Archive for the ‘Victimware Analysis’ Category

Malware Analysis Patterns (Part 23)

Sunday, February 10th, 2013

Out-of-Module Pointer pattern is about pointers to addresses outside the container module range. Typical example here would be some kernel table or structure, for example, a driver IRP dispatch table having pointers to outside that driver module address range. Other examples may include 32-bit SSDT pointing outside nt module range and IDT entries pointing outside hal and expected drivers:

[...]
818809dc 8193c4e7 nt!NtQueryOpenSubKeys
818809e0 8193c76b nt!NtQueryOpenSubKeysEx
818809e4 81a909b0 nt!NtQueryPerformanceCounter
818809e8 819920e7 nt!NtQueryQuotaInformationFile
818809ec 819e34f2 nt!NtQuerySection
818809f0 819f470b nt!NtQuerySecurityObject
818809f4 81a882fe nt!NtQuerySemaphore
818809f8 819eff54 nt!NtQuerySymbolicLinkObject
818809fc 81a8a223 nt!NtQuerySystemEnvironmentValue
81880a00 81a8a831 nt!NtQuerySystemEnvironmentValueEx
81880a04 96ca1a73
81880a08 81a7ac06 nt!NtQuerySystemTime
81880a0c 81a8f913 nt!NtQueryTimer
81880a10 81a7aeeb nt!NtQueryTimerResolution
81880a14 8193985a nt!NtQueryValueKey
81880a18 819e9273 nt!NtQueryVirtualMemory
81880a1c 8199274e nt!NtQueryVolumeInformationFile
81880a20 81a1a655 nt!NtQueueApcThread
[…]

0: kd> lm m nt
start end module name
81800000 81ba1000 nt

Such pointers may also be Raw Pointers but it also could be the case that all pointers are raw in the absence of symbols with only a few outside of the expected range.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 22)

Saturday, February 9th, 2013

Raw Pointer pattern is about pointers without matching symbol files. They may be in the expected module range or in some other known module range in the form of module+offset or can be completely out of range of any module from the loaded module list and therefore just a number. For example, usually we have certain structures or arrays (tables) where we expect pointers with matching symbols such as IAT, IDT and 32-bit SSDT where an occurrence of a raw pointer immediately triggers a suspicion such as in this Import Address Table from ProcessA:

[...]
00000001`3f8a9048 00000000`76e282d0 ntdll!RtlSizeHeap
00000001`3f8a9050 00000000`76bf9070 kernel32!GetStringTypeWStub
00000001`3f8a9058 00000000`76c03580 kernel32!WideCharToMultiByteStub
00000001`3f8a9060 00000000`76e33f20 ntdll!RtlReAllocateHeap
00000001`3f8a9068 00000000`76e533a0 ntdll!RtlAllocateHeap
00000001`3f8a9070 00000000`76bfc420 kernel32!GetCommandLineWStub
00000001`3f8a9078 00000001`3f8a1638 ProcessA+0×10ac
00000001`3f8a9080 00000000`76c2cc50 kernel32!IsProcessorFeaturePresent
00000001`3f8a9088 00000000`76c02d60 kernel32!GetLastErrorStub
00000001`3f8a9090 00000000`76c02d80 kernel32!SetLastError
00000001`3f8a9098 00000000`76bf3ee0 kernel32!GetCurrentThreadIdStub
[…]

Note that structures are not limited to the above and can me any OS or even application specific structure where we have symbol files. Raw pointers that are outside of expected module range are covered in the next pattern.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 21)

Saturday, February 9th, 2013

Hooksware pattern originally came from memory dump analysis pattern catalog and is too general for malware analysis pattern catalog. So we decided to factor out 3 separate patterns. The first one is called Patched Code and includes cases such as in-place patching:

0:004> u ntdll!ZwQueryDirectoryFile
ntdll!ZwQueryDirectoryFile:
77814db4 b8da000000      mov     eax,0DAh
77814db9 bae8af0500      mov     edx,5AFE8h
77814dbe ff12            call    dword ptr [edx]
77814dc0 c22c00          ret     2Ch
77814dc3 90              nop
ntdll!NtQueryDirectoryObject:
77814dc4 b8db000000      mov     eax,0DBh
77814dc9 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
77814dce ff12            call    dword ptr [edx]

and detour patching:

0:004> u wininet!InternetReadFile
wininet!InternetReadFile:
7758654b e98044ac88      jmp     0004a9d0
77586550 83ec24          sub     esp,24h
77586553 53              push    ebx
77586554 56              push    esi
77586555 57              push    edi
77586556 33ff            xor     edi,edi
77586558 393db8116277    cmp     dword ptr [wininet!GlobalDataInitialized (776211b8)],edi
7758655e 897df4          mov     dword ptr [ebp-0Ch],edi

In case of WinDbg such pattern is usually detected on the crash spot such as from RIP Stack Trace or from !chkimg command output.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 20)

Tuesday, February 5th, 2013

As usual a new pattern arises with the need to communicate analysis findings. Most often when analyzing malware we don’t have symbol files (No Component Symbols) for an Unknown Module. By looking at IAT (if any present) we can guess module purpose. Sometimes a module itself is not malicious but is used in the larger malicious context such as screen grabbing:

[...]
10002000  76376101 gdi32!CreateCompatibleDC
10002004  763793d6 gdi32!StretchBlt
10002008  76377461 gdi32!CreateDIBSection
1000200c  763762a0 gdi32!SelectObject
10002010  00000000
10002024  77429ced user32!ReleaseDC
10002028  77423ba7 user32!NtUserGetWindowDC
1000202c  77430e21 user32!GetWindowRect
10002030  00000000
10002034  744a75e9 GdiPlus!GdiplusStartup
10002038  744976dd GdiPlus!GdipSaveImageToStream
1000203c  744cdd38 GdiPlus!GdipGetImageEncodersSize
10002040  744971cf GdiPlus!GdipDisposeImage
10002044  744a8591 GdiPlus!GdipCreateBitmapFromHBITMAP
10002048  744cdbae GdiPlus!GdipGetImageEncoders
[...]

There are also cases where these API names are not in IAT but found as String Hint in raw data such LoadLibrary / GetProcAddress and even a group of modules themselves as a collective API:

[...]
00058e20  "kernel32.dll"
00058e3c  "user32.dll"
00058e54  "ws2_32.dll"
00058e6c  "ntdll.dll"
00058e80  "wininet.dll"
00058e98  "nspr4.dll"
00058eac  "ssl3.dll"
[...]

We name this pattern Namespace.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 18)

Friday, February 1st, 2013

This pattern (we call it String Hint) covers traces of ASCII and UNICODE strings that look suspicious such as website, password and HTTP forms or strange names that intuitively shouldn’t be present according to the purpose of a module or its container process (example is taken from Victimware presentation case study):

0:005> s-sa 00040000 L1d000
0004004d  "!This program cannot be run in D"
0004006d  "OS mode."
00040081  "3y@"
000400b8  "Rich"
000401d0  ".text"
000401f7  "`.rdata"
0004021f  "@.data"
00040248  ".reloc"
[...]
00054018  "GET /stat?uptime=%d&downlink=%d&"
00054038  "uplink=%d&id=%s&statpass=%s&comm"
00054058  "ent=%s HTTP/1.0"
000540ac  "%s%s%s"
000540d8  "ftp://%s:%s@%s:%d"
000540fc  "Accept-Encoding:"
00054118  "Accept-Encoding:"
00054130  "0123456789ABCDEF"
00054144  "://"
00054160  "POST %s HTTP/1.0"
00054172  "Host: %s"
0005417c  "User-Agent: %s"
0005418c  "Accept: text/html"
0005419f  "Connection: Close"
000541b2  "Content-Type: application/x-www-"
000541d2  "form-urlencoded"
000541e3  "Content-Length: %d"
000541fc  "id="
00054208  "POST %s HTTP/1.1"
0005421a  "Host: %s"
00054224  "User-Agent: %s"
00054234  "Accept: text/html"
00054247  "Connection: Close"
0005425a  "Content-Type: application/x-www-"
0005427a  "form-urlencoded"
0005428b  "Content-Length: %d"
000542a4  "id=%s&base="
000542b8  "id=%s&brw=%d&type=%d&data="
000542d8  "POST %s HTTP/1.1"
000542ea  "Host: %s"
000542f4  "User-Agent: %s"
00054304  "Accept: text/html"
00054317  "Connection: Close"
0005432a  "Content-Type: application/x-www-"
0005434a  "form-urlencoded"
0005435b  "Content-Length: %d"
00054378  "id=%s&os=%s&plist="
00054390  "POST %s HTTP/1.1"
000543a2  "Host: %s"
000543ac  "User-Agent: %s"
000543bc  "Accept: text/html"
000543cf  "Connection: Close"
000543e2  "Content-Type: application/x-www-"
00054402  "form-urlencoded"
00054413  "Content-Length: %d"
00054430  "id=%s&data=%s"
00054440  "POST %s HTTP/1.1"
00054452  "Host: %s"
0005445c  "User-Agent: %s"
0005446c  "Accept: text/html"
0005447f  "Connection: Close"
00054492  "Content-Type: application/x-www-"
000544b2  "form-urlencoded"
000544c3  "Content-Length: %d"
000544e0  "GET %s HTTP/1.0"
000544f1  "Host: %s"
000544fb  "User-Agent: %s"
0005450b  "Connection: close"
00054528  "POST /get/scr.html HTTP/1.0"
00054545  "Host: %s"
0005454f  "User-Agent: %s"
0005455f  "Connection: close"
00054572  "Content-Length: %d"
00054586  "Content-Type: multipart/form-dat"
000545a6  "a; boundary=--------------------"
000545c6  "-------%d"
000545d4  "-----------------------------%d"
000545f8  "%sContent-Disposition: form-data"
00054618  "; name="id""
00054630  "%sContent-Disposition: form-data"
00054650  "; name="screen"; filename="%d""
00054670  "Content-Type: application/octet-"
00054690  "stream"
000546a0  "%s(%d) : %s"
000546ac  "%s failed with error %d: %s"
000546c8  "%02X"
000546d8  "BlackwoodPRO"
000546e8  "FinamDirect"
000546f4  "GrayBox"
000546fc  "MbtPRO"
00054704  "Laser"
0005470c  "LightSpeed"
00054718  "LTGroup"
00054720  "Mbt"
00054724  "ScotTrader"
00054730  "SaxoTrader"
00054740  "Program:   %s"
0005474f  "Username:  %s"
0005475e  "Password:  %s"
0005476d  "AccountNO: %s"
[...]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Static Code Analysis Patterns (Part 1)

Friday, January 11th, 2013

Static program analysis is used to eliminate certain coding errors that may lead to abnormal software behaviour. So it is naturally a part of software diagnostics but at source code level. Our goal here is to identify certain patterns directly linkable to patterns we see in memory dumps and software logs and collect them into a catalog. One such pattern candidate is called Loop Construct. It covers conditional and unconditional loops, for example, in one of modern languages:

extern bool soonToBeTrue; 
int mediumValue = ...;
while (true)

{

  TRACE("Waiting");

  sleep(mediumValue);

  if (soonToBeTrue)

  {

    break;

  }

  doHeavyWork();

}
while (--pControl->aFewPasses)

{

  TRACE("Waiting");

  sleep(mediumValue);

  doHeavyWork();

}

Such loops may potentially lead to Spiking Thread memory dump analysis and High Message Current and Density trace analysis patterns. Of course, we shouldn’t suspect every loop but only some that have potential to be altered by Local Buffer Overflow (for mediumValue) or Shared Buffer Overwrite (for Control.aFewPasses) or by a race condition (soonToBeTrue).

We expect things to get more interesting when we start associating source code that uses certain API with patterns of abnormal behavior.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

2008-2012 in Retrospection

Friday, January 4th, 2013

Before deciding on whether to retrospect on 2012 we found that since March 14, 2008 this site has had more than 1 million visitors with more than 33% returning. So instead of just 2012 we decided to retrospect on that interval up to December 31, 2012. Google Analytics has improved since last January, 2012 and now made our task easier. So we start with the first one hundred sites referring to us:


Source / Medium

Visits

google

698156

(direct)

164142

bing

27923

google.com

17868

windbg.org

12994

yahoo

8682

stackoverflow.com

7194

yandex

5985

windbg.dumpanalysis.org

5375

dumpanalysis.com

5369

live

5310

google.co.in

4598

blogs.msdn.com

4385

baike.baidu.com

3475

twitter.com

2972

facebook.com

2733

dumpanalysis.org

2708

images.google.com

2314

t.co

2095

baidu

1916

winvistaclub.com

1862

google.co.uk

1449

advancedwindowsdebugging.com

1427

jasonhaley.com

1370

search

1328

rsdn.ru

1294

en.wikipedia.org

1276

msn

1256

nynaeve.net

1256

blog.codeimproved.net

1213

google.de

1074

google.ca

979

reddit.com

951

bytetalk.net

908

citrixblogger.org

819

stumbleupon.com

819

linkedin.com

780

social.technet.microsoft.com

774

analyze-v.com

757

naver

750

forum.sysinternals.com

735

google.ru

710

blogs.microsoft.co.il

693

kumo.com

678

google.co.kr

658

google.com.au

654

blog.naver.com

646

reconstructer.org

645

community.citrix.com

632

blog.not-a-kernel-guy.com

604

itdatabase.com

601

advanceddotnetdebugging.com

581

serverfault.com

564

voneinem-windbg.blogspot.com

561

support.citrix.com

555

debuggingexperts.com

549

blog.miniasp.com

527

google.fr

495

caloni.com.br

488

google.com.br

479

ask

459

msuiche.net

439

insidewindows.kr

432

google.es

430

gynvael.coldwind.pl

430

blog.flexilis.com

429

aol

418

netfxharmonics.com

416

advdbg.org

413

images.google.co.uk

401

google.it

391

images.google.co.in

391

google.nl

354

serious-code.net

340

admin.itdatabase.com

337

blogs.technet.com

334

brianmadden.com

327

google.pl

319

google.com.ua

318

experts-exchange.com

316

delicious.com

312

images.google.de

305

opentask.com

301

codemachine.com

296

driveronline.org

287

google.com.tw

282

wasm.ru

275

debuglab.com

265

isisaka.com

262

literatescientist.com

261

blog.zoller.lu

258

shellexecute.wordpress.com

257

google.com.hk

256

managementbits.com

253

d.hatena.ne.jp

251

bloglines.com

249

google.com.tr

248

clausbrod.de

246

bing.com

243

Next table is distribution of visits among countries:


Country / Territory

Visits

United States

342291

India

89303

United Kingdom

76131

Russia

46472

Germany

44472

China

40155

Canada

34781

Japan

24985

France

24084

South Korea

21056

Australia

20606

Taiwan

17949

Netherlands

15607

Ireland

15579

Israel

13514

Ukraine

13449

Italy

12542

Brazil

11834

Spain

11786

Singapore

11703

Sweden

11201

Poland

10340

Romania

9423

(not set)

8909

Czech Republic

8355

Belgium

6731

Switzerland

6624

Finland

6596

Norway

5585

Malaysia

5289

Philippines

5052

Austria

5046

Denmark

4980

Hong Kong

4914

Turkey

4728

Slovakia

4599

New Zealand

4369

Portugal

4228

Argentina

3712

Belarus

3518

Hungary

3465

Bulgaria

3301

Mexico

2960

South Africa

2945

Vietnam

2721

Greece

2712

Indonesia

2527

Croatia

1881

Serbia

1843

Iran

1842

Thailand

1726

Pakistan

1660

Egypt

1519

Malta

1422

Estonia

1385

Slovenia

1334

Lithuania

1304

United Arab Emirates

1167

Chile

1104

Saudi Arabia

1096

Colombia

1067

Latvia

922

Kazakhstan

725

Peru

649

Morocco

585

Sri Lanka

516

Luxembourg

516

Moldova

439

Uruguay

435

Venezuela

431

Jordan

425

Tunisia

425

Bolivia

418

Armenia

371

Algeria

362

Costa Rica

355

Iceland

353

Panama

352

Macedonia [FYROM]

347

Bosnia and Herzegovina

327

Cyprus

317

Bangladesh

314

Nigeria

298

Puerto Rico

296

Jamaica

251

Ecuador

248

Kuwait

239

Lebanon

218

Qatar

217

Kenya

195

Georgia

194

Mongolia

189

Dominican Republic

163

Macau

156

Trinidad and Tobago

147

Bahrain

143

Uzbekistan

142

Guatemala

141

Azerbaijan

134

Mauritius

128

Oman

117

Nepal

110

El Salvador

106

Syria

103

Iraq

102

Ghana

96

Kyrgyzstan

86

Cambodia

72

Albania

71

Serbia and Montenegro

63

Ethiopia

63

Uganda

61

Brunei

57

Honduras

55

Isle of Man

55

Yemen

55

Cuba

54

Sudan

54

Palestinian Territories

52

Barbados

49

Myanmar [Burma]

48

Paraguay

45

Liechtenstein

43

Montenegro

43

Rwanda

42

Libya

41

Namibia

41

Jersey

40

Maldives

40

Turks and Caicos Islands

39

Bermuda

38

Zimbabwe

34

Fiji

32

Nicaragua

32

Tanzania

29

Réunion

27

Gibraltar

26

New Caledonia

26

Bahamas

25

Monaco

25

Netherlands Antilles

24

Aruba

24

Botswana

24

Cayman Islands

23

Angola

22

Madagascar

20

Guam

19

Afghanistan

17

Côte d’Ivoire

17

Papua New Guinea

17

Dominica

16

Guernsey

16

Guyana

16

Suriname

16

Andorra

14

Belize

14

Congo [DRC]

14

Lesotho

14

Mozambique

13

Antigua and Barbuda

12

Laos

12

French Polynesia

11

Zambia

11

Saint Lucia

10

San Marino

10

Senegal

10

Saint Vincent and the Grenadines

10

Benin

9

Guinea

9

Guadeloupe

9

Malawi

9

Turkmenistan

9

U.S. Virgin Islands

8

Faroe Islands

7

Grenada

7

Haiti

7

British Virgin Islands

7

Cameroon

6

French Guiana

6

Greenland

6

Martinique

6

Seychelles

6

Timor-Leste

6

Mali

5

Tajikistan

5

Gabon

4

Anguilla

3

Å land Islands

3

Swaziland

3

Burundi

2

Congo [Republic]

2

Cape Verde

2

Djibouti

2

Saint Kitts and Nevis

2

Liberia

2

Somalia

2

Togo

2

Vanuatu

2

Burkina Faso

1

Bhutan

1

Falkland Islands [Islas Malvinas]

1

Gambia

1

Equatorial Guinea

1

Guinea-Bissau

1

Comoros

1

Mauritania

1

Palau

1

Sierra Leone

1

Vatican City

1

Samoa

1


Then the first 100 network locations:

Service Provider

Visits

microsoft corp

33646

comcast cable communications inc.

18544

road runner holdco llc

16529

internet service provider

12815

comite gestor da internet no brasil

10995

hewlett-packard company

10961

deutsche telekom ag

9889

japan network information center

9746

verizon internet services inc.

7851

network of citrix systems inc

6945

intel corporation

6873

symantec corporation

6812

chunghwa telecom data communication business group

6381

ip pools

6314

insignium llc

6206

reliance communications ltd

5870

charter communications

5583

uunet non-portable customer assignment

4931

verizon online llc

4900

comcast cable communications holdings inc

4700

at&t internet services

4617

eircom

4567

cox communications

4540

proxad / free sas

4451

korea telecom

4397

abts (karnataka)

4251

nib (national internet backbone)

4243

chinanet guangdong province network

4189

comcast cable communications

3896

unknown

3279

xo communications

3274

chinanet shanghai province network

3248

shaw communications inc.

3179

qwest communications company llc

3156

telstra internet

3130

tw telecom holdings inc.

3091

citrix systems inc.

3029

data general corporation

2998

cox communications inc.

2946

bellsouth.net inc.

2925

optimum online (cablevision systems)

2853

china unicom beijing province network

2850

chtd chunghwa telecom co. ltd.

2791

krnic

2786

ntt communications corporation

2779

psinet inc.

2599

emc corporation

2499

comcast cable communications ip services

2435

arcor ag

2371

cisco systems inc.

2364

(not set)

2335

broadband multiplay project o/o dgm bb noc bsnl bangalore

2285

research in motion limited

2283

samtel

2257

rcs & rds s.a.

2246

computer associates international

2166

honeywell international inc.

2106

telus communications inc.

2103

customers ie

1954

sympatico hse

1929

comcast business communications llc

1853

telefonica de espana sau

1843

iinet limited

1840

ziggo consumers

1810

easynet ltd

1758

comcast business communications inc.

1738

microsoft

1717

kaspersky lab internet

1698

appense

1687

chinanet jiangsu province network

1665

dell computer corporation

1656

eircom ltd

1644

taipei taiwan

1612

abts tamilnadu

1594

network of ign arch. and design gb

1578

starhub cable vision ltd

1555

wipro technologies

1537

level 3 communications inc.

1522

tpg internet pty ltd.

1510

siemens ag

1483

microsoft corporation

1478

global crossing

1433

singnet pte ltd

1429

dynamic pools

1426

this space is statically assigned.

1425

videsh sanchar nigam ltd - india.

1414

provider local registry

1403

abts delhi

1385

qwest communications corporation

1356

kla instruments corp.

1316

telia network services

1311

cncgroup beijing province network

1278

frontier communications of america inc.

1264

telecom italia s.p.a. tin easy lite

1257

videotron ltee

1255

oracle datenbanksysteme gmbh

1234

neostrada plus

1228

suddenlink communications

1214

dynamic ip pool for broadband customers

1202

eset s.r.o.

1200

Then the first 100 search keywords and phrases that led to us:


Keyword

Visits

(not provided)

53903

kifastsystemcallret

10644

crash dump analysis

10348

crash dump

9863

ntdll!kifastsystemcallret

4305

dump analysis

4143

adplus

3332

win32 error 0n2

2553

windbg commands

2198

memory dump analysis

2183

windbg

2131

crash dumps

1825

dumpanalysis.org

1818

nt!_gshandlercheck_seh

1734

dmitry vostokov

1718

crashdump

1683

symbol file could not be found

1669

bugcheck 3b

1458

memory dump analysis anthology

1393

crash dump analyzer

1360

warning: frame ip not in any known module. following frames may be wrong.

1347

windbg cheat sheet

1318

windbg crash dump analysis

1271

minidump analysis

1259

adplus download

1214

core dump analysis

1167

fnodobfm

1159

dumpanalysis

1142

windows 7 crash dump

1142

windbg analyze

1118

kisystemservicecopyend

1066

frame ip not in any known module

1010

getcontextstate failed, 0×80070026

949

crash dump windows 7

930

the stored exception information can be accessed via .ecxr.

925

windbg script

922

error: symbol file could not be found

912

vista crash dump

895

windows crash dump analysis

888

system_thread_exception_not_handled

857

анализ дампа памяти

857

dump analyzer

847

дамп памяти

821

pool corruption

820

time travel debugging

776

system_service_exception

772

kernel_mode_exception_not_handled

741

ntdll kifastsystemcallret

741

the stored exception information can be accessed via .ecxr

734

kmode_exception_not_handled

726

trap frame

719

idna trace

695

windbg crash dump

694

kiuserexceptiondispatcher

691

minidump analyzer

672

bugcheck 7e

670

kernel32!pnlsuserinfo

643

windbg scripts

641

rtlpwaitoncriticalsection

635

minidump

628

bugcheck system_service_exception

621

exception_double_fault

597

warning: stack unwind information not available. following frames may be wrong.

584

application_fault_status_breakpoint

583

crash dump vista

582

memory dump analysis tool

576

getcontextstate failed, 0xd0000147

575

memoretics

544

dumpanalysis.org/asmpedia

537

failure_bucket_id

524

“dec 15″ module windbg

511

error: symbol file could not be found.

511

download adplus

507

basethreadinitthunk

505

dr watson vista

505

ntkrnlmp.exe crash dump

499

ntdll.dll!kifastsystemcallret

492

rtlplowfragheapfree

488

analyze minidump

477

adplus tutorial

473

application_hang_blockedon_fileio

468

bios disassembly ninjutsu uncovered

460

ntdll.kifastsystemcallret

460

analyze crash dump

459

windows dump analysis

459

debug_flr_image_timestamp

456

system_thread_exception_not_handled (7e)

456

windbg dump analysis

446

windbg hang

438

windows debugging: practical foundations

434

crash dump analysis windbg

432

dynamicbase aslr

422

crash dump analysis tool

419

nt!kebugcheckex

414

rtluserthreadstart

414

type referenced: kernel32!pnlsuserinfo

407

error: symbol file could not be found. defaulted to export symbols for ntkrnlmp.exe

405

memory dump

403

warning: frame ip not in any known module. following frames may be wrong

399

application_hang_busyhang

398

Then browser stats (we have never thought that there are so many of them):


Browser

Visits

Internet Explorer

446051

Firefox

356686

Chrome

184535

Opera

45787

Safari

24123

Mozilla

3780

Mozilla Compatible Agent

2401

Android Browser

1337

Konqueror

1057

IE with Chrome Frame

982

Opera Mini

705

SeaMonkey

503

Safari (in-app)

197

Lunascape

144

BlackBerry8900

128

Camino

126

RockMelt

124

(not set)

96

Netscape

72

Playstation 3

36

IUC

34

Googlebot

29

Lynx

24

Unsupported Browser Version

22

BlackBerry9630

21

NetFront

17

BlackBerry9700

15

Microsoft-Symbol-Server

14

BlackBerry9000

12

Galeon

11

Midori

9

NokiaE63

9

Yahoo! Slurp

9

BlackBerry8530

8

BlackBerry8520

7

PagePeeker.com

7

SAMSUNG-SGH-I617

7

BlackBerry9530

6

JUC

6

MSR-ISRCCrawler

6

OpenWave

6

anonimo

5

BlackBerry9300

5

HTC_HD2_T8585 Opera

5

Nokia5233

5

Space Bison

5

-Vasya

4

Blazer

4

Uzbl

4

-^_^- Hello :)

3

<?echo ‘<pre>’; system

3

12345

3

BlackBerry9330

3

BlackBerry9650

3

HTC_P3700 Opera

3

HTC_TyTN_II Mozilla

3

NOKIAN78

3

Playstation Portable

3

PPC; 240×320; HTC_P3450

3

undefined GoogleToolbarBB

3

anonymous

2

Empty

2

GreatBrowse

2

Helyi user agent

2

HTC_Touch_Pro2_T7373 Opera

2

HTC_Touch2_T3333 Opera

2

J2ME

2

Mozilla 5.0

2

NokiaC1-01

2

NokiaC3-00

2

NokiaC7-00

2

NokiaX2-01

2

nwzfq

2

test

2

1

?M5

1

“PagePeeker.com”

1

<?include

1

<script>alert

1

<SCRIPT>window.location=’http:

1

2.0.0.11

1

31337′

1

8900b

1

AltaVista Intranet V2.0 evreka.com crawler@evreka.com

1

annoying

1

AppEngine-Google;

1

BlackBerry9500

1

BlackBerry9550

1

bwh3_user_agent

1

Citrix

1

EBABrowser

1

EY

1

fake_user_agent Mozilla

1

FAST Enterprise Crawler 6 used by Reed Exhibitions

1

foo

1

General Browser

1

GOOGLEBOT

1

HD_mini_T5555 Opera

1

Hellbrowser 6.66

1

holy_teacher FirePHP

1

HTC_P3490 Opera

1

HTC_P4550 Mozilla

1

HTC_Polaris Mozilla

1

HTC_Touch_3G_T3232 Opera

1

HTC_Touch_HD_T8282 Opera

1

HTC_Touch_Pro_T7272 Opera

1

HTC_Touch2_T3320 Opera

1

HTC-8900

1

IE 8

1

IE6

1

iTunes

1

Keep Out

1

KraftwayBrowser2

1

Links

1

Maemo Browser

1

Medusa

1

MERONG

1

Motorola_ES405B

1

mozilla

1

Mozilla Firefox

1

MS-OC 4.0

1

msie

1

NCSA Mosaic

1

NightDynamo AdminPanel v0.2.1

1

Nokia2700c-2

1

Nokia2730c-1

1

Nokia305

1

Nokia5230

1

Nokia5310XpressMusic

1

Nokia5800 XpressMusic

1

Nokia6300

1

Nokia6700c-1

1

NokiaC2-01

1

NokiaC2-02

1

NokiaC2-03

1

NokiaC5-03

1

nokiac6-00

1

NokiaC6-00

1

NOKIAE65

1

NokiaE66

1

NokiaE71

1

NokiaE71-2;Mozilla

1

NokiaE72-1

1

NokiaN-GageQD

1

NokiaN70-1

1

NokiaNokia 6210s

1

NoneOfYourBusiness

1

nothisname_wangxiaoyang3

1

OmniWeb

1

Palm750

1

Peeplo Screenshot Bot

1

PerTrUsTsQuiD

1

pippos.7

1

PPC; 480×800; HTC_Touch_HD_T8282; OpVer 34.159.1.612

1

PriceGoblin User Agent

1

Private

1

Privoxy

1

Read Later

1

SAMSUNG-GT-E2222

1

samsung-gt-s3653

1

samsung-gt-s3653 UNTRUSTED

1

SAMSUNG-S8000

1

SAMSUNG-SGH-I637

1

Samsung-SPHM540 Polaris

1

SmallProxy 3.5.4

1

SonyEricssonK750

1

Surf

1

tdhbrowser

1

TiFiC Client Z

1

union update table sd_users set userid=9 where username=’coco

1

unknown

1

Unknown

1

UNTRUSTED

1

Updownerbot

1

WIN

1

WinXP SP2

1

Wlwap

1

WM5 PIE

1

Xda_orbit_2; 240×320

1

Xyi znat kakoi browser MRA 5.7

1

ZooShot 0.1a

1

ZooShot 0.42

1

and finally mobile devices stats (you may find your own device there):


Mobile Device Info

Visits

Apple iPhone

2292

Apple iPad

1940

(not set)

1099

Samsung GT-I9100 Galaxy S II

167

Apple iPod Touch

112

Asus Eee Pad Transformer TF101

112

SonyEricsson LT15i Xperia Arc

94

Motorola Xoom

47

Samsung Galaxy Nexus

47

Samsung GT-I9000 Galaxy S

34

Samsung GT-P7510 Galaxy Tab 10.1

30

Google Nexus S Samsung Nexus S

26

HTC EVO 4G

26

Google Nexus 7

21

RIM BlackBerry Bold Touch 9900 Dakota

21

Samsung GT-N7000 Galaxy Note

21

Acer A500 Picasso

17

Asus Eee Pad TF201 Transformer Prime

17

HTC Desire HD

17

Motorola DroidX

17

Motorola XT862 Droid 3

17

Samsung GT-S5830 Galaxy Ace

17

Samsung SGH-I747 Galaxy SIII

17

Samsung SGH-i917 Omnia 7

17

Verizon Droid2

17

Google Nexus One

13

Google Nexus One HTC Nexus One

13

HTC ADR6300 Incredible

13

Motorola Droid 2

13

Samsung GT-P7500 P4

13

Samsung SHW-M250K GALAXY S II (KT)

13

Apple iPod

9

BlackBerry 9780

9

BlackBerry 9800 Torch

9

Dell Venue Pro

9

HTC Desire

9

HTC G2 HTC Sappire

9

HTC HD7

9

HTC T9292 HD7

9

Motorola MB860 Atrix

9

Nokia E63

9

RIM BlackBerry 8530 Curve

9

Samsung GT-I9001

9

Samsung GT-I9300 Galaxy S3

9

Samsung GT-N8000 Galaxy Note 10.1

9

Samsung GT-P1000 Galaxy Tab

9

Sharp IS03 IS03 for KDDI

9

T-Mobile myTouch4G

9

Toshiba AT100

9

ZTE N860

9

Acer A101 Vangogh

4

Acer A200 Picasso_E

4

Acer Acer E310 Liquid Mini

4

Asus TF300T Transformer Pad TF300T

4

BlackBerry 8520 Curve

4

BlackBerry 9900 Dakota

4

DoCoMo L-05D Optimus it

4

DoCoMo P502i

4

Fujitsu F-12C F-12C for DoCoMo

4

Google Nexus S

4

Google Wireless Transcoder

4

HTC A8181 Desire

4

HTC ADR6350 Droid Incredible 2

4

HTC ADR6400L Thunderbolt

4

HTC ADR6400L Thunderbolt 4G

4

HTC APC715CKT EVO Design 4G

4

HTC Bravo

4

HTC Desire X0H6T

4

HTC Glacier

4

HTC Incredible S Incredible S

4

HTC Inspire 4G

4

HTC ISW12HT EVO 3D ISW12HT for KDDI

4

HTC Mozart 7 Mozart

4

HTC PC36100 EVO 4G

4

HTC PJ83100 One X

4

HTC Radar 4G

4

HTC S510e Desire S

4

HTC T7380 TouchFLO

4

HTC X515 EVO 3D

4

Huawei M860 Ascend

4

Huawei u8800 Ideos X5

4

kddi ISW11HT HTC EVO WiMAX ISW11HT for KDDI

4

LG C900 Quantum

4

LG E900 Optimus 7

4

LG LS670 Optimus S

4

LG MS690 Optimus M

4

LG VM670 Optimus V

4

LG VS910 4G Revolution

4

Motorola A953 MILESTONE 2

4

Motorola ISW11M PHOTON ISW11M for KDDI

4

Motorola MB501

4

Motorola MB525 DEFY

4

Motorola MB611

4

Motorola MOTXT912B Droid Razr 4G

4

Motorola MZ601 Xoom

4

Motorola MZ604 Xoom

4

Motorola MZ605 Xoom

4

Motorola xt875 Droid Bionic

4

Nokia 5800d XpressMusic

4

Nokia C3-00

4

Nokia C5-03 C5

4

Nokia C6-00

4

Nokia Lumia 710

4

Nokia Lumia 800

4

RIM BlackBerry 9300 Curve 3G

4

RIM BlackBerry 9700 Bold

4

RIM BlackBerry 9800 Torch

4

RIM Blackberry Bold Touch 9930

4

Samsung GT i5700 Galaxy Spica

4

Samsung GT I9000T Galaxy S

4

Samsung GT-I9100G Galaxy S II

4

Samsung GT-I9100P Galaxy S II NFC

4

Samsung GT-I9103

4

Samsung GT-I9300 Galaxy SIII

4

Samsung GT-N8010 Galaxy Note 10.1

4

Samsung GT-P7500 Galaxy Tab 10.1

4

Samsung SCH-I500 Fascinate

4

Samsung SCH-I535 4G Galaxy SIII

4

Samsung SGH-i717 Galaxy Note

4

Samsung SGH-I747 Galaxy S3

4

Samsung SGH-I777

4

Samsung SGH-I777 Galaxy S II

4

Samsung SGH-I897 Galaxy S Captivate

4

Samsung SHW-M250S GALAXY S II (SKT)

4

Samsung SPH-D700 Epic 4G

4

Samsung SWH-M110S

4

Sharp 003SH Sharp Galapagos 003SH for SoftBank

4

Softbank 001DL DELL Streak

4

SonyEricsson LT26i Xperia Arc HD

4

Xiaomi MI-ONE Plus M1 Plus

4


- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware: A Definition

Saturday, December 29th, 2012

Here we provide a definition of malware that highlights the importance of structural and behavioral patterns:

Malware: software that uses planned alteration of structure and behaviour of software to serve malicious purposes.

Notice the recursive character of that definition that includes self-modifying malware and also rootkits where a malicious purpose is to conceal.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 2)

Saturday, December 29th, 2012

As was announced earlier we start cataloguing elemental malware detection and analysis patterns. We skip Part 1 because we assign Deviant Module to it. Part 2 deals with Fake Module pattern where one of loaded modules masquerades as a legitimate system DLL or a widely known value adding DLL from some popular 3rd party product. To illustrate this pattern we modeled it as Victimware: a process crashed after loading a malware module:

0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0026f978 00000001`3f89103a 0x0
00000000`0026f980 00000001`3f8911c4 FakeModule!wmain+0x3a
00000000`0026f9c0 00000000`76e3652d FakeModule!__tmainCRTStartup+0x144
00000000`0026fa00 00000000`7752c521 kernel32!BaseThreadInitThunk+0xd
00000000`0026fa30 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

When we inspect loaded modules we don’t find anything suspicious:

0:000> lmp
start             end                 module name
00000000`76e20000 00000000`76f3f000   kernel32 <none>
00000000`77500000 00000000`776a9000   ntdll    <none>
00000001`3f890000 00000001`3f8a6000   FakeModule <none>
000007fe`f8cb0000 000007fe`f8cc7000   winspool <none>
000007fe`fdb30000 000007fe`fdb9c000   KERNELBASE <none>

However, when checking modules images for any modifications we find that winspool was not compared with existing binary from Microsoft symbol server:

0:000> !for_each_module "!chkimg -v -d @#ModuleName"
Searching for module with expression: kernel32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\WSDK8\Debuggers\x64\sym\kernel32.dll\503285C111f000\kernel32.dll
No range specified

Scanning section:    .text
Size: 633485
Range to scan: 76e21000-76ebba8d
Total bytes compared: 633485(100%)
Number of errors: 0
0 errors : kernel32
Searching for module with expression: ntdll
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\WSDK8\Debuggers\x64\sym\ntdll.dll\4EC4AA8E1a9000\ntdll.dll
No range specified

Scanning section:    .text
Size: 1049210
Range to scan: 77501000-7760127a
Total bytes compared: 1049210(100%)
Number of errors: 0

Scanning section:       RT
Size: 474
Range to scan: 77602000-776021da
Total bytes compared: 474(100%)
Number of errors: 0
0 errors : ntdll
Searching for module with expression: FakeModule
Error for FakeModule: Could not find image file for the module. Make sure binaries are included in the symbol path.
Searching for module with expression: winspool
Error for winspool: Could not find image file for the module. Make sure binaries are included in the symbol path.

Searching for module with expression: KERNELBASE
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\WSDK8\Debuggers\x64\sym\KERNELBASE.dll\503285C26c000\KERNELBASE.dll
No range specified

Scanning section:    .text
Size: 302047
Range to scan: 7fefdb31000-7fefdb7abdf
Total bytes compared: 302047(100%)
Number of errors: 0
0 errors : KERNELBASE

Checking module data reveals that it was loaded not from System32 folder and doesn’t have any version information:

0:000> lmv m winspool
start             end                 module name
000007fe`f8cb0000 000007fe`f8cc7000   winspool   (deferred)
Image path: C:\Work\AWMA\FakeModule\x64\Release\winspool.drv
Image name: winspool.drv
Timestamp:        Fri Dec 28 22:22:42 2012 (50DE1BB2)
CheckSum:         00000000
ImageSize:        00017000
File version:     0.0.0.0
Product version:  0.0.0.0
File flags:       0 (Mask 0)
File OS:          0 Unknown Base
File type:        0.0 Unknown
File date:        00000000.00000000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

We could see that path from running this command as well :

0:000> !for_each_module
00: 0000000076e20000  0000000076f3f000         kernel32 C:\Windows\System32\kernel32.dll                      kernel32.dll
01: 0000000077500000  00000000776a9000            ntdll C:\Windows\System32\ntdll.dll                            ntdll.dll
02: 000000013f890000  000000013f8a6000       FakeModule C:\Work\AWMA\FakeModule\x64\Release\FakeModule.exe  FakeModule.exe
03: 000007fef8cb0000  000007fef8cc7000         winspool C:\Work\AWMA\FakeModule\x64\Release\winspool.drv
04: 000007fefdb30000  000007fefdb9c000       KERNELBASE C:\Windows\System32\KERNELBASE.dll                  KERNELBASE.dll

or from PEB:

0:000> !peb
PEB at 000007fffffdf000
[...]
7fef8cb0000 50de1bb2 Dec 28 22:22:42 2012 C:\Work\AWMA\FakeModule\x64\Release\winspool.drv
[…]

Another sign is module size in memory which is much smaller than real winspool.drv:

0:000> ? 000007fe`f8cc7000 - 000007fe`f8cb0000
Evaluate expression: 94208 = 00000000`0001700

Module size can help if legitimate module from well-known folder was replaced. Module debug directory and the size of export and import directories are also different with the former revealing the development folder:

0:000> !dh 000007fe`f8cb0000
[...]
   0 [       0] address [size] of Export Directory
[…]
9000 [     208] address [size] of Import Address Table Directory
[…]
Debug Directories(2)
Type       Size     Address  Pointer
cv           49        e2c0     cac0 Format: RSDS, guid, 1, C:\Work\AWMA\FakeModule\x64\Release\winspool.pdb

This can also be seen from the output of !lmi command:

0:000> !lmi 7fef8cb0000
Loaded Module Info: [7fef8cb0000]
Module: winspool
Base Address: 000007fef8cb0000
Image Name: winspool.drv
Machine Type: 34404 (X64)
Time Stamp: 50de1bb2 Fri Dec 28 22:22:42 2012
Size: 17000
CheckSum: 0
Characteristics: 2022
Debug Data Dirs: Type  Size     VA  Pointer
CODEVIEW    49,  e2c0,    cac0 RSDS - GUID: {29D85193-1C9D-4997-95BA-DD190FA3C1BF}
Age: 1, Pdb: C:\Work\AWMA\FakeModule\x64\Release\winspool.pdb
??    10,  e30c,    cb0c [Data not mapped]
Symbol Type: DEFERRED - No error - symbol load deferred
Load Report: no symbols loaded

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 182)

Tuesday, October 9th, 2012

This is a new pattern that we call Error Reporting Fault. It’s about the faults in error reporting infrastructure. The latter should be guarded against such faults and avoid recursion. Here is a summary example of such a pattern on Windows platforms that involve Windows Error Reporting (WER).

In a complete memory dump we notice thousands of WerFault.exe processes:

0: kd> !process 0 0
[...]
PROCESS fffffa8058010380
SessionId: 2  Cid: 488f0    Peb: 7efdf000  ParentCid: 27cb8
DirBase: 25640c000  ObjectTable: fffff8a06cd2ac50  HandleCount:  54.
Image: WerFault.exe

PROCESS fffffa805bbd5970
SessionId: 2  Cid: 4801c    Peb: 7efdf000  ParentCid: 27cb8
DirBase: 2c3f69000  ObjectTable: fffff8a040563af0  HandleCount:  54.
Image: WerFault.exe

PROCESS fffffa8078aec060
SessionId: 2  Cid: 3feac    Peb: 7efdf000  ParentCid: 488f0
DirBase: abd200000  ObjectTable: fffff8a07851a0a0  HandleCount:  59.
Image: WerFault.exe

PROCESS fffffa805bbe9a10
SessionId: 2  Cid: 3d8b8    Peb: 7efdf000  ParentCid: 4801c
DirBase: 261f91000  ObjectTable: fffff8a02d864d40  HandleCount:  56.
Image: WerFault.exe

PROCESS fffffa805bd29060
SessionId: 2  Cid: 1142c    Peb: 7efdf000  ParentCid: 3feac
DirBase: 429fb3000  ObjectTable: fffff8a0355b42e0  HandleCount:  58.
Image: WerFault.exe

PROCESS fffffa8053d853d0
SessionId: 2  Cid: 1fc4c    Peb: 7efdf000  ParentCid: 3d8b8
DirBase: 714371000  ObjectTable: fffff8a01cb6bba0  HandleCount:  58.
Image: WerFault.exe
[...]

Each process has only one thread running through WOW64 modules so we get its 32-bit stack trace:

0: kd> !process fffffa8075c21b30 ff
[...]
THREAD fffffa807c183b60 Cid 2d3c8.4334c Teb: 000000007efdb000 Win32Thread: fffff900c3f71010 WAIT: (UserRequest) UserMode Non-Alertable
[...]

0: kd> .load wow64exts

0: kd> .process /r /p fffffa8075c21b30
Implicit process is now fffffa80`75c21b30
Loading User Symbols
Loading Wow64 Symbols

0: kd> .thread /w fffffa807c183b60
Implicit thread is now fffffa80`7c183b60
x86 context set

0: kd:x86> k
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP          RetAddr
000bf474 77080bdd ntdll!ZwWaitForMultipleObjects+0x15
000bf510 76bb1a2c KERNELBASE!WaitForMultipleObjectsEx+0x100
000bf558 76bb4208 kernel32!WaitForMultipleObjectsExImplementation+0xe0
000bf574 76bd80a4 kernel32!WaitForMultipleObjects+0x18
000bf5e0 76bd7f63 kernel32!WerpReportFaultInternal+0x186
000bf5f4 76bd7858 kernel32!WerpReportFault+0x70
000bf604 76bd77d7 kernel32!BasepReportFault+0x20
000bf690 776674df kernel32!UnhandledExceptionFilter+0x1af
000bf698 776673bc ntdll!__RtlUserThreadStart+0x62
000bf6ac 77667261 ntdll!_EH4_CallFilterFunc+0x12
000bf6d4 7764b459 ntdll!_except_handler4+0x8e
000bf6f8 7764b42b ntdll!ExecuteHandler2+0x26
000bf71c 7764b3ce ntdll!ExecuteHandler+0x24
000bf7a8 77600133 ntdll!RtlDispatchException+0x127
000bf7b4 000bf7c0 ntdll!KiUserExceptionDispatcher+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
000bfb00 77629ef2 0xbf7c0
[…]

We find exception processing and code on stack (return address belongs to stack range). This thread is waiting for another process and it is WerFault.exe too:

0: kd:x86> .effmach AMD64

0: kd> !process fffffa8075c21b30 ff
[...]
THREAD fffffa807c183b60 Cid 2d3c8.4334c Teb: 000000007efdb000 Win32Thread: fffff900c3f71010 WAIT: (UserRequest) UserMode Non-Alertable
fffffa80809c44e0 ProcessObject
[…]

0: kd> !process fffffa80809c44e0
PROCESS fffffa80809c44e0
SessionId: 2  Cid: 33844    Peb: 7efdf000  ParentCid: 2d3c8
DirBase: 9c53f0000  ObjectTable: fffff8a0423d4170  HandleCount: 978.
Image: WerFault.exe
[...]

We go back to our original WerFault process and in its PEB data we find it was called to report a fault from another process with PID 0n189240:

0: kd> !process fffffa8075c21b30 ff
[...]
CommandLine:  'C:\Windows\SysWOW64\WerFault.exe -u -p 189240 -s 3888′
[…]

And it’s WerFault.exe too:

0: kd> !process 0n189240
Searching for Process with Cid == 2e338

PROCESS fffffa8078b659e0
SessionId: 2  Cid: 2e338    Peb: 7efdf000  ParentCid: 47608
DirBase: 201796000  ObjectTable: fffff8a02e664380  HandleCount: 974.
Image: WerFault.exe
[...]

So we see a chain of WerFault.exe processes each processing a fault in the previous one. So there should be a first fault somewhere which we can find in stack trace collection (32-bit stack traces for this example) unless that exception stack trace was paged out due to insufficient memory occupied by WerFault.exe processes.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 179)

Sunday, July 15th, 2012

When looking at the module list (lmv), searching for modules (.imgscan) or examining the particular module (!address, !dh) we may notice one of them as Deviant Module. The deviation may be in (but not limited to as anything is possible):

- suspicious module name

- suspicious protection

- suspicious module load address

0:005> .imgscan
MZ at 00040000, prot 00000040, type 00020000 - size 1d000
MZ at 00340000, prot 00000002, type 01000000 - size 9c000
Name: iexplore.exe
MZ at 02250000, prot 00000002, type 00040000 - size 2000
MZ at 023b0000, prot 00000002, type 01000000 - size b000
Name: msimtf.dll
MZ at 03f80000, prot 00000002, type 00040000 - size 2000
MZ at 10000000, prot 00000004, type 00020000 - size 5000
Name: screens_dll.dll
MZ at 16080000, prot 00000002, type 01000000 - size 25000
Name: mdnsNSP.dll
MZ at 6ab50000, prot 00000002, type 01000000 - size 26000
Name: DSSENH.dll
MZ at 6b030000, prot 00000002, type 01000000 - size 5b0000
Name: MSHTML.dll
MZ at 6ba10000, prot 00000002, type 01000000 - size b4000
Name: JSCRIPT.dll
MZ at 6cec0000, prot 00000002, type 01000000 - size 1b000
Name: CRYPTNET.dll
MZ at 6d260000, prot 00000002, type 01000000 - size e000
Name: PNGFILTER.DLL
MZ at 6d2f0000, prot 00000002, type 01000000 - size 29000
Name: msls31.dll
MZ at 6d700000, prot 00000002, type 01000000 - size 30000
Name: MLANG.dll
MZ at 6d740000, prot 00000002, type 01000000 - size 4d000
Name: SSV.DLL
MZ at 6d7b0000, prot 00000002, type 01000000 - size c000
Name: ImgUtil.dll
MZ at 6ddb0000, prot 00000002, type 01000000 - size 2f000
Name: iepeers.DLL
MZ at 6df20000, prot 00000002, type 01000000 - size 33000
Name: IEShims.dll
MZ at 6eb80000, prot 00000002, type 01000000 - size a94000
Name: IEFRAME.dll
MZ at 703b0000, prot 00000002, type 01000000 - size 53000
Name: SWEEPRX.dll
MZ at 70740000, prot 00000002, type 01000000 - size 40000
Name: SWEEPRX.dll
MZ at 725a0000, prot 00000002, type 01000000 - size 12000
Name: PNRPNSP.dll
MZ at 725d0000, prot 00000002, type 01000000 - size 8000
Name: WINRNR.dll
MZ at 725e0000, prot 00000002, type 01000000 - size 136000
Name: MSXML3.dll
MZ at 72720000, prot 00000002, type 01000000 - size c000
Name: wshbth.dll
MZ at 72730000, prot 00000002, type 01000000 - size f000
Name: NAPINSP.dll
MZ at 72890000, prot 00000002, type 01000000 - size 6000
Name: SensApi.dll
MZ at 72ec0000, prot 00000002, type 01000000 - size 42000
Name: WINSPOOL.DRV
MZ at 734b0000, prot 00000002, type 01000000 - size 6000
Name: rasadhlp.dll
MZ at 736b0000, prot 00000002, type 01000000 - size 85000
Name: COMCTL32.dll
MZ at 73ac0000, prot 00000002, type 01000000 - size 7000
Name: MIDIMAP.dll
MZ at 73ae0000, prot 00000002, type 01000000 - size 14000
Name: MSACM32.dll
MZ at 73b00000, prot 00000002, type 01000000 - size 66000
Name: audioeng.dll
MZ at 73c30000, prot 00000002, type 01000000 - size 9000
Name: MSACM32.DRV
MZ at 73c60000, prot 00000002, type 01000000 - size 21000
Name: AudioSes.DLL
MZ at 73c90000, prot 00000002, type 01000000 - size 2f000
Name: WINMMDRV.dll
MZ at 74290000, prot 00000002, type 01000000 - size bb000
Name: PROPSYS.dll
MZ at 74390000, prot 00000002, type 01000000 - size f000
Name: nlaapi.dll
MZ at 743a0000, prot 00000002, type 01000000 - size 4000
Name: ksuser.dll
MZ at 74430000, prot 00000002, type 01000000 - size 15000
Name: Cabinet.dll
MZ at 74450000, prot 00000002, type 01000000 - size 3d000
Name: OLEACC.dll
MZ at 74490000, prot 00000002, type 01000000 - size 1ab000
Name: gdiplus.dll
MZ at 74640000, prot 00000002, type 01000000 - size 28000
Name: MMDevAPI.DLL
MZ at 74670000, prot 00000002, type 01000000 - size 32000
Name: WINMM.dll
MZ at 746b0000, prot 00000002, type 01000000 - size 31000
Name: TAPI32.dll
MZ at 749e0000, prot 00000002, type 01000000 - size 19e000
Name: COMCTL32.dll
MZ at 74b80000, prot 00000002, type 01000000 - size 7000
Name: AVRT.dll
MZ at 74ba0000, prot 00000002, type 01000000 - size 4a000
Name: RASAPI32.dll
MZ at 74ce0000, prot 00000002, type 01000000 - size 3f000
Name: UxTheme.dll
MZ at 74de0000, prot 00000002, type 01000000 - size 2d000
Name: WINTRUST.dll
MZ at 74ea0000, prot 00000002, type 01000000 - size 14000
Name: rasman.dll
MZ at 74f70000, prot 00000002, type 01000000 - size c000
Name: rtutils.dll
MZ at 74f80000, prot 00000002, type 01000000 - size 5000
Name: WSHTCPIP.dll
MZ at 74fb0000, prot 00000002, type 01000000 - size 21000
Name: NTMARTA.dll
MZ at 75010000, prot 00000002, type 01000000 - size 3b000
Name: RSAENH.dll
MZ at 75050000, prot 00000002, type 01000000 - size 5000
Name: MSIMG32.dll
MZ at 75060000, prot 00000002, type 01000000 - size 15000
Name: GPAPI.dll
MZ at 750a0000, prot 00000002, type 01000000 - size 46000
Name: SCHANNEL.dll
MZ at 752b0000, prot 00000002, type 01000000 - size 3b000
Name: MSWSOCK.dll
MZ at 75370000, prot 00000002, type 01000000 - size 45000
Name: bcrypt.dll
MZ at 753f0000, prot 00000002, type 01000000 - size 5000
Name: WSHIP6.dll
MZ at 75400000, prot 00000002, type 01000000 - size 8000
Name: VERSION.dll
MZ at 75420000, prot 00000002, type 01000000 - size 7000
Name: CREDSSP.dll
MZ at 75430000, prot 00000002, type 01000000 - size 35000
Name: ncrypt.dll
MZ at 75480000, prot 00000002, type 01000000 - size 22000
Name: dhcpcsvc6.DLL
MZ at 754b0000, prot 00000002, type 01000000 - size 7000
Name: WINNSI.DLL
MZ at 754c0000, prot 00000002, type 01000000 - size 35000
Name: dhcpcsvc.DLL
MZ at 75500000, prot 00000002, type 01000000 - size 19000
Name: IPHLPAPI.DLL
MZ at 75590000, prot 00000002, type 01000000 - size 3a000
Name: slc.dll
MZ at 755d0000, prot 00000002, type 01000000 - size f2000
Name: CRYPT32.dll
MZ at 75740000, prot 00000002, type 01000000 - size 12000
Name: MSASN1.dll
MZ at 75760000, prot 00000002, type 01000000 - size 11000
Name: SAMLIB.dll
MZ at 75780000, prot 00000002, type 01000000 - size 76000
Name: NETAPI32.dll
MZ at 75800000, prot 00000002, type 01000000 - size 2c000
Name: DNSAPI.dll
MZ at 75a70000, prot 00000002, type 01000000 - size 5f000
Name: sxs.dll
MZ at 75ad0000, prot 00000002, type 01000000 - size 2c000
Name: apphelp.dll
MZ at 75b30000, prot 00000002, type 01000000 - size 14000
Name: Secur32.dll
MZ at 75b50000, prot 00000002, type 01000000 - size 1e000
Name: USERENV.dll
MZ at 75c90000, prot 00000002, type 01000000 - size 7000
Name: PSAPI.DLL
MZ at 75ca0000, prot 00000002, type 01000000 - size c3000
Name: RPCRT4.dll
MZ at 75d70000, prot 00000002, type 01000000 - size 73000
Name: COMDLG32.dll
MZ at 75df0000, prot 00000002, type 01000000 - size 9000
Name: LPK.dll
MZ at 75e00000, prot 00000002, type 01000000 - size dc000
Name: KERNEL32.dll
MZ at 75ee0000, prot 00000002, type 01000000 - size aa000
Name: msvcrt.dll
MZ at 75f90000, prot 00000002, type 01000000 - size 1e8000
Name: iertutil.dll
MZ at 76180000, prot 00000002, type 01000000 - size 29000
Name: imagehlp.dll
MZ at 761b0000, prot 00000002, type 01000000 - size 6000
Name: NSI.dll
MZ at 761c0000, prot 00000002, type 01000000 - size 84000
Name: CLBCatQ.DLL
MZ at 76250000, prot 00000002, type 01000000 - size 49000
Name: WLDAP32.dll
MZ at 762a0000, prot 00000002, type 01000000 - size c6000
Name: ADVAPI32.dll
MZ at 76370000, prot 00000002, type 01000000 - size 4b000
Name: GDI32.dll
MZ at 763c0000, prot 00000002, type 01000000 - size 59000
Name: SHLWAPI.dll
MZ at 76420000, prot 00000002, type 01000000 - size e6000
Name: WININET.dll
MZ at 76510000, prot 00000002, type 01000000 - size b10000
Name: SHELL32.dll
MZ at 77020000, prot 00000002, type 01000000 - size 145000
Name: ole32.dll
MZ at 77170000, prot 00000002, type 01000000 - size 7d000
Name: USP10.dll
MZ at 771f0000, prot 00000002, type 01000000 - size 8d000
Name: OLEAUT32.dll
MZ at 77280000, prot 00000002, type 01000000 - size 18a000
Name: SETUPAPI.dll
MZ at 77410000, prot 00000002, type 01000000 - size 9d000
Name: USER32.dll
MZ at 774b0000, prot 00000002, type 01000000 - size 133000
Name: urlmon.dll
MZ at 775f0000, prot 00000002, type 01000000 - size 127000
Name: ntdll.dll
MZ at 77720000, prot 00000002, type 01000000 - size 3000
Name: Normaliz.dll
MZ at 77730000, prot 00000002, type 01000000 - size 2d000
Name: WS2_32.dll
MZ at 77760000, prot 00000002, type 01000000 - size 1e000
Name: IMM32.dll
MZ at 77780000, prot 00000002, type 01000000 - size c8000
Name: MSCTF.dll
MZ at 7c340000, prot 00000002, type 01000000 - size 56000
Name: MSVCR71.dll

0:005> !address 00040000
Usage:                  <unclassified>
Allocation Base:        00040000
Base Address:           00040000
End Address:            0005d000
Region Size:            0001d000
Type:                   00020000 MEM_PRIVATE
State:                  00001000 MEM_COMMIT
Protect:                00000040 PAGE_EXECUTE_READWRITE

0:005> !address 10000000
Usage:                  <unclassified>
Allocation Base:        10000000
Base Address:           10000000
End Address:            10001000
Region Size:            00001000
Type:                   00020000 MEM_PRIVATE
State:                  00001000 MEM_COMMIT
Protect:                00000004 PAGE_READWRITE

- suspicious text inside

See this case study for an example.

- suspicious import table (screen grabbing) or its absence (dynamic imports)

0:005> !dh 10000000
[...]
2330 [      50] address [size] of Export Directory
20E0 [      78] address [size] of Import Directory
0 [       0] address [size] of Resource Directory
0 [       0] address [size] of Exception Directory
0 [       0] address [size] of Security Directory
4000 [      34] address [size] of Base Relocation Directory
2060 [      1C] address [size] of Debug Directory
0 [       0] address [size] of Description Directory
0 [       0] address [size] of Special Directory
0 [       0] address [size] of Thread Storage Directory
0 [       0] address [size] of Load Configuration Directory
0 [       0] address [size] of Bound Import Directory
2000 [      58] address [size] of Import Address Table Directory
0 [       0] address [size] of Delay Import Directory
0 [       0] address [size] of COR20 Header Directory
0 [       0] address [size] of Reserved Directory
[…]

0:005> dps 10000000+2000 10000000+2000+58
10002000  76376101 gdi32!CreateCompatibleDC
10002004  763793d6 gdi32!StretchBlt
10002008  76377461 gdi32!CreateDIBSection
1000200c  763762a0 gdi32!SelectObject

10002010  00000000
10002014  75e4a411 kernel32!lstrcmpW
10002018  75e440aa kernel32!VirtualFree
1000201c  75e4ad55 kernel32!VirtualAlloc
10002020  00000000
10002024  77429ced user32!ReleaseDC
10002028  77423ba7 user32!NtUserGetWindowDC
1000202c  77430e21 user32!GetWindowRect

10002030  00000000
10002034  744a75e9 GdiPlus!GdiplusStartup
10002038  744976dd GdiPlus!GdipSaveImageToStream
1000203c  744cdd38 GdiPlus!GdipGetImageEncodersSize
10002040  744971cf GdiPlus!GdipDisposeImage
10002044  744a8591 GdiPlus!GdipCreateBitmapFromHBITMAP
10002048  744cdbae GdiPlus!GdipGetImageEncoders

1000204c  00000000
10002050  7707d51b ole32!CreateStreamOnHGlobal
10002054  00000000
10002058  00000000

0:000> !dh 012a0000
[...]
0 [       0] address [size] of Export Directory
0 [       0] address [size] of Import Directory
0 [       0] address [size] of Resource Directory
0 [       0] address [size] of Exception Directory
0 [       0] address [size] of Security Directory
8000 [      FC] address [size] of Base Relocation Directory
4000 [      1C] address [size] of Debug Directory
0 [       0] address [size] of Description Directory
0 [       0] address [size] of Special Directory
0 [       0] address [size] of Thread Storage Directory
0 [       0] address [size] of Load Configuration Directory
0 [       0] address [size] of Bound Import Directory
0 [       0] address [size] of Import Address Table Directory
0 [       0] address [size] of Delay Import Directory
0 [       0] address [size] of COR20 Header Directory
0 [       0] address [size] of Reserved Directory
[…]

- suspicious path names

Age: 7, Pdb: d:\work\BekConnekt\Client_src_code_New\Release\Blackjoe_new.pdb

Debug Directories(1)
Type Size Address Pointer
cv 46 2094 894 Format: RSDS, guid, 1, C:\MyWork\screens_dll\Release\screens_dll.pdb

- suspicious image path (although could be just dynamic code generation for .NET assemblies)

- uninitialized image resources

0:002> lmv m C6DC
start    end        module name
012a0000 012a9000   C6DC     C (no symbols)
Loaded symbol image file: C6DC.tmp
Image path: C:\Users\User\AppData\Local\Temp\C6DC.tmp
Image name: C6DC.tmp
Timestamp:        Sun May 30 20:18:32 2010 (4C02BA08)
CheckSum:         00000000
ImageSize:        00009000
File version:     0.0.0.0
Product version:  0.0.0.0
File flags:       0 (Mask 0)
File OS:          0 Unknown Base
File type:        0.0 Unknown
File date:        00000000.00000000

Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

- suspicious (small) image size

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis of Defective Malware: A Case Study

Monday, October 18th, 2010

One of my home computers got infected. I confess that I don’t have an antivirus because I’m conscious while browsing Internet (the last infected machine I had was an MSDOS one) so perhaps one of my family members was less careful. I paid attention to the possible infection when IE started crashing when I was pushing a login button on one of online banking websites. However I didn’t pay enough attention because it was a heap corruption (see my previous case study) and simply switched to another non-crashing browser vendor such as Apple Safari. Since then IE was crashing periodically when I was pushing various admin buttons in WordPress but I didn’t pay much attention too because it was still heap corruption and I was thinking it was a script processing defect, waiting for a new IE update. Until one day explorer.exe crashed as well when I was entering a password for an ftp account. Here’s the stack trace that I got after opening a crash dump in WinDbg:

0:030> kL 100
ChildEBP RetAddr
0663e9c4 76f05610 ntdll!KiFastSystemCallRet
0663e9c8 7706a5d7 ntdll!NtWaitForMultipleObjects+0xc
0663ea64 7706a6f0 kernel32!WaitForMultipleObjectsEx+0×11d
0663ea80 770de2a5 kernel32!WaitForMultipleObjects+0×18
0663eaec 770de4d1 kernel32!WerpReportFaultInternal+0×16d
0663eb00 770bff4d kernel32!WerpReportFault+0×70
0663eb8c 76f17fc1 kernel32!UnhandledExceptionFilter+0×1b5
0663eb94 76ea9bdc ntdll!__RtlUserThreadStart+0×6f
0663eba8 76ea4067 ntdll!_EH4_CallFilterFunc+0×12
0663ebd0 76f05f79 ntdll!_except_handler4+0×8e
0663ebf4 76f05f4b ntdll!ExecuteHandler2+0×26
0663eca4 76f05dd7 ntdll!ExecuteHandler+0×24
0663eca4 93181a08 ntdll!KiUserExceptionDispatcher+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
0663efa0 0321aaaf 0×93181a08
0663efac 6b887974 0×321aaaf
0663efbc 6b8973ad msieftp!InternetCloseHandleWrap+0×10
0663f810 6b897fbf msieftp!CFtpSite::_QueryServerFeatures+0×57
0663fa50 6b8981ae msieftp!CFtpSite::_LoginToTheServer+0×235
0663fa94 6b88b39e msieftp!CFtpSite::GetHint+0xe8
0663fab4 6b88b412 msieftp!CFtpDir::GetHint+0×1f
0663fae4 6b88ed38 msieftp!CFtpDir::WithHint+0×49
0663fb10 6b88eda4 msieftp!CFtpEidl::_Init+0×6e
0663fb2c 7584ecb4 msieftp!CFtpEidl::Next+0×41
0663fb64 7584f63b shell32!CEnumThread::_EnumFolder+0×65
0663fb80 7584f5ba shell32!CEnumThread::_RunEnum+0×6f
0663fb8c 7645c2c9 shell32!CEnumThread::s_EnumThreadProc+0×14
0663fc10 7706d0e9 shlwapi!WrapperThreadProc+0×11c
0663fc1c 76ee19bb kernel32!BaseThreadInitThunk+0xe
0663fc5c 76ee198e ntdll!__RtlUserThreadStart+0×23
0663fc74 00000000 ntdll!_RtlUserThreadStart+0×1b

Notice 0×321aaaf address. We see that wininet function was hooked by a code running in 0×0321XXXX range:

0:030> ub 6b887974
msieftp!InternetOpenWrap+0×46:
6b887963 cc              int     3
msieftp!InternetCloseHandleWrap:
6b887964 8bff            mov     edi,edi
6b887966 55              push    ebp
6b887967 8bec            mov     ebp,esp
6b887969 56              push    esi
6b88796a ff7508          push    dword ptr [ebp+8]
6b88796d 33f6            xor     esi,esi
6b88796f e82e610100      call    msieftp!InternetCloseHandle (6b89daa2)

0:030> u 6b89daa2
msieftp!InternetCloseHandle:
6b89daa2 ff2500278a6b    jmp     dword ptr [msieftp!_imp__InternetCloseHandle (6b8a2700)]
msieftp!_imp_load__InternetConnectW:
6b89daa8 b834278a6b      mov     eax,offset msieftp!_imp__InternetConnectW (6b8a2734)
6b89daad e9b4feffff      jmp     msieftp!_tailMerge_WININET_dll (6b89d966)
6b89dab2 cc              int     3
6b89dab3 cc              int     3
6b89dab4 cc              int     3
6b89dab5 cc              int     3
6b89dab6 cc              int     3

0:030> dp 6b8a2700 l1
6b8a2700  76dc9088

0:030> u 76dc9088
wininet!InternetCloseHandle:
76dc9088 e9031a458c      jmp     0321aa90
76dc908d 51              push    ecx
76dc908e 51              push    ecx
76dc908f 53              push    ebx
76dc9090 56              push    esi
76dc9091 57              push    edi
76dc9092 33db            xor     ebx,ebx
76dc9094 33ff            xor     edi,edi

0:030> u 0321aa90
0321aa90 55              push    ebp
0321aa91 8bec            mov     ebp,esp
0321aa93 837d0800        cmp     dword ptr [ebp+8],0
0321aa97 740c            je      0321aaa5
0321aa99 8b4508          mov     eax,dword ptr [ebp+8]
0321aa9c 50              push    eax
0321aa9d e82eedffff      call    032197d0
0321aaa2 83c404          add     esp,4

This address range was not on a loaded module list so I used image scanning command to detect Hidden Module:

0:030> .imgscan
MZ at 00080000, prot 00000002, type 01000000 - size 2cd000
Name: explorer.exe
MZ at 003d0000, prot 00000002, type 00040000 - size 2000
MZ at 018a0000, prot 00000008, type 00040000 - size 7000
MZ at 031c0000, prot 00000008, type 00040000 - size 3000
MZ at 031d0000, prot 00000002, type 01000000 - size c000
Name: DLAAPI_W.DLL
MZ at 03210000, prot 00000040, type 00020000 - size 1d000
[…]

!dh command was not showing any useful hints so I dumped the whole address range of that Unknown Component and found strange strings inside:

0:030> db 03210000 03210000+1d000
[...]
032246d0  2a 00 00 00 2a 00 00 00-42 6c 61 63 6b 77 6f 6f  *...*...Blackwoo
032246e0  64 50 52 4f 00 00 00 00-46 69 6e 61 6d 44 69 72  dPRO....FinamDir
032246f0  65 63 74 00 47 72 61 79-42 6f 78 00 4d 62 74 50  ect.GrayBox.MbtP
03224700  52 4f 00 00 4c 61 73 65-72 00 00 00 4c 69 67 68  RO..Laser...Ligh
03224710  74 53 70 65 65 64 00 00-4c 54 47 72 6f 75 70 00  tSpeed..LTGroup.
03224720  4d 62 74 00 53 63 6f 74-54 72 61 64 65 72 00 00  Mbt.ScotTrader..
03224730  53 61 78 6f 54 72 61 64-65 72 00 00 00 00 00 00  SaxoTrader......
03224740  50 72 6f 67 72 61 6d 3a-20 20 20 25 73 0d 0a 55  Program:   %s..U
03224750  73 65 72 6e 61 6d 65 3a-20 20 25 73 0d 0a 50 61  sername:  %s..Pa
03224760  73 73 77 6f 72 64 3a 20-20 25 73 0d 0a 41 63 63  ssword:  %s..Acc
03224770  6f 75 6e 74 4e 4f 3a 20-25 73 0d 0a 53 65 72 76  ountNO: %s..Serv
03224780  65 72 3a 20 20 20 20 25-73 0d 0a 00 5c 00 00 00  er:    %s...\...
03224790  25 73 20 25 73 00 00 00-25 73 00 00 50 52 4f 43  %s %s...%s..PROC
032247a0  45 53 53 4f 52 5f 49 44-45 4e 54 49 46 49 45 52  ESSOR_IDENTIFIER
032247b0  00 00 00 00 25 64 00 00-25 30 32 58 00 00 00 00  ....%d..%02X....
032247c0  30 00 00 00 2c 00 00 00-25 30 32 58 00 00 00 00  0...,...%02X....
[...]
03225000  01 01 00 00 5c 00 63 00-68 00 6b 00 6e 00 74 00  ....\.c.h.k.n.t.
03225010  66 00 73 00 2e 00 65 00-78 00 65 00 00 00 00 00  f.s...e.x.e.....
03225020  5c 00 63 00 68 00 6b 00-6e 00 74 00 66 00 73 00  \.c.h.k.n.t.f.s.
03225030  2e 00 64 00 61 00 74 00-00 00 00 00 a6 b7 04 5e  ..d.a.t........^
[...]

I didn’t pay attention to chkntfs.exe but did a search for SaxoTrader string in all files using findstr command and found chkntfs.exe as a system file in Start Menu \ Programs \ Startup folder in roaming user AppData. I couldn’t remove it so I had to boot in command line mode to do that. The crashes were gone since that. I double checked various iexplore.exe crash dumps saved previously and found the same module loaded, for example:

0:005> .imgscan
MZ at 00040000, prot 00000040, type 00020000 - size 1d000
MZ at 00340000, prot 00000002, type 01000000 - size 9c000
Name: iexplore.exe
[…]

Here we consider IE and Explorer as victimware of malware.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -