WinNT/BlackEnergy

egomoo
Posts: 19
Joined: Fri May 07, 2010 5:02 am
Location: Shaoxing,China

Re: Black Energy 2.1+

Post by egomoo » Tue Oct 26, 2010 5:16 am

EP_X0FF wrote:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
!-->[Hidden] C:\WINDOWS\system32\drivers\paqkkmhplelf.sys
!-->[Hidden] C:\WINDOWS\system32\drivers\str.sys
But you need to do quick reset. That's the key :)

edit:
Beaten by GamingMaster. Yes, here it is - magic :)
The random driver will be recreated when it is deleted by another anti-rootkit tool.

In my test, Safe Returner could remove the new Black Energy 2.1+ rootkit (using the "DATEA0B.tmp.exe" sample).

GamingMasteR
Global Moderator
Posts: 228
Joined: Sun Mar 07, 2010 10:52 am

Re: Black Energy 2.1+

Post by GamingMasteR » Wed Oct 27, 2010 8:34 am

The random driver will be recreated when it is deleted by another anti-rootkit tool.
KDetective v1.3.1 can still defeat it:
- delete all suspicious notify routines
- restore hooked threads service table
- suspend the two suspicious system threads
- restore other splice hooks
- get the driver name from Kd+ -> Unloaded Drivers and delete it from system32\drivers folder

spaceman
Posts: 8
Joined: Tue Sep 21, 2010 2:05 am

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Post by spaceman » Fri Dec 03, 2010 3:26 am

EP_X0FF wrote: Black list found.
rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe mfefire.exe mfevtps.exe McSvHost.exe avp.exe egui.exe ekrn.exe spideragent.exe spidergate.exe spiderml.exe dwengine.exe cfp.exe cmdagent.exe avwebgrd.exe avmailc.exe avshadow.exe avguard.exe avfwsvc.exe avgnt.exe avgui.exe avgnsx.exe avgam.exe avgemc.exe avgfws9.exe avgwdsvc.exe AVGIDSMonitor.exe avgtray.exe avgfrw.exe avgcsrvx.exe AVGIDSAgent.exe avgrsx.exe avgchsvx.exe
edit:

Two payload DLLs can be extracted easily from svchost.exe, for example.
This probably belongs in the Newbie Questions forum, but how do you extract DLLs from a process?

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Black Energy 2.1+

Post by EP_X0FF » Fri Dec 03, 2010 9:22 am

Locate memory regions marked as r/w + executable (which do not belong to any DLL visible in the loader list) and dump them to disk.
Ring0 - the source of inspiration
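As an added example (my own code, not anything posted in this thread): the dump approach from the reply above, joined with a scan of the dumps for the anti-rootkit/AV blacklist quoted earlier in the thread. The region filter and the string scanner are plain Python and run anywhere; walk_process() needs Windows and a target PID, since it walks the process with VirtualQueryEx and lists loader-visible modules with EnumProcessModulesEx. The blacklist subset, the Win32 constants, the file naming and the sample blob are my assumptions, not the thread's.

```python
"""Added example (not code from the thread): find writable+executable memory that no
loader-visible module accounts for, dump it, and scan the dumps for the blacklist names."""
import sys
from dataclasses import dataclass

# Subset of the process names quoted in the thread; a cheap fingerprint for the payload.
BLACKLIST = (
    "rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe "
    "RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe "
    "avp.exe egui.exe ekrn.exe cfp.exe cmdagent.exe avguard.exe avgnt.exe"
).split()

PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY, MEM_COMMIT = 0x40, 0x80, 0x1000  # Win32

@dataclass
class Region:
    base: int
    size: int
    protect: int   # PAGE_* value as VirtualQuery reports it

@dataclass
class Module:
    name: str
    base: int
    size: int

def is_writable_executable(protect):
    # Mask off PAGE_GUARD/NOCACHE/WRITECOMBINE modifiers; compare the base protection.
    return (protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

def backed_by_module(region, modules):
    return any(m.base <= region.base < m.base + m.size for m in modules)

def suspicious_regions(regions, modules):
    """Committed RWX memory that falls outside every module in the loader list."""
    return [r for r in regions
            if is_writable_executable(r.protect) and not backed_by_module(r, modules)]

def blacklist_hits(blob):
    """Blacklist names present in the blob as ASCII or UTF-16LE, case-insensitively."""
    low = blob.lower()   # bytes.lower() only touches ASCII, which is all we need here
    return [name for name in BLACKLIST
            if name.lower().encode("ascii") in low
            or name.lower().encode("utf-16-le") in low]

# Constructed stand-in for a dump: ASCII, mixed-case ASCII and UTF-16LE hits, plus a
# truncated name ("ekrn.ex") that must not match.
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 8 + b"GMER.SYS\x00"
               + "avp.exe".encode("utf-16-le") + b"\x00rkunhooker.EXE\x00ekrn.ex")

def walk_process(pid, out_dir="."):
    """Windows only: dump each suspicious region of `pid` to <out_dir>/<pid>_<base>.bin
    and return {path: blacklist hits}.  Uses VirtualQueryEx + psapi via ctypes."""
    import ctypes, os
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    class MBI(ctypes.Structure):   # MEMORY_BASIC_INFORMATION
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wintypes.DWORD), ("Protect", wintypes.DWORD), ("Type", wintypes.DWORD)]
    class MODULEINFO(ctypes.Structure):
        _fields_ = [("lpBaseOfDll", ctypes.c_void_p), ("SizeOfImage", wintypes.DWORD),
                    ("EntryPoint", ctypes.c_void_p)]
    H, P = wintypes.HANDLE, ctypes.POINTER
    k32.OpenProcess.restype = H
    k32.VirtualQueryEx.argtypes, k32.VirtualQueryEx.restype = [H, ctypes.c_void_p, P(MBI), ctypes.c_size_t], ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [H, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t, P(ctypes.c_size_t)]
    psapi.EnumProcessModulesEx.argtypes = [H, P(wintypes.HMODULE), wintypes.DWORD, P(wintypes.DWORD), wintypes.DWORD]
    psapi.GetModuleInformation.argtypes = [H, wintypes.HMODULE, P(MODULEINFO), wintypes.DWORD]
    psapi.GetModuleFileNameExW.argtypes = [H, wintypes.HMODULE, wintypes.LPWSTR, wintypes.DWORD]
    h = k32.OpenProcess(0x0410, False, pid)   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    hmods, needed = (wintypes.HMODULE * 1024)(), wintypes.DWORD()
    psapi.EnumProcessModulesEx(h, hmods, ctypes.sizeof(hmods), ctypes.byref(needed), 0x03)  # LIST_MODULES_ALL
    modules = []
    for i in range(needed.value // ctypes.sizeof(wintypes.HMODULE)):
        mi, name = MODULEINFO(), ctypes.create_unicode_buffer(260)
        psapi.GetModuleInformation(h, hmods[i], ctypes.byref(mi), ctypes.sizeof(mi))
        psapi.GetModuleFileNameExW(h, hmods[i], name, 260)
        modules.append(Module(name.value, mi.lpBaseOfDll or 0, mi.SizeOfImage))
    regions, addr, mbi = [], 0, MBI()
    while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        base = mbi.BaseAddress or 0
        if mbi.State == MEM_COMMIT:
            regions.append(Region(base, mbi.RegionSize, mbi.Protect))
        addr = base + mbi.RegionSize
    results = {}
    for r in suspicious_regions(regions, modules):
        buf, got = ctypes.create_string_buffer(r.size), ctypes.c_size_t()
        if k32.ReadProcessMemory(h, r.base, buf, r.size, ctypes.byref(got)):
            path, data = os.path.join(out_dir, f"{pid}_{r.base:x}.bin"), buf.raw[:got.value]
            with open(path, "wb") as f:
                f.write(data)
            results[path] = blacklist_hits(data)
    k32.CloseHandle(h)
    return results

if __name__ == "__main__" and sys.platform == "win32" and len(sys.argv) == 2:
    print(walk_process(int(sys.argv[1])))
```

Run it on Windows as `python dump_rwx.py <pid>` against the infected svchost.exe. Reflectively loaded payloads never enter the loader list, so they show up as committed RWX memory that backed_by_module() cannot attribute to any module; the dumped .bin files are raw memory, not PE files on disk, so headers may need rebuilding before static analysis. Note that JIT engines and packers also allocate RWX memory, so treat a hit as a triage lead and let the blacklist scan (or your own strings) confirm it.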

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Black Energy 2.1+

Post by EP_X0FF » Sat Mar 05, 2011 4:48 am

Here is some fresh BlackEnergy2 to play.
Same antirootkits blacklist still in place.
Ring0 - the source of inspiration

dphrag
Posts: 11
Joined: Sat Aug 14, 2010 10:26 pm

Re: Black Energy 2.1+

Post by dphrag » Wed May 11, 2011 7:22 am

Hi all

I am trying to identify a data structure to enumerate/check for the service/filename; is there any?

thanks

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Black Energy 2.1+

Post by EP_X0FF » Wed May 11, 2011 2:41 pm

dphrag wrote: Hi all

I am trying to identify a data structure to enumerate/check for the service/filename; is there any?

thanks
Hello,

personally I don't understand what you are asking. Can you be more specific?
Ring0 - the source of inspiration

dphrag
Posts: 11
Joined: Sat Aug 14, 2010 10:26 pm

Re: Black Energy 2.1+

Post by dphrag » Wed May 11, 2011 3:31 pm

I am using WinDbg to debug some samples. I can find the service table hooks and the threads. I am trying to find a way, using WinDbg, to get the service name or the driver name.

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Black Energy 2.1+

Post by EP_X0FF » Wed May 11, 2011 4:06 pm

dphrag wrote: I am using WinDbg to debug some samples. I can find the service table hooks and the threads. I am trying to find a way, using WinDbg, to get the service name or the driver name.
Did you try the lm command? AFAIR this rootkit's real driver filename can be retrieved through the unloaded modules list.
Ring0 - the source of inspiration

dphrag
Posts: 11
Joined: Sat Aug 14, 2010 10:26 pm

Re: Black Energy 2.1+

Post by dphrag » Fri May 13, 2011 12:47 pm

That works great, thanks!
