A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15997  by rkhunter
 Mon Oct 15, 2012 10:52 am
rough_spear wrote:Hi All, :D

Necurs rootkit aka Bubik/Bubnix.

Dropper -

...
rough_spear.
Oh, no...Bublik it's not Bubnix or Necurs, it's an absolutely different malware.
 #15998  by rough_spear
 Mon Oct 15, 2012 11:15 am
rkhunter wrote:
rough_spear wrote:Hi All, :D

Necurs rootkit aka Bubik/Bubnix.

Dropper -

...
rough_spear.
Oh, no...Bublik it's not Bubnix or Necurs, it's an absolutely different malware.
But this malware puts it's driver in Boot Bus Extender driver group.BTW which malware is this?
 #15999  by rkhunter
 Mon Oct 15, 2012 11:32 am
rough_spear wrote:
rkhunter wrote:
rough_spear wrote:Hi All, :D

Necurs rootkit aka Bubik/Bubnix.

Dropper -

...
rough_spear.
Oh, no...Bublik it's not Bubnix or Necurs, it's an absolutely different malware.
But this malware puts it's driver in Boot Bus Extender driver group.BTW which malware is this?
...it's Necurs, but not a Bublik. And btw, why you think that Necurs is a Bubnix?
 #16000  by EP_X0FF
 Mon Oct 15, 2012 11:39 am
Bublik is a data stealing trojan, Bubnix is usually Rustock (however this is generic name describing different families of malware that uses drivers to block/prevent removal) and Necurs is not rootkit but driver agent - part of FakeAV "self-protection". Posts moved.
 #16030  by rough_spear
 Mon Oct 15, 2012 8:36 pm
EP_X0FF wrote:Bublik is a data stealing trojan, Bubnix is usually Rustock (however this is generic name describing different families of malware that uses drivers to block/prevent removal) and Necurs is not rootkit but driver agent - part of FakeAV "self-protection". Posts moved.
Thanks EP_X0FF,
That's really perfect explanation.
 #16171  by Cody Johnston
 Fri Oct 19, 2012 8:04 pm
Fresh Sample. One Change:

Drops <random> exe in %userprofile% (reg entries point to it - located in Necurs.log)

Included GMER log of reg entries as well as dropper and sys file. Both dropper and sys file have been renamed from original, original names located in Necurs.log file.

VT 7/43 for dropper:

https://www.virustotal.com/file/607a516 ... /analysis/
Attachments
Password: infected
(83.61 KiB) Downloaded 147 times
 #17057  by RageMachine
 Thu Dec 06, 2012 9:40 pm
I found this on a system, very interesting and runs as a service on the target system. Was unable to kill the PID using all methods of force I knew (TerminateProcess, terminate threads, closing handles, WM_DEstroy, attaching debugger and then killing it) It prevents the target user from launching new devices on the system and its root dir in C:\Windows\Installer is untouchable. Defeated by removing registry key from windows repair.
* Enables driver test signing mode
* installs two drivers and makes keys under HKLM\System\CurrentControlSet****\Services\
* Has target of syshost.exe in C:\windows\installer\{ }\
* Removes Windows Update related services including bits\wuauserv
* prevents loading of new drivers and continually closes handles to its files and keys
Attachments
infected
(65.24 KiB) Downloaded 103 times
infected
(66.71 KiB) Downloaded 109 times
Last edited by RageMachine on Fri Dec 07, 2012 12:19 am, edited 3 times in total.
 #17058  by markusg
 Thu Dec 06, 2012 9:59 pm
hi
its Necurs. Try TDSS Killer, under change parameters, check all boxes and let it run, at first i would take the action step, so you can check the log from user.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 8