A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18453  by RageMachine
 Wed Mar 06, 2013 5:54 pm
Please feel free to remove this if this is not malware, but I have been working with it and have been finding it coupled with some unstable userland malware that uses APPINIT_DLL to load on startup (Search toolbar stuff - causes pretty bad system instability including services not responding to control requests and inability to boot to normal mode). This set comes in two DLL's, the winXXprop goes into the APPINIT_DLL entry under WindowsNT\CurrentVersion\Windows and then, with that in there, will look for WinXXcert. There is no company name, no detections, and the main module only has two exports, including BZInvoke which appears to check which process is loaded and act accordingly. At BZInvoke+55 there is a function that appears to start making keys if Firefox or Chrome are present, but I just do not have the skill yet to figure out how to handle this. Mostly because this would be my first DLL, and I'm not really sure how to monitor what its doing, so i just called the DLL exports manually in OllyDBG but didn't get very far.

Feel free to move the topic if I posted this in error.
Image
Attachments
infected
(87.21 KiB) Downloaded 45 times
 #18458  by EP_X0FF
 Thu Mar 07, 2013 3:58 am
win32prop sets splicing hooks on several ntdll API's
Code: Select all
LdrLoadDll
NtTerminateProcess
NtCreateFile
NtDeleteFile
NtOpenFile
NtCreateDirectoryObject
NtOpenDirectoryObject
NtSetInformationFile
advapi32 API's
Code: Select all
RegSetValueW
RegSetValueExW
RegSetKeyValueW
RegDeleteValueW
RegDeleteKeyValueW
RegDeleteKeyW
RegDeleteKeyExW
RegDeleteKeyTransactedW
RegDeleteTreeW
Ws2_32.dll API's
Code: Select all
bind
connect
ConnectEx
listen
socket
WSAConnect
WSASocketW
WSAConnectByList
WSAConnectByNameW
WSAStartup
wininet.dll API's
Code: Select all
InternetOpenW
InternetGoOnlineW
InternetCheckConnectionW
InternetAttemptConnect
As you see, some can be used to counteract removal.
Code: Select all
void __cdecl HookAPIs()
{
  HMODULE hNtdll; 
  HANDLE hOurThread; 

  hNtdll = GetModuleHandleW(L"ntdll.dll");
  if ( hNtdll )
  {
    pNtTerminateProcess = GetProcAddress(hNtdll, "NtTerminateProcess");
    if ( pNtTerminateProcess )
    {
      sub_10004220();
      hOurThread = GetCurrentThread();
      tlocal_lock(hOurThread);
      SetHook(&pNtTerminateProcess, NtTerminateProcessHook);
      tlocal_unlock();
    }
  }
  HookAdvapi();
  HookLdrLoadDllCondition();
  hookNTDLL();
  bHooked = TRUE;
}
thread local lock procedure at @10004A70, thread unlock procedure at @10004480, HookFn primitive at @10004B30, HookCode procedure at @10004B50.

Can you attach actual dropper?
 #18477  by markusg
 Sat Mar 09, 2013 12:44 am
do you have dropper of search results dropping this dll, because not every search results toolbar having this dll i think
 #18494  by RageMachine
 Mon Mar 11, 2013 3:52 pm
markusg wrote:do you have dropper of search results dropping this dll, because not every search results toolbar having this dll i think
It is indeed part of search results toolbar, but I cannot find a dropper on any machines I have come across because typically those machines have been put in such a state its hard to find it (left on there for a very long time with an AV running - - tsk tsk). I will still search for it and when I find it I will post it. I do have the search results toolbar copies as well, its almost always accompanied by Search Results Toolbar & Datamngr, and Sendori is usually now present with this as well. I will keep hunting and post it as soon as I find one. Here is a sample that goes alongside it.
Attachments
infected
(9.07 MiB) Downloaded 41 times