[korczyn]

Hello,

I'd like to ask for Trojan.Senkrad, other aliases are presented below:

* Trojan.Senkrad [PCTools]
* Trojan.Senkrad [Symantec]
* Gen.Trojan [Ikarus]
* Win-Trojan/Darkness.36352 [AhnLab]
* packed with: UPX [Kaspersky Lab]

some more details can be found at:
http://www.threatexpert.com/report.aspx ... 0cd90c6634

Thanks for help,
regards,
korczyn

[EP_X0FF]

Hello, korczyn.

Also take a look here http://www.kernelmode.info/forum/viewto ... ness#p4117

[korczyn]

Hi there!

Hello, korczyn.

Also take a look here http://www.kernelmode.info/forum/viewto ... ness#p4117

Thanks a lot for help! However, I feel the malware you've sent me is not the one I need... in fact, Trojan.Senkrad causes that the compromised computer becomes the part of Darkness (DDoS) botnet, whereas the one you sent me is more keylogger...

Please chect it out:

The one you sent me:
http://www.threatexpert.com/report.aspx ... a36ccacf48

The one I'm searching for:
http://www.threatexpert.com/report.aspx ... 0cd90c6634

Btw, it's said that Darkness botnet is much more effective than its predecessors (Black Energy, Illusion)

Thakns in advance for your help,
korczyn

[PX5]

BE1A936FEEC2945D29B07C0CD90C6634

http://www.threatexpert.com/report.aspx ... 0cd90c6634

[moranned]

http://www.threatexpert.com/report.aspx ... 0cd90c6634 is in fact a Darkness sample. the give aways are that it drops dwm.exe in %Windir%\system\ and places a file with a unique identifier at %Windir%\Temp\ddid. this is standard behavior for earlier versions of Darkness.

http://www.threatexpert.com/report.aspx ... a36ccacf48 is not darkness. it is a different ddos malware family altogether and appears to be an advanced version of ruskill.

Hi there!

Hello, korczyn.

Also take a look here http://www.kernelmode.info/forum/viewto ... ness#p4117

Thanks a lot for help! However, I feel the malware you've sent me is not the one I need... in fact, Trojan.Senkrad causes that the compromised computer becomes the part of Darkness (DDoS) botnet, whereas the one you sent me is more keylogger...

Please chect it out:

The one you sent me:
http://www.threatexpert.com/report.aspx ... a36ccacf48

The one I'm searching for:
http://www.threatexpert.com/report.aspx ... 0cd90c6634

Btw, it's said that Darkness botnet is much more effective than its predecessors (Black Energy, Illusion)

Thakns in advance for your help,
korczyn

[EP_X0FF]

http://www.threatexpert.com/report.aspx ... 0cd90c6634 is in fact a Darkness sample. the give aways are that it drops dwm.exe in %Windir%\system\ and places a file with a unique identifier at %Windir%\Temp\ddid. this is standard behavior for earlier versions of Darkness.
http://www.threatexpert.com/report.aspx ... a36ccacf48 is not darkness. it is a different ddos malware family altogether and appears to be an advanced version of ruskill.

f03bc8dcc090607f38ffb3a36ccacf48

* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 %Windir%\system\dwm.exe
[file and pathname of the sample #1] 41 984 bytes MD5: 0xF03BC8DCC090607F38FFB3A36CCACF48
3 %Windir%\Temp\ddid 6 bytes MD5: 0x79A79E5CF4F018A41D292203F4F1E271
SHA-1: 0x339490F05EE70EFD4DD3345BD67DB7CFC6C896C2 (not available)

Have you looked yourself on sample before posting? I'm even not talking about few quite obvious things.

0xF03BC8DCC090607F38FFB3A36CCACF48
darkness IpSectPro service "Running" %Windir%\system\dwm.exe

0xBE1A936FEEC2945D29B07C0CD90C6634
darkness IpSectPro service "Running" %Windir%\system\dwm.exe

[moranned]

Yes, I have looked at and ran the sample in my lab and I noted the following characteristics which are not darkness. Specifically,

%System%\drivers\kmhfoot.exe
%System%\drivers\kmhfoot.exe525
%System%\drivers\kmhfoot.exe706
%Windir%\Temp\tmp.exe 177,664 bytes
MD5: 0xFB88C02090D9A42FEF851B600FD8EC85
SHA-1: 0xD080BEEE2145BF5F962569ED2458625B39BE61F3 Trojan-PSW.Win32.Papras.aiw [Kaspersky Lab]
Trojan:Win32/Dishigy.A [Microsoft]

Youre correct that it also drops a darkness payload. I should have been more precise in my statement, but kmhfoot.exe is definitely not darkness. you'll also notice that khmfoot.exe is checking in with a different controller.

Have you looked yourself on sample before posting? I'm even not talking about few quite obvious things.

0xF03BC8DCC090607F38FFB3A36CCACF48
darkness IpSectPro service "Running" %Windir%\system\dwm.exe

0xBE1A936FEEC2945D29B07C0CD90C6634
darkness IpSectPro service "Running" %Windir%\system\dwm.exe

[EP_X0FF]

It's muldrop trojan with two backdoors inside, what is the difference what is second if first is darkness :)

[Evilcry]

Darkness (also called Optima / Votwup) is a DDoS Bot, additional informations here :)

http://www.shadowserver.org/wiki/pmwiki ... r/20110123

[moranned]

The difference is there is also a second family of DDOS malware that in this case is being distributed with Darkness. Personally, I find that interesting. It may also be important to sites that need to understand how to protect themselves from attacks - as khmfoot.exe has a different signature than darkness.

It's muldrop trojan with two backdoors inside, what is the difference what is second if first is darkness :)