Emulating C&C Servers for Machine Identification & Eradication

By Greg Newman ·

We recently discovered a custom piece of malware that connected, like many other pieces of malware, maintained a persistent connection to a command and control server in order to receive commands from the server and exfiltrate data.  Identification of all infected machines was difficult, so an emulated command and control server was created in order to identify infected machines.  On top of that, an uninstall feature was discovered in the malware allowing eradication of the malware from infected machines.

The malware has a simple command and control protocol.  It connects to a hostname, which is stored in the registry by the dropper originally used to install the malware.  It maintains a persistent connection and polls for new commands in a loop.  The command structure can be defined by the following regular expression:“[\x00-\x1b]\x80\x00\x00[\x00-\xff]{2048}”.  Therefore, the command itself is defined by a single byte and there are 27 commands available to the attacker.  In order to keep this concise, I will only go into detail about the handshake the malware makes when connecting to the server and the command that is of interest to us: uninstall.

image1

When the malware connects to the server, it sends a handshake with the following information:
  • Windows Version
  • Computer Name
  • MAC Address
  • RAT Comment (a field that can be set by the dropper or another command issued from the C&C)
The packet handshake is a 0x180 byte packet with the following format consisting of four fields appended to each other:
  • 0x80 bytes for Windows version information
  • 0x40 bytes for Computer Name
  • 0x40 bytes for MAC Address information
  • 0x80 bytes for RAT comment
One of the interesting commands available on this malware is a command to uninstall itself.  The uninstall command, command 0x1A, deletes the registry keys responsible for starting the malware and uses the MoveFileEx API to set the files to be deleted upon reboot.  It then disconnects from the C&C.  Note that the switch statement in the above code starts by subtracting 0x8000 from the first DWORD of the packet and 32794 (the case for the jump table seen below) is 0x801A.

image2_0

A small python script is attached which keeps track of infected machines that connect to the C&C and issues the uninstall command after the handshake is sent.  Implementation of the script consisted of hosting it on a machine on the local network and redirecting DNS queries for the C&C domain or routing IP addresses for the C&C to our emulator.  It will then log the infected machine and issue the uninstall command, easing remediation.  It should also be noted that this particular piece of malware, once disconnected from the C&C, would not attempt to reconnect until the machine was restarted.  Forcing a reboot on suspect machines across the network is necessary to complete the uninstall process.

 

With a simple C&C protocol such as this one, maintaining packet capture can also be useful to determine what data was exfiltrated during the time of infection.  It is also trivial to write a script to parse packet captures to list any commands that were executed during communication with the C&C.

Security Tools:

text-plaincncemu.py.txt