Conficker dll analyse


d0ne
January 4th, 2009, 18:49
Hi Guys

I was doing a pentest and came across this dll file which is loaded over svchost.exe or tried to be launched with rundll32.exe.

I tried to analyse the dll, but I'm absolutely new to DLL's.

The file is packed with UPX, so it's not protected and can be easily unpacked.
After loading it in IDA I can see the basic functions like DllMain, etc., but the malware code is somewhere else. I tried to find whether there is something like obfuscation or hidden sections, etc., but I was not lucky.

I'd love to take a look at the internals like which reg keys are written, where the infection is going, etc.

Can someone maybe point me in a direction in what I'm missing or give me a hand?

Password for the archive is: infected

Best regards and thanks in advance.

d0ne

int0
January 5th, 2009, 04:27
make your own dll loader like:
LoadLibrary( "dllname" );
system("pause");
because they return NULL from DllMain, so the dll is not loaded, but they unpack the real dll into allocated memory and call it like: call edi, call ecx, etc., where CreateThread will be called,
so you can simply put a breakpoint on CreateThread or put breakpoints on every call e?x; there are not so many of them

PS: also in DllMain they check the file extension: if the name has .dll then they think it's already installed and running as a service; if some other (usually .jpg) then they will install the service and move the file to system32.

good luck.

d0ne
January 6th, 2009, 08:12
Hi int0, thanks for the quick reply. I wrote the little C tool to load the dll and attached it with OllyDbg. Breakpoints on LoadModule, CreateThread and VirtualAlloc, as I'm suspecting that the dll is loading a different part of itself into memory. Sadly I'm still not able to find, for example, the RegCreate and RegQuery calls which should be made by the malware.

It's the first time I'm trying to analyse malware; interesting but completely new to me.

I'll keep on trying.

oli

evaluator
January 6th, 2009, 10:27
it unpacks "target" dll in memory & then calls it.
& target.dll is UPX-packed again.. (MZ header does not exist)
i dumped this upx-ed dll & wrote a new header for u!
now u can debug it more easily..

int0
January 6th, 2009, 10:36
code from your sample:
Code:
10002EAE 03F8 ADD EDI,EAX
10002EB0 FFD7 CALL EDI ;- call to second layer
10002EB2 5F POP EDI
10002EB3 5E POP ESI
10002EB4 5B POP EBX
10002EB5 8BE5 MOV ESP,EBP
10002EB7 5D POP EBP
10002EB8 C2 0C00 RETN 0C

int0
January 6th, 2009, 10:38
Quote:
[Originally Posted by evaluator;78564]it unpacks "target" dll in memory & then calls it.
& target.dll is UPX-packed again.. (MZ header does not exist)
i dumped this upx-ed dll & wrote a new header for u!
now u can debug it more easily..

Yes, exactly

d0ne
January 9th, 2009, 08:53
Thank you very much int0 and evaluator, you made my week!
I was now able to get the original worm dll and disassemble it fully; now I can reverse the functionality. Thank you thank you thank you!

There is just one thing I was wondering.
What's the best way to detect such dll loading without a correct header? Or is it just routine and you know it because a lot of malware does it like that?

greets

d0ne

int0
January 9th, 2009, 08:58
Probably the best way is to break on VirtualAlloc and check what will be written there. There is no generic way for such things, just debugging.

evaluator
January 9th, 2009, 12:58
ye, i debugged it, saw where it loads in memory.
then i ran it again & set a HW break on last-byte memory writes; here the unpacker finishes. dump.
copy-paste any UPX header & correct all things there..

rzr
January 25th, 2009, 09:24
Really easy to unpack it.

The problem arises at the beginning, when you see, after you've un-UPX'd the dll, that it's still packed and there's spaghetti code (lots of jmps and redirection).

Just monitor VirtualAlloc/VirtualProtect until the allocated memory is marked as executable and it's ready to be executed. Dump the section, add an MZ/PE header, fix it and you're done.

(Or, if you want, you can go ahead with the analysis with a debugger without dumping anything)
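
A way to triage a dumped region as evaluator, int0 and rzr describe above: check whether the dump starts with a usable MZ/PE header and whether it carries UPX markers, i.e. whether it is the inner, still-packed dll. This is an added example in Python, not code from the thread, and the sample blobs are constructed.

```python
import struct

# Added example, not from the thread: triage a region dumped after the
# VirtualAlloc/VirtualProtect breakpoints. Two questions: does the dump start
# with a DOS header whose e_lfanew reaches a PE signature, and does it carry
# UPX markers (section names UPX0/UPX1 or the "UPX!" stamp)?

UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

def has_pe_header(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and e_lfanew (offset 0x3C) points at the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def upx_marker_offsets(blob: bytes) -> list:
    """All (marker, offset) pairs for UPX markers found anywhere in the dump, by offset."""
    hits = []
    for marker in UPX_MARKERS:
        pos = blob.find(marker)
        while pos >= 0:
            hits.append((marker.decode(), pos))
            pos = blob.find(marker, pos + 1)
    return sorted(hits, key=lambda h: h[1])

def classify(blob: bytes) -> str:
    """'pe-upx', 'headerless-upx', 'pe' or 'unknown' for a dumped region."""
    packed = bool(upx_marker_offsets(blob))
    if has_pe_header(blob):
        return "pe-upx" if packed else "pe"
    return "headerless-upx" if packed else "unknown"

# Constructed samples (not real Conficker bytes):
# a tiny image with DOS header, e_lfanew -> 0x40, PE signature and a UPX0 section name
HEADERED = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\0\0" + b"\0" * 0xF4 + b"UPX0" + b"\0" * 4)
# the same kind of content with the header stripped, as found in the allocated region
HEADERLESS = b"\x90" * 32 + b"UPX!" + b"\0" * 12 + b"UPX1" + b"\0" * 4

if __name__ == "__main__":
    for name, blob in (("headered", HEADERED), ("headerless", HEADERLESS)):
        print(name, classify(blob), upx_marker_offsets(blob))
```

A "headerless-upx" verdict is the case evaluator describes: the dump needs a reconstructed header before a disassembler or UPX will accept it.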

kr30l
January 27th, 2009, 23:12
I was wondering if any of you guys have analyzed the code of this worm where it generates random domain names. Has anyone here reverse engineered the algorithm?

rzr
January 30th, 2009, 19:28
http://mhl-malware-scripts.googlecode.com/files/downatool.zip

You can get the reversed source code of the algorithm at the link above.

JMI
January 30th, 2009, 23:39
rzr:

No big deal, but just a quick heads up. No need to quote the post immediately above yours. It just takes a little more room in the database.

At the bottom right of a previous post, there is an icon that looks like a page with a down arrow on it. That is the "quick reply" button, which opens a smaller "Reply" window. Otherwise, you can use the "Post Reply" button on the bottom left.

You only need the quote when the context of your reply might not make sense without the previous reference. Just keep in mind that the more you quote, the more of the database it uses. If it still makes sense, less is better.

Regards,

kr30l
January 31st, 2009, 01:07
Thanks a lot for the link RZR!

rzr
January 31st, 2009, 05:31
@JMI: Sorry, got it.

Thank you

Kayaker
February 16th, 2009, 13:28
Conficker/Downadup: Memory Injection Model.
Interesting use of APC's..

http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html

Also, another random domain name algo explained, for Srizbi:

http://blog.threatexpert.com/2008/11/srizbis-domain-calculator.html

Arlequim
February 16th, 2009, 14:45
Interesting article, tnx for sharing

Arlequim
February 16th, 2009, 14:50
Best article here

Code:
http://mtc.sri.com/Conficker/

imautopilot
February 17th, 2009, 09:19
I'm a new member, and I found interesting info about Conficker here. Many thanks. Btw, does anybody know how to run this malware? Because I've tried it on VMware, but this malware doesn't seem to run.

dELTA
February 17th, 2009, 10:22
Quote:
[Originally Posted by Kayaker;79349]Conficker/Downadup: Memory Injection Model.
Interesting use of APC's..

http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html
I don't really understand what it will gain from running LoadLibrary in each separate thread of a process though, since the DLL is loaded into the shared memory space of all the threads already during the initial LoadLibrary call?

replica
February 17th, 2009, 11:21
bloatware ^ hahahaha

Kayaker
February 17th, 2009, 13:23
Quote:
[Originally Posted by dELTA;79366]I don't really understand what it will gain from running LoadLibrary in each separate thread of a process though, since the DLL is loaded into the shared memory space of all the threads already during the initial LoadLibrary call?


My guess,.. if the process doesn't have debug/admin privileges then injection via CreateRemoteThread will fail, perhaps even more pertinent in Vista with UAC enabled.

The second method of injection, that of issuing APC's with NtQueueApcThread, is probably a backup method, "Plan B".

The purpose of setting up the identical APC for each thread of the target process is to ensure that at least one of the threads will at some point enter an alertable state, such as when it calls a Wait() function (or even ExitThread). Such a signalled state is necessary for any outstanding APC's (think of them as callback routines) to execute.

Arlequim
February 18th, 2009, 16:13
Just a question: is all the code in this virus original by its author, or did he find something in Ukrainian forums?

Kayaker
February 23rd, 2009, 14:30
Boy, you can't step outside these days without tripping over a Conficker analysis..

How to unpack the conficker dll:
Comes with a working IDB of the meat of the virus.

http://vrt-sourcefire.blogspot.com/2009/02/making-conficker-cough-up-goods.html

Arlequim
February 24th, 2009, 15:42
Hello, thanks for link
I use IDA 5.2, but when I load the IDB file it says "database corrupt".

Arlequim
March 3rd, 2009, 17:24
Problem solved, I created the patch for my IDA v5.2 and now I can open a pirate database ...

peyoth
April 7th, 2009, 08:33
I'd like to be able to create an IDS signature for the shellcode's decoding routine...
Can anyone (who has already analyzed conficker) please point me to the part of the code that performs the exploitation?

(alternatively, if you know where I can get network captures of the malware spreading, that would also work)

bl4ck3y3
April 12th, 2009, 04:10
Quote:
[Originally Posted by evaluator;78564]it unpacks "target" dll in memory & then calls it.
& target.dll is UPX-packed again.. (MZ header does not exist)
i dumped this upx-ed dll & wrote a new header for u!
now u can debug it more easily..


evaluator,

Mind sharing with me how you unpacked this sample?

evaluator
April 13th, 2009, 02:23
no, forgot now.. but i wrote something. Debug registers etc..

pmb
April 14th, 2009, 18:56
Quote:
[Originally Posted by peyoth;80065]
Can anyone (who has already analyzed conficker) please point me to the part of the code that performs the exploitation?


Look for the usage of the string "http://%d.%d.%d.%d:%d/%s"; it is used by the shellcode, which is a typical download-and-execute.

Hint: the shellcode is xored with 0xc4 on all variants I have seen so far.

good luck
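
One way to act on pmb's hint, as an added example that is not from the thread: scan a captured buffer for that format string under a single-byte XOR key and emit the encoded bytes a signature would match on. The sample buffer is constructed; the scan tries every key, so it goes beyond the 0xc4 the thread reports.

```python
# Added example, not code from the thread: scan a captured buffer for pmb's
# download-and-execute format string under a single-byte XOR key. The thread
# gives 0xc4 as the key; trying all 256 keys keeps the scan useful if a
# variant changes it. Key 0 means the string was not encoded at all.

NEEDLE = b"http://%d.%d.%d.%d:%d/%s"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)

def find_xored_needle(buf: bytes, needle: bytes = NEEDLE, keys=range(256)) -> list:
    """Return (key, offset) pairs where buf XOR key contains needle.

    Encoding the short needle once per key is far cheaper than decoding
    the whole buffer 256 times, and gives the same result.
    """
    hits = []
    for key in keys:
        encoded = xor_bytes(needle, key)
        pos = buf.find(encoded)
        while pos >= 0:
            hits.append((key, pos))
            pos = buf.find(encoded, pos + 1)
    return hits

def signature_hex(key: int, needle: bytes = NEEDLE) -> str:
    """Hex form of the encoded string, the bytes an IDS content match would look for."""
    return xor_bytes(needle, key).hex()

# Constructed sample: filler, then the needle encoded with 0xc4, then padding.
SAMPLE = b"\x90" * 16 + xor_bytes(NEEDLE, 0xC4) + b"\x00" * 8

if __name__ == "__main__":
    for key, off in find_xored_needle(SAMPLE):
        print(f"key=0x{key:02x} offset={off} pattern={signature_hex(key)}")
```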

Kayaker
April 20th, 2009, 09:48
For the Conficker fans, mentioned on Offensive Computing are two excellent technical reports from SRI:

http://www.offensivecomputing.net/?q=node/1120

An Analysis of Conficker's Logic and Rendezvous Points
http://mtc.sri.com/Conficker/

Conficker C Analysis
http://mtc.sri.com/Conficker/addendumC/

john
April 21st, 2009, 06:44
hey guys,
I am working on conficker variants. I am using VMware 6.5 with XP Sp2 loaded in it.
I have got a few samples of Conficker, but my question is how to make the initial setup of VMware secure, i.e. to protect my host PC from infection spreading over from the guest PC(s), if the worm has anti-virtualization/anti-VMware techniques to jump over network nodes.

john
April 23rd, 2009, 04:59
hey int0 ,
could you send me some samples of Conficker A, B, C. I am working on that and I am not getting it .... and do you have any references or a proper method for reverse engineering this Conficker ....
could you please mail me at infotodo@yahoo.co.uk

Quote:
[Originally Posted by int0;78538]make your own dll loader like:
LoadLibrary( "dllname" );
system("pause");
because they return NULL from DllMain, so the dll is not loaded, but they unpack the real dll into allocated memory and call it like: call edi, call ecx, etc., where CreateThread will be called,
so you can simply put a breakpoint on CreateThread or put breakpoints on every call e?x; there are not so many of them

PS: also in DllMain they check the file extension: if the name has .dll then they think it's already installed and running as a service; if some other (usually .jpg) then they will install the service and move the file to system32.

good luck.

evaluator
February 14th, 2011, 15:21
here, another meeting with Conficker.
the art of UPX unpacking

passw: malware