
Strategic Security, Inc.

http://www.strategicsec.com/

Malware Analysis Lab Manual


Lab 1: Describe your malware lab
The virtual machine that we will be using to analyze the malware will be a Windows XP
SP3 machine. We will be performing some of these labs several times in several different
ways. This is to show you that there is more than one way to skin a cat.
You can download the virtual machine from here:
http://www.hackettweb.com/r00kies-folder/Malware_Windows.vmwarevm.rar

The tools I will be using are:

PE Explorer - http://www.heaventools.com/overview.htm
Wireshark - www.wireshark.org
VirusTotal - www.virustotal.com
ThreatExpert - www.threatexpert.com
PEiD - www.peid.info
Netcat - http://netcat.sourceforge.net
Regshot - http://sourceforge.net/projects/regshot
IDA Pro Freeware - http://www.hex-rays.com/idapro/
Stud_PE - http://www.cgsoftlabs.ro/studpe.html
Ghex - Fedora repositories
File Analyzer - http://www.softpedia.com/get/Programming/Other-ProgrammingFiles/File-Analyzer.shtml
InstallRite - http://www.epsilonsquared.com/installrite.htm
mIRCd - http://www.mirc.com/get.html
inspIRCd - http://www.inspircd.org/

Lab 2: What information can you gather about the malware without executing it?

Let's take our malware.zip file and extract the executable. (It is located on the desktop.)
You will be greeted with a password prompt.

The password is infected. Now that we have our malware.exe file, let's upload it to
VirusTotal.com, select malware.exe from where you extracted it, scan it, and see what
comes up.

It has been picked up by 40 of 42 different antivirus products.


Now let's unpack the executable using PE Explorer and examine the new file.

Save a copy of malware.exe onto the desktop and name it malware2.exe. Download
Strings from Sysinternals http://download.sysinternals.com/Files/Strings.zip and extract
strings.exe. With this new executable, run strings.exe from the command prompt
against malware2.exe and output it to a file for easy inspection:
strings malware2.exe > malware.txt

Yet another way to view the file header contents is by using File Analyzer. Switch back
to the Windows machine, open a command prompt, navigate to the File Analyzer folder
and run (the path contains spaces, so it has to be quoted):
fa "c:\Documents and Settings\Administrator\Desktop\malware2.exe"

As you can see it provides us with the same information as the above labs. You can see
the objects ABC0, ABC1, ABC2 in the Objects table of the header information.

Upon analyzing the strings information, what can you tell about the malware now?

- The malware is identified as Crxbot Alias Realmbot by Lindem.
- The malware contains an IRC server hostname, channel name and associated commands,
  which means it uses IRC for command and control.
- There are numerous different network and security related registry keys that this
  malware is programmed to manipulate.
- There is a reference to an executable Winsec32.exe as well as a Windows service
  "Microsoft Svchost local services", which may be how the malware survives between
  reboots.
- There is a list of common usernames and passwords included, in addition to
  references to several default Windows administrative shares.
- A list of keywords such as "Welcome to Gmail" and "PayPal" may mean that it watches
  for user activity and can capture credentials and/or account numbers.

Let's also check the executable against www.threatexpert.com to see what it reports.

ThreatExpert reports this file as a Backdoor.IRCBot.
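As an added example (not part of the manual), a small script that does the strings step and the review above in one pass: it pulls printable ASCII and UTF-16 runs the way strings.exe does and buckets them by the indicator types found in this lab (IRC commands, Run/RunServices keys, the dropped file, credential keywords, admin shares). The byte blob and the category patterns are mine, constructed to mirror the findings, not taken from malware2.exe.

```python
import re

# Indicator categories follow the findings listed in this lab; the patterns are my own
# approximation and the sample blob below is constructed, not the real malware2.exe.
INDICATORS = {
    "irc_c2": [r"^NICK %s", r"^USER %s", r"^PASS %s", r"^MODE %s", r"^#\w+$"],
    "autostart_registry": [r"CurrentVersion\\Run$", r"CurrentVersion\\RunServices$"],
    "dropped_file": [r"(?i)winsec32\.exe$"],
    "credential_watch": [r"(?i)welcome to gmail", r"(?i)paypal", r"(?i)e-gold"],
    "admin_shares": [r"^(ADMIN|C|IPC)\$$"],
}

# Constructed sample: binary noise around the kinds of strings the unpacked file showed.
SAMPLE = (
    b"MZ\x90\x00" + b"\xff" * 8
    + b"NICK %s\x00USER %s 0 0 :%s\x00PASS %s\x00#chalenge\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\x00"
    + b"C:\\WINDOWS\\Winsec32.exe\x00ADMIN$\x00IPC$\x00\x00"
    + "Welcome to Gmail".encode("utf-16-le") + b"\x00\x00\xde\xad\xbe\xef"
)


def extract_strings(data, min_len=4):
    """Printable runs, ASCII and UTF-16LE, the same two kinds strings.exe reports."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_run.finditer(data)]
    return found


def triage(data, min_len=4):
    """Bucket every extracted string under the indicator categories it matches."""
    hits = {name: [] for name in INDICATORS}
    for s in extract_strings(data, min_len):
        for name, patterns in INDICATORS.items():
            if any(re.search(p, s) for p in patterns):
                hits[name].append(s)
    return {name: found for name, found in hits.items() if found}


if __name__ == "__main__":
    for category, found in triage(SAMPLE).items():
        print(category)
        for s in found:
            print("   ", s)
```

Run it against the real malware2.exe by replacing SAMPLE with the file's bytes; strings that land in no bucket are still worth reading by hand.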

Lab 3: Is the malware packed? If so, how did you determine what it was?

Using PEiD we can run a Deep Scan to reveal that it is packed using UPX.

We can also use PE Explorer to figure out how this application is packed.

PE Explorer saw through the disguise fairly easily with no special configuration needed.
Stud_PE is another application that can be leveraged to figure out how malware.exe
was packed.

Once you've loaded malware.exe into Stud_PE, click on the Signature tab.

Currently, we can see that there is nothing detected. But if we change it from Standard
to Hard and rescan the file, we get better results.

Lab 4: Describe the malware's behavior.

What files does it drop?
What registry keys does it create and/or modify?
What network connections does it create?
How does it auto-start, etc.?

We are going to use RegShot to dump the registry before executing the malicious
executable. Then run RegShot again afterwards and compare the two registry dumps for
changes. Open RegShot and set it to output the information to the desktop.

Go ahead and run the 1st shot and save it as base.hiv.

Now run malware.exe. Afterwards, run the 2nd shot and save it as after.hiv.

Finally, we will use the Compare button in RegShot to compare both registry hives.
Once it's completed the comparison, Notepad should pop up with the results.

Another tool that can be used to provide the same information as above is InCtrl5.
InCtrl5 works the same as Regshot because it will analyze changes in the registry, files
and folders, INI files and text files. This program is not installed and can't be
downloaded!

Choose malware.exe and click GO!

Once completed, click Install Complete and it will scan the system again. You are then
greeted with an Installation Report.

A third way this can be done is to use InstallRite. Just like the previous 2 examples we
need to go through the prompts and select the executable we want to install.

This is the home screen; we want to click Install new software and create an InstallKit.
As you go through the prompts, leave everything as default. InstallRite will make a
snapshot of your registry. When you reach this screen, choose malware.exe as your
installation program.

When you are ready, go ahead and hit Next and InstallRite will install malware.exe. Once
it's completed you'll be brought back to the main screen. This time we want to Review
Installations.

Here you are greeted with a nice GUI environment where you can look at each type of
file or registry entry separately. It makes things a bit easier to read than the others.
What are some of the more noticeable changes?
Drops a file:

c:\WINDOWS\Winsec32.exe

Creates registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Svchost local services: Winsec32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Svchost local services: Winsec32.exe
HKEY_CURRENT_USER\Software\Microsoft\OLE\Microsoft Svchost local services: Winsec32.exe

Lab 5: What type of command and control server does the malware use?

Describe the server and interface this malware uses as well as the domains and URLs
accessed by the malware.

For this let's crack open Wireshark and see if the malware tries to connect back or open a
connection with anything.

Looks like it's trying to connect back to an IRC server, testirc1.sh1xy2bg.NET. Based on
the analysis that we have done so far and the packet capture, we can safely say that the
malware is communicating via IRC. References were also found for the following
URLs:
http://www.w32-gen.us
http://www.nivdav.net/Winsec32.exe

Below are a few additional references that show the usage of several other network
services and attacks. The malware acts as a service or daemon based on specific
commands issued over the IRC channel. These were found using the methods in the
above labs, running strings against the unpacked binary.
IRC based software at testirc1.sh1xy2bg.NET

Testirc1.sh1xy2bg.NET
NICK %s
USER %s 0 0 :%s
PASS %s
MODE %s %s

IRC Channel used


#chalenge

Passwords

gemp123
happy12

Host auth pattern

*@legalize.it

Registry modifications

Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
Software\Microsoft\OLE
SYSTEM\CurrentControlSet\Control\Lsa

SQL/ODBC based functions

SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll

Key logger

e-gold
PayPal
StormPay
WorldPay
Fotolog.net
Yahoo!
Bienvenido a Gmail
Welcome to Gmail
My Account login
MercadoLivre Brasil
[ESC]
[F1]
[F2]

HTTP Server

HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
Content-Type: %s
RealmBoT (httpd.p.l.g) .
. Failed to start worker thread, error: <%d>.
<TR> <TD COLSPAN=3><HR></TD> </TR>
</TABLE>
</BODY>
</HTML>

FTP Server

221 Goodbye happy r00ting.


425 Cant open data connection.
[REALMBOT-FTP] %s, port:%d now executing %s on
remote machine.
226 Transfer complete.
150 Opening BINARY mode data connection
LIST
425 Passive not supported on this server
200 Type set to A.
TYPE
257 / is current directory.
350 Restarting.
REST

215 NzmxFtpd
SYST
230 User logged in.
PASS
331 Password required
220 TxmxFtpd 0wns j0

Remote Command

. Remote Command Prompt


cmd.exe

DDoS Attack: Ping / SYN / UDP Floods

RealmBoT (ddos.p.l.g) .
. Done with flood (%iKB/sec).
ddos.syn
RealmBoT (ping.p.l.g) .
. Finished sending pings to %s.
RealmBoT (udp.p.l.g) .
. Finished sending packets to %s.
RealmBoT (udp.p.l.g) .
[SUPERSYN]: Done with flood (%iKB/sec)
RealmBoT (supersyn.p.l.g) .
. Flooding: (%s:%s) for %s seconds.

Password Cracking

mypass123
pw123
admin123
mypc123
secret
asdf
test123

VNC

.asc vnc 100 0 0 r b


RFB 003.008

Password list for bruteforce attacks


Too large to list

Username list for bruteforce attacks


Too large to list

Uptime

Uptime

Driveinfo

Driveinfo

Lab 6: What commands are present within the malware and what do they do?

If possible, take control of the malware and run some of these commands, documenting
how you did it.

In the previous labs we've seen that communication is handled via an IRC server. In this
lab we will be setting up a fake DNS server with a dummy IRC server to trick the
malware into communicating with us.

First we need to edit the hosts file on our victim machine. We want to point
testirc1.sh1xy2bg.net to localhost.

The hosts file is located in the %SYSTEMROOT%\system32\drivers\etc directory.


Next we need to install inspIRCd and configure our IRC server. You can find the
download here:
http://www.inspircd.org/?p=download&version=1.2.7&os=win
You will also need the .NET Framework 3.5 from here:
http://www.microsoft.com/download/en/details.aspx?id=21

Here I set everything up like this.

Now we need to add an oper.

I named the account testuser and left everything the same. Once you click Next you'll
be greeted with a screen asking for which port to listen on. Since our malware connects
back on 6667, that's what we want to listen on. After everything is configured, connect to
the server and join channel #chalenge.

Next execute the malware and wait for it to join. Here is the output if you try and join
with the incorrect password.
/msg USA[XP]4221645 .login somepass

USA[XP]4221645 Are you a Fucker?. (bothunter!bothunter@127.0.0.1).
USA[XP]4221645 No pass for you.

In order to login you need to use the gemp123 password, but it will throw an error.

/msg USA[XP]0166582 .login gemp123

USA[XP]4221645 WTF!? no yet fucker!. (bothunter!bothunter@127.0.0.1).
USA[XP]4221645 Orders: No Talk with you.

What's nice about InspIRCd is that the server allows operators to mask their hostnames.
You will want to mask your hostname to legalize.it. Now if you try and connect this is
what everything will look like.

/whois bothunter
bothunter is bothunter@legalize.it * bothunter
bothunter is connecting from bothunter@127.0.0.1 127.0.0.1

/msg USA[XP]4221645 .login gemp123
<USA[XP]4221645> [REALMBOT]: Thank for trying.

Lab 7: How would you classify this malware? Why?


Running it through VirusTotal and ThreatExpert along with the runtime behavior and
strings analysis all show that this is a variant of Rbot. Rbot is a common IRC controlled
bot.
You can look up an extensive analysis of the Rbot family at
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=39437

Lab 8: What do you think the purpose of this malware is?


The bot seems to be a multipurpose bot that allows an attacker to gain control over the
host. Natively, it can be used to steal data such as authentication credentials and financial
information. Since it has file transfer and process controls, it can also be used to further
escalate the intrusion to include additional functionality as needed by the attacker.

Lab 9: Is it possible to find the malware's source code? If so, how did you do it?

No. After doing a few Google searches it appears that the links that existed to the source
previously have been taken down.

Lab 10: How would you write a custom detection and removal tool to determine if the
malware is present on the system and remove it?

In order to write a custom detection and removal tool for this specific malware we need
to look at a few things:

- Look at all the running processes to see if there are any called winsec32.exe
  o If this process is found, it needs to be stopped
- Next, even if the detection tool doesn't see the running process, look through the
  WINDOWS directory for a file named winsec32.exe
- Following the previous step, the tool needs to look through the registry for 3 keys and
  if they are found remove them.
  o HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Svchost local services
  o HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Svchost local
  o HKLM\Software\Microsoft\OLE\Microsoft Svchost local services
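As an added example (not part of the manual), one way to put the three steps above into a script. The decision logic in scan() is separated from the Windows collectors so it can be checked off-box; VALUE_NAME is the value name recorded in Lab 4, the keys are the three listed above, and the tasklist/taskkill/winreg calls are my choice of Windows plumbing.

```python
import os
import subprocess

DROPPED = "winsec32.exe"
WINDIR = os.environ.get("WINDIR", r"C:\WINDOWS")
VALUE_NAME = "Microsoft Svchost local services"   # the value name recorded in Lab 4
RUN_KEYS = [r"Software\Microsoft\Windows\CurrentVersion\Run",    # all three under HKLM
            r"Software\Microsoft\Windows\CurrentVersion\RunServices",
            r"Software\Microsoft\OLE"]

def scan(processes, windir_files, registry):
    """Pure decision logic: registry is {key: {value_name: data}} as read under HKLM."""
    findings = []
    if any(p.lower() == DROPPED for p in processes):
        findings.append(("kill_process", DROPPED))       # stop it before touching the file
    if any(f.lower() == DROPPED for f in windir_files):
        findings.append(("delete_file", DROPPED))
    for key in RUN_KEYS:
        if VALUE_NAME in registry.get(key, {}):
            findings.append(("delete_value", "HKLM\\%s\\%s" % (key, VALUE_NAME)))
    return findings

def collect_live():
    """Windows-only collectors: tasklist, the %WINDIR% listing and winreg."""
    import winreg
    csv = subprocess.check_output(["tasklist", "/FO", "CSV", "/NH"], universal_newlines=True)
    procs = [row.split('","')[0].strip('"') for row in csv.splitlines() if row]
    registry = {}
    for key in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                registry[key] = {VALUE_NAME: winreg.QueryValueEx(k, VALUE_NAME)[0]}
        except OSError:
            pass                                       # key or value absent
    return procs, os.listdir(WINDIR), registry

def remediate(findings):
    """Apply the findings on Windows in scan() order; returns how many were applied."""
    import winreg
    for action, target in findings:
        if action == "kill_process":
            subprocess.call(["taskkill", "/F", "/IM", target])
        elif action == "delete_file":
            os.remove(os.path.join(WINDIR, target))
        else:
            key, value = target[len("HKLM\\"):].rsplit("\\", 1)
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, winreg.KEY_SET_VALUE) as k:
                winreg.DeleteValue(k, value)
    return len(findings)
```

On the lab VM, run remediate(scan(*collect_live())) from an administrator prompt; scan() alone can be fed captured process, directory and registry data from any machine.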
