Binders and Malware (Part 3)
If you missed the previous parts in this article series please read:
If you would like to be notified of when Don Parker releases the next part in this article series please sign up to our WindowSecurity.com Real Time Article Update newsletter.
We left off in part two having finished configuring and building our bound piece of malware using the binder called YAB. We will now look at and execute the now bound malware. The perspective that we will take to begin with, is what this executed piece of malware looks like and behaves like once executed by an unsuspecting user. Now if you recall, we used the actual Pong.exe icon to represent our malware as this made the malicious program seem all that more legitimate.
We will monitor the actual installation of the malware itself via a couple of tools that I covered before. Namely, we will use Regmon and Filemon. With these two tools running in the background when we execute our malware we will be able to see what the malware itself does, and thereby verify that our bound malware works as expected. If you do not have these tools already installed on your computer please do so now. Once done, execute them and exclude all the background processes running. This will allow us to monitor only the new processes that will run once we execute the malware.
What does it look like?
Now as mentioned earlier let us take a look at this malware from the user's perspective. So let's go ahead and execute it. We shall assume for the purposes of this article series that the malware made its way to an end-user's mailbox undetected. Take a look at the screenshot below for what happened when I executed the malware program that had the Optix Pro trojan server bound to the Pong.exe program.
Well much as we had hoped the installation of the Pong.exe/malware is going off without a hitch, or warning for that matter, to the end-user. The remainder of the installation proceeds normally. What happened in the background though? Well for that we will consult the tools Regmon and Filemon that we had running in the background before executing the malware. Take a look at what Regmon saw in the screenshot below.
I have highlighted the part of Regmon output that shows it noting the process "optix_pro_server" installing itself on the computer. That is indeed what I called the Optix Pro server once I was finished configuring it to get it ready for binding. So far so good then. Let's now take a look at what Filemon saw during the execution of the malware.
We see that Filemon also noted that the "optix_pro_server" installed itself and made changes to the file system. Filemon also noted that the Pong.exe program (I called it Pong_malware.exe once bound with the trojan server), installed itself and made some filesytem changes. Great! The tools Regmon and Filemon did their job flawlessly and detected the program installation and the changes that they made to both the registry, and the file system. What about our actual Optix Pro trojan server though? Did it install itself successfully? Let's take a look at the screenshot below.
We see at the very top that there is a file called "msiexec16" which has a size of 809 KB. That would indeed be our Optix Pro trojan server. This "msiexec16" is the default name that the Optix Pro trojan server will go by unless you change it to something else when you are configuring it. So far so good. Now the burning question, is it actually running on the computer? Let's take a look at the screenshot below.
We see highlighted in the program ActivePorts (this tool will monitor all active TCP and UDP sockets on your computer, as well as map on your hard drive what program has opened the socket) that "msiexec16.exe" with a PID of 672 is indeed running. Huzzah! We have just seen the successful configuring, binding and execution of a piece of obfuscated malware. This is exactly how people with malicious intent would go about doing it. With this demonstration the point should sink home with your corporate end-users. Although the installation may seem innocent enough, there was a dangerous piece of malware installed seamlessly in the background. To sink the point home further though you could tell them that this Optix Pro trojan server could also log their keystrokes on the home computer. The very same one used for their online banking activities. Not good, not good at all. Via this malware their entire bank account could be emptied.
- We used the Optix Pro trojan server as our malware
- We then downloaded Pong.exe as our legitimate program
- Next we used YAB to bind the above two
It is very easy to understand many computer security concepts at a high level. This scenario is one such example. The importance of actually being able to recreate certain situations, such as this one, is that it will give you a far deeper understanding. You can then use that new found insight to convey simply and concisely the danger of it to your end-users. That is exactly why it is important to not only understand, but also to be able to do the same things are your adversaries are capable of doing. It is only by attacking that you truly learn how to defend.
Beneath the skin
We have finished covering how you would go about putting together a demonstration for your corporate end-users about the dangers of malware. Now is the time for us, as computer security professionals, to take our knowledge the next step. What we shall cover next is exactly what this malware looks like under the hood. That will encompass how to look at it safely, without executing it, and how to recognize certain byte level characteristics of Microsoft Windows executables. Malware, in spite of the fact that they are malware, still conform to certain criteria. In this case it observes the Portable Executable (PE) format.
In the last part of this article series we will look at the byte level, via a hex editor, at our malware and legitimate program. Then we will use that knowledge to learn how to recognize malware without the need to invoke it. We will also look at the UPX packing that the Optix Pro trojan server is capable of using. Further to that we shall also use the very same UPX program to unpack the UPX packed trojan server. Rounding that out we will use another program to dump the running trojan server process to see what it looks like memory. You would be quite right in thinking that the above noted is a lot of information to cover, but it is important to do so. There are a lot of excellent tools out there that can be used for malware analysis, and we shall cover several of them. Once we are done the above noted work you will find yourself able to approach malware with a new sense of confidence. Being a sys admin is tough enough, but to take your skills to the next level you need to increase your computer security skills as well.
If you missed the previous parts in this article series please read: