
Games PC Shogun-total War-warlord Edition


Shogun: Total War -- Warlord Edition [PC Game]

Sold Out Software (2003) - Empire-Building



Details
Platform: PC
Publisher: Sold Out Software
Release Date: September 26, 2003
UPC: 5037999006312



Video review

116: Shogun: Total War Warlord Edition (Gameplay, german version)

 

User reviews and opinions

Comments to date: 1. Page 1 of 1. Average Rating:
GenerationCX 4:33am on Tuesday, March 16th, 2010 
One of the best strategy games out there. Shogun: Total War is one of the best strategy games ever. A MILESTONE IN GAMING HISTORY!!! The BEST war game I've played. An absolutely awesome piece. The graphics and sound are just so fantastic! Able to control hundreds of troops at a time.


 

Documents


Certified Reverse Engineering Analyst (CREA) Practical

Analyst: Jason Swallows
Date: 1 February 2010
Malware: Practical 1252

Item A - File Provided: malware.exe, MD5: 0783505871f4d862b78d4a709827d42d

1) General function and functionality of the malware

Item A is a Windows-based worm that:
- Opens a port on 113 and spoofs identd for IRC connections.
- Connects to an IRC server, joins a channel and waits for commands from the author.
- Commands give broad control of the machine to the author.
- Can steal keys for many games.
- Can spread by exploiting network shares with weak passwords (uses a list of common user names and passwords).

2) Behavioral patterns of malware

Since Item A attempts to propagate by scanning network shares, it has the behavioral pattern of a worm. It also could be classified as a Bot, since it sits and waits for commands from the author.

3) Local system interaction

- Makes the file and registry modifications listed under Question #4.
- Kills the following processes (See Illustration 1 & 2):
  "regedit.exe" "MSBLAST.exe" "msconfig.exe" "teekids.exe" "netstat.exe" "Penis32.exe" "msblast.exe" "bbeagle.exe" "zapro.exe" "SysMonXP.exe" "navw32.exe" "winupd.exe" "navapw32.exe" "winsys.exe" "zonealarm.exe" "ssate.exe" "wincfg32.exetaskmon.exe" "rate.exe" "PandaAVEngine.exe" "d3dupdate.exe" "sysinfo.exe" "irun4.exe" "mscvb32.exe" "i11r54n4.exe"

Illustration 2: 0x00429DB0 starts the list of processes to be killed
Illustration 1: If one of the processes above is identified, open it, then terminate it.

- Deletes the following shares (See Illustration 3): IPC$, ADMIN$, C$, D$

Illustration 3: Delete network shares

When controlled via IRC, commands can be issued by the controller to achieve objectives on the local system. There are many commands, but I will just document a few here as examples.

Command: capture or cap
Purpose: Can capture an image or movie from a webcam or the desktop
Illustration 3: Code sample from screen/cam capture process

Command: execute or e
Purpose: Attempts to run a program on the local system
Illustration 4: Code sample from execution process

Command: readfile or rf
Purpose: Allows controller to read a file from local system
Illustration 5: Code sample from file reading process

Other commands, which I won't go into, provide capabilities for the following:
- E-mailing
- File searching, listing, deleting, etc.
- DNS queries or cache flushing
- File downloading and uploading
- Clipboard capture
- Processes listing and stopping
- Rebooting
- System information
- Network scanning
- Denial of service attacks
- TFTP capabilities
- Many more!

Opens a port on 113 and spoofs identd for IRC connections.

Illustration 6: A small section of the code for starting the listener.
Illustration 7: Sample of offsets to the received requests and related functions.

4) Files and registry keys created, modified and accessed

File access/modification:
- Copies itself, as scrgrd.exe, to the %System% folder and creates a new process with the newly copied executable.

Illustration 6: The name for the new executable is scrgrd.exe
Illustration 7: Initialize CopyFileA to esi to be called later

- Potentially accesses <Soldier of Fortune II Install Path>\base\mp\sof2key to check for a CD Key.
- Potentially access <Neverwinter Nights Install Path>\nwncdkey.ini to check for CD keys.
- Potentially files created, changed by author over IRC

Registry (Creates, to ensure execution of the malware on startup)
- Creates HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore with the value %System%\scrgrd.exe
- Creates HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Restore with the value %System%\scrgrd.exe
- Creates HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Restore with the value %System%\scrgrd.exe

Illustration 8: Registry entry creation area.

Registry (Changes value of)
- Sets the value of HKLM\Software\Microsoft\OLE\EnableDCOM to N
- Sets the value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous to 1

Registry (Checks for and gets value of)
- "HKCU\Software\\Valve\\CounterStrike\\Settings\CDKey"
- "HKCU\Software\\Eugen Systems\\The Gladiators\RegNumber"
- "HKCU\Software\\Valve\\Gunman\\Settings\Key"
- "HKCU\Software\\Valve\\Half-Life\\Settings\Key"
- "HKCU\Software\\JoWooD\\InstalledGames\\IG2\prvkey"
- "HKCU\Software\\3d0\\Status\CustomerNumber"
- "HKCU\Software\Silver Style Entertainment\Soldiers Of Anarchy\Settings\CDKey"
- "HKLM\Software\Microsoft\Windows\CurrentVersion\ProductId"
- "HKLM\Software\Unreal Technology\Installed Apps\UT2003\CDKey"
- "HKLM\Software\Unreal Technology\Installed Apps\UT2004\CDKey"
- "HKLM\Software\IGI 2 Retail\CDKey"
- "HKLM\Software\Electronic Arts\EA Distribution\Freedom Force\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Battlefield 1942\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Battlefield 1942 Secret Weapons of WWII\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Battlefield Vietnam\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Black and White\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Command and Conquer Generals Zero Hour\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\James Bond 007 Nightfire\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Generals\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Global Operations\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Breakthrough\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Spearhead\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit 2\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Need For Speed Underground\ergc"
- "HKLM\Software\Electronic Arts\EA GAMES\Shogun Total War - Warlord Edition\ergc"
- "HKLM\Software\Electronic Arts\EA Sports\FIFA 2002\ergc"
- "HKLM\Software\Electronic Arts\EA Sports\FIFA 2003\ergc"
- "HKLM\Software\Electronic Arts\EA Sports\NHL 2002\ergc"
- "HKLM\Software\Electronic Arts\EA Sports\NHL 2003\ergc"
- "HKLM\Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc"
- "HKLM\Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc"
- "HKLM\Software\Red Storm Entertainment\RAVENSHIELD\CDKey"
- "HKLM\Software\Westwood\Tiberian Sun\Serial"
- "HKLM\Software\Westwood\Red Alert\Serial"
- "HKLM\Software\Westwood\Red Alert 2\Serial"
- "HKLM\Software\Westwood\NOX\Serial"
- "HKLM\Software\\Techland\\Chrome\SerialNumber"
- "HKLM\Software\Illusion Softworks\Hidden & Dangerous 2\key"

Illustration 9: A portion of the key stealer code.

Registry (Other)
- If "HKLM\Software\Activision\Soldier of Fortune II - Double Helix\InstallPath" exists, gets its value, which is the installation path of this game, then under that path, checks for the file base\mp\sof2key to get the key.
- If Software\\BioWare\\NWN\\Neverwinter\Location exists, gets its value, which is the installation path of this game, then under that path, checks for the file nwncdkey.ini. If this file is found, checks for the text Key1=, Key2= and Key3= to get the key for Neverwinter Nights and its expansion packs (assuming they are installed too).

5) Network behavior (including hosts, domains and IP addresses accessed)

As mentioned earlier:
- Opens a port on 113 and spoofs identd for IRC connections
- Connects to an IRC server at: pwned.tr1n1.net, or pwned2.tr1n1.net
- Also scans the local network for shares protected by weak passwords
- Could also be used for network scans and DDOS attacks

6) Time and local system dependent features

- The local system must have a network connection for many of the features to work
- As noted earlier, the malware will pretend to be an identd server to fool IRC servers when connecting.
- Some of the local system attributes it will query to send back to the IRC server include:
  - The computer's name
  - The specified local
  - Information about the operating system
- When reporting back to the author, it usually will include the local time
- Author can query many local system attributes over IRC

7) Method and means of communication

- Opens a server listener on port 113 that can receive commands
- Connects to an IRC server at pwned.tr1n1.net or pwned2.tr1n1.net, then joins the channel #scrub and waits for commands from the author

8) Original infection vector and propagation methodology

- Network shares protected by weak passwords
- Tricking someone into running the executable

9) Use of encryption for storage, communication

None that I could find

10) Use of self modifying or encrypted code

The executable is packed with UPX 0.89.6 - 1.02 / 1.05 1.24. I was able to unpack it manually using OllyDBG and Import Reconstructor. On initial analysis, it appears that the only library used is kernel32, since it is the only one statically linked. On further analysis, there is a particular function (at address 0x0040780C) that dynamically loads the other libraries which are used. See Figure for a sample from this function.

Illustration 10: Sample from Library Importing Function

As far as I can tell, there doesn't appear to be any encrypted code.
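
A static check for the packing described in section 10, as an added example that is not part of the original report. It reads the PE section table and flags the default UPX section names (UPX0/UPX1, general knowledge about the packer rather than something the report states) plus a writable and executable section with no data on disk; the function names and the header-only sample image are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER

def pe_sections(data):
    """Return (name, raw size, virtual size, characteristics) per section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    count, = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode("latin-1"), f[3], f[1], f[9]))
    return sections

def packing_indicators(data):
    """List the reasons an image looks packed; empty when none apply."""
    reasons = []
    for name, raw_size, virt_size, flags in pe_sections(data):
        if name.upper().startswith("UPX"):
            reasons.append(f"{name}: UPX section name")
        wx = flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE
        # An unpacking stub writes code into an empty section and then runs it.
        if wx and raw_size == 0 and virt_size > 0:
            reasons.append(f"{name}: writable+executable with no data on disk")
    return reasons

def build_constructed_pe(sections):
    """Header-only image built for this demo from (name, vsize, rsize, flags)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x010F)
    table = b"".join(
        struct.pack(SECTION_HEADER, n.encode(), vs, 0, rs, 0, 0, 0, 0, 0, fl)
        for n, vs, rs, fl in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed section layout in the shape UPX produces, not the report's sample.
PACKED = build_constructed_pe([("UPX0", 0x20000, 0, 0xE0000080),
                               ("UPX1", 0xB000, 0xAE00, 0xE0000040),
                               (".rsrc", 0x1000, 0x600, 0xC0000040)])
```

The second heuristic still fires when the section names have been renamed, which the name check alone would miss.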

11) Any information concerning development of malware (compiler type, country of origin, author names/handles, etc.)

The malware uses the Microsoft Visual C++ Runtime Library, so it was probably compiled from within Visual Studio, possibly using CL.exe. The closest thing I could come to a signature by an author was the following strings:

neTmaNiac netmaniac was here 12/12/04 13:13:13 netninjaz_place 131.131.131.131 3.72.0.0

I was not able to determine the country of origin from the provided executable.

 
