A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24796  by EP_X0FF
 Fri Jan 02, 2015 12:52 pm
Legacy BIOS MBR WinNT bootkit.

Purpose: kernel mode spambot.

MBR:
This sample https://www.virustotal.com/en/file/c015 ... 420199827/,
old December analyzed Pitou build https://www.virustotal.com/en/file/269f ... /analysis/
Current sample doesn't use 0xDEADBEEF as xor key and looks a little bit simplified.

Hooks IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL for the disk port driver and several routines in NDIS driver by splicing.

Contain antiVM similar to Win32/Avatar lolkit -> MmMapIoSpace and lookup for known VM vendors/products names.

Image

Source:
Code: Select all
31.184.236.83/crypted.ff.exe

HTTP/1.1 200 OK
Date: Fri, 02 Jan 2015 0X:XX:XX GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 27 Dec 2014 11:56:11 GMT
ETag: "26009a-7da00-50b3153deb85e"
Accept-Ranges: bytes
Content-Length: 514560
Connection: close
Content-Type: application/x-msdos-program
Bootkit data storage:

Located at the end of the system disk in unpartitionable space. Structure is simple -> initialization code, copy of original mbr used for faking while filtering I/O requests and next lolkit driver. Depending on mode there will be x86-32 driver or x64 version of the same trash.

VT scans:

dropper (dotnet crypter)
https://www.virustotal.com/en/file/09b5 ... 420203568/

for x64 driver
https://www.virustotal.com/en/file/bbc3 ... 420202247/

for x86-32 driver
https://www.virustotal.com/en/file/403f ... 420202266/

Previously analyzed Pitou variant used xor encryption over these data with hardcoded 0xDEADBEEF key, decrypting contents of bootkit code upon bootkit MBR execution. This one stores data without any encryption.

Small code for decoding bootkit data used for previous version/build
Code: Select all
#include <windows.h>
#include <intrin.h>

#define DATASIZE 0x6c000 //0x78c00 for x64

void main()
{
	HANDLE					f;
	DWORD					iobytes;
	DWORD					*buffer, s0 = 0xdeadbeef;
	ULONG					c;

	f = CreateFile(TEXT("c:\\malware\\pitou\\uspace_32.dat"), GENERIC_READ | SYNCHRONIZE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
	if ( f != INVALID_HANDLE_VALUE ) {
		buffer = (DWORD *)VirtualAlloc(NULL, DATASIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
		if ( buffer != NULL ) {
			ReadFile(f, buffer, DATASIZE, &iobytes, NULL);

			for (c=0; c<(DATASIZE/4); c++) {
				buffer[c] = buffer[c] ^ s0;
				s0 = _rotr(s0, 1);
			}
		}
		CloseHandle(f);

		f = CreateFile(TEXT("c:\\malware\\pitou\\uspace_32.dmp"), GENERIC_ALL | SYNCHRONIZE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL);
		if ( f != INVALID_HANDLE_VALUE ) {
			WriteFile(f, buffer, DATASIZE, &iobytes, NULL);
			CloseHandle(f);
		}

		VirtualFree(buffer, 0, MEM_RELEASE);
	}

	ExitProcess(0);
}
Pitou dropper + extracted drivers in attach, upon successful installation it will force Windows reboot by NtShutdownSystem call. For direct disk access during installation dropper uses IOCTL_SCSI_PASS_THROUGH request.

P.S.

F-Secure coverage of earlier Pitou version https://www.f-secure.com/documents/9965 ... epaper.pdf + Pitou UAC bypass reconstructed method UACMe - Defeating Windows User Account Control, however this particular dropper seems unable to bypass UAC.
Attachments
pass: infected
(760.01 KiB) Downloaded 218 times
 #25470  by R136a1
 Mon Mar 16, 2015 11:01 am
Pitou author seems to be pretty creative when it comes to droppers. This one is coded in PureBasic and drops a slightly older variant of the version described by EP_X0FF.

Behaviour on Windows XP and prior (x86):


Driver hooks IRP_MJ_DIRECTORY_CONTROL for file system driver to hide its driver file inside %SystemRoot%\system32\drivers.

Furthermore it hooks functions NtEnumerateKey and NtOpenKey by splicing (SSDT) to hide registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

It also hooks the ProtocolStatus routine of MS QoS Packet Scheduler (psched.sys) by splicing which is needed for NdisRegisterProtocol function during initialization.

Image

Hardcoded C&C Server and some DGA domains extracted from memory dump:
80.156.86.78
utonbaaaj.com
ovfeaapak.me
iwasubab.biz
biovubba.org


Behaviour on Windows Vista+ (x86/x64):

See EP_X0FF's description


Virustotal:

Dropper
https://www.virustotal.com/en/file/808a ... 426503129/

x86 driver
https://www.virustotal.com/en/file/e347 ... 426503202/

x64 driver
https://www.virustotal.com/en/file/d533 ... 426503247/


Files attached.
Attachments
PW: infected
(1.01 MiB) Downloaded 137 times
 #26230  by EP_X0FF
 Fri Jul 03, 2015 6:43 am
Well, it stil silently autoelevates, hooks irp etc. Mbr detect reveals count of BitDefender engine usage. Bizarre thing is that this malware even with installed hooks failed to hide its own mbr. Overall its just a indication of the fact - Windows bootkits are dead. Pitou particular malware family is just like a dinousaur and Rovnix is alive just because it open-source and some gangs still use it.

https://www.virustotal.com/en/file/0cec ... 435905091/