Hunting for Bugs, but Found a Worm
Hi All, my name is Ron Riddle and I’m an Escalation Engineer on the core Windows team. I worked an issue recently wherein a svchost.exe was crashing due to heap corruption; so, after enabling Page Heap and breaking out the services as needed, I received a user-mode dump that would show me the culprit. I was expecting to find a legitimate bug either in our code or a third-party module; but, much to my surprise, I found that malware had caused a buffer overrun and the subsequent crash. With that, I would like to share the simple approach I took in identifying the malware within the dump file.
1. I start by dumping out the offending call stack. Notice that the debugger wasn’t able to map the code addresses to a loaded or unloaded module.
0:003> kbn
# ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 02bcfdcc 7c81a35f 02b7ae40 7c81a3ab 00000004 0x2b685b0
01 02bcfde4 02b68bfe 02b7ae40 00000000 77e424ee ntdll!LdrpCallInitRoutine+0x21
02 02bcfde8 02b7ae40 00000000 77e424ee 02b7ae10 0x2b68bfe
03 02bcfdec 00000000 77e424ee 02b7ae10 00000000 0x2b7ae40
2. Next, I try to learn more about the mystery address, such as what larger allocation it was a part of.
0:003> !address 0x2b685b0
Usage: <unclassified>
Allocation Base: 02b60000
Base Address: 02b61000
End Address: 02b81000
Region Size: 00020000
Type: 00020000 MEM_PRIVATE
State: 00001000 MEM_COMMIT
Protect: 00000040 PAGE_EXECUTE_READWRITE
3. By now, I am suspicious of a rogue module, so I proceed in searching the aforementioned address range for a DOS Signature(i.e. 0x5A4D or “MZ”) that I know any Portable Executable file must contain. I start with the Base Address from the above output and use the Region Size to specify my range.
0:003> s -a 02b61000 l20000/4 "MZ"
02b615d8 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
02b61bd0 4d 5a 75 f4 5f 83 c4 08-c2 04 00 55 8d 44 24 0c MZu._......U.D$.
02b67cd0 4d 5a 0f 85 69 01 00 00-8b 4d 7c 8b 46 3c 81 c1 MZ..i....M|.F<..
02b681bf 4d 5a 74 07 33 c0 e9 c9-01 00 00 8b 45 0c 56 8b MZt.3.......E.V.
4. Now that I have some hits, I’ll start with the first one and verify whether it’s a valid module. Bingo!
0:003> !dh -a 02b615d8
File Type: DLL
FILE HEADER VALUES
14C machine (i386)
5 number of sections
37304740 time date stamp Wed May 05 08:27:28 1999
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
2102 characteristics
Executable
32 bit word machine
DLL
OPTIONAL HEADER VALUES
10B magic #
7.00 linker version
600 size of code
600 size of initialized data
0 size of uninitialized data
10B0 address of entry point
1000 base of code
----- new -----
10000000 image base
1000 section alignment
200 file alignment
1 subsystem (Native)
4.00 operating system version
0.00 image version
4.00 subsystem version
6000 size of image
400 size of headers
41AE checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
0 DLL characteristics
0 [ 0] address [size] of Export Directory
4000 [ 28] address [size] of Import Directory
0 [ 0] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
5000 [ 4C] address [size] of Base Relocation Directory
0 [ 0] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
0 [ 0] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
2000 [ 44] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory
SECTION HEADER #1
.text name
3CC virtual size
1000 virtual address
400 size of raw data
400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
68000020 flags
Code
Not Paged
(no align specified)
Execute Read
SECTION HEADER #2
.rdata name
68 virtual size
2000 virtual address
200 size of raw data
800 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
48000040 flags
Initialized Data
Not Paged
(no align specified)
Read Only
SECTION HEADER #3
.data name
56 virtual size
3000 virtual address
200 size of raw data
A00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C8000040 flags
Initialized Data
Not Paged
(no align specified)
Read Write
SECTION HEADER #4
INIT name
1D4 virtual size
4000 virtual address
200 size of raw data
C00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E2000020 flags
Code
Discardable
(no align specified)
Execute Read Write
SECTION HEADER #5
.reloc name
82 virtual size
5000 virtual address
200 size of raw data
E00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only
5. Because I’m not sure which sections might contain identifying characteristics, I decide to go spelunking through all the sections (except for the relocation section) looking for said characteristics that might help me to identify the rogue module. I start with the relative virtual address of the .text section @ 0x1000 and continue through the INIT section @ 0x4000.
0:003> dc 02b615d8+0x1000 l4000/4
…
02b63c58 00000065 646c6977 73737265 72756365 e...wilderssecur
02b63c68 00797469 65726874 78657461 74726570 ity.threatexpert
02b63c78 00000000 74736163 6f63656c 00007370 ....castlecops..
02b63c88 6d617073 73756168 00000000 65737063 spamhaus....cpse
02b63c98 65727563 00000000 61637261 00746962 cure....arcabit.
02b63ca8 69736d65 74666f73 00000000 626e7573 emsisoft....sunb
02b63cb8 00746c65 75636573 6f636572 7475706d elt.securecomput
02b63cc8 00676e69 69736972 0000676e 76657270 ing.rising..prev
02b63cd8 00000078 6f746370 00736c6f 6d726f6e x...pctools.norm
02b63ce8 00006e61 6f63376b 7475706d 00676e69 an..k7computing.
02b63cf8 72616b69 00007375 72756168 00000069 ikarus..hauri...
02b63d08 6b636168 74666f73 00000000 74616467 hacksoft....gdat
02b63d18 00000061 74726f66 74656e69 00000000 a...fortinet....
02b63d28 64697765 0000006f 6d616c63 00007661 ewido...clamav..
02b63d38 6f6d6f63 00006f64 63697571 6165686b comodo..quickhea
02b63d48 0000006c 72697661 00000061 73617661 l...avira...avas
02b63d58 00000074 66617365 00000065 6c6e6861 t...esafe...ahnl
02b63d68 00006261 746e6563 636c6172 616d6d6f ab..centralcomma
02b63d78 0000646e 65777264 00000062 73697267 nd..drweb...gris
02b63d88 0074666f 74657365 00000000 33646f6e oft.eset....nod3
02b63d98 00000032 72702d66 0000746f 74746f6a 2...f-prot..jott
02b63da8 00000069 7073616b 6b737265 00000079 i...kaspersky...
02b63db8 65732d66 65727563 00000000 706d6f63 f-secure....comp
02b63dc8 72657475 6f737361 74616963 00007365 uterassociates..
02b63dd8 7774656e 616b726f 636f7373 65746169 networkassociate
02b63de8 00000073 75727465 00007473 646e6170 s...etrust..pand
02b63df8 00000061 68706f73 0000736f 6e657274 a...sophos..tren
02b63e08 63696d64 00006f72 6661636d 00006565 dmicro..mcafee..
02b63e18 74726f6e 00006e6f 616d7973 6365746e norton..symantec
02b63e28 00000000 7263696d 666f736f 00000074 ....microsoft...
02b63e38 65666564 7265646e 00000000 746f6f72 defender....root
02b63e48 0074696b 776c616d 00657261 77797073 kit.malware.spyw
02b63e58 00657261 75726976 00000073 304ce942 are.virus...B.L0
…
02b64348 54464f53 45524157 63694d5c 6f736f72 SOFTWARE\Microso
02b64358 575c7466 6f646e69 435c7377 65727275 ft\Windows\Curre
02b64368 6556746e 6f697372 78655c6e 726f6c70 ntVersion\explor
02b64378 415c7265 6e617664 5c646563 646c6f46 er\Advanced\Fold
02b64388 485c7265 65646469 48535c6e 4c41574f er\Hidden\SHOWAL
02b64398 0000004c 63656843 5664656b 65756c61 L...CheckedValue
…
02b63ee8 ffffffff 02b6a44f 02b6a453 70747468 ....O...S...http
02b63ef8 772f2f3a 672e7777 796d7465 6f2e7069 ://www.getmyip.o
02b63f08 00006772 70747468 772f2f3a 772e7777 rg..https://www.w
02b63f18 73746168 7069796d 72646461 2e737365 hatsmyipaddress.
02b63f28 006d6f63 70747468 772f2f3a 772e7777 com.https://www.w
02b63f38 69746168 69796d73 726f2e70 00000067 hatismyip.org...
02b63f48 70747468 632f2f3a 6b636568 642e7069 https://checkip.d
02b63f58 6e646e79 726f2e73 00000067 61207069 yndns.org...ip a
02b63f68 65726464 00007373 ffffffff 02b6a55e ddress......^...
…
02b64858 00000020 74666f53 65726177 63694d5c ...Software\Mic
02b64868 6f736f72 575c7466 6f646e69 435c7377 rosoft\Windows\C
02b64878 65727275 6556746e 6f697372 75525c6e urrentVersion\Ru
02b64888 0000006e 646e7572 32336c6c 6578652e n...rundll32.exe
02b64898 73252220 73252c22 00000000 0065006e "%s",%s....n.e.
02b648a8 00730074 00630076 00000073 00000020 t.s.v.c.s... ...
6. The list of anti-malware software vendors was a dead give-away that I was dealing with malware. Finally, I conducted a Bing search using various artifacts from the preceding spew. In the end, I was able to confirm that the rogue module was, in fact, the Conficker worm by simply running a full scan of the system using a signature-based scanner.
I hope this walk-through provided you with techniques that you can leverage to identify rogue modules within your dump files, should that become necessary. Until next time, happy bug-hunting and watch out for the worms!