A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18045  by EP_X0FF
 Wed Feb 06, 2013 6:05 am
unixfreaxjp wrote: This malware detected the software/programs/services below.. suspected registry token keys.
Windows Defender
wscntfy.exe
MSASCui.exe
MpCmdRun.exe
NisSrv.exe
msseces.exe
fp.exe
MsMpSvc
windefend
SharedAccess
iphlpsvc
wscsvc
mpssvc
(etc)
The reason is for deletion purposes; I found many things deleted in the registry, like:
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Setup
..\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
..\System\CurrentControlSet\Services\wscsvc
..\System\CurrentControlSet\Services\wscsvc\Enum
..\System\CurrentControlSet\Services\wscsvc\Parameters
..\System\CurrentControlSet\Services\wscsvc\Security
The explanation starts from this page http://www.kernelmode.info/forum/viewto ... &start=110 and continues down.
Posts moved.
 #18048  by EP_X0FF
 Wed Feb 06, 2013 7:04 am
unixfreaxjp wrote: Additionally:
(installed/used IDA, starting to like it...)
Just found in the .text PE section the operation to close all processes of:
MsMpSvc, windefen, SharedAccess, iphlpsvc, wscsvc, mpssvc, bfe
PoC, see .text of the unpacked binary, code: http://pastebin.com/raw.php?i=MwgAzEEZ
Comments/direction are welcome..
It attempts to disable embedded Windows security components; Sirefef has been doing this from the beginning.
I thank you, and sorry for always posting in the wrong places; thanks for your patience. I will learn the KM structure better.
No problem.
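The two posts above describe the same tampering from two sides: the binary walks a list of Windows security process and service names (wscntfy.exe, MSASCui.exe, MpCmdRun.exe, NisSrv.exe, msseces.exe, fp.exe, MsMpSvc, windefend, SharedAccess, iphlpsvc, wscsvc, mpssvc, bfe) to close them, and it deletes the SharedAccess FirewallPolicy and wscsvc registry subtrees. The following is an added detection example, not code from the thread or from the sample; it runs over constructed, Sysmon-like key=value telemetry lines (a hypothetical format) and flags the two behaviours, using only the names and key paths quoted in the posts:

```python
"""Flag host telemetry matching the ZeroAccess/Sirefef tampering described in the thread:
deletion of Windows Firewall policy / wscsvc registry keys and termination of Windows
security processes or services. The log format below is constructed for this example
(hypothetical 'EVENT key=value key="value"' lines), not any real product's output."""
import re

# Process and service names quoted in the thread, lower-cased for matching.
WATCHED_NAMES = {
    "windefend", "msmpsvc", "sharedaccess", "iphlpsvc", "wscsvc", "mpssvc", "bfe",
    "wscntfy.exe", "msascui.exe", "mpcmdrun.exe", "nissrv.exe", "msseces.exe", "fp.exe",
}

# Registry subtrees the thread reports as deleted; matched as case-insensitive prefixes,
# so every child key listed in the post (DomainProfile, StandardProfile, Setup, Enum, ...) matches.
WATCHED_KEY_PREFIXES = (
    r"system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy",
    r"system\currentcontrolset\services\sharedaccess\setup",
    r"system\currentcontrolset\services\wscsvc",
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split 'EVENT k=v k="v with spaces"' into a dict; the leading token becomes 'Event'."""
    event, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["Event"] = event
    return fields


def normalize_key(path):
    """Drop the hive prefix (HKLM\\ or \\REGISTRY\\MACHINE\\) and lower-case for prefix matching."""
    p = path.lower()
    for prefix in ("hklm\\", "\\registry\\machine\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p


def analyze(lines):
    """Return (kind, target, acting_image) tuples for every line that matches an indicator."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        if f["Event"] == "RegistryDelete":
            if normalize_key(f.get("TargetObject", "")).startswith(WATCHED_KEY_PREFIXES):
                findings.append(("firewall_policy_delete", f.get("TargetObject"), f.get("Image")))
        elif f["Event"] in ("ProcessTerminate", "ServiceStop"):
            # Services arrive as bare names, processes as full image paths; compare the basename.
            name = f.get("Target", "").rsplit("\\", 1)[-1].lower()
            if name in WATCHED_NAMES:
                findings.append(("security_component_killed", f.get("Target"), f.get("Image")))
    return findings


def summarize(findings):
    """Count findings per acting image so a single process doing both kinds of tampering stands out."""
    by_image = {}
    for kind, _target, image in findings:
        by_image.setdefault(image, {}).setdefault(kind, 0)
        by_image[image][kind] += 1
    return by_image


# Constructed sample telemetry: the dropper (named calc.exe as in the thread's attachment)
# deletes two of the listed keys and kills two listed components; the other lines are benign noise.
SAMPLE_LOG = r"""
RegistryDelete Image=C:\Users\u\AppData\Local\Temp\calc.exe TargetObject=HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
RegistryDelete Image=C:\Users\u\AppData\Local\Temp\calc.exe TargetObject=HKLM\System\CurrentControlSet\Services\wscsvc\Security
RegistryDelete Image=C:\Windows\regedit.exe TargetObject=HKCU\Software\Example\Unrelated
ProcessTerminate Image=C:\Users\u\AppData\Local\Temp\calc.exe Target="C:\Program Files\Windows Defender\MSASCui.exe"
ServiceStop Image=C:\Users\u\AppData\Local\Temp\calc.exe Target=wscsvc
ServiceStop Image=C:\Windows\System32\services.exe Target=Spooler
""".strip().splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print(summarize(analyze(SAMPLE_LOG)))
```

On the constructed input only the dropper is reported, with two key deletions and two killed components; the regedit and Spooler lines fall through. Prefix matching on the FirewallPolicy subtree is deliberate: the post lists the whole tree down to AuthorizedApplications\List, and a real deletion shows up as one event per child key.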
 #18049  by Horgh
 Wed Feb 06, 2013 12:03 pm
It brute-forces the DLLs to load, like the catch-record below...
Only ntdll.dll is "brute-forced". The packer then retrieves the other DLLs/APIs in the classic way in order to reconstruct the import table of the binary. I don't know if this packer is used on other malware; I have only seen it on ZeroAccess samples.
 #18050  by unixfreaxjp
 Wed Feb 06, 2013 12:09 pm
Just whacked a fresh new sample from the Blackhole "/closest/" version.
Landing page: h00p://3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php
Got no time to post properly, so I wrote the report in text here (pastebin).
↑The poor JS/guidance to get exploit URLs is in there for all to freely use.

This one searched for the remote DNS servers below:
194.165.17.3:53
66.85.130.234:53
and sent malformed UDP packets to so many hosts, as per the list below:
206.254.253.254:16464
190.254.253.254:16464
182.254.253.254:16464
180.254.253.254:16464
166.254.253.254:16464
135.254.253.254:16464
134.254.253.254:16464
119.254.253.254:16464
117.254.253.254:16464
115.254.253.254:16464
92.254.253.254:16464
88.254.253.254:16464
87.254.253.254:16464
71.254.253.254:16464
69.254.253.254:16464
46.150.37.29:16464
68.9.31.32:16464
69.133.27.61:16464
95.57.233.74:16464
94.210.172.145:16464
184.155.123.146:16464
194.165.17.3:123
91.242.217.247:123
75.95.95.148:16464
24.92.201.152:16464
222.254.253.254:16464
98.149.145.253:16464
66.65.129.254:16464
97.83.82.254:16464
190.190.239.72:16464
118.171.55.88:16464
14.97.157.71:16464
173.20.198.123:16464
24.186.214.38:16464
218.173.39.25:16464
116.193.142.246:16464
76.97.134.59:16464
68.204.131.69:16464
114.178.175.1:16464
118.171.44.79:16464
173.17.47.76:16464
123.143.96.27:16464
173.20.128.26:16464
90.94.246.250:16464
70.171.38.38:16464
79.136.67.28:16464
95.169.211.29:16464
87.111.189.32:16464
75.109.170.11:16464
97.89.4.235:16464
Still don't understand why ZeroAccess can have so many botnets, but I am sure we can shut this down for good.
God loves the brave! Salute KernelMode!
(attached: binary sample, calc.exe)
#MalwareMustDie!!!
Attachments
Sample: calc.exe (ZeroAccess Recycler Variant encrypted bin)
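The host list above shows one infected machine sending UDP to dozens of unrelated addresses on port 16464 within a short time, next to ordinary DNS (port 53) and NTP (port 123) traffic, which is the peer-discovery fan-out of a P2P bot. The following is an added example, not code from the thread: a fan-out detector over constructed flow records (hypothetical 'ts proto src:sport dst:dport pkts' lines, not captured traffic). Port 16464 comes from the list above; the window length and threshold are assumptions.

```python
"""Detect UDP peer-discovery fan-out of the kind shown in the thread's host list: one source
contacting many distinct destinations on the same UDP port inside a short window.
Flow records are constructed for this example; the format 'ts proto src:sport dst:dport pkts'
is hypothetical, not any collector's native output."""
from collections import defaultdict

PEER_PORT = 16464          # UDP destination port seen in the thread's host list
FANOUT_THRESHOLD = 20      # assumption: distinct peers on one dport before we call it peer discovery
WINDOW_SECONDS = 60        # assumption: sliding window length


def parse_flow(line):
    """Parse one constructed record into a dict of typed fields."""
    ts, proto, src, dst, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": float(ts), "proto": proto.lower(), "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "pkts": int(pkts)}


def max_fanout(events, window):
    """events: time-sorted [(ts, dst)]. Largest number of distinct dst inside any window-second span,
    computed with two pointers so each event is added and removed once."""
    best, lo, seen = 0, 0, defaultdict(int)
    for t, dst in events:
        seen[dst] += 1
        while t - events[lo][0] > window:      # drop events that fell out of the window
            old = events[lo][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            lo += 1
        best = max(best, len(seen))
    return best


def suspicious_sources(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Group UDP flows by (src, dport) and report pairs whose windowed fan-out reaches the threshold.
    slash8s counts distinct first octets among the destinations: a wide spread, as in the thread's
    list, is what separates peer probing from a burst to one provider's address block (heuristic)."""
    per_key = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] == "udp":
            per_key[(f["src"], f["dport"])].append((f["ts"], f["dst"]))
    hits = []
    for (src, dport), events in per_key.items():
        events.sort()
        fanout = max_fanout(events, window)
        if fanout >= threshold:
            slash8s = {dst.split(".")[0] for _, dst in events}
            hits.append({"src": src, "dport": dport, "fanout": fanout, "slash8s": len(slash8s)})
    return sorted(hits, key=lambda h: -h["fanout"])


def build_sample():
    """Constructed flows: one infected host (192.0.2.10) probes 25 peers on PEER_PORT within 25 s and
    also does normal DNS and NTP; a clean host (192.0.2.11) only talks to two resolvers, repeatedly."""
    lines = []
    for i in range(25):
        lines.append(f"{1000 + i}.0 udp 192.0.2.10:49152 {60 + i}.10.20.{i + 1}:{PEER_PORT} 1")
    lines += ["1001.5 udp 192.0.2.10:49153 192.0.2.53:53 2",
              "1002.5 udp 192.0.2.10:49154 198.51.100.7:123 1"]
    for i in range(40):
        lines.append(f"{1000 + i}.2 udp 192.0.2.11:5{i:04d} 192.0.2.{53 + i % 2}:53 2")
    return lines


if __name__ == "__main__":
    for hit in suspicious_sources(build_sample()):
        print(hit)
```

On the constructed data only the (192.0.2.10, 16464) pair is reported; the same host's DNS and NTP flows have a fan-out of one each and stay silent, as does the clean host with its two resolvers. Keying on the destination port rather than on 16464 alone means the rule still fires if a variant moves the peer port, at the cost of having to tune the threshold against legitimate high-fan-out UDP users such as recursive resolvers.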
 #18052  by EP_X0FF
 Wed Feb 06, 2013 1:48 pm
unixfreaxjp wrote: Still don't understand why ZeroAccess can have so many botnets
Because it is a P2P bot.
 #18085  by unixfreaxjp
 Thu Feb 07, 2013 2:51 pm
Hi. Fresh Blackhole "closest" version serving ZeroAccess, VT: 5/46
At IP: 178.63.214.21 (dynamic addr)
---------------------------------------------------------------------------------
ASN   | Prefix        | ASName  | CN | Domain         | ISP of an IP Address
---------------------------------------------------------------------------------
24940 | 178.63.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | JUST HOSTING
Payload URL:
WARNING! It is up and alive now, so don't click the URL below; the BHEK was "tweaked" into an open download (smile)
h00p://5jijefijdjw.mywww[.]biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php?swgvl=30%20:1n:1i:1i:33&fsc=30:33:1n:1m:1h:33:30:1o:30:1h&jvlli=1i&jqnawl=pre&obihxani=scbpntas%20
VT: https://www.virustotal.com/file/d61c8ae ... 360236062/
Just in case, I attached the sample too.
Attachments
7z archived, pwd: infected