Destructive malware - a closer look at an SMB worm tool

19 January 2015

Christopher Doman

On December 19 US-CERT released an alert, TA14-353A, relating to seven tools used to target a major entertainment company.

Some, such as the “Network Propagation Wiper”, have been well described before. Less well known, however, is the SMB Worm Tool, which US-CERT describes as follows:

“SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.”

Meet SVCH0ST.EXE

The US-CERT alert doesn’t contain file hashes (only import hashes) which makes directly identifying particular samples more difficult. However, there is a file that closely matches the signature for the SMB Worm Tool:

Original Filename: SVCH0ST.EXE

MD5: 61bf45be644e03bebd4fbf33c1c14be2

Compilation Timestamp: 2014-10-16 05:00:56

Uploaded to VirusTotal: 2014-12-19 20:19:38 (from the US)

Mutex: Global\FwtSqmSession106829323_S-1-5-19

Resources: Korean

This sample (SVCH0ST.EXE) matches the fairly unique mutex of the US-CERT sample. It also matches another string (“EVERYONE”) and contains a somewhat similar “leet speak” string:

 US CERT Alert: y0uar3@s!llyid!07,ou74n60u7f001

 SVCH0ST.EXE: y@s!11yid60u7f!07ou74n001

Inspection of SVCH0ST.EXE shows it to contain the functionality required for an SMB worm. Whilst this isn’t the exact malware sample referenced by US-CERT, it appears to be closely related.

SMB Worms

The basic concept of an SMB worm is similar to that of the original Morris worm from 1988. A SANS paper from 2001 describes the typical operation of an SMB worm, which:

  • Uses a password dictionary to attempt authentication to remote network shares;
  • Copies itself over to the victim system via the network share; and,
  • Remotely executes itself on the victim system, for example via psexec or remotely scheduled tasks.

SVCH0ST.EXE

The sample SVCH0ST.EXE contains functionality for:

  • Brute forcing authentication to network shares using a dictionary of passwords;
  • Copying the malware across to the Administrator (Admin$) network share; and,
  • Executing the malware using remotely scheduled tasks.

In evidence that attackers really do read industry reports, the first ten passwords in the dictionary used to brute force access to network shares are from Trustwave’s 2014 Business Password Analysis:

 Password1
 Hello123
 password
 Welcome1
 banco@1
 training
 Password123
 job12345
 spring
 food1234

Command Line Parameters

-i: Installs the malware and initiates network connectivity.

The malware copies itself to “System\Svchost.exe”, then writes the following to the file “mscvcr.bat”:

 @echo off
 :D1
 del /a %1
 if exist %1 goto D1
 del /a %0

This batch file is then executed with “cmd /c msvcr.bat {malware.exe}”. This has the effect of repeatedly attempting to delete the original malware file.

-s: Initiates network connectivity.

Mitigation Options

There are a number of potential mitigations against this type of threat:

  • Consider employing key mitigation strategies against targeted attacks (such as application whitelisting);
  • Prevent the success of dictionary attacks on network shares by enforcing strong password policies;
  • Auditing multiple failed SMB connections is good practice and will alert in this case;
  • We see a number of threat actors employing remotely scheduled tasks in order to move laterally across networks. Typically this is done by attackers at the command prompt using the “at” command; however, as seen here, malware can use the trick too; and,
  • The original SANS article on SMB worms suggests disabling the task scheduling service as an option to limit the ability of worms to spread; however, doing so can prevent required Windows Updates. Remote task scheduling can instead be limited through firewall settings, where appropriate.
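The third mitigation above, auditing repeated failed SMB connections, is worth making concrete. The following is an added example written for this post, not code from PwC or from the sample analysed here. It reads a few constructed log lines (a simplified key=value rendering of Windows logon events, not the native event log format), keeps only network logons (LogonType 3, the type an SMB share connection produces), flags any source address that produces a burst of failed logons (event 4625) inside a sliding time window, and records whether a successful network logon (event 4624) from the same source followed the burst, which is the pattern a dictionary attack against a share leaves behind when one of the guesses works. The threshold and window sizes are assumed values to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not taken from any real system. Event 4625 is a
# failed logon, 4624 a successful one; LogonType=3 is a network logon.
SAMPLE_LOG = """\
2015-01-19T10:00:01Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=Administrator SourceIP=10.0.0.5
2015-01-19T10:00:02Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=Administrator SourceIP=10.0.0.5
2015-01-19T10:00:03Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=Administrator SourceIP=10.0.0.5
2015-01-19T10:00:04Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=Administrator SourceIP=10.0.0.5
2015-01-19T10:00:05Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=Administrator SourceIP=10.0.0.5
2015-01-19T10:00:06Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=Administrator SourceIP=10.0.0.5
2015-01-19T10:00:07Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=Administrator SourceIP=10.0.0.5
2015-01-19T10:00:08Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=Administrator SourceIP=10.0.0.5
2015-01-19T10:00:09Z EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=Administrator SourceIP=10.0.0.5
2015-01-19T10:05:00Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=jsmith SourceIP=10.0.0.9
2015-01-19T10:05:30Z EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=jsmith SourceIP=10.0.0.9
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict; the timestamp becomes rec['ts']."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_smb_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: {"failures": n, "success_after_burst": bool}} for every
    source with at least `threshold` failed network logons inside one `window`.
    `threshold` and `window` are assumed tuning values."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("LogonType") != "3":          # only network (share) logons
            continue
        if rec.get("EventID") == "4625":
            failures[rec["SourceIP"]].append(rec["ts"])
        elif rec.get("EventID") == "4624":
            successes[rec["SourceIP"]].append(rec["ts"])

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start, best, burst_last = 0, 0, None
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > best:
                best, burst_last = count, t
        if best:
            # A success at or after the densest burst is the strongest signal:
            # one of the dictionary guesses worked.
            alerts[src] = {
                "failures": best,
                "success_after_burst": any(s >= burst_last for s in successes[src]),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_smb_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

Only 10.0.0.5 is flagged: eight failures in seven seconds followed by a success, whereas the two failures from 10.0.0.9 look like an ordinary mistyped password. In a real deployment the same logic would be fed from Security log exports or a SIEM query rather than an inline string.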

Yara Rule

The following rule can be used to detect the SMB Worm Tool on disk:

 rule smbWormTool
 {
     meta:
         author = "PwC Cyber Threat Operations"
         description = "SMB Worm Tool"
         version = "1.0"
         created = "2014-12-30"
         osint_ref = "http://totalhash.com/analysis/db6cae5734e433b195d8fc3252cbe58469e42bf3"
         exemplar_md5 = "61bf45be644e03bebd4fbf33c1c14be2"
     strings:
         $STR1 = "%s\\Admin$\\%s.exe" wide ascii nocase
         $STR2 = "NetScheduleJobAdd" wide ascii nocase
         $STR3 = "SetServiceStatus failed, error code" wide ascii nocase
         $STR4 = "LoadLibrary( NTDLL.DLL ) Error" wide ascii nocase
         $STR5 = "NTLMSSP" wide ascii nocase
     condition:
         all of them
 }
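Every string in the rule carries the modifiers "wide ascii nocase", and the condition is "all of them". To show what those modifiers actually commit the rule to, here is an added example (written for this post, not PwC's code and not a substitute for running the rule in Yara itself) that re-implements the matching semantics in Python: each string is accepted in its plain ASCII form or as UTF-16LE (every character followed by a NUL byte), in either case, and the rule fires only when all five strings hit. The two sample buffers are constructed, not bytes from the real sample.

```python
import re

# String definitions taken from the smbWormTool rule in the post; every one
# carries the modifiers "wide ascii nocase".
RULE_STRINGS = {
    "STR1": "%s\\Admin$\\%s.exe",
    "STR2": "NetScheduleJobAdd",
    "STR3": "SetServiceStatus failed, error code",
    "STR4": "LoadLibrary( NTDLL.DLL ) Error",
    "STR5": "NTLMSSP",
}


def _nocase_atom(ch: str) -> bytes:
    """Regex atom matching one character in either case (the 'nocase' modifier)."""
    lo, up = ch.lower().encode("latin-1"), ch.upper().encode("latin-1")
    if lo == up:
        return re.escape(lo)
    return b"[" + re.escape(lo) + re.escape(up) + b"]"


def compile_rule_string(text: str):
    """One regex accepting the ASCII form ('ascii') or the UTF-16LE form
    ('wide': each character followed by a NUL byte) of the string."""
    ascii_form = b"".join(_nocase_atom(c) for c in text)
    wide_form = b"".join(_nocase_atom(c) + b"\x00" for c in text)
    return re.compile(b"(?:" + ascii_form + b")|(?:" + wide_form + b")")


PATTERNS = {name: compile_rule_string(s) for name, s in RULE_STRINGS.items()}


def scan(data: bytes) -> dict:
    """Offsets at which each rule string matches inside data."""
    return {name: [m.start() for m in pat.finditer(data)]
            for name, pat in PATTERNS.items()}


def matches_rule(data: bytes) -> bool:
    """The rule's condition is 'all of them': every string must hit at least once."""
    hits = scan(data)
    return all(hits[name] for name in RULE_STRINGS)


# Constructed sample buffers, not bytes from any real file. They mix ASCII and
# wide encodings and vary the letter case to exercise all three modifiers.
SAMPLE_HIT = (
    b"\x00" * 8
    + b"%s\\admin$\\%s.EXE\x00"                             # STR1, ASCII, case changed
    + "NetScheduleJobAdd".encode("utf-16-le")                # STR2, wide
    + b"SetServiceStatus failed, error code %d\x00"          # STR3, ASCII
    + "LoadLibrary( ntdll.dll ) Error".encode("utf-16-le")   # STR4, wide, lower case
    + b"NTLMSSP\x00"                                          # STR5, ASCII
)
# Same buffer with the NTLMSSP marker damaged: four of five strings hit, so
# "all of them" is not satisfied and the rule stays silent.
SAMPLE_MISS = SAMPLE_HIT.replace(b"NTLMSSP", b"NTLMXXX")


if __name__ == "__main__":
    print("hit buffer   ->", matches_rule(SAMPLE_HIT), scan(SAMPLE_HIT))
    print("miss buffer  ->", matches_rule(SAMPLE_MISS), scan(SAMPLE_MISS))
```

The point of the second buffer is the caveat a practitioner needs with an "all of them" rule: a sample whose author changes or strips a single one of these strings falls through, so a rule like this is a high-confidence detection for the known family rather than a broad net, and is best paired with the behavioural monitoring described under Mitigation Options.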


References

Targeted Destructive Malware, https://www.us-cert.gov/ncas/alerts/TA14-353A

FBI Flash Alert A-000044-MW

The BH01 Worm, http://www.sans.org/security-resources/malwarefaq/bh01.php

2014 Business Password Analysis, https://gsr.trustwave.com/topics/business-password-analysis/2014-business-password-analysis/

Viewing events for assessing NTLM usage, http://technet.microsoft.com/en-gb/library/jj865682(v=ws.10).aspx

Worm Activity - Brute Force, http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=0&softwareVersion=6.0&releaseVersion=S392

Why You Shouldn’t Disable The Task Scheduler Service in Windows 7 and Windows 8, http://blogs.technet.com/b/askpfeplat/archive/2013/07/15/why-you-shouldn-t-disable-the-task-scheduler-service-in-windows-7-and-windows-8.aspx

Configure Firewall Port Requirements for Group Policy, http://technet.microsoft.com/en-gb/library/jj572986.aspx

Strategies to Mitigate Targeted Cyber Intrusions, http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf


Further information

For more in-depth coverage, including full details of the analysis behind this blog as well as additional indicators which can be used to detect similar samples, or if you have any other queries, please give us a shout at threatintelligence@uk.pwc.com.
