Bootkit: Win32/Gapz

Forum for analysis and discussion about malware.
kmd
Posts: 268
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation

Re: Bootkit: Win32/Gapz

Post by kmd » Thu Mar 28, 2013 3:52 am

@EP_X0FF

thx
i think number of HIPS will allow write that way

and other question:

if you read ESET article about gapz they mentioned ELAM is bad in relation to bootkits.

Opinions?

EP_X0FF
Global Moderator
Posts: 4781
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Bootkit: Win32/Gapz

Post by EP_X0FF » Thu Mar 28, 2013 4:28 am

kmd wrote: and other question:

if you read ESET article about gapz they mentioned ELAM is bad in relation to bootkits.

lolwut?

I didn't notice it earlier.

ELAM was created for ISVs, so they would be able to load their drivers before "boot" drivers and ISVs would be able to control the loading of other boot drivers; in simple words: to give a safe, documented way to start first in the driver boot chain. It wasn't designed to fight against bootkits. He stated this and could have stopped at this point. But no, next you can see an example of crappy AV promotion -> a security researcher from an AV company shows the OS vendor as if it is lacking security in its newly implemented security feature. Yes, they are all idiots, and only in ESET are real specialists.

ELAM was designed to be a part of the Windows NT 6.2 secured boot architecture, not a standalone feature. The "Secure Boot" protocol, which is part of UEFI 2.3.1, is what was designed to address bootkits.

Overall I suggest the author RTFM next time before posting such a crappy AV article.
Ring0 - the source of inspiration

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: Bootkit: Win32/Gapz

Post by r3shl4k1sh » Tue Apr 09, 2013 6:44 am


Alex
Posts: 268
Joined: Sun Mar 07, 2010 11:34 am

Re: Bootkit: Win32/Gapz

Post by Alex » Tue Apr 09, 2013 7:24 pm

Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change the fact that it is easier to detect and clean than some older bootkits (see the real Mebroot, for example).
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: Bootkit: Win32/Gapz

Post by r3shl4k1sh » Tue Apr 09, 2013 8:11 pm

Alex wrote: Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change a fact that it is easier to detect and clean it than some older bootkits (see real mebroot for example).

IMO: once you detect that it's there you probably won't leave it alone, so why does the attacker need to care about it?

EP_X0FF
Global Moderator
Posts: 4781
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Bootkit: Win32/Gapz

Post by EP_X0FF » Wed Apr 10, 2013 7:00 am

r3shl4k1sh wrote:
Alex wrote: Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change a fact that it is easier to detect and clean it than some older bootkits (see real mebroot for example).
IMO: Once you detect that its there you probably won't leave it alone so why the attacker needs to care about it?

Because AV scanners mostly scan files/folders/startup locations by accessing the disk, so they can then use a signature matcher/other modules working with the read data. Inability to remove is in most cases a side effect of the filtering used to "hide" the actual data from scanners. Quick example from the past. The TDL3-injected dll was detected by the memory scan of some AV, but the infected driver was not detected, as I/O requests were filtered by the rootkit. The scanner reports to the user that he has an infection on the computer, then the scanner "neutralizes" the malware in memory and asks for a reboot (as it cannot safely unmap all dll code); the computer reboots, TDL3 starts up, injects the dll -> the scanner again reports the infection. The user panics and starts to create topics on internet forums - "invincible virus, please help", "gpu paravirtualization rootkit", "am i infected with blue pill?" etc.

Plus that active "antiremoval feature" gives +$$$$ to the malware price, as most users of it are too dumb so they cannot even properly configure their webshits.

As for bootkits overall - they are all mediocre shit, where the most advanced set their I/O filters at the disk port driver level and exploit the computer boot scheme in different ways (MBR/VBR with variations).
Ring0 - the source of inspiration

eyer
Posts: 2
Joined: Tue Oct 23, 2012 11:49 pm

Re: Bootkit: Win32/Gapz

Post by eyer » Thu Apr 25, 2013 4:03 am

I was only able to get the first Gapz.a dropper to infect WinXP & Win7x64SP1.
2nd one only Win7x64SP1.
Gapz.b no infection on xpsp3.

Did you guys observe anything differently?

eyer
Posts: 2
Joined: Tue Oct 23, 2012 11:49 pm

Re: Bootkit: Win32/Gapz

Post by eyer » Fri Apr 26, 2013 1:11 am

Is Gapz.b even a rootkit? On Win7 it only creates an Autorun Key to launch itself :\!

EP_X0FF
Global Moderator
Posts: 4781
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Bootkit: Win32/Gapz

Post by EP_X0FF » Fri Apr 26, 2013 1:20 am

eyer wrote: Is Gapz.b even a rootkit? On Win7 it only creates an Autorun Key to launch itself :\!

What is your test hardware configuration btw? What is "Gapz.b"? Use hashes instead of non-meaningful names. Except for the explorer trick, this sad shit is totally uninteresting.
Ring0 - the source of inspiration

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Gapz A, B, C

Post by r3shl4k1sh » Wed May 15, 2013 11:45 pm

Looking for the Gapz samples mentioned in the ESET article http://www.welivesecurity.com/wp-conten ... epaper.pdf
  • Win32/Gapz.A
    1f206ea64fb3ccbe0cd7ff7972bef2592bb30c84
  • Win32/Gapz.B
    e4b64c3672e98dc78c5a356a68f89e02154ce9a6
  • Win32/Gapz.C
    85fb77682705b06a77d73638df3b22ac1dbab78b
