Fooled by Andromeda
0xEBFE, http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/

There is a malware with the name “Andromeda” that recently started to spread again. Let’s listen to the experts from Trend Micro (full blog entry: http://blog.trendmicro.com/trendlabs-security-intelligence/andromeda-botnet-resurfaces/).

Hm, it is strange behavior for mass-spreading malware, isn’t it? Someone should explain what’s really going on - and this “someone” will be me :)

Andromeda has several anti-debugging and anti-reversing tricks:

It checks the names of running processes by comparing CRC32 hashes.

It checks for the Sandboxie DLL.

It checks the “0” value of the registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum for the strings “vmwa”, “vbox” and “qemu”. Obviously, this is an anti-VM trick.

And finally it checks the elapsed time between two “rdtsc” instructions.

Passing all these checks makes Andromeda avoid address 0x00401E8C, where an ACCESS_VIOLATION exception would otherwise occur. If some of the anti-reversing checks pass, the payload is loaded from 0x402413. This is what the Andromeda payload header structure looks like:

payload_header.cpp
```cpp
#include <windows.h>   // BYTE, DWORD

#pragma pack(push, 1)  // fields are packed; offsets in the comments are from the sample
typedef struct _ANDROMEDA_PAYLOAD {
    BYTE  rc4Key[16];            // 0x000
    DWORD encryptedSize;         // 0x010
    DWORD unknown;               // 0x014 probably CRC32
    DWORD unpackedSize;          // 0x018
    DWORD offsetEntryPoint;      // 0x01C
    DWORD offsetRelocAndImport;  // 0x020
    DWORD relocsAndImportSize;   // 0x024
    BYTE  encryptedPayload[];    // 0x028, encryptedSize bytes follow the header (flexible array, compiler extension)
} ANDROMEDA_PAYLOAD;
#pragma pack(pop)
```

The default payload at address 0x402413 starts with such a header.

Andromeda uses RC4 for decryption and the aPLib library for decompression. I made an IDAPython script that decrypts the payload and recovers the relocations and imports. My script is based on the great kabopan scripts (http://code.google.com/p/kabopan/) by Ange Albertini (https://twitter.com/angealbertini).
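Before going to the IDAPython script itself, here is a stand-alone parser for the header structure above. It is an added example, not the author's script and not Andromeda code: it unpacks the fields with `struct`, reads `encryptedSize` bytes of body and RC4-decrypts them with `rc4Key`. Assumptions not stated on the page: the sample uses plain, unmodified RC4 keyed directly with the 16-byte field, and the aPLib decompression that follows is left out (it needs an aPLib implementation). The blob it runs on is constructed here with the same RC4 routine, and the `unknown` field is filled with a CRC32 of the packed body only because the page guesses that field is a CRC32; which data the real sample checksums is unknown.

```python
r"""Parse an ANDROMEDA_PAYLOAD header and RC4-decrypt the payload body.

Added example, not the post author's IDAPython script. Assumptions: plain RC4
keyed with the 16-byte rc4Key field; aPLib decompression omitted; the sample
blob below is constructed here so the code runs offline.
"""
import struct
import zlib

# Little-endian, packed(1): 16-byte key + six DWORDs = 0x28 bytes, matching the
# offsets in the page's struct.
HEADER_FMT = "<16sIIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 40


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_header(blob: bytes) -> dict:
    """Unpack the header fields; raise ValueError on a truncated or inconsistent blob."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob shorter than ANDROMEDA_PAYLOAD header")
    (rc4_key, enc_size, unknown, unpacked_size,
     off_ep, off_reloc_imp, reloc_imp_size) = struct.unpack_from(HEADER_FMT, blob, 0)
    if HEADER_SIZE + enc_size > len(blob):
        raise ValueError("encryptedSize runs past the end of the blob")
    return {
        "rc4Key": rc4_key,
        "encryptedSize": enc_size,
        "unknown": unknown,                  # 0x014: page says "probably CRC32"
        "unpackedSize": unpacked_size,
        "offsetEntryPoint": off_ep,
        "offsetRelocAndImport": off_reloc_imp,
        "relocsAndImportSize": reloc_imp_size,
    }


def decrypt_payload(blob: bytes) -> bytes:
    """Return the RC4-decrypted (still aPLib-packed) payload body."""
    hdr = parse_header(blob)
    body = blob[HEADER_SIZE:HEADER_SIZE + hdr["encryptedSize"]]
    return rc4(hdr["rc4Key"], body)


def build_sample(key: bytes, packed: bytes, unpacked_size: int) -> bytes:
    """Constructed test blob: header followed by RC4(key, packed). Not real Andromeda data."""
    assert len(key) == 16
    # 'unknown' = CRC32 of the packed body is an assumption for the demo only.
    header = struct.pack(HEADER_FMT, key, len(packed), zlib.crc32(packed) & 0xFFFFFFFF,
                         unpacked_size, 0x1000, 0x2000, 0x40)
    return header + rc4(key, packed)


# Constructed stand-in for an aPLib-packed PE image.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_PACKED = b"MZ\x90\x00" + b"packed-payload-placeholder" * 3
SAMPLE_BLOB = build_sample(SAMPLE_KEY, SAMPLE_PACKED, unpacked_size=0x5000)

if __name__ == "__main__":
    for name, value in parse_header(SAMPLE_BLOB).items():
        print(f"{name:22} {value.hex() if isinstance(value, bytes) else f'0x{value:08X}'}")
    print("decrypted body starts with", decrypt_payload(SAMPLE_BLOB)[:4])
```

The `rc4` routine is checked against the published known-answer vector (key "Key", plaintext "Plaintext"); if the real sample's output does not start with an aPLib stream after this step, the key schedule or key length is where to look first.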
You can find my script here: https://github.com/0xEBFE/Andromeda-payload

I decrypted the payload at 0x402413 and it does several operations:

Copies itself to %ALLUSERSPROFILE%\svchost.exe.

Writes itself to the “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” registry key as “SunJavaUpdateSched”.

And also (sorry for the big picture, but you have to see this; the listing below is transcribed from the screenshot):

```asm
seg003:10000188 push    offset unk_100002C4
seg003:1000018D push    101h
seg003:10000192 call    j_seg003_ws2_32_WSAStartup
seg003:10000197 mov     [ebp+var_28], 2
seg003:1000019D push    8000                  ; <--- port number
seg003:100001A2 call    j_seg003_ws2_32_htons
seg003:100001A7 mov     [ebp+var_1E], ax
seg003:100001AB mov     [ebp+var_1C], 0
seg003:100001B2 push    0
seg003:100001B4 push    0
seg003:100001B6 push    0
seg003:100001B8 push    IPPROTO_TCP
seg003:100001BA push    SOCK_STREAM
seg003:100001BC push    AF_INET
seg003:100001BE call    j_seg003_ws2_32_WSASocketA
seg003:100001C3 mov     [ebp+var_14], eax
seg003:100001C6 cmp     eax, 0FFFFFFFFh
seg003:100001C9 jz      short loc_10000244
seg003:100001CB push    10h
seg003:100001CD lea     eax, [ebp+var_24]
seg003:100001D0 push    eax
seg003:100001D1 push    [ebp+var_14]
seg003:100001D4 call    j_seg003_ws2_32_bind
seg003:100001D9 cmp     eax, 0FFFFFFFFh
seg003:100001DC jz      short loc_10000244
seg003:100001DE push    5
seg003:100001E0 push    [ebp+var_14]
seg003:100001E3 call    j_seg003_ws2_32_listen
seg003:100001E8 cmp     eax, 0FFFFFFFFh
seg003:100001EB jz      short loc_10000244
seg003:100001ED
seg003:100001ED loc_100001ED:
seg003:100001ED xor     eax, eax
seg003:100001EF lea     edi, [ebp+startup_info]
seg003:100001F2 mov     ecx, 44h
seg003:100001F7 rep stosb
seg003:100001F9 push    0
seg003:100001FB push    0
seg003:100001FD push    [ebp+var_14]
seg003:10000200 call    j_seg003_ws2_32_accept
seg003:10000205 mov     [ebp+startup_info.cb], 44h
seg003:1000020C mov     [ebp+startup_info.hStdInput], eax    ; <-- socket handle
seg003:1000020F mov     [ebp+startup_info.hStdOutput], eax   ; <-- socket handle
seg003:10000212 mov     [ebp+startup_info.hStdError], eax    ; <-- socket handle
seg003:10000215 mov     [ebp+startup_info.wShowWindow], SW_HIDE
seg003:1000021B mov     [ebp+startup_info.dwFlags], STARTF_USESHOWWINDOW or ST ; (second flag cut off in the screenshot)
seg003:10000222 lea     eax, [ebp+process_info]
seg003:10000225 push    eax
seg003:10000226 lea     eax, [ebp+startup_info]
seg003:10000229 push    eax
seg003:1000022A push    0
seg003:1000022C push    0
seg003:1000022E push    0
seg003:10000230 push    1
seg003:10000232 push    0
seg003:10000234 push    0
seg003:10000236 push    offset aCmd_exe       ; <--- Command Shell (cmd.exe)
seg003:1000023B push    0
seg003:1000023D call    j_seg003_kernel32_CreateProcessA
seg003:10000242 jmp     short loc_100001ED
seg003:10000244
seg003:10000244 loc_10000244:
```

In this listing you can see that Andromeda:

Opens port 8000 — ✔ check :)

Runs a new instance of “cmd.exe” — ✔ check :)

It does not have any code to process commands from the remote computer, but since the standard handles (StdInput and StdOutput) are redirected to the socket, it is possible to execute commands remotely. Obviously it’s a fake payload - someone got fooled :)

Let’s check the SEH handler of Andromeda. As you can see, Andromeda basically changes the execution flow when an exception occurs at the specified address: it passes the execution flow to the “load_payload” function with address 0x00402058 as its argument. In this real payload, the malware injects itself into “msiexec.exe” or “svchost.exe”. If you look more closely you can spot a third payload that runs inside “msiexec.exe” or “svchost.exe”. This payload contains the C&C URL. However, this URL is also a fake; thanks to @aaSSfxxx (https://twitter.com/aaSSfxxx) for pointing this out to me.
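The host-side indicators the post has produced so far (the dropped copy at %ALLUSERSPROFILE%\svchost.exe, the “SunJavaUpdateSched” Run value, the listener on TCP port 8000 and the cmd.exe child whose std handles are the accepted socket) can be matched against endpoint telemetry. The following is an added example, not from the post or the author's tooling: the event records are constructed here in a Sysmon-like shape with my own field names (not a real schema), including benign noise that must not match. The svchost.exe path check is the key discriminator, since the genuine binary lives under %SystemRoot%\System32.

```python
r"""Match the host indicators described in the post against constructed
telemetry. Added example, not from the post. Event field names are my own.
"""
import ntpath

RUN_KEY_SUFFIX = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
RUN_VALUE_NAME = "SunJavaUpdateSched"
FAKE_PAYLOAD_PORT = 8000


def _norm(path: str) -> str:
    """Case-fold and unify separators so trivial path variations still match."""
    return path.replace("/", "\\").lower()


def is_dropped_svchost(image: str, allusersprofile: str) -> bool:
    r"""True if image is the %ALLUSERSPROFILE%\svchost.exe copy the post describes."""
    expected = ntpath.join(allusersprofile, "svchost.exe")
    return _norm(image) == _norm(expected)


def match_indicators(events, allusersprofile=r"C:\ProgramData"):
    """Return (indicator, detail) pairs, one per matching event, in event order."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and is_dropped_svchost(ev["path"], allusersprofile):
            hits.append(("dropped_copy", ev["path"]))
        elif (kind == "registry_set"
              and _norm(ev["key"]).endswith(RUN_KEY_SUFFIX)
              and ev["value_name"] == RUN_VALUE_NAME):
            hits.append(("run_key_persistence", ev["value_name"]))
        elif (kind == "listen" and ev["port"] == FAKE_PAYLOAD_PORT
              and is_dropped_svchost(ev["image"], allusersprofile)):
            hits.append(("fake_payload_listener", f"tcp/{ev['port']}"))
        elif (kind == "process_create"
              and ntpath.basename(_norm(ev["image"])) == "cmd.exe"
              and is_dropped_svchost(ev["parent_image"], allusersprofile)):
            hits.append(("bind_shell_child", ev["image"]))
    return hits


# Constructed telemetry: what a sandbox run of the fake payload might log,
# followed by benign events (real svchost.exe, a user-launched cmd.exe) that
# must not produce a hit.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\ProgramData\svchost.exe"},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "SunJavaUpdateSched", "data": r"C:\ProgramData\svchost.exe"},
    {"type": "listen", "image": r"C:\ProgramData\svchost.exe", "port": 8000},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\ProgramData\svchost.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "listen", "image": r"C:\Windows\System32\svchost.exe", "port": 135},
]

if __name__ == "__main__":
    for indicator, detail in match_indicators(SAMPLE_EVENTS):
        print(f"{indicator:22} {detail}")
```

Because the fake payload's shell is a child of the dropped svchost.exe copy with inherited handles, a parent/child rule of this kind fires even though no command text ever appears in a command line; the listener rule is the weaker of the two, since port 8000 alone is common.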
You might ask the question: “How do cyberterrorists test their cyberweapons if it’s not possible to run them in Virtual Machines?” And the answer is: Andromeda checks the CRC32 of the %SYSTEMDRIVE% volume name, and if it equals 0x20C7DD84 (for example for “CKF81X”), the real payload is executed.

Thanks to this great forum for supplying the sample: http://www.kernelmode.info/

MD5 hash of the analyzed sample: 2C1A7509B389858310FFBC72EE64D501
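Both the process-name check from the beginning of the post and the volume-name check above compare CRC32 hashes rather than strings, so an analyst has to resolve hashes back to names. The following is an added example, not the author's script: it hashes a constructed candidate list under several case and encoding variants and looks the sample's hashes up in that table. Its assumption about the sample is that the CRC32 is the standard IEEE one (what `zlib.crc32` computes) over the raw bytes of the name; a custom table, initial value or Unicode transform would change every hash, which is why the lookup reports “unresolved” instead of guessing.

```python
r"""Resolve CRC32 hashes back to the names Andromeda compares them against
(process names, and the %SYSTEMDRIVE% volume label whose hash must be
0x20C7DD84). Added example, not the post author's script. Assumes standard
CRC-32 over the raw name bytes; the candidate list is constructed here.
"""
import zlib
from typing import Dict, Iterable, Iterator, Optional, Tuple


def crc32(data: bytes) -> int:
    """Standard CRC-32 (IEEE polynomial) as an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def name_variants(name: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (label, raw_bytes) for the forms a sample might hash a name in."""
    for case_label, text in (("as-is", name), ("lower", name.lower()), ("upper", name.upper())):
        yield f"{case_label}/ascii", text.encode("ascii", "ignore")
        yield f"{case_label}/utf-16le", text.encode("utf-16-le")


def build_table(candidates: Iterable[str]) -> Dict[int, Tuple[str, str]]:
    """Map crc32 -> (candidate, variant label); the first variant wins on a collision."""
    table: Dict[int, Tuple[str, str]] = {}
    for name in candidates:
        for label, raw in name_variants(name):
            table.setdefault(crc32(raw), (name, label))
    return table


def resolve(hashes: Iterable[int],
            candidates: Iterable[str]) -> Dict[int, Optional[Tuple[str, str]]]:
    """Look each hash up; None means no candidate matched under any variant."""
    table = build_table(candidates)
    return {h: table.get(h) for h in hashes}


# Constructed candidate list: analysis-tool process names a sample typically
# looks for, plus the Sandboxie DLL the post mentions. Not the sample's real list.
CANDIDATES = ["vmtoolsd.exe", "vboxservice.exe", "ollydbg.exe", "idaq.exe",
              "wireshark.exe", "procmon.exe", "sbiedll.dll"]

# Volume-name check from the post: the CRC32 must equal 0x20C7DD84, and the
# post gives "CKF81X" as an example label.
VOLUME_HASH = 0x20C7DD84

if __name__ == "__main__":
    # An analyst would take these from the sample's compare table; here they are
    # computed from the constructed list so the demo runs offline.
    wanted = [crc32(b"VBOXSERVICE.EXE"), crc32(b"ollydbg.exe"), 0xDEADBEEF]
    for h, hit in resolve(wanted, CANDIDATES).items():
        print(f"0x{h:08X} -> {hit[0]} ({hit[1]})" if hit else f"0x{h:08X} -> unresolved")
    hit = resolve([VOLUME_HASH], ["CKF81X"])[VOLUME_HASH]
    print("volume label 'CKF81X':",
          f"matches standard CRC-32 ({hit[1]})" if hit
          else "does not match standard CRC-32; the sample's CRC32 or the label's form differs")
```

The resolver deliberately tries ASCII and UTF-16LE forms in three cases, because a sample that hashes the name out of a PROCESSENTRY32W or a volume label from GetVolumeInformationW is hashing UTF-16, not the ASCII an analyst types.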