Malware Characteristics Report – Trojan.RegSubsDat.A
A while back Harlan posted Looking for “Bad Stuff”, pt III (Malware Detection). In this post he outlined a method of talking about malware so that it could be more easily understood during an incident response. With the increasing complexity of malware and the variety of analysis interpretations, I think that it is important that we start thinking about a more standard way of explaining malware capabilities and characteristics.
To help with this I have taken a relatively new piece of malware and run it through the paces that Harlan describes. I have to warn you, there are still things that are not completely understood about this malware. But, in the end, that is the point. Some time in the future I can just take the report I generated and update it with any new information. Not unlike what is currently done by most AV vendors. But I hope that Harlan’s method helps incident responders understand these reports a little better. I think it will also provide them with the means to speak more intelligently about malware and present the issues and reasons for recommendations in a more professional and consistent manner.
I also want you to pay attention to the different sections of the write-up. In addition to Harlan’s basic characteristics I have included a Research Notes section. Although some of this information is apparent from the previous sections, I have tried to tie together how specific things were discovered or explain specific actions. Especially things that are not covered by the AV vendors. I believe it is a good example of how information obtained by incident responders can add to the details associated with a malware outbreak within an environment. Many times quick and focused research can discover key aspects about the actions taken by a piece of malware that are not necessarily apparent in the write-up by AV vendors. These details could drive your response or help you focus on specifics instead of operating with generalities.
NOTE: This post is best viewed using Firefox and may not render properly in Internet Explorer since most of this post is cut and pasted from Microsoft Word. *shrug* I needed the nested bullets.
Trojan.RegSubsDat.A
INITIAL INFECTION VECTOR
- Unknown – possibly email (from AV report) – I cannot figure this out for some reason
- Possibly associated with Excel Vulnerability or vulnerabilities in other Office documents
PROPAGATION MECHANISM
- Unknown – possibly email (from AV report)
PERSISTENCE MECHANISM
- Current User Run key for ctfmon.exe
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- ctfmon.exe = “%System%\ctfmon.exe”
- NOTE: This Run value is the normal one that Windows registers for an unmodified ctfmon.exe, so its presence by itself is consistent with non-malicious activity. No separate autorun entry for the malware was found; instead the Trojan replaces %System%\ctfmon.exe (see Modifies, below), so the legitimate-looking entry launches the trojanized binary at every logon.
- The malicious ws2_32.dll and ctfmon.exe are also placed in the %System%\dllcache directory, so that if the copies in %System% are deleted or modified, Windows File Protection (WFP) automatically restores the trojanized versions rather than clean ones. For that to work, sfcfiles.dll (the list of files WFP protects) had to be updated to include both names, and WFP had to be disabled temporarily while the protected files were replaced. That could update the LastWrite time of the Winlogon key below; unfortunately that key holds many values and its LastWrite time changes regularly, so it is weak evidence on its own. Check the following values; on a clean system SFCDisable is 0 (WFP enabled), and any other value means WFP has been turned off:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- SFCDisable = 0 indicates that WFP is enabled
- [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection]
- SFCDisable = 0 indicates that WFP is enabled
ARTIFACTS
- Creates
- %System%\ctfmen.exe
- %System%\noise0.dat
- %System%\regs.dat
- %System%\subs.dat
- %System%\windcb.dat
- %System%\windows.dll
- %System%\bkav2006.exe
- Modifies
- %System%\dllcache\ws2_32.dll
- %System%\dllcache\ctfmon.exe
- %System%\ws2_32.dll
- %System%\ctfmon.exe
- C:\boot.ini – disables DEP
- The boot.ini is modified so that DEP is disabled. This is done by changing the /noexecute switch on the boot entry to “alwaysoff” (see the DEP reference under Resources). With DEP off, the code the Trojan injects from its non-executable .dat files can run from data pages.
- Mutexes created – these may be created by the malware itself or by the legitimate processes it subverts (ctfmon.exe and anything that loads ws2_32.dll), so treat them as weak indicators
- oleacc-msaa-loaded
- MSCTF.Shared.MUTEX.APG
- 08B1CDBCH
- mutexA
- DNS Queries and Web activity
- v4.windowsaupdate.com
- happytimer.free.info
- Network Traffic
- Possibly Excel or other Office or Wordpad Documents that contain shellcode to connect to remote sites and download malware
- Multiple IDS/IPS signatures should detect the shellcode, writes to the system32 directory, and the DNS and web requests to the hosts listed above
- Other
- During initial malware infection the following files have been detected. These files may be associated with a completely different malware but their occurrence precedes the activity associated with Trojan.RegSubsDat.A and should be noted.
- %Windir%\SchedLog.Txt or %Windir%\Tasks\SchedLog.Txt
- At1.job – scheduled task associated with running the program TMP.EXE
- TMP.EXE – content and actions of this executable unknown
- del.bat – content and actions of this batch file unknown
- sfcfiles.dll – modified to include the %System%\ws2_32.dll and %System%\ctfmon.exe
- %Windir%\JavaApplet
- %Windir%\h323log.txt
RESEARCH NOTES
From system analysis it appears that the infection starts with a scheduled task being created on the system. The Scheduled Task Log shows that a task titled At1.job (the name probably depends on whether an At1.job already exists) is supposed to run “TMP.EXE”. After this is run the other files appear on the system. I also detect the occurrence of the file “del.bat” in System Restore files. I have not been able to recover either “TMP.EXE” or “del.bat” from any infected systems. After that the dllcache files appear, the “boot.ini” file is modified, sfcfiles.dll is modified to include the new files in the dllcache, and the Prefetch file for CTFMON.EXE is created or modified. Later the bkav2006.exe file, the “.dat” files, and the JavaApplet folder appear (possibly after a reboot); see the ThreatExpert update. All of this activity appears to be surrounded by System Restore points being created. These restore points could be caused by system files being updated or by some other system activity.
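To make the two text artifacts above repeatable to check across many hosts, here is an added example (not code from the original post or from any AV vendor) that parses an exported boot.ini for the /noexecute switch the Trojan sets to alwaysoff, and a decoded Task Scheduler log for the At1.job / TMP.EXE pattern. The sample inputs are constructed; the SchedLog line layout, the regular expressions and the WATCH_PROGRAMS list are assumptions, not facts taken from the report.

```python
"""Offline triage of boot.ini (DEP setting) and the Task Scheduler log
(SchedLog.Txt / SchedLgU.Txt). Added example, not code from the original
post or from any AV vendor. The SchedLog layout assumed here is the usual
'"Job.job" (program)' header followed by indented Started/Finished lines;
adjust JOB_LINE_RE / EVENT_RE if your copy differs. Samples are constructed.
"""
import ntpath
import re

NOEXECUTE_RE = re.compile(r"/noexecute=(\w+)", re.IGNORECASE)
JOB_LINE_RE = re.compile(r'^"(?P<job>[^"]+)"\s+\((?P<program>[^)]*)\)\s*$')
EVENT_RE = re.compile(r"^\s+(?P<event>Started|Finished)\s+(?P<when>.+)$")

# Hypothetical watch list seeded from the Artifacts section above.
WATCH_PROGRAMS = {"tmp.exe", "del.bat"}


def dep_status(boot_ini_text):
    """One dict per [operating systems] entry: the lower-cased /noexecute
    value (None if absent) and whether it is the 'alwaysoff' the Trojan
    writes. optin/optout/alwayson all leave DEP enforceable."""
    entries = []
    in_os_section = False
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section or "=" not in line:
            continue
        arc_path, _, switches = line.partition("=")
        match = NOEXECUTE_RE.search(switches)
        level = match.group(1).lower() if match else None
        entries.append({"entry": arc_path.strip(), "noexecute": level,
                        "dep_disabled": level == "alwaysoff"})
    return entries


def scheduled_jobs(schedlog_text):
    """Parse Task Scheduler log text into Started/Finished events, each
    tagged with the job name and program from the preceding header line.
    The real file is usually UTF-16: open(path, encoding='utf-16')."""
    events = []
    current = None
    for line in schedlog_text.splitlines():
        header = JOB_LINE_RE.match(line)
        if header:
            current = (header.group("job"), header.group("program"))
            continue
        event = EVENT_RE.match(line)
        if event and current is not None:
            events.append({"job": current[0], "program": current[1],
                           "event": event.group("event"),
                           "when": event.group("when").strip()})
    return events


def suspicious_jobs(events, watch=WATCH_PROGRAMS):
    """Keep events whose program basename is on the watch list."""
    return [ev for ev in events
            if ntpath.basename(ev["program"].strip('"')).lower() in watch]


# Constructed samples: an infected boot.ini and a clean one.
INFECTED_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect
"""
CLEAN_BOOT_INI = INFECTED_BOOT_INI.replace("/noexecute=AlwaysOff", "/noexecute=optin")

# Constructed Task Scheduler log excerpt (format assumed, see docstring).
SAMPLE_SCHEDLOG = (
    '"Task Scheduler Service"\n'
    "\tStarted at 4/20/2009 8:02:13 AM\n"
    '"At1.job" (TMP.EXE)\n'
    "\tStarted 4/20/2009 8:05:00 AM\n"
    '"At1.job" (TMP.EXE)\n'
    "\tFinished 4/20/2009 8:05:03 AM\n"
    "\tResult: The task completed with an exit code of (0).\n"
    '"Backup.job" (ntbackup.exe)\n'
    "\tStarted 4/20/2009 9:00:00 AM\n"
)


def triage_report():
    """Run both checks over the constructed samples and return the findings."""
    return {"dep": dep_status(INFECTED_BOOT_INI),
            "jobs": suspicious_jobs(scheduled_jobs(SAMPLE_SCHEDLOG))}


if __name__ == "__main__":
    report = triage_report()
    for entry in report["dep"]:
        print("%s: /noexecute=%s  DEP disabled: %s"
              % (entry["entry"], entry["noexecute"], entry["dep_disabled"]))
    for ev in report["jobs"]:
        print("%s ran %s: %s %s" % (ev["job"], ev["program"], ev["event"], ev["when"]))
```

Because the dllcache copies are trojanized too, comparing %System%\ctfmon.exe against %System%\dllcache\ctfmon.exe proves nothing here; hash both against a copy from install media or a known-clean host instead.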
RECOMMENDATIONS
- Apply Microsoft Patches MS09-009 and MS09-010
- Update all third party applications including Microsoft Office and Adobe PDF (added for good measure)
- Monitor DNS logs for queries pertaining to “windowsaupdate” and “happytimer”
- Block via DNS, web proxy, or web filtering “windowsaupdate.com” and “happytimer.free.info” (the domains observed in the DNS queries above), including their subdomains
- Do not read emails or surf the web from servers or critical assets
- Update IDS/IPS solutions to detect shellcode, shellcode in Office documents, writes to the system32 directory, and UPX-packed executables
- Use file integrity products or host-based IDS solutions to detect modifications to system files
- Update AV signatures
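The DNS monitoring and blocking recommendations above, as an added example (not part of the original post or of any vendor product) that runs the two indicators over resolver log lines. The log lines are constructed in a BIND-style query-log layout; for another source (Windows DNS debug log, a proxy) only QUERY_RE needs to change. The block list is the two domains from the Artifacts section; the keyword list and the regular expression are assumptions.

```python
"""Detection logic for the DNS indicators in this report. Added example,
not part of the original post or of any vendor product. Log lines are
constructed (BIND-style layout); the block list is the domains seen in
the report's DNS artifacts, the keywords are the strings it suggests
monitoring for.
"""
import re

# Exact domains from the Artifacts section; subdomains match as well.
BLOCK_DOMAINS = ("windowsaupdate.com", "happytimer.free.info")
# Looser strings to watch for (catch the same name under another TLD).
WATCH_KEYWORDS = ("windowsaupdate", "happytimer")

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalize(qname):
    """Lower-case and strip the trailing dot resolvers often log."""
    return qname.rstrip(".").lower()


def matches_block_list(qname, block=BLOCK_DOMAINS):
    """True if qname is a blocked domain or a subdomain of one
    (v4.windowsaupdate.com matches windowsaupdate.com)."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in block)


def keyword_hits(qname, keywords=WATCH_KEYWORDS):
    """Keywords found anywhere in the name. The look-alike matters:
    'windowsaupdate' (extra 'a') must not fire on the legitimate
    windowsupdate.com, and substring matching preserves that."""
    name = normalize(qname)
    return [k for k in keywords if k in name]


def scan_dns_log(lines):
    """One finding per query line that hits the block list or a keyword."""
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line, or a layout we do not parse
        qname = normalize(m.group("qname"))
        blocked = matches_block_list(qname)
        kws = keyword_hits(qname)
        if blocked or kws:
            findings.append({"client": m.group("client"), "qname": qname,
                             "qtype": m.group("qtype"), "blocked": blocked,
                             "keywords": kws})
    return findings


def clients_to_triage(findings):
    """Hosts that resolved a blocked domain: the likely infected machines."""
    return sorted({f["client"] for f in findings if f["blocked"]})


# Constructed sample log lines (BIND-style layout, not real traffic).
SAMPLE_LOG = [
    "20-Apr-2009 08:07:41.120 client 10.1.2.33#1045: query: v4.windowsaupdate.com IN A + (10.1.2.5)",
    "20-Apr-2009 08:07:42.301 client 10.1.2.33#1046: query: happytimer.free.info. IN A + (10.1.2.5)",
    "20-Apr-2009 08:09:10.003 client 10.1.2.50#1101: query: download.windowsupdate.com IN A + (10.1.2.5)",
    "20-Apr-2009 08:12:55.777 client 10.1.2.71#1050: query: cdn.happytimer.net IN A + (10.1.2.5)",
    "20-Apr-2009 08:13:00.000 zone transfer denied for 10.1.2.99",
]


if __name__ == "__main__":
    findings = scan_dns_log(SAMPLE_LOG)
    for f in findings:
        print("%s -> %s blocked=%s keywords=%s"
              % (f["client"], f["qname"], f["blocked"], ",".join(f["keywords"])))
    print("hosts to triage:", clients_to_triage(findings))
```

A keyword-only hit (cdn.happytimer.net in the sample) is worth a look but is not proof; only the exact-domain matches put a host on the triage list.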
RESOURCES
- ThreatExpert Trojan.RegSubsDat Report – http://www.threatexpert.com/report.aspx?md5=0cafb41eca73d768091bc93f4343cbb9
- IBM X-Force: Microsoft Excel Remote Code Execution Vulnerability – https://portal.mss.iss.net/mss/xftas/alertAdvisory/details.mss?alertAdvisoryId=3311
- Trojan.Regsubdat.A – http://www.symantec.com/security_response/writeup.jsp?docid=2009-042215-2550-99&tabid=2
- W32.Regsubdat.A!inf – http://www.symantec.com/security_response/writeup.jsp?docid=2009-042222-3030-99&tabid=2
- Microsoft Security Bulletin MS09-009 – Critical – http://www.microsoft.com/technet/security/Bulletin/MS09-009.mspx
- CVE-2009-0100 – http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0100
- Microsoft Excel Malformed Object Memory Corruption Bug Lets Remote Users Execute Arbitrary Code – http://securitytracker.com/alerts/2009/Apr/1022039.html
- A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003 – http://support.microsoft.com/kb/875352
- Registry settings for Windows File Protection – http://support.microsoft.com/kb/q222473/
- Hacking Windows File Protection – http://www.bitsum.com/aboutwfp.asp
POSSIBLY RELATED
- Microsoft Security Bulletin MS09-010 – Critical – http://www.microsoft.com/technet/security/Bulletin/MS09-010.mspx
- Microsoft WordPad Text Converter Remote Code Execution Vulnerability – http://www.securityfocus.com/bid/32718/info
- Microsoft WordPad Word 97 Text Converter Memory Corruption Error Lets Remote Users Execute Arbitrary Code – http://securitytracker.com/alerts/2008/Dec/1021376.html
For those of you still reading, I’ll provide you with what is currently being provided by Symantec and Microsoft for this malware. I am going to leave the recommendations off of the Symantec write-up to save space. One note I would like to make is that the Symantec write-up talks about injecting code into specific DLLs. This is a perfect example of information that malware analysis will discover but that an analysis of system artifacts may miss. These write-ups are still necessary and helpful.
Symantec – Trojan.Regsubdat.A
Discovered: April 22, 2009
Updated: April 23, 2009 7:45:14 PM
Type: Trojan
Infection Length: 33,280 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
The Trojan may arrive as an email attachment.
Once executed, the Trojan creates the following files:
- %System%\ctfmen.exe
- %System%\noise0.dat
- %System%\regs.dat
- %System%\subs.dat
- %System%\windcb.dat
- %System%\windows.dll
It then modifies the following files:
- %System%\dllcache\ws2_32.dll
- %System%\dllcache\ctfmon.exe
- %System%\ws2_32.dll
- %System%\ctfmon.exe
- C:\boot.ini
The Trojan then disables the Data Execution Prevention (DEP).
Next, the Trojan injects executable code from the non-executable .dat files into the ctfmon.exe process and any other process that loads the following file:
%System%\ws2_32.dll
Once the compromised computer has restarted, the Trojan contacts the following remote location and may download additional files:
v4.windowsaupdate.com
Microsoft – Virus:Win32/Kirpich.A
Summary
This software threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.
Go forth and do good things,
Don C. Weber