Rustock

Forum for analysis and discussion about malware.
ConanTheLibrarian
Posts: 56
Joined: Mon Mar 15, 2010 1:12 am
Location: USA

Nixoa/Bubnix Rootkit

Post by ConanTheLibrarian » Mon Mar 15, 2010 5:57 pm

I just removed this from a machine. I don't know how to reverse engineer yet. I am unfamiliar with it - first time I've seen it.

http://www.virustotal.com/analisis/4c77 ... 1268674852

Found a way to upload it:
http://www.filedropper.com/nixoa


MD5...: acfe49f6431a608e520d8935c749f399
SHA1..: f9d9d4eaf075ab4e43d9d7ae1ac6953c42cce053
Last edited by ConanTheLibrarian on Mon Mar 15, 2010 6:52 pm, edited 1 time in total.

EP_X0FF
Global Moderator
Posts: 4788
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Nixoa/Bubnix Rootkit

Post by EP_X0FF » Mon Mar 15, 2010 6:00 pm

Hi,

Thanks for information.
The file is over 800KB, so I am unable to attach it to this forum.
You can try to zip it and upload it to the free file hoster http://rapidshare.com.

Regards.
Ring0 - the source of inspiration

markusg
Posts: 730
Joined: Mon Mar 15, 2010 2:53 pm

Re: Nixoa/Bubnix Rootkit

Post by markusg » Mon Mar 15, 2010 6:15 pm

Rapidshare: in the evening you get no download as a free user.
Perhaps you can use
http://www.file-upload.net

ConanTheLibrarian
Posts: 56
Joined: Mon Mar 15, 2010 1:12 am
Location: USA

Re: Nixoa/Bubnix Rootkit

Post by ConanTheLibrarian » Mon Mar 15, 2010 6:53 pm

Edited original post with URL to the sys file. Thanks for suggestions.

EP_X0FF
Global Moderator
Posts: 4788
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Nixoa/Bubnix Rootkit

Post by EP_X0FF » Mon Mar 15, 2010 7:28 pm

Hi again,

Thanks for the sample. I was able to load it inside a test box. The huge size of the driver file is caused by the malware "packer".

The rootkit sets a CmRegistry callback to protect registry keys.
It hooks Key object-->ParseProcedure, so this rootkit is using the DKOH technique as well.
Probably also to protect the rootkit registry keys from being revealed / removed.

Also it hooks the IRP_MJ_CREATE handler of ntfs.sys.

The rootkit driver file is not hidden from high-level enumeration (it is visible in Explorer).
Maybe it requires something to work properly.

After a reboot the rootkit died.
Ring0 - the source of inspiration

ConanTheLibrarian
Posts: 56
Joined: Mon Mar 15, 2010 1:12 am
Location: USA

Re: Nixoa/Bubnix Rootkit

Post by ConanTheLibrarian » Mon Mar 15, 2010 8:00 pm

Thanks for that. I can confirm.

The root file and key are visible but untouchable. Gmer was able to hack the reg key values by saving using raw writing. After a reboot it was offline.

gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Re: Nixoa/Bubnix Rootkit

Post by gjf » Mon Mar 15, 2010 8:19 pm

This rootkit is already well studied, some info here and here.

If I remember correctly I removed this rootkit using Gmer without any problem. "Boot Bus Extender" is quite a special name for this.

Concerning the subj - the rootkit dies because of manual installation, I believe. The dropper could solve the problem.
VirusInfo / Defendium / SafeZone Helpers Crew
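As an added triage script (not from this thread or any tool named in it), the following PowerShell enumerates drivers registered in the "Boot Bus Extender" load group mentioned above, hashes each image and compares it with the MD5 posted in the first message, and reports drivers that are unsigned or cannot be read at all. It assumes an elevated PowerShell 4+ session on the host being examined; the group name, the posted MD5 and the "visible but read-locked" behaviour come from the thread, the path-normalisation rules and the status labels are my own.

```powershell
# Added triage script, not part of the thread. Assumes PowerShell 4+ (Get-FileHash)
# running elevated on the examined host.
$suspectMd5 = 'acfe49f6431a608e520d8935c749f399'   # MD5 posted by ConanTheLibrarian
$group      = 'Boot Bus Extender'                  # load group noted by gjf

# Service ImagePath values come in several forms; normalise them to a Win32 path.
function Resolve-DriverPath([string]$imagePath) {
    if (-not $imagePath) { return $null }
    $p = $imagePath -replace '^\\\?\?\\', ''                         # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"            # \SystemRoot\...
    $p = $p -replace '^(?i)system32\\', "$env:SystemRoot\system32\"   # system32\drivers\...
    return $p
}

$report = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $svc = Get-ItemProperty -Path $key.PSPath
    if ($svc.Group -ne $group) { continue }

    $path   = Resolve-DriverPath $svc.ImagePath
    $hash   = $null
    $signer = $null
    $status = 'ok'
    try {
        $hash   = (Get-FileHash -Path $path -Algorithm MD5 -ErrorAction Stop).Hash.ToLower()
        $signer = (Get-AuthenticodeSignature -FilePath $path).Status
    } catch {
        # The thread reports the driver is visible but read-locked: a boot-start
        # driver that cannot be opened for reading is itself worth a closer look.
        $status = 'UNREADABLE'
    }
    if ($hash -eq $suspectMd5)                  { $status = 'MATCH posted sample' }
    elseif ($signer -and $signer -ne 'Valid')   { $status = "signature: $signer" }

    [PSCustomObject]@{
        Service   = $key.PSChildName
        Start     = $svc.Start
        Path      = $path
        MD5       = $hash
        Status    = $status
    }
}

$report | Sort-Object Status | Format-Table -AutoSize
```

Legitimate bus drivers (PCI, ACPI and similar) also live in this group and should show a valid signature; what stands out is an entry with a random-looking name, a read error, or a hash that matches the posted sample.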

Elite
Posts: 32
Joined: Sat Mar 13, 2010 7:44 pm

Rootkit.Shitkit.AA

Post by Elite » Tue Aug 24, 2010 10:37 pm

Found this dropper in the shitty section of the internet this evening. Nothing even remotely impressive.

Dropper spawns a few command prompt windows. Spews files in local profile temp directory. Unleashes hell.
Installs a few fake codecs. Drops a driver in the drivers directory with a random name and locks read access to the file. Uses a callback routine, some DLL injection into usermode.
Runs tons of processes from temp directory. Runs hidden IE window and sends data over SSL.

Makes a big mess. Easily defeated with public RkU.

Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Re: Rootkit.Shitkit.AA

Post by Quads » Tue Aug 24, 2010 11:33 pm


archan
Posts: 1
Joined: Wed Aug 25, 2010 12:24 am

Re: Rootkit.Shitkit.AA

Post by archan » Wed Aug 25, 2010 12:28 am

