Reverse Engineering a Purported Microsoft Security Patch by Charles Hornat on 17/07/03

Overview
In this paper we examine and dissect a malicious package that arrived as an attachment to an email purporting to come from Microsoft and claiming to fix all known vulnerabilities on our system. We review the delivery method, analyze the executable, and study the impact it had on a system once it was installed.

Table of Contents

The Tools
Tripwire
Ethereal
Windows XP
GNU Strings
The Delivery
Notes on Delivery
The Analysis
Post Installation/Pre-Boot
Post Installation/Post-Boot
Final Analysis
Additional Resources
Appendix A: Strings of Malware
Appendix B: Tripwire Report After Malware Installation
Appendix C: Tripwire Report After Malware Install and Reboot

The Tools

Tripwire
Tripwire was written by Gene Kim, a personal friend of mine, and Eugene Spafford, and can be found at www.tripwire.com. It takes a snapshot of the files and directories you specify and monitors them for changes, authorized or not. The snapshot is a set of cryptographic hashes (MD5, SHA-1, etc.) of the chosen files and directories, stored in a protected database. Tripwire then rescans those files and directories, on demand or on a schedule, and reports every file that has been added, changed or deleted. Besides files and directories it can also monitor the Windows Registry, file access times, file flags and similar attributes.

Ethereal
A network sniffer that captured all traffic to and from the test system during and after the installation of the malicious application.

Windows XP
The test system's operating system. The analysis was performed on a default, networked Windows XP install with no service packs or hotfixes applied. The goal was to learn how the package behaves and what it does to the system, not to protect against it.

GNU Strings
GNU strings is part of the binutils package shipped with most UNIX-like (including Linux) operating systems. It prints, to the screen or to a location of your choice, every run of at least four printable characters that is terminated by an unprintable character (the minimum length and the character encoding are adjustable). This is especially helpful with non-text files such as Microsoft executables.

The Delivery
On May 11, 2003, we received the email shown in Figure 1. It is polite and colorful, which adds to its believability. The footer carries the copyright notice that many people take as a sign of authenticity (Figure 2), and the short header lends further credibility to less technical readers (Figure 3). Note the sender address that appears there, advisor.microsoft.com.


Figure 1: Delivery Method


Figure 2: Footer


Figure 3: Header

Notes on Delivery
Reading the body of the email, several points should set off alarms. First, the patch claims to "eliminate all known security vulnerabilities". That would be wonderful if it were true, but it is not: service packs try to bundle as many security hotfixes as possible, yet they never eliminate every known vulnerability. The size of the attachment (Figure 4) is another tip-off, since a real service pack is far larger.


Figure 4: The attachment

Expanding the header (Figure 5) gives more clues about the real source of the email.


Figure 5: Header

The Return-Path is ftballguy66@cox.net, which is obviously not a Microsoft address. The From line claims iamlzytaw_903216@support.msdn.com, a spoofed address to which a reply, should we choose to send one, would be addressed. Neither header is authenticated: the From line is simply whatever the sender typed, and although the Return-Path is recorded from the SMTP envelope by the receiving mail server, the sender can set it to any value as well. The two disagreeing is nonetheless a strong sign of forgery, because a spammer usually leaves the envelope sender pointing at a real mailbox so that bounces come back.

Finally, Microsoft, like most vendors, will NEVER email you a patch directly. A genuine notification describes the vulnerability or the purpose of the message at a high level, then gives a link to further information and directs you to the vendor's site to download the patch.
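The checks made by hand in this section (Return-Path versus From, where replies would go, the first Received hop, and the "eliminates all known security vulnerabilities" bait line) can be scripted so they run over every message in a mailbox. The following is an added example, not code from the original article. The two messages are constructed for the example: the Return-Path and From addresses are the ones quoted above, while the Received lines, display names, recipient and the "clean" comparison message are placeholders.

```python
"""Header triage for a suspicious 'vendor patch' e-mail (added example)."""
import email
import email.policy
from email.utils import parseaddr

# Constructed message: sender addresses are the ones from the article, the
# Received hops, display name and recipient are placeholders.
SAMPLE = """\
Return-Path: <ftballguy66@cox.net>
Received: from mail.example.invalid ([192.0.2.10]) by mx.victim.invalid with SMTP; Sun, 11 May 2003 09:12:00 -0400
Received: from [198.51.100.7] by mail.example.invalid with SMTP; Sun, 11 May 2003 09:11:30 -0400
From: "MS Security Advisor" <iamlzytaw_903216@support.msdn.com>
Reply-To: ftballguy66@cox.net
To: victim@victim.invalid
Subject: Microsoft Security Update
Content-Type: text/plain

Install the attached patch. It eliminates all known security vulnerabilities.
"""

# Constructed comparison message that should raise no findings.
CLEAN = """\
Return-Path: <bounce@microsoft.com>
Received: from mail.microsoft.com ([192.0.2.20]) by mx.victim.invalid with SMTP; Sun, 11 May 2003 10:00:00 -0400
From: "Microsoft Security" <secure@microsoft.com>
To: victim@victim.invalid
Subject: Security bulletin
Content-Type: text/plain

See https://www.microsoft.com/technet/security/ for details and the download.
"""

# Domains the sender is claiming to be. From: and Reply-To: are typed by the
# sender; Return-Path: is the SMTP envelope sender recorded by the receiving
# mail server, which can also be forged but usually points at a real mailbox.
CLAIMED = ("microsoft.com", "msdn.com")

# Phrases from the article's list of things that should set off alarms.
BAIT_PHRASES = ("all known security vulnerabilities", "attached patch")


def domain_of(header_value):
    """Bare domain of an address header value ('' if absent)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def in_claimed(domain, claimed=CLAIMED):
    return any(domain == c or domain.endswith("." + c) for c in claimed)


def triage(raw, claimed=CLAIMED):
    """Return human-readable findings for one RFC 822 message; [] means clean."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))

    if in_claimed(from_dom, claimed):
        if rp_dom and not in_claimed(rp_dom, claimed):
            findings.append(f"Return-Path {rp_dom} does not match claimed sender {from_dom}")
        if reply_dom and not in_claimed(reply_dom, claimed):
            findings.append(f"Reply-To {reply_dom} diverts replies away from {from_dom}")
        # Each mail server prepends its own Received: line, so the last one
        # in the header is the hop closest to the real origin.
        received = msg.get_all("Received") or []
        origin = str(received[-1]) if received else ""
        if origin and not any(c in origin for c in claimed):
            findings.append("origin hop is not a claimed-domain host: " + origin.split(";")[0])

    body = msg.get_content().lower()
    for phrase in BAIT_PHRASES:
        if phrase in body:
            findings.append(f"body contains bait phrase: '{phrase}'")
    return findings


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, triage(raw) or "no findings")
```

The domain comparison is deliberately suffix-based (support.msdn.com counts as msdn.com) so that legitimate sub-domains do not trip it; the Received check is a heuristic, since the hostnames in those lines are also partly under the sender's control.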

The Analysis
The first step of the reverse engineering was running the executable through strings; the output is in Appendix A. Reading it shows text crafted to make the file look like a legitimate Microsoft-developed patch. In particular, two sections go into detail about licensing and rights, most likely copied in to add realism to the installation dialog users would encounter. The key is to look for unusual terms or specific keywords and search for them in your favorite search engine.

For example, a quick Google search for "KaZaA uploDropper" brought up several pages describing known worms and viruses that contain this phrase, which is reason enough to proceed with caution or do further research.
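The strings step above has one gap worth closing: GNU strings by default only reports 8-bit (ASCII) runs, while Windows executables also carry UTF-16LE text (dialog captions, registry paths, URLs) that a default run misses. As an added example, not part of the original article, the following extracts both kinds of string from a byte buffer and flags the keywords the article searched for. The sample "binary" is constructed for the example and is not the real patch952.exe.

```python
"""Minimal `strings` with ASCII and UTF-16LE support plus keyword flagging.

Added example; the SAMPLE bytes are constructed and not from the real file.
"""
import re

# Constructed fake DOS/PE stub with a few embedded strings. "ab" is too short
# to report; "Microsoft Windows Update" is stored as UTF-16LE, the way Windows
# binaries store wide strings, and would be missed by a default `strings` run.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00"
    b"\x01\x02KaZaA uploDropper\x00\xff\xfe"
    b"ab\x00\x00"
    + "Microsoft Windows Update".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80LICENSE AGREEMENT\x00"
)

# Keywords that have no business in a Microsoft patch; "KaZaA uploDropper"
# is the phrase the article found and searched for.
SUSPICIOUS = ("kazaa", "uplodropper")


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE, sorted by offset.
    Equivalent to `strings -t d` combined with `strings -e l -t d`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def flag_suspicious(entries, keywords=SUSPICIOUS):
    """Texts among `entries` that contain any keyword (case-insensitive)."""
    return [text for _, _, text in entries
            if any(k in text.lower() for k in keywords)]


if __name__ == "__main__":
    entries = extract_strings(SAMPLE)
    for offset, enc, text in entries:
        print(f"{offset:6d} {enc:8s} {text}")
    print("suspicious:", flag_suspicious(entries))
```

On a real file, read it with `open(path, "rb").read()` and feed the bytes to `extract_strings`; the offsets let you jump straight to the matching bytes in a hex editor or disassembler.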

Post Installation/Pre-Boot
For this project we used Tripwire 4.0. The report produced after the malware was executed and before any reboot is in Appendix B; every change in it is directly attributable to running the malware. The Windows registry was most heavily affected. In summary: 59 registry class keys were added, 1 system startup (Run) key was added, 5 files were added under C:\WINDOWS and 1 file under System32, and 1 existing file, services.msc, was modified. Nothing was deleted. The CLSID, Interface and TypeLib entries all share the 248DD89x-BB45-11CF-9ABC-0080C7E7B78D GUID family and are consistent with the COM registration of the dropped MSWinsck.ocx, the Visual Basic Winsock control, which gives the malware a ready-made TCP/UDP socket interface.

Added:
"C:\WINDOWS\WMSysDx.bin"
"C:\WINDOWS\DX3DRndr.exe"
"C:\WINDOWS\gibe.dll"
"C:\WINDOWS\MSBugAdv.exe"
"C:\WINDOWS\patch952.exe"

Added:
"C:\WINDOWS\System32\MSWinsck.ocx"
Modified:
"C:\WINDOWS\System32\services.msc"
Added:
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+ThreadingModel"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"

Added:
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"

Added:
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\+"

Added:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad"

Post Installation/Post-Boot
The next step was to reboot the Windows XP system so that anything the malware had registered in the Run keys or the Startup folder would execute. Once the reboot completed, a rescan was performed to identify additional changes. To separate what the malware changed from the normal file changes a reboot causes, we first identified the changes common to every reboot:

Modified:
"C:\WINDOWS\0.log"
"C:\WINDOWS\bootstat.dat"

Modified:
"C:\WINDOWS\System32\config\systemprofile\Cookies\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\History\History.IE5\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat"

Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\+LsaPid"

Removing those entries from the post-reboot results leaves the following (the complete report is in Appendix C):

Modified:
"C:\WINDOWS\System32\wpa.dbl"
Removed:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+0"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmboot\+Start"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+Count"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+NextInstance"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\+SpecialPollTimeRemaining"

Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SspiCache\+Time"
Added:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Translated"

Removed:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Translated"

Added:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+OptimizedLogonStatus"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+NextLogonCacheable"

At first glance the malware appears to affect the PnP Manager, and a quick Google search turned up no results for OptimizedLogonStatus. OptimizedLogonStatus was set to a REG_DWORD of 0x0000000b (11) and NextLogonCacheable to a REG_DWORD of 0x00000001 (1). Two caveats apply. HKEY_LOCAL_MACHINE\HARDWARE is a volatile hive that Windows rebuilds from scratch on every boot, so the RESOURCEMAP additions and removals are boot noise rather than malware activity, and the ProfileList values are part of Windows XP's logon bookkeeping for that user. A second clean reboot of the uninfected baseline would confirm that both belong in the list of common reboot changes above, leaving wpa.dbl (the Windows Product Activation store) as the only file change still unexplained.
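The workflow used throughout this analysis (hash a baseline, run the sample, rescan, reboot, rescan again, then subtract the changes a clean reboot makes on its own) is what Tripwire automates, and it is worth knowing how little code it takes. The following is an added example, not Tripwire's code and not part of the original article. The file names are the ones Tripwire reported above, but the directory tree, contents and "reboot" are constructed in a temporary directory; a registry export could be fed to the same diff as a path-to-value map.

```python
"""Snapshot-and-diff integrity check in the style of Tripwire (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(before, after):
    """Added, removed and modified paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def subtract_noise(delta, noise):
    """Drop changes that a clean reboot of the baseline also produces."""
    return {kind: [p for p in paths if p not in noise] for kind, paths in delta.items()}


def demo():
    """Constructed scenario mirroring the article: baseline, run the dropper,
    scan (Appendix B), reboot, scan again (Appendix C). Returns both deltas."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WINDOWS/System32").mkdir(parents=True)
        (root / "WINDOWS/bootstat.dat").write_bytes(b"boot 1")
        (root / "WINDOWS/System32/services.msc").write_bytes(b"<mmc/>")
        (root / "WINDOWS/System32/wpa.dbl").write_bytes(b"wpa 1")
        baseline = snapshot(root)

        # Simulated dropper: adds two files and rewrites services.msc. The
        # names come from the Tripwire report; the contents are placeholders.
        (root / "WINDOWS/gibe.dll").write_bytes(b"not really a dll")
        (root / "WINDOWS/DX3DRndr.exe").write_bytes(b"not really an exe")
        (root / "WINDOWS/System32/services.msc").write_bytes(b"<mmc modified/>")
        after_install = snapshot(root)
        install_delta = diff_snapshots(baseline, after_install)

        # Simulated reboot: the OS rewrites bootstat.dat every boot (noise);
        # wpa.dbl changing is the kind of residue that still needs explaining.
        (root / "WINDOWS/bootstat.dat").write_bytes(b"boot 2")
        (root / "WINDOWS/System32/wpa.dbl").write_bytes(b"wpa 2")
        after_boot = snapshot(root)
        reboot_noise = {"WINDOWS/bootstat.dat"}  # learned from a clean reboot
        boot_delta = subtract_noise(diff_snapshots(after_install, after_boot), reboot_noise)
        return install_delta, boot_delta


if __name__ == "__main__":
    install, boot = demo()
    print("after install:", install)
    print("after reboot, minus reboot noise:", boot)
```

The noise set should come from rebooting the clean baseline, not from guessing which post-infection changes look benign; otherwise a persistence mechanism that happens to touch a "normal" file is filtered out along with the noise.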

The Run entry "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DxLoad" was meant to launch "C:\WINDOWS\DX3DRndr.exe". The executable was indeed launched, but it did not visibly do anything, or did it? Since we did not write the program, we do not know what the intended end result was. An NMAP scan of the infected system showed no TCP ports beyond those open by default, and Ethereal showed no unusual traffic while rebooting or while the system sat idle for hours. Researching key parts of this package on the Internet turns up other analyses, but what we found did not match our observations. One plausible explanation is the test environment itself: the vendor names in the Additional Resources identify the family as a mass mailer (the "@mm" suffix in the Symantec name) and its strings mention KaZaA, and a fresh install with no mail client configured, no address book and no KaZaA shares gives such a worm nothing to work with.

Finally, no new traffic was generated by the infected system. Malware often attempts to phone home for further instructions, for example by connecting to an IRC server or downloading additional components. In this case no such traffic appeared, so no capture logs are included in this analysis. The infected system was monitored from start to finish, including reboots.

Final Analysis
Our conclusion is that this threat had minimal impact on the test system. It did install files and alter critical system files and registry keys, but the user saw nothing: when we ran it there was no interaction with the malware, it prompted for no input and showed no sign of success or failure. Referring back to the strings in Appendix A, there is a great deal of text that was probably meant to be displayed to the user but never was.

It is important to note that both McAfee and Norton detect this file and respond according to your settings when they encounter it. We conclude that this is a modified variant of existing malware.

Additional Resources
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GIBE.B

http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html

Appendix A

Strings of Malware

Appendix B

Tripwire Report After Malware Installation.

Appendix C

Tripwire Report After Malware Install and Reboot

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , Infosecwriters.com. All rights reserved. Comments are property of the respective posters.