My experience with a rootkit

Discussion in 'Application Software' started by Myrrh, Sep 12, 2012.

  1. Myrrh

    Myrrh MDL Expert

    Nov 26, 2008
    1,401
    500
    60
    #1 Myrrh, Sep 12, 2012
    Last edited: Sep 12, 2012
    Maybe relating my adventure yesterday which wasted the whole day will help someone save some time.

    I have a teenage family member who brought me a laptop to diagnose. All the desktop icons, all documents, everything on the start menu had disappeared, and instead various errors kept popping up on the screen about hardware failure. As described to me previously on the phone, I thought I was going to be attempting to retrieve data from a dying hard drive for transfer to a new computer, when I got it in my hands and read the actual "error" messages I realized it was instead a nasty malware wanting to sell a "repair" application that would "fix" the "hardware problem."

    I researched what it was, I forget the exact one, google found it and gave good advice how to get rid of it. Everything was fine.

    Three days later I get a call, guess what. He brought me the machine, I cleaned it up again and provided a lecture about not clicking on suspicious links.

    This time it lasted less than 24 hours. It was obvious that something else was going on, he can't be this stupid to keep going to the same infected sites over and over can he?

    I brought the machine to my office and plugged it in. As soon as it was connected to the network, the phone in my pocket started buzzing. It was receiving notification emails from the router (a Netgear UTM with malware detection) that something was attempting to download malware, specifically configuration instructions for a TDSS rootkit.

    I spent the day downloading and trying different tools to eliminate this. MalwareBytes found stuff and got rid of it, tdsskiller and aswMBR would not run at all, SuperAntiSpyware got stuck, the other tools I tried pronounced the machine "clean" yet when connected to the network it was still trying to download malware. Obviously not clean. I got to a command prompt and ran netstat -b which revealed that explorer.exe was trying to connect to a bunch of Internet sites. So obviously something is infecting explorer which would be what kept tdsskiller and aswMBR from launching. No matter what I tried, nothing could find or eliminate it, so it must be getting its hooks in very deep in the OS to hide itself.

    Finally in desperation, I removed the hard drive from the machine, attached a USB to SATA bridge adapter, and plugged it into my Windows 8 machine on my desk. Instantly Defender found a problem in the MBR and eliminated it (it also told me I needed to reboot for it to be clean, a warning that could be safely ignored since this is not the boot device for that machine).

    Putting the drive back in the laptop, I found it would not boot. This was resolved by booting a Win7 DVD, selecting repair, going to the command prompt, and using diskpart to mark the Windows partiton as active. I then was able to boot the machine and run the various AV tools I had been using to clean up what was left. tdsskiller found the filesystem left over by the rootkit; MalwareBytes found that in tdsskiller's quarantine; SuperAntiSpyware found nothing.

    Total time to remove and clean up after the rootkit: 20 minutes. Total time spent fighting with it before finding a method that worked: 12 hours. :(

    Mental note for next time I have one of these to work on: attaching the drive to another (fully protected and updated) machine is the first thing to try, before any of this trying to fix it natively on the infected system which is actively fighting back.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. LatinMcG

    LatinMcG Bios Borker

    Feb 27, 2011
    5,389
    1,463
    180
    #2 LatinMcG, Sep 12, 2012
    Last edited: Sep 12, 2012
    or u can just boot hirens (i use yumi usb tool to make usb) or ubcd4win or even the windows 7 disk and replace bootsector and save combofix.exe (from bleepingcomputer) as comb.com boot in safemode with network and run combofix aka comb.com
    after that u can do the rest of cleanup.

    why rename to comb.com ?
    the rootkits like to block some file names from anti malwares and the .exe extension gets hijacked .com usualy doesnt and runs the executable code

    warning combofix doesnt like dvd mounting software drivers (alcohol120, winiso and others).. uninstall then reboot before running it.

    i have cleaned this rootkit 1 month ago.

    seems the hordes of mordor are attacking in masses with rootkits :jester:
     
  3. Myrrh

    Myrrh MDL Expert

    Nov 26, 2008
    1,401
    500
    60
    #4 Myrrh, Sep 12, 2012
    Last edited: Sep 12, 2012
    (OP)
    combofix - I tried that one too, did not actually fix anything though it ran for a long time.

    In the end the only thing of any accomplishment was attaching and disinfecting on another machine.

    I am quite confident in my network security, yes. I do however plan to build a separate isolated space for these things, with Internet access but nothing else local.

    Thanks for the mention of other tools and bootdisks, I'll try those; and those articles look interesting. After reading that, I am sure that's the exact same one I was dealing with.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
    MBR infections are pretty common with scareware

    not really a revelation or anything...

    combofix is crap. it's unneeded and really only for people who don't know anything about fighting viruses. combofix can actually screw up an installation at times. worthless program in my opinion.

    and those types of infections are very possible and easy to cure without attaching it to another machine. take the time and build some live disks of your favorite windows environment, get your favorite scanner that will run as a portable app (malewarebytes will not because it has its own driver) and clean it that way. not hard at all.

    now, manually removing the "+h" attribute from every personal file on a machine that was previously infected with scareware is another issue. but there are tools available for that which make it not that hard to deal with either.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. master131

    master131 MDL Novice

    Apr 12, 2011
    45
    22
    0
    #6 master131, Sep 13, 2012
    Last edited: Sep 13, 2012
    You shouldn't be running Combofix so carelessly like that, the disclaimer/warning posted by professionals who suggest to use it are there for a reason. But then again, you seem to know what you are doing (I hope).

    Perhaps if you still had a sample you could send it to MBAM or another vendor for detection. Might be some new variant of the TDSS rootkit or something other wild virus out there.