A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2629  by CloneRanger
 Fri Sep 03, 2010 6:17 pm
Originally Posted by Buster_BSA

I doubt SysInspector can be considered as a rootkit detector.
No, but it's still quite a useful tool :)
 #2637  by Fabian Wosar
 Sat Sep 04, 2010 1:27 pm
Ade's dropper's config:
Code:
[main]
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=7452027a-de3a-4030-8cf2-b802b4661a92
affid=40694
subid=0
installdate=4.9.2010 13:25:17
builddate=3.9.2010 14:0:52
rnd=823518204
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://nichtadden.in/;https://91.212.226.67/;https://li1i16b0.com/;https://zz87jhfda88.com/;https://n16fa53.com/;https://01n02n4cx00.cc/;https://lj1i16b0.com/
wspservers=http://zl00zxcv1.com/;http://zloozxcv1.com/;http://71ha6dl01.com/;http://axjau710h.com/;http://rf9akjgh716zzl.com/;http://dsg1tsga64aa17.com/;http://l1i1e3e3oo8as0.com/;http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/
popupservers=http://clkh71yhks66.com/
version=3.941
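An added example (not code from the thread or from the malware itself) that parses a dropper config in the INI-style layout posted above and pulls out the triage fields: bot and affiliate ids, build/version strings, the injector target, and the hostnames from the three semicolon-separated server lists. The embedded sample is constructed in that layout; its botid, domains and IP are placeholders, not real indicators.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample in the same layout as the posted config; the botid and
# every domain/IP here are placeholders, not real indicators.
SAMPLE_CONFIG = """[main]
version=3.273
quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
botid=00000000-0000-0000-0000-000000000000
affid=40694
builddate=3.9.2010 14:0:52
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://c2-one.invalid/;https://192.0.2.10/;https://c2-two.invalid/
wspservers=http://wsp-one.invalid/;http://wsp-two.invalid/
popupservers=http://popup.invalid/
version=3.941
"""

SERVER_KEYS = ("servers", "wspservers", "popupservers")

def parse_config(text):
    # interpolation off: values are raw strings; inline-comment handling stays
    # at its default (off), since the URL lists use ';' as a separator.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case and the literal "*" injector key
    cp.read_string(text)
    return cp

def extract_hosts(cp):
    """Return {role: [host, ...]} from the ';'-separated URL lists."""
    hosts = {}
    for key in SERVER_KEYS:
        raw = cp.get("tdlcmd", key, fallback="")
        hosts[key] = [urlsplit(u).hostname for u in raw.split(";") if u.strip()]
    return hosts

def triage(text):
    cp = parse_config(text)
    return {
        "botid": cp.get("main", "botid", fallback=None),
        "affid": cp.get("main", "affid", fallback=None),
        "builddate": cp.get("main", "builddate", fallback=None),
        "dropper_version": cp.get("main", "version", fallback=None),
        "payload_version": cp.get("tdlcmd", "version", fallback=None),
        "inject_into": dict(cp.items("injector")) if cp.has_section("injector") else {},
        "hosts": extract_hosts(cp),
    }
```

Feed `triage()` the decoded config text of a sample and the `hosts` entry gives a blocklist-ready host set per role without hand-splitting the lists.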
 #2641  by EP_X0FF
 Sun Sep 05, 2010 2:59 am
Does this bootkit work normally on x32, anybody? It renders x64 Windows XP to death BTW.
 #2642  by t4L
 Sun Sep 05, 2010 6:04 am
Seems strange, but in all samples I got from my sources and in this topic there is nothing related to x64 infection when unpacked? I haven't had a chance to test it on real x64, so I doubt it infects the MBR in the dropped driver. But if so, it's nothing like the ESET analysis, which states that "after infecting MBR, it exits with ExitWindowsEx()", i.e. it infects the MBR from usermode.

Can anyone confirm this TDLx64 works like this: patch winload before it reaches OslArchTransferToKernel, then patch uncompressed Bootmgr?
 #2644  by EP_X0FF
 Sun Sep 05, 2010 6:54 am
Yes it infects.
Code:
    x64 = IsWindows64();
    if ( x64 )
    {
      // x64 path: drop the components from user mode via WriteData()
      hInst = (int)GetModuleHandleA(0);
      result = WriteData(
             hInst,
             v6,
             Filenames[0],
             Filenames[1],
             Filenames[2],
             Filenames[3],
             Filenames[4],
             Filenames[5],
             Filenames[6],
             Filenames[7]);
      SetSelfDeletePending(0);
      if ( result )
      {
        // acquire SeShutdownPrivilege, then force a reboot
        if ( NT_SUCCESS(RtlAdjustPrivilege(SE_SHUTDOWN_PRIVILEGE, TRUE, FALSE, &bPrev)) )
          ExitWindowsEx(0x12u, 0);   // EWX_REBOOT | EWX_FORCEIFHUNG
      }
      ExitProcess(0);
    }
    else
    {
      /*
      x86 mode
      spooler based injection and infection for x86
      */
    }
MBR -> ldr16 hooks int 13h, determines the type of operating system and then goes to ldr32/ldr64; IoCreateDriver for the main code (stored inside drv32/drv64).