Need help identifying a nasty rootkit in Windows

Posted by goofrider on Super User
Published on 2012-09-06T20:22:18Z


I have a nasty rootkit that no tools seem to be able to identify. I know for sure it's a rootkit, but I can't figure out which rootkit it is. Here's what I've gathered so far:

  • It creates multiple copies of itself in %HOME%\Local Settings\Temp with names like Q.EXE, IAJARZ.exe, etc., and installs them as hidden services. These EXEs have SysInternals identifiers in them, so they're definitely rootkits.
  • It hooks very deep into the system, including file read/write, security policies, registry read/write, and possibly WinSock/TCP/IP.
  • When going to Sophos.com to download their software, the rootkit injects something called Microsoft Ajax Toolkit into the page, which injects code into the email submission form in order to redirect it. (EDIT: I might have panicked. Looks like Sophos does use an AJAX email form; their form is just broken on Chrome, so it looked like a mail form injection attack. The link is http://www.sophos.com/en-us/products/free-tools/virus-removal-tool/download.aspx )
  • SUPERAntiSpyware found a lot of spyware cookies, with names like .kaspersky.2o7.net, etc. (just check 2o7.net, looks like it's a legit ad company)
  • I tried comparing DNS lookups from the infected system and from systems in other physical locations; no DNS redirection, it seems.
  • I used dd to copy the MBR and compared it with the MBR provided by the ms-sys package; no differences, so it's not infecting the MBR.
  • No antivirus or rootkit scanner is able to identify it. Most of them can't even find it. I tried scanning in situ (normal mode), in safe mode, and booting to a Linux live CD. Scanners used: Avast, Sophos Anti-Rootkit, Kaspersky TDSSKiller, GMER, RootkitRevealer, and many others.
  • Kaspersky reported some unsigned system files that ought to be signed (e.g. tcpip.sys), and reported a number of MD5 mismatches. But otherwise it couldn't identify anything based on signatures.
  • When running Sysinternals RootkitRevealer and Sophos Anti-Rootkit, CPU usage goes up to 100% and they get stuck. The rootkit is blocking them.
  • When trying to run/install HiJackThis, RootkitRevealer and some other scanners, it tells me the system security policy prevents running/installing them.

The list of malicious activities goes on and on. Here's a sample of logs from all my scans. In particular, aswSnx.SYS, apnenfno.sys and PROCMON20.SYS have a huge number of hooks. It's hard to tell if the rootkit replaced legit program files like aswSnx.SYS (from Avast) and PROCMON20.SYS (from Sysinternals Process Monitor). I can't find out whether apnenfno.sys is from a legit program.

Help to identify it is appreciated.

Trend Micro RootkitBuster
------

[HIDDEN_REGISTRY][Hidden Reg Value]:
    KeyPath   : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg
    Root      : 586bfc0
    SubKey    : Cfg
    ValueName : g0
    Data      : 38 23 E8 D0 BF F2 2D 6F ...
    ValueType : 3
    AccessType: 0
    FullLength: 61
    DataSize  : 32

[HOOKED_SERVICE_API]:
    Service API     : ZwCreateMutant
    Image Path      : C:\WINDOWS\System32\Drivers\aswSnx.SYS
    OriginalHandler : 0x8061758e
    CurrentHandler  : 0xaa66cce8
    ServiceNumber   : 0x2b
    ModuleName      : aswSnx.SYS
    SDTType         : 0x0
[HOOKED_SERVICE_API]:
    Service API     : ZwCreateThread
    Image Path      : c:\windows\system32\drivers\apnenfno.sys
    OriginalHandler : 0x805d1038
    CurrentHandler  : 0xaa5f118c
    ServiceNumber   : 0x35
    ModuleName      : apnenfno.sys
    SDTType         : 0x0
[HOOKED_SERVICE_API]:
    Service API     : ZwDeleteKey
    Image Path      : C:\WINDOWS\system32\Drivers\PROCMON20.SYS
    OriginalHandler : 0x80624472
    CurrentHandler  : 0xa709b0f8
    ServiceNumber   : 0x3f
    ModuleName      : PROCMON20.SYS
    SDTType         : 0x0

HiJackThis
------

O23 - Service: JWAHQAGZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\jeff\LOCALS~1\Temp\JWAHQAGZ.exe
O23 - Service: LHIJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\jeff\LOCALS~1\Temp\LHIJ.exe


Kaspersky TDSSKiller
------
21:05:58.0375 3936  C:\WINDOWS\system32\ati2sgag.exe - copied to quarantine
21:05:59.0217 3936  ATI Smart ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:05:59.0342 3936  C:\WINDOWS\system32\BUFADPT.SYS - copied to quarantine
21:05:59.0856 3936  BUFADPT ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:05:59.0965 3936  C:\Program Files\CrashPlan\CrashPlanService.exe - copied to quarantine
21:06:00.0152 3936  CrashPlanService ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:06:00.0246 3936  C:\WINDOWS\system32\epmntdrv.sys - copied to quarantine
21:06:00.0433 3936  epmntdrv ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:06:00.0464 3936  C:\WINDOWS\system32\EuGdiDrv.sys - copied to quarantine
21:06:00.0526 3936  EuGdiDrv ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:06:00.0604 3936  C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe - copied to quarantine
21:06:01.0181 3936  FLEXnet Licensing Service ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:06:01.0321 3936  C:\Program Files\AddinForUNCFAT\UNCFATDMS.exe - copied to quarantine
21:06:01.0430 3936  OTFSDMS ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:06:01.0492 3936  C:\WINDOWS\system32\DRIVERS\tcpip.sys - copied to quarantine
21:06:01.0539 3936  Tcpip ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:06:01.0601 3936  C:\DOCUME~1\jeff\LOCALS~1\Temp\TULPUWOX.exe - copied to quarantine
21:06:01.0664 3936  HKLM\SYSTEM\ControlSet003\services\TULPUWOX - will be deleted on reboot
21:06:01.0664 3936  C:\DOCUME~1\jeff\LOCALS~1\Temp\TULPUWOX.exe - will be deleted on reboot
21:06:01.0664 3936  TULPUWOX ( UnsignedFile.Multi.Generic ) - User select action: Delete 
21:06:01.0757 3936  C:\WINDOWS\system32\Drivers\usbaapl.sys - copied to quarantine
21:06:01.0866 3936  USBAAPL ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:06:01.0913 3936  C:\Program Files\VMware\VMware Player\vmware-authd.exe - copied to quarantine
21:06:02.0443 3936  VMAuthdService ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
21:06:02.0443 3936  vmount2 ( UnsignedFile.Multi.Generic ) - skipped by user
21:06:02.0443 3936  vmount2 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:06:02.0459 3936  vstor2 ( UnsignedFile.Multi.Generic ) - skipped by user
21:06:02.0459 3936  vstor2 ( UnsignedFile.Multi.Generic ) - User select action: Skip 
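As an added example (not part of the question, and not tooling from any of the scanners named in it), the Python script below parses the three log formats quoted in the post, Trend Micro RootkitBuster hook records, HijackThis O23 service lines and TDSSKiller verdict lines, and reduces them to a short list of what to examine first: SSDT hook owners that the post does not attribute to a product, services whose image path is in a user's Temp directory, and unsigned-file verdicts that point outside Temp. The `ATTRIBUTED_DRIVERS` mapping is an assumption taken from the question text (aswSnx.SYS as Avast, PROCMON20.SYS as Process Monitor), not a verified driver list, and the embedded sample logs are a constructed subset of the lines in the post.

```python
"""Added example: offline triage of the scanner logs quoted in the post.
Parses Trend Micro RootkitBuster hook records, HijackThis O23 lines and
Kaspersky TDSSKiller verdicts, and lists what to examine first: hook owners
the post does not attribute to a product, services running from a user Temp
directory, and unsigned-file verdicts that sit outside Temp."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Hook owners the post itself attributes to a product (assumption from the question text).
ATTRIBUTED_DRIVERS = {"aswsnx.sys": "Avast", "procmon20.sys": "Process Monitor"}
# Per-user Temp: XP short/long forms and the Vista+ Users\<u>\AppData\Local\Temp layout.
TEMP_DIR_RE = re.compile(r"\\(?:docume~1|documents and settings|users)\\[^\\]+\\"
                         r"(?:locals~1\\temp|local settings\\temp|appdata\\local\\temp)\\", re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<url>\S+) - (?P<path>.+)$")
TDSS_PATH_RE = re.compile(r"^\S+ \d+\s+(?P<path>.+?) - copied to quarantine$")
TDSS_VERDICT_RE = re.compile(
    r"^\S+ \d+\s+(?P<service>.+?) \( (?P<verdict>\S+) \) - User select action: (?P<action>\w+)$")

# Constructed sample input: a subset of the lines quoted in the post.
ROOTKITBUSTER_LOG = r"""
[HOOKED_SERVICE_API]:
    Service API     : ZwCreateMutant
    ModuleName      : aswSnx.SYS
[HOOKED_SERVICE_API]:
    Service API     : ZwCreateThread
    ModuleName      : apnenfno.sys
[HOOKED_SERVICE_API]:
    Service API     : ZwDeleteKey
    ModuleName      : PROCMON20.SYS
"""
HJT_LOG = r"""
O23 - Service: JWAHQAGZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\jeff\LOCALS~1\Temp\JWAHQAGZ.exe
O23 - Service: LHIJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\jeff\LOCALS~1\Temp\LHIJ.exe
"""
TDSSKILLER_LOG = r"""
21:06:01.0492 3936  C:\WINDOWS\system32\DRIVERS\tcpip.sys - copied to quarantine
21:06:01.0539 3936  Tcpip ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
21:06:01.0601 3936  C:\DOCUME~1\jeff\LOCALS~1\Temp\TULPUWOX.exe - copied to quarantine
21:06:01.0664 3936  HKLM\SYSTEM\ControlSet003\services\TULPUWOX - will be deleted on reboot
21:06:01.0664 3936  TULPUWOX ( UnsignedFile.Multi.Generic ) - User select action: Delete
21:06:02.0443 3936  vmount2 ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""

def is_user_temp_path(path: Optional[str]) -> bool:
    return bool(path and TEMP_DIR_RE.search(path))

def parse_rootkitbuster_hooks(text: str) -> List[Dict[str, str]]:
    hooks, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[HOOKED_SERVICE_API]"):
            current = {}
            hooks.append(current)
        elif line.startswith("["):            # another record type ends the block
            current = None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # values may contain ':' (C:\...)
            current[key.strip()] = value.strip()
    return hooks

def hooks_by_module(hooks: List[Dict[str, str]]) -> Dict[str, List[str]]:
    by_mod: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        by_mod[h["ModuleName"].lower()].append(h["Service API"])
    return dict(by_mod)

def parse_hjt_o23(text: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in map(O23_RE.match, (l.strip() for l in text.splitlines())) if m]

def parse_tdsskiller(text: str) -> List[Dict[str, Optional[str]]]:
    """Pair each verdict with the 'copied to quarantine' path logged just before it."""
    verdicts, pending_path = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = TDSS_PATH_RE.match(line)
        if m:
            pending_path = m.group("path")
            continue
        m = TDSS_VERDICT_RE.match(line)
        if m:
            rec: Dict[str, Optional[str]] = m.groupdict()
            rec["path"] = pending_path        # None when no file path was logged
            verdicts.append(rec)
            pending_path = None
    return verdicts

def triage(rootkitbuster: str, hjt: str, tdsskiller: str) -> Dict[str, object]:
    by_mod = hooks_by_module(parse_rootkitbuster_hooks(rootkitbuster))
    services, verdicts = parse_hjt_o23(hjt), parse_tdsskiller(tdsskiller)
    in_temp = [s["name"] for s in services if is_user_temp_path(s["path"])]
    in_temp += [v["service"] for v in verdicts
                if is_user_temp_path(v["path"]) and v["service"] not in in_temp]
    return {
        "unattributed_hook_modules": sorted(m for m in by_mod if m not in ATTRIBUTED_DRIVERS),
        "services_in_user_temp": in_temp,
        "unsigned_outside_temp": sorted(v["service"] for v in verdicts
                                        if not is_user_temp_path(v["path"])),
    }

if __name__ == "__main__":
    for key, value in triage(ROOTKITBUSTER_LOG, HJT_LOG, TDSSKILLER_LOG).items():
        print(f"{key}: {value}")
```

Running it on the full logs from the post separates the `UnsignedFile.Multi.Generic` verdicts that fall on installed products (the CrashPlan, FLEXnet and VMware entries above) from the randomly named services under `\DOCUME~1\jeff\LOCALS~1\Temp`, and singles out `apnenfno.sys` as the only hooking driver with no attribution in the question; that short list is what to hash and look up next, rather than the whole quarantine log.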
