Aerosol

WinNT/Pitou (MBR bootkit, alias Backboot)

Legacy BIOS MBR WinNT bootkit.

Purpose: kernel mode spambot.

MBR:

This sample: https://www.virustotal.com/en/file/c0150e2041cdfde60121e0fa0fc8247628a9573565a1ccd2d1a0251efbaf749c/analysis/1420199827/

Older Pitou build analyzed in December: https://www.virustotal.com/en/file/269f35c31bbbc3d18dc055712d535b2ebd8efdc13863b9d4165b6b1878b251ba/analysis/

The current sample doesn't use 0xDEADBEEF as an XOR key and looks somewhat simplified.

Hooks IRP_MJ_DEVICE_CONTROL and IRP_MJ_INTERNAL_DEVICE_CONTROL of the disk port driver and several routines in the NDIS driver by splicing.

Contains an anti-VM check similar to the Win32/Avatar lolkit: MmMapIoSpace followed by a lookup for known VM vendor/product names.

31.184.236.83/crypted.ff.exe

HTTP/1.1 200 OK
Date: Fri, 02 Jan 2015 0X:XX:XX GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 27 Dec 2014 11:56:11 GMT
ETag: "26009a-7da00-50b3153deb85e"
Accept-Ranges: bytes
Content-Length: 514560
Connection: close
Content-Type: application/x-msdos-program

Bootkit data storage:

Located at the end of the system disk, in space beyond the last partition. The structure is simple: initialization code, a copy of the original MBR (returned as a fake while the bootkit filters I/O requests), and then the lolkit driver. Depending on the mode there will be an x86-32 driver or the x64 version of the same trash.

VT scans:

dropper (dotnet crypter)

https://www.virustotal.com/en/file/09b5c048eb5dce6050f6d092c1cb77aa0bfcc9e639d351c68d8aba62b98d2488/analysis/1420203568/

for x64 driver

https://www.virustotal.com/en/file/bbc326da0462bddf11c5cb07f0f9a5af7971f28c140a62e9f5e9f0d425878054/analysis/1420202247/

for x86-32 driver

https://www.virustotal.com/en/file/403fa0744a914ecf1f369f0584358f889cdc77ac45d44f041f58ffd35067daa0/analysis/1420202266/

The previously analyzed Pitou variant XOR-encrypted this data with a hardcoded 0xDEADBEEF key and decrypted the bootkit code when the bootkit MBR executed. This one stores the data without any encryption.

Small code for decoding the bootkit data of the previous version/build:

#include <windows.h>
#include <intrin.h>

#define DATASIZE 0x6c000 // 0x78c00 for x64

int main(void)
{
    HANDLE f;
    DWORD iobytes;
    DWORD *buffer = NULL, s0 = 0xdeadbeef; // initial XOR key, rotated right one bit per dword
    ULONG c;

    f = CreateFile(TEXT("c:\\malware\\pitou\\uspace_32.dat"), GENERIC_READ | SYNCHRONIZE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if ( f != INVALID_HANDLE_VALUE ) {
        buffer = (DWORD *)VirtualAlloc(NULL, DATASIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        if ( buffer != NULL ) {
            if ( ReadFile(f, buffer, DATASIZE, &iobytes, NULL) ) {
                // decode: XOR each dword with the current key, then rotate the key right by one bit
                for (c=0; c<(DATASIZE/4); c++) {
                    buffer[c] = buffer[c] ^ s0;
                    s0 = _rotr(s0, 1);
                }
            }
        }
        CloseHandle(f);

        // write the decoded image only if the buffer was actually allocated and filled
        if ( buffer != NULL ) {
            f = CreateFile(TEXT("c:\\malware\\pitou\\uspace_32.dmp"), GENERIC_ALL | SYNCHRONIZE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL);
            if ( f != INVALID_HANDLE_VALUE ) {
                WriteFile(f, buffer, DATASIZE, &iobytes, NULL);
                CloseHandle(f);
            }
            VirtualFree(buffer, 0, MEM_RELEASE);
        }
    }

    ExitProcess(0);
}
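The same rotating-XOR scheme in portable form, as an added example that is not the original post's code: it models the old build's key schedule (0xDEADBEEF, rotated right one bit per dword) without Win32 dependencies, and shows why the scheme is weak, since the keystream repeats every 128 bytes. The function names, PITOU_OLD_KEY and the sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not the original post's code): portable model of the rotating
 * XOR the older Pitou build applied to its on-disk bootkit data: each dword is
 * XORed with a 32-bit key starting at 0xDEADBEEF, then the key is rotated right
 * by one bit. Names and sample buffers below are constructed for illustration. */
#define PITOU_OLD_KEY 0xDEADBEEFu

static uint32_t rotr32_1(uint32_t v) { return (v >> 1) | (v << 31); }

/* XORs whole dwords in place, reading them little-endian so the result matches
 * the x86 original on any host. XOR is its own inverse: one call encodes, a
 * second decodes. Like the original DATASIZE/4 loop it skips a trailing partial
 * dword; returns the number of bytes processed. */
size_t pitou_xor_inplace(uint8_t *buf, size_t len, uint32_t key)
{
    size_t i = 0;
    for (; i + 4 <= len; i += 4, key = rotr32_1(key)) {
        uint32_t v = (uint32_t)buf[i] | ((uint32_t)buf[i + 1] << 8) |
                     ((uint32_t)buf[i + 2] << 16) | ((uint32_t)buf[i + 3] << 24);
        v ^= key;
        buf[i]     = (uint8_t)v;         buf[i + 1] = (uint8_t)(v >> 8);
        buf[i + 2] = (uint8_t)(v >> 16); buf[i + 3] = (uint8_t)(v >> 24);
    }
    return i;
}

/* Keystream period in bytes. A 32-bit rotation returns to its start within 32
 * steps, so the mask repeats every 128 bytes at most: a few dwords of known
 * plaintext (e.g. the stored MBR copy) are enough to recover the whole key. */
size_t pitou_keystream_period(uint32_t key)
{
    uint32_t k = key; size_t steps = 0;
    do { k = rotr32_1(k); steps++; } while (k != key && steps < 32);
    return steps * 4;
}

/* Known-answer check: encoding zeros exposes the raw keystream, whose first two
 * dwords must be 0xDEADBEEF and 0xEF56DF77; then verifies a full round trip. */
int pitou_selftest(void)
{
    static const uint8_t ks[8] = {0xEF, 0xBE, 0xAD, 0xDE, 0x77, 0xDF, 0x56, 0xEF};
    uint8_t zeros[8] = {0}, text[] = "constructed sample, not bootkit data", copy[sizeof text];
    pitou_xor_inplace(zeros, sizeof zeros, PITOU_OLD_KEY);
    memcpy(copy, text, sizeof text);
    pitou_xor_inplace(copy, sizeof copy, PITOU_OLD_KEY);
    pitou_xor_inplace(copy, sizeof copy, PITOU_OLD_KEY);
    return memcmp(zeros, ks, sizeof ks) == 0 && memcmp(copy, text, sizeof text) == 0;
}
```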

Pitou dropper + extracted drivers are attached. Upon successful installation it forces a Windows reboot via NtShutdownSystem. For direct disk access during installation the dropper uses IOCTL_SCSI_PASS_THROUGH requests.

P.S.

F-Secure coverage of earlier Pitou version https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf

The Pitou UAC bypass method was reconstructed in UACMe ('Defeating Windows User Account Control'); however, this particular dropper seems unable to bypass UAC.

Pitou.rar

Pass: infected
