Saturday, August 11, 2012

Dropper of kernel-mode stealer

While searching for interesting, unknown malware samples, I came across a report that caught my attention (
The malware has a user-mode and a kernel-mode component and at first glance looks like a legitimate program (.sys + .inf files). By typing one of the registry entries it creates (NdisrdMP.ndi) into the search mask, I discovered several reports of earlier (and also widely detected) versions of this family. Judging by the dates, the first uploaded sample is from 2009, so this malware family has been in use at least since then.
Unfortunately I did not have access to the ThreatExpert database, so I asked rkhunter from whether he could provide me with a copy. So thanks go to him!

This paper covers the static analysis of the dropper of this malware. You can find the rest of the analysis (kernel-mode payload + additional components) on rkhunter's blog at

Whitepaper download:
