New kind of rootkit / virus that overclocked my computer :|

Discussion in 'malware problems & news' started by Erya, Nov 15, 2006.

Thread Status:
Not open for further replies.
  1. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    Hi everyone,

    let's talk about my problem.
    I was running ZoneAlarm Security Suite.

    One day ZoneAlarm detected one malware that was supposed to be a medium threat. I can't remember its name because my computer didn't give me the time to read the full description of the malware (it was a rootkit :|); my computer rebooted by itself (more like an instant crash than a reboot).

    I ran ZoneAlarm's antivirus and malware tool to find out what happened after that suspicious crash and what the name of the threat was.

    Nothing detected, so I couldn't find out what happened.

    It was late, so after that I decided to shut down the computer and go to bed.

    When I booted my computer the next day, the computer went crazy on BIOS loading.

    My BIOS told me that I was overclocking and the settings were not fine to run.

    The boot sequence was stopped by my motherboard's security module because of these (dangerous) settings ===> black screen + a voice telling me (mayday mayday, you're going down).

    I was surprised because I never overclocked my computer, and if I do this, I can still always go to the settings screen to change the values if they are corrupted.

    I tried to boot up my computer every possible way ==> nothing, always the same black screen.

    I tried to go to the settings screen: impossible, the computer was totally locked.
    The only thing I could hear was the voice message of my motherboard telling me that the overclock values were bad and dangerous.

    As my computer decided not to launch because of corrupted settings, I tried to reset them by moving the BIOS settings jumper on the motherboard, but I couldn't find it and had lost my motherboard guide with the jumper locations.

    So I decided to remove the BIOS cell and put it in again.

    After that my computer booted up, and I could access my BIOS settings (everything was reset to default).

    Finally it started, but on the Windows XP loading screen I always got a black screen (not crashed, more like a freeze).

    So I rebooted again in safe mode to look at what was bad: I checked every device and a lot of settings but nothing was abnormal.

    So I rebooted normally ==> impossible to get into normal Windows XP.

    I rebooted again and used the F8 menu to start Windows with the last known good configuration, and it worked.

    Rebooted again without doing anything, and this time XP started normally.

    I am a bit paranoid, so after that I decided to find out what happened.

    So I tried a lot of tools (not at the same time, because of the problems you get when you install more than one tool that looks at your files).

    So far I tried:
    ewido /
    ZoneAlarm (the AV integrated into the firewall)
    NOD32
    8 well-known online scans (McAfee / Panda / Trend / Symantec .... etc.)

    I also tried to find out if a rootkit was running.

    I tried:

    GMER (nothing suspect)
    DarkSpy 1.5 (always crashes the computer, even with all AV tools completely uninstalled)

    I also tried the Sysinternals one and found nothing.


    I have an article from January 2006 saying that future rootkits could have easy access to BIOS flash memory because of their new ACPI rewriting possibilities:
    http://www.securityfocus.com/news/11372



    My computer is working fine right now, but I feel it's not clean.

    Am I having a new generation of rootkit?

    Any ideas on tools to detect something like that?
    (I tried most of the conventional ones)


    Thank you in advance for your suggestions.
    Excuse me for my bad English ;)
     
    Last edited: Nov 15, 2006
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Look at this, it's not much if it's deeply hidden, but some hints are always there, e.g.:

    http://i15.tinypic.com/2utpwtx.png

    If you doubt and think about a BIOS rootkit, use Linux from CD and check the install process behaviour, check the Windows XP install process behaviour, look at restricted rights: checkboxes tell you you are not admin, but however you are really in admin mode.

    For example, check also Ndis.sys, check system files that may be replaced, use IAT Hooks Analyzer. Look for Port 0 attacks.
     
    Last edited: Nov 15, 2006
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Maybe; they're pretty easy to make and implement.
    Look up information about your system, BIOS, motherboard - hardware protection etc., and further reading at blackhat.com - making, detection.

    Edit: look for clues, logs, debugging. This method is the way in; the BIOS only offers a small amount of space, so look for other clues, backdoors etc. - look to see what your system is up to in normal use.
     
    Last edited: Nov 15, 2006
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Another damn hint is, if you formatted your HD and reinstalled a brand-new Windows, then you look into HKLM\Software or Services and find old entries from your former Windows installation (or entries from a cross Windows installation on another hard disk) without having installed them.

    They use an unknown kind of file infection to save their info via the registry to stay persistent.

    Another thing that should alarm you: when some of your favorite apps stop working and quit because of internal BOs.
     
    Last edited: Nov 15, 2006
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That is a lie. Not true. Most boards nowadays have no jumpers for the BIOS (for example: MSI). Vulnerable from the beginning.

    I also would pay attention (to make the paranoia perfect) to deleting things; it could be possible that they won't be deleted (only shifted to other areas of your HD) or that your shredder is manipulated, anything is possible.

    Source

    The thing with
    sounds cruel.
     
    Last edited: Nov 15, 2006
  6. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    Thank you all for the fast answers.

    I am currently checking my files with IAT analyzer.

    I also looked at blackhat, but they don't seem to be listing exploits anymore; they are only promoting their conferences.

    Is there something similar to rootshell.com these days? (just discovered they closed ;) )

    @SystemJunkie: what do you mean by checking for Port 0 attacks?
    Can I do this with a tool like Port Explorer?



    Am I allowed to post some log files if they are not from HijackThis?
    (just read that it's forbidden, for some obscure reason, to post HijackThis logs here now)
     
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Port Explorer is a cool tool too, but I am not sure. Outpost Pro offers a good possibility to survey Port 0.

    Send it via PM if you want, and send screens of your IAT results, the red hooked ones, e.g. of explorer.exe, taskmgr.exe.
     
    Last edited: Nov 15, 2006
  8. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    I'm back. I tried RootkitHook Analyzer 2.0 and found two suspect things.

    The first one is my sptd.sys (file hidden by Daemon Tools for mounting images against SecuROM and other protections); this one is normal, no problem with it.

    But I just found a thing that scares me: Sandbox.sys



    Here are some lines of the log:
    NtDeleteValueKey, ZwDeleteValueKey 65 0xAAC60530 YES Sandbox.SYS
    NtOpenFile, ZwOpenFile 116 0xAAC55AA0 YES Sandbox.SYS
    NtQueryDirectoryFile, ZwQueryDirectoryFile 145 0xAAC56FE0 YES Sandbox.SYS
    NtUnloadDriver, ZwUnloadDriver 262 0xAAC61420 YES Sandbox.SYS


    It has something like 20 Nt commands enabled.



    Edit: just found out that Outpost Pro uses a sandbox.sys, so everything is all right. I'm now going to PM SystemJunkie if I find any suspect things with IAT analyzer.
     
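A small triage helper for the kind of SSDT hook report quoted in the post above, added here as an example and not a tool from the thread: it parses the posted lines, groups hooked entries by the driver that placed them, and separates drivers the poster already accounted for (sptd.sys from Daemon Tools, Sandbox.sys from Outpost Pro) from any hooking driver nobody can explain. The allowlist mapping and the extra `unknown_drv.sys` line are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Line format as posted in the thread (RootkitHook Analyzer SSDT report):
# "<NtName>, <ZwName> <index> <hook address> <hooked YES/NO> <module>"
LINE_RE = re.compile(
    r"^(?P<nt>\w+),\s*(?P<zw>\w+)\s+(?P<index>\d+)\s+(?P<addr>0x[0-9A-Fa-f]+)"
    r"\s+(?P<hooked>YES|NO)\s+(?P<module>\S+)\s*$"
)

# Hooking drivers the thread itself accounts for (lower-cased for matching).
# Assumed mapping, taken from the poster's own conclusions in the thread.
KNOWN_HOOKERS = {
    "sptd.sys": "Daemon Tools (disc image driver)",
    "sandbox.sys": "Outpost Pro (firewall self-protection driver)",
}

def parse_hooks(text):
    """Return one dict per parsed hook line; lines that do not match are skipped."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["index"] = int(rec["index"])
            rec["addr"] = int(rec["addr"], 16)
            hooks.append(rec)
    return hooks

def triage(hooks, known=KNOWN_HOOKERS):
    """Group hooked SSDT entries by module and split them into explained / unexplained."""
    by_module = defaultdict(list)
    for h in hooks:
        if h["hooked"] == "YES":
            by_module[h["module"].lower()].append(h["nt"])
    explained = {m: (known[m], sorted(f)) for m, f in by_module.items() if m in known}
    unexplained = {m: sorted(f) for m, f in by_module.items() if m not in known}
    return explained, unexplained

# Sample input: the four lines quoted in the thread plus one constructed line
# ("unknown_drv.sys" is made up here to exercise the unexplained path).
SAMPLE_LOG = """\
NtDeleteValueKey, ZwDeleteValueKey 65 0xAAC60530 YES Sandbox.SYS
NtOpenFile, ZwOpenFile 116 0xAAC55AA0 YES Sandbox.SYS
NtQueryDirectoryFile, ZwQueryDirectoryFile 145 0xAAC56FE0 YES Sandbox.SYS
NtUnloadDriver, ZwUnloadDriver 262 0xAAC61420 YES Sandbox.SYS
NtCreateFile, ZwCreateFile 37 0xAAC70000 YES unknown_drv.sys
"""

if __name__ == "__main__":
    explained, unexplained = triage(parse_hooks(SAMPLE_LOG))
    for mod, (owner, fns) in explained.items():
        print(f"{mod}: {len(fns)} hooks, explained by {owner}")
    for mod, fns in unexplained.items():
        print(f"{mod}: {len(fns)} hooks NOT accounted for -> investigate: {', '.join(fns)}")
```

A module that appears in the unexplained set is only a lead, not a verdict: the next step is to locate the driver file on disk, check who signed or shipped it, and compare the hook address against that driver's loaded image range.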