Poison Ivy Windows 7 Patch
Background
This is the second part of the analysis of the new Poison Ivy variant, or PlugX, which was an integrated part of Poison Ivy’s code. In Part I of this analysis we introduced how this malware was installed onto victims’ systems, the techniques it used to perform anti-analysis, how it obtained the C&C server’s IP and port from the PasteBin website, and how it communicated with its C&C server. What we didn’t talk much about in that first blog was the control-commands used by this malware, partly because only a few of those commands were used during our analysis. However, as you may know, RAT malware usually has many control-commands so that attackers can effectively control a victim’s machine remotely. So, after our initial analysis, we monitored the C&C servers and captured their packets.
Fortunately, we were able to collect enough attacks and packets to observe and document its behavior. In this analysis, I’m going to focus on the control-commands used by the C&C server as it attempts to penetrate the victim’s network by exploiting vulnerabilities.
Although the C&C servers have now been shut down, we found a way to decrypt the communication data from the captured packets in order to analyze its behavior. As per my analysis, this variant of Poison Ivy eventually launches the (Eternal Blue) attack against the machines located inside the victim’s LAN. Let’s now take a look at how it performs this exploit.
Manage multiple modules
Before going on, however, we have to talk about how the decrypted modules are managed. From Part I we know that there are six modules in the svchost.exe program, which are connected by a doubly linked list. There is a module node in each of the modules, as well as in svchost.exe. The module node is added to the doubly linked list when its module code is initialized.
The header of the doubly linked list is in a global variable located in svchost.exe’s memory space (qword_2345D0 with base address 0x220000 in my case). Below is a module node’s structure, along with some corrections to the one shown in Part I of this analysis. The first module (which was injected into svchost.exe when svchost.exe started) is executed in svchost.exe, and was the first one added to the doubly linked list. I call it the host module. The six modules are decrypted by the host module; I named them module1, module2, etc., according to the order in which they are added to the doubly linked list. Figure 1 shows a view of the module node of the host (svchost.exe) in memory.
Figure 1. View of the host module node in memory
The host module node’s address is 0x334A20. The previous node’s address is 0x165068, and the next one is 0x51F280.
The host module’s index is 0, and its module base address is 0x220000. Finally, the function table’s address is 0x334A60. The module index is important because it is also part of the control-commands. We will talk more about this later.
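To make the list walk concrete, here is an added example (not code from the original analysis) that recovers module nodes from a memory image the way an analyst would after locating the list header global. The node layout (five little-endian qwords: prev, next, index, module base, function table) and the sample addresses of the two non-host nodes are assumptions, since the page shows the real structure only as an image; the host node values match those given above.

```python
import struct

# Assumed node layout: prev | next | index | module_base | func_table, 8 bytes each.
NODE_FMT = "<5Q"
NODE_SIZE = struct.calcsize(NODE_FMT)  # 40 bytes
LIST_HEAD_GLOBAL = 0x2345D0  # qword_2345D0: holds a pointer to the first node


class MemoryImage:
    """Sparse memory image built from a few dumped regions: {base_address: bytes}."""

    def __init__(self, regions):
        self.regions = dict(regions)

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:#x}")


def build_sample_image():
    """Constructed sample: host node at 0x334A20 plus two decrypted module nodes, circular."""
    host, m1, m2 = 0x334A20, 0x51F280, 0x165068
    nodes = {  # (prev, next, index, module_base, func_table); func_table sits at node + 0x40
        host: (m2, m1, 0, 0x220000, 0x334A60),
        m1: (host, m2, 1, 0x7FF600000000, 0x51F2C0),   # assumed values
        m2: (m1, host, 2, 0x7FF700000000, 0x1650A8),   # assumed values
    }
    regions = {a: struct.pack(NODE_FMT, *f) for a, f in nodes.items()}
    regions[LIST_HEAD_GLOBAL] = struct.pack("<Q", host)
    return MemoryImage(regions)


def walk_modules(mem, head_global=LIST_HEAD_GLOBAL):
    """Follow next pointers from the list header until a node repeats (handles circular lists)."""
    cur = struct.unpack("<Q", mem.read(head_global, 8))[0]
    seen, out = set(), []
    while cur not in seen:
        seen.add(cur)
        prev, nxt, idx, base, ftab = struct.unpack(NODE_FMT, mem.read(cur, NODE_SIZE))
        out.append({"node": cur, "prev": prev, "next": nxt, "index": idx,
                    "base": base, "func_table": ftab})
        cur = nxt
    return out


def check_links(nodes):
    """Every next pointer must be answered by a matching prev pointer; a mismatch
    means a corrupt or partial dump and the node list should not be trusted."""
    by_addr = {n["node"]: n for n in nodes}
    return all(n["next"] in by_addr and by_addr[n["next"]]["prev"] == n["node"] for n in nodes)


def func_table_for_index(nodes, index):
    """Resolve a module index (as carried in control-commands) to its function table."""
    return next((n["func_table"] for n in nodes if n["index"] == index), None)
```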