A forum for reverse engineering, OS internals and malware analysis 

 #18745  by EP_X0FF
 Sat Mar 20, 2010 2:38 pm
Copy of the famous rootkit, kept for historical purposes. More can be found here http://www.kernelmode.info/forum/viewto ... f=16&t=630

SHA256: 9cb9d88755dc97275c343d54148a3c77e9e4a47993d77bb96049432440e4cb45
SHA1: e053da98951c66cd2f07bb2d92fdded2ef373e7b
MD5: 0206d052cfd59ef3c7770ca53b8ca43a

https://www.virustotal.com/en/file/9cb9 ... /analysis/
pass: malware
 #393  by fatdcuk
 Mon Mar 22, 2010 5:50 pm
Probably data shared in private, but I will share my 2 static sources (a 3rd is variable, as it is delivered by exploit on compromised sites).

Excluding rogues that have sold seats on their installs, I have found that the iframe$ bundle downloader has been a habitual offender for either TDL2 or TDL3 or both...

Type 1 (Cracksite/Keygen)
Code:
http://keygen.name
All roads lead to Rome with a self-extracting executable (take care, as it has been known to include Virut every so often, along with Hiloti and other friend(s)).
Hosting of the file is not too static, but it is currently pointing to, for example:
Code:
http://get.serdb01.com/keygens/norton_antivirus__trial-keygen.exe
File attached.
http://www.virustotal.com/analisis/9a6d ... 1269278326

Type 2 (driveby)...

Type 3 (P2P land)
Attached is the current bundle downloader floated on Gnutella and other dirty P2P nets appearing near you (zipped folder 2-4.5 MB in size, all the names under the sun, with 2 yellow key executables = bundle downloader).
http://www.virustotal.com/analisis/1a35 ... 1267782429
Lots of goodies in that bundle (very worth tracking ;))
Code:
http://joetracker.info/links/20100209082754.exe
http://joetracker.info/links/tb.exe
http://joetracker.info/links/cb.exe
http://joetracker.info/links/hamburgaler.exe
http://joetracker.info/links/20100204103420.exe
http://joetracker.info/links/20100218031245.exe
http://joetracker.info/links/20100228082137.exe
Enjoy!
 #394  by Meriadoc
 Mon Mar 22, 2010 7:26 pm
Hi Ade,

Yes, a good source. I've been diving into that crack/keygen site for a while, same as the associated links - always a winner.

Thanks for the links and samples :)

Regards
 #399  by EP_X0FF
 Tue Mar 23, 2010 6:38 am
Hi Ade,

Thanks for sharing.
keygen.name is providing a refined bundle each day, very well ;)
Well, actually all their "cracks" are just the same malware package.

Usually I also pick up everything recent from malc0de - but it's mostly trash and script-kiddie trojans.

Thank you for samples.

Regards.
 #530  by EP_X0FF
 Fri Apr 02, 2010 5:27 pm
Excellent Ade! :D

Extracted URLs from the TDL2 mini loader:
hxxp://findernos.org/up3/setup;
hxxp://www.increafind.org/up3/setup;
hxxp://www.zealandsecurity.com/up3/setup;
hxxp://findernos.org/up3/install01;
hxxp://www.increafind.org/up3/install01;
hxxp://www.zealandsecurity.com/up3/install01;
 #535  by STRELiTZIA
 Sat Apr 03, 2010 6:38 am
Loader strings:
UNICODE "TMP"
UNICODE "%s%s%d.tmp"
ASCII "_VOID"
UNICODE "%s%S%x.tmp"
UNICODE "\license.dat"
ASCII "94804860143697233939975370329435970097710202"
UNICODE "Azerbaijan"
UNICODE "Belarus"
UNICODE "Kazakhstan"
UNICODE "Kyrgyzstan"
UNICODE "Russia"
UNICODE "Uzbekistan"
UNICODE "Ukraine"
UNICODE "Czech Republic"
UNICODE "Poland"
UNICODE "Algeria"
UNICODE ".exe"
ASCII "ERROR . LOADER : %s nothing was executed ."
UNICODE "\AE0DD401-4FE0-4b74-8F0B-5C2CEBD36952"
UNICODE ".exe"
UNICODE ".manifest"
ASCII "<?xml version=""1.0"" encoding=""UTF-8"" standalone=""yes""?><assembly xmlns=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0""><ms_asmv2:trustInfo xmlns:ms_asmv2=""urn:schemas-microsoft-com:asm.v2""><ms_asmv2:security><ms_asmv"...
ASCII "Printers\Connections"
ASCII "affid"
ASCII "subid"
ASCII "%[^;];%[^;];"
ASCII "software\_VOID"
ASCII "subid"
ASCII "%[^;];%[^;];"
UNICODE "\knowndlls\dll.dll"
UNICODE "\\?\globalroot\systemroot\system32\msvcrt.dll"
UNICODE "\D9A2BC6E-912D-451a-B433-1D6EE914F861"
ASCII "\\?\globalroot\systemroot\system32\msvcrt.dll"
UNICODE "\knowndlls\msvcrt.dll"
ASCII "fgetc"
ASCII "ntdll.dll"
UNICODE "spooler"
ASCII ".srt"
ASCII "IsWow64Process"
ASCII "kernel32"
ASCII "2831689418-1935655697-1177238915-725345543"
ASCII "%u-%s"
ASCII "urlmon.dll"
ASCII "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
ASCII "ObtainUserAgentString"
URL:
Code:
hxxp://securityattendance.com/page/setup
Attached unpacked disassembly listing (loader.txt)
 #536  by EP_X0FF
 Sat Apr 03, 2010 6:43 am
Does anybody have a payload from this URL? The server seems to be down.
 #589  by Meriadoc
 Fri Apr 09, 2010 9:41 am
Is it YourProtector or Your Protection?

I helped someone nail the rootkit and then got them to clean up with MBAM. Apparently it stops the user from having usable internet access and from installing new software.

Edit: I can see from the attachment it is Your Protection :)

I got them to send me the log:

Malwarebytes' Anti-Malware 1.45
http://www.malwarebytes.org

Database version: 3960

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904

06/04/2010 18:04:53
mbam-log-2010-04-06 (18-04-53).txt

Scan type: Quick scan
Objects scanned: 129614
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\cleansweep.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\_VOIDdvpfdtqcsw (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.

Files Infected:
C:\cleansweep.exe\config.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\about.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\activate.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\buy.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\help.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\scan.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\settings.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\splash.mp3 (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\update.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\urp.db (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\virus.mp3 (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDqvwebeevmp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDuuforstvir.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDeaqcxspnmy.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\_VOIDbfc9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) -> Quarantined and deleted successfully.
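As an added example (not code from the thread or from Malwarebytes), a small Python parser for the log format quoted above: it turns each detection line into a record, counts detections per classification, and pulls out every object whose name carries the loader's `_VOID` prefix (the `software\_VOID` key seen in the string dump, the System32 DLLs, the Temp file). The sample log is constructed from a few lines in that format; the regexes are my reading of the log layout, not a published specification.

```python
import re
from collections import Counter
# Constructed sample in the Malwarebytes log format quoted in the thread:
# a handful of lines in that format, not the full log.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\_VOIDqvwebeevmp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\_VOIDbfc9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""
# One detection line: "<object> (<family>) -> [Bad: (..) Good: (..) ->] <action>."
ENTRY_RE = re.compile(
    r"^(?P<object>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>[^.]+)\.$"
)
# Section headers end in a bare colon; the summary block has counts after it instead.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appears in."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append(dict(m.groupdict(), section=section))
    return entries

def tdss_artifacts(entries, prefix="_VOID"):
    """Objects whose last path component carries the loader's '_VOID' naming prefix."""
    return [e["object"] for e in entries
            if e["object"].rsplit("\\", 1)[-1].startswith(prefix)]

def family_counts(entries):
    """Detections per classification (Rootkit.TDSS, Rogue.*, ...), for triage."""
    return Counter(e["family"] for e in entries)
```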