Bad browsing experience, for example: trying to reach our corporate email with no success. The email is hosted with Google Apps. google.com is resolved to some IP address. After some research and guesses I have found that
%SystemRoot%\system32\drivers\etc\hosts
is "slightly" altered.
Long listing here:
Hm, it seems that the botnet has me.
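An added hosts-file audit, written for this post rather than taken from it, that flags the two patterns in the altered file above: well-known names (google.*) all pointed at one real address, and anti-virus and update sites sunk to 0.0.0.0. The sample text is constructed from a few lines of the listing; the function names are mine.

```python
import ipaddress

# Constructed sample: a few lines in the style of the altered hosts file from the post.
SAMPLE_HOSTS = """\
#
127.0.0.1 localhost
#
92.62.101.129 google.com
92.62.101.129 www.google.com
92.62.101.129 google.co.uk   # browser still believes it reached Google
# Some shit to block
0.0.0.0 www.virustotal.com
0.0.0.0 update.microsoft.com
0.0.0.0 www.kaspersky.com
"""
# Names that legitimately map to loopback on a stock hosts file.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an address: ignore the line rather than crash
        entries.extend((ip, name.lower()) for name in names)
    return entries

def audit_hosts(text, redirect_threshold=3):
    """Flag non-local names sunk to 0.0.0.0/loopback (the AV and update sites) and
    names pointed at a real address; several names on one address is the hijack pattern."""
    sinkholed, redirected, by_ip = [], [], {}
    for ip, name in parse_hosts(text):
        if name in LEGIT_LOCAL:
            continue
        if ip.is_unspecified or ip.is_loopback:
            sinkholed.append(name)
        else:
            redirected.append((str(ip), name))
            by_ip.setdefault(str(ip), set()).add(name)
    return {
        "sinkholed": sinkholed,
        "redirected": redirected,
        "mass_redirects": {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= redirect_threshold},
    }
```

On a live machine, pass the contents of %SystemRoot%\system32\drivers\etc\hosts to audit_hosts and treat any non-empty sinkholed or mass_redirects result as a finding to investigate.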
The simplest thing that came to mind is to download an antivirus and run it.
Here comes the bride: the Dr.Web free scanning tool.
It finds nothing important though.
OK, hands on.
First I downloaded GMER, and it shows a number of hooked APIs in different user-mode apps.
Trying to hunt the hooker with the debugger gives me nothing, but hey, we have more tools. I downloaded Sysinternals' RootkitRevealer, which was able to locate hidden files.
The most interesting was %SystemRoot%\system32\twex.exe.
Registry Editor located the start of this malware under Userinit.
If you try to remove the value, it gets restored immediately.
So we need to remove the file. As it is hidden from the API, we cannot kill it.
Yet again Sysinternals saves our day.
Using the MoveFile utility we can schedule the rename of the file during boot.
That is all.
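An added check, written here as an illustration rather than taken from the post, that parses the Winlogon Userinit value for entries other than the stock userinit.exe (twex.exe in this case) and decodes PendingFileRenameOperations, the registry value where a rename scheduled for the next boot is recorded, so the scheduled removal can be confirmed before rebooting. read_live() assumes the standard key paths and runs only on Windows; the other functions work on any platform.

```python
# Stock value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
# (assumption: a default install; the trailing comma in the real value is normal).
EXPECTED_USERINIT = r"%SystemRoot%\system32\userinit.exe"

def normalize(path, system_root=r"C:\Windows"):
    """Strip quotes, fold case and expand %SystemRoot% so equal paths compare equal."""
    return path.strip().strip('"').lower().replace("%systemroot%", system_root.lower())

def extra_userinit_entries(value, system_root=r"C:\Windows"):
    """Return every Userinit entry that is not the stock userinit.exe."""
    expected = normalize(EXPECTED_USERINIT, system_root)
    entries = [e for e in value.split(",") if e.strip()]
    return [e.strip() for e in entries if normalize(e, system_root) != expected]

def parse_pending_renames(multi_sz):
    """Decode PendingFileRenameOperations (REG_MULTI_SZ of source/destination pairs).
    An empty destination means delete; a leading '!' means replace an existing file."""
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        action = "delete" if dst == "" else "rename"
        ops.append((src, action, dst.lstrip("!")))
    return ops

def read_live():
    """Windows only: read both values from the registry (assumes standard key paths)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        userinit, _ = winreg.QueryValueEx(k, "Userinit")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Session Manager") as k:
        try:
            pending, _ = winreg.QueryValueEx(k, "PendingFileRenameOperations")
        except FileNotFoundError:
            pending = []  # nothing scheduled for the next boot
    return extra_userinit_entries(userinit), parse_pending_renames(pending)

if __name__ == "__main__":
    # Constructed value in the shape the post describes: twex.exe appended to Userinit.
    print(extra_userinit_entries(r"C:\Windows\system32\userinit.exe,C:\Windows\system32\twex.exe,"))
```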
Also I found this tool to be quite handy: HookShark, a userland rootkit revealer.