A forum for reverse engineering, OS internals and malware analysis 

 #22826  by rkhunter
 Wed May 07, 2014 8:02 am
Attachments (pass:infected)
 #22827  by TouchMe
 Wed May 07, 2014 9:56 am
I only had a quick look at the latest sample but here's some info.

Dropper drops and executes this very advanced batch file in order to melt.
Code:
@ECHO OFF
:LOOP
timeout 5
DEL /Q /F "Sample.exe"
IF EXIST "Sample.exe" GOTO LOOP
DEL /Q /F %0
EXIT
After an undefined wait period the system will be infected and rebooted.
The virtual filesystem is now stored in a file on the hard disk, is accessible from usermode (lol), and some SSDT hooks are placed to protect it (lmfao).

SSDT Hooks:
NtCreateFile
NtCreateKey
NtDeleteFile
NtEnumerateKey
NtOpenFile
NtOpenKey
NtQueryDirectoryFile
NtQueryInformationFile
NtSetInformationFile
NtShutdownSystem
(jwivs.sys)

SCSI Port IRP hooks (inline jmp):
IRP_MJ_CREATE
IRP_MJ_CLOSE
IRP_MJ_DEVICE_CONTROL
IRP_MJ_INTERNAL_DEVICE_CONTROL
IRP_MJ_POWER
IRP_MJ_SYSTEM_CONTROL
(yurip.sys)

The bot appears to check for a large array of virtual machines, reversing tools and monitoring software, then does nothing with this information.
On Windows 7 x64 there are BSODs from time to time and when loading certain drivers; XP 32-bit gets stuck in a BSOD loop. Payload is some crappy logger and Ammyy stealer.

This clearly isn't the work of the original Rovnix coder; it's now a combination of advanced and retarded malware.
 #24286  by Horgh
 Wed Nov 05, 2014 7:46 pm
Probably because they're idiots? This is not in any way Rovnix related, but hey, isn't a bootkit sexier than an old trojan?
Another example of this bullshit: https://www.csis.dk/en/csis/news/4472/

Especially this:
The current version of Rovnix bootkit component has been removed and now only supports a user mode component.
Top fucking lel m8. I called them out on their bullshit but they don't give a shit; their clients aren't gonna know if their analyses are crap, right? If that was the case Trend Micro would surely have no clients anymore.
 #24922  by EP_X0FF
 Tue Jan 13, 2015 8:05 am
Tigzy wrote:Assuming we have a Rovnix infection on a computer A, do you think it's safe to fix VBR with a VBR gotten from a computer B (same OS).
If I had to fix automatically, do you think I'd need a VBR copy of every OS?
1) Why are you wasting your time on this crap? This legacy BIOS crap VBR IPL code is no longer used on modern OS and hardware, only the volume geometry data.
2) What you're doing is unwise, because the VBR ($Boot) contains a BPB with volume geometry unique to each volume.
3) Bootrec /fixboot or simple fixboot for old XP - problem solved.

I'm surprised no one answered for a day on this question.
 #24923  by Tigzy
 Tue Jan 13, 2015 8:38 am
EP_X0FF wrote:1) Why are you wasting your time on this crap? This legacy BIOS crap VBR IPL code is no longer used on modern OS and hardware, only the volume geometry data.
I know I'm late, but it's mostly for educational purposes. Having it in my product is just a bonus.
EP_X0FF wrote:2) What you're doing is unwise, because the VBR ($Boot) contains a BPB with volume geometry unique to each volume.
I forgot to mention I wanted to replace only bootstrap + bootloader, leaving BPB alone and other non-assembly things untouched.
EP_X0FF wrote:3) Bootrec /fixboot or simple fixboot for old XP - problem solved.
Yes I know :) I'm a little stubborn I have to admit. I want to do it myself and understand what I'm doing. :D

I just want to know if from a machine A to a machine B there's nothing in the assembly code that is strongly related to the machine.
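The splice Tigzy describes (take the jump + bootstrap code from a clean machine B, leave machine A's BPB alone) and the per-volume fields EP_X0FF points to, as an added Python example that is not part of this thread. The offsets are the standard NTFS boot-sector layout; the function names, field subset and both sample VBRs are mine, and the code bytes in the samples are filler, not a real IPL.

```python
import hashlib
import struct
# Standard NTFS boot-sector (VBR) layout, offsets within the 512-byte sector
JMP = slice(0x00, 0x03)          # jump to the bootstrap code at 0x54
OEM_ID = slice(0x03, 0x0B)       # "NTFS    "
BPB = slice(0x0B, 0x54)          # BPB + extended BPB: geometry unique to this volume
BOOTSTRAP = slice(0x54, 0x1FE)   # IPL / bootstrap code: same for every volume of one OS build
SIGNATURE = slice(0x1FE, 0x200)  # 0x55AA

def parse_bpb(vbr: bytes) -> dict:
    """Pull out the per-volume fields that make a VBR non-portable between machines."""
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    hidden_sectors, = struct.unpack_from("<I", vbr, 0x1C)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", vbr, 0x28)
    serial, = struct.unpack_from("<Q", vbr, 0x48)
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "hidden_sectors": hidden_sectors, "total_sectors": total_sectors,
            "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn, "serial": serial}

def bootstrap_sha256(vbr: bytes) -> str:
    """Hash only the code region, so one known-good value covers every volume of that OS."""
    return hashlib.sha256(bytes(vbr[JMP]) + bytes(vbr[BOOTSTRAP])).hexdigest()

def splice_bootstrap(infected_vbr: bytes, clean_vbr: bytes) -> bytes:
    """Copy jump + bootstrap code from the clean VBR, keep the infected volume's own BPB."""
    for v in (infected_vbr, clean_vbr):
        if len(v) != 512 or v[OEM_ID] != b"NTFS    " or v[SIGNATURE] != b"\x55\xAA":
            raise ValueError("not a well-formed NTFS VBR")
    out = bytearray(infected_vbr)
    out[JMP] = clean_vbr[JMP]
    out[BOOTSTRAP] = clean_vbr[BOOTSTRAP]
    return bytes(out)

def make_vbr(serial: int, hidden: int, total: int, code: bytes) -> bytes:
    """Constructed demo VBR: valid layout, but the code bytes are filler, not a real IPL."""
    v = bytearray(512)
    v[JMP] = b"\xEB\x52\x90"
    v[OEM_ID] = b"NTFS    "
    struct.pack_into("<HB", v, 0x0B, 512, 8)
    struct.pack_into("<I", v, 0x1C, hidden)
    struct.pack_into("<QQQ", v, 0x28, total, 786432, total // 2)
    struct.pack_into("<Q", v, 0x48, serial)
    v[BOOTSTRAP] = (code * 512)[:0x1FE - 0x54]
    v[SIGNATURE] = b"\x55\xAA"
    return bytes(v)

CLEAN_B = make_vbr(0x1111222233334444, 2048, 209715200, b"\xFA\x33\xC0\x8E\xD0")    # constructed
INFECTED_A = make_vbr(0x5555666677778888, 4096, 419430400, b"\xEA\x00\x7C\x00\x00")  # constructed
REPAIRED_A = splice_bootstrap(INFECTED_A, CLEAN_B)  # geometry from A, bootstrap code from B
```

Comparing bootstrap_sha256() against a known-good value per OS build is the integrity check that works across machines, whereas the BPB fields must always come from the volume being repaired.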