|
Archive for the ‘Vundo’ Category
Tuesday, June 17th, 2008
It seems that quite a bit of malware is being classified as Vundo (Virtumonde) these days. With the volume of malware currently being distributed in dynamic link library form, it is not always easy to differentiate one from another. Frequently these modules are statically linked with C and C++ runtimes, compression, and GUI libraries, which can slow analysis down. In addition to all this embedded library code, Vundo’s code seems to be under constant development and is updated to fix bugs, add a new piece of functionality, or add more randomization to prevent signature recognition quite frequently.
However, there is one construct that the developers behind the code seem to enjoy using. In almost every place where an event and sometimes registry value names are created, the name is generated by a function which is similar between variants.
The function derives this name from an attribute of the infected computer. The attribute is the serial number assigned to the “C:” drive volume when it was last formatted by the operating system. Then, the serial number is randomized by one or more bitwise cpu instructions against a number selected by the programmer. The result of these operations is converted into a string and returned for use.
The recognition of this function can help positively ID a Vundo sample. The source code representation of this function would look similar to this:
#include <windows.h>#define arbitrary_vundo_number 0xFDEC
int generate_number(char *output){ int return_value; DWORD volume_serial_number;
return_value = GetVolumeInformation("c:\\", NULL, 0, &volume_serial_number, NULL, NULL, NULL, 0);
volume_serial_number ^= arbitrary_vundo_number;
return wsprintf(output, "%08x", volume_serial_number);}
Actual Vundo assembly code looks like this:
push esi ; nFileSystemNameSizepush esi ; lpFileSystemNameBufferpush esi ; lpFileSystemFlagspush esi ; lpMaximumComponentLengthlea eax, [ebp+VolumeSerialNumber]push eax ; lpVolumeSerialNumberpush esi ; nVolumeNameSizepush esi ; lpVolumeNameBufferpush offset RootPathName ; "c:\\"mov [ebp+VolumeSerialNumber], 123hcall ds:GetVolumeInformationAxor [ebp+VolumeSerialNumber], 34D2121hpush [ebp+VolumeSerialNumber]push offset a08x ; "%08x"push [ebp+arg_0] ; LPSTRcall ds:wsprintfAadd esp, 0Chpop esileaveretn
Posted in Adware, Obfuscation, Reversing, Undetected malware, Vundo | No Comments »
Thursday, June 12th, 2008
Sure, you want to get it for free. Who doesn’t want free schwag?
In our previous post on peculiar Vundo capabilities, we detailed Vundo’s inclusion of Microsoft Research Detours source code in their malicious binaries. After googling Vundo and reading up on it, you still might not feel confident that you understand how one gets Vundo on their system. While there are malicious sites out there using commodity exploit kits to attack unpatched windows systems and install the Vundo components, and there may be a few cases of users receiving spammed email messages with links to the malware, from my perspective it seems that most of the Vundo infections on this planet have to do with crackz. That is, key generators that enable individuals to pirate software.
So we decided to stop by getcracks.com and get the latest. While the enticing allure of free software abounds, even more present is the pile of malcode served up from the site and its various providers. And what do you know? It looks like they have a crack for ThreatFire too!
Only before you go off to the site, thinking that you can find things for free, understand that nothing really is for free.
In this case, we extracted the executable and found five files inside: readme.bat, crack.exe, serial.exe, keygen.exe, and number.exe. The readme isn’t really a readme at all. When double clicked, the file simply runs the four executables that it is delivered with. And what do we find in the other four?
crack.exe — Trojan.Vundo/Trojan.Virtumonde
number.exe — Trojan-Downloader.Small.CML,Trojan.Nebuler!sd6/Trojan.Nebuler
keygen.exe — Trojan-Downloader.Small!sd5,Trojan-Downloader.Win32.Small.ury,Downloader,TROJ_DLOADER.NWJ
serial.exe — Trojan-Downloader.Trojan!sd6,Downloader.Trojan, Trojan-Downloader.Homles!sd6,Trojan-Downloader.Win32.Homles.br,Infostealer, Adware.Maxifiles
As you can see, things aren’t free. Vundo doesn’t travel alone. Some of that stuff could ruin your system and potentially steal sensitive information.
The crack.exe file itself drops multiple dlls. They are injected into multiple processes and display alarming ads. Often, it’s difficult to understand where the ads came from or why they are on the system at all — the loaded Vundo libraries do not start displaying these ads for at least a half day. In the meantime, they track your surfing habits and send the data back to a set of servers. Here are a couple of their latest ad campaigns. The first performs the standard phony scan on your machine and identifies malware that isn’t on the system, shocking the user into buying a rogueware package:
They are hawking rogueware from “AntiSpywareExpert.com”. Their website really looks pretty slick:
The second of the two ads performed another phony scan, and claimed that pornographic images and porn site cookies were all over the machine, which was false:
Steer clear of crackz and gaming cheatz! You’ll find much of the same.
Another malcrackz post here.
Posted in Dropper, Vundo | 1 Comment »
Tuesday, June 10th, 2008
For the past several years, the Vundo family (also known as Virtumonde) of malware appeared high on AV vendors’ prevalence lists — this stuff is everywhere. To get there, the malware employs an aggressive set of tactics over the course of its distribution to evade AV and anti-spyware solutions. A close examination exposes an interesting observation that some of its user-mode rootkit tactics use the Microsoft Research Detours library in order to hide its presence from security solutions. Below is a somewhat technical description.
First off, the Detours project out of Microsoft Research focuses on “Binary Interception of Win32 Functions“. In other words, when a developer or malware writer wants to hook a function inline and insert their own code, they can intercept a win32 function with code from the Detours library.
To use this code commercially, “Detours Professional 2.1 includes a license for use in production environments and the right to distribute detour functions in products…For information on licensing Detours Professional 2.1 contact Microsoft’s IP Licensing Group at iplg@microsoft.com”. Let’s assume either that Microsoft never provided the vundo developers with a license or that the vundo developers never attempted to obtain a license for their “commercial” use.
One of Vundo’s library components currently in the wild is injected into processes as a part of its attack. This component may in turn be detected by anti-spyware scanners using the EnumProcessModules api call, which would provide an anti-malware scanner using that call with a handle to the injected module. And this is where the abuse begins.
You can see the malicious Vundo hook in this screenshot, implementing the hook functionality from the Detours library. Basically, if a process calls EnumProcessModules, the vundo appropriated code will intercept the win32 function and report that the module enumeration procedure failed. When the EnumProcessModules call fails, certain security scanners are unable to detect the vundo component’s presence:
How can Detours code be identified in this dll? Well, the source of the detours library can be placed side-by-side with the unpacked and disassembled vundo component. In many places, the same sequence and order of instructions and data is unmistakably identical. For the sake of brevity, we’ll focus on just a couple that briefly illustrates our point in this post.
Here, the deadlisting for the vundo function is on the left, and the matching Detours source code on the right. This chunk of Detours code is at the core of the hooking functionality within disasm.cpp of detours.lib. The source from the Detours library here is determining the length of the currently evaluated instruction and then copying the instruction to the trampoline buffer (this location is the place where the inlined vundo rootkit function can call back into the original function without interception). The appropiated code on the left is compiler optimized, and it is a mirror image of the Detours logic on the right:
Here, in a similar fashion, we see vundo functionality that was stolen from the Detours library calling the DetourCopyInstructionEx() function and an inlined detour_does_code_end_function() function. In this reversing illustration, the vundo function is performing checks to ensure the target function’s eligibility for interception. In other words, vundo’s appropriated Detours code is checking to see if the target function contains a select set of instructions that would prevent hooking:
Posted in Evasion technique, Reversing, Vundo | No Comments »
|
|
|
|
