Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1400829
  • 博文数量: 416
  • 博客积分: 13005
  • 博客等级: 上将
  • 技术积分: 3297
  • 用 户 组: 普通用户
  • 注册时间: 2006-04-05 16:26
文章分类

全部博文(416)

文章存档

2014年(1)

2013年(4)

2012年(46)

2011年(64)

2010年(12)

2009年(4)

2008年(40)

2007年(187)

2006年(58)

分类: 网络与安全

2011-08-17 16:01:42



Part 2: Reverse Engineering the Kernel-Mode Device Driver Stealth Rootkit
Part 3: Reverse Engineering the Kernel-Mode Device Driver Process Injection Rootkit
Part 4:Tracing the Crimeware Origins by Reversing the Injected Code

In this final part we will trace the origins of the ZeroAccess rootkit. We will discover that the purpose of this rootkit is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers. We will also see that ZeroAccess is being currently used to deliver FakeAntivirus crimeware applications that trick users into paying $70 to remove the antivirus. It could be used to delivery any malicious application, such as one that steals bank and credit card information in the future. Further analysis and network forensics supports that ZeroAccess is being hosted and originates from the Ecatel Network, which is controlled by the cybercrime syndicate RBN (Russian Business Network).

Let’s take a look at the max++ DLL. It is injected into other processes address space by the kernel mode driver reversed in Part 3. Here are the hashes for this DLL:

FileSize: 36.00 KB (36864 bytes)

MD5: 4CE2F6BA808954FA7B1257D4C754D5B0

SHA-1: E74EA961ADCA942623AE721283D33F6907A7C86D

No VersionInfo Available.

Resource: “TYPELIB”.

max++.00.x86.dll does not have an ET ( Export Table ) entire code is contained into DllEntryPoint() function.

This malicious DLL is injected via APC and ZwAllocateVirtualMemory by the second installed driver. Recall that this driver finds newly loaded processes via PsSetLoadImageNotifyRoutine.

This DLL can be debugged by using 1.10 LoadDLL utility. As this component is the just a small feature of ZeroAccess, we won’t go into as much detail on it as we did with the two drivers and the user-mode agent.

The above ZwTestAlert function tests whether the current thread has been alerted (and clears the alerted flag). It also enables the delivery of queued user APCs. NextDisableThreadLibraryCalls disables the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the DLL. By disabling the notifications, the DLL initialization code is not paged in because a thread is created or deleted, thus reducing the size of the application’s working code set. This use of DisableThreadLibraryCalls increases invisibility for the injected DLL.

The call EAX is placed inside a do-while that updates the value pointed by EAX in iteration. This involves in calling a different routine each time. Let’s look at the next code block:

We see the API call completed. A thread is created, and we can inspect it by reaching the StartAddress argument. This new thread will invoke a couple of calls that will talk to a Command and Control (C&C) server. The C&C server will issue requests to websites that contain code to install further malicious code to be executed on the victim’s machine.

From string analysis we can obtain some valuable information:

All these entries as you can see are placed into the hidden NTFS volume that was analyzed previously. There are also other interesting strings like:

\registry\machine\Software\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE}

The CLSID encoding is of great help during malware forensics. It can be used to determine univocally malware type and version. A quick search show us that this CLSID belongs to Trojan-Ransom.Win32.Digitala.b which is a downloader Aagent.

The above code blocks are executed if fdwReason is satisfied. Otherwise execution flows to another block of code that essentially acts as a cleanup routine.

This injected DLL serves the purpose of generating web redirections to malicious websites that contain FakeAntivirus software. Fake antivirus software (a.k.a misleading applications or rogue antivirus) is big business nowadays with Symantec reporting 43 million installation attempts from over 250 distinct programs between July 1, 2009, to June 30, 2010. With fake AV software costing the victim anywhere from $30 to $100, this is a lucrative earner for criminals.

The malicious URLs are:

The IP address behind these domains is 94.102.63.99. From we can see the following graph

AS29073 belongs to Ecatel Network which is a well known crimeware friendly ISP.

http://hphosts.blogspot.com/2009/11/crimeware-friendly-isps-ecatel-as29073.html

Ecatel is infamous for the massive hosting of malware and spambots, the most widely used IPs are:

  • 94.102.60.151
  • 94.102.60.152
  • 94.102.60.153
  • 94.102.60.182
  • 94.102.60.43
  • 94.102.60.77

Detailed information on Ecatel activities can be seen here: http://www.sudosecure.net/archives/333

Often Ecatel was involved into fakeAV campaigns, and ZeroAccess drives to fake software download. From sudosecure.net we see a relation with the well-know cybercrime ring, RBN ( Russian Business Network ).

Incoming search terms:
Share and Enjoy:
  • Twitter
  • Digg
  • del.icio.us
  • Facebook
  • Print
You may also be interested in:
Comments (5)
  1. said on November 15, 2010

    [...] Articles by giuseppeZeroAccess Malware Part 4: Tracing the Crimeware Origins by Reversing Injected CodeZeroAccess Malware Part 3: The Device Driver Process Injection RootkitZeroAccess Malware Part 2: The [...]

  2. [...] Articles by giuseppeZeroAccess Malware Part 4: Tracing the Crimeware Origins by Reversing Injected CodeZeroAccess Malware Part 3: The Device Driver Process Injection RootkitStep-by-Step Reverse [...]

  3. [...] Articles by giuseppeZeroAccess Malware Part 4: Tracing the Crimeware Origins by Reversing Injected CodeZeroAccess Malware Part 2: The Kernel-Mode Device Driver Stealth RootkitStep-by-Step Reverse [...]

  4. said on November 18, 2010

    Thank you for a great job!

    A very worthwhile piece of reading to bookmark. After all, a single pass is not enough to truly absorb the information.

    Even for those familiar with assembler and machine code, having a mechanical frame of reference to work from has a value in addition to having the tools collected together.

  5. InfoSec Training | SimplicIT Blog said on February 4, 2011

    [...] He dives deep enough to determine the source of the botnet, and who the likely authors are: The RBN (Russian Business Network). His analysis has been featured in eWeek, Information Week, The Register, Packet Storm, and Threat [...]

Leave a Reply

XHTML: You can use these tags:

Name (required)

Mail (will not be published) (required)

Website


阅读(1120) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~