[EP_X0FF]

Wrong identified as Rustock (see Rustock 2010) this is another rootkit with few interesting features at board.

It patches ETHREAD SystemTable pointer to specially allocated in NonPagedPool fake service table, that contains real addresses from SSDT and addresses replaced by rootkit handlers. User threads created after rootkit installation is being patched in same manner. Rootkit uses Thread notification routine to catch threads creation (PsSetCreateThreadNotifyRoutine used).

E.g.

0x81D84E40 Faked ServiceTable-->explorer.exe [ ETHREAD 0x81E4F188 ] TID: 984

Lets explore it.

lkd> dd 0x81D84E40
81d84e40 8182a698 00000000 0000011c 80510088
81d84e50 bf999b80 00000000 0000029b bf99a890

We have actually new faked table entries. This method gives enough stealth level and it is comfortable. As in fact, SSDT wasn’t modified and major rootkit detectors will fail find and remove rootkit hooks.
Syscalls from such “patched” thread is fully under control of rootkit. So such thread (and application in whole) can for example think that some registry keys simple does not exists.
Following functions affected:

NtDeleteValueKey
NtEnumerateValueKey
NtEnumerateKey
NtOpenKey
NtOpenProcess
NtOpenThread
NtProtectVirtualMemory
NtQuerySystemInformation
NtReadVirtualMemory
NtSetContextThread
NtSetValueKey
NtSuspendThread
NtTerminateThread
NtWriteVirtualMemory

Registry routines intercepted by rootkit for self-protection reasons. They helping in survive strategy, by hiding registry entries that belongs to rootkit. It also modifies code of IofCompleteRequest to help protect itself. Rootkit injects payload dll named main.dll inside trusted svchost.exe process, creates thread and guards all these stuff with help of other acquired functions listed above. Thread is hidden from enumeration with help of NtQuerySystemInformation interception.

Main.dll contains several readable strings, full dump below:

.exe SYS TMP cmd.exe /C b k e r n e l p l g _ d a t a getp v e r s i o n n a m e s l e e p f r e q c m d s p l u g i n s x%s_%X C:\ a d d r t y p e s e r v e r s i c m p _ a d d r b u i l d _ i d str.sys \drivers\ \ \ . \ \ \ . \ G l o b a l \ %s%s { 9 D D 6 A F A 1 - 8 6 4 6 - 4 7 2 0 - 8 3 6 B - E D C B 1 0 8 5 8 6 4 A } main.dll .bdata {3D5A1694-CC2C-4ee7-A3D5-A879A9E3A623} POST %.2X & = bid nt %d cn ln id ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ Content-Type: application/x-www-form-urlencoded _TEST_ .dll user32.dll advapi32.dll wininet.dll ws2_32.dll DispatchCommand DispatchEvent GetLastError GetCurrentProcessId ExitThread CloseHandle KERNEL32.dll wsprintfA USER32.dll CoCreateInstance CoInitializeEx ole32.dll OLEAUT32.dll WS2_32.dll RtlUnwind InterlockedExchange VirtualQuery main.dll ConfAllocGetTextByNameA ConfAllocGetTextByNameW ConfGetListNodeByName ConfGetNodeByName ConfGetNodeTextA ConfGetNodeTextW ConfGetPlgNode ConfGetRootNode DownloadFile PlgSendEvent RkLoadKernelImage RkProtectObject SrvAddRequestBinaryData SrvAddRequestStringData

Rootkit driver is not hidden from drivers list but randomly renamed (hexadecimal name). Name differs after each reboot. Rootkit renames itself in list to fool detectors and users. Also this help to prevent “Wiping” by some tools (they can’t get real file path and file name of rootkit driver).

More detailed analysis of this rootkit can be found here
BlackEnergy Version 2 Analysis

VirusTotal
http://www.virustotal.com/analisis/5af3 ... 1268660972

MD5
9219e2cfcc64ccde2d8de507538b9991

SHA1
181e59600d057dc6b31a3b19d7f4f75301a3425e

[gjf]

This method gives enough stealth level and it is comfortable. As in fact, SSDT wasn’t modified and major rootkit detectors will fail find and remove rootkit hooks.

So - no way to live any further? Even RkU cannot see it? ;)

[EP_X0FF]

Hi,

Original kernel service table stays untouched, so there is nothing to dispay :)
Each thread can have it's own service table because of pointer in ETHREAD.
This is done by original NT architecture and we can't change that.
Public RkU will however find and show your this faking at Stealth Code page.
So if something labeled "Faked blah-blah" will be shown -> this type of modification must be taken seriously as it can only be.

Regards.

[gjf]

Hi,

Original kernel service table stays untouched, so there is nothing to dispay :)
Each thread can have it's own service table because of pointer in ETHREAD.
This is done by original NT architecture and we can't change that.
Public RkU will however find and show your this faking at Stealth Code page.
So if something labeled "Faked blah-blah" will be shown -> this type of modification must be taken seriously as it can only be.

Regards.

Thanks for quick answer. It is very interesting because I believe we have an issue with something like that. After all the only decision was to remove using LiveCD.

So - is there any more convenient way to remove this rootkit? If so - which one? According to you we can observe some suspicious faking but no way to detect the path and name to rootkit dll and - of course - no way to delete it.

[GamingMasteR]

Hi,

Fake service table detected and could be restored :

[EP_X0FF]

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
!-->[Hidden] C:\WINDOWS\system32\drivers\paqkkmhplelf.sys
!-->[Hidden] C:\WINDOWS\system32\drivers\str.sys

Public rku is able to find hidden data (as well as hooks and ethread table pointer faked) and successfully wipe rootkit files.
RootRepeal also. Kernel Detective with some magic also. GMER also will be useful.

But you need to do quick reset. That's the key :)

edit:
Beaten by GamingMaster. Yes, here it is - magic :)

[Cr4sh]

Here is original source code of KTHREAD::ServiceTable hooking.

[swirl]

just for sharing this interesting sample, it's old but overall nice compared
to most of copy&paste malware out there..

for a complete analysis :
http://www.secureworks.com/research/thr ... ckenergy2/
http://blog.fireeye.com/research/2010/0 ... rypto.html

in the package (pw: infected):

dropper.bin : the dropper
original.sys : the kernel driver (it's packed, really easy)
unpacked.sys : unpacked driver
hash.py : since most of the apis are imported by hash, it's an utility to simplify the work
ddos_update.py : mimics the agent requests: downloads the various ddos modules
(syn, http, ddos) and downloads the configuration file (who to ddos, etc)

[EP_X0FF]

Hi,

it was originally listed here http://www.kernelmode.info/forum/viewto ... ?f=16&t=42
including partial source code, so I merged your post with this old thread.

Regards.

[NOP]

For anyone interested, this is part of the web panel from this bot I managed to harvest.