For you guys to solve out


naides
August 1st, 2008, 20:09
I am not a malware analyst, nor do I claim to have any knowledge on the subject.
I ran into this little critter and opened it in a VM.
Looking at its strings, it appears to be a downloader, but the curious thing is that it tries to connect to the web even from inside the VM, using an instance of svchost.exe outside the virtual machine, and completely fucks up VMware.
I also noticed that it uses rootkit-like capabilities and hides from view at least one of the main executables, called hdrr.exe, that lives inside windows\system32\drivers.

It appears to me to be VM-aware malware, so be extra careful; I cannot guarantee that it does not escape the VM.
The main exe appears to be packed with Themida.
password: malware

MALWARE

RadioActive
August 2nd, 2008, 13:26
It's an interesting topic, and I promise to complete it.
It's known as the Beagle Win32 virus. It's rogue, and many antivirus products couldn't detect it.
I want to perform a full analysis on it, and I'll put the results here as soon as possible...

regs,

- RadioActive

vect0r
August 2nd, 2008, 16:38
I have also been having a look. Once the first layer of Themida is stripped away, I stepped through the code and just encountered a large number of JMP instructions that continually loop.

This code will take a lot more work..

RadioActive
August 2nd, 2008, 18:00
Here's some information about this file:

First, size and MD5 checksum:

Code:

MD5: 8b64429b1ae709a93b3e99ca8c2fed8a
Size: 163430


Here are some exploit signatures:

Code:

http://roupenboghossian.com/ffl.php
http://cestiregalo.altervista.org/ffl.php
http://eskandaie.com/ffl.php
http://habboaccesstaff.altervista.org/ffl.php
http://indianwintersports.com/ffl.php
http://www.magischekringhaaglanden.nl/ffl.php
http://realisations.net/ffl.php
http://wischalla.de/ffl.php
http://djstoned.dj.funpic.de/ffl.php
http://transwalkers.com/ffl.php
http://iescanpuig.cat/ffl.php
http://gelezis.lt/ffl.php
http://zelenaratolest.cz/ffl.php
http://agmagazine.com.ar/ffl.php
http://www.scharsterrijn.nl/ffl.php
http://nzj.home.pl/ffl.php
http://projetoecotour.com.br/ffl.php
http://addexo.com/ffl.php
http://borkowsk.webd.pl/ffl.php
http://mwiktor.nazwa.pl/ffl.php
http://kinesis-gym.gr/ffl.php
http://coltplus.bremen.tw/ffl.php
http://malasommamarco.com/ffl.php
http://alugil.es/ffl.php
http://surtel.com.br/ffl.php
http://www.bagnoz.com/ffl.php
http://faciltecnologias.com.br/ffl.php
http://delarte.p1718.futuro.pl/ffl.php
http://www.altmannsports.ch/ffl.php
http://aultimahora.com.ar/ffl.php
http://motto.com.pl/ffl.php
http://ladeira.com.br/ffl.php
http://recinservices.com/ffl.php
http://kaosconcept.net/ffl.php
http://pc-hard.com/ffl.php
http://www2.seminariodetenerife.org/ffl.php
http://capriiateclube.com.br/ffl.php
http://statosphere.info/ffl.php
http://nasko.com.br/ffl.php
http://www.speedpicker.com/ffl.php
http://www.cnc-steuerung.de/ffl.php
http://tu
http://perfumeria-online.pl/ffl.php
http://atlas-developpement.com/ffl.php
http://jillclicks.info/ffl.php
http://www.juniordoctors.eu/ffl.php
http://s144758003.onlinehome.fr/ffl.php
http://abservices.es/ffl.php
http://oab-niteroi.org/ffl.php
http://web4.vs165183.vserver.de/ffl.php
http://www.ffcqatar.com/ffl.php
http://strzelectwo.lodz.pl/ffl.php
http://www.infinito.art.br/ffl.php
http://carada.it/ffl.php
http://www.taziocorse.com/ffl.php
http://www.labotest.it/ffl.php
http://elmartinet.cat/ffl.php
http://taximan.fi/ffl.php
http://henryglass.it/ffl.php
http://laruedespavots.org/ffl.php
http://www.silverstoneinn.com/ffl.php
http://rycsim.fr/ffl.php
http://rubios-gay.info/ffl.php
http://62.193.236.47/ffl.php
http://www.diesel.com/ffl.php
http://llar-llibre.com/ffl.php
http://www.rgb-worx.com/ffl.php
http://appartamentitropea.com/ffl.php
http://www.hellseherin.li/ffl.php
http://www.adiscart.com/ffl.php
http://www.azionecattolicamessina.it/ffl.php
http://test.olivierdesforges.fr/ffl.php
http://sminco.nazwa.pl/ffl.php
http://www.avalonvillarrubia.com/ffl.php
http://ivanrusso.com.ar/ffl.php
http://von-hiss.com/ffl.php
http://foroantiguo.acuariofilia.net/ffl.php
http://digisave.ch/ffl.php
http://heniek.w.tkb.pl/ffl.php
http://bittersweet.pl/ffl.php
http://studiavanti.nl/ffl.php
http://www.mona-koenig.de/ffl.php
http://www.swtsound.com/ffl.php
http://66.165.182.166/ffl.php
http://empresariosmineros.com/ffl.php
http://margotmedia.com/ffl.php
http://hostingpuebla.com/ffl.php
http://lisac.si/ffl.php
http://www.fluoreszcens.sote.hu/ffl.php
http://parodiario.tv/ffl.php
http://toshiba-tvru.112.com1.ru/ffl.php
http://evelya.es/ffl.php
http://robert.startime.at/ffl.php
http://www.qualitycolombia.com/ffl.php
http://www.ewbbds.ae/ffl.php
http://karlsgarten.de/ffl.php
http://bungalowsdelsol.com/ffl.php
http://wallat-knauth.de/ffl.php
http://www7.webdesign-promotion.com/ffl.php
http://mariage-tunisien.com/ffl.php
http://agenciahispanoamericana.net/ffl.php
http://ringingcedarsusa.com/ffl.php
http://www.deakteerstudio.nl/ffl.php
http://shop-toyru.125.com1.ru/ffl.php
http://pflanzenoase.pf.funpic.de/ffl.php
http://imaseo.com/ffl.php
http://delzacc.com.ar/ffl.php
http://www.kovos-dvorak.cz/ffl.php
http://rainy.ir/ffl.php
http://www.bellazura.com/ffl.php
http://solar-protec.com/ffl.php
http://monilove.credors.pl/ffl.php
http://e314.de/ffl.php
http://ar-dna.nazwa.pl/ffl.php
http://www.fourelementsjersey.com/ffl.php
http://hacedoresmendoza.altervista.org/ffl.php
http://surlabouche.biz/ffl.php
http://www.aguirre-inc.com/ffl.php
http://www.davidbrookins.com/ffl.php
http://tanja-grimm.eu/ffl.php


Registry keys that are used:

Code:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\Security Center\Svc
[Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\
software
Software\FirstRRRun
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\WinLicense


Also, there are some EXE references that are suspicious:
Code:

File: DiskInternals Raid Recovery 1.0_dmp.exe_
%s\%lu.exe
][rundll32.exe
csrss.exe
Executable file (*.exe)
*.exe
%s\wintems\%lu.exe
ntoskrnl.exe
\hldrrr.exe
\mdelk.exe
ccSetMgr.exe
mcupdmgr.exe
a2cmd.exe
a2guard.exe
a2HiJackFree.exe
a2scan.exe
a2service.exe
a2start.exe
a2upd.exe
a2wizard.exe
aavshield.exe
About.exe
AckWin32.exe
ADVCHK.EXE
Agb5.exe
Agb5_.exe
AhnSD.exe
airdefense.exe
ALERTSVC.EXE
ALMon.exe
ALOGSERV.EXE
ALsvc.exe
ALUNOTIFY.EXE
amon.exe
Anti-Trojan.exe
AntiVirus.exe
ANTS.EXE
APVXDWIN.EXE
Armor2net.exe
ash.exe
ashAvast.exe
ashAvSrv.exe
ashchest.exe
ashDisp.exe
ashDug.exe
ashEnhcd.exe
ashLogV.exe
ashMaiSv.exe
ashPopWz.exe
ashQuick.exe
ashServ.exe
ashsimp2.exe
ashSimpl.exe
ashSkPcc.exe
ashSkPck.exe
ashUpd.exe
ashWebSv.exe
ash_UpdateMediator.exe
aswRegSvr.exe
aswUpdSv.exe
ATCON.EXE
ATUPDATER.EXE
ATWATCH.EXE
AUPDATE.EXE
AUTODOWN.EXE
AutostartExplorer.exe
AUTOTRACE.EXE
AUTOUPDATE.EXE
avadmin.exe
avcenter.exe
avciman.exe
avcmd.exe
avconfig.exe
Avconsol.exe
AVENGINE.EXE
avgamsvr.exe
avgcc.exe
AVGCC32.EXE
AVGCTRL.EXE
avgdiag.exe
avgemc.exe
avgfwsrv.exe
avginet.exe
avgnpdln.exe
avgnpsvc.exe
AVGNT.EXE
avgrssvc.exe
avgscan.exe
AVGSERV.EXE
AVGUARD.EXE
avgupden.exe
avgupsvc.exe
avgvv.exe
avgw.exe
avgwizfw.exe
avinitnt.exe
AvkServ.exe
AVKService.exe
AVKWCtl.exe
avnotify.exe
AVP.EXE
AVP32.EXE
avpcc.exe
avpm.exe
AVPUPD.EXE
avscan.exe
AVSCHED32.EXE
avsynmgr.exe
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
BackWeb-4476822.exe
bdagent.exe
bdmcon.exe
bdnews.exe
bdoesrv.exe
bdss.exe
bdsubmit.exe
bdsubmitwiz.exe
BDSurvey.exe
bdswitch.exe
bdwizreg.exe
blackd.exe
blackice.exe
blindman.exe
BTIni.exe
BTIniNT.exe
cafix.exe
CavApp.exe
CaVasm.exe
CavAUD.exe
CavEmSrv.exe
Cavmr.exe
CavMUD.exe
Cavoar.exe
CavQ.exe
CAVSCons.exe
cavse.exe
CavSn.exe
CavSub.exe
CAVSubmit.exe
CavUMAS.exe
CavUserUpd.exe
Cavvl.exe
ccApp.exe
ccEvtMgr.exe
ccProxy.exe
ccSetMgr.exe
CEmRep.exe
CFIAUDIT.EXE
clamscan.exe
ClamTray.exe
ClamWin.exe
Claw95.exe
Claw95cf.exe
cleaner.exe
cleaner3.exe
CliSvc.exe
CMain.exe
CMGrdian.exe
copyx64.exe
cpd.exe
cssexc.exe
custinstall.exe
custsetup.exe
defensewall.exe
DefWatch.exe
dislite.exe
DOORS.EXE
dpatrolq.exe
drvctl.exe
DrVirus.exe
DrvMap.exe
drwadins.exe
drweb32w.exe
drweb386.exe
drwebscd.exe
DRWEBUPW.EXE
drwebwcl.exe
drwreg.exe
ecmd.exe
egni.exe
ekrn.exe
EMM386.EXE
ESCANH95.EXE
ESCANHNT.EXE
ewidoctrl.exe
exit_av.exe
EzAntivirusRegistrationCheck.exe
F-AGNT95.EXE
F-PROT95.EXE
F-Sched.exe
F-StopW.EXE
FAMEH32.exe
FAST.EXE
FCH32.exe
firebird.exe
FireSvc.exe
FireTray.exe
FIREWALL.EXE
FLOPPY.EXE
FLOPPY9x.EXE
FLOPPYME.EXE
FPAVServer.exe
fpavupdm.exe
FProtTray.exe
fpscan.exe
fptrayproc.exe
FPWin.exe
freshclam.exe
FRW.EXE
fsample.exe
fsaua.exe
fsauach.exe
fsav.exe
fsav32.exe
fsavaui.exe
fsavgui.exe
fsavstrt.exe
fsavwsch.exe
fsavwscr.exe
fsbwsys.exe
fsdbuh.exe
fsdc.exe
fsdfwd.exe
FSDIAG.exe
FsDiagUi.exe
fsfwwsch.exe
fsfwwscr.exe
fsgetwab.exe
fsgk32.exe
fsgk32st.exe
fsguidll.exe
fsguiexe.exe
FSHDLL32.exe
fshelp.exe
FSHOTFIX.exe
fsihcomp.exe
fsihs.exe
FSIMAGE.EXE
FSLAUNCH.exe
FSM32.exe
FSMA32.exe
FSMB32.exe
fspc.exe
fspex.exe
fsqh.exe
fssf.exe
fssg.exe
fssm32.exe
fsstm.exe
fssw.exe
fstlui.exe
fsuninst.exe
fsus.exe
gcasDtServ.exe
gcasServ.exe
GIANTAntiSpywareMain.exe
GIANTAntiSpywareUpdater.exe
GUARD.EXE
guardgni.exe
GUARDGUI.EXE
GuardNT.exe
helper.exe
hipsdiag.exe
HRegMon.exe
Hrres.exe
HSockPE.exe
HUpdate.EXE
iamapp.exe
iamserv.exe
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSSUPPNT.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IERegFix.exe
IFACE.EXE
ih8.exe
ih8run.exe
ILAUNCHR.exe
INETUPD.EXE
InocIT.exe
InoRpc.exe
InoRT.exe
InoTask.exe
InoUpTNG.exe
InstallCAVS.exe
InstallLicense.exe
InstallLSP.exe
InstLsp.exe
INWISE.EXE
IOMON98.EXE
isafe.exe
ISATRAY.EXE
ISPNews.exe
isPwdsvc.exe
ISRV95.EXE
ISSVC.exe
isUAC.exe
JEDI.EXE
KAV.exe
kavmm.exe
KAVPF.exe
KavPFW.exe
KAVStart.exe
KAVSvc.exe
KAVSvcUI.EXE
KMailMon.EXE
KPfwSvc.EXE
KWatch.EXE
licmgr.exe
livesrv.exe
LiveUpdate.exe
LOCKDOWN2000.EXE
LogWatNT.exe
lpfw.exe
LUALL.EXE
LUCallbackProxy.exe
LUCheck.exe
LUCOMSERVER.EXE
LuComServer_3_2.EXE
LuConfig.exe
LUInit.exe
Luupdate.exe
MalwareRemoval.exe
MCAGENT.EXE
mcmnhdlr.exe
mcregwiz.exe
Mcshield.exe
MCUPDATE.EXE
mcvsshld.exe
MemString.exe
MINILOG.EXE
MONITOR.EXE
monlite.exe
MonSysNT.exe
MOOLIVE.EXE
MpEng.exe
mpssvc.exe
MSMPSVC.exe
msascui.exe
mva.exe
MVC.exe
myAgtSvc.exe
myagttry.exe
navapsvc.exe
NAVAPW32.EXE
NavLu32.exe
NAVStub.exe
NAVW32.EXE
Navwnt.exe
NDD32.EXE
NeoWatchLog.exe
NeoWatchTray.exe
NetstatViewer.exe
nisoptui.exe
NISUM.EXE
NMAIN.EXE
nod32.exe
nod32krn.exe
nod32kui.exe
NORMIST.EXE
NotifyHA.exe
notstart.exe
npavtray.exe
NPFMNTOR.EXE
npfmsg.exe
NPROTECT.EXE
NSCHED32.EXE
NSMdtr.exe
NssServ.exe
NssTray.exe
ntrtscan.exe
NTXconfig.exe
NUPGRADE.EXE
NVC95.EXE
Nvcod.exe
Nvcte.exe
Nvcut.exe
NWCDEX.EXE
NWService.exe
oasrv.exe
oaui.exe
OfcPfwSvc.exe
olAddin.exe
OnAccessInstaller.exe
osCheck.exe
OUTPOST.EXE
PartIn.exe
PartIn9x.exe
partinfo.exe
PartInNT.exe
PAV.EXE
PavFires.exe
PavFnSvr.exe
Pavkre.exe
PavProt.exe
pavProxy.exe
pavprsrv.exe
pavsrv51.exe
PAVSS.EXE
pccguide.exe
PCCIOMON.EXE
pccntmon.exe
PCCPFW.exe
PcCtlCom.exe
PCTAV.exe
PERSFW.EXE
pertsk.exe
PERVAC.EXE
PM8Flash.exe
PMagic.exe
PMagic9x.exe
PMagicBT.exe
PMagicNT.exe
PNMSRV.EXE
POLUTIL.exe
POP3TRAP.EXE
POPROXY.EXE
postinstall.exe
ppfw.exe
PQBOOT.EXE
Pqboot32.exe
PQBOOTX.EXE
pqbw.exe
PQLAUNCH.EXE
PQMAGIC.EXE
PqPe.exe
pqpe9x.exe
pqpent.exe
preconfig.exe
preupd.exe
prevsrv.exe
PrevxSetup.exe
ProcessViewer.exe
psctrls.exe
pshost.exe
PsImSvc.exe
PTEDIT.EXE
PTEDIT32.EXE
PTEPIT32.EXE
PXAgent.exe
PXConsole.exe
PXL.exe
PXL1.exe
PXReset.exe
pxsupport.exe
QHM32.EXE
QHONLINE.EXE
QHONSVC.EXE
QHPF.EXE
qhwscsvc.exe
qklez.exe
qrtfix.exe
quaranti.exe
RavMon.exe
RavTimer.exe
Realmon.exe
REALMON95.EXE
register.exe
removeit.exe
Remover.exe
Rescue.exe
rfwmain.exe
Rtvscan.exe
RTVSCN95.EXE
RuLaunch.exe
RunSetup.exe
sarcli.exe
sargui.exe
SAV32CLI.EXE
SAVAdminService.exe
SAVMain.exe
savprogress.exe
SAVScan.exe
SCAN32.EXE
scanner.exe
ScanningProcess.exe
sched.exe
sdhelp.exe
sdinvoker.exe
sdloader.exe
SDTrayApp.exe
seccenter.exe
SERVIC~1.EXE
SHSTAT.EXE
sigtool.exe
SiteCli.exe
smc.exe
SNDSrvc.exe
SNUTIL.EXE
SPBBCSvc.exe
SPHINX.EXE
spiderml.exe
spidernt.exe
Spiderui.exe
sporder.exe
SpybotSD.exe
SPYXX.EXE
SS3EDIT.EXE
start_diag.exe
stopsignav.exe
SubmitFiles.exe
svcntaux.exe
swAgent.exe
swdoctor.exe
swdsvc.exe
SWNETSUP.EXE
SymantecRootInstaller.exe
symlcsvc.exe
SymProxySvc.exe
SymSPort.exe
SymWSC.exe
SYNMGR.EXE
Sysinfo.exe
TAUMON.EXE
TBMon.exe
TC.EXE
tca.exe
TCM.EXE
TDS-3.EXE
TeaTimer.exe
TFAK.EXE
tgsvcstp.exe
THAV.EXE
THGnard.exe
THSM.EXE
Tmas.exe
tmlisten.exe
Tmntsrv.exe
TmPfw.exe
tmproxy.exe
tnbutil.exe
tracelog.exe
TRJSCAN.EXE
TrojanGuarder.exe
TrojanHunter.exe
trtddptr.exe
uiscan.exe
UninstallCAVS.exe
Uninstaller.exe
UninstallLSP.exe
unp_test.exe
Up2Date.exe
UPDATE.EXE
UpdaterUI.exe
updclient.exe
upgrepl.exe
UPSObMaker.exe
UUpd.exe
Vba32ECM.exe
Vba32ifs.exe
vba32ldr.exe
Vba32PP3.exe
VBSNTW.exe
vchk.exe
vcrmon.exe
VetTray.exe
viritexp.exe
viritsvc.exe
VirusKeeper.exe
VirusNews.exe
VistAux.exe
VisthLic.exe
VisthUpd.exe
VPTRAY.EXE
vrfwsvc.exe
VRMONNT.EXE
vrmonsvc.exe
vrrw32.exe
VSECOMR.EXE
Vshwin32.exe
vsmon.exe
vsserv.exe
VsStat.exe
WATCHDOG.EXE
Wclose.exe
webfiltr.exe
WebProxy.exe
Webscanx.exe
WEBTRAP.EXE
WGFE95.EXE
wil.exe
Winaw32.exe
WindowList.exe
winroute.exe
winss.exe
winssnotify.exe
WRADMIN.EXE
WRCTRL.EXE
writespid.exe
WRPROG.EXE
wsctool.exe
xcommsvr.exe
zatutor.exe
ZAUINST.EXE
zauninst.exe
zlclient.exe
zonealarm.exe
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
G:\malware collection\Collection1\malware\DiskInternals Raid Recovery 1.0.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
G:\malware collection\Collection1\malware\DiskInternals Raid Recovery 1.0.exe
RestartApp.exe
G:\malware collection\Collection1\malware\DiskInternals Raid Recovery 1.0.exe
<9.EXEu
DiskInternals Raid Recovery 1.0.exe
ABCD.EXE [-h] [-p [pro
NTOSKRNL.EXE
setup.exe


I found these suspicious behaviours, but this is rogue and, as vect0r said, it needs a lot of work and is a time-consuming task.
Anyway, I'll continue to analyse it.
If anybody can give more help and post their results here, that would be good, and we could analyse it faster than now...

evaluator
August 7th, 2008, 03:51
naides!

What did you upload??
I started to trace the program and it is THEMIDA protected.
It can leave your VM dead.
I don't allow THEMIDA to run on my PC; do I go kamikaze??

vect0r
August 7th, 2008, 06:15
Yes, it did kill it for me also. He did state that this was the case though. Liability is removed!

naides
August 7th, 2008, 07:14
By no means am I trying to trick anyone into destroying their computer with this malware vermin.
Nor do I need any problem solved . . .
I just think it would be an interesting challenge to malware reversing aficionados, particularly how it not only fucks up VMware but seems to communicate with the host OS, escaping or bypassing VMware. At least that is my impression. If that is the case, it would be bad news for malware researchers that rely on VM technology to handle these dangerous programs in VMware "bio-safety chambers" (think Anthrax).

evaluator
August 7th, 2008, 10:53
As I said, THEMIDA mostly damages not only VMs but also real PCs..
Just don't allow THEMIDA-protected code to run, neither malware nor so_ware.

naides
August 7th, 2008, 10:58
Advice taken. . .

RadioActive
August 8th, 2008, 00:52
Hey buddies, if you run this on your real PC, you'll see that you can't run your computer in safe mode!
It also causes damage to safe mode...

xenakis
August 8th, 2008, 08:30
I ran it in VMware and somehow I came down with a bad case of syphilis. There's no containing this one!

evaluator
August 8th, 2008, 09:28
Booo! naides, things go weird!

Inside the dump I found a crypted DRIVER!

In fact it is an unwrapper/loader for a 33h-XORed main body!
I uploaded orig.drv and the de-XORed (by HIEW) body.
Huh, such a big malware driver, probably lames' work!?
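
The "33h-XORed main body" evaluator describes is a plain single-byte XOR wrapper, and the key can be recovered from the wrapped blob without knowing it in advance: a PE image must start with "MZ" and carry "PE\0\0" at the offset stored in e_lfanew (the DWORD at 0x3C), so the one key that satisfies both checks is the one used. The following is an added example, not the loader's own routine or any code from this thread; the wrapped image it works on is constructed in make_sample() (a minimal DOS/PE header stub XORed with 0x33) so it runs offline, and the helper names are the example's own.

```c
/* Added example: recover a single-byte XOR key from a wrapped PE image and
 * unwrap it. Not the malware's unwrapper; the sample input is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Returns 1 and sets *key if some byte k turns buf into data that has "MZ"
 * at offset 0 and "PE\0\0" at e_lfanew (DWORD at 0x3C); returns 0 otherwise.
 * Requiring both signatures avoids false hits from the two-byte MZ check alone. */
int recover_xor_key(const uint8_t *buf, size_t len, uint8_t *key)
{
    if (len < 0x40)
        return 0;
    for (int k = 0; k < 256; k++) {
        if ((buf[0] ^ k) != 'M' || (buf[1] ^ k) != 'Z')
            continue;
        /* e_lfanew is little-endian; decode each byte with the candidate key */
        uint32_t e_lfanew = 0;
        for (int i = 3; i >= 0; i--)
            e_lfanew = (e_lfanew << 8) | (uint8_t)(buf[0x3C + i] ^ k);
        if ((size_t)e_lfanew + 4 > len)
            continue;
        if ((buf[e_lfanew] ^ k) == 'P' && (buf[e_lfanew + 1] ^ k) == 'E' &&
            (buf[e_lfanew + 2] ^ k) == 0 && (buf[e_lfanew + 3] ^ k) == 0) {
            *key = (uint8_t)k;
            return 1;
        }
    }
    return 0;
}

/* In-place XOR with a one-byte key: the same operation HIEW's xor-fill did. */
void xor_decode(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Constructed sample: a 0x40-byte DOS header with e_lfanew = 0x40, followed
 * by the PE signature and a little padding, then wrapped with `key`.
 * Returns the number of bytes written (0 if `cap` is too small). */
size_t make_sample(uint8_t *out, size_t cap, uint8_t key)
{
    const size_t n = 0x48;
    if (cap < n)
        return 0;
    memset(out, 0, n);
    out[0] = 'M';
    out[1] = 'Z';
    out[0x3C] = 0x40;                /* e_lfanew, little-endian */
    memcpy(out + 0x40, "PE\0\0", 4);
    xor_decode(out, n, key);         /* XOR is its own inverse, so this wraps it */
    return n;
}

/* Wrap a sample with `key`, recover the key blind, and return what was
 * recovered (or -1 if recovery failed). */
int sample_key_roundtrip(uint8_t key)
{
    uint8_t img[0x48];
    uint8_t found;
    size_t n = make_sample(img, sizeof img, key);
    if (n == 0 || !recover_xor_key(img, n, &found))
        return -1;
    return found;
}

int main(void)
{
    uint8_t img[0x48];
    uint8_t key;
    size_t n = make_sample(img, sizeof img, 0x33);
    if (recover_xor_key(img, n, &key)) {
        xor_decode(img, n, key);
        printf("key=0x%02X, header now starts \"%c%c\", e_lfanew=0x%02X\n",
               key, img[0], img[1], img[0x3C]);
    } else {
        puts("no single-byte XOR key found");
    }
    return 0;
}
```

On a real dump you would read the wrapped region into `buf` instead of calling make_sample(); if recover_xor_key() finds nothing, the body is either not a PE image or the wrapper is more than a one-byte XOR.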

evaluator
August 8th, 2008, 09:45
At VirusTotal I found the following:

File has already been analysed:
MD5: 34c0dfc264200039cdad6488572ed10f
First received: 07.28.2008 05:28:44 (CET)

evaluator
August 8th, 2008, 11:01
Woow!

In the header the old sections are still stored! Only num_sections is reduced!
Now I corrected num_sect to 7, first rebuild to ".text",
imports and relocs fixed, oEIP guessed in INIT..

Original driver REBURNt!
(not tested)

@text:00016A70 interesting cryp_names?

PS. naides, FOR YOU, TEST IT ;D

vect0r
August 8th, 2008, 14:14
Could you be kind enough to explain how you were able to analyse it and get to each stage? I would be interested to know!! A simple breakdown even..

My search lacked a result!

Thanks

Kayaker
August 9th, 2008, 04:21
This is one dog-turd of a driver. It uses IoAttachDeviceToDeviceStack to intercept the IRP_MJ_CREATE Irp requests of the Windows afd.sys, Ancillary Function Driver for WinSock. From this hook location it seems to return STATUS_ACCESS_DENIED to a whole range of AV and anti-malware drivers.

It appears that AV drivers use afd.sys as part of their winsock functions. I don't know what afd.sys does but if you disassemble its IRP_MJ_CREATE function you see a reference to "AfdOpenPacketXX" and some associated code. (Winsock + packet) is enough to know for now.


Code:

PDEVICE_OBJECT
IoAttachDeviceToDeviceStack(
IN PDEVICE_OBJECT SourceDevice,
IN PDEVICE_OBJECT TargetDevice
);


IoAttachDeviceToDeviceStack establishes layering between drivers
so that the same IRPs are sent to each driver in the chain.

An intermediate driver can use this routine during initialization
to attach its own device object to another driver's device object.
Subsequent I/O requests sent to TargetDevice are sent first to the
intermediate driver.



The malware calls IoAttachDeviceToDeviceStack on afd.sys during its DriverEntry routine in pretty much a standard fashion

http://msdn.microsoft.com/en-us/library/ms795014.aspx


Here is the main DispatchControl routine of the malware, which was defined during DriverEntry to handle all the DRIVER_OBJECT MajorFunctions. This is also the function that is called as a result of the IoAttachDeviceToDeviceStack hook.

What the malware does is to check the DEVICE_OBJECT to see if it matches its own, or whether the context is from an external Irp. It then goes to separate DeviceControl functions for each case.


Code:

:00026C46
:00026C46 ; int __stdcall DispatchControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
:00026C46 DispatchControl proc near ; DATA XREF: start+2Do
:00026C46
:00026C46 DeviceObject = dword ptr 8
:00026C46 Irp = dword ptr 0Ch
:00026C46
:00026C46 mov edi, edi
:00026C48 push ebp
:00026C49 mov ebp, esp
:00026C4B mov eax, [ebp+DeviceObject]
:00026C4E cmp eax, DeviceObject ; is this our DEVICE_OBJECT?
:00026C54 jz short loc_26C61
:00026C56 push [ebp+Irp] ; Irp
:00026C59 push eax ; DeviceObject
:00026C5A call DeviceControl_AFD_SYS
:00026C5F jmp short loc_26C85
:00026C61 ; ---------------------------------------------------------------------------
:00026C61
:00026C61 loc_26C61: ; CODE XREF: DispatchControl+Ej
:00026C61 mov ecx, [ebp+Irp] ; Irp
:00026C64 mov edx, dword ptr [ecx+IRP.Tail.Overlay.CurrentStackLocation]
:00026C67 and [ecx+IRP.IoStatus.Information], 0
:00026C6B cmp byte ptr [edx], 0Eh ;
:00026C6B ; switch (IrpStack->MajorFunction)
:00026C6B ; is this IRP_MJ_DEVICE_CONTROL?
:00026C6E jnz short default_IRP
:00026C70 push ecx ; Irp
:00026C71 push eax ; DeviceObject
:00026C72 call DeviceControl_MALWARE
:00026C77
:00026C77 default_IRP: ; CODE XREF: DispatchControl+28j
:00026C77 and [ecx+IRP.IoStatus.anonymous_0.Status], 0
:00026C7B xor dl, dl ; PriorityBoost
:00026C7D call ds:IofCompleteRequest
:00026C83 xor eax, eax
:00026C85
:00026C85 loc_26C85: ; CODE XREF: DispatchControl+19j
:00026C85 pop ebp
:00026C86 retn 8
:00026C86 DispatchControl endp
:00026C86




DeviceControl_AFD_SYS tells us that IRP_MJ_CREATE is the specific Irp being hooked.


Code:

:00026A50 ; int __stdcall DeviceControl_AFD_SYS(PDEVICE_OBJECT DeviceObject, PIRP Irp)
:00026A50 DeviceControl_AFD_SYS proc near ; CODE XREF: DispatchControl+14p
:00026A50
:00026A50 DeviceObject = dword ptr 8
:00026A50 Irp = dword ptr 0Ch
:00026A50
:00026A50 mov edi, edi
:00026A52 push ebp
:00026A53 mov ebp, esp
:00026A55 mov eax, [ebp+Irp]
:00026A58 mov ecx, dword ptr [eax+IRP.Tail.Overlay.CurrentStackLocation]


CurrentStackLocation
Ptr32 to struct _IO_STACK_LOCATION

struct _IO_STACK_LOCATION, 9 elements, 0x24 bytes
+0x000 MajorFunction : UChar
+0x001 MinorFunction : UChar
+0x002 Flags : UChar
+0x003 Control : UChar
+0x004 Parameters : union __unnamed, 38 elements, 0x10 bytes
+0x014 DeviceObject : Ptr32 to struct _DEVICE_OBJECT, 25 elements, 0xb8 bytes
+0x018 FileObject : Ptr32 to struct _FILE_OBJECT, 27 elements, 0x70 bytes
+0x01c CompletionRoutine : Ptr32 to long
+0x020 Context : Ptr32 to Void


:00026A5B cmp byte ptr [ecx], 0 ; // case IRP_MJ_CREATE:?


switch (IrpStack->MajorFunction)
case IRP_MJ_CREATE:?

// enum
char* IRP_MJ_REQUEST_STRINGS[] = {
"IRP_MJ_CREATE",
"IRP_MJ_CREATE_NAMED_PIPE",
"IRP_MJ_CLOSE",
"IRP_MJ_READ",
"IRP_MJ_WRITE",
"IRP_MJ_QUERY_INFORMATION",
"IRP_MJ_SET_INFORMATION",
"IRP_MJ_QUERY_EA",
"IRP_MJ_SET_EA",
"IRP_MJ_FLUSH_BUFFERS",
"IRP_MJ_QUERY_VOLUME_INFORMATION",
"IRP_MJ_SET_VOLUME_INFORMATION",
"IRP_MJ_DIRECTORY_CONTROL",
"IRP_MJ_FILE_SYSTEM_CONTROL",
"IRP_MJ_DEVICE_CONTROL",
"IRP_MJ_INTERNAL_DEVICE_CONTROL",
"IRP_MJ_SHUTDOWN",
"IRP_MJ_LOCK_CONTROL",
"IRP_MJ_CLEANUP",
"IRP_MJ_CREATE_MAILSLOT",
"IRP_MJ_QUERY_SECURITY",
"IRP_MJ_SET_SECURITY",
"IRP_MJ_POWER",
"IRP_MJ_SYSTEM_CONTROL",
"IRP_MJ_DEVICE_CHANGE",
"IRP_MJ_QUERY_QUOTA",
"IRP_MJ_SET_QUOTA",
"IRP_MJ_PNP"
};


:00026A5E push eax ; Irp
:00026A5F push [ebp+DeviceObject] ; DeviceObject
:00026A62 jz short to_IRP_MJ_CREATE
:00026A64 call FallThru_AFD_IRP_MJ_
:00026A69 jmp short loc_26A70
:00026A6B ; ---------------------------------------------------------------------------
:00026A6B
:00026A6B to_IRP_MJ_CREATE: ; CODE XREF: DeviceControl_AFD_SYS+12j
:00026A6B call Hook_AFD_IRP_MJ_CREATE
:00026A70
:00026A70 loc_26A70: ; CODE XREF: DeviceControl_AFD_SYS+19j
:00026A70 pop ebp
:00026A71 retn 8
:00026A71 DeviceControl_AFD_SYS endp




The working code for the hook is in Hook_AFD_IRP_MJ_CREATE. The driver goes through a string comparison between a blacklist of AV products and the ImageFileName received from using

ZwQueryInformationProcess / ProcessImageFileName

http://www.osronline.com/article.cfm?article=472


At the end of it all it completes the Irp request with STATUS_ACCESS_DENIED, presumably to the blacklisted processes:


Code:

:00026902 ; Hook_AFD_IRP_MJ_CREATE+2A25
:00026902 sub esi, offset aKavsvc_exe_2 ; "kavsvc.exe"
:00026908 cmp esi, 1163h
:0002690E jnb short fallthru
:00026910 mov eax, [ebp+pIrp]
:00026916 mov ecx, eax ; Irp
:00026918 mov esi, 0C0000022h ; STATUS_ACCESS_DENIED
:0002691D xor dl, dl ; PriorityBoost
:0002691F mov [eax+IRP.IoStatus.Information], ebx
:00026922 mov [ecx+IRP.IoStatus.anonymous_0.Status], esi
:00026925 call ds:IofCompleteRequest ; // fastcall
:00026925 ; IoCompleteRequest(
:00026925 ; IN PIRP Irp,
:00026925 ; IN CCHAR PriorityBoost
:00026925 ; );




Quote:

@text:00016A70 intersting cryp_names?



There's similar code in the IRP_MJ_CREATE hook as well. I don't see any logical use for it. It looks more like garbage code put in to confuse analysis, maybe some crazy loop delay, or it might be involved in the string comparison, I don't know. I welcome other opinions.


Interspersed with crypted string/variable manipulations (and/or/mul/div) are 512 calls to the following seemingly useless code snippet:

:00011FB8 xor_eax proc near
:00011FB8 and null_var1, 0
:00011FBF xor eax, eax
:00011FC1 retn 4
:00011FC1 xor_eax endp

All the work is done on the stack and I don't see any apparent use for the final result.

There's also a call to KeBugCheckEx if some magic numbers aren't the same, the crypted stuff might have something to do with it.


There's also an OS version specific call to IoGetRequestorProcess which makes no sense in the code, in that it returns a PEPROCESS. IoGetRequestorProcess returns a process pointer for the thread that requested the I/O operation.

http://msdn.microsoft.com/en-us/library/ms795464.aspx


The driver also hooks a bunch of system calls and uses a LoadImageNotifyRoutine callback, regular rootkit stuff. The use of IoAttachDeviceToDeviceStack however is something I haven't seen before.



In the end, the main point of the IRP_MJ_CREATE hook appears to be to return STATUS_ACCESS_DENIED to blacklisted processes, thereby halting their communication with afd.sys and winsock.

Is it any wonder it crashes VMWare?


The question was raised - can the malware bypass vmware to the host? While there is code to intercept a winsock function, I don't really see an "escape route". The whole malware needs to be reversed, there are still a lot of questions.

Kayaker
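
The decision logic Kayaker walks through above (only IRP_MJ_CREATE is inspected, the requestor's image name is matched against a blacklist, and a match is completed with STATUS_ACCESS_DENIED while everything else is passed down to afd.sys) can be written out as a small user-mode model so the behaviour can be exercised and tested without loading a driver. This is an added example, not the malware's code and not a loadable kernel driver: struct mock_irp is a simplified stand-in for the IRP / IO_STACK_LOCATION fields the listings touch, the blacklist is a short excerpt of names from the strings dump posted earlier in the thread, and the image paths are constructed to look like what ZwQueryInformationProcess(ProcessImageFileName) returns.

```c
/* Added example: user-mode model of the afd.sys IRP_MJ_CREATE filter
 * described in Kayaker's post. Not the malware's code; mock_irp stands in
 * for the real IRP/IO_STACK_LOCATION and the sample paths are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define IRP_MJ_CREATE          0x00u   /* why the listing does `cmp byte ptr [ecx], 0` */
#define IRP_MJ_DEVICE_CONTROL  0x0Eu
#define STATUS_SUCCESS         0x00000000u
#define STATUS_ACCESS_DENIED   0xC0000022u

/* What the filter did with the request: passed it down the device stack
 * untouched, or completed it itself (the IofCompleteRequest path). */
enum filter_action { PASS_DOWN = 0, COMPLETED = 1 };

struct mock_irp {
    uint8_t  major_function;   /* IO_STACK_LOCATION.MajorFunction */
    uint32_t status;           /* IRP.IoStatus.Status */
    uint32_t information;      /* IRP.IoStatus.Information */
    char     image_path[260];  /* requestor's ProcessImageFileName (NT path) */
};

/* Excerpt of the AV process blacklist seen in the strings dump. */
static const char *const blacklist[] = {
    "kavsvc.exe", "avp.exe", "nod32krn.exe", "ashserv.exe",
    "mcshield.exe", "ccapp.exe", "zlclient.exe", "ekrn.exe",
};

/* ProcessImageFileName yields an NT path (\Device\HarddiskVolumeN\...), so
 * only the final path component is compared, case-insensitively. */
static int is_blacklisted(const char *image_path)
{
    const char *base = image_path;
    for (const char *p = image_path; *p; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    for (size_t i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
        const char *a = base, *b = blacklist[i];
        while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
            a++;
            b++;
        }
        if (*a == '\0' && *b == '\0')
            return 1;
    }
    return 0;
}

/* Model of DeviceControl_AFD_SYS + Hook_AFD_IRP_MJ_CREATE: anything other
 * than IRP_MJ_CREATE, and any create from a non-blacklisted process, falls
 * through to the real afd.sys; a blacklisted create is completed with
 * Information = 0 and Status = STATUS_ACCESS_DENIED. */
enum filter_action afd_filter_dispatch(struct mock_irp *irp)
{
    if (irp->major_function != IRP_MJ_CREATE)
        return PASS_DOWN;
    if (!is_blacklisted(irp->image_path))
        return PASS_DOWN;
    irp->information = 0;
    irp->status = STATUS_ACCESS_DENIED;
    return COMPLETED;   /* IofCompleteRequest(Irp, IO_NO_INCREMENT) in the driver */
}

static void init_irp(struct mock_irp *irp, uint8_t major, const char *image_path)
{
    memset(irp, 0, sizeof *irp);
    irp->major_function = major;
    irp->status = STATUS_SUCCESS;
    strncpy(irp->image_path, image_path, sizeof irp->image_path - 1);
}

/* Run one request through the filter and report the action taken. */
enum filter_action request_action(uint8_t major, const char *image_path)
{
    struct mock_irp irp;
    init_irp(&irp, major, image_path);
    return afd_filter_dispatch(&irp);
}

/* Run one request through the filter and report the status left in IoStatus
 * (STATUS_SUCCESS when the request was simply passed down). */
uint32_t request_status(uint8_t major, const char *image_path)
{
    struct mock_irp irp;
    init_irp(&irp, major, image_path);
    afd_filter_dispatch(&irp);
    return irp.status;
}

int main(void)
{
    const char *av  = "\\Device\\HarddiskVolume1\\Program Files\\Kaspersky\\KAVSVC.EXE";
    const char *app = "\\Device\\HarddiskVolume1\\Windows\\notepad.exe";
    printf("AV  create: %s, status 0x%08X\n",
           request_action(IRP_MJ_CREATE, av) == COMPLETED ? "denied" : "passed down",
           request_status(IRP_MJ_CREATE, av));
    printf("app create: %s, status 0x%08X\n",
           request_action(IRP_MJ_CREATE, app) == COMPLETED ? "denied" : "passed down",
           request_status(IRP_MJ_CREATE, app));
    return 0;
}
```

The model makes the effect on the blacklisted process concrete: its CreateFile on \Device\Afd never reaches afd.sys, so every socket it tries to open fails with access denied while the rest of the system networks normally. Real afd.sys also sees IRP_MJ_CREATE for ordinary sockets, which is why the filter has to key on the process image rather than on the request itself.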

vect0r
August 9th, 2008, 06:02
Thanks kayaker, that is a nice synopsis of the evasion technique. Seems like an intelligent piece of coding.

evaluator
August 9th, 2008, 06:24
The ProcessImageFileName proc seems to use ugly CR bit disabling; I will trace it.. the fault can be here.

OHPen
August 17th, 2008, 12:13
BTW, afd in this case really stands for "another fucking driver". This is not an urban legend, ask some Microsoft developers.

deroko
August 17th, 2008, 13:21
So this is filter-driver malware? Nice, a very good way of disabling internet access for AVs with afd.sys filtering.

reverser
August 17th, 2008, 15:28
The file description says Ancillary Function Driver for WinSock.

Woodmann
August 18th, 2008, 21:45
Howdy,

Although I have not dissected this shit, I have been a victim of it and/or variations.

Once ingrained into the system there is no way to stop it.
I have had it write itself into data back-ups.
I have had it write to the MBR.

I have seen something like it on two systems and could not figure out
how to destroy it as it was self replicating all over the place.

The only way I could stop it was to nuke the entire box and start all over again from the bios flash and multiple MBR nukers/fixers to find the right one that would work.

Thanks for everything you guys do to figure out this shit

Woodmann

vect0r
August 19th, 2008, 05:21
Was that on an actual box? I take it, that it did not jump out of a VM and bite you in the arse?

Sounds bad..

Woodmann
August 19th, 2008, 16:21
Howdy,

It was not in a VM environment.
I have no idea how they got it or where they got it BUT,
since both boxes had a lot of porn on them I guess that
to be where they got it from.

Woodmann

rendari
August 25th, 2008, 17:25
Talk about viral pornography