Hi there,
I know it is old and outdated, nevertheless it sounds quite interesting. Maybe there is still support for this loader.
Has anybody got in touch with this, or does anybody believe they have a sample which matches the description?
Unikorn Flexible Loader 1.2.0
Source: http://pastebin.com/aNi5j7Gy
Hello there,
I'm glad to introduce one of my products to darkode members. Here's the Unikorn FlexLdr 1.1.5.
As its name suggests, it's basically a loader bot which stays in the background, then downloads and executes files under the master's commands. Moreover, FlexLdr is designed with modularity in mind, so that besides the loading capability, it's possible to integrate other plugins into FlexLdr on-the-fly. Such plugins are SOCKS5, Advanced DDoS (HTTP/TCP/UDP), and FTP Stealer. More plugins can be integrated in the future.
Key features:
+ Tested and working stably on the following 32-bit systems:
• Windows XP SP2, SP3
• Windows 2003 Server
• Windows Vista
• Windows Vista SP1
• Windows 7 x86 SP0
The following OSes aren't tested, but there's no reason it won't work on them:
• Windows 2000 SP4
• Vista SP2
+ Works with both Admin & Guest privileges
+ Supports multiple controller servers.
+ Supports downloading with HTTP/HTTPS
+ Supports encrypted file downloading and executing.
+ Supports task-based loading. Users can start/stop/delete tasks with ease.
+ Supports loading unlimited or limited files specified in Admin CP.
+ Supports loading files per group of countries.
+ Supports two downloading types: URLDownloadToFile and WININET. (HTTP TCP ws2_32 direct downloading is disabled; can be enabled on custom builds)
+ Supports executing in another process's memory (only enabled in custom builds)
+ Downloaded files will be executed with the highest privilege possible (most of the time it's SYSTEM).
+ Downloaded files can be set to be deleted after execution or not.
+ Bots are identified uniquely; files are executed only once per bot.
Unikorn FlexLdr Special features:
- Bypassing Windows 7 UAC.
- Maximize the successful installation rates by unique infection vectors.
- Unique injections scheme (no QueueUserAPC(), OpenProcess(), WriteProcessMemory() and CreateRemoteThread())
- Evading HIPS/personal firewalls by anti-usermode-hooks (restoring arbitrary instructions, not only 5 bytes) on several system DLLs such as ntdll.dll, kernel32.dll, advapi32.dll, etc.
- Anti-memory forensic and scanners.
- Hybrid techniques which make antirootkits fail (tested RkU3.8.384.586, GMER 1.0.15.15281, RootRepeal 1.3.5)
- Evades NIDS by encrypted communication with the controller server; supports both HTTP/HTTPS.
- Each bot build has a unique communication build.
- Bot file is blocked from antivirus scanners.
- If installed with Admin privilege, bots will be executed with SYSTEM privilege.
- Asynchronous API usage instead of synchronous APIs makes bots more stable and reliable.
- Multi-threading based.
- Bots can disable kernel-mode HIPS hooks (both SDTs, hard disk filter drivers). Tested with the following personal firewalls and HIPS on Windows SP2/3 without patches:
• Kaspersky Internet Security 2009
• Outpost Firewall Pro 2009
• Online Armor Personal/Premium/++ v4.0.0.15 (even with Run Safer enabled, which reduces the privileges of the loader)
• Zone Alarm Pro 9.0.112
• Comodo Internet Security 3.13.121240.574
• F-Secure Internet Security 2010 v10.00.246
• Kerio WinRoute Firewall v6.7.1.6399
• BitDefender Internet Security 2010
• Jetico Personal Firewall v.2.1.0.7 (* Firewall still shows outbound connection)
• DefenseWall 2.56
• Malware Defender 2.5.0
• PC Tools Firewall Plus 6.0.0.86
The following features are only enabled on custom builds:
- Kernel-mode driver supports advanced rootkit file-hiding techniques. 100% bypasses ALL available antirootkits you can use :') It's actually advanced, which you may never see on sale, I guarantee this.
- Supports fallback domains which bots generate based on the current date. If your domains/control server are cut off, you can still calculate the new domain name bots communicate to on an arbitrary specified date. The bot will download your updated EXE from there and verify whether it's actually from you. If it is, it executes it. If not, the bot will try another domain. Bots will connect to ~7000 domains in a day.
- Supports executing inside other processes on demand.
+ Bot size is 40 ~ 70 KB and can be packed.
+ All written in C and ASM
ADMIN CONTROL PANEL:
+ Easy to install
+ Admin can easily administrate with detailed graphs and statistics.
PLUGIN features:
+ All plugins are encrypted and loaded on-the-fly without writing to disk.
+ If you can code, an SDK can also be provided at a reasonable price.
+ SOCKS5 plugin supports:
• Authorization
• Periodically change port / username / password
Here’re some demo screenshots of Admin CP:
STAT Board:
LOAD Board:
Graphic Statistic about bots activities
Other Boards:
http://img63.imageshack.us/img63/9547/loginf.jpg
http://img63.imageshack.us/img63/7277/load.jpg
http://img706.imageshack.us/img706/8316/load2.jpg
http://img11.imageshack.us/img11/368/load3.jpg
http://img682.imageshack.us/img682/8458/statu.jpg
http://img682.imageshack.us/img682/3864/chartn.jpg
http://img682.imageshack.us/img682/1354/optionscu.jpg
http://img96.imageshack.us/img96/8708/builds2.jpg
Prices:
- 15 free bot build EXEs are supported for each customer.
- 5% discount on all products for the first 5 darkode.com customers.
+ Standard version:
- First domain: 550 WMZ
- 5 next addon domains: 110 WMZ/domain
- 5 Next domains: 50 WMZ/domain
- 5 Next domains: FREE
+ Custom builds:
- First domain: 850 WMZ
In closed-beta dev, will be on the shelf soon.
+ Plugin:
- SOCKS5 plugin: 150 WMZ (closed beta)
- Adv DDoS plugin: in closed beta, will be on the shelf soon.
- FTP Stealer: N/A.
+ SDK:
- PM/email for price.
ICQ: 574-358-471
Email: unik.flexldr@gmail.com
Changelog:
1.1.5
- OK: add report loads result
- OK: add hidden DLL: clearing PE header, changing dll name in loaded list.
- OK: add reading encrypted config inside
- OK: add ms08-25
- OK: add anti-debug/anti-emu/anti-vm
- OK: add disable dangerous services & processes
- OK: add melt-down
- OK: add anti usermode hooks (Zone Alarm 9, Comodo IS 3)
- OK: check plugin
- OK: add SOCKS5 plugin
1.1.6:
- FIX: windows 7 install improved
1.1.7:
- OK: http communication engine changed.
- OK: plugin encryption
- OK: change plugin interface to avoid blocking bots because of buggy plugins
- FIX: minor bugs in path & MoveFileEx()
1.2.0:
- OK: executing loads inside svchost
- OK: added LPC
- OK: add named object security descriptor for bot files
- NOTOK: plugin will be executed inside other process
Malware Reversing
http://www.malware-reversing.com