Rustock

Forum for analysis and discussion about malware.

Nixoa/Bubnix Rootkit

Postby ConanTheLibrarian » Mon Mar 15, 2010 5:57 pm

I just removed this from a machine. I don't know how to reverse engineer yet. I am unfamiliar with it - first time I've seen it.

http://www.virustotal.com/analisis/4c77aaee95af6c4a54d839002e09d460c6f13638bbd8cd45e44d15f65a86cd2d-1268674852

Found a way to upload it:
http://www.filedropper.com/nixoa


MD5...: acfe49f6431a608e520d8935c749f399
SHA1..: f9d9d4eaf075ab4e43d9d7ae1ac6953c42cce053
Last edited by ConanTheLibrarian on Mon Mar 15, 2010 6:52 pm, edited 1 time in total.

Re: Nixoa/Bubnix Rootkit

Postby EP_X0FF » Mon Mar 15, 2010 6:00 pm

Hi,

Thanks for information.

The file is over 800KB, so I am unable to attach it to this forum.

You can try to zip it and upload it to the free file hoster http://rapidshare.com.

Regards.
Ring0 - the source of inspiration

Re: Nixoa/Bubnix Rootkit

Postby markusg » Mon Mar 15, 2010 6:15 pm

Rapidshare: in the evening you get no download as a free user.
Perhaps you can use
http://www.file-upload.net

Re: Nixoa/Bubnix Rootkit

Postby ConanTheLibrarian » Mon Mar 15, 2010 6:53 pm

Edited original post with URL to the sys file. Thanks for suggestions.

Re: Nixoa/Bubnix Rootkit

Postby EP_X0FF » Mon Mar 15, 2010 7:28 pm

Hi again,

Thanks for the sample. I was able to load it inside a test box. So the huge size of the driver file is caused by the malware "packer".

The rootkit sets a CmRegistry callback to protect registry keys.
It hooks the Key object's ParseProcedure, so this rootkit uses the DKOH technique as well.
Probably also to protect the rootkit's registry keys from being revealed / removed.

It also hooks the IRP_MJ_CREATE handler of ntfs.sys.

The rootkit driver file is not hidden from high-level enumeration (it is visible in Explorer).
Maybe it requires something to work properly.

After reboot the rootkit died.
Ring0 - the source of inspiration

Re: Nixoa/Bubnix Rootkit

Postby ConanTheLibrarian » Mon Mar 15, 2010 8:00 pm

Thanks for that. I can confirm.

The root file and key are visible but untouchable. Gmer was able to hack the reg key values by saving using raw writing. After a reboot it was offline.

Re: Nixoa/Bubnix Rootkit

Postby gjf » Mon Mar 15, 2010 8:19 pm

This rootkit is already well studied; some info here and here.

If I remember correctly I removed this rootkit using Gmer without any problem. "Boot Bus Extender" is quite a special name for this.

Concerning the subject: the rootkit dies because of manual installation, I believe. A dropper could solve the problem.
VirusInfo / Defendium / SafeZone Helpers Crew
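A triage script for the artifacts described in the two posts above (a kernel driver registered in the "Boot Bus Extender" load group whose file and registry key are visible yet cannot be opened). This is an added example, not code from the thread or from any tool mentioned in it. It assumes a live Windows host, an elevated PowerShell session, and that the driver registers itself as an ordinary service under HKLM\SYSTEM\CurrentControlSet\Services; the column names and the "exists but unreadable" heuristic are this example's own choices.

```powershell
# Added triage example (not from the thread). Enumerates kernel-driver services in the
# "Boot Bus Extender" group and records two things a rootkit of this kind leaves behind:
#   - a service key that enumerates but whose values cannot be read (CmRegistry callback /
#     hooked key ParseProcedure denying access), and
#   - an ImagePath file that exists in the directory listing but cannot be opened for read
#     (hooked IRP_MJ_CREATE in ntfs.sys).
# Legitimate members of this group (pci.sys, acpi.sys, ...) are expected to show up; the
# signal is a random-looking name combined with Exists = True and Readable = False.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # Drivers use NT-style paths; normalise the common forms to a Win32 path.
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -and -not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-FileReadable {
    param([string]$Path)
    # Open for read with full sharing; a hooked IRP_MJ_CREATE will fail this even though
    # the file is listed by Explorer / Get-ChildItem.
    try {
        $fs = [IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        return $true
    } catch {
        return $false
    }
}

$results = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props) {
        # The key is visible in enumeration but its values cannot be read: record it.
        [pscustomobject]@{
            Service = $key.PSChildName; Group = '?'; ImagePath = '?'
            KeyReadable = $false; Exists = $null; Readable = $null; Suspicious = $true
        }
        continue
    }
    # Type 1 = SERVICE_KERNEL_DRIVER; only kernel drivers belong in this load group.
    if ($props.Type -ne 1 -or $props.Group -ne 'Boot Bus Extender') { continue }

    $img      = Resolve-DriverImagePath ([string]$props.ImagePath)
    $exists   = [bool]($img -and (Test-Path -LiteralPath $img))
    $readable = if ($exists) { Test-FileReadable $img } else { $false }

    [pscustomobject]@{
        Service     = $key.PSChildName
        Group       = $props.Group
        ImagePath   = $img
        KeyReadable = $true
        Exists      = $exists
        Readable    = $readable
        Suspicious  = ($exists -and -not $readable)
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it before and after a reboot: a hit that is Suspicious before and Readable afterwards matches the "after reboot the rootkit died" observation above, and the service name it reports is the key to hand to Gmer for raw deletion.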

Rootkit.Shitkit.AA

Postby Elite » Tue Aug 24, 2010 10:37 pm

Found this dropper in the shitty section of the internet this evening. Nothing even remotely impressive.

Dropper spawns a few command prompt windows. Spews files in the local profile temp directory. Unleashes hell.
Installs a few fake codecs. Drops a driver in the drivers directory with a random name and locks read access to the file. Uses a callback routine, some DLL injection into usermode.
Runs tons of processes from the temp directory. Runs a hidden IE window and sends data over SSL.

Makes a big mess. Easily defeated with public RkU.

Re: Rootkit.Shitkit.AA

Postby Quads » Tue Aug 24, 2010 11:33 pm
