A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17396  by R136a1
 Thu Dec 27, 2012 12:27 pm
Hi there,

ESET (Aleksandr Matrosov) released an analysis of an interesting new Bootkit:

Win32/Gapz: steps of evolution
Win32/Gapz: New Bootkit Technique

Hashes of droppers and MBR are as follows:

Win32/Gapz.A (dropper)
SHA1 hash: 1f206ea64fb3ccbe0cd7ff7972bef2592bb30c84

Win32/Gapz.A (dropper)
SHA1 hash: dff6933199137cc49c2af5f73a2d431ce2e41084

Win32/Gapz.B (dropper)
SHA1 hash: e4b64c3672e98dc78c5a356a68f89e02154ce9a6

Win32/Gapz.C (dropper)
SHA1 hash: 85fb77682705b06a77d73638df3b22ac1dbab78b

Win32/Gapz.C (MBR)
SHA1 hash: b37afc51104688ea74d279b690d8631d4c0db2ad

If someone can provide a sample, please upload. Thanks!
 #17397  by 360Tencent
 Thu Dec 27, 2012 1:01 pm
3 droppers
Win32Gapz.zip
You do not have the required permissions to view the files attached to this post.
 #17431  by kmd
 Sat Dec 29, 2012 5:29 am
http://blog.eset.com/2012/12/27/win32ga ... -evolution
very "professional" analysis from twitter expert.

I. Shell_TrayWnd inject was publically available since 2009 and was initially posted on virustech.org - PUBLIC forum as PUBLIC post.
II. SetWindowLongA it call sets address of injected shellcode not KiUserApcDispatcher (wtf Matrosov?) as proflink use 82a19f2e4c9a1b4295a51df9d23af84aae848a7984c141a0c7f67b3bbb77b271 attached sample. Break on SetWindowLongA - address it points located in explorer.exe address space - dump it and look inside.
 #17432  by Mut4nt
 Sat Dec 29, 2012 6:58 am
This crap looks like that was made by skiddies
 #17438  by EP_X0FF
 Sat Dec 29, 2012 11:04 am
Matrosov maybe not really understand what he reverse, this happens sometimes with everyone (with some people more often) but what exactly you found in this "crap" that made you think
Mut4nt wrote:looks like that was made by skiddies
:?:
 #17452  by stds
 Mon Dec 31, 2012 7:53 am
Mut4nt wrote:This crap looks like that was made by skiddies
I remember reversing one of your programs you tried to sell on hackforums, you had copy and pasted a public DKOM rootkit into a crypter, you even left in the debug strings from the original author.

I don't think you have any room to be calling anyting crap....Especially not a bootkit....
 #18610  by EP_X0FF
 Wed Mar 20, 2013 4:01 pm
kmd wrote:Sandboxie bypassed by gapz?

http://exelab.ru/f/index.php?action=vth ... &page=1#11
The method of code injection used by Gapz is not isolated by Sandboxie 3.76 and Sandboxie 4.01 (Windows XP only), x86. As sandboxing 4.0x now uses limited accounts for sandboxed processes it is indeed more difficult to exploit - arbitrary code execution also will not work from restricted account, as GetWindowLongPtr/SetWindowLongPtr will fail. It is very boring to test but if you want you can follow steps described in that link from exelab.
Code: Select all
RtlInitUnicodeString(&usShimSection, L"\\BaseNamedObjects\\ShimSharedMemory");
InitializeObjectAttributes(&obja, &usShimSection, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtOpenSection(&hSection, GENERIC_WRITE, &obja);
if ( NT_SUCCESS(Status) ) {
      Status = NtMapViewOfSection(
		hSection,
		GetCurrentProcess(),
		(PVOID*)&BaseAddress,
		0,
		0,
		NULL,
		&ViewSize,
		ViewUnmap,
		0,
		PAGE_READWRITE
	);
memcpy ((BaseAddress + ViewSize) - sizeof(payload), payload, sizeof(payload));
If Sandboxie allows this, then this kind of sandboxing is one big lulz and successful explotation of this code is a question of just another exploit suitable for arbitrary code execution. Need more testing in various systems, various sections. As this is paid software I have no intentions to help author fix his ridiculous bugs or mistakes in sandbox architecture overall.

This method of arbitrary code execution was known for years before Matrosov "discovery" and we pretty sure know how and where he found it, hmm.. "itw".

If you really care about security you already use virtual machine (freeware btw), not paid half-part implemented virtualization with sleeping zerodays.