WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Forum for analysis and discussion about malware.
rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Post by rkhunter » Wed May 07, 2014 8:02 am

You do not have the required permissions to view the files attached to this post.

TouchMe
Posts: 6
Joined: Mon Jun 24, 2013 9:12 pm

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Post by TouchMe » Wed May 07, 2014 9:56 am

I only had a quick look at the latest sample but here's some info.

Dropper drops and executes this very advanced batch file in order to melt.

@ECHO OFF
:LOOP
REM Wait 5 seconds so the dropper process has exited and released its file.
REM timeout.exe ships with Vista and later only; a stock XP does not have it.
timeout 5
DEL /Q /F "Sample.exe"
REM The dropper image is locked while it is still running, so retry until the delete succeeds.
IF EXIST "Sample.exe" GOTO LOOP
REM Finally delete this batch file itself (%0 is its own path).
DEL /Q /F %0
EXIT
After an undefined wait period the system will be infected and rebooted.
The virtual filesystem is now stored in a file on the hard disk, is accessible from usermode (lol), and some SSDT hooks are placed to protect it (lmfao).

SSDT Hooks:
NtCreateFile
NtCreateKey
NtDeleteFile
NtEnumerateKey
NtOpenFile
NtOpenKey
NtQueryDirectoryFile
NtQueryInformationFile
NtSetInformationFile
NtShutdownSystem
(jwivs.sys)

SCSI Port IRP hooks (inline jmp):
IRP_MJ_CREATE
IRP_MJ_CLOSE
IRP_MJ_DEVICE_CONTROL
IRP_MJ_INTERNAL_DEVICE_CONTROL
IRP_MJ_POWER
IRP_MJ_SYSTEM_CONTROL
(yurip.sys)

The bot appears to check for a large array of virtual machines, reversing tools and monitoring software, then does nothing with this information.
On Windows 7 x64 there are BSODs from time to time and when loading certain drivers; XP 32-bit gets stuck in a BSOD loop. Payload is some crappy logger and Ammyy stealer.

This clearly isn't the work of the original Rovnix coder; it's now a combination of advanced and retarded malware.


thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Post by thisisu » Sat Jun 21, 2014 9:31 pm

You do not have the required permissions to view the files attached to this post.


SomeUnusedName
Posts: 46
Joined: Fri Oct 07, 2011 1:17 pm

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Post by SomeUnusedName » Wed Nov 05, 2014 1:16 pm

For the record, I have no idea why anyone would call this Rovnix, this is a Gozi variant (ISFB Gozi) and behaves as such. Rovnix just adds major confusion. (speaking of the linked paper)

Horgh
Posts: 37
Joined: Fri Dec 07, 2012 9:48 am
Location: France

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Post by Horgh » Wed Nov 05, 2014 7:46 pm

Probably because they're idiots? This is not in any way Rovnix related, but hey, isn't a bootkit sexier than an old trojan?
Another example of this bullshit: https://www.csis.dk/en/csis/news/4472/

Especially this :
The current version of Rovnix bootkit component has been removed and now only supports a user mode component.
Top fucking lel m8. I called them out on their bullshit but they don't give a shit; their clients aren't gonna know if their analyses are crap, right? If that was the case Trend Micro would surely have no clients anymore.

Tigzy
Posts: 384
Joined: Mon Feb 07, 2011 5:03 pm

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Post by Tigzy » Mon Jan 12, 2015 5:57 pm

Assuming we have a Rovnix infection on a computer A, do you think it's safe to fix the VBR with a VBR gotten from a computer B (same OS)?
If I had to fix automatically, do you think I'd need a VBR copy of every OS?

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Post by EP_X0FF » Tue Jan 13, 2015 8:05 am

Tigzy wrote:Assuming we have a Rovnix infection on a computer A, do you think it's safe to fix the VBR with a VBR gotten from a computer B (same OS)?
If I had to fix automatically, do you think I'd need a VBR copy of every OS?
1) Why are you wasting your time on this crap? This legacy BIOS crap (VBR IPL code) is no longer used on modern OS and hardware, only the volume geometry data.
2) What you are doing is unwise, because the VBR ($Boot) contains a BPB with volume geometry unique to each volume.
3) Bootrec /fixboot, or simply fixboot for old XP - problem solved.

I'm surprised no one answered for a day on this question.
Ring0 - the source of inspiration

Tigzy
Posts: 384
Joined: Mon Feb 07, 2011 5:03 pm

Re: WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Post by Tigzy » Tue Jan 13, 2015 8:38 am

EP_X0FF wrote:1) Why are you wasting your time on this crap? This legacy BIOS crap (VBR IPL code) is no longer used on modern OS and hardware, only the volume geometry data.
I know I'm late, but it's mostly educational. Having it in my product is just a bonus.
EP_X0FF wrote:2) What you are doing is unwise, because the VBR ($Boot) contains a BPB with volume geometry unique to each volume.
I forgot to mention I wanted to replace only the bootstrap + bootloader, leaving the BPB and other non-assembly things untouched.
EP_X0FF wrote:3) Bootrec /fixboot, or simply fixboot for old XP - problem solved.
Yes I know :) I'm a little stubborn, I have to admit. I want to do it myself and understand what I'm doing. :D

I just want to know if, from a machine A to a machine B, there's nothing in the assembly code that is strongly related to the machine.
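
The exchange above turns on which parts of the NTFS boot sector are per-volume and which are code. The following is an added example, not code from any poster in this thread: it parses the BPB fields of a 512-byte NTFS VBR, reports whether the bootstrap region differs between two sectors, and builds a "repaired" sector that keeps machine A's own BPB/extended BPB while taking the JMP and bootstrap bytes from a donor. The layout offsets are the public NTFS boot-sector layout; the two sample sectors are constructed here (the bootstrap bytes are placeholders, not a real bootloader), and the function names are this example's own. It covers only the first sector of $Boot; the IPL that Rovnix-class bootkits target continues in the sectors after it, which this example does not touch.

```python
import struct

# NTFS boot sector (first sector of $Boot), public layout:
#   0x000-0x002  JMP to bootstrap code (EB 52 90)
#   0x003-0x00A  OEM ID "NTFS    "
#   0x00B-0x023  BIOS Parameter Block: sector/cluster sizes, media, CHS geometry
#   0x024-0x053  extended BPB: total sectors, $MFT / $MFTMirr LCN, serial number
#   0x054-0x1FD  bootstrap code
#   0x1FE-0x1FF  0x55AA signature
SECTOR = 512
CODE_START = 0x54
SIG_OFF = 0x1FE


def parse_bpb(vbr: bytes) -> dict:
    """Return the volume-specific BPB fields; raise if this is not an NTFS VBR."""
    if len(vbr) != SECTOR:
        raise ValueError("VBR must be exactly one 512-byte sector")
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if vbr[SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster, reserved = struct.unpack_from("<HBH", vbr, 0x0B)
    sectors_per_track, heads, hidden = struct.unpack_from("<HHI", vbr, 0x18)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", vbr, 0x28)
    clusters_per_frs, clusters_per_index, serial = struct.unpack_from("<bxxxbxxxQ", vbr, 0x40)
    return {
        "bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved, "media": vbr[0x15],
        "sectors_per_track": sectors_per_track, "heads": heads, "hidden_sectors": hidden,
        "total_sectors": total_sectors, "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn,
        "clusters_per_frs": clusters_per_frs, "clusters_per_index": clusters_per_index,
        "serial": serial,
    }


def bootstrap_differs(a: bytes, b: bytes) -> bool:
    """True if the two sectors differ anywhere in the code region (JMP or bootstrap)."""
    return a[0:3] != b[0:3] or a[CODE_START:SIG_OFF] != b[CODE_START:SIG_OFF]


def transplant_bootstrap(infected: bytes, clean: bytes) -> bytes:
    """Repaired sector: BPB/extended BPB from the infected volume, JMP and
    bootstrap code from the clean donor. Both inputs are validated first."""
    for v in (infected, clean):
        parse_bpb(v)
    # The donor's short JMP (EB rel8, target = 2 + rel8) must land on the bootstrap
    # at 0x54; otherwise the donor is not a plain NTFS boot sector either.
    if clean[0] != 0xEB or 2 + clean[1] != CODE_START:
        raise ValueError("donor JMP does not target the bootstrap code at 0x54")
    out = bytearray(infected)                    # keep the infected volume's own BPB
    out[0:3] = clean[0:3]                        # the JMP is code: take the donor's
    out[CODE_START:SIG_OFF] = clean[CODE_START:SIG_OFF]
    out[SIG_OFF:] = b"\x55\xAA"
    return bytes(out)


def build_vbr(total_sectors, mft_lcn, mftmirr_lcn, serial, code, sectors_per_cluster=8) -> bytes:
    """Assemble a constructed NTFS VBR for the demonstration. The field layout is
    faithful; the code bytes are a placeholder, not a working bootstrap."""
    if len(code) > SIG_OFF - CODE_START:
        raise ValueError("bootstrap placeholder too large")
    v = bytearray(SECTOR)
    v[0:3] = b"\xEB\x52\x90"                                 # jmp short 0x54 ; nop
    v[3:11] = b"NTFS    "
    struct.pack_into("<HBH", v, 0x0B, 512, sectors_per_cluster, 0)
    v[0x15] = 0xF8                                           # media descriptor: fixed disk
    struct.pack_into("<HHI", v, 0x18, 63, 255, 2048)         # CHS geometry, hidden sectors
    struct.pack_into("<QQQ", v, 0x28, total_sectors, mft_lcn, mftmirr_lcn)
    struct.pack_into("<bxxxbxxxQ", v, 0x40, -10, 1, serial)  # 1024-byte FRS, 1-cluster index
    v[CODE_START:CODE_START + len(code)] = code
    v[SIG_OFF:] = b"\x55\xAA"
    return bytes(v)


# Constructed placeholder bootstrap: a real-mode prologue (cli; xor ax,ax; mov ss,ax;
# mov sp,7C00h; sti) padded with NOPs. The "hooked" copy starts with a jump elsewhere.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 23
HOOKED_CODE = b"\xE9\x00\x10" + CLEAN_CODE[3:]

# Machine B (donor): same bootstrap, its own geometry.  Machine A: different volume
# size, $MFT position, cluster size and serial, plus the patched bootstrap.
CLEAN_VBR = build_vbr(209715199, 786432, 2, 0x11223344AABBCCDD, CLEAN_CODE)
INFECTED_VBR = build_vbr(62914559, 262144, 2, 0x0F0E0D0C0B0A0908, HOOKED_CODE,
                         sectors_per_cluster=4)


def repair_demo() -> bytes:
    return transplant_bootstrap(INFECTED_VBR, CLEAN_VBR)


if __name__ == "__main__":
    fixed = repair_demo()
    print("BPB differs between A and B:", parse_bpb(INFECTED_VBR) != parse_bpb(CLEAN_VBR))
    print("bootstrap patched on A:     ", bootstrap_differs(INFECTED_VBR, CLEAN_VBR))
    print("repaired A keeps own BPB:   ", parse_bpb(fixed) == parse_bpb(INFECTED_VBR))
    print("repaired A matches donor:   ", not bootstrap_differs(fixed, CLEAN_VBR))
```

Running it shows the point EP_X0FF makes and the split Tigzy has in mind: the BPB/extended BPB fields differ between the two constructed volumes and must never be copied across, while the JMP and bootstrap region can be compared byte for byte and replaced as a unit without touching them. The same `parse_bpb` check before writing anything is what you would want in an automated repair, so a non-NTFS or truncated sector is refused rather than overwritten.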
