Full Disclosure mailing list archives

Re: unknown windows rootkit


From: "Elia Florio" <eflorio () edmaster it>
Date: Mon, 21 Nov 2005 12:11:13 +0200

It's a rootkit installed by Spyware.Apropos.C variant.
http://securityresponse.symantec.com/avcenter/venc/data/spyware.apropos.c.html

It comes from a big bundle installer (typically 1.5 MB)
that installs the spyware itself and its rootkit components.
All the files (the downloader, the installer, the DLL) are
encrypted with a small poly-packer (every downloaded sample
looks different from the others).

The program installs itself inside %ProgramFiles% and %System% and generates
its names using standard legitimate names taken from existing programs
(e.g. usb42prt.sys, volmndis.sys, amdrxdav.sys).

The SYS file (12 KB) is not a HackDefender strain, because the rootkit
itself is protected with a VM layer: basically there is an instruction
controller that executes the program flow in a specific instruction order,
like a kind of virtual machine. In this way it's possible to generate a SYS
driver that looks different each time, changing the block order of
instructions (if you compare the rootkit files installed by different samples of
the spyware, they are different). Inside the rootkit there's a static string
"Core. by Zufyxe".

The rootkit hooks "NdisAllocatePacket()" in KiServiceTable to
intercept network traffic and uses one of the DLLs for inline
hooking of registry/file APIs, hiding itself completely.
If you boot in safe mode the rootkit does not work;
try to search for the spyware registry section

HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME USED BY SPYWARE]

and you will find all the installed files on the system
(the SYS driver is configurable and is programmed to start
some executables at boot).

EF

________________________________________________
Message sent from
Edizioni Master Webmail
http://mbox.edmaster.it

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
