Skip navigation.
Home

Research

Wandering Through Trojan.NtRootKit.47 Driver

|

Wandering Through Trojan.NtRootKit.47 Driver
Author: ocean

Introduction

I didn’t have the dropper at the moment of writing this, only the driver. Without the dropper we can only get a generic idea of what the driver is used for. The driver has been reverse engineered by deadlist, a really irritating thing to do actually, but it can be useful to see the generic structure of a typical driver.

It’s a driver with dll functionality. Erssd shows us that the driver is produced by ErrorSafe, a fake-av (scareware) company. Seems like there are no rootkit functionality in this driver, while only a few zw* functions are exposed to the dropper, through the use of IOCTLS, though we can’t know how this is used without access to the dropper.

Driver entry point:
driver entry point graph
Simple start structure, a Device is created with name “erssdd” and linked with a Dosdevice with the same name, next every PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION+1] will be written to point to a general IRP_dispatch procedure. Also a driver unload routine is set.

.text:000113EA push 1Ch ; IRP_MJ_MAXIMUM_FUNCTION+1
.text:000113EC lea edi, [ebx+38h]
.text:000113EF pop ecx
.text:000113F0 mov eax, offset irp_dispatch
.text:000113F5 rep stosd

.text:000113F7 mov dword ptr [ebx+34h], offset unload

unload procedure is pretty simple too

.text:0001133A unload:
.text:0001133A cmp Handle, 0
.text:00011341 jz short loc_1134A
.text:00011343 push 0
.text:00011345 call close_handle
.text:0001134A
.text:0001134A loc_1134A:
.text:0001134A push offset DestinationString
.text:0001134F call ds:IoDeleteSymbolicLink
.text:00011355 push DeviceObject
.text:0001135B call ds:IoDeleteDevice
.text:00011361 retn 4

it will just check if there’s and object handle open and close it (inside function close_handle there’s a call to
ZwClose).

now the irp dispatcher procedure :)

T-IFRAMER. Kit for the injection of malware In-the-Wild

| |

T-IFRAMER is a package that allows you to automate, centralize and manage via http the spread of malicious code via code injection sites violated viral techniques using iframe, and feed a botnet. We then see a screen capture of authentication.

While there is a complex kit allows computer criminals manage the spread of malware via the http protocol type attacks using Drive-by-Download and Drive-by-Injection by inserting iframe tags in web pages violated.

The four key modules: Stats, Manager, Iframes and Injector, and each has the main function to optimize the spread of malware.

The first one (Stats) to manage FTP accounts violated having control over them with the ability to upload files. Thus begins one of the cycles of propagation of malicious code.

Looking for SEO attack PHP

|

Hello,

I'm looking for the PHP used in SEO attacks like [http://hatworship.com/lum8er/781.php?id=free+printable+mystery+party] for some research. Any help would be much appreciated.

Thank you in advance!

ZeuS and power Botnet zombie recruitment

| |

As I have said on several occasions, ZeuS botnets is one of the more "media" (hence one of the best known and popular), more aggressive and criminal activity that has more advanced functions that allow phishing attacks, monitor the zombies in real time and collect all this information through different protocols.

List of polymorphic virus family names needed

|

Hi Friends,

Can someone provide list of all known polymorphic virus names apart from the following:

Virut
Xpaj
Sality
Bayan
Pinfi

Regards,
VLD.

gzip encoded PDF with IE 6.0

|

Hi,

Does any one know if there is some issue in IE 6.0 while opening a PDF file (specially a malicious one) if it is gzip encoded?

If there is an issue, did Microsoft made patch for it or it was just fixed in IE 7.0?

OSSS: Security Suite. Fourth public beta (Vista support)

| |

For the recent six weeks we have implemented a number of new functions.

The first one to mention is automatic customization of rules via Security Master already at the program installation stage.

Starting with version v1.1, search for software in use is performed during the OSSS installation, whereupon the accumulated data are analyzed on our server and the set of rules for the detected applications is generated automatically.

SSDT rootkits

|

Hi guys,
I am doing some R&D on SSDT rootkits. Can you plz help me in finding such rootkits?
Tell me any site or provide me some samples.

Thanks

TROJ_FFSEARCH

|

Anyone willing to share FFSEARCH sample? And how hard is it for removing/analyse

Blackhat USA 2009: Reverse Engineering by Crayon

My Blackhat talk is over and I think things went really well. As promised here is the latest information on the slides. To be able to use VERA you will need to follow the installation instructions from the Ether project. Thanks again to everyone who attended and thank you for all the great questions.

VERA Info and Download Page
Reverse Engineering by Crayon Slides from the Blackhat talk.

If you're going to try and use Ether (which you definitely should) make sure you run Debian Sarge (or Etch or Lenny) with a 64-bit installation. From there the installation instructions from the Ether site should be all you need.

Read more for usage instructions.

Syndicate content