Security Incidents mailing list archives
Re: Millennium Trojan
From: "Howard, Aaron" <ahoward () NOERRORS COM>
Date: Sat, 9 Dec 2000 00:41:15 -0500
Well, since I have received several requests, I'll include a more full
analysis
of this trojan.
Please note that this is all from reviewing the executable, not
actually
running it. I'm not confident enough in my abilities to keep it from
doing
damage if I run it.
So, a little background...
We hired an outside consultant to help us set up an
accounting/distribution
software package. He came in and was seated at an open PC.
We block a lot of things, but I have heretofore been lenient on
outbound
traffic (allowing all machines inside with valid source addresses to
establish
connections on any local port > 1023 to any other machine outside our
network
on any port > 1023.
The idea was to allow our users to run IRC, MSN Messenger, AOL Instant
Messenger, Yahoo Instant Messenger, ICQ, RealAudio, etc. (Modification
of
this policy is already underway...)
But, even though we allow(ed) these outbound connections, they are all
logged
to a central logging machine and that log is constantly scrolling in
the
background of my screen.
So one day I'm working away and notice a bunch of connections on
destination
port 6667...this peaks my curiosity because I KNOW nobody at our
company uses
IRC but me...and this wasn't me.
Here are the actions I took ...
1. nbtstat -A internal.source.ip.address
this returned me the following:
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
PCNAME <00> UNIQUE Registered
OURDOMAIN <00> GROUP Registered
PCNAME <03> UNIQUE Registered
CONSULTANT <03> UNIQUE Registered
MAC Address = xx-xx-xx-xx-xx-xx
The key here was that is showed the source IP address in question was
in use
by our consultant.
Now usually I'd just call the user up and say, "What are you doing?"
but this
being a consultant, I decided it was best to be more discreet.
We use VNC on all our internal machines for support-related issues. So,
I
checked him out.
2. I used VNC to view his screen and take screen shots of him chatting
via
mIRC for nearly an hour.
3. After this, we let him go and immediately blocked outbound
connections on
all ports > 1023. However, we left the machine on. Then I started
noticing
blocked connections on port 6667 from that machine. Blocked attempts
looked
like this:
denied tcp x.x.x.2(1068) -> 130.243.43.71(6667)
denied tcp x.x.x.2(1040) -> 151.189.12.20(6667)
denied tcp x.x.x.2(1376) -> 194.75.152.237(6667)
denied tcp x.x.x.2(1029) -> 198.139.244.22(6667)
denied tcp x.x.x.2(1500) -> 198.63.2.192(6667)
denied tcp x.x.x.2(1336) -> 198.88.88.99(6667)
denied tcp x.x.x.2(1348) -> 199.232.159.166(6667)
denied tcp x.x.x.2(1046) -> 209.25.152.162(6667)
denied tcp x.x.x.2(1072) -> 209.254.98.88(6667)
denied tcp x.x.x.2(1049) -> 212.43.196.5(6667)
(Note: destination ip addresses were not attempted in this order, this
is a
sorted list of unique destination IPs...)
4. I VNC'ed over to it and saw NO applications running. Nothing in the
task
list at all.
5. So, I created bootable Norton Antivirus 5.0 disks with the latest
virus
defs (11/27/00) and went to that machine and scanned it. Nothing. So,
I
started MSINFO32.EXE to check loaded modules and found something called
kernel32.vxc was in memory but it had no version info. And it was in
\windows\system... I scanned it specifically again, NAV said not a
virus. It
was attrib-ed as HIDDEN/SYSTEM.
6. I copied it to a floppy to take to another machine for testing and
renamed
it BADGUY.EXE.
7. QuickView of the EXE showed very little other than that the EXE was
mangled
(packed) to prevent viewing like this.
8. So I checked backlogs of my bugtraq e-mails and found a few sites
with
reverse engineering tools. www.suddendischarge.com was most helpful.
9. I downloaded several tools from sudden discharge: 1) Universal File
Scanner
(fs11-27-00.zip), 2) Anti-Aspack 0.2 (unaspack02.zip), 3) DeDe 2.431
(dede2431full.zip), 4) PE Explorer 1.0 Beta (pex_b090.zip)
a. I used fs to determine the following:
file scanner by SMT
+---------------------------e:\ahoward\badguy1.exe----------------------
------+
¦extension: executable file
¦
+----------------------------MZ-EXE DOS
executable---------------------------+¦
¦¦sizes: header 28, relocs 0, empty 644, image 192, overlay 291488
bytes ¦¦
¦¦dos/exe DOS stub from Borland tlink32
¦¦
¦+----------------------------Portable
executable----------------------------¦¦
¦¦subsystem: Win32 GUI, cpu: i386
¦¦
¦¦linktime: Fri, 19.Jun.1992 at 17:22.17 (UTC 22:22.17)
¦¦
¦¦checksum: correct
¦¦
¦¦linker: Borland TLINK/TLINK32
¦¦
¦¦sizes: stub 64, header 960, image 291328, overlay 0
¦¦
¦¦pe/exe.packer ASPack 1.061b,1.07b (type
2)-------------------------unpacker¦¦
¦+----------------------------------------------------------------------
-----+¦
+-----------------------------------------------------------------------
------+
I thought one thing was odd about this...the linktime says
19.Jun.1992...so
was this program REALLY compiled in 1992? Not likely. I imagine a
little
hex-editing of the file and you can make the link date whatever you
want.
Or change the date on your system before linking.
b. Since I couldn't tell much more about the file without unASPack-ing
it,
I used unaspack to remove the packing and created badguy2.exe, then fs
showed
the following...
file scanner by SMT
+---------------------------e:\ahoward\badguy2.exe----------------------
------+
¦extension: executable file
¦
+----------------------------MZ-EXE DOS
executable---------------------------+¦
¦¦sizes: header 28, relocs 0, empty 644, image 192, overlay 622240
bytes ¦¦
¦¦dos/exe DOS stub from Borland tlink32
¦¦
¦+----------------------------Portable
executable----------------------------¦¦
¦¦subsystem: Win32 GUI, cpu: i386
¦¦
¦¦linktime: Fri, 19.Jun.1992 at 17:22.17 (UTC 22:22.17)
¦¦
¦¦checksum: correct
¦¦
¦¦linker: Borland TLINK/TLINK32
¦¦
¦¦sizes: stub 64, header 960, image 622080, overlay 0
¦¦
¦+----------------------------------------------------------------------
-----+¦
+-----------------------------------------------------------------------
------+
(No packing now)
c. I used DeDe to disassemble it and generate the attached form1.pas
file.
(Note: I removed the password as I see no need for it to be included...)
d. I generated a strings reference from the "source" DeDe creates in
strings.txt. From this we can tell the trojan will accept a number of
commands and take certain actions based on those commands.
e. I used PE Explorer to grab out a little more (saved as nmshow.pas)
Which shows they are using a component from NetMasters in this trojan...
Source files created by DeDe and PE Explorer are not all attached as I
keep
getting my message rejected for being over 3000 lines.
...but I think what's here explains well enough.
-Aaron
--
Aaron Howard, RHCE, CCNA, CNE, MCSE
ahoward () noerrors com, aphoward () gcfn org
PGP key available via key servers
Attachment:
form1.pas
Description:
* Possible String Reference to: 'éyøÿëë^[å]Ã' * Possible String Reference to: ' :' * Possible String Reference to: ' :' * Possible String Reference to: 'PC_END' * Possible String Reference to: '^[å]Ã' * Possible String Reference to: 'TROJAN_CLOSED :void' * Possible String Reference to: 'windows.dll' * Possible String Reference to: 'KeyHook_Start' * Possible String Reference to: '鬣øÿëè_^[å]Ã' * Possible String Reference to: '\Kernel32.vxc /nomsg' * Possible String Reference to: 'Kernel32' * Possible String Reference to: '#SquashCentre' * Possible String Reference to: 'v.1.6.' * Possible String Reference to: 'handle.ini' * Possible String Reference to: 'Handle' * Possible String Reference to: 'MainHandle' * Possible String Reference to: 'Ã@' * Possible String Reference to: 'software\microsoft\windows\currentversion\setup' * Possible String Reference to: 'sysdir' * Possible String Reference to: '\Windows.dll' * Possible String Reference to: 'click' * Possible String Reference to: '\Windows.dll' * Possible String Reference to: '49 33 x' * Possible String Reference to: '50 34 x' * Possible String Reference to: '51 163 x' * Possible String Reference to: '52 36 x' * Possible String Reference to: '53 37 x' * Possible String Reference to: '54 94 x' * Possible String Reference to: '55 38 x' * Possible String Reference to: '56 42 x' * Possible String Reference to: '57 40 x' * Possible String Reference to: '48 41 x' * Possible String Reference to: '188 44 60' * Possible String Reference to: '190 46 62' * Possible String Reference to: '191 47 63' * Possible String Reference to: '186 59 58' * Possible String Reference to: '192 39 64' * Possible String Reference to: '222 35 126' * Possible String Reference to: '219 91 123' * Possible String Reference to: '221 93 125' * Possible String Reference to: '189 45 95' * Possible String Reference to: '187 61 43' * Possible String Reference to: '223 96 172' * Possible String Reference to: 'Windows.dll' * Possible String Reference to: 'KeyHook_Start' * Possible String Reference to: '_^[å]Ã' * Possible String Reference to: 'é ½øÿë_^[å]Ã' * Possible String Reference to: 'REQUESTLOGIN' * Possible String Reference to: 'LOGON_GRANTED :Welcome to the millenium trojan. ' * Possible String Reference to: ' Awaiting commands.' * Possible String Reference to: 'LOGON_GRANTED :Welcome to the millenium trojan. ' * Possible String Reference to: ' Awaiting commands.' * Possible String Reference to: 'ICONS_HIDE' * Possible String Reference to: 'progman' * Possible String Reference to: 'SYSTEM_MESSAGE :Desktop icons hidden' * Possible String Reference to: 'ICONS_SHOW' * Possible String Reference to: 'progman' * Possible String Reference to: 'SYSTEM_MESSAGE :Desktop icons shown' * Possible String Reference to: 'SYSKEYS_OFF' * Possible String Reference to: 'SYSTEM_MESSAGE :System keys disabled' * Possible String Reference to: 'SYSKEYS_ON' * Possible String Reference to: 'SYSTEM_MESSAGE :System keys enabled' * Possible String Reference to: 'DESKTOP_LOCK' * Possible String Reference to: 'SYSTEM_MESSAGE :Desktop Locked' * Possible String Reference to: 'DESKTOP_UNLOCK' * Possible String Reference to: 'SYSTEM_MESSAGE :Desktop Unocked' * Possible String Reference to: 'DESKTOP_WALLPAPER' * Possible String Reference to: 'SYSTEM_MESSAGE :Wallpaper changed to "' * Possible String Reference to: 'PLUGINS_LIST' * Possible String Reference to: 'PLUGIN_NAME' * Possible String Reference to: 'PLUGIN_ADD' * Possible String Reference to: 'PLUGIN_ADDED :Plugin "' * Possible String Reference to: '" from "' * Possible String Reference to: '" has been added' * Possible String Reference to: 'PLUGIN_REMOVE' * Possible String Reference to: 'PLUGIN_REMOVED :Plugin "' * Possible String Reference to: '" has been removed' * Possible String Reference to: 'RELAY_ADDRESS' * Possible String Reference to: 'RELAY_PORT' * Possible String Reference to: 'RELAY_CONPORT' * Possible String Reference to: 'RELAY_START' * Possible String Reference to: 'RELAY_STOP' * Possible String Reference to: 'KEYS_DISABLE_ALL' * Possible String Reference to: 'KEY_MESSAGE :keyboard disabled' * Possible String Reference to: 'KEYS_ENABLE_ALL' * Possible String Reference to: 'KEY_MESSAGE :keyboard enabled' * Possible String Reference to: 'KEYS_DISABLE' * Possible String Reference to: 'KEY_MESSAGE :keys "' * Possible String Reference to: '" disabled' * Possible String Reference to: 'KEYS_ENABLE' * Possible String Reference to: 'KEY_MESSAGE :keys "' * Possible String Reference to: '" enabled' * Possible String Reference to: 'KEY_LISTEN_START' * Possible String Reference to: 'Windows.dll' * Possible String Reference to: 'KeyHook_Start' * Possible String Reference to: 'KEY_MESSAGE :Sending keystrokes' * Possible String Reference to: 'KEY_LISTEN_STOP' * Possible String Reference to: 'KEY_MESSAGE :Keystroke sending is now off' * Possible String Reference to: 'SYSTEM_SCREENSHOT' * Possible String Reference to: 'SCREENSHOT_INSIZE :' * Possible String Reference to: 'SCREENSHOT_INITIALIZE :764371' * Possible String Reference to: 'FILE_FILENAME' * Possible String Reference to: 'FILE_DSET' * Possible String Reference to: 'FILE_GET_ATTRIBUTES' * Possible String Reference to: 'FILE_ATTRIBUTE_ARCHIVE :1' * Possible String Reference to: 'FILE_ATTRIBUTE_ARCHIVE :0' * Possible String Reference to: 'FILE_ATTRIBUTE_COMPRESSED :1' * Possible String Reference to: 'FILE_ATTRIBUTE_COMPRESSED :0' * Possible String Reference to: 'FILE_ATTRIBUTE_DIRECTORY :1' * Possible String Reference to: 'FILE_ATTRIBUTE_DIRECTORY :0' * Possible String Reference to: 'FILE_ATTRIBUTE_HIDDEN :1' * Possible String Reference to: 'FILE_ATTRIBUTE_HIDDEN :0' * Possible String Reference to: 'FILE_ATTRIBUTE_NORMAL :1' * Possible String Reference to: 'FILE_ATTRIBUTE_NORMAL :0' * Possible String Reference to: 'FILE_ATTRIBUTE_OFFLINE :1' * Possible String Reference to: 'FILE_ATTRIBUTE_OFFLINE :0' * Possible String Reference to: 'FILE_ATTRIBUTE_READONLY :1' * Possible String Reference to: 'FILE_ATTRIBUTE_READONLY :0' * Possible String Reference to: 'FILE_ATTRIBUTE_SYSTEM :1' * Possible String Reference to: 'FILE_ATTRIBUTE_SYSTEM :0' * Possible String Reference to: 'FILE_ATTRIBUTE_TEMPORARY :1' * Possible String Reference to: 'FILE_ATTRIBUTE_TEMPORARY :0' * Possible String Reference to: 'SYSTEM_MONITOR_OFF' * Possible String Reference to: 'SHUTDOWN_MESSAGE :Monitor turned off' * Possible String Reference to: 'SYSTEM_MONITOR_ON' * Possible String Reference to: 'SHUTDOWN_MESSAGE :Monitor turned on' * Possible String Reference to: 'SYSTEM_RESTART' * Possible String Reference to: 'SHUTDOWN_MESSAGE :Restarting system' * Possible String Reference to: 'SYSTEM_SHUTDOWN' * Possible String Reference to: 'SHUTDOWN_MESSAGE :Shutting down system' * Possible String Reference to: 'SYSTEM_FORCE' * Possible String Reference to: 'SHUTDOWN_MESSAGE :Forcing down system' * Possible String Reference to: 'SYSTEM_POWEROFF' * Possible String Reference to: 'SHUTDOWN_MESSAGE :Powering down system' * Possible String Reference to: 'SYSTEM_LOGOFF' * Possible String Reference to: 'SHUTDOWN_MESSAGE :Logging off current user' * Possible String Reference to: 'DRIVE_SERIAL' * Possible String Reference to: 'DRIVE_NAME :Drive name of drive "' * Possible String Reference to: '" is "' * Possible String Reference to: 'DRIVE_SERIAL :Serial number of drive "' * Possible String Reference to: '" is "' * Possible String Reference to: 'DRIVE_OPEN' * Possible String Reference to: 'SYSTEM_MESSAGE :Drive "' * Possible String Reference to: '" has been opened' * Possible String Reference to: 'DRIVE_CLOSE' * Possible String Reference to: 'SYSTEM_MESSAGE :Drive "' * Possible String Reference to: '" has been closed' * Possible String Reference to: 'FILE_EXECUTE' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" was executed normally' * Possible String Reference to: 'FILE_EXECUTE_INVIS' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" was executed invisibly' * Possible String Reference to: 'FILE_EXECUTE_NONEXE' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" was opened' * Possible String Reference to: 'FILE_EXECUTE_NONEXE_INVIS' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" was opened invisibly' * Possible String Reference to: 'FILE_DELETE' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" was deleted' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" was not deleted' * Possible String Reference to: 'FILE_COPY_LOC1' * Possible String Reference to: 'FILE_COPY_LOC2' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" was copied to ' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" failed to copy to "' * Possible String Reference to: 'FILE_RENAME_NAME1' * Possible String Reference to: 'FILE_RENAME_NAME2' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" was renamed to "' * Possible String Reference to: 'FILE_MESSAGE :"' * Possible String Reference to: '" failed to rename to "' * Possible String Reference to: 'FTP_PORT' * Possible String Reference to: 'FTP_MAX' * Possible String Reference to: 'FTP_START' * Possible String Reference to: 'FTP_MESSAGE :FTP server started on port ' * Possible String Reference to: ' for ' * Possible String Reference to: ' connections' * Possible String Reference to: 'FTP_STOP' * Possible String Reference to: 'FTP_MESSAGE :FTP server stopped' * Possible String Reference to: 'ADMIN_SET_PASSWORD' * Possible String Reference to: 'SYSTEM_MESSAGE :Password set to "' * Possible String Reference to: 'ADMIN_GETOLDPASSWORD :void' * Possible String Reference to: 'ADMIN_CLEAR_PASSWORD' * Possible String Reference to: 'SYSTEM_MESSAGE :Password cleared' * Possible String Reference to: 'SYSTEM_MESSAGE :Password not cleared' * Possible String Reference to: 'ADMIN_OLDPASSWORD' * Possible String Reference to: 'SYSTEM_MESSAGE :Password changed to "' * Possible String Reference to: 'SYSTEM_MESSAGE :Password not changed' * Possible String Reference to: 'PROCESS_LIST_ALL' * Possible String Reference to: 'PROCESS_BEGINLIST :All Processes' * Possible String Reference to: 'PROCESS_LIST_VISIBLE' * Possible String Reference to: 'PROCESS_BEGINLIST :Visible Processes' * Possible String Reference to: 'PROCESS_LIST_INVISIBLE' * Possible String Reference to: 'PROCESS_BEGINLIST :Inisible Processes' * Possible String Reference to: 'PROCESS_MINIMIZE' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" was minimized' * Possible String Reference to: 'PROCESS_MAXIMIZE' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" was maximized' * Possible String Reference to: 'PROCESS_RESTORE' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" was restored' * Possible String Reference to: 'PROCESS_HIDE' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" was made invisible' * Possible String Reference to: 'PROCESS_SHOW' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" was made visible' * Possible String Reference to: 'PROCESS_LOCK' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" was locked' * Possible String Reference to: 'PROCESS_UNLOCK' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" was unlocked' * Possible String Reference to: 'PROCESS_CLOSE' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" was closed' * Possible String Reference to: 'PROCESS_DELETE' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" source file was deleted' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" source file failed to delete' * Possible String Reference to: 'PROCESS_GETFILENAME' * Possible String Reference to: 'PROCESS_MESSAGE :Filename of "' * Possible String Reference to: '" is "' * Possible String Reference to: '".' * Possible String Reference to: 'PROCESS_CAPTION' * Possible String Reference to: 'PROCESS_SET_CAPTION' * Possible String Reference to: 'PROCESS_MESSAGE :Caption of "' * Possible String Reference to: '" set to "' * Possible String Reference to: 'PROCESS_FRONT' * Possible String Reference to: 'PROCESS_MESSAGE :"' * Possible String Reference to: '" is now on top' * Possible String Reference to: 'MESSAGE_POPUP' * Possible String Reference to: 'Message' * Possible String Reference to: 'SYSTEM_MESSAGE :Popup message "' * Possible String Reference to: '" shown' * Possible String Reference to: 'MESSAGE_WARNING' * Possible String Reference to: 'Warning' * Possible String Reference to: 'SYSTEM_MESSAGE :Warning message "' * Possible String Reference to: '" shown' * Possible String Reference to: 'MESSAGE_ERROR' * Possible String Reference to: 'Error' * Possible String Reference to: 'SYSTEM_MESSAGE :Error message "' * Possible String Reference to: '" shown' * Possible String Reference to: 'MESSAGE_INFO' * Possible String Reference to: 'Info.' * Possible String Reference to: 'SYSTEM_MESSAGE :info message "' * Possible String Reference to: '" shown' * Possible String Reference to: '_^[å]Ã' * Possible String Reference to: 'éÑøÿëë[å]Ã' * Possible String Reference to: 'RELAY_MESSAGE_CONNECTED :Connected to ' * Possible String Reference to: ' on port ' * Possible String Reference to: '. Local port is ' * Possible String Reference to: '[å]Ã' * Possible String Reference to: 'é£øÿëð[Y]Ã' * Possible String Reference to: 'RELAY_MESSAGE_DISCONNECTED :Disconnected from ' * Possible String Reference to: '[Y]Ã' * Possible String Reference to: 'RELAY_MESSAGE :Client connected' * Possible String Reference to: 'éóøÿëë_^[YY]Ã' * Possible String Reference to: '*?311?*' * Possible String Reference to: '*?319?*' * Possible String Reference to: '*:' * Possible String Reference to: '*?318?*' * Possible String Reference to: 'Quit :Reload' * Possible String Reference to: '_^[YY]Ã' * Possible String Reference to: 'IRCEnableAuthSquasige' * Possible String Reference to: 'CMDLine' * Possible String Reference to: 'VERSION' * Possible String Reference to: 'PRIVMSG ' * Possible String Reference to: ' :' * Possible String Reference to: 'REMVPlugin' * Possible String Reference to: 'CLOSEProc' * Possible String Reference to: 'PluginHTTP' * Possible String Reference to: 'PING' * Possible String Reference to: 'ping -t -l ' * Possible String Reference to: 'CLOSE' * Possible String Reference to: 'QUIT :CLOSE' * Possible String Reference to: 'QUIT' * Possible String Reference to: 'QUIT :QUIT' * Possible String Reference to: 'REMOVE' * Possible String Reference to: 'QUIT :REMOVE' * Possible String Reference to: 'Kernel32' * Possible String Reference to: 'JOIN ' * Possible String Reference to: ' MainPass1234' * Possible String Reference to: 'MODE ' * Possible String Reference to: ' +stnk MainPass1234' * Possible String Reference to: 'MODE ' * Possible String Reference to: ' -o ' * Possible String Reference to: 'software\microsoft\windows\currentversion\setup' * Possible String Reference to: 'sysdir' * Possible String Reference to: '\Kernel32.vxc /nomsg' * Possible String Reference to: 'Kernel32' * Possible String Reference to: 'PING :irc.dal.net' * Possible String Reference to: 'WHOIS ' * Possible String Reference to: '^[å]Ã'
Attachment:
nmshow.pas
Description:
Current thread:
- Millennium Trojan Howard, Aaron (Dec 09)
- <Possible follow-ups>
- Re: Millennium Trojan Howard, Aaron (Dec 11)