a methodology for studying untrusted software

With Application to the Real Case of the WinSatan Trojan

The IT Security Laboratory from the Carlos III University of Madrid was created in 1990, and since these days it has been focused on IT security research and development. Its members have participated in multiple research projects and have worked with a number of companies. They can be reached at <http://benjusuf.uc3m.es/miembros>.

The authors present a general methodology for studying untrusted software that is particularly suitable for the analysis of dangerous software (viruses, worms, and trojans). In many cases, it is useful to learn exactly what untrusted software does on a computer. This methodology is demonstrated with our work on the recent trojan called WinSatan.

Introduction

We propose a general methodology to extract all the valuable information for a certain piece of software for which we have no initial information, such as documentation or source code. We have found this methodology to be much better than the nearly impractical method of reverse-engineering it with a disassembler. We think this methodology will be of great help in the analysis of potentially dangerous code like viruses, worms, and trojans and could also be used as a reference to develop and implement new security software.

Proposed Methodology

A general view of the proposed methodology is shown in Figure 1.

Our methodology is divided into five main steps. Before installing and executing the suspicious software, we recommend the following actions:

1. Use a hex editor (for example, the free HexWorkShop) to navigate through the contents of the untrusted software (usually an executable). In most cases, you'll be able to see all the text messages the software generates, along with some of the values of its internal constants.

When analyzing the WinSatan trojan, we discovered a large number of messages. Some of them were error messages; more important, some included a strange list of active IRC servers and their respective IPs (presumably included to make the trojan robust in case of badly configured DNS servers). This yielded information about the internal architecture and the main features of the trojan. We also discovered that the trojan was programmed using the Delphi programming language, that its author was probably German, and that he/she used the so-called ICL communication components.

2. Use a file-activity-control utility, such as the excellent and completely free FileMon, to follow the trace of all the activity the untrusted software generates during its execution. This generally yields excellent information about files created, modified, and read in order to gather (and possibly publish) information about the victim's machine.

We determined which files WinSatan created upon execution, including the file called fs-backup.exe (which was the real trojan) in the C:/windows directory. We also found that the trojan created a new directory and consulted several other files to gather information. The FileMon utility generated more information than we are able to analyze in detail in this short article. We strongly recommend exiting any other application during the use of FileMon, to minimize the amount of uninteresting file activity logged.

3. Use a Registry-activity-control utility, such as the free RegMon program, to control all the changes and readings the trojan makes in the Registry. This could be of great interest, as most of the known trojans (along with other malicious software) use the Registry as a source of invaluable information about the attacked machine, and they usually create or modify some Registry keys to, for example, force its running every time the user starts Windows.

When we used the RegMon program to study WinSatan, we discovered that it reads some 20 registry keys, but the most important fact we discovered in this phase was
that it creates a new one under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run with the apparently innocent and useful name of RegisterServiceBackup and the value "fs-backup.exe". What is this for? Simply to force Windows to execute fs-backup.exe every time it starts up, thus ensuring that the trojan will always be running if the machine is in use.

4. Use a portscanner such as TCPView or the netstat command to scan localhost to observe which ports are open before and after running the untrusted software. In most cases, upon the execution of trojans, new ports are opened on the victim's machine so that the attacker can access it in some way (via ftp, telnet, or some other protocol). We used nmap to scan our infected machine from outside and the netstat command to do it locally. The outside scan is important because the untrusted software (like some rootkits) can modify the netstat command to hide its actions. In both cases, we discovered that port 999 was opened every time we ran WinSatan. Before this discovery, we successfully tried to connect to port 999 and saw that it was an ftp server that allowed anyone full access to the victim's files. The netstat command also showed us that our infected machine was trying to connect to some of the IRC servers we saw in the hex-editing phase.

5. Use a sniffer such as sniffit or windump to sniff all incoming and outgoing traffic. Almost by definition, a trojan will try to open ports on the victim's machine to allow the attacker to take control of it. These incoming connections will be detected and logged if you run a sniffer that logs all incoming and outgoing traffic. Also, the victim's machine usually reports its state to the attackers by some means (e.g., electronic mail, IRC messages, or news postings) and this will be detected and logged if you sniff outgoing traffic.

All this information provides clues to the identity of the author of the malicious software. Using the well-known sniffit sniffer, we observed surprising results: the infected machine sent the following messages to the IRC servers by a privmesg IRC command: "Online!. I am <user or machine name> I use Windows <windows version>, my CPU is a <type of processor>". We had already seen this string in the hex-edit phase, but only at this point did we understand its use. We also saw that this message was directed to two IRC nicknames that were scroll and scroll1 (we suppose scroll1 was created by the developer of this trojan in case some other IRC user had already taken the scroll nickname) and was repeated once every minute to confirm that the victim was still connected to the Net. We have checked that both users are usually active on these IRC servers.

How Did WinSatan Spread ?

WinSatan was described in the news and on some Web pages (for example, <http://music.acmecity.com/orchestra/29/WinSATAN.zip>, now gone, where we found it) as "A Windows port for SATAN, the security checker tool for UN*X." This sounds attractive enough to get a great number of downloads and assure a quick spread of the trojan over the Net. We discovered that behind this marketing slogan was a dangerous backdoor application.

Technical Details

The trojan used WinSatan to spread. However, none of the software's three functions worked properly, which provably means its only purpose was to spread the trojan.

WinSatan connects to various IRC servers, and this connection remains active even when the program is closed, continuing to run in the background without a trace on the system tray or task manager.

The "I'm online" IRC message was sent by a Privmsg command to the two IRC users, which prevents other users from reading it. Obviously, this exposes the victim's computer to every attack the author of this trojan wants to do on the IRC.

In addition, we discovered that the trojan opens an unprotected (it asks for username and password, but any combination of the two will be accepted) ftp server on port 999 of the victim's machine, which gives the attacker full control over the victim's files. The attacker's strategy is quite simple: he/she only has to connect to one of these IRC servers, using the scroll or scroll1 nickname, and wait for the victims' messages indicating they are infected and online. On receiving one of these messages, he/she only has to discover the victim's IP (trivial, using the IRC commands /who and /dns) and connect to it by an ftp command directed to port 999.

Searching the code with the help of a hex editor, we discovered that the trojan was written in Delphi and that it has a list of IRC servers to connect to. Here is the list (in no particular order):

•  irc.stealth.net
•  irc.webbernet.net
•  ircnet.sprynet.org
•  irc.univ-lyon.fr
•  irc.rus.uni.stuttgart.de
•  eu.ircnet.org
•  us.ircnet.org
•  web.im.tut.fi

Windows 3.x, Windows 95, and Windows 98 all proved vulnerable. Tested on a Windows NT 4.0 box, it didn't work at all. (Its 16-bit code on NT gives the error, "The procedure entry point RegisterServiceProcess could not be located in the dynamic link library kernel32.dll.")

To recapitulate: The trojan adds a key in the Registry to run itself. It then runs on every system startup. It tries to connect to the IRC servers every few seconds once the user has connected to the Net. When the trojan manages to connect to an IRC server, it sends the above-mentioned message once a minute.

How to Check Whether Your Box Is Infected

To determine whether the trojan is running on your machine, type the command netstat -an from the command prompt. If you see you are connected to an IRC server using destination ports like 6666 or 6667, for example, 165.121.1.47:6667, and you know you're not running an IRC client, you're in trouble.

Another test to perform is to check whether you have port 999 open. Port 999 is not associated with any standard service, so it doesn't have to be open. If you find it open, try to connect to it with the command ftp localhost 999. If you manage to do it and are prompted with the message "CreaKer is here," you are infected.

Also, check if you have a program called fs-backup.exe (about 366KB) in the C:\windows directory. If you find it, you are infected. Remove it immediately. (If you can't because it is running, simply do a shutdown to MS-DOS and remove it from there.)

In any case, check the Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

to search for unusual or strange entries. If you find one called RegisterServiceBackup, you are infected. This is a good test to do anyway, in order to catch other trojans that may be lurking on your machine.

Disinfecting

Disinfecting a machine couldn't simpler. Just remove the Registry key that allows the trojan to start when Windows starts (named RegisterServiceBackup, as described above). Restart Windows, and, since the trojan is not running, you will have no problems removing the file fs-backup.exe from C:\windows. Remove it and you are clean!

WinSatan Today

We tested some well-known antivirus programs to see whether they could detect the new trojan. None of them did, even those using heuristic methods. We tried McAfee VirusScan version 4.0.3 with heuristic searching and the latest update by this date (6 June 1999), Antiviral Toolkit Pro 3.01.29 with the latest revision (9 June 1999), and the Platinum Panda Antivirus 6.0 with heuristics after an update on the Internet. We emailed McAfee, AVP, and Panda, and all of them included the code signatures of the trojan in the next versions of their products.

The discovery and analysis of this trojan has been widely covered, mostly by the digital media. As a result, many people have contributed in different ways to avoid its spreading but, unfortunately, a lot of people have been infected by it,.

Thanks to Leo Ricchieri, who has developed a VB script that removes the trojan; see <http://www.securiteam.com/securitynews/WinSatan_FixBackdoor.vbs>. (This requires a VB script—enabled browser.)

WinSatan's characteristic port 999 has been included in many default trojans ports lists all over the Net. Last, but not least, one of the discoverers of the trojan has developed a Nessus script that detects WinSatan remotely, so any user of the excellent and free Nessus security-auditing tool can detect whether a remote machine is infected by the WinSatan trojan. More information on Nessus can be found at <http://www.nessus.org>.

Unfortunately, in spite of the efforts made by many people to stop the trojan's spread, many users are infected, and many crackers are abusing them. The nicknames scroll and scroll1 on the cited IRC servers are almost always used by people abusing victims.

Conclusions