Reverse engineering

Tracing the Crimeware Origins by Reversing Injected Code

Part 4:Tracing the Crimeware Origins by Reversing the Injected Code

In this final part we will trace the origins of the ZeroAccess rootkit. We will discover that the purpose of this rootkit is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers. We will also see that ZeroAccess is being currently used to deliver FakeAntivirus crimeware applications that trick users into paying $70 to remove the antivirus. It could be used to delivery any malicious application, such as one that steals bank and credit card information in the future. Further analysis and network forensics supports that ZeroAccess is being hosted and originates from the Ecatel Network, which is controlled by the cybercrime syndicate RBN (Russian Business Network).

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Start Learning

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Start Learning

Let's take a look at the max++ DLL. It is injected into other processes address space by the kernel mode driver reversed in Part 3. Here are the hashes for this DLL:

FileSize: 36.00 KB (36864 bytes)

MD5: 4CE2F6BA808954FA7B1257D4C754D5B0

SHA-1: E74EA961ADCA942623AE721283D33F6907A7C86D

No VersionInfo Available.

Resource: "TYPELIB".

max++.00.x86.dll does not have an ET ( Export Table ) entire code is contained into DllEntryPoint() function.

This malicious DLL is injected via APC and ZwAllocateVirtualMemory by the second installed driver. Recall that this driver finds newly loaded processes via PsSetLoadImageNotifyRoutine.

This DLL can be debugged by using OllyDbg 1.10 LoadDLL utility. As this component is the just a small feature of ZeroAccess, we won't go into as much detail on it as we did with the two drivers and the user-mode agent.

The above ZwTestAlert function tests whether the current thread has been alerted (and clears the alerted flag). It also enables the delivery of queued user APCs. NextDisableThreadLibraryCalls disables the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the DLL. By disabling the notifications, the DLL initialization code is not paged in because a thread is created or deleted, thus reducing the size of the application's working code set. This use of DisableThreadLibraryCalls increases invisibility for the injected DLL.

The call EAX is placed inside a do-while that updates the value pointed by EAX in iteration. This involves in calling a different routine each time. Let's look at the next code block:

We see the API call completed. A thread is created, and we can inspect it by reaching the StartAddress argument. This new thread will invoke a couple of calls that will talk to a Command and Control (C&C) server. The C&C server will issue requests to websites that contain code to install further malicious code to be executed on the victim's machine.

From string analysis we can obtain some valuable information:

All these entries as you can see are placed into the hidden NTFS volume that was analyzed previously. There are also other interesting strings like:

registrymachineSoftwareMicrosoftInternet ExplorerMain{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE}

The CLSID encoding is of great help during malware forensics. It can be used to determine univocally malware type and version. A quick search show us that this CLSID belongs to Trojan-Ransom.Win32.Digitala.b which is a downloader Aagent.

The above code blocks are executed if fdwReason is satisfied. Otherwise execution flows to another block of code that essentially acts as a cleanup routine.

This injected DLL serves the purpose of generating web redirections to malicious websites that contain FakeAntivirus software. Fake antivirus software (a.k.a misleading applications or rogue antivirus) is big business nowadays with Symantec reporting 43 million installation attempts from over 250 distinct programs between July 1, 2009, to June 30, 2010. With fake AV software costing the victim anywhere from $30 to $100, this is a lucrative earner for criminals.

The malicious URLs are:

http://intensedive.com/install/setup.php?m=d310b08f1d6d&i=1&id=000069000
http://intensedive.com/install/setup.php?m=d310b08f1d6d
http://intensedive.com/updates/cleaner.dll?m=d310b08f1d6d

The IP address behind these domains is 94.102.63.99. From www.robtex.com we can see the following graph

AS29073 belongs to Ecatel Network which is a well known crimeware friendly ISP.

http://hphosts.blogspot.com/2009/11/crimeware-friendly-isps-ecatel-as29073.html

Ecatel is infamous for the massive hosting of malware and spambots, the most widely used IPs are:

94.102.60.151
94.102.60.152
94.102.60.153
94.102.60.182
94.102.60.43
94.102.60.77

Detailed information on Ecatel activities can be seen here: http://www.sudosecure.net/archives/333

Often Ecatel was involved into fakeAV campaigns, and ZeroAccess drives to fake software download. From sudosecure.net we see a relation with the well-know cybercrime ring, RBN ( Russian Business Network ).

Tracing the Crimeware Origins by Reversing Injected Code

Get certified and advance your career