A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4566  by korczyn
 Wed Jan 19, 2011 3:53 pm
Hello,

I'd like to ask for Trojan.Senkrad, other aliases are presented below:

* Trojan.Senkrad [PCTools]
* Trojan.Senkrad [Symantec]
* Gen.Trojan [Ikarus]
* Win-Trojan/Darkness.36352 [AhnLab]
* packed with: UPX [Kaspersky Lab]

some more details can be found at:
http://www.threatexpert.com/report.aspx ... 0cd90c6634

Thanks for help,
regards,
korczyn
 #4582  by korczyn
 Thu Jan 20, 2011 11:49 am
Hi there!
EP_X0FF wrote: Hello, korczyn.

Also take a look here http://www.kernelmode.info/forum/viewto ... ness#p4117
Thanks a lot for your help! However, I feel the malware you've sent me is not the one I need... in fact, Trojan.Senkrad causes the compromised computer to become part of the Darkness (DDoS) botnet, whereas the one you sent me is more of a keylogger...

Please check it out:

The one you sent me:
http://www.threatexpert.com/report.aspx ... a36ccacf48

The one I'm searching for:
http://www.threatexpert.com/report.aspx ... 0cd90c6634

Btw, it's said that Darkness botnet is much more effective than its predecessors (Black Energy, Illusion)

Thanks in advance for your help,
korczyn
 #4724  by moranned
 Tue Jan 25, 2011 5:41 pm
http://www.threatexpert.com/report.aspx ... 0cd90c6634 is in fact a Darkness sample. The giveaways are that it drops dwm.exe in %Windir%\system\ and places a file with a unique identifier at %Windir%\Temp\ddid. This is standard behavior for earlier versions of Darkness.

http://www.threatexpert.com/report.aspx ... a36ccacf48 is not Darkness. It is a different DDoS malware family altogether and appears to be an advanced version of RusKill.
 #4726  by EP_X0FF
 Tue Jan 25, 2011 6:19 pm
moranned wrote: http://www.threatexpert.com/report.aspx ... 0cd90c6634 is in fact a Darkness sample. The giveaways are that it drops dwm.exe in %Windir%\system\ and places a file with a unique identifier at %Windir%\Temp\ddid. This is standard behavior for earlier versions of Darkness.
http://www.threatexpert.com/report.aspx ... a36ccacf48 is not Darkness. It is a different DDoS malware family altogether and appears to be an advanced version of RusKill.
f03bc8dcc090607f38ffb3a36ccacf48
* The following files were created in the system:
#  Filename(s)  File Size  File Hash  Alias
1  %Windir%\system\dwm.exe [file and pathname of the sample #1]  41,984 bytes  MD5: 0xF03BC8DCC090607F38FFB3A36CCACF48
3  %Windir%\Temp\ddid  6 bytes  MD5: 0x79A79E5CF4F018A41D292203F4F1E271  SHA-1: 0x339490F05EE70EFD4DD3345BD67DB7CFC6C896C2  (not available)
Have you looked at the sample yourself before posting? I'm not even talking about a few quite obvious things.

0xF03BC8DCC090607F38FFB3A36CCACF48
darkness IpSectPro service "Running" %Windir%\system\dwm.exe

0xBE1A936FEEC2945D29B07C0CD90C6634
darkness IpSectPro service "Running" %Windir%\system\dwm.exe
 #4731  by moranned
 Wed Jan 26, 2011 3:28 am
Yes, I have looked at and run the sample in my lab, and I noted the following characteristics, which are not Darkness. Specifically:

%System%\drivers\kmhfoot.exe
%System%\drivers\kmhfoot.exe525
%System%\drivers\kmhfoot.exe706
%Windir%\Temp\tmp.exe 177,664 bytes
MD5: 0xFB88C02090D9A42FEF851B600FD8EC85
SHA-1: 0xD080BEEE2145BF5F962569ED2458625B39BE61F3 Trojan-PSW.Win32.Papras.aiw [Kaspersky Lab]
Trojan:Win32/Dishigy.A [Microsoft]

You're correct that it also drops a Darkness payload. I should have been more precise in my statement, but kmhfoot.exe is definitely not Darkness. You'll also notice that kmhfoot.exe is checking in with a different controller.
 #4737  by EP_X0FF
 Wed Jan 26, 2011 4:37 am
It's a muldrop trojan with two backdoors inside; what difference does it make what the second one is if the first is Darkness :)
 #4743  by moranned
 Wed Jan 26, 2011 12:22 pm
The difference is that there is also a second family of DDoS malware that, in this case, is being distributed with Darkness. Personally, I find that interesting. It may also be important to sites that need to understand how to protect themselves from attacks, as kmhfoot.exe has a different signature than Darkness.
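The host artefacts the thread settles on (dwm.exe under %Windir%\system\, the 6-byte %Windir%\Temp\ddid identifier, the IpSectPro service, and the separate kmhfoot.exe family) can be turned into a small triage check. The code below is an added example written for this page, not code from the forum or any vendor; the line format it parses and the sample report are constructed from the thread's values, and the sizes for the kmhfoot.exe entries are omitted because the thread does not give them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the thread (earlier Darkness versions), normalised to lowercase.
DARKNESS_DROPPER = r"%windir%\system\dwm.exe"
DARKNESS_ID_FILE = r"%windir%\temp\ddid"          # 6-byte unique identifier file
DARKNESS_SERVICE = "ipsectpro"
KNOWN_DARKNESS_MD5 = {"f03bc8dcc090607f38ffb3a36ccacf48",
                      "be1a936feec2945d29b07c0cd90c6634"}
SECOND_FAMILY_PREFIX = r"%system%\drivers\kmhfoot.exe"   # kmhfoot.exe, kmhfoot.exe525, ...

@dataclass
class Dropped:
    path: str            # lowercased, env-var style path as the sandbox reports it
    size: Optional[int]  # bytes, None when the report omits it
    md5: Optional[str]

# Constructed line layout: '<path> [<size> bytes] [MD5: 0x<hash>]'
FILE_LINE = re.compile(
    r"^(?P<path>\S+)(?:\s+(?P<size>[\d,]+)\s+bytes)?"
    r"(?:\s+MD5:\s*0x(?P<md5>[0-9a-f]{32}))?\s*$", re.IGNORECASE)

def parse_created_files(text: str) -> list:
    """Parse created-file lines; headers and lines in other layouts are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            out.append(Dropped(m["path"].lower(),
                               int(m["size"].replace(",", "")) if m["size"] else None,
                               m["md5"].lower() if m["md5"] else None))
    return out

def triage(files, running_services) -> dict:
    """Flag Darkness only when the dropper is corroborated by a second artefact."""
    paths = {f.path: f for f in files}
    hits = []
    if DARKNESS_DROPPER in paths:
        hits.append("dwm.exe dropped in %Windir%\\system\\")
    ddid = paths.get(DARKNESS_ID_FILE)
    if ddid is not None and ddid.size == 6:
        hits.append("6-byte %Windir%\\Temp\\ddid identifier file")
    if DARKNESS_SERVICE in {s.lower() for s in running_services}:
        hits.append("IpSectPro service running")
    if any(f.md5 in KNOWN_DARKNESS_MD5 for f in files):
        hits.append("known Darkness sample hash")
    second = sorted(p for p in paths if p.startswith(SECOND_FAMILY_PREFIX))
    return {"darkness": DARKNESS_DROPPER in paths and len(hits) >= 2,
            "darkness_hits": hits,
            "second_family": bool(second), "second_family_files": second}

# Constructed sample report assembled from the values quoted in this thread.
SAMPLE_REPORT = r"""
The following files were created in the system:
%Windir%\system\dwm.exe 41,984 bytes MD5: 0xF03BC8DCC090607F38FFB3A36CCACF48
%Windir%\Temp\ddid 6 bytes MD5: 0x79A79E5CF4F018A41D292203F4F1E271
%System%\drivers\kmhfoot.exe
%System%\drivers\kmhfoot.exe525
%Windir%\Temp\tmp.exe 177,664 bytes MD5: 0xFB88C02090D9A42FEF851B600FD8EC85
"""
```

Running triage on the sample with IpSectPro listed as a running service flags both Darkness and the second family, while a report containing only dwm.exe stays unflagged.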