Analysis of a Trojan Horse virus (1)

Source: Internet
Author: User

I. Basic Information

Sample name: Rub.exe

Sample size: 21504 bytes

Virus name: Trojan.Win32.Rootkit.hv

Packer: UPX (3.07)

Sample MD5: 035c1ada4bace78dd1_cb0e1d184043

Sample SHA1: BAD1CE555443FC43484E0FACF8B88EA8756F78CB

Composition of the virus files:

Virus parent file Rub.exe, MD5: 035c1ada4bace78dd1_cb0e1d184043

Owwesc.exe (a file name made of random letters; it is the parent file Rub.exe after the UPX shell has been removed), MD5: CC7E53EBCE40AC0BFE07FAF3592C210A

hra33.dll (released by the virus parent file), MD5: 5B845C6FDB4903ED457B1447F4549CF0

 

II. Sample Unpacking

The virus parent file rub.exe is first checked for a packer. The result from die.exe shows that the parent file is packed with UPX and that the program was built with Microsoft Visual C/C++ 6.0. The UPX shell is not difficult to remove: the parent file is unpacked with the ESP trick, and the behavior of the unpacked parent file is then analyzed.

 

III. Sample Virus Behavior Analysis

1. Open the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR" to check whether it exists.


 

2. If the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR" exists, a service dispatch routine is set for the main thread.

 

  2.1 The following is a detailed analysis of the behavior of the service dispatch routine set by the virus process.

 

2.1.1 Set the service control handler for the main thread's service. The handler sets the service status according to the control command it receives (nServiceControlStatus).


2.1.2 Create a mutex named ".Net CLR" so that a second instance of the virus does not run.


2.1.3 Enumerate the resources of the virus process's own file and obtain the resource of type 0xA (RT_RCDATA). This resource is in fact a PE file.



2.1.4 Use the obtained 0xA resource to write the virus file hra33.dll into the system directory C:\WINDOWS\system32, then overwrite the first two bytes of hra33.dll with "MZ" so that the dropped file is restored to a valid PE file.
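Storing the payload with its "MZ" bytes removed is what lets it pass a naive signature check while it sits in the resource section. The following Python, added here as an example and not part of the original analysis, shows the check an analyst or scanner can apply to carve such a payload: it ignores the missing "MZ", follows the e_lfanew field at offset 0x3C to a "PE\0\0" signature, and then performs the same two-byte restoration the dropper does so the carved image can be analyzed as a normal PE. The container and the headerless image are constructed inline; no real sample data is used.

```python
import struct

def build_headerless_pe() -> bytes:
    """Constructed stand-in for the 0xA resource: a minimal PE-shaped image
    whose first two bytes are zero instead of "MZ" (assumed layout)."""
    dos = bytearray(0x40)                      # DOS header, "MZ" wiped
    struct.pack_into("<I", dos, 0x3C, 0x80)    # e_lfanew -> NT headers at 0x80
    image = bytes(dos) + bytes(0x80 - 0x40)    # padding up to e_lfanew
    image += b"PE\x00\x00" + b"\x4c\x01" + bytes(18)  # signature + IMAGE_FILE_MACHINE_I386
    return image

def find_hidden_pe(blob: bytes, max_lfanew: int = 0x400) -> list:
    """Return offsets of candidate PE images whose DOS header lacks "MZ".

    A valid e_lfanew is small (the DOS stub is short), so we only accept values
    between the DOS header size and max_lfanew that land on a "PE\\0\\0" signature.
    """
    hits = []
    for off in range(len(blob) - 0x40 + 1):
        if blob[off:off + 2] == b"MZ":
            continue                           # intact header; ordinary tools see it
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        pe = off + e_lfanew
        if 0x40 <= e_lfanew <= max_lfanew and blob[pe:pe + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits

def restore_mz(blob: bytes, off: int) -> bytes:
    """Carve the image at off and put the "MZ" bytes back, as the dropper does
    on disk, so the result loads in a normal PE parser."""
    return b"MZ" + blob[off + 2:]

if __name__ == "__main__":
    container = b"A" * 100 + build_headerless_pe()   # constructed carrier blob
    offsets = find_hidden_pe(container)
    print("headerless PE candidates at:", offsets)
    carved = restore_mz(container, offsets[0])
    print("after restoration, hidden candidates left:", find_hidden_pe(carved))
```

Scanning every offset is fine for a resource or a small file; for large images restrict the scan to the resource section, which is where the dropper keeps the payload.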



2.1.5 Query the ImagePath value of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR to find the service's image file, then update or replace the language resource of that image file so that it carries the virus file C:\WINDOWS\system32\hra33.dll.



2.1.6 Load the dynamic library C:\WINDOWS\system32\hra33.dll and create three virus threads in succession, which carry out the damage to the user's computer.


==============================

Thread 1: the virus uses IPC$ to plant the virus on the user's local host server.

1. Obtain the standard host name of the local host, then use that host name to retrieve all IP addresses and port information corresponding to it.

2. Loop over the IP addresses and port numbers obtained for the user's local host and perform weak-password logon attempts, trying to break into the local host server so that virus files can be planted afterwards.

3. If a weak-password logon to the user's local host server succeeds, a virus file is planted on that server, and then the virus file is run to create a virus process, which damages the user's local host server.
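From the target's side, thread 1's weak-password attempts appear in the Security log as a burst of failed network logons (event 4625, logon type 3) followed, if a guess works, by a success (event 4624) from the same source. The following Python, added as an example and not part of the original analysis, runs that detection over constructed log lines; the one-line key=value field layout is an assumption made for the example, not the real Windows event format, so the parser is the part to swap for a real log source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log sample: one source guessing Administrator over the
# network until it succeeds, and one user who simply mistyped a password twice.
SAMPLE_EVENTS = """\
2013-05-01 10:00:01 EventID=4625 SrcIP=192.168.1.20 TargetUser=Administrator LogonType=3
2013-05-01 10:00:02 EventID=4625 SrcIP=192.168.1.20 TargetUser=Administrator LogonType=3
2013-05-01 10:00:02 EventID=4625 SrcIP=192.168.1.20 TargetUser=Administrator LogonType=3
2013-05-01 10:00:03 EventID=4625 SrcIP=192.168.1.20 TargetUser=Administrator LogonType=3
2013-05-01 10:00:04 EventID=4625 SrcIP=192.168.1.20 TargetUser=Administrator LogonType=3
2013-05-01 10:00:05 EventID=4625 SrcIP=192.168.1.20 TargetUser=Administrator LogonType=3
2013-05-01 10:00:06 EventID=4624 SrcIP=192.168.1.20 TargetUser=Administrator LogonType=3
2013-05-01 10:05:00 EventID=4625 SrcIP=192.168.1.55 TargetUser=alice LogonType=3
2013-05-01 10:30:00 EventID=4625 SrcIP=192.168.1.55 TargetUser=alice LogonType=3
2013-05-01 10:30:30 EventID=4624 SrcIP=192.168.1.55 TargetUser=alice LogonType=3
"""

# Assumed line format for the constructed sample (not the real event XML).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<id>\d+) SrcIP=(?P<src>\S+) "
    r"TargetUser=(?P<user>\S+) LogonType=(?P<type>\d+)$"
)

def parse_events(text):
    """Turn the sample lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "id": int(m["id"]), "src": m["src"],
            "user": m["user"], "type": int(m["type"]),
        })
    return events

def detect_password_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (source, account) pairs with >= threshold network logon failures
    inside a sliding time window, and record whether a network logon success
    from the same pair follows the burst (the case the analysis describes)."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["type"] == 3:                     # network logons only (IPC$ style)
            by_pair[(ev["src"], ev["user"])].append(ev)
    findings = []
    for (src, user), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["id"] == 4625]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1                          # extend the window from fails[i]
            if j - i + 1 >= threshold:
                burst_end = fails[j]
                success = any(e["id"] == 4624 and e["ts"] >= burst_end for e in evs)
                findings.append({"src": src, "user": user,
                                 "failures": j - i + 1, "success_after": success})
                break                           # one finding per pair is enough
    return findings

if __name__ == "__main__":
    for f in detect_password_guessing(parse_events(SAMPLE_EVENTS)):
        print(f)
```

The threshold and window are deliberately loose; tune them to the environment, and treat a burst that ends in a 4624 as the higher-priority alert, since that is the point at which the file is planted and run.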




==============================

The behavior of thread 2 is to create many endless threads for network operations that collect the user's operating system information, CPU information, memory information and network traffic information, create a network socket that actively connects to the virus author's server, and send the information to the virus author. The user's computer thus becomes a "zombie" controlled by the virus author, waiting for control commands from the author to perform malicious operations. The detailed analysis follows.

1. Create the same virus thread in an endless loop and then sleep (the virus process does this a very large number of times). Some software marks these threads as "zombie threads".


2. Create a network socket and initiate a connection to www.hacker22.com in order to receive remote control commands from the virus author.


3. Obtain the version information, CPU frequency and core count, system memory information, network traffic used and the uptime of the user's computer since boot, in preparation for sending this information to the virus author.

4. Enter an endless network wait loop for the control command sent remotely by the virus author, then parse the received control command and execute the corresponding malicious operation on the user's computer. The remote control commands are distinguished by the value of the command field nrev1_number; the individual cases are analyzed below.

The following analyzes the malicious operations associated with each remote control command of the virus author.

1. When the virus author's remote control command nrev1_number is 0x10, download a virus file from www.hacker22.com into the user's temporary directory %temp% and then run it. The names of the virus files created and released by the virus process are random numbers without a file extension.


2. When the remote control command nrev1_number is 0x6 or 0x12, the behavior on the user's computer is the same: release the ".Net CLR" mutex created by the virus, disable the ".Net CLR" service created by the virus, delete the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR", delete the virus process's own file, then still download a virus file from www.hacker22.com into the user's temporary directory %temp% and execute it. The name of the downloaded virus file consists of five random characters followed by a fixed character, in the format "%c%c%c%c%cn.exe". Finally, the current virus process exits.




 

3. Worker process.


 

4. When the remote control command nrev1_number is 0x2, 0x4 or 0x5, no substantive operation is performed: the command merely selects which network-operation API or procedure address (for example, one that operates on the URL www.hacker22.com) is used as the start routine of the threads to be created, and then creates many network socket threads in a disorderly fashion (not important).

 

5. When the remote control command nrev1_number is 0x3, parse the command sent remotely by the virus author and create the number of threads it specifies. Each thread uses the iexplore.exe program under the path C:\WINDOWS\system32\Program Files\Internet Explorer\I %e.exe to send HTTP GET requests to www.hacker22.com and download files from the virus author's server.






==============================

The behavior of thread 3 is the same as that of thread 2, except that the URL it connects to changes to aiqing.txddos.com. It creates an endless-loop virus thread that connects to the virus author's server at aiqing.txddos.com to actively accept control, receives the control commands sent by the virus author, and parses them so that the user's computer is controlled. For the detailed analysis, see the analysis of thread 2 above.



==============================

Behavior analysis of the endless zombie threads: using an endless loop, the virus creates the same thread on the user's computer over and over, and sets the service status according to the service control command nServiceControlStatus.

The role of the thread created by the endless loop is as follows. First, the string "CgvQyt0d4NzeCQsTCxND" is decrypted to obtain the IP address and port number for the network connection. Then the system, CPU, memory, network traffic and other information of the user's computer is collected and sent to the virus author. Apart from the server address, the remaining behavior is the same as in thread 2 and thread 3: the virus author remotely controls the virus, the control commands are parsed, and the user's computer is controlled.




2.1.7 If the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR" does not exist: use the current virus process (the virus file data extracted from the UPX shell) to release a virus file into the Windows directory C:\WINDOWS under a name of random letters in the format "%c%c%c%c%c.exe", such as owwesc.exe; create a virus service named ".Net CLR" and start it; set the Description value of the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR" to "Microsoft .net com+ Integration with SOAP", which makes the service look like the system's support for web SOAP access. Finally, the virus process deletes its own file and ends the current virus process through the monitoring event analyzed previously.
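Pulling the indicators of this analysis together, the following Python, added as an example and not taken from the original page, sweeps a host snapshot for the artifacts described above: the file hashes listed in section I, the hra33.dll drop path, the ".Net CLR" service and its spoofed Description, a random-letter executable registered directly under C:\WINDOWS, the ".Net CLR" mutex and the two control-server domains. The snapshot layout and its contents are constructed for the example (only the indicators themselves come from the analysis); on a real host the same fields would be filled from a file hasher, service enumeration, a handle or mutex listing and DNS logs.

```python
import re

# Indicators quoted from the analysis above (hashes lowercased for comparison).
KNOWN_MD5 = {
    "cc7e53ebce40ac0bfe07faf3592c210a",  # owwesc.exe, the unpacked parent
    "5b845c6fdb4903ed457b1447f4549cf0",  # hra33.dll
}
KNOWN_SHA1 = {"bad1ce555443fc43484e0facf8b88ea8756f78cb"}  # Rub.exe
C2_DOMAINS = {"www.hacker22.com", "aiqing.txddos.com"}
SERVICE_NAME = ".net clr"
SERVICE_DESCRIPTION = "microsoft .net com+ integration with soap"
MUTEX_NAME = ".net clr"
DROPPED_DLL = r"c:\windows\system32\hra33.dll"
# The "%c%c%c%c%c.exe" dropper lives directly in C:\WINDOWS; the observed
# owwesc.exe has six letters, so the pattern allows five or six.
RANDOM_DROPPER = re.compile(r"^c:\\windows\\[a-z]{5,6}\.exe$")

# Constructed host snapshot (assumed layout; not taken from a real machine).
HOST = {
    "files": {
        r"C:\WINDOWS\owwesc.exe": {"md5": "CC7E53EBCE40AC0BFE07FAF3592C210A"},
        r"C:\WINDOWS\system32\hra33.dll": {"md5": "5B845C6FDB4903ED457B1447F4549CF0"},
        r"C:\WINDOWS\system32\kernel32.dll": {"md5": "0" * 32},  # placeholder hash
    },
    "services": [
        {"name": ".Net CLR", "image_path": r"C:\WINDOWS\owwesc.exe",
         "description": "Microsoft .net com+ Integration with SOAP"},
        {"name": "Spooler", "image_path": r"C:\WINDOWS\system32\spoolsv.exe",
         "description": "Print Spooler"},
    ],
    "mutexes": [".Net CLR", r"Local\ZonesCounterMutex"],
    "dns_queries": ["www.hacker22.com", "www.microsoft.com"],
}

CLEAN_HOST = {"files": {}, "services": [], "mutexes": [], "dns_queries": []}

def sweep(host):
    """Return (indicator kind, matched value) pairs found in the snapshot."""
    findings = []
    for path, hashes in host["files"].items():
        md5 = hashes.get("md5", "").lower()
        sha1 = hashes.get("sha1", "").lower()
        if md5 in KNOWN_MD5 or sha1 in KNOWN_SHA1:
            findings.append(("known_hash", path))
        if path.lower() == DROPPED_DLL:
            findings.append(("dropped_dll", path))
    for svc in host["services"]:
        # Name or the spoofed Description identifies the persistence service;
        # a random-letter image in C:\WINDOWS is a weaker, renamed-variant signal.
        if (svc["name"].lower() == SERVICE_NAME
                or svc.get("description", "").lower() == SERVICE_DESCRIPTION):
            findings.append(("service", svc["name"]))
        elif RANDOM_DROPPER.match(svc["image_path"].lower()):
            findings.append(("suspicious_image_path", svc["image_path"]))
    for name in host["mutexes"]:
        if name.lower() == MUTEX_NAME:
            findings.append(("mutex", name))
    for domain in host["dns_queries"]:
        if domain.lower() in C2_DOMAINS:
            findings.append(("c2_dns", domain))
    return findings

if __name__ == "__main__":
    for kind, value in sweep(HOST):
        print(f"{kind:22} {value}")
```

The hash and name matches are exact and will miss a repacked or renamed build; the service Description, the drop location pattern and the control-server domains are the indicators most likely to survive such changes, which is why the sweep reports them separately instead of collapsing everything into one verdict.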






 
