Wednesday, August 15, 2012

Malware Analysis Tutorial 32: Exploration of Botnet Client


Learning Goals:
  1. Practice WinDbg for Inspecting Kernel Data Structure
  2. Use Packet Sniffer to Monitor Malware Network Activities
  3. Understand Frequently Used Network Activities by Malware
  4. Expose Hidden/Unreachable Control Flow of Malware
Applicable to:
  1. Operating Systems
  2. Assembly Language
  3. Operating System Security
1. Introduction

This tutorial explores the botnet client part of Max++. We assume that you have completed tutorial 31 where our lab setting directly results from its analysis. You should have the following before the analysis, as shown in Figure 1.

Figure 1. Process Network Message

As shown in Figure 1, there is a big loop of calling zwReplyWaitReceivePortEx, which tries to wait for a message from the port. EAX represents the return code of the function, e.g., 0x0 represents OK and 0x102 represents time-out. If time-out, it calls function 0x35671D03. Otherwise, it proceeds to process the message.

Max++ first reads the 2nd word in the message, this is supposed to be an integer between 1 and 3. For case 3, it calls function 0x3567162D. for case 1, it calls function 0x3567204F. Note that all the four parameters of 0x3567204F are from the msg (5th, 7th, 8th and 10th words from the message respectively).

2. Execute Remote Command (#1).
Now let's delve into function 0x3567204F. Again, notice that this function gets executed ONLY WHEN the second word of the remote network message is 0x1. Figure 2 shows its function body.

Figure 2. Mysterious Function 0x3567204F

As shown in Figure 2, one of the input parameters of the function is ESI register (pointing to 0x00181580). This is a mysterious data structure. We suspect that it is the COM interface of the fake JScript COM object (the remote max++.x86.dll). The COM interface wraps a C++ object so that the program (Max++) can call the functions available in the DLL.

Next, the function clears memory region 0x009FFEE8, and copies the first four parameters passed in the stack to this region. Notice that these four parameters are the 5th, 7th, 8th, and 10th words in the remote message. Then it saves 0x009FFFE8 to EBP-10.

Max++ then proceeds to call some function of the remote DLL (see the second highlighted area in Figure 2). It seems to be taking out the virtual function table of the object and it invokes the function located at offset 0x18. This function takes at least 7 parameters, and they are [ESI+18], [ESI+20], 0x356782A4, 0, 1, [EBP-20], and [EBP-10]. Here [ESI+18] and [ESI+20] must be some data attributes of the COM interface object, and [EBP-20] is a pointer to collect result. From the VariantClear call (see the last highlighted area of figure 2), we can infer that [EBP-20] is a pointer to VARIANTARG. Lastly notice that [EBP-10] stores 0x009FFEE8, which contains the four words from the remote message.

Although we have no access of the remote DLL, we can infer that this part of the malware is taking some command/parameters of the remote message, and execute some functions correspondingly. It looks like a bot-net client.

3. Initilization (command #3)
We now look at case #3 (where the 2nd word of the remote message is 3). In this case,  function 0x3567162D is invoked.. To enforce the control flow into this case, we simply change the register values correspondingly. Figure 3 displays the body of function 0x3567162D.

Figure 3. Function Body of 0x3567162D

As shown in Figure 3, function 0x3567162D extracts a file from the hidden drive into a newly allocated heap area. The contents of the file seem to be some special javascript tags and HTTP request headers. The file name is read from an absolute location 0x3567806C. Unless the address is being re-written, it's always reading the same file.

Then Max++ jumps to function 0x356719E4, as shown in Figure 4. Again, it's invoking the COM interface of the remote object which is not available. As shown in Figure 4, it loads the virtual function table of the COM object multiple times and calls several functions of that COM interface.

Figure 4. Calling COM Object

4. Conclusion
Since the remote object is not available, we are not able to drill deeper into Max++. The bottomline via the analysis in this tutorial is that the maxware is able to listen to a port and receive commands from a remote server. The remote command has a fairly simple structure, the second word of the remote message decides the action to take at the max++ client side. #3 seems to be initializing service; and #1 seems to be executing some actions, where four words from the remote message serve as the parameters.

In the next tutorial, we will submit Max++ to various malware analysis engines and match their discovery with our manual analysis.


Posted by at

17 comments:

  1. home monitoringSeptember 5, 2012 at 12:28 PM

    Great post.I like this one.Thanks for sharing.

    ReplyDelete
  2. karyn grayDecember 15, 2012 at 8:13 PM

    I enjoyed the tips you are providing on your website. Remote IT Support can make one’s help technical service. Thanks for the information……..

    ReplyDelete
  3. alarm monitoringJanuary 2, 2013 at 8:56 PM

    very Informative and comprehensive data !
    it’s takes advantages ..
    enjoyed reading it !
    Thanks for sharing...

    ReplyDelete
  4. rithkhmerAugust 7, 2017 at 10:51 AM

    Nice article, thanks for the information. You give me some idea's. I will bookmark for next reference.

    ก็อตซิลล่า 2015

    ReplyDelete
  5. BloggerSeptember 30, 2017 at 11:09 AM

    BlueHost is definitely the best website hosting provider with plans for all of your hosting needs.

    ReplyDelete
  6. Mary J. SmithOctober 3, 2017 at 5:26 AM

    How to improve chances of success in playing free slots no deposit and online games with no registration - 3 important tricks. Win money at 777spinslot.

    ReplyDelete
  7. BloggerOctober 4, 2017 at 1:36 AM

    I have used AVG anti virus for a couple of years now, and I'd recommend this solution to all you.

    ReplyDelete
  8. Dolph ZiglarOctober 18, 2018 at 4:35 PM

    There are certainly a lot of details like that to take into consideration. That is a great point to bring up. I offer the thoughts above as general inspiration but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith. I don?t know if best practices have emerged around things like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment?s pleasure, for the rest of their lives.
    spyhunter license key

    ReplyDelete
  9. Peptide SynthesisFebruary 2, 2019 at 4:40 AM

    Thanks for providing such a great Information, you can see
    Custom Peptide Synthesis
    Peptide Synthesis

    ReplyDelete
  10. gunmetal jeansFebruary 24, 2019 at 11:05 PM

    I’ve been browsing online more than 2 hours today, yet I never found any interesting article like yours. It’s pretty worth enough for me. In my opinion, if all web owners and bloggers made good content as you did, the internet will be a lot more useful than ever before.
    Reverse Engineering in India
    Reverse engineering design

    ReplyDelete
  11. UnknownJune 24, 2019 at 12:04 PM

    Bisa pula pasangan berurutan kartu K-Q-J dari jenis yang berbeda. Jika kartu anda memenuhi syarat ini, maka anda memiliki masa depan yang cerah untuk melanjutkan ke tahap selanjutnya. Selain itu, jika mendapatkan kartu yang berurutan 2 sampai 10 juga merupakan awal yang baik.
    asikqq
    http://dewaqqq.club/
    http://sumoqq.today/
    interqq
    pionpoker
    bandar ceme terbaik
    betgratis
    paito warna terlengkap
    forum prediksi

    ReplyDelete
  12. leoJuly 2, 2019 at 9:34 PM

    Thanks for sharing, very informative blog.
    ReverseEngineering

    ReplyDelete
  13. PuremeldaJuly 5, 2019 at 5:32 AM

    We focus on meeting all the needs of our clients by offering them with a reliable custom essay writing service USA and legitimate paper writing services delivering it on time.

    ReplyDelete
  14. meldaresearchJuly 7, 2019 at 11:10 PM

    Companies offering affordable custom research papers should help students perform well by delivering papers prior to deadline. Early delivery of essay writing service nursing is very important because it results in good performance of learners.

    ReplyDelete
  15. UnknownJuly 15, 2019 at 11:40 PM

    Nice blog!!!!!!!.
    ReverseEngineering

    ReplyDelete
  16. Barbra WilliamsAugust 1, 2019 at 2:35 AM

    jigsy blogs

    ReplyDelete
  17. meldaresearchAugust 5, 2019 at 10:40 PM

    Your search for Custom Research Paper Writing Services ends here. Welcome to the home of best essay writers who are qualified in diverse fields. Our
    Research Paper Writing Service     is proof that we are right near you. It is easy, place your order and get original plagiarism free assignments. What’s more, we keep everything confidential.

    ReplyDelete

Subscribe to: Post Comments (Atom)