Vermilion Voice
December 05, 2022, 05:09:05 am
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Welcome to the Vermilion Voice
 
  Home Help Search Arcade Gallery Links Staff List Login Register  

Be On The Lookout For A Dangerous Rootkit That Can Infect Your Computer!

Pages: [1]
  Print  
Author Topic: Be On The Lookout For A Dangerous Rootkit That Can Infect Your Computer!  (Read 111 times)
DejaVu
Hero Member
*****
Gender: Female
Posts: 2023



View Profile
Badges: (View All)
« on: October 04, 2011, 09:41:19 am »

Rootkit

Quote
A rootkit is a software system that consists of one or more programs designed to obscure the fact that a system has been compromised. Contrary to what its name may imply, a rootkit does not grant a user administrator privileges, as it requires prior access to execute and tamper with system files and processes. An attacker may use a rootkit to replace vital system executables, which may then be used to hide processes and files the attacker has installed, along with the presence of the rootkit. Access to the hardware, e.g., the reset switch, is rarely required, as a rootkit is intended to seize control of the operating system. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security scan and surveillance mechanisms such as anti-virus or anti-spyware scan. Often, they are Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system. Rootkits may also install a "back door" in a system by replacing the login mechanism (such as /bin/login) with an executable that accepts a secret login combination, which, in turn, allows an attacker to access the system, regardless of the changes to the actual accounts on the system.

These things can cause a very nasty infection and are extremely hard to get rid of. I know because I've been trying for the past 4 days. I had the Zero Access Rootkit and I've got my computer running again but actually I'm still not sure it's completely free of it and no longer compromised. I'll be posting ways to get rid of these infections.

 
Report Spam   Logged

The most successful tyranny is not the one that uses force to assure uniformity, but the one that removes awareness of other possibilities, that makes it seem inconceivable that other ways are viable, that removes the sense that there is an outside. --Allan Bloom

Share on Facebook Share on Twitter

DejaVu
Hero Member
*****
Gender: Female
Posts: 2023



View Profile
Badges: (View All)
« Reply #1 on: October 04, 2011, 09:48:35 am »

How to completely remove ZeroAccess/Sirefef rootkit (Removal Guide)

What is ZeroAccess/Sirefef rootkit?

ZeroAccess is a family of Rootkits, capable of infecting the Windows Operating System.On infection, it replaces Windows System Files and installs Kernel Hooks in an attempt to remain stealthy. Once the hooks are installed, the target operating system falls under control of the rootkit, which is then able to hide processes, files, networks connections, as well as to kill any security tools trying to access its files or processes. This rootkit is known to infect both 32 and 64 bit Windows operating systems.
ZeroAccess also patches system files to load its malicious code. The original file name is then kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in a file on disk.

You can find more details here and here.

Continue here for removal instructions : http://malwaretips.com/Thread-How-to-completely-remove-ZeroAccess-Sirefef-rootkit-Removal-Guide?highlight=zeroaccess
Report Spam   Logged

The most successful tyranny is not the one that uses force to assure uniformity, but the one that removes awareness of other possibilities, that makes it seem inconceivable that other ways are viable, that removes the sense that there is an outside. --Allan Bloom
DejaVu
Hero Member
*****
Gender: Female
Posts: 2023



View Profile
Badges: (View All)
« Reply #2 on: October 09, 2011, 01:46:58 am »

Risk Assessment:    Home Low | Corporate Low
Date Discovered:    8/16/2011
Date Added:    8/16/2011
Origin:    N/A
Length:    varies
Type:    Trojan
Subtype:    Rootkit
DAT Required:    6440


Virus Characteristics


ZeroAccess is a family of Rootkits, capable of infecting the Windows Operating System. On infection, it overwrite Windows System Files and installs Kernel Hooks in an attempt to remain stealthy. Once the hooks are installed, the target operating system falls under control of the rootkit, which is then able to hide processes, files, networks connections, as well as to kill any security tools trying to access its files or processes. This rootkit is known to infect both 32 and 64 bit Windows operating systems.

ZeroAccess patches system files to load its malicious code. The original file content is overwritten, but the original system file is kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in an unsuspecting file on disk.

ZeroAccess is usually installed on a system by a malicious executable. Once this dropper is executed, it will install the rootkit which will perform the actions described below:

NOTE: A detailed description of this malware can be found on our Threat Advisory page here.

The following files are changed or created by the malware:

    The rootkit will create a file with a random name in %SYSTEMROOT%\system32\config\[random] or c:\windows\prefetch\[random]. This file will be used to store a virtual encrypted file system, used by the rootkit to store its configuration files and other supporting files.
    Some recent variants are creating a hidden folder named c:\windows\$NtUninstallKB[random]$ to store its files.
    ZeroAccess will then patch a randomly chosen system driver file. The patched file will be used as the rootkit’s restart mechanism to load its malicious kernel component when the system boots.
    The malware will create a trip-wire file which will be monitored to detect security tools scanning the system. Any process touching this file will be terminated. The file may be created as a system device or as an ADS (Alternate Data Stream) as follows:
    \\??\Global\systemroot\system32\svchost.exe\svchost.exe
    %SYSTEMROOT%\[random]:[random].exe

(where %SYSTEMROOT% represents the folder where Windows is installed, usually C:\Windows)

The following registry keys are changed or created:

    The malware then creates a service, and points the service's ImagePath key to the file above, to run it every time the system boots. The following is an example of such key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54e61bbc\Type: 0x00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54e61bbc\Start: 0x00000003
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54e61bbc\ImagePath: "\systemroot\3155945044:2870600771.exe"
    It may also create the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{f8cec7e5-22d1-631d-b463-054fb5b74060}


In newer variants, besides killing the process, the rootkit component will also remove all NTFS permissions from the offending files (by modifying its DACL) and install an Image File Execution Option to disable execution of the file. This action is an attempt to disable security related tools and components.

Network Activity

ZeroAccess will report its installation and user activity to a remote server. Since the rootkit hides network connections from any tool running on the infected machine, system administrators may need to use external monitoring tools to check the network activity.

After infection, the malware will report installation and system activity using HTTP requests. These requests are usually made to destination port 80 but some variants also use port 8083 to communicate.

The requests have the following characteristics:

GET /stat2.php?w=46&i=d5d6a3459af7a34558e98254eb873a62&a=11 HTTP/1.1
Host:
User-Agent: Opera/6 (Windows NT 5.1; U; LangID=416; x86)

GET /bad.php?w=109&fail=0&i=d5d6a3459af7a3457ce3916737df5160 HTTP/1.1
Connection: keep-alive
Host:
User-Agent: Opera/6 (Windows NT 5.1; U; LangID=416; x86)

The following user-agent may also be used:

GET /%s HTTP/1.0
Host: %s
User-Agent: NSIS_Inetc (Mozilla)

During our test replication, the following IP addresses were contacted by the malware:

    95.64.46.44
    193.105.154.210
    69.50.212.157
    85.17.226.180


Rootkit Behavior

The rootkit component of ZeroAccess utilizes an advanced method for protecting itself and disabling any security tool trying to detect and remove it.

When a security tool tries to access the monitored file on disk or the service process in memory, the rootkit identifies the access attempt, triggering its protection system.

The protection consists of killing the process from kernel mode, making it effective against any type of security tool.

The rootkit also hooks some system APIs, an example of such hooks are shown below as depicted in the log by the publicly available GMER tool:

---- Kernel code sections - GMER 1.0.15 ----
.text  ntkrnlpa.exe!IoReuseIrp + 8B                        804EE879 7 Bytes  CALL F60880F5
.text  atapi.sys                                           F850384D 7 Bytes  CALL F60838F0
.text  mrxsmb.sys                                          F6D93000 107 Bytes  [06, 0F, 83, 2D, B5, 00, 00, ...]
.text  mrxsmb.sys                                          F6D9306C 101 Bytes  [EC, 8B, 45, 08, 8B, 40, 40, ...]
.text  mrxsmb.sys                                          F6D930D2 52 Bytes  CALL 386296E7
.text  mrxsmb.sys                                          F6D93107 31 Bytes  [90, 90, 90, 90, 90, FF, 25, ...]
.text  mrxsmb.sys                                          F6D93127 42 Bytes  [F6, 42, 08, 80, 0F, 84, C5, ...]

---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT    \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!HalGetAdapter]          840FFC4D
IAT    \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!IoWritePartitionTable]  00008258
IAT    \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!HalDisplayString]       0F01FE83
Back to Top


Source: http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=562354#
Report Spam   Logged

The most successful tyranny is not the one that uses force to assure uniformity, but the one that removes awareness of other possibilities, that makes it seem inconceivable that other ways are viable, that removes the sense that there is an outside. --Allan Bloom


Pages: [1]
  Print  
 
Jump to:  

Bookmark this site! | Upgrade This Forum
SMF For Free - Create your own Forum

Powered by SMF | SMF © 2016, Simple Machines
Privacy Policy