Analyzing IRCBOTS: Part II

OK, we know from the previous post that the malware is trying to connect to testirc1.sh1xy2bg.NET. To learn more about its intentions, I added a fake DNS entry in the XP hosts file and pointed testirc1.sh1xy2bg.NET to my BackTrack 3 machine. I then rebooted the live analysis machine and started Wireshark again on the BT3 system.

As the malware has configured itself to start whenever Windows boots, it gets executed and tries to connect to its master. This time its DNS query gets resolved and it tries to connect to TCP port 6667, which happens to be the standard IRC port. Recall that I have already installed an IRC server on the BT3 machine. Let's start the IRC service and restart the malware process from Process Explorer.

This time the malware connects to the IRC server and joins the channel named “Chalenge” with the password “happy12”. Refer to the Wireshark trace screenshot. The malware then changes the channel mode to monitored and hidden with the mode -mnst channel control command, and changes the topic to “.asc vnc 100 0 0 -r -b”.
Now I can conclude that the malware is being controlled via an IRC channel. The next question is: what kind of services does the malware provide to its master? There are two ways to find this out:

  1. Code Analysis Via Reverse Engineering
  2. Controlling the malware by connecting to it.

I chose both ways simultaneously. I installed XChat2, an IRC client, and also joined the same channel. The unpacked strings output gave me some clues about the possible commands the malware might accept, like sysinfo, driveinfo, uptime, netinfo, etc.
The malware didn't respond when I tried sending these commands. There can again be two reasons behind such behavior.

  • I am trying the wrong commands
  • The malware has authentication.

The second reason looks obvious: why would the malware author allow any Tom, Dick and Harry to control his bot? So let's find out the password for connecting to the malware.
Let's try to authenticate ourselves as the malware master. I decided to try password-like strings from the gathered strings output as potential passwords.

<bughira> .login admin123
-USA[XP]1123037- Are you a Fucker?. (bughira!BT@738FBBA.E0CB536.5CF86F75.IP).
-USA[XP]1123037- No pass for you.

To find the password we will need to start looking into the binary code of the malware, as the password has to be hardcoded in it. OK, let's start hunting for the string “No pass for you” in IDA Pro. IDA Pro is one of the most famous disassemblers/debuggers and is well suited for malware analysis.
The code from the snapshot references the string “gemp123”, which is being checked against our user input.

.text:004089BE ProcessCredentials:                             ; CODE XREF: sub_403EF2+6D2j
.text:004089BE                                         ; sub_403EF2+6E7j
.text:004089BE                 mov     esi, [ebp+esi+var_9C]
.text:004089C5                 cmp     esi, ebx
.text:004089C7                 mov     dword ptr [ebp+dwProcessId], esi
.text:004089CA                 jz      loc_404369
.text:004089D0                 cmp     [ebp+var_A8], ebx
.text:004089D6                 jnz     loc_404369
.text:004089DC                 push    offset asc_425B84 	; Use Delimiter "!"
.text:004089E1                 push    [ebp+var_A0]    		; Our Supplied Nick and Domain name.
.text:004089E7                 call    _strtok			; Separate NickName from the string.
.text:004089EC                 mov     esi, eax
.text:004089EE                 push    offset word_475DB4 	; char *
.text:004089F3                 push    ebx             		; char *
.text:004089F4                 inc     esi
.text:004089F5                 call    _strtok
.text:004089FA                 push    offset asc_423648 	; "~"
.text:004089FF                 push    eax             		; Push the domain name string to get exact domain name token
.text:00408A00                 call    _strtok
.text:00408A05                 push    dword ptr [ebp+PId] 	; Push our supplied password
.text:00408A08                 mov     edi, eax                 ; Store complete domain string in EDI for further usage if needed.
.text:00408A0A                 push    offset aGemp123 		; Password for the Malware : "gemp123"
.text:00408A0F                 call    _strcmp			; Compare supplied password with gemp123
.text:00408A14                 add     esp, 20h			; ReOrganize stack
.text:00408A17                 test    eax, eax			; Check the return value of strcmp
.text:00408A19                 jz      short loc_408A66		; If Zero,Login Successful
.text:00408A1B                 lea     eax, [ebp+var_C8] 	; Login Failed. Insult Connected user.
.text:00408A21                 push    edi			; Push our Domain name
.text:00408A22                 push    eax			; Push Our nick Name
.text:00408A23                 lea     eax, [ebp+var_C8]        ;
.text:00408A29                 push    eax             		; Push Malware Bot name
.text:00408A2A                 push    offset WrnPassMsg 	; "NOTICE %s :Are you a Fucker?. (%s!%s).\r"...
.text:00408A2F                 push    [ebp+arg_4]     		;  Socket Descriptor
.text:00408A32                 call    SendMessage		; Send Message over socket.
.text:00408A37                 lea     eax, [ebp+var_C8]
.text:00408A3D                 push    eax             		; Push Malware Bot name.
.text:00408A3E                 push    offset WrnPassMesg1	; "NOTICE %s :No pass for you.\r\n"
.text:00408A43                 push    [ebp+arg_4]     		; Socket Descriptor
.text:00408A46                 call    SendMessage		; Send message over a socket
.text:00408A4B                 push    edi			; Push Domain name and other information for
.text:00408A4C                 push    esi			; logging purpose.
.text:00408A4D                 push    offset aRealmbotIrc_35 	; "RealmBoT (irc.p.l.g) .++.  *Failed pass"...

Let's try to use “gemp123” as the password.

<bughira> .login gemp123
-USA[XP]2866523- WTF!? no yet fucker!. (bughira!BT@738FBBA.E0CB536.5CF86F75.IP).
-USA[XP]2866523- Orders: No Talk with you.

It looks like the password is correct but the malware does not like something else, which may be my nickname or something similar. Let's dig further under the debugger.
Again I searched for the string “WTF!? no yet fucker!.” in IDA and got all its references. While straining my eyes over the hex code, I found a function that was checking my nickname and domain against “*@legalize.it”. This made me sure that the malware accepts a master only from the legalize.it domain; s/he may use any nickname.
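The two checks recovered above (the strcmp against “gemp123” and the “*@legalize.it” hostmask match), reconstructed as an added Python model for readers; this is analyst code written for this page, not the bot's. The exact field fed to the wildcard match and the “#” channel prefix are assumptions drawn from the listing comments.

```python
import fnmatch

# Reconstructed from the disassembly: strtok on "!" and "~" splits the IRC
# prefix "nick!~user@host", strcmp() compares the supplied password with the
# hard-coded "gemp123", and a second routine only accepts a master whose
# user@host matches "*@legalize.it" (which field is matched is an assumption).
BOT_PASSWORD = "gemp123"
MASTER_MASK = "*@legalize.it"   # patched to "*" in the post to accept any domain

def parse_prefix(prefix):
    """Split 'nick!~user@host' into (nick, user, host), dropping the ident '~'."""
    nick, _, rest = prefix.partition("!")
    user, _, host = rest.partition("@")
    return nick, user.lstrip("~"), host

def check_login(prefix, password, master_mask=MASTER_MASK):
    """Return (accepted, reply) mirroring the bot's replies seen in the session."""
    nick, user, host = parse_prefix(prefix)
    if password != BOT_PASSWORD:
        # strcmp at 00408A0F returned non-zero: the 'No pass for you.' branch
        return False, f"NOTICE {nick} :No pass for you."
    if not fnmatch.fnmatchcase(f"{user}@{host}", master_mask):
        # password right but hostmask wrong: 'Orders: No Talk with you.'
        return False, f"NOTICE {nick} :Orders: No Talk with you."
    return True, f"NOTICE {nick} :Thank for trying."

if __name__ == "__main__":
    me = "bughira!BT@738FBBA.E0CB536.5CF86F75.IP"   # hostmask from the session above
    print(check_login(me, "admin123"))
    print(check_login(me, "gemp123"))
    print(check_login(me, "gemp123", master_mask="*"))   # effect of the domain patch
```

The fixed NOTICE strings in the rejection paths are static in the binary and make straightforward network and host signatures for this sample.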

I decided to patch the malware binary to make it accept requests from any domain. Refer to the screenshot where the actual patching is being done.

[Screenshot: patching1]

I saved the binary with the same name, restarted the process Winsec32.exe, and this is what I got:
.login gemp123
[REALMBOT] : Thank for trying.

Bingo!!! We are in. Let's explore the malware functionality by trying the earlier commands. Refer to the screenshots for the output of the tried commands.

[Screenshot: commands]

Just searching through the binary code helped me find out the different functionality of the malware. I was able to confirm that the malware has the capability to perform different DoS and DDoS attacks.

When you ask the malware to start its web server, you get output like the following screenshot. Similarly, the malware can also start an FTP server on the victim machine, allowing its master to use the victim's disk space for data storage.

[Screenshot: webserver]

The malware is also capable of exploiting DCOM and VNC vulnerabilities on unpatched systems. Following are some of the commands supported by the malware.

        login                  Authentication (login password)
        logout
        chghttp                Change HTTP settings
        lockdown.off           Disables 'secure' mode visit irc.v
        web.off                Disable httpd
        ftpd.off               Disable ftpd
        log.off                Disable logging
        proxy.redirect.off     Disable TCP redirector
        ddos.off               Disable all DDoS attacks
        syn.off                Disable SYN flood
        udp.off                Disable UDP flood
        ping.off               Disable ping flood
        proc.off               List processes (?)
        clone.off              Kills clone
        clone                  Creates a clone of self
        secure.stop            Terminates thread processes
        scanstop               Stops the port scan thread
        id                     Returns PID of its own process
        status                 Sends status information
        reboot                 As the name suggests, reboots the host machine
        clearlog               Clears the maintained log file
        opencmd                Opens a command shell
        closecmd               Closes a command shell
        flusharp               Flushes the ARP cache
        flushdns               Flushes the DNS cache
        prockillid             Kills a process by PID
        readfile               Reads a specific file from disk
        keylog.on              Starts keylogging thread
        update                 Updates itself from http://www.Nivdav.net/Winsec32.exe
        execute                Executes specified command on remote system
        udpflood               Starts UDP flood DoS module
        pingflood              Starts ping flood DoS module
        advscan                Starts port and service scan thread
        ftp.upload             Uploads file using FTP
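As an added detection example (my own code, not from the post or the bot), the following parses raw IRC lines like those in the Wireshark trace and flags the keyed JOIN, the -mnst MODE, the command-bearing TOPIC, and channel messages that begin with one of the commands listed above. The sample lines are constructed to mirror the observed session; the “#” channel prefix is assumed, and the command set is a subset of the list above.

```python
import re

# Subset of the command list above, used as a detection keyword set.
BOT_COMMANDS = {"login", "logout", "udpflood", "pingflood", "advscan", "keylog.on",
                "opencmd", "execute", "update", "ftp.upload", "readfile", "ddos.off"}

# Constructed sample mirroring the observed session: keyed JOIN, -mnst MODE,
# command in TOPIC, then two operator commands and one line of ordinary chat.
SAMPLE = """\
NICK USA[XP]1123037
JOIN #Chalenge happy12
MODE #Chalenge -mnst
TOPIC #Chalenge :.asc vnc 100 0 0 -r -b
:bughira!BT@738FBBA.E0CB536.5CF86F75.IP PRIVMSG #Chalenge :.login gemp123
:bughira!BT@738FBBA.E0CB536.5CF86F75.IP PRIVMSG #Chalenge :.keylog.on
:bughira!BT@738FBBA.E0CB536.5CF86F75.IP PRIVMSG #Chalenge :hello everyone
"""

def parse_line(line):
    """Minimal RFC 1459 split: (prefix or None, COMMAND, [params..., trailing])."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split() + ([trailing] if sep else [])
    return prefix, params[0].upper(), params[1:]

def scan_irc(text):
    """Return (label, detail) findings for bot-like traffic in a raw IRC capture."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        prefix, cmd, params = parse_line(raw)
        if cmd == "JOIN" and len(params) >= 2:
            findings.append(("keyed-join", f"{params[0]} key={params[1]}"))
        elif cmd == "MODE" and len(params) >= 2 and set("mnst") <= set(params[1]):
            findings.append(("bot-mode-change", f"{params[0]} {params[1]}"))
        elif cmd == "TOPIC" and len(params) >= 2 and params[1].startswith("."):
            findings.append(("command-topic", params[1]))
        elif cmd in ("PRIVMSG", "NOTICE") and len(params) >= 2:
            m = re.match(r"\.?([a-z][a-z.]*)", params[1])
            if m and m.group(1) in BOT_COMMANDS:
                findings.append(("bot-command", f"{m.group(1)} from {prefix}"))
    return findings

if __name__ == "__main__":
    for label, detail in scan_irc(SAMPLE):
        print(f"{label:16} {detail}")
```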

The malware also tried to scan random hosts for the VNC service, with the random IP addresses derived from my network configuration. Here are some of the IP addresses it contacted; all of them were 192.168.x.x hosts on TCP port 5900.


Static binary analysis under IDA Pro revealed much more information about the malware, such as:

  • When the malware copies itself into the %SYSTEMROOT% folder, it creates the file with the READONLY|SYSTEM|HIDDEN attributes.
  • The malware makes sure only a single copy of itself is running by creating a mutex at startup.
  • The malware first checks whether the host has an internet connection or a network attached.
  • The malware tries to exploit SMB shares.

Looking at the supported command list, we can categorize this malware as an IRC bot capable of performing DoS and DDoS attacks. We can also sub-categorize it under keylogging and credential stealing.
I will conclude the second installment here and will post about generating a signature for the malware and code snippets of a removal tool in the last and final part of this series. I hope to see you guys soon.

References:

  1. Analyzing IRCBOTS: Part I (Static and Behavioural Analysis)
  2. Analyzing IRCBOTS: Part III (Removal Tool and Signature Generation)
  3. IDA Pro
  4. OllyDbg