A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18416  by radikal
 Tue Mar 05, 2013 2:54 am
I recently got bin of some interesting bot with ring3 rootkit, i executed on XP Vmware, and i cannot kill the process it injects in, someone can do a brief analysis on what techniques it uses ?

http://anubis.iseclab.org/?action=resul ... c290d02258
Attachments
infected
(121.17 KiB) Downloaded 299 times
Last edited by EP_X0FF on Tue Jun 04, 2013 3:45 am, edited 2 times in total. Reason: renamed
 #18417  by EP_X0FF
 Tue Mar 05, 2013 5:55 am
Why do you think this is rootkit?

Trivial infostealer backdoor with huge AV blacklist inside + trick inspired by this http://www.kernelmode.info/forum/viewto ... =11&t=1926 Pretty fresh (compiled 04 March) that's why not detected well.

In order to fool and complicate removal by casual user this malware (original name vBetaLib.exe) creates autorun entry %ProgramFiles\Common Files\CreativeAudio.{2227A280-3AEA-1069-A2DE-08002B30309D} with hardcoded CLSID value which represent standard Windows "Printers" folder. Damages Explorer settings to turn off displaying of "hidden", "system" files.

In oder to communicate with operator this malware uses code injection into wuauclt.exe process it executes. Bugged like hell. Able to spread via Skype Messenger. Contains several Spanish-Turkish-English messages.

Another mad skillz trash from HF?
 #18418  by R00tKit
 Tue Mar 05, 2013 6:56 am
Why do you think this is rootkit?
i think this idea come from => wuauclt.exe process cant be kill with procexp ,taskkill , taskmgr and in my os " Rootkit unhooker" faild to start
xuetr kill it and "inaccessible from user mode " in Xuetr and kernel detective
permission of process object in procexp.exe is disable and security tab is empty

but anyway this is not Rootkit
 #18419  by EP_X0FF
 Tue Mar 05, 2013 7:38 am
Hard to name it rootkit, but

It hooks KiFastSystemCall and filters system calls.

Image

Short jump to PUSH/RET with target inside injected malware binary at 0x7FFXXXXX address range.

Used also for self-propagation purposes. Hooks restoration set on short delay. Due to mass remote threads injection in different processes wuauclt.exe will be respawned from other affected processes if terminated. Need complex cleanup -> terminate everything started from Explorer and Explorer itself, after this it can be cleaned easily. Malware runs from HKCU, HKLM \Run registry key, disposition on disk already mentioned.

Symantec writeup http://www.symantec.com/security_respon ... 16-2352-99
 #18423  by radikal
 Tue Mar 05, 2013 12:47 pm
I am a bit newbie to malware analysis, i am trying to write remover for this bot, i think it injects only in explorer.exe and wuauclt.exe, i tried to kill them both at once via Xuetr, but i got BSOD.
I am going to try to inject code in both processes just to SUSPEND all threads, then i delete file and registry.
Will that work and is it good approach ?

Thanks for time spend to help me :oops:
 #18429  by EP_X0FF
 Tue Mar 05, 2013 3:51 pm
radikal wrote:I am a bit newbie to malware analysis, i am trying to write remover for this bot, i think it injects only in explorer.exe and wuauclt.exe, i tried to kill them both at once via Xuetr, but i got BSOD.
I am going to try to inject code in both processes just to SUSPEND all threads, then i delete file and registry.
Will that work and is it good approach ?

Thanks for time spend to help me :oops:
You want to solve your task programmatically or by using tool?

If first then you will have find a way to open affected processes bypassing KiFastSystemCall hook, for example by direct syscall of NtOpenProcess.
If second then forget about xuetr, its bugfest, use wj32 Process Hacker, it should be able to solve this task as it terminates processes from driver.
 #18431  by radikal
 Tue Mar 05, 2013 4:03 pm
I want to solve the issue programmatically, i believe i have to inject code in all malware processes, and to suspend and then kill them from inside.
Injecting code should be easy, i just have to find in which processes exactly it resides.
 #18432  by EP_X0FF
 Tue Mar 05, 2013 4:09 pm
radikal wrote:I want to solve the issue programmatically, i believe i have to inject code in all malware processes, and to suspend and then kill them from inside.
Injecting code should be easy, i just have to find in which processes exactly it resides.
Not necessary, just kill all where this bot injected, there will be not so many. To locate all affected processes do a simple memory scan for example for various strings inside this bot. After this it will be unable to stop you from removing anything from disk or registry. Also make sure you terminated all it injected threads inside your own app.
 #18524  by Userbased
 Thu Mar 14, 2013 4:37 pm
Latest version of the bot. Packed with vb6 runpe crypter.
Gate: highroller.pxnet.to:666/sbn-admin/order.php
Backup domains: sbn.pxnet.to, cpstw.santros.ws, ccc.santros.ws, vg.allrounders.cc, zp.swissfaking.biz
Attachments
password "infected"
(224.28 KiB) Downloaded 169 times
 #19204  by Userbased
 Mon May 06, 2013 1:56 pm
11 Betabot/Neurevt droppers

MD5
Code: Select all
3E4EC6A3AE42FD65AC7C57B3710CDA22
09ABF42BC0782621124C5F3B1FA3C694
53F1F7EF322FD53D0C606137CBA4A1D6
5938DF09C5DE8E322722CE6C3DDAA474
0563606FC6CD061320C8F2582702D1A0
6943066B573F738DA86838C2A4F90863
A4EDEA3CECE92C31D4C4049850F44A9E
A517E8AE9D14A69E8BE6C3C1B09E4837
C6D35E56AF60025EEC4020B56C0BAD7E
D9C6B16F7EAEEFFF7F754CEFB8376D06
FC457CAF2F2A20EE1C4B21999BDF68A4
Attachments
password - infected
(3.02 MiB) Downloaded 171 times