A forum for reverse engineering, OS internals and malware analysis 

Win32/Caphaw (Shylock)

Forum for analysis and discussion about malware.

Re: Win32/Caphaw (Shylock)

 #18531  by Xylitol
 Fri Mar 15, 2013 7:16 am
kmd wrote:hi
looking for Wolcape.A, Wolcape.B rootkit, bootkit components of Shylock.

http://www.welivesecurity.com/2013/02/2 ... ct-plugin/

Win32/Wolcape.A (driver) 766da148d74f7ea9aca692246a945bd70da6cf18
Win32/Wolcape.B (bootkit dropper) f8da98763e345f42c62db02e51bf5d80342cd4d2
Attachments
infected
(146.02 KiB) Downloaded 154 times

Re: Win32/Caphaw (Shylock)

 #18533  by EP_X0FF
 Fri Mar 15, 2013 9:22 am
kmd wrote:hi
looking for Wolcape.A, Wolcape.B rootkit, bootkit components of Shylock.

http://www.welivesecurity.com/2013/02/2 ... ct-plugin/

Win32/Wolcape.A (driver) 766da148d74f7ea9aca692246a945bd70da6cf18
Win32/Wolcape.B (bootkit dropper) f8da98763e345f42c62db02e51bf5d80342cd4d2
Hehehe, Matrosov article entertaining. Yes indeed after reading this cool story with a lot of IDAPro+HexRays screenshots (don't forget also always put some Hiew screenshot - no matter how actually useless this program - it has cool blue hackers view, I also bought it - specially for screenshots), you can think it is something "wow" and super fancy. No it is not.

Do not expect from this "bootkit" component anything. So called rootkit here is sad trash. It misses even obfuscator (not enough money?) and based on SSDT hooking (yes-yes, necrofilia here) - NtCreateSection, NtEnumerateKey, NtEnumerateValueKey, NtQueryDirectoryFile (super file stealth), NtQuerySystemInformation.

The way it installs these SSDT hooks clearly demonstrate level of developers professionalism, who interested -> look how it manupulates with cr0. Additionally it hooks Tcpip driver IRP_MJ_DEVICE_CONTROL handler. Contains fingerprinting, so it won't work on newest Windows versions. Malware container + encrypted driver in systemroot\system32. IDK maybe even RootkitRevealer can find them. Having such lolkit in 2012-2013 year is ridiculous.

edit: yes =)
Code: Select all
C:\Utils>rootkitrevcons

RootkitRevealer v1.10 - Rootkit detection utility
Copyright (C) 2005 Bryce Cogswell and Mark Russinovich
Sysinternals - www.sysinternals.com

You may not redistribute RootkitRevealer without express written
permission. Contact licensing@sysinternals.com for information.

C:\WINDOWS\SYSTEM32\0.EDP:
   Description: Hidden from Windows API.
   Date:        3/15/2013 4:50 PM
   Size:        27.38 KB
C:\WINDOWS\SYSTEM32\0EDP:
   Description: Hidden from Windows API.
   Date:        3/15/2013 4:50 PM
   Size:        107.00 KB

Re: Win32/Caphaw (Shylock)

 #18537  by EP_X0FF
 Fri Mar 15, 2013 10:07 am
kmd wrote:Matrosov sharply criticized yestarday when this article was posted on habrahabr, http://habrahabr.ru/company/eset/blog/171929/, watch comments.
I don't see anything to blame him in not professionalism. Even having all this screenshots you can't reproduce malware. Programming tricks? Maybe, but I don't see if he posted anything related to antiemulation for example, or any wise trick to detect VM/Sandboxing. Anything else is not important. As for Carberp and "hacker" magazine article, well I broke my mind while reading the part related to injection, work with section objects described even by Richter, and I don't see anything really dangerous in posting it to public (especially in a way as he wrote).

This guy is just making a money from self-promoution, what is the problem. Someone doing this by stealing others work, someone doing this by annoying BS screaming (F-Secure). This one lurking in internet and describing not widely known material as he understands it (unlikely he can really reproduce or create something like he describes).

Re: Win32/Caphaw (Shylock)

 #18555  by kloent
 Sun Mar 17, 2013 7:51 am
Caphaw VNC module (vnc.dll - md5: 84475b815bc2bc2cec8d50dfceebae71 sha1: f7c9770c69e32585885d76725d68866e0e470937)
Attachments
pass: infected
(99.91 KiB) Downloaded 101 times
 Return to “Malware”