A suspicious file was detected by A/V and identified as Download.Fugif. The most interesting characteristic of this malware is that it hides itself in an NTFS alternate data stream attached to the system folder, as "%System%\[4 RANDOM LETTERS].dll". Here is a screen shot from the program's quarantine:

The colon between system32 and mcaa.dll signifies an alternate data stream (ADS). In order to determine what other data might be hidden in ADS, I used the Streams utility from sysinternals.com. First I checked the C:\WINDOWS\system32 directory itself (none), and then parsed the file system recursively. A large amount of hidden data was identified:

    C:\>streams -s C:

    Streams v1.53 - Enumerate alternate NTFS data streams
    Copyright (C) 1999-2005 Mark Russinovich
    Sysinternals - www.sysinternals.com

    C:\WINDOWS\inzrd.log:unkfpd:$DATA 13581
    C:\WINDOWS\kdolg.dat:
        :mmfptn:$DATA 13581
        :twcmom:$DATA 3567
    C:\WINDOWS\OEWABLog.txt:swelkt:$DATA 13581
    C:\WINDOWS\pcconfig.dat:dxpqmd:$DATA 197755
    C:\WINDOWS\rbxfl.txt:rtwoam:$DATA 197755
    C:\WINDOWS\securea.html:
        :aggfjq:$DATA 197753
        :dovzos:$DATA 3567
        :jmhtuw:$DATA 3567
    C:\WINDOWS\sessmgr.setup.log:
        :jxswis:$DATA 13581
        :wmjgxc:$DATA 3567
    C:\WINDOWS\setupapi.log:thrkdb:$DATA 3567
    C:\WINDOWS\setuperr.log:cylccc:$DATA 197753
    C:\WINDOWS\SYSTEM$$.VIZ:vrxfdf:$DATA 197755
    C:\WINDOWS\tgcbz.log:osityq:$DATA 3567
    [...]

A few quick commands looped through these files and dumped the hidden data to a directory where they could all be examined. Here is the syntax and an example:

    more < overt.txt:hidden > overt.txt-hidden
    more < inzrd.log:unkfpd > inzrd.log-unkfpd

It turned out that every single one of the captured ADS files was composed of binary data:

    # file *-*
    inzrd.log-unkfpd: data
    kdolg.dat-mmfptn: data
    kdolg.dat-twcmom: data
    LVMMail.INI-fmxunp: data
    OEWABLog.txt-swelkt: data
    [...]
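The Streams listing above, parsed and screened for the six-lowercase-letter stream names, as an added example that is not part of the original article. The input is a constructed sample in the layout Streams prints (host path ending in a colon, then one indented line per stream; the exact whitespace is an assumption), and the flattened single-line form seen above is accepted as well.

```python
import re

# Constructed sample of Streams output; names and sizes are those from the listing above.
STREAMS_OUTPUT = """\
Streams v1.53 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\\WINDOWS\\inzrd.log:
         :unkfpd:$DATA\t13581
C:\\WINDOWS\\kdolg.dat:
         :mmfptn:$DATA\t13581
         :twcmom:$DATA\t3567
C:\\WINDOWS\\securea.html:
         :aggfjq:$DATA\t197753
         :dovzos:$DATA\t3567
         :jmhtuw:$DATA\t3567
C:\\windows\\system32:
         :mcaa.dll:$DATA\t5392
"""

RANDOM_NAME = re.compile(r"^[a-z]{6}$")   # six lowercase letters, the pattern observed above


def parse_streams(text):
    """Return (host, stream_name, size) for every $DATA stream in Streams output."""
    entries, host = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":$DATA" not in line:
            if line.endswith(":") and "\\" in line:   # a new host file or directory
                host = line[:-1]
            continue                                  # banner and blank lines
        left, size = line.rsplit(":$DATA", 1)
        owner, _, name = left.rpartition(":")         # owner is empty on indented lines
        entries.append((owner or host, name, int(size)))
    return entries


def flag_random_names(entries):
    """Streams whose names fit the generator-looking pattern, grouped by stream size."""
    hits = {}
    for host, name, size in entries:
        if RANDOM_NAME.match(name):
            hits.setdefault(size, []).append(f"{host}:{name}")
    return hits
```

Grouping by size makes the repeated 3567/13581/197753-byte payloads visible before any of the streams are dumped.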
Even more interesting, several of them had the same MD5 hash, meaning they are exactly the same file:

    # md5sum *-* | sort
    4f233dcc8730e0275f351b66a94ff069 REGLOCS.OLD-dlytvs
    4f233dcc8730e0275f351b66a94ff069 REGLOCS.OLD-kncmup
    4f233dcc8730e0275f351b66a94ff069 securea.html-aggfjg
    4f233dcc8730e0275f351b66a94ff069 setuperr.log-cylccc
    4f233dcc8730e0275f351b66a94ff069 UNNMP.cfg-ykerdl
    58d25f15695202a7a22b5d9b1ab04420 LVMMail.INI-fmxunp
    5ecbb3c255da58b99e0ca3609a8bb4bb kdolg.dat-twcmom
    5ecbb3c255da58b99e0ca3609a8bb4bb PerWin.ini-vxhwgo
    5ecbb3c255da58b99e0ca3609a8bb4bb securea.html-dovzos
    5ecbb3c255da58b99e0ca3609a8bb4bb securea.html-jmhtuw
    ffce6fea5e4c22b4a5c21a829a1774a6 Thumbs.db-gkmmbb
    [...]

Notice how the name of each ADS object is composed of six lowercase characters. This suggests that they were all created by the same executable or DLL, using a common algorithm to generate the names. Also notice that one overt file (i.e. securea.html) can host alternate streams for multiple objects (aggfjg, dovzos, jmhtuw). Many of the files hosting the ADS (e.g. Thumbs.db) have nothing to do with the malware per se: they were created long ago as part of legitimate system processes. The malware latches on to these previously existing files and hides itself using the ADS technique. Not all anti-virus and anti-spyware programs examine data in alternate streams. Furthermore, when the malware installs itself and its components, the file system's metadata only shows that existing files were modified, not that any new items were created. Imagine an archive of malicious content being unpacked and continuously gathered on your drive without any increase in disk usage or created items. That's how this malware operates.

Interestingly, it's not the *only* way this malware operates. Upon examination of the data files, there are two common file markers: WSUD and DU2t. The first 4 bytes of every ADS object (in this case) begin with one or the other.
As for the remainder of the content, it appears encrypted or encoded. So, I ran a quick test on the normal file system (non-hidden data) to see if any files contained the same string:

    C:\>find /I "WSUD" c:\WINDOWS\*.*
    ---------- C:\WINDOWS\AMTCP.DAT
    WSUDq...2BU^ñ²ŭºq..¡.u..-6S
    ---------- C:\WINDOWS\EJRAJ.DAT
    WSUD·µÉh.@./CSðµ¶Ó.]"5JaæD
    ---------- C:\WINDOWS\SFVYA.LOG
    WSUDq...2BU^ñ²ŭºq..¡.u..-6S
    ---------- C:\WINDOWS\SMWQD.TXT
    WSUDq...2BU^ñ²ŭºq..¡.u..-6
    [...]

And likewise for the DU2t fingerprint:

    C:\>find /I "DU2t" c:\WINDOWS\*.*
    ---------- C:\WINDOWS\BROTB.LOG
    DU2t(@2AA6;4@*ZW@2.?05/.@2
    ---------- C:\WINDOWS\DIZXV.DAT
    DU2t(@2AA6;4@*ZW@2.?05/.@2
    ---------- C:\WINDOWS\GXAIO.TXT
    DU2t(@2AA6;4@*ZW@2.?05/.@2
    [...]

As in the case of the ADS object names, these follow a similar pattern. All are five lowercase characters (find converts them to uppercase in its output), with either a .LOG, .DAT, or .TXT extension. There is some supreme organization poking out of this chaos. What's the difference between a WSUD and a DU2t file? Why are some hidden in ADS and some flaunted in plain view? Best of all, what does all the encrypted data mean and where did it come from? Before attempting to derive theories, a bit of time ordering would help. It appears the malicious activity could have begun in mid-July.
Here is a quick listing of the overt .txt, .log, and .dat files, along with their modification dates, which in this case match their creation dates:

    C:\WINDOWS>dir *.txt | sort
    07/13/2005 12:39 AM 197,755 iuoss.txt
    07/19/2005 03:55 PM 3,567 crdrm.txt
    07/21/2005 03:33 PM 13,581 jzkay.txt

    C:\WINDOWS>dir *.log | sort
    07/12/2005 11:55 AM 3,567 dwzra.log
    07/14/2005 02:55 AM 197,755 seicg.log
    07/16/2005 07:13 AM 197,755 udxyt.log

    C:\WINDOWS>dir *.dat | sort
    07/21/2005 05:51 AM 13,581 wsxmz.dat
    07/21/2005 12:08 PM 13,581 ejraj.dat
    07/22/2005 06:19 AM 197,753 hdsfl.dat

Consulting the modification times of the files with ADS attached (remember that adding an ADS, or modifying a file's ADS, does update the host file's modification time), they fall in the same time periods. However, one particular file (setuperr.log) was created on July 10, two days before the first overt file (dwzra.log) on July 12. Strangely, setuperr.log is 0 bytes itself. This means the suspicious behavior could have begun as early as July 10, 2005 (assuming the mtime and ctime are accurate).

There are only two possible scenarios I can think of that will let the investigation keep moving. First, if the machine is still infected, then we might be able to observe it in live action. Otherwise, the quarantined DLL can be restored and examined statically. So, being the entirely brave individual that I am (just kidding, it's not *my* computer that is hosed), the active A/V program was disabled and mcaa.dll was released from quarantine into its original location on disk.
Immediately after this, Streams shows that it indeed latches back onto the system directory:

    C:\>streams C:\windows\system32
    C:\windows\system32:
        :mcaa.dll:$DATA 5392

mcaa.dll was copied to the archive with the rest of the data, but before I deleted the ADS, the popular AdAware and ClamAV programs were run and came up with interesting results:

Likewise, the HijackThis program did not detect the piece of malware anywhere in the full system scan log, and RootkitRevealer fails to load properly. Symantec Antivirus 12.x did detect the hidden mcaa.dll and re-quarantined it. Since mcaa.dll was backed up before scanning with Symantec, I wondered what other A/V programs would detect it (when it's not hiding in ADS). The file, named system32-mcaa.txt (to bypass mail attachment filters), was sent through VirusTotal, and they all came back negative, even Symantec:

    Scan results
    File: system32-mcaa.txt
    Date: 12/23/2005 07:01:56 (CET)
    ----
    AntiVir 6.33.0.70/20051223 found nothing
    Avast 4.6.695.0/20051222 found nothing
    AVG 718/20051223 found nothing
    [...]
    ClamAV devel-20051108/20051219 found nothing
    Symantec 8.0/20051223 found nothing
    VBA32 3.10.5/20051222 found nothing

At this point it dawned on me that my ADS preservation technique has a flaw. By using the "more" utility to read the ADS and then redirecting its output to another file, the original contents were not duplicated bit for bit. Consider the following test:

    C:\>md5sum TEST.EXE
    e0fb946c00b140693e3cf5de258c22a1 *TEST.EXE
    C:\>more < TEST.EXE > TEST-1.EXE
    C:\>md5sum TEST-1.EXE
    e24138bf09d5eac082f54279e4f1e685 *TEST-1.EXE

Instead, I used the NTFS Streams Info tool to export the ADS data from disk. This time, the DLL is a valid PE and all headers are intact. The bad news is that the VirusTotal arsenal still does not detect it. The DLL imports KERNEL32.DLL and appears to use the LoadLibraryA, GetModuleHandleA, and GetProcAddress functions. There are no other human-readable strings in the very tiny 5392-byte file.
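An added triage pass over dumped stream contents (example code written for this page, not the author's tooling) that covers the checks the text arrived at one by one: the WSUD/DU2t leading markers, MD5 grouping to spot identical payloads, a minimal PE header check, and a size comparison against the Streams listing, which is the check that would have flagged the "more <" copies before they were submitted anywhere. All payloads are constructed; the PE stand-in is valid MZ/PE headers over a zero body.

```python
import hashlib

MARKERS = (b"WSUD", b"DU2t")   # the two 4-byte markers seen at the start of the streams


def is_pe(blob):
    """Minimal PE sanity check: 'MZ' at offset 0 and the PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(blob):
    """Label a dumped stream by its leading bytes: WSUD, DU2t, PE or unknown."""
    if blob[:4] in MARKERS:
        return blob[:4].decode()
    return "PE" if is_pe(blob) else "unknown"


def triage(listing, dumps):
    """listing: stream id -> size reported by Streams; dumps: stream id -> extracted bytes.
    Returns a per-stream report and the MD5 groups shared by more than one stream."""
    report, by_hash = {}, {}
    for sid, blob in dumps.items():
        digest = hashlib.md5(blob).hexdigest()
        by_hash.setdefault(digest, []).append(sid)
        report[sid] = {
            "kind": classify(blob),
            "md5": digest,
            # a length that differs from the Streams listing means the copy is not bit-for-bit
            "size_ok": len(blob) == listing.get(sid),
        }
    dupes = {h: ids for h, ids in by_hash.items() if len(ids) > 1}
    return report, dupes


def _fake_pe(size=5392):
    """Constructed stand-in for the 5392-byte DLL: valid headers, zero body."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + (0x80).to_bytes(4, "little"))
    hdr += b"\0" * (0x80 - len(hdr)) + b"PE\0\0"
    return bytes(hdr) + b"\0" * (size - len(hdr))


# Constructed sample dumps keyed by host:stream; the bytes are not real malware content.
SAMPLE_DUMPS = {
    "securea.html:aggfjq": b"WSUD" + bytes(range(256)) * 3,
    "setuperr.log:cylccc": b"WSUD" + bytes(range(256)) * 3,   # identical to the one above
    "kdolg.dat:twcmom": b"DU2t" + b"(@2AA6;4@*ZW@2.?05/.@2",
    "system32:mcaa.dll": _fake_pe(),
    "system32:mcaa.dll(more)": _fake_pe()[:5000],              # truncated extraction
}
SAMPLE_LISTING = {k: 5392 if "mcaa.dll" in k else len(v) for k, v in SAMPLE_DUMPS.items()}
```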
This compromise goes far beyond what is described in this short article. Given the modification and creation dates, the ADS data is believed to be remnants of a previous infestation of malware. mcaa.dll is certainly malicious, but I don't think it operated alone, and without the other files I don't believe its purpose can be completely understood. For this reason, the DLL will not be explored further in this article, which is meant to focus on the topic of ADS.

In a nutshell, we learned how malware can use ADS to infect systems without creating new files or increasing disk usage. Antivirus and antispyware scanners are often crippled when they can only see part of the picture. ADS data is malformed when extracted without the right tools. We learned that chaos can lead to order, and that sometimes chaos is actually a highly coordinated organization that we just don't understand.

----

See How To Use NTFS Alternate Data Streams at Microsoft. Trend Micro describes a trojan named TROJ_SMALL.AMI that is exactly 5392 bytes in length and has many other characteristics in common with mcaa.dll. Trend states the first samples were received on July 9, 2005 (one day before our suspected infection according to the modified and created dates).