Storm Worm && Botnet Analysis

本文详细解析了一种利用电子邮件和钓鱼网站传播的蠕虫,该蠕虫使用内核驱动隐藏自身并注入合法进程services.exe,绕过防火墙,创建后门。它包含SMTP引擎和P2P组件,用于垃圾邮件发送。蠕虫使用自定义打包器和加密保护自身,并应用多种Rootkit技术,使其难以检测和移除。作者通过动态和静态分析,揭示了其解包、解密、注入和Rootkit技术的细节,以及P2P僵尸网络的运作方式。
摘要由CSDN通过智能技术生成

Recently, a new Worm/Trojan has been very "popular" in our Net world. This worm uses email and various phishing Web sites to spread and infect computers. When the worm breaks into the system, it installs a kernel driver to protect itself. With the help of the driver, it then injects and runs malicious code from the legitimate process "services.exe". So, it can bypass firewalls easily and open a back door for the bad guys.

This worm contains an SMTP client engine and a peer-to-peer client component. Obviously, these components are prepared for spamming or mass-mailing purposes.

During my research, I found that this worm used various rootkit techniques to protect itself (such as hiding files, registers, ports, and the like), so it's not easily detected and removed. The worm also used a custom packer and encryption to protect itself. In the driver that the worm dropped, we learned that it employs a user-mode APC to inject malicious code (embedded) into the process named "services.exe".

In this paper, I will explain the worm from three aspects:

1. The interesting things that reside in its executable file (custom packer and encryption)

2. Rootkit techniques it uses

3. Peer-to-peer botnet & spamming

Okay, lets start our journey.

Overview

When this worm is running, it unpacks itself first, and then drops a malicious PE file that is embedded in the executable file. Then, it decrypts the malicious PE file into heap memory. When these steps are complete, the worm jumps to the heap memory (containing the malicious PE file) and executes the decrypted malicious code. This is the code that is responsible for the bad behavior.

Figure 1 is a high-level view of this worm's activities:

Figure 1. Overview of the worm

Next, I will explain how this worm accomplishes all of this, step by step.

Analysis sequence

The worm uses a custom packer and encryption to protect its binary file, so the first step it takes is to unpack and decrypt the embedded PE file.

In this section, I will demonstrate how to use OllyDbg and IDA Pro to analyze the worm.

Dynamic Analysis

First, I use OllyDbg to debug the worm and try to dump the unpacked file.

Stage 1 – Getting Start

Figure 2. Main Routine of the Worm

Notice that Figure 2 shows the main routine of the worm. It exports two functions: plr and wsx . The plr function is used to unpack worm-self, and wsx is the real entry point.

The plr function is passed to wsx as a parameter. This function implements the custom packer used by the worm.

Stage 2 – Unpack

Figure 3. Calling Unpack Routine – plr

After the execution path reaches the wsx function, the first thing it does is to unpack the data section, which contains the code that will be executed further.

Figure 4 shows the packed data section.

Figure 4. Packed Code

From Figure 4 we can see that this code does not have any actual functions and is used only to obscure its purpose.

The figure below shows the same data section after it has been unpacked:

Figure 5. Unpacked Code

Well, it looks very nice. At this moment, we can dump the memory to a file and do a static analysis (using IDA Pro or other tools). This is my favorite way, but we can continue debugging this worm by OllyDbg and watch what it does next.

In the next section, I will use the IDA Pro tool to continue exploring the worm.

Static Analysis

I am very grateful for IDA Pro, which is an amazing too

评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值