Wednesday, July 25, 2007

My First Rootkit

I actually came across a rootkit in the wild this week. I did not recognize it as such at first. It was obvious that there was malware at work, since email would spontaneously begin sending about 1 minute after the Windows desktop appeared, and Norton AV would begin a scan on each one but would not apparently complete the scan. Then a message window would pop up indicating that the ISP had rejected the email, either because it contained a known virus or because it was obvious spam.

Shutting off the wireless connection would stop it, but scanning with Norton, either in normal or safe mode, turned up nothing. I also installed Spybot S&D and scanned, but still no luck. I thought that the Norton AV application "DoScan.exe" might be infected or a trojan because there was a bigger copy in the prefetch area than the real one, so I deleted it. I thought I had got it, but it was still infected.

I finally had to give up for the day and come back. I thought Norton might actually be infected, so I was going to go back and install AVG to see if it could have better luck. This morning I woke up thinking about something I had heard about on a "Security Now" podcast: rootkits. Designed to hide files and registry entries from the operating system, they can also hide from scanners that rely on the OS to show them the files to be scanned. They can also be detected by comparing the OS results to data read and parsed from a BIOS-level read of the HDD.

"Rootkit Revealer" was a scanner I had heard about on the podcast and had downloaded and played with. I had it in my thumbdrive toolkit, so I thought I would try a scan before doing any other detective work. Bingo. Two hidden files and several hidden entries in the registry to load a service. Armed with the names of the hidden files, I went to the internet and found references to similar, but not exact, file names. The posts indicated to download and run Smitfraud.exe and ComboFix.exe. I already had Smitfraud, and had run it, with no apparent results. So I downloaded ComboFix and it indicated that it had removed the two hidden files.
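The cross-view comparison described above (OS-reported listing versus a listing recovered from the raw disk and hive structures) is the whole trick behind scanners like Rootkit Revealer, and the kind of result it produced here, two hidden files plus registry entries for a service, is exactly what the diff surfaces. The following is an added example, not code from this post or from Rootkit Revealer: the two views are constructed dictionaries with made-up paths, sizes and timestamps (`hidden_example.sys` and the `hidden_example` service key are hypothetical names), and a real tool would populate them by parsing NTFS and the registry hives itself. It also handles the usual false positive: an entry that appears in only one view because it was created or deleted between the two passes.

```python
from datetime import datetime, timedelta

# Constructed sample views. Paths, sizes and times are made up for illustration.
# "api" is what the OS reports through its normal file/registry APIs;
# "raw" is what a scanner recovers by parsing the on-disk structures directly.
API_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll": {"size": 989184, "mtime": "2007-07-20T10:00:00"},
    r"C:\WINDOWS\system32\ntdll.dll": {"size": 706048, "mtime": "2007-07-20T10:00:00"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp": {"size": 0, "mtime": "2007-07-20T10:05:00"},
    # Seen by the API pass, gone by the time the raw pass ran.
    r"C:\WINDOWS\Temp\deleted_during_scan.tmp": {"size": 40, "mtime": "2007-07-25T09:00:10"},
}
RAW_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll": {"size": 989184, "mtime": "2007-07-20T10:00:00"},
    r"C:\WINDOWS\system32\ntdll.dll": {"size": 706048, "mtime": "2007-07-20T10:00:00"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp": {"size": 0, "mtime": "2007-07-20T10:05:00"},
    # On disk / in the hive but absent from the API view: candidates for hiding (hypothetical names).
    r"C:\WINDOWS\system32\drivers\hidden_example.sys": {"size": 24576, "mtime": "2007-07-24T23:58:00"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\hidden_example": {"size": 0, "mtime": "2007-07-24T23:58:00"},
    # Written while the scan was running: a race between the two passes, not hiding.
    r"C:\WINDOWS\Temp\~tmp1234.log": {"size": 12, "mtime": "2007-07-25T09:00:30"},
}
SCAN_STARTED = datetime(2007, 7, 25, 9, 0, 0)  # constructed scan start time


def cross_view_diff(api_view, raw_view, scan_started, grace=timedelta(minutes=5)):
    """Compare two views of the same namespace and classify every discrepancy.

    hidden:    raw view only, last modified well before the scan began
    transient: raw view only, but modified around or after scan start (likely a race; rescan)
    api_only:  API view only (e.g. deleted between the two passes; rescan)
    mismatch:  present in both, but the recorded size disagrees
    """
    cutoff = scan_started - grace
    result = {"hidden": [], "transient": [], "api_only": [], "mismatch": []}
    for path, meta in raw_view.items():
        if path not in api_view:
            mtime = datetime.fromisoformat(meta["mtime"])
            bucket = "transient" if mtime >= cutoff else "hidden"
            result[bucket].append(path)
        elif meta["size"] != api_view[path]["size"]:
            result["mismatch"].append(path)
    for path in api_view:
        if path not in raw_view:
            result["api_only"].append(path)
    for bucket in result:
        result[bucket].sort()
    return result


def report(diff):
    """Render the classification as the lines a person would read after a scan."""
    labels = (
        ("hidden", "HIDDEN FROM OS"),
        ("mismatch", "METADATA MISMATCH"),
        ("transient", "changed during scan, rescan"),
        ("api_only", "API view only, rescan"),
    )
    return [f"{label}: {path}" for bucket, label in labels for path in diff[bucket]]


if __name__ == "__main__":
    for line in report(cross_view_diff(API_VIEW, RAW_VIEW, SCAN_STARTED)):
        print(line)
```

Only the entries in the `hidden` bucket deserve attention; the `transient` and `api_only` buckets are what make a second scan worthwhile before deciding anything, since ordinary activity (temp files, logs, the scanner's own output) will always produce a few one-sided entries.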

A final scan by Rootkit Revealer showed no hidden files or registry entries. When the network connection was turned back on and the system rebooted, no sign of any infection. Ta Da!

Update: Had my second today. I was a lot quicker on the uptake this time.

1 comment:

Michal said...

Hi, I found some interesting information about system and malicious processes at process-info.org.