Wednesday, 9 December 2015

Reversing Encrypted Callbacks of Trojan Dynamer

Recently, a DNS Changer malware is being spread in the wild. It is hosted on various websites as shown below:


This malware modifies the name server settings on the machine and then performs network callbacks to domains configured in the binary. The data is encrypted before it is sent over the network, using both HTTP HEAD and POST requests.

We will cover the following topics:

1. Name server modifications made to the operating system.
2. Encryption method used for network callbacks.
3. Data sent in the callbacks.
4. Domain name analysis.

Name Server modifications

As an example, I will consider the binary with MD5 hash e789b3ef034427bf09676f522512858f. This binary makes the following Windows Registry modifications to change the name server used by the operating system.


HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4C90BF29-49F1-4284-9837-2AC5F324A4B0}\DHCPNameServer: "199.203.131.151"
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4C90BF29-49F1-4284-9837-2AC5F324A4B0}\DHCPNameServer: "199.203.131.151"
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer: "199.203.131.151 82.163.143.181"

As we can see, two new name servers are added; the primary one is 199.203.131.151. After making the above registry modifications, the malware calls the DhcpNotifyConfigChange API so that the changes take effect.
This means that all DNS queries from the machine will be routed through the name servers configured above.
In the screenshot below, we can see the DNS queries performed by the malware after execution; they are sent to the resolver at IP address 199.203.131.151.

Encryption Method for Network Callbacks

Now, let us look at what data is exfiltrated from the machine and how it is encrypted.

Below are the different steps used by the binary for encrypting the data.

1. It generates a seed. The seed is generated using GetSystemTimeAsFileTime(). The seed generation routine is similar to what we observed in Nivdort malware.
2. It then decrypts a base key. This base key is later used along with the data to be encrypted.

The screenshot below shows the decryption routine and the corresponding encrypted key.

3. After the decryption is completed, we can see the 64-byte key.
4. Now, data is collected from the system. Information about the system, such as the OS version, admin rights and a timestamp, is gathered in JSON format as shown below:

{"dns_setter":{"activity_type":16,"args":{},"bits":{"file_type":2,"job_id":"8842746664399823806"},"build":128,"exception_id":0,"hardware_id":"5978409460789182924","is_admin":true,"major":1,"minor":0,"os_id":501,"register_date":"1449641943","register_dsrc":"1","service_pack":3,"source_id":"201","status": true,"user_time":1449661744,"version":16777344,"x64":false}}

5. Let us look at the encryption routine now. Below is the call to the encryption routine.

We can see that one of the parameters passed to the subroutine above is the 64-byte decrypted base key.

6. In the encryption routine, it first calculates a CRC32 checksum of the data to be encrypted. It then takes the seed calculated earlier and performs the following computations on it to derive a one-byte offset.

seed = (seed * 0x343fd) + 0x269ec3
t = (seed >> 10) & 0x3f
offset = (t + 0xf) & 0x3f


The final calculated value is used as an offset into the 64-byte base key. In this way, the first 28 bytes of the encrypted data are calculated.

After this, it uses the seed along with the data to be encrypted. When we return from this subroutine, we can see the encrypted data as shown below:

It then sends an HTTP HEAD request to the callback server, carrying the encrypted data.
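To make the offset derivation concrete, here is an added Python reimplementation of the steps above (example code, not the post's or the malware's own); an analyst can run it with a seed and 64-byte base key recovered from a sample to check which key bytes the routine selects. The identity key and zero seed are constructed, and stepping the generator once per output byte is an assumption the post does not state.

```python
import zlib

MASK32 = 0xFFFFFFFF  # the routine works on 32-bit values (assumption)


def next_seed(seed: int) -> int:
    """One step of the generator from the post: seed = seed*0x343fd + 0x269ec3."""
    return (seed * 0x343FD + 0x269EC3) & MASK32


def key_offset(seed: int) -> int:
    """Reduce the seed to a 6-bit index into the 64-byte base key:
    t = (seed >> 10) & 0x3f ; offset = (t + 0xf) & 0x3f."""
    t = (seed >> 10) & 0x3F
    return (t + 0xF) & 0x3F


def derive_prefix(seed: int, base_key: bytes, count: int = 28) -> tuple:
    """Select `count` bytes from the base key, one per generator step.
    Returns (selected_bytes, seed_after_last_step). The post only gives the
    per-step formulas; stepping once per output byte is our assumption."""
    if len(base_key) != 64:
        raise ValueError("base key must be exactly 64 bytes")
    out = bytearray()
    for _ in range(count):
        seed = next_seed(seed)
        out.append(base_key[key_offset(seed)])
    return bytes(out), seed


def payload_crc32(payload: bytes) -> int:
    """CRC32 the routine computes over the plaintext JSON before encrypting."""
    return zlib.crc32(payload) & MASK32


if __name__ == "__main__":
    # Constructed inputs: an identity key (key[i] == i) makes the chosen
    # offsets visible in the output. A real seed comes from the sample's
    # GetSystemTimeAsFileTime() call and the key from its decryption routine.
    demo_key = bytes(range(64))
    prefix, final_seed = derive_prefix(0, demo_key)
    print("key offsets used for the first 28 bytes:", list(prefix))
    print("generator state afterwards: 0x%08x" % final_seed)
    print("crc32 of a constructed payload: 0x%08x"
          % payload_crc32(b'{"dns_setter":{}}'))
```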


Domain Name Analysis

The domain names are present in plain text in the binary. Below are some of the domain names.


Below are the observations about the callback domains:

1. All the domains were registered after Oct 2015.
2. The name servers for these domains are from cloudflare.com.
3. All the domains are hosted on a dedicated server with IP address: 185.17.184.10.

This malware is interesting because of the way it encrypts the data before sending it to the callback server.
