A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18035  by Tigzy
 Tue Feb 05, 2013 12:01 pm
It seems like the old variant is coming back!
The one with patched system drivers and a locked NtUpdateKBxxxx directory.
Some exploit kit must be spreading it; anyone got info?
¤¤¤ Special files / folders: ¤¤¤
[Faked.Drv][FILE] tmtdi.sys : C:\WINDOWS\system32\drivers\tmtdi.sys --> CANNOT REPAIR

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
 #18038  by EP_X0FF
 Tue Feb 05, 2013 12:17 pm
Sirefef.B is always here, just in different proportions and variants (I count 4 major ones). Nothing new. These SSDT hooks are probably from AV.
 #18039  by Tigzy
 Tue Feb 05, 2013 12:28 pm
EP_X0FF wrote:Sirefef.B is always here, just in different proportions and variants (I count 4 major ones). Nothing new. These SSDT hooks are probably from AV.
Yes, the SSDT hooks are junk. Removed from the report.
The interesting things are just the patched file + locked dir.
 #18202  by EP_X0FF
 Thu Feb 14, 2013 5:49 am
Warning: "anykey" and "download-every-security-shit-and-run-on-my-pc" lovers may skip this post, as it requires brain.sys and hands.dll to be up to date. This thread is strictly moderated, so AV fanboys will be banned immediately and forever.

As of February 2013, Win32/Sirefef family detection/removal is included in the MRT package, including removal of the notorious rootkit component, and is delivered as part of Windows Update.

Win32/Sirefef is not as "Zero Access" as it pretends to be. In fact it is another lolkit, well PR'd by AV companies. It is known to be very aggressive and attractive on victim computers. It has been evolving all these recent years, moving from major version A to B (considering the old 2009 win32k router rootkit as the ZeroAccess beta), periodically updating its driver obfuscator, delivering aggressive self-protection modules (trap processes/keys for scanners, also known as "apk v eblo" in narrow circles), multicomponent plugins, etc. While switching versions from A to B they also seem to have changed the developer team to one that previously worked with TDL3, or improved their coding skills. Win32/Sirefef uses different approaches for self-hiding, like splicing IRP handlers, adding a new device (TDL style) for filtering I/O requests, using an NTFS container, reparse points, etc.; it is very creative. It also has an x64 backdoor (without lolkit) and an x86/x64 pure user-mode trojan with 4 different configurations: 1 known as "CLSID ZeroAccess", a system file patcher (TLS + NTFS EA), a system file patcher 2 (deep inline + NTFS EA), and "CLSID ZeroAccess" + autorunner. Probably the main idea of the ZeroAccess rootkit developers was "make it harder to remove, no matter what it costs". Well, this is the main problem of this lolkit. Due to such an aggressive position, it is completely not stealthy.

Short overview of MRT vs ZeroAccess; 100% success is not guaranteed, as always.

As a test example, take the last rootkit from this thread. ZeroAccess has not changed dramatically since then. Test platform: Windows XP SP3 32-bit.
Where possible, MRT will find and deactivate all ZeroAccess rootkit variants by disinfecting the driver file. Here is a step-by-step removal using only MRT and built-in Windows tools.

1. Installing the rootkit (as we are doing a technical demo). During the installation process Sirefef infects a legitimate Windows driver and forces it to be loaded with the "asterisk" trick. In this case it was "afd.sys".

https://www.virustotal.com/ru/file/970f ... 360817886/

Infected driver verified by DrvMon (not a part of Windows, used only for demonstration).

The dir command reveals where exactly Sirefef installed itself.

rku 5 (used only for demonstration)
==============================================
>Drivers
==============================================
!-->[Hidden Driver] 0xF4933000 .afd, size: 102400 bytes
0x81BDE7A9 unknown_irp_handler, size: 2135 bytes
==============================================
>Stealth
==============================================
0x81E09F18 Suspicious device \GLOBAL??\0b765132
WARNING: Virus alike driver modification [afd.sys], size: 138112 bytes
"Very stealth" yeah.

Inside this wonderful directory are all the Sirefef components, including plugins and configuration data.

(screenshot taken after MRT disinfection, see next)

2. Downloading MRT
http://www.microsoft.com/en-us/download ... aspx?id=16

3. Running a full system scan with MRT.

It reveals the active Sirefef components. A reboot is required to complete removal.

After the reboot the rootkit will be removed and all that is left is to clean up the trash from the Windows folder. The binary data inside this folder is no longer a threat, as it is encrypted and cannot be executed without an active ZeroAccess. This directory still cannot be accessed because of the reparse point Sirefef installed. The rootkit may also trash the security attributes of this directory, so let's gain full access to it first.

Remove the "All" ("Everyone", etc.) user from the security attributes list and set it back.
cacls c:\windows\$NtUninstallKB23108$ /e /c /r All
cacls c:\windows\$NtUninstallKB23108$ /e /c /g All:F
Note 1: for Vista+ use icacls.
Note 2: NtUninstallKB23108 is the Sirefef directory, where the digits can be a random value. To find which directory is ZeroAccess, see above.


Now it is time for the "fsutil" tool.

Let's query the reparse point to check whether the security attributes are now OK to continue.
fsutil reparsepoint query c:\windows\$NtUninstallKB23108$

Accessible, OK. Remove the reparse point.
fsutil reparsepoint delete c:\windows\$NtUninstallKB23108$
After the reparse point is removed you can access this directory from Windows Explorer, explore its contents and finally delete this trash with Shift-Del.

Done, with no 3rd-party BSOD generators involved.
Waiting for something more interesting from Win32/Sirefef in the future.
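The cleanup steps from the post above (find the Sirefef directory, repair its ACL, delete the reparse point, remove the contents), as an added PowerShell script. This is not code from the original post and not a Microsoft tool. It generalizes the manual steps: instead of a fixed directory name it enumerates every $NtUninstallKB<digits>$ under %windir% that carries the ReparsePoint attribute, on the assumption that genuine XP hotfix-uninstall folders with that name are plain directories, so the reparse attribute is what singles out the Sirefef one. takeown and the icacls branch are additions for Vista+ systems; the cacls branch reuses the post's own commands with "Everyone" in place of the localized "All". It assumes an elevated PowerShell, an NTFS system volume, and that MRT has already disinfected the driver and the machine has been rebooted.

```powershell
# Added example (not from the original post): automate the post-MRT cleanup of a
# Sirefef/ZeroAccess $NtUninstallKB<digits>$ directory using only built-in tools.
# Assumptions: elevated PowerShell, NTFS, driver already disinfected by MRT and
# the machine rebooted, genuine hotfix-uninstall folders are not reparse points.
# Run with -WhatIf to only list candidates and show their reparse data.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WinDir = $env:windir
)

# 1. Locate candidates: the post's name pattern plus the ReparsePoint attribute.
#    PSIsContainer rather than -Directory so this also runs on PowerShell 2 (XP era).
$candidates = Get-ChildItem -LiteralPath $WinDir -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PSIsContainer -and
        $_.Name -match '^\$NtUninstallKB\d+\$$' -and
        (($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
    }

if (-not $candidates) {
    Write-Host ('No reparse-point $NtUninstallKB<digits>$ directories under ' + $WinDir)
    return
}

$haveIcacls  = [bool](Get-Command icacls.exe  -ErrorAction SilentlyContinue)
$haveTakeown = [bool](Get-Command takeown.exe -ErrorAction SilentlyContinue)

foreach ($dir in $candidates) {
    $path = $dir.FullName
    Write-Host "== $path  (attributes: $($dir.Attributes))"

    # 2. Show the reparse data, as the post does with fsutil. A junction or symlink
    #    prints tag 0xA0000003 or 0xA000000C; anything else, or a query denied by
    #    the ACL, is the Sirefef marker. The output is displayed, not parsed.
    & fsutil.exe reparsepoint query $path 2>&1 | ForEach-Object { "   $_" }

    if (-not $PSCmdlet.ShouldProcess($path, 'repair ACL, delete reparse point, remove directory')) {
        continue
    }

    # 3. ACL repair. takeown is not in the post; it only matters if the rootkit left
    #    an ACL that denies even Administrators, and is harmless otherwise.
    if ($haveTakeown) { & takeown.exe /F $path /R /D Y | Out-Null }
    if ($haveIcacls) {
        # Vista+ equivalent of the post's two cacls lines, using the Everyone SID
        # (S-1-1-0) so it does not depend on the localized group name.
        & icacls.exe $path /remove '*S-1-1-0' /T /C | Out-Null
        & icacls.exe $path /grant '*S-1-1-0:(OI)(CI)F' /T /C | Out-Null
    } else {
        # XP: the post's own commands, with the English name for the group.
        & cacls.exe $path /e /c /r Everyone | Out-Null
        & cacls.exe $path /e /c /g Everyone:F | Out-Null
    }

    # 4. Remove the reparse point, then the now-inert encrypted payload files
    #    (the post's Shift-Del).
    & fsutil.exe reparsepoint delete $path
    Remove-Item -LiteralPath $path -Recurse -Force
    Write-Host "   removed $path"
}
```

Run it once with -WhatIf to see which directories match and what fsutil reports for each, then without it to perform the ACL repair, reparse-point deletion and removal. Filtering on the ReparsePoint attribute rather than the name alone is the point: the name mimics real hotfix-uninstall folders, but those are ordinary directories.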
 #18600  by EP_X0FF
 Wed Mar 20, 2013 6:03 am
Sirefef with rootkit component and x64 backdoor.

The x64 backdoor has not changed for months.

Live link hxxp://videofreefiles.com/dl/Play_Video_Now.exe

https://www.virustotal.com/en/file/9399 ... /analysis/

Dropper + extracted payload attached.

s32
[000] 2013.3.20 1:51:42	50.149.168.118
[001] 2013.3.20 1:51:42	146.52.64.130
[002] 2013.3.20 1:51:42	98.213.70.67
[003] 2013.3.20 1:51:42	24.8.165.183
[004] 2013.3.20 1:51:42	24.107.184.54
[005] 2013.3.20 1:51:42	121.165.223.118
[006] 2013.3.20 1:51:42	74.196.175.227
[007] 2013.3.20 1:51:42	68.2.174.32
[008] 2013.3.20 1:51:42	139.194.71.231
[009] 2013.3.20 1:51:42	180.215.104.236
[010] 2013.3.20 1:51:42	182.21.212.237
[011] 2013.3.20 1:51:42	67.242.214.252
[012] 2013.3.20 1:51:42	75.114.209.7
[013] 2013.3.20 1:51:41	92.254.253.254
[014] 2013.3.20 1:51:41	88.254.253.254
[015] 2013.3.20 1:51:41	87.254.253.254
[016] 2013.3.20 1:51:41	115.254.253.254
[017] 2013.3.20 1:51:41	70.170.73.254
[018] 2013.3.20 1:51:41	24.179.157.11
[019] 2013.3.20 1:51:41	200.125.80.12
[020] 2013.3.20 1:51:41	75.72.66.253
[021] 2013.3.20 1:51:41	69.245.192.15
[022] 2013.3.20 1:51:41	71.228.244.252
[023] 2013.3.20 1:51:41	117.254.253.254
[024] 2013.3.20 1:51:41	24.131.147.251
[025] 2013.3.20 1:51:41	71.95.82.250
[026] 2013.3.20 1:51:41	76.106.81.16
[027] 2013.3.20 1:51:41	176.9.198.247
[028] 2013.3.20 1:51:41	86.21.143.247
[029] 2013.3.20 1:51:41	92.40.38.247
[030] 2013.3.20 1:51:41	71.201.217.19
[031] 2013.3.20 1:51:41	210.170.176.244
[032] 2013.3.20 1:51:41	97.83.232.19
[033] 2013.3.20 1:51:41	119.254.253.254
[034] 2013.3.20 1:51:41	117.200.73.20
[035] 2013.3.20 1:51:41	78.227.237.20
[036] 2013.3.20 1:51:41	134.254.253.254
[037] 2013.3.20 1:51:41	71.7.216.21
[038] 2013.3.20 1:51:41	89.136.165.235
[039] 2013.3.20 1:51:41	24.67.149.235
[040] 2013.3.20 1:51:41	69.246.128.22
[041] 2013.3.20 1:51:41	97.82.189.26
[042] 2013.3.20 1:51:41	75.97.103.28
[043] 2013.3.20 1:51:41	219.112.117.29
[044] 2013.3.20 1:51:41	98.222.44.31
[045] 2013.3.20 1:51:41	222.150.122.232
[046] 2013.3.20 1:51:41	89.36.80.31
[047] 2013.3.20 1:51:41	65.25.169.32
[048] 2013.3.20 1:51:41	135.254.253.254
[049] 2013.3.20 1:51:41	166.254.253.254
[050] 2013.3.20 1:51:41	180.254.253.254
[051] 2013.3.20 1:51:41	96.30.142.227
[052] 2013.3.20 1:51:41	24.125.196.33
[053] 2013.3.20 1:51:41	76.95.18.227
[054] 2013.3.20 1:51:41	24.114.217.33
[055] 2013.3.20 1:51:41	178.254.210.221
[056] 2013.3.20 1:51:41	216.19.11.34
[057] 2013.3.20 1:51:41	72.53.113.34
[058] 2013.3.20 1:51:41	69.125.224.35
[059] 2013.3.20 1:51:41	220.47.0.37
[060] 2013.3.20 1:51:41	75.95.15.37
[061] 2013.3.20 1:51:41	113.254.209.219
[062] 2013.3.20 1:51:41	112.202.26.218
[063] 2013.3.20 1:51:41	72.220.212.217
[064] 2013.3.20 1:51:41	217.164.127.215
[065] 2013.3.20 1:51:41	76.75.26.37
[066] 2013.3.20 1:51:41	182.254.253.254
[067] 2013.3.20 1:51:41	24.212.210.40
[068] 2013.3.20 1:51:41	24.122.88.42
[069] 2013.3.20 1:51:41	24.47.70.45
[070] 2013.3.20 1:51:41	83.242.88.46
[071] 2013.3.20 1:51:41	131.151.106.47
[072] 2013.3.20 1:51:41	109.109.44.204
[073] 2013.3.20 1:51:41	69.247.144.52
[074] 2013.3.20 1:51:41	174.134.73.53
[075] 2013.3.20 1:51:41	24.177.193.197
[076] 2013.3.20 1:51:41	75.71.215.196
[077] 2013.3.20 1:51:41	184.254.253.254
[078] 2013.3.20 1:51:41	189.29.119.55
[079] 2013.3.20 1:51:41	50.154.173.56
[080] 2013.3.20 1:51:41	78.251.121.192
[081] 2013.3.20 1:51:41	50.15.143.58
[082] 2013.3.20 1:51:41	84.29.46.190
[083] 2013.3.20 1:51:41	197.207.201.188
[084] 2013.3.20 1:51:41	175.28.231.186
[085] 2013.3.20 1:51:41	68.9.153.184
[086] 2013.3.20 1:51:41	190.254.253.254
[087] 2013.3.20 1:51:41	67.78.102.59
[088] 2013.3.20 1:51:41	98.234.208.182
[089] 2013.3.20 1:51:41	85.138.115.182
[090] 2013.3.20 1:51:41	24.183.157.61
[091] 2013.3.20 1:51:41	24.190.107.64
[092] 2013.3.20 1:51:41	72.178.77.66
[093] 2013.3.20 1:51:41	68.190.166.176
[094] 2013.3.20 1:51:41	197.254.253.254
[095] 2013.3.20 1:51:41	122.150.189.173
[096] 2013.3.20 1:51:41	173.238.39.69
[097] 2013.3.20 1:51:41	75.131.206.69
[098] 2013.3.20 1:51:41	173.3.172.170
[099] 2013.3.20 1:51:41	24.42.165.73
[100] 2013.3.20 1:51:41	1.173.214.73
[101] 2013.3.20 1:51:41	2.180.74.78
[102] 2013.3.20 1:51:41	198.45.186.165
[103] 2013.3.20 1:51:41	218.144.187.164
[104] 2013.3.20 1:51:41	76.127.98.161
[105] 2013.3.20 1:51:41	173.238.149.79
[106] 2013.3.20 1:51:41	98.216.45.84
[107] 2013.3.20 1:51:41	68.46.113.156
[108] 2013.3.20 1:51:41	87.97.101.86
[109] 2013.3.20 1:51:41	98.210.177.155
[110] 2013.3.20 1:51:41	197.6.135.154
[111] 2013.3.20 1:51:41	68.59.99.87
[112] 2013.3.20 1:51:41	209.173.186.89
[113] 2013.3.20 1:51:41	181.73.53.91
[114] 2013.3.20 1:51:41	71.237.65.151
[115] 2013.3.20 1:51:41	115.242.30.150
[116] 2013.3.20 1:51:41	68.190.3.150
[117] 2013.3.20 1:51:41	69.122.29.148
[118] 2013.3.20 1:51:41	124.125.45.146
[119] 2013.3.20 1:51:41	190.83.153.144
[120] 2013.3.20 1:51:41	69.119.46.144
[121] 2013.3.20 1:51:41	197.6.8.143
[122] 2013.3.20 1:51:41	61.21.130.142
[123] 2013.3.20 1:51:41	124.241.18.135
[124] 2013.3.20 1:51:41	184.161.222.131
[125] 2013.3.20 1:51:41	65.128.86.130
[126] 2013.3.20 1:51:41	206.254.253.254
[127] 2013.3.20 1:51:41	65.30.131.129
[128] 2013.3.20 1:51:41	189.81.60.129
[129] 2013.3.20 1:51:41	66.183.247.127
[130] 2013.3.20 1:51:41	189.32.69.127
[131] 2013.3.20 1:51:41	98.198.208.122
[132] 2013.3.20 1:51:41	123.225.0.39
[133] 2013.3.20 1:51:41	222.254.253.254
[134] 2013.3.20 1:51:41	97.89.29.118
[135] 2013.3.20 1:51:41	108.185.168.116
[136] 2013.3.20 1:51:41	71.21.91.116
[137] 2013.3.20 1:51:41	174.100.11.112
[138] 2013.3.20 1:51:41	96.45.226.108
[139] 2013.3.20 1:51:41	190.142.167.106
[140] 2013.3.20 1:51:41	193.136.136.104
[141] 2013.3.20 1:51:41	174.69.199.101
[142] 2013.3.20 1:51:41	38.125.108.100
[143] 2013.3.20 1:51:41	178.94.44.100
[144] 2013.3.20 1:51:41	208.93.81.97
[145] 2013.3.20 1:51:41	213.107.68.92
[146] 2013.3.20 1:51:41	218.251.5.4
[147] 2013.3.20 1:51:40	114.190.110.96
[148] 2013.3.20 1:51:40	97.85.212.91
[149] 2013.3.20 1:51:40	71.229.190.151
[150] 2013.3.20 1:51:40	72.221.74.90
[151] 2013.3.20 1:51:40	70.234.5.90
[152] 2013.3.20 1:51:40	174.62.184.152
[153] 2013.3.20 1:51:40	71.68.200.87
[154] 2013.3.20 1:51:40	173.175.218.152
[155] 2013.3.20 1:51:40	74.88.33.156
[156] 2013.3.20 1:51:40	134.130.117.84
[157] 2013.3.20 1:51:40	85.207.110.84
[158] 2013.3.20 1:51:40	189.4.218.156
[159] 2013.3.20 1:51:40	186.123.130.82
[160] 2013.3.20 1:51:40	70.82.242.81
[161] 2013.3.20 1:51:40	24.230.244.80
[162] 2013.3.20 1:51:40	50.134.180.158
[163] 2013.3.20 1:51:40	115.43.230.165
[164] 2013.3.20 1:51:40	59.191.173.74
[165] 2013.3.20 1:51:40	92.60.18.74
[166] 2013.3.20 1:51:40	24.237.18.168
[167] 2013.3.20 1:51:40	67.180.66.168
[168] 2013.3.20 1:51:40	122.102.202.71
[169] 2013.3.20 1:51:40	200.8.167.172
[170] 2013.3.20 1:51:40	216.121.222.172
[171] 2013.3.20 1:51:40	89.228.122.176
[172] 2013.3.20 1:51:40	70.64.207.179
[173] 2013.3.20 1:51:40	24.88.66.66
[174] 2013.3.20 1:51:40	114.36.148.180
[175] 2013.3.20 1:51:40	24.185.76.64
[176] 2013.3.20 1:51:40	203.165.198.61
[177] 2013.3.20 1:51:40	122.30.24.181
[178] 2013.3.20 1:51:40	135.19.64.183
[179] 2013.3.20 1:51:40	75.109.75.190
[180] 2013.3.20 1:51:40	97.92.196.192
[181] 2013.3.20 1:51:40	66.227.140.56
[182] 2013.3.20 1:51:40	24.37.225.192
[183] 2013.3.20 1:51:40	108.182.17.55
[184] 2013.3.20 1:51:40	71.62.170.195
[185] 2013.3.20 1:51:40	84.192.93.202
[186] 2013.3.20 1:51:40	98.86.145.203
[187] 2013.3.20 1:51:40	218.250.123.51
[188] 2013.3.20 1:51:40	70.53.31.49
[189] 2013.3.20 1:51:40	24.175.191.47
[190] 2013.3.20 1:51:40	76.171.83.206
[191] 2013.3.20 1:51:40	70.75.5.47
[192] 2013.3.20 1:51:40	186.93.204.46
[193] 2013.3.20 1:51:40	72.224.215.207
[194] 2013.3.20 1:51:40	190.135.168.211
[195] 2013.3.20 1:51:40	24.3.219.44
[196] 2013.3.20 1:51:40	65.25.107.44
[197] 2013.3.20 1:51:40	66.225.187.211
[198] 2013.3.20 1:51:40	98.246.10.213
[199] 2013.3.20 1:51:40	78.84.104.40
[200] 2013.3.20 1:51:40	115.38.229.214
[201] 2013.3.20 1:51:40	77.102.113.38
[202] 2013.3.20 1:51:40	98.148.180.37
[203] 2013.3.20 1:51:40	72.146.101.215
[204] 2013.3.20 1:51:40	42.144.76.220
[205] 2013.3.20 1:51:40	174.2.97.220
[206] 2013.3.20 1:51:40	125.58.111.36
[207] 2013.3.20 1:51:40	71.10.235.35
[208] 2013.3.20 1:51:40	173.19.147.220
[209] 2013.3.20 1:51:40	69.108.230.34
[210] 2013.3.20 1:51:40	76.123.186.220
[211] 2013.3.20 1:51:40	114.161.96.221
[212] 2013.3.20 1:51:40	67.190.183.224
[213] 2013.3.20 1:51:40	186.88.98.227
[214] 2013.3.20 1:51:40	121.100.67.33
[215] 2013.3.20 1:51:40	75.197.161.229
[216] 2013.3.20 1:51:40	68.60.76.231
[217] 2013.3.20 1:51:40	187.25.195.231
[218] 2013.3.20 1:51:40	70.67.11.233
[219] 2013.3.20 1:51:40	66.227.187.30
[220] 2013.3.20 1:51:40	210.146.238.29
[221] 2013.3.20 1:51:40	98.233.51.233
[222] 2013.3.20 1:51:40	60.62.66.29
[223] 2013.3.20 1:51:40	212.92.225.233
[224] 2013.3.20 1:51:40	116.81.144.234
[225] 2013.3.20 1:51:40	173.26.63.24
[226] 2013.3.20 1:51:40	98.254.187.23
[227] 2013.3.20 1:51:40	75.87.144.234
[228] 2013.3.20 1:51:40	14.96.171.235
[229] 2013.3.20 1:51:40	14.99.154.236
[230] 2013.3.20 1:51:40	76.184.50.237
[231] 2013.3.20 1:51:40	69.142.230.241
[232] 2013.3.20 1:51:40	69.247.191.245
[233] 2013.3.20 1:51:40	68.113.125.16
[234] 2013.3.20 1:51:40	76.174.78.248
[235] 2013.3.20 1:51:40	75.82.254.252
[236] 2013.3.20 1:51:40	98.222.102.15
[237] 2013.3.20 1:51:40	173.216.9.14
[238] 2013.3.20 1:51:40	67.10.171.13
[239] 2013.3.20 1:51:40	174.110.156.13
[240] 2013.3.20 1:51:40	12.23.230.253
[241] 2013.3.20 1:51:40	67.230.77.12
[242] 2013.3.20 1:51:40	189.47.247.253
[243] 2013.3.20 1:51:40	203.165.95.11
[244] 2013.3.20 1:51:40	68.12.183.10
[245] 2013.3.20 1:51:40	67.252.92.10
[246] 2013.3.20 1:51:40	174.57.57.10
[247] 2013.3.20 1:51:40	71.192.104.9
[248] 2013.3.20 1:51:40	177.138.73.9
[249] 2013.3.20 1:51:40	74.199.120.8
[250] 2013.3.20 1:51:40	67.87.175.254
[251] 2013.3.20 1:51:40	71.10.163.7
[252] 2013.3.20 1:51:40	79.119.31.7
[253] 2013.3.20 1:51:40	12.27.26.7
[254] 2013.3.20 1:51:40	66.191.206.4
[255] 2013.3.20 1:51:40	72.186.158.4
s64
[000] 2013.3.20 1:51:24	222.254.253.254
[001] 2013.3.20 1:51:24	206.254.253.254
[002] 2013.3.20 1:51:24	197.254.253.254
[003] 2013.3.20 1:51:24	190.254.253.254
[004] 2013.3.20 1:51:24	184.254.253.254
[005] 2013.3.20 1:51:24	182.254.253.254
[006] 2013.3.20 1:51:24	180.254.253.254
[007] 2013.3.20 1:51:24	166.254.253.254
[008] 2013.3.20 1:51:24	135.254.253.254
[009] 2013.3.20 1:51:24	134.254.253.254
[010] 2013.3.20 1:51:24	119.254.253.254
[011] 2013.3.20 1:51:24	117.254.253.254
[012] 2013.3.20 1:51:24	115.254.253.254
[013] 2013.3.20 1:51:24	92.254.253.254
[014] 2013.3.20 1:51:24	88.254.253.254
[015] 2013.3.20 1:51:24	87.254.253.254
[016] 2013.3.20 1:51:24	110.4.215.42
[017] 2013.3.20 1:51:24	84.231.134.45
[018] 2013.3.20 1:51:24	67.162.51.250
[019] 2013.3.20 1:51:24	66.36.156.247
[020] 2013.3.20 1:51:24	76.30.96.48
[021] 2013.3.20 1:51:24	128.146.123.59
[022] 2013.3.20 1:51:24	74.194.187.75
[023] 2013.3.20 1:51:24	186.81.168.241
[024] 2013.3.20 1:51:24	126.115.230.76
[025] 2013.3.20 1:51:24	5.12.9.79
[026] 2013.3.20 1:51:24	50.82.118.82
[027] 2013.3.20 1:51:24	24.101.244.86
[028] 2013.3.20 1:51:24	71.89.126.89
[029] 2013.3.20 1:51:24	81.242.106.232
[030] 2013.3.20 1:51:24	98.30.7.96
[031] 2013.3.20 1:51:24	126.117.244.229
[032] 2013.3.20 1:51:24	68.196.96.7
[033] 2013.3.20 1:51:24	74.176.138.228
[034] 2013.3.20 1:51:24	66.191.199.16
[035] 2013.3.20 1:51:24	93.183.132.101
[036] 2013.3.20 1:51:24	111.234.192.103
[037] 2013.3.20 1:51:24	126.120.172.113
[038] 2013.3.20 1:51:24	70.161.157.224
[039] 2013.3.20 1:51:24	218.227.46.116
[040] 2013.3.20 1:51:24	76.91.146.116
[041] 2013.3.20 1:51:24	24.185.199.117
[042] 2013.3.20 1:51:24	209.197.172.20
[043] 2013.3.20 1:51:24	89.228.70.121
[044] 2013.3.20 1:51:24	68.52.14.123
[045] 2013.3.20 1:51:24	71.43.169.123
[046] 2013.3.20 1:51:24	210.203.197.125
[047] 2013.3.20 1:51:24	98.163.211.125
[048] 2013.3.20 1:51:24	114.181.92.216
[049] 2013.3.20 1:51:24	71.62.32.128
[050] 2013.3.20 1:51:24	184.155.89.213
[051] 2013.3.20 1:51:24	50.128.166.128
[052] 2013.3.20 1:51:24	24.138.30.129
[053] 2013.3.20 1:51:24	36.246.24.145
[054] 2013.3.20 1:51:24	5.12.88.146
[055] 2013.3.20 1:51:24	219.103.119.158
[056] 2013.3.20 1:51:24	70.92.180.164
[057] 2013.3.20 1:51:24	50.151.247.166
[058] 2013.3.20 1:51:24	203.160.116.173
[059] 2013.3.20 1:51:24	98.93.227.178
[060] 2013.3.20 1:51:24	178.141.3.195
[061] 2013.3.20 1:51:24	50.152.65.28
[062] 2013.3.20 1:51:24	46.223.61.31
[063] 2013.3.20 1:51:24	175.35.80.199
[064] 2013.3.20 1:51:24	177.212.16.30
[065] 2013.3.20 1:51:24	68.229.98.41
[066] 2013.3.20 1:51:23	87.0.66.30
[067] 2013.3.20 1:51:23	72.178.96.201
[068] 2013.3.20 1:51:23	173.81.149.29
[069] 2013.3.20 1:51:23	24.79.0.197
[070] 2013.3.20 1:51:23	65.29.254.28
[071] 2013.3.20 1:51:23	106.208.121.195
[072] 2013.3.20 1:51:23	98.198.80.206
[073] 2013.3.20 1:51:23	70.122.247.194
[074] 2013.3.20 1:51:23	96.52.60.194
[075] 2013.3.20 1:51:23	101.99.144.192
[076] 2013.3.20 1:51:23	68.173.181.191
[077] 2013.3.20 1:51:23	67.86.111.190
[078] 2013.3.20 1:51:23	64.121.242.186
[079] 2013.3.20 1:51:23	61.6.220.183
[080] 2013.3.20 1:51:23	68.112.216.183
[081] 2013.3.20 1:51:23	184.36.227.206
[082] 2013.3.20 1:51:23	219.64.177.176
[083] 2013.3.20 1:51:23	78.84.40.176
[084] 2013.3.20 1:51:23	75.64.9.28
[085] 2013.3.20 1:51:23	24.44.36.173
[086] 2013.3.20 1:51:23	75.74.236.169
[087] 2013.3.20 1:51:23	74.56.176.168
[088] 2013.3.20 1:51:23	210.191.149.167
[089] 2013.3.20 1:51:23	190.121.37.167
[090] 2013.3.20 1:51:23	37.128.153.27
[091] 2013.3.20 1:51:23	111.254.199.207
[092] 2013.3.20 1:51:23	67.184.100.163
[093] 2013.3.20 1:51:23	68.235.154.162
[094] 2013.3.20 1:51:23	69.142.144.162
[095] 2013.3.20 1:51:23	67.161.94.161
[096] 2013.3.20 1:51:23	219.117.59.160
[097] 2013.3.20 1:51:23	27.142.145.159
[098] 2013.3.20 1:51:23	109.236.81.159
[099] 2013.3.20 1:51:23	94.205.230.208
[100] 2013.3.20 1:51:23	68.207.90.157
[101] 2013.3.20 1:51:23	98.124.81.157
[102] 2013.3.20 1:51:23	67.183.182.153
[103] 2013.3.20 1:51:23	24.188.239.152
[104] 2013.3.20 1:51:23	174.61.30.152
[105] 2013.3.20 1:51:23	119.173.113.148
[106] 2013.3.20 1:51:23	50.151.160.147
[107] 2013.3.20 1:51:23	75.64.92.209
[108] 2013.3.20 1:51:23	173.176.11.146
[109] 2013.3.20 1:51:23	190.43.165.211
[110] 2013.3.20 1:51:23	65.96.93.144
[111] 2013.3.20 1:51:23	194.44.159.143
[112] 2013.3.20 1:51:23	24.222.49.140
[113] 2013.3.20 1:51:23	24.136.218.137
[114] 2013.3.20 1:51:23	74.196.193.137
[115] 2013.3.20 1:51:23	184.163.234.136
[116] 2013.3.20 1:51:23	75.80.141.132
[117] 2013.3.20 1:51:23	67.184.120.131
[118] 2013.3.20 1:51:23	61.27.100.131
[119] 2013.3.20 1:51:23	24.73.5.131
[120] 2013.3.20 1:51:23	24.117.54.129
[121] 2013.3.20 1:51:23	68.49.52.129
[122] 2013.3.20 1:51:23	137.224.239.212
[123] 2013.3.20 1:51:23	68.184.102.26
[124] 2013.3.20 1:51:23	89.27.37.128
[125] 2013.3.20 1:51:23	67.149.32.128
[126] 2013.3.20 1:51:23	95.79.39.216
[127] 2013.3.20 1:51:23	92.53.2.127
[128] 2013.3.20 1:51:23	58.167.247.126
[129] 2013.3.20 1:51:23	68.234.222.126
[130] 2013.3.20 1:51:23	122.31.228.125
[131] 2013.3.20 1:51:23	107.10.138.217
[132] 2013.3.20 1:51:23	173.217.79.22
[133] 2013.3.20 1:51:23	76.120.173.125
[134] 2013.3.20 1:51:23	195.238.191.124
[135] 2013.3.20 1:51:23	189.47.81.219
[136] 2013.3.20 1:51:23	63.142.85.123
[137] 2013.3.20 1:51:23	124.171.53.22
[138] 2013.3.20 1:51:23	69.112.172.122
[139] 2013.3.20 1:51:23	24.137.122.222
[140] 2013.3.20 1:51:23	141.140.184.119
[141] 2013.3.20 1:51:23	124.40.245.118
[142] 2013.3.20 1:51:23	76.10.59.223
[143] 2013.3.20 1:51:23	50.8.155.117
[144] 2013.3.20 1:51:23	61.21.74.18
[145] 2013.3.20 1:51:23	67.83.76.224
[146] 2013.3.20 1:51:23	71.228.244.115
[147] 2013.3.20 1:51:23	76.108.246.226
[148] 2013.3.20 1:51:23	184.76.160.110
[149] 2013.3.20 1:51:23	65.28.72.110
[150] 2013.3.20 1:51:23	95.75.83.109
[151] 2013.3.20 1:51:23	72.174.242.108
[152] 2013.3.20 1:51:23	24.182.41.108
[153] 2013.3.20 1:51:23	98.253.247.107
[154] 2013.3.20 1:51:23	69.88.222.107
[155] 2013.3.20 1:51:23	68.40.79.107
[156] 2013.3.20 1:51:23	70.236.32.107
[157] 2013.3.20 1:51:23	71.85.11.107
[158] 2013.3.20 1:51:23	5.14.183.105
[159] 2013.3.20 1:51:23	116.232.231.104
[160] 2013.3.20 1:51:23	210.79.44.227
[161] 2013.3.20 1:51:23	79.117.31.103
[162] 2013.3.20 1:51:23	66.63.96.227
[163] 2013.3.20 1:51:23	76.119.105.101
[164] 2013.3.20 1:51:23	24.209.53.100
[165] 2013.3.20 1:51:23	125.13.167.99
[166] 2013.3.20 1:51:23	72.251.36.97
[167] 2013.3.20 1:51:23	50.63.66.232
[168] 2013.3.20 1:51:23	119.238.1.96
[169] 2013.3.20 1:51:23	71.20.225.95
[170] 2013.3.20 1:51:23	153.177.126.95
[171] 2013.3.20 1:51:23	75.76.54.95
[172] 2013.3.20 1:51:23	71.236.219.94
[173] 2013.3.20 1:51:23	75.191.160.94
[174] 2013.3.20 1:51:23	96.33.109.91
[175] 2013.3.20 1:51:23	98.145.165.89
[176] 2013.3.20 1:51:23	74.141.181.232
[177] 2013.3.20 1:51:23	66.215.51.89
[178] 2013.3.20 1:51:23	1.77.120.234
[179] 2013.3.20 1:51:23	71.17.221.85
[180] 2013.3.20 1:51:23	68.42.235.235
[181] 2013.3.20 1:51:23	98.197.39.82
[182] 2013.3.20 1:51:23	76.88.166.80
[183] 2013.3.20 1:51:23	114.180.102.80
[184] 2013.3.20 1:51:23	87.5.184.79
[185] 2013.3.20 1:51:23	178.237.177.79
[186] 2013.3.20 1:51:23	72.175.124.5
[187] 2013.3.20 1:51:23	76.92.236.78
[188] 2013.3.20 1:51:23	69.127.113.78
[189] 2013.3.20 1:51:23	76.103.79.78
[190] 2013.3.20 1:51:23	24.243.164.3
[191] 2013.3.20 1:51:23	178.82.217.242
[192] 2013.3.20 1:51:23	24.225.177.73
[193] 2013.3.20 1:51:23	220.67.127.72
[194] 2013.3.20 1:51:23	98.218.197.71
[195] 2013.3.20 1:51:23	177.158.142.71
[196] 2013.3.20 1:51:23	98.226.44.71
[197] 2013.3.20 1:51:23	98.235.8.70
[198] 2013.3.20 1:51:23	68.185.157.67
[199] 2013.3.20 1:51:23	72.194.221.243
[200] 2013.3.20 1:51:23	60.234.52.58
[201] 2013.3.20 1:51:23	220.130.12.56
[202] 2013.3.20 1:51:23	66.235.62.55
[203] 2013.3.20 1:51:23	118.104.202.53
[204] 2013.3.20 1:51:23	98.240.47.53
[205] 2013.3.20 1:51:23	76.177.98.52
[206] 2013.3.20 1:51:23	188.65.74.52
[207] 2013.3.20 1:51:23	76.187.147.51
[208] 2013.3.20 1:51:23	75.65.81.51
[209] 2013.3.20 1:51:23	37.59.72.49
[210] 2013.3.20 1:51:23	206.72.25.49
[211] 2013.3.20 1:51:23	120.137.245.48
[212] 2013.3.20 1:51:23	72.192.48.246
[213] 2013.3.20 1:51:23	87.95.62.47
[214] 2013.3.20 1:51:23	174.48.171.251
[215] 2013.3.20 1:51:23	84.73.73.253
[216] 2013.3.20 1:51:23	178.149.50.42
[217] 2013.3.20 1:51:23	123.202.195.41
[218] 2013.3.20 1:51:23	153.137.162.203
[219] 2013.3.20 1:51:23	67.87.97.39
[220] 2013.3.20 1:51:23	66.115.237.37
[221] 2013.3.20 1:51:23	50.130.35.37
[222] 2013.3.20 1:51:23	74.60.214.36
[223] 2013.3.20 1:51:23	98.14.54.36
[224] 2013.3.20 1:51:23	74.76.123.34
[225] 2013.3.20 1:51:23	116.65.80.34
[226] 2013.3.20 1:51:23	5.167.19.0
[227] 2013.3.20 1:51:22	117.18.95.31
[228] 2013.3.20 1:51:22	70.123.169.196
[229] 2013.3.20 1:51:22	84.215.108.203
[230] 2013.3.20 1:51:22	71.207.161.203
[231] 2013.3.20 1:51:22	76.16.114.204
[232] 2013.3.20 1:51:22	68.198.101.29
[233] 2013.3.20 1:51:22	78.27.98.205
[234] 2013.3.20 1:51:22	24.140.191.28
[235] 2013.3.20 1:51:22	71.229.186.28
[236] 2013.3.20 1:51:22	118.238.127.205
[237] 2013.3.20 1:51:22	86.52.126.207
[238] 2013.3.20 1:51:22	184.91.186.27
[239] 2013.3.20 1:51:22	68.112.138.207
[240] 2013.3.20 1:51:22	96.42.247.26
[241] 2013.3.20 1:51:22	76.27.133.26
[242] 2013.3.20 1:51:22	72.128.53.213
[243] 2013.3.20 1:51:22	98.194.1.24
[244] 2013.3.20 1:51:22	201.69.52.23
[245] 2013.3.20 1:51:22	187.188.198.22
[246] 2013.3.20 1:51:22	81.170.184.22
[247] 2013.3.20 1:51:22	184.161.193.217
[248] 2013.3.20 1:51:22	1.112.87.219
[249] 2013.3.20 1:51:22	66.215.174.222
[250] 2013.3.20 1:51:22	75.64.117.20
[251] 2013.3.20 1:51:22	180.40.234.223
[252] 2013.3.20 1:51:22	24.179.42.228
[253] 2013.3.20 1:51:22	174.60.121.229
[254] 2013.3.20 1:51:22	114.27.69.237
[255] 2013.3.20 1:51:22	50.77.22.238
MRT removes it.
Attachment (227.32 KiB), password: infected
 #18713  by EP_X0FF
 Wed Mar 27, 2013 3:18 am
Sirefef (2012) with x86-32 rootkit, x64 backdoor and TDL-style cfg.ini

SHA256: f61f5110b03d2a590072bce37ff1681015673c90b750b16e939b43c6d9067d94
SHA1: 92410517c32347621c23341d6b4b78f67ee993a0
MD5: 085c4e0072714be6da3db619a7d25283

https://www.virustotal.com/en/file/f61f ... /analysis/

All extracted components and the dropper are attached.
Attachment (279.6 KiB), password: malware
 #18736  by kmd
 Thu Mar 28, 2013 8:37 am
EP_X0FF wrote:Additional info: the name "MaxSS" was created from a part of the rootkit configuration file, the string "maxsscore". The name "SST" is created from the name of the driver loader "sst2.sys" that the first variants of this malware used. And the name "PRAGMA" comes from earlier variants of the TDL2-based rootkit this affiliate used.
Hah, and what was Sirefef created from?
 #18737  by EP_X0FF
 Thu Mar 28, 2013 8:45 am
kmd wrote:
EP_X0FF wrote:Additional info: the name "MaxSS" was created from a part of the rootkit configuration file, the string "maxsscore". The name "SST" is created from the name of the driver loader "sst2.sys" that the first variants of this malware used. And the name "PRAGMA" comes from earlier variants of the TDL2-based rootkit this affiliate used.
Hah, and what was Sirefef created from?
Well, it was almost 4 years ago. I don't really remember, so I may be wrong. The initial ZeroAccess (we did not even know the real name at that time) had the string "Snifer67". Like many malware names in the AV industry, Sirefef is an anagram.

Snifer
Siref+(ef)