Annoying trojan warning



Hey guys.

 

Just had a bit of an adventure trying to swat a trojan from my system. There were multiple driver install audio warnings on my system with delays these past couple of days, but I never figured out what it was (no visible notification window).

 

My anti-virus and anti-spyware programs could detect the registry keys of the trojan but were unable to get to the source of the infection, so it just kept coming back, causing more frustration. I decided to hunt and kill the thing with my bare hands (so to speak). Here are my findings:

 

It's a Fake alert trojan variant (there are hundreds), but I could not tell which one it was precisely. Neither would my security software tell me. I opened up the task manager and took a look at the running processes. I have very few running so, immediately, one of them caught my eye: BPK.exe (32bit)

 

Ran MSCONFIG from the search bar, and there it was, buried like a tick:

(screenshot of the MSCONFIG startup entry, highlighted in blue, not reproduced here)

 

First thing I did was to search for "BPK" in Windows Explorer, and there was one file plus several temporary directories associated with this name. Tried to delete them, no success as they were protected. So I went back to the process manager window to kill the BPK process tree. It came back up after a few seconds; not only that, even after de-selecting the boot-up command in MSCONFIG (shown above) it would be back after the next restart. I thought "mhhh, this is it".

 

I remember the virus library mentioned it was often associated with browsers and Windows desktop managers, so I removed all respective trees from the process window. Then I came back to BPK while the explorer window was just beside the process window (quick reflexes before it comes back!!!), so I killed the BPK process tree and then rushed to delete the file. Success!

 

Immediately I ran my anti-spyware to locate the registry key it left behind again, and erased it. It's been an hour and no reinstalls (usually it took only 15 minutes to reinstall).

 

So there you have it. If you have a trojan of this kind, this is how to kill this pest.


Edited by Pilotasso


My PC specs below:

Case: Corsair 400C

PSU: SEASONIC SS-760XP2 760W Platinum

CPU: AMD RYZEN 3900X (12C/24T)

RAM: 32 GB 4266Mhz (two 2x8 kits) of trident Z RGB @3600Mhz CL 14 CR=1T

MOBO: ASUS CROSSHAIR HERO VI AM4

GFX: GTX 1080Ti MSI Gaming X

Cooler: NXZT Kraken X62 280mm AIO

Storage: Samsung 960 EVO 1TB M.2+6GB WD 6Gb red

HOTAS: Thrustmaster Warthog + CH pro pedals

Monitor: Gigabyte AORUS AD27QD Freesync HDR400 1440P

 


Good find, but I would not rest there. It's quite likely you've disabled only 15-20% of the infection. What you have there appears to be a keylogger, but the driver tampering may well have been embedded in (the item in HKLM\...\CurrentVersion\Run disabled through msconfig wasn't amongst any driver files itself), and generally these items don't work alone.

 

http://www.microsoft.com/security/sir/story/default.aspx#section_3_1

 

These botnet 'families' often deliver a multitude of threats at once, and some are more discreet than others and can continue to operate in isolation. You may not be recording and sending keypresses to a botnet anymore, but you may still be doing other work for them.

 

Until a recent encounter with a particularly sneaky one (it thwarted attempts from a good quantity of anti-malware products to find or eradicate it, similar to your own experience), I wouldn't have given a second glance at the product that did cure it; now I would use it in the first instance if I saw anything similar, and I recommend you do the following:

 

1. Turn off the System Restore service (this feature allows Windows' built-in file protection method to keep restoring malware that has taken advantage of it; you need to keep it off until the system is certain to be clean again). In Vista, right-click My Computer -> Advanced System Settings -> System Protection -> uncheck disks.

 

2. Download (possibly to another machine then copy across with usb key / cd) the latest Dr.Web CureIt! file from http://www.freedrweb.com/download+cureit/

 

3. Boot up your machine into Safe Mode (which isn't safe, but does reduce the number of necessary running processes on startup which helps).

 

4. Run (no need to install) the CureIt! file and use its Enhanced Protection Mode (acts like a 'secure shell', like Windows admin prompt screens, and disables interaction from many sources).

 

5. Once it completes, you can delete the file from your computer again (anytime you need it, grab the newest version anyway, don't rely on an old copy), and re-enable System Restore.

 

If you were hit by any of the Alureon / Koobface / etc. variants that have been resurfacing with new and potent deliveries over the past couple of months (even though the botnet families themselves are years old), you're going to want to do a more thorough search for rootkits, tampered MBRs, tampered system drivers, etc.

 

These have been successful in getting past some 'up to date' patched systems running anti-malware products on them, and do a nasty amount of data/identity theft.

 

For example, I've watched one trying to reach what looks like a 'legit' website with a 'bad' URL that generates 404 responses, so what looks like a harmless virus is in fact sending via cookie and URL querystrings a constant dribble-feed of personal data from your system to their own. Without any 'browser' software/processes running, without any random executables running, as it had just piggybacked onto the Windows graphics engine via gdiplus.dll and was able to be triggered by anything that any app was doing to redraw a window frame (it may have clinched onto the Close button, or the alt-space application menu, or anything, allowing it to remain well hidden and frequently accessed/launched by oblivious user actions through non-infected apps).

 

If you did somehow only manage to contract a single infection, you may have gotten lucky by it just being a standalone keylogger used by some of the MMO game account stealing attacks (whether or not you even play them), but I wouldn't take the risk, and I also wouldn't count on what even 1, or 2, or 3 different anti-malware products reported; I've seen more than this fail to detect/cure a modern threat variant until a month+ after it has been in the wild.


Edited by topdog

[ i7 2600k 4.6GHz :: 16GB Mushkin Blackline LV :: EVGA GTX 1080ti 11GB ]

[ TM Warthog / Saitek Rudder :: Oculus Rift :: Obutto cockpit :: Acer HN274H 27" 120Hz :: 3D Vision Ready ]


Forgot to mention I did disable system restore before trying to clean it. A friend of mine told me these things have more difficulty to spread without it.


They have more difficulty in getting 're-installed with zero effort / code of their own' when SRS is off, is all.

 

It's just one of those features that Microsoft put in with good intentions (if by good, we mean, reducing bad PR and burdens on their Support department, by making the OS more self-healing), that is all too easily exploited because it is too transparent and unconfigurable to us users/administrators as to exactly what it is doing and when.

 

Just like hooking into and leeching off other Windows elements, like the graphics subsystem, is a 'good' method at letting legitimate and clean code end up serving an illegitimate purpose.

 

So again though, disabling SRS is just a part of the process, and I would not rest there. You've gotten a golden warning about being compromised by probably only the 'weakest link' in a virus package, and it should serve only one purpose: to cause you to seek out and purge the rest.

 

Hopefully it will be for nothing and you will have been lucky to only get the lone keylogger, but we already know you're not that lucky to just chance it being so without the extra diligence, since your system has already been proven to be successfully compromised recently.

 

The family I had to get rid of recently included ALL of the following in ONE payload:

 

- Modified MBR backdoor

- Graphics subsystem hacked

- SRS manipulated

- Data-stealing background web agent

- Keylogger

- Ransomware 'cure' offerings posing as Microsoft partner products

- Several random-name random-key backdoor Service installations (note: they don't show up in Device Manager or the Services applet, only in the registry)

- Firewall disabling

- Auto-updates disabling / DNS hijack (instead, converts things like Windows Updates into another re-installing backdoor)

- Background banner-ad clicker botnet slave (note: again no browser apps/processes running, this is how some of the criminals are funding their illegal activities, by siphoning money from clean businesses just trying to advertise their products online)

 

The only clue this was happening could be seen by an occasional/rare flicker of the screen (like a change of resolution just happened) or by mercilessly monitoring and confirming all IP traffic (actually checking each packet stream to see where it was going and what it was carrying, not relying on strict firewall rules).

 

Some of these I cleaned by hand, some I could not, but this was all from just one source (aka Win32/Alureon or backdoor.tdss), and it was able to run in the background still after the hand-cleaning, whilst there were 2 anti-malware product agents that were 'protecting' my system and a 3rd was running on-demand to scan and find the threats. All 3 were failures (but not all would normally be expected to be).

 

The entire machine was quarantined during this time so I had no concern about it actually doing any harm with the above (after I watched the network traffic in Wireshark, I had already advised my router to dump all network traffic from that machine to a bogus internal IP, so I could continue to monitor it and the success of the apps trying to deal with it), otherwise it would have been tempting to just say purge and burn the disk, and do a reinstall of the OS.

 

I hadn't had to deal with a good infection for some time though, so I wanted to persist just to bring me back up to date on current affairs of malware.

 

If you're content with your level of diligence, fine, I won't press it any further (or beat a dead horse) from here on. I've made my point, and based on what you've posted, I would in no way make any assumption that the system is clean - I could only conclude that one unsubtle threat was cleaned.

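As a defender's check for the two persistence spots this thread mentions (the HKLM\...\CurrentVersion\Run item in the first post, and the backdoor services above that show up only in the registry), here is an added PowerShell snippet that is not from the thread or from any product named in it. It lists Run/RunOnce entries, flags ones launched from temp directories, and lists service keys present in the registry that Get-Service does not report; it assumes an elevated PowerShell prompt on Windows.

```powershell
# Added example (not from the thread): enumerate autostart Run entries and
# compare services recorded in the registry with what Get-Service reports.
# Assumes an elevated PowerShell prompt; nothing is modified, only read.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories legitimate autostart entries rarely launch from; anything here merits a look.
$suspectDirs = @("$env:TEMP", "$env:LOCALAPPDATA\Temp", "$env:WINDIR\Temp")

"=== Autostart (Run/RunOnce) entries ==="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $flag = ''
        foreach ($d in $suspectDirs) {
            if ($p.Value -like "*$d*") { $flag = '  <-- runs from a temp directory' }
        }
        "{0}\{1} = {2}{3}" -f $key, $p.Name, $p.Value, $flag
    }
}

"`n=== Services present in the registry but not reported by Get-Service ==="
$reported = @{}
Get-Service | ForEach-Object { $reported[$_.Name.ToLower()] = $true }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath
    # Type 0x10/0x20 = Win32 own/shared process service; 0x1/0x2 = kernel/filesystem
    # driver. Get-Service never lists drivers, so only Win32 services are compared.
    $isWin32 = $svc.Type -band 0x30
    if ($isWin32 -and -not $reported.ContainsKey($_.PSChildName.ToLower())) {
        "{0}  ImagePath={1}" -f $_.PSChildName, $svc.ImagePath
    }
}
```

Everything it prints is a lead for manual review, not a verdict: some legitimate per-user service templates also appear only in the registry, and an empty second section does not prove the absence of a rootkit that hides its keys from the registry API.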

*Sniff sniff sniff*

 

I smell

 

WAREZ

 

As topdog mentions, Pilotasso, I would recommend you run the PC through something to make sure you still haven't got some dregs left over. I would run it through ComboFix; that shit eats the hardest of bad shit up and spits it out. If you use 64bit, then I don't think ComboFix works on 64bit, so HitmanPro is probably the better option there.

 

If you find any file or whatever on your pc that you suspect of being a nasty, send it to these guys and they will figure it out for you

 

www.VirusTotal.com

 

Also download free malwarebytes antimalware, that tool is invaluable, seriously also superantispyware, those along with your daily AV app should keep you safe.

 

Personally I run ESET Smart Security, which contains NOD32 and a firewall and some malware security, and also Malwarebytes Anti-Malware; it really is great, that little app. Those two items have kept me clean for years.


Edited by bumfire

Warez...not. Pr0n


Why don't you have all the $ex things you want with DCS A10?

HaF 922, Asus rampage extreme 3 gene, I7 950 with Noctua D14, MSI gtx 460 hawk, G skill 1600 8gb, 1.5 giga samsung HD.

Track IR 5, Hall sensed Cougar, Hall sensed TM RCS TM Warthog(2283), TM MFD, Saitek pro combat rudder, Cougar MFD.


Malwarebytes Anti-Malware is one of the products that failed to detect/remove the problem with the backdoor.tdss rootkit. I used the latest version of it at the time, and it offered no protection (note: this was in the last 2-3 weeks).


Has it been updated now?

 

But then again, nothing is gonna detect everything, so it's best to have a few things running, because one will detect some things and the other will detect other things. If only one thing could detect everything... I guess we live and dream.

 

EDIT:

 

It's been updated, as it's picked up the rootkit in some users' rigs. A new version of MBAM was released last week, not just an update of defs; it was a full version change that needed a reboot, so I guess that was when it was able to pick up the RK.

 

http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html

 

Not a lot of things were detecting this RK on the 20th of November; this thing is supposedly silently raping the net and not being picked up.


Edited by bumfire