TG Soft's Research Centre (C.R.A.M.) has analyzed in recent months new versions of the bootkit dubbed Pitou. From September to October 2017 we have seen new samples of Pitou in the wild. The first version of Pitou was released in April 2014. It may be an evolution of the rootkit "Srizbi" developed in 2008. Pitou is a spambot: its main goal is to send spam from the victim's computer.

CONTENTS
- Bootkit installation
- Switch from Real Mode to Protected Mode on Windows XP 32-bit
- Pitou on Windows 10 64-bit
- Pitou Driver 32-bit
- Pitou & Curiosity
- IOC
- Conclusions
Here we can see the dump of the infected MBR:

[Figure: dump of the infected MBR]
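A bootkit like Pitou installs itself by rewriting the boot code of the MBR and parking its driver elsewhere on the disk, so the first defensive check is to compare the MBR read from the raw disk against a known-good baseline. The following script is an added example, not code from TG Soft or from the Pitou analysis: it parses a 512-byte MBR (boot code, four partition entries, 0x55AA signature), hashes the bootstrap region against a baseline digest and reports anomalies. The sample MBRs, the "clean" boot-code bytes and the patched variant are constructed for the example and are not taken from the infected dump above.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bytes 0..445 hold the boot code a bootkit overwrites
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries into dicts (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the known-good baseline."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR size {len(mbr)}"]
    if mbr[-2:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest()
    if digest != baseline_bootstrap_sha256:
        findings.append(f"bootstrap code differs from baseline (sha256 {digest[:16]}...)")
    entries = parse_partition_table(mbr)
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for n, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{e['status']:02x}")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one active NTFS partition at LBA 2048, signature."""
    code = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")[:BOOTSTRAP_SIZE]
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                         2048, 1_000_000)
    table = entry0 + b"\x00" * 48          # remaining three entries empty
    return code + table + BOOT_SIGNATURE


# Constructed "clean" boot code (a short jump followed by NOPs; not a real bootloader).
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 60)
CLEAN_BASELINE = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_SIZE]).hexdigest()

# Constructed "modified" variant: the first bytes of the boot code were replaced, which is
# what a bootkit does when it redirects the boot path to its own code on disk.
PATCHED_MBR = b"\xfa\x31\xc0\x8e\xd8" + CLEAN_MBR[5:]


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        print(label, check_mbr(sample, CLEAN_BASELINE) or "OK")
```

On a real system the 512 bytes would be read from the physical disk device rather than through the file system, since an active bootkit can filter sector reads (see the Stealth section); the baseline digest is taken from the same machine before infection or from a trusted boot manager build.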
The loader of Pitou on Windows 10 64 bit uses 3 different codes:
We have analyzed the 32-bit driver of Pitou; the 64-bit version is similar.
The driver extracted from the end of the disk has the following characteristics:
- Size: 437,248 bytes
- MD5: EA286ABDE0CBBF414B078400B1295D1C
- Compilation Time Date Stamp: 10 July 2017 15:59:35
- No submission on VT
- Fully obfuscated: difficult to analyze statically
- Anti-VM
- Stealth
- SpamBot (works completely in kernel mode)
Obfuscation
The driver is obfuscated, as we can see: it contains a lot of random strings such as "Again, one can talk, for to kill" to evade AVs.
We can see several levels of obfuscation. The first level is at "DriverEntry":

[Figure: disassembly of the obfuscated DriverEntry]
DriverEntry sets a local variable [ebp+var_C] to the value 0x209fdc, then calls a long series of subroutines, each of which modifies this value, until it finally executes "call [ebp+var_C]", which transfers control to the real "DriverEntry".
A second level of obfuscation is the use of hashes of 16-byte blocks of code/data to compute the addresses of objects, structures, strings, data, etc.
These hashes change on every execution of the driver, so it is very difficult to take a snapshot for analysis.
Here is an example:

[Figure: example of the hash-based address computation]
Anti-VM
Pitou checks whether it is running under a VM, a sandbox or an emulated/virtualized environment:
If it is running under a VM or in an emulated/virtualized environment, it stops working.
Stealth
Pitou uses stealth techniques like other bootkits: it hooks the disk Miniport Device Object to intercept read/write requests for disk sectors:

```
\Driver\ACPI -> MajorFunction[IRP_MJ_DEVICE_CONTROL] = 81aefe43 Hook in ???
81aefe43 55              push ebp
81aefe44 8bec            mov ebp,esp
81aefe46 51              push ecx
81aefe47 53              push ebx
81aefe48 8b5d08          mov ebx,[ebp+0x8]
81aefe4b 33c0            xor eax,eax
\Driver\ACPI -> MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = 81ae9a5f Hook in ???
81ae9a5f 55              push ebp
81ae9a60 8bec            mov ebp,esp
81ae9a62 83e4f8          and esp,0xf8
81ae9a65 83ec24          sub esp,0x24
81ae9a68 833d68b9b48100  cmp dword ptr [81b4b968],0x0
81ae9a6f 8b4d0c          mov ecx,[ebp+0xc]
```
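The "Hook in ???" in the listing above is the tell: the MajorFunction dispatch entries no longer point into the image that owns the driver object but into memory no loaded module accounts for. The following script is an added example, not TG Soft's tool or code from the Pitou analysis: it parses listing lines in the format shown above, resolves each handler address against a loaded-module map and flags entries that fall outside every module or into an unexpected one. The module map, the expected-owner table and the clean IRP_MJ_CREATE line are constructed for the example; the two flagged addresses are the ones from the listing.

```python
import re

# Constructed module map (name, base, size) standing in for the loaded-module list a
# memory-forensics or anti-rootkit tool would provide. Addresses are invented for the example.
MODULE_MAP = [
    ("ntoskrnl.exe", 0x80400000, 0x00400000),
    ("acpi.sys",     0x81A00000, 0x00040000),
]

# Which image is expected to own each driver object's dispatch routines (constructed).
EXPECTED_OWNER = {r"\Driver\ACPI": "acpi.sys"}

# Listing lines in the format shown above. The two "???" entries are the page's own; the
# IRP_MJ_CREATE line is a constructed clean entry whose handler resolves into acpi.sys.
SAMPLE_LISTING = [
    r"\Driver\ACPI -> MajorFunction[IRP_MJ_CREATE] = 81a12345",
    r"\Driver\ACPI -> MajorFunction[IRP_MJ_DEVICE_CONTROL] = 81aefe43 Hook in ???",
    "81aefe43 55 push ebp",  # disassembly lines are skipped by the parser
    r"\Driver\ACPI -> MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = 81ae9a5f Hook in ???",
]

DISPATCH_LINE = re.compile(
    r"^(?P<driver>\\Driver\\\S+) -> MajorFunction\[(?P<irp>\w+)\] = (?P<addr>[0-9a-fA-F]+)"
)


def parse_dispatch_lines(lines):
    """Yield (driver object, IRP major function, handler address) from listing lines."""
    for line in lines:
        m = DISPATCH_LINE.match(line.strip())
        if m:
            yield m.group("driver"), m.group("irp"), int(m.group("addr"), 16)


def resolve_module(addr, modules):
    """Return the name of the loaded module whose range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def find_hooked_entries(lines, modules, expected_owner):
    """Flag dispatch entries that do not point into the image expected to own them."""
    findings = []
    for driver, irp, addr in parse_dispatch_lines(lines):
        owner = resolve_module(addr, modules)
        if owner is None:
            reason = "handler outside every loaded module (unresolved)"
        elif owner.lower() != expected_owner.get(driver, "").lower():
            reason = f"handler points into {owner}"
        else:
            continue  # handler lives in the expected image: nothing to report
        findings.append({"driver": driver, "irp": irp, "addr": addr, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_hooked_entries(SAMPLE_LISTING, MODULE_MAP, EXPECTED_OWNER):
        print(f"{f['driver']} {f['irp']} -> {f['addr']:08x}: {f['reason']}")
```

Unresolved handlers are the strongest signal, because a driver whose code was loaded outside the normal image loader (as a bootkit's driver is) leaves no module entry to attribute them to; handlers resolving into a different but legitimate image are worth a second look but can also be ordinary filter drivers.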
C&C server
Pitou connects to the C&C server at IP 195.154.237.14, port 7384 TCP, which is hosted in Paris.
It receives, in encrypted form, the commands to send spam:
If Pitou cannot connect to the C&C server, it generates 4 domains (DGA); examples:
SpamBot
Pitou sends spam from the victim's PC; this operation is performed entirely in kernel mode.
Here are some examples of spam sent by Pitou:

[Figure: examples of spam messages sent by Pitou]

As you can see, Pitou sends Viagra and Cialis spam.