Unknown rootkit or exploit, has anyone experience with this malware? No antimalware scanner seems to detect it

Hi,
No known antivirus or antimalware software seems to detect it.
I have had this malware in one of my VMware machines for a month now.
Symptoms:

sending various spam mails

hooked into svchost.exe. I know mswsock is a Winsock API. I never saw it in a svchost before.

Does anyone have experience with this kind of malware? I do not know how to go about finding the source.
The only strange thing is that in this period the ndis.sys has changed its datestamp.

Result of netstat -b:

TCP vanassche:3569 89-149-244-30.internetserviceteam.com:3954 ESTABLISHED 2944
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP vanassche:3581 207.46.16.243:http TIME_WAIT 0
TCP vanassche:3586 65.242.27.34:http TIME_WAIT 0

Proto Lokaal adres Extern adres Status PID
TCP vanassche:4114 mail.graindealers.com:smtp SYN_SENT 2960
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP vanassche:4115 205.134.245.9:smtp SYN_SENT 2960
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

If I go deeper into the process then I find

ntkrnlpa.exe!KiUnexpectedInterrupt+0x8d
ntkrnlpa.exe!PsLookupThreadByThreadId+0x4abc
ntkrnlpa.exe!KiDeliverApc+0xb3
ntkrnlpa.exe!ZwYieldExecution+0x196c
ntkrnlpa.exe!NtWaitForSingleObject+0x9a
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
ntdll.dll!KiFastSystemCallRet
mswsock.dll+0x56e8
mswsock.dll+0x55b0
mswsock.dll+0x542d
WS2_32.dll!connect+0x53
svchost.exe+0x10acf
svchost.exe+0x10959
svchost.exe+0x1129a
svchost.exe+0x11ae5
svchost.exe+0x10f48
svchost.exe+0xc2f4
svchost.exe+0xc1ef
svchost.exe+0xad94
svchost.exe+0x1b8d3

The thread stack shows me

ntkrnlpa.exe!KiUnexpectedInterrupt+0x8d
ntkrnlpa.exe!PsLookupThreadByThreadId+0x4abc
ntkrnlpa.exe!KiDeliverApc+0xb3
ntkrnlpa.exe!ZwYieldExecution+0x196c
ntkrnlpa.exe!NtWaitForSingleObject+0x9a
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
ntdll.dll!KiFastSystemCallRet
mswsock.dll+0x56e8
mswsock.dll+0x55b0
mswsock.dll+0x542d
WS2_32.dll!connect+0x53
svchost.exe+0x10acf
svchost.exe+0x10959
svchost.exe+0x1129a
svchost.exe+0x11ae5
svchost.exe+0x10f48
svchost.exe+0xc2f4
svchost.exe+0xc1ef
svchost.exe+0xad94
svchost.exe+0x1b8d3

Stack of thread

ntkrnlpa.exe!KiUnexpectedInterrupt+0x8d
ntkrnlpa.exe!PsLookupThreadByThreadId+0x4abc
ntkrnlpa.exe!KiDeliverApc+0xb3
ntkrnlpa.exe!ZwYieldExecution+0x196c
ntkrnlpa.exe!NtWaitForSingleObject+0x38c
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
ntdll.dll!KiFastSystemCallRet
kernel32.dll!WaitForMultipleObjects+0x18
svchost.exe+0x5482
svchost.exe+0x40ae
svchost.exe+0x1b8d3
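The `netstat -b` listing above is the kind of evidence a responder wants to triage quickly: which PIDs are talking SMTP outbound, and which executable owns them. The script below is an added example written for this thread (not the poster's code): it parses the multi-line `netstat -b` layout (connection line, then the module paths, then the `[owner]` line) and groups attributable outbound SMTP connections by PID. The embedded sample is constructed, modelled on the output pasted in the thread with the same hosts and PIDs but with the wrapped `ESTAB/ISHED` line joined, since a wrapped line would not match.

```python
"""Triage helper: parse `netstat -b` output and flag processes opening outbound SMTP sessions.

Added example for this thread (not the poster's code). SAMPLE is constructed, modelled on the
output pasted above: the layout is one header line, one line per connection, then the module
paths in the call chain and the owning process in square brackets.
"""
import re
import sys
from collections import defaultdict

# Constructed sample (not the poster's raw paste): same hosts/PIDs as in the thread, unwrapped.
SAMPLE = r"""Proto Lokaal adres Extern adres Status PID
TCP vanassche:3569 89-149-244-30.internetserviceteam.com:3954 ESTABLISHED 2944
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP vanassche:3581 207.46.16.243:http TIME_WAIT 0
TCP vanassche:3586 65.242.27.34:http TIME_WAIT 0

TCP vanassche:4114 mail.graindealers.com:smtp SYN_SENT 2960
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]

TCP vanassche:4115 205.134.245.9:smtp SYN_SENT 2960
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\svchost.exe
[svchost.exe]
"""

# One connection line: proto, local host:port, remote host:port, optional state, PID.
# UDP lines carry no state column, hence the optional group. Bracketed IPv6 addresses
# are not handled by this simple pattern.
CONN_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)

# Service name or number, depending on whether netstat was run with -n.
SMTP_PORTS = {"smtp", "25", "587", "465"}


def parse_netstat_b(text):
    """Return one dict per connection, carrying the module paths and [owner] that follow it."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Proto"):   # blank separator or (repeated) column header
            continue
        m = CONN_RE.match(line)
        if m:
            proto, lhost, lport, rhost, rport, state, pid = m.groups()
            conns.append({
                "proto": proto, "local": (lhost, lport), "remote_host": rhost,
                "remote_port": rport, "state": state or "", "pid": int(pid),
                "modules": [], "owner": None,
            })
        elif conns and line.startswith("[") and line.endswith("]"):
            conns[-1]["owner"] = line[1:-1]         # e.g. [svchost.exe]
        elif conns:
            conns[-1]["modules"].append(line)       # DLL/EXE path in the call chain
    return conns


def flag_smtp_senders(conns):
    """Group attributable (PID != 0) outbound SMTP connections: {pid: (owner, [remote hosts])}."""
    found = defaultdict(lambda: [None, []])
    for c in conns:
        if c["proto"] != "TCP" or c["pid"] == 0 or c["remote_port"].lower() not in SMTP_PORTS:
            continue
        entry = found[c["pid"]]
        entry[0] = entry[0] or c["owner"]
        entry[1].append(c["remote_host"])
    return {pid: (owner, hosts) for pid, (owner, hosts) in found.items()}


def report(text):
    """Human-readable summary, returned as lines so callers can inspect them."""
    lines = []
    for pid, (owner, hosts) in sorted(flag_smtp_senders(parse_netstat_b(text)).items()):
        lines.append(f"PID {pid} ({owner or 'unknown'}) is talking SMTP to: {', '.join(hosts)}")
    return lines or ["no outbound SMTP connections found"]


if __name__ == "__main__":
    # Pipe real `netstat -b` output into the script, or run it bare to see the sample.
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(report(src)))
```

On the sample this reports PID 2960 (svchost.exe) talking SMTP to two mail servers, which is the pattern the poster saw. The `TIME_WAIT` entries with PID 0 are dropped because they cannot be attributed to a process; the module list kept on each record is what lets a responder see that the call chain runs through mswsock.dll and WS2_32.dll rather than through a mail client.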

I found the source. It was

I found the source. It was the virus.protect.c

It injected the ndis.sys driver. It also protected the file so it was prevented from being scanned. That was the main reason why no antivirus could detect it.
Also, by injecting into ndis it could bypass the firewall. Pretty advanced virus/rootkit.
Does anyone have another sample of such a kind of malware?
Does anyone have experience with or has anyone reverse engineered such kind of malware?
Does anybody know how the maker protected the file and how to break it?

Sample

Can you post a sample of that? I would really like to take a look at it.

I uploaded the infected file

I uploaded the infected ndis.sys file

MD5 9b340d0e62c3f1cf122672e52c85d51b