Archive for May, 2006

Sony rootkit settlement gets final nod

Monday, May 22nd, 2006

A federal judge has given final approval to the settlement of the class action suits against Sony BMG. It ends a long-running debacle in which Sony BMG has paid a heavy price for planting a rootkit on its customers' computers. At least 15 class action suits were brought against Sony BMG, and because they were so similar some were consolidated and heard together.

Anyone who bought a CD containing the infamous rootkit can receive a replacement CD and free music downloads; additional cash payments have also been mentioned. Everyone who bought one of the CDs (here is a list of the offending CDs) should go and get a replacement under the terms of the settlement. The more people who apply, the more clearly big corporations will see that tampering with people's computers has an adverse effect on them, which should put them off trying such a thing in the future.

The Sony BMG rootkit scandal broke in November 2005 after Mark Russinovich discovered something odd on his PC after playing a Sony music CD. He found that the CD's DRM software had installed a rootkit that hid the Digital Rights Management (DRM) files so that users could not remove or bypass the DRM software. It soon emerged that malware writers could use the same cloaking to hide their own files on any PC carrying the Sony BMG rootkit.

First4Internet's XCP and SunnComm's MediaMax were the two DRM packages covered by the settlement; XCP was the one that used a rootkit to hide its files.

The final agreement (click for PDF) is here. Get a copy, and if you have any of the affected CDs, claim your refund.

Keep Safe

regards
Steo
www.antirootkit.com

New Zero Day Attack Targets Word Users with Rootkit

Monday, May 22nd, 2006

New malware attacks have been targeting several versions of Microsoft Word, according to Symantec and many other anti-virus companies. A Trojan horse is delivered in a specially crafted Word document that exploits a previously unknown Word vulnerability to infect the user's PC. The Trojan allows a remote intruder to gain access to and control over the computer, and it hides the files and processes it uses so that it is not found. Sophos has determined that it hooks the following APIs:

Kernel32.dll (file and module enumeration)
    FindFirstFileW
    FindNextFileW
    Module32NextW
Psapi.dll (process module enumeration)
    EnumProcessModules
    GetModuleFileNameW
Advapi32.dll (service and registry enumeration)
    EnumServicesStatusA
    EnumServicesStatusW
    RegEnumKeyA
    RegEnumKeyExA
    RegEnumKeyExW
    RegEnumKeyW
    RegEnumValueA
    RegEnumValueExA
    RegEnumValueExW
    RegEnumValueW
    RegQueryValueExA
    RegQueryValueExW
    RegSetValueExA
    RegSetValueExW

These are the calls that Explorer, Task Manager, the Services console and regedit go through to list files, loaded modules, services and registry keys, so a user-mode hook on them filters the Trojan's own files, modules, service and keys out of what those tools display. A tool that reads the file system or the registry hives directly, rather than through these APIs, will still see them.

Sophos calls the Trojan Troj/Oscor-B, but it is better known to users as W32/Ginwui.A or Backdoor.Ginwui.
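Detecting hooks of this kind, as an added example (not code from Sophos, Symantec or this site): a user-mode hook on a Win32 export normally overwrites the first bytes of the function with a jump to the rootkit's handler. The script below classifies a function's prologue bytes (32-bit x86 encodings), compares the in-memory copy with the on-disk copy when one is available, and flags entries whose jump leaves the owning module or which show the hot-patch short-jump pattern. The export list is the one Sophos gives above; the module ranges, addresses and byte strings are constructed samples, and nothing is read from a live process.

```python
"""Prologue-level inline-hook check for the Win32 exports a user-mode rootkit
typically patches. Added example for this post, not Sophos or Symantec code.
Addresses, module ranges and byte strings are constructed samples, not
captures of Ginwui. 32-bit x86 encodings only."""
import struct

# The enumeration APIs Sophos lists as hooked by Troj/Oscor-B (W32/Ginwui.A).
HOOKED_EXPORTS = {
    "kernel32.dll": ("FindFirstFileW", "FindNextFileW", "Module32NextW"),
    "psapi.dll": ("EnumProcessModules", "GetModuleFileNameW"),
    "advapi32.dll": ("EnumServicesStatusA", "EnumServicesStatusW",
                     "RegEnumKeyA", "RegEnumKeyExA", "RegEnumKeyExW", "RegEnumKeyW",
                     "RegEnumValueA", "RegEnumValueExA", "RegEnumValueExW",
                     "RegEnumValueW", "RegQueryValueExA", "RegQueryValueExW",
                     "RegSetValueExA", "RegSetValueExW"),
}


def classify_prologue(addr, code):
    """Decode the first instruction at `addr`; return (kind, jump_target).
    target is None when the entry does not transfer control."""
    if len(code) >= 5 and code[0] == 0xE9:                        # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:    # JMP [abs32]
        return "jmp [abs32]", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # PUSH imm32; RET
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 2 and code[0] == 0xEB and code[1] == 0xF9:
        # JMP -7: the hot-patch hook. MOV EDI,EDI (8B FF) at a hot-patchable
        # entry is replaced by a short jump back into the 5-byte NOP sled that
        # precedes the function, where the hooker has written a long JMP.
        return "hotpatch short jmp", (addr - 5) & 0xFFFFFFFF
    return "no transfer at entry", None


def check_export(api, addr, mem, disk=None, module_range=None):
    """`mem` is the prologue read from the live process, `disk` the same bytes
    from the file on disk (None if unavailable), `module_range` the (start, end)
    of the module that owns the export. Returns (hooked, reason)."""
    kind, target = classify_prologue(addr, mem)
    if disk is not None:
        n = min(len(mem), len(disk))
        if mem[:n] != disk[:n]:
            return True, f"{api}: in-memory prologue differs from disk ({kind})"
        # Memory matches disk: any jump at the entry was compiled in, not patched.
        return False, f"{api}: matches on-disk image"
    if kind == "hotpatch short jmp":
        # Legitimately hot-patched Microsoft functions are rare; treat as suspect.
        return True, f"{api}: MOV EDI,EDI replaced by JMP -7, long jump at 0x{target:08x}"
    if target is None:
        return False, f"{api}: {kind}"
    if module_range and not (module_range[0] <= target < module_range[1]):
        return True, f"{api}: entry jumps outside its module to 0x{target:08x} ({kind})"
    return False, f"{api}: {kind} stays inside module"


def scan(entries):
    """entries: (dll, api, addr, mem, disk, module_range) tuples.
    Returns [(api, is_known_ginwui_target, reason)] for everything judged hooked."""
    found = []
    for dll, api, addr, mem, disk, rng in entries:
        hooked, reason = check_export(api, addr, mem, disk, rng)
        if hooked:
            found.append((api, api in HOOKED_EXPORTS.get(dll.lower(), ()), reason))
    return found


def _jmp_rel32(src, dst):
    """Encode a JMP rel32 at `src` that lands on `dst` (builds the samples)."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


# Constructed sample: kernel32 mapped at 0x7C800000-0x7C8F6000, a rootkit DLL at
# 0x10000000. None of these are addresses from an infected machine.
K32 = (0x7C800000, 0x7C8F6000)
CLEAN = b"\x8b\xff\x55\x8b\xec"                      # MOV EDI,EDI; PUSH EBP; MOV EBP,ESP
SAMPLE_ENTRIES = [
    ("kernel32.dll", "FindFirstFileW", 0x7C813000, CLEAN, CLEAN, K32),
    ("kernel32.dll", "FindNextFileW", 0x7C813100,
     _jmp_rel32(0x7C813100, 0x10001000), CLEAN, K32),           # detour into the rootkit
    ("kernel32.dll", "Module32NextW", 0x7C813200,
     b"\xeb\xf9\x55\x8b\xec", None, K32),                       # hot-patch style hook
    ("kernel32.dll", "GetTickCount", 0x7C813300,
     _jmp_rel32(0x7C813300, 0x10001000), None, K32),            # hooked, but not on Sophos' list
    ("psapi.dll", "EnumProcessModules", 0x76BF1000,
     _jmp_rel32(0x76BF1000, 0x76BF2000), None, (0x76BF0000, 0x76BFB000)),  # compiled-in thunk
]

if __name__ == "__main__":
    for api, known, reason in scan(SAMPLE_ENTRIES):
        print("HOOKED", "(Ginwui target)" if known else "(other)", reason)
```

On a real machine the `mem` bytes would come from ReadProcessMemory at the export's address and the `disk` bytes from the same offset in the file under System32; that comparison is the most reliable signal, because compilers do emit a legitimate JMP at some entry points (import thunks and forwarders), which is why the last sample is not flagged.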

The person or people who wrote the Trojan had exclusive knowledge of a vulnerability in MS Word and sent specially crafted Word documents to email addresses belonging to a particular company in Asia. The object was to retrieve information from the affected computers.

This seems to be a new direction for malware writers, and exclusive knowledge of an unpatched hole is worth a lot of money to the hackers and others who constantly hunt for vulnerabilities nobody else knows about. An exploit for such a hole has only a small chance of being detected in the initial stages of an attack. Apparently big money is being paid for exclusive knowledge of holes in software.

A complete list of affected Word versions is available from ISS X-Force: http://xforce.iss.net/xforce/xfdb/26556

The one lesson for everyone from this infection is to beware of attachments from anyone you are not familiar with, and to treat an unexpected Word document with suspicion even when it looks business-related, since these were sent to real addresses at the targeted company.

Keep Safe

regards
Steo
www.antirootkit.com

Rootkit software infects gamblers’ computers

Wednesday, May 17th, 2006

Users who recently downloaded a program to help them calculate rakeback on previously played poker hands have had their PCs infected with malicious files and a rootkit. The program, Rakeback Calculator (filename RBCalc.exe), was downloaded from a well-known and legitimate website, Checkraised.com. Checkraised.com had employed an external programmer to write the program for them; the programmer would email each build to Checkraised, who then put it up on their website. Checkraised were informed by a third party that RBCalc.exe contained malware. On inspection, RBCalc.exe was found to carry a piece of malware that retrieved the user's usernames and passwords for poker sites including PartyPoker, EmpirePoker, EurobetPoker and PokerNow from the PC. It also gave the attacker remote access to the user's computer. The attacker would then log in as the victim and play poker against an account of his own, so that in the victim's absence all of the victim's money was lost to the attacker.

What was unusual about this attack is that RBCalc.exe also installed a rootkit to hide the existence of the files the attacker was using on the PC. What the attacker did not realise is that the very presence of a rootkit is itself a strong indicator that malicious files are present.

Poker players who have used any version of RBCalc.exe are advised to delete the program. Even poker players who have not used RBCalc.exe should still follow the procedure below, as they may have been infected by other methods or software.

1. Open your C:\WINDOWS\system32\ directory and look for the following files:

   \WINDOWS\system32\d3dclsrv.dll
   \WINDOWS\system32\ndsdavsrv.sys
   \WINDOWS\system32\comclg32.dll
   \WINDOWS\system32\utlsrv.exe

   Please note that these names are deliberately VERY similar to system files that Windows needs (comclg32.dll sits next to the legitimate comdlg32.dll, for example), so that you believe they are important. You are only infected if the file names are EXACTLY as above; do not delete a near-match.

2. If those files are present it is safe to assume you are infected. Delete the following:

   \WINDOWS\system32\d3dclsrv.dll
   \WINDOWS\system32\ndsdavsrv.sys
   \WINDOWS\system32\comclg32.dll

   If Windows refuses because a file is in use (ndsdavsrv.sys is registered as a service and is most likely loaded as a driver), carry on and delete it after the reboot in step 4.

3. Open the registry editor (START > RUN > type 'regedit'). In the tree on the left, navigate to:

   HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ndsdavsrv

   In the right-hand pane you will see the value:

   ImagePath=\??\C:\WINDOWS\System32\ndsdavsrv.sys

   Please delete that value (deleting the whole ndsdavsrv key is also fine; it is the service entry for the rootkit's driver). ControlSet001 is normally the control set that CurrentControlSet points at; if the key is not there, look under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ndsdavsrv.

4. Reboot your machine.

5. Go back to the registry editor (START > RUN > type 'regedit') and open:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

   You will see the value:

   Comclg32=C:\WINDOWS\System32\utlsrv.exe /Comclg32.dll

   Please delete that entry.

6. Bring up Task Manager (CTRL+ALT+DEL, click the Processes tab). Find utlsrv.exe, right-click it and select End Process.

7. Open C:\WINDOWS\system32 and delete utlsrv.exe.

8. Poker players should then change all their passwords for every poker site they use, from a machine they trust.
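A checker for the indicators in the steps above, added here as an example; it is not a tool from Checkraised.com or antirootkit.com. It takes a directory listing and the text of a regedit export (.reg), so on a real XP machine you would pass it os.listdir of System32 and the output of regedit's File > Export (or reg.exe's export) for the two keys; the listing and export embedded below are constructed samples so the script runs anywhere. It reports only exact file-name matches and lists look-alikes one letter away (comdlg32.dll beside comclg32.dll) separately so they are not deleted, and it decodes the ImagePath value the way regedit exports it (REG_EXPAND_SZ as hex(2) UTF-16LE, continued over lines ending in a backslash).

```python
r"""Indicator check for the RBCalc.exe infection described above.
Added example, not a tool from Checkraised.com or antirootkit.com. It works on
a directory listing and the text of a regedit export; SAMPLE_LISTING and
SAMPLE_REG below are constructed, not taken from an infected machine."""
import re

IOC_FILES = {"d3dclsrv.dll", "ndsdavsrv.sys", "comclg32.dll", "utlsrv.exe"}
# ControlSet001 as in the write-up, plus CurrentControlSet, which normally
# points at it. Keys are compared lower-cased: the registry is case-insensitive.
SERVICE_KEYS = (
    r"hkey_local_machine\system\controlset001\services\ndsdavsrv",
    r"hkey_local_machine\system\currentcontrolset\services\ndsdavsrv",
)
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike legitimate file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_files(listing):
    """Exact (case-insensitive) matches are hits. Names one edit away from an
    indicator are reported as look-alikes: those are usually real Windows
    files (comdlg32.dll next to comclg32.dll) and must not be deleted."""
    hits, lookalikes = [], []
    for name in listing:
        low = name.lower()
        if low in IOC_FILES:
            hits.append(name)
            continue
        for ioc in IOC_FILES:
            if edit_distance(low, ioc) == 1:
                lookalikes.append((name, ioc))
    return hits, lookalikes


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse regedit's .reg format into {key_lowercased: {value_name: data}}.
    Handles "string", dword:, hex: and hex(2): (REG_EXPAND_SZ as UTF-16LE),
    including hex data continued over lines that end in a backslash."""
    joined = []
    for line in text.splitlines():
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    keys, current = {}, None
    for line in joined:
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith("hex"):
            raw = bytes(int(h, 16) for h in data.split(":", 1)[1].split(",") if h)
            value = raw.decode("utf-16-le").rstrip("\0") if data.startswith("hex(2):") else raw
        else:
            value = data
        keys[current][name] = value
    return keys


def check_registry(reg):
    """Return the persistence entries the write-up says to remove."""
    findings = []
    for key in SERVICE_KEYS:
        path = reg.get(key, {}).get("ImagePath")
        if path is not None and "ndsdavsrv.sys" in str(path).lower():
            findings.append((key, "ImagePath", path))
    for name, data in reg.get(RUN_KEY, {}).items():
        if "utlsrv.exe" in str(data).lower():
            findings.append((RUN_KEY, name, data))
    return findings


def scan(listing, reg_text):
    hits, lookalikes = check_files(listing)
    return {"files": hits, "lookalikes": lookalikes,
            "registry": check_registry(parse_reg_export(reg_text))}


def _hex2(s):
    """Encode a string as regedit exports REG_EXPAND_SZ, split over two lines
    with the backslash continuation regedit uses (builds the sample only)."""
    parts = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    return "hex(2):" + ",".join(parts[:16]) + ",\\\n  " + ",".join(parts[16:])


# Constructed sample input (not from a real machine).
SAMPLE_LISTING = ["comdlg32.dll", "d3d9.dll", "kernel32.dll", "D3DCLSRV.DLL",
                  "ndsdavsrv.sys", "comclg32.dll", "utlsrv.exe", "ctfmon.exe"]
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\ndsdavsrv]\n"
    '"Type"=dword:00000001\n"Start"=dword:00000002\n'
    '"ImagePath"=' + _hex2(r"\??\C:\WINDOWS\System32\ndsdavsrv.sys") + "\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"Comclg32"="C:\\\\WINDOWS\\\\System32\\\\utlsrv.exe /Comclg32.dll"\n'
    '"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"\n'
)

if __name__ == "__main__":
    for section, items in scan(SAMPLE_LISTING, SAMPLE_REG).items():
        print(section, items)
```

The look-alike report is the point of the warning in step 1: a scanner that matched on "looks like comclg32.dll" would tell a user to delete comdlg32.dll, which Windows needs.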

Keep Safe

regards
Steo
www.antirootkit.com

Spyware, Rootkit Maker Stops Distribution

Thursday, May 11th, 2006

ContextPlus, which describes itself as a "Marketing Company", has stopped distributing its malicious software, which included spyware and a rootkit to hide that spyware. It cited operating concerns as the reason for stopping. ContextPlus probably knew it faced long legal battles over its behaviour. This brings to an end the company that brought rootkits into the mainstream PC world via its Apropos rootkit.

Keep Safe

regards
Steo
www.antirootkit.com