
rootkits


7 replies to this topic

#1 LOVEMYPC

Posted 14 November 2013 - 07:11 PM

Hi, I have seen some of the tutorials about using rootkit downloads. Just how do they work, and are they safe for a relatively inexperienced user to use and not ruin their PC so that it would make a door stop? Thanks

Edit: Moved topic from Firewall Software and Hardware to the more appropriate forum. ~ Animal


#2 noknojon

Posted 14 November 2013 - 08:11 PM

Hello LOVEMYPC -

 

Rootkit - Wikipedia

Wiki is always a good place to start .........
A standard check tool is this -
TDSSKiller - TDSSKiller is a utility created by Kaspersky Labs that is designed to remove the TDSS rootkit. This rootkit is known under other names such as Rootkit.Win32.TDSS, Tidserv, TDSServ, and Alureon. TDSSKiller will also attempt to remove other rootkits such as ZeroAccess if it is detected.

You can run this (it will not hurt in any way). Directions -
* Download TDSSKiller and save it to your desktop.
* Extract (unzip) its contents to your desktop.
* Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
* If an infected file is detected, the default action will be Cure; click on Continue.
* If a suspicious file is detected, the default action will be Skip; click on Continue.
* It may ask you to reboot the computer to complete the process. Click on Reboot Now.
* If no reboot is required, click on Report. A log file should appear.

* You can copy and paste the contents of that file here if you wish (unless the topic is moved).
* If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.



#3 quietman7

Global Moderator

Posted 15 November 2013 - 08:32 AM

Hi, I have seen some of the tutorials about using rootkit downloads. Just how do they work, and are they safe for a relatively inexperienced user to use and not ruin their PC so that it would make a door stop? Thanks


There are many free anti-rootkit (ARK) tools but some require a certain level of expertise and investigative ability to use. Some ARK tools are intended for advanced users or to be used under the guidance of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system. Most of the more effective ARK tools should only be used under the guidance of an expert who knows how to investigate its log for malicious entries before taking any removal action.

Why? Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a Firewall, anti-virus and anti-malware software, CD Emulators, virtual machines, sandboxes and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempting removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

These are a few of the easier ARKs for novice users:

Malwarebytes Anti-Malware uses a proprietary low level driver (similar to some ARK detectors) to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. SUPERAntiSpyware Free offers technology to deal with rootkit infections as well. Both of these scanners are easy enough for any novice to safely use.

 


Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 LOVEMYPC


Posted 15 November 2013 - 10:59 AM

Thank you both for the replies. I have run across an article about McAfee rootkits and how he explained how they could find rootkit problems, and it kinda mirrored some of the minor problems that are showing up on my PC.



#5 quietman7

Global Moderator

Posted 15 November 2013 - 04:13 PM

There are many different types of rootkits...these are a few examples.

TDSS/TDL2 used random names like TDSSpaxt.sys - TDSServ.sys - TDSSmqlt.sys - TDSSpqlt.sys - TDSSmhxt.sys - TDSSmaxt.sys with randomly named .dll's (i.e. TDSSosvn.dll, TDSSriqp.dll, TDSSurxb.dll). Other variants included UACd.sys, GAOPDXserv.sys, SKYNETtyushyne.sys and those with naming conventions like MSIVXfpqebwwxpiswvenobbndeitvrjiwprcc.sys, ESQULcaqdnewnwtfswbfuqcsdruxpfjpqpfpn.sys.

TDL3 (Alureon) rootkit is the third generation of TDSS, which uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and a few others. Atapi.sys is a common target for this rootkit because it loads early during the boot process and is difficult to detect.

TDL4 (Alureon) infects 2 drivers, one being random and the other a legitimate driver (such as atapi.sys) in the Windows drivers folder. If the legitimate driver is swapped (cured) without the other being swapped at the same time, the swapped file becomes infected again. Newer TDL variants can infect the Master Boot Record and MBR partition table.

TDL4/MaxSS creates a hidden partition by modifying a free partition table entry in the MBR partition table at the end of the bootable hard drive. Rather than overwriting the Windows MBR code as its predecessor did, this variant leaves the original MBR code fully intact and gains a foothold onto the system by creating a new, hidden partition where it stashes its malicious file system.

ZeroAccess or Max++ infects a random system driver, overwriting its code with its own infected driver, hijacks the storage driver chain in order to hide its presence on the disk; creates a new kernel device object called __max++, creates a hidden file system, downloads more malware, and opens a back door on the compromised computer.

Rootkit.boot.SST.B (and SST.A) is the MaxSS modification of TDL4 and infects the VBR (volume boot record).

Olmasco (also known as SST, MaxSS) is a modification of the TDL4 bootkit and the second to use VBR (Volume Boot Record) infection to bypass kernel-mode code signing policy.

More detailed information about various rootkits can be found in the Glossary of Malware Related Terms.

If you were infected with this type of malware you would be experiencing signs of infection and various problems with your computer. These are some examples (not all are present as symptoms depend on the malware variant and extent of infection).

* Google search results redirected as the malware modifies DNS query results.
* Infected (patched) files like atapi.sys, iastor.sys and others in the Windows drivers folder.
* Internet Explorer opens on its own.
* Pop ups when no browser is open.
* Mouse clicking sounds or suddenly freezing.
* Heavy network activity without any obvious reason.
* Services.exe is constantly increasing in size or using a lot of memory.
* New service created, connected to a new user created that links to an exe file.
* BSOD and Stop 0x0000007B error message while booting the system.
* Random Audio/Radio/Voice ads.
* Commercials in foreign languages.
* Repeated Fake alerts indicating the computer is infected.
* Redirections in all browsers.
* Redirection to a phishing screen asking for personal information when attempting to log into ebay (Paypal, gmail, Yahoo! mail, etc).
* Infected consrv.dll file which places various files in a random folder in the systemroot\INSTALLER folder.
* Hidden malicious partition.
* Presence of C:\WINDOWS\$NtUninstallKB3057$, %WinDir%\$NtUninstallKB32069$, etc folder
* Presence of system64 folder in C:\Windows
* Booting issues.
* Infected/modified Master Boot Record (MBR)
* Infected/modified Partition Table
* Infected/modified VBR (volume boot record)
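As an added illustration of the partition-table tampering quietman7 describes for TDL4/MaxSS (a free MBR entry turned into a hidden partition, older variants overwriting the boot code), the following Python audits a 512-byte MBR sector against a known-good baseline copy. This is example code written for this page, not from the thread or from any of the tools named in it; the sample sectors, the partition type codes used in them and the disk size are constructed fixtures.

```python
import struct

TABLE_OFFSET = 446                   # boot code occupies bytes 0..445, then 4 x 16-byte entries
ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries):
    """Assemble a constructed MBR sector from (status, type, lba_start, sectors) tuples."""
    table = b"".join(ENTRY.pack(s, b"\0\0\0", t, b"\0\0\0", lba, n) for s, t, lba, n in entries)
    return b"\0" * TABLE_OFFSET + table.ljust(64, b"\0") + b"\x55\xAA"


def parse_partitions(mbr):
    """Return the four partition entries as dicts; reject anything that is not an MBR sector."""
    if len(mbr) != 512 or mbr[510:] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(mbr, TABLE_OFFSET + 16 * i)
        parts.append({"index": i, "status": status, "type": ptype, "lba": lba, "sectors": count})
    return parts


def audit_mbr(mbr, baseline, disk_sectors):
    """Compare a live MBR with a known-good copy: flag overwritten boot code, a formerly
    free entry now populated, an entry sitting in unallocated space after the known
    partitions (the TDL4/MaxSS hidden partition), or an entry running past the disk end."""
    findings = []
    if mbr[:TABLE_OFFSET] != baseline[:TABLE_OFFSET]:
        findings.append("boot code differs from baseline")
    cur, base = parse_partitions(mbr), parse_partitions(baseline)
    known_end = max((p["lba"] + p["sectors"] for p in base if p["type"]), default=0)
    for p in [p for p in cur if p["type"] != 0]:
        b, i = base[p["index"]], p["index"]
        if b["type"] == 0:
            findings.append(f"entry {i}: previously free, now type 0x{p['type']:02x} at LBA {p['lba']}")
        elif (b["type"], b["lba"], b["sectors"]) != (p["type"], p["lba"], p["sectors"]):
            findings.append(f"entry {i}: type/location changed from baseline")
        if p["lba"] + p["sectors"] > disk_sectors:
            findings.append(f"entry {i}: extends past the end of the disk")
        elif p["lba"] >= known_end:
            findings.append(f"entry {i}: occupies unallocated space after the known partitions")
    return findings


# Constructed fixtures: one NTFS (type 0x07) system partition on a 225280-sector disk, and the
# same table with a small hidden-NTFS (type 0x17) partition carved into the free entry 3.
CLEAN = build_mbr([(0x80, 0x07, 2048, 204800)])
TAMPERED = build_mbr([(0x80, 0x07, 2048, 204800), (0, 0, 0, 0), (0, 0, 0, 0), (0x00, 0x17, 206848, 16384)])

REPORT = audit_mbr(TAMPERED, CLEAN, 225280)   # findings for the tampered fixture
```

On a real machine the baseline would be a copy of sector 0 taken while the system was known clean; a live MBR read from inside an infected OS may itself be filtered by the rootkit, which is why such checks are usually run from offline boot media.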

#6 LOVEMYPC


Posted 15 November 2013 - 10:34 PM

Hi, I have run most of the programs that were suggested. The one that I would like to run is ROOT KIT TOOL by McAfee; it is in beta form right now, you run it at your own risk, and I also have seen that beta form is not for the novice to just run.

I also ran across an article by McAfee about how rootkit tools work, and almost all of the problems that were in the article pertain to how my PC is running right now; all the programs that I ran did not find any problems.

I was thinking if maybe I pour holy water on my PC and do an exorcism on it, it may start to work better.

Not to get off topic, but I see there is an update to FIREFOX 25.0.

On another note, if you left one forum and went to another without logging out, would that leave a back door into a PC? Thanks



#7 LOVEMYPC


Posted 16 November 2013 - 06:12 AM

Hi, I just read the rootkit Wikipedia article and, if I understand it right, it is almost a losing battle with rootkits.

Now my next question is, do these rootkits get installed when you download anything off of the internet? If so, when I use my external backup will I still have rootkit problems, and if I replace the existing HDD with a new one will the bad rootkits go along for the ride, or have I misunderstood how and where rootkits are installed? Thanks



#8 quietman7

Global Moderator

Posted 16 November 2013 - 09:05 AM

Various distribution mechanisms and infection vectors are used to spread rootkits. Rootkits commonly spread through peer-to-peer (P2P) sharing networks that allow for the downloading of corrupted shareware or bundled software, drive-by downloads while visiting gaming, porn and underground sites, and sharing infected removable drives. Other methods of distribution involve social engineering and infected web content...deception and trickery by the display of deceptive pop-up ads that may appear as legitimate Windows notifications with active links. Clicking on one of these links may result in downloading and installation of malware in the background without your knowledge or consent, or redirection to a malicious site where the download occurs.

noknojon has already provided you with instructions for checking for rootkits.
