Thursday, February 24, 2011

ZeroAccess / Max++ / Smiscer Crimeware Rootkit sample for Step-by-Step Reverse Engineering by Giuseppe Bonfa - << (Update 2011 version available)

Post Update Feb 24, 2011

The new version is available here, thanks to Giuseppe :)

Download MaxRootkit_2011_1.exe as a password protected archive (contact me if you need the password)

  File name: 392ddf0d2ee5049da11afa4668e9c98f

Submission date: 2011-02-14 14:41:24 (UTC)
Result: 25/43 (58.1%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2011.02.14.02     2011.02.14     Trojan/Win32.Gen
AntiVir     2011.02.14     TR/Dropper.Gen
Avast     4.8.1351.0     2011.02.14     Win32:FakeAlert-FC
Avast5     5.0.677.0     2011.02.14     Win32:FakeAlert-FC
AVG     2011.02.14     Dropper.Generic3.AJH
BitDefender     7.2     2011.02.14     Trojan.Generic.5349632
CAT-QuickHeal     11.00     2011.02.14     Worm.Sirefef.a
DrWeb     2011.02.14     Trojan.DownLoader2.2219
Emsisoft     2011.02.14     Worm.Win32.Sirefef!IK
F-Secure     9.0.16160.0     2011.02.14     Trojan.Generic.5349632
Fortinet     2011.02.14     W32/Dx.VUZ!tr
GData     21     2011.02.14     Trojan.Generic.5349632
Ikarus     T3.     2011.02.14     Worm.Win32.Sirefef
McAfee     5.400.0.1158     2011.02.14     Generic.dx!vuz
McAfee-GW-Edition     2010.1C     2011.02.14     Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft     1.6502     2011.02.14     Worm:Win32/Sirefef.gen!A
NOD32     5872     2011.02.14     a variant of Win32/Sirefef.C
Panda     2011.02.13     Trj/CI.A
PCTools     2011.02.13     Trojan.Gen
Rising     2011.02.14     [Suspicious]
Symantec     20101.3.0.103     2011.02.14     Trojan.Gen
TheHacker     2011.02.13     Trojan/Sirefef.c
TrendMicro     2011.02.14     TROJ_GEN.R3EC1BD
TrendMicro-HouseCall     2011.02.14     TROJ_GEN.R3EC1BD
VIPRE     8416     2011.02.14     Trojan.Win32.Generic!BT
MD5   : 392ddf0d2ee5049da11afa4668e9c98f


Infosec resources published an excellent and very detailed 4-part tutorial by Giuseppe Bonfa:
Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit

Part 1: Introduction and De-Obfuscating and Reversing the User-Mode Agent Dropper
Part 2: Reverse Engineering the Kernel-Mode Device Driver Stealth Rootkit
Part 3: Reverse Engineering the Kernel-Mode Device Driver Process Injection Rootkit
Part 4: Tracing the Crimeware Origins by Reversing the Injected Code

The full tutorial is at Infosec resources

To follow the tutorial, you need a hex editor of your choice (e.g. Hex Workshop), a debugger (OllyDbg) and the ZeroAccess rootkit sample itself (see the download section below). Work on it inside an isolated virtual machine: the sample installs a kernel-mode driver and will not behave like an ordinary user-mode dropper.


Nov 18, 2010 Whitehat cracks notorious rootkit wide open - The Register


Download MaxRootkit_2011_1.exe as a password protected archive (contact me if you need the password)

 If you are interested in other Reverse Engineering tutorials, you can find many at  



Thursday, February 17, 2011

Targeted attacks against personal accounts of military, government employees and associates

See this update: Aug 11 Targeted attacks against personal Gmail accounts Part II - CNAS Report

  General threat Information

The spear phishing method used in this attack is far from new or sophisticated. However, I am posting the following information because of the particularly invasive approach of the attack. Google, Yahoo, and other personal mail services do not offer the same protection against spoofing and malware as enterprise accounts. In addition, personal mail is often checked at home in a relaxed atmosphere, which helps catch the victim off guard, especially if the message appears to arrive from a frequent contact. Some people have a habit of forwarding messages from enterprise accounts to their personal mail for saving or easy reading at home, which may expose sensitive information.


File  - ServiceLoginAuthen.htm (not malware, file from a phishing site)
from visiting hxxp://

g in this example but there are many others in use

View / Download link in Gmail masquerading as a link to view or download an attachment. The message comes without any attachments.

Email link, targeted phishing message sent to Gmail account of a person associated with military or political affairs. Links are customized and individualized for each target.

Target recipients:
Government and non-government employees working on questions of defense, political affairs and national security, defense/military personnel, etc.

Attack approach:
Victims get a message whose sender address is spoofed to look like a close associate or a collaborating organization/agency. The message is crafted to appear as if it has an attachment, with "View" and "Download" links and the name of the supposed attachment. The links lead to a fake Gmail login page that harvests credentials.

Once the attackers get the credentials, they log in to the victim's Gmail account and may do the following:

  • Create rules to forward all incoming mail to another account. The third-party account ID is made to closely resemble the victim's ID.
  • Read mail and gather information about the closest associates and family/friends, especially frequent correspondents.
  • Use the harvested information to make future mailings more plausible. Some messages are empty, while others reference family members and friends (e.g. mention names of spouses or refer to recent meetings) and are plausible enough to generate responses or conversations from victims. We are not posting those examples due to their personal nature.
  • Send such emails on a monthly or biweekly basis. The messages differ, like the ones you see below, but all carry the same link and are designed to refresh the victim credentials the attackers already have.
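The forwarding rule in the first bullet is the part of this attack that survives a password change, so it is worth checking for directly. The script below is an added example written for this post, not something from the original report: it parses the Atom XML that Gmail produces under Settings > Filters > Export and flags any filter that forwards mail to an address resembling the owner's own address, forwards everything (no matching criteria), or hides the forwarded copy from the owner. The XML feed and every address in it are constructed for the example; the property names (`forwardTo`, `shouldMarkAsRead`, etc.) are the ones Gmail's export uses, and the 0.7 similarity threshold is an arbitrary starting point.

```python
"""Audit an exported Gmail filter list for attacker-style forwarding rules.

Added example, not part of the original post. Input is the Atom XML that
Gmail exports from Settings > Filters; SAMPLE_FILTERS below is constructed
for this example and all addresses in it are made up.
"""
import difflib
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Properties that restrict which messages a filter matches.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord", "hasAttachment")
# Actions that keep the owner from noticing the forwarded copy.
HIDING_ACTIONS = ("shouldArchive", "shouldMarkAsRead", "shouldTrash")

# Constructed sample: a benign newsletter filter, an attacker-style catch-all
# forward to a lookalike address, and a legitimate forward of one sender.
SAMPLE_FILTERS = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='forwardTo' value='john.doe.usa@example.com'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='spouse@example.net'/>
    <apps:property name='forwardTo' value='myotherbox@example.com'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return each filter entry as a dict of Gmail property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        filters.append(props)
    return filters


def local_part(address):
    return address.split("@", 1)[0].lower()


def lookalike_score(owner, target):
    """Similarity (0.0-1.0) of the local parts, e.g. john.doe vs john.doe.usa."""
    return difflib.SequenceMatcher(None, local_part(owner), local_part(target)).ratio()


def audit_forwarding(xml_text, owner, threshold=0.7):
    """List every forwarding filter with the reasons it looks suspicious."""
    findings = []
    for index, props in enumerate(parse_filters(xml_text)):
        target = props.get("forwardTo")
        if not target:
            continue
        reasons = []
        score = lookalike_score(owner, target)
        if target.lower() != owner.lower() and score >= threshold:
            reasons.append("forward target resembles owner address (%.2f)" % score)
        if not any(key in props for key in CRITERIA):
            reasons.append("matches all incoming mail")
        hidden = [action for action in HIDING_ACTIONS if props.get(action) == "true"]
        if hidden:
            reasons.append("hides forwarded mail: " + ", ".join(hidden))
        if reasons:
            findings.append({"filter": index, "forwardTo": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_FILTERS, "john.doe@example.com"):
        print("filter #%d -> %s" % (finding["filter"], finding["forwardTo"]))
        for reason in finding["reasons"]:
            print("    " + reason)
```

Only the second filter is reported: its target `john.doe.usa` scores 0.80 against the owner `john.doe`, it has no matching criteria, and it marks mail as read. The third filter forwards a single sender to an unrelated address and passes. Gmail also has an account-level "Forwarding" setting that does not appear in the filter export, so check that page by hand as well.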


Monday, February 7, 2011

Phishing messages from possibly compromised .edu accounts

Original Message

From: Webmaster []
Sent: Monday, February 07, 2011 11:14 AM
Subject: User Quarantine Release Notification


   We are carrying out a routine quarantine exercise . we have started our yearly server (inactive email-accounts / spam protecting etc) clean-up process to enable service upgrade/migration efficiency. Please be informed that your account usage will be fully restricted if you do not adhere to this notice.

You are to provide your account details for immediate Quarantine by clicking on your reply button to respond as follows (This will confirm your account login/usage
Frequency / account continuation potentials):

*Alternate Email:

  All IT Service utilities will not be altered during this period, This will not affect the operation of your IT service systems or the manner in which you currently login to your account.  Account access and usage will be disabled if you fail to comply as required.

Help Desk
Information Technology
© 2011 All rights reserved

Saturday, February 5, 2011

Slow / Busy days - 2011 edition

Last year the Chinese New Year was marked not only by the festivities (a lovely, fun time, I have to admit) but also by a significant reduction in the number of targeted attacks we receive (see this post of Feb 20, 2010, Slow / busy days). This year, I am happy to report that we got another break: the last targeted attack I saw was on February 1, 2011, two days before the actual Chinese New Year, and it was a message re-sent from earlier in January. By the way, I noticed an increase in targeted attacks and malicious activity (attacks on mail servers) around July 4, 2010, which is a holiday in the USA but not in Asia.
Again, it might be a coincidence, but I don't think so :)

I wish you all a great Year of the Rabbit!