PRACTICAL MALWARE ANALYSIS: MALWARE-FOCUSED NETWORK SIGNATURES (LAB 14-02)

Tools Used

  1. IDA Pro
  2. Ollydbg
  3. Cerbero Profiler

Sample:

  1. Lab14-02.exe SHA256: 435be1c6e904836ad65f97f3eac4cbe19ee7ba0da48178fc7f00206270469165

VirusTotal:

  • Detection Rate: 39/56
  • Analyzed on 2016-03-18
  • Compilation Date: 2009-01-08 01:37:00
  • View report here

Lab 14-2
Analyze the malware found in file Lab14-02.exe. This malware has been configured
to beacon to a hard-coded loopback address in order to prevent it
from harming your system, but imagine that it is a hard-coded external
address.
Questions
1. What are the advantages or disadvantages of coding malware to use
direct IP addresses?

Figure 1. IP in String Resource

Pro

A hard-coded IP needs no DNS lookup, so the beacon generates no DNS traffic for a defender to log and does not depend on a domain registration that could be seized or sinkholed. If the attacker's IP is blocked, other variants of the same malware built with a different IP are unaffected.

Con

If the IP is identified as malicious and blocked, or the host behind it is taken down, the attacker loses access to every implant configured with it, and changing the IP means editing or rebuilding each sample. With a domain name, the attacker can simply repoint the DNS record to a new IP.

2. Which networking libraries does this malware use? What are the advantages
or disadvantages of using these libraries?

Figure 2. WININET

This malware uses the WinINet library.

Pro

WinINet is a high-level API: cookies and caching headers are handled automatically, so the requests look more like normal browser traffic. Caching cuts both ways, though. If the malware does not force a fresh download (for example with INTERNET_FLAG_RELOAD), it may receive a cached copy instead of the new content the server is serving.

Con

The User-Agent is not supplied by the library. The author has to set it, and it is usually hard-coded, which makes it an easy network signature.

3. What is the source of the URL that the malware uses for beaconing?
What advantages does this source offer?

As shown in Figure 1, the URL is stored in the executable's string resource rather than in the code. Once the malware is compiled, the attacker can change the IP by editing the resource with a resource editor, without recompiling. Using a resource also removes the need for a separate configuration file.

4. Which aspect of the HTTP protocol does the malware leverage to
achieve its objectives?

The malware creates two threads. One sends data out in the User-Agent field of its HTTP requests, after encoding it with a custom base64 scheme. The other reads the data (commands) returned by the C2 server.

Figure 3. Read Data
Figure 4. Send Data

The read thread uses the static User-Agent "Internet Surf", as shown below.

Figure 5. Internet Surf User-Agent

5. What kind of information is communicated in the malware’s initial
beacon?

Setting a breakpoint at 0x00401750, we break before the malware attempts to send. Here the custom base64 encoded data can be seen packaged and ready to go out.

Figure 6. Base64 encoded data

The decoded text is the initial output of a cmd.exe prompt.

Figure 7. Decoded Base64

6. What are some disadvantages in the design of this malware’s communication
channels?

  1. Only outgoing traffic is encoded; incoming commands are sent in the clear, so a defender watching the wire can read them.
  2. The read thread's User-Agent is hard-coded, so a simple signature on "Internet Surf" is trivial to write.
  3. The send thread's User-Agent is a base64-looking blob that looks nothing like a browser's, so anyone reviewing the packet headers will spot it.
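As an added example (not code from the original post), here is the detection logic a defender would derive from points 2 and 3, run over a few constructed HTTP requests. Only the "Internet Surf" User-Agent comes from the analysis above; the request paths, Host values and the base64 payload are placeholders, and the signature names are my own.

```python
import re

# Constructed HTTP requests (not captured from the sample). The hard-coded
# "Internet Surf" User-Agent is the one observed in the read thread; the
# paths, Host values and the base64 blob are placeholders.
SAMPLE_REQUESTS = [
    # read thread: fixed, non-browser User-Agent
    "GET /index.html HTTP/1.1\r\nUser-Agent: Internet Surf\r\nHost: 127.0.0.1\r\n\r\n",
    # send thread: encoded shell output smuggled in the User-Agent field
    "GET /index.html HTTP/1.1\r\nUser-Agent: TWljcm9zb2Z0IFdpbmRvd3MgWzY=\r\nHost: 127.0.0.1\r\n\r\n",
    # ordinary browser request, must not alert
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)\r\nHost: 127.0.0.1\r\n\r\n",
]

HARDCODED_UA = "Internet Surf"

# A base64 blob: only base64 alphabet characters, optional '=' padding, and
# long enough that a short real product token (e.g. "curl/7.64.1") cannot
# match. A custom alphabet that reuses the standard character set still
# falls in this class; one built from other characters needs the class widened.
B64_UA = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def user_agent(request: str):
    """Return the User-Agent header value of a raw HTTP request, or None."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def classify_user_agent(ua: str):
    """Return the list of signature names that match this User-Agent."""
    hits = []
    if ua == HARDCODED_UA:                       # exact, case-sensitive match
        hits.append("hardcoded-ua-internet-surf")
    if B64_UA.match(ua) and len(ua) % 4 == 0:    # data smuggled in the UA field
        hits.append("base64-blob-in-user-agent")
    return hits


def scan(requests):
    """Return (index, signature) for every request that trips a signature."""
    alerts = []
    for i, req in enumerate(requests):
        ua = user_agent(req)
        if ua is None:
            continue
        for sig in classify_user_agent(ua):
            alerts.append((i, sig))
    return alerts


if __name__ == "__main__":
    for idx, sig in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {sig}")
```

The first check is the one that translates directly into an IDS rule, for example the Snort form `alert tcp any any -> any 80 (msg:"Lab14-02 hard-coded User-Agent"; content:"User-Agent|3a| Internet Surf"; http_header; sid:1000001; rev:1;)` (sid chosen arbitrarily). The second check is a heuristic and should be tuned against the environment's real User-Agent population before it is deployed as an alert.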

7. Is the malware’s encoding scheme standard?

No. The custom base64 alphabet can be seen in the following figure.

Figure 8. Custom base64 alphabet
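As an added example, not code from the original post, this is the general custom-base64 decoder a defender writes once the alphabet is recovered: map each custom symbol to the standard symbol at the same index and let the standard decoder handle the bit packing. The CUSTOM_ALPHABET below is a constructed placeholder, not the alphabet from Lab14-02.exe; paste the 64-character string from Figure 8 (and the padding character, if the sample changes it) in its place to decode real captures.

```python
import base64

STD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")

# Placeholder alphabet for illustration only. It is NOT the one recovered
# from Lab14-02.exe; substitute the sample's alphabet (Figure 8) here.
CUSTOM_ALPHABET = ("WXYZabcdefghijklmnopqrstuvwxyz0123456789"
                   "ABCDEFGHIJKLMNOPQRSTUV+/")


def _check_alphabet(alphabet: str, pad: str) -> None:
    """A usable alphabet is 64 distinct characters plus a distinct pad char."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    if len(pad) != 1 or pad in alphabet:
        raise ValueError("pad must be a single character outside the alphabet")


def custom_b64decode(text: str, alphabet: str = CUSTOM_ALPHABET,
                     pad: str = "=") -> bytes:
    """Decode text written with a custom base64 alphabet.

    Each custom symbol is translated to the standard symbol at the same
    index, then the standard decoder does the rest. Characters outside the
    custom alphabet are rejected rather than silently passed through.
    """
    _check_alphabet(alphabet, pad)
    bad = set(text) - set(alphabet + pad)
    if bad:
        raise ValueError(f"characters not in alphabet: {sorted(bad)}")
    std = text.translate(str.maketrans(alphabet + pad, STD_ALPHABET + "="))
    std += "=" * (-len(std) % 4)        # restore padding a sample may drop
    return base64.b64decode(std, validate=True)


def custom_b64encode(data: bytes, alphabet: str = CUSTOM_ALPHABET,
                     pad: str = "=") -> str:
    """Encode bytes with a custom alphabet (inverse of custom_b64decode).

    Useful for crafting replies or test vectors when emulating the C2 server.
    """
    _check_alphabet(alphabet, pad)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET + "=", alphabet + pad))


if __name__ == "__main__":
    # Constructed sample of what the send thread would carry: a cmd.exe banner.
    sample = b"Microsoft Windows [Version 6.1.7601]\r\nC:\\>"
    encoded = custom_b64encode(sample)
    print(encoded)
    print(custom_b64decode(encoded))
```

Because the translation is a pure index mapping, the same two functions serve any permutation-style alphabet, including ones that swap the padding character; only the two module constants change.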

8. How is communication terminated?

In the subroutine at 0x00401800, once the malware reads the word exit from the C2 server, the thread exits.

Figure 9. exit keyword

9. What is the purpose of this malware, and what role might it play in the
attacker’s arsenal?

A reverse shell over HTTP: the attacker sends commands, the malware runs them through cmd.exe and returns the output encoded in the User-Agent field. On termination, the subroutine at 0x00401880 is called to delete the executable from the system.

Figure 10. Self delete
