 #14734  by EP_X0FF
 Wed Jul 18, 2012 5:14 pm
kmd wrote:http://artemonsecurity.blogspot.com/201 ... inese.html

I don't get it, I'm using DrvMon as well as many others and didn't notice any blacklisting or tool detection. Can anyone shed some light?
How many times should I post this? Five? Twelve? This lolkit has nothing to do with DrvMon. The statement in the blog post is incorrect. Having some "DrvMon" string inside does not give it the ability to "prevent", "detect" or whatever. We had to consider giving a really rare name to our tool, something like "Yzlaypfsshz500", to exclude possible linking with lolkits from China. From the logic of the main blacklist with numerous crapware in it - some of these "antimalwarez" have a driver that can be exploited through a not secured control code which disables some features of this "product", and obviously it will be called right before the malware driver loads. I don't want to download, install and reverse all these pieces of shit just to find which one, because it is boring and out of any kind of interest.
 #14737  by rkhunter
 Wed Jul 18, 2012 8:01 pm
With great respect to all guys :?
I said that it "has the feature" and didn't say that "it blocked"... It seems there is some third-party driver that creates a link to the device \\.\DP0000 and it can receive IOCTL 0xC4DC with the in-parameter "Set|DrvMon|0". It performs this before driver installation, so I suggested that this is an anti-DrvMon feature; of course, I can't be 100% sure, just as nobody can be 100% sure that this is not an anti-DrvMon feature.
 #14738  by EP_X0FF
 Thu Jul 19, 2012 3:30 am
What is the probability of:

1) Another malware driver. An already loaded(!) driver.
2) A special IOCTL dispatch routine parsing a string (lmao) params set used for blacklisting?

Around 0%, because it is total lol even for lolkits from China.
 #14901  by cjbi
 Sat Jul 28, 2012 2:32 pm
Fresh Guntior dropper.

Dropper string(s)
Code:
\\.\%C:
\\.\PhysicalDrive0
Global\{65B4B2F0-2810-4df5-BD0F-0CE435A61102}
stinst.log
{2937F62B-D7E0-494e-A7CA-A37D957FC8AD}
{A66621EF-57B8-4ee3-A5D5-B76CB6002EBE}
%s%.8x.bat
:DELFILE
del "%s"
if exist "%s" goto :DELFILE
del "%s"
open
360tray.exe
explorer.exe
HardwareInfo.exe
HintClient.exe
CfgClt.exe
AVP.exe
KSafeTray.exe
RavMonD.exe
%.8X.tmp
%s%s
.exe
%s\%s.dll
%s\%s
Start
Svchost
netsvcs
%SystemRoot%
%s\System32\%s.exe -k %s
Parameters
%s\%s\%s
ServiceDll
360leakfixer.exe
RsAgent.exe
 132020 197640 395280 790560 1581120 3162240
onment
Envir
Manager
Session
Control
%s\%s\%s %s\%s%s
Path
%s;%s
Environment
Paths
SOFTWARE\Microsoft\Windows\CurrentVersion
%s\%s %s\
HELPCTR.EXE
MSIMG32.dll
control.exe
OLE32.dll
Shell_TrayWnd
ImmLoadLayout
imm32.dll
ZwQueryValueKey
ntdll.dll
Keyboard Layout\Preload
user32.dll
%s\Control\Keyboard Layouts\%.8X
Layout File
%.8X
Layout Text
Program Manager
ntdll
ZwQuerySystemInformation
FILE
MACHINE\%s
Everyone
sfc_os.dll
SfcFileException
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SYSTEM\CurrentControlSet\Services
SYSTEM\CurrentControlSet
\\.\Guntior
%s\%s.sys
Base
SeLoadDriverPrivilege
ZwCreateFile
Enum
Service
ConfigFlags
Type
system32\%s.sys
ImagePath
Group
ErrorControl
Classes
Device
%s\%s\%s%s\%s
%s\%s%s\%s%s\%s
DrvAnti.exe
drvanti%.4d%.2d%.2d.log
E:\NBMSClient\%s\%s
%s%.8x.tmp
Handle=
%s%.8x.exe
%s %X
HintRoot.sys
SeDebugPrivilege
NtSystemDebugControl
\\.\HintDefend
\\.\DP0000
Set|DrvMon|0
IME file
setup.exe
C:\test.pdb
VirusTotal result(s)
444.dll.exe.vir 23/41 https://www.virustotal.com/file/8f3c5a5 ... /analysis/
Attachments
pw: infected
guntior.png: "No more stupid calc.exe blacklisting."
 #14914  by Alex
 Sun Jul 29, 2012 4:38 pm
rkhunter wrote:- Interesting method of initialization via dll and keyboard layout switching
- Interesting method of driver loading via PnpManager (look function at 403118)
- Killing processes of AV-products via driver - PsTerminateProcess
The first time I saw this method of driver loading was in an old "Wapomi/Qvod/Jadtre" Chinese malware which is a predecessor of this one. Do you know any other malware which uses an unusual driver loading method?
Attachments
pass: infected
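One defender-side triage check for the keyboard-layout loading trick rkhunter lists above: walk the Preload slots, resolve each to its "Keyboard Layouts" key and flag layouts whose module is not a bare kbd*/IME file under system32. This is an added example, not code from the thread or from the sample; the registry data is passed in as constructed dicts so it runs offline, and the system32 path and extension rules are this example's own assumptions.

```python
import ntpath

# Layout modules that Windows itself ships live in %SystemRoot%\system32 and are
# referenced by bare file name (e.g. "KBDUS.DLL"). A layout key whose module is
# given by an absolute path outside system32, or carries an unexpected extension,
# is worth a closer look. These rules are this example's assumptions, not Windows rules.
SYSTEM32 = r"C:\Windows\System32"
ALLOWED_EXT = {".dll", ".ime"}

def layout_module(values):
    """Return the module a layout key would make imm32/user32 load."""
    # IME layouts name their module in "IME file"; plain layouts in "Layout File".
    return values.get("IME file") or values.get("Layout File") or ""

def is_suspicious(module):
    if not module:
        return False
    has_path = "\\" in module or "/" in module
    ext = ntpath.splitext(module)[1].lower()
    if ext not in ALLOWED_EXT:
        return True
    if has_path and not module.lower().startswith(SYSTEM32.lower() + "\\"):
        return True
    return False

def suspicious_preloads(preload, layouts):
    """
    preload: values of HKCU\\Keyboard Layout\\Preload, e.g. {"1": "00000409"}
    layouts: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\<id> -> value dict
    Returns [(preload slot, layout id, module)] for layouts to examine by hand.
    """
    hits = []
    for slot, kl_id in sorted(preload.items()):
        values = layouts.get(kl_id.upper(), {})
        mod = layout_module(values)
        if is_suspicious(mod):
            hits.append((slot, kl_id.upper(), mod))
    return hits

# Constructed sample data, not taken from a real machine or from the sample.
SAMPLE_PRELOAD = {"1": "00000409", "2": "E0010804"}
SAMPLE_LAYOUTS = {
    "00000409": {"Layout File": "KBDUS.DLL", "Layout Text": "US"},
    "E0010804": {"Layout File": "KBDUS.DLL", "Layout Text": "IME",
                 "IME file": r"C:\Windows\Temp\1a2b3c4d.dll"},
}

if __name__ == "__main__":
    for slot, kl_id, mod in suspicious_preloads(SAMPLE_PRELOAD, SAMPLE_LAYOUTS):
        print(f"Preload slot {slot} -> {kl_id}: module {mod}")
```

On a live host the two dicts would be filled from the registry (winreg); the logic stays the same.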
 #14920  by AaLl86
 Mon Jul 30, 2012 8:47 am
Peter Kleissner wrote:Those crooks! They stole my NTFS driver source from my bootkit, and they are not even paying me! Crooks! Chinese copycats! Polizei!

It looks like they used my source 1:1. Look at this for example: ...
...this is the reason why I don't publish the source code of my research, Peter, except if someone mails me...
Black hats, if it is public, download it and use it in a bad manner...

BTW, interesting sample...
In the next days I'll try to finish my research on EFI flaws..... something new, I hope...

Regards
 #14921  by rkhunter
 Mon Jul 30, 2012 8:49 am
Alex wrote:Do you know any other malware which use unusual driver loading method?
Don't remember any like this.
 #15081  by thisisu
 Thu Aug 09, 2012 8:15 pm
Alex wrote:The first time I saw this method of driver loading was in an old "Wapomi/Qvod/Jadtre" Chinese malware which is a predecessor of this one. Do you know any other malware which uses an unusual driver loading method?
This one infects userinit.exe as well? Is that a common characteristic of this bootkit?