Anti-Malware Laboratory

Yet Another Malware Blog

Monday, November 11, 2013

CIDOX Bootkit

Posted on Monday, November 11, 2013 by Unknown | No comments
Bootkits have grown in use in recent years and have become an annoyance and a source of frustration for many computer users. A bootkit, strictly speaking, is a set of programs that loads itself before the operating system does. This gives it a flexible means to hide its activities or to modify key components that are normally not accessible. By modifying the initial boot loader of the hard drive, it can evade detection by most traditional AV products and perform kernel-level operations that are not available to user-level programs. For these reasons bootkits are generally hard to remove: cleanup requires an extensive study of how to restore the original MBR or partition boot record.
Such is the case with Cidox.

This malware initially arrives as a single downloaded executable file, whether via drive-by download, an exploit or any other possible means. It carries within itself the vital components needed to infiltrate and compromise the system. Excluding the dropper, its tools are the boot loader (bootkit), the rootkit drivers (w32/w64), the shutdown file and the attribute modifier.

[Figure: Cidox in the middle]

The main purpose of this malware is to intercept, modify and gather information on the search requests made by the unsuspecting user. By modifying the volume boot record of an NTFS drive, it loads its rootkit, which in turn loads and sets up a library that monitors specific browsers and redirects their queries to a remote location. It has the capability to modify a web page as seen by the user in the browser. It has also been reported that the same technique is used to hold the system to ransom, tricking the user into believing they must pay a sum of money to remove an infection from their system.

[Figure: Browsers monitored by Cidox]

The following section describes in technical detail what each Cidox component does.


DROPPER

Upon execution, it performs the following actions to install the components, in this order:
  • Check the Windows version
  • Copy the w32 or w64 version of the rootkit into memory
  • Write it directly to the hard drive
  • Modify the boot loader of the hard drive to load the written rootkit
  • Create and execute a small file that forces a restart of the system
  • Modify attributes and delete itself

[Figure: Overview of dropper]


This executable employs anti-debugging tricks to avoid being emulated and analyzed. For one, it uses the classic large, almost infinite loop that does nothing; most emulators give up on such loops because of engine performance limits. In conjunction with that trick, it uses the GetTickCount API to detect whether it is being debugged (a debugged run takes far longer between two calls) and, if so, overwrites the first few bytes of its main function so that execution does not continue. This is easily defeated by bypassing the check or modifying the registers in a debugger.

[Figure: Overwriting of the function if it assumes it is being debugged]

Instead of decrypting parts of itself in place, the dropper allocates memory several times, decrypts into those regions and transfers execution to them. It evidently uses this jumping technique to make it harder for third-party tools to dump Cidox from memory.

[Figure: Passing of execution]

Cidox carries two versions of the rootkit driver within itself and chooses one depending on the Windows version of the infected system. It performs some checks to determine whether the platform is 32-bit or 64-bit, saves the result in a memory location, and "drops" the file by writing it directly to a free sector of the hard disk.

[Figure: Rootkit driver written to a free sector]

At this point, it prepares to write directly to the hard disk by opening the raw disk device. It saves the original volume boot record to a random sector on the first disk, then writes the malicious boot loader directly over the original.

[Figure: Uses ZwCreateFile to open and read/write directly to the hard disk]

Finally, it creates and executes a small file whose sole purpose is to force a restart of the system. Immediately after this, it creates a batch file that changes attributes and deletes the small shutdown file.




BOOT LOADER

Cidox modifies the sector containing the active volume boot record of an NTFS partition in order to load its rootkit. Once the malicious boot code executes, it reads the malicious rootkit driver file from the disk, transfers execution to it, and then resumes the normal boot sequence.

[Figure: Clean and infected copy of the w32 infected partition]

The original program loader is encrypted at the end of the malicious boot loader. After loading the malicious rootkit driver, the original loader will be decrypted and Cidox will pass execution to it to resume normal boot operations. Below is a copy of the malicious program loader and the highlighted hex bytes are the encrypted original loader.

[Figure: Highlighted is the encrypted loader]

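A defender looking for this kind of tampering can compare the boot code of a volume's VBR against a trusted copy rather than scanning files. The following is an added example, not code from the original post or from any Cidox sample: it parses the NTFS BIOS parameter block, hashes the 426-byte boot code region and compares it with a baseline (which in practice can come from the backup boot sector NTFS keeps in the last sector of the volume, or from a known-clean image of the same Windows build). Because the post observes that the original loader is stored encrypted at the end of the malicious boot code, the check also applies an entropy heuristic to the tail of the boot code. The two VBRs it runs on are constructed test data, and the field values in them (volume serial, $MFT location, and so on) are made up for the example.

```python
"""Check an NTFS volume boot record (VBR) for a replaced boot loader.

Added example: an NTFS VBR is one 512-byte sector whose BIOS parameter block
occupies bytes 0x00-0x53, whose boot code occupies bytes 0x54-0x1FD and which
ends with the 0x55AA signature. The sample VBRs below are constructed.
"""
import hashlib
import math
import struct

SECTOR_SIZE = 512
BOOT_CODE_OFFSET = 0x54
SIGNATURE_OFFSET = 0x1FE
BOOT_CODE_SIZE = SIGNATURE_OFFSET - BOOT_CODE_OFFSET   # 426 bytes
TAIL_WINDOW = 256          # bytes of boot code inspected by the entropy heuristic
TAIL_ENTROPY_LIMIT = 6.0   # bits/byte; a clean loader's tail is text and zero padding


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Validate the sector and return the BPB fields worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS VBR (OEM ID mismatch)")
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster, mft_mirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    (serial,) = struct.unpack_from("<Q", sector, 0x48)
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors, "mft_cluster": mft_cluster,
            "mft_mirr_cluster": mft_mirr_cluster, "volume_serial": serial}


def boot_code(sector: bytes) -> bytes:
    return sector[BOOT_CODE_OFFSET:SIGNATURE_OFFSET]


def boot_code_sha256(sector: bytes) -> str:
    return hashlib.sha256(boot_code(sector)).hexdigest()


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_vbr(sector: bytes, baseline_sha256: str) -> dict:
    """Compare a VBR's boot code with a trusted baseline hash and a tail-entropy heuristic."""
    info = parse_ntfs_vbr(sector)
    findings = []
    actual = boot_code_sha256(sector)
    if actual != baseline_sha256:
        findings.append("boot code differs from trusted baseline")
    tail_entropy = shannon_entropy(boot_code(sector)[-TAIL_WINDOW:])
    if tail_entropy > TAIL_ENTROPY_LIMIT:
        # An encrypted copy of the original loader appended to the boot code shows up as a high-entropy tail.
        findings.append("high-entropy tail in boot code (possible encrypted payload)")
    return {"tampered": bool(findings), "findings": findings, "boot_code_sha256": actual,
            "tail_entropy": round(tail_entropy, 2), **info}


def build_sample_vbr(code: bytes) -> bytes:
    """Assemble a constructed NTFS VBR around the given 426-byte boot code (test data, not a disk image)."""
    if len(code) != BOOT_CODE_SIZE:
        raise ValueError(f"boot code must be {BOOT_CODE_SIZE} bytes")
    bpb = bytearray(BOOT_CODE_OFFSET)
    bpb[0:3] = b"\xeb\x52\x90"                       # jmp short + nop
    bpb[3:11] = b"NTFS    "
    struct.pack_into("<HB", bpb, 0x0B, 512, 8)       # bytes/sector, sectors/cluster
    bpb[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<HH", bpb, 0x18, 63, 255)      # sectors/track, heads
    struct.pack_into("<I", bpb, 0x1C, 2048)          # hidden sectors
    struct.pack_into("<QQQ", bpb, 0x28, 0x1F3FFFFF, 0x40000, 0x2)  # total sectors, $MFT, $MFTMirr
    bpb[0x40] = 0xF6                                 # clusters per file record (-10 -> 1024 bytes)
    bpb[0x44] = 0x01                                 # clusters per index buffer
    struct.pack_into("<Q", bpb, 0x48, 0x1234567890ABCDEF)  # constructed volume serial
    return bytes(bpb) + code + b"\x55\xaa"


# Constructed "clean" boot code: a stub followed by the usual NTFS error strings and zero padding.
_CLEAN_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb\x68\xc0\x07\x1f\x1e\x68\x66\x00\xcb"
_CLEAN_MESSAGES = (b"\r\nA disk read error occurred\x00\r\nBOOTMGR is missing\x00"
                   b"\r\nBOOTMGR is compressed\x00\r\nPress Ctrl+Alt+Del to restart\r\n\x00")
CLEAN_CODE = (_CLEAN_STUB * 4 + _CLEAN_MESSAGES).ljust(BOOT_CODE_SIZE, b"\x00")


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic filler standing in for an encrypted blob (constructed, not real malware)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed "infected" boot code: a replacement stub plus an encrypted-looking tail.
INFECTED_CODE = _CLEAN_STUB + _pseudo_random(BOOT_CODE_SIZE - len(_CLEAN_STUB))
CLEAN_VBR = build_sample_vbr(CLEAN_CODE)
INFECTED_VBR = build_sample_vbr(INFECTED_CODE)
BASELINE = boot_code_sha256(CLEAN_VBR)

if __name__ == "__main__":
    for name, vbr in (("clean", CLEAN_VBR), ("infected", INFECTED_VBR)):
        print(name, check_vbr(vbr, BASELINE))
```

On a live system the sector would be read from the raw volume device (for example the first sector of \\.\C: on Windows) with administrative rights; the hash comparison is the reliable test, and the entropy heuristic only adds a hint when no baseline is available.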

ROOTKIT


The Cidox rootkit driver installs its hooks by registering the following notify callbacks:

  • PsSetLoadImageNotifyRoutine
  • PsSetCreateProcessNotifyRoutine

[Figure: Driver loaded in memory]

These callbacks are invoked whenever an image is loaded or a process is created, respectively. Their handlers check whether the call is happening in the context of any of the processes listed below.


  • iexplore.exe
  • firefox.exe
  • chrome.exe
  • safari.exe
  • opera.exe
  • maxthon.exe

These are the process names of common web browsers. Once all the conditions are met, the rootkit loads a special DLL into memory; this DLL installs additional hooks and is the component responsible for intercepting messages.


The DLL hooks the following ws2_32 functions:
  • recv
  • send
  • WSASend
  • WSARecv
  • closesocket
  • WSASocketW
  • connect
  • WSAConnect
  • select
  • WSAGetOverlappedResult
  • WSAAsyncSelect
  • ioctlsocket
  • WSAEnumNetworkEvents
  • WSAEventSelect

[Figure: Hooked send ws2_32 function]


Cidox gathers information about the infected system, uses it to form an HTTP GET request, sends the request and awaits the result. It can be seen that it checks for installed AV engines (by looking in the Program Files directory), for a running VMware process, and for the OS and its version.

[Figure: Sample message formed by the Cidox DLL]

[Figure: Checks hashes of common AV file names in the Program Files directory]



While the target processes are being monitored, Cidox alters web queries sent by the user and replaces them with data coming from the following remote addresses:

  • 213.133.103.21x
  • V1s.cx
  • 1nfo.cx

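Because the redirection traffic leaves the host over ordinary HTTP, the remote addresses above are usable as network indicators. The following is an added example, not code from the original post: it scans proxy log lines for requests to those addresses. The log format (timestamp, client, method, URL, status) and the sample lines are constructed for the example; the indicators are the ones the post lists, and since the post masks the last digit of the IP address, the whole 213.133.103.210-219 range is treated as suspect.

```python
"""Match proxy log lines against the Cidox network indicators given in the post.

Added example. The log format and sample lines are constructed; only the
indicator domains and the masked IP come from the post.
"""
import re
from urllib.parse import urlsplit

INDICATOR_DOMAINS = {"v1s.cx", "1nfo.cx"}
# The post reports 213.133.103.21x with the last digit masked, so match the whole /10 block of hosts.
INDICATOR_IP_RE = re.compile(r"^213\.133\.103\.21\d$")


def host_matches(host: str) -> bool:
    """True if the host is one of the reported domains (or a subdomain) or the masked IP range."""
    host = host.strip().lower().rstrip(".")
    if INDICATOR_IP_RE.match(host):
        return True
    return any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS)


def host_from_request(method: str, url: str):
    """Extract the destination host; CONNECT lines carry host:port rather than a full URL."""
    if method.upper() == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname


def scan_proxy_log(lines):
    """Return one hit record per log line whose destination matches an indicator."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line, skip rather than crash
        _timestamp, client, method, url = parts[:4]
        host = host_from_request(method, url)
        if host and host_matches(host):
            hits.append({"line": lineno, "client": client, "method": method, "host": host})
    return hits


# Constructed sample log (not real traffic): lines 2, 3 and 4 should be flagged.
SAMPLE_LOG = """\
1384180001.201 10.0.0.5 GET http://www.example.com/ 200
1384180002.417 10.0.0.5 GET http://V1s.cx/ 200
1384180003.090 10.0.0.7 CONNECT 1nfo.cx:443 200
1384180004.333 10.0.0.5 GET http://213.133.103.217/ 200
1384180005.555 10.0.0.9 GET http://213.133.103.2/ 200
1384180006.010 10.0.0.9 GET http://notv1s.cx/ 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['method']} -> {hit['host']}")
```

The suffix check in host_matches is deliberate: a host such as notv1s.cx does not match, while a subdomain of v1s.cx does. Matching on the destination host rather than on the request body keeps the rule usable even though the exact shape of the GET request the DLL builds is not documented in the post.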
SHUTDOWN FILE

The shutdown file, as its name implies, is a small executable created and launched by the dropper. Its sole purpose is to forcibly shut the system down. On the next boot, the modified volume boot record executes and thus loads the rootkit driver.
 




ATTRIBUTE MODIFIER

A small batch file with a randomly generated name is created and run at the end of the dropper's execution. Its purpose is to delete the dropper and then itself, to reduce the chance of detection.

