds the return value of functions
  – EBX: base register; usually a pointer to data
  – ECX: counter register; loop instructions
  – EDX: data register
  – ESI: source index register; string and array copying
  – EDI: destination index register, like ESI
  – EBP: stack base pointer register; base of the current stack frame
  – ESP: stack pointer; the top address of the stack
  – EIP: instruction pointer; the offset of the next instruction
• Segment registers: CS, SS, DS, ES, FS, GS
• The stack is used to pass parameters to functions and to maintain call chains (on Windows the stack also holds the SEH records, reached through FS:[0])
  – PUSH/POP
36
Some Basic Assembler Instructions
• ADD destination, source
• CALL target: push the return address and jump to the function
• RETN / RET: return (pop the return address into EIP)
• CMP destination, source: compare (sets the flags used by the conditional jumps)
• INC: increment the register
• JE: jump if equal
• JMP: jump always
• JNE: jump if not equal
• LEA: load effective address; computes the address of the operand without reading memory (unlike MOV, which loads the value)
• MOV destination, source: move
• NOP: no operation
• POP destination: load the value from the top of the stack
• PUSH operand: store a value on the stack
• XOR destination, source: logical exclusive OR (XOR reg, reg zeroes a register; XOR with a key byte is the usual string-encoding trick, as in the !@login routine later)
37
Code Analysis using IDA Pro
• Views
  – IDA View is the disassembly listing
  – Hex View is the hexadecimal view
  – The Names view lists the named locations, including the imported functions
  – The Functions view lists the functions, including the thunks that jump to the imported functions
• Some simple keys
  – In the IDA View window, hit the spacebar to switch between the disassembly listing and the graph view
  – Ctrl+- and Ctrl++ to zoom out / zoom in
  – The Names window contains all functions (subroutines)
  – Select and click (enter into) and Esc (to return); Ctrl+E lists the entry points (jump to the program start)
  – G (jump to an address)
38
Code Analysis using OllyDbg
• OllyDbg is a ring 3 (user-mode) debugger
• By loading the malware under OllyDbg we can set breakpoints, control the execution step by step and monitor how it is functioning
• My term for it: a kind of "code analysis in a dynamic way"
• Some keys:
  – F9: run
  – F8: step over (executes a called function as one step)
  – F7: step into (enters the function)
  – F2: set a software breakpoint
  – Ctrl+F2: restart the program
  – Ctrl+F9: execute till return
  – Enter and "-": follow into & go back
39
Now let's start...
40
Packed?
• bintext: cryptic text, a few API calls
• FileAlyzer: it is UPX "compressed"; similar to bintext even after "unpacking" it
• strings: UPX0, UPX1, UPX3, "slackbot v.10" and some API calls
• PEiD: UPX 0.896 - 1.02 -> Markus & Laszlo; entropy 7.8 (packed); EP check (packed)
• It's easy, unpack it...!
• Before we go, do you remember something under Process Explorer (the strings in the image and in memory) and the change of image path?
41
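The header fields from the two PE slides and the three packer checks PEiD reported here (section names, entropy, entry point), as an added Python example. This is not the workshop's code and not output from iauzzy.exe: the two images it inspects are constructed by build_pe() with dummy contents, and the import-directory slot it fills is a placeholder. It generalizes the slide a little by also flagging an entry point that lies outside every section, which is another symptom of a damaged or packed header.

```python
"""PE32 header walk and packer heuristics (added example, standard library only).
Both sample images are built by build_pe() with dummy data; neither is the real sample."""
import math
import struct
import sys
from collections import Counter

IMAGE_FILE_MACHINE_I386 = 0x014C
DIR_NAMES = {0: "EXPORT", 1: "IMPORT", 12: "IAT"}      # the DataDirectory slots named on slide 33


def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image):
    """Return the file header, optional header fields and section table of a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                 # e_lfanew -> 'PE\0\0'
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4                                                 # 20-byte file header
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                               # optional header, 224 bytes for PE32
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled")
    entry = struct.unpack_from("<I", image, opt + 16)[0]          # AddressOfEntryPoint (RVA)
    base = struct.unpack_from("<I", image, opt + 28)[0]           # ImageBase
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", image, opt + 96 + 8 * i)
        if size:
            dirs[DIR_NAMES.get(i, str(i))] = (rva, size)
    sections = []
    for i in range(nsect):                                        # 40-byte IMAGE_SECTION_HEADERs
        f = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        vsize, va, rawsize, rawptr = f[1:5]
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(entropy(image[rawptr:rawptr + rawsize]), 2)})
    return {"machine": machine, "timestamp": stamp, "entry_point": entry, "image_base": base,
            "size_of_image": size_of_image, "directories": dirs, "sections": sections}


def packer_verdict(pe):
    """The checks PEiD/FileAlyzer reported on slide 41: section names, entropy, entry point."""
    ep, reasons = pe["entry_point"], []
    ep_sect = next((s for s in pe["sections"]
                    if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    upx = [s["name"] for s in pe["sections"] if s["name"].startswith("UPX")]
    if upx:
        reasons.append("UPX section names: " + ", ".join(upx))
    if ep_sect is None:
        reasons.append("entry point 0x%X outside every section" % ep)
    else:
        if ep_sect["entropy"] > 7.0:
            reasons.append("entry-point section %s entropy %.2f" % (ep_sect["name"], ep_sect["entropy"]))
        if ep_sect is not pe["sections"][0]:
            reasons.append("entry point in %s, not in the first section" % ep_sect["name"])
    return {"packed": bool(reasons), "ep_section": ep_sect["name"] if ep_sect else None,
            "reasons": reasons}


def build_pe(specs, entry_rva):
    """Constructed PE32 image from (name, raw_data, virtual_size) tuples; directory values are dummies."""
    falign, salign, hdr = 0x200, 0x1000, 0x400
    table, blobs, va, ptr = b"", [], salign, hdr
    for name, data, vsize in specs:
        raw = (len(data) + falign - 1) // falign * falign
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw,
                             ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs.append(data.ljust(raw, b"\0"))
        va += (vsize + salign - 1) // salign * salign
        ptr += raw
    dirs = [0] * 32
    dirs[2], dirs[3] = 0x9000, 0x40                               # slot 1 (IMPORT): placeholder rva, size
    opt = struct.pack("<HBB9I", 0x10B, 6, 0, 0, 0, 0, entry_rva, salign, 0, 0x400000, salign, falign)
    opt += struct.pack("<6HI", 4, 0, 0, 0, 4, 0, 0) + struct.pack("<IIIHH", va, hdr, 0, 2, 0)
    opt += struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + struct.pack("<32I", *dirs)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(specs), 0x4D8B2E40, 0, 0, len(opt), 0x010F)
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)    # e_lfanew = 0x80
    head = head.ljust(0x80, b"\0") + b"PE\0\0" + coff + opt + table
    return head.ljust(hdr, b"\0") + b"".join(blobs)


def packed_sample():
    """UPX-style layout: empty UPX0, high-entropy UPX1 holding stub and entry point, small .rsrc."""
    stub = bytes(range(256)) * 32                                 # uniform bytes stand in for packed code
    return build_pe([("UPX0", b"", 0x5000), ("UPX1", stub, 0x3000), (".rsrc", b"\0" * 0x100, 0x1000)], 0x7F00)


def plain_sample():
    """Ordinary layout: entry point inside a low-entropy .text that is also the first section."""
    code = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 0x400 + b"\xc9\xc3"   # prologue, NOPs, leave/ret
    return build_pe([(".text", code, 0x1000), (".data", b"\0" * 0x200, 0x1000)], 0x1000)


def report(image):
    pe = parse_pe(image)
    verdict = packer_verdict(pe)
    print("machine=0x%04X entry=0x%08X base=0x%08X" % (pe["machine"], pe["entry_point"], pe["image_base"]))
    for s in pe["sections"]:
        print("  %-6s va=0x%05X raw=0x%05X entropy=%.2f" % (s["name"], s["va"], s["rawsize"], s["entropy"]))
    print("  packed=%s: %s" % (verdict["packed"], "; ".join(verdict["reasons"]) or "none"))
    return verdict


if __name__ == "__main__":                                        # python pe_check.py [file.exe]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report(fh.read())
    else:
        report(packed_sample())
        report(plain_sample())
```

Run it against the packed and the unpacked copies of the sample to see the verdict flip. The heuristics are exactly that: a Delphi or hand-written binary can legitimately have its entry point outside the first section, so treat the reasons as leads to confirm in the debugger, not as proof.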
Unpacking (1)
• UPX
  – upx -d (decompress switch; it overwrites the source file)
  – FileAlyzer (decompress a second time) created a decompressed binary
• QUnpack
  – The OEP is required, but some options are provided
  – Using ForceOEP, it found the OEP at 004011CB and created the IAT (import table), which points to all the used API calls at addresses above 0x70000000 (where the system DLLs load on XP)
• Manual unpack
  – OllyDbg: find the OEP and then apply OllyDump
  – Sometimes we need Import REConstructor (ImportREC) to rebuild the IAT
42
Unpacking (2)
[Figure: unpacked with UPX]
[Figure: unpacked with QUnpack]
43
Strings of the unpacked binary
• Check the strings on the unpacked binary
• Found:
  – Some patterns
  – Wording like: download done, url visiting done, packets sent, file executed, cone sent, removing startup, update
  – Some IRC commands: NICK, NICK, PING, PART, QUIT, JOIN, USER, PASS, PRIVMSG
44
OllyDbg Walkthroughs
• To
  – Understand the binary's flow
  – Control the flow by setting up breakpoints (F2)
  – Trace main and the subroutines step by step using F8, checking the API calls, and study them by stepping into the function with F7
  – Enter and "-" to look into and go back between functions
  – Recover the hard-coded password, after it is decoded
  – Basically, code analysis in a dynamic way
45
Run the startup binary inside OllyDbg
• Inside OllyDbg, right-click, select "Search for", "All referenced text strings", then move to the top and right-click again, "Search for text" for some commands, like: !@sysinfo, !@id, !@run, !@login or "yesss?"
• Set breakpoints (BP) at those selected text references
• Run the command on the channel, switch back to WinXP and F8 (step through)
46
Try interesting commands
• !@id
• !@sysinfo
• !@run
• !@login
• !@reboot
• !@update
• !@webdl
• !@remove
47
!@id
[Figure: screenshot of the !@id reply]
48
!@run
• !@run stops at !@login: we need to log in before we can execute the !@run command
49
!@login to !@run
• BP @ 0040208B: the "!@login" string
• F7 @ 004012A3: step into the function
• XOR @ 004012DF: the encoding subroutine
• After some F8, BP+F9 (to bypass the loops), EAX gets a possible password of "wiedo" @ 004012F4
• After returning, strcmp is used to compare "s2" = wiedo and "s1" = [what was entered]
• BP @ 00402DC8: writing the message to the channel
• It replies (in xchat): ?
• Try again: !@run notepad
• File executed
50
!@reboot
• BP @ 00401F9A: the string !@reboot
• F7 @ 00401FB6: generate the message to send to the channel
• F7 @ 00401FC0: go to the rebooting routine
• API calls @ 00004012FB: GetVersionExA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx (the token-privilege sequence needed to enable SeShutdownPrivilege before ExitWindowsEx may reboot)
51
!@update
• BP @ 00402981: !@update
• No response if a full URL is not provided
• BP @ 00402CA3: entry point of the updating subroutine
• @ 0040123C: a random file name is generated
• @ 00402D05 (calls 0040209E): write a message to the channel
• @ 00402D14 (calls 00403068): download and write the file
• BP @ 00402D2A004020D9E: write a message to the channel
• BP @ 00402D55: CreateProcess
52
!@remove
• BP @ 0040200E: entering the remove subroutine
• BP @ 00402036: start removing stuff; first, the registry
• BP @ 00402079 (calls 00402F23): close the socket
• BP @ 00402081 (calls 00402A22): ExitProcess
53
testirc.8866.org
• REMnux: Wireshark shows the bot tried to connect to port 103 on testirc.8866.org
• REMnux: However, ircd cannot be bound to port 103
• WinXP: configure fpipe to listen on port 103 and forward to remote port 6667 on 192.168.80.130, and change the hosts file to resolve testirc.8866.org to localhost
• REMnux: a secret channel of [hex = 09 09 09 20 37 39 30 33 30 38 3f] is joined, but there is no way to type the hexadecimal characters into the channel name at the xterm or in xchat
• WinXP: set BP @ 00402EFE and @ 00402EF2 and found EAX contains the address of the secret channel's hexadecimal characters. Right-click on the address 0016BDC8, go to "Follow in Dump" and change the hexadecimal characters to ASCII, e.g. "77777777777", in the hex dump window
• REMnux: /join the channel using "77777777777" to see what happens
54
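The IRC side of the network labs (slides 22 to 28) and the untypeable channel name on this slide, as an added example that is not part of the workshop or of Slackbot: a scriptable IRC C&C stand-in in Python that registers the bot, answers PING, acknowledges JOIN and pushes one command, logging every line in escaped form. It assumes the bot speaks plain RFC 1459 as the captures showed; SERVER_NAME and OPERATOR are lab choices, and the sample lines in the test are constructed. Because a space ends an IRC parameter, parse_line() shows the captured JOIN as the channel "#" plus three tabs with "790308?" in the second (key) parameter; since the server is a script, joining or creating that channel no longer depends on typing the bytes into xchat.

```python
"""IRC C&C stand-in for the lab (added example, standard library only).
handle() is pure (bytes in, list of bytes out) so the protocol logic is testable offline;
serve() puts it behind a socket. Assumed: the bot speaks plain IRC as in the captures."""
import socket
import sys

SERVER_NAME = "slack.isfs.org.hk"     # the name the bot resolved (hosts file -> REMnux)
OPERATOR = "analyst"                  # nick the sink uses when it speaks in the channel


def parse_line(raw):
    """Split one IRC line into (prefix, COMMAND, params). Only a space ends a parameter, so a
    channel name carrying tabs survives intact, while text after a space becomes the next param."""
    line = raw.rstrip(b"\r\n").decode("latin-1")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = [p for p in head.split(" ") if p]
    if sep:
        params.append(trailing)
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def printable(text):
    """Escape control bytes so a channel such as '#<tab><tab><tab>' can be copied into a report."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else "\\x%02x" % ord(c) for c in text)


class IrcSink:
    """Server-side state for one bot connection."""

    def __init__(self):
        self.nick = self.user = self.password = None
        self.registered = False
        self.channels = []
        self.log = []                                  # escaped transcript for the report

    def _num(self, code, text):
        return (":%s %s %s %s\r\n" % (SERVER_NAME, code, self.nick or "*", text)).encode("latin-1")

    def handle(self, raw):
        self.log.append("<- " + printable(raw.decode("latin-1").rstrip("\r\n")))
        _, cmd, params = parse_line(raw)
        out = []
        if cmd == "PASS" and params: 
            self.password = params[0]                  # server password the bot was built with
        elif cmd == "NICK" and params:
            self.nick = params[0]
        elif cmd == "USER" and params:
            self.user = params[0]
        elif cmd == "PING":
            out.append(("PONG %s :%s\r\n" % (SERVER_NAME, params[0] if params else SERVER_NAME)).encode("latin-1"))
        elif cmd == "JOIN" and params:
            for chan in params[0].split(","):
                self.channels.append(chan)
                out.append((":%s!%s@bot JOIN :%s\r\n" % (self.nick, self.user, chan)).encode("latin-1"))
                out.append(self._num("353", "= %s :%s %s" % (chan, self.nick, OPERATOR)))
                out.append(self._num("366", "%s :End of NAMES list" % chan))
        if self.nick and self.user and not self.registered:
            self.registered = True                     # bots usually wait for 001/376 before JOIN
            out = [self._num("001", ":Welcome %s" % self.nick), self._num("376", ":End of MOTD")] + out
        for line in out:
            self.log.append("-> " + printable(line.decode("latin-1").rstrip("\r\n")))
        return out

    def command(self, channel, text):
        """A PRIVMSG from the operator, e.g. the !@id or !@login commands listed on slide 47."""
        return (":%s!%s@remnux PRIVMSG %s :%s\r\n" % (OPERATOR, OPERATOR, channel, text)).encode("latin-1")


def serve(port, first_command="!@id"):
    """Listen (a port below 1024 such as 103 needs root), register the first bot that connects,
    send one command into the first channel it joins, and return the escaped transcript."""
    sink, buf, sent = IrcSink(), b"", False
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    for reply in sink.handle(line + b"\n"):
                        conn.sendall(reply)
                    if sink.channels and not sent:
                        conn.sendall(sink.command(sink.channels[0], first_command))
                        sent = True
    return sink.log


if __name__ == "__main__":
    for entry in serve(int(sys.argv[1]) if len(sys.argv) > 1 else 6667):
        print(entry)
```

Run it on REMnux as root with the port the bot wants (sudo python3 ircsink.py 103), which removes the need for the fpipe redirection used in the lab; the transcript it returns is the request/response log the "Modeling the REMnux" slide asks for, with every non-printable byte escaped.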
testirc.8866.org - !@login
• BP @ 0040208B: found a secret password of [kluki] for the secret channel @ 004020B2
• BP @ 004020B2: patch the password to 7502088, or
• BP @ 004020C3: NOP it out so that any password passes
• The malware provides a secret channel for the author to send commands to the victim using an undocumented password
• Meaning: if you download the package and send out the malware, the author can control it without your knowledge...!
55
www.mmbest.com
• REMnux: Wireshark shows it wants to connect to port 80
• REMnux: use netcat to see what it is going to do: > sudo nc -l -p 80
• REMnux: found it provides a referrer of "http://testirc.8866.org18000/ads.cgi"
56
Others
• Where are the strings for !@webdl and "yesss?"
• Multiple bots under control?
• If the unpacked bot is used:
  – Sysupd.exe is found
  – The bot will not connect to slack.isfs.org
• It's your exercise.....
57
End of the workshop
• Books I've read
• Or, do you want me to go through the manual unpacking....?
58
Books
[Figures: book covers, slides 59 to 62]
59-62
Manual Unpacking (1)
• A packer usually compresses the binary and appends a stub containing the decompression algorithm. The EP of the binary is moved to the start of the stub; after the stub has done its job, it executes a jump [usually a long jump] to the OEP and starts the unpacked binary
• Unpacking is letting the process, with the help of a debugger, run the stub to decompress or decode the binary in memory, and then dumping the memory to a file at the point of the OEP
• However, the dumped binary will not run as-is, because its sections are aligned to memory page boundaries rather than to the file alignment values, and the import directory [used for calling APIs] is clearly wrong and will need fixing (this is what OllyDump's rebuild options and ImportREC are for)
63
Manual Unpacking (2)
• In order to keep all CPU register values (EAX, EBX ... EDI) in a safe place before running the decompression or decoding algorithm, the stub PUSHes all register values onto the stack with one instruction, PUSHAD
• Immediately before running the unpacked binary, the stub restores all these values with another instruction, POPAD
• If we put a hardware breakpoint (on access) on the first 4 bytes of the stack (at the address in ESP, the stack pointer register; each IA-32 register holds 4 bytes) immediately after stepping over the PUSHAD, OllyDbg will break when the same 4 bytes are read back by the POPAD instruction, and we will be sitting right in front of the JMP to the OEP. Then F9 plus a few F8 to follow the long jump to the OEP
64