Anti Rootkit Blog

In a follow up to the post : New Storm-Worm Rootkit creating Botnets here is an update. 

It has been reported that the authors of the Storm Worm which uses a rootkit called wincom32 have changed their code and tactics to try and avoid detection but in doing so have left bugs in the code.

To check your system for this rootkit please download an anti-rootkit scanner.

First of all there are now more subjects attached to the emails containing the worm:

Chinese missile shot down USA aircraft
Chinese missile shot down USA satellite
Fidel Castro dead.
First Nuclear Act of Terrorism!
Happy World Religion Day!
Hugo Chavez dead.
President of Russia Putin dead
Radical Muslim drinking enemies’ blood.
Russian missle shot down Chinese satellite
Russian missle shot down USA aircraft
Russian missle shot down USA satellite
Sadam Hussein alive!
Sadam Hussein safe and sound!
Safe and Sound
The commander of a U.S. nuclear submarine lunch the rocket by mistake.
The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
Third World War just have started!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
U.S. Southwest braces for another winter blast. More then 1000 people are dead.
Venezuelan leader: “Let’s the War beginning”.

and some love related subjects:

A Bouguet of Love
A Day in Bed Coupon
A Monkey Rose for You
A Red Hot Kiss
Against All Odds
All That Matters
Baby, I’ll Be There
Back Together
Breakfast in Bed Coupon
Can’t Wait to See You!
Cyber Love
Dinner Coupon
Dream Date Coupon
Emptiness Inside Me
Fields Of Love
For You
Full Heart
I Believe
I Can’t Function
I Dream of You
I Think of You
Internet Love
It’s Your Move
Kiss Coupon
Love Birds
Love You Deeply
Made for Each Other
Miracle of Love
Moonlit Waterfall
My Invitation
Our Love
Our Love is Free
Our Two Hearts
Passionate Kiss
Pockets of Love
Puppy Love
Red Rose
Sending You My Love
Showers of Love
Someone at Last
Soul Partners
Summer Love
Take My Hand
That Special Love
The Dance of Love
The Long Haul
The Love Bugs
This Day Forward
This Feeling
Till Morning’s Light
Till Morninig’s Light
The Mood for Love
To New Spouse
Together Again
Together You and I
Touched by Love
Twice Blest
Until the Day
We’re a Perfect Fit
Wild Nights
Will you?
When I’m With You
Worthy of You
Wrapped Up
Wrapped in Your Arms
You are our of this world
You Lucky Duck!
You Rock Me!
You Were Worth the Wait

The attachment may now have one of the following names:

GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe

It firstly drops a file called wincom32.sys in one of the following folders:

C:\Windows\System (Windows 95/98/Me)
C:\Winnt\System32 (Windows NT/2000)
C:\Windows\System32 (Windows XP)

It creates a service and creates the following registry entry to start it when the PC starts up:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32

The worm then tries to connect to various other bots and download more malware so that it can do it’s primary job, to send out penny stock spam. Increased spam has been seen in the last few days.

The latest version of the bot now tries to communicate with other bots on port 7871 instead of 4000 as in the previous version.

The authors have included more rootkit functionality to this version. But this rootkit contains a few bugs and has been known to crash some systems.

“It is now capable of hiding several files and registry keys by hooking several kernel functions and patching the tcpip.sys system driver to hide its ports from commands, such as netstat -o or netstat -b. However, due to some mistakes in the rootkit code, running netstat -an lets you see ports 7871 or 4000 open and waiting for connections. It is also important to note that a personal firewall will also notify you of the process services.exe trying to make connections on these ports. Furthermore, the rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again.”
Symantec

The rootkit also checks to see if the system it is running on is a Windows 2003 machine, as it seems that the authors have not fully tested it on Windows 2003.

This latest attack change is interesting as it shows the attackers are constantly changing their tactics in the light of discoveries by anti malware companies. The attackers are also using new news headlines for the latest attacks and hoping to dupe more people into catching the worm. It seems the attackers are blatantly sticking their noses up at the anti malware industry using their new and expanding peer to peer botnet.

References:

Trojan.Peacomm Part 2 – The Botnet Evolves

Stormy Love

Stay Safe

regards

Steo
www.antirootkit.com

Some of you may have received an email today saying that “U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel” or that “230 dead as storm batters Europe”. If you did and clicked on the attachment then you have been infected by the Storm-Worm and your PC is now more than likely part of a Botnet.

Large amounts of the worm were spammed out early this morning to Europe and then to North America.

Some of the subjects of the spammed emails were crafted to coincide with current events in the news. The subjects included:

U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
230 dead as storm batters Europe.
British Muslims Genocide
Naked teens attack home director.
A killer at 11, he’s free at 21 and kill again!

The emails arrived with no text, only an attachment which seems to look like a video of the event discribed in the Subject.

The attachments may have any of the following filenames:
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe

When the attachment is run it drops a file called wincom32.sys which is a kernel mode rootkit.

It installs itself as a service with the name “wincom32″ by creating the following registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\
Root\LEGACY_WINCOM32] 

This kernel mode driver acts as an advanced payload injector with sophisticated methods such as seen with Rustock.

The worm then tries to contact various IP addresses and tells the Botnet leaders that it is infected. It is then placed on a list of infected machines so that spyware and other malware can be installed at a later date when the Botnet owner wants. The machines that are unsuitable for the Botnet are also placed in a list so as not to visit them again.

The type of Botnet being setup here is called a “Peer to Peer” Botnet. It is different to the normal “Command and Control” Botnet. It shows us that malware authors are taking a new direction when it comes to their Botnets. It is harder to shut down a Peer to Peer than a Command and Control Botnet.

References:
Trojan.Peacomm: Building a Peer-to-Peer Botnet
http://www.f-secure.com/v-descs/small_dam.shtml
YouTube Video showing the speed and extent of the spread of the Storm-Worm

Keep Safe
regards
Steo
www.antirootkit.com

The anti rootkit software author who goes by the name of EP_X0FF has released information recently about a new rootkit that he has created. EP_X0FF is the author of Rootkit Unhooker one of the best antirootkit scanners at the moment. The rootkit he has created is undetectable by all anti rootkit software. The new rootkit is to be called Unreal Test Rootkit.

Here is some information on the rootkit from the Rootkit Unhooker site:

We are introducing new generation of rootkit technology.
Unreal Test Rootkit v1.0Unreal rootkit hides file and driver. Works on NT-based operation systems with NTFS file systems.

regards

Steo
www.antirootkit.com

I found this interesting blog article about how to use the Tenable Passive Vulnerability Scanner (PVS) for finding Rootkit activity. As Rootkits are used to hide information from the Operating System and bypass anti virus and anti spyware programs it is only with specific rootkit scanners that they can be found.

If a new rootkit is created and can bypass the anti rootkit scanners then it will be invisible to everyone and everthing…..except….if you scan network traffic from another PC then you can possibly see the traffic caused by the rootkit and what ports were opened. A list of open ports may show ports opened that are unknown to any application and should be investigated.

A quote from the Blog.
“When systems are compromised by some sort of rootkit, botnet agent, maleware or some other type of malicious software, they tend to use their own network channels to communicate for command and control. Obviously, some bots are more stealthy than others, but the large bulk of them open up network connections to someplace else to report home and receive commands. If these connections are on ports not normally visited  by a system, they “stick out” in the traffic.”

Check out the full blog posting here at http://blog.tenablesecurity.com/2007/01/using_new_port_.html

Keep Safe
regards
Steo

Q. How do you know when you have written a really good piece of software that protects people from rootkits?

A. When the rootkit writers or users start to target your software.

This is exactly what is currently happening with GMER, a really good antirootkit rootkit scanner. GMER is written by a person who comes from Poland who goes by the name of gmer.

GMER has become a popular antirootkit scanner this year and has become known for finding hard to find rootkits, had a nice interface and was easy to use. GMER also updated the software on a regular basis and when Rustock came on the scene in 2006 GMER adapted to checking ADS streams, a known place that Rustock hid files.

It was surprising though that in December 2006 the homepage for GMER www.gmer.net was unreachable. When a user tried to load the homepage a “page not found” type of error was shown. The hosting service for GMER had to make the site unreachable because of a DDoS ( a Distributed Denial of Service ) attack. A DDoS attack is basically where someone or gang has setup a botnet (computers taken over by hackers for their own use) that continiously tries to load the page at www.gmer.net. This causes a lot of stress on the hosting service and hence the site had to be taken offline. 

All is not lost though. With the help of a lot of people around the internet the name of GMER is getting more popular than ever before and the attacks on the GMER site have highlighted GMER as a threat to rootkit writers and users.

With the GMER site down other sites have provided a mirror of the original GMER site so people can still download and read about GMER.

A list of current sites as of the 7th Jan 2006 @ 23:55 GMT is as follows:

http://archive.mysteryfcm.co.uk/security/antirootkit/gmer/gmer.htm
http://fbeej.dk/gmer/gmer.htm
http://www.alexaur.com/anti-rk/
http://www.pperry.f2s.com/mirror/gmer/gmer.htm
http://martijnc.be/tools/gmer/gmer.htm
http://gmer.spywarefix.org/
http://gmer.it-mate.co.uk/gmer.htm
http://www.majorgeeks.com/GMER_d5198.html

The GMER software can also be downloaded from http://pcalsicuro.phpsoft.it/gmer.zip

Even as I transpose my list it looks as 2 more have been taken down.

People Power will help GMER survive these attacks only strengthen it’s reputation as a very good rootkit scanner.

Keep Safe,
regards,
Steo
www.antirootkit.com

It was in the early hours of this morning that I wrote about McAfee releasing Rootkit Detective and lo and behold I got an email this afternoon informing me about Panda Software Anti-Rootkit codenamed Tucan a new Rootkit scanner from Panda Software.

It has just been released as a Public Beta.

Here is some info from Panda:

Panda AntiRootkit (Codename Tucan) shows hidden system resources, identifying known and unknown rootkits. Tucan analizes the following system components:

- Hidden drivers
- Hidden processes
- Hidden modules
- Hidden files
- Hidden registry entries
- SDT modifications
- EAT hooks
- Modification to the IDT
- Non standard INT2E
- Non standard SYSENTER
- IRP hooks
- And more… 

The download file is a 219Kb rar file, quite small in comparison to McAfee’s Rootkit Detective.

It comes as a single file program and so there is no installation. Just unarchive the file and run it. When I first ran it, it came up with a suspected rootkit. It just gives a name but no details about whether it was a hidden process, hidden file, etc.. so it is hard to make a judgement on whether it is a false positive as so many rootkit scanners seem to come up with.

This product is still in Beta so I am sure the good people over at Panda Software will have it finely tuned before it is fully released. Download it and provide a bit of feedback to Panda about it.

More information can be found about the release from the Panda Software Research Team and there is some very good documentation on Panda Anti-Rootkit is available on the Panda Website.

Watch this space and we’ll see who is next to release a dedicated Rootkit scanner.

Keep Safe,
regards
Steo

www.antirootkit.com