W32.Waledac Analysis

Since 20 January 2009, a worm named W32.Waledac has been responsible for a wave of spam e-mails. People reported spam messages linking to http://store.worldnewsdot.com or http://topwale.com.
I also visited the site to see what all the fuss was about by pointing Firefox at the URL. I was presented with a nice picture full of tempting hearts and roses, asking me to choose one. When I clicked a heart, the site tried to download onlyyou.exe onto my system, and that is how it started.

First of all, note that the file name changes with the site's index page. For example, plenty of people were presented with a fake Obama home page, and the file offered for download was named barackblog.exe or obamanews.exe. Links to ecards.exe and similar names were also confirmed by some visitors.

Following is the analysis of onlyyou.exe, a.k.a. the W32.Waledac worm.

Lab Setup:
Host System: Windows Vista (fully patched, with up-to-date antivirus software installed)
Guest Systems:

1) Windows XP SP2 (fully patched)
IP: 192.168.230.128 (analyzer machine)

2) BackTrack 3
IP: 192.168.230.129 (sniffing and application server)

I downloaded onlyyou.exe and copied it to my analysis sandbox. Let's start with static analysis of the downloaded potential malware.

The best way to start static analysis of malware is to calculate hash values and extract the strings used in the binary. The hashes are useful later to check whether the malware has dropped a copy of itself somewhere on the system. The malware binary was 386 KB in size.

As most malware is compressed or packed, I tried to detect the packer using the well-known PEiD tool.

As PEiD failed to detect the packer, I tried the malware under RDG Packer Detector, but in vain: it also reported nothing.

To confirm whether the malware is packed or not, I opened it under OllyDbg and got the error "Text section of exe is heavily compressed or encrypted." This confirmed that the malware is compressed with some custom-made packer or
carries its own encryption/decryption routine inside.
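Hashing, string extraction and packer detection can be scripted rather than done by hand. The following Python is an added example written for this page, not code from the original post or from any of the tools it mentions: it hashes a file, extracts printable strings, walks the PE section table and measures the Shannon entropy of each section, which is the usual fallback heuristic when PEiD and RDG find no signature, because a compressed or encrypted section has entropy close to 8 bits per byte. The input is a constructed PE32 skeleton built inside the script (not a real binary and not the Waledac sample); the 7.0 threshold in `likely_packed` is my assumption.

```python
import hashlib
import math
import re
import struct

# Hypothetical triage helper for this page, not the tooling the post used.

def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole file, for matching dropped copies later."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def ascii_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, roughly 5-6 for compiled code, >7 for packed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(data: bytes) -> list:
    """Walk the PE section table and measure the entropy of each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    n_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII16x", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections

def likely_packed(sections: list, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests compression or encryption (threshold is an assumption)."""
    return [s["name"] for s in sections if s["raw_size"] and s["entropy"] >= threshold]

def build_sample_pe(section_contents) -> bytes:
    """Constructed, non-runnable PE32 skeleton so the example works offline (not a real binary)."""
    n = len(section_contents)
    opt_size, align = 224, 0x200
    headers_len = -(-(0x40 + 4 + 20 + opt_size + 40 * n) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)  # i386, executable image
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    table, body, raw_ptr, vaddr = b"", b"", headers_len, 0x1000
    for name, content in section_contents:
        padded = content + b"\0" * (-len(content) % align)
        table += struct.pack("<8sIIII16x", name.ljust(8, b"\0"), len(content), vaddr, len(padded), raw_ptr)
        body += padded
        raw_ptr += len(padded)
        vaddr += -(-len(padded) // 0x1000) * 0x1000
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(headers_len, b"\0") + body

# Constructed sample: a ".text" of uniformly distributed bytes (what a packed or encrypted
# section looks like) next to a low-entropy ".rdata" carrying one visible string.
SAMPLE = build_sample_pe([
    (b".text", bytes(range(256)) * 4),
    (b".rdata", b"X-Request-Kind-Code: nodes\0"),
    (b".data", b"\0" * 0x200),
])

if __name__ == "__main__":
    for algo, digest in file_hashes(SAMPLE).items():
        print(f"{algo}: {digest}")
    for sec in pe_sections(SAMPLE):
        print(f"{sec['name']:8} rva=0x{sec['virtual_address']:x} size={sec['raw_size']} entropy={sec['entropy']}")
    print("likely packed:", likely_packed(pe_sections(SAMPLE)))
    print("strings:", ascii_strings(SAMPLE))
```

Run the file to print the hashes, per-section entropy and the packed verdict; for a real sample pass `open(path, "rb").read()` to `pe_sections`. Near-maximal entropy in the code section, or a section that is both writable and executable, is the fingerprint of a self-unpacking binary, and it is exactly the condition that makes the on-disk strings uninformative until the process is dumped from memory.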

We will split this whole analysis into static, behavioural and code analysis sections.

As I knew the malware had encrypted sections, there was only a slim chance of getting anything interesting out of the on-disk strings.

As part of the static analysis, I ran the Linux objdump tool (objdump -p) on the malware and found the following entries in its import table.
<snip>

The Import Tables (interpreted .text section contents)
vma:            Hint    Time      Forward  DLL       First
Table   Stamp     Chain    Name      Thunk
00060190       0006021c 00000000 00000000 000603f2 00001000

DLL Name: ADVAPI32.dll
vma:  Hint/Ord Member-Name Bound-To
60310     419  RegOpenCurrentUser
60326      11  AccessCheckByTypeAndAuditAlarmW
60348     421  RegOpenKeyExA
60358      68  ConvertAccessToSecurityDescriptorA
6037e     392  QueryWindows31FilesMigration
6039e     258  ImpersonateLoggedOnUser
603b8     408  RegEnumKeyA
603c6      55  ChangeServiceConfigA
603de     526  SystemFunction028

000601a4       00060244 00000000 00000000 00060524 00001028

DLL Name: KERNEL32.dll
vma:  Hint/Ord Member-Name Bound-To
60400     415  GlobalAddAtomA
60412     520  NlsConvertIntegerToString
6042e     605  RtlZeroMemory
6043e     502  LockFileEx
6044c      38  CompareStringW
6045e     110  DosPathToSessionPathA
60476     136  EnumSystemLanguageGroupsW
60492     243  GetConsoleCommandHistoryA
604ae     806  _llseek
604b8     515  MoveFileW
604c4     661  SetEvent
604d0     120  EnumCalendarInfoW
604e4     264  GetConsoleWindow
604f8     259  GetConsoleNlsMode
6050c     625  SetConsoleCtrlHandler

000601b8       00060284 00000000 00000000 000605be 00001068

DLL Name: USER32.dll
vma:  Hint/Ord Member-Name Bound-To
60532     482  PeekMessageA
60542     112  DdeGetLastError
60554     329  GetSystemMenu
60564     286  GetLastInputInfo
60578     538  SendMessageCallbackA
60590     145  DestroyWindow
605a0     686  WinHelpA
605ac     466  NotifyWinEvent

000601cc       000602a8 00000000 00000000 0006063a 0000108c
</snip>

You can also use the dumpbin utility shipped with Visual Studio (dumpbin /imports) to get similar output.

Static analysis showed nothing malicious about the binary beyond its compressed text section, so I decided to execute it in a controlled VMware environment and start the behavioural analysis.

On the XP VM, I started Process Explorer, RegMon, TDIMon and FileMon before executing the malware. I paused RegMon, TDIMon and FileMon by pressing Ctrl+E and ran Regshot to take the first snapshot of the registry.

Then I resumed RegMon, TDIMon and FileMon by pressing Ctrl+E again, double-clicked onlyyou.exe and let the malware run for about a minute, after which I took the second Regshot snapshot and compared the two.
Following are my observations.
REGSHOT:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: “C:\OnlyYou\onlyyou.exe”
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer: “192.168.230.2”
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpDomain: “localdomain”
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer: “192.168.230.2”
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain: “localdomain”

HKU\******\Software\Microsoft\Windows\CurrentVersion\RList: <Hex Values>
HKU\******\Software\Microsoft\Windows\CurrentVersion\MyID: <Hex Values>

The Regshot comparison confirmed that the malware set itself up as a startup item by adding itself under the well-known Run key. The DhcpNameServer and DhcpDomain changes are just the VM refreshing its DHCP lease from VMware's NAT (192.168.230.2) and are not malware activity. The hex data in RList and MyID is probably state used by the payload (judging by the names, a peer list and this node's identifier).

RegMon:

3495    92.38476563    explorer.exe:912    QueryValue    HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\OnlyYou\onlyyou.exe    NOT FOUND

3504    92.44725800    explorer.exe:912    SetValue    HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\OnlyYou\onlyyou.exe    SUCCESS    “Ccjnjori Utility”

4689    94.05957794    onlyyou.exe:1384    OpenKey    HKCU\Software\Microsoft\Windows\CurrentVersion    SUCCESS    Access: 0x20019
4690    94.06147003    onlyyou.exe:1384    QueryValue    HKCU\Software\Microsoft\Windows\CurrentVersion\RList    NOT FOUND
4691    94.06368256    onlyyou.exe:1384    CloseKey    HKCU\Software\Microsoft\Windows\CurrentVersion    SUCCESS
4692    94.06376648    onlyyou.exe:1384    OpenKey    HKCU\Software\Microsoft\Windows\CurrentVersion    SUCCESS    Access: 0x20006
4693    94.06613922    onlyyou.exe:1384    SetValue    HKCU\Software\Microsoft\Windows\CurrentVersion\RList    SUCCESS    A4 1D F8 0B F7 E8 5A F6 …

The RegMon output above confirmed the Regshot comparison: the RList value is written by onlyyou.exe itself. The MUICache entry is written by Explorer, which records the binary's description string ("Ccjnjori Utility") when it launches the file, so it is evidence that the file was executed rather than an action of the malware.

TDIMon:

96    191.85986878    onlyyou.exe:1384    8142ED50    IRP_MJ_CLEANUP    TCP:0.0.0.0:1158        SUCCESS
97    191.87842114    onlyyou.exe:1384    81926BE8    IRP_MJ_CREATE    TCP:0.0.0.0:0        SUCCESS    Address Open
98    191.87860105    onlyyou.exe:1384    81926BE8    TDI_SET_EVENT_HANDLER    TCP:0.0.0.0:1159        SUCCESS    Error Event
99    191.87863932    onlyyou.exe:1384    81926BE8    TDI_SET_EVENT_HANDLER    TCP:0.0.0.0:1159        SUCCESS    Disconnect Event
100    191.87866475    onlyyou.exe:1384    81926BE8    TDI_SET_EVENT_HANDLER    TCP:0.0.0.0:1159        SUCCESS    Receive Event
101    191.87868849    onlyyou.exe:1384    81926BE8    TDI_SET_EVENT_HANDLER    TCP:0.0.0.0:1159        SUCCESS    Expedited Receive Event
102    191.87871196    onlyyou.exe:1384    81926BE8    TDI_SET_EVENT_HANDLER    TCP:0.0.0.0:1159        SUCCESS    Chained Receive Event
103    191.87873822    onlyyou.exe:1384    81926BE8    TDI_QUERY_INFORMATION    TCP:0.0.0.0:1159        SUCCESS    Query Address
104    191.87883125    onlyyou.exe:1384    81926BE8    TDI_QUERY_INFORMATION    TCP:0.0.0.0:1159        SUCCESS    Query Address
105    191.87891506    onlyyou.exe:1384    81926640    IRP_MJ_CREATE    TCP:Connection obj        SUCCESS    Context:0x81891718
106    191.87898378    onlyyou.exe:1384    81926640    TDI_ASSOCIATE_ADDRESS    TCP:Connection obj        SUCCESS    TCP:0.0.0.0:1159
107    191.87902988    onlyyou.exe:1384    81926640    TDI_CONNECT    TCP:0.0.0.0:1159    119.63.67.148:80    CONNECTION_REFUSED-138

The TDIMon output above confirmed that the malware is trying to reach remote hosts on TCP port 80. I dug deeper into the TDIMon logs and listed all the IP addresses the malware tried to connect to.

The Wireshark trace on the BackTrack VM showed outbound connections to the same IP addresses collected from the TDIMon logs. The malware kept retrying those IPs on port 80. Here is the list of IP addresses contacted, as extracted from the logs (a few addresses repeat):

153.90.198.143
121.245.118.96
213.93.5.156
89.137.140.188
116.74.166.23
84.21.11.130
72.18.126.44
195.130.117.153
69.107.115.240
88.113.75.58
83.228.103.150
69.247.34.53
24.32.227.16
98.233.247.137
76.103.225.218
88.113.149.71
84.16.228.132
88.113.75.58
189.12.244.154
88.169.36.169
153.90.198.143
76.103.255.218
98.233.247.137
83.228.103.150
173.33.196.175
89.137.140.188
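Pulling the persistence write and the connect targets out of the monitor logs by hand is tedious on a longer run. The following script is an added example written for this page, not the post's own tooling: it parses the tab-separated "Save As" exports of RegMon and TDIMon, reports successful writes to auto-start locations, and collects the remote endpoints of TDI_CONNECT lines into an IOC list. The MUICache and RList RegMon lines and TDIMon lines 106 and 107 are reproduced from the excerpts above; the remaining sample lines (the PromoReg write, the later connects and the svchost DNS lookup) are constructed in the same column format, and the ASEP key list is my assumption rather than something the post enumerates.

```python
import re
from collections import Counter

# Auto-start (ASEP) locations worth alerting on when a fresh sample writes to them.
# This list is an assumption for the example; extend it for your own triage.
ASEP_PATTERNS = [
    re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
    re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
    re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I),
]

def _line(*cols):
    """Sysinternals exports are tab-separated; build the sample lines the same way."""
    return "\t".join(cols)

# Constructed sample logs: MUICache, RList and TDI lines 106/107 come from this page,
# the PromoReg write, the later connects and the svchost lookup are made up.
REGMON_LOG = "\n".join([
    _line("3504", "92.44725800", "explorer.exe:912", "SetValue",
          r"HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\OnlyYou\onlyyou.exe",
          "SUCCESS", '"Ccjnjori Utility"'),
    _line("4693", "94.06613922", "onlyyou.exe:1384", "SetValue",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\RList",
          "SUCCESS", "A4 1D F8 0B F7 E8 5A F6 ..."),
    _line("4720", "94.10212000", "onlyyou.exe:1384", "SetValue",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg",
          "SUCCESS", r'"C:\OnlyYou\onlyyou.exe"'),
    _line("4721", "94.10300000", "onlyyou.exe:1384", "SetValue",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg",
          "ACCESS DENIED"),
])

TDIMON_LOG = "\n".join([
    _line("106", "191.87898378", "onlyyou.exe:1384", "81926640", "TDI_ASSOCIATE_ADDRESS",
          "TCP:Connection obj", "SUCCESS", "TCP:0.0.0.0:1159"),
    _line("107", "191.87902988", "onlyyou.exe:1384", "81926640", "TDI_CONNECT",
          "TCP:0.0.0.0:1159", "119.63.67.148:80", "CONNECTION_REFUSED-138"),
    _line("131", "203.11042000", "onlyyou.exe:1384", "81926640", "TDI_CONNECT",
          "TCP:0.0.0.0:1160", "153.90.198.143:80", "CONNECTION_REFUSED-138"),
    _line("158", "215.42871000", "onlyyou.exe:1384", "81926640", "TDI_CONNECT",
          "TCP:0.0.0.0:1161", "153.90.198.143:80", "SUCCESS"),
    _line("160", "215.50118000", "svchost.exe:1040", "81A0C2F8", "TDI_CONNECT",
          "UDP:0.0.0.0:1025", "192.168.230.2:53", "SUCCESS"),
])

def split_fields(line: str) -> list:
    """Columns are separated by tabs (or runs of spaces when pasted); single spaces stay inside a column."""
    return [f for f in re.split(r"\t|\s{2,}", line.strip()) if f]

def persistence_writes(regmon_log: str) -> list:
    """Successful SetValue operations on auto-start keys, with the process that made them."""
    hits = []
    for line in regmon_log.splitlines():
        f = split_fields(line)
        if len(f) < 6 or f[3] != "SetValue":
            continue
        proc, path, result = f[2], f[4], f[5]
        data = f[6] if len(f) > 6 else ""
        if result == "SUCCESS" and any(p.search(path) for p in ASEP_PATTERNS):
            hits.append({"process": proc, "key": path, "data": data.strip('"')})
    return hits

def connect_targets(tdimon_log: str) -> Counter:
    """Count TDI_CONNECT attempts per (process, remote endpoint), refused or not."""
    targets = Counter()
    for line in tdimon_log.splitlines():
        f = split_fields(line)
        if len(f) >= 8 and f[4] == "TDI_CONNECT":
            targets[(f[2], f[6])] += 1
    return targets

def unique_ips(tdimon_log: str, process_prefix: str = "onlyyou.exe") -> list:
    """Distinct remote IPs a given process tried to reach, for the IOC list."""
    return sorted({remote.rsplit(":", 1)[0]
                   for proc, remote in connect_targets(tdimon_log)
                   if proc.startswith(process_prefix)})

if __name__ == "__main__":
    for hit in persistence_writes(REGMON_LOG):
        print(f"persistence: {hit['process']} wrote {hit['key']} = {hit['data']}")
    for (proc, remote), n in sorted(connect_targets(TDIMON_LOG).items()):
        print(f"connect: {proc} -> {remote} x{n}")
    print("IOC IPs:", unique_ips(TDIMON_LOG))
```

Counting refused connects as well as successful ones matters here: almost every attempt in the trace was CONNECTION_REFUSED, and a rule that only looked at established sessions would have missed the whole peer list.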

While the process was running, I dumped the strings from its memory. Here is a snippet of the output.
<snip>
Content-Type: application/x-www-form-urlencoded
X-Request-Kind-Code: nodes
Content-Type: application/x-www-form-urlencoded
X-Request-Kind-Code: servers
mime-mhs-bodies
mime-mhs-headings
MIME MHS
mime-mhs
mailPreferenceOption
janetMailbox
organizationalStatus
friendlyCountryName
pagerTelephoneNumber
mobileTelephoneNumber
personalTitle
homePostalAddress
associatedName
associatedDomain
cNAMERecord
sOARecord
nSRecord
mXRecord
pilotAttributeType27
aRecord
lastModifiedBy
lastModifiedTime
otherMailbox
secretary
homeTelephoneNumber
documentLocation
documentAuthor
documentVersion
documentTitle
documentIdentifier
manager
userClass
photo
roomNumber
favouriteDrink
info
rfc822Mailbox
mail
textEncodedORAddress
userId
UID

</snip>
The strings above were recovered from memory but are absent from the file on disk, which confirms that the binary unpacks or decrypts itself at runtime. They also say more about its purpose than the import table did: the HTTP headers "X-Request-Kind-Code: nodes" and "X-Request-Kind-Code: servers" point to a custom HTTP-based protocol for exchanging peer and server lists, and the DNS record and mailbox attribute names (mXRecord, aRecord, rfc822Mailbox, mail) are consistent with a component that resolves mail servers and handles e-mail addresses, i.e. with sending spam and spreading by e-mail. Note that the statically visible imports (RegOpenCurrentUser, QueryWindows31FilesMigration, GetConsoleCommandHistoryA and the like) bear no relation to this behaviour; they look like placeholder imports left by the packer, and the real API set is resolved only after unpacking.

FileMon showed that the malware reads each and every file on the system, searching for e-mail addresses to spam. It scans almost all file types, skipping only the following extensions (media, images, executables, archives and help files, which are unlikely to contain addresses):
.avi
.mov
.wmv
.wave
.wav
.wma
.ogg
.vob
.jpg
.jpeg
.gif
.bmp
.exe
.dll
.ocx
.class
.msi
.zip
.rar
.jar
.hxw
.hxh
.hxn
.hxd

The malware collects this harvested data from the infected system, encrypts it and sends it to the IP addresses listed above.
The IP addresses are hard-coded inside the malware.
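The FileMon observation above is a behavioural signature in its own right: a process that reads many files across many unrelated directories within a minute of starting, and reads only formats that could hold text, is behaving like an address harvester. The following script is an added example written for this page (not the post's tooling) that scores that read breadth over FileMon-style rows of (process, operation, path, result). The rows are constructed, the 20-file / 3-directory thresholds are my assumption, and the skip list is the one the post observed; reads of those formats by a flagged process would argue for an indexer or scanner rather than a harvester.

```python
import ntpath
from collections import defaultdict

# Extensions the post observed the worm skipping: formats unlikely to contain addresses.
SKIPPED_EXTENSIONS = {
    ".avi", ".mov", ".wmv", ".wave", ".wav", ".wma", ".ogg", ".vob",
    ".jpg", ".jpeg", ".gif", ".bmp", ".exe", ".dll", ".ocx", ".class",
    ".msi", ".zip", ".rar", ".jar", ".hxw", ".hxh", ".hxn", ".hxd",
}

def harvest_candidates(rows, min_files: int = 20, min_dirs: int = 3) -> dict:
    """Processes whose successful READs span at least min_files files in min_dirs directories.

    Thresholds are assumptions for the example. skipped_reads counts reads of formats on the
    skip list: a pure address harvester should have none, an indexer or AV scanner many.
    """
    stats = defaultdict(lambda: {"files": set(), "dirs": set(), "skipped": 0})
    for proc, op, path, result in rows:
        if op != "READ" or result != "SUCCESS":
            continue
        s = stats[proc]
        s["files"].add(path.lower())
        s["dirs"].add(ntpath.dirname(path).lower())       # ntpath: Windows paths on any host
        if ntpath.splitext(path)[1].lower() in SKIPPED_EXTENSIONS:
            s["skipped"] += 1
    return {
        proc: {"files": len(s["files"]), "dirs": len(s["dirs"]), "skipped_reads": s["skipped"]}
        for proc, s in stats.items()
        if len(s["files"]) >= min_files and len(s["dirs"]) >= min_dirs
    }

def sample_rows() -> list:
    """Constructed FileMon-style rows: the worm sweeping four folders, Explorer doing normal work."""
    rows = []
    folders = [
        r"C:\Documents and Settings\user\My Documents",
        r"C:\Documents and Settings\user\Desktop",
        r"C:\Program Files\Common Files",
        r"C:\WINDOWS\Help",
    ]
    n = 0
    for folder in folders:
        for ext in (".txt", ".htm", ".doc", ".eml", ".log"):
            for _ in range(2):
                rows.append(("onlyyou.exe:1384", "READ", ntpath.join(folder, f"file{n}{ext}"), "SUCCESS"))
                n += 1
    rows.append(("explorer.exe:912", "READ", r"C:\Documents and Settings\user\Desktop\photo.jpg", "SUCCESS"))
    rows.append(("explorer.exe:912", "READ", r"C:\WINDOWS\system32\shell32.dll", "SUCCESS"))
    rows.append(("onlyyou.exe:1384", "OPEN", r"C:\WINDOWS\Help\index.hxd", "NOT FOUND"))
    return rows

if __name__ == "__main__":
    for proc, summary in harvest_candidates(sample_rows()).items():
        print(f"{proc}: {summary['files']} files in {summary['dirs']} dirs, "
              f"{summary['skipped_reads']} reads of skipped formats")
```

On a real export, feed the function the rows from the saved log (FileMon's columns are sequence, time, process, request, path, result, other) after the sample has run for a minute; the same breadth measure works for Process Monitor's ReadFile events.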

Symptoms:
1) Existence of the file onlyyou.exe, barackblog.exe, obamanews.exe or ecards.exe on the system.
2) Existence of the registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg" pointing at one of the binaries above.
3) Existence of a running process with one of the binary names above.
4) Frequent connection attempts to the IP addresses listed above on TCP port 80.

Removal Procedure:
1) Kill the relevant process (Process Explorer or Task Manager). Do this first; a running copy can re-create its Run entry after you delete it.
2) Remove the following registry value using RegEdit:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg
3) Delete the binary the Run value pointed to (e.g. C:\OnlyYou\onlyyou.exe), then reboot and run a full scan with updated antivirus signatures to confirm it has not come back.

References:

1) Symantec Security Response
2) RegMon (Sysinternals)
3) FileMon (Sysinternals)
4) Process Explorer (Sysinternals)
5) TDIMon (Sysinternals; no longer available from Microsoft, but a quick web search will find it)

Please do not open e-mails or attachments from untrusted or unknown senders. Update your antivirus signatures and stay safe.

Update:

1) Jeremy from SudoSecure has built a really impressive tool for tracking the Waledac worm. The worm is clearly making its mark: the tracker lists most of the binary names used by the worm and shows that cards.exe has been installed on most of the infected systems. Worth checking out.

2) The Microsoft Malware Protection Center has finally published an alert for the Waledac worm. Read it here. It includes a screenshot of the fake Obama website and a snippet of the e-mail that was spammed out to gather victims.
