Reformat/Reinstall/VM beaten by Ramnit.A

Discussion in 'malware problems & news' started by CloneRanger, Aug 13, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Sounds nasty :(

    http://www.kernelmode.info/forum/viewtopic.php?f=16&t=271&sid=cb0042781034ff4656769b095fb6268f
     
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I'm interested in seeing how this survives a reformat and reinstall.

    Maybe we should call this malware type "Cockroach" for its survivability.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I don't see any mention of surviving reformat, reinstall or VM bypass. Seems it just trashed the VM though.
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Ran the a.exe sample provided and it didn't kill my XP VM here.

    Managed to grab a dropper that I posted for checking out over at KernelMode.
     
  5. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Reread post#1 quote#2=DragonMaster Jay

    Can't I still call it "Cockroach"?
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I stand corrected.

    I think he is referring to its nature of being a file infector that can be carried over to a new install (for example via an infected USB stick etc.).
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Got hold of what I believe to be a variant of this ;)

    [screenshot: ma.gif]

    and ran it in XP/SP2 with ShadowDefender. Tries to launch a .dll

    [screenshot: peg11.gif]

    allowed it

    [screenshot: av1.gif]

    Uploaded ma.exe to http://virscan.org. Scanner results: 28% Scanner(s) (10/36) found malware! SHA1: 511495ce83b4fb8e7f46791f42ebeabfe0e17977

    Identified as Trojan.Inject.9345 by one of the vendors, which leads me to believe it is one of them.

    No outbound attempts were made ?

    Prevx detected it on opening the folder I placed it in :thumb: It wasn't detected on DL by Avira, but the .dll detect on running seems to indicate what's being said on another forum, that elements of different malware have been incorporated into these files, = lazy or ?

    Strangely enough, no alert etc. from PG ?

    Couldn't run GMER ? System locked up shortly after this and I had to do a hard reboot. After which all back to normal :) Bit of a disappointment really as I expected heaps of **** going on :D
     
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    As a classical HIPS, PG is weak. Can't detect low-level disk access and can't prevent loading of drivers and thus is vulnerable to MBR boot rootkits and killdisk type of trojans.

    But it is insurmountable as default-deny. If it can't execute, it won't infect. :)
     
  9. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Shellcodes are small and mostly are download and execute types.
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Yup. But none in the wild exists which is not of the "download and execute" type. And what would that theoretical shellcode do, terminate some security processes or format your whole drive (can be blocked by classical HIPS)?

    Going back to PG, I don't think it can prevent loading of malicious dll's. So, it can be bypassed as default-deny? Unless CloneRanger will prove otherwise...

    @CloneRanger: Have you tried testing this POC (-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1308) on PG?
     
    Last edited: Aug 15, 2010
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Got hold of 2 definite INJECT nasties and ran them separately.

    [screenshot: a-l.gif]

    Both files attempt to load the same driver

    [screenshot: smith.gif]

    Not a very suspicious name, much :D

    Didn't take it any further.

    *

    Addendum to my previous test.

    As I was fortunate to test in SD, I was therefore able to escape any potentially serious consequences from running the nasty. So yes my comp locked up and had to do a hard reboot, but without SD I imagine others "might" have been toast. If not with that nasty, then I expect with the above 2 without AV etc. definitions, or other App/s, or indeed just common sense ;)

    *

    @ trismegistos

    Hi, not sure about some of those "Can't detects" you mentioned? Here's just one example of a block from today

    [screenshot: driv.gif]

    Indeed :thumb:

    Yes I did, and then some :D Have a look in here - https://www.wilderssecurity.com/showthread.php?t=276994 - My tests with the POCs began from Post 106, but the whole thread is very enlightening, and Rmus and others also tested etc. too :thumb:
     
  12. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Indeed.

    Without SD and just PG, your PC is toast already if you had executed that malware. Just a low-level disk access is enough to mess up the MBR/partition table if a variant does anything similar to killdisk.

    I will try to skim through that thread. Thanks. :)
     
    Last edited: Aug 15, 2010
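The killdisk-style damage trismegistos describes in posts 8 and 12 (raw disk writes that wipe or rewrite the MBR and partition table) can be checked for after the fact from a sector image. The following is an added example, not code from this thread or from any of the products discussed: it parses a 512-byte MBR, flags a missing boot signature, an empty or self-overlapping partition table, and a mismatch against a recorded baseline hash. The sample sectors are constructed inline; on a real system you would feed it the first sector of the disk or a forensic image.

```python
import hashlib
import struct
from itertools import combinations

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
TABLE_OFFSET = 446  # partition table starts after the 446-byte bootstrap area

def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte entries of a classic MBR partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def check_mbr(mbr: bytes, baseline_sha1: str = None) -> list:
    """Return findings suggesting the MBR was wiped or rewritten (empty = intact)."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    used = [e for e in parse_partition_table(mbr) if e["type"] != 0]
    if not used:
        findings.append("partition table has no entries")
    for a, b in combinations(used, 2):
        # two in-use entries whose LBA ranges intersect cannot both be valid
        if a["lba_start"] < b["lba_start"] + b["sectors"] and \
           b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append("partition entries overlap")
            break
    if baseline_sha1 and hashlib.sha1(mbr).hexdigest() != baseline_sha1:
        findings.append("sector differs from recorded baseline")
    return findings

def make_sample_mbr(entries=((0x80, 0x07, 63, 1_000_000),)) -> bytes:
    """Build a constructed 512-byte MBR image (bootstrap code left zeroed)."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\x00") + BOOT_SIG

# Constructed inputs: a healthy sector and the same sector after a zero-fill.
HEALTHY = make_sample_mbr()
WIPED = bytes(SECTOR)
BASELINE = hashlib.sha1(HEALTHY).hexdigest()  # record this while the disk is known-good
```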