

Serious new google redirect rootkit.


16 replies to this topic

#1 DangerousDonnie
  • Members
  • 15 posts

Posted 22 October 2008 - 02:10 PM

I am an MCSE and my expertise is in security and virus removal. This is the first time that I have been completely stumped. I believe this is a serious new threat.
OS : Windows XP sp1.
Apps affected: IE6sp1 or sp2 and IE7. Firefox.

Symptoms: google, yahoo and windows live search redirects to bogus sites such as monstermarketplace. Example: you type in google "quantum physics"; the search returns: wikipedia at the top, but at the bottom it says monstermarketplace. Using netmon you see the infection goes to 78.157.142.58 before the results are returned in google. This IP has been flagged on SBL as part of a block of IPs belonging to a Russian Cybercrime hosting company. The virus even runs in safe mode with networking. This is not the common google redirect that involves tds*.dlls. This is something new and very dangerous. I am currently working with kaspersky and eset, but they have no clue at the moment.

Things I have tried:
Kaspersky purchased edition with infected drive slaved - nothing.
Eset purchased edition with infected drive slaved - nothing.
Panda antirootkit - nothing
F-Secure BlackLight - nothing
Sophos antirootkit - nothing.
IceSword - nothing
Avenger - nothing.
Logs analyzed by me:
combofix - clean
hijackthis - clean
findawf - clean
After making an Acronis image I updated to IE7 and windows xp sp2 - no change.
Gmer - log is clean from hidden processes or services but it does find hooks.
Gmer - stack modifications found.
When windows is first started GMER shows the following:

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]

Whenever IE is opened these additional stack mods are found:
.text C:\Program Files\internet explorer\iexplore.exe[280] kernel32.dll!ExitProcess 77E798FD 6 Bytes PUSH 10002970; RET
.text C:\Program Files\internet explorer\iexplore.exe[280] WS2_32.dll!WSARecv 71AB19A0 6 Bytes PUSH 10002504; RET
.text C:\Program Files\internet explorer\iexplore.exe[280] WS2_32.dll!send 71AB1AF4 6 Bytes PUSH 1000269C; RET
.text C:\Program Files\internet explorer\iexplore.exe[280] WS2_32.dll!recv 71AB5690 6 Bytes PUSH 100024C4; RET
.text C:\Program Files\internet explorer\iexplore.exe[280] WS2_32.dll!WSASend 71AB5722 6 Bytes PUSH 10002924; RET

After restoring the code (i.e. unhooking) then IE and google function properly until IE is opened again and GMER shows these hooks are now back!

I have been working on this for 3 weeks and have even replaced windows xp low level files such as kernel32.dll, ws2_32.dll and others but to no avail.

I can make the infection stop with Internet Explorer if I remove the Browsenewprocess keys from the registry which means that mshtml will be running as a process in place of IE. But Firefox still has symptoms.

Then I tried blocking 78.157.142.58 at the firewall. IT IS BLOCKED. When I open IE, netmon shows that this ip is connected!!!
When I add 78.157.142.58 to the host file and point it to 127.0.0.6 it stills says connected in the network monitor programs I use.
This is when I started considering suicide as a viable option.

I need your help in finding this one. I may have to use OllyDbg which I am not very good at.
I have not posted anywhere else, but of course I have searched.

If you need more info on this just type 78.157.142.58 virus in google and you will see there are only about 4 topics on this all without answers. So it is very new and very deep. According to these threads it may also affect Vista.
Please help.
Dangerous to Spyware, that is!
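As an added example (not the poster's code or GMER's own output parser), here is a small Python triage script that reads GMER ".text" lines of the shape quoted above, decodes each "PUSH addr; RET" trampoline, and groups the hooked WinSock exports per process so a set of send/recv hooks all landing in one foreign region stands out. The log text is a constructed sample embedded in the script; the regex and the 64 KiB grouping are assumptions of this example, not a documented GMER format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the GMER "stack modification" lines quoted in the post above.
GMER_LOG = r"""
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text C:\Program Files\internet explorer\iexplore.exe[280] kernel32.dll!ExitProcess 77E798FD 6 Bytes PUSH 10002970; RET
.text C:\Program Files\internet explorer\iexplore.exe[280] WS2_32.dll!WSARecv 71AB19A0 6 Bytes PUSH 10002504; RET
.text C:\Program Files\internet explorer\iexplore.exe[280] WS2_32.dll!send 71AB1AF4 6 Bytes PUSH 1000269C; RET
.text C:\Program Files\internet explorer\iexplore.exe[280] WS2_32.dll!recv 71AB5690 6 Bytes PUSH 100024C4; RET
.text C:\Program Files\internet explorer\iexplore.exe[280] WS2_32.dll!WSASend 71AB5722 6 Bytes PUSH 10002924; RET
"""

# One GMER .text line: optional "path\process.exe[pid]", module!export, optional
# "+ offset", the patched address, the patch size in bytes and the new bytes.
LINE_RE = re.compile(
    r"^\.text\s+(?:(?P<process>.+?\[\d+\])\s+)?(?P<module>[^\s!]+)!(?P<symbol>\w+)"
    r"(?:\s*\+\s*[0-9A-Fa-f]+)?\s+(?P<addr>[0-9A-Fa-f]{8})\s+\d+\s+Bytes?\s+(?P<patch>.+)$")
PUSH_RET_RE = re.compile(r"PUSH\s+([0-9A-Fa-f]{8});\s*RET")
WINSOCK_EXPORTS = {"send", "recv", "WSASend", "WSARecv", "WSASendTo", "WSARecvFrom"}

def parse_gmer(text: str) -> List[dict]:
    """Turn each .text line into a record; process is None for kernel-mode entries."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hooks.append({"process": m["process"], "module": m["module"], "symbol": m["symbol"],
                          "address": int(m["addr"], 16), "patch": m["patch"].strip()})
    return hooks

def redirect_target(hook: dict) -> Optional[int]:
    """Address a 'PUSH addr; RET' trampoline transfers control to, if the patch is one."""
    m = PUSH_RET_RE.search(hook["patch"])
    return int(m.group(1), 16) if m else None

def triage(hooks: List[dict]) -> Dict[str, dict]:
    """Per process: which WinSock exports are trampolined and the 64 KiB region(s) the
    trampolines land in. Several send/recv hooks all jumping into one region outside
    ws2_32.dll is the traffic-interception pattern the thread describes."""
    report: Dict[str, dict] = {}
    for h in hooks:
        if h["module"].lower() != "ws2_32.dll" or h["symbol"] not in WINSOCK_EXPORTS:
            continue
        entry = report.setdefault(h["process"] or "<kernel>", {"exports": [], "regions": set()})
        entry["exports"].append(h["symbol"])
        target = redirect_target(h)
        if target is not None:
            entry["regions"].add(target & 0xFFFF0000)
    for entry in report.values():
        entry["exports"].sort()
    return report
```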

#2 nicolai_gm
  • Members
  • 12 posts

Posted 22 October 2008 - 06:43 PM

I may have the same problem on my system. I am nowhere near as computer savvy as you, so hearing this from you is pretty disturbing. I need to double check on the 78.157.... when I get home from work, but I do recognize monstermarketplace as one of the sites that I have been routed to.

So in your opinion, if I were to implement the work arounds you mentioned for IE, does that make it safe to use? I'm definitely more interested in fixing the problem, but it sounds like a fix may not be in the near future so should I even have my modem turned on? Right now everything is off.

I'm fairly computer illiterate and will not be able to offer much to this forum, so please keep me posted if you figure anything out. Thanks.

#3 DangerousDonnie
  • Topic Starter
  • Members
  • 15 posts

Posted 22 October 2008 - 08:03 PM

Yes, you can stop IE from doing this by running regedit in the start/run box and searching for any key that = "browsenewprocess" and deleting that key. Then reboot. This will fix IE but will not fix Firefox. I still do not know why. You may have to reboot.

Please use at your own risk. This is not dangerous, it simply does not allow IE to run as a separate process. Please let me know if it works for you. If you have any problems, just let me know and I will give you the .reg file to restore what you have done.

God Bless.

#4 nicolai_gm
  • Members
  • 12 posts

Posted 23 October 2008 - 04:21 PM

Thanks. I'm still not sure what I have. I have yet to see anything routed to anywhere beginning with 78.157.... I get re-directed using search engines, but it also blocks me from certain sites like this one and anything else computer troubleshooting related. After some persistence I was able to download Hijackthis and generate a log, but I could not evaluate it because the site that it goes to for evaluation was getting blocked. All my other anti-virus/spyware programs get blocked when trying to update definitions. I did notice one .dll file in the mix in my hijackthis log so I may just have a "run of the mill" hijacker virus. I am currently getting clean bills of health from McAfee, Defender and Adaware. It's been challenging to figure anything out because I can't get on these sites for advice from my home computer and I'm kind of reluctant to just start deleting things.

In your opinion are these types of bugs just a nuisance, or is my security at risk? Or is it hard to say?

#5 DangerousDonnie
  • Topic Starter
  • Members
  • 15 posts

Posted 23 October 2008 - 05:54 PM

I am not a moderator here so I should not be giving you advice. But you do not have the same infection I have. I hope that makes you feel better. Your hosts file may have a lot of 127.0.0* blocking you from going to the sites you mentioned. You could download a free program called hoster to look into this. But I suggest opening a topic here for help. I am waiting for help just like you. I do not want bleepingcomputer to get mad at me for giving advice when I am not a moderator. I believe what you have is probably just a nuisance. Please feel free to try hoster and write me again for advice.
God bless.

#6 nicolai_gm
  • Members
  • 12 posts

Posted 23 October 2008 - 06:49 PM

Sorry. This is my first time using the site. I'm still trying to figure out how it works. I'll go through the proper channels, but really do appreciate the help. I'm definitely relieved that I don't have your bug. Good luck and thanks again for the guidance.

#7 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 24 October 2008 - 11:55 AM

I've blogged about this infection 2 weeks ago: http://miekiemoes.blogspot.com/2008/10/fak...archengine.html
If you're uncertain, I suggest you post a HijackThis log in the HijackThis forum here. Not sure why scanners are still not detecting this one, because samples were sent more than 2 weeks ago. So, make sure first that your Antivirus is up to date.
By the way, Combofix removes this infection as well.

Edit.. by the way, this is no rootkit ;)

Edited by miekiemoes, 24 October 2008 - 11:58 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 DangerousDonnie
  • Topic Starter
  • Members
  • 15 posts

Posted 24 October 2008 - 12:30 PM

Thank you so much!!! Combofix does not fix the problem on this system. But I do see the sysaudio.sys file. Can you explain the hooks in GMER if it is not a rootkit? It seems to have rootkit-like behaviour.

#9 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 24 October 2008 - 12:45 PM

No, it isn't a rootkit. Just because GMER displays these hooks doesn't mean that it is a rootkit.
It's a script injected in IE and other browsers. This one is generated by the fake sysaudio.sys file.
It appears that you're quite knowledgeable, so if it interests you, just use a file analyzing tool to view the contents of the fake sysaudio.sys.
For example, you can use FileAlyzer for this ( http://www.safer-networking.org/en/filealyzer/index.html ).
Then look at the strings inside the file - very interesting how the strings appear. They're written backwards (sdrawkcab). :thumbsup:

Edited by miekiemoes, 24 October 2008 - 12:46 PM.

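As an added example (not the poster's tooling and not FileAlyzer), this Python snippet does what the post above suggests doing by hand: pull printable strings out of a file body and flag the ones that only read sensibly when mirrored, returning them already un-reversed. The byte string is a constructed stand-in with placeholder values; nothing in it comes from the real sysaudio.sys sample, and the marker list is this example's own heuristic.

```python
import re
from typing import Dict, List

# Constructed stand-in for a file body: readable strings stored reversed, as the post
# describes, mixed with normal strings and binary filler. Placeholder values only,
# not strings taken from the real sample.
SAMPLE = (b"\x00\x01MZ\x90\x00"
          + b"http://example.invalid/search?q="[::-1] + b"\x00\x00"
          + b"ExitProcess\x00"
          + b"ws2_32.dll"[::-1] + b"\x00\x10\x11"
          + b"!!!abc\x00"
          + b"WSARecv"[::-1] + b"\x00")

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Tokens that read naturally in only one direction; a string whose mirror image scores
# higher than the string itself was most likely stored backwards.
MARKERS = ("http://", "https://", "www.", ".dll", ".exe", ".sys", ".nls", ".drv", "c:\\",
           "send", "recv", "wsasend", "wsarecv", "exitprocess", "software\\microsoft")

def extract_strings(data: bytes) -> List[str]:
    """Printable ASCII runs of at least 4 bytes, like a plain 'strings' pass."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def orientation_score(s: str) -> int:
    """How many one-way markers the string contains in its current orientation."""
    low = s.lower()
    return sum(low.count(marker) for marker in MARKERS)

def recover(data: bytes) -> Dict[str, List[str]]:
    """Split extracted strings into those that read forwards and those that only make
    sense mirrored; the latter are returned already un-reversed. Ties stay forward."""
    out: Dict[str, List[str]] = {"forward": [], "reversed": []}
    for s in extract_strings(data):
        mirrored = s[::-1]
        if orientation_score(mirrored) > orientation_score(s):
            out["reversed"].append(mirrored)
        else:
            out["forward"].append(s)
    return out
```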

#10 DangerousDonnie
  • Topic Starter
  • Members
  • 15 posts

Posted 24 October 2008 - 01:45 PM

I just disassembled sysaudio.sys with PE explorer and you are absolutely right!! After reading the code I also discovered the stack mods I was seeing with GMER and some other unsettling things; it also stops windows update from working, and is also trying to modify kmixer.sys which may or may not be involved.

I reinstalled and tried the latest purchased version of Kaspersky and Nod32 and neither found it!

I will also try combofix later although as of last week combofix did not find it either.

So you are correct, it is not a true rootkit in the sense that it is not hiding its processes but it is a nasty little hooker. My client must have a new version of this virus. I will send the sample files to everyone as soon as I have done more research.

Thanks, you have saved me. How did you find it? I had tried everything and I know what I am doing. I think. haha.

You are amazing.

#11 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 24 October 2008 - 02:02 PM

"I will also try combofix later although as of last week combofix did not find it either."

It does though - see log here where it shows it as deleted.

I found this infection after analyzing some sites where this so called "Yahoo! Counter starts here" malicious javascript was present... and played with it :thumbsup:
It's indeed a sneaky one because, since the filename is actually legitimate, many people think that there's nothing wrong with that sysaudio.sys file. Of course the legitimate sysaudio.sys file is present in the system32\drivers folder and not in the system32 folder.

Edit - but in your case and since you know what file is responsible, there's really no need to use Combofix to remove it. You can remove the file manually. There should be another file present there as well, divx.nls and/or ntnet.drv, present in the system32 folder, related to this infection.

Edited by miekiemoes, 24 October 2008 - 02:06 PM.


#12 DangerousDonnie
  • Topic Starter
  • Members
  • 15 posts

Posted 26 October 2008 - 06:46 PM

Thank you for your expertise.

Combofix does find it just as you said! I had not run combofix recently, that was the problem. I hope combofix does more than just file name searching because as of this post, nod32, kaspersky, and norton do not detect this infection. I just sent them the samples with detailed descriptions. I know I could have just deleted sysaudio.sys and solved this problem, but since this is my profession I had to learn more before I did that. If you want a sample of this sysaudio.sys, let me know.

I believe that this version is definitely trying to infect kmixer.sys.
This version does not allow windows update to function properly. It could be because of the loading inside of the script or something other.
This version does hook sfc_os.dll.

Also discovered on both computers after I ran combofix: NVSVC32.EXE.

Hopefully the anti-virus people will discover exactly what this version of sysaudio.sys is doing along with nvsvc32.exe.

Thank you, and if you have no other input or questions, we can consider this topic closed.

God Bless.

#13 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 27 October 2008 - 02:32 AM

The deletion of nvsvc32.exe by Combofix is a false positive, so you'll have to restore it again.
To restore it, navigate to the C:\Qoobox\quarantine\C\windows\system32 folder and rename the nvsvc32.exe.vir file back to nvsvc32.exe.
Then copy it back into the C:\Windows\system32 folder.

#14 DangerousDonnie
  • Topic Starter
  • Members
  • 15 posts

Posted 27 October 2008 - 08:56 PM

Thank you again. I submitted the virus samples to eset and kaspersky yesterday and this morning when I booted up the client's infected image Kaspersky immediately detected it as: rootkit.win32.agent.eoj. They also emailed me and told me this is a new threat not previously detected and they are currently analyzing it. As of this posting NOD32 still does not detect it. So I resent the virus sample to them just now. I will keep you updated as to what I learn about this.

Why is so much anti-virus software having a problem with this?

Notice the name: rootkit.win32.agent.eoj.

You said it wasn't a rootkit.

Got ya! Just kidding. haha.

#15 dlsimon
  • Members
  • 1 posts

Posted 30 November 2008 - 10:46 PM

I have gotten a very similar-sounding virus: Google searches show redirected links in the results, although the result descriptions look legit (like one result might show text from a wikipedia entry, but the link goes to a completely different site and a visible IP address for the URL on the redirected link... starting with 74.x.x.x). No other symptoms that I can tell of: nothing out of ordinary running in list of processes, no extra bookmarks added to my browser, no extra pop up windows.

Anyway, I am running Windows XP sp3, with the latest version of AVG anti-virus and Microsoft Windows Defender in the background. Whatever it is, it snuck in somehow without tripping off alarms.

The only thing I've found that could get rid of it was Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.php). I hope this doesn't come across as a spam post for them, but if anyone is getting stumped by this virus, might give them a shot (they have a freebie-personal use version). I did a search for 'rootkit' and 'sysaudio.sys' and stumbled onto this thread here, which is what the name of the virus was listed as by that program (a Trojan with the name of Rootkit that had infected the file called sysaudio.sys).

I don't run this program full-time, but I was hoping my antivirus program would keep this from getting in. I haven't found what can prevent it apparently, as I got my 2nd infection in a month.

Edited by dlsimon, 30 November 2008 - 10:47 PM.




