Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Deeply imbedded Windows 7 rootkit


  • This topic is locked This topic is locked
2 replies to this topic

#1 Maj. Matt Mason

Maj. Matt Mason

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:06:46 PM

Posted 09 January 2011 - 10:05 PM

I have a Linux server running as a web, mail, and file server, as well as my firewall. About a month ago, I found that the system had been turned into an open mail relay and was in the process of conducting a DoS attack against a server in China. I blocked all traffic to/from China, South Korea, Taiwan, and Hong Kong, as well as closing port 80 to all traffic, leaving only port 25 open. The DoS attack has ceased, and I had been watching my logs closely and reporting abnormal activity to the proper ISPs.

Early last week, I had turned my Windows system on (it usually remains off) and got to the desktop. Before I launched any applications, I had to leave the machine unattended. When I returned, I found that the system had rebooted and was stuck on the word Welcome. I rebooted the system again and got in, but things were "not right". After some poking around, found that all the system restore data was gone. The installed update list was completely empty. The system was also unstable. Prior to the issues, I had been running Avira antivirus, Panda Cloud antivirus, Ad-Aware, and Malwarebytes. None of these could find any infections. I tried for 2 days to run GMER, but possibly due to limitations on the number of files it can scan, it would slow down to about 1 file per second after an hour or so. The system has over 800k files and would have at least had 300k more to go, which would mean several months to complete (if it would at all). I attached the drive to another system and tried to just scan the files on the drive, but got the same results. I also need to mention that Windows Update keeps trying to install KB977165 and KB979683. A search on the web quickly told me that this is a symptom of a "deeply embedded rootkit". My feeling is that whomever had compromised my Linux server still has some level of access and compromised my Windows 7 system through it.

I have since tried scanning the system with Avira Antiroot, RootkitBuster, F-Secure Black Light, and Sophos Antirootkit. None of which find anything. I am a seasoned technician with many, many years of experience. I have experience removing virii from corporate systems and have had very great success in doing so, but this one has me completely stumped. I had a virus problem a few years ago and was helped by people on this forum (and I must say that they greatly increased my knowledge in virus removal), but were never completely sure they had solved the issue, finally having to do a clean install. I know I will be admonished for this (I've read a great many threads these past few days on several boards including yours), but as a last resort, tried running Combofix. Combofix will not even complete Stage 1 (after about 20 mins, the system BSODs and restarts). As per instructions posted here, I downloaded DDS. That, too, will not complete and after 20 mins the system BSODs and restarts, so I never get the log (I tried running this 3 times).

Bottom line: Avira antivirus, Panda Cloud antivirus, and Malwarebytes detect nothing. The antirootkit software listed above detect nothing. MBR.EXE gets a read error on item 3 (does not specify the exact problem), says the Kernel is OK and then hangs. Combofix, as well as DDS, stalls and eventually BSODs. GMER will not complete, possibly due to the number of files being scanned. It would be easy enough just to do a clean install, but I would rather track this down and fix it. Not only for my knowledge, but a bug as nasty as this needs to be identified so that countermeasures can be developed, especially since it seems to know to block tools available on this site. It truly is an undetectable rootkit. I know this is a place for techs to train, but you might want to put one of your more seasoned people on this one.

System Specifications:

Windows 7 Ulitmate 32-bit (was fully patched as of mid-December)
Dell Precision 530 running 2 Xeon 2.8gHz processors
Syba SilRaid SATA controller
1T SATA drive
2G RAM

In advance, thank you so much.

Edited by Maj. Matt Mason, 09 January 2011 - 10:14 PM.


BC AdBot (Login to Remove)

 


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:02:46 AM

Posted 17 January 2011 - 08:38 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:46 PM

Posted 23 January 2011 - 08:48 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users