A new rootkit?

July 27th, 2010
For the third time in the last few weeks I have had to clean up yet another malware infection.
However, these have all displayed similar symptoms, and I am thinking there might be another outbreak of malware coming. I have noticed that malware seems to come in waves. I will spend a whole bunch of time cleaning it up for a while, then I will go months without having to clean any up… then it’ll come back in force again.
I’m not sure of the injection vector of the latest version (the previous wave seemed to enjoy Java exploits quite a lot), but I can give you a fairly obvious, quick-to-diagnose symptom and a quick way to clean it up.
The first and easiest check on an infected machine is to try to visit http://windowsupdate.microsoft.com. On the machines I have seen, regular websites like cnn.com or google.com will work, but you cannot get to the Windows Update site. It will just snap to a page-not-found error.
The second easy check basically confirms that Windows Updates are being blocked. Hop into the Event Viewer and look in the Application log. You should see a whole onslaught of errors from crypt32 complaining that it “Failed auto update retrieval of third-party root list sequence number from…The connection with the server was terminated abnormally”. This is almost a guaranteed sign you’ve picked yourself up some new malware, and more specifically a rootkit. This rootkit is sort of nasty in that it makes you think you have got the machine all cleaned up. If you run a Malwarebytes Antimalware scan, the scan will come back clean and the system will seem normal (aside from the errors in Event Viewer and not being able to get to Windows Updates).
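Both of those checks can be scripted so you can triage a suspect machine in a few seconds instead of clicking through Event Viewer. The PowerShell below is an added example and not part of the original post; it assumes the crypt32 event source and the “root list sequence number” wording quoted above, and the 24-hour window and google.com control site are my own choices.

```powershell
# Added triage script (not from the original post). Assumes the crypt32 event
# source and the "root list sequence number" message text quoted above; the
# 24-hour window and the control site (google.com) are arbitrary choices.
function Get-Crypt32RootListErrors {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Get-WinEvent throws a terminating error when nothing matches, so silence it.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'crypt32'
        StartTime    = $since
    } -ErrorAction SilentlyContinue
    # Keep only the auto-update root list failures the post describes.
    $events | Where-Object { $_.Message -like '*root list sequence number*' }
}

function Test-SiteReachable {
    param([string]$Url)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = 10000          # 10 seconds; a blocked site usually fails fast anyway
        $resp = $req.GetResponse()
        $resp.Close()
        return $true
    } catch {
        return $false
    }
}

$errors = @(Get-Crypt32RootListErrors -Hours 24)
$wuOk   = Test-SiteReachable 'http://windowsupdate.microsoft.com/'
$ctlOk  = Test-SiteReachable 'http://www.google.com/'

"crypt32 root-list failures in last 24h : $($errors.Count)"
"Windows Update site reachable          : $wuOk"
"Control site reachable                 : $ctlOk"

# The post's symptom is the combination: crypt32 failures AND Windows Update
# unreachable WHILE ordinary sites still load. Any one alone is not conclusive.
if ($errors.Count -gt 0 -and -not $wuOk -and $ctlOk) {
    Write-Warning 'Matches the pattern in the post: Windows Update blocked while other sites load, with crypt32 root-list failures logged.'
}
```

Run it from an elevated prompt on the suspect machine; a clean machine should report zero crypt32 failures and both sites reachable.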
To get rid of this bugger you’re going to need a bit more powerful medication. If Malwarebytes Antimalware is cough syrup, this thing is full-body radiation. I am speaking of Combofix. First, a word of warning: Combofix can seriously hose your computer. Do not run it unless you are a computer expert and able to manually repair any damage that may be inadvertently caused by Combofix. That said, I have never had a problem with Combofix; it has always worked great for me.
Don’t be put off by Combofix’s low-level appearance. It appears that way because that is what it is: low-level. It gets deep in the system and does what it needs. How it actually works is a trade secret that only the author of the program knows. He must keep the methods he uses secret so that malware writers won’t be able to stop his cleanup efforts and make his program useless.
So you run Combofix, follow its steps, and take note of its warnings, and you’ll eventually get to its notice that it found rootkit activity:
Excellent news! Not so excellent that you have a rootkit, but excellent that Combofix has detected it and will now proceed with the cleanup. Your machine will reboot at least once to continue with the cleanup, and Combofix will go about its business of cleaning up the mess you have. Combofix has over 50 stages, so it can take a while to run. Just be patient, let it do its thing, and never interrupt it.
After Combofix has done its thing, it will display a Notepad window with a log file of what it has done. If you’re bored you can browse through the log and see its work. At this point your machine is rootkit free, and you should be able to once again get to the Windows Updates web site. At this point I always do a couple of things. One, make sure to go ahead and run a Malwarebytes Antimalware scan to clean up any remaining malware not picked up by Combofix (Combofix only goes after the major problems, whereas Malwarebytes goes for a full system cleaning). Next, update the browser, Java, and Flash plugins on the machine, and run all Windows Updates to ensure the machine hasn’t missed anything important while the rootkit was blocking it from checking.
As I said, I am not sure of the injection vector of this particular rootkit as I have only seen its aftermath, but regardless, the cleanup method is the same for this as it is for many other malware infections: Combofix it, Malwarebytes, and then update the system. Good luck, and feel free to sound off in the comments with any questions.