A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18743  by rinn
 Thu Mar 28, 2013 12:11 pm
Hi there.
EP_X0FF wrote: Well it was soon 4 years ago.
Yes, four years ago, in the middle of 2009, the first Sirefef was found in the wild.

Timeline:

Summer 2009 - first rootkit version arrived (Sirefef.A). DiabloNova blogged about it on rootkit.com 08/09. Known as "win32k router" and "Get Accelerator". Described by MSFT in the Trojan:Win32/Sirefef.A encyclopedia entry. Initially detected by AV as Backdoor.MaxPlus, because of the specifically named device \Device\__max++>. Used a "globalroot" symbolic link just like TDL3, which arrived in the wild at the end of August 2009. Driver has the internal pdb string "kinject.pdb". Reparse points used for "kill av" purposes.
End of 2009 - Russian ransomware Digitala/GetAccelerator equipped with Sirefef.A found in the wild. Original TDL3-based malware with the z00clicker dll found in the wild.
Beginning of 2010 - B variant arrived. Reimplemented in many ways, see the Evilcry article at the beginning of this topic. Sirefef had already established a botnet. The actual name "ZeroAccess" was retrieved from a pdb string found inside the driver body.
May 2011 - Sirefef got an x64 backdoor and a big update for the B version, with a new way of storing the payload on disk and the kill-av module as a separate driver, meaning it was in beta stage. z00clicker now used by Sirefef and updated to V2.
Later, in summer 2011, Sirefef incorporated the killav plugin into the main driver. A ZeroAccess plugin targeting TDL4 and TDL3 clones was found in the wild. Later the same year they removed the killav feature.
May - summer 2012 - Sirefef removed the rootkit component and pushed a few new variants, described here on this forum in topic http://www.kernelmode.info/forum/viewto ... =16&t=1713; p2p protocol updated to V2, z00clicker now V3.

Something like that. Would be cool if you could add or correct anything, and see a TDSS timeline too :)

Best Regards,
-rin
 #18744  by EP_X0FF
 Thu Mar 28, 2013 12:23 pm
rinn wrote: Summer 2009 - first rootkit version arrived (Sirefef.A). DiabloNova blogged about it on rootkit.com 08/09. Known as "win32k router" and "Get Accelerator".
I got the sample from a_d_13 :) Everybody at that time was so busy with the fcuking TDL2+ anti-removal methods that Sirefef was unnoticed for some time. And as you said, TDL3 started its loading from September 2009.
rinn wrote: Would be cool if you can add or correct anything and see TDSS timeline too
This can take a lot of time, remembering so many things :)
 #19346  by EP_X0FF
 Mon May 20, 2013 3:38 pm
Rootkit version also moved to the new dropper.

Source hxxp://videos.wu.cz/dl/Play_Video1043_Now.exe
Code:
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 19 May 2013 03:06:20 GMT
ETag: "607e01c9-3ea00-4dd09801861db"
Accept-Ranges: bytes
Content-Length: 256512
Content-Type: application/x-msdos-program
Connection: close
Dropper, example of infected file, rootkit driver, x64 backdoor, bootstrap lists and two decrypted dropper stages in the attachment.

https://www.virustotal.com/en/file/ce26 ... /analysis/
https://www.virustotal.com/en/file/f26c ... /analysis/
https://www.virustotal.com/en/file/114f ... /analysis/
https://www.virustotal.com/en/file/1830 ... /analysis/
Attachments
pass: infected
(603.17 KiB)
example of infected driver, pass: infected
(93.22 KiB)
 #19577  by thisisu
 Sat Jun 08, 2013 10:36 pm
Not sure what this one is yet. Pulled off a laptop that only came in for LCD repair :) VT results suggest it is Sirefef, so I added it here for now.

MD5: 404b41370c88a06375ff7263bccdc3b8
https://www.virustotal.com/en/file/f189 ... 370730455/

Was trying to analyze it myself but am getting stuck at 00232DC3 -- "Don't know how to step command at address 00232DC3. Try to run, change EIP or pass exception to program". Fill with NOPs? hehe
Attachments
pass: infected
(380.66 KiB)
 #19584  by reverser
 Sun Jun 09, 2013 9:08 pm
thisisu wrote: Not sure what this one is yet. Pulled off a laptop that only came in for LCD repair :) VT results suggest it is Sirefef so added it here for now.

MD5: 404b41370c88a06375ff7263bccdc3b8
https://www.virustotal.com/en/file/f189 ... 370730455/
Decrypted payload (1st stage?) attached. Inside it has a .CAB with 32.dll (TrojanDropper:Win32/Sirefef.B) and fp.exe (signed Flash Player installer).
Attachments
infected
(156.89 KiB)
 #19594  by EP_X0FF
 Mon Jun 10, 2013 3:05 pm
thisisu wrote: Not sure what this one is yet. Pulled off a laptop that only came in for LCD repair :) VT results suggest it is Sirefef so added it here for now.

MD5: 404b41370c88a06375ff7263bccdc3b8
https://www.virustotal.com/en/file/f189 ... 370730455/

Was trying to analyze myself but am getting stuck at 00232DC3 -- "Don't know how to step command at address 00232DC3. Try to run, change EIP or pass exception to program". Fill with NOPs? hehe
This seems to be an artefact left over after Sirefef installation. This dll was intended to run inside, I assume, explorer.exe and requires some mutex to have been created before by the original dropper.
reverser's post contains the final stage payload dropper with the payload dll in the cab.

1) Change the original dropper's (let's call it drpA) PE characteristics -> remove the "dll" flag. This will make your reversing easier.
2) After this, load drpA into Olly (or whatever else can set breakpoints and change EIP).
3) Set breakpoints on NtFreeVirtualMemory and NtAllocateVirtualMemory. Sirefef will decrypt the 2nd stage dropper (let's call it drpB) into a newly allocated region and further transfer control to it.
4) Once you are at the breakpoint, inspect the virtual memory of the debugged process -> dump the memory region with the decrypted drpB. It is simple to notice - it will be big and at a dedicated address, which you can inspect from the NtAllocateVirtualMemory breakpoint.
5) Unload drpA from the debugger - you don't need it anymore. Load the dumped drpB instead. The final stage payload dropper (let's call it drpC) is inside the .data section of drpB and it is encrypted.
6) Now we need to force Sirefef to decrypt drpC. Before decryption, Sirefef checks if it is running inside a virtual environment. If we are using public VMs we need to disable the antiVM to continue.

VMWare antiVM.
Code:
.00402DE9: 6A0C                           push        00C
.00402DEB: 6800F04200                     push        00042F000 --↓1
.00402DF0: E843000000                     call       .000402E38 --↓2
.00402DF5: 8365FC00                       and         d,[ebp][-4],0
.00402DF9: 53                             push        ebx
.00402DFA: B868584D56                     mov         eax,0564D5868 ;'VMXh'
.00402DFF: BB65D48586                     mov         ebx,08685D465 ;'
.00402E04: B90A000000                     mov         ecx,00000000A
.00402E09: 66BA5856                       mov         dx,05658 ;'VX'
.00402E0D: ED                             in          eax,dx
.00402E0E: 895DE4                         mov         [ebp][-01C],ebx
.00402E11: 5B                             pop         ebx
.00402E12: 834DFCFF                       or          d,[ebp][-4],-1 ;' '
.00402E16: 33C0                           xor         eax,eax
.00402E18: 817DE468584D56                 cmp         d,[ebp][-01C],0564D5868 ;
.00402E1F: 0F94C0                         setz        al
.00402E22: EB0D                           jmps       .000402E31 --↓3
.00402E24: 33C0                           xor         eax,eax
.00402E26: 40                             inc         eax
.00402E27: C3                             retn
VirtualPC antiVM
Code:
.00402D9F: 8B65E8                         mov         esp,[ebp][-018]
.00402DA2: 834DFCFF                       or          d,[ebp][-4],-1 
.00402DA6: 32C0                           xor         al,al
.00402DA8: E8C6000000                     call       .000402E73 --↓1
.00402DAD: C3                             retn
.00402DAE: 6A08                           push        8
.00402DB0: 6810F04200                     push        00042F010 --↓2
.00402DB5: E87E000000                     call       .000402E38 --↓3
.00402DBA: 8365FC00                       and         d,[ebp][-4],0
.00402DBE: B801000000                     mov         eax,1
.00402DC3: 0F3F                           #UD
.00402DC5: 07                             pop         es
.00402DC6: 0BC7                           or          eax,edi
.00402DC8: 45                             inc         ebp
.00402DC9: FC                             cld
.00402DCA: FFFF                           #UD
.00402DCC: FFFF                           #UD
.00402DCE: 834DFCFF                       or          d,[ebp][-4],-1 ;' '
.00402DD2: B001                           mov         al,1
.00402DD4: EB0D                           jmps       .000402DE3 --↓4
.00402DD6: 33C0                           xor         eax,eax
.00402DD8: 40                             inc         eax
Code:
.00402D78: 6A08                           push        8
.00402D7A: 6820F04200                     push        00042F020 --↓1
.00402D7F: E8B4000000                     call       .000402E38 --↓2
.00402D84: 8365FC00                       and         d,[ebp][-4],0
.00402D88: 0FB8                           #UD
.00402D8A: 0100                           add         [eax],eax
.00402D8C: C745FCFFFFFFFF                 mov         d,[ebp][-4],-1 ;'    '
.00402D93: 834DFCFF                       or          d,[ebp][-4],-1 ;' '
.00402D97: B001                           mov         al,1
.00402D99: EB0D                           jmps       .000402DA8 --↓3
.00402D9B: 33C0                           xor         eax,eax
.00402D9D: 40                             inc         eax
.00402D9E: C3                             retn 
.00402D9F: 8B65E8                         mov         esp,[ebp][-018]
.00402DA2: 834DFCFF                       or          d,[ebp][-4],-1 ;' '
.00402DA6: 32C0                           xor         al,al
.00402DA8: E8C6000000                     call       .000402E73 --↓4
.00402DAD: C3                             retn
If a VM is detected, the dropper quits.
So patch all "jnz" with nops, or run over these instructions. Done - AntiVM bypassed.
Code:
.text:00402530                 mov     [ebp+var_18], esp
.text:00402533                 call    AntiVM1 ;VMX
.text:00402538                 test    al, al
.text:0040253A                 jnz     proc_exit
.text:00402540                 call    AntiVM2 ;VPC and ->
.text:00402545                 test    al, al
.text:00402547                 jnz     proc_exit
.text:0040254D                 call    AntiVM3
.text:00402552                 test    al, al
.text:00402554                 jnz     proc_exit
7) Now Sirefef checks the command line, extracts tokens from it, etc.; we don't need to know what it is and why. Just follow the control flow.
Make sure the machine wasn't already marked by Sirefef (for example during previous runs with the debugger).
Code:
#include <windows.h>
#include <shlwapi.h>   /* SHGetValueA */

/* Decompiled infection-marker check. Returns 1 only if HKCU\Software\Microsoft
   holds a REG_DWORD value named "bhghfmljekyiaiiglvwiohfyuywprpci" equal to 1,
   i.e. the machine was already processed; a missing value, a wrong type or
   size, or a different value all give 0. */
signed int __cdecl SfCheckInfectionMarker()
{
  signed int result; 
  DWORD pdwType;   /* receives the value type; 4 == REG_DWORD */
  int pvData;      /* receives the value data */
  DWORD pcbData;   /* in: buffer size, out: bytes actually stored */

  pvData = 0;
  pcbData = 4;
  if ( SHGetValueA(            /* non-zero return means the value is absent or unreadable */
         HKEY_CURRENT_USER,
         "Software\\Microsoft",
         "bhghfmljekyiaiiglvwiohfyuywprpci",
         &pdwType,
         &pvData,
         &pcbData)
    || pdwType != 4
    || pcbData != 4
    || (result = 1, pvData != 1) )
    result = 0;
  return result;
}
Check for the presence of this key and remove it if it exists. Or patch this call, whatever.

8) The procedure that decrypts drpC is at @00402147. It also sets the infection marker.

Encryption algo used to encrypt drpC:
Code:
  /* Decompiled decryption loop. dword_406000 is the start of the encrypted
     drpC image in the .data section; it is XORed in place with 0x7008A8F2,
     dropping to the 16-bit (0xA8F2) and 8-bit (0xF2) key when fewer than
     4 bytes remain. v1 is the byte offset (assumed to be 0 on entry, as the
     loop condition implies), v2 the number of bytes remaining. */
  v2 = 167424;
  do
  {
    if ( v2 <= 3 )
    {
      if ( v2 <= 1 )
      {
        *((_BYTE *)&dword_406000 + v1++) ^= 0xF2u;   /* final lone byte */
        --v2;
      }
      else
      {
        *(_WORD *)((char *)&dword_406000 + v1) ^= 0xA8F2u;   /* 2 or 3 bytes left */
        v1 += 2;
        v2 -= 2;
      }
    }
    else
    {
      *(int *)((char *)&dword_406000 + v1) ^= 0x7008A8F2u;   /* 4 or more bytes left */
      v1 += 4;
      v2 -= 4;
    }
  }
  while ( v1 < 167424 );
Primitive, as you see, with a fixed payload size.

So your goal: after bypassing all checks, enter this procedure, wait until it decrypts the data and dump it. That is all. Of course you can speed up this process a bit by starting execution directly from this decryption routine, or by implementing the decryptor yourself and using it over a .data section dump.

9) Once everything is dumped and decrypted - extract the CAB file from drpC and unpack it using any archiver. 32.dll is the payload and it is additionally encrypted.
https://www.virustotal.com/en/file/fd55 ... /analysis/

To unpack it, patch the PE characteristics of this dll like before with the dropper (optional, only to make life easier). Set breakpoints on NtAllocateVirtualMemory and NtFreeVirtualMemory and just trace a little. When it tries to free a region with "XPXACXK", look at the process memory map and dump the RW-marked region with multiple PE files inside. It will be 140 KB in size and will include the 32/64-bit dlls and the rootkit driver (classic package).

Short dump of strings from it (notice the ZeroAccess rootkit presence check):
Code:
\BaseNamedObjects\{81D05F9A-5343-439f-ACAB-E7822E4416F9}
\??\ACPI#PNP0303#2&da1a3ff&0
\??\%08x
sfc_os.dll
winlogon.exe
\registry\MACHINE\SYSTEM\CurrentControlSet\services\%S
sys
Start
\registry\MACHINE\SYSTEM\CurrentControlSet\services\%s
Type
ImagePath
\*
\registry\MACHINE\SYSTEM\Setup\Pid
eaoimnqazwsxedcrfvtgbyhnujmikolp
\systemroot\system32\drivers\
classpnp.sys
win32k.sys
%S
\.%S
\??\%08x\L\12345678
%x
\systemroot\$NtUninstallKB%u$
\systemroot\system
c:\windows\system32\config
\systemroot\system32\config
%u
:SummaryInformation
U
\??\%08x\cfg.ini
\??\%08x\@
\systemroot\system32\consrv.dll
\systemroot\system32\svchost.exe
\systemroot\assembly
temp
GAC_32
GAC_64
\systemroot\assembly\temp\U
\systemroot\assembly\temp\cfg.ini
\systemroot\assembly\temp\@
\systemroot
%wZ\Software\%08x
qid
explorer.exe
\registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
\registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
\registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}
ConServerDllInitialization
consrv
\registry\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
\BaseNamedObjects\{81D05F9A-5343-439f-ACAB-E7822E4416F9}
\systemroot\system64
c:\users
\systemroot\system32
\registry\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
AcceptEx
\\.\globalroot\systemroot\system32\mswsock.dll
ConServerDllInitialization
winsrv
netsvcs
svchost.exe
LibraryPath
ProviderId
mswsock.dll
PackedCatalogItem
mswsock.dll
Num_Catalog_Entries
Catalog_Entries\%012u
Catalog_Entries64\%012u
Current_Protocol_Catalog
Current_NameSpace_Catalog
\registry\MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
\systemroot\assembly\GAC_32\Desktop.ini
\KnownDlls32\mswsock.dll
\KnownDlls\mswsock.dll
\systemroot\assembly
GAC_MSIL
GAC
GAC_32
GAC_64
NP
\systemroot\assembly\GAC_64\Desktop.ini

Rootkit driver contains a TDL-style config:
Code:
[main]
aid=30344
sid=0
version=0.03
and a quote from Wikipedia.
https://www.virustotal.com/en/file/532f ... 370878385/

Funny string from one of the dlls:
Code:
e:\sz\x64\release\InCSRSS.pdb
HTH
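As an added example (not code from this thread, and not Sirefef's own code), the following Python re-implements the drpC XOR loop from the decompiled listing above so it can be run over a dumped .data section instead of single-stepping the dropper, extracts the UTF-16LE strings the kind of dump shown above is built from, and scans a buffer for the byte sequence of the VMware backdoor probe (mov eax,'VMXh' followed by in eax,dx) shown in the VMWare antiVM listing. The key 0x7008A8F2 and the opcode bytes come from the listings in this post; the sample buffer, the GUID inside it, the helper names and the 32-byte search window are constructed/assumed, and the decryptor is generalised to any buffer length where the original hard-codes 167424 bytes.

```python
import re
import struct

# Key material as it appears in the decompiled loop: one 32-bit key, applied as
# dword / word / byte XOR depending on how many bytes remain.
KEY_DWORD = 0x7008A8F2
KEY_WORD = KEY_DWORD & 0xFFFF   # 0xA8F2, used when 2 or 3 bytes remain
KEY_BYTE = KEY_DWORD & 0xFF     # 0xF2, used for a final lone byte


def sirefef_xor(buf: bytes) -> bytes:
    """Walk the buffer exactly like the decompiled routine (generalised to any
    length). XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray(buf)
    pos, remaining = 0, len(out)
    while pos < len(out):
        if remaining <= 3:
            if remaining <= 1:                      # last byte: 8-bit key
                out[pos] ^= KEY_BYTE
                pos, remaining = pos + 1, remaining - 1
            else:                                   # 2 or 3 left: 16-bit key
                w = struct.unpack_from("<H", out, pos)[0] ^ KEY_WORD
                struct.pack_into("<H", out, pos, w)
                pos, remaining = pos + 2, remaining - 2
        else:                                       # 4 or more left: 32-bit key
            d = struct.unpack_from("<I", out, pos)[0] ^ KEY_DWORD
            struct.pack_into("<I", out, pos, d)
            pos, remaining = pos + 4, remaining - 4
    return bytes(out)


def wide_strings(buf: bytes, min_len: int = 6) -> list:
    """Printable UTF-16LE strings of at least min_len characters."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(buf)]


# Encoding of "mov eax,0564D5868 ('VMXh')" and "in eax,dx" from the VMware listing.
VMXH_MOV = bytes.fromhex("B868584D56")
IN_EAX_DX = b"\xED"


def find_vmware_backdoor(buf: bytes, window: int = 32) -> list:
    """Offsets of 'mov eax,VMXh' followed by 'in eax,dx' within `window` bytes,
    i.e. the VMware backdoor port probe. Useful as a triage signature."""
    hits, start = [], 0
    while True:
        idx = buf.find(VMXH_MOV, start)
        if idx == -1:
            return hits
        if IN_EAX_DX in buf[idx + len(VMXH_MOV): idx + window]:
            hits.append(idx)
        start = idx + 1


# Constructed stand-in for a dumped .data section: a PE-ish header, one wide
# string and a 5-byte tail so the word and byte key paths are both exercised.
SAMPLE_PLAIN = (
    b"MZ" + b"\x00" * 6
    + "\\BaseNamedObjects\\{CONSTRUCTED-GUID}".encode("utf-16-le")
    + b"\x00\x00" + b"\x01\x02\x03\x04\x05"
)
# Bytes copied from the VMware antiVM listing (mov eax,'VMXh' ... in eax,dx),
# padded with NOPs and a RET to stand in for surrounding code.
ANTIVM_STUB = bytes.fromhex("B868584D56" "BB65D48586" "B90A000000" "66BA5856" "ED")
ANTIVM_SAMPLE = b"\x90" * 16 + ANTIVM_STUB + b"\xC3"


def demo() -> dict:
    encrypted = sirefef_xor(SAMPLE_PLAIN)   # what the .data dump looks like
    decrypted = sirefef_xor(encrypted)      # what the dropper produces in memory
    return {
        "roundtrip_ok": decrypted == SAMPLE_PLAIN,
        "strings": wide_strings(decrypted),
        "vmxh_hits": find_vmware_backdoor(ANTIVM_SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```

Run it against a real dump by replacing SAMPLE_PLAIN with the bytes of the region dumped at step 5; because the loop is self-inverse, one call both decrypts drpC and, as the listing notes, keys the tail on the remaining length rather than the offset, which is why a truncated dump decrypts correctly except for its last one to three bytes.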
 #19879  by EP_X0FF
 Sun Jun 30, 2013 7:07 am
Win32:Virut wrote: Hi,

probably Sirefef, I can't run and check it now.

https://www.virustotal.com/pl/file/1608 ... 372444235/

Link: _hxxp://videos.e-blog.cz/videoplayer/2/Play_Movie_Now.exe
This is Sirefef with the rootkit on board. The Sirefef driver has the most sophisticated malware driver obfuscator seen itw to date (well, maybe excluding the old private Rustock).

Attached archive includes:

sirefef_dropper.unp -> unpacked Sirefef dropper from the final stage (1st stage -> selfdebug -> 2nd stage -> aplib -> final stage). Inside it contains a cabinet file with all the payload.
https://www.virustotal.com/en/file/5ae9 ... 372575816/

_32 -> Sirefef bootstrap list for win32 botnet
https://www.virustotal.com/en/file/0918 ... 372575780/

_64 -> Sirefef bootstrap list for win64 botnet
https://www.virustotal.com/en/file/4c71 ... 372575779/

rtk32 -> win32 rootkit
https://www.virustotal.com/en/file/21cf ... /analysis/

rkt32.deobf -> deobfuscated, ready-to-reverse win32 rootkit (note: inside the driver are 2 additional dlls it uses for injection purposes). Hasn't changed since Aug 2012.
https://www.virustotal.com/en/file/9b6a ... 372575807/

rtk64 -> win64 backdoor (unchanged for a year)
https://www.virustotal.com/en/file/7b05 ... /analysis/

sirefef_1.dll -> 1st dll from rkt32.deobf
https://www.virustotal.com/en/file/f583 ... 372575809/

sirefef_2.dll -> 2nd dll from rkt32.deobf
https://www.virustotal.com/en/file/3349 ... /analysis/

Posts moved.
Attachments
pass: infected
(284.17 KiB)