Friday, August 21, 2009

W32/Conficker: A General Analysis [Updated]

A few months ago my computer was infected with the Conficker worm. There are approximately five variants of the Conficker worm, and my computer was infected with one of them, but in this post I have mixed together the characteristics of all of its variants.

Damage:-
By January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. The worm uses a combination of advanced malware techniques that has made it difficult to counter, and it has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.
After the infection I observed several different things; let's discuss those.

Aliases
* Worm:Win32/Conficker.A (Microsoft)
* Crypt.AVL (AVG)
* Mal/Conficker-A (Sophos)
* Trojan.Win32.Pakes.lxf (F-Secure)
* Trojan.Win32.Pakes.lxf (Kaspersky)
* W32.Downadup (Symantec)
* Worm:Win32/Conficker.B (Microsoft)
* WORM_DOWNAD.A (Trend Micro)

Symptoms of a Conficker infection include the following:
  • Access to security-related sites is blocked
  • User accounts are locked out of Active Directory (the worm's password guessing trips the account lockout policy)
  • Traffic is sent through port 445 on servers that are not Directory Service (DS) servers
  • Access to administrative shares (ADMIN$, C$ and so on) is denied
  • Autorun.inf files are placed in the RECYCLER (Recycle Bin) directory
Observations:

  • The first interesting thing I observed about Conficker is that it restricts access to security sites without modifying the hosts file.
  • It injects itself into svchost.exe, a running system process, so terminating and deleting the file is very difficult for users.
  • The autorun.inf file used by the Conficker worm was very different from a traditional autorun.inf, because a lot of garbage was added to it.

  • The option "Open folder to view files" -- Publisher not specified was added by the worm. This window opens whenever the pen drive is inserted.

  • The extension of the file I observed was .vmx. Click the image to see it clearly.

  • If your pen drive is infected with Conficker, it will infect your PC simply by being plugged in before the PC starts. This is my personal experience: my computer was getting infected again and again after cleaning the worm, because my pen drive always remained plugged into the PC. Then I formatted the pen drive and rescanned the whole PC, and the problem was solved.
  • It isolates itself in locations of this kind on each drive, I:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665, to make detection by the user difficult.
  • The first variant of the Conficker worm downloaded a GeoIP database file from a third-party website in order to geolocate the addresses it targets (the worm avoids infecting hosts in Ukraine; it also checks for a Ukrainian keyboard layout). When the owner of that website removed the file, the worm had a much tougher time working out where a target was. The second variant, seen in late December 2008, solved the GeoIP problem by embedding the data in the worm itself.

  • It changes the PC's settings so that hidden files are not shown, opens a port in the firewall, and disables Automatic Updates.
  • A deep scan of the worm file showed which compiler it was built with (results of the file scan):

    File Name: jwgkvsq.vmx
    Number of Matching Signatures: 7
    Deep Scan: Yes
    Best Match: Microsoft Visual C++ 6.0 DLL

    All Matches:
    Signature: Microsoft Visual C++ 6.0 DLL
    Matches: 63
    Signature: Microsoft Visual C++ 6.0
    Matches: 18
    Signature: Microsoft Visual C++ 6.0 DLL (Debug)
    Matches: 18
    Signature: Armadillo v1.xx - v2.xx
    Matches: 17
    Signature: Microsoft Visual C++ v6.0 DLL
    Matches: 11
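The padded autorun.inf and the fake "Open folder to view files" prompt described above are worth looking at with a parser rather than by eye. The Python below is an added example for this post, not code from the original; it reads an autorun.inf the way the tolerant Windows INI reader does, drops the junk lines, and reports the indicators described here: an Action= string that imitates the Windows prompt, a shellexecute= (or open=) line that runs rundll32 on a file under a RECYCLER\S-... path, and a payload with a non-executable extension such as .vmx. The sample file is constructed for the example and its rundll32 export name is made up.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the structure described in this post:
# junk lines interleaved with the few keys Windows actually honours.
# The rundll32 export name "runme" is made up; only the path shape matters.
SAMPLE_AUTORUN = (
    b"[Autorun]\n"
    b"\x01\x9f\xb7 garbage that is not key=value \xfe\xff\n"
    b";a comment, also ignored by Windows\n"
    b"Action=Open folder to view files\n"
    b"\x00\x00\x00more binary padding\x00\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\n"
    b"shellexecute=RunDLL32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-"
    b"879315005-3665\\jwgkvsq.vmx,runme\n"
    b"useautoplay=1\n"
)

KEY_RE = re.compile(rb"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
RECYCLER_RE = re.compile(r"recycler[\\/]s-\d+(?:-\d+)+[\\/]", re.IGNORECASE)
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def parse_autorun(raw: bytes) -> Dict[str, str]:
    """Return the key=value pairs inside the [autorun] section.

    Mirrors the tolerant behaviour of the Windows INI reader: lines that are
    not key=value, comments and binary junk are skipped, keys are
    case-insensitive, and a later duplicate key does not override the first.
    """
    keys: Dict[str, str] = {}
    in_section = False
    for line in raw.splitlines():
        stripped = line.strip()
        if stripped.startswith(b"[") and stripped.endswith(b"]"):
            in_section = stripped[1:-1].strip().lower() == b"autorun"
            continue
        if not in_section or stripped.startswith(b";"):
            continue
        m = KEY_RE.match(line)
        if m is None:
            continue  # junk line: Windows ignores it, so do we
        keys.setdefault(m.group(1).decode("ascii").lower(),
                        m.group(2).decode("latin-1"))
    return keys


def count_junk_lines(raw: bytes) -> int:
    """Non-empty lines that are neither a section header, a comment nor key=value."""
    return sum(
        1 for line in raw.splitlines()
        if line.strip() and not line.strip().startswith((b"[", b";"))
        and KEY_RE.match(line) is None
    )


def triage_autorun(raw: bytes) -> List[str]:
    """Return human-readable indicators found in an autorun.inf."""
    keys = parse_autorun(raw)
    findings: List[str] = []
    junk = count_junk_lines(raw)
    if junk:
        findings.append(f"{junk} junk line(s) padding the file")
    if "open folder" in keys.get("action", "").lower():
        findings.append("action= imitates the Windows 'Open folder to view files' prompt")
    for key in ("shellexecute", "open"):
        cmd = keys.get(key, "")
        if not cmd:
            continue
        if "rundll32" in cmd.lower():
            findings.append(f"{key}= launches a DLL through rundll32")
        if RECYCLER_RE.search(cmd):
            findings.append(f"{key}= points into a RECYCLER\\S-... directory")
        # the program is the last token before any rundll32 ",export" suffix
        target = cmd.split(",", 1)[0].split()[-1].lower()
        ext = "." + target.rsplit(".", 1)[1] if "." in target else ""
        if ext and ext not in EXEC_EXT:
            findings.append(f"{key}= runs a file with non-executable extension {ext}")
    return findings
```

Run triage_autorun() over the autorun.inf from a suspect drive; an empty list means nothing in the file matched these indicators, which is not the same as the drive being clean, since the payload itself is not inspected.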
  • On the source computer, the worm runs an HTTP server on a random port between 1024 and 10000; the shellcode on the target connects back to this HTTP server to download a copy of the worm as a DLL, which it then loads into svchost.exe.
  • Heuristically identified capability of spreading across the following weakly restricted network shares:
ADMIN$
C$
D$
E$
IPC$

  • Network replication uses a dictionary attack, probing credentials from the following list:
00000
000000
00000000
111111
11111111
123123
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
54321
654321
88888888
abc123
academia
admin
admin$
admin123
administrator
admins
america
anchor
anything
april
arrow
artist
asdfgh
basic
changeme
cluster
codeword
coffee
compaq
cookie
country
dirty
discovery
drive
edition
email
england
english
forever
france
freedom
french
ghost
guest
ihavenopass
india
input
japan
julie
killer
letmein
logout
macintosh
master
modem
monday
mouse
mypass
mypc123
network
nobody
pass123
password1
password123
phone
phrase
printer
private
pw123
record
right
saturday
script
simple
slave
student
superuser
switch
target
temp123
test123
thailand
user1
video
virus
xxxxx
xxxxxx
xxxxxxxx
xxxxxxxxx

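On the target side, the share spreading described above (ADMIN$, C$, IPC$ probed with that password list) shows up in the Security event log as a burst of failed network logons (Event ID 4625, logon type 3) from one source against many different accounts, often followed by account lockouts (Event ID 4740). The following Python is an added example and not part of the original post: it runs that detection over a few constructed log lines in a simplified one-event-per-line form. The host names, addresses, time window and threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample, one event per line, in a simplified form of the fields a
# Windows Security log carries (timestamp, EventID, LogonType, account, source).
# Hosts and addresses are made up for the example.
SAMPLE_EVENTS = """\
2009-08-21 10:00:01 EventID=4625 LogonType=3 Account=administrator Src=10.0.0.7
2009-08-21 10:00:01 EventID=4625 LogonType=3 Account=guest Src=10.0.0.7
2009-08-21 10:00:02 EventID=4625 LogonType=3 Account=jsmith Src=10.0.0.7
2009-08-21 10:00:02 EventID=4625 LogonType=3 Account=backup Src=10.0.0.7
2009-08-21 10:00:03 EventID=4625 LogonType=3 Account=jdoe Src=10.0.0.7
2009-08-21 10:00:03 EventID=4625 LogonType=3 Account=svc_sql Src=10.0.0.7
2009-08-21 10:00:04 EventID=4740 LogonType=- Account=jsmith Src=10.0.0.7
2009-08-21 10:00:09 EventID=4625 LogonType=2 Account=jdoe Src=10.0.0.22
2009-08-21 10:15:00 EventID=4625 LogonType=3 Account=jdoe Src=10.0.0.22
2009-08-21 10:00:05 EventID=4624 LogonType=3 Account=jdoe Src=10.0.0.9
"""


def parse_event(line: str) -> Dict[str, object]:
    """Split one log line into a dict; the timestamp is parsed into 'ts'."""
    date, time, *fields = line.split()
    ev: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ev


def detect_share_bruteforce(log: str, window: timedelta = timedelta(minutes=1),
                            min_accounts: int = 5) -> List[Tuple[str, int, int]]:
    """Flag sources whose failed network logons (4625, logon type 3) hit at
    least `min_accounts` distinct accounts within `window`, and count the
    lockouts (4740) attributed to that source.

    Returns (source, distinct accounts in the busiest window, lockouts).
    Interactive failures (logon type 2) are ignored: a user mistyping a
    password at the console is not a share-spreading worm.
    """
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    lockouts: Dict[str, int] = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["EventID"] == "4625" and ev["LogonType"] == "3":
            failures[str(ev["Src"])].append((ev["ts"], str(ev["Account"]).lower()))
        elif ev["EventID"] == "4740":
            lockouts[str(ev["Src"])] += 1

    hits: List[Tuple[str, int, int]] = []
    for src, events in failures.items():
        events.sort()
        start, best = 0, 0
        # sliding window over this source's failures, sorted by time
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({acct for _, acct in events[start:end + 1]}))
        if best >= min_accounts:
            hits.append((src, best, lockouts[src]))
    return hits
```

Tune min_accounts to the environment: a backup host that legitimately authenticates to many machines will not trip this, because the rule keys on many distinct accounts from one source, not many hosts.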
  • It terminates any process whose name contains one of the following strings:
* wireshark
* unlocker
* tcpview
* sysclean
* scct_
* regmon
* procmon
* procexp
* ms08-06
* mrtstub
* mrt.
* mbsa.
* klwk
* kido
* kb958
* kb890
* hotfix
* gmer
* filemon
* downad
* confick
* avenger
* autoruns
  • To block users' access to security-related domains, it prevents network access to any domain containing one of the following strings:
* windowsupdate
* wilderssecurity
* virus
* virscan
* trojan
* trendmicro
* threatexpert
* threat
* technet
* symantec
* sunbelt
* spyware
* spamhaus
* sophos
* secureworks
* securecomputing
* safety.live
* rootkit
* rising
* removal
* quickheal
* ptsecurity
* prevx
* pctools
* panda
* onecare
* norton
* norman
* nod32
* networkassociates
* mtc.sri
* msmvps
* msftncsi
* mirage
* microsoft
* mcafee
* malware
* kaspersky
* k7computing
* jotti
* ikarus
* hauri
* hacksoft
* hackerwatch
* grisoft
* gdata
* freeav
* free-av
* fortinet
* f-secure
* f-prot
* ewido
* etrust
* eset
* esafe
* emsisoft
* dslreports
* drweb
* defender
* cyber-ta
* cpsecure
* conficker
* computerassociates
* comodo
* clamav
* centralcommand
* ccollomb
* castlecops
* bothunter
* avira
* avgate
* avast
* arcabit
* antivir
* anti-
* ahnlab
* agnitum
  • Scheduled tasks have been seen created on the system to reactivate the worm.
  • Message shown when loading the worm DLL in OllyDbg 1.10:
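Two of the observations above belong together: the worm blocks the security-related domains listed here without touching the hosts file. The Conficker Working Group's "eye chart" test was built on exactly that behaviour: a host that can reach neutral sites but none of the vendor sites is probably running the worm's in-process DNS filter. The Python below is an added example, not code from the original post or from the working group: it applies the worm's substring rule, runs the eye-chart comparison through a pluggable resolver so it can be exercised offline against a simulated infected host, and parses the hosts file to tell blocking caused by a hosts entry apart from blocking caused by an in-memory hook. The control domains and the simulated resolver are assumptions for the example.

```python
import socket
from typing import Callable, Dict, List

# Subset of the substring blocklist reported for the worm (see the list above).
BLOCKED_SUBSTRINGS = ["microsoft", "symantec", "mcafee", "kaspersky", "f-secure",
                      "sophos", "trendmicro", "eset", "avira", "conficker"]

# Vendor names the worm blocks versus control names it does not touch.
# The control names are assumptions for this example.
VENDOR_SITES = ["www.microsoft.com", "www.symantec.com", "www.mcafee.com",
                "www.kaspersky.com", "www.f-secure.com", "www.sophos.com"]
CONTROL_SITES = ["www.example.com", "www.example.org"]

Resolver = Callable[[str], bool]


def worm_would_block(hostname: str) -> bool:
    """The worm's rule as described above: any listed substring anywhere in the name."""
    h = hostname.lower()
    return any(s in h for s in BLOCKED_SUBSTRINGS)


def system_resolver(hostname: str) -> bool:
    """Real resolver: True if this host can resolve the name (needs network)."""
    try:
        socket.gethostbyname(hostname)
        return True
    except OSError:
        return False


def simulated_infected_resolver(hostname: str) -> bool:
    """Constructed stand-in for an infected host: everything resolves except
    the names the worm's substring filter catches."""
    return not worm_would_block(hostname)


def eye_chart(resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Resolve vendor and control names and classify the outcome.

    clean      - everything resolves
    offline    - the control names fail too, so nothing can be concluded
    partial    - some vendor names fail (ordinary DNS trouble, or a partial block)
    suspicious - control names resolve but every vendor name fails: the
                 pattern of a selective, in-process DNS hook
    """
    vendor_ok = {h: resolve(h) for h in VENDOR_SITES}
    control_ok = {h: resolve(h) for h in CONTROL_SITES}
    failed = [h for h, ok in vendor_ok.items() if not ok]
    if not any(control_ok.values()):
        verdict = "offline"
    elif len(failed) == len(vendor_ok):
        verdict = "suspicious"
    elif failed:
        verdict = "partial"
    else:
        verdict = "clean"
    return {"verdict": verdict, "failed": failed}


def hosts_file_entries(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {name: address}, ignoring comments and blanks."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries[name.lower()] = addr
    return entries


def classify_blocking(resolve: Resolver, hosts_text: str) -> Dict[str, object]:
    """Run the eye chart, then say which failures a hosts-file entry explains.
    Failures that remain must come from somewhere else, such as the in-memory
    hook this post describes."""
    result = eye_chart(resolve)
    pinned = hosts_file_entries(hosts_text)
    failed: List[str] = result["failed"]  # type: ignore[assignment]
    explained = [h for h in failed if pinned.get(h) in ("127.0.0.1", "0.0.0.0", "::1")]
    result["explained_by_hosts_file"] = explained
    result["unexplained"] = [h for h in failed if h not in explained]
    return result
```

On a live machine call classify_blocking(system_resolver, open(r"C:\Windows\System32\drivers\etc\hosts").read()); a "suspicious" verdict with an empty explained_by_hosts_file list is the signature this post describes, since a hosts file cannot produce it.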

Removal:-
Thanks to the Microsoft removal tools, which solved the problem. For further info see my post "Malware removal tools".
-----
ExtremeVoltages
"We start from there, where other ends."

Thursday, August 20, 2009

W32/Induc Abuses Delphi Compiler

The W32/Induc virus has been in the wild for at least a year. During this period it has succeeded in infecting a lot of Delphi installations, including those of the makers of some pretty popular software packages.

On a victim's machine this virus searches for the presence of a specific version (4.0, 5.0, 6.0 or 7.0) of the Delphi compiler. The virus gathers this information from the registry entry below.

If it finds one of these versions, the virus inserts its code into the file SysConst.pas, which is present in x.0\Source\rtl\sys. The virus renames the current SysConst.dcu, present under the Delphi library folders, to SysConst.bak. The SysConst.pas file containing the viral code, like the one shown below, is compiled using the Delphi command-line compiler dcc32.exe to create an infected SysConst.dcu. The original SysConst.pas file is then deleted.

This virus does not have a malicious payload. It just spreads through the compiled executables: every program built with an infected compiler links in the trojanized SysConst unit and carries the virus on.
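As an added check, not part of the original post, here is a Python script that looks for the traces of that procedure on disk: a SysConst.bak lying next to the library SysConst.dcu, a SysConst.pas missing from Source\rtl\sys, and optionally a SysConst.dcu whose hash differs from a known-good copy. It takes the Delphi root directory as an argument instead of reading the registry entry referred to above, assumes the compiled units live in a Lib directory under each version (an assumption; the post only says "the Delphi library folders"), and includes a helper that builds a constructed sample tree so the check can be run without a Delphi installation.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TARGET_VERSIONS = ("4.0", "5.0", "6.0", "7.0")      # the versions the post lists
LIB_DIR = "Lib"                                     # assumption: where SysConst.dcu lives
SOURCE_DIR = os.path.join("Source", "rtl", "sys")   # from the post


@dataclass
class InducFindings:
    version: str
    bak_present: bool            # SysConst.bak next to SysConst.dcu
    source_pas_missing: bool     # SysConst.pas gone from Source\rtl\sys
    dcu_sha256: Optional[str]    # hash of SysConst.dcu, for comparison
    notes: List[str] = field(default_factory=list)


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 of a file, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_delphi_root(root: str, known_good_dcu: Optional[str] = None) -> List[InducFindings]:
    """Inspect <root>/<version>/Lib and Source/rtl/sys for each targeted version.

    `known_good_dcu` is the SHA-256 of a clean SysConst.dcu for that build if
    the operator has one; the post gives no reference hash, so it is optional.
    """
    results: List[InducFindings] = []
    for ver in TARGET_VERSIONS:
        base = os.path.join(root, ver)
        if not os.path.isdir(base):
            continue
        lib = os.path.join(base, LIB_DIR)
        bak = os.path.isfile(os.path.join(lib, "SysConst.bak"))
        pas_missing = not os.path.isfile(os.path.join(base, SOURCE_DIR, "SysConst.pas"))
        dcu_hash = sha256_of(os.path.join(lib, "SysConst.dcu"))
        f = InducFindings(ver, bak, pas_missing, dcu_hash)
        if bak:
            f.notes.append("SysConst.bak present: the original unit was renamed aside")
        if pas_missing:
            f.notes.append("SysConst.pas missing from Source\\rtl\\sys")
        if known_good_dcu and dcu_hash and dcu_hash != known_good_dcu:
            f.notes.append("SysConst.dcu does not match the known-good hash")
        results.append(f)
    return results


def is_suspicious(findings: List[InducFindings]) -> bool:
    return any(f.notes for f in findings)


def build_sample_tree() -> Tuple[str, str]:
    """Create a constructed Delphi-like tree in a temp dir: a clean 6.0 and an
    infected-looking 7.0. Returns (root, SHA-256 of the clean SysConst.dcu).
    File contents are placeholders, not real compiled units."""
    root = tempfile.mkdtemp(prefix="delphi-")
    for ver, infected in (("6.0", False), ("7.0", True)):
        lib = os.path.join(root, ver, LIB_DIR)
        src = os.path.join(root, ver, SOURCE_DIR)
        os.makedirs(lib)
        os.makedirs(src)
        with open(os.path.join(lib, "SysConst.dcu"), "wb") as f:
            f.write(b"trojanized unit" if infected else b"clean unit")
        if infected:
            with open(os.path.join(lib, "SysConst.bak"), "wb") as f:
                f.write(b"clean unit")
        else:
            with open(os.path.join(src, "SysConst.pas"), "w") as f:
                f.write("unit SysConst;\n")
    return root, hashlib.sha256(b"clean unit").hexdigest()
```

On a real installation run check_delphi_root(r"C:\Program Files\Borland\Delphi") and treat any note as a reason to rebuild SysConst.dcu from clean sources and to rescan everything compiled since.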

Sunday, August 9, 2009

A Technique Used by Antivirus Programs

In the past, when a virus was released it was typically detected by antivirus experts only after 15-30 days. By then the virus had done enough damage to millions of users, as with the "I Love You" worm. So antivirus vendors started using a new technique.

With this technique, when a file performs suspicious activity on the computer, the AV program does not take any action but keeps an eye on that file. Then, when you update your antivirus, these files are sent to the security experts of the antivirus vendor you are using. Sometimes you have to submit the files manually, by selecting the suspicious files and clicking "Submit" (an option in the antivirus program). Malware analysts analyze the file and, if it is a virus, create signatures for it. This way a virus is caught within 3-4 days and less damage is done.

Antivirus Using these Technique:-
Maybe some other antivirus vendors also use this technique, but these are the ones I know of.
  • Eset Nod32 (Threat Sense Engine)
  • Bitdefender 10
  • Norton Antivirus 2009

So this is bad news for malware writers, but to counter it many malware writers try to delete and disable antivirus programs. A simple example is Avkiller.Trojan. Let's discuss this Trojan a little more.
--------------------------------------------------------------

Avkiller.Trojan is written in Delphi. It is usually UPX packed; the unpacked size is approximately 34 KB. So that it starts every time the PC starts, it adds the value

MSWindows C:\windows\spool16.exe

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
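A Run-key value pointing at a bare executable dropped straight into C:\windows, as above, is the kind of thing a quick audit of an exported registry key should catch. The Python below is an added example and not code from the original post: it parses a .reg export (the format `reg export` writes) of the Run keys and flags values whose program sits directly in the Windows directory or is named without any path at all. The .reg sample is constructed for the example, and its non-malicious entries are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export in the format `reg export` writes, carrying the value
# this post attributes to Avkiller.Trojan plus two made-up ordinary entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSWindows"="C:\\windows\\spool16.exe"
"VTTimer"="VTTimer.exe"
"egui"="\"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe\" /hide"
"""

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
WINDOWS_DIRS = ("c:\\windows", "c:\\winnt")


def unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ for a backslash, \\" for a quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def executable_path(command: str) -> str:
    """Program path from a Run value: the quoted part, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_run_entries(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for autostart entries that look out of
    place: an executable dropped directly into the Windows directory, or a
    program named without any path (resolved through the search path)."""
    flagged: List[Tuple[str, str, List[str]]] = []
    for key, values in parse_reg(text).items():
        if key not in RUN_KEYS:
            continue
        for name, data in values.items():
            path = executable_path(data)
            low = path.lower().replace("/", "\\")
            reasons: List[str] = []
            if "\\" not in low:
                reasons.append("no directory given; resolved via the search path at logon")
            elif low.rsplit("\\", 1)[0] in WINDOWS_DIRS:
                reasons.append("executable placed directly in the Windows directory")
            if reasons:
                flagged.append((name, path, reasons))
    return flagged
```

Feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`; anything flagged deserves a look at the file's publisher and hash before it is allowed to keep starting with Windows.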

This Trojan horse also terminates antivirus and firewall programs and services, for example:
  • Zonealarm.exe
  • Zapro.exe
  • Vsmon
  • Minilog
  • Minilog.exe
  • Vsmon.exe
  • Svw3
  • Blackice
  • Blackd.exe
  • Blackice.exe
  • Nisum
  • Nisserv
  • Nisum.exe
  • Nisserv.exe
  • Nmain.exe
  • Iamapp.exe
  • Iamserv.exe
  • Frw.exe
  • Persfw.exe
  • Lockdown.exe
  • Lockdown2000.exe
  • Sphinx.exe
  • Nprotect.exe
  • Ndd32.exe
  • Smc.exe
  • Netutils.exe
  • Ldnetmon.exe
  • Portmonitor.exe
  • Connectionmonitor.exe
  • Cpd.exe
  • Defwatch.exe
  • Rtvscn95.exe
  • Vpc32.exe
  • Vptray.exe
  • Poproxy.exe
  • _Avp32.exe
  • _Avpcc.exe
  • _Avpm.exe
  • Avpcc.exe
  • Avpm.exe
  • Avp.exe
  • Nav Alert
  • Nav Auto-Protect
  • Navapw32.exe
  • Alertsvc.exe
  • Navapsvc.exe
  • Navlu32.exe
  • Navw32.exe
  • Sweepnet
  • Sweepsrv.Sys
  • Swnetsup.exe
  • Icload95.exe
  • Icmon.exe
  • Icsupp95.exe
  • Icloadnt.exe
  • Icsuppnt.exe
  • Iface.exe
  • Ants.exe
  • Anti-Trojan.exe
  • Wrctrl.exe
  • Wradmin.exe
  • Cleaner3.exe
  • Cleaner.exe
  • Tc.exe
  • Tca.exe
  • Tcm.exe
  • Moolive.exe
  • Mcshield
  • Avsynmgr
  • Mcshield.exe
  • Vshwin32.exe
  • Vsmain.exe
  • Scan32.exe
  • Scrscan.exe
  • Alogserv.exe
  • Vsecomr.exe
  • Webscanx.exe
  • Avconsol.exe
  • Vsstat.exe
  • Avxw.exe
  • Avxmonitornt.exe
  • Avxmonitor9x.exe
  • Avxquar.exe.exe
  • Amon9x.exe
  • Avgserv
  • Avgserv.exe
  • Avgw.exe
  • Avgcc32.exe
  • Iomon98.exe
  • Webtrap.exe
  • Pccwin98.exe
  • Pcciomon.exe
  • Pop3trap.exe
  • Tds-3.exe
  • Ss3edit.exe
  • Doors.exe
  • Jedi.exe
  • Monitor.exe
  • Rav7win.exe
  • Rav7.exe
  • Sweep95.exe
  • Mcagent.exe
  • Mcupdate.exe
  • Claw95.exe
  • Claw95cf.exe
  • Normist.exe
  • Nvc95.exe
  • Vet95.exe
  • Vettray.exe
  • Autodown.exe
  • Rescue.exe
  • Avkserv.exe
  • Ackwin32.exe
  • Dvp95.exe
  • Dvp95_0.exe
  • F-Agnt95.exe
  • F-Prot95.exe
  • Expert.exe
  • Fp-Win.exe
  • F-Stopw.exe
  • Vir-Help.exe
  • F-Prot.exe
  • Spyxx.exe
  • Atwatch.exe
  • Atupdater.exe
  • Atcon.exe
  • Pview95.exe
  • Wgfe95.exe
  • Avgctrl.exe
  • Ldpromenu.exe
  • Ldscan.exe
  • Generics.exe
  • Processmonitor.exe
  • Programauditor.exe
  • Avsynmgr.exe
  • Guard.exe
  • Tfak.exe
  • Luall.exe
  • Lucomserver.exe
  • Trjscan.exe
  • Regrun2.exe
  • Navapsvc
  • Symproxysvc.exe
  • Neowatchtray.exe
  • Netstat.exe
  • Regedit.exe
  • Regedit95.exe
  • egui.exe
So always run a good antivirus program to keep your PC safe from malware, before it gets infected.

Tuesday, August 4, 2009

Block Diagram of Cracking

The Risk:-
When an application is created, the compiler compiles the application source code into several object files made of machine code. Then the object files are linked together to create the final executable. But as you can see, the file is unprotected and can easily be cracked.

Disassembler or decompiler: In the same way that the source code of an application is converted into machine code at compile time, there are tools that can convert a compiled application back into assembly language or a higher-level programming language. These tools are known as disassemblers and decompilers.

An attacker can use a disassembler or decompiler to study how a specific application works and what a specific routine does. Once the attacker has a good understanding of the target application, he can modify the compiled application to alter its behavior. For example, the attacker could bypass the routine that checks the trial period in an application and make it run forever or, even worse, make the application behave as if it were registered.

Software Protectors:-
Software protectors are created to keep an attacker away from directly inspecting or modifying a compiled application. A software protector is like a shield that keeps an application encrypted and protected against possible attacks.

Advantages of using a Software Protector are:
  1. Protect an application against piracy.
  2. Prevents attackers from studying how an application is implemented.
  3. Will not allow attackers to modify an application to change its behavior.
The Weakness:-
Since software protectors appeared, many attackers have centered most of their efforts on attacking the software protectors themselves instead of the applications. Many tools have been developed to aid in attacking software protectors. These attacks often result in the attacker obtaining the original application, decrypted and with the protection wrapper removed.

The main problem with software protectors is that they use protection techniques very well known by crackers, so they can be easily bypassed with traditional cracking tools.

More Effective Solutions:-
A few more protections can be added to make the file safer, such as garbage code and a thread engine.
Garbage Code:-
Garbage code should be mixed with the real code in an algorithm. After doing so, an attacker is forced to deal with lots of garbage code when trying to study a specific routine. For example, if an attacker views a disassembled application, they will have to study 8,000 instructions instead of the original 1,000 instructions.

Some software protectors use this technique but use a restricted set of garbage code to be mixed with the real code, so an attacker can easily differentiate which code is real and which is not. The garbage code should be like the real code to make cracking difficult.

Click the image to see it clearly.

Secure Entry Point:-
When an application is protected, the protector removes the application's entry point, the first instructions executed in the application, and overwrites them with garbage code. If an attacker finds the application's entry point, he will only get garbage code.
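The entry point and the sections around it are also where an analyst starts when deciding whether a binary has been through a protector. As an added example for this section, not code from the original post or from any protector, the Python below parses the PE headers of an image, finds the section that contains AddressOfEntryPoint, measures that section's byte entropy and checks its flags, and reports the usual marks of a protected or packed file: an entry point outside the normal code section, a near-random section (encrypted code) and a section that is both writable and executable (the stub unpacks in place). It builds its own minimal PE32 images, which are constructed for the example and are not runnable programs.

```python
import math
import random
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
NORMAL_CODE_SECTIONS = (".text", "CODE")   # MSVC and Delphi/Borland names


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_offset: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section headers) of a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # same offset in PE32 and PE32+
    sections: List[Section] = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, roff, rsize, chars))
    return entry_rva, sections


def entry_point_report(image: bytes) -> Dict[str, object]:
    """Locate the entry point's section and flag the marks of a protector."""
    entry_rva, sections = parse_pe(image)
    sec = next((s for s in sections if s.contains_rva(entry_rva)), None)
    flags: List[str] = []
    report: Dict[str, object] = {"entry_rva": entry_rva, "flags": flags,
                                 "entry_section": sec.name if sec else None}
    if sec is None:
        flags.append("entry point outside every section")
        return report
    entropy = shannon_entropy(image[sec.raw_offset:sec.raw_offset + sec.raw_size])
    report["entry_section_entropy"] = round(entropy, 2)
    if sec.name not in NORMAL_CODE_SECTIONS:
        flags.append(f"entry point in non-standard section {sec.name!r}")
    if entropy > 7.0:
        flags.append("entry section is high-entropy (encrypted or compressed code)")
    if sec.characteristics & IMAGE_SCN_MEM_WRITE and sec.characteristics & IMAGE_SCN_MEM_EXECUTE:
        flags.append("entry section is writable and executable (unpacks in place)")
    return report


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 image (headers valid enough to parse, not a
    runnable program): a repetitive .text section and a random-looking .stub
    section. `packed` moves the entry point into .stub, as a protector would."""
    rnd = random.Random(1)
    text = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3, 0x90] * 64)  # 512 bytes
    stub = bytes(rnd.getrandbits(8) for _ in range(1024))                 # 1024 bytes
    sections = [(b".text", 0x1000, len(text), 0x200, 0x60000020),          # CODE|X|R
                (b".stub", 0x2000, len(stub), 0x400, 0xE0000020)]          # CODE|X|R|W
    entry = 0x2000 if packed else 0x1000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    for name, va, size, roff, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, size, va, size, roff, 0, 0, 0, 0, chars)
    return headers.ljust(0x200, b"\0") + text + stub           # raw data at 0x200 / 0x400
```

Entropy alone is a heuristic: compressed resources and certificate tables also score high, which is why the report ties it to the section that actually owns the entry point rather than to the file as a whole.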

Monitor Blocker:-
Most current protectors offer techniques for detecting file or registry monitors, such as finding a specific window class name registered in the system or detecting a specific executable running in memory. An attacker can easily bypass these techniques if he has custom file or registry monitors. A protected application should show a message like this if a monitoring program is found in memory.

Thread Engine:-
ThreadEngine is a powerful technique that supervises and protects an application at runtime. ThreadEngine is composed of a "web" of threads that work cooperatively with the protected application's threads as a single unit. If an attacker tampers with a thread, a neighboring thread reports an alert to the rest of the threads, which then exit the application from memory or execute a custom routine to stop the attacker.

Only a few software protectors use a similar technique, but they do not use a strong communication protocol between each thread and the protected application threads. In this scenario, each thread runs independently making it easy for an attacker to attack each thread to bypass this protection technique.


Anti Dumping:-
Most of the current software protectors use very weak techniques against memory dumpers such as destroying the executable header at runtime. These techniques can easily be bypassed with newer dumping tools.

Non-protected application image.

Protected application image.

For more info read my post "Importance of File Packers".
For more info read my post "Cracking and how to defend it Part I".
For more info read my post "Cracking and how to defend it Part II".