 #15018  by CatalystXP
 Sun Aug 05, 2012 12:56 pm
Hi everyone! I need a live Sinowal rootkit, the one that infects the MBR. I want to test the ability of antivirus software to detect and clean an active rootkit infection. I cannot check every file that has been posted. If someone has a sample, please send a link to the archive in a PM. And so as not to spam, if you have one, please also send a sample of the live VBR rootkit Rovnix.
Sorry for my very bad English.
 #15019  by PX5
 Sun Aug 05, 2012 2:58 pm
CatalystXP wrote:Hi everyone! I need a live Sinowal rootkit, the one that infects the MBR. I want to test the ability of antivirus software to detect and clean an active rootkit infection. I cannot check every file that has been posted. If someone has a sample, please send a link to the archive in a PM. And so as not to spam, if you have one, please also send a sample of the live VBR rootkit Rovnix.
Sorry for my very bad English.
BH URL still active...

mouseinputnolongerworks.com/index.php?tp=0f4b6d00d5c05110

Bin Attached
pw=infected
 #15024  by dumb110
 Mon Aug 06, 2012 10:22 am
The 16 KB files are corrupted. The other files are ciphered or junk; all are non-executables.
 #15027  by PX5
 Mon Aug 06, 2012 11:32 am
Files are fine, Kaf; it helps if you know what file types and such are involved. I knew there was a use for regsvr32. ;)


By the way, 92ce8171d5b529b1fb8d0854dbb04e83 has survived a full re-image using Acronis and is functioning quite well atm. :(
 #15029  by nullptr
 Mon Aug 06, 2012 12:34 pm
It's been some time since I bothered looking at Sinowal, but IIRC you can just remove the DLL flag from the PE characteristics and they'll run fine.
I always used this method + debugger to remove their crypter.
 #15104  by thisisu
 Fri Aug 10, 2012 8:41 pm
PX5 wrote:i knew there was a use for regsvr32. ;)
So you use regsvr32.exe to register these win32 .dlls and then you can be infected with Sinowal?
IIRC I had another tool that could inject dlls into a process but does it matter which process I choose?
What would be the easiest way to infect myself with Sinowal?