Reverse Eng. Lab Setup Guide

1.  Virtualization:
   
   1. VmWare - http://www.vmware.com/
   2. VirtualBox - https://www.virtualbox.org/
2.  Tools Development:
   
   1. Compilers/IDE:
      1. Dev C++ - http://www.bloodshed.net/devcpp.html
      2. Microsoft Visual C++ - http://www.microsoft.com/visualstudio/en-us/products/2010-editions/visual-cpp-express
   2.  Assemblers: 
      
      1. MASM - http://www.masm32.com/
      2. NASM - http://www.nasm.us/
      3. WinAsm (IDE) - http://www.winasm.net/
   3. Langugages:
      1. Python - http://python.org/
3. Tools Reverse Engineering:
1. Disassembler:
   1. IDA (5.0) - http://www.hex-rays.com/products/ida/support/download.shtml
   2. IDAPython - http://code.google.com/p/idapython/
2. Debuggers:
   1. OllyDbg - http://www.ollydbg.de/
   2. Immunity Debugger - http://immunityinc.com/products-immdbg.shtml
   3. Windbg - http://msdn.microsoft.com/en-us/windows/hardware/gg463009
   4. Pydbg - http://code.google.com/p/paimei/
3. PE file Format:
   1. PEView - http://www.magma.ca/~wjr/
   2. PEBrowse - http://www.smidgeonsoft.prohosting.com/pebrowse-pro-file-viewer.html
   3. LordPE - http://www.woodmann.com/collaborative/tools/index.php/LordPE
   4. ImpRec - http://www.woodmann.com/collaborative/tools/index.php/ImpREC
   5. PEid - http://www.peid.info/ vi. ExeScan - http://securityxploded.com/exe-scan.php
4. Process:
   1. ProcMon - http://technet.microsoft.com/en-us/sysinternals/bb896645
   2. Process Explorer - http://technet.microsoft.com/en-us/sysinternals/bb896653
5. Network:
   1. WireShark - http://www.wireshark.org/
   2. TcpView - http://technet.microsoft.com/en-us/sysinternals/bb897437
6. File and Registry:
   1. Regshot: http://sourceforge.net/projects/regshot/
   2. Capturebat - http://www.honeynet.org/node/315
   3. InstallWatchPro. - http://www.brothersoft.com/downloads/installwatch-pro-2.5c.html
   4. FileMon - http://technet.microsoft.com/en-us/sysinternals/bb896642
7. Misc:
   1. CFFexplorer - http://www.ntcore.com/exsuite.php
   2. Notepad++ - http://notepad-plus-plus.org/
   3. Dependency walker - http://www.dependencywalker.com/
   4. Sysinternal Tools - http://technet.microsoft.com/en-us/sysinternals/bb842062

©2012, copyright BLACK BURN

Bypassing Anti-virus using Code Injection Technique

Introduction:
This article throws light on how 'Code Injection' or 'DLL Injection' technique can be used as prominent weapon along with other techniques to bypass Anti-virus softwares. It also explains top level technical details revolving around EXE internals, protectors/packers, encoded shellcodes, inner working of Antivirus etc



Accompanying this article, you will find video demonstration of 'Injector (POC Tool)' which shows code injection technique to successfully bypass Antivirus software on the system.

Antivirus:
Antivirus (or anti-virus) Software is used to prevent, detect, and remove, malware, including computer viruses, worms, and Trojan horse. Such programs may also prevent and remove adware, spyware, and other forms of malware. � Wikipedia

Antivirus play a major role for the security of a system. But for hackers/ pentesters , it creates some big problems. During the post exploitation phase we have some sort of excess on the victim machine and generally we want to upload some tools on the victim machine for better control but here antivirus play with our tools and detect them as a malicious file and delete them. Now it may be possible if you are using your own tool then antivirus may fail to detect it but this is rare situation during a pentesting. In case, if we use publicly exposed tools then there is higher probability of getting caught by antivirus.

A simple example: Suppose we have a reverse shell now we know that this is a single connection to our machine from our victim and we don�t want to loose it at any condition. So we upload some tools on the victim machine like netcat or other executable (may be generated from metasploit) to get a backup connection etc.. may be to upgrade our shell to merepreter shell. But our victim is using a anti virus and anti virus delete the uploaded files. Now we need something else means either bypass AV or write our own code. But the question here is how antivirus is able to detect our executables (.exe).

Executables (.EXE):
Basically exe files not only contain your code but also contain some important data that is only meaningful for a Operating system loader.

AAnd technical name for that data is PE (portable executable) file header/ PE file format. I am not explaining pe file format here. Here is the snapshot,



PEview - PE File Viewer Tool:



So when we execute exe, windows loader first read the PE header and on the basis of header information loader loads the file into memory.br>
Executable Detection (top level view):



So when we copy the file on system then antivirus scan the file (check for known signatures) and if the file is malicious then delete the file.

Encrypter/packer/protector:
The above technologies (Encrypter/packer/protector) are not only to evade anti viruses. People also use them for ethical work. Basically encryptor/packers encrypt/pack the file and add the decryption/unpacking routine into the file. So when we execute the file windows loader loads the file on the basis of PE header (encryptor/packer does not pack the PE header of a file they only change the necessary values in PE header. Eg. Address of entry point, sections etc..). so the unpacking work something like this:



SSo unpacking/decryption routine unpack the code and then jump on the Original Entry Point (on our real code freshly recovered from unpacking routines).

So if we pack the exe with any packer then Antivirus should not be able to detect the exe?. Ok now its time to do some practical.
Pack any malicious file with UPX (a freeware packer) and then test again with Antivirus. You should see that your AV is again popping up the alert and telling that hey don't try to fool me it is malicious.. But our file was packed how AV still know that it is a malicious file and the answer is AV has also signature for UPX, so what AV is doing it loads the file detect the packer then decrypt/unpack(AV also know how to unpack UPX packed files ?) the file and then test the file, And this is the reason that AV still know that file is malicious. But hey where is proof that AV is doing all this shit to test file.

Ok to prove just open the same packed file in a hex editor and just overwrite the starting bytes with some garbage values and then again test it with your AV. Now you should see that AV is saying that file is clean (Reason: Because file is corrupted and AV have no option to unpack/decrypt it) fantastic that's all we want.

Concept of Code Injection - Ingeneric way to bypass AV:
BBecause exe files are going to detected by AVs( at least if you pack them with the publicly exposed packers/encryptors). So we have to think in a another way.

And the another way is: split the exe into two parts (not physically)
1.The core code (the actual code that performs a specific task for eg. Bind shell)
2.The interface - a mechanism that will inject the code into memory and execute that code.
So the functioning is something like this:



Note that from the above explanation we know that shellcode/code into a file is not going to be detected by AV because AV don�t know how to decode shellcode. (Don�t talk about Heuristic, I know AV vendors are joking ?)

Important Note: you may be thinking that why I am saying encoded shellcode because if you use metasploit shellcodes there signatures may be in AVs. If you encode the shellcode with any available encoder in metasploit then AVs not able to decode it in a file and not able to detect it (if you don't understand it read the whole stuff again ?). Although in some cases (Eg. Avast may be with others also) AV not alert if you use shellcodes that are not encoded because AV think that txt file are lame files. But if you force fully scan the file than AV alert.

Second part of the concept is the interface that will inject the code into a process. Code injection is not a new concept (dll injection is one of the most popular example).

Note: All the things are generic and are not specific to any tool or shellcodes. Metasploit and shellcodes are used only to demonstrate the concept. You can also inject your codes "that are detectable to AV in exe mode" with this method and can bypass AV.

Things that you can do with this method:

1.Can backdoor a process
2.Can provide many backup shells (every type)

We can use publically available tool (malicious) without fear and too many other things limited to your wild imaginations.


©2012, copyright BLACK BURN

Tools for Reverse Engineering and Malware Analysis

Introduction
Reverse engineering is the process of analyzing a subject system to identify the system's components and their relationships, and to create representations of the system in another form or at a higher level of abstraction. The process of reverse engineering, which is part of malware analysis, is accomplished using specific tools that are categorized as hex editors, disassemblers/debuggers, decompiles and monitoring tools.
Disassemblers/debuggers occupy important position in the list of reverse engineering tools. A disassembler converts binary code into assembly code. Disassemblers also extract strings, used libraries, and imported and exported functions. Debuggers expand the functionality of disassemblers by supporting the viewing of the stack, the CPU registers, and the hex dumping of the program as it executes. Debuggers allow breakpoints to be set and the assembly code to be edited at runtime.
One must be familiar with the Portable Executable (PE)[1]file format before diving into reverse engineering for Windows executables. In this article we will get into important aspects of Hiew, OllyDbg and IDA Pro from reverse engineer's perspective.

Hiew
Hiew[2] short for Hacker's view is a great disassembler (not that this is not debugger) designed for hackers, asthe name suggests. 
It supports three modes - Text, Hexadecimal and Decode (Dis-assembly) mode. Enter/F4 key is used to switch between these modes. In each mode the Function Line, corresponding to function keys from F1 to F12, which appears at the bottom of the Hiew screen, changes and its functionality with CTRL, SHIFT and ALT combinations.



Fig. 1 Hiew – Three modes: Text, Hex, Decode

PE Header
PE Header could be viewed by pressing F8 from Hex or Decode view. In this mode we could see important properties of PE file using following shortcuts:
F6
Sections Table

F7
Import Table

F9
Export Table

F10
Data Directories

F5
Jump to Entry Point

Alt-F2
Jump to end of last section



Fig. 2 Hiew – PE Header

Search in file
Hiew supports to search in a file for ASCII or HEX sequence of bytes by pressing F7 key. It also supports byte wild character.

Alt-?
Wild character

Shift-F7 
To repeat search

Alt-F7 
To change search direction

Strings
ASCII and Unicode strings are viewed from Text/Hex mode by pressing Alt-F6 key. This helps to search for juicy strings like suspicious urls, FTP, SMTP or IRC commands, files names, registry keys etc in the file. You could jump to selected string from string window by pressing ENTER key. +/- keys are used to change the minimum length of displayed strings, this will help to filter out smaller strings. You could apply filter for displayed strings using F9 key.



Fig. 3 Hiew – Strings from file

Moving around
You could directly jump to specific location by pressing F5 key and providing offset (offset values are hexadecimal?). To specify relative offset + or - sign could be used as prefix to offset. When specified offset is a Virtual Address, it should start with ".". Alt-F1 key is used to toggle between Virtual Address and file offset.
If you want jump to specific function or offset which appears as part of control transfer instruction like call, jmp or conditional jump, you could press the key that appears at the end of instruction. Please see Fig.1 marked for label 4. In this case if you press key “4”, it will take you to offset 0x010073DA.
0 or Backspace key is used to jump back the previous instruction.

Simple Decryption
Hiew supports decryption of block using simple encryptions like xor, add, rol etc. Press F3 from Hex or Decode view to enter in edit mode and then press F7 to add simple decryption routine. You could set operand size as byte, word or dword by pressing F2.
Hiew works great when used in combination with File Manager like FAR[3] by configuring its command line. This is very helpful disassembler to quickly get different aspects of file under analysis like file header, section information, data directories, imported / exported functions and strings. 

OllyDbg
OllyDbg[4][5]is an application-level debugger. OllyDbg interface shows the disassembly, hex dump, stack, and CPU registers. Additionally, OllyDbg supports run tracing, conditional breakpoints, PE header viewing, hex editing, and plug-in support.
At first Startup, OllyDbg asks to setup User Data Directory (UDD) and Plugins directory.UDD is used to keep debugged application specific information like breakpoints and other information and obviously you need to save plugins in Plugins directory. It provides wide Debugging Options like break on new module or when thread is created, how to process exceptions etc. OllyDbg supports setting of Hardware Breakpoints, Software Breakpoints, Memory Breakpoints and even Conditional Breakpoints.
OllyDbg supports plugins to enhance its functionality. 



Fig. 4 OllyDbgAdvanced Window

Olly Advanced Plugin
There were some bugs reported with Olly v1.10 related to string parsing routine, parsing of faulty executables. This plugin fixes most of these bugs. Some malware samples are loaded with Anti-Debugging techniques [7], Olly Advanced plugin helps to counter most of them.



Fig. 5 OllyDbg Advanced Plugin

Olly DumpPlugin
Olly Dump is used to dump debugged process memory. You could trace the packed file till it reaches original entry point and then dump unpacked version of file from process memory. It provides options to rebuild Import Address Table (IAT).



Fig. 6 OllyDbgDump Plugin

Olly ScriptPlugin
OllyScriptis a plugin to that lets you to automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using this plugin you could write a script once and it could be used with other similar samples. OpenRCE[8]hosts dozens of scripts that helpful to find original entry point (OEP) of many packers.

IDA Pro
IDA Pro is a powerful disassembler that presents the disassembly in well-organized format, shows Graph view of selected function. However, it is less frequently used as a debugger in reverse engineers community where OllyDbg steals the top rank. IDA Pro's features include hex editing, string extraction, and import and export viewing. IDA Pro also features a window for viewing all of the functions called by a program, and provides accurate analyses of the program, summarizing them in a color-coded bar at the top of the screen, which classifies the various sections of the program's code. Below figure shows IDA Pro's interface, including the disassembly and the color-coded analysis bar at the top of the screen. The titles of the other windows are visible on the tabs above the disassembly.



Fig. 7 IDA Pro Main Windows

IDA Pro supports wide variety of processors like ARM, DEC, Intel, Motorola etc.
IDA Pro provides selection of debuggers
• Bochs
• Win Debugger
• GDB
• WinDbg

IDA Pro with Boch semulator make an interesting combination that is used to debug Operating system starting from booting process and it is helpful in debugging even ROM BIOS and Master Boot Record code.
Analysis done on particular sample, comments added, functions marked could be saved as an .idb file.

IDA Shortcuts
Below is the list of some important IDA Shortcuts, for complete list please visit reference [9].

Enter
Goto address or variable

Esc
Go back to previous location

;
Add inline comment

INSERT | SHIFT ;
Add comment

N
Rename label, variable, functions etc.

X
Show cross reference

M
Substitute enum

CTRL W
*Dont forget to* Save changes

Extending IDA 
IDA supports writing IDC Scripts which is very similar to C like language on top of powerful IDA disassembler. The functionality of disassembler could be utilized even through python scripts and by writing plugins. 

FLIRT 
Fast Library Identification and Recognition Technology
One of the challenges with disassembly of programs developed with modern high level languages is to identify library functions. One may end up in spending considerable time to go through these functions. On the other hand identification of library functions can considerably ease the analysis of a program. IDA comes with FLIRT to recognize the standard library functions. 
One must understand the power of each tool to choose appropriate tool for specific requirement during reverse engineering.

References
1. Portable Executable File Format – A Reverse Engineer View 
http://tuts4you.com/download.php?view.2974
2. Hiew
http://www.hiew.ru/
3. FAR Manager
http://farmanager.com/
4. OllyDbg
http://www.ollydbg.de
5. OllyDbg Quick Start Guide 
http://tuts4you.com/download.php?view.214
6. OllyDbg Plugins
http://www.openrce.org/downloads/browse/OllyDbg_Plugins
7. Anti-Debugging 
http://lilxam.free.fr/repo/hacking/Windo...erence.pdf
8. Olly Scripts
http://www.openrce.org/downloads/browse/...llyScripts
9. IDA Shortcuts
http://www.hex-rays.com/idapro/freefiles...rtcuts.pdf
©2012, copyright BLACK BURN

Myanmar Kid's Haveji.exe Exposed !!

Analysis Of Haveji.exe
==============================================================
File Name :            Haveji.exe (aka Win32/Hupigon)
Binded With :         cmd.exe ( Downloader )
File Size:               28672
Total Processes:    2
MD5       :             "33154e683a6b9faee259e25ecbd7a0cb"
SHA 256 :             "eba09858b2ddb1f3e489086db4e5ae886fcb7c73352975a04bc2c295fe54ba2d"
SHA 1     :             "52be3b62465243d347117f28799f225b53b2a106"
File Type :             PE32 executable for MS Windows (GUI) Intel 80386 3
------------------------------------------------------------------------------------------------
Category:        Malware
Type:              Backdoor
Platform:         W32
Origin:            CHINA ( Jun 26, 2006 !! It's Too Old :p And Stolen From China :o)


Other Names Of This Shit : C!87,ZZSlash,Malware.SB.Bbc,Artemis!1508982B3D4D,Hupigon.
----------------------------------------------------------------------------------------------------


Summary ::
This Haveji Is written with Borland Delphi. Haveji is a family of backdoor Trojans. A Haveji infection includes TrojanDropper:Haveji and two to three files that the
 dropper installs. These additional files include Backdoor:Haveji, the main backdoor component, and Backdoor:Haveji!hook,
 a stealth component that hides files and processes associated with Haveji. The Trojan dropper may also install PWS:Haveji, 
 a plugin that logs keystrokes and steals passwords. Haveji may support other malicious plugins as well.


 Main Target : Key Log and Stealing Browsers Passwords 


Symptoms:
There are no common symptoms associated with this Haveji. Alert notifications from installed antivirus software may be the only symptom(s).


Technical Information (Analysis) :
------------------------------------------------
Win32/Hupigon=Haveji is a family of backdoor Trojans. A Win32/Hupigon infection includes TrojanDropper:Win32/Hupigon and two to three 
dynamic-link library (DLL) files that the dropper installs.


TrojanDropper:Win32/Hupigon copies itself to the Windows system folder and runs itself from there. The Trojan dropper then drops the following 
DLL files: Backdoor:Win32/Hupigon. This is the main backdoor component of Win32/Hupigon. TrojanDropper:Win32/Hupigon registers this 
component as a service. The service opens a backdoor server that allows other computers to connect to and control the infected computer in 
various ways. Backdoor:Win32/Hupigon connects to a specified Web site to notify the attacker of the infection. This backdoor component may 
have other functionality, such as the ability to host a telnet server and the means to connect to a video source such as a Web cam to spy on the 
user using Windows API functions for audio-video interleave (AVI) capture. Backdoor:Win32/Hupigon!hook. This is the stealth component of 
Win32/Hupigon. This component hides files and processes associated with Win32/Hupigon by intercepting certain Windows API function calls. 
Backdoor:Win32/Hupigon!hook is injected into other processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.


TrojanDropper:Win32/Hupigon may also install PWS:Win32/Hupigon. This DLL is a plugin that logs keystrokes and steals passwords. 
PWS:Win32/Hupigon tries to capture Windows logon credentials and may also try to capture other user data. It too is injected into other 
processes by TrojanDropper:Win32/Hupigon using CreateRemoteThread.


Process :
========
Deleted Files ::
[process 1] C:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp


Stored Modified Files::
[process 1] C:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp\Haveji.bat


Created Mutexes ::
[process 1] Name: Groove:PathMutex:YoNgf9TlAyd0477wzgfiTWi4XXU=
Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE
[process 1] Name: Local\ZonesCounterMutex
Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE
[process 1] Name: Local\ZoneAttributeCacheCounterMutex
Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE
[process 1] Name: Local\ZonesCacheCounterMutex
Desired Access: DELETE READ_CONTROL SYNCHRONIZE WRITE_DAC WRITE_OWNER MUTEX_MODIFY_STATE


Created Keys ::
[process 2] \REGISTRY\MACHINE\System\CurrentControlSet\Control\TimeZoneInformation


Set Values ::
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG
Value: Seed
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Explorer\Shell Folders
Value: Personal
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Explorer\MountPoints2\{3259504d-e161-11e0-bf1d-806d6172696f}
Value: BaseClass
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Explorer\MountPoints2\{3259504b-e161-11e0-bf1d-806d6172696f}
Value: BaseClass
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Explorer\MountPoints2\{3259504a-e161-11e0-bf1d-806d6172696f}
Value: BaseClass
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Value: Common Documents
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Explorer\Shell Folders
Value: Desktop
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Value: Common Desktop
[process 1] Key Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Value: Common AppData
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Explorer\Shell Folders
Value: Local AppData
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Internet Settings\ZoneMap
Value: ProxyBypass
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Internet Settings\ZoneMap
Value: IntranetName
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Internet Settings\ZoneMap
Value: UNCAsIntranet
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Internet Settings\ZoneMap
Value: AutoDetect
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Internet Settings\ZoneMap
Value: ProxyBypass
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Internet Settings\ZoneMap
Value: IntranetName
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Internet Settings\ZoneMap
Value: UNCAsIntranet
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Internet Settings\ZoneMap
Value: AutoDetect
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Explorer\Shell Folders
Value: Cache
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Curr
entVersion\Explorer\Shell Folders
Value: Cookies
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\Shel
lNoRoam\MUICache
Value: C:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp\Haveji.bat


Network Traffic
Connection #1 Local 10.20.25.255 to 10.20.25.247
.............................................................................
Note :
If You Want All Details Analysis  Please Leave a Comment And I'll Send You ......


The following text strings  found in a Haveji :


6600.org
BEI_ZHU
GrayPigeon
Hacker.com.cn.exe
huaihuaitudou
Rejoice2007
woainisisi


Installation ::
-------------------


When the backdoor's file is started, it copies itself as a file named something similar to "Haveji.exe" in the Windows 
System folder and then uses the following processes to make itself to look like a valid Windows program:


calc.exe
cmd.exe
mmc.exe
mspaint.exe
mstsc.exe
notepad.exe
osk.exe
sndrec.exe
sndvol32.exe
svchost.exe
winchat.exe
It also makes a number of additions to the registry.


File System Modifications bY Haveji.exe ::
--------------------------------------------------------------
The following files were created in the system:


%USERPROFILE%\ Application Data\ MsMpEng.exe
%APPDATA%\ Microsoft\ 16BA\ 7D7.exe
%USERPROFILE%\ Local Settings\ Application Data\ giq.exe
%WINDIR%\ svchost\ svchost.exe
%APPDATA%\ 457D.exe


Activity Of Haveji ::
1.It allows others to access the computer
2.Allows for recording with the user's webcam
3.Can make the user's computer to attack various servers
4.Send victim's computer messages
5.Has rootkit functionality so it has a stealth component that hides files
6.Create logs from keystrokes, steals passwords, and sends this information to remote servers



Propagation (  LoL :D ) :
------------------------------------
Haveji doesn't have any automatic mechanisms to spread itself. It must be sent by its author via e-mail, through a website, or even via Instant Messengers (IM) such as Yahoo, MSN, ICQ, and Skype.



Creating Haveji Variants : (The Myanmar Kiddo's Stole It From Chinese !! )
-------------------------------------
Haveji variants are created using kit software. The kit is maintained in a very professional fashion with a highly developed User Interface (UI).
The main UI of the kit can be seen below:

Many options can be set. The "Fast Configuration" shown below enable the following options:

Service name is rejoice44.exe

Installation path is Msinfo…
Password is 1234
Icon is taken from MS Media Player
Uses Internet Explorer to bypass firewall
Create mutex and remove installer from installer folder
Pack code by using UPX
Self/auto-clone protected installation path is "system32"
Executable is calc.exe


There is also a "rootkit" option available. Other options including adding a URL to target for a Distributed Denial of Service (DDoS) attack :

Registry Modifications

Creates these keys:


HKLM\System\CurrentControlSet\Services\system32
ImagePath = C:\WINDOWS\Hacker.com.cn.exe
HKLM\System\CurrentControlSet\Services\system32
HKLM\System\CurrentControlSet\Services\system32\Security


Prevention ::
------------------
Take the following steps to help prevent infection on your computer:


1.Enable a firewall on your computer.
2.Get the latest computer updates for all your installed software.
3.Use up-to-date antivirus software.
4.Limit user privileges on the computer.
5.Use caution when opening attachments and accepting file transfers.
6.Use caution when clicking on links to Web pages.
7.Protect yourself against social engineering attacks.
8.Use strong passwords.
9.Use Master Password For Your Browser .
10. Use Microsoft Security Essentials: http://www.microsoft.com/security_essentials/


©2012, copyright BLACK BURN