Monday, August 20, 2012

The case of the gethostbyname() exception

While analyzing a malicious bot in OllyDbg (1.10) on my Windows XP SP3 Virtual Machine, I came across an odd exception (0x000006B0) which always occured trying to step over the Windows API function "gethostbyname()". Every time OllyDbg ended up in kernel32.dll after calling RtlRaiseException() (ntdll.dll). Because a search on Google doesn't gave me any answers I decided to find the cause on my own and hopefully solve the problem.

Figure 1: gethostbyname() exception
Share:

Saturday, August 11, 2012

Dropper of kernel-mode stealer

While searching for some interesting, unknown malware samples I came across a report that took my attention (http://www.threatexpert.com/report.aspx?md5=9c0744b8119df63371b83724bafe2095).
The malware has an user-mode and a kernel-mode component and looks like a legit program at first (.sys + .inf files). By typing one of the created registry entries (NdisrdMP.ndi) into the search mask I discovered several reports of earlier (and also widely detected) versions of this family. By looking at the dates, the first uploaded sample is from year 2009, so this malware family is at least used since then.
Unfortunately I hadn‘t access to the Threatexpert database, so I contacted rkhunter from kernelmode.info if he could provide me a copy. So thanks goes to him!

This paper is about Static Analysis of the Dropper of this malware. You can find the rest of the analysis (Kernel-mode Payload + Additional Components) on rkhunters‘ Blog at http://artemonsecurity.blogspot.com/2012/07/investigation-interesting-kernel-mode.html.

Whitepaper download: http://artemonsecurity.com/research_of_unk_malware.pdf
Share: