Bootkit: Win32/Gapz

Forum for analysis and discussion about malware.

Re: Bootkit: Win32/Gapz

Postby kmd » Thu Mar 28, 2013 3:52 am

@EP_X0FF

thx
I think a number of HIPS will allow writing that way.

And another question:

If you read the ESET article about Gapz, they mentioned ELAM is bad in relation to bootkits.

Opinions?
kmd
 
Posts: 268
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation
Reputation point: 17

Re: Bootkit: Win32/Gapz

Postby EP_X0FF » Thu Mar 28, 2013 4:28 am

kmd wrote: And another question:

If you read the ESET article about Gapz, they mentioned ELAM is bad in relation to bootkits.


lolwut?

I didn't notice it earlier.

ELAM was created for ISVs, so they will be able to load their drivers before "boot" drivers and ISVs will be able to control the loading of other boot drivers; in simple words: give a safe, documented way to start first in the driver boot chain. It wasn't designed to fight against bootkits. He stated this and could have stopped at this point. But no, next you can see an example of crappy AV promotion -> a security researcher from an AV company shows the OS vendor as if it is lacking security in their newly implemented security feature. Yes, they are all idiots, and only in ESET are real specialists.

ELAM was designed to be a part of Windows NT 6.2 secured boot architecture. Not a standalone feature. "Secure boot" protocol which is part of UEFI 2.3.1 is what was designed to address bootkits.

Overall I suggest the author RTFM next time before posting such a crappy AV article.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Bootkit: Win32/Gapz

Postby r3shl4k1sh » Tue Apr 09, 2013 6:44 am

r3shl4k1sh
 
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel
Reputation point: 41

Re: Bootkit: Win32/Gapz

Postby Alex » Tue Apr 09, 2013 7:24 pm

Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change the fact that it is easier to detect and clean than some older bootkits (see the real Mebroot for example).
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)
Alex
 
Posts: 268
Joined: Sun Mar 07, 2010 11:34 am
Reputation point: 89

Re: Bootkit: Win32/Gapz

Postby r3shl4k1sh » Tue Apr 09, 2013 8:11 pm

Alex wrote: Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change the fact that it is easier to detect and clean than some older bootkits (see the real Mebroot for example).


IMO: Once you detect that it's there you probably won't leave it alone, so why does the attacker need to care about it?
r3shl4k1sh
 
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel
Reputation point: 41

Re: Bootkit: Win32/Gapz

Postby EP_X0FF » Wed Apr 10, 2013 7:00 am

r3shl4k1sh wrote:
Alex wrote: Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change the fact that it is easier to detect and clean than some older bootkits (see the real Mebroot for example).


IMO: Once you detect that it's there you probably won't leave it alone, so why does the attacker need to care about it?


Because AV scanners mostly scan files/folders/startup locations by accessing the disk, so they can then use a signature matcher/other modules working with the read data. Inability to remove is in most cases a side effect of the filtering used to "hide" the actual data from scanners. Quick example from the past. The TDL3 injected DLL was detected by memory scan by some AV, but the infected driver was not detected, as I/O requests were filtered by the rootkit. The scanner reports to the user that he has an infection on the computer, then the scanner "neutralizes" the malware in memory and asks for a reboot (as it cannot safely unmap all DLL code); the computer reboots, TDL3 starts up, injects the DLL -> the scanner again reports the infection. The user panics and starts to create topics on internet forums - "invincible virus, please help", "gpu paravirtualization rootkit", "am i infected with blue pill?" etc.

Plus that active "antiremoval feature" gives +$$$$ to the malware price, as most users of it are too dumb so they can't even properly configure their webshits.

As for bootkits overall - they are all mediocre shit, where the most advanced set their I/O filters at the disk port driver level and exploit the computer boot scheme in different ways (MBR/VBR with variations).
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
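
The post above describes the defender's problem: a scanner that reads through the normal I/O path gets whatever the rootkit's filter decides to return, so the infected driver looks clean even while the infection is visible in memory. The standard counter is a cross-view check: read the same sectors through an independent path and diff the two views. The block below is an added example, not code from this thread or from any product mentioned in it; the disk, the file table and the "filter" are all constructed in-memory stand-ins, so it runs offline and only illustrates the principle, not a real volume reader.

```python
"""Cross-view detection of I/O-filtered file content (constructed simulation).

The ToyDisk models a volume as a list of fixed-size sectors plus a file
table. `filtered_read` is the "normal" OS path, where a rootkit-style
filter may substitute clean bytes for the sectors it overwrote;
`raw_read` is the independent view (think raw sector access below the
filter). A scanner that only uses `filtered_read` never sees the
infection; a cross-view scan hashes both views and reports any sector
where they disagree.
"""
import hashlib
from dataclasses import dataclass, field

SECTOR_SIZE = 16  # constructed: tiny sectors keep the sample readable


@dataclass
class ToyDisk:
    sectors: list                       # bytes per sector (what is on disk)
    files: dict                         # name -> list of sector indices
    filter_map: dict = field(default_factory=dict)  # idx -> substituted bytes

    def raw_read(self, idx: int) -> bytes:
        """Independent view: the bytes actually stored in the sector."""
        return self.sectors[idx]

    def filtered_read(self, idx: int) -> bytes:
        """Normal OS path: the filter hands back clean bytes for hooked sectors."""
        return self.filter_map.get(idx, self.sectors[idx])


def sector_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def contains_pattern(disk: ToyDisk, name: str, pattern: bytes, raw: bool = False) -> bool:
    """Signature-style check over one file, through the filtered or the raw path."""
    read = disk.raw_read if raw else disk.filtered_read
    data = b"".join(read(i) for i in disk.files[name])
    return pattern in data


def cross_view_scan(disk: ToyDisk, name: str) -> list:
    """Sector indices of `name` whose filtered and raw views differ."""
    return [
        idx for idx in disk.files[name]
        if sector_hash(disk.filtered_read(idx)) != sector_hash(disk.raw_read(idx))
    ]


def scan_all(disk: ToyDisk) -> dict:
    """Every file with at least one divergent sector, with the indices."""
    result = {}
    for name in disk.files:
        hidden = cross_view_scan(disk, name)
        if hidden:
            result[name] = hidden
    return result


def build_sample_disk() -> ToyDisk:
    """Constructed sample: a 4-sector driver whose sectors 1 and 2 were
    overwritten; the filter serves the original bytes for exactly those
    two sectors. A second, untouched file shows the no-divergence case."""
    original_driver = [
        b"DRIVER.SYS hdr  ",
        b"code block one  ",
        b"code block two  ",
        b"code tail       ",
    ]
    infected_driver = list(original_driver)
    infected_driver[1] = b"INFECTED hook   "
    infected_driver[2] = b"INFECTED loader "
    clean_exe = [b"CLEAN.EXE hdr   ", b"clean body      "]
    assert all(len(s) == SECTOR_SIZE for s in infected_driver + clean_exe)
    return ToyDisk(
        sectors=infected_driver + clean_exe,
        files={"driver.sys": [0, 1, 2, 3], "clean.exe": [4, 5]},
        filter_map={1: original_driver[1], 2: original_driver[2]},
    )


if __name__ == "__main__":
    disk = build_sample_disk()
    # The signature check through the normal path misses the infection ...
    print("filtered view sees INFECTED:", contains_pattern(disk, "driver.sys", b"INFECTED"))
    # ... the raw view finds it, and the cross-view diff pinpoints the sectors.
    print("raw view sees INFECTED:     ", contains_pattern(disk, "driver.sys", b"INFECTED", raw=True))
    print("divergent sectors:", scan_all(disk))
```

The point to take from the toy is that a scanner does not need a signature for the rootkit to notice something is wrong: any sector where two independent reads disagree is evidence of filtering, which is why real tools pair file-system reads with raw volume reads or an offline boot.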

Re: Bootkit: Win32/Gapz

Postby eyer » Thu Apr 25, 2013 4:03 am

I was only able to get the first Gapz.a dropper to infect WinXP & Win7 x64 SP1.
The 2nd one only Win7 x64 SP1.
Gapz.b: no infection on XP SP3.

Did you guys observe anything different?
eyer
 
Posts: 2
Joined: Tue Oct 23, 2012 11:49 pm
Reputation point: 0

Re: Bootkit: Win32/Gapz

Postby eyer » Fri Apr 26, 2013 1:11 am

Is Gapz.b even a rootkit? On Win7 it only creates an Autorun key to launch itself :\!
eyer
 
Posts: 2
Joined: Tue Oct 23, 2012 11:49 pm
Reputation point: 0

Re: Bootkit: Win32/Gapz

Postby EP_X0FF » Fri Apr 26, 2013 1:20 am

eyer wrote: Is Gapz.b even a rootkit? On Win7 it only creates an Autorun key to launch itself :\!


What is your test hardware configuration btw? What is "Gapz.b"? Use hashes instead of non-meaningful names. Except for the explorer trick, this sad shit is totally uninteresting.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Gapz A, B, C

Postby r3shl4k1sh » Wed May 15, 2013 11:45 pm

Looking for the Gapz samples mentioned in the ESET article http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf


  • Win32/Gapz.A
    1f206ea64fb3ccbe0cd7ff7972bef2592bb30c84
  • Win32/Gapz.B
    e4b64c3672e98dc78c5a356a68f89e02154ce9a6
  • Win32/Gapz.C
    85fb77682705b06a77d73638df3b22ac1dbab78b
r3shl4k1sh
 
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel
Reputation point: 41
