WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Forum for analysis and discussion about malware.
R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

WinNT/Turla (WinNT/Pfinet, Uroburos rootkit)

Post by R136a1 » Thu May 31, 2012 2:49 pm

Flying under the radar:

The following link shows some interesting information on a piece of malware that is not yet classified:
http://threatexpert.com/reports.aspx?fi ... r&x=12&y=7

First uploaded in 2010, but some of the C&C servers are still online, so maybe it is still actively used.
Moreover, it contains a kernel mode component and the origin is stated as Russian Federation, which may indicate a real challenge.

MD5 hashes
0482d1652c2a0e6c16ca3e2a53be0783
9dc0f7e7aec2bda05d70fdfa2fc50bd0
fa4bda12c94824ab451da83bae240c5d
938b92958ded4d50a357d22eddf141ad
4f6f873d25b32698ffb3488769109269

Xylitol
Global Moderator
Posts: 1667
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Malware Requests

Post by Xylitol » Thu May 31, 2012 3:52 pm

@R136a1, found only these:
0482d1652c2a0e6c16ca3e2a53be0783
9dc0f7e7aec2bda05d70fdfa2fc50bd0
938b92958ded4d50a357d22eddf141ad


R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Uroburos rootkit

Post by R136a1 » Sat Mar 01, 2014 8:24 am

For samples and some info take a look at my tweets:
https://twitter.com/theenergystory
https://twitter.com/malwarechannel

Regards

CloneRanger
Posts: 124
Joined: Sat Aug 14, 2010 11:54 pm

Re: Uroburos rootkit

Post by CloneRanger » Sun Mar 02, 2014 5:18 am

@ R136a1 Good catches, Thanx :)

ALL the samples in your 2 Zips are reported by PeStudio as Signed. But viewing Properties indicates they are Not! Have the coders discovered a clever way of tricking the OS into believing they are signed, or is there another reason why my screenies show what they do?

If they have managed to do that, how ?

Sample in screenies = inj_snake_x64.dll
Malware = If your names not down, you're Not coming in !

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Uroburos rootkit

Post by R136a1 » Sun Mar 02, 2014 8:04 am

When PeStudio detects something as digitally signed, it has to be 100% correct. So let's find out how they managed to fool Windows into thinking the files are signed! [/irony]

No, none of the files is digitally signed! And they also didn't find a way to fool Windows (why Windows anyway? PeStudio detects it as signed!) into thinking so. I don't know what PeStudio is using as an indicator for detecting files as digitally signed, but the implementation is obviously buggy.

Why do you blindly trust any tool when the opposite is obviously right (as you saw yourself)? ;)
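Since the disagreement above is about whether a tool's "signed" flag can be trusted, here is the check a practitioner would actually run rather than reading a GUI: parse the PE optional header, find the Certificate Table (data directory entry 4) and see whether a WIN_CERTIFICATE of type PKCS_SIGNED_DATA is attached. This is an added example, not code from the thread or from PeStudio; the toy PE32+ image it builds is constructed for illustration only and is not loadable. It only tells you a signature blob is present; whether that signature is valid needs a full Authenticode verification (WinVerifyTrust, osslsigncode or similar), which this script deliberately does not attempt.

```python
"""Does this PE carry an Authenticode signature block? (added example)

Reads the Certificate Table entry of the optional header's data directories.
Presence of a WIN_CERTIFICATE is all this establishes; it does not verify it.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def security_directory(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or (0, 0) if none.

    Unlike every other data directory, this entry's first field is a raw file
    offset rather than an RVA, because the signature lives outside any section.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        nrva_off, dd_base = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        nrva_off, dd_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0                              # NumberOfRvaAndSizes too small: no such entry
    return struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def has_authenticode_blob(data: bytes) -> bool:
    """True if a plausibly well-formed PKCS#7 WIN_CERTIFICATE is attached."""
    off, size = security_directory(data)
    if size < 8 or off + size > len(data):
        return False                             # absent, or directory points outside the file
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= size


def toy_win_certificate(pkcs7: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE wrapper; pkcs7 is a stand-in, not a real signature."""
    body = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    return body + b"\0" * (-len(body) % 8)      # entries are 8-byte aligned


def build_toy_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed header-only PE32+ image (not loadable) for exercising the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                         # PE32+ optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if cert_blob:
        file_off = len(dos) + 4 + len(coff) + len(opt)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         file_off, len(cert_blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    # Usage: python authenticode_present.py <file.exe|.dll|.sys>; without an
    # argument it checks the constructed toy image instead.
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:
        blob = build_toy_pe(toy_win_certificate(b"\x30\x82" + b"\0" * 14))
    print("Authenticode block present:", has_authenticode_blob(blob))
```

A tool that shows a file as "signed" without this directory being non-empty is reading something else (a certificate-looking string, a resource, its own cache); a file that has the directory may still carry a broken or untrusted signature, which is why the presence check is the start of the triage, not the end.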

STRELiTZIA
Posts: 103
Joined: Sun Mar 14, 2010 7:02 am

Re: Uroburos rootkit

Post by STRELiTZIA » Sun Mar 02, 2014 9:59 am

@CloneRanger
Are you sure you are using the updated release?

t4L
Global Moderator
Posts: 139
Joined: Tue Mar 09, 2010 5:44 pm

Re: Uroburos rootkit

Post by t4L » Mon Mar 03, 2014 2:58 am

I guess you're misunderstanding PeStudio. IMHO, the file has the characteristic when the star on the left of it lights up. In this case, the file isn't signed, since that star is blurred.

PeStudio GUI design is bad, but not that hard to recognize.

CloneRanger
Posts: 124
Joined: Sat Aug 14, 2010 11:54 pm

Re: Uroburos rootkit

Post by CloneRanger » Mon Mar 03, 2014 5:44 am

@ R136a1

Well, I don't pretend to be an expert. I just thought that there "might" be something worth exploring further. Anyway, see below.

@ STRELiTZIA

Yes, it was an earlier version I was using.

@ t4L

You're right, I mistakenly glossed over that. Ah well, live n learn! Actually I think it is a useful addition to our Tools etc box ;)

Thanx
Malware = If your names not down, you're Not coming in !

frank_boldewin
Posts: 116
Joined: Thu Apr 22, 2010 8:59 am
Location: germany

Re: Uroburos rootkit

Post by frank_boldewin » Mon Mar 03, 2014 5:29 pm

Yesterday I wrote on Facebook that the Uroboros malware reminds me of a similar case back in 2008. Now I'm pretty sure. When the dropper executes, it first checks whether it runs on a 32-bit or 64-bit system to select which driver to drop later. It creates a directory $NtUninstallQ817473 inside the Windows directory and drops an encrypted driver called fdisk.sys. Then a 400MB file called fixdata.dat is created. This is an encrypted filesystem storing the malware's usermode files, which are injected into services.exe and explorer.exe.
Further, it is used to store stolen documents, e.g. Word, Excel, PowerPoint. The driver fdisk.sys manages the fixdata.dat filesystem and the network communication. The driver avoids hiding itself or using defense tactics. Symantec analysed an older version of this malware in November 2009 and called it Backdoor.Pfinet. Of course I haven't made a deep dive into the malware in the short period of time I looked at it, so there will still be a lot of things to explore. ;)


Someone has seen a deep analysis already?
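The on-disk artifacts frank_boldewin lists above (the $NtUninstallQ817473 staging directory under the Windows directory, the encrypted fdisk.sys driver, the ~400MB fixdata.dat container) are exactly what a host sweep can look for. The script below is an added example written for this thread, not code from the post or from any vendor tool. It assumes those names verbatim; since the post does not say where fixdata.dat lands, it checks both the Windows directory and the staging directory (an assumption). Because the driver is stored encrypted, the script also checks that fdisk.sys does not parse as a PE and has high byte entropy, a heuristic that distinguishes it from a normal plaintext driver. The fixture it scans is a constructed directory tree in a temp folder, not real samples.

```python
"""Host sweep for the Uroburos on-disk artifacts described above (added example).

Assumed from the post: staging directory $NtUninstallQ817473 under the Windows
directory, an encrypted driver fdisk.sys, and a ~400 MB container fixdata.dat.
Where fixdata.dat lives is not stated, so both locations are checked (assumption).
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

STAGING_DIR = "$NtUninstallQ817473"   # name as reported in the post
DRIVER_NAME = "fdisk.sys"
CONTAINER_NAME = "fixdata.dat"
CONTAINER_MB = 400
HIGH_ENTROPY = 7.0                   # heuristic: plaintext PE code sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or random data, lower for code and text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_windows_dir(windir: Path) -> dict:
    """Report which of the described artifacts exist under windir."""
    f = {"staging_dir": False, "driver": False, "driver_is_pe": None,
         "driver_entropy": None, "container": None, "container_mb": None}
    staging = windir / STAGING_DIR
    if not staging.is_dir():
        return f
    f["staging_dir"] = True
    drv = staging / DRIVER_NAME
    if drv.is_file():
        head = drv.read_bytes()[:65536]          # the head is enough for the heuristic
        f["driver"] = True
        f["driver_is_pe"] = head[:2] == b"MZ"    # an encrypted driver will not start with MZ
        f["driver_entropy"] = round(shannon_entropy(head), 2)
    for candidate in (windir / CONTAINER_NAME, staging / CONTAINER_NAME):
        if candidate.is_file():
            f["container"] = str(candidate)
            f["container_mb"] = round(candidate.stat().st_size / 2 ** 20)
            break
    return f


def verdict(f: dict) -> str:
    """Triage label: two or more independent indicators together count as a match."""
    if not f["staging_dir"]:
        return "clean"
    hits = [f["driver"], f["container"] is not None]
    if f["driver"] and not f["driver_is_pe"] and f["driver_entropy"] > HIGH_ENTROPY:
        hits.append(True)                        # encrypted-looking driver is its own indicator
    return "match" if sum(hits) >= 2 else "suspicious"


def demo(plant: bool = True) -> dict:
    """Build the constructed layout in a temp dir and scan it (fixture, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = Path(tmp) / "Windows"
        windir.mkdir()
        if plant:
            staging = windir / STAGING_DIR
            staging.mkdir()
            # Stand-in for the encrypted driver: random bytes, first byte forced
            # so the fixture can never look like an MZ header by chance.
            (staging / DRIVER_NAME).write_bytes(b"\xff" + os.urandom(4095))
            with open(staging / CONTAINER_NAME, "wb") as fh:
                fh.truncate(CONTAINER_MB * 2 ** 20)   # sparse file: size only, no data written
        return scan_windows_dir(windir)


if __name__ == "__main__":
    # On a real host: scan_windows_dir(Path(os.environ["SystemRoot"]))
    findings = demo()
    print(findings)
    print("verdict:", verdict(findings))
```

On a live system the same function is pointed at %SystemRoot%; a hit on the directory alone is only "suspicious", because the $NtUninstall... naming deliberately blends in with hotfix uninstall folders, while an encrypted fdisk.sys plus a 400MB fixdata.dat next to it is the combination the post describes.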
