15/01/2018 09:23:28 - Bootkits are not dead. Pitou is back!
Pitou uses the sophisticated bootkit technique to bypass the Microsoft Kernel-Mode Code Signing policy and load its own driver (the kernel payload) on Windows. Bootkits reached the peak of their popularity between 2010 and 2012 with Sinowal, TDL4, TDSS (Olmasco), Cidox (Rovnix) and Gapz. These bootkits disappeared after 2012, and it seemed to be the end of the bootkit era. In 2014 Pitou was detected as a new bootkit, but it does not seem to have spread widely in the wild. In the last months of 2017 Pitou came back! Pitou spreads in various ways:
Pitou may be considered the last bootkit that infects MBR-partitioned disks (it cannot infect UEFI systems). Pitou is also known by the name "Backboot". The sample analyzed:
Name: 63.TMP.EXE
Size: 673,792 bytes
MD5: B6BA98AB70571172DA9731D2C183E3CC
Found: 20 September 2017
Compilation Time Date Stamp: 19 September 2017 20:55:31
First submission on VT: 2017-09-23 04:58:27
Bootkit installation
When the dropper is executed, the malware infects the Master Boot Record of the disk in the following way:
Here is a dump of the infected MBR:
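The article shows the infected sector only as an image, so the following is an added example (not TG Soft's code and not Pitou's infection routine): the checks an analyst runs on sector 0 of a suspect disk. It parses the partition table, verifies the boot signature, diffs the 446-byte bootstrap area against a trusted copy, and computes where unallocated space after the last partition begins, since the article states that the driver payload lives at the end of the disk. The sample sector, the filler bootstrap bytes and the two-byte "patch" are constructed for the demonstration and are not the real Windows or Pitou bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic MBR layout: 446 bytes of bootstrap code, four 16-byte partition
 * entries at offset 446, and the 0x55AA signature at offset 510. */
#define MBR_SIZE       512
#define MBR_CODE_SIZE  446
#define MBR_PTABLE_OFF 446
#define MBR_SIG_OFF    510

typedef struct {
    uint8_t  type;       /* 0 = unused entry */
    uint32_t lba_start;
    uint32_t lba_count;
} part_entry;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int mbr_signature_ok(const uint8_t *mbr) {
    return mbr[MBR_SIG_OFF] == 0x55 && mbr[MBR_SIG_OFF + 1] == 0xAA;
}

/* Parse the partition table; returns the number of in-use entries. */
int parse_ptable(const uint8_t *mbr, part_entry out[4]) {
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_PTABLE_OFF + 16 * i;
        out[i].type      = e[4];
        out[i].lba_start = rd32le(e + 8);
        out[i].lba_count = rd32le(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* Compare the bootstrap code with a trusted copy (a pre-infection backup or
 * the clean MBR of an identical installation). Returns the offset of the
 * first differing byte, or -1 when the code matches. */
int mbr_code_diff(const uint8_t *mbr, const uint8_t *trusted) {
    for (int i = 0; i < MBR_CODE_SIZE; i++)
        if (mbr[i] != trusted[i]) return i;
    return -1;
}

/* First LBA after the last partition. Everything from here to the end of the
 * device is unallocated space, which is where the article says the driver
 * payload is stored, so an image of that region belongs in the evidence. */
uint32_t last_allocated_lba(const part_entry p[4]) {
    uint32_t end = 0;
    for (int i = 0; i < 4; i++) {
        if (p[i].type == 0) continue;
        if (p[i].lba_start + p[i].lba_count > end)
            end = p[i].lba_start + p[i].lba_count;
    }
    return end;
}

/* Constructed sample sector (not real Windows or Pitou bytes): a filler
 * bootstrap area, one NTFS partition at LBA 2048 of 204800 sectors, and the
 * signature. With infected != 0 the first bytes are overwritten by a short
 * jump, the kind of change a bootkit makes to divert the boot path. */
void make_sample_mbr(uint8_t *out, int infected) {
    memset(out, 0, MBR_SIZE);
    for (int i = 0; i < MBR_CODE_SIZE; i++) out[i] = (uint8_t)(0x33 + i);
    uint8_t *e = out + MBR_PTABLE_OFF;
    e[0] = 0x80; e[4] = 0x07;                 /* bootable, type NTFS */
    e[8] = 0x00; e[9] = 0x08;                 /* lba_start = 0x800 = 2048 */
    e[12] = 0x00; e[13] = 0x20; e[14] = 0x03; /* lba_count = 0x32000 = 204800 */
    out[MBR_SIG_OFF] = 0x55; out[MBR_SIG_OFF + 1] = 0xAA;
    if (infected) { out[0] = 0xEB; out[1] = 0x3C; }
}

int main(void) {
    uint8_t clean[MBR_SIZE], disk[MBR_SIZE];
    part_entry parts[4];
    make_sample_mbr(clean, 0);
    make_sample_mbr(disk, 1);
    printf("signature ok: %d\n", mbr_signature_ok(disk));
    printf("bootstrap code differs at offset: %d\n", mbr_code_diff(disk, clean));
    int n = parse_ptable(disk, parts);
    printf("partitions: %d, unallocated tail starts at LBA %u\n",
           n, last_allocated_lba(parts));
    return 0;
}
```

Note that the 0x55AA signature is intact on an infected disk as well (the machine still has to boot), so it only tells you the sector is a valid MBR; the meaningful signals are the bootstrap diff and the contents of the unallocated tail, which should be imaged from a clean system rather than through the infected OS, where the stealth hooks described later can hide the sectors.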
The Pitou loader on Windows 10 64-bit uses 3 different pieces of code:
We analyzed the 32-bit driver of Pitou; the 64-bit version is similar.
The driver extracted from the end of the disk has the following characteristics:
Size: 437,248 bytes
MD5: EA286ABDE0CBBF414B078400B1295D1C
Compilation Time Date Stamp: 10 July 2017 15:59:35
No submission on VT
Fully obfuscated: hard to analyze statically
Anti-VM
Stealth
SpamBot (works entirely in kernel mode)
Obfuscation
The driver is heavily obfuscated: it contains many random strings such as "Again, one can talk, for to kill", inserted to evade AV signatures.
There are several levels of obfuscation. The first level is in DriverEntry:
DriverEntry stores the value 0x209fdc in a local variable [ebp+var_C], then calls a long series of subroutines, each of which modifies this value, until it finally executes "call [ebp+var_C]", which transfers control to the real DriverEntry.
A second level of obfuscation is the use of hashes computed over 16-byte blocks of code/data to calculate the addresses of objects, structures, strings and other data.
These hashes change on every execution of the driver, so a memory snapshot taken during one run is of little use when analyzing another.
Here is an example:
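The two obfuscation levels above, as an added illustration written for this page (it is not Pitou's code, and the transforms, the hash function and the XOR encoding are invented to show the mechanism, not recovered from the sample). Level 1 models the seeded stack slot that a chain of subroutines rewrites before "call [ebp+var_C]"; the seed 0x209fdc is the one the article reports, while step1..step4 and the load-time adjustment are assumptions. Level 2 models addresses that exist only as constants combined with the hash of a 16-byte block: re-keying the block on each run re-encodes every constant, which is why a snapshot from one run does not resolve in the next.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- Level 1: computed entry point -------------------------------------
 * The obfuscated DriverEntry seeds a stack slot with an immediate (the
 * article reports 0x209fdc), passes it through a chain of subroutines that
 * each rewrite it, and ends with "call [ebp+var_C]". The transforms below
 * are invented for the illustration; only the shape matches the article. */
typedef int (*entry_fn)(void);

static int real_driver_entry(void) { return 0x1234; }  /* stand-in for the real DriverEntry */

static uintptr_t step1(uintptr_t v) { return v ^ 0x5EEDu; }
static uintptr_t step2(uintptr_t v) { return (v << 3) | (v >> (sizeof(v) * 8 - 3)); }
static uintptr_t step3(uintptr_t v) { return v + 0x11u; }

/* The last step folds in a load-time value. In the driver that role is
 * played by the image base (the seed behaves like an RVA to be relocated);
 * in this user-mode illustration the adjustment is derived once from the
 * real function's address, which is an assumption about the mechanism. */
static uintptr_t step4(uintptr_t v) {
    static uintptr_t adjust, ready;
    if (!ready) {
        adjust = (uintptr_t)real_driver_entry - step3(step2(step1(0x209fdcu)));
        ready = 1;
    }
    return v + adjust;
}

int obfuscated_driver_entry(void) {
    uintptr_t var_C = 0x209fdcu;   /* seed, as in the disassembly */
    var_C = step1(var_C);
    var_C = step2(var_C);
    var_C = step3(var_C);
    var_C = step4(var_C);           /* now the address of the real entry */
    return ((entry_fn)var_C)();     /* "call [ebp+var_C]" */
}

/* ---- Level 2: addresses derived from 16-byte block hashes --------------
 * Instead of storing a pointer, the code stores a constant that only yields
 * the pointer when combined with the hash of a 16-byte block of the driver's
 * own code/data. If that block is rewritten on each run, every stored
 * constant is re-encoded and a snapshot from one run resolves to garbage
 * in the next. FNV-1a and the XOR encoding are assumptions. */
#define BLOCK 16

uint32_t hash16(const uint8_t *block) {
    uint32_t h = 0x811C9DC5u;
    for (int i = 0; i < BLOCK; i++) { h ^= block[i]; h *= 0x01000193u; }
    return h;
}

/* Constructed "data section" holding strings the payload needs. */
static const char data_section[] = "HELO\0MAIL FROM:\0RCPT TO:\0";
#define OFF_MAIL_FROM 5u

static uint8_t  key_block[BLOCK];  /* a 16-byte region the driver rewrites per run */
static uint32_t enc_mail_from;     /* hash16(key_block) ^ OFF_MAIL_FROM */

/* Simulates one execution: re-key the block with a per-run nonce and
 * re-encode the constants that depend on its hash. */
void rekey(uint8_t nonce) {
    for (int i = 0; i < BLOCK; i++) key_block[i] = (uint8_t)((0x40 + i) ^ nonce);
    enc_mail_from = hash16(key_block) ^ OFF_MAIL_FROM;
}

uint32_t current_mail_from_constant(void) { return enc_mail_from; }

/* Resolve a string pointer from the live block contents and a stored constant. */
const char *resolve_string(uint32_t enc) {
    uint32_t off = hash16(key_block) ^ enc;
    if (off >= sizeof data_section) return NULL;  /* stale or forged constant */
    return data_section + off;
}

int main(void) {
    printf("level 1: real entry returned 0x%x\n", obfuscated_driver_entry());
    rekey(0x11);
    uint32_t snapshot = current_mail_from_constant();
    printf("run 1: %s\n", resolve_string(snapshot));
    rekey(0x22);                            /* next run: block and hash change */
    const char *stale = resolve_string(snapshot);
    printf("run 2 with run-1 constant: %s\n", stale ? stale : "(unresolvable)");
    printf("run 2 with run-2 constant: %s\n", resolve_string(current_mail_from_constant()));
    return 0;
}
```

The practical consequence for analysis is the one the article draws: static cross-references do not exist, and a dump must be taken from the very run being debugged. A software breakpoint placed inside one of the hashed 16-byte blocks changes its hash, so analysts should prefer hardware breakpoints or a debugger-free tracing approach when stepping through such code.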
Anti-VM
Pitou checks whether it is running under a VM, a sandbox, or an emulated/virtualized environment:
If it is running under a VM or in an emulated/virtualized environment, it stops working, so dynamic analysis requires bare metal or a VM whose artifacts are hidden.
Stealth
Pitou uses stealth techniques: like other bootkits, it hooks the Miniport Device Object of the disk to intercept read/write requests for disk sectors. On the analyzed system the hooked MajorFunction entries appear on \Driver\ACPI, and the analysis tool cannot attribute the hook addresses to any loaded module ("Hook in ???"):
\Driver\ACPI -> MajorFunction[IRP_MJ_DEVICE_CONTROL] = 81aefe43 Hook in ???
81aefe43 55 push ebp
81aefe44 8bec mov ebp,esp
81aefe46 51 push ecx
81aefe47 53 push ebx
81aefe48 8b5d08 mov ebx,[ebp+0x8]
81aefe4b 33c0 xor eax,eax
\Driver\ACPI -> MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = 81ae9a5f Hook in ???
81ae9a5f 55 push ebp
81ae9a60 8bec mov ebp,esp
81ae9a62 83e4f8 and esp,0xf8
81ae9a65 83ec24 sub esp,0x24
81ae9a68 833d68b9b48100 cmp dword ptr [81b4b968],0x0
81ae9a6f 8b4d0c mov ecx,[ebp+0xc]
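The condition the tool reports above ("Hook in ???") is that a dispatch entry points to an address that belongs to no known module. The following is an added example (not TG Soft's tool and not Windows kernel code) of the same check applied to a DRIVER_OBJECT dispatch table: every MajorFunction[] pointer must fall inside the owning driver's image or inside ntoskrnl, because unused slots legitimately point to the kernel's IopInvalidDeviceRequest. The driver_object struct is a minimal stand-in for the real structure, the acpi.sys and ntoskrnl image ranges are assumed, and the two hooked values are the addresses printed in the dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IRP major function codes (WDK values); the two hooked in the dump above. */
#define IRP_MJ_DEVICE_CONTROL          0x0E
#define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0F
#define IRP_MJ_MAXIMUM_FUNCTION        0x1B

/* Minimal stand-in for the parts of DRIVER_OBJECT the check needs. A real
 * scanner reads DriverStart/DriverSize and MajorFunction[] from the object
 * itself, or from a memory image with WinDbg or Volatility. */
typedef struct {
    const char *name;
    uintptr_t   driver_start;
    uintptr_t   driver_size;
    uintptr_t   major_function[IRP_MJ_MAXIMUM_FUNCTION + 1];
} driver_object;

/* Flag dispatch entries that point neither into the owning driver's image
 * nor into ntoskrnl (unused slots legitimately point to the kernel's
 * IopInvalidDeviceRequest). Returns the count and fills idx[] with the
 * offending major function codes. */
int find_hooked_dispatch(const driver_object *d, uintptr_t nt_start, uintptr_t nt_size,
                         int idx[IRP_MJ_MAXIMUM_FUNCTION + 1]) {
    int n = 0;
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        uintptr_t p = d->major_function[i];
        int in_driver = p >= d->driver_start && p < d->driver_start + d->driver_size;
        int in_kernel = p >= nt_start && p < nt_start + nt_size;
        if (!in_driver && !in_kernel) idx[n++] = i;
    }
    return n;
}

/* Constructed sample mirroring the dump: assumed image ranges for acpi.sys
 * and ntoskrnl, unused slots pointing into the kernel, a few entries that
 * acpi.sys implements pointing into its own image, and the two hooked slots
 * holding the addresses printed in the article. */
#define NT_START 0x82a00000u
#define NT_SIZE  0x00400000u

void make_sample_acpi(driver_object *d) {
    d->name = "\\Driver\\ACPI";
    d->driver_start = 0x8a200000u;
    d->driver_size  = 0x00060000u;
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        d->major_function[i] = NT_START + 0x1234u;        /* IopInvalidDeviceRequest */
    d->major_function[0x00] = d->driver_start + 0x1a00u;  /* IRP_MJ_CREATE */
    d->major_function[0x02] = d->driver_start + 0x1b00u;  /* IRP_MJ_CLOSE */
    d->major_function[0x1b] = d->driver_start + 0x2000u;  /* IRP_MJ_PNP */
    d->major_function[IRP_MJ_DEVICE_CONTROL]          = 0x81aefe43u;
    d->major_function[IRP_MJ_INTERNAL_DEVICE_CONTROL] = 0x81ae9a5fu;
}

int main(void) {
    driver_object acpi;
    int idx[IRP_MJ_MAXIMUM_FUNCTION + 1];
    make_sample_acpi(&acpi);
    int n = find_hooked_dispatch(&acpi, NT_START, NT_SIZE, idx);
    for (int i = 0; i < n; i++)
        printf("%s -> MajorFunction[0x%02x] = %08lx  outside driver and kernel\n",
               acpi.name, idx[i], (unsigned long)acpi.major_function[idx[i]]);
    return 0;
}
```

The check is only as good as the module list it is compared against: a driver loaded by a bootkit before the OS is not in the normal loaded-module list, which is exactly why the hook addresses show up as "???" rather than as a module name. Treating "points into no known image" as a finding, instead of silently skipping such entries, is what makes the check useful against this class of malware.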
C&C server
Pitou connects to a C&C server at IP 195.154.237.14, TCP port 7384, hosted in Paris.
It receives the commands to send spam in encrypted form:
If Pitou cannot reach the C&C server, it generates 4 domains with a DGA, for example:
SpamBot
Pitou sends spam from the victim's PC; this is done entirely in kernel mode.
Here are some examples of spam sent by Pitou:
As you can see, Pitou sends Viagra and Cialis spam.
TG Soft S.r.l. - via Pitagora 11/B, 35030 Rubàno (PD), ITALY - C.F. e P.IVA 03296130283 |