A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16024  by EP_X0FF
 Mon Oct 15, 2012 5:29 pm
rkhunter wrote:
EP_X0FF wrote: Well, you can find lots of different detections for sinowal, for example. On its own that does not indicate anything. As I posted before, I want to hear any updates from Erik, since he started this and probably he can share more info.
I don't understand... a post ago you said that they are completely equal; do you mean the droppers or the malicious VBRs? Or do you mean various detections for both exactly equal boot components? :?
My post was about yours.
Guys, all the info is here: viewtopic.php?f=16&t=596&start=70#p15961
Most of the main code and the I/O routines are the same, the reboot routine is the same (just moved into a separate procedure in the new dropper) - everyone can verify this; I think even the delay before the reboot is the same.
Btw, currently I see that we don't have 100% facts, because these new droppers won't infect the VBR.
Let's start from the beginning. By "infecting" the VBR, what do you mean?
 #16026  by rkhunter
 Mon Oct 15, 2012 5:46 pm
EP_X0FF wrote: Let's start from the beginning. By "infecting" the VBR, what do you mean?
How can you confirm that this dropper [posted above with screens] infects the VBR with the same malicious code as the previous version?
 #16027  by EP_X0FF
 Mon Oct 15, 2012 5:50 pm
rkhunter wrote:
EP_X0FF wrote: Let's start from the beginning. By "infecting" the VBR, what do you mean?
How can you confirm that this dropper [posted above with screens] infects the VBR with the same malicious code as the previous version?
The key word there is "infects". What does this mean to you?

- modifying existing code
- replacing existing code
- adding new code and somehow transferring control to it

what is the "infecting VBR" you are all talking about? :)
 #16028  by kmd
 Mon Oct 15, 2012 6:08 pm
EP_X0FF wrote:
rkhunter wrote:
EP_X0FF wrote: Let's start from the beginning. By "infecting" the VBR, what do you mean?
How can you confirm that this dropper [posted above with screens] infects the VBR with the same malicious code as the previous version?
The key word there is "infects". What does this mean to you?

- modifying existing code
- replacing existing code
- adding new code and somehow transferring control to it

what is the "infecting VBR" you are all talking about? :)

old maxss adds a new entry to the mbr + active flag, no code modification. vbr written to a new hidden volume
so it is not infecting anything

original tdl4 replaces the mbr with its own, also not "infect" in the virus sense, but mass media prefer to use the words "infect" and "virus"
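The pattern kmd describes (a new partition entry carrying the active flag, code area untouched) is something an analyst can check for directly in a disk image. The following is an added example, not code from the thread or from any of the samples discussed: it parses the four entries of a 512-byte MBR and flags an active partition that is tiny and sits after the main partition, or any entry that runs past the end of the disk. The two MBRs are constructed in the code for illustration, and the 64 MiB "tiny" threshold is an assumption.

```python
import struct

SECTOR = 512
ENTRY_OFF = 0x1BE            # partition table starts at byte 446
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes):
    """Return the non-empty partition entries of a classic MBR as dicts."""
    if len(mbr) != SECTOR or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, ENTRY_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "active": status == 0x80,
                      "type": ptype, "lba": lba, "sectors": count})
    return parts


def audit_partition_table(parts, disk_sectors, small_mb=64):
    """Return a list of human-readable findings; empty list means nothing odd."""
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    largest = max(parts, key=lambda p: p["sectors"], default=None)
    for p in active:
        if p["sectors"] * SECTOR < small_mb * 1024 * 1024:
            findings.append(f"active partition {p['index']} is tiny ({p['sectors']} sectors)")
        if largest is not None and p is not largest and p["lba"] > largest["lba"]:
            findings.append(f"active partition {p['index']} sits after the main partition (appended entry)")
    for p in parts:
        if p["lba"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    return findings


def make_mbr(entries):
    """Build a constructed MBR: zeroed code area, given entries, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, ENTRY_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


DISK_SECTORS = 20_971_520  # constructed 10 GiB disk

# Constructed: one NTFS partition, active, filling the disk.
CLEAN_MBR = make_mbr([(0x80, 0x07, 2048, 20_969_472)])

# Constructed: the OS partition lost its active flag and a small entry at the
# end of the disk now carries it, mirroring the pattern described in the thread.
APPENDED_ENTRY_MBR = make_mbr([(0x00, 0x07, 2048, 20_951_040),
                               (0x80, 0x07, 20_953_088, 18_432)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("appended entry", APPENDED_ENTRY_MBR)):
        print(name, audit_partition_table(parse_mbr(mbr), DISK_SECTORS))
```

On a real image, read the first 512 bytes of the disk device and pass the disk's sector count; the same check also catches a stray second active flag.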
 #16029  by sww
 Mon Oct 15, 2012 6:58 pm
EP_X0FF wrote: The key word there is "infects". What does this mean to you?
Dammit, i love you :lol:

Also, kmd is right about modifying the mbr. I haven't analysed this one, but I trust Vaber. So, it's not an infection in the "virus" sense of the word...
 #16054  by 0x16/7ton
 Tue Oct 16, 2012 7:35 pm
thisisu wrote:
thisisu wrote: Isn't working for me on a VM. Will try tomorrow on a live machine.
Isn't working for me, even on a live machine. Tried Win 7 x64. The dropper goes into a temp folder as something like A3.tmp but disappears after a reboot.
Because the malware checks:
- the path to the file must contain the temp directory
- compares the filename with a blacklist (by calculating hashes)
- compares the username with a blacklist...
maybe that's not everything, but I think randomization of the OS environment will help you :)

additional info:
sst_c hash algorithm pseudo code:
Code:
unsigned int Hash_proc(int len_string, const unsigned char *string)
{
  int r = 0;
  unsigned int hash, temp_round = 0, round_count;  /* unsigned so the shifts are logical */
  int length_string = len_string;
  for (hash = 0xFFFFFFFF; length_string; hash = temp_round ^ (hash >> 8))
  {
    temp_round = string[r] ^ (hash & 0xff);
    round_count = 0;
    --length_string;
    ++r;
    do
    {
      if (temp_round & 1)
        temp_round = (temp_round >> 1) ^ 0xEDB88320;
      else
      {
        temp_round = temp_round >> 1;
        ++round_count;  /* the counter only advances on this branch */
      }
    }
    while (round_count < 8);
  }
  return ~hash;
}
All hashes are computed from Unicode strings.
Some examples:
hash:0xbcb2c8fe unicode_string:file.exe
hash:0xf37288c2 unicode_string:temp
Last edited by 0x16/7ton on Tue Oct 16, 2012 11:16 pm, edited 1 time in total.
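To turn the routine in the post above into something usable during analysis, here is an added example (not code from the post or from the sample): the same hash reimplemented in Python over UTF-16LE strings, plus a small resolver that maps a hash recovered from a dropper back to a candidate string. The candidate names are constructed, and it is assumed that "Unicode" means UTF-16LE without a terminator and that the sample hashes the strings as-is (case handling is not stated in the post). The script also prints what the two hashes quoted in the post resolve to under this reimplementation, for comparison.

```python
POLY = 0xEDB88320  # polynomial constant from the posted pseudocode


def sst_hash(data: bytes) -> int:
    """Hash as in the posted pseudocode. It looks like CRC-32, but the per-byte
    round counter only advances on the non-XOR branch, so the number of
    shift steps per byte varies (the loop still terminates: the XOR branch
    converges to a fixed point whose low bit is clear)."""
    h = 0xFFFFFFFF
    for byte in data:
        t = byte ^ (h & 0xFF)
        rounds = 0
        while True:
            if t & 1:
                t = (t >> 1) ^ POLY
            else:
                t >>= 1
                rounds += 1
            if rounds >= 8:
                break
        h = t ^ (h >> 8)
    return (~h) & 0xFFFFFFFF


def hash_string(s: str) -> int:
    """Assumption: 'Unicode string' means UTF-16LE bytes, no terminator."""
    return sst_hash(s.encode("utf-16-le"))


def build_table(candidates):
    """Map hash -> candidate string for every name in the list."""
    return {hash_string(c): c for c in candidates}


def resolve(hash_value: int, table):
    """Return the candidate string for a hash seen in a sample, or None."""
    return table.get(hash_value & 0xFFFFFFFF)


# Constructed candidate list: filenames and usernames an analyst might expect
# a blacklist of this kind to contain.
CANDIDATES = ["file.exe", "temp", "sample.exe", "malware.exe", "sandbox",
              "virus", "test", "admin", "user"]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for h, name in sorted(table.items()):
        print(f"hash:0x{h:08x} unicode_string:{name}")
    # the two values quoted in the post, for comparison with this reimplementation
    for h in (0xBCB2C8FE, 0xF37288C2):
        print(f"0x{h:08x} -> {resolve(h, table)}")
```

If the two quoted values do not resolve to file.exe and temp, the encoding or case assumption above is wrong for the sample and is the first thing to adjust.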
 #16056  by frank_boldewin
 Tue Oct 16, 2012 9:33 pm
Here are the decrypted and decompressed resource files from SST_C.

Size (bytes)   Name
4              AFFID
3,059          BOOT
25,088         CMD32
43,520         CMD64
6,656          DBG32
9,088          DBG64
38,912         DRV32
41,472         DRV64
6,144          LDR32
5,632          LDR64
3,817          MAIN
440            MBR
8              SUBID
12,800         TDI32
16,384         TDI64
512            VBR

enjoy!

ps: haven't seen the files TDI32 and TDI64 before; they seem to be newly added. Correct me if I'm wrong.
Attachments: one file (95.39 KiB), pw: infected
 #16067  by kmd
 Wed Oct 17, 2012 5:40 am
0x16/7ton wrote: Because the malware checks:
- the path to the file must contain the temp directory
- compares the filename with a blacklist (by calculating hashes)
- compares the username with a blacklist...
maybe that's not everything, but I think randomization of the OS environment will help you :)
Are you able to run it on your box to the infection stage? Because environment randomization was the first thing I did. Still not working after your tips. Additionally, the dropper lacks a manifest, and the %temp%+filename requirement suggests to me it is normally installed with a user-rights-escalation exploit from an exploit kit, imo.
 #16068  by thisisu
 Wed Oct 17, 2012 6:22 am
0x16/7ton wrote: Because the malware checks:
- the path to the file must contain the temp directory
Not sure if you were giving me a hint here, but this worked for me, so thanks :)

For Windows 7 x64 live, I added the dropper that Xylitol uploaded into %temp% ( C:\Users\<username>\AppData\Local\Temp ).
Run as administrator and you should see a randomly generated .tmp file (usually 2-4 alphanumeric characters) and a file called "UAC.exe".
Keep opening UAC.exe using Run as administrator and it will spawn 2-5 more .tmp files and will eventually disappear.
Once UAC.exe disappears, SST.c should be installed. :P

__

Side note: UAC.exe is also generated on a Windows XP VM, but I guess it fails to install SST.c properly.

Here is the link to the dropper again: http://www.kernelmode.info/forum/viewto ... 310#p15942
Attachments: two files (115.19 KiB, 3.29 KiB)
 #16069  by EP_X0FF
 Wed Oct 17, 2012 6:50 am
Put the dropper in %temp% under any name. Then launch the dropper as usual, under admin rights of course. Then start cmd, navigate to the temp folder, and start the new file with the start command. Does it work for you?