18 May 2009

Another rootkit infection and some bugs on the TODO list

Yesterday my malware honeypot ran into a nasty infection. As usual, the malware was installed just by visiting a web page: the distributor exploited a security hole to get access to the computer. Once it had access, the malware installed a rootkit and hid a few registry keys to prevent detection and removal. It also searched the network for shared folders with write permission and infected the executable files there, blocked anti-malware tools such as HijackThis from running, and disabled the Task Manager and the registry editors.

Here's the FreeFixer log from the infected computer:

FreeFixer v0.39 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-17 17:05


System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1

Browser Helper Objects
{7C7EFE99-C71F-48b8-8CC8-BA506CA76A33}, MS extension, xagkf32.dll(file is missing)

Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (16 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\winbUDYVzKULs5.exe
C:\Program\FreeFixer\freefixer.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\cxurr.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\ixcsmn.exe
C:\Documents and Settings\Roger\Skrivbord\gmer.exe

Services (34 whitelisted)
scardsvrbits, Smart Card SCardSvrBITS, c:\windows\system32\1053k.exe

An error occurred when trying to open the file for reading.
Filename: 'c:\windows\system32\1053k.exe'. 
Current Working Directory: 'C:\Program\FreeFixer\'.
System error message: Det går inte att komma åt filen eftersom den
används av en annan process. Error code: 32.
C++ exception: ios_base::failbit set

This also highlights some problems with the current version of FreeFixer. The first is that a malware driver named a49f4451.sys is installed but does not appear in the scan result. It was found by GMER, an excellent rootkit detection tool. The driver hides itself by patching the Windows API calls that enumerate the registry data describing the installed drivers. FreeFixer currently misses this advanced hiding technique, since its rootkit detection code only looks for hidden processes, not for hidden registry keys.

The second problem is that FreeFixer is unable to calculate the MD5 of the file "1053k.exe", because another process has it locked (error code 32 in the log above).

I will look into these two issues and see what I can do about them.
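As an added example (not part of this post and not FreeFixer's own code), here is a small Python triage script that reads a FreeFixer-style log and flags the indicators discussed above: policies that switch off the Task Manager and registry tools, a BHO whose DLL is missing, a startup entry without a full path, processes running from a temp directory, and a file the scanner could not even open because another process holds it. The section names and line layouts it assumes are taken from the logs on this page; the sample log embedded in it is an excerpt assembled from those two logs.

```python
"""Triage a FreeFixer-style log for the indicators described in this post.

Added example, not FreeFixer's own code. It assumes the plain-text layout
shown on this page: a short header, sections such as "System policies" or
"Processes (N whitelisted)", and an error block starting "An error occurred".
"""
import re

# Constructed excerpt assembled from the two FreeFixer logs on this page.
SAMPLE_LOG = r"""FreeFixer v0.39 log
Operating system: Windows XP Service Pack 1
Log dated 2009-05-17 17:05

System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1

Browser Helper Objects
{7C7EFE99-C71F-48b8-8CC8-BA506CA76A33}, MS extension, xagkf32.dll(file is missing)

Registry Startups
HKLM\..\Run, WinDLL (service.exe) = service.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (16 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\winbUDYVzKULs5.exe

Services (34 whitelisted)
scardsvrbits, Smart Card SCardSvrBITS, c:\windows\system32\1053k.exe

An error occurred when trying to open the file for reading.
Filename: 'c:\windows\system32\1053k.exe'.
Current Working Directory: 'C:\Program\FreeFixer\'.
System error message: Det går inte att komma åt filen eftersom den
används av en annan process. Error code: 32.
C++ exception: ios_base::failbit set
"""

SECTION_RE = re.compile(r"^(System policies|Browser Helper Objects|Registry Startups|"
                        r"Processes|Services|Shell services)\b")
ERROR_BLOCK_RE = re.compile(r"^An error occurred")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
POLICY_RE = re.compile(r",\s*(\w+)\s*=\s*(\d+)")
FILENAME_RE = re.compile(r"^Filename:\s*'([^']+)'")
ERRCODE_RE = re.compile(r"Error code:\s*(\d+)")

# Policies that switch off the tools a user would reach for first.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}
ERROR_SHARING_VIOLATION = 32  # the Win32 error code reported in the log


def parse_log(text):
    """Group the log's non-blank lines under the section header they follow."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if ERROR_BLOCK_RE.match(line):
            current = "Errors"  # scanner errors are findings too, keep them
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def triage(sections):
    """Return (kind, subject, reason) tuples for every indicator found."""
    findings = []
    for line in sections.get("System policies", []):
        m = POLICY_RE.search(line)
        if m and m.group(1) in RESTRICTIVE_POLICIES and m.group(2) != "0":
            findings.append(("policy", m.group(1), "admin tool disabled by policy"))
    for line in sections.get("Browser Helper Objects", []):
        if "(file is missing)" in line:
            findings.append(("bho", line.split(",")[0], "BHO registered but its DLL is missing"))
    for line in sections.get("Registry Startups", []):
        value = line.split("=", 1)[1].strip() if "=" in line else ""
        if value and "\\" not in value:  # bare name: resolved via the search path
            findings.append(("startup", value, "startup entry without a full path"))
    for line in sections.get("Processes", []):
        if TEMP_DIR_RE.search(line):
            findings.append(("process", line, "process image running from a temp directory"))
    filename = None
    for line in sections.get("Errors", []):
        m = FILENAME_RE.match(line)
        if m:
            filename = m.group(1)
        m = ERRCODE_RE.search(line)
        if m and filename:
            code = int(m.group(1))
            reason = ("locked by another process (sharing violation)"
                      if code == ERROR_SHARING_VIOLATION else f"unreadable, Win32 error {code}")
            findings.append(("unreadable", filename, reason))
            filename = None
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"[{kind:10}] {subject}: {reason}")
```

The point of the last rule is that a scanner should record a file it cannot open as a finding rather than abort on the exception: a system32 file that another process holds open so tightly that even a read is refused is exactly the kind of entry worth a second look.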

Comments

Roger Karlsson writes

2 thumbs

Here's another variant of the same security hole exploit:

FreeFixer v0.39 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-18 12:47


System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1

Registry Startups
HKLM\..\Run, WinDLL (service.exe) = service.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (14 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\winDDRYcZBRBIkB.exe
C:\WINDOWS\System32\wininet.exe
C:\WINDOWS\service.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\winfismyj.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\aeilmk.exe
C:\Program\FreeFixer\freefixer.exe

Shell services (4 whitelisted)
SysRun, {D7FFD784-5276-42D1-887B-00267870A4C7}, C:\WINDOWS\System32\svshost.dll

# 19 May 2009, 11:28

Monica F writes

-1 thumb

I have had problems with Winlgoon.exe, and several other viruses or malware. I would like to suggest downloading SpyZooka. They guarantee 100% removal of all spyware, malware and viruses. You can always contact them with any issue, and a tech will get back to you and advise you. I love them! This was the best money I have ever spent on a removal product.

# 11 Dec 2009, 10:27

Christer writes

1 thumb

Sorry Monica!

SpyZooka's rep is bad. Check out
http://hosts-file.net/?s=bluepenguinsoftware.com
or
http://www.mywot.com/sv/scorecard/bluepenguinsoftware.com

btw: spyzooka.com = bluepenguinsoftware.com

# 21 Jan 2010, 21:52
