[EP_X0FF]

Here is probably new variant of TDL. Or another copy-paste clone, I'm not sure, currently can't get it work because of nice Blue Screens it provides to me (BSOD in atapi.sys and then system unbootable) :)

Three different methods of drivers loading used (tdl3 method, beep.sys method, direct NtLoadDriver).

443-direct.e_ = dropper itself
269E.dll to be injected into spooler (contains sys, see next)
sst2.sys driver it's trying to load

here is ThreatExpert entry describing the same behavior
http://www.threatexpert.com/report.aspx ... 9cdfb34340

source hxxp://clickcalm.org/any5/443-direct.exe

[nullptr]

I had just been looking at 443-direct myself, but it freezes the VM at AddPrintProvidor(..) lol
Managed to extract the dll and unpack it and watch it (with a bit of help) write the driver, load it and write its service entry to the registry.
It has notify callbacks for CreateProcess and LoadImage. As soon as I establish an internet connection the VM freezes. :?
Will probably have a bit more of a play with it later. Maybe emulate the internet functionality of the driver and see what turns up. ;)

edit:
It downloaded a heap of things, but as soon as I tried to browse directories everything froze. Maybe this malware is alpha version.

[EP_X0FF]

Ok, crap reversed. It is PALEVO :D Or if it wants, it will be MaxSS.

\SystemRoot\System32\palevo.txt

s e r f _ c o n f b b r _ c o n f [injects_begin] [injects_end] c m d s s c o r e \ D r i v e r \ a c p i \ D r i v e r \ A C P I \ D e v i c e \ H a r d D i s k 0 \ D R 0 volsnap.sys s v c h o s t . e x e I m a g e P a t h INIT .rsrc \ S y s t e m R o o t \ o r i g v o l s n v o l s n h o o k e d \ S y s t e m R o o t \ S y s t e m 3 2 \ D r i v e r s \ v o l s n a p . s y s m a x s s c o r e * A D V A P I 3 2 . D L L ZwTerminateProcess LoadLibraryExA k e r n e l 3 2 . d l l n t d l l . d l l System ntoskrnl.exe hal.dll .text \ S y s t e m R o o t \ S y s t e m 3 2 \ m a i n . s c r i p t svchost.exe K E R N E L 3 2 . D L L N T D L L . D L L | .dll explorer.exe * N T D L L . D L L * K E R N E L 3 2 . D L L e x p l o r e r . e x e cmdsscore

Here is what's inside payload dll that this driver injecting to processes (actually inside driver 2 libraries)

http://anonymitylines.com/ftp1/cat | e x p l o r e r . e x e SeDebugPrivilege winsta0\default cmd_dll: DownloadFileToBuffer: try url %s
HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) GeckaSeka/20090911 Firefox/3.5.1 GET 404 NOT FOUND % S % S m a x s s c o r e c m d s s c o r e % S maxsscore cmdsscore http://www.microsoft.com/ cmd_dll: MainWorkThread started
affid subid cmd_dll: affid = %s subid = %s
cmd_dll: MainWorkThread: try read script
main.script cmd_dll: lpstrMainScript: read script OK
[servers_end] [servers_begin] %s/main.php?affid=%s&subid=%s&v=3 [SCRIPT_SIGNATURE_CHECK] cmd_dll: main.script not valid, SCRIPT_SIGNATURE_CHECK failed
cmd_dll: lpstrMainScript downloaded = %s
[servers_end] [servers_begin] cmd_dll: read script failed
cmd_dll: try download script
%s/main.php?affid=%s&subid=%s&v=3 cmd_dll: script url: %s
cmd_dll: lpstrMainScript = %s
[SCRIPT_SIGNATURE_CHECK] cmd_dll: main.script not valid, SCRIPT_SIGNATURE_CHECK failed
[servers_end] [servers_begin] main.script [kit_hash_end] [kit_hash_begin] [cmd_dll_hash_end] [cmd_dll_hash_begin] %s/files/core/maxsscore %s/files/core/cmdsscore [modules_end] [modules_begin] %s/files/mods/%s %s/testadd.php?aid=%s&sid=%s&mode=check_point4&data=try_url_%s %s/testadd.php?aid=%s&sid=%s&mode=check_point5&data=url_%s_download_OK_and_save_sectors_OK %s/testadd.php?aid=%s&sid=%s&mode=check_point_fail5&ntstatus=%d cmd_dll loaded
svchost.exe JKgxdd5ff44okghk75ggp43423ksf89034jklsdfjklas89023 cmd_dll install OK %s!!!
wininet.dll wininet.dll InternetCloseHandle InternetConnectA InternetOpenA HttpOpenRequestA InternetCrackUrlA HttpSendRequestA InternetReadFile InternetCheckConnectionA

and from second

ldr_dll: DLL = %s api ord = %X addr = %X
ldr_dll: DLL = %s api = %s addr = %X
ldr_dll: MainThread started
ldr_dll: g_dwNamesCount = %d
ldr_dll: pbDllBuffer = %X
ldr_dll: LoadDll() pbDllBuffer = %X, pminidll[%d].modeof = %d pminidll[%d].pbbrconfig = %X
ldr_dll: LoadDll() pbDllBuffer = %X, pminidll[%d].modeof = %d Addr of pminidll[%d] = %X
ldr_dll: hMod = %X
ldr_dll: ldr_dll started
ldr_dll: array of PMINIDLLPARAMS addr = %X

And after reboot - infinite loop of PAGE_FAULT_IN_NONPAGED_AREA :D

[EP_X0FF]

@nullptr

Can you please upload what it downloaded? :)

New IE found with http://www.clickleg.org/ac.php?q=cloning&aid=5&sid=direct2

searching for cloning
searching for cloning
http://www.cloning.com/

looking for cloning
looking for cloning
http://www.cloning.com/

cloning
cloning
http://www.cloning.com/

81<50

[nullptr]

@nullptr
Can you please upload what it downloaded? :)

Unfortunately not, I just saw numerous things executing in Task Manager, one was AMdelta.exe, but as soon as I tried to look for anything, the VM froze.
I tried removing the callbacks before it downloaded anything, but that ended with the same result. Trojan.pcCrippler :?:

[PX5]

In message, you see .ex

Those should be PRAGMA, I havent got to all the others yet. :roll:

Think ones look like windowsupdate logo may be FakeAV

[EP_X0FF]

Thanks PX5.

Excellent. 20+ megabytes of malware, archive split on 4 parts, enjoy.

pass: malware

[EP_X0FF]

Yes, it is some sort of new TDL.

The same I/O filtering, now working for hiding infected volsnap.sys modification.
Here is infected driver sample if somebody want to look. To counteract simple removal it constantly reopens handle for infected driver in queued WorkItem.

[EP_X0FF]

Samples from the target site with size ~ 17 kb all are classical TDSS downloaders.

hxxp://Traffic-Advisory.com/a/ad;
hxxp://www.fastradotop.com/a/ad;
hxxp://www.searchdull.com/a/ad;

Unfortunately payload inaccessible for me.

[EP_X0FF]

If you take a look on injected code you will find a lot of things.
This trojan is very self descriptive :)

All samples with size of 420+ kb from archive posted above - recrypt of the same Fake AV (Malware Defense reincarnation).

PX5 is rights, it's PRAGMA :)