
Remove a windows rootkit using linux


9 replies to this topic

#1 flavaflav (Members, 6 posts)

Posted 26 December 2011 - 10:49 AM

I dual-boot Windows XP and Arch Linux. I don't use Windows for anything except playing video games and getting on the internet occasionally. Somehow though, my Windows has gotten the Zeroaccess rootkit. This wouldn't bother me except that I can't get to my Windows install cd for at least another week and, because Zeroaccess is blocking my network access, I can't play Skyrim.

My computer would be unusable if I didn't have Arch installed on here already. I've read a lot about Zeroaccess and I understand why it's so hard to remove from inside Windows. However, it should be a piece of cake to remove from sda1 while I'm booted into sda3 and running Linux. Are there any tools for this?


#2 stiltskin (Members, 238 posts, Location: Western MO)

Posted 26 December 2011 - 12:42 PM

I've never removed a Windows rootkit, so don't really have any experience with it. I've gotten rid of several worms, viruses and trojans with linux, though.

See if any of these help:

http://www.tomshardware.com/forum/237330-50-best-windows-computer-rootkit-backdoor-linux

<deleted link to hirens, see this topic>

http://www.anitgenius.com/remove-windows-rootkit

Edited by elise025, 26 December 2011 - 01:55 PM.
link removed


#3 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Location: Romania)

Posted 26 December 2011 - 01:57 PM

I would not recommend attempting to clean ZA from a Linux partition. This rootkit infects more than one file, which need to be replaced, not deleted. It also infects/changes parts of the registry, which cannot be fixed from outside Windows.

I will move this topic to the malware removal forum.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#4 flavaflav, Topic Starter (Members, 6 posts)

Posted 26 December 2011 - 04:02 PM

I appreciate the help but I'm actually not interested in removing it. I mean this in the nicest way but I am genuinely curious about information on removing rootkits from windows with Linux. If you, or any other mod, check this again soon, will you please move it back to where it was? Thank you again for your help.

#5 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Location: Romania)

Posted 26 December 2011 - 04:15 PM

There is nothing wrong with that discussion. :)
Given your initial post I understood you were looking for help to remove the ZA rootkit from your Windows installation.

Generally speaking, it is not a good idea to remove malware using linux, although it is certainly not impossible.
First of all, MBR rootkits: if you dual-boot Linux you don't have to worry about them, as they will leave the Linux boot loader alone. You can remove MBR rootkits using Linux live CDs on a computer with a single boot though (I actually prefer doing this with newer MBR rootkit variants, as it sometimes is the easiest way).

What you can also do using Linux is replace infected system files. You can see this with ZeroAccess/Sirefef rootkits as well as TDL3 (this isn't that much around anymore). The problem is that you'll need to identify them first. I would not recommend Linux live CD scanners for that (so-called rescue CDs) as they have the tendency to just delete and thus cause more harm than good.

Finally, a complication is that many infections are using the Windows Registry. This cannot be edited easily using Linux. I wouldn't recommend anyone to do it unless there really is no alternative.

I hope this answers your question!

regards, Elise


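Elise's point that infected system files have to be identified before they can be replaced, and that rescue-CD scanners tend to just delete, suggests a narrower approach from Linux: mount the Windows partition read-only, compare it against a hash manifest taken from a clean installation of the same Windows version and service pack, and only touch files whose hashes differ. The script below is an added example written for this page, not code from the thread or from any BleepingComputer tool; the mount points, file names and the sample tree that build_sample creates are hypothetical and constructed, and it assumes a POSIX shell with sha256sum (or shasum/openssl) installed.

```shell
#!/bin/sh
# Added example for this page (not from the thread): compare files on a mounted
# Windows partition against a baseline manifest from a clean installation of the
# same Windows version and service pack. Paths, names and the sample tree that
# build_sample creates are hypothetical/constructed.
#
# Real use:
#   mount -o ro /dev/sda1 /mnt/win                 # read-only for the comparison
#   make_manifest /mnt/clean_win > baseline.txt    # taken from a known-clean copy
#   verify_manifest /mnt/win baseline.txt
set -u

# SHA-256 hex digest of a file, using whichever tool is installed.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

# Baseline: one "digest  relative/path" line per regular file below DIR.
make_manifest() {
  dir=${1%/}
  find "$dir" -type f | LC_ALL=C sort | while read -r f; do
    printf '%s  %s\n' "$(hash_file "$f")" "${f#"$dir"/}"
  done
}

# Check each manifest entry against the tree mounted at MNT. Prints one line per
# file (OK, MISMATCH = candidate for replacement from clean media, MISSING) and
# returns 0 only if every file is OK.
verify_manifest() {
  mnt=${1%/}; manifest=$2; bad=0
  while read -r expected rel; do
    [ -n "$expected" ] || continue
    f="$mnt/$rel"
    if [ ! -f "$f" ]; then
      printf 'MISSING  %s\n' "$rel"; bad=1
    elif [ "$(hash_file "$f")" = "$expected" ]; then
      printf 'OK       %s\n' "$rel"
    else
      printf 'MISMATCH %s\n' "$rel"; bad=1
    fi
  done < "$manifest"
  return "$bad"
}

# Constructed sample under BASE: a clean tree and a copy with one driver altered.
build_sample() {
  base=$1
  rm -rf "$base"
  mkdir -p "$base/clean/WINDOWS/system32/drivers" "$base/suspect"
  printf 'clean driver bytes'  > "$base/clean/WINDOWS/system32/drivers/example.sys"
  printf 'clean library bytes' > "$base/clean/WINDOWS/system32/example.dll"
  cp -R "$base/clean/." "$base/suspect/"
  printf 'clean driver bytes + appended payload' \
    > "$base/suspect/WINDOWS/system32/drivers/example.sys"
}

# sh thisfile.sh demo  -> builds the sample and reports example.sys as MISMATCH
case "${1:-}" in
  demo)
    work=${TMPDIR:-/tmp}/winfs_example.$$
    build_sample "$work"
    make_manifest "$work/clean" > "$work/baseline.txt"
    verify_manifest "$work/suspect" "$work/baseline.txt"
    ;;
esac
```

Keep the partition mounted read-only for the comparison and only remount it read-write (with ntfs-3g) when replacing one specific file from clean media. A matching hash says only that the file equals the baseline; anything the manifest does not cover, and the registry changes Elise mentions, are outside what this check can see. Path case matters on an NTFS partition mounted from Linux, so manifest paths have to be spelled exactly as the mounted filesystem shows them.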


#6 flavaflav, Topic Starter (Members, 6 posts)

Posted 26 December 2011 - 04:28 PM

Those are my thoughts too. Because the Windows kernel hooks won't be active while Windows isn't running, it would be trivial to scan all the drivers, find the infected one, and remove the infection. I could ignore every single defense mechanism this rootkit has because Windows wouldn't be running. I think I want to learn how to do this.

I don't know if you do this or not but if you do, could you point me at some good resources for writing anti-malware tools? I am very familiar with Linux and I know more than one programming language. If you could help me I would be very thankful.

#7 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Location: Romania)

Posted 26 December 2011 - 04:34 PM

I am sorry, while I use tools like this on a daily basis, I am no programmer and I don't write them.
The problem however is not writing the tools (you can make them as simple or complicated as you'd like); the problem is keeping up to date with what the latest malware does and how you can use tools to detect that (for example, the latest MBR rootkits can be detected with a simple fdisk or dd command).

regards, Elise


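The "simple fdisk or dd command" check mentioned in the post above can be made repeatable: copy the first 512-byte sector with dd, confirm the 55 AA signature, decode the four partition entries, and hash only the bootstrap-code area (bytes 0-439) so that a rewritten boot sector shows up as a hash change against a baseline taken while the disk was known clean. This is an added example for this page, not code from the thread; the image that make_sample_mbr builds is constructed, and /dev/sda, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example for this page (not from the thread): read and check a 512-byte
# MBR image with dd and od. The image from make_sample_mbr is constructed.
# Real use (read-only):
#   dd if=/dev/sda of=mbr.bin bs=512 count=1
#   mbr_signature_ok mbr.bin && mbr_partitions mbr.bin
#   mbr_bootcode_hash mbr.bin     # compare with the hash taken when the disk was clean
set -u

# Bytes [OFFSET, OFFSET+LEN) of FILE as one lowercase hex string.
hexbytes() { od -An -tx1 -v -j "$2" -N "$3" "$1" | tr -d ' \n'; }

# Decimal value of a little-endian 32-bit field given as 8 hex characters.
le32() {
  b0=$(printf '%s' "$1" | cut -c1-2); b1=$(printf '%s' "$1" | cut -c3-4)
  b2=$(printf '%s' "$1" | cut -c5-6); b3=$(printf '%s' "$1" | cut -c7-8)
  echo $((0x$b3$b2$b1$b0))
}

# SHA-256 of stdin, using whichever tool is installed.
hash_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# A valid MBR ends in the two bytes 55 AA.
mbr_signature_ok() { [ "$(hexbytes "$1" 510 2)" = "55aa" ]; }

# Hash of the bootstrap code only (bytes 0-439). The disk signature (440-443)
# and the partition table (446-509) change for legitimate reasons, so they are
# left out of the baseline.
mbr_bootcode_hash() { dd if="$1" bs=1 count=440 2>/dev/null | hash_stdin; }

# 0 when the boot code still matches BASELINE_HASH, 1 when it was rewritten.
mbr_bootcode_matches() { [ "$(mbr_bootcode_hash "$1")" = "$2" ]; }

# One line per used partition entry: index, boot flag, type, start LBA, sectors.
mbr_partitions() {
  i=0
  while [ "$i" -lt 4 ]; do
    e=$(hexbytes "$1" $((446 + 16 * i)) 16)
    type=$(printf '%s' "$e" | cut -c9-10)
    if [ "$type" != "00" ]; then
      printf '%d %s %s %d %d\n' $((i + 1)) "$(printf '%s' "$e" | cut -c1-2)" "$type" \
        "$(le32 "$(printf '%s' "$e" | cut -c17-24)")" "$(le32 "$(printf '%s' "$e" | cut -c25-32)")"
    fi
    i=$((i + 1))
  done
}

# Write printf-escaped BYTES at OFFSET in FILE without truncating it.
poke() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# Constructed 512-byte image: placeholder boot code, one bootable NTFS (0x07)
# partition starting at LBA 2048 with 0x200000 sectors, and the 55 AA signature.
make_sample_mbr() {
  dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
  poke "$1" 0   'PLACEHOLDER-BOOT-CODE'
  poke "$1" 446 '\200'      # boot flag
  poke "$1" 450 '\007'      # type byte: NTFS
  poke "$1" 455 '\010'      # start LBA 0x00000800 = 2048, little-endian
  poke "$1" 460 '\040'      # size 0x00200000 sectors, little-endian
  poke "$1" 510 '\125\252'  # 55 AA
}

# sh thisfile.sh demo  -> builds the sample image and prints its checks
case "${1:-}" in
  demo)
    img=${TMPDIR:-/tmp}/mbr_example.$$.bin
    make_sample_mbr "$img"
    mbr_signature_ok "$img" && echo "signature ok"
    mbr_partitions "$img"
    echo "bootcode sha256: $(mbr_bootcode_hash "$img")"
    ;;
esac
```

Take the baseline from Linux while the disk is known clean and store the bootcode hash somewhere other than the Windows partition; re-reading the sector from Linux is what sidesteps the hooks an active Windows rootkit would use to hide the real sector. The check only says that the boot code changed, not what the new code does, and on a GPT disk the first sector is a protective MBR with a single type 0xEE entry, so the partition decoding is only informative there.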


#8 flavaflav, Topic Starter (Members, 6 posts)

Posted 26 December 2011 - 04:45 PM

That's what I want to do. Try to keep up to date with how it works and learn how to stop it. If the Joker made Zeroaccess then I want to be Batman haha. Anyway, thanks for your help. I'm going to try to figure this stuff out :)

#9 Elise, Bleepin' Blonde (Malware Study Hall Admin, 60,931 posts, Location: Romania)

Posted 26 December 2011 - 05:12 PM

Good luck! :thumbup2:

regards, Elise




#10 flavaflav, Topic Starter (Members, 6 posts)

Posted 27 December 2011 - 11:52 AM

Thank you! Hopefully I'll be back.



