Most recent Cutwail/Bulknet malware discussion

Discussion in 'malware problems & news' started by fcukdat, Dec 26, 2007.

Thread Status:
Not open for further replies.
  1. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: The Storm Worm is back

    Storm or RT3 (eCard.scr)?
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Re: The Storm Worm is back

    The first symptom will be a string of "service failed to start due to the following error: the service did not respond to the start or control request in a timely fashion" errors in the system event log as services are disrupted.

    You will also start to see "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts" event log warnings.

    If you run a packet sniffer, you will see a lot of SMTP activity...
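The three symptoms nick s lists above, turned into a small triage script. This is an added example, not nick s's own tooling; the event log lines and netstat-style connection records are constructed samples, and the service-name capture and the SMTP peer threshold are assumptions.

```python
import re
# Constructed System event log export, "<level>\t<source>\t<message>" (not real captures).
EVENT_LOG = """\
Error\tService Control Manager\tThe Windows Firewall/Internet Connection Sharing (ICS) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
Error\tService Control Manager\tThe Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
Warning\tTcpip\tTCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Information\tService Control Manager\tThe Print Spooler service entered the running state.
Warning\tTcpip\tTCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
"""
# Constructed netstat-style outbound records, "<proto> <local> <remote> <state>".
CONNECTIONS = """\
TCP 192.168.1.10:1041 203.0.113.5:25 SYN_SENT
TCP 192.168.1.10:1042 198.51.100.7:25 SYN_SENT
TCP 192.168.1.10:1044 203.0.113.77:25 ESTABLISHED
TCP 192.168.1.10:1045 192.0.2.200:25 SYN_SENT
TCP 192.168.1.10:1050 192.0.2.1:80 ESTABLISHED
"""
# Message fragments quoted in the thread; the service-name capture is an assumption about SCM wording.
SERVICE_TIMEOUT = re.compile(r"The (.+?) service failed to start .* did not respond .* in a timely fashion")
TCP_LIMIT = "reached the security limit imposed on the number of concurrent TCP connect attempts"

def scan_event_log(text):
    """Return (names of services that timed out on start, count of TCP connect-limit warnings)."""
    stalled, limit_hits = [], 0
    for line in text.splitlines():
        _level, source, message = line.split("\t", 2)
        m = SERVICE_TIMEOUT.search(message)
        if m:
            stalled.append(m.group(1))
        elif source == "Tcpip" and TCP_LIMIT in message:
            limit_hits += 1
    return stalled, limit_hits

def count_smtp_peers(text, port=25):
    """Count distinct remote hosts the machine is connecting to on TCP/25 (SMTP)."""
    peers = set()
    for line in text.splitlines():
        proto, _local, remote, _state = line.split()
        host, _, rport = remote.rpartition(":")
        if proto == "TCP" and int(rport) == port:
            peers.add(host)
    return len(peers)

def triage(event_text, conn_text, min_peers=3):
    """Combine the three symptoms; any one alone is noise, all three together look like a spambot."""
    stalled, limit_hits = scan_event_log(event_text)
    peers = count_smtp_peers(conn_text)
    return {"stalled_services": stalled, "tcp_limit_warnings": limit_hits,
            "smtp_peers": peers, "suspect_spambot": bool(stalled) and limit_hits > 0 and peers >= min_peers}
```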
     

  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Re: The Storm Worm is back

    OK, so it's not actually a variant of Storm that I just tested. So I wonder what this worm is all about, is it more advanced? Does anyone have a sample?
     
  4. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    Re: The Storm Worm is back

    I have just informed PS_Dev via PM and mail about the "PS failure"....

    However, it would be nice if some of you, as Wilders Security gurus, could contact him directly, since I'm not taken much into account...



    Incidentally, I'm really annoyed about this :isay:... but I'll leave any translation of this last passage of mine in Italian to EraserHw, who is much better than me at everything...
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Re: The Storm Worm is back

    Ecard.scr

    Thanks
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: The Storm Worm is back

    Rasheed187,

    When you tested the sample in the VM, despite what your HIPS alerted you to, did you investigate whether the SSDT table had been replaced and also whether the rootkit payload had installed or not?

    Alerts are always a good thing, but whether or not they have been effective is the final proof.

    As I stated in an earlier post, both PG and SSM on separate tests were gutted, in other words they were still running but without their SSDT hooks in place they were bypassed by subsequent code execution (e.g. when ntos.exe was called down off the net and installed unchecked). The lights were on but nobody was home :ouch:

    PS: I will lob a Storm variant up on Rapidshare, but the current RK payload is not quite as interesting as RT3 ;)
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Re: The Storm Worm is back

    After denying ecard.exe to do its stuff, no hooks were replaced/wiped out, so SSM and NG both passed the test. I assume that when you deny all this, it's also not able to install the rootkit anymore (so IE won't be hidden). I'm surprised that KAV v7 (from a few months back) failed to spot all this behavior, except for the hidden IE process.

    Edit: Removed the part about IE not being able to make outbound connections, this is not true. I didn't get to see any alerts because IE already had network access. o_O
     
    Last edited: Dec 27, 2007
  8. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: The Storm Worm is back

    Rasheed187,

    Had you tested the HIPS separately or all at the same time? The reason I ask is SSM got borked for me when tested on its own o_O

    Unfortunately the truth is you will not know it is there and chugging away quite merrily unless you go digging for it, as highlighted very well in this post >>>
    https://www.wilderssecurity.com/showpost.php?p=1148801&postcount=91

    Bear in mind, here are some symptoms that are lacking, thus making this a more advanced piece of malware.
    1) No appearance in Task Manager/Process Explorer by the infection executables once live.
    2) All load entries are hidden for both the rootkit and the PWS trojan it is currently importing.
    3) No outbound alert from the software firewall (bypassed) by both the bulk mailer component and the PWS trojan.

    HiJackThis would be fully bypassed as a diagnostic tool.
    Autoruns is bypassed (even in safe mode).

    That said, a good ARK tool (GMER, RKU, IceSword) would have it all scoped out for the kill :thumb:
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Which version did you test? And to answer your question, I disabled the other HIPS (NG and KAV) when I tested SSM. Like I said before, SSM alerted me about the 2 drivers it's trying to load. Another interesting thing was that even when ecard.exe was allowed to load the driver, it could not wipe out all of SSM's hooks. And because of this, SSM still managed to spot the hidden IE process, which I could also kill. So it was nice to see that SSM can indeed spot hidden processes. :)
     
    Last edited: Dec 27, 2007
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: The Storm Worm is back

    Hi Ilya, are you talking about the Storm worm or RT3 Cutwail/Bulknet (eCard.scr)?

    Thanks
     
  11. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I just tested eCard against COMODO Firewall Pro 3.0 (Thanks for the sample fcukdat).

    Looks like COMODO took care of it, I replied no to all 5 prompts. Packet sniffer shows absolutely no traffic. Here are screenshots:
     

  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Re: The Storm Worm is back

    In fact, I checked out both and had no problems at all.
     
  13. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    Hi, nick s! (I'm Lzx32 on the PS Forum...)

    I'm nearly sure I met the driver runtime.sys in one of my tests, and PS 1.40b2 was able to catch this driver loading attempt, just like all other malware behaviour...

    Now:
    unless the runtime.sys involved in this particular sample is of a newer generation and PS is effectively not in a position to see it loading, or only release 1.40 FINAL suffers from this bug....

    Just my 2 cents....

    Have you had the chance to test a PS release prior to the final release? (e.g. 1.40b2...)


    EDIT:
    Here I have a screenshot of the test I made some time ago...
    NB: the name of the sample checked was Rootkit.Agent.GO or Troj/Agent-ELV...


    As soon as I restore my VM, I will test again.... o_O
     
    Last edited: Dec 28, 2007
  14. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi alfa1,

    I ran eCard against PS 1.40b2 and still see the same unhooking after the low level disk access alert (allowed or denied). The hooks are, again, restored after a reboot.

    Nick
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Earlier version of Cutwail/Bulknet... does it include the SSDT table replacement trick?
     
  16. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    Simply, I am morally shocked....
    I have bet a lot on PS and its development, but, at this point, who knows how many malwares ITW are able to bypass its defence?

    Perhaps the moment has truly arrived to redefine my own concept of security and to give the right weight to what is probably the strongest arm against malware, the limited user account....
    To know, in fact, that the infection process would have been blocked only via execution control is indeed too little for me, even if I am not so naive....


    PS: and to think I have always believed blindly in these solutions as the only alternative to a limited account....

    Hi, fcukdat!
    Sorry, but I am not an expert like you, so I can't succeed in giving you a right answer...
    Moreover, now I am "devastated"...
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    @AJohn

    Can you test GeSWall and EQSecure?

    Thanks
     
  18. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Hmmmmmmmmmmz

    I suppose just for you lol :D

    Edit:

    EQSecure passes, GeSWall allows enough for me to see the communications with a packet filter (I did not test GeSWall upon reboot).
     
    Last edited: Dec 29, 2007
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    eCard.scr = unauthorized executable, terminated by Anti-Executable immediately.

    AE detects over 80 executable types: .exe .sys .vxd .ocx .drv .scr .ax .x32 .tlb ... and many many more.

    Quintuple verification of each executable:
    * File Size
    * File Type
    * File Location
    * Creation Date
    * Code Sample

    http://www.faronics.com/html/AntiExec.asp
    Testimonial:
    How many security programs really deserve to be called "robust" and "intelligent" at the same time? I know only 3.
     
    Last edited: Dec 29, 2007
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Can someone send me this sample? I would like to see if it's the same one I have or a newer one.

    Thanks
     
  21. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    3.tmp at mwr marco, uploaded last Thursday.

    Heh, I lied, wrong infection, the last live one I found was here --> newyearwithlove.com
     
    Last edited: Dec 29, 2007
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Thanks, got it anyway. Same sample I already had :)
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan

    Thanks AJohn! Good news for EQS.
    Sorry, but I did not understand it fully.
     
  24. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I have tested this nasty against OA beta build 2.1.0.58. Much like Comodo, OA popped up about the creation of the netdtect.sys and runtime.sys files, and about eCard.scr trying to start the runtime.sys service and explorer.exe. I have allowed everything (isolated VM). After rebooting the infected machine, OA still had its SSDT hooks active, though it did not see the rootkit. Sorry again, I'm not in the mood to make and post the screenshots :)

    And that is to say, when I tested it with the OA AV+ version, it said eCard.scr was infected by... sorry, I have forgotten which virus.
     
    Last edited: Jan 8, 2008
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Brian has tested it against GW on my request. GW doesn't stop outbound access, as that is not its job in any way. Otherwise the malware does not harm the system and doesn't survive a reboot. It gives attack notifications as well.
     