#1
I have Deep Freeze and to make sure the trojan is gone when I reboot, and AppDefend/RegDefend to see what it does on a general level. I have come across a problem I can't seem to figure out how to get around and was hoping someone could help me. I plan to do some side work for friends and associates cleaning malware from computers. I thought maybe I could use the XP recovery console to replace an entire folder such as system32, which I see now was ignorant of me to assume, as this recovery console is only for recovery and not at all for repair.

I have come across a trojan from the upload section of governmentsecurity.org that immediately kills Sygate and gains full ownership, in the sense that anything you do through Windows Explorer (which in essence is anything, period, on Windows) is run through this trojan, it being the parent process executing everything. This means that all calls to any program are executed through this program, which explains why it cannot be detected even with the best trojan or other malware removal programs, even run from read-only removable media: once you attempt to execute it on your system it is always executed with this trojan being the parent process somehow. So I can rename the value of it in the registry and kill the process, but it creates a different strand of itself which is an MS-DOS program with the same name which won't allow you to delete it through regular means, and even if you can boot into safe mode and clean up, guess what: once you delete the initial file in the system32 folder, anything you attempt to run on your computer that normally would just run now asks what program you would like to open it with, meaning you have basically lost all functionality on any program. So I am wanting to know if there are any other suggested methods short of re-formatting and re-installing Windows in case I come up against this sort of sophistication on a client's computer.

The name of the trojan is isyst32win.exe and I can say it is on the 3rd page of the trojan/virus upload section of the governmentsecurity.org forum under the title "mallware", and it says it is undetected by Nod32, which comes as no surprise; it also is undetected by almost everything else, as you will see:

I think infected from P2P. Found in: %systemroot%\system32\isyst32win.exe. Startup Method: Reg - Shell\Open (like sub7 & hidden to msconfig). Command Line: iwinsyst32.exe PASS "%1" %*. AntiVirus: nod32. AV Detected: Not yet but submitted (it may be packed). Solution: open regedit.exe then find iwinsyst32.exe PASS "%1" %* and change it to "%1" %*. Attached File(s): isyst32win.zip (606.33k), Number of downloads: 98.

320X, Nov 9 2005, 01:11 AM (Post #2): It seems packed with Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]

320X, Nov 9 2005, 01:26 AM (Post #3): AntiVir: Backdoor-Server/Small.18.L; ArcaVir: nothing; Avast: nothing; AVG Antivirus: BackDoor.Small.18.L; BitDefender: nothing; ClamAV: nothing; Dr.Web: nothing; F-Prot Antivirus: W32/Backdoor.BGY; Fortinet: W32/OptixPro.L-bdr; Kaspersky Anti-Virus: nothing; NOD32: nothing; Norman Virus Control: nothing; UNA: Backdoor.Optix.Pro.13; VBA32: Backdoor.Win32.Optix.Pro.13

kbnet, Nov 9 2005, 04:03 AM (Post #4): Have you noticed that it's contacting: http://xx004.netfirms.com/cgi-bin/x3.cgi?action=log&ip=[...-...-...-...]&port=4455&id=SQLinject&win=repclient1&rpass=mex&connection=Optix_Pro_v1.33&s7pass=14567 "[...-...-...-...]" - This was my IP address, just blanked it out. I will look into this in a bit! Intriguing. It's packed with Armadillo ver 2.

LittleHacker, Nov 9 2005, 04:48 AM (Post #5): That's exactly right kbnet. Just a few days ago I found a file in system32 with the same icon that was listening on port 4455 and had a startup method Reg:HKLM/Run. I killed the process and cleaned it from the reg but it seems to rise again. So it may have had a 2nd process/thread that checks itself; it may be a polymorphic trojan ... btw I'm interested in how you determine the packer. I thought just crackers can do it. It seems there is a tool for it ...

kbnet, Nov 9 2005, 05:18 AM (Post #6): You don't need a tool to tell you what a file is packed with - although it can help. I determined it was Armadillo by quickly looking at the strings; I just opened the file in IDA. Here are the run keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\erg45htree and HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\erg45htree. Quoting "it may be a polymorphic trojan ...": Very unlikely bud - what makes you say that anyway? Quoting "I thought just crackers can do it.": Not at all m8. Did you know it also makes 2 copies of itself: /windows/system32/isyst32win.exe and /windows/system32/msdoswinsyst32.exe

ash^, Nov 9 2005, 08:57 AM (Post #7): Quoting LittleHacker (Nov 9 2005, 09:48 AM): "btw I'm interested in how you determine the packer. I thought just crackers can do it. It seems there is a tool for it ..." Get a tool called PEiD; I think the website is hxxp://peid.tk. It's a nifty tool.

lobas, Nov 9 2005, 01:33 PM (Post #8): You can actually bypass PEiD easily-ish, and NOD if you have NOD32 detects APIs; erm, you can fool them with NOP loops, PEiD changing EP RVA base, image base etc.. -------------------- http://lobas.info

kbnet, Nov 10 2005, 01:55 AM (Post #9): Quoting lobas: "You can actually bypass PEiD easily-ish, and NOD if you have NOD32 detects APIs; erm, you can fool them with NOP loops, PEiD changing EP RVA base, image base etc.." Do you have any more info on this?

the_mul3, Nov 13 2005, 02:53 PM (Post #10): Quoting ash^ (Nov 9 2005, 01:57 PM), who quoted LittleHacker (Nov 9 2005, 09:48 AM) on how to determine the packer: "Get a tool called PEiD; I think the website is hxxp://peid.tk. It's a nifty tool." While you're there check the forums for the custom packer sigs too. AFAIK there are no polymorphic trojans, only partly polymorphs like mosucker and cia. Donald Dick is the closest to a real polymorph, but only its dropper is that; the installed server is not.

aiO, Nov 13 2005, 03:29 PM (Post #11): Quoting LittleHacker (Nov 9 2005, 09:48 AM): "That's exactly right kbnet. Just a few days ago I found a file in system32 with the same icon that was listening on port 4455 and had a startup method Reg:HKLM/Run. I killed the process and cleaned it from the reg but it seems to rise again. So it may have had a 2nd process/thread that checks itself; it may be a polymorphic trojan ... btw I'm interested in how you determine the packer. I thought just crackers can do it. It seems there is a tool for it ..." lol, I don't get how a hacker gets owned by something like this.

the_mul3, Nov 14 2005, 11:51 AM (Post #12): Quoting aiO (Nov 13 2005, 08:29 PM): "lol, I don't get how a hacker gets owned by something like this" I know, it's called social engineering.

LittleHacker, Nov 15 2005, 05:19 AM (Post #13): Quoting kbnet (Nov 9 2005, 11:18 AM): "You don't need a tool to tell you what a file is packed with - although it can help. I determined it was Armadillo by quickly looking at the strings; I just opened the file in IDA." Thanks, good hint! I sometimes use edit.com but IDA and maybe OllyDbg are better. Quoting kbnet: "Here are the run keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\erg45htree HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\erg45htree" Run again and you may find something other than this. Quoting kbnet: "Very unlikely bud - what makes you say that anyway?" As I said, different startup methods is clear, but I don't know ... Quoting kbnet: "Did you know it also makes 2 copies of itself: /windows/system32/isyst32win.exe /windows/system32/msdoswinsyst32.exe" Yes, I've found it before ...

fearstriker2, Nov 28 2005, 11:27 PM (Post #14): lol, it's packed with Morphine and I got: File: isyst32.exe. Status: INFECTED/MALWARE. MD5 6b99d283653570c5cae58586b890ad69. Packers detected: PE_PATCH.MORPHINE, MORPHINE, ARMADILLO. Scanner results: AntiVir: Packer/Morphine; ArcaVir: nothing; Avast: nothing; AVG Antivirus: BackDoor.Small.18.L; BitDefender: Backdoor.Optix.H; ClamAV: nothing; Dr.Web: BackDoor.Optix.13; F-Prot Antivirus: nothing; Fortinet: nothing; Kaspersky Anti-Virus: Backdoor.Win32.Optix.Pro.s; NOD32: Win32/Optix.Pro.S; Norman Virus Control: nothing; UNA: nothing; VBA32: Backdoor.Win32.Optix.Pro.13. Now it's detected by Nod32..lol. This post has been edited by fearstriker: Nov 28 2005, 11:34 PM

Little_Dice, Nov 29 2005, 01:35 AM (Post #15): I'm a little new at this but very interested. 1. How did you find the process and know it was a virus? 2. How did you find the registry keys? 3. How did you know it was sending information to that website?

Last edited by ronjor: July 6th, 2006 at 08:46 AM. Reason: Adjust width of post
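The startup method the quoted post describes (the exefile shell\open\command value rewritten from "%1" %* to iwinsyst32.exe PASS "%1" %*) is straightforward to audit. The script below is an added example, not code from either forum: the function names are mine, the sample command string is constructed, and reading the live key assumes a Windows host.

```python
"""Audit the exefile shell\\open\\command value for a launcher hijack.

Added example (not from the thread). Windows runs every .exe through
HKCR\\exefile\\shell\\open\\command, whose default is '"%1" %*'. Anything
prepended to it becomes the parent of every EXE launched from Explorer,
which is the behaviour the quoted post describes. Sample values are constructed.
"""
import re
import sys

DEFAULT_EXEFILE_CMD = '"%1" %*'
EXEFILE_SUBKEY = r"exefile\shell\open\command"


def audit_exefile_command(value: str) -> dict:
    """Classify one shell\\open\\command string (pure function, runs anywhere)."""
    normalized = " ".join(value.split())
    if normalized == DEFAULT_EXEFILE_CMD:
        return {"hijacked": False, "wrapper": None, "value": normalized}
    # Whatever precedes the %1 placeholder is the program wrapping every launch.
    match = re.search(r'"?%1"?', normalized)
    wrapper = normalized[:match.start()].strip() if match else normalized
    return {"hijacked": True, "wrapper": wrapper or None, "value": normalized}


def read_live_exefile_command():
    """Read the live value on Windows; returns None on any other platform."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # Windows-only module, hence the local import
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, EXEFILE_SUBKEY) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


def restore_reg_text() -> str:
    """Text of a .reg file that puts the default value back.

    Import it before deleting the wrapper executable: once the key points at a
    file that no longer exists, every EXE launch prompts for a program to open
    it with, which is exactly the failure the original post ran into.
    """
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n"
            '@="\\"%1\\" %*"\r\n')


if __name__ == "__main__":
    live = read_live_exefile_command()
    sample = live if live is not None else 'iwinsyst32.exe PASS "%1" %*'  # constructed
    print(audit_exefile_command(sample))
```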
#2
Very interesting and very, very scary - at least for me.
What happens if you get it while in a sandbox?
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,
#3
Have not tested inside a sandbox, but this program has a way of gaining full ownership and killing a firewall such as Sygate in less than 20 seconds of execution, and replicating itself also as an MS-DOS program. The only way I could keep it from doing anything it wanted to, like accessing its server, was with the high-quality low-level protection that AppDefend/RegDefend provides. If you are curious though you should try with Deep Freeze using your sandbox; I will try. What sandbox are you referring to? I would disconnect from the internet though before executing if you don't have AppDefend/RegDefend on your PC, because I have yet to believe there is a program exactly as efficient in every way. But let me know what sandbox to try and I will. I would really like to know how to get rid of it the most though.
#4
I would like to try myself but I am very inexperienced. I am using GesWall, so I will be excited to see how good GesWall is in this regard.
It will in fact be nice to play with it with Sandboxie, DefenceWall and BufferZone. I just want to see the real efficacy of these programmes. I will be thankful if you can test. It's too scary, by the way. I wonder who has invented it?
#5
I tested in a Sandboxie environment and it does absolutely nothing. The problem with this though is that you never know what it attempted to do; I mean when I say it did nothing I mean absolutely nothing. You never would know of its intentions or anything. I mean, how will you know what programs to run out of this Sandboxie when a known nasty has been run in it and it tells you nothing about what it attempts to do? BufferZone requires a reboot to work properly, correct? Nothing survives a reboot with Deep Freeze so I cannot tell you about this program. I experienced strange behavior with this DefenceWall, like too much trying to contact its server and other things in the past, but nonetheless I will try them, even though neither are now listed on majorgeeks. I will maybe still do this tonight. I have yet to receive an answer on removal of this nasty if I encounter it on someone's PC that it already infiltrates. Please, someone, anyone, for removal suggestions based on the info I supplied at the beginning of this post.
#6
http://www.gentlesecurity.com/
http://www.sandboxie.com/
http://www.softsphere.com/
All are trustable to me; the DefenceWall writer is a member here as well. Sandboxie is free and has a really nice forum as well, and GeSWall support is also very responsive. Sandboxie especially has a unique feature that it keeps all sandboxed things in a separate portion (virtual?) and all the contents of this sandbox can be deleted with a few clicks (a real nice feature that is absent in GesWall and DefenceWall - actually they work in a different way I think). Thanks.
#7
So any updates?
#8
Like I had stated earlier, this Sandboxie apparently prevents the trojan from doing anything, but it never lets you know what the trojan attempted to do, so you never know what is a malicious program or not inside this Sandboxie; only once you run it outside will you know, and it is not detected by all but a couple of antivirus. To tell you the truth, if something gains full ownership and becomes the parent process to everything, then how would you overcome this with even the most sophisticated malware detection/removal program? Answer: you don't. So I am going to do some toying around with some more nasties today; I might post some info.
#9
#10
What is this CW sandbox?
#11
In that case, can you please upload it to Jotti and VirusTotal and post the results here, as many people will be interested to see the results. Thanks.
#12
#13
I'm sorry, I have been busy playing with something even worse than this trojan. I also believe I figured out a way to entirely replace the system32 folder on a computer whose system32 folder doesn't even have some of the same DLLs and other applications and drivers in it as the other, uninfected computer which I take a copy of the system32 folder from. This is a breakthrough for me, as this folder is where, from what I can see, almost all malware, no matter what its caliber, has to drop its main components (usually DLLs, sometimes EXEs). This can mean I can fix a system and tie up any complications from incompatibility because of differences in these folders without having to re-install XP on a customer's computer who does not have a restore CD, built-in restore or the XP CD, if you know what I mean. (I cannot write what has to be done if all this criteria is unfortunately met.) It is nearly impossible to completely clean some of this stuff I am coming across lately; it's like it has evolved recently, it's like a horror movie. That's the only way I know how to describe it. I see that the way to take a huge swing at this new stuff floating around is to do this with the system32 folder, and then work your way around finding anything anywhere else it has dropped itself. I only have to separately deal with the SAM file and some event logs; of course this can be done. Anyway, I was reprimanded for posting the entire page of another website, and I think for what administration I guess deemed as too lengthy of an explanation that was quoted from this site (governmentsecurity.org). So I will be back and explain this newest trojan, which seems to use Windows native API calls (I am too much of a newbie to explain right this second), which I have only seen in rootkit technologies until now.
#14
So it is not possible to upload it to Jotti or VirusTotal? It would be good for antivirus vendors as well.
#15
Hello,
Why don't you do it the usual way:
Clean temporary files / cookies.
Boot in safe and normal mode and repeat the steps below.
Scan with several anti-virus programs.
Scan with several anti-spyware programs.
Scan with several anti-trojan programs.
Post a HijackThis log in a forum and ask for help.
Are you really infected or just playing with malware?
Mrk
__________________
http://www.dedoimedo.com All your base are belong to us Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA