WinNT/BlackEnergy

Forum for analysis and discussion about malware.
fatdcuk
Posts: 46
Joined: Mon Mar 15, 2010 7:45 pm

Rustock

Post by fatdcuk » Fri May 28, 2010 10:49 pm

Just bumped into our old friend....

Dropper attached
http://www.virustotal.com/analisis/151b ... 1275081262

Enjoy!
Ade Gill
Malwarebytes Researcher

NOP
Posts: 36
Joined: Wed Mar 31, 2010 4:56 pm

Re: Rustock

Post by NOP » Sat May 29, 2010 3:39 pm

I think this is Black Energy, not Rustock.


liveinterbet.info/start/auth.php

Alex
Posts: 268
Joined: Sun Mar 07, 2010 11:34 am

Re: Rustock

Post by Alex » Sat May 29, 2010 3:59 pm

You are right, NOP, it's Black Energy.
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)

fatdcuk
Posts: 46
Joined: Mon Mar 15, 2010 7:45 pm

Re: Rustock

Post by fatdcuk » Sun May 30, 2010 7:56 pm

:oops: Sorry about that folks,

Looking like I'm keeping some esteemed company on that mistake tho :lol:
Ade Gill
Malwarebytes Researcher

B-boy/StyLe/
Posts: 51
Joined: Mon Mar 22, 2010 2:43 am

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Post by B-boy/StyLe/ » Wed Oct 20, 2010 9:47 pm

bptxnnqhh.sys and vckrdvpaby.sys (looks the same but I'll upload both).

Dropped by TDL3 (sorry the user already deleted the dropper)

http://www.virustotal.com/file-scan/rep ... 1287606486

MD5: 1f614b62aaba805201ecdc111538c7d7

Regards,
G. ;)

B-boy/StyLe/
Posts: 51
Joined: Mon Mar 22, 2010 2:43 am

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Post by B-boy/StyLe/ » Thu Oct 21, 2010 5:27 pm

I found the *.exe

DATEA0B.tmp.exe

http://www.virustotal.com/file-scan/rep ... 1287681669

MD5: 317dea854c1d4b8e61e7c375421b6708

2010/10/21 20:01:19.0011 Detected object count: 2
2010/10/21 20:01:31.0545 Locked file(sptd) - User select action: Skip
2010/10/21 20:01:31.0587 \HardDisk0\MBR - will be cured after reboot
2010/10/21 20:01:31.0587 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/21 20:01:37.0744 Deinitialize success
Regards,
G. ;)

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Post by EP_X0FF » Fri Oct 22, 2010 3:36 am

This one is not TDL. It looks like a new version of Black Energy 2.

It patches the ServiceTable pointer of every new thread to point to a fake service table preallocated by the rootkit, plus a splice hook to make this work. The rootkit code is relocated to allocated pool memory. The new fake table contains a copy of the original service table with a few entries replaced by rootkit handlers. This helps it hide its user mode thread and registry entries.

NtDeleteValueKey
NtEnumerateKey
NtEnumerateValueKey
NtOpenKey
NtOpenProcess
NtOpenThread and others (I'm lazy to write whole list).

Most antirootkits will not work with this rootkit; they simply die at start. You need to remove the notify routines set by the rootkit (CreateProcess, CreateThread, LoadImage) to get them to work.

Rootkit driver and data files are hidden from enumeration.

Ring0 - the source of inspiration

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Post by EP_X0FF » Fri Oct 22, 2010 4:07 am

Black list found.
rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe mfefire.exe mfevtps.exe McSvHost.exe avp.exe egui.exe ekrn.exe spideragent.exe spidergate.exe spiderml.exe dwengine.exe cfp.exe cmdagent.exe avwebgrd.exe avmailc.exe avshadow.exe avguard.exe avfwsvc.exe avgnt.exe avgui.exe avgnsx.exe avgam.exe avgemc.exe avgfws9.exe avgwdsvc.exe AVGIDSMonitor.exe avgtray.exe avgfrw.exe avgcsrvx.exe AVGIDSAgent.exe avgrsx.exe avgchsvx.exe
edit:

Two payload DLLs can be extracted easily from svchost.exe, for example.
Ring0 - the source of inspiration

swirl
Posts: 15
Joined: Wed Apr 21, 2010 5:11 pm

Re: Black Energy 2.1+

Post by swirl » Fri Oct 22, 2010 2:49 pm

Too bad ddos_update.py doesn't work anymore; they've changed the URL format and parameters, and
probably also the encryption method :( Also, judging by the response size, they are using two separate hosts:
one for the configuration and one for downloading the DoS modules
hxxp://91.212.127.147/spm/s_alive.php?id=XXXXXXXXXXXXXX&tick=156328&ver=530&smtp=bad&sl=1&fw=0&pn=-1&psr=0
hxxp://91.212.127.147/spm/s_get_host.php?ver=530

89.149.196.37
POST /e/getcfg.php
ncnt=<hex block here>
mztja=<hex block here>
I'll have a look and see if I can update the script.
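The beacon shapes swirl quotes above (s_alive.php with its fixed parameter set, and s_get_host.php with only ver) are distinctive enough to match in proxy logs. The following is an added detection example, not code from the thread or from ddos_update.py; the log format (timestamp, client, method, URL) and all log lines are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Query keys present in the s_alive.php beacon quoted in the thread.
ALIVE_KEYS = {"id", "tick", "ver", "smtp", "sl", "fw", "pn", "psr"}

# Path -> set of query keys the request must carry to count as a beacon.
BEACON_PATHS = {
    "/spm/s_alive.php": ALIVE_KEYS,
    "/spm/s_get_host.php": {"ver"},
}

# Constructed proxy log lines (timestamp client method url); not real traffic.
# The first two reproduce the URL shapes posted above, the rest are benign noise.
SAMPLE_LOG = """\
1287750000.123 10.0.0.5 GET http://91.212.127.147/spm/s_alive.php?id=XXXXXXXXXXXXXX&tick=156328&ver=530&smtp=bad&sl=1&fw=0&pn=-1&psr=0
1287750001.456 10.0.0.5 GET http://91.212.127.147/spm/s_get_host.php?ver=530
1287750002.789 10.0.0.7 GET http://example.invalid/spm/s_alive.php?foo=1
1287750003.000 10.0.0.8 GET http://example.invalid/index.html
"""


def classify_url(url):
    """Return (path, ver) if the URL has a BlackEnergy 2 beacon shape, else None."""
    parts = urlsplit(url)
    required = BEACON_PATHS.get(parts.path)
    if required is None:
        return None
    query = parse_qs(parts.query)
    # Same script name with a different parameter set is not the beacon.
    if not required <= set(query):
        return None
    ver = query["ver"][0]
    if not ver.isdigit():
        return None
    return parts.path, ver


def scan_log(text):
    """Collect one record per beacon request: which client, which script, which bot version."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        match = classify_url(url)
        if match is not None:
            hits.append({"client": client, "path": match[0], "ver": match[1]})
    return hits
```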

Fyyre
Posts: 56
Joined: Sat Mar 13, 2010 8:01 pm

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Post by Fyyre » Fri Oct 22, 2010 9:02 pm

EP_X0FF wrote:Black list found.
rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe mfefire.exe mfevtps.exe McSvHost.exe avp.exe egui.exe ekrn.exe spideragent.exe spidergate.exe spiderml.exe dwengine.exe cfp.exe cmdagent.exe avwebgrd.exe avmailc.exe avshadow.exe avguard.exe avfwsvc.exe avgnt.exe avgui.exe avgnsx.exe avgam.exe avgemc.exe avgfws9.exe avgwdsvc.exe AVGIDSMonitor.exe avgtray.exe avgfrw.exe avgcsrvx.exe AVGIDSAgent.exe avgrsx.exe avgchsvx.exe
black list with mole tracks...
