A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8263  by EP_X0FF
 Thu Aug 25, 2011 5:31 am
Another sample.

In attach original + unpacked.

Original (many detects on crypter only)
http://www.virustotal.com/file-scan/rep ... 1314249436

Unpacked
http://www.virustotal.com/file-scan/rep ... 1314249856
Attachments
pass: malware
(318.19 KiB) Downloaded 80 times
 #8278  by Xylitol
 Thu Aug 25, 2011 5:12 pm
Another 'hex' builder
Image

ngrBot commands
Code: Select all
ngrBot Commands
view sourceprint?

Note: parameters within "[" and "]" are required, and parameters within "<" and ">" are optional.

!dl [url] <md5> <-r> <-n>

	The bot downloads and executes a file from the specified URL.

	Parameters

	url        URL of the file to download and execute
	md5        optional MD5 hash of the file to download for integrity check, the bot will not redownload a file with the same hash until reboot
	-r        Enable RusKill on downloaded file
	-n        Disables PDef+ on the system until reboot or until it is manually re-enabled

!up [url] [md5] <-r>

	The bot updates its file, but the update does not take effect until the system is restarted.

	Parameters

	url        URL of the file to update to
	md5        MD5 hash of the update file
	-r        Reboot immediately

!die

	The bot disconnects from the IRC server and does not reconnect until its system reboots.

!rm

	The bot will remove itself from the system.

!m [state]

	Enable/disable all output to IRC regarding to commands and features.

Parameters

	state Enable (on) or disable (off) muting of all output to IRC
	The bot displays its version, customer name, the MD5 hash of its file, and its installed filepath.

!vs [url] [state]

	The bot creates a browser instance and visits the specified link.

	Parameters

	url        URL to open
	state    Open in a visible (1) or invisible (0) window

!rc <-n|-g>

	The bot disconnects from the IRC server and waits 15 seconds before reconnecting.

	Parameters

	-n    Only reconnect if the bot is currently marked as "new"
	-g    Only reconnect if the bot did not previously succeed in determining its country using GeoIP

!j [<[rule] [options]> channel] <key>

	The bot joins the specified channel. If rules are specified, the bot will only join if the rules apply to it.

	Parameters

	rule        Optional rule for the bot to check for. Supported options are -c (country) and -v (version)
	options        Options for selected rule
	With -c,     you can put a single or multiple comma-separated country code(s)
	With -v,     you can put a single or multiple comma-separated version(s)
	channel        Channel to join
	key            Key of channel to join

!p [<[rule] [options]> channel]

	The bot parts the specified channel.

	Parameters

	rule        Optional rule for the bot to check for. Supported options are -c (country) and -v (version)
	options        Options for selected rule
	With -c,     you can put a single or multiple comma-separated country code(s)
	With -v,     you can put a single or multiple comma-separated version(s)
	channel        Channel to part

!s <rule>

	The bot joins the channel for its country (e.g. Russian bots (RU) join #RU).

	Parameters

	rule    Optional rule for the bot to sort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)

!us <rule>

	The bot parts the channel for its country (e.g. Russian bots (RU) part #RU).
	Parameters
	rule    Optional rule for the bot to unsort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)

!mod [module] [state]

	Enable/disable modules that use hooks.
	Note: disabling bdns will only unblock AV and other preset sites, not sites set using the !mdns command.
	
	Parameters

	module        Module to change. Supported modules: msn, msnu, pdef, iegrab, ffgrab, ftpgrab, bdns, usbi
	state        Enable (on) or disable (off) module

!stats <-l|-s>

	Retrieves statistics for spreading and/or login grabbing. If no parameters are specified, it will display both.

	Parameters

	-l    Display login grabber stats
	-s    Display spreading stats

!logins <site|-c>

	Retrieves all grabbed and cached logins and prints them to channel or PM. Can also be used to clear login cache.

	Parameters

	site    Site to retrieve logins for (case insensitive, see here for the list of sites)
	-c        Clear login cache

!stop
	bot will end all running flood tasks.

!ssyn [host] [port] [seconds]

	Parameters

	host        Host to flood with SYN requests.
	port        Port to flood. If 0, the bot uses a random port
	seconds        Number of seconds to flood the target

!udp [host] [port] [seconds]

	Parameters

	host        Host to flood with UDP packets
	port        Port to flood. If 0, the bot uses a random port
	seconds        Number of seconds to flood the target

!slow [host] [minutes]

	Parameters

	host        Host to flood using slowloris
	minutes        Number of minutes to flood the target

!msn.int [interval]

	Set the number of MSN messages in a conversation before one is changed with your spreading message. See here for more information.
	Note: use '#' for a random interval between 1 and 9.

	Parameters

	interval    Number of MSN messages before spread

!msn.set [message]

	Set the message that will be used for MSN spreading. See here for more information.
	Note: use '#' for a random digit and '*' for a random lowercase letter.
	
	Parameters

	message        Message to spread via MSN

!http.int [interval]

	Set the number of Facebook messages in a conversation before one is changed with your spreading message. See here for more information.
	Note: use '#' for a random interval between 1 and 9.

	Parameters

	interval    Number of Facebook messages before spread

!http.set [message]

	Set the message that will be used for Facebook spreading. See here for more information.
	Note: use '#' for a random digit and '*' for a random lowercase letter.

	Parameters

	message        Message to spread via Facebook

-------------------------

!mdns [url|[domain1 <domain2|ip2>]|[ip1 <ip2>]]

 
	The bot will block access to or redirect the specified domain/IP address.
	Note: domain to domain, domain to IP address, and IP address to IP address redirects work. IP address to domain redirection does not yet work.

	Note: it must be the exact domain, for example "example.com" will not include "www.example.com". Wildcard support will be added in an update.

	Parameters

	url            Plaintext file with one redirect/blocking rule per line, rules are formatted in the same way as the command parameters.
	domain1        Requests for this domain will be redirected to domain2 or ip2 if they are set, otherwise it is blocked
	ip1            Requests for this IP address will be redirected to ip2 if it is set, otherwise it is blocked
	domain2        DNS queries for domain1 will be redirected to this domain if set
	ip2            DNS queries for ip1 or domain1 will be redirected to this IP address if set
4/44 >> 9.1%
http://www.virustotal.com/file-scan/rep ... 1314144944
Attachments
pwd: infected
(116.72 KiB) Downloaded 72 times
 #8393  by Xylitol
 Sat Sep 03, 2011 11:43 pm
I've looked ngrbot for see the difficulty to 'rip' it, and it's really lame.

ecx tell the position what part to decode and the call under decode byte per byte
Image

string decode 'routine'
Image

part of decoded strings
Image

you just have to replace by the good strings and patch this lame crap (or more simple add your own string on empty bytes and modify the rest of the code who connect etc..
Image

I thought that would be more harder, lol :|
 #8403  by Xylitol
 Sun Sep 04, 2011 5:55 pm
The following text is from a forum where its beeing sold.
I am selling ngrBot bin's for sale.
These are not code hooks, these actually have 0 bytes of code patched.
I have reversed some bots and have the ability to produce legit bin's.

NO CODE is changed or altered in the binary.
This ensures maximum compatibility.

Please do not post here asking for a test bin.
Please do not post here asking for any samples.
There have been some leaked ngrBot binaries out for reversers.
Don't contact me to help you to reverse this please.
If you have reversed this yourself, that is good, but I have fubar's permission to do this.

I stand by this bot and believe it is one of the best out there by far right now.

I don't normally sell other peoples work, but right now I could use the $.
So I will be selling a limited amount of copies.

Should any domains get reported on either bot, if you contact me I will rebuild for free if you are a customer.

The binary I offer has 3 domains optional, and a list of settings and commands that can be specified upon purchase.
Channel, pass, and sethost can be specified.
SSL and other options are available/customizable.

Also I have some of the original files included with the package.
This includes all modules. This is truly an amazing bot.

Again these have not been patched, I make these builds by re-writing the settings and correctly fix other values, so there is no need for me to touch any of the code.

Originally my patch worked just fine, without any help, when I patched 1 byte of code before.
But after verifying with aadster, fubar told me the last part to fix, so no code is patched now.
Only the encrypted settings themself are actually over-written.

If you're serious, maybe I will show you a demonstration in which I run a binary file from my vmware for you to test.
The file size is the SAME size as the leaked binary. Don't ask me where to find this, you can find it somewhere and reverse it yourself if you like.

Any sales made will forward commission to fubar, as I have his permission to sell builds for now.
Starting Price 300$ (includes unlimited domain rebuilds upon blacklisting)
LR only, after 1 or 2 customers price will go up 50$ for anyone else.
As for previous ngrBot customers you'll receive updated bins for $100 each until you've reached the full selling price, then updates will be free of charge.

I won't be selling anymore than 5 copies for now.
Like I said I'm not looking to get rich just short on $ and figure I would help some people who want to progress their activities.
Facebook spread in action:
Image

Image

If you would like to purchase a bin or the builder contact on jabber, xmpp: loadscc@xmpp.jp
 #8451  by Xylitol
 Wed Sep 07, 2011 2:16 pm
VT: 6/44 >> 13.6%
http://www.virustotal.com/file-scan/rep ... 1315403676
Detected as "P2P-Worm.Win32.Palevo" and "Trojan-Ransom.Win32.HmBlocker"
AV fail on the crypter probably.
Attachments
pwd: infected
(122.65 KiB) Downloaded 62 times
 #8453  by EP_X0FF
 Wed Sep 07, 2011 3:12 pm
Two stage decryption/uncompressing process with hardcoded VM detection on board, zombie process spawning and memory injects.

And finally inside the same primitive crap
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!
yes detection on crypter only, see unpacked result, P2P worms and hmblockers magically disappears
http://www.virustotal.com/file-scan/rep ... 1315407782

Added.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 8