After 10 years, my box is finally rooted


|DRC| Wartex | Saturday, April 3 2010, 12:53:37 | #42929 | After 10 years, my box is finally rooted


After 10 years of having no viruses and no antiviruses, my PC has finally been owned. And it's been owned fucking hard. I was surfing the net with JavaScript and Flash off in Firefox, visited my regular website and BAM, owned!

One of the ads was served via an IFRAME with a Java applet. The virus is a rootkit that uses a buffer overflow in the JRE and then infects several programs (winlogon and whatever is in the registry autorun). Once it runs, it locks several executables at the same time so you can't delete them or kill a process, and they check on each other very often. The rootkit is made of many, many parts. The orchestrator is a .sys file that is installed as a device driver; it damages most antivirus executables. Once the virus infects several programs, it downloads the body of Antivirus 2010, which is malware (a fake antivirus), and changes the Open command for .exe files to invoke the GUI every time ANYTHING runs.

Did I mention, if you try to damage it in some way, it severely restricts your rights: no registry editing, no gpedit.msc, and you can't run anything. All virus parts have dynamic size, all UPX compressed. The loader is written in assembler and the rest in Visual Studio C++. It also hides registry branches.

All virus processes are hidden from Process Explorer. I booted from a different OS, but unfortunately it had Skype in autorun and it fucked the 2nd OS (Win7 x64), but not as bad. I managed to install Kaspersky via the "repair" option and remove almost everything rootkit-wise, and everything malware-wise using Malwarebytes' Anti-Malware....

But... there is another driver somewhere that no antivirus sees, and it's in the TCP/IP stack. The moment you plug in the network cable, you can see the rootkit being downloaded, and then the rootkit downloads the rest of the malware.

The hosts file is also edited (127.0.0.1 = brenz.pl), and the rootkit restricts internet access for anything but itself. It also uses the Chinese QQ2010 messenger protocol for command and control.

If I ever trace the fucker who controls it, I will buy a ticket there (I know he is in Romania) and fucking put a sledgehammer thru his skull.

The battle continues. I will NOT reinstall the OS.
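Two of the tricks Wartex describes above leave artefacts you can check from a clean machine: the edited hosts file (127.0.0.1 = brenz.pl) and the hijacked "Open" command for .exe files, which is the HKEY_CLASSES_ROOT\exefile\shell\open\command registry value and is what makes the fake AV's GUI come up every time anything runs. The following is an added example, not Wartex's code or tooling: it parses a copied hosts file and a `reg export` of that key as plain text, so it runs on any OS. The hosts entries other than brenz.pl, the `av.exe` path and the `user` profile name are constructed for the example.

```python
"""Offline triage for two of the tricks described in the post above: a hosts
file that sinkholes or redirects domains, and a hijacked "Open" verb for .exe
files (HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command), which makes the fake
AV run every time any program starts. Both checks work on text copied off the
infected box (the hosts file, and a `reg export` of the key), so they run on
any OS. The sample inputs below are constructed for this example."""

# Default data of HKCR\exefile\shell\open\command on a clean Windows install.
DEFAULT_EXE_OPEN_COMMAND = '"%1" %*'
EXE_OPEN_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK_IPS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed hosts file. brenz.pl is the entry the post mentions;
# update.example.com is a hypothetical redirect added to show the second case.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       brenz.pl
10.0.0.5        update.example.com    # hypothetical
"""

# Constructed `reg export` of the exefile Open verb after a hijack; the av.exe
# path and the "user" profile are hypothetical. .reg files escape backslashes
# and double quotes with a backslash.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\av.exe\" \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; one hosts line may list several names."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def suspicious_hosts_entries(text):
    """Flag every non-local name: pinned to loopback it is sinkholed (the
    classic way to block AV and update sites), otherwise it is redirected."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        kind = "sinkholed" if ip in LOOPBACK_IPS else "redirected"
        findings.append((name, ip, kind))
    return findings


def _reg_unescape(raw):
    # Undo .reg string escaping: a backslash escapes the next character.
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def reg_default_value(reg_text, key):
    """Return the unescaped default value (@) of `key` from a .reg export,
    or None if the key or its default value is absent."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
        elif in_key and line.startswith('@="') and line.endswith('"'):
            return _reg_unescape(line[3:-1])
    return None


def exe_open_command_hijacked(command):
    """True if the Open verb no longer simply runs the program itself."""
    return command is None or command.strip() != DEFAULT_EXE_OPEN_COMMAND


if __name__ == "__main__":
    for name, ip, kind in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip} ({kind})")
    cmd = reg_default_value(SAMPLE_REG, EXE_OPEN_KEY)
    state = "HIJACKED" if exe_open_command_hijacked(cmd) else "ok"
    print(f"exe Open verb: {cmd} [{state}]")
```

On a real box the equivalent is `type %SystemRoot%\system32\drivers\etc\hosts` and `reg export HKCR\exefile\shell\open\command exefile.reg` run from the clean OS (or a rescue boot), since, as the post notes, the rootkit hides registry branches from tools run on the infected install. A hijacked Open verb has to be restored to `"%1" %*` before anything else, otherwise every cleanup tool you launch reruns the malware first.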
|DRC| Death | Saturday, April 3 2010, 15:45:37 | #42930


|DRC| Wartex wrote:
If I ever trace the fucker who controls it, I will buy a ticket there (I know he is in Romania) and fucking put a sledgehammer thru his skull.


LOL. How did you manage to stay 10 years virus-free without any anti-virus software?

When you say trace the owner, can you trace his home address from an IP? In fact, can you trace my address from anything you can see in the CP? (curious)
|DRC| Zyprexa | Saturday, April 3 2010, 16:04:10 | #42931


hey bud, what's the name of this rootkit? is it a known issue?
how are you going to go about getting rid of the rootkit?
|DRC| Wartex | Saturday, April 3 2010, 21:49:18 | #42932


The rootkit is (I assume) based on Metasploit, with some custom modules. It's part of a huge botnet (100k nodes, hundreds of domains hosting the virus). The software is called "Antivirus 2010" and is basically a fake antivirus; it's called "extortionware". It creates a popup that shows you have a ton of viruses and demands that you pay to "fix the problem". It pops up every 10 seconds or more often.

It's very common and is widespread as fuck, esp. via Facebook/MySpace and sometimes Google AdSense. It's very well designed and totally fucks up your machine on the deepest level, very resilient to deletion and hides extremely well. Most antiviruses are useless against it; that's why I'm trying to remove it manually.

Whoever is installing the fake antivirus is a customer of the dude who wrote the rootkit, because when I crippled it, it changed attack tactics several times; it looks like a "rented" botnet. At some point I thought it was no longer automated, because too much shit was being changed as I removed various modules of the virus. The bot baron is probably getting an IM or SMS when a new PC is infected, and then if he sees the attack fails, he manually tries to change shit/reinfect.

Death: I can see your IP addy right above posts. I can potentially contact your ISP, send a fake court order and demand to reveal your account info. That of course is illegal but very plausible.

The reason I know the rootkit is Romanian is that there are text strings in the binary code that reveal the dude's Windows username, first name and language settings. It's probably controlled via a ton of proxies, sometimes a chain of IRC servers, or even a distributed network where bots "poll" other bots for commands from the "baron". The rootkit was titled "project1" in Visual Studio, so I assume it was a moron modifying an existing bot for his needs.

The worst part is people who write this shit usually make a fucking killing off idiots who pay; some convicted botnet operators admitted to making 700 grand USD a MONTH just running spam from infected PCs for pennies per email.

2 major spammers were killed in Russia: one was shot and another dude's skull was caved in with an iron. When the 2nd dude was killed, national traffic went down by 25%. Think about it.
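Wartex says the binary's embedded text strings gave away the author's Windows username, language settings and the Visual Studio project name ("project1"). The usual source of that is build residue: a user-profile path and a CodeView .pdb path that the compiler leaves in the executable, plus locale tags. The block below is an added example, not Wartex's code, showing that string-extraction step on a constructed byte sample: it pulls ASCII and UTF-16LE strings (Windows binaries carry both) and pattern-matches the attribution hints. The fake MZ stub, the username "user1", the `Visual Studio 2008\Projects\project1` path and the locale are invented for the example.

```python
"""Extract printable strings (ASCII and UTF-16LE) from a sample and look for
the build artefacts that leak who compiled it: a user-profile path (embeds the
Windows username), an embedded .pdb path (Visual Studio names it after the
project, e.g. project1.pdb) and locale tags. The sample bytes are constructed
here; the username "user1", the path and the MZ stub are invented."""
import re

SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\xcc" * 6              # fake header + padding
    + b"C:\\Documents and Settings\\user1\\My Documents\\Visual Studio 2008"
    + b"\\Projects\\project1\\Release\\project1.pdb\x00"     # CodeView PDB path
    + b"\x00\x00\x17\x41"                                     # junk bytes
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\xff\xfe"
    + b"en-US\x00"                                            # locale tag
)

# A profile path looks like C:\Documents and Settings\<user>\... (XP) or
# C:\Users\<user>\... (Vista and later).
PROFILE_RE = re.compile(r"\\(?:Documents and Settings|Users)\\([^\\]+)\\", re.I)
PDB_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.pdb\b', re.I)
LOCALE_RE = re.compile(r"^[a-z]{2}-[A-Z]{2}$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)


def ascii_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16le_strings(data, min_len=4):
    """Runs of printable UTF-16LE (ASCII char followed by a NUL byte)."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


def attribution_hints(data, min_len=4):
    """Collect usernames, .pdb paths, project names, locales and autorun
    registry paths found in the sample's strings."""
    hints = {"usernames": set(), "pdb_paths": set(), "project_names": set(),
             "locales": set(), "run_keys": set()}
    for s in ascii_strings(data, min_len) + utf16le_strings(data, min_len):
        for m in PROFILE_RE.finditer(s):
            hints["usernames"].add(m.group(1))
        for m in PDB_RE.finditer(s):
            hints["pdb_paths"].add(m.group())
            # Visual Studio names the .pdb after the project (project1.pdb).
            hints["project_names"].add(m.group().rsplit("\\", 1)[-1][:-4])
        if LOCALE_RE.match(s):
            hints["locales"].add(s)
        if RUN_KEY_RE.search(s):
            hints["run_keys"].add(s)
    return hints


if __name__ == "__main__":
    for key, values in attribution_hints(SAMPLE_BINARY).items():
        print(f"{key}: {sorted(values)}")
```

On a real sample the strings only appear after unpacking (the post notes every part is UPX compressed), so run the extraction on the unpacked image or a memory dump of the running process, not the packed file on disk.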
|DRC| Dwel13R | Tuesday, April 6 2010, 09:48:26 | #42933 | Re: After 10 years, my box is finally rooted


|DRC| Wartex wrote:
I will NOT reinstall the OS.


which was that?

I have not used an anti-virus for years. I've fixed other people's problems with ComboFix from bleepingcomputer, NOT combofix.org, and SuperAntiSpyware. There is another one I used too, I think it was Stinger? Hell, I forget.