Rootkit \\?\globalroot\Device\__max++>\ paths

Hi everyone,

I work on and fix lots of computers with varying degrees of infection by malware/viruses/trojans/rootkits etc.

Lately many rootkit infections on the computers I have been looking at share a common characteristic of being referenced as libraries with this particular path structure:

where XXXXXXX refers to a hex address (I suppose in memory) where the file lies (I guess?) and injects itself into core processes like svchost/alg/lsass/etc. An example of this kind of infection can be found here: http://trusteer.com/ffsearcher-internals-or-defrauding-google-one-click-time

My question is what exactly is this globalroot path?

From what I have searched online, it appears to be called a "mount point" (which wikipedia describes as a convenient way for an OS to reference files from arbritrary locations in memory or on the hard disk). The only reason I know this is that there is a program called Win32kDiag that seems to reveal these mount points and reveal the location of the actual file on the hard drive. It would be nice if anyone could confirm this information.

Is this path indeed a mount point, or something else? In what ways can you derive the original path of such a path and delete the perpetrating library?

I am well aware that tools such as GMER and other rootkit detection tools can detect the presence of such a globalroot path/rootkit, but they cannot remove them. I have tried to use Kaspersky AVZ scripts to remove such infections with BC_DeleteFile() and DeleteFile(), but they do not work. They are however able to quarantine the file and produce a copy of it.

I have produced such a copy of the file quarantined file and uploaded it to VirusTotal ( ~ Snipped VirusTotal Link per Policy ~ ). Perhaps there is a tool that can search for copies of a specific file, like the one I have found? Well, the premise doesn't seem that complicated so I guess I could code one myself.

So in the case that something like Win32kDiag would fail me, what other ways would there be to combat something like this? (I have not yet had a chance to test the capabilities of Win32kDiag on a machine, I have only seen logs online of people who have this very problem). I am aware that it is possible to simply slave the said hard drive to another computer and scan that hard drive with MBAM or another anti-virus program, but I find that the hardware required to do so may not always be convenient or accessible at the given time.

Thanks for taking the time to read this,
Eric

 

Hey StevieO,

This is not on my pc; it is on someone else's. I have fixed an infection like this before by slaving the infected hard drive and running MalwareBytes/GMER/etc on it from another computer. I think this method takes really long though and I hope to find a way which is faster, since I don't like to spend very large amounts of time scanning for things just to have the rootkit end the scanning program. I can probably fix this one the same way but I was wondering if a different method might work.

It's a 32-bit XP Home installation.

I usually don't do anything in safe mode because infections rarely persist in safe mode; most of them purposely do not let themselves be loaded in safe mode so that they can't be detected.

I have seen the MS technet article but I don't know if it can access the same kind of areas that the rootkits can; I'm not even sure if that \\globalroot path is a mount point or not (that's just what the Win32kDiag calls them).

I haven't had a chance to test the Win32kDiag out yet, because the computer is actually at school and I didn't find out about any of this until I did additional research at home.

Yeah I am aware that tools like ComboFix do work but I like the hands on manual targeting method as well to save some time instead of waiting for a dozen different scans to finish (assuming they aren't terminated at run-time).

 

Well, it turns out you can only use Win32kDiag to diagnose and remove the problem files.

This is a set of instructions I have written pertaining to the use of Win32k Diag:

Win32kDiag detects mount points or hidden rootkits which inject themselves
into kernel processes via the \\?\globalroot\device\__max++\XXXXXXXX.x86.dll method.
This can be discovered by GMER/DarkSpy/other rootkit detectors which detect ADS's/SSDT.

The program is command line and will produce a log of all of the mount points it finds.
The files shown are not necessarily all malicious; warning flags or entries will usually
be denoted by the message "could not open/access file". These files are worth
investigating. If you happen upon a file that cannot be FileAlyzed, cannot be copied,
moved, deleted, or renamed (or cannot be handled by Unlocker) and does not show information
about its manufacturer, chances are you have found the malicious library/program.

Search for "DLL" in your Win32kDiag log if you have the XXXXXXXX.x86.dll infection.
If you have a different kind of globalroot path infection, simply look for executables
that match the above criteria.

You can then manually seek out these files and delete/replace them using unlocker or
by other methods (slaving the hard drive to another computer, or accessing the hard drive
outside of Windows (boot disc/recovery console). It is often a wise idea to replace files with versions on other
working computers (for example, replacing an infected shell or critical component).

-eric

 

I just ran Win32kDiag again and got errors once more -





Proceeded and got the log.


Running from: C:\Documents and Settings\ \Desktop\SecTools\Win32kDiag.exe
Log file at : C:\Documents and Settings\ \Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...


Finished!
ed!

Doesn't mention command line here ? - http://forums.majorgeeks.com/showthread.php?t=198257

If i could get it work as you have, that would be cool !

 

That is very strange...what OS are you using?

If that doesn't work, you could also try a program called WinObjEx, though I am not entirely sure how to use it yet.

Sorry, its not exactly command line. It simply operates in a command prompt environment.

 

Yup, a user from the rootkit.com forums PMed me that link and I had just read it today as well.

Wish there were more ways of detecting it, though.

 

xer0syk0

I'm on XP.

Thanx for the WinObjEx tip. Ran it and found a number of things that other Apps don't show !

I'd forgotten about the EP_XOFF aka DiabloNova 017: __max++> rootkit.com article that i had read on there a few weeks ago ! So Thanx to the mystery poster that's dissapeared ? who posted about and reminded me.