Avira 10 detects a rootkit Avira 9 missed

Discussion in 'other anti-virus software' started by sbcc, Mar 24, 2010.

Thread Status:
Not open for further replies.
  1. sbcc

    sbcc Guest

    Before I tell my little anecdote, I'd like to state clearly that this was a real world, drive by infection - NOT A TEST. It is not meant to compare any specific product other than Avira 9 to Avira 10. As such, those are the only products I will mention by name. If anyone remembers my discourse with a certain antimalware researcher a while back over a missed detection, they might appreciate that I want to avoid any misunderstandings or ruffled feathers. :blink:

    I had Avira Personal 9 on one of my laptops with fully updated XP SP3. After noticing a slowdown I ran a scan with it, then with the two very effective and very popular anti-malware scanners I use on-demand. All three came back clean. Avira 9 reported no hidden files. I installed Avira 10, default settings, using the same definition set and upon scanning was alerted to the presence of hidden files. One in particular got my attention - a file in GlobalRoot\Device\HarddiskVolume1. :ninja:

    The scan stopped right after finding the hidden file, and a notice popped up asking me to run Avira Rescue CD. I proceeded to do that - no detections. I tried another Live CD from a highly-rated antivirus company. Nothing. I then tried a combination tool. Also no detections, but its supplementary scan did report a randomly named driver that upon further investigation didn't exist anymore. It took a scan with a dedicated antirootkit to find a patched USBSYS module and a number of hooked drivers, including atapi, disk, acpi, nic1394, imapi and more, all hooked by this non-existent driver. Two other ARKs found the same patched module and hooks. Each had varying success unhooking some of the drivers, but the infection returned after each reboot, referencing a different random driver that no longer existed. One of the ARK programs allows easy file dumping, so I grabbed a couple of the drivers and the patched USB module. I sent them to Jotti - TDSS/TDL3 was the majority response. :ouch:

    I tried a final scan with a free standalone antivirus that is often able to cure TDL3 infections. Again, no detection.

    So, having had enough "fun" I restored the partition from an image on the same hard drive, then replaced the MBR and bootsector. Still infected. Finally I wiped the drive and reloaded Windows. That's what I get for being too impatient to take the time to back up to an external drive. :)

    I'm really pleased that Avira 10 was able to find evidence of a nasty, well hidden rootkit that Avira 9 and a number of other programs missed.

    -edited for typo-
     
  2. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Valuable lesson there. Just a couple of questions, how long you think the problem was there for eg. the slowdown?

    Have you added an additional layer, such as sandboxie, or another program to your setup?
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @sbcc

    First off, good to see you back, and you won something in the contest, that's karma for you ;) Hope you will post more often now.

    Fascinating story, how recent was this? Must say as I was reading it, TDSS/TDL3 etc occurred to me. Amazed that not one of those products/ARKs could clean it, even if some could see it.

    Crikey, wonder where it was hiding, maybe in those unallocated areas etc at the end of the Disk ?

    Have you still got the nasties ? Whether you have or not, there are some clever researchers who are actively working on TDSS/TDL3 etc, who i'm sure would be Very interested in your experiences with it.

    http://forum.sysinternals.com/malware_forum18.html
    Posting a new thread on there with a link to this one should get their attention on http://www.kernelmode.info/forum/index.php
    They contribute on both, but www.kernelmode is only open to the researchers.
     
  4. sbcc

    sbcc Guest

    Thanks, Saraceno. I went into detail so that others could hopefully learn from my experience. I was surfing major US news sites the night before. Never any "high risk" sites - not even Facebook and MySpace. It was slow the next morning. I believe it was there less than 24 hours.

    I've been testing a long list of products and approaches - hips, sandbox, ips, lowered rights, etc. looking for an additional layer to add. It has to be able to run comfortably on older hardware, affordable and easy for anyone to use and interpret. If my mother can't make sense of it, then most of my clients won't be able to do so either.

    Hi CloneRanger! I saw that I won a Paragon license! Thanks again, Wilders and Paragon. I have a license for Partition Commander and also use the personal Backup, so this is certainly a welcome addition!

    As noted above, I think it was resident for less than 24 hours.

    I have been able to clean up a couple of older TDSS-style infections for my customers so I was really surprised also. I always recommend that they let me restore a backup or reload the O/S, but in some cases removal and monitoring is the best (or only) option. I found the Dr. Web writeup on TDL3 while looking for info - the Jotti results seem to confirm that it is some variant. I was very shocked when it came back after restoring the image. I'm 99% sure the image itself was clean. It was from December - specifically done for virus recovery after thorough scanning with multiple programs.

    No nasties saved - I recognize that this thing is too dangerous for me to mess with. I do lurk over at Sysinternals once in a while, but I'm not registered. Much of it is way out of my league so I didn't think I had much to contribute. Having looked into the eyeballs of this monster - and knowing I'll likely have to deal with some form of it again - I'm inspired to learn more.

    Life tends to get in the way this time of year, so I may not be able to get to Sysinternals immediately. I'll try to get there soon. Thanks!
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    What are the 2 antimalware solutions, the rescue disc and the standalone av that is often used to cure TDL3?
    Not about A vs B or bashing, but I might use or have scanned with those products and feel safe because they didn't detect anything, but if they can't detect it I'll get a second opinion.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    You can refer to this thread for TDL3 removal.

    Note
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Why not a false positive?
     
  8. sbcc

    sbcc Guest

    @BoerenkoolMetWorst, I understand why you want to know, but unless a moderator tells me it would be useful in some way I'd rather not name them. I reported the state of detection for one variant of one rootkit at one point in time. Any of the products I used earlier this week might now detect and remove this infection. Listing them means nothing today. All were top-tier, well-known products, mentioned frequently on Wilders.

    Mentioning how one product missed what a competitor found is exactly how I managed to cause an unintentional confrontation with an antimalware researcher. I respect this person's talent greatly. I use and recommend his company's program. I do not want to repeat that - I'm here to learn, not to stir things up. :oops:

    For a second opinion, I'd say to use a dedicated ARK. I will mention that Radix, RkU and GMER were what I used, and all three showed the hooks and compromised modules. I'm now adding regular ARK scans to my detection routines.

    @Meriadoc, thanks for the links. I tried two of these - both missed, but I see some tools there I didn't try. As you are here, I'm guessing there is no longer any need to inform the Sysinternals community. Do I need to start another thread there?

    @Aigle, I do get quite frustrated with replies like yours. It's why I choose to lurk most of the time. I'm not angry with you, please don't think I am, but a one-line question with no supporting reasoning makes me do all the work. I now have to guess why you think it could be a false positive, while you sit back and wait for my answer. :D

    Please note that I have spent quite a bit of time and effort detailing what happened so that others may learn from it. I'll further explain this because the extra details may prove useful to some.

    I looked at a lot of documentation while trying to discover what it was. I recommend this .pdf - http://www.drweb.com/static/BackDoor.Tdss.565_%28aka%20TDL3%29_en.pdf - it's quite technical, but it helped me to understand what I was up against.

    It describes the detections I saw, including an explanation for why restoring one partition image couldn't remove it but wiping the disk did. As a previous poster mentioned, TDSS creates a virtual drive at the end of the disk.

    The example in the .pdf is atapi.sys; the variant I found patched usbstor.sys for the first few reboots while I worked to remove it. After I was able to dump it, it then moved to another USB module. A majority of the scanners on Jotti confirmed that the dumped usbstor.sys was infected. The randomly named driver was different at each reboot. Always 4 letters, starting with "s". speo.sys, spjk.sys and spxw.sys were three of the names I remember. This random file is shown hooking various port drivers, but the driver itself cannot be found by the ARKs. This mechanism is also explained in the article.

    Aigle, do you still think it is a false positive? If you do, please take more than a minute and tell me why? :thumb:
     
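The post above makes one concrete forensic point: restoring a clean partition image and rewriting the MBR did not clear the infection, but wiping the whole disk did, because the rootkit keeps data in sectors past the last partition. The script below is an added example written for this thread, not code from the post, from Avira or from any of the ARK tools named, and it contains no real malware data. It parses a raw MBR, works out the unallocated tail of the disk, and lists tail sectors that are not zero, then simulates the two recovery steps the post describes on a constructed 64-sector in-memory image (the partition layout, the hidden payload string and the sector numbers are all made up for the demonstration). It does not identify TDL3 specifically; any non-zero data past the last partition is simply a region a partition-level restore will never touch.

```python
"""Unallocated-tail check for a raw MBR disk image (added example, constructed data)."""
import struct

SECTOR = 512


def parse_mbr(mbr: bytes):
    """Return (type, start_lba, sector_count) for each used primary MBR entry.

    Entry i lives at offset 446 + 16*i: status(1) CHS-start(3) type(1)
    CHS-end(3) LBA-start(4, little-endian) sector-count(4, little-endian).
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts


def unallocated_tail(mbr: bytes, total_sectors: int):
    """(first LBA past the last partition, number of sectors from there to the end of the disk)."""
    end = max((s + c for _, s, c in parse_mbr(mbr)), default=1)
    return end, max(total_sectors - end, 0)


def nonzero_tail_sectors(image: bytes):
    """LBAs in the unallocated tail that hold non-zero data and deserve a closer look."""
    total = len(image) // SECTOR
    first, count = unallocated_tail(image[:SECTOR], total)
    return [lba for lba in range(first, first + count)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]


def build_image(total_sectors, partitions, tail_payload=b""):
    """Constructed sample disk: MBR, the given partitions, optional payload in the last sector."""
    img = bytearray(total_sectors * SECTOR)
    for i, (ptype, start, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", img, 446 + 16 * i,
                         0x80 if i == 0 else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    img[510:512] = b"\x55\xaa"
    if tail_payload:
        last = (total_sectors - 1) * SECTOR
        img[last:last + len(tail_payload)] = tail_payload
    return bytes(img)


def restore_partition_and_mbr(disk: bytes, clean: bytes):
    """What the post did: write back a clean MBR and a clean partition image,
    leaving every sector outside the partition table's entries untouched."""
    out = bytearray(disk)
    out[:SECTOR] = clean[:SECTOR]
    for _, start, count in parse_mbr(clean[:SECTOR]):
        a, b = start * SECTOR, (start + count) * SECTOR
        out[a:b] = clean[a:b]
    return bytes(out)


def wipe(disk: bytes):
    """Full-disk wipe: every sector zeroed, including the unallocated tail."""
    return bytes(len(disk))


def demo():
    """64-sector disk, one partition at LBA 1..48, hidden payload at LBA 63 (all constructed)."""
    parts = [(0x07, 1, 48)]
    clean = build_image(64, parts)
    infected = build_image(64, parts, b"constructed hidden payload, not real malware")
    restored = restore_partition_and_mbr(infected, clean)
    reloaded = restore_partition_and_mbr(wipe(infected), clean)
    return {
        "tail": unallocated_tail(infected[:SECTOR], 64),      # (49, 15)
        "infected_hits": nonzero_tail_sectors(infected),       # [63]
        "restored_hits": nonzero_tail_sectors(restored),       # [63]: partition restore misses it
        "wiped_and_reloaded_hits": nonzero_tail_sectors(reloaded),  # []
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it against a raw image taken offline (for example a `dd` copy made from a rescue CD), not against the live system: the post lists atapi and disk among the hooked drivers, and a hooked port driver can filter what a scanner on the running machine is allowed to read. A non-empty result is only a lead, since legitimate vendor tools and the partitioning software itself can also leave data past the last partition, so dump the flagged sectors and inspect them before concluding anything.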
  9. xorrior

    xorrior Registered Member

    Joined:
    Mar 22, 2010
    Posts:
    66
    Rustock, torpig, and TDL variants are usually the hardest to detect because of how they manipulate native api and kernel tables. Even RKU 3.8 SE and GMER just barely detect them.

    I'm not sure if Avira ever fixed this, but you used to be able to unhook their drivers and Avira anti-rootkit would pick them up as hidden objects. It's pointless but it's kind of funny.
     
  10. cevvalkoala

    cevvalkoala Registered Member

    Joined:
    May 1, 2010
    Posts:
    1
    sbcc you have sptd installed don't you?

    Try uninstalling sptd.
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Good job sbcc! Thanks for letting us reap the benefit of your misfortune. I don't think I would have been that crafty in finding it.
     
  12. ad67

    ad67 Registered Member

    Joined:
    Dec 16, 2006
    Posts:
    29
    I ran a GMER scan on my XP SP3 and I also have \Device\HarddiskVolume1 (and 2, 3, and 4) and this is reported as part of Paragon Drive Utilities. Gmer didn't report a problem on mine.
     