Somebody once said...

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Wednesday, April 14, 2010

Trojan Heloag Botnet

It looks like there is a new botnet on the horizon. Win32/Heloag is classified as a backdoor Trojan by many AV companies, but it appears to be a new kind of botnet that uses P2P to communicate with its peers and its bot master. It has been out there for a while now.

A recent post by Arbor Networks analysing this bot prompted me to take a closer look at the malware. Either their report is missing something, or I have observed some additional activity that the bot performs! So here is some insight into the protocol the bot uses to communicate with its peers and with its bot master.

Once it has infected a machine, the malware copies itself, as usual, into the Windows system folder under a name such as “crse.exe” or “conme.exe”. Some initial variants of this malware use TCP port 1106 to communicate with their bot master or Command & Control (C&C) server, whereas the newer variants appear to use TCP port 8090.

The bot uses a clear-text payload whose first byte identifies the message, i.e. the activity the C&C server wants the bot to perform. During my analysis I observed the following messages:

0x01 – Initial Hello message (sent by Bot)

0x02 – Keep alive

0x03 – Peer information (sent by C&C)

0x04 – File download and execution (sent by C&C)

After infection, the bot contacts its C&C with the Hello message followed by its hostname, so the 32-byte payload looks something like this:

01 + Hostname + Null padding

As mentioned earlier, the older variants presumably still check in over TCP port 1106; when they do, they are upgraded to the latest version. The C&C uses the “04” command for this, which looks something like this:

04 + 2 bytes for the number of URLs + 64 bytes of payload info (one block per URL)

payload = 00 00 + URL to fetch and execute + null padding


The upgraded bot then switches to TCP port 8090 for its communication. Next, the C&C sends the bot a peer list for its P2P network using the “03” command, which looks something like this:

03 + 2 bytes for the number of peers + 64 bytes of peer information (one block per peer)

peer information = 00 00 + peer IP + null padding + peer port
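As an added example (my own code for this post, not the author's tool and not derived from the Arbor report), here is a Python encoder/decoder for the three message layouts above, plus a `classify()` helper you can run over payloads carved from streams to tcp/1106 and tcp/8090 in a capture. Details the post does not spell out are assumptions and are marked as such: the 2-byte record count is taken as little-endian, the peer IP as a dotted-decimal ASCII string, the peer port as a 16-bit network-order integer in the last two bytes of the 64-byte record, and the 0x02 keep-alive as having no described body beyond its type byte. The sample addresses and hostnames are constructed (TEST-NET ranges).

```python
"""Encoder/decoder for the Win32/Heloag C&C messages described in the post.
Added example; layout details the post does not give are ASSUMPTIONS (marked).
"""
import socket
import struct

HELLO, KEEPALIVE, PEERS, DOWNLOAD = 0x01, 0x02, 0x03, 0x04
HELLO_LEN = 32    # 0x01 + hostname + NUL padding
RECORD_LEN = 64   # one block per URL (0x04) or per peer (0x03)
COUNT_FMT = "<H"  # ASSUMPTION: 2-byte record count is little-endian
PORT_FMT = ">H"   # ASSUMPTION: peer port is 16-bit network order, last 2 bytes of the record


def build_hello(hostname):
    """Bot -> C&C: 01 + hostname + NUL padding to exactly 32 bytes."""
    body = hostname.encode("ascii")
    if len(body) > HELLO_LEN - 1:
        raise ValueError("hostname does not fit a 32-byte hello")
    return bytes([HELLO]) + body.ljust(HELLO_LEN - 1, b"\x00")


def parse_hello(msg):
    if len(msg) != HELLO_LEN or msg[0] != HELLO:
        raise ValueError("not a 32-byte hello")
    return msg[1:].rstrip(b"\x00").decode("ascii", "replace")


def _build_records(kind, bodies):
    """kind + 2-byte count + N x (00 00 + body + NUL padding), 64 bytes per record."""
    out = bytes([kind]) + struct.pack(COUNT_FMT, len(bodies))
    for body in bodies:
        if len(body) > RECORD_LEN - 2:
            raise ValueError("record body does not fit 64 bytes")
        out += b"\x00\x00" + body.ljust(RECORD_LEN - 2, b"\x00")
    return out


def _records(msg, kind):
    """Yield the 62 bytes after each record's 00 00 marker; strict about total length."""
    if len(msg) < 3 or msg[0] != kind:
        raise ValueError("wrong type byte or too short")
    (count,) = struct.unpack_from(COUNT_FMT, msg, 1)
    if len(msg) != 3 + count * RECORD_LEN:
        raise ValueError("length does not match record count")
    for i in range(count):
        rec = msg[3 + i * RECORD_LEN:3 + (i + 1) * RECORD_LEN]
        if rec[:2] != b"\x00\x00":
            raise ValueError("record missing 00 00 marker")
        yield rec[2:]


def build_download(urls):
    """C&C -> bot: 0x04 with one 64-byte block per URL to fetch and execute."""
    return _build_records(DOWNLOAD, [u.encode("ascii") for u in urls])


def parse_download(msg):
    return [r.rstrip(b"\x00").decode("ascii", "replace") for r in _records(msg, DOWNLOAD)]


def build_peers(peers):
    """C&C -> bot: 0x03 with 00 00 + dotted-quad IP + NUL padding + port per peer."""
    bodies = []
    for ip, port in peers:
        socket.inet_aton(ip)  # reject anything that is not a dotted quad
        bodies.append(ip.encode("ascii").ljust(RECORD_LEN - 4, b"\x00") + struct.pack(PORT_FMT, port))
    return _build_records(PEERS, bodies)


def parse_peers(msg):
    peers = []
    for r in _records(msg, PEERS):
        ip = r[:-2].rstrip(b"\x00").decode("ascii", "replace")
        socket.inet_aton(ip)
        peers.append((ip, struct.unpack(PORT_FMT, r[-2:])[0]))
    return peers


def classify(payload):
    """Label a carved TCP payload, or return None if it is not Heloag-shaped."""
    if not payload:
        return None
    try:
        if payload[0] == HELLO:
            return ("hello", parse_hello(payload))
        if payload[0] == PEERS:
            return ("peers", parse_peers(payload))
        if payload[0] == DOWNLOAD:
            return ("download", parse_download(payload))
        if payload[0] == KEEPALIVE:
            # the post gives no body layout for 0x02, so the type byte alone is weak evidence
            return ("keepalive", None)
    except (ValueError, OSError):
        return None
    return None


if __name__ == "__main__":
    # Constructed sample exchange (TEST-NET addresses, not real infrastructure).
    for msg in (build_hello("VICTIM-PC"),
                build_download(["http://203.0.113.9/update.exe"]),
                build_peers([("192.0.2.10", 7105), ("198.51.100.7", 9101)])):
        print(len(msg), classify(msg))
```

The length checks are deliberate: a stream that carries the right type byte but the wrong total length is more likely an unrelated service on the same port than a Heloag message, so `classify()` returns `None` for it rather than a partial parse. If the endianness or port placement assumptions turn out to be wrong once the binary is looked at statically, only the two format constants need changing.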


Unlike what the Arbor Networks report said, I observed the P2P communication on both TCP and UDP ports. At the time of the analysis, the bot was using the port range 7105 - 7506 for TCP and the port range 9101 - 9301 for both TCP and UDP.

It exchanged a huge amount of traffic on the UDP ports: almost 15 MB in a very short time! Though the UDP payload appeared to be encrypted, it was exactly 100 bytes in length. The purpose of its P2P communication is not known yet.


While I have not done a static analysis yet, my guess is that the choice of TCP or UDP is determined by the port range itself and must be hard-coded in the binary, as that information is not passed on by the C&C as part of its protocol.

Whether this is an entirely new botnet is doubtful, but the communication protocol does appear to differ from what I have seen before in other botnets such as Conficker or Waledac.

That’s it for now. I will be playing around with this a bit more and will post an update if I find something new. Following are the MD5 hashes of the binaries used for this analysis:

b36a68304cec89cf35ddaea8a7e8406d

6a5759f5e32253e06217baa6e1b1dbe1

ed96a6175f00e21df631b295b3019f6a

Stay tuned !

Thursday, April 1, 2010

PDF Command execution vulnerability

Researcher Didier Stevens has just discovered that he can make a PDF reader execute any command without exploiting any vulnerability! On his blog he demonstrated how the “Launch” action of a PDF document can be abused to execute an arbitrary command on the victim’s machine.

Though he did not reveal the complete details, his partial PoC is good enough to work out how the attack is carried out. I decided to have a look at it and see how it behaves on different platforms and readers.

Apparently what Adobe thought of as a feature leaves a gaping hole in the operating system for any attacker to exploit! Simply by reading the PDF file specification on Adobe’s website, I was able to recreate the attack that Stevens described in his post. It is extremely trivial to manipulate the dialog box prompt:


This was tested on Windows XP SP3 with Adobe Reader 9.3.1. Clicking “Open” directly launches the calculator, as I simply changed the “/F” parameter in his PoC to “calc.exe”.


But wait, that’s not all. I replaced calc.exe with, guess what, a URL, and voila: my browser opened and took me straight to that page. Oh, how nice, Adobe! :/ If your PDF opens directly in your browser, it gets even better:

PDF URL Redirection in action

Now, not only can the attacker take you to an exploit-laden website, but this also becomes an even more lucrative vector for phishing attacks. Imagine receiving a PDF from your bank that asks you to click “Open” to go to its website and enter your details!

I decided to try this on my Ubuntu 9.10 box, but (thank god) the Evince document viewer did not open any file (yes, I modified the PDF to launch xcalc). But what about Adobe Reader 9.3.1 on Ubuntu? It did give the prompt, but unlike on Windows, it did not allow me to execute any program.


Instead, I was able to open any file in the default editor. Also note that I was not able to control the prompt text box as in the case of Windows, and the URL demo did not work with Adobe Reader on Ubuntu either.
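For anyone who does end up triaging a pile of PDFs for this, here is an added example (my own code, not Stevens’ PoC and not anything from Adobe): a byte-level Python scanner that flags every /S /Launch action, decodes the /F target (literal or hex string, including the /Win << /F ... >> sub-dictionary form the PDF specification allows) and classifies it as an executable, a URL (the browser-redirect case above) or a plain file. It assumes the action dictionary is not buried in a compressed object stream and uses the nearest preceding “<<” as the start of the enclosing dictionary, which is a heuristic. The minimal PDF it builds is constructed here purely as scanner input.

```python
"""Flag /Launch actions in a PDF and classify what /F points at.

Added example for this post. Scans raw bytes, so it only sees dictionaries that
are not inside compressed object streams; dictionary boundaries are heuristic.
"""
import re

LAUNCH_RE = re.compile(rb"/S\s*/Launch(?![A-Za-z])")
# /F followed by a literal (...) or hex <...> string; literal form allows escaped characters
F_RE = re.compile(rb"/F\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_string(tok):
    """Decode a PDF string token to bytes (hex form, or literal form with escapes)."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1])
        return bytes.fromhex((digits + b"0" if len(digits) % 2 else digits).decode())
    body, out, i = tok[1:-1], bytearray(), 0
    while i < len(body):
        if body[i:i + 1] == b"\\" and i + 1 < len(body):
            m = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
            if m:  # \ddd octal escape
                out.append(int(m.group(), 8) & 0xFF)
                i += 1 + len(m.group())
            else:  # named escape, or backslash dropped before an unknown character
                out += ESCAPES.get(body[i + 1:i + 2], body[i + 1:i + 2])
                i += 2
        else:
            out.append(body[i])
            i += 1
    return bytes(out)


def dict_end(pdf, start):
    """Offset just past the '>>' that closes the dictionary opening at start."""
    depth, i = 0, start
    while i < len(pdf) - 1:
        if pdf[i:i + 2] == b"<<":
            depth, i = depth + 1, i + 2
        elif pdf[i:i + 2] == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return i
        else:
            i += 1
    return len(pdf)


def classify_target(target):
    if target is None:
        return "unknown"      # /F may be an indirect object this scanner does not follow
    t = target.strip().lower()
    if re.match(r"^(https?|ftp|file)://", t) or t.startswith("www."):
        return "url"          # the post shows Reader on Windows handing this to the browser
    if re.search(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|msi)$", t):
        return "executable"
    return "file"


def find_launch_actions(pdf):
    """One finding per /S /Launch: byte offset, decoded /F target, classification."""
    findings = []
    for m in LAUNCH_RE.finditer(pdf):
        start = pdf.rfind(b"<<", 0, m.start())   # heuristic: enclosing dict opens at the last '<<'
        start = m.start() if start < 0 else start
        chunk = pdf[start:dict_end(pdf, start)]
        f = F_RE.search(chunk)                   # also catches /F inside a /Win << ... >> sub-dict
        target = decode_string(f.group(1)).decode("latin-1") if f else None
        findings.append({"offset": m.start(), "target": target, "kind": classify_target(target)})
    return findings


def minimal_pdf(open_action):
    """Constructed three-object PDF used only as scanner input (no xref table)."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction " + open_action if open_action else b"") + b" >>"
    objs = [catalog, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>"]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        minimal_pdf(b"<< /Type /Action /S /Launch /F (calc.exe) >>")
    for hit in find_launch_actions(data):
        print(hit)
```

Run it with a file argument to scan a real sample, or with none to scan the constructed PDF. A hit with `kind` of `unknown` still deserves a look: the /F value may live in a separate object, and a /Launch action in a document with no reason to launch anything is suspicious regardless of what it points at.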

I hope Adobe and others fix this issue soon! I don’t want to start analyzing another pile of malicious PDFs again... ;)