Peacomm RARs Its Ugly Head
by Jose Nazario

Last evening we started seeing a stream of new malware that was a lot like the recent Storm ZIP run of about April 12. All of this malware is related to CME-711. This time we see a few changes:
- RAR is used instead of ZIP, but it’s still password protected
- The “outer” executable isn’t the basic Storm bot; it appears to be a wrapper meant to throw off analysis
Other than that, it’s basically the same as the run from the 12th: GIF images are used in place of text, the password is three letters and two numbers, and the subject lines include things like “Virus Alert!”, “Warning!”, and “Virus Activity Detected!”. The GIF images display a message that we started to know and love during the ZIP+password run.
Email messages contain two attachments, a password-protected RAR file and the GIF image. Once you uncompress the RAR file (using the password), you get an EXE named bugfix-NUMBERS.exe, patch-NUMBERS.exe, or removal-NUMBERS.exe, where NUMBERS is a five-digit number. This first-stage EXE (e.g. bugfix-38265.exe) drops a randomly named file (e.g. vs74Xf0.exe) on the desktop. This second EXE, vs74Xf0.exe in this case, is the classic Peacomm P2P component.
Just like last time, a lot of this seems to be getting by traditional signature-based AV detection routines.
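Since signature AV is missing the samples, the structural features of the lure itself (a password-protected RAR plus a GIF, the quoted subject lines, the bugfix-/patch-/removal-NNNNN.exe name inside the archive) are the more durable thing to match on. The following is an added example, not code from the original post or from Arbor: a small Python triage that walks RAR 2.x/3.x block headers to read the password flag and inner file names without the password, then scores a raw message. The RAR builder, the message builder, the sender/recipient addresses and the attachment names patch-12345.rar and warning.gif are constructed fixtures for the example, not observed values.

```python
import re
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

RAR_MARKER = b"Rar!\x1a\x07\x00"
GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Subject lines quoted in the post (matched case-insensitively).
LURE_SUBJECTS = {"virus alert!", "warning!", "virus activity detected!"}
# First-stage EXE names quoted in the post: bugfix-/patch-/removal- plus five digits.
INNER_EXE = re.compile(r"^(bugfix|patch|removal)-\d{5}\.exe$", re.I)


def inspect_rar(data):
    """Walk RAR 2.x/3.x block headers without any third-party library.

    Returns (password_protected, [inner file names]) or None if not a RAR.
    File names and flags are in the clear unless the main header carries
    MHD_PASSWORD (0x0080, encrypted headers), which is itself a hit.
    """
    if not data.startswith(RAR_MARKER):
        return None
    encrypted, names = False, []
    pos = len(RAR_MARKER)
    while pos + 7 <= len(data):
        head_type = data[pos + 2]
        flags, head_size = struct.unpack_from("<HH", data, pos + 3)
        if head_size < 7:
            break                                        # corrupt header; stop walking
        if head_type == 0x73 and flags & 0x0080:         # main header: encrypted headers
            return True, names
        add_size = 0
        if flags & 0x8000 and pos + 11 <= len(data):     # LONG_BLOCK: data follows the header
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if head_type == 0x74 and pos + 32 <= len(data):  # file header
            if flags & 0x0004:                           # LHD_PASSWORD: file data encrypted
                encrypted = True
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if flags & 0x0100 else 0)  # skip HIGH_PACK/UNP_SIZE
            names.append(data[name_off:name_off + name_size].decode("latin-1", "replace"))
        pos += head_size + add_size
    return encrypted, names


def triage(raw_message):
    """Score one raw RFC 822 message against the lure described in the post."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = {"subject": str(msg["Subject"] or "").strip().lower() in LURE_SUBJECTS,
            "gif": False, "encrypted_rar": False, "inner_exe": None}
    for part in msg.iter_attachments():
        blob = part.get_content()
        if not isinstance(blob, bytes):
            continue
        if blob.startswith(GIF_MAGIC):
            hits["gif"] = True
        info = inspect_rar(blob)
        if info is not None:
            encrypted, names = info
            hits["encrypted_rar"] = hits["encrypted_rar"] or encrypted
            hits["inner_exe"] = next((n for n in names if INNER_EXE.match(n)), hits["inner_exe"])
    # The encrypted RAR is the payload; GIF, subject or inner name only corroborate.
    hits["verdict"] = hits["encrypted_rar"] and (
        hits["gif"] or hits["subject"] or hits["inner_exe"] is not None)
    return hits


# --- constructed fixtures for the example (not real samples) -----------------

def make_rar(inner_name, packed, encrypted):
    """Minimal RAR 3.x layout: marker, main header, one file header, data. CRCs zeroed."""
    name = inner_name.encode()
    main = struct.pack("<HBHH", 0, 0x73, 0x0000, 13) + b"\0" * 6
    flags = 0x8000 | (0x0004 if encrypted else 0)
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, flags, 32 + len(name),
                           len(packed), len(packed), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return RAR_MARKER + main + file_hdr + name + packed


def make_lure_message(subject, rar_bytes, image_bytes):
    """Two-attachment message shaped like the campaign: RAR plus GIF (hypothetical names)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached notice.")
    msg.add_attachment(rar_bytes, maintype="application", subtype="octet-stream",
                       filename="patch-12345.rar")
    msg.add_attachment(image_bytes, maintype="image", subtype="gif", filename="warning.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    lure = make_lure_message("Virus Alert!",
                             make_rar("bugfix-38265.exe", b"MZ\x90\x00", True),
                             b"GIF89a" + b"\0" * 16)
    print(triage(lure))
```

The parser deliberately reads only the header fields it needs and never verifies CRCs, so a truncated or slightly corrupt archive still yields the flags and names; real RAR3 archives with the 0x0400 salt flag or extended time fields are walked correctly because both sit after the name and inside HEAD_SIZE. Do not treat the verdict as a block decision on its own; it is a triage score to route a message to a sandbox or a human.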
What follows is some analysis I did this morning on the malware (vs74Xf0.exe):
```
BASIC INFO:
-----------------------------------------------
FILE TYPE: application/x-ms-dos-executable
FILE SIZE: 37747 bytes
-----------------------------------------------
CHECKSUMS:
-----------------------------------------------
MD5:  8617ab4e033c0853cf1766de30cf6589
SHA1: a881cee8c265779d74d7a70be13e383301afe2bc
-----------------------------------------------
A/V INFO:
-----------------------------------------------
SCANNER: VScanner   VIRUS: No virus found
SCANNER: AVG        VIRUS: Downloader.Tibs
SCANNER: ClamAV     VIRUS: Trojan.Small-1117
SCANNER: BDC        VIRUS: Trojan.Peed.ET
SCANNER: KAV        VIRUS: Email-Worm.Win32.Zhelatin.ab
-----------------------------------------------
```
Looking at the unpacked file we see a couple of things that look familiar:
```
FILENAMES:
-----------------------------------------------
KERNEL32.dll
ADVAPI32.dll
WS2_32.dll
WININET.dll
KERNEL32.dll
USER32.dll
ADVAPI32.dll
ntoskrnl.exe
KERNEL32.DLL
USER32.DLL
USER32.DLL
ADVAPI32.dll
kernel32.dll
-----------------------------------------------
PE INFO:
-----------------------------------------------
[ADVAPI32.dll]
  StartServiceA
  CreateServiceA
  OpenSCManagerA
  CloseServiceHandle
[kernel32.dll]
  GetSystemDirectoryA
  SetCurrentDirectoryA
  GetFullPathNameA
  CreateFileA
  WriteFile
  CloseHandle
-----------------------------------------------
```
Looking at its behavior, we can see that it installs its usual rootkit driver in the usual fashion (the service-control imports above are what do the work):

Creates file `C:\windows\system32\wincom32.sys`

And it sets the following registry key and values (Type 1 is a kernel driver service; Start 2 is auto-start):

```
[System\CurrentControlSet\Services\wincom32] 1177521988
"DisplayName"="wincom32"
"ErrorControl"=dword:00000001
"ImagePath"="C:\windows\system32\wincom32.sys"
"Start"=dword:00000002
"Type"=dword:00000001
```
Peacomm has to bootstrap itself onto a P2P network through a list of initial nodes (IPs and ports). This is usually stored in a file named “peers.ini” using a simple encoding scheme. Here’s the peers.ini list it drops, decoded. Note that the list contains many duplicate entries (146.36.74.161:7871 and 146.36.77.209:7871, for example, appear repeatedly). Blocking outbound UDP to these host:port pairs keeps an infected machine from bootstrapping into the network:
88.133.92.194 11717 84.78.235.176 3461 89.151.122.162 9826 64.0.0.2 11158 89.148.64.1 7495 92.200.129.18 9635 60.199.120.129 4136 91.189.219.177 4667 146.36.74.161 7871 88.135.124.193 6459 87.122.166.97 4344 55.118.98.33 4662 85.94.234.161 4533 129.23.114.33 4663 70.97.26.162 11579 17.30.233.145 6257 90.171.176.1 4661 146.36.75.177 7871 78.232.141.209 6182 84.74.161.16 3043 95.248.128.2 9480 146.36.77.209 7871 146.36.77.209 7871 146.36.71.113 7871 83.57.145.18 8272 85.86.108.193 6120 87.126.235.184 33333 89.159.242.33 4198 65.27.178.33 7871 80.5.89.146 12053 30.231.122.162 9760 194.43.188.193 4140 93.208.7.113 5046 146.36.74.161 7871 146.36.71.113 7871 94.226.34.32 3705 87.114.38.98 10564 220.203.180.66 8457 217.153.145.17 7871 146.36.75.177 7871 90.171.189.210 10449 196.69.80.1 6327 87.113.24.129 6963 146.36.71.113 7871 146.36.77.209 7871 27.178.40.129 4665 146.36.74.161 7871 221.211.51.50 10747 205.209.16.1 7871 78.232.129.18 11732 212.75.179.50 8465 146.36.74.161 7871 48.7.127.244 17636 86.109.214.97 5271 128.13.208.4 19485 82.47.242.33 6172 86.109.210.35 12438 70.97.18.34 11779 81.18.35.50 11971 90.170.175.242 9734 92.196.73.146 11200 123.178.32.0 3127 146.36.67.51 12981 62.232.136.130 10200 95.253.210.33 5000 85.95.248.129 8155 80.10.175.241 6959 95.244.69.80 3453 86.103.118.98 8889 146.36.75.177 7871 146.36.75.177 7871 146.36.75.177 7871 85.85.86.97 7983 163.55.113.17 7672 81.29.222.224 3025 93.208.7.116 17606 82.45.210.34 11288 67.51.58.160 3311 223.254.238.228 20392 81.30.225.20 19866 146.36.71.113 7871 146.36.74.161 7871 67.55.123.177 4665 164.64.11.177 6021 84.78.236.192 3395 80.4.79.242 8796 146.36.77.209 7871 93.221.215.113 6028 80.15.254.226 10056 65.27.178.33 7871 88.138.162.33 5011 91.176.15.244 19268 84.73.145.18 10773 146.36.72.129 7871 146.36.74.161 7871 146.36.77.209 7871 146.36.77.209 7871 146.36.71.113 7871 146.36.77.209 7871 214.104.134.100 19608 65.26.168.129 7871 85.95.249.145 4665 146.44.205.210 10811 21.80.14.225 4445 78.228.73.146 10301 
90.168.136.129 6859 113.28.200.129 7051 91.185.153.146 8892 146.36.77.209 7871 91.180.78.227 12608 90.173.210.34 9786 206.236.201.146 12023 95.254.228.66 9561 83.59.188.193 7222 205.209.16.1 7871 146.36.77.209 7871 74.163.54.97 7871 93.208.1.17 4395 62.227.59.177 6816 82.39.116.65 8048 92.205.221.210 10301 62.236.205.210 12081 65.24.130.36 16727 201.148.67.52 17675 94.225.23.116 19306 214.104.138.162 9804 217.146.33.17 6537 80.13.216.129 5298 205.214.103.113 6589 55.119.118.99 13302 83.49.19.49 5540 121.148.71.114 10790 92.192.7.114 8910 84.76.206.225 5691 211.55.122.160 3517 146.36.71.113 7871 95.253.210.33 5000 62.236.205.209 4183 205.221.209.20 19332 85.89.150.99 12617 215.113.22.99 13327 208.3.52.64 3789 146.36.71.113 7871 146.36.72.129 7871 146.36.74.161 7871 204.194.32.3 15576 85.87.119.125 53436 81.30.228.66 12021 90.160.6.98 11827 223.248.130.34 11010 133.88.128.5 20499 56.143.242.33 4719 69.84.78.225 5615 198.96.4.68 16636 94.233.157.212 19953 94.233.157.210 11851 50.32.1.18 8665 80.6.102.97 4217 120.129.27.177 8109 80.4.76.193 5569 74.164.73.144 3665 206.230.97.19 13234 205.216.136.129 4480 81.26.175.243 16219 89.154.172.194 8945 93.222.224.2 12118 88.138.172.193 4664 192.9.146.35 13404 218.167.119.113 4990 153.152.129.16 3626 64.1.16.1 5427 94.237.212.64 3749 91.180.76.193 6137 89.146.39.113 6666 85.95.249.145 4665 81.16.15.241 4171 206.231.114.33 7871 90.174.231.112 3012 87.114.35.50 9424 222.231.125.210 11477 84.73.150.98 11447 192.1.18.34 11640 94.226.35.51 15399 91.183.112.1 4894 195.61.221.223 62624 93.216.140.193 6740 82.40.137.145 4665 83.56.137.146 9016 66.41.151.115 12893 91.176.5.84 18053 146.36.77.209 7871 95.241.29.212 20136 218.173.220.203 48490 93.210.42.160 2346 74.173.214.98 8461 84.79.248.130 10487 81.30.230.99 12394 87.114.37.81 6679 86.107.185.148 16464 81.26.161.19 15469 49.30.238.225 4241 87.114.42.163 12697 66.41.154.162 10629 88.142.226.32 3538 210.37.85.84 20006 80.9.151.114 8571 135.112.14.230 24686 91.177.22.101 21676 
95.249.159.242 12167 92.194.35.50 10054 80.12.205.210 11650 87.122.172.194 12115 81.30.234.163 14611 87.113.28.193 4667 216.139.186.161 7537 50.42.174.227 12573 84.74.165.80 3714 221.219.179.49 4946 118.111.242.34 9084 89.146.36.66 10829 82.45.218.162 8467 213.89.159.241 7457 87.125.218.160 3838 55.123.184.130 11636 201.151.114.33 4158 206.231.114.33 7871 55.123.184.129 4114 83.54.102.98 9806 91.177.17.18 9253 85.91.184.130 12000 211.49.18.32 3193 146.36.71.113 7871 57.158.237.211 14829 214.111.247.113 4776 146.36.77.209 7871 146.36.74.161 7871 222.230.106.161 5653 146.36.75.177 7871 217.153.147.49 7871 82.44.201.146 8901 146.36.71.113 7871 71.112.0.13 57202 72.137.150.98 10612 92.201.153.145 4661 208.8.130.32 4009 92.200.134.97 5468 94.230.102.96 3391 215.117.95.242 10024 65.26.168.129 7871 219.186.162.33 8070 94.236.197.84 20333 91.177.19.49 5642 91.176.2.33 5845 84.66.34.33 5460 83.61.221.221 54695 83.59.180.65 5998 127.247.127.241 5388 205.209.16.1 7871 223.247.121.145 6324 83.52.65.17 7033 88.142.234.160 2688 82.40.136.129 7236 81.24.133.81 5528 146.36.75.177 7871 146.36.71.113 7871
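To turn the peers.ini discussion above and the decoded list into something operational, here is an added Python example (not code from the original post or from Arbor) that decodes peers.ini entries, parses the “ip port ip port …” list as printed above, strips duplicates and non-routable addresses, and emits per-peer outbound UDP drop rules. The peers.ini line layout it assumes, `<32 hex node hash>=<8 hex IPv4 in network byte order><4 hex port><2 hex flag>`, is my reading of the format from public Storm analyses; the post itself only calls it “a simple encoding scheme”, so treat the decoder as an assumption to verify against a real dropped file. The node hashes in the sample are made up; the IP/port pairs in the sample are taken from the list above.

```python
import ipaddress
import re

# ASSUMED peers.ini line layout (not stated in the post):
#   <32 hex node hash>=<8 hex IPv4, network byte order><4 hex port><2 hex flag>
PEER_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{32})=([0-9A-Fa-f]{8})([0-9A-Fa-f]{4})([0-9A-Fa-f]{2})\s*$")


def encode_peer(node_hash, ip, port, flag=0):
    """Inverse of decode_peers_ini; used here only to build a constructed sample."""
    return "%s=%08X%04X%02X" % (node_hash, int(ipaddress.IPv4Address(ip)), port, flag)


def decode_peers_ini(text):
    """Decode peers.ini text into (ip, port) tuples; lines that don't fit are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue
        ip = str(ipaddress.IPv4Address(int(m.group(2), 16)))
        peers.append((ip, int(m.group(3), 16)))
    return peers


def parse_decoded_list(text):
    """Parse the 'ip port ip port ...' whitespace-separated list as printed in the post."""
    tokens = text.split()
    return [(tokens[i], int(tokens[i + 1])) for i in range(0, len(tokens) - 1, 2)]


def usable_peers(peers):
    """Drop exact duplicates and non-routable addresses; return (kept, dropped_with_reason)."""
    seen, kept, dropped = set(), [], []
    for ip, port in peers:
        if (ip, port) in seen:
            dropped.append((ip, port, "duplicate"))
            continue
        seen.add((ip, port))
        if not ipaddress.IPv4Address(ip).is_global:   # loopback, private, reserved, etc.
            dropped.append((ip, port, "non-routable"))
            continue
        kept.append((ip, port))
    return kept, dropped


def iptables_rules(peers):
    """One outbound UDP drop rule per seed peer, in iptables syntax."""
    return ["iptables -A OUTPUT -p udp -d %s --dport %d -j DROP" % (ip, port)
            for ip, port in peers]


# Constructed peers.ini sample: hashes are made up, pairs come from the post's list.
SAMPLE_PEERS_INI = "\n".join([
    encode_peer("00112233445566778899AABBCCDDEEFF", "88.133.92.194", 11717),
    encode_peer("FFEEDDCCBBAA99887766554433221100", "84.78.235.176", 3461),
    "this line is not a peer entry",
])
# Excerpt of the decoded list above, including a repeated entry and a loopback address.
SAMPLE_DECODED = ("88.133.92.194 11717 84.78.235.176 3461 146.36.74.161 7871 "
                  "146.36.74.161 7871 127.247.127.241 5388")

if __name__ == "__main__":
    print(decode_peers_ini(SAMPLE_PEERS_INI))
    kept, dropped = usable_peers(parse_decoded_list(SAMPLE_DECODED))
    print("dropped:", dropped)
    print("\n".join(iptables_rules(kept)))
```

Two practical notes. First, seed peers on consumer DSL and dial-up ranges change addresses quickly, so a rule set built from one sample decays; regenerate it from each new sample rather than maintaining it by hand. Second, the filter on `is_global` is a sanity check, not an allow-list: addresses that are routable but belong to nobody you talk to are still worth blocking, which is why the kept list is not trimmed further.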
I’ve shared samples, some analysis, and MBOX files with many of the appropriate people in the malware research world this morning.
Links around the net for this one:
- Ny variant af Nuwar spammet ud (“New variant of Nuwar spammed out”, Denmark)
- ZIP then, RAR now. What’s next? from the Trend Micro blog
- Spam Attack: RARed Trojan, from the Symantec blog
![Warning[2]](http://farm1.static.flickr.com/213/472621596_adbd6e3810.jpg)
[…] If you actually get hit, your box will ping the web server (/aff/cntr.php) start to download the Peacomm components, like /aff/dir/sony.exe , /aff/dir/logi.exe, and /aff/dir/pdp.exe. I’ve written a bit about The Storm Worm, Peacomm in ZIPs, and Peacomm in RAR files recently. […]