SecureArtisan

My Road to Digital Forensics Excellence

msrll concluded

Posted by Paul Bobby on August 5, 2009

Static Analysis – Interaction with port 2200

Telnet to port 2200 produces a simple prompt “#:”. There is a single reference to this ASCII string in the code at 0x40BD04. That’s where I set my breakpoint.

[screenshot] On tracing the call tree that leads to this point, I found a place to modify the runtime credential check.

[screenshot] Set a breakpoint on the highlighted instruction and flip the zero flag when it is hit; the code then treats whatever credentials you typed at the “#:” prompt as valid.

Static Analysis – Interaction in IRC channel

I first attempted to find where the command “?login” was processed, but hit a dead end. Instead I focused on where the malware processes input received from the IRC channel. The bot issues a periodic IRC PING, and the client exits after a 180 timeout if no PONG is received. This is a little wrinkle to keep in mind while stepping through the code.

[screenshot] When the username and password are processed, the code tests the result twice: at 405B68 with TEST EAX, EAX and at 405B72 with TEST EAX, 10000. Patching both of these instructions with NOPs results in a successful login in the IRC channel.

Incident Response

  1. DNS Block
    1. collective7[.]zxy0.com
  2. SMS Search
    1. system32\mfm\jtram.conf
    2. system32\mfm\msrll.exe
  3. Personal Firewall
    1. Block on incoming connections to TCP 2200
  4. 4n6 indicators
    1. Registry autorun key
    2. MD5 of executable
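The indicators above can be turned into a simple host check. The following is an added example, not code from the original post: it matches the listed indicators (the C2 hostname, the two dropped file paths, the TCP 2200 listener and an autorun entry pointing at msrll.exe) against a constructed snapshot of host and network artifacts. The post does not give the MD5 of the executable, so that value is a labelled placeholder and the hash check only becomes meaningful once you fill it in from your own sample.

```python
"""Match the msrll indicators from the post against a host/network snapshot.

Added example (not from the original post). Indicator values come from the
post; the MD5 is a placeholder because the post does not state it.
"""
from dataclasses import dataclass

# Indicators taken from the post. The hostname is stored defanged and
# refanged at comparison time.
C2_HOST_DEFANGED = "collective7[.]zxy0.com"
DROPPED_FILES = (r"system32\mfm\jtram.conf", r"system32\mfm\msrll.exe")
BACKDOOR_PORT = 2200
KNOWN_MD5 = "<md5-of-your-msrll-sample>"  # placeholder, not given in the post

# Autorun locations to inspect (assumption: the post names no specific key).
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)


@dataclass
class HostSnapshot:
    """Artifacts gathered from a host; all fields are constructed samples."""
    files: dict          # full path -> md5 of the file
    run_values: dict     # "<run key>\<value name>" -> command line
    listening_tcp: set   # TCP ports with a listener
    dns_queries: list    # hostnames the host resolved


def _refang(host: str) -> str:
    return host.replace("[.]", ".").lower().rstrip(".")


def find_indicators(snap: HostSnapshot) -> list:
    """Return a list of human-readable hits; empty list means no indicator matched."""
    hits = []
    for path, md5 in snap.files.items():
        norm = path.lower().replace("/", "\\")
        for dropped in DROPPED_FILES:
            if norm.endswith(dropped.lower()):
                hits.append(f"file: {path}")
                # Only fires once KNOWN_MD5 has been replaced with a real hash.
                if md5.lower() == KNOWN_MD5.lower():
                    hits.append(f"md5 match: {path}")
    for name, cmd in snap.run_values.items():
        under_run_key = any(name.lower().startswith(k.lower()) for k in RUN_KEYS)
        if under_run_key and "\\mfm\\msrll.exe" in cmd.lower():
            hits.append(f"autorun: {name}")
    if BACKDOOR_PORT in snap.listening_tcp:
        hits.append(f"listener: tcp/{BACKDOOR_PORT}")
    for query in snap.dns_queries:
        if _refang(query) == _refang(C2_HOST_DEFANGED):
            hits.append(f"dns: {query}")
    return hits


# Constructed sample snapshots: one host showing every indicator, one clean.
INFECTED = HostSnapshot(
    files={
        r"C:\WINDOWS\system32\mfm\msrll.exe": "00000000000000000000000000000001",
        r"C:\WINDOWS\system32\mfm\jtram.conf": "00000000000000000000000000000002",
        r"C:\WINDOWS\system32\notepad.exe": "00000000000000000000000000000003",
    },
    run_values={
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rll enhanced drive":
            r"C:\WINDOWS\system32\mfm\msrll.exe",
    },
    listening_tcp={135, 445, 2200},
    dns_queries=["time.windows.com", "collective7.zxy0.com"],
)

CLEAN = HostSnapshot(
    files={r"C:\WINDOWS\system32\notepad.exe": "00000000000000000000000000000003"},
    run_values={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon":
                r"C:\WINDOWS\system32\ctfmon.exe"},
    listening_tcp={135, 445},
    dns_queries=["time.windows.com"],
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, find_indicators(snap))
```

The autorun value name in the infected sample is invented for illustration; the check deliberately keys on the command line pointing at `system32\mfm\msrll.exe` rather than on a value name, since the post only says an autorun key exists without naming it.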