One Article Review

Home - The article:
Source BAE
Identifier 352316
Publication date 2017-03-06 12:14:53 (viewed: 2017-03-06 12:14:53)
Title The Merchant of Venice Marches on Italy
Text

As if to prove its name, the latest variant of Shylock has now extended its geography to cover Italian banks. Quite an ironic twist, isn't it? Armed with an improved protection layer, it is now harder to detect too, fetching only 2 detections out of 45. The anti-VM tricks employed by Shylock can fortunately be defeated by StrongOD, a handy plugin for OllyDbg. So let's roll up our sleeves and give it a closer look.

In a previous post ("Pray before you buy with Shylock") on Shylock we provided an overview of its operation and its encryption schemes. What we aim to do this time is to actually try to reconstruct the entire encryption/decryption algorithm in a stand-alone tool, a tool that will allow us to fetch and then decrypt Shylock configuration files along with the so-called 'Inject Packs'.

Shylock configuration files normally enlist current command-and-control (C&C) servers along with the location of the 'Inject Packs' - larger configurations that define browser injection logic, that is, what banks to target and how. By downloading and decrypting configuration files from the known live C&C servers, we'll be able to find out what the newly registered C&C are. By fetching 'Inject Packs' from these servers, we'll know what new tricks are implanted there and what new regions are being targeted.

The C&C domains that we thus detect will be handy in monitoring the traffic. Since all communications are SSL, they can't be sniffed, but the presence of the Shylock domains in the traffic is a sure sign of 'Houston, we have a problem'.

The sample we've analysed contains a built-in configuration stub that enlists 3 hard-coded C&C servers followed by 2 backup C&C servers:

uphebuch.su
oonucoog.cc
ahthuvuz.cc
wsysinfonet.su
statinfo.cc

The first 3 C&C servers are now down but the backup ones point to the same IP (217.172.170.220) in Germany.

Sending it a packet encrypted the same way as we did last time no longer works - the server returns us a string which is our IP address. So clearly something has changed. To find out what was changed, we'll need to reconstruct the entire communication logic of Shylock step by step, by combining dynamic and static analysis of the sample. For that, we first dumped the memory heap pages where the Shylock executable has unpacked itself. Next, we decrypted all the strings in that dump (753 strings), and built a table of all hashes of all APIs from all modules loaded by Shylock (28,500 hashes). After that, we were able to reverse engineer its new logic, and this is what we've found:

The Shylock request now needs to be submitted via 'POST'. In addition, the C&C server now requires that the User-Agent header provided be formatted as:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.)

Where is a 4-digit number composed of the numbers collected from the bot ID string, from left to right. For example,
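The write-up's practical takeaway for network defenders is that the C&C hostnames (and the IP the backup domains resolved to) are the reliable indicator, while the required User-Agent shape is only a weak, corroborating one because it imitates a genuine IE6 on XP string. The following Python is an added example, not BAE's code or the tool the post describes: it scans constructed proxy-log lines (the tab-separated format, the client addresses and the log content are all made up here) for the five C&C domains and the IP quoted in the post, and flags POST requests whose User-Agent matches the ".NET CLR 1.0." plus four digits shape the post gives.

```python
import re

# Indicators quoted from the BAE write-up above (not constructed): the five
# hard-coded C&C domains and the German IP the two backup domains pointed to.
SHYLOCK_CC_DOMAINS = frozenset({
    "uphebuch.su", "oonucoog.cc", "ahthuvuz.cc",   # primary C&C, reported down
    "wsysinfonet.su", "statinfo.cc",               # backup C&C
})
SHYLOCK_CC_IPS = frozenset({"217.172.170.220"})

# User-Agent shape the C&C now demands: an IE6 on XP string whose ".NET CLR 1.0."
# token is followed by a 4-digit number taken from the bot ID, then the closing
# parenthesis with no further CLR tokens. Because this mimics a real IE6 UA it
# is only a weak, corroborating signal; the hostname/IP match is the strong one.
SHYLOCK_UA_RE = re.compile(
    r"^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1; SV1; "
    r"\.NET CLR 1\.0\.(\d{4})\)$"
)


def parse_line(line):
    """Parse one tab-separated proxy log line (hypothetical, constructed format):
    timestamp, client_ip, method, host, path, user_agent. Returns None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, client, method, host, path, ua = parts
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower().rstrip("."), "path": path, "ua": ua}


def classify(rec):
    """Return (severity, reasons) for one parsed record, or None if nothing matched."""
    reasons = []
    if rec["host"] in SHYLOCK_CC_DOMAINS:
        reasons.append("known Shylock C&C domain: " + rec["host"])
    if rec["host"] in SHYLOCK_CC_IPS:
        reasons.append("known Shylock C&C IP: " + rec["host"])
    m = SHYLOCK_UA_RE.match(rec["ua"])
    if m and rec["method"].upper() == "POST":
        reasons.append("Shylock-style POST User-Agent (bot-ID digits %s)" % m.group(1))
    if not reasons:
        return None
    # An infrastructure match is the "sure sign" from the post; UA alone is weak.
    severity = "high" if any(r.startswith("known") for r in reasons) else "low"
    return severity, reasons


def scan_proxy_log(lines):
    """Run classify() over every parsable line; return a list of alert dicts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            severity, reasons = hit
            alerts.append({"client": rec["client"], "host": rec["host"],
                           "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample log lines (not real traffic). Line 1: backup C&C domain plus
# the required UA. Line 2: ordinary IE6 traffic. Line 3: a bare connection to the
# C&C IP. Line 4: the UA shape alone, to an unrelated host.
SAMPLE_LOG = [
    "2017-03-06T12:14:53Z\t10.0.0.5\tPOST\tstatinfo.cc\t/\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.4821)",
    "2017-03-06T12:15:01Z\t10.0.0.7\tGET\twww.example.com\t/\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
    "2017-03-06T12:15:20Z\t10.0.0.9\tPOST\t217.172.170.220\t/\t"
    "Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0",
    "2017-03-06T12:16:05Z\t10.0.0.11\tPOST\tcdn.example.net\t/\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.2103)",
]

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(a["severity"].upper(), a["client"], "->", a["host"],
              "|", "; ".join(a["reasons"]))
```

Because the bot talks SSL, the User-Agent check only works where TLS is terminated or inspected by the proxy; the hostname and IP check needs nothing more than CONNECT, SNI or DNS logs, which is why it carries the high severity here.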
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.