Tuesday, June 17, 2014

Malware brief introduction:


Malware is malicious software (Mal + Ware = Malicious + Software). Computer viruses, Trojans, rootkits, bootkits, adware, spyware, backdoors, crimeware, etc. all come under the category of malware. Malware is intended to infect the system, run unauthorized programs on it, use its resources and even steal credentials.

In the DOS virus era, computer viruses were used only for destructive purposes. Early malware authors wrote them for fun and to show off their understanding of computers and how programs work. The current trend is totally different: today's malware authors do not focus on merely destroying programs by infecting them; their whole focus is on stealing valuable credentials such as banking user names and passwords, email passwords, etc. Billions of dollars have been stolen by malware authors using malware programs.

Another important purpose of malware is as a state-of-the-art tool in targeted attacks against a country, state or organisation by arch-rival countries or organisations. This is known as an APT (Advanced Persistent Threat). The threat actors may be underground hacking groups, arch-rival governments or state-sponsored groups, and the target, as stated above, is a country, a state or a big organisation (worth billions of dollars in revenue).

Common people use the term virus (computer virus) for all malicious programs, but a computer virus is only one kind of malicious program, one of the categories of malware. Virus files usually infect system files and application files, which finally results in the malfunction of computer programs. The only options are disinfection by an antivirus program or formatting the whole system and installing the operating system once again. Formatting the system and installing the OS again is time-consuming work, and people will also lose the important data stored on the system. That data may be songs and movies, but to a greater extent it is important official documents, which are worth more than a movie or songs. In this case, using an antivirus program is a must, since it has shield functionality to stop known malware families or viruses from infecting the system. Even an infected program can be cleaned or disinfected by the antivirus program, since it has cleaning routines for most virus families.

Antivirus or anti-malware engines detect those malicious programs and remove them. The antivirus engine scans all the computer programs present on the system for signatures and notifies the user. A signature is nothing but the malicious code or routine that triggers the malicious event. If such a routine is present in a file, the file will be detected by the antivirus engine. We will see more on this category in upcoming posts.

Monday, June 16, 2014

Etumbot - APT Backdoor

AV results for Etumbot Backdoor (malware - APT):


MD5 ff5a7a610746ab5492cc6ab284138852
SHA-1 34e4692f35e809bb281fa7455f661057c6d5c9e2
SHA-256 89983ea32ba4ddf50ef488653be07d30ed77c09d77b03c5bd3eaac5e8497970e


AVG SHeur4.BSAN 20140613
Ad-Aware Trojan.GenericKD.1597427 20140613
Agnitum Trojan.Agent!Bn8DSJ/FD8s 20140614
AhnLab-V3 Dropper/Win32.Agent 20140613
AntiVir TR/Dropper.Gen 20140613
Antiy-AVL Trojan/Win32.Agent 20140613
Baidu-International Trojan.Win32.Agent.aN 20140613
BitDefender Trojan.GenericKD.1597427 20140613
DrWeb Trojan.DownLoader9.41796 20140613
Emsisoft Trojan.GenericKD.1597427 (B) 20140613
F-Secure Trojan.GenericKD.1597427 20140613
Fortinet W32/Agent.AFSHQ!tr 20140613
GData Trojan.GenericKD.1597427 20140613
Ikarus Trojan.Win32.Agent 20140613
K7AntiVirus Riskware ( 0040eff71 ) 20140613
K7GW Trojan ( 050000001 ) 20140613
Kaspersky Trojan.Win32.Agent.afshq 20140613
McAfee RDN/Generic BackDoor!xi 20140613
McAfee-GW-Edition RDN/Generic BackDoor!xi 20140615
MicroWorld-eScan Trojan.GenericKD.1597427 20140613
Microsoft Trojan:Win32/Dynamer 20140613
NANO-Antivirus Trojan.Win32.Agent.cufuaq 20140613
Norman Obfuscated.W!genr 20140613
Qihoo-360 HEUR/Malware.QVM07.Gen 20140613
Rising PE:Malware.FakeXLS@CV!1.6AC3 20140613
Sophos Troj/Etumbot-B 20140613
TotalDefense Win32/FakeExcel_i 20140613
TrendMicro BKDR_ETUMBOT.UQU 20140613
TrendMicro-HouseCall BKDR_ETUMBOT.UQU 20140613
VIPRE Trojan.Win32.Generic!BT 20140613
nProtect Trojan/W32.Agent.94720.ACP 20140613

Is a Win32 executable
  Size of header      00000040h / 64
  File size in header 00000490h / 1168
  Entrypoint          00000040h / 64
  Overlay size        00016D70h / 93552
  No relocation entries

  PE EXE at offset 000000D0h / 208
    Entrypoint             0000258Bh / 9611
    Entrypoint RVA         0000318Bh
    Entrypoint section     .text
    Calculated PE EXE size 00017200h / 94720
    Image base             00400000h / 4194304
    Required CPU type      80386
    Required OS            4.00 - Win 95 or NT 4
    Subsystem              Windows GUI
    Linker version         6.00
    Stack reserve          00100000h / 1048576
    Stack commit           00001000h / 4096
    Heap reserve           00100000h / 1048576
    Heap commit            00001000h / 4096
    Flags:
      Relocation info stripped from file
      File is executable
      Line numbers stripped from file
      Local symbols stripped from file
      Machine based on 32-bit-word architecture

    Sections according to section table (section align: 00001000h):
      Name      RVA        Virt size  Phys offs  Phys size  Phys end   Flags
      .text     00001000h  00005A94h  00000400h  00005C00h  00006000h  60000020
      .rdata    00007000h  00000A1Ah  00006000h  00000C00h  00006C00h  40000040
      .data     00008000h  0000F65Ch  00006C00h  00000A00h  00007600h  C0000040
      .rsrc     00018000h  0000FA98h  00007600h  0000FC00h  00017200h  40000040


    Listing of all used data directory entries (used: 3, total: 16):
                         Name  Phys offs  RVA        Phys size  Section
                 Import Table  000064D4h  000074D4h  0000003Ch  .rdata
              Ressource Table  00007600h  00018000h  0000FA98h  .rsrc
         Import Address Table  00006000h  00007000h  000000F4h  .rdata

    Functions from the following DLLs are imported:
      [0] KERNEL32.dll
      [1] SHELL32.dll

    Resources at offset 00007600h (RVA 00018000h) for 64152 bytes:
        Type 80000268h / 2147484264:
          ID: 00002AF9h / 11001
            RVA: 00018280h; Offset: 00007880h; Size: 35260 bytes
          ID: 00002AFAh / 11002
            RVA: 00020C40h; Offset: 00010240h; Size: 4699 bytes
        Icon:
          ID: 00000001h / 1
            RVA: 00021EA0h; Offset: 000114A0h; Size: 744 bytes
          ID: 00000002h / 2
            RVA: 00022188h; Offset: 00011788h; Size: 296 bytes
          ID: 00000003h / 3
            RVA: 000222B0h; Offset: 000118B0h; Size: 3752 bytes
          ID: 00000004h / 4
            RVA: 00023158h; Offset: 00012758h; Size: 2216 bytes
          ID: 00000005h / 5
            RVA: 00023A00h; Offset: 00013000h; Size: 1384 bytes
          ID: 00000006h / 6
            RVA: 00023F68h; Offset: 00013568h; Size: 9640 bytes
          ID: 00000007h / 7
            RVA: 00026510h; Offset: 00015B10h; Size: 4264 bytes
          ID: 00000008h / 8
            RVA: 000275B8h; Offset: 00016BB8h; Size: 1128 bytes
        Icon Group:
          ID: 00000065h / 101
            RVA: 00027A20h; Offset: 00017020h; Size: 118 bytes
      Total resource size: 64117 bytes (data: 63501 bytes, TOC: 616 bytes)

    Processed/created with:
      Found compiler 'Visual C++ 6.0 (EXE) (nodebug)'

PE sections
Name    Virtual address  Virtual size  Raw size  Entropy  MD5
.text   4096             23188         23552     6.50     b78540e7b33a8d01255c8d2b72037cbf
.rdata  28672            2586          3072      4.77     97b2c12ed2c68162a3e15aa8f77723f3
.data   32768            63068         2560      1.96     59c0be0a6652bb90ca2ec4b18b8fd598
.rsrc   98304            64152         64512     7.26     8894f5928962010ad245a1f61d8a3f60



 PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-03-04 00:19:59
Link date 1:19 AM 3/4/2014
Entry Point 0x0000318B
Number of sections 4


PE imports:
[+] KERNEL32.dll
GetLastError
HeapFree
GetStdHandle
LCMapStringW
SetHandleCount
WaitForSingleObject
GetOEMCP
LCMapStringA
HeapDestroy
ExitProcess
SetFileTime
GetEnvironmentStringsW
FlushFileBuffers
GetModuleFileNameA
RtlUnwind
LoadLibraryA
FreeEnvironmentStringsA
GetStartupInfoA
SizeofResource
GetFileSize
LockResource
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
UnhandledExceptionFilter
MultiByteToWideChar
FreeEnvironmentStringsW
GetCPInfo
GetCommandLineA
GetProcAddress
SetStdHandle
GetFileTime
SetFilePointer
GetTempPathA
WideCharToMultiByte
GetStringTypeA
GetModuleHandleA
ReadFile
WriteFile
GetCurrentProcess
CloseHandle
GetACP
HeapReAlloc
GetStringTypeW
SetFileAttributesA
TerminateProcess
GetEnvironmentStrings
CreateProcessA
GetEnvironmentVariableA
LoadResource
VirtualFree
GetFileType
CreateFileA
HeapAlloc
GetVersion
FindResourceA
VirtualAlloc
HeapCreate

[+] SHELL32.dll
ShellExecuteA


Operating system - Part 1:

On our blog, we have published several articles on OS concepts, mostly from the perspective of malware analysis/security research. In few in...