
Thread: a nice paper on a trojan/malware

  1. #1
    Super Moderator (Join Date: Dec 2004, Posts: 1,487, Blog Entries: 15)


    Recently I was playing, as usual, with some of my weird ideas on an unknown computer.

    I happened to stop very early in the process creation routine.

    My process was calc.exe, and I knew I should have only a memory map at 0x1000000, which is its preferred address.

    Code:
    Memory map
    Address           Size     (Decimal)          Owner      Section    Contains      Type                           Access    Initial   Mapped as
    00010000          00001000 (4096.)                                                Priv 00021004                  RW        RW
    00020000          00001000 (4096.)                                                Priv 00021004                  RW        RW
    0006E000          00001000 (4096.)                                                Priv 00021104                  RW  Guar  RW
    0006F000          00001000 (4096.)                                  stack of mai  Priv 00021104                  RW  Guar  RW
    00070000          00001000 (4096.)                                                Map  00041002                  R         R
    00080000          00002000 (8192.)                                                Map  00041002                  R         R
    00400000          0001B000 (110592.)                                              Priv 00021002                  R
    01000000          0001F000 (126976.)                                              Imag 01001002                  R         RWE
    77F50000          000A7000 (684032.)                                              Imag 01001002                  R         RWE
    7FFB0000          00024000 (147456.)                                              Map  00041002                  R         R
    7FFDE000          00001000 (4096.)                                  data block o  Priv 00021040                  RWE       RWE
    7FFDF000          00001000 (4096.)                                                Priv 00021040                  RWE       RWE
    7FFE0000          00001000 (4096.)                                                Priv 00021002                  R         R

    But what I see is one entry at 0x400000. wtf, who is lurking here?
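    The observation above, a private region that is not backed by an image sitting at 0x400000 (the default EXE image base), can be checked mechanically rather than by eye. The following Python is an added example, not code from the post or from OllyDbg: it parses rows in the memory-map format quoted in this thread (the rows are reproduced here as constructed test input) and flags large private regions that carry no known role. The size threshold and the exclusion rules are my own assumptions, not something the post states.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the OllyDbg memory-map rows quoted in the post, used as test input.
SAMPLE_MAP = """\
00010000          00001000 (4096.)                                                Priv 00021004                  RW        RW
00020000          00001000 (4096.)                                                Priv 00021004                  RW        RW
0006E000          00001000 (4096.)                                                Priv 00021104                  RW  Guar  RW
0006F000          00001000 (4096.)                                  stack of mai  Priv 00021104                  RW  Guar  RW
00070000          00001000 (4096.)                                                Map  00041002                  R         R
00080000          00002000 (8192.)                                                Map  00041002                  R         R
00400000          0001B000 (110592.)                                              Priv 00021002                  R
01000000          0001F000 (126976.)                                              Imag 01001002                  R         RWE
77F50000          000A7000 (684032.)                                              Imag 01001002                  R         RWE
7FFB0000          00024000 (147456.)                                              Map  00041002                  R         R
7FFDE000          00001000 (4096.)                                  data block o  Priv 00021040                  RWE       RWE
7FFDF000          00001000 (4096.)                                                Priv 00021040                  RWE       RWE
7FFE0000          00001000 (4096.)                                                Priv 00021002                  R         R
"""

# One region row: address, size, decimal size, optional "Contains" text, type, flags, access,
# optional guard marker, optional initial access. Header lines do not match and are skipped.
ROW = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+(?P<size>[0-9A-F]{8})\s+\((?P<dec>\d+)\.\)"
    r"\s*(?P<contains>.*?)\s*(?P<type>Priv|Map|Imag)\s+(?P<flags>[0-9A-F]{8})"
    r"\s+(?P<access>[RWEC]+)(?:\s+(?P<guard>Guar))?(?:\s+(?P<initial>[RWEC]+))?\s*$"
)

DEFAULT_EXE_BASE = 0x400000  # typical linker default for an .exe; assumption for the comment below


class Region(NamedTuple):
    base: int
    size: int
    contains: str       # "stack of mai", "data block o", or "" when the debugger has no annotation
    kind: str           # Priv (private), Map (file mapping), Imag (image)
    access: str
    initial: Optional[str]


def parse_memory_map(text: str) -> list:
    """Parse memory-map rows in the quoted format; lines that are not rows are ignored."""
    regions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m["addr"], 16), int(m["size"], 16), m["contains"],
                              m["type"], m["access"], m["initial"]))
    return regions


def suspicious_private_regions(regions: list, min_size: int = 0x10000) -> list:
    """Heuristic (my assumption): a private region, i.e. not backed by an image or file,
    that is at least min_size bytes and has no known role (stack, PEB/TEB data block)
    is where a manually mapped or injected PE tends to live. Image regions are excluded
    because they are what the loader legitimately placed; an executable's own image
    would show as Imag, not Priv, even at the default base address."""
    return [r for r in regions
            if r.kind == "Priv" and r.size >= min_size and not r.contains]


if __name__ == "__main__":
    for r in suspicious_private_regions(parse_memory_map(SAMPLE_MAP)):
        note = " (default EXE image base)" if r.base == DEFAULT_EXE_BASE else ""
        print(f"check {r.base:08X} size {r.size:X} {r.kind} {r.access}{note}")
```

    On the quoted map this reports only the 0x400000 region; the 4 KB private pages (environment block, stack, PEB/TEB) fall under the size threshold or carry an annotation. The next step a practitioner would take is to read the first bytes of the flagged region and look for an MZ header, which is what the post does by hand.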
    Let's dump it.
    The PE header looks suspicious enough:
    Code:
    00400000  4D 5A 40 00 00 00 00 00 01 00 00 00 80 EE 36 00  MZ@........€6.
    00400010  60 EA 00 00 60 EA 00 00 60 EA 00 00 80 4F 12 00  `..`..`..€O.
    The section headers are even weirder:

    Code:
    00400000  MZ@........€6.`..`..`..€O.`..&......................
    00400040  ^}f}(@xIŠG™˜7•7*”95l!(^}f}(@ŒNzV†QŽSŽFW5œ;`?
    00400080  tgŽx[*@•ž}L&QSe”˜M/6!`5$W‰(KlF
    004000C0  괧Y›V€CD)HŒf‘“.G;ova*ud—h‹"]†10
    00400100  3*E™2-<–ƒ:„7iˆ+B_PJ‡.9{R\#Z>.bqp
    00400140  sj…4'N8rm|OA.zUw^k‚=.ŸŠ%TnyX’.œ cš~I,?
    00400180  tgŽx[*@•ž}L&QSe”˜M/6!`5$W‰(KlF
    004001C0  괧Y›V€CD)HŒf‘PE..L.rE.........K...
    00400200  .$.................@.................................
    00400240  .......................................................
    00400280  ..............................................................
    004002C0  .........................tsdgz........h.................@..
    00400300  .fcj....4.........l..............@...tmn....0.........n..
    00400340  ............@...ponkl............~.............. ..........
    ponk, tsgdz, wtf?
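    The header dumped above shows the traits the post is reacting to: junk between the DOS header and the PE signature, and section names that no compiler emits. The following Python is an added example, not code from the post or from the paper it links: it builds a constructed in-memory PE image with the same traits (the section names are taken from the dump; the e_lfanew value, the junk fill and the flag values are my own choices), then parses the section table and reports the anomalies a triage pass would flag. The e_lfanew threshold is a heuristic assumption, not a rule.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a normal toolchain produces; anything else is worth a look (assumption: not exhaustive).
KNOWN_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
                  b".rsrc", b".reloc", b".tls", b"CODE", b"DATA", b"BSS"}


def build_sample(e_lfanew=0x1D0, section_names=(b"tsdgz", b"fcj", b"tmn", b"ponkl"), wx_code=True):
    """Construct a minimal PE32 image in memory: MZ header, deterministic junk up to the PE
    signature, a COFF header, a zeroed optional header and one section header per name."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)            # e_lfanew: offset of "PE\0\0"
    for i in range(0x40, e_lfanew):                         # junk instead of a DOS stub
        img[i] = (i * 0x9E + 0x37) & 0xFF
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0xE0 for PE32), Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x010F)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)          # ImageBase
    sec = opt + 0xE0
    va = 0x1000
    for idx, name in enumerate(section_names):
        chars = 0x60000020 if idx == 0 else 0xC0000040       # code R+X, data R+W
        if idx == 0 and wx_code:
            chars |= IMAGE_SCN_MEM_WRITE                     # self-modifying/unpacking code: W+X
        struct.pack_into("<8sIIIIIIHHI", img, sec + 40 * idx, name.ljust(8, b"\0"),
                         0x1000, va, 0x1000, va, 0, 0, 0, 0, chars)
        va += 0x1000
    return bytes(img)


def parse_pe_sections(buf):
    """Return (e_lfanew, sections) from a PE image; raises ValueError if the headers are not a PE."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, _raw, _rawptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", buf, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize, "chars": schars})
    return e_lfanew, sections


def triage(buf):
    """List header anomalies: oversized DOS-stub gap, unknown section names, W+X sections."""
    findings = []
    e_lfanew, sections = parse_pe_sections(buf)
    if e_lfanew > 0x100:  # heuristic: linkers leave a short stub; a big junk-filled gap is a packer trait
        findings.append(f"e_lfanew=0x{e_lfanew:x}: unusually large DOS-stub gap")
    for s in sections:
        if s["name"] not in KNOWN_SECTIONS:
            findings.append(f"section {s['name']!r}: non-standard name")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']!r}: writable+executable")
    return findings


if __name__ == "__main__":
    for f in triage(build_sample()):
        print(f)
```

    Running the same parser over a conventionally built sample (e_lfanew of 0x80, .text and .data, no W+X) returns no findings, so the checks discriminate rather than fire on everything.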

    Mind you, an active antivirus with updated virus definitions is running in the background, and it is not detecting it.

    So it's time to stop what I was doing and look for what this crap is.

    Let's first dump this memory as it is:

    right click --> create backup
    right click --> save backup to file
    Let's save it with the default name to the desktop:
    Code:
    dir /s/b *.mem
    \Desktop\_00400000.mem
    Let's run strings on it:
    >strings _00400000.mem > resu.txt

    Woot, 12 KB worth of strings. Let's check them out:

    Code:
    Strings v2.2
    Copyright (C) 1999-2005 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    C:\WINDOWS\System32\wsnpoem\video.dll
    C:\WINDOWS\System32\ntos.exe
    Service Pack 1
    C:\WINDOWS\System32\wsnpoem\audio.dll
    Connection: close
    HTTP/1.0 200 Connection established
    Content-Length: 
    *keep-alive*
    Connection: 
    Proxy-Connection: 
    http://
    CONNECT
    Let's check if this is available:

    Code:
    C:\WINDOWS\system32\wsnpoem>dir
     Volume in drive C has no label.
     Volume Serial Number is 276D-07F3
    
     Directory of C:\WINDOWS\system32\wsnpoem
    
    03/02/2007  09:25 AM    <DIR>          .
    03/02/2007  09:25 AM    <DIR>          ..
    04/03/2007  07:49 PM             2,815 video.dll
    04/03/2007  08:00 PM                 0 audio.dll
                   2 File(s)          2,815 bytes
                   2 Dir(s)     578,920,448 bytes free
    
    C:\WINDOWS\system32\wsnpoem>
    
    C:\WINDOWS\system32>dir /s /b nto*.*
    C:\WINDOWS\system32\ntoskrnl.exe
    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\system32\Setup\ntoc.dll
    C:\WINDOWS\system32\dllcache\ntoc.dll
    
    C:\WINDOWS\system32>del ntos.exe
    C:\WINDOWS\system32\ntos.exe
    The process cannot access the file because it is being used by another process.  
    
    some fsck is using it but it is not visible in taskmgr
    
    C:\WINDOWS\system32>
    Code:
    C:\>tasklist
    
    Image Name                   PID Session Name     Session#    Mem Usage
    ========================= ====== ================ ======== ============
    System Idle Process            0 Console                 0         20 K
    System                         4 Console                 0         48 K
    SMSS.EXE                     376 Console                 0         40 K
    CSRSS.EXE                    548 Console                 0      1,220 K
    WINLOGON.EXE                 584 Console                 0      1,044 K
    SERVICES.EXE                 972 Console                 0        968 K
    LSASS.EXE                    984 Console                 0      1,400 K
    SVCHOST.EXE                 1296 Console                 0      1,884 K
    SVCHOST.EXE                 1388 Console                 0      6,664 K
    SVCHOST.EXE                 1576 Console                 0        708 K
    SVCHOST.EXE                 1600 Console                 0      1,640 K
    ccEvtMgr.exe                1752 Console                 0        496 K
    SPOOLSV.EXE                 1884 Console                 0        692 K
    Navapsvc.exe                 708 Console                 0        704 K
    ccApp.exe                    748 Console                 0        892 K
    UTSCSI.EXE                   944 Console                 0         36 K
    EXPLORER.EXE                1148 Console                 0     13,856 K
    iexplore.exe                1924 Console                 0      9,392 K
    cmd.exe                      684 Console                 0        716 K
    tasklist.exe                 516 Console                 0      3,608 K
    wmiprvse.exe                1904 Console                 0      4,788 K
    
    C:\>
    Been here for quite a few days, it seems. Dunno how much information it has stolen so far, and don't know how many ppl have unwittingly given their credit card numbers and their wives' names to this dacoit of a program.

    And this ntos leads me to this paper:

    http://www.securescience.net/securescienceblog/malwarecasestudy.html
    http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf

    Enjoy reading; a nice dissection, from the looks of the paper.

    When I get time I'll corroborate this paper with my captive; till then,
    happy malwarezzing.

    Edit: looks like the actual ntos.exe that I couldn't delete
    and the memory dump are vastly different.

    Probably the one I dumped is a father.

    Code:
    
    >dir
     Volume in drive C has no label.
     Volume Serial Number is 276D-07F3
    
    
    02/19/2007  01:17 AM    <DIR>          .
    02/19/2007  01:17 AM    <DIR>          ..
    03/25/2007  02:07 PM            50,756 mcshield.exe
    04/03/2007  08:04 PM           633,663 pubMalwareCaseStudy.pdf
    04/03/2007  08:17 PM           110,592 _00400000.mem
    12/24/2005  09:34 AM            36,864 strings.exe
    04/03/2007  08:22 PM            12,280 resu.txt
    04/03/2007  08:28 PM             4,256 resu1.txt
    07/15/2003  12:00 PM           134,656 NTOS.EXE
                   9 File(s)      2,589,726 bytes
                   2 Dir(s)     576,405,504 bytes free
    But after my surgery the cancer isn't in the memory map, so obviously I have bought time, it seems.

    I'll have to dig into my memdump on how it behaves.

    Code:
    Memory map
    Address    Size       Owner      Section    Contains      Type   Access    Initial   Mapped as
    00010000   00001000                                       Priv   RW        RW
    00020000   00001000                                       Priv   RW        RW
    0006E000   00001000                                       Priv   RW  Guar  RW
    0006F000   00001000                         stack of mai  Priv   RW  Guar  RW
    00070000   00001000                                       Map    R         R
    00080000   00002000                                       Map    R         R
    01000000   0001F000                                       Imag   R         RWE
    77F50000   000A7000                                       Imag   R         RWE
    7FFB0000   00024000                                       Map    R         R
    7FFDE000   00001000                         data block o  Priv   RWE       RWE
    7FFDF000   00001000                                       Priv   RWE       RWE
    7FFE0000   00001000                                       Priv   R         R
    No entry at 0x400000 for the moment.

    I at the moment have no time to play with this.
    Uploaded here for anyone to check out.
    It is live infected; the first layer of zip is password protected.
    Password is infected.
    It contains a renamed zip, ntoscrapzip; rename it back to ntoscrap.zip.
    This contains three files:
    1) ntos.exe
    2) _00400000.mem (real dump from my memory map)
    3) one more crap that was in autorun (not detected by AV, don't know wtf it is;
    I hate unknown autoruns so I try to grab them all). Name is mcshield.exe.
    Last edited by blabberer; April 3rd, 2007 at 11:30.

  2. #2
    There is also some discussion of this Trojan in a thread at Lavasoft:

    http://www.lavasoftsupport.com/index.php?showtopic=4792

    which also has links to a study of the beast:

    http://www.securescience.net/securescience...ecasestudy.html

    which, in turn, links back to your

    http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf

    case study.

    Their comments include:

    FAO HJT log experts, one of the following 2 entries will signify the presence of this trojan. Its removal is not difficult: kill the principal executable (Ntos.exe) and the infection/effects are neutered.

    O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
    or
    F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe

    They also report that:

    "The bad news is, as with Morphine z-lob, this trojan is now being repacked as regular as clockwork (names, file size etc) to evade detections & cleaning routines, but yet still retaining its thoroughly unpleasant operative capabilities listed in the PDF research paper."

    There's also a CastleCops Thread found here:

    http://www.castlecops.com/t171215-barclay_ntos_exe.html

    Regards,
    JMI
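    The two HijackThis entries quoted above are a compact detection rule: the Winlogon Userinit value should name only userinit.exe, and a Run value named "userinit" that launches something else is mimicry. The following Python is an added example, not code from this thread, from HijackThis or from Lavasoft: it parses HijackThis-style O4 and F2 lines and reports both patterns. The lines quoted in the post are reused as constructed input; the file-name watch list is drawn from names this thread mentions and is my own assumption, not an authoritative indicator list.

```python
import re
from pathlib import PureWindowsPath

# File names this thread associates with the infection (assumption: illustrative, not exhaustive).
THREAD_IOC_NAMES = {"ntos.exe", "video.dll", "audio.dll", "mcshield.exe"}

# HijackThis line shapes as they appear in the quoted log excerpt.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")


def _program(cmd: str) -> str:
    """Strip arguments from a command line: a quoted path, or everything up to the first .exe."""
    m = re.match(r'^"([^"]+)"|^(.+?\.exe)\b', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd


def _basename(path: str) -> str:
    return PureWindowsPath(path.strip().strip('"')).name.lower()


def check_userinit(value: str) -> list:
    """Userinit is a comma-separated list and Windows runs every entry at logon,
    so any entry other than userinit.exe is logon persistence."""
    findings = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # the legitimate value ends with a trailing comma
        if _basename(entry) != "userinit.exe":
            findings.append(f"Userinit launches an extra program: {entry}")
    return findings


def check_run_entry(name: str, cmd: str) -> list:
    """Flag a Run value that borrows the Userinit name, or that starts a file on the watch list."""
    findings = []
    exe = _basename(_program(cmd))
    if name.lower() == "userinit":
        findings.append(f"Run value named '{name}' mimics the Winlogon Userinit value: {cmd}")
    if exe in THREAD_IOC_NAMES:
        findings.append(f"Run value '{name}' starts a file named in this thread: {exe}")
    return findings


def triage_hjt_lines(lines) -> list:
    findings = []
    for line in lines:
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            findings.extend(check_run_entry(m["name"], m["cmd"]))
            continue
        m = F2_USERINIT.match(line)
        if m:
            findings.extend(check_userinit(m["value"]))
    return findings


# Constructed input: the two entries quoted from the Lavasoft thread plus two benign lines.
QUOTED_LINES = [
    r"O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe",
    r"F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe",
]
BENIGN_LINES = [
    r'O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\example.exe" /background',
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
]

if __name__ == "__main__":
    for f in triage_hjt_lines(QUOTED_LINES + BENIGN_LINES):
        print(f)
```

    The same split-and-compare logic applies to the live registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, which is where the F2 line comes from; the trailing comma in the legitimate value is why empty entries are skipped rather than reported.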

  3. #3
    King of Redonda (Join Date: Jul 2006, Posts: 109, Blog Entries: 4)
    Please search before posting. This is almost the same trojan. I think it is (a variant of) Trojan-Spy.Win32.Banker.cmb.
    Probably yours is an earlier version because the one I am studying has some of the strings you found in an encrypted form, doesn't use hardcoded addresses and has another "better" way of finding out the service pack.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section

  4. #4
    King of Redonda (Join Date: Jul 2006, Posts: 109, Blog Entries: 4)
    I checked out mcshield and it looks like MiniRAT (aka Trojan.XK). The description of Trojan.XK matches my disassembly and it drops a dll with one export: miniratMain.

    Virustotal links:
    mcshield exe: http://www.virustotal.com/vt/en/resultadof?3c6ca50ecd345efecce3d9b888796db1
    dropped DLL: http://www.virustotal.com/vt/en/resultadof?82458088f306ef1e209e62069994fd13
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section
