(no subject)

Feb 17, 2009 01:13

Re: Spyware/Rootkit
To: Other coders and hackers

This morning, I pulled up the computer to see a BSOD with the simple message "Unknown Hard Error", some random STOP code (and nothing else).

Figuring, eh, they happen, if rarely, I just rebooted.

Logged in, only to see a spyware program - cleverly running as an anti-spyware program - popping up, as well as XP "Data Execution Prevention" windows left and right, alongside process termination windows, relating predominantly or solely to "svchost.exe" and "services.exe", though one used the name of "DHCP Helper" or the like.

It's been a long battle.

How the software wound up on the computer, I don't know. I don't run IE, I keep the system up to date, I don't download and run random things, etc. Who knows - maybe I just missed a critical OS update (one of hundreds per day, eh) and picked a bad time to miss it.

I'd been playing hide and seek with the malware, between safe modes and restore shells, etc., deleting its traces. It seems it generally likes to overwrite "svchost.exe" and "services.exe", though I also wound up with an "ati7mixx.sys" file (couldn't find anything on it, but it always kept loading in the boot log, and I could never manually delete it from within the shell). Oddly, it also seems to drop 32-33 Kbyte .exe files in random "Documents and Settings" or "Program Files" directories, always in pairs, with esoteric names such as "UT 2003 Password Cracker.exe" and similar.

(Concrete examples: in "C:\Program Files\Warcraft III\Maps\" the pair of "Microsoft Visual Basic KeyGen.exe" and "Microsoft Visual C++ Keygen.exe". The file pairs don't always match like this, but are named generally as "KeyGen" or "[Password] Cracker" of some sort. Both are precisely 33,280 bytes in size.

Another example pair I just found: in "C:\Program Files\World of Warcraft\Interface\Addons\" the files "UT 2003 KeyGen.exe" and "DivX 5.0 Pro KeyGen.exe" - precisely 33,280 bytes in size.

Files that also share this precise size are "rundll.exe", "aspnet_wp.exe", *"C:\Windows\system32\drivers\services.exe"*, as well as "C:\Documents and Settings\%Username%\Start Menu\Programs\Startup\userinit.exe". I'm not sure if this indicates something.

Er. The services.exe file is that size. Its size in "C:\i386", however, is 103,032! I should note that "C:\Windows\services.exe" is also 103,032 bytes in size, as is "C:\Windows\system32\services.exe" - not sure why there are two copies, might be me.)

So far, it hasn't touched \i386, so I've restored "svchost.exe" and "services.exe", once or twice. Since I managed to delete "ati7mixx.sys", they haven't been overwritten in "windows\system32" and friends.

First pass, I deleted a ton of randomly named .exe and .dll files (i.e. "klhkjwethcertxx.exe", usually 8-20 characters before the extension), most in root.

They haven't been recreated. About then, I also cleared the registry of quite a few "\Run" and "\RunOnce" entries, almost predominantly randomly named exes.

Most of these have been clear since my first pass or two. Oddly, "\Run" has had, and currently (haven't cleaned it again yet) has, two entries that reoccur with each boot (normal or safe mode):

[system] = c:\windows\system32\drivers\services.exe
winlogon = C:\Documents and Settings\%Username%\svchost.exe

Each cleaning, these exact lines have shown back up, no matter how often I delete them.

Presently, svchost.exe hasn't shown back up in D&S since I did one purge, while w\s\d\services.exe has been there, but it's my i386 copy (i.e. unmodified).

I had last loaded up Normal Mode, post a recovery mode virus scan (and file purge). I still had issues - things would run slowly, or not at all, I got a couple Data Execution Preventions - but there's little else that's manually visible to me.

Currently, Ad-Aware is scanning. I have another app which will run next. A third can't run in Safe Mode. Another piece, meant to indicate the presence of a rootkit, won't run in Safe Mode, and while I did get it to run in Normal Mode this last time, it hung upon execution (as did various other pieces of software, anti-virus included).

I'm of the mind that most - not all, but most - of the malware, initial install and minion spawnings, are clear. However, because the \Run key keeps being rewritten, because random 32-33 Kbyte exe files with random names *may* still be popping up between reboots, because both Task Manager and the one root kit detection program were unable to terminate processes, and because the root kit detection indicated many discrepancies, far too many to be chance or simple errors, I'm of the mind that I've got a root kit. This would also explain how it managed to overwrite system files (though a root kit isn't strictly necessary to do so).

So, fellow coders and hackers of Facebook - this is my first root kit (and ideally my last). Any helpful experience, pointers, etc.? I've tried to include all the pertinent information possible (none too easy, as this system I'm on is literally typing out my words several seconds at a time, meaning a sentence takes a minute or so to fully appear before me!), but I can provide further details if there are any queries.

Update - While Ad-Aware first came up with a few infected files (what they were/did, dunno), it didn't find anything on subsequent runs (and I was thorough!). However, I just ran Malwarebytes' Anti-Malware, quick scan, and it came upon about 28 things, registry keys and files, that were noted as Rootkit, Trojan, or Backdoor files. All but one were successfully deleted, and the one will be removed on reboot (actually, I'll be removing it prior to OS restart, so, same thing). Currently (0236 Tuesday 17 February 2009) I've just started a full thorough scan with this one. I don't expect it'll find anything else, but there's always a chance - may as well be thorough.
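Added example, not the author's own tooling and not from any of the products named above: a small Python triage script built from the three indicators the post reports - Run values that launch svchost.exe or services.exe from somewhere other than system32, .exe files of exactly 33,280 bytes dropped under Program Files / Documents and Settings, and a live services.exe whose size and hash no longer match the copy in C:\i386. The registry values, file listing and file contents in it are constructed from the post's own paths and sizes so it runs offline; SYSTEM_BINARIES, SUSPECT_SIZE and the helper names are this example's choices. On a real box you would feed flag_dropped_exes from walk_sizes and read the Run values with the winreg module.

```python
"""Triage helpers for the indicators described in the post (added example).
Sample registry values and file listing below are constructed from the post."""
import hashlib
import ntpath   # Windows path rules even when run from a Linux rescue host
import os
from collections import defaultdict

SYSTEM32 = r"c:\windows\system32"
# Binary names the post saw impersonated or overwritten (example's own list).
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "userinit.exe", "rundll32.exe"}
SUSPECT_SIZE = 33_280   # every dropped .exe in the post was exactly this size


def _lower(path: str) -> str:
    """Lower-case, backslash-normalise and strip surrounding quotes."""
    return ntpath.normcase(path.strip().strip('"'))


def flag_run_entries(entries: dict) -> list:
    """entries maps a Run/RunOnce value name to its command string.
    Returns (value_name, command, reason) for every command that launches a
    known system binary name from a directory other than system32."""
    findings = []
    for name, command in entries.items():
        path = _lower(command)
        cut = path.find(".exe")          # drop any arguments after the image
        if cut != -1:
            path = path[:cut + 4]
        if ntpath.basename(path) in SYSTEM_BINARIES and ntpath.dirname(path) != SYSTEM32:
            findings.append((name, command, "system binary name outside system32"))
    return findings


def flag_dropped_exes(files, size: int = SUSPECT_SIZE) -> dict:
    """files is an iterable of (path, size_in_bytes).  Returns
    {directory: [file names]} for every .exe of exactly `size` bytes.  The post
    saw the droppers land in pairs, so a directory with two hits is the
    strongest signal, but a lone hit such as drivers\\services.exe still matters."""
    hits = defaultdict(list)
    for path, nbytes in files:
        low = _lower(path)
        if nbytes == size and low.endswith(".exe"):
            hits[ntpath.dirname(low)].append(ntpath.basename(path))
    return {d: sorted(names) for d, names in hits.items()}


def walk_sizes(root: str):
    """Yield (path, size) for every regular file under root, for feeding
    flag_dropped_exes on a real drive, e.g. walk_sizes(r"C:\\Program Files")."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                yield p, os.path.getsize(p)
            except OSError:
                continue


def compare_with_pristine(live: dict, pristine: dict) -> dict:
    """live and pristine map a binary name to its file contents (bytes); the
    pristine set would be read from C:\\i386.  Returns
    {name: (live_size, pristine_size, live_sha256, pristine_sha256)} per mismatch."""
    mismatches = {}
    for name, good in pristine.items():
        cur = live.get(name)
        if cur is None:
            continue
        h_cur = hashlib.sha256(cur).hexdigest()
        h_good = hashlib.sha256(good).hexdigest()
        if h_cur != h_good:
            mismatches[name] = (len(cur), len(good), h_cur, h_good)
    return mismatches


# --- constructed sample data, taken from the paths and sizes quoted in the post ---
SAMPLE_RUN = {
    "[system]": r"c:\windows\system32\drivers\services.exe",
    "winlogon": r"C:\Documents and Settings\%Username%\svchost.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",   # ordinary XP entry, not flagged
}
SAMPLE_FILES = [
    (r"C:\Program Files\Warcraft III\Maps\Microsoft Visual Basic KeyGen.exe", 33280),
    (r"C:\Program Files\Warcraft III\Maps\Microsoft Visual C++ Keygen.exe", 33280),
    (r"C:\Program Files\Warcraft III\Maps\readme.txt", 4096),
    (r"C:\WINDOWS\system32\drivers\services.exe", 33280),
    (r"C:\WINDOWS\system32\services.exe", 103032),
    (r"C:\i386\services.exe", 103032),
]
# Stand-in file contents with the post's sizes (real use reads both files from disk).
SAMPLE_LIVE = {"services.exe": b"MZ" + b"\x00" * 33278}
SAMPLE_PRISTINE = {"services.exe": b"MZ" + b"\x00" * 103030}

if __name__ == "__main__":
    for name, cmd, why in flag_run_entries(SAMPLE_RUN):
        print(f"RUN  {name!r} -> {cmd}  [{why}]")
    for d, names in flag_dropped_exes(SAMPLE_FILES).items():
        print(f"SIZE {d}: {', '.join(names)}")
    for name, (ls, ps, lh, ph) in compare_with_pristine(SAMPLE_LIVE, SAMPLE_PRISTINE).items():
        print(f"DIFF {name}: live {ls} bytes ({lh[:12]}...) vs i386 {ps} bytes ({ph[:12]}...)")
```

Two caveats for real use. The files under C:\i386 are often stored cab-compressed with a trailing underscore (services.ex_), so expand them with expand.exe before hashing, and a matching size alone is not proof of a clean file, only a matching hash is. More importantly, a kernel rootkit that filters file reads can hand a clean-looking copy back to any scanner running on the infected system, so do the comparison from an offline boot (recovery console or another OS mounting the drive), which is the same reason the safe-mode and recovery-shell passes above got further than the tools run from Normal Mode.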