The latter causes redirections during Google searches.
GMER shows lines of the form: "\\?\globalroot\Device\__max++>\XXXXXXXX.x86.dll"
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1124] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1216] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1272] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [1280] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1352] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1916] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1976] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2468] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2620] 0x35670000
Possibly also:
---- Threads - GMER 1.0.15 ----
Thread System [4:268] 86FD8930
Thread System [4:460] 97C457FA
The latest variant gives this GMER report:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-04 08:56:20
Windows 5.1.2600 Service Pack 2
Running: x2e3v29c.exe; Driver: C:\DOCUME~1\MALEKA~1\LOCALS~1\Temp\fwrcyaog.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Internet Explorer\iexplore.exe[336] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] 35672D0C
IAT C:\Program Files\Internet Explorer\iexplore.exe[336] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 35672C96
IAT C:\WINDOWS\system32\svchost.exe[980] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] 35672D0C
IAT C:\WINDOWS\system32\svchost.exe[980] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 35672C96
IAT C:\WINDOWS\system32\svchost.exe[1084] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] 35672D0C
IAT C:\WINDOWS\system32\svchost.exe[1084] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 35672C96
IAT C:\WINDOWS\system32\svchost.exe[1156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] 35672D0C
IAT C:\WINDOWS\system32\svchost.exe[1156] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 35672C96
IAT C:\WINDOWS\system32\spoolsv.exe[1524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] 35672D0C
IAT C:\WINDOWS\system32\spoolsv.exe[1524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 35672C96
---- Devices - GMER 1.0.15 ----
Device \Driver\Disk \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074 FA18DC0C
---- Modules - GMER 1.0.15 ----
Module \SystemRoot\System32\Drivers\Fips.SYS (*** hidden *** ) FA18B000-FA193000 (32768 bytes)
---- Threads - GMER 1.0.15 ----
Thread System [4:564] FA18E96A
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\Malekal_morte\Cookies\malekal_morte@lavasoft[2].txt 362 bytes
File C:\Documents and Settings\Malekal_morte\Cookies\malekal_morte@www.lavasoft[1].txt 79 bytes
File C:\Documents and Settings\Malekal_morte\Cookies\malekal_morte@edt02[1].txt 148 bytes
---- EOF - GMER 1.0.15 ----
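The GMER findings above (a DLL loaded from an object-manager device path that is marked hidden in several processes, IAT hooks in kernel32 whose targets lie just above that DLL's base, a hidden driver module) are what a responder looks for when reading such a report. The following is an added triage script, not code from the forum post or from GMER: it parses report lines of exactly that shape, keeps only hidden libraries under `\\?\globalroot\Device\`, groups them by DLL and base address to count the injected processes, and attributes each IAT hook to a hidden library when the hook target falls within 64 KiB above its base (a heuristic of this example, since the Library line carries no size). The sample lines are constructed from the shapes on the page.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER 1.0.15 report quoted above; the clean
# kernel32 "Library" line is included so that the filter has something to ignore.
SAMPLE_GMER = [
    r"---- Processes - GMER 1.0.15 ----",
    r"Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1124] 0x35670000",
    r"Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2468] 0x35670000",
    r"Library C:\WINDOWS\system32\kernel32.dll @ C:\WINDOWS\Explorer.EXE [1916] 0x7C800000",
    r"---- User IAT/EAT - GMER 1.0.15 ----",
    r"IAT C:\WINDOWS\system32\svchost.exe[980] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] 35672D0C",
    r"IAT C:\WINDOWS\system32\svchost.exe[980] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 35672C96",
    r"---- Modules - GMER 1.0.15 ----",
    r"Module \SystemRoot\System32\Drivers\Fips.SYS (*** hidden *** ) FA18B000-FA193000 (32768 bytes)",
    r"---- EOF - GMER 1.0.15 ----",
]

# Line shapes as they appear in the GMER 1.0.15 sections quoted on the page.
HIDDEN_LIB = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$")
IAT_HOOK = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+"
    r"\[(?P<symbol>[^\]]+)\]\s+(?P<target>[0-9A-Fa-f]+)$")
HIDDEN_MODULE = re.compile(
    r"^Module\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"(?P<start>[0-9A-Fa-f]+)-(?P<end>[0-9A-Fa-f]+)")

# A DLL whose only path is under the object manager's device namespace has no
# drive-letter file that an on-disk scanner could open: that is the tell-tale here.
DEVICE_PATH = re.compile(r"^\\\\\?\\globalroot\\Device\\", re.IGNORECASE)


def triage_gmer(lines, window=0x10000):
    """Return structured findings from GMER report lines (hidden DLLs, IAT hooks, hidden drivers)."""
    hidden_libs, hooks, hidden_modules = [], [], []
    for line in lines:
        m = HIDDEN_LIB.match(line)
        if m and DEVICE_PATH.match(m["path"]):
            hidden_libs.append({"path": m["path"], "proc": m["proc"],
                                "pid": int(m["pid"]), "base": int(m["base"], 16)})
            continue
        m = IAT_HOOK.match(line)
        if m:
            hooks.append({"proc": m["proc"], "pid": int(m["pid"]),
                          "symbol": m["symbol"], "target": int(m["target"], 16)})
            continue
        m = HIDDEN_MODULE.match(line)
        if m:
            hidden_modules.append({"path": m["path"], "start": int(m["start"], 16),
                                   "end": int(m["end"], 16)})

    # Same (path, base) in several processes = one injected DLL, N victims.
    by_dll = defaultdict(set)
    for lib in hidden_libs:
        by_dll[(lib["path"], lib["base"])].add(lib["pid"])

    # Heuristic (an assumption of this example): a hook target within `window`
    # bytes above a hidden library's base is attributed to that library.
    attributed = []
    for h in hooks:
        for (path, base), _pids in by_dll.items():
            if base <= h["target"] < base + window:
                attributed.append((h["symbol"], h["pid"], path))
                break

    return {
        "hidden_libraries": hidden_libs,
        "injected_pids": {dll: sorted(pids) for dll, pids in by_dll.items()},
        "iat_hooks": hooks,
        "hidden_modules": hidden_modules,
        "hooks_attributed": attributed,
        "suspicious": bool(hidden_libs or hidden_modules or hooks),
    }


if __name__ == "__main__":
    for key, value in triage_gmer(SAMPLE_GMER).items():
        print(key, "->", value)
```

Run it on a saved GMER report with `triage_gmer(open("gmer.txt", encoding="latin-1").read().splitlines())`; the `injected_pids` map is the quickest way to see how widely the DLL has spread, and `hooks_attributed` ties the kernel32 IAT hooks back to it.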
ComboFix can show the injections into processes, which gives lines like:
- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\awgina.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
- - - - - - - > 'lsass.exe'(1116)
max++.00.x86 35670000 49152 \\74.117.114.86\max++.x86.dll
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - > 'explorer.exe'(3124)
max++.00.x86 35670000 49152 \\74.117.114.86\max++.x86.dll
Win32kDiag can remove this rootkit (depending on the variant) when launched with the command:
"%userprofile%\desktop\win32kdiag.exe" -f -r
Download links for Win32kDiag:
- http://ad13.geekstogo.com/Win32kDiag.exe
- http://download.bleepingcomputer.com/ro ... 2kDiag.exe
- http://rootrepeal.psikotick.com/Win32kDiag.exe
Example removal report:
Running from: C:\Documents and Settings\xxxx\My Documents\Downloads\Win32kDiag.exe
Log file at : C:\Documents and Settings\xxxx\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10E.tmp\ZAP10E.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\RegisteredPackages\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9b9c80e2f055ce97c0f0b65924ea9f29\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\Temp\9d43ab99-d1d5-457d-98df-f6da1f2e59ff\9d43ab99-d1d5-457d-98df-f6da1f2e59ff
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\beb9832c-8b0d-47f9-83c4-15d6e4748733\beb9832c-8b0d-47f9-83c4-15d6e4748733
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\WDM\COMMON\COMMON
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\WDM\LANG\LANG
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\WDM\WIN2K_XP\Data\Data
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\{49F609AE-FA37-4DAC-8736-5E373C4F8298}\{49F609AE-FA37-4DAC-8736-5E373C4F8298}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
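The Win32kDiag report above lists two kinds of findings: directories turned into mount points whose destination is the rootkit's `\Device\__max++>` object, and a system file it could not open, followed by the other copies of that file it found on disk with their size and version vendor. The script below is an added example, not part of the post or of Win32kDiag: it parses those line shapes, separates rootkit-backed mount points from ordinary ones, and flags an inaccessible file when the copy at that path has an empty vendor field or a size that matches none of the vendor-signed backup copies (a heuristic of this example). The sample lines are constructed from the page; the `C:\mnt\data` volume mount point is a made-up benign entry for contrast.

```python
import re

ROOTKIT_DEVICE = r"\Device\__max++>"

# Line shapes from the Win32kDiag report quoted above.
MOUNT = re.compile(r"^Found mount point\s*:\s*(?P<dir>.+?)\s*$")
DEST = re.compile(r"^Mount point destination\s*:\s*(?P<dest>.+?)\s*$")
CANNOT = re.compile(r"^Cannot access:\s*(?P<path>.+?)\s*$")
COPY = re.compile(r"^\[(?P<idx>\d+)\]\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<size>\d+)\s+"
                  r"(?P<path>.+?)\s+\((?P<vendor>[^)]*)\)\s*$")

# Constructed sample: lines taken from the report shape above plus one benign
# volume mount point (C:\mnt\data) invented here so the classifier has a negative case.
SAMPLE_WIN32KDIAG = [
    r"Searching 'C:\WINDOWS'...",
    r"Found mount point : C:\WINDOWS\addins\addins",
    r"Mount point destination : \Device\__max++>\^",
    r"Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\WDM\COMMON\COMMON",
    r"Mount point destination : \Device\__max++>\^",
    r"Found mount point : C:\mnt\data",
    r"Mount point destination : \??\Volume{00000000-0000-0000-0000-000000000000}",
    r"Cannot access: C:\WINDOWS\system32\eventlog.dll",
    r"[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)",
    r"[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)",
    r"[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()",
    r"[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)",
]


def parse_win32kdiag(lines, marker=ROOTKIT_DEVICE):
    """Split the report into rootkit mount points, other mount points and inaccessible files."""
    rootkit_dirs, other_dirs, inaccessible = [], [], {}
    pending_dir, current_file = None, None
    for line in lines:
        m = MOUNT.match(line)
        if m:
            pending_dir, current_file = m["dir"], None
            continue
        m = DEST.match(line)
        if m and pending_dir is not None:
            bucket = rootkit_dirs if m["dest"].startswith(marker) else other_dirs
            bucket.append((pending_dir, m["dest"]))
            pending_dir = None
            continue
        m = CANNOT.match(line)
        if m:
            current_file = m["path"]
            inaccessible[current_file] = []
            continue
        m = COPY.match(line)
        if m and current_file is not None:
            # The "[n]" lines that follow "Cannot access" are the other copies found on disk.
            inaccessible[current_file].append(
                {"path": m["path"], "size": int(m["size"]), "vendor": m["vendor"]})
    return {"rootkit_mount_points": rootkit_dirs,
            "other_mount_points": other_dirs,
            "inaccessible": inaccessible}


def suspect_copies(result):
    """Heuristic: flag an unreadable file whose on-disk copy lacks a vendor or differs in size
    from every vendor-signed backup copy of the same name (assumption of this example)."""
    flagged = []
    for target, copies in result["inaccessible"].items():
        name = target.rsplit("\\", 1)[-1].lower()
        same_name = [c for c in copies if c["path"].rsplit("\\", 1)[-1].lower() == name]
        reference_sizes = {c["size"] for c in same_name
                           if c["vendor"] and c["path"].lower() != target.lower()}
        for c in same_name:
            if c["path"].lower() == target.lower() and (
                    not c["vendor"] or c["size"] not in reference_sizes):
                flagged.append(c["path"])
    return flagged


if __name__ == "__main__":
    parsed = parse_win32kdiag(SAMPLE_WIN32KDIAG)
    print(len(parsed["rootkit_mount_points"]), "directories point at", ROOTKIT_DEVICE)
    print("files to restore from a clean copy:", suspect_copies(parsed))
```

Running it against the saved Win32kDiag.txt gives an inventory of every directory the rootkit redirected to its device and of the system files whose on-disk copy no longer matches the service-pack backups, which is the list to check again after the `-f -r` run.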
A few links in English about the beast (thanks angel):
http://forums.malwarebytes.org/index.ph ... opic=26706
http://www.security-forums.com/viewtopic.php?t=58106
http://trusteer.com/list-context/public ... click-time