Archive for June, 2010

Analysis of a backdoor trojan for Linux platform

June 5, 2010

For the past few days there has been a lot of debate about the idea of switching to a non-PE (non-Windows) platform following the “Aurora” incident.

Hence I thought it timely to look for some ELF binaries in the honeypot. The target is a very simple, reverser-friendly backdoor trojan, “Linux/Smalldoor.A”.

Dynamic Analysis:

I executed the sample in a Xubuntu 9.04 image under the strace utility.

Upon execution, the backdoor is kind enough to greet with the port details and a friendly message.

Starting the backdoor trojan

Knowing that the trojan listens on TCP port 1144, I opened a telnet session to interact with it.

Interacting with the binary

As expected, the backdoor prompts for a password before it accepts commands. The authentication is simple; we shall see how the password is retrieved, and the list of valid commands, in the static analysis part.

Static Analysis:

Static analysis was needed to recover the password and the commands accepted by the malware.

Using IDA Pro, I disassembled the sample and reduced the graph view to its basic flow. Here is the overview:

Overview of control flow

and here are the disassembly listings of the important functions.

Starting the backdoor listener:

starting_Backdoor_listing

Login module of the backdoor (password authentication):

Login module listing

and finally the core payload (a multi-process application):

core_payload

and here is the strace output (filtered to show only the interesting calls):

[b809b430] write(1, "Starting backdoor daemon...\n"..., 28) = 28
[b809b430] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[b809b430] setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [0], 4) = 0
[b809b430] bind(3, {sa_family=AF_INET, sin_port=htons(1144), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[b809b430] listen(3, 5)           = 0
[b809b430] getsockname(3, {sa_family=AF_INET, sin_port=htons(1144), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
[b809b430] write(1, "Listening to port 1144\n"..., 23) = 23
[b809b430] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f29708) =
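The trace above already tells a triager what matters: a PF_INET stream socket bound to 0.0.0.0:1144, a listen() call, and a clone() with SIGCHLD (a fork) once the listener is up. As an added example, not part of the original post, the following Python script parses those lines (copied inline so it runs offline; the truncated clone() line is kept truncated) and reconstructs that summary for any strace capture of a server-like sample. The regular expressions assume strace's default one-call-per-line format, with the optional instruction-pointer prefix in square brackets.

```python
import re

# The filtered strace lines from the post, embedded so the script runs offline.
STRACE = r"""
[b809b430] write(1, "Starting backdoor daemon...\n"..., 28) = 28
[b809b430] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[b809b430] setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [0], 4) = 0
[b809b430] bind(3, {sa_family=AF_INET, sin_port=htons(1144), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[b809b430] listen(3, 5)           = 0
[b809b430] getsockname(3, {sa_family=AF_INET, sin_port=htons(1144), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
[b809b430] write(1, "Listening to port 1144\n"..., 23) = 23
[b809b430] clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f29708) =
"""

# "[addr] name(args) = ret"; the "[addr]" prefix is optional because plain
# strace (without -i) omits it, and ret may be empty on a truncated line.
SYSCALL_RE = re.compile(r'^(?:\[[0-9a-f]+\]\s+)?(\w+)\((.*?)\)\s*=\s*(-?\w*)')
SOCKADDR_RE = re.compile(r'sin_port=htons\((\d+)\),\s*sin_addr=inet_addr\("([\d.]+)"\)')


def parse_strace(text):
    """Yield (syscall, argument string, return value) for each parsable line."""
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def summarize_listeners(text):
    """Follow each socket fd through socket/setsockopt/bind/listen and count
    fork-style calls made after the process starts listening (a server that
    handles clients in child processes, or a daemonization step)."""
    sockets = {}            # fd -> state of that socket
    listening = False
    forks_after_listen = 0
    for call, args, ret in parse_strace(text):
        first_arg = args.split(",")[0].strip()
        if call == "socket":
            sockets[ret] = {"family": first_arg, "addr": None, "port": None,
                            "reuseaddr": None, "listen": False}
        elif call == "setsockopt" and first_arg in sockets:
            fields = [a.strip() for a in args.split(",")]
            if fields[2] == "SO_REUSEADDR":
                sockets[first_arg]["reuseaddr"] = fields[3]
        elif call == "bind" and first_arg in sockets:
            m = SOCKADDR_RE.search(args)
            if m:
                sockets[first_arg]["addr"] = m.group(2)
                sockets[first_arg]["port"] = int(m.group(1))
        elif call == "listen" and first_arg in sockets:
            sockets[first_arg]["listen"] = True
            listening = True
        elif call in ("clone", "fork", "vfork") and listening:
            forks_after_listen += 1
    listeners = [dict(fd=fd, **s) for fd, s in sockets.items()
                 if s["listen"] and s["port"] is not None]
    return {"listeners": listeners, "forks_after_listen": forks_after_listen}


if __name__ == "__main__":
    summary = summarize_listeners(STRACE)
    for l in summary["listeners"]:
        print(f"fd {l['fd']}: {l['family']} listening on {l['addr']}:{l['port']} "
              f"(SO_REUSEADDR={l['reuseaddr']})")
    print("forks after listen:", summary["forks_after_listen"])
```

For a real run, capture with `strace -f -o trace.txt ./sample` (`-f` follows the forked children, so the handling of the accepted connection lands in the same file) and pass the file's contents to summarize_listeners().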

Such a binary could well pass as a clean remote-administration utility written for an organization's specific needs. However, if the trend continues, one can expect Linux malware with anti-debugging tricks and heavy obfuscation before long.

Feedback and suggestions are welcome.

Cheers 🙂


Malware analysis using IDA Pro graph reduction

June 3, 2010

Today I was analyzing a bunch of botnet samples to find similar code structures among them. This task made me think how great it would be to have a collaborative platform holding a collection of analyzed IDB files for malware.

The sample I was working on was an SDbot, and here is a sneak preview of the reduced IDA Pro graph of its primary functionality:

WinMain - reduced graph with Reverse Engineered information.

The malware first checks whether it is running inside an analysis environment. The technique is unsophisticated: a simple string comparison on the current username. Here is the graph of the “isRunningInsideAnalysisEnvironment?” routine:

processed graph of isRunningInsideAnalysisEnvironment

Also, as usual, the malware drops a copy of itself to “C:\Program Files\Common files\System\sdbot.exe”; if the sample is run from any other location, it spawns that dropped copy to carry out the network communication procedures.

Here is the graph of the decision-making module:

Spawn/Continue

Interestingly, the malware uses the absolute path of the running module (its own file name) as input when decrypting the obfuscated strings.
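To make the three behaviours described above concrete (the username check, the spawn-or-continue decision against the drop path, and string decryption keyed on the running module's path), here is an added Python model. It is not the sample's code: the drop path is the one quoted above, but the username list, the exact comparison, the "IRC" strings and the XOR cipher keyed on the module path are constructed assumptions. The cipher was chosen to show one consequence of keying decryption on the running path: the strings only come out right when the bot executes from the expected location, which fits the spawn-the-dropped-copy behaviour.

```python
# Hypothetical model of the SDbot logic reverse engineered above.
# DROP_PATH is the location quoted in the post; everything else is constructed.
DROP_PATH = r"C:\Program Files\Common files\System\sdbot.exe"   # from the post
ANALYSIS_USERNAMES = {"sandbox", "malware", "virus", "analyst"}    # constructed list

# Strings the bot needs at run time (constructed sample data). They are stored
# encrypted under the key derived from DROP_PATH, i.e. "at build time".
PLAIN_STRINGS = ["irc.example.invalid", "#botchan", "NICK sdbot"]


def is_running_inside_analysis_environment(username):
    """Plain string comparison on the user name, as the post describes.
    Weak by design: an analyst on a normally named account is not detected."""
    return username.lower() in ANALYSIS_USERNAMES


def decide_spawn_or_continue(module_path):
    """'continue' if we already run as the dropped copy, otherwise 'spawn'
    (copy self to DROP_PATH and execute that copy for the network work)."""
    same = module_path.lower() == DROP_PATH.lower()
    return "continue" if same else "spawn"


def xor_with_path(data, module_path):
    """Illustrative cipher (assumption, not the sample's): XOR with the
    running module's path as a repeating key."""
    key = module_path.encode("latin-1")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ENCRYPTED_STRINGS = [xor_with_path(s.encode("latin-1"), DROP_PATH)
                     for s in PLAIN_STRINGS]


def decrypt_strings(module_path):
    """Decrypt the embedded strings with whatever path we are running from.
    Only DROP_PATH reproduces PLAIN_STRINGS; any other path yields garbage."""
    return [xor_with_path(blob, module_path).decode("latin-1")
            for blob in ENCRYPTED_STRINGS]


def run(username, module_path):
    """Top-level flow as reconstructed from the graphs: environment check,
    then the spawn/continue decision, then string decryption for networking."""
    if is_running_inside_analysis_environment(username):
        return ("exit", [])
    if decide_spawn_or_continue(module_path) == "spawn":
        return ("spawn", [DROP_PATH])
    return ("network", decrypt_strings(module_path))


if __name__ == "__main__":
    print(run("sandbox", DROP_PATH))
    print(run("bob", r"C:\Users\bob\Desktop\sample.exe"))
    print(run("bob", DROP_PATH))
```

The practical lesson for a sandbox is the first branch: a string compare on the username is defeated by running the sample under an ordinary account name, and a string cipher keyed on the module path is defeated by letting the sample drop and re-launch itself (or by calling the decryption routine with the drop path supplied) rather than renaming it before execution.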

Here is the Network communication procedure graph:

Network Communication Graph

And if at any point in the future I need to get back to the analysis of SDbot, this IDB will be a nice resource to refresh my memory.