Today let's have a peek at a spambot that uses rootkit technology to hide itself. Although most antivirus companies give the threat their own name, it's mainly known as Srizbi.

File details


Filename: win4.exe

File size: 138240 bytes
Build: 9 November 2007 1:44:37 PM
MD5: d64cc4cb8e86744aa188b821dc5f75df
SHA1: 9a2af4fd489166f5ce647463819953687d56e48d
Packers: UPX
QUOTE
AhnLab-V3 2007.11.22.1 2007.11.22 -
AntiVir 7.6.0.34 2007.11.21 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.11.21 -
Avast 4.7.1074.0 2007.11.21 -
AVG 7.5.0.503 2007.11.21 SHeur.ABZS
BitDefender 7.2 2007.11.21 -
CAT-QuickHeal 9.00 2007.11.21 -
ClamAV 0.91.2 2007.11.22 -
DrWeb 4.44.0.09170 2007.11.21 -
eSafe 7.0.15.0 2007.11.21 suspicious Trojan/Worm
eTrust-Vet 31.3.5315 2007.11.21 -
Ewido 4.0 2007.11.21 -
FileAdvisor 1 2007.11.22 -
Fortinet 3.14.0.0 2007.11.22 -
F-Prot 4.4.2.54 2007.11.22 -
F-Secure 6.70.13030.0 2007.11.22 -
Ikarus T3.1.1.12 2007.11.22 -
Kaspersky 7.0.0.125 2007.11.21 -
McAfee 5168 2007.11.21 -
Microsoft 1.3007 2007.11.22 -
NOD32v2 2677 2007.11.22 Win32/Rootkit.Agent.NDX
Norman 5.80.02 2007.11.21 -
Panda 9.0.0.4 2007.11.22 -
Prevx1 V2 2007.11.22 -
Rising 20.19.22.00 2007.11.22 -
Sophos 4.23.0 2007.11.22 -
Sunbelt 2.2.907.0 2007.11.21 -
Symantec 10 2007.11.22 -
TheHacker 6.2.9.136 2007.11.21 -
VBA32 3.12.2.5 2007.11.20 -
VirusBuster 4.3.26:9 2007.11.21 -
Webwasher-Gateway 6.0.1 2007.11.22 Trojan.Crypt.XPACK.Gen
______________________________

Filename: Aom58.sys - symavc32.sys

File size: 179200 bytes
Build: 9 November 2007 1:44:20 PM
Compiler: Borland Delphi
MD5: e6624f80cab394a407544387c6026a0b
SHA1: 7f76d910284ab225be702b84cd264c99fb4f25f9
QUOTE
AhnLab-V3 2007.11.22.1 2007.11.22 -
AntiVir 7.6.0.34 2007.11.21 TR/Rootkit.Gen
Authentium 4.93.8 2007.11.21 -
Avast 4.7.1074.0 2007.11.21 Win32:Agent-MET
AVG 7.5.0.503 2007.11.21 BackDoor.Generic9.BLR
BitDefender 7.2 2007.11.21 Trojan.Srizbi.AB
CAT-QuickHeal 9.00 2007.11.21 Rootkit.Agent.mf
ClamAV 0.91.2 2007.11.22 -
DrWeb 4.44.0.09170 2007.11.21 Trojan.Sentinel
eSafe 7.0.15.0 2007.11.21 -
eTrust-Vet 31.3.5315 2007.11.21 -
Ewido 4.0 2007.11.21 Rootkit.Agent.mq
FileAdvisor 1 2007.11.22 -
Fortinet 3.14.0.0 2007.11.22 -
F-Prot 4.4.2.54 2007.11.22 -
F-Secure 6.70.13030.0 2007.11.22 Rootkit.Win32.Agent.ok
Ikarus T3.1.1.12 2007.11.22 Rootkit.Win32.Agent.ea
Kaspersky 7.0.0.125 2007.11.21 Rootkit.Win32.Agent.ok
McAfee 5168 2007.11.21 -
Microsoft 1.3007 2007.11.22 Trojan:Win32/Srizbi.gen
NOD32v2 2677 2007.11.22 Win32/Rootkit.Agent.HU
Norman 5.80.02 2007.11.21 W32/Rootkit.AVX
Panda 9.0.0.4 2007.11.22 -
Prevx1 V2 2007.11.22 -
Rising 20.19.22.00 2007.11.22 RootKit.Win32.Agent.mq
Sophos 4.23.0 2007.11.22 Troj/RKAgen-Fam
Sunbelt 2.2.907.0 2007.11.21 -
Symantec 10 2007.11.22 Trojan.Srizbi
TheHacker 6.2.9.136 2007.11.21 -
VBA32 3.12.2.5 2007.11.20 -
VirusBuster 4.3.26:9 2007.11.21 -
Webwasher-Gateway 6.0.1 2007.11.22 Trojan.Rootkit.Gen

Visible signs


None.

Technical details


Registry changes.
  • Adds a service with a random name. The service is hidden, only the Legacy keys are visible.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58 "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000 "Class"
    Type: REG_SZ
    Data: LegacyDriver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000 "ClassGUID"
    Type: REG_SZ
    Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000 "ConfigFlags"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000 "DeviceDesc"
    Type: REG_SZ
    Data: Aom58
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000 "Legacy"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000 "Service"
    Type: REG_SZ
    Data: Aom58
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000\Control "*NewlyCreated*"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AOM58\0000\Control "ActiveService"
    Type: REG_SZ
    Data: Aom58
  • Rewrites an existing, legitimate service, also chosen at random. Names already seen: beep, AppMgmt, irenum ...
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security
  • Loads in Safe mode.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved "(Default)"
    Type: REG_SZ
    Data: Driver Group
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Reserved "(Default)"
    Type: REG_SZ
    Data: Driver Group
  • Modifies TCP/IP parameters
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "MaxUserPort"
    Type: REG_DWORD
    Data: FF, 7C, 00, 00
  • Manipulates the CrashDumpEnabled value and may delete dump files from %SystemRoot%\Minidump
    Value & Meaning
    0: Debugging information is not written to a file.
    1: Complete crash dump is written to a file.
    2: Kernel memory dump is written to a file.
    3: Small memory dump is written to a file.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl "CrashDumpEnabled"
    Old data: 00, 00, 00, 00
    New data: 03, 00, 00, 00
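An added example (mine, not code from the original post) that turns the registry observations above into a triage check: it decodes the post's "FF, 7C, 00, 00" byte notation, cross-checks LEGACY_* keys under Enum\Root against the services a normal enumeration returns, and reports the SafeBoot, MaxUserPort and CrashDumpEnabled changes. The SNAPSHOT dictionary is constructed from the values in the post; on a live host those sets would be collected with winreg.

```python
import re

# Decode a REG_DWORD written the way the post lists it ("FF, 7C, 00, 00" is little-endian).
def decode_dword(data):
    raw = bytes(int(b, 16) for b in re.split(r"[,\s]+", data.strip()) if b)
    return int.from_bytes(raw, "little")

CRASH_DUMP_MODES = {0: "no dump", 1: "complete dump", 2: "kernel memory dump", 3: "small memory dump"}

def hidden_legacy_services(enum_root_keys, visible_services):
    """Cross-view check. A LEGACY_<NAME> key under Enum\\Root is created when driver
    service <NAME> starts, so a LEGACY_ key whose Services\\<NAME> key does not show
    up in a normal enumeration means the service key is being hidden."""
    visible = {s.lower() for s in visible_services}
    return [k[7:] for k in enum_root_keys
            if k.upper().startswith("LEGACY_") and k[7:].lower() not in visible]

def triage(snapshot):
    """Run the checks over a snapshot dict and return human-readable findings."""
    findings = []
    for name in hidden_legacy_services(snapshot["enum_root"], snapshot["services"]):
        findings.append(f"hidden service: {name}")
        group = snapshot["service_groups"].get(name.lower())
        for boot in ("Minimal", "Network"):
            if group and group in snapshot["safeboot"].get(boot, []):
                findings.append(f"{name} (group '{group}') loads in SafeBoot\\{boot}")
    if "MaxUserPort" in snapshot["tcpip"]:
        findings.append(f"MaxUserPort explicitly set to {decode_dword(snapshot['tcpip']['MaxUserPort'])}")
    old, new = (decode_dword(v) for v in snapshot["crashcontrol"]["CrashDumpEnabled"])
    if old != new:
        findings.append(f"CrashDumpEnabled changed: {CRASH_DUMP_MODES[old]} -> {CRASH_DUMP_MODES[new]}")
    return findings

# Constructed snapshot reproducing the post's observations (not read from a live registry).
# Collecting it for real means enumerating these keys with winreg on the suspect host.
SNAPSHOT = {
    "enum_root": ["LEGACY_AOM58", "LEGACY_BEEP", "LEGACY_NULL"],
    "services": ["Beep", "Null", "AppMgmt", "Tcpip"],          # what normal enumeration returns
    "service_groups": {"aom58": "System Reserved"},             # Aom58@Group from the GMER raw scan
    "safeboot": {"Minimal": ["System Reserved"], "Network": ["System Reserved"]},
    "tcpip": {"MaxUserPort": "FF, 7C, 00, 00"},
    "crashcontrol": {"CrashDumpEnabled": ("00, 00, 00, 00", "03, 00, 00, 00")},
}

if __name__ == "__main__":
    for f in triage(SNAPSHOT):
        print(f)
```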
File system changes.

QUOTE
C:\WINDOWS\system32\drivers\Aom58.sys
C:\WINDOWS\system32\drivers\symavc32.sys
Those files aren't visible in Explorer; you can see them with IceSword, for example.

Notes


Random file name: YES
Random service / servicename: YES

The threat runs only in kernel mode and uses rootkit techniques to hide its files, registry keys, and network connections, as seen in the GMER scan below.
ZwEnumerateKey is hooked to hide the registry entries, and the \FileSystem\Ntfs (\Ntfs) device is hooked to hide its files. The TCP/IP network drivers are patched (PAGENDSM NDIS.sys!NdisMIndicateStatus) to completely bypass firewalls, IDS systems, and network sniffers: the firewall and Ethereal show no activity at all.

QUOTE
GMER 1.0.14.13626 - http://www.gmer.net
Rootkit scan 2007-11-22 18:15:19
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

Code \SystemRoot\System32\Drivers\Aom58.SYS ZwEnumerateKey

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwEnumerateKey 8056F76A 7 Bytes JMP F5AADF4E \SystemRoot\System32\Drivers\Aom58.SYS
PAGENDSM NDIS.sys!NdisMIndicateStatus F98B9A5F 12 Bytes [ 58, 68, 80, 91, 87, 81, 50, ... ]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs Aom58.SYS

---- Services - GMER 1.0.14 ----

Service (*** hidden *** ) [BOOT] Aom58

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Aom58
Reg HKLM\SYSTEM\CurrentControlSet\Services\Aom58@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Aom58@Tag 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Aom58@Group System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?Symantec Services?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Configuration?MS Transactions?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Aom58@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Aom58@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\Aom58
Reg HKLM\SYSTEM\ControlSet002\Services\Aom58@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\Aom58@Tag 1
Reg HKLM\SYSTEM\ControlSet002\Services\Aom58@Group System Reserved?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Encryption?FSFilter Compression?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Event Log?Streams Drivers?NDIS Wrapper?COM Infrastructure?UIGroup?LocalValidation?PlugPlay?PNP_TDI?NDIS?TDI?Symantec Services?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?AudioGroup?SmartCardGroup?NetworkProvider?RemoteValidation?NetDDEGroup?Parallel arbitrator?Extended Base?PCI Configuration?MS Transactions?
Reg HKLM\SYSTEM\ControlSet002\Services\Aom58@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\Aom58@Start 0

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\drivers\Aom58.sys 179200 bytes
File C:\WINDOWS\system32\drivers\symavc32.sys 179200 bytes

---- EOF - GMER 1.0.14 ----

Network activity


Spambot; uses port 25 (SMTP).

The trojan starts by downloading configuration files and sends spam to the IPs contained in the config files.
Since I had created a rule to block SMTP traffic in my router, I was able to log its spam activity. Below is an excerpt.
CODE
Thu, 2007-11-22 18:09:17 - TCP Packet - Source:192.168.x.x,48002 Destination:200.31.101.137,25 - SMTP rule match
Thu, 2007-11-22 18:09:17 - TCP Packet - Source:192.168.x.x,48077 Destination:193.64.27.11,25 - SMTP rule match
Thu, 2007-11-22 18:09:17 - TCP Packet - Source:192.168.x.x,48078 Destination:89.19.160.138,25 - SMTP rule match
Thu, 2007-11-22 18:09:17 - TCP Packet - Source:192.168.x.x,48079 Destination:195.121.6.51,25 - SMTP rule match
Thu, 2007-11-22 18:09:17 - TCP Packet - Source:192.168.x.x,48080 Destination:213.36.80.90,25 - SMTP rule match
Thu, 2007-11-22 18:09:17 - TCP Packet - Source:192.168.x.x,48081 Destination:61.221.67.194,25 - SMTP rule match
Thu, 2007-11-22 18:09:19 - TCP Packet - Source:192.168.x.x,48006 Destination:146.228.80.105,25 - SMTP rule match
Thu, 2007-11-22 18:09:19 - TCP Packet - Source:192.168.x.x,48005 Destination:207.97.230.2,25 - SMTP rule match
Thu, 2007-11-22 18:09:19 - TCP Packet - Source:192.168.x.x,48004 Destination:209.3.212.2,25 - SMTP rule match
Thu, 2007-11-22 18:09:19 - TCP Packet - Source:192.168.x.x,48003 Destination:144.95.32.5,25 - SMTP rule match
Thu, 2007-11-22 18:09:19 - TCP Packet - Source:192.168.x.x,48002 Destination:200.31.101.137,25 - SMTP rule match
Thu, 2007-11-22 18:09:21 - TCP Packet - Source:192.168.x.x,48081 Destination:61.221.67.194,25 - SMTP rule match
Thu, 2007-11-22 18:09:22 - TCP Packet - Source:192.168.x.x,48006 Destination:146.228.80.105,25 - SMTP rule match
Thu, 2007-11-22 18:09:22 - TCP Packet - Source:192.168.x.x,48005 Destination:207.97.230.2,25 - SMTP rule match
Thu, 2007-11-22 18:09:22 - TCP Packet - Source:192.168.x.x,48004 Destination:209.3.212.2,25 - SMTP rule match
Thu, 2007-11-22 18:09:22 - TCP Packet - Source:192.168.x.x,48003 Destination:144.95.32.5,25 - SMTP rule match
Thu, 2007-11-22 18:09:22 - TCP Packet - Source:192.168.x.x,48002 Destination:200.31.101.137,25 - SMTP rule match
Thu, 2007-11-22 18:09:24 - TCP Packet - Source:192.168.x.x,48081 Destination:61.221.67.194,25 - SMTP rule match
Thu, 2007-11-22 18:09:24 - TCP Packet - Source:192.168.x.x,48006 Destination:146.228.80.105,25 - SMTP rule match
Thu, 2007-11-22 18:09:24 - TCP Packet - Source:192.168.x.x,48005 Destination:207.97.230.2,25 - SMTP rule match
Thu, 2007-11-22 18:09:24 - TCP Packet - Source:192.168.x.x,48004 Destination:209.3.212.2,25 - SMTP rule match
Thu, 2007-11-22 18:09:24 - TCP Packet - Source:192.168.x.x,48003 Destination:144.95.32.5,25 - SMTP rule match
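As an added defender-side example (not part of the original post), a detector that reads lines in the router's log format above and flags a host fanning out to many distinct mail servers on port 25, which is what a direct-to-MX spambot looks like from the LAN side. The sample log is a constructed subset of the excerpt plus one made-up workstation and relay address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Router log line in the post's format: "<day>, <date time> - TCP Packet - Source:ip,port Destination:ip,port - ..."
LINE_RE = re.compile(
    r"^\w+, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - TCP Packet - "
    r"Source:(?P<src>[^,\s]+),(?P<sport>\d+) Destination:(?P<dst>[^,\s]+),(?P<dport>\d+)")

def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["dst"], int(m["dport"])

def smtp_fanout_alerts(lines, window_s=10, min_distinct=5):
    """Return {src: max distinct mail servers} for hosts contacting at least min_distinct
    different servers on TCP/25 inside any window_s-second window. Destinations are
    de-duplicated, so the blocked bot's retries every few seconds do not inflate the score."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == 25:
            events[src].append((ts, dst))
    alerts = {}
    for src, ev in events.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):
            seen = {d for t, d in ev[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= min_distinct:
                alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts

# Constructed sample: six lines taken from the post's excerpt plus a made-up
# workstation (192.168.0.20) that only talks to one internal relay (10.0.0.5).
SAMPLE_LOG = """\
Thu, 2007-11-22 18:09:17 - TCP Packet - Source:192.168.x.x,48002 Destination:200.31.101.137,25 - SMTP rule match
Thu, 2007-11-22 18:09:17 - TCP Packet - Source:192.168.x.x,48077 Destination:193.64.27.11,25 - SMTP rule match
Thu, 2007-11-22 18:09:17 - TCP Packet - Source:192.168.x.x,48078 Destination:89.19.160.138,25 - SMTP rule match
Thu, 2007-11-22 18:09:19 - TCP Packet - Source:192.168.x.x,48006 Destination:146.228.80.105,25 - SMTP rule match
Thu, 2007-11-22 18:09:19 - TCP Packet - Source:192.168.x.x,48005 Destination:207.97.230.2,25 - SMTP rule match
Thu, 2007-11-22 18:09:22 - TCP Packet - Source:192.168.x.x,48002 Destination:200.31.101.137,25 - SMTP rule match
Thu, 2007-11-22 18:09:30 - TCP Packet - Source:192.168.0.20,51000 Destination:10.0.0.5,25 - SMTP rule match
Thu, 2007-11-22 18:09:33 - TCP Packet - Source:192.168.0.20,51001 Destination:10.0.0.5,25 - SMTP rule match
""".splitlines()

if __name__ == "__main__":
    for host, n in smtp_fanout_alerts(SAMPLE_LOG).items():
        print(f"{host}: {n} distinct mail servers on port 25 within 10 s -> likely spambot")
```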

Offending IP


tizin.cn - 88.255.94.51

QUOTE
IP Location - Turkey - Abdallah Internet Hizmetleri
Response Code: 404
Blacklist Status: Clear
Domain Status: Registered And No Website

Domain Name: tizin.cn
ROID: 20071113s10001s14431705-cn
Domain Status: ok
Registrant Organization: 0
Registrant Name: SileticTihana
Sponsoring Registrar:
Name Server:ns1.otlili.cn
Name Server:ns2.otlili.cn
Registration Date: 2007-11-13 04:48
Expiration Date: 2008-11-13 04:48