Wednesday, February 25, 2009

Hunting an evil Trojan bot : on viruses and antiviruses

OK, recently I have found that my computer behaves weirdly.
Bad browsing experience, for example, and trying to reach our corporate email with no success. The email is hosted with Google Apps, and google.com resolves to some odd IP address. After some research and guessing I have found that

%SystemRoot%\system32\drivers\etc\hosts
is "slightly" altered.

Long listing here:

#
127.0.0.1 localhost
#
92.62.101.129 google.co.uk
92.62.101.129 google.co.in
92.62.101.129 google.com
92.62.101.129 google.ru
92.62.101.129 google.de
92.62.101.129 google.ca
92.62.101.129 google.fr
92.62.101.129 google.it
92.62.101.129 google.es
92.62.101.129 google.pl
92.62.101.129 google.nl
92.62.101.129 www.google.co.uk
92.62.101.129 www.google.co.in
92.62.101.129 www.google.com
92.62.101.129 www.google.ru
92.62.101.129 www.google.de
92.62.101.129 www.google.ca
92.62.101.129 www.google.fr
92.62.101.129 www.google.it
92.62.101.129 www.google.es
92.62.101.129 www.google.pl
92.62.101.129 www.google.nl
#
# Some shit to block
#
0.0.0.0 virusinfo.info
0.0.0.0 www.virusinfo.info
0.0.0.0 projecthoneypot.org
0.0.0.0 www.projecthoneypot.org
0.0.0.0 novirus.ru
0.0.0.0 www.novirus.ru
0.0.0.0 anti-malware.com
0.0.0.0 www.anti-malware.com
0.0.0.0 offensivecomputing.net
0.0.0.0 www.offensivecomputing.net
0.0.0.0 zeustracker.abuse.ch
0.0.0.0 www.zeustracker.abuse.ch
0.0.0.0 www.malekal.com
0.0.0.0 www3.malekal.com
0.0.0.0 forum.malekal.com
0.0.0.0 www.threatexpert.com
0.0.0.0 threatexpert.com
0.0.0.0 www.microsoft.com
0.0.0.0 update.microsoft.com
0.0.0.0 www.virustotal.com
0.0.0.0 virusscan.jotti.org
0.0.0.0 www.av-comparatives.org
0.0.0.0 av-comparatives.org
0.0.0.0 av-test.org
0.0.0.0 www.av-test.org
0.0.0.0 www.scanwith.com
0.0.0.0 www.virusbtn.com
0.0.0.0 adwarereport.com
0.0.0.0 www.adwarereport.com
0.0.0.0 malwarebytes.org
0.0.0.0 www.malwarebytes.org
0.0.0.0 dw.com.com
0.0.0.0 spywarewarrior.com
0.0.0.0 www.spywarewarrior.com
0.0.0.0 avsoft.ru
0.0.0.0 www.avsoft.ru
0.0.0.0 onecare.live.com
0.0.0.0 anubis.iseclab.org
0.0.0.0 wepawet.iseclab.org
0.0.0.0 iseclab.org
0.0.0.0 www.iseclab.org
0.0.0.0 www.freespaceinternetsecurity.com
0.0.0.0 freespaceinternetsecurity.com
0.0.0.0 sunbelt-software.com
0.0.0.0 www.sunbelt-software.com
0.0.0.0 www.prevx.com
0.0.0.0 prevx.com
0.0.0.0 analysis.seclab.tuwien.ac.at
0.0.0.0 www.joebox.org
0.0.0.0 joebox.org
0.0.0.0 gmer.net
0.0.0.0 www.gmer.net
0.0.0.0 antirootkit.com
0.0.0.0 www.antirootkit.com
0.0.0.0 sectools.org
0.0.0.0 www.sandboxie.com
0.0.0.0 sandboxie.com
0.0.0.0 nepenthes.mwcollect.org
0.0.0.0 mwcollect.org
0.0.0.0 www.amtso.org
0.0.0.0 amtso.org
0.0.0.0 www.nsslabs.com
0.0.0.0 nsslabs.com
0.0.0.0 www.icsalabs.com
0.0.0.0 icsalabs.com
0.0.0.0 www.checkvir.com
0.0.0.0 checkvir.com
0.0.0.0 www.check-mark.com
0.0.0.0 check-mark.com
0.0.0.0 www.protectstar-testlab.org
0.0.0.0 protectstar-testlab.org
0.0.0.0 www.anti-malware-test.com
0.0.0.0 anti-malware-test.com
0.0.0.0 av-test.de
0.0.0.0 www.av-test.de
0.0.0.0 www.wildlist.org
0.0.0.0 wildlist.org
0.0.0.0 www.aavar.org
0.0.0.0 aavar.org
0.0.0.0 centralops.net
0.0.0.0 www.staysafeonline.info
0.0.0.0 staysafeonline.info
0.0.0.0 www.rokop-security.de
0.0.0.0 rokop-security.de
0.0.0.0 www.wilderssecurity.com
0.0.0.0 wilderssecurity.com
0.0.0.0 www.superantispyware.com
0.0.0.0 superantispyware.com
0.0.0.0 update.microsoft.com
#
# Karl Spermsky
#
0.0.0.0 www.kaspersky.com
0.0.0.0 www.kaspersky.ru
0.0.0.0 kaspersky.ru
0.0.0.0 www.avp.ru
0.0.0.0 avp.ru
0.0.0.0 www.viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 www.viruslist.ru
0.0.0.0 www.kaspersky-antivirus.ru
0.0.0.0 kaspersky-antivirus.ru
0.0.0.0 downloads1.kaspersky-labs.com
0.0.0.0 downloads2.kaspersky-labs.com
0.0.0.0 downloads3.kaspersky-labs.com
0.0.0.0 downloads4.kaspersky-labs.com
0.0.0.0 downloads5.kaspersky-labs.com
0.0.0.0 downloads-us1.kaspersky-labs.com
0.0.0.0 downloads-us2.kaspersky-labs.com
0.0.0.0 downloads-us3.kaspersky-labs.com
0.0.0.0 downloads-eu1.kaspersky-labs.com
0.0.0.0 downloads-eu2.kaspersky-labs.com
0.0.0.0 kavdumps.kaspersky.com
0.0.0.0 www.kasperskyclub.com
0.0.0.0 forum.kasperskyclub.com
0.0.0.0 forum.kasperskyclub.ru
0.0.0.0 kasperskyclub.ru
0.0.0.0 kasperskyclub.com
0.0.0.0 ftp.kasperskylab.ru
0.0.0.0 ftp.kaspersky.ru
0.0.0.0 ftp.kaspersky-labs.com
0.0.0.0 data.kaspersky.ru
0.0.0.0 z-oleg.com
0.0.0.0 www.z-oleg.com
#
# danilOFF
#
0.0.0.0 drweb.com
0.0.0.0 www.drweb.com
0.0.0.0 freedrweb.com
0.0.0.0 www.freedrweb.com
0.0.0.0 drweb.com.ua
0.0.0.0 www.drweb.com.ua
0.0.0.0 drweb.ru
0.0.0.0 www.drweb.ru
0.0.0.0 av-desk.com
0.0.0.0 www.av-desk.com
0.0.0.0 drweb.net
0.0.0.0 www.drweb.net
0.0.0.0 ftp.drweb.com
0.0.0.0 dr-web.ru
0.0.0.0 www.dr-web.ru
0.0.0.0 download.drweb.com
0.0.0.0 support.drweb.com
0.0.0.0 updates.sald.com
0.0.0.0 sald.com
0.0.0.0 www.sald.com
0.0.0.0 drweb.imshop.de
#
# Symantec
#
0.0.0.0 safeweb.norton.com
0.0.0.0 www.safeweb.norton.com
0.0.0.0 www.symantec.com
0.0.0.0 shop.symantecstore.com
0.0.0.0 liveupdate.symantec.com
0.0.0.0 liveupdate.symantecliveupdate.com
0.0.0.0 service1.symantec.com
0.0.0.0 www.service1.symantec.com
0.0.0.0 security.symantec.com
0.0.0.0 liveupdate.symantec.d4p.net
0.0.0.0 securityresponse.symantec.com
0.0.0.0 sygate.com
0.0.0.0 www.sygate.com
#
# Eset NOD32
#
0.0.0.0 esetnod32.ru
0.0.0.0 www.esetnod32.ru
0.0.0.0 eset.com
0.0.0.0 www.eset.com
0.0.0.0 eset.com.ua
0.0.0.0 www.eset.com.ua
0.0.0.0 nod32.com.ua
0.0.0.0 www.nod32.com.ua
0.0.0.0 download.eset.com
0.0.0.0 update.eset.com
0.0.0.0 eset.eu
0.0.0.0 www.eset.eu
0.0.0.0 nod32.it
0.0.0.0 www.nod32.it
0.0.0.0 nod32.su
0.0.0.0 www.nod32.su
0.0.0.0 nod-32.ru
0.0.0.0 www.nod-32.ru
0.0.0.0 allnod.com
0.0.0.0 www.allnod.com
0.0.0.0 allnod.info
0.0.0.0 www.allnod.info
0.0.0.0 virusall.ru
0.0.0.0 www.virusall.ru
0.0.0.0 nod32eset.org
0.0.0.0 www.nod32eset.org
0.0.0.0 eset.sk
0.0.0.0 www.eset.sk
0.0.0.0 nod32.nl
0.0.0.0 www.nod32.nl
#
# antivir
#
0.0.0.0 dl1.antivir.de
0.0.0.0 dl2.antivir.de
0.0.0.0 dl3.antivir.de
0.0.0.0 dl4.antivir.de
0.0.0.0 free-av.com
0.0.0.0 www.free-av.com
0.0.0.0 free-av.de
0.0.0.0 www.free-av.de
0.0.0.0 avira.com
0.0.0.0 www.avira.com
0.0.0.0 avira.de
0.0.0.0 www.avira.de
0.0.0.0 www1.avira.com
0.0.0.0 dlpro.antivir.com
0.0.0.0 forum.avira.com
0.0.0.0 www.forum.avira.com
0.0.0.0 avirus.ru
0.0.0.0 www.avirus.ru
0.0.0.0 avira-antivir.ru
0.0.0.0 www.avira-antivir.ru
0.0.0.0 avirus.com.ua
0.0.0.0 www.avirus.com.ua
#
# mcafee
#
0.0.0.0 mcafee.com
0.0.0.0 www.mcafee.com
0.0.0.0 home.mcafee.com
0.0.0.0 us.mcafee.com
0.0.0.0 ru.mcafee.com
0.0.0.0 de.mcafee.com
0.0.0.0 ca.mcafee.com
0.0.0.0 fr.mcafee.com
0.0.0.0 es.mcafee.com
0.0.0.0 it.mcafee.com
0.0.0.0 uk.mcafee.com
0.0.0.0 mx.mcafee.com
0.0.0.0 ru.mcafee.com
0.0.0.0 mcafee-online.com
0.0.0.0 www.mcafee-online.com
0.0.0.0 mcafeesecurity.com
0.0.0.0 www.mcafeesecurity.com
0.0.0.0 mcafeesecure.com
0.0.0.0 www.mcafeesecure.com
0.0.0.0 avertlabs.com
0.0.0.0 www.avertlabs.com
0.0.0.0 download.nai.com
0.0.0.0 nai.com
0.0.0.0 www.nai.com
0.0.0.0 secure.nai.com
0.0.0.0 eu.shopmcafee.com
0.0.0.0 shop.mcafee.com
0.0.0.0 siblog.mcafee.com
0.0.0.0 mcafeestore.com
0.0.0.0 www.mcafeestore.com
0.0.0.0 service.mcafee.com
0.0.0.0 siteadvisor.com
0.0.0.0 www.siteadvisor.com
0.0.0.0 scanalert.com
0.0.0.0 www.drsolomon.com
0.0.0.0 mcafee-at-home.com
0.0.0.0 wwww.mcafee-at-home.com
0.0.0.0 networkassociates.com
0.0.0.0 www.networkassociates.com
#
# Avast
#
0.0.0.0 avast.ru
0.0.0.0 www.avast.ru
0.0.0.0 avast.com
0.0.0.0 www.avast.com
0.0.0.0 onlinescan.avast.com
0.0.0.0 download1.avast.com
0.0.0.0 download2.avast.com
0.0.0.0 download3.avast.com
0.0.0.0 download4.avast.com
0.0.0.0 download5.avast.com
0.0.0.0 download6.avast.com
0.0.0.0 download7.avast.com
#
# AVG
#
0.0.0.0 free.avg.com
0.0.0.0 avg.com
0.0.0.0 www.avg.com
0.0.0.0 sshop.avg.com
0.0.0.0 www.grisoft.cz
0.0.0.0 www.grisoft.com
0.0.0.0 free.grisoft.com
#
# Bitdefender
#
0.0.0.0 bitdefender.com
0.0.0.0 www.bitdefender.com
0.0.0.0 bitdefender.de
0.0.0.0 www.bitdefender.de
0.0.0.0 bitdefender.com.ua
0.0.0.0 www.bitdefender.com.ua
0.0.0.0 bitdefender.ru
0.0.0.0 www.bitdefender.ru
0.0.0.0 myaccount.bitdefender.com
0.0.0.0 download.bitdefender.com
0.0.0.0 ftp.bitdefender.com
0.0.0.0 forum.bitdefender.com
0.0.0.0 upgrade.bitdefender.com
#
# Agnitum
#
0.0.0.0 agnitum.ru
0.0.0.0 www.agnitum.ru
0.0.0.0 agnitum.com
0.0.0.0 www.agnitum.com
0.0.0.0 agnitum.de
0.0.0.0 www.agnitum.de
0.0.0.0 outpostfirewall.com
0.0.0.0 www.outpostfirewall.com
0.0.0.0 dl1.agnitum.com
0.0.0.0 dl2.agnitum.com
#
# Comodo
#
0.0.0.0 antivirus.comodo.com
0.0.0.0 comodo.com
0.0.0.0 www.comodo.com
0.0.0.0 forums.comodo.com
0.0.0.0 comodogroup.com
0.0.0.0 www.comodogroup.com
0.0.0.0 personalfirewall.comodo.com
0.0.0.0 www.personalfirewall.comodo.com
0.0.0.0 hackerguardian.com
0.0.0.0 www.hackerguardian.com
0.0.0.0 www.nsclean.com
0.0.0.0 nsclean.com
#
# ClamAv
#
0.0.0.0 clamav.net
0.0.0.0 www.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 clamsupport.sourcefire.com
0.0.0.0 lurker.clamav.net
0.0.0.0 wiki.clamav.net
0.0.0.0 w32.clamav.net
0.0.0.0 lists.clamav.net
0.0.0.0 clamwin.com
0.0.0.0 www.clamwin.com
0.0.0.0 ru.clamwin.com
0.0.0.0 gietl.com
0.0.0.0 www.gietl.com
0.0.0.0 clamav.dyndns.org
#
# F-Secure
#
0.0.0.0 f-secure.com
0.0.0.0 www.f-secure.com
0.0.0.0 support.f-secure.com
0.0.0.0 f-secure.ru
0.0.0.0 www.f-secure.ru
0.0.0.0 ftp.f-secure.com
0.0.0.0 europe.f-secure.com
0.0.0.0 www.europe.f-secure.com
0.0.0.0 f-secure.de
0.0.0.0 www.f-secure.de
0.0.0.0 support.f-secure.de
0.0.0.0 ftp.f-secure.de
0.0.0.0 f-secure.co.uk
0.0.0.0 www.f-secure.co.uk
0.0.0.0 retail.sp.f-secure.com
0.0.0.0 retail01.sp.f-secure.com
0.0.0.0 retail02.sp.f-secure.com
0.0.0.0 ftp.europe.f-secure.com
#
# Norman
#
0.0.0.0 norman.com
0.0.0.0 www.norman.com
0.0.0.0 download.norman.no
0.0.0.0 sandbox.norman.no
0.0.0.0 norman.no
0.0.0.0 www.norman.no
0.0.0.0 niuone.norman.no
#
# Panda
#
0.0.0.0 pandasecurity.com
0.0.0.0 www.pandasecurity.com
0.0.0.0 viruslab.ru
0.0.0.0 www.viruslab.ru
0.0.0.0 pandasoftware.com
0.0.0.0 www.pandasoftware.com
0.0.0.0 acs.pandasoftware.com
0.0.0.0 www.pandasoftware.es
#
# VBA32
#
0.0.0.0 anti-virus.by
0.0.0.0 www.anti-virus.by
0.0.0.0 virusblokada.ru
0.0.0.0 www.virusblokada.ru
0.0.0.0 vba32.de
0.0.0.0 www.vba32.de
#
# Other shit
#
0.0.0.0 ftp.nai.com
0.0.0.0 secuser.com
0.0.0.0 www.secuser.com
0.0.0.0 tds.diamondcs.com.au
0.0.0.0 windowsupdate.microsoft.com
0.0.0.0 lavasoftusa.com
0.0.0.0 www.lavasoftusa.com
0.0.0.0 lavasoftusa.de
0.0.0.0 www.lavasoftusa.de
0.0.0.0 diamondcs.com.au
0.0.0.0 shop.ca.com
0.0.0.0 downloads.my-etrust.com
0.0.0.0 v4.windowsupdate.microsoft.com
0.0.0.0 v5.windowsupdate.microsoft.com
0.0.0.0 noadware.net
0.0.0.0 www.noadware.net
0.0.0.0 zonelabs.com
0.0.0.0 www.zonelabs.com
0.0.0.0 moosoft.com
0.0.0.0 www.moosoft.com
0.0.0.0 secuser.model-fx.com
0.0.0.0 pccreg.antivirus.com
0.0.0.0 k-otik.com
0.0.0.0 vupen.com
0.0.0.0 www.vupen.com
0.0.0.0 housecall.trendmicro.com
0.0.0.0 trendmicro.com
0.0.0.0 www.trendmicro.com
0.0.0.0 us.trendmicro.com
0.0.0.0 uk.trendmicro.com
0.0.0.0 de.trendmicro.com
0.0.0.0 fr.trendmicro.com
0.0.0.0 es.trendmicro.com
0.0.0.0 it.trendmicro.com
0.0.0.0 br.trendmicro.com
0.0.0.0 antivirus.cai.com
0.0.0.0 sophos.com
0.0.0.0 www.sophos.com
0.0.0.0 securitoo.com
0.0.0.0 nordnet.com
0.0.0.0 www.nordnet.com
0.0.0.0 avgfrance.com
0.0.0.0 www.avgfrance.com
0.0.0.0 antivirus-online.de
0.0.0.0 www.antivirus-online.de
0.0.0.0 ftp.esafe.com
0.0.0.0 ftp.microworldsystems.com
0.0.0.0 ftp.ca.co
0.0.0.0 files.trendmicro-europe.com
0.0.0.0 inline-software.de
0.0.0.0 ravantivirus.com
0.0.0.0 www.ravantivirus.com
0.0.0.0 f-prot.com
0.0.0.0 www.f-prot.com
0.0.0.0 files.f-prot.com
0.0.0.0 secure.f-prot.com
0.0.0.0 vsantivirus.com
0.0.0.0 www.vsantivirus.com
0.0.0.0 openantivirus.org
0.0.0.0 www.openantivirus.org
0.0.0.0 www3.ca.com
0.0.0.0 dialognauka.ru
0.0.0.0 www.dialognauka.ru
0.0.0.0 anti-virus-software-review.com
0.0.0.0 www.anti-virus-software-review.com
0.0.0.0 www.vet.com.au
0.0.0.0 antiviraldp.com
0.0.0.0 www.antiviraldp.com
0.0.0.0 www.proantivirus.com
0.0.0.0 pestpatrol.com
0.0.0.0 www.pestpatrol.com
0.0.0.0 simplysup.com
0.0.0.0 www.simplysup.com
0.0.0.0 misec.net
0.0.0.0 www.misec.net
0.0.0.0 www1.my-etrust.com
0.0.0.0 authentium.com
0.0.0.0 www.authentium.com
0.0.0.0 finjan.com
0.0.0.0 www.finjan.com
0.0.0.0 www.ikarus-software.at
0.0.0.0 www.ika-rus.com
0.0.0.0 ika-rus.com
0.0.0.0 tinysoftware.com
0.0.0.0 www.tinysoftware.com
0.0.0.0 visualizesoftware.com
0.0.0.0 www.visualizesoftware.com
0.0.0.0 kerio.com
0.0.0.0 www.kerio.com
0.0.0.0 www.kerio.eu
0.0.0.0 www.zonelabs.com
0.0.0.0 zonelog.co.uk
0.0.0.0 www.zonelog.co.uk
0.0.0.0 webroot.com
0.0.0.0 www.webroot.com
0.0.0.0 www.lavasoft.nu
0.0.0.0 spywareguide.com
0.0.0.0 www.spywareguide.com
0.0.0.0 spyblocker-software.com
0.0.0.0 www.spyblocker-software.com
#
# even more shit
#
0.0.0.0 www.spamhaus.org
0.0.0.0 spamcop.net
0.0.0.0 www.spamcop.net
0.0.0.0 bobbear.co.uk
0.0.0.0 www.bobbear.co.uk
0.0.0.0 domaintools.com
0.0.0.0 www.domaintools.com
0.0.0.0 centralops.net
0.0.0.0 www.centralops.net
0.0.0.0 www.robtex.com
0.0.0.0 dnsstuff.com
0.0.0.0 www.dnsstuff.com
0.0.0.0 ripe.net
0.0.0.0 www.ripe.net
0.0.0.0 www.met.police.uk
0.0.0.0 nbi.gov.ph
0.0.0.0 www.nbi.gov.ph
0.0.0.0 www.police.gov.hk
0.0.0.0 treasury.gov
0.0.0.0 www.treasury.gov
0.0.0.0 cybercrime.gov
0.0.0.0 www.cybercrime.gov
0.0.0.0 www.cybercrime.ch
0.0.0.0 enisa.europa.eu
0.0.0.0 www.enisa.europa.eu
0.0.0.0 www.interpol.int
0.0.0.0 www.fsa.gov.uk
0.0.0.0 www.companies-house.gov.uk
0.0.0.0 fraudaid.com
0.0.0.0 www.fraudaid.com
0.0.0.0 scambusters.org
0.0.0.0 www.scambusters.org
0.0.0.0 spamtrackers.eu
0.0.0.0 www.spamtrackers.eu
#
# Have a nice day, motherfuckers!
#
0.0.0.0 unpck.com
0.0.0.0 www.unpck.com
0.0.0.0 sextv1.tv
0.0.0.0 www.sextv1.tv
0.0.0.0 proxyrent.net
0.0.0.0 www.proxyrent.net
#
Hm, it seems that the botnet has me.
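The listing above combines two tricks: the google.* family is pinned to one foreign address (traffic hijack), and antivirus vendor, update and security research hostnames are mapped to 0.0.0.0 so the machine can never reach them (sinkholing, which also kills update.microsoft.com). As an added example that is not part of the original post, here is a small Python auditor that separates the two cases in a hosts file and reports how many names each redirect target captures. The sample text is a constructed excerpt modelled on the listing; the function names are my own.

```python
import ipaddress
from collections import Counter

# Constructed excerpt of a tampered hosts file, modelled on a few lines of the
# listing in the post (not the whole file).
SAMPLE_HOSTS = """\
#
127.0.0.1 localhost
#
92.62.101.129 google.com
92.62.101.129 www.google.com
92.62.101.129 www.google.co.uk
#
# block list
#
0.0.0.0 www.virustotal.com
0.0.0.0 update.microsoft.com
0.0.0.0 www.kaspersky.com
0.0.0.0 liveupdate.symantec.com
"""

# Names that legitimately live on the loopback address.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Blank lines and '#' comments (whole-line or inline) are skipped, one line may
    map several hostnames to one address, and malformed addresses are ignored
    rather than aborting the audit."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def audit_hosts(text):
    """Classify every mapping in the file.

    redirect: a hostname pinned to a real address (the hijack case; a corporate
              hosts file may pin intranet names, but many public names pointing
              at one foreign address is the signal to look for)
    sinkhole: a hostname mapped to 0.0.0.0 or loopback so its real server is
              unreachable (the AV/update blocking case)
    The redirect targets are counted so that one address capturing many
    domains stands out."""
    redirects, sinkholes = [], []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback and name in LOCALHOST_NAMES:
            continue  # the normal localhost entry
        if addr.is_unspecified or addr.is_loopback:
            sinkholes.append(name)
        else:
            redirects.append((name, ip))
    return {
        "redirects": redirects,
        "sinkholes": sinkholes,
        "redirect_targets": Counter(ip for _, ip in redirects),
    }


def describe(report):
    """Human-readable summary lines for a report from audit_hosts()."""
    lines = [f"{n} hostname(s) redirected to {ip}"
             for ip, n in report["redirect_targets"].most_common()]
    if report["sinkholes"]:
        lines.append(f"{len(report['sinkholes'])} hostname(s) sinkholed to 0.0.0.0/loopback")
    return lines


if __name__ == "__main__":
    for line in describe(audit_hosts(SAMPLE_HOSTS)):
        print(line)
```

Run against the real file (read %SystemRoot%\system32\drivers\etc\hosts into `audit_hosts`), a clean Windows hosts file produces an empty report; anything else is worth a look, and a long sinkhole list of vendor names is a stronger hint than any single redirect.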

The simplest thing that came to mind is to download an antivirus and run it.
Here comes the bride: the Dr.Web free scanning tool.
It finds nothing important though.
OK, hands on.
First I downloaded GMER, and it shows a number of hooked APIs in different user-mode apps.
Trying to hunt the hooker with the debugger gives me nothing, but hey, we have more tools.
I downloaded Sysinternals' RootkitRevealer, which was able to locate
hidden files.

The most interesting was %SystemRoot%\system32\twex.exe.

Registry Editor located the start of this malware under the Userinit value.
If you try to remove the value, it gets restored immediately.
So we need to remove the file. As it is hidden from the API, we cannot kill it.
Yet again Sysinternals saves our day:
using the MoveFile utility we can schedule a rename of the file during boot, so it is gone before the malware gets a chance to start.
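The Userinit value (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) is a comma-separated list of programs Winlogon starts at logon; normally it holds only userinit.exe, and appending a second path is a classic way to persist. As an added example that is not part of the original post, here is a Python check that parses such a value and flags any entry that is not the expected userinit.exe, or a userinit.exe living outside System32. The sample values are constructed; twex.exe is the filename from the post, but the exact form the malware gave the value is my assumption. A live check would read the value from the registry and feed it to `audit_userinit`.

```python
import ntpath

# Well-known location of the value (for a live check on Windows):
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value "Userinit"
# The only program expected there.
EXPECTED_USERINIT = {"userinit.exe"}

# Constructed sample values. The tampered one appends the file named in the post
# after the legitimate entry; the exact layout is an assumption, not taken from
# the infected machine.
SAMPLE_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
SAMPLE_TAMPERED = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"


def parse_userinit(value):
    """Split the Userinit value into the program paths Winlogon will run in turn.

    The trailing comma of the default value yields an empty element, which is
    dropped; surrounding quotes and whitespace are stripped."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def audit_userinit(value, expected=EXPECTED_USERINIT):
    """Return the entries that do not belong in Userinit.

    Comparison is on the lowercase basename, so case or path variations cannot
    hide an extra program, and a userinit.exe located anywhere other than a
    System32 directory is flagged as a look-alike."""
    suspicious = []
    for entry in parse_userinit(value):
        base = ntpath.basename(entry).lower()
        directory = ntpath.dirname(entry).lower()
        if base not in expected:
            suspicious.append(entry)
        elif directory and not directory.endswith("\\system32"):
            suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    for label, value in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(label, "->", audit_userinit(value) or "nothing unexpected")
```

This only tells you what is configured to start; as the post shows, deleting the value while the malware runs is pointless because it is rewritten at once. Sysinternals MoveFile schedules the rename through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which the Session Manager processes early in boot, before Winlogon ever reads Userinit, so the file is already gone when the entry would have run it.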

That is all.

Also I found this tool to be quite handy: HookShark, a userland rootkit revealer.


2 comments:

  1. thank you for info, yesterday I've found the same sh#t on my friend's PC. I've tried drweb live cd, bitdefender live cd, kaspersky live cd - no luck. Only in safe mode I get the alarm on twex.exe from AVZ scanner. But it was very late and I decided to fall asleep instead of further malware fighting :) Today I do continue my investigations :)

  2. wish you luck.
    my try to remove it under safe mode was not successful. it was up and running, so i used move files utility.
