Tuesday, 5 January 2010

bot1.exe part10 - secure/unsecure command


The 'secure' (or 'sec') command creates a thread that disables DCOM by setting the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole value to 'N'.

From MSDN we can see that the possible values are 'N' and 'Y'. A message is then sent to the channel informing the controller that DCOM has been disabled:

<@unchk> .secure
< USA|88366> -secure- DCOM disabled.

In addition to this, at 0041D5EB, the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous value is changed from 0 to 1, thereby restricting the permissions of anonymous users.

Furthermore, a call to NetShareEnum(0, 502, ...) is made (0041D6CD). With the names of all network shares (returned by this function) in hand, the bot proceeds to call NetShareDel on each one, thereby removing all network shares from the target.

< USA|88366> -secure- Restricted access to the IPC$ Share.
< USA|88366> -secure- Failed to delete 'IPC$' share.
< USA|88366> -secure- Share 'ADMIN$' deleted.
< USA|88366> -secure- Share 'C$' deleted.
< USA|88366> -secure- Network shares deleted.

The 'unsecure' (or 'unsec') command does exactly the opposite: it enables DCOM, disables restrictanonymous, and sets up network shares. The registry changes are equivalent to the aforementioned ones, with the only difference being the arguments to RegSetValue.
In order to enable network shares, the executable starts by trying to add two predefined shares:
- IPC
- ADMIN
Afterwards, there is a call to GetLogicalDrives (0041DA40); the return value is 0200000D, which means that there are logical drives named A, C, D, and Z (this is due to my current setup of the virtual machine).
Logical drive A is ignored, and the next in line (going from the least to the most significant bit of the bitmask returned by GetLogicalDrives) is logical drive C. GetDriveType is called on 'C:\' and, if the returned drive type is 3 (DRIVE_FIXED, from MSDN), a call to the procedure that adds the network share (0041C29E) is made; the next logical drive in line is then analyzed according to the same criteria.
Since in my setup D is the CD-ROM drive and Z is a network share between the host and the virtualized system, only drive C will get a network share. This is the result of running .unsecure:

<@unchk> .unsecure
< USA|88366> -secure- DCOM enabled.
< USA|88366> -secure- Unrestricted access to the IPC$ Share.
< USA|88366> -secure- Failed to add 'IPC$' share.
< USA|88366> -secure- Share 'ADMIN$' added.
< USA|88366> -secure- Share 'C$' added.
< USA|88366> -secure- Network shares added.
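As an added example (not code from the bot or from this writeup), the following Python helpers model the two behaviours described above so an analyst can reproduce the drive walk of 'unsecure' from a GetLogicalDrives bitmask and flag the registry state that 'secure' leaves behind. It assumes the 'N'/'Y' value under HKLM\SOFTWARE\Microsoft\Ole is the well-known EnableDCOM value (the writeup does not name it); the sample bitmask and drive types are constructed to match the author's VM.

```python
"""Model of the secure/unsecure logic from the bot1.exe writeup (added example)."""
import string
import sys

DRIVE_FIXED = 3  # GetDriveType return code for a local hard disk (MSDN)


def decode_logical_drives(mask):
    """Bit i of the GetLogicalDrives bitmask set => drive letter chr('A'+i) exists."""
    return [string.ascii_uppercase[i] for i in range(26) if (mask >> i) & 1]


def shares_unsecure_would_add(mask, drive_type):
    """Walk drives from the least significant bit, skip A:, and return the
    <letter>$ shares the bot would create (DRIVE_FIXED drives only).
    drive_type(path) stands in for GetDriveType and returns its numeric code."""
    shares = []
    for letter in decode_logical_drives(mask):
        if letter == "A":
            continue  # the bot ignores the floppy letter
        if drive_type(f"{letter}:\\") == DRIVE_FIXED:
            shares.append(f"{letter}$")
    return shares


def secure_indicators(enable_dcom, restrict_anonymous):
    """Findings consistent with the 'secure' command having run on a host.
    enable_dcom: the Ole 'N'/'Y' value (assumed name EnableDCOM);
    restrict_anonymous: the Lsa\\restrictanonymous DWORD."""
    findings = []
    if enable_dcom is not None and str(enable_dcom).upper() == "N":
        findings.append("DCOM disabled (EnableDCOM = N)")
    if restrict_anonymous is not None and restrict_anonymous != 0:
        findings.append(f"restrictanonymous = {restrict_anonymous}")
    return findings


def read_live_values():
    """Windows only: read both values via winreg; returns (None, None) elsewhere."""
    if sys.platform != "win32":
        return None, None
    import winreg

    def _get(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None  # key or value absent on this host
    return (_get(r"SOFTWARE\Microsoft\Ole", "EnableDCOM"),
            _get(r"SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous"))


if __name__ == "__main__":
    # Constructed sample: 0x0200000D -> A, C, D, Z; C fixed, D CD-ROM (5), Z remote (4)
    vm_types = {"C:\\": 3, "D:\\": 5, "Z:\\": 4}
    print(decode_logical_drives(0x0200000D), shares_unsecure_would_add(0x0200000D, vm_types.get))
    print(secure_indicators(*read_live_values()))
```

On the writeup's VM the walk yields only C$, matching the 'Share 'C$' added.' line; run on a live Windows host, the last line reports whether the 'secure' registry changes are present.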
