by He Xu  |  Nov 12, 2014  |  Filed in: Security Research

Dofoil, also known as Smoke Loader, is a modularized botnet that has existed for a few years. Since 2013 we have not received any new variants of this bot, and the command-and-control (C&C) servers of its previous variants are no longer accessible, which made Dofoil look like a dead botnet.

In September 2014, however, we received a brand new Dofoil variant that carries more features. This blog post discusses our brief analysis of this new variant, which we detect as W32/Zurgop.BK!tr.dldr.

New Dofoil?

The previous Dofoil botnet gets its module list from its C&C server and then downloads those modules remotely. The command for fetching the module list is sent in plaintext, as shown below.

Figure 1. Previous Dofoil variant traffic with the getload command.

The new Dofoil variant uses the same command, but the traffic is now encrypted (Figure 2).

Figure 2. Encrypted traffic of new Dofoil.

After decryption, we can see that it is the same command.

Figure 3. New Dofoil traffic with the getload command, after decryption.

We can now easily tell that they are from the same family: Dofoil.

As a new generation of the Dofoil botnet, it brings multiple improvements and new features. I discuss several of these in the following sections.

Anti-VM and Anti-debugging

The bot contains several checks to detect whether it is running in a debugger or a virtual machine. If any of the following conditions is met, the bot enters an infinite loop.

  1. The file name or path includes the string “sample”.
  2. The volume serial number of partition C:\ starts with 0x0CD1A40 or 0x70144646.
  3. The module sbiedll.dll (used in Sandboxie) exists in the bot’s current module list.
  4. The module dbghelp.dll (used in the WinDBG environment) exists in the bot’s current module list.
  5. The registry subkey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum\0 contains any of the following strings, which indicates that the bot is running in a virtual machine:

[Figure: list of virtual machine identifier strings]

  6. The Uninstall information in the registry includes the key AutoItv3CCleanerWIC.

Dropped File and Attribute Updates

The bot creates a new folder under the user’s Application Data folder using a randomly generated name. It then drops a copy of itself in that folder, also using a randomly generated name.

This behavior is common in much of today's malware, but this bot goes one step further: it updates the attributes of the created file and folder by copying the file attributes of advapi32.dll.

Figure 4. Updating the attributes of the bot’s created folder.

Figure 5. Updating the attributes of the bot’s dropped file.

Double Map Injection

This new Dofoil variant uses the double map code injection technique, an injection mechanism that has appeared only in the last two years. The method is primarily aimed at helping the bot evade automatic detection by security tools.

When injecting its code, Dofoil targets explorer.exe, a process commonly abused by malware. The bot first creates a mapped section locally and moves most of its data into it. It then maps the same section into explorer.exe, so that the malicious code is now present inside explorer.exe. The bot then repeatedly calls the API SetWindowLongA with the parameter DWL_MSGRESULT and a pointer to the injected code buffer. This API call changes the default value of the specified window attribute and triggers an asynchronous new thread in explorer.exe that executes the injected malicious code.

To make sure that the injection and execution of the malicious code succeed, the bot calls the API SendNotifyMessageA, which activates the injected code directly. Somewhere in the injected code is an instruction that resets the window attribute to its default value. The bot then enters a loop that calls GetWindowLongA to check for this default value, which indicates that the remote execution has succeeded.

If the code injection into explorer.exe fails, the bot falls back to launching a new instance of svchost.exe. It then uses a classic injection routine based on the API ZwQueueApcThread.

The Injected Code

The code that has been injected into explorer.exe simply loads an embedded abnormal PE file (Figure 6) and injects it into a newly started instance of svchost.exe.

To avoid detection by memory-searching security tools, the ‘PE’ signature is filled with zeroes, as are the section names in its section table. The abnormal PE file also has no MZ header.

Figure 6. Abnormal PE structure.

After repairing the abnormal PE file, we find that it is a DLL (module) with the export function Work.

Figure 7. Export function of the DLL.

This DLL contains Dofoil’s main malicious code, in particular the code related to its C&C communication.
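As an added example (not Fortinet's tooling or the bot's code), the following Python scans a buffer for an NT header the way a memory-searching tool must once the ‘PE’ signature is zeroed: it validates the COFF file header and the optional-header magic instead of the signature, reports whether the section names were zeroed as well, and writes the signature back so an ordinary PE parser can take over. The field constants are standard PE definitions; the sample blob is constructed inline and stands in for the dumped abnormal DLL.

```python
# Heuristic PE-header scan for dumps where 'PE\0\0' and section names are zeroed.
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
PE_SIGNATURE = 0x4550                         # b"PE\0\0" as a little-endian DWORD
OPTIONAL_MAGIC = {IMAGE_FILE_MACHINE_I386: 0x10B,   # PE32
                  IMAGE_FILE_MACHINE_AMD64: 0x20B}  # PE32+
NT_HDR_FMT = "<IHHIIIHH"                      # Signature + IMAGE_FILE_HEADER, 24 bytes

def find_stripped_pe_headers(buf):
    """Return candidate IMAGE_NT_HEADERS without trusting the signature:
    the COFF fields and the optional-header magic must agree instead."""
    hits = []
    for off in range(0, len(buf) - 0x1A + 1):
        sig, machine, nsec, _ts, _sym, _nsym, opt_size, chars = \
            struct.unpack_from(NT_HDR_FMT, buf, off)
        if sig not in (0, PE_SIGNATURE) or machine not in OPTIONAL_MAGIC:
            continue
        if not (1 <= nsec <= 96 and opt_size in (0xE0, 0xF0)):
            continue
        if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
            continue
        if struct.unpack_from("<H", buf, off + 0x18)[0] != OPTIONAL_MAGIC[machine]:
            continue
        # Section table follows the optional header; each 40-byte entry starts with an 8-byte name.
        tbl = off + 0x18 + opt_size
        names = [buf[tbl + 40 * i:tbl + 40 * i + 8] for i in range(nsec)]
        hits.append({"offset": off, "machine": machine, "sections": nsec,
                     "signature_zeroed": sig == 0,
                     "section_names_zeroed": all(n == b"\0" * 8 for n in names)})
    return hits

def restore_signature(buf, off):
    """Write 'PE\\0\\0' back at off so ordinary PE parsers accept the header."""
    out = bytearray(buf)
    out[off:off + 4] = b"PE\0\0"
    return bytes(out)

def build_sample(zero_sig=True, zero_names=True):
    """Constructed blob: 64 filler bytes, an NT header for a 32-bit DLL with two
    sections, a PE32 optional header and the section table; no MZ header."""
    hdr = struct.pack(NT_HDR_FMT, 0 if zero_sig else PE_SIGNATURE,
                      IMAGE_FILE_MACHINE_I386, 2, 0x5440F00D, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 0xDE
    names = [b"\0" * 8] * 2 if zero_names else [b".text\0\0\0", b".data\0\0\0"]
    secs = b"".join(n + b"\0" * 32 for n in names)
    return b"\x90" * 0x40 + hdr + opt + secs + b"\xCC" * 16
```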

Fake C&C Traffic

The bot enumerates the following registry key to collect all the URLs stored in its HelpLink and URLInfoAbout values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

The following figure shows the URLs that the bot has retrieved from my replication system.

Figure 8. Dynamically collected URLs.

The bot then connects to these URLs and sends encrypted packages to them, in an attempt to fool network sniffing tools into treating this as its C&C traffic.

In our tests, we found that most of the business web sites it connected to returned an error response, as in the case below.

Figure 9. Traffic showing a response with error feedback.

Some web sites, however, would respond with a normal web page, as in the example below.

Figure 10. Traffic showing a successful request.

Because of this, detecting the botnet traffic based on the server response alone is inadequate.

Furthermore, this new Dofoil variant uses the same encryption algorithm for these decoy packages as for its real C&C traffic, making it difficult to tell which connections carry real C&C traffic and which are fake.

After decrypting them, however, we can easily tell them apart, because the fake C&C package is missing its major parts (Figure 11).

Figure 11. Decrypted fake C&C traffic.

As we can see above, the traffic has only one random parameter ‘r’.
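As an added example that is not part of the original post, the following Python applies the two distinguishing features described above to triage observed requests: a destination matching a URL harvested from the Uninstall key's HelpLink and URLInfoAbout values is a decoy, and a decrypted body whose only parameter is the random ‘r’ is a decoy. It assumes, which the post does not state, that a decrypted body parses as URL-encoded key=value pairs; the registry values and requests are constructed samples.

```python
# Triage of Dofoil-style decoy C&C requests using the two signals from the write-up.
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the HelpLink / URLInfoAbout values a host-collection
# step would read under HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall.
SAMPLE_UNINSTALL_URLS = [
    "http://www.vendor-one.example/support/",
    "https://Help.Vendor-Two.example/kb?id=7",
    "",                                   # empty value, common in real keys
]

def hosts_from_uninstall(urls):
    """Lower-cased hostnames of every well-formed URL found in the registry values."""
    return {h for h in (urlsplit(u).hostname for u in urls if u) if h}

def body_is_decoy(decrypted_body):
    """True when the only parameter present is 'r', i.e. no command fields at all."""
    params = parse_qs(decrypted_body, keep_blank_values=True)
    return set(params) == {"r"}

def classify_request(dest_url, decrypted_body, uninstall_hosts):
    """Return 'decoy' or 'candidate-c2' for one observed encrypted request."""
    host = (urlsplit(dest_url).hostname or "").lower()
    if host in uninstall_hosts:
        return "decoy"            # talking to a site the bot harvested from the host
    if decrypted_body is not None and body_is_decoy(decrypted_body):
        return "decoy"            # no command payload, only the random 'r' filler
    return "candidate-c2"         # survives both filters: worth an analyst's time

def triage(requests, uninstall_urls):
    """Map each (url, body) to its label; body is None when it could not be decrypted."""
    hosts = hosts_from_uninstall(uninstall_urls)
    return {url: classify_request(url, body, hosts) for url, body in requests}

# Constructed observations: one decoy identified by host, one by its body, and one
# request that passes both filters. The 'cmd=getload' body is a constructed guess
# at how the getload command might look once decrypted, not a captured format.
SAMPLE_REQUESTS = [
    ("http://www.vendor-one.example/support/", None),
    ("http://203.0.113.10/index.php", "r=8d1e4f"),
    ("http://198.51.100.7/gate.php", "cmd=getload&r=19ab"),
]
```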

For more information on Dofoil’s C&C traffic, see Micky Pun’s slides from the VB 2012.

Conclusion

From our brief analysis of the latest Dofoil botnet, we can see that it is much more dangerous and aggressive than before. We have already added the detection pattern for this botnet and will respond as quickly as possible to any future changes to ensure continued protection for our customers.
