A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15310  by frank_boldewin
 Wed Aug 22, 2012 8:04 pm
Details to this malware are here:

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1)
https://blog.mandiant.com/archives/3155

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2)
https://blog.mandiant.com/archives/3189

further infos can be added to the above blog informations:

- the NDIS Intermediate Driver used as backdoor is based on public source code from 2009. see ( http://code.google.com/p/passthruivi/ )

- Driver code is available from Windows NT - Win7 (x86 + x64)

- the driver add its self signed cert (GlobalSign) to the windows certstore, because the cat/inf files are signed with the GlobalSign cert, thus to avoid the user interactive dialog asking if this should really be installed.

- they disable the code signing in registry to get properly loaded on x64 systems.

- the driver accepts the following commands:

shell <command> --------> executes a command on the cmd shell and pipes its return buffer to the driver

file <code> -----> depending on the code several files operations are executed and the output is send to the driver. operations can be files reading (even at special offsets), attribute changing, writing to a file, directory creation and enumeration of files as well as finding directories by name.

proxy <code> ----> depending on the code several operations are allowing, e.g. termination of the proxy, connect to host:port and recv + forward as well as forward data to a special host

connect <host> <port> <cookie-value> ----> sends a GET request to a given host:port

exit ---> ends a backdoor operation
Attachments
password: infected
(189.64 KiB) Downloaded 139 times
 #15327  by frank_boldewin
 Thu Aug 23, 2012 4:13 pm
dumb110 wrote:Interesting! Anybody has a copy of the infected W7fw.sys and infected sethc.exe please :|
there is no infected W7fw.sys. The hikit driver IS the W7fw.sys. the different driver files (depending what windows OS gets infected) are all in the zip file attached in my first post. look in the directory: Dropped-Ressources

further the replaced sethc.exe is nothing more than a plain cmd.exe
 #15329  by dumb110
 Thu Aug 23, 2012 4:45 pm
https://www.virustotal.com/file/76efffa ... 345740007/
First seen by VirusTotal
2011-12-13 22:32:38 UTC ( 8 months, 1 week ago )

https://www.virustotal.com/file/3406cfe ... 345740193/
First seen by VirusTotal
2011-11-09 19:01:53 UTC ( 9 months, 2 weeks ago )

https://www.virustotal.com/file/565da8f ... 345740219/
First seen by VirusTotal
2012-08-23 07:06:50 UTC ( 9 hours, 38 minutes ago )

https://www.virustotal.com/file/8a830c4 ... 345740120/
First seen by VirusTotal
2009-04-22 16:59:20 UTC ( 3 years, 4 months ago )

This is epic! :lol:
 #15362  by djnemo
 Sun Aug 26, 2012 8:55 pm
when i was reading analysis of hikit i didnt understand one thing , hikit add cert with certmgr.exe to system
Code: Select all
certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root
certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher
as far as i know only this two command and some registry change will not stop driver signing protection, there is some Authenticode needed to be used !
How hikit deal with Microsoft Authenticode ?

thanks