[rkhunter]

Original dropper:

SHA1: e83ca87a39a5f15ca5942fd57d78e790861c2937
MD5: 15e692cf34a70fb364591622bff1e43a

Extracted bootkit dropper:

SHA1: 5ecefefe4bbfc040927e827ab81c10caf5d10f90
MD5: f72e3d86b8f4f97d103ff1b7f87213f2

In brief:
- Infects MBR
- Contains rootkit
- Multi-AV killing, system-tools killing features
- Some anti-debug features
- Anti-drvmon features (greeting to EP_X0FF and Fyyre)

Dropper + decrypted payload (mbr+rootkit+dll) in attach.

[EP_X0FF]

I dont see any specific anti-drvmon features in this crap. It installs itself, open default IE browser and then tries to load it randomly (hex) named driver dropped in system32\drivers, if it fails then it tries again and again.

DrvMon 21:21:53.637 DrvMon.sys loaded, output directory C:\WINDOWS\TEMP\
ImageLoad 21:22:08.986 C:\WINDOWS\system32\drivers\kmixer.sys
Captured 21:22:08.986 C:\WINDOWS\TEMP\DM_000012B1-00000000-kmixer.sys
ImageLoad 21:22:18.379 C:\WINDOWS\system32\310B0D2F.sys
Captured 21:22:18.389 C:\WINDOWS\TEMP\DM_0000165B-00000000-310B0D2F.sys
Denied 21:22:21.504 C:\WINDOWS\system32\310B0D2F.sys
ImageLoad 21:22:23.607 C:\WINDOWS\system32\08CE5B8D.sys
Captured 21:22:23.617 C:\WINDOWS\TEMP\DM_00001865-00000000-08CE5B8D.sys
Denied 21:22:27.372 C:\WINDOWS\system32\08CE5B8D.sys
ImageLoad 21:22:29.165 C:\WINDOWS\system32\69074A33.sys
Captured 21:22:29.165 C:\WINDOWS\TEMP\DM_00001A90-00000000-69074A33.sys
Denied 21:22:30.146 C:\WINDOWS\system32\69074A33.sys

I only noticed this blacklist

nod32krn.exe egui.exe ekrn.exe 360tray.exe 360leakfixer.exe 360Safe.exe safeboxTray.exe 360safebox.exe 360sd.exe ZhuDongFangYu.exe 360rp.exe 360sdupd.exe Calc.exe KSWebShield.exe kxesapp.exe kxeserv.exe kwstray.exe kxedefend.exe upsvc.exe kxescore.exe KVExpert.exe kxetray.exe KSafeSvc.exe KSafeTray.exe guiyingfix.exe RavMonD.exe RsTray.exe RsAgent.exe RegGuide.exe RsMain.exe RsCopy.exe Rav.exe KVSrvXP.exe KVExpert.exe KVMonXp.exe avp.exe avp.exe ras.exe knownsvr.exe rstray.exe knsdtray.exe knsd.exe knsdsvc.exe knsdsve.exe QQPCLeakScan.exe QQPCWebShield.exe QQPCTAVSrv.exe QQPCRTP.exe QQPCMgr.exe QQPCUpdateAVLib.exe QQPCTray.exe QQRepair.exe QQPCPatch.exe

which contains mostly stuff available/popular in China.

If under anti DrvMon you mean procedure at @00403B0A then it is something else with device named DP0000 and the string containing DrvMon word is actually set of params.

Code: Select all

BOOL __cdecl sub_403B0A()
{
  BOOL bResult; // esi@1
  HANDLE hDevice; // ebx@1
  char Dst; // [sp+Ch] [bp-204h]@2
  DWORD BytesReturned; // [sp+20Ch] [bp-4h]@2

  bResult = 0;
  hDevice = CreateFileA("\\\\.\\DP0000", 0xC0000000u, 3u, 0, 3u, 0x30000000u, 0);
  if ( hDevice != INVALID_HANDLE_VALUE )
  {
    BytesReturned = 0;
    memset(&Dst, 0, 0x200u);
    lstrcpyA(&Dst, "Set|DrvMon|0");
    bResult = DeviceIoControl(hDevice, 0xC4DCu, &Dst, 0x200u, &Dst, 0x200u, &BytesReturned, 0);
    CloseHandle(hDevice);
  }
  return bResult;
}

Maybe this disables some AV monitor capabilities, IDK.

[rkhunter]

If under anti DrvMon you mean procedure at @00403B0A then it is something else with device named DP0000 and the string containing DrvMon word is actually set of params.

This one.

[rkhunter]

Installation has an interesting feature of hooking imm32.dll!ImmLoadLayout with calling of user32.dll!LoadKeyboardLayout with next PostMessage calling that results to execute main dropper as Dll (bootkit dropper with installed dll flag in Characteristics that was copied to systemroot\system32\random.tmp). There are two flows of dropper execution: as exe and as dll.

[Peter Kleissner]

Those crooks! They stole my NTFS driver source from my bootkit, and they are not even paying me! Crooks! Chinese copycats! Polizei!

It looks like they used my source 1:1. Look at this for example:

Code: Select all

Get_Count_of_Clusters:

; CountofClusters = DataSec / BPB_SecPerClus
call Get_DataSec

xor edx,edx
movzx ebx,byte [Drive_Context+0Bh]
div ebx

mov [Drive_Context+0Ah],byte 12				        ; suppose FAT Type is FAT12
cmp eax,4085
jb Get_Count_of_Clusters_Exit					; if CountofClusters < 4085 exit

mov [Drive_Context+0Ah],byte 16				        ; suppose FAT Type is FAT16
cmp eax,65525
jb Get_Count_of_Clusters_Exit					; if CountofClusters < 65525 exit

; else FAT Type is FAT32
mov [Drive_Context+0Ah],byte 32

Get_Count_of_Clusters_Exit:

ret

Code: Select all

seg000:0B96 sub_B96         proc near               ; CODE XREF: sub_B40+1Cp
seg000:0B96                 call    sub_BC5
seg000:0B99                 xor     edx, edx
seg000:0B9C                 movzx   ebx, byte ptr [bp-0C4h]
seg000:0BA2                 div     ebx
seg000:0BA5                 mov     byte ptr [bp-0C5h], 12
seg000:0BAA                 cmp     eax, 4085
seg000:0BB0                 jb      short locret_BC4
seg000:0BB2                 mov     byte ptr [bp-0C5h], 16
seg000:0BB7                 cmp     eax, 65525
seg000:0BBD                 jb      short locret_BC4
seg000:0BBF                 mov     byte ptr [bp-0C5h], 32
seg000:0BC4
seg000:0BC4 locret_BC4:                             ; CODE XREF: sub_B96+1Aj
seg000:0BC4                                         ; sub_B96+27j
seg000:0BC4                 retn
seg000:0BC4 sub_B96         endp

[rkhunter]

If under anti DrvMon you mean procedure at @00403B0A then it is something else with device named DP0000 and the string containing DrvMon word is actually set of params.

Of course I don't insist...but if you are look to code, it performs this operation directly before driver installation. Don't sure that it will work of course, but it exists....

[EP_X0FF]

If under anti DrvMon you mean procedure at @00403B0A then it is something else with device named DP0000 and the string containing DrvMon word is actually set of params.

Of course I don't insist...but if you are look to code, it performs this operation directly before driver installation. Don't sure that it will work of course, but it exists....

Sure it will not work, our DrvMon never had:

1) symbolic links
2) 0xC4DCu IOCTL
3) string based params

Have no idea who is from this list had DP0000. Overall this lolkit is nothing interesting and represent common thrend of malware in China -> badly written copy-pasted scope of crappy code.

[Peter Kleissner]

Don't wanna steal you Artem the show but this is what I found out:

- Seems to only really work on XP, broken on 7 SP1
- Stores its stuff at end of hard disk -8200h, the original MBR, bootkit code (8.5 KB) and a dll (24 KB)
- The bootkit always extracts a dll to ?:\WINDOWS\System32\sfc_os.dll using my NTFS driver
- The file name of this dll is encrypted with F7h each letter, stored at offset 2 of the bootkit code
- The dropped dll has a driver embedded as resource
- Code very badly written
- Has a blacklist of 53 executables, checks every 2 second for a blacklisted process
- Also has calc.exe in the blacklist: Check if you are infected!
- Uses 4 IOCTLs (222439h, 22243Dh, 222440h and 222444h) to communicate with the driver, device \Device\Guntior (symbolic link \??\Guntior)
- The driver uses direct I/O to hardware ports
- Communicates with 183.60.132.220:690?

[rkhunter]

- Seems to only really work on XP, broken on 7 SP1
- Stores its stuff at end of hard disk -8200h, the original MBR, bootkit code (8.5 KB) and a dll (24 KB)
- The bootkit always extracts a dll to ?:\WINDOWS\System32\sfc_os.dll using my NTFS driver
- The file name of this dll is encrypted with F7h each letter, stored at offset 2 of the bootkit code
- The dropped dll has a driver embedded as resource
- Code very badly written
- Has a blacklist of 53 executables, checks every 2 second for a blacklisted process
- Also has calc.exe in the blacklist: Check if you are infected!
- Uses 4 IOCTLs (222439h, 22243Dh, 222440h and 222444h) to communicate with the driver, device \Device\Guntior (symbolic link \??\Guntior)
- The driver uses direct I/O to hardware ports
- Communicates with 183.60.132.220:690?

+
- Interesting method of initialization via dll and keyboard layout switching
- Interesting method of driver loading via PnpManager (look function at 403118)
- Killing processes of AV-products via driver - PsTerminateProcess

just a simple screen

[rkhunter]

About your files, Peter:

PE File Inside.bin - driver that stored into resource 101
MBR.bin + Bootkit Code.bin - contents of 112
PE file.bin - dll payload and contents of 111.

http://www.kernelmode.info/forum/viewto ... 765#p14683