Rootkit keylogger: userinit, wJQs.exe, adv.exe, sysguard.exe, lowsec, sdra64.exe?

Discussion in 'malware problems & news' started by LuckMan212, Mar 20, 2009.

Thread Status:
Not open for further replies.
  1. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Hey guys,
    I removed a pretty stealthy rootkit from a client's work machine today. She called me in the morning complaining of "lots of popups". I headed over there immediately and checked into it. She had NOD32, SuperAntiSpyware, Windows Firewall and XP SP3 installed, and her browser was Firefox 3.07 at the time of infection. So her system should have been reasonably secure!

    Symptoms:
    1) something had modified the HTTP proxy to "localhost" port 7171. She could not open www.google.com, it would throw up a connection error.
    2) a process called "s.exe" was running in task manager and consuming 50% CPU. Checking it with Process Explorer running from my write-protected USB stick showed open TCP/HTTP connections from s.exe.
    3) I also found various traces of malware with Autoruns. Interestingly, the NT logon UserInit section had been modified. I reverted it to default in Regedit and noticed something almost immediately changed it back.
    4) Ran rootalyzer and saw this:
    http://img408.imageshack.us/img408/3416/rootalyz.png

    Removal
    To get rid of that I booted up with my WinPE disc and deleted those files. I was then able to clean the rest of the malware off using various combinations of command-line tools, a fresh install of SAS and Spybot S&D. All checked out clean :D and I updated NOD32 to v4.0 just for good measure. I created a mini-quarantine of these files for forensic purposes; if anyone wants to have a look, I've zipped it up here:

    ~Link removed. No links to malware or potentially harmful files are to be posted on this forum.~

    I also submitted those same files to VirusTotal and they came up 30-40% malware, and suggested possible keylogger activity (as did Google). I notified my client right away to change her passwords and check for any suspicious activity on her accounts even though the virus was only present and active on her system for a few hours. She informed me that she doesn't typically type in her passwords; she keeps them saved in autocomplete (that might be worse!!) so I don't know if these were compromised. As far as I know most keyloggers intercept the keystrokes but not a stored password although I suppose the malware could have easily transmitted her ProtectedStorage and decrypted her passwords. Not sure if Firefox is also vulnerable to this.

    Bottom Line:
    I am worried about it and was wondering if anyone's come across this beast, is it really a keylogger and if so, is there any way to tell what information might have leaked? Anyone got any more info to share? thanks o_O
     

    Last edited by a moderator: Mar 20, 2009
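
Added example, not part of the original thread: a small triage check for the two persistence symptoms described in the post above (a modified Winlogon Userinit value and an HTTP proxy pointed at localhost). It assumes the values were exported from the Winlogon key and the WinINET "Internet Settings" key into a dict; the post does not say which browser's proxy setting was changed, and the sample snapshot is constructed.

```python
import ntpath

# Assumed XP default for the Winlogon Userinit value (a trailing comma is normal).
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def check_userinit(value, default=DEFAULT_USERINIT):
    """Return Userinit entries (comma-separated list) that are not the default."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and _norm(e) != _norm(default)]

def parse_proxy_server(value):
    """Parse a ProxyServer string: 'host:port' or 'http=host:port;https=...'."""
    proxies = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, sep, target = part.partition("=")
        if not sep:                      # single proxy for every protocol
            scheme, target = "all", part
        target = target.split("://", 1)[-1]
        host, _, port = target.rpartition(":")
        if not host:                     # no port given
            host, port = target, ""
        proxies[scheme.lower()] = (host.strip("[]").lower(),
                                   int(port) if port.isdigit() else None)
    return proxies

def triage(snapshot):
    """Return (kind, detail) leads; a loopback proxy can be legitimate, so verify."""
    findings = [("userinit", e) for e in check_userinit(snapshot.get("Userinit", ""))]
    if snapshot.get("ProxyEnable") == 1:
        servers = parse_proxy_server(snapshot.get("ProxyServer", ""))
        for scheme, (host, port) in servers.items():
            if host in LOOPBACK:
                findings.append(("loopback-proxy", f"{scheme}={host}:{port}"))
    return findings

# Constructed sample: the extra Userinit path is made up around a file name from
# the thread title; the proxy value is the one reported in the post.
SAMPLE = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    "ProxyEnable": 1,
    "ProxyServer": "localhost:7171",
}

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(kind, detail)
```

Because the post reports the Userinit value being rewritten while Windows was running, a check like this is best run against an offline hive (for example from a WinPE boot) or repeated after cleanup.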
  2. XDD

    XDD Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    11
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    LuckMan212, Did your client have SAS installed and running as resident, real-time protection? Do you know if your client had updated to the most current defs for her AV (I see she did not have the most current program version) and for her AS? And do you know if she was up to date with MS Critical Updates? These questions would concern me right off the bat.
     
  4. BrendanK.

    BrendanK. Guest

    Actually, she probably installed it herself. From what I see in the detection list, a lot of them are fraud tools, so she may have installed something rogue, and if NOD32 was not configured to detect PUA, then it can and will infect her system.
     
  5. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Yes SAS was running in resident-mode. She was fairly current, the defs were updated but the program version itself was 1 version behind I think.
    NOD32 had the latest defs but she was running 3.0 not the newly released 4.0 - not sure that would have made a difference or not.

    After talking with her some more, I am 90% sure that this trojan got in via the recent Acrobat PDF javascript exploit. I checked her system and found that her Acrobat Reader was configured (as most are) with javascript enabled. I also learned that she uses Windows Media Player to listen to "free internet radio" stations, and these stations are loaded with pop-up ads. So that could have been a vector as well. I have directed her towards Last.fm instead and disabled the rest, and advised her to change all her passwords and carefully check her banking and online shopping accounts for suspicious activity. Fingers crossed.
     
  6. FiOS Dan

    FiOS Dan Registered Member

    Joined:
    May 24, 2006
    Posts:
    89
    Location:
    Boynton Beach. FL
    Another good one is Pandora Radio. Been using it for months with nary a pop-up at all.
     
  7. XDD

    XDD Registered Member

    Joined:
    Mar 17, 2009
    Posts:
    11
    I would tell her to run threatfire with her av. :D
     
  8. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Update: I returned to her machine and did some more forensics. I was able to determine with almost 100% certainty that the infection vector was the PDF javascript exploit, as I suspected. I also learned that she had still been using Internet Explorer for some sites because "it has my passwords saved" (her words) GAH! :gack: So I examined her IE history and discovered the following 2 visited URLs:

    (be careful with these links! they most likely are still infected)

    ~Links removed~

    After that, I saw a bunch of requests for adserving sites including "c5.zedo.com", "tuneclub.com", "searchfeed.com" and "advancesoftwaretool.com" (VirusRemover2009). There was also a curious site called "buidnote.com" whose URL appeared to be followed by a base64-encoded string of considerable length. I am guessing that this may have been a site built to collect data from the keylogger, because when I visit the site, nothing at all is sent to the browser- no HTML or anything. So it appears to be some kind of data collector. The entry only appeared once and I tried to decrypt the data as base64 which returned some unreadable text so not exactly sure what that is. I would post the string here but I am a little worried that it may contain sensitive data.

    The good news is that the rootkit appears to have been squashed, the popups have not returned.
     
    Last edited by a moderator: Mar 24, 2009
  9. Thejustincase

    Thejustincase Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1
    Basically I need an answer if you have one. I was doing a security scan on my computer and something came up saying that a threat was detected. I googled the file name and this thread came up.

    The name of it is buidnote.com and what I wanted to know is how I can get rid of it. What honestly confuses me is that the "threat name" is 'exploit lucky ecploit pack.' I have no idea what this is.
     
  10. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,901
    Location:
    U.S.A.
    Thejustincase, first, welcome to Wilders!

    Try Malwarebytes' Anti-Malware free trial version and/or SUPERAntiSpyware Free Edition as soon as possible. Regardless of the exploit name, they are malware and these 2 programs do an excellent job eradicating them. Keep us posted.
     
  11. Bill Artman

    Bill Artman Registered Member

    Joined:
    Mar 30, 2008
    Posts:
    20
    Location:
    Kansas City Metro
    Last night my daughter who is using NOD32 V3 anti-virus appears to be infected with kaka.exe and sysguard.exe. Her NOD32 virus definitions are current.

    Do you need to run more than one anti-virus/spyware program on your machine? Some of the different programs conflict if they are run on the same PC.

    Thanks!
     
  12. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,901
    Location:
    U.S.A.
    Bill, threats are getting more sophisticated by the minute, trying to bypass well known AV programs, and as long as you run programs such as MBAM and SAS (links in above post) on demand, not real time, they will not conflict. I advise you to use these two applications on that PC as soon as possible.
     
  13. Bill Artman

    Bill Artman Registered Member

    Joined:
    Mar 30, 2008
    Posts:
    20
    Location:
    Kansas City Metro
    JRViejo -

    Thanks for your reply. This issue is more difficult because my daughter is in Virginia and I am in Kansas City and I am trying to help her over the phone.

    I will look at MBAM and SAS as you suggest. The other problem is that whenever she tries to get onto the Internet (to get these programs) apparently the virus or whatever is infecting her computer points Internet Explorer to a specific site and she can't type in the URL she wants.

    Thanks again for your help,
     
  14. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    hi bill

    if she boots in safe mode prob F8 with networking that may not happen.
    or searches with a different search engine
    or try and download and install a different browser

    she/or you could even watch a video from matt @ malware on youtube on MBAM on SAS and download and then run them herself. ( where I got my info ).

    Main thing is not to panic - and have a think about what personal data may be gone. Probably banking stuff would be the main risk, or credit cards, depending on whether they hold the customer liable or not.

    Hope this helps
    J
     
  15. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,901
    Location:
    U.S.A.
    Bill, that's why I said that threats are very clever today. OK, she's going to need something more powerful, before trying MBAM & SAS, and it's called Dr.Web CureIt!

    Have a friend (with a clean PC) download the program for her and burn it to a CD; she can run the software from that CD. Keep us posted.
     
  16. Bill Artman

    Bill Artman Registered Member

    Joined:
    Mar 30, 2008
    Posts:
    20
    Location:
    Kansas City Metro
    Joey and JR;

    Thanks for your info - I'll keep you posted.
     