Tuesday, January 31, 2012

Security Shield


Security Shield is pretty straight-forward to remove. You can either use the serial number :

64C665BE-4DE7-423B-A6B6-BC0172B25DF2

Or you can remove it the old-fashioned way. Start by renaming the taskmgr so that we can kill the process. I renamed mine to "explorer.exe" and it seemed to work well enough. find and kill the process:


Run a quick scan with your favorite anti-malware utility. (MalwareBytes' is mine) You are all set. This one only left 1 file in "%userprofile%\Local Settings\Application Data\<random.exe>" I found no registry entries or anything weird in startup. Here are some more screenshots:










Wednesday, January 18, 2012

Fixing Security Center


Some of you have experienced the Windows Security Center failing to start after the removal of the ZeroAccess rootkit. Here is how you fix it:

Always be sure to double check by running a firewall reset, you can do this by opening command prompt as administrator and typing the following command:

netsh firewall reset

You should see something like this if it is working:



If it is off or broken by the infection, you will see an error that says “The Service has not been Started.” Here is what you need to do:

1. Download the missing registry entries here and extract the .reg files to the desktop. You need to restore all of the registry entries for the following services:



Base Filtering Engine - HKLM\System\CurrentControlSet\Services\BFE

Windows Security Center Service - HKLM\System\CurrentControlSet\Services\WscSvc

Windows Shared Access - HKLM\System\CurrentControlSet\Services\SharedAcccess

Windows Defender Service - HKLM\System\CurrentControlSet\Services\WinDefend

Windows Firewall Service - HKLM\System\CurrentControlSet\Services\MpsSvc

IP Helper Service - HKLM\System\CurrentControlSet\Services\iphlpsvc



You can find these service registry keys in the downloaded zip file or you can export them from a machine in which these services are functioning correctly. Just importing these registry entries is not enough to get all of these services back and running correctly, some of these entries need special permissions to run.

Import the registry keys by double-clicking each of the files for their respective service. Reboot the PC once you have all of the registry keys imported.

Important Note: After importing registry keys for these services, you need to reboot so that they can start correctly.

2. Now that you have all of the registry entries imported, you can start the Windows Security Center Service and the Windows Defender Service. In order to start the firewall service, you need to have the Base Filtering Engine Service up and running correctly. You’ll notice when you try to start “BFE” that you will get an error with error code 5 which means “Access Denied”. To fix this, you need to allow access to the proper account. Open up regedit and navigate here:

HKLM\System\CurrentControlSet\Services\BFE\Parameters.

Right-click and select “Permissions”. Click “Add…”


You want to add the account “NT Service\BFE” like this:


Once added, you should allow the “BFE” account “Full Control” as pictured above. Do not edit any of the other permissions for that service, you will do that next.

3. Run CMD as Administrator and copy/paste the following command (or have fun typing it out) You need to make sure that the command is all on one line and that there are no spaces between the sets of brackets (sorry for the word wrap but I only have so much space...)

sc sdset bfe D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 

This command resets the default security descriptors for the service and set all the permissions according to factory specs.

4. Now you need to do the same for the Windows SharedAccess Service. So, in regedit, navigate to HKLM\System\CurrentControlSet\Services\SharedAccess. There are 4 subkeys that need to have permissions reset, as well as some sub-subkeys (yea, it’s a word now, I just made it up) Here are the keys that you need to set permissions on:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Defaults\FirewallPolicy 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy

For each of the above keys, right-click and click “Permissions” than click on “Add…” just like you did above.



For the SharedAccess service, you need to add a different account which is called “NT Service\MpsSvc”



Also just like the BFE service, add “Full Control” and click “Apply” You will need to run another command to ensure that all other permissions are correct. Run CMD as Administrator and copy\paste this command to do it automatically:

sc sdset sharedaccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) 

You should be able to start the all of the services correctly now. If not, check your dependencies and make sure all dependent services are started. You may also want to check your ICS service. For some reason, it helps me get the firewall running in some cases. Disable it again after you get the firewall service running. I recommend rebooting to make sure that all of the services are starting up Automatically as they should. Email me if you have any questions/comments.

ZeroAccess Rootkit



               ZeroAccess behavior has changed lately. Now it installs an extra service. This service seems to act as a protection mechanism for the rootkit to help it survive reboots. TDSSKiller seems to do a good job of finding both the infection and the service. Some of you may have seen the service some up as Backdoor.Multi.ZAccess.gen in TDSSKiller. TDSSKiller shouold not be used on ZeroAccess as anything more than a detection tool if you want to be 100% safe.

Tools you will need:

o   XueTr by linxer - http://www.xuetr.com/download/XueTr.zip

                First, you will need to run XueTr. Once you open it up, you may or may not see a message like this:


               

                The first thing we want to look for is the Object Hijack in the Kernel tab. This tab will help us verify that the infection is active and which system file is being affected. With an active infection, you should have 4 objects in the Object Hijack tab: 2 hijacks on the MBR, 1 Abnormal Driver, and 1 Hijacked Kernel Module. By looking at the Kernel Module that has been hijacked, we can determine which file needs to be replaced.



               
                Everything needs to be done in a specific order or this will not work properly. Additionally, we want to make sure all other programs are closed and that any AV software is deactivated before moving forward. We also need to make 100% sure that system restore is enabled and in a working state, and that we create a restore point prior to moving any further into the disinfection process.
                
                Our next step is to find a good copy of the driver, I will leave that part to you. Once you have your clean driver, place it onto the C:\ drive of the infected PC.  We will now need to open up our Avenger tool and write a script for it. The script for ZeroAccess is fairly straight-forward but if you would like to read more about Avenger and how the scripting is done, you can find the information on the SwanDog64 website noted above. Assuming that the infected driver is ipsec.sys, the script should read as follows:

             Files to Move:
     C:\ipsec.sys | C:\Windows\System32\Drivers\ipsec.sys


                We want to run the script. Select Yes.



                We want to make sure that we do not reboot when asked by Avenger. We will reboot later once we have the rest of the infection taken care of. Select No.



                Leave Avenger open and just minimize it. Next, we go back to XueTr and remove our MBR Hijack. Select the Ring0 Hooks tab, then the Disk tab. You will see a message saying "Existed DR0 AttachToDevice Hijack, Do you restore it..." Yes you do :)


               

                We have so far addressed the hijack on the kernel module(our Avenger script), and we have removed the MBR hijack, so we have 2 more steps to go. Next, we will deal with the service. You may find that some samples do not have the service, please skip this step if you do not have the service installed. You can find this by running TDSSKiller (it shows up as  Backdoor.Multi.ZAccess.gen ) Go to the Services tab. This one can be a bit tricky because it is named differently each time. The main things to look for here is that it is always abnormal, so XueTr will show up with blue highlighting on those services, it is always started by svchost.exe, File Corporation is Iomega or Oak Technologies, and it either has random letters and words for the description, or has the description:

"New service would allow parents to control their children's online activity".


               
                There may be more than one of these services so you need to look carefully through this tab. Once you have found the service(s), right click and select delete. Please do not stop the service first, deleting it is enough and stopping usually has adverse effects.

                We are now onto the last part, the Driver. Navigate to the Kernel Module tab. Scroll all the way to the bottom and you can see a Suspicious DriverObject that is highlighted in red. Right-click and select Delete Driver (File and Reg). Then we want to unload the driver. As XueTr tells us, this is dangerous and should always be the last step before reboot. Try to be quick when you reboot after unloading or you have the possibility of getting BSOD. Please keep that in mind and be cautious when performing this last step.





                Yes you are sure you want to continue.

             
               
                Once the driver has been unloaded, quickly move to the Setting tab and select Force System Reboot. Click Yes on the confirmation and wait for the system to reboot.


                
                On successful reboot, you should see the Avenger results on the screen. If all went well, it will say that your file was successfully replaced. Now time to double check with XueTr, TDSSKiller is also fine to double check. Open it back up and navigate to the Kernel tab, then Object Hijack.


                If there are 0 objects, then PC is clean.

SST Rootkit




                Just wanted to share with you the steps to take to remove the SST rootkit. It is also knows as Backboot.Gen by TDSSKiller. The best way to determine if you have this rootkit or not is to download and run the latest TDSSKiller. If the program does not launch at all, you likely are dealing with an SST infection. Make sure that you are running at least Windows XP Service Pack 2 for TDSSKiller to work. If you have sp1, TDSSKiller will not launch and you need to update your service pack before using TDSSKiller. You can also check the partitions on the PC, if any of the system drive's partitions are FAT format, you  may have the infection as well. Here are the step you need to take to remove this rootkit:

      Open up XueTr and navigate to the Kernel Tab > Notify Routine. You will see this:



You will notice that 2 of the items show up in red. We need to remove both of the ones here that have the module "unknown image". Right-Click on them and select delete on CreateProcess like this:



Then again for LoadImage:



      Open up TDSSKiller and make sure that it is the latest version. Once you scan, you should come up with “Rootkit.Boot.SST.x” – Cure the infection:

      Please note that you may have SST.b in TDSSKiller, all of the same steps apply to the "SST.b" variant. Also, it is VERY IMPORTANT that you do not cure any other infections at this point. If you have SST, you need to cure that but skip all other infections that tdsskiller might find. If you find that you are infected with ZeroAccess as well, please refer to the ZeroAccess section of this blog for further instructions once you have cleared out SST. 

 

      You will be prompted to overwrite the MBR code due to TDSSKiller not being able to “Cure” it, as long as the infected PC does not have a setup running a custom boot loader, select “Yes” 



      Reboot with TDSSKiller and you are all set. 



Make sure to remove all other infections after removing SST. A good mbam full scan should do the trick. Email me if you have questions/comments.

Security Defender




Security Defender runs a bit differently than normal rogues. It places its dll files in different folders and launches using rundll32.exe instead of using an executable.






This rogue is contracted by the user getting redirected to a website which will run a "malware scan". This scan will always show that the user is "infected" and has a popup window with the option to "remove" infections. A file download follows and, if run, the user is infected with Security Defender.




The removal process is fairly simple, kill rundll32.exe and use your favorite malware scanner (MalwareBytes' is mine).



Files

C:\Windows\System32\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi
C:\Windows\System32\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico
C:\Documents and Settings\<User Name Here>\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi
C:\Documents and Settings\<User Name Here>\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico
C:\Documents and Settings\<User Name Here>\Application Data\Security Defender\{55134541-8195-4710-C5AD-EF3E5B78ED6C}.pst
C:\Documents and Settings\<User Name Here>\Application Data\Security Defender\{DE4B19BB-A312-44B5-F8AF-B20C20C8DF0C}.pst
C:\Documents and Settings\<User Name Here>\Local Settings\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi
C:\Documents and Settings\<User Name Here>\Local Settings\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico
C:\Documents and Settings\All Users\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.avi
C:\Documents and Settings\All Users\Application Data\53D4813B-6A65-17DC-1AA7-DABF1A67D772.ico
C:\Program Files\Security Defender\Security Defender.dll
C:\Program Files\Security Defender\Security Defender.ico
C:\Documents and Settings\<User Name Here>\Desktop\Security Defender.lnk
C:\Documents and Settings\<User Name Here>\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Defender.lnk
C:\Documents and Settings\<User Name Here>\Start Menu\Programs\Startup\53D4813B-6A65-17DC-1AA7-DABF1A67D772.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\53D4813B-6A65-17DC-1AA7-DABF1A67D772.lnk




Notable Registry Keys

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run]

@53D4813B-6A65-17DC-1AA7-DABF1A67D772

[HKEY_CUURENT_USER\Software\Microsoft\Windows\Currentversion\Run]

@53D4813B-6A65-17DC-1AA7-DABF1A67D772


VirusTotal:

Security Defender.dll VT: 2/42 (4.8%)

System Check







I’m sure we have all been wondering where the fake HDD scanner malware has gone. Well, it’s back and a bit better than before. So let’s get started. First, let’s take a look at what the infection actually does to the system. There are 3 major changes that this rogue makes:





1. It immediately disables task manager and registry tools when launched.
2. It hides all files in the HDD, starting at the root directory.
3. It moves certain shortcuts from the start menu, the desktop, and quick launch folders into a temp folder. Path is %temp%\smtmp




This guy is easily removed with very little effort using an activation code courtesy of Xylitol. The activation code is: 1203978628012489708290478989147. All you need to do is let the program complete its scan and then enter the activation code into the activation window along with whatever email address you choose. The email address does not have to be valid and I highly recommend that you do not use any real email address in this activation window. I found that you do not necessarily need to go through the activation dialogue box to activate it. When activated, the rogue creates a text file which is placed onto the desktop. All that you need to do is move a copy of that file onto the desktop while the rogue is actively running and it will activate itself. You can find the text at the bottom of this post.




Once activated, he is very easy to remove. Process can be killed from the system tray icon and then removed with your favorite Anti-Malware product (I prefer MalwareBytes’ Anti-Malware). Once the process is killed, you can decide to take it a step further and use the uninstall icon found in the start menu to remove the desktop icon and executable if you’d like.






If you have already killed and deleted the process, and have not removed the temp files yet, don’t worry, there is still an easy way to get all of your stuff back. I wrote a small tool that will unhide all of the files that were hidden on the drive, and then move all of the shortcuts back to their original locations. It can be found here: Shortcut Recovery Tool



More images:







Here is a copy of the text file created by the rogue during activation. All you need to do is paste the below text into notepad and save it as "System Check License.txt" (without the quotes) onto your desktop, wait for your icons to be displayed again, and then reboot and move on with removal. :)

Thank you for purchase, System Check!Your activation code: 1203978628012489708290478989147Please use this download link to install Master Utilities if your software copy has been removed or lost. http://yourlicenseactivate.com/license/download/master.exeContact us through Help&Support section in the Master Utilities menu or by phone +1.877.2357459





VirusTotal: System Check


15/43 (34.9%)

MD5: fd58ad7cc72e9286a618f127fa241946

Internet Security Guard


To help get connected remotely and to help remove this rogue enter this key (thanks to S!ri):
 U2FD-S2LA-H4KA-UEPB


Manual Instructions

Another fake MSE...  Internet Security Guard this time. This one is fairly straight-forward to remove. It disables task manager using an image file execution option. To get around this, we must rename taskmgr to something that Windows needs running to operate such as "winlogon.exe". The following command from the run box should suffice:

cmd /k copy "C:\windows\system32\taskmgr.exe" "%userprofile%\desktop\winlogon.exe" 

This will copy the task manager to the desktop and rename it to "winlogon.exe" which will allow it to run. Now kill the process. Run your favorite malware scanner (MalwareBytes' is mine) and you are all set. 





Files Created

C:\Documents and Settings\All Users\Application Data\<random>\<random>.exe
C:\Documents and Settings\Administrator\Desktop\Internet Security Guard.lnk
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security Guard.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Security Guard.lnk C:\Documents and Settings\Administrator\Start Menu\Internet Security Guard.lnk

Notable Registry Keys Infected

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Internet Security Guard
HKCR\SOFTWARE\Microsoft\Internet Explorer\SearchScopes | URL (Hijack.SearchPage) -> 
Bad: (hxxp://findgala.com/?&uid=8027&q={searchTerms})

There are 760 more keys made and 30 more values infected but they are all image file execution options or policies to disable either real AV or other fake AV so I will not be listing all of them here. :)


Sunday, January 15, 2012

Multi-Rogue 2012





Thanks to Xylitol, here are a few registration keys that you can try to help get remote connection and removal before following the steps below:

3425-814615-3990
9443-077673-5028

I have seen a few of these rogues that have not been accepting the registration keys lately. Today I would like to go over with you the method that I use to connect remotely when the registration key does not work properly.


The first thing that we need to do is get the task manager open. To do this, you will need to use the key combination: ctrl + shift + esc – this will bypass the rogue’s process killing mechanism.

Hold down Ctrl and click “New Task” – This will open a command prompt window for you. Launch regedit.exe from the command prompt window.


Remove the exe file association that is created by the rogue. This can be found at HKEY_CURRENT_USER\Software\Classes\.exe - This file association is created by the rogue for the rogue’s use only so just delete the key.



After the file association has been removed, the rogue can no longer launch when trying to launch normal applications, so it is ok to kill the process now. I like to have the customer kill the process from the “Applications” tab as shown below.


At this point you can get your remote session up. Note that the file association has also been corrupted when launching the default browser from the start menu, so keep that in mind. From here, I recommend checking for any rootkit infections by using TDSSKiller.



If any infections are found in TDSSKiller, please follow the instructions and reboot when asked. I will go over removal methods of the rootkits commonly associated with this infection in other posts. 

Last step is to use your favorite malware scanner to ensure all traces have been removed. MalwareBytes' Anti-Malware is my favorite. Make sure that you run a full scan to ensure that you have removed items from all user accounts and system restore.

Some of these have a worm infection called Parite. You will find the infection in the log file of the MalwareBytes' scan that you just ran if it is present. This can be removed by using the BitDefender Parite Removal Tool.



Finally, do yourself a favor and create a restore point ;)


Advanced Information

Registry Keys Modified

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Files Modified


%CommonAppData%\<random characters>
%LocalAppData%\<random characters>
%LocalAppData%\<random 3 chars>.exe
%Temp%\<random characters>
%UserProfile%\Templates\<random characters>