
I got Trojanned


rendari
August 5th, 2009, 16:17
Someone sent me an exe at work, and I opened it on my work computer. Shortly thereafter my firewall blocked explorer.exe. I had the sinking suspicion that I had just been infected, so I fired up Olly and took a look. Looks like the enclosed exe is an exe bundler with the real exe I want and a trojan. They are both extracted to the user's temp folder, the trojan being called bot.exe. The trojan at first glance is legitimate, with a legit import table and just a bunch of user32 calls. However, upon looking closer you will see that the User32 calls are just obfuscation, and in reality it seems like it's setting up to inject some shellcode for a privilege escalation exploit? I don't know; the interesting stuff starts here:

Code:
004036C5 |. 52 |PUSH EDX ; /s2 => "LoadLibraryA"
004036C6 |. 8B45 BC |MOV EAX,[LOCAL.17] ; |
004036C9 |. 8B8D 30FCFFFF |MOV ECX,[LOCAL.244] ; |
004036CF |. 8B1481 |MOV EDX,DWORD PTR DS:[ECX+EAX*4] ; |
004036D2 |. 0355 DC |ADD EDX,[LOCAL.9] ; |
004036D5 |. 52 |PUSH EDX ; |s1
004036D6 |. E8 FD2F0000 |CALL <JMP.&MSVCRT.strcmp> ; \strcmp
004036DB |. 83C4 08 |ADD ESP,8
004036DE |. 85C0 |TEST EAX,EAX
004036E0 |. 0F85 9E000000 |JNZ bot.00403784
004036E6 |. 6A 00 |PUSH 0 ; /lParam = 0
004036E8 |. 6A 05 |PUSH 5 ; |wParam = 5
004036EA |. 68 82010000 |PUSH 182 ; |Message = LB_DELETESTRING
004036EF |. 68 EE030000 |PUSH 3EE ; |ControlID = 3EE (1006.)
004036F4 |. 6A 00 |PUSH 0 ; |hWnd = NULL
004036F6 |. FF15 C4704000 |CALL DWORD PTR DS:[<&USER32.SendDlgItemMessageA>] ; \SendDlgItemMessageA
004036FC |. 6A 00 |PUSH 0 ; /ObjType = WHITE_BRUSH
004036FE |. FF15 00704000 |CALL DWORD PTR DS:[<&GDI32.GetStockObject>] ; \GetStockObject
00403704 |. 50 |PUSH EAX ; /hBrush
00403705 |. 68 408F4000 |PUSH bot.00408F40 ; |pRect = 00408F40 {0.,0.,0.,0.}
0040370A |. A1 7C8E4000 |MOV EAX,DWORD PTR DS:[408E7C] ; |
0040370F |. 50 |PUSH EAX ; |hDC => NULL
00403710 |. FF15 C8704000 |CALL DWORD PTR DS:[<&USER32.FillRect>] ; \FillRect
00403716 |. 6A 00 |PUSH 0 ; /hDC = NULL
00403718 |. FF15 0C704000 |CALL DWORD PTR DS:[<&GDI32.CreateCompatibleDC>] ; \CreateCompatibleDC
0040371E |. A3 5C8E4000 |MOV DWORD PTR DS:[408E5C],EAX
00403723 |. 8B0D 04BF4000 |MOV ECX,DWORD PTR DS:[40BF04]
00403729 |. 890D 4C8F4000 |MOV DWORD PTR DS:[408F4C],ECX
0040372F |. 8B55 BC |MOV EDX,[LOCAL.17]
00403732 |. 8B85 40FCFFFF |MOV EAX,[LOCAL.240]
00403738 |. 33C9 |XOR ECX,ECX
0040373A |. 66:8B0C50 |MOV CX,WORD PTR DS:[EAX+EDX*2]
0040373E |. 8B55 B8 |MOV EDX,[LOCAL.18]
00403741 |. 8B048A |MOV EAX,DWORD PTR DS:[EDX+ECX*4]
00403744 |. 0345 DC |ADD EAX,[LOCAL.9]
00403747 |. A3 8CBE4000 |MOV DWORD PTR DS:[40BE8C],EAX
0040374C |. 8B0D 00BF4000 |MOV ECX,DWORD PTR DS:[40BF00]
00403752 |. 890D 488F4000 |MOV DWORD PTR DS:[408F48],ECX
00403758 |. 6A 00 |PUSH 0 ; /lParam = 0
0040375A |. 6A 05 |PUSH 5 ; |wParam = 5
0040375C |. 68 82010000 |PUSH 182 ; |Message = LB_DELETESTRING
00403761 |. 68 EE030000 |PUSH 3EE ; |ControlID = 3EE (1006.)
00403766 |. 6A 00 |PUSH 0 ; |hWnd = NULL
00403768 |. FF15 C4704000 |CALL DWORD PTR DS:[<&USER32.SendDlgItemMessageA>] ; \SendDlgItemMessageA
0040376E |. C705 448F4000 00000000 |MOV DWORD PTR DS:[408F44],0
00403778 |. 8B15 04BF4000 |MOV EDX,DWORD PTR DS:[40BF04]
0040377E |. 8915 4C8F4000 |MOV DWORD PTR DS:[408F4C],EDX
00403784 |> 6A 00 |PUSH 0 ; /hDC = NULL
00403786 |. FF15 0C704000 |CALL DWORD PTR DS:[<&GDI32.CreateCompatibleDC>] ; \CreateCompatibleDC
0040378C |. A3 5C8E4000 |MOV DWORD PTR DS:[408E5C],EAX
00403791 |. 6A 00 |PUSH 0 ; /lParam = 0
00403793 |. 6A 05 |PUSH 5 ; |wParam = 5
00403795 |. 68 82010000 |PUSH 182 ; |Message = LB_DELETESTRING
0040379A |. 68 EE030000 |PUSH 3EE ; |ControlID = 3EE (1006.)
0040379F |. 6A 00 |PUSH 0 ; |hWnd = NULL
004037A1 |. FF15 C4704000 |CALL DWORD PTR DS:[<&USER32.SendDlgItemMessageA>] ; \SendDlgItemMessageA
004037A7 |. A1 488E4000 |MOV EAX,DWORD PTR DS:[408E48]
004037AC |. 50 |PUSH EAX ; /s2 => "GetProcAddress"
004037AD |. 8B4D BC |MOV ECX,[LOCAL.17] ; |
004037B0 |. 8B95 30FCFFFF |MOV EDX,[LOCAL.244] ; |
004037B6 |. 8B048A |MOV EAX,DWORD PTR DS:[EDX+ECX*4] ; |
004037B9 |. 0345 DC |ADD EAX,[LOCAL.9] ; |
004037BC |. 50 |PUSH EAX ; |s1
004037BD |. E8 162F0000 |CALL <JMP.&MSVCRT.strcmp> ; \strcmp



It's cycling through kernel32.dll looking for GetProcAddress and LoadLibraryA, from whence it grabs the addresses using a custom GetProcAddress. After that I lose track of it, as I am inexperienced in malware debugging and have never written malware before. That's why I decided on posting it here; hope someone might tell me what it does and how badly I've been compromised. I know at least a half dozen other people ran this on their work machines, so I need to get in touch with them, as well as the IT department that someone so thoughtfully outsourced to India. But I plan on sitting down with this thing later, which brings up my 2nd question: will VMWare be a good enough and sterile enough environment to analyze this SOB in?

Thanks guys,

-rendari

ATTACHMENT IS MALWARE!!!
PASSWORD IS: malware
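The export-table walk rendari describes in the listing above (names table, strcmp against the wanted name, ordinal table, function table, add the image base), written out as an added example that is not part of the original post. It parses a constructed, minimal in-memory PE image rather than the real kernel32; the load address 0x7C800000 and the export RVAs are made-up fixture values.

```python
"""
Added example, not code from the original thread: a 'custom GetProcAddress'
that walks a PE export directory by hand the way the bot.exe listing does.
The module it walks is a constructed, minimal fake image (offset == RVA,
as for a mapped module), not real kernel32.
"""
import struct

IMAGE_DIRECTORY_ENTRY_EXPORT = 0
PE32_MAGIC = 0x10B


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstr(buf, off):
    """NUL-terminated ASCII string at off, i.e. what strcmp would compare."""
    return buf[off:buf.index(b"\x00", off)].decode("ascii")


def export_directory(image):
    """Return (rva, size) of IMAGE_EXPORT_DIRECTORY, or None if no exports."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # skip Signature + IMAGE_FILE_HEADER
    # DataDirectory begins at +0x60 in a PE32 optional header, +0x70 in PE32+
    datadir = opt + (0x60 if _u16(image, opt) == PE32_MAGIC else 0x70)
    rva, size = struct.unpack_from("<II", image, datadir + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)
    return (rva, size) if rva else None


def list_exports(image):
    """Map every named export to its RVA; forwarders map to their target string."""
    hdr = export_directory(image)
    if hdr is None:
        return {}
    exp_rva, exp_size = hdr
    num_funcs, num_names, funcs_rva, names_rva, ords_rva = struct.unpack_from(
        "<IIIII", image, exp_rva + 20)           # NumberOfFunctions .. AddressOfNameOrdinals
    result = {}
    for i in range(num_names):
        name = _cstr(image, _u32(image, names_rva + 4 * i))   # [names + i*4] + base
        ordinal = _u16(image, ords_rva + 2 * i)               # WORD [ords + i*2]
        if ordinal >= num_funcs:
            raise ValueError("ordinal table out of range")
        func_rva = _u32(image, funcs_rva + 4 * ordinal)       # [funcs + ordinal*4]
        if exp_rva <= func_rva < exp_rva + exp_size:          # points into the export dir:
            result[name] = _cstr(image, func_rva)             # a "DLL.Func" forwarder, not code
        else:
            result[name] = func_rva
    return result


def resolve_export(image, image_base, wanted):
    """Custom GetProcAddress: linear name scan, then image_base + function RVA."""
    target = list_exports(image).get(wanted)
    if target is None or isinstance(target, str):
        return None          # missing, or a forwarder the caller must chase in another DLL
    return image_base + target


def build_fake_module(exports):
    """Construct a minimal PE32 image whose only content is an export table.
    exports is {name: rva}. Test fixture only, not a real DLL."""
    names = sorted(exports)                      # linkers emit the name table sorted
    n = len(names)
    image = bytearray(0x400)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)    # e_lfanew
    image[0x40:0x44] = b"PE\x00\x00"
    # IMAGE_FILE_HEADER: i386, 0 sections, SizeOfOptionalHeader=0xE0, EXECUTABLE|DLL
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = 0x58
    struct.pack_into("<H", image, opt, PE32_MAGIC)
    exp_rva = 0x200
    funcs, names_tbl = exp_rva + 40, exp_rva + 40 + 4 * n
    ords, strs = names_tbl + 4 * n, names_tbl + 6 * n
    struct.pack_into("<II", image, opt + 0x60, exp_rva, 0x400 - exp_rva)  # export data dir
    # IMAGE_EXPORT_DIRECTORY: ..., Base=1, NumberOfFunctions, NumberOfNames, three tables
    struct.pack_into("<IIHHIIIIIII", image, exp_rva, 0, 0, 0, 0, 0, 1, n, n, funcs, names_tbl, ords)
    for i, name in enumerate(names):
        struct.pack_into("<I", image, funcs + 4 * i, exports[name])
        struct.pack_into("<I", image, names_tbl + 4 * i, strs)
        struct.pack_into("<H", image, ords + 2 * i, i)
        image[strs:strs + len(name)] = name.encode("ascii")
        strs += len(name) + 1
    return bytes(image)
```

Calling `resolve_export(build_fake_module({"LoadLibraryA": 0x2000, "GetProcAddress": 0x1000, "Sleep": 0x3000}), 0x7C800000, "LoadLibraryA")` returns 0x7C802000. The forwarder check matters on a real kernel32: several of its exports forward to ntdll, and a resolver that blindly adds the image base to those RVAs hands back a pointer into a string, which is one of the ways a hand-rolled resolver silently breaks.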

rendari
August 5th, 2009, 16:24
Sat down with it a bit after writing this post. A ways down from this routine it builds its own import tables, checks the user name (so as not to infect the creator?) and starts checking for Regmon, Procmon etc. using FindWindowA. Then I lose it, but I dunno, it's recreating itself and writing to other processes via VirtualAllocEx and WriteProcMem... I didn't take a look at what it was writing though.

Kayaker
August 6th, 2009, 01:02
Oh boy, have you got some explaining to do to the IT guys in India.

After all the imports are resolved (it uses PEB_LDR_DATA.InMemoryOrderModuleList to get the base address of kernel32), it loops looking for an RT_RCDATA embedded resource:

Code:

00403EC6 call FindResourceA
...
00403F0F call LoadResource
00403F15 mov [ebp+RCDATA_Start], eax


There is a decryption routine:
Code:

00403FF8 push 360h ; Size (memmove)
00403FFD push 55Fh ; int
00404002 push 360h ; int
00404007 mov eax, [ebp+RCDATA_Start1]
0040400D push eax ; RCDATA_Start1 40D5FC
0040400E mov ecx, [ebp+RCDATA_Start2]
00404011 add ecx, 55Fh
00404017 push ecx ; RCDATA_Start2 40DB5B
00404018 call DecryptResource
0040401D add esp, 10h
00404020 push eax ; Src
00404021 lea edx, [ebp+Dst]
00404027 push edx ; Dst
00404028 call ds:memmove


And we get this:

Code:

0010:0040DB5B 00020002 00020002 00000000 00000000 ................
0010:0040DB6B 00000410 00040001 72420001 6867756F ..........Brough
0010:0040DB7B 6F742074 756F7920 20794220 656B6F54 t to you By Toke
0010:0040DB8B 0000006E 00000000 00000000 00000000 n...............
0010:0040DB9B 00000000 00000000 00000000 00000000 ................
0010:0040DBAB 00000000 00000000 00000000 00000000 ................
0010:0040DBBB 00000000 00000000 00000000 00000000 ................
0010:0040DBCB 00000000 00000000 00000000 00000000 ................
0010:0040DBDB 00000000 00000000 00000000 00000000 ................
0010:0040DBEB 00000000 00000000 754A0000 52207473 ..........Just R
0010:0040DBFB 6D656D65 20726562 206F6877 20756F79 emember who you
0010:0040DC0B 20746F67 73696874 6F726620 49202C6D got this from, I
0010:0040DC1B 6C657220 65736165 74692064 6E697320 released it sin
0010:0040DC2B 70206563 6C706F65 696C2065 6320656B ce people like c
0010:0040DC3B 656E6F72 656C2072 20686365 746F6C61 roner leech alot
0010:0040DC4B 6854202E 206B6E61 20756F79 20646E61 . Thank you and
0010:0040DC5B 656D6572 7265626D ----202C -------- remember, ------
0010:0040DC6B 65726120 62206120 68636E75 20666F20 are a bunch of
0010:0040DC7B 7362756E 74697720 6D732068 206C6C61 nubs with small
0010:0040DC8B 6B636964 20736569 4F4E2028 4D4F4820 dickies ( NO HOM
0010:0040DC9B 2E29204F 6A6E4520 0000796F 00000000 O ). Enjoy......
0010:0040DCAB 00000000 00000000 00000000 00000000 ................
0010:0040DCBB 00000000 00000000 00000000 00000000 ................
0010:0040DCCB 00000000 00000000 00000000 00000000 ................
0010:0040DCDB 00000000 00000000 00000000 00000000 ................
0010:0040DCEB 00000000 00000000 00000000 00000000 ................
0010:0040DCFB 00000000 00000000 00000000 00000000 ................
0010:0040DD0B 00000000 00000000 00000000 00000000 ................
0010:0040DD1B 00000000 00000000 00000000 00000000 ................
0010:0040DD2B 00000000 00000000 00000000 00000000 ................
0010:0040DD3B 00000000 00000000 00000000 00000000 ................
0010:0040DD4B 00000000 00000000 00000000 00000000 ................
0010:0040DD5B 00000000 00000000 00000000 00000000 ................
0010:0040DD6B 00000000 00000000 00000000 00000000 ................
0010:0040DD7B 00000000 00000000 00000000 00000000 ................
0010:0040DD8B 00000000 00000000 00000000 00000000 ................
0010:0040DD9B 00000000 00000000 00000000 00000000 ................
0010:0040DDAB 00000000 00000000 00000000 00000000 ................
0010:0040DDBB 00000000 00000000 00000000 00000000 ................
0010:0040DDCB 00000000 00000000 00000000 00000000 ................
0010:0040DDDB 00000000 00000000 00000000 00000000 ................
0010:0040DDEB 00000000 00000000 00000000 654B0000 ..............Ke
0010:0040DDFB 00000079 00000000 00000000 00000000 y...............
0010:0040DE0B 00000000 00000000 00000000 00000000 ................
0010:0040DE1B 00000000 00000000 00000000 00000000 ................
0010:0040DE2B 00000000 00000000 00000000 53250000 ..............%S
0010:0040DE3B 65747379 6F6F526D 735C2574 65747379 ystemRoot%\syste
0010:0040DE4B 5C32336D 656C6966 6578652E 00000000 m32\file.exe....
0010:0040DE5B 00000000 00000000 00000000 00000000 ................
0010:0040DE6B 00000000 00000000 00000000 00000000 ................
0010:0040DE7B 00000000 00000000 00000000 00000000 ................
0010:0040DE8B 00000000 00000000 00000000 00000000 ................
0010:0040DE9B 00000000 00000000 00000000 00000000 ................
0010:0040DEAB 00000000 00000000 00000000 00000000 ................



I haven't followed it any further. You might want to start with deleting that identified filename in %SystemRoot% if it exists.

Good luck

Kayaker

r0main
August 11th, 2009, 14:36
Hi,

It's Zbot.
It drops sdra64.exe to %Windir%\system32 and adds its path to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
It also creates the folder %Windir%\system32\lowsec.

Clean the registry key, reboot and delete the dropped files.

Regards,

r0main
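A check for the Userinit persistence r0main describes, as an added example that is not part of the original thread. The registry value strings it is tested against are constructed; `read_live_userinit()` is the only function that touches a real registry, and only on a Windows host. The logic generalizes slightly beyond this sample: any entry other than the real userinit.exe is reported, not just sdra64.exe.

```python
"""
Added example, not code from the original thread: inspect the Winlogon
Userinit value for extra entries (Zbot appends its dropped sdra64.exe) and
look for the dropped files. Registry strings in the tests are constructed.
"""
import os
import re

USERINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERINIT_VALUE = "Userinit"


def parse_userinit(value):
    """Userinit is a comma-separated list of programs; Winlogon tolerates a
    trailing comma, so the default value ends in one and splits to one entry."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def expand_system_root(path, system_root):
    # function replacement: a plain string would have re.sub interpret the
    # backslashes in C:\WINDOWS as escapes
    return re.sub(r"%systemroot%", lambda _m: system_root, path, flags=re.IGNORECASE)


def suspicious_userinit_entries(value, system_root=r"C:\WINDOWS"):
    """Return every Userinit entry that is not the genuine userinit.exe.

    The comparison is case-insensitive and expands %SystemRoot%, so the
    legitimate default never trips it; an appended sdra64.exe does.
    """
    expected = (system_root.rstrip("\\") + r"\system32\userinit.exe").lower()
    return [entry for entry in parse_userinit(value)
            if expand_system_root(entry, system_root).lower() != expected]


def userinit_is_clean(value, system_root=r"C:\WINDOWS"):
    """True only when the value names userinit.exe and nothing else.
    An empty value is not clean either: Winlogon would then run nothing."""
    return (len(parse_userinit(value)) == 1
            and not suspicious_userinit_entries(value, system_root))


def zbot_file_indicators(system_root=r"C:\WINDOWS"):
    """Paths named in the thread (dropped sdra64.exe, lowsec folder) that exist here."""
    candidates = [os.path.join(system_root, "system32", "sdra64.exe"),
                  os.path.join(system_root, "system32", "lowsec")]
    return [p for p in candidates if os.path.exists(p)]


def read_live_userinit():
    """Read the real value on a Windows host; None anywhere else."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERINIT_KEY) as key:
        value, _type = winreg.QueryValueEx(key, USERINIT_VALUE)
    return value


if __name__ == "__main__":
    live = read_live_userinit()
    if live is None:
        print("not on Windows; nothing to inspect")
    else:
        print("Userinit =", live)
        print("unexpected entries:", suspicious_userinit_entries(live, os.environ.get("SystemRoot", r"C:\WINDOWS")))
        print("dropped files present:", zbot_file_indicators(os.environ.get("SystemRoot", r"C:\WINDOWS")))
```

When cleaning, rewrite the value to the single genuine path with its trailing comma before rebooting; if userinit.exe is removed from the list by mistake no one can log on interactively, which is a worse outcome than the infection you were fixing.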

rendari
August 11th, 2009, 20:34
Thanks a lot r0main! You appear to be correct.

Cheers!

Lula8r
August 24th, 2009, 05:59
I do not use antivirus at all... but I do use ghosts... Norton Ghost is the best. Whenever there is a new virus I go back to the previous version of XP in 5 minutes.

evlncrn8
August 24th, 2009, 11:26
For unknown viruses maybe, but for ones that are detected, having the anti-virus running would save more time than having to ghost back and forth. Also it really depends on how many times you ghost, doesn't it?

dezuzi
September 16th, 2009, 23:45
Quote (originally posted by r0main):
Hi,

It's Zbot.
It drops sdra64.exe to %Windir%\system32 and adds its path to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
It also creates the folder %Windir%\system32\lowsec.

Clean the registry key, reboot and delete the dropped files.

Regards,

r0main


Yes, sdra64.exe will be started after a reboot; you can't touch it because winlogon.exe has a handle open on it once it's first run (you'll have to close the handle).

So before a reboot it's not executed yet. It also creates two files in %TEMP% called bot.exe and HsLogViewer2.exe, although it runs sdra64.exe only AFAIK.

When sdra64 is run, it checks for certain monitoring tools such as:
SbieDLL.dll
C:\sample.exe
C:\windows\system32\sample_1.exe
Process monitor, file monitor, registry monitor
Wireshark network analyzer

While it's running it creates another instance (suspended) of itself and rewrites its memory so it's not executing the same code the first instance ran.
Then it resumes the created process and exits the first.