[rkhunter]

MD5: CBA6BD3776D1AC79A15D9A31B7C50B98
https://www.virustotal.com/file/fc2f91b ... /analysis/

[rkhunter]

MD5: 73B02AF92F48D4116F384BE14F227655
[1/39] Kaspersky - Backdoor.Win32.ZAccess.dzi https://www.virustotal.com/file/ce6f9fb ... /analysis/

[rkhunter]

MD5: 88FD73708A41F22E7A90173D06519D83
https://www.virustotal.com/file/7af8d22 ... /analysis/

[rkhunter]

MD5: A35A033226362381A9DC62299DA6B1FF
https://www.virustotal.com/file/cc919ec ... /analysis/

[ResearchMalware]

MD5: 73B02AF92F48D4116F384BE14F227655
[1/39] Kaspersky - Backdoor.Win32.ZAccess.dzi https://www.virustotal.com/file/ce6f9fb ... /analysis/

This sample replaces the sys file "afd.sys" in the drivers folder. However, If I try to copy the afd.sys file using explorer or command prompt, It serves the clean version. Only when I copy it using GMer, I get the malicious replaced file.

I have gone through some of the analysis of the ZeroAccess and they have mentioned this functionality is achieved because the zeroaccess intercepts Windows' disk I/O by hijacking the disk.sys connection to the lower port device and If an attempt to read or write the infected driver is intercepted, the rootkit fakes the file content by showing the original clean content.

Can somebody help me how to see this block of assembly code responsible for doing the above mentioned activity.

Thanks in Advance!

[rkhunter]

Can somebody help me how to see this block of assembly code responsible for doing the above mentioned activity.
Thanks in Advance!

In case of dropper - 73B02AF92F48D4116F384BE14F227655.

Obtain address of DR0 object for hijack checking

kd> !object \device\harddisk0\dr0
Object: 81997420 Type: (819b8ad0) Device
ObjectHeader: 81997408 (old version)
HandleCount: 0 PointerCount: 4
Directory Object: e1448ee8 Name: DR0

Check lower device

kd> dt _device_object DeviceExtension 81997420
ntdll!_DEVICE_OBJECT
+0x028 DeviceExtension : 0x819974d8 Void

kd> dd 0x819974d8+8 l1
819974e0 81721e78

Check it on malicious

kd> !devobj 81721e78
Device object (81721e78) is for:
\Driver\00003978 DriverObject 816c1550
Current Irp 00000000 RefCount 0 Type 00000032 Flags 00002018
DevExt 81721f30 DevObjExt 81721f40
ExtensionFlags (0000000000)
Device queue is not busy.

It malicious, next check driver object

kd> !drvobj 816c1550 7
Driver object (816c1550) is for:
\Driver\00003978
Driver Extension List: (id , addr)

Device Object list:
817881d8 81721e78

DriverEntry: 813c85f0
DriverStartIo: 00000000
DriverUnload: 00000000
AddDevice: 00000000

Dispatch routines:
[00] IRP_MJ_CREATE 813c7fd0 +0x813c7fd0
[01] IRP_MJ_CREATE_NAMED_PIPE 813c7fd0 +0x813c7fd0
[02] IRP_MJ_CLOSE 813c7fd0 +0x813c7fd0
[03] IRP_MJ_READ 813c7fd0 +0x813c7fd0
[04] IRP_MJ_WRITE 813c7fd0 +0x813c7fd0
[05] IRP_MJ_QUERY_INFORMATION 813c7fd0 +0x813c7fd0
[06] IRP_MJ_SET_INFORMATION 813c7fd0 +0x813c7fd0
[07] IRP_MJ_QUERY_EA 813c7fd0 +0x813c7fd0
[08] IRP_MJ_SET_EA 813c7fd0 +0x813c7fd0
[09] IRP_MJ_FLUSH_BUFFERS 813c7fd0 +0x813c7fd0
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION 813c7fd0 +0x813c7fd0
[0b] IRP_MJ_SET_VOLUME_INFORMATION 813c7fd0 +0x813c7fd0
[0c] IRP_MJ_DIRECTORY_CONTROL 813c7fd0 +0x813c7fd0
[0d] IRP_MJ_FILE_SYSTEM_CONTROL 813c7fd0 +0x813c7fd0
[0e] IRP_MJ_DEVICE_CONTROL 813c7fd0 +0x813c7fd0
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL 813c7fd0 +0x813c7fd0
[10] IRP_MJ_SHUTDOWN 813c7fd0 +0x813c7fd0
[11] IRP_MJ_LOCK_CONTROL 813c7fd0 +0x813c7fd0
[12] IRP_MJ_CLEANUP 813c7fd0 +0x813c7fd0
[13] IRP_MJ_CREATE_MAILSLOT 813c7fd0 +0x813c7fd0
[14] IRP_MJ_QUERY_SECURITY 813c7fd0 +0x813c7fd0
[15] IRP_MJ_SET_SECURITY 813c7fd0 +0x813c7fd0
[16] IRP_MJ_POWER 813c7fd0 +0x813c7fd0
[17] IRP_MJ_SYSTEM_CONTROL 813c7fd0 +0x813c7fd0
[18] IRP_MJ_DEVICE_CHANGE 813c7fd0 +0x813c7fd0
[19] IRP_MJ_QUERY_QUOTA 813c7fd0 +0x813c7fd0
[1a] IRP_MJ_SET_QUOTA 813c7fd0 +0x813c7fd0
[1b] IRP_MJ_PNP 813c7fd0 +0x813c7fd0

Code:

kd> u 0x813c7fd0 l10
813c7fd0 8b442404 mov eax,dword ptr [esp+4]
813c7fd4 8b4828 mov ecx,dword ptr [eax+28h]
813c7fd7 55 push ebp
813c7fd8 8b6904 mov ebp,dword ptr [ecx+4]
813c7fdb 56 push esi
813c7fdc 8b742410 mov esi,dword ptr [esp+10h]
813c7fe0 57 push edi
813c7fe1 8b7e60 mov edi,dword ptr [esi+60h]
813c7fe4 8a07 mov al,byte ptr [edi]
813c7fe6 3c16 cmp al,16h
813c7fe8 751c jne 813c8006
813c7fea 56 push esi
813c7feb ff1554013d81 call dword ptr ds:[813D0154h]
813c7ff1 fe4623 inc byte ptr [esi+23h]
813c7ff4 83466024 add dword ptr [esi+60h],24h
813c7ff8 56 push esi

[ResearchMalware]

Dispatch routines:
[00] IRP_MJ_CREATE 813c7fd0 +0x813c7fd0
[01] IRP_MJ_CREATE_NAMED_PIPE 813c7fd0 +0x813c7fd0
[02] IRP_MJ_CLOSE 813c7fd0 +0x813c7fd0
[03] IRP_MJ_READ 813c7fd0 +0x813c7fd0
[04] IRP_MJ_WRITE 813c7fd0 +0x813c7fd0
[05] IRP_MJ_QUERY_INFORMATION 813c7fd0 +0x813c7fd0

Very useful. Thank you. From the IRP entries it looks like it uses the same hooking technique used by TDL-3. Is my understanding correct?

[rkhunter]

From the IRP entries it looks like it uses the same hooking technique used by TDL-3. Is my understanding correct?

Exactly, one handler for all entries.

[ResearchMalware]

From the IRP entries it looks like it uses the same hooking technique used by TDL-3. Is my understanding correct?

Exactly, one handler for all entries.

Thank you.

[thisisu]

MD5: 473ee8b79d33a21559f2214ae9d172d7
https://www.virustotal.com/file/be7d526 ... 334031402/
Oak technology .dlls