A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4241  by EP_X0FF
 Mon Jan 03, 2011 11:41 am
Here is probably new variant of TDL. Or another copy-paste clone, I'm not sure, currently can't get it work because of nice Blue Screens it provides to me (BSOD in atapi.sys and then system unbootable) :)

Three different methods of drivers loading used (tdl3 method, beep.sys method, direct NtLoadDriver).

443-direct.e_ = dropper itself
269E.dll to be injected into spooler (contains sys, see next)
sst2.sys driver it's trying to load

here is ThreatExpert entry describing the same behavior
http://www.threatexpert.com/report.aspx ... 9cdfb34340

source hxxp://clickcalm.org/any5/443-direct.exe
pass: malware
(286.53 KiB) Downloaded 343 times
 #4245  by nullptr
 Mon Jan 03, 2011 12:33 pm
I had just been looking at 443-direct myself, but it freezes the VM at AddPrintProvidor(..) lol
Managed to extract the dll and unpack it and watch it (with a bit of help) write the driver, load it and write its service entry to the registry.
It has notify callbacks for CreateProcess and LoadImage. As soon as I establish an internet connection the VM freezes. :?
Will probably have a bit more of a play with it later. Maybe emulate the internet functionality of the driver and see what turns up. ;)

It downloaded a heap of things, but as soon as I tried to browse directories everything froze. Maybe this malware is alpha version.
 #4247  by EP_X0FF
 Mon Jan 03, 2011 2:03 pm
Ok, crap reversed. It is PALEVO :D Or if it wants, it will be MaxSS.
s e r f _ c o n f b b r _ c o n f [injects_begin] [injects_end] c m d s s c o r e \ D r i v e r \ a c p i \ D r i v e r \ A C P I \ D e v i c e \ H a r d D i s k 0 \ D R 0 volsnap.sys s v c h o s t . e x e I m a g e P a t h INIT .rsrc \ S y s t e m R o o t \ o r i g v o l s n v o l s n h o o k e d \ S y s t e m R o o t \ S y s t e m 3 2 \ D r i v e r s \ v o l s n a p . s y s m a x s s c o r e * A D V A P I 3 2 . D L L ZwTerminateProcess LoadLibraryExA k e r n e l 3 2 . d l l n t d l l . d l l System ntoskrnl.exe hal.dll .text \ S y s t e m R o o t \ S y s t e m 3 2 \ m a i n . s c r i p t svchost.exe K E R N E L 3 2 . D L L N T D L L . D L L | .dll explorer.exe * N T D L L . D L L * K E R N E L 3 2 . D L L e x p l o r e r . e x e cmdsscore
Here is what's inside payload dll that this driver injecting to processes (actually inside driver 2 libraries)
http://anonymitylines.com/ftp1/cat | e x p l o r e r . e x e SeDebugPrivilege winsta0\default cmd_dll: DownloadFileToBuffer: try url %s
HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: GeckaSeka/20090911 Firefox/3.5.1 GET 404 NOT FOUND % S % S m a x s s c o r e c m d s s c o r e % S maxsscore cmdsscore http://www.microsoft.com/ cmd_dll: MainWorkThread started
affid subid cmd_dll: affid = %s subid = %s
cmd_dll: MainWorkThread: try read script
main.script cmd_dll: lpstrMainScript: read script OK
[servers_end] [servers_begin] %s/main.php?affid=%s&subid=%s&v=3 [SCRIPT_SIGNATURE_CHECK] cmd_dll: main.script not valid, SCRIPT_SIGNATURE_CHECK failed
cmd_dll: lpstrMainScript downloaded = %s
[servers_end] [servers_begin] cmd_dll: read script failed
cmd_dll: try download script
%s/main.php?affid=%s&subid=%s&v=3 cmd_dll: script url: %s
cmd_dll: lpstrMainScript = %s
[SCRIPT_SIGNATURE_CHECK] cmd_dll: main.script not valid, SCRIPT_SIGNATURE_CHECK failed
[servers_end] [servers_begin] main.script [kit_hash_end] [kit_hash_begin] [cmd_dll_hash_end] [cmd_dll_hash_begin] %s/files/core/maxsscore %s/files/core/cmdsscore [modules_end] [modules_begin] %s/files/mods/%s %s/testadd.php?aid=%s&sid=%s&mode=check_point4&data=try_url_%s %s/testadd.php?aid=%s&sid=%s&mode=check_point5&data=url_%s_download_OK_and_save_sectors_OK %s/testadd.php?aid=%s&sid=%s&mode=check_point_fail5&ntstatus=%d cmd_dll loaded
svchost.exe JKgxdd5ff44okghk75ggp43423ksf89034jklsdfjklas89023 cmd_dll install OK %s!!!
wininet.dll wininet.dll InternetCloseHandle InternetConnectA InternetOpenA HttpOpenRequestA InternetCrackUrlA HttpSendRequestA InternetReadFile InternetCheckConnectionA
and from second
ldr_dll: DLL = %s api ord = %X addr = %X
ldr_dll: DLL = %s api = %s addr = %X
ldr_dll: MainThread started
ldr_dll: g_dwNamesCount = %d
ldr_dll: pbDllBuffer = %X
ldr_dll: LoadDll() pbDllBuffer = %X, pminidll[%d].modeof = %d pminidll[%d].pbbrconfig = %X
ldr_dll: LoadDll() pbDllBuffer = %X, pminidll[%d].modeof = %d Addr of pminidll[%d] = %X
ldr_dll: hMod = %X
ldr_dll: ldr_dll started
ldr_dll: array of PMINIDLLPARAMS addr = %X
And after reboot - infinite loop of PAGE_FAULT_IN_NONPAGED_AREA :D
 #4248  by EP_X0FF
 Mon Jan 03, 2011 2:11 pm

Can you please upload what it downloaded? :)

New IE found with http://www.clickleg.org/ac.php?q=cloning&aid=5&sid=direct2
searching for cloning
searching for cloning

looking for cloning
looking for cloning


 #4249  by nullptr
 Mon Jan 03, 2011 3:26 pm
EP_X0FF wrote:@nullptr
Can you please upload what it downloaded? :)
Unfortunately not, I just saw numerous things executing in Task Manager, one was AMdelta.exe, but as soon as I tried to look for anything, the VM froze.
I tried removing the callbacks before it downloaded anything, but that ended with the same result. Trojan.pcCrippler :?:
 #4250  by PX5
 Mon Jan 03, 2011 3:29 pm
In message, you see .ex

Those should be PRAGMA, I havent got to all the others yet. :roll:

Think ones look like windowsupdate logo may be FakeAV
 #4251  by EP_X0FF
 Mon Jan 03, 2011 4:02 pm
Thanks PX5.

Excellent. 20+ megabytes of malware, archive split on 4 parts, enjoy.

pass: malware
(2.4 MiB) Downloaded 153 times
(4.25 MiB) Downloaded 139 times
(4.25 MiB) Downloaded 145 times
(4.25 MiB) Downloaded 154 times
 #4252  by EP_X0FF
 Mon Jan 03, 2011 5:11 pm
Yes, it is some sort of new TDL.

The same I/O filtering, now working for hiding infected volsnap.sys modification.
Here is infected driver sample if somebody want to look. To counteract simple removal it constantly reopens handle for infected driver in queued WorkItem.
pass: infected
(27.06 KiB) Downloaded 155 times
 #4257  by EP_X0FF
 Mon Jan 03, 2011 6:39 pm
Samples from the target site with size ~ 17 kb all are classical TDSS downloaders.
Unfortunately payload inaccessible for me.
 #4259  by EP_X0FF
 Tue Jan 04, 2011 5:26 am
If you take a look on injected code you will find a lot of things.
This trojan is very self descriptive :)

All samples with size of 420+ kb from archive posted above - recrypt of the same Fake AV (Malware Defense reincarnation).

PX5 is rights, it's PRAGMA :)
(12.02 KiB) Downloaded 121 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 15