Rootkits headed for BIOS

Discussion in 'malware problems & news' started by lotuseclat79, Jan 28, 2006.

Thread Status:
Not open for further replies.
  1. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    So ppl actually read my post, eh ;)

    I may just add one thing. Really simple thing.
    Before doing all those tests: why do you believe you've been compromised?

    1) smss.sys rootkit is not a false alarm
    2) explorer from unknown process is normal
    3) unknown thing in netstat is normal
    4) Buffer overflows are normal (read Sysinternals post)
    5) Vice doesn't work ... I have no idea what Vice is.
    Are you sure there isn't another program blocking its driver from installing?

    6) Csrss kills some process.

    Have you ever seen on a clean system without security programs processes that open, crash and kill themselves? This is probably what happens, except you are intercepting the kill made by csrss.


    ------------------------

    I do not say your system is perfect and I know everything ...
    All I want from you is to fill in the blank:

    I believe my system is compromised because of: ___________________
    If you enumerate 4-5 good reasons we may be in a better position to help you.

    If you realise that you believe your system is compromised because of different crashes and parts that don't work properly ... then HW may be the cause:

    - Strange screen on boot
    - BIOS that doesn't recognise cable bit
    - random instability
    - some internal test complained about mem86
    - floppy disk that doesn't boot

    Etc ...

    You have at least the same amount of reason to believe it's HW as software.
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Rootkits are always looking for the best area for hiding themselves.
    BIOS and peripherals in general are an excellent hiding place: as they're independent from the OS, it's more difficult to suspect their presence.

    As pointed out by some papers and articles, prevention and detection solutions already exist; and most of all, a BIOS rootkit is much more possible in the wild with physical access to a machine.

    -"Implementing and detecting an ACPI BIOS Rootkit" (pdf) by John Heasman from http://www.ngssoftware.com/

    -an article related to this paper: http://www.contractoruk.com/news/002490.html

    Regarding SystemJunkie's problem, I think that what was shown is not exhaustive for an ultimate diagnostic.

    An integrity checker just warns about a change, but does not indicate if it's due to a malicious or legitimate change.
    Vice is unable to work and to give indications of hooking modules.

    I suggest using IceSword and System Virginity Verifier for a more reliable diagnosis.
    For a deep and forensic analysis, advanced products like Encase or ProDiscover (http://www.techpathways.com ) will help to find any rootkit on the hard drive.

    More detection tools here: http://kareldjag.over-blog.com/article-1232492.html

    I've noticed that SystemJunkie uses AntiHook: the last beta version (3.0) is able to detect a rootkit already installed.

    For a hidden account, try dumpsec (free) : http://www.somarsoft.com

    Or a trial of XPUsermanager (100% in German): http://www.michael-puff.de/Programme/UserManager/

    It can also be suitable to audit your host for suspect connections.
    This can be done with a sniffer like Ethereal; and as a first step, a trial of Shadow Security Scanner for instance: http://www.safety-lab.com/en/

    In fact SystemJunkie, the "problem" is simple: either you're able (time, methods and know-how) to define exactly what is happening on your system, or you can't.
    And in the latter case, you jump from hypothesis to hypothesis; and finally stay in the heart of doubt.

    Good luck!

    Regards
     
  3. EASTER.2010

    EASTER.2010 Guest

    Take my interest and support for what it might be worth to you, but personally I believe these 2 are the very best of this type and more DEEP intrusion detectors than sliced bread to come along in a very long time here on the public internet.

    They are not the end-all by any stretch, but they both open up clearly much more detail than most any others. At the very least they should serve to complement your resident protection when it comes to the unknown or any other attention that is cause for serious interest concerning your PC system's security.

    Thanks, great topic.
     
  4. controler

    controler Guest

    Here are some threads that deal with System Junkie's problems.

    They cover:

    apt.exe with process Guard and random blue screens

    https://www.wilderssecurity.com/showthread.php?t=22374

    apt.exe and buffer overflow

    https://www.wilderssecurity.com/showthread.php?t=121345

    Fact: AppDefend found a rootkit win32ksys

    http://www.superadblocker.com/definition/winsys32s/

    for some reason clicking on my link does not give the name so added text below


    Then backdoorapt which may or may not even be relevant

    http://vil.nai.com/vil/content/v_113445.htm
     
  5. controler

    controler Guest

    kareldjag

    Hello

    You post some good links. Have you tried Shadow Security Scanner?

    Interesting program. Lots of options. I tried it with my behind-router IP
    192.168.x.x then tried it with my router's IP address. Strange results.
    It also found about 11 audit problems when using my behind-router IP address. XP system is fully patched from MS but audit says MS has a patch for the problem.
    I had a bad exception with the program. I am running ZoneAlarm security suite with AV and antispyware turned off. I shut down ZoneAlarm when running tests.
    I am also using MS shared toolkit 1.1, thank god ey? LOL

    Anyway there seem to be a ton of options in this scanner. You can choose to use NMap for the scan although not default. I think it would take some time to learn all the options with this program.

    controler
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Kareldjag, I know your website, it is very good! One of the really useful ones to fight rootkits! Thanks for all this information!

    That is the proof @f3x:

    http://i1.tinypic.com/se1s9j.png

    Look exactly, the rootkit coder made a mistake.

    Besides, actually I reinstalled my backup, but it is the same, like above!
    Dos dir is hidden, explorer dir is viewable and SwitchSniffer is unable to work.
    Also buffer overflowed.

    The following exes don't work on my system: apt.exe, portexplorer.exe, peid.exe, switchsniffer.exe, hardtcp.exe
    (all of them will be killed by csrss.exe) And not because I do the kill ;-)

    Antihook3 sounds good. Thanks f3x for your long explanations.

    Please don´t think IceSword is unbeatable, I use it regularly, but the new version of fu rootkit can easily bypass IceSword.

    Another symptom is that tasklist doesn´t work anymore for any unknown reason.
     
    Last edited: Apr 9, 2006
  7. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    You are saying that some files are visible in explorer.exe but not in the dos prompt?
    This is really interesting... as I guess a rootkiter would want to do the inverse.
    You have that rootkit on a brand new reinstall?
    Do you know what program installed the hidden folder?
    Is it possible that explorer.exe and cmd.exe have different security privileges?

    [edit]

    If your task manager doesn't work ... try to see if this key exists and if it has a strange value
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman



    I remember that explorer and "dos" do not have the same alphabetical order.
    For example e, é and è are together in explorer but not in dos.
    I wonder if the nextsecurity uses a special "N" and is just later in the dos prompt list
     

    Attached Files: test.JPG (15.1 KB)
    Last edited: Apr 9, 2006
  8. controler

    controler Guest

    It is now obvious System Junkie is a ringer LOL

    Will this person actually tell who he-she is?

    Did not reply to disable ACPI.

    This is getting too funny.
    Oh but dear, where will it lead?

    con
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This entry is not existent.

    I checked twice, I checked alphabetical order, it is a simple N, nothing special,
    yep, normally Rootkit writers want to hide explorer entries, but as you see we have a hidden one in DOS cmd prompt.

    I disabled ACPI in this Win installation but it did not change anything, the main problem is the hal.dll of windows xp and the acpi.sys is still installed, no matter if you enable or disable acpi in bios. Standard Win XP simply does not run without ACPI.sys.

    Cool, finally I found a way to start VICE from CD on my second PC! Look, ispubdrv is a false alarm, but what about winlogon userland rootkit? Maybe a false alarm too, what say the experts?

    http://i2.tinypic.com/v3gjy9.png

    Look at this: hooked by total emptiness:

    http://i1.tinypic.com/v3llr4.png

    http://i1.tinypic.com/v3lttx.png

    So, fx3, do you still think about hardware probs?

    Experts over the planet now judge if this is paranoia
    or a persistent rootkit of extreme kind:

    http://i1.tinypic.com/ofzv39.png

    Total emptiness part2: (firefox is leaking like an old wine barrel, isn't it?)

    http://i1.tinypic.com/v3myl0.png

    Ntdll.dll is totally locked by such beasty hooks or are all those software tools fooling us around?
     
    Last edited: Apr 9, 2006
  10. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    I don't know what the experts say, but I know you are showing the only part of Vice which is irrelevant... the important part, what is useful, is the lower section which is half hidden.


    I've been toying with the antirootkit programs and I'm curious about what System Virginity Verifier says about your case.

    "svv check /m"

    produces a nicely formatted output of useful things.

    [edit]

    #1
    Beware ... svv seems to not like having a space in its path.
    Run it at the root of a drive, eg: "c:/svv"

    #2
    I see "IsPubDrv.sys" belongs to IceSword.
    Please do not do that.
    You can't really complain your kernel has been hooked and fill it with hooking programs.

    Step 1: remove any program you know that hooks the kernel
    Step 2: Once you know you have a "clean kernel", take a snapshot of it so we can analyse it.

    It's very irrelevant to push a lot of things into the kernel for analysis.
    Worst of all, legitimate programs WILL hide rootkits.

    Kernel hooking is a one-step modification.
    There is no mechanism to do multiple kernel hooks.

    So when you see that a function is hooked you really can only see the last one who hooked it.
    So if a security app hooks the same function as the rootkit you'll not see the rootkit,
    which makes step 1, "Uninstall known legitimate hookers", very important.

    #3
    Have you tried renaming Netsecurity.net?
    Or deleting its content?
    Once renamed, does it show up?
    Is there any warning that tells you you don't have enough permission to rename the folder,
    or that the folder is in use?

    If it says the folder is in use ... have you tried using a program like
    Unlocker to remove the handle?

    Does creating another folder with the same name at a different place hide it?

    #4
    Have you tried to browse that folder with another file manager... is it hidden?
    In other words.. is it hidden only from cmd.exe
    or from all programs that are not explorer.exe?


    [/edit]


    @Controler.
    I do not get what you are trying to say.
    System Junky is a type of person who never abandons something?
     
    Last edited: Apr 9, 2006
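Worked example of the stacked-hook point made in #2 above, added here as an illustration and not code from the thread or from any of the tools named in it. It models a service table as a Python dict of callables: a constructed "rootkit.sys" filter hooks NtQueryDirectoryFile, a constructed "antihook.sys" monitor hooks the same slot on top of it, and an SVV-style inspection of the slot (compare the pointer with the known-good kernel function, report who owns it) only ever names the most recent hooker. Driver names, the directory contents and the hidden file name are made up for the demonstration.

```python
"""Simulated service table: why the newest hook masks every earlier one.

A kernel service table (the SSDT on 32-bit XP) holds one pointer per service.
Every hook, legitimate or malicious, overwrites that pointer and keeps the old
value privately.  A scanner that reads the table sees only the newest hook.
All names and data below are constructed for this example.
"""

# Constructed "disk contents" behind the genuine NtQueryDirectoryFile.
FAKE_FS = {"C:\\": ["boot.ini", "hidden.dat", "Program Files", "WINDOWS"]}
AUDIT_LOG = []


def kernel_query_directory(path):
    """Stands in for the real ntoskrnl service; this is the known-good pointer."""
    return sorted(FAKE_FS[path])


def install_hook(table, service, owner, wrapper_factory):
    """Overwrite the slot; the new hook privately remembers what it replaced."""
    original = table[service]
    hook = wrapper_factory(original)
    hook.owner = owner              # the driver a scanner would attribute it to
    hook.saved_original = original  # only this hook knows the previous pointer
    table[service] = hook
    return hook


def uninstall_hook(table, service, hook):
    """Write back whatever this hook saved, regardless of who hooked after it."""
    table[service] = hook.saved_original


def rootkit_filter(original):
    """Malicious hook: drops one name from every directory listing."""
    def hooked(path):
        return [n for n in original(path) if n != "hidden.dat"]
    return hooked


def monitor_wrapper(original):
    """Legitimate hook (an AntiHook-style product): logs, then passes through."""
    def hooked(path):
        AUDIT_LOG.append(("NtQueryDirectoryFile", path))
        return original(path)
    return hooked


def inspect_slot(table, service, known_good):
    """What an SVV-style scanner sees: is the pointer changed, and whose is it?"""
    fn = table[service]
    return {"hooked": fn is not known_good,
            "owner": getattr(fn, "owner", "ntoskrnl.exe")}


def run_scenario():
    svc = "NtQueryDirectoryFile"
    table = {svc: kernel_query_directory}
    seen = {"clean": inspect_slot(table, svc, kernel_query_directory)}

    rk = install_hook(table, svc, "rootkit.sys", rootkit_filter)
    seen["after_rootkit"] = inspect_slot(table, svc, kernel_query_directory)
    seen["listing_after_rootkit"] = table[svc]("C:\\")

    # A security product hooks the same service on top of the rootkit.
    av = install_hook(table, svc, "antihook.sys", monitor_wrapper)
    seen["after_antihook"] = inspect_slot(table, svc, kernel_query_directory)
    seen["listing_after_antihook"] = table[svc]("C:\\")   # still filtered

    # Step 1 from the post: remove the known legitimate hooker, look again.
    uninstall_hook(table, svc, av)
    seen["after_removing_antihook"] = inspect_slot(table, svc, kernel_query_directory)

    # Removing the rootkit's hook too restores the known-good pointer.
    uninstall_hook(table, svc, rk)
    seen["after_removing_rootkit"] = inspect_slot(table, svc, kernel_query_directory)
    return seen


if __name__ == "__main__":
    for step, observation in run_scenario().items():
        print(f"{step:26} {observation}")
```

Note that the rootkit's filtering still takes effect while the slot appears to belong to the legitimate driver: the listing taken after "antihook.sys" is installed is still missing hidden.dat, yet the slot's owner reads as the security product. That is why removing the known hookers and snapshotting the table comes before any conclusion about the hook that remains.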
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    On my other computer svv check/m says:
    important module cannot be found: ntoskrnl.exe, Warning: Important modules not found. (means that svv is outwitted, doesn't it?)

    On this old one actually: innocent hooking level yellow

    What does that mean, keflushcurrent? Google finds 0.

    http://i1.tinypic.com/v3orph.png

    Damn, f3x, your idea was good, .net is also not shown on c:\ in dos, I created a folder. But when renamed it is shown, due to the fact that all directories with . will be hidden in dos.

    It is the point that makes folders in dos invisible, seems usual, isn't it?

    So a . in any folder lets them disappear in dos.

    But what the hell is that?

    http://i1.tinypic.com/v3pts2.png

    More than 2000 infections in usual folders like aol, shared folders, microsoft shared,
    ole folders.. countless.. maybe false alarm or file infection.
     
    Last edited: Apr 9, 2006
  12. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Then if all folders that contain a dot get cleared from dos,
    it's probable that the folder the rootkit wants to hide is in another folder that has dots.


    I want you to do another thing:
    Download another file manager like http://www.explorerxp.com/

    If this other file manager cannot see the file, it means that whatever infected you only wants explorer.exe to see the hidden folder.

    (antivirus etc. will not see the folder, but explorer.exe, which is important in autostart, will still be able to see it)

    Also try renaming cmd.exe to see if it's a plain filename target
    -----------------------------------------------------------------------------


    It looks like you have difficulty reading the SDT.
    Try this to restore it.

    http://www.security.org.sg/code/sdtrestore.html

    ------------------------------------------------------------------------------

    modgreper might help you to find hidden modules. It looks like ntoskernel cannot be found??
    Have you tried it?
     
    Last edited: Apr 9, 2006
  13. controler

    controler Guest

    Some good advice f3x

    Yes, it is never good to try to run a program like IceSword with PG, KAV etc. running.

    Try doing an advanced search here at Wilders on System Virginity Verifier

    What little has been discussed here you should find. I have tried running SVV in the past with some of those programs running and yes you will then get DEEP red. Why shouldn't you? I have also seen some things Unhackme Pro finds, the others missed.

    SJ says his hardware is infected and the rootkit comes back with a new BIOS flash and reinstalling the OS ( not an image). If this is true, why does SJ not
    try changing some hardware? If SJ thinks it is his video card, why doesn't he change that? His "OLD" machine has same problem? Must be a good rootkit unless SJ is using same manufacture video card huh?

    Don't get me wrong, I never said a hardware rootkit is not possible. On the contrary, I say it is. There have been some extensive postings on this over at slashdot.
    I hope SJ would not have made the floppy or CD with an infected machine.

    No low level program like SVV can be run in usermode.

    If you are going to run commands from DOS, you should boot with a bootable floppy. Let us say your spare windows 95 or 98 floppy you keep in closet :)
    I am sure a friend has a computer you can use. You can go to bootdisk dot com to get files to make one. Make the boot disk on a good machine. Make sure you have boot from floppy enabled in BIOS and in the booting order. Make it first. You say well why boot to DOS when I can not see the files there? You had to use the command prompt to use SVV anyway, right?

    Off to work I go again :-(

    controler
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I recently tried to install spybro, but it failed to install lawenforcer.dll (this is on the other pc, but once I managed to install it and it also showed this claria gain stuff, thousands of files.) Tiny showed this >>> Spybro was prevented from Opening a Device Object called: Tcpip\DevN\-\Ip.

    Never seen this in all the time in IDS. Google has 0 entries about it; normally IDS show things like: Service xyz opened or file C:\...xy.exe accessed, but this entry above I have never seen, totally strange.

    SDTRestore never worked on the green plated pc, unfortunately, I always thought it is because of the 64bit CPU but I am not sure.

    I will download the explorer you mentioned for testing, besides, what is this kind of entry?

    HKLM\System\CCC\Services\Mup ? There is little info available about it?

    I also noticed a svchost BACKUPINTENT some time ago, seems that this thing uses the second partition to store hidden data, just an idea, also because eventlog showed problems on this partition.

    Modgreper: the only thing I found strange was the fact that \Systemroot\System32\win32k.sys is located at bf800000. That reminds me of a message once I used vmware:
    PCI OPROM: Asked to map the SBIOS OPROM at 0xfe800000, because of the last 6 digits. Another thing I always found strange, actually I do not use vmware, but I have the logs here, it showed: mks Ignoring update request in VGA_Expose (mode change pending), also irritating in vmware log: [msg.Backdoor.Osnotfound]
    and a log entry I found no exact match for in google was:
    mks : Detaching from windows system.

    And one event was extremely strange, when I used Appinf32 and it did not crash (most crashes are always induced by ntdll.dll) it always showed me a memory infection in vmem, the vmware memory file.
     
    Last edited: Apr 10, 2006
  15. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi SJ.
    Please try to put more blank space between different ideas... it can get very confusing.


    If you try any file manager and see that those file managers have dot files hidden, then it may explain the crash.

    Windows uses a lot of such "dotted" folders for temporary storage of personal data.
    If those folders got hidden from any program except explorer... normal programs will not have access to their components, which can cause crashes.


    ----------------------------

    Tcpip\DevN\-\Ip.

    This is probably a field (Ip) of an object (DevN) in Tcpip.sys

    -----------------------------

    Sorry for you.
    So you have a 64 bit PC. This can be important.
    Does Windows 2000 really run on a 64 bit chip?

    I thought the first 64 bit OS was WinXP. More importantly, WinXP64 is supposed to have PatchGuard to block such rootkits.

    ------------------------------

    Service/Mup is a service I also have on my clean XP

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q171386
    --------------------------------
     
  16. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I do not use the old fashioned win2000.

    I use a 64bit cpu but not a 64bit system, there is a big difference.
    64bit cpu and 32bit WinXP Pro.

    Just for fun I'm actually testing BlackICE, an oldschool IDS firewall, it's by far not the best but I like this oldschool design.

    Look what it says about this ip 0.0.0.0, Black ICE handles it like an Intruder, maybe you remember that GSS also showed a 0.0.0.0 ip which I had to allow, otherwise I wouldn't have been able to create an internet connection.

    http://i1.tinypic.com/v5eoee.png

    Shadow Scanner found one open port: UDP 1023

    I tried out your nice explorerxp tip, but the directory is easy to locate with all explorers, but not in dos.

    IceSword shows that Black ICE opens 3 RAW ports near System, which also opens a RAW port.

    Is it usual that rdpclip starts up in this registry key?

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
    StartupPrograms rdpclip ?

    I underestimated Black ICE look at this:
    http://i1.tinypic.com/v5i9fa.png
     
    Last edited: Apr 10, 2006
  17. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    If you use a 32bit OS on a 64bit CPU .. doesn't it just regress to 32 bit?


    smss.exe and win32k.sys should only bother you on new profile creation ... Do you have it frequently or only once when you install?


    Can you try "BootLog XP"?
    This will list any executable/driver that gets loaded during the boot process.. very useful and can be used to see if something looks strange.
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Bootlog, you mean the thing with msconfig, boot.ini config?

    What do you say to the intrusion tries above?

    It is a polymorphic shellcode intrusion. Damn sounds hellish.

    Indeed a 64 bit cpu doesn´t help so much if you use a 32 bit operating system.
     
    Last edited: Apr 10, 2006
  19. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That only shall say that the message of black ice SSRP StackBO can be considered as polymorphic shellcode intrusion attempt.

    This method wants to create a buffer overflow in your system to get access.

    I'm actually testing your bootlog tool, the bootlog is corrupted. We will see after the next restart what happens.
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    It seems that I found the rootkit by chance, using a special explorer jump method, Tiny discovered C:\Windows\System32\explorer.exe with 4 kb only.

    The Data Execution Prevention blocked Explorer.exe, then a second Explorer.exe opened. But a 4 kb explorer.exe in system32 looks really small.

    This tiny explorer.exe (4 kb) reads from c:\windows\apppatch\acgenral.dll

    What's acgenral.dll?
     
    Last edited: Apr 11, 2006
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Ah yes, the rootkit writer who is so talented as to write malicious code that evades every malware scanner and survives a format, yet stupid enough to forget about hiding it from Windows Explorer so any Joe User with a bit of luck can find it.

    In case that didn't quite make the point - if you had a real rootkit you would not be able to see it using Windows Explorer period. This is (yet) another false alarm.
    I think you'll find that that is just a shortcut (the 4KB size which is the minimum for files on NTFS being the key indicator). If you right-click on the file and select Properties, you should see the Shortcut tab on the Properties dialog giving details of what the shortcut is pointing to. The General tab will give the actual file size which should be 400-700 bytes for a shortcut.
    Most likely a Windows Compatibility DLL. There is no reason to have a shortcut named Explorer.exe pointing to it though, but given everything else you've reported doing to your system, messed up shortcuts are likely to be the least of your concerns.
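One way to settle the shortcut hypothesis above from the bytes rather than from the icon, as an added example and not code from the thread: a shell link file starts with a 0x4C header length and the ShellLink CLSID, whereas a real executable starts with MZ. The parser below follows the public shell link layout ([MS-SHLLINK]) to recover the LinkInfo local base path, which is what the Shortcut tab shows as Target, plus the optional string fields; build_lnk() constructs a sample link so the example runs offline. The target path and size used in the demo are made up, and a real file would be passed in as open(path, "rb").read().

```python
"""Added example: tell a shell link (.lnk) from an executable and read its target."""
import struct

# {00021401-0000-0000-C000-000000000046}, the ShellLink CLSID, little-endian.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_WORKING_DIR, HAS_ARGUMENTS = 0x10, 0x20
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
LINK_INFO_HAS_LOCAL_BASE_PATH = 0x01


def _cstring(data, off):
    """Null-terminated ANSI string at offset `off`."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Return the decoded fields, or None if the header is not a shell link."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags, attrs = struct.unpack_from("<II", data, 20)      # LinkFlags, FileAttributes
    target_size = struct.unpack_from("<I", data, 52)[0]     # size of the target file
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                     # skip the item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    target = None
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, base_off, _net, _suffix = \
            struct.unpack_from("<7I", data, off)
        if li_flags & LINK_INFO_HAS_LOCAL_BASE_PATH:
            target = _cstring(data, off + base_off)        # offset is LinkInfo-relative
        off += li_size
    info = {"target": target, "target_size": target_size, "target_attributes": attrs}
    for bit, key in STRING_FIELDS:                          # StringData, fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            if flags & IS_UNICODE:
                info[key] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:
                info[key] = data[off:off + count].decode("cp1252")
                off += count
    return info


def classify(data):
    """Quick triage of a file's first bytes."""
    if data[:2] == b"MZ":
        return "PE executable"
    if parse_lnk(data) is not None:
        return "shell link (.lnk)"
    return "unknown"


def build_lnk(target, working_dir="", arguments="", target_size=0):
    """Construct a minimal link with a LinkInfo block and Unicode StringData."""
    flags = HAS_LINK_INFO | IS_UNICODE
    if working_dir:
        flags |= HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, target_size, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, no label
    base_path = target.encode("cp1252") + b"\x00"
    suffix = b"\x00"
    vol_off = 0x1C                                              # LinkInfo header size
    base_off = vol_off + len(volume)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 0x1C,
                            LINK_INFO_HAS_LOCAL_BASE_PATH, vol_off, base_off, 0,
                            suffix_off) + volume + base_path + suffix

    def ustr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    strings = b"".join(ustr(s) for s in (working_dir, arguments) if s)
    return header + link_info + strings


if __name__ == "__main__":
    # Constructed sample: a link named like an executable, pointing at the real one.
    blob = build_lnk(r"C:\WINDOWS\explorer.exe", working_dir=r"C:\WINDOWS",
                     target_size=1032192)
    print(classify(blob), parse_lnk(blob))
```

If the 4 KB file parses this way, the "Target" it reports is where Explorer would actually go; if it starts with MZ instead, it is a real executable and the size claim deserves a second look.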
     
  23. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    SystemJunky, you have not answered my question.
    I asked it 3 times.

    DOES THE "ROOTKIT" hide the file from any other application than cmd.exe?
    If not then I might agree with Paranoid that your thing looks more like a bug of cmd rather than an actual rootkit.
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There's no rootkit involvement here at all - just a file or folder with the DOS hidden attribute set (which is not listed by the DOS dir command though Windows Explorer will show it with a faded icon). Typing attrib -h <file/foldername> will clear this attribute and attrib *.* will list all files (but not folders), with their attribute (archive, system, hidden) settings.
     
  25. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi Paranoid

    May I suggest that you are wrong on this interpretation?
    Look at screenshots post #81 and #82

    1st the icon doesn't appear lighter in explorer (subjective I know)
    So I doubt it has the hidden attribute.

    2nd in my screenshot, I have for example the recycler folder that appears in dos even if it's faded (hidden)

    3rd ... If I have to trust SJ, then he described that all folders that have dots are dos-hidden