Sysinternals Homepage

RootRepeal (old name: DriverDetect)

USForce (Senior Member, joined 26 October 2007, location: United States)
Posted: 23 July 2008 at 6:06pm
It would be interesting if I could get a sample of this rootkit.

Thank you
Diablo (Senior Member, joined 16 July 2008, location: Western Sahara)
Posted: 23 July 2008 at 7:23pm
This last BSOD-y rootkit adds some pain to the back side of the body... and, from another point of view, more stuff to research and implement lately.
Diablo
Posted: 24 July 2008 at 8:15am
Okay, several conceptual bypass solutions were found and implemented, at least in *our* project. Hope AD will be able to deal with this rootkit soon too.

Apart from this Object Directory trashing *feature*, there is nothing interesting in this HMR73.SYS.

These ANTIRK *features* seen in the latest rootkits are really annoying. While having big trouble bypassing antirootkits conceptually (or even like Rustock.B), rk writers seem to have started playing the "I will f**k up everything here, try to even start with me" game. Well, they are not as smart as they think.

In addition, if somebody is really interested in how this rootkit works:

Actually HMR73.sys itself is a kernel-mode "loader" for the real rootkit driver, which is encrypted inside the loader. The first driver allocates memory, copies the actual rootkit into it (this was done to avoid antirootkit detection) and starts it. It is exactly this crap that f**ks up the object directory (looks like this was made on purpose; look at the decrypted imports), hooks IRPs and does all the payload (again, afaik, code injection).

Edited by Diablo - 24 July 2008 at 8:29am
USForce
Posted: 24 July 2008 at 8:40am
I agree. Nothing *really* new.

If it's quite trivial to bypass most commercial antirootkits conceptually, they seem to prefer war.

From a money perspective, this is maybe the right choice. From a technology and improvement perspective, it's a total failure.

Edited by USForce - 24 July 2008 at 8:41am
Diablo
Posted: 24 July 2008 at 8:48am
RAW --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
FltMgr --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Ntfs --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Mup --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Msfs --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Npfs --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
NetBIOS --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Rdbss --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
MRxSmb --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Cdfs --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Fastfat --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
MRxDAV --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
MRxVPC --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Srv --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
HMR37 --> [IRP_MJ_CREATE], Type: Address Change 0x81C6DFC0-->81C6DFC0 [unknown_irp_handler]
HMR37 --> [IRP_MJ_CLOSE], Type: Address Change 0x81C6DFC0-->81C6DFC0 [unknown_irp_handler]
HMR37 --> [IRP_MJ_DEVICE_CONTROL], Type: Address Change 0x81C6DFF0-->81C6DFF0 [unknown_irp_handler]


Here is some stuff from HMR37, whose name is actually Siberia2 Prot.

edit: latest GMER works, but sucks completely with this rootkit.

Edited by Diablo - 24 July 2008 at 8:50am
Diablo
Posted: 24 July 2008 at 9:10am
And here we go to the last monkey from the zoo.

GLOK.sys

It is a trivial trojan downloader.

Hooks three entries in the SSDT:
NtEnumerateKey       <- hiding reg keys
NtEnumerateValueKey  <- hiding reg key
NtQueryDirectoryFile <- hiding file

Hooks IRP_MJ_DEVICE_CONTROL of tcpip.sys

While working, this rootkit caused services.exe to trash (oops, I mean crash of course, lol), probably due to an incorrect code injection attempt via APC.

GLOK.sys wrote:

g l o k +   g l o k +   g l o k +
\BaseNamedObjects\KKklkK23jKKj3kJJ
bad allocation >   <   
   IЎ@ yahoo.com   Can't get mx    TCP connection is failed    @   From:   ;   Software\Microsoft\Windows\ITStorage\Finders    Counter ID config \glok+serv.config   postmaster@ root@   local   noreply @avp.   pgp spam    cafee   panda   abuse   samples winrar google winzip @messagelab free-av @iana   @foo    sopho   certific    listserv    linux   bsd unix    ntivi   support icrosoft    admin   kasp    noone@ nobody@ info@   help@   gold-certs@ feste   contract@   bugs@   anyone@ update news    f-secur rating@ @microsoft .lst    .dat    .jsp
    .dhtm   .mht    .cgi    .uin    .oft    .xls
    .sht    .tbb    .adb    .wsh    .pl .php    .asp
    .cfg    .ods    .mmf    .nch    .eml    .mdx
    .mbx    .dbx    .xml    .stm    .shtm   .htm
    .msg    .txt    .wab    K K k l k K 2 3 j K K j 3 k
J J WindowsNT 3.51 Windows 95 Windows NT 4.0 Windows 98 Windows Me Win%s %d.%d 32 NT Windows 2000    Windows XP Windows 2003    Windows Vista   7hA ~! \   anonymous   Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921) 0   1   Torrents    <5@ ф8@ ^@ 14@ download    1.2.3   ŽJ@ ^@ policy-studies.cn/getbackup.php NameServer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
=_NextPart_%03d_%04X_%08.8lX.%08.8lX%04x%08.8lx$%08.8lx$%08x@   </FONT></DIV>   <DIV><FONT face=3DArial size=3D2>   =20
   <DIV><FONT face=3DArial size=3D2></FONT> </DIV>    %i .html   Content-Type: application/x-www-form-urlencoded. htm gif jpg a= POST    &b= .exe    .. *.* :   peers   %d uport   %08X%04X%02X invalid block type invalid stored block lengths    too many length or distance symbols invalid distance too far back   invalid distance code   invalid literal/length code invalid distances set   invalid literal/lengths set invalid bit length repeat   invalid code lengths set
/   ordinaire_http_1.0_url HTTP/1.0    Host:   
IP:    Content-Length: Content-Expire:



And yeah, this rootkit contains a DLL inside, which does most of the payload work.

Edited by Diablo - 24 July 2008 at 9:15am
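The hooks reported in the two posts above (the one IRP_MJ_CREATE handler at 0x81C6E9E0 spliced in front of every file system driver in the HMR37 report, and the three SSDT entries GLOK.sys hooks) can be triaged with the same test: a dispatch-table entry whose target does not lie inside the image of the module that should own it. The code below is an added example, not code from this thread or from RootRepeal or GMER. The loaded-module list, the SSDT snapshot and the SSDT index numbers are assumptions; only the report lines are copied from the post.

```python
"""Hook triage for the two tables the posts above report on: a driver's IRP
major-function dispatch table (the RootRepeal lines for HMR37 and the file
system drivers) and the SSDT (the three GLOK.sys hooks). Added example, not
RootRepeal's or GMER's code. The module list, the SSDT snapshot and every
address except those copied from the posted report are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module list; the addresses are assumed XP-style values.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x0021F000),
    Module("Ntfs.sys", 0xF7A00000, 0x0008C000),
    Module("tcpip.sys", 0xF7B00000, 0x00058000),
    Module("HMR37.sys", 0xF7C00000, 0x00008000),
]


def owning_module(addr: int, modules=MODULES):
    """Module whose image contains addr, or None if the code is unbacked."""
    return next((m for m in modules if m.contains(addr)), None)


# One RootRepeal "Address Change" line; the right-hand value is the live handler.
IRP_LINE = re.compile(
    r"^(?P<drv>\S+) --> \[(?P<mj>IRP_MJ_\w+)\], Type: Address Change "
    r"0x(?P<old>[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+)"
)

# Excerpt of the report Diablo posted (copied lines, not constructed).
ROOTREPEAL_EXCERPT = """
RAW --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Ntfs --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
Fastfat --> [IRP_MJ_CREATE], Type: Address Change 0x81C6E9E0-->81C6E9E0 [unknown_irp_handler]
HMR37 --> [IRP_MJ_CREATE], Type: Address Change 0x81C6DFC0-->81C6DFC0 [unknown_irp_handler]
HMR37 --> [IRP_MJ_DEVICE_CONTROL], Type: Address Change 0x81C6DFF0-->81C6DFF0 [unknown_irp_handler]
"""


def parse_irp_report(text: str):
    """Turn report lines into (driver, major function, handler address) tuples."""
    entries = []
    for line in text.splitlines():
        m = IRP_LINE.match(line.strip())
        if m:
            entries.append((m["drv"], m["mj"], int(m["new"], 16)))
    return entries


def triage_irp_hooks(entries, modules=MODULES, shared_threshold=3):
    """Flag a handler that lives outside every loaded image (pool-resident code,
    the loader pattern described for HMR73) or that several unrelated drivers
    share (one rootkit routine in front of every file system's IRP_MJ_CREATE).
    Returns {handler: (sorted driver names, reasons)}."""
    drivers_by_handler = defaultdict(set)
    for drv, _mj, handler in entries:
        drivers_by_handler[handler].add(drv)
    findings = {}
    for handler, drivers in drivers_by_handler.items():
        reasons = []
        if owning_module(handler, modules) is None:
            reasons.append("handler not inside any loaded module image")
        if len(drivers) >= shared_threshold:
            reasons.append(f"one handler shared by {len(drivers)} drivers")
        if reasons:
            findings[handler] = (sorted(drivers), reasons)
    return findings


# SSDT: service index -> current entry. The indices are the XP SP2/SP3 numbers
# as I recall them (an assumption, illustrative only); the addresses are constructed.
SSDT_NAMES = {0x25: "NtCreateFile", 0x47: "NtEnumerateKey",
              0x49: "NtEnumerateValueKey", 0x91: "NtQueryDirectoryFile"}
SSDT_SNAPSHOT = {0x25: 0x8056E0B0, 0x47: 0x81C70100,
                 0x49: 0x81C70200, 0x91: 0x81C70300}


def triage_ssdt(snapshot=SSDT_SNAPSHOT, kernel=MODULES[0], names=SSDT_NAMES):
    """Every KeServiceDescriptorTable entry must point into ntoskrnl; anything
    else is a hook. Returns {service name: hook target}."""
    return {names.get(idx, f"index 0x{idx:X}"): addr
            for idx, addr in snapshot.items() if not kernel.contains(addr)}


if __name__ == "__main__":
    irp = triage_irp_hooks(parse_irp_report(ROOTREPEAL_EXCERPT))
    for handler, (drivers, reasons) in irp.items():
        print(f"0x{handler:08X} {', '.join(drivers)}: {'; '.join(reasons)}")
    for name, target in triage_ssdt().items():
        print(f"SSDT {name} -> 0x{target:08X}")
```

Both checks depend on an honest module list; a rootkit that hides its own driver object or corrupts the object directory (the HMR73 behaviour Diablo describes) makes the "unbacked code" test fire for its own image too, which is still a finding, just a less specific one.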
USForce
Posted: 24 July 2008 at 9:16am
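The GLOK.sys strings dump in the post above is the usual raw mix: registry paths, a named object, a download host, a spam-harvesting extension list, MIME boundary formats and, buried at the end, zlib's inflate() error texts. As an added example (not part of the post), the classifier below sorts such a dump into those categories and infers an embedded inflate routine from the error strings. The input is an excerpt of the posted dump; the categories and patterns are my own choices.

```python
"""Categorise a raw strings dump like the one posted for GLOK.sys. Added example,
not part of the post; the categories and patterns are my own choices."""
import re

# Excerpt of the strings Diablo posted for GLOK.sys, whitespace-separated as pasted
# (the "Windoss" typo is in the sample itself, not a transcription error).
GLOK_STRINGS = r"""
\BaseNamedObjects\KKklkK23jKKj3kJJ
yahoo.com   Can't get mx    TCP connection is failed    From:
Software\Microsoft\Windows\ITStorage\Finders    Counter ID config \glok+serv.config
postmaster@ root@ noreply @avp. spam cafee panda abuse samples google @messagelab
.lst .dat .jsp .dhtm .mht .cgi .uin .oft .xls .msg .txt .wab
Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)
policy-studies.cn/getbackup.php NameServer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
=_NextPart_%03d_%04X_%08.8lX.%08.8lX%04x%08.8lx$%08.8lx$%08x@
Content-Type: application/x-www-form-urlencoded. POST .exe
invalid block type invalid stored block lengths too many length or distance symbols
invalid distance too far back invalid distance code invalid literal/length code
"""

REGISTRY = re.compile(r"^(SYSTEM|SOFTWARE|HKLM|HKCU)\\", re.I)
NAMED_OBJECT = re.compile(r"^\\BaseNamedObjects\\", re.I)
EXTENSION = re.compile(r"^\.[a-z0-9]{2,5}$", re.I)
HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}(/\S*)?$", re.I)
MAIL_HEADER = re.compile(r"^(Content-Type|Content-Length|From|Host|=_NextPart_)", re.I)
USER_AGENT = re.compile(r"Mozilla/\d\.\d \([^)]*\)")
# zlib's inflate() error texts; several of them together mean the binary carries
# its own inflate routine, i.e. something compressed is unpacked at run time.
ZLIB_MARKERS = ("invalid block type", "invalid stored block lengths",
                "too many length or distance symbols", "invalid distance too far back",
                "invalid distance code", "invalid literal/length code")
CATEGORIES = (("registry", REGISTRY), ("named_object", NAMED_OBJECT),
              ("extension", EXTENSION), ("host", HOST), ("mail_header", MAIL_HEADER))


def classify_strings(dump: str, zlib_min_hits: int = 3) -> dict:
    """Bucket whitespace-separated tokens by the first matching category, keeping
    order of appearance and dropping duplicates. Multi-word indicators (user
    agent, zlib messages) are searched for in the whole text instead."""
    result = {name: [] for name, _ in CATEGORIES}
    for token in dump.split():
        for name, pattern in CATEGORIES:
            if pattern.match(token):
                if token not in result[name]:
                    result[name].append(token)
                break
    result["user_agent"] = USER_AGENT.findall(dump)
    result["embedded_zlib"] = sum(marker in dump for marker in ZLIB_MARKERS) >= zlib_min_hits
    return result


if __name__ == "__main__":
    for category, value in classify_strings(GLOK_STRINGS).items():
        print(f"{category}: {value}")
```

The token-level patterns are deliberately strict (a bare word such as "panda" or "abuse" is not classified), so the skip-list words the harvester uses to avoid security vendors and abuse mailboxes fall through; they are a category of their own that needs a word list rather than a regex.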
Have you wasted your time on this last sh*t too? It took me 2 minutes before I closed the software I use to analyze it, LOL

Edited by USForce - 24 July 2008 at 9:18am
Diablo
Posted: 24 July 2008 at 11:02am
Originally posted by USForce:

Have you wasted your time on this last sh*t too?

Yes, and since it is a rhetorical question: I loaded all four of these rootkits in different instances of the VM emulator, traced their behaviour (what they hook, what they create), automatically unpacked some of them (more sh*tty "cryptors" were there). After all that I zipped them and added them to my malware rootkit collection, located in the ZOO subdirectory, without any further wish to touch them again.
USForce
Posted: 24 July 2008 at 11:06am
My question wasn't meant to insult you, I hope you understood that. It was a different way of saying that the rootkit is nothing but sh*t.
Diablo
Posted: 24 July 2008 at 11:17am
I know. Probably you didn't understand my previous post correctly; it is quite humorous.