Unubot’s new clothes, pretty?

Robert, one of my esteemed colleagues (and lucky – he is off on a week long holiday while I am working the weekend) had spotted a recent trend in increase of unpacked IRC bots in the wild.

A lot of malicious executables rely on using packer to disguise themselves. As a side-effect, this will be suspicious to trained eyes since they look quite different from normal clean executables.

There had been a trend of thought that the best way to avoid detection by AV vendors is to leave malicious executable unpacked to avoid suspicion. However, leaving the file unpacked would be leaving it’s functionality naked. Many people would strings an executable before running it, especially IRC bots would have a lot of easily identifiable strings of various command.

So be mysteriously suspicious or honestly malicious.

What did W32/Unubot comes up with in this case? Let’s have a look at the structure of the file.

unubot-entro.GIF

The blue line represent the entropy of the data – code would generally around an entropy of 0.8 while packed data would have much higher entropy. As the diagram shows, the file is not packed except having some compressed appended data. This would be similar to a lot of clean self-extracting archive.

Looking at the original strings content, it only contains a few library strings.

unubot-strings

Subjecting to analysis – which is very easy since the code is not obfuscated in anyway – we found the following.

  1. It creates a process of itself in suspended mode (so it will be loaded into the memory but will not run)
  2. Then it deallocates the memory (using ZwUnmapViewOfSection) of this suspended copy of itself
  3. Remember that the data appended of high entropy at the end of the file? It is a painstakingly encrypted executable file. Most Windows executable file will starts with the magic word ‘MZ’, and in this case it encrypts it’s magic bytes with a special key, the first e0 bytes of the header with a different key, and different keys for the rest of the file.
  4. It then writes the decrypted code to the the suspended process
  5. Next it fixes up the suspended thread context of the suspended process to execute properly
  6. In the end it resumes the suspended thread

As a result, you will have an unpacked file which runs a packed IRC bot, without writing any packed executable to disk. The technique used here is quite well known – it is coined as the Nebbett’s Shuttle technique in Black Hat 2007, “Stealth Secrets of Malware Ninjas” by Nick Harbour.

So, how good is this Stealthing Ninja?

  1. The unpacked loader demonstrates various memory injection technique which is quite suspicious. It would be flagged up by our Behavioral Genotype detection.
  2. By leaving itself unpacked, it sacrifice the ability to protect from analysis. Skilled reverse engineer would have no problem with understanding what it is doing.
  3. While doing all it’s process injection, registry modification, etc. it had violated at least 3 of Sophos Behavior protection rules – so Sophos’ HIPS detection – if turned on – will detect and block it even if the user decided to turn off our on-access scanning.
  4. Last of all, the packed IRC bot was in fact only packed with UPX . So all strings of the IRC bot will be viewable by using tools such as Process Explorer.

procexp.GIF

So W32/Unubot‘s new cloak of invisibility might not be as concealed as it thought.

But interestingly only 3 vendors out of 32 on VirusTotal have detected the sample as I am writing this blog.

unubottotal.