Security Incidents mailing list archives
Re: Millennium Trojan
From: "Howard, Aaron" <ahoward () NOERRORS COM>
Date: Sat, 9 Dec 2000 00:41:15 -0500
Well, since I have received several requests, I'll include a fuller
analysis of this trojan. Please note that this is all from reviewing the
executable, not actually running it. I'm not confident enough in my
abilities to keep it from doing damage if I run it.

So, a little background... We hired an outside consultant to help us set
up an accounting/distribution software package. He came in and was seated
at an open PC. We block a lot of things, but I have heretofore been
lenient on outbound traffic (allowing all machines inside with valid
source addresses to establish connections on any local port > 1023 to any
other machine outside our network on any port > 1023). The idea was to
allow our users to run IRC, MSN Messenger, AOL Instant Messenger, Yahoo
Instant Messenger, ICQ, RealAudio, etc. (Modification of this policy is
already underway...) But, even though we allow(ed) these outbound
connections, they are all logged to a central logging machine and that
log is constantly scrolling in the background of my screen.

So one day I'm working away and notice a bunch of connections on
destination port 6667... this piques my curiosity because I KNOW nobody
at our company uses IRC but me... and this wasn't me.

Here are the actions I took...

1. nbtstat -A internal.source.ip.address

   This returned me the following:

   NetBIOS Remote Machine Name Table

       Name               Type         Status
   ---------------------------------------------
   PCNAME         <00>  UNIQUE      Registered
   OURDOMAIN      <00>  GROUP       Registered
   PCNAME         <03>  UNIQUE      Registered
   CONSULTANT     <03>  UNIQUE      Registered

   MAC Address = xx-xx-xx-xx-xx-xx

   The key here was that it showed the source IP address in question was
   in use by our consultant. Now usually I'd just call the user up and
   say, "What are you doing?" but this being a consultant, I decided it
   was best to be more discreet. We use VNC on all our internal machines
   for support-related issues. So, I checked him out.

2. I used VNC to view his screen and take screen shots of him chatting
   via mIRC for nearly an hour.

3. After this, we let him go and immediately blocked outbound connections
   on all ports > 1023. However, we left the machine on. Then I started
   noticing blocked connections on port 6667 from that machine. Blocked
   attempts looked like this:

   denied tcp x.x.x.2(1068) -> 130.243.43.71(6667)
   denied tcp x.x.x.2(1040) -> 151.189.12.20(6667)
   denied tcp x.x.x.2(1376) -> 194.75.152.237(6667)
   denied tcp x.x.x.2(1029) -> 198.139.244.22(6667)
   denied tcp x.x.x.2(1500) -> 198.63.2.192(6667)
   denied tcp x.x.x.2(1336) -> 198.88.88.99(6667)
   denied tcp x.x.x.2(1348) -> 199.232.159.166(6667)
   denied tcp x.x.x.2(1046) -> 209.25.152.162(6667)
   denied tcp x.x.x.2(1072) -> 209.254.98.88(6667)
   denied tcp x.x.x.2(1049) -> 212.43.196.5(6667)

   (Note: destination IP addresses were not attempted in this order; this
   is a sorted list of unique destination IPs...)

4. I VNC'ed over to it and saw NO applications running. Nothing in the
   task list at all.

5. So, I created bootable Norton Antivirus 5.0 disks with the latest
   virus defs (11/27/00) and went to that machine and scanned it.
   Nothing. So, I started MSINFO32.EXE to check loaded modules and found
   something called kernel32.vxc was in memory but it had no version
   info. And it was in \windows\system... I scanned it specifically
   again; NAV said not a virus. It was attrib-ed as HIDDEN/SYSTEM.

6. I copied it to a floppy to take to another machine for testing and
   renamed it BADGUY.EXE.

7. QuickView of the EXE showed very little other than that the EXE was
   mangled (packed) to prevent viewing like this.

8. So I checked backlogs of my bugtraq e-mails and found a few sites with
   reverse engineering tools. www.suddendischarge.com was most helpful.

9. I downloaded several tools from sudden discharge:
   1) Universal File Scanner (fs11-27-00.zip)
   2) Anti-Aspack 0.2 (unaspack02.zip)
   3) DeDe 2.431 (dede2431full.zip)
   4) PE Explorer 1.0 Beta (pex_b090.zip)

   a. I used fs to determine the following:

   file scanner by SMT
   +---------------------------e:\ahoward\badguy1.exe----------------------------+
   ¦extension: executable file                                                   ¦
   +----------------------------MZ-EXE DOS executable---------------------------+¦
   ¦¦sizes: header 28, relocs 0, empty 644, image 192, overlay 291488 bytes     ¦¦
   ¦¦dos/exe DOS stub from Borland tlink32                                      ¦¦
   ¦+----------------------------Portable executable----------------------------¦¦
   ¦¦subsystem: Win32 GUI, cpu: i386                                            ¦¦
   ¦¦linktime: Fri, 19.Jun.1992 at 17:22.17 (UTC 22:22.17)                      ¦¦
   ¦¦checksum: correct                                                          ¦¦
   ¦¦linker: Borland TLINK/TLINK32                                              ¦¦
   ¦¦sizes: stub 64, header 960, image 291328, overlay 0                        ¦¦
   ¦¦pe/exe.packer ASPack 1.061b,1.07b (type 2)-------------------------unpacker¦¦
   ¦+---------------------------------------------------------------------------+¦
   +-----------------------------------------------------------------------------+

   I thought one thing was odd about this... the linktime says
   19.Jun.1992... so was this program REALLY compiled in 1992? Not likely.
   I imagine a little hex-editing of the file and you can make the link
   date whatever you want. Or change the date on your system before
   linking.

   b. Since I couldn't tell much more about the file without
   unASPack-ing it, I used unaspack to remove the packing and created
   badguy2.exe, then fs showed the following...

   file scanner by SMT
   +---------------------------e:\ahoward\badguy2.exe----------------------------+
   ¦extension: executable file                                                   ¦
   +----------------------------MZ-EXE DOS executable---------------------------+¦
   ¦¦sizes: header 28, relocs 0, empty 644, image 192, overlay 622240 bytes     ¦¦
   ¦¦dos/exe DOS stub from Borland tlink32                                      ¦¦
   ¦+----------------------------Portable executable----------------------------¦¦
   ¦¦subsystem: Win32 GUI, cpu: i386                                            ¦¦
   ¦¦linktime: Fri, 19.Jun.1992 at 17:22.17 (UTC 22:22.17)                      ¦¦
   ¦¦checksum: correct                                                          ¦¦
   ¦¦linker: Borland TLINK/TLINK32                                              ¦¦
   ¦¦sizes: stub 64, header 960, image 622080, overlay 0                        ¦¦
   ¦+---------------------------------------------------------------------------+¦
   +-----------------------------------------------------------------------------+

   (No packing now)

   c. I used DeDe to disassemble it and generate the attached form1.pas
   file. (Note: I removed the password as I see no need for it to be
   included...)

   d. I generated a strings reference from the "source" DeDe creates in
   strings.txt. From this we can tell the trojan will accept a number of
   commands and take certain actions based on those commands.

   e. I used PE Explorer to grab out a little more (saved as nmshow.pas),
   which shows they are using a component from NetMasters in this
   trojan...

Source files created by DeDe and PE Explorer are not all attached as I
keep getting my message rejected for being over 3000 lines. ...but I
think what's here explains well enough.

-Aaron

--
Aaron Howard, RHCE, CCNA, CNE, MCSE
ahoward () noerrors com, aphoward () gcfn org
PGP key available via key servers
Attachment: form1.pas
* Possible String Reference to: 'éyøÿëë^[å]Ã'
* Possible String Reference to: ' :'
* Possible String Reference to: ' :'
* Possible String Reference to: 'PC_END'
* Possible String Reference to: '^[å]Ã'
* Possible String Reference to: 'TROJAN_CLOSED :void'
* Possible String Reference to: 'windows.dll'
* Possible String Reference to: 'KeyHook_Start'
* Possible String Reference to: '鬣øÿëè_^[å]Ã'
* Possible String Reference to: '\Kernel32.vxc /nomsg'
* Possible String Reference to: 'Kernel32'
* Possible String Reference to: '#SquashCentre'
* Possible String Reference to: 'v.1.6.'
* Possible String Reference to: 'handle.ini'
* Possible String Reference to: 'Handle'
* Possible String Reference to: 'MainHandle'
* Possible String Reference to: 'Ã@'
* Possible String Reference to: 'software\microsoft\windows\currentversion\setup'
* Possible String Reference to: 'sysdir'
* Possible String Reference to: '\Windows.dll'
* Possible String Reference to: 'click'
* Possible String Reference to: '\Windows.dll'
* Possible String Reference to: '49 33 x'
* Possible String Reference to: '50 34 x'
* Possible String Reference to: '51 163 x'
* Possible String Reference to: '52 36 x'
* Possible String Reference to: '53 37 x'
* Possible String Reference to: '54 94 x'
* Possible String Reference to: '55 38 x'
* Possible String Reference to: '56 42 x'
* Possible String Reference to: '57 40 x'
* Possible String Reference to: '48 41 x'
* Possible String Reference to: '188 44 60'
* Possible String Reference to: '190 46 62'
* Possible String Reference to: '191 47 63'
* Possible String Reference to: '186 59 58'
* Possible String Reference to: '192 39 64'
* Possible String Reference to: '222 35 126'
* Possible String Reference to: '219 91 123'
* Possible String Reference to: '221 93 125'
* Possible String Reference to: '189 45 95'
* Possible String Reference to: '187 61 43'
* Possible String Reference to: '223 96 172'
* Possible String Reference to: 'Windows.dll'
* Possible String Reference to: 'KeyHook_Start'
* Possible String Reference to: '_^[å]Ã'
* Possible String Reference to: 'é ½øÿë_^[å]Ã'
* Possible String Reference to: 'REQUESTLOGIN'
* Possible String Reference to: 'LOGON_GRANTED :Welcome to the millenium trojan. '
* Possible String Reference to: ' Awaiting commands.'
* Possible String Reference to: 'LOGON_GRANTED :Welcome to the millenium trojan. '
* Possible String Reference to: ' Awaiting commands.'
* Possible String Reference to: 'ICONS_HIDE'
* Possible String Reference to: 'progman'
* Possible String Reference to: 'SYSTEM_MESSAGE :Desktop icons hidden'
* Possible String Reference to: 'ICONS_SHOW'
* Possible String Reference to: 'progman'
* Possible String Reference to: 'SYSTEM_MESSAGE :Desktop icons shown'
* Possible String Reference to: 'SYSKEYS_OFF'
* Possible String Reference to: 'SYSTEM_MESSAGE :System keys disabled'
* Possible String Reference to: 'SYSKEYS_ON'
* Possible String Reference to: 'SYSTEM_MESSAGE :System keys enabled'
* Possible String Reference to: 'DESKTOP_LOCK'
* Possible String Reference to: 'SYSTEM_MESSAGE :Desktop Locked'
* Possible String Reference to: 'DESKTOP_UNLOCK'
* Possible String Reference to: 'SYSTEM_MESSAGE :Desktop Unocked'
* Possible String Reference to: 'DESKTOP_WALLPAPER'
* Possible String Reference to: 'SYSTEM_MESSAGE :Wallpaper changed to "'
* Possible String Reference to: 'PLUGINS_LIST'
* Possible String Reference to: 'PLUGIN_NAME'
* Possible String Reference to: 'PLUGIN_ADD'
* Possible String Reference to: 'PLUGIN_ADDED :Plugin "'
* Possible String Reference to: '" from "'
* Possible String Reference to: '" has been added'
* Possible String Reference to: 'PLUGIN_REMOVE'
* Possible String Reference to: 'PLUGIN_REMOVED :Plugin "'
* Possible String Reference to: '" has been removed'
* Possible String Reference to: 'RELAY_ADDRESS'
* Possible String Reference to: 'RELAY_PORT'
* Possible String Reference to: 'RELAY_CONPORT'
* Possible String Reference to: 'RELAY_START'
* Possible String Reference to: 'RELAY_STOP'
* Possible String Reference to: 'KEYS_DISABLE_ALL'
* Possible String Reference to: 'KEY_MESSAGE :keyboard disabled'
* Possible String Reference to: 'KEYS_ENABLE_ALL'
* Possible String Reference to: 'KEY_MESSAGE :keyboard enabled'
* Possible String Reference to: 'KEYS_DISABLE'
* Possible String Reference to: 'KEY_MESSAGE :keys "'
* Possible String Reference to: '" disabled'
* Possible String Reference to: 'KEYS_ENABLE'
* Possible String Reference to: 'KEY_MESSAGE :keys "'
* Possible String Reference to: '" enabled'
* Possible String Reference to: 'KEY_LISTEN_START'
* Possible String Reference to: 'Windows.dll'
* Possible String Reference to: 'KeyHook_Start'
* Possible String Reference to: 'KEY_MESSAGE :Sending keystrokes'
* Possible String Reference to: 'KEY_LISTEN_STOP'
* Possible String Reference to: 'KEY_MESSAGE :Keystroke sending is now off'
* Possible String Reference to: 'SYSTEM_SCREENSHOT'
* Possible String Reference to: 'SCREENSHOT_INSIZE :'
* Possible String Reference to: 'SCREENSHOT_INITIALIZE :764371'
* Possible String Reference to: 'FILE_FILENAME'
* Possible String Reference to: 'FILE_DSET'
* Possible String Reference to: 'FILE_GET_ATTRIBUTES'
* Possible String Reference to: 'FILE_ATTRIBUTE_ARCHIVE :1'
* Possible String Reference to: 'FILE_ATTRIBUTE_ARCHIVE :0'
* Possible String Reference to: 'FILE_ATTRIBUTE_COMPRESSED :1'
* Possible String Reference to: 'FILE_ATTRIBUTE_COMPRESSED :0'
* Possible String Reference to: 'FILE_ATTRIBUTE_DIRECTORY :1'
* Possible String Reference to: 'FILE_ATTRIBUTE_DIRECTORY :0'
* Possible String Reference to: 'FILE_ATTRIBUTE_HIDDEN :1'
* Possible String Reference to: 'FILE_ATTRIBUTE_HIDDEN :0'
* Possible String Reference to: 'FILE_ATTRIBUTE_NORMAL :1'
* Possible String Reference to: 'FILE_ATTRIBUTE_NORMAL :0'
* Possible String Reference to: 'FILE_ATTRIBUTE_OFFLINE :1'
* Possible String Reference to: 'FILE_ATTRIBUTE_OFFLINE :0'
* Possible String Reference to: 'FILE_ATTRIBUTE_READONLY :1'
* Possible String Reference to: 'FILE_ATTRIBUTE_READONLY :0'
* Possible String Reference to: 'FILE_ATTRIBUTE_SYSTEM :1'
* Possible String Reference to: 'FILE_ATTRIBUTE_SYSTEM :0'
* Possible String Reference to: 'FILE_ATTRIBUTE_TEMPORARY :1'
* Possible String Reference to: 'FILE_ATTRIBUTE_TEMPORARY :0'
* Possible String Reference to: 'SYSTEM_MONITOR_OFF'
* Possible String Reference to: 'SHUTDOWN_MESSAGE :Monitor turned off'
* Possible String Reference to: 'SYSTEM_MONITOR_ON'
* Possible String Reference to: 'SHUTDOWN_MESSAGE :Monitor turned on'
* Possible String Reference to: 'SYSTEM_RESTART'
* Possible String Reference to: 'SHUTDOWN_MESSAGE :Restarting system'
* Possible String Reference to: 'SYSTEM_SHUTDOWN'
* Possible String Reference to: 'SHUTDOWN_MESSAGE :Shutting down system'
* Possible String Reference to: 'SYSTEM_FORCE'
* Possible String Reference to: 'SHUTDOWN_MESSAGE :Forcing down system'
* Possible String Reference to: 'SYSTEM_POWEROFF'
* Possible String Reference to: 'SHUTDOWN_MESSAGE :Powering down system'
* Possible String Reference to: 'SYSTEM_LOGOFF'
* Possible String Reference to: 'SHUTDOWN_MESSAGE :Logging off current user'
* Possible String Reference to: 'DRIVE_SERIAL'
* Possible String Reference to: 'DRIVE_NAME :Drive name of drive "'
* Possible String Reference to: '" is "'
* Possible String Reference to: 'DRIVE_SERIAL :Serial number of drive "'
* Possible String Reference to: '" is "'
* Possible String Reference to: 'DRIVE_OPEN'
* Possible String Reference to: 'SYSTEM_MESSAGE :Drive "'
* Possible String Reference to: '" has been opened'
* Possible String Reference to: 'DRIVE_CLOSE'
* Possible String Reference to: 'SYSTEM_MESSAGE :Drive "'
* Possible String Reference to: '" has been closed'
* Possible String Reference to: 'FILE_EXECUTE'
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" was executed normally'
* Possible String Reference to: 'FILE_EXECUTE_INVIS'
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" was executed invisibly'
* Possible String Reference to: 'FILE_EXECUTE_NONEXE'
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" was opened'
* Possible String Reference to: 'FILE_EXECUTE_NONEXE_INVIS'
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" was opened invisibly'
* Possible String Reference to: 'FILE_DELETE'
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" was deleted'
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" was not deleted'
* Possible String Reference to: 'FILE_COPY_LOC1'
* Possible String Reference to: 'FILE_COPY_LOC2'
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" was copied to '
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" failed to copy to "'
* Possible String Reference to: 'FILE_RENAME_NAME1'
* Possible String Reference to: 'FILE_RENAME_NAME2'
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" was renamed to "'
* Possible String Reference to: 'FILE_MESSAGE :"'
* Possible String Reference to: '" failed to rename to "'
* Possible String Reference to: 'FTP_PORT'
* Possible String Reference to: 'FTP_MAX'
* Possible String Reference to: 'FTP_START'
* Possible String Reference to: 'FTP_MESSAGE :FTP server started on port '
* Possible String Reference to: ' for '
* Possible String Reference to: ' connections'
* Possible String Reference to: 'FTP_STOP'
* Possible String Reference to: 'FTP_MESSAGE :FTP server stopped'
* Possible String Reference to: 'ADMIN_SET_PASSWORD'
* Possible String Reference to: 'SYSTEM_MESSAGE :Password set to "'
* Possible String Reference to: 'ADMIN_GETOLDPASSWORD :void'
* Possible String Reference to: 'ADMIN_CLEAR_PASSWORD'
* Possible String Reference to: 'SYSTEM_MESSAGE :Password cleared'
* Possible String Reference to: 'SYSTEM_MESSAGE :Password not cleared'
* Possible String Reference to: 'ADMIN_OLDPASSWORD'
* Possible String Reference to: 'SYSTEM_MESSAGE :Password changed to "'
* Possible String Reference to: 'SYSTEM_MESSAGE :Password not changed'
* Possible String Reference to: 'PROCESS_LIST_ALL'
* Possible String Reference to: 'PROCESS_BEGINLIST :All Processes'
* Possible String Reference to: 'PROCESS_LIST_VISIBLE'
* Possible String Reference to: 'PROCESS_BEGINLIST :Visible Processes'
* Possible String Reference to: 'PROCESS_LIST_INVISIBLE'
* Possible String Reference to: 'PROCESS_BEGINLIST :Inisible Processes'
* Possible String Reference to: 'PROCESS_MINIMIZE'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" was minimized'
* Possible String Reference to: 'PROCESS_MAXIMIZE'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" was maximized'
* Possible String Reference to: 'PROCESS_RESTORE'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" was restored'
* Possible String Reference to: 'PROCESS_HIDE'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" was made invisible'
* Possible String Reference to: 'PROCESS_SHOW'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" was made visible'
* Possible String Reference to: 'PROCESS_LOCK'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" was locked'
* Possible String Reference to: 'PROCESS_UNLOCK'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" was unlocked'
* Possible String Reference to: 'PROCESS_CLOSE'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" was closed'
* Possible String Reference to: 'PROCESS_DELETE'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" source file was deleted'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" source file failed to delete'
* Possible String Reference to: 'PROCESS_GETFILENAME'
* Possible String Reference to: 'PROCESS_MESSAGE :Filename of "'
* Possible String Reference to: '" is "'
* Possible String Reference to: '".'
* Possible String Reference to: 'PROCESS_CAPTION'
* Possible String Reference to: 'PROCESS_SET_CAPTION'
* Possible String Reference to: 'PROCESS_MESSAGE :Caption of "'
* Possible String Reference to: '" set to "'
* Possible String Reference to: 'PROCESS_FRONT'
* Possible String Reference to: 'PROCESS_MESSAGE :"'
* Possible String Reference to: '" is now on top'
* Possible String Reference to: 'MESSAGE_POPUP'
* Possible String Reference to: 'Message'
* Possible String Reference to: 'SYSTEM_MESSAGE :Popup message "'
* Possible String Reference to: '" shown'
* Possible String Reference to: 'MESSAGE_WARNING'
* Possible String Reference to: 'Warning'
* Possible String Reference to: 'SYSTEM_MESSAGE :Warning message "'
* Possible String Reference to: '" shown'
* Possible String Reference to: 'MESSAGE_ERROR'
* Possible String Reference to: 'Error'
* Possible String Reference to: 'SYSTEM_MESSAGE :Error message "'
* Possible String Reference to: '" shown'
* Possible String Reference to: 'MESSAGE_INFO'
* Possible String Reference to: 'Info.'
* Possible String Reference to: 'SYSTEM_MESSAGE :info message "'
* Possible String Reference to: '" shown'
* Possible String Reference to: '_^[å]Ã'
* Possible String Reference to: 'éÑøÿëë[å]Ã'
* Possible String Reference to: 'RELAY_MESSAGE_CONNECTED :Connected to '
* Possible String Reference to: ' on port '
* Possible String Reference to: '. Local port is '
* Possible String Reference to: '[å]Ã'
* Possible String Reference to: 'é£øÿëð[Y]Ã'
* Possible String Reference to: 'RELAY_MESSAGE_DISCONNECTED :Disconnected from '
* Possible String Reference to: '[Y]Ã'
* Possible String Reference to: 'RELAY_MESSAGE :Client connected'
* Possible String Reference to: 'éóøÿëë_^[YY]Ã'
* Possible String Reference to: '*?311?*'
* Possible String Reference to: '*?319?*'
* Possible String Reference to: '*:'
* Possible String Reference to: '*?318?*'
* Possible String Reference to: 'Quit :Reload'
* Possible String Reference to: '_^[YY]Ã'
* Possible String Reference to: 'IRCEnableAuthSquasige'
* Possible String Reference to: 'CMDLine'
* Possible String Reference to: 'VERSION'
* Possible String Reference to: 'PRIVMSG '
* Possible String Reference to: ' :'
* Possible String Reference to: 'REMVPlugin'
* Possible String Reference to: 'CLOSEProc'
* Possible String Reference to: 'PluginHTTP'
* Possible String Reference to: 'PING'
* Possible String Reference to: 'ping -t -l '
* Possible String Reference to: 'CLOSE'
* Possible String Reference to: 'QUIT :CLOSE'
* Possible String Reference to: 'QUIT'
* Possible String Reference to: 'QUIT :QUIT'
* Possible String Reference to: 'REMOVE'
* Possible String Reference to: 'QUIT :REMOVE'
* Possible String Reference to: 'Kernel32'
* Possible String Reference to: 'JOIN '
* Possible String Reference to: ' MainPass1234'
* Possible String Reference to: 'MODE '
* Possible String Reference to: ' +stnk MainPass1234'
* Possible String Reference to: 'MODE '
* Possible String Reference to: ' -o '
* Possible String Reference to: 'software\microsoft\windows\currentversion\setup'
* Possible String Reference to: 'sysdir'
* Possible String Reference to: '\Kernel32.vxc /nomsg'
* Possible String Reference to: 'Kernel32'
* Possible String Reference to: 'PING :irc.dal.net'
* Possible String Reference to: 'WHOIS '
* Possible String Reference to: '^[å]Ã'
Attachment: nmshow.pas
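As an added example (not code from the original post or its author) of automating the check the poster did by eye: it parses firewall deny lines in the same "denied tcp SRC(SPORT) -> DST(DPORT)" format quoted in the message and flags any internal host that tried to reach several distinct servers on IRC ports, which is the fan-out pattern that distinguished the trojan from a person using an IRC client. The log lines, the RFC 5737 documentation addresses and the threshold are constructed for the example.

```python
"""Flag internal hosts fanning out to many IRC servers in firewall deny logs.

Constructed example: the deny-line format follows the post, the addresses
are RFC 5737 documentation ranges, and the threshold is a chosen value.
"""
import re
from collections import defaultdict

# 6667 is the port seen in the post; 6660-6669 are the other usual IRC ports.
IRC_PORTS = frozenset(range(6660, 6670))

# Source may be an anonymised token such as "x.x.x.2" as well as a dotted quad.
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\)\s*$"
)

SAMPLE_LOG = """\
denied tcp 192.0.2.2(1068) -> 198.51.100.71(6667)
denied tcp 192.0.2.2(1040) -> 203.0.113.20(6667)
denied tcp 192.0.2.2(1376) -> 198.51.100.237(6667)
denied tcp 192.0.2.2(1029) -> 203.0.113.22(6667)
denied tcp 192.0.2.2(1500) -> 198.51.100.71(6667)
denied tcp 192.0.2.10(1045) -> 203.0.113.5(6667)
denied tcp 192.0.2.10(1046) -> 203.0.113.80(80)
denied tcp 192.0.2.7(1050) -> 198.51.100.9(443)
this line is not a firewall record
"""


def parse_line(line):
    """Return a dict for one deny/permit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def _ip_key(addr):
    """Sort dotted quads numerically; anonymised octets like 'x' sort first."""
    return tuple(int(o) if o.isdigit() else -1 for o in addr.split("."))


def irc_fanout(lines, ports=IRC_PORTS):
    """Map each source to the sorted, de-duplicated IRC destinations it tried
    (the "sorted list of unique destination IPs" the poster built by hand)."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] in ports:
            seen[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts, key=_ip_key) for src, dsts in seen.items()}


def suspicious_hosts(lines, threshold=3, ports=IRC_PORTS):
    """Sources that tried at least `threshold` distinct IRC servers: one host
    on one server looks like a person on IRC, cycling through a list does not."""
    fanout = irc_fanout(lines, ports)
    return sorted((s for s, d in fanout.items() if len(d) >= threshold), key=_ip_key)


if __name__ == "__main__":
    for src, dsts in irc_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(dsts)} distinct IRC destinations -> {', '.join(dsts)}")
    print("flagged:", suspicious_hosts(SAMPLE_LOG.splitlines()))
```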