Reformat/Reinstall/VM beaten by Ramnit.A

Sounds nasty

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=271&sid=cb0042781034ff4656769b095fb6268f

 

I'm interested in seeing how this survives a reformat and reinstall.

Maybe we should call this malware type "Cockroach" for it's survivability.

 

I don,t see any mention of surviving reformat, reinstall or VM bypass. Seems it just trashed the VM though.

 

Ran the a.exe sample provided and it didn't kill my XP VM here.

Managed to grab a dropper that I posted for checking out over at KernelMode.

 

Reread post#1 quote#2=DragonMaster Jay

Can't I still call it "Cockroach"?

 

I stand corrected.

I think he is referring to its nature of being a file infector that t can be carried over to new install( for example via an infected USB stick etc).

 

Got hold of what i believe to be a variant of this



and ran it in XP/SP2 with ShadowDefender. Tries to launch a .dll



allowed it



Uploaded ma.exe to http://virscan.org Scanner results : 28% Scanner(s) (10/36) found malware! SHA1 : 511495ce83b4fb8e7f46791f42ebeabfe0e17977

Identified as Trojan.Inject.9345 by one of the vendors, which leads to me to believe it is one of them.

No outbound attempts were made ?

Prevx detected it on opening the folder i placed it in It wasn't detected on DL by Avira, but the .dll detect on running seems to indicate what's being said on another forum, that elements of different malware have been incorporated into these files, = lazy or ?

Strangely enough, No alert etc from PG ?

Couldn't run GMER ? System locked up shortly after this and i had to do a hard reboot. After which all back to normal Bit of a disappointment really as i expected heaps of **** going on

 

As a classical HIPS, PG is weak. Can't detect low-level disk access and can't prevent loading of drivers and thus is vulnerable to MBR boot rootkits and killdisk type of trojans.

But, is insurmountable as default-deny. If it can't execute, it won't infect.

 

Shellcodes are small and mostly are download and execute types.

 

Yup. But none in the wild exists which is not of the "download and execute" type. And what would that theoretical shellcode do, terminate some security processes or format your whole drive(can be blocked by classical HIPS)?

Going back to PG, I don't think it can prevent loading of malicious dll's. So, it can be bypassed as default-deny? Unless CloneRanger will prove otherwise...

@CloneRanger: Have you tried testing this POC( -http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1308 ) on PG?

 

Got hold of 2 definate INJECT nasties and ran them seperately.



Both files attempt to load the same driver



Not a very suspicious name, Much

Didn't take it any further.

*

Addendum to my previous test.

As i was fortunate to test in SD, i was therefore able to escape any potentially serious consequences from running the nasty. So yes my comp locked up and had to do a hard reboot, but without SD i imagine others "might" have been toast. If not with that nasty, then i expect with the above 2 without AV etc definitions, or other App/s, or indeed just common sense

*

@ trismegistos

Hi, not sure about some of those Can't detects you mentioned ? Here's just one example of a block from today

Indeed

Yes i did, and then some Have a look in here - https://www.wilderssecurity.com/showthread.php?t=276994 - My tests with the POC's began from Post 106, but the whole thread is very enlightening, and Rmus and others also tested etc too

 

Indeed.

Without SD and just PG, your PC is toast already if you had executed that malware. Just a lowlevel disk access is enough to mess up the mbr/partition table if a variant does anything similar to killdisk.

I will try to skim through that thread. Thanks.