2013-07-01
Abstract
The SkyBot and NgrBot worms have very similar methods of spreading. However, the two are very distinct in terms of the channels they use for distribution. Neo Tan and colleagues take a detailed look at the two IM worms – from their hijack methods and spreading channels, to the other malicious files they are trying to deliver – and give a brief comparison of the two.
Copyright © 2013 Virus Bulletin
The SkyBot and NgrBot (a.k.a. DorkBot) worms are often confused with each other, since their methods of spreading are very similar (both can spread through portable drives or via IM). However, the two are very distinct in terms of the channel of distribution: SkyBot spreads itself/other malware by tricking users into clicking a malicious link that is sent through the Skype window, whereas NgrBot spreads by sending a malicious link through MSN and by posting a malicious link on social networking sites (Facebook, Twitter, etc.). In addition, NgrBot is able to download other malware under the instruction of IRC commands.
In this article, we will take a detailed look at these two IM worms – from their hijack methods and distribution channels, to the other malicious files they are trying to deliver – in order to give a brief comparison of the two.
The latest SkyBot only targets Skype, and spreads itself by sending a malicious link to all the contacts in the victim’s Skype contact list. In its first phase, it tries to send the malicious link to the active Skype chat window. In order to hijack the current active chat window, SkyBot goes through the following steps:
It calls FindWindowA to find ‘tSkMainForm’ or ‘tSkMainForm.UnicodeClass’ to get the Skype window handle, then ShowWindow to make it active.
It calls FindWindowExA with the obtained handle and gets the handle of the ‘TConversationsControl’ window.
It calls SetForegroundWindow to bring the chat window into the foreground and activates the window.
It calls ShowWindow with parameter SW_RESTORE to activate and display the Skype window (so that if the Skype window is minimized, the system will restore it to its original size and position).
It then sleeps for 100ms, then uses the WM_SETFOCUS parameter in the SendMessageA function to send to the Skype window in order to gain the keyboard focus.
It calls SendMessageA with the WM_KEYDOWN parameter to simulate the ‘Up Arrow’ key event 0x320 times, and the ‘Down Arrow’ key event 0x2 times, followed by an ‘Enter’ key event.
It calls BlockInput to block any user input, then enters into a loop. The loop will break if the current active chat user receives the malicious link.
It finds the ‘TConversationForm’ using the FindWindow API or, if it is not successful, it tries to find ‘tSkMainForm’ instead and EnumChildWindows to find its child windows. Then it finds ‘TChatEntryControl’, then ‘TChatRichEdit’, which is the text input field of the Skype chat window.
It calls SendMessageW with the WM_SETTEXT parameter to fill in the malicious link and sends the ‘Enter’ key event to finish the sending process. Then the loop breaks and user input is unblocked.
The second phase is to send the malicious link to the entire list of the user’s contacts, regardless of whether they are online or offline. After hijacking the current active chat window to send the malicious link, it sleeps for 0x4e20 seconds and then uses the Skype Desktop API (also called Skype public API) provided by Skype itself. To do that, it utilizes the Skype4COM.dll file, which comes with the installation of every Skype application. Skype4COM is a Windows-based COM object which simply bridges the text based Skype Desktop API to a third-party application. To import the Skype4COM.dll, it calls CoCreateInstance with the hard-coded rclsid.
Then it creates the wrapper object and calls ISkype.Attach with Protocol Version = 8 and Wait = -1. Although the Wait parameter is set to -1 here, this Attach method will still trigger the Skype application to warn the user that an application is trying to use Skype, and will let the user decide whether to allow it. However, this worm uses a trick to bypass the warning (this technique still works on the latest version of Skype [6.3.0.105] at the time of writing this article):
Before calling the Attach, it creates a thread which watches for warning windows popping up in Skype. The main idea here is to find the ‘TZapCommunicator’ window. First, it tries to call FindWindowA with ClassName ‘tSkMainForm’ or ‘tSkMainForm.UnicodeClass’. (The ‘TCommunicatorForm’ window will be searched if the above two searches fail – this is probably for backward-compatibility with older versions of Skype.) If there is a hit, it uses the return handle to call FindWindowExA to search for its child window, ‘TZapCommunicator’. The search is done in a loop, with a 0xc8 millisecond sleep. If it finds the ‘TZapCommunicator’ window, it checks the foreground window by calling GetForegroundWindow; it will minimize the current foreground window if it is not the Skype window and then set the Skype window as the foreground window by calling SetForegroundWindow. This step is crucial for the later part. If for some reason the foreground window is not Skype, the latest bypass method will fail.
It calls GetWindowRect to get the position of the ‘TZapCommunicator’ window and calculate the size. Then it calls GetSystemMetrics twice with index equal to SM_CXSCREEN and SM_CYSCREEN to obtain the primary screen’s width and height in pixels. Then it calculates the absolute position of the ‘allow’ button in pixels. The SendInput API is called three times, with the type set to INPUT_MOUSE: the first SendInput API moves the mouse to the absolute position of the ‘allow’ button, the second sends a mouse left-button-down event, and the third sends a mouse left-button-up event to finish the job.
Once the attaching is successful, it uses ISkype.Friends to retrieve the victim’s list of contacts and iterate through them one by one to send the malicious link using ISkype.SendMessage.
The infected link leads to an IRCBot which eventually will download a type of Bitcoin miner (a CPU based miner). This miner only uses the CPU to perform mining, thus it always utilizes about 90% of the CPU resources when running (which is not an efficient method compared with other, GPU-based miners).
The NgrBot worm is able to spread through portable drives, social networks and IM (but not Skype).
Once the NgrBot has been installed on the computer, the malware injects the IRC communication routine into a newly created mspaint.exe process. Then it connects to the IRC server to get commands. Figure 5 shows a screenshot of a typical communication in the IRC channel.
From Figure 5, we can see that the NgrBot joins the IRC channel with a formatted ‘nickname’ (‘n[CA{XPa{gvsdmfl’ in this case). The nickname is based on the following template:
‘n[Country Code{OS Version|User Type{Random String’
Where User Type = ‘a’ means that it is an administrator, and User Type = ‘u’ means that it is a normal user.
After it joins the IRC channel, the server issues the command ‘!mdns’ with a link to a DNS block list and the command ‘!dl’ with two download jobs. Note that these two commands are not fixed; they can be fully customized via the NgrBot builder.
From Figure 6, we can see that the IRC server can send a fake message to be used by browsers and IM, hook APIs to hijack user messages, send a list of anti-virus vendor domain names (most of which are anti-virus application update server URLs) and a table of redirecting DNS queries to be used by the hooked DNS query APIs, receive stolen user account information, infect removable drives, download and execute files to/from the bot, and perform distributed denial of service attacks, etc.
After blocking the domains, it injects itself into almost every process (except mspaint.exe) that it is able to access, so that it can look for and hook the desired APIs via inline hooking. The desired API list is hard-coded in the bot’s binary, as shown in Figure 7. The data structure of each entry in the hooking list is described as follows:
struct API_TO_HOOK
{
DWORD *libName;
DWORD *apiName;
DWORD *hookerFunction; //function to be injected into the original API routine
DWORD *outRestorepoint; //inline-hook restore point
DWORD *browserMessengerCheckingFunction; //helper function to check if current process is a browser or a messenger
}
The libName is a pointer to the name of the library which contains the API. The apiName is a pointer to the name of the targeted API. The hookerFunction is the address of the malicious function which will hook the original API. And the outRestorepoint is the pointer to a pre-determined location which holds a copy of the overwritten byte codes during the inline hooking and a jump operation back to the original API work flow.
| CopyFileA | CopyFileW | CreateFileA | CreateFileW | DeleteFileA |
| DeleteFileA | DeleteFileW | DnsQuery_A | DnsQuery_W | GetAddrInfoW |
| HttpSendRequestA | HttpSendRequestW | InternetWriteFile | MoveFileA | MoveFileW |
| NtEnumerateValueKey | NtQueryDirectoryFile | PR_Write | RegCreateKeyExA | RegCreateKeyW |
| send | URLDownloadToFileA | URLDownloadToFileW |
Table 1. All the targeted APIs.
Table 1 shows all the targeted APIs.
Among them, the hooking of CopyFileA, CopyFileW, CreateFileA, CreateFileW, DeleteFileA, DeleteFileW, MoveFileA, MoveFileW, NtEnumerateValueKey, NtQueryDirectoryFile, RegCreateKeyExA and RegCreateKeyW are mainly for the bot’s self-defence mechanism. If any other process attempts to access the bot’s registry record, it will block it. The hooking of DnsQuery_A, DnsQuery_W and GetAddrInfoW is for the blocking or redirecting of DNS queries. Table 2 shows the keywords contained in the hard-coded DNS blocking list.
| Webroot | Fortinet | Virusbuster.nprotect | Gdatasoftware | Vrus |
| Precsesecurity | Lavasoft | Heck.tc | Emisoft | Onlinemalwarescanner |
| Onecare.live | f-secure | Bullguard | Clamav | Panadasecurity |
| Sophos | Malwarebytes | Sunbeltsoftware | Norton | Norman |
| McAfee | Symantec | Comodo | Avast | Avira |
| Avg | Bitdefender | Eset | Kaspersky | Trendmicro |
| Iseclab | Virscan | Garyshood | Viruschief | Jotti |
| Threatexpert | Novirusthanks | Virustotal |
Table 2. Keywords contained in the hard-coded DNS blocking list.
After matching this list, it will access the shared data through a named pipe to see if there is a downloaded domain name list, and block those domains as well.
The hooking of HttpSendRequestA, HttpSendRequestW, InternetWriteFile, PR_Write and send is for accessing and modifying the user’s browser or messenger communication, so that it can grab sensitive information and also hijack messages. However, it only has the ability to parse MSN messenger protocol, so Skype is safe from this worm for now.
Table 3 shows a list of websites from which it tries to grab login information.
| 4shared | Alertpay | AOL | Bcointernacional | BigString |
| Brazzers | cPanel | Directadmin | Dotster | DynDNS |
| eBay | Enom | Fastmail | Fileserve | |
| Filesonic | Freakshare | Gmail | GMX | Godaddy |
| Hackforums | Hotfile | IKnowThatGirl | Letitbit | Live |
| LogMeIn | Mediafire | Megaupload | Moneybookers | Moniker |
| Namecheap | Netflix | Netload | NoIP | OfficeBanking |
| Oron | Runescape | Sendspace | Sms4file | Speedyshare |
| Steam | Thepiratebay | Torrentleech | Uploaded | |
| Uploading | Vip-file | Webnames | Whatcd | WHM |
| Yahoo | YouTube | YouPorn |
Table 3. Websites from which it tries to grab login information.
The hooking of URLDownloadToFileA and URLDownloadToFileW blocks the downloading of any file with extension ‘exe’, ‘com’, ‘pif’ or ‘scr’ from the IE or Firefox browser. It does not affect the bot’s downloading process since the bot does not use browsers to do that. This is some kind of self-defence from competitors, against any other possible exploits.
The concept of this inline hooking is to replace the beginning of the API calls with a jump to the malicious code, and after executing the malicious code, the flow jumps to the saved original opcodes, then finally jumps back to resume from the original location. The malware uses a method called ‘code overwriting’ to locate the address of the original API function, and changes the first five bytes of the API code with a unconditional Jump instruction that redirects the call to the callback function. The following is an example of how it hooks the kernel32.CreateFileA API:
Check the import tables of each and every DLL against the hooking APIs list, and get the addresses of the function to hook.
Calculate the offset to the malicious hooker function.
Replace the original code with a jump (0xE9) and the hooker function distance.
Store the replaced byte codes at a pre-defined location, and append a jump back to 0x7C801A29.
In order to pass the commands to the injected processes, it implements the named pipe technique for the communication between the IRC function process and the worker processes. The data saved in the pipe is RC4 encrypted; the RC4 key is hard-coded in the binary and its CRC32 value is used to compose the pipe name.
The named pipe server is created in the mspaint.exe thread, and another process calls ConnectNamedPipe using the same CRC32 value as the name to get the pipe handle. Then they are able to access the shared data just like a local file object.
Once the above set ups are finished, NgrBot copies itself to the current user’s %AppData% folder with a randomly generated name and then adds a link to its executable file in the system registry autorun key in order to automatically launch each time Windows starts up.
| SkyBot | NgrBot | |
|---|---|---|
| Hijack method | - Windows hijack - Use of Skype4COM library | Inline hooks |
| Spreading method/targets | Sends spam with infected URL to messenger via Skype API | -Hijacks MSN messages -Uses stolen social media accounts to send spam |
| C&C control method | IRC* | IRC |
| Infects removable drives? | No† | Yes |
| Persistent? | No‡ | Creates autorun entry in registry |
| PPI | - IRCBot - Bitcoin miner (CPU based miner) | - Bitcoin miner (GPU based miner) - Kelihos |
| *The Skype spam leads to IRCBot download. | ||
| †Its IRCBot can infect removable drives. | ||
| ‡Its IRCBot creates an autorun entry in the registry. |
Table 4. Comparison of two IM worms
Compared with NgrBot, SkyBot is more likely to be a spreading module of its IRCBot, with the IRCBot in charge of its updates and persistency. In terms of spreading through messengers, SkyBot only targets Skype and NgrBot targets MSN messenger – which will soon be retired following Microsoft’s acquisition of Skype. Because Skype is a multi-platform messenger, if the spam message directs the user to a web page which can dynamically generate redirects to different payloads according to the detected user platform, this worm has the potential to spread through other operating systems such as Android and iOS. On the other hand, the payloads of both worms currently lead to Bitcoin miners. This is not a curious coincidence since the value of Bitcoins is increasing rapidly in the Internet society. Both worms use IRC commands to communicate with C&C servers, and their traffic is virtually unencrypted – thus making detection very easy.
![The pipe name is in the following format: [Hex value of CRC32]_ipc.](/uploads/images/figures/2013/07/Sky-10.jpg)