Saturday Night Fever... And Win32.Agent.dwd malware analysis :-p


Well, it's about noon here, on saturday night, and I should be away with friends, drinking a bit, having fun, meeting new people... But things are a bit different this saturday night. Yes, I'm stuck home, being sick. Just like a malware, flue has spread amongst co-workers, and it finally struck me yesterday.

What could I do then, except spending some time on my laptop, lying in my bed ?

As the "social monster" I am supposed to be, like one of my co-worker has called me, I thought I would spend some time talking with one or two friends on IRC or MSN (well, I'm using "pidgin" under my Linux for MSN protocol, of course).

So I've been chatting a bit, and then, suddenly, a friend asked me :

"hey, is this you ? http://members.lycos.co.uk/xxxx/?=myemailaddress"

I immediately tried to tell her that she was having a malware on her computer, but it seems that she didn't get my message. Luckily enough, I had her phone-number so I called her and explained her some things ;-)

Now as curious as I can be, I got to this url and of course, it opened a window asking me if I wanted to download a file called "naked0453.com" , which I did.

I immediately sent this file for analysis to virustotal.com (Hi Julio ;-)) and got this result:

So now I could have googled around to find more information about this Trojan.Win32.Agent.dwd, but it would have been no fun.

Instead, I decided to launch the naked0453.com file ... Of course, under a special environment : a Windows XP SP2 in a VirtualBox. My sniffer (Wireshark) already on of course, to check for the network communication.

Well as soon as I ran the binary, it opened a window containing the "supposed" me :



Ok, it definitely is not me, I feel better, none of my ex-girlfriend has sent naked pics of me through Internet ;-P

Anyway, some files have been dropped on my system when I launched the binary:

* a file "services.exe" in my C:\Documents and Settings\user\localsettings\temp.
* some temporary files (image.jpg for example)

The services.exe binary is immediately run by the "naked" binary.

Once again, I ran the binary on virustotal.com, obtaining the following results:



As you can see, the malware itself is less detected than his dropper, which is usual. And oh, Armadillo is there... But I don't have reversing skills anyway :-p

Of course, the malware has also added himself in Windows registry, so that it will restart when Windows reboots.

Another funny thing is that services.exe (I'll call it the malware from now on) has been reading my autoexec.bat file, but I don't know why.


A remote thread is also injected in c:\windows\explorer.exe

I'm hushing through all these files manipulation because I'm not finding it so sexy : my main interest is to check what the malware has done on the network.

Letting Wireshark run for some time, I see there is quite an amount of communication. After some ten minutes, I stopped it, and put my Windows XP in my VirtualBox in his precedent state. (uninfected)

The first packets sent by the malware are DNS requests :

1 0.000000 192.168.x.x 192.168.x.x DNS Standard query A james.ccpower.ru
2 0.003170 192.168.x.x 192.168.x.x DNS Standard query response A 127.0.0.1
3 3.848609 192.168.x.x 192.168.x.x DNS Standard query A asl.aldanma.net
4 3.852151 192.168.x.x 192.168.x.x DNS Standard query response A 209.205.196.3


james.ccpower.ru points to 127.0.0.1, being useless. But we see that asl.aldanma.net is resolved to 209.205.196.3.

Immediately afterwards (5th packet) the malware establishes a connection to a IRC server at asl.aldanma.net :

NICK FQ[FRA-0H-hebxpefcz
USER heh heh heh :kakap
:log.on.sys 001 FQ[FRA-0H-hebxpefcz :Cisco
:log.on.sys 005 FQ[FRA-0H-hebxpefcz

:log.on.sys 422 FQ[FRA-0H-hebxpefcz :
:FQ[FRA-0H-hebxpefcz MODE FQ[FRA-0H-hebxpefcz :+i
JOIN #.niw
:FQ[FRA-0H-hebxpefcz!heh@AFontenayssB-x-x-x-x.wx-x.abo.wanadoo.fr JOIN :#.niw
:log.on.sys 353 FQ[FRA-0H-hebxpefcz @ #.niw :FQ[FRA-0H-hebxpefcz @abc
:log.on.sys 366 FQ[FRA-0H-hebxpefcz #.niw :End of /NAMES list.
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ a7d10aaf0e52b98963bc13232d4e88f1 .................................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................
:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :........ 32415c24f4c28fb144f37921a7f4dc26 .........................
PING :log.on.sys
PONG :log.on.sys

:abc!rL@318BDD43.C22E0C0.495A4415.IP PRIVMSG #.niw :..... ............................................


As we can see, the malware connects to the IRC server using a nick "FQ[FRA-0H-hebxpefcz" which at least contains a country reference.It also uses a user name "heh heh heh :kakap"
The answer from the server, the MOTD, is "Cisco".
The bot (malware) then joins the secret channel #.niw on the server.

We see only one user on the channel, with operator rights, called "abc". I would have liked seeing all bots connected at the same time but it seemed that the server was configured to hide everything. Even whois'ing was forbidden on the server.

After that, my machine started to connect to a lot of different web servers, getting hundreds of files (porn, affiliation, more malware...) but I had no time to keep digging, and furthermore I have to write another post on this blog about "Solutions Linux 2008" ... :-p

So this fast funny analysis is over, and as you can see it took me quite some time to publish it (mainly because I was away on hollidays) ;-)

Commentaires

1. Le jeudi 31 janvier 2008, 08:41 par Bruno Kerouanton

Very interesting analysis, indeed. I'll probably mention it in my next scheduled training session. Have you got the time to get further on in analyzing those other webservers and binaries ?

I also learned something else, thanks to your post : They let you take holidays ? I believed you never took any days off !!!

Cheers,

Bruno

2. Le jeudi 31 janvier 2008, 08:49 par Bruno Kerouanton

I forgot to mention that I did some tests on the URLs you mention. james.ccpower.ru is quite interesting, as it's not redirecting to 127.0.0.1 as you say, but it's a Socks4/5 service provided by a russian company. I already noticed that most similar services are located around this geographical region !
Just to clarify the point about proxies, the benefit for the user is that he appears to come from another place as he is, thus "anonymizing" the connexion, but on the other hand ha has got to be really confident in the proxy provider, which has got access to every single packet in transit, and who charges the services with credit card... Personally I wouldn't even't dare to try such service located in Russia ! That makes me believe that most users of foreign proxy services are just doing illegal stuff and want to hide a little bit of their trafic. That's the point.

3. Le vendredi 1 février 2008, 15:48 par Cédric Pernet

@Bruno : Well thank you for your kind comments, if I would have known I would have digged further on. Unfortunately, I've already been deleting everything. I just wanted to show to some people that a fast malware analysis can be fun.
Now concerning james.ccpower.ru, it has changed often since then : at the time of writing this short comment, it is not pointing anymore to .RU but to .NL ;-)

4. Le dimanche 3 février 2008, 23:30 par MiiB

Well done.. a very interesting fast analysis. After reading this post I've tried "VirtualBox". This could be a good solution when you know that some malware detects VMware products.
Concerning proxies in general and .RU services in particular, as wrote Bruno, I don't understand too how people can trust in those !
But you know, fraudster is a job like others : they also need to pay if they want their own swimming pool :-p

5. Le mardi 5 février 2008, 11:52 par Cédric Pernet

@MiB: Nice to know that I convinced someone to use VirtualBox, I really enjoy this product.

Ajouter un commentaire

Le code HTML est affiché comme du texte et les adresses web sont automatiquement transformées.

La discussion continue ailleurs

URL de rétrolien : http://bl0g.cedricpernet.net/trackback/58

Fil des commentaires de ce billet