A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6384  by EP_X0FF
 Wed May 18, 2011 7:12 am
markusg wrote: Adobe_Flash_Player.exe
http://www.virustotal.com/file-scan/rep ... 1305630154
MaxSS TDL3 mod. Infinite loop of blue screens after installation - TDL3 mod brand behavior.

Attached is the raw binary data (freed from the initial crypter); you can extract all components (driver, payload DLLs, loader) from it,
or if you are lazy, try the DM_92017-0-1754A archive.

Posts moved.
Attachments
pass: malware
(39.43 KiB) Downloaded 110 times
pass: malware
(94.67 KiB) Downloaded 107 times
 #6682  by swirl
 Sat Jun 04, 2011 11:06 pm
HTTP/DNS redirector

- NDIS hooking
- filesystem IRP hooking

gspfx.sys
SHA1: 0f9f0935d0db58983014b1d263687d2e11556a59
VT 16/38: http://www.virustotal.com/file-scan/rep ... 1307209741

unpacked.sys
SHA1: ce011ef8b18e5b10d15f800ea784d339f4286616
VT 0/43: http://www.virustotal.com/file-scan/rep ... 1307212748

configuration:
[redirected_dns]
-affiliate=44;
-host=89.248.168.188;
[redirected_domains]
-www.google.com.=74.125.87.99;
-google.com.=74.125.87.103;
-google.com.au.=74.125.87.104;
-www.google.com.au.=74.125.87.147;
-google.be.=74.125.87.148;
-www.google.be.=74.125.87.148;
-google.com.br.=74.125.87.109;
-www.google.com.br.=74.125.87.150;
-google.ca.=74.125.87.152;
-www.google.ca.=74.125.87.153;
-google.ch.=74.125.87.155;
-www.google.ch.=74.125.87.158;
-google.de.=74.125.87.160;
-www.google.de.=74.125.87.161;
-google.dk.=74.125.87.123;
-www.google.dk.=74.125.87.160;
-google.fr.=74.125.87.154;
-www.google.fr.=74.125.87.134;
-google.ie.=74.125.87.170;
-www.google.ie.=74.125.87.177;
-google.it.=74.125.87.173;
-www.google.it.=74.125.87.147;
-google.co.jp.=74.125.87.103;
-www.google.co.jp.=74.125.87.147;
-google.nl.=74.125.87.103;
-www.google.nl.=74.125.87.147;
-google.no.=74.125.87.103;
-www.google.no.=74.125.87.147;
-google.co.nz.=74.125.87.103;
-www.google.co.nz.=74.125.87.147;
-google.pl.=74.125.87.103;
-www.google.pl.=74.125.87.147;
-google.se.=74.125.87.103;
-www.google.se.=74.125.87.147;
-google.co.uk.=74.125.87.103;
-www.google.co.uk.=74.125.87.147;
-google.co.za.=74.125.87.103;
-www.google.co.za.=74.125.87.147;
-www.google-analytics.com.=74.125.87.101;
-www.bing.com.=92.123.68.97;
-search.yahoo.com.=72.30.186.249;
-www.search.yahoo.com.=72.30.186.249;
-uk.search.yahoo.com.=87.248.112.8;
-ca.search.yahoo.com.=87.248.112.8;
-de.search.yahoo.com.=87.248.112.8;
-fr.search.yahoo.com.=87.248.112.8;
-au.search.yahoo.com.=87.248.112.8;

strings:
\SystemRoot\system32\drivers\
*.sys
\systemroot\system32\drivers\etc\hosts
\BaseNamedObjects
{B35867ED-8377-44d9-9EAB-973E99447B37}
\systemRoot\system32\drivers\cntnr0.sys
\systemRoot
%s\%s
\SystemRoot
C:\WINDDK\7600.16385.0\inc\ddk\wdm.h
Irp->CurrentLocation <= Irp->StackCount + 1
redirected_dns
host
redirected_domains
.config
Windows
Opera
AppleWebKit
.NET CLR
Gecko
Trident/4.0
compatible
Mozilla
Safari
?Ff
Firefo
Firefox
Presto
?FWP
FunWebProducts
?AOB
America Online Browser 1.1
?O962
Opera/9.62
?O963
Opera/9.63
?O964
Opera/9.64
?P2
Presto/2.1.1
?P22
Presto/2.2.15 Version/10.00
?W6
Windows NT 6.0
?W61
Windows NT 6.1
?W5
Windows NT 5.1
?W50
Windows NT 5.0
?W5U
Windows NT 5.1; U
?W5Ur
Windows NT 5.1; U; ru
W5Ud
Windows NT 5.1; U; de
?W5Ue
Windows NT 5.1; U; en
?I6
MSIE 6.0
?I7
MSIE 7.0
?I8
MSIE 8.0
?M5
Mozilla/5.0
?M4
Mozilla/4.0
?cI6W5
compatible; MSIE 6.0; Windows NT 5.1
?cI7W5
compatible; MSIE 7.0; Windows NT 5.1
?cI8W5
compatible; MSIE 8.0; Windows NT 5.1
?cI6W50
compatible; MSIE 6.0; Windows NT 5.0
?cI7W50
compatible; MSIE 7.0; Windows NT 5.0
?cI8W50
compatible; MSIE 8.0; Windows NT 5.0
?cI6W6
compatible; MSIE 6.0; Windows NT 6.0
?cI7W6
compatible; MSIE 7.0; Windows NT 6.0
?cI8W6
compatible; MSIE 8.0; Windows NT 6.0
?WUW61
Windows; U; Windows NT 6.1;
?WUW6
Windows; U; Windows NT 6.0;
?WUW5
Windows; U; Windows NT 5.1;
?WUW50
Windows; U; Windows NT 5.0;
?WUW61e
Windows; U; Windows NT 6.1; en-US;
?WUW6e
Windows; U; Windows NT 6.0; en-US;
?WUW50e
Windows; U; Windows NT 5.0; en-US;
?WUW5e
Windows; U; Windows NT 5.1; en-US;
affiliate
User-Agent:
%.08X%.08X%.08X%.08X
%.05d%s
%.05d
Attachments
pw: infected
(46.49 KiB) Downloaded 88 times
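The configuration block posted above has a simple layout: a section name in brackets followed by "-key=value;" entries, with DNS names written as absolute FQDNs (trailing dot). The following is an added example, not code from the post or from the analysed driver, that parses that layout, normalises the names, and uses the resulting name-to-IP table to flag resolver log lines whose answer matches the driver's substitution. The SAMPLE_CONFIG excerpt is copied from the post; the resolver log lines and their format are constructed for the example.

```python
import re
from typing import Dict, List

# Excerpt of the configuration posted above (same layout, fewer entries).
SAMPLE_CONFIG = """\
[redirected_dns]
-affiliate=44;
-host=89.248.168.188;
[redirected_domains]
-www.google.com.=74.125.87.99;
-google.com.=74.125.87.103;
-www.bing.com.=92.123.68.97;
-search.yahoo.com.=72.30.186.249;
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
ENTRY_RE = re.compile(r"^-(?P<key>[^=]+)=(?P<value>[^;]*);$")


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [section] / -key=value; layout into nested dicts.

    Lines that fit neither pattern are skipped instead of aborting, since
    configs carved out of memory or an unpacked image often carry trailing junk.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key")] = m.group("value")
    return sections


def normalize_name(name: str) -> str:
    """Names in the config are absolute ('www.google.com.'); strip the trailing
    dot and lower-case so they compare equal to names seen in resolver logs."""
    return name.rstrip(".").lower()


def build_redirect_table(cfg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map normalised domain -> substituted IP from the [redirected_domains] section."""
    return {normalize_name(k): v for k, v in cfg.get("redirected_domains", {}).items()}


def is_redirected_answer(table: Dict[str, str], qname: str, answer_ip: str) -> bool:
    """True when a DNS answer for qname is exactly the IP the driver substitutes."""
    return table.get(normalize_name(qname)) == answer_ip


def to_hosts_lines(table: Dict[str, str]) -> List[str]:
    """Render the table in hosts-file syntax ('ip<TAB>name') for sharing as IOCs."""
    return [f"{ip}\t{name}" for name, ip in sorted(table.items())]


# Constructed resolver log lines (format assumed for this example):
#   "<date> <time> query <qname> A <answer_ip>"
LOG_RE = re.compile(r"^\S+ \S+ query (?P<qname>\S+) A (?P<ip>\d+\.\d+\.\d+\.\d+)$")
SAMPLE_LOG = [
    "2011-06-04 22:10:01 query www.google.com A 74.125.87.99",
    "2011-06-04 22:10:02 query www.example.com A 93.184.216.34",
    "2011-06-04 22:10:03 query search.yahoo.com. A 72.30.186.249",
]


def flag_redirected_answers(table: Dict[str, str], lines: List[str]) -> List[str]:
    """Return the query names whose logged answer matches a redirect-table entry."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_redirected_answer(table, m.group("qname"), m.group("ip")):
            hits.append(normalize_name(m.group("qname")))
    return hits


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    table = build_redirect_table(cfg)
    print("\n".join(to_hosts_lines(table)))
    print("flagged:", flag_redirected_answers(table, SAMPLE_LOG))
```

The check keys on the exact name-to-IP pair rather than on the IP alone: the substituted addresses may well be ordinary front-ends for the same services, so a bare IP match is not a useful signal, while the pair appearing on a host that also carries the driver or its [redirected_dns] host is.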
 #6707  by swirl
 Mon Jun 06, 2011 4:58 pm
it came to me without a father :cry:
 #8762  by dcmorton
 Tue Sep 27, 2011 6:42 am
A couple of samples of Trojan:Win32/Alureon.FE referenced in the article

7c2d273c453ed366e80807f678e0d633
http://www.virustotal.com/file-scan/rep ... 1315775582

db9984106cc88700c035c545c21d5aae
http://www.virustotal.com/file-scan/rep ... 1314922124
Attachments
pass: malware
(500.95 KiB) Downloaded 340 times