Probably unknown Rootkit, very silent.

Discussion in 'malware problems & news' started by SystemJunkie, May 21, 2007.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    6bk7kzn.png

    RkU detects something. Sophos was incapable of removing the cookie shown above, IceSword 1.2 didn't detect it; using another HD and chkdsk I could solve the problem of this hanging cookie in no-man's-land.

    Tcpip.sys hook, very strange; the blue screens I showed in earlier threads also revealed this little beasty nothing.

    Dumping of area results in bluescreen.

    Besides, does anyone know if IceSword creates a file called "krgxy.sys" in system32's drivers folder?
    I used IceSword in safe mode and this "krgxy.sys" had the same size as IceSword's "Isdrv120.sys" but
    was of temporary nature and couldn't be backtraced.

    Gmer said this as I scanned from another HD:

    ---- Kernel code sections - GMER 1.0.12 ----

    ? C:\WINDOWS\system32\DRIVERS\update.sys
    .text tcpip.sys!tcpxsum + 11E EB956155 29 Bytes [ 24, 9D, 48, 62, 95, EB, 13, ... ]
    .text tcpip.sys!tcpxsum + 13F EB956176 21 Bytes [ 56, 14, 13, C2, 8B, 56, 18, ... ]
    .text tcpip.sys!IPAllocBuff EB967E62 45 Bytes [ 90, 8B, FF, 55, 8B, EC, 83, ... ]
    .text tcpip.sys!IPAllocBuff + 2E EB967E90 167 Bytes [ 4D, F8, 8B, C6, 74, 0C, 03, ... ]
    .text tcpip.sys!IPInjectPkt + 99 EB967F38 246 Bytes [ 83, FF, 14, 0F, 86, 12, 01, ... ]
    .text tcpip.sys!IPInjectPkt + 190 EB96802F 17 Bytes [ 15, 10, 7F, 97, EB, FF, 75, ... ]
    .text tcpip.sys!IPInjectPkt + 1A5 EB968044 28 Bytes [ F8, EB, C5, FF, 05, 90, 87, ... ]
    .text tcpip.sys!IPInjectPkt + 1C2 EB968061 11 Bytes [ 5F, 5E, 5B, C9, C2, 14, 00, ... ]
    ? C:\WINDOWS\system32\1.tmp Das System kann die angegebene Datei nicht finden.
    ? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS Das System kann die angegebene Datei nicht finden.
    ? System32\Drivers\IsDrv120.sys Das System kann die angegebene Datei nicht finden.

    (Info: 1.tmp = sophos ar.)
     
    Last edited: May 21, 2007
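Added example, not part of the thread: a small Python parser for the GMER "Kernel code sections" lines quoted in the post above, so the reported tcpip.sys changes can be tallied per module and triaged by where in the function the differing bytes start. The sample text is the log from the post; the offset-based classification is my own heuristic, not GMER's.

```python
import re
from dataclasses import dataclass
# Constructed sample: the "Kernel code sections" lines from the GMER scan posted above.
GMER_SAMPLE = r"""---- Kernel code sections - GMER 1.0.12 ----
? C:\WINDOWS\system32\DRIVERS\update.sys
.text tcpip.sys!tcpxsum + 11E EB956155 29 Bytes [ 24, 9D, 48, 62, 95, EB, 13, ... ]
.text tcpip.sys!tcpxsum + 13F EB956176 21 Bytes [ 56, 14, 13, C2, 8B, 56, 18, ... ]
.text tcpip.sys!IPAllocBuff EB967E62 45 Bytes [ 90, 8B, FF, 55, 8B, EC, 83, ... ]
.text tcpip.sys!IPAllocBuff + 2E EB967E90 167 Bytes [ 4D, F8, 8B, C6, 74, 0C, 03, ... ]
.text tcpip.sys!IPInjectPkt + 99 EB967F38 246 Bytes [ 83, FF, 14, 0F, 86, 12, 01, ... ]
.text tcpip.sys!IPInjectPkt + 190 EB96802F 17 Bytes [ 15, 10, 7F, 97, EB, FF, 75, ... ]
.text tcpip.sys!IPInjectPkt + 1A5 EB968044 28 Bytes [ F8, EB, C5, FF, 05, 90, 87, ... ]
.text tcpip.sys!IPInjectPkt + 1C2 EB968061 11 Bytes [ 5F, 5E, 5B, C9, C2, 14, 00, ... ]
? C:\WINDOWS\system32\1.tmp Das System kann die angegebene Datei nicht finden.
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS Das System kann die angegebene Datei nicht finden.
? System32\Drivers\IsDrv120.sys Das System kann die angegebene Datei nicht finden.
"""
# ".text <module>!<function>[ + <hex offset>] <hex address> <n> Bytes [ b1, b2, ... ]"
HOOK_LINE = re.compile(
    r"^\.text\s+(?P<module>[\w.]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?"
    r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+\[(?P<bytes>[^\]]*)\]")
# "? <path> [<OS error text>]" marks a file GMER could not open for comparison
UNREADABLE_LINE = re.compile(r"^\?\s+(?P<path>\S+)\s*(?P<msg>.*)$")

@dataclass(frozen=True)
class Patch:
    module: str
    function: str
    offset: int        # start of the differing run, relative to the function
    address: int       # virtual address GMER reported
    size: int          # bytes that differ from the on-disk image
    first_bytes: tuple # the bytes GMER printed before "..."

    def classify(self) -> str:
        # Heuristic (my assumption): a jmp (EB/E9) at the entry is the classic inline-hook shape.
        if self.offset == 0 and self.first_bytes and self.first_bytes[0] in (0xE9, 0xEB):
            return "entry-jump"
        return "entry-modified" if self.offset == 0 else "mid-function"

def parse_gmer_sections(text):
    patches, unreadable = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = HOOK_LINE.match(line)
        if m:
            first = tuple(int(b, 16) for b in m["bytes"].split(",")
                          if b.strip() and b.strip() != "...")
            patches.append(Patch(m["module"], m["func"], int(m["off"] or "0", 16),
                                 int(m["addr"], 16), int(m["size"]), first))
            continue
        u = UNREADABLE_LINE.match(line)
        if u:
            unreadable.append((u["path"], u["msg"].strip()))
    return patches, unreadable

def summarize(patches):
    # Per module: total differing bytes, functions touched, triage counts.
    out = {}
    for p in patches:
        s = out.setdefault(p.module, {"bytes": 0, "functions": set(), "kinds": {}})
        s["bytes"] += p.size
        s["functions"].add(p.function)
        s["kinds"][p.classify()] = s["kinds"].get(p.classify(), 0) + 1
    return out
```

GMER only reports bytes that differ from the driver image on disk; a difference is a lead to confirm against the file with a disassembler, not a verdict on its own.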
  2. SystemJunkie

    Some news about our china asp intruders:

    Code 69559D9C IoWriteOperationCount


    Very old.. I guess 1999, damn, what hellish old-school guys these are.
    Probably the basic code is from ntrootkit. (just a bad feeling..)
     
  3. SystemJunkie

    What about this:

    4kxo6mb.png

    Sometimes userland, sometimes kernelmode. Hybrid.

    @EP this is the content I caught with memory.dmp from: ntkrnlpa.exe+0x0002cb40
    hook: 0x80503e64 => E1492a1a, unknown code page is this:


    If you watch it in Hex you will see a dual "t" list with one 6 and three @@@
     
    Last edited: May 22, 2007
  4. SystemJunkie

    Gmer and EP seem to be on holiday. But I have interesting shadows for you.

    66tl8x4.png

    0x81 must be near to system idle, near at the core of the kernel.
     
  5. SystemJunkie

    With high probability a new spambot / rustock variant.

    Tried to autospam with Outlook, I caught one try;
    if you are using IE you won't get a chance to see that, bad invisible beast.

    Internet Explorer 7, even with up-to-date patches, is highly vulnerable to Spambot, be aware.

    It has a weak point, at some point it will slow down your system, you will feel that, you cannot directly see that.

    Actually only IceSword (??) and RkU 3.3 can find some traces; Gmer and Sophos AR nearly not, or only in very rare cases.
     
    Last edited: May 24, 2007
  6. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Obviously, you are one of those guys I would hear speak when I was attending DECUS conventions... "a sysinternals guy".

    A guy that understood what CMKRNL was! (I had a license plate that said CMKRNL, but people thought it was "Carmel Corn".)

    I find this thread very interesting, but only understand about 1%. I have learned "0x81 must be near to system idle, near at the core of the kernel."

    I also recognize that screen shot from IceSword and RkU.

    Please keep doing whatever you are doing... maybe my understanding will go up to 1.1%. :D :D

    Also, you have no need to reply to this post, because I would probably not understand anyway. :eek:

    I am NOT being a smart axe, I really do like this thread.

    Mike

    P.S.
    DECUS = DEC Users (remember VMS!)
    CMKRNL = Change Mode to Kernel
     
  7. SystemJunkie

    @Flinchlock: That´s nice to hear. :D

    I only dedicate myself to beat the "Matrix" :D

    I have a good feeling that my enthusiasm may be able to win sometimes, no matter how high our desperation against the upper evil may be. :D :D :D :thumb:

    Probably actually I belong to the most curious and most freaky minds, that may be my destiny for now.

    At the point where others get afraid and buy a new computer I start with eagerness and more motivation
    than ever to see what ghosts are doing in the machine.
     
  8. flinchlock

    OK, maybe I will plug my cable modem back in. :D

    Mike
     
  9. SystemJunkie

    Last edited: May 24, 2007
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, this is all too complex for me as well, but I do have a question: how do you end up with all these rootkit infections, and are these really rootkits or do you just think they are? :blink:
     
  11. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    count me amongst the people that are unable to appreciate the genius at work here. and in the face of such guruness, i am nearly intimidated enough not to ask my simple minded questions....nearly.

    simpleton question 1) can technologies such as Sandboxie and Shadowuser stand up against what i perceive to be advanced malware techniques?

    simpleton question number 2) i noticed softs Rootkit Revealer and AVG Anti-virus were not used in the detection of these rootkits. are they not powerful/useful enough to ferret out with accuracy these potentially malicious files?

    as i profusely apologize for myself i am hopeful that the underlying theory of if i don't ask i will never know wins the day :) .


    Mike
     
  12. SystemJunkie

    That's a real good question. Actually it's open end, I follow my intuition, I'm keen on digging deeper, but if it starts ruining my health too much I should better stop rkhunting :D :D

    Probably a persistent rootkit, polymorphic file infector or a hybrid of the mentioned, something in this direction imho.
    But you can also see several bugs of Anti-Rootkits. The spam that it sends into my mailbox seems to be from a spambot variant. It uses words of what you typed or contexts, mixes the whole up, then sends it out.

    No problem. Besides, everyone can be a genius, you only need a damn lot of energy, stamina, fascination, curiosity, passion and a portion of fanaticism combined with a little bit of insanity.

    Hm, I guess no, unless the malware is not aware of such tools.
    Concerning tools like DF or Shadowuser, I am a bit sceptical, it's a good idea, but if your BIOS or hardware is already infected, that way will be a dead end. Be damn sure to have a really clean PC; if not, your malware always returns too. ;-)

    RKRevealer is not bad, but unfortunately a bit out of date, pretty slow and
    not the first choice against new malware imho. AVG is a moderate AV company, not bad but not at the top either, they play in the middle field imho. RkU has good potential, but the latest version is a bit crazy and the harddisk seems to adopt the raw sounds of the code hook scanning procedure.

    Besides, actually rootkits are faster and more sophisticated than Anti-Rootkits, that's the big problem.

    The other thing with RkU is that there seems to be an interest conflict, that may lead in some points to unreliability. (some time ago e.g. Unreal.A was detected by noadware, but not by RkU)

    RkU still shows many vulnerabilities; look, the <unknown> stack analysis (sysinternals) shows how all RkU versions
    are blocked from starting. (Error opening driver) Maybe a conflict, not sure.

    http://i14.tinypic.com/63aj0wy.png

    7c81 is ntdll.dll area. And @Gmer: A former version of your tool could detect this, but the newer one cannot.
     
    Last edited: May 27, 2007
  13. flinchlock

    I have an ASUS A7V333 MOBO with...

    1. "Supervisor Password" Enabled (need pwd to change BIOS settings)
    2. "Boot Virus Detection" Enabled
    In general, does a BIOS pwd stop BIOS infections?

    Mike
     
  14. SystemJunkie

    I am not sure, I never tried to flash the BIOS with password protection. But if you are interested concerning BIOS rootkits, read Black Hat's PDF.

    Theoretically it must be possible to circumvent password protection by silently resetting the password, just my opinion, I don't know it exactly actually.

    The mobo vendors should protect all flashing components, it's a shame that they are so slow concerning these important facts; just one dip-switch for each flash component, that would be a good way imho.

    What Heasman writes about this infection happening only once a month e.g., that's the most beasty thing.
    You are in doubt, then reject your doubts and so on, because it doesn't happen daily e.g.... a devil's circle.

    Pay attention to syssetup.dll, setupapi.dll and netshell.dll, signs for BIOS infection.

    Look at the mem dump of the unknown code page:

     NtFsÈ®¯á zᘔ¯á Ña  ˆÙŸá  NtFC IoNm\ P r o g r a m m e \ P C T o o l s F i r e w a l l P l u s \ A l l o w A l l R u l e s S e t . r l s . s i g  IoNm\ P r o g r a m m e \ P C T o o l s F i r e w a l l P l u s \ A l l o w A l l R u l e s S e t . r l s s i g h NtffÈ H h‰z†|:á|:á `;á ¸9á¸9áˆ9áa³†0
    @        € Àƒˆ†P:á   ;áh‰z† ÿÿÿÿÿÿÿÿ

    Allow All. They attack the ruleset of each firewall.

    Look how RkU's wonderwork got BOs. (which in general means its application failed to load; gmer is at least at this point more reliable, but the unhook procedure of gmer is a pain)

    4mn7xo3.png
     
    Last edited: May 27, 2007
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    simmikie, no reason to be afraid.

    1. SystemJunkie = System + Junkie, he likes this stuff.

    2. Rootkits, a threat? Well, depends on you really. If you understand how the computer works, how operating systems (Windows in this case) work and what the possible scenarios are, then you should not be worried.

    "Evil" rootkits will get installed if:

    - A system vulnerability exists which can allow for remote execution.

    This is simply remedied by:

    a. Using Linux.

    b. Using non-MS software in Windows, like Firefox browser, Thunderbird mail client, OpenOffice instead of MS Office. These alternative and far superior programs do not embed themselves in the system, are far more secure by default and far more robust, and will not trigger into suicide mode when they encounter various would-be exploits.

    - Not falling for traps; like visit this link here and install this software here.

    So that's it, basically. Avoid being stupid and you'll avoid infections. You have the full control of what you do and you decide what happens.

    3. How to get rid of "evil" rootkits?

    Again, very simple.

    - Use imaging software and roll back to a safe date.
    - Boot from a live CD (Linux or Windows) and simply DELETE offending entries. While mighty powerful when Windows is running, all files are nothing but sitting ducks when the system is dormant.

    There you go.

    Basically, use Firefox (or Opera), have a firewall installed, do not follow stupid links or install programs that you are not absolutely sure of, and you'll be ok. Everything else is just extras.

    Mrk
     
  16. flinchlock

    Yup, I did read (and re-read) that. :blink: :D

    Also per page 24 of the Heasman PDF, also acpi.sys.

    You also need to watch (see Tiny Watcher) these files (see C:\WINDOWS\inf\acpi.inf)
    C:\WINDOWS\system32\drivers\acpi.sys http://www.file.net/process/acpi.sys.html
    C:\WINDOWS\system32\drivers\acpiec.sys (http://www.file.net/process/acpiec.sys.html)

    Looks like that "safe date" could be a month ago! This is just another reason to move "My Documents" from your system partition.

    Mike
     
    Last edited: May 29, 2007
  17. Mrkvonic

    Hello,

    Safe date can also be a year ago if needed. Not much different from formatting and starting over, except that it should take less time.

    My documents is a useless folder. It should remain empty. A non-system partition should contain user information. Thus, if the system is rolled back to a previous date, only system will have to be updated.

    Example: I keep games on a non-system partition. I did a restore on one of the machines recently to a date 3 days earlier. In those 3 days, I have installed a game. Now, going back to the previous date, supposedly my game was gone. But the files were there. After simple reinstall, I continued playing from the point where I stopped the last time.

    Mrk
     
  18. flinchlock

    How very true!

    So, do you tweak each program to put the data on "D:\Mrk\MyDocs\prog1"?

    You are saying, you do not move "My Documents" to "D:\Mrk\My Documents"... right?

    Mike
     
  19. Mrkvonic

    Hello,

    No, I do not save anything in My Documents or move them or anything at all.

    Document partition can be D:, can be H:, can be anything. In fact, I have separate partitions for games, for personal files, for downloads, for downloaded program installers, for Linux files, for music, for virtual machines....

    I tweak some programs, others tweak themselves (remember last...), and some I click manually to save where I desire. I also believe in folders and sub-folders. I can easily make 2,000 folders for 4,000 files, all nicely pyramided.

    My brother and I have also taught our family to stay away from My Documents. We have a bet. Any time we find a file in his My Documents, our father owes us a six pack of Heineken.

    Mrk
     
  20. flinchlock

    VERY GOOD IDEA! I will probably do that my next system rebuild. Heck, maybe some malware looks in the registry to find where I moved "My Documents". :blink: :eek:

    And my beer is better than your beer. :D :rolleyes: Sheaf Stout

    Mike
     
  21. SystemJunkie

    Yes, I actually gave up using IE7+Fixes.
    I saw live what spambots did when I did not use IE; with IE I'd never have been able to see any moves of the rogue faction.

    Normally everyone stores his data on another partition, in my case D, and D was erased. ;-) HD Error 11. (but no problem for me, I am still relaxed)
    I scratched the first layer from the matrix with my own products and I found that, through software:

    Pù{(ø{, Pù‹(ø‹

    6873lmh.png

    (The typical blue screens remind me of someone who described the Rustock weak point (BSODs), but they occur especially if I really stress the system in several ways)

    6eztdly.png

    I bet it´s chinese, japanese, korean or russian origin.
     
    Last edited: May 30, 2007
  22. SystemJunkie

    The 2nd layer from the matrix:

    C:\Programme\G DATA AOL\virlex\description6c61.htmlle.cmapmap.datmlgt_normal.pnggices.wrapper.dlll42deu.dllpolicy®┼

    On his march he left a lot of traces... I will check them.
     
    Last edited: Jun 1, 2007
  23. SystemJunkie

  24. SystemJunkie

    Some news from the evil faction:

    5xi27oi.png
     
  25. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    How can you drink that garbage? Try Amstel.
     