Topic: Infected with very advanced, persistent rootkit(s) and likely other malware

November 21, 2018, 05:03:47 AM
Hostn4me (Newbie)
Hello everyone,


I just tried to post a thread in the Malware Removal section asking for help analyzing logs which contain quite a bit of unknown malware/rootkit(s). I typed up my post (luckily I saved it before trying to post), attached my logs, and after I clicked "Post" I was simply redirected back to the "Start new topic" page and there was no error/informational message explaining why this occurred. I then checked the Malware Removal section and my thread was/is nowhere to be found. Does it have to first go through an approval process before it is officially posted? I would think if so it would have told me so after I submitted it, but I'm not sure.


If anyone could please kindly advise me on what I should do, I would very much appreciate it.


Thanks in advance.
« Last Edit: November 21, 2018, 03:44:50 PM by Curson »

Reply #1, November 21, 2018, 03:00:58 PM
Curson (Global Moderator)
Re: I tried to post a thread in the Malware Removal section but failed...
Hi Hostn4me,

It was likely an error; there is no vetting process to post in this section of the forum.
In order to save time, I manually moved your thread to the Malware Removal section.

Feel free to directly explain your issue here and attach your logs.

Regards.

Reply #2, November 21, 2018, 03:33:18 PM
Hostn4me (Newbie)
Re: I tried to post a thread in the Malware Removal section but failed...
Hello Curson,

Thank you very much. I will go ahead and update this thread momentarily. However, before I do so I'm going to send you a PM with a quick question if you don't mind.

Thanks again.

Reply #3, November 21, 2018, 03:47:32 PM
Curson (Global Moderator)
Hi Hostn4me,

You are very welcome.
That's fine, please go ahead.

Regards.

Reply #4, November 21, 2018, 04:26:16 PM
Hostn4me (Newbie)
Sure thing. Please bear with me while I add some new information to the post I originally wrote as I would like to be as detailed as possible.

Reply #5, November 21, 2018, 07:10:29 PM
Hostn4me (Newbie)
Hello,


I am finished updating my post and I just tried to submit it again and the same thing happened. I was redirected to the same post form I had just tried to submit my post from, except once again everything was blank. It's not a huge issue because once again I made sure to save everything I had typed up, I'm just not sure what the problem is. Please refer to the attached screenshot "Posting_Error.png" in order to see exactly what I'm being redirected to after trying to submit my post.


I am using the latest version of Google Chrome on Windows 10 Pro (64-bit). However, I do have Xubuntu installed within a Virtual Machine so let me try to submit it from within Xubuntu using the latest version of Firefox. Other than that, any other suggestions are more than welcome.


Note: Before submitting my post, I verified that the total size of all of my attachments is well below the maximum size allowed and no single attachment is larger than 10000KB.


Any help and/or advice would be greatly appreciated!


Thanks in advance.

Reply #6, November 21, 2018, 08:41:44 PM
Curson (Global Moderator)
Hi Hostn4me,

Could you please check that the files you try to attach only include the following extensions: doc, gif, jpg, jpeg, pdf, png, txt, zip, rar, 7z, log, json.
If that's not the case, it may be the reason why you are unable to post.

Regards.

Reply #7, November 22, 2018, 01:44:56 AM
Hostn4me (Newbie)
Hello Curson,

I apologize for my delayed response; today turned into a busy day away from the computer. However, to answer your question, I am not attaching any files that contain any extensions that are not allowed. I am posting files with the following extensions: txt, log, png, jpg.

I had moved everything that I want to post to my Linux VM before I had to take care of some offline business so I am fixing to try to post from my Linux VM right now.

Thanks in advance.
« Last Edit: November 22, 2018, 03:16:11 AM by Hostn4me »

Reply #8, November 22, 2018, 02:40:00 AM
Hostn4me (Newbie)
Hello,

I just tried to post from my Linux VM using Firefox with no luck. However, this time it didn't even begin uploading my attachments, therefore it didn't redirect back to the same (blank) reply/post page. All that happened after I clicked "Post" was, I would assume, that Firefox only attempted to send a request to Adlice's servers; however, Firefox obviously did not receive a response because, once again, I can only assume the connection was dropped, as the "Sending request..." message in Firefox's status bar eventually disappeared and obviously nothing else happened after that.

What I am going to try next is posting from my dedicated server running Windows Server 2012 R2 Standard Edition, however this time I'm going to put all of my attachments into either a single 7-Zip or a regular zip archive.

Wish me luck...  ;) 
« Last Edit: November 22, 2018, 03:16:31 AM by Hostn4me »

Reply #9, November 22, 2018, 08:09:27 AM
Hostn4me (Newbie)
Infected with very advanced, persistent rootkit(s) and likely other malware

Hello all,

Since June 11 of this year I have been infected with what I determined to be a kernel-mode rootkit two days after the initial infection. Although I could not prove this is in fact what I was infected with at the time, I am now personally confident without a doubt that unless it's a "virtualized" rootkit (which I know very little about), due to the things I've seen over the past several months, it has to have subverted the Windows Kernel. Hopefully I'm wrong and it is just some very advanced and persistent malware, but nothing that has subverted the Windows Kernel (wishful thinking at this point, in my opinion).

I have attached logs from FRST, GMER, and Adlice Diag. Please note that the scan log from GMER is only composed of the 5 to 10 second auto scan that GMER performs every time it is launched. Just this simple and short auto scan detected 13 hidden rootkit/malware Services. GMER then notified me of these detections and asked me if I wanted to conduct a full scan. Of course I clicked yes, however for the first time out of the 50+ times I've run GMER on my infected computers (yes, there are multiple infected systems, including a dedicated server), it was scanning very, very slowly. However, for the first time ever (unsurprisingly as far as I'm concerned), it wasn't detecting anything. With that said, due to the fact that it was running so slow, I could see (in the status bar on its GUI) that it was scanning over hooks that it had detected as malicious many times in the past. If this doesn't indicate a kernel-mode rootkit, I'd love to know what it is that is present on my systems. Lastly, for some reason GMER always eventually triggers a BSoD when I run it on any system that has Windows 10 installed. However, on any system with a version of Windows below version 10, there is no BSoD.

As far as aswMBR, it too triggers a BSoD on all Windows 10 systems. Please note that I also attached a screenshot of the GMER GUI displaying the 13 hidden rootkit/malware Services after it had finished its auto scan. Lastly, there is a screenshot that shows an RPC error. This error occurred when I tried to open the "rKits_mWare.png" screenshot with the results hours after I had taken it. Whether it's related to any rootkit(s) or malware that is present on my systems, I cannot be 100% certain.

Below I'm going to try my best to only list certain things that I feel are important enough to include in my original post. There will be a lot that I leave out, but I will only come forth with the information that will be left out if requested to do so (as in, if it's even needed).

1) If you take a look at the attached screenshot "Corrupted_MBR.jpg" you will see that my current MBR is corrupted; however, this is nothing new. The message is displayed very early within the boot process and it doesn't matter whether I select Yes or No. This message is occurring on the computer that generated the attached scans.

2) Ever since the initial infection, I've honestly lost count but I want to say 4 or 5 HDDs have been "sabotaged" so-to-speak. What I mean by this is the MBR was corrupted beyond repair on one HDD; with another HDD the computer wouldn't or could no longer recognize the HDD (the same computer quit recognizing any removable media inserted into its USB ports two to three hours before it restarted on its own only to not be able to boot because it could no longer recognize the HDD); and then two other HDDs (when trying to install Windows) would trigger Windows 10's Advanced System Repair (but of course it could not be repaired and these HDDs are now useless), and with these same HDDs, I remember trying to install Ubuntu but was met with an error that mentioned the Windows Kernel (although this is all I remember about this specific error message), and lastly these last two HDDs I'm referencing could no longer boot into Live Windows or Linux environments. I believe there was one more HDD that was rendered useless but this was the first one to go very early on and I'm pretty sure aside from the HDD, the one and only Administrator account all of a sudden was disabled and the only other accessible User account couldn't perform basic tasks such as launching File Explorer, Task Manager, etc.

3) Within the past two or three weeks, for reasons unknown to me, the rootkit(s) and/or other malware that has been dropped and loaded since the initial infection really started attacking certain systems. One system could no longer access the Internet and would not even make an attempt to connect upon booting into Windows. From then on I was prevented from opening Settings, the Network and Sharing Center, running any troubleshooters, etc. Also, on every infected system, one of the hallmark traits of these infection(s) is that (of course) Windows Update is rendered useless.

4) *VERY IMPORTANT* With all of these HDDs being rendered useless, surely I replaced at least one of them with a new HDD, right? Yes, I did, and the rootkit(s)/malware survived this HDD replacement. Although I had not flashed the BIOS on this particular computer in which I replaced the HDD at this point, I think it's important to point out that the computer I am speaking of is the same computer that generated all of these scan logs. What's more, I literally just formatted this same computer for likely the 7th or 8th time within the last month and a half (no, I'm not kidding) with the latest format and subsequent re-installation of Windows occurring only several days ago on 11/16/2018 at 1:42:45 PM. This is important because prior to re-installing Windows this time around, I did go ahead and flash the BIOS and I also securely erased and wiped my current HDD sector by sector after purchasing a program which I will not name or link to out of fear of doing so being an act that breaks forum rules and/or policies. What I will say is that this program can be installed locally, or it can be burned as an ISO file thus creating a Windows PE Live CD/DVD/USB which I verified can boot into both Windows 7 Pro and Windows 10 Pro without any problems (I opted for the live boot option using a DVD).

The last thing I'll say about this software is that one of the many data sanitization methods it utilizes is DoD 5220.22-M which was once the official software-based data wiping standard for several US governmental agencies. However, this doesn't impress me in the least bit and neither does the fact that I was either re-infected by the rootkit(s)/malware (wherever they may be hiding), or it's even possible I didn't need to be "re-infected" again because formatting during a regular Windows installation, securely erasing and wiping the disk, flashing the BIOS, and most importantly, a darn HDD replacement didn't even prevent this nasty thing from either maintaining persistence or regaining persistence.

5) *VERY IMPORTANT* Over the last week or so, MEGAsync, SpiderOakONE, Chrome, Firefox, and possibly another program or two I am forgetting (all of which are currently installed and running on the system that generated the scan logs) alerted me to the fact that it was highly possible that there were active Man in the Middle attacks being conducted within my OS environment. Although I personally have not had any of my accounts compromised thus far (that I know of at this point), others who own computers infected by these rootkit(s)/malware haven't been so lucky. Two different people have had their personal debit card information stolen and fraudulent charges were transacted, and one of these people also had the company's (for which they work) bank account and debit card compromised as well. When it comes to the company's bank account information being compromised, the perpetrators used this info to print out fraudulent checks and they were good enough fakes because they were able to cash them without any issues.

6) *IMPORTANT* I currently have SMB v1 and SMB v2 enabled (not by choice) on a minimum of two systems that I'm aware of, and even more than these two systems (likely ALL infected systems) have a hidden Remote Admin share enabled, as well as a hidden Remote IPC share. The Admin share can be removed but it immediately returns after the computer(s) are rebooted and the IPC share cannot be removed. If needed, I can provide screenshots of these shares as well as any other evidence pertaining to the things I've mentioned within this post.

I could literally go on and on for the next 24 hours (probably longer), but I think this is plenty of information, not to mention a good stopping point. However, PLEASE NOTE that whichever helper is assigned to my thread (as well as any Moderators or Admins on this forum), I do have some very important information I need to share with the helper at the very least, although I am not willing to do so in public (you will understand why). With that said, once my helper has been assigned I will send him/her a PM with this information and in the meantime (or at any time) if any Moderators or Admins would like to be privy to this private information, please send me a PM and I will respond accordingly.

Thanks to everyone in advance for taking the time to read my thread. I will be patiently awaiting a response from whichever helper I am assigned. Lastly, if any further information and/or screenshots/logs will be required from me (in case the attached logs and screenshots in this post are not enough), please do not hesitate to ask because I have loads and loads of both screenshots and logs, as well as notes and likely other things that I have saved over the past several months. I would only need to gather all of this info and put it in one spot as it's currently spread across various systems and removable media. However, judging by the previous malware removal threads that have been posted which I have read, I'm not sure any of this will be necessary, although I wanted to make sure I offered anything and everything I've accumulated.

Thanks again!
« Last Edit: November 22, 2018, 08:45:51 AM by Hostn4me »

Reply #10, November 22, 2018, 05:43:46 PM
Curson (Global Moderator)
Re: Infected with very advanced, persistent rootkit(s) and likely other malware
Hi Hostn4me,

Is this machine part of some professional infrastructure / critical system?

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a file named MBRDUMP.txt in the same folder where FRST is. Please attach it to your reply.

Regards.

Reply #11, November 23, 2018, 06:35:32 PM
Hostn4me (Newbie)
Re: Infected with very advanced, persistent rootkit(s) and likely other malware
Hello Curson,


As fate would have it, the laptop from which the scan logs posted above in this thread were generated crashed yesterday morning. This was before I was able to see or apply your fix. Furthermore, it not only crashed, the HDD was ruined (that's one more HDD that is gone due to this rootkit/malware). I could not reinstall Linux or Windows on it. I was able to replace the HDD within this laptop and I'm going to go ahead and put either Windows 7 or Windows 10 on it and, considering it will still be infected, I will perform some more scans and post them. I plan to have this done ASAP.


If you have any suggestions, questions, or anything at all, please let me know.


Thanks for your patience and for your time.

Reply #12, November 23, 2018, 08:22:35 PM
Curson (Global Moderator)
Re: Infected with very advanced, persistent rootkit(s) and likely other malware
Hi Hostn4me,

There is probably something going very wrong with your motherboard firmware, since the change of drive and the reinstallation of the system didn't resolve the issue.
A good approach would be to analyse the EFI of your computer and check for the presence of a bootkit. An offline analysis of the GPT of your drives may be worth a try, too.

However, such investigations are complicated and should usually be conducted on site. That's why I strongly advise you to contact an enterprise specialised in such investigations to help you solve this issue. I'm afraid there is nothing we can do to help you with this here at Adlice.

Regards.
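An offline GPT check of the kind Curson suggests above, added here as an example; it is not part of the thread and not an Adlice tool. It parses the protective MBR and the primary GPT header of a raw disk image, recomputes both CRC32 fields and flags partition entries that fall outside the usable LBA range. The image it works on is a constructed 1 MiB sample (the GUIDs other than the Microsoft basic-data type are made up), not the poster's drive; a real drive would first be imaged from trusted boot media and the image passed to the check functions.

```python
import struct
import uuid
import zlib

SECTOR = 512
HDR_FMT = "<8s4sIIIQQQQ16sQIII"          # primary GPT header: 92 bytes at LBA 1
HDR_LEN = struct.calcsize(HDR_FMT)

def check_protective_mbr(img):
    # Findings for LBA 0; a GPT disk should carry a 0xEE protective entry.
    findings = []
    if img[510:512] != b"\x55\xaa":
        findings.append("MBR boot signature missing")
    if img[450] != 0xEE:                     # type byte of the first MBR entry
        findings.append("no protective (0xEE) partition entry")
    return findings

def check_gpt(img):
    # Validate the primary header and partition array; return (findings, parts).
    findings, parts = [], []
    raw = bytes(img[SECTOR:SECTOR + HDR_LEN])
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, first_lba, last_lba,
     _guid, ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(HDR_FMT, raw)
    if sig != b"EFI PART":
        return ["GPT signature missing"], parts
    # The header CRC covers hdr_size bytes with the CRC field itself zeroed.
    if zlib.crc32(raw[:16] + b"\0" * 4 + raw[20:hdr_size]) != hdr_crc:
        findings.append("GPT header CRC mismatch")
    table = bytes(img[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size])
    if zlib.crc32(table) != ent_crc:
        findings.append("partition array CRC mismatch")
    for i in range(n_ent):
        e = table[i * ent_size:(i + 1) * ent_size]
        type_guid = uuid.UUID(bytes_le=e[:16])
        if type_guid.int == 0:               # unused slot
            continue
        start, end = struct.unpack_from("<QQ", e, 32)
        if start < first_lba or end > last_lba or start > end:
            findings.append(f"entry {i} lies outside the usable LBA range")
        parts.append((i, str(type_guid), start, end))
    return findings, parts

def build_sample_image(tamper=False):
    # Constructed 1 MiB (2048-sector) image with one basic-data partition; only
    # the primary header is written, the backup copy at the disk end is omitted.
    img = bytearray(SECTOR * 2048)
    img[450], img[510:512] = 0xEE, b"\x55\xaa"
    n_ent, ent_size, ent_lba = 128, 128, 2
    entry = (uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7").bytes_le  # MS basic data
             + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le  # made-up GUID
             + struct.pack("<QQQ", 34, 2014, 0)           # first LBA, last LBA, attrs
             + "Sample".encode("utf-16-le").ljust(72, b"\0"))
    table = entry.ljust(n_ent * ent_size, b"\0")
    img[ent_lba * SECTOR:ent_lba * SECTOR + len(table)] = table
    hdr = struct.pack(HDR_FMT, b"EFI PART", b"\0\0\1\0", HDR_LEN, 0, 0, 1, 2047, 34,
                      2014, uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee").bytes_le,
                      ent_lba, n_ent, ent_size, zlib.crc32(table))
    img[SECTOR:SECTOR + HDR_LEN] = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    if tamper:
        # Move the partition start below the usable range without refreshing the
        # array CRC, the trace an in-place edit of the table leaves behind.
        img[ent_lba * SECTOR + 32:ent_lba * SECTOR + 40] = struct.pack("<Q", 33)
    return bytes(img)
```

Running `check_gpt(build_sample_image(tamper=True))` reports both the CRC mismatch and the out-of-range entry, while the clean image reports nothing; a header with a bad CRC on a real drive is a reason to compare against the backup header at the last LBA before trusting either.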

Reply #13, November 24, 2018, 06:15:27 AM
Hostn4me (Newbie)
Re: Infected with very advanced, persistent rootkit(s) and likely other malware
Hello Curson,

Thank you very much for the detailed explanation. With that said, since reading your latest post I have done some digging and I may be onto something. With that said, there are two important things I left out of my OP (one intentionally, and one simply because my OP would have been very, very long had I not forced myself to come to a stopping point). I am currently typing you a PM which will contain the private information I intentionally left out of my OP, and after I send you the PM, I will go ahead and update this thread.

Please understand that I am not disregarding what you said about the ultimate remediation of everything that is on my systems (a bootkit in particular) generally being conducted on-site. In fact, I started to consider this to be the case myself a couple of months back; as in, this situation likely would not be able to be resolved remotely. However, considering there is so much that I left out of my OP and because of this there are still so many important factors you have no way of knowing, I'd like to run a few more of them by you (definitely not all of them, only the most important at this stage) and get your opinion before I go ahead and decide that my only option is hiring a specialist to handle this on-site (I hope you don't mind). If it does in fact end up coming down to me having to hire someone to fix everything on-site, I have no issue doing this. Lastly, I am positive that once you read these things I keep mentioning that I left out of my OP and am working on sending your way, I whole-heartedly feel my reasons for wanting to make sure that my only choice will ultimately come down to hiring a local specialist will become clear.

Thank you so much for the time and effort you have put into this. You alone, single-handedly, have helped me out more than anyone else, and more than you know, and I cannot express how truly grateful I am.

I'll be in touch soon!  :)