As you can see, the malware has two distinct and symmetric parts. Examining the first call to CreateThread in WinMain, it is clear that the function at 0x4014C0, labeled StartAddress, is the starting address of a new thread. The function at 0x4015C0 (labeled s_thread2_start) is also the starting address of a new thread.
Examining StartAddress (0x4014C0), we see that in addition to the s_Internet1 (0x401750) function, it also calls malloc, PeekNamedPipe, ReadFile, ExitThread, Sleep, and another internal function. The function at s_thread2_start (0x4015C0) contains a similar structure, with calls to s_Internet2 (0x401800), malloc, WriteFile, ExitThread, and Sleep. The function PeekNamedPipe can be used to watch for new input on a named pipe. (The stdin and stdout associated with a command shell are both named pipes.)
To determine what is being read from or written to by the two threads, we turn our attention to WinMain, the source of the threads, as shown in . We see that before WinMain starts the two threads, it calls the functions CreatePipeA, GetCurrentProcess, DuplicateHandle, and CreateProcessA. The function CreateProcessA creates a new cmd.exe process, and the other functions set up the new process so that the stdin and stdout associated with the command process handles are available.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PM14.2.1 Suspicious User-Agent (Internet Surf)"; content:"User-Agent\:|20|Internet|20|Surf"; http_header; sid:20001421; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PM14.2.2 Suspicious User-Agent (starts (!<)"; content:"User-Agent\:|20|(!<"; http_header; sid:20001422; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PM14.2.3 Suspicious User-Agent (long B64)"; content:"User-Agent\:|20|"; content:!"|20|"; distance:0; within:100; pcre:"/User-Agent:\x20[^\x0d]{0,5}[A-Za-z0-9+\/]{100,}/"; sid:20001423; rev:1;)
In , the first two signatures (20001421 and 20001422) are straightforward, targeting User-Agent header content that should hopefully be uncommon. The last signature (20001423) targets only the length and character restrictions of an encoded command-shell prompt, without assuming the existence of the same leading characters targeted in 20001422. Because the signature is looking for a less specific pattern, it is more likely to encounter false positives. The PCRE regular expression searches for the User-Agent header, followed by a string of at least 100 characters from the Base64 character set, allowing for up to five characters of any value at the start of the User-Agent (as long as they are not line feeds indicating a new header). The optional five characters allow a special start to the User-Agent string, such as the (!< seen in the malware. The requirement for 100 characters from the Base64 character set is loosely based on the expected length of a command prompt.
Finally, the negative content search for a space character is purely to increase the performance of the signature. Most User-Agent strings will have a space character fairly early in the string, so this check will avoid needing to test the regular expression for most User-Agent strings.
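The following is an added example, not part of the book's text or the lab's own code, that re-implements the matching logic of the three signatures above in Python so their behaviour can be checked offline against constructed HTTP requests. It models the `content` matches as substring searches, the negated `content:!"|20|"; distance:0; within:100;` as a space check on the 100 bytes following `User-Agent: ` (the cheap prefilter that gates the PCRE), and the PCRE as an equivalent Python regex. The sample requests, the cmd.exe banner text, and the header ordering (User-Agent placed last so the 100-byte window stays inside the header value) are all constructed for this illustration.

```python
import base64
import re

# Byte patterns of the content matches in signatures 20001421 and 20001422
# (Snort's |20| is a literal space).
UA_PREFIX = b"User-Agent: "
SIG_20001421_CONTENT = UA_PREFIX + b"Internet Surf"
SIG_20001422_CONTENT = UA_PREFIX + b"(!<"

# PCRE from signature 20001423, as a Python bytes regex with the same meaning:
# up to five non-CR bytes, then at least 100 Base64-alphabet characters.
SIG_20001423_PCRE = re.compile(rb"User-Agent:\x20[^\x0d]{0,5}[A-Za-z0-9+/]{100,}")


def sig_20001421(headers: bytes) -> bool:
    """content:"User-Agent\\:|20|Internet|20|Surf" as a substring match."""
    return SIG_20001421_CONTENT in headers


def sig_20001422(headers: bytes) -> bool:
    """content:"User-Agent\\:|20|(!<" as a substring match."""
    return SIG_20001422_CONTENT in headers


def sig_20001423(headers: bytes) -> tuple[bool, bool]:
    """Return (prefilter_passed, pcre_matched) for the long-Base64 rule.

    The negated content is relative to the end of the "User-Agent: " match:
    if a space occurs within the next 100 bytes the rule cannot fire, and the
    PCRE is never evaluated. That is the performance point the text makes.
    """
    start = headers.find(UA_PREFIX)
    if start < 0:
        return (False, False)
    window_start = start + len(UA_PREFIX)
    window = headers[window_start:window_start + 100]
    if b" " in window:
        return (False, False)
    return (True, SIG_20001423_PCRE.search(headers) is not None)


def evaluate_signatures(headers: bytes) -> list[int]:
    """Return the SIDs, in numeric order, that fire on one request's headers."""
    fired = []
    if sig_20001421(headers):
        fired.append(20001421)
    if sig_20001422(headers):
        fired.append(20001422)
    prefilter_ok, pcre_ok = sig_20001423(headers)
    if prefilter_ok and pcre_ok:
        fired.append(20001423)
    return fired


def encoded_shell_output(output: bytes) -> bytes:
    """User-Agent value in the shape the text describes: "(!<" followed by
    Base64-encoded shell output. Used here only to generate test traffic."""
    return b"(!<" + base64.b64encode(output)


def http_request(user_agent: bytes) -> bytes:
    """Constructed minimal GET request; User-Agent is the last header so the
    100-byte window after it is the header value itself."""
    return (b"GET / HTTP/1.1\r\nHost: example.invalid\r\nConnection: close\r\n"
            b"User-Agent: " + user_agent + b"\r\n\r\n")


# Constructed sample of what a cmd.exe banner plus prompt looks like; it is
# well over 75 bytes, so its Base64 form exceeds the rule's 100 characters.
CONSTRUCTED_PROMPT = (
    b"Microsoft Windows [Version 6.1.7601]\r\n"
    b"Copyright (c) 2009 Microsoft Corporation.  All rights reserved.\r\n"
    b"\r\nC:\\Users\\victim>"
)

BENIGN_REQUEST = http_request(
    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36")
INTERNET_SURF_REQUEST = http_request(b"Internet Surf")
SUSPICIOUS_REQUEST = http_request(encoded_shell_output(CONSTRUCTED_PROMPT))
# Opaque token with no space: prefilter passes, but it is far shorter than
# 100 Base64 characters, so the PCRE does not match.
SHORT_TOKEN_REQUEST = http_request(b"agent/" + b"A" * 40)

if __name__ == "__main__":
    samples = [("benign", BENIGN_REQUEST), ("internet-surf", INTERNET_SURF_REQUEST),
               ("encoded-prompt", SUSPICIOUS_REQUEST), ("short-token", SHORT_TOKEN_REQUEST)]
    for name, req in samples:
        print(f"{name:15s} prefilter/pcre={sig_20001423(req)} fired={evaluate_signatures(req)}")
```

Running the script shows the benign browser User-Agent rejected by the space prefilter alone, the encoded-prompt request firing both 20001422 and 20001423, and the short token passing the prefilter but not the PCRE; any tuning of the 100-character threshold can be tried against further constructed samples the same way.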