A forum for reverse engineering, OS internals and malware analysis 

WinLocker with some rootkit technology

 by gjf ¦  Wed Mar 17, 2010 12:14 pm ¦  Forum: Malware ¦  Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 374 ¦  Views: 325490

Dear All! Could you please help in analysis of the following: hxxp://www.mediafire.com/?wgxtxmyybiy hxxp://www.mediafire.com/?zzjmjmzorln (possibly the same just repacked versions) What is this - it's a malware which locks the Windows requesting sms for unlocking. We have a huge amount of such malwa...

Re: Nixoa/Bubnix Rootkit

 by gjf ¦  Mon Mar 15, 2010 8:19 pm ¦  Forum: Malware ¦  Topic: Rustock ¦  Replies: 28 ¦  Views: 38006

This rootkit is already well studied, some info here and here. If I remember correctly I removed this rootkit using Gmer without any problem. "Boot Bus Extender" is quite a special name for this. Concerning the subj - the rootkit dies because of manual installation I believe. Dropper could solve the prob...

Re: Black Energy 2.1+

 by gjf ¦  Mon Mar 15, 2010 4:28 pm ¦  Forum: Malware ¦  Topic: WinNT/BlackEnergy ¦  Replies: 38 ¦  Views: 61764

Hi, Original kernel service table stays untouched, so there is nothing to display :) Each thread can have its own service table because of a pointer in ETHREAD. This is done by original NT architecture and we can't change that. Public RkU will however find and show you this faking at Stealth Code pa...

Re: Black Energy 2.1+

 by gjf ¦  Mon Mar 15, 2010 3:56 pm ¦  Forum: Malware ¦  Topic: WinNT/BlackEnergy ¦  Replies: 38 ¦  Views: 61764

This method gives enough stealth level and it is comfortable. As in fact, SSDT wasn't modified and major rootkit detectors will fail to find and remove rootkit hooks.
So - no way to live any further? 8-) Even RkU cannot see it? ;)

Re: Rootkit ZeroAccess (aka MAX++)

 by gjf ¦  Mon Mar 15, 2010 3:46 pm ¦  Forum: Malware ¦  Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 374 ¦  Views: 325490

Could you please provide more info concerning detection and removal? I know VBA32 removes it, but nothing concerning detection specs and some other tools to help.

Re: Rootkit 4DW4R3 (TDL 2 clone)

 by gjf ¦  Mon Mar 15, 2010 10:52 am ¦  Forum: Malware ¦  Topic: Rootkit 4DW4R3 (TDL 2 clone) ¦  Replies: 5 ¦  Views: 11293

"TDL2 Clone" - does it mean the standard detection/removal tools for TDSS can be used? Actually TDL2 could be easily detected and removed using Gmer (and even AVZ but with Gmer information of course).

Re: Rootkit TDL 3 (alias TDSS, Alureon)

 by gjf ¦  Mon Mar 15, 2010 10:46 am ¦  Forum: Malware ¦  Topic: Rootkit TDL 3 (alias TDSS, Alureon.CT, Olmarik) ¦  Replies: 395 ¦  Views: 284490

Actually you don't even need to store the original atapi.sys because it is almost the same for all SPs of Windows (but possibly different for XP-Vista-Seven). I had an infection yesterday (quite stupid - just testing new Tdss.ayec). Looks like that version doesn't love my system (SPTD conflict???) so it d...
