
Windows XP Virus

philo
Daave wrote:
> philo wrote:
>> Daave wrote:
>>> philo wrote:
>>>> Daave wrote:
>>>>> philo wrote:
>>>>>> PA Bear [MS MVP] wrote:
>>>>>>> philo wrote:
>>>>>>> <snip>
>>>>>>>> About a year ago I repaired a machine that had been compromised.
>>>>>>>>
>>>>>>>> It had been used for on-line banking and credit card
>>>>>>>> transactions and two accounts had been hacked.
>>>>>>>>
>>>>>>>> First thing I did was scan for root kits in all the places one
>>>>>>>> would expect.
>>>>>>>>
>>>>>>>> Nothing found.
>>>>>>>>
>>>>>>>> After giving the machine a thorough scan...
>>>>>>>> the root kit was found "hiding" in the restore volume!
>>>>>>> So what? That "restore volume" wasn't active & posed no threat
>>>>>>> unless you or the user selected that particular Restore Point.
>>>>>>>
>>>>>> You missed the point entirely..
>>>>>>
>>>>>> the root kit was able to "phone home"
>>>>>>
>>>>>> from within the restore volume.
>>>>>>
>>>>>> those Russian chaps are rather clever
>>>>> If the rootkit was phoning home, it was doing so from a location
>>>>> other than the restore volume. Just because you are unable to
>>>>> detect it doesn't mean it isn't there!
>>>>>
>>>>>
>>>> I'll answer the both of you here:
>>>>
>>>> Wrong
>>> Unsubstantiated.
>>>
>>> It has already been established that certain rootkits are
>>> next-to-impossible to detect.
>>>
>>> The rootkit that you say was "hiding" in the restore point obviously
>>> wasn't hidden! However, the rootkit very likely remained in the
>>> system (the restore volume doesn't count unless you use SR, using
>>> that particular restore point), hidden from you. And your situation
>>> is not the only one.
>>>
>>>

>> I used the word "hiding"
>> as I needed to scan the drive from another system to detect it.
>>
>> The rootkit was designed to operate from within the restore volume.

>
> Please provide documentation.
>
>

some good reading here

(may wrap)


http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false

glee
"philo" <philo@privacy.net> wrote in message
news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d@ntd.net...
>> snip
>>>>
>>> I used the word "hiding"
>>> as I needed to scan the drive from another system to detect it.
>>>
>>> The rootkit was designed to operate from within the restore volume.

>>
>> Please provide documentation.

> some good reading here
>
> (may wrap)
>
>
> http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false


VERY Interesting.....thanks for the link. I have not seen mention of
this before.....will send it on to folks in the field to see what kind
of feedback I get from there...should be interesting.
--
Glen Ventura, MS MVP Oct. 2002 - Sept. 2009
A+
http://dts-l.net/

philo
glee wrote:
> "philo" <philo@privacy.net> wrote in message
> news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d@ntd.net...
>>> snip
>>>>>
>>>> I used the word "hiding"
>>>> as I needed to scan the drive from another system to detect it.
>>>>
>>>> The rootkit was designed to operate from within the restore volume.
>>>
>>> Please provide documentation.

>> some good reading here
>>
>> (may wrap)
>>
>>
>> http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false
>>

>
> VERY Interesting.....thanks for the link. I have not seen mention of
> this before.....will send it on to folks in the field to see what kind
> of feedback I get from there...should be interesting.



You are welcome
those evil folks who write rootkits

I must admit ... are quite clever.

That kind of malware is far more dangerous than a virus
in that it may actually result in savings accounts and credit card
compromises.

Rootkits are a very real and a very nasty threat!!!!!

Not to be taken lightly.

I urge all people to take caution

and for the folks at MS to work very hard on the issue of root kits!!!!

MowGreen
Upon further review ... root kits that can penetrate System Restore
*** DO EXIST ***. I had downloaded this paper from Microsoft Australia
in January but neglected to read it:

http://www.microsoft.com/downloads/...6EE185C59CE&displaylang=en&displaylang=en



‘I CAN’T GO BACK TO YESTERDAY, BECAUSE I WAS A
DIFFERENT PERSON THEN'
Chun Feng
Microsoft, Level 5

" ABSTRACT
System Restore hardware and software have been widely
implemented, and are commonly used by computer users to
revert back to a pre-preserved ‘good’ state after being affected
by malware or other threats to system integrity. As these
restore facilities have become commonplace, so too has the
malware that attempts to penetrate them. This type of malware
reaches into the depths of the affected machine and targets the
file system driver.
In late 2007, a mysterious new breed of malware appeared in
China and has been evolving quickly since. This malware,
named Win32/Dogrobot, is designed deliberately to penetrate
a ‘hard disk recovery card’ – hardware widely used by Internet
cafés in China. Surprisingly, Dogrobot has caused more than
eight billion RMB (around 1.2 billion USD) in losses to
Internet cafés in China. (This cost far exceeds that caused by
the notorious Win32/Viking virus.)
This paper tracks the five generations of Dogrobot and
presents the novel rootkit technique used by Dogrobot to
penetrate System Restore on Windows systems, covering
penetration from the Windows volume management layer used
by early variants, to the Windows IDE/ATAPI Port Driver layer
used by the latest variants. This paper also closely examines
Dogrobot’s propagation methods, including the use of
zero-day exploits and ARP spoofing. "


Seeing that paper was published in 2008 I'm wondering what generation
Win32/Dogrobot is now at and what other capabilities it currently has.
Perhaps the MS Malware Protection page has some info. It does:

http://www.microsoft.com/security/p...&sortby=relevance&sortdir=desc&size=10&page=1

So the misconception was on my part. Mowa culpa.

MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked



philo wrote:
> glee wrote:
>> "philo" <philo@privacy.net> wrote in message
>> news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d@ntd.net...
>>>> snip
>>>>>>
>>>>> I used the word "hiding"
>>>>> as I needed to scan the drive from another system to detect it.
>>>>>
>>>>> The rootkit was designed to operate from within the restore volume.
>>>>
>>>> Please provide documentation.
>>> some good reading here
>>>
>>> (may wrap)
>>>
>>>
>>> http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false
>>>

>>
>> VERY Interesting.....thanks for the link. I have not seen mention of
>> this before.....will send it on to folks in the field to see what kind
>> of feedback I get from there...should be interesting.

>
>
> You are welcome
> those evil folks who write rootkits
>
> I must admit ... are quite clever.
>
> That kind of malware is far more dangerous than a virus
> in that it may actually result in savings accounts and credit card
> compromises.
>
> Rootkits are a very real and a very nasty threat!!!!!
>
> Not to be taken lightly.
>
> I urge all people to take caution
>
> and for the folks at MS to work very hard on the issue of root kits!!!!

PA Bear [MS MVP]
IIRC, the...

> ...'hard disk recovery card', hardware
> widely used by Internet cafés in China


to which the author refers has nothing to do with (Windows) System Restore
but rather the hardware equivalent of the hidden Recovery partition found
on so many Notebook PCs now (in place of the OEM supplying disks).
--
~PA Bear
Errabundi Saepe, Semper Certi


MowGreen wrote:
> Upon further review ... root kits that can penetrate System Restore
> *** DO EXIST ***. I had downloaded this paper from Microsoft Australia
> in January but neglected to read it:
>
> http://www.microsoft.com/downloads/...6EE185C59CE&displaylang=en&displaylang=en
>
>
>
> ‘I CAN’T GO BACK TO YESTERDAY, BECAUSE I WAS A
> DIFFERENT PERSON THEN'
> Chun Feng
> Microsoft, Level 5
>
> " ABSTRACT
> System Restore hardware and software have been widely
> implemented, and are commonly used by computer users to
> revert back to a pre-preserved ‘good’ state after being affected
> by malware or other threats to system integrity. As these
> restore facilities have become commonplace, so too has the
> malware that attempts to penetrate them. This type of malware
> reaches into the depths of the affected machine and targets the
> file system driver.
> In late 2007, a mysterious new breed of malware appeared in
> China and has been evolving quickly since. This malware,
> named Win32/Dogrobot, is designed deliberately to penetrate
> a ‘hard disk recovery card’ – hardware widely used by Internet
> cafés in China. Surprisingly, Dogrobot has caused more than
> eight billion RMB (around 1.2 billion USD) in losses to
> Internet cafés in China. (This cost far exceeds that caused by
> the notorious Win32/Viking virus.)
> This paper tracks the five generations of Dogrobot and
> presents the novel rootkit technique used by Dogrobot to
> penetrate System Restore on Windows systems, covering
> penetration from the Windows volume management layer used
> by early variants, to the Windows IDE/ATAPI Port Driver layer
> used by the latest variants. This paper also closely examines
> Dogrobot’s propagation methods, including the use of
> zero-day exploits and ARP spoofing. "
>
>
> Seeing that paper was published in 2008 I'm wondering what generation
> Win32/Dogrobot is now at and what other capabilities it currently has.
> Perhaps the MS Malware Protection page has some info. It does:
>
> http://www.microsoft.com/security/p...&sortby=relevance&sortdir=desc&size=10&page=1
>
> So the misconception was on my part. Mowa culpa.
>
> MowGreen
> ================
> *-343-* FDNY
> Never Forgotten
> ================
>
> banthecheck.com
> "Security updates should *never* have *non-security content* prechecked
>
>
>
> philo wrote:
>> glee wrote:
>>> "philo" <philo@privacy.net> wrote in message
>>> news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d@ntd.net...
>>>>> snip
>>>>>>>
>>>>>> I used the word "hiding"
>>>>>> as I needed to scan the drive from another system to detect it.
>>>>>>
>>>>>> The rootkit was designed to operate from within the restore volume.
>>>>>
>>>>> Please provide documentation.
>>>> some good reading here
>>>>
>>>> (may wrap)
>>>>
>>>>
>>>> http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false
>>>>
>>>
>>> VERY Interesting.....thanks for the link. I have not seen mention of
>>> this before.....will send it on to folks in the field to see what kind
>>> of feedback I get from there...should be interesting.

>>
>>
>> You are welcome
>> those evil folks who write rootkits
>>
>> I must admit ... are quite clever.
>>
>> That kind of malware is far more dangerous than a virus
>> in that it may actually result in savings accounts and credit card
>> compromises.
>>
>> Rootkits are a very real and a very nasty threat!!!!!
>>
>> Not to be taken lightly.
>>
>> I urge all people to take caution
>>
>> and for the folks at MS to work very hard on the issue of root kits!!!!

philo
MowGreen wrote:
> MowGreen wrote:
>> Seeing that paper was published in 2008

>
> Correction. The presentation was done in Geneva at VB2009, on the 23rd
> of September, 2009:
> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>
>
>
> MowGreen
> ================
> *-343-* FDNY
> Never Forgotten
> ================
>
> banthecheck.com
> "Security updates should *never* have *non-security content* prechecked



Thanks for posting back

my main point was to alert people who think their systems are secured

to think again!

Daave
philo wrote:
> MowGreen wrote:
>> MowGreen wrote:
>>> Seeing that paper was published in 2008

>>
>> Correction. The presentation was done in Geneva at VB2009, on the
>> 23rd of September, 2009:
>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>
>>
>>
>> MowGreen
>> ================
>> *-343-* FDNY
>> Never Forgotten
>> ================
>>
>> banthecheck.com
>> "Security updates should *never* have *non-security content*
>> prechecked

>
>
> Thanks for posting back
>
> my main point was to alert people who think their systems are secured
>
> to think again!


We are all on the same page as far as that is concerned, philo. The
point I was making was that even if you are able to delete rootkit files
in the restore volume, you aren't necessarily rootkit-free. If the
rootkit was indeed phoning home, it is highly unlikely it was doing so
from that location (then again, I appreciate your link; I will read that
in depth). Chances are it was phoning home from another location you
were unable to detect.

MowGreen
Read the article again, BroBear. And, 'bear' in mind that the author
has NOT analyzed any newer generations than what existed in *August 2008*.
A check of the MS Malware Protection's encyclopedia shows plenty more
variants of Dogrobot that have appeared since then:

http://www.microsoft.com/security/p...rue&CBF=True&sortby=date&sortdir=desc&size=10

" Fifth generation
The fifth generation of Dogrobot was noticed in the wild in
August 2008. In this generation, Dogrobot uses a new
technique, PASS_THROUGH, in order to penetrate through
System Restore. Windows OS provides three I/O control
codes: IOCTL_SCSI_PASS_THROUGH (0x4D004),
IOCTL_ATA_PASS_THROUGH (0x4D02C) and IOCTL_
IDE_PASS_THROUGH (0x4D028), and user-mode
applications can send IRP with these I/O control codes via
DeviceIoControl( ) to the disk.sys driver. These IRPs will be
forwarded directly down to the lower driver (e.g. atapi.sys) in
order to perform disk read/write or other disk operations [10].
Some System Restore solutions don’t intercept the read/write
access via PASS_THROUGH and this is exploited by the fifth
generation to compromise System Restore. The disassembly
of the code used by Dogrobot to write to disk via IOCTL_
ATA_PASS_THROUGH is depicted in Figure 11. "

Does atapi.sys ring a bell? Remember the TDSS rootkit?


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked




PA Bear [MS MVP] wrote:
> IIRC, the...
>
>> ...'hard disk recovery card', hardware
>> widely used by Internet cafés in China

>
> to which the author refers has nothing to do with (Windows) System
> Restore but
> rather the hardware equivalent of the hidden Recovery partition found on so
> many Notebook PCs now (in place of the OEM supplying disks).
> --
> ~PA Bear
> Errabundi Saepe, Semper Certi
>
>
> MowGreen wrote:
>> Upon further review ... root kits that can penetrate System Restore
>> *** DO EXIST ***. I had downloaded this paper from Microsoft Australia
>> in January but neglected to read it:
>>
>> http://www.microsoft.com/downloads/...6EE185C59CE&displaylang=en&displaylang=en
>>
>>
>>
>>
>> ‘I CAN’T GO BACK TO YESTERDAY, BECAUSE I WAS A
>> DIFFERENT PERSON THEN'
>> Chun Feng
>> Microsoft, Level 5
>>
>> " ABSTRACT
>> System Restore hardware and software have been widely
>> implemented, and are commonly used by computer users to
>> revert back to a pre-preserved ‘good’ state after being affected
>> by malware or other threats to system integrity. As these
>> restore facilities have become commonplace, so too has the
>> malware that attempts to penetrate them. This type of malware
>> reaches into the depths of the affected machine and targets the
>> file system driver.
>> In late 2007, a mysterious new breed of malware appeared in
>> China and has been evolving quickly since. This malware,
>> named Win32/Dogrobot, is designed deliberately to penetrate
>> a ‘hard disk recovery card’ – hardware widely used by Internet
>> cafés in China. Surprisingly, Dogrobot has caused more than
>> eight billion RMB (around 1.2 billion USD) in losses to
>> Internet cafés in China. (This cost far exceeds that caused by
>> the notorious Win32/Viking virus.)
>> This paper tracks the five generations of Dogrobot and
>> presents the novel rootkit technique used by Dogrobot to
>> penetrate System Restore on Windows systems, covering
>> penetration from the Windows volume management layer used
>> by early variants, to the Windows IDE/ATAPI Port Driver layer
>> used by the latest variants. This paper also closely examines
>> Dogrobot’s propagation methods, including the use of
>> zero-day exploits and ARP spoofing. "
>>
>>
>> Seeing that paper was published in 2008 I'm wondering what generation
>> Win32/Dogrobot is now at and what other capabilities it currently has.
>> Perhaps the MS Malware Protection page has some info. It does:
>>
>> http://www.microsoft.com/security/p...&sortby=relevance&sortdir=desc&size=10&page=1
>>
>>
>> So the misconception was on my part. Mowa culpa.
>>
>> MowGreen
>> ================
>> *-343-* FDNY
>> Never Forgotten
>> ================
>>
>> banthecheck.com
>> "Security updates should *never* have *non-security content* prechecked
>>
>>
>>
>> philo wrote:
>>> glee wrote:
>>>> "philo" <philo@privacy.net> wrote in message
>>>> news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d@ntd.net...
>>>>>> snip
>>>>>>>>
>>>>>>> I used the word "hiding"
>>>>>>> as I needed to scan the drive from another system to detect it.
>>>>>>>
>>>>>>> The rootkit was designed to operate from within the restore volume.
>>>>>>
>>>>>> Please provide documentation.
>>>>> some good reading here
>>>>>
>>>>> (may wrap)
>>>>>
>>>>>
>>>>> http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false
>>>>>
>>>>>
>>>>
>>>> VERY Interesting.....thanks for the link. I have not seen mention of
>>>> this before.....will send it on to folks in the field to see what kind
>>>> of feedback I get from there...should be interesting.
>>>
>>>
>>> You are welcome
>>> those evil folks who write rootkits
>>>
>>> I must admit ... are quite clever.
>>>
>>> That kind of malware is far more dangerous than a virus
>>> in that it may actually result in savings accounts and credit card
>>> compromises.
>>>
>>> Rootkits are a very real and a very nasty threat!!!!!
>>>
>>> Not to be taken lightly.
>>>
>>> I urge all people to take caution
>>>
>>> and for the folks at MS to work very hard on the issue of root kits!!!!

>
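The three PASS_THROUGH control codes the quoted paper lists follow the CTL_CODE bit layout Windows uses for every IOCTL; the decoder below (an added example, not from the paper or from anyone in this thread) splits such a code into its fields and flags the pass-through family, which is useful when one of these raw values shows up in an API-monitor or ETW trace. The CTL_CODE macro and FILE_DEVICE_* / FILE_*_ACCESS constants are re-declared from winioctl.h so the file builds without the Windows SDK; decode_ioctl, is_disk_pass_through and requires_read_write are my own helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit layout of a Windows I/O control code, as produced by the CTL_CODE
 * macro in winioctl.h (re-declared here so this builds without the SDK):
 *   bits 31..16  DeviceType      bits 15..14  RequiredAccess
 *   bits 13..2   Function        bits  1..0   Method                      */
#ifndef CTL_CODE
#define CTL_CODE(DeviceType, Function, Method, Access)                     \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) |         \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))
#endif
#define FILE_DEVICE_CONTROLLER 0x0004u  /* winioctl.h; also IOCTL_SCSI_BASE */
#define FILE_DEVICE_DISK       0x0007u  /* winioctl.h; also IOCTL_DISK_BASE */
#define METHOD_BUFFERED        0u
#define FILE_READ_ACCESS       0x0001u
#define FILE_WRITE_ACCESS      0x0002u

/* The three codes named in the quoted paper, with the values given there. */
#define IOCTL_SCSI_PASS_THROUGH 0x4D004u
#define IOCTL_ATA_PASS_THROUGH  0x4D02Cu
#define IOCTL_IDE_PASS_THROUGH  0x4D028u

typedef struct {
    uint32_t device_type;   /* FILE_DEVICE_* the request is addressed to  */
    uint32_t access;        /* FILE_READ_ACCESS | FILE_WRITE_ACCESS bits   */
    uint32_t function;      /* per-device-type function number             */
    uint32_t method;        /* buffer transfer method                      */
} ioctl_fields;

/* Split a raw control code (e.g. the third DeviceIoControl argument seen
 * in a trace) into its four fields. */
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* 1 if the code is one of the three disk pass-through requests the paper
 * says disk.sys forwards straight down to the port driver, else 0. */
int is_disk_pass_through(uint32_t code) {
    return code == IOCTL_SCSI_PASS_THROUGH ||
           code == IOCTL_ATA_PASS_THROUGH  ||
           code == IOCTL_IDE_PASS_THROUGH;
}

/* 1 if the access field demands a handle opened for both read and write,
 * i.e. the caller must have opened the disk device with both rights. */
int requires_read_write(uint32_t code) {
    return decode_ioctl(code).access == (FILE_READ_ACCESS | FILE_WRITE_ACCESS);
}

int main(void) {
    /* The three pass-through codes plus IOCTL_DISK_GET_DRIVE_GEOMETRY
     * (an ordinary FILE_DEVICE_DISK request) for contrast. */
    const uint32_t codes[] = {
        IOCTL_SCSI_PASS_THROUGH, IOCTL_ATA_PASS_THROUGH, IOCTL_IDE_PASS_THROUGH,
        CTL_CODE(FILE_DEVICE_DISK, 0x0000, METHOD_BUFFERED, 0)
    };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%05X: device=0x%X function=0x%03X method=%u access=%u "
               "pass-through=%d\n", codes[i], f.device_type, f.function,
               f.method, f.access, is_disk_pass_through(codes[i]));
    }
    return 0;
}
```

Decoding shows all three pass-through codes are addressed to FILE_DEVICE_CONTROLLER (0x4) rather than FILE_DEVICE_DISK (0x7) and carry the read+write access requirement, so a process issuing them had to hold a read/write handle on the raw disk device.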

philo
Daave wrote:
> philo wrote:
>> MowGreen wrote:
>>> MowGreen wrote:
>>>> Seeing that paper was published in 2008
>>> Correction. The presentation was done in Geneva at VB2009, on the
>>> 23rd of September, 2009:
>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>>
>>>
>>>
>>> MowGreen
>>> ================
>>> *-343-* FDNY
>>> Never Forgotten
>>> ================
>>>
>>> banthecheck.com
>>> "Security updates should *never* have *non-security content*
>>> prechecked

>>
>> Thanks for posting back
>>
>> my main point was to alert people who think their systems are secured
>>
>> to think again!

>
> We are all on the same page as far as that is concerned, philo. The
> point I was making was that even if you are able to delete rootkit files
> in the restore volume, you aren't necessarily rootkit-free. If the
> rootkit was indeed phoning home, it is highly unlikely it was doing so
> from that location (then again, I appreciate your link; I will read that
> in depth). Chances are it was phoning home from another location you
> were unable to detect.
>
>



I ran numerous scans using four different root kit detection programs.

It appears to be clean and the user has since made on-line financial
transactions without getting hacked...

but with root kits...I don't know if one can ever be 100% sure

nasty stuff!

glee
"philo" <philo@privacy.net> wrote in message
news:6YednTAIgKspFAPWnZ2dnUVZ_hWdnZ2d@ntd.net...
> Daave wrote:
>> philo wrote:
>>> MowGreen wrote:
>>>> MowGreen wrote:
>>>>> Seeing that paper was published in 2008
>>>> Correction. The presentation was done in Geneva at VB2009, on the
>>>> 23rd of September, 2009:
>>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>>>
>>>>
>>>>
>>>>
>>>
>>> Thanks for posting back
>>>
>>> my main point was to alert people who think their systems are
>>> secured
>>>
>>> to think again!

>>
>> We are all on the same page as far as that is concerned, philo. The
>> point I was making was that even if you are able to delete rootkit
>> files in the restore volume, you aren't necessarily rootkit-free. If
>> the rootkit was indeed phoning home, it is highly unlikely it was
>> doing so from that location (then again, I appreciate your link; I
>> will read that in depth). Chances are it was phoning home from
>> another location you were unable to detect.

>
>
> I ran numerous scans using four different root kit detection programs.
>
> It appears to be clean and the user has since made on-line financial
> transactions without getting hacked...
>
> but with root kits...I don't know if one can ever be 100% sure
>
> nasty stuff!


Did you run those rootkit programs while the drive was slaved to another
computer, rather than being booted from the drive being scanned? I ask
for obvious reasons.

The safest method is to scan from outside the OS with a rootkit scanner
AND an anti-virus app AND a spyware detection app like MBAM. I think we
all agree on that as a *preferred* protocol.

What is being described in the articles both you and Mow posted is not
conclusive that the malware is actually being run (and therefore
"active") from within the SVI folders. It appears that the folder
created by the infection inside the SVI folder was used to store
components used for the initial installation of the infection, but the
infection itself is actually executing as a service out of the System32
folder tree and loading from the Service Registry Key.....note please
the quote from the article you cited: "....running as a service allows
the rootkit to survive a reboot".

Even if this is the case, that it isn't active in the SVI, the fact that
the folder was easily hacked for storage makes it possible that sooner
or later, a rootkit will come along that will succeed in actually
running from there. It just gets nastier all the time....and we can't
afford to be smug and say it can "never" happen. Never say
never...especially about malware. ;-)
--
Glen Ventura, MS MVP Oct. 2002 - Sept. 2009
A+
http://dts-l.net/

philo
glee wrote:
> "philo" <philo@privacy.net> wrote in message
> news:6YednTAIgKspFAPWnZ2dnUVZ_hWdnZ2d@ntd.net...
>> Daave wrote:
>>> philo wrote:
>>>> MowGreen wrote:
>>>>> MowGreen wrote:
>>>>>> Seeing that paper was published in 2008
>>>>> Correction. The presentation was done in Geneva at VB2009, on the
>>>>> 23rd of September, 2009:
>>>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> Thanks for posting back
>>>>
>>>> my main point was to alert people who think their systems are secured
>>>>
>>>> to think again!
>>>
>>> We are all on the same page as far as that is concerned, philo. The
>>> point I was making was that even if you are able to delete rootkit
>>> files in the restore volume, you aren't necessarily rootkit-free. If
>>> the rootkit was indeed phoning home, it is highly unlikely it was
>>> doing so from that location (then again, I appreciate your link; I
>>> will read that in depth). Chances are it was phoning home from
>>> another location you were unable to detect.

>>
>>
>> I ran numerous scans using four different root kit detection programs.
>>
>> It appears to be clean and the user has since made on-line financial
>> transactions without getting hacked...
>>
>> but with root kits...I don't know if one can ever be 100% sure
>>
>> nasty stuff!

>
> Did you run those rootkit programs while the drive was slaved to another
> computer, rather than being booted from the drive being scanned? I ask
> for obvious reasons.
>
> The safest method is to scan from outside the OS with a rootkit scanner
> AND an anti-virus app AND a spyware detection app like MBAM. I think we
> all agree on that as a *preferred* protocol.
>
> What is being described in the articles both you and Mow posted is not
> conclusive that the malware is actually being run (and therefore
> "active") from within the SVI folders. It appears that the folder
> created by the infection inside the SVI folder was used to store
> components used for the initial installation of the infection, but the
> infection itself is actually executing as a service out of the System32
> folder tree and loading from the Service Registry Key.....note please
> the quote from the article you cited: "....running as a service allows
> the rootkit to survive a reboot".
>
> Even if this is the case, that it isn't active in the SVI, the fact that
> the folder was easily hacked for storage makes it possible that sooner
> or later, a rootkit will come along that will succeed in actually
> running from there. It just gets nastier all the time....and we can't
> afford to be smug and say it can "never" happen. Never say
> never...especially about malware. ;-)



Fortunately my machines have removable drive kits
so it was easy for me to pop the infected drive in another machine
to scan it...



Once I was sure the machine was clean...I did check to see what services
were running and made sure I could identify all non-Microsoft services.

Of course one thing I did not do was see if the rootkit may have been
spawning some service...which of course would mean that it was not
running from within the restore volume. Of course that does not make it
less dangerous...and we all need to use caution and not assume our
machines are impervious to malware

MowGreen
glee wrote:
> "philo" <philo@privacy.net> wrote in message
> news:6YednTAIgKspFAPWnZ2dnUVZ_hWdnZ2d@ntd.net...
>> Daave wrote:
>>> philo wrote:
>>>> MowGreen wrote:
>>>>> MowGreen wrote:
>>>>>> Seeing that paper was published in 2008
>>>>> Correction. The presentation was done in Geneva at VB2009, on the
>>>>> 23rd of September, 2009:
>>>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> Thanks for posting back
>>>>
>>>> my main point was to alert people who think their systems are secured
>>>>
>>>> to think again!
>>>
>>> We are all on the same page as far as that is concerned, philo. The
>>> point I was making was that even if you are able to delete rootkit
>>> files in the restore volume, you aren't necessarily rootkit-free. If
>>> the rootkit was indeed phoning home, it is highly unlikely it was
>>> doing so from that location (then again, I appreciate your link; I
>>> will read that in depth). Chances are it was phoning home from
>>> another location you were unable to detect.

>>
>>
>> I ran numerous scans using four different root kit detection programs.
>>
>> It appears to be clean and the user has since made on-line financial
>> transactions without getting hacked...
>>
>> but with root kits...I don't know if one can ever be 100% sure
>>
>> nasty stuff!

>
> Did you run those rootkit programs while the drive was slaved to another
> computer, rather than being booted from the drive being scanned? I ask
> for obvious reasons.
>
> The safest method is to scan from outside the OS with a rootkit scanner
> AND an anti-virus app AND a spyware detection app like MBAM. I think we
> all agree on that as a *preferred* protocol.
>
> What is being described in the articles both you and Mow posted is not
> conclusive that the malware is actually being run (and therefore
> "active") from within the SVI folders. It appears that the folder
> created by the infection inside the SVI folder was used to store
> components used for the initial installation of the infection, but the
> infection itself is actually executing as a service out of the System32
> folder tree and loading from the Service Registry Key.....note please
> the quote from the article you cited: "....running as a service allows
> the rootkit to survive a reboot".
>
> Even if this is the case, that it isn't active in the SVI, the fact that
> the folder was easily hacked for storage makes it possible that sooner
> or later, a rootkit will come along that will succeed in actually
> running from there. It just gets nastier all the time....and we can't
> afford to be smug and say it can "never" happen. Never say
> never...especially about malware. ;-)


Mal-coders stash executables in TIF but they are not executed until
something outside of TIF calls them to run. So, technically speaking,
malware executables are not active in TIF.
It's the same with executables in SVI but ... the prevailing notion was
that one needed to utilize an infected restore point to pWn the system.

Another anti-malware warrior explained how this Vista System Restore
Rootkit functions: http://www.rootkit.com/newsread.php?newsid=900

" This is not a rootkit that runs from SVI either. The rootkit
initiates a system restore, and it then intercepts and diverts SR
execution so malicious files and registry keys are restored. Once the PC
is shutdown and restarted the infected file(s) and autostart(s) that
were introduced by the subverted SR, will take effect. The advantage of
using such a rootkit is that it enables malware to silently install
without activating any HIPS or security program alerts. "



MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked