Posted by William on December 28, 2006, 10:16 pm
>
> William wrote:
>> On 12/26/2006 10:21 PM, something possessed Raffi to write:
>> > David H. Lipman wrote:
>> >>
>> >>
>> >>
>> >> | I had some time to do packet analysis using Ethereal and most of
>> >> | the connections were DNS queries and SMTP connections.
>> >>
>> >> | I went ahead and blocked all traffic from the PC to the ISP DNS
>> >> | servers in my firewall (Comodo). The DNS server for my PC is
>> >> | statically defined as the gateway router. Since the ISP DNS was
>> >> | no longer accessible it rerouted the DNS queries (and/or query
>> >> | responses) to the gateway router. These were a bunch of MX
>> >> | queries for mostly .ru domains.
>> >>
>> >> | Next I blocked all inbound and outbound UDP connections for
>> >> | svchost.exe and services.exe. This stopped most of the traffic.
>> >> | After a while I started seeing traffic to a couple of specific
>> >> | ip addresses (208.66.195.78 and 62.189.194.215) which don't
>> >> | resolve to anything with nslookup. I blocked these IP addresses
>> >> | in the firewall as well. Next the PC started sending out a bunch
>> >> | of broadcasts (.255). So I blocked outbound broadcast
>> >> | connections.
>> >>
>> >> | Next it started sending broadcast to 0.255 using the ZIP (Zone
>> >> | Information Protocol) protocol. I don't think I've seen this one
>> >> | before. I haven't been able to block these yet.
>> >>
>> >> | My guess is the PC is somehow being used as a DNS/SMTP relay.
>> >> | Another guess is my svchost.exe and/or services.exe have been
>> >> | compromised.
>> >>
>> >> | As usual, any help in getting to the bottom of this would be
>> >> | welcome.
>> >>
>> >> | Raffi
>> >>
>> >> http://www.dnsstuff.com/tools/whois.ch?ip=!NET-208-66-195-64-1&server=whois.arin.net
>> >>
>> >> http://www.dnsstuff.com/tools/whois.ch?ip=62.189.194.215&email=on
>> >>
>> >>
>> >> This is suspicious.
>> >>
>> >> You may have to backup the PC, wipe it and then reinstall the OS
>> >> from scratch if all the scans have come up negative.
>> >>
>> >> The only other option is to use anti RootKit software such as Gmer
>> >> and BlackLight to find the malware. Otherwise, wipe the system.
>> >>
>> >> --
>> >> Dave
>> >> http://www.claymania.com/removal-trojan-adware.html
>> >> http://www.ik-cs.com/got-a-virus.htm
>> >
>> > Update - I had tried a couple of rootkit detection software without
>> > success and had given up. But gmer finally found it. Turns out it
>> > is a rootkit. It's called Backdoor.Rustock.B. It uses the following
>> > hidden data stream c:\windows\system32:lzx32.sys
>> > (c:\windows\system32:18467). This Symantec website has more
>> > information:
>> > http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=3
>> >
>> > The symptoms for the rootkit are similar to what I'm experiencing.
>> > From what I've read so far it might be tricky to get rid of. It
>> > seems to be active in safe mode as well. I'll be searching for a
>> > way to get rid of it. If there are any ideas out there, please let
>> > me know.
>> >
>> > Thanks for all the help.
>> > Raffi
>> >
>> First, stay off the network with your infected PC. Secondly, get
>> PEBuilder and create a BartPE LiveCD. Use this to edit your
>> registry.hiv file in order to remove the rootkit (I haven't done the
>> research because my blood sugar is getting low, so you'll need to do
>> the research to figure out what registry keys in registry.hiv should
>> be deleted (or maybe someone else here will be nice enough to post
>> those for you). Good luck.
>>
>> Cheers,
>>
>> Will
>
> Will,
>
> Thanks for the suggestions. I did manage to clean my system using a
> tool called "rustbfix.exe". My guess is this tool disables the root
> kit in the registry but doesn't actually delete the stream
> (c:\windows\system32:lzx32.sys). After running the tool, I ran
> gmer.exe again and had to manually delete the stream. The stream was
> inaccessible before but after running the cleaning tool, I was able to
> delete it.
>
> Anyway, this little adventure took up a lot of my time and hopefully
> this message thread will help others get to a fix much quicker/easier.
>
> Thanks to everyone for the help and suggestions.
>
> Raffi
>
OK. Surf safely, now, and seriously, be careful with the P2P.
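The behaviour Raffi saw in his capture (one PC firing off a stream of MX lookups for .ru domains, followed by SMTP connections) is the classic footprint of a spam engine resolving its own mail exchangers instead of handing mail to the ISP relay. The script below is an added example, not something posted in the thread or shipped by any of the tools named in it: it reads a constructed, tshark-style DNS query log ("time src qtype qname" per line; the hosts and domains are made up) and flags sources whose MX query count and MX share of all queries both exceed thresholds, reporting the top TLDs so an analyst can see the ".ru" pattern at a glance. The thresholds, the log format and the allowlist parameter are all assumptions to adapt to your own resolver or capture output.

```python
"""Flag hosts whose DNS traffic looks like a spam engine doing its own MX lookups.

Added example, not code from the thread. Input is a constructed, tshark-like
query log: one "HH:MM:SS source qtype qname" record per line. A legitimate mail
server also issues many MX queries, so keep known relays in the allowlist.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample log (hypothetical hosts and domains, not real capture data).
SAMPLE_LOG = """\
10:21:01 192.168.1.50 MX mail-example-one.ru
10:21:01 192.168.1.50 MX mail-example-two.ru
10:21:02 192.168.1.50 MX example-three.ru
10:21:02 192.168.1.50 MX example-four.net
10:21:03 192.168.1.50 A www.example.com
10:21:03 192.168.1.50 MX example-five.ru
10:21:04 192.168.1.50 MX example-six.ru
10:21:05 192.168.1.51 A www.example.org
10:21:05 192.168.1.51 A mail.example.org
10:21:06 192.168.1.51 MX example.org
10:21:07 192.168.1.52 AAAA www.example.net
this line is malformed and is skipped
"""


@dataclass
class HostStats:
    total_queries: int = 0
    mx_queries: int = 0
    mx_tlds: Counter = field(default_factory=Counter)  # TLD of each MX qname


@dataclass
class Finding:
    source: str
    total_queries: int
    mx_queries: int
    mx_share: float                 # fraction of this host's queries that were MX
    top_tlds: List[Tuple[str, int]]  # most common TLDs among its MX queries


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (source, qtype, qname) for a well-formed record, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _time, src, qtype, qname = parts
    return src, qtype.upper(), qname.rstrip(".").lower()


def collect_stats(lines: Iterable[str]) -> Dict[str, HostStats]:
    """Aggregate per-source query counts, tracking MX queries and their TLDs."""
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, qtype, qname = parsed
        host = stats[src]
        host.total_queries += 1
        if qtype == "MX":
            host.mx_queries += 1
            host.mx_tlds[qname.rsplit(".", 1)[-1]] += 1
    return stats


def analyze_dns_log(log_text: str, min_mx: int = 5, min_mx_share: float = 0.5,
                    allowlist: Iterable[str] = ()) -> List[Finding]:
    """Return findings for sources that look like self-resolving spam engines.

    A source is flagged only when it issued at least `min_mx` MX queries AND
    MX queries make up at least `min_mx_share` of everything it asked for;
    hosts in `allowlist` (known mail relays) are never flagged.
    """
    allowed = set(allowlist)
    findings: List[Finding] = []
    for src, host in collect_stats(log_text.splitlines()).items():
        if src in allowed or host.mx_queries < min_mx:
            continue
        share = host.mx_queries / host.total_queries
        if share < min_mx_share:
            continue
        findings.append(Finding(src, host.total_queries, host.mx_queries,
                                share, host.mx_tlds.most_common(3)))
    findings.sort(key=lambda f: f.mx_queries, reverse=True)
    return findings


if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_LOG):
        print(f"{f.source}: {f.mx_queries}/{f.total_queries} queries were MX "
              f"({f.mx_share:.0%}); top TLDs: {f.top_tlds}")
```

Run it against a real capture by exporting the DNS query layer to the same four columns; the first thing to do with a hit is exactly what the thread did next, which is to watch whether the flagged host goes on to open outbound SMTP connections to the exchangers it resolved.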