A detailed analysis of a DOS-attack Trojan

Author: expsky

0x01 Origin

A large number of 1.exe files kept showing up in network traffic, and the stream did not stop. My first impression was a Trojan. Each 1.exe had a different MD5, yet a byte comparison showed they differed in only a few bytes (see below); a few presses of PgDn reached the end of the file. The size was only 5 KB. That reminded me of a tiny MBR bootkit written by a foreign author that I analysed earlier, compatible with XP, Win7, x86 and x64; I could not help applauding when I analysed it. It was a "small is beautiful" kind of thing. Later in this analysis there are sections of code where you can see the author was quite particular about how he wrote: the check for whether the HTTP method is POST or GET compares only the first letter.

On a whim I decided to analyse this sample further, hence this article.

0x02 Why is there so much 1.exe traffic on the network?

Packing, encryption and anti-debugging are standard equipment for a Trojan in this day and age. This article is not about unpacking, so I skip a million words here and go straight to the unpacked sample. It really is small: a little over 20 functions in total. Since this is billed as a detailed analysis, I reversed every corner of the sample; have a look at the function names, which make it easier on the eyes. (Editor's note: this article was published on FreeBuf on April 9. To commemorate his first article on FreeBuf, the author expsky named one function FreeBuf. If you ask why, go and look for yourself: it really is just a Free of a Buffer.)

With so much 1.exe traffic, and every MD5 different, my first guess was a downloader Trojan that keeps downloading other Trojans after it runs.

After analysis I located the following key function, which revealed the cause, and it was not what I had guessed.

1) Read the contents of its own file

2) Modify its own PE file timestamp, incrementing it by 1

(This is why the MD5 of each 1.exe is different)

3) POST the data, uploading the file

Below is the data appended by the second appendstr call. From the content and the 0x0D, 0x0A line breaks it is easy to recognise that an HTTP request header is being constructed. The 64-byte string on the last line is the apikey being submitted. What is this apikey? Let's keep analysing.

Below is the data appended by the fourth appendstr call. It also builds the HTTP header, and the Content-Disposition field specifies that the uploaded file is named 1.exe.

4) Why does the Trojan upload itself in a loop, and where does it upload itself to?

First the IStream data built earlier for the POST is copied into a buffer, then it is submitted to www.virustotal.com/vtapi/v2/file/scan

VirusTotal is a globally known website that provides analysis of suspicious files; /vtapi/v2/file/scan is the API endpoint it opens to its members for scanning suspicious files. Now we can answer what the 64-byte apikey seen earlier is: a member must apply to VirusTotal for this apikey before the file-scan API can be used.

Above is part of httpRequest. This function performs the HTTP request with the WinHTTP family of SDK calls; there is no need to read it closely.

I only want to point out the boxed assembly instruction cmp ecx, 50h. At a glance it looks like a comparison against port 80, but it is actually checking whether the function's HTTP-method parameter is GET or POST: ASCII 80 is also the letter "P", and only the first letter is compared. This is the particular coding style mentioned at the start of the article. There are quite a few other places where the author codes carefully, but they have little to do with the topic of this article, so I will not go into them.

Let's return to the end of the core function above.

The result returned by the Trojan's request is not used at all; it is killed on the spot by the righteous FreeBuf. What does that mean?

The jmp loc_401451 after FreeBuf turns out to be an infinite loop, jumping back up to where the sample modifies its own timestamp.

Now it is clear: the Trojan keeps uploading itself in a loop. Each iteration increments the PE TimeDateStamp field ([PE_Base+0x3c] + 0x8), so the MD5 of every submitted 1.exe is different. VirusTotal does not re-analyse a file whose MD5 has already been analysed; it simply returns the earlier result. The Trojan does not care about VirusTotal's response either and frees it directly. Is this Trojan trying to attack VirusTotal...?
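The near-duplicate check the analysis relied on (files that differ only in the TimeDateStamp at e_lfanew + 8) can be automated for triage. This is an added example, not code from the sample or the original article; it builds a constructed minimal PE-shaped buffer rather than the real 1.exe.

```python
import hashlib
import struct


def pe_timestamp_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.TimeDateStamp.

    e_lfanew lives at offset 0x3c of the DOS header and points at the
    "PE\\0\\0" signature; TimeDateStamp sits 8 bytes past the signature
    (4-byte signature + Machine + NumberOfSections).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 8


def differs_only_in_timestamp(a: bytes, b: bytes):
    """Return (ts_a, ts_b) if a and b are byte-identical apart from TimeDateStamp, else None."""
    if len(a) != len(b):
        return None
    off = pe_timestamp_offset(a)
    if off != pe_timestamp_offset(b):
        return None
    if a[:off] != b[:off] or a[off + 4:] != b[off + 4:]:
        return None
    ts_a = struct.unpack_from("<I", a, off)[0]
    ts_b = struct.unpack_from("<I", b, off)[0]
    return ts_a, ts_b


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_sample(timestamp: int) -> bytes:
    """Constructed PE-shaped buffer (DOS header, PE signature, file header); not the real 1.exe."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> signature at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + file_header + b"\0" * 64


if __name__ == "__main__":
    s1, s2 = build_sample(0x5A000000), build_sample(0x5A000001)
    print(md5_hex(s1), md5_hex(s2))          # two different hashes
    print(differs_only_in_timestamp(s1, s2))  # (1509949440, 1509949441)
```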

At this point the whole process is as clear as the name I gave the function, "LoopSubmitVirusTotal", and the question that prompted this analysis is fully answered:

why there are so many 1.exe files in the network traffic, and why each file has a different MD5 while differing only by a few bytes.

The article seemed to be over at this point: "The story of a Trojan author taking revenge on a security vendor".

0x03 Revealing the Trojan's real intent

This story still felt odd. What would the Trojan author gain from it? So let's finish reversing the remaining functions.

As shown in the figure above, I found another function almost identical to the earlier httpRequest. The only difference is that this function writes a long chain of WinHTTP SDK calls, laboriously obtains the Response, and then frees it right inside the function. In other words, it is an HTTP request function that does all the work and returns nothing. From the outside, how is it any different from an empty function?

As shown in the figure below, we arrive at the place where this function is called; after reading this it is basically clear what is going on.

The caller is another infinite loop: after receiving its parameters, the server host address and path, it keeps issuing GET requests. So this is an application-layer DOS attack, which is why the function above has no need to care about the response and simply frees it.

As shown above, analysing one level further out confirms that this is an application-layer DOS Trojan. The function that loops GET requests against the target server is started in 100 threads; it is clearly meant to bring the other side down.

The truth is becoming clearer. One last question remains: where does it get the target server from?

Experience suggested it is obtained via C&C. Continuing to verify this, I indeed found the C&C communication function below, which implements covert HTTP communication through a Twitter page to receive commands.

As shown below, I opened the twitter.com/pidoras6 page to confirm it (as a good comrade concerned about the motherland, I even spent 20 yuan on a VPN).

Opening the page and clicking the top tweet, I found five strings in brackets; the control commands had been "encrypted". In fact there is no need to reverse the decryption function: the strings look very familiar, ending in equals signs, much like base64 (base64 encodes input in 3-byte groups; when the length is not a multiple of 3 the output is padded with "=", which is why one or two trailing equals signs are so common).

The control commands are not encrypted at all; they are simply base64-encoded so that others cannot see at a glance what is going on.

The code after that is not important; as I guessed, it converts the UTF-8 encoded web page to the native encoding, calls WinHttpCrackUrl to split the received target URL into its parts, and writes them back to a global variable for those 100 attack threads to GET in a loop.
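The C&C channel described above (bracketed base64 tokens in a tweet, decoded and then split into host and path) can be reproduced as an analysis helper. This is an added example, not the sample's code or the original article's; the bracket delimiter, the tweet text and the URL are constructed for illustration, and urllib.parse stands in for WinHttpCrackUrl.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Bracketed tokens drawn from the base64 alphabet, with optional "=" padding.
TOKEN_RE = re.compile(r"\[([A-Za-z0-9+/]+={0,2})\]")


def looks_like_base64(token: str) -> bool:
    """3 input bytes become 4 output chars, so a real token's length is a multiple of 4."""
    return len(token) >= 4 and len(token) % 4 == 0


def decode_commands(text: str):
    """Extract bracketed base64 tokens and return the decoded UTF-8 strings; bad tokens are skipped."""
    out = []
    for tok in TOKEN_RE.findall(text):
        if not looks_like_base64(tok):
            continue
        try:
            out.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return out


def crack_url(url: str):
    """Split a command into (host, path) like the sample does with WinHttpCrackUrl; None if not a URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname, parts.path or "/"


# Constructed tweet text (not the real tweet): one URL command, one non-URL token, one too-short token.
TWEET = "status [{}] [{}] [abc]".format(
    base64.b64encode(b"http://example.invalid/index.php").decode(),
    base64.b64encode(b"notaurl").decode(),
)

if __name__ == "__main__":
    for cmd in decode_commands(TWEET):
        print(repr(cmd), "->", crack_url(cmd))
```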

0x04 Conclusion

Looking back at all those 1.exe files submitted to VirusTotal: if the Trojan's reason for existing is to receive commands and carry out DOS attacks, then I speculate the purpose may be this. VirusTotal limits how frequently members may submit samples. The Trojan first attacks VirusTotal, which may lead VirusTotal to put the machine's IP on a blacklist. Many network security devices today call VirusTotal's sample-checking interface (VirusTotal offers a submission interface, sandboxes and sample MD5 lookups that a lot of security appliances use). If the local network has such a device, this could wreck the security appliance's VirusTotal scanning function.

I tried opening the target page w0rm.in, but why does the response always time out? Does the keyword w0rm.in point to a Russian hacker? Does the VirusTotal attack behave the way I guessed? Could all of this just be a routine stress test? If w0rm really is a hacker, is w0rm's first love the very same person as the Trojan author's wife? Is it moral decay or the distortion of human nature behind all this... Stay tuned tonight (25, 6:30) for "Approach to Science"; let's follow the camera and uncover the little-known story of "you call, I jmp".


Source: www.cnblogs.com/chinatrump/p/11597050.html