19

I'm a professional Windows system administrator, but I've been caught off-guard (or maybe some malware writer has been very clever) and I caught some unknown malware on my home computer (Windows 7 x64 SP1); it must be a very recent one and/or of a rootkit kind, because no antivirus/antimalware/antitrojan/antianything seems to be able to find it, and I've tried quite some of them (and I have quite some experience using them).

It went in two days ago via Internet Explorer 8, which was fully patched, so this is worrying on its own because it clearly exploited some still-unpatched hole (I didn't download or run anything, just opened some web page); it then did some obvious malware-y things like hiding files and icons, flashing system error popups and rebooting the system, and then I found the main executable and removed it... but it left something behind; something that managed to hide so deeply in the system that no tool was able to find it, from popular antivirus programs to highly specific malware detection tools. Of course, I've also checked all the common malware hiding spots (Registry, services, hosts file, browser add-ons, etc.).

How do I know it's there? Google searches (on the Google site, not through the search bar) get sometimes redirected to completely unrelated ad sites, and I have two iexplore.exe processes constantly running in the background (and automatically respawning if I kill them), being launched by nobody else than svchost.exe (as Process Explorer dutifully documented) and connecting to obviously fake search sites.

Apart from the obvious question "how do I get rid of it?", what I'm more interested in is how to get some expert to analyze my system in order to find what kind of beast it is, so that it may be stopped before it goes out in the wild... if it already hasn't.


Edit: looks like it actually was a rootkit; I finally got rid of it by rewriting the MBR and boot sector of the system drive. Don't know yet what the boot code was actually loading, some executable must still be lingering around... but at least it's inactive now.

Benoit Esnard
Massimo
  • First time on this site, if you think this question is more appropriate for ServerFault or (ehm) SuperUser, feel free to say it. I'm of course interested in removing the thing, but I'm also very concerned about a potential new and powerful malware. – Massimo Jul 12 '11 at 21:50
  • My hunch would be that it's TDSS, it may be worth giving TDSSKiller (http://support.kaspersky.com/faq/?qid=208280684) a try. – Mike1980 Jul 12 '11 at 22:46
  • Good guess, made it myself too :-) But that's one of the "highly specific malware detection tools" that found nothing. – Massimo Jul 12 '11 at 22:49
  • @Massimo Did you keep a copy of the MBR / boot sector, by any chance? – forest Jun 01 '18 at 03:33

4 Answers

16

If you can find the offending executable or dll, one thing you can do is to upload it at https://www.virustotal.com. Try even the svchost file if you feel it's suspicious.

It will show you how many antivirus engines detect it out of a huge list, and will also forward your sample, if it fails to be detected, to antivirus companies for further processing and signature development.

john
  • 1
    +1 since this reaches the most number of AV companies/malware researchers in one stroke. – Andrew Lambert Jul 13 '11 at 06:06
  • 1
    If I can actually *find* an executable, I'll do this for sure. This is exactly the kind of answer I was looking for, by the way. – Massimo Jul 13 '11 at 06:12
8

Many antivirus vendors will more than happily examine a file - as an example, this is Comodo's upload link. Microsoft will also take a look.

I've never actually submitted malware to an antivirus vendor, but I'm pretty certain if it is new malware you won't get analysis done there and then if you see what I mean - you'll probably get an "in database, does this" or "not in database, we'll take a look" type result, since automatically analysing malware is quite hard except for trivial code. I'm not sure even if it was a new piece of malware that you would get feedback, but the result would be an added detection signature and potentially patched exploits if they are unknown, so it is absolutely worth doing to be part of the solution, if you like.

In terms of exploring what it does in greater detail, windbg and process monitor are great companion tools to process explorer and autoruns is an excellent tool for examining startup entry points for changes.

The standard advice with rootkits is a clean install from trusted media since it is pretty hard to know, for certain, you've got rid of it, so if it comes back, that is my advice, along with quarantining the system from others on the network to be sure it doesn't begin exploiting those.

If it is a rootkit and a well written one it may be able to evade certain detection tools. Often, variants of malware are released after the exploit mechanism they used is patched, so you could be in that window and that may explain why a given malware detector doesn't work for the malware it is supposed to detect.

  • I don't have any file to submit... it was *quite* hard to find any trace of it; I managed to disable it by restoring the boot sector to a clean state, but I still have *no idea* of where the actual malware files are. I totally agree with the clean install, though (will be done ASAP). – Massimo Jul 13 '11 at 06:04
  • Try running Microsoft's new Offline System Sweeper and see if it turns up anything. – Andrew Lambert Jul 13 '11 at 06:08
5

how to get some expert to analyze my system in order to find what kind of beast it is, so that it may be stopped before it goes out in the wild... if it already hasn't.


If you have it on your home system then by definition it is in the wild. So, too late for that. Unfortunately for analyzing, you may have destroyed an important component in the MBR.

In my opinion the best way to analyze the malware on your system would be to disconnect it from the network. Use a cold boot technique to image the RAM. Power it down, remove the hard drive, and then image the hard drive. Image any flash on the motherboard, PCI cards, or anything else that provides persistent writable storage. Then analysis begins! Of course you would need to keep the system hardware available in an unused state in case the researcher wants to verify a theory.

Or you could do as @Ninefingers suggests, seems a lot simpler that way.

this.josh
  • Agreed that I should have saved evidence for analysis; I was a bit concerned about removing the infection, though... and, anyway, besides the boot sector, I still can't find (manually or through scanners) any offending file. – Massimo Jul 13 '11 at 06:17
  • Given a clever enough attacker you wouldn't find the file(s). The recent stuxnet malware created an in-RAM-only file by storing encrypted fragments in multiple innocuous places, decrypting the fragments and reassembling them in memory. If this was a similar scheme and the decryption key was in the MBR, then the fragments will be undecipherable. – this.josh Jul 13 '11 at 06:34
  • They are becoming increasingly clever, aren't they? :-/ Wonder why they keep using these things only for adware... such a rootkit would have gone undetected *forever* if it wasn't for those search hijacking and iexplore.exe background processes. – Massimo Jul 13 '11 at 06:45
  • 3
    @Massimo - Worryingly, there is a lot of evidence they aren't. We keep finding malware which has gone undetected for a very long time - usually by accident while investigating something else! It generally seems to be provision of root access channels and information siphoning. – Rory Alsop Jul 13 '11 at 07:57
  • @Rory: this is making me wonder enough to open a different question; see here: http://security.stackexchange.com/questions/5244/why-do-malware-creators-use-such-clever-technologies-for-such-silly-purposes. – Massimo Jul 13 '11 at 08:40
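
An added example, not part of any answer or comment above: the thread turns on the MBR being rewritten before a copy was kept. This sketch copies sector 0 out of a raw disk image, records hashes and the partition table, and compares the bootstrap code with a known-good MBR. The function names, the sample sector and the idea of a reference MBR taken from a clean machine are assumptions made for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code area; disk signature follows at 440
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Summarise a 512-byte MBR so it is on record before being rewritten."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
        "disk_signature": "%08x" % struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def preserve_mbr(image_path: str, copy_path: str) -> dict:
    """Copy sector 0 of a raw disk image to copy_path and return its summary."""
    with open(image_path, "rb") as src:
        sector = src.read(SECTOR_SIZE)
    with open(copy_path, "wb") as dst:
        dst.write(sector)
    return parse_mbr(sector)

def boot_code_differs(suspect: bytes, reference: bytes) -> bool:
    """True when the bootstrap code differs from a known-good MBR's."""
    return parse_mbr(suspect)["boot_code_sha256"] != parse_mbr(reference)["boot_code_sha256"]

def build_sample_sector(boot_code: bytes) -> bytes:
    """Constructed sample: one active NTFS (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    head = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + struct.pack("<IH", 0x1234ABCD, 0)
    return head + entry + bytes(48) + BOOT_SIGNATURE

if __name__ == "__main__":
    print(parse_mbr(build_sample_sector(b"\xfa\x33\xc0")))
```

Only the first 440 bytes are compared because the disk signature and partition table legitimately differ from one disk to another.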
0

My advice is to follow these steps:

  1. Perform an online scan from ESET website

  2. You can create a rescue disk from Kaspersky's website. I have never tried myself but it should contain a command-line scanner. Sometimes a malware or rootkit remains undetected on Windows but can be easily removed from the shell. Completely turn off your PC and boot from the bootable rescue disk and perform a complete system scan using command-line scanner.

  3. You can try a small tool known as well. It is called Malware Bytes. Even though it is not a full-fledged Anti-Virus, it does detect a few nasty malwares and fake tools that other branded Anti-Virus products are unable to detect.

  4. Through VirusTotal, a suspicious file is automatically transferred to many Anti-Virus vendors. But if you suspect a malware behavior and don't have any suspicious file, I recommend following the steps given above. Also consult Kaspersky forum.

RPK