0x10 Third Place

by Kamal Shankar

Molly knew she had to act fast. She stopped all activity on her laptop and dialed her big brother, Siduoks De (who incidentally happened to be a malware researcher)...

"Hey Sid! My laptop's hacked, what do I do?"
Molly lovingly called her brother 'Sid', a contracted form of 'Siduoks'.

"Calm down now... I am here," said Sid. Molly told him everything, including what 'strings' had just spewed out...

"I never liked The Geek, and now maybe it's him, but let's work this out first..." Sid knew it was Molly's 16th birthday today and he felt very sorry for her.
He started to explain to Molly what note.exe might be doing in his typical comforting and reassuring way:

"Based on the output of the strings command, what capabilities might be built into the malicious code?", asked Molly.

note.exe is the malware causing you all the trouble. As far as I can tell from the output, it employs Microsoft's own OLE technology, DCOM, to remotely control Internet Explorer. By the way Molly, if you want to see a working demo of remote controlling IE yourself, have a go at IE'en.

You can also have a look at a very good presentation which was given at BlackHat Asia around 2002 http://www.blackhat.com/presentations/bh-asia-02/Sensepost/bh-asia-02-sensepost.pdf regarding this topic.

I am also sure that note.exe has hooked some other APIs, most probably CreateProcess() etc., to propagate and hide itself, but I can never be sure until I have a look at it myself. I also feel your keyboard is being hooked too, and the keylogging module is logging and uploading the keys you are typing to a remote site to which the attacker has access...

This is because the malware references EliRT, which is a Win32 context injection/hooking module written by Radim Picha; if you want to, you may download it from here at a later time.

To top it off, note.exe may also hook onto filesystem APIs like FindFile..() etc. to hide downloaded malware! So the output given by dir may even be misleading...

Thus note.exe may download other malware from the remote site if so instructed and run it stealthily too!

The presence of the string GetProcAddress also implies that it dynamically loads APIs, which may become evident upon seeing the rest of the output...

I also notice the string ersion\Run/, which seems to be a portion of "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" under the HKEY_LOCAL_MACHINE key of the Windows registry; this indicates that "note.exe" will configure itself to run on system startup.

The string \VMWare Tools is also interesting, as note.exe may be trying to detect if it's running under VMWare (as used by many malware researchers), and it may change its behaviour if so.
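The way Sid reads the strings dump, fragment by fragment, can be written down as a small triage script. The following is an added Python example, not code from the story or from any tool it names: it maps indicator patterns (the registry Run fragment, the VMware Tools path, GetProcAddress, EliRT, the IE automation names) to the capabilities Sid infers. The sample `strings` output is constructed for the example, with a few standard Win32 API names added as filler, and is not Molly's real dump.

```python
import re

# Constructed sample of `strings` output, modelled on the fragments the story
# mentions (not Molly's actual dump). A real dump contains far more noise.
SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
kernel32.dll
GetProcAddress
LoadLibraryA
CreateProcessA
FindFirstFileA
FindNextFileA
SetWindowsHookExA
EliRT
ersion\\Run/
\\VMWare Tools
InternetExplorer.Application
https://
iexplore.exe
"""

# Indicator pattern -> capability it suggests. Patterns are matched
# case-insensitively against each string; some are deliberately partial
# (e.g. "ersion\Run"), because `strings` often cuts a printable run short.
INDICATORS = [
    (r"ersion\\Run",                   "persistence: CurrentVersion\\Run autostart key"),
    (r"VMWare Tools",                  "anti-analysis: VMware detection"),
    (r"GetProcAddress|LoadLibrary",    "dynamic API resolution (imports hidden from the import table)"),
    (r"EliRT|SetWindowsHookEx",        "hooking / keylogging (EliRT context injection module)"),
    (r"CreateProcess",                 "process creation / propagation"),
    (r"Find(First|Next)File",          "filesystem API use (possible file hiding)"),
    (r"InternetExplorer\.Application|iexplore\.exe",
                                       "remote control of Internet Explorer via COM/DCOM"),
    (r"https?://",                     "network callback (URL)"),
]


def triage_strings(text):
    """Map each line of `strings` output to the capabilities it suggests.

    Returns {capability: [matching strings]}, capabilities in the order first
    seen, each matching string listed once per capability."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for pattern, capability in INDICATORS:
            if re.search(pattern, line, re.IGNORECASE):
                hits = findings.setdefault(capability, [])
                if line not in hits:
                    hits.append(line)
    return findings


def summarize(findings):
    """Render the findings as a short report, one capability per block."""
    out = []
    for capability, hits in findings.items():
        out.append(f"[+] {capability}")
        out.extend(f"      {hit}" for hit in hits)
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage_strings(SAMPLE_STRINGS)))
```

The report is a hypothesis list, exactly as Sid treats it: a string proves the malware carries a name, not that it uses it. Confirming each capability still needs the dynamic tracing he describes later.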

From what you have told me, as per the sniffer output, note.exe is communicating with a remote HTTPS/SSL site, as port 443 is generally used for HTTPS, although the attacker could just as well be running any service on it.

However, the instance of iexplore.exe running invisibly strongly suggests that note.exe is using DCOM (the attacker came to know your Windows login information) to remotely control Internet Explorer, and through the remote HTTPS site is doing things like:

• Keystroke logging your laptop to get more information

• Spying on data transferred via IE

• Giving further commands for his malware to execute

• Downloading and executing other malware on poor Molly's machine

In case you want to know what the real guys at SecurityFriday say:

• Remotely connects to or activates Internet Explorer

• Captures data sent and received using Internet Explorer

• Even on SSL encrypted websites (e.g. Hotmail), IE'en can capture user ID and password in plain text.

• Change the web page on the remote IE window.

• Make the remote IE window visible / invisible

The harm that can be done is endless...

Molly now knew that Sid would steadily help her out of this mess, so she became interested, and asked:

"What simple and popular method could the attacker have used to thwart strings analysis (as well as making binary disassembly more difficult) on note.exe? What tools could the attacker use to accomplish this goal?"

Sid laughed, and replied:

Really Molly, we are indeed fortunate that the attacker did not do so, which further leads me to believe that it's "The Geek", because never before have I seen malware which is not packed or encrypted! More likely, he wanted you to catch him, so that he may boast and show off!

Yet, since you are interested, just packing note.exe would not only thwart string analysis, it would also make binary disassembly more difficult.

I can refer you to some very good packers in this aspect:

• UPX (http://upx.sourceforge.net)

• FSG

• ASpack/ASprotect...

There are so many free packers/encrypters out there, but the most well known is UPX. However, if you want something different, Google for Programmer's Tools. This is a site which has lots of such tools, but keeps on moving. (Last time I checked, it was http://protools.anticrack.de/). Once you are there, just select the "Packers" page (http://protools.anticrack.de/packers.htm)!

Well, as a plus, the attacker also could have put anti-debugging code into his malware so that the malware would not run under a debugger. Although UPX does not do this, the other packers and encrypters at protools do it for you. However, adding anti-debugging tricks to an executable would also make it unstable, but then who worries about stability when coding malware ;)

Molly was more curious than ever. "How could a malicious code researcher overcome the strings-obscuring and anti-disassembly technique(s) you described in your answer to question 2? What tools could a researcher use to accomplish this goal?" she asked.

Well Molly, we have to do this all the time! First I go through the hexdump of the malware to find out what was used to pack or encrypt the executable. After locating it I unpack it using the corresponding unpacker. Then generally I follow these steps:

• Start RegMon (http://www.sysinternals.com/ntw2k/source/regmon.shtml) and FileMon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) to see what registry and file changes the malware makes

• Fire up Ethereal (http://ethereal.com) to monitor the network traffic generated by the malware (as done in this case...)
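Sid's first step, reading the file's hexdump to find out what packed it, can be automated. The following is an added Python example, not code from the story or from any tool it names: it walks the PE section table, flags the section names UPX and ASPack leave behind, and measures the Shannon entropy of each section's raw data, since compressed or encrypted code sits close to 8 bits per byte regardless of how the sections are named. The two sample executables are constructed inline by a helper that assembles a minimal PE image; they are not note.exe, and the `build_pe` helper, the 7.0 entropy threshold and the packer name table are the example's own assumptions.

```python
import math
import struct
from collections import Counter

# Section names that well-known packers leave behind. A packer can rename its
# sections, so this is only a first hint; the entropy check is harder to hide.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
}
HIGH_ENTROPY = 7.0   # bits per byte; compressed/encrypted data sits near 8.0 (assumed threshold)


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk the PE section table; return [(name, raw_size, entropy), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]      # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    offset = e_lfanew + 24 + opt_size                     # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(num_sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, offset)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
        offset += 40                                      # sizeof(IMAGE_SECTION_HEADER)
    return sections


def analyze(pe):
    """Report a packer guess from section names plus any high-entropy sections."""
    sections = parse_sections(pe)
    packer = next((PACKER_SECTION_NAMES[n] for n, _, _ in sections
                   if n in PACKER_SECTION_NAMES), None)
    high = [n for n, _, h in sections if h >= HIGH_ENTROPY]
    return {"packer": packer, "sections": sections, "high_entropy": high}


def build_pe(sections):
    """Constructed test helper (not a real linker): assemble a minimal PE image
    with a DOS stub, PE signature, COFF header, zeroed 224-byte optional header,
    section table and raw section data. Only fields parse_sections() reads matter."""
    opt_size = 224
    header_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (header_len + 0x1FF) & ~0x1FF              # 512-byte file alignment
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body = b"", b""
    for name, data in sections:
        raw_ptr = raw_base + len(body) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table
    return image.ljust(raw_base, b"\0") + body


# Constructed samples: a UPX-style layout (empty UPX0, dense UPX1) and a plain one.
PACKED_SAMPLE = build_pe([("UPX0", b""), ("UPX1", bytes(range(256)))])
PLAIN_SAMPLE = build_pe([(".text", b"\x90" * 128 + b"\xC3"),
                         (".data", b"Hello, Molly\0".ljust(64, b"\0"))])

if __name__ == "__main__":
    for label, pe in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        result = analyze(pe)
        print(f"{label}: packer={result['packer']} high_entropy={result['high_entropy']}")
        for name, size, ent in result["sections"]:
            print(f"    {name:<8} {size:6d} bytes  entropy {ent:.2f}")
```

A section name match tells you which unpacker to reach for, as Sid does; an unnamed high-entropy section tells you the file is packed or encrypted with something you still have to identify, and that `strings` on the file as-is will show little.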

In this specific case, I feel that the malware detects VMWare and tries to modify its own behaviour to fool the researcher. I will first write a tool myself which will hook onto some Registry functions like RegQueryValueEx(), RegOpenKeyEx() etc. to make the malware believe that it's not running under VMWare by returning my own values!

As this malware uses DCOM, I would also use the OllyDbg (http://home.t-online.de/home/Ollydbg) tool to find out the internal details of the malware...

However, nothing beats a nice long beer/coffee session on a malware sample with just the W32Dasm disassembler and the SoftICE debugger!

"Can you send me W32Dasm and SoftICE, Sid?", Molly quipped.

"I am afraid not, my dear. You have to pay for W32Dasm, and to get SoftICE you need approved permission and a practising licence to purchase a license for SoftICE," said Sid.

"But I'm sure that you too will be a very successful researcher when you grow up, and then you can have all of them!"

Molly did not expect a refusal from her big bro, but software licensing does get messy sometimes...

She realized that the evening was drawing near, and she had to do something about Jake as well as her broken laptop: "What should Molly do next to eradicate the malware and win Jake's heart?"

If possible, a hardware router firewall would be best. If that's not possible, a good software firewall like ZoneAlarm could be used to block that pesky 443 port. Once the 443 port got blocked, the attacker would be totally cut off from control, unless he had some other backup plan...

"Whatever, but at least it would give me some time to send the last batch of email and invitation cards to my friends for the party tonight!", Molly said with joy.

Yes! But remember what I told you: there may be a keylogger running, so see to it that you do not let any other application connect to the internet while you send those emails. In fact, I would like you to SSH using PuTTY into my Linux box and then send those emails!

"Thanks a lot, Sid!", Molly said, heaving a sigh of relief.

Send me a copy of note.exe too, so that I can find out exactly what has been going on in your system.

If possible, use the Task Manager to kill note.exe. Try to use the option "Kill process tree", so that all processes spawned by the malware get killed.

If the Task Manager is not available, or it has been disabled by the malware, download kill.exe (which comes with the Windows NT Resource Kit) from my server and try the same.

But whatever you do, try not to reboot the machine into this OS installation again. If you have a second OS installation, boot your computer using that.

I will be sending you the latest antivirus definitions and Windows patches by CD within this evening. Install them immediately. If possible, click on Windows Update on the start menu and update this installation too!

"Hey bro, any pointers to win Jake's heart?", asked Molly nervously, now that her laptop woes were fixed.

You don't need anything extra for that, my little sister! Just be your sweet normal self. Just invite him over and talk!