Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco) - Page 8

Trojan:Win32/Alureon.FV (MaxSS)

#15941 by thisisu
Wed Oct 10, 2012 9:51 pm

Hi,

I'm looking for MD5: 196760a62a606b7c7cf09176d2633512

Thanks

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: Malware Requests, part 2

#15942 by Xylitol
Wed Oct 10, 2012 10:27 pm

thisisu wrote:Hi,

I'm looking for MD5: 196760a62a606b7c7cf09176d2633512

Thanks

Attachments

2074b987f63e21cef758f11de5dfc06f811cd72bb3bc804032f5d5069bad7312.zip

infected
(413.4 KiB) Downloaded 149 times

Registration Problems and FAQ - Rules For Malware Requests

Username

Xylitol

Rank

Global Moderator

Posts

1706

Joined

Sat Apr 10, 2010 5:54 pm

Location

Seireitei, Soul Society

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#15946 by thisisu
Thu Oct 11, 2012 5:01 am

EP_X0FF wrote:This is Alureon.FV. Dropper is about 600 KB in size (one of this https://www.virustotal.com/file/2074b98 ... /analysis/). Nothing impressive. It took half of the year for current support team to adopt and integrate VBR infection. Lack of ideas obviously.

Uploaded by Xylitol :)

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#15948 by thisisu
Thu Oct 11, 2012 6:59 am

Isn't working for me on VM. Will try tomorrow on a live machine.

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#15955 by thisisu
Thu Oct 11, 2012 9:16 pm

thisisu wrote:Isn't working for me on VM. Will try tomorrow on a live machine.

Isn't working for me, even on live machine. Tried Win 7 x 64. Dropper goes into a temp folder as something like A3.tmp but disappears after a reboot.

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#15961 by rkhunter
Fri Oct 12, 2012 10:32 am

Hope it's will useful for someone.
In attach droper, decrypted dropper (with fixed imports).

As we know it not infects VBR on WXPx86 as well on X7x86 too...but it contains code for VBR infection (with help of usual IOCTL_SCSI_PASS_THROUGH_DIRECT) -

Dropper
SHA256: cb45edce8374b316b93ed7cd2f4cf3e774996a053d7fafa52674eff0e921ba2f
SHA1: 63291b0b5a00836bef8eb503c843a8aad024a4da
MD5: eddfd9618010fc3cdd76d6beeab4ca8e

Also note that dropper contains:

- obfuscated code with trash instructions
- anti-emu features
- checking debug from huge number of functions
- calling key functions via stack modification for hiding code flow

Attachments

sst_c_dropper_dumped_imports.zip

pass:infected
(819.77 KiB) Downloaded 106 times

cb45edce8374b316b93ed7cd2f4cf3e774996a053d7fafa52674eff0e921ba2f.zip

pass:infected
(873.53 KiB) Downloaded 131 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#15973 by thisisu
Sat Oct 13, 2012 3:53 am

Thanks for your analysis, rkhunter :)

Were you able to infect the Windows 7 x64 with SST.C using droppers you attached?

Username

thisisu

Posts

362

Joined

Sun Feb 26, 2012 8:57 am

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#15974 by rkhunter
Sat Oct 13, 2012 6:07 am

thisisu wrote: Were you able to infect the Windows 7 x64 with SST.C using droppers you attached?

Didn't try.

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#15981 by rkhunter
Sat Oct 13, 2012 6:42 pm

Alureon.FV theme

http://imageshack.us/a/img502/262/tdlvbrtheme.jpg

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Rootkit MaxSS (alias TDSS, SST, Alureon.FE, Olmasco)

#16003 by kmd
Mon Oct 15, 2012 1:14 pm

@erikloman, @rkhunter

im reading this trashing thread (http://www.anti-malware.ru/forum/index. ... 4034&st=80) and wondering, is this SST.C exists or not? Does it really infect anything or this is just a old MaxSS with hidden volume? and does Kaspersky removes it? asking because im not buying a 1cent of marketing shit they are talking :D

Username

kmd

Posts

271

Joined

Mon Mar 15, 2010 4:09 am

Location

Russian Federation