Decrypt Zeus 2.3.2.0 Config File

Today, I came across a good blog from Trend: http://blog.trendmicro.com/zeus-gets-another-update/


But the “F5” result is not that clear, so I decided to check it.

I got the sample from https://zeustracker.abuse.ch/monitor.php?host=xoophafiel.ru

It is Zbot version 2.3.2.0, as its hardcoded parameter shows.


After unpacking the binary, it turns out that not many routines changed except the encryption algorithm mentioned in Trend’s blog.

So, I focused on that algorithm. :)

1. First, locate that algorithm. I started with the routine which searches for the “DAVE” string after decryption.


2. “sub_41BE9F”. After doing some RE work on it, my guess was AES. But where is the key? So I traced back.

3. The key (16 bytes) is hardcoded in the binary at 405388. In order to verify my guess, I manually extracted the encrypted data (the DAVE part, the overlay of the UPX-packed binary, same as in the old versions) and wrote the following Perl script to decrypt it.

use strict;
use warnings;
use Crypt::Rijndael;

my $encrypted = $ARGV[0];                       # path to the encrypted DAVE overlay
open my $keyfh,  '<', 'recv_key'  or die "recv_key: $!";
open my $datafh, '<', $encrypted  or die "$encrypted: $!";
binmode $keyfh;                                 # key and data are raw binary, not text
binmode $datafh;
local $/;                                       # slurp whole files
my $key   = <$keyfh>;                           # the 16-byte AES key dumped from 405388
my $block = <$datafh>;
die "key must be 16 bytes\n"                  unless length($key) == 16;
die "data must be a multiple of 16 bytes\n"   if length($block) % 16;

# AES (Rijndael) in ECB mode: no IV, every 16-byte block decrypted independently
my $cipher = Crypt::Rijndael->new( $key, Crypt::Rijndael::MODE_ECB() );
my $de = $cipher->decrypt($block);

open my $out, '>', 'recv_dec' or die "recv_dec: $!";
binmode $out;
print $out $de;
close $out;

The “DAVE” part data key is:


After decryption:


Yes, “DAVE”….

4. After figuring out its algorithm, the next step was the config file downloaded by Zbot. Just like the old version, it stores the config file decryption key in hardcoded data which is also encrypted via a simple XOR. After some RE work, I got the following key:

5. Using that Perl script and the simple XOR on the downloaded config file, I got the following compressed data.


6. 2.3.2.0 doesn’t change its compression method; after decompression:
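The same pipeline in Python, as an added example that is neither the author’s script nor code from the Zeus sample: read the 16-byte key at a known file offset, AES-128-ECB decrypt the overlay and insist on the “DAVE” marker (the same check the bot makes, and the quickest way to notice a wrong key or a badly cut overlay), then recover the XOR-obfuscated config key and decrypt a config blob. It assumes the `cryptography` package. The post only says “simply XOR”, so a repeating-key XOR stands in for the real scheme, the AES-then-XOR order for the config is an assumption, and the decompression step is left out because the post does not name the compressor. The offsets, keys and blobs in `build_constructed_sample` are constructed for the demo, not values from the sample.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

DAVE_MARKER = b"DAVE"  # plaintext marker the bot searches for after decryption
KEY_LEN = 16           # AES-128 key


def read_key_at(binary: bytes, offset: int, length: int = KEY_LEN) -> bytes:
    """Pull a hardcoded key out of the unpacked binary at a known offset
    (the post found the AES key at 405388; here the offset is a parameter)."""
    key = binary[offset:offset + length]
    if len(key) != length:
        raise ValueError("key lies outside the binary")
    return key


def aes_ecb(key: bytes, data: bytes, decrypt: bool) -> bytes:
    """Raw AES-ECB without padding, matching Crypt::Rijndael MODE_ECB in the Perl script."""
    if len(data) % 16:
        raise ValueError("AES-ECB input must be a multiple of 16 bytes")
    cipher = Cipher(algorithms.AES(key), modes.ECB())
    ctx = cipher.decryptor() if decrypt else cipher.encryptor()
    return ctx.update(data) + ctx.finalize()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. ASSUMPTION: the post only says 'simply XOR'; the real
    scheme may differ. XOR is its own inverse, so this encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_dave_overlay(key: bytes, overlay: bytes) -> bytes:
    """Decrypt the overlay and require the DAVE marker, as the bot itself does."""
    clear = aes_ecb(key, overlay, decrypt=True)
    if DAVE_MARKER not in clear:
        raise ValueError("no DAVE marker: wrong key or wrong data slice")
    return clear


def recover_config_key(binary: bytes, offset: int, xor_key: bytes) -> bytes:
    """The config key is stored XOR-obfuscated in the binary; undo the XOR."""
    return xor_bytes(read_key_at(binary, offset), xor_key)


def decrypt_config(config_key: bytes, xor_key: bytes, blob: bytes) -> bytes:
    """Step 5 of the post: AES-ECB, then the simple XOR, on the downloaded config.
    ASSUMPTION: the order and the XOR scheme are not spelled out on the page."""
    return xor_bytes(aes_ecb(config_key, blob, decrypt=True), xor_key)


def build_constructed_sample():
    """CONSTRUCTED fixture, not data from the real sample: a fake 'binary' with the
    AES key at 0x40 and the XOR-obfuscated config key at 0x80, plus an overlay and a
    config blob encrypted the way the post describes. Returns the plaintexts too."""
    aes_key = bytes(range(1, 17))
    config_key = bytes(range(0x20, 0x30))
    xor_key = b"\x5a"
    binary = bytearray(b"\x90" * 0x100)
    binary[0x40:0x50] = aes_key
    binary[0x80:0x90] = xor_bytes(config_key, xor_key)
    overlay_clear = DAVE_MARKER + b"\x00" * 12 + b"config-url-placeholder.bin".ljust(32, b"\x00")
    overlay = aes_ecb(aes_key, overlay_clear, decrypt=False)
    config_clear = b"compressed-config-placeholder".ljust(32, b"\x00")
    config_blob = aes_ecb(config_key, xor_bytes(config_clear, xor_key), decrypt=False)
    return bytes(binary), overlay, config_blob, overlay_clear, config_clear


def run_demo():
    binary, overlay, config_blob, _, _ = build_constructed_sample()
    key = read_key_at(binary, 0x40)
    clear = decrypt_dave_overlay(key, overlay)
    cfg_key = recover_config_key(binary, 0x80, b"\x5a")
    return clear, decrypt_config(cfg_key, b"\x5a", config_blob)


if __name__ == "__main__":
    clear, cfg = run_demo()
    print(clear[:4], cfg.rstrip(b"\x00"))
```

Against a real sample you would replace `build_constructed_sample` with the unpacked binary, the overlay cut from the UPX-packed file and the downloaded config, and feed `decrypt_config`’s output to the decompressor the bot uses.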


That’s it. 

-Kyle Yang

Pushdo/Cutwail/Webwail Botnet Resurrects


Since I wrote too many things about Pushdo/Cutwail/Webwail, this time I don’t want to actually write anything. I believe some pics are better.


-Kyle Yang

The ‘New’ Storm

Last week, ShadowServer posted a great blog about this new P2P spam botnet. In this blog, I’ll mainly focus on the communication protocol and encryption algorithm of bot version 0.0.49.

The following figure shows us its bootstrap before communication starts.

1. Update Peer List

After the bootstrap, it will try to ‘talk’ to the peers which are hardcoded in the binary. (Peer number? Sorry, I didn’t count.)

It will send the following data via TCP/80.


After reversing its data composition routine, the real encrypted data actually starts at offset 0x22 (highlighted).

01 02 01 01 01 01 02 01 – hardcoded ANMP flag (the author named the protocol)
51 01 00 00 – data length (includes 1 byte which is unknown yet; in this case it is 0x0B)
00 00 00 00 – unknown
01 – hardcoded, unknown
E8 03 – hardcoded, unknown
03 00 00 00 – unknown
00 00 00 00 – unknown
00 00 00 00 – unknown
0B – unknown
… – encrypted data

The encrypted data is zlib-compressed and encrypted using Blowfish (the password is base64-encoded and hardcoded in the binary). After decryption, the clear data sent to the peer is the following:

The actual data sent to the peer is the bootstrap peer list, which includes 2 main data parts. One is the bootstrap peer list, the other is the bot (peer) info.

//bootstrap peer list
m_bootstrap_list
m_clients_list

//more than 1 peer info
m_client_id
m_ip
m_last_active_time
m_last_active_time
m_listening_port
m_live_time

//bot info
m_client_id
m_current_time
m_external_info_packed
m_external_data_blob
m_external_data_signature
m_external_info_id
m_listening_port
m_live_time
m_version
m_build
m_build_name
m_major
m_minor

After that, the peer will send its bootstrap and its updated peer list to the bot (peer). The data zones are almost the same, except that the bot build (version) info doesn’t exist and “m_success” is appended.
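A parser for the packet header laid out above, as an added example that is not code from the post or from the bot. It uses Python’s `struct` with the field sizes exactly as listed (8 + 4 + 4 + 1 + 2 + 4 + 4 + 4 + 1). Those sizes total 32 (0x20) bytes, two short of the 0x22 offset the post gives for the encrypted data, and the page does not say where the extra two bytes sit, so the parser derives the payload offset from the layout rather than hard-coding either number. It validates the ANMP flag and the two hardcoded constants, and checks the length field against the payload plus the trailing unknown byte, which is the consistency check a detection signature or a dissector would also want. Blowfish key handling is not reproduced: `decode_payload` accepts any decrypt callable (identity by default) and then inflates with zlib. `build_sample_packet` builds constructed traffic with the captured constant values; the body text is made up.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Callable

ANMP_FLAG = bytes([0x01, 0x02, 0x01, 0x01, 0x01, 0x01, 0x02, 0x01])
# Header layout from the post, little-endian, no padding:
# flag(8) length(4) unknown(4) 0x01(1) 0x03E8(2) unknown(4) unknown(4) unknown(4) trailer(1)
HEADER_FMT = "<8sIIBHIIIB"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32 bytes as listed; the post cites 0x22
CONST_BYTE = 0x01
CONST_WORD = 0x03E8                         # the 'E8 03' field


@dataclass
class AnmpPacket:
    length: int        # covers the payload plus the one trailing header byte
    unknown1: int
    unknown2: int
    unknown3: int
    unknown4: int
    trailer: int       # the counted unknown byte (0x0B in the captured packet)
    payload: bytes     # Blowfish-encrypted, zlib-compressed body


def parse_anmp(blob: bytes) -> AnmpPacket:
    """Validate and split one ANMP packet; raises ValueError on anything malformed."""
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated header")
    flag, length, unk1, c1, c2, unk2, unk3, unk4, trailer = struct.unpack_from(HEADER_FMT, blob)
    if flag != ANMP_FLAG:
        raise ValueError("not an ANMP packet: bad flag")
    if c1 != CONST_BYTE or c2 != CONST_WORD:
        raise ValueError("unexpected constant fields")
    payload = blob[HEADER_LEN:]
    if length != len(payload) + 1:
        raise ValueError(f"length field {length} != payload {len(payload)} + 1")
    return AnmpPacket(length, unk1, unk2, unk3, unk4, trailer, payload)


def build_anmp(payload: bytes, trailer: int = 0x0B) -> bytes:
    """Compose a packet with the header constants from the post; the unknown
    fields take the values seen in the captured packet (0, 3, 0, 0)."""
    return struct.pack(HEADER_FMT, ANMP_FLAG, len(payload) + 1, 0,
                       CONST_BYTE, CONST_WORD, 3, 0, 0, trailer) + payload


def decode_payload(pkt: AnmpPacket,
                   decrypt: Callable[[bytes], bytes] = lambda b: b) -> bytes:
    """Undo the two layers the post describes: Blowfish (caller-supplied, since the
    password handling is not reproduced here) and then zlib."""
    try:
        return zlib.decompress(decrypt(pkt.payload))
    except zlib.error as exc:
        raise ValueError(f"payload did not inflate: {exc}") from exc


def build_sample_packet():
    """CONSTRUCTED sample: a zlib-compressed body, sent 'in the clear' so the
    identity decrypt in decode_payload round-trips it. Returns (packet, body)."""
    body = b"m_bootstrap_list\x00m_clients_list\x00m_client_id\x00m_ip\x00" * 4
    return build_anmp(zlib.compress(body)), body


if __name__ == "__main__":
    raw, body = build_sample_packet()
    pkt = parse_anmp(raw)
    print(HEADER_LEN, pkt.length, pkt.trailer, decode_payload(pkt)[:32])
```

Against real captures, pass a Blowfish decryptor built from the bot’s hardcoded password as the `decrypt` argument; a packet whose length field disagrees with its size, or whose payload fails to inflate after decryption, is a quick way to spot a different build or a key change.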

2. Retrieve spam related stuff & send report

After the bot (peer) has updated its peer list, it will try to retrieve the spam info from the peer.

It will send the following HTTP GET to the peer. The clear data is the following:

The data includes 2 main parts. One is the bot (peer) info, the other is the current spam job info, which are the following:

client_id
m_client_build_name //seems always to be “test”
m_client_ver_entry
m_build
m_build_name
m_major
m_minor
m_client_version
//0.0.49
m_is_first_meet
m_last_worked_job_id
m_listenning_port
m_mail_section
m_current_que_size
m_plugins_configs_send_data
m_dns_config_id
m_from_client_mail_section
m_hosting_config
m_config_id
m_socks_config_id

Then, the peer will respond with the following data (clear):

We can see that it contains the server config, spam template, etc. :]

After the job is done, it will send a report of the spam email sending status. The following is an example of this report.

Diff v0.0.48 and v0.0.49:

Sorry for not having many explanations. I’ll go deeper to figure out the “unknown” parts.

-Kyle Yang

Farewell To Pushdo/Cutwail/Webwail Botnet – II (Denis and Joker)

In my last blog,

Farewell To Pushdo/Cutwail/Webwail Botnet – I (Relationship with other malware gangs)

I revealed the relationship between the Pushdo gang and other malware gangs. Interesting?

Since I didn’t finish my demo in the VB100 2010 presentation, in this blog I’ll try to point out some key features of the Pushdo/Cutwail/Webwail Fuzzing Tracker.

Tracker Development:

I started to write this botnet tracker after my presentation at BlackHat 2010. There are 3 main purposes of this tracker.

1. Monitor its update history.

2. Share the information to all the researchers.

3. One day, I’ll co-operate with other malware researchers or companies to take down this botnet totally.

For point 3, I was already on the way after my VB100 presentation. I’m quite sure you guys already felt it. :)

Key Features:

1. Latest Pushdo Modules

Pushdo is an advanced downloader which can download many different modules.

For now, there are 11 different modules.

If there is an update of a Pushdo module or a totally new module, it will be shown in this section.

2. Latest Module Parameters

Cutwail and Webwail are command line tools. They all have switches and can’t run properly without proper parameters.

So, every time Pushdo downloads either Cutwail or Webwail, it also downloads the corresponding parameters for Cutwail and Webwail.

Simply put, those parameters are the C&C server IP & Port for Cutwail and Webwail.

If there are new parameters, they will be shown in this section.

3. Latest Webwail Scripts

Webwail, which is script-engine driven, has the ability to register mail accounts and send spam from the web.

Webwail will download many different scripts when registering mail accounts or sending spam.

If there are new scripts, they will be shown in this section.

4. Pushdo C&C Server Info

It will show you the Pushdo C&C server IP & port. You can check what modules/parameters have been downloaded from this C&C server.

In the modules sub-page, you will find the module name which is given by the Pushdo author(s), just like a nickname.

In the parameters sub-page, you will find the parameters’ detailed info, including IP & port and the nickname for the server.

5. Cutwail C&C Server Info

It will show you the Cutwail (spam engine) C&C server IP & port.

In the detailed info page, you will find different responses from the server, like spam template, configuration and email list.

6. Webwail C&C Server Info

It will show you the Webwail (web spam) C&C server IP & port.

In the detailed info page, you will find different kinds of scripts for Webwail. If you check those scripts carefully, you’ll find “Denis”, “Joker” and some Russian comments. :)

7. Pushdo Module Update Info

Basically, it will show you how many times the module gets updated.

8. Vendor Module Update History

Vendor ID is a key value which is hard-coded in the Pushdo binary. The bot will receive different modules and send different spam emails based on the vendor value.

There are 23 different vendor IDs, from 0x01 to 0x17.

You can find some distinct modules which only exist in one vendor.

Yeah, that’s all, I think. This tracker contains almost 1 year of my research results. Please use it wisely. I hope you can benefit from it: http://re-malware.com/kyle/

Just like my blog tag-line says, “Without mysteries, it cannot survive”.

-Kyle Yang

Farewell To Pushdo/Cutwail/Webwail Botnet – I (Relationship with other malware gangs)

In this blog, I’ll give a brief history of the Pushdo/Cutwail/Webwail evolution and reveal its relationship with other malware gangs.

Jan 2007 – 1st generation Pushdo. It uses HTTP GET commands and has static parameters in the GET command.

Dec 2007 – 2nd generation Pushdo [Codename: Siberia2]. The author removed the static parameters from the GET command. And it is downloaded by the 1st generation Bredolab, which also used HTTP GET commands.

Oct 2009 – 3rd generation Pushdo [Codename: Revolution6]. The communication protocol and encryption algorithm are totally different from before. At that time, Pushdo downloaded the Cutwail module, trying to spread FakeAV and Pushdo itself.

Nov 2009 – They started to test the Webwail module in some of its sub-botnets. It spread with the help of the 2nd generation Bredolab. This new Bredolab abandoned HTTP GET too and turned to a custom communication protocol; its communication encryption algorithm is XOR and MD5.

Jan 2010 – Another malware called GoolBot was seeded with the help of Cutwail. It will download many other malwares, like Zbot, FakeAV and the 2nd gen Pushdo, but not the original one: this one encrypts the HTTP GET command again using the RC4 algorithm. And this one will communicate with the C&C server through port 443 and generate lots of junk SSL traffic to 250 legitimate websites. The purpose of doing this is obvious: try to hide the real commands among the decoys.

Jan 2010 – The Pushdo gang tried to re-use the ImraBot module; this module was first seen in Jan 2009. I considered it the prototype of Webwail. It has almost the same functions as Webwail. But the communication protocol is quite different: it uses HTTP GET, same as the 2nd gen Pushdo, so this module should belong to the 2nd generation Pushdo. The parameters are bot_id and mode. The server response scripts are base64-encoded. While the 2nd generation Bredolab was spreading the 3rd generation Pushdo, Webwail’s only function was registering MSN and Yahoo accounts.

Feb 2010 – Sasfis spreads the 3rd generation Pushdo. It takes Bredolab’s place, helping the Pushdo gang with seeding. Webwail’s function is registering MSN accounts and sending spam (audio CAPTCHA resolving). And Sasfis usually downloads TDSS, Zbot, Hiloti and CMultiLoader. CMultiLoader is a downloader using HTTP GET commands. The data is base64-encoded. Why I called it CMultiLoader: because this version has a debug print function and will send the debug info back to the server. In the log, every important operation starts with CMultiLoader or CSpreadingManager.

Feb 2010 – The 3rd gen Pushdo released a new module called google_bot. After reversing its binary, it turns out to be GoolKit, version 1.2. It is script-engine driven and has 3 main functions.

1. It has the ability to add a malicious iframe to webpages whose FTP credentials have been stolen before. The modified web page contains the Goolkit tag.

2. It has the ability to launch DDoS attacks against websites.

3. It can send spam emails with the compromised website link.

Apr 2010 – Cutwail spread the modified 2nd generation Pushdo. There is no major change this time, just the 250 legitimate websites changed to 79. Most of the websites are from Brazil, Ukraine and Japan.

May 2010 – The Pushdo gang released the new Pushdo binary with the project name Magadan. So, from Siberia, a region name, to the city name Magadan: are they telling us where they are?

Jun 2010 – The Pushdo gang released 3 new modules, called botloader, google_ddos and restyle_bot, and re-used the old module mailsniffer.

botloader = SpyEye downloader

google_ddos = single target DDoS module. It launches DDoS attacks against an investment website.

restyle_bot = FTP password stealer

Jun 2010 – The Pushdo gang released another module called new_loader, but the function is the same as botloader’s, which is to download SpyEye.

Jul 2010 – The Pushdo gang released another 2 new modules, called soldier and antispyware.

Soldier = SpyEye. And it will download the sock plugin.

antispyware = CMultiLoader, which has already removed the debug print function.

Aug 2010 – Zbot tried to download the 3rd generation Pushdo through an SSL connection; then Pushdo will download Cutwail to help Zbot with seeding. The sub-botnet ID for that is 0x17.

Sep 2010 – While Cutwail is injured, Sasfis made another friend, Asprox, which is a spam botnet. But its communication encryption algorithm and resource decryption algorithm are still XOR 1b, which is too weak.

The above events should be in my blogs; check them for details.

I have been researching the Pushdo/Cutwail/Webwail botnet for almost 1 year. It’s time to say goodbye.

-Kyle Yang

Pushdo/Cutwail Botnet is warming up to bounce back – V (Sasfis)

Basically, we don’t work at weekends, but the Pushdo/Cutwail/Webwail gang did.

After adding 4 new Cutwail servers, today they spread their old friend Sasfis again. Last time was 1st Sep 2010.

Pushdo/Cutwail Botnet is warming up to bounce back – III (Sasfis, Asprox, Cutwail, FakeAV, Hiloti)

The following is the screenshot of the Cutwail spam template raw data.

This time, you can see that they still tried to use the old UPS template. And, of course, there is an attachment.

The inner file, Invoice_Document.exe, is Sasfis, but it still uses the old domain name from last time.

The interesting thing is that (as of writing) the server doesn’t respond with anything. But I believe it could spread the same malicious binary as last time. You can check my Sasfis tracker.

-Kyle

Webwail Botnet and MSN

Today, I made a BIG video of the process by which Webwail registers new MSN accounts for its spam purposes.

The above is only one function of the Webwail botnet; its main purpose is to send spam from those pre-registered MSN accounts. I’ll make another video on that.

Webwail Reg MSN Routine:

1. Retrieve pre-defined MSN user info from C&C server

2. Fill in the registration form

3. Change to Audio CAPTCHA

4. Send CAPTCHA to resolving server

5. Fill the CAPTCHA

6. Log in to the newly registered MSN account to verify

7. Wait for next user info.

From my Pushdo/Cutwail/Webwail Botnet Tracker DB (I can’t give a precise number, simply because the number is increasing every day):

1. 8K+ MSN accounts are used to send spam.

2. 20K+ pre-defined MSN user info entries which will be used to register MSN accounts.

3. 200+ spam templates

I’ll give a presentation about the Webwail botnet at the VB100 conference:

The Webwail botnet: a reputation-based filter killer – http://www.virusbtn.com/conference/vb2010/abstracts/Yang.xml

-Kyle Yang

Pushdo/Cutwail Botnet is warming up to bounce back – IV

The Pushdo/Cutwail gang added another 4 new Cutwail C&C servers today (so far).

Now they have 20 Cutwail C&C servers alive.

-Kyle Yang

Pushdo/Cutwail Botnet is warming up to bounce back – III (Sasfis, Asprox, Cutwail, FakeAV, Hiloti)

In my previous 2 blogs (I and II), the Pushdo/Cutwail gang already added 10 Cutwail servers. You might be interested in what spam they are sending now.

The following (from my Pushdo/Cutwail Botnet Tracker) is the spam template which the Cutwail bot retrieved from the new Cutwail C&C servers.

You may be too familiar with “DHL” spam. Of course, the template contains a zipped malicious file.

The inner file (Postal_Label_NR4147c.exe) is Sasfis. Yet again, Cutwail spreads Sasfis.

There are 4 interesting findings:

1. The Asprox spam botnet is also spreading Sasfis now. But there are 2 different versions of Sasfis. More specifically, the Sasfis C&C server domain name is different.

2. The Sasfis main payload binary moved from EXE to DLL.

3. This version of Sasfis’s custom packer seems buggy. After it rewrites the image code, it should trigger an SEH to enter the load-DLL routine (the main function of Sasfis). But it doesn’t.

4. Even given the above 3 points, both versions of Sasfis will download 3 other different malwares.

There are 2 main spreading records in my tracker (above).

23rd Aug – Asprox spam Botnet spreading Sasfis.

1st Sep – Cutwail spam Botnet spreading Sasfis.

There are 2 interesting findings:

1. up.exe is the Asprox binary. Sasfis spreads the same Asprox binary.

2. Sasfis is trying to double its power (Cutwail & Asprox spam botnets) to spread 2 other malicious binaries (kapusta.exe and mario.exe).

Info on the other 2 binaries:

Mario.exe – FakeAV downloader

C&C server – s.statst.in

FakeAV host – dlhosts.in (setupbinarymodule710.exe)

kapusta.exe – Hiloti

It will download more than 1 malicious file.

-Kyle Yang

Pushdo/Cutwail Botnet is warming up to bounce back – II

Just like I said in my previous blog, the Pushdo/Cutwail gang will add more servers this week. Check the following info from my tracker.

They added another 6 Cutwail C&C servers.

-Kyle Yang