A forum for reverse engineering, OS internals and malware analysis 

 #1272  by gjf
 Sat Jun 12, 2010 10:21 pm
Some news in the bootkit family :)
The news is presented here. It is the well-known Stoned, but rehashed.
All I know is that this malware starts some processes with NT AUTHORITY\SYSTEM rights. Executables are not hidden and are placed somewhere in C:\System Volume Information\. They cannot be terminated because of the rights.

The malware can be removed using standard technique for removing bootkits :)

Does anyone have a dropper to perform analysis?

BTW, it looks like it has a website :)
 #1273  by rossetoecioccolato
 Sat Jun 12, 2010 11:07 pm
Stoned is open source and intended for use by law enforcement, security researchers and other individuals who have a legitimate interest. Additional (and more accurate) information may be obtained by contacting the author at Peter_at_Kleissner_dot_at. Versions available from the author require the user to have administrative privileges and to click yes when prompted to install what is explicitly identified as a bootkit. The software license prohibits use for unlawful purposes. Bootkits are becoming quite common in the wild, and so it is useful to have one available for research purposes. But I doubt the authors of TDL or Rustock will need to learn anything from Stoned. The website that you mention is not associated with the author. I can't imagine why anyone would want to pay money for something that can be obtained for free simply by contacting the author.
 #1281  by gjf
 Wed Jun 16, 2010 9:30 am
I am talking not about Stoned, but about Whistler which is probably based on Stoned.
 #1283  by rossetoecioccolato
 Wed Jun 16, 2010 1:31 pm
Same thing. If you want a copy, email the author. It would be interesting to know who the website that you mention really belongs to (since it is hosted in US federal jurisdiction).
 #1285  by gjf
 Thu Jun 17, 2010 1:44 pm
That's what I did :) Peter kindly explained everything to me. Actually, the information has been posted here already.

I believe it is really Stoned-based malware. Same behaviour: non-hidden MBR patching, SYSTEM rights for the malware processes, etc. Taking into account that the author cannot do better than simply "hiding" the malware files in "System Volume Information", I think there is nothing new.

Sure, we cannot be absolutely sure without droppers, but AFAIK nobody has one yet :)
 #1390  by Quads
 Fri Jul 02, 2010 11:56 pm
Has anyone found a sample installer for the bootkit that creates these files on people's PCs?

c:\system volume information\microsoft\smss.exe
c:\system volume information\microsoft\services.exe

A lot of AVs, MBAM and SAS are detecting the above files, but they get recreated on the next restart.

Quads
 #1393  by Quads
 Sat Jul 03, 2010 12:52 am
Thanks

Yeah, I was trying to find the latest sample to play with and remove without using the Windows CD and the FixMBR command, instead trialling other bootkit removers.

Thanks for your input

Quads
 #1395  by EP_X0FF
 Sat Jul 03, 2010 3:15 am
Quads wrote: Has anyone found a sample installer for the bootkit that creates these files on people's PCs?

c:\system volume information\microsoft\smss.exe
c:\system volume information\microsoft\services.exe

A lot of AVs, MBAM and SAS are detecting the above files, but they get recreated on the next restart.

Quads
Hello,

Give us the malware names assigned by the AVs :)

Regards.
 #1399  by Quads
 Sat Jul 03, 2010 8:51 am
The 2 files above are detected as

Symantec Win32.Unruy!gen1
A-squared Trojan-Clicker.Win32.Cycler.ajsx!A2
AVG Trojan horse Downloader.Generic9.CAXD or trojan horse clicker.AJRO
Avast Win32:Cycler-l[trj] or Win32:Cycler-G [Trj]
Malwarebytes Trojan.cycler
ESET a variant of Win32/TrojanDownloader.Unruy.BV trojan
Kaspersky Trojan-Clicker.win32.cycler.ajtp or Win32:Cycler-F [Trj]
SAS Trojan.Agent/Gen-Blarsa

The 2 files get created again on the next restart, even after deletion.

Bootkit Remover fixes the MBR, and afterwards the files are no longer created.

Quads
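The thread above turns on two observations: the bootkit patches the MBR without hiding the patch (#1285), and rewriting the MBR (FixMBR or Bootkit Remover) is what stops the files from coming back (#1399). As an added example, not code from this forum, from Stoned/Whistler, or from any of the removal tools mentioned, here is a small Python checker that parses a 512-byte MBR, verifies the 0x55AA boot signature and the partition table, and compares a SHA-256 of the 446-byte boot-code area against a set of known-good hashes taken from a clean machine (or from the same machine right after FixMBR). The two sample MBRs are constructed inline; the "patched" stub bytes are invented for illustration and are not the real Whistler boot code. Reading the live MBR from \\.\PhysicalDrive0 is shown as a helper and needs administrator rights on Windows.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446   # bytes 0..445: boot code, the part a bootkit overwrites
PART_TABLE_OFF = 446  # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510   # last two bytes must be 0x55 0xAA


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw disk (Windows path shown; needs admin)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


def parse_mbr(mbr):
    """Return signature status, boot-code hash and the four partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + i * 16)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr, known_good_hashes):
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code does not match any known-good image")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d partitions flagged bootable (expected 1)" % len(bootable))
    return findings


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from a boot-code stub and up to four entries."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + b"\x55\xAA"


# Constructed sample data (not captured from a real disk).
# One bootable NTFS (type 0x07) partition starting at LBA 2048.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xFE\xFF\xFF", 2048, 1_000_000)
# Typical start of a stock Windows MBR: xor ax,ax / mov ss,ax / mov sp,0x7C00
CLEAN_STUB = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
# Invented stand-in for an overwritten stub: far jump somewhere else.
PATCHED_STUB = b"\xEA\x00\x7E\x00\x00"

CLEAN_MBR = build_mbr(CLEAN_STUB, [NTFS_ENTRY])
PATCHED_MBR = build_mbr(PATCHED_STUB, [NTFS_ENTRY])
# Baseline taken from the clean image; in practice record this on a known-clean box.
KNOWN_GOOD = {hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()}


if __name__ == "__main__":
    print("clean  :", check_mbr(CLEAN_MBR, KNOWN_GOOD) or "ok")
    print("patched:", check_mbr(PATCHED_MBR, KNOWN_GOOD))
    # On a live Windows box (elevated): print(check_mbr(read_mbr(), KNOWN_GOOD))
```

The hash comparison is deliberately whole-area rather than signature-based: a bootkit that is not hiding its patch (as described in #1285) changes the boot code bytes, so any mismatch against a baseline recorded from the same machine after FixMBR is enough to show the patch is back, which is the behaviour #1399 reports (files recreated on every restart until the MBR is rewritten). Run it before and after the removal tool to confirm the MBR actually stayed fixed across a reboot.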