A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15089  by EP_X0FF
 Fri Aug 10, 2012 3:47 am
How many times will you bump this thread by necroposting stuff that was actually already posted here or ripped by Prevx from this site? Thread closed until any rootkit updates.
 #17130  by Quads
 Wed Dec 12, 2012 12:47 am
Hi

Does anyone have a backed-up copy of the BCD with the Pihar/TDL4 custom code inside?

Thanks

Quads
 #17290  by Cassiel
 Wed Dec 19, 2012 11:11 am
Hi

I have a copy of Purple Haze, which I included; is this what you are looking for?

Cassiel
Attachments
pswd = infected (176.1 KiB)
 #17297  by Quads
 Wed Dec 19, 2012 10:48 pm
Thanks anyway, but NO.

I have all that; there is a reason why I asked for the BCD with the custom code inside and didn't ask for the rest. The rest is easy to create; I can't get the BCD to patch with the custom code.

Quads
 #17299  by EP_X0FF
 Thu Dec 20, 2012 1:29 am
TDL4 AFAIR was patching the BCD by ldr16 in memory. Did you try dumping the BCD of an already infected machine?
 #17300  by Quads
 Thu Dec 20, 2012 2:15 am
I can infect my systems; it is just that the BCD is not touched (no custom code).

And trying to get some PC users to follow instructions to run a program is hard enough at times; I hope they don't drive a car like they drive a PC.

Quads
 #18721  by EP_X0FF
 Wed Mar 27, 2013 10:34 am
TDL4 clone, a combination of MaxSS/TDL4/Pihar. Bugged like hell.

A new active entry in the partition table -> ldrm (a copy of the TDL4 MBR code with the usual ror decryption cycle) -> ldr16 -> ldr32/ldr64 -> drv32/drv64 (the lolkit itself) -> cmdXX.dll -> profit. Rendered the machine unbootable.

Config simplified; the dropper contains a UAC COM elevation dll (Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}), similar to that used by Win32/Simda, and seems inspired by this code: http://www.pretentiousname.com/misc/W7E ... t.cpp.html

SHA256: f3773764307cad8af08519db29b490124aa1f068a5e5373b7aaf56c7fe8f8793
SHA1: 62db6704a6a32389b17be46552f6d2cab26363ad
MD5: 03d41f944eea9c4be5f5e34a74f03462

https://www.virustotal.com/en/file/f377 ... /analysis/

Rootkit components are stored without encryption at the end of the disk, Pihar FS. The SD-marked sector describes the whole directory.

All extracted components attached.
Attachments
pass: malware (161.87 KiB)
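A disk-image triage sketch that follows the boot chain in the post above (a new active partition-table entry, unencrypted components parked at the end of the disk, an "SD"-marked directory sector). This is an added example, not code from the post, from the rootkit or from any analysis tool mentioned here. It assumes 512-byte sectors, that the "SD" marker is the first two bytes of a sector, and that the stored components are plain PE files; none of that layout detail is spelled out in the post. The disk image is constructed in memory so the script runs offline.

```python
"""Triage of a raw disk image for a TDL4/Pihar-style layout (added example).

Assumptions (mine, not from the post): 512-byte sectors, sector-aligned
components, an 'SD' marker in the first two bytes of the directory sector,
and unencrypted PE images ('MZ' ... 'PE\\0\\0') at the end of the disk.
"""
import struct

SECTOR = 512
PART_FMT = '<B3sB3sII'   # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b'\x55\xaa':
        raise ValueError('not a valid MBR (missing 0x55AA signature)')
    entries = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, lba, count = struct.unpack_from(PART_FMT, mbr, 446 + 16 * i)
        if ptype == 0:
            continue
        entries.append({'index': i, 'active': boot == 0x80, 'type': ptype,
                        'start_lba': lba, 'sectors': count})
    return entries


def active_entries(entries):
    """Active (0x80) entries; more than one is the 'new active entry' the post describes."""
    return [e for e in entries if e['active']]


def scan_tail(image: bytes, tail_sectors: int):
    """Scan the last tail_sectors sectors for 'SD' markers and sector-aligned PE images."""
    start = max(0, len(image) - tail_sectors * SECTOR)
    hits = {'sd': [], 'pe': []}
    for off in range(start, len(image), SECTOR):
        sec = image[off:off + SECTOR]
        if sec[:2] == b'SD':
            hits['sd'].append(off // SECTOR)
        if sec[:2] == b'MZ' and len(sec) >= 0x40:
            e_lfanew = struct.unpack_from('<I', sec, 0x3c)[0]
            if image[off + e_lfanew:off + e_lfanew + 4] == b'PE\0\0':
                hits['pe'].append(off // SECTOR)
    return hits


def build_sample_image(total_sectors: int = 4096) -> bytes:
    """Constructed test image: two active entries, an 'SD' sector and a stub PE near the end."""
    img = bytearray(total_sectors * SECTOR)
    # Entry 0: ordinary active NTFS system partition (type 0x07).
    struct.pack_into(PART_FMT, img, 446, 0x80, b'\0\0\0', 0x07, b'\0\0\0', 2048, 1024)
    # Entry 1: the added active entry pointing at the disk tail (type value is arbitrary here).
    struct.pack_into(PART_FMT, img, 462, 0x80, b'\0\0\0', 0x17, b'\0\0\0', 4000, 64)
    img[510:512] = b'\x55\xaa'
    # 'SD' directory sector at LBA 4000, stub PE image at LBA 4001.
    img[4000 * SECTOR:4000 * SECTOR + 2] = b'SD'
    base = 4001 * SECTOR
    img[base:base + 2] = b'MZ'
    struct.pack_into('<I', img, base + 0x3c, 0x80)   # e_lfanew
    img[base + 0x80:base + 0x84] = b'PE\0\0'
    return bytes(img)


def triage(image: bytes, tail_sectors: int = 128):
    """Summarise what a responder would look at first."""
    entries = parse_mbr(image[:SECTOR])
    return {'partitions': entries,
            'active': active_entries(entries),
            'tail': scan_tail(image, tail_sectors)}


if __name__ == '__main__':
    report = triage(build_sample_image())
    for e in report['partitions']:
        flag = 'ACTIVE' if e['active'] else '      '
        print(f"entry {e['index']}: {flag} type=0x{e['type']:02x} lba={e['start_lba']} n={e['sectors']}")
    print('SD sectors:', report['tail']['sd'], ' PE sectors:', report['tail']['pe'])
```

On a real image the tail scan is only a first pass: anything the rootkit encrypts will not match the 'MZ'/'PE' check, and a second active entry alone is not proof, so treat the active-entry list and the tail hits as leads to dump and compare, not as a verdict.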