Windows XP Virus

  • Thread starter: Eric
Daave wrote:

> philo wrote:

>> Daave wrote:

>>> philo wrote:

>>>> Daave wrote:

>>>>> philo wrote:

>>>>>> PA Bear [MS MVP] wrote:

>>>>>>> philo wrote:

>>>>>>>

>>>>>>>> About a year ago I repaired a machine that had been compromised.

>>>>>>>>

>>>>>>>> It had been used for on-line banking and credit card

>>>>>>>> transactions and two accounts had been hacked.

>>>>>>>>

>>>>>>>> First thing I did was scan for root kits in all the places one

>>>>>>>> would expect.

>>>>>>>>

>>>>>>>> Nothing found.

>>>>>>>>

>>>>>>>> After giving the machine a thorough scan...

>>>>>>>> the root kit was found "hiding" in the restore volume!

>>>>>>> So what? That "restore volume" wasn't active & posed no threat

>>>>>>> unless you or the user selected that particular Restore Point.

>>>>>>>

>>>>>> You missed the point entirely..

>>>>>>

>>>>>> the root kit was able to "phone home"

>>>>>>

>>>>>> from within the restore volume.

>>>>>>

>>>>>> those Russian chaps are rather clever

>>>>> If the rootkit was phoning home, it was doing so from a location

>>>>> other than the restore volume. Just because you are unable to

>>>>> detect it doesn't mean it isn't there!

>>>>>

>>>>>

>>>> I'll answer the both of you here:

>>>>

>>>> Wrong

>>> Unsubstantiated.

>>>

>>> It has already been established that certain rootkits are

>>> next-to-impossible to detect.

>>>

>>> The rootkit that you say was "hiding" in the restore point obviously

>>> wasn't hidden! However, the rootkit very likely remained in the

>>> system (the restore volume doesn't count unless you use SR, using

>>> that particular restore point), hidden from you. And your situation

>>> is not the only one.

>>>

>>>


>> I used the word "hiding"

>> as I needed to scan the drive from another system to detect it.

>>

>> The rootkit was designed to operate from within the restore volume.


>

> Please provide documentation.

>

>


some good reading here



(may wrap)





http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false
 
"philo" wrote in message

news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d@ntd.net...

>> snip

>>>>

>>> I used the word "hiding"

>>> as I needed to scan the drive from another system to detect it.

>>>

>>> The rootkit was designed to operate from within the restore volume.


>>

>> Please provide documentation.


> some good reading here

>

> (may wrap)

>

>

> http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false




VERY Interesting.....thanks for the link. I have not seen mention of

this before.....will send it on to folks in the field to see what kind

of feedback I get from there...should be interesting.

--

Glen Ventura, MS MVP Oct. 2002 - Sept. 2009

A+

http://dts-l.net/
 
glee wrote:

> "philo" wrote in message

> news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d@ntd.net...

>>> snip

>>>>>

>>>> I used the word "hiding"

>>>> as I needed to scan the drive from another system to detect it.

>>>>

>>>> The rootkit was designed to operate from within the restore volume.

>>>

>>> Please provide documentation.


>> some good reading here

>>

>> (may wrap)

>>

>>

>> http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false

>>


>

> VERY Interesting.....thanks for the link. I have not seen mention of

> this before.....will send it on to folks in the field to see what kind

> of feedback I get from there...should be interesting.






You are welcome

those evil folks who write rootkits



I must admit ... are quite clever.



That kind of malware is far more dangerous than a virus

in that it may actually result in savings accounts and credit card

compromises.



Rootkits are a very real and a very nasty threat!!!!!



Not to be taken lightly.



I urge all people to take caution



and for the folks at MS to work very hard on the issue of root kits!!!!
 
Upon further review ... root kits that can penetrate System Restore

*** DO EXIST ***. I had downloaded this paper from Microsoft Australia

in January but neglected to read it:



http://www.microsoft.com/downloads/...D7-66EE185C59CE&displaylang=en&displaylang=en







‘I CAN’T GO BACK TO YESTERDAY, BECAUSE I WAS A

DIFFERENT PERSON THEN’

Chun Feng

Microsoft, Level 5



" ABSTRACT

System Restore hardware and software have been widely

implemented, and are commonly used by computer users to

revert back to a pre-preserved ‘good’ state after being affected

by malware or other threats to system integrity. As these

restore facilities have become commonplace, so too has the

malware that attempts to penetrate them. This type of malware

reaches into the depths of the affected machine and targets the

file system driver.

In late 2007, a mysterious new breed of malware appeared in

China and has been evolving quickly since. This malware,

named Win32/Dogrobot, is designed deliberately to penetrate

a ‘hard disk recovery card’ – hardware widely used by Internet

cafés in China. Surprisingly, Dogrobot has caused more than

eight billion RMB (around 1.2 billion USD) in losses to

Internet cafés in China. (This cost far exceeds that caused by

the notorious Win32/Viking virus.)

This paper tracks the five generations of Dogrobot and

presents the novel rootkit technique used by Dogrobot to

penetrate System Restore on Windows systems, covering

penetration from the Windows volume management layer used

by early variants, to the Windows IDE/ATAPI Port Driver layer

used by the latest variants. This paper also closely examines

Dogrobot’s propagation methods, including the use of

zero-day exploits and ARP spoofing. "





Seeing that paper was published in 2008 I'm wondering what generation

Win32/Dogrobot is now at and what other capabilities it currently has.

Perhaps the MS Malware Protection page has some info. It does:



http://www.microsoft.com/security/p...&sortby=relevance&sortdir=desc&size=10&page=1



So the misconception was on my part. Mowa culpa.



MowGreen

================

*-343-* FDNY

Never Forgotten

================



banthecheck.com

"Security updates should *never* have *non-security content* prechecked







philo wrote:

> glee wrote:

>> "philo" wrote in message

>> news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d@ntd.net...

>>>> snip

>>>>>>

>>>>> I used the word "hiding"

>>>>> as I needed to scan the drive from another system to detect it.

>>>>>

>>>>> The rootkit was designed to operate from within the restore volume.

>>>>

>>>> Please provide documentation.

>>> some good reading here

>>>

>>> (may wrap)

>>>

>>>

>>> http://books.google.com/books?id=5C...v=onepage&q=rootkit in restore volume&f=false

>>>


>>

>> VERY Interesting.....thanks for the link. I have not seen mention of

>> this before.....will send it on to folks in the field to see what kind

>> of feedback I get from there...should be interesting.


>

>

> You are welcome

> those evil folks who write rootkits

>

> I must admit ... are quite clever.

>

> That kind of malware is far more dangerous than a virus

> in that it may actually result in savings accounts and credit card

> compromises.

>

> Rootkits are a very real and a very nasty threat!!!!!

>

> Not to be taken lightly.

>

> I urge all people to take caution

>

> and for the folks at MS to work very hard on the issue of root kits!!!!
 
IIRC, the...



> ...'hard disk recovery card', hardware

> widely used by Internet cafés in China




to which the author refers has nothing to do with (Windows) System Restore

but

rather the hardware equivalent of the hidden Recovery partition found on so

many Notebook PCs now (in place of the OEM supplying disks).

--

~PA Bear

Errabundi Saepe, Semper Certi





 
MowGreen wrote:

> MowGreen wrote:

>> Seeing that paper was published in 2008


>

> Correction. The presentation was done in Geneva at VB2009, on the 23rd

> of September, 2009:

> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx

>

>

>

> MowGreen

> ================

> *-343-* FDNY

> Never Forgotten

> ================

>

> banthecheck.com

> "Security updates should *never* have *non-security content* prechecked






Thanks for posting back



my main point was to alert people who think their systems are secured



to think again!
 
philo wrote:

> MowGreen wrote:

>> MowGreen wrote:

>>> Seeing that paper was published in 2008


>>

>> Correction. The presentation was done in Geneva at VB2009, on the

>> 23rd of September, 2009:

>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx

>>

>>

>>

>> MowGreen

>> ================

>> *-343-* FDNY

>> Never Forgotten

>> ================

>>

>> banthecheck.com

>> "Security updates should *never* have *non-security content*

>> prechecked


>

>

> Thanks for posting back

>

> my main point was to alert people who think their systems are secured

>

> to think again!




We are all on the same page as far as that is concerned, philo. The

point I was making was that even if you are able to delete rootkit files

in the restore volume, you aren't necessarily rootkit-free. If the

rootkit was indeed phoning home, it is highly unlikely it was doing so

from that location (then again, I appreciate your link; I will read that

in depth). Chances are it was phoning home from another location you

were unable to detect.
 
Read the article again, BroBear. And, 'bear' in mind that the author

has NOT analyzed any newer generations than what existed in *August 2008*.

A check of the MS Malware Protection's encyclopedia shows plenty more

variants of Dogrobot that have appeared since then:



http://www.microsoft.com/security/p...rue&CBF=True&sortby=date&sortdir=desc&size=10



" Fifth generation

The fifth generation of Dogrobot was noticed in the wild in

August 2008. In this generation, Dogrobot uses a new

technique, PASS_THROUGH, in order to penetrate through

System Restore. Windows OS provides three I/O control

codes: IOCTL_SCSI_PASS_THROUGH (0x4D004),

IOCTL_ATA_PASS_THROUGH (0x4D02C) and IOCTL_

IDE_PASS_THROUGH (0x4D028), and user-mode

applications can send IRP with these I/O control codes via

DeviceIoControl( ) to the disk.sys driver. These IRPs will be

forwarded directly down to the lower driver (e.g. atapi.sys) in

order to perform disk read/write or other disk operations [10].

Some System Restore solutions don’t intercept the read/write

access via PASS_THROUGH and this is exploited by the fifth

generation to compromise System Restore. The disassembly

of the code used by Dogrobot to write to disk via IOCTL_

ATA_PASS_THROUGH is depicted in Figure 11. "



Does atapi.sys ring a bell ? Remember the TDSS rootkit ?





MowGreen

================

*-343-* FDNY

Never Forgotten

================



banthecheck.com

"Security updates should *never* have *non-security content* prechecked









 
Daave wrote:

> philo wrote:

>> MowGreen wrote:

>>> MowGreen wrote:

>>>> Seeing that paper was published in 2008

>>> Correction. The presentation was done in Geneva at VB2009, on the

>>> 23rd of September, 2009:

>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx

>>>

>>>

>>>

>>> MowGreen

>>> ================

>>> *-343-* FDNY

>>> Never Forgotten

>>> ================

>>>

>>> banthecheck.com

>>> "Security updates should *never* have *non-security content*

>>> prechecked


>>

>> Thanks for posting back

>>

>> my main point was to alert people who think their systems are secured

>>

>> to think again!


>

> We are all on the same page as far as that is concerned, philo. The

> point I was making was that even if you are able to delete rootkit files

> in the restore volume, you aren't necessarily rootkit-free. If the

> rootkit was indeed phoning home, it is highly unlikely it was doing so

> from that location (then again, I appreciate your link; I will read that

> in depth). Chances are it was phoning home from another location you

> were unable to detect.

>

>






I ran numerous scans using four different root kit detection programs.



It appears to be clean and the user has since made on-line financial

transactions without getting hacked...



but with root kits...I don't know if one can ever be 100% sure



nasty stuff!
 
"philo" wrote in message

news:6YednTAIgKspFAPWnZ2dnUVZ_hWdnZ2d@ntd.net...

> Daave wrote:

>> philo wrote:

>>> MowGreen wrote:

>>>> MowGreen wrote:

>>>>> Seeing that paper was published in 2008

>>>> Correction. The presentation was done in Geneva at VB2009, on the

>>>> 23rd of September, 2009:

>>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx

>>>>

>>>>

>>>>

>>>>

>>>

>>> Thanks for posting back

>>>

>>> my main point was to alert people who think their systems are

>>> secured

>>>

>>> to think again!


>>

>> We are all on the same page as far as that is concerned, philo. The

>> point I was making was that even if you are able to delete rootkit

>> files in the restore volume, you aren't necessarily rootkit-free. If

>> the rootkit was indeed phoning home, it is highly unlikely it was

>> doing so from that location (then again, I appreciate your link; I

>> will read that in depth). Chances are it was phoning home from

>> another location you were unable to detect.


>

>

> I ran numerous scans using four different root kit detection programs.

>

> It appears to be clean and the user has since made on-line financial

> transactions without getting hacked...

>

> but with root kits...I don't know if one can ever be 100% sure

>

> nasty stuff!




Did you run those rootkit programs while the drive was slaved to another

computer, rather than being booted from the drive being scanned? I ask

for obvious reasons.



The safest method is to scan from outside the OS with a rootkit scanner

AND an anti-virus app AND a spyware detection app like MBAM. I think we

all agree on that as a *preferred* protocol.



What is being described in the articles both you and Mow posted, is not

conclusive that the malware is actually being run (and therefore

"active") from within the SVI folders. It appears that the folder

created by the infection inside the SVI folder was used to store

components used for the initial installation of the infection, but the

infection itself is actually executing as a service out of the System32

folder tree and loading from the Service Registry Key.....note please

the quote from the article you cited: "....running as a service allows

the rootkit to survive a reboot".



Even if this is the case, that it isn't active in the SVI, the fact that

the folder was easily hacked for storage makes it possible that sooner

or later, a rootkit will come along that will succeed in actually

running from there. It just gets nastier all the time....and we can't

afford to be smug and say it can "never" happen. Never say

never...especially about malware. ;-)

--

Glen Ventura, MS MVP Oct. 2002 - Sept. 2009

A+

http://dts-l.net/
 






Fortunately my machines have removable drive kits

so it was easy for me to pop the infected drive in another machine

to scan it...







Once I was sure the machine was clean...I did check to see what services

were running and made sure I could identify all non-Microsoft services.



Of course one thing I did not do was see if the rootkit may have been

spawning some service...which of course would mean that it was not

running from within the restore volume. Of course that does not make it

less dangerous...and we all need to use caution and not assume our

machines are impervious to malware
 




Mal-coders stash executables in TIF but they are not executed until

something outside of TIF calls them to run. So, technically speaking,

malware executables are not active in TIF.

It's the same with executables in SVI but ... the prevailing notion was

that one needed to utilize an infected restore point to pWn the system.



Another anti-malware warrior explained how this Vista System Restore

Rootkit functions: http://www.rootkit.com/newsread.php?newsid=900



" This is not a rootkit that runs from SVI either. The rootkit

initiates a system restore, and it then intercepts and diverts SR

execution so malicious files and registry keys are restored. Once the PC

is shutdown and restarted the infected file(s) and autostart(s) that

were introduced by the subverted SR, will take effect. The advantage of

using such a rootkit, is that it enables malware to silently install

without activating any HIPS or security program alerts. "







MowGreen

================

*-343-* FDNY

Never Forgotten

================



banthecheck.com

"Security updates should *never* have *non-security content* prechecked
 