
Thread: .:Windows Security, Maintenance and Optimizing Guide :.

  1. #51 SparkyJJO (Xtremely High Voltage)
     Join Date: Mar 2006 | Location: Ohio, USA | Posts: 16,040
    Something to add to the anti-spyware list. Malwarebytes works great. I have had a couple of systems I was working on where Spybot removed stuff, Ad-Aware removed some stuff, but there were still a few things left. Malwarebytes took care of the rest.
    The Cardboard Master
    Crunch with us, the XS WCG team
    Intel Core i7 2600k @ 4.5GHz, 16GB DDR3-1600, Radeon 7950 @ 1000/1250, Win 10 Pro x64

  2. #52 XSAlliN (Xtreme Addict)
     Join Date: Jul 2006 | Location: Between Sky and Earth | Posts: 2,035
    Quote Originally Posted by SparkyJJO:
    Something to add to the anti-spyware list. Malwarebytes works great. I have had a couple of systems I was working on where Spybot removed stuff, Ad-Aware removed some stuff, but there were still a few things left. Malwarebytes took care of the rest.
    OK, I'll add it later along with "SUPERAntiSpyware". I've infected my system intentionally with a common spyware which I know how to remove, but Malwarebytes found 0 results, while SUPERAntiSpyware removed it. So I guess it's signature-dependent, but I tried it with an old dummy file from 2002 and still got 0 results. So if you say it's good I'll keep on trying it and add it later if it turns out to be good. Then again, tools are just tools, which leads me to this recent article:

    Well, today wasn't exactly a tough handler's shift, so I thought I would look in my spam folder for something interesting. There is always something interesting in there; subject-wise, most are things which aren't even mentionable in public. However, in many of these emails are links, and at the end of the link is the world of malware. So I feel compelled to follow them (in a nice, safe environment). Today's attempt was a complete success on the first piece of spam I opened. Sure enough, I found a nice executable at the other end just waiting to be downloaded. What a relaxing way to spend a Saturday, doing a little malware analysis.

    I opened it in OllyDbg, got past the packer and took a look at the strings in the file. Sure enough, this file wasn't one filled with good intentions. If you take a look at the strings below, you can see what I'm talking about at first glance.

    Address  | Disassembly                               | Text string
    00401000 MOV EAX,1 (Initial CPU selection)
    00401037 MOV DWORD PTR SS:[ESP+14],my_hots_.00410 ASCII "CbEvtSvc"
    004010CB PUSH my_hots_.00410C04 UNICODE "-k"
    004010DA PUSH my_hots_.00410C0C UNICODE "netsvcs"
    0040110C PUSH my_hots_.00410C04 UNICODE "-k"
    004014A5 MOV ECX,my_hots_.00410D58 ASCII " "
    00401710 PUSH my_hots_.00410C3C ASCII "user"
    00401731 PUSH my_hots_.00410C44 ASCII "os=%d&ver=%s&idx=%s&user=%s"
    004018B5 PUSH my_hots_.00410C60 ASCII "%s&ioctl=%d&data=%s"
    004018F4 PUSH my_hots_.00410C30 ASCII "74.50.109.2"
    004018FD PUSH my_hots_.00410C78 ASCII "ldr/client03/ldrctl.php"
    00401902 PUSH my_hots_.00410C90 ASCII "POST /%s HTTP/1.1
    Connection: Close
    Content-Type: application/x-www-form-urlencoded
    User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: %s
    Content-Length: %d

    %s"
    00401C37 PUSH my_hots_.00410C30 ASCII "74.50.109.2"
    00401C4A PUSH my_hots_.00410C30 ASCII "74.50.109.2"
    0040340A PUSH my_hots_.00410EA8 ASCII "%s-%x"
    00403561 PUSH my_hots_.00410EB0 ASCII "%s\%d.exe"
    0040361A PUSH my_hots_.00410EC0 ASCII "D7EB6085-E70A-4f5a-9921-E6BD244A8C17"
    00403915 PUSH my_hots_.00410EE8 ASCII "%d.%d.%d.%d"
    00403B29 PUSH my_hots_.00410EF8 ASCII "CbEvtSvc.exe"
    00403BC5 PUSH my_hots_.00410F08 ASCII "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
    00403BD5 PUSH my_hots_.00410BF8 ASCII "CbEvtSvc"

    I checked out the IP found in the strings above and grabbed its source code. The only thing on the page was this:

    "<html><body><h1>It works!</h1></body></html>"

    So now I'm wondering if this malware has fangs yet or if it's being distributed in a trial mode. I launched the malware on one of my VM Windows images and found that it looked pretty benign. Here is where it started to get interesting. I used a tool called RegShot to get a "before" snapshot of my machine state. After launching the malware I used it to get an "after" snapshot of my machine state. There didn't seem to be any files dropped on my hard drive; however, there is a mention of a file above called "CbEvtSvc.exe". When I launched the malware, I also had some other tools running. I like to use other tools too when I'm doing behavioral analysis, like RegMon, FileMon, Process Explorer, TCPView, etc. Both RegMon and FileMon show that CbEvtSvc.exe was busy on my system. As a matter of fact, FileMon had this entry:

    3:11:24 PM my_hots_video.e:796 CREATE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Options: OverwriteIf Sequential Access: 00130196
    3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 SUCCESS Change Notify
    3:11:24 PM my_hots_video.e:796 SET INFORMATION C:\WINNT\system32\CbEvtSvc.exe SUCCESS Length: 87040
    3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 SUCCESS Change Notify
    3:11:24 PM my_hots_video.e:796 QUERY INFORMATION C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe SUCCESS Length: 87040
    3:11:24 PM my_hots_video.e:796 WRITE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Offset: 0 Length: 65536
    3:11:24 PM my_hots_video.e:796 WRITE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Offset: 65536 Length: 21504
    3:11:24 PM my_hots_video.e:796 SET INFORMATION C:\WINNT\system32\CbEvtSvc.exe SUCCESS FileBasicInformation
    3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 Change Notify
    3:11:24 PM my_hots_video.e:796 CLOSE C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe SUCCESS
    3:11:24 PM my_hots_video.e:796 CLOSE C:\WINNT\system32\CbEvtSvc.exe SUCCESS

    So the file had been created, but where was it? I used Explorer to look for it and found nothing. I then used cmd.exe to look at the directory for the file and nothing was there. I thought maybe it's hidden and I can reference it another way. From the command prompt, I tried to run the following command in the system32 directory: dir *cb*, and guess what, my window closed on me. I tried this method again and could find any other variety of files this way as long as it wasn't the first letters of that filename. Now I'm thinking rootkit capabilities... cool! Since my antivirus did not have issues when I downloaded the file using wget, I thought I'd throw it at a few sites and see what they thought of my new toy. Norman Sandbox provided this analysis, which disturbed me:

    my_hots_video : Not detected by Sandbox (Signature: NO_VIRUS)

    [ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS
    * Compressed: NO
    * TLS hooks: NO
    * Executable type: Application
    * Executable file structure: OK

    [ General information ]
    * File length: 87040 bytes.
    * MD5 hash: 1f4d13b31116860e0a3b692052856941

    VirusTotal provided me results showing 14/36 (38.89%) vendors had detection for this file. Not great coverage by any means, but at least some vendors know that it's bad and have a signature for it.

    I'm not done with this file yet; it's rather interesting. What I really wanted to point out is that my tools did not provide me with accurate answers. Tools are simply that... just tools. As you work with malware, it's important to have many ways to confirm your results. It's just as important NOT to totally rely on your tools to provide you with the answers. You HAVE to understand the tools you're using. Don't become so dependent on one way of verifying something. I run many tools at the same time when I work with malware. Each has a different purpose as well as strengths and weaknesses. It's important to know them and not just rely on a single method. In essence, you want to look at malware from many different angles and never forget that your tools are only so good and may not provide you with the right answer. Nothing can replace your analysis skills and your ability to understand what you're seeing.

    .............

    LE: After further examinations, I guess that tool could be good for beginners, since it is efficient enough to remove a rogue product like "XP AntiVirus 2008"; with proper definitions it might work well against other similar threats.
    Last edited by XSAlliN; 09-08-2008 at 03:03 AM.
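The two halves of the quoted diary, reading the C2 indicators out of the string dump and confirming the drop from the FileMon trace, lend themselves to a small triage script that does the cross-checking the author argues for. The Python below is an added example, not code from the diary author or from anyone in this thread. Its sample inputs are the string and FileMon lines quoted above, copied here as constructed test data (the multi-line POST template is left out); the empty directory listing passed to cross_check stands in for the "dir" result the author describes. The regexes, the IOC buckets and the "suspect rootkit" wording are this example's own assumptions, not output of OllyDbg, FileMon or any other tool named in the post.

```python
"""Correlate static strings with a FileMon trace (added example, not the diary author's code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the single-line entries of the string dump quoted in the post.
STRINGS_DUMP = r"""
00401731 PUSH my_hots_.00410C44 ASCII "os=%d&ver=%s&idx=%s&user=%s"
004018B5 PUSH my_hots_.00410C60 ASCII "%s&ioctl=%d&data=%s"
004018F4 PUSH my_hots_.00410C30 ASCII "74.50.109.2"
004018FD PUSH my_hots_.00410C78 ASCII "ldr/client03/ldrctl.php"
00403561 PUSH my_hots_.00410EB0 ASCII "%s\%d.exe"
00403915 PUSH my_hots_.00410EE8 ASCII "%d.%d.%d.%d"
00403B29 PUSH my_hots_.00410EF8 ASCII "CbEvtSvc.exe"
00403BC5 PUSH my_hots_.00410F08 ASCII "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
"""

# Constructed sample: FileMon lines as quoted in the post (one of them has no result column).
FILEMON_LOG = r"""
3:11:24 PM my_hots_video.e:796 CREATE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Options: OverwriteIf Sequential Access: 00130196
3:11:24 PM my_hots_video.e:796 SET INFORMATION C:\WINNT\system32\CbEvtSvc.exe SUCCESS Length: 87040
3:11:24 PM my_hots_video.e:796 QUERY INFORMATION C:\Documents and Settings\Administrator\Desktop\my_hots_video.exe SUCCESS Length: 87040
3:11:24 PM my_hots_video.e:796 WRITE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Offset: 0 Length: 65536
3:11:24 PM my_hots_video.e:796 WRITE C:\WINNT\system32\CbEvtSvc.exe SUCCESS Offset: 65536 Length: 21504
3:11:24 PM WINLOGON.EXE:160 DIRECTORY C:\WINNT\system32 Change Notify
3:11:24 PM my_hots_video.e:796 CLOSE C:\WINNT\system32\CbEvtSvc.exe SUCCESS
"""

STRING_RE = re.compile(r'(?:ASCII|UNICODE) "(.*)"\s*$')
IPV4_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')
URI_RE = re.compile(r'^[\w./-]+\.(?:php|asp|aspx|cgi|jsp)$', re.I)
EXE_RE = re.compile(r'^[\w-]+\.exe$', re.I)
SVC_RE = re.compile(r'^(?:%SystemRoot%|[A-Za-z]:\\Windows)\\System32\\([\w-]+\.exe)\s+-k\s+(\S+)', re.I)
PARAM_RE = re.compile(r'(\w+)=%[sdxu]')
LOG_RE = re.compile(
    r'^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<proc>.+?):(?P<pid>\d+)\s+'
    r'(?P<op>CREATE|OPEN|CLOSE|READ|WRITE|DELETE|DIRECTORY|SET INFORMATION|QUERY INFORMATION)\s+'
    r'(?P<path>[A-Za-z]:\\.*?)\s+(?P<result>SUCCESS|NOT FOUND|ACCESS DENIED|SHARING VIOLATION)'
    r'(?:\s+(?P<detail>.*))?$')
LENGTH_RE = re.compile(r'Length:\s*(\d+)')


def extract_iocs(dump: str) -> dict:
    """Classify each quoted string of a disassembler/strings dump into an IOC bucket."""
    iocs = {"ipv4": [], "uri_paths": [], "dropped_files": [], "svchost_groups": [], "beacon_params": []}
    for line in dump.splitlines():
        m = STRING_RE.search(line)
        if not m:
            continue
        s = m.group(1)
        ip = IPV4_RE.match(s)
        if ip and all(int(o) <= 255 for o in ip.groups()):   # rejects the "%d.%d.%d.%d" template
            iocs["ipv4"].append(s)
        elif URI_RE.match(s):
            iocs["uri_paths"].append(s)
        elif EXE_RE.match(s):
            iocs["dropped_files"].append(s)
        svc = SVC_RE.match(s)
        if svc:                                                # "<exe> -k <group>" service command line
            iocs["svchost_groups"].append((svc.group(1), svc.group(2)))
        iocs["beacon_params"].extend(PARAM_RE.findall(s))      # parameter names of POST body templates
    return iocs


@dataclass
class DroppedFile:
    path: str
    writer: str           # "process:pid" that created the file
    bytes_written: int = 0
    closed: bool = False


def find_drops(log: str) -> tuple[dict[str, DroppedFile], list[str]]:
    """Executables created under a System32 directory, plus trace lines the parser could not read."""
    drops, unparsed = {}, []
    for line in filter(str.strip, log.splitlines()):
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)          # a tool gap: count it instead of silently dropping it
            continue
        path, low = m["path"], m["path"].lower()
        if "\\system32\\" not in low or not low.endswith(".exe"):
            continue
        if m["op"] == "CREATE" and m["result"] == "SUCCESS":
            drops[path] = DroppedFile(path, f'{m["proc"]}:{m["pid"]}')
        elif m["op"] == "WRITE" and path in drops:
            n = LENGTH_RE.search(m["detail"] or "")
            drops[path].bytes_written += int(n.group(1)) if n else 0
        elif m["op"] == "CLOSE" and path in drops:
            drops[path].closed = True
    return drops, unparsed


def cross_check(iocs: dict, drops: dict[str, DroppedFile], dir_listing: list[str]) -> list[str]:
    """One finding per file the strings promise: what the trace saw versus what a directory listing shows."""
    listed = {name.lower() for name in dir_listing}
    findings = []
    for name in iocs["dropped_files"]:
        hits = [d for p, d in drops.items() if p.lower().endswith("\\" + name.lower())]
        if not hits:
            findings.append(f"{name}: named in strings, no write seen in trace")
            continue
        d = hits[0]
        verdict = f"{name}: written by {d.writer}, {d.bytes_written} bytes, closed={d.closed}"
        if name.lower() not in listed:
            verdict += "; absent from directory listing -> hidden file, suspect rootkit"
        findings.append(verdict)
    return findings


if __name__ == "__main__":
    iocs = extract_iocs(STRINGS_DUMP)
    drops, unparsed = find_drops(FILEMON_LOG)
    print("C2:", iocs["ipv4"], iocs["uri_paths"], "params:", iocs["beacon_params"])
    print("service:", iocs["svchost_groups"])
    for f in cross_check(iocs, drops, dir_listing=[]):  # assumed: "dir" showed nothing, as in the post
        print(f)
    print(f"unparsed trace lines: {len(unparsed)}")
```

The point of counting unparsed lines is the same point the diary makes: a parser that silently skips the one FileMon line without a result column would hide exactly the kind of gap an analyst needs to notice. The byte total from the two WRITE records (87040) can be checked against the SET INFORMATION length and the sandbox's reported file length, which is the sort of cross-tool agreement worth confirming before trusting any single tool's verdict.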
