[?] Unknown boot trojan

Discussion in 'Trojan Defence Suite' started by s.ushakov, Apr 24, 2005.

Thread Status:
Not open for further replies.
  1. s.ushakov

    s.ushakov Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    6
    Hi, I'm 90% sure I've got a trojan, and TDS3 does not detect it.

    The symptoms are:
    - the infected system started producing application (mainly Firefox and Java/Eclipse) and system (BSoD) crashes;
    - every attempt to reinstall (repair) the operating system on the infected drive resulted in a failure with complaints that some files cannot be copied (the files that really exist and are not corrupted); this "bad" file list was different for every new installation attempt; the result was the same whatever system (WinXP, Win2003) was installed/repaired and whatever distribution source was used;
    - an installation to a fresh HDD on the same system block completed without any problems;
    - the infected HDD operates as a secondary drive under the new operating system without any problems.

    I have a strong suspicion that I got a trojan that resides in the boot area and runs the normal bootstrapper in the VM mode.

    I have some time (not too much :mad: ) that I can spend on investigation of this phenomenon before I have to reformat the infected drive (or try to repair the MBR), but I'll need guidance and instructions.

    Anybody willing to participate? ;)
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi S. Ushakov,

    Welcome to Wilders!!

    I will be recommending that you run a number of utilities from your system that has booted from the suspect install. Please review any command output files and rem out any personal information that should not be posted publicly.

    Okay, first off, can you please run AutostartViewer which you can obtain from here http://www.diamondcs.com.au/index.php?page=asviewer . When you launch it, please be sure to select all three top options in the "Main" menu and then save the log and post here.

    Next, download and run from the commandline Openports found here http://www.diamondcs.com.au/openports/ . I would recommend that you run it with the -path option and redirect the output to a file such as in the following commandline

    Code:
    openports -path > openports.txt
    and post here

    Next, I would recommend that you try (if you are not running Win2k3) kproccheck from http://www.security.org.sg/code/kproccheck.html the beta2 has been stable in my experience and is needed for XP. Note that there are various options and each will provide various info so you might want to cut and paste the following into a batch file called dokproccheck and run it from the same directory as you placed the kproccheck executable and driver

    Code:
    kproccheck -p > kproccheck.txt
    kproccheck -s >> kproccheck.txt
    kproccheck -d >> kproccheck.txt
    kproccheck -t >> kproccheck.txt
    kproccheck -g >> kproccheck.txt
    kproccheck -u
    and after you run the batch file post your kproccheck.txt here

    Semilastly (what we might do next all depends on what we find with the above ) can you please download and run RootkitRevealer from http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml and after scanning save the logfile and post.

    If you have any trouble with the above-mentioned utilities do not hesitate to speak up :)
     
  3. s.ushakov

    s.ushakov Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    6
    Hi Dan, it took me a while to scan the system, but here is the result.

    The open ports scan is not very impressive :) but I should also mention that the system feels pretty bad after several repair attempts and complains that several services failed during startup. I'm almost sure this is because the repair attempts were not successful (due to "file copy failures"), and different system components may be inconsistent (as I have applied numerous security patches in its previous life).

    Unfortunately I did not manage to install WinXP on the infected drive (I did not try too hard :) ), so my scans are all for the "repaired" Win2k3 system. Thus no kproccheck scans are available.

    I feel we still need to inspect the boot areas, but I do not feel myself an expert here, as my previous active experience with boot procedures ended with MSDOS and NU8 :)

    Regards,
    Sergey
     

  4. s.ushakov

    s.ushakov Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    6
    Dan, here comes the openports log.

    Unfortunately it is not possible to post them all at once...
     

  5. s.ushakov

    s.ushakov Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    6
    And here comes the RootkitReveal log...
     

  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Sergey,

    Well, the only things in the output that I kinda question are the various "embedded null" entries in the Rootkit Revealer output, but this hiding technique is used by various legit programs. If you haven't already done so, you might look at the various datestamps on those keys to see if they fit in with some software you might have installed then or if the date corresponds with the time your system started developing the symptoms. Anyways, one would normally expect additional items to be shown for the actual cloaked executables or their corresponding run keys if this were a rootkit (which theory I know you weren't leaning toward).

    It may be, as you say, that this would be a MBR or PBS type malware but while I find that somewhat unlikely I cannot think of a ready way with which we could rule it out.

    I'm sorry I couldn't be of more help to you on this.

    Regards,

    Dan
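
One structural check that can be run against the suspect drive's first sector from the clean installation (the drive is already attached as a secondary disk), as an added example that is not from any poster in this thread and not part of TDS3 or the DiamondCS tools: it parses the 512-byte MBR into its bootstrap code, four partition-table entries and the 0x55AA signature, then hashes the bootstrap code and compares it against a set of known-good hashes. The two sample sectors below are constructed inline; the known-good hash set is an assumption that in practice you would fill from a trusted image, for example the MBR of the freshly installed clean drive written by the same installer.

```python
"""Parse a 512-byte Master Boot Record and flag structural anomalies.

Added example for inspecting a suspect MBR; the sample sectors and the
known-good hash set are constructed here and are not real disk data.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446        # bytes 0..445 hold the bootstrap code
PART_TABLE_OFFSET = 446     # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510      # last two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def read_first_sector(device_path: str) -> bytes:
    """Read the first 512 bytes of a raw device (needs administrative rights).
    On Windows the secondary disk is typically r'\\\\.\\PhysicalDrive1',
    on Linux something like '/dev/sdb'."""
    with open(device_path, "rb") as handle:
        return handle.read(MBR_SIZE)


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition-table entry (little-endian layout)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into bootstrap-code hash, used partitions and signature state."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    boot_code = data[:BOOT_CODE_SIZE]
    entries = [
        parse_partition_entry(
            data[PART_TABLE_OFFSET + i * PART_ENTRY_SIZE:
                 PART_TABLE_OFFSET + (i + 1) * PART_ENTRY_SIZE])
        for i in range(4)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        # type 0x00 marks an unused slot
        "partitions": [e for e in entries if e["type"] != 0],
        "signature_ok": data[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE,
    }


def check_mbr(data: bytes, known_good_hashes: set) -> list:
    """Return a list of human-readable findings; an empty list means no anomaly."""
    findings = []
    info = parse_mbr(data)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("bootstrap code does not match any known-good image")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


# --- constructed sample data (not taken from any real disk) ---------------
# A non-uniform byte pattern stands in for the bootstrap code.
_BOOT_CODE = bytes(range(256)) + bytes(range(190))
# One active NTFS-type (0x07) partition starting at LBA 63, three empty slots.
_PART_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                          b"\xfe\xff\xff", 63, 1_000_000)
BASELINE_MBR = _BOOT_CODE + _PART_ENTRY + bytes(3 * PART_ENTRY_SIZE) + BOOT_SIGNATURE
# Same layout but 16 bootstrap bytes overwritten with zeros.
ALTERED_MBR = (_BOOT_CODE[:32] + bytes(16) + _BOOT_CODE[48:]
               + BASELINE_MBR[BOOT_CODE_SIZE:])
# Same as baseline but with the boot signature blanked out.
NO_SIG_MBR = BASELINE_MBR[:SIGNATURE_OFFSET] + b"\x00\x00"

# The trusted hash set would normally come from a clean reference drive.
KNOWN_GOOD = {parse_mbr(BASELINE_MBR)["boot_code_sha256"]}

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE_MBR), ("altered", ALTERED_MBR),
                         ("no-signature", NO_SIG_MBR)):
        print(name, check_mbr(sector, KNOWN_GOOD) or "no findings")
```

The same `parse_mbr`-style hash comparison applies to a partition boot sector: read 512 bytes at the `lba_start` of the active partition and compare against the sector written by a clean install of the same OS version. A hash mismatch alone is not proof of malware, since different installers and disk tools write different bootstrap code, but a mismatch against the sector produced by the very same installer on the clean drive is exactly the kind of evidence this thread was missing.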
     
  7. s.ushakov

    s.ushakov Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    6
    Ok Dan, thank you for your interest and willingness to help anyway.

    Do you know any other communities that may have better experience in MBR/PBS issues?

    Regards,
    Sergey

    PS None of the "embedded null" entries seems suspicious to me...
     
  8. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    This sounds more like a damaged RAM-module than a trojan / backdoor - did you check it?
     
  9. s.ushakov

    s.ushakov Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    6
    Well, that was one of my first ideas too... So one of my first steps was a hardware check - nothing special found...

    But this idea does not explain the difference in system installation behavior between two HDDs - the old one that I suspect infected and the new clean one...

    The OS installer behaves smoothly on the new (clean) HDD and produces strange errors after reboot with the old one... And no hardware problems with the old HDD meanwhile...
     