 #7055  by rkhunter
 Mon Jul 04, 2011 10:25 am
New bootkit with fraud component - browser banner.


VT report: http://www.virustotal.com/file-scan/rep ... 1309773726

Unusual infection method of VBR.
Also successfully working in x64.
DrWeb Beta Scanner successfully cures it.
Mentioned in (though only in Russian) http://forum.drweb.com/index.php?showto ... ntry530621
 #7061  by EP_X0FF
 Mon Jul 04, 2011 1:42 pm
IntMayak.dll as payload?

fixboot?
 #7093  by dcmorton
 Wed Jul 06, 2011 2:05 am
Here's the sample referenced in the VT scan.

From the adminus.net 6-25-2011 samples.
 #7094  by EP_X0FF
 Wed Jul 06, 2011 4:15 am
Thanks for the sample.

In the attachment: the driver it stores in the first sectors of the disk, and the payload DLL (seems not much changed since IntMayak v1) bound with the driver.
CreateProcess and LoadImage notify callbacks are in place (firefox.exe, opera.exe, chrome.exe as targets of DLL injection; svchost.exe, iexplore.exe, firefox.exe, opera.exe, chrome.exe for the x64 version).

Also attached: Mayachok.1 with the extracted payload DLL.
d:\work\projects\bk2\kloader\Release\i386\kloader.pdb
d:\work\projects\bk2\kloader\Release\amd64\kloader.pdb
The infected volume boot record is also attached.

Overall not impressive. :?
Fixboot, Amen.
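A defensive check for the two artifacts EP_X0FF describes above (a modified volume boot record and a payload stored in the first sectors of the disk), as an added example that is not part of this thread or of any tool mentioned in it. It works on a constructed in-memory disk image; the tamper routine is a stand-in for the demo, not this bootkit's actual on-disk layout.

```python
import hashlib

SECTOR = 512

def build_clean_image(part_start=8, total=16):
    """Constructed sample disk: MBR in sector 0, zeroed gap, NTFS VBR at part_start."""
    img = bytearray(SECTOR * total)
    # one MBR partition entry at 0x1BE: bootable, CHS zeros, type 0x07 (NTFS), start LBA, size
    img[0x1BE:0x1CE] = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
                        + part_start.to_bytes(4, "little")
                        + (total - part_start).to_bytes(4, "little"))
    img[0x1FE:0x200] = b"\x55\xAA"
    vbr = bytearray(SECTOR)
    vbr[0:11] = b"\xEB\x52\x90NTFS    "                  # jmp over BPB + OEM ID
    vbr[0x0B:0x0E] = SECTOR.to_bytes(2, "little") + bytes([8])   # bytes/sector, sectors/cluster
    vbr[0x54:0x57] = b"\xFA\x33\xC0"                      # start of boot code (cli; xor ax,ax)
    vbr[0x1FE:0x200] = b"\x55\xAA"
    img[part_start * SECTOR:(part_start + 1) * SECTOR] = vbr
    return bytes(img)

def partition_starts(img):
    """Start LBAs of the used primary partitions from the MBR table."""
    starts = []
    for off in range(0x1BE, 0x1FE, 16):
        ptype = img[off + 4]
        lba = int.from_bytes(img[off + 8:off + 12], "little")
        if ptype and lba:
            starts.append(lba)
    return starts

def vbr_boot_code_hash(img, lba):
    """SHA-256 of the NTFS VBR boot code (after the BPB, before the 55AA signature)."""
    vbr = img[lba * SECTOR:(lba + 1) * SECTOR]
    return hashlib.sha256(vbr[0x54:0x1FE]).hexdigest()

def audit(img, baseline_hash):
    """Findings: data hidden between MBR and first partition, VBR boot code drift from baseline."""
    starts = partition_starts(img)
    if not starts:
        return ["no_partitions"]
    first = min(starts)
    findings = []
    if any(img[SECTOR:first * SECTOR]):                  # unallocated lead-in sectors should be zero
        findings.append("gap_data")
    if vbr_boot_code_hash(img, first) != baseline_hash:
        findings.append("vbr_code_changed")
    return findings

def simulate_tamper(img):
    """Constructed tamper for the demo: redirect VBR boot code and drop a blob in the gap."""
    img = bytearray(img)
    first = min(partition_starts(img))
    img[first * SECTOR + 0x54:first * SECTOR + 0x57] = b"\xE9\x00\x01"   # jmp elsewhere
    img[2 * SECTOR:2 * SECTOR + 2] = b"MZ"                                 # PE header stub
    return bytes(img)
```

On a real system the baseline hash must come from a known-clean copy of the same Windows version's VBR, and the lead-in sectors are not guaranteed to be zero (some installers and boot managers legitimately use them), so treat "gap_data" as a prompt to inspect, not as proof of infection.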
 #7096  by EP_X0FF
 Wed Jul 06, 2011 9:29 am
x64 driver attached.

This rootkit has been added to the x64 rootkits thread list.