A forum for reverse engineering, OS internals and malware analysis 

 #1180  by NOP
 Sat May 29, 2010 3:39 pm
I think this is Black Energy, not Rustock.
Code:
liveinterbet.info/start/auth.php
 #1182  by Alex
 Sat May 29, 2010 3:59 pm
You are right NOP it's Black Energy.
 #1189  by fatdcuk
 Sun May 30, 2010 7:56 pm
:oops: Sorry about that folks,

Looking like I'm keeping some esteemed company on that mistake, tho :lol:
 #3172  by B-boy/StyLe/
 Thu Oct 21, 2010 5:27 pm
I found the *.exe

DATEA0B.tmp.exe

http://www.virustotal.com/file-scan/rep ... 1287681669

MD5: 317dea854c1d4b8e61e7c375421b6708
2010/10/21 20:01:19.0011 Detected object count: 2
2010/10/21 20:01:31.0545 Locked file(sptd) - User select action: Skip
2010/10/21 20:01:31.0587 \HardDisk0\MBR - will be cured after reboot
2010/10/21 20:01:31.0587 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/21 20:01:37.0744 Deinitialize success
Regards,
G. ;)
Attachments
pass: malware
 #3173  by EP_X0FF
 Fri Oct 22, 2010 3:36 am
This one is not TDL. It looks like a new version of Black Energy 2.

It patches the ServiceTable pointer for every new thread to point to a rootkit-preallocated fake service table, plus a splice hook to make this work. The rootkit code is relocated to allocated pool memory. The new fake table contains a copy of the original service table with a few entries replaced by rootkit handlers. This helps it hide its user-mode thread and registry entries.

NtDeleteValueKey
NtEnumerateKey
NtEnumerateValueKey
NtOpenKey
NtOpenProcess
NtOpenThread and others (I'm too lazy to write the whole list).

Most antirootkits will not work with this rootkit; they simply die at start. You need to remove the notify routines set by the rootkit (CreateProcess, CreateThread, LoadImage) to get them to work.

Rootkit driver and data files are hidden from enumeration.

 #3176  by EP_X0FF
 Fri Oct 22, 2010 4:07 am
Black list found.
rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe mfefire.exe mfevtps.exe McSvHost.exe avp.exe egui.exe ekrn.exe spideragent.exe spidergate.exe spiderml.exe dwengine.exe cfp.exe cmdagent.exe avwebgrd.exe avmailc.exe avshadow.exe avguard.exe avfwsvc.exe avgnt.exe avgui.exe avgnsx.exe avgam.exe avgemc.exe avgfws9.exe avgwdsvc.exe AVGIDSMonitor.exe avgtray.exe avgfrw.exe avgcsrvx.exe AVGIDSAgent.exe avgrsx.exe avgchsvx.exe
edit:

Two payload DLLs can be extracted easily from svchost.exe, for example.
 #3188  by swirl
 Fri Oct 22, 2010 2:49 pm
Too bad ddos_update.py doesn't work anymore; they've changed the URL format and parameters, and probably also the encryption method :( Also, judging by the response size, they are using two separate hosts: one for the configuration and one for downloading the DoS modules.
hxxp://91.212.127.147/spm/s_alive.php?id=XXXXXXXXXXXXXX&tick=156328&ver=530&smtp=bad&sl=1&fw=0&pn=-1&psr=0
hxxp://91.212.127.147/spm/s_get_host.php?ver=530

89.149.196.37
POST /e/getcfg.php
ncnt=<hex block here>
mztja=<hex block here>
I'll have a look and see if I can update the script.
 #3196  by Fyyre
 Fri Oct 22, 2010 9:02 pm
EP_X0FF wrote: Black list found.
rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe mfefire.exe mfevtps.exe McSvHost.exe avp.exe egui.exe ekrn.exe spideragent.exe spidergate.exe spiderml.exe dwengine.exe cfp.exe cmdagent.exe avwebgrd.exe avmailc.exe avshadow.exe avguard.exe avfwsvc.exe avgnt.exe avgui.exe avgnsx.exe avgam.exe avgemc.exe avgfws9.exe avgwdsvc.exe AVGIDSMonitor.exe avgtray.exe avgfrw.exe avgcsrvx.exe AVGIDSAgent.exe avgrsx.exe avgchsvx.exe
Black list with mole tracks...