WinNT/Pitou (MBR bootkit, alias Backboot)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

WinNT/Pitou (MBR bootkit, alias Backboot)

Post by EP_X0FF » Fri Jan 02, 2015 12:52 pm

Legacy BIOS MBR WinNT bootkit.

Purpose: kernel mode spambot.

MBR:
This sample: https://www.virustotal.com/en/file/c015 ... 420199827/,
previously analyzed December Pitou build: https://www.virustotal.com/en/file/269f ... /analysis/
The current sample doesn't use 0xDEADBEEF as the XOR key and looks a little bit simplified.

Hooks IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL of the disk port driver and several routines in the NDIS driver by splicing.

Contains anti-VM similar to the Win32/Avatar lolkit -> MmMapIoSpace and lookup of known VM vendor/product names.


Source:

31.184.236.83/crypted.ff.exe

HTTP/1.1 200 OK
Date: Fri, 02 Jan 2015 0X:XX:XX GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 27 Dec 2014 11:56:11 GMT
ETag: "26009a-7da00-50b3153deb85e"
Accept-Ranges: bytes
Content-Length: 514560
Connection: close
Content-Type: application/x-msdos-program

Bootkit data storage:

Located at the end of the system disk in unpartitionable space. The structure is simple -> initialization code, a copy of the original MBR used for faking while filtering I/O requests, and next the lolkit driver. Depending on the mode there will be an x86-32 driver or the x64 version of the same trash.

VT scans:

dropper (dotnet crypter)
https://www.virustotal.com/en/file/09b5 ... 420203568/

for x64 driver
https://www.virustotal.com/en/file/bbc3 ... 420202247/

for x86-32 driver
https://www.virustotal.com/en/file/403f ... 420202266/

The previously analyzed Pitou variant used XOR encryption over this data with the hardcoded 0xDEADBEEF key, decrypting the contents of the bootkit code upon bootkit MBR execution. This one stores the data without any encryption.

Small code for decoding the bootkit data used by the previous version/build:

#include <windows.h>
#include <intrin.h>

#define DATASIZE 0x6c000 //0x78c00 for x64

/*
 * Decodes the XOR-encoded Pitou bootkit data blob: every DWORD is XORed
 * with the key and the key is rotated right by one bit after each DWORD.
 */
int main(void)
{
	HANDLE					f;
	DWORD					iobytes = 0, written = 0;
	DWORD					*buffer = NULL, s0 = 0xdeadbeef;
	ULONG					c;

	f = CreateFile(TEXT("c:\\malware\\pitou\\uspace_32.dat"), GENERIC_READ | SYNCHRONIZE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
	if ( f != INVALID_HANDLE_VALUE ) {
		buffer = (DWORD *)VirtualAlloc(NULL, DATASIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
		if ( buffer != NULL ) {
			if ( !ReadFile(f, buffer, DATASIZE, &iobytes, NULL) )
				iobytes = 0;

			// only decode what was actually read; key is rotated after every DWORD
			for (c=0; c<(iobytes/4); c++) {
				buffer[c] = buffer[c] ^ s0;
				s0 = _rotr(s0, 1);
			}
		}
		CloseHandle(f);

		if ( buffer != NULL && iobytes != 0 ) {
			f = CreateFile(TEXT("c:\\malware\\pitou\\uspace_32.dmp"), GENERIC_WRITE | SYNCHRONIZE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL);
			if ( f != INVALID_HANDLE_VALUE ) {
				WriteFile(f, buffer, iobytes, &written, NULL);
				CloseHandle(f);
			}
		}

		if ( buffer != NULL )
			VirtualFree(buffer, 0, MEM_RELEASE);
	}

	ExitProcess(0);
}
Pitou dropper + extracted drivers are attached. Upon successful installation it forces a Windows reboot via an NtShutdownSystem call. For direct disk access during installation the dropper uses the IOCTL_SCSI_PASS_THROUGH request.

P.S.

F-Secure coverage of an earlier Pitou version: https://www.f-secure.com/documents/9965 ... epaper.pdf + the Pitou UAC bypass method reconstructed in UACMe - Defeating Windows User Account Control; however, this particular dropper seems unable to bypass UAC.
Ring0 - the source of inspiration
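An added example, not code from the post above and not Pitou's own code: a portable C check that ties together the two things the post describes, the data blob stashed in the unpartitioned tail of the disk (holding a copy of the original MBR) and the rotating-XOR encoding of the older build. It parses the MBR partition table to find where the partitioned area ends, then scans every sector after it for a 0x55AA boot signature either in the clear (this build) or after XOR-decoding with the rotr(0xDEADBEEF) keystream (older build). The per-sector decode relies on one assumption: the keystream period is 32 DWORDs = 128 bytes, which divides 512, so if the blob was written sector-aligned every sector decodes independently from keystream position 0. The disk image, the sector numbers and all function names (`pitou_xor`, `mbr_partitioned_end`, `scan_tail_for_mbr`, `build_sample_image`) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR          512
#define PITOU_KEY       0xDEADBEEFu   /* key of the older, XOR-encoded build */
#define SAMPLE_SECTORS  64            /* size of the constructed test image */

static uint32_t rotr32(uint32_t v, unsigned n) { n &= 31; return n ? (v >> n) | (v << (32 - n)) : v; }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put_le32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static int has_boot_sig(const uint8_t *s) { return s[510] == 0x55 && s[511] == 0xAA; }

/* Pitou keystream: DWORD i of the blob is XORed with the key rotated right i times.
 * XOR is its own inverse, so this routine both encodes and decodes. A trailing partial
 * DWORD is XORed with the low keystream bytes (extension; the post's decoder only
 * handles whole DWORDs). */
void pitou_xor(uint8_t *buf, size_t len, uint32_t key)
{
    uint32_t k = key;
    for (size_t off = 0; off < len; off += 4) {
        size_t n = len - off < 4 ? len - off : 4;
        for (size_t b = 0; b < n; b++)
            buf[off + b] ^= (uint8_t)(k >> (8 * b));   /* little-endian, as a DWORD in memory */
        k = rotr32(k, 1);
    }
}

/* First LBA after the last primary partition, i.e. where the unpartitioned tail begins.
 * Returns 0 if the sector does not carry a boot signature. */
uint32_t mbr_partitioned_end(const uint8_t *mbr)
{
    if (!has_boot_sig(mbr))
        return 0;
    uint64_t end = 1;                               /* LBA 0 holds the MBR itself */
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + 0x1BE + 16 * i;    /* 16-byte partition entry */
        uint32_t start = le32(e + 8), count = le32(e + 12);
        if (e[4] == 0 || count == 0)                /* type 0: empty entry */
            continue;
        if ((uint64_t)start + count > end)
            end = (uint64_t)start + count;
    }
    return end > 0xFFFFFFFFu ? 0xFFFFFFFFu : (uint32_t)end;
}

struct tail_hit { uint32_t lba; int xored; };

/* Scan the unpartitioned tail for sectors carrying a boot signature in the clear or
 * under the rotating XOR keystream. Assumes the blob starts sector-aligned so the
 * 128-byte keystream period realigns at every 512-byte sector. */
size_t scan_tail_for_mbr(const uint8_t *img, uint32_t total_sectors, uint32_t key,
                         struct tail_hit *hits, size_t max_hits)
{
    uint32_t first = mbr_partitioned_end(img);
    size_t n = 0;
    if (first == 0)
        return 0;
    for (uint32_t lba = first; lba < total_sectors && n < max_hits; lba++) {
        const uint8_t *s = img + (size_t)lba * SECTOR;
        uint8_t tmp[SECTOR];
        if (has_boot_sig(s)) { hits[n++] = (struct tail_hit){ lba, 0 }; continue; }
        memcpy(tmp, s, SECTOR);
        pitou_xor(tmp, SECTOR, key);
        if (has_boot_sig(tmp))
            hits[n++] = (struct tail_hit){ lba, 1 };
    }
    return n;
}

/* Constructed sample image (not real Pitou data): one NTFS partition at LBA 1..31, a plain
 * copy of the MBR stashed at LBA 40 and an XOR-encoded copy at LBA 50. Returns image size. */
size_t build_sample_image(uint8_t *img)
{
    memset(img, 0, SAMPLE_SECTORS * SECTOR);
    uint8_t *e = img + 0x1BE;
    e[0] = 0x80;                                    /* active */
    e[4] = 0x07;                                    /* NTFS */
    put_le32(e + 8, 1);                             /* start LBA */
    put_le32(e + 12, 31);                           /* sector count -> ends at LBA 32 */
    img[510] = 0x55; img[511] = 0xAA;
    memcpy(img + 40 * SECTOR, img, SECTOR);
    memcpy(img + 50 * SECTOR, img, SECTOR);
    pitou_xor(img + 50 * SECTOR, SECTOR, PITOU_KEY);
    return SAMPLE_SECTORS * SECTOR;
}

int main(void)
{
    static uint8_t img[SAMPLE_SECTORS * SECTOR];
    struct tail_hit hits[8];
    build_sample_image(img);
    size_t n = scan_tail_for_mbr(img, SAMPLE_SECTORS, PITOU_KEY, hits, 8);
    printf("partitioned area ends at LBA %u, %zu stashed MBR copies in the tail\n", mbr_partitioned_end(img), n);
    for (size_t i = 0; i < n; i++)
        printf("  LBA %u: %s\n", hits[i].lba, hits[i].xored ? "XOR-encoded (old build)" : "plain (this build)");
    return 0;
}
```

On a real image you would read the whole device with dd (or the raw \\.\PhysicalDrive0 handle on Windows) into a buffer and pass its sector count; with key 0 the XOR pass is the identity, which is exactly why the newer build's leftover decode loop is harmless. A signature match under the keystream can be a coincidence on random data, so treat a hit as a sector worth dumping and disassembling, not as a verdict.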

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: WinNT/Pitou (MBR bootkit, alias Backboot)

Post by r3shl4k1sh » Wed Jan 07, 2015 11:06 pm

Seems like the XOR decryption code is still in the MBR, but it doesn't use any key.

At least there isn't any access-violation exception...

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: WinNT/Pitou (MBR bootkit, alias Backboot)

Post by EP_X0FF » Thu Jan 08, 2015 4:22 am

A XOR 0 = A
Ring0 - the source of inspiration

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: WinNT/Pitou (MBR bootkit, alias Backboot)

Post by R136a1 » Mon Mar 16, 2015 11:01 am

The Pitou author seems to be pretty creative when it comes to droppers. This one is coded in PureBasic and drops a slightly older variant of the version described by EP_X0FF.

Behaviour on Windows XP and prior (x86):

The driver hooks IRP_MJ_DIRECTORY_CONTROL of the file system driver to hide its driver file inside %SystemRoot%\system32\drivers.

Furthermore it hooks the functions NtEnumerateKey and NtOpenKey by splicing (SSDT) to hide its registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

It also hooks the ProtocolStatus routine of the MS QoS Packet Scheduler (psched.sys) by splicing, which is needed for the NdisRegisterProtocol function during initialization.


Hardcoded C&C server and some DGA domains extracted from the memory dump:
80.156.86.78
utonbaaaj.com
ovfeaapak.me
iwasubab.biz
biovubba.org


Behaviour on Windows Vista+ (x86/x64):

See EP_X0FF's description


Virustotal:

Dropper
https://www.virustotal.com/en/file/808a ... 426503129/

x86 driver
https://www.virustotal.com/en/file/e347 ... 426503202/

x64 driver
https://www.virustotal.com/en/file/d533 ... 426503247/


Files attached.

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: WinNT/Pitou (MBR bootkit, alias Backboot)

Post by R136a1 » Thu Jul 02, 2015 12:18 pm

Hi folks,

Two fresh Pitou droppers attached. Didn't look into them; they might contain some new features.

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: WinNT/Pitou (MBR bootkit, alias Backboot)

Post by EP_X0FF » Fri Jul 03, 2015 6:43 am

Well, it still silently autoelevates, hooks IRPs etc. The MBR detections reveal the count of BitDefender engine usage. The bizarre thing is that this malware, even with its hooks installed, failed to hide its own MBR. Overall it's just an indication of the fact that Windows bootkits are dead. The Pitou malware family in particular is just like a dinosaur, and Rovnix is alive just because it's open-source and some gangs still use it.

https://www.virustotal.com/en/file/0cec ... 435905091/
Ring0 - the source of inspiration

xors
Posts: 158
Joined: Mon May 23, 2016 2:01 am

Re: WinNT/Pitou (MBR bootkit, alias Backboot)

Post by xors » Fri Jan 19, 2018 5:58 pm

@xorsthingsv2
