[R136a1]

Flying under the radar:

The following link shows some interesting informations of a malware not yet classified:
http://threatexpert.com/reports.aspx?fi ... r&x=12&y=7

First uploaded in 2010, but some of the C&C servers are still online, so maybe it is still actively used.
Moreover it contains a kernel mode component and the origin is stated as Russian Federation, which may indicate a real challenge.

MD5 hashes
0482d1652c2a0e6c16ca3e2a53be0783
9dc0f7e7aec2bda05d70fdfa2fc50bd0
fa4bda12c94824ab451da83bae240c5d
938b92958ded4d50a357d22eddf141ad
4f6f873d25b32698ffb3488769109269

[Xylitol]

@R136a1, found only these:
0482d1652c2a0e6c16ca3e2a53be0783
9dc0f7e7aec2bda05d70fdfa2fc50bd0
938b92958ded4d50a357d22eddf141ad

[shaheen]

https://www.virustotal.com/en/file/bf1c ... /analysis/


http://blog.gdatasoftware.com/blog/arti ... roots.html

Any thoughts on this?

[R136a1]

For samples and some info take a look at my tweets:
https://twitter.com/theenergystory
https://twitter.com/malwarechannel

Regards

[CloneRanger]

@ R136a1 Good catches, Thanx :)

ALL the samples in your 2 Zips, are reported by PeStudio as Signed. But viewing Properties indicates they are Not ! Have the coders discovered a clever way of tricking the OS's into believing they are signed, or is there another reason why my screenies show what they do ?

If they have managed to do that, how ?

Sample in screenies = inj_snake_x64.dll

[R136a1]

When PeStudio detects something as digitally signed, it has to be 100% correct. So let's find out how they managed to fool Windows into thinking the files are signed! [/irony]

No, none of the files is digitally signed! And they also didn't find a way to fool Windows (why Windows anyway? PeStudio detects it as signed!) into thinking so. I don't know what PeStudio is using as an indicator for detecting files as digitally signed, but the implementation is obviously buggy.

Why do you blindly trust in any tools when the opposite is obviously right (as you saw yourself)? ;)

[STRELiTZIA]

@CloneRanger
Are you sure to use updated release ?

[t4L]

I guess you're understanding incorrectly PeStudio. IMHO, the file has the characteristic when the star on the left of lights up. In this case, the file isn't signed since that star is blurred.

PeStudio GUI design is bad, but not that hard to recognize.

[CloneRanger]

@ R136a1

Well i don't pretend to be an expert. I just thought that there "might" be something worth exploring further. Anyway, see below.

@ STRELiTZIA

Yes it was an earlier version i was using.

@ t4L

You're right, i mistakenly glossed over that. Ah well, live n learn ! Actally i think is a useful addition to our Tools etc box ;)

*

Thanx

[frank_boldewin]

Yesterday i wrote on facebook that the Uroboros malware reminds me on a similar case back in 2008. Now i'm pretty sure. When the dropper executes first it checks if it runs on a 32bit or 64bit system to select what driver to drop later. It creates a directory $NtUninstallQ817473 inside the windows directory and drops an encrypted driver called fdisk.sys. Then a 400MB file is created called fixdata.dat. This is an encrypted filesystem storing usermode files of the malware, which are being injected in services.exe and explorer.exe
Further it is used to store stolen documents e.g. word, excel, powerpoint. The driver fdisk.sys manages the fixdata.dat filesystem and the network communication. The driver avoids to use hiding itself or using defense tactics. Symantec analysed an older version of this malware in November 2009 and called it Backdoor.Pfinet. Of course i haven't made a deep dive inside the malware in that short period of time i looked at it, so there will be still a lot of things to explore. ;)


Someone has seen a deep analysis already?