A forum for reverse engineering, OS internals and malware analysis 

 #8873  by EP_X0FF
 Fri Sep 30, 2011 11:49 pm
@Tigzy

Files by attaching its device to the fs driver (ntfs).


Monitoring + key protection by CM callback. Driver loading guarded by LoadImageNotify callback. Banning performed by filenames and by specific data found inside binaries (located in Directory[IMAGE_DIRECTORY_ENTRY_SECURITY]); this is an additional blacklist for the case where driver names are different.
KProcess Hacker VirusBuster Ltd Beijing Jiangmin SUNBELT SOFTWARE Sunbelt Software K7 Computing Immunet Corporation Beijing Rising G DATA Software Quick Heal Technologies Comodo Security Solutions Sophos Plc Anti - Virus CJSC Returnil Software NovaShield Inc antimalware BullGuard Ltd Check Point Software Technologies Ltd Symantec Corporation Panda Software International Kaspersky Lab FRISK Software International Ltd ESET, spol. s r.o. Doctor Web Ltd Comodo Inc BitDefender SRL BITDEFENDER LLC Avira GmbH GRISOFT, s.r.o. PC Tools ALWIL Software Agnitum Ltd

FakeAV protected by two SSDT hooks + ObRegisterCallbacks for the newest versions
Code:
ntoskrnl.exe-->NtOpenProcess, Type: Address Change 0x805717C7-->F32FA213 [C:\WINDOWS\System32\Drivers\40ac432e68c8aa52.sys]
ntoskrnl.exe-->NtOpenThread, Type: Address Change 0x8058A1BD-->F32FA33C [C:\WINDOWS\System32\Drivers\40ac432e68c8aa52.sys]
In sum, this is more a malware protection agent driver than a rootkit, because it has zero stealth.
Is it possible to break all the callbacks with brute force?
This is at least not wise.
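An added example (not code from the thread or from any tool mentioned in it): a Python check that pulls the IMAGE_DIRECTORY_ENTRY_SECURITY blob out of a PE file and reports which of the vendor strings quoted above appear in it, i.e. whether a given driver would trip the string blacklist described in the post. The plain substring match, the blacklist subset and the minimal constructed PE used as input are assumptions made for this example.

```python
import struct

# Subset of the vendor strings quoted in the post (constructed for the example).
BLACKLIST = ["Sunbelt Software", "Kaspersky Lab", "Symantec Corporation",
             "Avira GmbH", "ESET, spol. s r.o.", "Doctor Web Ltd"]


def security_directory(pe: bytes) -> bytes:
    """Return the raw WIN_CERTIFICATE table referenced by data directory 4, or b'' if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 at +96, PE32+ at +112
    # Entry 4 is the security directory; unlike other entries its "RVA" is a raw file offset.
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    return pe[offset:offset + size] if size else b""


def blacklisted_signers(pe: bytes) -> list:
    """Vendor strings from the blacklist found inside the Authenticode blob (assumed substring match)."""
    blob = security_directory(pe)
    return [vendor for vendor in BLACKLIST if vendor.encode() in blob]


def build_fake_pe(cert_payload: bytes) -> bytes:
    """Constructed test input: a minimal PE32 whose only content is one WIN_CERTIFICATE entry."""
    cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    cert += b"\0" * (-len(cert) % 8)             # certificate table entries are 8-byte aligned
    cert_offset = 0x40 + 4 + 20 + 224            # DOS header + "PE\0\0" + file header + PE32 optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0002)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94  # magic + the rest of the fixed part (96 bytes total)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, cert_offset, len(cert))
    return dos + b"PE\0\0" + file_hdr + opt + bytes(dirs) + cert


if __name__ == "__main__":
    sample = build_fake_pe(b"\x30\x82\x01\x00...CN=Sunbelt Software...")
    print(blacklisted_signers(sample))   # ['Sunbelt Software']
```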
 #8920  by Quads
 Sun Oct 02, 2011 11:41 pm
Noticed that with the driver for Necurs running it doesn't allow GMER on program start to have all the scan areas selected, only from Services and below available, with an error message appearing.

Quads
 #8921  by EP_X0FF
 Mon Oct 03, 2011 12:31 am
Quads wrote:Noticed that with the driver for Necurs running it doesn't allow GMER on program start to have all the scan areas selected, only from Services and below available, with an error message appearing.
EP_X0FF wrote:And it looks like this blacklist does not work as expected - for example on my machines it blocked ALL drivers from loading (Process Explorer, WinObj, any other tool with a driver on board).
GMER is unable to load its driver due to the block from Necurs and then works in UM scan mode, which is useless.
 #8934  by EP_X0FF
 Mon Oct 03, 2011 12:44 pm
Tigzy's posts moved to a dedicated thread.
 #15996  by rough_spear
 Mon Oct 15, 2012 10:31 am
Hi All, :D

Necurs rootkit aka Bubik/Bubnix.

Dropper -

SHA256: 7de0a1e53bd40b3194743e61052c1c92bf352f7d39df7afcf514d99b8a6b6bdc
SHA1: 8883c165dd8908b3aec9ea9268682a621575f4a1
MD5: 6b537ad316046e455249596ec332d9c8

VT link - https://www.virustotal.com/file/7de0a1e ... /analysis/

dropped driver -

SHA256: 742a3c8c0a3601af29daffb966e947334d4f20501e5568b9c9fbf4c3526b4b84
SHA1: 30f63b8cae41a97456a82131c4577a2020697b89
MD5: 0907292986e05a8752bc1863556d229e

VT link - https://www.virustotal.com/file/742a3c8 ... /analysis/

Regards,


rough_spear.
Attachment: password - infected.