
Need a good decompiler for malware


Question

Apparently I have a piece of 0-day malware that seems to be attaching itself to different processes on different machines, everything from not very well known exes to well known exes. I need something that will break the exe apart, find out what it is calling, and find out what exactly is embedded in it. Yes yes, millions of lines of code....I don't feel like waiting for my AV company to find the issue and fix it.

Executables that Comodo seems to think are communicating to IPs:

pc1: googlequicksearchbox.exe 208.73.210.48
pc2: svchost.exe 208.73.210.48
server1: btmservice.exe 208.73.210.48

Info about 208.73.210.48

IP address: 208.73.210.48
Reverse DNS: [No reverse DNS entry per ns1.oversee.net.]
Reverse DNS authenticity: [unknown]
ASN: 33626
ASN Name: OVERSEE-DOT-NET
IP range connectivity: 7
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 208.73.128.0 to 208.73.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): -- []
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 208.73.210.48

This is going on with multiple computers/servers and all random exes communicating...I need to find what is calling the malware to run and connect.




Yeah, 161 is SNMP -- you sure that is right? Seems like a pretty stupid port to try and talk to your C&C server on.. I would think every single work network on the planet would have that blocked..

Can we get a packet capture?

He said he had Wireshark on the network here.....mdssfioajdsiojjalkeureijf......anyway, I am getting a hub sent over to me now.



After many hours of screwing with this I think I may have gotten it without a full reinstall of the OS. I will need to let this sit and see what the sniffer sees...Comodo and the trial Malwarebytes aren't reporting anything like what was happening. I am pretty sure that a critical OS file has been taken over (not sure which). This is only one of the hundred or so and right now I am not 100% on it. I will say this is pretty much a pain. Any normal user should wipe their machine if they get this strain until they can detect it...fker masks and attaches itself to random processes. I don't expect novice techs to go through tons of logs or go through pulling the drive out of the computer to clean (partially what I believe "fixed" it). I still have about an hour left here and a 2 hour drive home. Status.msi is screwing with me now, it is an HP printer thing. Building a PC to sniff the network so I can take my computer back with me. Ugh.



Are you (they, I know you are playing clean up atm) running a bastion host or any equivalent infrastructure?

It might be worth actively fire-walling the dial home locations in the hope of stopping the proliferation of the malware. (It occurred to me after posting you have probably already done this given you don't appear to be a moron :p But still >.<)

Other than that you seem to be well and truly on top of it, even if still playing catch up.

Good luck >.<



After many hours of screwing with this I think I may have gotten it without a full reinstall of the OS. I will need to let this sit and see what the sniffer sees...Comodo and the trial Malwarebytes aren't reporting anything like what was happening. I am pretty sure that a critical OS file has been taken over (not sure which). This is only one of the hundred or so and right now I am not 100% on it. I will say this is pretty much a pain. Any normal user should wipe their machine if they get this strain until they can detect it...fker masks and attaches itself to random processes. I don't expect novice techs to go through tons of logs or go through pulling the drive out of the computer to clean (partially what I believe "fixed" it). I still have about an hour left here and a 2 hour drive home. Status.msi is screwing with me now, it is an HP printer thing. Building a PC to sniff the network so I can take my computer back with me. Ugh.

You can check atapi.sys, ntfs.sys, ntoskrnl.exe and volsnap.sys with a file compare. Those are the most likely affected.

It's not DHCP but I can't remember the other one.
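The "file compare" suggested above is, in practice, a hash comparison of the named kernel binaries against a copy taken from a known-clean machine at the same patch level. The script below is an added example, not code from the thread: it hashes a watch list of files (the four names from the post), builds a baseline manifest from a trusted directory, and reports each file as match, modified, missing or new. The demo at the bottom runs against two constructed temporary directories rather than a real System32, so it works offline; the directory layout and the tampered contents are assumptions for the demo only.

```python
import hashlib
import tempfile
from pathlib import Path

# Kernel-mode binaries named in the thread. On a real Windows box these sit under
# %SystemRoot%\System32 and %SystemRoot%\System32\drivers; the demo uses temp dirs.
WATCHED_FILES = ["atapi.sys", "ntfs.sys", "ntoskrnl.exe", "volsnap.sys"]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, names):
    """Map each watched file name to its SHA-256 under root, or None if absent."""
    root = Path(root)
    return {name: (sha256_of(root / name) if (root / name).is_file() else None)
            for name in names}


def compare(baseline, current):
    """Classify every name seen in either manifest as match/modified/missing/new."""
    verdicts = {}
    for name in sorted(set(baseline) | set(current)):
        known, seen = baseline.get(name), current.get(name)
        if seen is None:
            verdicts[name] = "missing"      # absent on the suspect host
        elif known is None:
            verdicts[name] = "new"          # present on suspect, not in the clean baseline
        elif known == seen:
            verdicts[name] = "match"
        else:
            verdicts[name] = "modified"     # same name, different bytes: inspect this one
    return verdicts


def demo():
    """Constructed scenario: a clean tree and a suspect tree with one file altered, one removed."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for name in WATCHED_FILES:
            fake_binary = b"MZ" + name.encode() * 100   # constructed stand-in for a PE file
            (Path(clean) / name).write_bytes(fake_binary)
            (Path(suspect) / name).write_bytes(fake_binary)
        # Simulate tampering on the suspect host: patched driver and a deleted one.
        (Path(suspect) / "atapi.sys").write_bytes(b"MZ" + b"\x90" * 300)
        (Path(suspect) / "volsnap.sys").unlink()
        return compare(build_baseline(clean, WATCHED_FILES),
                       build_baseline(suspect, WATCHED_FILES))


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

Two caveats for real use. Hashes legitimately change with every servicing update, so the baseline must come from a machine at the same build and patch level (or from the vendor's catalog), otherwise every box reports "modified". And a kernel-resident rootkit can lie to the file API on the live system, which is why the thread's approach of pulling the drive and hashing it from another machine is the trustworthy way to get the "current" side of the comparison; on a live box, sfc /verifyonly gives a built-in but less trustworthy check.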



Sorry :(

What for....that the poster above my "o boy" is a green bean and has 0 clue about the utilities he recommends? He will learn, it is ok.

When I post back with obscenities then you can say sorry. On my BlackBerry now, my computer is in maintenance mode right now and I cannot access it, so I am stuck until I connect to my corp network....what does that mean? I can't remote in to look at logs or packets coming off that box.



Ok, I'm sorry if the tools that I use and have used for several years don't work for you, I was just trying to help. I have been in a similar situation as you and RKill and IceSword worked for me, which is the only reason I brought it up in the first place. If you don't want to use it, then don't.



I understand...and I am sorry if I came off as a noob who doesn't know how to get a piece of malware off his computer.

RKill kills the malware process so that you can run tools to be able to remove it. The issue is that nothing is detecting it. The only way to know something is running that shouldn't be is to see what is going out. Otherwise the strain is completely stealthy and runs randomly, so it is very hard to see it with a process monitor, and when you do find it, it has masked itself behind a legit process...the process itself seems to check out; you remove the process/exe and it morphs to a different process. I am not solely relying on scanners to find the crap, I am going into the kernel as best I can (Process Explorer/Process Hacker) to see what is running myself, not relying on scanners to do squat because they aren't finding crap.

And this is why I asked for a decompiler, to see if the processes I submitted to my AV company had anything in them. I am far from a noob when it comes to this and the utilities you mentioned aren't good enough to find this strain. What has worked in the past is not working now and I am going deeper than most care to; I am beyond most people's point of no return or give-up point. I am further into the OS than many "run this, run that" techs have ever been...

So I am sorry that I have come off as a noob who doesn't know crap, but my question was about a decompiler to see what processes were doing and where they point to, again not something you are going to just run and be done with the answers right in front of you.

I ask for advanced software because I need it, not to have to try this piece or that piece.....if it were as simple as running this or that I wouldn't have asked in the first place for such a thing. Nothing about this was easy....and I still didn't find it, but I believe it is fixed on that computer.



That's ok bro, you didn't come off as a noob, just someone asking for help. It's alright, I know my post count is very low, and being a member since 01 with a low post count doesn't help my case. I was in the Navy and never had time to post. Anyway, I'll do some looking around when I get home and see if I can help.



No...I have not been back to the client site (was doing it for another tech that is on vaca).

Here are the cliff notes...virus/malware seems to be able to install itself on PCs that attach to the network. Home PCs are most likely infected if they have brought home laptops to work from home. Nothing can find it currently. Symantec is useless in the sense that the tech will get back with results of whatever scan in 24 hrs; I have other clients to support, I need answers when I ask for them or shortly thereafter..I need a 2 hr window, 3 tops...if they are unsuccessful with finding it I need to get more samples of files out to them.

This thing seems to run randomly and cannot be caught running with kernel tools (look at NirSoft's barrage of tools, Sysinternals, as well as Process Hacker for examples of what I use) as well as a ton of antimalware software (ESET, Symantec, Kaspersky, Malwarebytes, SUPERAntiSpyware, ComboFix, Avast, Avira, Microsoft Security Essentials, plus quite a few others) and none is successfully finding it...the only way to see what is going on is either by looking at the logs on the firewall (Cisco ASA) or by running a sniffer.

The sniffer was installed and sees traffic being generated by many PCs on the network (not all)...the servers are infected (pretty much all of them).

Cause of issue: 3389 was open at this site and someone had an unsecured user called test1 with logon rights (did not have admin rights) to the TS server. The user was able to remote into other PCs with this account using RDP and run whatever the f they wanted. Account was disabled; I have not had a chance to thoroughly comb through AD to verify accounts as I was trying to fix and research this issue.

It is more than likely a compression and encryption based malware which current scanners are unable to detect. This software seems to hide behind processes, sees what is running and attaches itself as a background DLL to that process, then unattaches itself to go back into hiding....it is quite possibly not infecting the host process (at least Symantec sees it as clean in their labs). Even with the process removed the virus/malware still exists and jumps to another running process on the system. It also seems to like to communicate for a short time when you open a browser, not attached to iexplore.exe or firefox.exe or whatever else....it attaches to a random process (either a system exe or a toolbar exe) and runs under that.

It seems to try to run an exe off a remote server (at least that is what I am seeing in some of the packets when I was looking). Gave the owner my copy of Capsa to easily view packets and their contents going across the internet.

I need to clean a machine and take it off the network to be able to determine if it has been cleaned...or at least isolate it from the rest of the network. This is a really dirty piece of malware. If I can properly isolate it I would be able to remove the DLL/exe/whatever else and submit the piece to Symantec/ESET/Anubis/etc for inspection to add to their DB. The issue is properly isolating malware to a file or directory when it keeps burying itself and you can't find the hole to trace it back....it is quite annoying, not to mention that I can't wait for retards (this may not be the right word to use, but the freaking Indian on the phone ****ed me off yesterday...wanted me to hold so his manager could see how I rated his call, if I stayed on the phone the guy might not have a job today) to get back to me 24 hrs later, which is the reason for this request for special software.

Aryeh has contacted me by pm and offered assistance with submittal, I have sent that to the owner of the company if he doesn't want to screw with Symantec....it may be a complete nuke however it isn't exactly easy to nuke a medium sized environment spanning multiple states. I don't like nuking unless absolutely necessary (just want to make that very clear).
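The post above says the firewall (Cisco ASA) logs were the only reliable way to see which hosts were talking out, and the first post only had three host/process pairs to go on. The script below is an added example, not code from the thread or from Cisco: it parses ASA "Built connection" syslog messages (message IDs 302013 for TCP and 302015 for UDP, whose layout is "Built inbound|outbound PROTO connection ID for IFACE:ip/port (mapped) to IFACE:ip/port (mapped)"), collects every inside host that connected to a watch-listed IP, and separately lists inbound connections, which is where an exposed 3389 shows up. The log lines are constructed samples using the 208.73.210.48 address from the thread; the interface names "inside"/"outside" and the sample internal addresses are assumptions.

```python
import re
from collections import defaultdict

# Matches ASA 302013 (TCP) and 302015 (UDP) "Built ... connection" messages.
ASA_BUILT = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<conn_id>\d+) for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([\d.]+/\d+\) "
    r"to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) \([\d.]+/\d+\)"
)

# Constructed sample log, modelled on ASA syslog output; not real traffic from the site.
SAMPLE_LOG = """\
Mar 10 09:14:02 asa1 %ASA-6-302013: Built outbound TCP connection 2847 for outside:208.73.210.48/80 (208.73.210.48/80) to inside:10.1.2.15/49213 (198.51.100.7/49213)
Mar 10 09:14:03 asa1 %ASA-6-302013: Built outbound TCP connection 2851 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:10.1.2.15/49215 (198.51.100.7/49215)
Mar 10 09:14:09 asa1 %ASA-6-302015: Built outbound UDP connection 2860 for outside:208.73.210.48/161 (208.73.210.48/161) to inside:10.1.2.40/52001 (198.51.100.7/52001)
Mar 10 09:14:20 asa1 %ASA-6-302014: Teardown TCP connection 2847 for outside:208.73.210.48/80 to inside:10.1.2.15/49213 duration 0:00:18 bytes 2310 TCP FINs
Mar 10 09:15:41 asa1 %ASA-6-302013: Built outbound TCP connection 2870 for outside:208.73.210.48/80 (208.73.210.48/80) to inside:10.1.2.99/50100 (198.51.100.7/50100)
Mar 10 09:16:05 asa1 %ASA-6-302013: Built inbound TCP connection 2880 for outside:203.0.113.5/51111 (203.0.113.5/51111) to inside:10.1.2.10/3389 (198.51.100.9/3389)
"""


def summarize(lines, watch_ips, inside_if="inside"):
    """Group connections to watch-listed IPs by internal host; list inbound connections."""
    watch_hits = defaultdict(list)   # inside host -> [(proto, remote ip, remote port, conn id)]
    inbound = []                     # (remote ip, inside host, inside port, conn id)
    skipped = 0                      # teardown lines and anything else we do not parse
    for line in lines:
        m = ASA_BUILT.search(line)
        if not m:
            skipped += 1
            continue
        d = m.groupdict()
        sides = [(d["if_a"], d["ip_a"], int(d["port_a"])),
                 (d["if_b"], d["ip_b"], int(d["port_b"]))]
        # Decide which end is internal by interface name rather than by argument order,
        # so the same code works for inbound and outbound messages.
        internal = [s for s in sides if s[0] == inside_if]
        remote = [s for s in sides if s[0] != inside_if]
        if len(internal) != 1 or len(remote) != 1:
            skipped += 1             # inside<->inside or DMZ traffic: out of scope here
            continue
        (_, in_ip, in_port), (_, r_ip, r_port) = internal[0], remote[0]
        if d["direction"] == "inbound":
            inbound.append((r_ip, in_ip, in_port, d["conn_id"]))
        if r_ip in watch_ips:
            watch_hits[in_ip].append((d["proto"], r_ip, r_port, d["conn_id"]))
    return {"watch_hits": dict(watch_hits), "inbound": inbound, "skipped": skipped}


def hosts_talking_to(summary):
    """Sorted list of internal hosts that reached any watch-listed IP: the cleanup worklist."""
    return sorted(summary["watch_hits"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines(), {"208.73.210.48"})
    for host in hosts_talking_to(s):
        for proto, rip, rport, cid in s["watch_hits"][host]:
            print(f"{host} -> {rip}:{rport}/{proto} (conn {cid})")
    for rip, host, port, cid in s["inbound"]:
        print(f"INBOUND {rip} -> {host}:{port} (conn {cid})")
```

The output is the list of inside hosts that reached the watch-listed address, which is the list of machines to pull for the offline hash check, plus any inbound connection to an internal service; on this sample that surfaces the UDP/161 connection the earlier reply questioned and an inbound session to 3389. Feeding real ASA logs in is a matter of replacing SAMPLE_LOG with the file contents; interface names must match the firewall's configuration.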



So I would love to look at these captures you have done of the network traffic it has generated - can you post those or PM them to me, etc.?



I realize this is an old topic, but I believe this subject to be far from over. I have been battling this in about the same time window that you have, if you are still pursuing it, and been frustrated that no AV can find it and that the general populace considers me paranoid/crazy. If you are still looking at this I would like to compare notes.

Observation is very difficult other than monitoring the changes it makes unless you trigger its defensive mode. Wiping, or even replacing the drive, only appears to remove it; it triggers a _HIDE routine that makes it lay low. It has hooks into BIOS via UEFI and other methods, so a fresh install only gives a false sense of security.

I have many more notes, including a lead on the source; let me know if you are interested in discussing it further.
