
Emulating C&C Servers for Machine Identification & Eradication

August 07, 2012

We recently discovered a custom piece of malware that, like many other pieces of malware, maintained a persistent connection to a command and control server in order to receive commands from the server and exfiltrate data. Identifying all infected machines was difficult, so an emulated command and control server was created to identify infected machines. On top of that, an uninstall feature was discovered in the malware, allowing eradication of the malware from infected machines.

The malware has a simple command and control protocol. It connects to a hostname, which is stored in the registry by the dropper originally used to install the malware. It maintains a persistent connection and polls for new commands in a loop. The command structure can be defined by the following regular expression: "[\x00-\x1b]\x80\x00\x00[\x00-\xff]{2048}". The command itself is therefore defined by a single byte, and there are 27 commands available to the attacker. To keep this concise, I will only go into detail about the handshake the malware sends when connecting to the server and the command that is of interest to us: uninstall.

[image1: figure omitted from this capture]

When the malware connects to the server, it sends a handshake with the following information:

  • Windows Version
  • Computer Name
  • MAC Address
  • RAT Comment (a field that can be set by the dropper or another command issued from the C&C)

The handshake is a 0x180-byte packet consisting of four fixed-width fields appended to each other:

  • 0x80 bytes for Windows version information
  • 0x40 bytes for Computer Name
  • 0x40 bytes for MAC Address information
  • 0x80 bytes for RAT comment

One of the interesting commands available in this malware is a command to uninstall itself. The uninstall command, command 0x1A, deletes the registry keys responsible for starting the malware and uses the MoveFileEx API to mark the files for deletion upon reboot. It then disconnects from the C&C. Note that the switch statement in the code above first subtracts 0x8000 from the first DWORD of the packet; the case value 32794 in the jump table shown below is 0x801A, that is, 0x8000 plus the command byte 0x1A.

[image2_0: figure omitted from this capture]

A small Python script is attached which keeps track of infected machines that connect to the C&C and issues the uninstall command after the handshake is received. Deploying the script consisted of hosting it on a machine on the local network and redirecting DNS queries for the C&C domain, or routing the C&C's IP addresses, to our emulator. The emulator then logs the infected machine and issues the uninstall command, easing remediation. It should also be noted that this particular piece of malware, once disconnected from the C&C, would not attempt to reconnect until the machine was restarted. Forcing a reboot on suspect machines across the network is therefore necessary to complete the uninstall process.
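The following emulator is an added example, not the attached cncemu.py: it parses the 0x180-byte handshake described above, logs the infected host, answers with the 0x1A uninstall command in the 4 + 2048 byte format, and disconnects. The listening port is an assumption, since the post does not give the C&C port.

```python
import socket

# Layout described above: 0x180-byte handshake of four NUL-padded fields; commands are cmd byte, \x80\x00\x00, 2048 body bytes.
FIELD_LAYOUT = (("windows_version", 0x80), ("computer_name", 0x40),
                ("mac_address", 0x40), ("rat_comment", 0x80))
HANDSHAKE_LEN = sum(size for _, size in FIELD_LAYOUT)   # 0x180
CMD_UNINSTALL, CMD_BODY_LEN = 0x1A, 2048

def recv_exact(conn, n):
    """Read exactly n bytes; raise if the peer hangs up mid-message."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def parse_handshake(data):
    """Split the fixed-width handshake into its four text fields."""
    if len(data) != HANDSHAKE_LEN:
        raise ValueError(f"expected {HANDSHAKE_LEN} bytes, got {len(data)}")
    fields, offset = {}, 0
    for name, size in FIELD_LAYOUT:
        fields[name] = data[offset:offset + size].split(b"\x00", 1)[0].decode("latin-1")
        offset += size
    return fields

def build_command(cmd, body=b""):
    """Encode a command packet; the malware's switch reads the first DWORD as 0x8000 + cmd."""
    if not 0 <= cmd <= 0x1B or len(body) > CMD_BODY_LEN:
        raise ValueError("bad command byte or oversized body")
    return bytes([cmd, 0x80, 0x00, 0x00]) + body.ljust(CMD_BODY_LEN, b"\x00")

def handle_client(conn, peer, log):
    """Log the infected host's handshake, send uninstall, disconnect; return the parsed fields."""
    fields = parse_handshake(recv_exact(conn, HANDSHAKE_LEN))
    log.append({"peer": peer, **fields})
    conn.sendall(build_command(CMD_UNINSTALL))
    conn.close()
    return fields

def serve(log, port=4444):   # port is an assumption; the real C&C port is not given in the post
    """Accept beacons once DNS or routing for the C&C hostname points at this host."""
    with socket.socket() as srv:
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            handle_client(conn, addr[0], log)
```

The `log` list is the inventory of infected machines to reboot afterwards, since the malware does not reconnect until restart.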


With a simple C&C protocol such as this one, maintaining a packet capture can also be useful to determine what data was exfiltrated during the time of infection. It is also trivial to write a script that parses packet captures to list any commands executed during communication with the C&C.

Security Tools: cncemu.py.txt (attached script)
