Part 2 of “My Night With A New Nasty Rootkit”

Let me just start by saying that I’m fried from last night.  I was up until 1 am getting 2 clients fixed and ready for pickup, so I’m not sure if this story will translate out to how amazing I thought it was.

Anyway…

So, I get home yesterday around 7 pm and go right to work on the PC that *had* the volsnap.sys rootkit (~53kb).  I replaced volsnap.sys with a good one (~24kb), rebooted and….doh…BSOD 0x7B.  So, I went back to the BART cd and ran:

  • Dr. Web Cureit
  • SAS
  • Avira

All of them came up clear.  I was like…”grrreaaat…something is calling the malicious code in the 53kb version of the volsnap.sys….hmmm…maybe it’s a MBR (bootkit)”.  I then proceeded to run FIXBOOT and FIXMBR to wipe any MBR rootkit. ….annnnndddd….BSOD again…of course.

Now I was pissed.  I had to figure this out because I knew I would be seeing a lot more of these in the next few days/weeks.  I decided I’d try my bootable Norton Rescue Disc to see if it would spot anything.  While that was loading I started setting up client number 2.

This is where it got interesting for me.

Client 2 said she had a fake antivirus.  I tried to boot into safe mode with networking….0x7B!!!  Ahhhhh…I’m going insane from this sh*t tonight.  “I can’t believe it” I thought “I think I’ve got another one already!”.

I popped the BART CD in her computer and it started fine.  My mind was racing to find out if she had a ~53kb volsnap.sys….and she did!!!  “Ha!  I knew it!”

…..now I started thinking….I can’t figure out how to make the first client boot.  The 0x7B was seriously cramping my Thursday night party night.  What if I grab the volsnap.sys rootkit from her machine and put it back in the machine that was giving me the 0x7B (client #1, the first client)?  I bet it’ll boot and then I can see if those Combofix guys have a fix for this variant yet.

Voila!!!  The PC started booting into normal Windows Mode.  I loaded the absolute latest version of Combofix ….annnnnd thank the computer gods it found “Rootkit Activity”!!!   Combofix ran and took care of the rootkit.  After the Combofix run I ran TDSS Killer without any issues.
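The check this whole night boils down to is an offline one: with the infected disk mounted from a rescue CD, compare volsnap.sys against a known-good copy. Below is an added example of that triage in Python (not code from the post or from any of the tools it mentions). It assumes the drivers folder of the infected volume is mounted at a path you supply, that a clean size and SHA-256 were recorded from a trusted machine or install media beforehand, and that the baseline hash shown is a placeholder you replace with the real one.

```python
"""Offline triage of a mounted Windows drivers folder for a tampered volsnap.sys."""
import hashlib
import os
import tempfile

# Sizes from the post: clean volsnap.sys ~24 KB, rootkit-patched copy ~53 KB.
# The hash is a labelled placeholder; record the real SHA-256 from a clean source.
BASELINE = {
    "volsnap.sys": {"size": 24 * 1024, "sha256": "<sha256-of-clean-volsnap.sys>"},
}
SIZE_SLACK = 0.25  # tolerate 25% size drift between Windows builds before calling it suspect


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_drivers(drivers_dir: str, baseline: dict = BASELINE) -> list:
    """Return (name, verdict, detail) for every baselined driver in drivers_dir."""
    findings = []
    for name, ref in baseline.items():
        path = os.path.join(drivers_dir, name)
        if not os.path.isfile(path):
            # A missing boot-start driver also ends in STOP 0x7B (INACCESSIBLE_BOOT_DEVICE).
            findings.append((name, "MISSING", "file absent; Windows will not boot"))
            continue
        size, digest = os.path.getsize(path), sha256_of(path)
        if digest == ref["sha256"]:
            findings.append((name, "CLEAN", f"{size} bytes, hash matches baseline"))
        elif abs(size - ref["size"]) > ref["size"] * SIZE_SLACK:
            findings.append((name, "SUSPECT", f"{size} bytes vs ~{ref['size']} expected, hash differs"))
        else:
            findings.append((name, "UNVERIFIED", f"{size} bytes is plausible but hash differs"))
    return findings


def make_sample_drivers(size_bytes: int) -> str:
    """Constructed sample input: a temp folder holding a volsnap.sys of the given size."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "volsnap.sys"), "wb") as f:
        f.write(b"\x00" * size_bytes)
    return d


if __name__ == "__main__":
    for name, verdict, detail in triage_drivers(make_sample_drivers(53 * 1024)):
        print(f"{verdict:10s} {name}: {detail}")
```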

The client picked up his machine with no clue of what I went through to make him a happy, referring customer.

…and yeah…I still have Client #2 to work on when I get home 😛


19 Responses to Part 2 of “My Night With A New Nasty Rootkit”

  1. Warwagon June 3, 2011 at 7:04 pm #

    Thanks for the Info Matt. Gonna add this to my notes.

  2. malwarekilla June 3, 2011 at 7:09 pm #

    @Warwagon – sure, hope it helps a few people out there.

  3. dan June 3, 2011 at 7:29 pm #

    matt, great job!

  4. malwarekilla June 3, 2011 at 7:52 pm #

    @dan – Thanks Dan!

  5. estechguy June 3, 2011 at 8:16 pm #

    @malwarekilla – Thanks for the info!!! The best computer guys find out what is wrong and fix it rather than reinstalling the OS. Also, I wanted to say thank you for all you have done on YouTube and remove-mlaware.com. It Rocks! (: I would not be where I am today with being involved with tech if it wasn’t for you. Once I found your YouTube channel things started to spring off. Everything you have done is very much appreciated. That is at least by me. (;

    • malwarekilla June 6, 2011 at 8:01 pm #

      @estechguy – thanks for the compliments!

  6. wasgij6 June 3, 2011 at 9:31 pm #

    Hey Matt, have you given Comodo Cleaning Essentials a try?
    They just released 1.7 today:
    “What’s new in CCE 1.7.192479.98?
    IMPROVED: More powerful disk access method which can detect tough hidden rootkits
    IMPROVED: Latest anti-virus engine integrated
    FIXED: Hidden services FP under certain circumstance
    FIXED: CCE can now detect and remove all TDL3/4 rootkits
    FIXED: CCE hangs before system restarts in x64 system”

    DACS is still being developed so its still not back in this version

    • malwarekilla June 6, 2011 at 8:02 pm #

      @wasgij6 – yeah, I’m going to try Comodo Clean Essentials. Sounds like a good video too.

  7. Sheen June 4, 2011 at 1:16 am #

    Damn awesome Matt, Thank you for making time posting it here. That’s why everyday I check this one 😉

    More power!

    • malwarekilla June 6, 2011 at 8:02 pm #

      @Sheen – thanks Sheen!

  8. Scott June 5, 2011 at 1:51 am #

    @Matt Rizos

    Please do a video on that TDSS variant with Process Hacker 2 and SpyDLL Remover (resplendence.com).

    Thanks for the entertainment.

    ZOU

  9. Carlos June 6, 2011 at 4:00 am #

    To: Matt Rizos

    Matt, I’ve been looking forward to watch a video of Comodo Internet Security version 5.4 (their latest) made by you. Although, it did not receive a certification by AV-Test.org when tested, it was partly because it scored too low on the USABILITY testing due to it flagged some legitimate files as malware and thus, had false positives. On the other hand, it scored decently on PREVENTION. Last time you tested this suite was version 4 and it happened either last year or the year before. I’m not a Comodo user myself but I’m exploring several FREE anti-malware alternatives when my subscription to ESET NOD32 v4.2 runs out within a month. I’m increasingly getting tired of this yearly renewal cycle, I think I need a rest.

  10. Shaun Zhang June 6, 2011 at 5:23 am #

    Comodo Internet Security version 5 has a secure DNS, that can block some malware websites, when you are doing a review on Comodo Internet Security, make sure you choose to enable the comodo DNS during installation when it asks you to, to do this, choose ‘I would like to use Comodo secure DNS servers’ when the comodo DNS configuration screen shows up during installation of Comodo Internet Security

  11. wasgij6 June 6, 2011 at 5:49 am #

    i am a comodo user and their dns is alright
    they are working on SiteInspector
    it is only an on demand site checker for now but they want to integrate it into cis and comodo dragon by the end of this year

    Check it out, it’s extremely useful and accurate:
    http://siteinspector.comodo.com/

    it checks for many different things on a website
    it acts as a vulnerable user and tracks what the site does
    This is what it checks for: “SI now detects buffer overflow attacks, JS files with suspicious code, IE crashing, malicious files, malicious scripts, it uses few blacklist, has ip matching, detects suspicious file/registry modification, detecting of a pdf exploits (starting acrobat reader) as well.”

    http://forums.comodo.com/siteinspector-b240.0/

  12. thomas June 6, 2011 at 9:40 pm #

    nice post Matt! It is nice to see that you don’t give up easily!

  13. Jonathan Baker June 7, 2011 at 3:17 pm #

    Just a heads up: another easy way to fix these (I am seeing a lot of them lately as well) is to hook up the infected hard drive to another computer and scan with Microsoft Security Essentials, and it fixes the Volsnap.sys rootkit.

  14. dan June 20, 2011 at 5:02 pm #

    matt,

    Just to let you know, the Kaspersky Rescue Disk is able to disinfect this rootkit. I had an issue with Windows Vista where it had the bluescreen. Could not get into Windows in normal mode or in safe mode. I even tried disabling automatic restart on system failure when you press F8 and no dice. I was trying to avoid having to reinstall everything. Just out of curiosity I tried the Kaspersky CD and it was able to run and disinfect the infected file.

  15. Sethdood June 24, 2011 at 9:00 am #

    Too late for me!

    On a client’s PC I decided to treat this guy like average malware, and it was a HUGE mistake, because I wound up with essentially your night #1 - no working volsnap.sys and a BSOD, with no CDs able to boot at all except for UBCD4win. Really weird how only that one works! My guess is it has something to do with how UBCD is somehow coded to force the BIOS into booting - no “…to boot from cd…” option with CDROM drive 1st in the boot order, it just goes. Unfortunately I do NOT have a second infected machine to copy the old infected volsnap.sys file from. Been through lots of different file recoveries and nothing is finding the deleted file. There doesn’t seem to be a solution after this point, I can’t even get to a CLEAN volsnap.sys to copy over! Now I get to sit here copying his files over from his drive, once I rip it out, as I declare his machine dead.

    • malwarekilla June 24, 2011 at 6:02 pm #

      @Sethdood – ouch! I really feel your pain on this man. I just got lucky…
