Win32 / Gapz: The Last Episode
Our colleagues Evgeny Rodionov and Alexander Matrosovconducted a Win32 / Gapz code analysis starting in December 2012. This analysis revealed more and more interesting details about this threat.

We already wrote about Gapz earlier:
- Gapz and Redyms droppers based on Power Loader code
- Modern bootkit technology and detailed analysis of Win32 / Gapz
Win32 / Gapz has a fairly low prevalence (since the beginning of its first detection, we have recorded less than a hundred active samples). Most of these findings were in Russia. All known C&C panels were already closed at the time the analysis began in December 2012. The domains for loading the additional payload have been registered through the DynDNS service. The following is a list of URLs that were found in dropper after unpacking:
- hxxp: //xpiracyrt.is-into-cars.com/apps/32.lz
- hxxp: //retguard.is-into-cars.com/apps/32.lz
- hxxp: //soparesolv.is-into-cars.com/apps/32.lz
- hxxp: //xpiracyrt.is-into-cars.com/upds/7/1/upd.lz
- hxxp: //retguard.is-into-cars.com/upds/7/1/upd.lz
- hxxp: //soparesolv.is-into-cars.com/upds/7/1/upd.lz
The Win32 / Gapz.C modification , which contains the MBR infection functionality, sends debug information of the infection process to the following IP address: The

hosting for this IP address is located in Germany and, at the time of publication, is still online.

We found that this IP is associated with several domains: meetafora.ru, sukarabotay.com. Both of these domains were registered in 2011, and expire in mid-2013. Now this IP has already stopped accepting debug information from the bot.
In all Gapz modifications that contained the bootkit, the addresses of the additional C&C were extracted from the configuration file, which is stored in a hidden FS. This file is embedded in the main kernel-mode component located on a hidden drive. C&C domains are generated as third-level domains (a variable component is a third-level domain) using the dynamic DNS service strangled.net (used in Win32 / Gapz.A ).

An example of network interaction with such a domain is presented below.

The Win32 / Gapz.C modification uses a different domain generation scheme:

Interaction with the network in kernel mode is based on the manual implementation of the TCP / IP stack and the HTTP protocol in order to circumvent the check using local IPS / IDS.For complete information on stack implementation, see here .
We believe that the Win32 / Gapz family is the most complex bootkit we've ever seen before. The following is a table comparing Gapz features with other prominent bootkit representatives:

Hidden File System Reader with FS Gapz support.
To assist security professionals and AV receivers who encounter Gapz, we updated our Hidden File System Reader tool with the requirements for this bootkit. Now it can also save hidden FS components from Gapz. You can download the utility here .
