Wrong identified as Rustock (see Rustock 2010) this is another rootkit with few interesting features at board.
It patches ETHREAD SystemTable pointer to specially allocated in NonPagedPool fake service table, that contains real addresses from SSDT and addresses replaced by rootkit handlers. User threads created after rootkit installation is being patched in same manner. Rootkit uses Thread notification routine to catch threads creation (PsSetCreateThreadNotifyRoutine used).
E.g.
Syscalls from such “patched” thread is fully under control of rootkit. So such thread (and application in whole) can for example think that some registry keys simple does not exists.
Following functions affected:
NtDeleteValueKey
NtEnumerateValueKey
NtEnumerateKey
NtOpenKey
NtOpenProcess
NtOpenThread
NtProtectVirtualMemory
NtQuerySystemInformation
NtReadVirtualMemory
NtSetContextThread
NtSetValueKey
NtSuspendThread
NtTerminateThread
NtWriteVirtualMemory
Registry routines intercepted by rootkit for self-protection reasons. They helping in survive strategy, by hiding registry entries that belongs to rootkit. It also modifies code of IofCompleteRequest to help protect itself. Rootkit injects payload dll named main.dll inside trusted svchost.exe process, creates thread and guards all these stuff with help of other acquired functions listed above. Thread is hidden from enumeration with help of NtQuerySystemInformation interception.
Main.dll contains several readable strings, full dump below:
More detailed analysis of this rootkit can be found here
BlackEnergy Version 2 Analysis
VirusTotal
http://www.virustotal.com/analisis/5af3 ... 1268660972
MD5
9219e2cfcc64ccde2d8de507538b9991
SHA1
181e59600d057dc6b31a3b19d7f4f75301a3425e
It patches ETHREAD SystemTable pointer to specially allocated in NonPagedPool fake service table, that contains real addresses from SSDT and addresses replaced by rootkit handlers. User threads created after rootkit installation is being patched in same manner. Rootkit uses Thread notification routine to catch threads creation (PsSetCreateThreadNotifyRoutine used).
E.g.
rku5 wrote:0x81D84E40 Faked ServiceTable-->explorer.exe [ ETHREAD 0x81E4F188 ] TID: 984Lets explore it.
WinDbg wrote:lkd> dd 0x81D84E40We have actually new faked table entries. This method gives enough stealth level and it is comfortable. As in fact, SSDT wasn’t modified and major rootkit detectors will fail find and remove rootkit hooks.
81d84e40 8182a698 00000000 0000011c 80510088
81d84e50 bf999b80 00000000 0000029b bf99a890
Syscalls from such “patched” thread is fully under control of rootkit. So such thread (and application in whole) can for example think that some registry keys simple does not exists.
Following functions affected:
NtDeleteValueKey
NtEnumerateValueKey
NtEnumerateKey
NtOpenKey
NtOpenProcess
NtOpenThread
NtProtectVirtualMemory
NtQuerySystemInformation
NtReadVirtualMemory
NtSetContextThread
NtSetValueKey
NtSuspendThread
NtTerminateThread
NtWriteVirtualMemory
Registry routines intercepted by rootkit for self-protection reasons. They helping in survive strategy, by hiding registry entries that belongs to rootkit. It also modifies code of IofCompleteRequest to help protect itself. Rootkit injects payload dll named main.dll inside trusted svchost.exe process, creates thread and guards all these stuff with help of other acquired functions listed above. Thread is hidden from enumeration with help of NtQuerySystemInformation interception.
Main.dll contains several readable strings, full dump below:
.exe SYS TMP cmd.exe /C b k e r n e l p l g _ d a t a getp v e r s i o n n a m e s l e e p f r e q c m d s p l u g i n s x%s_%X C:\ a d d r t y p e s e r v e r s i c m p _ a d d r b u i l d _ i d str.sys \drivers\ \ \ . \ \ \ . \ G l o b a l \ %s%s { 9 D D 6 A F A 1 - 8 6 4 6 - 4 7 2 0 - 8 3 6 B - E D C B 1 0 8 5 8 6 4 A } main.dll .bdata {3D5A1694-CC2C-4ee7-A3D5-A879A9E3A623} POST %.2X & = bid nt %d cn ln id ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ Content-Type: application/x-www-form-urlencoded _TEST_ .dll user32.dll advapi32.dll wininet.dll ws2_32.dll DispatchCommand DispatchEvent GetLastError GetCurrentProcessId ExitThread CloseHandle KERNEL32.dll wsprintfA USER32.dll CoCreateInstance CoInitializeEx ole32.dll OLEAUT32.dll WS2_32.dll RtlUnwind InterlockedExchange VirtualQuery main.dll ConfAllocGetTextByNameA ConfAllocGetTextByNameW ConfGetListNodeByName ConfGetNodeByName ConfGetNodeTextA ConfGetNodeTextW ConfGetPlgNode ConfGetRootNode DownloadFile PlgSendEvent RkLoadKernelImage RkProtectObject SrvAddRequestBinaryData SrvAddRequestStringDataRootkit driver is not hidden from drivers list but randomly renamed (hexadecimal name). Name differs after each reboot. Rootkit renames itself in list to fool detectors and users. Also this help to prevent “Wiping” by some tools (they can’t get real file path and file name of rootkit driver).
More detailed analysis of this rootkit can be found here
BlackEnergy Version 2 Analysis
VirusTotal
http://www.virustotal.com/analisis/5af3 ... 1268660972
MD5
9219e2cfcc64ccde2d8de507538b9991
SHA1
181e59600d057dc6b31a3b19d7f4f75301a3425e
Attachments
pass: malware
(70.82 KiB) Downloaded 402 times
(70.82 KiB) Downloaded 402 times
Ring0 - the source of inspiration