Bit9

Update 3

As promised, we wanted to provide an update on our investigation into the recent incident at Bit9. We will continue to be as open as possible, and share details with the security community at large in the hopes that this information will help others. The investigation is still ongoing and we will share more information as it becomes available, so long as it does not compromise the security or confidentiality of our customers.

Summary

We continue to believe the attack against Bit9 was part of a larger campaign to infiltrate select US organizations in a very narrow market space. Out of respect to those companies, we will not disclose the names or nature of those organizations, but we can say that this attack was not against critical infrastructure companies (e.g. utilities, banking, energy), nor was it against government entities. We believe the attack was not financially motivated, but rather a campaign to access information. The motivation and intent of the attackers matters because it helps to explain the narrow scope of the compromise.

We have performed a thorough assessment against our entire customer base and identified three customers that were impacted. Over the course of our continuing investigation, this number has not changed.

As we have discussed before, due to an operational error, we failed to install the Bit9 platform on a virtual system that was brought online at Bit9. It contained an older digital code-signing certificate (no longer in use, but still valid at that time). Because this system was not protected by the Bit9 software, the attackers were able to access this system and sign a number of pieces of malware, which they subsequently used against their intended targets.

The initial compromise on our system occurred in July 2012. We believe the attackers entered via a SQL injection flaw that was present at the time on an Internet-facing Web server. This allowed them to access the virtual machine with the certificate. That virtual system was only active for a short period of time and was taken offline (shut down) in late July 2012. It remained offline and shut down through December 2012, which is why the intrusion was not detected. The system was brought back online in January 2013, and shortly thereafter the compromise was discovered. We took immediate containment and remediation steps, revoked the certificate in question, and reached out to our entire customer base.

Highly Focused

After extensive analysis and examination of our entire computing infrastructure, there is no evidence or data to suggest the attackers accessed or modified our source code or product in any way. We continue to believe the scope of the attack remained the landing point from the SQL injection attack and the virtual system containing the certificate. The surrounding systems were protected by Bit9 which limited lateral movement for the attackers. It is apparent from the forensic evidence and investigation into the larger campaign that the attackers’ motives were very specific.

Attack Methodology

As I stated above and as we’ve stated previously, the forensic analysis conducted up to this point indicates that the attackers gained a foothold through an Internet-facing host in July 2012. The attackers dropped a malicious backdoor application (netddesrv.exe) that exhibited behavior and artifacts suggestive of malware previously reported under the name “HiKit.” This malware was able to execute because the system was not protected by Bit9 due to the operational error mentioned earlier. Two versions of the backdoor were discovered on the compromised system. One backdoor attempted communications with a remote host using the IP address 218.210.49.203, and the other backdoor attempted communications with a remote host associated with the URL downloadmp3server.servemp3.com (which resolves to the IP 66.153.86.14).

At this point in the investigation we have identified that the attackers compromised at least two legitimate user accounts, which were used to gain access to an unprotected virtual system containing the Bit9 code-signing digital certificate. The attackers then downloaded several malicious files, including variants of the “HiKit” and “HomeUNIX” backdoors, signed them using the Bit9 certificate, and then retrieved those signed files. In total, we observed thirty-two (32) different files signed by the attackers, many of them custom scripts.

In the subsequent attacks on the three target organizations, the attackers appeared to have already compromised specific Websites (a watering hole style attack, similar to what was recently reported by Facebook, Apple and Microsoft). We believe the attackers inserted a malicious Java applet onto those sites that used a vulnerability in Java to deliver additional malicious files, including files signed by the compromised certificate.

Lessons Learned

While there is no evidence that our product or source code was compromised in any way, out of an abundance of caution we have already undertaken an extensive review of our code, including using third-party analysis and line-by-line review of our entire code base. All results to date have confirmed our assessment. In addition, we are undergoing a thorough security audit and have addressed the operational errors that led to the compromise. We have shared, and will continue to share, relevant details of our security posture with our customers.

While we believe Bit9 is the most effective protection you can have on your endpoints, I’ve always said there is no silver bullet to security. It takes multiple layers, including network monitoring and filtering, identity management and user authentication, access control and more. These technologies need to be working together to form overlapping layers of detection and protection, because the attackers are more likely to find holes in any one of them than in all of them.

This incident has only fortified what we already knew… the enemy is persistent, sophisticated and motivated. As the news of companies that have been hit in the past several weeks has shown, everyone is a potential target. The cyber threat is only growing and we remain committed to our customers’ security and to being an open partner in the defense of our cyber properties.

Technical Details – Bit9

The following are preliminary technical details regarding some of the files analyzed as part of the investigation. This is in the context of an ongoing investigation and is subject to revision.

File: netddesrv.exe

The “netddesrv.exe” file is a backdoor / remote access tool containing an embedded rootkit component. This file was dropped on the compromised virtual system containing the Bit9 code-signing certificate. This backdoor is customized for each victim and creates a corresponding “netddrsrv.conf” configuration file which we believe contains the target name and the beacon address to use.

Filename netddesrv.exe
File size 73216 bytes
MD5 fc99fa2d9872eab586478b98c33beca5
SHA1 57f2d86de4de82627ab6ada51be6903f37a0d583
Version metadata Child Type: StringFileInfo
Language/Code Page: 1033/1200
Comments:
CompanyName:
FileDescription: NetDDESrv
FileVersion: 1, 0, 0, 1
InternalName: NetDDESrv
LegalCopyright:     Copyright ? 2012
LegalTrademarks:
OriginalFilename: msrv.exe
PrivateBuild:
ProductName: NetDDESrv
ProductVersion:     1, 0, 0, 1
SpecialBuild:
Child Type: VarFileInfo
Translation: 1033/1200


NetDDESrv supports the following command line arguments:

Command   Description
i         Installs the “NetDDESrv” service
u         Uninstalls the “NetDDESrv” service; the malware is not deleted from the system
hide      Hides the malicious file, configuration file, service, and open port from the Windows Explorer UI, SC, and NETSTAT commands
show      Makes the malicious file, configuration file, service, and open port visible again to the Windows Explorer UI, SC, and NETSTAT commands
stop      Stops the “NetDDESrv” service


When installed, it registers itself as a “Network DDE Service” with startup type set to “Automatic” for persistence when the system is restarted.


When hidden, the program extracts a “c:\windows\temp\hitx.sys” file which it installs as a rootkit service. This driver hides the NetDDESrv files, service, and open port from Windows Explorer, SC and NETSTAT commands.

While the address used for external communications is controlled by the configuration file, and therefore will vary, the NetDDESrv address used in the attack on Bit9 was “218.210.49.203”. When this service was started, it beaconed out to “218.210.49.203” over port 443.

The following information was found about the “218.0.0.0-218.255.255.255” net range:

  • OrgName: Asia Pacific Network Information Centre
  • Address: PO BOX 3646, South Brisbane, QLD, AU

The following information was found about the “218.210.0.0-218.211.255.255” net range:

  • NetName: NCICNET-NET
  • Desc: New Century InfoComm Tech Co., Ltd.
  • Address: 1F~11F, No. 218 Rueiguang Road, Taipei, Taiwan, 114, R.O.C, TW
  • Phone: 866-2-7715-5128
  • Email: davidlin1@fareastone.com.tw

The following information was found about the “218.210.49.128-218.210.49.255” net range:

  • NetName: eBizprise-TW
  • Desc: Taipei Taiwan
  • Person: Chris
  • Email: mis@ebizprise.com.tw

The first beacon contains fifty-two (52) bytes of encoded data. When decoded with a four (4) byte XOR key, the following string is revealed: “matrix_passwor”.

[Figure: Raw HEX view of the NetDDESrv beacon data]

[Figure: Decoded HEX view of the NetDDESrv beacon data]

The following is a subset of registry artifacts related to the installation of “netddesrv.exe”:

Key   Value Data
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv   N/A
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv\DependOnGroup   [NO VALUE]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv\DependOnService   RPCSS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv\DisplayName   Network DDE Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv\ErrorControl   0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv\ImagePath   [CWD]\netddesrv.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv\ObjectName   LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv\Start   0x2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv\Type   0x10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv\Security   N/A
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETDDESRV\0000\Class   LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETDDESRV\0000\ClassGUID   {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETDDESRV\0000\ConfigFlags   0x0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETDDESRV\0000\DeviceDesc   Network DDE Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETDDESRV\0000\Legacy   0x1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETDDESRV\0000\Service   NetDDESrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hitx   N/A
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hitx\Type   0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hitx\Start   0x4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hitx\ErrorControl   0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hitx\ImagePath   \??\C:\WINDOWS\TEMP\hitx.sys


File: hitx.sys

The “hitx.sys” file is a malicious driver embedded into “netddesrv.exe”. The driver is encoded inside “netddesrv.exe” with the following single-byte XOR key: “0x76”. The driver is created in the system “c:\windows\temp” directory. Once the rootkit service is started and loaded into memory, the “hitx.sys” rootkit file is deleted from the system.
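Recovering a driver that has been stored inside its carrier under a single-byte XOR key, as the report describes for “hitx.sys”, is a routine analysis step. The following is an added example and not code from Bit9's report: instead of assuming the key 0x76, it tries every candidate key and looks for the DOS-stub string that every PE image carries, then decodes from the preceding “MZ” header. The carrier and the embedded image below are constructed stand-ins; their offsets and sizes are not those of the real samples.

```python
"""Carve a single-byte-XOR-encoded PE image out of a carrier file.

Added example, not Bit9's code. The carrier and payload are constructed;
only the technique (key search on the DOS stub, decode from 'MZ') is what
the report describes for hitx.sys inside netddesrv.exe.
"""

# Every PE image built with the standard linker carries this DOS-stub message.
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_pe(carrier: bytes):
    """Return (key, offset) for the first single-byte key under which the carrier
    holds an encoded DOS stub preceded by an encoded 'MZ' header, or None."""
    for key in range(1, 256):
        stub_at = carrier.find(xor_bytes(DOS_STUB, key))
        if stub_at == -1:
            continue
        # The DOS header ('MZ') sits a short distance before the stub string.
        mz_at = carrier.rfind(xor_bytes(b"MZ", key), 0, stub_at)
        if mz_at != -1:
            return key, mz_at
    return None


def carve_pe(carrier: bytes, key: int, offset: int) -> bytes:
    """Decode the carrier from the encoded 'MZ' header to the end of the blob.
    In real triage the image length would be taken from the decoded PE headers."""
    return xor_bytes(carrier[offset:], key)


# Constructed test data: a minimal fake PE image, XOR-encoded with 0x76 and padded.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 56 + DOS_STUB + b"\r\r\n$"
           + b"PE\x00\x00" + b"\xaa" * 16)
CARRIER = b"\x00" * 64 + xor_bytes(FAKE_PE, 0x76) + b"\xff" * 32


def demo():
    """Locate and decode the embedded image; returns (key, offset, decoded_bytes)."""
    hit = find_xor_encoded_pe(CARRIER)
    if hit is None:
        raise RuntimeError("no XOR-encoded PE found in carrier")
    key, offset = hit
    return key, offset, carve_pe(CARRIER, key, offset)


if __name__ == "__main__":
    k, off, image = demo()
    print(f"key=0x{k:02x} offset={off} header={image[:2]!r}")
```

On the constructed carrier the search recovers key 0x76 at offset 64 and the decoded bytes begin with “MZ”. Searching for the DOS stub rather than for “MZ” alone matters because a two-byte marker will collide with unrelated data under some of the 255 candidate keys.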

Filename hitx.sys
File size 15360 bytes
MD5 03f70e7761d331615e88c1d7841ce906
SHA1 ce0881baa86b1f4de37f87342a505dcaa4c8406d
Version metadata Child Type: StringFileInfo
Language/Code Page: 2052/1200 Chinese (PRC)
Comments:
CompanyName: Microsoft
FileDescription: rkit
FileVersion: 1, 0, 0, 1
InternalName: rkit
LegalCopyright: Copyright ? 2011
LegalTrademarks:
OriginalFilename: rkit.exe
PrivateBuild:
ProductName: Microsoft rkit
ProductVersion: 1, 0, 0, 1
SpecialBuild:
Child Type: VarFileInfo
Translation: 2052/1200


When started, the rootkit hides:

  • Open port from the “NETSTAT” utility
  • The “netddesrv.exe” files in the system from the Windows Explorer UI
  • The “netddesrv.exe” service from the “SERVICES.MSC” UI

The following strings of interest were observed in the file:

  • 10.28.157.71
  • E:\SourceCode\Matrix_new\Release\Hitx.pdb

File: netddesrv.exe (2)

A second “netddesrv.exe” file was discovered on the compromised system that was not active. It has the same behavior and attributes of the previously described NetDDESrv malware, with the following differences:

Filename netddesrv.exe
File size 177664 bytes
MD5 bf5b5c68c9fdb4ae7d981c365e09354b
SHA1 15c45a8221e13d134f4c1b2485b54d334c2c6b9e


When this service is started, it beacons out to “downloadmp3server.servemp3.com”, which resolves to the IP address “66.153.86.14”, over port 443.

The WHOIS results for “66.153.86.14” are:

  • PaeTec Communications, Inc. PAETECCOMM (NET-66-153-0-0-1) 66.153.0.0 – 66.153.127.255
  • LPA SYSTEMS, INC. PAET-ROC-LPA-S-1 (NET-66-153-86-0-1) 66.153.86.0 – 66.153.86.63
  • Address: Rochester, New York USA

File: blat.exe / blat.dll

Blat.exe is a command line email program. However, the version that was discovered on the compromised system was an unapproved version and arrived in the time frame of the first identified activity. As such, we believe it may have been involved in the attack.

Filename MD5 Path
blat.dll 4dbdcea9eeb8abd205cc0115d2c5de0a C:\Windows\blat.dll
blat.exe 53ab44e7b77f0c5e4b00ba6c438c9a1f C:\Windows\blat.exe
blat301_32.full.zip* a51a0b7d1da6a46d66d80d3c3c57fbc9 C:\blat301_32.full.zip

*The zip file blat301_32.full.zip contains: blat.exe, blat.dll, blat.lib, and blatdll.h

Other Information

During the forensic analysis of the network traffic, we observed a beacon from the compromised system to the IP address “46.149.18.xx”. We are aware that this IP is part of a recent sinkholing operation.

Certificates Revoked

The following are the details on the compromised certificate that we revoked:

Publisher Bit9, Inc
Issuer VeriSign Class 3 Code Signing 2009-2 CA
Serial 4f2ef29ca5f96e5777b82c62f34fd3a6
SHA1 555d2d20851e849f0c109e243cf8a5da1f9995d7
MD5 1f1a2d9917e04b8ca490730d1d3c4bde
ValidFrom 5/25/2010 12:00:00 AM
ValidTo 5/24/2013 11:59:59 PM
SignatureTime 7/15/2011 1:55:10 PM
RootPublisher Class 3 Public Primary Certification Authority
RootIssuer Class 3 Public Primary Certification Authority
RootSerial 70bae41d10d92934b638ca7b03ccbabf


In addition, out of an abundance of caution, we also revoked the certificate that was in active use at the time:

Publisher Bit9, Inc
Issuer VeriSign Class 3 Code Signing 2010 CA
Serial 7cc1db2ad0a290a4bfe7a5f336d6800c
SHA1 fbc678aa0f8246551d5595f34c3ff3374b86d38a
MD5 c97bf0a8f506f0fe59d3157d1b91068b
ValidFrom 1/27/2012 12:00:00 AM
ValidTo 5/25/2013 11:59:59 PM
SignatureTime 5/18/2012 7:55:40 PM
RootPublisher Class 3 Public Primary Certification Authority
RootIssuer Class 3 Public Primary Certification Authority
RootSerial 70bae41d10d92934b638ca7b03ccbabf


Files Maliciously Signed by Bit9 Certificate

We identified thirty-two (32) files that were signed by the attackers with the compromised certificate. The cryptographic hash values of those files are listed here.

MD5 SHA1
68ff4c62295875db54e24dd5487be77f 8fc028b7d2218be3ac7869ee98285a2e703e72fe
e5a8788d5c448e819c405943e2b678c0 124f924188cb7c77b76255ac4379f6ca9b965127
35c5ddf6787fe90bc2b613ae1a7f17ec c014ce20f8e7054607f2ac00907999a9cd6dc935
918f76b341b40af346ae7a1358548799 dca298d1ca95903b774c160363c2a717da66fb70
57360b7a2195a3d0b0966b26f119eaf3 973acf578cc5b5d36657fccc3f68b115159bc7d9
d89a99407113dca6e55bd66341b2ef58 fc1c6511dc628a45348a85f5797a209d80f8cd00
d9e6af31d06edb664e058889f6654211 47bb0a022a4155c02dffdc716203cd3edde502c0
eea7a7bf84ec66126ca4f789cda59553 622e67e2018f510b3f27873c24b153c73c31bb6b
7ddb005f77a92dd047a51fed84b65e06 f94c9d5e8a0bee8f43e1c72d5a88a6162e8cefc8
7a3150f9aeb7379143a5929c98562dc7 62dbcc66d5ab499c9bab57e4c6c1bb6268c162cf
9fd00a21c6d16d395d895094b13b02b0 b8e64f40123f0f84b3f525024639348979ee3ff2
3aa53e19ee108b7f2a24269d5eaef67a eb819ba15eaeb6efa49b6a621b8eb64803546e73
7da684d72b5afa80a439f46e0a101ffa c756b84d9921b08bea6b236b9572b9b0b65bce71
9811d6dbbfd6264b684eb6f5a8f8eab0 0eca689e22f7718a8cc24a1713b7f93009d45571
94b3982d6b577644bbe1a2576f1671f4 27017e889b7de8498342aa4561e8e894555bb7a4
112273279df2f6562a6d3a344d9fc235 6c4f73a7e9eb3e39ec3d366e419a7f0550dd8964
2c321dc95dcfd7a6ef4dce99b8fcaca9 d90c3211f2eaa893df2342583bda817d52301678
e5074cd33592b8f6e0dcc8a1c385be52 cc01ad6da64aa85f402652f93f4e4339d2e1f49f
6fdadec97eb11cb25519603dad73f5b5 d6987d87f7babf7405b0f22094045427cf232a0c
cbf8f6bb24fffe424a3ea0a110051b47 7e6dc25b0d8b5ea0acc8154e36369592d58036be
0c7d9aea89e4816eef97732a01e4d1c9 b4eb7658100fa5900cba33d72c571e3ac079ef1d
aa6ec3eb25a3bb5e005edd3ef8fd485f 0bb46625f8e79c5fac993ccc4109252e4661a6ce
e4f23ee1d8fa548f5aec7c4cff639cd9 22d332111c79e3a329506a43d80af97910914be7
3196c378caaf6260a3b90ce30d576642 a5cc38277ca8c2d59a8dae79841b1e3fc2227977
a78e55d42294381d9272ea736de20e0d e2c4e9c0a00e544bfa7f85d1a1205cc605c84c6c
db33e2909aa96cae370b9dfd696197f7 1186825d38ff399cebefc7a50fd9f2291863c339
c7798ba543c355346f2483274be5acea 483c59f15de5cacb04982e1b12eee8107b3a9079
aa2783c13e16d22816fe742be9996384 903a71ee4f2be12f533702a20de8dfcfeadaf580
f6d1602ec1e74e8e33a0eb664487b917 944717c6eb577282fff678cd8fbcfb5bd6851f88
9ad2abe7a16b855279f27dca1ad9d225 ec47cb066de5d093d97017fb0e1c91ccceb2ba90
df4a527c184e7226d37e70f967241e52 bb2de55f90675c9d7393f82a16b6e64ff9a35e60
9de298e7ff04049d3ea36d2606033e32 7f514ceb68a0557840467c42d95654d718e6019a

Technical Details – Intended Targets

The following information contains details that we have learned about the maliciously signed files which were intended to be used by the attackers. This is in the context of an ongoing investigation and is subject to revision.

Java Applet Malware

We believe the files maliciously signed by the Bit9 certificate were delivered to the target customer systems via a malicious Java Applet, which the attackers installed on a compromised Website designed to attract an intended target (i.e. a watering hole attack). Analysis of this applet shows it is a Hydraq dropper that drops a variant of the Hydraq (aka Aurora) trojan. In our investigation, we observed this primary payload under various filenames, including “media.exe” and filenames that look like a decimal number with 16-digit precision (e.g. “0.123456712346789.exe”).

This payload contains an additional signed piece of malware that it extracts and installs on the system, perhaps under the name “BITS.dll” or “soundmax.dll”.

After dropping the Hydraq trojan and its embedded file, we believe the attack subsequently installs additional malware, such as a variation of the HiKit backdoor, observed in one case with the name “pwmewsvc.exe”.

File: media.exe [or] 0.################.exe (16 digits after decimal point)

This file was delivered through a Java exploit and can be best classified as a dropper. It is digitally signed by the compromised Bit9 certificate and contains an embedded DLL in its resource section also digitally signed.

Filename media.exe or 0.################.exe (16-digits)
File size 103800 bytes
MD5 918f76b341b40af346ae7a1358548799
SHA1 dca298d1ca95903b774c160363c2a717da66fb70
Version metadata Child Type: StringFileInfo
Language/Code Page: 2057/1250
Comments:
CompanyName: Microsoft Corporation
FileDescription: Microsoft Windows Media Center Plugin
FileVersion: 6, 1, 0, 0
InternalName: Microsoft(R) Windows(R) Operating System
LegalCopyright: Copyright (C) 2010
LegalTrademarks:
OriginalFilename: Media.exe
PrivateBuild:
ProductName: Microsoft(R) Windows(R) Operating System
ProductVersion: 6, 1, 0, 0
SpecialBuild:
Child Type: VarFileInfo
Translation: 2057/1250


When executed, this file extracts and installs its embedded BITS.DLL file to the location “%USERPROFILE%\BITS.dll” and then deletes itself.

File: bits.dll [or] soundmax.dll

The “BITS.dll” file is a malicious DLL embedded within the previously described “media.exe” dropper. It has also been observed using the filename “soundmax.dll”.

Filename BITS.dll or soundmax.dll
File size 73592 bytes
MD5 9ad2abe7a16b855279f27dca1ad9d225
SHA1 ec47cb066de5d093d97017fb0e1c91ccceb2ba90
Version metadata Child Type: StringFileInfo
Language/Code Page: 2057/1250
Comments:
CompanyName: Microsoft Corporation
FileDescription: Microsoft Windows Media Center Plugin
FileVersion: 6, 1, 0, 0
InternalName: Microsoft(R) Windows(R) Operating System
LegalCopyright: Copyright (C) 2010
LegalTrademarks:
OriginalFilename: Media.exe
PrivateBuild:
ProductName: Microsoft(R) Windows(R) Operating System
ProductVersion: 6, 1, 0, 0
SpecialBuild:
Child Type: VarFileInfo
Translation: 2057/1250


It contains two (2) exports: “Launch” and “ServiceMain”. If either function is called, the malware beacons to IP address “180.210.204.227” over port 80.

The following information was found about the “180.0.0.0-180.255.255.255” net range:

  • OrgName: Asia Pacific Network Information Centre
  • Address: PO BOX 3646, South Brisbane, QLD, AU

The following information was found about the “180.210.204.224-180.210.204.255” net range:

  • NetName: SPARKSTATION-AS-P
  • Address: 10 Science Park Road, #02-09 The Alpha, SG
  • Phone: 65 68228929
  • Email: noc@sparkstation.net

The malware beacons with eighty-eight (88) bytes of encoded data. As with the HiKit backdoor variants analyzed in this report, this data appears to be encoded with a four-byte XOR key. The key is contained within the first four (4) bytes of the packet.

[Figure: Raw HEX view of the BITS.dll beacon data]

[Figure: Decoded HEX view of the BITS.dll beacon data]

When installed, the malware entrenches itself in the registry as a service library, replacing the legitimate Background Intelligent Transfer Service library (c:\windows\system32\qmgr.dll) with itself. The following is a screenshot of the services window showing the Background Intelligent Transfer Service running the malicious DLL:

The following is a subset of registry artifacts related to the installation of “BITS.dll”:

Key   Value Data
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ServiceDLL   [CWD]\BITS.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\MyStubPath   [CWD]\0.################.exe (the parent/containing filename)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\NextInstance   0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Class   LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\ClassGUID   {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\ConfigFlags   0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\DeviceDesc   Background Intelligent Transfer Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Legacy   0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Service   BITS
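The two registry tables in this report (the “NetDDESrv”/“Hitx” services above and the “BITS” service here) share a pattern a defender can check for: a service binary or service DLL loaded from somewhere other than the system32 directory, the legitimate BITS library (qmgr.dll) replaced under Parameters\ServiceDll, and a value name (MyStubPath) that the real service does not use. The following is an added example, not code from Bit9's report. It parses the text form of a `reg export` file and applies those three checks. The export text is constructed: the drop directory stands in for the report's “[CWD]” placeholder, the “Dhcp” entry is a benign control, and the checks assume the system drive is C:.

```python
"""Triage a .reg export for the service-persistence artifacts the report lists.

Added example, not Bit9's code. REG_EXPORT below is constructed; the
malicious entries mirror the report's tables with an invented drop
directory in place of [CWD].
"""
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Value name the report found under BITS\Parameters; the real service does not use it.
SUSPICIOUS_BITS_PARAMS = {"mystubpath"}

_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name_lower: value}} from .reg export text.
    Only plain strings and dwords are parsed, which is all these checks need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, s, d = m.groups()
            # .reg files double the backslashes inside string values; undo that.
            keys[current][name.lower()] = int(d, 16) if s is None else s.replace("\\\\", "\\")
    return keys


def in_system32(path: str) -> bool:
    """True if a service binary path resolves under the system32 directory.
    Assumes the system drive is C: (true for the constructed data)."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\??\\"):          # NT object-manager prefix, as on the Hitx ImagePath
        p = p[4:]
    for root in ("%systemroot%\\", "\\systemroot\\", "c:\\windows\\"):
        if p.startswith(root):
            p = p[len(root):]
            break
    return p.startswith("system32\\")


def audit_services(keys: dict) -> list:
    """Return (service_name, reason) findings for the three checks."""
    findings = []
    prefix = SERVICES_ROOT.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")
        svc = parts[0]
        if len(parts) == 1:                       # the service key itself
            image = values.get("imagepath")
            if isinstance(image, str) and not in_system32(image):
                findings.append((svc, f"ImagePath outside system32: {image}"))
        elif len(parts) == 2 and parts[1].lower() == "parameters":
            dll = values.get("servicedll")
            if isinstance(dll, str):
                if not in_system32(dll):
                    findings.append((svc, f"ServiceDll outside system32: {dll}"))
                elif svc.lower() == "bits" and not dll.lower().endswith("\\qmgr.dll"):
                    findings.append((svc, f"BITS ServiceDll is not qmgr.dll: {dll}"))
            if svc.lower() == "bits":
                for name in SUSPICIOUS_BITS_PARAMS & set(values):
                    findings.append((svc, f"unexpected BITS parameter: {name}"))
    return findings


# Constructed export (not a real machine's registry). C:\Users\Public stands in for [CWD].
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcore.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDESrv]
"DisplayName"="Network DDE Service"
"ImagePath"="C:\\Users\\Public\\netddesrv.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hitx]
"ImagePath"="\\??\\C:\\WINDOWS\\TEMP\\hitx.sys"
"Start"=dword:00000004
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="C:\\Users\\Public\\BITS.dll"
"MyStubPath"="C:\\Users\\Public\\0.1234567890123456.exe"
"""

if __name__ == "__main__":
    for service, reason in audit_services(parse_reg_export(REG_EXPORT)):
        print(f"{service}: {reason}")
```

Against the constructed export this reports the NetDDESrv and Hitx ImagePath locations and two findings for BITS (the replaced ServiceDll and the MyStubPath value), and nothing for the Dhcp control entry. A real `reg export` is written as UTF-16 text and stores REG_EXPAND_SZ values such as ImagePath in `hex(2):` form, so the file would need decoding before this parser sees plain strings.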


During a cursory examination, this service was observed looking for a process named “McpRoxy.exe”, and if found, attempting to open a handle to that process.

The following strings of interest were observed in the file:

  • rat_UnInstall
  • McpRoXy.exe
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • soundmax
  • rundll32.exe “%s”, Launch
  • Services.exe
  • Dll.dll

File: pwmewsvc.exe

The file “PWMEWSVC.EXE” is best classified as a loader. When executed, it decodes an embedded DLL into memory and then loads it. This embedded file, “PWMEWSVC_decoded_file.dll” [examiner given name] is a variant of the “netddesrv.exe” backdoor described earlier. The “PWMEWSVC.EXE” file is an advanced variant due to the techniques used by the attackers to obfuscate APIs and decode the embedded DLL backdoor into memory. During the investigation, this file was observed as a second stage payload after a system had been compromised from the previously mentioned Hydraq dropper.

Filename PWMEWSVC.EXE
File size 189816 bytes
MD5 f6d1602ec1e74e8e33a0eb664487b917
SHA1 944717c6eb577282fff678cd8fbcfb5bd6851f88
Version metadata Child Type: StringFileInfo
Language/Code Page: 1033/1200
Comments:
CompanyName: Microsoft Corporation
FileDescription:
FileVersion: 1, 0, 0, 1
InternalName:
LegalCopyright: (C) Microsoft Corporation. All rights reserved.
LegalTrademarks:
OriginalFilename:
PrivateBuild:
ProductName: Microsoft(R) Windows(R) Operating System
ProductVersion: 1, 0, 0, 1
SpecialBuild:
Icon Entry\1
Icon Entry\2


It was observed that the following commands supported by the other similar variants were not supported by “PWMEWSVC.EXE”: “hide”, “show”, “stop”.

When the “NetDDESrv” service is started from this file, the malware beacons to “209.34.194.50” over port 443.

The WHOIS results for “209.34.194.50” are:

  • Travel and Transport COXNE-TRAVELTRNSPRT-1 (NET-209-34-194-0-1) 209.34.194.0 – 209.34.194.127
  • Cox Communications Omaha, L.L.C. COXNE-COMM (NET-209-34-192-0-1) 209.34.192.0 – 209.34.223.255
  • Address: Omaha, Nebraska USA

The first beacon contains fifty-four (54) bytes. This beacon contains encoded data. The data is encoded with a four-byte XOR key. The key is contained within the first four (4) bytes of the packet. When the data is decoded, the following string is revealed: “matrix_password”.
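The beacon encoding described for the NetDDESrv sample (52 bytes decoding to “matrix_passwor”), the BITS.dll sample (88 bytes) and this PWMEWSVC sample (54 bytes decoding to “matrix_password”) is the same: a four-byte XOR key carried in the first four bytes of the packet, applied repeatedly to the rest. The following is an added example, not code from Bit9's report, that implements that decoding and turns it into a simple content check a network analyst could run over captured payloads. The packets are constructed to the report's description; the real beacon bytes are not on the page, and the filler after the marker string is invented.

```python
"""Decode and detect the HiKit-style beacons described in the report.

Added example, not Bit9's code. Packets below are constructed: a 4-byte
key followed by the body XORed with that key, as the report describes.
"""
import itertools

# Common prefix of the two strings the report recovered ("matrix_passwor" / "matrix_password").
MARKER = b"matrix_passwor"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating multi-byte key."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def decode_beacon(packet: bytes) -> bytes:
    """Treat the first four bytes as the XOR key and decode the remainder."""
    if len(packet) < 5:
        raise ValueError("packet too short to hold a 4-byte key and a body")
    return xor_with_key(packet[4:], packet[:4])


def encode_beacon(body: bytes, key: bytes) -> bytes:
    """Inverse of decode_beacon; used here only to build the constructed packets."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return key + xor_with_key(body, key)


def is_hikit_style_beacon(packet: bytes) -> bool:
    """Detection rule: decoding with the leading four bytes exposes the marker."""
    try:
        return MARKER in decode_beacon(packet)
    except ValueError:
        return False


def scan(payloads) -> list:
    """Indices of payloads (e.g. first TCP segments to port 443) that match the rule."""
    return [i for i, p in enumerate(payloads) if is_hikit_style_beacon(p)]


# Constructed sample traffic, not captured data. The key value is arbitrary.
SAMPLE_KEY = bytes.fromhex("a1b2c3d4")
BEACON_52 = encode_beacon(b"matrix_passwor" + b"\x00" * 34, SAMPLE_KEY)    # 4 + 48 bytes
BEACON_54 = encode_beacon(b"matrix_password\x00" + b"\x00" * 34, SAMPLE_KEY)  # 4 + 50 bytes
TLS_LOOKALIKE = bytes.fromhex("16030100") + b"\x00" * 50                   # benign-shaped 443 payload

if __name__ == "__main__":
    for pkt in (BEACON_52, BEACON_54, TLS_LOOKALIKE):
        print(len(pkt), is_hikit_style_beacon(pkt), decode_beacon(pkt)[:16])
```

Because the key travels in the packet, the rule needs no key material: it decodes every candidate payload and checks for the marker, so it applies equally to the 52-, 54- and 88-byte variants as long as the decoded body contains the string. Genuine TLS traffic on port 443 does not decode to the marker, which the constructed TLS-shaped payload illustrates.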

The embedded file within “PWMEWSVC.EXE” has the following properties when viewed in its decoded de-obfuscated form: (Note: This hash may not match a file hash since the file was copied out of memory)

Filename PWMEWSVC_decoded_file.dll (examiner given name)
File size 190464 bytes
MD5 f673cdbde0f0ce9fe62ceb92019635a4
SHA1 56396502f815ff9a47d1c81a9095de04d3bbe7e0


Just as the file “netddesrv.exe” contained an embedded “hitx.sys” rootkit service, this embedded “PWMEWSVC_decoded_file.dll” contains a similar rootkit. It is suspected this file extracts a “c:\windows\temp\https.sys” with the following properties:

Filename https.sys (examiner given name)
File size 14848 bytes
MD5 2f1b021644071f7c6420212f9bf4297d
SHA1 fc91c8941e1f0d7fce1a3a3c6dd8424a74dd8c30


The following strings of interest were observed in the file:

  • 10.28.157.71
  • https.sys

File: wuauserv.dll

This malicious file was digitally signed by the compromised Bit9 certificate and was analyzed as part of our investigation. It was not directly observed in the wild as part of our investigation.

Filename wuauserv.dll
File size 55088 bytes
MD5 aa6ec3eb25a3bb5e005edd3ef8fd485f
SHA1 0bb46625f8e79c5fac993ccc4109252e4661a6ce


It contains one (1) export: “DllRegisterServer”. When this function is called, the malicious DLL beacons to IP address “110.173.55.187” over port 80.

The following information was found about the “110.0.0.0-110.255.255.255” net range:

  • OrgName Asia Pacific Network Information Centre

Another search provided the following information about the “110.173.48.0-110.173.63.255” net range:

  • NetName: CHINADEDICATED-HK
  • Address: Room B, 8/F, Wing Cheung Ind Building, No. 109, How Ming Street, Kwun Tond, HK
  • Phone: 85268554675

When executed, the malware checks the OS version. If the version is less or equal to 5, it executes the following command:

  • RUNDLL32 “C:\\Docume~1\\All Users\\Application Data\\wuauserv.dll” DllRegisterServer

If the OS version is greater than 5, it executes the following command:

  • RUNDLL32 “C:\\ProgramData\\wuauserv.dll” DllRegisterServer

It then appears to set the following value in the registry:

  • Key: HKEY_CURRENT_USER\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run
  • Value name: SymantecUpdate
  • Value data: [path to DLL]\wuauserv.dll

At some point, it will XOR some data with 0x99, copy the data to a buffer, and create a thread. This is most likely the decoding loop with the malicious logic that beacons to “110.173.55.187” over TCP port 80.

The following strings of interest were observed in the file:

  • FuncDll.dll
  • SOFTWARE\Microsoft\Windows\CurrentVersion\run
  • SymantecUpdate
