WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Forum for analysis and discussion about malware.

WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Postby R136a1 » Thu May 31, 2012 2:49 pm

Flying under the radar:

The following link shows some interesting information about a malware not yet classified:
http://threatexpert.com/reports.aspx?fi ... r&x=12&y=7

First uploaded in 2010, but some of the C&C servers are still online, so maybe it is still actively used.
Moreover it contains a kernel mode component and the origin is stated as Russian Federation, which may indicate a real challenge.

MD5 hashes
0482d1652c2a0e6c16ca3e2a53be0783
9dc0f7e7aec2bda05d70fdfa2fc50bd0
fa4bda12c94824ab451da83bae240c5d
938b92958ded4d50a357d22eddf141ad
4f6f873d25b32698ffb3488769109269
R136a1
 
Posts: 215
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136

Re: Malware Requests

Postby Xylitol » Thu May 31, 2012 3:52 pm

@R136a1, found only these:
0482d1652c2a0e6c16ca3e2a53be0783
9dc0f7e7aec2bda05d70fdfa2fc50bd0
938b92958ded4d50a357d22eddf141ad
Xylitol
Global Moderator
 
Posts: 1637
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 497

WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Postby shaheen » Sat Mar 01, 2014 7:10 am

shaheen
 
Posts: 35
Joined: Wed Jun 09, 2010 11:08 pm
Reputation point: 4

Re: Uroburos rootkit

Postby R136a1 » Sat Mar 01, 2014 8:24 am

For samples and some info take a look at my tweets:
https://twitter.com/theenergystory
https://twitter.com/malwarechannel

Regards
R136a1
 
Posts: 215
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136

Re: Uroburos rootkit

Postby CloneRanger » Sun Mar 02, 2014 5:18 am

@ R136a1 Good catches, Thanx :)

ALL the samples in your 2 zips are reported by PeStudio as signed, but viewing Properties indicates they are not! Have the coders discovered a clever way of tricking the OSes into believing they are signed, or is there another reason why my screenies show what they do?

If they have managed to do that, how?

Sample in screenies = inj_snake_x64.dll
Malware = If your name's not down, you're Not coming in!
CloneRanger
 
Posts: 124
Joined: Sat Aug 14, 2010 11:54 pm
Reputation point: 14

Re: Uroburos rootkit

Postby R136a1 » Sun Mar 02, 2014 8:04 am

When PeStudio detects something as digitally signed, it has to be 100% correct. So let's find out how they managed to fool Windows into thinking the files are signed! [/irony]

No, none of the files is digitally signed! And they also didn't find a way to fool Windows (why Windows anyway? PeStudio detects it as signed!) into thinking so. I don't know what PeStudio is using as an indicator for detecting files as digitally signed, but the implementation is obviously buggy.

Why do you blindly trust in any tools when the opposite is obviously right (as you saw yourself)? ;)
R136a1
 
Posts: 215
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136
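
The point R136a1 makes above (do not take a tool's "signed" indicator on faith) can be checked directly in the file format. The following is an added example, my own code and not anything from this thread or from PeStudio: it reads the PE optional header, locates data directory entry 4 (the Authenticode certificate table) and reports whether a WIN_CERTIFICATE blob is attached. The two sample PE images it examines are constructed in the script itself (header-only, not loadable, with a placeholder blob that is not a real PKCS#7 signature), so it runs offline. An entry being present only means a signature blob is attached; whether it verifies and chains to a trusted root is a separate check (signtool or Get-AuthenticodeSignature on Windows).

```python
import struct
import sys

# PE/COFF constants from the Microsoft PE specification
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # Authenticode certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds a PKCS#7 SignedData blob
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

# Placeholder payload for the constructed sample; deliberately NOT a real signature.
FAKE_CERT_BLOB = b"CONSTRUCTED-NOT-A-REAL-PKCS7-BLOB"


def security_directory(pe: bytes) -> dict:
    """Report whether a PE image carries an Authenticode certificate table.

    Returns a dict; has_security_entry=True only means a blob is attached.
    It does not verify the signature.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    opt = coff + 20                                          # IMAGE_OPTIONAL_HEADER
    if opt + 2 > len(pe):
        raise ValueError("truncated headers")
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96                                      # DataDirectory[] offset, PE32
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112                                     # DataDirectory[] offset, PE32+
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")

    result = {"has_security_entry": False, "offset": 0, "size": 0,
              "cert_type": None, "is_pkcs7_signed_data": False}
    rva_count = struct.unpack_from("<I", pe, dirs - 4)[0]    # NumberOfRvaAndSizes
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if rva_count <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return result                                        # header has no security entry at all
    offset, size = struct.unpack_from("<II", pe, entry)      # for this entry a FILE offset, not an RVA
    if offset == 0 or size == 0:
        return result                                        # unsigned: entry is empty
    if offset + 8 > len(pe) or offset + size > len(pe):
        raise ValueError("security directory points outside the file")
    _length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)  # WIN_CERTIFICATE header
    result.update(has_security_entry=True, offset=offset, size=size, cert_type=cert_type,
                  is_pkcs7_signed_data=(cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA))
    return result


def build_sample_pe(pe32plus: bool, with_cert_entry: bool) -> bytes:
    """Build a minimal, constructed PE header (no sections, not loadable) for the demo."""
    opt_size = 240 if pe32plus else 224
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    dd_rel = 112 if pe32plus else 96                         # DataDirectory offset within optional header
    cert_off = 0x400                                         # where the WIN_CERTIFICATE will be appended
    win_cert = struct.pack("<IHH", 8 + len(FAKE_CERT_BLOB), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + FAKE_CERT_BLOB
    img = bytearray(cert_off)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2002)
    opt = 0x58
    struct.pack_into("<H", img, opt, magic)
    struct.pack_into("<I", img, opt + dd_rel - 4, 16)        # NumberOfRvaAndSizes
    if with_cert_entry:
        struct.pack_into("<II", img, opt + dd_rel + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, len(win_cert))
        img += win_cert
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:                                    # check a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(security_directory(fh.read()))
    else:                                                    # otherwise show the two constructed samples
        print("unsigned sample:", security_directory(build_sample_pe(True, False)))
        print("sample with entry:", security_directory(build_sample_pe(True, True)))
```

Run it with a path to see the raw directory entry for a real file; an all-zero entry is what an unsigned binary looks like on disk, whatever a GUI indicator shows.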

Re: Uroburos rootkit

Postby STRELiTZIA » Sun Mar 02, 2014 9:59 am

@CloneRanger
Are you sure you're using the updated release?
STRELiTZIA
 
Posts: 103
Joined: Sun Mar 14, 2010 7:02 am
Reputation point: 82

Re: Uroburos rootkit

Postby t4L » Mon Mar 03, 2014 2:58 am

I guess you're misunderstanding PeStudio. IMHO, the file has the characteristic when the star on the left of it lights up. In this case, the file isn't signed since that star is blurred.

PeStudio's GUI design is bad, but not that hard to recognize.
t4L
Global Moderator
 
Posts: 138
Joined: Tue Mar 09, 2010 5:44 pm
Reputation point: 61

Re: Uroburos rootkit

Postby CloneRanger » Mon Mar 03, 2014 5:44 am

@ R136a1

Well, I don't pretend to be an expert. I just thought that there "might" be something worth exploring further. Anyway, see below.

@ STRELiTZIA

Yes, it was an earlier version I was using.

@ t4L

You're right, I mistakenly glossed over that. Ah well, live 'n' learn! Actually I think it is a useful addition to our tools etc. box ;)

Thanx
Malware = If your name's not down, you're Not coming in!
CloneRanger
 
Posts: 124
Joined: Sat Aug 14, 2010 11:54 pm
Reputation point: 14

Re: Uroburos rootkit

Postby frank_boldewin » Mon Mar 03, 2014 5:29 pm

Yesterday I wrote on Facebook that the Uroburos malware reminds me of a similar case back in 2008. Now I'm pretty sure. When the dropper executes, it first checks if it runs on a 32-bit or 64-bit system to select what driver to drop later. It creates a directory $NtUninstallQ817473 inside the Windows directory and drops an encrypted driver called fdisk.sys. Then a 400MB file is created called fixdata.dat. This is an encrypted filesystem storing usermode files of the malware, which are being injected into services.exe and explorer.exe. Further, it is used to store stolen documents, e.g. Word, Excel, PowerPoint. The driver fdisk.sys manages the fixdata.dat filesystem and the network communication. The driver avoids hiding itself or using defense tactics. Symantec analysed an older version of this malware in November 2009 and called it Backdoor.Pfinet. Of course I haven't made a deep dive inside the malware in the short period of time I looked at it, so there will still be a lot of things to explore. ;)

Has someone seen a deep analysis already?
frank_boldewin
 
Posts: 115
Joined: Thu Apr 22, 2010 8:59 am
Location: germany
Reputation point: 89
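
The on-disk artifacts frank_boldewin lists above (the $NtUninstallQ817473 directory inside the Windows directory, the encrypted fdisk.sys driver in it, and the ~400MB fixdata.dat container) are exactly the kind of thing a responder would sweep a file listing for. The following is an added example, my own code and not the author's or anyone's analysis tooling: it runs a simple indicator check over a constructed file listing and returns the matches with a reason. The size window around 400MB and the benign contrast entries are my assumptions; the names themselves are the ones quoted in the post.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the post above (compared case-insensitively).
PFINET_DIR = "$ntuninstallq817473"
PFINET_DRIVER = "fdisk.sys"
PFINET_STORE = "fixdata.dat"
# Assumed tolerance around the "400MB" container size mentioned in the post.
STORE_MIN, STORE_MAX = 350 * 1024 ** 2, 450 * 1024 ** 2


@dataclass(frozen=True)
class FileRecord:
    path: str    # full path as enumerated on the host
    size: int    # size in bytes (0 for a directory entry)


def _components(path: str) -> list:
    """Split a Windows or POSIX path into lower-cased components."""
    return [p for p in re.split(r"[\\/]+", path.lower()) if p]


def check_pfinet_artifacts(records) -> list:
    """Return (path, reason) findings for entries matching the dropper behaviour described above."""
    findings = []
    for rec in records:
        parts = _components(rec.path)
        if not parts:
            continue
        name = parts[-1]
        staged = PFINET_DIR in parts[:-1]          # file sits inside the staging directory
        if name == PFINET_DIR:
            findings.append((rec.path, "dropper staging directory inside the Windows directory"))
        elif staged and name == PFINET_DRIVER:
            findings.append((rec.path, "encrypted kernel driver dropped by the installer"))
        elif staged and name == PFINET_STORE:
            if STORE_MIN <= rec.size <= STORE_MAX:
                findings.append((rec.path, "encrypted container, size consistent with ~400MB"))
            else:
                findings.append((rec.path, f"encrypted container name with unexpected size {rec.size}"))
        # a fixdata.dat or fdisk.sys outside the staging directory is not flagged on its own
    return findings


# Constructed sample listing (not real telemetry): two benign entries, three that match.
SAMPLE_LISTING = [
    FileRecord(r"C:\Windows\$NtUninstallKB123456$\spuninst\spuninst.exe", 218_624),  # ordinary hotfix folder
    FileRecord(r"C:\Windows\System32\drivers\disk.sys", 77_312),
    FileRecord(r"C:\Windows\$NtUninstallQ817473", 0),
    FileRecord(r"C:\Windows\$NtUninstallQ817473\fdisk.sys", 196_608),
    FileRecord(r"C:\Windows\$NtUninstallQ817473\fixdata.dat", 400 * 1024 ** 2),
]

if __name__ == "__main__":
    for path, reason in check_pfinet_artifacts(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```

Feed it the output of a recursive directory walk (path and size per entry) from a suspect host; the directory name alone is distinctive enough to be worth a hit, while the driver and container names are only flagged when they sit inside it, which keeps unrelated files with the same names out of the results.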
