[CatalystXP]

Hi everyone! I need a live rootkit Sinowal, which infects the MBR. I want to test the ability of antivirus software to detect and treat an active infection of rootkits. Check each file laid out I can not. If there is someone a sample, please send a link to the archive in PM. And that would not be spam, if you have please send a sample of live VBR-rootkit Rovnix.
Sorry for my very bad English.

[PX5]

Hi everyone! I need a live rootkit Sinowal, which infects the MBR. I want to test the ability of antivirus software to detect and treat an active infection of rootkits. Check each file laid out I can not. If there is someone a sample, please send a link to the archive in PM. And that would not be spam, if you have please send a sample of live VBR-rootkit Rovnix.
Sorry for my very bad English.

BH URL still active...

mouseinputnolongerworks.com/index.php?tp=0f4b6d00d5c05110

Bin Attached

[Kafeine]

113 items

[dumb110]

16Ko files are corrupted. The other files are cyphered or junk, all are non executables.

[Kafeine]

Ok. Trying to understand how to bring better samples, could you tell me status for : sinowal4_+20120805-14 ?
Checking this :
https://www.virustotal.com/file/af33a06 ... 344249026/
make me think the sample is ok...but would like to understand why it's not.

[PX5]

Files are fine Kaf, helps if you know what filetypes and such are involved, i knew there was a use for regsvr32. ;)


By the way, 92ce8171d5b529b1fb8d0854dbb04e83 has survived a full re-image using Acronis and is functioning quite well atm. :(

[nullptr]

It's been sometime since I bothered looking at Sinowal, but IIRC you can just remove the dll flag from the PE characteristics and they'll run fine.
I always used this method + debugger to remove their crypter.

[Kafeine]

Tilt

[Kafeine]

103 Items (from 08 to 10)
Most Items have doubled size. Don't know why. Can't explain. Wouldn't be surprise if items were not all Sinowal. Too big to be Attached.
http://minus.com/lZWbdssjL0C8J

Thread : http://min.us/mbkiPTU7Bc/1f

[thisisu]

i knew there was a use for regsvr32. ;)

So you use regsvr32.exe to register these win32 .dlls and then you can be infected with Sinowal?
IIRC I had another tool that could inject dlls into a process but does it matter which process I choose?
What would be the easiest way to infect myself with Sinowal?