While investigating a suspicious downloaded executable I used a few quick reverse engineering tricks to identify the purpose of the unknown binary. The initial binary was called "macromedia-flashplayerupdate.exe"....fishy!!!! At the time a virus scan of the binary returned no detection at all.
I started by running the binary on an isolated test system (a throwaway VM with no network path back to anything that matters, since every step below actually executes the sample) using InCtrl5, a Windows based installation logger. This showed that the binary dropped a secondary EXE called "aspimgr.exe" into system32 and installed it as a service. The relevant part of the InCtrl5 report:
Registry values added:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr "ImagePath"
  - Type: REG_EXPAND_SZ
  - Data: C:\WINDOWS\system32\aspimgr.exe
Files added/changed:
- c:\Documents and Settings\user\Local Settings\Temp\_check32.bat
  - Date: 12/29/2007 9:58 PM
  - Size: 181 bytes
- c:\WINDOWS\s32.txt
  - Date: 8/18/2004 11:00 AM
  - Size: 63 bytes
- c:\WINDOWS\ws386.ini
  - Date: 8/18/2004 11:00 AM
  - Size: 12 bytes
- c:\WINDOWS\Prefetch\ASPIMGR.EXE-105B8CCF.pf
  - Date: 12/29/2007 9:58 PM
  - Size: 10,858 bytes
- c:\WINDOWS\Prefetch\MACROMEDIA-FLASHPLAYERUPDATE.-30FC0E47.pf
  - Date: 12/29/2007 9:58 PM
  - Size: 7,590 bytes
- (file name not captured)
  - Date: 12/29/2007 9:58 PM
  - Size: 65,536 bytes
Files deleted: 1
- c:\Documents and Settings\user\Desktop\macromedia-flashplayerupdate.exe
  - Date: 12/29/2007 9:57 PM
  - Size: 49,152 bytes
A quick look at the dropped EXE with strings turned up nothing significant, and a run through PEiD showed no signs of a known packer (PEiD only matches signatures it knows, so a clean result does not rule out custom obfuscation, and the missing strings already hint at some). The activity is obviously suspicious and most likely malicious; however, a deeper understanding of the binary's functionality is crucial to responding to the incident, so here we go!
Since no useful strings were visible in the binary on disk, I used a quick trick with OllyDbg and IDA Pro to get at them.
OllyDbg has a setting to break on newly loaded DLLs. Press Alt+O (Debugging options), select the "Events" tab and check "Break on new module (DLL)".
Let the binary run and it will break each time a new DLL is loaded. This is a trial and error procedure, but I like to stop and dump process memory when interesting DLLs such as ws2_32.dll (Winsock) or shell32.dll get loaded: by the time the program pulls in its networking library it has usually already decrypted the strings it is about to use, while it has not yet had a chance to do much damage.
From here we can use LordPE to dump the memory of the suspended process: locate the process in the list, right-click and select "dump full". ImportREC can then be used to reconstruct the import address table (IAT) of the dump, as shown below.
LordPE:
And ImportREC:
The rebuilt binary, though not perfect, can be loaded into IDA Pro for static analysis. Here is a disassembly excerpt of the same function in the on-disk file (pre) and in the dump (post):
Pre:
.text:004037FB sub_4037FB proc near ; CODE XREF: _main+1Ep
.text:004037FB
.text:004037FB var_4 = dword ptr -4
.text:004037FB
.text:004037FB push offset asc_40E2B0 ; "H"
.text:00403800 call sub_401866
.text:00403805 mov [esp+4+var_4], offset aV_2 ; "V"
.text:0040380C call sub_401866
.text:00403811 mov [esp+4+var_4], offset unk_40E2C8
.text:00403818 call sub_401866
.text:0040381D mov [esp+4+var_4], offset asc_40E2D4 ; "["
.text:00403824 call sub_401866
.text:00403829 mov [esp+4+var_4], offset unk_40E2DC
.text:00403830 call sub_401866
.text:00403835 mov [esp+4+var_4], offset aU_0 ; "u"
.text:0040383C call sub_401866
.text:00403841 mov [esp+4+var_4], offset asc_40E314 ; "l"
.text:00403848 call sub_401866
.text:0040384D mov [esp+4+var_4], offset asc_40E344 ; "l"
.text:00403854 call sub_401866
.text:00403859 mov [esp+4+var_4], offset unk_40E36C
.text:00403860 call sub_401866
.text:00403865 mov [esp+4+var_4], offset unk_40E398
.text:0040386C call sub_401866
.text:00403871 mov [esp+4+var_4], offset unk_40E3B8
.text:00403878 call sub_401866
.text:0040387D mov [esp+4+var_4], offset unk_40E3E0
And Post:
.text:004037FB sub_4037FB proc near ; CODE XREF: _main+1Ep
.text:004037FB
.text:004037FB var_4 = dword ptr -4
.text:004037FB
.text:004037FB push offset unk_40E2B0
.text:00403800 call sub_401866
.text:00403805 mov [esp+4+var_4], offset unk_40E2BC
.text:0040380C call sub_401866
.text:00403811 mov [esp+4+var_4], offset unk_40E2C8
.text:00403818 call sub_401866
.text:0040381D mov [esp+4+var_4], offset a@ ; "@"
.text:00403824 call sub_401866
.text:00403829 mov [esp+4+var_4], offset unk_40E2DC
.text:00403830 call sub_401866
.text:00403835 mov [esp+4+var_4], offset cp ; "ns.uk2.net"
.text:0040383C call sub_401866
.text:00403841 mov [esp+4+var_4], offset aWww_yahoo_com ; "www.yahoo.com"
.text:00403848 call sub_401866
.text:0040384D mov [esp+4+var_4], offset aWww_web_de ; "www.web.de"
.text:00403854 call sub_401866
.text:00403859 mov [esp+4+var_4], offset a192_168_32_2 ; "192.168.32.2"
.text:00403860 call sub_401866
.text:00403865 mov [esp+4+var_4], offset a127_0_0_1 ; "127.0.0.1"
.text:0040386C call sub_401866
.text:00403871 mov [esp+4+var_4], offset aCBugs_txt ; "c:\\bugs.txt"
.text:00403878 call sub_401866
.text:0040387D mov [esp+4+var_4], offset aCLogevents_log ; "c:\\logEvents.log"
From here we get file names, hard-coded IPs, domain names and URLs. Note that the addresses are identical in both listings (the dump was taken at the original image base) and that the same routine, sub_401866, is called with each pointer in turn; in the on-disk file those pointers lead to encrypted bytes that IDA could only label with whatever printable character happened to come first ("H", "V", "["), while in the dump the same addresses hold the decrypted text. Further down we can see the following strings:
.text:004039F1 mov [esp+4+var_4], offset aBcc ; "Bcc:"
.text:004039F8 call sub_401866
.text:004039FD mov [esp+4+var_4], offset aSubject ; "Subject:"
….
.text:00404009 mov [esp+4+var_4], offset aGoldCerts ; "gold-certs"
.text:00404010 call sub_401866
.text:00404015 mov [esp+4+var_4], offset aThe_bat ; "the.bat"
.text:0040401C call sub_401866
.text:00404021 mov [esp+4+var_4], offset aPage ; "page"
.text:00404028 call sub_401866
.text:0040402D mov [esp+4+var_4], offset aAdmin ; "admin"
.text:00404034 call sub_401866
.text:00404039 mov [esp+4+var_4], offset aSupport ; "support"
A mass mailer! A quick Google search on these strings tells us we are dealing with a Mytob-type mass-mailing worm. The technique was effective for this particular sample, and from here we can quickly identify additional infected hosts (the aspimgr service and the dropped files listed above make handy indicators) and respond accordingly. We simply let the malware decrypt its own strings and stuff them back into the program....and then dump!!! All in all this initial analysis took a total of only 10 minutes, so response time stays quick.
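The pre/post comparison above can be automated instead of eyeballed in IDA. The following is an added example (Python, not tooling from the original post): it runs a strings scan over the on-disk image and over the memory dump and reports only the strings that exist after the program has run. The sample buffers are constructed here from the strings shown in the post-dump listing; the "encrypted" form uses a single-byte XOR purely so the demo has something to decode, which is an assumption for illustration and says nothing about how this worm actually obfuscates its strings. The section address used when printing is likewise assumed.

```python
"""Diff the printable strings of an on-disk binary against a memory dump of the
same image to surface data that only exists at runtime, e.g. strings the
program decrypted into place before it loaded ws2_32.dll.

Added example, not the original post's tooling. The sample section below is
constructed: its "encrypted" form is a single-byte XOR chosen for the demo only
(assumption), not the real sample's obfuscation scheme.
"""
import re

MIN_LEN = 4
SAMPLE_KEY = 0x5A          # assumed key for the constructed sample only
SAMPLE_SECTION_VA = 0x40E000  # assumed VA of the data section, for display only

# Strings recovered in the post-dump disassembly (constructed from the listing).
SAMPLE_STRINGS = [
    "ns.uk2.net", "www.yahoo.com", "www.web.de", "192.168.32.2", "127.0.0.1",
    "c:\\bugs.txt", "c:\\logEvents.log", "Bcc:", "Subject:",
]


def extract_strings(buf, min_len=MIN_LEN):
    """(offset, text) for every run of at least min_len printable ASCII bytes,
    which is what `strings` or IDA's string scan would report."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(buf)]


def new_strings(on_disk, dumped, min_len=MIN_LEN, base=0):
    """Strings present in `dumped` but absent from `on_disk`.

    Both buffers must be laid out the same way (the same section, or two full
    images that are both file-aligned or both section-aligned) so offsets line
    up. `base` is added to each offset, e.g. the section VA, so a hit can be
    jumped to directly in IDA."""
    before = {s for _, s in extract_strings(on_disk, min_len)}
    return [(base + off, s) for off, s in extract_strings(dumped, min_len)
            if s not in before]


def pack_strings(strs, pad=16):
    """Lay strings out NUL-terminated back to back, like a compiler's .data
    section. Returns the bytes and {offset: string} so the demo can check itself."""
    buf = bytearray()
    layout = {}
    for s in strs:
        layout[len(buf)] = s
        buf += s.encode("ascii") + b"\x00"
    buf += b"\x00" * pad
    return bytes(buf), layout


def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)


def build_samples():
    """Return (on_disk, dumped, layout): the constructed section as it would sit
    in the file (encoded) and the same section after the program decoded it."""
    dumped, layout = pack_strings(SAMPLE_STRINGS)
    on_disk = xor_bytes(dumped, SAMPLE_KEY)  # assumption: plain XOR, demo only
    return on_disk, dumped, layout


if __name__ == "__main__":
    on_disk, dumped, _ = build_samples()
    print("strings visible in the file on disk (junk runs, like IDA's \"H\"/\"V\"):")
    for off, s in extract_strings(on_disk):
        print(f"  {SAMPLE_SECTION_VA + off:#010x}  {s!r}")
    print("strings that only exist in the dump:")
    for va, s in new_strings(on_disk, dumped, base=SAMPLE_SECTION_VA):
        print(f"  {va:#010x}  {s!r}")
```

In practice you feed `new_strings` the raw bytes of the same section read from the original file and from the LordPE dump (a "dump full" writes the image as it sits in memory, so use the section's virtual address and size from the dump's headers for both reads, or compare whole images only after aligning them the same way). Anything it reports is either decrypted data or runtime-allocated scratch, and either is worth a cross-reference check in IDA.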
2 comments:
Tag! Your turn for 6 quirks.. It's about time you blog in 2008 anyway.
Good stuff man,