Feb 9, 2008

Amateur Malware Analysis

A friend asked me to check his USB drive because it was not working. I attached it to my notebook and mounted it. It seems fine: I can access his files, plus a bonus suspicious executable with a blurry folder icon. Apparently the USB port he was attaching the drive to is not working. I copied the executable and the autorun.ini from his drive.

It's a Saturday evening and I have some time to spare, so I check out the suspected malware. Here I take a shot at malware analysis.

The autorun.ini is obvious:

[Autorun]
Open=scvhost.exe
Shellexecute=scvhost.exe
Shell\Open\command=scvhost.exe
Shell=Open
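As an added example (my own code, not part of the original post), here is a small Python check that parses an autorun file like the one above and flags the two patterns it shows: an action target whose name imitates a Windows binary (scvhost vs. svchost) and every action pointing at the same file. It goes slightly beyond this file by accepting any shell\<verb>\command key; the SYSTEM_NAMES list and the 0.85 similarity threshold are my assumptions, and the sample is constructed from the entries above.

```python
from difflib import SequenceMatcher
# Assumption: a short list of Windows binaries whose names worms commonly imitate.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
# Constructed sample mirroring the autorun file found on the drive.
SAMPLE_AUTORUN = "[Autorun]\nOpen=scvhost.exe\nShellexecute=scvhost.exe\nShell\\Open\\command=scvhost.exe\nShell=Open\n"

def parse_autorun(text):
    """Return key=value pairs of the [Autorun] section with lowercased keys."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def executable_name(value):
    """Bare lowercased file name of a command, ignoring quoting, path and arguments."""
    value = value.strip()
    if value.startswith('"') and '"' in value[1:]:
        token = value[1:value.index('"', 1)]
    else:
        token = value.split()[0] if value else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def lookalike(name):
    """System binary that this name imitates by letter swaps (scvhost -> svchost), or None."""
    for legit in SYSTEM_NAMES:
        if name != legit and SequenceMatcher(None, name, legit).ratio() >= 0.85:
            return legit
    return None

def assess(text):
    """Human-readable findings for an autorun file; an empty list means nothing suspicious."""
    # Open, Shellexecute and any shell\<verb>\command key make Windows run the value.
    targets = {k: executable_name(v) for k, v in parse_autorun(text).items()
               if v and (k in ("open", "shellexecute") or k.endswith("\\command"))}
    findings = []
    for key, exe in targets.items():
        hit = exe if exe in SYSTEM_NAMES else lookalike(exe)
        if hit:
            findings.append(f"{key} target {exe} uses or imitates the system name {hit}")
    if len(targets) >= 2 and len(set(targets.values())) == 1:
        findings.append("every autorun action points at the same file, as worms typically do")
    return findings
```

Running assess() on the sample yields four findings: one name-imitation hit per action key plus the same-file observation.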

Uploaded scvhost.exe to Jotti's malware scan.

Uploaded it to Norman Sandbox but it does not show any helpful information.
[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: DLoader.EGQI
* Compressed: YES
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK

[ General information ]
* Decompressing UPX3.
* File length: 225792 bytes.
* MD5 hash: 24fcddb3010f0dc16079af055a9970f0.

I tried to uncompress it using UPX but it seems to be intentionally corrupted or compressed with UPOLYX.
$ upx-3.02-i386_linux/upx  -d scvhost.exe 
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.02 Markus Oberhumer, Laszlo Molnar & John Reiser Dec 16th 2007

File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: scvhost.exe: NotPackedException: not packed by UPX

Unpacked 0 files.

The uncompressed part of the executable reveals a couple of details. Looks like it was scripted with AutoIT.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
type="win32"
processorArchitecture="*"
version="3.0.0.0"
name="AutoIt3"
/>

For dynamic analysis I used Sandboxie. The files it creates:
  • C:\WINDOWS\himhem.scr
  • C:\WINDOWS\scvhost.exe
  • C:\WINDOWS\system32\autorun.ini
  • C:\WINDOWS\system32\blastclnnn.exe
  • C:\WINDOWS\system32\scvhost.exe

Based on the created files this is a variant of W32.Blastclan.

It also creates these registry entries:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "C:\WINDOWS\system32\scvhost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "X"

I don't know why the Shell is set to X; probably because it can't fetch a configuration file.

I dumped the malware's memory and found some interesting strings like this command for a scheduled run:
/C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe

I also saw a reference to IsDebuggerPresent which checks for a user-mode debugger.

I ran a sniffer to watch the malware's network traffic. It tries to fetch these files:
  • http://setting3.yeahost.com/setting.xls
  • http://setting3.9999mb.com/setting.xls
  • http://setting3.9999mb.com/setting.doc
  • http://www.freewebs.com/setting3/setting.doc
Those are offline now.

Unfortunately I do not have a valid configuration for the malware to further analyse it. Scouring the anti-malware sites this worm seems to have several variants. Good evening.
