Tuesday, July 11, 2017

Analysis of Nitol:

About Nitol:

  • Nitol is a family of Trojan that performs DDoS (distributed denial of service) attacks, allow backdoor access and control, download and run files and perform a number of other malicious activities on your computer. The Botnet is accessed from a Dynamic DNS Service.
History of Nitol (Discovery):
  • The Trojan was preloaded during the assembly and manufacturing process in China that came brand new from the factory. These Laptops and Desktops were sold in large numbers (may be because of cheap price) which lead the distribution world-wide. 
  • In August 2011, researchers on the Microsoft Digital Crimes Unit purchased 20 computers (10 laptops and 10 Desktops) from various cities in China. 4 out of 20 machines were found to be infected with malware, and one of those infectors was Nitol.

Malware Name
SHA1
Behavior
Nitol
99624d63106ccff4a2e2feb9d32437bfd2f183ab
HTTP Backdoor
Trafog
a6293ac854ade333a1faa3acabb15dfe777d5bae
FTP Backdoor
EggDrop
E4E583E7FA0CF566586D828DB019F2C7291C4F39
Suspicious – non-malicious
Malat
37e4be0b473ceba6144fa5b900cae52b4c85c47e
IRC Backdoor

  • The computer that was preloaded with Nitol was the only one that was actively running and had attempted to connect to a command and control (C&C) server.
  • Infection statistics of Nitol taken from Microsoft Telemetry.

The most commonly used Nitol Domains:

Distribution of Malware Using 3322.org
  • On 10 September 2012 Microsoft took action against the Nitol Botnet by obtaining a court order and subsequently Sink-holing the 3322.org domain.
  •  Microsoft later settled with 3322.org operator Pen Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sink-holed
  • 3322.org Status - 
Behaviour of Nitol:
  • Nitol Spreads through removable media and and mapped network shares. It picks directories that contain applications (.EXE, .DLL, .OCX files) and compressed file archives (e.g. .RAR and .ZIP). File attributes SYSTEM/READ-ONLY/HIDDEN. This is done by exploiting the module loading process used by Windows with an infected file LPK.DLL (Component of Microsoft Language Pack - Lpksetup.exe).
  • LPK.DLL is used to exploit the module loading process used by Windows when it runs applications. Since applications look for LPK.DLL in their current directory before any other place, Nitol will get loaded before the file (of the same name) provided by Microsoft in the System32 directory.


We got the yara rules for this Nitol variant:
Yara Rule
rule Nitol : Nitol
{
strings: 
        $a = {5E 26 2A 2E 68 74 6D}
        $b = {25 63 25 63 25 63 25 63 25 63 25 63 2E 65 78 65} 
       $C = {4C 70 6B}
condition:
        $a and $b and $C
}

Components of Nitol:

Components
  • Installer
  • Dropper - (Infected LPK and Backdoor)
  • Downloaded files for DDOS
 [Detection Info]
    * Filename: C:\Documents and Settings\Norman\Desktop\Nitol.
    * Sandbox name: W32/Obfuscated.MA.
    * Signature name: NOT_SCANNED.
    * Compressed: NO.
    * TLS hooks: NO.
    * Executable type: Library (DLL).
    * Executable file structure: OK.
    * Filetype: PE_I386.
 [General information]
    
    * Accesses executable file from resource section
 * Drops files in %WINSYS% folder.
    * Anti debug/emulation code present.
    * File length:        46592 bytes.
    * MD5 hash: b339de14bae1157e652b0ea7d070113e.
    * SHA1 hash: 99624d63106ccff4a2e2feb9d32437bfd2f183ab.
 
 [Changes to file-system]
    * Creates file C:\Windows\Temp\tmp.1.
    * Creates file C:\WINDOWS\system32\sqqggi.exe.
    * Creates file C:\WINDOWS\TEMP\SOFTWARE.LOG.
    * Deletes file C:\Windows\Temp\tmp.1.

[Changes to registry]
    * Accesses Registry key "HKLM\SYSTEM\CurrentControlSet\Services\Distribulgs"

    * Creates key "HKLM\System\CurrentControlSet\Services\Distribulgs".
    * Sets value "ImagePath"="C:\WINDOWS\system32\sqqggi.exe" in key "HKLM\System\CurrentControlSet\Services\Distribulgs".
    * Sets value "DisplayName"="Distribuoax Transaction Coordinator Service" in
key "HKLM\System\CurrentControlSet\Services\Distribulgs".
    * Sets value "Description"="Distribueuu Transaction Coordinator Service." in
 key "HKLM\System\CurrentControlSet\Services\Distribulgs".
 
 [Process/window information]
    * Creates a mutex Distribulgs.
    * Creates process "tmp.1".
    * Creates service "Distribulgs (Distribuoax Transaction Coordinator Service)
" as "C:\WINDOWS\system32\sqqggi.exe".
    * Creates process "sqqggi.exe".
    * Creates an unnamed event.
* Creates process "svchost.exe".
    * Reads memory in process "svchost.exe".
    * Modifies memory in process "svchost.exe".
    * Modified OS kernel function code in process "svchost.exe".

Static Analysis
 
MD5 - B339DE14BAE1157E652B0EA7D070113E
The working of the sample is shown clearly in Sandbox.
The file is a DLL that has the executable in the Resource Data. 
101 – Mutex
102 – Executable
The Executable also has a file in the resource
33 - DLL

The working of the Installer is Simple
Find the Resource  ( Mutex and Dropper)
Register the Mutex
Drop a file from the RCData Dropper in the %temp% with prefix hrn
Infection code for loading Hidden copy of lpk.dll and code for spreading

The working is shown clearly in the Diagram:



Now the main file of Nitol has dropped a file in Windows\System32 and also dropped a copy of infected LPK.DLL with name hra33.dll which is later deleted.



Dropped %C%C%C%C%C%C.exe
MD5 - B339DE14BAE1157E652B0EA7D070113E
 
  • This sample is the most important part of the Analysis as this is responsible for creating the service, Registry Entry, Downloading files, Performing DDOS attacks.
  • It can be observed that the file is having a lot of NOP’s right from the winmain of the Dropped file which might be place-holder to be replaced by active instructions later on in program development.
Creation of service -

Dropped file in temp with prefix hrl given a random name of six characters -
Injection of code in Svchost.exe:
Svchost.exe in memory:
Network Connectivity related Events:

The connectivity is not established because of the take down of the botnet:



  • There are some binaries downloaded by Nitol to perform these actions 
  • plusctrl.dll – MD5 - 99E6D6A21A452A24759FD50FB2874BCE
  • hra%u.dll (hra32.dll) – MD5 - 22F2C6088367D608D455ED73527DA02B
  • Stf%C%C%C%C%C.exe
  • These files are downloaded and are used by the Command and Control server for performing various actions.

C&C command ID:

0x01 (1)
  Receive Component
    Send a new module to the computer to run.
------------------------------------------------------------------------------------
0x02 (2) 
  Unknown but DDOS Specific
    Nitol connects to target address via TCP, UDP, or RAW.
------------------------------------------------------------------------------------
0x03 (3) 
  Unknown but DDOS Specific
    Possible floods: SYN, TCP, UDP, ICMP, HTTP.
___C&C may command sleep for specific time
------------------------------------------------------------------------------------
0x04 (4)
  Unknown but DDOS Specific
    Possible floods: SYN, TCP, UDP, ICMP, HTTP.
__C&C may command sleep for specific time. 
-----------------------------------------------------------------------------------
0x05 (5) 
  Stop Work
   Stop DDOS’ing target computers
------------------------------------------------------------------------------------
0x06 (6)
  Clean up
    Delete, set file attributes to Normal. Exits
------------------------------------------------------------------------------------
0x10 (16)
  Download & Run
  Specify URL and filename to download from Internet Save file in temp directory under filename “stf[5 random letters].exe” ,Execute saved file
------------------------------------------------------------------------------------
0x12 (18)
  Update
   Delete existing service, Download new executable from specified URL, Save file in temp directory under filename “stf[5 random letters].exe” , Execute saved file
------------------------------------------------------------------------------------

0x13 (19)
  Open URL
    Launch Internet Explorer (specifically) with specified URL
------------------------------------------------------------------------------------
0x20 (32)
  Start Work 
    Start DDOS’ing target computers
------------------------------------------------------------------------------------
0x14 (20)
  Open URL as Current User
   Launch Internet Explorer (specifically) with specified URL
------------------------------------------------------------------------------------
0x77 (119)
  Get Computer Information
   Get computer information and send to C&C , Computer Local (e.g. EN-US)  , Computer Name , Operating System Name , Amount of memory (RAM) , CPU Speed , Nitol Flag (possibly version number) , Nitol Work DLL flag , Timestamp
------------------------------------------------------------------------------------

Conclusion:
  • Most of AV vendors detect the malware with names Nitol, MicroFake and ServStart.
  • Antivirus or antimalware software with latest definition will remove the Nitol infection.
  • Use caution when opening attachments and accepting file transfers.
  • More caution while using removable media. Disable autorun/autoplay via group policy. 
  • Use strong passwords and never use weak or default passwords. (Since Nitol variants have the ability spread via removable media and mapped network shares).
Post made by

Operating system - Part 1:

 In our blog, we published several articles on OS concepts which mostly on the perspective for malware analysis/security research. In few in...