Thursday, October 30, 2014

BlackEnergy 2 (alias BlackEnergy Version 2) Live Debugging

Last night I took a quick look at BlackEnergy 2, a rootkit that surfaced in 2010. BlackEnergy 2 was essentially a rewrite of its predecessor: it added rootkit techniques, process injection, and encryption. Surprisingly for a now 'dated' rootkit, there's really not much accessible (or not buried) kernel-debugging documentation on it apart from what was written when it first surfaced. Miscellaneous bits of information pop up across a handful of Russian blogs and forums, but that's about it.

There's a lot of additional lore behind the rootkit, but I won't go into that here. If you're interested in where the rootkit core came from before it was implemented in BlackEnergy 2, BlackReleaver is the answer!

NT Corruption

First off, we can look for corruption in ntoskrnl:

 lkd> !chkimg -d -v nt
 Searching for module with expression: nt
 Will apply relocation fixups to file used for comparison
 Will ignore NOP/LOCK errors
 Will ignore patched instructions
 Image specific ignores will be applied
 Comparison image path: C:\Symbols\ntoskrnl.exe\41108004214780\ntoskrnl.exe
 No range specified

 Scanning section:  .text
 Size: 466369
 Range to scan: 804d7580-80549341
   804ded5a-804ded5d 4 bytes - nt!KiBBTUnexpectedRange+8
     [ 00 ff 09 00:6b a0 c1 01 ]
   804e59a1-804e59a5 5 bytes - nt!KeInsertQueueApc (+0x6c47)  // Not malicious -- Malwarebytes.
     [ 8b ff 55 8b ec:e9 e4 45 4e 77 ]
 Total bytes compared: 466369(100%)
 Number of errors: 9

!chkimg compares the in-memory image of a loaded module against the copy of the file on the symbol path. It is a helpful command for detecting patched images, and especially helpful when dealing with rootkits. The -d parameter displays a summary of all mismatched areas, and -v makes the output verbose; in this case -v is optional.

As noted above, we have two mismatched ranges. We're interested in disassembling nt!KiBBTUnexpectedRange+8, but not nt!KeInsertQueueApc (+0x6c47): as I commented above, that one comes from Malwarebytes' Chameleon technology. I had MWB ARK installed on this VM for testing purposes, so that is where it was spawning from.
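To make that triage repeatable, here is an added Python example (not from the post) that parses the `!chkimg -d` listing, checks that the per-range byte counts add up to the reported "Number of errors", and drops patch sites that sit on an allowlist of known-benign ones. The sample listing is constructed from the post's output, and the allowlist entry for the Malwarebytes patch is our own assumption.

```python
import re

# Constructed sample of "!chkimg -d -v nt" output, modelled on the post's listing
# (addresses and bytes copied from it; not a capture from a live system).
CHKIMG_OUTPUT = """\
Scanning section:    .text
    804ded5a-804ded5d 4 bytes - nt!KiBBTUnexpectedRange+8
        [ 00 ff 09 00:6b a0 c1 01 ]
    804e59a1-804e59a5 5 bytes - nt!KeInsertQueueApc (+0x6c47)
        [ 8b ff 55 8b ec:e9 e4 45 4e 77 ]
Total bytes compared: 466369(100%)
Number of errors: 9
"""

RANGE_RE = re.compile(r"^\s*([0-9a-f]+)-([0-9a-f]+)\s+(\d+) bytes - (.+?)\s*$")
BYTES_RE = re.compile(r"^\s*\[\s*([0-9a-f ]+?):([0-9a-f ]+?)\s*\]")
ERRORS_RE = re.compile(r"^Number of errors:\s*(\d+)")

def parse_chkimg(text):
    """Return (mismatches, reported_error_count). Each mismatch carries the range,
    the symbol, the expected (on-disk) bytes and the actual (in-memory) bytes."""
    mismatches, reported, pending = [], None, None
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            pending = {"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                       "size": int(m.group(3)), "symbol": m.group(4)}
            continue
        m = BYTES_RE.match(line)
        if m and pending is not None:
            pending["expected"] = bytes.fromhex(m.group(1).replace(" ", ""))
            pending["actual"] = bytes.fromhex(m.group(2).replace(" ", ""))
            mismatches.append(pending)
            pending = None
            continue
        m = ERRORS_RE.match(line)
        if m:
            reported = int(m.group(1))
    return mismatches, reported

# Patch sites explained by software known to be installed (assumed allowlist; the post
# attributes the KeInsertQueueApc patch to Malwarebytes' Chameleon driver).
KNOWN_BENIGN = {"nt!KeInsertQueueApc (+0x6c47)"}

def triage(text, allowlist=KNOWN_BENIGN):
    """Sanity-check the listing's own bookkeeping, then drop allowlisted patch sites."""
    mismatches, reported = parse_chkimg(text)
    for m in mismatches:
        if not (len(m["expected"]) == len(m["actual"]) == m["size"] == m["end"] - m["start"] + 1):
            raise ValueError(f"inconsistent byte count for {m['symbol']}")
    if reported is not None and reported != sum(m["size"] for m in mismatches):
        raise ValueError("sum of patched bytes disagrees with 'Number of errors'")
    return [m for m in mismatches if m["symbol"] not in allowlist]
```

Whatever triage() returns still needs a human look at the disassembly, as the post does next; the allowlist only removes the noise you have already explained.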

nt!KiBBTUnexpectedRange+8 Disassembly - Healthy

If we disassemble nt!KiBBTUnexpectedRange+8 on a system not infected with BlackEnergy 2, we should expect output similar to this:

 lkd> u nt!KiBBTUnexpectedRange+8
 nt!KiBBTUnexpectedRange+0x8:
 804ded5a 00ff            add     bh,bh
 804ded5c 0900            or      dword ptr [eax],eax
 804ded5e 0bc0            or      eax,eax
 804ded60 58              pop     eax
 804ded61 5a              pop     edx
 804ded62 8bec            mov     ebp,esp
 804ded64 89ae34010000    mov     dword ptr [esi+134h],ebp
 804ded6a 0f8490020000    je      nt!KiFastCallEntry+0x8d (804df000)

nt!KiBBTUnexpectedRange+8 Disassembly - Corrupted

If we disassemble nt!KiBBTUnexpectedRange+8 on a system that has been infected with BlackEnergy 2, we see something like this instead:

 lkd> u nt!KiBBTUnexpectedRange+8
 nt!KiBBTUnexpectedRange+0x8:
 804ded5a 6ba0c1010bc058  imul    esp,dword ptr [eax-3FF4FE3Fh],58h
 804ded61 5a              pop     edx
 804ded62 8bec            mov     ebp,esp
 804ded64 89ae34010000    mov     dword ptr [esi+134h],ebp
 804ded6a 0f8490020000    je      nt!KiFastCallEntry+0x8d (804df000)
 804ded70 8d15509b5580    lea     edx,[nt!KeServiceDescriptorTableShadow+0x10 (80559b50)]
 804ded76 8b4a08          mov     ecx,dword ptr [edx+8]
 804ded79 8b12            mov     edx,dword ptr [edx]

So why do we have patches in ntoskrnl and a corrupted nt!KiBBTUnexpectedRange+8 disassembly? It's a side effect of the rootkit creating additional 'fake' service tables. It does this by patching the per-thread ServiceTable pointer (in the KTHREAD embedded in each ETHREAD), which lets it redirect user threads to its own table; it also registers a thread-creation callback with PsSetCreateThreadNotifyRoutine so that the pointer in newly created threads gets updated as well.

The main reason for creating fake service tables is that it made it much harder for anti-rootkit software (back in 2010, at least) to detect the rootkit's presence. It doesn't just 'hook' or modify the SSDT (which, as we know, would be a big red flag); instead it creates its own fake service tables and hooks the following functions within them:

 NtDeleteValueKey  
 NtEnumerateValueKey  
 NtEnumerateKey  
 NtOpenKey  
 NtOpenProcess  
 NtOpenThread  
 NtProtectVirtualMemory  
 NtQuerySystemInformation  
 NtReadVirtualMemory  
 NtSetContextThread  
 NtSetValueKey  
 NtSuspendThread  
 NtTerminateThread  
 NtWriteVirtualMemory
 etc...  

KTHREAD Structure

Since the rootkit adds new/fake service tables, threads have to be pointed at them. That's done through the pointer discussed above, which lives in the KTHREAD structure: every single thread has a ServiceTable pointer, initially set by KeInitThread to KeServiceDescriptorTable. When a thread first needs GUI functions from the Shadow SSDT, PsConvertToGuiThread is called and switches the pointer to KeServiceDescriptorTableShadow.

We can dump the KTHREAD Structure:

 lkd> dt -v nt!_KTHREAD  
 struct _KTHREAD, 73 elements, 0x1c0 bytes  
   +0x000 Header      : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes  
   +0x010 MutantListHead  : struct _LIST_ENTRY, 2 elements, 0x8 bytes  
   +0x018 InitialStack   : Ptr32 to Void  
   +0x01c StackLimit    : Ptr32 to Void  
   +0x020 Teb       : Ptr32 to Void  
   +0x0e0 ServiceTable   : Ptr32 to Void  

At this point if you'd like to see the tables, you can use the following command:

 !for_each_thread ".echo Thread: @#Thread; dt nt!_kthread ServiceTable @#Thread"   

If you see anything other than KeServiceDescriptorTable or KeServiceDescriptorTableShadow, it's a new/fake ServiceTable.
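An added example, not part of the post, that applies that rule to the output of the !for_each_thread one-liner above: it pairs each Thread line with the ServiceTable value dumped after it and flags any thread whose table is neither of the two legitimate ones. The thread listing is constructed; the two legitimate addresses are assumptions to be replaced with `? nt!KeServiceDescriptorTable` and `? nt!KeServiceDescriptorTableShadow` from your own debuggee (the Shadow value used here is 80559b50 - 0x10 from the post's disassembly).

```python
import re

# Constructed sample of what the post's !for_each_thread one-liner prints: two threads
# on the real tables and one on an unknown (fake) table. Thread addresses are made up.
FOR_EACH_THREAD_OUTPUT = """\
Thread: 0x89b1a020
   +0x0e0 ServiceTable : 0x80553fe0 Void
Thread: 0x89a7c3b8
   +0x0e0 ServiceTable : 0x80559b40 Void
Thread: 0x8997e5a0
   +0x0e0 ServiceTable : 0x81f2c008 Void
"""

# Assumed addresses of the two legitimate tables on the debuggee (placeholders:
# read the real ones with "? nt!KeServiceDescriptorTable" and the Shadow variant).
LEGIT_TABLES = {
    0x80553fe0: "nt!KeServiceDescriptorTable",
    0x80559b40: "nt!KeServiceDescriptorTableShadow",
}

THREAD_RE = re.compile(r"^Thread:\s*(0x[0-9a-f]+)", re.I)
TABLE_RE = re.compile(r"ServiceTable\s*:\s*(0x[0-9a-f]+)", re.I)

def parse_service_tables(text):
    """Map each thread address to the ServiceTable value dumped right after it."""
    result, current = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = int(m.group(1), 16)
            continue
        m = TABLE_RE.search(line)
        if m and current is not None:
            result[current] = int(m.group(1), 16)
            current = None
    return result

def find_fake_tables(text, legit=LEGIT_TABLES):
    """Return {thread: table} for threads whose ServiceTable is neither known table."""
    return {t: tbl for t, tbl in parse_service_tables(text).items() if tbl not in legit}

def summarize(text, legit=LEGIT_TABLES):
    """Count threads per table, naming the known ones and marking the rest as FAKE."""
    counts = {}
    for tbl in parse_service_tables(text).values():
        name = legit.get(tbl, f"FAKE table at {tbl:#010x}")
        counts[name] = counts.get(name, 0) + 1
    return counts
```

Threads sharing one unknown table address are the ones the rootkit has redirected; that address is where to start dumping the fake table.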

Registry Hiding

To persist across reboots it installs a service, and it hides the corresponding registry entry. If you're using Windows' Registry Editor, you won't find the hidden entry. For example, here's our hidden service:

 lkd> !ms_services  
 [205] | 0x01 | | qtcst | qtcst | SERVICE_RUNNING | \Driver\qtcst  

If we try to find qtcst with Registry Editor, nothing turns up. If we instead use a third-party registry tool (any should work, so long as it reads the hive files itself rather than going through the Windows registry API), we catch our culprit and the dropped driver red-handed. The driver is renamed after each reboot, so if you remove it without removing the registry entry at the same time, it will simply be re-created under a different name.

Main.dll

 .exe SYS TMP cmd.exe /C b k e r n e l p l g _ d a t a getp v e r s i o n n a m e s l e e p f r e q c m d s p l u g i n s x%s_%X C:\ a d d r t y p e s e r v e r s i c m p _ a d d r b u i l d _ 
 i d str.sys \drivers\ \ \ . \ \ \ . \ G l o b a l \ %s%s { 9 D D 6 A F A 1 - 8 6 4 6 - 4 7 2 0 - 8 3 6 B - E D C B 1 0 8 5 8 6 4 A } main.dll .bdata {3D5A1694-CC2C-4ee7-A3D5-A879A9E3A623} 
 POST %.2X & = bid nt %d cn ln id ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ Content-Type: application/x-www-form-urlencoded _TEST_ .dll user32.dll advapi32.dll 
 wininet.dll ws2_32.dll DispatchCommand DispatchEvent GetLastError GetCurrentProcessId ExitThread CloseHandle KERNEL32.dll wsprintfA USER32.dll CoCreateInstance CoInitializeEx ole32.dll 
 OLEAUT32.dll WS2_32.dll RtlUnwind InterlockedExchange VirtualQuery main.dll ConfAllocGetTextByNameA ConfAllocGetTextByNameW ConfGetListNodeByName ConfGetNodeByName ConfGetNodeTextA 
 ConfGetNodeTextW ConfGetPlgNode ConfGetRootNode DownloadFile PlgSendEvent RkLoadKernelImage RkProtectObject SrvAddRequestBinaryData SrvAddRequestStringData  

Main.dll is the payload that gets injected into a trusted svchost.exe process. As you can see, it contains a lot of readable strings, str.sys for example. We can see str.sys in action here:


Overall, this rootkit was certainly a step up from most SSDT hooking/modification rootkits at the time. It can be a pain in the ass to remove if you don't kill everything properly : )

Thanks for reading.

References

Black Energy 2.1+
BlackEnergy Version 2 Analysis
