F-ing rootkits.... [Archive] - Glock Talk



jpa
04-05-2010, 14:18
I got a good one (well, one of the computers from work does anyway). WinXP Pro SP3, laptop boots straight into a fake virus scan and starts "finding" viruses on it. It hides the start menu, no right-clicking on anything, the task manager is greyed out when you ctrl-alt-del. Even booting in safe mode w/ command prompt, you can't run regedit. I think this one got me.

Anyone ever successfully beat one of these suckers without having to reinstall the OS?

IndyGunFreak
04-05-2010, 14:23
I got a good one (well, one of the computers from work does anyway). WinXP Pro SP3, laptop boots straight into a fake virus scan and starts "finding" viruses on it. It hides the start menu, no right-clicking on anything, the task manager is greyed out when you ctrl-alt-del. Even booting in safe mode w/ command prompt, you can't run regedit. I think this one got me.

Anyone ever successfully beat one of these suckers without having to reinstall the OS?

Boy that sounds wicked..lol.

Rootkits (good ones) are particularly nasty. I won't waste more than a few minutes trying to clear them. It's too easy to reinstall.

jpa
04-05-2010, 15:39
Yeah, tell me about it. If the laptop had a floppy I'd try using a rescue disk, but no luck. That and our antivirus is installed from the media copied to a shared drive, so the original disc is locked in an office in Carson City. Everything I try to get around this stupid screen or to keep it from loading on boot is blocked. No task manager, no ctrl-alt-del, no loading windows w/ confirmation, none of it. We'll just reload it tomorrow I think.

ChristopherBurg
04-05-2010, 15:42
Anytime a machine is compromised you just need to bite the bullet and reformat the drive.

Even the best malware removal tools cannot guarantee they removed all the malicious software. Remember those malicious guys are making money off of keeping your machine infected and in their botnet, therefore they are going to put as many back doors and access methods in your system as they can. This ensures that if their tool is found and removed, their automated scripts can reinfect the machine quick, fast, and in a hurry.

Anytime you get any malware just reformat the drive and reinstall your operating system.

Pierre!
04-05-2010, 18:39
Get ahold of Sysinternals. They have tools that will let you whack at will, and see the process start so you can block future runs...

They had some videos talking about how to stop virus attacks a while ago. Don't know that they are still relevant to tell the truth.

Might as well Nuke it while you are at it. I have had 3 now that would install aaaallllmmmmoooosssstttt all the way before puking and refuse to finish the XP install. Yah, they were THAT deeply rooted.

I believe it was Darik's Boot N Nuke that I used... run it overnight, install in the AM.

Worked every time for me! Also taught the user that "fun and games" will cost you some time...

Good Luck, and let us know what works for the "Brain Trust"...

Linux3
04-05-2010, 18:39
Anyone ever successfully beat one of these suckers without having to reinstall the OS?
Nope, and if they think they did they are not living where the buses run.
Reformat and reinstall.
Or consider a new choice in operating systems.

jpa
04-07-2010, 08:53
Nope, and if they think they did they are not living where the buses run.
Reformat and reinstall.
Or consider a new choice in operating systems.

Good point. Good thing all our laptops at work are the same model Dell and we have a stack of recovery CDs. XP is reinstalled with the apps and all is good again.

Not my pc or I'd consider changing the OS. Good thing there was no important data on it.

mcole
04-07-2010, 19:53
Try shutting the laptop down. Unplug from power. Take out the battery. Let it sit for 24 hours. Put the battery back in and plug to power. Start it up. SOMETIMES this will work (about half the time). Worth the shot. mcoe

area727
04-07-2010, 21:06
I recently had something similar happen to a machine at work, no idea how it got infected... needless to say, it's now running Ubuntu. :)

ChristopherBurg
04-07-2010, 21:53
Try shutting the laptop down. Unplug from power. Take out the battery. Let it sit for 24 hours. Put the battery back in and plug to power. Start it up. SOMETIMES this will work (about half the time). Worth the shot. mcoe

This will not change the data saved on the hard drive and thus will not fix any issues involving malware installed on the machine.

HKUSP45Css
04-08-2010, 13:17
I boot to WinPE on a thumb drive and go in to the registry from there. It's not rocket surgery if you have the tools, rootkits are not the end all be all of malware.

Nope, and if they think they did they are not living where the buses run.
Reformat and reinstall.

Or, as my pappy used to say "the less a man makes declarative statements, the less apt he is to foolish in hindsight."

I've cleaned rootkits manually when I didn't have anything better to do just to learn their behavior. I've also used software to clean them after I was able to get the machines back to a usable state manually.

It takes longer than a re-install in most cases but, sometimes, a re-install isn't an option.
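An added illustration of the offline-registry approach mentioned in the post above (this is not code from the thread or from any poster): from a WinPE boot, mount the installed system's registry hives and list the autostart locations that fake-AV and rootkit droppers commonly tamper with, without ever executing anything from the infected disk. It assumes the infected XP installation is visible as D: and that the profile name is a placeholder to be adjusted; hive paths are the stock XP defaults.

```batch
@echo off
REM Added example: inspect an offline Windows XP registry from a WinPE boot.
REM Assumption: the infected installation is mounted as D: (adjust as needed).
set SYSROOT=D:\Windows
set SOFTHIVE=%SYSROOT%\System32\config\SOFTWARE
REM Assumption: placeholder profile name; replace with the real user's profile folder.
set USERHIVE=D:\Documents and Settings\SOMEUSER\NTUSER.DAT

REM Mount the offline SOFTWARE hive under a temporary key (nothing on D: runs).
reg load HKLM\OFFSOFT "%SOFTHIVE%" || (echo Could not load SOFTWARE hive & exit /b 1)

REM Winlogon Shell / Userinit: a hijacked value here launches malware before the desktop.
REM Clean XP defaults: Shell = Explorer.exe   Userinit = C:\WINDOWS\system32\userinit.exe,
reg query "HKLM\OFFSOFT\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\OFFSOFT\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

REM Machine-wide autostart entries.
reg query "HKLM\OFFSOFT\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\OFFSOFT\Microsoft\Windows\CurrentVersion\RunOnce"

REM Keep a copy of the autostart keys for later analysis or for comparison after cleanup.
reg export "HKLM\OFFSOFT\Microsoft\Windows\CurrentVersion\Run" X:\offline_run.reg /y

reg unload HKLM\OFFSOFT

REM Per-user autostart entries live in the profile's NTUSER.DAT.
reg load HKU\OFFUSER "%USERHIVE%" || (echo Could not load user hive & exit /b 1)
reg query "HKU\OFFUSER\Software\Microsoft\Windows\CurrentVersion\Run"
reg unload HKU\OFFUSER
```

Anything other than the stock defaults in Shell or Userinit, or an unfamiliar executable in a Run key, is the entry to investigate; whether to remove it by hand or to reimage is then a judgement call, and the exported .reg file gives a record either way.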

ChristopherBurg
04-08-2010, 15:03
The problem with going the route of removal is the fact you can't guarantee you removed everything.

For instance, let's say a machine is infected with a rootkit. This rootkit allows remote access to the machine, which the malicious hacker who compromised the machine uses. The malicious hacker, while accessing the machine, installs several other back doors on the system in case the rootkit is ever removed. This doesn't just apply to rootkits but to any malware.

This sounds like a lot of work, but most script kiddies these days do exactly that. It's rare for a machine to be infected by only a single piece of malware; usually after one gets on, it installs others.

This game changed completely once malware stopped being about bragging rights and started being about money. There is a financial interest in keeping machines infected (adding them as part of a botnet which is rented out to people wanting to perform DDoS attacks, for instance). Due to this, malicious hackers go to great lengths to ensure they can reinfect a machine if their initial compromise is discovered and removed.

There is no way of knowing if something new was installed after the initial malware was installed. Sure, a scanning and removal tool might know about the initial malware. The same tool very well may not know about the brand new tools that were also installed after.

The only way to clean a machine and know for sure it's safe is to completely reinstall the operating system.