This is more of a “note to self/rant” kinda post but maybe this will help someone else out there. Yesterday a customer dropped off a PC infected with a Rogue System Utility. The Rogue said his hard drive was damaged and files were missing. He could fix his hard drive and restore the missing files by paying $89.99.
To the client it did indeed look like his files were missing, however they were simply hidden. I unhid the files and performed a system restore back to May 17th (the client asked me to do this). Once the system restore was complete I logged into Windows and everything looked perfect. The client could access the internet, his McAfee started up and started updating and then I decided to try my typical google searches to test for redirection…that’s where it started to get ugly.
Search 1: TDSS Killer. Tried to access Kaspersky.com and got redirected to scour.com. At this point I knew I had a TDSS rootkit.
Search 2: Combofix. Oddly enough I got right to Bleeping Computer and was able to download the latest version of Combofix.
I renamed combofix to random letters, disabled McAfee and then proceeded to run Combofix. Combofix ran flawlessly and found about 20 pieces of malware, however it did not find a rootkit. “Ok, maybe it wasn’t a rootkit”. I rebooted back into Safe Mode with Networking and tried getting to the TDSS Killer page again…no dice…uh oh. Combofix didn’t detect the rootkit at all.
I quickly popped in my USB stick filled to the brim with all my anti-malware tools and tried to run tdsskiller.exe. Nothing. It wouldn’t load at all. “Wow!” I thought, “a challenge!…I haven’t seen one of these in a long time”. I broke out the Kaspersky Rescue disc…it wouldn’t load. I tried a DVD and CD. “Okkkkk…now this is getting weird”. Next I grabbed that new Microsoft System Sweeper. It started to load and then promptly died with a 0x8 code. At this point I was getting tired of this crap.
I opened the PC, took out the drive and mounted it on my new PC. My new PC runs NIS 2011 and Comodo. Running a scan on C:\Windows\System32\Drivers clearly identified volsnap.sys as a TDSS variant. NIS 2011 couldn’t delete it!!! “Ok, I’ll just delete it myself.” Nope. It was protected even though the hard drive was mounted to my PC!!! “Holy crap…I haven’t seen anything like this yet”.
My next plan of action was to mount the hard drive via USB to my OSX box. The moment I plugged it in Sophos detected the Rootkit (volsnap.sys)…“bravo” I thought. However, as you may have guessed Sophos couldn’t delete it. I tried to delete it myself. Nope, still protected with some read only weirdness. I was stunned…I mean really stunned. I started thinking…“maybe this is some sort of targeted military grade type stuff…the lady did mention she was a scientist.” I admit it, I was getting paranoid.
Next I pulled out the latest version of my Ubuntu Live CD. It started to boot and even started to load…then it locked up. What a shock. “This is insane!!!” I thought.
Finally I found the solution. I was going through my CDs and spotted an old UBCD4Win from last year. It was a CD-R. “What the hell” I thought. It booted flawlessly and even allowed me to delete the Volsnap.sys rootkit. I replaced the Volsnap.sys with a good one, however at this point the PC is not booting. I used an SP3 version, so maybe that’s the problem. I’ll dig back into it tonight….stay tuned…
Oh, btw other things I tried that didn’t work either:
- Rootkit Unhooker
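The offline step above (pull the drive, mount it on a clean box, look at System32\Drivers) is where a hash baseline would have settled the volsnap.sys question, and the service-pack mismatch at the end is exactly what a per-build baseline guards against. Here is an added example of that check, not tooling from the post: it assumes the infected volume is mounted at a path you pass in and that you hold SHA-256 digests of the driver files from a clean install of the same Windows build and service pack (the sample volume and digests below are constructed).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large drivers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_drivers(mount_root, baseline):
    """Compare every *.sys under <mount>/Windows/System32/drivers to a baseline.

    baseline maps lowercase driver name -> expected SHA-256 of the clean file
    for the SAME build and service pack. Returns (name, reason, digest) tuples
    for anything that needs a closer look; a matching file produces no finding.
    """
    drivers_dir = Path(mount_root) / "Windows" / "System32" / "drivers"
    findings = []
    for path in sorted(drivers_dir.glob("*.sys")):
        name = path.name.lower()
        digest = sha256_of(path)
        expected = baseline.get(name)
        if expected is None:
            findings.append((name, "not in baseline", digest))  # unknown driver
        elif digest != expected:
            findings.append((name, "hash mismatch", digest))    # e.g. patched volsnap.sys
    return findings


def build_sample_volume():
    """Construct a fake mounted volume and baseline (sample data, not a real disk)."""
    root = Path(tempfile.mkdtemp(prefix="offline-vol-"))
    drivers = root / "Windows" / "System32" / "drivers"
    drivers.mkdir(parents=True)
    (drivers / "disk.sys").write_bytes(b"clean disk driver bytes")
    (drivers / "volsnap.sys").write_bytes(b"tampered volsnap bytes")
    (drivers / "unknown.sys").write_bytes(b"driver with no baseline entry")
    baseline = {
        "disk.sys": hashlib.sha256(b"clean disk driver bytes").hexdigest(),
        # The baseline holds the clean build's digest, so the tampered copy differs.
        "volsnap.sys": hashlib.sha256(b"clean volsnap driver bytes").hexdigest(),
    }
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_volume()
    for name, reason, digest in audit_drivers(root, baseline):
        print(f"{name}: {reason} ({digest[:16]}...)")
```

Run it against the real mount point with a baseline taken from a clean install of the matching service pack; a "hash mismatch" on a driver the vendor's scanner also flags is the file to replace, and a replacement should be hashed against the same baseline before the drive goes back in.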