From: philo on 15 Mar 2010 15:25

Daave wrote:
> philo wrote:
>> MowGreen wrote:
>>> MowGreen wrote:
>>>> Seeing that paper was published in 2008
>>> Correction. The presentation was done in Geneva at VB2009, on the
>>> 23rd of September, 2009:
>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>>
>>> MowGreen
>>> ================
>>> *-343-* FDNY
>>> Never Forgotten
>>> ================
>>>
>>> banthecheck.com
>>> "Security updates should *never* have *non-security content* prechecked
>>
>> Thanks for posting back
>>
>> my main point was to alert people who think their systems are secured
>>
>> to think again!
>
> We are all on the same page as far as that is concerned, philo. The
> point I was making was that even if you are able to delete rootkit files
> in the restore volume, you aren't necessarily rootkit-free. If the
> rootkit was indeed phoning home, it is highly unlikely it was doing so
> from that location (then again, I appreciate your link; I will read that
> in depth). Chances are it was phoning home from another location you
> were unable to detect.

I ran numerous scans using four different root kit detection programs.

It appears to be clean and the user has since made on-line financial
transactions without getting hacked...

but with root kits...I don't know if one can ever be 100% sure

nasty stuff!
From: glee on 15 Mar 2010 15:58

"philo" <philo(a)privacy.net> wrote in message
news:6YednTAIgKspFAPWnZ2dnUVZ_hWdnZ2d(a)ntd.net...
> Daave wrote:
>> philo wrote:
>>> MowGreen wrote:
>>>> MowGreen wrote:
>>>>> Seeing that paper was published in 2008
>>>> Correction. The presentation was done in Geneva at VB2009, on the
>>>> 23rd of September, 2009:
>>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>>>
>>>
>>> Thanks for posting back
>>>
>>> my main point was to alert people who think their systems are
>>> secured
>>>
>>> to think again!
>>
>> We are all on the same page as far as that is concerned, philo. The
>> point I was making was that even if you are able to delete rootkit
>> files in the restore volume, you aren't necessarily rootkit-free. If
>> the rootkit was indeed phoning home, it is highly unlikely it was
>> doing so from that location (then again, I appreciate your link; I
>> will read that in depth). Chances are it was phoning home from
>> another location you were unable to detect.
>
> I ran numerous scans using four different root kit detection programs.
>
> It appears to be clean and the user has since made on-line financial
> transactions without getting hacked...
>
> but with root kits...I don't know if one can ever be 100% sure
>
> nasty stuff!

Did you run those rootkit programs while the drive was slaved to another
computer, rather than being booted from the drive being scanned? I ask
for obvious reasons.

The safest method is to scan from outside the OS with a rootkit scanner
AND an anti-virus app AND a spyware detection app like MBAM. I think we
all agree on that as a *preferred* protocol.

What is being described in the articles both you and Mow posted is not
conclusive that the malware is actually being run (and therefore
"active") from within the SVI folders.

It appears that the folder created by the infection inside the SVI folder
was used to store components used for the initial installation of the
infection, but the infection itself is actually executing as a service out
of the System32 folder tree and loading from the Service Registry
Key.....note please the quote from the article you cited: "....running as
a service allows the rootkit to survive a reboot".

Even if this is the case, that it isn't active in the SVI, the fact that
the folder was easily hacked for storage makes it possible that sooner or
later, a rootkit will come along that will succeed in actually running
from there. It just gets nastier all the time....and we can't afford to be
smug and say it can "never" happen. Never say never...especially about
malware. ;-)

--
Glen Ventura, MS MVP Oct. 2002 - Sept. 2009
A+
http://dts-l.net/
From: philo on 15 Mar 2010 18:03

glee wrote:
> "philo" <philo(a)privacy.net> wrote in message
> news:6YednTAIgKspFAPWnZ2dnUVZ_hWdnZ2d(a)ntd.net...
>> Daave wrote:
>>> philo wrote:
>>>> MowGreen wrote:
>>>>> MowGreen wrote:
>>>>>> Seeing that paper was published in 2008
>>>>> Correction. The presentation was done in Geneva at VB2009, on the
>>>>> 23rd of September, 2009:
>>>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>>>>
>>>>
>>>> Thanks for posting back
>>>>
>>>> my main point was to alert people who think their systems are secured
>>>>
>>>> to think again!
>>>
>>> We are all on the same page as far as that is concerned, philo. The
>>> point I was making was that even if you are able to delete rootkit
>>> files in the restore volume, you aren't necessarily rootkit-free. If
>>> the rootkit was indeed phoning home, it is highly unlikely it was
>>> doing so from that location (then again, I appreciate your link; I
>>> will read that in depth). Chances are it was phoning home from
>>> another location you were unable to detect.
>>
>> I ran numerous scans using four different root kit detection programs.
>>
>> It appears to be clean and the user has since made on-line financial
>> transactions without getting hacked...
>>
>> but with root kits...I don't know if one can ever be 100% sure
>>
>> nasty stuff!
>
> Did you run those rootkit programs while the drive was slaved to another
> computer, rather than being booted from the drive being scanned? I ask
> for obvious reasons.
>
> The safest method is to scan from outside the OS with a rootkit scanner
> AND an anti-virus app AND a spyware detection app like MBAM. I think we
> all agree on that as a *preferred* protocol.
>
> What is being described in the articles both you and Mow posted is not
> conclusive that the malware is actually being run (and therefore
> "active") from within the SVI folders.
>
> It appears that the folder created by the infection inside the SVI
> folder was used to store components used for the initial installation
> of the infection, but the infection itself is actually executing as a
> service out of the System32 folder tree and loading from the Service
> Registry Key.....note please the quote from the article you cited:
> "....running as a service allows the rootkit to survive a reboot".
>
> Even if this is the case, that it isn't active in the SVI, the fact that
> the folder was easily hacked for storage makes it possible that sooner
> or later, a rootkit will come along that will succeed in actually
> running from there. It just gets nastier all the time....and we can't
> afford to be smug and say it can "never" happen. Never say
> never...especially about malware. ;-)

Fortunately my machines have removable drive kits so it was easy for me
to pop the infected drive in another machine to scan it...

Once I was sure the machine was clean...I did check to see what services
were running and made sure I could identify all non-Microsoft services.

Of course one thing I did not do was see if the rootkit may have been
spawning some service...which of course would mean that it was not
running from within the restore volume.

Of course that does not make it less dangerous...and we all need to use
caution and not assume our machines are impervious to malware
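The check glee and philo describe above (services loading from the Services registry key, identifying every non-Microsoft service, and watching for anything stored under System Volume Information) can be scripted. The following is an added example, not code from anyone in this thread; it assumes a PowerShell-capable Windows box and the standard `HKLM:\SYSTEM\CurrentControlSet\Services` key, and it also follows svchost-hosted services to the DLL named in `Parameters\ServiceDll`, which is where such a service's real code lives. On a live infected system a rootkit can hide keys and files from this script, which is exactly why the thread recommends scanning from outside the OS; for a slaved drive, load its SYSTEM hive with `reg load` and point `$ServicesKey` at that hive instead.

```powershell
# Added example (not from the thread): triage installed services from the Services
# registry key. Flags a service when its binary is stored under System Volume
# Information, is missing/hidden, or does not carry a valid Microsoft embedded
# signature. Catalog-signed Windows files show up as NotSigned on older PowerShell,
# so the "Why" column is a list to identify by hand, not a malware verdict.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # assumption: live system hive

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    # Expand %SystemRoot%-style variables, drop arguments, normalise driver path prefixes
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(\S+)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" # \SystemRoot\System32\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # bare system32\drivers\x.sys
    return $p
}

function Get-SuspiciousServices {
    Get-ChildItem $ServicesKey | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath
        if (-not $svc.ImagePath) { return }
        $binary = Resolve-ServiceBinary $svc.ImagePath
        # svchost-hosted services: the executable is svchost.exe, the real code is the ServiceDll
        $dll = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
        if ($dll) { $binary = Resolve-ServiceBinary $dll.ServiceDll }

        $reasons = @()
        if ($binary -match 'System Volume Information') { $reasons += 'stored under SVI' }
        if (-not (Test-Path -LiteralPath $binary)) {
            $reasons += 'binary missing or hidden'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $binary
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $reasons += 'non-Microsoft signer' }
        }
        if ($reasons) {
            New-Object PSObject -Property @{
                Service = $_.PSChildName
                Binary  = $binary
                Why     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousServices | Sort-Object Service | Format-Table -AutoSize Service, Why, Binary
```

Compare the flagged list against what you know is installed; a driver you can't account for, or anything at all under SVI, is what to take to an offline scan.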
From: MowGreen on 15 Mar 2010 18:18

glee wrote:
> "philo" <philo(a)privacy.net> wrote in message
> news:6YednTAIgKspFAPWnZ2dnUVZ_hWdnZ2d(a)ntd.net...
>> Daave wrote:
>>> philo wrote:
>>>> MowGreen wrote:
>>>>> MowGreen wrote:
>>>>>> Seeing that paper was published in 2008
>>>>> Correction. The presentation was done in Geneva at VB2009, on the
>>>>> 23rd of September, 2009:
>>>>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>>>>
>>>>
>>>> Thanks for posting back
>>>>
>>>> my main point was to alert people who think their systems are secured
>>>>
>>>> to think again!
>>>
>>> We are all on the same page as far as that is concerned, philo. The
>>> point I was making was that even if you are able to delete rootkit
>>> files in the restore volume, you aren't necessarily rootkit-free. If
>>> the rootkit was indeed phoning home, it is highly unlikely it was
>>> doing so from that location (then again, I appreciate your link; I
>>> will read that in depth). Chances are it was phoning home from
>>> another location you were unable to detect.
>>
>> I ran numerous scans using four different root kit detection programs.
>>
>> It appears to be clean and the user has since made on-line financial
>> transactions without getting hacked...
>>
>> but with root kits...I don't know if one can ever be 100% sure
>>
>> nasty stuff!
>
> Did you run those rootkit programs while the drive was slaved to another
> computer, rather than being booted from the drive being scanned? I ask
> for obvious reasons.
>
> The safest method is to scan from outside the OS with a rootkit scanner
> AND an anti-virus app AND a spyware detection app like MBAM. I think we
> all agree on that as a *preferred* protocol.
>
> What is being described in the articles both you and Mow posted is not
> conclusive that the malware is actually being run (and therefore
> "active") from within the SVI folders.
>
> It appears that the folder created by the infection inside the SVI
> folder was used to store components used for the initial installation
> of the infection, but the infection itself is actually executing as a
> service out of the System32 folder tree and loading from the Service
> Registry Key.....note please the quote from the article you cited:
> "....running as a service allows the rootkit to survive a reboot".
>
> Even if this is the case, that it isn't active in the SVI, the fact that
> the folder was easily hacked for storage makes it possible that sooner
> or later, a rootkit will come along that will succeed in actually
> running from there. It just gets nastier all the time....and we can't
> afford to be smug and say it can "never" happen. Never say
> never...especially about malware. ;-)

Mal-coders stash executables in TIF but they are not executed until
something outside of TIF calls them to run. So, technically speaking,
malware executables are not active in TIF.

It's the same with executables in SVI but ... the prevailing notion was
that one needed to utilize an infected restore point to pWn the system.

Another anti-malware warrior explained how this Vista System Restore
Rootkit functions:
http://www.rootkit.com/newsread.php?newsid=900

" This is not a rootkit that runs from SVI either. The rootkit initiates
a system restore, and it then intercepts and diverts SR execution so
malicious files and registry keys are restored. Once the PC is shutdown
and restarted the infected file(s) and autostart(s) that were introduced
by the subverted SR, will take effect.

The advantage of using such a rootkit, is that it enables malware to
silently install without activating any HIPS or security program alerts. "

MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked