Tracur Malware Analysis
From UIC
Tracur.b Analysis
| Tracur Malware Analysis | |
|---|---|
| Author: | Quequero |
| Email: | |
| Website: | http://quequero.org |
| Date: | 21/12/2010 (dd/mm/yyyy) |
| Level: | |
| Language: | English |
| Comments: | Let's start with malware reversing! |
Tracur.b analysis
In a previous tutorial we have shown how to deal with malware; this time we'll go through the analysis process of a real malware found in the wild. In this case we are going to deal with Tracur.b, a variant of the Tracur malware: we will get infected and try to understand what's going on in the infected machine and what this malware is capable of. So fire up your debugger and get ready for the fun!
Tools
First of all we'll need a few tools:
- VMware, VirtualBox, Parallels or any other virtual machine with Windows installed (I used Windows XP SP3)
- LordPE or any other memory dumper (OllyDump will do as well if you use OllyDbg v1)
- OllyDbg, any version
- RegShot
- SysAnalyzer
- ProcessExplorer
Of course you will need Tracur.b executable, grab it from the UIC Malware Kickstart Package, password is: infected.
Malware Identification
This malware is identified by the various AV vendors with the following names:
- AhnLab-V3 (Dropper/Win32.Agent)
- AntiVir (TR/Katusha.2.8)
- Avast (Win32:Dracur-E)
- Avast5 (Win32:Dracur-E)
- AVG (Downloader.Generic10.AFIX)
- BitDefender (Gen:Variant.Katusha.2)
- Comodo (MalCrypt.Indus!)
- DrWeb (Trojan.DownLoader1.31906)
- Emsisoft (Virus.Win32.Dracur!IK)
- eSafe (Win32.GenVariant.Kat)
- F-Secure (Gen:Variant.Katusha.2)
- Fortinet (W32/TRACUR.SMDI!tr)
- GData (Gen:Variant.Katusha.2)
- Ikarus (Virus.Win32.Dracur)
- Kaspersky (Trojan-Dropper.Win32.Agent.dikg)
- McAfee (Artemis!F7F27B3DDEE9)
- McAfee-GW-Edition (Artemis!F7F27B3DDEE9)
- Microsoft (TrojanDownloader:Win32/Tracur.A)
- NOD32 (Win32/TrojanDownloader.Tracur.B)
- nProtect (Gen:Variant.Katusha.2)
- Panda (Trj/CI.A)
- Prevx (Medium Risk Malware)
- Rising (Trojan.Win32.Generic.5240387C)
- Sunbelt (Trojan.Win32.Generic!BT)
- TheHacker (Trojan/Downloader.Tracur.b)
- TrendMicro (TROJ_TRACUR.SMDI)
- TrendMicro-HouseCall (TROJ_TRACUR.SMDI)
- VirusBuster (Trojan.Katusha.LAQ)
Analysis
Turn on your preferred virtual machine, but one point must be very clear: a virtual machine is _not_ an added security layer. Malware can (and in some cases will) escape the cage, so be careful! The simple fact that you're using a virtual machine doesn't mean that the most advanced malware will stay there. You've been warned :).
Disable drag and drop support from the VM to the host computer and disable any shared folder from and to the VM. While it is true that escaping the VM can be a bit hard, it is also true that most malware will spread through USB sticks and shared folders. At this point take a snapshot of the current environment, since you'll need a clean system every time you start a new analysis.
Run RegShot and take a registry snapshot, optionally you can save the hive for later comparisons. Run SysAnalyzer and check the option Use Directory Watcher, select your file and... Are you ready?
Dropping
Click Run! on SysAnalyzer and after a few seconds Tracur will be up and running; sometimes the malware will crash because there seem to be some problems with the threads injected into other processes ;p, anyway... Looking at SysAnalyzer, comparing the RegShot snapshots and even just looking at Process Explorer we are able to find out what happens behind the curtain of the dropping process. Let's summarize it:
- fundisc32.exe is launched
- fundisc32.exe copies itself into c:\windows\system32\ with a random name that mimics an already existing file (like: dfrgsnap32.exe)
- The newly created "fundisc32.exe" is run
- This new process installs itself as a service (like: Autostarter or DCOM Server Process Launcher etc...)
- netsh.exe is launched to add a firewall rule that allows its own traffic
- A DLL is spawned (plustab32.dll, regsvc32.dll, perfos32.dll etc...)
- The DLL installs itself as an IE BHO (Browser Helper Object)
- The DLL registers itself as a WinLogon entry to be loaded at logon time
- The DLL downloads and runs a GNUtella client...
- A file, always called lsass.exe, is spawned here: C:\Documents and Settings\Administrator\Application Data\SysWin\lsass.exe
- lsass.exe installs itself in the registry using the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run, name RTHDBPL value C:\Documents and Settings\Administrator\Application Data\SysWin\lsass.exe (unlike other names, these values are fixed)
Figuring out the order listed above won't always be your first task, especially because more often than not you'll first have to find out what the role of every component is. This is true for Tracur as well, so don't get upset if you are not able to understand what's going on just by using RegShot, SysAnalyzer and so on...
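As an added example (not part of the original write-up), here is a small Python triage script that checks a registry snapshot for the fixed artifacts listed above: the policies\Explorer\Run value RTHDBPL, the SysWin\lsass.exe path and, more generally, any lsass.exe living outside system32 (the genuine one never does). The rows are constructed samples in the shape of (key, value name, value data) triples, the kind you would pull out of a RegShot comparison or a .reg export; the function and constant names are my own.

```python
# Added example, not code from the original write-up: flag the fixed Tracur.b
# persistence artifacts in a registry snapshot given as (key, name, data) rows.

RUN_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
FIXED_VALUE_NAME = "RTHDBPL"                                  # fixed value name used by lsass.exe
FIXED_PATH_SUFFIX = r"\application data\syswin\lsass.exe"    # fixed drop location (any user profile)
GENUINE_LSASS = r"\windows\system32\lsass.exe"               # where the real lsass.exe lives


def find_tracur_indicators(rows):
    """Return a list of (reason, row) for every row matching a Tracur.b indicator.

    Three checks, mirroring the dropping summary: the Explorer\\Run policy value
    RTHDBPL, any value data ending in the SysWin\\lsass.exe path, and any
    lsass.exe path that is not the system32 one.
    """
    hits = []
    for row in rows:
        key, name, data = row
        key_l, data_l = key.lower(), str(data).lower()
        if key_l == RUN_POLICY_KEY.lower() and name.upper() == FIXED_VALUE_NAME:
            hits.append(("policies\\Explorer\\Run value RTHDBPL", row))
        if data_l.endswith(FIXED_PATH_SUFFIX):
            hits.append(("lsass.exe dropped under Application Data\\SysWin", row))
        elif data_l.endswith("\\lsass.exe") and not data_l.endswith(GENUINE_LSASS):
            hits.append(("lsass.exe outside system32", row))
    return hits


# CONSTRUCTED sample snapshot: one legitimate row (the real lsass.exe), one
# Tracur.b row, and one lookalike lsass.exe sitting in an odd directory.
SAMPLE_ROWS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs", "ImagePath",
     r"C:\WINDOWS\system32\lsass.exe"),
    (RUN_POLICY_KEY, "RTHDBPL",
     r"C:\Documents and Settings\Administrator\Application Data\SysWin\lsass.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "svc",
     r"C:\Temp\lsass.exe"),
]

if __name__ == "__main__":
    for reason, (key, name, data) in find_tracur_indicators(SAMPLE_ROWS):
        print(f"[!] {reason}: {key}\\{name} = {data}")
```

The SysWin check matches on the path suffix rather than the full path, so it still fires when the infected profile isn't Administrator; the second Tracur row is reported twice on purpose, once for the policy key and once for the drop location.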
Component Analysis
Tracur is up and running... We now need to analyze what kind of actions are actually being performed by every part of the malware. Let's begin with the first executable, that is: fundisc32.exe.
Fundisc32.exe
Try to load fundisc32.exe into IDA and you'll soon find out that it's packed/encrypted, what you are going to find after the unpacking routine will be something like this:
CODE:00528186 loc_528186: ; CODE XREF: CODE:00532F68
CODE:00528186 mov ebp, 67B6476Ah
CODE:0052818B push edi
CODE:0052818B ; ---------------------------------------------------------------------------
CODE:0052818C dd 0
CODE:00528190 dd 8C320550h, 3737h, 0AD47A896h, 0
CODE:005281A0 dd 0C8AFA895h, 0E0h, 0BED26E0Ch, 0FFFF1928h, 0AFA81D6Ch
We need to revert to the good old debugger ;p, so open OllyDbg, configure it to stop at WinMain() and run the program. OllyDbg, if you're using the default configuration, will soon stop, asking you to press Shift+F9 to pass the exception to the debugged program; keep doing that until you reach the entry point, which should look like this:
CODE:00532F52 mov ebp,esp
CODE:00532F54 add esp,-30
CODE:00532F57 push eax
CODE:00532F58 mov eax,005315FC
CODE:00532F5D call 00532A7C
CODE:00532F62 mov eax,dword ptr ds:[eax+0E216]
CODE:00532F68 call 00528186
CODE:00532F6D mov dword ptr ds:[ecx+14BA],ebx
Prepare your best finger: this packer uses an awful lot of junk code and, to bother you, 99% of the call instructions will never return, so be sure to trace the code using only step into (F7), otherwise you'll lose control and you won't be able to unpack anything. That said, the packer will allocate memory on the heap using VirtualAlloc, the packed code will consequently be written into that area and, after that, the re-aligned code will be written back to the .text section of the originally mapped executable. Of course don't forget to use hardware breakpoints instead of software breakpoints, since we are dealing with code that rewrites itself (a software breakpoint is an INT3 byte patched into the code, and self-modifying code will simply overwrite it). Eventually you'll find the point where the unpacked code is written back:
CODE:00E582A7 lea esp,[esp+8]
CODE:00E582AB rep stos byte ptr es:[edi] ; Take a look at ESP+4!
CODE:00E582AD push dword ptr ss:[esp-63]
CODE:00E582B4 push dword ptr ss:[esp-79]
Take a look at esp+4:
0012FEC0 00401390
0012FEC4 00E652A0 ; Points to unpacked code
0012FEC8 00000000
0012FECC 0012FF14
The address will point to the unpacked executable, try to dump it and you'll find:
00E652B0 B8 00 00 00|00 00 00 00|40 00 00 00|00 00 00 00| ¸.......@.......
00E652C0 00 00 00 00|00 00 00 00|00 00 00 00|00 00 00 00| ................
00E652D0 00 00 00 00|00 00 00 00|00 00 00 00|D8 00 00 00| ............Ø...
00E652E0 0E 1F BA 0E|00 B4 09 CD|21 B8 01 4C|CD 21 54 68| ��º�.´.Í!¸�LÍ!Th
00E652F0 69 73 20 70|72 6F 67 72|61 6D 20 63|61 6E 6E 6F| is program canno
00E65300 74 20 62 65|20 72 75 6E|20 69 6E 20|44 4F 53 20| t be run in DOS
00E65310 6D 6F 64 65|2E 0D 0D 0A|24 00 00 00|00 00 00 00| mode....$.......
It really looks like the beginning of some .exe/.dll ;p. Stop here, open LordPE, choose your process, right click and select Dump Region:
The section is easily recognizable since it's the only one marked as XRW. Dump it, save the dump, open it with any hex editor and remove everything from the beginning until you find the MZ signature. Cool, you have your unpacked fundisc32.exe (password, as usual, is: infected).
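The "remove everything until the MZ signature" step can be scripted, and scripting it lets you validate the candidate header instead of trusting the first two bytes that happen to read MZ. The Python below is an added example, not part of the original write-up: it walks every MZ occurrence in a dumped region, reads e_lfanew at offset 0x3C and only accepts the header if a PE\0\0 signature sits there. The sample region is constructed (junk bytes with a decoy MZ, followed by a minimal header whose e_lfanew is 0xD8, the same value visible in the dump above); it is not a real executable, and the function names are my own.

```python
# Added example, not code from the original write-up: carve the PE image out of
# a memory region dumped with LordPE by locating a validated MZ/PE header.
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def carve_pe(region: bytes) -> bytes:
    """Return the slice of `region` starting at the first plausible PE header.

    A header is accepted only when e_lfanew (DWORD at MZ+0x3C) points at
    'PE\\0\\0' inside the region; stray 'MZ' bytes in the junk are skipped.
    """
    pos = region.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(region):                       # room for a full DOS header
            e_lfanew = struct.unpack_from("<I", region, pos + 0x3C)[0]
            sig_off = pos + e_lfanew
            if sig_off + 4 <= len(region) and region[sig_off:sig_off + 4] == b"PE\0\0":
                return region[pos:]
        pos = region.find(b"MZ", pos + 1)
    raise ValueError("no MZ/PE header found in region")


def build_sample_region() -> bytes:
    """CONSTRUCTED sample: 32 bytes of allocator junk containing a decoy 'MZ',
    then a minimal MZ header whose e_lfanew (0xD8, as in the dump above) points
    at a 'PE\\0\\0' signature. Not a real executable."""
    junk = b"\x00" * 8 + b"MZ" + b"\x00" * 22             # decoy MZ with no PE behind it
    image = bytearray(0xE0)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0xD8)             # e_lfanew
    image[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB           # DOS stub message
    image[0xD8:0xDC] = b"PE\0\0"                          # NT signature
    return junk + bytes(image)


if __name__ == "__main__":
    region = build_sample_region()
    pe = carve_pe(region)
    print(f"decoy MZ at {region.find(b'MZ')}, real header at {len(region) - len(pe)}, "
          f"carved {len(pe)} bytes")
```

On a real dump, call carve_pe() on the bytes of the XRW region and write the result to disk; the decoy check matters because heap regions routinely contain MZ byte pairs that are just data.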
Let's go back to IDA, we need to find out what the program is doing... And it doesn't seem too hard, take a look at the disasm:
.text:00402FDC push offset File
.text:00402FE1 mov [esp+1C8h+var_1A8], esi
.text:00402FE5 call GenerateName ; Generate a _something_32.exe/.dll name
...
.text:00402FF5 push esi
.text:00402FF6 push esi
.text:00402FF7 push 1
.text:00402FF9 push esi
.text:00402FFA push esi
.text:00402FFB push 0C0000000h
.text:00403000 push offset File
.text:00403005 call ds:CreateFileA ; Create the file
...
.text:0040301A push 4
.text:0040301C push 3000h
.text:00403021 push 58400h ; Final size
.text:00403026 push esi
.text:00403027 call ds:VirtualAlloc ; Alloc memory on heap
...
.text:00403037 push offset key ; "D#*_dT8TK*9W%9y9EN*P%2A6PDft!=EkqDbn$qs"...
.text:0040303C xor esi, esi
.text:0040303E call ds:lstrlenA ; Calculate key len
...
.text:00403054 DecryptionLoop:
.text:00403054 mov bl, [edx+ecx]
.text:00403057 xor bl, byte ptr ds:key[esi] ; Decrypt file...
.text:0040305D add esi, 1
.text:00403060 cmp esi, ebp
.text:00403062 mov [ecx], bl ; ... and place it back into the heap
.text:00403064 jl short loc_403068
.text:00403066 xor esi, esi
.text:00403068
.text:00403068 loc_403068:
.text:00403068 add ecx, 1
.text:0040306B sub eax, 1
.text:0040306E jnz short DecryptionLoop
...
.text:00403083 push 0
.text:00403085 lea edx, [esp+1C4h+HeapInformation]
.text:00403089 push edx
.text:0040308A mov eax, edi
.text:0040308C sub eax, esi
.text:0040308E push esi
.text:0040308F add eax, 58400h
.text:00403094 push eax
.text:00403095 push ebx
.text:00403096 call ebp ; WriteFile() -> Write decrypted content into the final file
...
.text:004030D3 loc_4030D3:
.text:004030D3
.text:004030D3 push offset File ; lpLibFileName
.text:004030D8 call ds:LoadLibraryA ; Load the DLL
...
.text:004030E4 push offset aDllregisters_0 ; "DllRegisterServer"
.text:004030E9 push esi ; hModule
.text:004030EA call ds:GetProcAddress
.text:004030F0 test eax, eax
.text:004030F2 jz short loc_4030F6
.text:004030F4 call eax ; And call the entry point (DllRegisterServer())
What's happening here? The process makes room into the heap and decrypts the DLL in memory, decrypted content is then written on disk with a pseudo-random name, the library is loaded and run either by calling one of its exported functions (DllRegisterServer()) or by using a direct call to rundll32.exe.
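The DecryptionLoop above is a plain repeating-key XOR: esi indexes the key and wraps to zero when it reaches the key length (cmp esi, ebp / jl), eax counts the bytes down from the final size, and each decrypted byte is stored back in place on the heap. The Python below is an added example, not code from the original write-up or from the malware, that reimplements that loop so the embedded DLL can be recovered without running the dropper. The key constant holds only the part of the key visible in the listing above (the real one continues past the "..." and has to be copied from the unpacked binary's data section), the sample blob is constructed, and the function names are my own.

```python
# Added example, not code from the original write-up: recover the embedded DLL
# with the same repeating-key XOR the dropper's DecryptionLoop performs.
import sys

# Only the part of the key visible in the disassembly; the real key continues
# past the "..." and must be taken from the unpacked fundisc32.exe.
KEY_PREFIX = b"D#*_dT8TK*9W%9y9EN*P%2A6PDft!=EkqDbn$qs"
FINAL_SIZE = 0x58400  # the size pushed to VirtualAlloc and written with WriteFile


def xor_decrypt(blob, key, length=None):
    """Repeating-key XOR as in the loop: k walks the key and wraps at len(key)
    (cmp esi, ebp / jl), the byte count runs down from `length` (eax)."""
    if not key:
        raise ValueError("empty key")
    n = len(blob) if length is None else min(length, len(blob))
    out = bytearray(n)
    k = 0
    for i in range(n):
        out[i] = blob[i] ^ key[k]
        k += 1
        if k >= len(key):       # esi reached ebp (key length): start over
            k = 0
    return bytes(out)


def decrypt_embedded_dll(blob, key, size=FINAL_SIZE):
    """Decrypt and sanity-check: the dropper writes the result straight to disk
    and LoadLibrary()s it, so a correct key must yield an 'MZ' header."""
    plain = xor_decrypt(blob, key, size)
    if plain[:2] != b"MZ":
        raise ValueError("decrypted data has no MZ header: wrong key or wrong offset")
    return plain


# CONSTRUCTED sample: a fake MZ stub XORed with the partial key stands in for
# the encrypted blob kept in the dropper's data section (XOR is symmetric, so
# the same routine produces it).
SAMPLE_PLAIN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode" + b"\x00" * 22
SAMPLE_BLOB = xor_decrypt(SAMPLE_PLAIN, KEY_PREFIX)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:      # blob carved from the unpacked dropper
            data = f.read()
        key = KEY_PREFIX                        # replace with the full key
    else:
        data, key = SAMPLE_BLOB, KEY_PREFIX
    dll = decrypt_embedded_dll(data, key)
    print(f"decrypted {len(dll)} bytes, header {dll[:2]!r}")
```

The sample plaintext is longer than the partial key, so the wrap-around branch is exercised; on the real blob the MZ check is what tells you whether the key you copied is complete.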
Just below the already examined section there's another one, very similar, that instead of loading a dll, runs a copy of fundisc32.exe from c:\windows\system32\_something_32.exe.
Let's take a look at another interesting bit of code:
.text:0040142B push ebx
.text:0040142C push ebx
.text:0040142D call ds:OpenSCManagerA ; Open the ServiceManager
...
.text:00401454 push 3
.text:00401456 push 30h
.text:00401458 push ebp
.text:00401459 mov [esp+45Ch+pcbBytesNeeded], ebx
.text:0040145D mov [esp+45Ch+ServicesReturned], ebx
.text:00401461 mov [esp+45Ch+ResumeHandle], ebx
.text:00401465 call edi ; EnumServicesStatusA -> Enumerate services
...
.text:0040158E call ebx
.text:00401597 push eax
.text:00401598 push offset ServiceName
.text:0040159D call edi ; lstrcpyA ; Create a service name
...
.text:0040161A call AddFirewallRule ; Add firewall rule
.text:0040161F jmp short loc_40162A
.text:00401621 push eax
.text:00401622 call AddFirewallRule2 ; Add firewall rule
...
.text:00401644 lea edx, [esp+464h+DisplayName]
.text:0040164B push edx
.text:0040164C lea eax, [esp+468h+ServiceName]
.text:00401653 push eax
.text:00401654 push ebp
.text:00401655 call ds:CreateServiceA ; Create the service
...
.text:0040167B push 0
.text:0040167D push 0
.text:0040167F push esi
.text:00401680 call ds:StartServiceA ; Run the service
Here the process is enumerating the services, picking one at random and copying its name; then a new service is created (using the already existing name) pointing to the copy of fundisc32.exe located in the system32 directory; then, after adding a rule to allow its traffic (and the DLL's traffic) through the Windows firewall, the service is started.
This is most of the interesting job in fundisc32.exe; other actions are performed but they are not as interesting as those we've just seen, since most of them are maintenance routines used to restart the service, start the DLL (in a 32-bit or 64-bit environment), monitor it, manage events and so on...
In the next part we'll analyze the spawned DLL, where most of the fun is. We'll see how the DLL injects itself into some processes and why. The next part is gonna be more challenging than this one :).
Greetings
Greetings go to Andreageddon, Evilcry, PnLuck, Antelox, Evolution and all the other guys that are helping UIC to move forward. :)
Disclaimer
The documents published here are to be considered public and freely distributable, provided that the source is cited. All the documents on these pages have been written exclusively for research purposes; none of these analyses was made for commercial purposes or for any kind of compensation. The published documents present purely theoretical analyses of a program's structure; in no case has the software actually been disassembled or modified; any correspondence between the published documents and the instructions of the software under analysis is to be considered purely coincidental. All documents are sent anonymously and published automatically; the rights to such works belong exclusively to the signatory of the document (if present); in no case can the operator of this site, or of the server on which it resides, be held responsible for the contents found here; moreover, the site operator is unable to trace the identity of the sender of the documents. All documents and files on this site come with no warranty of any kind, therefore everyone is advised against reading or executing them; the staff takes no responsibility for the improper use of such documents and/or files, and it must be added that any reference to facts, things or persons is to be considered PURELY coincidental. Anyone who might feel morally offended by the contents of these pages is required to leave this site immediately.
We would also like to remind you that Reverse Engineering is a technological tool of great power and importance; without it, it would not be possible to create antivirus software or to discover malicious and undeclared functions inside a program in public use. It would not be possible to find out, in the absence of a secure system for integrity checking, whether a given program is really the one the user chose to install and run, nor would it be possible to continue the development of those programs (or the use of those peripherals) considered obsolete and no longer supported by the official sources.
