Reversing the Plague Bot, will the Real Snipa Please Stand-up
Since Friday, I have been having fun reverse engineering a piece of malware called Plague bot. Overall, the bot has the typical suite of functionality, including an MSN spreader, a USB infector, a DDoSer and SSyn flooder, along with download and update capabilities. The initial binary was encrypted/obfuscated using a VB 6.0 compiled program, which wraps the binary in the VB virtual machine and effectively hides the true binary. This was apparent because very few strings were visible and the binary itself imported MSVBVM60.dll. Because of the P-Code wrapping, initial static analysis provided little use, so we used dynamic reversing to extract the binary.

Image shows imports for VB Virtual Machine.
Extracting the binary was accomplished by placing a breakpoint on CreateProcess and waiting for the process to call itself. I attempted to dump the binary after it was executing, using the instructions here. This failed to give me a usable binary, which was my initial goal, so I looked at the running Plague bot's image in memory instead and found a number of interesting strings, shown below.
- BitDefender Firewall Alert
- Windows Security Alert
- andy
- nepenthes
- currentuser
- vmware
- honey
- sandbox
- InsideTm
- TU-4NH09SMCG1HC
- SbieDll.dll
- Ether Detect
- The Wireshark Network Analyzer
- Project 1 – Packet Analyzer – Colasoft Capsa
- TCPView – Sysinternals: www.sysinternals.com
- Process Monitor – Sysinternals: www.sysinternals.com
- Process Explorer – Sysinternals: www.sysinternals.com
- File Monitor – Sysinternals: www.sysinternals.com
- 127.0.0.1 www.pandasoftware.com
- 127.0.0.1 www.norton.com
- 127.0.0.1 www.nod32.com
- 127.0.0.1 www.microsoft.com
- 127.0.0.1 www.macafee.com
- 127.0.0.1 www.kaspersky-labs.com
- 127.0.0.1 www.hotmail.com
- 127.0.0.1 www.download.mcafee.com
- 127.0.0.1 pandasoftware.com
- 127.0.0.1 norton.com
- 127.0.0.1 nod32.com
- 127.0.0.1 microsoft.com
- 127.0.0.1 macafee.com
During the extraction process, I was initially going to trace the VB 6.0 code until CreateProcess was called, but after I found these strings, I decided to step it up and write a BPHook for Immunity Debugger. The hook works by placing BPs on user-requested addresses or module functions; when a BP is hit, a user-provided string is searched for in the current process's memory. If the string is found, the code tries to find the executable's header and dumps the image to disk before it is executed. In this particular case, I do not calculate the image's size; I just look for a tail value at the end of the allocated memory after the binary. If I ever have to do this again, I will figure out how to calculate the image's size. Before I automated this process, I was dumping the image as shown below, using the Python interpreter shell in the debugger.

Dumping the Malware Executable from Memory with Immunity Debugger
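Sizing the dump from the PE headers instead of searching for a tail marker, as an added example that is not the author's bp_dump_image.py. It assumes the image in memory is a raw file copy (sections located by PointerToRawData), as it would be before CreateProcess runs it; a mapped image would be sized by SizeOfImage instead. The sample buffer is constructed, not taken from the bot.

```python
# Added example, not the author's bp_dump_image.py: find a PE image inside a
# memory buffer and size the dump from its own headers rather than a tail
# marker. A raw file copy (as at the CreateProcess breakpoint) is sized by the
# section table; a mapped image would use SizeOfImage. Sample is constructed.
import struct

def find_pe_header(buf: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew reaches a 'PE\\0\\0' signature, else -1."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            pe = pos + struct.unpack_from("<I", buf, pos + 0x3C)[0]
            if pe + 4 <= len(buf) and buf[pe:pe + 4] == b"PE\0\0":
                return pos
        pos = buf.find(b"MZ", pos + 1)
    return -1

def pe_sizes(buf: bytes, base: int) -> tuple:
    """Return (SizeOfImage, on-disk size) for the PE image starting at base."""
    pe = base + struct.unpack_from("<I", buf, base + 0x3C)[0]
    nsect = struct.unpack_from("<H", buf, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]   # COFF SizeOfOptionalHeader
    opt = pe + 24                                          # optional header start
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    disk_size = size_of_headers
    for i in range(nsect):                                 # 40-byte section headers
        raw_size, raw_ptr = struct.unpack_from("<II", buf, opt + opt_size + i * 40 + 16)
        disk_size = max(disk_size, raw_ptr + raw_size)    # end of the last raw section
    return size_of_image, disk_size

def carve_image(buf: bytes, mapped: bool = False) -> bytes:
    """Bytes to write to disk; mapped=True sizes by SizeOfImage instead."""
    base = find_pe_header(buf)
    if base < 0:
        raise ValueError("no PE header found in buffer")
    image_size, disk_size = pe_sizes(buf, base)
    return buf[base:base + (image_size if mapped else disk_size)]

def build_sample() -> bytes:
    """Constructed PE32 header with one .text section, behind 32 filler bytes."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                   # SizeOfImage, SizeOfHeaders
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x1000, 0x1000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return b"\xCC" * 32 + hdr.ljust(0x600, b"\0") + b"\xCC" * 16    # 0x600-byte file + slack
```

Inside the debugger the buffer would come from reading the allocated region that the string search landed in; carve_image then gives exactly the bytes to write out, with the trailing slack left behind.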
From this point, static analysis of the bot was done with IDA Pro, with some dynamic analysis used to get a clear picture of the memory and data. When the binary runs, the first action performed is a check for common malware analysis tools, and the checks appeared to FAIL in some cases. The bot basically checks window titles to see if a tool is running. For example, I was running SysInternals Process Explorer, and the check still passed and the program continued executing. In any case, I merely converted all the strings to 'A\x00' using the debugger's Python shell, with the following snippet:
- f = imm.writeMemory(0x40c1b8, 'A\x00'*0x504)

IDA Pro Showing Plague's Attempt to Look For Analyst's Tools
After passing all the "security" checks, the bot looks to see if it is installed in the Windows directory as svchost.exe. If not, the executable copies itself to %windir%\svchost.exe and creates an autorun registry key. If the executable is already present in the directory, the bot proceeds to initialize the IRC client and calls out to vteamunix.info, which resolves to 174.133.63.91.
While the binary did not present any real protection measures, it did employ encoded strings. To counter this obfuscation, I just looked over the code used to encode the strings. The code basically uses a string of 37 characters and XORs each of them against the corresponding character of the obfuscated string. I wrote an IDA script that decoded each string, renamed it, and then added a comment at the IDA reference.
Decoded string successfully: '\xb8\xb8\xaf\xaf\xb8\xaf\xb6\xa4\xb3\x84\xbc\xa2\x8d\x8d\xaf\xb8\xb6\xa4\xb3\xaf\xaf\xb8\xb8' = ooxxoxasdSkuZZxoasdxxoo
Decoded string successfully: '\x84\x9c\xa2\x8d\x8d\x8d\x8d\x8d\x8d\xad\xaf\xaf' = SKuZZZZZZzxx
Decoded string successfully: '\xa4\xa1\xb4\xbf\xb8\xa4\xa3' = svchost
Decoded string successfully: '\xf2\xa0\xbe\xb9\xb3\xbe\xa5\xf2' = %windir%
Decoded string successfully: '\xa4\xa1\xb4\xbf\xb8\xa4\xa3\xf9\xb2\xaf\xb2' = svchost.exe
Decoded string successfully: '\x96\xa2\xa3\xb8\x85\xa2\xb9\xf9\xb2\xaf\xb2' = AutoRun.exe
Decoding string: '!\x00'
Decoded string successfully: '\xa0\xbe\xb9\xe4\xe5' = win32
Decoded string successfully: '\xfd\x97\xb6\xb3\xba\xbe\xb9' = *@admin
Decoded string successfully: '\xa7\x9b\xb6\xb0\x82\xb2' = pLagUe
Decoded string successfully: '\xa7\x9b\xb6\xb0\x82\xb2' = pLagUe
Decoded string successfully: '\xa7\x9b\xb6\xb0\x82\xb2\xf7\xb5\xb8\xa3\xf7\xe5\xf9\xe1\xf7\xb8\xb1\xb1\xbe\xb4\xbe\xb6\xbb' = pLagUe bot 2.6 official
Decoded string successfully: '\xd4\xe3\xd5\xa7\x9b\xb6\xb0\x82\xb2\xf7\xe5\xf9\xe1\xf9\xf7\x81\xbe\xb6\xf7\x9a\x84\x99\xf9' = 4pLagUe 2.6. Via MSN.
Decoded string successfully: '\xf4' = #
Decoded string successfully: '\xf4' = #
Decoded string successfully: '\xf4' = #
Decoded string successfully: '\xf4\xa7\xb6\xa4\xa4\xa0\xb8\xa5\xb3\xa4' = #passwords
Decoded string successfully: '\xa1\xa3\xb2\xb6\xba\xa2\xb9\xbe\xaf\xf9\xbe\xb9\xb1\xb8' = vteamunix.info
Finished converting and decoding strings to strings.
For good measure, I have also included what the strings looked like in IDA Pro after the decoding process.

Decoded Strings from Plague Bot in IDA Pro
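A stand-alone decoder for the XOR scheme described above, as an added example that is not the author's ida_pro_decode_strings.py. The 37-character key length comes from the write-up, but the key itself is never printed; its bytes are an assumption inferred from the output above, where every ciphertext byte XORed with its plaintext byte gives 0xd7. The sample bytes are copied from that output; recover_key shows how to get the key stream from one known string before decoding the rest.

```python
# Added example, not the author's ida_pro_decode_strings.py: a stand-alone
# decoder for the XOR string scheme described above plus key recovery from a
# known pair. The 37-byte key length is from the write-up; its bytes are an
# assumption: every ciphertext/plaintext pair printed above satisfies
# c ^ p == 0xd7, so a uniform 0xd7 key reproduces the page's output.
from itertools import cycle

KEY = b"\xd7" * 37  # assumed key, consistent with all pairs on the page

# Constructed from the decoded-string output above (IRC ad sample included).
SAMPLES = {
    "svchost": b"\xa4\xa1\xb4\xbf\xb8\xa4\xa3",
    "windir": b"\xf2\xa0\xbe\xb9\xb3\xbe\xa5\xf2",
    "c2": b"\xa1\xa3\xb2\xb6\xba\xa2\xb9\xbe\xaf\xf9\xbe\xb9\xb1\xb8",
    "msn_ad": (b"\xd4\xe3\xd5\xa7\x9b\xb6\xb0\x82\xb2\xf7\xe5\xf9\xe1\xf9"
               b"\xf7\x81\xbe\xb6\xf7\x9a\x84\x99\xf9"),
}

def xor_decode(encoded: bytes, key: bytes) -> bytes:
    """XOR each encoded byte against the key, cycling the key when it runs out."""
    return bytes(c ^ k for c, k in zip(encoded, cycle(key)))

def recover_key(encoded: bytes, plaintext: bytes) -> bytes:
    """Key-stream bytes covered by one known ciphertext/plaintext pair."""
    if len(encoded) != len(plaintext):
        raise ValueError("ciphertext and plaintext lengths differ")
    return bytes(c ^ p for c, p in zip(encoded, plaintext))

def printable(decoded: bytes) -> str:
    """Display form with control bytes dropped: the IRC ad starts with the
    colour/bold codes 0x03 '4' 0x02, which is why it shows as '4pLagUe...'."""
    return "".join(chr(b) for b in decoded if 0x20 <= b < 0x7F)

def decode_all(key: bytes = KEY) -> dict:
    """Decode every sample and return display strings keyed by sample name."""
    return {name: printable(xor_decode(enc, key)) for name, enc in SAMPLES.items()}

if __name__ == "__main__":
    stream = recover_key(SAMPLES["svchost"], b"svchost")
    print("key bytes from the svchost pair:", stream.hex())
    for name, text in decode_all().items():
        print(f"{name}: {text}")
```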
At this point, I dug a little further and identified the code responsible for the MSN spreading and USB infection process. The USB infector functionality was very easy to reverse. First I found the USB infector function, which is actually started in a thread created when the binary starts. The function was identified by using the encoded string reference. Additionally, Matt and I noticed the infector makes no distinction about whether a drive is a USB, network, or any other kind of drive. Thus, by accident, it manages to infect other drives with the bot as well. The observed function does the following things:
1) Create the following directory: \\cold\\hott
2) Create the file Desktop.ini in the directory and write the following into it to make it look like the Recycling Bin:
3) Copy the svchost.exe binary image into the directory.
4) Write \\autorun.inf
5) Send a message saying it infected a drive and continue running
After looking at the USB infector, I turned my attention to the MSN functionality. At this point, I felt dynamic analysis would be more beneficial to my cause, but I was unable to figure out how to call the necessary function with the right variable types and values. So I turned to Google and found code for an MSN spreader here, which closely matches the Plague bot's. In summary, below are some of the commands we enumerated in the binary. The list may not be complete due to time constraints, but it is representative of the bot's other capabilities.
- msn/msnoff
- visit
- update
- byefor3ver
- likeomgletsupdatemannnn
- likeomgletsdownloadmannnn
- ps2
- ddos
- udp
- http
- ff
- remove
- stop
Associating a face to the name was the most fruitful experience in this analysis. Since Google yielded great results for the MSN spreader, I decided to search for "Plague Bot" and found a number of posts dating back to September on HackForums.net. Most notably, the author, tuSnipa, boasted about features in the bot. Below is a capture of his post in the forum.

Snipa Selling the Plague Bot on HackForum.net
Additionally, he claims to run the IRC servers and to distribute binaries for each binary. Below is a screen capture from Wireshark showing the network traffic between the client and the IRC server. Note the Snipa.gov MOTD.

Bot joining the IRC channel "Seeing Nothing" at snipa.gov
Overall, this was a fun piece of malware to reverse, especially to get back into the swing of things. I wrote several scripts for IDA and Immunity Debugger:
- ida_pro_runtime_imports.py – basic renaming script to rename some runtime function imports in the binary
- ida_pro_remove_all_names_in_function.py – basic script/command to remove all the names on "DataXrefsFrom" in the function
- ida_pro_decode_strings.py – script to decode, name, and add comments regarding the strings
- bp_dump_image.py – Immunity Debugger script to dump an executable image with a special string.
February 4th, 2010 at 4:07 am
Hey Dude, great article, but the links to the IDAPython and Immunity scripts are broken.
February 4th, 2010 at 6:03 am
Oops. Sorry about that, fixed now.