Hunting the invisible beast

Here some thing that might interest all rootkit chasers..
hunting all invisible beasts.. like this impossible one

http://i11.tinypic.com/4byk5g2.png

What you see is something quite impossible, it must be located between
ntoskernel and hal.dll, if IceSword is right.

http://i12.tinypic.com/43f96i0.png

Look what UnhackMe shows:

http://i10.tinypic.com/2rzxn5k.png

 

Csrss.exe may play a role too in this wicked game.

http://i14.tinypic.com/2wo9a93.png

Beside: while I am posting these infos, the system got a blue screen with two yellow bars, seems that the intruder is not amused about my revelations..

Another crazy thing happens with power translator, in another thread I already told that typical signs are also if apps will be installed as non-admin, even if you are admin.

http://i16.tinypic.com/449rk11.png

Again Winpooch this time the file is no more available:

http://i11.tinypic.com/3z19i5l.png

What I personally find the most shocking thing is that there is actually no tool available that may be able to remove this nasty, neither nod32, nor gdata, nor process guard, nor appdefend, nor IceSword, nor Gmer, nor AAK,
nor Unhackme, nor RootkitReveal, nor svv, nor Blacklight, simply nothing. Thats the fact.

You can watch it, you can trace it but you can´t eliminate it.

(But maybe it is only paranoia who knows.. but if so why are there so damn much hints like shown above.. ;-))

 

I were you I would wipe out and reinstall your OS simple as that, I would even go as far as resetting the cmos, BIOS, and any PCI hardware you have that can have residual flash memory of its install. Start clean stay clean using good HIPS & or others.. sandbox, virtualization etc...stay away from root kit detectors ahem.......the ones that create can also make...unless you trust these F_____s.

 

That´s true. I guess the bios is the main problem.

Here is another sign for this persistent infection, a kind of rundll32 exploit:

http://i11.tinypic.com/4hthr7m.png

But yankinNcrankin if it were a file infector, maybe only a few invisible adstreams or some few bytes on a executable file your next system would be as vulnerable as your actual system. I think this is what they call stealth by design.

 

Hello,
There is a very simple way of removing anything.
Boot from a Linux live CD and delete the offending files, dlls.
Simple, eh?
Mrk

 

No, not simple, I did that already, maybe you should check the thread with ACPI Biosrootkit. I used Linux from CD and the only thing I could see that there were a unknown device activity, probably flashed, this is far beyond dlls and exes.

Beside the UnhackMe warning is in my opinion a false positive. If I would remove the entry in tcpip parameters, my internet connection would stop to work.

The same thing with AppDefend, I always have to deactivate AppDefend before I go online, otherwise
internet connection won´t work. Don´t know the reason but it´s a fact. After connection I can re-enable AppDefend, but not before dialing into internet.

 

Hello,
Of course, BIOS rootkit.
Mrk

 

Somewhere some how you must of allowed something that seemed to be legit, probably snuck in using trusted apps however a properly configures HIPS would of red flagged it, yes pain in the @$$ with alerts but you get to a point after a while you know when something aint right as you understand what exactly takes place in the running and launching and executing of certain apps N programs...If the above for you is a no go to solve the stealth by design issue you just had bad luck with a real BAD NASTY. So far never had that kind of an issue with my current setup and Im a High risk surfer etc etc etc.....

 

Here's what you can do. Reset the BIOS by opening up your computer and poppin' out the battery or using the jumpers to reset it. Then, before booting up into windows xp, get a lovely thing called http://dban.sourceforge.net/ and then you will be malware and OS free (recommend installing FreeBSD 6.1 or Arch Linux then)

Cheers

Alphalutra1

 

I resetted the bios 100s of time also because of the reason that I OC´d my system many times in the past.

I made some research over past threads and found kareldjags tips. I installed a tool called samurai, it´s pretty cool, surf speed highly increased.

A guy from this address(IP: 204.16.208.135) made a port scan attack right now:
(it´s not the first time, that my udp ports are attacked by this us guy)
OrgName: FAST COLOCATION SERVICES Address: 3791 N. Edgewater Dr
City: Wasilla StateProv: AK PostalCode: 99654 Country: US
Seems to be messenger spam.

Beside Samurai also cleaned up the thing that UnhackMe revealed.

Some fresh info about our invisible beast:

http://i17.tinypic.com/2hhgewj.png

(the hooked one are important the rest not so much)

Probably our invisible beast is a rustock variant, temp ads streams found:

http://i17.tinypic.com/40bjjsz.png

Services.exe kills process, a temporary file is created and ads streams, maybe someone knows this variant more exactly:

http://i16.tinypic.com/2vc6kc0.png

 

go and show pictures and ask here:
http://forum.sysinternals.com/forum_topics.asp?FID=18

Did you run RkU ?

 

Yes I ran RKU.

It primarily detects unknown inline hooks, but if you check with spybro you will see that these hooks are caused by Samurai security tool.

Except the ieframe.dll hooks and a unknown explorer.exe hook:

explorer.exe => kernel32.dll => Free Library 0x00000001 [Unknown Module]

Explorer already crashed 2 times

Another phenomenon is: Starting iexplore.exe, I see other Icons,
e.g. instead of viewing ie icon I see a a-square Icon before http://, this vari with every reboot.
Maybe Icon Exploit.

With high probability it´s a kind of new mixture of ads stream and oldschool rootkit, a hybrid thing, but extremely persistent and beyond formatting the drive, probably any flash component, like bios.

Beside I recently tested Vista RC1, does anyone know, if it is usual to see two csrss.exe one of them is defined in task manager as console.

I am about 80-90% sure that it is russian origin.

Procguard.exe is also infiltrated by this thing. Unknown hooked by 0x00030425.