Tuesday, May 5, 2009

Virut Analysis and Snort Rule

Virut (from virus + trojan) is a family of malware that has been around since about 2006. Unfortunately for us, it is still around 3 years later, with new variants being released on a regular basis. We came across a recent Virut sample (MD5: e68c4b9428f41036b1cf890d93bdf390) and took a closer look at it:

Immediately after the file is executed, it establishes an encrypted connection to irc.zief.pl:65520 (should that fail, the backup server is proxim.ircgalaxy.pl) to contact its command and control server. Virut then downloads several executable files from adx2.2288.org disguised as "non-files" (going by their file extensions):

  • adx.gif, a Trojan downloader
  • 8.txt, a password stealer. An analysis of 8.txt shows the following strings embedded in it:

Pic.1: Strings embedded in executable "8.txt"

The network traffic confirms that "8.txt" is a password-stealing Trojan:

Pic.2: Network traffic showing the password-stealing Trojan in action

Additional malware is downloaded from put.ghura.pl:

  • out.exe
  • adrtv.exe
  • ad2.exe

Note that the files downloaded, including their names, can be completely different every time, because Virut receives its instructions at runtime through its connection to the C&C server.

Virut is also a classic "virus" in the sense that it spreads from file to file by appending malicious code to clean files, making them some 20 kb larger than before. In infected files, a jump (JMP) instruction is inserted to point to the end of the original file. Picture 3 shows the virus entry point.

Pic.3: Virut entry point (the entry point Virut creates in the infected executable in order to call the viral code)

This variant of Virut is also an entry-point obscuring virus. Across different infected files, the virus' entry point sits at a different offset relative to the host file's entry point each time. Virut patches the code of the executables so that the virus is not always invoked when the files are run, but is called randomly.
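As an added illustration of the two file-level symptoms described above (a JMP at the entry point into code appended at the end of the file, and code living in an appended last section), here is a small PE heuristic that is not part of the original post. It hand-parses the section table and checks the entry point; the `build_sample_pe` fixture is a constructed minimal PE32 image, not a Virut sample, and the `.virut` section name is an assumption for the fixture only.

```python
import struct

# Added heuristic, not the post's own tooling: flag an entry point that lies in
# the last section, or a near JMP (E9) at the entry point that lands there, the
# layout a file-appending infector leaves behind.
def parse_pe(data):
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    fh, opt = pe + 4, pe + 24                                     # file / optional header
    nsec, opt_size = struct.unpack_from("<H", data, fh + 2)[0], struct.unpack_from("<H", data, fh + 16)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    sections = []                                                 # (name, rva, size, file_offset)
    for s in range(opt + opt_size, opt + opt_size + nsec * 40, 40):   # IMAGE_SECTION_HEADER
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, _, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((name, vaddr, vsize, rawptr))
    return entry_rva, sections

def section_of(rva, sections):
    # Map an RVA to (file_offset, section_name); (None, None) if unmapped.
    for name, vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return rawptr + rva - vaddr, name
    return None, None

def entry_point_findings(data):
    entry_rva, sections = parse_pe(data)
    off, sec = section_of(entry_rva, sections)
    if sec is None:
        return ["entry point outside every section"]
    findings = ["entry point lies in last section " + sec] if sec == sections[-1][0] else []
    if data[off] == 0xE9:                                         # JMP rel32 at entry
        rel = struct.unpack_from("<i", data, off + 1)[0]
        _, target = section_of(entry_rva + 5 + rel, sections)
        if target == sections[-1][0]:
            findings.append("entry JMP lands in last section " + target)
    return findings

def build_sample_pe(infected):
    # Constructed PE32 fixture: .text/.data plus, when infected, an appended
    # ".virut" section reached by a JMP patched over the entry point.
    text = bytearray(b"\x55\x8b\xec\xc3" + b"\x90" * 0x1FC)       # push ebp; mov ebp,esp; ret
    secs = [(b".text", 0x1000, 0x200), (b".data", 0x2000, 0x400)]
    if infected:
        secs.append((b".virut", 0x3000, 0x600))
        text[:5] = b"\xe9" + struct.pack("<i", 0x3000 - (0x1000 + 5))
    head = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"       # e_lfanew = 0x40
    head += struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    head += (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000)).ljust(224, b"\0")
    head += b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, rva, 0x200, ptr, 0, 0, 0, 0, 0x60000020)
                     for n, rva, ptr in secs)
    return head.ljust(0x200, b"\0") + bytes(text) + b"\0" * 0x200 + (b"\xcc" * 0x200 if infected else b"")
```

Because the entry-point obscuring variant described above places its JMP at a random offset rather than at the entry point itself, the JMP check alone will miss it; the last-section and file-growth symptoms still apply.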

Additionally, Virut is highly polymorphic. Pictures 4 and 5 show the file-appending virus code for 2 infected executables. The two sets of instructions do not match at all, because Virut uses garbage instructions and a different decryptor for each file it infects, making analysis more difficult.

Pic.4: Virut polymorphic code appended to an executable

Pic.5: Virut polymorphic code appended to another executable

According to VirusBulletin (www.virusbtn.com), the malware family Virut was the 5th most prevalent in March 2009. Virut has used the same domain name for the server it contacts when it is initially run. Rules to detect Virut attempting to contact its command and control server will be released in the near future. I will then update this blog post with the GIDs and SIDs.
