Recently we found some new malware samples using AutoIt to hide themselves. On further analysis we found that those sample belong to the Vertexnet botnet. They use multiple layers of obfuscation; once decoded, they connect to a control server to accept commands and transfer stolen data.
This sample is packed using a custom packer. On execution it drops three files in the %TEMP% folder.
These files are compiled using aut2exe. The malware next executes the file botnet.exe from the temp folder. This file is written in AutoIt. We can easily decompile it using Exe2Aut.
This file uses various obfuscated variables that are encrypted using a simple algorithm:
Decoding the variables, we can see that this script calls various Windows APIs using the Autoit DLL functions DllStructCreate, DllStructGetPtr, DllCall, etc.
Searching Google, we easily found the original code likely to be used in the preceding script with obfuscation: http://www.autoitscript.com/forum/topic/99412-run-binary/
(The preceding post containing information on how to run an executable from memory is old. It was made around 2009 on autoitscript.com.)
The technique of running an executable from memory through an AutoIt script is well documented on this link. To summarize, it first creates a process with with the CREATE_SUSPENDED flag:
Next it uses GetThreadContext to get the CONTEXT structure:
Subsequently, it uses WriteProcessMemory,SetThreadContext and allocates memory for the data.
Then it resumes the thread:
After dumping the data in WriteProcessMemory calls, we get a Visual Basic file, which uses the RunPE method to execute the payload:
The final payload is VertexNet 1.2 , which we discovered from the strings it contains:
On executing the final payload, it communicates with the control server:
We see an constant increase in AutoIt malware because of its ease of use. We have found that malware authors always use ready-made tools and quickly adapt to new tricks.
McAfee customers are protected against this threat by IPS signature: BOT: VertexNet Bot Activity Detected.
I would like to thank my colleague Arunpreet Singh for his help with the analysis of this threat.