#1  09-27-2010, 06:37 PM
Galdorf
Join Date: Feb 2009
Location: Ontario, Canada
Posts: 1,678
new antivirus 2010 with new rootkit

Wow, this one is nasty. It runs in both normal and safe mode and prevents ANY security apps, even renamed ones, from running; if you install them, it deletes them.
Ran Autoruns from a live CD and tried removing the startup entry for the rootkit; it gave me an error and could not remove it. TDSSKiller, GMER and 18 other rootkit scanners found nothing.
Ran AntiVir from UBCD4Win; it picked up BDS/TDSS.VN. It seems none of the rootkit scanners can pick this up; I tried 20 of them.
Funny thing is you can install Malwarebytes in safe mode, but as soon as you run it, it terminates it and deletes the EXE file.
I tried renaming the Malwarebytes EXE; same thing, it terminates it and deletes the EXE file.
Tried Autoruns and a renamed Autoruns; it terminates those as well, including Process Explorer.
#2  09-27-2010, 06:49 PM
Technotch
Join Date: Sep 2010
Location: Cavite, Philippines
Posts: 65
Never encountered anything like this yet, but it's probably smarter to back up and do a clean install.
#3  09-27-2010, 07:40 PM
gunslinger
Join Date: Jul 2007
Location: Cookeville, Tennessee
Posts: 3,170
I had a system come in the other day with the owner complaining it was "slow". I checked and it was running Vista with a gig of RAM, so I was like "well, duh, it's slow"; Vista just runs that way. After scanning with both SUPERAntiSpyware and Malwarebytes I found a total of 953 infected files. Not tracking cookies, but actual infected files. After removing them I did a virus scan and came up with 19 more.

I have also had a few machines come back after a very thorough cleaning, only to have the infection come right back due to an undetected rootkit. It's almost to the point where I just want to do a backup and clean install on almost every system that comes in "slow".
#4  09-27-2010, 09:00 PM
MobileTechie
Join Date: Oct 2009
Location: UK
Posts: 4,337
Quote:
Originally Posted by Galdorf
Wow, this one is nasty. It runs in both normal and safe mode and prevents ANY security apps, even renamed ones, from running; if you install them, it deletes them.
Ran Autoruns from a live CD and tried removing the startup entry for the rootkit; it gave me an error and could not remove it. TDSSKiller, GMER and 18 other rootkit scanners found nothing.
Ran AntiVir from UBCD4Win; it picked up BDS/TDSS.VN. It seems none of the rootkit scanners can pick this up; I tried 20 of them.
Funny thing is you can install Malwarebytes in safe mode, but as soon as you run it, it terminates it and deletes the EXE file.
I tried renaming the Malwarebytes EXE; same thing, it terminates it and deletes the EXE file.
Tried Autoruns and a renamed Autoruns; it terminates those as well, including Process Explorer.
So you're saying that a generic rootkit tool like say Rootkit Unhooker doesn't flag up any file, process, driver, service etc as being hidden or hooked?

And you couldn't remove a start up registry key from a boot CD? Are you talking about the DART disk?
#5  09-27-2010, 09:39 PM
Galdorf
Join Date: Feb 2009
Location: Ontario, Canada
Posts: 1,678
Quote:
Originally Posted by MobileTechie
So you're saying that a generic rootkit tool like say Rootkit Unhooker doesn't flag up any file, process, driver, service etc as being hidden or hooked?

And you couldn't remove a start up registry key from a boot CD? Are you talking about the DART disk?
Nothing showed up on any rootkit scanner. This was on XP, so I used ERD 2005 from Sysinternals slipstreamed with a bunch of my favorite utilities.

Most rootkit scanners are VERY outdated and will not find anything current.
#6  09-27-2010, 10:25 PM
MobileTechie
Join Date: Oct 2009
Location: UK
Posts: 4,337
Quote:
Originally Posted by Galdorf
Nothing showed up on any rootkit scanner. This was on XP, so I used ERD 2005 from Sysinternals slipstreamed with a bunch of my favorite utilities.

Most rootkit scanners are VERY outdated and will not find anything current.
Rootkit Unhooker isn't just a scanner. It just flags up objects that are hooked or hidden.

Last edited by MobileTechie; 09-27-2010 at 10:31 PM.
#7  09-27-2010, 10:57 PM
RedFoxComp
Join Date: Sep 2010
Posts: 355
Quote:
Originally Posted by Galdorf
Wow, this one is nasty. It runs in both normal and safe mode and prevents ANY security apps, even renamed ones, from running; if you install them, it deletes them.
Ran Autoruns from a live CD and tried removing the startup entry for the rootkit; it gave me an error and could not remove it. TDSSKiller, GMER and 18 other rootkit scanners found nothing.
Ran AntiVir from UBCD4Win; it picked up BDS/TDSS.VN. It seems none of the rootkit scanners can pick this up; I tried 20 of them.
Funny thing is you can install Malwarebytes in safe mode, but as soon as you run it, it terminates it and deletes the EXE file.
I tried renaming the Malwarebytes EXE; same thing, it terminates it and deletes the EXE file.
Tried Autoruns and a renamed Autoruns; it terminates those as well, including Process Explorer.
You need to get in there manually and start investigating services, drivers and processes. Once you kill them you'll be able to scan and check for more using Malwarebytes, Autoruns, etc.

I think I know the infection you're dealing with. In my case it had patched explorer.exe and winlogon.exe in system32 AS WELL as the DLL cache (sneaky). I cleared the DLL cache, booted from a CD and deleted explorer.exe and winlogon.exe, replacing them with files from an XP SP3 install CD. Then I did an SFC /scannow and let it rebuild the DLL cache from the CD.

That was step 3 of 7 or something, though; I don't recall everything else, but you are right, it was VERY nasty to clean completely.

Last edited by RedFoxComp; 09-27-2010 at 11:42 PM.
#8  09-28-2010, 06:49 AM
MobileTechie
Join Date: Oct 2009
Location: UK
Posts: 4,337
So how did you discover which files it had patched?
#9  09-28-2010, 01:20 PM
RedFoxComp
Join Date: Sep 2010
Posts: 355
Quote:
Originally Posted by MobileTechie
So how did you discover which files it had patched?
I believe it was one of 2 ways. I think this patching virus created an additional file 'explorer .exe', so I searched for "* .exe" and found it had patched a lot of .exe's. So what was happening was any time you ran a patched file it was restoring the service or driver that was causing the problems. If you don't have a good method of dealing with a threat like this, it's probably easier to reinstall; otherwise it's like boxing with someone that has 8 arms.

I also searched for files dated a week old or newer in the Windows directory. Anything new was suspect.

You can use a tool like SystemLook to check out processes and see if they are up to anything funny.

To find out what you're dealing with you can use Dr. Web and/or Avira Live CD and hopefully it will give you an idea of the type of infection you're dealing with and you can go from there.

Last edited by RedFoxComp; 09-28-2010 at 01:23 PM.
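The three file-system checks RedFoxComp describes above (lookalike names with a space before ".exe", files modified within the last week under the Windows directory, and system32 binaries compared against their dllcache copies), as an added Python example that is not code from the thread. It runs offline against a constructed stand-in directory; the file names and byte contents are made-up labels, and the hash comparison is an assumption about how one would check for patched copies, not a step the poster took.

```python
import hashlib, os, re, tempfile, time

# Heuristic 1 (from the thread): a name with whitespace before ".exe", such as
# "explorer .exe", that mimics a real system binary at a glance.
SPACED_EXE = re.compile(r"\S\s+\.exe$", re.IGNORECASE)

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def walk_files(root):
    return (os.path.join(d, n) for d, _, names in os.walk(root) for n in names)

def find_spaced_names(root):
    """Paths under root whose file name has whitespace before .exe."""
    return sorted(p for p in walk_files(root) if SPACED_EXE.search(os.path.basename(p)))

def find_recent(root, days=7, now=None):
    """Heuristic 2: files modified within the last `days` days; anything new is suspect."""
    cutoff = (time.time() if now is None else now) - days * 86400
    return sorted(p for p in walk_files(root) if os.path.getmtime(p) >= cutoff)

def compare_with_cache(system32, dllcache):
    """Heuristic 3: same-named files in system32 and dllcache whose hashes differ.
    A patched cache copy masks a patched live copy, so an identical pair proves nothing
    by itself; only a hash from known-good install media settles it."""
    return [n for n in sorted(os.listdir(system32))
            if os.path.isfile(os.path.join(dllcache, n))
            and sha256(os.path.join(system32, n)) != sha256(os.path.join(dllcache, n))]

def build_demo_tree():
    """Constructed, offline stand-in for %WINDIR%; the bytes are labels, not malware."""
    root = tempfile.mkdtemp()
    s32, cache = os.path.join(root, "system32"), os.path.join(root, "system32", "dllcache")
    os.makedirs(cache)
    files = {"explorer.exe": b"GOOD-EXPLORER", "winlogon.exe": b"PATCHED-WINLOGON",
             "explorer .exe": b"DROPPED-LOOKALIKE",
             os.path.join("dllcache", "explorer.exe"): b"GOOD-EXPLORER",
             os.path.join("dllcache", "winlogon.exe"): b"GOOD-WINLOGON"}
    recent = {"winlogon.exe", "explorer .exe"}   # the two constructed suspects
    month_ago = time.time() - 30 * 86400
    for rel, data in files.items():
        with open(os.path.join(s32, rel), "wb") as f:
            f.write(data)
        if rel not in recent:                    # everything else looks a month old
            os.utime(os.path.join(s32, rel), (month_ago, month_ago))
    return root, s32, cache

def demo():
    root, s32, cache = build_demo_tree()
    return {"spaced": [os.path.basename(p) for p in find_spaced_names(root)],
            "recent": sorted(os.path.basename(p) for p in find_recent(root)),
            "patched": compare_with_cache(s32, cache)}
```

Run on a real image from a boot CD, point the functions at the mounted Windows directory instead of the demo tree; the hash list from a clean install CD is what turns "differs from dllcache" into "patched".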
#10  09-28-2010, 01:52 PM
MobileTechie
Join Date: Oct 2009
Location: UK
Posts: 4,337
Quote:
Originally Posted by RedFoxComp
I believe it was one of 2 ways. I think this patching virus created an additional file 'explorer .exe', so I searched for "* .exe" and found it had patched a lot of .exe's. So what was happening was any time you ran a patched file it was restoring the service or driver that was causing the problems. If you don't have a good method of dealing with a threat like this, it's probably easier to reinstall; otherwise it's like boxing with someone that has 8 arms.

I also searched for files dated a week old or newer in the Windows directory. Anything new was suspect.

You can use a tool like SystemLook to check out processes and see if they are up to anything funny.

To find out what you're dealing with you can use Dr. Web and/or Avira Live CD and hopefully it will give you an idea of the type of infection you're dealing with and you can go from there.
Yes, I understand that. I'm interested to know how you knew which files it patched. It sounds like you did it through the dates alone?
All times are GMT. The time now is 06:56 AM.

