My Road to Digital Forensics Excellence

msrll concluded

Posted by Paul Bobby on August 5, 2009

Static Analysis – Interaction with port 2200

Telnet to port 2200 produces a simple prompt “#:”. There is a single reference to this ASCII string in the code at 0x40BD04. That’s where I set my breakpoint.

[image] On tracing the calling tree that gets to this point, I found a place to modify the runtime credential check.

[image] Set a breakpoint on the highlighted line, change the ZERO flag when you get there, and the code will assume the credentials you typed in at the “#:” prompt are valid.

Static Analysis – Interaction in IRC channel

I first attempted to find where the command “?login” was processed, but hit a dead end. Instead I focused on where the malware processes input received from the IRC channel. The bot issues a periodic IRC PING, causing the client to exit after a 180 timeout if the PONG is not received. This is a little wrinkle when analyzing the code.

[image] When the username and password are processed, the code tests the results twice: line 405B68 with TEST EAX, EAX and line 405B72 with TEST EAX, 10000. Patching both of these lines with NOPs means a successful login in the IRC channel.

Incident Response

  1. DNS Block
    1. collective7[.]
  2. SMS Search
    1. system32\mfm\jtram.conf
    2. system32\mfm\msrll.exe
  3. Personal Firewall
    1. Block on incoming connections to TCP 2200
  4. 4n6 indicators
    1. Registry autorun key
    2. MD5 of executable
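The checklist above as a host triage script, added here as an example and not code from the original post. It assumes Windows PowerShell 5.1+ with the NetTCPIP and NetSecurity modules available; the sample's MD5 is a placeholder because the post does not give the hash, and the DNS block is not scripted because the domain is truncated on the page.

```powershell
# Added example, not from the original post: triage the msrll indicators listed
# above on a Windows host. Assumes Windows PowerShell 5.1+ with the NetTCPIP and
# NetSecurity modules; the expected MD5 is a placeholder (the post gives no hash).
$ExpectedMd5 = 'PLACEHOLDER_MD5_OF_KNOWN_SAMPLE'

function Test-MsrllFiles {
    # File indicators: the two paths the post names under system32\mfm
    $paths = "$env:SystemRoot\system32\mfm\jtram.conf", "$env:SystemRoot\system32\mfm\msrll.exe"
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        [pscustomobject]@{ Indicator = 'File'; Value = $p; Detail = $md5; Known = ($md5 -eq $ExpectedMd5) }
    }
}

function Test-MsrllAutorun {
    # Registry autorun indicator: any Run/RunOnce value that references msrll.exe
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'msrll\.exe' } |
            ForEach-Object { [pscustomobject]@{ Indicator = 'Autorun'; Value = "$k\$($_.Name)"; Detail = $_.Value; Known = $null } }
    }
}

function Test-MsrllListener {
    # Backdoor listener: the "#:" prompt described in the post is served on TCP 2200
    Get-NetTCPConnection -LocalPort 2200 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Indicator = 'Listener'; Value = 'TCP 2200'; Detail = "PID $($_.OwningProcess) $($proc.ProcessName)"; Known = $null }
    }
}

function Add-MsrllFirewallBlock {
    # Containment: block inbound TCP 2200 on the host firewall (run from an elevated shell)
    New-NetFirewallRule -DisplayName 'Block msrll backdoor TCP 2200' -Direction Inbound `
        -Protocol TCP -LocalPort 2200 -Action Block | Out-Null
}

# Collect findings; the DNS block for the C2 domain is not scripted because the page truncates it.
@(Test-MsrllFiles) + @(Test-MsrllAutorun) + @(Test-MsrllListener) | Format-Table -AutoSize
```

Run the three Test-* functions first to record what is on the host, and call Add-MsrllFirewallBlock only once you have decided to contain rather than keep observing the listener.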
