Botnets - The killer web applications

www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10
361


possible TNotification objects, a separate section is included if such notifications have been monitored during the execution. In the following, some interesting extracts from these sections are shown and explained. Notice that sometimes we have skipped several notifications or left out some of their attributes for better readability.









The upper section gives us information about the loaded modules of the malware process. It starts with the malware image file itself, followed by the Windows standard libraries ntdll.dll and kernel32.dll, which are loaded into every Windows user process. From the fact that msvcrt.dll is loaded, we can assume that the malware is written in C, since it is the standard runtime library for Microsoft C applications. As the libraries ws2_32.dll (Winsock) and wininet.dll (WinINet, the HTTP/FTP client API built on top of Winsock) are loaded, we know that the malware is going to set up outgoing or incoming TCP/IP connections. Because the examined file is a bot, this is not surprising. From the fact that pstorec.dll is loaded, we can assume that the malware is going to access the Protected Storage, most probably to steal authentication data stored there. Keep in mind that a loaded module only tells us that the library was mapped into the process; whether its functions are actually called is shown by the corresponding notifications later in the report. In the next analysis section you can see what we assumed before: the malware copies itself to the Windows system directory using the destination filename arman.exe:

dstfile="C:\WINDOWS\system32\arman.exe"
creationdistribution="CREATE_ALWAYS"/>

The following outputs show us that a new process is started from this newly created arman.exe file. We see that the new process should be created without showing its main window: showwindow="SW_HIDE". Furthermore, we are informed that the API function CreateProcessA was used for that purpose. The
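To make the reading above repeatable, here is an added example (my own code, not CWSandbox's and not from the book) that parses a CWSandbox-style XML report and applies exactly these heuristics: it ignores the always-present modules, maps the telling DLLs to what their presence suggests, flags a copy of the sample's own image into a system directory, and flags processes created with showwindow="SW_HIDE", linking the two when the hidden process is the freshly dropped copy. The embedded report is constructed by hand to approximate the format; the element names (process, load_dll, copy_file, create_process) and the attributes filename, srcfile, commandline and apifunction are assumptions, while dstfile, creationdistribution and showwindow are the names quoted in the text.

```python
"""Added example: triage heuristics over a CWSandbox-style XML report.

SAMPLE_REPORT is constructed by hand to approximate the report format the
chapter describes; it is not an actual CWSandbox report.  Element names and
the attributes filename, srcfile, commandline and apifunction are assumptions;
dstfile, creationdistribution and showwindow are the names quoted in the text.
"""
import xml.etree.ElementTree as ET

# Inference the chapter draws from each loaded library.
MODULE_HINTS = {
    "msvcrt.dll": "Microsoft C runtime: sample is probably written in C",
    "ws2_32.dll": "Winsock: outgoing or incoming TCP/IP connections",
    "wininet.dll": "WinINet: HTTP/FTP client API on top of Winsock",
    "pstorec.dll": "Protected Storage: probable theft of stored credentials",
}

# Mapped into every Windows user process, so they carry no signal by themselves.
BASELINE_MODULES = {"ntdll.dll", "kernel32.dll"}

# Drop locations that make a copy_file look like self-installation.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

SAMPLE_REPORT = r"""<analysis>
  <process filename="C:\temp\sample.exe" pid="1234">
    <dll_handling_section>
      <load_dll filename="C:\temp\sample.exe" successful="1"/>
      <load_dll filename="C:\WINDOWS\system32\ntdll.dll" successful="1"/>
      <load_dll filename="C:\WINDOWS\system32\kernel32.dll" successful="1"/>
      <load_dll filename="C:\WINDOWS\system32\msvcrt.dll" successful="1"/>
      <load_dll filename="C:\WINDOWS\system32\ws2_32.dll" successful="1"/>
      <load_dll filename="C:\WINDOWS\system32\wininet.dll" successful="1"/>
      <load_dll filename="C:\WINDOWS\system32\pstorec.dll" successful="1"/>
    </dll_handling_section>
    <filesystem_section>
      <copy_file srcfile="C:\temp\sample.exe"
                 dstfile="C:\WINDOWS\system32\arman.exe"
                 creationdistribution="CREATE_ALWAYS"/>
    </filesystem_section>
    <process_section>
      <create_process commandline="C:\WINDOWS\system32\arman.exe"
                      showwindow="SW_HIDE" apifunction="CreateProcessA"
                      successful="1"/>
    </process_section>
  </process>
</analysis>
"""


def basename_ci(path: str) -> str:
    """Last component of a Windows path, lower-cased; works on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(report_xml: str) -> dict:
    """Apply the chapter's reading of a report to every <process> in it."""
    root = ET.fromstring(report_xml)
    findings = {
        "modules": {},               # dll name -> what its presence suggests
        "self_copies": [],           # own image copied into a system directory
        "hidden_processes": [],      # (commandline, apifunction) with SW_HIDE
        "dropped_and_launched": [],  # a self-copy that was then started hidden
    }
    for proc in root.iter("process"):
        image = proc.get("filename", "")
        for dll in proc.iter("load_dll"):
            name = basename_ci(dll.get("filename", ""))
            if name in BASELINE_MODULES or name == basename_ci(image):
                continue  # skip the image itself and the always-present DLLs
            if name in MODULE_HINTS:
                findings["modules"][name] = MODULE_HINTS[name]
        for cp in proc.iter("copy_file"):
            src, dst = cp.get("srcfile", ""), cp.get("dstfile", "")
            if src.lower() == image.lower() and dst.lower().startswith(SYSTEM_DIRS):
                findings["self_copies"].append(dst)
        for cr in proc.iter("create_process"):
            if cr.get("showwindow") != "SW_HIDE":
                continue
            cmd = cr.get("commandline", "")
            findings["hidden_processes"].append((cmd, cr.get("apifunction", "")))
            # The chain the text describes: copy self to system32, then run it hidden.
            if cmd.lower() in (d.lower() for d in findings["self_copies"]):
                findings["dropped_and_launched"].append(cmd)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Two caveats when running this over real reports: a loaded module only shows that the library was mapped, so the hints are starting points to confirm against the API notifications further down, and the commandline match is an exact, case-insensitive path comparison, so a process started with arguments or quoting needs the path extracted first.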
