Nailuj Rootkit Analysis

Lately a lot of malwares are using rootkit techniques. Private and antivirus companies are trying to develop tools against malwares but, despite the fact that most of the techniques are well documented around the net, only a few companies are getting positive results. This particular malware is a perfect example because when it came out only a few tools were able to recognize its nasty operations. Don't know what you think but that's sound a little bit strange for me.

The malware, named Nailuj by some antivirus companies, is composed of 3 files: VideoAti0.exe, VideoAti0.dll and VideoAti0.sys. I won't talk about all the files, but will focus my attention on only one, the sys file. This malware represents a nice target for those who want to approach a malware for the very first time because it uses well-known techniques, such as hiding files and hooking functions. Nothing hard once you have dealt with them at least once. In addition, the sys file is compiled in debug mode and every operation performed by the malware is documented inside the code. Yes, every time it does something it reveals its success or failure, printing out a comment using DbgPrint function. This is really useful because you know what it will do before starting to analyze the code, not so bad. Do you want something more for your first malware analysis?

Most of the analysis can be done with a disassembler but support from a kernel mode debugger comes in handy. To run the driver, I have used Kernel-Mode Driver Manager by Four-F. Using this software, you don't have to deal with the malware's other files.