Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: An inside look at a targeted attack - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
An inside look at a targeted attack

With targeted attacks becoming regular news items, it might be a good time to have a closer look at a sample of a somewhat older one. Recently I received a potentially malicious e-mail that was originally distributed early 2006. After one year, the dropper, a Word document exploiting MS05-035 was recognized by only 9 out of VirusTotal’s 36 AVs as malicious.

This attack was clearly targeted through the scope of its distribution, limited to members of a specific organization, and the purported/spoofed source and content of the e-mail message. Each of these taken together created a valid context in which the message was interpreted by the recipient.

A hex dump of the file indicated an embedded executable at the end:

00010200 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
00010240 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00010250 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00010260 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00010270 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|

By removing everything in front of the magic ‘MZ’ signature using a hex editor, the executable was easily extracted. 15 of the AVs detected the binary as a Troj/Riler.J variant. Interesting, as Riler.J was listed in the then-NISCC's 2005 warning.

The file was packed with UPX. It turned out to be an installer which created the following files:
C:\WINNT\system32\SNootern.dll
C:\WINNT\system32\uidmngr.ini

The latter file contains the filename from which installation originally took place, while the former contains the bulk of this Trojan. The executable also registers a new instance of the Non-IFS service provider support environment (WS2IFSL) and installs the Trojan as a layered service provider. The following key gets added:

HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem: 43 3A 5C 57 49 4E 4E 54 5C 53 79 73 74 65 6D 33 32 5C 53 4E 6F 6F 74 65 72 6E 2E 64 6C 6C 00 00 00 00 67 00 6E 00 61 00 74 00 75 00 72 00 65 00 3D 00 22 00 24 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 20 00 4E 00 54 00 24 00 22 00 0D 00 0A 00 43 00 6C 00 61 00 73 …

The first few HEX values decode to:
C:\WINNT\System32\SNootern.dll (…)

Upon a reboot, the host performs a DNS lookup for a host registered on 3322.org (a Chinese dynamic DNS provider). It then makes a TCP connection to this server on a hard coded port number.

As grand finale… it appears that more than one year after the initial attacks, the hostname is still successfully resolving and the box on the other end is actively picking up the phone.

It would prove quite interesting to know what someone infected with this piece of malicious code could expect. Running the tool using a debugger such as Ollydbg quickly shows a number of decision trees similar to the following:



Closer review shows that commands exist to allow the remote host to create files, search for files, and more importantly, gain a command line shell on the box (“LIKE”).

After a bit more testing with the malware, the connection protocol appeared fairly obvious as well. The infected host makes an outbound connection to the US based server, both parties identify, open a log and go dormant. Until, that is, the control server issues a command supported by the Trojan.

NAME
NAME: DIMASHK.VER: Stealth 2.6.MARK: fl510 .OS: NT 5.0.L_IP: 10.3.5.26.ID: NoID
LONG:0531_LOG.txt
NULL
AUTH
ERR code = 0
SNIF
ERR code = 0
WAKE


When the file was first received, we distributed it to the major anti virus vendors, and coverage has much improved since. What this example shows best, though, is that information sharing is vital in identifying these types of attacks. Only when information on them is shared and patterns are identified can detection and response improve. 

Cheers,
Maarten Van Horenbeeck

Maarten

158 Posts

Sign Up for Free or Log In to start participating in the conversation!