A forum for reverse engineering, OS internals and malware analysis 

WinNT/BlackEnergy

Forum for analysis and discussion about malware.

Re: Black Energy 2.1+

 #3224  by egomoo
 Tue Oct 26, 2010 5:16 am
EP_X0FF wrote:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
!-->[Hidden] C:\WINDOWS\system32\drivers\paqkkmhplelf.sys
!-->[Hidden] C:\WINDOWS\system32\drivers\str.sys
But you need to do quick reset. That's the key :)

edit:
Beaten by GamingMaster. Yes, here it is - magic :)
the random driver will recreated while deleted by other antirootkit tool.

in my test,Safe Returner could remove the new Black Energy 2.1+ rootkit. (Use "DATEA0B.tmp.exe" sample)
Attachments
rootkit1.png
rootkit1.png (60.17 KiB) Viewed 764 times

Re: Black Energy 2.1+

 #3238  by GamingMasteR
 Wed Oct 27, 2010 8:34 am
the random driver will recreated while deleted by other antirootkit tool.
KDetective v1.3.1 can still defeat it :
- delete all suspicious notify routines
- restore hooked threads service table
- suspend the two suspicious system threads
- restore other splice hooks
- get the driver name from Kd+ -> Unloaded Drivers and delete it from system32\drivers folder
Attachments
(39.48 KiB) Downloaded 99 times

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 #3826  by spaceman
 Fri Dec 03, 2010 3:26 am
EP_X0FF wrote:Black list found.
rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe mfefire.exe mfevtps.exe McSvHost.exe avp.exe egui.exe ekrn.exe spideragent.exe spidergate.exe spiderml.exe dwengine.exe cfp.exe cmdagent.exe avwebgrd.exe avmailc.exe avshadow.exe avguard.exe avfwsvc.exe avgnt.exe avgui.exe avgnsx.exe avgam.exe avgemc.exe avgfws9.exe avgwdsvc.exe AVGIDSMonitor.exe avgtray.exe avgfrw.exe avgcsrvx.exe AVGIDSAgent.exe avgrsx.exe avgchsvx.exe
edit:

two payload dlls can be extracted easily from svchost.exe for example.
This probably belongs in the Newbie Questions forum, but how do you extract dlls from a process?

Re: Black Energy 2.1+

 #3827  by EP_X0FF
 Fri Dec 03, 2010 9:22 am
Locate memory regions marked as r/w + executable (which are not belongs to any visible in loader list dlls) and dump them to disk.

Re: Black Energy 2.1+

 #5320  by EP_X0FF
 Sat Mar 05, 2011 4:48 am
Here is some fresh BlackEnergy2 to play.
Same antirootkits blacklist still in place.
Attachments
pass: malware
(96.86 KiB) Downloaded 132 times

Re: Black Energy 2.1+

 #6283  by dphrag
 Wed May 11, 2011 7:22 am
Hi all

I am trying to identify a data structure to enum/check for the service/filename , is there any ?

thanks

Re: Black Energy 2.1+

 #6288  by EP_X0FF
 Wed May 11, 2011 2:41 pm
dphrag wrote:Hi all

I am trying to identify a data structure to enum/check for the service/filename , is there any ?

thanks
Hello,

personally I don't understand what you asking. Can you be more specific?

Re: Black Energy 2.1+

 #6289  by dphrag
 Wed May 11, 2011 3:31 pm
I am using Windbg to debug some samples. I can find the servicetable hooks and the threads . I am trying to find a way by using windbg to get the service name or the driver name

Re: Black Energy 2.1+

 #6290  by EP_X0FF
 Wed May 11, 2011 4:06 pm
dphrag wrote:I am using Windbg to debug some samples. I can find the servicetable hooks and the threads . I am trying to find a way by using windbg to get the service name or the driver name
Did you tried lm command? AFAIR this rootkit real driver filename can be retrieved through unloaded modules list.
 Return to “Malware”