July 8, 2007

Rootkits & Trojans

On June 26 my brother asked me to fix a problem on his computer. My brother's Windows XP Home had been crashing unexpectedly with a blue error screen (BSOD). His antivirus program was BitDefender 9.5 Standard.

The computer crashed soon after I analyzed the Startup items in msconfig. The file that caused the problem was Icbw49.sys. The error message was "Page_Fault_in_nonpaged_area". A Google search for the file name returned zero hits. If the file was a legitimate system file as indicated by its "sys" name extension, there should have been many hits. Usually a Google search on a problem will find posts by people who have had the same problem. Often solutions can be found. I was disturbed that the file name was not in Google's index.

I went to Control Panel, Folder Options, View, and made changes to display the contents of system folders, show hidden files and folders, show extensions for known file types, and show protected operating system files. Then I searched C: (the only hard drive) for the file Icbw49.sys. The file was not found. Distrusting the XP search facility I manually searched several Windows folders where I thought the file might be. I found no file by that name. Wow. I speculated that the file was being assembled in memory by some form of malware.
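A driver that the kernel loads (and crashes on) but that no directory listing shows is the classic symptom of a file-hiding rootkit, and the standard way to surface it is a cross-view check: ask two different sources what should be on disk and diff the answers. The script below is an added example, not code from the original post; it compares a constructed copy of the registry's driver service entries (HKLM\SYSTEM\CurrentControlSet\Services, with the ImagePath and Start values) against a constructed directory listing and reports drivers registered to load whose file the filesystem view does not show. The service names, paths and the C:\WINDOWS system root are sample data made up for the example; nothing is read from a real registry.

```python
"""Cross-view check for hidden kernel drivers (added example, constructed data)."""
import ntpath

SYSTEM_ROOT = "C:\\WINDOWS"  # assumed system root for the sample data

# Service Start values as Windows defines them
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
# Service Type values for kernel-mode drivers (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER)
KERNEL_DRIVER_TYPES = {1, 2}

# View 1 (constructed): driver services as the Services registry key lists them.
REGISTRY_SERVICES = {
    "Icbw49":  {"ImagePath": "\\SystemRoot\\System32\\Drivers\\Icbw49.sys", "Start": 1, "Type": 1},
    "Beep":    {"ImagePath": "system32\\drivers\\beep.sys", "Start": 1, "Type": 1},
    "Ntfs":    {"ImagePath": "\\SystemRoot\\system32\\drivers\\Ntfs.sys", "Start": 0, "Type": 2},
    "Spooler": {"ImagePath": "%SystemRoot%\\system32\\spoolsv.exe", "Start": 2, "Type": 16},
    "OldDrv":  {"ImagePath": "\\??\\C:\\WINDOWS\\system32\\drivers\\olddrv.sys", "Start": 4, "Type": 1},
}

# View 2 (constructed): what a directory listing of the drivers folder returned.
FILESYSTEM_VIEW = {
    "C:\\WINDOWS\\system32\\drivers\\beep.sys",
    "C:\\WINDOWS\\system32\\drivers\\ntfs.sys",
    "C:\\WINDOWS\\system32\\spoolsv.exe",
}


def normalize_image_path(image_path, service_name, system_root=SYSTEM_ROOT):
    """Turn the ImagePath spellings Windows accepts into one lowercase absolute path.

    Handles \\SystemRoot\\..., %SystemRoot%\\..., \\??\\C:\\... (NT object path),
    paths relative to the system root, and the missing-ImagePath case, where the
    loader assumes System32\\Drivers\\<ServiceName>.sys.
    """
    p = (image_path or "").strip().strip('"')
    if not p:
        p = ntpath.join(system_root, "system32", "drivers", service_name + ".sys")
    elif p.lower().startswith("\\systemroot\\"):
        p = ntpath.join(system_root, p[len("\\systemroot\\"):])
    elif p.lower().startswith("%systemroot%"):
        p = system_root + p[len("%systemroot%"):]
    elif p.startswith("\\??\\"):
        p = p[len("\\??\\"):]
    elif not ntpath.splitdrive(p)[0]:
        p = ntpath.join(system_root, p)
    return ntpath.normpath(p).lower()


def find_hidden_drivers(registry_services, filesystem_view, system_root=SYSTEM_ROOT):
    """Return (service, normalized path, start type) for every kernel driver that is
    registered to load but whose image the filesystem view does not contain.

    Disabled services (Start=4) are skipped: a stale entry for a driver that never
    loads is clutter, not evidence of hiding. Non-driver services are skipped because
    their ImagePath may carry command-line arguments and is not what this check is for.
    """
    visible = {ntpath.normpath(f).lower() for f in filesystem_view}
    hidden = []
    for name, values in registry_services.items():
        if values.get("Type") not in KERNEL_DRIVER_TYPES:
            continue
        start = values.get("Start", 3)
        if start == 4:
            continue
        path = normalize_image_path(values.get("ImagePath"), name, system_root)
        if path not in visible:
            hidden.append((name, path, START_NAMES.get(start, str(start))))
    return hidden


if __name__ == "__main__":
    for name, path, start in find_hidden_drivers(REGISTRY_SERVICES, FILESYSTEM_VIEW):
        print(f"{name}: registered as a {start}-start driver at {path}, but not visible on disk")
```

On the sample data only Icbw49 is reported: it is a system-start kernel driver whose image path is absent from the directory listing. On a real machine the two views would come from a registry dump and a directory listing, and the interesting case is exactly the one this post describes: a driver that loads early enough to crash the kernel yet cannot be found by Explorer's search. A clean boot (Safe Mode, or booting from separate media) gives a third view that the rootkit's filter cannot tamper with.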

I ran a BitDefender scan of C:. BitDefender found and quarantined the following four infections.

Rootkit.Agent.EG
Rootkit.Agent.GH
Trojan.Zapchast.CA
Generic.Malware.Bdld!!.C3B48A52

I had never encountered a rootkit before, although I had read about them. I know it's better to restore a hard disk from an image backup than it is to try to remove all the pieces of a rootkit, but there was no backup. I had no desire to reformat the drive, reinstall Windows, and reinstall every program. I hoped that the rootkit wasn't written very well; a position supported by two facts -- it caused page faults and BitDefender found pieces of it. I think the most competently written rootkits would neither crash the system nor be found by antivirus products.

I decided the best thing to do would be to reload a restore point from before the infection and hope that whatever BitDefender had not quarantined would be eliminated by the restore. I had last performed maintenance tasks on the computer during my visit of May 9-15. We decided to restore the system back to May 17. The restore process completed with a message that said something like "Cannot restore system to May 17, 2007. No files were changed."

We knew the crashes had begun on June 11. So we tried to restore the system to any restore point created after May 17. Every attempt to restore to any date from May 17 through June 11 failed with the same message. Restoring to the June 12 restore point succeeded, but that was the first restore point after the system had been infected. At that point I knew we were dealing with something truly clever and devious. The malware (rootkit/virus/Trojan/key-logger/worm) was preventing restoration of the system to any pre-infection date. Wow.

I began to think the malware had won. I feared having to take drastic and time-consuming action. I thought of one last thing to try... a long shot. I rebooted the computer into Safe Mode, which limits the number of dlls, drivers, and other system files that are loaded. I tried to recover the system to the May 17 restore point, and it worked! The malware couldn't stop the recovery being run in Safe Mode. Whew!

Then I ran a complete scan using Spybot Search & Destroy. Of course the scan found many insignificant items like tracking cookies, but it also found the following five threats.

Backdoor.Win32.SdBot.gen
CurePCSolution
SurfSideKick
TagASaurus
Win32.Small.ddx

Spybot successfully removed each of the threats.

My brother and his wife know not to run executables attached to emails, so I guessed that the many infections were due to drive-by downloads while surfing with Internet Explorer. They had been using both Internet Explorer and Mozilla. I installed Firefox and suggested they use Mozilla or Firefox to avoid future infections.

The BitDefender 9.5 subscription was expiring and I didn't want to install BitDefender 10, so I installed AVG Free 7.5. A complete scan with AVG showed no threats. I then installed and ran AVG Anti-Rootkit, which also found no threats. Nothing significant was found by an Ad-Aware scan either. Finally, I created a new restore point.

Hopefully the system is clean now and any undiscovered rootkit pieces will not be able to do anything bad. Also hopefully no personal data was transmitted to a hacker.
