My Night With A New Nasty Rootkit

This is more of a “note to self/rant” kinda post but maybe this will help someone else out there.  Yesterday a customer dropped off a PC infected with a Rogue System Utility.  The Rogue said his hard drive was damaged and files were missing.  He could fix his hard drive and restore the missing files by paying $89.99.

To the client it did indeed look like his files were missing, however they were simply hidden.  I unhid the files and performed a system restore back to May 17th (the client asked me to do this).  Once the system restore was complete I logged into Windows and everything looked perfect.  The client could access the internet, his McAfee started up and started updating and then I decided to try my typical google searches to test for redirection…that’s where it started to get ugly.

Search 1:  TDSS Killer.  Tried to access Kaspersky.com and got redirected to scour.com.  At this point I knew I had a TDSS rootkit.

Search 2:  Combofix.  Oddly enough I got right to Bleeping Computer and was able to download the latest version of Combofix.

I renamed combofix to random letters, disabled McAfee and then proceeded to run Combofix.  Combofix ran flawlessly and found about 20 pieces of malware, however it did not find a rootkit.  “Ok, maybe it wasn’t a rootkit.”  I rebooted back into Safemode with Networking and tried getting to the TDSS Killer page again…no dice…uh oh.  Combofix didn’t detect the rootkit at all.

I quickly popped in my USB stick filled to the brim with all my anti-malware tools and tried to run tdsskiller.exe.  Nothing.  It wouldn’t load at all.  “Wow!” I thought, “a challenge!…I haven’t seen one of these in a long time”.  I broke out the Kaspersky Rescue disc…it wouldn’t load.  I tried a DVD and CD. “Okkkkk…now this is getting weird”.  Next I grabbed that new Microsoft System Sweeper.  It started to load and then promptly died with a 0x8 code.  At this point I was getting tired of this crap.

I opened the PC, took out the drive and mounted it on my new PC.  My new PC runs NIS 2011 and Comodo.  Running a scan on C:\Windows\System32\Drivers clearly identified volsnap.sys as a TDSS variant.  NIS 2011 couldn’t delete it!!!  “Ok, I’ll just delete it myself.”  Nope.  It was protected even though the hard drive was mounted to my PC!!!  “Holy crap…I haven’t seen anything like this yet”.

My next plan of action was to mount the hard drive via USB to my OSX box.  The moment I plugged it in Sophos detected the Rootkit (volsnap.sys)…“bravo” I thought.  However, as you may have guessed Sophos couldn’t delete it.  I tried to delete it myself.  Nope, still protected with some read only weirdness.  I was stunned…I mean really stunned.  I started thinking…“maybe this is some sort of targeted military grade type stuff…the lady did mention she was a scientist.”  I admit it, I was getting paranoid.

Next I pulled out the latest version of my Ubuntu Live CD.  It started to boot and even started to load…then it locked up.  What a shock.  “This is insane!!!” I thought.

Finally I found the solution.  I was going through my CDs and spotted an old UBCD4Win from last year.  It was a CD-R.  “What the hell” I thought.  It booted flawlessly and even allowed me to delete the Volsnap.sys rootkit.  I replaced the Volsnap.sys with a good one, however at this point the PC is not booting.  I used an SP3 version, so maybe that’s the problem.  I’ll dig back into it tonight….stay tuned…

Oh, btw other things I tried that didn’t work either:

  • Rootkit Unhooker
  • GMER
  • Defogger
  • Hitman


, , , ,

  • Jonathan

@MALWAREKILLA : Have you tried to run DrWeb CureIT from the UBCD4WIN?

  • http://rescuenerds.com rescuenerds

Ugh, I would’ve given up right after combofix failed to remove it. I’d tell the customer it’s time to reinstall ($179) plus data recovery ($125) and some decent antivirus security ($55). It’s more work for you, but at least you’re getting paid for your time, rather than spending hours on the original problem. And the customer can be certain that the malware and all the damage it left behind is fixed. It’s interesting academically, though.

  • malwarekilla

    @Jonathan – I didn’t. At that point I just wanted this kit dead.

@rescuenerds – boy, you’re makin’ some bank roll over there in Cali. My cost on this job was $145.00 and took me about 2 hours (so far). I was waaayyy too curious to see what would take this thing out.

  • Danny

You should try the Kaspersky Rescue Disk 10 ( http://support.kaspersky.com/faq/?qid=208282173). Disinfection of infected drivers is really good.
    What do you mean by not booting? Did you run chkdsk c: /R?
    When you get this machine running you should run tcpview or tcpeye and look for suspicious connections.

  • malwarekilla

    @Danny – I did. No dice. The hard drive is fine. Volsnap.sys needs to be replaced which is what I’m going to do.

  • Danny

OK. Well, I had the same problem. I thought I solved it. The first HitmanPro scan detected the infected volsnap.sys. Ran everything else. Machine went back to my client. One day later, the problem popped up again. Eventually, I solved the problem. Just one note: if there is a low-level infection TDSS Killer and Microsoft Safety Scanner won’t run. I wish you all the best.

  • Dan

    @Malwarekilla

    You should make microsoft aware of this rogue because it sounds like this is going to be a disaster for any person who gets this.

    • malwarekilla

      @Dan – the rogue was a joke, it’s the rootkit that was flat out unbelievable.

  • malwarekilla

@Danny – thanks Danny. I’ll keep ya up to date with tonight’s findings.

  • http://realsecurity.web.officelive.com/default.aspx Paul

    Interesting story Matt. I’m glad it finally worked out for you.

  • JimBob

    @Rescuenerds

    $359? Really? That wouldn’t go over too well in this state. You’d be out of business in a week. I can buy a brand new computer for a few bucks more.

    Also, I’ve yet to see what you call ‘decent antivirus’. Most of the infected computers I see have Norton, Kaspersky, or McAfee on them. I see plenty of infected machines with free AV’s as well. But, *none* of them are bulletproof by any stretch of the imagination. That’s the whole ‘Macs don’t get viruses’ mentality…just a dream.

  • Dieselman

Matt… Are you using the latest version of Combofix? A new version comes out 2-3 times a week. Also why didn’t you go back to Dr.Web which you used last year?

  • Dieselman

    Also did you try running an exe fix? I have 3 different tools for that.

  • Dieselman

    You also could have tried NPE. Keep in mind that TDSSKiller also has a new version just released last week as well as Gmer.

  • Dieselman

    Anything past $400 is NOT worth it to the customer. Heck my gf just bought a brand new HP core i3 laptop for $449.

  • Dieselman

    BTW Matt. Check your email. Thanks.

  • MCSW

    Hi Matt
    Sounds like that was a nasty one
I do about 4 or 5 virus jobs a week. When I get a rootkit that HITMAN or others won’t remove I use WARRIOR BOOT CD; it is very good at getting rid of rootkits. Here is a link for it: http://greatis.com/security/RegRun_Warrior.htm
    keep up the good work

    • malwarekilla

      @MCSW – yeah, thanks. I found that site last night. I’m going to test it on my VM.

  • estechguy

    @malwarekilla – Is the Windows XP Pro or Home Edition or another os?

    • malwarekilla

      “@malwarekilla – Is the Windows XP Pro or Home Edition or another os?”

      Windows XP Home

  • estechguy

Also double check the attributes of the file, as well as making sure that the permissions are correct and the permissions to run are set to “SYSTEM”.

    • malwarekilla

“Also double check the attributes of the file, as well as making sure that the permissions are correct and the permissions to run are set to “SYSTEM”.”

Did that. That was my first thought, maybe it just had the wrong permissions or no permissions at all. I gave my Windows 7 box full read/write and I made myself the owner of volsnap.sys…still couldn’t delete it when it was slaved to my box via USB.

  • Dieselman

    Good point estechguy.

  • Christos

    I got one of these a few days ago (it was another rogue, but it was the same rootkit)
    How I got rid of the rootkit
    1)I took a NEW PC
    2)I used a Ubuntu Live CD on it
    3)I mounted the HDD in that NEW PC
    4)I deleted the file
    5)I grabbed an XP SP2 cd and replaced the volsnap.sys file
    6)GoodLuck!

  • ron

    Man, I’ve been seeing this same virus a lot. Nothing has been blocking it, Kaspersky, Avast, Vipre, etc…. How I fixed.
    In safe mode: Latest combofix, latest Rkill. ran malwarebytes.
    another Rkill & combofix scan. Then I was finally able to use TDSSKiller to get rid of the redirects.

Also, if it deletes all shortcuts in the start menu/desktop, you can find them on the pc still. They are in C:\Documents and Settings\your user name goes here \Local Settings\Temp\smtmp. Just copy them back to your start menu path. Hope this helps someone.

  • siketa

    I think that Comodo Cleaning Essentials would also do the trick….

  • malwarekilla

    @everyone – last night was part 2. It was sooooo interesting…almost unbelievable luck. I’ll write another giant sized post as soon as I get done working on the main server.

  • Dieselman

    Thank you Matt. Check your email also and get back to me.

  • Dieselman

We have “Malware Protector” running amok all over our network here. It’s nice that each employee is only a standard user. So when I log in as Admin nothing is there. I remove the files and folders manually from “all users” and then use MBAM to clean up any leftovers.

  • Warwagon

    @ rescuenerds

    Over charge much? I charge about $85.60 for a complete reinstall.

As far as data recovery goes, that usually just means booting to a BartPE environment, hooking an external drive up and transferring over the files they want to keep. Definitely not worth $125. Usually I’ll include everything for just $85.60. Sometimes they will get a bill for $107.00 total.

  • Carlos

    @Matt Rizos:

    Could you try IOBit Unlocker, please? It’s a freeware from IOBit (Yeah…I know many don’t like this Chinese company because they were involved in a dispute with MBAM some time ago) but, it would be worth a try if you want to unlock the Volsnap.sys from the process that is holding it as a “hostage”…. and, if you want to manually delete the offender file.

Let me know if you have any luck after trying it. I do computer work myself for people with fake AVs and other bad stuff every once in a while.

    Regards,

    Carlos

  • dan

    How about any of you guys letting us know which tools work and which don’t. Makes it easier to share info so we can all improve our skills and maybe share something others don’t know about.

  • Scott

    If you experiment on your VM with this TDSS variant, see if SpyDLL Remover and Process Hacker 2 can kill it.

    ZOU

    • malwarekilla

      @Scott – I’ve never tried SpyDLL Remover or Process Hacker, so I’ll check them out.

  • Scott

    I think you should do a video on this one.

  • googoo1876

    holly sh*t that is a scary rootkit! Wow I don’t know what I would do…

  • watchman

    Ron,

    thanks a ton. Your 5 steps worked perfectly. And yes you have to do all 5!!

  • PFromD

    Mine was Volsnap as well. Rkill followed by TDSSKiller from Safe mode did it for me.

  • RevSyd

    Oh man alive, was this thing a monster. I’m new to the field, was awake for 30 hours working on it and almost gave up. Hiding in the MBR is a stroke of evil genius. Volsnap.sys, Iexplore.exe, and ctfmon.exe were all being used as “hostage apps”. In the end I scanned and cleaned the HDD on an uninfected system, copied the contents onto a freshly partitioned HDD, and did a repair reinstall of XP to replace all the system files it had damaged. I knew I’d finally nailed it when Kaspersky TDSSkiller was able to run. I’d have nuked from orbit but of course the customer had never backed up anything or saved their program CDs.

    On the bright side I discovered your blog while searching for help. Just got a job at a repair shop, mostly removing malware, so I’ll probably be a big fan. Keep up the good fight!

  • RevSyd

    ps. Definitely give Process Hacker a look-see, it’s the best “taskbar replacement” I’ve ever used. That and Hiren’s Boot CD on a flash drive are my first go-to tools.

  • Kenneth

    Ron,

Also if you lost your icons you can go to Documents and Settings\UserName\Start Menu. Right click for properties and make sure “Hidden” is unchecked. This will bring back the default icons.

  • Stanley Krute

    I tried Ron’s steps [ Safe Mode; ComboFix; RKill; MWB; RKill; ComboFix ] . Didn’t work; TDSSKiller still wouldn’t run.

    Next try: remove HD, attach to a Linux machine, remove volsnap.sys, replace with a cleaner version.

    Auugghh this is a nasty bit of work. Worst I’ve seen in a few years.

  • http://siskiyousports.net Stanley Krute

    Haha, silly me. This particular computer runs Win2K Pro. There’s no such driver as VolSnap.sys. And yet: ComboFix reports that VolSnap.sys is infected. Strange …

    Anyways, I’ve got 24 or so hrs. in on this one. A research project that needs to come to a close. So I’ll just install a new fresh Win2K Pro Install, and use Drive Snapshot mounted backup and PC Mover Pro to put the client’s apps and documents back onto that new HD.

    First time since 2004, and the first rootkit attacks that I saw, that I’ve thrown in the towel.

  • will

    sir
    volsnap.sys Microsoft Corporation
    Volume Shadow Copy Driver or Service more commonly noted as the (VSS)
    Microsoft Windows XP Service Pack 2
    C:\WINDOWS\system32\drivers\

    The Volume Shadow Copy Service (VSS) is a set of COM APIs that implements a framework to allow volume backups to be performed while applications on a system continue to write to the volumes
    reference
    http://msdn.microsoft.com/en-us/library/bb968832%28v=VS.85%29.aspx

    Applies To:
    Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    Typically, this is a database application like SQL Server or Exchange Server, or a system service like Active Directory
    The Backup utility in the Microsoft Windows Server 2003 operating systems
    reference
    http://technet.microsoft.com/en-us/library/cc785914%28WS.10%29.aspx

Norton Ghost uses its own version of this

    that file should not be deleted unless you are sure it is infected
    the file is a service driver typically related to doing
backups, sql server 2003 2008, asp / .net programming

i believe if you can get windows to run from the disc you might be able to replace the driver correctly by expanding within ms config
    there is a command to manually expand a driver from the cab files on disc
    you would have to look that up but that will also replace the driver properly i believe

    if you really want to find out how exactly it is working i recommend downloading
Sysinternals tools from microsoft; this is a set of tools and is not a do it all application
    each is like a tool for detective work

    http://technet.microsoft.com/en-us/sysinternals

    the tutorial is more of a set of short stories documenting
    how the tools are/were used to identify specific rootkits analyze them

    http://blogs.technet.com/b/markrussinovich/

note the origins of many of these rootkits are gov/military funded and commercial
    in some cases it's the hackers who turn out to be the good guys in the whole business

    reference
    http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars/1

  • Kenneth

    Finally cleaned an infected machine:

#1 – Boot using UltimateCD
    #2 – Ran multiple cleaners (malware and antivirus); this got the machine to a usable state
    #3 – Booted to Safe Mode with prompt and ran Vipre Rescue software off a usb key
    #4 – Replaced volsnap.sys from a known good system
    #5 – Run antivirus/malware again until clean

The #4 step was all important. After step 3 the icons returned and the antivirus/malware software was able to run but it still opened up numerous unwanted windows etc. After replacing the volsnap.sys the pc was back to a workable state.
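The post and several comments (Kenneth's step #4, Christos, the author) come down to one thing: the volsnap.sys on the slaved drive is not the one Microsoft shipped, and a known-good copy has to go in its place. As an added example, not from the post or any commenter's tools, the script below hashes a known-good `system32\drivers` tree against the suspect drive's tree while it is mounted on a clean machine and reports which drivers differ, are unreadable (the tampered file resisted access even when slaved), are missing, or are unexpected extras; it assumes both directories are already mounted and readable as plain paths, and the `demo()` sample trees are constructed, not real drivers.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """SHA-256 of one file, or None when it cannot be read at all."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()

def hash_tree(drivers_dir):
    """Lower-cased name -> digest for every regular file (Volsnap.sys == volsnap.sys)."""
    return {n.lower(): sha256_file(os.path.join(drivers_dir, n))
            for n in sorted(os.listdir(drivers_dir))
            if os.path.isfile(os.path.join(drivers_dir, n))}

def compare_drivers(good_dir, suspect_dir):
    """Classify each known-good driver as ok/modified/unreadable/missing on the
    suspect drive; files with no known-good counterpart are reported as 'extra'."""
    baseline, suspect = hash_tree(good_dir), hash_tree(suspect_dir)
    report = {k: [] for k in ("ok", "modified", "unreadable", "missing", "extra")}
    for name, good in baseline.items():
        if name not in suspect:
            report["missing"].append(name)
        elif suspect[name] is None:
            report["unreadable"].append(name)
        elif suspect[name] == good:
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    report["extra"] = sorted(set(suspect) - set(baseline))
    return report

def demo():
    """Constructed sample trees (not real drivers): the suspect volsnap.sys is
    altered, its name differs only in case, and one unexpected file was added."""
    good, bad = tempfile.mkdtemp(), tempfile.mkdtemp()
    for d, vol in ((good, b"clean volsnap bytes"), (bad, b"patched volsnap bytes")):
        with open(os.path.join(d, "ntfs.sys"), "wb") as f:
            f.write(b"same ntfs bytes")
        with open(os.path.join(d, "Volsnap.sys" if d == bad else "volsnap.sys"), "wb") as f:
            f.write(vol)
    with open(os.path.join(bad, "unknown.sys"), "wb") as f:
        f.write(b"not in baseline")
    return compare_drivers(good, bad)
```

Run the same comparison again after swapping in the replacement driver: volsnap.sys should move from `modified` to `ok`, and anything still listed under `extra` or `unreadable` deserves a look before the drive goes back in the customer's machine.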

  • Gumby’s had It

    I don’t know about the rest of the civilized world, but I have reached my limit with hackers and other purveyors of deliberately harmful software. I will not hesitate to beat to death with a baseball bat any and everyone that I come across. I don’t care how old, how young, how anything. They will die very horribly and painfully, and the world will rejoice each and every maggot that we plant.


Remove-Malware Traffic Stats