[gjf]

Looks like another x64 rootkit appeared.
Information from kaspersky Lab (sorry for Russian - English version will follow). So all credits to them.

Dropper/payload

[EP_X0FF]

Hello,

thanks for sample.

I would not call it innovative or comparable with TDL4. Probably next one innovation will be GUI hacks to bypass UAC. And looks like this blacklist works not like expected - for example on my machines it blocked from loading ALL drivers (Process Explorer, WinObj, any other tool with driver on board). However this can be easily bypassed and this rootkit wipes out without any problem.

[Blitskrieg]

English version of the article - http://www.securelist.com/en/blog/473/A ... _for_MacOS

[EP_X0FF]

Additionally attached to forum.

[rough_spear]

Hi All,
Fake AV Advanced PC Shield 2012 With necurs rootkit.This rootkit declares it's driver of "BOOT BUS EXTENDER" driver group which has precedence over antivirus fsfilter driver group. Necurs's driver installation style reminds me of famous Bubnix rootkit.

This time i dont have web link. :cry:

6f4c.exe
File size - 292 KB
VT link - http://www.virustotal.com/file-scan/rep ... 1317313161

MD5 : 09e2a15e9ed0a3e165d9ead2faa61d8a
SHA1 : 3210d561767f03934bbd51d92de1b361859ddfeb
SHA256: 64d31dd3816763464d5ad5b73c7084741acce53fab89ed4dcdc40b9bb84d7081
ssdeep: 6144:eFG2DDfc/vtDqH/uL2/ytzSwF18VoiNsGwes:yHOtefuL2szDypG1e

147.sys
File Size - 35 KB.
VT link - http://www.virustotal.com/file-scan/rep ... 1317306213

MD5 : ec44ddcec6418a6bcd83b02ae38f1b09
SHA1 : 051e02c4fb169e2a6dd529ade0d44dc4d0857f5e
SHA256: cc6d4a41c78d21c492ed8bacbb08a2db9f8881ca212c13e03dc6bbea006e93d1
ssdeep: 384:ceKpRkFXO3adQ8wqRJ7R6HdZsEtXvybFs0dnfmSpt/WVSD5cjU2vmZNO5DqiXVWv:cVszpAdpXvOBVfmMrATbpNXEb//4qbB

Advanced PC Shield 2012-1.jpg (106.48 KiB) Viewed 2393 times

Advanced PC Shield 2012-2.jpg (125.3 KiB) Viewed 2393 times

Regards,


rough_spear. ;)

[Striker]

Hi All,
Fake AV Advanced PC Shield 2012 With necurs rootkit.This rootkit declares it's driver of "BOOT BUS EXTENDER" driver group which has precedence over antivirus fsfilter driver group. Necurs's driver installation style reminds me of famous Bubnix rootkit.

damn rootkit, i don't know how to fix that..

dropped@ C:\Documents and Settings\USER\Local Settings\Temp\Application data

register window:

[Striker]

@Xylitol

how do you solved it? @ Advanced PC Shield 2012

[Xylitol]

just unpack/debug it :| nothing special.
http://xylibox.blogspot.com/2011/09/adv ... -2012.html

[Striker]

I mean the rootkit. 51126187ddf6104c.exe

[EP_X0FF]

I mean the rootkit. 51126187ddf6104c.exe

The rootkit you mention uses blacklisting of AV and 3rd party software drivers like for example Process Hacker and blocks their loading with help of CmRegistry/LoadImageNotify callbacks from it's own driver. This blacklisting can be bypased by configuring AM driver to boot earlier than rootkit driver (for example).

This is Necurs.A (NtSecureSys \Device\NtSecureSys)

lkd> !devobj \Device\NtSecureSys
Device object (8245fd78) is for:
NtSecureSys \Driver\4c0229575e3961cb DriverObject 825e5490
Current Irp 00000000 RefCount 0 Type 00000022 Flags 00000040
Dacl e12d9d74 DevExt 00000000 DevObjExt 8245fe30
ExtensionFlags (0000000000)
Device queue is not busy.

lkd> dt nt!_DEVICE_OBJECT 0x8245FD78
+0x000 Type : 0n3
+0x002 Size : 0xb8
+0x004 ReferenceCount : 0n0
+0x008 DriverObject : 0x825e5490 _DRIVER_OBJECT
+0x00c NextDevice : (null)
+0x010 AttachedDevice : (null)
+0x014 CurrentIrp : (null)
+0x018 Timer : (null)
+0x01c Flags : 0x40
+0x020 Characteristics : 0
+0x024 Vpb : (null)
+0x028 DeviceExtension : (null)
+0x02c DeviceType : 0x22
+0x030 StackSize : 1 ''
+0x034 Queue : __unnamed
+0x05c AlignmentRequirement : 0
+0x060 DeviceQueue : _KDEVICE_QUEUE
+0x074 Dpc : _KDPC
+0x094 ActiveThreadCount : 0
+0x098 SecurityDescriptor : 0xe12d9d60 Void
+0x09c DeviceLock : _KEVENT
+0x0ac SectorSize : 0
+0x0ae Spare1 : 0
+0x0b0 DeviceObjectExtension : 0x8245fe30 _DEVOBJ_EXTENSION
+0x0b4 Reserved : (null)

lkd> dt nt!_DRIVER_OBJECT 0x825e5490
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : 0x82542d60 _DEVICE_OBJECT
+0x008 Flags : 0x12
+0x00c DriverStart : 0xf338c000 Void
+0x010 DriverSize : 0xd000
+0x014 DriverSection : 0x826d8118 Void
+0x018 DriverExtension : 0x825e5538 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\Driver\4c0229575e3961cb"
+0x024 HardwareDatabase : 0x8068fa90 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : 0xf3395330 _FAST_IO_DISPATCH
+0x02c DriverInit : 0xf338f917 long +0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : [28] 0xf338f877 long +0

Registry database snapshot.



Blacklist + some additional stuff for Vista/7

kprocesshacker.sys Vba32dNT.sys v3engine.sys AntiyFW.sys AhnRec2k.sys ahnflt2k.sys KmxStart.sys KmxAMVet.sys KmxAMRT.sys KmxAgent.sys ssfmonm.sys rvsmon.sys lbd.sys klif.sys kldtool.sys kldlinf.sys kldback.sys klbg.sys avgntflt.sys MiniIcpt.sys PktIcpt.sys HookCentre.sys aswmonflt.sys AVC3.sys bdfm.sys bdfsfltr.sys AVCKF.sys issfltr.sys nvcmflt.sys K7Sentry.sys cmdguard.sys mfehidk.sys mfencoas.sys kmkuflt.sys catflt.sys ggc.sys PZDrvXP.sys antispyfilter.sys ZxFsFilt.sys ikfilesec.sys PCTCore.sys PCTCore64.sys fsgk.sys vradfil2.sys savant.sys sascan.sys strapvista64.sys strapvista.sys ssvhook.sys snscore.sys HookSys.sys Rtw.sys cwdriver.sys fpav_rtp.sys fsfilter.sys fildds.sys SCFltr.sys UFDFilter.sys STKrnl64.sys Spiderg3.sys dwprot.sys EstRkr.sys EstRkmon.sys pwipf6.sys OADevice.sys savonaccess.sys fortishield.sys fortirmon.sys fortimon2.sys avgmfrs.sys avgmfi64.sys avgmfx64.sys avgmfx86.sys pervac.sys THFilter.sys issregistry.sys nregsec.sys nprosec.sys shldflt.sys NanoAVMF.sys AntiLeakFilter.sys NxFsMon.sys vchle.sys vcreg.sys vcdriv.sys V3Flu2k.sys OMFltLh.sys AszFltNt.sys AhnRghLh.sys ArfMonNt.sys V3IftmNt.sys V3Ift2k.sys V3MifiNt.sys V3Flt2k.sys ATamptNt.sys SMDrvNt.sys tkfsavxp64.sys tkfsavxp.sys tkfsft64.sys tkfsft.sys BdFileSpy.sys NovaShield.sys eeyehv64.sys eeyehv.sys SegF.sys csaav.sys AshAvScan.sys PLGFltr.sys avmf.sys ino_fltr.sys caavFltr.sys amm6460.sys amm8660.sys amfsm.sys PSINFILE.sys PSINPROC.sys mpFilter.sys drivesentryfilterdriver2lite.sys vcMFilter.sys tmpreflt.sys tmevtmgr.sys SDActMon.sys MaxProtector.sys eamonm.sys mbam.sys a2acc64.sys a2acc.sys a2gffi64.sys a2gffx64.sys a2gffx86.sys SRTSP64.sys SRTSPIT.sys SRTSP.sys eraser.sys eeCtrl.sys ZwFlushBuffersFile \??\NtSecureSys \Device\NtSecureSys \Device\Tcp PAGE BootBus Extender Group \SystemRoot\System32\Drivers\ImagePath Tag Start Type Error Control DisplayName \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services%s \Services\%S ControlSet\REGISTRY\MACHINE\SYSTEM\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\%S \SystemRoot\System32\Drivers\%S.sys %x%xservices.exe DB1 lsass.exe svchost.exe 20101 ObRegisterCallbacks \SystemRoot \\??\\SystemRoot\System32\Drivers\%s.sys System32\* DB2 DB0 \SystemRoot\System32\winload.exe \bootmgr\boot.ini \ntldr \SystemRoot\System32\*.dll \SystemRoot\System32\ntdll.dll win32k.sys

Posts moved