A forum for reverse engineering, OS internals and malware analysis 

 #4206  by EP_X0FF
 Thu Dec 30, 2010 6:17 pm
You will be surprised, but take a look at what we have in this sample.
cmd.exe
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Actions Context="LocalSystem">
<Exec>
<Command>%s</Command>
</Exec>
</Actions>
</Task>
\\?\globalroot\systemroot\system32\tasks\
task%d
<Actions
Hello Stuxnet and TDL.

Aside from this, the kb.dll name changed to ms.dll.
EP overwrite is the same (winlogon/explorer).
system32\dll is also in place.
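As an added example (not code from the thread or from the sample), a defender-side check for scheduled-task definitions carrying the traits visible in those strings: a LocalSystem principal, HighestAvailable run level, a generic taskN file name and a bare cmd.exe launcher. The Tasks directory path and the sample document below are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"  # namespace real task files use
LOCAL_SYSTEM = "S-1-5-18"
GENERIC_NAME = re.compile(r"^task\d+$", re.IGNORECASE)  # the task%d naming seen in the strings


def _text(root, tag):
    """First text value for tag; the forum quote has no namespace, real files do."""
    node = root.find(f".//{NS}{tag}")
    if node is None:
        node = root.find(f".//{tag}")
    return (node.text or "").strip() if node is not None else ""


def inspect_task(name, xml_text):
    """Return the suspicious traits of one task definition (empty list = nothing flagged)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["unparseable task XML"]
    reasons = []
    if _text(root, "UserId") == LOCAL_SYSTEM:
        reasons.append("principal is LocalSystem (S-1-5-18)")
    if _text(root, "RunLevel") == "HighestAvailable":
        reasons.append("RunLevel HighestAvailable")
    if GENERIC_NAME.match(name):
        reasons.append("generic numeric task name")
    cmd = _text(root, "Command").lower()
    if cmd.endswith("cmd.exe") or "%s" in cmd:  # bare shell launcher, as templated in the sample
        reasons.append("command launcher: " + (cmd or "<empty>"))
    return reasons


def scan_tasks_dir(tasks_dir=Path(r"C:\Windows\System32\Tasks")):
    """Walk the Tasks store (path assumed) and report files showing two or more traits."""
    hits = {}
    for path in (p for p in tasks_dir.rglob("*") if p.is_file()):
        raw = path.read_bytes()  # task files are usually UTF-16 with a BOM
        text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "ignore")
        if len(reasons := inspect_task(path.name, text)) >= 2:  # one trait alone is common on clean hosts
            hits[str(path)] = reasons
    return hits


# Constructed sample mirroring the fragment quoted in the post (no namespace, shell launcher).
SUSPECT_TASK = """<Task version="1.2"><Principals><Principal id="LocalSystem">
<UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
<Actions Context="LocalSystem"><Exec><Command>cmd.exe</Command></Exec></Actions></Task>"""
```

Run `scan_tasks_dir()` on a suspect machine, or `inspect_task("task7", SUSPECT_TASK)` to see all four traits reported for the constructed sample.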
 #6329  by EP_X0FF
 Sun May 15, 2011 3:33 am
Bamital with Stuxnet exploit, harvested from a SpyEye dropzone (upload directory).
Proxy dll named b.dll; main payload (encrypted) stored as C:\windows\system32\dll, name hardcoded, decrypted in attach. Pass: malware

Contains a special blacklist of AV sites and update servers.
pass: malware
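An added example, not from the post: a hosts-file check for the kind of blacklist described above, flagging vendor and update domains that have been pinned to loopback (or 0.0.0.0). The watched-domain set and the sample lines are constructed assumptions; the normaliser also tolerates the URL-like entries such lists tend to contain, which are themselves a giveaway since a hosts file never legitimately holds a scheme or path.

```python
import ipaddress

# Assumed watchlist of vendor and update domains; extend it with your own estate's AV/update hosts.
WATCHED_DOMAINS = {
    "microsoft.com", "symantec.com", "kaspersky-labs.com", "kaspersky.com",
    "mcafee.com", "avast.com", "avg.com", "eset.com", "virustotal.com",
}


def normalize_host(token):
    """Reduce a hosts-file name field to a bare hostname; such lists often carry URL-like junk."""
    host = token.lower()
    for scheme in ("http://", "https://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
    return host.split("/", 1)[0]


def is_watched(host):
    """True if host is a watched domain or a subdomain of one."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in WATCHED_DOMAINS for i in range(len(parts) - 1))


def find_sinkholed_entries(hosts_text):
    """Return (line_no, ip, host, malformed) for watched names pinned to loopback or 0.0.0.0."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for token in fields[1:]:
            host = normalize_host(token)
            if is_watched(host):
                findings.append((line_no, str(addr), host, token.lower() != host))
    return findings


# Constructed sample; a real file lives at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """# constructed sample, not a real infected hosts file
127.0.0.1       localhost
127.0.0.1 update.microsoft.com
127.0.0.1 http://www.avast.com/download/
0.0.0.0 liveupdate.symantec.com
192.168.1.10 intranet.example.com
"""
```

`find_sinkholed_entries(SAMPLE_HOSTS)` reports lines 3 to 5 and marks the avast entry as malformed because of its scheme and path.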
 #8772  by dcmorton
 Tue Sep 27, 2011 10:02 am
Anyone know about a new variant of this out that infects "\windows\system32\svchost.exe" along with explorer.exe and winlogon.exe/wininit.exe? I ran into a couple of customer machines yesterday that had all three of these infected, and the various svchost processes were spawning hidden iexplorer.exe windows to various search sites.

VT Links to the explorer.exe and svchost.exe files I pulled off one machine:
explorer.exe: http://www.virustotal.com/file-scan/rep ... 1317068628
svchost.exe : http://www.virustotal.com/file-scan/rep ... 1316462058

A dropper would be much appreciated
 #8793  by EP_X0FF
 Wed Sep 28, 2011 9:00 am
If this Bamital version uses a similar approach to load itself, then we can try to extract the actual malware payload from the infected machine. So an infected file is required to proceed.
 #8797  by dcmorton
 Wed Sep 28, 2011 10:10 am
Here's the infected explorer.exe and svchost.exe in the referenced VT scans. I'll work on tracking down an infected winlogon.exe/wininit.exe as well.
password: malware