My Road to Digital Forensics Excellence

Double Blinky

Posted by Paul Bobby on June 26, 2009

Here’s a section of code containing calls to our HTTP functions:

Setting a breakpoint after the InternetReadFile() function is our best bet.

Here are some strings:

Past experience with C2 over HTTP shows that server-to-bot communication is often obfuscated – so I highly doubt that a request for, say, ‘sysinfo’ would come across in the clear. But why not give it a try?

HoneyD was reconfigured to execute ‘scripts\’, which in this test will send back the string ‘sysinfo’ to the requestor, with no HTTP tags or anything else.

Run until the breakpoint. A portion of the stack:

index.php is the last part of the bots’ GET request, and the data at 0x0012FB28 is ‘sysinfox0A’

While tracing through the code, there were two checks I was able to recognize:

If (char is a 0-9) or (char is a-zA-Z)
If char is Newline or Carriage Return

There is some sort of deobfuscation routine here, which I haven’t been able to figure out yet, but each character in ‘sysinfo’ is processed through the below routine:

The crash happens here:

The highlighted instruction generates an Access Violation. Blinky puts its own handler in the SEH chain, and that threw me for a while. But IDA Pro lists this handler as:

So I discounted that. Perhaps the error is a result of debugging, VM, or simply because I didn’t format the C2 correctly. Or just buggy code.

Anyway, time to patch the code by modifying EDX to point to 0x0012FB28 which is the beginning of the ‘sysinfo’ string. This, by the way, was a guess. Turns out… pretty good guess.

Well okay… so the following routine behaves like a strcmp().

So maybe, more of an educated guess.

Anyway, the function jumps, the return code is tested, and then the function at 0x00401000 is called.

Pressing F9 to continue execution (and ensuring sniff_hit is still executing), here’s what happens next:

-> 81[.]95.152.178:80
POST /sysinfo.php HTTP/1.1
Referer: fe25de0be9887dbb2ac25dad792fce2a
Response-id: 0
User-Agent: Googlebot/2.1 ( http[:]//
Content-Length: 198
Cache-Control: no-cache

Memory load: 45
Total physical memory: 536330240
Available physical memory: 291299328
Total virtual memory: 2147352576
Available virtual memory: 2114596864
OS version: 5.1
Build number: 2600

The bot contains various other commands, such as execute, download, die and wait etc. I tested one other command, execute, and produced a working notepad.exe.

My analysis is still not complete – I really need to figure out that obfuscation routine.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: