A forum for reverse engineering, OS internals and malware analysis 

(Possible) Whistler Bootkit Dropper

Forum for analysis and discussion about malware.

Re: (Possible) Whistler Bootkit Dropper

 #1609  by EP_X0FF
 Mon Jul 19, 2010 3:58 am
No stealth modification was detected with this bootkit. You can take a look on it's driver, it is very simple (PsCreateSystemThread).

Re: (Possible) Whistler Bootkit Dropper

 #1621  by PX5
 Tue Jul 20, 2010 7:13 pm
One was hardly detected just 40 hours ago, should do trick, sometimes good xp sp2 cd is nice to have laying around. :)

I watch IE launch in process exploder and user cry because he use FF and thinks its all IEs fault, which isnt so far off I dont reckon.

Code: Select all
Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Black Internet
FileDescription
File Loader
FileVersion
1.0.0.1
InternalName
Loader
Bible
41:38 And Pharaoh said unto his servants, Can we find such a one asthis is, a man in whom the Spirit of God is?  41:39 And Pharaoh saidunto Joseph, Forasmuch as God hath shewed thee all this, there is noneso discreet and wise as thou art: 41:40 Thou shalt be over my house,and according unto thy word shall all my people be ruled: only in thethrone will I be greater than thou.
LegalCopyright
Copyright (C) 2008 Black Internet, Inc.
OriginalFilename
Loader.exe
ProductName
Loader
ProductVersion
1.0.0.1
Bible
24:34 And he said, I am Abraham's servant.
VarFileInfo
Translation
Attachments
(19.09 KiB) Downloaded 63 times

Re: (Possible) Whistler Bootkit Dropper

 #1629  by a_d_13
 Wed Jul 21, 2010 11:47 am
It is a beta tool that I'm developing, using a whitelist of valid MBRs so it doesn't "detect" OEM MBRs, and also allows the user to dump the MBR to a file. If you come across an unknown MBR, please send it to me.

http://ad13.geekstogo.com/MBRCheck.exe (note: down at July 20th, use one below)
http://download.bleepingcomputer.com/ro ... RCheck.exe
http://www.kernelmode.info/MBRCheck.exe

Thanks,
--AD

Re: (Possible) Whistler Bootkit Dropper

 #1633  by Quads
 Wed Jul 21, 2010 10:39 pm
a_d_13 wrote:It is a beta tool that I'm developing, using a whitelist of valid MBRs so it doesn't "detect" OEM MBRs, and also allows the user to dump the MBR to a file. If you come across an unknown MBR, please send it to me.

http://ad13.geekstogo.com/MBRCheck.exe (note: down at July 20th, use one below)
http://download.bleepingcomputer.com/ro ... RCheck.exe
http://www.kernelmode.info/MBRCheck.exe

Thanks,
--AD
Just a thought, what about boot loaders like GRUB and OS Selector in detection with MBRcheck.

Quads

Re: (Possible) Whistler Bootkit Dropper

 #1637  by EP_X0FF
 Thu Jul 22, 2010 2:09 am
SystemPro wrote:Does it matter if system is inside vm or not?

Because the unknown mbrs seem to be more likely inside vms.
Your question is delirium. Please avoid posting "Revealing of nothing coz I bored (ala Sysinternals)" content here.

Special note for SystemPro:

Another violation and your posts will be deleted without any further notice.

Re: (Possible) Whistler Bootkit Dropper

 #1663  by Quads
 Sun Jul 25, 2010 10:37 pm
The downloaded files on the Bootkits install are updated, see attached

MBAM, SAS and Norton don't detect them during scans

Quads
Attachments
pass = malware
(49.93 KiB) Downloaded 69 times

Re: (Possible) Whistler Bootkit Dropper

 #1666  by gjf
 Mon Jul 26, 2010 11:17 am
Quads wrote:The downloaded files on the Bootkits install are updated, see attached

MBAM, SAS and Norton don't detect them during scans
loader.exe - Trojan-Clicker.Win32.Cycler.akmy
smss.exe - Trojan.Win32.Vilsel.akef
 Return to “Malware”