Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Back: Lab 14-1 Solutions
Next: Lab 14-3 Solutions


As you can see, the malware has two distinct and symmetric parts. Examining the first call to CreateThread in WinMain, it is clear that the function at 0x4014C0, labeled StartAddress, is the starting address of a new thread. The function at 0x4015C0 (labeled s_thread2_start) is also the starting address of a new thread.

Examining StartAddress (0x4014C0), we see that in addition to the s_Internet1 (0x401750) function, it also calls malloc, PeekNamedPipe, ReadFile, ExitThread, Sleep, and another internal function. The function at s_thread2_start (0x4015C0) contains a similar structure, with calls to s_Internet2 (0x401800), malloc, WriteFile, ExitThread, and Sleep. The function PeekNamedPipe can be used to watch for new input on a named pipe. (The stdin and stdout associated with a command shell are both named pipes.)

To determine what is being read from or written to by the two threads, we turn our attention to WinMain, the source of the threads, as shown in . We see that before WinMain starts the two threads, it calls the functions CreatePipeA, GetCurrentProcess, DuplicateHandle, and CreateProcessA. The function CreateProcessA creates a new cmd.exe process, and the other functions set up the new process so that handles to the stdin and stdout of the command process are available to the malware.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PM14.2.1 Suspicious User-Agent (Internet Surf)"; content:"User-Agent\:|20|Internet|20|Surf"; http_header; sid:20001421; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PM14.2.2 Suspicious User-Agent (starts (!<)"; content:"User-Agent\:|20|(!<"; http_header; sid:20001422; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PM14.2.3 Suspicious User-Agent (long B64)"; content:"User-Agent\:|20|"; content:!"|20|"; distance:0; within:100; pcre:"/User-Agent:\x20[^\x0d]{0,5}[A-Za-z0-9+\/]{100,}/"; sid:20001423; rev:1;)

In , the first two signatures (20001421 and 20001422) are straightforward, targeting User-Agent header content that should hopefully be uncommon. The last signature (20001423) targets only the length and character restrictions of an encoded command-shell prompt, without assuming the existence of the same leading characters targeted in 20001422. Because the signature is looking for a less specific pattern, it is more likely to encounter false positives. The PCRE regular expression searches for the User-Agent header, followed by a string of at least 100 characters from the Base64 character set, allowing for up to five characters of any value at the start of the User-Agent (as long as they are not line feeds indicating a new header). The optional five characters allow a special start to the User-Agent string, such as the (!< seen in the malware. The requirement for 100 characters from the Base64 character set is loosely based on the expected length of a command prompt.

Finally, the negative content search for a space character is purely to increase the performance of the signature. Most User-Agent strings will have a space character fairly early in the string, so this check will avoid needing to test the regular expression for most User-Agent strings.
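As an added illustration that is not part of the book's solution, the matching logic of the three signatures above is recreated in Python (the content matches, the negated-space pre-check and the PCRE, transcribed into the re module) and run over constructed User-Agent values, including the space-free token that shows the false-positive case the text warns about. The cmd.exe banner used as sample shell output is constructed, not captured from the malware.

```python
import base64
import re

# Content matches of signatures 20001421 and 20001422 (from the page).
CONTENT_SIGS = {
    20001421: b"User-Agent:\x20Internet\x20Surf",
    20001422: b"User-Agent:\x20(!<",
}
# PCRE of signature 20001423 (from the page), transcribed into Python's re.
LONG_B64_RE = re.compile(rb"User-Agent:\x20[^\x0d]{0,5}[A-Za-z0-9+/]{100,}")
UA_PREFIX = b"User-Agent:\x20"

def passes_space_prefilter(header):
    """Mirror 'content:!"|20|"; distance:0; within:100;' of 20001423: the PCRE
    is only evaluated if no space occurs in the 100 bytes after 'User-Agent: '."""
    window = header[len(UA_PREFIX):len(UA_PREFIX) + 100]
    return b"\x20" not in window

def match_rules(user_agent):
    """Return the sids that fire on the given User-Agent value, in rule order."""
    header = UA_PREFIX + user_agent          # the header line Snort sees in http_header
    hits = [sid for sid, needle in CONTENT_SIGS.items() if needle in header]
    if passes_space_prefilter(header) and LONG_B64_RE.search(header):
        hits.append(20001423)
    return hits

# Constructed stand-in for the cmd.exe banner and prompt the shell would send back.
FAKE_PROMPT = (b"Microsoft Windows [Version 6.1.7601]\r\n"
               b"Copyright (c) 2009 Microsoft Corporation.  All rights reserved.\r\n\r\n"
               b"C:\\Users\\victim>")

# Constructed User-Agent values, one per case the text discusses.
SAMPLES = {
    "browser": b"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
    "internet_surf": b"Internet Surf",
    "shell_prompt": b"(!<" + base64.b64encode(FAKE_PROMPT),  # well over 100 Base64 chars
    "short_beacon": b"(!<" + base64.b64encode(b"C:\\>"),      # too short for 20001423
    "long_token": b"A" * 120,   # space-free but not the malware: the false-positive case
}

def scan_samples():
    """Run every sample through the rules; returns {name: [sids]}."""
    return {name: match_rules(ua) for name, ua in SAMPLES.items()}

if __name__ == "__main__":
    for name, sids in scan_samples().items():
        print(f"{name:14s} -> {sids or 'no alert'}")
```

The pre-check works on the single header line here, whereas Snort's http_header buffer holds all normalized headers, so a User-Agent shorter than 100 bytes would have the following headers inside its 100-byte window.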


© RuTLib.com 2015-2018