Analyzing IRCBots III

Here I am for the third and final installment of our three-installment series: Analyzing IRCBots. In the first post I showed you a static and behavioural analysis, while in the second post we saw code patching and analysis. We also concluded the behaviour of the malware and categorized it as an IRC bot. Those who missed the last two posts can find them here and here respectively.

In this post I will show you how to write a small Bot Removal tool and how to generate an AntiVirus signature for this specific bot using the ClamAV signature generation tool.

The removal process is just the inverse of the installation process. By inverse I mean that, to remove the Bot from our system, we need to remove its traces: registry keys, the installed binary, processes, created files, installed hooks, drivers etc. Luckily our Bot was not that advanced and does not install hooks.

To remove this bot we need to do the following things.

  1. Kill its process
  2. Remove Executable
  3. Remove installed Registry Keys

Manual Removal

  • Open Command prompt and type “taskkill /IM winsec32.exe”
  • Now change the working directory to %SYSTEMROOT% and clear the hidden/read-only/system attributes of the malware executable:

c:\WINDOWS> attrib -h -r -s winsec32.exe

  • Now Delete the file from explorer or from command line.
  • Open the Registry Editor from start->run->regedit and remove the following values:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Svchost local services
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Svchost local services

  • Reboot the system and check for the process “winsec32.exe” using the “tasklist” command or from Task Manager.

If no process named winsec32.exe is running, you have successfully cleaned the bot from your system.

I wrote a small tool to automate the removal process. Following is a code snippet of the tool (C#, WinForms; lbStatus is the ListBox used as a log). Refer to the screenshots to see the tool in action.

    using System;
    using System.ComponentModel;
    using System.Diagnostics;
    using System.Windows.Forms;
    using Microsoft.Win32;

    // key1 is the Run key the bot writes its autostart value into (see the
    // manual removal steps above); the RunServices key is handled the same way.
    string key1 = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";
    string logString, EMessage;

    RegistryKey RegKey = Registry.LocalMachine.OpenSubKey(key1, true);
    if (RegKey != null)
    {
        string[] Names = RegKey.GetValueNames();
        foreach (string keyName in Names)
        {
            string Value = RegKey.GetValue(keyName).ToString();
            if (Value.Contains("winsec32"))
            {
                try         // Deleting the Malware added registry values.
                {
                    RegKey.DeleteValue(keyName, true);
                    logString = string.Format("[+] Malware Key: {0} Deleted!", Value);
                    lbStatus.Items.Add(logString);
                }
                catch (Exception ee)
                {
                    EMessage = string.Format("[-] {0}", ee.Message);
                    MessageBox.Show(EMessage, "RemoveBot",
                        MessageBoxButtons.OK, MessageBoxIcon.Error);
                }
            }
        }
        RegKey.Close();
    }

    // Kill every running instance of winsec32.exe so the file can be deleted.
    Process[] processes = Process.GetProcessesByName("winsec32");
    logString = string.Format("[+] Killing the Process Tree.");
    lbStatus.Items.Add(logString);
    foreach (Process proc in processes)
    {
        try
        {
            proc.Kill();
        }
        catch (Win32Exception Wee)
        {
            EMessage = string.Format("[-] {0}", Wee.Message);
            MessageBox.Show(EMessage, "RemoveBot",
                MessageBoxButtons.OK, MessageBoxIcon.Error);
        }
    }

Let me know if anyone wants to test out the tool.

Writing Signature for the Bot:

When we hear or listen to the words "virus signature", the first question that comes to mind is: what the hell is a signature? Whenever you don't understand a complex term like this, just find the basic meaning of the word instead of thinking about its complexities. So in plain English a signature is nothing but an entity that identifies something. Everyone has their own so-called unique signature, and banks use that signature to identify their customers.

If we apply the same analogy to viruses and worms, signatures are nothing but the hex representation of some unique virus/worm pattern. Once this signature is fed into antivirus software, it detects the pattern and takes the configured/available action.

Signature-based scanning can be easily evaded, and hence lots of advanced anti-virus techniques like behavioural analysis, heuristic algorithms etc. have been developed. However, every anti-virus product still has a signature database and updates it at regular intervals.

For our IRCBot, we will write a signature for the ClamAV antivirus system. Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. Once installed on a system, it provides a tool named sigtool to generate malware signatures.

Ok, so we know the signature should contain the hex code of some unique pattern from the worm. We will choose some so-called unique string from the malware; we can pick this string from the output of the strings command.

Now open your favourite hex editor and search for the ASCII string. Once found, copy its hex values and paste them into a scratchpad. Choose a complex string together with some nearby hex values to avoid false positives. False positives are a serious problem in the AV industry, so you need to be careful while developing the signature. Following are the strings and their hex values which I chose for our sample signature.

Signature I: Crxbot Alias REalmbot -by Lindem-
746F707065642E20282564207468726561642873292073746F707065642E2900000000000B1A000050000000070000000400000001000000010000002E003100437278626F7420416C696173205245616C6D626F74202D6279204C696E64656D2D00000067656D703132330074657374697263312E73683178793262672E4E4554000000236368616C656E6765000000686170707931320057696E73656333322E657865
Signature II: RealmBoT (net.p.l.g)
707269766D7367006972632E61610000616464616C696173000000006972632E67680000676574686F7374005265616C6D426F5420286E65742E702E6C2E6729202EBBBB2E2020436F6D6D616E6420756E6B6E6F776E2E005265616C6D426F5420286E65742E702E6C2E6729
Signature III: [REALMBOT] : Goodbye idiot and nice try.
5265616C6D426F54286972632E702E6C2E6729202EBBBB2E202053797374656D20496E666F2E00005B5245414C4D424F545D203A20476F6F64627965206964696F7420616E64206E696365207472792E000000005265616C6D426F54202870726F63

Sigtool has many options and wildcards that can be used for generating the signature. The simplest way of generating a signature is by taking the file's MD5 hash. There are tutorials and good documentation on the usage of these wildcards on the internet; I am not going to repeat them here. I will show you the following two examples of signatures recognized by the ClamAV anti-virus.

  1. IRCBot.A(Bughira)=<hex signature; the original line is not preserved on this page>
  2. IRCBot.A.Bughira:1:*:707269766D7367006972632E61610000616464616C696173000000006972632E67680000676574686F7374005265616C6D426F5420286E65742E702E6C2E6729202EBBBB2E2020436F6D6D616E6420756E6B6E6F776E2E005265616C6D426F5420286E65742E702E6C2E6729

In the first example, IRCBot.A(Bughira) is just the name of the bot and the hex string is the actual signature. We need to follow standards for virus nomenclature. There's a well documented way followed by the Symantec Security Response team. You can follow it here.

Once this whole gibberish line is saved in a signature.db file and fed to ClamAV, it will scan files for our signature.

The second signature is a bit more advanced version of the ClamAV signature; it is more granular. Following are the fields used in the signature.

VirusName:FileType:Offset:Signature

Where,

  • VirusName: Name of the virus
  • FileType: Type of file to be scanned.
      • 0: Any file
      • 1: PE files
      • 2: OLE files
      • 3: HTML files
      • 4: Graphics files
      • 5: ELF files
      • 6: ASCII
  • Offset: Is an asterisk or a decimal number ‘n’, possibly combined with a special modifier:
      • *: Any offset
      • n: Absolute offset from the start of the file
      • EOF-n: ‘n’ bytes before the end of the file
  • Signature: Is the actual hex code.
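As an added example (not code from the original post), the following Python script builds an .ndb line out of an ASCII string exactly as described above, builds the simpler MD5 (.hdb) form, and applies the three Offset forms to a constructed sample buffer. The buffer, the "IRCBot.A.Bughira" name and the helper names are assumptions for illustration; the hex produced for "RealmBoT (net.p.l.g)" matches the value shown in Signature II.

```python
import hashlib

# Constructed sample buffer (not the real binary): an "MZ" header, padding,
# then a string the post picked from the bot, placed at byte offset 16.
SAMPLE = b"MZ" + b"\x00" * 14 + b"RealmBoT (net.p.l.g)" + b"\x00" * 8
CLEAN = b"MZ" + b"\x00" * 42          # same size, no bot string


def ascii_to_hex_sig(text):
    """Hex form of an ASCII pattern, upper-case like the post's signatures."""
    return text.encode("ascii").hex().upper()


def build_ndb_line(name, target, offset, pattern):
    """Assemble the .ndb fields VirusName:FileType:Offset:Signature."""
    return "%s:%d:%s:%s" % (name, target, offset, ascii_to_hex_sig(pattern))


def build_hdb_line(data, name):
    """The simplest signature: MD5 of the whole file (.hdb: MD5:Size:Name)."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def match_ndb(line, data):
    """Apply one .ndb line to data, honouring the three Offset forms."""
    _name, _target, offset, hexsig = line.strip().split(":", 3)
    sig = bytes.fromhex(hexsig)
    if offset == "*":                      # anywhere in the file
        return sig in data
    if offset.startswith("EOF-"):          # n bytes before end of file
        start = len(data) - int(offset[4:])
    else:                                  # absolute byte offset
        start = int(offset)
    if start < 0:                          # file shorter than the offset
        return False
    return data[start:start + len(sig)] == sig


if __name__ == "__main__":
    sig = build_ndb_line("IRCBot.A.Bughira", 1, "*", "RealmBoT (net.p.l.g)")
    print(sig)
    print("sample matches:", match_ndb(sig, SAMPLE))
    print("clean matches: ", match_ndb(sig, CLEAN))
    print(build_hdb_line(SAMPLE, "IRCBot.A.Bughira"))
```

Note that the absolute and EOF-n forms only fire when the pattern sits at exactly that position, which is why a pattern at offset 16 in a 44-byte file is found by "16" and "EOF-28" but not by "15".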

There are other advanced modifiers and wildcards that can be used to avoid false positives. ClamAV has documented them well; you can find the documentation here. The advanced signature needs to be saved in a .ndb file. Refer to the screenshots to see our generated signature in action.


This post does not cover virus signature generation in any depth. These signatures were developed just for educational purposes. Real signatures are way more complex and advanced, but this will surely get you started.

I hope you find this series of posts useful. I will post more on the latest malware analysis soon.

Till then stay safely Plugged.
