Posted by Raffi on December 27, 2006, 1:21 am
David H. Lipman wrote:
> | I had some time to do packet analysis using Ethereal and most of the
> | connections were DNS queries and SMTP connections.
>
> | I went ahead and blocked all traffic from the PC to the ISP DNS servers
> | in my firewall (Comodo). The DNS server for my PC is statically defined
> | as the gateway router. Since the ISP DNS was no longer accessible it
> | rerouted the DNS queries (and/or query responses) to the gateway
> | router. These were a bunch of MX queries for mostly .ru domains.
>
> | Next I blocked all inbound and outbound UDP connections for svchost.exe
> | and services.exe. This stopped most of the traffic. After a while I
> | started seeing traffic to a couple of specific IP addresses
> | (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
> | nslookup. I blocked these IP addresses in the firewall as well. Next
> | the PC started sending out a bunch of broadcasts (.255). So I blocked
> | outbound broadcast connections.
>
> | Next it started sending broadcast to 0.255 using the ZIP (Zone
> | Information Protocol) protocol. I don't think I've seen this one
> | before. I haven't been able to block these yet.
>
> | My guess is the PC is somehow being used as a DNS/SMTP relay. Another
> | guess is my svchost.exe and/or services.exe have been compromised.
>
> | As usual, any help in getting to the bottom of this would be welcome.
>
> | Raffi
>
> http://www.dnsstuff.com/tools/whois.ch?ip=!NET-208-66-195-64-1&server=whois.arin.net
>
> http://www.dnsstuff.com/tools/whois.ch?ip=62.189.194.215&email=on
>
> This is suspicious.
>
> You may have to backup the PC, wipe it and then reinstall the OS from scratch
> if all the scans have come up negative.
>
> The only other option is to use anti RootKit software such as Gmer and
> BlackLight to find the malware. Otherwise, wipe the system.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
Update - I had tried a couple of rootkit detection software without
success and had given up. But gmer finally found it. Turns out it is a
rootkit. It's called Backdoor.Rustock.B. It uses the following hidden
data stream c:\windows\system32:lzx32.sys (c:\windows\system32:18467).
This Symantec website has more information:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=3
The symptoms for the rootkit are similar to what I'm experiencing. From
what I've read so far it might be tricky to get rid of. It seems to be
active in safe mode as well. I'll be searching for a way to get rid of
it. If there are any ideas out there, please let me know.
Thanks for all the help.
Raffi
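The first thing Raffi noticed, before any rootkit scanner confirmed anything, was a workstation firing off bursts of MX lookups for unrelated .ru domains alongside SMTP connections: the network signature of a host being used as a spam relay. The script below is an added example written for this thread, not something posted by Raffi or Dave, showing how a defender can spot that pattern in a DNS query log from the gateway resolver. It assumes a BIND-style query-log line format and uses constructed sample lines; the client addresses, domain names and thresholds are illustrative, not from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One BIND-style query-log line per entry. The format is assumed and the
# lines are constructed for this example: the infected host 192.168.1.10
# issues MX lookups for a dozen unrelated .ru domains within a few seconds,
# while 192.168.1.20 behaves like a normal workstation.
SAMPLE_LOG = [
    "27-Dec-2006 01:00:00.000 client 192.168.1.20#53012: query: www.example.com IN A + (192.168.1.1)",
    "27-Dec-2006 01:00:05.000 client 192.168.1.20#53013: query: example.com IN MX + (192.168.1.1)",
] + [
    f"27-Dec-2006 01:00:{i:02d}.{(i * 37) % 1000:03d} client 192.168.1.10#{1034 + i}: "
    f"query: domain{i:02d}.ru IN MX + (192.168.1.1)"
    for i in range(12)
] + [
    "27-Dec-2006 01:00:30.000 client 192.168.1.10#1100: query: time.windows.com IN A + (192.168.1.1)",
    "this line is not a query record and must be skipped",
]

# Timestamp, client IP, query name and query type; trailing flags are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for lines that are not query records."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["client"], m["qname"].rstrip(".").lower(), m["qtype"]


def find_mx_bursts(lines, window=timedelta(seconds=60), min_queries=10, min_domains=8):
    """Map client IP -> (mx_queries, distinct_domains) for the busiest window in
    which that client issued at least min_queries MX lookups covering at least
    min_domains distinct names. A mail server legitimately does this; a
    workstation that suddenly starts to is worth pulling off the network."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, qtype = rec
        if qtype == "MX":
            per_client[client].append((ts, qname))

    hits = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it lies within `window` of the newest event.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            domains = {name for _, name in span}
            if len(span) >= min_queries and len(domains) >= min_domains:
                best = hits.get(client)
                if best is None or len(span) > best[0]:
                    hits[client] = (len(span), len(domains))
    return hits


if __name__ == "__main__":
    for client, (count, domains) in sorted(find_mx_bursts(SAMPLE_LOG).items()):
        print(f"{client}: {count} MX queries for {domains} distinct domains within 60s")
```

Run against the constructed log it reports only 192.168.1.10. The thresholds are deliberately tuned to catch a workstation rather than a mail server: a real MTA also does many MX lookups, so on a network with legitimate mail servers the check is best applied to the client address range, or with those hosts on an allow-list. Blocking the resolver, as Raffi did, only moved the queries to the gateway; logging there is what makes the behaviour visible.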