fujacks a modern file infector

8/6/2019 Fujacks a Modern File Infector

1/20

Fujacks: A Modern File Infector

Joel Yonts

Chief Scientist

Malicious Streams

MaliciousStreams


2/20

FUJACKS:AMODERNFILEINFECTOR

JoelYonts/MaliciousStreams

(TheManyFacesofFujacks)

1.0INTHEEARLYDAYS 3

2.0FUJACKSAMALWAREOFADIFFERENTCOLOR 32.1FIRSTIMPRESSIONS 32.2STRUCTURALANALYSIS 3Figure2.2.1:FileStructureofMaliciousSample 4Figure2.2.2:PEHeader#1ofMaliciousSample 4Figure2.2.3:PEHeader#2ofMaliciousSample 5 Figure2.2.4:FujacksInfectedFileTag 5

2.3TROJANLIKEBEHAVIOR 5Figure2.3.1:DropperTrojanInfection 6

Figure2.3.2:InternetActivityAssociatedwithMalwareInfection 7 2.4AVIRALTWIST 7Figure2.4.1:ViralReproduction 8

2.5THEWORMEMERGES 8Figure2.5.1:NetworkWormandLocalStorageReproduction 9

3.0WHYFILEINFECTORREPRODUCTION? 93.1STEADYHANDNEEDEDTOREPAIRINFECTEDFILES 10

4.0DETECTING&RESPONDINGTOFUJACKSINFECTIONS 104.1GENERALDEFENSEAGAINSTFILEINFECTORS 104.2FUJACKSSPECIFICDEFENSEANDERADICATION 11

5.0FINALTHOUGHTS 12APPENDIXA:INFECTIONARTIFACTS 13

Artifact1:ListofsecurityrelatedservicesdisabledbyFujacks 13Artifact2:APIcallsusedtolocatelocalstorageinfectiontargets 13Artifact3:DictionaryattackagainstanSMBshare 14Artifact4:FileoperationsforloadinginfectedPEintomemory 15 Artifact5:Fileoperationsfordroppingoriginal(clean)PE 15 Artifact6:Fileoperationsfordroppingtemporarybatchfile 16Artifact7:Droppedbatchfile(81$$.bat)usedtoreplace/cleaninfectedsample.exe 16Artifact8:FileoperationsfordroppingmaliciousPE 16Artifact9:Autorunkeyinstalledattheinitialstartupofncscv32.exemalware 17 Artifact10:FileoperationsoverwritinginfectiontargetwithacopyofFujacks 17Artifact11:TemporaryIconfileisusedtopreserveoriginalPEIcon 18Artifact12:OriginalPE(run.exe)isappendtonewinfectedPE 18

APPENDIXB:SAMPLEFUJACKSPEDISINFECTOR 19AppendixB:Proof-of-conceptPythonfunctionforcleaningaFujacksinfectedPE 19


3/20



1.0IntheEarlyDays

Backintheearlydaysofthepersonalcomputer,theComputerVirusdominatedtheworld.

These tiny (cyber) life formsdidnt exist in the world of infectedwebsites and massiveSPAMattacks.No,theever-popularfloppywasthemediumofinfection.Spreadingfromonestudentorcolleaguetothenextthroughthesharingoftheselegacystoragedevices.Itwasntaboutstealingyourmoneyoridentityinthatday;itwasaboutmakinganameforyourself amongst your friends and the hacker community. Then the Internet grew up,moneybegan to flowacross themassive sea of inter-connected hostsand the REALbadbuyspaidattention.Weallknowthestory.Overtime,malwareauthorsfoundbetterwaysto distribute theirwares and the way of the file infecting virus largely died out untilrecently.In2007,webegantoseearebirthintheareaofFileInfectors.AtfirstglancethislookedlikeouroldfriendtheparasiticvirusbuttherehasbeenasubtlechangeintheDNAoftheseoldthreats.ThisnewbreedofmalwaretooktodaysblendedthreatandaddedtheinfectioncapabilitiesofahighlycontagiousFileInfector.

2.0FujacksAmalwareofadifferentcolor

Fast forward tomid 2007. The Fujacks family ofmalware began to climb the infectionprevalencecharts.Thisnewfamilywasactuallyfirstdiscoveredinlate2006buttheearlyvariants lacked some of the advanced reproductive behaviors that allowed Fujacks tomultiplyitsvictimsandgainintheranksofthemostinfectious.ThisreportwillfocusononeofthemoreevolvedvariantsknownasFujacks.AB.

2.1FirstImpressions

OneoftheinitialinterestingthingsInotedaboutthissampleishowmuchtheclassificationofthismalwarevariedacrossAVvendors.Evenamongstthemajorvendorssomecalledthe sample aWorm,othersaTrojan,andothers stilla Virus. AfteranalyzingthesamplepersonallyIcouldseewhytheconfusionexistedandhow,likethehorseofadifferentcolorinoz,thesampleseemedtochangebeforemyveryeyes.

2.2StructuralAnalysis

Asmanywoulddo,myfirststepinanalyzingthissampleincludedtakingalookunderthehoodandpeeringatthefilestructure,imports,andembeddedstrings.Thefilestructureprovidedthefirstsurprise.TheSectionsincludedaverylargeExtraDatsegment.


4/20


JoelYonts/MaliciousStreams 4

Figure2.2.1:FileStructureofMaliciousSample

Examining the contentsof the extra segment revealedanother PEheader. A second PEheadermostprobably indicated an embeddedPE file thatwouldlenditself toaDropperTrojanmalwarestructure.Thiswouldalsoimplyatypicaldropperreproductionthatreliesonuser interactionwithaprobable delivery throughattachments inemails andInternetdownloads.

00000000 4d5a 0000 0000 0000 0000 0000 5045 0000 MZ..........PE..00000010 4c01 0200 4653 4721 0000 0000 0000 0000 L...FSG!........00000020 e000 8f81 0b01 0000 00da 0100 0066 0000 `........Z...f..00000030 0000 0000 5401 0000 0010 0000 0c00 0000 ....T...........

Figure2.2.2:PEHeader#1ofMaliciousSample


5/20



00010d40 7265 7373 0034 4238 0300 4d5a 9000 0300 ress.4B8..MZ....00010d50 0000 0400 0000 ffff 0000 b800 0000 0000 ..........8.....00010d60 0000 4000 0000 0000 0000 0000 0000 0000 ..@.............

00010d70 0000 0000 0000 0000 0000 0000 0000 0000 ................00010d80 0000 0000 0000 8000 0000 0e1f ba0e 00b4 ............:..400010d90 09cd 21b8 014c cd21 5468 6973 2070 726f .M!8.LM!This pro00010da0 6772 616d 2063 616e 6e6f 7420 6265 2072 gram cannot be r00010db0 756e 2069 6e20 444f 5320 6d6f 6465 2e0d un in DOS mode..00010dc0 0d0a 2400 0000 0000 0000 5045 0000 4c01 ..$.......PE..L

Figure2.2.3:PEHeader#2ofMaliciousSample

AnotherinterestingnotewastheexistenceofaWHBOYstringattheveryendofthefile.

Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E

-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------0001d100 0000 0000 0000 0000 0000 0000 0000 0000 ................0001d110 0000 0000 0000 0000 0000 0000 0000 0000 ................0001d120 0000 0000 0000 0000 0000 0000 0000 0000 ................0001d130 0000 0000 0000 0000 0000 0000 0000 0000 ................0001d140 0000 0000 0000 0000 0000 0057 4842 4f59 ...........WHBOY0001d150 7275 6e2e 6578 652e 6578 6502 3530 3137 run.exe.exe.50170001d160 3601 6.

Figure2.2.4:FujacksInfectedFileTag

Thisstringandfollowingfilename/filesizecombinationturnedouttobeatagaddedbyFujacksthatcontainedtheoriginalnameandoriginalsizeoftheinfectedfile.

Examiningembeddedstringsandtheimporttablerevealedlittleofinterest.ImportswereverylightwithGetProcAddressandLoadLibrarybeingtheonlyimportedfunctions.StringswerefairlystandardwiththeonlyanomalybeingthereoccurringstringWhBoy.

2.3TrojanLikeBehavior

Takinghigh-levelstructuralanalysisandspeculationonlysofar,mynextstepwastorunthesampleinacontrolledenvironment.Uponexecution,themalwaresampleseparatedthetwoPEfilesbydroppingadisinfectedcopyofthecarrierprogramlocallyandbydroppingamalicious PE file in the%SYSTEM%/driversdirectory. At the end of this process theinfectedsamplewasdeletedandboththedisinfectedcarrierPEandthemaliciousPEwere

executed.Theendresult:theuserseestheprogramtheyexecuted(noalterationoftheuserexperience)andthemaliciousPEwasrunningsilentlyinthebackground.Furthermore,themalicious PEwas set torestarteachtime the computerrestarts tomaintain apersistentinfection.


6/20



Figure2.3.1:DropperTrojanInfection

AtthispointIhadseentheanticipateddropperTrojanbehaviorandcouldunderstandtheTrojan classification. Another anticipated behavior was the Internet activity observeddirectly following the installation of the malicious PE. The exact purpose behind theInternetaccesswasnotdeterminedduringtheanalysisduetotheremotesitebeingofftheair.Fromthehttprequestitwaseasytospeculatethatadditionalmalwareoratleastanupgradeoftheexistingmalwarewastheinitialintent.

FujacksTag

sample.exe

ncscv32.exe

Heap Memory

Fujacks Tag

sample.exe

ncscv32.exe

sample.exe(infected)

Sample.exe (Infected)

* Prepended Malware PE

* Appended Infection Tag

Initial Execution1. User Execution2. Process Startup3. sample.exe loaded

into memory

Disinfect Dropper4. Original (clean) PE dropped from memory

5. Temp batch file dropped from memory6. .bat deletes sample.exe (infected)7. .bat renames sample.exe.exe (clean) to sample.exe8. .bat starts new sample.exe (clean) and deletes itself

sample.exe.exe

%TEMP%/

$$.bat

/

sample.exeUser

User

sample.exe

(clean)

%SYSTEM%/drivers/

ncscv32.exe

ncscv32.exe(fujacks)

HKEY_USERS\...\Run\ncscv32

2

1

3

Install Malware9. Malware PE dropped from memory10. Newly dropped Malware is excecuted11. Malware PE installs autorun key12. Infected sample.exe process exits

11

4

5

6

7

8

9 10

12


7/20



DNSQuery:www.whboy.netDNSResponse:69.64.155.133

HTTPGetRequest:GET/update/wormcn.txtHTTP/1.1User-Agent:QQHost:www.whboy.netCache-Control:no-cache

Figure2.3.2:InternetActivityAssociatedwithMalwareInfection

2.4AViralTwist

Just asIwas readytodeclare this sample aTrojan, Inoticed itbegantomultiply! Themalicious PE was multi-threaded with several of its threads intent on spreading themaliciouscode.

First,itscannedlocalvolumeslookingforPE(exe),asp,aspx,jsp,htm,andhtmlfiles.Oncethemalwareidentifiedavictim,aninfectionprocessbegan.PEfileswerepre-pendedwithacomplete copy of the newly installed malware while web files were appended with amaliciousiframethatwouldsecretlydirectallwhoviewedthewebcontenttoamaliciousdownload site. After the infection process,manyof the PE files residingon the systembecameTrojanswiththesamelayoutasouroriginalsample.OneoddnoteaboutthePE

infectionwasonlytargetPEswithembeddediconresourceswereinfected.IbelievethistobeashortcominginthecodingofthisFujacksvariant.EarliervariantsinfectedallPEfilesbut changed all infected files to a standard icon supplied by Fujacks. The AB variantimplemented logic to preserve the original icon using temp files and a reload process.Apparentlyaddingthislogicalteredthelogicusedtoselectinfectiontargets.

Another artifact of the Fujacks infection process was the tagging of previouslyscanned/infected directories. After multiple restarts of the dropped malicious PE, Idiscovered the File Infection processwouldalways resume inthedirectorywhereit lastvisited.Knowingthispersistenceofinformationmustbemaintainedondisk,IdiscoveredtheDesktop__.inifile.ThisfilewasdroppedineachdirectoryasFujacksrecursivelyscanned

thefilesystemlookingforinfectionvictims.ThefilewassettoSystem,Hidden,andRead-onlytohideitspresencesandsimplycontainedYYYY-MM-DDofthelastscanbyFujacks.EachtimethemaliciousPEwasrestarteditwouldrecursivelyscanafilesystemandskipanydirectorythatcontainedaDesktop__.inifilewiththecurrentdate,effectivelyresumingthesystemscanfromthelastdirectoryvisited.


8/20



Figure2.4.1:ViralReproduction

AtthispointIhadseenafileinfectortypereproductionthathashistoricallybeenassociatedwithacomputervirus.SoifwestoppedthestoryhereIwouldbecomfortablewiththeTrojanandVirusclassificationsbutnotnetworkWorm.

2.5TheWormEmerges

Notcontentwiththenativesoilbeingconquered,however,severalthreadsofthemaliciousPE began a systematic sweep of the local subnet looking for othermachines with SMBsharingenabled.Ifavictimwaslocated,themaliciousPEbeganalimiteddictionaryattack

against the SMB share. If the targetmachinehad anopen share orweakpassword, themaliciousPEcompromisedtheremotesystembyplacingacopyofitself(namedSetup.exe)ontheremotesystemandsettingittoautomaticallystartifauserbrowsedthetargetdrive.Tofurtherthecompromise,themaliciousPEalsobeganarecursivesweepoftheremote

FujacksTag

target.exe

ncscv32.exe

icon

Infect PE Files2. Target.exe loaded into memory

3. Icon resource of target.exe written to temp file4. Overwrite target.exe with a copy of ncsv32.exe5. Icon set to original icon using temp file6. Append file with target.exe from memory7. Append fujacks specific tag

ncscv32.exe

(fujacks)

2

1

3 4

5

6

7

2a

%TEMP%/$$.ico

target.exe

(.asp, .aspx, .jsp, .htm, .html)

.exe

%SYSTEM%/drivers/

ncscv32.exe

Heap Memory

target.exe

target.exe(Infected)

Infection Targets

1. Searches for PE, html, aspxfiles dropping Desktop__.iniin each directory

* Skips directory if desktop__.ini is

present and has current date.

Infect Web Files2a. Append infectous iframe to each file

Desktop__.ini

(System, Hidden, RO)


9/20



filesystem lookingforadditionalPEandwebfiles to infectusing thesameprocessnotedabove.

A nearly identical infection process occurred for attached storage such asUSB drives &iPods.Theonlyvariationwasthename(GameSetup.exe)usedforthedroppedmaliciousPE.

Figure2.5.1:NetworkWormandLocalStorageReproduction

SonowweseethewormbehaviornotedbyseveralAVresearchers.Itiseasytoseethatthis malware species has a complicated lifecycle which explains the naming conventionconfusion.

3.0WhyFileInfectorReproduction?

AsI alluded toearlier,webeganwith the age ofthe virus, enduredthe onslaught ofthenetworkwormage,andseeminglyhavesettledintotheageoftheTrojan.IknowthingsarenotsocutanddrybutgenerallyIbelievethisclassificationoferasholdtrue.IfIcouldpointtoonethingthathasbeengoodaboutourcurrentageoftheTrojan,itisinfectionsstayput!IfaTrojangetsthroughperimeterdefensesandinfectsacorporate(orhome)usersPCthe

Network SMB Infection1a. Multiple threads search for and attack SMB shares

using basic dictionary attack2a. Drop Setup.exe & autorun.inf on remote system3a. Search & infect remote system .exe, .html, and .aspx

3a

ncscv32.exe

(fujacks)

1a

2a[NET DRIVE]:\Setup.exe

[NET DRIVE]:\Autorun.inf

Fileserver WorkstationSMB

SMB

SMB[NET DRIVE]:*\*.exe

[NET DRIVE]:*\*.html

[NET DRIVE]:*\*.aspx

Remote System

USB Devices

[DRIVE]:\GameSetup.exe

[DRIVE]:\Autorun.inf

[DRIVE]:*\*.exe

[DRIVE]:*\*.html

[DRIVE]:*\*.aspx

Local System

Attached Storage Infection

1. Multiple threads locate

attached storage

2. Drop GameSetup.exe &

autorun.inf

3. Search & infect .exe, .html,

and .aspx

1

2

3


10/20



infectionwillbecontainedandonlythedataflowingthroughoraroundthismachineisatrisk. Thiswas a huge relief after the geometric reproduction of the networkwormera.However,theblendedthreatthatFujacksbringstothetablegivestheattackersthebestofmultipleworlds.Withthisattack,theycanutilizetherobustfunctionalityandstealthofaTrojan during penetration and become cyber cockroaches scurrying from one internalmachinetothenextoncetheypenetrate.ReintroducingthereproductivethreatmaybeamajorcontributortotheresurgenceinFileInfectorssuchasFujacks.

Alongthosesame lines, the proliferationofUSB thumbdrives andpersonalMP3playerssuch as iPodshavemade the USB Infectorportion of the Fujacksmalwareanattractiveaddition.Thisvectoralsopavesthewayforfuturenon-conventionaltargets.Inthenearfuture your printers, household appliances, car, etc.may be infected with a Fujacks likemalwarebecauseoftheirlocalstoragecapabilities.

One finalnote on the reproductive behavior worth highlighting is the web file infectionvector. This vectorhas far reaching potential for infection ifweb content that ishostedInternetorcorporateintranet-facingisinthepathofinfection.Allthatisrequiredisforaweb server,web content file server, orweb developer to become infectedwith Fujacksthrough one of the many infection vectors and the potential for infecting customers,businessassociates,andfriendsgreatlyincreases.

3.1SteadyHandNeededtoRepairInfectedFiles

Beyond reproductivebehavior, anothermotive for the resurgencemaybe theadditionalcomplicationandtimerequired to containandclean infection outbreaks. WithaTrojan,simplydeletingtheoffendingfileandsupportingregistrykeysmaybeenoughtoeradicatethe threat. Intheworldof file infectors, the infectionmay beattachedto yourbusinesscriticaldocuments, attachedto theweb content that provides 100%ofyour revenue,oryoursingle copyofthe termpaperdue tomorrow. Disinfecting file infectorsmostofteninvolves slicing and dicing your treasured files and removing the malicious componentswithoutharmingtheknowngoodcontent.Obviouslytheneedforaccuracyiscriticalwithlittle tolerance for error. This extra time can prolong the infection hours if not days.Whether this aspect of file infectors is a primary motive or a by-product, the attackercommunityistheonebenefiting.

4.0Detecting&RespondingtoFujacksInfections

4.1GeneralDefenseAgainstFileInfectors

Nomalwareanalysiswrite upwouldbecompletewithoutadefensesection.Allthingsconsidered,Fujacksisstillafairlyeasyfamilytoguardagainst.Thefamilydoesnotutilizeacryptographicpacker,itislightonanti-debuggingtechniques,andthefilechangesareeasy


11/20



todetect.Atasummarylevel,thesamekeyelementsofdefenseagainstgeneralmalwarethreats hold true. Specifically the need for network basedanti-malware + IPS and hostbasedanti-malware+IPSformthecoredefense.Additionaltechnologyneededforaholisticdefenseinclude:

Monitoring&filteringofentrypointssuchaswww&email Networkmonitoringtoolsidentifyingtoptalkers&suspiciousflows DataLossPreventionsolutions Fileintegritymonitoring Network&hostwhite-listing

4.2FujacksSpecificDefenseandEradication

Inadditiontothesegeneraldefenseguidelines,searchingforanyoftheartifactsnotedinappendixAwouldprovideagooddetectivecontrol.

InfectionArtifacts-Detection

Presenceofanewfilein%SYSTEM%/drivernamedncscv32.exe Presenceofanunknownsystemprocessnamedncscv32 Presenceofnvscv32registryvaluesetinthe\Windows\CurrentVersion\Runkey Presenceofasystem,hidden,read-onlyfilenamedDesktop__.inilocatedin

potentiallyinfecteddirectories

Presenceofahiddeniframeassessinghttp://www.lovebak.com/qq.htmappendedtoasp,aspx,jsp,htmandhtmlfiles

PresenceofGameSetup.exeandSetup.exeonlocalstoragedevicesandnetworkshares

Unexplained$$.batand$$.icofilesinuser%TEMP%directory EmailattachmentorfiledownloadthatcontainstwoPEheaders.Somegenericanti-

malwaresignaturescandetectdoublePEsasapotentialdropperTrojan.

PEfilessuddenlygrowinginsize(approximately60K)andendingwiththefollowingASCIstringWHBOY.exe.exe.

UnexplainedSMBnetworkconnectionattemptstoothersystemsontheLAN PhoneHomehttpactivitytowww.lovebak.comand/orwww.whboy.net ManyoftheFujacksvariantschangedtheiconofallinfectedfiles.Icantexplainthis

inanyotherwayexceptsloppinessontheviruswriterspart.Thisshouldbeahugeredflagtoendusers.


12/20



InfectionArtifacts-Eradication

CheckwithyourAVvendorforthelatestsignaturesanddetectionheuristics.IfyourAVCompanycurrentlydoesnthavecoverage,attempttocreateacustomersignatureandsubmitasamplefortheiranalysis.

Determinephonehome&maliciousdownloadsitesandblockthematyournetworkorhostfirewall.Inthiscasewww.lovebak.comandwww.whboy.netshouldbeblocked.

Killmaliciousprocessncscv32,deletencscv32.exefrom%SYSTEM%/driversdirectory,andremovetheautrorunvaluenvscv32from\Windows\CurrentVersion\Run.

SearchalllocalstorageanddeleteinstancesofGameSetup.exeandsupportingAutorun.infentry

SearchallnetworksharesanddeletemaliciousinstancesofSetup.exe(Usewww.virustotal.comifnecessarytoensurevalidSetup.exefilesarenotdeleted)

Ifpossible,disableopensharesandsetstrongpasswordsforremainingnetworkshares

Searchallwebfilesforthepresenceofthewww.lovebak.comandrestoringthemfromabackuporremovetheappendediframestringifinfected.

RestoreinfectedPEfilesfromabackuporcreateacustomdisinfector(AppendixB)5.0FinalThoughts

Whileresearchingclassicfileinfectors,Icameacrossonespeciesthathadasimilarinfectedfile format asFujacks. The specieswas calledW32/Sand.123000 andwas discovered in

2003.LikeFujacks,filesinfectedwithSand.12300separatetheoriginalPEandthemaliciouscode

into separate files at run time. After separation both files areexecuted, again resembling the execution of a Fujacks infectedfile. Could Sand.12300 be the inspiration for the design ofFujacks?

Regardless of its ancestry, the Fujacks family is certainly aninterestingmalwaregroup that hasa complicated reproductivecycle. Iwould still consider this almost a proof-of-concept forwhat could be a serious threat when combined with other

advanced techniques such as rootkit technology and alternatedata streams. A healthy focus from our security productproviders and incidentrespondersonhow todealwith todaysfile infectors will pay dividends and help ensure we are wellpreparedforthenextevolution.

Amoeba Infector

ProgramCode

Amoeba Virus(W32/Sand.12300)

Malicious Code(Head)

Malicious Code(Tail)


13/20



AppendixA:InfectionArtifacts

Attempts to access service "Schedule".Attempts to access service "sharedaccess".Attempts to access service "RsCCenter".Attempts to access service "RsRavMon".Attempts to access service "RsCCenter".Attempts to access service "RsRavMon".Attempts to access service "KVWSC".Attempts to access service "KVSrvXP".Attempts to access service "KVWSC".Attempts to access service "KVSrvXP".Attempts to access service "kavsvc".Attempts to access service "AVP".Attempts to access service "AVP".Attempts to access service "kavsvc".

Attempts to access service "McAfeeFramework".Attempts to access service "McShield".Disables security related services.

Artifact1:ListofsecurityrelatedservicesdisabledbyFujacks

00666 0x0041D3FD=KERNEL32!GetDriveTypeA ("A:\")00667 0x0041D3FD=KERNEL32!GetDriveTypeA ("B:\")00668 0x0041D3FD=KERNEL32!GetDriveTypeA ("C:\")00669 0x0041D3FD=KERNEL32!GetDriveTypeA ("D:\")00670 0x0041D3FD=KERNEL32!GetDriveTypeA ("E:\")

00671 0x0041D3FD=KERNEL32!GetDriveTypeA ("F:\")

omitted for brevity

00685 0x0041D3FD=KERNEL32!GetDriveTypeA ("T:\")00686 0x0041D3FD=KERNEL32!GetDriveTypeA ("U:\")00687 0x0041D3FD=KERNEL32!GetDriveTypeA ("V:\")00688 0x0041D3FD=KERNEL32!GetDriveTypeA ("W:\")00689 0x0041D3FD=KERNEL32!GetDriveTypeA ("X:\")00690 0x0041D3FD=KERNEL32!GetDriveTypeA ("Y:\")00691 0x0041D3FD=KERNEL32!GetDriveTypeA ("Z:\")00692 0x7C809463=KERNEL32!Sleep (0x00000000)

Artifact2:APIcallsusedtolocatelocalstorageinfectiontargets


14/20



0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"","Administrator",0x00000000)0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" withusername=%s and password=%s",0x201D2A20....)

0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"1234","Administrator",0x00000000)0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" withusername=%s and password=%s",0x201D2A20....)

0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"","Guest",0x00000000)0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" withusername=%s and password=%s",0x201D2A20....)

0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"1234","Guest",0x00000000)0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" withusername=%s and password=%s",0x201D2A20....)

0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"","admin",0x00000000)0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" withusername=%s and password=%s",0x201D2A20....)

0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"1234","admin",0x00000000)0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" withusername=%s and password=%s",0x201D2A20....)

0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"","Root",0x00000000)0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" withusername=%s and password=%s",0x201D2A20....)

0x0041CBF8=MPR!WNetAddConnection2A (0x4FDFBF18,"1234","Root",0x00000000)0x733D1308=USER32!wsprintfA (0x4FDFBCE8,"Connection to resource "%s" with

username=%s and password=%s",0x201D2A20....)

0x0041CC1F=MPR!WNetCancelConnectionA ("\\10.0.0.116",0xFFFFFFFF)0x0041D10D=KERNEL32!Sleep (0x00000200)

Artifact3:DictionaryattackagainstanSMBshare


15/20



ProcessName Operation Target Detailsample.exe ReadFile C:\mw\sample.exe Offset:0,Length:20,480

sample.exe QueryStandardInformationFile

C:\mw\sample.exe AllocationSize:122,880,EndOfFile:119,138,NumberOfLinks:1,DeletePending:False,Directory:Fals

sample.exe ReadFile C:\mw\sample.exe Offset:20,480,Length:20,480















sample.exe CloseFile C:\mw\sample.exe

Artifact4:FileoperationsforloadinginfectedPEintomemory

ProcessName Operation Target Detail

sample.exe WriteFile C:\mw\sample.exe.exe Offset:0,Length:128sample.exe WriteFile C:\mw\sample.exe.exe Offset:128,Length:128sample.exe WriteFile C:\mw\sample.exe.exe Offset:128,Length:128sample.exe WriteFile C:\mw\sample.exe.exe Offset:256,Length:128sample.exe WriteFile C:\mw\sample.exe.exe Offset:256,Length:128sample.exe WriteFile C:\mw\sample.exe.exe Offset:384,Length:128

sample.exe WriteFile C:\mw\sample.exe.exe Offset:49,792,Length:128

sample.exe WriteFile C:\mw\sample.exe.exe Offset:49,920,Length:128sample.exe WriteFile C:\mw\sample.exe.exe Offset:50,048,Length:128sample.exe CloseFile C:\mw\sample.exe.exe **()representsrepeatingoperations

Artifact5:Fileoperationsfordroppingoriginal(clean)PE


16/20




sample.exe WriteFile C:\DocumentsandSettings\***\LocalSettings\Temp\81$$.bat Offset:0,Length128

sample.exe WriteFile C:\DocumentsandSettings\***\LocalSettings\Temp\81$$.bat Offset:128,Length:43

sample.exe WriteFile C:\DocumentsandSettings\***\LocalSettings\Temp\81$$.bat Offset:128,Length:43

sample.exe CloseFile C:\DocumentsandSettings\***\LocalSettings\Temp\81$$.bat

Artifact6:Fileoperationsfordroppingtemporarybatchfile

try1del "C:\mw\sample.exe"if exist "C:\mw\sample.exe" goto try1ren "C:\mw\sample.exe.exe" "run.exe"if exist "C:\mw\sample.exe.exe" goto try2"C:\mw\sample.exe":try2del %0

Artifact7:Droppedbatchfile(81$$.bat)usedtoreplace/cleaninfectedsample.exe

Process

Name Operation Target Detailsample.exe WriteFile C:\WINDOWS\system32\drivers\ncscv32.exe

Offset:0,Length:128

sample.exe WriteFile C:\WINDOWS\system32\drivers\ncscv32.exe

Offset:128,Length:128

sample.exe WriteFile C:\WINDOWS\system32

\drivers\ncscv32.exeOffset:68,608,Length:128


Offset:68,736,Length:128


Offset:68,864,Length:74

sample.exe CloseFile C:\WINDOWS\system32\drivers\ncscv32.exe

**()representsrepeatingoperations

Artifact8:FileoperationsfordroppingmaliciousPE


17/20



RegistryKeyModifications:

Key Name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunClass Name: Last Write Time: 9/18/2008 - 10:07 AMValue 0

Name: nvscv32Type: REG_SZData: C:\WINDOWS\system32\drivers\ncscv32.exe

Artifact9:Autorunkeyinstalledattheinitialstartupofncscv32.exemalware

Artifact10:FileoperationsoverwritinginfectiontargetwithacopyofFujacks


ncscv32.exe QueryStandardInformationFile

C:\WINDOWS\system32\drivers\ncscv32.exe

AllocationSize:69,632,EndOfFile:68,938,NumberOfLinks:1,DeletePending:False,Directory:False

ncscv32.exe WriteFile C:\cygwin\bin\run.exe Offset:0,Length:65,536

ncscv32.exe WriteFile C:\cygwin\bin\run.exe Offset:65,536,Length:3,402

ncscv32.exe SetBasicInformationFile

C:\cygwin\bin\run.exe CreationTime:0,LastAccessTime:0,LastWriteTime:9/24/20089:59:17AM,ChangeTime:9/25/20087:40:47AM,FileAttributes:n/a

ncscv32.exe CloseFile C:\WINDOWS\system32\dr

ivers\ncscv32.exe

ncscv32.exe CloseFile C:\cygwin\bin\run.exe


18/20




ncscv32.exe CreateFile C:\DocumentsandSettings\***\LocalSettings\Temp\94$$.Ico

DesiredAccess:GenericRead,Disposition:Open,Options:SynchronousIONon-Alert,Non-DirectoryFile,Attributes:N,ShareMode:Read,Write,AllocationSize:n/a,OpenResult:Opened


C:\DocumentsandSettings\***\LocalSettings\Temp\94$$.Ico

AllocationSize:4,096,EndOfFile:766,NumberOfLinks:1,DeletePending:False,Directory:False

ncscv32.exe ReadFile C:\DocumentsandSettings\***\LocalSettings\Temp\94$$.Ico

Offset:0,Length:766


C:\DocumentsandSettings\***\LocalSettings\Temp\94$$.Ico

AllocationSize:4,096,EndOfFile:766,NumberOfLinks:1,DeletePending:False,Directory:False

ncscv32.exe CloseFile C:\DocumentsandSettings\***\LocalSettings\Temp\94$$.Ico

Artifact11:TemporaryIconfileisusedtopreserveoriginalPEIcon


ncscv32.exe CreateFile C:\cygwin\bin\run.exe DesiredAccess:GenericRead/Write,Disposition:Open,Options:SynchronousIONon-Alert,Non-DirectoryFile,Attributes:N,ShareMode:Read,AllocationSize:n/a,OpenResult:Opened


C:\cygwin\bin\run.exe AllocationSize:69,632,EndOfFile:68,938,NumberOfLinks:1,DeletePending:False,Directory:False

ncscv32.exe ReadFile C:\cygwin\bin\run.exe Offset:68,810,Length:128

ncscv32.exe WriteFile C:\cygwin\bin\run.exe Offset:68,938,Length:128



**(

)representsrepeatingoperationsArtifact12:OriginalPE(run.exe)isappendtonewinfectedPE


19/20



AppendixB:SampleFujacksPEDisinfector

##############################################################################

# cleanFile

# - Proof-of-Concept Python function for cleaning a Fujacks infected PE

# - Function lacks necessary error checking and logging

#

def cleanFile ( infectedFile ):MAX_FJ_TAG_SIZE=256

# Open Infected File

infectedFP =open(infectedFile, "r")

# Read End of File

infectedFP.seek(-(MAX_FJ_TAG_SIZE), os.SEEK_END)fileChunk=infectedFP.read(MAX_FJ_TAG_SIZE)

# Search for Fujacks Tag

# Format of Tag: WHBOY.exe..

fjTagRE="WHBOY(.*\.exe)\.exe.([0-9]*)."fjTagPattern= re.compile(fjTagRE)

mobj =fjTagPattern.search(fileChunk)

# Parse Fujacks Tag

fjTagLoc = MAX_FJ_TAG_SIZE-mobj.start()fnameOrigPE=mobj.group(1)sizeOrgPE=int(mobj.group(2))

# Write Clean PE

locOrigPE=fjTagLoc+sizeOrgPE+1infectedFP.seek(-(locOrigPE), os.SEEK_END)

tmpFd, cleanFile = tempfile.mkstemp(suffix=".clean", text=False, dir=".")os.write(tmpFd, infectedFP.read(sizeOrgPE))

infectedFP.close()os.close(tmpFd)

# Restore Original PE

os.rename(infectedFile, infectedFile+".infected")os.rename(cleanFile, fnameOrigPE)

AppendixB:Proof-of-conceptPythonfunctionforcleaningaFujacksinfectedPE


20/20


Joel Yonts / Malicious Streams

References

Quist,D.(2008,December).Offensivecomputing.Retrievedfromhttp://www.offensivecomputing.netSkoudis,E.,&Zeltser,L.(2004).Malware:FightingMaliciousCode.(M.Franz,Ed.)UpperSaddleRiver,NJ:PrenticeHall.

Szor,P.(2005).TheArtofComputerVirusResearchandDefense.(K.Gettman,J.Goldstein,G.Kanouse,K.Hart,&C.Andry,Eds.)UpperSaddleRiver,NJ:PearsonEducation,Inc.

Zeltser,L.(2010).Reverse-engineeringmalware:malwareanalysistoolsandtechniques.ProceedingsoftheSANSconference