Black Energy 2.1+

Postby EP_X0FF » Mon Mar 15, 2010 2:19 pm

Wrongly identified as Rustock (see Rustock 2010), this is another rootkit with a few interesting features on board.

It patches the ETHREAD ServiceTable pointer to point to a specially allocated fake service table in NonPagedPool that contains the real addresses from the SSDT, with some of them replaced by rootkit handlers. User threads created after rootkit installation are patched in the same manner. The rootkit uses a thread notification routine to catch thread creation (PsSetCreateThreadNotifyRoutine is used).

E.g.
rku5 wrote:
0x81D84E40 Faked ServiceTable-->explorer.exe [ ETHREAD 0x81E4F188 ] TID: 984


Let's explore it.

WinDbg wrote:
lkd> dd 0x81D84E40
81d84e40 8182a698 00000000 0000011c 80510088
81d84e50 bf999b80 00000000 0000029b bf99a890


We actually have new faked table entries. This method gives a sufficient level of stealth and is convenient: since the SSDT itself wasn’t modified, major rootkit detectors will fail to find and remove the rootkit hooks.
Syscalls from such a “patched” thread are fully under the control of the rootkit, so such a thread (and the application as a whole) can, for example, think that some registry keys simply do not exist.
The following functions are affected:

NtDeleteValueKey
NtEnumerateValueKey
NtEnumerateKey
NtOpenKey
NtOpenProcess
NtOpenThread
NtProtectVirtualMemory
NtQuerySystemInformation
NtReadVirtualMemory
NtSetContextThread
NtSetValueKey
NtSuspendThread
NtTerminateThread
NtWriteVirtualMemory


Registry routines are intercepted by the rootkit for self-protection reasons. They help its survival strategy by hiding registry entries that belong to the rootkit. It also modifies the code of IofCompleteRequest to help protect itself. The rootkit injects a payload DLL named main.dll into the trusted svchost.exe process, creates a thread, and guards all of this with the help of the other acquired functions listed above. The thread is hidden from enumeration with the help of the NtQuerySystemInformation interception.

main.dll contains several readable strings; full dump below:

.exe SYS TMP cmd.exe /C b k e r n e l p l g _ d a t a getp v e r s i o n n a m e s l e e p f r e q c m d s p l u g i n s x%s_%X C:\ a d d r t y p e s e r v e r s i c m p _ a d d r b u i l d _ i d str.sys \drivers\ \ \ . \ \ \ . \ G l o b a l \ %s%s { 9 D D 6 A F A 1 - 8 6 4 6 - 4 7 2 0 - 8 3 6 B - E D C B 1 0 8 5 8 6 4 A } main.dll .bdata {3D5A1694-CC2C-4ee7-A3D5-A879A9E3A623} POST %.2X & = bid nt %d cn ln id ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ Content-Type: application/x-www-form-urlencoded _TEST_ .dll user32.dll advapi32.dll wininet.dll ws2_32.dll DispatchCommand DispatchEvent GetLastError GetCurrentProcessId ExitThread CloseHandle KERNEL32.dll wsprintfA USER32.dll CoCreateInstance CoInitializeEx ole32.dll OLEAUT32.dll WS2_32.dll RtlUnwind InterlockedExchange VirtualQuery main.dll ConfAllocGetTextByNameA ConfAllocGetTextByNameW ConfGetListNodeByName ConfGetNodeByName ConfGetNodeTextA ConfGetNodeTextW ConfGetPlgNode ConfGetRootNode DownloadFile PlgSendEvent RkLoadKernelImage RkProtectObject SrvAddRequestBinaryData SrvAddRequestStringData


The rootkit driver is not hidden from the drivers list but is randomly renamed (hexadecimal name). The name differs after each reboot. The rootkit renames itself in the list to fool detectors and users. This also helps to prevent “wiping” by some tools (they can’t get the real file path and file name of the rootkit driver).

A more detailed analysis of this rootkit can be found here:
BlackEnergy Version 2 Analysis

VirusTotal
http://www.virustotal.com/analisis/5af3fd53aea5e008d8725c720ea0290e2e0cd485d8a953053ccf02e5e81a94a0-1268660972

MD5
9219e2cfcc64ccde2d8de507538b9991

SHA1
181e59600d057dc6b31a3b19d7f4f75301a3425e
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4750
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562
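To make the mechanism in the post above concrete (the per-thread ServiceTable pointer, the private descriptor in NonPagedPool, the untouched KeServiceDescriptorTable, and the check that rku-style tools do to report a "Faked ServiceTable"), here is an added user-mode simulation in C. It is not code from the rootkit, from Cr4sh's source, or from RkU; it only mirrors the 32-bit XP nt!KSERVICE_TABLE_DESCRIPTOR layout so the dd dump (Base replaced, Limit 0x11c, Number still 80510088) can be read against it. Every address, the g_ssdt/g_args arrays, the SIM_THREAD type and the three service indices (0x77, 0x7a, 0xad, assumed XP SP3 values) are constructed for the example and must be checked against real symbols before being relied on.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not the rootkit's, Cr4sh's or RkU's code): user-mode
 * simulation of per-thread service table faking and its detection.
 * Layout mirrors 32-bit XP nt!KSERVICE_TABLE_DESCRIPTOR; all addresses are
 * synthetic, constructed for this example.
 */
typedef struct {
    uint32_t *Base;    /* SSDT: array of service routine addresses        */
    uint32_t *Count;   /* per-service call counters, NULL on free builds  */
    uint32_t  Limit;   /* number of services (0x11c in the dump above)    */
    uint8_t  *Number;  /* argument-byte table (KiArgumentTable)           */
} SERVICE_TABLE_DESCRIPTOR;

/* Only the field that matters here: KTHREAD.ServiceTable (start of ETHREAD). */
typedef struct {
    uint32_t TidValue;
    SERVICE_TABLE_DESCRIPTOR *ServiceTable;
} SIM_THREAD;

#define SERVICE_LIMIT 0x11c
static uint32_t g_ssdt[SERVICE_LIMIT];   /* stands in for nt!KiServiceTable  */
static uint8_t  g_args[SERVICE_LIMIT];   /* stands in for nt!KiArgumentTable */
SERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;

/* Service indices the simulated rootkit replaces. Assumed XP SP3 values;
 * verify against your own kernel's symbols. */
#define IDX_NtOpenKey                0x77
#define IDX_NtOpenProcess            0x7a
#define IDX_NtQuerySystemInformation 0xad

#define RK_HOOK_BASE 0xf9a00000u   /* synthetic "rootkit handler" addresses */

void init_kernel(void)
{
    for (uint32_t i = 0; i < SERVICE_LIMIT; i++) {
        g_ssdt[i] = 0x80500000u + i * 0x40;   /* synthetic ntoskrnl addresses */
        g_args[i] = (uint8_t)((i % 8) * 4);
    }
    KeServiceDescriptorTable.Base   = g_ssdt;
    KeServiceDescriptorTable.Count  = NULL;
    KeServiceDescriptorTable.Limit  = SERVICE_LIMIT;
    KeServiceDescriptorTable.Number = g_args;
}

/* Rootkit side: private descriptor plus a copy of the SSDT with handlers
 * swapped in. KeServiceDescriptorTable is never written to, which is why
 * SSDT-only checkers stay silent. Number keeps pointing at the original
 * argument table, matching the 4th dword (80510088) in the dump. */
SERVICE_TABLE_DESCRIPTOR *rootkit_build_fake_table(void)
{
    SERVICE_TABLE_DESCRIPTOR *fake = malloc(sizeof *fake);   /* ExAllocatePool(NonPagedPool) stand-in */
    uint32_t *copy = malloc(SERVICE_LIMIT * sizeof *copy);
    if (!fake || !copy) { free(fake); free(copy); return NULL; }
    memcpy(copy, KeServiceDescriptorTable.Base, SERVICE_LIMIT * sizeof *copy);
    copy[IDX_NtOpenKey]                = RK_HOOK_BASE + 0x100;
    copy[IDX_NtOpenProcess]            = RK_HOOK_BASE + 0x200;
    copy[IDX_NtQuerySystemInformation] = RK_HOOK_BASE + 0x300;
    fake->Base   = copy;
    fake->Count  = NULL;
    fake->Limit  = KeServiceDescriptorTable.Limit;
    fake->Number = KeServiceDescriptorTable.Number;
    return fake;
}

/* Applied to existing threads at install time and, from the
 * PsSetCreateThreadNotifyRoutine callback, to every thread created later. */
void rootkit_patch_thread(SIM_THREAD *t, SERVICE_TABLE_DESCRIPTOR *fake)
{
    t->ServiceTable = fake;
}

/* Detector side. Returns -1 when the thread still uses the genuine descriptor;
 * otherwise the pointer is faked and the return value is the number of entries
 * differing from the real SSDT (indices written to out[]). A faked pointer with
 * zero differing entries is still reported as faked. */
int detect_faked_table(const SIM_THREAD *t, uint32_t *out, int max_out)
{
    const SERVICE_TABLE_DESCRIPTOR *st = t->ServiceTable;
    if (st == &KeServiceDescriptorTable)
        return -1;
    int n = 0;
    uint32_t limit = st->Limit < KeServiceDescriptorTable.Limit
                   ? st->Limit : KeServiceDescriptorTable.Limit;
    for (uint32_t i = 0; i < limit; i++) {
        if (st->Base[i] != KeServiceDescriptorTable.Base[i]) {
            if (n < max_out) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Repair: point the thread back at the real descriptor. The private table is
 * deliberately not freed here; other threads may still be dispatching through it. */
void restore_thread(SIM_THREAD *t)
{
    t->ServiceTable = &KeServiceDescriptorTable;
}

int main(void)
{
    init_kernel();
    SIM_THREAD explorer = { 984, &KeServiceDescriptorTable };   /* TID from the rku line */
    SERVICE_TABLE_DESCRIPTOR *fake = rootkit_build_fake_table();
    if (!fake) return 1;
    rootkit_patch_thread(&explorer, fake);

    uint32_t hooked[16];
    int n = detect_faked_table(&explorer, hooked, 16);
    printf("Faked ServiceTable --> TID %u, %d hooked entries:", (unsigned)explorer.TidValue, n);
    for (int i = 0; i < n && i < 16; i++) printf(" 0x%02x", (unsigned)hooked[i]);
    printf("\nreal SSDT entry 0x%02x untouched: %08x\n", IDX_NtOpenKey,
           (unsigned)KeServiceDescriptorTable.Base[IDX_NtOpenKey]);

    restore_thread(&explorer);
    printf("after restore: %d\n", detect_faked_table(&explorer, hooked, 16));
    free(fake->Base);
    free(fake);
    return 0;
}
```

The check worth copying is the first one in detect_faked_table: compare the thread's descriptor pointer against &KeServiceDescriptorTable before looking at any entries. Walking the SSDT alone, as most 2010-era hook scanners did, finds nothing here because the real table is never modified; the per-entry comparison is only useful once a private table has been found, to say which services (here the registry, process and system-information calls) are diverted.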

Re: Black Energy 2.1+

Postby gjf » Mon Mar 15, 2010 3:56 pm

This method gives a sufficient level of stealth and is convenient: since the SSDT itself wasn’t modified, major rootkit detectors will fail to find and remove the rootkit hooks.

So - no way to live any further? 8-) Even RkU cannot see it? ;)
VirusInfo / Defendium / SafeZone Helpers Crew
gjf
 
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home
Reputation point: 26

Re: Black Energy 2.1+

Postby EP_X0FF » Mon Mar 15, 2010 4:19 pm

Hi,

The original kernel service table stays untouched, so there is nothing to display :)
Each thread can have its own service table because of the pointer in ETHREAD.
This is part of the original NT architecture and we can't change that.
Public RkU will however find and show you this faking on the Stealth Code page.
So if something labelled "Faked blah-blah" is shown -> this type of modification must be taken seriously, as it can only be.

Regards.

Re: Black Energy 2.1+

Postby gjf » Mon Mar 15, 2010 4:28 pm


Thanks for the quick answer. It is very interesting because I believe we have an issue with something like that. After all, the only solution was to remove it using a LiveCD.

So - is there any more convenient way to remove this rootkit? If so - which one? According to you, we can observe some suspicious faking but have no way to detect the path and name of the rootkit dll and - of course - no way to delete it.

Re: Black Energy 2.1+

Postby GamingMasteR » Mon Mar 15, 2010 4:35 pm

Hi,

Fake service table detected and could be restored:
[screenshot attached to the original post]
GamingMasteR
Global Moderator
 
Posts: 228
Joined: Sun Mar 07, 2010 10:52 am
Reputation point: 78

Re: Black Energy 2.1+

Postby EP_X0FF » Mon Mar 15, 2010 4:44 pm

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
!-->[Hidden] C:\WINDOWS\system32\drivers\paqkkmhplelf.sys
!-->[Hidden] C:\WINDOWS\system32\drivers\str.sys


Public rku is able to find hidden data (as well as hooks and faked ETHREAD table pointers) and successfully wipe rootkit files.
RootRepeal also. Kernel Detective with some magic also. GMER will also be useful.

But you need to do a quick reset. That's the key :)

edit:
Beaten by GamingMasteR. Yes, here it is - magic :)

Re: Black Energy 2.1+

Postby Cr4sh » Mon Mar 15, 2010 7:19 pm

Here is original source code of KTHREAD::ServiceTable hooking.
Cr4sh
 
Posts: 77
Joined: Sun Mar 14, 2010 6:07 pm
Reputation point: 88

BlackEnergy DDoS Agent

Postby swirl » Thu Apr 29, 2010 10:50 pm

just sharing this interesting sample; it's old but overall nice compared
to most of the copy&paste malware out there..

for a complete analysis :
http://www.secureworks.com/research/thr ... ckenergy2/
http://blog.fireeye.com/research/2010/0 ... rypto.html

in the package (pw: infected):

dropper.bin : the dropper
original.sys : the kernel driver (it's packed, really easy)
unpacked.sys : unpacked driver
hash.py : since most of the APIs are imported by hash, it's a utility to simplify the work
ddos_update.py : mimics the agent requests: downloads the various ddos modules
(syn, http, ddos) and downloads the configuration file (who to ddos, etc)
You do not have the required permissions to view the files attached to this post.
swirl
 
Posts: 15
Joined: Wed Apr 21, 2010 5:11 pm
Reputation point: 8

Re: BlackEnergy DDoS Agent

Postby EP_X0FF » Fri Apr 30, 2010 2:27 am

Hi,

it was originally listed here http://www.kernelmode.info/forum/viewtopic.php?f=16&t=42
including partial source code, so I merged your post with this old thread.

Regards.

Re: Black Energy 2.1+

Postby NOP » Fri Apr 30, 2010 12:27 pm

For anyone interested, this is part of the web panel from this bot I managed to harvest.
NOP
 
Posts: 36
Joined: Wed Mar 31, 2010 4:56 pm
Reputation point: 5
