rootkit

External Since: Jun 15, 2005 Posts: 14

Guy here reckons there's very little on the net about the
rootkits that are going round at the moment, and suggested I
post what we came up with here. Of course it only covers the
couple we've worked on, but may be useful for others.
So:

One of several worms, usually a variant of Sdbot, drops a copy
of itself in the Windows folder and a rootkit in file RDRIV.SYS
to the system folder; filenames we’ve seen for the worm are
WKSSVC.EXE and NTSUBSYS.EXE. Note that there may be valid files
with these names in Windows\system32.

The worm itself is not usually detected as a virus: only the
RDRIV file is detected. Sometimes the only obvious symptom is
that your antivirus keeps switching itself off.

Whenever the RDRIV file is deleted it is recreated by the worm.
To discover what recreates RDRIV, first boot into Safe Mode
(RDRIV is used as a service in normal mode). Then open
RDRIV.SYS in Notepad, edit the content in some way so that it’s
no longer a valid .sys file, and after saving it, make it read
only. After re-booting to normal Windows mode, the worm will
see that the RDRIV service is not running and try to rewrite
the file, but will be unable to access it. In the event
application viewer you will see a program is attempting to
create a service but fails with the message “invalid DLL or
system file”. The freeware program Process Explorer from
SysInternals.com can be used find the executable doing this and
to delete it: the process loads every 3 seconds and you
doubleclick on it when it appears and can delete the file. You
MUST ensure that “View Hidden System Files” is ticked in the
explorer options. You could then delete RDRIV.SYS without it
reappearing, but it may be wise to leave the dummy version you
created earlier.

Next you need to sort out the registry entries that the worm
has created or modified:-

Note: %System% is the Windows system folder, which is usually
C:\WINNT\System32 on Windows NT and 2000, or C:\Windows
\System32 on Windows XP.

Remove from:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Run
The entry:
Messenger ="%System%\ntsubsys.exe "
(only if you have the version using ntsubsys, and it may have
been removed by a standard virus scan)
If you had the version using wkssvc.exe, search the registry
for that and remove any entry found. DO NOT remove entries for
wkssvc.dll.

Remove from:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\lanmanserver\parameters
and
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
\lanmanworkstation\parameters
The entries:
AutoShareWks = "00000000"
AutoShareServer = "00000000"
You might want to check all ControlSets, not just the
CurrentControlSet.

To undo the disabling of Windows Update, antivirus and firewall
applications:
In: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
Change: UpdatesDisableNotify from: "00000001" to: “00000000”
Change: AntiVirusDisableNotify from: "00000001" to: “00000000”
Change: FirewallDisableNotify from: "00000001" to: “00000000”
Change: AntiVirusOverride from: "00000001" to: “00000000”
Chnage: FirewallOverride from: "00000001" to: “00000000”
From: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
\WindowsFirewall\DomainProfile
Remove: EnableFirewall = "00000000"
From: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
\WindowsFirewall\StandardProfile
Remove: EnableFirewall = "00000000"
From: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
\WindowsUpdate
Remove: DoNotAllowXPSP2 = "00000001"
From: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\WindowsUpdate\Auto Update
Remove: AUOptions = "00000001"

In addition, modifiy the registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
From: EnableDCOM = "N"
To: EnableDCOM = "Y"

Since the rootkit gives a remote user full control of the
machine, all stored passwords must be considered to have been
compromised, and you should check the account status of any
ecommerce you’ve used the machine for.
--
"He just said it had an 'x'."
"It isn't their necks I mind," said Piglet earnestly.
"It's their teeth."

External Since: Apr 09, 2005 Posts: 2

On Mon, 20 Jun 2005 15:24:56 +0100, Pablo Guildenstern

<ggod stuff snipped>

>Remove from:
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
>\lanmanserver\parameters
>and
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
>\lanmanworkstation\parameters
>The entries:
>AutoShareWks = "00000000"
>AutoShareServer = "00000000"

That I would NOT do, unless I really needed those hidden admin shares.

In fact, I'd do exactly the opposite; make sure those settings are
back in place, so that malware can't walk straight into the "hidden"
admin shares c$, d$, e$... that break best-practice of never
write-sharing integration points, such as StartUp folders.

Quite crafty to drop those settings in place, as many av may remove
the settings as part of the malware cleanup - opening the door again.

>You might want to check all ControlSets, not just the
>CurrentControlSet.

Agreed, though not for the reason you had in mind Wink

>Change: AntiVirusOverride from: "00000001" to: “00000000”
>Chnage: FirewallOverride from: "00000001" to: “00000000”

What do those do?

>In addition, modifiy the registry entry:
>HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
>From: EnableDCOM = "N"
>To: EnableDCOM = "Y"

>Since the rootkit gives a remote user full control of the
>machine, all stored passwords must be considered to have been
>compromised, and you should check the account status of any
>ecommerce you’ve used the machine for.

Yup. I usually take this opportunity to relocate data as well, as
often these are "duh" PCs that still have data paths like
C:\Ghastly\Long\Deeply\Nested\Path\Recover\Each\Of\These\Dirs
and will tend to mix mountains of MP3, pics, movies and incoming
malware (My Received Files) with your actual data.

>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -