A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14683  by rkhunter
 Mon Jul 16, 2012 4:25 pm
Original dropper:

SHA1: e83ca87a39a5f15ca5942fd57d78e790861c2937
MD5: 15e692cf34a70fb364591622bff1e43a


Extracted bootkit dropper:

SHA1: 5ecefefe4bbfc040927e827ab81c10caf5d10f90
MD5: f72e3d86b8f4f97d103ff1b7f87213f2


In brief:
- Infects MBR
- Contains rootkit
- Multi-AV killing, system-tools killing features
- Some anti-debug features
- Anti-drvmon features (greeting to EP_X0FF and Fyyre)


Dropper + decrypted payload (mbr+rootkit+dll) attached.
 #14684  by EP_X0FF
 Mon Jul 16, 2012 5:46 pm
I don't see any specific anti-DrvMon features in this crap. It installs itself, opens the default IE browser and then tries to load its randomly (hex) named driver dropped in system32\drivers; if it fails then it tries again and again.
DrvMon 21:21:53.637 DrvMon.sys loaded, output directory C:\WINDOWS\TEMP\
ImageLoad 21:22:08.986 C:\WINDOWS\system32\drivers\kmixer.sys
Captured 21:22:08.986 C:\WINDOWS\TEMP\DM_000012B1-00000000-kmixer.sys
ImageLoad 21:22:18.379 C:\WINDOWS\system32\310B0D2F.sys
Captured 21:22:18.389 C:\WINDOWS\TEMP\DM_0000165B-00000000-310B0D2F.sys
Denied 21:22:21.504 C:\WINDOWS\system32\310B0D2F.sys
ImageLoad 21:22:23.607 C:\WINDOWS\system32\08CE5B8D.sys
Captured 21:22:23.617 C:\WINDOWS\TEMP\DM_00001865-00000000-08CE5B8D.sys
Denied 21:22:27.372 C:\WINDOWS\system32\08CE5B8D.sys
ImageLoad 21:22:29.165 C:\WINDOWS\system32\69074A33.sys
Captured 21:22:29.165 C:\WINDOWS\TEMP\DM_00001A90-00000000-69074A33.sys
Denied 21:22:30.146 C:\WINDOWS\system32\69074A33.sys
I only noticed this blacklist:
nod32krn.exe egui.exe ekrn.exe 360tray.exe 360leakfixer.exe 360Safe.exe safeboxTray.exe 360safebox.exe 360sd.exe ZhuDongFangYu.exe 360rp.exe 360sdupd.exe Calc.exe KSWebShield.exe kxesapp.exe kxeserv.exe kwstray.exe kxedefend.exe upsvc.exe kxescore.exe KVExpert.exe kxetray.exe KSafeSvc.exe KSafeTray.exe guiyingfix.exe RavMonD.exe RsTray.exe RsAgent.exe RegGuide.exe RsMain.exe RsCopy.exe Rav.exe KVSrvXP.exe KVExpert.exe KVMonXp.exe avp.exe avp.exe ras.exe knownsvr.exe rstray.exe knsdtray.exe knsd.exe knsdsvc.exe knsdsve.exe QQPCLeakScan.exe QQPCWebShield.exe QQPCTAVSrv.exe QQPCRTP.exe QQPCMgr.exe QQPCUpdateAVLib.exe QQPCTray.exe QQRepair.exe QQPCPatch.exe
which contains mostly stuff available/popular in China.

If by anti-DrvMon you mean the procedure at 00403B0A, then it is something else, with a device named DP0000, and the string containing the word DrvMon is actually a set of params.
#include <windows.h>

// Decompiled routine at 00403B0A: opens the device \\.\DP0000 and hands it the
// string parameter "Set|DrvMon|0" through IOCTL 0xC4DC, reusing the same 512-byte
// buffer for input and output.
BOOL __cdecl sub_403B0A()
{
  BOOL bResult; // esi@1
  HANDLE hDevice; // ebx@1
  char Dst[0x200]; // [sp+Ch] [bp-204h]@2 (512-byte in/out buffer on the stack)
  DWORD BytesReturned; // [sp+20Ch] [bp-4h]@2

  bResult = 0;
  // GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING
  hDevice = CreateFileA("\\\\.\\DP0000", 0xC0000000u, 3u, 0, 3u, 0x30000000u, 0);
  if ( hDevice != INVALID_HANDLE_VALUE )
  {
    BytesReturned = 0;
    memset(Dst, 0, 0x200u);
    lstrcpyA(Dst, "Set|DrvMon|0");
    bResult = DeviceIoControl(hDevice, 0xC4DCu, Dst, 0x200u, Dst, 0x200u, &BytesReturned, 0);
    CloseHandle(hDevice);
  }
  return bResult;
}
Maybe this disables some AV monitor capabilities, IDK.
 #14686  by rkhunter
 Mon Jul 16, 2012 6:03 pm
EP_X0FF wrote: If by anti-DrvMon you mean the procedure at 00403B0A, then it is something else, with a device named DP0000, and the string containing the word DrvMon is actually a set of params.
This one.
 #14687  by rkhunter
 Mon Jul 16, 2012 6:14 pm
Installation has an interesting feature: it hooks imm32.dll!ImmLoadLayout, then calls user32.dll!LoadKeyboardLayout followed by PostMessage, which results in executing the main dropper as a DLL (the bootkit dropper, with the DLL flag set in Characteristics, that was copied to systemroot\system32\random.tmp). There are two flows of dropper execution: as EXE and as DLL.
 #14688  by Peter Kleissner
 Mon Jul 16, 2012 6:32 pm
Those crooks! They stole my NTFS driver source from my bootkit, and they are not even paying me! Crooks! Chinese copycats! Polizei!

It looks like they used my source 1:1. Look at this for example:
Get_Count_of_Clusters:

; CountofClusters = DataSec / BPB_SecPerClus
call Get_DataSec

xor edx,edx
movzx ebx,byte [Drive_Context+0Bh]
div ebx

mov [Drive_Context+0Ah],byte 12				        ; suppose FAT Type is FAT12
cmp eax,4085
jb Get_Count_of_Clusters_Exit					; if CountofClusters < 4085 exit

mov [Drive_Context+0Ah],byte 16				        ; suppose FAT Type is FAT16
cmp eax,65525
jb Get_Count_of_Clusters_Exit					; if CountofClusters < 65525 exit

; else FAT Type is FAT32
mov [Drive_Context+0Ah],byte 32

Get_Count_of_Clusters_Exit:

ret
seg000:0B96 sub_B96         proc near               ; CODE XREF: sub_B40+1Cp
seg000:0B96                 call    sub_BC5
seg000:0B99                 xor     edx, edx
seg000:0B9C                 movzx   ebx, byte ptr [bp-0C4h]
seg000:0BA2                 div     ebx
seg000:0BA5                 mov     byte ptr [bp-0C5h], 12
seg000:0BAA                 cmp     eax, 4085
seg000:0BB0                 jb      short locret_BC4
seg000:0BB2                 mov     byte ptr [bp-0C5h], 16
seg000:0BB7                 cmp     eax, 65525
seg000:0BBD                 jb      short locret_BC4
seg000:0BBF                 mov     byte ptr [bp-0C5h], 32
seg000:0BC4
seg000:0BC4 locret_BC4:                             ; CODE XREF: sub_B96+1Aj
seg000:0BC4                                         ; sub_B96+27j
seg000:0BC4                 retn
seg000:0BC4 sub_B96         endp
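The routine Peter quotes only does the final classification. As an added example (my own code, not from his bootkit or from the malware), this Python computes CountofClusters from a boot sector's BPB the way the FAT spec defines it (an assumption about what the unshown Get_DataSec does) and then applies the same 4085/65525 thresholds; it goes one step further by rejecting a zeroed BPB, which the posted `div ebx` would simply fault on. The boot sectors are constructed test data.

```python
import struct

# Thresholds from the posted Get_Count_of_Clusters routine (same values as the FAT spec).
FAT12_LIMIT = 4085
FAT16_LIMIT = 65525

def count_of_clusters(boot_sector: bytes) -> int:
    """CountofClusters = DataSec / SecPerClus. DataSec is derived from the BPB as the
    Microsoft FAT spec describes (assumption: the unshown Get_DataSec does the same)."""
    (byts_per_sec, sec_per_clus, rsvd_sec_cnt, num_fats,
     root_ent_cnt, tot_sec16) = struct.unpack_from("<HBHBHH", boot_sector, 11)
    fat_sz16 = struct.unpack_from("<H", boot_sector, 22)[0]
    tot_sec32, fat_sz32 = struct.unpack_from("<II", boot_sector, 32)
    if byts_per_sec == 0 or sec_per_clus == 0:
        # The posted `div ebx` has no such check; a zeroed BPB would fault it.
        raise ValueError("corrupt BPB: BytsPerSec or SecPerClus is 0")
    root_dir_sectors = (root_ent_cnt * 32 + byts_per_sec - 1) // byts_per_sec
    fat_sz = fat_sz16 or fat_sz32      # FAT32 volumes keep FATSz16 == 0
    tot_sec = tot_sec16 or tot_sec32   # TotSec16 == 0 means "use TotSec32"
    data_sec = tot_sec - (rsvd_sec_cnt + num_fats * fat_sz + root_dir_sectors)
    return data_sec // sec_per_clus

def fat_type(count: int) -> int:
    """12, 16 or 32, following the two compare-and-branch steps in the assembly."""
    if count < FAT12_LIMIT:
        return 12
    if count < FAT16_LIMIT:
        return 16
    return 32

def make_boot_sector(byts_per_sec, sec_per_clus, rsvd, num_fats, root_ent,
                     tot_sec, fat_sz, fat32=False) -> bytes:
    """Build a constructed 512-byte boot sector for testing (not a real disk image)."""
    bs = bytearray(512)
    small_tot = tot_sec if (tot_sec < 0x10000 and not fat32) else 0
    struct.pack_into("<HBHBHH", bs, 11, byts_per_sec, sec_per_clus, rsvd, num_fats,
                     root_ent, small_tot)
    struct.pack_into("<H", bs, 22, 0 if fat32 else fat_sz)
    struct.pack_into("<II", bs, 32, 0 if small_tot else tot_sec, fat_sz if fat32 else 0)
    return bytes(bs)

# Constructed samples: a 1.44 MB floppy layout, a ~40 MB FAT16 volume, a FAT32 volume.
FLOPPY_1440 = make_boot_sector(512, 1, 1, 2, 224, 2880, 9)
SMALL_FAT16 = make_boot_sector(512, 4, 1, 2, 512, 80191, 79)
FAT32_VOL = make_boot_sector(512, 8, 32, 2, 0, 801596, 782, fat32=True)

if __name__ == "__main__":
    for name, bs in (("floppy", FLOPPY_1440), ("fat16", SMALL_FAT16), ("fat32", FAT32_VOL)):
        n = count_of_clusters(bs)
        print(f"{name}: {n} clusters -> FAT{fat_type(n)}")
```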
 #14689  by rkhunter
 Mon Jul 16, 2012 6:32 pm
EP_X0FF wrote: If by anti-DrvMon you mean the procedure at 00403B0A, then it is something else, with a device named DP0000, and the string containing the word DrvMon is actually a set of params.
Of course I don't insist... but if you look at the code, it performs this operation directly before driver installation. Not sure that it will work of course, but it exists....
 #14694  by EP_X0FF
 Tue Jul 17, 2012 1:14 am
rkhunter wrote:
EP_X0FF wrote: If by anti-DrvMon you mean the procedure at 00403B0A, then it is something else, with a device named DP0000, and the string containing the word DrvMon is actually a set of params.
Of course I don't insist... but if you look at the code, it performs this operation directly before driver installation. Not sure that it will work of course, but it exists....
Sure it will not work, our DrvMon never had:

1) symbolic links
2) 0xC4DCu IOCTL
3) string based params

Have no idea who from this list had DP0000. Overall this lolkit is nothing interesting and represents the common trend of malware in China -> badly written, copy-pasted scope of crappy code.
 #14709  by Peter Kleissner
 Tue Jul 17, 2012 6:46 pm
Don't wanna steal the show from you, Artem, but this is what I found out:

- Seems to only really work on XP, broken on 7 SP1
- Stores its stuff at end of hard disk -8200h, the original MBR, bootkit code (8.5 KB) and a dll (24 KB)
- The bootkit always extracts a dll to ?:\WINDOWS\System32\sfc_os.dll using my NTFS driver
- The file name of this dll is encrypted with F7h each letter, stored at offset 2 of the bootkit code
- The dropped dll has a driver embedded as resource
- Code very badly written
- Has a blacklist of 53 executables, checks every 2 seconds for a blacklisted process
- Also has calc.exe in the blacklist: Check if you are infected!
- Uses 4 IOCTLs (222439h, 22243Dh, 222440h and 222444h) to communicate with the driver, device \Device\Guntior (symbolic link \??\Guntior)
- The driver uses direct I/O to hardware ports
- Communicates with 183.60.132.220:690?
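Added example (my own code, not from the bootkit or from any of the posters) to recover the dll name Peter describes: XOR each byte at offset 2 of the bootkit code with F7h. It goes one step further and scans a whole blob for other strings hidden with the same key. The sample bytes are constructed, and stopping at the first decoded byte that is not printable ASCII is an assumption about how the name is terminated.

```python
XOR_KEY = 0xF7          # per-byte XOR key reported for the dll file name
NAME_OFFSET = 2         # reported offset of the encrypted name inside the bootkit code
MIN_RUN = 4             # assumption: shortest decoded run worth reporting when scanning

def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def _printable(c: int) -> bool:
    return 0x20 <= c < 0x7F

def decode_dll_name(bootkit_code: bytes, offset: int = NAME_OFFSET, key: int = XOR_KEY) -> str:
    """Decode the name at `offset`, stopping at the first byte that is not printable
    ASCII after decoding (assumption; covers both a raw and an XORed NUL terminator)."""
    out = bytearray()
    for b in bootkit_code[offset:]:
        c = b ^ key
        if not _printable(c):
            break
        out.append(c)
    return out.decode("ascii")

def scan_xor_strings(blob: bytes, key: int = XOR_KEY, min_len: int = MIN_RUN):
    """Generalisation: XOR-decode the whole blob and return (offset, string) for every
    run of at least min_len printable bytes, so other strings hidden the same way show up."""
    found, run, start = [], bytearray(), 0
    for i, b in enumerate(blob):
        c = b ^ key
        if _printable(c):
            if not run:
                start = i
            run.append(c)
        else:
            if len(run) >= min_len:
                found.append((start, run.decode("ascii")))
            run = bytearray()
    if len(run) >= min_len:
        found.append((start, run.decode("ascii")))
    return found

# Constructed sample, not bytes from the real bootkit: a 2-byte stub, the XORed dll
# name, a NUL, two filler bytes and a second XORed string for the scanner to find.
SAMPLE = (b"\xeb\x3c" + xor_bytes(b"sfc_os.dll") + b"\x00"
          + b"\x01\x02" + xor_bytes(b"\\??\\Guntior") + b"\x00")

if __name__ == "__main__":
    print(decode_dll_name(SAMPLE))
    for off, s in scan_xor_strings(SAMPLE):
        print(hex(off), s)
```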
 #14711  by rkhunter
 Tue Jul 17, 2012 8:16 pm
Peter Kleissner wrote: - Seems to only really work on XP, broken on 7 SP1
- Stores its stuff at end of hard disk -8200h, the original MBR, bootkit code (8.5 KB) and a dll (24 KB)
- The bootkit always extracts a dll to ?:\WINDOWS\System32\sfc_os.dll using my NTFS driver
- The file name of this dll is encrypted with F7h each letter, stored at offset 2 of the bootkit code
- The dropped dll has a driver embedded as resource
- Code very badly written
- Has a blacklist of 53 executables, checks every 2 seconds for a blacklisted process
- Also has calc.exe in the blacklist: Check if you are infected!
- Uses 4 IOCTLs (222439h, 22243Dh, 222440h and 222444h) to communicate with the driver, device \Device\Guntior (symbolic link \??\Guntior)
- The driver uses direct I/O to hardware ports
- Communicates with 183.60.132.220:690?
+
- Interesting method of initialization via dll and keyboard layout switching
- Interesting method of driver loading via PnpManager (look at the function at 403118)
- Killing processes of AV-products via driver - PsTerminateProcess

just a simple screen:
[screenshot]