From: philo on 14 Mar 2010 10:09

Daave wrote:
> philo wrote:
>> Daave wrote:
>>> philo wrote:
>>>> Daave wrote:
>>>>> philo wrote:
>>>>>> PA Bear [MS MVP] wrote:
>>>>>>> philo wrote:
>>>>>>> <snip>
>>>>>>>> About a year ago I repaired a machine that had been compromised.
>>>>>>>>
>>>>>>>> It had been used for on-line banking and credit card transactions and two accounts had been hacked.
>>>>>>>>
>>>>>>>> First thing I did was scan for root kits in all the places one would expect.
>>>>>>>>
>>>>>>>> Nothing found.
>>>>>>>>
>>>>>>>> After giving the machine a thorough scan...
>>>>>>>> the root kit was found "hiding" in the restore volume!
>>>>>>>
>>>>>>> So what? That "restore volume" wasn't active & posed no threat unless you or the user selected that particular Restore Point.
>>>>>>>
>>>>>> You missed the point entirely..
>>>>>>
>>>>>> the root kit was able to "phone home"
>>>>>>
>>>>>> from within the restore volume.
>>>>>>
>>>>>> those Russian chaps are rather clever
>>>>>
>>>>> If the rootkit was phoning home, it was doing so from a location other than the restore volume. Just because you are unable to detect it doesn't mean it isn't there!
>>>>>
>>>> I'll answer the both of you here:
>>>>
>>>> Wrong
>>>
>>> Unsubstantiated.
>>>
>>> It has already been established that certain rootkits are next-to-impossible to detect.
>>>
>>> The rootkit that you say was "hiding" in the restore point obviously wasn't hidden! However, the rootkit very likely remained in the system (the restore volume doesn't count unless you use SR, using that particular restore point), hidden from you. And your situation is not the only one.
>>>
>> I used the word "hiding"
>> as I needed to scan the drive from another system to detect it.
>>
>> The rootkit was designed to operate from within the restore volume.
>
> Please provide documentation.

some good reading here

(may warp)

http://books.google.com/books?id=5Cs46M9FV0sC&pg=PA4&lpg=PA4&dq=rootkit+in+restore+volume&source=bl&ots=pUMJIDwhIu&sig=e3x1AMGWY-Wuki2uu68TCa1XAk0&hl=en&ei=ue2cS7woi-oz9rm45g0&sa=X&oi=book_result&ct=result&resnum=2&ved=0CAgQ6AEwATgK#v=onepage&q=rootkit%20in%20restore%20volume&f=false
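An added example, not code from any poster in this thread, of what "scanning the drive from another system" looks like in practice. The suspect Windows XP volume is assumed to be mounted read-only on a separate analysis host (the path, the restore-point GUID and the sample files below are constructed for illustration), every restore point under System Volume Information is walked, and each file is classified by its PE header rather than by its name, then hashed so the result can be checked against whatever intelligence you hold. Reading the disk from another kernel is the point: a live rootkit cannot filter what a different operating system reads from the raw volume.

```python
"""Offline sweep of Windows XP System Restore points for executable content.

Added example, not code from this thread.  Assumes the suspect disk is
mounted read-only on a separate analysis host (e.g. at /mnt/suspect), so
nothing on the compromised system's own kernel is consulted while reading.
Windows XP keeps restore-point copies of files under
  <volume>\\System Volume Information\\_restore{GUID}\\RPnnn\\A00xxxxx.<ext>
so we identify executables by their PE header rather than trusting the name.
"""
import hashlib
import os
import re
import sys
import tempfile
from dataclasses import dataclass

RESTORE_DIR_RE = re.compile(r"^_restore\{[0-9A-Fa-f-]{36}\}$")
RP_DIR_RE = re.compile(r"^RP\d+$")
EXEC_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".drv", ".cpl"}


@dataclass
class Finding:
    path: str
    size: int
    sha256: str
    reason: str


def is_pe_image(path: str) -> bool:
    """True if the file starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        dos_header = f.read(0x40)
        if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(dos_header[0x3C:0x40], "little")
        if not 0x40 <= e_lfanew <= 0x1000:  # sanity bound on the NT header offset
            return False
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_restore_points(volume_root: str) -> list:
    """Walk every _restore{GUID}/RPnnn directory and report PE images found there."""
    findings = []
    svi = os.path.join(volume_root, "System Volume Information")
    if not os.path.isdir(svi):
        return findings
    for restore in sorted(os.listdir(svi)):
        if not RESTORE_DIR_RE.match(restore):
            continue
        restore_dir = os.path.join(svi, restore)
        for rp in sorted(os.listdir(restore_dir)):
            rp_dir = os.path.join(restore_dir, rp)
            if not RP_DIR_RE.match(rp) or not os.path.isdir(rp_dir):
                continue
            for name in sorted(os.listdir(rp_dir)):
                path = os.path.join(rp_dir, name)
                if not os.path.isfile(path) or not is_pe_image(path):
                    continue
                ext = os.path.splitext(name)[1].lower()
                if ext in EXEC_EXTS:
                    reason = "PE image"
                elif ext:
                    reason = f"PE image disguised as '{ext}'"
                else:
                    reason = "PE image with no extension"
                findings.append(Finding(path, os.path.getsize(path), sha256_file(path), reason))
    return findings


def summarize(findings) -> dict:
    """Map file name -> reason, for reporting and for checks."""
    return {os.path.basename(f.path): f.reason for f in findings}


def _fake_pe(payload: bytes = b"") -> bytes:
    """Minimal MZ/PE header (constructed, not a real binary) for the sample tree."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01" + bytes(18) + payload


def build_sample_volume() -> str:
    """Constructed stand-in for a mounted XP volume with one restore point."""
    root = tempfile.mkdtemp(prefix="xpvol-")
    rp = os.path.join(root, "System Volume Information",
                      "_restore{3A1F6C0B-9D2E-4B7A-8C55-0123456789AB}", "RP12")
    os.makedirs(rp)
    files = {
        "A0001234.exe": _fake_pe(b"fake installer"),         # reported: PE image
        "A0001235.txt": _fake_pe(b"renamed PE"),             # reported: disguised PE
        "A0001236.ini": b"[boot loader]\r\ntimeout=30\r\n",  # plain text, ignored
        "change.log": b"\x00" * 64,                           # SR journal, ignored
    }
    for name, data in files.items():
        with open(os.path.join(rp, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_volume()
    for f in sweep_restore_points(target):
        print(f"{f.sha256}  {f.size:>8}  {f.reason:<36}  {f.path}")
```

Run it as `python sweep.py /mnt/suspect` against the mounted volume; with no argument it sweeps the constructed sample tree. Finding a PE image in a restore point is not by itself proof of infection, since System Restore legitimately snapshots monitored executables; the hashes are what let you separate a known-good Windows binary from something that needs a closer look.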
From: glee on 14 Mar 2010 12:09

"philo" <philo(a)privacy.net> wrote in message news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d(a)ntd.net...
>> snip
>>>
>>> I used the word "hiding"
>>> as I needed to scan the drive from another system to detect it.
>>>
>>> The rootkit was designed to operate from within the restore volume.
>>
>> Please provide documentation.
>
> some good reading here
>
> (may warp)
>
> http://books.google.com/books?id=5Cs46M9FV0sC&pg=PA4&lpg=PA4&dq=rootkit+in+restore+volume&source=bl&ots=pUMJIDwhIu&sig=e3x1AMGWY-Wuki2uu68TCa1XAk0&hl=en&ei=ue2cS7woi-oz9rm45g0&sa=X&oi=book_result&ct=result&resnum=2&ved=0CAgQ6AEwATgK#v=onepage&q=rootkit%20in%20restore%20volume&f=false

VERY Interesting.....thanks for the link. I have not seen mention of this before.....will send it on to folks in the field to see what kind of feedback I get from there...should be interesting.

--
Glen Ventura, MS MVP Oct. 2002 - Sept. 2009
A+
http://dts-l.net/
From: philo on 14 Mar 2010 13:23

glee wrote:
> "philo" <philo(a)privacy.net> wrote in message news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d(a)ntd.net...
>>> snip
>>>>
>>>> I used the word "hiding"
>>>> as I needed to scan the drive from another system to detect it.
>>>>
>>>> The rootkit was designed to operate from within the restore volume.
>>>
>>> Please provide documentation.
>>
>> some good reading here
>>
>> (may warp)
>>
>> http://books.google.com/books?id=5Cs46M9FV0sC&pg=PA4&lpg=PA4&dq=rootkit+in+restore+volume&source=bl&ots=pUMJIDwhIu&sig=e3x1AMGWY-Wuki2uu68TCa1XAk0&hl=en&ei=ue2cS7woi-oz9rm45g0&sa=X&oi=book_result&ct=result&resnum=2&ved=0CAgQ6AEwATgK#v=onepage&q=rootkit%20in%20restore%20volume&f=false
>>
>
> VERY Interesting.....thanks for the link. I have not seen mention of this before.....will send it on to folks in the field to see what kind of feedback I get from there...should be interesting.

You are welcome

those evil folks who write rootkits

I must admit ... are quite clever.

That kind of malware is far more dangerous than a virus in that it may actually result in savings accounts and credit card compromises.

Rootkits are a very real and a very nasty threat!!!!!

Not to be taken lightly.

I urge all people to take caution

and for the folks at MS to work very hard on the issue of root kits!!!!
From: Ronin on 14 Mar 2010 14:36

May warp what? My mind (BTDT)? ;-)

--
Ronin

"philo" <philo(a)privacy.net> wrote in message news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d(a)ntd.net...
> Daave wrote:
<SNIP>
>>
>> Please provide documentation.
>
> some good reading here
>
> (may warp)
>
> http://books.google.com/books?id=5Cs46M9FV0sC&pg=PA4&lpg=PA4&dq=rootkit+in+restore+volume&source=bl&ots=pUMJIDwhIu&sig=e3x1AMGWY-Wuki2uu68TCa1XAk0&hl=en&ei=ue2cS7woi-oz9rm45g0&sa=X&oi=book_result&ct=result&resnum=2&ved=0CAgQ6AEwATgK#v=onepage&q=rootkit%20in%20restore%20volume&f=false
From: MowGreen on 14 Mar 2010 14:55

Upon further review ... root kits that can penetrate System Restore *** DO EXIST ***.

I had downloaded this paper from Microsoft Australia in January but neglected to read it:
http://www.microsoft.com/downloads/details.aspx?FamilyID=27B9B205-D4AD-49F1-B7D7-66EE185C59CE&displaylang=en&displaylang=en

'I CAN'T GO BACK TO YESTERDAY, BECAUSE I WAS A DIFFERENT PERSON THEN'
Chun Feng
Microsoft, Level 5

"
ABSTRACT

System Restore hardware and software have been widely implemented, and are commonly used by computer users to revert back to a pre-preserved 'good' state after being affected by malware or other threats to system integrity. As these restore facilities have become commonplace, so too has the malware that attempts to penetrate them. This type of malware reaches into the depths of the affected machine and targets the file system driver.

In late 2007, a mysterious new breed of malware appeared in China and has been evolving quickly since. This malware, named Win32/Dogrobot, is designed deliberately to penetrate a 'hard disk recovery card' – hardware widely used by Internet cafés in China. Surprisingly, Dogrobot has caused more than eight billion RMB (around 1.2 billion USD) in losses to Internet cafés in China. (This cost far exceeds that caused by the notorious Win32/Viking virus.)

This paper tracks the five generations of Dogrobot and presents the novel rootkit technique used by Dogrobot to penetrate System Restore on Windows systems, covering penetration from the Windows volume management layer used by early variants, to the Windows IDE/ATAPI Port Driver layer used by the latest variants. This paper also closely examines Dogrobot's propagation methods, including the use of zero-day exploits and ARP spoofing.
"

Seeing that paper was published in 2008 I'm wondering what generation Win32/Dogrobot is now at and what other capabilities it currently has. Perhaps the MS Malware Protection page has some info.

It does:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32%2fDogrobot&showall=False&CBF=False&sortby=relevance&sortdir=desc&size=10&page=1

So the misconception was on my part. Mowa culpa.

MowGreen
================
*-343-*
FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked

philo wrote:
> glee wrote:
>> "philo" <philo(a)privacy.net> wrote in message news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d(a)ntd.net...
>>>> snip
>>>>>
>>>>> I used the word "hiding"
>>>>> as I needed to scan the drive from another system to detect it.
>>>>>
>>>>> The rootkit was designed to operate from within the restore volume.
>>>>
>>>> Please provide documentation.
>>>
>>> some good reading here
>>>
>>> (may warp)
>>>
>>> http://books.google.com/books?id=5Cs46M9FV0sC&pg=PA4&lpg=PA4&dq=rootkit+in+restore+volume&source=bl&ots=pUMJIDwhIu&sig=e3x1AMGWY-Wuki2uu68TCa1XAk0&hl=en&ei=ue2cS7woi-oz9rm45g0&sa=X&oi=book_result&ct=result&resnum=2&ved=0CAgQ6AEwATgK#v=onepage&q=rootkit%20in%20restore%20volume&f=false
>>>
>>
>> VERY Interesting.....thanks for the link. I have not seen mention of this before.....will send it on to folks in the field to see what kind of feedback I get from there...should be interesting.
>
> You are welcome
>
> those evil folks who write rootkits
>
> I must admit ... are quite clever.
>
> That kind of malware is far more dangerous than a virus in that it may actually result in savings accounts and credit card compromises.
>
> Rootkits are a very real and a very nasty threat!!!!!
>
> Not to be taken lightly.
>
> I urge all people to take caution
>
> and for the folks at MS to work very hard on the issue of root kits!!!!