Popsomp Hills
While Chinese people are happily using my reversed Sinowal source (which I was informed of months ago already), and the court process against the Stoned Bootkit goes on, I am happily reversing all the bootkits out there. I would suggest let us all pop some pills!
Active Bootkit development in China
A forum posting here and a comparison with my Sinowal analysis reveal that parts were copied 1:1; the full source is available at http://pastebin.ca/1886370:

[Stolen:1]
; create 16 bit code and assembly only instructions up to 386 instruction set
[bits 16]
CPU 386

[Original:15]
; create 16 bit code and assembly only instructions up to 386 instruction set
[bits 16]
CPU 386

[Stolen:35]
; execute original Master Boot Record
jmp word 0000h:7C00h

[Original:87]
; execute original Master Boot Record
jmp word 0000h:7C00h

[Stolen:40]
times 510-($-$$) db 0
Boot_Signature dw 0AA55h

[Original:348]
times 510-($-$$) db 0
Boot_Signature dw 0AA55h
"create 16 bit code" is one of the things I always write first in an assembler source file, also in my operating system ToasterOS since 2005. For example ToasterOS' FAT32 bootloader:

[bits 16]                    ; create a 16 Bit Code
CPU 386                      ; Assemble instructions up to the 386 instruction set
%define Type_Legacy_System
%include "interface.asm"
org 7C00h
...
Trojan.Alipop
There is again a new bootkit, called Trojan.Alipop. I took a short look at the bootloader and can say it is different from what I have seen so far:

0000004E  0F31          rdtsc
00000050  6691          xchg eax,ecx
00000052  0F31          rdtsc
00000054  6629C8        sub eax,ecx
00000057  663D01000000  cmp eax,0x1
0000005D  7E24          jng 0x83

It reads the time stamp counter before and after the xchg and checks the difference. This used to be a good anti-VM check, but nowadays most VMs run through hardware virtualization on the real CPU anyway, and the remaining emulators now report the time stamp counter correctly. The bootkit further screws up the desktop, installs other software and a kind of desktop toolbar, and sets the Internet Explorer home page to a Google search for some Chinese term.
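As a defender-side complement to the listing above, here is an added example (not code from the original post) that scans a raw 512-byte boot sector for exactly this rdtsc/xchg/rdtsc/sub sequence, decodes the following cmp threshold and jng target, and checks the 0xAA55 boot signature. The byte encodings are taken from the listing; the two sample sectors are constructed here so the script runs offline, and the hypothetical sample places the sequence at offset 0x4E to reproduce the quoted offsets.

```python
"""Scan a raw boot sector for the rdtsc timing check quoted in the Trojan.Alipop
listing. Added example, not the original post's code; sample sectors are constructed.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55

# Byte encoding of the quoted instructions (16-bit code, 0x66 operand-size prefix):
# rdtsc / xchg eax,ecx / rdtsc / sub eax,ecx
RDTSC_TIMING_PATTERN = bytes.fromhex("0F31" "6691" "0F31" "6629C8")
CMP_EAX_IMM32 = bytes.fromhex("663D")   # cmp eax, imm32
JNG_SHORT = 0x7E                        # jng/jle rel8


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector is 512 bytes and ends with the little-endian 0xAA55 signature."""
    return len(sector) == SECTOR_SIZE and struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE


def find_rdtsc_timing_checks(sector: bytes) -> list:
    """Locate every rdtsc/xchg/rdtsc/sub sequence and decode the compare that follows.

    Each hit records the offset of the first rdtsc; when the sequence is followed by
    'cmp eax, imm32' and a short jng, the threshold and the absolute branch target
    are decoded as well, otherwise those fields stay None.
    """
    hits = []
    start = 0
    while True:
        idx = sector.find(RDTSC_TIMING_PATTERN, start)
        if idx < 0:
            return hits
        hit = {"offset": idx, "threshold": None, "branch_target": None}
        cmp_at = idx + len(RDTSC_TIMING_PATTERN)
        if sector[cmp_at:cmp_at + 2] == CMP_EAX_IMM32 and len(sector) >= cmp_at + 6:
            hit["threshold"] = struct.unpack_from("<I", sector, cmp_at + 2)[0]
            jcc_at = cmp_at + 6
            if len(sector) >= jcc_at + 2 and sector[jcc_at] == JNG_SHORT:
                rel8 = struct.unpack_from("<b", sector, jcc_at + 1)[0]
                # rel8 is relative to the instruction after the 2-byte jng
                hit["branch_target"] = jcc_at + 2 + rel8
        hits.append(hit)
        start = idx + 1


def build_sample_sector() -> bytes:
    """Constructed sample: the quoted sequence placed at offset 0x4E, as in the listing."""
    code = bytearray(b"\x90" * 0x4E)                 # NOP filler (constructed)
    code += RDTSC_TIMING_PATTERN
    code += CMP_EAX_IMM32 + struct.pack("<I", 1)     # cmp eax, 0x1
    code += bytes([JNG_SHORT, 0x24])                 # jng 0x83
    code += b"\x00" * (510 - len(code))
    code += struct.pack("<H", BOOT_SIGNATURE)
    return bytes(code)


def build_clean_sector() -> bytes:
    """Constructed benign sector: a jump-to-self stub with the signature, no timing check."""
    code = bytearray(b"\xEB\xFE")                    # jmp $
    code += b"\x00" * (510 - len(code))
    code += struct.pack("<H", BOOT_SIGNATURE)
    return bytes(code)


def scan_sector(sector: bytes) -> dict:
    """Summarize one sector: signature present and any rdtsc timing checks found."""
    return {
        "boot_signature": has_boot_signature(sector),
        "rdtsc_checks": find_rdtsc_timing_checks(sector),
    }


if __name__ == "__main__":
    for name, sector in (("sample", build_sample_sector()), ("clean", build_clean_sector())):
        result = scan_sector(sector)
        print(name, result["boot_signature"],
              [(hex(h["offset"]), h["threshold"], hex(h["branch_target"] or 0))
               for h in result["rdtsc_checks"]])
```

To run it against a real image, read the first 512 bytes of a disk dump and pass them to scan_sector; the decoded threshold and branch target let you confirm that a hit is the full compare-and-branch construct rather than a chance occurrence of the bytes in data.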
Last modified: 6 August 2010