A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27568  by benkow_
 Wed Jan 06, 2016 1:59 pm
chimung wrote:Does anyone get recently Dridex sample?
Sample of the day attached
https://www.virustotal.com/fr/file/dc3c ... /analysis/

<botnet>120</botnet>
<server_list>
104.131.59.185:243
1.179.170.7:4493
78.47.119.93:666
80.96.150.201:9943
</server_list>

grabbed via hXXp://37.46.130.53/jasmin/authentication.php

Just for information, they make little change in the spreading proxy stuff. /tmp/.estbuild has moved to /tmp/.kerneltmp.
They reuse always the same compromise host (like hxxp://195.37.231.2 for example)
Proxy conf example for 195.37.231.2:
Code: Select all
worker_processes                  2;

error_log                         /dev/null;
pid                               /tmp/.kerneltmp/nginx.pid;

events {
    worker_connections            4096;
#    use                           epoll;    
}

http {
    access_log			  /dev/null;
    client_max_body_size        	   200m;
    chunked_transfer_encoding off;

    server {
        listen                    4493;
	location /m348-2hdk-cb2 {
		information;
	}
        ssl on; ssl_certificate /tmp/.kerneltmp/certs/server.crt; ssl_certificate_key /tmp/.kerneltmp/certs/server.key;
        
        location / {
		proxy_pass                 http://62.76.42.222:880;
		proxy_redirect             off;
		proxy_set_header           Host             $host;
		proxy_set_header           X-Forwarded-For  $remote_addr;
		proxy_set_header           X-Real-IP        $remote_addr;
		proxy_connect_timeout      180;
		proxy_send_timeout         180;
		proxy_read_timeout         180;
		proxy_buffer_size          4k;
		proxy_buffers              4 32k;
		proxy_busy_buffers_size    64k;
		proxy_temp_file_write_size 64k;
		proxy_temp_path            /tmp/.kerneltmp/tmp/;
	}
   }
}
Attachments
infected
(109.87 KiB) Downloaded 127 times
 #27918  by tim
 Mon Feb 22, 2016 5:42 pm
benkow_ wrote:Botnet 120/121 spread new sample.
Conf obfuscation seems to have change. No more .sdata section
hXXp://91.203.5.169/jeremy/clarkson.php
hXXp://92.63.101.229/jeremy/clarkson.php
hxxp://91.223.88.50/jeremy/clarkson.php

94.73.155.11:2448
115.249.247.26:4538
87.106.101.55:4538

attached
Any idea how they are storing the config now?

Strings obfuscation is the same from what i can tell.
 #27920  by kaze0
 Tue Feb 23, 2016 9:03 am
For the stage 1, config is now stored in binary format inside .data section. The format is quite simple: IP (4bytes) followed by port(2bytes)
To locate the binary config, look for the function responsible for address extraction:
Image.
See the movzx part ? here you go.
Right before these adresses you also have the botnetid and the number of addresses inside config, also binary encoded.
 #28758  by EP_X0FF
 Thu Jun 23, 2016 2:38 pm
Just for fun, masterpiece PDF "covering" Dridex technique.

https://conference.hitb.org/hitbsecconf ... gation.pdf

Highlight of only interesting part.
Image

I don't know what quality of the rest of this "article" - I stopped reading after saw this. But I have a bad feelings for the rest too.

Specially for this "experts" I remember that Dridex was using Gootkit adapted method (which was stolen by MZh from here https://www.blackhat.com/docs/eu-15/mat ... ims-wp.pdf, and partially from sdb-explorer utility on github). Never was vulnerability never was any AppCompat whitelist. Just a documented shim and autoelevated sdbinst.
  • 1
  • 11
  • 12
  • 13
  • 14
  • 15