A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19134  by EP_X0FF
 Wed May 01, 2013 10:29 am
I really like the advertisement of this lolkit, but unfortunately it is just advertising. As in fact this is compilation of 2005 year ideas inspired by TDL3 source code. Especially I like laughable attempt to detect VM's by reading BIOS data. Any true forensic environment is always randomized, and the following BIOS strings trick will only work against home-made "virus analysts".

As for this:
Can not detect anti-rootkits: GMER, RKU
epic fail. Multiple system modifications found, even crappy gmer can see it.
0xF845A1E2 Timer [ 0x823669B0 ]-->Dpc, size: 40 bytes
0xF8474EA8 Timer [ 0x8235A768 ]-->Dpc, size: 40 bytes
0xF843EBBC Page with executable code [ ETHREAD 0x82385B20 ] TID: 112, size: 1092 bytes
0xF846FF6E Page with executable code [ ETHREAD 0x823C65D8 ] TID: 8, size: 146 bytes
0x8158BA29 Page with executable code [ ETHREAD 0x817DE1F8 ] TID: 1392, size: 1495 bytes
0xF847783E Page with executable code [ ETHREAD 0x823C65D8 ] TID: 8, size: 1986 bytes
0xF845B78F Page with executable code [ ETHREAD 0x82366DA0 ] TID: 116, size: 2161 bytes
0xF8476760 Page with executable code [ ETHREAD 0x82383B20 ] TID: 128, size: 2208 bytes
0xF843F6EF Page with executable code [ ETHREAD 0x82385B20 ] TID: 112, size: 2321 bytes
0xF843968D Page with executable code [ ETHREAD 0x823C65D8 ] TID: 8, size: 2419 bytes
0xF8457481 Page with executable code [ ETHREAD 0x82383B20 ] TID: 128, size: 2943 bytes
0xF8470466 Page with executable code [ ETHREAD 0x823C65D8 ] TID: 8, size: 2970 bytes
0xF845B37F Page with executable code [ ETHREAD 0x82383B20 ] TID: 128, size: 3201 bytes
0x8158A2BD Page with executable code [ ETHREAD 0x823C5D18 ] TID: 16, size: 3395 bytes
0xF84752B8 Page with executable code [ ETHREAD 0x82385B20 ] TID: 112, size: 3400 bytes
0xF846F117 Page with executable code [ ETHREAD 0x82385B20 ] TID: 112, size: 3817 bytes
0xF84780AD Page with executable code [ ETHREAD 0x82385DA0 ] TID: 108, size: 3923 bytes
0xF8478096 Unknown thread object [ ETHREAD 0x82385DA0 ] TID: 108, size: 600 bytes
0xF846FC46 Unknown thread object [ ETHREAD 0x82385B20 ] TID: 112, size: 600 bytes
0xF845B968 Unknown thread object [ ETHREAD 0x82366DA0 ] TID: 116, size: 600 bytes
0xF845B968 Unknown thread object [ ETHREAD 0x82366B20 ] TID: 120, size: 600 bytes
0xF845B968 Unknown thread object [ ETHREAD 0x82383DA0 ] TID: 124, size: 600 bytes
0xF845B968 Unknown thread object [ ETHREAD 0x82383B20 ] TID: 128, size: 600 bytes
==============================================
>Callbacks
==============================================
Callback with handler outside any module :: 0x8158A410, Type: LoadImage

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
Who are interested in driver loader which in my case infected bthport.sys, DM_000038DD-00000000-twayx.sys, for injected code see @DllInitialize, after first "cmp" and in samples of infected system drivers, they are in attach.

https://www.virustotal.com/en/file/c6b4 ... /analysis/
https://www.virustotal.com/en/file/2e21 ... /analysis/

and this nice BSOD at the end.

Image
Attachments
pass: infected
(389.09 KiB) Downloaded 129 times
 #19137  by EP_X0FF
 Wed May 01, 2013 12:14 pm
@corehook

See first post.

Have no idea from what this quote, used in rootkit driver.
Why did he do that ? To see if he could get away with it.
ah found, http://en.wikipedia.org/wiki/Murder_of_Glenn_Kopitske. Facepalm.

avatar.sys
https://www.virustotal.com/en/file/17bb ... 367410067/

avcmd.dll
https://www.virustotal.com/en/file/4706 ... /analysis/

csrsrv.dll
https://www.virustotal.com/en/file/09fd ... /analysis/

both dlls inside rootkit driver resources. I/O filtering set at port driver level, pretty easy to find handler as it placed in section named "NONPAGE". Terminating system thread responsible for filtering result in system hung after any attempt to do something with disk :) VFS created only once (end of the disk as usual) and if VFS is zeroed - rootkit is dead and system is bootable.

Zerodays not found, x64 support in current model is impossible by design.
Attachments
pass: infected
(132.59 KiB) Downloaded 105 times
 #19139  by rinn
 Wed May 01, 2013 3:09 pm
Hi,
just out of interest, first dll mapped into csrss.exe address space, and second in svchost.exe, notice executable code page injected in both <- perfect signature btw. Both seems built from one source and difference is only in payload part. All downloader routines implemented in avcmd.dll with WinInet. Also notice several similarities in avatar.sys and old TDL3 code. And yes, every average antirootkit will detect it, well at least presence of infection, so pastebin advert is marketing BS ;)

Best Regards,
-rin
 #19144  by EP_X0FF
 Thu May 02, 2013 4:34 am
Step by step guide for detection and remediation for this TDL3 inspired lolkit.

Warning: this lolkit is very unstable. Expect random BSOD at any time. The descibed scenario was used against Avatar on both Windows XP and Windows 7 (Avatar also claim to have support for Windows 8 and inside driver has a specific "case" in switch for NT 6.2 BTW).

1. Identify presense of infection. Instead of using old splicing or IRP hooking this lolkit using memory hard hacks for port driver. Since authors of this crapware were really dumb they decided to mirror these changes to the disk at I/O filter level leaving port driver file at disk untoched.

We are asume atapi.sys as target. Usual atapi.sys section headers structure
Image

Run sigverif. It will reveal atapi.sys modification as dumb lolkit wants.

Image

Or use RKU or GMER or every other average antirootkit. They ALL will detect anomalies.

Note: you can also simple dump atapi.sys from kernel memory and look inside.

2. Download WinHex. Even trial version is enough. Run it with admin rights and open disk as physical media. Navigate to systemroot\system32\drivers and look at atapi.sys. Usual I/O will be filtered by rootkit. Copy atapi.sys somewhere and look inside. Notice mirrored from kernel memory changes -> new NONPAGE section added, injected rootkit code damaged resource directory.

Image
Image

3. Next go to WinHex options and turn on "Alternate disk access mode 1". Go to unallocated partition space. There you will find encrypted container serving all this "undetectable" and "unremovable" lolkit.

Image

4. Select all sectors with payload (~2 Mb) and fill it with zeroes.

5. Immediatelly reboot computer.

6. Run sigverif again. It will reveal all infected drivers. Replace them with clean copies.

Image

Note: in case if authors will fix their pathetic BSOD-generator in next releases - you can do the same offline, there is nothing "unremovable" in this lolkit.
P.S. Additionally it can be easily detected by primitive user mode memory scanning of "svchost.exe", "csrss.exe" processes, because this lolkit maps PAGE_SIZE region with executable code inside.
 #19146  by EP_X0FF
 Thu May 02, 2013 7:05 am
Attachments
pass: infected
(718.14 KiB) Downloaded 90 times
 #19147  by t4L
 Thu May 02, 2013 10:47 am
Not to mention that this wont and never be x64 compatible w/o bootkit.
 #19159  by kmd
 Thu May 02, 2013 12:56 pm
EP_X0FF wrote:Since authors of this crapware were really dumb they decided to mirror these changes to the disk at I/O filter level leaving port driver file at disk untoched.
there must be any reason for this isn't?