I-Worm/Nuwar.W + Rustock.E Variant – Analysis
Steve sent me an interesting new malware sample classified as I-Worm/Nuwar.W. When I executed the file, it injected code into a system process, svchost.exe, and the machine started generating a lot of traffic to a randomly named domain (aaqarkznvb.com). Over the connections established with that domain, several files were downloaded and executed on my system (path | MD5):
C:\-24322245 | 444BCB3A3FCF8389296C49467F27E1D6
C:\psqrhqn.exe | 102FF59F4530E084005A2E04B768E9C1
C:\cvqkuk.exe | 102FF59F4530E084005A2E04B768E9C1
C:\ebafud.exe | 3A13D81D2B0F667BE96AD9567EDAFE0A
C:\nriljal.exe | 5293DB6EC3BB865DA8A2C25FD20897C7
C:\naxv.exe | 252EF354DADF254AF07ECD92AC0A31A8
An interesting file was also created in /system32/drivers/:
C:\WINDOWS\system32\drivers\aec.sys.bak
aec.sys is a Microsoft driver (Microsoft Acoustic Echo Canceller), and the malware seems to have made a backup copy of it (.bak extension), perhaps because it will later infect the original .SYS file!
Next, it created new files (path | MD5):
%User%\LOCALS~1\Temp\winlogin.exe | 17DC830917EABCF78514F559627102BC
%User%\LOCALS~1\Temp\2322862672.exe | 76DD26BBB2571997E0C0035A35A8F7C0
%User%\LOCALS~1\Temp\csrssc.exe | 76DD26BBB2571997E0C0035A35A8F7C0
Both winlogin.exe and csrssc.exe install code hooks (IAT modifications), as shown in the image below:
Finally, we can see that 3 drivers were created in the /system32/drivers/ folder:
C:\WINDOWS\system32\drivers\beep.sys.bak
C:\WINDOWS\system32\drivers\d521de.sys
C:\WINDOWS\system32\drivers\ethqksbi.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\drivers\aec.sys
Note that the malware created a copy of the driver as beep.sys.bak and then infected the original beep.sys with I-Worm/Nuwar.W! The file size now differs from the original: it is 55 KB. Any attempt to delete the drivers fails with an error; you cannot modify, change or delete any registry key related to the rootkit's drivers, nor the 2 .SYS files created by the rootkit. The rootkit also hides some TCP ports.
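The backup-then-overwrite pattern above gives a defender something concrete to check for: a `*.sys.bak` sitting next to a live driver that no longer matches it in size or hash. The following script is an added example, not code from the original post or from the malware author; it pairs every `.sys.bak` in a drivers directory with its live driver, reports divergence, and matches MD5s against the hashes quoted in the scan reports below. The directory layout it builds for the demo is constructed data, not the real samples.

```python
"""Added example (not from the original post): a defender-side check for the
tampering pattern described above. The rootkit left aec.sys.bak and
beep.sys.bak beside the drivers it overwrote, and the infected beep.sys no
longer matched the original in size. Pairing every *.sys.bak with its *.sys
and comparing size and MD5 surfaces that; the MD5s from the scan reports in
the post are matched as known-bad hashes along the way."""
import hashlib
import tempfile
from pathlib import Path

# MD5s taken from the scan reports in the post.
KNOWN_BAD_MD5 = {
    "9ECF2DDC3500B5212DC5DB7E7C17CE3E": "infected beep.sys (I-Worm/Nuwar.W)",
    "BA4423EF27AAA93B35A0AB1ED64F0383": "ethqksbi.sys (TR/Rootkit.Gen)",
    "404032043145EB962E62887ECD065327": "d521de.sys (Win32:Rootkit-gen)",
}


def md5_of(path):
    """Upper-case hex MD5 of a file, read in chunks so large drivers are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_drivers_dir(drivers_dir):
    """Return (finding, filename) tuples for the files in a drivers directory."""
    findings = []
    for entry in sorted(Path(drivers_dir).iterdir()):
        if not entry.is_file():
            continue
        digest = md5_of(entry)
        if digest in KNOWN_BAD_MD5:
            findings.append(("known-bad-hash: " + KNOWN_BAD_MD5[digest], entry.name))
        if entry.suffix.lower() != ".bak":
            continue
        live = entry.with_suffix("")  # beep.sys.bak -> beep.sys
        if not live.exists():
            findings.append(("backup-without-live-driver", entry.name))
        elif entry.stat().st_size != live.stat().st_size or digest != md5_of(live):
            # The live driver was replaced after the backup was taken.
            findings.append(("backup-differs-from-live-driver", live.name))
        else:
            findings.append(("backup-identical", live.name))
    return findings


def build_demo_dir():
    """Constructed sample data (not the real samples): a throwaway directory
    laid out like the infected drivers folder in the post."""
    d = Path(tempfile.mkdtemp(prefix="drivers_demo_"))
    clean_beep = b"MZ" + b"B" * 4094
    (d / "beep.sys.bak").write_bytes(clean_beep)                   # backup of the original
    (d / "beep.sys").write_bytes(b"MZ" + b"X" * (55 * 1024 - 2))    # replaced driver, now 55 KB
    clean_aec = b"MZ" + b"A" * 4094
    (d / "aec.sys.bak").write_bytes(clean_aec)
    (d / "aec.sys").write_bytes(clean_aec)                         # backup still matches the live file
    (d / "ethqksbi.sys").write_bytes(b"MZ" + b"E" * 1000)            # new driver with no backup
    return d


if __name__ == "__main__":
    for finding, name in check_drivers_dir(build_demo_dir()):
        print(f"{finding:35s} {name}")
```

Because the rootkit protects its files and registry keys while it is running, a check like this is only trustworthy when the drivers directory is examined offline (from a clean boot medium or a mounted image), not from inside the infected session.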
Report of the scan of the infected beep.sys:
Report Generated 23.11.2008 at 1.44.14 (GMT 1)
Filename: beep.sys
File size: 55 KB
MD5 Hash: 9ECF2DDC3500B5212DC5DB7E7C17CE3E
SHA1 Hash: 8B17BFC350914EA5F61F6FF9D9BDDECFCAA80A89
CRC32: 3119767162
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
Detection Rate: 2 on 24
Antivirus | Result
a-squared –
Avira AntiVir –
Avast –
AVG Virus identified I-Worm/Nuwar.W
BitDefender Trojan.Peed.Gen
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA –
IkarusT3 –
Kaspersky –
McAfee –
MHR –
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –
We can extract interesting strings from the infected beep.sys:
ZwOpenKey
ZwCreateKey
svchost.exe
ZwCreateEvent
TransportAddress
ConnectionContext
C:\progz\NewWork\driver\objfre\i386\driver.pdb
LoadLibraryA
GetProcAddress
SetEvent
Init
CreateThread
SleepEx
d521de
FATAL_UNHANDLED_HARD_ERROR
ntoskrnl.exe
\BaseNamedObjects\5B37FB3B-984D-1E57-FF38-AA681BE5C8D9
\registry\machine\system\CurrentControlSet\Services\%x
\SystemRoot\System32\drivers\%x.sys
\BaseNamedObjects\{60F9FCD0-8DD4-6453-E394-771298D2A471}
services.exe
\registry\machine\system\CurrentControlSet\Enum\Root\LEGACY_%ws
\SystemRoot\System32\ntdll.dll
%ws%ws
\Device\Tcp
svchost.exe
\SystemRoot\Temp\%u.tmp
.log
\registry\machine\system
\Device\Tcp
Again, we see this string:
C:\progz\NewWork\driver\objfre\i386\driver.pdb
which was present in the new Rootkit.Rustock.E variants. We can also see the reference to svchost.exe, the process into which the malware injects its code, and the reference to d521de, the other kernel driver installed by the rootkit.
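The strings above are what make the link to Rustock.E: a PDB build path, format-string registry and driver paths for a randomly named service, named kernel objects and \Device\Tcp. The script below is an added example, not code from the post or from the sample, showing how such strings are pulled from a binary (both ASCII and UTF-16LE, which is what kernel drivers typically use for paths) and how the indicator classes the post points at can be flagged automatically. The byte blob it runs on is constructed from the strings quoted in the post, not the real driver.

```python
"""Added example (not from the original post): extract printable ASCII and
UTF-16LE strings from a binary blob and flag the kinds of artefacts the post
highlights in the infected beep.sys."""
import re

# Six or more printable ASCII bytes, or six or more UTF-16LE code units of
# printable ASCII (each a printable byte followed by a NUL byte).
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Indicator classes drawn from the strings the post lists; first match wins.
INDICATORS = [
    ("pdb-build-path", re.compile(r"\.pdb$", re.I)),
    ("service-format-string", re.compile(r"CurrentControlSet\\Services\\%", re.I)),
    ("driver-format-string", re.compile(r"\\drivers\\%\w+\.sys", re.I)),
    ("legacy-enum-key", re.compile(r"Enum\\Root\\LEGACY_", re.I)),
    ("named-kernel-object", re.compile(r"^\\BaseNamedObjects\\", re.I)),
    ("tcp-device", re.compile(r"^\\Device\\Tcp$", re.I)),
    ("injection-target", re.compile(r"^(svchost|services)\.exe$", re.I)),
]


def extract_strings(blob):
    """Return (offset, encoding, text) tuples, sorted by offset."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(blob):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    found.sort()
    return found


def classify(strings):
    """Return (indicator, text) for every string that matches an indicator."""
    hits = []
    for _offset, _enc, text in strings:
        for label, rx in INDICATORS:
            if rx.search(text):
                hits.append((label, text))
                break
    return hits


# Constructed sample blob: a fake header, ASCII import names and the PDB path,
# then wide-string paths and object names exactly as quoted in the post.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"ZwOpenKey\x00ZwCreateKey\x00svchost.exe\x00"
    + b"C:\\progz\\NewWork\\driver\\objfre\\i386\\driver.pdb\x00"
    + b"\xcc" * 8
    + "\\BaseNamedObjects\\5B37FB3B-984D-1E57-FF38-AA681BE5C8D9".encode("utf-16-le") + b"\x00\x00"
    + "\\registry\\machine\\system\\CurrentControlSet\\Services\\%x".encode("utf-16-le") + b"\x00\x00"
    + "\\SystemRoot\\System32\\drivers\\%x.sys".encode("utf-16-le") + b"\x00\x00"
    + "\\Device\\Tcp".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE_BLOB)
    for offset, enc, text in strings:
        print(f"{offset:#06x} {enc:5s} {text}")
    print("--- indicators ---")
    for label, text in classify(strings):
        print(f"{label:22s} {text}")
```

The `%x` and `%ws` placeholders in the extracted paths are the tell: the driver builds its service and driver names at runtime, which is why the file names (d521de, ethqksbi) look random and why a hash or filename alone is a weak indicator compared with the build path and the object names.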
Report of the scan of ethqksbi.sys:
Report Generated 24.11.2008 at 2.35.54 (GMT 1)
Filename: ethqksbi.sys
File size: 131 KB
MD5 Hash: BA4423EF27AAA93B35A0AB1ED64F0383
SHA1 Hash: 866652B76C42E94DD38039B48203924A999B01CD
CRC32: 452990838
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 1 on 24
Antivirus | Result
a-squared –
Avira AntiVir TR/Rootkit.Gen
Avast –
AVG –
BitDefender –
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA –
IkarusT3 –
Kaspersky –
McAfee –
MHR –
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –
PE Import Tables:
ntoskrnl.exe
+DbgPrint
+ZwRestoreKey
+KeQueryTimeIncrement
+ObReferenceObjectByHandle
+_except_handler3
+ObLogSecurityDescriptor
+ExAllocatePoolWithTag
+wcsncpy
+FsRtlInitializeOplock
+ZwPulseEvent
+KeTickCount
+strncmp
+MmMapLockedPagesSpecifyCache
+KeBugCheckEx
+ExIsResourceAcquiredExclusiveLite
+RtlAddAce
+ZwQueryDefaultUILanguage
+ZwQuerySystemInformation
+ExAllocatePoolWithQuota
+strstr
+ExFreePoolWithTag
+ObfReferenceObject
+RtlAnsiCharToUnicodeChar
+strncpy
+IoGetCurrentProcess
Report of the scan of d521de.sys:
Report Generated 24.11.2008 at 2.35.54 (GMT 1)
Filename: d521de_sys
File size: 98 KB
MD5 Hash: 404032043145EB962E62887ECD065327
SHA1 Hash: F40F270F000709AF807F5155685C29AB333CF882
CRC32: 1053342703
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 5 on 24
Antivirus | Result
a-squared –
Avira AntiVir TR/Rootkit.Gen
Avast Win32:Rootkit-gen [Rtk] (0)
AVG Virus identified I-Worm/Nuwar.W
BitDefender –
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA Win32:Rootkit-gen [Rtk] B
IkarusT3 –
Kaspersky –
McAfee –
MHR –
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 Malware-Cryptor.Win32.General.3
VirusBuster –
PE Import Tables:
ntoskrnl.exe
+IoDeleteDevice
+KeSetEvent
+KeInitializeMutex
+IoFreeIrp
+IoAllocateIrp
+ObfReferenceObject
+KeInitializeEvent
+IoAttachDevice
+ObfDereferenceObject
+ExFreePoolWithTag
+IoAllocateMdl
+memcpy
+IoFreeWorkItem
+IofCallDriver
+KeWaitForSingleObject
HAL.dll
+ExAcquireFastMutex
+ExReleaseFastMutex
Below are some images of the infection (captions):
Browser Helper Objects
Message Hooks
SSDT Hooks
Beep.SYS infected and Ntfs.sys Hooks
Unknown IRP Handler
Tcpip.sys Hooks
Stealth Code
Registry Startup Keys
Other Code Hooks
Regedit is disabled