Part 2 of “My Night With A New Nasty Rootkit”

Let me just start by saying that I’m fried from last night.  I was up until 1 am getting 2 clients fixed and ready for pickup, so I’m not sure if this story will translate out to how amazing I thought it was.


So, I get home yesterday around 7 pm and go right to work on the PC that *had* the volsnap.sys rootkit (~53kb).  I replaced volsnap.sys with a good one (~24kb), rebooted and….doh…BSOD 0x7b.  So, I went back to the BART CD and ran:

  • Dr. Web Cureit
  • SAS
  • Avira

All of them came up clear.  I was like…”grrreaaat…something is calling the malicious code in the 53kb version of the volsnap.sys….hmmm…maybe it’s a MBR (bootkit)”.  I then proceeded to run FIXBOOT and FIXMBR to wipe any MBR rootkit. ….annnnndddd….BSOD again…of course.

Now I was pissed.  I had to figure this out because I knew I would be seeing a lot more of these in the next few days/weeks.  I decided I’d try my bootable Norton Rescue Disc to see if it would spot anything.  While that was loading I started setting up client number 2.

This is where it got interesting for me.

Client 2 said she had a fake antivirus.  I tried to boot into safe mode with networking….0x7b!!!  Ahhhhh…I’m going insane from this sh*t tonight.  “I can’t believe it,” I thought, “I think I’ve got another one already!”

I popped the BART CD in her computer and it started fine.  My mind was racing to find out if she had a ~53kb volsnap.sys….and she did!!!  “Ha!  I knew it!”
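The file-size check described above (a ~53kb volsnap.sys where a clean one is ~24kb) is the kind of thing worth scripting when you expect to see the same infection on several machines. The following is an added example, not code from the original post: a small triage script you would run from a boot CD against the offline Windows volume. It compares the driver's size and SHA-256 against a baseline; the baseline size and hash here are placeholders and the driver path, tolerance and demo file are all constructed assumptions (a real baseline comes from a clean install of the same Windows build).

```python
import hashlib
import tempfile
from pathlib import Path

# PLACEHOLDER baseline for a known-good volsnap.sys. Real values must come from a
# clean install of the same Windows build; the size is only the rough ~24 KB the post mentions.
BASELINE_SIZE = 24_000
BASELINE_SHA256 = "<known-good sha256 placeholder>"


def sha256_of(path):
    """Hash the file in chunks so large drivers do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver(path, baseline_size=BASELINE_SIZE,
                 baseline_sha256=BASELINE_SHA256, tolerance=0.10):
    """Classify an offline driver file against the baseline.

    Returns a dict with a 'status' of:
      missing    - the file is not there (itself worth a look on a non-booting box)
      ok         - hash matches the known-good baseline
      suspicious - hash does not match AND size is off by more than `tolerance`
      unknown    - hash does not match but size is plausible (e.g. a different
                   legitimate build); compare against vendor hashes before trusting it
    """
    p = Path(path)
    if not p.is_file():
        return {"status": "missing", "path": str(p)}
    size = p.stat().st_size
    digest = sha256_of(p)
    if digest.lower() == baseline_sha256.lower():
        return {"status": "ok", "size": size, "sha256": digest}
    if abs(size - baseline_size) > tolerance * baseline_size:
        return {"status": "suspicious", "reason": "size deviates from baseline",
                "size": size, "sha256": digest}
    return {"status": "unknown", "reason": "hash not in baseline",
            "size": size, "sha256": digest}


def check_offline_volume(mount_root):
    """Check volsnap.sys under a mounted offline Windows volume (e.g. a drive letter from a boot CD)."""
    driver = Path(mount_root) / "Windows" / "System32" / "drivers" / "volsnap.sys"
    return check_driver(driver)


def demo():
    """Constructed demo: a fake offline volume carrying an oversized (~53 KB) volsnap.sys."""
    with tempfile.TemporaryDirectory() as d:
        drivers = Path(d) / "Windows" / "System32" / "drivers"
        drivers.mkdir(parents=True)
        (drivers / "volsnap.sys").write_bytes(b"\x00" * 53_000)  # constructed sample
        return check_offline_volume(d)


if __name__ == "__main__":
    print(demo())
```

Run it with the mounted volume root in place of the temp directory; anything that comes back `suspicious` gets quarantined and replaced only with a driver taken from the same Windows build, since the wrong version is exactly what produced the 0x7b stop above.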

… I started thinking….I can’t figure out how to make the first client boot.  The 0x7b was seriously cramping my Thursday night party night.  What if I grab the volsnap.sys rootkit from her machine and put it back in the machine that was giving me the 0x7b (client #1, the first client)?  I bet it’ll boot and then I can see if those Combofix guys have a fix for this variant yet.

Voila!!!  The PC started booting into normal Windows Mode.  I loaded the absolute latest version of Combofix ….annnnnd thank the computer gods it found “Rootkit Activity”!!!   Combofix ran and took care of the rootkit.  After the Combofix run I ran TDSS Killer without any issues.

The client picked up his machine with no clue of what I went through to make him a happy, referring customer.

…and yeah…I still have Client #2 to work on when I get home 😛
