A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22460  by R136a1
 Thu May 31, 2012 2:49 pm
Flying under the radar:

The following link shows some interesting informations of a malware not yet classified:
http://threatexpert.com/reports.aspx?fi ... r&x=12&y=7

First uploaded in 2010, but some of the C&C servers are still online, so maybe it is still actively used.
Moreover it contains a kernel mode component and the origin is stated as Russian Federation, which may indicate a real challenge.

MD5 hashes
 #22334  by CloneRanger
 Sun Mar 02, 2014 5:18 am
@ R136a1 Good catches, Thanx :)

ALL the samples in your 2 Zips, are reported by PeStudio as Signed. But viewing Properties indicates they are Not ! Have the coders discovered a clever way of tricking the OS's into believing they are signed, or is there another reason why my screenies show what they do ?

If they have managed to do that, how ?

Sample in screenies = inj_snake_x64.dll
prop.png (8.53 KiB) Viewed 2670 times
pes.png (7.41 KiB) Viewed 2670 times
 #22335  by R136a1
 Sun Mar 02, 2014 8:04 am
When PeStudio detects something as digitally signed, it has to be 100% correct. So let's find out how they managed to fool Windows into thinking the files are signed! [/irony]

No, none of the files is digitally signed! And they also didn't find a way to fool Windows (why Windows anyway? PeStudio detects it as signed!) into thinking so. I don't know what PeStudio is using as an indicator for detecting files as digitally signed, but the implementation is obviously buggy.

Why do you blindly trust in any tools when the opposite is obviously right (as you saw yourself)? ;)
 #22342  by t4L
 Mon Mar 03, 2014 2:58 am
I guess you're understanding incorrectly PeStudio. IMHO, the file has the characteristic when the star on the left of lights up. In this case, the file isn't signed since that star is blurred.

PeStudio GUI design is bad, but not that hard to recognize.
 #22343  by CloneRanger
 Mon Mar 03, 2014 5:44 am
@ R136a1

Well i don't pretend to be an expert. I just thought that there "might" be something worth exploring further. Anyway, see below.


Yes it was an earlier version i was using.

@ t4L

You're right, i mistakenly glossed over that. Ah well, live n learn ! Actally i think is a useful addition to our Tools etc box ;)


 #22345  by frank_boldewin
 Mon Mar 03, 2014 5:29 pm
Yesterday i wrote on facebook that the Uroboros malware reminds me on a similar case back in 2008. Now i'm pretty sure. When the dropper executes first it checks if it runs on a 32bit or 64bit system to select what driver to drop later. It creates a directory $NtUninstallQ817473 inside the windows directory and drops an encrypted driver called fdisk.sys. Then a 400MB file is created called fixdata.dat. This is an encrypted filesystem storing usermode files of the malware, which are being injected in services.exe and explorer.exe
Further it is used to store stolen documents e.g. word, excel, powerpoint. The driver fdisk.sys manages the fixdata.dat filesystem and the network communication. The driver avoids to use hiding itself or using defense tactics. Symantec analysed an older version of this malware in November 2009 and called it Backdoor.Pfinet. Of course i haven't made a deep dive inside the malware in that short period of time i looked at it, so there will be still a lot of things to explore. ;)

Someone has seen a deep analysis already?
  • 1
  • 2
  • 3
  • 4
  • 5
  • 7