Rootkit Removal big problem

#1
Good afternoon all, need some good advice with this one as I am completely stuck.

A computer I am working on had a rootkit, so I tried to remove it with the usual antivirus (AVG), then SuperAntiSpyware remover and Malwarebytes.
Did not work, so tried Malwarebytes in safe mode, but no joy.

Reformatted the hard drive and started a fresh install with Win XP.
Install went fine; installed Avast antivirus and the Microsoft malware remover tool and updated all software (Internet Explorer to IE 8, for example).

Problem is that the rootkit is still on the machine. Any top tips would be most welcome.

HH
 
#2
It must be residing in the MBR, use a Windows DVD to get into the Recovery Console and type fixmbr, that will write a new boot sector and erase the little ******.
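As an added, defender-side illustration of what the fixmbr step above overwrites (example code added here, not from the original post or any poster): the script parses the first 512 bytes of a disk, validates the 0x55AA boot signature, decodes the partition table, and hashes the 440-byte boot-code region against a known-good baseline, so a modified MBR can be spotted and confirmed before or after a reinstall. The two sample sectors and the baseline hash are constructed inside the script; in practice the baseline comes from a known-clean image of the same Windows version, and reading a physical drive needs administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # boot code occupies bytes 0..439 in the classic layout
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR into boot-code hash, disk signature, partitions and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare an MBR against a known-good boot-code hash; returns a list of findings (empty = clean)."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if sum(1 for p in info["partitions"] if p["active"]) > 1:
        findings.append("more than one partition flagged active")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not a dump of any real disk): given boot code, one active NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD)           # constructed disk signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)      # remaining three slots unused
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE


# Constructed sectors: a "clean" boot stub and one whose boot code has been replaced.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 32)
# Assumption: the baseline hash would normally be taken from a known-clean image of the same OS.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]


def read_mbr(path: str) -> bytes:
    """Read the first sector from a raw device or disk image."""
    # On Windows the raw device path is r"\\.\PhysicalDrive0" and requires administrator rights;
    # on Linux something like /dev/sda. Both need elevated privileges.
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE_SHA256) or ["no findings"])
```

Point `read_mbr` at a disk image or raw device to check a real machine; a boot-code hash that differs from the baseline of the installed Windows version, or a sector with a missing signature, is the signal that the MBR is not what the installer wrote, which is exactly the condition fixmbr is meant to repair.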
 
#3
It must be residing in the MBR, use a Windows DVD to get into the Recovery Console and type fixmbr, that will write a new boot sector and erase the little ******.
Cheers matey, will give that a go now, have just reformatted and installed again.

hh
 
#4
All depends on the level of rootkit that has infected your machine. What tool is alerting you to the presence of a rootkit and what symptoms are you experiencing?

Some rootkits bury themselves in at the hardware level, where they place code inside the actual chips in your machine. They can burrow into graphic / audio cards, hard drive controllers, chips and memory on your mboard etc... No matter how many times you reformat you are fucked, as the rootkit is not sitting in your operating system.

As for the likes of AVG, Avast etc.... some are good, others are crap. I prefer Avast myself, but I also have this little nugget that I highly recommend. It's called AVZ and is pretty powerful as an AV toolkit. It takes some getting used to and I had a lot of false positives to begin with - read the manual and check out the forums. I think it was designed by some Russian hacker who has now been poached by Kaspersky Labs. I have had to use Google Translate on the link as the site is in Russian.

AVZ main page

Another link direct from kaspersky:

kaspersky labs
 
#5
All depends on the level of rootkit that has infected your machine. What tool is alerting you to the presence of a rootkit and what symptoms are you experiencing?

Some rootkits bury themselves in at the hardware level, where they place code inside the actual chips in your machine. They can burrow into graphic / audio cards, hard drive controllers, chips and memory on your mboard etc... No matter how many times you reformat you are fucked, as the rootkit is not sitting in your operating system.

As for the likes of AVG, Avast etc.... some are good, others are crap. I prefer Avast myself, but I also have this little nugget that I highly recommend. It's called AVZ and is pretty powerful as an AV toolkit. It takes some getting used to and I had a lot of false positives to begin with - read the manual and check out the forums. I think it was designed by some Russian hacker who has now been poached by Kaspersky Labs. I have had to use Google Translate on the link as the site is in Russian.

AVZ main page

Another link direct from kaspersky:

kaspersky labs
CDT and SNLR, thanks for the extra advice, it is much appreciated.

I got rid of it in the end by the following methods:

(At first used the Microsoft XP Pro disc to format the hard drive before installing, but the damn thing kept returning.)
Acting on SNLR's advice, decided to see if it was MBR resident, so re-installed and lo and behold it appeared again, so...

Did a bit of digging and got an independent drive wiper from CNET to do a cleaning of the hard drive, then re-installed again using only genuine products.
Once the OS was installed, put on Avast and did a scan (nothing showing).
Loaded SuperAntiSpyware and did a scan (nowt).
Re-boot scan with Avast and it picked up a "rootkit" hiding in windows\system32 as a hidden file.

Have had the desktop restarting periodically since the last post and visiting websites (safe ones), and it seems to be fine now.

I tried the Kaspersky TDSSKiller at first, but the rootkit had that null and void straight away.
Got to admit that was the most difficult one I have come across for a long time.
Anyway, cheers for the help.

HH
 
#6
Some rootkits bury themselves in at the hardware level, where they place code inside the actual chips in your machine. They can burrow into graphic / audio cards, hard drive controllers, chips and memory on your mboard etc... No matter how many times you reformat you are fucked, as the rootkit is not sitting in your operating system.
Really? Do you have a reference to these rootkits?
 
#7
CDT is right, Dogmeat. Google for the Chernobyl/CIH rootkit. We had a bit of a mare with it back in '98. It reflashed the ******* BIOS. An added pain in the arse was that the preformatted Sony floppy disks we were using to boot from had the Stoned_Angelina virus on them. A bad couple of days!

For wider reading, Google "firmware rootkits"
 
#8
As dangerous of a problem as an attack of this nature presents, however, there's one overriding factor that makes it unlikely that we'll ever see an attack of this sort in the wild. The duo's BIOS hack isn't a bug you can catch by opening the wrong e-mail—it must be installed, either by someone with physical access to the system, or remotely by a person with root-level access. This is not the sort of exploit that anyone bothers with on a grand scale. Not only is it highly impractical, it's also pointless—why go to so much trouble to infect a PC running at a Ma and Pa store if you can spend a hundredth of a cent and send them an infected e-mail they'll open and run? If an organization is genuinely vulnerable to this type of attack, it means one of two things: Either the business's IT security is absolutely horrible and has failed on multiple levels, or it's an inside job. Either way, a number of gates have been left open to leave a system vulnerable to a BIOS-level assault.
Pretty much as I thought. Largely theoretical and highly impractical. The ones in the wild targeted only the Award BIOS in PCs - not gfx or sound cards, nor hard disks. I'm fine with a bit of paranoia over security, but the sort of misguided shrieking hysteria posted by CTD_Dodger is as dangerous as it is counter-productive.
 
#11
Pretty much as I thought. Largely theoretical and highly impractical. The ones in the wild targeted only the Award BIOS in PCs - not gfx or sound cards, nor hard disks. I'm fine with a bit of paranoia over security, but the sort of misguided shrieking hysteria posted by CTD_Dodger is as dangerous as it is counter-productive.

Dog, how the hell am I causing hysteria, I was merely offering advice and some input into the thread. The only person getting irate seems to be you.

Anyway, what is your point exactly? Are you stating that rootkits can only infect the OS and BIOS? You seem to imply that I am talking bullshit about the graphics/audio cards. As for the hard drive, I said ‘Controller’, not the physical disk – pay attention to the post, dear, and read with more care.

Back on topic, I take it you have never heard of PCI rootkits – no, thought not. Any PCI device which has flashable firmware is open to this type of rootkit.

Black Hat Presentation 2007:

Implementing and detecting a PCI rootkit

Scroll to the section ‘Firmware Rootkits 3.4’:

Firmware Rootkits

Now dog, go wipe that egg off your face.
 
#12
Dog, how the hell am I causing hysteria, I was merely offering advice and some input into the thread. The only person getting irate seems to be you.

Anyway, what is your point exactly? Are you stating that rootkits can only infect the OS and BIOS? You seem to imply that I am talking bullshit about the graphics/audio cards. As for the hard drive, I said ‘Controller’, not the physical disk – pay attention to the post, dear, and read with more care.

Back on topic, I take it you have never heard of PCI rootkits – no, thought not. Any PCI device which has flashable firmware is open to this type of rootkit.

Black Hat Presentation 2007: Implementing and detecting a PCI rootkit

Scroll to the section ‘Firmware Rootkits 3.4’: Firmware Rootkits

Now dog, go wipe that egg off your face.
So your example is some old proof of concept exercise from 2007? Well, I'm almost ready to apologise - perhaps if you could just post some examples of actual firmware rootkits currently in the wild in 2012, it might just tip the balance.
 
#16
So your example is some old proof of concept exercise from 2007? Well, I'm almost ready to apologise - perhaps if you could just post some examples of actual firmware rootkits currently in the wild in 2012, it might just tip the balance.

It may have been just a PoC back in 2007, but do you think rootkit developers have ignored it since then? Consider that time to be the foundation for PCI rootkit development and think of where it could be now. It may not be highly publicised due to the fact that nobody would know if they have been infected; no scans would detect its presence at the hw layer. Think of the task of trying to implement a solution, because there are thousands of variants of hardware out there - unlike rootkits designed for an OS.

Q: Would you know if you have been infected and how would you detect it?


Again, a more recent development, but would you know if it is out there on your card?

Rootkit on a NIC

Development is now targeting Apple hw:

We've also seen a number of other interesting examples of hardware level/firmware based malware in the last couple of years. In 2009, a security researcher known as "K. Chen" presented at Black Hat/DEFCON that it was possible to hack and infect Apple Mac keyboards. Chen had found a way to reverse engineer the keyboard's firmware upgrade facility and was able to inject a keystroke logger and potentially install rootkits which would be difficult or almost immune to detection, and would be persistent regardless of a re-installation of a machine's operating system. While Apple later patched this vulnerability in a security update for Mac OS X thanks to K. Chen’s research, this example clearly shows that anything relying on firmware is a potential target for malware infection.

Similarly, earlier this year, another Apple product was found vulnerable to a firmware based attack - the batteries used by Apple Macbooks, Macbook Pros and Macbook Airs. Security researcher Charlie Miller was able to modify the firmware on Macbook batteries, which performs functions such as monitoring the battery charge level and heat regulation of the battery. It seems that these batteries' firmware chips shipped with a default password, which when discovered, would allow a hacker to control the functions of the battery, as well as potentially infect the batteries with persistent malware.
 
#17
I'm still not seeing anything that makes firmware rootkits something to be concerned over. They're difficult to engineer, highly target-specific, far from trivial to install and have no discernible distribution vector. While they might be interesting from an academic viewpoint, the threat from more virulent forms of modern malware to your bank account, credit card details and the ransoming of data is an order of magnitude more relevant. So +1 for giving me some interesting reading and -1 for making a mountain out of a worm-cast.
 
#18
I'm still not seeing anything that makes firmware rootkits something to be concerned over. They're difficult to engineer, highly target-specific, far from trivial to install and have no discernible distribution vector. While they might be interesting from an academic viewpoint, the threat from more virulent forms of modern malware to your bank account, credit card details and the ransoming of data is an order of magnitude more relevant. So +1 for giving me some interesting reading and -1 for making a mountain out of a worm-cast.
Oh dear.
 
#19
I'm still not seeing anything that makes firmware rootkits something to be concerned over. They're difficult to engineer, highly target-specific, far from trivial to install and have no discernible distribution vector. While they might be interesting from an academic viewpoint, the threat from more virulent forms of modern malware to your bank account, credit card details and the ransoming of data is an order of magnitude more relevant. So +1 for giving me some interesting reading and -1 for making a mountain out of a worm-cast.
So looks like I only scored 0 - damn, better luck next time. If I knew that then I would have got my head stuck into some braindumps before sitting the 'Dogmeat Rootkit Pepsi Challenge'.

I am not out to convince you, Mr Chappie, I was only presenting facts to the discussion.
 
#20
I'm still not seeing anything that makes firmware rootkits something to be concerned over. They're difficult to engineer, highly target-specific, far from trivial to install and have no discernible distribution vector.
Stuxnet is all those things and more; it's all a question of what threat models you are working with. As a home/corporate user you are correct that it's unlikely to matter, but understand that this stuff does exist and will be in use somewhere, and it won't be in academia. I remember chatting with L0pht and other guys about NIC firmware sniffers and the like over a decade ago, 'tis not new.
 