2013/03/12/malware analysis

This is my exploration of a trojan horse sent to open@duckduckgo.com. The email, which claimed to hold "My eTicket", contained a malicious call to action and .zip file.

I began by attempting to locate the origin of the email. The relevant portion of the headers is excerpted below. These headers cannot be relied upon for identification (they are trivially forged). However, the email does not claim to be from delta.com, leading me to suspect the original domain is genuine - why pretend to be from an arbitrary domain?

Received: from unknown (HELO ) (89.77.209.23)
  by 0 with SMTP; 5 Mar 2013 22:11:01 -0000
From: "DELTA" <PFlFnLybzQlsh@lorusso.com>
To: open@duckduckgo.com
Message-ID: <20130305231057.D5B526351B50D849E929.5F438C@MARTA-F97BA78A4>
Subject: Your eTicket
MIME-Version: 1.0
Content-Type: multipart/related;
  boundary="----=_Part_369841052092"
Taking a look at lorusso.com, it seems legitimate. Following with a WHOIS query, it still looks good.
Domain Name: LORUSSO.COM
Registrar: TUCOWS DOMAINS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS10.IXWEBHOSTING.COM
Name Server: NS9.IXWEBHOSTING.COM
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 17-oct-2011
Creation Date: 25-oct-1998
Expiration Date: 24-oct-2017

Administrative Contact:
   Lorusso, David  dave@lorusso.com
   1200 Mahogany Lane
   Cedar Park, TX 78613
   US
   +1.5123319487
Technical Contact:
   Lorusso, David  dave@lorusso.com
   1200 Mahogany Lane
   Cedar Park, TX 78613
   US
   +1.5123319487

Because I do not believe the email was sent by the owner of lorusso.com, this leaves two possibilities: a negligently open mail relay service, or a compromised system. To determine if the former is the case, I attempt to send my own email through his mail provider. To locate the resource, I first query the mail exchange record for the domain and it's corresponding address record.

$ dig mx lorusso.com +short
10 mail909.ixwebhosting.com.

$ dig mail909.ixwebhosting.com +short
76.162.254.111
76.162.254.117
76.162.254.118
76.162.254.109
76.162.254.110

$ telnet 76.162.254.111 25
Trying 76.162.254.117...
Connected to 76.162.254.117.
Escape character is '^]'.
220 ironport4.opentransfer.com ESMTP
helo dylanstestserver.com
250 ironport4.opentransfer.com
mail from: dylansserver.com
250 sender <dylansserver.com> ok
rcpt to: dylan@dylansserver.com
550 #5.1.0 Address rejected dylan@dylansserver.com
quit
221 ironport4.opentransfer.com
Connection closed by foreign host.

My request to forward mail through the server is denied appropriately. Without running an intrusive network scan of lorusso.com, at this point there is nothing left to do except to alert the technical contact of the domain.

Now to the payload. Inside a GNU/Linux VM I identify the file type, log a checksum, and unpack, recursively. I'm lucky - it's packed, but there is no obfuscation of the executable by its format.

$ file eTicket.zip
eTicket.zip: Zip archive data, at least v2.0 to extract

$ md5sum eTicket.zip
5f3aeef467f263e56b7a53f28497523c  eTicket.zip

$ unzip eTicket.zip
Archive:  eTicket.zip
  inflating: eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe

$ file eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

$ md5sum eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
a98d8bf1d8b68477867ebae47f0d5086  eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe

$ upx -d eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe 

$ file eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe 
eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe: PE32 executable (GUI) Intel 80386, for MS Windows

$ md5sum eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
82c3c81779564d999787a3a15203fb33  eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe

Seeing the portable executable, I know the honeypot system I need. Before preparing it, I take quick peek inside the file:

$ strings eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
...
KERNEL32.DLL
gdi32.dll
user32.dll
UnregisterWaitEx
GetEnvironmentStringsA
GetCommandLineW
CreateDirectoryExA
ExitProcess
GetNumberFormatW
GetCommandLineA
EnumTimeFormatsA
GetPrivateProfileStructW
GetTextExtentPoint32W
GetRgnBox
SetColorSpace
DeviceCapabilitiesExW
DeleteDC
PolyTextOutA
GetBkColor
GetFontLanguageInfo
CreateFontW
GetKerningPairsA
GdiDeleteSpoolFileHandle
GetMapMode
GdiArtificialDecrementDriver
CreateFontIndirectExA
StartDocW
SetROP2
UpdateColors
OffsetViewportOrgEx
GetOutlineTextMetricsA
DeviceCapabilitiesExA
CopyEnhMetaFileA
Polyline
SetAbortProc
ExtEscape
SetBrushOrgEx
GetFontResourceInfoW
StartPage
GetDIBColorTable
EudcUnloadLinkW
OffsetWindowOrgEx
IntersectClipRect
SetMapMode
CreateFontIndirectW
GetTextFaceA
GetRelAbs
DescribePixelFormat
GetLogColorSpaceW
BeginPath
GetPath
GetCharacterPlacementW
GdiPlayPrivatePageEMF
SelectPalette
CloseMetaFile
CreateRectRgn
EnumFontsA
SetLayout
EudcLoadLinkW
InvertRgn
EnumFontFamiliesExW
SetRelAbs
EnumFontFamiliesExA
GetStretchBltMode
GetCharacterPlacementA
CreateFontIndirectA
GdiPlayScript
CreateDCA
ExcludeClipRect
SetMetaFileBitsEx
GetDeviceCaps
StartFormPage
GetWorldTransform
CombineTransform
FlattenPath
GdiPlayPageEMF
CreatePolyPolygonRgn
GetBkMode
SelectFontLocal
PolyPolyline
CreateDCW
GetTextExtentPoint32A
SelectObject
EnumFontFamiliesA
RemoveFontResourceExW
SetSystemPaletteUse
GetPaletteEntries
GetCharWidthFloatA
Escape
DeleteObject
UpdateICMRegKeyA
GetFontUnicodeRanges
CreateCompatibleBitmap
ExtCreatePen
GetObjectW
GetTextExtentPointI
GdiComment
GetWindowExtEx
SelectBrushLocal
GetCharWidthFloatW
FloodFill
EndPath
LPtoDP
WidenPath
RemoveFontResourceW
CopyEnhMetaFileW
GetMetaFileA
PolyPolygon
PaintRgn
CreatePalette
GetGlyphIndicesA
GdiGetSpoolFileHandle
GetDIBits
SetTextCharacterExtra
PolylineTo
SetMetaRgn
GetKerningPairsW
ExtCreateRegion
GetCharWidthA
SetColorAdjustment
GetLayout
SetMagicColors
SetICMProfileW
GetSystemPaletteEntries
SetDIBits
DeleteEnhMetaFile
CreatePatternBrush
SetWindowOrgEx
GetTextExtentPointA
UnrealizeObject
PolyTextOutW
ResetDCW
CreateFontIndirectExW
GetTextExtentExPointW
CreateCompatibleDC
GetLogColorSpaceA
GetTextExtentPointW
CreateDIBPatternBrushPt
CreatePolygonRgn
GdiPlayJournal
ColorCorrectPalette
RemoveFontMemResourceEx
GetStockObject
PatBlt
FrameRgn
UpdateICMRegKeyW
GetCharABCWidthsA
CreatePen
CombineRgn
GetEnhMetaFileW
GetDCOrgEx
GetBoundsRect
LineDDA
PlayEnhMetaFile
RemoveFontResourceA
GetSystemPaletteUse
GdiPlayDCScript
CreateColorSpaceW
GetBitmapBits
GetDCPenColor
GetBrushOrgEx
GetCharWidthI
GetBitmapDimensionEx
GetObjectType
RemoveFontResourceExA
SelectClipRgn
TranslateCharsetInfo
CreateEnhMetaFileW
GetObjectA
SetStretchBltMode
GetFontAssocStatus
SetDCBrushColor
SetRectRgn
Polygon
SetMapperFlags
EnumEnhMetaFile
SetDIBColorTable
GetDeviceGammaRamp
StartDocA
CreatePenIndirect
StretchBlt
VkKeyScanExA
InvalidateRect
ToUnicodeEx
GetMenuDefaultItem
AdjustWindowRect
ReleaseCapture
EnumDisplayDevicesW
DdeDisconnect
TranslateMDISysAccel
SetClipboardViewer
DrawTextA
LoadMenuW
CharNextW
GetLastActivePopup
CopyRect
PrivateExtractIconsW
IsWindow
GetTabbedTextExtentA
InvalidateRgn
GetClipboardFormatNameA
IMPQueryIMEW
TranslateMessage
CreateMenu
SetWindowsHookExA
DefWindowProcA
GetDialogBaseUnits
GetWindowRgn
OpenDesktopW
LockWindowUpdate
...

There are some interesting calls made, but I don't know enough about Windows internals to tell much from it. Instead, I'll move on to dynamic analysis. To create a safe, monitored environment, I will use another guest operating system, loaded with the following utilities:

  • VirtualBox appliance, Windows XP SP3
  • Internet Explorer 8 (updated)
  • Windows Security Essentials (updated)
  • RegShot (for registry and filesystem snapshots)
  • Windows Process Monitor (for live monitoring of system calls)

The host also requires configuration. I create a virtual network device (and an ethernet bridge) that can be attached to the virtual machine, watched and firewalled.

sudo modprobe vboxnetflt

sudo brctl addbr br0
sudo brctl addif br0 eth0

sudo modprobe tun
sudo ip tuntap mode tap
sudo link set up tap0
sudo brctl addif br0 tap0

mkdir monitor && cd monitor
sudo tcpdump -itap0 -vvvA -s0 -G 60 -W 1 -Uw baseline_
tcpdump -vvvA -r baseline_00

With a distinct, tapped interface, I listen for baseline network connections including ARP and UDP inside the LAN. This will help me eliminate noise from the network I/O of the infected system. Simultaneously, I create a new virtual machine snapshot to return to later. Meanwhile, inside the guest I take registry and filesystem snapshots with RegShot, as well as open the Process Monitor, filtering out friendly services. With a healthy signature obtained, I start a new listening process:

sudo tcpdump -itap0 -vvvA -s0 -C 128 -W 10 -Uw capture_

Environment prepared, I download and execute the trojan. The file disappears after triggering, and the process and network monitors flood with calls and packets. After about 3 minutes, I pause the VM, and begin the log analysis.

My first step now is to peek inside with my editor. There are a lot of HTTP requests, furthermore, a lot of requests that seem to passing parameters used for ad tracking.

$ strings capture_00 | grep http | wc -l
281
$ strings capture_00 | grep http | grep CLICK | wc -l
137
$ strings capture_00 | grep http | grep -v CLICK | grep impression | wc -l
73
$ strings capture_00 | grep Host | sort -u
Host: 113594url.directdisplayad.com
Host:239.255.255.250:1900
Host: 88.198.7.221
Host: ajax.googleapis.com
Host: cache.adfeedstrk.com
Host: cds.q2q3h3t3.hwcdn.net
Host: connect.facebook.net
Host: edge.sharethis.com
Host: fonts.googleapis.com
Host: html5shiv.googlecode.com
Host: j.maxmind.com
Host: redirect.ad-feeds.net
Host: vjlvchretllifcsgynuq.com
Host: wd.sharethis.com
Host: w.sharethis.com
Host: www.directorslive.com
Host: xlotxdxtorwfmvuzfuvtspel.com

A bit more searching and it's clear that the malware is using my computer to send out hundreds of forged ad impressions every minute. It's also hitting something else interesting - j.maxmind.com is a geolocation service. It's possible that it's fetching this information to send back to a command and control sever. This of course points towards the next concern - that the program has also installed additional hooks such as a keylogger, which it could use to send keystrokes (including financial information) to its owner.

None of the outgoing packets look very interesting, but there's no way of predicting when it might try to make contact. Instead, I'll try to look for evidence of additional tampering locally. To do this, I look at the registry and file system diff, alongside the process monitor.

----------------------------------
Files deleted: 2
----------------------------------
C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
C:\WINDOWS\Tasks\MpIdleTask.job
$ egrep -i 'Control.*firewall' registry.changes
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001

No more security scans! These deleted files ensure that the automatic malware scans will no longer run. Also modified and removed are firewall control settings. There don't seem to be any obvious changes to core system code such as DLLs that would be used by a keylogger - but I could easily be missing something. With the process monitor I see the file and registry modifications in real time, but nothing else jumps out at me.

Here is the baseline tcpdump, the capture tcpdump and the full filesystem and registry diff.