Digitally signed malware

Forum for analysis and discussion about malware.

Signed malware with rootkit from China

Postby cjbi » Fri Jun 08, 2012 2:35 pm

What a nice combo! :P

Dropper(Signed) = Main module(Signed) + Rootkit

String(s)
Code:
SetSecurityDescriptorControl
advapi32.dll
AddAccessAllowedAceEx
\Drivers
%s\%d_res.tmp
LocalService_0x%d
LocalService
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
.PAX
.PAD
FILE
HI1.DLL
ServiceMain
ClientMain
ServiceDll
\Parameters
Description
SYSTEM\CurrentControlSet\Services\%s
CreateService(Parameters)
%SystemRoot%\System32\svchost.exe -k LocalService
MACHINE\SYSTEM\CurrentControlSet\Services\%s
%s\HI1.DLL
OpenSCManager()
RegQueryValueEx(Svchost\LocalService)
Windows Driver
%s\HI2.DLL
LocalService_0x0
FILE2
HI2.DLL
%s\hi.ini
InstallModule
Microsoft Windows
Update
2008
2003
2000
Vista
ProductName
SOFTWARE\Microsoft\Windows NT\CurrentVersion

...

svchost.dll
ClientMain
.PAX
.PAD
bad Allocate
bad buffer
Mozilla/4.0 (compatible)
C:\WINDOWS\TEMP\%d%d%d%d.ccc
%s?abc=%d%d%d%d
C:\Del.bat
Del c:\windows\temp\**.ccc
Del %0
GET %s HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/chpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
If-Modified-Since: Sun, 11 Jun 2008 11:22:33 GMT
If-None-Match: "60794-12b3-e4169440"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Host:%s
http://
\Program Files\Internet Explorer\IEXPLORE.EXE
"%s" "%s?abc=%d%d%d%d"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)
InternetOpenUrlA
InternetOpenA
InternetCloseHandle
WININET.dll
GET /%s HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, application/QVOD, application/QVOD, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE %u.0; Windows NT %u.1; SV1; .NET4.0C; .NET4.0E; TheWorld)
Host: %s
Connection: Keep-Alive
%s:%u
%d.%d.%d.%d
www.%s
%s.com
SYSTEM\CurrentControlSet\Services\%s
InstallModule
Type
SYSTEM\CurrentControlSet\Services\
RegQueryValueEx(Type)
WinSta0\Default
\Mark.ini
Host
2008
2003
2000
ProductName
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\DNM.ini
\DN.ini
\UDM.ini
\UD.ini
\SYM.ini
\SY.ini
\SPM.ini
\SP.ini
\ICM.ini
\IC.ini
kernel32.dll
%-24s %-15s
REG_BINARY
%-24s %-15s 0x%x(%d)
REG_DWORD
REG_MULTI_SZ
%-24s %-15s %s
REG_SZ
REG_EXPAND_SZ
[%s]
XXX.DLL
XXX.DLL
%s\hi.ini
\cmd.exe

...

www.mehome1.com
www.mehome2.com
www.mehome3.com
www.meserver1.com
www.meserver2.com
www.fz0575.com
www.af0575.com
www.wk1888.com
1:%s
http://%s:2011/%d.exe?=%d
2:%s
http://%s:2011/%dv.exe?=%d
%d%d%d.exe
%s %s
.xvx
~MHz
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Null
\\.\K_HIDE_MODULE
FILE2
FILE
Microsoft Windows
Client\Client %d
winsta0
LocalService_0x0
Process32First

...

Driver Loaded Successfully...
Hide Pid :%u
Hide IP  :%u
Hide File:%s
Hide Svc :%ws
Recv Bytes:%u
Struct Bytes:%u
This is HideDirFile!
services.exe
XXX.DLL
XXX.DLL
KeServiceDescriptorTable
ExFreePoolWithTag
swprintf
ExAllocatePoolWithTag
RtlCompareUnicodeString
_except_handler3
RtlImageDirectoryEntryToData
DbgPrint
PsGetVersion
ZwQueryDirectoryFile
ZwDeviceIoControlFile
ZwQuerySystemInformation
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
RtlInitUnicodeString
IofCompleteRequest
RtlFreeAnsiString
RtlCompareMemory
RtlUpperString
RtlUnicodeStringToAnsiString
RtlInitAnsiString
KeDetachProcess
_wcsicmp
ProbeForRead
KeAttachProcess
IoGetCurrentProcess
ntoskrnl.exe

VirusTotal result(s)

Dropper(Signed): VT 28/41 https://www.virustotal.com/file/1e7b501 ... 339162109/
Main module(Signed): VT 21/42 https://www.virustotal.com/file/f4f27fa ... 339162451/
Rootkit: VT 34/42 https://www.virustotal.com/file/eb0d5a7 ... 339162579/
Dropped exe(Signed): VT 0/42 https://www.virustotal.com/file/a532f05 ... 339162700/

Old samples...
VT 7/43 https://www.virustotal.com/file/b0c579d ... /analysis/
VT 11/43 https://www.virustotal.com/file/1f64dd7 ... /analysis/
VT 16/43 https://www.virustotal.com/file/63391e6 ... /analysis/
You do not have the required permissions to view the files attached to this post.
cjbi
 
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am
Reputation point: 84
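The strings listing above already tells the story of this combo if read in the right order: a service DLL registered under a svchost group (ServiceDll, \Parameters, "svchost.exe -k LocalService"), a downloader with hard-coded hostnames and port-2011 URL templates, and a kernel component reached through the \\.\K_HIDE_MODULE device that imports KeServiceDescriptorTable together with the Zw* routines it will hook. The script below is an added example, not code from cjbi's post or from the sample; it sorts a strings dump of this kind into those three indicator classes and prints the findings an analyst would otherwise pull out by hand. The embedded input is a constructed subset of the listing in the post (the hostnames, registry paths and URL templates are copied from it verbatim), and the regular expressions and the small SYSTEM_DLLS allow-list are my own assumptions, tuned to this listing rather than to strings output in general.

```python
"""Triage a `strings` dump of a svchost-hosted service DLL plus rootkit.

Added example. Input is a constructed subset of the strings listing
from the post above; the classification rules are assumptions.
"""
import re
from pprint import pprint

# Constructed sample: a subset of the strings listed in the post.
SAMPLE_STRINGS = r"""
SetSecurityDescriptorControl
advapi32.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
HI1.DLL
ServiceMain
ServiceDll
\Parameters
SYSTEM\CurrentControlSet\Services\%s
CreateService(Parameters)
%SystemRoot%\System32\svchost.exe -k LocalService
MACHINE\SYSTEM\CurrentControlSet\Services\%s
RegQueryValueEx(Svchost\LocalService)
HI2.DLL
www.mehome1.com
www.mehome2.com
www.meserver1.com
www.fz0575.com
http://%s:2011/%d.exe?=%d
http://%s:2011/%dv.exe?=%d
\\.\K_HIDE_MODULE
KeServiceDescriptorTable
ZwQueryDirectoryFile
ZwDeviceIoControlFile
ZwQuerySystemInformation
ntoskrnl.exe
Hide Pid :%u
"""

# Assumed allow-list: DLL names that are imports, not dropped payloads.
SYSTEM_DLLS = {"advapi32.dll", "kernel32.dll", "wininet.dll", "ntdll.dll", "user32.dll"}
FILE_EXTS = {"dll", "exe", "ini", "tmp", "bat", "sys"}  # never hostnames

RE_REGKEY = re.compile(r"^(?:MACHINE\\)?(?:SOFTWARE|SYSTEM|HARDWARE)\\", re.I)
RE_DEVICE = re.compile(r"^\\\\\.\\[A-Za-z0-9_]+$")           # \\.\Name
RE_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)  # no % or \ allowed
RE_URL = re.compile(r"^https?://[^/]*?(?::(\d+))?/", re.I)   # captures the port
RE_DLL = re.compile(r"^[A-Za-z0-9_]+\.dll$", re.I)
RE_SVCHOST_GROUP = re.compile(r"svchost\.exe\s+-k\s+(\w+)", re.I)
RE_ZW = re.compile(r"^(?:Zw|Nt)[A-Z]\w+$")                   # native API names


def parse_strings(text):
    """Split a strings dump into unique, non-empty lines, keeping order."""
    seen, out = set(), []
    for line in text.splitlines():
        s = line.strip()
        if s and s not in seen:
            seen.add(s)
            out.append(s)
    return out


def persistence_indicators(strings):
    """svchost group, candidate service DLLs and the registry keys touched."""
    group = next((m.group(1) for s in strings if (m := RE_SVCHOST_GROUP.search(s))), None)
    dlls = [s for s in strings if RE_DLL.match(s) and s.lower() not in SYSTEM_DLLS]
    reg_keys = [s for s in strings if RE_REGKEY.match(s)]
    # A hosted service DLL needs: a -k group, a ServiceDll value and a Services key.
    hosted = (group is not None and "ServiceDll" in strings
              and any("currentcontrolset\\services" in k.lower() for k in reg_keys))
    return {"svchost_group": group, "service_dll_candidates": dlls,
            "registry_keys": reg_keys, "hosted_service_dll": hosted}


def network_indicators(strings):
    """Hard-coded hostnames, URL format strings and the ports they carry."""
    domains, urls, ports = [], [], []
    for s in strings:
        if RE_DOMAIN.match(s) and s.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
            domains.append(s)
        m = RE_URL.match(s)
        if m:
            urls.append(s)
            if m.group(1) and int(m.group(1)) not in ports:
                ports.append(int(m.group(1)))
    return {"domains": domains, "url_templates": urls, "ports": ports}


def rootkit_indicators(strings):
    """Control device names, Zw* routines (hook targets) and SSDT access."""
    devices = [s for s in strings if RE_DEVICE.match(s)]
    zw_calls = [s for s in strings if RE_ZW.match(s)]
    return {"devices": devices, "zw_calls": zw_calls,
            "ssdt_access": "KeServiceDescriptorTable" in strings,
            "kernel_mode": "ntoskrnl.exe" in strings or bool(zw_calls)}


def triage(text):
    """Run all three classifiers and summarise them as analyst findings."""
    strings = parse_strings(text)
    p, n, r = (persistence_indicators(strings), network_indicators(strings),
               rootkit_indicators(strings))
    findings = []
    if p["hosted_service_dll"]:
        findings.append(f"svchost-hosted service DLL in group '{p['svchost_group']}' "
                        f"(candidates: {', '.join(p['service_dll_candidates'])})")
    if n["domains"]:
        findings.append(f"{len(n['domains'])} hard-coded hostnames, ports {n['ports']}")
    if r["devices"]:
        findings.append(f"user/kernel control channel via {', '.join(r['devices'])}")
    if r["ssdt_access"] and r["zw_calls"]:
        findings.append("SSDT access alongside " + ", ".join(r["zw_calls"]) + " (hook targets)")
    return {"persistence": p, "network": n, "rootkit": r, "findings": findings}


if __name__ == "__main__":
    pprint(triage(SAMPLE_STRINGS))
```

Run it on the output of `strings -a` over the dropper and the rootkit together; the point of the "hosted_service_dll" flag is that none of the three strings it requires is suspicious on its own, which is exactly why a signed main module with a benign-looking name like HI1.DLL slips past a signature-only check.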

Re: Digitally signed malware

Postby rkhunter » Sat Jun 09, 2012 1:23 pm

Flamer infector with MS sign viewtopic.php?f=16&t=1675&start=80#p13750
rkhunter
 
Posts: 1141
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Digitally signed malware

Postby rkhunter » Wed Jul 11, 2012 5:38 pm

Microsoft Revokes Trust in 28 of Its Own Certificates http://threatpost.com/en_us/blogs/micro ... tes-071012
rkhunter
 
Posts: 1141
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Digitally signed malware

Postby rkhunter » Fri Jul 13, 2012 12:52 pm

You do not have the required permissions to view the files attached to this post.
rkhunter
 
Posts: 1141
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation
Reputation point: 147

Re: Digitally signed malware

Postby thisisu » Thu Aug 09, 2012 11:09 pm

Pretty good read on bProtector
Did not know it was digitally signed, but according to this it is: http://secure-computer-solutions.com/bl ... hould.html
thisisu
 
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am
Reputation point: 65

Re: Digitally signed malware

Postby Flamef » Mon Sep 03, 2012 5:03 pm

Flamef
 
Posts: 65
Joined: Thu Jul 07, 2011 6:06 pm
Reputation point: 7

Re: Digitally signed malware

Postby cjbi » Mon Feb 11, 2013 1:29 am

Fresh digitally signed malware from China.
Downloaded from Aduska bootkit distribution server.

VirusTotal result(s):
7/44 https://www.virustotal.com/file/52fd500 ... 360544942/
cjbi
 
Posts: 92
Joined: Sun Mar 14, 2010 7:16 am
Reputation point: 84

Re: Digitally signed malware

Postby 360Tencent » Thu May 23, 2013 12:35 pm

360Tencent
 
Posts: 116
Joined: Thu Dec 15, 2011 12:47 pm
Reputation point: 52

Re: Digitally signed malware

Postby EP_X0FF » Thu May 23, 2013 1:32 pm

360Tencent wrote: http://www.ccssforum.org/malware-certificates.php

via https://twitter.com/PhysicalDrive0/stat ... 2996075520

viewtopic.php?f=2&t=1260

I don't think anything has changed since that time. They do not analyze what they collect, making this list completely useless.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4744
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 560

Re: Digitally signed malware

Postby Blaze » Thu May 23, 2013 5:15 pm

Another case of signed adware / PUP. Not very special, yet pretty annoying.

https://www.virustotal.com/nl/file/ce86 ... /analysis/

Related blogpost:
http://bartblaze.blogspot.com/2013/05/s ... speed.html
Follow me on Twitter: @bartblaze
Blaze
 
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am
Reputation point: 71
