Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

Forum for analysis and discussion about malware.

Re: Malware/Not classified

Postby markusg » Tue May 17, 2011 11:18 am


Re: Malware/Not classified

Postby EP_X0FF » Wed May 18, 2011 7:12 am

markusg wrote: Adobe_Flash_Player.exe
http://www.virustotal.com/file-scan/rep ... 1305630154


MaxSS TDL3 mod. Infinite loop of blue screens after installation - TDL3 mod brand behavior.

Attached is raw binary data (free from the initial crypter); you can extract all components (driver, payload DLLs, loader) from it,
or if you are lazy, try the DM_92017-0-1754A archive.

Posts moved.
Ring0 - the source of inspiration

Re: TDL Modifications (PRAGMA and others)

Postby EP_X0FF » Mon May 23, 2011 4:31 pm

Topic type changed.

Mal/GSPFx

Postby swirl » Sat Jun 04, 2011 11:06 pm

HTTP/DNS redirector

- NDIS hooking
- filesystem IRP hooking

gspfx.sys
SHA1: 0f9f0935d0db58983014b1d263687d2e11556a59
VT 16/38: http://www.virustotal.com/file-scan/rep ... 1307209741

unpacked.sys
SHA1: ce011ef8b18e5b10d15f800ea784d339f4286616
VT 0/43: http://www.virustotal.com/file-scan/rep ... 1307212748

configuration:
[redirected_dns]
-affiliate=44;
-host=89.248.168.188;
[redirected_domains]
-www.google.com.=74.125.87.99;
-google.com.=74.125.87.103;
-google.com.au.=74.125.87.104;
-www.google.com.au.=74.125.87.147;
-google.be.=74.125.87.148;
-www.google.be.=74.125.87.148;
-google.com.br.=74.125.87.109;
-www.google.com.br.=74.125.87.150;
-google.ca.=74.125.87.152;
-www.google.ca.=74.125.87.153;
-google.ch.=74.125.87.155;
-www.google.ch.=74.125.87.158;
-google.de.=74.125.87.160;
-www.google.de.=74.125.87.161;
-google.dk.=74.125.87.123;
-www.google.dk.=74.125.87.160;
-google.fr.=74.125.87.154;
-www.google.fr.=74.125.87.134;
-google.ie.=74.125.87.170;
-www.google.ie.=74.125.87.177;
-google.it.=74.125.87.173;
-www.google.it.=74.125.87.147;
-google.co.jp.=74.125.87.103;
-www.google.co.jp.=74.125.87.147;
-google.nl.=74.125.87.103;
-www.google.nl.=74.125.87.147;
-google.no.=74.125.87.103;
-www.google.no.=74.125.87.147;
-google.co.nz.=74.125.87.103;
-www.google.co.nz.=74.125.87.147;
-google.pl.=74.125.87.103;
-www.google.pl.=74.125.87.147;
-google.se.=74.125.87.103;
-www.google.se.=74.125.87.147;
-google.co.uk.=74.125.87.103;
-www.google.co.uk.=74.125.87.147;
-google.co.za.=74.125.87.103;
-www.google.co.za.=74.125.87.147;
-www.google-analytics.com.=74.125.87.101;
-www.bing.com.=92.123.68.97;
-search.yahoo.com.=72.30.186.249;
-www.search.yahoo.com.=72.30.186.249;
-uk.search.yahoo.com.=87.248.112.8;
-ca.search.yahoo.com.=87.248.112.8;
-de.search.yahoo.com.=87.248.112.8;
-fr.search.yahoo.com.=87.248.112.8;
-au.search.yahoo.com.=87.248.112.8;



strings:
\SystemRoot\system32\drivers\
*.sys
\systemroot\system32\drivers\etc\hosts
\BaseNamedObjects
{B35867ED-8377-44d9-9EAB-973E99447B37}
\systemRoot\system32\drivers\cntnr0.sys
\systemRoot
%s\%s
\SystemRoot
C:\WINDDK\7600.16385.0\inc\ddk\wdm.h
Irp->CurrentLocation <= Irp->StackCount + 1
redirected_dns
host
redirected_domains
.config
Windows
Opera
AppleWebKit
.NET CLR
Gecko
Trident/4.0
compatible
Mozilla
Safari
?Ff
Firefo
Firefox
Presto
?FWP
FunWebProducts
?AOB
America Online Browser 1.1
?O962
Opera/9.62
?O963
Opera/9.63
?O964
Opera/9.64
?P2
Presto/2.1.1
?P22
Presto/2.2.15 Version/10.00
?W6
Windows NT 6.0
?W61
Windows NT 6.1
?W5
Windows NT 5.1
?W50
Windows NT 5.0
?W5U
Windows NT 5.1; U
?W5Ur
Windows NT 5.1; U; ru
W5Ud
Windows NT 5.1; U; de
?W5Ue
Windows NT 5.1; U; en
?I6
MSIE 6.0
?I7
MSIE 7.0
?I8
MSIE 8.0
?M5
Mozilla/5.0
?M4
Mozilla/4.0
?cI6W5
compatible; MSIE 6.0; Windows NT 5.1
?cI7W5
compatible; MSIE 7.0; Windows NT 5.1
?cI8W5
compatible; MSIE 8.0; Windows NT 5.1
?cI6W50
compatible; MSIE 6.0; Windows NT 5.0
?cI7W50
compatible; MSIE 7.0; Windows NT 5.0
?cI8W50
compatible; MSIE 8.0; Windows NT 5.0
?cI6W6
compatible; MSIE 6.0; Windows NT 6.0
?cI7W6
compatible; MSIE 7.0; Windows NT 6.0
?cI8W6
compatible; MSIE 8.0; Windows NT 6.0
?WUW61
Windows; U; Windows NT 6.1;
?WUW6
Windows; U; Windows NT 6.0;
?WUW5
Windows; U; Windows NT 5.1;
?WUW50
Windows; U; Windows NT 5.0;
?WUW61e
Windows; U; Windows NT 6.1; en-US;
?WUW6e
Windows; U; Windows NT 6.0; en-US;
?WUW50e
Windows; U; Windows NT 5.0; en-US;
?WUW5e
Windows; U; Windows NT 5.1; en-US;
affiliate
User-Agent:
%.08X%.08X%.08X%.08X
%.05d%s
%.05d
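The configuration swirl dumped above uses a simple `[section]` / `-key=value;` layout. The following is an added example (not code from the post or from the malware) that parses that format, normalises the trailing-dot FQDNs the table uses, and classifies an observed DNS answer against the redirector's hardcoded map, which is the check an incident responder would run over resolver logs from a suspect host. `SAMPLE_CONFIG` is a constructed excerpt of the posted configuration; `parse_config`, `redirect_map` and `explain_answer` are names chosen here.

```python
import re

# Constructed excerpt of the gspfx.sys configuration shown in the post.
SAMPLE_CONFIG = """\
[redirected_dns]
-affiliate=44;
-host=89.248.168.188;
[redirected_domains]
-www.google.com.=74.125.87.99;
-google.com.=74.125.87.103;
-www.bing.com.=92.123.68.97;
-search.yahoo.com.=72.30.186.249;
"""

# One entry per line: leading '-', key, '=', value, trailing ';'.
_ENTRY = re.compile(r"^-([^=]+)=([^;]*);$")


def parse_config(text: str) -> dict[str, dict[str, str]]:
    """Return {section: {key: value}} for the [section] / -key=value; format."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        m = _ENTRY.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable config line: {raw!r}")
        sections[current][m.group(1)] = m.group(2)
    return sections


def redirect_map(cfg: dict[str, dict[str, str]]) -> dict[str, str]:
    """Domain -> forged A record, with the DNS root dot stripped and lowercased."""
    domains = cfg.get("redirected_domains", {})
    return {name.rstrip(".").lower(): ip for name, ip in domains.items()}


def explain_answer(cfg: dict[str, dict[str, str]], qname: str, answer_ip: str) -> str:
    """Classify an observed A answer: not_targeted, matches_config or differs_from_config."""
    expected = redirect_map(cfg).get(qname.rstrip(".").lower())
    if expected is None:
        return "not_targeted"
    return "matches_config" if expected == answer_ip else "differs_from_config"
```

A resolver answer for a listed domain that equals the configured value is consistent with the driver answering the query itself; a differing value means the host resolved it normally.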

Re: Mal/GSPFx

Postby tomatto007 » Mon Jun 06, 2011 12:15 pm

Can anyone help with the dropper? ;)

Re: Mal/GSPFx

Postby swirl » Mon Jun 06, 2011 4:58 pm

it came to me without a father :cry:

Re: Forged memory fools antimalware: new development in root

Postby Flopik » Thu Jun 09, 2011 2:45 pm

Any sample analyzed that does this?

Re: Forged memory fools antimalware: new development in root

Postby EP_X0FF » Thu Jun 09, 2011 3:52 pm

Check this thread.

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Postby kmd » Tue Sep 27, 2011 5:06 am

New Alureon mod ITW, now using steganography to hold a backup list of operating domains,
likely from the old PRAGMA guys (the installer name remembers something).

http://blogs.technet.com/b/mmpc/archive ... raphy.aspx

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Postby dcmorton » Tue Sep 27, 2011 6:42 am

