A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5304  by Xylitol
 Fri Mar 04, 2011 2:23 am
Image

reboot:
Image

Image

Image

Probably a fake defrager like hdd rescue who drop Alureon and a broken dll (for me) who is here for launch the fake defrager (assumption)
a file called InternetExplorerUpdate.exe is also dropped in %temp% and deleted after the infection.
http://www.virustotal.com/file-scan/rep ... 1299204960
https://www.virustotal.com/file-scan/re ... 1299205769
https://www.virustotal.com/file-scan/re ... 1299214973
http://www.threatexpert.com/report.aspx ... 2570d7d163
Attachments
See archive comment for password
(188.19 KiB) Downloaded 101 times
See archive comment for password
(38.64 KiB) Downloaded 81 times
See archive comment for password
(55.35 KiB) Downloaded 91 times
Last edited by Xylitol on Fri Mar 04, 2011 5:08 am, edited 2 times in total.
 #5305  by EP_X0FF
 Fri Mar 04, 2011 4:56 am
Yes, it is PRAGMA TDL modification. A little evolved with anti MBAM feature on board.
Seems to be it blocks loading of MBAM driver by creating watchdog thread that constantly deletes (by directly sending IRP_MJ_SET_INFORMATION/FileDispositionInformation) following file
\\SystemRoot\\System32\\Drivers\\mbam.sys
kinda stupid solution, they also have loadimage notify callback.

Posts moved to TDL Mods thread
 #5783  by PX5
 Fri Apr 01, 2011 1:02 pm
Think we hexed ourself saying its dormant, something new out there, as Im in a remote where tdsskiller will not run, nor do many other tools, I know its tdl4 but at present, dont have a current loader. :(
 #5798  by Meriadoc
 Sat Apr 02, 2011 9:24 am
Probably a fake defrager like hdd rescue who drop Alureon and a broken dll (for me) who is here for launch the fake defrager (assumption)
a file called InternetExplorerUpdate.exe is also dropped in %temp% and deleted after the infection.
WindowsRecovery drops InternetExplorerUpdate.exe in temp folder and uses same icon,

Image

some reuse, connection (?)
 #5799  by EP_X0FF
 Sat Apr 02, 2011 10:48 am
Meriadoc wrote:drops InternetExplorerUpdate.exe
If it look like this http://www.virustotal.com/file-scan/rep ... 1301601811

then it's PRAGMA TDL Mod dropper (infects volsnap.sys in TDL3 way). Can be easily removed by sophisticated user even without using special tools or anti-viruses.
 #6326  by rossetoecioccolato
 Sat May 14, 2011 7:30 pm
The (rootkit) technique is only effective against tools that scan memory using the default mapping for virtual addresses (e.g. antivirus and some rootkit detectors). It is not effective against tools that remap physical pages to an alternate virtual address (e.g. memory forensic acquisition software). Also, the rootkit is not particularly sophisticated in that it sets the debug registers of all the logical processors even when no memory scanning tool is running, thus allowing modification of the debug registers to be detected by memory forensic software. A more sophisticated approach would be to detect the memory scanning software when it loads and only set the debug registers on the memory scanning thread, and then only on context shift to that thread, restoring the debug registers when the context shifts away from the scanning thread.

Leaving this aside, the question that I have for the author of the Volatility plugin (MHL) is how kpcr.Prcb.ProcessorState is getting updated to reflect of the current state of the corresponding register (dr0)? Dr0 is on the logical processor while kpcr.Prcb.ProcessorState.SpecialRegisters.KernelDr0 is in main computer memory. kpcr.Prcb.ProcessorState get's set early in the boot process when the KPCR is initialized. It also get's set on hibernation and when a bugcheck occurs. I am not aware of it being set on context shift. Applications which convert a raw memory dump to MS crashdump format also adjust some context values in kpcr.Prcb.ProcessorState of Processor0 so that Windbg will recognize the processor architecture. This is needed because kpcr.Prcb.ProcessorState typically is not current. Maybe in this case the rootkit is updating kpcr.Prcb.ProcessorState; or else MHL is running some software that updates it as part of the acquisition process?
  • 1
  • 2
  • 3
  • 4
  • 5
  • 15