I. Summary
Recently, the Huorong Security Lab intercepted a kernel-level backdoor virus and named it "Pengex". Analysis shows that Pengex hijacks the user's browser homepage traffic for profit, but unlike other "traffic hijacking" viruses it is highly skilled and aggressive: it actively attacks the domestic mainstream security software, stripping them of their ability to fight back in the kernel and leaving the computer without any security protection. Strangely, Pengex alone does not attack Tencent PC Manager and deliberately "lets it go".
Pengex spreads through pirated system installation disks and keygen ("registration machine") software, and leaves a backdoor on the user's computer through which any virus can later be implanted at any time, so the threat is serious. Pengex attacks various mainstream anti-virus products, including Huorong, 360, Kingsoft and others, causing their drivers to fail to load and so depriving them of kernel-layer anti-virus capability.
Interestingly, the virus deliberately lets Tencent PC Manager go: it adds Tencent PC Manager to its whitelist and skips it during the "delete driver callback" operation. This behavior suggests that the virus gang is likely a system-disk channel promotion service provider for Tencent PC Manager, and Huorong suggests that Tencent PC Manager thoroughly check its system-disk promotion channels.
Pengex hijacks the homepage for profit by modifying browser configuration and process startup parameters, pointing different browsers to different navigation sites according to the vendor's plan. The virus attacks not only security software but also other similar viruses, so as to monopolize the user's homepage resources for profit. According to the analysis, the channel ID set after the virus hijacks the homepage is "oemxiazaiba2" (the second half, "xiazaiba", is the pinyin of "download bar"); please check and verify this channel account.
Huorong Security software updated its virus database immediately and can thoroughly remove the virus. Huorong engineers remind users that if they need to reinstall the system, they should purchase a genuine system through regular channels; at present, pirated system disks have become an important transmission channel for computer viruses.
II. Detailed analysis
The virus is a kernel-level backdoor, and it is preliminarily suspected that the sample is mainly distributed through third-party system disks. After the sample runs on the system, the drivers of mainstream domestic security software (Huorong, 360, Kingsoft, etc.) can no longer be loaded normally, so the security software loses its defensive ability. Once the malicious code has executed, any virus code stored on the remote C&C server can be executed.
The virus consists of two parts, the virus loader and the backdoor virus; the following analysis is likewise divided into two parts. The virus structure is shown below:
Overall structure of virus
Virus loader
This part of the code is mainly used to counter security software detection and kernel-level confrontation. The loader's code is divided into two parts: first it loads a new ntoskrnl image in memory by virtual mapping, then it loads the real virus driver into memory in the same way, with the driver's imported ntoskrnl function addresses pointed at the functions in its own virtually loaded ntoskrnl image. In this way it bypasses the kernel hooks that other drivers have set in ntoskrnl. The global variable is_virus_load is a flag: whether the driver was loaded by virtual mapping is determined by whether the RegistryPath parameter passed to the driver's main function is NULL. As shown in the figure below:
Loader driver main function code
(1) Virtual loading of ntoskrnl
The load_make_ntoskrnl_safe function loads a new ntoskrnl image by virtual loading. After the virtual-loading logic runs, it compares the result against the first 0x200 bytes of the ntoskrnl image that the system currently has loaded in memory, to judge whether the content of the ntoskrnl image it built is correct. As shown in the figure below:
Check if virtual load succeeded
Virtual load ntoskrnl
(2) Virtual loading of the backdoor virus
The load_rootkit function loads the real virus driver in the same way as the virtual mapping of ntoskrnl. The virus driver's image data is encrypted by XOR with 0xC0. The function first decrypts the virus data, then maps the driver, fixes up the import table and applies relocations, and finally executes the virus driver's entry point by calling ExQueueWorkItem. As shown in the figure below:
Load virus driver
As shown in the figure above, the WORK_QUEUE_ITEM structure passed to ExQueueWorkItem has additional data appended at its end; in this call, that additional data stores the entry point address of the loaded driver. As shown in the figure below:
Execute driver entry
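The decryption step of the loader above (driver image XOR 0xC0, then a header sanity check before it is mapped) is the part an analyst has to reproduce to get at the embedded driver; the same single-byte XOR is applied to the configuration blob described later. The following is an added example, not Huorong's code and not the virus's: it carves a single-byte-XOR-encoded PE image out of a larger blob, deriving the key from the expected "MZ" signature and confirming it with the PE header, so it also works when the key is something other than 0xC0. The sample blob and the minimal PE header are constructed here for illustration.

```python
"""Carve a single-byte-XOR-obfuscated PE image out of a larger blob (added example)."""
import struct
from typing import Optional, Tuple

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same transform Pengex applies with key 0xC0."""
    return bytes(b ^ key for b in data)


def looks_like_pe(image: bytes) -> bool:
    """Cheap sanity check: 'MZ' at 0, e_lfanew at 0x3C pointing to 'PE\\0\\0'."""
    if len(image) < 0x40 or image[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return e_lfanew + 4 <= len(image) and image[e_lfanew:e_lfanew + 4] == PE_MAGIC


def carve_xored_pe(blob: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (offset, key, decoded_image) of the first XOR-encoded PE in blob, else None.

    For each offset the key is forced by assuming that byte decodes to 'M'; the candidate
    survives only if the next byte decodes to 'Z' and the PE header then checks out.
    """
    for off in range(len(blob) - 1):
        key = blob[off] ^ DOS_MAGIC[0]
        if blob[off + 1] ^ key != DOS_MAGIC[1]:
            continue
        candidate = xor_bytes(blob[off:], key)
        if looks_like_pe(candidate):
            return off, key, candidate
    return None


def build_fake_pe() -> bytes:
    """Constructed minimal PE header (not real driver bytes), used only as sample input."""
    hdr = bytearray(0x40)
    hdr[0:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew: PE header right after DOS header
    return bytes(hdr) + PE_MAGIC + b"\x00" * 20  # padding standing in for the file header


# Constructed loader-like blob: 16 bytes of unrelated data, then the image XOR 0xC0.
SAMPLE_BLOB = b"\x11" * 16 + xor_bytes(build_fake_pe(), 0xC0)

if __name__ == "__main__":
    hit = carve_xored_pe(SAMPLE_BLOB)
    print("not found" if hit is None else f"offset={hit[0]:#x} key={hit[1]:#04x}")
```

Run against a dump of the loader driver, the function returns the offset of the embedded image and the key it was encoded with; on the constructed blob above it reports offset 0x10 and key 0xC0. The 'MZ' pre-check keeps the scan linear, and the PE-header confirmation is the same idea as the loader's own 0x200-byte comparison: decode, then verify before trusting the result.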
Kernel-level backdoor
After the virus executes, it continuously communicates with the C&C server (domain name: caoduba.com, or 139.129.234.76, port 7897). The code that decrypts the domain name and IP address used by the virus is shown in the figure below:
Decrypt domain name and IP address
(1) Virus communicates with the C&C server
The communication between the virus and the C&C server can be divided into two categories:
1) Data request notification
After receiving a data-request notification from the virus, the server returns the requested data according to the control code. Through this communication the virus can load a remote driver module, obtain a remote dynamic library to inject into a system process, and obtain the configuration data for traffic hijacking. The meaning of each control code is shown in the figure below:
Data request related control code
2) Operation status notification
From the control code in the notification, the server learns the current running status of the virus, such as whether the image-load callback was set successfully or whether the user's homepage was hijacked successfully; from these notifications the virus author can learn about problems that may occur while the virus runs. The meaning of each control code is shown in the figure below:
Operation status notification
From the above control commands we can see directly that the virus can not only hijack the user's homepage according to remotely obtained configuration data, but also execute arbitrary malicious code on the user's computer at the virus author's request. Because the virus prevents the security software from loading, the security software completely loses the ability to fight it in the kernel, which makes it difficult to remove.
The virus communicates with the server as shown in the following figure:
Send data code
Communication uses the TDI network functions; the code that connects to the server is shown below:
Call TDI network functions to connect to the server
The send and receive code is similar, so only sending is shown, as in the figure below:
Call TDI network function to send data
(2) Analysis of control code functions
Next we analyze the virus's functions in detail by the main control codes it uses:
1) Control code 0x2: obtain the virus's execution configuration data for traffic hijacking
After communicating with the server, the virus obtains the hijacking configuration data, including whether to hijack each browser, the URL each browser is to be hijacked to, and the execution flags that control the virus's execution flow. As shown in the figure below:
Download configuration
The configuration data is not stored in clear text: after download it must be decrypted byte by byte by XOR with 0xC0. The data is 0x1CA0 bytes long in total. As shown in the figure below:
Decryption configuration
The downloaded browser configuration includes the types of browsers to hijack, the URL for each browser, which countermeasures to perform, whether to hijack the homepage-protection registry keys of Tencent PC Manager, and the contents of the hijacked registry keys. As shown in the figure below:
Downloaded configuration content
The variable virus_proc_ctrl_code marked in the red box in the figure above controls the flow of the virus's countermeasure operations, such as deleting other drivers' image-load and process callbacks and truncating the chain of devices attached to the system network drivers. Because the vast majority of browser homepage-protection and hijacking tools operate at these locations, these countermeasures raise the hijacking success rate to some degree while the virus hijacks traffic. The variable specifies the execution flow as bit fields, whose meanings are shown in the figure below:
Bit field meanings
The execution flow is controlled by the virus_proc_ctrl_code variable, as shown in the figure below:
virus_proc_ctrl_code
Below we explain the countermeasures in the order shown in the figure above:
A. Remove other drivers' process and image-load callbacks
This method targets hijacking or protection of browser startup parameters that is implemented with process callbacks and image-load callbacks. The virus first locates the callback function table by searching the code of the system function that registers the callback, then checks whether the driver module owning each callback function is on its whitelist; if not, it deletes the callback. After successful deletion it sends running-status notification 0x10 to the server. As shown in the figure below:
Delete image load callback
Search image-load callback function list code
Determine whether the driver module of the callback address is in the whitelist
The strings stored in the whitelist can be file names or parts of file names. Besides some system driver modules, they include the drivers of Tencent PC Manager: because all Tencent PC Manager drivers contain the strings qqpcmgr, TS and TS, all Tencent PC Manager drivers are let through. The whitelist is as follows:
Whitelist
Detect the callback's module file name
Deleting a process callback is similar to deleting an image-load callback. If the process callback table cannot be obtained during execution, control code 0xE is sent to the C&C server; if the process callback is registered successfully, 0x11 is sent to the C&C server. As shown in the figure below:
Delete process callback
Search process callback function list
B. Truncate the chain of devices attached to the system network driver objects
In addition to deleting driver callbacks, the virus can cut off the chain of devices attached to the TCPIP, AFD and TDX drivers, so as to eliminate the influence of network filter drivers on its traffic hijacking. As shown in the figure below:
Truncating the attached device chain
C. Empty the hosts file
Clear hosts
D. Clear BHOs (Browser Helper Objects)
All BHOs are removed by deleting every subkey under the registry key \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. However, if the virus finds the registry key \Registry\Machine\Software\Wow6432Node\Tencent\QQPCMgr on the system, the BHOs are not cleared. As shown in the figure below:
Delete BHO related codes
Delete BHO registry key
E. Reset IE proxy settings
The virus disables the network proxy by setting the ProxyEnable value under \Registry\User\<current user>\Software\Microsoft\Windows\CurrentVersion\Internet Settings to 0.
F. Hijack browser configuration
After the countermeasures, the virus tries to modify the configuration of several common browsers (IE, QQ Browser, 360 Secure Browser, Firefox, TheWorld) and the homepage protection of Tencent PC Manager using the received hijack URLs and related data, so as to hijack traffic. After the hijacking operation, control code 0x4 is sent to the C&C server. As shown in the figure below:
Hijacking browser and Tencent PC Manager homepage-protection configuration
The browser hijacking code, taking 360 Secure Browser as an example, is shown below:
Construct 360 Secure Browser related environment string
What caught our attention most is that when hijacking the 360 Secure Browser homepage, the virus also sets the channel ID to "oemxiazaiba2", whose second half ("xiazaiba") is the pinyin of "download bar". However, because the available information is limited, we cannot yet verify whether it has a direct relationship with "download bar". As shown in the figure below:
Hijack 360 Secure Browser homepage code
G. Hijack Tencent PC Manager's homepage-protection website
In addition to tampering with browser configuration, the virus hijacks Tencent PC Manager's homepage-protection website by adding a user-defined protected website (the registry entries for user-defined websites begin with 3rd). As shown in the figure below:
Modify Tencent PC Manager homepage-protection registry key
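Taken together, the C&C endpoint given earlier (caoduba.com / 139.129.234.76:7897), the "oemxiazaiba2" channel tag, the "3rd"-prefixed protection entries and the side effects of countermeasures C, D and E are the artifacts a responder can look for on a suspect host. The following is an added example, not Huorong's code, of a sweep over those indicators. It works on a snapshot dictionary constructed here rather than a live registry read; the C&C values, the BHO and Internet Settings paths and the Tencent QQPCMgr key come from the report, while the HomePageProtect subkey name, the severity weights and the ProxyServer heuristic are my assumptions.

```python
"""Indicator sweep for the Pengex artifacts described in this report (added example)."""
from typing import Any, Dict, List, Tuple

C2_DOMAIN = "caoduba.com"                   # from the report
C2_ENDPOINT = ("139.129.234.76", 7897)      # from the report
CHANNEL_TAG = "oemxiazaiba2"                # from the report
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
INET_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PCMGR_KEY = r"HKLM\SOFTWARE\WOW6432Node\Tencent\QQPCMgr"   # path from the report
PCMGR_PROTECT_KEY = PCMGR_KEY + r"\HomePageProtect"        # ASSUMED subkey name, not from the report

Finding = Tuple[str, str]  # (severity, description)


def sweep(snapshot: Dict[str, Any]) -> List[Finding]:
    """Return findings for a host snapshot; severities are this example's own weighting."""
    findings: List[Finding] = []
    reg: Dict[str, Dict[str, Any]] = snapshot.get("registry", {})

    # High: direct C&C contact, either the hard-coded IP:port or the domain (and subdomains).
    for ip, port in snapshot.get("connections", []):
        if (ip, port) == C2_ENDPOINT:
            findings.append(("high", f"TCP connection to C&C {ip}:{port}"))
    for name in snapshot.get("dns", []):
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            findings.append(("high", f"DNS query for C&C domain {name}"))

    # High: a browser homepage URL carrying the hijacker's channel tag.
    for browser, url in snapshot.get("homepages", {}).items():
        if CHANNEL_TAG in url.lower():
            findings.append(("high", f"{browser} homepage carries channel tag {CHANNEL_TAG}"))

    # Medium: user-defined protection entries ("3rd" prefix) under the PC Manager key.
    for value_name in reg.get(PCMGR_PROTECT_KEY, {}).get("values", {}):
        if value_name.startswith("3rd"):
            findings.append(("medium", f"user-defined protection entry {value_name}"))

    # Low (weak alone, meaningful together): side effects of countermeasures C, D and E.
    if "hosts_text" in snapshot and not snapshot["hosts_text"].strip():
        findings.append(("low", "hosts file emptied (a default hosts file still has comments)"))
    bho = reg.get(BHO_KEY)
    if bho is not None and not bho.get("subkeys"):
        findings.append(("low", "Browser Helper Objects key exists but has no subkeys"))
    inet = reg.get(INET_KEY, {}).get("values", {})
    if inet.get("ProxyEnable") == 0 and inet.get("ProxyServer"):
        findings.append(("low", "ProxyEnable is 0 although a ProxyServer is still configured"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


# Constructed snapshot of an infected host; every value below is made up for the example.
SAMPLE_SNAPSHOT: Dict[str, Any] = {
    "connections": [("10.0.0.12", 443), ("139.129.234.76", 7897)],
    "dns": ["update.example.test", "caoduba.com"],
    "homepages": {"360 Secure Browser": "http://nav.example.test/?c=oemxiazaiba2"},
    "hosts_text": "",
    "registry": {
        BHO_KEY: {"subkeys": [], "values": {}},
        INET_KEY: {"subkeys": [], "values": {"ProxyEnable": 0, "ProxyServer": "proxy.corp.test:8080"}},
        PCMGR_PROTECT_KEY: {"subkeys": [], "values": {"3rdHomePage": "http://nav.example.test/?c=oemxiazaiba2"}},
    },
}

if __name__ == "__main__":
    for severity, text in sweep(SAMPLE_SNAPSHOT):
        print(f"[{severity}] {text}")
```

The split into severities matters in practice: an empty BHO key or ProxyEnable set to 0 occurs on plenty of clean machines, so those are reported only as supporting evidence, while the C&C endpoint and the channel tag are specific to this campaign.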
2) Control code 0x3: obtain a remote driver module
This is similar to the method used in the virus loader (1) above, except that the driver module data is obtained through the C&C server; the general execution flow is the same, so the specific driver execution flow is not described again. As shown in the figure below:
Load remote driver module
Virtual load driver and execute entry point
3) Control code 0xA: obtain a remote module (dynamic library)
The remote module's code is executed by injection into the winlogon.exe process; the injection code is taken from the open-source Blackbone project. As shown in the figure below:
Request remote dynamic library
The virus first writes the obtained dynamic library data to the system32 directory, then calls the Blackbone code to inject the library into the winlogon process for execution. As shown in the figure below:
Inject winlogon
Blackbone project code in the virus
(3) Other hijacking and countermeasure methods
1) Hijacking browser startup parameters through process and image-load callbacks
Besides the hijacking methods described above, the virus registers a process callback and an image-load callback to hijack browser startup parameters and thus hijack traffic. As shown in the figure below:
Virus registers callbacks
In the process callback the virus identifies the browser type; the URL hijacked for each browser can differ. After detecting a process that needs hijacking, it adds the relevant hijacking information to a hijack list. As shown in the figure below:
Hijacking browser process detection
After the hijacked process's information is recorded in the process callback, the image-load callback changes the process parameters in the PEB to the URL to hijack to. As shown in the figure below:
Hijacking process parameters
2) Blocking driver loading through an image-load callback
In addition to the image-load callback used for traffic hijacking, the virus registers another image-load callback for kernel confrontation. This callback not only blocks the execution of drivers carrying security software signature information, but also blocks some kernel-level traffic-hijacking viruses. When the loaded driver's information is on the blacklist, the virus replaces the image's entry point code with code that returns immediately, thus preventing the image's logic from executing. As shown in the figure below:
Disable execution of security software driver logic
When judging whether the image being loaded is on the blacklist, it first matches the file names of common kernel-level traffic-hijacking viruses: if the file name contains mslmedia.sys or mssafel.sys, execution is forbidden. It then obtains the signature information of the current image and matches it against the signature blacklist; on a match, execution is also forbidden. The signature blacklist includes Huorong, 360, Kingsoft, 2345, Rising, Baidu, even AdSafe's signature and the "Shanghai Yulian" signature commonly stolen by viruses, but still no signature information related to Tencent PC Manager, so we can infer that the virus lets Tencent PC Manager go intentionally, not by accident. The signature blacklist is shown in the figure below:
Signature blacklist
As the figure above shows, besides the signatures of mainstream security software, the blacklist also includes the signature of "Shanghai Yulian". Although that signature has expired, the expiry does not prevent drivers from loading normally, so it is often stolen by virus programs; last year's large-scale outbreak of the "Xiaoma activation virus" also stole the "Shanghai Yulian" signature. The relevant code is as follows:
Determine whether it belongs to blacklist
Check whether the signature information is in the blacklist
Because many kernel-level traffic-hijacking viruses are protected with a VMProtect shell, the virus author also added a cruder check: if a section name is UPX0 or .vmp0, the driver's logic is forbidden to execute. As shown in the figure below:
Check section name
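The blacklist callback above leaves a recognisable trace: the blocked driver is still mapped, but its entry point now begins with return code that does not match the driver on disk. The following is an added example, not Huorong's code and not the virus's, of the check a responder can run from a memory dump: it compares the entry bytes of the mapped image against a clean mapped copy and flags a return stub, and separately lists the UPX0 / .vmp0 section names the virus keys on. It assumes both inputs are already mapped PE32 images (so RVAs equal offsets, as they do for a loaded driver); the sample images, prologue bytes and section names are constructed for the example.

```python
"""Spot a driver whose entry point was patched into an immediate return (added example)."""
import struct
from typing import List

RETURN_STUBS = (b"\xC3", b"\x31\xC0\xC3", b"\x33\xC0\xC3")  # ret ; xor eax,eax ; ret
SUSPECT_SECTIONS = {b"UPX0", b".vmp0"}                       # names the report says are blocked


def pe_offset(image: bytes) -> int:
    return struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew


def entry_point_rva(image: bytes) -> int:
    # signature(4) + IMAGE_FILE_HEADER(20), then AddressOfEntryPoint at optional header + 0x10
    return struct.unpack_from("<I", image, pe_offset(image) + 0x28)[0]


def section_names(image: bytes) -> List[bytes]:
    pe = pe_offset(image)
    count = struct.unpack_from("<H", image, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 0x14)[0]  # SizeOfOptionalHeader
    table = pe + 0x18 + opt_size                              # first IMAGE_SECTION_HEADER (40 bytes each)
    return [image[table + 40 * i:table + 40 * i + 8].rstrip(b"\x00") for i in range(count)]


def entry_patched_to_return(mapped: bytes, clean: bytes, probe: int = 8) -> bool:
    """True when the entry bytes differ from the clean copy and start with a return stub."""
    ep = entry_point_rva(mapped)
    live, ref = mapped[ep:ep + probe], clean[ep:ep + probe]
    return live != ref and any(live.startswith(stub) for stub in RETURN_STUBS)


def packed_section_names(image: bytes) -> List[bytes]:
    """Section names that would trip the virus's UPX0 / .vmp0 heuristic."""
    return [name for name in section_names(image) if name in SUSPECT_SECTIONS]


def build_sample_image(entry_code: bytes, sections: List[bytes]) -> bytes:
    """Constructed minimal mapped PE32 image: headers, section table, entry code at RVA 0x200."""
    pe, opt_size, entry = 0x40, 0xE0, 0x200
    table = b"".join(name.ljust(8, b"\x00") + b"\x00" * 32 for name in sections)
    img = bytearray(entry + 16)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\x00\x00"
    struct.pack_into("<H", img, pe + 6, len(sections))
    struct.pack_into("<H", img, pe + 0x14, opt_size)
    struct.pack_into("<H", img, pe + 0x18, 0x10B)              # PE32 optional header magic
    struct.pack_into("<I", img, pe + 0x28, entry)
    img[pe + 0x18 + opt_size:pe + 0x18 + opt_size + len(table)] = table
    img[entry:entry + len(entry_code)] = entry_code
    return bytes(img)


CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"   # mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_IMAGE = build_sample_image(CLEAN_PROLOGUE, [b".text", b".data", b"INIT"])
PATCHED_IMAGE = build_sample_image(b"\x33\xC0\xC3", [b".text", b".data", b"INIT"])
PACKED_IMAGE = build_sample_image(CLEAN_PROLOGUE, [b"UPX0", b"UPX1", b".rsrc"])

if __name__ == "__main__":
    print("patched:", entry_patched_to_return(PATCHED_IMAGE, CLEAN_IMAGE))
    print("packed sections:", packed_section_names(PACKED_IMAGE))
```

Comparing against a clean copy rather than only pattern-matching the stub keeps false positives down: a legitimate driver whose DriverEntry genuinely starts with `xor eax, eax; ret` (a stub that does nothing) would match the stub alone but not differ from its own on-disk image.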
III. Appendix
SHA256 of the sample involved in this report
Download address of PDF report: http://down4.hoorong.cn/doc/pengex.pdf
*Author: Huorong Security (enterprise account); please credit freebuf.com when reprinting