Posted 10 July 2009 - 08:18 AM
By day, I am a netadmin for a medium-sized organization of 500 computers.
By night, I am a computer cleanup expert, er, used to be an expert, er, now kinda floundering over the latest attacks that are happening around me.
Armed with my mighty USB stick and tons and tons of experience, my motto was that I could clean almost ANY infection and get your computer back to running normally.
As a service to my fellow employees, if their home computers got pooched up, I let them bring them to me for disinfection. It served us well, as I got to see the latest threats and got better and better at cleaning them. Along the way, I have collected a wide variety of tools, techniques, and strategies for disinfecting PCs. At one point, my method had not changed in about 9 months, and I was prepared to write the definitive approach for cleaning malware, and was offering it to such places as Windows Secrets, who responded that methodologies changed too rapidly to make a claim like that, and that publishing fix-it techniques only fueled the bad guys to invent ways to break our tools.
Boy, were they right.
Now, I am one of those guys who has a hard time giving up, but the hacks that have happened lately are beyond my ability to clean, using every tool and technique that I can find. The attack looks like this.
Take away all the malware that got on the machine, take away all the viruses and trojans, and once the computer seems to be running unobstructed, I find that what is left is an ntoskrnl file that has been modified. I have found NOTHING that can restore it to functionality. I can boot from CD and replace it, but after reboot, the same malicious changes have been applied. I have run every rootkit tool that I can find against these boxes, and they CLAIM to unhook things, but after reboot, bam. For a brief period of time, ComboFix was fixing these, but alas, the bad guys now seem to have found their way around this.
I strive to surround myself with the smartest people I can find, and my goal is to share everything I know, in hopes that they will share everything THEY know, and together we will be better than we were apart. I believe in the collective brain. I believe that if I teach you what I know, I won't have to do it all myself. I believe in good. I believe that people should NOT have to put up with having their systems hacked just for visiting a website that got hacked last night, and that afterwards, they should NOT have to face reloading their operating systems.
But here I sit, my beliefs shattered, with a growing pile of computers that are unfixable, and a small band of coworkers and customers who are waiting for me to reload an operating system, wherein they will start over, reloading all their programs, getting their peripherals set back up, and all the while knowing it could happen again TOMORROW, and I am just so sick of it.
We could all buy Macs; there's not a lot of Mac hacking going on out there, but people don't like the sound of spending twice as much or MORE to get one. What they don't get is that if you had a choice of two cars, one that cost five grand new, was easy to break into, could be made to break down a lot, and every so often you had to go back to the dealership to have it reprogrammed, vs. a 12,000 dollar car that did not have those same problems, people tend to go price over value.
That being said, the world could go Linux, of whatever flavor you like, but now they have to learn to install Linux apps and all those silly little YUM statements and a whole new language. Please, most of them don't know what to do at the command prompt, and they've been using Windows their whole life.
So I hang my head in dejection, searching for someone who knows as much as I do about these newest system compromises, and really wishing for someone SMARTER than I, who knows EXACTLY what I am talking about, and who will tell me and the world of PC cleaners how to fix this or keep it from happening again. I join FORUM after FORUM, but I do not come up with the answer, and either the communities I join don't KNOW about the SSDT hooks, don't CARE about them, or, like me, just don't know what to DO about them. Well, that is why I came. I am searching for Yoda, to prepare me for my face-off with Darth.
I came HERE because of the high reputation of bleepingcomputer.com, searching for answers. HELP...... I will soon post specific questions but this post is just telling you about me, why I am here, what I do (and lately, CAN'T DO!!!)
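The one concrete symptom in the post is an ntoskrnl.exe that comes back modified after being replaced from CD. The check a practitioner would want here is a byte-for-byte comparison of the on-disk kernel against a known-good copy of the same build, done from a clean boot environment (WinPE or a boot CD), never from the suspect OS itself, because a kernel-mode rootkit can hide its changes from anything that runs on top of it. The following PowerShell script is an added example written for this thread; it is not the poster's code or any tool mentioned above. It assumes the suspect volume is mounted as D: and that a clean ntoskrnl.exe has been copied to E:\ntoskrnl.exe; both paths are assumptions and can be passed as parameters. It uses .NET's SHA256 class rather than Get-FileHash so that it runs on the PowerShell versions of the era.

```powershell
# Added example (not from the original post): compare a suspect ntoskrnl.exe
# against a known-good copy from install media, run from a clean boot
# environment so the suspect kernel is not in control while we look at it.
# Assumed paths: D: is the mounted suspect volume, E:\ntoskrnl.exe is the
# clean copy taken from media of the same build.
param(
    [string]$Suspect   = 'D:\Windows\System32\ntoskrnl.exe',
    [string]$KnownGood = 'E:\ntoskrnl.exe'
)

# SHA-256 via .NET so this works on older PowerShell (no Get-FileHash needed).
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# Compare version strings (same build?) and hashes (same bytes?).
function Compare-Kernel([string]$Suspect, [string]$KnownGood) {
    $sInfo = Get-Item $Suspect
    $gInfo = Get-Item $KnownGood
    $sVer  = $sInfo.VersionInfo.FileVersion
    $gVer  = $gInfo.VersionInfo.FileVersion
    $sHash = Get-Sha256Hex $Suspect
    $gHash = Get-Sha256Hex $KnownGood

    return New-Object PSObject -Property @{
        SuspectVersion   = $sVer
        KnownGoodVersion = $gVer
        SuspectSize      = $sInfo.Length
        KnownGoodSize    = $gInfo.Length
        SuspectSHA256    = $sHash
        KnownGoodSHA256  = $gHash
        SameBuild        = ($sVer -eq $gVer)
        Identical        = ($sHash -eq $gHash)
    }
}

$r = Compare-Kernel $Suspect $KnownGood
$r | Format-List

if (-not $r.SameBuild) {
    # A patched file usually keeps its version strings, so a version mismatch
    # means the clean copy is simply a different service pack / hotfix level.
    Write-Warning 'Version strings differ: fetch a clean copy of the SAME build before trusting the hash comparison.'
} elseif (-not $r.Identical) {
    Write-Warning 'Same build, different bytes: ntoskrnl.exe has been modified on disk.'
} else {
    Write-Host 'ntoskrnl.exe matches the known-good copy byte for byte.'
}
```

Run it twice: once right after replacing the file from CD (it should report Identical), and again after one normal boot of the suspect OS. If the second run reports a mismatch, the kernel file is a symptom rather than the source: something that executes before or alongside the kernel on the suspect system is re-applying the patch on every boot, which is why unhooking tools that only repair the running kernel's tables report success and then lose again after reboot. That points the search at what loads before or alongside the kernel (boot sectors, boot-start drivers), not at ntoskrnl.exe itself.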