
FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation


A leap into the unknown - Part 1

A leap into the unknown is a series that will discuss some lesser-known malware that has a reasonably good command and control structure. Most of this malware might not be totally new to the AVs, but it was never considered for more than just creating a signature. Little or no effort has been made to disclose the motivation behind creating this malware, the CnC architecture, or the people behind it. These articles are not here to prove that "My (discovered) botnet is bigger than yours". No offense to those who may already know about this malware and might not agree with the word 'unknown' in the title of this article. There is always someone who knows more than you do.

Let's start with our first malware. Here is the VirusTotal report.

MD5: 0078b75d32fc337e17ee42d87f15d5da

Name: You may see from the VT report that none of the AVs give it a proper name.  Most likely, detection for this malware is based on automated signature generation, and no one really looked into it for a detailed analysis. No worries.  Let me assign it a name: 'Fehler'. Why?  Let me explain.

Origin: After unpacking the executable, almost all of the strings found were written in German (thanks to Google Translate):

Fehler beim Einlesen des Programms: [Error in reading the program:]

Fehler %d beim Daten lesen (sockRead) [Error %d while reading data (sockRead)]

Due to the excessive usage of the word Fehler ('Error' or 'Mistake' in English) throughout the malware code, this name really suits it. Anyway, what's in a name? Let's move on.

Upon execution, Fehler adds itself to the following Run key so that it starts each time the user logs on:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    'UpDate' = <Path\Name.exe> -hide

It then tries to establish a connection to the host 'kontakt3.evangelion.nu' on TCP port 9222. Fehler uses a plain-text, home-grown protocol to communicate with its CnC. Here is how the initial communication looks:


-----------------

ping
ping|k3333333|kontakt3.evangelion.nu|0|2|1.10.0|WinXP|
ping
ping|k3333333|kontakt3.evangelion.nu|0|3|1.10.0|WinXP|
get ServerUpdate.exe 0

Ok
.MZP...// Executable bytes of ServerUpdate.exe
Path=outlook express

Setup=10-s.exe
Silent=1
Overwrite=1
ping
ping
ping|k3333333|kontakt3.evangelion.nu|1|5|1.10.0|WinXP|ServerUpdate.exe
exit

-----------------

I'll break down this protocol into multiple pieces and explain it one by one. In the original post, the packets from client to server were shown in red.

Upon successful connection, the server sends a constant string, 'ping', to the malware. The purpose of this ping is to ask the malware for certain information. The information returned by Fehler is a long '|'-separated string like:

ping|k3333333|kontakt3.evangelion.nu|0|2|1.10.0|WinXP|

Each substring terminated by the '|' character has a specific meaning.

1. ping

A hard-coded string. Like an opcode, every 'ping' request from the server results in a response from the malware carrying the same opcode as an identifier.

2. k3333333|kontakt3.evangelion.nu

The malware extracts these values by reading its own binary image from the disk in read-only mode. It looks for the constant string '1234567890ABC'. This string, followed by the other information, sits at the very end of the malware binary image like this:

1234567890ABC|k3333333|kontakt3.evangelion.nu|0|


Clearly '1234567890ABC' is a marker used to locate information such as the CnC domain. I am not able to understand the purpose of 'k3333333'. It is read and communicated as-is back to the server. Storing the CnC information this way allows the malware author to keep creating new binary images with updated information without the need to recompile.
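As an added example (my own code, not the post's or the malware author's), here is a small Python extractor that pulls the appended configuration out of a sample by searching for the marker from the end of the file. The sample bytes are constructed, not real malware. The field names 'tag' and 'trailing_flag' are my own labels, since the post does not name 'k3333333' or explain the trailing '0'. One point worth noting: because the code searches for the marker, the marker must also exist as a constant inside the code, so a sample can hold two copies; searching backwards from the end picks the appended one.

```python
import re

# Marker the malware searches for in its own image, as described in the post
MARKER = b"1234567890ABC"
HOSTNAME_RE = re.compile(rb"^[A-Za-z0-9.-]+$")

# Constructed stand-in for a sample (not real malware bytes): a fake PE-like body
# that also embeds the marker as the code constant, then the appended config trailer
# in the layout shown in the post.
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 62
    + b"search own image for " + MARKER + b"\x00"        # the constant the code itself uses
    + b"\x90" * 32
    + MARKER + b"|k3333333|kontakt3.evangelion.nu|0|"    # appended trailer
)


def extract_trailer_config(data: bytes):
    """Return {'tag', 'cnc_domain', 'trailing_flag'} from the appended trailer, or None.

    rfind() is used deliberately: the marker also appears in the code as the
    constant being searched for, so the last occurrence is the appended config.
    """
    pos = data.rfind(MARKER)
    if pos == -1:
        return None
    trailer = data[pos + len(MARKER):]
    # Expected shape after the marker: |<tag>|<domain>|<flag>|  -> ['', tag, domain, flag, '', ...]
    fields = trailer.split(b"|")
    if len(fields) < 5 or fields[0] != b"":
        return None
    tag, domain, flag = fields[1:4]
    if not HOSTNAME_RE.match(domain) or not flag.isdigit():
        return None
    return {
        "tag": tag.decode("ascii", "replace"),   # 'k3333333'; purpose unknown per the post
        "cnc_domain": domain.decode("ascii"),
        "trailing_flag": int(flag),              # the '0' after the domain
    }


if __name__ == "__main__":
    print(extract_trailer_config(SAMPLE_BINARY))
```

Run against a real sample, the domain it returns is the indicator to block or to hunt for in DNS logs; a sample that yields None either has no trailer or uses a different marker, which is itself worth knowing before writing a signature on the marker string.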

A '0' following the domain is a flag showing whether Fehler has successfully downloaded the binary served by the CnC server. We can see that after downloading 'ServerUpdate.exe', the next ping request shows this flag as '1'.

ping|k3333333|kontakt3.evangelion.nu|1|5|1.10.0|WinXP|ServerUpdate.exe

The number following this ('5' in the above packet) is the number of packets received by the malware. This is a counter which is initialized to 1. '1.10.0' is a hard-coded string which probably communicates the version of the malware itself. WinXP is the OS of the victim machine, and this field can have any of the following values:

WinXP, Win2000, Server2003, WinNT, Win98, WinME, or Vista/2008.

The value following the OS version is an optional string which is communicated back to the server once the binary is downloaded.  So the format of the packet becomes:

ping|k3333333|<CnC domain>|<Is Binary Downloaded>|<Number of packet received>|<Malware Version>|<Victim OS>|<Updated binary name>

.text:0040214E                 push    offset unk_416304
.text:00402153                 push    eax
.text:00402154                 push    offset a1_10_0  ; "1.10.0"
.text:00402159                 lea     eax, [esp+858h+Dest]
.text:00402160                 push    [esp+858h+var_834]
.text:00402164                 push    IsUpCLientRegValue
.text:0040216A                 push    offset name     ; "localhost"
.text:0040216F                 push    offset STRING_k3333333
.text:00402174                 push    offset aPingSSDDSSS ; "ping|%s|%s|%d|%d|%s|%s|%s\n"
.text:00402179                 push    eax             ; Dest
.text:0040217A                 call    _sprintf

Fehler keeps track of its downloads via two registry values:

HKUSER\SOFTWARE\Schmidt-Pro\UpdateServer\UpClient

which holds the <Is Binary Downloaded> flag, and

HKUSER\SOFTWARE\Schmidt-Pro\UpdateServer\UpClientFile

which keeps track of the <Updated binary name>, 'ServerUpdate.exe' in the above case.

Other than the 'ping' request, the malware supports the following commands.

1. get: download the specified binary

syntax:  get <Binary to Download> <Exit Signal for Malware after download>

2. pause: close all connections to server

3. exit: quit signal to malware

4. install: download the binary 'UpInstaller.exe' to the current drive, execute it, and then exit.

Although this is a limited set of commands, it is enough to execute any binary payload on the infected system. It also registers the victim machine with the CnC server. In the above case, the 'ServerUpdate.exe' payload is a password stealer.
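As an added example (my own code, not FireEye's), the beacon format and the command list above are put into a Python parser that an analyst can run over a captured session to confirm which payloads were pulled down. It assumes the session has been reduced to one message per line (the executable bytes served after 'get' are replaced by a constructed placeholder), reads the 'k3333333' field as an opaque tag, and treats the install command's binary name as the fixed 'UpInstaller.exe' given above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# OS values and server commands listed in the post
KNOWN_OS = {"WinXP", "Win2000", "Server2003", "WinNT", "Win98", "WinME", "Vista/2008"}
SERVER_COMMANDS = {"ping", "get", "pause", "exit", "install"}


@dataclass
class Beacon:
    """One malware reply, fields in the order of "ping|%s|%s|%d|%d|%s|%s|%s\\n"."""
    tag: str              # 'k3333333', read verbatim from the binary trailer
    cnc_domain: str
    downloaded: bool      # <Is Binary Downloaded>
    packet_count: int     # <Number of packet received>, starts at 1
    version: str          # '1.10.0'
    victim_os: str
    updated_binary: str   # empty until a binary has been downloaded


def parse_beacon(line: str) -> Optional[Beacon]:
    """Parse a malware-to-server ping reply; return None for anything else."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != 8 or parts[0] != "ping":
        return None
    flag, count = parts[3], parts[4]
    if flag not in ("0", "1") or not count.isdigit() or int(count) < 1:
        return None
    return Beacon(parts[1], parts[2], flag == "1", int(count), parts[5], parts[6], parts[7])


def parse_command(line: str) -> Optional[Dict]:
    """Parse a server-to-malware command line; return None for anything else."""
    tokens = line.strip().split()
    if not tokens or tokens[0] not in SERVER_COMMANDS:
        return None
    cmd: Dict = {"cmd": tokens[0]}
    if tokens[0] == "get":           # get <binary> <exit-after-download 0|1>
        if len(tokens) != 3 or tokens[2] not in ("0", "1"):
            return None
        cmd["binary"], cmd["exit_after"] = tokens[1], tokens[2] == "1"
    elif tokens[0] == "install":     # always fetches 'UpInstaller.exe' per the post
        cmd["binary"] = "UpInstaller.exe"
    return cmd


def analyze_session(lines: List[str]) -> Dict:
    """Summarise a captured session: beacons, commands and payloads confirmed installed."""
    beacons: List[Beacon] = []
    commands: List[Dict] = []
    findings: List[str] = []
    for line in lines:
        beacon = parse_beacon(line)
        if beacon:
            beacons.append(beacon)
            if beacon.victim_os not in KNOWN_OS:
                findings.append(f"unexpected OS field: {beacon.victim_os!r}")
            if beacon.downloaded and beacon.updated_binary:
                findings.append(f"payload confirmed installed: {beacon.updated_binary}")
            continue
        command = parse_command(line)
        if command:
            commands.append(command)
        # any other line is served file content ('Ok', 'MZP...', 'Setup=...') and is ignored
    return {
        "beacons": len(beacons),
        "cnc_domains": sorted({b.cnc_domain for b in beacons}),
        "commands": [c["cmd"] for c in commands],
        "requested_binaries": sorted({c["binary"] for c in commands if "binary" in c}),
        "confirmed_downloads": sorted({b.updated_binary for b in beacons if b.downloaded and b.updated_binary}),
        "findings": findings,
    }


# The session from the post, one message per line; the executable bytes after 'Ok'
# are reduced to a constructed placeholder line.
SESSION = [
    "ping",
    "ping|k3333333|kontakt3.evangelion.nu|0|2|1.10.0|WinXP|",
    "ping",
    "ping|k3333333|kontakt3.evangelion.nu|0|3|1.10.0|WinXP|",
    "get ServerUpdate.exe 0",
    "Ok",
    "MZP... <executable bytes elided>",
    "Path=outlook express",
    "Setup=10-s.exe",
    "Silent=1",
    "Overwrite=1",
    "ping",
    "ping",
    "ping|k3333333|kontakt3.evangelion.nu|1|5|1.10.0|WinXP|ServerUpdate.exe",
    "exit",
]

if __name__ == "__main__":
    for key, value in analyze_session(SESSION).items():
        print(f"{key}: {value}")
```

The useful output for incident response is the 'confirmed_downloads' list: a 'get' alone shows what the server tried to push, but only a later beacon with the flag set to '1' and the file name in the last field proves the host actually stored it, which is when the two UpdateServer registry values above should also be checked on the machine.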

Right after the download, 'ServerUpdate.exe' starts another communication with the host 'kontakt10.evangelion.nu' on TCP port 9123. The initial communication involves uploading the list of running services from the victim machine and stopping some of the critical services.


ServerUpdate has its own complete set of commands, which I will discuss in my next article.

The IP information for the CnCs involved is:

[Please note that at the time of writing this article, the NS records have been changed]

Fehler:

kontakt3.evangelion.nu -> 80.141.90.93

kontakt10.evangelion.nu -> 80.141.99.88

ServerUpdate.exe:

kontakt9.evangelion.nu -> 92.193.1.211

kontakt1.evangelion.nu -> 92.193.4.35

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM
