Well, it's about noon here, on saturday night, and I should be away with friends, drinking a bit, having fun, meeting new people... But things are a bit different this saturday night. Yes, I'm stuck home, being sick. Just like a malware, flue has spread amongst co-workers, and it finally struck me yesterday.
What could I do then, except spending some time on my laptop, lying in my bed ?
As the "social monster" I am supposed to be, like one of my co-worker has called me, I thought I would spend some time talking with one or two friends on IRC or MSN (well, I'm using "pidgin" under my Linux for MSN protocol, of course).
So I've been chatting a bit, and then, suddenly, a friend asked me :
"hey, is this you ? http://members.lycos.co.uk/xxxx/?=myemailaddress"
I immediately tried to tell her that she was having a malware on her computer, but it seems that she didn't get my message. Luckily enough, I had her phone-number so I called her and explained her some things ;-)
Now as curious as I can be, I got to this url and of course, it opened a window asking me if I wanted to download a file called "naked0453.com" , which I did.
I immediately sent this file for analysis to
virustotal.com (Hi Julio ;-)) and got this result:
So now I could have googled around to find more information about this Trojan.Win32.Agent.dwd, but it would have been no fun.
Instead, I decided to launch the naked0453.com file ... Of course, under a special environment : a Windows XP SP2 in a VirtualBox. My sniffer (Wireshark) already on of course, to check for the network communication.
Well as soon as I ran the binary, it opened a window containing the "supposed" me :
Ok, it definitely is not me, I feel better, none of my ex-girlfriend has sent naked pics of me through Internet ;-P
Anyway, some files have been dropped on my system when I launched the binary:
* a file "services.exe" in my C:\Documents and Settings\user\localsettings\temp.
* some temporary files (image.jpg for example)
The services.exe binary is immediately run by the "naked" binary.
Once again, I ran the binary on virustotal.com, obtaining the following results:
As you can see, the malware itself is less detected than his dropper, which is usual. And oh, Armadillo is there... But I don't have reversing skills anyway :-p
Of course, the malware has also added himself in Windows registry, so that it will restart when Windows reboots.
Another funny thing is that services.exe (I'll call it the malware from now on) has been reading my autoexec.bat file, but I don't know why.
A remote thread is also injected in c:\windows\explorer.exe
I'm hushing through all these files manipulation because I'm not finding it so sexy : my main interest is to check what the malware has done on the network.
Letting Wireshark run for some time, I see there is quite an amount of communication. After some ten minutes, I stopped it, and put my Windows XP in my VirtualBox in his precedent state. (uninfected)
The first packets sent by the malware are DNS requests :
1 0.000000 192.168.x.x 192.168.x.x DNS Standard query A james.ccpower.ru
2 0.003170 192.168.x.x 192.168.x.x DNS Standard query response A 127.0.0.1
3 3.848609 192.168.x.x 192.168.x.x DNS Standard query A asl.aldanma.net
4 3.852151 192.168.x.x 192.168.x.x DNS Standard query response A 209.205.196.3
james.ccpower.ru points to 127.0.0.1, being useless. But we see that asl.aldanma.net is resolved to 209.205.196.3.
Immediately afterwards (5th packet) the malware establishes a connection to a IRC server at asl.aldanma.net :
NICK FQ[FRA-0H-hebxpefcz
USER heh heh heh :kakap
:log.on.sys 001 FQ[FRA-0H-hebxpefcz :Cisco
:log.on.sys 005 FQ[FRA-0H-hebxpefcz
:log.on.sys 422 FQ[FRA-0H-hebxpefcz :
:FQ[FRA-0H-hebxpefcz MODE FQ[FRA-0H-hebxpefcz :+i
JOIN #.niw
:FQ[FRA-0H-hebxpefcz!heh@AFontenayssB-x-x-x-x.wx-x.abo.wanadoo.fr JOIN :#.niw
:log.on.sys 353 FQ[FRA-0H-hebxpefcz @ #.niw :FQ[FRA-0H-hebxpefcz @abc
:log.on.sys 366 FQ[FRA-0H-hebxpefcz #.niw :End of /NAMES list.
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
PING :log.on.sys
PONG :log.on.sys
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ a7d10aaf0e52b98963bc13232d4e88f1 .................................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
PING :log.on.sys
PONG :log.on.sys
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
PING :log.on.sys
PONG :log.on.sys
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
PING :log.on.sys
PONG :log.on.sys
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
As we can see, the malware connects to the IRC server using a nick "FQ[FRA-0H-hebxpefcz" which at least contains a country reference.It also uses a user name "heh heh heh :kakap"
The answer from the server, the MOTD, is "Cisco".
The bot (malware) then joins the secret channel #.niw on the server.
We see only one user on the channel, with operator rights, called "abc".
I would have liked seeing all bots connected at the same time but it seemed that the server was configured to hide everything. Even whois'ing was forbidden on the server.
After that, my machine started to connect to a lot of different web servers, getting hundreds of files (porn, affiliation, more malware...) but I had no time to keep digging, and furthermore I have to write another post on this blog about "Solutions Linux 2008" ... :-p
So this fast funny analysis is over, and as you can see it took me quite some time to publish it (mainly because I was away on hollidays) ;-)
