http://www.strategicsec.com/
The password is infected. Now that we have our malware.exe file, let's upload it to VirusTotal.com: select malware.exe from where you extracted it, scan it, and see what comes up.
Save a copy of malware.exe onto the desktop and name it malware2.exe. Download Strings from Sysinternals (http://download.sysinternals.com/Files/Strings.zip) and extract strings.exe. Run strings.exe from the command prompt against malware2.exe and redirect the output to a file for easy inspection:
strings malware2.exe > malware.txt
Yet another way to view the file header contents is with File Analyzer. Switch back to the Windows machine, open a command prompt, navigate to the File Analyzer folder and run (the path contains spaces, so it must be quoted):
fa "c:\Documents and Settings\Administrator\Desktop\malware2.exe"
As you can see, it provides the same information as the above labs. You can see the Objects table entries ABC0, ABC1 and ABC2 in the header information.
Upon analyzing the strings information, what can you tell about the malware now?
The malware is identified as Crxbot alias Realmbot by Lindem.
The malware contains an IRC server hostname, channel name and associated commands, which means it uses IRC for command and control.
There are numerous network and security related registry keys that this malware is programmed to manipulate.
There is a reference to an executable, Winsec32.exe, as well as a Windows service named "Microsoft Svchost local services", which may be how the malware survives between reboots.
There is a dictionary of common usernames and passwords included, in addition to references to several default Windows administrative shares.
A list of keywords such as "Welcome to Gmail" and "PayPal" may mean that it watches for user activity and can capture credentials and/or account numbers.
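The review above was done by reading malware.txt by hand. As an added example (not part of the lab), the PowerShell function below tags each line of a strings dump with the indicator class it belongs to; the category names, regexes and sample lines are assumptions built from the findings listed above.

```powershell
# Added example, not from the lab: tag each line of a strings dump (malware.txt)
# with the indicator class it belongs to, automating the manual review above.
# The category names and regexes are assumptions built from the lab's findings.
function Get-StringsTriage {
    param([Parameter(Mandatory)][string[]]$Lines)

    $categories = [ordered]@{
        'IRC C2'          = '^(NICK|USER|PASS|MODE|JOIN|PRIVMSG)\s|^#\w+$'
        'Persistence'     = '(?i)winsec32\.exe|Svchost local services'
        'Registry'        = '(?i)^(Software|SYSTEM)\\Microsoft|CurrentControlSet'
        'Credential lure' = '(?i)Welcome to Gmail|PayPal|e-gold|My Account login'
        'Admin share'     = '\\\\.*\\(ADMIN|C|IPC)\$'
        'Default cred'    = '(?i)^(admin123|mypass123|pw123|test123|gemp123)$'
    }

    foreach ($line in $Lines) {
        foreach ($name in $categories.Keys) {
            if ($line -match $categories[$name]) {
                [pscustomobject]@{ Category = $name; String = $line }
                break   # first matching class wins; Persistence is tested before Registry
            }
        }
    }
}

# Constructed sample lines standing in for real strings output.
$sample = @(
    'NICK %s', 'USER %s 0 0 :%s', '#chalenge',
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'SYSTEM\CurrentControlSet\Control\Lsa',
    'Winsec32.exe', 'Microsoft Svchost local services',
    'Welcome to Gmail', '\\%s\ADMIN$', 'admin123',
    'GetProcAddress'   # benign import name: matches no category, so it is not reported
)
Get-StringsTriage -Lines $sample | Format-Table -AutoSize
# Against the real dump: Get-StringsTriage -Lines (Get-Content .\malware.txt) |
#   Group-Object Category | Sort-Object Count -Descending
```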
Let's also check the executable against www.threatexpert.com to see what it reports.
We can also use PE Explorer to figure out how this application is packed.
PE Explorer saw through the disguise fairly easily with no special configuration needed.
Stud_PE is another application that can be leveraged to figure out how malware.exe was packed.
Once you've loaded malware.exe into Stud_PE, click on the Signature tab.
Currently nothing is detected, but if we change the scan mode from Standard to Hard and rescan the file, we get better results.
Finally, we will use the Compare button in RegShot to compare the two registry snapshots. Once it's completed the comparison, Notepad should pop up with the results.
Another tool that provides the same information as above is InCtrl5. InCtrl5 works the same way as Regshot: it analyzes changes in the registry, files and folders, INI files and text files. This program is not installed and can't be downloaded!
Once completed, click Install Complete and it will scan the system again. You are then greeted with an Installation Report.
A third way this can be done is with InstallRite. Just like the previous two examples, we need to go through the prompts and select the executable we want to install.
This is the home screen; we want to click Install new software and create an InstallKit. As you go through the prompts, leave everything at the defaults. InstallRite will take a snapshot of your registry. When you reach this screen, choose malware.exe as your installation program.
When you are ready, hit Next and InstallRite will install malware.exe. Once it's completed you'll be brought back to the main screen. This time we want to Review Installations.
Here you are greeted with a nice GUI where you can look at each type of file or registry entry separately. It makes things a bit easier to read than the other tools.
What are some of the more noticeable changes?
Drops a file:
c:\WINDOWS\Winsec32.exe
Adds registry values (value name: data):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Svchost local services: Winsec32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Svchost local services: Winsec32.exe
HKEY_CURRENT_USER\Software\Microsoft\OLE\Microsoft Svchost local services: Winsec32.exe
It looks like it's trying to connect back to an IRC server, testirc1.sh1xy2bg.NET. Based on the analysis that we have done so far and the packet capture, we can safely say that the malware is communicating via IRC. References were also found for the following URLs:
http://www.w32-gen.us
http://www.nivdav.net/Winsec32.exe
Below are a few additional references that show the usage of several other network services and attacks. The malware acts as a service or daemon, driven by specific commands issued over the IRC channel. These were found using the methods in the above labs, running strings against the unpacked binary.
IRC based software at testirc1.sh1xy2bg.NET:
Testirc1.sh1xy2bg.NET
NICK %s
USER %s 0 0 :%s
PASS %s
MODE %s %s

Passwords:
gemp123
happy12
*@legalize.it

Registry modifications:
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
Software\Microsoft\OLE
SYSTEM\CurrentControlSet\Control\Lsa

ODBC / SQL (odbc32.dll):
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll

Key logger:
e-gold
PayPal
StormPay
WorldPay
Fotolog.net
Yahoo!
Bienvenido a Gmail
Welcome to Gmail
My Account login
MercadoLivre Brasil
[ESC]
[F1]
[F2]

HTTP Server:
HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
Content-Type: %s
RealmBoT (httpd.p.l.g) .
. Failed to start worker thread, error: <%d>.
<TR> <TD COLSPAN=3><HR></TD> </TR>
</TABLE>
</BODY>
</HTML>

FTP Server:
215 NzmxFtpd
SYST
230 User logged in.
PASS
331 Password required
220 TxmxFtpd 0wns j0

Remote Command

DDoS Attack (Ping / SYN / UDP floods):
RealmBoT (ddos.p.l.g) .
. Done with flood (%iKB/sec).
ddos.syn
RealmBoT (ping.p.l.g) .
. Finished sending pings to %s.
RealmBoT (udp.p.l.g) .
. Finished sending packets to %s.
RealmBoT (udp.p.l.g) .
[SUPERSYN]: Done with flood (%iKB/sec)
RealmBoT (supersyn.p.l.g) .
. Flooding: (%s:%s) for %s seconds.

Password Cracking:
mypass123
pw123
admin123
mypc123
secret
asdf
test123

VNC

Uptime

Driveinfo
Next we need to install InspIRCd and configure our IRC server. You can find the download here:
http://www.inspircd.org/?p=download&version=1.2.7&os=win
You will also need the .NET Framework 3.5 from here:
http://www.microsoft.com/download/en/details.aspx?id=21
I named the account testuser and left everything else the same. Once you click Next you'll be greeted with a screen asking which port to listen on. Since our malware connects back on 6667, that's what we want to listen on. After everything is configured, connect to the server and join channel #chalenge.
Next, execute the malware and wait for it to join. Here is the output if you try to join with the incorrect password.
/msg USA[XP]4221645 .login somepass
USA[XP]4221645 Are you a Fucker? .(bothunter!bothunter@127.0.0.1).
USA[XP]4221645 No pass for you.
In order to log in you need to use the gemp123 password, but it will still throw an error.
/msg USA[XP]0166582 .login gemp123
USA[XP]4221645 WTF!? no yet fucker! .(bothunter!bothunter@127.0.0.1).
USA[XP]4221645 Orders: No Talk with you.
What's nice about InspIRCd is that the server allows operators to mask their hostnames. You will want to mask your hostname to legalize.it, the hostmask the bot checks for (see the *@legalize.it string above). Now if you try to connect, this is what everything will look like.
/whois bothunter
bothunter is bothunter@legalize.it * bothunter
bothunter is connecting from bothunter@127.0.0.1 127.0.0.1
/msg USA[XP]4221645 .login gemp123
<USA[XP]4221645> [REALMBOT]: Thank for trying.
Lab 10: How would you write a custom detection and removal tool to determine if the malware is present on the system and remove it?
In order to write a custom detection and removal tool for this specific malware we need to look at a few things:
Look at all the running processes to see if there is one called winsec32.exe.
  o If this process is found, it needs to be stopped.
Next, even if the detection tool doesn't see the running process, look through the WINDOWS directory for a file named winsec32.exe.
Following the previous step, the tool needs to look through the registry for 3 keys and, if they are found, remove them:
  o HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Svchost local services
  o HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Svchost local
  o HKLM\Software\Microsoft\OLE\Microsoft Svchost local services
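One way to implement the three steps above, as an added PowerShell example that is not part of the lab. It assumes the value name "Microsoft Svchost local services" is identical under all three keys, and it checks the OLE key under both HKLM and HKCU because the lab lists it under each in different places.

```powershell
# Added example, not from the lab: a detection and removal script for the
# indicators the lab recorded. Run it from an elevated PowerShell prompt.
# Assumptions: the value name is the same under all three keys, and the OLE
# key is checked under both HKLM and HKCU since the lab lists it under each.
$ValueName = 'Microsoft Svchost local services'
$Dropped   = Join-Path $env:windir 'Winsec32.exe'
$RunKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\OLE',
    'HKCU:\SOFTWARE\Microsoft\OLE'
)

function Find-Winsec32 {
    # Detection pass: report every indicator present, change nothing.
    $found = @()
    foreach ($p in Get-Process -Name 'winsec32' -ErrorAction SilentlyContinue) {
        $found += "process pid=$($p.Id) path=$($p.Path)"
    }
    if (Test-Path -LiteralPath $Dropped) { $found += "file $Dropped" }
    foreach ($key in $RunKeys) {
        $v = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($v) { $found += "registry $key\$ValueName = $($v.$ValueName)" }
    }
    return $found
}

function Remove-Winsec32 {
    # Removal pass. Stop the process first: a running bot can rewrite its Run
    # values, and Windows refuses to delete the image of a running process.
    Get-Process -Name 'winsec32' -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 1
    foreach ($key in $RunKeys) {
        Remove-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    }
    if (Test-Path -LiteralPath $Dropped) { Remove-Item -LiteralPath $Dropped -Force }
}

$hits = @(Find-Winsec32)
if ($hits.Count -eq 0) {
    'No Winsec32 indicators found.'
} else {
    'Detected:'; $hits
    Remove-Winsec32
    "Indicators remaining after cleanup: $(@(Find-Winsec32).Count)"
}
```

Running Find-Winsec32 a second time after cleanup is the check that the removal actually took; a non-zero count means the bot respawned or the script lacked the rights to edit HKLM.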