{
	"id": "6b89d810-6396-4878-99df-baf790fb0ce9",
	"created_at": "2026-04-06T00:15:07.754003Z",
	"updated_at": "2026-04-10T03:20:40.245661Z",
	"deleted_at": null,
	"sha1_hash": "b9af79849520875ef16eacf05939704ff74002a2",
	"title": "Newcomers in the Derusbi family",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 215297,
	"plain_text": "Newcomers in the Derusbi family\r\nBy Fabien Perigaud\r\nPublished: 2015-12-15 · Archived: 2026-04-02 12:14:36 UTC\r\nhttps://web.archive.org/web/20180607084223/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family\r\nWindows x64 driver\r\nInstallation\r\nWe found various samples of this driver, all signed with legitimate, stolen certificates. One certificate has been revoked, another one has expired, and the last one is still perfectly valid. However, we did not find any installer delivering the driver, which might mean it is installed manually, for example along with the installation of the HD Root bootkit, as multiple pieces of evidence link it to Derusbi.\r\nAccording to the samples we found, the driver file name is either wd.sys or udfs.sys.\r\nThe following stolen certificates are used to sign the drivers:\r\nName                              Serial Number                      Status\r\nFuqing Dawu Technology Co.,Ltd.   4c0b2e9d2ef909d15270d4dd7fa5a4a5   Revoked\r\nXL Games Co.,Ltd.                 7bd55818c5971b63dc45cf57cbeb950b   Expired\r\nWemade Entertainment co.Ltd       476bf24a4b1e9f4bc2a61b152115e1fe   Valid\r\nRootkit & Evasion capabilities\r\nOf the 4 different samples we found, only one used VMProtect to obfuscate its imports. The other ones were not packed.\r\nDuring the initialization phase, the driver tries to disable the kernel debugger by calling nt!KdDisableDebugger, to hinder dynamic analysis.\r\nAs in the previous client versions (which also used a kernel driver for rootkit features), the driver filters both the filesystem and the network to hide the RAT activities.\r\nNetwork rootkit\r\nDepending on the Windows version, hooks are placed either on \\\\Device\\Tcp (the pre-Vista TCP/IP stack) or on \\\\Driver\\nsiproxy (the NSI proxy that netstat and GetExtendedTcpTable query on Vista and later). Whenever a specific IOCTL is sent to the device (0x120003 or 0x12001b respectively), the hook function hides network connections using ports between 1025 and 1777.\r\nFilesystem rootkit\r\nThe filesystem rootkit is installed by hooking the IRP_MJ_DIRECTORY_CONTROL major function of \\\\Filesystem\\Ntfs, and hides the driver file itself (whose name is obtained by reading the service ImagePath registry value).\r\nEmbedded DLL loading\r\nTo perform its RAT capabilities, the driver relies on a userland component, which is injected into memory directly from the kernel. This improves stealth, as the userland component is never written to disk.\r\nThis userland component is a DLL, located in the .data section and encrypted with the classical Derusbi scheme (a simple 4-byte XOR).\r\nThe DLL is injected into one of the svchost.exe processes running as SYSTEM or LocalSystem, using the following steps:\r\n- Allocation and copy of two shellcodes into the process memory\r\n- Allocation and copy of an array containing:\r\n  - pointers to LoadLibraryA / GetProcAddress\r\n  - the name of the DLL export to call (\"Func\" in our samples)\r\n  - the content of the DLL\r\n- Use of nt!KeInitializeApc and nt!KeInsertQueueApc to make the process execute the first shellcode, with the addresses of the second shellcode and of the array as arguments\r\nThe first shellcode is simply:\r\nThe second shellcode is a custom DLL loader, which loads the DLL directly in memory without writing it to disk. The export is then called, with a randomly generated integer as parameter.\r\nThe randomly generated integer is used to build a named pipe called \\\\.\\pipe\\usbpcex%d. This pipe is then used for the communication between the driver and the userland DLL.\r\nOnce loaded, the DLL writes the machine IP address to the registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\lpstatus.\r\nConfiguration\r\nThe configuration is stored just after a string made of 15 \"X\". 
It is obfuscated using a simple XOR loop:\r\nThe configuration has the following structure:\r\n- Offset 0x44: timer\r\n- Offset 0x48-0x50: two hour values; communication is only allowed between these hours\r\n- Offset 0x50: URL for additional C&C retrieval\r\n- Offset 0x150: 8 C&C structures, 0x6c bytes each\r\nThe C&C structure is:\r\n- Offset 0x0: protocol\r\n- Offset 0x4: IP/domain address\r\n- Offset 0x24: port\r\nThe rest of the configuration is filled with garbage.\r\n00000000: 0100 0000 0048 c75f 409d 51b9 d2c8 f30c .....H._@.Q.....\r\n00000010: 566a 1e47 12b4 3735 638d b549 fd06 76aa Vj.G..75c..I..v.\r\n00000020: 6200 617f a41c 427c 5ee4 e2ad f137 6682 b.a...B|^....7f.\r\n00000030: fcfa ea1c 1efd 5ed7 ef2b a018 3cf6 da58 ......^..+..<..X\r\n00000040: 8301 1f71 2100 0000 0000 0000 0000 0000 ...q!...........\r\n00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n*\r\n00000150: 2000 0000 7761 7265 2e6e 6963 6574 7279 ...ware.XXXXXXX\r\n00000160: 2e62 697a 007c e4ee 3c09 a2a8 d427 f51e .biz.|..<....'..\r\n00000170: 504e 9d65 bb01 0000 0025 e96e 4d1a 9eb6 PN.e.....%.nM...\r\n00000180: 58b9 c133 c719 8c5e 3359 d429 9911 6f0a X..3...^3Y.)..o.\r\n00000190: d9f9 c548 6ed8 b485 0000 0000 0028 fd5e ...Hn........(.^\r\n000001a0: b139 8e77 771d 9f66 6b75 f18c 00b9 2133 .9.ww..fku....!3\r\n000001b0: 00e5 45d4 d062 c2a2 e532 715a 2000 0000 ..E..b...2qZ ...\r\n000001c0: 7761 7265 2e6e 6963 6574 7279 2e62 697a ware.XXXXXXX.biz\r\n000001d0: 006a 55a0 6f17 cffa 9003 766f 3e9a 34a1 .jU.o.....vo>.4.\r\n000001e0: 5000 0000 00be e79c 7e6d c95b 77a4 139f P.......~m.[w...\r\n000001f0: 0be1 2e45 c4d1 94a5 677c f161 2baf 7b6e ...E....g|.a+.{n\r\n00000200: 3caa 8e60 0000 0000 00fa f5f6 2b96 c211 <..`........+...\r\n00000210: dea0 065a 4766 c8bd 00f3 1bcb 8575 7fcc ...ZGf.......u..\r\nReading the dump above with this layout: the timer at 0x44 is 0x21, both hour values are 0 and the URL field at 0x50 is empty; the first C&C entry at 0x150 has its port at 0x174 (bb01 0000, i.e. 443) and the second entry at 0x150 + 0x6c = 0x1bc has its port at 0x1e0 (5000 0000, i.e. 80); the protocol DWORD reads 0x20 in both entries (the meaning of the protocol values is not given here).\r\nNetwork Communications\r\nThe malware configuration can embed up to 8 C&C addresses. A configuration update mechanism is also available, by requesting the URL in the configuration. The resulting web page is then parsed, looking for the tags $$$--Hello and Wrod--$$$ surrounding a base64 string, which is the new encoded configuration blob.\r\nUp to 3 different protocols are supported:\r\n- Raw TCP\r\n- Raw UDP\r\n- HTTP\r\nOnce a C&C has been reached, its information is stored in the registry value HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Level10, XORed with 0x51.\r\nThe DNS server to use for DNS requests is stored in the value Level01, XORed with 0x51. The source port for DNS requests is randomly chosen between 1025 and 1777, the range hidden by the network rootkit.\r\nProxy settings are stored in the registry values Level02 to Level05, XORed with 0x51.\r\nThe DNS server IP address and the proxy settings are obtained by the userland DLL by setting up a raw socket to sniff all outgoing traffic and parsing:\r\n- DNS requests\r\n- HTTP requests, looking for a Proxy-Authorization: Basic header and the proxy address\r\nThese two settings are then written to the registry.\r\nFor host triage, the lpstatus, Level01 to Level05 and Level10 values under HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI (decoded by XORing each byte with 0x51) and the usbpcex%d pipe name are convenient indicators.\r\nAll network communications are performed by the kernel driver. Each received packet is decoded and sent to userland through the pipe, and each piece of data received through the pipe is encoded and sent back on the network.\r\nPackets have a 0x1c-byte cleartext header, followed by encrypted (and optionally compressed) data. 
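The configuration layout above and the packet framing described here (the 0x1c-byte header, whose seven DWORD fields are listed in the struct that follows) can both be handled with a small parser. The Python below is an added example and not code from the original post or from the malware itself. It assumes the configuration blob has already been de-obfuscated (the XOR loop is not reproduced), that the URL field at 0x50 runs up to the first C&C entry at 0x150, that the header xorKey is applied as a little-endian DWORD repeated over the data, that checkSum is the CRC32 of the plaintext, and it does not reproduce LZO compression (bCompressed is always 0 when building and rejected when parsing). The protocol numbers, addresses and update URL in the constructed test blob are made up, and unused C&C slots are filtered on plausibility because real samples fill them with garbage.

```python
import struct
import zlib

# Layout constants taken from the post: 0x1c-byte header of seven DWORDs,
# eight C&C slots of 0x6c bytes starting at offset 0x150 of the configuration.
HEADER_FMT = '<7I'   # random, moduleID, rawPacketSize, checkSum, xorKey, bCompressed, uncompressedSize
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 0x1c
CFG_MARKER = b'XXXXXXXXXXXXXXX'            # the 15-X string preceding the configuration
CFG_C2_OFFSET, CFG_C2_COUNT, CFG_C2_SIZE = 0x150, 8, 0x6c


def xor4(data, key):
    # Classical Derusbi cipher: XOR with a repeating 4-byte key.
    # Assumption: the key DWORD is applied little-endian, as stored in the header.
    k = struct.pack('<I', key)
    return bytes(b ^ k[i % 4] for i, b in enumerate(data))


def c_string(raw):
    # Bytes up to the first NUL (bytes(1) is a single NUL byte).
    return raw.split(bytes(1), 1)[0]


def plausible_c2(addr, port):
    # Unused slots are garbage-filled, so keep only printable addresses and real port numbers.
    return bool(addr) and all(0x21 <= b <= 0x7e for b in addr) and 0 < port < 0x10000


def parse_config(image):
    # image: bytes containing the 15-X marker followed by the de-obfuscated configuration.
    pos = image.find(CFG_MARKER)
    if pos < 0:
        raise ValueError('configuration marker not found')
    cfg = image[pos + len(CFG_MARKER):]
    timer, hour_start, hour_end = struct.unpack_from('<3I', cfg, 0x44)
    url = c_string(cfg[0x50:CFG_C2_OFFSET]).decode('latin-1')   # assumption: URL field runs up to 0x150
    c2 = []
    for i in range(CFG_C2_COUNT):
        off = CFG_C2_OFFSET + i * CFG_C2_SIZE
        proto = struct.unpack_from('<I', cfg, off)[0]
        port = struct.unpack_from('<I', cfg, off + 0x24)[0]
        addr = c_string(cfg[off + 4:off + 0x24])
        if plausible_c2(addr, port):
            c2.append({'protocol': proto, 'address': addr.decode('ascii'), 'port': port})
    return {'timer': timer, 'hours': (hour_start, hour_end), 'update_url': url, 'c2': c2}


def build_packet(module_id, payload, xor_key, rand=0):
    # Frame data the way the driver does before sending: cleartext header, XORed body.
    # Assumptions: checkSum is the CRC32 of the plaintext; LZO compression is not reproduced.
    body = xor4(payload, xor_key)
    header = struct.pack(HEADER_FMT, rand, module_id, len(body), zlib.crc32(payload),
                         xor_key, 0, len(payload))
    return header + body


def parse_packet(packet):
    # Reverse of build_packet: returns (moduleID, payload) or raises on a bad packet.
    if len(packet) < HEADER_LEN:
        raise ValueError('short packet')
    _rand, module_id, raw_size, checksum, xor_key, compressed, _unc = struct.unpack_from(HEADER_FMT, packet)
    body = packet[HEADER_LEN:HEADER_LEN + raw_size]
    if len(body) != raw_size:
        raise ValueError('truncated body')
    if compressed:
        raise NotImplementedError('LZO-compressed packet: XOR-decode, then decompress with an LZO library')
    payload = xor4(body, xor_key)
    if zlib.crc32(payload) != checksum:
        raise ValueError('CRC32 mismatch')
    return module_id, payload


def sample_config_image():
    # Constructed test blob, not from a real sample: two filled C&C slots, one slot of junk,
    # the rest zero. Protocol numbers, names and the URL are made up.
    cfg = bytearray(CFG_C2_OFFSET + CFG_C2_COUNT * CFG_C2_SIZE)
    struct.pack_into('<3I', cfg, 0x44, 60, 8, 18)
    url = b'http://update.example.net/cfg'
    cfg[0x50:0x50 + len(url)] = url
    for i, (proto, addr, port) in enumerate([(1, b'c2.example.net', 443), (3, b'203.0.113.10', 80)]):
        off = CFG_C2_OFFSET + i * CFG_C2_SIZE
        struct.pack_into('<I', cfg, off, proto)
        cfg[off + 4:off + 4 + len(addr)] = addr
        struct.pack_into('<I', cfg, off + 0x24, port)
    junk = CFG_C2_OFFSET + 2 * CFG_C2_SIZE
    cfg[junk:junk + CFG_C2_SIZE] = bytes(range(0x80, 0x80 + CFG_C2_SIZE))   # non-printable filler
    return b'some preceding bytes' + CFG_MARKER + bytes(cfg)


if __name__ == '__main__':
    print(parse_config(sample_config_image()))
    print(parse_packet(build_packet(0x81, b'whoami', 0xdeadbeef, rand=7)))
```

On a real sample, feed parse_config the XOR-decoded embedded DLL (or a memory dump of the svchost.exe process it was injected into), and feed parse_packet the bytes read from the usbpcex%d pipe or from a capture; a CRC32 mismatch after XOR-decoding usually means the checksum or key assumption above does not hold for that variant and should be adjusted.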
The header has the following structure:\r\nstruct packetHeader {\r\n    DWORD random;           /* random value */\r\n    DWORD moduleID;         /* module the data is addressed to, see Modules below */\r\n    DWORD rawPacketSize;    /* size of the data following the header */\r\n    DWORD checkSum;         /* CRC32 */\r\n    DWORD xorKey;           /* 4-byte XOR key applied to the data */\r\n    DWORD bCompressed;      /* non-zero when the data is LZO-compressed */\r\n    DWORD uncompressedSize; /* size of the data once decompressed */\r\n};\r\nThe encryption is a simple XOR with the 4-byte key, the packet may be LZO-compressed, and checkSum is a CRC32.\r\nUserland component\r\nThe userland component is in charge of decoding the network communications and interpreting the commands. It receives, from the kernel module, the moduleID and the decrypted/uncompressed data of the network packet.\r\nModules\r\nThis part of the malware is modular, and each module is associated with a module ID. Previous papers described some of those modules, but our samples contained two new modules. Here is the list of all the modules compiled into the DLL:\r\nModule ID   Class Name   Description\r\n0x80        PCC_SYS      Various commands related to processes and services\r\n0x81        PCC_CMD      Execute commands\r\n0x82        PCC_PROXY    Network proxy\r\n0x83        PCC_GUI      Remote Desktop\r\n0x84        PCC_FILE     Files manipulation\r\n0xC0        PCC_VPN      VPN feature\r\n0xF0        -            Uninstall, Disconnect, GetLastError, etc.\r\nThe two new modules are PCC_GUI and PCC_VPN.\r\nEmbedded PE files\r\nThe userland DLL embeds 5 PE files, all stored in the .data section and encrypted with a 4-byte XOR key.\r\nEmbedded PE #1\r\nThis one is a 64-bit DLL (export \"Func\") for the PCC_GUI module. It is injected directly in memory into \"winlogon.exe\", with the custom DLL loader. Communication with the main DLL is performed through a named pipe called \\\\.\\pipe\\usbpcg%d.\r\nEmbedded PE #2\r\nThis is a 64-bit DLL (export \"R32\") used for command execution (PCC_CMD module). It is dropped in %Systemroot%\\web\\safemedo.html and executed with rundll32.exe. Communication with the main DLL is performed through the named pipes \\\\.\\pipe\\usb%si and \\\\.\\pipe\\usb%so, where \"%s\" is the GetTickCount output in decimal. The process is created with its I/O redirected to the pipes. It can be run as the logged-in user, or by specifying user credentials.\r\nEmbedded PE #3\r\nThis is a 64-bit DLL (export \"Func\") providing keylogging via the GetAsyncKeyState API. It is injected directly into the \"explorer.exe\" process, and a mutex named Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770-ww_05FDF087 is created. Data is saved to %tmp%\\Ziptmp$$__.1.\r\nEmbedded PE #4\r\nThis one is another 64-bit DLL (export \"Func\") providing keylogging, this time via the SetWindowsHook API. It is dropped in %Systemroot%\\web\\safemode.html and executed with rundll32.exe, and a mutex named Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770-x_05FDF087 is created. Data is saved to %tmp%\\Ziptmp$$__.2.\r\nEmbedded PE #5\r\nThis is a 64-bit NDIS driver for the VPN feature. It is dropped in %SystemRoot%\\Drivers\\{1D24B7E2-869D-49D8-B4EB-1424B36C42B6}.sys, and is signed with the XL Games Co.,Ltd. (7bd55818c5971b63dc45cf57cbeb950b) certificate.\r\nThe dropped files (the two .html files under %Systemroot%\\web, the two Ziptmp keylog files and the GUID-named driver), the two mutex names and the usbpcg%d, usb%si and usb%so pipe names are the host indicators of this layer.\r\nOverall Architecture\r\nThe architecture of this new Derusbi variant is distributed across several drivers and processes, each one responsible for a specific task. This avoids having a single process perform all the malicious tasks, and makes it less likely that security software raises alerts.\r\nLinux Library\r\nWe recently noticed that the group behind the HD Root bootkit was interested in compromising Linux systems as well. A very interesting Chinese article describes the features of the Linux version of the bootkit. Focusing on the payload loading part, we can see that a userland library is loaded into a /usr/bin/sshd process using LD_PRELOAD.\r\nInterestingly, we discovered a Linux library exporting all the classical PAM exports, with an added constructor (CTOR) leading to a PccMain() function exposing the Derusbi server behaviour. This library could be the perfect payload for the Linux HD Root, which strengthens our assumption of a strong link between the bootkit and the RAT.\r\nThe sample we found included all debug symbols, which helped in understanding and naming each feature.\r\nLock\r\nWhen started, the malware creates a lock file at /dev/shm/.shmfs.lock.\r\nNetwork Communications\r\nThe sample listens on port 40101 for incoming connections. The communication protocol is the same as in the Windows version. All network I/O is handled by the BD_SOCK and PCC_SOCK classes.\r\nModules\r\nAs in the Windows versions, various modules are embedded in the library, each one dedicated to a specific task:\r\nModule ID   Class Name   Description\r\n0x80        PCC_SYS      Various commands related to processes and services\r\n0x81        PCC_CMD      Execute commands\r\n0x82        PCC_PROXY    Network proxy\r\n0x84        PCC_FILE     Files manipulation\r\n0xF0        -            Uninstall, Disconnect, GetLastError, etc.\r\nThe PCC_CMD module spawns a new process whose argv[0] is replaced by [diskio]. The following PS1 variable is set:\r\nRK# \\u@\\h:\\w \\$\r\nDevelopment framework\r\nJudging by the debugging information still present in the library, it seems that the authors reused code from the Windows version of their RAT and implemented wrappers for the original Windows API. The source file name is Win32APIWarp.cpp. We found various functions corresponding to Windows APIs, such as:\r\nCreateThread(void *, unsigned int, void *(__cdecl *start_routine)(void *), void *, unsigned int, unsigned int *)\r\nGetFileAttributesW(wchar_t *)\r\nGetTickCount(void)\r\nWSAGetLastError(void)\r\nDropped kernel module\r\nA kernel module is embedded in the .data section, encrypted with the classical 4-byte XOR algorithm. Its purpose is to provide rootkit features: accepting all packets to port 40101 and hiding the network communications of the RAT.\r\nTechnically, it sets hooks in the netfilter stack using the nf_register_hook function, and accepts all packets matching the RAT communication. For the hiding part, a hook is set on the special file /proc/net/tcp, which hides connections using ports between 40101 and 40500. nf_register_hook has since been removed from mainline (Linux 4.13), so the module as found only loads on older kernels.\r\nThe module is first patched to insert a proper .modinfo section and dropped in /tmp/.secure. It is then loaded by simply calling insmod. The correct version information inserted in .modinfo (which the kernel checks against its own vermagic at load time) is obtained by reading various hardcoded kernel modules which should be present on Linux machines. After loading, the module file is deleted.\r\nConclusion\r\nDerusbi appears to be an actively developed malware family, evolving on several fronts. 
The interest of APT actors in Linux systems should encourage the community to improve and develop forensics and malware investigation tools for these platforms.\r\nAnnex\r\nHashes\r\n1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016\r\n50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a\r\n6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58\r\ne27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59\r\n75c3b22899e39333c0313e80c4e6958d6612381c535d70b691f5f42afc8c214f\r\nYara rules\r\nrule derusbi_kernel\r\n{\r\n    meta:\r\n        description = \"Derusbi Driver version\"\r\n        date = \"2015-12-09\"\r\n        author = \"Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud\"\r\n    strings:\r\n        $token1 = \"$$$--Hello\"\r\n        $token2 = \"Wrod--$$$\"\r\n        $cfg = \"XXXXXXXXXXXXXXX\"\r\n        $class = \".?AVPCC_BASEMOD@@\"\r\n        $MZ = \"MZ\"\r\n    condition:\r\n        $MZ at 0 and $token1 and $token2 and $cfg and $class\r\n}\r\nrule derusbi_linux\r\n{\r\n    meta:\r\n        description = \"Derusbi Server Linux version\"\r\n        date = \"2015-12-09\"\r\n        author = \"Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud\"\r\n    strings:\r\n        $PS1 = \"PS1=RK# \\\\u@\\\\h:\\\\w \\\\$\"\r\n        $cmd = \"unset LS_OPTIONS;uname -a\"\r\n        $pname = \"[diskio]\"\r\n        $rkfile = \"/tmp/.secure\"\r\n        $ELF = \"\\x7fELF\"\r\n    condition:\r\n        $ELF at 0 and $PS1 and $cmd and $pname and $rkfile\r\n}\r\nNote that the strings matched by derusbi_kernel (the update tags, the 15-X configuration marker and the PCC_BASEMOD RTTI name) live in the userland DLL, which is stored XOR-encrypted in the driver's .data section: the rule therefore matches the decoded DLL or the memory of the injected process rather than the signed driver file on disk.\r\nSource: https://web.archive.org/web/20180607084223/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
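The /proc/net/tcp hook described in the dropped kernel module section above hides connections from tools that read that file, but it does not change what the kernel does when another process tries to bind the same port. The Python script below is an added example, not part of the original post or of the malware, that uses this gap: it parses a /proc/net/tcp listing, probes the 40101-40500 range with bind(), and reports ports that are in use yet missing from the listing. It assumes the module hooks only the /proc view and not the bind path, and the sample listing is constructed. Only the IPv4 table is parsed, so a listener visible only through /proc/net/tcp6 is not covered, and a successful bind is a negative result only for that port.

```python
import errno
import socket

HIDDEN_PORTS = range(40101, 40501)   # range hidden from /proc/net/tcp by the dropped module


def listening_ports(proc_net_tcp):
    # Parse /proc/net/tcp: column 2 is local_address as HEXIP:HEXPORT, column 4 is the
    # socket state, 0A being TCP_LISTEN. The first line is the column header.
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == '0A':
            ports.add(int(local.rsplit(':', 1)[1], 16))
    return ports


def port_in_use(port):
    # Bind probe: the kernel answers EADDRINUSE when a listener already owns the port,
    # whatever a hooked /proc/net/tcp says. A successful bind only proves the port was
    # free for this address at this instant.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(('0.0.0.0', port))
        return False
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        s.close()


def find_hidden_listeners(proc_net_tcp, ports=HIDDEN_PORTS, in_use=port_in_use):
    # Ports the kernel refuses to hand out but that are absent from the /proc listing.
    # in_use is injectable so the logic can be exercised without touching real sockets.
    visible = listening_ports(proc_net_tcp)
    return sorted(p for p in ports if p not in visible and in_use(p))


# Constructed /proc/net/tcp excerpt (not captured from a real host): sshd on port 22 and a
# listener on 0x9CA5 = 40101 are visible; anything the rootkit hides would simply be missing.
SAMPLE_PROC_NET_TCP = '''  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:9CA5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
'''


if __name__ == '__main__':
    with open('/proc/net/tcp') as f:
        print(find_hidden_listeners(f.read()))
```

Run it as root on a suspect host so the bind probe is not refused for unrelated reasons; a non-empty result for the 40101-40500 range is worth a second look with an independent view of the sockets (for example the netlink sock_diag interface), since the probing process itself could be subject to the same hooks.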
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20180607084223/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
	],
	"report_names": [
		"Newcomers-in-the-Derusbi-family"
	],
	"threat_actors": [],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9af79849520875ef16eacf05939704ff74002a2.pdf",
		"text": "https://archive.orkl.eu/b9af79849520875ef16eacf05939704ff74002a2.txt",
		"img": "https://archive.orkl.eu/b9af79849520875ef16eacf05939704ff74002a2.jpg"
	}
}