As you can see in this image, there is evidence of a bootkit present in the solution; however, the files have been deleted by either the seller or someone who had the source before me. The deleted files have the same names as those in the Rovnix bootkit (from the leaked Carberp source), so I can say with 100% certainty that the bootkit used by KINS is the one from the Carberp leak.
This is some basic code to allow execution of 64-bit instructions from inside a 32-bit (wow64) process; I explained how this sort of thing is done in a previous blog post. The code was taken from rewolf's blog.
The above code makes use of the code taken from rewolf; it allows the bot to escape from the wow64 emulation layer. This is useful because the wow64 layer prevents 32-bit processes from injecting into 64-bit processes on a 64-bit system; KINS uses this code to inject into 64-bit processes from inside a 32-bit (wow64) process.
After a quick look, I wasn't able to find any evidence of a rootkit; however, I did find this. The code keeps attempting to read the malware's file until it succeeds, then keeps rewriting the file and registry key every 2 seconds. You'll notice the local variable "hFile" isn't actually used, so the check is useless.
I have only highlighted the interesting things I found in the source; the rest of the code is taken from Zeus. However, there is a lot of evidence in the solution that points to the presence of a bootkit and some exploits: MS10-073, MS10-092, and a spooler elevation (possibly MS10-061). You can also read xylitol's post about it here.