[Vol-users] Identifying HIPS process injection

Darren Spruell phatbuckett at gmail.com
Tue Nov 8 19:48:46 CST 2011


I've got a suspect process running on a system.

0x0703fcb8 8880792.tmp        5940   1504 0x0b353000 2011-05-27 07:00:12
 %Windir%\Temp\8880792.tmp

It's 64K on disk and looks like it's packed with Armadillo:

File Name:  8880792.tmp
File Size:  65536
File Type:  PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 Hash:   fec737234a47ae90ee79af44d3081a4d
SHA1 Hash:  4fb9abf6aba05ec1232b98ab39073c7635f7b9aa
Cymru MHR:  Not listed
Packer ID(s):
=> Armadillo v1.71

Number of sections: 3
--------------------
('.text\x00\x00\x00', '0x1000', '0xb446', 49152)
('.rdata\x00\x00', '0xd000', '0x15d2', 8192)
('.data\x00\x00\x00', '0xf000', '0x20c0', 4096)



I dump process memory (procmemdump) and end up with strings not much
different than what I get for the file on disk. The procmemdump output
is about 10K larger.

The memdump output is 245M and going through the addressable memory
contents I get loads of suspicious data that looks like it's related
to malware. Samples:




I suppose though that this is data from the HIPS application that has
been injected into this executable's process space. The same strings
are present in the memory space of all processes. I want to confirm
this by finding an indicator in the process memory that attributes
this data to the HIPS application. What is the best way to do this?

My initial suspicion is that the VAD table could show me that. Is this
right? How could this analysis proceed in Volatility? The 'modules'
plugin shows me a couple of entries that I suspect relate to it.

0x8a3c01e8 mfehidk.sys
0x00f70a9000 0x052000 mfehidk.sys
0x89030a20 \SystemRoot\system32\drivers\mfetdik.sys
0x00f7697000 0x00e000 mfetdik.sys
0x89237e68 \Device\mfehidk01.sys
0x00b7f38000 0x053000 mfehidk01.sys

-- 
Darren Spruell
phatbuckett at gmail.com
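
One way to test the VAD hypothesis raised in the post, as an added example that is not part of the original message and is not Volatility code: resolve each string hit to the VAD range that contains it, then keep the strings found in every process. The PIDs are reused from the post; the addresses, the strings, and the names `parent.exe` and `hips_scan.dll` are constructed placeholders, and the tuple layout is an assumption rather than any plugin's output format.

```python
from bisect import bisect_right

# Constructed sample data; not the output format of any Volatility plugin.
# VAD ranges per PID as (start, end, backing); backing is the mapped file name,
# or None for private memory. "hips_scan.dll" is a placeholder module name.
VADS = {
    5940: [(0x00400000, 0x00410FFF, "8880792.tmp"),
           (0x01A30000, 0x02A2FFFF, None),
           (0x6F000000, 0x6F0FFFFF, "hips_scan.dll")],
    1504: [(0x01000000, 0x010FEFFF, "parent.exe"),
           (0x03C10000, 0x04C0FFFF, None),
           (0x6F000000, 0x6F0FFFFF, "hips_scan.dll")],
}
# String hits as (pid, virtual address, text); constructed placeholders.
HITS = [
    (5940, 0x6F001200, "SAMPLE-SIG-A"), (1504, 0x6F001200, "SAMPLE-SIG-A"),
    (5940, 0x01A30040, "SAMPLE-SIG-B"), (1504, 0x03C10040, "SAMPLE-SIG-B"),
    (5940, 0x00401000, "SAMPLE-LOCAL-C"),
]

def find_vad(vads, addr):
    """Return the (start, end, backing) range containing addr, or None."""
    ranges = sorted(vads, key=lambda r: r[0])
    i = bisect_right([r[0] for r in ranges], addr) - 1
    if i >= 0 and ranges[i][0] <= addr <= ranges[i][1]:
        return ranges[i]
    return None

def attribute(hits, vads_by_pid):
    """Map each string to {pid: label}: file name, 'private' or 'unmapped'."""
    out = {}
    for pid, addr, text in hits:
        vad = find_vad(vads_by_pid.get(pid, []), addr)
        label = "unmapped" if vad is None else (vad[2] or "private")
        out.setdefault(text, {})[pid] = label
    return out

def common_to_all(attribution, pids):
    """Strings present in every listed process, with their backing labels."""
    return {s: set(per_pid.values())
            for s, per_pid in attribution.items() if set(pids) <= set(per_pid)}

if __name__ == "__main__":
    for text, labels in common_to_all(attribute(HITS, VADS), VADS).items():
        print(text, sorted(labels))
```

A string that resolves to a file-backed range names its owning module directly; one that resolves to `private` in every process shows only that the data is replicated, so the VAD alone does not identify what wrote it.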

