by Long Tran  |  Jul 28, 2014  |  Filed in: Security Research

Asprox, a.k.a. Zortob, is an old botnet that was uncovered in 2007. It is known to spread by arriving as an attachment in spam emails that purport to be from well-known companies. The attachment itself is disguised as a legitimate document file by using icons such as those of a .doc or .pdf file.


Figure 1. Asprox malware posing as a Microsoft Word document.

This blog post will give an overview on Asprox's functionality with a focus on the changes in its communication with the command-and-control (C&C) server, including a new C&C command, as compared to its previous version.

Initial Startup and Injection

After unpacking itself, Asprox creates a new instance of svchost.exe and injects code into it. It then computes an MD5 digest over a combination of the Windows installation date, the user's account name and the user's security identifier (SID). This digest serves as the client identifier, and its first four bytes are used as the RC4 key for encrypting and decrypting data. Once this is done, the injected code signals the injecting process that it may terminate.

The injected code then attempts to create a mutex with the hardcoded name 2GVWNQJz1. This is a simple check to ensure that only one instance of the malware runs at a time, since the malware terminates if the mutex already exists.

Registry Check

Asprox checks for a registry key that contains an updated list of C&C servers, where each item in the list consists of a server's IP address and port number. This registry key is located at:

HKEY_CURRENT_USER\Software\[Random1]

The random name is generated by a function in the malware code that outputs eight random characters. (This function is used many times throughout the malware's execution.) Because the name is random, Asprox locates the key by enumerating all the keys under HKEY_CURRENT_USER\Software\ and attempting to decrypt each key's data with RC4. It then checks whether the decrypted data begins with the string "You fag!!!!!", which Asprox uses as the marker for the updated server list.

Asprox also enumerates the registry values under the following autorun key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This is done in order to search for a string value whose data matches the path of the malware. If no such value is found, it copies itself to the Local Application Data folder under a randomized name. The autorun registry entry for this file is created later.

It then attempts to find the registry entry with its Group ID. Similar to the registry key that stores the C&C server list, the Group ID is saved under a key with another randomized name:

HKEY_CURRENT_USER\Software\[Random2]

This key's data is prefixed with the string "For group!!!!!" before being encrypted with RC4. If the key is not present, the hardcoded Group ID "0406s" is used.

Although this check occurs later in the code, there is one more registry entry that Asprox uses:

HKEY_CURRENT_USER\Software\[Random3]

This specific key lists the bot's module names and the random filenames that they are saved with under the Local Application Data folder. The list has the prefix "For base!!!!!" and each item in the list uses the format "[Module Name]=[Random Filename];".
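As an added example (not code from the original post or from the Asprox sample), the following Python triage helper reproduces the pieces described above: the MD5-derived client identifier and its four-byte RC4 key, an RC4 routine, and a scan of HKCU\Software subkeys for values that decrypt to one of the three marker prefixes, with the module list parsed into name/filename pairs. The concatenation order of installation date, account name and SID, the ";"-separated layout of the server list, and the whole demo hive are assumptions constructed for this example; on a live host the hive dict would be filled from winreg enumeration instead.

```python
import hashlib

# Marker strings documented for this Asprox version. After RC4 decryption the
# registry value data begins with one of these.
MARKERS = {
    b"You fag!!!!!": "server_list",   # updated C&C IP:port list
    b"For group!!!!!": "group_id",    # Group ID (hardcoded default "0406s")
    b"For base!!!!!": "module_list",  # "[Module Name]=[Random Filename];" pairs
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def client_id(install_date: int, username: str, sid: str) -> bytes:
    """MD5 over InstallDate, account name and SID. The concatenation order and
    encoding are assumptions for this example; the post does not give them."""
    return hashlib.md5(f"{install_date}{username}{sid}".encode()).digest()


def rc4_key_from_id(digest: bytes) -> bytes:
    """The bot uses the first four bytes of the client identifier as its RC4 key."""
    return digest[:4]


def classify_value(key: bytes, blob: bytes):
    """Decrypt one HKCU\\Software\\<random> value and look for a known marker."""
    plain = rc4(key, blob)
    for marker, kind in MARKERS.items():
        if plain.startswith(marker):
            return kind, plain[len(marker):]
    return None, None


def parse_module_list(payload: bytes) -> dict:
    """'[Module Name]=[Random Filename];' items -> {module: filename}."""
    result = {}
    for item in payload.decode(errors="replace").split(";"):
        if "=" in item:
            name, fname = item.split("=", 1)
            result[name] = fname
    return result


def scan_software_hive(key: bytes, hive: dict) -> dict:
    """hive maps subkey name -> raw value bytes, mirroring the bot's own enumeration."""
    found = {}
    for subkey, blob in hive.items():
        kind, payload = classify_value(key, blob)
        if kind == "module_list":
            found[kind] = (subkey, parse_module_list(payload))
        elif kind is not None:
            found[kind] = (subkey, payload)
    return found


# Constructed demo data: a fake hive with one Asprox key of each kind plus noise.
KEY = rc4_key_from_id(client_id(1400000000, "alice", "S-1-5-21-1-2-3-1001"))
DEMO_HIVE = {
    "Microsoft": b"\x01\x02\x03",
    "qWe8tYu2": rc4(KEY, b"You fag!!!!!" + b"198.51.100.7:8080;203.0.113.9:80;"),
    "Zx9cVb1n": rc4(KEY, b"For group!!!!!" + b"0406s"),
    "Lk3jHg5f": rc4(KEY, b"For base!!!!!" + b"mod_a=aB3dE7gH;mod_b=Xy1Zq9Wv;"),
}

if __name__ == "__main__":
    for kind, (subkey, payload) in scan_software_hive(KEY, DEMO_HIVE).items():
        print(kind, subkey, payload)
```

The scan is keyed to one user's identifier, so on a real host it has to be run per profile with that profile's installation date, account name and SID; a value that decrypts to garbage under one key is simply skipped.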

Sandbox Defense

Asprox calls the WSAStartup API to prepare for network communication. However, before it performs any communication with the C&C server, it sleeps for two minutes. This is most likely an attempt to outlast the execution timeout of automated sandboxes.

Client Message to Server

After waking from its short sleep, Asprox randomly selects a server address from its server list and decrypts it with RC4. On the malware's first execution, the string "chwebABqyI" is used as the key to decrypt the IP address; otherwise, the four-byte key taken from the MD5 digest is used.

In the previous version, Asprox's initial message was the following formatted string:

http://IP:Port%.8x/index.php?r=gate&id=%23s&group=%.4drcm

In this version, it is changed to an XML-formatted knock message.


Figure 2. An example of the first message that is sent to the C&C server.

Unlike the previous version, communication with the server is now additionally protected with RSA, using the Microsoft Base Cryptographic Provider v1.0. The following hardcoded public key is used:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUAUdLJ1rmxx+bAndp+Cz6+5I
Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqw
jwxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U
00SNFZ88nyVv33z9+wIDAQAB
-----END PUBLIC KEY-----

The initial knock message is compressed and then RC4-encrypted with a key generated from the next sixteen bytes of the RC4 keystream. After the knock message has been encrypted, this sixteen-byte key is itself encrypted with the public key above. The two ciphertexts are concatenated and sent in the optional data field (the body) of a POST request.


Figure 3. Encrypted optional data field that contains the RC4 key and the knock message.

The POST request path is built from the four-byte RC4 key taken from the MD5 digest, followed by the string "/index.php?r=gate" encrypted with that same key.


Figure 4. The POST request containing the RC4 key and encrypted data.
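The key above and the envelope around it can be inspected with plain Python. The following is an added example, not code from the post or from the sample: it parses the hardcoded SubjectPublicKeyInfo with a minimal DER reader (confirming a 1024-bit modulus and e = 65537), derives a SHA-256 fingerprint of the key to pivot on when hunting for other samples that embed it, and reproduces the key-wrap step with PKCS#1 v1.5 padding, which is what CryptEncrypt applies to an RSA key by default. Two caveats: CryptoAPI writes the RSA ciphertext little-endian, whereas this code keeps the conventional big-endian order; and os.urandom stands in for however the sample obtains its sixteen-byte session key. The RC4 encryption of the compressed knock message and the exact byte layout of the POST body are not reproduced here.

```python
import base64
import hashlib
import os

# The hardcoded public key from the post, reflowed as a standard PEM block.
ASPROX_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCUAUdLJ1rmxx+bAndp+Cz6+5I
Kmgap2hn2df/UiVglAvvg2US9qbk65ixqw3dGN/9O9B30q5RD+xtZ6gl4ChBquqw
jwxzGTVqJeexn5RHjtFR9lmJMYIwzoc/kMG8e6C/GaS2FCgY8oBpcESVyT2woV7U
00SNFZ88nyVv33z9+wIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem: str) -> bytes:
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def _tlv(buf: bytes, pos: int):
    """Minimal DER reader: returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes):
    """SubjectPublicKeyInfo -> (modulus, public exponent); rejects non-RSA keys."""
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, pos = _tlv(spki, 0)                         # AlgorithmIdentifier
    if not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)                      # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsakey, _ = _tlv(bits, 1)                        # RSAPublicKey SEQUENCE body
    _, n_bytes, pos = _tlv(rsakey, 0)                   # INTEGER modulus
    _, e_bytes, _ = _tlv(rsakey, pos)                   # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER SPKI: a stable indicator for the embedded key itself."""
    return hashlib.sha256(der).hexdigest()


def pkcs1_v15_pad(k: int, msg: bytes, rng=os.urandom) -> bytes:
    """EME-PKCS1-v1_5: 00 02 || non-zero random PS || 00 || M, k bytes in total."""
    if len(msg) > k - 11:
        raise ValueError("message too long for PKCS#1 v1.5")
    ps = bytearray()
    while len(ps) < k - len(msg) - 3:
        b = rng(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def wrap_session_key(n: int, e: int, session_key: bytes = None) -> tuple:
    """Encrypt a sixteen-byte RC4 session key under the bot's public key.
    Returns (session_key, ciphertext). Big-endian output; CryptoAPI would
    emit the same integer little-endian."""
    if session_key is None:
        session_key = os.urandom(16)  # stand-in for the sample's own key source
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_v15_pad(k, session_key), "big")
    return session_key, pow(em, e, n).to_bytes(k, "big")


if __name__ == "__main__":
    der = pem_to_der(ASPROX_PUBKEY_PEM)
    n, e = parse_rsa_spki(der)
    print(f"RSA-{n.bit_length()} e={e} spki-sha256={key_fingerprint(der)}")
    key, ct = wrap_session_key(n, e)
    print(f"session key {key.hex()} -> {len(ct)}-byte wrapped key")
```

Because only the public half is in the binary, the wrapped key can be produced but not opened here; recovering the session key from captured traffic requires the operators' private key, which is the point of the scheme.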

After submitting the POST message to the C&C server, the client reads the server's reply.

Server Response

When the reply from the C&C server is received, its signature is first verified using the public key; the data is then decrypted with RC4 using the same sixteen-byte key that encrypted the knock message. Because the bot checks this signature, a reply cannot be forged without the operators' private key.

Similar to the initial message that Asprox sends, the response from the C&C server has also changed from a formatted string to an XML-formatted knock message. The following two figures show examples of knock messages with C&C commands that were received from the server. (The C&C commands will be discussed in the next section.)


Figure 5. A portion of the "run" command received from the C&C server.


Figure 6. The "idl" command received from the C&C server.

The received knock message is sent to a function where it is parsed into a structure of size 93 (0x5D) bytes. Note that depending on the command, some of these fields may not be populated.


Table 1. The structure that contains the data from the knock message.

The figure below shows an example of the received data after it has been parsed into this structure.


Figure 7. An example of a parsed "run" command that reveals a downloaded executable.

C&C Functions

The following are the C&C functions that Asprox uses. The number next to each command is the Type (see Table 1).

Idl (0): Go to sleep for thirteen minutes.

Run (1): Run the executable that is embedded in the module data. When this command is received, the bot first verifies the data's integrity by calculating the MD5 digest of the data and comparing it against the digest given by the server. If verified, the bot creates the file as %LocalAppData%\[Random].exe and calls CreateProcess to execute it.

Rem (2): Delete its autorun, server address list and module list registry keys. The Group ID and the dropped files remain.

Rdl (3): Inject the module into a new instance of svchost.exe. When this command is received, the bot first verifies the module's data integrity using the MD5 digest, then creates a new instance of svchost.exe and injects the downloaded module into it. If the Save Module Flag (see Table 1) is set, it searches for the module list registry key and creates it if it is not found. It then saves the data as a file in the Local Application Data folder under a randomized filename; this file is saved without an extension. Finally, it appends the module name and random filename pair to the end of the module list registry key.

Red (4): Remove the module name from the module list registry key. The file itself is not deleted from the system.

Upd (5): Update itself. When this command is received, the bot first verifies the module's data integrity using the MD5 digest. If verified, it deletes itself from the Local Application Data folder and uses the data to create a new file with the same name and location.

Ear (6): Save the executable and create an autorun registry entry. This command is the latest addition to Asprox. When received, the bot verifies the module's data integrity using the MD5 digest and saves the module as a file in the Local Application Data folder under a randomized name. It then creates an autorun registry entry for it. The module is not executed.

Registry Key and Server Address Update

After executing the C&C command, the malware checks if an updated server address list exists inside the structure. If present, it will update the registry key that contains the list of server addresses. If the registry key is not yet present, it will create it and add the server information.

If an autorun registry entry has not yet been created, it creates one under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with a random value name. The data is the path of the copied file under the Local Application Data folder.

Finally, it will go through its module list in the registry and inject all the modules that are MZ files into new instances of svchost.exe.
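To see how the commands above and the post-command update step change what is left on a host, here is an added example (not the post's or the sample's code) that models the registry keys, dropped files, injections and autorun entries as plain Python state and replays a constructed command sequence through a handler for all seven types, including the MD5 integrity check. The field names in the command dicts, the assumption that the bot does no post-command processing after Rem, and the assumption that an already-running module is not injected a second time are mine; the RC4 layer on the registry values and the real random-name routine are omitted.

```python
import hashlib
import os

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Command names keyed by the Type field of the parsed knock structure (Table 1).
COMMANDS = {0: "idl", 1: "run", 2: "rem", 3: "rdl", 4: "red", 5: "upd", 6: "ear"}
# Commands whose module data the bot checks against the server-supplied MD5.
MD5_CHECKED = {"run", "rdl", "upd", "ear"}


def random_name(n: int = 8) -> str:
    """Stand-in for the bot's eight-character random-name routine (not the real algorithm)."""
    return "".join(ALPHABET[b % len(ALPHABET)] for b in os.urandom(n))


class BotState:
    """Plaintext model of the artifacts the post describes."""

    def __init__(self):
        self.self_name = random_name() + ".exe"          # bot copy in %LocalAppData%
        self.files = {self.self_name: b"MZ<original bot>"}
        self.server_list = None          # HKCU\Software\[Random1]
        self.group_id = "0406s"          # HKCU\Software\[Random2], hardcoded default
        self.module_list = {}            # HKCU\Software\[Random3]: {module: filename}
        self.autorun = {}                # HKCU\...\CurrentVersion\Run: {value: path}
        self.injected = []               # module names injected into svchost.exe
        self.executed = []               # files handed to CreateProcess
        self.sleep_minutes = 0
        self.log = []


def handle_command(state: BotState, cmd: dict) -> bool:
    """Apply one parsed knock message. Keys (type, data, md5, module, save_module,
    servers) are assumed names for the fields the post mentions. Returns False
    when the MD5 check rejects the module data."""
    kind = COMMANDS[cmd["type"]]
    data = cmd.get("data", b"")
    if kind in MD5_CHECKED and hashlib.md5(data).hexdigest() != cmd["md5"].lower():
        state.log.append(f"{kind}: MD5 mismatch, module ignored")
        return False
    if kind == "idl":
        state.sleep_minutes += 13
    elif kind == "run":
        fname = random_name() + ".exe"
        state.files[fname] = data
        state.executed.append(fname)
    elif kind == "rem":
        state.autorun.clear()
        state.server_list = None
        state.module_list = {}           # Group ID and dropped files stay behind
        state.log.append("rem: persistence keys removed")
        return True                      # assumption: no post-processing after rem
    elif kind == "rdl":
        state.injected.append(cmd["module"])
        if cmd.get("save_module"):
            fname = random_name()        # saved without an extension
            state.files[fname] = data
            state.module_list[cmd["module"]] = fname
    elif kind == "red":
        state.module_list.pop(cmd["module"], None)   # the file itself stays on disk
    elif kind == "upd":
        state.files[state.self_name] = data          # same name and location
    elif kind == "ear":
        fname = random_name()
        state.files[fname] = data
        state.autorun[random_name()] = "%LocalAppData%\\" + fname   # not executed
    post_command_update(state, cmd)
    return True


def post_command_update(state: BotState, cmd: dict) -> None:
    """The 'Registry Key and Server Address Update' step after every command."""
    if cmd.get("servers"):
        state.server_list = list(cmd["servers"])
    own_path = "%LocalAppData%\\" + state.self_name
    if own_path not in state.autorun.values():
        state.autorun[random_name()] = own_path
    for module, fname in state.module_list.items():
        # assumption: a module that is already running is not injected again
        if state.files.get(fname, b"").startswith(b"MZ") and module not in state.injected:
            state.injected.append(module)


def module_list_value(state: BotState) -> str:
    """Serialise the module list as the post describes it (before RC4)."""
    return "For base!!!!!" + "".join(f"{m}={f};" for m, f in state.module_list.items())


def demo() -> BotState:
    """Constructed command sequence; the module bytes are fake, not real Asprox modules."""
    mod = b"MZ" + b"\x90" * 30
    good = hashlib.md5(mod).hexdigest()
    state = BotState()
    handle_command(state, {"type": 3, "module": "mod_a", "data": mod, "md5": good,
                           "save_module": True, "servers": ["198.51.100.7:8080"]})
    handle_command(state, {"type": 5, "data": b"MZ<evil>", "md5": "00" * 16})  # bad digest
    handle_command(state, {"type": 6, "module": "mod_b", "data": mod, "md5": good})
    handle_command(state, {"type": 4, "module": "mod_a"})
    handle_command(state, {"type": 0})
    return state


if __name__ == "__main__":
    s = demo()
    print("autorun:", s.autorun)
    print("module list:", module_list_value(s))
    print("files left:", sorted(s.files))
    print("log:", s.log)
```

Replaying the sequence shows what an incident responder should expect after a Red or Rem: the module list or persistence keys disappear, but the dropped files under the Local Application Data folder and the Group ID key do not.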

Conclusion

In this blog post, we gave a quick overview of Asprox's functions and looked at the updates made to its C&C code. With added RSA encryption, another C&C command, and an updated message format, it does not look like Asprox will stop evolving. We will continue to monitor Asprox for any changes and will keep you updated.
