 #16867  by rinn
 Tue Nov 27, 2012 5:20 pm
Hi.

In relation to this thread http://www.kernelmode.info/forum/viewto ... 5&start=70 (Comodo5, PrivateFirewall7, Outpost 7.6, Kaspersky 2013, Dr.Web 8, Prevx 3, NOD32 6 termination concepts working from user mode).

I'm currently writing an article for a magazine in my country and I would like to ask for help in finding malware that utilizes killav features. Yes, I am aware of the numerous IRC/Zeus-like bots that use blacklists of antivirus software (e.g. Zonebac) and try a brute-force attack head-on. I'm not looking for that type of malware. I am primarily interested in malware that targets specific antiviruses.

It need not be limited to user mode. For an overview of the methods used in the wild, I presently use:

KM
  • Old ZeroAccess AV trap tricks (APC to user mode thread with ExitProcess, triggered by trap process / registry key)
    (No specific targeting, but all who fall into the trap)
  • BlackEnergy blacklisting (PsSetLoadImageNotifyRoutine)
  • Peacomm.C blacklist (PsSetLoadImageNotifyRoutine)
    (Let's say notification routines are too common, so the two above ^ are enough for this type)
  • PlusDriver (targets G-Buster Browser Defender, Avast4, Avira, forced deletion from malware driver)
UM
  • ZeroAccess backdoor AntiMSE/AntiWD (frankly speaking it is too primitive)
  • Trojan AuxSpy (WINMM.dll codecs exploiting injection)
I'm not expecting many, but I'm obviously missing some for user land ;)
I'm not asking for samples; names or links to descriptions will be enough for me to find them.

Thank you (-.-)

Best Regards,
-rin
 #16868  by Alex
 Tue Nov 27, 2012 6:17 pm
Wapomi/Guntior use a blacklist. To terminate AV processes, the UM part sends IOCTLs and terminates the process's threads using PspTerminateThreadByPointer, if I remember correctly.
 #16875  by Flamef
 Tue Nov 27, 2012 9:59 pm
Hi,
Various Virut.ce samples use the blacklist method to kill AVs.
http://www.securelist.com/en/analysis/2 ... are_Sample
http://www.securelist.com/en/images/vli ... c03_en.png
"Now let us look at the most important feature - Virut’s payload. It is common knowledge that most malware programs are exclusively designed for financial gain and Virut is certainly no exception. Effectively, it is a backdoor which first attempts to infiltrate the address space of the ‘explorer.exe’ process (‘services.exe’, ‘iexplore.exe’), then it connects to the irc.zief.pl and proxim.ircgalaxy.pl URLs via IRC-protocol and waits for commands to arrive. The procedure looks quite conventional, as does the list of processes the virus attempts to terminate as shown in the screenshot below. This list includes processes belonging to antivirus programs such as ‘nod32’, ‘rising’, ‘f-secure’ and a number of others."
 #16876  by EP_X0FF
 Wed Nov 28, 2012 3:18 am
UM

https://www.virustotal.com/file/8dc1fc1 ... /analysis/

Trojan-PSW.Win32.VKont.alb

Two years ago this primitive Delphi malware was capable of uninstalling lots of AV products, doing so by forcing a reboot into safe mode to turn off the AV SP and then calling the products' uninstallers (IIRC it bypassed the Dr.Web CAPTCHA too). Once the AV was removed, a new fake shell tray icon representing the removed product was added.

KM

Sality aka SOSiTE_AVERI_SOSiTEEE.haha implemented an unusual way of AV killing. It also uses a blacklist and performs process termination from KM. This malware searches for the original service table by analyzing the KeServiceDescriptorTable variable and calls NtTerminateProcess directly by pointer (for NT4/2000/XP/2003/Vista it has hardcoded service id numbers). Before calling this function the malware looks up the required process by id and opens it through an Object Manager function. A few years ago I posted about one of these variants on rootkit.com; search in the web archive or contact me via PM :)
 #16877  by kmd
 Wed Nov 28, 2012 7:02 am
Linkoptimizer, known as prevx@gromozon. Inside the rootkit DLL was a banlist of VERSION_INFO block info and process names. Have no idea why it was named linkoptimizer btw.
 #16881  by EP_X0FF
 Wed Nov 28, 2012 7:15 am
kmd wrote: Have no idea why it was named linkoptimizer btw.
Because of the spaghetti ('lapsha') code it used.