SecureArtisan

My Road to Digital Forensics Excellence

Blinky on the Brain

Posted by Paul Bobby on June 25, 2009

Blinky.exe is a malware specimen that was used to demonstrate an HTTP C2 channel for Sans 610. I am very familiar with HTTP C2 in our corporate environment, so it was more than a little interesting to start dissecting an actual specimen.

Unfortunately the specimen appeared to be either neutralized or simply broken in some way, as it kept crashing inside my Windows VM; buggy code, or anti-analysis measures?

Metainfo

* name = blinky.exe
* bytes = 36864
* type = MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
* md5 = decaa5ef31e95711ffaf2f99d50e7337
* sha1 = 1c8746350bb07881f82340776ab2db2a2d10458e
* ssdeep = 384:q9Yr0Fyv4TsYSPXoml8UrYutfv+rhWuTGR6lx89DthncDk9E:IjFCSsYy+uU8uhv8ZtyA,"blinky.exe"

* metadata
  * Creation date: 2008-07-01 02:08:27
  * Comment: CPU: Intel 80386
  * Comment: Subsystem: Windows GUI
  * Format version: Portable Executable: Windows application
  * MIME type: application/x-dosexec
  * Endian: Little endian

* Antivirus
  * Virustotal
    • SecureWeb-Gateway Heuristic.Malware
    • AntiVir HEUR/Malware
  * Jotti
    • AntiVir HEUR/Malware

Behavioral Analysis

  1. Simple Execution
    1. No visible output
    2. Process Explorer shows the process continues running after a 60 second wait
  2. Regshot, Wireshark and CaptureBAT -c
    1. Wireshark shows a SYN to 81[.]95.152.178 on port 80, with no preceding DNS query
    2. CaptureBAT shows no captured deleted files
    3. Regshot shows that blinky.exe prefetch was created
  3. HoneyD (default), Sniff_hit, regshot, wireshark, captureBAT -c
    1. Execution results in a crash; drwtsn32.log and user.dmp produced
    2. Wireshark shows a successful transaction to port 80; the contents served by HoneyD's default configuration are successfully sent to Blinky
    3. No further network traffic is recorded prior to blinky.exe crashing
    4. CaptureBAT caught two deleted files
      1. 29C50FD.dmp, and
      2. 496c_appcompat.txt
    5. Sniff_hit captures the following traffic:
-> 81[.]95.152.178:80

POST /index.php HTTP/1.1
Referer: fe25de0be9887dbb2ac25dad792fce2a
Response-id: 0
User-Agent: Googlebot/2.1 ( http[:]//www.googlebot.com/bot.html)
Host: 81[.]95.152.178
Content-Length: 0
Cache-Control: no-cache

---------------------------------------------------------------------------

<- 81[.]95.152.178:80
HTTP/1.1 404 NOT FOUND
Server: Microsoft-IIS/5.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
Content-Location: http[:]//cpmsftwbw27/default.htm
Date: Thu, 04 Apr 2002 06:42:18 GMT
Content-Type: text/html
Accept-Ranges: bytes

You are in Error

You are in Error
O strange and inconceivable thing! (rest is snipped)

---------------------------------------------------------------------------

Next Step

At this point I have observed that the executable reaches a single IP address, sends a crafted HTTP request, and receives the response before crashing.
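The request captured above has several traits that a proxy log review or IDS rule can key on: a body-less POST, a bare 32-hex token in the Referer field where a URL belongs, a crawler User-Agent originating from a workstation, a non-standard Response-id header, and an IP literal in Host (consistent with the absence of DNS). The following Python checker is an added example, not code from the original post; it parses constructed sample requests (the beacon shape above with a documentation-range host substituted, plus a benign POST for comparison) and reports which traits each one exhibits.

```python
import re

# Constructed samples (not a live capture): the beacon shape seen above,
# with a documentation-range host, and a benign POST for comparison.
BEACON_REQUEST = (
    "POST /index.php HTTP/1.1\r\n"
    "Referer: fe25de0be9887dbb2ac25dad792fce2a\r\n"
    "Response-id: 0\r\n"
    "User-Agent: Googlebot/2.1 ( http://www.googlebot.com/bot.html)\r\n"
    "Host: 198.51.100.7\r\n"
    "Content-Length: 0\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
BENIGN_REQUEST = (
    "POST /index.php HTTP/1.1\r\n"
    "Referer: http://example.test/login\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Host: example.test\r\n"
    "Content-Length: 27\r\n\r\n"
)
HEX32 = re.compile(r"^[0-9a-f]{32}$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_request(raw):
    """Split an HTTP/1.x request head into (method, path, headers); header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on first ':' only; URLs in values keep theirs
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def beacon_indicators(raw):
    """Return the names of the blinky-style beacon traits present in one request."""
    method, _path, h = parse_request(raw)
    hits = []
    if method == "POST" and h.get("content-length") == "0":
        hits.append("empty-post")              # body-less POST: the request is just a check-in
    if HEX32.match(h.get("referer", "")):
        hits.append("hash-as-referer")         # 32-hex token where a URL belongs
    if "googlebot" in h.get("user-agent", "").lower():
        hits.append("crawler-ua-from-client")  # a crawler UA does not originate on a workstation
    if "response-id" in h:
        hits.append("response-id-header")      # non-standard header carrying C2 state
    if IPV4.match(h.get("host", "")):
        hits.append("ip-literal-host")         # IP in Host: matches the no-DNS observation
    return hits
```

Each trait alone is weak (empty POSTs and IP-literal hosts occur in legitimate traffic), so a rule should alert on the combination rather than any single hit.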

I have learnt from Sans 610 that, to open an HTTP connection, send a request and receive the response, the following WinINet calls are made:

  • InternetOpen(), InternetConnect()
  • HttpOpenRequest()
  • HttpAddRequestHeaders() (optional)
  • HttpSendRequest()
  • InternetReadFile()

The next step is static code analysis to determine whether these calls are present. If so, my plan is to begin debugging at the return of InternetReadFile(), the call that receives the web server's output.
