A few weeks ago, our FortiGuard Labs Threat Intelligence system flagged a batch of new suspicious samples, as it does routinely. One of these samples caught our attention when we examined its network traffic.
For this particular sample, which Fortinet already detects as W32/Foreign.LXES!tr, we found that most of its communication came back with the HTTP/1.1 404 Not Found status, which would normally indicate that an error has occurred. When we analyzed the data further, however, we realized that this was actually a deliberate trick.
The Ping & Pong Commands
When it first connects to its C&C server, the Foreign bot uses the command ping, which expects the reply pong (Figure 1).
Figure 1. The Foreign bot uses ping/pong to check if the C&C server is available.
This is similar to the PING and PONG messages of the IRC protocol (Figure 2).
Figure 2. The PING/PONG messages, as used in a normal IRC connection.
Unlike the PING/PONG messages of the IRC protocol, which are used for testing the presence of an existing connection, the bot uses its ping/pong commands under the HTTP protocol to test the availability of its C&C server.
Hiding C&C Traffic Under an HTTP Error Code
The HTTP 404 Error is a standard HTTP response code indicating that the client is able to communicate with a server, but that the server could not find the page the client requested. The Foreign bot uses the 404 Error for its malicious purposes, hiding its communication with its C&C server under this standard HTTP response code.
As can be seen in the figure below, the received message is Base64-encoded and stored in a source-code comment between the NCMD keywords.
Figure 3. The bot’s C&C message hidden in the HTTP 404 Error.
According to the plaintext message of the package that was sent to the C&C server (Figure 3), the current version of the bot is 3.3. This version number can also be found in the bot’s binary (Figure 4).
Figure 4. Bot version in the binary.
Furthermore, as we can see in Figure 4, the bot also collects some system information - such as the operating system, the antivirus software installed, the network status, and the system serial number - and then uploads this information to the C&C server.
The package received from the C&C server is encoded with Base64. After decoding the package, we can see the C&C message in plaintext. Below is an example of a package that we received.
Figure 5. Example of package received from the C&C server.
In the example above, we can see multiple commands in the message, which we marked in red.
- The spread archive command tells the bot to insert a copy of itself into RAR archives. The file names of its copies are chosen from the following list, which can be found hardcoded in its binary.
Figure 6. Filename list for RAR archive infection.
- The spread usb command lets the bot infect USB drives in the system. The filename used is not taken from a predefined list, but is generated using the format %d%d%d.exe, so only numbers are used.
- The loader command triggers the download and execution of another binary in the user’s Temporary folder. The bot examines the downloaded binary’s extension: if it is .dll, the bot runs regsvr32.exe with the /s parameter to load it; if it is .vbs, it runs wscript.exe to load it. Files with any other extension, including .exe, are executed directly by calling the CreateProcess API.
- The rate command adds the following registry entry:
The [Number] indicated above is a number given by the C&C server. In our testing, the value given was 30.
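To show how a defender can pull the hidden C&C message out of a 404 response like the one described above, here is an added example (not code from the original post or from the bot). It assumes an HTML-comment layout with the NCMD keywords placed directly around the Base64 text, a constructed ";" command separator, and a constructed sample response; the command keywords it flags are the ones listed in this write-up.

```python
import base64
import re

# Constructed sample of a 404 response carrying a C&C message, modelled on the
# Foreign bot's technique. The HTML-comment layout, the NCMD markers sitting
# directly around the Base64 text, and the ';' command separator are
# assumptions for this example, not details taken from the captured traffic.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>Not Found</h1>\n<!-- NCMD"
    + base64.b64encode(b"spread archive;spread usb;rate 30")
    + b"NCMD -->\n</body></html>\n"
)

# Base64 text (whitespace tolerated) bracketed by two NCMD markers.
NCMD_RE = re.compile(rb"NCMD\s*([A-Za-z0-9+/=\s]+?)\s*NCMD")

# Command keywords named in the write-up; used only to flag what a decoded
# message contains, since the real command separator is not known here.
KNOWN_COMMANDS = ("spread archive", "spread usb", "loader", "rate")


def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n")[0].decode("latin-1"), body


def extract_ncmd_messages(raw: bytes):
    """Return the decoded NCMD payloads hidden in a 404 response, [] if none.

    Non-404 responses are ignored because that status is where the bot hides
    its traffic; a blob that is not valid Base64 is skipped, not raised.
    """
    status, body = split_response(raw)
    if not status.startswith("HTTP/1.") or " 404 " not in status:
        return []
    messages = []
    for match in NCMD_RE.finditer(body):
        blob = re.sub(rb"\s+", b"", match.group(1))
        try:
            messages.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return messages


def find_known_commands(message: str):
    """List the documented Foreign commands that appear in a decoded message."""
    return [cmd for cmd in KNOWN_COMMANDS
            if re.search(rf"\b{re.escape(cmd)}\b", message)]
```

Running `extract_ncmd_messages` over captured 404 bodies and passing any hits to `find_known_commands` gives a quick triage signal for this family's traffic.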
The Bot Commands
Because this is a brand new bot, we received only a subset of the commands the C&C server can send. After analyzing the bot’s code, we found the following complete list of bot commands:
The Anti-Analysis Feature
In its code, the bot contains an anti-analysis feature that is not activated. This feature includes several ways of detecting whether the bot is being debugged or executed in a virtual machine and, if so, terminates the bot immediately.
Should this feature be activated, it could hinder analysis, so we list all of its detection mechanisms below:
- Calling the API IsDebuggerPresent
- Calling the API CheckRemoteDebuggerPresent
- The following strings are present in the result of the API GetUserNameA:
- The following strings exist in the full path of the bot:
- The API wine_get_unix_file_name exists in kernel32.dll
- Any of the following DLLs exists and is loadable:
- Any of the following registry entries exists:
The Foreign bot is an example of how malware can take advantage of standard messages in common protocols, using them to hide and spread its malicious activities. Our FortiGuard Labs Threat Intelligence system will continually monitor this bot’s activity and will respond when new activities emerge.