A forum for reverse engineering, OS internals and malware analysis 
 #16144  by kmd
 Fri Oct 19, 2012 9:15 am
rkhunter wrote: But is it a correct point of view that "don't write anything at all"? Of course all of us can discuss any paper or something else, but it seems this is criticism. If you can do something better, let's do it, nope?
Nope, it is not correct. Research is always good, when it is yours.
As well as playing spies and collecting info for self-promo, which this guy's company loves to do. Look at his blog post again: what did he actually do, or what new did he find?

WMI antivm?
Nope. phaeton posted here MUCH more and in MUCH more detail, as well as how to bypass this.

Figured out this is just an updated old rootkit, and did this first?
Nope. He is STILL in doubt; look at the name of the post.

Provided info on how to detect the presence of this rootkit by system anomalies?
Nope. ESET SysInspector, anyone?

Provided cleaning instructions?
Nope. Why bother; buy our sh..product and fcuk with it.

Posted anything about the affiliate who is behind it?
Nope.

Can continue, but tired of typing.

Did self and company promotion?
YEAH. Everybody now knows: ESET is always looking forward to new threats (no matter if they found them reading public forums).
Hell they did it, facepalm.
 #16145  by EP_X0FF
 Fri Oct 19, 2012 9:28 am
rkhunter wrote: ...it looks like normal PR, not endless PR on Stuxnet and endless stories about weapons.
C'mon, Stuxnet stories are cool and interesting to read :)

It is no secret that AV companies always have a lot of active research, tracking etc. Some, for example, are always looking for TDL's affiliates, some collecting Zeus. But I do not believe in coincidences. This is the second time they have done this. Found a new ZeroAccess with an interesting shellcode infection? Blog post from ESET after some time describing the same stuff. Found a new-old TDL? Blog post from ESET after some time describing the same. OK, fine with that. Everybody wants money. But why are they doing this in such an idiotic manner? Why not collaborate (when having a priori more resources and time) and gain profit? No? Steal, enhance and blogspot our way? GTFO then.
 #16185  by Brookit
 Sun Oct 21, 2012 9:01 am
That's what I call a good analysis:

http://stratsec.blogspot.com/2012/10/an ... b-has.html

Now, if you think it's just another patchwork analysis, I don't think so. It is detailed and seems to have been written some time ago.
Unfortunately some people always want to be the first to post some news about "new" malware, so they release half-baked stuff, and a good analysis released at a later date doesn't get much attention. Make sure you don't miss this fact!
 #16186  by 0x16/7ton
 Sun Oct 21, 2012 9:38 am
Brookit wrote: That's what I call a good analysis:

http://stratsec.blogspot.com/2012/10/an ... b-has.html

Now, if you think it's just another patchwork analysis, I don't think so. It is detailed and seems to have been written some time ago.
Unfortunately some people always want to be the first to post some news about "new" malware, so they release half-baked stuff, and a good analysis released at a later date doesn't get much attention. Make sure you don't miss this fact!
Good article, but that's probably a mistake:
To make sure there is only one instance of the dropper running, the code takes a hard-coded string "ba1039e8cdae53e44ac3e6185b0871f3d031a476" and appends "1010" to it to create a mutex, then appends "1011" to create an event:

creates mutex: Global\ba1039e8cdae53e44ac3e6185b0871f3d031a4761010

creates event: Global\ba1039e8cdae53e44ac3e6185b0871f3d031a4761011
As far as I've seen, it generates this value, ba1039e8cdae53e44ac3e6185b0871f3d031a4761010, from the Windows product ID and install date, with SHA-1 hashing.
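The single-instance check discussed in the two posts above (a 40-hex-character base string with "1010" appended for the mutex and "1011" for the event, both under the Global\ namespace) can be modelled and hunted for without a Windows box. The following is an added example, not code from the stratsec write-up or from the dropper: the derivation function implements 0x16/7ton's hypothesis (SHA-1 over the Windows product ID concatenated with the install date, as a lowercase hex digest) and the exact concatenation order, encoding and date format are assumptions; the product ID and date values, and the sandbox-style list of object names, are constructed here for illustration. The matcher only relies on what both posts agree on: a 40-hex-character base followed by the 1010 / 1011 suffix.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Hard-coded base string quoted from the stratsec analysis in the post above.
ARTICLE_BASE = "ba1039e8cdae53e44ac3e6185b0871f3d031a476"

# Suffixes the analysis reports: "1010" -> mutex, "1011" -> event.
SUFFIX_KIND = {"1010": "mutex", "1011": "event"}

# Global\ or Local\ kernel namespace, 40 hex chars (SHA-1 width), then one suffix.
SYNC_NAME_RE = re.compile(r"^(Global|Local)\\([0-9a-fA-F]{40})(1010|1011)$")


def derive_sync_names(product_id: str, install_date: str) -> Dict[str, str]:
    """Model 0x16/7ton's hypothesis: base = SHA-1(ProductId || InstallDate).

    ASSUMPTION: plain concatenation, UTF-8, lowercase hex digest. The real
    sample may encode or order the inputs differently; this is illustrative.
    """
    base = hashlib.sha1((product_id + install_date).encode("utf-8")).hexdigest()
    return {
        "base": base,
        "mutex": "Global\\" + base + "1010",
        "event": "Global\\" + base + "1011",
    }


def classify_sync_object(name: str) -> Optional[Tuple[str, str, str]]:
    """Return (namespace, base, kind) if `name` fits the dropper's naming scheme."""
    m = SYNC_NAME_RE.match(name)
    if not m:
        return None
    namespace, base, suffix = m.groups()
    return namespace, base.lower(), SUFFIX_KIND[suffix]


def scan_object_names(names: List[str]) -> Dict[str, Dict[str, str]]:
    """Group matching mutex/event names by their shared base.

    A base that shows up with BOTH the 1010 mutex and the 1011 event is the
    strongest signal; a lone match is still reported so an analyst can look.
    """
    findings: Dict[str, Dict[str, str]] = {}
    for n in names:
        hit = classify_sync_object(n)
        if hit is None:
            continue
        namespace, base, kind = hit
        findings.setdefault(base, {})[kind] = namespace + "\\" + n.split("\\", 1)[1]
    return findings


def is_article_base_sha1_shaped() -> bool:
    """Sanity check for the thread's claim: the quoted base has SHA-1 hex width."""
    return len(ARTICLE_BASE) == 40 and all(c in "0123456789abcdef" for c in ARTICLE_BASE)


if __name__ == "__main__":
    # Constructed inputs: not a real product ID or install date.
    names = derive_sync_names("00000-000-0000000-00000", "1350000000")
    print("derived:", names)

    # Constructed sandbox-style list of created named objects.
    observed = [
        "Global\\ba1039e8cdae53e44ac3e6185b0871f3d031a4761010",
        "Global\\ba1039e8cdae53e44ac3e6185b0871f3d031a4761011",
        "Local\\ZonesCacheCounterMutex",
        "Global\\SomeLegitAppSingleton",
    ]
    for base, objs in scan_object_names(observed).items():
        print(base, objs)
```

Run on a sandbox report's list of created mutexes and events; the pattern is tight enough (namespace, exact 40 hex chars, exact suffix) that ordinary application singletons do not match. If the SHA-1-over-host-data hypothesis is right, the base differs per machine, so hunt on the shape rather than on the one hard-coded value quoted in the article.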
 #18735  by EP_X0FF
 Thu Mar 28, 2013 8:15 am
Earlier variant of MaxSS, based on TDL3, mentioned at the beginning of this thread. Infects volsnap.sys.
Unlike the next generation of MaxSS, based on TDL4, this rootkit only targets win32.

SHA256: 22ab214eb3a6f9ea95fa406d700ab036b00a5ae2b4e26b865a3dddee61d65ddf
SHA1: 47a2ecabfd8ca46b7727e2140164106956f90cda
MD5: 14aa3732eb855a053aa7a89ece4dc9bb

https://www.virustotal.com/en/file/22ab ... /analysis/

Additional info: the name "MaxSS" was created from a part of the rootkit configuration file, the string "maxsscore". The name "SST" comes from the name of the driver loader "sst2.sys" that the first variants of this malware used. And the name "PRAGMA" comes from earlier variants of the TDL2-based rootkit this affiliate used.

Attached: dropper and malware driver (all other components can be extracted from it).
Attachment (152.37 KiB), pass: malware