[Gootkit/Xswkit] New rootkit found!

[Jojo51]

Hi,

We use Roguekiller for years and we found with it the best cleaning tool that we can add to our antivirus solution. You doing a great job and its a luck to being able to use your software to solve some crisis situations.

Sadly, we are reporting a new rootkit that have infected several computers on our network. This virus infect principal Windows process as "explorer.exe", "svchost.exe" and others by injecting his code on the fly. Roguekiller report the infection, can kill few infected process on memory but not clean it. Each time we make a scan with RK, the threat is back on the same process over and over.

In addition, the issue reported by our users is that they cannot work on their computer because the screen always flashing and showing a windows that ask to install a trusted certificate. The screen flashing because when the virus start its bad job, the antivirus (ESET Endpoint) kills the infected process but without being able to clean the infection. It seems that the virus only works completely on the user profil used to install it, we log on on the local administrator session without getting this error flashing message. But, even when we scan the system through this session, it reports some infested process (injected) but less.

You can find the RogueKiller's scan report and the screenshot of the error in this archive.

Hope you will provide a solution.

Best regards,


J. PEREIRA

[Tigzy]

Hello
Any chance to get a explorer.exe full dump? I'd like to extract the payload, that should help us to put a name on the infection.

EDIT: also, could you analyse that file on virus total? C:\Windows\cwbrxd.exe

[Jojo51]

Hi!

Thanks for the quick answer! 

We have analysed the "cwbrxd.exe" file on VirusTotal but it doesn't report any infection. Through this link, you will find an archive with two "explorer.exe" dumps files because we found two of them in memory, but impossible to know which is the good one...

http://users.hexanet.fr/~pereira/explorer.zip

Thanks a lot for any help you can grant!

Best regards,


J. PEREIRA

[Tigzy]

Thanks, I'll take a look shortly.

[Tigzy]

VT came back clean https://www.virustotal.com/fr/file/6c1b0f6a4a765ebac4d742f1d62ceace2339941482a19f56b81b2841575d3cd6/analysis/1419261925/
I can see openssl related code in the dumped section, but no string that could help us.

Can you scan with Malwarebytes?

[Jojo51]

Yes, we already did the Anti-Malware and even Anti-Rootkit scan, this afternoon for the third time. No infection reported by this tools. 

By the way, our ESET Antivirus report now a threat on its log, speaking about a "Kryptic" virus variant. If it can help... 

[Tigzy]

Where is the threat reported?
Could be useful to scan with OTL: http://www.bleepingcomputer.com/download/otl/

[Jojo51]

Hi!

Still working hard on the subject without finding a solution.

We've done the scan with OTL as you asked in your last post, but it cannot clean anything too. You can find the log in attachment.

Thanks for your help!


J. PEREIRA

[Tigzy]

This is uncommon:

PRC - C:\Windows\SysWOW64\svchost.exe  [comLaunch] (Microsoft Corporation)
PRC - C:\Windows\SysWOW64\rundll32.exe (Microsoft Corporation)

on x64, having system processes on 32 bits can be suspicious.

And indeed:

O4 - HKU\.DEFAULT..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-18..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-19..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-20..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found
O4 - HKU\S-1-5-21-1742386255-4278694884-558714565-500..\Run: [rundll32] mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>" File not found

That looks like Poweliks.
Could you give me a dump (in raw hive format!) of the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It's very important, please.
EDIT: dump can be made with regedit, right click => export. chose the raw format, not .reg

[Tigzy]

And also, please do the same for that key:

HKEY_CURRENT_USER\Software\ xsw\loader (mind the space)

[Jojo51]

Many thanks for your feeback, I will get the informations you need and send you as quick as possible !

[Tigzy]

By the way Malwarebytes should be able to remove it.

[Jojo51]

Hi!

First, I wish you all the best to all the Virus "Threat Fighters" for the new 2015 year!!

Back to the business...

Sorry for the delayed answers, I have investigated and spent a lot of time in this issue and discovered some usefull informations. So, thanks to your last message, I found infection in the registry at differents locations. The virus seems to put install itself in each NTUSER.DAT file that constitue the hive registry linked to each user. I each ones, I find track of it, here what it is :

Found an "xsw" registry key in HKEY_CURRENT_USER\Software\ xsw\
Found an "cxsw" registry key in HKEY_CURRENT_LOCAL_MACHINE\Software\
Found multiples binary in HKEY_CURRENT_USER\Software\ AppDataLow\
Found an value "Rundll32" in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Deleting the xsw registry key, binaries in AppDataLow and rundll32 value in RUN key seems to be good because the antivirus stop to report the threat after the reboot. BUT, the cxsw still comes back after the first reboot and the virus seems to be always in the system, RogueKiller still reporting the injected process in explorer.exe and others.

So, that is what I can bring you as new informations. At this address, http://users.hexanet.fr/~pereira/Virus.zip , you will find the dumps you asked, in differents formats to be sure you can exploit it. Anti-Malware doesn't solve anything, it even fail to report the infection...

Thanks again for your help, I hope that you will find the solution.

Best regards,

J. PEREIRA

[Tigzy]

Ok gotcha.
I would need to have a dump of explorer.exe also, can you download/start process hacker and make a full dump of it? Also, do you have several explorer.exe processes? The dump is quite big, but you should be able to share it with Google Drive/Dropbox.
That would help me to make a signature for the injected process.

A things that may work for the removal:

- Start Roguekiller, the prescan will kill the injected processes. Leave it without doing the scan (won't find anything anyway)
- With regedit, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run , and remove the rundll32 value.
- Reboot, let me know if the threat is gone.

[Jojo51]

Yes, here the new "explorer.exe" created via Process Hacker : http://users.hexanet.fr/~pereira/explorer.exe.dmp

Already done this with RogueKiller, but the threat is still back after the reboot. The most strange is that on some computers, the threat seems to no be completely installed because I cannot find all the tracks that we spoke about in my last post. But, error message that show the "certificate Installation" is still present, RogueKiller still find Injected proc in services.exe, isass.exe, explorer.exe etc... 

That's an big one!