A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #203  by ConanTheLibrarian
 Mon Mar 15, 2010 5:57 pm
I just removed this from a machine. I don't know how to reverse engineer yet. I am unfamiliar with it - first time I've seen it.

http://www.virustotal.com/analisis/4c77 ... 1268674852

Found a way to upload it:
http://www.filedropper.com/nixoa


MD5...: acfe49f6431a608e520d8935c749f399
SHA1..: f9d9d4eaf075ab4e43d9d7ae1ac6953c42cce053
Last edited by ConanTheLibrarian on Mon Mar 15, 2010 6:52 pm, edited 1 time in total.
 #205  by EP_X0FF
 Mon Mar 15, 2010 6:00 pm
Hi,

Thanks for information.
The file is over 800KB so I am unable to attach it to this forum
You can try to zip it and upload to http://rapidshare.com free file hoster.

Regards.
 #216  by EP_X0FF
 Mon Mar 15, 2010 7:28 pm
Hi again,

Thanks for the sample. I was able to load it inside test box. So huge size of driver file caused by malware "packer".

Rootkit set's CmRegistry callback to protect registry keys.
It hooks Key object-->ParseProcedure, so this rootkit using DKOH technique also.
Probably also to protect rootkit registry keys from being revealed / removed.

Also it hooks IRP_MJ_CREATE handler of ntfs.sys

Rootkit driver file is not hidden from high level enumeration (it is visible in Explorer).
Maybe it is requiring something to work properly.

After reboot rootkit died.
 #219  by ConanTheLibrarian
 Mon Mar 15, 2010 8:00 pm
Thanks for that. I can confirm.

The root file and key is visible but untouchable. Gmer was able to hack the reg key values by saving using raw writing. After a reboot it was offline.
 #220  by gjf
 Mon Mar 15, 2010 8:19 pm
This rootkit is already well studied, some info here and here.

If I remeber correctly I removed this rootkit using Gmer without any problem. "Boot Bus Extender" is quite special name for this.

Concerning the subj - the rootkit dies because manual installation I believe. Dropper could solve the problem.
 #2265  by Elite
 Tue Aug 24, 2010 10:37 pm
Found this dropper in the shitty section of the internet this evening. Nothing even remotely impressive.

Dropper spawns a few command prompt windows. Spews files in local profile temp directory. Unleashes hell.
Installs a few fake codecs. Drops a driver in drivers directory with random name and locks read access to file. Uses callback routine, some DLL injection into usermode.
Runs tons of processes from temp directory. Runs hidden IE window and sends data over SSL.

Makes a big mess. Easily defeated with public RkU.
Attachments
Pw: bullshit
(11.82 KiB) Downloaded 130 times