Hunting the invisible beast

Discussion in 'malware problems & news' started by SystemJunkie, Nov 29, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Csrss.exe may play a role too in this wicked game.

    http://i14.tinypic.com/2wo9a93.png

    Besides: while I am posting this info, the system got a blue screen with two yellow bars; it seems that the intruder is not amused about my revelations...

    Another crazy thing happens with Power Translator; in another thread I already said that typical signs are also when apps get installed as non-admin, even if you are admin.

    http://i16.tinypic.com/449rk11.png

    Again Winpooch; this time the file is no longer available:

    http://i11.tinypic.com/3z19i5l.png

    What I personally find the most shocking thing is that there is actually no tool available that may be able to remove this nasty: neither NOD32, nor GData, nor Process Guard, nor AppDefend, nor IceSword, nor Gmer, nor AAK,
    nor UnhackMe, nor RootkitRevealer, nor SVV, nor BlackLight, simply nothing. That's the fact.

    You can watch it, you can trace it, but you can't eliminate it.

    (But maybe it is only paranoia, who knows... but if so, why are there so damn many hints like those shown above... ;-))
     
    Last edited: Nov 29, 2006
  3. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    If I were you I would wipe out and reinstall your OS, simple as that. I would even go as far as resetting the CMOS, BIOS, and any PCI hardware you have that can have residual flash memory of its install. Start clean, stay clean, using good HIPS and/or others... sandbox, virtualization etc. Stay away from rootkit detectors, ahem... the ones that create can also make... unless you trust these F_____s.
    :D
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That's true. I guess the BIOS is the main problem.

    Here is another sign for this persistent infection, a kind of rundll32 exploit:

    http://i11.tinypic.com/4hthr7m.png

    But yankinNcrankin, if it were a file infector, maybe only a few invisible ADS streams or some few bytes on an executable file, your next system would be as vulnerable as your current system. I think this is what they call stealth by design.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    There is a very simple way of removing anything.
    Boot from a Linux live CD and delete the offending files, dlls.
    Simple, eh?
    Mrk
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No, not simple, I did that already; maybe you should check the thread about the ACPI BIOS rootkit. I used Linux from CD and the only thing I could see was that there was unknown device activity, probably flashed; this is far beyond DLLs and EXEs.

    Besides, the UnhackMe warning is in my opinion a false positive. If I removed the entry in the TCP/IP parameters, my internet connection would stop working.

    The same thing with AppDefend: I always have to deactivate AppDefend before I go online, otherwise
    the internet connection won't work. Don't know the reason, but it's a fact. After connecting I can re-enable AppDefend, but not before dialing into the internet.
     
    Last edited: Nov 30, 2006
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Of course, BIOS rootkit.
    Mrk
     
  8. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Somewhere, somehow you must have allowed something that seemed to be legit; it probably snuck in using trusted apps. However, a properly configured HIPS would have red-flagged it. Yes, pain in the @$$ with alerts, but you get to a point after a while where you know when something ain't right, as you understand what exactly takes place in the running and launching and executing of certain apps and programs... If the above for you is a no-go to solve the stealth-by-design issue, you just had bad luck with a real BAD NASTY. So far I've never had that kind of an issue with my current setup and I'm a high-risk surfer etc etc etc..... :D
     
  9. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Here's what you can do. Reset the BIOS by opening up your computer and poppin' out the battery or using the jumpers to reset it. Then, before booting up into Windows XP, get a lovely thing called http://dban.sourceforge.net/ and then you will be malware and OS free :D (recommend installing FreeBSD 6.1 or Arch Linux then)

    Cheers

    Alphalutra1
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I reset the BIOS 100s of times, also because I OC'd my system many times in the past.

    I did some research over past threads and found kareldjag's tips. I installed a tool called Samurai; it's pretty cool, surf speed highly increased.

    A guy from this address (IP: 204.16.208.135) made a port scan attack right now:
    (it's not the first time that my UDP ports have been attacked by this US guy)
    OrgName: FAST COLOCATION SERVICES Address: 3791 N. Edgewater Dr
    City: Wasilla StateProv: AK PostalCode: 99654 Country: US
    Seems to be messenger spam.

    Besides, Samurai also cleaned up the thing that UnhackMe revealed.

    Some fresh info about our invisible beast:

    http://i17.tinypic.com/2hhgewj.png

    (the hooked ones are important, the rest not so much)

    Probably our invisible beast is a Rustock variant; temp ADS streams found:

    http://i17.tinypic.com/40bjjsz.png

    Services.exe kills a process, a temporary file is created and ADS streams; maybe someone knows this variant more exactly:

    http://i16.tinypic.com/2vc6kc0.png
     
    Last edited: Nov 30, 2006
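    The post above points at "temp ADS streams" as an indicator, and a reader checking their own box will want a quick way to list NTFS alternate data streams rather than relying on a screenshot. The following is an added example written for this thread, not something posted by SystemJunkie or shipped with any of the tools mentioned; it assumes PowerShell 3.0 or later (which added the -Stream parameter to Get-Item) and starts from the user's %TEMP% folder because that is where the post reports the streams, which is an assumption about where a reader would look first.

```powershell
# Added example for this thread (not from the original post or any tool it names).
# Lists NTFS alternate data streams under a folder, skipping the default :$DATA stream,
# so that unexpected streams stand out for review. Requires PowerShell 3.0+ on NTFS.
param(
    # Assumption: start in %TEMP% because the post reports streams there; pass -Path to look elsewhere.
    [string]$Path = $env:TEMP,
    [switch]$Recurse
)

Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * enumerates every stream attached to the file, including the primary :$DATA one.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    } | Format-Table -AutoSize
```

    Note that a stream named Zone.Identifier is normal on files downloaded by Internet Explorer and is not evidence of anything; what merits a closer look is a stream with an unusual name or a large size on a file that has no business carrying extra data. To read a suspicious stream without running it, use Get-Content -LiteralPath <file> -Stream <name> -Encoding Byte and compare the bytes against a known PE header; to remove one after you have recorded it, Remove-Item -LiteralPath <file> -Stream <name> does so on PowerShell 3.0 and later.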
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes I ran RKU.

    It primarily detects unknown inline hooks, but if you check with Spybro you will see that these hooks are caused by the Samurai security tool.

    Except the ieframe.dll hooks and an unknown explorer.exe hook:

    explorer.exe => kernel32.dll => Free Library 0x00000001 [Unknown Module]

    Explorer has already crashed 2 times.

    Another phenomenon is: starting iexplore.exe, I see other icons,
    e.g. instead of seeing the IE icon I see an a-square icon before http://; this varies with every reboot.
    Maybe an icon exploit.

    With high probability it's a kind of new mixture of ADS stream and old-school rootkit, a hybrid thing, but extremely persistent and beyond formatting the drive; probably some flash component, like the BIOS.

    Besides, I recently tested Vista RC1; does anyone know if it is usual to see two csrss.exe, one of them defined in Task Manager as console?

    I am about 80-90% sure that it is of Russian origin.

    Procguard.exe is also infiltrated by this thing. Unknown hooked by 0x00030425.
     
    Last edited: Dec 1, 2006