A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1748  by Every1is=
 Tue Aug 03, 2010 10:21 pm
Hi everyone,

Noob here... ;)

http://www.megafileupload.com/en/file/2 ... e-zip.html

Hope that is allowed. I ran GMER on my system and found iexplore.exe running on it as a hidden process. I believe this is the version that got infected. Will try again tomorrow with a fresh copy and will see if the result is the same. I am 99% sure it will be. Only "but" is that I was (am) very tired and might have ffed up in the copying last week... ;)

Anyway, I found hidden iexplore.exe processes on my system (multiple) and when I took a good look at the .exe the IE icon was gone from this one, while other copies still have the icon shown even as a standalone exe (I assume its embedded within). The size on disk for both is shown as 624kb but differ a tiny bit when compared closely. When uploaded to jotti the results are:

http://virusscan.jotti.org/en/scanresul ... a035a41598
That one is an iexplore.exe file which is 624kb on disk BUT has its embedded IE icon missing when shown in explorer (the iexplore.exe that is infected presumably)

http://virusscan.jotti.org/en/scanresul ... ed8fc06a6a
And that one is ALSO 624kb on disk BUT has its IE icon like it should.

When I run AVZ I get a ridiculous amount of fake processes which have no name. No security software is installed ATM on that system. It was running Spybot S&D and MSE and SAS (bought and paid for so resident protection). It passed them all. Spybot S&D was not resident... so does not count I guess. Vista 32bit.

Only reason I found out is because I heard an incredibly stupid "farm" tune (as in.... hmz... a commercial for farmville or some rip-off) while listening to a podcast. I thought someone at the PC was messing around so after a basic running process check I thought all was ok. Later on I noticed the stupid song again. Ran gmer: hidden IE processes. When I try to end them they just pop up again and again, even more then before. Also, but I need to recreate and write down, a "GoogleUpda" process (in red) was shown all of a sudden when refreshing the process tab in rootrepeal. So maybe it also interacts with that as a fall back mechanism?

I read on this forum (TDSS topic) about attaching a debugger to a process, but I am such a noob still that it doesn't really get me anywhere, although I do find the process fascinating, so I am reading up and trying out stuff (I am no programmer, I could not focus when I was younger and did some basic and pascal, and regret not going upwards to c or assembler by now. Have regreted it on multiple occasions by now, so I think I'll at least try and stick with a bit of fooling around with a debugger).

Apart from the hiddenie process, what makes me focus on this file is the missing icon, its filesize and the fact that it is not even recognized as a valid win32 executable anymore. Which, to my unexperienced mind, can only mean three things: the file got corrupted during the copying of it, which seems highly unlikely since I only moved it from dir to dir (I did this on reboot, in hopes of crippling the infection, which worked cause now I CAN run OTL and GMER and Rootrepeal and AVZ without the system rebooting, when iexplore.exe is in place I cannot, the screen corrupts for a short second and then the system reboots). Or the file is 600 and a bit of IE code and a small bit of redirection code somehow? Or the whole file is just 624kb of virus which also behaves as a true IE since I could run IE normally as far as I could tell.

The download link for the infected or defective IE file is in this post, tomorrow I will put a clean copy back on the system and see what happens to it. Then I will post that one and the clean copy also. If any of could take a look at it... I am very curious, but seem (not yet) be able to. I was not able to make anything strange up out of dumping the text strings in the file.

Whichever virusscanner I try (MBAM, ESET, BD, SAS, MSSE, AVZ, TDSS scanners etc) on my system, nothing comes up. I have ran OTL and the problem is still there. And although no hidden IE process is shown in GMER (processID could be found in PXplorer but came up empty/error on the process itself) AVZ DOES show a whole buckload of hidden/false "noname" -> "" processes. I'll post a log when I wake up.

If anyone knows what is going on, maybe this is a new infection of some kind.... Although I do not know how it has entered the system. Possibly via java since I was not totally up to date on that one. I'd appreciate it if some of you would take a look. I mean... reinstalling the system is easy enough and by far much quicker than the time that has gone into this already. But this is more of a challenge, more interesting. But I appear not to be able to do this myself yet.

Thanks and best regards,

Every1is=

edit: scanning was also done via linux live cd's and via sata2usb adapter and ran under windows as an external drive, indepth. I am truly at a loss. It must be getting or giving or redirecting some calls somehow, right?
 #1751  by EP_X0FF
 Wed Aug 04, 2010 2:56 am
Hello,

The file you uploaded has damaged executable structure (several bytes overwritten).

After recovering this appears to be Internet Explorer 8 executable (with valid digital signature), v8.00.6001.18928 (longhorn_ie8_gdr.100503-1700)
Rescanned VT result: http://www.virustotal.com/analisis/44b8 ... 1280890394
Such behavior could be a sign of malware infection because structure was damaged in very specific places.

Please post logs from antirootkits (GMER, RootRepeal, RkUnhooker).

Regards.

recovered file attached (no pass)
Attachments
(242.76 KiB) Downloaded 48 times
 #1755  by Every1is=
 Wed Aug 04, 2010 9:13 am
Thanks for the replies guys! Super :D
@ VT I see that slowly more and more engines are recognizing it as... whatever it may be. Will update SAS on my system and see if it detects it now. However, I will make logs and post. I have gone over them multiple times (there is hooked dll by andreas verhoeve in my system which I do trust, he writes several tools for windows customization) but am curious to hear if anyone can spot something obvious I have missed in the logs. Thanks for the offer. I might be missing something. Maybe especially since I seem to have crippled it by removing iexplore.exe.
Have to hurry to a customer now, should have been there 12 minutues ago. Check bck l8r.

Thanks!!

EDIT: AVZ is running at max settings, will take a day. Updates made system reboot while I was gone, dumb mistake from me. Will run OTL and GMER/RootRepeal later on and post those asap. In light of completeness, would it be wise to leave the system the way it is (without IE in its expected location) or put IE executable back in its location and reboot, run scans?
 #1758  by SecConnex
 Wed Aug 04, 2010 6:04 pm
Just to make a quick comment...it sounds somewhat like the Black Internet Bootkit.
 #1761  by Every1is=
 Wed Aug 04, 2010 6:41 pm
Mkay... This is weird. The AVZ scan completed and the log is attached.
The scan(s) from tools like rootrepeal work partially, then the system crashes.
So I tried RootkitUnhooker LE, since I think rootrepeal crashed on the files section (I must correct myself: the tool hung, the system didn't crash). I scanned the system, except the files so I could post the report here, see attachments. The files scan is running ATM and will post it as soon as it is done. I have some older OTL logs, from before I ran the script below and I have some logs from after that time.
This is the script I ran (I know there are traces of OLD infections inhere that I removed so it is difficult to determine what's what, but I thought I should include this for "completeness" (what is the correct english term for that? ;) )
Code: Select all
:Services
SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\NVNJ.exe -- (NVNJ) 
SRV - File not found [On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\FFAIVHOLLCTFAG.exe -- (FFAIVHOLLCTFAG) 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rootrepeal.sys -- (rootrepeal) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\A5CF.tmp -- (MEMSWEEP2) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\DRIVERS\inspect.sys -- (Inspect) 
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\hitmanpro3.sys -- (hitmanpro3) 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys -- (catchme) 
DRV - [2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rk_remover.sys -- (rk_remover-boot) 
DRV - [2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\klmd.sys -- (klmd24) 
:OTL
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.) 
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found 
O32 - AutoRun File - [2006-09-18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] 
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found 
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found 
[2010-07-28 23:06:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe  
[2010-07-28 23:06:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe 
[2010-07-28 23:06:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] 
[3 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ] 
[2010-07-31 01:03:57 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat 
[2010-07-30 23:44:56 | 000,052,736 | ---- | M] (eSage Lab) -- C:\Windows\System32\drivers\rk_remover.sys
[2010-07-30 22:50:28 | 000,433,515 | ---- | M] () -- D:\Admin moved items\Desktop\catchme.zip
[2010-07-30 20:26:50 | 000,069,456 | ---- | M] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmd.sys
[2010-07-29 13:06:40 | 000,000,022 | ---- | M] () -- C:\Windows\S.dirmngr 
[2010-07-28 23:00:51 | 000,001,356 | ---- | M] () -- C:\Users\Administrator\AppData\Local\d3d9caps.dat 
[2010-07-12 16:32:41 | 000,001,782 | ---- | M] () -- C:\Users\Public\Desktop\Kleopatra.lnk 
[2010-07-12 16:32:41 | 000,000,892 | ---- | M] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-30 22:50:28 | 000,433,515 | ---- | C] () -- D:\Admin moved items\Desktop\catchme.zip 
[2010-07-29 14:46:05 | 000,093,056 | ---- | C] () -- D:\Admin moved items\Desktop\dumped.sys
[2010-07-28 23:06:03 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010-07-28 23:06:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010-07-28 23:06:03 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010-07-28 23:06:03 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010-07-28 23:06:03 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe 
[2010-07-12 16:32:41 | 000,001,782 | ---- | C] () -- C:\Users\Public\Desktop\Kleopatra.lnk
[2010-07-12 16:32:41 | 000,000,892 | ---- | C] () -- C:\Users\Public\Desktop\GPA.lnk
[2010-07-11 18:39:24 | 000,001,024 | ---- | C] () -- C:\.rnd
[2009-12-27 21:55:33 | 000,122,880 | ---- | C] () -- C:\Windows\System32\trc.dll 
[2009-12-27 21:55:14 | 000,118,784 | ---- | C] () -- C:\Windows\System32\mp3dec.dll 
[2009-12-27 21:55:14 | 000,081,920 | ---- | C] () -- C:\Windows\System32\dsp_trc.dll
[2009-12-27 21:55:14 | 000,005,120 | ---- | C] () -- C:\Windows\System32\IcdSptSvps.dll
[2008-10-04 14:20:44 | 000,188,416 | ---- | C] () -- C:\Windows\System32\intelbth.dll
[2008-10-04 14:20:44 | 000,065,536 | ---- | C] () -- C:\Windows\System32\ICE_JNIRegistry.dll
[2008-08-03 14:43:17 | 000,024,944 | ---- | C] () -- C:\Windows\System32\drivers\GVTDrv.sys
@Alternate Data Stream - 85 bytes -> D:\Admin moved items\Desktop\320excalibur20silver [].jpg:VsoSummaryInformation
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158305b34e]
"0015a8996ce9"=hex:0c,82,8e,e9,2f,63,d2,05,78,12,f3,b4,4b,16,b3,d7
"000d18a0084f"=hex:fd,18,70,9a,fa,3e,ea,e7,4e,16,43,ad,6d,28,4f,98
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158305b34e]
"0015a8996ce9"=hex:0c,82,8e,e9,2f,63,d2,05,78,12,f3,b4,4b,16,b3,d7
"000d18a0084f"=hex:fd,18,70,9a,fa,3e,ea,e7,4e,16,43,ad,6d,28,4f,98
:Commands
[EMPTYTEMP]
[EMPTYFLASH]
[purity]
[resethosts] 
[CreateRestorePoint]
[Reboot]
The registry keys are KEY here I think :) they are still there and came up in a CATCHME.exe run, are locked and will not be removed. Not on boot, etc.

I still have not yet replaced the IE file in its original place, I think I might need to do so, so it can do its thing fully right? That might have influence (no... will have influence) on the logs I presume. So that is also coming up. But I think you wizards might already be able to point some stuff out. And of course, any file requested will be send to you. Just please don't ask for the private vids of my girlfriend :lol:

As I understand it some of you are responsible for creating rootrepeal? My deepest respect for that. I wish I had your brains and ability to focus. Me? I stopped programming after basic and a bit of pascal in the old days and regret it. Someone I admire very much and is probably at the level you guys are on, told me that "it is never too late to start". And... well, the swf file in the TDL3 thread got me interested in the debugging bit, so any pointers to some good basic tutorials are very welcome. I'd really like to be able to contribute instead of just asking questions. Even in the form of donating. I think that is well earned for these activities and helping others.
Which brings me to another question which I hope someone is willing to help me with: reading the OTL logs is no problem for me, mostly. Some registry stuff might be though, but that can be overcome quite easily when I encounter it. However, when I saw the output of the RootkitUnhooker LE program, I saw quite a lot I do not understand. Is there any tutorial or reading you can recommend to me so I can get to grips with it more easily? See connections I am not aware of yet?

Thanks a bunch! And if there is anything I need to do/change in order to get the logs you need, please say so and I will do it.

Edit: also, as far as I know, GMER does not show hidden running processes ATM, since IE is not in its place. When I put it there, I think it will pick up on the hidden processes again. I am curious though, to what the AVZ log is showing in regards to all the hidden processes running: "" (they have no name and mask as something else, I am assuming it is not AVZ related)

I will take a look at what the Black Internet Bootkit is. Sorry for my noobness.
Attachments
Inside, report.txt and avz_log.txt are of today
(1.1 MiB) Downloaded 36 times
 #1762  by Every1is=
 Wed Aug 04, 2010 7:04 pm
DragonMaster Jay wrote:Just to make a quick comment...it sounds somewhat like the Black Internet Bootkit.
Oooohhh... YES!! It definately does!! Especially when I read just a moment ago that it connects to verticalhorizonads.com.

I say this because the stupid farm song I heard sounded like a advertisement. I think it might have been on a series of pages with ads that are rotating somehow, since it replayed that tune at pretty steady intervals that evening. The next day, nothing was played.

At that moment I thought: hey, it is running IE hidden, it is running different, or at least changing, pages (I suspected) and I had read an article by Dancho Danchev from ZDnet some weeks ago about the k00bfacegang using "fake ad click" stuff in their malware, I believe. (don't shoot me for getting it wrong, it has been a couple of weeks already) So that got me into that frame of mind. And now you telling me this, and reading what the BIB is... yep. I'd have to say yes.

Although, I ran MBRcheck.exe not even an hour ago, but it hung. That might be because of some Guard driver that was loaded by AVZ, so if the files scan of RootkitUnhookerLE is done, I will remove that, reboot, recheck. Also I will install Eset smart security if possible, restore IE and let it run its course. Eset has built in adress resolving in its firewall log, which will make it clear where IE is going to. At least... if Eset firewall detects the hidden IE process.

Or are there other tools that can display hidden "connections" to IP adresses? (a tool that shows hidden TCP connections instead of hidden processes maybe?)
 #1763  by SecConnex
 Wed Aug 04, 2010 7:07 pm
If MBRCheck hangs, do this:

Download Bootkit Remover to your Desktop.
  • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press Enter
  • Open a Notepad and press CTRL V
  • Post the output back here.
 #1764  by Every1is=
 Wed Aug 04, 2010 8:13 pm
Its a bit messy, but I have attached the file. And yes, it does say it sees unknown boot code.
I have disabled AVZ guard drivers and can run the mbrcheck utility.
Just write new MBR correct? Then reboot, rescan?
Or remover.exe fix \\.PhysicalDrive0 ?
Attachments
(52.35 KiB) Downloaded 36 times
 #1765  by Every1is=
 Wed Aug 04, 2010 8:35 pm
Well, that was fun. I rewrote the MBR using the tool. Rebooted. No joy.
Took out original Vista disk, rewrote MBR, rebooted. Joy.
Immediately after rebooting, two devices drivers installed themselves nice and easy.
That's what I "feared" would happen, something like that at least. Ran GMER, just to check if IE was running in the background (since I had replaced it with the fresh copy) hidden. No joy. Screen corruption, system reboot :D
I should have gone into safe mode of course, and clear up after myself, but now: tadaa...
Now it is back with a vengeance.
MBR is clean though :D
Hm, its an agressive one. Won't let me run:
- RootkitUnHookerLE at all, fails at init
- GMER reboots on init
- Rootrepeal hangs on the Hidden Services scan, and hung explorer shell pretty much too. Only mouse movement was possible. (skipped the files scan, result in my mind would be clear upfront atm and the wait would be in vain)

Since MBR is clean, I am going to go to safe mode and run OTL/DDS.
In safe mode GMER ran through its init this time. And found a beautyful copy of Normandy.sys running at Systemroot\System32\Drivers with values:
ExAllocatePool
ExAllocatePoolWithTag
KeDelayExecutionThread