Shylock In-Depth Malware Analysis

•September 30, 2011 • 4 Comments

Hi everyone!  We got a special piece of malware on the docket.  Mila over @ contagiodump and Trusteer reported a new type of malware called Shylock.  They were mum on the details aside from some threat report which was very sparse on information.  So I requested a sample and proceeded to do some RE on it.  So we’ll look into it together to combine traditional Reverse Engineering for the goal of finding artifacts to verify infection in Volatility.  (Download the Shylock infected memory sample here)

The dropper can be downloaded from here (the pw is “infected”) and does some basic decryption of itself then proceeds to create a few files.  One is a copy of itself in a random path as well as a .bat file that is ran from cmd.exe with the \c to change attributes on the dropped files then erase them after malicious code is injected into explorer.exe.  The dropper spawns this command shell to process the .bat file.  The bat file is pasted below.

if not exist "C:\re\shylock\4FDA5E7E8E682870E993F97AD26BA6B2" goto exit
attrib -R -S -H "C:\re\shylock\4FDA5E7E8E682870E993F97AD26BA6B2"
erase "C:\re\shylock\4FDA5E7E8E682870E993F97AD26BA6B2"
goto repeat
attrib -R -S -H "C:\Documents and Settings\vmuser1\Application Data\Adobe\Flash Player\D.tmp.bat"
erase "C:\Documents and Settings\vmuser1\Application Data\Adobe\Flash Player\D.tmp.bat"

A file is also copied in windows\system32 and a subsequent unique id is generated that will be in the.  After that it terminates itself and removes the dropper off the disk leaving all control up to the recently injected code into explorer.exe.

3 sections are allocated into explorer.exe and  a dll is decrypted and loaded by these 3 sections.  After this the injected code replicates itself into other processes by injecting them and hooking API’s.   I’m going to be showing code snippets that are from the injected code using the technique I posted on previously about Debugging Injected code with IDA Pro.

Well other artifacts that we can use to aid in analysis or diagnosis of a particular sample are Mutexes and Files.  Reversing the dropper (as well as recently published here, here, here) we can see that the malware creates an autorun key as it’s persistence mechanism with a unique key.

This function is copying a string of “MTX_” to the heap that will be parsed together with our unique ID.  Then fed into our call to CreateMutex.  You can see the pointer returned by the above screen shot is de-referenced then passed to a CreateMutex wrapper function that takes one argument.

Notice the function call is actually Create_Mutex_Arg0 which I’ve had to RE, rename as this function is actually a wrapper call to CreateMutex.   The wrapper code is displayed below.  If you wanted to find out exactly where this is in your injected code.  You’ll have to set a break point on kernel32_CreateMutex and see where it was referenced in your hijackdll as it could be loaded in a completely different spot than what’s in my IDB.

This final function actually calls the system API call to create this mutex.  Now let’s verify this artifact holds for us in our memory dump.  The way we can do this is to use the mutscan command and pipe this output to a file.  Doing this and we search for “MTX_” we get a few results that look like this.


You’ll notice a few of these in the mutscan as there is another value that is added which I haven’t yet reversed yet.  (I decided to publish this early due to Evilcry’s webpost.)  So that’s our first artifact and we’ll look into a file artifact next.  This just illustrates that you can do a rough once over debug/RE to find artifacts for a piece of malware that may not be published in a formal threat analysis from AV, researcher, someone else.

Next up we’re going to investigate a file artifact.  Shylock uses named pipes to communicate but also it uses this unique id that was referenced above.  The following screenshot shows the routine in which it is created.

So you can see here that the injected dll uses the CreateNamedPipeA command to setup the named pipe that it subsequently reads/writes from.  Now leveraging this information from our debugging/RE process we can use this to create another fingerprint from a Shylock infection.  We can verify this in Volatility with the filescan program using “python -f img.mem filescan > output.txt” and look for a named pipe that is a hexadecimal number 32 bytes in length.  Sure enough we find one for our infection here.

0x01b42340 0x819b8730    3    1 —— ‘\\919863BFD426AA00979BDF55477F92A7’

Now for extra credit you can attribute this to a specific process and you can see that it’s parent will be explorer.exe.  To do this you can use Volatility 1.3 and Andreas Schusters file plugins.  More artifacts may be coming soon what else can you find?


[1] –ContagioDump of Shylock

[2] – Evilcry’s Shylock Volatility Analysis

[3] – Symantec Shylock Report

Debugging Injected Code with IDA Pro

•September 27, 2011 • 7 Comments

Hello all!  Today I wanted to talk about how you go about debugging/analyzing injected code.  In today’s malware environment a lot of malicious code doesn’t sit resident in memory in the context of it’s own process.  Back in the day you could look at task manager and recognize some weird executable that didn’t belong.  Those days are mostly over.  The new(er) malware classes will typically inject malicious code and hook dll’s in legitimate looking processes (explorer.exe, winlogon.exe, svchost.exe, etc.) to evade detection.  This makes analyzing malware trickier as you need a wider skill set than opening up a bad binary in IDA.  I’m going to shed some light on that process when you run into this type of malware.

First off we need to find some malware that uses code injection.  Code injection is usually done through the WriteProcessMemory API call through Windows.  I’ve provided a sample here which just happens to be the shylock malware that was posted recently at Contagio.   Download to follow along (the password is infected).  This executable injects code into the explorer.exe process of the target machine (xp sp3 os running on virtualbox).  This is what we will be working with if you want to follow along.  Now I haven’t done a complete in depth-analysis on this yet (it’s coming) but I suspect there isn’t any VM breakout that will totally hose your host OS.  If there is well sorry bout that! 😛 You need to also make sure your vm is accessible from your host machine.  I used ‘Host-Only Networking‘ and made sure the guest was accessible from my host box.

So once you have your vm up (and it has an IP you can reach from your host box).  You’ll need to copy over to the share a file that exists in your IDA Pro file to enable remote debugging. The file is “win32_remote.exe”.  This is a server that allows IDA to connect up to a port on a remote server debugging to debug across the world or across memory in the sense of a VM.  Now one caveat with this program is that it only allows one debugging session per server (depending on version,  newer versions of IDA support multiple debugging sessions over the same port).  So if you want to debug 2 programs at the same time (which we will be doing) you need two instances of this running on different ports.  You specify the port with the -p flag and there is NO SPACES after the -p switch so if you want to set it up on port 1000 you’d run “win32_remote -p1000” from the command line.  Tiga also has posted a video tutorial about remote debugging with IDA.  His entire tutorial series is very good.

Open up a IDA Pro and Run -> Remote Win32 Debugger

Make sure your connection/paths are correct.

Click ok and  you’ll break at the entry point of the module

Now we’re going to set a breakpoint at WriteProcessMemory() (In IDA that equates to kernel32_WriteProcessMemory.  From here on out it will be referred to as WriteProcessMemory)

Hit f9 to go and it breaks on WriteProcessMemory() (How did I know how to break here?  I reversed the program roughly to get a feel for the program from the beginning up until this point.)

Now the code injection routine is a separate link here.  shows why we want to break on WriteProcessMemory().  There are a few basic methods on how to inject code into a process that is not yours  on Windows.  Here is a good breakdown describing those methods.  Most of the tactics revolve around WriteProcessMemory system call.  This particular piece of malware uses the third type of injection mentioned in the code project article.  Before this specific function was reached the malware took a snapshot of the system state and iterated through the processes until it found explorer.exe then called this function.  So the short version of the disassembly is that it opens the target process,  allocates some memory inside the process,  writes memory that was allocated (repeats 3 times), then starts a remote thread to execute this new code, wait for thread to exit then cleanup handles.  The reason 3 sections of memory are mapped into the target process is there is a loader there that reconstructs a dll in memory that is allocated inside Explorer.  This happens all before the exit status code is returned from the thread and the code is successfully injected.

Let’s fire up another IDA instance and use the Attach -> Remote Win32 Debugger and put in the port for the second server that was different than the first. Hit ok then we should see a process listing and let’s choose our injected process (explorer.exe) from the menu. If you took note of the injected code locations from CreateRemoteThread structure.

HANDLE WINAPI CreateRemoteThread(
  __in   HANDLE hProcess,
  __in   LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in   SIZE_T dwStackSize,
  __in   LPTHREAD_START_ROUTINE lpStartAddress,
  __in   LPVOID lpParameter,
  __in   DWORD dwCreationFlags,
  __out  LPDWORD lpThreadId
  __in   LPTHREAD_START_ROUTINE lpStartAddress,
lpStartAddress [in]
A pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread and represents the starting address of the thread in the remote process. The function must exist in the remote process. For more information, see ThreadProc.

We can mark this location with a breakpoint once we attach to explorer.exe (before the thread is started but after the memory was written). Then we hit run in the shylock.exe (injector process) and then we should have a breakpoint hit in explorer.exe and sure enough we do. We can continue on reversing from here but let’s dump this segment and save it so we can annotate our debugging sessions and build on this previous knowledge. The way we can do this in IDA is take a memory snapshot.  We have to View -> Open Subviews -> Segments so that we can view a memory map. Noting our addresses from WriteProcessMemory we need to change those segments to Loader segments. Next up go to Debugger and take memory snapshot and choose only Loader Segments. If you notice in our column our only dump will be of the three sections we marked ‘Loader’ segment.  If you don’t mark them as Loader segments IDA will ignore them and exclude from putting them into the database/idb.  Here you have it and that’s how you dump injected code from any process with IDA Pro. Hope you enjoyed reading this article.


[1] – Tiga’s IDA video tutorials

[2] – CodeProject Code Injection methods

[3] – Contagio malware dump

[4] – IDA Docs Page

[5] – Virtualbox Networking Doc

Zeus Analysis in Volatility 2.0

•September 23, 2011 • 6 Comments

Well I wanted to post another article about memory forensics with my favorite open source tool right now…. Volatility.  Can’t say enough great things about the documentation (very well written and expansive) and the community is very helpful in answering questions (even noobish ones).  So after I read MHL’s Stuxnet Analysis with Volatility 2.0 it inspired me to do my own sort of analysis with a different piece of malware to see how many artifacts I could come up with.  I’ll be referencing some in-depth deep dives to confirm the analysis.  At the end of the article the links will be given to those reports in full.  I’m going to assume no prior knowledge is known about Zeus.  We can use Volatility to start as well as confirm with multiple artifacts we are in fact infected with Zeus beyond any doubts.

Luckily for us we don’t have to infect a VM, take a memory dump and then analyze it (or have a friend ask for our help to cleanup their computer like here).  The folks at Volatility have provided a sample image that’s infected with Zeus for you to practice on.  They are in need of contribution with additional malware if you have any laying around that you’d like to share.  So download the image and follow along.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem imageinfo
Volatile Systems Volatility Framework 2.0
Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with Win
AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (C:\RE\volatility2.0\py\volatility-2.0\zeus.vmem)
PAE type : PAE
DTB : 0x319000
KDBG : 0x80544ce0L
KPCR : 0xffdff000L
Image date and time : 2010-08-15 19:17:56
Image local date and time : 2010-08-15 19:17:56
Number of Processors : 1
Image Type : Service Pack 2

So we can tell this is a XP SP2 image, no big surprise here.  Let’s grab a process listing.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem pslist
Volatile Systems Volatility Framework 2.0
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x810b1660 System                    4      0     58    379 1970-01-01 00:00:00
0xff2ab020 smss.exe                544      4      3     21 2010-08-11 06:06:21
0xff1ecda0 csrss.exe               608    544     10    410 2010-08-11 06:06:23
0xff1ec978 winlogon.exe            632    544     24    536 2010-08-11 06:06:23
0xff247020 services.exe            676    632     16    288 2010-08-11 06:06:24
0xff255020 lsass.exe               688    632     21    405 2010-08-11 06:06:24
0xff218230 vmacthlp.exe            844    676      1     37 2010-08-11 06:06:24
0x80ff88d8 svchost.exe             856    676     29    336 2010-08-11 06:06:24
0xff217560 svchost.exe             936    676     11    288 2010-08-11 06:06:24
0x80fbf910 svchost.exe            1028    676     88   1424 2010-08-11 06:06:24
0xff22d558 svchost.exe            1088    676      7     93 2010-08-11 06:06:25
0xff203b80 svchost.exe            1148    676     15    217 2010-08-11 06:06:26
0xff1d7da0 spoolsv.exe            1432    676     14    145 2010-08-11 06:06:26
0xff1b8b28 vmtoolsd.exe           1668    676      5    225 2010-08-11 06:06:35
0xff1fdc88 VMUpgradeHelper        1788    676      5    112 2010-08-11 06:06:38
0xff143b28 TPAutoConnSvc.e        1968    676      5    106 2010-08-11 06:06:39
0xff25a7e0 alg.exe                 216    676      8    120 2010-08-11 06:06:39
0xff364310 wscntfy.exe             888   1028      1     40 2010-08-11 06:06:49
0xff38b5f8 TPAutoConnect.e        1084   1968      1     68 2010-08-11 06:06:52
0x80f60da0 wuauclt.exe            1732   1028      7    189 2010-08-11 06:07:44
0xff3865d0 explorer.exe           1724   1708     13    326 2010-08-11 06:09:29
0xff3667e8 VMwareTray.exe          432   1724      1     60 2010-08-11 06:09:31
0xff374980 VMwareUser.exe          452   1724      8    207 2010-08-11 06:09:32
0x80f94588 wuauclt.exe             468   1028      4    142 2010-08-11 06:09:37
0xff224020 cmd.exe                 124   1668      0 ------ 2010-08-15 19:17:55

Nothing immediately stands out to me as they all look like legitimate processes that are running on the box.  Let’s see if any of them are hiding with a new command fresh out of 2.0 which is psxview.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem psxview
Volatile Systems Volatility Framework 2.0
Offset       Name                 Pid      pslist     psscan     thrdproc   psp
id     csr_hnds   csr_list
0x80fbf910L  svchost.exe          1028     1          1          1          1
1          0
0x80ff88d8L  svchost.exe          856      1          1          1          1
1          0
0xff1d7da0L  spoolsv.exe          1432     1          1          1          1
1          0
0x80f60da0L  wuauclt.exe          1732     1          1          1          1
1          0
0xff2ab020L  smss.exe             544      1          1          1          1
0          0
0xff3667e8L  VMwareTray.exe       432      1          1          1          1
1          0
0xff247020L  services.exe         676      1          1          1          1
1          0
0xff217560L  svchost.exe          936      1          1          1          1
1          0
0xff143b28L  TPAutoConnSvc.e      1968     1          1          1          1
1          0
0xff203b80L  svchost.exe          1148     1          1          1          1
1          0
0xff1b8b28L  vmtoolsd.exe         1668     1          1          1          1
1          0
0xff255020L  lsass.exe            688      1          1          1          1
1          0
0xff3865d0L  explorer.exe         1724     1          1          1          1
1          0
0xff22d558L  svchost.exe          1088     1          1          1          1
1          0
0xff374980L  VMwareUser.exe       452      1          1          1          1
1          0
0xff1fdc88L  VMUpgradeHelper      1788     1          1          1          1
1          0
0xff218230L  vmacthlp.exe         844      1          1          1          1
1          0
0xff364310L  wscntfy.exe          888      1          1          1          1
1          0
0x80f94588L  wuauclt.exe          468      1          1          1          1
1          0
0xff25a7e0L  alg.exe              216      1          1          1          1
1          0
0xff1ecda0L  csrss.exe            608      1          1          1          1
0          0
0xff38b5f8L  TPAutoConnect.e      1084     1          1          1          1
1          0
0xff1ec978L  winlogon.exe         632      1          1          1          1
1          0
0xff224020L  cmd.exe              124      1          0          0          1
0          0
0x810b1660L  System               4        1          1          1          1
0          0

This uses multiple methods for looking at processes artifacts in memory.  If you see any that are 0’s for psscan, pslist and thrdproc it’s an attempt to hide the process by DKOM (Direct Kernel Object Manipulation).  Nothing interesting here so let’s see about some network connections.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem connections
Volatile Systems Volatility Framework 2.0
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------

Well that’s disappointing.  No active connections at the time the memory dump was taken.  Let’s go a little deeper and scan for connections that may have been previously closed with connscan.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem connscan
Volatile Systems Volatility Framework 2.0
Offset     Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ------
0x02214988             856
0x06015ab0                 856

Bingo!  We have 2 connections here that look to be listed to PID 856.  That’s SVChost which is odd.  Let’s see where these connections are located.  A whois report reveals that the IP is located in Moldova.

IP Address
Location MD MD, Moldova, Republic of
City -, – –
Organization PE Voronov Evgen Sergiyovich
ISP PE Voronov Evgen Sergiyovich

It’s well known that a lot of malware calls Eastern Europe and Asia home.  So this is pretty suspicious but since it looks like all our processes appear legitimate we might be facing some malware that utilizes code injection.  To detect these types of processes MHL has released a great plugin here that utilizes malfind.  It will detect injected processes so let’s run that on our target image.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem malfind --dump-dir c:\re\zeus_demo
VMwareTray.exe       432    0x00d70000 0xd95fff00 VadS     0      PAGE_EXECUTE_R
Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00d70000-00d95fff.dmp
0x00d70000   4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00    MZ..............

0x00d70010   b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......

0x00d70020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

0x00d70030   00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00    ................

0x00d70040   0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68    ........!..L.!Th

0x00d70050   69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f    is program canno

0x00d70060   74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20    t be run in DOS

0x00d70070   6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00    mode....$.......

VMwareTray.exe       432    0x00e30000 0xe30fff00 VadS     0      PAGE_EXECUTE_R
Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp
0x00e30000   b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9    .5.......{......

0x00e30010   4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff    O..{..U.....>v..

0x00e30020   55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53    U....v9v..U....S

0x00e30030   3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b    :v..U.....>v..U.

0x00e30040   ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76    ....9v..U...O~<v

0x00e30050   8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9    ..U....2:v..U...

0x00e30060   7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76    }a9vj,h...w...9v

0x00e30070   8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9    ..U......p..U...

00e30000: b835000000                       MOV EAX, 0x35
00e30005: e9cdd7ad7b                       JMP 0x7c90d7d7
00e3000a: b891000000                       MOV EAX, 0x91
00e3000f: e94fdfad7b                       JMP 0x7c90df63
00e30014: 8bff                             MOV EDI, EDI
00e30016: 55                               PUSH EBP
00e30017: 8bec                             MOV EBP, ESP
00e30019: e9ef173e76                       JMP 0x7721180d
00e3001e: 8bff                             MOV EDI, EDI
00e30020: 55                               PUSH EBP

Well we have a lot of output so looks like a lot of our processes are injected with malcode.  The reason this plugin can find it is due to the fact of looking for kernel memory structures that work very closely with VirtualAlloc.  These memory structures are in a VAD tree and work closely with memory management aspects of the kernel.    There’s a lot more detailed explanation in the references section if you care to read further on the subject.  The plugin outputs hexdumps as well as assembly code at the base location of where the injected code was detected.  You can also pipe this output to a text file if it won’t fit in your console.

With all this output from our plugin let’s revisit our pstree command so we can get a hierarchical view on how the code injection may have cascaded.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem pstree
Volatile Systems Volatility Framework 2.0
Name                                        Pid    PPid   Thds   Hnds   Time
0x810B1660:System                               4      0     58    379 1970-01-
01 00:00:00
. 0xFF2AB020:smss.exe                          544      4      3     21 2010-08-
11 06:06:21
.. 0xFF1EC978:winlogon.exe                     632    544     24    536 2010-08-
11 06:06:23
... 0xFF255020:lsass.exe                       688    632     21    405 2010-08-
11 06:06:24
... 0xFF247020:services.exe                    676    632     16    288 2010-08-
11 06:06:24
.... 0xFF1B8B28:vmtoolsd.exe                  1668    676      5    225 2010-08-
11 06:06:35
..... 0xFF224020:cmd.exe                       124   1668      0 ------ 2010-08-
15 19:17:55
.... 0x80FF88D8:svchost.exe                    856    676     29    336 2010-08-
11 06:06:24
.... 0xFF1D7DA0:spoolsv.exe                   1432    676     14    145 2010-08-
11 06:06:26
.... 0x80FBF910:svchost.exe                   1028    676     88   1424 2010-08-
11 06:06:24
..... 0x80F60DA0:wuauclt.exe                  1732   1028      7    189 2010-08-
11 06:07:44
..... 0x80F94588:wuauclt.exe                   468   1028      4    142 2010-08-
11 06:09:37
..... 0xFF364310:wscntfy.exe                   888   1028      1     40 2010-08-
11 06:06:49
.... 0xFF217560:svchost.exe                    936    676     11    288 2010-08-
11 06:06:24
.... 0xFF143B28:TPAutoConnSvc.e               1968    676      5    106 2010-08-
11 06:06:39
..... 0xFF38B5F8:TPAutoConnect.e              1084   1968      1     68 2010-08-
11 06:06:52
.... 0xFF22D558:svchost.exe                   1088    676      7     93 2010-08-
11 06:06:25
.... 0xFF218230:vmacthlp.exe                   844    676      1     37 2010-08-
11 06:06:24
.... 0xFF25A7E0:alg.exe                        216    676      8    120 2010-08-
11 06:06:39
.... 0xFF203B80:svchost.exe                   1148    676     15    217 2010-08-
11 06:06:26
.... 0xFF1FDC88:VMUpgradeHelper               1788    676      5    112 2010-08-
11 06:06:38
.. 0xFF1ECDA0:csrss.exe                        608    544     10    410 2010-08-
11 06:06:23
0xFF3865D0:explorer.exe                      1724   1708     13    326 2010-08-
11 06:09:29
. 0xFF374980:VMwareUser.exe                    452   1724      8    207 2010-08-
11 06:09:32
. 0xFF3667E8:VMwareTray.exe                    432   1724      1     60 2010-08-
11 06:09:31

We did notice that services.exe looked to have some code injected into it.  Let’s take the parent process (winlogon.dmp that was dumped by malfind) and submit it to virustotal as PID 676 seems to be where the code injection is originating from in a hierarchical sense.

Sure enough 26/44 say it’s malicious.  Seems most of the scans detect it as Zbot.   So let’s Google around find some reports and see if we can verify it’s presence elsewhere.  Now that we’re armed with some reports let’s verify some other artifacts on the system just to make sure this is Zbot.

“The install function searches for the “winlogon.exe” process, allocates some memory within it and decrypts itself into the process.”

Well what do you know it looks like Zbot/Zeus injects it’s code into winlogon.exe This was apparent after we did our malfind as it detected injected code into other processes. If you would use procexedump through volatility it would be fine if you submitted to an avscan as it uses the pe header to dump the memory image. The new code sections that were allocated and later written to will not be reflected in the original pe header that was loaded into memory. This is the exact reason why we had to use malfind (Thanks again MHL!) above and couldn’t just procdump based on pid.

“The bot executable is written to the hard drive as “C:\WINDOWS\system32\sdra64.exe”.”

Volatility has a useful plugin here that allows us to identify file handles that are still hanging around in memory filescan.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem filescan
Volatile Systems Volatility Framework 2.0
Offset(V) Obj Type #Ptr #Hnd Access Name
0x01090778 0x8109d560 1 0 R--r-d '\\WINDOWS\\system32\\winrnr.dll'
0x010915b0 0x8109d560 1 0 R--rwd '\\WINDOWS\\system32\\oleaut32.dll'
0x01091648 0x8109d560 1 0 R--rwd '\\WINDOWS\\system32\\rpcrt4.dll'
0x01091810 0x8109d560 1 0 R--rwd '\\WINDOWS\\system32\\csrss.exe'
0x01092270 0x8109d560 1 1 RW-rw- '\\WINDOWS\\WindowsUpdate.log'
0x029d9b28 0x8109d560 1 1 R----- '\\WINDOWS\\system32\\sdra64.exe'
0x029d9cd8 0x8109d560 1 0 -WD--- '\\WINDOWS\\system32\\sdra64.exe'

“The directory “C:\WINDOWS\system32\lowsec\” is created. This directory is not visible in Windows Explorer but can be seen from the command line. Its purpose is to contain the following files:

local.ds: Contains the most recently downloaded DynamicConfig file.
user.ds: Contains logged information.
user.ds.lll: Temporarily created if transmission of logs to the drop server fails.

These artifacts can also be found in the above file scan to further bolster the case that this is definitely Zeus.

“The Winlogon (“HKLM/SOFTWARE/Microsoft/WindowsNT/CurrentVersion/Winlogon”) registry key’s value is appended with the path of the bot executable: C:/WINDOWS/system32/sdra64.exe. This will cause the bot to execute when the computer restarts.”

Volatility sure enough has a feature to allow us to investigate registry entries. Namely the printkey command. So let’s check the reg key from our Zbot analysis to see that this is here too.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem printkey -K "Mi
crosoft\Windows NT\CurrentVersion\Winlogon"
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable (V) = Volatile
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2010-08-15 19:17:23
(S) GPExtensions
(S) Notify
(S) SpecialAccounts
(V) Credentials

REG_DWORD AutoRestartShell : (S) 1
REG_SZ DefaultDomainName : (S) BILLY-DB5B96DD3
REG_SZ DefaultUserName : (S) Administrator
REG_SZ LegalNoticeCaption : (S)
REG_SZ LegalNoticeText : (S)
REG_SZ PowerdownAfterShutdown : (S) 0
REG_SZ ReportBootOk : (S) 1
REG_SZ Shell : (S) Explorer.exe
REG_SZ ShutdownWithoutLogon : (S) 0
REG_SZ System : (S)
REG_SZ Userinit : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\
REG_SZ VmApplet : (S) rundll32 shell32,Control_RunDLL “sysdm.cpl”

REG_DWORD SfcQuota : (S) 4294967295
REG_SZ allocatecdroms : (S) 0
REG_SZ allocatedasd : (S) 0
REG_SZ allocatefloppies : (S) 0
REG_SZ cachedlogonscount : (S) 10
REG_DWORD forceunlocklogon : (S) 0
REG_DWORD passwordexpirywarning : (S) 14
REG_SZ scremoveoption : (S) 0
REG_DWORD AllowMultipleTSSessions : (S) 1
REG_EXPAND_SZ UIHost : (S) logonui.exe
REG_DWORD LogonType : (S) 1
REG_SZ Background : (S) 0 0 0
REG_SZ AutoAdminLogon : (S) 0
REG_SZ DebugServerCommand : (S) no
REG_DWORD SFCDisable : (S) 0
REG_SZ WinStationsDisabled : (S) 0
REG_DWORD HibernationPreviouslyEnabled : (S) 1
REG_DWORD ShowLogonOptions : (S) 0
REG_SZ AltDefaultUserName : (S) Administrator
REG_SZ AltDefaultDomainName : (S) BILLY-DB5B96DD3

Well that key is certainly apparent and this is our persistence mechanism. So the Zeus/Zbot injector process is called at start-up to insert it’s hooks and malicious code in our legitimate looking processes to evade detection. This would be something you’d want to clean up if you were re-mediating the system as well.

“The Windows XP firewall is disabled. This causes a Windows Security Center warning icon to appear in the system tray, the only visible indication that the computer has been infected.”

It looks like Zeus/Zbot also takes care of disabling the Windows Firewall so your not annoyed with any popups while it’s pilfering through your banking data. Googling around there are some registry forensics blogs that keep track of the location for windows firewall settings. Using our command printkey we can detect if this is enabled or disabled in this specific image.

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem printkey -K "Co
Volatile Systems Volatility Framework 2.0
Legend: (S) = Stable (V) = Volatile
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: StandardProfile (S)
Last updated: 2010-08-15 19:17:24

(S) AuthorizedApplications

REG_DWORD EnableFirewall : (S) 0

So the firewall is currently disabled and if you notice the timestamp on the key as well. It looks like this was last updated at 2010-8-15 at 19:17:24. This is tidbit of information that you could use in a timeline analysis if you had to document to this level of detail. The specific Zeus/Zbot may not modify this key every time but check if its set according to it’s specifications. I’m not sure as I don’t have the file but it would be a reasonable assumption. Also the EnableFirewall key was not in the DomainProfile but only the StandardProfile for you registry pros out there.

“A closer look at its binary file reveals that the spyware was designed to monitor known ZBOT mutexes, _AVIRA_ and __SYSTEM__.”

C:\RE\volatility2.0\py\volatility-2.0>python -f zeus.vmem mutantscan
Volatile Systems Volatility Framework 2.0
0x05ca17e8 0x810ae5e0 2 1 1 0x00000000 '_AVIRA_2108'

Well there is certainly a mutex that has been recent in memory for AVIRA which ironically enough is the name of an antivirus engine. It was sent to poke fun at the anti-virus companies by the programmer’s of Zeus. It also looks from the above mutex that we have a 1.x version of Zeus/Zbot as in 2.x versions they use randomly generated GUID’s over mutexes to communicate.

So there we have it using Volatility we can get a look at a Zeus/Zbot infection and determine steps here for possible remediation just based on a memory dump. We’d have more resources if we were able to have access to the system as well so we could study the injector process to see if it has any other persistence mechanisms. It’s doubtful since this matches so closely to the typical Zeus/Zbot signature. I hope you enjoyed reading this article!

Edit: Looks like another Zeus article was written and is linked here to give you another viewpoint on this piece of malware.


[1] –

[2] –

[3] –

[4] –

[5] –

Volatility 2.0 Plugin Vscan

•September 17, 2011 • 3 Comments

I came across a program the other day that is very powerful when it comes to IR (Incident Response).  So wanting to learn more about the platform I dived right in and decided to create a plugin. What if you could automatically carve out a file from a memory image and submit  said carving to an online virus scanning service?  That’d be awesome and make for quick work to triage any memory dumps you may have laying around, assuming you can isolate the suspicious process.  This idea was born out of a larger project in development called Avalanche.  It’s goal is to bring a lot of these tools together for a quick analysis ala Mandiant Redline or HB Gary Responder Pro but built around Python.

For those who don’t know what Volatility is.  It’s a great open source memory forensics framework written in python.  It’s being actively developed by a great community (it even supports Windows 8 at the time of this writing).  The tool operates on memory dumps.  These are dumps of physical ram to an image much like a disk image but just has snapshots of the current state of your machine.  There are some advantages to full disk dumps such as size and context.  Some information exists in memory that is difficult to discern from disk images (api hooking, process injection, listening sockets, current and previous ip connections, hidden processes).  Memory dumps make these data points easily accessible.

Volatility has some practice images on their wiki that you can play with as well.  The install of the plugin is pretty simple.  Download the file and unzip it to the plugins directory.  Now if you want to use VirusTotal you will need to hardcode your api key into as well as download SimpleJson.  AVsubmit is code that was shared via MHL in the Malware Analyst’s Cookbook.  All of it’s code snippets are freely available here.  I’ve heard great things about the book and mine is in the mail.

So usage is pretty simple.  Run this command.

python vscan -f target.img -p 100 -s Jotti

Volatile Systems Volatility Framework 2.0
Dumping explorer.exe, pid:   1724 output: executable.1724.exe
[-] Uploading to a virus scan service.  Results may be slow on queue
File already exists, initialization not required.
[*] Using Jotti...
Initialized session cookie: sessionid=800d68a1e60bf4a8c7f3c3f0a0c983d0ab03c3d2
Initialized APC: 1b38781678971428acde9fe921396eecabecc8a2
Checking Jotti's databse for file with MD5: 7161D1047247D94471CBA21ACB8BAB9E
The file does not already exist on Jotti...
Attempting to upload the sample, please wait...
You can find the new analysis here:
Trying to get results for the next 600 seconds...
Try 0
Try 1
Try 2
Try 3
Try 4
Try 5
drweb => scan clean
fsecure => scan clean
cpsecure => scan clean
arcavir => scan clean
fprot => scan clean
avast => scan clean
vba32 => scan clean
clamav => scan clean
gdata => scan clean
kaspersky => scan clean
bitdefender => scan clean
panda => scan clean
sophos => scan clean
avira => scan clean
ikarus => scan clean
avg => scan clean
nod32 => scan clean
emsisoft => scan clean
quickheal => scan clean
virusbuster => scan clean
Added sample to database with ID 4

This dumps a target process from a memory image and submits it to the service of your choosing.  Be warned that if the process has code injected into it may yield some false positives (Zeus/Zbot).  In this case I use the malfind plugin via MHL’s scripts and it will dump out a process based on the VAD tree entries that it finds suspicious.  After these items are dumped to disk you can still use the avscan plugin by just passing the -F flag to specify a file that has recently been dumped.

python -f zeus.vmem vscan -E c:\zeus\winlogon.exe.66f0978.00ae0000-00b05fff.dmp -S jotti
Volatile Systems Volatility Framework 2.0
[*] Submitting [c:\zeus\winlogon.exe.66f0978.00ae0000-00b05fff.dmp] to [jotti
File already exists, initialization not required.
[*] Using Jotti...
Initialized session cookie: sessionid=7e90a75eb406c0f64ac3662a3a5e0ca325bc94f6
Initialized APC: 55521be59f3ec0b6385dfb43eb6a3a7885ded3c7
Checking Jotti's databse for file with MD5: B5CAE4218DC957F4419AEAA675C21B7F
You can find the existing analysis here:
Trying to get results for the next 600 seconds...
Try 0
drweb => Trojan.PWS.Panda.199
fsecure => Trojan.Spy.Zbot.EHO
cpsecure => scan clean
arcavir => scan clean
fprot => W32/Zbot.AF.gen!Eldorado
avast => Win32:Zbot-BCW
vba32 => scan clean
clamav => scan clean
gdata => Trojan.Spy.Zbot.EHO
kaspersky => scan clean
bitdefender => Trojan.Spy.Zbot.EHO
panda => scan clean
sophos => Sus/Behav-1010
avira => TR/Hijacker.Gen
ikarus => Trojan-Spy.Zbot
avg => Win32/Cryptor
nod32 => Win32/Kryptik.AY
emsisoft => Trojan-Spy.Zbot!IK
quickheal => scan clean
virusbuster => scan clean
Added sample to database with ID 8

You could also extend the plugin to do this for files that are going to be dumped on disk by  I hope you find the plugin useful and perhaps have inspired you to contribute something as well to this awesome project!  Download the plugin here.

Heap Homework

•May 15, 2011 • 1 Comment

Well after looking at some bugs the other day I determined that my lack of knowledge on the heap was a problem. To mitigate this I’m going to include a lot of links that pertain to heap information. This way I can come back to review it and become more familiar with this aspect of memory management. Links are in no particular order. Please note not all the techniques here are valid with the latest technology but this should be a good start on understanding the heap and it’s implications when dealing with exploitation. Please add more links to heap knowledge in comments if you know some must reads.

Ben Hawkes Vista Heap Attacks good overview of heap layout/attack vectors and recipes as he calls them to setup your heap state.
Low Fragmentation Heap by Chris Valasek given in Argentina at ektoparty? Same one was delivered at Blackhat USA 2010
Advanced Doug lea’s malloc exploits Phrack
Max’s Vudoo Paper in Phrack
Dion Blazakis JIT Spraying
Filling Adobe’s Heap good overview on how to fillup the heap with data in different programs. Not limited to adobe nor javascript.
Once upon a free() Phrack
Heap Feng Shui by Alexander Sotirov Great talk on heap techniques and he releases his heaplib.js code to manipulate the heap in javascript.
HeapDraw visualization tool for seeing the output of memory allocations in your target application.
Heap Massage by Gera
Yet another free() article at phrack
Sean Heelan TCMalloc Scripts importance of scripts and heap information
Reliable windows heap exploits
Double free vulnerabilities
Huku’s phrack article on another free()
Runtime detection of heap overflows
Heaps About Heaps by Insomniac Security

MSDN Related articles
Using pageheap.exe to debug heap corruption bugs
Windows 7 Fault Tolerant Heap Details
Preventing usermode heap corruption in MS Windows mirror

•May 13, 2011 • 15 Comments

Well after the disappointing take down of I took it upon myself to mirror the crackmes (thanks for the inspiration @darelgrif) as well as the solutions that were on that site. Please find the following linked zip that contains almost 1000 crackme’s for all levels. Solutions will be coming in the following days. Please enjoy and mirror/spread. Nothing disappears once it’s been posted on the internet. If your curious how I did this python and urllib2 scraped the links from a popular archiving site. Enjoy! collection mirror #1 collection mirror #2 collection mirror #3 collection mirror #4 collection mirror #5 collection mirror #6

Solutions are below. solutions mirror#1 solutions mirror#2 solutions mirror#3

Codegate 2011 Writeups Collection

•March 8, 2011 • Leave a Comment

So Codegate 2011 just wrapped up this past weekend and it was a great competition. Some very unique challenges to read over in the coming days but here is a collection of write ups I’ve found so far. If you find some that are missing feel free to comment and I’ll edit them in. I’m sure more will be published in the coming days on Twitter using #codegate. Enjoy!

Sourcecode for all the challenges…

Vuln 100 (French)

Vuln 200

Vuln 300

Vuln 400

Vuln 500

Issue 100

Issue 200

Issue 300

Issue 400

Issue 500

Forensic 100 (French)

Forensic 200 (French)

Forensic 300 (colombian)

Forensic 400

Forensic 500

Crypto 100

Crypto 200

Crypto 300

Crypto 400

Crypto 500

Binary 100 (French)

Binary 200

Binary 300

Binary 400

Binary 500

Network 100

Network 200

Network 300

Network 400

Network 500