Pernicious "Pengex" virus spreads widely through pirated system disks, attacks all mainstream security software but leaves Tencent alone

Posted by trammel at 2020-02-27

I. Summary

Recently, the Huorong Security Lab intercepted a kernel-level backdoor virus and named it "Pengex". Analysis shows that Pengex hijacks users' browser homepage traffic for profit, but unlike other "traffic hijacking" viruses it is highly skilled and aggressive: it actively attacks mainstream domestic security software and strips them of the ability to fight back in the kernel, so that the computer loses all security protection. Paradoxically, Pengex deliberately "lets go" of exactly one product: Tencent PC Manager.

"Pengex" spreads through pirated system disks and "registration machine" (keygen) software, and leaves a backdoor on the user's computer through which any virus can be implanted at any time, so the threat is serious. Pengex attacks mainstream anti-virus software including Huorong, 360 and Jinshan, preventing their drivers from loading and thereby depriving them of kernel-level anti-virus capability.

Interestingly, the virus deliberately spares only Tencent PC Manager: it adds Tencent PC Manager to its whitelist and skips it during the "delete driver callback" operation. This behaviour suggests that the virus gang is likely a system-disk channel promotion provider for Tencent PC Manager, and Huorong suggests that Tencent PC Manager thoroughly check its system-disk promotion channels.

"Pengex" hijacks the homepage for profit by modifying browser configuration and process startup parameters. During this process the virus points different browsers to different navigation sites according to the operator's plan. The virus not only attacks security software but also other viruses of the same kind, so as to monopolise the user's homepage for profit. According to the analysis, the channel number set after the virus hijacks the homepage is "oemxiazaiba2" (the second half being the full pinyin spelling of "download bar"); please pay attention to and verify this channel account.

Huorong Security Software updated its virus database immediately and can completely remove the virus. Huorong engineers remind users who need to reinstall their system to purchase a genuine system through regular channels; at present, pirated system disks have become an important channel for spreading computer viruses.

II. Detailed analysis

The virus is a kernel-level backdoor, and it is preliminarily suspected that the sample is mainly distributed through third-party system disks. After the sample runs, the drivers of mainstream domestic security software can no longer load normally, so the security software loses its defensive capability. The affected anti-virus vendors include Huorong, 360 and Jinshan. After the malicious code executes, any virus code stored on the remote C&C server can be executed.

The virus is divided into two parts, the virus loader and the backdoor virus, which are analysed separately below. The overall structure is shown as follows:

Overall structure of virus

Virus loader

This part of the code is mainly used to defeat security-software scanning and kernel countermeasures. The loader's logic is in two parts. First, a new ntoskrnl image is loaded into memory by virtual mapping; then the real virus driver is loaded into memory in the same way, with the ntoskrnl functions in its import table pointed at the function addresses inside the virtually loaded ntoskrnl image. In this way the virus bypasses the kernel hooks that other drivers have placed in ntoskrnl. The global variable is_virus_load is a flag indicating whether the driver was loaded by virtual mapping, which is determined by whether the RegistryPath parameter passed to the driver entry function is NULL. As shown in the figure below:

Loader driver main function code

(1) Virtually loading ntoskrnl

The load_make_ntoskrnl_safe function loads a new ntoskrnl image by virtual loading. After the virtual loading logic runs, it compares the result with the first 0x200 bytes of the ntoskrnl currently loaded by the system in memory, to judge whether the image it created is intact. As shown in the figure below:

Check if virtual load succeeded

Virtually load ntoskrnl

(2) Virtually loading the backdoor virus

The load_rootkit function loads the real virus driver in the same way the ntoskrnl image was virtually mapped. The virus driver's image data is encrypted by XOR with 0xC0. The function first decrypts the virus data, then maps the driver, repairs the import table and applies relocations, and finally executes the virus driver's entry point by calling ExQueueWorkItem. As shown in the figure below:

Load virus driver

As shown in the figure above, the WORK_QUEUE_ITEM structure passed to ExQueueWorkItem has additional data appended at its end; in this call the additional data holds the entry point address of the loaded driver. As shown in the figure below:

Execute driver entry

Kernel-level backdoor

After the virus runs, it continuously communicates with its C&C server (domain name: or, communication port: 7897). The code that decrypts the domain name and IP address used by the virus is shown in the following figure:

Decrypt domain name and IP address

(1) Virus communication with the C&C server

The communication between the virus and the C&C server falls into two categories:

1) Data request notification

After receiving a data request notification from the virus, the server returns the requested data according to the control code. Through this channel the virus can load a remote driver module, obtain a remote dynamic-link library to inject into a system process, and obtain the configuration data used for traffic hijacking. The meaning of the control codes is shown in the following figure:

Data request related control codes

2) Operation status notification

The server learns the current running status of the virus from the control code in the notification, such as whether the image-load callback was set successfully and whether the user's homepage was hijacked successfully; from these notifications the virus author can learn of problems that occur while the virus runs. The meaning of the control codes is shown in the following figure:

Operation status notification

From the control commands above we can see that the virus not only hijacks the user's homepage according to remotely obtained configuration data, but can also execute arbitrary malicious code on the user's computer at the author's request. Because the virus can prevent security software from loading, the security software completely loses the ability to fight it in the kernel, which makes the virus difficult to remove.

The virus communicates with the server as shown in the following figure:

Send data code

TDI network functions are used for communication; the code that connects to the server is shown as follows:

Call TDI network functions to connect to the server

The code for sending and receiving data is similar, so only sending is shown as an example:

Call TDI network functions to send data

(2) Function analysis of the control codes

Next, we analyse the virus's functionality in detail according to the main control codes it uses:

1) Control code 0x2: obtain the execution configuration data used for traffic hijacking

After communicating with the server, the virus obtains the hijacking configuration data, which includes whether each browser is to be hijacked, the URL each browser is to be redirected to, and the execution flags that control the virus's execution flow. As shown in the figure below:

Download configuration

The configuration data is not stored in clear text: after downloading, it must be decrypted byte by byte with XOR 0xC0. The data is 0x1ca0 bytes long in total. As shown in the figure below:
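The embedded driver (section (2) of the loader) and the downloaded configuration are both protected only by a single-byte XOR with 0xC0. The following Python is an added example, not code from the Huorong report, showing how an analyst recovers both payloads and sanity-checks the result (a PE header for the driver, the stated 0x1ca0-byte length for the configuration); the "driver" it decrypts is a constructed stub.

```python
# Added example (not code from the Huorong report): recover and sanity-check the
# two XOR-0xC0 payloads the analysis describes, the embedded driver image and the
# 0x1ca0-byte hijacking configuration. The "driver" below is a constructed stub.
import struct
from typing import Optional

XOR_KEY = 0xC0
CONFIG_LEN = 0x1CA0  # length of the downloaded configuration, per the analysis


def xor_decrypt(data: bytes, key: int = XOR_KEY) -> bytes:
    """Byte-wise XOR with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_like_pe(image: bytes) -> bool:
    """True if the buffer has an MZ header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_driver(blob: bytes) -> Optional[bytes]:
    """Decrypt an embedded driver blob; None if the result is not a PE image."""
    image = xor_decrypt(blob)
    return image if looks_like_pe(image) else None


def decrypt_config(blob: bytes) -> Optional[bytes]:
    """Decrypt the downloaded configuration; reject blobs of the wrong length."""
    if len(blob) != CONFIG_LEN:
        return None
    return xor_decrypt(blob)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a driver: MZ stub with the PE signature at 0x80."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x80)       # e_lfanew -> 0x80
    header += b"\0" * (0x80 - len(header)) + b"PE\0\0" + b"\0" * 20
    return bytes(header)


if __name__ == "__main__":
    encrypted_driver = xor_decrypt(build_fake_pe())  # constructed sample input
    print("driver decrypted:", decrypt_driver(encrypted_driver) is not None)
    print("config accepted:", decrypt_config(bytes([XOR_KEY]) * CONFIG_LEN) is not None)
```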

Decryption configuration

The downloaded browser configuration includes the types of browsers to hijack, the URL each browser is hijacked to, which countermeasures to perform, whether to hijack the homepage-protection registry key of Tencent PC Manager, and the contents of the hijacked registry key. As shown in the figure below:

Downloaded configuration content

The variable virus_proc_ctrl_code marked in the red box in the figure above controls the countermeasure flow the virus executes, such as deleting other drivers' image-load and process callbacks, and cutting the chain of devices attached to the system network driver. Because the vast majority of browser homepage-protection and hijacking tools operate at exactly these locations, these countermeasures raise the hijacking success rate to some degree while the virus hijacks traffic. The variable specifies the execution flow as bit fields; the meaning of each bit field is shown in the following figure:

Bit field meaning

The execution flow is controlled with the virus_proc_ctrl_code variable, as shown in the following figure:

virus_proc_ctrl_code

Below we explain the countermeasures in the order shown in the figure above:

A. Remove other drivers' process and image-load callbacks

This method targets tools that hijack or protect browser startup parameters via process callbacks and image-load callbacks. The virus first locates the callback function table by searching the code of the system function that registers callbacks, then checks whether the driver module owning each callback is in its whitelist. If it is not, the callback is deleted. After successful deletion, the virus sends running-status notification 0x10 to the server. As shown in the figure below:

Delete image-load callback

Code that searches for the image-load callback function list

Determine whether the driver module owning the callback address is in the whitelist

The strings stored in the whitelist can be file names or parts of file names. Besides some system driver modules, they include the drivers of Tencent PC Manager: because the file names of all Tencent PC Manager drivers contain one of the strings qqpcmgr and TS, all of its drivers are spared. The whitelist is as follows:

Whitelist

Detect the module file name of the callback

The method for deleting process callbacks is similar to that for image-load callbacks. If the process callback function table cannot be obtained during execution, control code 0xe is sent to the C&C server; if the process callback function is registered successfully, 0x11 is sent to the C&C server. As shown in the figure below:

Delete process callback

Search process callback function list

B. Cutting the chain of devices attached to the system network driver objects

In addition to deleting driver callbacks, the virus can also cut the chain of devices attached to the TCPIP, AFD and TDX drivers, so as to eliminate the influence of network filter drivers on its traffic hijacking. As shown in the figure below:

Cutting the attached device chain

C. Empty the hosts file

Clear hosts

D. Clear BHOs (Browser Helper Objects)

All BHOs are removed by deleting every subkey under the registry key \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. However, when the virus finds the registry key \Registry\Machine\Software\Wow6432Node\Tencent\QQPCMgr on the system, the BHOs are not cleared. As shown in the figure below:

BHO deletion code

Delete BHO registry key

E. Reset IE proxy settings

The virus disables the network proxy by setting the ProxyEnable value under \Registry\User\<current user>\Software\Microsoft\Windows\CurrentVersion\Internet Settings to 0.

F. Hijack browser configuration

After the countermeasures, the virus attempts to modify the configuration of several common browsers (IE, QQ Browser, 360 Secure Browser, Firefox, TheWorld) and the homepage protection of Tencent PC Manager using the hijack URLs and related data it received, so as to hijack traffic. After the hijacking operation, control code 0x4 is sent to the C&C server. As shown in the figure below:

Hijacking browser and Tencent PC Manager homepage-protection configuration

The browser-hijacking code is shown below, taking 360 Secure Browser as an example:

Construct 360 Secure Browser related environment string

What attracts our attention most is that when hijacking the homepage of 360 Secure Browser, the virus also sets the channel number to "oemxiazaiba2", whose second half is the pinyin of "download bar". Due to the limited information available, we cannot yet verify whether it is directly related to "download bar". As shown in the figure below:

Code hijacking the 360 Secure Browser homepage

G. Hijacking the Tencent PC Manager homepage-protection website

In addition to tampering with browser configuration, the virus hijacks the Tencent PC Manager homepage-protection website by adding a user-defined protected website (the registry entries for user-defined websites begin with 3rd). As shown in the figure below:

Modify Tencent PC Manager homepage-protection registry key
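Taken together, steps C to G leave a recognisable footprint on the host: an emptied hosts file, a wiped BHO key (only when the QQPCMgr key is absent), ProxyEnable set to 0, hijacked homepage URLs carrying the "oemxiazaiba2" channel id, and "3rd"-prefixed custom entries in the PC Manager homepage protection. The following Python is an added example, not code from the Huorong report, that rates a host snapshot against that footprint; the snapshot format, the HKLM/HKCU spellings of the keys and the sample data are constructed for illustration.

```python
# Added example (not from the Huorong report): rate a host's browser-related state
# against the post-hijack changes described in steps C to G. All input is constructed.
from typing import Dict, List, Tuple

CHANNEL_ID = "oemxiazaiba2"   # channel id the analysis observed in hijacked homepages
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
TENCENT_KEY = r"HKLM\Software\Wow6432Node\Tencent\QQPCMgr"
Finding = Tuple[str, str]     # (severity, description)


def check_hijack_state(hosts_text: str, registry: Dict[str, dict],
                       homepages: Dict[str, str],
                       protected_sites: List[str]) -> List[Finding]:
    """Return findings with strong ones first; an empty list means nothing matched.

    registry maps a key path to {"values": {...}, "subkeys": [...]}; a key that is
    missing from the dict is treated as absent on the host.
    """
    findings: List[Finding] = []
    # Strong: the campaign's channel id embedded in a browser homepage URL.
    for browser, url in homepages.items():
        if CHANNEL_ID in url.lower():
            findings.append(("strong", f"{browser} homepage carries channel {CHANNEL_ID}: {url}"))
    # Strong: user-defined ("3rd"-prefixed) entries added to PC Manager homepage protection.
    for entry in protected_sites:
        if entry.startswith("3rd"):
            findings.append(("strong", f"custom homepage-protection entry: {entry}"))
    # Weak: each matches one of the virus's clean-up steps but also occurs on clean hosts.
    if not hosts_text.strip():
        findings.append(("weak", "hosts file is empty"))
    # The virus only wipes BHOs when the PC Manager key is absent, so check both together.
    if TENCENT_KEY not in registry and BHO_KEY in registry \
            and registry[BHO_KEY].get("subkeys") == []:
        findings.append(("weak", "no Browser Helper Objects registered"))
    proxy_enable = registry.get(PROXY_KEY, {}).get("values", {}).get("ProxyEnable")
    if proxy_enable == 0:
        findings.append(("weak", "ProxyEnable is 0 (IE proxy disabled)"))
    findings.sort(key=lambda f: f[0] != "strong")   # stable: strong first
    return findings


def sample_snapshot() -> List[Finding]:
    """Constructed snapshot resembling a hijacked host, used by the demo and tests."""
    registry = {
        BHO_KEY: {"values": {}, "subkeys": []},
        PROXY_KEY: {"values": {"ProxyEnable": 0}},
    }
    homepages = {"360se": "hxxp://example.invalid/?tn=" + CHANNEL_ID,
                 "firefox": "hxxp://example.invalid/home"}
    return check_hijack_state("", registry, homepages, ["default", "3rd_custom1"])


if __name__ == "__main__":
    for severity, text in sample_snapshot():
        print(f"[{severity}] {text}")
```

On a real host the same function can be fed the output of Get-Content on the hosts file and Get-ItemProperty on the keys above; the weak findings are worth reporting only alongside a strong one.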

2) Control code 0x3: obtain a remote driver module

This is similar to the method used in the virus loader (1) above, except that the driver module data loaded this time is obtained from the C&C server; the general execution flow is the same, so the specific driver execution flow is not described again. As shown in the figure below:

Load remote driver module

Virtually load driver and execute entry point

3) Control code 0xa: obtain a remote module

The remote module's code is executed by injecting it into the winlogon.exe process; the injection uses code from the open-source BlackBone project. As shown in the figure below:

Request remote dynamic library

The virus first writes the obtained dynamic-link library data into the system32 directory, then calls the BlackBone code to inject the DLL into the winlogon process for execution. As shown in the figure below:

Inject Winlogon

Inject Winlogon

BlackBone project code in the virus

(3) Other hijacking and countermeasure methods

1) Hijack browser startup parameters through process and image-load callbacks

In addition to the hijacking methods described above, the virus registers its own process callback and image-load callback to hijack browser startup parameters and thereby hijack traffic. As shown in the figure below:

Virus callback registration

In the process callback the virus determines the browser type; the URL each browser is hijacked to can differ. When a process that needs hijacking is detected, the relevant hijack information is added to a hijack list. As shown in the figure below:

Hijacking browser process detection

After the hijacked process's information is recorded in the process callback, the image-load callback changes the process parameters in the PEB to the URL to be hijacked to. As shown in the figure below:

Hijacking process parameters

2) Blocking driver loads through the image-load callback

Besides the image-load callback used for traffic hijacking, the virus registers another image-load callback for kernel countermeasures. This callback blocks the execution not only of drivers carrying security-software signature information but also of some kernel-level traffic-hijacking viruses. When the loaded driver's information is on the blacklist, the virus replaces the image's entry-point code with a direct return, preventing the logic in the image from executing. As shown in the figure below:

Disable execution of security-software driver logic

When judging whether the image being loaded is on the blacklist, the file names of common kernel-level traffic-hijacking viruses are matched first: if the file name contains mslmedia.sys or mssafel.sys, execution is forbidden. The virus then obtains the signature information of the current image and matches it against the signature blacklist; if it matches, execution is also forbidden. The blacklisted signatures include Huorong, 360, Jinshan, 2345, Ruixing (Rising), Baidu, even ADSafe's signature and the "Shanghai domain association" signature commonly used by viruses, but still no signature information related to Tencent PC Manager, so we can infer that the virus spares Tencent PC Manager intentionally, not by accident. The signature blacklist is shown in the following figure:

Signature blacklist

As shown in the figure above, besides the signatures of mainstream security software, the blacklist also includes the signature of "Shanghai domain association". Although that signature has expired, this does not affect normal loading of a driver, so it is often stolen by virus programs; last year's large-scale outbreak of the "pony activation" virus also stole the "Shanghai domain association" signature. The relevant code is as follows:

Determine whether the image is on the blacklist

Check whether the signature information is in the blacklist

Because many kernel-level traffic-hijacking viruses are packed with VMProtect, the virus author also adds a cruder judgement: if a section name is UPX0 or .vmp0, execution of the driver logic is forbidden. As shown in the figure below:

Check section name

III. Appendix

SHA-256 of the sample involved in this report:

Download address of the PDF report:

*Author: Huorong Security (enterprise account); please credit the source when reprinting.