WARNING: New Rootkit?


I was troubleshooting a client's computer and came across a strange
problem.  The shares I had set up on their server were randomly
dropping.  To say the least, I was quite confused.  I rebooted the
server and a Security Warning appeared prompting me if I wanted to run
svchos32.exe.  At this point, I suspected some sort of virus infection.
According to the security warning, this file was located in the
C:\Windows\System32 folder.  I made sure not to hide hidden files,
inspected the directory in question and could not find anything.  At
this point, I began thinking perhaps this could be a rootkit.  I went
to the Sysinternals website and downloaded both autoruns and rootkit
revealer.  After performing a search from the autoruns program, I
determined that the file in question was trying to start from an entry
in the registry.  The entry had a description of "Microsoft Box."
After disabling this file from starting, I have not experienced any
more problems.  I am currently running rootkit revealer and will post
my results if anything of interest appears.
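As an added check, written for this thread rather than taken from the poster or from Sysinternals, here is a PowerShell script that does by hand the part Autoruns did above: it lists the classic Run/RunOnce keys and flags any entry whose target is a svchost look-alike (such as the svchos32.exe reported) or cannot be found on disk. It assumes a Windows host and the standard Run key locations.

```powershell
# Added example, not code from the thread: enumerate the classic Run/RunOnce
# autostart keys and flag entries whose target binary is not visible on disk,
# which is what the original poster saw (an entry for svchos32.exe with no such
# file showing in C:\Windows\System32).
function Get-SuspiciousRunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $realSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            # Pull the executable out of the command line: quoted path, or first token
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # A bare name (no directory) is resolved by Windows via the search path,
            # so resolve it the same way before checking for the file
            if (-not [IO.Path]::IsPathRooted($exe)) {
                $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue
                if ($found) { $exe = $found.Path }
            }
            $leaf   = Split-Path -Path $exe -Leaf
            $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
            # Names that imitate svchost.exe but are not the real System32\svchost.exe
            $lookalike = ($leaf -like 'svchos*') -and ($exe -ne $realSvchost)
            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Target     = $exe
                OnDisk     = $onDisk
                Lookalike  = $lookalike
                Suspicious = (-not $onDisk) -or $lookalike
            }
        }
    }
}

Get-SuspiciousRunEntries | Where-Object Suspicious | Format-Table -AutoSize
```

If a kernel-mode filter of the kind described later in the thread is hiding the file, Test-Path is lied to just as Explorer was, so a missing-on-disk result is a prompt to inspect the drive from clean boot media, not proof on its own.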


Re: WARNING: New Rootkit?

animedreamer@verizon.net wrote:


You could additionally try F-Secure's Blacklight, which not only scans
for rootkits but also should be able to remove them:
http://www.f-secure.com/blacklight/try.shtml

Gabriela

Re: WARNING: New Rootkit?



But if you've been owned enough to have a full rootkit installed on a
given machine, you'd be completely nuts to trust any tool to remove a
rootkit.  :-)

You'd want to reformat and reinstall from original media.

Good info on blacklight's capabilities though!

--
Todd H.
http://www.toddh.net/

Re: WARNING: New Rootkit?

comphelp@toddh.net (Todd H.) wrote:


I agree. Because you never know what someone might already have
(remotely) done with it.


You're right. If it was my machine, I wouldn't trust it anymore,
unless it got formatted and reinstalled.

But in my opinion: Between "don't do anything about the malware" and
"format and reinstall" there's the "remove malware" option, which is
still a bit (only a *little* bit!) better than doing nothing.

Gabriela

Re: WARNING: New Rootkit?



But that is ancillary to the removal of the rootkit, just as removing a backdoor
may be simple - but you don't know what else was done while it was active.


If I had reason to believe that it wasn't actually used maliciously, I would
just remove it.  Otherwise, that's what a good backup strategy is for.


:))



Re: WARNING: New Rootkit?




In this instance, a rootkit could be a single program - and easily removed


Rootkits ain't what they used to be. It could be as simple as a filter driver
that hides the presence of one directory from the system's utilities by filtering
data returned from the file system before the utility gets it.

...it used to mean you were completely hosed by the presence of multiple
trojaned executable files


