a nice paper on a trojan/malware


blabberer
April 3rd, 2007, 10:12
recently i was playing as usual with some of my weird ideas in an unknown comp

i happened to stop very early in the process creation routine

my process was calc.exe and i knew i should have only a memory map in 0x1000000 which is its preferred address

Code:

Memory map
Address Size (Decimal) Owner Section Contains Type Access Initial Mapped as
00010000 00001000 (4096.) Priv 00021004 RW RW
00020000 00001000 (4096.) Priv 00021004 RW RW
0006E000 00001000 (4096.) Priv 00021104 RW Guar RW
0006F000 00001000 (4096.) stack of mai Priv 00021104 RW Guar RW
00070000 00001000 (4096.) Map 00041002 R R
00080000 00002000 (8192.) Map 00041002 R R
00400000 0001B000 (110592.) Priv 00021002 R
01000000 0001F000 (126976.) Imag 01001002 R RWE
77F50000 000A7000 (684032.) Imag 01001002 R RWE
7FFB0000 00024000 (147456.) Map 00041002 R R
7FFDE000 00001000 (4096.) data block o Priv 00021040 RWE RWE
7FFDF000 00001000 (4096.) Priv 00021040 RWE RWE
7FFE0000 00001000 (4096.) Priv 00021002 R R



but what i see is one entry at 0x400000 wtf who is lurking here ?
lets dump it
the pe header looks suspicious enough
Code:

00400000 4D 5A 40 00 00 00 00 00 01 00 00 00 80 EE 36 00 MZ@........€6.
00400010 60 EA 00 00 60 EA 00 00 60 EA 00 00 80 4F 12 00 `..`..`..€O.



the section headers are even weirder

Code:

00400000 MZ@........€6.`..`..`..€O.`..&......................
00400040 ^}f}(@xIŠG™˜7•7*”95l!(^}f}(@ŒNzV†QŽSŽFW5œ;`?
00400080 tgŽx[*@•ž}L&QSe”˜M/6!`5$W‰(KlF
004000C0 괧Y›V€CD)HŒf‘“.G;ova*ud—h‹"]†10
00400100 3*E™2-<–ƒ:„7iˆ+B_PJ‡.9{R\#Z>.bqp
00400140 sj…4'N8rm|OA.zUw^k‚=.ŸŠ%TnyX’.œ cš~I,?
00400180 tgŽx[*@•ž}L&QSe”˜M/6!`5$W‰(KlF
004001C0 괧Y›V€CD)HŒf‘PE..L.rE.........K...
00400200 .$.................@.................................
00400240 .......................................................
00400280 ..............................................................
004002C0 .........................tsdgz........h.................@..
00400300 .fcj....4.........l..............@...tmn....0.........n..
00400340 ............@...ponkl............~.............. ..........


ponk tsgdz wtf

mind you an active antivirus with updated virus definition is running in the background and it is not detecting it

so its time to stop what i was doing and look for what this crap is

lets first dump this memory as it is

right click --> create backup
right click --> save backup to file
lets save it with default name to desktop
Code:

dir /s/b *.mem
\Desktop\_00400000.mem


let's run strings on it
>strings _00400000.mem > resu.txt

woot, 12 kb worth of strings, let's check it out

Code:


Strings v2.2
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\WINDOWS\System32\wsnpoem\video.dll
C:\WINDOWS\System32\ntos.exe
Service Pack 1
C:\WINDOWS\System32\wsnpoem\audio.dll
Connection: close
HTTP/1.0 200 Connection established
Content-Length:
*keep-alive*
Connection:
Proxy-Connection:
http://
CONNECT



lets check if this is avl

Code:

C:\WINDOWS\system32\wsnpoem>dir
Volume in drive C has no label.
Volume Serial Number is 276D-07F3

Directory of C:\WINDOWS\system32\wsnpoem

03/02/2007 09:25 AM <DIR> .
03/02/2007 09:25 AM <DIR> ..
04/03/2007 07:49 PM 2,815 video.dll
04/03/2007 08:00 PM 0 audio.dll
2 File(s) 2,815 bytes
2 Dir(s) 578,920,448 bytes free

C:\WINDOWS\system32\wsnpoem>

C:\WINDOWS\system32>dir /s /b nto*.*
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\Setup\ntoc.dll
C:\WINDOWS\system32\dllcache\ntoc.dll

C:\WINDOWS\system32>del ntos.exe
C:\WINDOWS\system32\ntos.exe
The process cannot access the file because it is being used by another process.

some fsck is using it but it is not visible in taskmgr

C:\WINDOWS\system32>


Code:

C:\>tasklist

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 20 K
System 4 Console 0 48 K
SMSS.EXE 376 Console 0 40 K
CSRSS.EXE 548 Console 0 1,220 K
WINLOGON.EXE 584 Console 0 1,044 K
SERVICES.EXE 972 Console 0 968 K
LSASS.EXE 984 Console 0 1,400 K
SVCHOST.EXE 1296 Console 0 1,884 K
SVCHOST.EXE 1388 Console 0 6,664 K
SVCHOST.EXE 1576 Console 0 708 K
SVCHOST.EXE 1600 Console 0 1,640 K
ccEvtMgr.exe 1752 Console 0 496 K
SPOOLSV.EXE 1884 Console 0 692 K
Navapsvc.exe 708 Console 0 704 K
ccApp.exe 748 Console 0 892 K
UTSCSI.EXE 944 Console 0 36 K
EXPLORER.EXE 1148 Console 0 13,856 K
iexplore.exe 1924 Console 0 9,392 K
cmd.exe 684 Console 0 716 K
tasklist.exe 516 Console 0 3,608 K
wmiprvse.exe 1904 Console 0 4,788 K

C:\>


been here for quite a few days it seems; dunno how much information it has stolen so far and don't know how many ppl have unwittingly given their credit card numbers and their wives' names to this dacoit of a program

and this ntos leads me to this paper

http://www.securescience.net/securescienceblog/malwarecasestudy.html
http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf

enjoy reading; nice dissection from the looks of the paper

when i get time i would corroborate this paper with my captive till then
happy malwarezzing

edit: looks like the actual ntos.exe that i couldn't delete
and the memory dump are vastly different

probably the one i dumped is a father

Code:



>dir
Volume in drive C has no label.
Volume Serial Number is 276D-07F3


02/19/2007 01:17 AM <DIR> .
02/19/2007 01:17 AM <DIR> ..
03/25/2007 02:07 PM 50,756 mcshield.exe
04/03/2007 08:04 PM 633,663 pubMalwareCaseStudy.pdf
04/03/2007 08:17 PM 110,592 _00400000.mem
12/24/2005 09:34 AM 36,864 strings.exe
04/03/2007 08:22 PM 12,280 resu.txt
04/03/2007 08:28 PM 4,256 resu1.txt
07/15/2003 12:00 PM 134,656 NTOS.EXE
9 File(s) 2,589,726 bytes
2 Dir(s) 576,405,504 bytes free



but after my surgery the cancer isn't in the memory map, so obviously i have bought time it seems

ill have to dig into my memdump on how it behaves

Code:

Memory map
Address Size Owner Section Contains Type Access Initial Mapped as
00010000 00001000 Priv RW RW
00020000 00001000 Priv RW RW
0006E000 00001000 Priv RW Guar RW
0006F000 00001000 stack of mai Priv RW Guar RW
00070000 00001000 Map R R
00080000 00002000 Map R R
01000000 0001F000 Imag R RWE
77F50000 000A7000 Imag R RWE
7FFB0000 00024000 Map R R
7FFDE000 00001000 data block o Priv RWE RWE
7FFDF000 00001000 Priv RWE RWE
7FFE0000 00001000 Priv R R


no entry at 0x400000 for the moment

i at the moment have no time to play with this
uploaded here for anyone to check out
it is live infected; the first layer of zip is password protected
password is infected
it contains a renamed zip, ntoscrapzip; rename it back to ntoscrap.zip
this contains three files
1) ntos.exe
2) _00400000.mem (real dump from my memory map)
3) one more crap that was in autorun (not detected by av, don't know wtf it is)
i hate unknown autoruns so i try to grab them all; name is mcshield.exe
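The trick that exposed the stowaway above is worth turning into a repeatable check: in the OllyDbg memory map, calc.exe's own image is the Imag-type mapping at 0x01000000, whereas the region at 0x00400000 is Priv (private, not backed by any file on disk) yet starts with an MZ header. A PE image living in private memory is exactly what a manually mapped or injected module looks like. The following script is an added example, not code from the post or the paper it links to: it parses memory-map lines in the text layout quoted above and flags private regions whose first bytes are a PE header, or image mappings with no owning module. The map lines, the region bytes and the reader function are constructed samples; on a real target you would replace sample_reader with something that reads the live process or the .mem dump.

```python
import re
import struct

# One memory-map line in the OllyDbg text layout quoted in the post: base, size,
# optional "(decimal.)", free-text owner/section/contains, then the Type column.
MAP_LINE = re.compile(
    r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(?:\(\d+\.\)\s*)?(.*?)\s*(Priv|Map|Imag)\b.*$"
)

# Constructed sample map (not the real dump): calc's image at 0x01000000, ntdll,
# and one private region at 0x00400000 that should not contain code.
SAMPLE_MAP = """\
Address Size (Decimal) Owner Section Contains Type Access Initial Mapped as
00010000 00001000 (4096.) Priv 00021004 RW RW
00400000 0001B000 (110592.) Priv 00021002 R
01000000 0001F000 (126976.) calc PE header Imag 01001002 R RWE
77F50000 000A7000 (684032.) ntdll PE header Imag 01001002 R RWE
7FFE0000 00001000 (4096.) Priv 00021002 R R
"""


def parse_memory_map(text):
    """Turn the map text into a list of {base, size, owner, type} dicts; non-map lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if not m:
            continue  # column header, "Memory map" title, or chatter
        base, size, middle, kind = m.groups()
        regions.append({"base": int(base, 16), "size": int(size, 16),
                        "owner": middle.strip(), "type": kind})
    return regions


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_unbacked_images(regions, read_bytes):
    """Flag PE headers in private memory and image mappings without an owner.

    read_bytes(base, n) must return the first n bytes of the region or None if unreadable.
    """
    findings = []
    for r in regions:
        head = read_bytes(r["base"], 0x200) or b""
        if r["type"] == "Priv" and head[:2] == b"MZ":
            findings.append({"base": r["base"], "valid_pe": looks_like_pe(head),
                             "reason": "MZ header in private (non-image-backed) memory"})
        elif r["type"] == "Imag" and not r["owner"]:
            findings.append({"base": r["base"], "valid_pe": looks_like_pe(head),
                             "reason": "image mapping with no owning module"})
    return findings


def build_fake_pe(e_lfanew=0x80, size=0x200):
    """Constructed minimal PE header: MZ, e_lfanew at 0x3C, 'PE\\0\\0' at e_lfanew."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


# Constructed region contents keyed by base address (stand-in for the live process).
SAMPLE_BYTES = {
    0x00400000: build_fake_pe(),  # the stowaway: a PE image sitting in private memory
    0x01000000: build_fake_pe(),  # legitimate: calc's own file-backed image mapping
    0x00010000: bytes(0x200),     # ordinary private data, no MZ
}


def sample_reader(base, n):
    data = SAMPLE_BYTES.get(base)
    return None if data is None else data[:n]


def scan_sample():
    return find_unbacked_images(parse_memory_map(SAMPLE_MAP), sample_reader)


if __name__ == "__main__":
    for f in scan_sample():
        print("%08X  %s (valid PE: %s)" % (f["base"], f["reason"], f["valid_pe"]))
```

The dump in the post shows that a header can be deliberately scrambled (the PE signature there sits nowhere near where e_lfanew would normally put it), which is why the check reports any MZ in private memory and records valid_pe separately rather than requiring a well-formed header before raising a finding.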

JMI
April 3rd, 2007, 13:15
There is also some discussion of this Trojan in a thread at Lavasoft:

http://www.lavasoftsupport.com/?showtopic=4792

which also has links to study of the beast:

http://www.securescience.net/securescience...ecasestudy.html

which, in turn, links back to your

http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf

case study.

Their comments include:

FAO HJT log experts, one of the following 2 entries will signify the presence of this trojan. Its removal is not difficult, kill the principal executable (Ntos.exe) and the infection/effects are neutered.

O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
or
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe

They also report that:

"The bad news is as with Morphine z-lob this trojan is now being repacked as regular as clockwork (names, file size etc) to evade detections & cleaning routines but yet still retaining its thoroughly unpleasant operative capabilities listed in the PDF research paper."

There's also a CastleCops Thread found here:

http://www.castlecops.com/t171215-barclay_ntos_exe.html

Regards,
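The two HijackThis lines quoted above describe the trojan's persistence: it either registers a Run value called "userinit" or appends itself to the Winlogon Userinit value after the real userinit.exe. Both are easy to audit because the legitimate configuration is fixed: Userinit should name only userinit.exe, and the real userinit is launched by Winlogon, never from a Run key. The script below is an added example, not code from the thread or from Lavasoft: it checks a Userinit string and a dictionary of Run values against those two rules, and on Windows can read the live keys through winreg. The sample values are constructed to mirror the quoted entries; the name ExampleUpdater and its path are made up.

```python
import ntpath

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def check_userinit_value(value):
    """Return every comma-separated Userinit entry that is not userinit.exe."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            extras.append(entry)
    return extras


def check_run_values(run_values):
    """run_values maps Run value name -> command line.

    The real userinit is never started from Run, so a Run value named after it
    is reported whatever it points to.
    """
    return [(name, cmd) for name, cmd in run_values.items()
            if name.strip().lower() == "userinit"]


def audit(userinit_value, run_values):
    """Combine both checks into a list of human-readable findings (empty when clean)."""
    findings = []
    for extra in check_userinit_value(userinit_value):
        findings.append("Userinit launches an extra program: " + extra)
    for name, cmd in check_run_values(run_values):
        findings.append("Run value named %r points to %s" % (name, cmd))
    return findings


def audit_live():
    """On Windows, read the two keys with winreg and audit them; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit_value = winreg.QueryValueEx(key, "Userinit")[0]
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            run_values[name] = str(data)
            i += 1
    return audit(userinit_value, run_values)


# Constructed samples modelled on the two HijackThis lines quoted in the post.
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_RUN = {"userinit": r"C:\WINDOWS\system32\ntos.exe",
                "ExampleUpdater": r"C:\Program Files\Example\updater.exe"}  # hypothetical
CLEAN_RUN = {"ExampleUpdater": r"C:\Program Files\Example\updater.exe"}  # hypothetical

if __name__ == "__main__":
    for line in audit(INFECTED_USERINIT, INFECTED_RUN):
        print(line)
    live = audit_live()
    if live is not None:
        print("live system:", live or "clean")
```

The split-on-comma handling matters because a clean Userinit value normally ends with a trailing comma, so an empty final entry must not be reported; the basename comparison makes the check independent of the drive letter, which is why the D:\ variant in the F2 line is handled the same way as C:\.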

fr33ke
April 3rd, 2007, 16:38
Please search before posting. This (http://www.woodmann.com/forum/showthread.php?t=9981) is almost the same trojan. I think it is (a variant of) Trojan-Spy.Win32.Banker.cmb.
Probably yours is an earlier version because the one I am studying has some of the strings you found in an encrypted form, doesn't use hardcoded addresses and has another "better" way of finding out the service pack.

fr33ke
April 5th, 2007, 07:00
I checked out mcshield and it looks like MiniRAT (aka Trojan.XK). The description of Trojan.XK matches my disassembly and it drops a dll with one export: miniratMain.

Virustotal links:
mcshield exe: http://www.virustotal.com/vt/en/resultadof?3c6ca50ecd345efecce3d9b888796db1
dropped DLL: http://www.virustotal.com/vt/en/resultadof?82458088f306ef1e209e62069994fd13