From: MowGreen on 14 Mar 2010 15:28

MowGreen wrote:
> Seeing that paper was published in 2008

Correction. The presentation was done in Geneva at VB2009, on the 23rd of September, 2009:
http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx

MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
From: PA Bear [MS MVP] on 14 Mar 2010 16:46

IIRC, the...

> ...'hard disk recovery card', hardware
> widely used by Internet cafés in China

to which the author refers has nothing to do with (Windows) System Restore but rather the hardware equivalent of the hidden Recovery partition found on so many Notebook PCs now (in place of the OEM supplying disks).
--
~PA Bear
Errabundi Saepe, Semper Certi

MowGreen wrote:
> Upon further review ... root kits that can penetrate System Restore *** DO EXIST ***. I had downloaded this paper from Microsoft Australia in January but neglected to read it:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=27B9B205-D4AD-49F1-B7D7-66EE185C59CE&displaylang=en&displaylang=en
>
> 'I CAN'T GO BACK TO YESTERDAY, BECAUSE I WAS A DIFFERENT PERSON THEN'
> Chun Feng
> Microsoft, Level 5
>
> " ABSTRACT
> System Restore hardware and software have been widely implemented, and are commonly used by computer users to revert back to a pre-preserved 'good' state after being affected by malware or other threats to system integrity. As these restore facilities have become commonplace, so too has the malware that attempts to penetrate them. This type of malware reaches into the depths of the affected machine and targets the file system driver.
> In late 2007, a mysterious new breed of malware appeared in China and has been evolving quickly since. This malware, named Win32/Dogrobot, is designed deliberately to penetrate a 'hard disk recovery card' – hardware widely used by Internet cafés in China. Surprisingly, Dogrobot has caused more than eight billion RMB (around 1.2 billion USD) in losses to Internet cafés in China. (This cost far exceeds that caused by the notorious Win32/Viking virus.)
> This paper tracks the five generations of Dogrobot and presents the novel rootkit technique used by Dogrobot to penetrate System Restore on Windows systems, covering penetration from the Windows volume management layer used by early variants, to the Windows IDE/ATAPI Port Driver layer used by the latest variants. This paper also closely examines Dogrobot's propagation methods, including the use of zero-day exploits and ARP spoofing. "
>
> Seeing that paper was published in 2008 I'm wondering what generation Win32/Dogrobot is now at and what other capabilities it currently has. Perhaps the MS Malware Protection page has some info. It does:
>
> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32%2fDogrobot&showall=False&CBF=False&sortby=relevance&sortdir=desc&size=10&page=1
>
> So the misconception was on my part. Mowa culpa.
>
> MowGreen
> ================
> *-343-* FDNY
> Never Forgotten
> ================
>
> banthecheck.com
> "Security updates should *never* have *non-security content* prechecked
>
> philo wrote:
>> glee wrote:
>>> "philo" <philo(a)privacy.net> wrote in message
>>> news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d(a)ntd.net...
>>>>> snip
>>>>>>> 
>>>>>> I used the word "hiding"
>>>>>> as I needed to scan the drive from another system to detect it.
>>>>>>
>>>>>> The rootkit was designed to operate from within the restore volume.
>>>>>
>>>>> Please provide documentation.
>>>> some good reading here
>>>>
>>>> (may warp)
>>>>
>>>> http://books.google.com/books?id=5Cs46M9FV0sC&pg=PA4&lpg=PA4&dq=rootkit+in+restore+volume&source=bl&ots=pUMJIDwhIu&sig=e3x1AMGWY-Wuki2uu68TCa1XAk0&hl=en&ei=ue2cS7woi-oz9rm45g0&sa=X&oi=book_result&ct=result&resnum=2&ved=0CAgQ6AEwATgK#v=onepage&q=rootkit%20in%20restore%20volume&f=false
>>>>
>>> VERY Interesting.....thanks for the link. I have not seen mention of this before.....will send it on to folks in the field to see what kind of feedback I get from there...should be interesting.
>>
>> You are welcome
>> those evil folks who write rootkits
>>
>> I must admit ... are quite clever.
>>
>> That kind of malware is far more dangerous than a virus in that it may actually result in savings accounts and credit card compromises.
>>
>> Rootkits are a very real and a very nasty threat!!!!!
>>
>> Not to be taken lightly.
>>
>> I urge all people to take caution
>>
>> and for the folks at MS to work very hard on the issue of root kits!!!!
From: philo on 14 Mar 2010 19:15

MowGreen wrote:
> MowGreen wrote:
>> Seeing that paper was published in 2008
>
> Correction. The presentation was done in Geneva at VB2009, on the 23rd of September, 2009:
> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>
> MowGreen
> ================
> *-343-* FDNY
> Never Forgotten
> ================
>
> banthecheck.com
> "Security updates should *never* have *non-security content* prechecked

Thanks for posting back

my main point was to alert people who think their systems are secured to think again!
From: Daave on 14 Mar 2010 20:26

philo wrote:
> MowGreen wrote:
>> MowGreen wrote:
>>> Seeing that paper was published in 2008
>>
>> Correction. The presentation was done in Geneva at VB2009, on the 23rd of September, 2009:
>> http://blogs.technet.com/mmpc/archive/2009/09/15/i-can-t-go-back-to-yesterday-see-you-in-geneva.aspx
>>
>> MowGreen
>> ================
>> *-343-* FDNY
>> Never Forgotten
>> ================
>>
>> banthecheck.com
>> "Security updates should *never* have *non-security content* prechecked
>
> Thanks for posting back
>
> my main point was to alert people who think their systems are secured to think again!

We are all on the same page as far as that is concerned, philo. The point I was making was that even if you are able to delete rootkit files in the restore volume, you aren't necessarily rootkit-free. If the rootkit was indeed phoning home, it is highly unlikely it was doing so from that location (then again, I appreciate your link; I will read that in depth). Chances are it was phoning home from another location you were unable to detect.
From: MowGreen on 15 Mar 2010 13:59

Read the article again, BroBear. And, 'bear' in mind that the author has NOT analyzed any newer generations than what existed in *August 2008*. A check of the MS Malware Protection's encyclopedia shows plenty more variants of Dogrobot that have appeared since then:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32%2fDogrobot&showall=True&CBF=True&sortby=date&sortdir=desc&size=10

" Fifth generation
The fifth generation of Dogrobot was noticed in the wild in August 2008. In this generation, Dogrobot uses a new technique, PASS_THROUGH, in order to penetrate through System Restore. Windows OS provides three I/O control codes: IOCTL_SCSI_PASS_THROUGH (0x4D004), IOCTL_ATA_PASS_THROUGH (0x4D02C) and IOCTL_IDE_PASS_THROUGH (0x4D028), and user-mode applications can send IRP with these I/O control codes via DeviceIoControl() to the disk.sys driver. These IRPs will be forwarded directly down to the lower driver (e.g. atapi.sys) in order to perform disk read/write or other disk operations [10]. Some System Restore solutions don't intercept the read/write access via PASS_THROUGH and this is exploited by the fifth generation to compromise System Restore. The disassembly of the code used by Dogrobot to write to disk via IOCTL_ATA_PASS_THROUGH is depicted in Figure 11. "

Does atapi.sys ring a bell ? Remember the TDSS rootkit ?

MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked

PA Bear [MS MVP] wrote:
> IIRC, the...
>
>> ...'hard disk recovery card', hardware
>> widely used by Internet cafés in China
>
> to which the author refers has nothing to do with (Windows) System Restore but rather the hardware equivalent of the hidden Recovery partition found on so many Notebook PCs now (in place of the OEM supplying disks).
> --
> ~PA Bear
> Errabundi Saepe, Semper Certi
>
> MowGreen wrote:
>> Upon further review ... root kits that can penetrate System Restore *** DO EXIST ***. I had downloaded this paper from Microsoft Australia in January but neglected to read it:
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=27B9B205-D4AD-49F1-B7D7-66EE185C59CE&displaylang=en&displaylang=en
>>
>> 'I CAN'T GO BACK TO YESTERDAY, BECAUSE I WAS A DIFFERENT PERSON THEN'
>> Chun Feng
>> Microsoft, Level 5
>>
>> " ABSTRACT
>> System Restore hardware and software have been widely implemented, and are commonly used by computer users to revert back to a pre-preserved 'good' state after being affected by malware or other threats to system integrity. As these restore facilities have become commonplace, so too has the malware that attempts to penetrate them. This type of malware reaches into the depths of the affected machine and targets the file system driver.
>> In late 2007, a mysterious new breed of malware appeared in China and has been evolving quickly since. This malware, named Win32/Dogrobot, is designed deliberately to penetrate a 'hard disk recovery card' – hardware widely used by Internet cafés in China. Surprisingly, Dogrobot has caused more than eight billion RMB (around 1.2 billion USD) in losses to Internet cafés in China. (This cost far exceeds that caused by the notorious Win32/Viking virus.)
>> This paper tracks the five generations of Dogrobot and presents the novel rootkit technique used by Dogrobot to penetrate System Restore on Windows systems, covering penetration from the Windows volume management layer used by early variants, to the Windows IDE/ATAPI Port Driver layer used by the latest variants. This paper also closely examines Dogrobot's propagation methods, including the use of zero-day exploits and ARP spoofing. "
>>
>> Seeing that paper was published in 2008 I'm wondering what generation Win32/Dogrobot is now at and what other capabilities it currently has. Perhaps the MS Malware Protection page has some info. It does:
>>
>> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32%2fDogrobot&showall=False&CBF=False&sortby=relevance&sortdir=desc&size=10&page=1
>>
>> So the misconception was on my part. Mowa culpa.
>>
>> MowGreen
>> ================
>> *-343-* FDNY
>> Never Forgotten
>> ================
>>
>> banthecheck.com
>> "Security updates should *never* have *non-security content* prechecked
>>
>> philo wrote:
>>> glee wrote:
>>>> "philo" <philo(a)privacy.net> wrote in message
>>>> news:ROidnTsOvtW0cwHWnZ2dnUVZ_s2dnZ2d(a)ntd.net...
>>>>>> snip
>>>>>>>> 
>>>>>>> I used the word "hiding"
>>>>>>> as I needed to scan the drive from another system to detect it.
>>>>>>>
>>>>>>> The rootkit was designed to operate from within the restore volume.
>>>>>>
>>>>>> Please provide documentation.
>>>>> some good reading here
>>>>>
>>>>> (may warp)
>>>>>
>>>>> http://books.google.com/books?id=5Cs46M9FV0sC&pg=PA4&lpg=PA4&dq=rootkit+in+restore+volume&source=bl&ots=pUMJIDwhIu&sig=e3x1AMGWY-Wuki2uu68TCa1XAk0&hl=en&ei=ue2cS7woi-oz9rm45g0&sa=X&oi=book_result&ct=result&resnum=2&ved=0CAgQ6AEwATgK#v=onepage&q=rootkit%20in%20restore%20volume&f=false
>>>>>
>>>> VERY Interesting.....thanks for the link. I have not seen mention of this before.....will send it on to folks in the field to see what kind of feedback I get from there...should be interesting.
>>>
>>> You are welcome
>>> those evil folks who write rootkits
>>>
>>> I must admit ... are quite clever.
>>>
>>> That kind of malware is far more dangerous than a virus in that it may actually result in savings accounts and credit card compromises.
>>>
>>> Rootkits are a very real and a very nasty threat!!!!!
>>>
>>> Not to be taken lightly.
>>>
>>> I urge all people to take caution
>>>
>>> and for the folks at MS to work very hard on the issue of root kits!!!!
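The fifth-generation technique quoted above comes down to three I/O control codes reaching disk.sys from user mode. As an added illustration (not code from the thread or from the cited paper), the block below decodes those codes with the standard CTL_CODE bit layout and runs a simple detection heuristic over a constructed log of DeviceIoControl events: any process outside an assumed allow-list that sends a pass-through IOCTL to a physical disk object gets flagged. The log format, device naming, allow-list and sample events are assumptions made for the example.

```python
import re

# CTL_CODE layout from the Windows DDK:
#   DeviceType << 16 | Access << 14 | Function << 2 | Method
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]

# The three codes named in the paper excerpt (all use IOCTL_SCSI_BASE = FILE_DEVICE_CONTROLLER).
PASS_THROUGH_IOCTLS = {
    0x4D004: "IOCTL_SCSI_PASS_THROUGH",
    0x4D02C: "IOCTL_ATA_PASS_THROUGH",
    0x4D028: "IOCTL_IDE_PASS_THROUGH",
}

def decode_ctl_code(code):
    """Split an I/O control code into its CTL_CODE fields (access: bit0 read, bit1 write)."""
    return {
        "device_type": code >> 16,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }

# Constructed sample events, assumed format: time|pid|image|device object|ioctl
# (the physical-disk naming \Device\HarddiskN\DRN is the object behind \\.\PhysicalDriveN).
SAMPLE_LOG = """\
10:01:02|4120|C:\\Windows\\explorer.exe|\\Device\\HarddiskVolume1|0x90018
10:01:05|2288|C:\\Program Files\\Vendor\\smartmon.exe|\\Device\\Harddisk0\\DR0|0x4D02C
10:01:09|3916|C:\\Users\\guest\\AppData\\Local\\Temp\\svc.exe|\\Device\\Harddisk0\\DR0|0x4D02C
10:01:10|3916|C:\\Users\\guest\\AppData\\Local\\Temp\\svc.exe|\\Device\\Harddisk0\\DR0|0x4D004
"""

# Assumed allow-list: tools legitimately expected to talk to the drive via pass-through (SMART etc.).
ALLOWED_IMAGES = {"c:\\program files\\vendor\\smartmon.exe"}
PHYSICAL_DISK = re.compile(r"\\Device\\Harddisk\d+\\DR\d+")

def find_passthrough_writers(log_text, allowed=ALLOWED_IMAGES):
    """Return (pid, image, ioctl name) for unexpected pass-through IOCTLs sent to a physical disk."""
    hits = []
    for line in log_text.splitlines():
        _ts, pid, image, device, ioctl = line.split("|")
        code = int(ioctl, 16)
        if code not in PASS_THROUGH_IOCTLS:
            continue                      # ordinary volume/file-system control, not of interest here
        if not PHYSICAL_DISK.fullmatch(device):
            continue                      # only requests that go down to disk.sys for the raw disk
        if image.lower() in allowed:
            continue                      # known disk utility
        hits.append((int(pid), image, PASS_THROUGH_IOCTLS[code]))
    return hits
```

On a real host the same logic would be fed from a driver-level or ETW trace of IRP_MJ_DEVICE_CONTROL requests rather than the constructed text above; the point is that a restore product which never sees these three codes is blind to exactly the writes the paper describes.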