Enterprise Signatureless Malware Detection

Poison Ivy (“Nitro”) and ECAT analysis

In this blog post we continue our series looking at how ECAT detects and analyses compromises that evade traditional detection. This time, we’ve taken a look at a recent revision of Poison Ivy that was brought into the limelight by Symantec’s report on the use of a variant as an attack vector against certain companies in the chemical industry and other sectors. Symantec nicknamed the campaign “Nitro”.

These attacks are an example of the distributed, outsourced business model so prevalent now. The malware was built using a standard crimeware kit widely available on-line, then tweaked and bundled in for installation and delivery via email attachments.

Our analysis begins with an ECAT scan of a compromised machine. This delivers the result shown below, a Machine Suspect Level (MSL) of 41. That is definitely bad and in need of attention, though it is worth noting that it’s a relatively low rating for malware:

ECAT console view after scan of machine infected with Poison Ivy


Next, we see that Windows hooks have been used to inject code into memory, using a Windows OS API:

Poison Ivy code injection using Windows hooks

We can then see that floating code has been injected into Explorer.exe and IExplore.exe (the IE browser). The ECAT agent captures this floating code as soon as it’s generated and links it back to the original process(es). The MSL (suspect level) of these two processes registers as 33 in ECAT, indicating they are compromised and can’t be trusted:

Poison Ivy code injection into Explorer, IE


Drilling down further on one of the floating code blocks, we see an HTTP connection string:

Poison Ivy malware generates malicious HTTP traffic

We then see that multiple network connections are going out to this IP address on port 4445. There seems to be a polling pattern, since the mean time between connections is 41 seconds +/- 7 seconds. Note that in our test we had it connect to an internal server. Also note that the number of bytes sent is greater than the number of bytes received, which is the opposite of what we would expect to see for a connection to a web server. Of particular interest are the Burst Count and Standard Deviation results. This is a handy feature in ECAT’s network monitoring and analysis for identifying suspicious traffic patterns, and in this instance it indicates communication with the command and control (C&C) server:

Poison Ivy generates suspicious network connections
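The polling statistics described above (mean interval, standard deviation, burst count, bytes sent versus received) can be computed from any per-connection log. The following is an added example, not ECAT code: it runs over a constructed connection list in which 10.0.0.5:4445 stands in for the internal test C&C server and 192.0.2.10:80 (a documentation-range address) stands in for an ordinary web server, and flags destinations whose intervals are regular and whose byte ratio is inverted. The burst definition (intervals of 5 seconds or less) is an assumption made for this example; ECAT’s own Burst Count metric is not documented here.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log (not captured data). Fields:
# timestamp, destination IP, destination port, bytes sent, bytes received.
# 10.0.0.5:4445 stands in for the post's internal test C&C server;
# 192.0.2.10:80 is a documentation-range address standing in for a web server.
SAMPLE_CONNECTIONS = [
    ("2011-11-01 10:00:00", "10.0.0.5", 4445, 320, 96),
    ("2011-11-01 10:00:35", "10.0.0.5", 4445, 318, 96),
    ("2011-11-01 10:01:23", "10.0.0.5", 4445, 325, 96),
    ("2011-11-01 10:02:03", "10.0.0.5", 4445, 320, 96),
    ("2011-11-01 10:02:47", "10.0.0.5", 4445, 322, 96),
    ("2011-11-01 10:03:25", "10.0.0.5", 4445, 319, 96),
    ("2011-11-01 10:00:05", "192.0.2.10", 80, 410, 18230),
    ("2011-11-01 10:00:07", "192.0.2.10", 80, 380, 52110),
    ("2011-11-01 10:01:50", "192.0.2.10", 80, 402, 9044),
    ("2011-11-01 10:02:00", "192.0.2.10", 80, 395, 30012),
]


def summarize_connections(records, burst_threshold=5.0):
    """Group connections per (ip, port) and compute interval statistics.

    burst_threshold: intervals (seconds) at or below this count as a burst.
    This is an assumed definition for the example, not ECAT's metric.
    """
    by_dest = defaultdict(list)
    for ts, ip, port, sent, recv in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_dest[(ip, port)].append((when, sent, recv))

    summary = {}
    for dest, conns in by_dest.items():
        conns.sort(key=lambda c: c[0])
        # Seconds between consecutive connections to the same destination.
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        summary[dest] = {
            "count": len(conns),
            "mean_interval": mean(intervals) if intervals else 0.0,
            "stdev_interval": pstdev(intervals) if intervals else 0.0,
            "burst_count": sum(1 for i in intervals if i <= burst_threshold),
            "bytes_sent": sum(c[1] for c in conns),
            "bytes_received": sum(c[2] for c in conns),
        }
    return summary


def flag_beacons(summary, min_count=4, max_cv=0.3):
    """Return destinations whose traffic looks like C&C polling.

    Two heuristics taken from the analysis above: the connection intervals
    are regular (coefficient of variation stdev/mean at most max_cv), and the
    host sends more than it receives, the reverse of normal web browsing.
    """
    flagged = []
    for dest, s in summary.items():
        if s["count"] < min_count or s["mean_interval"] <= 0:
            continue
        cv = s["stdev_interval"] / s["mean_interval"]
        if cv <= max_cv and s["bytes_sent"] > s["bytes_received"]:
            flagged.append(dest)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize_connections(SAMPLE_CONNECTIONS)
    for dest, s in stats.items():
        print(dest, s)
    print("beacon-like destinations:", flag_beacons(stats))
```

The thresholds (`min_count`, `max_cv`) are tuning knobs: a low coefficient of variation is what makes the 41 +/- 7 second pattern stand out, while the byte-ratio check keeps regular but download-heavy traffic such as software update polling from being flagged on timing alone.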

In the next view we see an unknown program masquerading as a normal Windows application; it is configured to run automatically at boot time through a Run key:

Poison Ivy launches an unknown program


Analyzing the file in ECAT shows that it has only one imported function (very unusual). The file’s strings contain the IP address of the C&C and an HTTP connect string, the same one we found while analyzing the floating code found in IExplore.exe:

Poison Ivy - unknown file analysis


Putting it all together we now have a complete picture of the compromise: what it did, how it did it, and (perhaps most importantly) where it tried to reach to get instructions and exfiltrate data.

We’ll be following up in future posts with more analyses using ECAT 3.2, and posting videos on our Youtube channel that you can subscribe to here.

For a whitepaper on ECAT or to request more information, please click here