A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16014  by rkhunter
 Mon Oct 15, 2012 4:13 pm
sww wrote:
rkhunter wrote: @sww Why are you talking about Dr.Web?
'Cause you're talking about Mr. Vaber, anti-malware.ru and Kaspersky Lab. And about all those myths distributed by Dr.Web... Please read all posts again very carefully. Especially this one.

UPD: Question from Vaber to you: is it possible to infect the system's VBR using Alureon.FV?
Guys, all the info is here: http://www.kernelmode.info/forum/viewto ... =70#p15961
 #16015  by rkhunter
 Mon Oct 15, 2012 4:16 pm
kmd wrote: sst.c, as proclaimed by erikloman and inspired by dambabla, is a mysterious new MaxSS variant that "infects" an already existing VBR instead of adding a new volume like the old MaxSS did. If you take both VBRs, the old one and the one attached there, they are different. Take the MS descriptions: Trojan:DOS/Alureon.E and Trojan:DOS/Alureon.K are different.
And Trojan:DOS/Alureon.K was added Aug 07, 2012, i.e., it is new: http://www.microsoft.com/security/porta ... FAlureon.K
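The check kmd's quoted post describes, taking the old VBR and the newly attached one and seeing whether they differ, is easier to reason about field by field than as a raw byte diff: a VBR that still carries the volume's own BPB but different bootstrap code points at an in-place infection, while different volume parameters point at a different volume. The script below is an added example written for this page, not code from the thread or from any poster. It parses the fixed-layout NTFS BPB and extended BPB of two 512-byte sectors, hashes the bootstrap-code region, and classifies the difference. The two sectors it compares are constructed inside the script and are not the MaxSS/Alureon samples discussed here; the field offsets are the standard NTFS boot sector layout, and the boot-code bytes are filler, not real loader code.

```python
"""Field-by-field comparison of two 512-byte volume boot records (VBRs).

Added example for this thread. The sectors below are synthetic; the only
thing taken from a real format is the NTFS boot sector field layout.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_OFF = 84   # bootstrap code starts right after the extended BPB
SIG_OFF = 510        # 0x55 0xAA boot signature

# (name, offset, struct format) for the fixed-layout NTFS BPB / extended BPB
BPB_FIELDS = [
    ("oem_id", 3, "8s"),
    ("bytes_per_sector", 11, "<H"),
    ("sectors_per_cluster", 13, "B"),
    ("reserved_sectors", 14, "<H"),
    ("media_descriptor", 21, "B"),
    ("sectors_per_track", 24, "<H"),
    ("heads", 26, "<H"),
    ("hidden_sectors", 28, "<I"),
    ("total_sectors", 40, "<Q"),
    ("mft_cluster", 48, "<Q"),
    ("mftmirr_cluster", 56, "<Q"),
    ("clusters_per_frs", 64, "b"),
    ("clusters_per_index", 68, "b"),
    ("volume_serial", 72, "<Q"),
]


def parse_vbr(sector: bytes) -> Dict[str, object]:
    """Decode the BPB fields, hash the boot code, and check the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    fields: Dict[str, object] = {
        name: struct.unpack_from(fmt, sector, off)[0] for name, off, fmt in BPB_FIELDS
    }
    fields["jump"] = sector[0:3]
    fields["boot_code_sha256"] = hashlib.sha256(sector[BOOT_CODE_OFF:SIG_OFF]).hexdigest()
    fields["signature_ok"] = sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"
    return fields


def diff_vbrs(old: bytes, new: bytes) -> Dict[str, object]:
    """Report which BPB fields changed and whether the boot code changed."""
    a, b = parse_vbr(old), parse_vbr(new)
    changed: List[str] = [name for name, _, _ in BPB_FIELDS if a[name] != b[name]]
    return {
        "bpb_changed": changed,
        "jump_changed": a["jump"] != b["jump"],
        "boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
        "signature_ok": bool(a["signature_ok"] and b["signature_ok"]),
    }


def classify(d: Dict[str, object]) -> str:
    """Turn a diff into the question the thread asks: same volume, patched?"""
    if not d["signature_ok"]:
        return "not a valid boot sector"
    if d["bpb_changed"]:
        return "different volume parameters"
    if d["boot_code_changed"] or d["jump_changed"]:
        return "boot code replaced, BPB preserved"
    return "identical"


def build_vbr(boot_code: bytes, total_sectors: int = 204800, hidden_sectors: int = 2048) -> bytes:
    """Construct a synthetic NTFS-style VBR for the demo (not a real disk image)."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x52\x90"                      # jmp short + nop, as NTFS uses
    s[3:11] = b"NTFS    "
    struct.pack_into("<HBH", s, 11, 512, 8, 0)    # bytes/sector, sectors/cluster, reserved
    s[21] = 0xF8                                  # media descriptor: fixed disk
    struct.pack_into("<HHI", s, 24, 63, 255, hidden_sectors)
    struct.pack_into("<I", s, 36, 0x80008000)     # drive number / flags
    struct.pack_into("<QQQ", s, 40, total_sectors, total_sectors // 3, 2)
    struct.pack_into("<bxxxbxxx", s, 64, -10, 1)  # 1024-byte FRS, 1-cluster index buffer
    struct.pack_into("<Q", s, 72, 0x1234567890ABCDEF)
    code = boot_code[: SIG_OFF - BOOT_CODE_OFF]
    s[BOOT_CODE_OFF:BOOT_CODE_OFF + len(code)] = code
    s[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(s)


# Constructed samples: filler opcodes only, not any real bootkit's loader.
CLEAN_VBR = build_vbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" * 40)
PATCHED_VBR = build_vbr(b"\xfa\x31\xc0\x8e\xd8\xe8\x00\x00" * 40)
OTHER_VOLUME_VBR = build_vbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" * 40,
                             total_sectors=409600, hidden_sectors=63)

if __name__ == "__main__":
    for label, other in (("same", CLEAN_VBR), ("patched", PATCHED_VBR), ("other", OTHER_VOLUME_VBR)):
        d = diff_vbrs(CLEAN_VBR, other)
        print(f"{label:8s} {classify(d):35s} bpb_changed={d['bpb_changed']}")
```

On a real case, replace the constructed sectors with the 512 bytes read from the first sector of each partition (or the VBR dumped by the analysis tool in question); the classification rule is the same, and a BPB that is preserved while the boot code changes is exactly the "infects already existing VBR" pattern the post describes, as opposed to a whole new volume with its own parameters.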
 #16016  by EP_X0FF
 Mon Oct 15, 2012 4:22 pm
I have a possible explanation for this mess, but I would like to hear erikloman's thoughts first :) Also it would be really cool if you all stopped calling others' work "shit, crap" etc. :) Thank you :)
 #16017  by EP_X0FF
 Mon Oct 15, 2012 4:23 pm
rkhunter wrote:
sww wrote:
rkhunter wrote: @sww Why are you talking about Dr.Web?
'Cause you're talking about Mr. Vaber, anti-malware.ru and Kaspersky Lab. And about all those myths distributed by Dr.Web... Please read all posts again very carefully. Especially this one.

UPD: Question from Vaber to you: is it possible to infect the system's VBR using Alureon.FV?
Guys, all the info is here: http://www.kernelmode.info/forum/viewto ... =70#p15961
The previous MaxSS did the same. Almost byte for byte :)
 #16019  by rkhunter
 Mon Oct 15, 2012 4:37 pm
EP_X0FF wrote: The previous MaxSS did the same. Almost byte for byte :)
Can you share a link to the VBR or a VT report for this previous MaxSS version? Btw, if it's identical, why did the Alureon.K detection for it appear?
 #16021  by EP_X0FF
 Mon Oct 15, 2012 4:46 pm
rkhunter wrote: Can you share a link to the VBR or a VT report for this previous MaxSS version?
This picture from the post you linked previously demonstrates the routine responsible for I/O operations with the malicious components, including the VBR. It is equal to the one previously used by MaxSS, as are the multiple debugger checks and anti-VM. For a sample refer to my old post; it's already crypter-free, search for DeviceIoControl and IOCTL: http://www.kernelmode.info/forum/viewto ... 9031#p9031 The dropper itself has been redesigned to obfuscate the code flow, as you mentioned.
rkhunter wrote: Btw, if it's identical, why did the Alureon.K detection for it appear?
Well, you can find lots of different detections for Sinowal, for example. By itself it does not indicate anything. As I posted before, I want to hear any updates from Erik, since he started this and he can probably share more info.
kmd wrote:
EP_X0FF wrote: The previous MaxSS did the same. Almost byte for byte :)
What do you mean? Request spoilers!

Spoilers? What if I'm wrong? No spoilers :D But I see a nice picture. Really fun :D Could be wrong, however.
 #16023  by rkhunter
 Mon Oct 15, 2012 5:22 pm
EP_X0FF wrote: Well, you can find lots of different detections for Sinowal, for example. By itself it does not indicate anything. As I posted before, I want to hear any updates from Erik, since he started this and he can probably share more info.
I don't understand... a post ago you said that they are completely equal; do you mean the droppers or the malicious VBRs? Or do you mean various detections for both exactly equal boot components? :?
Btw, currently I see that we don't have 100% facts, because these new droppers won't infect the VBR.