[EP_X0FF]

This malware was detected below software/program/service.. suspected registry token keys.

Code: Select all

Windows Defender
wscntfy.exe
MSASCui.exe
MpCmdRun.exe
NisSrv.exe
msseces.exe
fp.exe
MsMpSvc
windefend
SharedAccess
iphlpsvc
wscsvc
mpssvc
(etc)

The reason is for deletion purpose, I found many stuffs deleted in registry like:

Code: Select all

..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Setup
..\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
..\System\CurrentControlSet\Services\wscsvc
..\System\CurrentControlSet\Services\wscsvc\Enum
..\System\CurrentControlSet\Services\wscsvc\Parameters
..\System\CurrentControlSet\Services\wscsvc\Security

Explanation starting from this page http://www.kernelmode.info/forum/viewto ... &start=110 and down.
Posts moved.

[unixfreaxjp]

Additionals:
(installed/used IDA, starting to like it...)

Just found that in the .text PE section found the operation to close all processes of :
MsMpSvc, windefen, SharedAccess, iphlpsvc, wscsvc, mpssvc, bfe

PoC, see .text of the unpack binary, coded: http://pastebin.com/raw.php?i=MwgAzEEZ
Comment/direction are welcome..

[unixfreaxjp]

Explanation starting from this page http://www.kernelmode.info/forum/viewto ... &start=110 and down. Posts moved.

I thank you, and sorry for always posting in wrong places, thank's for your patient. I will learn harder of KM structure.

[EP_X0FF]

Additionals:
(installed/used IDA, starting to like it...)

Just found that in the .text PE section found the operation to close all processes of :
MsMpSvc, windefen, SharedAccess, iphlpsvc, wscsvc, mpssvc, bfe

PoC, see .text of the unpack binary, coded: http://pastebin.com/raw.php?i=MwgAzEEZ
Comment/direction are welcome..

It attempt to disable embedded Windows security components, Sirefef is doing this from the beginning.

I thank you, and sorry for always posting in wrong places, thank's for your patient. I will learn harder of KM structure.

No problem.

[Horgh]

It brutes the dlls to load like below catch-record...

Only ntdll.dll is "bruteforced". The packer then retrieves the others dll / apis in a classic way in order to reconstruct the import table of the binary. I don't know if this packer is used on other malwares, I only saw it on ZeroAccess samples.

[unixfreaxjp]

Just wacked new fresh sample from Blackhole "/closest/" version.

Code: Select all

Landing page: h00p://3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php

Got no time to post properly so I wrote the report in text here (pastebin).
↑The poor JS/guidance to get exploit urls is in there for all to freely use.

This one searched for remote DNS below:

Code: Select all

194.165.17.3:53
66.85.130.234:53

and sending malformed UDP packet to so many hosts to as per below list:

Code: Select all

206.254.253.254:16464
190.254.253.254:16464
182.254.253.254:16464
180.254.253.254:16464
166.254.253.254:16464
135.254.253.254:16464
134.254.253.254:16464
119.254.253.254:16464
117.254.253.254:16464
115.254.253.254:16464
92.254.253.254:16464
88.254.253.254:16464
87.254.253.254:16464
71.254.253.254:16464
69.254.253.254:16464
46.150.37.29:16464
68.9.31.32:16464
69.133.27.61:16464
95.57.233.74:16464
94.210.172.145:16464
184.155.123.146:16464
194.165.17.3:123
91.242.217.247:123
75.95.95.148:16464
24.92.201.152:16464
222.254.253.254:16464
98.149.145.253:16464
66.65.129.254:16464
97.83.82.254:16464
190.190.239.72:16464
118.171.55.88:16464
14.97.157.71:16464
173.20.198.123:16464
24.186.214.38:16464
218.173.39.25:16464
116.193.142.246:16464
76.97.134.59:16464
68.204.131.69:16464
114.178.175.1:16464
118.171.44.79:16464
173.17.47.76:16464
123.143.96.27:16464
173.20.128.26:16464
90.94.246.250:16464
70.171.38.38:16464
79.136.67.28:16464
95.169.211.29:16464
87.111.189.32:16464
75.109.170.11:16464
97.89.4.235:16464

Still don't understand why ZeroAccess can have so many botnets but I am sure we can shut this for good.
God loves the braves! Salute KernelMode!
(attached: binary sample, calc.exe)
#MalwareMustDie!!!

[unixfreaxjp]

It looks like we have a huge ZeroAccess infection now. All weaponized blackholes from Rusonyx, Ltd. networks in RU are dropping ZeroAccess:

(You can enlarge the pic by accessing below url)
https://lh6.googleusercontent.com/-xAP1 ... 90/001.jpg

[EP_X0FF]

Still don't understand why ZeroAccess can have so many botnets

Because it P2P bot.

[unixfreaxjp]

Hi. Fresh Blackhole "closest" version serving ZeroAccess VT: 5/46
At IP: 178.63.214.21 (Dynamic Addr)
---------------------------------------------------------------------------------
ASN |Prefix |ASName |CN |Domain |ISP of an IP Address
---------------------------------------------------------------------------------
24940 | 178.63.0.0/16 | HETZNER | DE | YOUR-SERVER.DE | JUST HOSTING
Payload URL:

WARNING! Is up and alive now so don't click below URL, the BHEK was "tweaked" into open download (smile)
h00p://5jijefijdjw.mywww[.]biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php?swgvl=30%20:1n:1i:1i:33&fsc=30:33:1n:1m:1h:33:30:1o:30:1h&jvlli=1i&jqnawl=pre&obihxani=scbpntas%20
VT: https://www.virustotal.com/file/d61c8ae ... 360236062/
Just in case I attached sample too.

[unixfreaxjp]

We shutdown this Ip successfully, so pls use tha attached sample previously posted.