Sinowal: MBR rootkit never dies! (and it always brings some new clever features)
| Sinowal: MBR rootkit never dies! (and it always brings some new clever features) | |
|---|---|
| Botnet | Torpig |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / June 6, 2012 |
| Editor/Conference | ITsec |
| Link | http://www.itsec.it/2012/06/06/sinowal-mbr-rootkit-never-dies-and-it-always-brings-some-new-clever-features/ (Archive copy) |
| Author | Andrea Allievi |
| Type | |
Abstract
“In this short analysis paper I want to give a technical overview about one of the latest MBR rootkit updates. The sample which is going to be analyzed is dated April 2012.

Bootkit Loader

The bootkit part of this rootkit remains almost the same as the one that we have just seen in my previous analysis (available here). Sinowal uses the same algorithm to recover the start sector where it’s storing its loader and the main executable file: last MBR partition sector + 1 for the loader and last MBR partition sector + 0x19 for the main rootkit driver. It hooks Int13h, then hooks the BlOsLoader function from the NT OS loader, and finally the IoInitSystem API from the Windows kernel
Bibtex
```bibtex
@misc{2012BFR1025,
  editor       = {ITsec},
  author       = {Andrea Allievi},
  title        = {Sinowal: MBR rootkit never dies! (and it always brings some new clever features)},
  date         = {06},
  month        = Jun,
  year         = {2012},
  howpublished = {\url{http://www.itsec.it/2012/06/06/sinowal-mbr-rootkit-never-dies-and-it-always-brings-some-new-clever-features/}},
}
```