[fatdcuk]

Just bumped into our old freind....

Dropper attached
http://www.virustotal.com/analisis/151b ... 1275081262

Enjoy!

[NOP]

I think this is Black Energy, not Rustock.

Code: Select all

liveinterbet.info/start/auth.php

[Alex]

You are right NOP it's Black Energy.

[fatdcuk]

Sorry about that folks,

Looking like im keeping some esteemed company on that mistake tho :lol:

[B-boy/StyLe/]

bptxnnqhh.sys and vckrdvpaby.sys (looks the same but I'll upload both).

Dropped by TDL3 (sorry the user already deleted the dropper)



http://www.virustotal.com/file-scan/rep ... 1287606486

MD5: 1f614b62aaba805201ecdc111538c7d7

Regards,
G. ;)

[B-boy/StyLe/]

I found the *.exe

DATEA0B.tmp.exe

http://www.virustotal.com/file-scan/rep ... 1287681669

MD5: 317dea854c1d4b8e61e7c375421b6708

2010/10/21 20:01:19.0011 Detected object count: 2
2010/10/21 20:01:31.0545 Locked file(sptd) - User select action: Skip
2010/10/21 20:01:31.0587 \HardDisk0\MBR - will be cured after reboot
2010/10/21 20:01:31.0587 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/21 20:01:37.0744 Deinitialize success

Regards,
G. ;)

[EP_X0FF]

This one is not TDL. It looks like new version of Black Energy 2.

It patches ServiceTable pointer for every new thread to point to rootkit prealloacted fake service table + splice hook to get this work. Rootkit code relocated to memory allocated pool. New fake table contains copy of original service table with few replaced by rootkit handlers. This help it to hide user mode thread, registry entries.

NtDeleteValueKey
NtEnumerateKey
NtEnumerateValueKey
NtOpenKey
NtOpenProcess
NtOpenThread and others (I'm lazy to write whole list).

Most antirootkits will not work with this rootkit, they simple dying at start. You need to remove notify routines set by rootkit (CreateProcess, CreateThread, LoadImage) to get them work.

Rootkit driver and data files are hidden from enumeration.

[EP_X0FF]

Black list found.

rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe mfefire.exe mfevtps.exe McSvHost.exe avp.exe egui.exe ekrn.exe spideragent.exe spidergate.exe spiderml.exe dwengine.exe cfp.exe cmdagent.exe avwebgrd.exe avmailc.exe avshadow.exe avguard.exe avfwsvc.exe avgnt.exe avgui.exe avgnsx.exe avgam.exe avgemc.exe avgfws9.exe avgwdsvc.exe AVGIDSMonitor.exe avgtray.exe avgfrw.exe avgcsrvx.exe AVGIDSAgent.exe avgrsx.exe avgchsvx.exe

edit:

two payload dlls can be extracted easily from svchost.exe for example.

[swirl]

too bad ddos_update.py doesn't work anymore, they've changed the url format and parameters, and
probably also the encryption method :( Also judging by the response size they are using two separate hosts:
one for the configuration and one for downloading the dos modules

hxxp://91.212.127.147/spm/s_alive.php?id=XXXXXXXXXXXXXX&tick=156328&ver=530&smtp=bad&sl=1&fw=0&pn=-1&psr=0
hxxp://91.212.127.147/spm/s_get_host.php?ver=530

89.149.196.37
POST /e/getcfg.php
ncnt=<hex block here>
mztja=<hex block here>

I'll have a look and see if I can update the script.

[Fyyre]

Black list found.

rootrepeal.sys gmer.sys greypill.sys Normandy.sys gmer.exe RootRepeal.exe RkUnhooker.exe ccSvcHst.exe MsMpEng.exe msseces.exe mcagent.exe mcshield.exe mfefire.exe mfevtps.exe McSvHost.exe avp.exe egui.exe ekrn.exe spideragent.exe spidergate.exe spiderml.exe dwengine.exe cfp.exe cmdagent.exe avwebgrd.exe avmailc.exe avshadow.exe avguard.exe avfwsvc.exe avgnt.exe avgui.exe avgnsx.exe avgam.exe avgemc.exe avgfws9.exe avgwdsvc.exe AVGIDSMonitor.exe avgtray.exe avgfrw.exe avgcsrvx.exe AVGIDSAgent.exe avgrsx.exe avgchsvx.exe

black list with mole tracks...