Back to Home

Win32 / Gapz: Latest Episode / ESET NOD32 Blog

gapz

Win32 / Gapz: The Last Episode

    Today we publish the last part of the Win32 / Gapz bootkit analysis , and also want to submit a PDF that contains an analysis of this interesting threat with all the technical details. His analysis took several months of intensive reverse. In Gapz, we saw that the developers of these types of threats have reached a new level of complexity. We also believe that Win32 / Gapz, in fact, is the most complex bootkit of all that we have seen before. You can find a detailed technical analysis of this threat in our PDF document Mind the Gapz: The most complex bootkit ever analyzed? .

    Our colleagues Evgeny Rodionov and Alexander Matrosovconducted a Win32 / Gapz code analysis starting in December 2012. This analysis revealed more and more interesting details about this threat.



    We already wrote about Gapz earlier:

    Win32 / Gapz has a fairly low prevalence (since the beginning of its first detection, we have recorded less than a hundred active samples). Most of these findings were in Russia. All known C&C panels were already closed at the time the analysis began in December 2012. The domains for loading the additional payload have been registered through the DynDNS service. The following is a list of URLs that were found in dropper after unpacking:
    • hxxp: //xpiracyrt.is-into-cars.com/apps/32.lz
    • hxxp: //retguard.is-into-cars.com/apps/32.lz
    • hxxp: //soparesolv.is-into-cars.com/apps/32.lz
    • hxxp: //xpiracyrt.is-into-cars.com/upds/7/1/upd.lz
    • hxxp: //retguard.is-into-cars.com/upds/7/1/upd.lz
    • hxxp: //soparesolv.is-into-cars.com/upds/7/1/upd.lz

    The Win32 / Gapz.C modification , which contains the MBR infection functionality, sends debug information of the infection process to the following IP address: The



    hosting for this IP address is located in Germany and, at the time of publication, is still online.



    We found that this IP is associated with several domains: meetafora.ru, sukarabotay.com. Both of these domains were registered in 2011, and expire in mid-2013. Now this IP has already stopped accepting debug information from the bot.

    In all Gapz modifications that contained the bootkit, the addresses of the additional C&C were extracted from the configuration file, which is stored in a hidden FS. This file is embedded in the main kernel-mode component located on a hidden drive. C&C domains are generated as third-level domains (a variable component is a third-level domain) using the dynamic DNS service strangled.net (used in Win32 / Gapz.A ).



    An example of network interaction with such a domain is presented below.



    The Win32 / Gapz.C modification uses a different domain generation scheme:



    Interaction with the network in kernel mode is based on the manual implementation of the TCP / IP stack and the HTTP protocol in order to circumvent the check using local IPS / IDS.For complete information on stack implementation, see here .

    We believe that the Win32 / Gapz family is the most complex bootkit we've ever seen before. The following is a table comparing Gapz features with other prominent bootkit representatives:



    Hidden File System Reader with FS Gapz support.

    To assist security professionals and AV receivers who encounter Gapz, we updated our Hidden File System Reader tool with the requirements for this bootkit. Now it can also save hidden FS components from Gapz. You can download the utility here .

    Read Next