Details on this malware are here:
The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1)
https://blog.mandiant.com/archives/3155
The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2)
https://blog.mandiant.com/archives/3189
Further information can be added to the above blog posts:
- the NDIS intermediate driver used as the backdoor is based on public source code from 2009, see http://code.google.com/p/passthruivi/
- driver code is available for Windows NT through Win7 (x86 + x64)
- the driver adds its self-signed cert (GlobalSign) to the Windows cert store, because the cat/inf files are signed with the GlobalSign cert, thus avoiding the interactive dialog asking the user whether this should really be installed.
- they disable code signing in the registry to get loaded properly on x64 systems.
- the driver accepts the following commands:
shell <command> --------> executes a command in the cmd shell and pipes its return buffer to the driver
file <code> -----> depending on the code, several file operations are executed and the output is sent to the driver. Operations can be file reading (even at specific offsets), attribute changing, writing to a file, directory creation and enumeration of files, as well as finding directories by name.
proxy <code> ----> depending on the code, several operations are allowed, e.g. termination of the proxy, connect to host:port and recv + forward, as well as forwarding data to a specific host
connect <host> <port> <cookie-value> ----> sends a GET request to the given host:port
exit ---> ends a backdoor operation
Attachments
password: infected
(189.64 KiB) Downloaded 139 times
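The command set listed in the post (shell / file / proxy / connect / exit) is the kind of thing you end up re-implementing when writing a decoder for captured C2 traffic or a harness to drive the sample in a lab. The following is an added example, not Hikit's own code and not from the Mandiant posts: it only encodes the verbs and argument shapes the post names. Everything else is an assumption: the real wire encoding (separators, the meaning of the numeric <code> values, the cookie format, whatever follows a file/proxy code) is not given, so the parser assumes plain whitespace-separated tokens, treats codes as opaque integers and keeps any trailing operation data as unparsed arguments. The sample session is constructed.

```python
"""Parser for the backdoor command grammar described above.

Constructed example. The post only names the verbs and their argument
shapes; separators, code meanings and the cookie format are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Command:
    verb: str
    args: List[str] = field(default_factory=list)
    # Set when the line does not match the grammar, so a decoder can flag
    # traffic that only superficially resembles a backdoor exchange.
    error: Optional[str] = None


# verb -> (min args, max args); None = unbounded.
# shell takes a free-form command line; file/proxy take a numeric code that
# may be followed by operation-specific data the post does not describe.
GRAMMAR = {
    "shell": (1, None),
    "file": (1, None),
    "proxy": (1, None),
    "connect": (3, 3),
    "exit": (0, 0),
}


def parse_command(line: str) -> Command:
    """Parse one command line into a Command, never raising on bad input."""
    tokens = line.strip().split()
    if not tokens:
        return Command("", error="empty line")
    verb, args = tokens[0].lower(), tokens[1:]   # case-insensitive verbs: assumption
    if verb not in GRAMMAR:
        return Command(verb, args, error="unknown verb")
    lo, hi = GRAMMAR[verb]
    if len(args) < lo or (hi is not None and len(args) > hi):
        return Command(verb, args, error="wrong argument count")
    if verb == "shell":
        # The whole remainder is the cmd.exe command line.
        return Command(verb, [" ".join(args)])
    if verb in ("file", "proxy"):
        if not args[0].isdigit():
            return Command(verb, args, error="code is not numeric")
        # args[0] is the opaque operation code, the rest is left as-is.
        return Command(verb, args)
    if verb == "connect":
        host, port, cookie = args
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            return Command(verb, args, error="invalid port")
        return Command(verb, [host, port, cookie])
    return Command(verb)                         # exit


def parse_session(text: str) -> List[Command]:
    """Parse a newline-separated session, skipping blank lines."""
    return [parse_command(l) for l in text.splitlines() if l.strip()]


def session_summary(cmds: List[Command]) -> dict:
    """Count verbs and malformed lines, e.g. for a quick triage report."""
    summary = {"errors": 0}
    for c in cmds:
        if c.error:
            summary["errors"] += 1
        else:
            summary[c.verb] = summary.get(c.verb, 0) + 1
    return summary


# Constructed sample session (203.0.113.0/24 is a documentation range).
SAMPLE_SESSION = """shell ipconfig /all
file 3 C:\\Windows\\Temp\\out.txt
proxy 1
connect 203.0.113.10 8080 abc123
bogus 1
connect 203.0.113.10 99999 x
exit
"""

if __name__ == "__main__":
    for c in parse_session(SAMPLE_SESSION):
        print(c)
    print(session_summary(parse_session(SAMPLE_SESSION)))
```

Malformed lines are returned with an error instead of raising, so a decoder running over a whole capture keeps going and the summary shows how much of the stream actually fit the grammar.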