A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17030  by cjbi
 Wed Dec 05, 2012 11:11 am
Fresh PbBot bootkit dropper, payloads and MBR dump attached, again.

MBR code has been changed.

VirusTotal result(s):
mbr.bin 1/45 :oops: https://www.virustotal.com/file/6855de0 ... 354704811/
SamGal.exe.vir 26/46 https://www.virustotal.com/file/e01538b ... 354705625/
~DFA20.tmp.vir 26/46 https://www.virustotal.com/file/9748f64 ... 354705650/
lefapo.exe.vir & etc... No results yet.
Attachments
pass: infected
(1.53 MiB) Downloaded 103 times
 #17031  by EP_X0FF
 Wed Dec 05, 2012 1:01 pm
The only thing they change in MBR is number and location of nops :) Probably in manual mode vs VT.
 #17622  by unixfreaxjp
 Sat Jan 05, 2013 10:14 pm
A new PbBot bootkit in study. Trojan:Win32/Urelas variant. Reported by @2gg on Twitter; the nature of the infection is Korean game software. I got involved because one of the CnC servers is in Japan. I am in an assisting position in this case (not very familiar with the infection nature).
VT is https://www.virustotal.com/file/5ca2471 ... 357307928/
It is supposed to move my TestPC's original MBR to 0x28 and also to change explorer into a 32-bit payload loader,
but somehow it crashed my TestPC on every reboot and every re-infection, which made it difficult to compare the MBR before and after infection. Tried it 3 times.
I only got one shot at gathering all of the information below. Feel free to help with any additional information.
The dropped payload (Trojan.Win32/Urelas bot client variant) uploaded here: https://www.virustotal.com/file/80f25ff ... /analysis/
Upon execution the sample self-copies, self-deletes and runs itself to modify the MBR (still under confirmation),
and drops the spyware component to send info + etc. data to the remote host. The process goes like this:
Image
The dropped trojan:
Image
Image
The batch file/command was used to erase the trace of original infector:
Code:
0x02EB64   0x02EB64   _uninsep.bat
  :           :
0x037840   0x037840  :Repeat
0x037849   0x037849  del "%s"
0x037853   0x037853  if exist "%s" goto Repeat
0x03786E   0x03786E  rmdir "%s"
0x03787A   0x03787A  del "%s"
The CnC of this infection is on two servers, in Japan & S. Korea:
Code:
103.1.249.164
218.54.28.199 
A local online card game mafia group is suspected of using it.
PoC:
Image
This bootkit targets online games as an auto-update installer to get snapshots/screen captures of infected gamers; the game list is:
Code:
baduki.exe, RealBaduki.exe, highlow2.exe, LASPOKER.exe,
poker7.exe, Baduki.exe, HOOLA3.EXE, DuelPoker.exe,
FNF.EXE, i,e,, site:hanGame.co.jp

All of the callbacks to the mothership are encrypted with the "not" operator, which can be reversed as per below...
Image
Also the config file looks like a binary but can be decoded the same way:
Image
I attached the analysis data (regshot/pcap/memdump, etc) here with password: infected.
If you want more details about this sample, I wrote an official Japanese report at:
http://unixfreaxjp.blogspot.jp/2013/01/ ... 49164.html
(please use Google Translate to read it, but for viewing the code better see the Japanese one)
Attachments
PbBot/Trojan:Win32/Urelas / Bootkit
(699.09 KiB) Downloaded 98 times
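Added example (not code from this thread or from the Japanese report): the post above says the callbacks and the config file are obfuscated with a bytewise "not". A bitwise NOT of each byte is the same as XOR with 0xFF and is its own inverse, so one routine both reveals and re-creates the data. The callback line and config below are constructed stand-ins, not content from the attached pcap.

```python
"""Decode callback/config data obfuscated with a bytewise NOT.

Added example, not code from the thread. Sample traffic and config are constructed.
"""
import re


def not_decode(data: bytes) -> bytes:
    """Apply bytewise NOT (equivalent to XOR 0xFF); applying it twice returns the input."""
    return bytes((~b) & 0xFF for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D) for b in data) / len(data)


def looks_not_obfuscated(data: bytes) -> bool:
    """Heuristic: raw data looks binary, but NOT-decoding makes it almost all text."""
    return printable_ratio(data) < 0.5 and printable_ratio(not_decode(data)) > 0.9


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes, like the 'strings' tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def parse_config(blob: bytes) -> dict:
    """Decode a NOT-obfuscated key=value config (one pair per line) into a dict."""
    text = not_decode(blob).decode("ascii", errors="replace")
    config = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            config[key.strip()] = value.strip()
    return config


# Constructed plaintext config and callback, then obfuscated the way the post describes.
# The server address is a documentation-range placeholder, not an IoC from the thread.
PLAIN_CONFIG = b"server=203.0.113.10\r\nport=8080\r\ninterval=60\r\n"
OBFUSCATED_CONFIG = not_decode(PLAIN_CONFIG)
PLAIN_CALLBACK = b"GET /check?id=TESTPC&game=none HTTP/1.1\r\n"
OBFUSCATED_CALLBACK = not_decode(PLAIN_CALLBACK)

if __name__ == "__main__":
    print("callback looks NOT-obfuscated:", looks_not_obfuscated(OBFUSCATED_CALLBACK))
    print("strings before decoding:", extract_strings(OBFUSCATED_CALLBACK))
    print("strings after decoding: ", extract_strings(not_decode(OBFUSCATED_CALLBACK)))
    print("config:", parse_config(OBFUSCATED_CONFIG))
```

Against a captured TCP payload, `looks_not_obfuscated` is a cheap first check before reaching for a full XOR-key search: a NOT-obfuscated blob has no printable runs at all (every ASCII letter maps to 0x81..0xDF), which is also why a plain `strings` pass over the pcap finds nothing until the decode is applied.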
 #19133  by cjbi
 Wed May 01, 2013 10:06 am
Fresh PbBot bootkit dropper, payloads and MBR dump attached, again.
Temp727.exe.vir wrote:J:\PMS\_CurRSC\Projects(20130408)\GbpInstall_DllInjection\bin\GolfSetup_25.pdb
VirusTotal result(s):
Legit installer + Dropper
ChaosOne.exe.vir 17/46 https://www.virustotal.com/ru/file/5d15 ... 367402532/

Dropper
EEEE_Proc.exe.vir 18/46 https://www.virustotal.com/ru/file/185d ... 367402447/

Payload: MBR
mbr.bin 0/46 :!: https://www.virustotal.com/ru/file/3fe6 ... 367401741/

Payloads: PbBot bootkit
E1F11C.exe.vir 25/46 https://www.virustotal.com/ru/file/adeb ... 367402283/
Temp727.exe.vir 22/46 https://www.virustotal.com/ru/file/90cd ... 367401169/
ydziq.exe.vir 7/46 https://www.virustotal.com/ru/file/b098 ... 367401155/

Final payload: Delphi coded PbBot
dyqex.exe.vir 12/46 https://www.virustotal.com/ru/file/41b2 ... 367401027/
Attachments
pass: infected
(2.15 MiB) Downloaded 89 times
 #28763  by R136a1
 Fri Jun 24, 2016 11:41 am
Hi folks,

here is a fresh sample from 2016. A brief comparison shows there are only some minor updates, presumably for compatibility reasons. However, I haven't checked in detail.

Strings from 16-bit loader:
Code:
-------------- ReadInitData ------------
------- IsPMSInstalled -------------
C:\Windows
Windows folder not exist!
gbp.ini
C:\Windows\gbp.ini
Starting GBP
_GBP
_GBP
Reading boot sector Failed!
SectorsPerCluster:
PMS already installed!
Start File Creating
File Creating Fail!
End of Creating!
FAT12
FAT16
FAT32
NTFS
Read Mbr Sector failed!!!
Reading Fail!
Writing Fail!
Not FAT32!
Find file
Read FAT Failed!
Finding "." from
Read FAT Failed!
Finding File Name:
Not Found!
Found!
Finding File Name:
Finding
Not Found!
Found!
----------- FAT32_CreateFile -------------
FAT32_FindFile failed
Already Exist!
Creating File Name:
New allocated Cluster No:
New entry pos:
Need Cluster Count:
Writing File Data
Empty Cluster No:
Creating File Entry
Read FAT  Failed!
NTFS
Not NTFS!
Finding File Name:
Reading boot sector Failed!
Reading MFT Failed!
Finding directory Fail:
Found!
Finding:
------- NTFS_FindFileInEntrys  -----------
file sequence:
Index buffer count
change directory entry success
FindAttribute bitmap failed
NTFS_FindRun failed
file sequence:
find filename attribute of prev file failed
FindAttribute bitmap failed
write new file record failed
:\windows\explorer.exe
-------------- NTFS_CreateFile ------------
Directory Rec No:
FindEmptyBitmapAttrPosOfMFT failed
File Rec No:
Creating File Record
Creating Directory Entry
make run byte
allocated size of bitmap
init size of bitmap
ReAllocateBitmapAttrOfMFT failed
Strings from injector:
Code:
f:\Zombie_work\zombi_gbp\MainWork\win7_GBP\bin\Release\mmc64.pdb
OpenProcessToken error: %u
LookupPrivilegeValue error: %u
AdjustTokenPrivileges error: %u
The token does not have the specified privilege. 
OpenProcess(%d) failed!!!
LoadLibraryA
kernel32.dll
\acm.dll
IDR_DLL
explorer.exe
_uninsep.bat
test_WATCHDOG
SeDebugPrivilege
Strings from final payload:
Code:
highlow2.exe
LASPOKER.exe
poker7.exe
Baduki.exe
HOOLA3.EXE
DuelPoker.exe
FRN.exe
FN AND FRN ver1.0
pmlauncher.exe
image/jpeg
Calculator
DISPLAY
47.88.8.135
Dropper: https://virustotal.com/de/file/7335e4f5 ... /analysis/

MBR: https://www.virustotal.com/en/file/5bf7 ... /analysis/
MBR (with NOPs): https://www.virustotal.com/en/file/d5c1 ... /analysis/
16-bit loader: https://www.virustotal.com/en/file/c93d ... /analysis/

Injector: https://www.virustotal.com/en/file/06b0 ... /analysis/
Payload: https://www.virustotal.com/en/file/981e ... /analysis/
Attachments
PW: infected
(75.27 KiB) Downloaded 61 times