Posted by: realsecurity | September 1, 2008

Anti analysis tricks in Trojan-Downloader.Win32.Agent.abti

While perusing some malware for learning purposes I ran across some anti analysis techniques used in Trojan-Downloader.Win32.Agent.abti.

I’m keeping this post a little more brief by posting fewer screenshots.

MD5: 588573DC336B3695E9FDB890EEFD26DB
Virus Total Results

Anubis Results

Threat Expert Results

Sunbelt sandbox results

The Anubis scan yielded great results, but we are focusing mainly on the anti-analysis tricks this time. Near the end of this post we will quickly see how the malware downloads its next binary.

load.exe

According to xPELister, this file imports only one DLL, which is very strange.


A scan of the binary with PEiD yields nothing.


Running strings, we get the following:

” /c del ”
” >> NUL
ntdll.dll
http://
?id=
SleepEx
GetTickCount
GetCommandLineA
Sleep
lstrcatA
GetEnvironmentVariableA
GetShortPathNameA
GetStartupInfoA
QueueUserAPC
IsDebuggerPresent
GetVersionExA
CloseHandle
GetCurrentProcessId
CreateThread
lstrcpyA
KERNEL32.dll

Due to the lack of a full URL in the strings output and the strange lack of imports, we can assume this file is packed with something. The program calls IsDebuggerPresent and GetTickCount, both of which can be used to look for debuggers.

Sure enough, the first function that gets called when the program is loaded in olly is IsDebuggerPresent. If a debugger is present, the value returned in the EAX register will be 1. The screenshot below was taken after letting the function execute and return 1 in EAX.


To circumvent this trick, we can simply use the Hide Debugger plugin for olly. After we reload olly and the malware, IsDebuggerPresent returns 0.


By simply stepping over the next series of instructions we encounter a call to GetTickCount. This function returns a running tick count, so calling it twice measures how much time has elapsed between instructions; because a debugger pauses the program's execution, the difference will be much larger than normal. At 00402480 we encounter a call to SleepEx.


Stepping into the CALL (F7) we see that the timeout parameter is FFFFFFFF or INFINITE. This will cause the program to simply wait forever and not execute any subsequent instructions, rendering debugging useless.


To bypass this, simply set a breakpoint after CALL EBP. The malware author who wrote the code for this downloader used techniques to fool disassemblers. The code changes at run time, and therefore a disassembler does not know exactly how the program flows. So by making an educated guess and setting a breakpoint at the beginning of the code, 00401000, we can continue on.


Stepping forward a few more instructions sends us to a section of code that sets up a file to be deleted via the command line. The malware will probably delete itself after the binary terminates.


Executing several more instructions suddenly jumps us into a new section of code which olly was previously unable to decode. This is probably due to the runtime packer used on this piece of malware.


Now that we are in this new section and we know it will contain instructions, select module -> Analysis -> Analyze code.


Stepping through the code further we encounter sfc_os.dll being loaded. This DLL is referenced in methods for disabling system file protection.


To wrap up our session, a file is created and written to the drive called inB.tmp.


Running strings against this new file yields what we're looking for: the communication used to contact the C&C, which was previously hidden.

InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetQueryDataAvailable
InternetReadFile
InternetCloseHandle
CoInitializeEx
CoInitializeSecurity
CoCreateInstance
CoUninitialize
http://www.bot-tob.ru/hottop/gate.php?id=f84a75cd

We can now connect to the C&C with a valid bot ID and download the next few files.
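The triage reasoning applied to the two strings dumps above (few imported DLLs plus only URL fragments means packed; the WinINet imports and a complete gate URL mark the unpacked stage) can be scripted. The following Python is an added example, not part of the original post; the DLL-count threshold and the indicator lists are my assumptions, and the input data is the two strings dumps shown in the post.

```python
import re
from urllib.parse import parse_qs, urlparse

# APIs the post singles out as anti-analysis tricks, and what each enables.
ANTI_ANALYSIS_APIS = {
    "IsDebuggerPresent": "direct debugger check (returns 1 in EAX under a debugger)",
    "GetTickCount": "timing check; a paused debuggee inflates the elapsed ticks",
    "SleepEx": "SleepEx(INFINITE) stalls the debuggee indefinitely",
}
# WinINet APIs whose appearance marks the unpacked, network-capable stage.
NETWORK_APIS = {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                "HttpSendRequestA", "InternetQueryDataAvailable", "InternetReadFile"}
FULL_URL = re.compile(r"https?://[\w.-]+(?:/\S*)?")

# strings dumps of load.exe (packed stage) and the dropped inB.tmp, copied from the post.
LOAD_EXE_STRINGS = [
    '" /c del "', '" >> NUL', "ntdll.dll", "http://", "?id=", "SleepEx",
    "GetTickCount", "GetCommandLineA", "Sleep", "lstrcatA",
    "GetEnvironmentVariableA", "GetShortPathNameA", "GetStartupInfoA",
    "QueueUserAPC", "IsDebuggerPresent", "GetVersionExA", "CloseHandle",
    "GetCurrentProcessId", "CreateThread", "lstrcpyA", "KERNEL32.dll",
]
INB_TMP_STRINGS = [
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA",
    "InternetQueryDataAvailable", "InternetReadFile", "InternetCloseHandle",
    "CoInitializeEx", "CoInitializeSecurity", "CoCreateInstance", "CoUninitialize",
    "http://www.bot-tob.ru/hottop/gate.php?id=f84a75cd",
]

def triage_strings(lines):  # apply the post's reasoning to one strings dump
    strs = [s.strip() for s in lines if s.strip()]
    dlls = sorted({s for s in strs if s.lower().endswith(".dll")})
    urls = [m.group(0) for s in strs for m in FULL_URL.finditer(s)]
    # "http://" and "?id=" as separate strings with no complete URL means the
    # C&C address is assembled at runtime, one of the post's packing indicators.
    fragments = [s for s in strs if s in ("http://", "?id=")]
    return {
        "dlls": dlls,
        "anti_analysis": {s: ANTI_ANALYSIS_APIS[s] for s in strs if s in ANTI_ANALYSIS_APIS},
        "network_apis": sorted(s for s in strs if s in NETWORK_APIS),
        "urls": urls,
        "bot_ids": [parse_qs(urlparse(u).query).get("id", [""])[0] for u in urls],
        # Post's heuristic: almost no DLL names plus URL fragments only => packed.
        # ntdll.dll also shows up as a plain string, so the assumed threshold is <= 2.
        "likely_packed": len(dlls) <= 2 and not urls and bool(fragments),
    }

if __name__ == "__main__":
    for name, dump in (("load.exe", LOAD_EXE_STRINGS), ("inB.tmp", INB_TMP_STRINGS)):
        print(name, triage_strings(dump))
```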

Lessons Learned:

In this post we've learned how to spot and circumvent a check for IsDebuggerPresent by using a plugin such as Hide Debugger or simply changing the value of the EAX register by hand. We also learned how to avoid timing checks with GetTickCount by setting a breakpoint immediately after the call to it. To make this work, execute to the breakpoint as soon as the program is loaded. Lastly, when jumping into an unknown section of code, it can be re-analyzed in olly by selecting "Analyze code".
