Removal and forensics of advanced rootkit employing Shadow Walker technology - help needed!!!


Microsoft Applications Security - Microsoft's general security discussions and announcements 

Posted by Polanski24 on July 15, 2006, 5:24 am
Hello!

Last week one of my home systems was seriously compromised with a then
brand new and undetected Trojan-Downloader.Win32.Small.dey. I got
bitter credit from KasperskyLabs for discovering the malware, but they did
not manage to provide any solution for removing all payloads installed
by it. Due to fortunate errors made by the rootkit programmer, which allow
its presence to be spotted easily through abnormal system behaviour
symptoms, I could easily spot the presence of the malware on the compromised system.

For thread discussing infection pls check: http://tinyurl.com/zxrg8

All tools but one used to search for the malware/rootkit failed. Only SVV
(System Virginity Verifier by Joanna Rutkowska) managed to discover the
infection, which most probably employs Shadow Walker technology. Pls
find below the results from running SVV.

Note that kl1.sys and klif.sys driver modules are part of Kaspersky
Antivirus installation.

Removal of the unprotected haspnt.sys still leaves the symptoms and gives the svv
check result posted below the original one.

Any help on forensic investigation and removal of rootkit would be
greatly appreciated.

rgrds


__________________________________________________
Original SVV check:

C:\svv check /m
WARNING: Service Table redirection detected
origKiServiceTbl: 0x804e26a8 - 0x804e2ba8
currKiServiceTbl: 0x829b1b58 - 0x829b1ffc
ntoskrnl.exe (804d7000 - 806eb600)... suspected! (verdict = 5).
module ntoskrnl.exe [0x804d7000 - 0x806eb600]:
0x804db03d (section .text) [RtlPrefetchMemoryNonTemporal()+0] 1
byte(s): exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
file :c3
memory :90
verdict = 1

0x804dbaa2 (section .text) 18 byte(s): exclusion filter:
KeFlushCurrentTb()
file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dbaba (section .text) 1 byte(s): exclusion filter:
KeFlushCurrentTb() [c3->00]
file :c3
memory :00
verdict = 1

0x804de8ea (section .text) 1 byte(s): exclusion filter:
KiSystemCallExitBranch() [05->06]
file :05
memory :06
verdict = 1

0x804e2878 [KiServiceTable[116]] 4 byte(s):
KiServiceTable HOOK:
address 0xf7a4f23e is inside kl1.sys module [0xf7a4e000-0xf7a53000]
target module path: kl1.sys
file :e3 0c 57 80
memory :3e f2 a4 f7
verdict = 2

0x804fbe09 (section .text) [FsRtlCheckLockForReadAccess()+0] 5
byte(s):
JMPing code (jmp to: 0xf521ff3b)
address 0xf521ff3b is inside klif.sys module [0xf5209000-0xf5237000]
target module path: \SystemRoot\System32\drivers\klif.sys
file :8b ff 55 8b ec
memory :e9 32 41 d2 74
verdict = 2

IDT[1] points to 0x83f9501d (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

IDT[3] points to 0x83f9503c (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

IDT[6] points to 0xf79c116d which is inside Haspnt.sys module
[0xf79be000-0xf79ca000]
target module path: \??\G:\WINDOWS\System32\drivers\Haspnt.sys
verdict = 5
UNFIXABLE!

IDT[14] points to 0xf79c0fc2 which is inside Haspnt.sys module
[0xf79be000-0xf79ca000]
target module path: \??\G:\WINDOWS\System32\drivers\Haspnt.sys
verdict = 5
UNFIXABLE!

module ntoskrnl.exe: end of details
kernel32.dll (7c800000 - 7c8fb000)... innocent hooking (verdict
= 2).
module kernel32.dll [0x7c800000 - 0x7c8fb000]:
0x7c802f58 (section .text) 15 byte(s): Inside EAT
file :77 1d 00 00 4f 1d 00 00 f1 1a 00 00 d3 ac 00
memory :c4 2f 08 00 d3 2f 08 00 f1 2f 08 00 e2 2f 08
verdict = 2

module kernel32.dll: end of details

SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

___________________________________________________
Check after disabling haspnt.sys

svv check /a /m
WARNING: Service Table redirection detected
origKiServiceTbl: 0x804e26a8 - 0x804e2ba8
currKiServiceTbl: 0x82b9db58 - 0x82b9dffc
WARNING: Veryfing integrity of ALL kernel modules may cause a SYSTEM
CRASH!
Do you want to continue (yes/no)?
yes
ntoskrnl.exe (804d7000 - 806eb600)... suspected! (verdict = 5).
module ntoskrnl.exe [0x804d7000 - 0x806eb600]:
0x804db03d (section .text) [RtlPrefetchMemoryNonTemporal()+0] 1
byte(s): exclusion filter: RtlPrefetchMemoryNonTemporal() [c3->90]
file :c3
memory :90
verdict = 1

0x804dbaa2 (section .text) 18 byte(s): exclusion filter:
KeFlushCurrentTb()
file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x804dbaba (section .text) 1 byte(s): exclusion filter:
KeFlushCurrentTb() [c3->00]
file :c3
memory :00
verdict = 1

0x804de8ea (section .text) 1 byte(s): exclusion filter:
KiSystemCallExitBranch() [05->06]
file :05
memory :06
verdict = 1

0x804e2878 [KiServiceTable[116]] 4 byte(s):
KiServiceTable HOOK:
address 0xf7a4f23e is inside kl1.sys module [0xf7a4e000-0xf7a53000]
target module path: kl1.sys
file :e3 0c 57 80
memory :3e f2 a4 f7
verdict = 2

0x804fbe09 (section .text) [FsRtlCheckLockForReadAccess()+0] 5
byte(s):
JMPing code (jmp to: 0xf510bf3b)
address 0xf510bf3b is inside klif.sys module [0xf50f5000-0xf5123000]
target module path: \SystemRoot\System32\drivers\klif.sys
file :8b ff 55 8b ec
memory :e9 32 01 c1 74
verdict = 2

IDT[1] points to 0x83f9501d (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

IDT[3] points to 0x83f9503c (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

IDT[14] points to 0x83f9507a (addr DOES NOT belong to ANY MODULE!)
verdict = 5
UNFIXABLE!

module ntoskrnl.exe: end of details
dump_atapi.sys (f5092000 - f50aa000)... Image file not found!
dump_WMILIB.SYS (f7cce000 - f7cd0000)... Image file not found!
hardlock.sys (bac50000 - bacc1000)... Wrong PE image format!
kernel32.dll (7c800000 - 7c8fb000)... innocent hooking (verdict
= 2).
module kernel32.dll [0x7c800000 - 0x7c8fb000]:
0x7c802f58 (section .text) 15 byte(s): Inside EAT
file :77 1d 00 00 4f 1d 00 00 f1 1a 00 00 d3 ac 00
memory :c4 2f 08 00 d3 2f 08 00 f1 2f 08 00 e2 2f 08
verdict = 2

module kernel32.dll: end of details

SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

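A triage helper for the two SVV runs above, added here and not part of the original post or of SVV itself: it parses the IDT and SSDT findings out of the report text, lists entries whose target lies in no loaded module, and diffs the before/after runs, which makes the thread's point visible at a glance: disabling haspnt.sys removes the IDT[6] hook but leaves IDT[14] pointing into unowned memory. The sample report excerpts are constructed from the lines quoted in the post.

```python
import re
from collections import namedtuple

# module is None when SVV found no loaded module owning the target address
Finding = namedtuple("Finding", "location target module verdict")

# Constructed excerpts of the two SVV runs in the post, trimmed to the SSDT hook and IDT lines.
BEFORE = """\
0x804e2878 [KiServiceTable[116]] 4 byte(s):
address 0xf7a4f23e is inside kl1.sys module [0xf7a4e000-0xf7a53000]
verdict = 2
IDT[1] points to 0x83f9501d (addr DOES NOT belong to ANY MODULE!)
verdict = 5
IDT[6] points to 0xf79c116d which is inside Haspnt.sys module [0xf79be000-0xf79ca000]
verdict = 5
IDT[14] points to 0xf79c0fc2 which is inside Haspnt.sys module [0xf79be000-0xf79ca000]
verdict = 5
"""
AFTER = """\
0x804e2878 [KiServiceTable[116]] 4 byte(s):
address 0xf7a4f23e is inside kl1.sys module [0xf7a4e000-0xf7a53000]
verdict = 2
IDT[1] points to 0x83f9501d (addr DOES NOT belong to ANY MODULE!)
verdict = 5
IDT[14] points to 0x83f9507a (addr DOES NOT belong to ANY MODULE!)
verdict = 5
"""

IDT_RE = re.compile(r"IDT\[(\d+)\] points to (0x[0-9a-f]+)(?: which is inside (\S+) module)?")
HOOK_RE = re.compile(r"^(0x[0-9a-f]+) (?:\[(KiServiceTable\[\d+\])\])?.*?\n"
                     r"address (0x[0-9a-f]+) is inside (\S+) module", re.S)

def parse_svv(text):
    """Split the report at its 'verdict = N' lines and turn each piece into a Finding."""
    parts = re.split(r"^verdict = (\d+)\s*$", text, flags=re.M)
    findings = []
    for body, verdict in zip(parts[0::2], parts[1::2]):
        body = body.strip()
        if m := IDT_RE.search(body):
            findings.append(Finding(f"IDT[{m.group(1)}]", m.group(2), m.group(3), int(verdict)))
        elif m := HOOK_RE.search(body):
            findings.append(Finding(m.group(2) or m.group(1), m.group(3), m.group(4), int(verdict)))
    return findings

def unresolved(findings):
    """Locations whose target lies in no loaded module: what SVV reports as UNFIXABLE."""
    return [f.location for f in findings if f.module is None]

def diff_runs(before, after):
    """(vanished, appeared, re-targeted to another module). Raw addresses are not compared:
    a driver loaded at a new base after a reboot moves every hook it owns (klif.sys above)."""
    b = {f.location: f for f in before}
    a = {f.location: f for f in after}
    return (sorted(set(b) - set(a)), sorted(set(a) - set(b)),
            sorted(loc for loc in set(a) & set(b) if a[loc].module != b[loc].module))
```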

Posted by karl levinson, mvp on July 15, 2006, 9:17 am

> Hello!
>
> Last week one of my home systems was seriously compromised with a then
> brand new and undetected Trojan-Downloader.Win32.Small.dey. I got
> bitter credit from KasperskyLabs for discovering the malware, but they did
> not manage to provide any solution for removing all payloads installed
> by it. Due to fortunate errors made by the rootkit programmer, which allow
> its presence to be spotted easily through abnormal system behaviour
> symptoms, I could easily spot the presence of the malware on the compromised system.

Question: I'm curious, what was the name of the file you submitted to
Kaspersky?

You're certain there's no chance the SVV could be incorrect? It doesn't
look like there are any guarantees made with that tool. You don't have a
similarly configured system you could run SVV against and compare the
results, do you?



Posted by Polanski24 on July 15, 2006, 11:28 am

karl levinson, mvp wrote:
> > Hello!
> >
> > Last week one of my home systems was seriously compromised with a then
> > brand new and undetected Trojan-Downloader.Win32.Small.dey. I got
> > bitter credit from KasperskyLabs for discovering the malware, but they did
> > not manage to provide any solution for removing all payloads installed
> > by it. Due to fortunate errors made by the rootkit programmer, which allow
> > its presence to be spotted easily through abnormal system behaviour
> > symptoms, I could easily spot the presence of the malware on the compromised system.
>
> Question: I'm curious, what was the name of the file you submitted to
> Kaspersky?
>
> You're certain there's no chance the SVV could be incorrect? It doesn't
> look like there are any guarantees made with that tool. You don't have a
> similarly configured system you could run SVV against and compare the
> results, do you?

OMG

If IDT (Interrupt Descriptor Table) entry No 14 is redirected to a memory
area which has no module with executable code in it, the system should
crash with a blue screen of death at the first page fault (even without that,
since it will happen immediately after the memory manager starts running).

I would recommend reading:

"IA-32 Intel Architecture Software Developer's Manual Volume 3 -
System Programming Guide" item No - 253668-16 in particular chapter 5.

And after that, the Phrack #63 article on raising the bar for rootkit
detection.

rgrds


Posted by Karl Levinson on July 15, 2006, 3:53 pm


>> You're certain there's no chance the SVV could be incorrect? It doesn't
>> look like there are any guarantees made with that tool. You don't have a
>> similarly configured system you could run SVV against and compare the
>> results, do you?
>
> OMG
>
> If IDT (Interrupt Descriptor Table) entry No 14 is redirected to a memory
> area which has no module with executable code in it, the system should
> crash with a blue screen of death at the first page fault (even without that,
> since it will happen immediately after the memory manager starts running).

... assuming the results from the tool are accurate, hence my question.

What was the name of that file you submitted?



Posted by Gerry Hickman on July 15, 2006, 6:13 pm
Hi Polanski,

Can you clarify a couple of things:

1. How did this Trojan get onto your computer in the first place?
2. Were you running as an Administrator at the time?

Polanski24 wrote:
> Hello!
>
> Last week one of my home systems was seriously compromised with a then
> brand new and undetected Trojan-Downloader.Win32.Small.dey. I got
> bitter credit from KasperskyLabs for discovering the malware, but they did
> not manage to provide any solution for removing all payloads installed
> by it. Due to fortunate errors made by the rootkit programmer, which allow
> its presence to be spotted easily through abnormal system behaviour
> symptoms, I could easily spot the presence of the malware on the compromised system.
>
> For thread discussing infection pls check: http://tinyurl.com/zxrg8
>
> All tools but one used to search for the malware/rootkit failed. Only SVV
> (System Virginity Verifier by Joanna Rutkowska) managed to discover the
> infection, which most probably employs Shadow Walker technology. Pls
> find below the results from running SVV.
>
> Note that kl1.sys and klif.sys driver modules are part of Kaspersky
> Antivirus installation.
>
> Removal of the unprotected haspnt.sys still leaves the symptoms and gives the svv
> check result posted below the original one.
>
> Any help on forensic investigation and removal of rootkit would be
> greatly appreciated.
>
> rgrds


--
Gerry Hickman (London UK)
