Saturday, December 29, 2007

Quick and Dirty RE


While investigating a suspicious downloaded executable I came to employ some quick reverse engineering tricks to identify the purpose of the unknown binary. The initial binary was called "macromedia-flashplayerupdate.exe", ....fishy!!!! At the time a virus scan of the binary showed no identification.

I first started by running the binary on a test system using InCtrl5, a Windows based installation logger. This showed me that the binary dropped a secondary EXE called "aspimgr.exe" and installed it as a service.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\aspimgr.exe
Files added: 6
c:\Documents and Settings\user\Local Settings\Temp\_check32.bat
Date: 12/29/2007 9:58 PM
Size: 181 bytes
c:\WINDOWS\s32.txt
Date: 8/18/2004 11:00 AM
Size: 63 bytes
c:\WINDOWS\ws386.ini
Date: 8/18/2004 11:00 AM
Size: 12 bytes
c:\WINDOWS\Prefetch\ASPIMGR.EXE-105B8CCF.pf
Date: 12/29/2007 9:58 PM
Size: 10,858 bytes
c:\WINDOWS\Prefetch\MACROMEDIA-FLASHPLAYERUPDATE.-30FC0E47.pf
Date: 12/29/2007 9:58 PM
Size: 7,590 bytes
c:\WINDOWS\system32\aspimgr.exe
Date: 12/29/2007 9:58 PM
Size: 65,536 bytes

Files deleted: 1

c:\Documents and Settings\user\Desktop\macromedia-flashplayerupdate.exe
Date: 12/29/2007 9:57 PM
Size: 49,152 bytes

A quick strings look at the dropped EXE showed no significant information, and a run through PEiD did not show signs of a packer. This activity is obviously suspicious and most likely malicious, however a deeper understanding of the binaries functionality is crutial to responding to any incident, so here we go!

Although no useful strings were uncovered in the initial binary, I used a quick trick using IDA Pro and Ollydbg.

Ollydbg has a setting to break on newly loaded DLL's. Pres Alt+O and select the "Events" tab and check "Break on new module (DLL)".



Let the binary run and it will break each time a new DLL is loaded. This is a trial and error procedure, however I like to stop and dump process memory when interesting DLL's are loaded such as ws2_32.dll and shell32.dll.

From here we can use LordPE to dump the memory of the running process by locating the process in the list and right clicking and selecting "dump full". ImportREC then can be used to reconstruct the IAT, as shown below.

LordPE:


And importREC:



This newly constructed binary, though not perfect, can be loaded into IDA Pro for analysis. Here we can see a disassembly excerpt of the same section in the pre and post dumped file:

Pre:

.text:004037FB sub_4037FB      proc near               ; CODE XREF: _main+1Ep
.text:004037FB
.text:004037FB var_4           = dword ptr -4
.text:004037FB
.text:004037FB           push    offset asc_40E2B0 ; "H"
.text:00403800           call    sub_401866
.text:00403805           mov     [esp+4+var_4], offset aV_2 ; "V"
.text:0040380C           call    sub_401866
.text:00403811           mov     [esp+4+var_4], offset unk_40E2C8
.text:00403818           call    sub_401866
.text:0040381D           mov     [esp+4+var_4], offset asc_40E2D4 ; "["
.text:00403824           call    sub_401866
.text:00403829           mov     [esp+4+var_4], offset unk_40E2DC
.text:00403830           call    sub_401866
.text:00403835           mov     [esp+4+var_4], offset aU_0 ; "u"
.text:0040383C           call    sub_401866
.text:00403841           mov     [esp+4+var_4], offset asc_40E314 ; "l"
.text:00403848           call    sub_401866
.text:0040384D           mov     [esp+4+var_4], offset asc_40E344 ; "l"
.text:00403854           call    sub_401866
.text:00403859           mov     [esp+4+var_4], offset unk_40E36C
.text:00403860           call    sub_401866
.text:00403865           mov     [esp+4+var_4], offset unk_40E398
.text:0040386C           call    sub_401866
.text:00403871           mov     [esp+4+var_4], offset unk_40E3B8
.text:00403878           call    sub_401866
.text:0040387D           mov     [esp+4+var_4], offset unk_40E3E0

And Post:

.text:004037FB sub_4037FB      proc near               ; CODE XREF: _main+1Ep
.text:004037FB
.text:004037FB var_4           = dword ptr -4
.text:004037FB
.text:004037FB           push    offset unk_40E2B0
.text:00403800           call    sub_401866
.text:00403805           mov     [esp+4+var_4], offset unk_40E2BC
.text:0040380C           call    sub_401866
.text:00403811           mov     [esp+4+var_4], offset unk_40E2C8
.text:00403818           call    sub_401866
.text:0040381D           mov     [esp+4+var_4], offset a@ ; "@"
.text:00403824           call    sub_401866
.text:00403829           mov     [esp+4+var_4], offset unk_40E2DC
.text:00403830           call    sub_401866
.text:00403835           mov     [esp+4+var_4], offset cp ; "ns.uk2.net"
.text:0040383C           call    sub_401866
.text:00403841           mov     [esp+4+var_4], offset aWww_yahoo_com ; "www.yahoo.com"
.text:00403848           call    sub_401866
.text:0040384D           mov     [esp+4+var_4], offset aWww_web_de ; "www.web.de"
.text:00403854           call    sub_401866
.text:00403859           mov     [esp+4+var_4], offset a192_168_32_2 ; "192.168.32.2"
.text:00403860           call    sub_401866
.text:00403865           mov     [esp+4+var_4], offset a127_0_0_1 ; "127.0.0.1"
.text:0040386C           call    sub_401866
.text:00403871           mov     [esp+4+var_4], offset aCBugs_txt ; "c:\\bugs.txt"
.text:00403878           call    sub_401866
.text:0040387D           mov     [esp+4+var_4], offset aCLogevents_log ; "c:\\logEvents.log"

From here we get file names, hard coded IP's and domain names and URL's. Further down we can see the following strings:

.text:004039F1                 mov     [esp+4+var_4], offset aBcc ; "Bcc:"
.text:004039F8                 call    sub_401866
.text:004039FD                 mov     [esp+4+var_4], offset aSubject ; "Subject:"
….

.text:00404009 mov [esp+4+var_4], offset aGoldCerts ; "gold-certs"
.text:00404010                 call    sub_401866
.text:00404015                 mov     [esp+4+var_4], offset aThe_bat ; "the.bat"
.text:0040401C                 call    sub_401866
.text:00404021                 mov     [esp+4+var_4], offset aPage ; "page"
.text:00404028                 call    sub_401866
.text:0040402D                 mov     [esp+4+var_4], offset aAdmin ; "admin"
.text:00404034                 call    sub_401866
.text:00404039                 mov     [esp+4+var_4], offset aSupport ; "support"

A mass mailer! A quick Google search and we learn that we are dealing with a Mytob type mass mailing worm. This technique was effective for this particular malware, and from here we can quickly identify additional infected hosts and respond accordingly. We simply let the malware decrypt it's own strings and stuff them back into the program....and then dump!!! All in all this initial analysis only took a total of only 10 minutes, so response time remains quick.