Analyzing IRCBOTS: Part I

IRC-based malware bots caught enormous attention in 2005-06. Though IRC-based malware is on the decline, nailing one down is still a really interesting task.
The sole purpose of malware is to serve its master and follow its orders. Malware authors have adopted many ways to achieve this, but controlling malware from an Internet Relay Chat (IRC) channel was the most popular one in the 90s. These worms carry their own IRC client code and respond to various commands sent over the channel they are connected to.

The most important feature of malware is command and control, and IRC is just one implementation of it. EggDrop and PrettyPark.worm were early and widely used implementations of this technique.

In this and the upcoming posts I will analyze one of the well-known IRC bot variants, identified as W32.Spybot Worm by Symantec. The name varies from one anti-virus vendor to another. Here are a few from well-known ones:

  • Win32.Spybot.gen [Computer Associates]
  • Worm.P2P.SpyBot.gen [Kaspersky]
  • W32/Spybot-Fam [Sophos]
  • W32/Spybot.worm.gen [McAfee]
  • WORM_SPYBOT.GEN [Trend]

Microsoft Malware Protection Center has rated this worm as high severity. OK, enough talking. Let's get started.

Malware Analysis LAB Setup

My malware lab is a completely virtual setup. It is made up of 2 virtual machines hosted under VMware Workstation 6.0 on a fully patched Windows Vista. (I know it kinda sucks using Vista, but I can't help it. Official reasons. 😦 ) The host machine runs on

  • Intel Centrino Duo Processor
  • 2 GB Memory

The two guest OSs are

  • Microsoft XP SP2 (where we will execute our malware)
  • BackTrack 3 (from where we will analyse the network behaviour of the malware)

The BackTrack 3 system is installed with a lot of services like HTTP, FTP, IRC, DNS, Snort etc., while Windows XP is installed with all the necessary tools for malware analysis. These guest OSs are networked together with a NAT network configuration, and the necessary measures are taken to prevent the malware from infecting the host machine.

Static Analysis of Binary

When the sample was submitted to PE Explorer, the following information was gathered.

  • File size: 75264 bytes
  • MD5 hash: 59a95f668e1bd00f30fe8c99af675691
  • SHA1 hash: 2d1c8898ccc33c58c552f7a7091b165088c180d5

PE Structure Information

  • EntryPointAddress: 0x7ae20
  • TimeStamp: 0x450c3eda (Sat Sep 16 18:13:46 2006)
  • Machine Type: 0x14c (I386)

Section_Name  Virtual_Address  Virtual_Size  Disk_Size  Entropy  MD5_Sum
ABC0          0x1000           0x68000       0x0        0.00     d41d8cd98f00b204e9800998ecf8427e
ABC1          0x69000          0x12000       0x12000    7.91     5075428f083b5554b0ed1da234b2f26e
ABC2          0x7b000          0x1000        0x200      2.05     26ea18324a0f6ccd929a29124910d790

The section names look unusual, as a normal binary will have .text, .data and .rdata as sections. The malware author has changed the section names for sure. To check whether the malware is packed with any packer, we will launch the binary within PEiD and RDG. Refer to the screenshots for more details.

[screenshot: PEiD scan results (peid1)]

The normal PEiD scan was not able to detect the packer, as the section names were changed, while the Deep and Hardcore scans detected the packer as UPX. Knowing the packer name, I launched the UPX utility to decompress it. The UPX decompressor failed, saying "File is modified/hacked/protected." This is for sure related to our section names.

[screenshot: UPX decompressor failing on the original binary (upx_failed)]

I opened the binary in a hex editor and changed ABC to UPX, and now the UPX decompressor utility was able to unpack it. Refer to the modification and UPX decompressor screenshots.
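As an added example (not the post's own tooling), the following Python script reads the section table the way PE Explorer listed it above, computes per-section entropy, flags the UPX-style layout (a large first section with zero raw size followed by a high-entropy one) even when the names have been changed, and performs the ABC-to-UPX rename from the hex-editor step. The binary produced by `build_sample_pe` is a constructed stand-in that mirrors the post's section table; it is not the real sample.

```python
import math, random, struct
from collections import Counter

SECT_HDR = 40  # size of one IMAGE_SECTION_HEADER

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for a section with no raw data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def section_table(pe):
    """Offset of the first section header and the section count, read from the COFF header."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    assert pe[pe_off:pe_off + 4] == b"PE\0\0", "not a PE file"
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)
    return pe_off + 24 + opt_size, nsect

def sections(pe):
    """List (name, virtual_size, virtual_address, raw_size, entropy) for every section."""
    off, nsect = section_table(pe)
    out = []
    for i in range(nsect):
        h = off + i * SECT_HDR
        name = pe[h:h + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, h + 8)
        out.append((name, vsize, vaddr, rsize, round(entropy(pe[rptr:rptr + rsize]), 2)))
    return out

def looks_upx_packed(secs):
    """UPX layout: a large section with no raw data (the unpack target) followed by a high-entropy one."""
    return len(secs) >= 2 and secs[0][3] == 0 and secs[0][1] > 0 and secs[1][4] > 7.0

def rename_sections(pe, old=b"ABC", new=b"UPX"):
    """Rewrite the section-name prefix in the headers, as the post did by hand in a hex editor."""
    buf, (off, nsect) = bytearray(pe), section_table(pe)
    for i in range(nsect):
        h = off + i * SECT_HDR
        if buf[h:h + len(old)] == old:
            buf[h:h + len(old)] = new
    return bytes(buf)

def build_sample_pe():
    """Constructed stand-in mirroring the post's section table (optional header omitted); not the real sample."""
    rnd = random.Random(7)
    layout = [(b"ABC0", 0x68000, 0x1000, b""),
              (b"ABC1", 0x12000, 0x69000, bytes(rnd.getrandbits(8) for _ in range(4096))),
              (b"ABC2", 0x1000, 0x7B000, b"\0" * 500 + b"UPX!" + b"\0" * 8)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x450C3EDA, 0, 0, 0, 0x10F)
    hdrs, body, ptr = b"", b"", len(dos) + len(coff) + 3 * SECT_HDR
    for name, vsize, vaddr, raw in layout:
        hdrs += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, len(raw), ptr if raw else 0) + b"\0" * 16
        body, ptr = body + raw, ptr + len(raw)
    return dos + coff + hdrs + body
```

Running `sections(open("sample.exe", "rb").read())` on a real file reproduces the table above; `rename_sections` only touches the 8-byte name fields, so the packed data UPX needs is left intact.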

[screenshot: section names changed from ABC to UPX in the hex editor (mod_bin)]

I skipped the string listing of the packed binary, as there will hardly be any interesting strings in it.

[screenshot: UPX decompressor succeeding on the modified binary (working_upx)]

Once the binary is unpacked its size changes to 169K, and the strings output shows a lot of interesting strings. We can take the following educated guesses about the malware's functionality based on the string output.

The interesting strings are pasted below each educated guess.

The malware may create a .bat file that writes a .reg file and tries to modify some registry keys.

c:\a.bat
@echo off
Echo REGEDIT4>%temp%\1.reg
Echo.>>%temp%\1.reg
Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]>>%temp%\1.reg
Echo "TransportBindName"="">>%temp%\1.reg
Echo.>>%temp%\1.reg
Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]>>%temp%\1.reg
Echo "Start"=dword:00000004>>%temp%\1.reg
Echo.>>%temp%\1.reg
Echo  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]>>%temp%\1.reg

The malware may contact the following URLs/servers.

  1. http://www.W32-gen.us (-National Virus Site-)
  2. http://www.Nivdav.net/Winsec32.exe

The malware may target the following listed websites (window titles found in the strings).

e-gold | PayPal | StormPay | WorldPay | Fotolog.net | Terra – Fotolog | Yahoo! | Domain Search | Bienvenido a Gmail
Welcome to Gmail | Domain Name Registration | Domain Name | My Account Login | Iniciar sesión

The malware may also try password attacks to search for weak passwords.

guessme | youwontguessme | uwontguessme | mirc | kiddie | scriptkiddie | script | hax0r | hacker | l337
l33t | leet | killer | 0wn3d | w00t | heaven | spaceman | satanic | satanik | satan | gobo | Matthew | Matt
Mat | mypass123 | mypass | pw123 | admin123 | mypc123 | mypc | love | pwd | login | home | zxcv | yxcv | qwer
secret | asdf | win | test123 | abc | aaa | crash | fucked | netfuck | irule | owned | 0wned | net-devil | netdevil

The malware may launch DoS / DDoS attacks.

RealmBoT (ddos.p.l.g) .
.  Done with flood (%iKB/sec).
RealmBoT (ddos.p.l.g) .
RealmBoT (udp.p.l.g) .
.  Finished sending packets to %s.
RealmBoT (udp.p.l.g) .
.  Error sending pings to %s.
[SUPERSYN]: Done with flood (%iKB/sec)

The malware may download files from the master server.

RealmBoT (download.p.l.g) .
.  Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
RealmBoT (download.p.l.g) .
.  Opened: %s.
RealmBoT (download.p.l.g) .
.  Downloaded %.1f KB to %s @ %.1f KB/sec.

The malware may have FTP server code inside.

[REALMBOT-FTP] : Server started on Port: %d, File: %s, Request: %s.

[REALMBOT-FTP] %s, port:%d now executing %s on remote machine.

226 Transfer complete.

150 Opening BINARY mode data connection

RETR

200 PORT command successful.

The malware may be using an IRC channel to serve its master.

RealmBoT (irc.p.l.g) .
.  Connected to %s.
NICK %s
USER %s 0 0 :%s
PASS %s
MODE %s %s
USERHOST %s
RealmBoT (irc.p.l.g) .
.  User: %s logged in.
[REALMBOT] : Thank for trying.
RealmBoT (irc.p.l.g) .

As you can see, a lot of behavioural guesses can be made just by looking at the strings used in the binary. To confirm our guesses and find out more about the malware, we will start its behavioural analysis by executing it on the live analysis machine.

I started all monitoring tools, including Wireshark on the BT3 machine and Process Explorer, before executing the binary. A base registry snapshot was also taken and saved so that all registry manipulation performed by the malware could be tracked. The malware was allowed to run for 1 minute and then forcefully killed from Process Explorer. I will go through all the observed changes one by one.

Process Manipulation:

[screenshot: new malware process in Process Explorer (new_malprocess)]

Like all other binaries, the malware created its own process and then executed another process named Winsec32.exe from the C:\WINDOWS directory. After giving birth to its child, the malware killed itself.

Registry Manipulation:

When the malware was forcefully killed, I took another registry snapshot and compared it with the base one. The malware plants itself to launch every time the system boots.

5600    20.27277565    Winsec32.exe:1028    SetValue    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Svchost local services    SUCCESS    "Winsec32.exe"
5606    20.27297401    Winsec32.exe:1028    SetValue    HKCU\Software\Microsoft\OLE\Microsoft Svchost local services    SUCCESS    "Winsec32.exe"

It also disabled the proxy used by our Internet browser by adding the following entry.

6462    20.32703018    Winsec32.exe:1028    SetValue    HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable    SUCCESS    0x0

A lot of other registry keys and values are queried by the malware. I will not go into the details of each one.

File System Manipulation:

We saw that the original malware binary's process kills itself and generates a new process named Winsec32.exe. Here is the proof showing the process named malware.exe writing Winsec32.exe under C:\WINDOWS.

863    4:38:59 PM  malware.exe:1820    WRITE    C:\WINDOWS\Winsec32.exe    SUCCESS    Offset: 0 Length: 65536
864    4:38:59 PM  malware.exe:1820    WRITE    C:\WINDOWS\Winsec32.exe    SUCCESS    Offset: 65536 Length: 9728

No other write from the malware shows that it is not executing the code that creates a .bat file and performs the registry manipulation. This shows the malware is reusing/sharing code from other bots.
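Added example, not from the post: a small triage script that parses Regmon/Filemon-style lines like the ones quoted in the registry and file-system sections above (constructed copies with backslashes restored, plus one constructed benign query line as noise) and flags the autorun write, the ProxyEnable change and the executable dropped under C:\WINDOWS. The rule names and the `triage` function are my own.

```python
import re

# Constructed sample in the Regmon/Filemon column layout quoted in the post; line 7001 is made-up noise.
SAMPLE_LOG = r"""
5600    20.27277565    Winsec32.exe:1028    SetValue    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Svchost local services    SUCCESS    "Winsec32.exe"
5606    20.27297401    Winsec32.exe:1028    SetValue    HKCU\Software\Microsoft\OLE\Microsoft Svchost local services    SUCCESS    "Winsec32.exe"
6462    20.32703018    Winsec32.exe:1028    SetValue    HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable    SUCCESS    0x0
863    4:38:59 PM  malware.exe:1820    WRITE    C:\WINDOWS\Winsec32.exe    SUCCESS    Offset: 0 Length: 65536
864    4:38:59 PM  malware.exe:1820    WRITE    C:\WINDOWS\Winsec32.exe    SUCCESS    Offset: 65536 Length: 9728
7001    20.40000000    Winsec32.exe:1028    QueryValue    HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir    SUCCESS    "C:\Program Files"
"""

# seq, time (may contain a space, e.g. "4:38:59 PM"), process:pid, operation, path, result, detail
LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+):(\d+)\s+(\w+)\s+(.+?)\s+"
                  r"(SUCCESS|NOT FOUND|ACCESS DENIED|BUFFER OVERFLOW)\s+(.*)$")

RULES = [
    ("persistence: autorun value written",
     lambda e: e["op"] == "SetValue" and re.search(r"(?i)\\currentversion\\run(once|services)?\\", e["path"])),
    ("defence evasion: browser proxy disabled",
     lambda e: e["op"] == "SetValue" and e["path"].lower().endswith(r"\proxyenable") and e["detail"].strip() == "0x0"),
    ("dropper: executable written under the Windows directory",
     lambda e: e["op"] == "WRITE" and re.match(r"(?i)^c:\\windows\\[^\\]+\.(exe|dll|scr)$", e["path"])),
]

def parse(line):
    """Split one monitor line into its columns; returns None for lines in another layout."""
    m = LINE.match(line)
    if not m:
        return None
    seq, time, proc, pid, op, path, result, detail = m.groups()
    return {"seq": int(seq), "time": time, "proc": proc, "pid": int(pid),
            "op": op, "path": path, "result": result, "detail": detail}

def triage(log):
    """Return [(seq, process, label)] for every successful event matching a rule; the rest is noise."""
    hits = []
    for line in log.strip().splitlines():
        e = parse(line)
        if e and e["result"] == "SUCCESS":
            hits += [(e["seq"], e["proc"], label) for label, pred in RULES if pred(e)]
    return hits
```

Note that event 5606 (the value under HKCU\Software\Microsoft\OLE) is not an autorun location and so is not flagged by these rules; it would need a rule of its own, for example on value data that names a freshly dropped .exe.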

Network Traffic:

A trace from Wireshark shows there were continuous DNS queries for the testirc1.sh1xy2bg.NET domain from my live analysis machine. As the virtual lab setup is not routed to the internet, the malware will never get a response back.

[screenshot: repeated DNS queries in Wireshark (dns1)]

Well... I will stop here for this post. It's 3 a.m. and my eyes are burning. I will continue the rest of my analysis journey (code patching and code analysis) in the next installments of this 3-part series.

Till then stay safely plugged 8)
