Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[HES2013] The reality about Red October by Paul “RootBSD” Rascagneres

HackitoErgoSum
May 02, 2013
Research
0
92

[HES2013] The reality about Red October by Paul “RootBSD” Rascagneres

I propose to make a technical analysis of Red October. The talk will be deeply technical: how to get the payload stored in the .doc file, how to unpack the malware, the analysis of the final malware and to finish how to rewrite a C&C. The presentation will be base on these articles:

http://code.google.com/p/malware-lu/wiki/en_malware_redoctober
http://code.google.com/p/malware-lu/wiki/en_malware_redoctober2
http://code.google.com/p/malware-lu/wiki/en_malware_redoctober3
http://code.google.com/p/malware-lu/wiki/en_malware_redoctober_cc

Audio available here : http://2013.hackitoergosum.org/presentations/Day1-03.The%20reality%20about%20Red%20October%20by%20Paul%20RootBSD%20Rascagneres.mp3
More information about the conference :
http://www.hackitoergosum.org

HackitoErgoSum

May 02, 2013
Tweet

More Decks by HackitoErgoSum

See All by HackitoErgoSum
[HES2014] Vaccinating APK’s by Milan Gabor & Danijel Grah
hackitoergosum
0
190
[HES2014] WMI Shell: A new way to get shells on remote Windows machines using only the WMI service by Andrei Dumitrescu
hackitoergosum
2
4.8k
[HES2014] LTE vs. Darwin: The Evolution Strikes Back? by Hendrik Schmidt & Brian Butterly
hackitoergosum
0
120
[HES2014] Applying science to eliminate 100% of buffer overflows by Andreas Bogk
hackitoergosum
0
280
[HES2013] Hacking apple accessories to pown iDevices – Wake up Neo! Your phone got pwnd ! by Mathieu ‘GoToHack’ RENARD
hackitoergosum
1
210
[HES2013] Frida IRE – a tool for scriptable dynamic instrumentation in userland by Ole André Vadla Ravnås
hackitoergosum
0
240
[HES2013] Paparazzi over ip by Daniel Mende
hackitoergosum
0
63
[HES2014] HackRF A Low Cost Software Defined Radio Platform by Benjamin Vernoux
hackitoergosum
0
350
[HES2013] Information Warfare: mistakes from the MoDs by Raoul “Nobody” Chiesa
hackitoergosum
0
110

Other Decks in Research

See All in Research
CASCON 2023 Most Influential Paper Award Talk
tsantalis
0
120
F0に基づいて伸縮された画像文字からの音声合成 [ASJ2024春]
nehi0615
0
120
First Authorに俺はなるっ!! IROS’23 CCC2023 FY
shota_nishiyama
0
180
自己教師あり学習による事前学習(CVIMチュートリアル)
naok615
2
1.4k
Generative AI - practice and theory
gpeyre
1
570
Combating Misinformation in the age of LLMs
teacherpeterpan
0
130
論文紹介 DISN: Deep Implicit Surface Network for High quality Single-view 3D Reconstruction / DISN: Deep Implicit Surface Network for High quality Single-view 3D Reconstruction
nttcom
0
120
第4回ナレッジグラフ勉強会:ISWC2023論文読み会
kg_wakate
1
210
[2023 CCSE] ZOZOTOWN検索における 研究開発の取り組みについて
tomoyayama
0
130
リサーチに組織を巻き込むための「準備8割」の話
terasho
0
470
LiDARセキュリティ最前線
kentaroy47
0
280
HP (Hitto Point: 筆頭ポイント)
tanichu
0
730

Featured

See All Featured
Become a Pro
speakerdeck
PRO
11
4.5k
Making Projects Easy
brettharned
108
5.5k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
RailsConf 2023
tenderlove
4
540
Thoughts on Productivity
jonyablonski
58
3.8k
Design by the Numbers
sachag
274
18k
Docker and Python
trallard
34
2.7k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
The Pragmatic Product Professional
lauravandoore
25
5.8k
YesSQL, Process and Tooling at Scale
rocio
164
13k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k

Transcript

  1. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Malware.lu May 2013 @r00tbsd – Paul Rascagnères The reality about Red October

  2. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Plan - Malware.lu presentation - The reality about Red October

  3. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu About malware.lu Presentation of malware.lu Mainteners: - @r00tbsd – Paul Rascagnères - @y0ug – Hugo Caron - Defane – Stephane Emma - MiniLX – Julien Maladrie

  4. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu A few numbers Here are some numbers about malware.lu - 5,572,622 malware samples - 39 articles - complete analysis of Red October & Rannoh - 1825 users - 2143 followers on twitter (@malwarelu) - 7GB of database - 3,5TB of malware - 1 tool: malwasm - 1 company: CERT, consulting, Reverse Engineering, Malware analysis, intelligence… - and more…

  5. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu

  6. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu

  7. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Plan - Malware.lu presentation - The reality about Red October

  8. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: presentation On january 2013, Kasperspy published an article on its website about a new malware called Red October. The articles can be read on www.securelist.com We decided to anlyse one of the samples provided by Kaspersky: - 51edea56c1e83bcbc9f873168e2370af This file was a rich text file. A vulnerability is exploited in the document: - CVE-2012-0158.

  9. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: first stage

  10. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: first stage To extract the shell code used we can simply use the strings command: The data looks like assembly code… We used the .decode("hex") python function to have the binary file.

  11. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: first stage We opened the binary file with IDA Pro and identified 2 informations: - find a specific string (PT@T) - A xor (0xB6)

  12. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: first stage So we looked to the string and started to extract data once the string found: And we applied the xor algorithm:

  13. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: second stage We opened the new shellcode with IDA Pro:

  14. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: second stage The generated file looked like a Windows binary:

  15. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: msmx21.exe (dropper)

  16. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: msmx21.exe (dropper) The hash of the file was: e7d4841bccc9c3fb48124699d5e65deb The file was packed. The packer was on the heap, so we added several breakpoints on functions used to allocate or manipulate memory. On a VirtualAlloc() we saw a MZ directly in memory

  17. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: msmx21.exe (dropper) The hash of the unpacked file was: 20c3ec7d34e5f950ed7b3752c65fc127 This binary create 3 files: - %TEMP%\msc.bat - %ProgramFiles%\windows NT\svchost.exe - %ProgramFiles%\windows NT\wsdktr.ltp

  18. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: msmx21.exe (dropper) We can download the content of the file by adding breakpoint on the function WriteFile():

  19. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: .bat, .exe & payload

  20. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: msc.bat The content of the batch:

  21. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: svchost.exe The file was packed, we used the same technique than previously. The unpacked file was an UPX file. Here is the hash of the files: - e1ed995b223e899ee8557bbdbaab7c83 (with upx) - 5f38e180671fe1d86009d730687a0e3e (without upx) The purpose of the binary is to decrypt the wsdktr.ltp file. The algorithm is: -RC4 -Zlib

  22. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: svchost.exe RC4 function KSA (function 0x403930):

  23. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: svchost.exe RC4 function PRGA (function 0x4039B0):

  24. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: svchost.exe Zlib function (function 0x404500):

  25. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: svchost.exe A python script to decrypt the payload The usage:

  26. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: svchost.exe Here is the hash of the final binary: - 9b049bcb675377af1ca08fcf3ddad89c (.dll) - b587fb33613bfbdd2a95e98fc00391d5 (unpack .dll) !! We finally have the real Red October sample !!

  27. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: the real malware

  28. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: the real malware A complet IDA Pro file is available here: - http://malware-lu.googlecode.com/git/redoctober/ida/red.idb The first step was to create a thread. The real malicious function calls by the thread is sub_100013A0.

  29. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: the real malware

  30. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: the real malware The workflow of the malware: - sub_1000DD70: this function retrieves system information such as Windows directory, volume info, IE version... - sub_10003F00: this function reads the configuration of the browsers and forges the HTTP request (using POST method) to contact the C&C. The list of the C&C is available at this adress: 0x10025008 (nt-windows- online.com;...), the port is available at this adress: 0x10025028 (80) and the path is available at this adress: 0x10025024 (/cgi-bin/nt/th). The communication uses a XOR, the malware needs to decode the data. The key of the XOR is a rand() with the seed 12345.

  31. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: the real malware The C&C gives an order to the infected machine. - case 0x4: executes a binary stored locally:

  32. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: the real malware The C&C gives an order to the infected machine. - case 0x3: download a file and execute this file:

  33. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: the real malware The C&C gives an order to the infected machine. - case 0x6: download a file:

  34. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: the real malware The C&C gives an order to the infected machine. - case 0x7: install a new version of the malware:

  35. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: the real malware The C&C gives an order to the infected machine. - case by default: do nothing…

  36. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: homemade C&C We provide a poc of a homemade C&C. Here is the format of the network packet: - ID: four bytes containing the command, in our case 0x3 - size: four bytes containing the size of the packet - Directory: four bytes containing a code to define the directory to save the file, for example 0x1 is %TEMP% - FileName: the name of the file is put here and finishes by \x00 - Binary: here the binary in raw format The server uses a XOR to encode this data before sending them to the infected machine. The code source of the C&C is available here: http://code.google.com/p/malware-lu/wiki/en_malware_redoctober_cc

  37. The reality about Red October… @r00tbsd – Paul Rascagnères from

    Malware.lu Red October: conclusion… Our opinion about this case….