Coffeehouse Thread

38 posts

I've got a rootkit...

  • ZippyV

    Install Scriptblock instead of Flashblock.

  • W3bbo

    I'm running the TrendMicro House Call on my laptop still. Been going for over 6 hours now and it's only 60% complete :o

    Interestingly, it says it's found "2 threats".

    It won't tell me what they are until the scan's over, it'll be interesting to see what they are.

  • cbae

    W3bbo wrote:

    I'm running the TrendMicro House Call on my laptop still. Been going for over 6 hours now and it's only 60% complete :o

    Interestingly, it says it's found "2 threats".

    It won't tell me what they are until the scan's over, it'll be interesting to see what they are.

    Didn't you say you had hardly any data on this HD? Dayam.

  • BitFlipper

    W3bbo wrote:

    To all those who said I should use AV software:

    I just put the captured dodgy file through MSE, Kaspersky, and Trend Micro, and none of them reported it as being malware.

    If none of these AV programs can detect malware, what's the point of running it at all?

    That is because the "dodgy file" you refer to is really part of DirectX. See the file listed here. There is some other executable that you missed that is the real culprit.

    Seriously, running something like MSE takes no noticeable resources, and I run some heavy-duty realtime music applications at low buffer latencies without any audio glitches. And I don't see what the big issue is with leaving UAC turned on. Once in a while I have to click on "Yes/No". I really can't remember the last time I had an infection; it has been years now.

  • W3bbo

    cbae wrote:

    *snip*

    Didn't you say you had hardly any data on this HD? Dayam.

    I meant to clarify that as "hardly any data worth keeping", i.e. personal documents. It still feels the need to scan my 80GB collection of legitimately acquired MP3s, the MSDN content installations and, of course, the tens of gigabytes that Microsoft Windows likes to amass in the WinSxS directory.

    It's now 2011-11-06 00:40 and it's just hit 70%, so far it's found 4 threats, I note that for as long as I've been watching it it's been scanning my Firefox cache - so if the malware installer found its way through there it makes sense.

    I'll post a follow-up when I check back in the morning.

  • AndyC

    W3bbo wrote:

    *snip*

    I meant to clarify that as "hardly any data worth keeping", i.e. personal documents. It still feels the need to scan my 80GB collection of legitimately acquired MP3s, the MSDN content installations and, of course, the tens of gigabytes that Microsoft Windows likes to amass in the WinSxS directory.

    Well, obviously it's going to scan all your MP3s; one of those might contain viral code. As for WinSxS, it's a bunch of hard links to files elsewhere. It doesn't really occupy "tens of gigabytes".

    If there's nothing worth keeping though I don't really see the point of trying to disinfect the machine, reformatting and reinstalling is really the only sane option anyway. And this time leave UAC on and actually use a proper on-access virus scanner at all times.

  • W3bbo

    The scan completed a short while ago, 7 threats were found in total.

    However all of them were inactive (i.e. just passive virulent files that weren't configured by the system to be loaded anywhere). Curiously enough, it flagged a JPEG file as a virus. I inspected it with a binary editor and apparently it was a renamed zip file containing an EXE. It came attached with some email.
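
The manual check W3bbo describes (open the "JPEG" in a binary editor, notice it is really a zip, notice the zip holds an EXE) can be automated by comparing the file's leading bytes with what its extension claims and then peeking at the first bytes of each archive member. The block below is an added example, not code from the thread or from any of the scanners mentioned; the sample file and its bytes are constructed in place, and the magic-number table is a small illustrative subset, not a complete file-type database.

```python
"""Extension/content mismatch and executables-inside-archives check.
Added example, not from the original post. MAGIC and EXTENSION_KIND are a
deliberately small, illustrative table; the sample data is constructed below."""
import io
import os
import zipfile

# Leading bytes of a few common formats (illustrative subset, not exhaustive).
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF-": "pdf",
}
# What a given extension claims the content should be.
EXTENSION_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
                  ".zip": "zip", ".exe": "pe", ".dll": "pe", ".pdf": "pdf"}


def sniff(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_file(name, data, max_member_bytes=64 * 1024 * 1024):
    """Return a list of findings for one file: a name/content mismatch, and any
    archive member whose own leading bytes say 'PE executable' (member names
    are not trusted either). Oversized members are skipped rather than
    decompressed, so a decompression bomb cannot exhaust memory here."""
    findings = []
    kind = sniff(data)
    ext = os.path.splitext(name)[1].lower()
    claimed = EXTENSION_KIND.get(ext)
    if claimed and claimed != kind:
        findings.append(f"{name}: extension says {claimed}, content is {kind}")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > max_member_bytes:
                        findings.append(f"{name}: member {info.filename} declares "
                                        f"{info.file_size} bytes, skipped")
                        continue
                    with zf.open(info) as member:
                        head = member.read(8)  # only the first bytes are needed
                    if sniff(head) == "pe":
                        findings.append(f"{name}: member {info.filename} is a PE executable")
        except zipfile.BadZipFile:
            findings.append(f"{name}: zip signature but archive is malformed")
    return findings


def build_sample():
    """Constructed sample: a zip containing a fake PE stub, to be saved as a .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"not an executable")
    return buf.getvalue()


SAMPLE_NAME = "holiday.jpg"          # constructed: zip content under an image name
SAMPLE_DATA = build_sample()
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # constructed: genuine JPEG prefix

if __name__ == "__main__":
    for finding in inspect_file(SAMPLE_NAME, SAMPLE_DATA):
        print(finding)
    print("photo.jpg:", inspect_file("photo.jpg", REAL_JPEG_HEAD) or "no findings")
```

On the constructed sample this reports both the extension/content mismatch and the executable member; a genuine JPEG prefix under a .jpg name produces no findings. The same two checks (trust the bytes, not the name; look inside containers) are what caused the scanner in the thread to flag the "JPEG" in the first place.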

  • Bass

    That must be a pretty crappy rootkit if you could detect it without even switching operating systems.

  • PaoloM

    Bass wrote:

    That must be a pretty crappy rootkit if you could detect it without even switching operating systems.

    ++

  • PaoloM

    W3bbo wrote:

    The scan completed a short while ago, 7 threats were found in total.

    However all of them were inactive (i.e. just passive virulent files that weren't configured by the system to be loaded anywhere). Curiously enough, it flagged a JPEG file as a virus. I inspected it with a binary editor and apparently it was a renamed zip file containing an EXE. It came attached with some email.

    Using a better browser (with real security features) and an AV would have prevented all that from showing up on your system.

    Live and learn, eh? :)

  • evildictaitor

    Bass wrote:

    That must be a pretty crappy rootkit if you could detect it without even switching operating systems.

    On the contrary. The way rootkit detectors work is they ask for the same information in about 100 different ways. If any of them disagree with the others then something is wrong. E.g. if you enumerate the files in a folder and see nothing, but do an NtQueryObject on the directory and discover that it contains 1 file, then something is amiss. The point is that rootkits can hook stuff, but unless they hook everything (which requires a lot of time, effort and Winternals knowledge) they're going to screw up and will get caught.

    Also, AVs tend to look for heuristics as well as file signatures, so if an image gets mapped from disk but the file doesn't show up in a ZwOpenFile then something is wrong.
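
The cross-view technique evildictaitor describes (obtain the same fact through independent paths and treat any disagreement as a signal) does not depend on Windows internals; the block below is an added example, not code from the thread or from any real rootkit detector. It compares directory enumeration against two independent views: opening candidate names directly, and, on Linux only, the files backing a process's memory mappings as read from /proc/<pid>/maps (the analogue of "image mapped but file not visible"). The "hooked listing" simulator is a constructed stand-in for a user-mode hook that filters enumeration results, used so the mismatch path can be shown on a clean machine.

```python
"""Cross-view consistency checks in the spirit of rootkit detectors.
Added example, not from the original post. The only OS-specific part is
mapped_images(), which reads /proc/<pid>/maps and therefore runs on Linux only."""
import os
import tempfile


def compare_views(enumerated, independently_known):
    """Paths an independent source says exist but enumeration did not report.
    A non-empty result means either a race (file created or deleted between the
    two views) or something filtering what enumeration returns."""
    return sorted(set(independently_known) - set(enumerated))


def enumerate_parents(paths):
    """View 1: list each parent directory with os.listdir and record what it shows."""
    seen = set()
    for directory in {os.path.dirname(p) for p in paths}:
        try:
            seen.update(os.path.join(directory, name) for name in os.listdir(directory))
        except OSError:
            pass  # unreadable directory: nothing to compare against
    return seen


def probe_by_name(directory, candidate_names):
    """View 2a: stat candidate names directly instead of enumerating. This is
    the post's 'enumerate says empty, direct query says one file' comparison."""
    return {os.path.join(directory, n) for n in candidate_names
            if os.path.lexists(os.path.join(directory, n))}


def mapped_images(pid="self"):
    """View 2b (Linux only): files backing a process's memory mappings, read from
    /proc/<pid>/maps. Anonymous, memfd and deleted mappings are skipped: they
    are legitimately absent from any directory listing."""
    paths = set()
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.split(None, 5)
            if len(fields) == 6:
                path = fields[5].strip()
                if (path.startswith("/") and not path.startswith("/memfd:")
                        and not path.endswith("(deleted)")):
                    paths.add(path)
    return paths


def hidden_from_listing(directory, candidate_names):
    """Cross-view: names direct probing finds but enumeration omits."""
    probed = probe_by_name(directory, candidate_names)
    return compare_views(enumerate_parents(probed), probed)


def hidden_mapped_images(pid="self"):
    """Cross-view (Linux): mapped files whose directory entry enumeration cannot see."""
    mapped = mapped_images(pid)
    return compare_views(enumerate_parents(mapped), mapped)


def simulate_hooked_listing(real_listing, hide_prefix):
    """Constructed stand-in for a hook that drops entries with a given prefix from
    enumeration results, so the detection path can be exercised on a clean box."""
    return {p for p in real_listing if not os.path.basename(p).startswith(hide_prefix)}


def demo_clean_directory():
    """On an uncompromised directory both views must agree: expect an empty list."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "present.txt"), "w").close()
        return hidden_from_listing(d, ["present.txt", "absent.txt"])


if __name__ == "__main__":
    print("clean directory:", demo_clean_directory())
    truth = {"/opt/app/run.exe", "/opt/app/hidden.sys", "/opt/app/readme.txt"}
    print("hooked enumeration misses:",
          compare_views(simulate_hooked_listing(truth, "hidden"), truth))
    if os.path.exists("/proc/self/maps"):
        print("mapped images hidden from listing:", hidden_mapped_images())
```

The per-view helpers are deliberately independent of one another (listdir versus stat-by-name versus the kernel's own mapping table), which is the whole point: a hook that only filters one of them produces a visible disagreement. As Bass notes in a later post, a rootkit that answers every view consistently defeats this, so the check is a detector of imperfect rootkits, not a proof of a clean system.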

  • AndyC

    W3bbo wrote:

    The scan completed a short while ago, 7 threats were found in total.

    However all of them were inactive (i.e. just passive virulent files that weren't configured by the system to be loaded anywhere). Curiously enough, it flagged a JPEG file as a virus. I inspected it with a binary editor and apparently it was a renamed zip file containing an EXE. It came attached with some email.

    The thing is, you now know the system was infected but you don't really know it isn't still compromised by something the anti-virus tool didn't spot. So you've lost the best part of a day scanning a system and you can still only be sure it's clean by reinstalling everything. Not surprised to see executables hidden inside renamed files though; that's pretty common.

    PaoloM wrote:

    *snip* Using a better browser (with real security features) and an AV would have prevented all that from showing up on your system.

    ++

    Eventually everyone I've ever known to make the statement "I don't need an AV, I know what I am doing" has ended up in exactly this position.

  • blowdart

    [image]

  • Bass

    @evildictaitor:

    And if the rootkit answers correctly all 100 ways? The fact of the matter is though, there is no perfect security. Intrusion detection with no false negatives has been shown to be an undecidable problem.[1]

    [1]: http://vxheavens.com/lib/afc01.html

  • spivonious

    I've successfully removed some pretty nasty viruses, but if there's no data on there that you care about, just wipe out the partition table and start over. It's much, much faster. Hours versus days.

  • W3bbo

    spivonious wrote:

    I've successfully removed some pretty nasty viruses, but if there's no data on there that you care about, just wipe out the partition table and start over. It's much, much faster. Hours versus days.

    What I'd like Microsoft (or anyone) to make is a program that inspects a HDD and ensures the boot path from the boot sector to loading the desktop is free of contamination, which means you can safely boot it up and run a manual scan at your leisure knowing your system isn't compromised in a way that betrays your trust in it.

  • blowdart

    W3bbo wrote:

    *snip*

    What I'd like Microsoft (or anyone) to make is a program that inspects a HDD and ensures the boot path from the boot sector to loading the desktop is free of contamination, which means you can safely boot it up and run a manual scan at your leisure knowing your system isn't compromised in a way that betrays your trust in it.

    And how would you do that? There are so many points that you can plug into legitimately, and of course a myriad of software that does it, which has updates.

    Or of course you can take the trusted boot option, but then, well, you get a lot of complaints that Microsoft is trying to control your software so only Microsoft sourced programs will run.

  • Craig_Matthews

    blowdart wrote:

    *snip*

    And how would you do that? There are so many points that you can plug into legitimately, and of course a myriad of software that does it, which has updates.

    Or of course you can take the trusted boot option, but then, well, you get a lot of complaints that Microsoft is trying to control your software so only Microsoft sourced programs will run.

    Microsoft could include, as part of the install process, a separate, trusted, minimal Windows installation (there are a plethora of ways to protect it) that can be used strictly for antivirus and malware scanning. In other words, they can build into the installation the same thing that technicians cobble together every day with Hirens or UBCD4Win for the exact same purposes. Or just extend the current system recovery image that lets you do system restore and startup file checks to include the ability to run virus or malware scans.
