Home page logo
/

basics logo Security Basics mailing list archives

Re: computer with rootkit?
From: Matias Katz <matias () matiaskatz com>
Date: Wed, 28 Sep 2011 18:22:48 -0300

Rootkits are excellent hiders. You cannot trust your supposedly infected PC in any way. Not the task manager, not the boot loader, not the OS, not the drivers, not anything. Moreso, you cannot trust a VM started inside your PC to run wireshark or anything.

And network disconnection is highly recommended.

Your options are:

1) Connect the infected PC to a new PC with 2 nics (as stated below), sniff traffic for **at least** 24 hours (rootkits can sit and wait if they feel 2) Connect a hub (also, as stated below) and sniff the traffic from any PC on the LAN. they may be being sniffed). After sniffing, format the bridge PC (I wouldn't trust it after having the infected PC connected to the Internet through it) 3) Slam a WNIC to the infected PC, try to make it browse wirelessly and sniff the traffic with any PC on the WLAN

Also, to check locally:

1) Run a LiveCD diagnostic tool (there are a few out there)
2) Run a LiveCD linux/windows/whatever and dig manually for debris (filesystem, registry, INI and INF files, services, DLLs, etc)

And I'm sorry to say, that even after all that, I still wouldn't trust that PC.

Hope to have helped, please ping me if you have any question or comments :)

Matias Katz

Mail: matias () matiaskatz com
GPG:  0x8C7C3B7E
TW:   @matiaskatz
Blog: www.matiaskatz.com

Buenos Aires, Argentina


On 09/28/2011 04:55 PM, admin lewis wrote:
> nice.. but generally u need of a new pc with 2 nics..
> One of the big problem of the sniffer is exactly this.. u need a new machine..
> many years ago it was easy with an ethernet hub..
> now hubs are out of the market.. so it's more difficult to run a sniffer..
>
> 2011/9/28 Quigley, Joe <Joe.Quigley () informausa com>:
>> You could use wireshark, or something similar, to see whats going in and out of the machine. I highly recommend you don’t leave the machine on the production network as it may be actively scanning it other machine to infect.
>>
>> Good luck,
>> jq
>>
>> -----Original Message-----
>> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Francois Yang
>> Sent: Wednesday, September 28, 2011 12:58 PM
>> To: security basics
>> Subject: computer with rootkit?
>>
>> I have a computer with Winxp.
>> I believe it has a rootkit on it and I'm trying to figure out if
>> there's a way to find out what it is instead of just wiping the box
>> clean.
>> I want to find out what it is and maybe it will give me an idea of how
>> the computer got infected in the first place so I can prevent others
>> from getting infected with the same malware.
>>
>> the rootkit or malware deletes any AV you throw at it.
>> I tried Symantec, Kaspersky and even Malwarebyte.  Once installed they
>> automatically get deleted.
>> when I try to launch tools from the sysinternals suite they close
>> right after they open or won't open at all.
>> I tried to launch, process explorer, process monitor, autorun and none
>> of them worked at first.
>> I ran msconfig and disabled all startup items and disabled all
>> services from launching.
>> when I rebooted, I got the same issue with launching any of the tools.
>> however, when I used the Desktops utility from Sysinsternals, and
>> launched the tools from another window, some of them worked.
>> Process explorer and Process monitor worked, but since most of the
>> services and startup were disabled, they didn't see much.
>> autorun would not load at all.
>>
>> I also ran Gmer and it would run for awhile until it hit something
>> then it would die.
>> Gmer did find a suspicious process that pointed to the c:\windows\ directory.
>> the process is 784049767:255598753.exe
>> If I move the file from the c:\windows directory to the desktop and
>> kill the process, it restarts pointing to the file on the desktop.
>> If I delete the file, it creates a new one with the same name in the
>> c:\windows directory.
>> the process is also tied to the lybraries, ntdl.dll and kernel32.dll.
>>
>> This is probably out of my league, but I'm still interested to figure
>> out what it is and what it's trying to do.
>>
>> anyone have any suggestions on what else I can do?
>>
>> thanks.
>>
>> Frank
>>
>> ------------------------------------------------------------------------
>> Securing Apache Web Server with thawte Digital Certificate
>> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
>>
>> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
>> ------------------------------------------------------------------------
>>
>>
>
>
>


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]