Sunday, September 23, 2007

SysProt AntiRootkit v1.0.0.5 Beta Released!

SysProt AntiRootkit v1.0.05 is out! This new version contains IRP Hooks detection feature and also various other improvements, bug fixes etc. IRP Hooks detection may come handy as some of the new Rootkits are utilizing this technique. One such example is Win32/Cutwail trojan, which hooks IRP_MJ_DEVICE_CONTROL of Tcpip.sys driver.

Here's an overview of SysProt AntiRootkit v1.0.0.5 features:
Hidden process detection and removal
Hidden drivers detection
SSDT Hooks detection and removal
Kernel Inline hooks detection and removal
IRP hooks detection
Sysenter Hook detection
TCP/UDP Ports Info
File System browser
Hidden Services Registry keys detection and removal


SysProt AntiRootkit can be downloaded from here.

Supported OS: Windows 2000/XP/2003

Here are some screen shots:
IRP Hooks:


SSDT Hooks:


Processes:


Hidden Services Registry keys:


Kernel Hooks:

Sunday, September 09, 2007

Nuwar's new avatar!

The ecard worm – also known as Nuwar, Storm Worm, W32/Zhelatin – has changed its strategy again. Now, the gang behind ecard worm is trying to encash the NFL fever. Here's a screenshot of the latest ecard spam mail:



As we can see, the mail claims to provide details about NFL football games. And, when we visit the link given in mail, we are presented with a fake webpage that shows schedules of NFL games. Here's a screenshot of one such webpage:



Surprisingly, there's no drive-by-download this time! But ALL hyperlinks present in that page point to a file named tracker.exe.

The file tracker.exe seems to be slightly different from the old variants (ecard.exe, video.exe etc.) and detections are poor at the time of this writing. Only 9 out of 32 AVs at VirusTotal managed to detect this malware:

File tracker.exe received on 09.08.2007 22:46:16 (CET)
CAT-QuickHeal --- (Suspicious) - DNAScan
eSafe --- Suspicious Trojan/Worm
eTrust-Vet --- Win32/Sintun.AF
F-Secure --- Tibs.gen134
Microsoft --- TrojanDropper:Win32/Nuwar.gen!avkill
Norman --- Tibs.gen134
Sophos --- Mal/Dorf-D
Sunbelt --- VIPRE.Suspicious
Webwasher-Gateway --- Win32.Malware.gen (suspicious)

Additional information
File size: 140521 bytes
MD5: 814fe2cdd86e01a5369def9cd9a13458
SHA1: 4cb7ad77d79286911b1c82c548d7f9e0dcda88d1
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


Tracker.exe, on execution, drops spooldr.exe, spooldr.sys and also patches tcpip.sys in a similar way as mentioned in a previous post here.