Malware Risk - April 20th (Flash/Java)

Technical Support
We're now seeing a new version of a rootkit/trojan combo we've been successfully fighting for 4 1/2 months.

This new version is totally different from the previous versions. The tools we use are 100% ineffective against this thing. Malwarebytes & Combofix staff have given up as everything they throw at it gets laughed off.

The only way to remove this thing is to reformat your hard drive, losing absolutely everything on the drive in the process.

We don't know the infection route, so to minimize the risk of getting infected with this thing, PLEASE make sure everything is updated and practice safe habits while surfing the Internet.

Java:
www.java.com

Adobe:
http://get.adobe.com/reader/

Flash:
http://get.adobe.com/flashplayer/

Shockwave Player
http://get.adobe.com/shockwave/


I HIGHLY recommend running this web app from Secunia:
http://secunia.com/vulnerability_scanning/online/

It'll tell you any program that's out of date, which can cause security vulnerabilities that can cause you to get infected with malware.
What are the detection methods? Please provide some links.
The only way we're catching it is with certain 132 errors. Some variants of the root kit are easily killed. The case we ran into this morning is the second infection that could not be cleaned.
________________________________________________
Unofficial WoW Tech Support Pages
http://www.wowpedia.org/Portal:Technical_support
Live Support Chat
irc://chat.freenode.net/wowtech
http://webchat.freenode.net/?channels=wowtech
Any links you can provide, to other forums, or identifying characteristics (autoruns/process explorer/gmer/rootrepeal/something) would be greatly appreciated.
That's just it. The standard tools do not catch it right now. We've thrown RKill, Combofix, Sophos, GMER, and a few other tools at it, and it just laughs at the attempt.

We've restored known infection points from originals, and the bug laughs as it reinfects the file. When you run the root kit tools, they sail through without a hitch and the bug remains hidden.

Remember, this thing is written in a manner so that it tries VERY hard to remain hidden and undetected (hence the name root kit).

Here's an example from Malwarebytes. It's but one symptom that let the user know something was wrong.

http://forums.malwarebytes.org/index.php?showtopic=81966

Again, the only way we've been catching it is with certain 132 errors. And it should be noted, just because you get a 132 error, it doesn't mean you've caught this particular bug.

I've seen a volsnap rootkit infection on Windows XP, about 6-7 days ago; may or may not be the same one. It was a Tidserv variant with the same symptoms (random sounds, etc.) in your link. We were able to unhook its exec using RootRepeal then destroy it with TDSSKiller, however TDSSKiller couldn't see it until it was unhooked.

Another option would be to boot to Ubuntu from a CD and troubleshoot from there.

Of course, formatting is always the safest route.

It'd be interesting to get my hands on a copy of this for testing purposes...
That's the one... It's mutated again. Even restoring volsnap.sys from the cab files doesn't work any longer.
04/20/2011 10:12 AM Posted by Yoshimeti
it'd be interesting to get my hands on a copy of this for testing purposes...


IRC details are in Drez's signature. That's where the regulars gather to take care of all these rootkits. Come say "Oh hai" to Shaellawen.

As for getting your hands on it? I'm not sure if they've even managed to catch it yet. Only see the effects of it, like the ripples of a great shark passing you by.
________________________________________________
Bringing you walls of text and cookies since 2005 :)

Mac Tech Support MVP (moonlights in other forums)
Here to Help :)
04/20/2011 10:19 AM Posted by Bluspacecow
it'd be interesting to get my hands on a copy of this for testing purposes...


IRC details are in Drez's signature. That's where the regulars gather to take care of all these rootkits. Come say "Oh hai" to Shaellawen.

As for getting your hands on it? I'm not sure if they've even managed to catch it yet. Only see the effects of it, like the ripples of a great shark passing you by.


We attempted getting 2 different versions. Turns out both versions played with file pointers, and so the volsnap.sys files uploaded to Shae's site were both clean. :\
2 users now with this new version.

1 from Italy
1 from Canada
Suspect we have number 3 from Sweden. >.<
Some blue attention/sticky would be appreciated.

We're working our collective cans off to try & kill this. Please spread the word and update your stuff.

__________________________________________________________________________________
FIXING-Disconnections, Lag, Log-In Issues
Connection/Latency Issues
Just see my mega-thread
http://us.battle.net/wow/en/forum/topic/1020824261

Unofficial WoW Tech Support Pages
http://www.wowpedia.org/Portal:Technical_support

Live Support Chat
irc://chat.freenode.net/wowtech
http://webchat.freenode.net/?channels=wowtech
04/20/2011 10:13 AM Posted by Drezbek
That's the one... It's mutated again. Even restoring volsnap.sys from the cab files doesn't work any longer.


04/20/2011 10:22 AM Posted by Ressie
We attempted getting 2 different versions. Turns out both versions played with file pointers, and so the volsnap.sys files uploaded to Shae's site were both clean. :\

Hmm.... Could this be the loophole we need? If I'm correct in thinking that "clean" means the original file, we could use this technique to recover the original volsnap.sys, then restore it under a clean environment.
________________________________________________
The Cataclysm has just begun...
Suspect we have number 3 from Sweden. >.<


Confirmed.

We managed to get the trojan off the user's system, and sent it on to Blizz in a pw-protected rar file; however the rootkits (there are multiple rootkits this time round) make it impossible to remove right now.
________________________________________________
Technical Support MVP
For live support, http://webchat.freenode.net/?channels=wowtech
04/20/2011 05:20 PM Posted by Ressie
We managed to get the trojan off the user's system, and sent it on to Blizz in a pw-protected rar file; however the rootkits (there are multiple rootkits this time round) make it impossible to remove right now.


Progress ! :D

I meanwhile need to get to the library before I collapse from exhaustion (feeling a bit crook so had no sleep :( )
04/20/2011 04:46 PM Posted by Starmaged
Hmm.... Could this be the loophole we need? If I'm correct in thinking that "clean" means the original file, we could use this technique to recover the original volsnap.sys, then restore it under a clean environment.


Won't work. Only method to get rid of it right now is to nuke and pave. Do your 3 Rs. (Reformat, Repartition, Reinstall)
Ressie, Drezbek, Drunkinhik, Starmaged

Have you identified anything in the crash logs users can see that would suggest they're affected by this and not something else?

____________________________________________________________
Account and Technical Services
Mon-Fri 12pm-8pm
Feel free to rate my services at the following link: https://www.surveymk.com/s/T8S7BX2

"Winter is coming....."
132 Execute Error

0x00200246 (points to unknown) - Bootkit
0xXXXXXXXX (points to World of Warcraft) - malware / probable bootkit
0xXXXXXXXX (points to unknown, followed by Battle.net.dll) - malware / probable bootkit

132 Could not read:

0x00000246 (points to World of Warcraft) - Bootkit.
0x00000397 (points to unknown then Battle.net.dll) - Bootkit.
0x000003CB (points to unknown then Battle.net.dll) - Bootkit.
ANYTHING (points to unknown then Battle.net.dll) - malware / probable bootkit
ANYTHING (points to Battle.net.dll) - malware / possible bootkit

Instruction matches referenced memory - malware / possible bootkit


ERROR #0 (0x85100000) Assertion Failure
Malware. Most likely our little friend the bootkit.
