Defeating security controls in antivirus and anti-malware systems is a common goal among malware authors. There are many sophisticated techniques and an incredible level of creativity with regard to methods of defeating these systems coming from those on “the other side of the fence.”

I recently came across an interesting piece of malware (Trojan.Downloader.1301007.C-Jottix), and would like to thank our colleagues from VirusSign.org for sharing the malware binaries. In this post, we would like to share some additional details about this malware.

We executed the image through our Vinsula Execution Engine (VEE) and discovered some interesting behavior.

The highlights of the analysis:

  • The executable image is digitally signed with a proper certificate issued by Thawte.
  • As part of the execution, a file with the extension “.exe” but no name is created and launched (which is why I dubbed it “Headless Horseman”).
  • Amazon EC2 services are used for hosting the additional code that is being downloaded.

Jottix

The executable image is not packed and its properties show that it has been digitally signed by Thawte as per the following screenshots.

The signature list in the file properties indicates that the certificate was issued to “Jottix international media G. M (2007)”. A quick Google search on the signer’s name doesn’t turn up much useful information. This made me curious as to how these guys actually got a valid certificate from Thawte.

Name of signer

The certificate is valid for one year and expires on December 24th, 2013 as shown below.

Certificate is valid to

Running the main malware image triggers a chain of events. The main executable creates an executable file named “.EXE” and then launches it. After that, a few other files are created on disk and launched by the secondary “.EXE”, which in turn launches a few other processes.

This is what shows up immediately after launching the main executable.

Malware Screen 1

Malware Screen 2

Malware Screen 3

Here is the process list of all processes that have been launched as a result of starting the main malware image file.

     + virussign.com_01c358a50d12116a0f3c8b448b6c6000.exe [Process Id: 3980]
         Image Name: [C:\Temp\de63a4604b214e51a2ee67d3d6606129\virussign.com_01c358a50d12116a0f3c8b448b6c6000.exe]
         + ns737D.tmp [Process Id: 880]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns737D.tmp]
             + WMIC.exe [Process Id: 2808]
                 Image Name: [C:\Windows\System32\Wbem\WMIC.exe]
         + ns872F.tmp [Process Id: 1016]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns872F.tmp]
             + WMIC.exe [Process Id: 3396]
                 Image Name: [C:\Windows\System32\Wbem\WMIC.exe]
         + .exe [Process Id: 1108]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\.exe]
         + ns7CC1.tmp [Process Id: 1332]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns7CC1.tmp]
             + WMIC.exe [Process Id: 312]
                 Image Name: [C:\Windows\System32\Wbem\WMIC.exe]
         + ns9D62.tmp [Process Id: 1984]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns9D62.tmp]
             + cscript.exe [Process Id: 3288]
                 Image Name: [C:\windows\system32\cscript.exe]
         + ns67A9.tmp [Process Id: 2124]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns67A9.tmp]
             + WMIC.exe [Process Id: 3536]
                 Image Name: [C:\Windows\System32\Wbem\WMIC.exe]
         + iexplore.exe [Process Id: 2168]
             Image Name: [C:\Program Files\Internet Explorer\iexplore.exe]
             Image Name: [C:\Windows\System32\SearchFilterHost.exe]
             + iexplore.exe [Process Id: 3484]
                 Image Name: [C:\Program Files\Internet Explorer\iexplore.exe]
         + ns9630.tmp [Process Id: 2524]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns9630.tmp]
             + WMIC.exe [Process Id: 1884]
                 Image Name: [C:\Windows\System32\Wbem\WMIC.exe]
         + ns8F0D.tmp [Process Id: 2864]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns8F0D.tmp]
             + WMIC.exe [Process Id: 2380]
                 Image Name: [C:\Windows\System32\Wbem\WMIC.exe]
         + ns92F5.tmp [Process Id: 2896]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns92F5.tmp]
             + WMIC.exe [Process Id: 3756]
                 Image Name: [C:\Windows\System32\Wbem\WMIC.exe]
         + ns8B83.tmp [Process Id: 2916]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns8B83.tmp]
             + WMIC.exe [Process Id: 3180]
                 Image Name: [C:\Windows\System32\Wbem\WMIC.exe]
         + ns8395.tmp [Process Id: 3636]
             Image Name: [C:\Users\[UserName]\AppData\Local\Temp\nsy41C1.tmp\ns8395.tmp]
             + WMIC.exe [Process Id: 2780]
                 Image Name: [C:\Windows\System32\Wbem\WMIC.exe]

The main malware executable copies itself under a different name. The new executable is stored as “C:\Users\[UserName]\AppData\Roaming\.exe”. Notice that the image name consists only of the extension .exe; the name itself is missing. The following screenshot shows the actual call to the CopyFileA Win32 API, the call stack and the values of the two parameters – the source and destination files. It is important to note that under the hood the CopyFile* Win32 API family uses the CreateFile Win32 API.

CopyFile call

While Windows does not let a user create a file without a name, the effect can be achieved programmatically, as the following sample code illustrates. Instead of specifying a conforming name, the process that creates and copies the files specifies the extension with a leading backslash, and the OS does not block this. In the code below a file is created using the file name “c:\temp\\.exe” – notice the double backslash before “.exe”. This represents a problem with the underlying CreateFile Win32 API, which should reject this kind of malformed file name.

This allows an attacker to create and copy the Headless Horseman file, which may present a problem for many AV/security products that blindly expect every running process to have a proper name and extension.

#include <windows.h>
#include <tchar.h>

int _tmain(int argc, _TCHAR* argv[])
{
	// "c:\temp\\.exe" – the doubled backslash leaves the file with an extension but no name
	const TCHAR * pszFileName = _T("c:\\temp\\\\.exe");
	HANDLE hFile = ::CreateFile(
		pszFileName,          // file name
		GENERIC_WRITE,        // open for write
		0,                    // do not share
		NULL,                 // default security
		CREATE_ALWAYS,        // overwrite existing
		FILE_ATTRIBUTE_NORMAL,// normal file
		NULL);                // no template
	if (INVALID_HANDLE_VALUE != hFile)
	{
		//
		// Write the content of the file here....
		//

		::CloseHandle(hFile);
	}

	return 0;
}

Here is a screenshot of the executable with no name being created and later launched.

Exe with no name

This is what the headless horseman processes look like in the Task Manager.

Task Manager - .exe

Both the main malware image file and the newly created “.exe” attempt to connect to 176.34.149.95 on port 80 (http). We used http://www.mxtoolbox.com/ReverseLookup.aspx to research the IP addresses found in this sample. Interestingly, 176.34.149.95 resolves to an AWS EC2 host (ec2-176-34-149-95.eu-west-1.compute.amazonaws.com), apparently located in Ireland. Below is the geographic location of the IP.

Geo location of 176.34.149.95

Another interesting nuance captured by the Vinsula Execution Engine is that the main executable writes to the run-at-startup locations in the registry. Here is a screenshot showing the registry modification on the infected machine.

+ virussign.com_01c358a50d12116a0f3c8b448b6c6000.exe [Process Id: 3980]
         Action:NtSetValueKey Key:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Node:Value Name: Value: New Value:"C:\Users\VanDamme\AppData\Roaming\\.exe" /MODE=RUNONCE /DYNAMIC=

RunOnce Change
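As an added example (not code from the post or from Vinsula), here is a small Python check a defender could run over VEE-style process and registry events like the ones quoted above: it flags image names that consist only of an extension or carry a doubled separator, and Run/RunOnce writes whose target is such a file. The event lines and the VanDamme user name are constructed to mirror the post's output, and the line formats are assumed from the quoted snippets.

```python
import re
from pathlib import PureWindowsPath

# Constructed events in the shape of the Vinsula Execution Engine output quoted in the
# post (process image names plus the RunOnce write); not real VEE output.
SAMPLE_EVENTS = [
    r"Image Name: [C:\Users\VanDamme\AppData\Local\Temp\nsy41C1.tmp\ns737D.tmp]",
    r"Image Name: [C:\Windows\System32\Wbem\WMIC.exe]",
    r"Image Name: [C:\Users\VanDamme\AppData\Local\Temp\nsy41C1.tmp\.exe]",
    r"Image Name: [C:\Program Files\Internet Explorer\iexplore.exe]",
    r"Action:NtSetValueKey Key:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "
    r'Node:Value Name: Value: New Value:"C:\Users\VanDamme\AppData\Roaming\\.exe" /MODE=RUNONCE /DYNAMIC=',
]

IMAGE_RE = re.compile(r"Image Name: \[(?P<path>[^\]]+)\]")
REG_RE = re.compile(r'Action:NtSetValueKey Key:(?P<key>\S+).*?New Value:"(?P<value>[^"]+)"')
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

def is_headless(path):
    """True when the file name is nothing but an extension (e.g. '.exe'), or when the
    path carries a doubled separator right before the name, as the CopyFile trick does."""
    body = path.lstrip("\\")           # ignore a leading UNC '\\server' prefix
    if "\\\\" in body:
        return True
    name = PureWindowsPath(path).name  # pathlib collapses repeated separators
    return name.startswith(".") and "." not in name[1:] and len(name) > 1

def classify(line):
    """Turn one event line into a dict, marking the two Headless Horseman signs:
    a nameless process image, or Run/RunOnce persistence pointing at a nameless file."""
    m = IMAGE_RE.search(line)
    if m:
        path = m.group("path")
        return {"kind": "process", "path": path, "suspicious": is_headless(path)}
    m = REG_RE.search(line)
    if m:
        key, target = m.group("key"), m.group("value")
        autorun = key.lower().endswith(AUTORUN_SUFFIXES)
        return {"kind": "persistence", "key": key, "target": target,
                "suspicious": autorun and is_headless(target)}
    return None

def suspicious_events(lines):
    """Return only the events worth an analyst's attention."""
    return [ev for ev in map(classify, lines) if ev and ev["suspicious"]]

if __name__ == "__main__":
    for ev in suspicious_events(SAMPLE_EVENTS):
        print(ev)
```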

This sample uses a third-party component. After disassembling Ipconfig.dll, it is clear that it is actually the NSIS IpConfig plugin. For more details see http://nsis.sourceforge.net/IpConfig plugin.

The hashes of the files related to this sample are copied below.
