A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13687  by EP_X0FF
 Mon Jun 04, 2012 5:54 am
x86 XP SP3: I see mass injection into trusted processes; it also downloaded a bitcoin miner and injected it into a trusted process's address space.

How to get this crap modify services.exe? :)
0x35670000 Ldr suspicious modification-->MSWSOCK.dll [ EPROCESS 0x81D94888 ] PID: 1192 [SDBN][VFN][FEP][FRS][FTDS], size: 20480 bytes
0x35670000 Ldr suspicious modification-->mswsock.dll [ EPROCESS 0x81D9EA78 ] PID: 1368 [SDBN][VFN][FEP][FRS][FTDS], size: 20480 bytes
0x35670000 Ldr suspicious modification-->mswsock.dll [ EPROCESS 0x81C2F560 ] PID: 1856 [SDBN][VFN][FEP][FRS][FTDS], size: 20480 bytes
0x00400000 Ldr suspicious modification-->svchost.exe [ EPROCESS 0x81C2F560 ] PID: 1856 [SDBN][SDFN][VFN][FEP][FRS][FTDS], size: 995328 bytes
where SDBN - duplicate entry for such BaseDllName in PEB found, VFN - VAD entry name different than module name, FEP - file entry point mismatch with PEB data, FRS - file raw size mismatch with PEB data, FTDS - file time date stamp mismatch with PEB data. So basically ZeroAccess replaced system DLL code in memory (mswsock.dll) with its own code and made the corresponding modifications to the PEB Ldr part.

Additionally, MSS completely removed all sensitive components of this malware after a full scan.

edit:

Just to mention: tried the latest release of Dr.Web CureIt on the following sample (DB from 04 June) - complete failure. Nothing detected - neither on disk nor in memory.
CureIt 7 beta - same fail.

KVRT 2011 with full system disk scan + memory -> complete failure. Custom scan - same. Additionally, it identified the OllyDbg StrongOD plugin as Rootkit.Win32.Agent.biwb, cool story bro.
Hmm, the one day old dropper is identified correctly as ZAccess, but all actual components are undetected.
Last edited by EP_X0FF on Mon Jun 04, 2012 8:08 am, edited 1 time in total. Reason: tested with different products
 #13692  by Gabethebabe
 Mon Jun 04, 2012 10:07 am
I am having some fun with a user whose computer is infected by ZAccess. Combofix detects it, but enters an infinite reboot loop and fails to get rid of it. The Symantec and ESET dedicated tools find nothing. aswMBR and TDSSKiller find nothing.

I noted that TDSSKiller reports an MD5 for vgapnp.sys of 7d92be0028ecdedec74617009084b5ef, and when I later did an MD5 check with an offline tool (OTLPE disk, running SystemLook) it reported 87B06E1F30B749A114F74622D013F8D4 for the same file. Both MD5s appear to be legit though.

https://www.virustotal.com/file/06c06ef ... /analysis/
https://www.virustotal.com/file/d0749ce ... /analysis/

So I think I'm going to try and find the infected driver by a dumb kaspersky boot disk scan, unless any of you has a better idea.

EDIT: funny/interesting detail: when I asked the user to download Combofix and save it under another name (svchost.exe), running this would result in svchost.exe being renamed back to combofix.exe. Dunno if this is a Combofix functionality or a LOL FU from ZAccess.
 #13695  by Gabethebabe
 Mon Jun 04, 2012 11:42 am
Sure.
I already looked through recent topics on MG, but all ZA infections I found there are kind enough to allow CF to run :p

http://www.geekpolice.net/t28819-root-kitzero-access

You can see all my failboat experiments.

I ran the SystemLook MD5 action to compare with the TDSSKiller results.
The DDS log shows something that looks like a malicious service (2012-05-31 13:18:20 0 ----a-w- c:\windows\system32\sho5BF7.tmp). I haven't tried to do anything about this file, because I'm like 99% sure it will respawn under another name after rebooting.
 #13701  by B-boy/StyLe/
 Mon Jun 04, 2012 4:02 pm
@Gabethebabe

You can run a quick scan with MBAM. The latest defs can handle this variant very well.
Also run a scan with HitmanPro and OTL custom scan including:
Code:
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
Regards,
Georgi
 #13712  by erikloman
 Tue Jun 05, 2012 6:46 am
Gabethebabe wrote: Thanks Georgi

Running a Hitman Pro scan now on my own computer to see what logs it produces.
keepass.exe is considered suspicious and OTL.exe is identified as trojan.siggen4.2299 (lol).
Being flagged as suspicious means keepass.exe scores 21.0 points or more. Can you send me the log by PM? I will have a look at the OTL.exe FP.
 #13722  by Gabethebabe
 Tue Jun 05, 2012 10:23 am
erikloman wrote: Being flagged as suspicious means keepass.exe scores 21.0 points or more. Can you send me the log by PM? I will have a look at the OTL.exe FP.
On its way. A second scan did not flag OTL.exe anymore btw.
 #13732  by Gabethebabe
 Tue Jun 05, 2012 7:16 pm
Malware case update

I ran MBAM with the latest sigs - nothing.
I ran HitmanPro - it found some irrelevant Vundo stuff, ate some cookies and flagged SearchFilterHost.exe as suspicious, but that file turned out to be legit.

I can't run OTL on the infected system - it halts during the scan.

So all tools are breaking their teeth on this ZAccess variant aorn