Trojan.TDR. Udi Shamir (Ta!0n) COSEINC (AML) Advanced Malware Labs

Transcription

1 Trojan.TDR Udi Shamir (Ta!0n) COSEINC (AML) Advanced Malware Labs Overview TDR malware targets specific companies which are using McAfee protection suites. The malware utilizes anti-debugging, antivirus awareness and smart process injection techniques to evade detection. It also transmits sensitive information to command and control servers. Background Currently, most malware attacks are in the form of trojan downloaders, bankers and BHO (browsers helper objects). A functional trojan malware seldom gets embedded within the payload of an exploit, but TDR is one such exception. Infection Details TDR was found by our researchers on a high profile host, but its infection vector is still unknown to us. At this point, we believed that it was dropped by one of Adobes latest CVE s.

2 Technical Summary TDR functionalities can be split into two components, namely the loader and the payload. The loader provides the preliminary safety verifications, such as running in minimize mode, detecting debugger and evading specific Antivirus software. When the environment is safe, it will proceed to load the second stage: the payload. The payload performs sophisticated process injection, unpacks the main payload section and creates new process which looks benign. More importantly, the new process is specifically built to evade detection by McAfee Antivirus. The Loader (tdr.mal.exe) The Loader first calls the function that performs Anti Debugging technique. This is to ensure that the malware is not being analyzed and debugged. When executing, TDR stays silent by using windows hide parameter (SW_HIDE) within the following StartupInfo structure parameters: Startupinfo = 0018FF44 -> STARTUPINFOA {Size=0, Reserved1=NULL, Desktop=NULL, Title=NULL, X=0, Y=0, Width=0, Height=0, XCountChars=0, YCountChars=0, FillAttribute=0, Flags=0, ShowWindow=SW_HIDE, Reserved2=0, Reserved3=NULL, hstdinput=null,

3 Anti-Debugging Function: The Anti-Debugging technique is known but not commonly used. The author chose the OutputDebugStringA Win32 API. The OutputDebugString function accepts a single string and send it to the debugger. The Anti Debugging trick is very simple; the developer sets a DWORD Value in the SetLastError() function and calls OutputDebugString. If Debugger is present, the GetLastError() function will hold the Value assigned to SetLastError(). If the value is empty, it implies that no Debugger attached. TDR will exit if a Debugger is attached. WINAPI OutputDebugString( in_opt LPCTSTR lpoutputstring); DWORD TESTDATA = 007; SetLastError(TESTDATA); OutputDebugString(L"F00 Fighters ); if(getlasterror() == TESTDATA){ //i found a debugger attached } When disassembling TDR s binary we can see the call to OutputDebugStringA with the debugger specific message. Evading Antivirus: Most Trojans will choose to stop execution when they detect the presence of Antivirus software. TDR, on the other hand, seems to target McAfee. Its disassembled code shows this behavior. The detection technique is very simple. TDR calls RegQueryValueA Win32 API and search for the presence of McAfee products inside the registry keys. When it detects the presence of McAfee

4 Antivirus, it creates a process named services.exe and if McAfee is absent, it will create the process named svchost.exe. The disassembler code below shows the logical behind this.

5 Our research machine did not contain any McAfee products, so TDR creates the svchost.exe process and calls the packed payload routine at address 0x The unpacking routine is at address 0x Packed section at address 0x The unpack function at address 0x040102E

6 The Payload TDR payload is packed and its unpacking routines start when the loader finishes its init process. The unpacking routine is tedious and time consuming and after it is done, TDR creates a new process with process-name depending on if McAfee products are present. In our setup, the process name was svchost.exe. CreateProcess(NULL, svchost.exe, tdr.mal.exe, NULL, NULL, FALSE, CREATE_SUSPEND ); Create Process The CreateProcess parameters indicate that TDR creates new process in SUSPEND mode and subsequently performs process injection. Process Injection TDR uses an uncommon injection technique which was first introduced by the Duqu Malware ( This technique is also referred to as puppet process, as the first created process is just a puppet that does nothing. The Injection steps are described below: 1. TDR needs to locate the entry point of the newly created process and its ImageBase. It achieves this by finding the ImageBaseAddress through calling ZwQueryInformationProcess() and then ReadProcessMemory(). 2. The ImageBaseAddress is at offset 0x8. Below is the debugger s output after extracting the PEB structure.

7 3. The next step is to map the original binary PE section from tdr.mal.exe using the ZwMapViewOfSection() with the BaseAdress equal to 0. The malware wants to copy the entire PE image and modifies its PE image address to that of the newly created process. During this step, TDR has already unpacked its payload into memory and is pointing to the new entry point of svchost.exe puppet process. Below is an example code which demonstrate how TDR extract the ImageBaseAddress PROCESS_BASIC_INFORMATION p_info; // retrieves pointer to a PEB DWORD ImageBase; ZwQueryInformationProcess = (long ( stdcall *)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(GetModuleHandleA( ntdll ),"ZwQueryInformationProcess") ; // extract ImageBase PebBaseAddress +8 // ReadProcessMemory(p_info.hProcess, (BYTE*)pbi.PebBaseAddress + 8, &ImageBase, 4, &nb_read);

8 4. Before copying the new image into the puppet process, TDR un-maps svchost.exe memory section with the BaseAddress equal to the ImageBaseAddress. Subsequently, it copied the original PE image using memcpy(). When everything is completed, it unlinks (remove) the original image. PE_H NEW PROCESS SVCHOST IMAGE PE_H TDR Image TDR.MAL.EXE PE_H NEW PROCESS SVCHOST CONTAINS TDR IMAGE Above diagram shows the injection flow. TDR creates new process name svchost.exe. It un-maps the existing new process image using ZwUnmapViewOfSection(). It creates a new section using ZwMapViewOfSection() and copy the malwares section using memcpy(). It removes the original sample tdr.mal.exe. Why TDR took these extra steps when creating a new process? 1. The newly created process svchost.exe is a valid system service hence it looks benign. 2. The PE header is benign since TDR replace the Image and not the PE Header. This leaves the header completely unchanged. 3. This technique fools McAfee Antivirus which inspect the headers and structures.

9 Network Connection TDR initiates network connection from the new process svchost.exe. This allows the malware to mask its network traffic among legitimate connections from the real svchost.exe. TDR first tries to connect to the ip address This belongs to KORNET, which is a legitimate provider. inetnum: netname: KORNET descr: KOREA TELECOM descr: Network Management Center country: KR admin-c: DL248-AP tech-c: GK40-AP The second connection is being initiated with known dynamic domain service provider myddns.com.

10 The following urls were captured during the network analysis: Both urls have server listening on port 8080, followed by a random 5 characters php file. The above examples showed the php files kvfbx.php and pnrrv.php. The id parameter structure is <random 6 numbers><mac address> for example: DDF34B09G == random id: 151DDF34B09G machine MAC address DDF34B09G == random id: 151DDF34B09G machine MAC address Conclusion TDR employs interesting anti debugging and injection techniques that are not commonly used. It also targets McAfee antivirus and circumvent the way McAfee inspects newly created processes. The fact that TDR was captured on a live host with updated antivirus protection emphasizes why antivirus may not be a foolproof solution to malware. And finally, these various pieces, when added together, make TDR a formidable malware that is hard to detect.