[markusg]

http://www.virustotal.com/file-scan/rep ... 1299007578

[Eric_71]

[main]
version=0.03
aid=30185
sid=0
builddate=351
rnd=1390067357
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15

[markusg]

3018502.exe
http://www.virustotal.com/file-scan/rep ... 1299097043

[nullptr]

3018502.exe is TDL4, same config as posted by Eric_71 Wed Mar 02, 2011.

[kareldjag/michk]

Hi

Interesting analysis about "oscarised rootkits":
TDL4 PART 1: http://perpetualhorizon.blogspot.com/20 ... ds-of.html

TDL4 PART 2: http://perpetualhorizon.blogspot.com/20 ... ds-of.html
Certainly a Kav fan:)

[gjf]

Certainly a Kav fan:)

Nope :)

I offer my gratitude to Michael Hale Ligh, one of the authors of the excellent Malware Analysts Cookbook

Just because I have read it I can state that this guy just trying to be a pro according to this book. All the same scenarios, all the same tools and a lot of non-systematic work because of absence of every day practice :) Anyway it is quite good practical part for above mentioned book.

I used a tool Michael wrote called tdlcopy.exe that he was kind enough to share.

That is quite interesting, because I did not find such a tool in Internet. Maybe present for the best student? ;)

[gigaz]

http://www.virustotal.com/file-scan/rep ... 1299319912

Code: Select all

[main]
version=0.03
aid=30020
sid=0
builddate=351
rnd=1614895754
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15

[markusg]

30185c.exe
http://www.virustotal.com/file-scan/rep ... 1299595629

[EP_X0FF]

30185c.exe
http://www.virustotal.com/file-scan/rep ... 1299595629

[main]
version=0.03
aid=30185
sid=0
builddate=351
rnd=299502267
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://lo4undreyk.com/;hxxps://sh01cilewk.com/;hxxps://cap01tchaa.com/;hxxps://kur1k0nona.com/;hxxps://u101mnay2k.com/
wsrv=hxxp://gnarenyawr.com/;hxxp://rinderwayr.com/;hxxp://jukdoout0.com/;hxxp://swltcho0.com/;hxxp://ranmjyuke.com/
psrv=hxxp://crj71ki813ck.com/
version=0.15

All in attach.

[Fabian Wosar]

Attached is a sample that uses an installation method that at least I haven't seen before in TDL-4. Installation works like this:

• Renames itself into %TEMP% folder using a seemingly random name.
• Imports several MSI APIs (MsiInstallProductA, MsiCloseAllHandles, MsiEnableLogA, MsiSetInternalUI) dynamically and by ordinal and drops MSI file with random name inside the %TEMP% folder.
• The dropper then sets MsiSetInternalUI to INSTALLUILEVEL_NONE to make the installation silent and calls MsiInstallProductA with the dropped package.
• The MSI package essentially installs a file called DllDropper.dll to the user's %AppData% directory and tries to register it as a COM DLL.
• In order to register it a new MSIEXEC.EXE process gets started that loads the DLL which may fool some HIPSes or tricks the user into allowing the installation.
• After DllMain ran and the rootkit was installed MSIEXEC.EXE tries to call DllRegisterService which doesn't exist. This will essentially cause the installation to fail which causes a rollback of all changes (-> DllDropper.dll gets removed).
• The dropper then removes the MSI file and deletes itself using a ShellExecute call ("cmd /c del ...").

Other than that the rookit appears to be pretty much the same. The attached package includes all dropped files as well as the TDL-4 storage and the original sample.

Detection:
http://www.virustotal.com/file-scan/rep ... 1300035988

Config:

Code: Select all

[main]
version=0.03
aid=50044
sid=0
builddate=351
rnd=436374069
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://i0m71gmak01.com/;https://0imh17agcla.com/;https://jna0-0akq8x.com/
wsrv=http://u-a-d-1come.com/;http://z0a-adotcom.com/;http://61zra71kf-a.com/
psrv=http://amazeyapcell.com/;http://8hqka--acom.com/
version=0.169
bsh=d8fd097db3162eb93fdfcace6035fd60900f921d

Last but not least: Don't use a software breakpoint on MsiInstallProductA during reversing. There is a check that checks the function's entry point for hooks and software breakpoints and will simply cause the dropper exit if one is found. Use a hardware breakpoint instead.

Have fun :).