A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19501  by EP_X0FF
 Fri May 31, 2013 2:34 am
Well, probably it downloads bitcoin miner as payload.
 #19524  by hx1997
 Sun Jun 02, 2013 1:07 pm
Hi all,

Here is a FakeAV dropper. (Internet Security)

It injects code into explorer.exe in order to create autorun entry and start the FakeAV. But I've seen some HIPS fail to block this injection.
Anyone knows how this dropper injects code?

Thanks.
Attachments: infected (857.37 KiB)
 #19526  by EP_X0FF
 Sun Jun 02, 2013 2:55 pm
hx1997 wrote:But I've seen some HIPS fail to block this injection.
Anyone knows how this dropper injects code?
Thanks.
It is Power Loader based.
Code:
ntdll.dll
LdrLoadDll
RtlCreateUnicodeStringFromAsciiz
LdrGetProcedureAddress
ntdll.dll
.cfg
logs123.txt
.text
%d_cc_%s
%d__%s
IsWow64Process
kernel32
GetNativeSystemInfo
kernel32.dll
32bit
64bit
%1d.%1d %04d sp%1d.%1d %s
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
RtlCreateUserThread
ZwWriteVirtualMemory
ZwReadVirtualMemory
ZwAllocateVirtualMemory
ZwQueryInformationProcess
ZwQueryVirtualMemory
%d
SOFTWARE\
inject32_event
\BaseNamedObjects\ShimSharedMemory
\BaseNamedObjects\windows_shell_global_counters
\BaseNamedObjects\MSCTF.Shared.SFM.MIH
\BaseNamedObjects\MSCTF.Shared.SFM.AMF
\BaseNamedObjects\UrlZonesSM_Administrator
\BaseNamedObjects\UrlZonesSM_SYSTEM
KiUserApcDispatcher
_chkstk
WriteProcessMemory
kernel32.dll
atan
op_mon.exe
explorer.exe
Inject32Start
Inject32End
CloseHandle
MapViewOfFile
OpenFileMappingW
CreateThread
SetWindowLongA
user32.dll
Shell_TrayWnd
Inject32Normal
inject32_section
SetWindowLongPtrA
Inject64Start
Inject64End
Inject64Normal
inject64_section
inject64_event
InjectNormRoutine
SeDebugPrivilege
NewNtResumeThread(): Work thread created
2
1
ZwResumeThread
NtResumeThread
kernelbase.dll
.exe
Protect::UpdateMain(): EXE UPDATED !!!
Protect::UpdateMain(): eee3
Protect::ProtectThread(): PathToProtect Dropper: '%s'
CurrentPath111
Protect::StartProtect(): Old: '%s'
Protect::StartProtect(): New: '%s'
Protect::StartProtect(): AddKeyToRun error
nameprot
notepad
Protect::GetNewPath(): Name1: '%s'
Protect::GetNewPath(): Name2: '%s'
Protect::WriteFileToNewPath(): FileWrite error %x
Protect::WriteFileToNewPath(): FileRead '%s' error %x
32131
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"%s"
MachineGuid
Software\Microsoft\Cryptography
abcxvcxvx
sacfsfdsf
GET
knock_url1
knock_url2
avbase.dat
timer
name_exe
InstallLoadedFile(): PathToWrite Notepad: '%s'
shortcut
.lnk
autorun
noprot
main
64
32
Drop::InjectStartThread(): inject '%s' (x%s) !!!
explorer.exe
runas
aRestartModuleShellExec(): ShellExecuteEx error: %x
Entry(): integrity: %x, current: '%s', win: '%s', admin: '%d', uac: '%d', wow64: '%d'
Entry(): Exploit failed
Entry(): Normal injected failed
Entry(): System already infected
DownloadRunExeUrl(): DownloadRunExeUrl Path '%s'
DownloadRunExeUrl(): URLDownloadToFile: %x
mainver
DownloadUpdateMain(): e2
DownloadUpdateMain(): e1
srvurls
;
OK
Err
tid=%d&ta=%s-%x
fid=%d
Server::DownloadFileById(): ServerUrl '%s', Request '%s'
%s|%d|
POST
srvretry
OK
%x
%[^.].%[^(](%[^)])
Server::ProcessServerAnswer(): Command '%s' = %x
buildid
os=%s&bid=%s
Server::SendReport(): Buffer '%s'
Server::ServerLoopThread(): SendReport '%s' ok
Server::ServerLoopThread(): SendReport '%s' no answer
srvdelay
Server::ServerLoopThread(): Sleep: '%d' min

PowerLoader config
Code:
[main]
srvurls=http://softsecuredownload.com/admin/c1.php;;
srvdelay=15
srvretry=2
buildid=218.2
noprot=1
[notepad]
name_exe=insecure.exe
shortcut=Internet Security 2014
knock_url1=http://saggerboy.com/images/m.php?id=218.2
knock_url2=http://www.banglamasala.com/ccbill/m.php?id=218.2
autorun=1
timer=0
So it is PowerLoader x86-32 and x64 + FakeAV body.
Example of extracted x64 Alureon https://www.virustotal.com/ru/file/feb8 ... 370185580/
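An added example (not code from the thread or from PowerLoader) showing how an analyst can turn the config format above into reportable indicators: it parses the INI-like sections, copes with the first key being glued onto the "[main]" header as in the paste above, splits the ';'-separated srvurls list and collects the knock URLs and their hosts. The sample input is the config posted above; the function and field names are this example's own.

```python
import re
from urllib.parse import urlparse

# Sample input copied from the PowerLoader config posted above, including the
# "[main]srvurls=" line where the forum extraction glued key and header together.
SAMPLE_CONFIG = """[main]srvurls=http://softsecuredownload.com/admin/c1.php;;
srvdelay=15
srvretry=2
buildid=218.2
noprot=1
[notepad]
name_exe=insecure.exe
shortcut=Internet Security 2014
knock_url1=http://saggerboy.com/images/m.php?id=218.2
knock_url2=http://www.banglamasala.com/ccbill/m.php?id=218.2
autorun=1
timer=0
"""
SECTION_RE = re.compile(r"^\[(\w+)\](.*)$")

def parse_config(text):
    """Parse the INI-like config into {section: {key: value}}; a key glued
    to the section header ("[main]srvurls=...") is still picked up."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            cfg.setdefault(section, {})
            line = m.group(2).strip()  # remainder may hold the first key
            if not line:
                continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            cfg[section][key.strip()] = value.strip()
    return cfg

def extract_iocs(cfg):
    """C2 URLs (';'-separated srvurls), knock URLs, their hosts, and the
    fields worth reporting: build id, dropped EXE name, Run-key autorun."""
    main, notepad = cfg.get("main", {}), cfg.get("notepad", {})
    urls = [u for u in main.get("srvurls", "").split(";") if u]
    urls += [v for k, v in notepad.items() if k.startswith("knock_url") and v]
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {"urls": urls, "hosts": hosts, "buildid": main.get("buildid"),
            "dropped_exe": notepad.get("name_exe"),
            "autorun": notepad.get("autorun") == "1"}
```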
 #19572  by hx1997
 Sat Jun 08, 2013 3:49 pm
EP_X0FF wrote:So it is PowerLoader x86-32 and x64 + FakeAV body.
Example of extracted x64 Alureon https://www.virustotal.com/ru/file/feb8 ... 370185580/
Hi, EP_X0FF.

I still have some questions about this PowerLoader based malware.

I searched PowerLoader and found this PoC https://github.com/0vercl0k/stuffz/blob ... ection.cpp
One of my friends said the author of this PoC didn't understand the injection method at all. He thought this malware performed code injection by making use of the return-oriented programming (ROP) technique.
(Well I'm not familiar with this)

So I'm a bit confused. Could you please explain it (injection technique) in more detail?

Thanks!
 #19578  by EP_X0FF
 Sun Jun 09, 2013 3:17 am
hx1997 wrote:I searched PowerLoader and found this PoC https://github.com/0vercl0k/stuffz/blob ... ection.cpp
One of my friends said the author of this PoC didn't understand the injection method at all. He thought this malware performed code injection by making use of the return-oriented programming (ROP) technique.
(Well I'm not familiar with this)

So I'm a bit confused. Could you please explain it (injection technique) in more detail?
Well, the trick with Shell_TrayWnd is well described, so there is nothing else to add. As for this PoC, well, it is a PoC of the injection method, not a full copycat of the malware injection; PowerLoader (the name seems to come from the Aliens movie, which is no surprise - the author was in love with classic movies earlier, with TDSS) implemented it differently, with a small ROP gadget inside.

All is briefly explained here http://www.slideshare.net/matrosov/adva ... -win32gapz

As you see, it is not enough to fully reproduce the malware.

Taking http://www.kernelmode.info/forum/viewto ... 986#p18986 (courtesy of rin) as the example we will refer to in the text.

1) The dropper is trying to open one of the existing shared sections, doing NtOpenSection:
Code:
ShimSharedMemory
windows_shell_global_counters
MSCTF.Shared.SFM.MIH
MSCTF.Shared.SFM.AMF
UrlZonesSM_Administrator
UrlZonesSM_SYSTEM
See @004045D0 in the unpacked dropper for more info.

VirtualQuery is used to learn the memory region size.

2) Next, PL forms a payload, see @004049C0, using two exported routines - Inject32Start, Inject32End - as the template for construction. The malware gets the Shell_TrayWnd handler and saves it to restore after exploitation (otherwise explorer will crash). It also constructs the shellcode to be executed after exploitation, see (5) for more info.

The shellcode itself is simple:
Code:
OpenFileMapping
MapViewOfFile
CreateThread
CloseHandle
SetWindowLongA - to restore original Shell_TrayWnd handler
3) The prepared shellcode is mapped into the opened section, see @00404950.

4) PL opens the target Explorer.exe using NtOpenProcess and the anti-Outpost trick described by rin here http://www.kernelmode.info/forum/viewto ... 986#p18986.

Why does it do this? Because PL doesn't know the address where this section is located in the Explorer.exe VA. So it scans memory using VirtualQueryEx and ReadProcessMemory.

Section found? Let's do the ROP gadget. See @004046E0 for details.
First, PL looks for the following bytes, 0xFD, 0xC3 (see slide 16 of the ESET presentation) -> part of ntdll code:
Code:
FD -> std
C3 -> retn
Next, 0xC3, 0xFC -> part of kernel32 code:
Code:
FC -> cld
C3 -> retn
0xB9, 0x94, 0x00, 0x00, 0x00, 0xF3, 0xA5, 0x5F, 0x33, 0xC0, 0x5E, 0x5D, 0xC2, 0x08, 0x00 -> shell32 code:
Code:
B994000000 -> mov ecx, 94
F3A5       -> rep movsd
5F         -> pop edi
33C0       -> xor eax, eax
5E         -> pop esi
5D         -> pop ebp
C20800     -> retn 8
or (from the 32-bit shell32.dll of Windows 7 SP1)
Code:
.73880935: B994000000    mov    ecx,000000094
.7388093A: F3A5          rep movsd
.7388093C: 5F            pop    edi
.7388093D: 33C0          xor    eax,eax
.7388093F: 5E            pop    esi
.73880940: 5D            pop    ebp
.73880941: C20800        retn   8
.73880944: 9090909090    nop
0x58, 0xC3, 0xFF, 0xE0 -> explorer.exe code:
Code:
58   -> pop eax
C3   -> retn
FFE0 -> jmp eax
Addresses of these instructions are saved inside the shellcode.

5) Skipping the part related to Shell_TrayWnd as it has already been discussed multiple times. So what happens when the shellcode gets control? It executes a piece of specially constructed code whose purpose is to spoof the stack and execute the shellcode.

Part of it:

ntdll!KiUserApcDispatcher
SHELL32!code (see above)
ntdll!code (see above)
kernel32!OpenFileMappingA
kernel32!MapViewOfFile
kernel32!CloseHandle
kernel32!CreateThread
user32!SetWindowLongA

KiUserApcDispatcher pushes a value on the stack.
The purpose of the ntdll code is to set the DF flag.
The purpose of the shell32 code is to copy data from the section with the shellcode to the stack. DF controls the copy behaviour, so the data will be copied from top to bottom. After leaving shell32, "ret" jumps to the kernel code part that removes the DF flag. Control is then transferred to the explorer code part whose purpose is to execute WriteProcessMemory, which overwrites the "atan" routine from ntdll.dll, and finally it jumps to the explorer.exe code (FFE0) that does "jmp eax" to the newly overwritten routine and finally executes the shellcode from (2).

Every function here, instead of a simple return, causes a new function to be executed, using specially selected functions and existing code parts. It is truly a masterpiece of engineering.

As an alternative way of injection you can take a look at Dofoil -> http://www.kernelmode.info/forum/viewto ... 552#p19552, it is a very simplified variant of the PL inject.

Posts moved.
 #19816  by rinn
 Wed Jun 26, 2013 2:46 am
EP_X0FF wrote:
rinn wrote:Well, for now everybody can build their own power loader from this source :)
I don't think so. It is just the Explorer exploit part from PL; well, there are many other exploits in this pack, even ransomware source. All this pack is a pack of 3rd party code. Since this code is easy to read, more clones will be created soon.
I thought so. Any idea who is behind Power Loader? :)

Best Regards,
-rin
 #19817  by EP_X0FF
 Wed Jun 26, 2013 3:16 am
rinn wrote:I thought so. Any idea who is behind Power Loader? :)
His nickname is blast. I believe he is from Ukraine. He was registered here from the beginning and he was a sysinternals reader too (sysinternals is the place where we started tdl3 tracking in 2009).

http://www.kernelmode.info/forum/member ... file&u=214

Probably he temporarily lost his password or access to his email and registered a second account

http://www.kernelmode.info/forum/member ... file&u=944

I was looking for him for a long period of time, starting from 2009 (he was one of the reasons why I still visit script-kiddie trash like wasm.ru), as he is one of a small group of people who write good-looking and working code with non-trivial solutions inside.

He was reversing Stuxnet exploits in Nov 2010 and... probably we helped him a bit. And in the next few weeks a new TDL3 dropper with a Stuxnet 2010-3888 rip-off was pushed to dropzones :)

He tried to get back to business in early 2013, selling the Shell_TrayWnd inject HIPS bypass method along with the PowerLoader bin/code itself.
Attachment: blast1.png
 #19837  by TouchMe
 Thu Jun 27, 2013 11:43 am
I'm not sure if this has been posted already: PowerLoader Shell_TrayWnd in the Carberp src: \source\BJWJ\source\Core\Inject.CPP :1109