Skip navigation.
Home

iStealer 5.0.4 or equivalent infection

|

Hi Guys,

I believe we have a rootkit installed in one of our executive PC. Typical security tools such as procmon generates BSOD, various security downloads get immediately corrupted, etc... In general, the system is very instable as soon as I try to perform sys admin tasks. From what I understand of the symptoms, this rootkit match the new iStealer 5.0.4 but there is very few informations available on this one.

The rootkit activate once the network is up and running. Indeed, we can track SYN SENT to IP 194.165.4.79 on port 8080 (this server, located in Kiev, Ukraine, doesn't answer though).

I tested all rootkit hunters available, without much success. Most of them don't find anything but false positives. AV can't find anything either. MD5 on usual windows system files doesn't show anything suspicious either. HijackThis doesn't help either, nor any of the usual tools (SDFix, Combofix, etc...)

I cleaned Prefetch, DLLCache, Temp directories, etc... from within a Linux box. But still no luck !

In other words, I'm pretty stuck at that point. Any help would be very appreciated ! :-)

Thanks

Try to download Prevx Edge

Try to download Prevx Edge at www.prevx.com, I hope it will reveal the malware,

- -
MegaLab.it redactor.
See my photos at http://www.ipernity.com/doc/ste_95

Will do !

Thanks for the tip; I didn't knew prevx was providing a rootkit hunter.

I'll try it now and come back with the results.

Thanks !

Hi, PrevX 3.0 scan done. He

Hi,

PrevX 3.0 scan done. He found a couple of malware parts, but nothing related to the rootkit I am suspecting. After cleaning the PC, rebooting, rescanning with PrevX which found the machine clean, the rootkit was still there (eg; I still have that outgoing connection, and a BSOD if I run procmon.)

Thanks for the help !

Try

Try this:
http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html

--
MegaLab.it redactor.
See my photos at http://www.ipernity.com/doc/ste_95

Didn't knew this one either;

Didn't knew this one either; thanks for the hint ! I'll try this and come back asap.

Thanks for caring.

Got IT !

I finally found it. This rootkit was hiding behind a registered SCSI driver; located in %SYSTEMROOT%\system32\drivers\celb016.sys. It's MD5 sum is ff584890b254cd7e8e9b6cad95bc6ee5.

Only 9 out of 41 AV in Virustotal catch it, and 3 found it as a Generic rootkit. I'll upload a sample for analysis.

Thanks for the help !

Thanks for the upload, I've

Thanks for the upload, I've downloaded it.
You're welcome!
--
MegaLab.it redactor.
See my photos at http://www.ipernity.com/doc/ste_95

I forgot... Do you have the

I forgot... Do you have the executable that generated all the infection?
--
MegaLab.it redactor.
See my photos at http://www.ipernity.com/doc/ste_95

Unfortunately no. I actually

Unfortunately no. I actually don't believe it's there anymore. I could try to find it within the deleted NTFS files, but I don't know it's name nor original timestamp/size/etc... so I don't even know where to start.

Don't worry, thank you in

Don't worry, thank you in any case.

- -
MegaLab.it redactor.
See my photos at http://www.ipernity.com/doc/ste_95

REG_BINARY Key

Hi

Looking into the registry, I found the following REG_BINARY:

system.reg:/ControlSet003/Services/celb016/ImagePath,EXPAND_SZ,\x5CSystemRoot\x5CSystem32\x5Cdrivers\x5Ccelb016.sys,
system.reg:/ControlSet003/Services/celb016/DisplayName,SZ,celb016,
system.reg:/ControlSet003/Services/celb016/Group,EXPAND_SZ,SCSI Class,
system.reg:/ControlSet003/Services/celb016/Security,KEY,,2009-06-08 02:21:35
system.reg:/ControlSet003/Services/celb016/Security/Security,BINARY,\x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\x00\x14\x00\x00\x000\x00\x00\x00\x02\x00\x1C\x00\x01\x00\x00\x00\x02\x80\x14\x00\xFF\x01\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x02\x00`\x00\x04\x00\x00\x00\x00\x00\x14\x00\xFD\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x00\x00\x18\x00\xFF\x01\x0F\x00\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00 \x02\x00\x00\x00\x00\x14\x00\x8D\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0B\x00\x00\x00\x00\x00\x18\x00\xFD\x01\x02\x00\x01\x02\x00\x00\x00\x00\x00\x05 \x00\x00\x00#\x02\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00,

Does anyone know how to decode such binary code ? I tried to decode it with hexdump, but it doesn't seem to recognize it as a particular encoding format.
I'd like to understand why this code is here, how it related with the celb016 driver, and what does it do.

Any help would be appreciated !

Thanks