11:30 a.m.
I've put together a package for you, http://michael-lambert.us/Rocra_130115b.zip
In it is the memory image, 130115b.w32. Infection time is approx 1637 CST on 15 Jan.
svchost.exe PID is 464, parent is msmx21.exe PID 1404
Also included is the DOC file that drops and runs msmx21.exe which drops and runs
svchost.exe
Thanks for looking at it.
Is anyone else looking at Red October?
Mike
Date: Fri, 18 Jan 2013 07:45:25 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
I got the exe from your website, thanks. Do you happen to have the original malware
sample, or an md5 of the sample. There are a few things I'd like to check out that may
be easier if I had a full memory dump.
Thanks, talk to you soon.
MHL
On Thu, Jan 17, 2013 at 3:49 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
MHL,
I've tried sending twice, 2nd time passworded. Rejected both times. I've not seen
anything on the Vol-list either. May be a size problem.
----
Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com
Received-From-MTA: dns;SNT118-W46
Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800
Final-Recipient: rfc822;michael.hale(a)gmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on your message.
Please
552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to
552 5.7.0 review our attachment guidelines. m1si2744262obl.114
----
I have put it here. PW is Rocra
http://michael-lambert.us/Rocra_svchost-exe_464_exe-dump.zip
Let me know when you receive the .exe successfully.
Thanks,
Mike
From: postmaster(a)mail.hotmail.com
To: dragonforen(a)hotmail.com
Date: Thu, 17 Jan 2013 12:26:58 -0800
Subject: Delivery Status Notification (Failure)
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
michael.hale(a)gmail.com
--Forwarded Message Attachment--
From: dragonforen(a)hotmail.com
To: michael.hale(a)gmail.com
CC: vol-users(a)volatilityfoundation.org
Subject: RE: [Vol-users] IAT hook question
Date: Thu, 17 Jan 2013 14:26:31 -0600
First email was bounced by gmail. I've added a pw to the zip. PW is Rocra
Let me know when you have the .exe ok.
Thanks
Date: Thu, 17 Jan 2013 14:48:06 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Hmm sorry, I must be reading the GMER log incorrectly:
dragonforen(a)hotmail.com> wrote:
MHL,
Thank you very much. Attached is a ZIP. (Rocra is the short name) I used Volatility 2.1
C:\Python27\volatility-2.1>vol.py dlldump -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464 -D E:\Tests\130115b\Vol\dlldump >
E:\Tests\130115b\Vol\dlldump.txt
Volatile Systems Volatility Framework 2.1
C:\Python27\volatility-2.1>
Have a good day,
Mike
Date: Thu, 17 Jan 2013 12:47:54 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Mike, if you could use dlldump and extract kernel32.dll from pid 464 and send it to me,
I'll take a look. The necessary pages of the PE file may just not be memory resident.
MHL
On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
I am looking at a Red October infection. The malware is svchost PID 464, C:\Program
Files\Windows NT\svchost.exe
GMER tells me that the IAT is hooked. See attached.
I wanted to see this with Volatility per the apihooks documentation here
http://code.google.com/p/volatility/wiki/CommandReferenceMal22
"As of Volatility 2.1, apihooks also detects hooked winsock procedure tables,
includes an easier to read output format, supports multiple hop disassembly, and can
optionally scan quicker through memory by ignoring non-critical processes and DLLs.
Here is an example of detecting IAT hooks installed by Coreflood. The hooking module is
unknown because there is no module (DLL) associated with the memory in which the rootkit
code exists. If you want to extract the code containing the hooks, you have a few options:
"
I tried apihooks in Volatility 2.1 and 2.2, below is the result
C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464 apihooks
Volatile Systems Volatility Framework 2.1
C:\Python27\volatility-2.1>
-------------------------
C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464
Volatile Systems Volatility Framework 2.2
C:\Python27\volatility-2.2>
=========================
My question is, "what am I doing wrong?" It is probably something simple.
Thanks for the help,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
7:15 p.m.
New subject: IAT hook question
Ah I se what's happening, its a pretty reasonable explanation. There's no
issue with Volatility's apihooks, rather you're being misled by GMER on the
live system.
So first let's go back to your log file. It says there are about 60 hooked
functions across two DLLs (kernel32 and user32) in the svchost.exe process.
Here are the first three:
IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program
Files\Windows NT\svchost.exe [KERNEL32.dll!CreateThread]
0274EC81
IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program
Files\Windows NT\svchost.exe [KERNEL32.dll!ExitProcess]
08A10000
IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program
Files\Windows NT\svchost.exe [KERNEL32.dll!ExitThread]
330041B3
As I mentioned before, the first strange thing is the value in the far
right which GMER just calls "Value" - with no indication of what value
its supposed to be. I went back and installed Coreflood on a system (a
malware we know really uses IAT hooks) and looked at the GMER output:
IAT C:\Program Files\Internet Explorer\iexplore.exe[3072] @
C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA]
7FF82A50
IAT C:\Program Files\Internet Explorer\iexplore.exe[3072] @
C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress]
7FF82360
IAT C:\Program Files\Internet Explorer\iexplore.exe[3072] @
C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!CreateFileA]
7FF821E0
So "Value" is the address of the hook - where the rootkit code exists.
In your Red October log file, its showing several values in kernel
address ranges like CC335B5E and E8575300. Its impossible for a
usermode module's IAT to put in kernel space, so that suggests GMER is
looking at the wrong data.
Why is GMER looking at the wrong data? Many tools like LordPE and
Import Reconstructor, when they perform dumping/rebuilding tasks, they
read the PE header from the file on disk (in this case C:\Program
Files\Windows NT\svchost.exe). The PE header tells the programs to
look at specific offsets to find the "Value" being read. Taking that
information from the file on disk is good, in the case that malware
erases its PE header from memory. However, its bad if the malware is
packed on disk and during the unpacking process it alters its PE
header, including the sections, imports, exports, etc. This changes
the data at those offsets that the file on disk says. So GMER is
really reading some random values in the body of the unpacked process.
So LordPE and ImpRec have a configuration option to disable the *default*
behavior of reading PE headers from disk instead of memory. However, GMER
does not - it always reads from disk. Also you can tell from ldrmodules
output that this is a case of "Process Hollowing" malware - it not only
replaces the PE header of the original svchost.exe in memory during the
unpacking process, but the entire body of the executable is replaced.
Anyway, hope that makes sense.
MHL
On Fri, Jan 18, 2013 at 11:30 AM, Mike Lambert <dragonforen(a)hotmail.com>wrote:
I've put together a package for you,
http://michael-lambert.us/
Rocra_130115b.zip
In it is the memory image, 130115b.w32. Infection time is approx 1637 CST
on 15 Jan. svchost.exe PID is 464, parent is msmx21.exe PID 1404
Also included is the DOC file that drops and runs msmx21.exe which drops
and runs svchost.exe
Thanks for looking at it.
Is anyone else looking at Red October?
Mike
------------------------------
Date: Fri, 18 Jan 2013 07:45:25 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
I got the exe from your website, thanks. Do you happen to have the
original malware sample, or an md5 of the sample. There are a few things
I'd like to check out that may be easier if I had a full memory dump.
Thanks, talk to you soon.
MHL
On Thu, Jan 17, 2013 at 3:49 PM, Mike Lambert <dragonforen(a)hotmail.com>wrote:
MHL,
I've tried sending twice, 2nd time passworded. Rejected both times. I've
not seen anything on the Vol-list either. May be a size problem.
----
Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com
Received-From-MTA: dns;SNT118-W46
Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800
Final-Recipient: rfc822;michael.hale(a)gmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment
on your message. Please
552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590to
552 5.7.0 review our attachment guidelines. m1si2744262obl.114
----
I have put it here. PW is Rocra
http://michael-lambert.us/Rocra_svchost-exe_464_exe-dump.zip
Let me know when you receive the .exe successfully.
Thanks,
Mike
From: postmaster(a)mail.hotmail.com
To: dragonforen(a)hotmail.com
Date: Thu, 17 Jan 2013 12:26:58 -0800
Subject: Delivery Status Notification (Failure)
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
michael.hale(a)gmail.com
--Forwarded Message Attachment--
From: dragonforen(a)hotmail.com
To: michael.hale(a)gmail.com
CC: vol-users(a)volatilityfoundation.org
Subject: RE: [Vol-users] IAT hook question
Date: Thu, 17 Jan 2013 14:26:31 -0600
First email was bounced by gmail. I've added a pw to the zip. PW is Rocra
Let me know when you have the .exe ok.
Thanks
------------------------------
Date: Thu, 17 Jan 2013 14:48:06 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Hmm sorry, I must be reading the GMER log incorrectly:
dragonforen(a)hotmail.com> wrote:
MHL,
Thank you very much. Attached is a ZIP. (Rocra is the short name) I used Volatility 2.1
C:\Python27\volatility-2.1>vol.py dlldump -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464 -D E:\Tests\130115b\Vol\dlldump >
E:\Tests\130115b\Vol\dlldump.txt
Volatile Systems Volatility Framework 2.1
C:\Python27\volatility-2.1>
Have a good day,
Mike
------------------------------
Date: Thu, 17 Jan 2013 12:47:54 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Mike, if you could use dlldump and extract kernel32.dll from pid 464 and send it to me,
I'll take a look. The necessary pages of the PE file may just not be memory resident.
MHL
On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
I am looking at a Red October infection. The malware is svchost PID 464, C:\Program
Files\Windows NT\svchost.exe
GMER tells me that the IAT is hooked. See attached.
I wanted to see this with Volatility per the apihooks documentation here
http://code.google.com/p/volatility/wiki/CommandReferenceMal22
"As of Volatility 2.1, apihooks also detects hooked winsock procedure tables,
includes an easier to read output format, supports multiple hop disassembly, and can
optionally scan quicker through memory by ignoring non-critical processes and DLLs.
Here is an example of detecting IAT hooks installed by Coreflood. The hooking module is
unknown because there is no module (DLL) associated with the memory in which the rootkit
code exists. If you want to extract the code containing the hooks, you have a few options:
"
I tried apihooks in Volatility 2.1 and 2.2, below is the result
C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464 apihooks
Volatile Systems Volatility Framework 2.1
C:\Python27\volatility-2.1>
-------------------------
C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464
Volatile Systems Volatility Framework 2.2
C:\Python27\volatility-2.2>
=========================
My question is, "what am I doing wrong?" It is probably something simple.
Thanks for the help,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
3:38 p.m.
New subject: IAT hook question
Thank you very much MHL!
I don't understand the ldrmodules evidence yet but I am working on it.
I thought I saw that PID 464 svchost.exe was started with C:\Program Files\Windows
NT\svchost.exe (per dlllist). In that case (there is a svchost.exe file in that folder and
persistance is added to ...NT\currentversion\winlogon\userinit), I thought it was just
executed rather than injection by hollowing.
Mike
Date: Sun, 20 Jan 2013 19:15:09 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Ah I se what's happening, its a pretty reasonable explanation. There's no issue
with Volatility's apihooks, rather you're being misled by GMER on the live system.
So first let's go back to your log file. It says there are about 60 hooked functions
across two DLLs (kernel32 and user32) in the svchost.exe process. Here are the first
three:
IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows
NT\svchost.exe [KERNEL32.dll!CreateThread] 0274EC81
IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows
NT\svchost.exe [KERNEL32.dll!ExitProcess] 08A10000
IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows
NT\svchost.exe [KERNEL32.dll!ExitThread] 330041B3As I
mentioned before, the first strange thing is the value in the far right which GMER just
calls "Value" - with no indication of what value its supposed to be. I went back
and installed Coreflood on a system (a malware we know really uses IAT hooks) and looked
at the GMER output:IAT C:\Program Files\Internet Explorer\iexplore.exe[3072] @
C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] 7FF82A50
IAT C:\Program Files\Internet Explorer\iexplore.exe[3072] @ C:\WINDOWS\system32\PSAPI.DLL
[KERNEL32.dll!GetProcAddress] 7FF82360
IAT C:\Program Files\Internet Explorer\iexplore.exe[3072] @ C:\WINDOWS\system32\PSAPI.DLL
[KERNEL32.dll!CreateFileA] 7FF821E0
So "Value" is the address of the hook - where the rootkit code exists. In your
Red October log file, its showing several values in kernel address ranges like CC335B5E
and E8575300. Its impossible for a usermode module's IAT to put in kernel space, so
that suggests GMER is looking at the wrong data. Why is GMER looking at the wrong data?
Many tools like LordPE and Import Reconstructor, when they perform dumping/rebuilding
tasks, they read the PE header from the file on disk (in this case C:\Program
Files\Windows NT\svchost.exe). The PE header tells the programs to look at specific
offsets to find the "Value" being read. Taking that information from the file on
disk is good, in the case that malware erases its PE header from memory. However, its bad
if the malware is packed on disk and during the unpacking process it alters its PE header,
including the sections, imports, exports, etc. This changes the data at those offsets that
the file on disk says. So GMER is really reading some random values in the body of the
unpacked process.
So LordPE and ImpRec have a configuration option to disable the *default* behavior of
reading PE headers from disk instead of memory. However, GMER does not - it always reads
from disk. Also you can tell from ldrmodules output that this is a case of "Process
Hollowing" malware - it not only replaces the PE header of the original svchost.exe
in memory during the unpacking process, but the entire body of the executable is
replaced.
Anyway, hope that makes sense.
MHL
On Fri, Jan 18, 2013 at 11:30 AM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
I've put together a package for you, http://michael-lambert.us/Rocra_130115b.zip
In it is the memory image, 130115b.w32. Infection time is approx 1637 CST on 15 Jan.
svchost.exe PID is 464, parent is msmx21.exe PID 1404
Also included is the DOC file that drops and runs msmx21.exe which drops and runs
svchost.exe
Thanks for looking at it.
Is anyone else looking at Red October?
Mike
Date: Fri, 18 Jan 2013 07:45:25 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
I got the exe from your website, thanks. Do you happen to have the original malware
sample, or an md5 of the sample. There are a few things I'd like to check out that may
be easier if I had a full memory dump.
Thanks, talk to you soon.
MHL
On Thu, Jan 17, 2013 at 3:49 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
MHL,
I've tried sending twice, 2nd time passworded. Rejected both times. I've not seen
anything on the Vol-list either. May be a size problem.
----
Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com
Received-From-MTA: dns;SNT118-W46
Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800
Final-Recipient: rfc822;michael.hale(a)gmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on your message.
Please
552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to
552 5.7.0 review our attachment guidelines. m1si2744262obl.114
----
I have put it here. PW is Rocra
http://michael-lambert.us/Rocra_svchost-exe_464_exe-dump.zip
Let me know when you receive the .exe successfully.
Thanks,
Mike
From: postmaster(a)mail.hotmail.com
To: dragonforen(a)hotmail.com
Date: Thu, 17 Jan 2013 12:26:58 -0800
Subject: Delivery Status Notification (Failure)
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
michael.hale(a)gmail.com
--Forwarded Message Attachment--
From: dragonforen(a)hotmail.com
To: michael.hale(a)gmail.com
CC: vol-users(a)volatilityfoundation.org
Subject: RE: [Vol-users] IAT hook question
Date: Thu, 17 Jan 2013 14:26:31 -0600
First email was bounced by gmail. I've added a pw to the zip. PW is Rocra
Let me know when you have the .exe ok.
Thanks
Date: Thu, 17 Jan 2013 14:48:06 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Hmm sorry, I must be reading the GMER log incorrectly:
dragonforen(a)hotmail.com> wrote:
MHL,
Thank you very much. Attached is a ZIP. (Rocra is the short name) I used Volatility 2.1
C:\Python27\volatility-2.1>vol.py dlldump -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464 -D E:\Tests\130115b\Vol\dlldump >
E:\Tests\130115b\Vol\dlldump.txt
Volatile Systems Volatility Framework 2.1
C:\Python27\volatility-2.1>
Have a good day,
Mike
Date: Thu, 17 Jan 2013 12:47:54 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Mike, if you could use dlldump and extract kernel32.dll from pid 464 and send it to me,
I'll take a look. The necessary pages of the PE file may just not be memory resident.
MHL
On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
I am looking at a Red October infection. The malware is svchost PID 464, C:\Program
Files\Windows NT\svchost.exe
GMER tells me that the IAT is hooked. See attached.
I wanted to see this with Volatility per the apihooks documentation here
http://code.google.com/p/volatility/wiki/CommandReferenceMal22
"As of Volatility 2.1, apihooks also detects hooked winsock procedure tables,
includes an easier to read output format, supports multiple hop disassembly, and can
optionally scan quicker through memory by ignoring non-critical processes and DLLs.
Here is an example of detecting IAT hooks installed by Coreflood. The hooking module is
unknown because there is no module (DLL) associated with the memory in which the rootkit
code exists. If you want to extract the code containing the hooks, you have a few options:
"
I tried apihooks in Volatility 2.1 and 2.2, below is the result
C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464 apihooks
Volatile Systems Volatility Framework 2.1
C:\Python27\volatility-2.1>
-------------------------
C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464
Volatile Systems Volatility Framework 2.2
C:\Python27\volatility-2.2>
=========================
My question is, "what am I doing wrong?" It is probably something simple.
Thanks for the help,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
3:43 p.m.
New subject: IAT hook question
Yes, that's the purpose of hollowing - to execute a process from a path on
disk, then replace what's in memory with something else (either with the
contents of another file or an unpacked copy of the initial file).
By the way, we cover all this in the training course.
On Mon, Jan 21, 2013 at 3:38 PM, Mike Lambert <dragonforen(a)hotmail.com>wrote:
Thank you very much MHL!
I don't understand the ldrmodules evidence yet but I am working on it.
I thought I saw that PID 464 svchost.exe was started with C:\Program
Files\Windows NT\svchost.exe (per dlllist). In that case (there is a
svchost.exe file in that folder and persistance is added to
...NT\currentversion\winlogon\userinit), I thought it was just executed
rather than injection by hollowing.
Mike
------------------------------
Date: Sun, 20 Jan 2013 19:15:09 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Ah I se what's happening, its a pretty reasonable explanation. There's no
issue with Volatility's apihooks, rather you're being misled by GMER on the
live system.
So first let's go back to your log file. It says there are about 60 hooked
functions across two DLLs (kernel32 and user32) in the svchost.exe process.
Here are the first three:
IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows
NT\svchost.exe [KERNEL32.dll!CreateThread] 0274EC81
IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows
NT\svchost.exe [KERNEL32.dll!ExitProcess] 08A10000
IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows
NT\svchost.exe [KERNEL32.dll!ExitThread] 330041B3
As I mentioned before, the first strange thing is the value in the far right which GMER
just calls "Value" - with no indication of what value its supposed to be. I went
back and installed Coreflood on a system (a malware we know really uses IAT hooks) and
looked at the GMER output:
IAT C:\Program Files\Internet Explorer\iexplore.exe[3072] @
C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] 7FF82A50
IAT C:\Program Files\Internet Explorer\iexplore.exe[3072] @
C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] 7FF82360
IAT C:\Program Files\Internet Explorer\iexplore.exe[3072] @
C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!CreateFileA] 7FF821E0
So "Value" is the address of the hook - where the rootkit code exists. In your
Red October log file, its showing several values in kernel address ranges like CC335B5E
and E8575300. Its impossible for a usermode module's IAT to put in kernel space, so
that suggests GMER is looking at the wrong data.
Why is GMER looking at the wrong data? Many tools like LordPE and Import Reconstructor,
when they perform dumping/rebuilding tasks, they read the PE header from the file on disk
(in this case C:\Program Files\Windows NT\svchost.exe). The PE header tells the programs
to look at specific offsets to find the "Value" being read. Taking that
information from the file on disk is good, in the case that malware erases its PE header
from memory. However, its bad if the malware is packed on disk and during the unpacking
process it alters its PE header, including the sections, imports, exports, etc. This
changes the data at those offsets that the file on disk says. So GMER is really reading
some random values in the body of the unpacked process.
So LordPE and ImpRec have a configuration option to disable the *default*
behavior of reading PE headers from disk instead of memory. However, GMER
does not - it always reads from disk. Also you can tell from ldrmodules
output that this is a case of "Process Hollowing" malware - it not only
replaces the PE header of the original svchost.exe in memory during the
unpacking process, but the entire body of the executable is replaced.
Anyway, hope that makes sense.
MHL
On Fri, Jan 18, 2013 at 11:30 AM, Mike Lambert <dragonforen(a)hotmail.com>wrote:
I've put together a package for you, http://michael-lambert.us/
Rocra_130115b.zip
In it is the memory image, 130115b.w32. Infection time is approx 1637 CST
on 15 Jan. svchost.exe PID is 464, parent is msmx21.exe PID 1404
Also included is the DOC file that drops and runs msmx21.exe which drops
and runs svchost.exe
Thanks for looking at it.
Is anyone else looking at Red October?
Mike
------------------------------
Date: Fri, 18 Jan 2013 07:45:25 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
I got the exe from your website, thanks. Do you happen to have the
original malware sample, or an md5 of the sample. There are a few things
I'd like to check out that may be easier if I had a full memory dump.
Thanks, talk to you soon.
MHL
On Thu, Jan 17, 2013 at 3:49 PM, Mike Lambert <dragonforen(a)hotmail.com>wrote:
MHL,
I've tried sending twice, 2nd time passworded. Rejected both times. I've
not seen anything on the Vol-list either. May be a size problem.
----
Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com
Received-From-MTA: dns;SNT118-W46
Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800
Final-Recipient: rfc822;michael.hale(a)gmail.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment
on your message. Please
552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590to
552 5.7.0 review our attachment guidelines. m1si2744262obl.114
----
I have put it here. PW is Rocra
http://michael-lambert.us/Rocra_svchost-exe_464_exe-dump.zip
Let me know when you receive the .exe successfully.
Thanks,
Mike
From: postmaster(a)mail.hotmail.com
To: dragonforen(a)hotmail.com
Date: Thu, 17 Jan 2013 12:26:58 -0800
Subject: Delivery Status Notification (Failure)
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
michael.hale(a)gmail.com
--Forwarded Message Attachment--
From: dragonforen(a)hotmail.com
To: michael.hale(a)gmail.com
CC: vol-users(a)volatilityfoundation.org
Subject: RE: [Vol-users] IAT hook question
Date: Thu, 17 Jan 2013 14:26:31 -0600
First email was bounced by gmail. I've added a pw to the zip. PW is Rocra
Let me know when you have the .exe ok.
Thanks
------------------------------
Date: Thu, 17 Jan 2013 14:48:06 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Hmm sorry, I must be reading the GMER log incorrectly:
dragonforen(a)hotmail.com> wrote:
MHL,
Thank you very much. Attached is a ZIP. (Rocra is the short name) I used Volatility 2.1
C:\Python27\volatility-2.1>vol.py dlldump -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464 -D E:\Tests\130115b\Vol\dlldump >
E:\Tests\130115b\Vol\dlldump.txt
Volatile Systems Volatility Framework 2.1
C:\Python27\volatility-2.1>
Have a good day,
Mike
------------------------------
Date: Thu, 17 Jan 2013 12:47:54 -0500
Subject: Re: [Vol-users] IAT hook question
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Mike, if you could use dlldump and extract kernel32.dll from pid 464 and send it to me,
I'll take a look. The necessary pages of the PE file may just not be memory resident.
MHL
On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
I am looking at a Red October infection. The malware is svchost PID 464, C:\Program
Files\Windows NT\svchost.exe
GMER tells me that the IAT is hooked. See attached.
I wanted to see this with Volatility per the apihooks documentation here
http://code.google.com/p/volatility/wiki/CommandReferenceMal22
"As of Volatility 2.1, apihooks also detects hooked winsock procedure tables,
includes an easier to read output format, supports multiple hop disassembly, and can
optionally scan quicker through memory by ignoring non-critical processes and DLLs.
Here is an example of detecting IAT hooks installed by Coreflood. The hooking module is
unknown because there is no module (DLL) associated with the memory in which the rootkit
code exists. If you want to extract the code containing the hooks, you have a few options:
"
I tried apihooks in Volatility 2.1 and 2.2, below is the result
C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464 apihooks
Volatile Systems Volatility Framework 2.1
C:\Python27\volatility-2.1>
-------------------------
C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32
--profile=WinXPSP3x86 -p 464
Volatile Systems Volatility Framework 2.2
C:\Python27\volatility-2.2>
=========================
My question is, "what am I doing wrong?" It is probably something simple.
Thanks for the help,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4315
days inactive
4318
days old
vol-users@lists.volatilityfoundation.org
3 comments
2 participants
participants (2)
-
Michael Hale Ligh -
Mike Lambert