Security Basics mailing list archives
Re: computer with rootkit?
From: Francois Yang <francois.y () gmail com>
Date: Thu, 29 Sep 2011 12:20:14 -0500
Maybe I didn't explain myself good enough. I'm trying to figure out what it is and what its doing and not trying to remove it. I want to figure that out so I can monitor the rest of the network and logs to see if other machines are also infected. Here's an update to what I've been doing. This thing is pretty cool. :) so I already explained that it watches for rootkit and AV tools and shuts them down. I also mentioned that if you boot into safe mode, it will know it and shutdown the computer. I've noticed that if you have it plugged into the network while in Safe mode, it will continue to work fine, but about 2min after you unplug the network cable. it shuts down. I suspected I didn't see any outbound traffic because it couldn't get to the internet so I connected it to a wireless modem. onces that happened I noticed it created a bunch of http connections to multiple computers from different ISPs. verizon, road runner, comcast, sbc etc... I also noticed a bunch of outbound connections to random IP addresses on port 34354. those destinations where all over but mainly out of the US. I saw many from Russia. Any attempt to visit an AV website gets redirected to random sites. Internet browsing is very very slow. I'm assuming it's watching the browser activities. The computer is just sitting here with nothing open and I can see many outbound connections to random websites. not sure what it's pulling or uploading yet. I will have to look deeper into the pcap file. The file name mentioned was located in multiple places in the registry. hklm/system/controlset002/services/6a6bb2e and controlset004/services/6a6bb2e the file is also located in /windows/prefetch which I believe will load at boot. fun fun...I'll keep working on it. Frank On Thu, Sep 29, 2011 at 11:35 AM, Jamie Ivanov <jamie.ivanov () gmail com> wrote:
Clearly you don't have any experience with rootkits. If one were to get loaded from boot (bootkit) to initialize a driver or hook a driver, once the kernel SSDT gets modified your process list becomes inaccurate. You cannot perform *ANY* rootkit removal on an active system or your changes will be nullified by monitoring hooks. You need an offline environment like the Hirens boot CD to load portable envoronment. Not only wipe the mbr but check loaded drivers at each runlevel then check local user and global registry startup points. Also a system file check to verify/replace modified system files. Then, and only then, you can even run your malware finders such as combofix, malwarebytes antimalware, and spybot s&d. Repairing a rootkit infection is not that difficult. I've been reverse engineering them for years. Those who have suggested a reinstall should be ashamed. Jamie Ivanov / KC9LFD m.608.399.4252 Blackberry: 32DD619E http://www.linkedin.com/in/jamieivanov -- -- -- -- -- -- -- -- -- -- -- -- This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful. Sent from my BlackBerry -----Original Message----- From: Brian Rogalski <brogalski () bkrservices com> Sender: listbounce () securityfocus com Date: Thu, 29 Sep 2011 07:01:20 To: security basics<security-basics () securityfocus com> Subject: RE: computer with rootkit? There are a few things that you could try... Use tools like process hacker, what's running, capture bat and regshot ... Process explorer and process monitor can tell you what path and device files are being used. Also look at the (HKLM\currentversion\microsoft\windows\software\run) key in the registry ... most malicious program want to stay resident after a reboot... You can use a tool called autoruns at well. It looks like you may have a Kernel mode root kit. There is only so far that those tools will take you .. To complete your process you are going to have to dump the executable to a unaffected machine and perform more behavioral analysis follow by code and memory forensics. Hope that helps Brian ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: computer with rootkit?, (continued)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- RE: computer with rootkit? Joe DeMarco (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- RE: computer with rootkit? Dan Lynch (Sep 30)
- Re: computer with rootkit? Security (Sep 30)
- Re: computer with rootkit? Jeff Stebelton (Sep 30)
- Re: computer with rootkit? Ansgar Wiechers (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- Re: computer with rootkit? Ansgar Wiechers (Sep 29)
- RE: computer with rootkit? Mikesch, David A (Sep 30)
- Re: computer with rootkit? Francois Yang (Sep 29)
- Re: computer with rootkit? rogue5 (Sep 29)