Rooted/botted


Woodmann
August 4th, 2011, 22:52
Hey,

I got a box at work that has been severely compromised.
I am going with it's botted because the number of out
bound connections is insane.

I traced a few IPs and they all go to places that have
no web presence, just owned blocks of addresses.
(If that even makes sense)

I have run gmer, rubotted, rootkit revealer and reanimator.
All of them have failed except gmer which, after cleaning
what gmer found, it returned with a vengeance.

The best I have determined was it was included in a bogus
Google chrome download.

My question is, are there any better tools out there
than the ones I am running?

Malwarebytes finds a ton of stuff and I can delete it
but it comes right back. Same for gmer.
Reanimator digs the shits out but gives me a bsod
upon discovering it.
Combofix won't run. Rubotted won't run. Rootkit revealer won't run.
Comodo runs but I am sure it is compromised.

It started as a ransomware.

Any thoughts?

Woodmann

Kayaker
August 5th, 2011, 00:35
Ah, be a scared grandmother and pay the ransom

Nah, I know you don't work that way. The fact that it "comes back" may mean it's using one of a number of system callbacks. Try Kernel Detective, and if it runs check /Kd+/System Notify Callbacks and look for unusual (non-Comodo, non-PGP, etc.) callbacks, specifically CreateProcess, LoadImage and especially CmRegisterCallback. The latter can be used so that even if you (or a tool) deletes a registry key, it will just take note of that and recreate it moments later. Delete any suspicious callbacks and then continue with the cleanup process.

There's a whole list of ARK's here that you might want to look into as well. I'm not really familiar with the majority of them.

http://www.kernelmode.info/forum/viewtopic.php?f=11&t=10

Darren
August 5th, 2011, 04:44
Have you tried dropping to safe mode and running those tools you mentioned ?

also http://support.kaspersky.com/faq/?qid=208283363 might help, saved a few machines with this

OHPen
August 5th, 2011, 08:34
Hi Woodmann,

I'm not able to answer your question, but as my root server recently also became a victim of some dumb kiddy-haxx0r who installed malware on my system, I just want to give you a valuable hint...

Don't even try to clean the machine. If you are only interested in the malware samples, ok, then it's worth the effort. But if your intention is to clean the machine in order to use it later 'productively', then forget it!!! Don't do this. You simply shift the trouble a few weeks into the future. Reset the machine, format it, and install everything from scratch...

On my machine I really had an interesting sample of malware which replaced commands like ls, ps and fstab... no AV detected that!! I cleaned a lot of malware from the system, but right after cleaning I got infected again and again... there is no way of entirely cleaning your system in a manner that you can be sure everything is fine now.

Probably you know that yourself, but I felt it was my duty to say it again )

Regards,
OHPen

GEEK
August 5th, 2011, 13:28
I agree. Even though cleaning sounds like fun for reversers, I have realized backing up your data and reformatting is always the quickest solution.

Woodmann
August 5th, 2011, 22:01
Howdy,

When it's all said and done, the box will be gutted.
What data is on there that I save will have to be run
on a forensics box to make sure it is clean before
I put it back onto the computer.

The big caveat is, that infected box is on our network.
(currently unplugged)

Tried safe mode and the fucker still ran.

I will try Kayaker's suggestion only to see
what this thing is doing.

Thanks, Woodmann

Bengaly
August 6th, 2011, 05:16
Format c:\ -> hackint0sh

esther
August 6th, 2011, 07:19
Howdy Woody,
Any samples? Can you upload them here? I'd like to have some fun with it.

Woodmann
August 6th, 2011, 22:55
Howdy,

If I can isolate it, I will save it just for all you mal freaks .

Woodmann

Maximus
August 7th, 2011, 17:12
... in paranoid security mode, you'll also have to rewrite MBR, who knows..

TempoMat
August 7th, 2011, 17:38
Is it not possible to use a bootable live CD, with, say, the progies incorporated that were able to detect the culprit?

R33N
August 7th, 2011, 20:56
Just throwing out an idea but maybe a snapshot of the machine using a memory dump tool. Software that can be used for that can be Moonsols Win32dd/win64dd, Kntdd, Memoryze, etc.

If this is a virtual machine pausing the system creates the image file for you.

Once gathering a memory dump of the machine you can use volatility to examine the processes running in memory and dump them from the memory image. There are also tons of plug-ins for Volatility for parsing different parts of the memory dump.

Gathering information with Volatility can yield you some of the following information.

- pslist > list processes similar to task manager
- psscan > list processes by bypassing the linked list; looks for EPROCESS data structures and lists EPROCESS offsets
- psdiff > show the difference between these two lists; often helps to identify a hidden process (rootkit)
- procexedump > dump the process to an executable file from memory for debugging and more static analysis. Note: you can use the offset "-o" or the PID "-p" to identify the process to dump.

If you think there is a dll injection you can use the -dlllist for the process you think is being injected as well. This actually doesn't work all that well.

There is a plug-in for dll injection:
- malfind

There is a ton more you can do with memory analysis, but just throwing out some ideas.
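The cross-view idea from the post above (a process present in a pool scan but absent from the kernel's linked list is suspicious) can be shown without a memory image. This is an added example, not code from the thread or from Volatility; the two process listings are constructed sample data standing in for pslist and psscan output.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    offset: int           # physical offset of the _EPROCESS block
    pid: int
    ppid: int
    name: str
    exited: bool = False  # pool scans also find processes that already terminated

# Constructed sample: what walking the active-process list returns (pslist)
PSLIST = [
    Proc(0x01A2B000, 4, 0, "System"),
    Proc(0x01F10120, 560, 4, "smss.exe"),
    Proc(0x02230A40, 640, 560, "csrss.exe"),
    Proc(0x02A77B20, 1180, 1120, "explorer.exe"),
]
# Constructed sample: what scanning for _EPROCESS pool chunks returns (psscan)
PSSCAN = PSLIST + [
    Proc(0x03C05EE0, 1872, 1180, "svchost.exe"),               # unlinked, still live
    Proc(0x03E9A010, 2044, 1180, "notepad.exe", exited=True),  # terminated, not yet freed
]

def cross_view(pslist, psscan):
    """Compare the two enumerations by _EPROCESS offset, never by PID.

    Returns (hidden, stale): live processes only the scanner saw (the
    classic unlinked-process rootkit signature) and exited ones found in
    unfreed pool memory, which are noise rather than evidence.
    """
    listed = {p.offset for p in pslist}
    only_scanned = [p for p in psscan if p.offset not in listed]
    hidden = [p for p in only_scanned if not p.exited]
    stale = [p for p in only_scanned if p.exited]
    return hidden, stale

def report(pslist, psscan):
    # One row per process with a Y/N column for each view
    seen = {p.offset: p for p in psscan}
    seen.update({p.offset: p for p in pslist})
    listed = {p.offset for p in pslist}
    scanned = {p.offset for p in psscan}
    rows = []
    for off in sorted(seen):
        p = seen[off]
        rows.append(f"{off:#010x} {p.name:<14} pid={p.pid:<5} "
                    f"pslist={'Y' if off in listed else 'N'} "
                    f"psscan={'Y' if off in scanned else 'N'}")
    return rows
```

Keying on the structure offset rather than the PID matters because a hidden process can reuse or spoof a PID that also appears in the linked list.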

esther
August 7th, 2011, 21:33
*Malwarebytes finds a ton of stuff and I can delete it
but it comes right back.

Probably there are still hidden files. It usually starts up the hidden file using the registry. It's a very tedious job to search for the culprit; my ideal way is to image the hard disk and do it in VirtualBox or VMware.

Woodmann
August 7th, 2011, 21:44
Tons of great ideas .

When I get the time I will start trying them.

Woodmann

Woodmann
August 15th, 2011, 21:10
Howdy,

Well, after a week of work and a lot of non-compliance from various programs,
I was able to clean it.

The master boot record was infected so it was a back and forth battle.
Once slaved I was able to clean it and save the data on it.

I can only provide the names of the shit and what it was infecting.

termvw32.dll AKA Darkmoon
temvw32.dll AKA Murlo
compeate.dll AKA Papras
sl32tie.dll This one I can't find an explanation for.

Two of them are ransomware. They were probably bastardized to carry a payload.

I wish I could afford the time to really dig into these but I don't, so I had to
clean it, watch it for a week and put it back into the box.

If I missed anything and it comes back, it gets nuked.

It took a multitude of tools to do this BUT, the most important thing
is that once I slaved it, it stopped renaming/writing itself.

So I have learned that if you suspect it is MBR, slave it and
MAKE ABSOLUTELY SURE, no drives have file sharing set when
you slave it. None on the infected drive and none on the host OS drive
and any other partitions, just for good measure.

If it can't boot, it can't spread. But I am sure that will change .

Woodmann

are
August 18th, 2011, 14:21
Quote:
[Originally Posted by Woodmann;90810]
I got a box at work that has been severely compromised.
I am going with it's botted because the number of out
bound connections is insane.

I traced a few ip's and they all go to places that have
no web presence, just owned blocks of addresses.
(If that even makes sense)


I wonder if this was the designer's way of covering his tracks between his botnet master and his victims. Maybe it was searching for further orders?

It might be sensible to have an algorithm progressively generate IP addresses, and continually send out connections to these seemingly pointless addresses in search of some identifying fingerprint (home). Some day, depending on chance, the device could find a box that the designer has more direct control over, and further instructions could be delivered to the infected machine. Reminds me of rainbow tables, where a trade off is made to reduce ghz by supplying additional GB, but in this case, the trade off is made to prevent origin discovery by making the number of IP addresses to audit prohibitively numerous at the cost of time until it can get future orders (latency).

I don't suppose you noticed any pattern to the IP addresses before you cleaned out, did you? Did it seem to be an infinite number of IPs it was attempting to connect to or was it a concise bank of them limited to a single block with mostly repeats? I can't think of anything sneakier that might be going on at least. If you have time and the infected files still, consideration should be made to redirect the infection's blank connection attempts to a box you control and monitor its behavior. There's enough information to breakpoint when it attempts to open a connection at this point, right? Then you might have a better idea of how to test these seemingly pointless IPs to be sure that there's nothing receiving the packets and willing to communicate.

I just had a box get an infection the other day, myself. With infatuation, I watched it, and somehow it was able to hijack every web browser installed on it in an annoyingly buggy, inconsistent manner (google redirect that turned out blank pages mostly). I ran a barrage of tests briefer than the list you shared, and they all turned up nothing. I went through HijackThis and didn't find anything obviously outstanding, which raised my interest. The next day, it was completely gone. Someone initiated a windows restore point =( Well aren't they the savvy cracker today...

It's probably for the best, I don't have time for these fun sorts of things anymore. We need to make a global holiday where we all put aside our work, call in sick, and devote ourselves to hunting down these web liabilities and turning them into web assets and write reports on what creative things we've discovered.

Can you upload the mysterious binary that doesn't seem to have been reported on yet? Was it interacting in the connection generating at all? I'd love to learn more about its interesting network quirks.

Woodmann
August 18th, 2011, 21:39
Howdy are,

The amount of connections it was trying to make was unbelievable.
I let it go 2 times just to see how many it was attempting to connect to
and I had to unplug it when it got to 400.

I looked at some of them and it was just looking for anything that was open.
I didn't see it calling home due to the numerous connections.

I just don't have the time to trace every little thing.
Mals/virs/roots/bots are not my primary job so I can't spend the time.

Once the drive was slaved it would not co-operate with my VM (Oracle).
So I douched it about 40 times and plugged it back into its old box
and watched and it made no attempt to connect and has been running for the
week with no network access while I log whether or not it even tries.
I will check it tomorrow.

Now, the windows restore thing is quite interesting.
I wonder if once it has dropped its payload it creates a false sense
of comfort so no one looks deeper?

Woodmann

are
August 19th, 2011, 14:34
Quote:
[Originally Posted by Woodmann;90926]
The amount of connections it was trying to make was unbelievable.
I let it go 2 times just to see how many it was attempting to connect to
and I had to unplug it when it got to 400.


I would approach this from the DB analyst's perspective. I wonder if Wireshark will store Destination IP, time, and response in a manageable database. After a couple days' worth of data collection or so, you could do frequency checks and see if they're all repeats or if they are instead progressively scanning (an IP called several times on day 1 and 2 never gets called again). If it were me, I would check to see how the virus acts when it finds an active box. I don't know too much about DNS, but I think you can reroute some of its IP addresses to any local address you want. Then see what the two computers have to say to each other. I suppose you didn't bother unpacking the virus (that's the most unfun part of the whole thing) but the next step would be to figure out what the virus wants its host to say to it. Then, if I had any time, I'd write a quick script that is able to attempt a connection with an IP and tell me if it says what the virus wants me to say. Then I could feed the database of IPs to the script and figure out where its home is. Of course, I'm under the assumption that none of the IPs collected will actually lead home.

It could also just be trying to overwhelm your router to encourage ransom payment, but you'd think it would be connecting to live hosts and not firing blanks. Industry rules to not pose a risk of disrupting internet services?


Quote:
[Originally Posted by Woodmann;90926]
I just dont have the time to trace every little thing.
Mals/virs/roots/bots are not my primary job so I cant spend the time.


I know what you mean, I've got other stuff I should be doing right now actually, lol. But I find them thoroughly interesting. I actually don't have a decent testing lab set up at the moment and I'm not sure if I'll have the time (but I caught my infection source! Long story short, he doesn't know when a typo filled email isn't really from the government).


Quote:
[Originally Posted by Woodmann;90926]
Now, the windows restore thing is quite interesting.
I wonder if once it has dropped its payload it creates a false sense
of comfort so no one looks deeper?


It turns out, the guy who emailed me with his computer problems only thought he fixed the virus. I assumed he did this before I saw the infection on his machine, but he did the restore before I even saw it. This restore point is probably what broke the virus and caused it to hijack me to blank pages. I got down there late last night, put in the OS disk and did fixmbr which alerted me to the fact that my MBR was altered! I can easily wipe the drive, but I might take this opportunity to learn more about setting up DNS servers.

Here's a copy of my infection source if anyone wants to see something. I'm 100% sure this is it and it was involved. I wonder if it's from the same batch that you got, Woodmann. I'm going to look further into this tomorrow. I let gmer look the computer over in safe mode after the fixmbr, although it may have restored itself during the boot to safe mode.

THIS FILE CONTAINS MALICIOUS CODE
http://www.MegaShare.com/3521003
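The frequency check proposed above (are the destinations mostly repeats, or a progressive sweep that never revisits an address?) can be run over an exported connection log. This is an added example, not code from the thread; the log format and the sample lines are constructed, using documentation address ranges.

```python
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed sample log: "<date> <time> <src> -> <dst>:<port> <result>"
LOG = """\
2011-08-18 21:03:11 10.0.0.5 -> 198.51.100.20:445 no-response
2011-08-18 21:03:12 10.0.0.5 -> 198.51.100.21:445 no-response
2011-08-18 21:03:12 10.0.0.5 -> 198.51.100.22:445 no-response
2011-08-18 21:03:14 10.0.0.5 -> 203.0.113.9:8080 syn-ack
2011-08-19 09:10:02 10.0.0.5 -> 198.51.100.23:445 no-response
2011-08-19 09:10:05 10.0.0.5 -> 203.0.113.9:8080 syn-ack
2011-08-20 09:12:44 10.0.0.5 -> 203.0.113.9:8080 syn-ack
""".splitlines()

def parse(line):
    day, _, src, _, dst, result = line.split()
    ip, port = dst.rsplit(":", 1)
    return date.fromisoformat(day), ipaddress.ip_address(ip), int(port), result

def summarize(lines):
    days = defaultdict(set)      # destination -> days on which it was contacted
    answered = defaultdict(int)  # destination -> number of attempts that got a reply
    for line in lines:
        day, ip, port, result = parse(line)
        days[ip].add(day)
        if result != "no-response":
            answered[ip] += 1
    # An address contacted on several days is a candidate rendezvous point;
    # addresses hit once and never again look like sweep targets.
    repeated = sorted(ip for ip, d in days.items() if len(d) > 1)
    one_shot = sorted(ip for ip, d in days.items() if len(d) == 1)
    return repeated, one_shot, dict(answered)

def destinations(lines):
    return [parse(line)[1] for line in lines]

def sequential_runs(ips, min_len=3):
    """Runs of consecutive addresses, the signature of a progressive sweep."""
    runs, run = [], []
    for ip in sorted(set(ips)):
        if run and int(ip) == int(run[-1]) + 1:
            run.append(ip)
        else:
            if len(run) >= min_len:
                runs.append((run[0], run[-1]))
            run = [ip]
    if len(run) >= min_len:
        runs.append((run[0], run[-1]))
    return runs
```

The address that keeps answering across days is the one worth redirecting to a monitored host, as the post suggests; the consecutive run is the scanning noise.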

Woodmann
August 20th, 2011, 00:09
Howdy,

That hard disk did not want to play in my VM.
I have no idea why. I don't have the time so
I have nothing other than the names the scanners
spit out.

I never thought it was trying to choke the router.
Interesting theory. I can understand why a ransomware
would try such a thing.

I am sticking with a bot. I don't think a router attack
would really be used except to open it up to allow maximum
connections and disable any protection the router has.

It didnt infect any other box on the network. (yet?)

I would have loved to have had the time to play with it.

Anyway, the box is connected to the internet only as of this afternoon.
I will check the logs tomorrow and see if it has tried its old tricks again.

Woodmann

evaluator
August 20th, 2011, 14:55
are, your file is just a downloader. It will download:

http://sfkdhjnsfjg.ru/pusk3.exe

evaluator
October 31st, 2011, 07:13
We should not lose this malware; uploaded unpacks.
pass: malware

/db/
November 24th, 2011, 00:23
Quote:
[Originally Posted by evaluator;91329]
We should not lose this malware; uploaded unpacks.
pass: malware


Thank you, was hoping to get my hands on this :]

esther
November 24th, 2011, 10:25
Hi,
I wasn't able to download the original file on MegaShare, anyone care to upload it here?
Thanks

evaluator
November 25th, 2011, 03:56
Didn't include it with the unpacks as "IRS document.exe"
is just a downloader.

esther
November 26th, 2011, 08:45
I thought you only uploaded the unpacked files, thanks

OHPen
November 28th, 2011, 05:20
@evaluator: the sections of the packed one are looking interesting. Is it a custom packer or some known stuff?

Regards,
OHPen.

xsk
December 3rd, 2011, 14:17
Quote:
[Originally Posted by Woodmann;90810]Hey,

I have run gmer, rubotted, rootkit revealer and reanimator.
All of them have failed except gmer which, after cleaning
what gmer found, it returned with a vengeance.
<snip>
My question is, are there any better tools out there
than the ones I am running?

Woodmann


VirusBlokAda's Anti-Rootkit beta (http://anti-virus.by/en/beta.shtml) is better than GMER for kernel mode, but not user mode. It looks at more auto-run entries, but it is not able to do userspace crossview detection, so it won't see anything which is hidden. Since you said it came back after gmer cleaning, I think that means you need to try to find the points of persistence. Or alternatively instead of just cleaning out the memory, identify what files are related to the changes and try to wipe the files (again, VBA is decent at this).