Winnti backdoor

Forum for analysis and discussion about malware.
rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Winnti backdoor

Post by rkhunter » Tue Apr 16, 2013 9:09 am

Winnti backdoor
with a lot of hashes:
http://www.securelist.com/en/downloads/ ... 130410.pdf

rkhunter

Re: Winnti backdoor

Post by rkhunter » Fri Apr 19, 2013 5:37 pm


rkhunter

Re: Winnti backdoor

Post by rkhunter » Tue Oct 06, 2015 11:31 am

I've attached the bootkit dropper mentioned here: https://securelist.com/analysis/publica ... ot-part-1/
I haven't played with it.

MD5: 2c85404fe7d1891fd41fcee4c92ad305
SHA1: 4c3171b48d600e6337f1495142c43172d3b01770
SHA256: a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61

R136a1
Forum Admin
Posts: 225
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Winnti backdoor

Post by R136a1 » Tue Oct 06, 2015 1:34 pm

This bootkit is known in certain circles as "sunx bootkit". Unfortunately, I have deleted the sample that I found which included a PDB path. Also, I saw a similar sample that also had a PDB path and was detected as Derusbi.
Interestingly, this bootkit includes functionality that searches for the host protected area (HPA) of IBM hard disks, but I haven't looked further.

rkhunter

Re: Winnti backdoor

Post by rkhunter » Sun Oct 18, 2015 6:19 am


D_Harry
Posts: 3
Joined: Mon Jun 07, 2010 7:05 pm

Re: Winnti backdoor

Post by D_Harry » Wed Oct 21, 2015 2:58 pm

Does someone have the sample of the 2nd type backdoor - mentioned in part 2 of the report?

MD5: 755351395AA920BC212DBF1D990809AB
SHA1: 00174fc3e98302117b4d17a5ec7eceed04e8474f
SHA256: 7a265dc00f5a5a7401c56021190bf3345d7e39eadcf49d4c36f1e63654b021db

Thanks!

rkhunter

Re: Winnti backdoor

Post by rkhunter » Sun Oct 25, 2015 11:53 am

D_Harry wrote: Does someone have the sample of the 2nd type backdoor - mentioned in part 2 of the report?

MD5: 755351395AA920BC212DBF1D990809AB
SHA1: 00174fc3e98302117b4d17a5ec7eceed04e8474f
SHA256: 7a265dc00f5a5a7401c56021190bf3345d7e39eadcf49d4c36f1e63654b021db

Thanks!
In attach.
