A forum for reverse engineering, OS internals and malware analysis 
 #11948  by Kafeine
 Sat Mar 03, 2012 8:41 pm
Thanks evild3ad for sharing this. It seems the Blackhole instances serving Sinowal are themselves hosted on Sinowal bots.
They are serving the landing page through a fast-flux DNS domain:
/index.php?tp=001e4bb7b4d7333d
/index.php?tp=16db1e9316b87590
The admin login page is adm.php (nginx reply: 403)
I am wondering if you got this kind of hosting on your node... but maybe specific conditions are required to get the BH EK installed (like accessible TCP 80).

I also noticed some strange files available on the Sinowal BH EK (some look like configuration files or a grabber).
File 29651, for instance:


... but files e0ca, 97d19, 14095 & 31359 seem not to be PE either.

I did not find a good explanation for that. Any idea, anyone?
Attachments
Data + a video grabber plugin?
(557.54 KiB) Downloaded 64 times
 #12152  by erikloman
 Fri Mar 16, 2012 6:13 am
HitmanPro 3.6 build 148 removes Sinowal.knf variant. It was tricky to get around the miniport hook and counter the watchdog.

Sinowal.knf was served by the Nuclear Exploit Pack from India through the Dutch NU.nl news site on March 14, 2012 from 11:30 till 13:30.
The NU.nl website is Holland's #6 website in terms of unique visits.

Potentially 100.000+ visitors of NU.nl got infected:
http://www.waarschuwingsdienst.nl/Risic ... lware.html
http://www.volkskrant.nl/vk/nl/2694/Int ... ware.dhtml
http://www.telegraaf.nl/digitaal/117235 ... .nl__.html
 #12185  by rkhunter
 Sat Mar 17, 2012 7:38 am
The SmokeLoader distributed a component known as ‘miniloader’, which downloads the installer component from the Sinowal installer server. On Windows 2000 and Windows XP it will install the MBR bootkit, which is used since the end of 2007 as the method of startup, which is also commonly referred to as Mebroot. ...On Windows Vista and Seven systems the threat would install a userland component but we have not verified this during the nu.nl compromise.
As I understand it, it does not infect the MBR on Vista+.
 #12197  by Kafeine
 Sat Mar 17, 2012 12:31 pm
Attached: 36 files found on the BH EK volhoparatel.info.

There are some non-PE files (as explained before) and many packed Sinowal samples.
Attachments
(2.48 MiB) Downloaded 76 times
 #12218  by Tanaisius
 Mon Mar 19, 2012 11:42 am
Hello,

Did anyone notice strange code in recent Mebroot samples? Look at the attached screenshots.
It works in kernel mode and does some manipulation of PCI configuration registers and other I/O ports; any clues what it could be?
Attachments
2.png (24.43 KiB)
1.png (12.23 KiB)
 #12273  by bytejammer
 Thu Mar 22, 2012 10:23 pm
I've been investigating Sinowal.knf recently and stumbled across its watchdog, which uses a clever trick to re-infect the MBR when it is being cleaned. The watchdog is able to re-infect by performing I/O without calling the miniport's SCSI dispatch. How does the watchdog do this? I'm guessing it's copying N instructions of the original SCSI dispatch function (like IdePortDispatch) and jumping N instructions ahead in the original code. But maybe I'm wrong. Does someone have a clue how Sinowal.knf is re-infecting?
 #12321  by Kafeine
 Sat Mar 24, 2012 6:14 pm
One more "raw" extraction of a Blackhole Exploit Kit deploying Sinowal.
vafernatre.in - on ip 216.12.221.139 at the time of extraction.
Attachments
Pass: infected - 52 items. Some are not PE files.
(3.89 MiB) Downloaded 81 times
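Several posts in this thread (Kafeine's dumps of the BH EK file sets, and the "some not PE files" remark above) hinge on a first triage question: which of the dumped files are PE executables at all, and which are something else (configuration data, grabber rules, truncated downloads)? The script below is an added example, not code posted by anyone in the thread. It checks the DOS header and the `e_lfanew`-referenced `PE\0\0` signature rather than trusting a file name, and records a SHA-256 for each item so a set can be compared across dumps. The file names and byte contents in `SAMPLES` are constructed stand-ins for the dumped files, not the real Sinowal samples.

```python
"""Triage dumped exploit-kit files: PE or not?

Added example; it is not code from the thread or from any poster. The
sample names and byte contents below are constructed stand-ins for the
dumped files mentioned in the thread, not the real Sinowal samples.
"""
import hashlib
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def is_pe(data: bytes) -> bool:
    """True when data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + len(PE_MAGIC) > len(data):
        return False  # offset points past the end: truncated or bogus header
    return data[e_lfanew:e_lfanew + len(PE_MAGIC)] == PE_MAGIC


def looks_textual(data: bytes) -> bool:
    """Printable ASCII plus tab/CR/LF only: typical of config or grabber rule files."""
    return len(data) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def classify(name: str, data: bytes) -> dict:
    """Return a small triage record: type guess, size and SHA-256."""
    if is_pe(data):
        kind = "PE"
    elif data[:2] == MZ_MAGIC:
        kind = "MZ-only"  # DOS stub without a PE header: truncated or not a PE at all
    elif looks_textual(data):
        kind = "text"
    else:
        kind = "unknown binary"
    return {"name": name, "kind": kind, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_minimal_pe() -> bytes:
    """Constructed 0x44-byte blob: DOS header with e_lfanew=0x40, then the PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_MAGIC


# Constructed samples standing in for the dumped files; names only mirror the thread's style.
SAMPLES = {
    "packed.exe": build_minimal_pe(),
    "29651": b"[grabber]\r\nmask=*login*\r\nmask=*bank*\r\n",
    "e0ca": bytes([0x00, 0x0B, 0x3F, 0xA7, 0xFF, 0x10, 0x80, 0x01]) * 16,
    "stub": b"MZ" + b"\0" * 0x3E,  # MZ magic, e_lfanew=0 -> does not point at 'PE\0\0'
}


def triage(samples: dict) -> list:
    """Classify every (name, bytes) pair; order follows the input dict."""
    return [classify(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for rec in triage(SAMPLES):
        print(f"{rec['name']:12} {rec['kind']:15} {rec['size']:6d}  {rec['sha256'][:16]}...")
```

On a real dump you would replace `SAMPLES` with the directory contents; the `MZ-only` bucket is worth a second look, since a download cut short by the kit or the proxy looks exactly like that, and the `text` bucket is where configuration or grabber rule files such as the ones discussed above would land.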