Malware analysis is not a new topic for security analysts, and all engineers are pretty aware of the process and procedures that need to be followed, which are neatly explained in other articles. I would like to showcase the process by citing an example of the Shylock Trojan.
The Shylock Trojan is banking malware that exhibits rootkit characteristics. It leaves very few artifacts on the filesystem and is completely memory resident. Shylock is engineered to collect financial information from its victims; this can include passwords for banking accounts, PIN codes, etc. This sensitive information is relayed back to the malware authors, and the malware makes use of several C&C servers to do so.
Shylock's main mode of attack is the Man-in-the-Browser (MitB) attack. In such attacks the malware waits in memory for the right moment and injects its payload into the web browser. Shylock targets Internet Explorer and Mozilla Firefox. From then on, whenever the user browses the web, the Trojan can inject malicious code into the user's traffic and also observe everything the user does on the web.
The malware has several additional features, such as a built-in VNC server to remotely control the victim's computer. It is spread through exploited web pages or through Skype. Shylock employs several evasive techniques to hide its presence on the system, making it very difficult to detect. It makes no visible filesystem changes and cannot easily be detected through conventional security measures such as anti-virus solutions, making an infection a very high-risk incident.
A sample of the Shylock Trojan is available at kernelmode.info, and I recommend that readers download it into a virtualised environment for analysis.
The first step in our analysis process is to make sure the malware we downloaded cannot spread to adjacent machines. The suspect file is then loaded into our custom Cuckoo Sandbox, which executes the malware, attempts to identify it and provides some basic information about it.
As shown in the above screenshots, the malware has been identified by Cuckoo as the Shylock/Caphaw Trojan.
After the automated analysis, static analysis begins. This is done in a virtual environment. Before executing the Trojan, we noticed some anomalies in the file. The file's description contains quotes from Shakespeare's play "The Merchant of Venice". The Trojan is named Shylock after the character in The Merchant of Venice, and because there are many references to Shylock within the code itself. The program is written in C++ and encrypted using a crypter tool.
The File description features quotes from Shakespeare’s “Merchant of Venice”
We then analyze the file's PE header with our tools; this gives us useful information such as the file creation time, the original filename, etc.
The PE header shows that the file was created on 11/11/2010
We also find that the malware uses a fake self-signed certificate to fool AV scanners and other security mechanisms. As the screenshot shows, the certificate is clearly fake and contains yet another reference to The Merchant of Venice.
The fake certificate features more quotes from the “Merchant of Venice”
We then begin our dynamic analysis by actually executing the file within our virtual malware lab. We run HBGary's Flypaper to prevent the malware from immediately injecting itself into memory.
Process Explorer shows the malware executing before it injects itself into memory
Once the file is executed, it immediately injects itself into several Windows processes, namely explorer.exe, iexplore.exe and firefox.exe if present. To analyze the memory of these processes, we first take a memory dump of the system and store it for further analysis with our memory analysis tool, Volatility.
Next, Wireshark is used to monitor any suspicious traffic leaving our malware lab; a packet capture is taken and analyzed. We noticed suspicious DNS traffic to several domains:
DNS traffic to suspicious domains generated by the Shylock Trojan
Using Volatility, our team first looked for artifacts in memory that indicate the presence of the Shylock Trojan, in this case mutexes. Shylock creates mutexes whose names begin with MTX followed by a random string of hexadecimal digits.
We continue our analysis with Volatility to look for injected code in the suspected processes, such as explorer.exe.
The malfind command dumps malicious code found in normal processes
The command output above shows that the explorer process contains an MZ header, i.e. another executable is running within its process space. The VAD tag VadS also signifies the presence of injected code in the process. We use Volatility to dump this executable.
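The two memory checks described above (MTX-prefixed mutex names, and private VadS regions that are writable, executable and start with an MZ header) can be expressed as simple triage logic. This is an added example, not code from the original article or from Volatility; the mutex names and region records below are constructed samples shaped like Volatility's mutantscan and malfind output, not real Shylock artifacts.

```python
import re
from dataclasses import dataclass

# Constructed mutex names, shaped like a mutantscan listing (not real output).
SAMPLE_MUTEXES = [
    "MTX1f3a9c0e4b7d21a6",      # Shylock-style: MTX followed by a hex run
    "MSCTF.Shared.MUTEX.ABC",   # ordinary Windows mutex
    "MTXnotreallyhex",          # MTX prefix but not hex digits
    "ZonesCounterMutex",
]

@dataclass
class Region:
    """One memory region as malfind reports it: owning process, VAD tag,
    page protection and the first bytes of the region (constructed sample)."""
    process: str
    pid: int
    start: int
    vad_tag: str
    protection: str
    head: bytes

SAMPLE_REGIONS = [
    # private RWX region in explorer.exe whose first bytes are a PE header
    Region("explorer.exe", 1204, 0x00E70000, "VadS", "PAGE_EXECUTE_READWRITE", b"MZ\x90\x00\x03\x00"),
    # private RWX region that holds no PE header (e.g. a JIT or heap page)
    Region("explorer.exe", 1204, 0x01A30000, "VadS", "PAGE_EXECUTE_READWRITE", b"\x00" * 6),
    # a normally mapped image: MZ header but a file-backed VAD and copy-on-write pages
    Region("svchost.exe", 880, 0x00400000, "Vad ", "PAGE_EXECUTE_WRITECOPY", b"MZ\x90\x00\x03\x00"),
]

# Shylock mutex pattern as described in the analysis: MTX + hexadecimal digits only.
SHYLOCK_MUTEX = re.compile(r"^MTX[0-9A-Fa-f]+$")

def shylock_mutexes(names):
    """Return the mutex names matching the MTX+hex pattern."""
    return [n for n in names if SHYLOCK_MUTEX.match(n)]

def injected_pe_regions(regions):
    """Flag private (VadS) read/write/execute regions that begin with an 'MZ' header,
    i.e. a whole executable living inside another process's address space."""
    hits = []
    for r in regions:
        private = r.vad_tag.strip() == "VadS"
        rwx = r.protection == "PAGE_EXECUTE_READWRITE"
        if private and rwx and r.head.startswith(b"MZ"):
            hits.append(f"{r.process}({r.pid}) @ {r.start:#010x}")
    return hits
```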
Studying the dumps in a hex editor, we notice some interesting things in the code. The dump is actually a DLL that contains information about hooking several Windows API calls and also about a VNC module.
Windows API hooks featured in dump
VNC module functionality and more Windows API hooks
This leads us to look for Windows API hooks in memory. We use Volatility's apihooks command to dump information about malicious hooks in memory.
Trampoline hook for the function HttpOpenRequestA in process iexplore.exe
The screenshots above show that the malware hooks several Windows API calls; for example HttpOpenRequestA, which is used to open HTTP requests to web servers, is hooked. This gives the malware the ability to inject malicious code into HTTP traffic.
Shylock hooks the InitiateSystemShutdownExW function to persist on the system even after a reboot: the malware is simply reloaded into memory after the system has been restarted.
Hook in the InitiateSystemShutdownExW function
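The trampoline hooks shown above are what apihooks detects: the first instruction at an exported function's entry point transfers control to an address outside the module that owns the function. The check below, an added example that is neither the article's nor Volatility's code, decodes the two common trampoline shapes (JMP rel32 and PUSH imm32 / RET) from constructed byte snapshots; the module load ranges and addresses are made-up sample values.

```python
import struct

# Hypothetical load ranges of the modules (constructed, not real addresses).
WININET_RANGE = (0x76F00000, 0x77000000)
ADVAPI_RANGE = (0x77B00000, 0x77C00000)

# Constructed snapshots of the first bytes at each function's entry point,
# keyed by (module, function, entry address, module range).
SNAPSHOTS = {
    # clean prologue: mov edi,edi / push ebp / mov ebp,esp
    ("wininet.dll", "InternetReadFile", 0x76F1B440, WININET_RANGE):
        bytes.fromhex("8bff558bec"),
    # JMP rel32 whose target lies in a private region outside wininet.dll
    ("wininet.dll", "HttpOpenRequestA", 0x76F1A230, WININET_RANGE):
        bytes.fromhex("e9") + struct.pack("<i", 0x00E70500 - (0x76F1A230 + 5)),
    # PUSH imm32 / RET trampoline to the same injected region
    ("advapi32.dll", "InitiateSystemShutdownExW", 0x77B21000, ADVAPI_RANGE):
        bytes.fromhex("68") + struct.pack("<I", 0x00E70800) + b"\xc3",
}

def trampoline_target(entry, code):
    """Return the address a trampoline at `entry` transfers to, or None if the
    bytes are not a JMP rel32 (E9 xx xx xx xx) or PUSH imm32 / RET (68 xx xx xx xx C3)."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (entry + 5 + rel) & 0xFFFFFFFF   # rel32 is relative to the next instruction
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None

def find_hooks(snapshots):
    """Report (module, function, target) for every entry point that jumps
    outside its own module, the same condition apihooks flags as an inline hook."""
    hooks = []
    for (module, func, entry, (lo, hi)), code in snapshots.items():
        target = trampoline_target(entry, code)
        if target is not None and not (lo <= target < hi):
            hooks.append((module, func, target))
    return sorted(hooks)
```

A jump whose target stays inside the module (a legitimate hot-patch stub or an intra-module thunk) is deliberately not reported, which is why the module range is part of the check.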
- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.
- Block all VNC traffic leaving your network, as the malware may attempt to remotely control the infected system.
- Ensure that your systems are up to date with the latest available patches, particularly Internet Explorer and the Firefox browser if present.
- Isolate the compromised system immediately if malware is found to be present.
Block traffic to the following domains on your perimeter devices, such as firewalls and IDS/IPS solutions:
- Use TDSSKiller, a tool developed by Kaspersky, to find and delete the Shylock rootkit.
- RootkitRevealer is a tool developed by Mark Russinovich to find and eradicate memory rootkits. It is part of the Sysinternals suite of tools.
- Norton Power Eraser can be used.
- GMER is another tool used specifically for removing rootkits.