A forum for reverse engineering, OS internals and malware analysis 

Aduska bootkit (Whistler based)

Forum for analysis and discussion about malware.

Aduska bootkit (Whistler based)

 #17991  by K_Mikhail
 Sat Feb 02, 2013 12:26 pm
Dropper: https://www.virustotal.com/file/80c0613 ... /analysis/

Dropped driver: https://www.virustotal.com/file/9998633 ... /analysis/

Infected boot: https://www.virustotal.com/file/431799a ... /analysis/
Attachments
pass: virus
(211.68 KiB) Downloaded 237 times
Last edited by EP_X0FF on Sun Feb 10, 2013 1:45 pm, edited 1 time in total. Reason: renamed

Re: Bootkits

 #17996  by EP_X0FF
 Sat Feb 02, 2013 1:55 pm
K_Mikhail wrote:Dropper: https://www.virustotal.com/file/80c0613 ... /analysis/

Dropped driver: https://www.virustotal.com/file/9998633 ... /analysis/

Infected boot: https://www.virustotal.com/file/431799a ... /analysis/
It is a pretty similar to this http://labs.bitdefender.com/2012/05/pli ... on-gamers/

\SystemRoot\System32\DownDll.dll is injected in the following processes via queued APC:
Code: Select all
EXPLORER.EXE
HIGHLOW2.EXE
POKER7.EXE
LASPOKER.EXE
BADUKI.EXE
DUELPOKER.EXE
The following processes will be terminated if found (check is running inside system thread by calling pNtQuerySystemInformation and the doing 100500 wcsicmp):
Code: Select all
MpCmdRun.exe 
MSASCui.exe 
ntmSCMon.exe 
ntmConfig.exe 
gwupdate1.exe 
gwupdate.exe 
ntmurl.exe 
tskShield.exe 
gwtray.exe 
DTLaunch.exe 
DTShell.aye
DTRunSC.exe 
DTUpdSrv.aye
DTUpdate.aye
DTRTSrv.aye
DTPatch.aye
DTLocalHost.aye
DTHost.aye
DTAgent.aye
Doctor.aye
NVCSvcMgr.npc
NToolsUpdater.exe 
nsvmon.npc
NVC.npc
NVCAgent.npc
NVCOpt.npc
Nsvmon.npc
Nsavsvc.npc
NaverAgent.exe 
NaverAdminAPISvc.exe 
NToolsUpdaterLauncher.exe 
NVCUpgrader.exe 
WscTsk.exe 
V3Proxy.ahn
V3Up.exe 
V3Trust.exe 
V3Svc.exe 
V3SP.exe 
V3Regi.exe 
V3QuaVw.exe 
V3PScan.exe
V3Main.exe 
V3Exec.exe 
V3Delete.exe 
V3Cr.exe 
V3Clnup.exe 
V3Cfg.exe 
V3Au.exe 
V3APRule.exe 
V3APKMD.exe 
restoreu.exe 
MUpdate2.exe 
AhnRpt.exe 
V3Medic.exe 
V3LRun.exe 
V3LNetDn.exe 
V3Light.exe 
V3LExec.exe 
SgSvc.exe 
V3LSvc.exe 
AYPatch.aye
AYCon.exe 
AYLaunch.exe 
install.aye
ESTCM.exe 
AYTask.aye
AYShell.aye
AYRunSC.exe 
AYHost.aye
AYUpdSrv.aye
AYRTSrv.aye
AYAgent.aye
AlYac.aye
Pretty much lame stuff, especially 100500 wcsicmp and the way how it lookups original NtOpenProcess, NtTerminateProcess, NtQuerySystemInformation addresses which is complete facepalm. This lolkit will only work on Windows XP, Vista and 7 due to hardcoded index values of NtOpenProcess, NtTerminateProcess and NtQuerySystemInformation. Yet another Korean? gamers spying lolkit.

MBR copy btw located in the driver.

Re: Bootkits

 #17997  by rinn
 Sat Feb 02, 2013 2:16 pm
Hi EP_X0FF.

Have you wasted your time on this one too? It took less than minute to figure out - it does not cost it, and close my softwares. Gpboot mbr no enough already to put "nops" I guess. 100500 wcsicmp I think it is expanded "for", because these drivers compiled with /DEBUG on and MS compilers like to expand cycles in debug builds :) Driver itself is a loader for second driver, which plays injector and processes terminator role. I assume they did this to evade detection and bypass SSDT hooks. Bootkit MBR sector is on offset 00005400h in the driver body.

Best Regards,
-rin

Re: Bootkits

 #17998  by EP_X0FF
 Sat Feb 02, 2013 2:39 pm
rinn wrote:100500 wcsicmp I think it is expanded "for", because these drivers compiled with /DEBUG on and MS compilers like to expand cycles in debug builds :)
Perhaps you are right. This lolkit is yet another mindless copy-paste work. Original distribution server located in South Korea.
IP address: 164.125.37.95
Host name: boskerbosker.com
Alias: boskerbosker.com
164.125.37.95 is from Korea, Republic of(KR) in region Southern and Eastern Asia
And file is still available for download.

Re: New Plite bootkit (Whistler based)

 #17999  by EP_X0FF
 Sat Feb 02, 2013 2:55 pm
Payload dll can be extracted from original dropper. Just upx -d it, all stuff in resources.
g:\PeepPoker_download\Release\PeepPoker.pdb

Re: New Plite bootkit (Whistler based)

 #18034  by Tigzy
 Tue Feb 05, 2013 11:45 am
Hello

I confirm same signature as Whistler
Code: Select all
------------------------ FILE MBR --------------------
Whistler found!
** Valid MBR

Bootstrap HASH : c17b1098774e837684cd9d558c020719
MBR HASH : 2a86dd2bb62b1a68fc2f1fabceee5dd3

** 1 partition(s):
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 5403 Mo


** Bootstrap:

31  c0  8e  d8  8e  c0  8e  d0  bc  00  7c  be  00  7c  bf  00
06  b9  80  00  fc  f3  66  a5  ea  1d  06  00  00  66  31  c0
be  be  07  b1  04  66  39  44  08  72  08  66  8b  44  08  66
03  44  0c  81  c6  10  00  e2  ec  66  09  c0  74  56  66  05
01  00  00  00  66  50  b9  01  00  bb  00  7c  e8  eb  00  66
58  72  41  66  60  b9  00  02  be  00  7c  80  3c  00  74  03
80  34  ef  46  e2  f5  66  61  66  50  66  31  c0  a1  13  04
24  fc  2d  04  00  a3  13  04  c1  e0  06  8e  c0  66  58  66
05  01  00  00  00  b9  08  00  31  db  e8  ad  00  72  05  06
68  00  00  cb  be  be  07  b1  04  80  3c  80  74  0c  38  2c
75  3f  81  c6  10  00  e2  f1  cd  18  66  8b  44  08  89  e3
b9  01  00  e8  84  00  73  0a  8b  4c  02  b8  01  02  cd  13
72  3a  81  3e  fe  7d  55  aa  75  54  ea  00  7c  00  00  5e
ac  08  c0  74  fc  56  1e  b4  0e  bb  0c  00  cd  10  1f  eb
ee  e8  eb  ff  49  6e  76  61  6c  69  64  20  70  61  72  74
69  74  69  6f  6e  20  74  61  62  6c  65  00  e8  d0  ff  45
72  72  6f  72  20  6c  6f  61  64  69  6e  67  20  6f  70  65
72  61  74  69  6e  67  20  73  79  73  74  65  6d  00  e8  ae
ff  4d  69  73  73  69  6e  67  20  6f  70  65  72  61  74  69
6e  67  20  73  79  73  74  65  6d  00  66  60  bb  aa  55  b4
41  cd  13  73  04  f9  66  61  c3  81  fb  55  aa  75  f6  f6
c1  01  74  f1  66  61  66  60  68  00  00  68  00  00  66  50
06  53  51  68  10  00  b4  42  89  e6  cd  13  61  66  61  c3
00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
00  00  00  00  00  2c  44  63  04  de  04  de  00  00

1.........|..|........f......f1......f9D.r.f.D.f.D.......f..tVf.....fP.....|...f
XrAf`.....|.<.t..4.F..fafPf1....$.-..........fXf........1....r..h.........<.t.8,
u?........f.D.........s..L......r:.>.}U.uT..|..^...t.V..............Invalid part
ition table....Error loading operating system....Missing operating system.f`..U.
A..s..fa...U.u....t.faf`h..h..fP.SQh...B....afa.................................
.....................................,Dc......
 Return to “Malware”