The consrv.dll infection has picked up a partner recently. There is now a service that is paired with both the 32- and 64-bit versions of ZeroAccess (zaccess). On 64-bit we can already spot the infection just by searching for the DLL via the Start menu; now we can also verify it with TDSSKiller.
As always, this is the time to create a system restore point. Do not continue without one.
Open the registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\Select.
Look for the value "Default" (not the "(Default)" entry at the top of the list). Its data tells us which control set will be loaded the next time Windows boots. The "Current" value tells us which control set is loaded right now. In my case ControlSet002 is current (this differs from PC to PC). The rootkit watches the current control set and reverts any change made to it, so ControlSet002 cannot be modified; I have to modify one of the others. If ControlSet002 is loaded, modify ControlSet001 or ControlSet003; if ControlSet001 is loaded, modify ControlSet002 or ControlSet003, and so on.
We will now navigate to (substitute whichever non-current control set you picked; ControlSet003 is mine):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\SubSystems
The value that we are interested in here is the "Windows" value. It may or may not be modified. Here is what the data looks like with an active infection:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
The key should look like this when it is clean:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
We are particularly interested in the ServerDll entries. Notice that the order of the ServerDll entries (ignoring the other data) is: basesrv, winsrv, consrv, sxssrv. We want to change it back to the default, which is: basesrv, winsrv, winsrv, sxssrv. In other words, replace ServerDll=consrv:ConServerDllInitialization,2 with ServerDll=winsrv:ConServerDllInitialization,2 and leave the rest of the string exactly as it is. Once you have changed the data, click OK and then press F5 to refresh your view of the registry. Open the value again to make sure the rootkit did not change it back. If it did, try another control set such as ControlSet001. If your change stuck, we can refer to this control set as "fixed"; go back to HKEY_LOCAL_MACHINE\SYSTEM\Select and change the "Default" value's data to match the fixed control set. Mine is ControlSet003, so my "Default" data becomes 3.
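As an added example (not part of the original post, and not TDSSKiller's code), here is the same control-set check and SubSystems repair as a script for an elevated Windows PowerShell prompt. The key paths and value names are the ones from the text; the logic for picking a non-current control set, re-reading the value to detect a revert, and falling through to the next set is the script's own.

```powershell
# Added example, not from the original post: automate the control-set
# inspection and SubSystems repair described above. Run from an elevated
# Windows PowerShell prompt on the infected machine.

# Restore point first, as the post advises (Checkpoint-Computer is a
# Windows PowerShell cmdlet; it is not available in PowerShell 7).
Checkpoint-Computer -Description 'Before ZeroAccess consrv cleanup'

$infected = 'ServerDll=consrv:ConServerDllInitialization,2'
$clean    = 'ServerDll=winsrv:ConServerDllInitialization,2'

$select  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$current = [int]$select.Current     # control set loaded right now
$default = [int]$select.Default     # control set loaded on next boot
'Current = ControlSet{0:D3}, Default = ControlSet{1:D3}' -f $current, $default

# Every ControlSetNNN key except the live one; the rootkit reverts changes
# to the live set, so only the others are candidates for the fix.
$candidates = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    Where-Object { [int]$_.PSChildName.Substring(10) -ne $current }

$fixedSet = $null
foreach ($cs in $candidates) {
    $name = $cs.PSChildName
    $key  = "HKLM:\SYSTEM\$name\Control\Session Manager\SubSystems"
    if (-not (Test-Path -Path $key)) { continue }
    $data = (Get-ItemProperty -Path $key -Name Windows).Windows

    if ($data -notlike "*$infected*") {
        "${name}: Windows value is clean"
        $fixedSet = $name
        break
    }

    "${name}: infected -> $data"
    # Only the consrv entry changes; everything else in the string stays.
    $repaired = $data.Replace($infected, $clean)
    Set-ItemProperty -Path $key -Name Windows -Value $repaired -Type ExpandString

    # Re-read the value (the scripted equivalent of pressing F5 and
    # reopening it) to make sure the rootkit did not put consrv back.
    $check = (Get-ItemProperty -Path $key -Name Windows).Windows
    if ($check -eq $repaired) {
        "${name}: repaired and verified"
        $fixedSet = $name
        break
    }
    "${name}: change was reverted, trying the next control set"
}

if ($null -eq $fixedSet) {
    Write-Warning 'No control set could be repaired; fall back to the manual steps.'
} else {
    # Point Select\Default at the fixed set so it is loaded on the next boot.
    $n = [int]$fixedSet.Substring(10)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Default -Value $n -Type DWord
    "Select\Default now = $n ($fixedSet)"
}
```

The string replacement is a literal .Replace rather than a regex so nothing else in the Windows value can be touched by accident, and the value is written back as REG_EXPAND_SZ because that is the type it already has.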
I recommend that you familiarize yourself with the NT startup process to get a better understanding of what we are doing here and why. A good source of reading to better understand how this all works can be found here at Wikipedia in the "Loading Windows NT Kernel" section of this article:
We can now delete C:\Windows\system32\consrv.dll.
The next step is to handle the service. Open Notepad and look at the TDSSKiller window again. Copy the name of the service into Notepad, then copy that to your clipboard. Open the registry editor and make sure 'Computer' is selected in the left pane. Go to Edit > Find, paste the service name you just copied into the find box and click 'Find Next'. You should arrive at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
We are looking for the service listed in the 'netsvcs' value. Find the line that contains the service and delete that line only. Then press F3 to continue the search. You should get one or two more results; these are the service's own registry keys, and each of those should be deleted as an entire key. Keep pressing F3 until you see the message "Finished searching through the registry." Close the registry editor and reboot. Run a full scan with Malwarebytes Anti-Malware to remove any remaining files.
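As an added example (not from the original post), the service cleanup as a script for an elevated Windows PowerShell prompt. The $ServiceName parameter stands in for the name TDSSKiller reported, which this page does not give; the netsvcs value and the Services\<name> keys under each control set are where the post's registry search lands, and the final sweep of HKLM key names is the script's own stand-in for pressing F3 until the search finishes.

```powershell
# Added example, not from the original post: remove the paired service
# once TDSSKiller has reported its name. Run from an elevated Windows
# PowerShell prompt; the service name is the one thing you must supply.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceName     # name shown by TDSSKiller (assumed input)
)

# 1. Remove the service's line from the netsvcs group that svchost.exe loads.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
[string[]]$netsvcs = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs   # REG_MULTI_SZ
if ($netsvcs -contains $ServiceName) {
    [string[]]$kept = $netsvcs | Where-Object { $_ -ne $ServiceName }
    Set-ItemProperty -Path $svchostKey -Name netsvcs -Value $kept -Type MultiString
    "Removed '$ServiceName' from netsvcs ($($netsvcs.Count) -> $($kept.Count) entries)"
} else {
    "'$ServiceName' is not listed in netsvcs"
}

# 2. Delete the service's own key from every control set. These are the
#    "one or two more results" the F3 search finds. Deletion inside the live
#    control set may fail while the rootkit is still resident; report it
#    rather than stop, and re-check after the reboot.
$sets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }
foreach ($cs in $sets) {
    $svcKey = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$ServiceName"
    if (-not (Test-Path -Path $svcKey)) { continue }
    try {
        Remove-Item -Path $svcKey -Recurse -Force -ErrorAction Stop
        "Deleted $svcKey"
    } catch {
        Write-Warning "Could not delete ${svcKey}: $($_.Exception.Message)"
    }
}

# 3. Sweep HKLM for any key still named after the service before rebooting.
#    This checks key names only; the Regedit F3 search also matches value
#    names and data, so it remains the thorough fallback.
$leftover = Get-ChildItem -Path 'HKLM:\' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq $ServiceName }
if ($leftover) {
    $leftover | ForEach-Object { "Still present: $($_.Name)" }
} else {
    "No remaining keys named '$ServiceName' under HKLM; reboot and run the Malwarebytes scan."
}
```

Run it as .\Remove-PairedService.ps1 -ServiceName <name from TDSSKiller>. The netsvcs value is rewritten as REG_MULTI_SZ with only the one line removed, matching the manual instruction to delete that line and nothing else.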
A link to the html format of this video can be found here
Unzip the folder and launch the html file that is contained inside.