[EP_X0FF]

img.png (2.05 KiB) Viewed 861 times

Copy of famous rootkit for historical purposes. More can be found here http://www.kernelmode.info/forum/viewto ... f=16&t=630

SHA256: 9cb9d88755dc97275c343d54148a3c77e9e4a47993d77bb96049432440e4cb45
SHA1: e053da98951c66cd2f07bb2d92fdded2ef373e7b
MD5: 0206d052cfd59ef3c7770ca53b8ca43a

https://www.virustotal.com/en/file/9cb9 ... /analysis/

[fatdcuk]

Probaly data shared in private but will share my 2 static sources(a 3rd is variable as it is delivered by exploit on compromised sites).

Excluding rogues that have sold seats on their installs i have found that the iframe$ bundle downloader has been habitual offender for eitherTDL2 or TDL3 or both...

Type1(Cracksite/Keygen)

Code: Select all

http://keygen.name

All roads lead to Rome with a self extracting executable(Take care as it has been know to include Virut every so often along with Hiloti and other freind(s)).
Hosting of file is not to static but currently pointing to for example.

Code: Select all

http://get.serdb01.com/keygens/norton_antivirus__trial-keygen.exe

File attached.
http://www.virustotal.com/analisis/9a6d ... 1269278326

Type2(driveby)...

Type3(P2P land)
Attached is the current bundle downloader floated on Gnutella and other dirty P2P nets appearing near you(Zipped folder 2-4.5mb in size,all the names under the sun with 2 yellow key executables= Bundle downloader)
http://www.virustotal.com/analisis/1a35 ... 1267782429
Lot of goodies on that bundle(very worth tracking ;))

Code: Select all

http://joetracker.info/links/20100209082754.exe
http://joetracker.info/links/tb.exe
http://joetracker.info/links/cb.exe
http://joetracker.info/links/hamburgaler.exe
http://joetracker.info/links/20100204103420.exe
http://joetracker.info/links/20100218031245.exe
http://joetracker.info/links/20100228082137.exe

Enjoy!

[Meriadoc]

Hi Ade,

Yes a good source, I've been diving into that crack/keygen site for awhile, same as the associated links - always a winner

thanks for the links and samples :)

Regards

[EP_X0FF]

Hi Ade,

thanks for sharing.
keygen.name providing refined bundle each day very well ;)
Well actually all their "cracks" are just a same malware package.

Usually I also pick up everything recent from malc0de - but it's mostly trash and script-kiddies trojans.

Thank you for samples.

Regards.

[fatdcuk]

New Paladin AV/Malware Defender Family clone.

TDL2(_VOID) dropper along for the ride.

http://www.virustotal.com/analisis/d814 ... 1270228340

Enjoy :)

[EP_X0FF]

Excellent Ade! :D

extracted urls from TDL2 mini loader

hxxp://findernos.org/up3/setup;
hxxp://www.increafind.org/up3/setup;
hxxp://www.zealandsecurity.com/up3/setup;
hxxp://findernos.org/up3/install01;
hxxp://www.increafind.org/up3/install01;
hxxp://www.zealandsecurity.com/up3/install01;

[STRELiTZIA]

Loader strings:

UNICODE "TMP"
UNICODE "%s%s%d.tmp"
ASCII "_VOID"
UNICODE "%s%S%x.tmp"
UNICODE "\license.dat"
ASCII "94804860143697233939975370329435970097710202"
UNICODE "Azerbaijan"
UNICODE "Belarus"
UNICODE "Kazakhstan"
UNICODE "Kyrgyzstan"
UNICODE "Russia"
UNICODE "Uzbekistan"
UNICODE "Ukraine"
UNICODE "Czech Republic"
UNICODE "Poland"
UNICODE "Algeria"
UNICODE ".exe"
ASCII "ERROR . LOADER : %s nothing was executed ."
UNICODE "\AE0DD401-4FE0-4b74-8F0B-5C2CEBD36952"
UNICODE ".exe"
UNICODE ".manifest"
ASCII "<?xml version=""1.0"" encoding=""UTF-8"" standalone=""yes""?><assembly xmlns=""urn:schemas-microsoft-com:asm.v1"" manifestVersion=""1.0""><ms_asmv2:trustInfo xmlns:ms_asmv2=""urn:schemas-microsoft-com:asm.v2""><ms_asmv2:security><ms_asmv"...
ASCII "Printers\Connections"
ASCII "affid"
ASCII "subid"
ASCII "%[^;];%[^;];"
ASCII "software\_VOID"
ASCII "subid"
ASCII "%[^;];%[^;];"
UNICODE "\knowndlls\dll.dll"
UNICODE "\\?\globalroot\systemroot\system32\msvcrt.dll"
UNICODE "\D9A2BC6E-912D-451a-B433-1D6EE914F861"
ASCII "\\?\globalroot\systemroot\system32\msvcrt.dll"
UNICODE "\knowndlls\msvcrt.dll"
ASCII "fgetc"
ASCII "ntdll.dll"
UNICODE "spooler"
ASCII ".srt"
ASCII "IsWow64Process"
ASCII "kernel32"
ASCII "2831689418-1935655697-1177238915-725345543"
ASCII "%u-%s"
ASCII "urlmon.dll"
ASCII "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
ASCII "ObtainUserAgentString"

URL:

Code: Select all

hxxp://securityattendance.com/page/setup

Attached unpacked disassembly listing (loader.txt)

[EP_X0FF]

Does anybody has a payload from this URL? Server seems to be down.

[STRELiTZIA]

Does anybody has a payload from this URL? Server seems to be down.

it same for me.

[Meriadoc]

Is it YourProtector or Your Protection.

I helped someone nail the rootkit and then got them to clean up with mbam. Apparently it stops the user having an internet they can use and installing new software.

edit : I can see from the attachment it is your protection :)

I got them to send me the log :

Malwarebytes' Anti-Malware 1.45
http://www.malwarebytes.org

Database version: 3960

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904

06/04/2010 18:04:53
mbam-log-2010-04-06 (18-04-53).txt

Scan type: Quick scan
Objects scanned: 129614
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\cleansweep.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\_VOIDdvpfdtqcsw (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection (Rogue.YourProtection) -> Quarantined and deleted successfully.

Files Infected:
C:\cleansweep.exe\config.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\about.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\activate.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\buy.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\help.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\scan.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\settings.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\splash.mp3 (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\update.ico (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\urp.db (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Your Protection\virus.mp3 (Rogue.YourProtection) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDqvwebeevmp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDuuforstvir.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\_VOIDeaqcxspnmy.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\_VOIDbfc9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) -> Quarantined and deleted successfully.