WinNT/Gowfi - Rootkit Banker (alias KillFiles, KillAV)

#4362 by cjbi
Sat Jan 08, 2011 3:31 pm

Stupid KillAV.
It tries to kill some antivirus.

Strings

drive (2).sys wrote:\\DosDevices\\xxx
\\Device\\xxx
\\DosDevices\\xxx
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbpsv.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbiehcef.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbieh.gmd
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\cef.gpc
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbieh.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbpdist.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\bb.gpc
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbpkm.sys
\\Device\\HarddiskVolume1\\Arquivos de programas\\Scpad\\scpIBCfg.bin
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbpsv.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Scpad\\scpMIB.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\Scpad\\scpsssh2.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\Scpad\\sshib.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\ashLogV.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\VisthUpd.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\VisthUpd.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\ashWebSv.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\aswUpdSv.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\ashUpd.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Avira\\AntiVir Desktop\\avscan.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Avira\\AntiVir Desktop\\update.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Avira\\AntiVir Desktop\\updfix.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Avira\\AntiVir Desktop\\avupgsvc.exe
\\Device\\HarddiskVolume1\\WINDOWS\\system32\\scpsssh2.dll
\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\gbpkm.sys
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\scpsssh2.inf
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\abn.gpc
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\erma.inf
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\gbieh.gmd
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\gbiehabn.dll
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\gbiehuni.dll
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\GbPluginABN.inf
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\GbPluginuni.inf
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\uni.gpc
String:%08X/n
String1:%08X/n

...

String33:%08X/n
c:\\dd\\objfre_wxp_x86\\i386\\ddr.pdb
IoDeleteSymbolicLink
RtlInitUnicodeString
IoCreateFile
IoFreeIrp
KeSetEvent
fDereferenceObject
WaitForSingleObject
fCallDriver
GetCurrentThread
KeInitializeEvent
IoAllocateIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
IoFileObjectType
ZwClose
DbgPrint
CreateSymbolicLink

VirusTotal results
http://www.virustotal.com/file-scan/rep ... 1285460267
http://www.virustotal.com/file-scan/rep ... 1282089116
http://www.virustotal.com/file-scan/rep ... 1294498825
http://www.virustotal.com/file-scan/rep ... 1280846955
http://www.virustotal.com/file-scan/rep ... 1288712133
http://www.virustotal.com/file-scan/rep ... 1294491347
http://www.virustotal.com/file-scan/rep ... 1271858091

Attachments

rootkitbanker.zip

pass: infected
(18.83 KiB) Downloaded 153 times

Username

cjbi

Posts

92

Joined

Sun Mar 14, 2010 7:16 am

Re: Rootkit Banker (alias KillFiles, KillAV, AVKill)

#6447 by cjbi
Fri May 20, 2011 8:05 pm

Aliases: Rootkit.Win64.Banker.a
Rootkit.Win32.Banker.dy

It tries to kill G-Buster Browser Defense component.

More information:
Rootkit Banker - now also to 64-bit: http://www.securelist.com/en/blog/11266 ... _to_64_bit

VirusTotal results
Rootkit.Win64.Banker.a: http://www.virustotal.com/file-scan/rep ... 1305918530
Rootkit.Win32.Banker.dy: http://www.virustotal.com/file-scan/rep ... 1305921831

Attachments

rootkitbanker64.zip

pass: malware
(114.37 KiB) Downloaded 280 times

Username

cjbi

Posts

92

Joined

Sun Mar 14, 2010 7:16 am

Re: Rootkit Banker (alias KillFiles, KillAV, AVKill)

#6522 by Vrtule
Tue May 24, 2011 8:33 pm

Hmmm, is it really a rootkit? I quickly looked to the 32bit driver and it seems that it only attempts to destroy some blacklisted products and probably to do something with hosts file. But it seems to me that the driver does not perform any hiding attempts.

Is 64-bit driver the same?

Username

Vrtule

Posts

468

Joined

Sat Mar 13, 2010 9:14 pm

Location

Czech Republic

Contact

Re: Rootkit Banker (alias KillFiles, KillAV, AVKill)

#6529 by Evilcry
Wed May 25, 2011 5:47 am

Hi,

This is not a real 'rootkit', it's more an agent driver that basically:

-> Removes G-Buster Browser Defender components
-> Updates two entries into Hosts config

x64 edition works in the sameway

Regards,
Evilcry

Username

Evilcry

Posts

135

Joined

Tue Apr 20, 2010 6:10 pm