A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16070  by thisisu
 Wed Oct 17, 2012 6:57 am
EP_X0FF wrote: Put the dropper in %temp% under any name. Then launch the dropper as usual, under admin rights of course. Then start cmd, navigate to the temp folder and start the new file with the start command. Does it work for you?
I personally did it all while in Windows Explorer. I named the dropper sst.exe. The results should be the same if you want to use the cmd prompt => start %temp%\UAC.exe. Can't confirm at the moment though. Once UAC.exe disappears (file not found) you should be infected.
 #16073  by EP_X0FF
 Wed Oct 17, 2012 7:10 am
thisisu wrote:
EP_X0FF wrote: There is a 1800000 ms delay before the system reboots.
This happened after you launched UAC.exe? I did not experience this.

By the way, I look forward to your analysis if you decide to make one :)
Nope, this is from code inside the dropper. This reboot routine and most of the *new* TDL4 is the same as MaxSS from 2011, except these two new drivers TDI32/TDI64, which are now used as cmdXX.dll helpers.
 #16075  by kmd
 Wed Oct 17, 2012 8:47 am
thisisu wrote:
0x16/7ton wrote: Because the malware checks:
- the path to the filename must contain the temp directory
Not sure if you were giving me a hint here, but this worked for me, so thanks :)

For Windows 7 x64 live, I added the dropper that Xylitol uploaded into %temp% (C:\Users\<username>\AppData\Local\Temp).
Run as administrator and you should see a randomly generated .tmp file (usually 2-4 alphanumeric characters) and a file called "UAC.exe".
Keep opening UAC.exe using Run as administrator and it will spawn 2-5 more .tmp files and will eventually disappear.
Once UAC.exe disappears, SST.c should be installed. :P

__

Side note: UAC.exe is also generated on a Windows XP VM, but I guess it fails to install SST.c properly.

Here is link to dropper again: http://www.kernelmode.info/forum/viewto ... 310#p15942
Ain't working either :?
uac.exe is indeed generated, but it is just a copy of the original dropper, and then it renames to another random file. No infection. Windows 7 en x86.
Can you try to infect a VM with it and maybe share this VM disk with us?
 #16076  by Quads
 Wed Oct 17, 2012 9:04 am
I managed to get both droppers to infect using the temp folder method on Win7 x86; the HDD works hard.

TDSSKiller finds the infection for both droppers:

21:33:51.0507 2108 ================ Scan global ===============================
21:33:51.0537 2108 [ DAB748AE0439955ED2FA22357533DDDB ] C:\Windows\system32\basesrv.dll
21:33:51.0568 2108 [ 183B4188D5D91B271613EC3EFD1B3CEF ] C:\Windows\system32\winsrv.dll
21:33:51.0585 2108 [ 183B4188D5D91B271613EC3EFD1B3CEF ] C:\Windows\system32\winsrv.dll
21:33:51.0618 2108 [ 364455805E64882844EE9ACB72522830 ] C:\Windows\system32\sxssrv.dll
21:33:51.0642 2108 [ 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 ] C:\Windows\system32\services.exe
21:33:51.0646 2108 [Global] - ok
21:33:51.0647 2108 ================ Scan MBR ==================================
21:33:51.0654 2108 [ 6459C2AE3D6C3D60202C642557CAFCEA ] \Device\Harddisk0\DR0
21:33:51.0682 2108 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
21:33:51.0683 2108 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
21:33:51.0714 2108 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
21:33:51.0714 2108 \Device\Harddisk0\DR0 - detected TDSS File System (1)
21:33:51.0714 2108 ================ Scan VBR ==================================
21:33:51.0741 2108 [ 29A30AE979D4DF5A225ABCA567A0A3DE ] \Device\Harddisk0\DR0\Partition1
21:33:51.0742 2108 \Device\Harddisk0\DR0\Partition1 - ok
21:33:51.0757 2108 [ 54AB81D26EFD81D3A0FE6053433343C1 ] \Device\Harddisk0\DR0\Partition2
21:33:51.0758 2108 \Device\Harddisk0\DR0\Partition2 - ok
21:33:51.0790 2108 [ DB1E281D729B5C96791457A14F433AC9 ] \Device\Harddisk0\DR0\Partition3
21:33:51.0792 2108 \Device\Harddisk0\DR0\Partition3 - ok
21:33:51.0792 2108 ============================================================
21:33:51.0792 2108 Scan finished
21:33:51.0792 2108 ============================================================
21:33:51.0809 2684 Detected object count: 2
21:33:51.0809 2684 Actual detected object count: 2
21:34:23.0907 2684 \Device\Harddisk0\DR0\# - copied to quarantine
21:34:23.0907 2684 \Device\Harddisk0\DR0 - copied to quarantine
21:34:23.0970 2684 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
21:34:23.0985 2684 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
21:34:24.0001 2684 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
21:34:24.0001 2684 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
21:34:24.0001 2684 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
21:34:24.0001 2684 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
21:34:24.0032 2684 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
21:34:24.0032 2684 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
21:34:24.0032 2684 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
21:34:24.0048 2684 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
21:34:24.0048 2684 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
21:34:24.0048 2684 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
21:34:24.0048 2684 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
21:34:24.0094 2684 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
21:34:24.0094 2684 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
21:34:24.0110 2684 \Device\Harddisk0\DR0\TDLFS\tdi32 - copied to quarantine
21:34:24.0110 2684 \Device\Harddisk0\DR0\TDLFS\tdi64 - copied to quarantine
21:34:24.0110 2684 \Device\Harddisk0\DR0\TDLFS\main1 - copied to quarantine
21:34:24.0126 2684 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
21:34:24.0126 2684 \Device\Harddisk0\DR0 - ok
21:34:24.0672 2684 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
21:34:24.0687 2684 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
21:34:24.0687 2684 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
21:34:24.0687 2684 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
21:34:24.0687 2684 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
21:34:24.0687 2684 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
21:34:24.0687 2684 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
21:34:24.0687 2684 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
21:34:24.0687 2684 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
21:34:24.0687 2684 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
21:34:24.0703 2684 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
21:34:24.0703 2684 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
21:34:24.0703 2684 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
21:34:24.0703 2684 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
21:34:24.0703 2684 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
21:34:24.0703 2684 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
21:34:24.0703 2684 \Device\Harddisk0\DR0\TDLFS\tdi32 - copied to quarantine
21:34:24.0718 2684 \Device\Harddisk0\DR0\TDLFS\tdi64 - copied to quarantine
21:34:24.0718 2684 \Device\Harddisk0\DR0\TDLFS\main1 - copied to quarantine
21:34:24.0718 2684 \Device\Harddisk0\DR0\TDLFS - deleted
21:34:24.0718 2684 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
21:34:32.0971 0372 Deinitialize success

Quads
 #16082  by 0x16/7ton
 Wed Oct 17, 2012 12:39 pm
Some added info about the sst_c dropper:
After the manipulation with file path and file name, it does (step by step):
- drops from its resources into the temp directory the DLLs sclient.dll (32-bit image) and sqmapi.dll (32-bit or 64-bit image)
- creates a cmd.exe process (32-bit image) with parameters like this:
"C:\Windows\System32\cmd.exe" "C:\Users\%USERNAME%\AppData\Local\Temp\sqmapi.dll" "C:\Windows\ehome""C:\Windows\ehome\Mcx2Prov.exe""C:\Users\%USERNAME%\AppData\Local\Temp\outlkupd.exe" (null)
- injects sclient.dll into the created cmd process (by CreateRemoteThread)
- in the injected DLL, it parses the command line and checks the directory of Windows Media Center [systemroot/ehome] (here using COM: CoGetObject[Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}], CoCreateInstance)
- if this directory exists, it drops the DLL sqmapi.dll into it
- launches mcx2prov.exe (that PE file imports API from sqmapi)
DLL hijacking detected :lol:. That DLL simply launches the process outlkupd.exe with the command line "(null)" and terminates the mcx2prov.exe process.
So the fastest way to bypass this madness is to launch outlkupd.exe in the temp directory with the command line "(null)"...
but next it gets to another check... :? :? :?
:lol:
OK, it uses a WMI method to grab data about the OS and detect a virtual environment :)
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
Requests:
SELECT * FROM Win32_Processor WHERE Name LIKE "%QEMU%" (http://msdn.microsoft.com/en-us/library ... 85%29.aspx)
SELECT * FROM Win32_BIOS WHERE Manufacturer LIKE "%QEMU%" (http://msdn.microsoft.com/en-us/library ... 85%29.aspx)
SELECT * FROM Win32_DiskDrive WHERE Model LIKE "%QEMU%" (http://msdn.microsoft.com/en-us/library ... 85%29.aspx)
SELECT * FROM Win32_SCSIController WHERE Manufacturer LIKE "%Xen%" (http://msdn.microsoft.com/en-us/library ... 85%29.aspx)
SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Parallels%" (http://msdn.microsoft.com/en-us/library ... 85%29.aspx)

list_checks:
  • QEMU
  • Bochs
  • Red Hat
  • Xen
  • Citrix
  • Parallels
  • Virtual HDD
  • INTLs
  • VmWare
  • Microsoft
  • Virtual HD
  • innotek
  • VBOX
In the next step it compares user accounts (also by hashes) with a black list, using the WMI class Win32_UserAccount (http://msdn.microsoft.com/en-us/library ... 85%29.aspx).
Next challenge :evil:
  • Enumerating all processes (CreateToolhelp32Snapshot), calculating the process name hash
  • Enumerating all processes (ZwQuerySystemInformation[SystemProcessInformation]), calculating the process name hash
  • Enumerating all processes by the WMI class Win32_Process (http://msdn.microsoft.com/en-us/library ... 85%29.aspx), calculating the process name hash
  • Trying to open processes in a cycle (OpenProcess), starting from the hardcoded PID 0x40; if successful, calling GetProcessImageFileNameW, getting the file name and calculating its hash. The cycle continues up to the PID limit 0x10000.
  • After all that, comparing the hashes obtained from all stages with the black list
OK, and last:
- enumerating driver names by the Win32_SystemDriver WMI class (http://msdn.microsoft.com/en-us/library ... 85%29.aspx), calculating hashes and comparing with the black list
- EnumProcessModules on the current process, GetModuleBaseNameW -> calculating module name hashes, comparing with the black list
- NtQuerySystemInformation with class SystemDebuggerInformation (detects KD)
I hate this :lol:
And also I infected my Windows 7 x64 :)
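An analyst-side audit of the anti-VM stage described in the post above, as an added example that is not code from the thread or from the dropper: it queries the same WMI classes and properties the post lists and reports which values contain one of the strings from list_checks, then inventories the account, process and driver names the other enumerations expose. The point is to see, before detonating a sample in a lab VM, exactly what this kind of check would find. The function names, the decision to apply the whole indicator list to every property (the post shows one substring per query), and the client-side matching are assumptions of this example; the hash algorithm and black list the post mentions are not known here, so only the names are reported.

```powershell
# Added example (analyst tooling), not the dropper's code and not from the thread.
# Requires Windows PowerShell 3.0+ or PowerShell 7 on Windows (Get-CimInstance).

# Strings copied from the post's list_checks.
$VmIndicators = @(
    'QEMU', 'Bochs', 'Red Hat', 'Xen', 'Citrix', 'Parallels',
    'Virtual HDD', 'INTLs', 'VmWare', 'Microsoft', 'Virtual HD', 'innotek', 'VBOX'
)

# WMI class / property pairs taken from the queries in the post.
# Assumption: every indicator is tested against every property (the post shows one per query).
$Probes = @(
    @{ Class = 'Win32_Processor';      Property = 'Name' },
    @{ Class = 'Win32_BIOS';           Property = 'Manufacturer' },
    @{ Class = 'Win32_DiskDrive';      Property = 'Model' },
    @{ Class = 'Win32_SCSIController'; Property = 'Manufacturer' },
    @{ Class = 'Win32_ComputerSystem'; Property = 'Manufacturer' }
)

function Get-VmIndicatorHits {
    # Hypothetical helper name. Returns one object per probed WMI instance with the
    # matched indicators, so the analyst can see which lab-VM fields give the VM away.
    [CmdletBinding()]
    param(
        [string[]]$Indicators = $VmIndicators,
        [hashtable[]]$ProbeList = $Probes
    )
    foreach ($probe in $ProbeList) {
        # Same "SELECT * FROM <class>" the post shows; the LIKE filter is applied here,
        # client-side, so non-matching values are listed too.
        $instances = Get-CimInstance -Query "SELECT * FROM $($probe.Class)" -ErrorAction SilentlyContinue
        foreach ($inst in $instances) {
            $value = [string]$inst.($probe.Property)
            # Case-insensitive substring test, the WQL LIKE "%str%" equivalent.
            $hit = @($Indicators | Where-Object {
                $value -and $value.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
            })
            [pscustomobject]@{
                Class     = $probe.Class
                Property  = $probe.Property
                Value     = $value
                Indicator = ($hit -join ', ')
                Flagged   = ($hit.Count -gt 0)
            }
        }
    }
}

function Get-DropperVisibleNames {
    # Hypothetical helper name. Lists what the post's other enumerations would see:
    # local accounts (Win32_UserAccount), process names (Win32_Process) and driver
    # names (Win32_SystemDriver). The black list is hashed in the sample and unknown
    # here, so the names are returned for manual review rather than matched.
    [CmdletBinding()]
    param()
    [pscustomobject]@{
        Accounts  = @(Get-CimInstance -Query 'SELECT * FROM Win32_UserAccount WHERE LocalAccount = TRUE' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
        Processes = @(Get-CimInstance -Query 'SELECT * FROM Win32_Process' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name } | Sort-Object -Unique)
        Drivers   = @(Get-CimInstance -Query 'SELECT * FROM Win32_SystemDriver' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name } | Sort-Object -Unique)
    }
}

# Usage: run on the lab VM before detonation. Rows with Flagged = True are the
# fields this anti-VM stage keys on; the name lists show which analysis tools
# and accounts are visible through the same WMI classes.
Get-VmIndicatorHits | Format-Table -AutoSize
$names = Get-DropperVisibleNames
"Local accounts: $($names.Accounts -join ', ')"
"Processes: $($names.Processes.Count), drivers: $($names.Drivers.Count) visible via WMI"
```

Note that "Microsoft" is on the post's list, so a physical Surface machine (Win32_ComputerSystem.Manufacturer is "Microsoft Corporation") would also be flagged by this check; a Flagged row is therefore evidence of what the sample would conclude, not proof that the host is virtual.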
 #16087  by EP_X0FF
 Wed Oct 17, 2012 5:23 pm
RkU Version: 5.3.722.2442, Type VX2 (VX+)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #1
==============================================
>Drivers
==============================================
0x84F1BFA9 unknown_irp_handler, size: 87 bytes
!-->[Hidden Driver] 0x84F19F38 00000226
==============================================
>Stealth
==============================================
0x84F1FA5F Page with executable code  [ ETHREAD 0x84F44A60 ] TID: 204, size: 1441 bytes
0x84F1FA1C Page with executable code  [ ETHREAD 0x859D1AB0 ] TID: 640, size: 1508 bytes
0x84F1E786 Page with executable code  [ ETHREAD 0x84F429A0 ] TID: 196, size: 2170 bytes
0x84F1C134 Page with executable code  [ ETHREAD 0x85742D48 ] TID: 220, size: 3788 bytes
0x84F1E4C8 Unknown thread object  [ ETHREAD 0x84F429A0 ] TID: 196, size: 600 bytes
0x84F1FA3B Unknown thread object  [ ETHREAD 0x84F44A60 ] TID: 204, size: 600 bytes
0x84F1FA04 Unknown thread object  [ ETHREAD 0x859D1AB0 ] TID: 640, size: 600 bytes
==============================================
>Files
==============================================
Forged MBR data found! Hidden partition is active.
==============================================
>Hooks
==============================================
atapi --> [IRP_MJ_INTERNAL_DEVICE_CONTROL], Type: Address Change 0x84F1BFA9-->84F1BFA9 [unknown_irp_handler]
==============================================
>Callbacks
==============================================
Callback with handler outside any module :: 0x84F1E79B, Type: CreateProcess
Callback with handler outside any module :: 0x84F204EC, Type: LoadImage


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
As you see, nothing new from the rootkit perspective. Notice the port driver hook. IIRC it will be invisible to most (or all) rootkit detectors because of the memory forging this rootkit implements (masking memory modifications).

So now I can shed some light on the hype that has taken place in this thread and not only there.

Overall, the sample we are all talking about (Alureon.FV) is the good old MaxSS from 2011. And this hype, started by Damballa (btw, wtf is that), is just marketing bullshit. They discovered and newly reopened an old, slightly modified rootkit. Why was it so successful? Because MaxSS and its versions, unlike its grandpa TDL4, are little known, maybe only to a narrow circle of experts. This thread perfectly confirms this: nobody even bothered to check if it is really new stuff or just modified old, even on the dropper level. As for antimalware.ru: someone who was reading this topic (I will not disclose who it was, but this member is also a member of some AV company board outside) decided to show elitist knowledge (while I don't see it) and at the same time annoy an unloved AV company. So she went to their site and posted BS in a thread about AV tests, telling about an undetectable new Alureon branch; this was reposted by kmd here and accidentally trolled people :)

For me there is nothing to discuss; this rootkit is not so interesting to talk about so much and so long. There is no such thing as TDL5 or SST.C, D, E, F etc. If Damballa thinks differently, then give us proof, not a BS article as it did. Also, 0x16/7ton did a really good job revealing all the AntiVM contents of this dropper, so we need to thank him.