Winnti backdoor

#18954 by rkhunter
Tue Apr 16, 2013 9:09 am

Winnti backdoor
with a lot of hashes:
http://www.securelist.com/en/downloads/ ... 130410.pdf

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Winnti backdoor

#19015 by rkhunter
Fri Apr 19, 2013 5:37 pm

I've attached 4 Winnti 2.0 drivers, which mentioned in doc.

https://www.virustotal.com/ru/file/165a ... /analysis/
https://www.virustotal.com/ru/file/c465 ... /analysis/
https://www.virustotal.com/ru/file/c3bb ... /analysis/
https://www.virustotal.com/ru/file/2c73 ... /analysis/

Attachments

malware.zip

pass:infected
(247.86 KiB) Downloaded 123 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Winnti backdoor

#26888 by rkhunter
Tue Oct 06, 2015 11:31 am

I've attached bootkit dropper, mentioned here https://securelist.com/analysis/publica ... ot-part-1/
Haven't played with it.

MD5: 2c85404fe7d1891fd41fcee4c92ad305
SHA1: 4c3171b48d600e6337f1495142c43172d3b01770
SHA256: a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61

Attachments

winnti_bootkit_hdroot.zip

pass:infected
(222.4 KiB) Downloaded 88 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Winnti backdoor

#26889 by R136a1
Tue Oct 06, 2015 1:34 pm

This bootkit is known in certain circle as "sunx bootkit". Unfortunately, I have deleted the sample that I have found which included a pdb path. Also, I saw a similar sample that also had a pdb path which was detected as Derusbi.
Interestingly, this bootkit includes functionality that searches for the host protected area (HPA) of IBM hard disks, but I haven't looked further..

Malware Reversing
http://www.malware-reversing.com

Username

R136a1

Rank

Forum Admin

Posts

272

Joined

Wed Jul 13, 2011 4:30 pm

Location

Netherlands

Re: Winnti backdoor

#26998 by rkhunter
Sun Oct 18, 2015 6:19 am

Part 2.

https://securelist.com/analysis/publica ... ot-part-2/

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact

Re: Winnti backdoor

#27027 by D_Harry
Wed Oct 21, 2015 2:58 pm

Does someone have the sample of the 2nd type backdoor - mentioned in part 2 of the report?

MD5: 755351395AA920BC212DBF1D990809AB
SHA1: 00174fc3e98302117b4d17a5ec7eceed04e8474f
SHA256: 7a265dc00f5a5a7401c56021190bf3345d7e39eadcf49d4c36f1e63654b021db

Thanks!

Username

D_Harry

Posts

3

Joined

Mon Jun 07, 2010 7:05 pm

Re: Winnti backdoor

#27057 by rkhunter
Sun Oct 25, 2015 11:53 am

D_Harry wrote:Does someone have the sample of the 2nd type backdoor - mentioned in part 2 of the report?

MD5: 755351395AA920BC212DBF1D990809AB
SHA1: 00174fc3e98302117b4d17a5ec7eceed04e8474f
SHA256: 7a265dc00f5a5a7401c56021190bf3345d7e39eadcf49d4c36f1e63654b021db

Thanks!

In attach.

Attachments

7a265dc00f5a5a7401c56021190bf3345d7e39eadcf49d4c36f1e63654b021db.zip

pass:infected
(117.7 KiB) Downloaded 75 times

Username

rkhunter

Posts

1156

Joined

Mon Mar 15, 2010 12:51 pm

Location

Russian Federation

Contact