A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #987  by EP_X0FF
 Tue May 04, 2010 4:59 pm
This is actually Rustock.B or Rustock v1.2.
GMER detects it by registry key; it can't detect the driver. RkU can detect its hooks, driver and hidden ADS.

Below is the log from a system infected with lzx32.sys (Rustock.B).
Ignore the atapi.sys detections; this VM is also infected with the latest TDL3 and some other rootkits.
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
!!!!!!!!!!!Hidden driver: 0xF8100000 pe386 73728 bytes
0x81B608BE unknown_irp_handler 1858 bytes
!!!!!!!!!!!Hidden driver: 0x81DFDCE2 ?_empty_? 798 bytes
!!!!!!!!!!!Hidden driver: 0x81FDD760 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF8493000 WARNING: suspicious driver modification [atapi.sys::0x81DFDCE2]
0x66700000 Hidden Image-->mssfc.dll [ EPROCESS 0x81D2EDA0 ] PID: 408, 1576960 bytes
0x10000000 Hidden Image-->sfcfiles.dll [ EPROCESS 0x81D2EDA0 ] PID: 408, 40960 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\WINDOWS\system32:lzx32.sys:$DATA
==============================================
>Hooks
==============================================
IDT-->Int 2Eh-->_KiSystemService, Type: Inline - RelativeJump 0x806DABA8-->F8104DDF [pe386]
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x00027327, Type: Inline - DirectJump 0x804FE327-->F501FD8C [Dbgv.sys]
ntoskrnl.exe+0x000B710C, Type: Inline - RelativeJump 0x8058E10C-->81B609EE [unknown_irp_handler]
ntoskrnl.exe-->IofCallDriver, Type: Address change 0x80553480-->F8103863 [pe386]
SYSENTER/Int 2E, Type: System Call & Inline 0x804DE6F0-->F8104E0B [pe386]
tcpip.sys+0x00003D3A, Type: Inline - RelativeCall 0xF8077D3A-->F8106BCF [pe386]
tcpip.sys+0x00005690, Type: Inline - RelativeCall 0xF8079690-->F8106BCF [pe386]
tcpip.sys+0x0001B480, Type: Inline - RelativeCall 0xF808F480-->F8106BCF [pe386]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF80B33A8-->F8106C33 [pe386]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF80B33D4-->F8106BE5 [pe386]
wanarp.sys+0x000053FD, Type: Inline - RelativeCall 0xF81673FD-->F8106BD9 [pe386]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
I've removed the non-meaningful list of drivers and user-mode hooks.
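As an added example (not part of the post above or of RkU itself), the script below parses the ">Drivers" and ">Hooks" sections of the RkU log posted above and checks whether each hook target lands inside a driver that RkU could not find in the loaded-module list. The sample input is a trimmed copy of the log lines above; the field layout assumed by the regexes is taken from those lines only, and the verdict labels ("hidden_driver", "unnamed_code", "intra_module", "named_module") are my own, not RkU output.

```python
"""Correlate RkU hook targets with the address ranges of hidden drivers.

Added example, not RkU code. The log excerpt is copied (trimmed) from the
forum post; the parsing and range correlation are the example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: excerpt of the RkU 3.8 log posted above.
RKU_LOG = """\
>Drivers
==============================================
!!!!!!!!!!!Hidden driver: 0xF8100000 pe386 73728 bytes
0x81B608BE unknown_irp_handler 1858 bytes
!!!!!!!!!!!Hidden driver: 0x81DFDCE2 ?_empty_? 798 bytes
!!!!!!!!!!!Hidden driver: 0x81FDD760 ?_empty_? 0 bytes
==============================================
>Hooks
==============================================
IDT-->Int 2Eh-->_KiSystemService, Type: Inline - RelativeJump 0x806DABA8-->F8104DDF [pe386]
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x00027327, Type: Inline - DirectJump 0x804FE327-->F501FD8C [Dbgv.sys]
ntoskrnl.exe+0x000B710C, Type: Inline - RelativeJump 0x8058E10C-->81B609EE [unknown_irp_handler]
ntoskrnl.exe-->IofCallDriver, Type: Address change 0x80553480-->F8103863 [pe386]
SYSENTER/Int 2E, Type: System Call & Inline 0x804DE6F0-->F8104E0B [pe386]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF80B33D4-->F8106BE5 [pe386]
wanarp.sys+0x000053FD, Type: Inline - RelativeCall 0xF81673FD-->F8106BD9 [pe386]
"""

# Layout inferred from the log lines above (assumption: RkU keeps this shape).
DRIVER_RE = re.compile(
    r"^(?P<flag>!+Hidden driver: )?0x(?P<base>[0-9A-Fa-f]+) (?P<name>\S+) (?P<size>\d+) bytes$"
)
HOOK_RE = re.compile(
    r"^(?P<where>.+?), Type: (?P<type>.+?) 0x(?P<site>[0-9A-Fa-f]+)-->"
    r"(?P<target>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)


def parse_log(text: str) -> Tuple[List[Dict], List[Dict]]:
    """Walk the log once, switching section on '>Name' lines; parse Drivers and Hooks."""
    drivers: List[Dict] = []
    hooks: List[Dict] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):
            section = line[1:]
            continue
        if not line or line.startswith("="):
            continue
        if section == "Drivers":
            m = DRIVER_RE.match(line)
            if m:
                base = int(m["base"], 16)
                drivers.append({"name": m["name"], "base": base,
                                "end": base + int(m["size"]),
                                "hidden": m["flag"] is not None})
        elif section == "Hooks":
            m = HOOK_RE.match(line)
            if m:
                hooks.append({"where": m["where"], "type": m["type"],
                              "site": int(m["site"], 16),
                              "target": int(m["target"], 16),
                              "module": m["module"]})
    return drivers, hooks


def owner_of(addr: int, drivers: List[Dict]) -> Optional[Dict]:
    """Driver whose [base, end) contains addr, or None. A '0 bytes' entry never matches."""
    for d in drivers:
        if d["base"] <= addr < d["end"]:
            return d
    return None


def classify(hook: Dict, drivers: List[Dict]) -> str:
    owner = owner_of(hook["target"], drivers)
    if owner is not None and owner["hidden"]:
        return "hidden_driver"   # target lands in an image absent from the loaded-module list
    if "." not in hook["module"]:
        return "unnamed_code"    # owner has no backing file name (e.g. unknown_irp_handler)
    hooked_image = hook["where"].split("+")[0].split("-->")[0]
    if hook["module"].lower() == hooked_image.lower():
        return "intra_module"    # jump stays inside the patched image (hotpatch-style)
    return "named_module"        # resolves to a normal named driver; review it by name


def triage(text: str) -> Dict[str, List[str]]:
    """Group hook sites by verdict so the hidden-driver ones can be read off first."""
    drivers, hooks = parse_log(text)
    out: Dict[str, List[str]] = {}
    for h in hooks:
        out.setdefault(classify(h, drivers), []).append(h["where"])
    return out


if __name__ == "__main__":
    for verdict, sites in triage(RKU_LOG).items():
        print(verdict, "->", ", ".join(sites))
```

The range check is what makes the correlation useful: pe386 is reported at 0xF8100000 with 73728 (0x12000) bytes, so it spans up to 0xF8112000, and all five pe386 hook targets (Int 2Eh, IofCallDriver, SYSENTER, NdisOpenAdapter, wanarp.sys) fall inside that window even though RkU already names the module. The "0 bytes" driver entry has an empty range and can own nothing, which is why `owner_of` uses a half-open interval rather than assuming every reported driver has a body.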
 #1014  by EP_X0FF
 Fri May 07, 2010 5:36 am
Since SR2 has been released, this thread will be closed. The last build posted in this thread contains one non-critical GUI bug (located on the Stealth Code page); it was fixed in the release posted at rootkit.com.
Newly discovered bugs will be fixed as far as possible by updates.
Because I'm very busy now, the start time of the SR3 beta test is currently undefined.
Thanks to all who helped with this release.
http://www.rootkit.com/vault/DiabloNova ... 88.590.rar

MD5: 9851e184d15b4326b8a78262d413ca0f
SHA1: 85f028da197f7669eb36ece54aa67764c2ac8809

Standalone exe
http://www.rootkit.com/vault/DiabloNova ... okerLE.EXE

*MD5: 271ead1d88f23c65af7f0d3b0596d46f
*SHA1: ca51f559177cd09967586de34c7b22ceb560f4f4

Russian Language Local Dll
http://www.rootkit.com/vault/DiabloNova/local.rar

*local.dll MD5: c8feb0e9bf0530354fbe88af5decf0da

Language Library Project for translation
http://www.rootkit.com/vault/DiabloNova/local_eng.rar

*local_dll.dll MD5: 404ae36075e21d2320ff6b3a8603991a
 #3909  by EP_X0FF
 Fri Dec 10, 2010 3:37 am
STRELiTZIA wrote: handle only 2 characters... E.g. atapi.sys ->> at
It is handling the full file name. As for the default drivers directory, well, this can be added in the release.
//I'm currently busy updating some other big project
 #4130  by EP_X0FF
 Fri Dec 24, 2010 5:59 pm
version 3.8 LE build 389/592 Service Release 2
build date 25.12.2010

changelog:
added: BlackEnergy 2+ blacklist bypassing
added: forcesafemode automatically in some cases
added: Dreg's engine
added: FsNotifyChange callback listing/removal
updated: internal service executable
updated: stealth code dll's detection
fixed: crash on code hooks scan with some malware
fixed: mbr scan for some systems
fixed: console command "check" bug
fixed: BSOD on processes page
fixed: multiple range check bugs in application

Windows 2000 and Windows XP RTM are not supported.

Installer file hashes

MD5 for RkU3.8.389.592.exe
ae5ec0e4d997ce90e8f9dadd543f41d0

SHA-512 for RkU3.8.389.592.exe
e9b5859b30bb84c9a713f571825e880d57ee46ebeb1bdc8849091de29f450abd8b3734694fc6ea657e401cb935092f39f9d342b357cf688f5dfd1e0193d53621

Standalone exe

MD5
2ea45ced56a9752a71ba902db9dcfa91

SHA-512
68396df64a8bab35e32f2067e17f66566875b12cfa8834bcf2129e2ad8cbaa65fcc0aa99bf9543350ac9e83265c6778d9bc1b9004e018eb2936767d3eee4c3d6

Important:
Use a random name for the RKU installation directory to counteract
sophisticated malware.

:WARNING:
To avoid possible problems, do not start RKU together with other anti-rootkits.

Only unofficial support of this tool is available.
This means it may take me a long time to respond to your bug report/question (if I respond at all). For any bugs, please PM me.

The language DLL/project wasn't changed.

SR3 in the middle of 2011.
 #4134  by EP_X0FF
 Sat Dec 25, 2010 11:27 am
Thanks. Try this one.

RkU3.8.389.592.exe

MD5
8b38dc15f8a41211be581476b88f3fef

SHA-512
b9db3e8c92694f2d9235c322361388a00b001a3a4f3c96537b975df1ab59214811b3919075a64ee5db115b2d83ea1d0bd423708ba088e465c1637e304c8b0646

Standalone exe

MD5
ac370cd39f2f48ba308d496807e54d27

SHA-512
fc8d1db1dadf91751c451e8b2c3aad85a6d1dbdb395feaf4c0da860e56be5d14baad89eda492f144b777b8d4732f7c2e3b87a6b892023af6cda6600a4c17f05c
Attachments
Standalone exe
(126.26 KiB) Downloaded 62 times
RkUnhooker v3.8 SR2 25.12.2010
(619.84 KiB) Downloaded 92 times