Crap, my computer has been rootkitted

Posted by: fredk

Crap, my computer has been rootkitted - 09/15/12 04:40 PM

Any of the IT guys here have any experience with the zeroaccess virus?

I got hit by a fake antivirus the other day and instead of immediately booting into safe mode I tried to remove it and think I ended up installing the rootkit (via elevated process on Vista).

I'm going to restore from an Axronis image to clean up the computer, but the image is old, so I'm copying some files from my desktop onto a thumb drive.

I know this is a nasty botnet virus, so I want to be cautious.

My questions are as follows:

1. Do I need to be concerned with this virus propagating onto the thumb drive? Thumb drives are cheap and the data I copied is useful, but not critical. I'll toss the drive if there is a risk.

2. Might this virus insert itself into data files on the computer? I've partitioned the drive so that I can restore just the OS onto a system drive. In the past that has been sufficient to clean up infections. Again, I want to be extra cautious.

Thanks.
Posted by: Ken.C

Re: Crap, my computer has been rootkitted - 09/15/12 06:47 PM

I would use something like this: http://www.symantec.com/security_response/writeup.jsp?docid=2011-121607-4952-99

Generally they work ok, and then you won't have to roll it back.
Posted by: fredk

Re: Crap, my computer has been rootkitted - 09/15/12 09:50 PM

Well, mixed results from that. It seems to have removed something as my AV is back, Something nasty is still trying to load and is being blocked by the AV. I'm running a full scan now.

Update service is gone as are a few other services. Trying to use the Catalyst Control Center results in a bluescreen.

I'll try a repair install of the OS when the scan is done.

I'm not entirely convinced the computer is clean though. I may still re-image.
Posted by: Ken.C

Re: Crap, my computer has been rootkitted - 09/15/12 10:07 PM

Do you have system restore turned on? I would try reverting to a checkpoint about a week in the past if so. That'll also save you some time.
Posted by: fredk

Re: Crap, my computer has been rootkitted - 09/16/12 01:29 PM

Well, no restore points. The scan picked up 8 or 9 virus files, all in temp directories.

I still feel more comfortable with doing an image restore to make absolutely sure my system is clean. Too bad I havn't kept more up to date on my imaging. blush It won't make a big difference as I have not changed the system much over time. I'll have an hour or so of updates to install.
Posted by: J. B.

Re: Crap, my computer has been rootkitted - 09/16/12 01:38 PM

before doing an image restore, i would prefer to use the system after the cleanup; it might be ok and then you will not spend hours restoring it.
if it's still there, you will soon know.
Posted by: Ya_basta

Re: Crap, my computer has been rootkitted - 09/16/12 06:13 PM

Fred, have you considered using the free services from agents on a website like Bleeping Computer? I had a nasty virus a couple years ago, and with the assistance of an agent from the same site, my computer was virus free and in perfect working order. Here's a recent thread regarding the same trojan that was removed.
Posted by: fredk

Re: Crap, my computer has been rootkitted - 09/16/12 06:14 PM

From Symantec:
Quote:
Furthermore, it opens a back door and connects to a command and control (C&C) server, which allows the remote attacker access to the compromised computer. The attacker is then able to perform any number of actions on the computer, and the computer may then become part of a wider botnet.

This is why I am concerned. If this was nuisance malware, I would clean up and wait. If my computer is now part of a botnet, I'm not so sure I would see obvious activity.
Posted by: fredk

Re: Crap, my computer has been rootkitted - 09/16/12 06:16 PM

Cam. I started at Bleeping computer. It was one of their tools that detected signs of zeroaccess.
Posted by: Ya_basta

Re: Crap, my computer has been rootkitted - 09/16/12 06:35 PM

Originally Posted By: fredk
Cam. I started at Bleeping computer. It was one of their tools that detected signs of zeroaccess.


Did an agent pick up your case?
Posted by: Murph

Re: Crap, my computer has been rootkitted - 09/17/12 09:10 AM

I'm no expert on removals but to add some unwelcome pessimism, be sure to check your system carefully after system restores. Even a full format & reinstall of the OS can be reinfected in seconds after the first full boot up. Some of the more sinister packages out there are now downloading fake bios updates for components. These infected components (once untouchable) remain infected and can trigger the reintroduction of the unwanted package.

For those wondering WTF I am talking about, I'll try to explain.
One of the nice things about being connected to the Internet is that if you buy buggy hardware, there is often an update available as a download to fix it. What used to be permanent ROM on motherboards and components is now up-datable and the extremely ambitious villains are now taking advantage of this.

As a very recent axample that I have seen first hand, a former workmate of mine has been struggling for over a month now after realizing his laptop was hijacked by some malicious code. Even though he is a computer geek of the elite kind, he only became aware of this after becoming a waypoint for a DOS attack and had his ISP send his IP to nullsville land for a while. In short, he was denied any and all Internet access and was told he was part of a DOS attack when he called the support line to see what was up.

After multiple failed removal attempts, restore points, system wipes, installing alternate OSs from USB sticks, etc. He used a utility in Linux to look at all the BIOS loads on his hardware and discovered that the BIOS for his onboard video card had a suspicious looking name to it. Further research showed that this was indeed an infected copy of the manufacturer's BIOS and was likely loaded by a trojan like zeroaccess that has the ability to download and install other items.

So far, the code in the BIOS is holding open thousands of ports that any software firewall can't seem to overcome and if you go so far as to try and format your machine clean, it simply waits happily on the video card for you to reboot and then re-downloads an appropriate virus package for your OS. So far it has instantly infected WindowsXP, Windows 7 and 2 flavors of Linux.

Running an OS from a read only USB drive prevented the full package be reinstalled but its' not perfect and his ports are still wide open so his laptop can only be used for limited functionality.

He tried downloading the BIOS update from a clean machine, placing it behind a hardware firewall, booting from a protected USB and then finally running the BIOS update but the BIOS no longer allows itself to be updated. He tried calling the makers of the card but could not receive anything past the usual scripted support answers to his very specific questions on BIOS updates.

He still has it isolated behind a hardware firewall to keep it clean from the secondary infection that makes him a DOS relay but he can't close his ports or remove the bad BIOS.

My super advanced technical advice was to brick the damn thing. It's a 2 year old laptop that was under 400.00 new. He is determined to figure it out as a personal challenge now. So far, he remains defeated.

Rewriting a BIOS would be no simple task and the location the DOS attack was targeting combined seem to indicate that this was more than just the efforts of a muddling teen in a basement trying to get a few VISA numbers.

ANYWHOOOO
I know that didn't help at all but I thought some people on here might find it to be an amusing story.
Posted by: pmbuko

Re: Crap, my computer has been rootkitted - 09/17/12 09:45 AM

Remind me to check the MD5 hashes of all the firmware/BIOS updates I download from now on.
Posted by: MarkSJohnson

Re: Crap, my computer has been rootkitted - 09/17/12 11:14 AM

Originally Posted By: Murph
I thought some people on here might find it to be an amusing story.


I think the word you were looking for was scary!
Posted by: fredk

Re: Crap, my computer has been rootkitted - 09/17/12 04:44 PM

Originally Posted By: Murph
I'm no expert on removals but to add some unwelcome pessimism, be sure to check your system carefully after system restores. Even a full format & reinstall of the OS can be reinfected in seconds after the first full boot up. Some of the more sinister packages out there are now downloading fake bios updates for components.

Thanks for reinforcing my paranoia. I'll put that second tinfoil hat on now. I was discussing this exact thing with my son last night. I had wondered, but this is the first I had heard of this sort of hack.

Is there an easy way to ckeck if the BIOS has been flashed? Geez I didn't even know that video cards had their own bios.

Cam. I kept asking for agent 99, but they just put me trough to this wierd Max guy.
Posted by: Murph

Re: Crap, my computer has been rootkitted - 09/19/12 08:49 AM

I don't think that this is what you have Fred but if you come to suspect it, he took extensive notes that I can get you.

I can't remember what utility he was using to list BIOS versions but I'll ask tonight and here is what I do remember he said.

He thinks it is something called "Mebromi" although I am probably spelling that wrong. It only supposedly effects BIOS versions created by Award. This makes sense, I guess, as you would have to code your package very specifically to the BIOS code you are targetting. His MB is a Phoenix Technologies so if you have a Phoenix MB with Award BIOS, you might check closer. His video card is onboard on the MB and it appears that is the video BIOS files it seemed to modify. Who knows, it may be infecting the main BIOS as well but it seems to match. Dunno, just going by what he tells me. I refuse to get sucked into troubleshooting this with him as he is extremely obsessive and I suspect this will engulf him for years if he can't fix it. He is already hanging out in the scariest of newsgroups trying to find an SME to help him.

It seems to instantly rewrite the master boot record and then hides downloaders and stuff all over the place. Removal tools tend to just make his drives unbootable and he has to load an OS from a protected USB and reformat then reinstall an OS which instantly gets re-infected.

Until a tool is created that successfully patches his BIOS back to normal, he is screwed. One benefit I suppose, he is learning a lot about the deep intricacies of Linux as he is mainly using that as his safe boot tool from USB.
Posted by: fredk

Re: Crap, my computer has been rootkitted - 09/20/12 12:18 AM

Originally Posted By: Murph
I don't think that this is what you have Fred but if you come to suspect it, he took extensive notes that I can get you.

::peeks out from under triple lined tinfoil hat::

You don't? Actually I don't either, I just wonder how you figure out if you are. Your friend did not catch the infection until his ISP shut him down.

The plan now is to buy a small SSD and put the OS on there. I can then use the HDD for data.
Posted by: Murph

Re: Crap, my computer has been rootkitted - 09/20/12 07:54 AM

Sounds like Peter could explain that much better than I could. In this case, he started noticing misnamed .DLL files. This didn't lead to BIOS suspicions of course but when he couldn't clean and reinstall without being reinfected, he struggled for a while then eventually remembered his Linux dual boot side had used something called "TPM" to store secure copies of his BIOS and he compared the hashes and they no longer matched. He tried to patch the BIOS but could not. Something like that anyways. Honestly, it is deeper than I have the water wings for.

After that he rambled for about 20 minutes about all the linux based things he tried and lost me. Sorry.
Posted by: MarkSJohnson

Re: Crap, my computer has been rootkitted - 09/20/12 08:56 AM

Originally Posted By: Murph
After that he rambled for about 20 minutes about all the linux based things he tried and lost me. Sorry.

Heard the "peeping frogs", huh?