Recently, two of my “high risk” Internet users caught a nasty spell of malware. How nasty? Try rootkit nasty! Rootkits go above and beyond spyware by replacing system files and concealing themselves from system utilities. The first PC had a combination of spyware named TSPY_QQPASS.BUY and a rootkit named Greypigeon. Both PCs had the latest version of Symantec Corporate Antivirus with the latest virus definitions.
I will once again voice my displeasure with Symantec. They claim that SAV does greyware detection and therefore you should disable Windows Defender if you are running Windows Vista. However, this is the second time in 3 months that Symantec has completely failed us. It did detect the spyware on the first PC, but it was unable to clean it. It was also impossible to unload or terminate SAV to clean off the virus, as it pops up in your face every time you try to delete a file. Removing the spyware was impossible: I spent over 2 hours trying to get it off, only to have the executables keep returning. I ended up doing a System Restore within Windows XP to restore startup sanity and then cleaning up the dormant spyware files by hand (neither Symantec nor McAfee would identify the majority of the bad files; I ended up Googling some of the files I kept seeing reappear, like “gg.exe” and “zz.exe”, then backtracked other filenames mentioned in the article, like newinfo.rxk, and deleted those one by one).
The spyware was clever, quite clever actually. Most spyware files are dated with the date they infect the system. However, this spyware was pre-dated back to August 2004, along with most of the other legitimate Windows files. Someone went to a lot of trouble to keep this stuff hidden: this is the date that Service Pack 2 was released for Windows XP, so most legitimate Windows files are dated 8/4/04. The spyware also took on legitimate-looking Windows names, such as rpcs.exe and svchost.exe. Not being digitally signed, however, gives them away.
On to the next PC…this time it was called into the Help Desk as a problem with Microsoft Excel. It seems that data in Excel wasn’t scrolling when the user scrolled with the mouse cursor using the right side bar. Excel was also slow and “crash prone”. I suggested we try to remove Microsoft Office and reinstall it. Upon trying to do this, I noted the system was extremely sluggish. Opening the process list in Process Explorer revealed 4 copies of svchost.exe running (unsigned, of course), along with something called rpcs.exe that was kicking off iexplore.exe and other files such as “nortons.exe” and “winform.exe”. Cleaning this up was actually easy: using a combination of Process Explorer and Autoruns, I was able to clean off most of the bad guys, except that rpcs.exe kept showing back up after reboots.
Unfortunately, Rootkit Revealer would just freeze up on this system. I then tried the System Repair Engineer from kztechs.com. Right away SRE lets me know that something is wrong:
Clicking on details gives me this:
The really funny part is that if you go into Windows Explorer and browse to C:\windows\pss, you will see nothing there. That’s because this rootkit is intercepting our calls to list this directory and is feeding us false information. If you were to boot from BartPE, you would actually see the files there. We’ll proceed to the Smart Scan within SRE…all this does is create a text report of any bad stuff going on with our system. From this report, we are warned once again about C:\windows\pss\3.dll being a dangerous API hook, as well as 3.exe running as a hidden process. SRE also goes through the services and shows us any services that aren’t digitally signed. I find that Greypigeon installed a service for us! Pigeons usually crap all over the place and this is no exception: attacking via a service is not a common attack vector and therefore will likely get missed (I missed it myself the first few passes).
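The two tells this post relies on, an image that is not digitally signed and a core Windows binary name such as svchost.exe living outside System32, can be checked across every running process and installed service in one pass. The following PowerShell triage script is an added example, not code from the original post or from any of the tools it mentions; it assumes Windows PowerShell 3 or later with admin rights, and the list of core binary names is my own choice.

```powershell
# Added triage script (not from the original post). Flags process and service images
# that are unsigned, or that carry a core Windows binary name while living outside
# System32 (the post's rogue svchost.exe copies), and prints each file's mtime so a
# backdated 8/4/04 timestamp on an unsigned binary stands out.
# Caveat: a rootkit hooking the process/file APIs (like the post's hidden 3.exe) can hide
# entries from this user-mode view; rerun from a clean boot such as BartPE if in doubt.

$System32  = Join-Path $env:SystemRoot 'System32'
# Names the post saw abused; genuine copies live only in System32 (assumed list).
$CoreNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe')

function Test-ImageFile {
    param([string]$Path, [string]$Source)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Source = $Source; Path = $Path
                                  Reason = 'image path missing or unreadable' }
    }
    $name  = [IO.Path]::GetFileName($Path)
    $dir   = [IO.Path]::GetDirectoryName($Path)
    $mtime = (Get-Item -LiteralPath $Path).LastWriteTime
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path
    # -contains and -ne are case-insensitive in PowerShell, matching NTFS semantics.
    if (($CoreNames -contains $name) -and ($dir -ne $System32)) {
        return [pscustomobject]@{ Source = $Source; Path = $Path
                                  Reason = "core binary name outside System32 (mtime $mtime)" }
    }
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Source = $Source; Path = $Path
                                  Reason = "Authenticode status $($sig.Status) (mtime $mtime)" }
    }
}

# Running processes. ExecutablePath is null for the System/Idle pseudo-processes and
# for processes we lack rights to; those are reported rather than silently skipped.
$findings = @(Get-CimInstance Win32_Process | ForEach-Object {
    Test-ImageFile -Path $_.ExecutablePath -Source "process $($_.Name) pid $($_.ProcessId)"
})

# Installed services (the post's Greypigeon service was unsigned). PathName may be quoted
# and may carry arguments, so pull out the executable first. Unquoted paths that contain
# spaces are a known limitation of this simple regex.
$findings += @(Get-CimInstance Win32_Service | ForEach-Object {
    $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($_.PathName -match '^(\S+)') { $Matches[1] }
           else { $null }
    Test-ImageFile -Path $exe -Source "service $($_.Name)"
})

$findings | Sort-Object Source | Format-Table -AutoSize
```

Expect a handful of legitimate hits on an older box (unsigned third-party drivers, OEM services); the combination of an unsigned image, a core Windows name and a path under a user-writable directory is what merits a closer look.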
SRE also has a few nifty repair utilities built in, including the ability to restore hijacked file extensions, restore Winsock to its default state, restore default Windows policies and restore safe mode services (some spyware removes the Safeboot key to keep you from booting into safe mode to remove them). Unfortunately, SRE cannot terminate hidden processes or delete locked files: we have to use Icesword for that. Icesword was written in Chinese and translated to English, so you don’t get any documentation with it. However, it’s pretty easy to use, and who ever reads documentation anyway? As Dogbert once said: “While you’re waiting, read the free novel we sent you. It’s a Spanish story about a guy named ‘Manual’.”
We can click on the Process icon and find our victim:
We can then go back into SRE and delete the GreyPigeon service:
If someone could combine Autoruns, Process Explorer, Icesword and SRE into one product, that would be so cool!
If you want to play around with this rootkit, I’ve uploaded it here. Make sure you only load it into Virtual PC or VMware and not on your PC! THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY AND I CANNOT BE HELD RESPONSIBLE FOR ANY RESULTS YOU GET FROM RUNNING IT! YOU HAVE BEEN WARNED!
So the lesson here is that just because a user gets malware does not mean we have to wipe the machine. What would we learn if we wiped the machine? Interacting with various types of malware and program bugs brings us a closer understanding of the operating system.
– Soli Deo Gloria