A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #29738  by kurt2121
 Fri Dec 16, 2016 10:18 am
Hey guys, I'm very nooby when it comes to malware in general, so I figured this would be a good place to ask about this. So I had this infection way back some time ago, and I was wondering about its exact capabilities.

1. First of all, I can't even find any specifics on E.VBR. Is it the same as what Microsoft calls Alureon.E? (It was Malwarebytes that detected it as E.VBR.) Generally speaking, it seems like every website has a different description of the Alureon family. Does anybody know about this specific variant?

2. It appears to be one of the infections that steals information, like usernames and passwords/browsing habits. A few sources said they intercept this from network traffic, the Microsoft page says it "gathers URLs from browsing history" and others say it's a DNS changer, so they spoof sites so you'll type your info in. It seems like there are so many differences, and I get that there are different variants and stuff, but there doesn't seem to be a consensus on how they steal the info. Does anybody know? Is there a way to find out?

3. This is a super dumb question, but where does the info that is stolen go? Does it go to a server that everybody else who uses Alureon can access? Or is it just one guy running the entire Alureon show? Or is there some public place like "alureonleaks.com" that posts all the stuff they find (the stuff they probably can't sell)?

I have more noob questions, so if anybody knows anything about the above, or just wants to engage in some delightful discussion with a noob, please let me know!
 #29740  by EP_X0FF
 Fri Dec 16, 2016 4:09 pm
This detection name means nothing, like most AV names. There is no standard global naming between AVs. Each AV names malware as it wants, sometimes bringing total chaos, especially when most of the names are generated by AV bots. Does Alureon.E or Alureon.XYZ tell you something? Me neither, but I know what Alureon.E means if it comes from MS AV. What it means from MBAM, only someone who works with MBAM on an everyday basis knows. The "VBR" at the end suggests that it *could be* a detection of a VBR sector *infected* by the TDL variant known as MaxSS. Only if this is correct, and this is not a BkLoader VBR sector, and this is a detection for a VBR. Too many "ifs", because you didn't provide a file or a VT link. The threat description also means nothing, as it is a copy-pasted generic description. TDL and its multiple derivatives work as backdoors, altering network settings/requests by injecting a special DLL into the popular internet browser processes. TDL communicates with C&C servers, which are usually listed in its configuration file. TDL has been dead for a couple of years and exists only on old infected machines running unpatched old Windows versions.

 #29743  by kurt2121
 Fri Dec 16, 2016 5:55 pm
The only remaining thing that comes up on the Malwarebytes rootkit scan is "Physical Sector 312576705 on drive 0 (Rootkit.Alureon.E.VBR)". Is there a way to get any more info from that?

So if it is possibly this MaxSS, it would steal from site spoofing/DNS redirects?

Also, do you happen to know if Alureon ever happens to be packaged with 0access infections as well? I had both, and I was wondering if they were part of the same attack, or if they were different. The ZeroAccess infections were in a different Windows directory that I cannot get to.

Here are a couple of examples. How can I get to these files so I can test them?

37. c:\windows\$ntuninstallkblo55$\3728945212\L (Backdoor.0Access)

38. c:\windows\$ntuninstallkblo55$\3728945212\U

39. c:\windows\$ntuninstallkblo55$\3728945212\12 (Backdoor.0Access)
 #29761  by EP_X0FF
 Wed Dec 21, 2016 12:20 pm
kurt2121 wrote:The only remaining thing that comes up on the malwarebytes rootkit scan is "Physical Sector 312576705 on drive 0 (Rootkit.Alureon.E.VBR)" Is there a way to get any more info from that?
What info?

kurt2121 wrote:Also, do you happen to know if Alureon ever happens to be packaged with 0access infections as well? I had both, I was wondering if they were part of the same attack, or if they were different. The zeroaccess infections were in a different windows directory that i cannot get to.
This computer is simply infected with multiple malware.
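One concrete thing that can be extracted from a scanner line like "Physical Sector 312576705 on drive 0 (... .VBR)" is whether that absolute sector really is a partition's first sector (its VBR), which is what a VBR-infector such as the MaxSS variant mentioned above would overwrite. The script below is an added example, not code from the thread or from any scanner: it parses the four primary partition entries of a classic MBR, maps a reported LBA to the partition that contains it, and flags whether the LBA is that partition's boundary. The disk layout embedded in it is constructed for the demonstration (the second partition is deliberately placed at 312576705, so the lookup reports a VBR hit); on a real machine you would read the first 512 bytes of the physical drive instead. As a small aside, 312576705 is an exact multiple of 63, the classic sectors-per-track alignment of XP-era partition tables, which is at least consistent with a partition start rather than a random data sector.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446


def parse_mbr_partitions(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a classic MBR.

    Each entry is 16 bytes: status (0x80 = bootable), CHS start, type,
    CHS end, then two little-endian DWORDs: start LBA and sector count.
    """
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    partitions = []
    for index in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * index
        entry = mbr[off:off + 16]
        status, ptype = entry[0], entry[4]
        start_lba, sector_count = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sector_count == 0:   # unused slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "end_lba": start_lba + sector_count - 1,
        })
    return partitions


def locate_sector(partitions: list, lba: int):
    """Map an absolute LBA to its partition; is_vbr is True on the first sector."""
    for p in partitions:
        if p["start_lba"] <= lba <= p["end_lba"]:
            return {
                "partition": p["index"],
                "offset_in_partition": lba - p["start_lba"],
                "is_vbr": lba == p["start_lba"],
            }
    return None  # outside every primary partition (e.g. MBR track or slack)


def read_mbr_from_device(path: str) -> bytes:
    """Read the first sector of a raw device, e.g. r'\\\\.\\PhysicalDrive0' on
    Windows (needs administrator rights) or '/dev/sda' on Linux (needs root)."""
    with open(path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr(entries) -> bytes:
    """Construct a synthetic MBR from (bootable, type, start_lba, count) tuples."""
    mbr = bytearray(SECTOR_SIZE)
    for index, (bootable, ptype, start, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + 16 * index
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed layout, not taken from the poster's machine: an NTFS system
# partition at LBA 2048 and a second NTFS partition starting at the sector
# the scanner reported, so the lookup below lands exactly on a VBR.
REPORTED_SECTOR = 312576705
SAMPLE_MBR = build_sample_mbr([
    (True, 0x07, 2048, 204800),
    (False, 0x07, REPORTED_SECTOR, 1000000),
])


def describe_reported_sector(mbr: bytes, lba: int) -> str:
    hit = locate_sector(parse_mbr_partitions(mbr), lba)
    if hit is None:
        return f"LBA {lba}: not inside any primary partition"
    where = "the VBR (first sector)" if hit["is_vbr"] else f"offset {hit['offset_in_partition']}"
    return f"LBA {lba}: partition {hit['partition']}, {where}"


if __name__ == "__main__":
    print(describe_reported_sector(SAMPLE_MBR, REPORTED_SECTOR))
    print(describe_reported_sector(SAMPLE_MBR, 2048 + 10))
    print(describe_reported_sector(SAMPLE_MBR, 100))
```

If the reported LBA is a partition's first sector, the next defender step is to dump that one sector and compare its boot code against a known-good VBR for the filesystem type; if it is not on a partition boundary, the detection name is probably mislabelled and the sector should be examined as ordinary data instead.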
 #29823  by kurt2121
 Mon Jan 02, 2017 6:51 pm
Is it common for a rootkit like this to come packaged with adware components like adware.hotbar or adware.mywebsearch?
 #29838  by EP_X0FF
 Sun Jan 08, 2017 6:07 am
This is downloader malware. Downloader. Does this give you any tips?