Tuesday, July 28, 2009

The Best Freeware Tools to Detect and Remove the Conficker/Downadup/Kido worm

In my previous post I talked about how to manually clean and remove the Downadup worm. I wrote that article back in March 2009, when new variants of Downadup started to appear for which antivirus vendors hadn't yet developed definitions. However, since mid-April I haven't personally encountered any new or unique variants of Downadup. I did a quick evaluation of almost all the Conficker removal tools listed here:
http://isc.sans.org/diary.html?storyid=5860
The tests were made on infected live machines and networks. The results I found are:

The best downadup detection tool:

McAfee Conficker Detection Tool: http://www.mcafee.com/us/enterprise/confickertest.html
This program ROCKS! The only two products from McAfee that I would recommend every enterprise have are Secureweb and the McAfee Conficker Detection Tool.
The detection tool requires no installation, is very easy to use and is extremely fast. I have been using this tool since April, after McAfee fixed a bug in it. Every business I have recommended the tool to has highly praised it and loves it.

The best downadup removal tool:

I have found that the Kaspersky Kido Killer is the best so far. It requires no installation and no reboot for removal. It is very fast and effective. It has worked with the different variants I have come across offline. Sadly, when I tested the BitDefender Conficker removal tool (which I thought was good) on some machines, it did not successfully remove one of the variants, although it did detect it.

KK.exe has some neat command-line options: it not only removes the infection, it can also restore the Windows services that were disabled (it does not restore Windows Defender and the Security Center, though), restore the display of hidden system files, disable autorun, restore the SafeBoot keys, and more.

I commonly use the following command line:
kk.exe -j -a -x -l report.txt

Windows Defender and the Windows Security Center can then be restored with the following command lines:
sc config wscsvc start= auto
sc config winDefend start= auto
sc start wscsvc
sc start WinDefend


The worst tool I came across was the Symantec Downadup removal tool. It took over 6 hours scanning, and since I am impatient I gave up and had to abort it. I could not tell whether it actually detects or removes the worm.

Saturday, July 18, 2009

How to Manually Remove the Downadup/Conficker/Kido Worm

1. The quickest way to know if a Win 2k, 2k3, XP, Vista or 2k8 machine is infected, regardless of the Conficker variant (even if it is a user-mode rootkit; such a rootkit only hides the DLL file and its service key), is to run this command line:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netsvcs
I use a batch file to do this. Based on the results, you can then determine the randomly generated name of the infection's Windows service, e.g. abcde. It is usually found at the end of the list. If no randomly named service is listed, then most likely Conficker is not present. Note that the legitimate netsvcs list differs between Windows versions and service packs, so compare against a clean machine of the same version rather than against memory.

Another quick way to determine if Conficker exists is to run GMER. The quick scan that GMER runs at startup will show C:\windows\system32\svchost.exe as hidden, highlighted in red. In the end, though, you will still need to know the service name associated with Conficker by going through the netsvcs list.

2. End the svchost.exe process that hosts the service: use tasklist /svc to find the PID whose service list contains the random name, then run taskkill /F /PID <pid>.

3. Browse to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\abcde
You may not be able to view the contents of the key, since its permissions were removed by the infection.
Right-click the abcde key > Permissions > Add > Everyone > select Full Control > OK > F5 to refresh > go to the Parameters key and take note of the path of the DLL,
e.g. c:\windows\system32\wxyz.dll

4. Use fixpolicies.exe to reset the policies added by the worm, such as the one that disables viewing of system files.

5. Look for the DLL file in C:\windows\system32\
Right-click the DLL file > Properties > uncheck Read-only > OK > then delete the file. If the file cannot be deleted, try stopping the service first.
If you cannot find the file, use GMER and browse to the file from the Files tab, then use the Delete button on the right.

6. Use the following command-line to delete the service:
sc delete abcde

7. Reboot the computer

8. You can create a batch file to restore the following Windows services (ERSvc exists on XP/2003 and WerSvc on Vista/2008, so one of those two lines will report that the service does not exist; that is harmless):

sc config wscsvc start= auto
sc config winDefend start= auto
sc config wuauserv start= auto
sc config BITS start= auto
sc config ERSvc start= auto
sc config WerSvc start= auto
sc start wscsvc
sc start WinDefend
sc start wuauserv
sc start BITS
sc start ERSvc
sc start WerSvc


9. Finally, make sure the machine has the latest recommended updates from Microsoft:
http://windowsupdate.microsoft.com
The most important one is KB958644 (the MS08-067 patch), which closes the hole the worm uses to spread.
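The whole procedure above as one PowerShell script (steps 1 to 3 and 5 to 9; step 4, fixpolicies.exe, is an external tool and is still run by hand). This is an added example, not the batch file from the original post. It assumes an elevated PowerShell 2.0 or later prompt, that the Administrators group still owns the service key (so resetting its permissions works the same way the regedit step does), and the Windows versions named in step 1. It does not assume the service name: every netsvcs entry is checked for the two signs the post relies on, a service key that cannot be read and a ServiceDll that is not visible on disk. Without -Clean it only reports.

```powershell
param([switch]$Clean)   # without -Clean the script only reports what it finds

# Added example, not the original post's batch file. Assumes an elevated
# PowerShell 2.0+ prompt; the infected service name is not assumed.
$hklm    = [Microsoft.Win32.Registry]::LocalMachine
$netsvcs = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost').netsvcs

# Step 1: walk the netsvcs list and flag entries that show either sign of the worm.
function Get-SuspectNetsvcs {
    foreach ($name in $netsvcs) {
        $reason = $null; $dll = $null
        try {
            $key = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\$name")
            if ($key -ne $null) {                 # $null = listed but never installed (normal on XP)
                $p = $key.OpenSubKey('Parameters')
                if ($p -ne $null) { $dll = [string]$p.GetValue('ServiceDll'); $p.Close() }  # REG_EXPAND_SZ is expanded
                $key.Close()
                if ($dll -and -not (Test-Path -LiteralPath $dll)) {
                    $reason = "ServiceDll not visible on disk (hidden or deleted): $dll"
                }
            }
        } catch [System.Security.SecurityException] {
            $reason = 'service key cannot be read (permissions stripped by the worm)'
        } catch {
            $reason = "error while inspecting key: $($_.Exception.Message)"
        }
        if ($reason) { New-Object PSObject -Property @{ Service = $name; Dll = $dll; Reason = $reason } }
    }
}

function Remove-NetsvcsService([string]$Name, [string]$Dll) {
    # Step 2: kill the svchost.exe hosting the service (what tasklist /svc shows).
    $rows = tasklist /svc /fo csv | ConvertFrom-Csv | Where-Object { ($_.Services -split ',') -contains $Name }
    foreach ($r in $rows) { taskkill /F /PID $r.PID | Out-Null }

    # Step 3: give Everyone full control of the key, as done in regedit above. Only
    # WRITE_DAC (ChangePermissions) is requested, so this works even when the key
    # cannot be read; it relies on Administrators still owning the key.
    $rk = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\$Name",
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $sec  = New-Object System.Security.AccessControl.RegistrySecurity
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList 'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $sec.AddAccessRule($rule)
    $rk.SetAccessControl($sec)
    $rk.Close()
    if (-not $Dll) {   # key is readable now: take note of the DLL path from Parameters
        $Dll = [string](Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    }

    # Step 5: clear the attributes and delete the DLL. A DLL hidden by the rootkit
    # will not be visible here; delete it from GMER's Files tab as described above.
    if ($Dll -and (Test-Path -LiteralPath $Dll)) {
        attrib -r -s -h $Dll
        Remove-Item -LiteralPath $Dll -Force
    } else {
        Write-Warning "DLL for $Name not visible ($Dll): delete it with GMER's file browser"
    }

    # Step 6: delete the service. 'sc' is an alias for Set-Content in PowerShell, so call sc.exe.
    sc.exe delete $Name | Out-Null
}

# Step 8: re-enable the services the worm disables. ERSvc exists on XP/2003 and
# WerSvc on Vista/2008, so one of the pair will report that it does not exist.
function Restore-DisabledServices {
    foreach ($s in 'wscsvc', 'WinDefend', 'wuauserv', 'BITS', 'ERSvc', 'WerSvc') {
        sc.exe config $s start= auto | Out-Null
        sc.exe start $s | Out-Null
    }
}

$suspects = @(Get-SuspectNetsvcs)
if (-not $suspects) { Write-Host 'No suspicious netsvcs entries found.'; exit 0 }
$suspects | Format-Table Service, Reason, Dll -AutoSize
if ($Clean) {
    foreach ($s in $suspects) { Remove-NetsvcsService $s.Service $s.Dll }
    Restore-DisabledServices
    Write-Host 'Done. Run fixpolicies.exe (step 4), reboot (step 7) and install KB958644 (step 9).'
}
```

Save it as, for example, conficker-triage.ps1 and run .\conficker-triage.ps1 first to see the report; only then rerun it with -Clean. Review the report before cleaning: an entry whose DLL is simply missing after a half-finished manual cleanup will be flagged too, and deleting a legitimate service key is not reversible without a backup.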


A. Elshafei

Saturday, July 11, 2009

Detecting and Removing Rootkits in a Nutshell

** FOR HJT HELPERS


Categorizing the rootkit detection and removal methods is solely based on my personal opinion. I will appreciate any feedback or reports of inaccuracies or fallacies found in this article:

abuibrahim0 AT gmail DOT com


Important guidelines to follow before removing a rootkit, if one is found on a machine:

1. Backup all important data, emails, documents, etc.

- This is just a safety measure. Removing a rootkit can cause system instability, and anti-rootkit software may sometimes remove a system file along with the rootkit. This step is particularly important when using automatic tools for rootkit detection and removal.

2. Disconnect from the internet

3. Close down all scheduled/updating and other running background tasks

4. Disable real-time monitoring programs

5. When scanning for a rootkit, do not use the computer at all

6. Use 2 or more rootkit scanners

- Never rely on the results of one anti-rootkit program. Rootkits use different hiding techniques, and no single anti-rootkit tool can detect all of them.


Methods of Detecting and Removing Rootkits:

1. Automatic Detection and Removal

2. Semi-automatic Detection and Removal

3. Manual Detection and Removal

4. Advanced Detection and Removal


1) Automatic Detection and Removal:

Tools that automate the process of detecting and removing rootkits. Minimal skill is required to use them.

Examples:

1. F-secure online scan: http://support.f-secure.com/enu/home/ols.shtml

2. AVG antirootkit

3. Trend-micro Rootkit Buster

4. Panda Antirootkit

5. Avira Antirootkit

6. Mcafee Rootkit Detective

7. Sophos Antirootkit


Disadvantages of using these automated tools:

1. Highly unstable software. I used one once at the rootkit revelations forum and it destroyed Windows beyond repair.

2. Highly unpredictable: they sometimes report that they removed a rootkit when they actually did nothing.

3. Highly unreliable: they cannot find rootkits that use newer techniques.


The automatic tools are good, though, if you are removing the most popular or classic rootkits such as pe386.


2) Semi-automatic Detection and Removal:

- For more experienced users

- You will need to distinguish rootkits from false positives

- Such tools highlight entries that are predicted to be rootkits. For example, IceSword and GMER highlight services and processes that are rootkits; RKUnhooker tags what is hidden.

Examples:

1. GMER

2. Icesword

3. Rootkit Unhooker

4. Darkspy

5. SVV

6. VICE

7. RootRepeal


Detection and removal differ for two kinds of rootkit:

1. Rootkits that use drivers (more common):

- Two important indicators: a hidden service, and the rootkit's files.

Rootkit files can be found in the process list (e.g. IceSword), the SSDT list (e.g. IceSword), a rootkit file scan (e.g. GMER), rootkit file browsing (e.g. DarkSpy), or from the service's ImagePath in the registry.

- Rootkit Removal steps:

Step1: Stop or Disable Service

Step2: End executable process(s)

Step3: Delete service and related files
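As an added illustration of the first indicator (a hidden service), and not something from the original post: a PowerShell 2.0 or later cross-view check that compares the service list the Service Control Manager reports against the keys readable under HKLM\SYSTEM\CurrentControlSet\Services and prints every name present in one view but not the other. It assumes an elevated prompt. It is a first pass only: a kernel rootkit that filters both registry and SCM enumeration will not show up, and every hit still has to be confirmed with the tools listed above.

```powershell
# Added example, not from the original post: cross-view check for hidden services.
# Assumes PowerShell 2.0+ run as administrator.
function Get-ServiceViewDiff {
    # View 1: the registry. Keys without a Type value (WinSock2, event log subkeys, ...)
    # are not services. A key whose ACL was stripped simply does not appear here.
    $regNames = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('Type') -ne $null } |
        ForEach-Object { $_.PSChildName }

    # View 2: the Service Control Manager (Win32 services plus kernel/file-system drivers).
    $scmNames = @(Get-Service | ForEach-Object { $_.Name }) +
                @(Get-WmiObject Win32_SystemDriver | ForEach-Object { $_.Name })

    # Anything in only one view is worth a look. SCM-only names (the SCM knows a
    # service whose key cannot be read or enumerated) are the suspicious side;
    # registry-only names are usually leftover keys and become SCM-visible after a reboot.
    Compare-Object ($regNames | Sort-Object -Unique) ($scmNames | Sort-Object -Unique) |
        ForEach-Object {
            $where = if ($_.SideIndicator -eq '=>') {
                'SCM only: registered service with no readable key (suspicious)'
            } else {
                'registry only: key not known to the SCM (usually a leftover; verify with GMER/IceSword)'
            }
            New-Object PSObject -Property @{ Name = $_.InputObject; Where = $where }
        }
}

Get-ServiceViewDiff | Format-Table Name, Where -AutoSize
```

Run it before and after a reboot: a key that was only just created legitimately moves from "registry only" to neither list, while a service the SCM keeps reporting without a readable key is the case the removal steps above apply to.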


2. Rootkits that use inline hooking or DLL hooking, such as Vanquish (less common):

- One important indicator: the presence of a DLL file.

The DLL file can be found in two ways: a "Code Hook" scan using RKUnhooker (recommended), or a full file scan using GMER or any other anti-rootkit tool.

Note: GMER and IceSword do not automatically find this kind of rootkit. Only when a full file scan or rootkit file browsing is performed may some hidden files appear.

- Removal steps:

Step1: perform "Code Hook" scan using RKunhooker

Step2: highlight all entries related to culprit dll file and click 'unhook selected'

Step3: End executable related process(s) if applicable (ex. vanquish.exe)

Step4: Delete dll and related files


3) Manual Detection and Removal:

- Manual detection tools:

1. RootkitRevealer

2. Rootkit Hook Analyzer

3. Sysprot


For how to tell whether a rootkit is present from the RootkitRevealer results:

http://abuibrahim12.blogspot.com/2009/07/does-my-rootkitrevealer-log-show.html

To learn how to interpret RootkitRevealer logs:

http://forum.sysinternals.com/forum_posts.asp?TID=2408&PN=1


- Manual removal methods:

1. Manually deleting files in safe mode

- provided that the rootkit does not use the SafeBoot keys to stay hidden in safe mode as well

2. Command-line (DOS) commands

- may or may not work. HackerDefender can be completely deactivated and cleaned up with this method, using commands such as the following (RKservice and RKregpath stand for the rootkit's service name and registry key path):

sc stop RKservice

sc delete RKservice

net stop RKservice

reg delete RKregpath

3. Manual Removal Tools

Example:

- Delete on reboot using killbox

- Avenger

- Combofix


In ComboFix the rootkit:: directive is not always needed. I found that file::, driver:: and killall:: are enough for most rootkits I have encountered.


4) Advanced Detection and Removal:

1. Slaving the hard drive to another computer and performing a normal antivirus scan

2. Using a bootable CD-ROM such as BartPE or UBCD4Win

3. Offline file comparisons: http://abuibrahim12.blogspot.com/2009/07/detecting-rootkits-in-windows.html


MBR Rootkits:

- Detection: see http://www2.gmer.net/mbr/

As you can observe there, the presence of the phrase "\Device\Harddisk0\DR0" anywhere in a GMER log is an indication of an MBR rootkit regardless of its variant. However, you may need to verify first that the changes to the MBR were not made by a legitimate application such as Acronis.

- Removal:

1. Windows Recovery Console:

Windows XP/2k: fixmbr

Windows Vista: bootrec.exe /fixmbr

2. Stealth MBR rootkit detector 0.2.2 by Gmer:

http://www2.gmer.net/mbr/mbr.exe

3. ESET Mebroot Remover:

http://www.eset.cz/download/emebremover



Recommended readings:

http://www.securityfocus.com/infocus/1850

http://safecomputing.umn.edu/guides/scan_unhackme.html

http://www.5starsupport.com/tutorial/rootkits.htm

http://www.microsoft.com/technet/sysinternals/utilities/rootkitrevealer.html



A. Elshafei

Tuesday, July 7, 2009

Guidelines Before Responding to Hijackthis Logs


** FOR HJT HELPERS ONLY **

When replying to a HijackThis log, whether it is a practice log or a live log, you will need to take the following actions in order:


1. First, make sure that the HJT log was not posted as an attachment. Do not open the log attachment. Ask the OP to copy and paste the log file into a new post. A lot of forums have policies that OPs should post the contents of the log file and not attach files unless requested to do so.


2. If the user posted an unreadable log or one with spaces between the entries, have them rescan with HijackThis and, when Notepad opens, go to "Format" and uncheck "Word Wrap." Otherwise the helpers waste a lot of time reading the log file.


3. Make sure:

- that the HijackThis version used is the latest

- the log file is not cut off (incomplete log)

- HijackThis is not running from a temporary folder

- the date stamp of the log file is not more than a week old; otherwise ask the OP to post an updated log file

- the OP is authorized to remove files from the company PC

- the OP is not being helped at another forum with the same log


4. Do not assist the OP at all if P2P programs are found in the log or mentioned anywhere by the OP. Request that the OP remove all P2P programs before proceeding with the cleanup or giving any further instructions.


5. If there are any hints in the OP's posts or log, or any doubt that the OP may not be using a legitimate Windows copy, ask the OP to download and run the MGA Diagnostic tool from Microsoft to verify that the Windows copy is valid. The tool can be downloaded from here:

http://download.microsoft.com/download/7/B/1/7B1C3ADA-723B-4CC8-8949-7250397FA9CD/MGADiag.exe

If the Windows copy is not legitimate, the thread should be locked immediately. The thread will also be locked if the OP has any cracks or warez for any other commercial software.

Hints of a non-legitimate copy could be: the wgatray.exe process is running, or the OP has a very old service pack, like XP with no SP, XP SP1, Vista with no SP, or Windows 2000 SP3. However, XP SP3 is relatively new, so an OP with only XP SP2 should not raise an alarm.


6. If two or more antivirus programs are found, ask the OP to uninstall all but one. Two antivirus programs are enough to make the computer unusable. Ask the OP to do so before, or within the same post as, the malware removal instructions.


7. If the OP is infected with malware, it is good practice to double-check whether the malware is a backdoor or password stealer. In that case you will have to inform the OP about the compromise and advise them to change passwords, contact their banks, etc.

For more information about this, please see:

http://spywarehammer.com/simplemachinesforum/index.php?topic=3251.msg8988;boardseen#new


8. If there is no firewall or antivirus and the OP does not have a serious infection, ask the OP to download, install, update and scan with an antivirus before you post any removal instructions. However, if the OP has a worm, a virus, a backdoor, a malicious keylogger, a bot, or an unknown malware that uses a service, it is better to install the antivirus after removing the malware. Viruses in particular are known to disrupt, infect or delete antivirus software, especially one that has only just been installed.


9. If the OP has any of the protection programs listed here, ask the OP to temporarily disable the real-time protection tools when you provide instructions for malware removal. Once the malware is removed, remember to have them re-enable the protection tools. An exception is when the malware removal procedure is done in safe mode.


10. Once all of the above is cleared, you can post removal instructions in whatever form is applicable: online scans, manually deleting files, HijackThis fixes, ComboFix, etc.