Coffeehouse Thread

38 posts

I've got a rootkit...

  • W3bbo

    Apparently my Windows 7 x64 laptop is infected with something, it intercepts HTTP traffic and hijacks links to different websites to webplains.net, which then issues HTTP redirects to various websites that have presumably paid for this "service".

    It works regardless of what browser is used, and it only seems to affect Google.com search results (so Bing has a use after all).

    Some searching, especially for "webplains.net" suggests this may be the work of a known malware, TDSS, that can be removed with a one-off Kaspersky tool. I ran the tool, but it reported nothing out of the ordinary. Furthermore I can't find any tools that help with removing malware on 64-bit systems.

    I don't really have anything to boot off to have a look at the filesystem. I can't see any malware in my current filesystem (of course, that's how rootkits work) - but I did find a malware file in my SysWow64 directory that has since been deactivated (it set up a Scheduled Task to rundll.exe itself on system startup).

    My computer doesn't have an optical drive, so I'll have to boot from a USB stick, but I don't know what system is best for this. I have run the official WinPE in the past and I wasn't too impressed with it, but BartPE leaves a lot to be desired. Unfortunately the HDD in my laptop cannot be removed without breaking the warranty (as it involves the complete removal of the underside cover).

    Any suggestions?

  • blowdart

    Didn't you use to say you didn't run antivirus? *grin*

    So for a windows solution there's a connect beta right now of System Sweeper - http://connect.microsoft.com/systemsweeper

    Webplains doesn't seem to be using rootkits though, from what I can see. Did you remove the system TDSSserve.sys hidden device first? And checked proxy settings once rebooted and scanned?

  • cbae

    This came up on Bing search.

    BTW, how did you discover you had this malware?

  • evildictaitor

    That's very foolish of you.

    You should probably download something like AVG to do a scan of your system. If that doesn't work, you might want to consider formatting your machine and starting over.

  • ManipUni

    Why waste time attempting to remove it? The Windows installation is suspect, it is beyond repair. 

    Buy a 2.5" HDD caddy, copy off all of the files you need, format it including destroying the MBR (if it has one) then use a USB Key to reinstall Windows and copy your files back across. 

    Even if you were able to remove the rootkit, you likely won't get all of the components or be able to determine if it added a reinfection vector (e.g. added malware CA, HOSTS corruption, new trusted sites, et al).    

    The more I learn the less willing I am to ever attempt to remove infections. "Reinstall Windows" is the call of both the guru and low-hanging technical fruit alike. 
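
A quick audit of the reinfection vectors listed in the post above (HOSTS file, proxy, Trusted Sites, root CA store), as an added PowerShell example that is not part of the thread. It assumes an elevated PowerShell prompt on the suspect Windows 7 machine, uses only the standard locations of these settings, and the 90-day window for a "recent" root certificate is an arbitrary assumption of mine.

```powershell
# Added example (not from the thread): check the places a cleaned-but-not-
# reinstalled machine is commonly left booby-trapped: the HOSTS file, the
# WinINET proxy, the Trusted Sites zone and the root CA stores. Run from an
# elevated PowerShell prompt on the suspect machine. The 90-day window for
# "recent" root certificates is an arbitrary assumption.

$findings = @()

# 1. HOSTS: anything beyond comments and the loopback/localhost mapping.
#    Redirect malware maps google.com & co. to a host it controls.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in Get-Content $hostsPath) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    if ($line -match '^(127\.0\.0\.1|::1)\s+localhost$') { continue }
    $findings += "HOSTS      : $line"
}

# 2. WinINET proxy (IE and most Windows apps honour it). A ProxyServer or a
#    PAC script (AutoConfigURL) you never configured routes every request
#    through the attacker.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $inet
if ($ie.ProxyEnable -eq 1) { $findings += "Proxy      : ProxyServer=$($ie.ProxyServer)" }
if ($ie.AutoConfigURL)     { $findings += "Proxy      : AutoConfigURL=$($ie.AutoConfigURL)" }

# 3. Trusted Sites: ZoneMap\Domains\<domain>[\<host>] holds one value per
#    scheme ('http', 'https' or '*') whose data is the zone number;
#    2 = Trusted Sites, which relaxes IE's security settings for that site.
$zoneMap = Join-Path $inet 'ZoneMap\Domains'
if (Test-Path $zoneMap) {
    foreach ($key in Get-ChildItem -Path $zoneMap -Recurse) {
        foreach ($scheme in 'http', 'https', '*') {
            if ($key.GetValue($scheme) -eq 2) {
                $site = $key.Name -replace '^.*\\Domains\\', ''
                $findings += "TrustedSite: $site ($scheme)"
            }
        }
    }
}

# 4. Root CA stores: a root whose validity only began recently is unusual
#    (legitimate roots are normally years old by the time Windows ships
#    them, and are rarely added to the per-user store). A rogue root lets
#    the attacker forge any HTTPS site without a browser warning.
$cutoff = (Get-Date).AddDays(-90)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem -Path $store) {
        if ($cert.NotBefore -gt $cutoff) {
            $findings += "RootCA     : $store $($cert.Thumbprint) $($cert.Subject) (valid from $($cert.NotBefore.ToShortDateString()))"
        }
    }
}

if ($findings.Count -eq 0) {
    'No obvious reinfection vectors found. This is not evidence of a clean system: a rootkit can lie to every call above.'
} else {
    $findings
}
```

Treat any hit as something to explain, not something to delete and move on: a rogue root or PAC URL means credentials typed over HTTPS since the infection date should be considered exposed. And, as the post says, an empty result proves little, because all four checks are answered by the possibly-compromised kernel and registry.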

     

  • RamblingGeekUK

    I would agree with ManipUni's approach.  You could run this: RootkitRevealer v1.71 

  • ZippyV

    Kryptos wrote:

    I would agree with ManipUni's approach.  You could run this: RootkitRevealer v1.71 

    Doesn't work anymore because the rootkit writers would keep finding ways to circumvent it.

     

    What I'd like to know, W3bbo, is how you got it. You are probably up-to-date with your patches on MicrosoftUpdate and don't run executable stuff from e-mail attachments, nor do you download malware from websites and click yes on the UAC dialog. Was it Flash or Java that allowed your PC to get infected? Are they up-to-date?

  • davewill

    @W3bbo: A simple google toolbar infection combined with some entries in the Hosts file could exhibit the behavior as well.  It may not be a rootkit.  Then again, if it is a rootkit you need to blow that partition away and recreate it.  If you don't take the approach to just reinstall Windows, then you will spend more time analyzing and trying to clean and then more time still wondering and watching if it was actually clean.

    Even if the infection is not a rootkit, what is to say that the infection has not put in enough hooks to always have a backdoor in place no matter how many different virus cleaners you run on it.  Whack-a-mole style.

    Save your data files and blow that partition away.

    I presume you have other machines with which you can download the Win7 ISO and use the Windows 7 USB/DVD Download Tool ( http://wudt.codeplex.com/ ) to reinstall.

    There is also the option to do an in place upgrade of Windows 7 to see if that might work.  Although I don't know how it would distinguish a viral hook from any other legitimate hook.

    In conclusion ... Blow it away and reinstall!

  • evildictaitor

    ZippyV wrote:

    What I'd like to know, W3bbo, is how you got it. You are probably up-to-date with your patches on MicrosoftUpdate and don't run executable stuff from e-mail attachments, nor do you download malware from websites and click yes on the UAC dialog. Was it Flash or Java that allowed your PC to get infected? Are they up-to-date?

    The #1 way of getting infected is not being exploited, but running an exe written directly by the malware author. These tend to be either
    a) Quick download my smileys!
    b) Run this program to get rid of malware!
    c) Run me because I am *popular game* / crack for a *popular game*! 
    d) Click me to install codecs to watch *popular movie* / porn
    e) Install this toolbar to use *popular application*
    f) Install this toolbar to use *seemingly popular website*
    g) Friend sends "Run this program it's amazing" which then installs malware and sends "Run this program it's amazing" to all of your friends. 

    Only after all of these do drive-by infections kick in as methods of infecting computers - and again malware authors are lazy and tend to use easy-to-exploit bugs or bugs whose PoC are easy to turn around, which in practice means you need to be quite out of date for drive-by-downloads to work.

  • ManipUni

    Don't forget secret option

    h) Someone breaks into a trusted software vendor and injects it into your favourite desktop application. 

    In theory if they signed their releases it wouldn't be an issue, but very few Open Source Windows application installers do (e.g. Filezilla, GAIM, [The] GIMP, et al).   

     

  • RoyalSchrubber

    Format the Windows partition and delete all executables on all other partitions on internal and external storage devices that had write access.

    The last time a roommate of mine reported his computer behaving oddly, and after checking and finding malware, I recommended reinstalling Windows. I forgot to mention he shouldn't reinstall his applications from backed-up installer executables, and so he promptly reinfected his fresh Windows again. Bah. He gave up and ran his computer infected; obviously I avoided any software that he tried to give me on USB keys like the plague.

    Don't advertise that you got infected and did not do a proper sanitation of your (build?) environment. You aren't making me confident your software on your web properties is safe; there are enough scary stories on the internet about compromised upstreams. This paragraph will self-destruct in a few hours. 

  • Bass

    How did you discover this? From your router?

     

  • blowdart

    RoyalSchrubber wrote:

     

    Don't advertise that you got infected and did not do a proper sanitation of your (build?) environment. You aren't making me confident your software on your web properties is safe; there are enough scary stories on the internet about compromised upstreams. This paragraph will self-destruct in a few hours. 

    A certificate authority has gone offline this week because their servers were used to distribute malware. *boggle*

  • davewill

    @blowdart: Who went offline?  Someone other than RSA?

  • Bass

    Some CA in Malaysia had their authority revoked by the major browser makers for distributing 512-bit certificates. Don't know if that's related.

  • W3bbo

    blowdart wrote:

    Didn't you use to say you didn't run antivirus? *grin*

    So for a windows solution there's a connect beta right now of System Sweeper - http://connect.microsoft.com/systemsweeper

    Webplains doesn't seem to be using root kits though, from what I can see. Did you remove the system TDSSserve.sys hidden device first? And checked proxy settings once rebooted and scanned?

    Yes, I am put to shame. To make things even worse I had UAC disabled at the time.

    cbae wrote:

    This came up on Bing search. Wink

    BTW, how did you discover you had this malware?

    I started noticing google search links were being hijacked. I ran my Live HTTP Headers extension for Firefox and it showed that HTTP 301 redirects were being inserted. At first I thought Wikipedia was hacked (as it only affected links to WP to begin with). Then it started happening to other links and in other browsers, I ruled out anything at my ISP and realised something was amiss locally.

    Process Explorer revealed that the Task Scheduler was launching rundll.exe with a program argument to a DLL called "dswaved.dll" under SysWow64. I quickly terminated it and extracted the file. The question remains how Task Scheduler was manipulated.

    evildictaitor wrote:

    That's very foolish of you.

    You should probably download something like AVG to do a scan of your system. If that doesn't work, you might want to consider formatting your machine and starting over.

    I'm running a Trend Micro house call right now, but I'm sceptical - rootkits usually can't be detected by AV software by their very nature.

    ManipUni wrote:

    Why waste time attempting to remove it? The Windows installation is suspect, it is beyond repair. 

    Buy a 2.5" HDD caddy, copy off all of the files you need, format it including destroying the MBR (if it has one) then use a USB Key to reinstall Windows and copy your files back across. 

    Even if you were able to remove the rootkit, you likely won't get all of the components or be able to determine if it added a reinfection vector (e.g. added malware CA, HOSTS corruption, new trusted sites, et al).    

    The more I learn the less willing I am to ever attempt to remove infections. "Reinstall Windows" is the call of both the guru and low-hanging technical fruit alike.

    You missed the part where I said the HDD was inaccessible.

    Nonetheless, Sony was meant to collect my laptop for repairs last week (hint: they didn't) so there's not much on it anyway.

    Kryptos wrote:

    I would agree with ManipUni's approach.  You could run this: RootkitRevealer v1.71 

    RootkitRevealer only works on 32-bit systems.

    ZippyV wrote:

    *snip* Doesn't work anymore because the rootkit writers would keep finding ways to circumvent it.

     

    What I'd like to know, W3bbo, is how you got it. You are probably up-to-date with your patches on MicrosoftUpdate and don't run executable stuff from e-mail attachments, nor do you download malware from websites and click yes on the UAC dialog. Was it Flash or Java that allowed your PC to get infected? Are they up-to-date?

    The Date Created field on the DLL file I recovered was at 2011-11-05 01:22.

    I checked my browser history, I was browsing two websites at the time, stackoverflow.com, and a thread on iphonedevsdk.com - I'm going to assume Jeff Atwood's website is secure, but iphonedevsdk.com runs vBadvanced 3.1.0 which is an old version. A cursory Google search suggests that version of vBadvanced has a number of security vulnerabilities that may have been broken.

    Assuming that's the case, the vector was that broken website, and something in my browser, possibly Flash or Acrobat (though I am running the latest version of both). But the odd thing is that I run Flashblock in Firefox, so I'm stuck for ideas.

    davewill wrote:

    @W3bbo: A simple google toolbar infection combined with some entries in the Hosts file could exhibit the behavior as well.  It may not be a rootkit.  Then again, if it is a rootkit you need to blow that partition away and recreate it.  If you don't take the approach to just reinstall Windows, then you will spend more time analyzing and trying to clean and then more time still wondering and watching if it was actually clean.

    Even if the infection is not a rootkit, what is to say that the infection has not put in enough hooks to always have a backdoor in place no matter how many different virus cleaners you run on it.  Whack-a-mole style.

    Save your data files and blow that partition away.

    I presume you have other machines with which you can download the Win7 ISO and use the Windows 7 USB/DVD Download Tool ( http://wudt.codeplex.com/ ) to reinstall.

    There is also the option to do an in place upgrade of Windows 7 to see if that might work.  Although I don't know how it would distinguish a viral hook from any other legitimate hook.

    In conclusion ... Blow it away and reinstall!

    Looks like I'll be taking that path.

    evildictaitor wrote:

    *snip*

    The #1 way of getting infected is not being exploited, but running an exe written directly by the malware author. These tend to be either
    a) Quick download my smileys!
    b) Run this program to get rid of malware!
    c) Run me because I am *popular game* / crack for a *popular game*! 
    d) Click me to install codecs to watch *popular movie* / porn
    e) Install this toolbar to use *popular application*
    f) Install this toolbar to use *seemingly popular website*
    g) Friend sends "Run this program it's amazing" which then installs malware and sends "Run this program it's amazing" to all of your friends. 

    Only after all of these do drive-by infections kick in as methods of infecting computers - and again malware authors are lazy and tend to use easy-to-exploit bugs or bugs whose PoC are easy to turn around, which in practice means you need to be quite out of date for drive-by-downloads to work.

    I can assure you, I haven't been running any programs like that. This appears to be an example of the worst kind of drive-by download you can get: unauthorised remote code execution.

    ManipUni wrote:

    Don't forget secret option

    h) Someone breaks into a trusted software vendor and injects it into your favourite desktop application. 

    In theory if they signed their releases it wouldn't be an issue, but very few Open Source Windows application installers do (e.g. Filezilla, GAIM, [The] GIMP, et al).   

    Now you've got me scared. I recently downloaded and installed the ffmpeg binaries from http://ffmpeg.zeranoe.com/builds/, but that was hours before any problems started appearing.

    RoyalSchrubber wrote:

    Format windows partition and delete all executables on all other partitions on internal and external storage devices that had writing access.

    Last time a roommate of mine reported his computer behaving odd and after checking and finding malware I recommend reinstalling Windows. I forgot to mention he shouldn't reinstall his applications from backed up installer executables and so he promptly reinfected his fresh windows again. Bah. He gave up and ran his computer infected, obviously I avoided any software that he tried to give me on USB keys like a plague.

    Don't advertise that you got infected and did not do a proper sanitation of your (build?) environment. You aren't making me confident your software on your web properties is safe; there are enough scary stories on the internet about compromised upstreams. This paragraph will self-destruct in a few hours. 

    Good point, why would any potential customer or client of mine want to trust someone who lets his own laptop get infected?

    Fortunately "W3bbo" isn't associated with my "real-life" business identity.

    Bass wrote:

    How did you discover this? From your router?

    See above: after I noticed search results being hijacked.

    Oddly enough, searching for "webplains.net" in Google, gave me an immediate 301 redirect to http://support.microsoft.com/kb/827315 - the evidence suggests that that redirect was caused by the malware - perhaps the author was under duress when he wrote it? (In any event, that Microsoft support article didn't help).
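
To turn the Process Explorer observation in the post above (Task Scheduler launching rundll with a DLL under SysWow64 at startup) into a repeatable triage, here is an added PowerShell example that is not part of the thread. It assumes an elevated prompt on the live system and Windows 7 with PowerShell 2.0, so it drives schtasks.exe rather than the later Get-ScheduledTask cmdlet; the loader and location patterns are my own heuristics, not anything the thread establishes.

```powershell
# Added example (not from the thread): triage Scheduled Tasks for the kind
# of persistence described above, i.e. Task Scheduler launching rundll32
# with a DLL from SysWOW64 at startup. Run from an elevated PowerShell
# prompt. Uses schtasks.exe so it works on Windows 7 / PowerShell 2.0,
# which lack Get-ScheduledTask.

# Verbose CSV export of every task; "Task To Run" is the command line.
# schtasks repeats the header row for each task folder, so drop those.
$tasks = schtasks.exe /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -ne 'N/A' }

# Heuristics (assumptions of this example): loaders that let a task run
# arbitrary code without its own EXE, and locations where a payload is
# more likely to live than a legitimate scheduled job.
$loaderPattern   = 'rundll32|regsvr32|mshta|wscript|cscript'
$locationPattern = '\\SysWOW64\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Users\\Public\\'

# Quoted or unquoted tokens ending in a PE-style extension, e.g. the DLL
# argument of rundll32 (the ",EntryPoint" suffix is left out of the match).
$pathRegex = '"([^"]+\.(?:dll|exe|scr|cpl))"|(\S+\.(?:dll|exe|scr|cpl))'

foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    if ($cmd -notmatch $loaderPattern -and $cmd -notmatch $locationPattern) { continue }

    "`n[$($t.TaskName)]  Run As: $($t.'Run As User')  Status: $($t.Status)"
    "  Command : $cmd"
    "  Schedule: $($t.'Schedule Type')  Next run: $($t.'Next Run Time')"

    # The task definition is stored as XML under System32\Tasks; its
    # RegistrationInfo carries the claimed Author and creation Date
    # (both writable by whoever created the task, but useful for a timeline).
    $xmlPath = Join-Path $env:SystemRoot ('System32\Tasks' + $t.TaskName)
    if (Test-Path -LiteralPath $xmlPath) {
        $xml = [xml](Get-Content -LiteralPath $xmlPath)
        "  Author  : $($xml.Task.RegistrationInfo.Author)  Created: $($xml.Task.RegistrationInfo.Date)"
    }

    foreach ($m in [regex]::Matches($cmd, $pathRegex, 'IgnoreCase')) {
        $p = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        if ($p -notmatch '[\\/]') { continue }   # bare names like rundll32.exe resolve via PATH; skip
        $full = [Environment]::ExpandEnvironmentVariables($p)
        if (-not (Test-Path -LiteralPath $full)) {
            "  File    : $full (missing, or hidden from this process)"
            continue
        }
        $fi   = Get-Item -LiteralPath $full
        $sig  = Get-AuthenticodeSignature -FilePath $full
        $sha  = New-Object Security.Cryptography.SHA256Managed
        $hash = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($full))) -replace '-', ''
        "  File    : $full"
        "    Created  : $($fi.CreationTime)   Modified: $($fi.LastWriteTime)   Size: $($fi.Length)"
        "    Signature: $($sig.Status)   Signer: $($sig.SignerCertificate.Subject)"
        "    SHA-256  : $hash"
    }
}
```

The file creation time is what answers the "when did this arrive" question the post works through from browser history, and the SHA-256 is what you hand to the AV vendors or an online scanner instead of the file itself. A task whose referenced file reports as missing while Process Explorer shows it running is itself a finding: something is filtering the file system view of this process, which is exactly the rootkit behaviour the thread is worried about. Because the script asks the live, possibly compromised kernel, a clean result does not contradict the advice to reinstall.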

  • W3bbo

    To all those who said I should use AV software:

    I just put the captured dodgy file through MSE, Kaspersky, and Trend Micro, and none of them reported it as being malware.

    If none of these AV programs can detect malware, what's the point of running it at all?

  • evildictaitor

    W3bbo wrote:

    I'm running a Trend Micro house call right now, but I'm sceptical - rootkits usually can't be detected by AV software by their very nature.

    On the contrary. That's actually one of the rare things that AV companies are good at. AVs go out of their way to make sure any common strain of malware in the wild gets picked up by them. If you're the first to be hit with a new strain they might not pick it up straight away, but if you got it from dodgy executables, drive-by-downloads or publicly known exploits on the internet the AV will have seen it and signatured it.

    I can assure you, I haven't been running any programs like that. This appears to be an example of the worst kind of drive-by download you can get: unauthorised remote code execution.

    If you're running latest OS / browser / flash it won't have been a drive-by download attack. Zero days are traded for hundreds of thousands of dollars on the black market and criminals aren't stupid enough to use them on machines that don't have something really valuable on them.

    Now you've got me scared. I recently downloaded and installed the ffmpeg binaries from http://ffmpeg.zeranoe.com/builds/, but that was hours before any problems started appearing.

    Lots of malware is bundled with the single task of downloading and running executables from a known source. The original exploit kit or executable author then "sells" installs to the criminals behind Zeus and other malware, who are then responsible for monetizing the infected computers - either through credit card theft, information theft, attaching the computer to a bot-net for DDoS and so on.

    This behaviour can cause a delay between you running something dodgy and it getting picked up by AV vendors, or between you running something and your computer starting to behave maliciously.

    To be honest, I know you think you probably haven't done anything wrong and it's easier to blame ingenious hackers and exploits, but the reality is that exploits are the exception rather than the norm (and almost exclusively against old machines running Windows XP and running software that hasn't been patched for months on end) for client machines getting infected.
