A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13418  by Brookit
 Fri May 25, 2012 8:56 am
As the title suggests, the following blog post describes another bootkit:

Plite Bootkit Spies on Gamers

And as the blog post title suggests, with "Bootkit/Rootkit" in combination with "Game" there is generally a high probability that the threat comes from South Korea. ;-)

If somebody has a sample, please upload:
MD5: b12fe0dd8fbef09b2ad78deadbe2311a
 #13420  by EP_X0FF
 Fri May 25, 2012 9:03 am
Someone was inspired by old rootkits :)
To conceal its presence on the system the payload will hide its process using an undocumented API, ZwSystemDebugControl, but this only works on operating systems before Vista. With the help of this function it can read and write kernel memory directly; it will unlink its process from the list of running processes, thereby making it invisible.
edit:

MBR attached. Everything else can be extracted directly from dropper - it has no protection. Also due to damage to system files this bootkit triggers WFP.

Attachments
pass: malware
 #16442  by Xylitol
 Sun Nov 04, 2012 11:10 pm
kmd wrote: looking for Trojan.GBPBoot.1, a new MBR infector

http://news.drweb.com/show/?lng=ru&i=2927&c=9

sorry, drweb has not posted any hashes
Finally.
https://www.virustotal.com/file/6a06244 ... 352070602/
 #16447  by EP_X0FF
 Mon Nov 05, 2012 4:50 am
Dropper -> MBR modification -> drop installer -> installer -> config+servicedll -> servicedll -> download more crap :)
 #16457  by rkhunter
 Mon Nov 05, 2012 5:02 pm
EP_X0FF wrote:Dropper -> MBR modification -> drop installer -> installer -> config+servicedll -> servicedll -> download more crap :)
Most laconic analysis I've ever seen :)
 #16613  by cjbi
 Wed Nov 14, 2012 2:19 pm
Fresh PbBot bootkit dropper.
Obvious Korean targeted malware is obvious.

Very short analysis:
6B92F6E2390444EB52562E494F87D392 (Legit installer + Downloader) -> Drop & Execute ->
-> CA536C5C9C3BAD792D503F4279F0FFB8 (Downloader) -> Download & Execute -> 39AEC94919064E03CD11B487AEE08CFA (Bootkit)

... and more payloads... 294AEB00F6945BF8867C0400D87393B0 (explorer.exe inside(tm)), 61EC58BC4B61E17E75E3033F657D36CD (OnlineGameHack)

More detailed analysis:
Plite Bootkit Spies on Gamers (by Bitdefender)

Some strings:
Code:
...

FAT12
FAT16
FAT32
NTFS
\\.\PHYSICALDRIVE0
_uninsep.bat

...

 inflate 1.1.3 Copyright 1995-1998 Mark Adler 
- unzip 0.15 Copyright 1998 Gilles Vollant 

...

Invalid partition table
Error loading operating system
Missing operating system

...

Invalid partition table
Error loading operating system
Missing operating system
no active partition found
read error while reading drive
partition signature != 55AA
:Repeat
del "%s"
if exist "%s" goto Repeat
rmdir "%s"
del "%s"

...

explorer.exe

...

explorer.exe
_GBP

...

_C_FILE_INFO=

...

Invalid partition table
Error loading operating system
Missing operating system
 ------- IsPMSInstalled -------------
C:\Windows\system32
Windows folder not exist!
golfinfo.ini
C:\Windows\system32\golfinfo.ini
.exe
 ------- ExistAgentFile -------------
 agent file name : 
C:\Windows\system32
Windows folder not exist!
C:\Windows\system32
 capture file path : 
Starting GBP...
_GBP
_GBP
RestoreSectorNum: 
RestoreSize: 
Boot Sector number:
Reading boot sector Failed!
SectorsPerCluster: 
winlog file already exist!
File Creating Fail!
File Creating Fail!
Get File System Failed!
Install OK!!
Please reboot
Install failed!!
Please reboot
FAT12
FAT16
FAT32
NTFS
Read Mbr Sector failed!!!
Reading Fail!
Writing Fail!
Not FAT32!
Read FAT Failed!
Read FAT Failed!
Finding "
" from 
Read FAT Failed!
Finding File Name: 
Not Found! 
Found!
Finding File Name: 
Not Found! 
Found!
----------- FAT32_CreateFile -------------
Already Exist!
-------- FAT32_ReplaceFileData ---------
Does Not Exist!
Creating File Name: 
Writing Cluster Count: 
Read FAT Failed!
Written Cluster Count: 
Read FAT Failed!
NTFS
Not NTFS!
Finding File Name: 
Reading boot sector Failed!
Reading MFT Failed!
Finding directory Fail: 
Found!
 Writing Sector Count: 
 Written Sector Count: 
Finding: 
Index buffer count
change directory entry success
read standard attribute of prev file failed
find filename attribute of prev file failed
write new file record failed
Get Data Attribute failed
WriteAttributeDataFromDisk failed
ReplaceFileDataAttr failed
 -------------- NTFS_CreateFile ------------
Start.exe
0.000
Directory Rec No: 
 File Rec No: 
Creating File Record 
Reading File Record failed
Creating Directory Entry
 --------- NTFS_ReplaceFileData --------
Not Found
Directory Rec No: 
 File Rec No: 
Reading File Record failed

...

MS Run-Time Library - Copyright (c) 1992, Microsoft Corp
_C_FILE_INFO=
 ------- IsPMSInstalled -------------
C:\Windows
Windows folder not exist!
gbp.ini
C:\Windows\gbp.ini
Starting GBP...
Unpartition Sector Number:
ReadInitData failed!
_GBP
GBP Data Error!
Boot Sector number:
Reading boot sector Failed!
SectorsPerCluster: 
File Creating Fail!
File Creating Fail!
Get File System Failed!
Install OK!!
Please reboot
Install failed!!
Please reboot
FAT12
FAT16
FAT32
NTFS
Read Mbr Sector failed!!!
Reading Fail!
Writing Fail!
Not FAT32!
Read FAT Failed!
Read FAT Failed!
Finding "
" from 
Read FAT Failed!
Finding File Name: 
Not Found! 
Found!
Finding File Name: 
Not Found! 
Found!
----------- FAT32_CreateFile -------------
Already Exist!
-------- FAT32_ReplaceFileData ---------
Does Not Exist!
Creating File Name: 
Read FAT Failed!
Read FAT Failed!
NTFS
Not NTFS!
Finding File Name: 
Reading boot sector Failed!
Reading MFT Failed!
Finding directory Fail: 
Found!
Finding: 
Index buffer count
change directory entry success
read standard attribute of prev file failed
find filename attribute of prev file failed
write new file record failed
Get Data Attribute failed
WriteAttributeDataFromDisk failed
ReplaceFileDataAttr failed
 -------------- NTFS_CreateFile ------------
Start.exe
0.000
Directory Rec No: 
 File Rec No: 
Creating File Record 
Reading File Record failed
Creating Directory Entry
 --------- NTFS_ReplaceFileData --------
Not Found
Directory Rec No: 
 File Rec No: 
Reading File Record failed

...
VirusTotal result(s):
Currently, MBR only. I'm too lazy to upload. :twisted:
mbr.bin 1/44 https://www.virustotal.com/file/2c781e0 ... /analysis/

P.S. PbBot is not new malware! :(
P.P.S. Thank you, EP_X0FF! :)
Attachments
pass: infected
Last edited by cjbi on Wed Nov 14, 2012 2:59 pm, edited 4 times in total.
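The strings above show the dropper doing its own sanity checks on the disk ("partition signature != 55AA", "no active partition found", "Read Mbr Sector failed") before it rewrites the boot sector. The same checks, plus a comparison against a known-good copy of the boot code, are what a defender would run over a dumped MBR to spot this kind of infection. The following is an added example, not code from the thread or from the malware; the 512-byte sectors it parses are constructed in the script, and the "boot code" bytes are placeholders rather than real MBR code.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 446           # bytes 0..445 are boot code, then 4 x 16-byte entries
BOOT_SIG = b"\x55\xaa"         # the "55AA" signature the bootkit's own strings test for

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        parts.append({"active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": sector[:PART_TABLE_OFF], "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIG}

def check_mbr(sector: bytes, reference_boot_code: bytes = None) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("partition signature != 55AA")
    active = [p for p in mbr["partitions"] if p["active"]]
    if not active:
        findings.append("no active partition found")
    elif len(active) > 1:
        findings.append("more than one active partition")
    if reference_boot_code is not None and mbr["boot_code"] != reference_boot_code:
        findings.append("boot code differs from known-good copy")
    return findings

def build_sample_mbr(boot_code: bytes, active: bool = True, sig: bytes = BOOT_SIG) -> bytes:
    """Constructed 512-byte MBR with one NTFS (type 0x07) partition; not a real disk image."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    entry = struct.pack("<B3sB3sII", 0x80 if active else 0, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2_000_000)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = sig
    return bytes(sector)

# Constructed placeholder boot code (not real MBR code): a known-good copy, and one whose first
# instruction was swapped for a jump, which is how an MBR infector redirects the boot flow.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFF - 4)
PATCHED_BOOT_CODE = b"\xeb\x3c" + CLEAN_BOOT_CODE[2:]

if __name__ == "__main__":
    print(check_mbr(build_sample_mbr(PATCHED_BOOT_CODE), CLEAN_BOOT_CODE))
```

On a real system the reference boot code would come from a trusted image of the same disk (or the OS's stock MBR), since a patched first instruction is indistinguishable from the legitimate one without something to compare against.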
 #16614  by EP_X0FF
 Wed Nov 14, 2012 2:28 pm
Because Dr.Web never published any kind of hashes in their "News" it is sometimes impossible to say what they really found. Like in this case - old known malware positioned as "totally new" dangerous bootkit. Topic title changed, thanks to cjbi.
 #16617  by rkhunter
 Wed Nov 14, 2012 4:52 pm
EP_X0FF wrote:Because Dr.Web never published any kind of hashes in their "News" it is sometimes impossible to say what they really found.
It's true. In community terms one could say that this is "Innovations and modern malware investigations in Dr.Web style", lol.