As seen in part 2 of this blog-post series, after the machine was compromised the bot was commanded to download yet another executable. This file was unpacked in the same manner as h2.exe, and seems to be packed by a custom FUD-crypter.
Hj3_unpacked.exe
MD5: 5deced762376b619560a801edaf3a722
SHA1: 2f3dbdbd4aa88ace0d3c88865523482b83401f83
Since the import table was quite big, I decided not to include the import address table (IAT) in this post, but there are many interesting functions, and again just by looking at the imports we get a good idea of this specimen's capabilities.
By using strings I could quickly identify the bot's capabilities, and I remembered that I had done some analysis on another variant before. It is the infamous NGRbot, as we already could identify from the VT report in Part 1 of this article. With the same output from strings we could identify and confirm some of the findings in the IAT, and get good network- as well as host-based information on how this bot operates.
Characteristics, as documented in several places on the internet:
- Injects into all running processes. When injected into explorer.exe it starts to connect to an IRC C&C.
- Spreads via MSN and USB.
- Injects iframes into FTP and HTTP traffic to redirect traffic / block legitimate web traffic.
- Can redirect or block DNS requests to block updates from AV vendors.
- Flooding: UDP, SYN, Slowloris.
- Proactive defence with pdef+.
- Made persistent by copying itself to "C:\Documents and Settings\$user\Application Data\Gjhqhw.scr" and by adding an entry with the same name as the file (Gjhqhw) pointing to that location in HKU\S-1-5-21-XXX\Software\Microsoft\Windows\CurrentVersion\Run. (Safe mode is needed to remove this entry; otherwise we would not even see it.)
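As an added example (not code from the original post), a small Python check that parses a .reg export of the per-user Run key and flags entries matching the persistence pattern described above: a value named after a .scr file dropped under Application Data (it also covers the AppData directory used by newer Windows versions). The SID and the sample entries are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a .reg export of the per-user Run key. The SID is a
# placeholder and the entries are made up for this example.
SAMPLE_RUN_EXPORT = r'''
[HKEY_USERS\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run]
"Gjhqhw"="C:\\Documents and Settings\\user\\Application Data\\Gjhqhw.scr"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''

# A .reg value line looks like "name"="data"; backslashes in data are doubled.
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Per-user writable data directories where a dropped copy would land
# (Application Data on XP/2003, AppData on Vista and later).
USER_DATA_DIRS = ("application data", "appdata")


def parse_run_values(reg_text):
    """Return (value_name, target_path) pairs from a .reg text export."""
    entries = []
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def suspicious_reasons(name, target):
    """List the traits of one Run entry that match the NGRbot persistence pattern."""
    path = PureWindowsPath(target)
    parts = [p.lower() for p in path.parts]
    reasons = []
    if path.suffix.lower() == ".scr":
        reasons.append("screensaver extension used as an autorun executable")
    if any(d in parts for d in USER_DATA_DIRS):
        reasons.append("target lives in a per-user data directory")
    if name.lower() == path.stem.lower():
        reasons.append("value name equals the dropped file's name")
    return reasons


def find_suspicious(reg_text, min_reasons=2):
    """Return {value_name: reasons} for entries with at least min_reasons traits."""
    hits = {}
    for name, target in parse_run_values(reg_text):
        reasons = suspicious_reasons(name, target)
        if len(reasons) >= min_reasons:
            hits[name] = reasons
    return hits
```

Requiring two traits keeps a legitimate entry whose value name merely equals its file name (like the constructed "Updater") out of the results.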
By setting breakpoints on kernel32.OpenProcess and kernel32.CreateRemoteThread and redirecting them to a non-system process, I was able to follow each and every process that got injected. This made it quite time consuming, and if it is not running inside explorer.exe it will not execute anything at all.
In the pictures we can see the domain names used to connect to the IRC C&C server and some of the supported commands. In the picture to the right we can see the location the file is copied to in order to make the bot more persistent.
This bot will again use api.wipmania.com to get the IP and geolocation. When this bot is connected to its C&C server it will be commanded to download a rootkit to fully compromise the victim's machine, as we see in the picture below.
More conducted analysis here:
http://resources.infosecinstitute.com/ngr-rootkit/
http://blogs.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat
http://blogs.mcafee.com/mcafee-labs/ngrbot-posing-as-skype-targets-social-networking-sites