[EP_X0FF]

Well, you can find lots of different detections for sinowal for example. Alone itself it does not indicate anything. As I posted before I want to hear any updates from Erik, since he started this and probably he can share more info.

Don't understand...post ago you told that them completely equal, you mean droppers or malicious VBRs? Or u mean various detections for both exactly equal boot-components? :?

My post was about yours

guys all info here viewtopic.php?f=16&t=596&start=70#p15961

Most of main code, I/O routines the same, reboot routine the same (just moved into separate procedure in new dropper) - everyone can verify this, I think even delay between reboot is the same.

Btw, currently I see that we haven't 100% facts, because these new droppers won't infect VBR.

Lets start from the beginning. Under "infecting" VBR, what do you mean?

[rkhunter]

Lets start from the beginning. Under "infecting" VBR, what do you mean?

How u can confirm that this dropper [posted above with screens] infects VBR with the same malicious code as a previous version?

[EP_X0FF]

Lets start from the beginning. Under "infecting" VBR, what do you mean?

How u can confirm that this dropper [posted above with screens] infects VBR with the same malicious code as a previous version?

They key word there "infects". What does this mean to you?

- modifying existing code
- replacing existing code
- adding new code and somehow transfering control to it

what is "infecting VBR" all you talking about? :)

[kmd]

Lets start from the beginning. Under "infecting" VBR, what do you mean?

How u can confirm that this dropper [posted above with screens] infects VBR with the same malicious code as a previous version?

They key word there "infects". What does this mean to you?

- modifying existing code
- replacing existing code
- adding new code and somehow transfering control to it

what is "infecting VBR" all you talking about? :)

old maxss adds new entry to mbr+active flag, no code modification. vbr written to new hidden volume
so it not infecting anything

original tdl4 replacing mbr with it own also not "infect" in virus mean but mass media prefer to use word "infect" and "virus"

[sww]

They key word there "infects". What does this mean to you?

Dammit, i love you :lol:

Also, kmd is right about modifying mbr. I'm not analysed this one, but i trust Vaber. So, it's not an infection in a "virus" word meaning...

[0x16/7ton]

Isn't working for me on VM. Will try tomorrow on a live machine.

Isn't working for me, even on live machine. Tried Win 7 x 64. Dropper goes into a temp folder as something like A3.tmp but disappears after a reboot.

Because malware check:
-the path to filename must contain temp directory
-compares filename with black list (by calculating hashes )
-compares username with black list...
maybe it's not everything,but i think randomization in environment os help you :)

additional info:
sst_c hash alg pseudo code:

Code: Select all

int Hash_proc (len_string,string)
{
  int r = 0,temp_round=0;
  int length_string=len_string;
  for ( hash  = -1; length_string; hash = temp_round ^ (hash  >> 8) )
  {
    temp_round= string[r] ^ (hash&0xff);
    round_count= 0;
    --length_string;
    ++r;
    do
    {
      if ( temp_round & 1 )
        temp_round= (temp_round >> 1) ^ 0xEDB88320;
      else
       {
        temp_round= temp_round >> 1;
        ++round_count;
       }
    }
    while ( round_count< 8 );
  }
  return ~hash  ;
}

All hash get from unicode strings.
Some example:
hash:0xbcb2c8fe unicode_string:file.exe
hash:0xf37288c2 unicode_string:temp

[frank_boldewin]

Here are the decrypted and decompressed ressources file from SST_C.

4 AFFID
3.059 BOOT
25.088 CMD32
43.520 CMD64
6.656 DBG32
9.088 DBG64
38.912 DRV32
41.472 DRV64
6.144 LDR32
5.632 LDR64
3.817 MAIN
440 MBR
8 SUBID
12.800 TDI32
16.384 TDI64
512 VBR

enjoy!

ps: haven't seen the files TDI32 and TDI64. seems to be newly added. correct me if i'm wrong.

[kmd]

Because malware check:
-the path to filename must contain temp directory
-compares filename with black list (by calculating hashes )
-compares username with black list...
maybe it's not everything,but i think randomization in environment os help you :)

are u able to run it on your box to the infection stage? coz environment randomization was a first thing i did. still not working after your tips. additionally dropper misses manifest and %temp%+filename requirement suggest me it normally install with user rights escalation exploit from exploit kit imo.

[thisisu]

Because malware check:
-the path to filename must contain temp directory

Not sure if you were giving me a hint here but this worked for me so thanks :)

For Windows 7 x64 live added the dropper that Xylitol uploaded into %temp% ( C:\Users\<username>\AppData\Local\Temp )
Run as administrator and you should see a randomly generated .tmp file (usually 2-4 alphanumberic characters) and a file called "UAC.exe".
Keep opening UAC.exe using Run as administrator and it will spawn 2-5 more .tmp files and will eventually disappear.
Once UAC.exe disappears, SST.c should be installed.

__

Side note, UAC.exe is also generated on VM Windows XP but I guess fails to install SST.c properly.

Here is link to dropper again: http://www.kernelmode.info/forum/viewto ... 310#p15942

[EP_X0FF]

Put dropper in %temp% under any name. Then launch dropper as usual. Under admin rights of course. Then start cmd. Navigate to temp folder. Start new file with start command. Is it works for you?