Saturday, October 5, 2013

Zodiac v0.10, Part II: Attribution

So who are these guys?

There's a lot of bits of info to do google searches on.  In the binary are these strings:

.rdata:0040C2F8 0000001F C rolotech-electronics.comuf.com
.rdata:0040C317 0000001A C speedtest1.hivelocity.net
.rdata:0040C331 0000000D C 68.11.12.242
Google searches on those domains and that IP turn up lots of malware results, all of which show almost the exact same symptoms (or "IOCs" as infosec likes to call them).  Normally, when malware is sold or traded heavily in the underground, the symptoms when that malware gets used will differ across multiple infections.  The fact that the samples are pretty homogenous seem to hint that this malware is used by one group exclusively.

Googling the deciphered hostname fkn.ddos.cat brings up this post from the excellent guys at exposedbotnets detailing what they saw on the IRC server when they ran the bot.  That's neat too because two of the names (Sabu and tflow) are old handles from some of the infamous lulzsec guys.  But it's not actually them; all of lulzsec has been busted up and in jail for a while now.

This is the part that I really liked though.  This string is found in the binary:
.rdata:0040B6C4 00000044 C PRIVMSG %s :(Version): Zodiac v0.10 (HIGHLY PRIV10) Windows version
Googling that string brings up this reddit post linking to Joe's Security Blog, where he did some very good analysis on an almost exact same sample.

But it also brought up this very interesting pastebin showing a log of some hackers hanging out in an IRC.  Now, there's a lot there, but the most interesting bits are this:
09[16:22] * Topic is ' 4,1H 9T 8P 0\ 8 No power since 2011 (damn it, Acidstorm) 0\ 9Mumble up: core.hack-the-planet.tv 64738 : niggers5 0\ 4 /htp/HTP-5.txt underway (ASCII, content) 0\ 8straylig.ht now mirroring releases 0\ 13 http://i.imgur.com/9z0MGOV.png '
this:
[18:03] <&XiX> hey nachash dont forget to make HTP-5.txt editable by htp bro
and this:

[02:17] <&Goku> 23:16 >>>> zwin-LUMPVJ|60 (zwin-@hack-BB3B7A6D.mullvad.net) has joined #shiro
[02:17] <&Goku> 23:16 <Shiro> .zwin* version
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Version): Zodiac v0.10 (HIGHLY PRIV10) Windows version
[02:17] <&Goku> 23:16 <Shiro> .zwin* help
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): Build type: Windows (Feb 19 2013, 22:59:38)
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): COMMAND   DESCRIPTION
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): quit  Make the bot quit
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): help  Print this menu
[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): version  Print the version of the bot
[02:17] <&Goku> wont get much larger then that as well
[02:17] <&Goku> 33kb base
[02:17] <&Goku> i am
[02:17] <&Goku> god sent coder
So I'm pretty sure these are the guys that created this botnet code, because of that version string.

And, I'm pretty sure these are the guys that released the HTP zines (Hack the Planet).  Now that's kind of a big deal.  Here's the HTP-5 issue.  Have a read, it's pretty good (also note that they mention "one of our botnets, Zodiac" right in the zine).  They breached MIT, Securi, and the freakin' NIST-NVD.  But the craziest part is that they were behind the Linode breach.  That one is intense because Linode is a pretty big service provider, and in HTP's words:
Meanwhile, we enjoyed our (root) access to Nmap, Nagios, SQLite, OSTicket, Phusion Passenger (modrails), Mono Project, Prey Project, Pastie, Sucuri, Hak5, Pwnie Express, Puppet, and oauth.
They were in a position to backdoor nmap.  And yes, hacklogs can be faked, but all of these hacks have been verified.  That's a sobering thought.

Anyway, I thought it was cool that the malware I decided to really cut my teeth on was from the HTP guys.  I'm still nowhere near done with it and will post updates as I make my way through the code.

Fun times.



Zodiac v0.10, Part I: First Look

So I've made some progress on this analysis.

First off, this string was found in the sample:

.rdata:0040B05C 000000D4 C DEAR WHITEHATS: This bot isn't protected because I'm lazy and you're not going to do anything anyway, not because I'm inept. Although I have added a dirty cipher to please you. Come chat with us, we're friendly.

I believe I found the dirty cipher here:



It's kind of a Caesar Cipher: given a byte of ciphertext, if it is between 0x2E and 0x4F it will add 0x30, and if it is between 0x50 and 0x7E it will subtract 0x30.

This deciphering routine is used by the following functions (labelled by me):


And used on strings that are all collected together in a data segment.  I went ahead and deciphered what was there and changed the labels:


The deciphered label "ev1l1lod1ld0s" is used to create a mutex, so that only one copy of the bot is running on a host at a time:



The deciphered label "Windongs" is used to create a registry key at HKLM\software\microsoft\windows\currentversion\run for persistence:



And I am now starting to get into the code that connects to the command server at fkn.ddos.cat.  I'll post more on that part of the code once I've slogged through it, but I also wanted to get into another fun part of the investigation: attribution.



Tuesday, September 17, 2013

How do you eat an elephant?

One bite at a time.

I need to step up my Reverse Engineering game so I'm going to try a full coverage analysis of a malware sample a friend of mine sent me.  He actually sent me a bunch of samples, and this is the runt of the litter.  It's also a little dated; the C2 for this sample is already dead and the domains show up on AV sites when googled.  However, this will still be good practice.

That said, 191 functions when opened in IDA.  103 of those are unnamed, so they're the target.  Hopin' to get through it all in (at most) a month.




Let's dance.