A forum for reverse engineering, OS internals and malware analysis 


Re: Citadel (Zeus clone)

 by tomchop ¦  Mon Apr 11, 2016 7:03 pm ¦  Forum: Malware ¦  Topic: Citadel (Zeus clone) ¦  Replies: 197 ¦  Views: 398264

Thanks a lot for this. I'll try to cook up a volatility plugin this week.

Re: Win32/Xswkit (alias Gootkit)

 by tomchop ¦  Thu Apr 30, 2015 7:51 am ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123399

The link doesn't seem to be working (404). I'm curious to see how the patch works (at least concerning the persistence functionality), since it's basically a Windows "feature" that's being exploited (patches are installed via the sdbinst utility).

Re: Win32/Xswkit (alias Gootkit)

 by tomchop ¦  Mon Apr 13, 2015 4:41 pm ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123399

Yeah, I try to keep the patches up-to-date whenever I can. I have a few months' lag at most.

Re: Win32/Xswkit (alias Gootkit)

 by tomchop ¦  Mon Apr 13, 2015 12:24 pm ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123399

Yeah, I have the main module and I think I've identified the correct JS table. I need to look for the RC4 subroutine (I think I may have stumbled upon it early into my analysis). Thanks a lot for the tip! Will let you know of my findings.

Re: Win32/Xswkit (alias Gootkit)

 by tomchop ¦  Mon Apr 13, 2015 9:52 am ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123399

That's weird, the malware has no problem running on my Win7 (x86 or x64) VMs. When I open, say, chrome.exe in OllyDbg, I see the .reloc section in kernel32 is patched and contains the shellcode. If you're trying to debug it, then maybe the best solution is to set your JIT debugger and replace the first...

Re: Win32/Xswkit (alias Gootkit)

 by tomchop ¦  Sat Apr 11, 2015 2:30 pm ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123399

Yes sdb-explorer works pretty well for extracting the patch bits: Trying to process patch by tag type: PATCH_TAGID 00000000: 02 00 00 00 2a 17 00 00 d6 16 00 00 00 80 0c 00 00000010: 00 00 00 00 6b 00 65 00 72 00 6e 00 65 00 6c 00 00000020: 33 00 32 00 2e 00 64 00 6c 00 6c 00 00 00 00 00 00000030: 0...

Re: Win32/Xswkit (alias Gootkit)

 by tomchop ¦  Sat Apr 11, 2015 11:13 am ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123399

From what I recall, it also sends what looks like tons of debug messages over the network (in cleartext).

Re: Win32/Xswkit (alias Gootkit)

 by tomchop ¦  Sat Apr 11, 2015 10:18 am ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123399

It's the one that came through malicious Word macros a few weeks ago (can be unpacked with Word :))

Re: Win32/Xswkit (alias Gootkit)

 by tomchop ¦  Sat Apr 11, 2015 10:00 am ¦  Forum: Malware ¦  Topic: Win32/Xswkit (alias Gootkit) ¦  Replies: 61 ¦  Views: 123399

The last sample I got my hands on (I'm attaching the .dll here) uses the AppCompat database to ensure persistence on the system. They effectively use sdbinst to install patches that modify the .reloc section of kernel32.dll (after it's loaded I guess) and insert custom shellcode. A jump to that shel...

Re: Decoding RC4 Strings

 by tomchop ¦  Fri Jul 18, 2014 5:17 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Decoding RC4 Strings ¦  Replies: 1 ¦  Views: 5705

If you're focusing on Zeus (or its variants like Citadel), I strongly recommend you dig into the Volatility plugins that have been made to dump part of their configuration (including their RC4 keys). Here are some useful links: Volatility zeusscan.py plugin Volatility 2.0 Plugin Vscan (Very early...