Forums » Up and Running » Security » Security » One in Five PC's Infected With Rootkits
Elite

join:2002-10-03
Orange, CT
reply to daveinpoway
Re: One in Five PC's Infected With Rootkits

Yeah, their site went down.

»zj.newhua.com/down/RkU3.7.300.509.zip
--
QUAD!!!!

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Hilo, HI
·RoadRunner Cable


1 edit
reply to daveinpoway
Thanks a million. The download is crawling very slow. I'll let you know how it goes

Edit - I found a fast download site with lots of mirrors.
»www.onlinedown.com/detail/12679.htm

With this MD5

ac348df64baf41dd219234b746242bf5

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Hilo, HI
·RoadRunner Cable

reply to daveinpoway
OK, SSDT finds 8 hooked instances of "Big Worm". File scan finds 12 files. There are no VMs found. I found no option to delete the infected files. If I un-hook what SSDT detected, then the file scanner finds no files. Sorry for posting these long reports. I'll start reading the manual to see what else I can find out.

SSDT ;

RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
NtCreateFile
Actual Address 0xBAD48B8E
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtCreateKey
Actual Address 0xBAD48D48
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtEnumerateKey
Actual Address 0xBAD48C3A
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtEnumerateValueKey
Actual Address 0xBAD48CC4
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtOpenFile
Actual Address 0xBAD48BEC
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtOpenKey
Actual Address 0xBAD48D9A
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtQueryDirectoryFile
Actual Address 0xBAD48A82
Hooked by: C:\WINDOWS\system32\mssync20.sys

NtQuerySystemInformation
Actual Address 0xBAD48DDE
Hooked by: C:\WINDOWS\system32\mssync20.sys

Files ;

Suspect File: C:\Documents and Settings\Cindy\Local Settings\Temp\mssync20.tlb Status: Hidden

Suspect File: C:\mssync20.ex_ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.dl$ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.dll Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.dl_ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.exe Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.sy$ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.sys Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.sy_ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.tl$ Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.tlb Status: Hidden

Suspect File: C:\WINDOWS\system32\mssync20.tl_ Status: Hidden

Code Hooks ;

ntkrnlpa.exe+0x00069C2A, Type: Inline - RelativeJump at address 0x80540C2A hook handler located in [ntkrnlpa.exe]

Processes ;
(I'm only posting the hidden one)

!!!!!!!!!!!Hidden process: C:\WINDOWS\system32\mssync20.exe
Process Id: 2008
EPROCESS Address: 0x849CB4F0


Elite

join:2002-10-03
Orange, CT
·Optimum Online

reply to daveinpoway
This is going to be really easy...

Go to the "Processes" tab in RkU.

Find "mssync20.exe".

Right click, "Kill Process".

Click the scan button in the "Processes" tab again. If the process came back, use "Force Kill" instead.

Go to the "Files" tab. Scan, it'll find 12 hidden files.

For each of the 12 files, right click and "Wipe File".

Reboot, re-open RkU and post another log.
--
QUAD!!!!


Elite

join:2002-10-03
Orange, CT
reply to daveinpoway
P.S. This rootkit has a keylogger payload.

Change all your passwords after we yank it.
--
QUAD!!!!

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Hilo, HI
·RoadRunner Cable


2 edits
reply to daveinpoway
We kicked the sumbitche's ass. It was so brutal! I'm all excited now. There are no more hooked processes or hidden files. The registry was loaded with about 80 entries. In addition to mssync20.* files, there were also mssync2020* files.
»www.sophos.com/security/analyses···clz.html

I still cannot start in safe mode even after running SFC. Maybe there is some other stuff still in here. I'll give the Sophos security program a run and see if it can find the rest of what Exaspery was so oblivious to. You saved me and the customer a huge amount of work! Thank you! You have a very appropriate screen name, Mr. Elite!

Edit - I forgot to mention that it found and deleted only 8 files, not the 12 that had been found on earlier scans. My initial scan with AVG only found 5 files. After I tried to delete them, the beast generated the additional 7.


Bubba17
Less is More
Premium
join:2006-09-21

reply to fatdcuk
Well, based on the test results you've shared (again, thanks), I obtained GMER 1.0.13 (wasn't able to obtain your beta version) and it's not finding anything.

Notice ... I didn't announce I was clean.


fatdcuk
Premium
join:2005-02-20
England


2 edits
Here is the GMER 1.0.14 Beta link>>>
»www2.gmer.net/beta/

I've been using the Beta version for around 4 weeks now and can safely say it is more stable for my setup and has gained some more functionality over the previous version :)


Elite

join:2002-10-03
Orange, CT
·Optimum Online

reply to SipSizzurp
Probably a bunch of stupid mutexes to prevent deletion.

Can't name any malware that can hold its own against RkU though...

As long as there are no more hidden processes, hidden files, or SSDT hooks, the machine should be clean minus all the files it dumped on disk and all the crap it put in the registry.
--
QUAD!!!!


fatdcuk
Premium
join:2005-02-20
England


1 edit
reply to daveinpoway
Here is the next pair of ARKs tested versus the test malware rootkits.

McAfee Rootkit Detective 1.1

Testset 1 = 3/5*
*Both Rustock B and Runtime2 were flagged by their hidden registry values. Runtime 2 SSDT hooks also seen.

Blind to Srizbi and Nulprot.

Testset 2 = 3/4*
*Rustock A only caught by hidden registry data.

Blind to Allinone.

F-Secure Blacklight Rootkit Eliminator

Testset 1 = 3/5

Blind to Rustock B and Nulprot.

Testset 2 = 3/4

Blind to Rustock A.



youveshutmedown

@sbcglobal.net
Thanks for the continued tests. It pretty much reinforces what I was already assuming to be the case, just nice to have some third party confirmation.

SipSizzurp
Fo' Shizzle
Premium
join:2005-12-28
Hilo, HI
·RoadRunner Cable

reply to Elite
said by Elite:

Probably a bunch of stupid mutexes to prevent deletion.
That's what I had figured, since the file count was transient. I delivered it back into operation. The secretary was very delighted with the repair, and I am very delighted with my nice new shiny nuclear bomb! Thanks again!


foxsteve
Premium
join:2001-12-28
Campbell, CA

reply to Elite
How to clean system if
- services are hooked by "Unknown module filename" and
- ntoskrnl.exe is hooked "Inline - Relative Jump"?


Elite

join:2002-10-03
Orange, CT
reply to daveinpoway
Code hook is just Windows kernel splicing. No need to be alarmed.

As for SSDT, this could very well be Symantec hooking your SSDT.

Any hidden process, drivers, or files?
--
QUAD!!!!


foxsteve
Premium
join:2001-12-28
Campbell, CA
According to Report, RkU did not find hidden processes, drivers or files.


fatdcuk
Premium
join:2005-02-20
England

1 edit
N/M


Elite

join:2002-10-03
Orange, CT
reply to foxsteve
Your machine is clean then.
--
QUAD!!!!


foxsteve
Premium
join:2001-12-28
Campbell, CA
Ok, thank you very much!
What do you know about new development with RkU?


fatdcuk
Premium
join:2005-02-20
England


2 edits
said by foxsteve:

Ok, thank you very much!
What do you know about new development with RkU?
As far as I am aware, RKU is no longer under public development. As an ARK forensic tool it is becoming less effective than it once was. This has been highlighted by some of the recent ITW RK malware. IIRC the latest DNS changer trojan RK is not detected by RKU, nor is Nulprot, so that is 2 for definite that the tool is confirmed as blind to, but there will almost certainly be more out there ITW.

FWIW, if ARK tools are not in a constant state of development like the rootkit malwares they are targeting, then they are losing ground on effectiveness. The battle is ongoing between mal writers and the defenders; alas, the defenders will always be playing catch-up.

IMHO GMER has now superseded RKU as a forensic tool as the best available same-drive tool. It has incorporated the best of IceSword and RKU functionality with a few added extras thrown in. The problem then arises with *ease of use/data returned*, which is where GMER will fall down for most folks.

That said, does new GMER see them all... well, there is a very high probability not; the battle still goes on!


AB
Premium
join:2006-04-04
Leesburg, VA

reply to Bubba17
said by Bubba17:

Notice ... I didn't announce I was clean.
Yes, I notice that.
Well, allow me to announce-- my machine is clean!
Yeah, baby! Yee-haaa!

I think I owe a debt of gratitude to SipSizzurp's and the others' clients though, that shouldered the burden and helped to keep me in that other 75 or 80% percentile.
Whew! Close one!

Thanks, gents!
Thursday, 26-Nov 07:42:42 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL, Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com