Nytro

Necurs rootkit under microscope


Okay, we already know about Necurs; let's just recall its interesting features:

  • Highly difficult to remove from an infected system;
  • Targets and blocks the drivers of around 30 AV products [130 drivers in total];
  • Also targets the x64 platform [has an x64 version of the driver];
  • The driver has obfuscated relocatable code;
  • Secures for itself the earliest start in the system [before all AV or anti-malware drivers and system drivers];
  • Has its own PE loader with module relocation and IAT fix-up, used to create a complete copy of the working driver;
  • Three types of black list: checking version info, special code signatures and driver names.


I already wrote about detection of this rootkit by various anti-rootkits here: Security/malware blog: Necurs rootkit detection. That post also listed symptoms of infection and various kernel anomalies. Today we'll talk about Necurs in more detail.

https://twitter.com/artem_i_baranov/status/284941235934875648

First of all, the black list and how it's implemented. The list examined by the rootkit includes about 30 AV products (checked via version info) and 130 drivers (checked by comparing image names). The full list of vendors is available here (Necurs targets the products of these firms): Necurs targeted to prevent work products of these firms: Agnitum Ltd ALWIL S - Pastebin.com, and the list of drivers here: Necurs targeted to prevent work the following drivers: kprocesshacker.sys Vb - Pastebin.com.


Before you start the static analysis you need to retrieve the decrypted version of the driver. In its normal, encrypted state it looks like this:


To confirm that the rootkit is active, check for the presence of the NtSecureSys device object.


In the next step we need to dump its decrypted body from memory with the help of an anti-rootkit or WinDbg. Ok, let's do it with WinDbg. Necurs sets some hooks in the SSDT, and these are one of the starting points for dumping its image from memory.


Next we can dump it from memory.

Instead of the !pool command you can search backwards for the MZ header to find the start of the decrypted copy (this searches the 0x10000 bytes preceding the address found via the SSDT hook):

s 822bbe2b L-10000 'M' 'Z'

Decrypted driver (screenshot).

The starting point of the black list checks is the LoadImageNotifyRoutine callback (registered with PsSetLoadImageNotifyRoutine; detailed info about this feature: http://msdn.microsoft.com/en-us/library/windows/hardware/ff559957(v=vs.85).aspx). This callback is invoked every time a new driver [or user-mode image] is loaded into the system [or into a process].


This function contains all three types of black list checks. For example, the screenshot shows the check of vendor names in the version info.


If the driver is blacklisted, Necurs patches its entry point with two instructions, so that DriverEntry returns STATUS_UNSUCCESSFUL and the I/O manager does not load the driver.

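Because a patched DriverEntry returns an error immediately, a defender who has dumped a suspect driver image from memory can check whether its entry point has been reduced to such a stub. The following Python is an added example, not code from the original post; it assumes the patch is the minimal "mov eax, 0C0000001h ; ret" encoding (the post does not show the exact instructions) and that the image was dumped with its sections at their virtual addresses.

```python
import struct

STATUS_UNSUCCESSFUL = 0xC0000001


def decode_return_stub(code: bytes):
    """Decode a two-instruction 'mov eax, imm32 ; ret' stub at the start of code.
    The encoding is B8 <imm32 little-endian> C3 in both 32-bit and 64-bit mode.
    Returns the immediate (the NTSTATUS DriverEntry would return) or None."""
    if len(code) >= 6 and code[0] == 0xB8 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None


def entry_point_rva(image: bytes) -> int:
    """Read AddressOfEntryPoint from a PE image (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # The optional header starts 0x18 past the signature; AddressOfEntryPoint
    # sits at optional-header offset 0x10 in both PE32 and PE32+.
    return struct.unpack_from("<I", image, e_lfanew + 0x28)[0]


def neutered_entry_status(image: bytes):
    """For a driver image dumped from memory (RVA == offset), return the error
    NTSTATUS its DriverEntry was patched to return at once, else None."""
    ep = entry_point_rva(image)
    status = decode_return_stub(image[ep:ep + 6])
    if status is not None and status & 0x80000000:  # NTSTATUS severity: error
        return status
    return None


def build_sample_image(entry_code: bytes) -> bytes:
    """Constructed minimal MZ/PE skeleton with its entry point at RVA 0x100;
    only the header fields read above are populated (assumed test input)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 0x28, 0x100)  # AddressOfEntryPoint
    img[0x100:0x100 + len(entry_code)] = entry_code
    return bytes(img)


# Constructed samples: a neutered entry and a normal x86 hot-patch prologue.
PATCHED_ENTRY = b"\xB8\x01\x00\x00\xC0\xC3"  # mov eax, 0C0000001h ; ret
NORMAL_ENTRY = b"\x8B\xFF\x55\x8B\xEC\x83"   # mov edi, edi ; push ebp ; mov ebp, esp ; ...
```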

The rootkit also contains two special white lists of drivers that are not included in the black list.


The rootkit collects the white list information at the initialization stage: it scans the \drivers directory and looks for drivers not included in the black list.


It also walks the Services registry key and adds drivers to these lists.


To avoid misunderstanding, it adds loaders to these lists as well.


The ways in which driver entry points are modified are shown in the screenshot.

Necurs also blocks registry operations on its own service key, so any attempt to access the key fails. This is done with the help of registry callbacks: http://msdn.microsoft.com/ru-ru/library/windows/hardware/ff545879(v=vs.85).aspx


The situation with the file system is similar: Necurs attaches its device object to the volume and tracks all FS operations, so the rootkit body on the volume is inaccessible.


Another interesting feature of Necurs is the ability to start before ALL drivers in the system [including boot bus extender drivers].


But on a clean system we see a different picture:


Ok, all right.

The conclusion is obvious: Necurs adds itself to the "Boot Bus Extender" group and modifies the priority ("Tag") of all drivers in this group (increases their Tag numbers by one). For details about driver load priority, see CurrentControlSet\Services Subkey Entries.

Summary (screenshot).
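A defender can check for this load-order manipulation by reading the Tag value of every service whose Group is "Boot Bus Extender" together with the group's entry under HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList. The following Python is an added example (not from the original post) that works on data exported from those keys; the service names and Tag values are constructed placeholders, and the registry reads themselves are assumed to be done separately.

```python
import struct


def parse_group_order(blob: bytes) -> list:
    """Parse a GroupOrderList value (REG_BINARY): a DWORD count followed by
    that many DWORD Tags, listed in the order the group's drivers are started."""
    count = struct.unpack_from("<I", blob, 0)[0]
    if len(blob) < 4 + 4 * count:
        raise ValueError("truncated GroupOrderList value")
    return list(struct.unpack_from("<%dI" % count, blob, 4))


def load_order(tags_by_service: dict, order: list) -> list:
    """Service names in start order within one group: services whose Tag
    appears in GroupOrderList first, in that order, then the untagged rest."""
    by_tag = {tag: name for name, tag in tags_by_service.items()}
    listed = [by_tag[t] for t in order if t in by_tag]
    rest = sorted(n for n, t in tags_by_service.items() if t not in order)
    return listed + rest


def detect_tag_shift(baseline: dict, current: dict) -> dict:
    """Flag the pattern described above: a newcomer in the group while every
    previously known service's Tag has been pushed up by exactly one."""
    newcomers = sorted(set(current) - set(baseline))
    known = [n for n in baseline if n in current]
    shifted = bool(known) and all(current[n] == baseline[n] + 1 for n in known)
    return {"newcomers": newcomers, "all_known_tags_shifted_by_one": shifted}


def pack_group_order(tags: list) -> bytes:
    """Build a GroupOrderList blob (used here only to construct sample data)."""
    return struct.pack("<I%dI" % len(tags), len(tags), *tags)


# Constructed sample: Tag values of services with Group="Boot Bus Extender"
# on a clean machine and on the same machine after infection. The names are
# placeholders, not the real default membership of the group.
CLEAN_TAGS = {"driverA": 1, "driverB": 2, "driverC": 3}
INFECTED_TAGS = {"unknown_svc": 1, "driverA": 2, "driverB": 3, "driverC": 4}
INFECTED_ORDER = pack_group_order([1, 2, 3, 4])
```

The service holding the first Tag in the group is the one that starts before every other boot bus extender, which is the position the post shows Necurs taking.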

Necurs also registers a callback for tracking process handle creation with the help of ObRegisterCallbacks. API: http://msdn.microsoft.com/en-us/library/windows/hardware/ff558692(v=vs.85).aspx

From this callback the rootkit modifies the original desired access of the handle in special cases of handle opening.


The mission of NtOpenProcessHook is to block handle-open operations on processes which the rootkit considers trusted.


According to the Microsoft Malware Protection Center (MMPC), Necurs has been found on more than 83,000 machines, and the Microsoft report calls the rootkit a "prevalent threat". This is not surprising: after the disclosure of the threat, it becomes clear why this is so.

http://www.darkreading.com/risk-management/167901115/security/attacks-breaches/240144203/necurs-rootkit-spreading-quickly-microsoft-warns.html

Unexpected reboot: Necurs - Microsoft Malware Protection Center - Site Home - TechNet Blogs

Fingerprints:

x32 version:

SHA256: 742a3c8c0a3601af29daffb966e947334d4f20501e5568b9c9fbf4c3526b4b84

SHA1: 30f63b8cae41a97456a82131c4577a2020697b89

MD5: 0907292986e05a8752bc1863556d229e

File size: 59776 bytes

x64 version:

SHA256: b3fea8183670ecf6150325f05aed28dfa27d7c6d2c1007808661f97c27fd7e1e

SHA1: d69b06801a8378e8c9ac8b369cb9e14ef8c8d479

MD5: 39b447e293979ac7259d4d9a2711c9a0

File size: 75720 bytes


posted by https://twitter.com/artem_i_baranov

Posted 29th December 2012 by Artem

Sursa: Security/malware blog: Necurs rootkit under microscope
