and this is the one for the first infected winlogon/explorer.exe
cmd.exe
Hello Stuxnet and TDL.
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>%s</Command>
    </Exec>
  </Actions>
</Task>
\\?\globalroot\systemroot\system32\tasks\
task%d
<Actions
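Added example, not from the poster or the sample: a small Python checker for task XML files shaped like the fragment above, flagging the S-1-5-18 / HighestAvailable principal and the task%d file naming. The <Task> root element, its namespace, the command paths and the benign comparison task are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the fragment quoted above (not a real sample's file);
# the <Task> root and namespace are assumed and the XML declaration is left out.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>C:\Windows\Temp\dropped.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a service account at least privilege.
BENIGN_TASK_XML = """<Task version="1.2"><Principals><Principal id="Author">
  <UserId>S-1-5-19</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
<Actions Context="Author"><Exec><Command>C:\\Vendor\\updater.exe</Command></Exec></Actions></Task>"""

def parse_task(xml_text):
    """Collect the principal and action fields from a Task Scheduler XML document."""
    info = {"user_id": None, "run_level": None, "commands": []}
    for el in ET.fromstring(xml_text).iter():
        # Real task files carry a default namespace, the fragment above shows
        # none; strip any "{ns}" prefix so both forms are handled.
        name, text = el.tag.rsplit("}", 1)[-1], (el.text or "").strip()
        if name == "UserId":
            info["user_id"] = text
        elif name == "RunLevel":
            info["run_level"] = text
        elif name == "Command":
            info["commands"].append(text)
    return info

def task_indicators(file_name, xml_text):
    """Return the indicators a task file matches; an empty list means none did."""
    info = parse_task(xml_text)
    hits = []
    if file_name.lower().startswith("task") and file_name[4:].isdigit():  # created as task%d
        hits.append("generic task%d file name")
    if info["user_id"] == "S-1-5-18" and info["run_level"] == "HighestAvailable":
        hits.append("runs as LocalSystem with HighestAvailable")
    return hits
```

Run it over every file in the Tasks folder (the path the sample writes to) and review any file that returns a non-empty list; the file name check is only meaningful together with the principal check, since legitimate tasks also run as SYSTEM.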