A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #127  by Dreg
 Sun Mar 14, 2010 9:48 pm
(Source code of malware included) This malware by pluf has a ring0 component which hooks:

1. NtOpenFile: This routine infects the .exe, except the .exes inside the Windows directory. It checks if the .exe is already infected.

2. NtEnumerateBootEntries: It returns STATUS_SUCCESS when the args are: "0xBEBE, 0xCAFE".

3. NtDebugActiveProcess: It blocks attaching to a ring3 process.

4. DbgPrint/DbgPrintEx/DbgPrintReturnControlC: It blocks debugging using DbgPrint*.

5. PsSetCreateProcessNotifyRoutine/PsSet/RemoveCreateThreadNotifyRoutine: It returns STATUS_SUCCESS, but the hook is empty. It is useful to evade software monitors like ProcMon.

Dropper and ring3 component which load the driver and other stuff; full explanation in my post:

http://www.biht.org/2009/10/understandi ... malus.html ... rmalus.asm <- src with start includes
http://vx.netlux.org/src.php?info=cermalus.zip <- The original SRC.
http://www.microsoft.com/security/porta ... 2FCermus.A <- Cermalus Analysis by Dan Kurc
http://daim.idi.ntnu.no/masteroppgaver/ ... ppgave.pdf <- More info about Cermalus.
 #176  by pluf
 Mon Mar 15, 2010 3:10 pm
LeastPrivilege wrote: What ARK tool(s) work with this infection?

Hi LeastPrivilege,

Cermalus was just a POC and the code does not include anti-anti-rootkit techniques; NtOpenFile is just modified with a simple inline hook.

You can use your favourite version of RkUnhooker to remove the hook and disable infections :)
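
The reply above describes the NtOpenFile modification as a simple inline hook that an ARK tool can remove. The following is an added example, not code from the thread, from Cermalus or from RkUnhooker, of a generic prologue check for such a hook. It assumes 32-bit x86 and only two common redirect encodings (jmp rel32 and push imm32/ret); `check_prologue`, the addresses and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { int hooked; uint32_t target; } hook_result;

/* Read a little-endian 32-bit value regardless of host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Inspect the first bytes of a 32-bit x86 function located at address va.
 * Flags a jmp rel32 or push imm32/ret whose destination lies outside
 * [mod_base, mod_base + mod_size), the image that should own the code. */
hook_result check_prologue(const uint8_t *code, size_t len, uint32_t va,
                           uint32_t mod_base, uint32_t mod_size) {
    hook_result r = {0, 0};
    size_t off = 0;
    int redirect = 0;
    if (len >= 2 && code[0] == 0x8B && code[1] == 0xFF)
        off = 2;                        /* skip "mov edi, edi" hot-patch pad */
    if (len >= off + 5 && code[off] == 0xE9) {               /* jmp rel32 */
        r.target = va + (uint32_t)off + 5 + rd32(code + off + 1);
        redirect = 1;
    } else if (len >= off + 6 && code[off] == 0x68 && code[off + 5] == 0xC3) {
        r.target = rd32(code + off + 1);                     /* push imm32; ret */
        redirect = 1;
    }
    /* Unsigned wrap makes this one comparison cover both range ends. */
    if (redirect && (uint32_t)(r.target - mod_base) >= mod_size)
        r.hooked = 1;
    return r;
}

/* Constructed sample bytes and addresses, not taken from any real system. */
#define FN_VA    0x80570000u
#define MOD_BASE 0x804D8000u
#define MOD_SIZE 0x00200000u
static const uint8_t clean[]    = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
static const uint8_t jmp_out[]  = {0xE9, 0xFB, 0x0F, 0x49, 0x78, 0x90, 0x90, 0x90};
static const uint8_t jmp_in[]   = {0xE9, 0x10, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90};
static const uint8_t push_ret[] = {0x68, 0x00, 0x10, 0xA0, 0xF8, 0xC3, 0x90, 0x90};

int main(void) {
    const uint8_t *s[] = {clean, jmp_out, jmp_in, push_ret};
    for (int i = 0; i < 4; i++) {
        hook_result r = check_prologue(s[i], 8, FN_VA, MOD_BASE, MOD_SIZE);
        printf("sample %d: hooked=%d target=0x%08X\n", i, r.hooked, (unsigned)r.target);
    }
    return 0;
}
```

A redirect that stays inside the owning image is reported as not hooked, which is why the check needs the module range and not just the opcode.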