Legacy BIOS MBR WinNT bootkit.
Purpose: kernel mode spambot.
MBR:
This sample: https://www.virustotal.com/en/file/c015 ... 420199827/
Old Pitou build analyzed in December: https://www.virustotal.com/en/file/269f ... /analysis/
The current sample doesn't use 0xDEADBEEF as an xor key and looks a little simplified.
It hooks IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL of the disk port driver and several routines in the NDIS driver by splicing.
It contains anti-VM checks similar to the Win32/Avatar lolkit -> MmMapIoSpace and a lookup for known VM vendor/product names.
Source:
Bootkit data storage: 31.184.236.83/crypted.ff.exe
HTTP/1.1 200 OK
Date: Fri, 02 Jan 2015 0X:XX:XX GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 27 Dec 2014 11:56:11 GMT
ETag: "26009a-7da00-50b3153deb85e"
Accept-Ranges: bytes
Content-Length: 514560
Connection: close
Content-Type: application/x-msdos-program
Located at the end of the system disk, in unpartitioned space. The structure is simple -> initialization code, a copy of the original MBR used for faking while filtering I/O requests, and then the lolkit driver. Depending on the mode there will be an x86-32 driver or an x64 version of the same trash.
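Added example (not part of the original post): an offline check for the layout described above, run over a raw disk image. It parses the MBR partition table, walks the sectors after the last partition and flags a sector that carries the live MBR's partition table and 55AA signature but different boot code (a stashed copy of the original MBR), plus any sector starting with an MZ header (the stored driver). The sample image, the bootkit's sector alignment and the boot-code bytes are constructed assumptions.

```python
import struct

SECTOR = 512
PT_OFF = 0x1BE  # offset of the four 16-byte partition entries in the MBR


def partition_end_lba(mbr: bytes) -> int:
    """First LBA after the last partition listed in the MBR partition table."""
    end = 0
    for i in range(4):
        # entry layout: status, CHS start, type, CHS end, LBA start (u32), sector count (u32)
        start, count = struct.unpack_from("<II", mbr, PT_OFF + 16 * i + 8)
        if count:
            end = max(end, start + count)
    return end


def scan_unpartitioned_tail(image: bytes):
    """Walk the sectors after the last partition and flag two Pitou-style artefacts:
    'mbr-copy' - partition table and signature identical to the live MBR, boot code differs
                 (the bootkit's stashed copy of the original MBR),
    'pe-image' - sector begins with an MZ header (the stored driver)."""
    mbr = image[:SECTOR]
    hits = []
    for lba in range(partition_end_lba(mbr), len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[PT_OFF:] == mbr[PT_OFF:] and sec[:PT_OFF] != mbr[:PT_OFF]:
            hits.append((lba, "mbr-copy"))
        elif sec[:2] == b"MZ":
            hits.append((lba, "pe-image"))
    return hits


def build_sample_image() -> bytes:
    """Constructed 64-sector image: one NTFS partition at LBA 1..31, infected MBR at
    LBA 0, original MBR stashed at LBA 40 and a fake driver (MZ header) at LBA 41."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 1, 31)
    table = entry + b"\0" * 48 + b"\x55\xAA"          # one entry, three empty, signature
    orig_code = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * PT_OFF)[:PT_OFF]
    bootkit_code = (b"\xFA\xEB\xFE" + b"\xCC" * PT_OFF)[:PT_OFF]  # placeholder loader
    sectors = [bytes(SECTOR)] * 64
    sectors[0] = bootkit_code + table   # infected MBR keeps the original partition table
    sectors[40] = orig_code + table     # stashed original MBR in unpartitioned space
    sectors[41] = (b"MZ" + bytes(SECTOR))[:SECTOR]
    return b"".join(sectors)
```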
VT scans:
dropper (.NET crypter)
https://www.virustotal.com/en/file/09b5 ... 420203568/
for x64 driver
https://www.virustotal.com/en/file/bbc3 ... 420202247/
for x86-32 driver
https://www.virustotal.com/en/file/403f ... 420202266/
The previously analyzed Pitou variant used xor encryption over this data with the hardcoded 0xDEADBEEF key, decrypting the bootkit code when the bootkit MBR executed. This one stores the data without any encryption.
Small program for decoding the bootkit data of the previous version/build:

    #include <windows.h>
    #include <intrin.h>

    #define DATASIZE 0x6c000 // 0x78c00 for x64

    int main(void)
    {
        HANDLE f;
        DWORD iobytes;
        DWORD *buffer, s0 = 0xdeadbeef; // hardcoded key of the earlier build
        ULONG c;

        f = CreateFile(TEXT("c:\\malware\\pitou\\uspace_32.dat"), GENERIC_READ | SYNCHRONIZE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
        if (f != INVALID_HANDLE_VALUE) {
            buffer = (DWORD *)VirtualAlloc(NULL, DATASIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
            if (buffer != NULL && ReadFile(f, buffer, DATASIZE, &iobytes, NULL)) {
                // every dword is xored with the running key, which is then rotated right by one bit
                for (c = 0; c < (DATASIZE / 4); c++) {
                    buffer[c] = buffer[c] ^ s0;
                    s0 = _rotr(s0, 1);
                }
                CloseHandle(f);
                f = CreateFile(TEXT("c:\\malware\\pitou\\uspace_32.dmp"), GENERIC_WRITE | SYNCHRONIZE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL);
                if (f != INVALID_HANDLE_VALUE) {
                    WriteFile(f, buffer, DATASIZE, &iobytes, NULL);
                    CloseHandle(f);
                }
            } else {
                CloseHandle(f); // allocation or read failed, nothing to write
            }
            if (buffer != NULL)
                VirtualFree(buffer, 0, MEM_RELEASE);
        }
        return 0;
    }

Pitou dropper + extracted drivers are attached. Upon successful installation it forces a Windows reboot via an NtShutdownSystem call. For direct disk access during installation the dropper uses IOCTL_SCSI_PASS_THROUGH requests.
P.S.
F-Secure coverage of the earlier Pitou version: https://www.f-secure.com/documents/9965 ... epaper.pdf. The Pitou UAC bypass method is reconstructed in UACMe - Defeating Windows User Account Control; however, this particular dropper seems unable to bypass UAC.
Attachments
pass: infected