Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Thursday, July 12, 2012 4:40 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 89, Issue 15

Send Full-Disclosure mailing list submissions to full-disclosure@lists.grok.org.uk

I've had a very similar case of downloading software and getting malware. I just wanted to get it fixed, so whether it was a virus, a worm or a rootkit I do not know. Symptoms were disabled Windows Update and Windows networking. TCP in general worked.

I found the malicious files (just a few) using one of the security tools that run from a bootable Linux CD to check the consistency of Windows files. First I tried three AV systems (F-Secure, Kaspersky and Symantec), but they were useless. Finally, from Linux I was able to find files with inconsistent attributes, as far as I remember the size and modification date.

Nothing in particular, but: AV systems identify less than 90% of malware (both forward and backward tests), a virtual machine is the best option when downloading freeware, and if Windows screws up right after installing some freeware, it is obvious what the reason is.

Mikhail

--

Message: 1
Date: Thu, 12 Jul 2012 00:46:33 +0300
From: Alexandru Balan jay...@gmail.com
Subject: Re: [Full-disclosure] suspicion of rootkit
To: phocean 0...@phocean.net
Cc: full-disclosure@lists.grok.org.uk, valdis.kletni...@vt.edu
Message-ID: c0574ee4-8509-4ff4-ab60-565d0a256...@gmail.com
Content-Type: text/plain; charset=iso-8859-1

Tried checking it with an AV? http://quickscan.bitdefender.com

On Jul 12, 2012, at 12:06 AM, phocean wrote:

> The machine is Windows XP SP3, quite up-to-date but not fully. Except that Windows Update is not working anymore. One of the symptoms.
>
> I described the issues there:
> http://www.phocean.net/2012/06/30/rootkit-in-my-lab.html
> http://www.phocean.net/2012/07/11/rootkit-in-my-lab-part-ii.html
>
> You will see why some symptoms make me think about a rootkit. You are right, it could be some Windows being messed up. But it actually happened on a pretty fresh install: I had finished setting up XP and tens of analysis tools (I aimed for this box to be my fresh reversing system). So even if possible, it sounds strange that a machine gets corrupted so quickly. And of course, I suspect some of these tools, got from multiple downloads. At last, I could analyse them one by one of course, but there are many so it would be painful (and I am not sure that I kept all the setups).
>
> ---
> phocean

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please reply to the sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, please visit our Internet web site at http://www.commonwealthcare.org.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
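The consistency check Mikhail describes, booting a Linux CD and looking for Windows files whose size or modification date no longer match, amounts to comparing the disk against a baseline taken from a trusted environment. The script below is an added example written for this page, not code posted in the thread or belonging to any tool named in it. It inventories a directory tree (size, mtime, SHA-256), saves the inventory as JSON, and later reports files that changed, appeared or disappeared. The command-line usage, the file names and tree layout in the demo are assumptions, and the demo's sample files are constructed.

```python
"""Baseline-and-compare file inventory (added example, not from the thread).
The tree path and baseline file name given on the command line are assumptions."""
import hashlib
import json
import os
import sys
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_inventory(root):
    """Record size, mtime and SHA-256 for every regular file under root.
    Keys are paths relative to root, so a baseline taken while the Windows
    volume is mounted under a live CD's mount point still lines up."""
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inv[rel] = {"size": st.st_size,
                        "mtime": int(st.st_mtime),
                        "sha256": sha256_of(full)}
    return inv


def compare(baseline, current):
    """Report files whose size, mtime or hash differ from the baseline, plus
    files that appeared or disappeared. Checking the hash as well as the
    attributes catches a replacement whose timestamp was put back."""
    report = {"modified": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
            continue
        reasons = [k for k in ("size", "mtime", "sha256") if old[k] != new[k]]
        if reasons:
            report["modified"].append((rel, reasons))
    report["added"] = sorted(set(current) - set(baseline))
    report["modified"].sort()
    report["removed"].sort()
    return report


def demo():
    """Constructed scenario: a tiny tree is baselined, then one file is
    replaced with its old timestamp restored, one is added and one deleted."""
    root = tempfile.mkdtemp(prefix="inv-demo-")
    drivers = os.path.join(root, "system32", "drivers")
    os.makedirs(drivers)
    old_ts = 1_300_000_000
    for rel, data in {"system32/kernel32.dll": b"original kernel32",
                      "system32/drivers/tcpip.sys": b"original tcpip",
                      "system32/drivers/ndis.sys": b"original ndis"}.items():
        p = os.path.join(root, *rel.split("/"))
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (old_ts, old_ts))
    baseline = build_inventory(root)
    p = os.path.join(drivers, "tcpip.sys")
    with open(p, "wb") as f:
        f.write(b"patched tcpip with extra bytes")
    os.utime(p, (old_ts, old_ts))  # timestamp put back: mtime alone stays silent
    with open(os.path.join(drivers, "unknown.sys"), "wb") as f:
        f.write(b"dropped file")
    os.remove(os.path.join(drivers, "ndis.sys"))
    return compare(baseline, build_inventory(root))


if __name__ == "__main__":
    # usage: inventory.py baseline <root> <out.json> | compare <root> <baseline.json>
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        with open(sys.argv[3], "w") as f:
            json.dump(build_inventory(sys.argv[2]), f, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        with open(sys.argv[3]) as f:
            print(json.dumps(compare(json.load(f), build_inventory(sys.argv[2])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Taking the baseline from the live CD before the freeware goes on, and again afterwards, turns "something is off" into a concrete list of paths to look at. The hash matters because a replaced file whose timestamp was put back looks unchanged by mtime alone, which is exactly the case the demo constructs.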
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
The only antivirus I have tried so far is Microsoft Security Essentials. And it finds nothing, which I certainly don't trust at all. Especially because it shows a very unusual certificate alert during the setup.

I also scanned a few files that I chose (some DLLs and services) on VirusTotal, with no results except some false positives. I also had a look at the disassembly of these files.

So, I don't know what it is, but if it is a rootkit it is not a trivial one and I am afraid it is smarter than me :)

---
phocean

On 12 Jul 2012 at 15:33, Mikhail A. Utin wrote:

> I've had a very similar case of downloading software and getting malware. I just wanted to get it fixed, so whether it was a virus, a worm or a rootkit I do not know. Symptoms were disabled Windows Update and Windows networking. TCP in general worked.
>
> I found the malicious files (just a few) using one of the security tools that run from a bootable Linux CD to check the consistency of Windows files. First I tried three AV systems (F-Secure, Kaspersky and Symantec), but they were useless. Finally, from Linux I was able to find files with inconsistent attributes, as far as I remember the size and modification date.
>
> [...]
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
A better way of proceeding on this, assuming you can afford the time, is to boot from one of the many live boot CDs (UBCD4Win, BartPE, various Linux-based rescue disks) to scan the disk while the suspect OS is not in memory. Those CD images either come with, or can be caused to contain, various AV packages. Make sure the packages used are current, and scan away.

Kurt

On Thu, Jul 12, 2012 at 6:57 AM, phocean 0...@phocean.net wrote:

> The only antivirus I have tried so far is Microsoft Security Essentials. And it finds nothing, which I certainly don't trust at all. Especially because it shows a very unusual certificate alert during the setup.
>
> I also scanned a few files that I chose (some DLLs and services) on VirusTotal, with no results except some false positives. I also had a look at the disassembly of these files.
>
> So, I don't know what it is, but if it is a rootkit it is not a trivial one and I am afraid it is smarter than me :)
>
> ---
> phocean
>
> [...]
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
On Thu, Jul 12, 2012 at 9:57 AM, phocean 0...@phocean.net wrote:

> The only antivirus I have tried so far is Microsoft Security Essentials. And it finds nothing, which I certainly don't trust at all. Especially because it shows a very unusual certificate alert during the setup.
>
> [...]
>
> So, I don't know what it is, but if it is a rootkit it is not a trivial one and I am afraid it is smarter than me :)
>
> ---
> phocean

0x00 you say:

> The only antivirus I have tried so far is Microsoft Security Essentials.

and this is why you're obvious fail. Everyone knows only is Kaspersky and F-Secure is find any virus. They is after all discover Flame single-handedisly.

I just checked your machine for you. You are is safe. Stay thirsty my friend
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
On Thu, 12 Jul 2012 11:00:36 -0400, Григорий Братислава said:

> I just checked your machine for you. You are is safe. Stay thirsty my friend

+1
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
Could you elaborate please? What is it that I haven't done yet? If we agree there is nothing in the RAM dump, how can we explain the artefacts?

Musntlive, I never trust any antivirus.

---
phocean

On 12 Jul 2012 at 17:46, valdis.kletni...@vt.edu wrote:

> On Thu, 12 Jul 2012 11:00:36 -0400, Григорий Братислава said:
>
>> I just checked your machine for you. You are is safe. Stay thirsty my friend
>
> +1
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
On Thu, Jul 12, 2012 at 12:09 PM, phocean 0...@phocean.net wrote:

> Could you elaborate please? What is it that I haven't done yet? If we agree there is nothing in the RAM dump, how can we explain the artefacts?
>
> Musntlive, I never trust any antivirus.
>
> ---
> phocean

0x00: MusntLive will always help you.

.effmach x86 (or is whatever is your machine amd64, ia64) is your first friend. When you is run this, you come back and let MusntLive know. For then we must use !dml_proc and only is real hacker debug stuff. No script kid stuff. Only for when you is know WinDBG like is back of your hand is you Windows hacker. Not is Immunity or is Olly, this is these are for is how you say rookie.

Now you is go dump with is effmach. Then is we can study this is yes with HB Gary memory tools. Because is HB Gary, if we know is find it, HB Gary is will find with is their backdoor into is their tools.

We not worry, we find evil 1337 together.
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
Yes, maybe WinDbg… Not that I am comfortable with WinDBG, but certainly a good chance to learn and get more familiar. However:

- Volatility: anything has to sit somehow in the memory, so there is no way for it to escape from the analysis. It has all the advantages of offline analysis. I don't think Volatility is script kiddy stuff. I think it is a great tool and should be enough for my concern.

- WinDBG: here we are doing live analysis, with all the difficulties it implies. It is long and painful. You have to read a damn lot of assembly, thousands of calls, decide to step into or step over, when and based on what assumptions, etc. Of course, perfect knowledge of the system internals is required. The difficulty will be raised if ever there are some anti-debugging protections. Respect to the people who can do it, they are artists, but is it really the most reasonable way to go?

---
phocean

On 12 Jul 2012 at 18:22, Григорий Братислава wrote:

> 0x00: MusntLive will always help you.
>
> .effmach x86 (or is whatever is your machine amd64, ia64) is your first friend. When you is run this, you come back and let MusntLive know. For then we must use !dml_proc and only is real hacker debug stuff. No script kid stuff. Only for when you is know WinDBG like is back of your hand is you Windows hacker. Not is Immunity or is Olly, this is these are for is how you say rookie.
>
> [...]
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
On Thu, Jul 12, 2012 at 12:47 PM, phocean 0...@phocean.net wrote:

> Yes, maybe WinDbg… Not that I am comfortable with WinDBG, but certainly a good chance to learn and get more familiar. However:
>
> - Volatility: anything has to sit somehow in the memory, so there is no way for it to escape from the analysis. It has all the advantages of offline analysis. I don't think Volatility is script kiddy stuff. I think it is a great tool and should be enough for my concern.
>
> - WinDBG: here we are doing live analysis, with all the difficulties it implies. It is long and painful. You have to read a damn lot of assembly, thousands of calls, decide to step into or step over, when and based on what assumptions, etc. Of course, perfect knowledge of the system internals is required. The difficulty will be raised if ever there are some anti-debugging protections. Respect to the people who can do it, they are artists, but is it really the most reasonable way to go?

0x00: MusntLive is give you now priceless advice for you must to listen:

1) WinDBG is to dump your memory
2) Is HB Gary FD Pro is used not volatility. This is because since Greg is backdoored all his tools, is we don't find problems, then when is HB Gary snooping in our session maybe they can find is problem for us.
3) Volatility is script kid tool (don't is tell anyone who is use this)
4) Step over is step into. MusntLive give you good analogy right now. Is you have choice, step into POOP or is step over POOP is what is your choice? Step over is what is hoped.

Forget this is step over, into, above, sideways. Foolproof is method is to diff memory. Before and is after yes.

This is key to anomalies: Before and is after
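phocean's argument for Volatility (anything running has to occupy memory, so an offline image can be walked at leisure) and Григорий's insistence on diffing before and after both come down to comparing two views of the same state and examining the disagreements. The script below is an added example, not code from the thread or from the Volatility project. It parses two constructed process listings laid out like Volatility's pslist (the kernel's linked process list) and psscan (a scan of memory for process objects), reports processes that only the scan sees and that carry no exit time, which is the classic sign of a process unlinked from the list, and separately diffs two listings taken at different times. Only the offset, name, PID and PPID columns and any timestamps are relied upon; the process names, PIDs and offsets in the samples are invented.

```python
"""Cross-view and before/after comparison of process listings (added example,
not from the thread; sample listings are constructed and only loosely follow
Volatility's pslist/psscan column layout)."""
import re

ROW_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample: what walking the kernel's process list shows.
PSLIST_SAMPLE = """\
Offset(V)  Name          PID  PPID Start
---------- ------------- ---- ---- -------------------
0x823c89c8 System           4    0 2012-07-12 08:00:01
0x81f3e020 smss.exe       368    4 2012-07-12 08:00:05
0x81e0b7e8 csrss.exe      584  368 2012-07-12 08:00:07
0x81d87020 winlogon.exe   608  368 2012-07-12 08:00:07
0x81c7f020 explorer.exe  1532 1496 2012-07-12 08:00:30
"""

# Constructed sample: what a pool scan of the same image finds. It includes one
# process the list does not link to, and one that has already exited.
PSSCAN_SAMPLE = """\
Offset(P)  Name          PID  PPID PDB        Time created        Time exited
---------- ------------- ---- ---- ---------- ------------------- -------------------
0x023c89c8 System           4    0 0x00319000 2012-07-12 08:00:01
0x01f3e020 smss.exe       368    4 0x0b2c4000 2012-07-12 08:00:05
0x01e0b7e8 csrss.exe      584  368 0x0b5a8000 2012-07-12 08:00:07
0x01d87020 winlogon.exe   608  368 0x0b6e1000 2012-07-12 08:00:07
0x01c7f020 explorer.exe  1532 1496 0x0c9a2000 2012-07-12 08:00:30
0x01b2c3a0 svchost.exe   1804  608 0x0d112000 2012-07-12 08:03:44
0x019e4da0 notepad.exe   2210 1532 0x0e220000 2012-07-12 08:10:12 2012-07-12 08:12:40
"""

# Constructed sample: the process list taken again later on the same box.
PSLIST_LATER_SAMPLE = PSLIST_SAMPLE + \
    "0x81a10020 unknown.exe   2444  608 2012-07-12 08:20:00\n"


def parse_listing(text):
    """Parse rows of the form 'offset name pid ppid ...' into {pid: info}.
    Header and dashed separator lines do not match ROW_RE and are skipped.
    A row carrying two timestamps (created and exited) is a terminated process
    that a pool scan can still see; it is noted rather than alarmed on."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _offset, name, pid, ppid = m.groups()
        times = TIME_RE.findall(line)
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "exited": len(times) >= 2}
    return procs


def cross_view(pslist_text, psscan_text):
    """Compare the linked-list view with the scan view of one memory image.
    'hidden' = seen by the scan, still running, absent from the list."""
    listed = parse_listing(pslist_text)
    scanned = parse_listing(psscan_text)
    hidden, exited, list_only = [], [], []
    for pid, info in sorted(scanned.items()):
        if pid in listed:
            continue
        (exited if info["exited"] else hidden).append((pid, info["name"]))
    for pid, info in sorted(listed.items()):
        if pid not in scanned:
            list_only.append((pid, info["name"]))
    return {"hidden": hidden, "exited": exited, "list_only": list_only}


def snapshot_diff(before_text, after_text):
    """The 'before and after' check: the same view taken twice, what changed."""
    before = parse_listing(before_text)
    after = parse_listing(after_text)
    new = sorted((p, after[p]["name"]) for p in after if p not in before)
    gone = sorted((p, before[p]["name"]) for p in before if p not in after)
    return {"new": new, "gone": gone}


if __name__ == "__main__":
    print("cross-view:", cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE))
    print("before/after:", snapshot_diff(PSLIST_SAMPLE, PSLIST_LATER_SAMPLE))
```

The exit-time check is what keeps the cross-view result honest: a pool scan routinely turns up processes that have simply terminated, and reporting those as hidden would bury the one entry worth looking at. Both comparisons key on PID; a real investigation would also compare names and parent PIDs across the two views, since a PID can be reused.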
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
Not sure if you are kidding.

1) WinDBG is a debugger, not really a memory dump.
2) Not sure I understand*
3) It is your opinion.
4) Don't understand. Sounds like a joke, but even with that angle I don't get it.*

* If only you stopped with this weird English.

---
phocean

On 12 Jul 2012 at 18:54, Григорий Братислава wrote:

> 0x00: MusntLive is give you now priceless advice for you must to listen:
>
> 1) WinDBG is to dump your memory
> 2) Is HB Gary FD Pro is used not volatility. This is because since Greg is backdoored all his tools, is we don't find problems, then when is HB Gary snooping in our session maybe they can find is problem for us.
> 3) Volatility is script kid tool (don't is tell anyone who is use this)
> 4) Step over is step into. MusntLive give you good analogy right now. Is you have choice, step into POOP or is step over POOP is what is your choice? Step over is what is hoped.
>
> Forget this is step over, into, above, sideways. Foolproof is method is to diff memory. Before and is after yes.
>
> This is key to anomalies: Before and is after
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
On Thu, Jul 12, 2012 at 1:02 PM, phocean 0...@phocean.net wrote:

> Not sure if you are kidding.
>
> 1) WinDBG is a debugger, not really a memory dump.
> 2) Not sure I understand*
> 3) It is your opinion.
> 4) Don't understand. Sounds like a joke, but even with that angle I don't get it.*
>
> * If only you stopped with this weird English.
>
> ---
> phocean

0x00: MustntLive is now give up

1) I hope Dmitry Vostokov is never read this
2) Is obvious you don't
3) MusntLive is never make opinion is always fact
4) Is repeat 2.
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
Me is give up too ;)

Thanks anyway.

---
phocean

On 12 Jul 2012 at 19:07, Григорий Братислава wrote:

> 0x00: MustntLive is now give up
>
> 1) I hope Dmitry Vostokov is never read this
> 2) Is obvious you don't
> 3) MusntLive is never make opinion is always fact
> 4) Is repeat 2.
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
On Thu, 12 Jul 2012 18:47:53 +0200, phocean said:

> - Volatility: anything has to sit somehow in the memory, so there is no way for it to escape from the analysis.

There are a number of attacks using the MTRR and IOMMU to cause the CPU to have a different view of memory. It is indeed possible for something to be sitting in memory but not be visible to *you* (while still being visible to something that didn't expect it to be visible, and thus delivering an exploit).
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
On Thu, Jul 12, 2012 at 1:11 PM, valdis.kletni...@vt.edu wrote:

> There are a number of attacks using the MTRR and IOMMU to cause the CPU to have a different view of memory. It is indeed possible for something to be sitting in memory but not be visible to *you* (while still being visible to something that didn't expect it to be visible, and thus delivering an exploit).

No! Only is Ptacek and Joanna know about these is attacks. Red pill, blue pill, rainbow pill.