Looking for some specific Malware

[addepalli]

Hello Everybody,
I am new to this forum.
I am interested in reversing malware and I am currently researching a couple of specific malware infections.

The first type is a Winlogon Notify DLL (random file names) which modifies file permissions for itself - the user cannot modify or remove file permissions - this prevents the file from being deleted and the infection can stay alive this way.

The second type of infection is again a Winlogon Notify DLL (append.dll) - this file gets dropped into the system32 folder even if deleted. Autoruns/Process explorer/HJT do not show any indications of malicious processes running - but the file gets dropped.

The only abnormal thing about the system that had the append.dll was that the system had a device driver "nvantv" (HKLM\system\currentcontrolset\services\nvnatv) with the name "Nvidia Native Rendering".
This was abnormal because the system had a Sis chipset based graphics card.

Has anyone come across these malware or have access to these samples?
More than analysing these samples, I am actually looking at determining removal steps.

I am also looking for good examples of sites with drive-by-downloads (no-pop-ups, silent installs).

I dont know if I am breaking the rules here.. If I am, please let me know.

Cheers,
Prasad Addepalli

[sowhat-x]

...Welcome on board! 

Has anyone come across these malware or have access to these samples?

...append.dll / nvantv.sys:haven't ever came across these ones personally...
A bit of googling revealed there exists an 'append.dll' out there,part of the Vundo family...
But from what you've described above though,haven't you already got access to these samples? 
If not,probably your best bet to find them,is to search their names/hashes over at Offensive Computing...

More than analysing these samples,I am actually looking at determining removal steps.

Winlogon Notify...my guess is you should remove the relevant entries for these .dlls from the registry,
as for the 'nvantv" driver,there are quite a few tools that can install/load and unload drivers...
a few reboots will most probably be required,in "safe mode" or so.

But these should only be considered as some very general assumptions...
for example,are you 100% sure these names/entries on the aformentioned system,
aren't just leftovers from some kind of unsuccessful un-installation?
NVidia is known to add quite a few of autostart entries,
installers are generally also widely known to be overbloated without reason...
Having said the above,for proper disinfection and specific malware removal instructions,
the following post lists more than a few sites that specialize in such tasks...
http://www.malwaredomainlist.com/forums/index.php?topic=40.0

I am also looking for good examples of sites with drive-by-downloads (no-pop-ups, silent installs).

I wish I could give you a more specific answer-'good example' by myself,
haven't gone out personally for malware hunting these latest days though.
There's plenty of "drive-by-download" sites recorded in the list...
some of them are also "loosely" described in the "Malicious Domains" sub-forum:
sites with obfuscated exploits in hidden iframes,
malware samples camouflaged via pseudo file extensions,and not only...
Allow me to make a guess in the wild...
you want to test some behavioral-blocking malware prevention application or so?

I dont know if I am breaking the rules here.. If I am, please let me know.

...you shouldn't even worry about that...
Besides "common logic",there are basically just two rules...and personally,
I wouldn't even call them as "rules",but exactly what "common logic" suggests...
http://www.malwaredomainlist.com/forums/index.php?topic=1282.0

[addepalli]

Thanks for the reply 

But from what you've described above though,haven't you already got access to these samples?

I do have the samples - I have both the files that I talked about - I confirmed these files were malicious at virustotal - at least - one of the scanners determinted that these files were malicious.
I am actually trying to re-infect my test box so that i can check what these files actually do..

I do know a very easy method of taking even winlogon Notify type extensions. Just have to remove the file permissions; can be done even in normal mode..
But I have started seeing cases where these files dont allow the permissions to be modified..
Its either ownership..or something else with the infection methods thats making these files unique.
I will continue searching for methods.. if anyone comes across a case - please do pass me on a sample or tell me a way of getting it.

you want to test some behavioral-blocking malware prevention application or so?

More than testing (testing is what I do mainly), I am currently working on a training session - I need demonstrate a drive-by-download in a vmware box during a session. I guess I should be able to locate a good one by running a few - right? (I know these sites go on and off the list - so I will be doing a screen capture and playing a the demo).

...you shouldn't even worry about that...

I am trying to specialize in signature less removal techniques - I have not stepped into full time reversing of malware - I am currently working on the behavioural or dynamic part of malware analysis.
Any insights on this.. please do let me know....

Thank you

[sowhat-x]

- at least one of the scanners determined that these files were malicious

Lol,I wouldn't put too much trust in VirusTotal's results,
as it's quite easy for AV heuristics to get fooled...
It's way more than a few times that I've came across legitimate apps,
that at least 30-40% of the AV products triggered a false alarm... 
Not talking about actual malware that goes completely undetected,
as this is by far more common...in short,you can never be sure about with AV's detection rate,
especially nowadays that things evolve way too fast,even VirusTotal states that clearly...
Anubis is also a nice service to keep in mind and make use of,
in case the sample is smaller than 2mb...gives a really useful 'behavioral' report:
http://analysis.seclab.tuwien.ac.at/

But I have started seeing cases where these files dont allow the permissions to be modified..

...windows permissions,a bit of pain in the...when things got way too much complicated,
I used to fire-up a command prompt under 'system' account,
then did the job with SetACL,xcacls,subinacl and few other tools taken from the resource kits...
SetACL is here...open source project: http://setacl.sourceforge.net/
ACLView is also a quite good solution,if (...for some weird reason) you dislike command line apps...
http://www.nativecs.com/page.en.php?f=data/en/aclview.desc

For deleting files regardless of permissions/handles/whatever,
until now I have been using "Unlocker",it has never failed on me,driver based...
He,now that was a nice coincidence,just yesterday I stumbled upon a tool,
that claims that it deletes files while bypassing ntfs permissions,
but it doesn't use a driver to get the trick done...
http://seconfig.sytes.net/delany/
Take also a look at his BreakPE,quite dangerous tool though,lol...

...working on the behavioral or dynamic part of malware analysis...any insights on this...

Pheew...we could talk hours,if not days about this,he-he...
I mean,it's a quite general statement,lol...lot's of stuff,tools,info and tutorials in the net,
in order to make the task of behavioral analysis easier:
the SysInternals suite obviously,the malware analysis tools from iDefense,
Regshot,api tracers,and the list goes on...now,ok,let's see/think...
you said you need to record a VMware session,in order to make a presentation afterwards...
my guess you'll probably find this recently released utility more than useful then:
http://zairon.wordpress.com/2007/09/19/tool-compare-vmware-snapshots/
VMware can be kind of tricky though,lots of malware use anti-vmware tricks nowadays...
but for the most part of it,DeepFreeze or say Qemu and similar apps can give a solution to that,
in case you don't have physical access to many different boxes...

I guess I should be able to locate a good one by running a few - right?

...had came across more than a few chinese "drive-by-download" domains,
in the middle of November or so...
some of them attempted checking the os/browser version,
and depending on this info,they ran multiple ms06/ms07-based exploits...
thereby if you play a bit around with the http addresses,
that are mentioned in the latest threads in the 'Malicious Domains',
it's almost certain that you'll stand..."lucky",ie.infected...
It's been while since though,thereby it's quite probable,
that some of these domains might have got killed by their admins or the isp providers...
The main list is regularly updated though,
thereby it really won't be difficult to stumble upon what you need...

[addepalli]

Had another case today of a malware DLL that modifies permissions..

c:\windows\system32\dx8v.dll

Tried Unlocker, Was not able to remove permissions even with ACLview, DelAny also did not work..
The file inherits its permissions from some other file..
still researching for a removal process..
I guess I am digressing from the topic here..but can we start a new thread for reporting and discussing this kind of stuff..I am seeing quite a few..

Thanks,
Prasad..

PS.. Thank you for those mxlinx links..