Samker's Computer Forum - SCforum.info

World TOP Headlines: => Latest Security News & Alerts => Topic started by: Pez on 17. April 2012., 10:41:32

Title: Darkmegi: This is Not the Rootkit You’re Looking For
Post by: Pez on 17. April 2012., 10:41:32

Darkmegi: This is Not the Rootkit You’re Looking For

Darkmegi (http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=836827) was in the news (http://www.net-security.org/malware_news.php?id=1974, http://www.pcworld.com/article/248846/drivebydownload_attack_exploits_critical_vulnerability_in_windows_media_player.html) a couple of months back; it was the first known threat to be delivered through the Microsoft vulnerability CVE-2012-0003 (MIDI Remote Code Execution Vulnerability) exploitation. More recently Darkmegi has been seen in CVE-2011-3544 (Java Runtime Remote Code Execution) drive-by attacks as part of the Gong Da Pack exploit kit. Darkmegi uses a kernel rootkit component to maintain a stronghold on infected systems.

Hook Installation
It’s common for rootkits to deny read and/or delete access to their files and/or registry keys, and Darkmegi is no exception. The Trojan drops its kernel driver to com32.sys in the Drivers directory. This rootkit drops a usermode component, com32.dll, which gets injected into explorer.exe and iexplore.exe. It also hooks the Dispatch table of ntfs.sys [IRP_MJ_CLOSE, IRP_MJ_CREATE, IRP_MJ_DEVICE_CONTROL] and fastfat.sys to prevent applications from reading (or scanning) the com32.dll and com32.sys files.

Hook Impact
Once the rootkit has compromised the operating system, attempts to copy or read protected files are rejected.

(http://blogs.mcafee.com/wp-content/uploads/2012/04/Darkmegi-FileCopy.jpg)

Attempting to copy rootkit driver to another directory.


(http://blogs.mcafee.com/wp-content/uploads/2012/04/Darkmegi-FileOpen.jpg)

Attempting to open rootkit driver.

No Malware Here
Another trick this Trojan uses is to pad its malware files with garbage data, around 25MB of garbage data! This is surely an attempt to look more legitimate than your typical malware, which takes less than 1MB. Indeed, less than 0.03% of known malware is greater than 25MB. This is another example of how malware authors continue to change their tactics to evade a file-centric view of security.

(http://blogs.mcafee.com/wp-content/uploads/2012/04/MalwareFileSizeDistribution.jpg)

Distribution of 79 million malware file sizes.

But for all Darkmegi does, it does not hide its file locations.

Half-Stealth
So why does a malware author go to the trouble of creating a rootkit and yet not hide the files he or she aims to protect? One reason is that some antirootkit tools compare a list of files returned by the Windows API against a tool-created list created from raw NTFS scanning. Any discrepancies are presented as suspicious.

I wanted to see how various on-demand antirootkit tools fared against Darkmegi running on Windows 7, but alas most tools still haven’t been updated to support Windows 7, including some of the most popular (even Microsoft’s RootkitRevealer).

I did find that one tool was able to identify the usermode component protected by the kernel driver as infected. However, the tool prompted me to reboot to complete the repair. After two reboots (the first hung the system), I read “Cleanup completed”; however, the undetected kernel driver simply restored and reinjected the usermode component.

Another post-infection tool was able to identify the two Darkmegi malicious executables, but when I chose to remove them the tool told me it was not recommended–as it could cause system problems. Indeed, after proceeding anyway, the system went into a BSOD loop, even in Safe Mode.

With no success under Windows 7, I decided to try diffing tools on an infected Windows XP system. That test suggested that the trick of allowing files to be listed, but not read, would evade some tools.

Obviously running rootkit removal tools after the fact is not ideal (unless one is doing forensics or incident response). It’s much better to identify them before they can compromise the OS.

Through real-time kernel-memory monitoring, Deep Defender can block malicious events, and blacklist and delete the offending rootkit.

(http://blogs.mcafee.com/wp-content/uploads/2012/04/DarkMegi1-ss.jpg)

Deep Defender catching Darkmegi during installation.


With the rootkit removed, or even just neutralized, the usermode component no longer loads and is also neutered.


Original article: Monday, April 16, 2012 at 5:38pm by Craig Schmugar (http://blogs.mcafee.com/mcafee-labs/darkmegi-not-the-rootkit-youre-looking-for)
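
The check below is an added example, not part of the reposted article or of any tool it mentions: it looks for the two traits the article describes, a binary that shows up in a directory listing but cannot be opened for reading, and a driver or DLL padded to roughly 25MB. The function names, the extension list and the threshold constant are assumptions made for illustration.

```python
import os
from pathlib import Path

# Assumed threshold, taken from the article's "around 25MB" padding figure.
SIZE_THRESHOLD = 25 * 1024 * 1024
# Assumed set of extensions worth probing in a drivers/system directory.
BINARY_EXTS = {".sys", ".dll", ".exe"}


def can_read(path, nbytes=4096):
    """Try to read the first bytes of a file; return (ok, error_text)."""
    try:
        with open(path, "rb") as fh:
            fh.read(nbytes)
        return True, None
    except OSError as exc:
        return False, exc.strerror or str(exc)


def audit_directory(directory, probe=can_read, size_threshold=SIZE_THRESHOLD):
    """Return [(file_name, [reasons])] for binaries that are listed but
    unreadable, or that are unusually large."""
    findings = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        if Path(entry.name).suffix.lower() not in BINARY_EXTS:
            continue
        # The listing and size come from directory metadata; the probe is a
        # separate open/read, which is the operation the hooks reject.
        size = entry.stat(follow_symlinks=False).st_size
        ok, err = probe(entry.path)
        reasons = []
        if not ok:
            reasons.append(f"listed but unreadable ({err})")
        if size >= size_threshold:
            reasons.append(f"oversized binary ({size} bytes)")
        if reasons:
            findings.append((entry.name, reasons))
    return findings


if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    for name, reasons in audit_directory(os.path.join(root, "System32", "drivers")):
        print(f"{name}: {'; '.join(reasons)}")
```

Run it from an elevated prompt; a hit is a lead to confirm with an offline scan, since other software can also hold a file open exclusively.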
 
Title: Re: Darkmegi: This is Not the Rootkit You’re Looking For
Post by: Pez on 17. April 2012., 10:49:58

Other Common Detection Aliases


Company Names      Detection Names
ahnlab             Dropper/Win32.Rootkit
avast              Win32:Malware-gen
AVG (GriSoft)      PSW.Agent.ASED (Trojan horse)
avira              HEUR/Crypted
Kaspersky          Trojan-Spy.Win32.Agent.bwtk
BitDefender        Trojan.Generic.7160488
clamav             PUA.Packed.YodaProt
Dr.Web             Trojan.PWS.Gamania.34539
eSafe (Aladdin)    Suspicious file
F-Prot             W32/Heuristic-210!Eldorado (suspicious)
FortiNet           W32/Agent.BWTK!tr
Microsoft          trojan:win32/meredrop
Symantec           Downloader.Darkmegi
Eset               Win32/CsNowDown.C trojan (variant)
norman             W32/Troj_Generic.ASBJ
Sophos             Mal/Packer
Trend Micro        Cryp_Yodap
vba32              TrojanSpy.Agent.bwtk
V-Buster           TrojanSpy.Agent!30FT96zCSb0 (trojan)

Title: Re: Darkmegi: This is Not the Rootkit You’re Looking For
Post by: Pez on 17. April 2012., 10:58:10

Removal!

You need to have appropriate skill to use this guide and you do it at your own risk.

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to current engine and DAT files (check your antivirus manufacturer for the latest update) for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Title: REMOVE: Win32:Malware-gen, Trojan-Spy.Win32.Agent.bwtk, Downloader.Darkmegi
Post by: Samker on 17. April 2012., 20:52:51

Great work! :bih: