Search found 11 matches

by tomchop
Mon Apr 11, 2016 7:03 pm
Forum: Malware
Topic: Citadel (Zeus clone)
Replies: 197
Views: 392312

Re: Citadel (Zeus clone)

Thanks a lot for this. I'll try to cook up a Volatility plugin this week.

by tomchop
Thu Apr 30, 2015 7:51 am
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 120912

Re: Win32/Xswkit (alias Gootkit)

The link doesn't seem to be working (404). I'm curious to see how the patch works (at least concerning the persistence functionality), since it's basically a Windows "feature" that's being exploited (patches are installed via the sdbinst utility).

by tomchop
Mon Apr 13, 2015 4:41 pm
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 120912

Re: Win32/Xswkit (alias Gootkit)

Yeah, I try to keep the patches up-to-date whenever I can. I have a few months' lag at most.

by tomchop
Mon Apr 13, 2015 12:24 pm
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 120912

Re: Win32/Xswkit (alias Gootkit)

Yeah, I have the main module and I think I've identified the correct JS table. I need to look for the RC4 subroutine (I think I may have stumbled upon it early into my analysis). Thanks a lot for the tip! Will let you know of my findings.

by tomchop
Mon Apr 13, 2015 9:52 am
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 120912

Re: Win32/Xswkit (alias Gootkit)

That's weird, the malware has no problem running on my Win7 (x86 or x64) VMs. When I open, say, chrome.exe in OllyDbg, I see the .reloc section in kernel32 is patched and contains the shellcode. If you're trying to debug it, then maybe the best solution is to set your JIT debugger and replace the first...

by tomchop
Sat Apr 11, 2015 2:30 pm
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 120912

Re: Win32/Xswkit (alias Gootkit)

Yes, sdb-explorer works pretty well for extracting the patch bits:

Trying to process patch by tag type: PATCH_TAGID
00000000: 02 00 00 00 2a 17 00 00 d6 16 00 00 00 80 0c 00
00000010: 00 00 00 00 6b 00 65 00 72 00 6e 00 65 00 6c 00
00000020: 33 00 32 00 2e 00 64 00 6c 00 6c 00 00 00 00 00
00000030: 0...

by tomchop
Sat Apr 11, 2015 11:13 am
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 120912

Re: Win32/Xswkit (alias Gootkit)

From what I recall it also sends what looks like tons of debug messages over the network (in cleartext).

by tomchop
Sat Apr 11, 2015 10:18 am
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 120912

Re: Win32/Xswkit (alias Gootkit)

It's the one that came through malicious Word macros a few weeks ago (can be unpacked with Word :))

by tomchop
Sat Apr 11, 2015 10:00 am
Forum: Malware
Topic: Win32/Xswkit (alias Gootkit)
Replies: 61
Views: 120912

Re: Win32/Xswkit (alias Gootkit)

The last sample I got my hands on (I'm attaching the .dll here) uses the AppCompat database to ensure persistence on the system. They effectively use sdbinst to install patches that modify the .reloc section of kernel32.dll (after it's loaded I guess) and insert custom shellcode. A jump to that shel...

by tomchop
Fri Jul 18, 2014 5:17 pm
Forum: Reverse Engineering and Debugging
Topic: Decoding RC4 Strings
Replies: 1
Views: 5574

Re: Decoding RC4 Strings

If you're focusing on Zeus (or its variants like Citadel), I strongly recommend you dig into the Volatility plugins that have been made to dump part of their configuration (including their RC4 keys). Here are some useful links: Volatility zeusscan.py plugin, Volatility 2.0 Plugin Vscan (Very early...