Code injection is a technique malware uses to avoid detection. The injector stores the payload as an encrypted resource, decrypts it at run time and injects it into a running process. The injector may also check for virtual machines and analysis tools in order to hinder analysis.
The injector is known to be used by the following malware families:
Worm:Win32/Pushbot (Microsoft)
Worm:Win32/Hamweq (Microsoft)
Worm:Win32/Rimecud (Microsoft)
PWS:Win32/Zbot (Microsoft)
Backdoor:Win32/Bifrose (Microsoft)
Backdoor:Win32/Rbot (Microsoft)
There are no obvious symptoms that indicate the presence of this malware on an affected machine.
On execution, the sample starts Internet Explorer (iexplore) in the background in a suspended state and injects the backdoor code into it.
Fig. 1.1 Network activity
The screenshot in figure 1.1 shows the local port (1197) opened by the hijacked Internet Explorer process to communicate with the remote server.
Fig.1.2 Raw data
Figure 1.2 shows the raw data exchanged between the local machine and the remote server.
The injector runs various checks for virtual machines and analysis tools in order to hinder analysis. As figure 1.3 shows, the modules needed to inject the malicious code are loaded dynamically at run time and the resolved addresses of the imports are stored in the injector's own import address table, rather than appearing in the file's static import table.
Fig. 1.3 Rebuilding Imports
Control is then passed to the code that starts Internet Explorer in a suspended state, overwrites its entire .text section with the malicious code and resumes it. A detailed explanation with screenshots follows.
As figure 1.4 shows, the process is created in suspended mode (the CREATE_SUSPENDED flag of CreateProcess), so its main thread does not run until it is explicitly resumed.
Fig. 1.4 Creating process
Figure 1.5 shows the parameters for the new process as they are taken from the stack.
Fig. 1.5 Parameters in stack
The PROCESS_INFORMATION structure returned by this call provides handles to the new process and to its main thread, together with the process ID (PID) and thread ID (TID). These handles are re-used later in the routine. As figure 1.6 shows, the hijacker calls GetThreadContext to copy out all of the register values of the still-suspended iexplore main thread; they are used again when the thread's execution is resumed:
Fig 1.6 Calling GetThreadContext
The entire .text section of iexplore is overwritten, and extended, by a loop that calls WriteProcessMemory and VirtualProtect on ten separate occasions. This completely replaces Microsoft's code, leaving Internet Explorer as nothing more than a shell for the injected code to run in:
Fig. 1.7 Writing to the Memory of IE
The screenshot in figure 1.7 shows the parameters passed to WriteProcessMemory.
As figure 1.8 shows, after the executable code has been copied into IE, the context saved earlier is written back to the suspended thread (SetThreadContext). Because the code at the original entry point has been replaced, resuming the overwritten thread (ResumeThread) now runs the injected code:
Fig. 1.8 Executing the thread
The process that looks like a familiar browser is no longer a friendly browser; it is a malicious one.
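Because the injector leaves the process name, path and headers of iexplore intact and only replaces the bytes of its .text section, the most direct check a responder can make is to compare the executable section as it sits in the process with the same section in the file on disk. The following is an added example, not part of the original analysis or of any vendor tool: it builds two constructed PE32 images (a "clean" mapping and one whose .text has been overwritten in place, mirroring the sequence described above), parses the headers by hand, and reports any executable section whose in-memory bytes no longer match the file. On a live Windows system the memory side would come from ReadProcessMemory at the module's ImageBase; the builder is only there so the check runs offline. The comparison is deliberately naive and is labelled as such in the code: a production check must apply base relocations (ASLR changes absolute addresses inside .text), ignore IAT and hotpatch slots, and handle PE32+ (64-bit) headers.

```python
import struct

FILE_ALIGN = 0x200   # FileAlignment of the constructed images
SECT_ALIGN = 0x1000  # SectionAlignment (one page) of the constructed images


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva, image_base=0x400000):
    """Construct a minimal PE32 and return (disk_bytes, memory_bytes).

    disk_bytes   = file layout (sections at PointerToRawData, FileAlignment padding)
    memory_bytes = loader layout (sections at VirtualAddress, page padding), i.e.
                   what ReadProcessMemory from ImageBase would return.
    sections: list of (name, data, characteristics); constructed test data only,
    each section is assumed to fit in a single page.
    """
    nsec = len(sections)
    opt_size = 224                                    # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * nsec     # DOS + "PE\0\0" + FileHeader + opt + sections
    size_of_headers = _align(hdr_len, FILE_ALIGN)

    sec_hdrs, disk_body, mem_body = b"", b"", b""
    raw_ptr, va = size_of_headers, SECT_ALIGN
    for name, data, chars in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        disk_body += data.ljust(raw_size, b"\0")
        mem_body += data.ljust(SECT_ALIGN, b"\0")
        raw_ptr += raw_size
        va += SECT_ALIGN

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 0, 0, 0, 0, 0, entry_rva,
                      SECT_ALIGN, 0, image_base, SECT_ALIGN, FILE_ALIGN).ljust(opt_size, b"\0")
    opt = opt[:56] + struct.pack("<II", va, size_of_headers) + opt[64:]  # SizeOfImage, SizeOfHeaders
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdrs
    return (headers.ljust(size_of_headers, b"\0") + disk_body,
            headers.ljust(SECT_ALIGN, b"\0") + mem_body)


def parse_pe(image):
    """Return entry point RVA, ImageBase and the section table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled in this example (PE32+ lays ImageBase out differently)")
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    secs, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        secs.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                     "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
        off += 40
    return {"entry": entry, "image_base": image_base, "sections": secs}


def check_hollowing(disk_image, mem_image):
    """Naive hollowing check: entry point and every section must match the file.
    Returns a list of human-readable findings; an empty list means no mismatch.
    Does NOT undo relocations or skip IAT slots, so expect noise on real processes."""
    disk, mem = parse_pe(disk_image), parse_pe(mem_image)
    findings = []
    if mem["entry"] != disk["entry"]:
        findings.append(f"entry point differs: disk {disk['entry']:#x}, memory {mem['entry']:#x}")
    for ds in disk["sections"]:
        ms = next((s for s in mem["sections"] if s["name"] == ds["name"]), None)
        if ms is None:
            findings.append(f"section {ds['name']} missing from in-memory headers")
            continue
        n = min(ds["vsize"], ds["raw_size"])                 # only bytes that exist on disk
        on_disk = disk_image[ds["raw_ptr"]:ds["raw_ptr"] + n]
        in_mem = mem_image[ms["va"]:ms["va"] + n]
        if on_disk != in_mem:
            m = min(len(on_disk), len(in_mem))
            first = next((i for i in range(m) if on_disk[i] != in_mem[i]), m)
            findings.append(f"section {ds['name']} differs at RVA {ms['va'] + first:#x}")
    return findings


# Constructed sample data (not real iexplore bytes): a benign .text of NOPs and a RET.
TEXT_CHARS, DATA_CHARS = 0x60000020, 0xC0000040
LEGIT_TEXT = b"\x90" * 16 + b"\xC3"
PAYLOAD = b"\xCC" * 32                                  # stand-in for the injected backdoor code
DISK_IMAGE, CLEAN_MEMORY = build_pe(
    [(b".text", LEGIT_TEXT, TEXT_CHARS), (b".data", b"hello\0", DATA_CHARS)], entry_rva=0x1000)
# Hollowed in place, as in the write-up: headers untouched, .text (VA 0x1000) replaced wholesale.
HOLLOWED_MEMORY = CLEAN_MEMORY[:0x1000] + PAYLOAD.ljust(SECT_ALIGN, b"\0") + CLEAN_MEMORY[0x2000:]
# Variant where the injector also rewrote the headers and moved the entry point.
_, REWRITTEN_MEMORY = build_pe(
    [(b".text", PAYLOAD, TEXT_CHARS), (b".data", b"hello\0", DATA_CHARS)], entry_rva=0x1010)

if __name__ == "__main__":
    for label, mem in (("clean", CLEAN_MEMORY), ("hollowed", HOLLOWED_MEMORY),
                       ("rewritten", REWRITTEN_MEMORY)):
        print(label, check_hollowing(DISK_IMAGE, mem) or ["no mismatch"])
```

Because the injector restores the saved thread context rather than rewriting the headers, the in-place case above is the one that matters here: the entry point in the headers still agrees with the file, and only the byte comparison of .text exposes the substitution. The header-rewrite variant is included so that both checks in `check_hollowing` are exercised.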
The threat is difficult to identify because it shows no obvious symptoms on an affected machine; it simply injects its malicious code into a legitimate process in order to avoid detection. The best defence against this family is to keep all security software up to date and to use a security product with behaviour-blocking technology.
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3AWin32%2FInjector.gen!AC
http://blog.threatfire.com/2009/08/clampis-evasive-injection-technique.html
http://blog.threatfire.com/2008/03/common-hijack-habits-are-hard-to-break.html
By Arvind Gowda