Necurs.P2P: A New Hybrid Peer-to-Peer Network
Last week I received a botnet sample from a security researcher who suspected it was a peer-to-peer network. After analyzing it for a few days, I can confirm that it is not only a P2P network, but a very active peer-to-peer system. The person who provided the sample is a good friend of mine and also a security researcher, R136a1 (besides this botnet, he also discovered ZeroAccess3 and found the controller behind that botnet).
After searching for related information on the Internet, I found an article published in March that introduces Necurs; you may find some of the information you need there. However, it does not mention the main use of the UDP packets in Necurs. I also found an article from Blue Coat, published in September 2013, that discusses the Necurs botnet variants in detail, which you can also read.
Although I am not certain, I think the botnet discussed here is a variant of the original Necurs.
Installation Process
During the installation process...
Okay... never mind!
A quick look at the crashed system showed that the blue screen was caused by the malware's anti-virtualization code, which is both rare and rather odd. To detect a virtual environment, the malware injects a small routine into every process on the system; the routine registers an exception handler and then executes the VMCPUID instruction.
VMCPUID returns the virtual machine's CPUID to the caller, but it is only understood by some virtual machines. On a VM that does not support it, the instruction is invalid and raises an exception, which is why the routine needs an exception handler to catch it. The problem is that when the malware injects the routine into other processes, the exception handler cannot be set up properly: the exception registration data lives in the malware's .rdata section, and the injection does not copy that section along with the code. So on a VM that does not support VMCPUID, every process the routine was injected into crashes, and because critical system processes are among them, Windows bug-checks and the machine blue-screens. My guess is that the authors originally meant to run some injection-based detection against virtual machines, found that the VM kept crashing, and simply kept this half-baked technique as their anti-virtualization check (it should not crash a VM that does support VMCPUID).
Once the malware has exploited CVE-2010-4398 to elevate the privileges of the bot process, the bot copies its executable and the corresponding driver to C:\Installers\{BotGUID}\syshost.exe and C:\Drivers\{RandomName}.sys. It registers the executable as an auto-start service and the driver as a device driver loaded at startup (if needed, the bot also enables TESTSIGNING mode so that a driver without a trusted signature can be loaded). After the configuration is complete, the system is restarted.
After the reboot, the bot tries to use netsh.exe to add its process to the whitelist of the Windows Firewall (on Windows XP the malware simply disables the firewall instead).
Screenshot (not reproduced here): the bot invoking netsh.exe to add its own process to the firewall whitelist.
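The firewall change above is a good host-based detection point. The following is an added example, not code from the article or from Necurs: it scans constructed process-creation records (timestamp, image path, command line, tab-separated) for netsh.exe invocations that whitelist a program or switch the firewall off. The article does not quote the exact command line the bot uses, so the XP-era (`netsh firewall`) and Vista-and-later (`netsh advfirewall`) syntaxes matched here, and the sample records themselves, are assumptions.

```python
"""Flag netsh.exe invocations that whitelist a program or disable the firewall."""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "timestamp rule program")

# netsh syntaxes that achieve what the bot wants. The article does not quote
# the bot's exact command line, so these documented forms are an assumption.
RULES = [
    ("xp_allow_program",
     re.compile(r"\bfirewall\s+add\s+allowedprogram\b", re.I)),
    ("xp_disable_firewall",
     re.compile(r"\bfirewall\s+set\s+opmode\b.*\bdisable\b", re.I)),
    ("adv_allow_rule",
     re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b.*\baction\s*=\s*allow\b", re.I)),
    ("adv_disable_firewall",
     re.compile(r"\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
]
PROGRAM_RE = re.compile(r'\bprogram\s*=\s*(?:"([^"]*)"|(\S+))', re.I)


def scan_line(line):
    """Return a Hit for a record of the form timestamp<TAB>image<TAB>cmdline,
    or None when the record is not a suspicious netsh call."""
    parts = line.rstrip("\n").split("\t", 2)
    if len(parts) != 3:
        return None
    timestamp, image, cmdline = parts
    # Only the real netsh binary counts; the same words inside an echo or a
    # script argument of another process do not change the firewall.
    if not image.lower().endswith("\\netsh.exe"):
        return None
    for rule, pattern in RULES:
        if pattern.search(cmdline):
            m = PROGRAM_RE.search(cmdline)
            program = (m.group(1) or m.group(2)) if m else None
            return Hit(timestamp, rule, program)
    return None


def scan(lines):
    """Run scan_line over an iterable of records and keep the hits in order."""
    return [h for h in map(scan_line, lines) if h is not None]


# Constructed sample records (not real telemetry). The program path follows
# the install location named in the article.
SAMPLE_LOG = [
    "2014-03-12T10:22:01Z\tC:\\Windows\\System32\\netsh.exe\t"
    'netsh firewall add allowedprogram program="C:\\Installers\\{BotGUID}\\syshost.exe" name="syshost" mode=ENABLE',
    "2014-03-12T10:22:02Z\tC:\\Windows\\System32\\netsh.exe\t"
    'netsh advfirewall firewall add rule name="syshost" dir=in action=allow program="C:\\Installers\\{BotGUID}\\syshost.exe"',
    "2014-03-12T10:22:03Z\tC:\\Windows\\System32\\netsh.exe\t"
    "netsh firewall set opmode disable",
    "2014-03-12T10:23:00Z\tC:\\Windows\\System32\\netsh.exe\t"
    "netsh interface ip show config",
    "2014-03-12T10:24:00Z\tC:\\Windows\\System32\\cmd.exe\t"
    "cmd /c echo netsh firewall add allowedprogram",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The image check matters: the last sample record contains the whitelisting words but comes from cmd.exe, so it is ignored; in real telemetry a rule keyed on the command line alone would fire on scripts that merely mention netsh.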
Peer-to-peer communication
The botnet's control commands are issued by a central C&C server, much as in a conventional botnet, which is why this structure is called a "hybrid" P2P network. Because the peer-to-peer layer can be used at any time to push new C&C server addresses to every bot, the botnet keeps the simplicity of centralized control while gaining the resilience of a P2P network.
To take part in the P2P network, the bot generates a random port number and stores it in the registry. It binds this port for both UDP and TCP (although UDP is used most of the time), so that P2P traffic can be sent and received. The bot ships with an initial peer list of more than 1000 IP address/port pairs in its embedded configuration. Each peer is polled once per second until it answers; once a response has been received, the polling interval for that peer drops to once per minute. Oddly, before each request the bot draws a random number from 0 to 4: if it is 0, the bot opens a TCP connection to the peer, otherwise it sends a UDP packet. If the draw is uniform, this gives a UDP-to-TCP ratio of roughly 4:1 (I still cannot tell what the purpose of this mechanism is).
Screenshot (not reproduced here): the P2P protocol handler.
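The polling rules above (one source port bound for both transports, a 1 s retry dropping to 60 s after the first answer, a 0..4 draw picking TCP only on 0) give the traffic a distinctive shape. As an added example that is not the article's or the bot's code, the block below first models that behaviour to generate constructed flow records for one bot, then runs a detector over the records that looks for a single local port talking to many peers over both UDP and TCP with a UDP-heavy mix. The peer list is shortened to 40 entries and the benign traffic, thresholds and addresses are assumptions.

```python
"""Model the Necurs.P2P polling rules and flag them in flow records."""
import random
from collections import defaultdict


def choose_transport(rng):
    """Before each request the bot draws 0..4: 0 means TCP, anything else UDP."""
    return "tcp" if rng.randint(0, 4) == 0 else "udp"


def next_interval(peer_has_answered):
    """Seconds until the same peer is polled again: 1 s until it has answered
    once, 60 s afterwards."""
    return 60 if peer_has_answered else 1


def transport_mix(n, seed=7):
    """Fraction of UDP requests over n draws (expected to be about 4 in 5)."""
    rng = random.Random(seed)
    return sum(choose_transport(rng) == "udp" for _ in range(n)) / n


def simulate_bot(src_ip, src_port, peers, seconds, rng, responders=frozenset()):
    """Produce (t, proto, src_ip, src_port, dst_ip, dst_port) records for one
    bot polling its peer list with the timing and transport rules above."""
    due = {peer: 0 for peer in peers}
    answered = set()
    flows = []
    for t in range(seconds):
        for peer in peers:
            if due[peer] > t:
                continue
            dst_ip, dst_port = peer
            flows.append((t, choose_transport(rng), src_ip, src_port, dst_ip, dst_port))
            if peer in responders:
                answered.add(peer)
            due[peer] = t + next_interval(peer in answered)
    return flows


def find_pollers(flows, min_peers=20, udp_share=(0.6, 0.95)):
    """Flag (src_ip, src_port) pairs that contact many distinct peers from one
    local port over both UDP and TCP with a UDP-heavy mix. A DNS client (UDP
    only, one resolver) or a browser (TCP only) never trips this."""
    by_src = defaultdict(list)
    for t, proto, sip, sport, dip, dport in flows:
        by_src[(sip, sport)].append((proto, dip))
    hits = []
    for (sip, sport), recs in sorted(by_src.items()):
        peers = {dip for _, dip in recs}
        protos = {proto for proto, _ in recs}
        udp_frac = sum(1 for proto, _ in recs if proto == "udp") / len(recs)
        if (len(peers) >= min_peers and protos == {"udp", "tcp"}
                and udp_share[0] <= udp_frac <= udp_share[1]):
            hits.append((sip, sport, len(peers), round(udp_frac, 2)))
    return hits


def build_sample_flows(seed=1):
    """Constructed traffic (assumption): one bot with a 40-entry peer list (the
    real list has over 1000 entries), plus a DNS client and a web client."""
    rng = random.Random(seed)
    peers = [("203.0.113.%d" % i, rng.randint(1024, 65535)) for i in range(1, 41)]
    flows = simulate_bot("10.0.0.5", 41234, peers, seconds=10, rng=rng,
                         responders=frozenset(peers[:5]))
    for t in range(10):  # DNS: UDP only, one resolver, fresh source port each time
        flows.append((t, "udp", "10.0.0.7", 50000 + t, "10.0.0.1", 53))
    for t in range(10):  # web: TCP only, a handful of servers
        flows.append((t, "tcp", "10.0.0.8", 40000 + t, "198.51.100.%d" % (t % 3 + 1), 443))
    return flows


if __name__ == "__main__":
    for hit in find_pollers(build_sample_flows()):
        print("src %s:%d  peers=%d  udp share=%.2f" % hit)
```

The detector keys on the source port because the bot binds one random port for both transports, which ordinary clients do not do; the UDP share window is wide enough that the 4:1 draw lands inside it, while DNS (all UDP) and web traffic (all TCP) fail the "both protocols" test regardless of volume.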
Every bot in the network answers requests, and the responses carry a signature made with the botnet's master key, a 2048-bit RSA key. Only the holder of the private half can produce a valid signature, which prevents anyone else from introducing new response payloads into the botnet.
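To show why the master key keeps outsiders from feeding responses into the network, here is an added example (not the article's or the bot's code) of signed responses as a receiving bot would check them: the payload is hashed, the hash is RSA-signed with the private key, and a bot holding only the public key recomputes and compares. The signature scheme below is textbook RSA on a SHA-256 digest with no padding, using a seeded 1024-bit key so the example is reproducible; that is an assumption for illustration only, not Necurs' actual encoding, and a real implementation uses a vetted library with proper padding (PSS or PKCS#1 v1.5) and a 2048-bit key.

```python
"""Signed bot responses: only the master private key can produce a response
that other bots accept. Toy textbook RSA, for illustration only."""
import hashlib
import random


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test; rng supplies the witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_master_key(bits=1024, seed=2014):
    """Return ((n, e), d). Seeded so the example is reproducible (assumption);
    a real master key is 2048 bits and comes from a proper CSPRNG."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), pow(e, -1, phi)


def _digest_int(payload):
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign_response(private_d, public, payload):
    """Controller side: append the RSA signature of SHA-256(payload)."""
    n, _ = public
    k = (n.bit_length() + 7) // 8
    sig = pow(_digest_int(payload), private_d, n).to_bytes(k, "big")
    return payload + sig


def bot_accepts(public, message):
    """Bot side: split off the trailing signature, recover the signed value
    with the public key and compare it with the payload's digest."""
    n, e = public
    k = (n.bit_length() + 7) // 8
    if len(message) <= k:
        return False
    payload, sig = message[:-k], message[-k:]
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    return pow(s, e, n) == _digest_int(payload)


if __name__ == "__main__":
    pub, priv = make_master_key()
    msg = sign_response(priv, pub, b"new-cnc: 192.0.2.10:443")
    print("genuine accepted:", bot_accepts(pub, msg))
    forged = bytearray(msg)
    forged[0] ^= 0x01
    print("tampered accepted:", bot_accepts(pub, bytes(forged)))
```

A sinkhole or a rival operator can relay peers and traffic all day, but without the private key every response it fabricates fails the check, which is exactly the property the article attributes to the master key.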
It is worth noting that the P2P protocol has no peer-exchange function: bots do not trust other peers in the network and do not share information with them. Instead, the peer list is generated centrally and distributed through the C&C server. This is an effective defence against crawling and poisoning, because the server can check the addresses in the list it hands out and drop IP addresses located in data centers, which is where sinkholes and crawler nodes usually live; without this, security companies could more easily map or disrupt the botnet.
Payload Storage
All data downloaded from the C&C server or over the P2P network is stored in a temporary folder, each file under its own UUID-style name with the extension .tmp. The UUID is generated by hashing the file identifier (a static 64-bit integer that identifies the content of the file) with SHA-1.
Screenshot (not reproduced here): the file name generation function.
The file body is encrypted with RC4; the key is derived by the function shown above. In addition, the bot appends a hashed random value to the end of the file, so that two stored copies of the same payload never share a hash and file signatures over the stored payloads are useless.
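The storage scheme is simple enough to reproduce end to end, which also shows why hashing the dropped files is pointless. The block below is an added example, not the bot's code: it derives a .tmp name from a 64-bit identifier, RC4-encrypts a payload, and appends the SHA-1 of a random salt. The exact transformation from identifier to UUID (little-endian packing, first 16 digest bytes), the key, and the salt handling are assumptions, since the article does not give them.

```python
"""Payload storage as described: SHA-1 of a 64-bit file id for the name,
RC4 body, random hashed tail so no two stored copies hash the same."""
import hashlib
import os
import struct
import uuid

TAIL_LEN = hashlib.sha1().digest_size  # 20 bytes


def temp_name(file_id):
    """UUID-style file name from the 64-bit file identifier. Little-endian
    packing and taking the first 16 digest bytes are assumptions."""
    digest = hashlib.sha1(struct.pack("<Q", file_id)).digest()
    return str(uuid.UUID(bytes=digest[:16])) + ".tmp"


def rc4(key, data):
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def store_payload(key, payload, salt=None):
    """RC4-encrypt the payload and append SHA-1(salt) with a fresh random
    salt, so the same payload stored twice yields two differing files."""
    salt = os.urandom(16) if salt is None else salt
    return rc4(key, payload) + hashlib.sha1(salt).digest()


def load_payload(key, blob):
    """Inverse of store_payload: drop the hashed tail and decrypt."""
    if len(blob) < TAIL_LEN:
        raise ValueError("file too short to carry the hashed tail")
    return rc4(key, blob[:-TAIL_LEN])


if __name__ == "__main__":
    key = b"example-rc4-key"  # hypothetical; the bot derives its own
    blob_a = store_payload(key, b"update module v1")
    blob_b = store_payload(key, b"update module v1")
    print(temp_name(0x1122334455667788))
    print("same payload, same file hash:",
          hashlib.sha1(blob_a).digest() == hashlib.sha1(blob_b).digest())
    print("decrypts to:", load_payload(key, blob_a))
```

Because the RC4 body is identical for identical payloads under the same key, a defender who strips the last 20 bytes before hashing gets a stable value again; the tail only defeats signatures taken over the whole file.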
Conclusion
The above is the result of my analysis so far. Once my colleagues and I have finished all of our work, we should know a lot more about this botnet, and we will update these results as soon as the study is complete.