malware analysis

This is my exploration of a trojan horse sent to open@duckduckgo.com. The email, which claimed to hold "My eTicket", contained a malicious call to action and .zip file.

I began by attempting to locate the origin of the email. The relevant portion of the headers is excerpted below. These headers cannot be relied upon for identification (they are trivially forged). However, the email does not claim to be from delta.com, leading me to suspect the original domain is genuine - why pretend to be from an arbitrary domain?

Received: from unknown (HELO ) (89.77.209.23) by 0 with SMTP; 5 Mar 2013 22:11:01 -0000 From: "DELTA" <PFlFnLybzQlsh@lorusso.com> To: open@duckduckgo.com Message-ID: <20130305231057.D5B526351B50D849E929.5F438C@MARTA-F97BA78A4> Subject: Your eTicket MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_369841052092"

Domain Name: LORUSSO.COM Registrar: TUCOWS DOMAINS INC. Whois Server: whois.tucows.com Referral URL: http://domainhelp.opensrs.net Name Server: NS10.IXWEBHOSTING.COM Name Server: NS9.IXWEBHOSTING.COM Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 17-oct-2011 Creation Date: 25-oct-1998 Expiration Date: 24-oct-2017 Administrative Contact: Lorusso, David dave@lorusso.com 1200 Mahogany Lane Cedar Park, TX 78613 US +1.5123319487 Technical Contact: Lorusso, David dave@lorusso.com 1200 Mahogany Lane Cedar Park, TX 78613 US +1.5123319487

Taking a look at lorusso.com, it seems legitimate. Following with a WHOIS query, it still looks good.

Because I do not believe the email was sent by the owner of lorusso.com, this leaves two possibilities: a negligently open mail relay service, or a compromised system. To determine if the former is the case, I attempt to send my own email through his mail provider. To locate the resource, I first query the mail exchange record for the domain and it's corresponding address record.

$ dig mx lorusso.com +short 10 mail909.ixwebhosting.com. $ dig mail909.ixwebhosting.com +short 76.162.254.111 76.162.254.117 76.162.254.118 76.162.254.109 76.162.254.110 $ telnet 76.162.254.111 25 Trying 76.162.254.117... Connected to 76.162.254.117. Escape character is '^]'. 220 ironport4.opentransfer.com ESMTP helo dylanstestserver.com 250 ironport4.opentransfer.com mail from: dylansserver.com 250 sender <dylansserver.com> ok rcpt to: dylan@dylansserver.com 550 #5.1.0 Address rejected dylan@dylansserver.com quit 221 ironport4.opentransfer.com Connection closed by foreign host.

My request to forward mail through the server is denied appropriately. Without running an intrusive network scan of lorusso.com, at this point there is nothing left to do except to alert the technical contact of the domain.

Now to the payload. Inside a GNU/Linux VM I identify the file type, log a checksum, and unpack, recursively. I'm lucky - it's packed, but there is no obfuscation of the executable by its format.

$ file eTicket.zip eTicket.zip: Zip archive data, at least v2.0 to extract $ md5sum eTicket.zip 5f3aeef467f263e56b7a53f28497523c eTicket.zip $ unzip eTicket.zip Archive: eTicket.zip inflating: eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe $ file eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed $ md5sum eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe a98d8bf1d8b68477867ebae47f0d5086 eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe $ upx -d eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe $ file eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe: PE32 executable (GUI) Intel 80386, for MS Windows $ md5sum eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe 82c3c81779564d999787a3a15203fb33 eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe

Seeing the portable executable, I know the honeypot system I need. Before preparing it, I take quick peek inside the file:

$ strings eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe ... KERNEL32.DLL gdi32.dll user32.dll UnregisterWaitEx GetEnvironmentStringsA GetCommandLineW CreateDirectoryExA ExitProcess GetNumberFormatW GetCommandLineA EnumTimeFormatsA GetPrivateProfileStructW GetTextExtentPoint32W GetRgnBox SetColorSpace DeviceCapabilitiesExW DeleteDC PolyTextOutA GetBkColor GetFontLanguageInfo CreateFontW GetKerningPairsA GdiDeleteSpoolFileHandle GetMapMode GdiArtificialDecrementDriver CreateFontIndirectExA StartDocW SetROP2 UpdateColors OffsetViewportOrgEx GetOutlineTextMetricsA DeviceCapabilitiesExA CopyEnhMetaFileA Polyline SetAbortProc ExtEscape SetBrushOrgEx GetFontResourceInfoW StartPage GetDIBColorTable EudcUnloadLinkW OffsetWindowOrgEx IntersectClipRect SetMapMode CreateFontIndirectW GetTextFaceA GetRelAbs DescribePixelFormat GetLogColorSpaceW BeginPath GetPath GetCharacterPlacementW GdiPlayPrivatePageEMF SelectPalette CloseMetaFile CreateRectRgn EnumFontsA SetLayout EudcLoadLinkW InvertRgn EnumFontFamiliesExW SetRelAbs EnumFontFamiliesExA GetStretchBltMode GetCharacterPlacementA CreateFontIndirectA GdiPlayScript CreateDCA ExcludeClipRect SetMetaFileBitsEx GetDeviceCaps StartFormPage GetWorldTransform CombineTransform FlattenPath GdiPlayPageEMF CreatePolyPolygonRgn GetBkMode SelectFontLocal PolyPolyline CreateDCW GetTextExtentPoint32A SelectObject EnumFontFamiliesA RemoveFontResourceExW SetSystemPaletteUse GetPaletteEntries GetCharWidthFloatA Escape DeleteObject UpdateICMRegKeyA GetFontUnicodeRanges CreateCompatibleBitmap ExtCreatePen GetObjectW GetTextExtentPointI GdiComment GetWindowExtEx SelectBrushLocal GetCharWidthFloatW FloodFill EndPath LPtoDP WidenPath RemoveFontResourceW CopyEnhMetaFileW GetMetaFileA PolyPolygon PaintRgn CreatePalette GetGlyphIndicesA GdiGetSpoolFileHandle GetDIBits SetTextCharacterExtra PolylineTo SetMetaRgn GetKerningPairsW ExtCreateRegion GetCharWidthA SetColorAdjustment GetLayout SetMagicColors SetICMProfileW GetSystemPaletteEntries SetDIBits DeleteEnhMetaFile CreatePatternBrush SetWindowOrgEx GetTextExtentPointA UnrealizeObject PolyTextOutW ResetDCW CreateFontIndirectExW GetTextExtentExPointW CreateCompatibleDC GetLogColorSpaceA GetTextExtentPointW CreateDIBPatternBrushPt CreatePolygonRgn GdiPlayJournal ColorCorrectPalette RemoveFontMemResourceEx GetStockObject PatBlt FrameRgn UpdateICMRegKeyW GetCharABCWidthsA CreatePen CombineRgn GetEnhMetaFileW GetDCOrgEx GetBoundsRect LineDDA PlayEnhMetaFile RemoveFontResourceA GetSystemPaletteUse GdiPlayDCScript CreateColorSpaceW GetBitmapBits GetDCPenColor GetBrushOrgEx GetCharWidthI GetBitmapDimensionEx GetObjectType RemoveFontResourceExA SelectClipRgn TranslateCharsetInfo CreateEnhMetaFileW GetObjectA SetStretchBltMode GetFontAssocStatus SetDCBrushColor SetRectRgn Polygon SetMapperFlags EnumEnhMetaFile SetDIBColorTable GetDeviceGammaRamp StartDocA CreatePenIndirect StretchBlt VkKeyScanExA InvalidateRect ToUnicodeEx GetMenuDefaultItem AdjustWindowRect ReleaseCapture EnumDisplayDevicesW DdeDisconnect TranslateMDISysAccel SetClipboardViewer DrawTextA LoadMenuW CharNextW GetLastActivePopup CopyRect PrivateExtractIconsW IsWindow GetTabbedTextExtentA InvalidateRgn GetClipboardFormatNameA IMPQueryIMEW TranslateMessage CreateMenu SetWindowsHookExA DefWindowProcA GetDialogBaseUnits GetWindowRgn OpenDesktopW LockWindowUpdate ...

There are some interesting calls made, but I don't know enough about Windows internals to tell much from it. Instead, I'll move on to dynamic analysis. To create a safe, monitored environment, I will use another guest operating system, loaded with the following utilities:

VirtualBox appliance, Windows XP SP3

Internet Explorer 8 (updated)

Windows Security Essentials (updated)

RegShot (for registry and filesystem snapshots)

Windows Process Monitor (for live monitoring of system calls)

The host also requires configuration. I create a virtual network device (and an ethernet bridge) that can be attached to the virtual machine, watched and firewalled.

sudo modprobe vboxnetflt sudo brctl addbr br0 sudo brctl addif br0 eth0 sudo modprobe tun sudo ip tuntap mode tap sudo link set up tap0 sudo brctl addif br0 tap0 mkdir monitor && cd monitor sudo tcpdump -itap0 -vvvA -s0 -G 60 -W 1 -Uw baseline_ tcpdump -vvvA -r baseline_00

With a distinct, tapped interface, I listen for baseline network connections including ARP and UDP inside the LAN. This will help me eliminate noise from the network I/O of the infected system. Simultaneously, I create a new virtual machine snapshot to return to later. Meanwhile, inside the guest I take registry and filesystem snapshots with RegShot, as well as open the Process Monitor, filtering out friendly services. With a healthy signature obtained, I start a new listening process:

sudo tcpdump -itap0 -vvvA -s0 -C 128 -W 10 -Uw capture_

Environment prepared, I download and execute the trojan. The file disappears after triggering, and the process and network monitors flood with calls and packets. After about 3 minutes, I pause the VM, and begin the log analysis.

My first step now is to peek inside with my editor. There are a lot of HTTP requests, furthermore, a lot of requests that seem to passing parameters used for ad tracking.

$ strings capture_00 | grep http | wc -l 281 $ strings capture_00 | grep http | grep CLICK | wc -l 137 $ strings capture_00 | grep http | grep -v CLICK | grep impression | wc -l 73 $ strings capture_00 | grep Host | sort -u Host: 113594url.directdisplayad.com Host:239.255.255.250:1900 Host: 88.198.7.221 Host: ajax.googleapis.com Host: cache.adfeedstrk.com Host: cds.q2q3h3t3.hwcdn.net Host: connect.facebook.net Host: edge.sharethis.com Host: fonts.googleapis.com Host: html5shiv.googlecode.com Host: j.maxmind.com Host: redirect.ad-feeds.net Host: vjlvchretllifcsgynuq.com Host: wd.sharethis.com Host: w.sharethis.com Host: www.directorslive.com Host: xlotxdxtorwfmvuzfuvtspel.com

A bit more searching and it's clear that the malware is using my computer to send out hundreds of forged ad impressions every minute. It's also hitting something else interesting - j.maxmind.com is a geolocation service. It's possible that it's fetching this information to send back to a command and control sever. This of course points towards the next concern - that the program has also installed additional hooks such as a keylogger, which it could use to send keystrokes (including financial information) to its owner.

None of the outgoing packets look very interesting, but there's no way of predicting when it might try to make contact. Instead, I'll try to look for evidence of additional tampering locally. To do this, I look at the registry and file system diff, alongside the process monitor.

---------------------------------- Files deleted: 2 ---------------------------------- C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job C:\WINDOWS\Tasks\MpIdleTask.job

$ egrep -i 'Control.*firewall' registry.changes HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)" HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000000 HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000 HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000 HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000 HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)" HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000000 HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000 HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000 HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000 HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001

No more security scans! These deleted files ensure that the automatic malware scans will no longer run. Also modified and removed are firewall control settings. There don't seem to be any obvious changes to core system code such as DLLs that would be used by a keylogger - but I could easily be missing something. With the process monitor I see the file and registry modifications in real time, but nothing else jumps out at me.

Here is the baseline tcpdump, the capture tcpdump and the full filesystem and registry diff.