A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9674  by HackJack
 Sat Nov 12, 2011 4:29 am
After deleting callbacks for CreateProcess ?_empty_?, LoadImage unknown_notify_handler in Kernel callbacks routines, i was able to run Gmer

please find the gmer log attached
Attachments
Gmer Log
(9.57 KiB) Downloaded 38 times
 #9675  by EP_X0FF
 Sat Nov 12, 2011 4:31 am
This log does not give any additional info. MaxSS installed and working.
Can you do a full physical memory dump and upload it somewhere? (RkU->Tools->Dump All Physical Memory)
 #9680  by EP_X0FF
 Sat Nov 12, 2011 2:04 pm
Your MaxSS config
BKFS[SCRIPT_SIGNATURE_CHECK]

[kit_hash_begin]
100000
[kit_hash_end]

[kit64_hash_begin]
100000
[kit64_hash_end]

[cmd_dll_hash_begin]
100000
[cmd_dll_hash_end]

[cmd_dll64_hash_begin]
100000
[cmd_dll64_hash_end]

[servers_begin]
hxxp://quick-876346.com/cat/v3
hxxp://lutanasbourne.com/cat/v3
hxxp://badlecycle.com/cat/v3
hxxp://webgetclick.com/cat/v3
hxxp://francispolar.com/cat/v3
[servers_end]

[modules_begin]
bbr232|100015
serf332|100028
sant32|100000
[modules_end]

[modules64_begin]
serf364|100028
bbr264|100015
sant64|100000
[modules64_end]

[injects_begin]
cmd32|svchost.exe,
bbr232|iexplore.exe,explorer.exe,firefox.exe,safari.exe,chrome.exe,opera.exe,WebKit2WebProce,WebKit2WebProc,
serf332|iexplore.exe,explorer.exe,ieuser.exe,
sant32|services.exe,
[injects_end]

[injects_begin_64]
cmd32|svchost.exe,
cmd64|svchost.exe,
bbr232|iexplore.exe,explorer.exe,firefox.exe,safari.exe,chrome.exe,opera.exe,WebKit2WebProce,WebKit2WebProc,
bbr264|iexplore.exe,explorer.exe,firefox.exe,safari.exe,chrome.exe,opera.exe,WebKit2WebProce,WebKit2WebProc,
serf332|iexplore.exe,explorer.exe,ieuser.exe,
serf364|iexplore.exe,explorer.exe,ieuser.exe,
sant32|services.exe,
sant64|services.exe,
[injects_end_64]

[block_by_crc_begin]
2319090
1377285
1358012
1402047
1178976
1219939
1233377
1355247
1394702
1371304
7065345
10454367
11020797
1454051
1563203
1422898
1966285
1492854
1469591
1411944
1449167
1446295
1437356
1396682
1415008
1413143
1570237
1459789
1438019
1389482
1446840
1376301
1609283
1602092
1420090
6527308
1609787
1606318
1460103
1421835
1626431
1422756
1495286
1450307
1606001
1559749
1462324
1567436
1602084
1394702
1562615
1568096
1570672
1560044
1566626
1433161
1581575
1492446
1597675
1430267
[block_by_crc_end]

[crc_begin]
645710
1110560
53571
103475
267156
133776
74366
4213081836
4012962617
339533577
820333846
1237135839
2619140643
635755395
1084636732
168058888
3997900220
972101418
1997303488
2043050407
1410727764
1360607466
3264581999
3584516421
1160809628
665538150
2361482463
4267483940
1623533333
2570953230
796389970
344921315
1092572581
750006651
2381913409
797654280
468590801
2049471588
2432572148
3305834765
626336804
3728285991
1547311532
2015336217
3319889045
2875729805
680805574
919866743
3931323967
138235900
1931611448
903354224
[crc_end]

[mods_hosts_begin]
interalotimub.com
sumbaiturful.com
mosendoysu.com
joburgonfroco.com
clickrec.org
webgetclick.com
[mods_hosts_end]

[jpeg_begin]
hxxp://Laheyutizu.livejournal.com/|l6Rl0JtinHxSSY50nzCy
hxxp://xykojotas.wordpress.com/|nel+q6Ym+XUqdKN37zGn
hxxp://Ursalupiwu.livejournal.com/|tcd1rIM072wRart11Sjn
hxxp://bopowojo.wordpress.com/|l8RB/+sj5VoEHZQjzjPm
[jpeg_end]
[SCRIPT_SIGNATURE_CHECK_END]
 #9682  by EP_X0FF
 Sat Nov 12, 2011 2:39 pm
There are a lot of McAfee junk in memdump as well as rootkit markers. This rootkit looks like updated MaxSS variant which were spreading in Aug-Sept-Oct. There seems no more debug dll (ldr_dll.dll) or it functionality moved somewhere else. As for blocklist, these values mostly the same as in MaxSS cfg's recovered in Aug-Sept-Oct. There is MBAM.sys special ban code embedded in MaxSS driver, just like in the beginning of this year.

Some more cfg data.
BKFS[PANEL_SIGN_CHECK]
[runs_count_begin]
30
[runs_count_end]
[urls_to_serf_begin]
hxxp://www.dewytogabsu.com/ac4.php?aid=574&sid=direc40
hxxp://www.uniquedentu.com/ac4.php?aid=574&sid=direc40
hxxp://www.buseforode.com/ac4.php?aid=574&sid=direc40
hxxp://www.tavelfelegon.com/ac4.php?aid=574&sid=direc40
hxxp://www.ingesuricow.com/ac4.php?aid=574&sid=direc40
hxxp://www.ranboceubap.com/ac4.php?aid=574&sid=direc40
[urls_to_serf_end]
[refs_to_change_begin]
http://www.buseforode.com/ac4.php=|www.buseforode.com/search.php
http://www.tavelfelegon.com/ac4.php=|www.tavelfelegon.com/search.php
http://www.ranboceubap.com/ac4.php=|www.ranboceubap.com/search.php
http://www.ingesuricow.com/ac4.php=|www.ingesuricow.com/search.php
http://www.dewytogabsu.com/ac4.php=|www.dewytogabsu.com/search.php
http://www.uniquedentu.com/ac4.php=|www.uniquedentu.com/search.php
[refs_to_change_end]
[panels_begin]
interalotimub.com
hotokelahout.com
joburgonfroco.com
sumbaiturful.com
mosendoysu.com
francispolar.com
webgetclick.com
[panels_end]
[popupcount_begin]
3
[popupcount_end]
[popupurl_begin]
[popupurl_end]
[popupurl2_begin]
[popupurl2_end]
TDL "BKFS"
mbr
bid
boot
cmd64
dbg64
drv64
ldr64
info
mainfb.script
serf_conf
sant32
vbr
affid
cmd32
dbg32
drv32
ldr32
subid
main
com32
serf332
bbr_conf
time.txt
 #9683  by frank_boldewin
 Sat Nov 12, 2011 6:12 pm
HackJack wrote: i have also attached the installer for the rootkit.SST.b, requesting not to install in a virtual machine
find attached an unpacked patched dropper, that installs even in vmware.

pw: malware
Attachments
(218.97 KiB) Downloaded 82 times