We researched some of the early stage activity of this new round of Storm. It’s an unusual release for the group: they are being chided on forums and blog comments for repeating the one-liner emails that are easily recognized and identified by spam filters. We mentioned that the components used (no kernel mode drivers) and the user mode binaries’ characteristics and behavior are unusual for the group as well. It seems that they lost a graphic designer and that their driver developers left the scene (at least for this release).
So, let’s elaborate a bit on what seemed like a total lack of sophistication in this release’s code base, keeping in mind that the group’s efforts have included implementing the most effective techniques for targeting and successfully evading security products on users’ desktops. They were good at this work; after all, they had built what was allegedly the largest botnet ever. On that front, the malware writers do not disappoint with this release.
While the changes in the relentless holiday releases of late have typically had to do with their social engineering themes, we find that now the evasion techniques have moved out of the kernel and into user-mode.
In the “kickme.exe” samples that load “testdll_f.dll”, we find several interesting pieces of code. A loop implements an ntdll function overwrite routine just prior to loading the mysterious test DLL, which is unpacked in memory and never touches disk, and kickme hooks several APIs: NtOpenFile, NtQueryAttributesFile, NtClose, NtCreateSection, NtMapViewOfSection, and NtProtectVirtualMemory. Here is an example of one of the hooks:
The hook function blocks within the code are some of the first chunks of code to be decrypted at startup. A jump table is built on the stack to redirect control back to the hook function from the jmp instruction written into ntdll. When LoadLibraryW is called on the in-memory unpacked testdll_f.dll library, these hooks replace the standard Windows loader functionality, along with the functionality of any security product that itself hooks these DLL-loading functions. Up until this point in the binaries’ execution, the thread has been busily unpacking code at the assembly level without making calls to APIs other than a handful buried away in ntdll, like memcpy.
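The overwrite described above is an inline hook: the first bytes of an ntdll export are replaced with a jump into attacker-controlled code. The check a defender (or a security product that has just been bypassed this way) wants is an integrity scan of those prologues. The following is an added example, not code from the post or from the Storm samples, and it is platform-independent so it can be run anywhere: it classifies the first bytes of a function stub against the common trampoline patterns and compares a live prologue with a reference copy. The two stub buffers are constructed for illustration (the syscall index is made up); in a real checker the live bytes would come from the address returned by GetProcAddress on the loaded ntdll and the reference bytes from a clean on-disk copy of the module.

```c
/* Added example (not from the original post): detect inline jmp-style hooks at
 * the entry of ntdll export stubs, the user-mode technique described above.
 * Works on byte buffers so it runs offline; a real checker would fill the
 * "live" buffer from the loaded ntdll and the "disk" buffer from a clean copy. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classification of the first bytes of an exported function. */
enum hook_verdict {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,     /* E9 rel32            jmp rel32                 */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32        jmp dword ptr [disp32]    */
    HOOK_PUSH_RET,      /* 68 imm32 C3         push imm32 / ret          */
    HOOK_MOV_JMP        /* B8 imm32 FF E0      mov eax, imm32 / jmp eax  */
};

/* Inspect a function prologue for the common trampoline encodings.
 * A clean 32-bit ntdll stub of this era starts with B8 imm32 (mov eax, syscall#)
 * followed by BA 00 03 FE 7F (mov edx, 7FFE0300h), so B8 on its own is normal;
 * only B8 followed by "jmp eax" is flagged. */
enum hook_verdict classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return HOOK_JMP_INDIRECT;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return HOOK_PUSH_RET;
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0)
        return HOOK_MOV_JMP;
    return HOOK_NONE;
}

/* Stronger check: byte-compare the live prologue with the reference copy.
 * Returns the offset of the first differing byte, or -1 if they match. */
int first_divergence(const uint8_t *live, const uint8_t *disk, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (live[i] != disk[i])
            return (int)i;
    return -1;
}

static const char *verdict_name(enum hook_verdict v)
{
    switch (v) {
    case HOOK_JMP_REL32:    return "jmp rel32";
    case HOOK_JMP_INDIRECT: return "jmp [mem]";
    case HOOK_PUSH_RET:     return "push/ret";
    case HOOK_MOV_JMP:      return "mov eax/jmp eax";
    default:                return "clean";
    }
}

/* Constructed sample: a clean XP-era 32-bit Nt* stub (syscall index is made up). */
static const uint8_t clean_stub[] = {
    0xB8, 0x74, 0x00, 0x00, 0x00,   /* mov eax, 74h  (constructed index)   */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 7FFE0300h (KiFastSystemCall) */
    0xFF, 0x12,                     /* call dword ptr [edx]                 */
    0xC2, 0x18, 0x00                /* ret 18h                              */
};

/* Constructed sample: the same stub with its first five bytes replaced by a
 * jmp rel32 to a hook function, the kind of overwrite the post describes. */
static const uint8_t hooked_stub[] = {
    0xE9, 0x11, 0x22, 0x33, 0x44,   /* jmp rel32 (constructed displacement) */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x18, 0x00
};

int main(void)
{
    const char *names[] = { "NtOpenFile (clean)", "NtOpenFile (patched)" };
    const uint8_t *live[] = { clean_stub, hooked_stub };

    for (int i = 0; i < 2; i++) {
        enum hook_verdict v = classify_prologue(live[i], sizeof clean_stub);
        int d = first_divergence(live[i], clean_stub, sizeof clean_stub);
        printf("%-22s verdict=%-16s first_divergence=%d\n",
               names[i], verdict_name(v), d);
    }
    return 0;
}
```

The pattern scan alone would miss a hook that jumps from a later instruction, which is why the byte comparison against a reference copy is the check to rely on; the pattern classifier is only there to say what kind of trampoline was found.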
So far as we know, this user-level evasive behavior is new to Storm. These changes may be underestimated by some, but they help the group to meet their own goals in new ways.
On to the next malware family, we’ll probably see you next holiday or major news event (possibly the NCAA championship) with more Storm details.