A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20271  by EP_X0FF
 Tue Jul 30, 2013 4:46 am
Thanks for sharing. This is an updated Sirefef with a new survival strategy.

Major changes:
1) All MS Cabinet related code removed. Each component (even the 2Kb bootstrap lists) is now compressed with APLib;
2) Different startup locations used, no more RECYCLE folder.

a) Registers itself as a service (primary launch)
Code:
   // Decompiled fragment from the post: the three values the fake service writes.
   // Type 1 = REG_SZ; the last argument is the size in bytes including the terminating NUL.
   if (NT_SUCCESS(ZwSetValueKey(hKey, &usObjectName, 0, 1, L"LocalSystem", 24))
       && NT_SUCCESS(ZwSetValueKey(
              hKey,
              &usDescription,
              0,
              1,
              L"Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it.",
              588))
       && NT_SUCCESS(ZwSetValueKey(hKey, &usDisplayName, 0, 1, L"Google Update Service (gupdate)", 64)))
[screenshot: random2.png]
b) HKCU\Software\Microsoft\Windows\CurrentVersion\Run (reserve launch)
[screenshot: random1.png]
Notice the specially crafted symbols in the path: SysInternals Autoruns will fail to operate on them, and the same goes for Regedit. Since they all use WinAPI to access the data, they will fail to open the key.

In both cases the registry keys' security permissions are broken to prevent access/removal. The same goes for the directories holding the malware on disk.

Removal.

For (A): go to PROGRAMFILES\Google\Desktop\Install, take ownership (replacing the ALL access list) and erase the directory.

Note: the Sirefef config file, @, may be opened with exclusive access rights. Run Process Explorer, locate "@" (w/o quotes) in "Find Handle or Dll" and close the handle. If it is still busy, rename it. Reboot the computer.

For (B): go to USERPROFILE\Local Settings\Application Data\Google, take ownership of the malware directory and erase it. Reboot the computer. After the reboot the crafted startup entry will still be in the registry. Unfortunately regedit cannot handle it. Remove the whole "Run" key.

About inaccessible keys/directories (in the case of (B)).
This is a temporary solution, as I don't know any third party tools that are able to handle such registry entries, and obviously I cannot advise the internal tool whose screenshot you see above. There is nothing impossible here; you just need a tool that is able to handle a registry/file path in Native format.

Unpacked, extracted binaries of the above Sirefef plus the three plugins it downloaded are in the attachment.
Attachment (pass: infected)
 #20272  by EP_X0FF
 Tue Jul 30, 2013 4:56 am
z00clicker from the 800000cb plugin attached. It is also now packed with APLib instead of Cab and not additionally encrypted with ROL.
Attachment (pass: infected)
 #20274  by unixfreaxjp
 Tue Jul 30, 2013 6:00 am
updated Sirefef with new survival strategy.
Just an awesome analysis! It explained the google update stuff and the autostart.
Just a recent update:
Tested in "ALL" online sandboxes, you name it; they all crashed. Cuckoo also crashed; only one VM survived this (the MS one *smile*)
Sysinternals stuff causes an early exit without full infection (it won't create the Google Update startups even though the code is there), yet the big bug exists, revealing the comm CnC instead of the botnets.. :-) APLib looks to be becoming a popular compressor now..
This is gonna be a real mess.. My opinion: the attack itself is a new strong push in spreading the new version of ZeroAccess / Sirefef via Glazunov,
spotted in the US, Japan and Canada, infected by the same exploit kit leading to the same infector IP of ZeroAccess and the same CnC. Early stage; better to stop this for good.
 #20275  by EP_X0FF
 Tue Jul 30, 2013 8:19 am
Sirefef is now using an embedded null in its registry entry to counteract removal. Subkey "Parameters":
Code:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000011F0   50 00 61 00 72 00 61 00  6D 00 65 00 74 00 65 00   P a r a m e t e 
00001200   72 00 73 00 00 00 2E 20  64 27                     r s   . d'
Removal (WARNING: may cause damage to Windows).

1) Retake ownership over malware registry key;
2) Export whole "services" key to file as "Registry hive file";
3) Open it with a hex editor and locate
Code:
2E 20 65 00 74 00 61 00  64 00 70 00 75 00 67      . e t a d p u g 
We need to fix the first symbol -> the dot (actually it is an invalid unicode character);
replace it with something like
Code:
65 00 65 00 74 00 61 00  64 00 70 00 75 00 67   e e t a d p u g
4) Save the hive file and import it back via regedit. This will overwrite the whole "services" key.

5) Download and run http://technet.microsoft.com/en-us/sysi ... 97448.aspx

regdelnull hklm -s, and allow the program to remove the malformed key
[screenshot: img1.png]
6) After the malformed key is removed, remove the eetadpug key normally from regedit. That is all.
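As an added example (not the author's tool or any code from the thread): the bytes 2E 20 in both dumps above decode as U+202E (RIGHT-TO-LEFT OVERRIDE), so a key actually named etadpug is displayed as gupdate, and the 00 00 after Parameters is the embedded NUL at which Win32 registry calls stop reading the name. The Python below decodes such raw UTF-16LE names (sample bytes constructed from the dumps) and reports the characters a checker that works on Native-format names should flag.

```python
"""Added example (not the author's tool): decode raw UTF-16LE registry names like
those in the dumps above and flag an embedded NUL (Win32 callers stop at it, the
Native API does not) and bidi-override characters that disguise the name."""
import unicodedata

# Constructed sample names, transcribed from the hex dumps quoted in the post.
# "Parameters" + NUL + U+202E (RIGHT-TO-LEFT OVERRIDE) + U+2764
PARAMETERS_NAME = bytes.fromhex("50006100720061006D006500740065007200730000002E206427")
# U+202E followed by "etadpug": a bidi-naive viewer renders it as "gupdate"
SERVICE_NAME = bytes.fromhex("2E20") + "etadpug".encode("utf-16-le")
CLEAN_NAME = "gupdate".encode("utf-16-le")  # ordinary name for comparison

RLO, PDF = "\u202e", "\u202c"  # RIGHT-TO-LEFT OVERRIDE, POP DIRECTIONAL FORMATTING

def decode_name(raw: bytes) -> str:
    # surrogatepass keeps lone surrogates instead of raising, so they can be reported
    return raw.decode("utf-16-le", errors="surrogatepass")

def win32_view(name: str) -> str:
    """What a NUL-terminated (Win32) caller sees: the name up to the first NUL."""
    return name.split("\x00", 1)[0]

def rendered_view(name: str) -> str:
    """Approximate a bidi-naive display: the run after an RLO appears reversed
    until a PDF or the end of the string."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    run, _, rest = tail.partition(PDF)
    return head + run[::-1] + rest

def findings(raw: bytes) -> list:
    """(index, description) for code points foreign to a name: NUL, format/bidi, lone surrogate, control, private-use, unassigned."""
    out = []
    for i, ch in enumerate(decode_name(raw)):
        cat = unicodedata.category(ch)
        if ch == "\x00":
            out.append((i, "embedded NUL"))
        elif cat == "Cf":
            out.append((i, "format/bidi char U+%04X" % ord(ch)))
        elif cat == "Cs":
            out.append((i, "lone surrogate U+%04X" % ord(ch)))
        elif cat in ("Cc", "Co", "Cn"):
            out.append((i, "%s U+%04X" % (cat, ord(ch))))
    return out

if __name__ == "__main__":
    for raw in (PARAMETERS_NAME, SERVICE_NAME, CLEAN_NAME):
        name = decode_name(raw)
        print(repr(name), "win32:", win32_view(name), "shown as:", rendered_view(name), findings(raw))
```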
 #20291  by EP_X0FF
 Wed Jul 31, 2013 3:56 am
markusg wrote:
SHA256: d7c288cc1ac67f4f557dc82b8c81d59a8869653171feb7b41b4077546a12050d
File name: autorun.exe
Detection ratio: 6 / 45
https://www.virustotal.com/en/file/d7c2 ... /analysis/
This is an unusual Sirefef dropper based on an x64 PE32+ wextract. Inside, stored as the payload, is the real Sirefef dropper, new like the one above.
What is the source of this file BTW?

In attach:

1_cfg
2_cfg
32.dll
64.dll
decrypted main dropper extracted from PE32+ dropper.

edit: There are actually two Sirefef droppers inside.
1 - new, the second old with self-debugging. What is interesting is that they both share the same bootstrap configs :)

VT
https://www.virustotal.com/en/file/be65 ... /analysis/
https://www.virustotal.com/en/file/fa83 ... /analysis/
https://www.virustotal.com/en/file/a58d ... /analysis/
https://www.virustotal.com/en/file/33fc ... /analysis/
https://www.virustotal.com/en/file/587f ... /analysis/
Attachment (pass: infected)
 #20293  by EP_X0FF
 Wed Jul 31, 2013 6:33 am
215 Sirefef droppers from June-July 2013.

SHA1
https://mega.co.nz/#!xlQBFBjT!U8zd2XUNY ... 4rPV6v1QSw

pass: infected
 #20295  by thisisu
 Wed Jul 31, 2013 7:57 am
The easiest way I've found so far to disable and delete the service is by using XueTr -- http://www.xuetr.com/download/XueTr.zip
It detects the service as hidden, and this should be differentiated from Google's legitimate service name, which isn't hidden and has a different File Corporation (Company Name).
Downside is that this program only works on x86 systems.

As for the backup startup (HKCU\..\Run) .. I need more time with it to see if it can be resolved without deleting the entire Run key.

I made a short video of XueTr and this variant. -- http://www.youtube.com/watch?v=9WfvT7pgqs4
 #20296  by EP_X0FF
 Wed Jul 31, 2013 8:13 am
I wouldn't recommend anyone use this Chinese bsod-generator.